From 9bcd94a09cac618808e1f47aff1c670fbdb6828d Mon Sep 17 00:00:00 2001 From: tb <> Date: Sat, 31 Aug 2024 09:14:21 +0000 Subject: Remove EVP_PKEY_*check again This API turned out to be a really bad idea. OpenSSL 3 extended it, with the result that basically every key type had its own DoS issues fixed in a recent security release. We eschewed these by having some upper bounds that kick in when keys get insanely large. Initially added on tobhe's request who fortunately never used it in iked, this was picked up only by ruby/openssl (one of the rare projects doing proper configure checks rather than branching on VERSION defines) and of course xca, since it uses everything it can. So it was easy to get rid of this again. ok beck jsing --- src/lib/libcrypto/hidden/openssl/evp.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'src/lib/libcrypto/hidden') diff --git a/src/lib/libcrypto/hidden/openssl/evp.h b/src/lib/libcrypto/hidden/openssl/evp.h index 7721a2f412..fea609933e 100644 --- a/src/lib/libcrypto/hidden/openssl/evp.h +++ b/src/lib/libcrypto/hidden/openssl/evp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.4 2024/04/10 15:00:38 beck Exp $ */ +/* $OpenBSD: evp.h,v 1.5 2024/08/31 09:14:21 tb Exp $ */ /* * Copyright (c) 2024 Bob Beck * @@ -353,9 +353,6 @@ LCRYPTO_USED(EVP_PKEY_paramgen_init); LCRYPTO_USED(EVP_PKEY_paramgen); LCRYPTO_USED(EVP_PKEY_keygen_init); LCRYPTO_USED(EVP_PKEY_keygen); -LCRYPTO_USED(EVP_PKEY_check); -LCRYPTO_USED(EVP_PKEY_public_check); -LCRYPTO_USED(EVP_PKEY_param_check); LCRYPTO_USED(EVP_PKEY_CTX_set_cb); LCRYPTO_USED(EVP_PKEY_CTX_get_cb); LCRYPTO_USED(EVP_PKEY_CTX_get_keygen_info); -- cgit v1.2.3-55-g6feb