https://bugs.gentoo.org/916328 https://github.com/opendnssec/SoftHSMv2/issues/729 https://github.com/openssl/openssl/issues/22508 https://github.com/openssl/openssl/commit/ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 From ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 15 Dec 2023 13:45:50 +0100 Subject: [PATCH] Revert "Improved detection of engine-provided private "classic" keys" This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5. The commit was wrong. With 3.x versions the engines must be themselves responsible for creating their EVP_PKEYs in a way that they are treated as legacy - either by using the respective set1 calls or by setting non-default EVP_PKEY_METHOD. The workaround has caused more problems than it solved. Fixes #22945 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/23063) (cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380) --- a/crypto/engine/eng_pkey.c +++ b/crypto/engine/eng_pkey.c @@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); return NULL; } - /* We enforce check for legacy key */ - switch (EVP_PKEY_get_id(pkey)) { - case EVP_PKEY_RSA: - { - RSA *rsa = EVP_PKEY_get1_RSA(pkey); - EVP_PKEY_set1_RSA(pkey, rsa); - RSA_free(rsa); - } - break; -# ifndef OPENSSL_NO_EC - case EVP_PKEY_SM2: - case EVP_PKEY_EC: - { - EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); - EVP_PKEY_set1_EC_KEY(pkey, ec); - EC_KEY_free(ec); - } - break; -# endif -# ifndef OPENSSL_NO_DSA - case EVP_PKEY_DSA: - { - DSA *dsa = EVP_PKEY_get1_DSA(pkey); - EVP_PKEY_set1_DSA(pkey, dsa); - DSA_free(dsa); - } - break; -#endif -# ifndef OPENSSL_NO_DH - case EVP_PKEY_DH: - { - DH *dh = EVP_PKEY_get1_DH(pkey); - EVP_PKEY_set1_DH(pkey, dh); - DH_free(dh); - } - break; -#endif - default: - /*Do nothing */ - break; - } - return pkey; }