Remove EVP_PKEY_*check again

This API turned out to be a really bad idea. OpenSSL 3 extended it, with the result that basically every key type had its own DoS issues fixed in a recent security release. We eschewed these by having some upper bounds that kick in when keys get insanely large. Initially added on tobhe's request who fortunately never used it in iked, this was picked up only by ruby/openssl (one of the rare projects doing proper configure checks rather than branching on VERSION defines) and of course xca, since it uses everything it can. So it was easy to get rid of this again. ok beck jsing
author: tb <> 2024-08-31 09:14:21 +0000
committer: tb <> 2024-08-31 09:14:21 +0000
commit: 9bcd94a09cac618808e1f47aff1c670fbdb6828d (patch)
tree: 797124b4a826431ab1cb43dcdf84f0684f586817 /src/lib/libcrypto/evp
parent: f58c6219618056507686c5f66a57ece7246ae5fe (diff)
download: openbsd-9bcd94a09cac618808e1f47aff1c670fbdb6828d.tar.gz
openbsd-9bcd94a09cac618808e1f47aff1c670fbdb6828d.tar.bz2
openbsd-9bcd94a09cac618808e1f47aff1c670fbdb6828d.zip
2 files changed, 2 insertions, 33 deletions
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 2db8acfa01..7c767758da 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.135 2024/07/09 16:15:37 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.136 2024/08/31 09:14:21 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -985,9 +985,6 @@ int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
 int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
 int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
 int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
-int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
-int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx);
-int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
 void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
 EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c
index 415690cd0e..bc1c5bd7d2 100644
--- a/src/lib/libcrypto/evp/pmeth_gn.c
+++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_gn.c,v 1.20 2024/08/29 16:58:19 tb Exp $ */
+/* $OpenBSD: pmeth_gn.c,v 1.21 2024/08/31 09:14:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -225,31 +225,3 @@ merr:
        return mac_key;
 }
 LCRYPTO_ALIAS(EVP_PKEY_new_mac_key);
-/*
- * XXX - remove the API below in the next bump.
- */
-int
-EVP_PKEY_check(EVP_PKEY_CTX *ctx)
-{
-        EVPerror(ERR_R_DISABLED);
-        return -2;
-}
-LCRYPTO_ALIAS(EVP_PKEY_check);
-int
-EVP_PKEY_public_check(EVP_PKEY_CTX *ctx)
-{
-        EVPerror(ERR_R_DISABLED);
-        return -2;
-}
-LCRYPTO_ALIAS(EVP_PKEY_public_check);
-int
-EVP_PKEY_param_check(EVP_PKEY_CTX *ctx)
-{
-        EVPerror(ERR_R_DISABLED);
-        return -2;
-}
-LCRYPTO_ALIAS(EVP_PKEY_param_check);
author	tb <>	2024-08-31 09:14:21 +0000
committer	tb <>	2024-08-31 09:14:21 +0000
commit	9bcd94a09cac618808e1f47aff1c670fbdb6828d (patch)
tree	797124b4a826431ab1cb43dcdf84f0684f586817 /src/lib/libcrypto/evp
parent	f58c6219618056507686c5f66a57ece7246ae5fe (diff)
download	openbsd-9bcd94a09cac618808e1f47aff1c670fbdb6828d.tar.gz openbsd-9bcd94a09cac618808e1f47aff1c670fbdb6828d.tar.bz2 openbsd-9bcd94a09cac618808e1f47aff1c670fbdb6828d.zip

diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index 2db8acfa01..7c767758da 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp.h,v 1.135 2024/07/09 16:15:37 tb Exp $ */	1	/* $OpenBSD: evp.h,v 1.136 2024/08/31 09:14:21 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -985,9 +985,6 @@ int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
985	int EVP_PKEY_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);	985	int EVP_PKEY_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);
986	int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);	986	int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
987	int EVP_PKEY_keygen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);	987	int EVP_PKEY_keygen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);
988	int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
989	int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx);
990	int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
991		988
992	void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX ctx, EVP_PKEY_gen_cb cb);	989	void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX ctx, EVP_PKEY_gen_cb cb);
993	EVP_PKEY_gen_cb EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX ctx);	990	EVP_PKEY_gen_cb EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX ctx);


diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c index 415690cd0e..bc1c5bd7d2 100644 --- a/src/lib/libcrypto/evp/pmeth_gn.c +++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pmeth_gn.c,v 1.20 2024/08/29 16:58:19 tb Exp $ */	1	/* $OpenBSD: pmeth_gn.c,v 1.21 2024/08/31 09:14:21 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -225,31 +225,3 @@ merr:
225	return mac_key;	225	return mac_key;
226	}	226	}
227	LCRYPTO_ALIAS(EVP_PKEY_new_mac_key);	227	LCRYPTO_ALIAS(EVP_PKEY_new_mac_key);
228
229	/*
230	* XXX - remove the API below in the next bump.
231	*/
232
233	int
234	EVP_PKEY_check(EVP_PKEY_CTX *ctx)
235	{
236	EVPerror(ERR_R_DISABLED);
237	return -2;
238	}
239	LCRYPTO_ALIAS(EVP_PKEY_check);
240
241	int
242	EVP_PKEY_public_check(EVP_PKEY_CTX *ctx)
243	{
244	EVPerror(ERR_R_DISABLED);
245	return -2;
246	}
247	LCRYPTO_ALIAS(EVP_PKEY_public_check);
248
249	int
250	EVP_PKEY_param_check(EVP_PKEY_CTX *ctx)
251	{
252	EVPerror(ERR_R_DISABLED);
253	return -2;
254	}
255	LCRYPTO_ALIAS(EVP_PKEY_param_check);