diff options
| author | tb <> | 2025-01-05 15:39:12 +0000 |
|---|---|---|
| committer | tb <> | 2025-01-05 15:39:12 +0000 |
| commit | aeaaf636a6726b17d0d27ea128a573bc90c4d04f (patch) | |
| tree | cd64f6e5f9ce5fc370008ff0fd77e5e13c35c0cc /src/lib/libcrypto/rsa/rsa_sign.c | |
| parent | 50987dd3b5034f6426dcbad59ec85073fc6f9c6f (diff) | |
| download | openbsd-aeaaf636a6726b17d0d27ea128a573bc90c4d04f.tar.gz openbsd-aeaaf636a6726b17d0d27ea128a573bc90c4d04f.tar.bz2 openbsd-aeaaf636a6726b17d0d27ea128a573bc90c4d04f.zip | |
Stop requiring the RSA_FLAG_SIGN_VER
You can set custom sign and verify handlers on an RSA method (wihch is
used to create RSA private and public key handles). However, even if you
set them explicitly with RSA_meth_set_{sign,verify}(3), these handlers
aren't used for the sake of "backward compatibility" (with what?). In order
to use them, you need to opt your objects into using the custom methods
you set by setting the RSA_FLAG_SIGN_VER flag.
OpenSSL 1.1 dropped this requirement and therefore nobody sets this flag
anyore. Like most of the mechanically added accessors, almost nothing
uses them, but, as found by kn, the yubco-piv-tool does. This resulted
in a public key being passed to rsa_private_encrypt(), which of course
doesn't end well.
So follow OpenSSL 1.1 and drop this muppetry. This makes kn's problem
with yubico-piv-tool go away.
ok jsing kn
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_sign.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_sign.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c index 5356768615..6edd20626d 100644 --- a/src/lib/libcrypto/rsa/rsa_sign.c +++ b/src/lib/libcrypto/rsa/rsa_sign.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_sign.c,v 1.36 2023/07/08 12:26:45 beck Exp $ */ | 1 | /* $OpenBSD: rsa_sign.c,v 1.37 2025/01/05 15:39:12 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -130,7 +130,7 @@ RSA_sign(int type, const unsigned char *m, unsigned int m_len, | |||
| 130 | unsigned char *tmps = NULL; | 130 | unsigned char *tmps = NULL; |
| 131 | int encrypt_len, encoded_len = 0, ret = 0; | 131 | int encrypt_len, encoded_len = 0, ret = 0; |
| 132 | 132 | ||
| 133 | if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign != NULL) | 133 | if (rsa->meth->rsa_sign != NULL) |
| 134 | return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); | 134 | return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); |
| 135 | 135 | ||
| 136 | /* Compute the encoded digest. */ | 136 | /* Compute the encoded digest. */ |
| @@ -271,7 +271,7 @@ int | |||
| 271 | RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, | 271 | RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, |
| 272 | const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) | 272 | const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) |
| 273 | { | 273 | { |
| 274 | if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) | 274 | if (rsa->meth->rsa_verify != NULL) |
| 275 | return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, | 275 | return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, |
| 276 | rsa); | 276 | rsa); |
| 277 | 277 | ||