[openssl-dev] Question about commit 222333cf01e2fec4a20c107ac9e820694611a4db
Michael Reilly
michaelr at cisco.com
Tue Apr 11 22:12:41 UTC 2017

Hi,

commit 222333cf01e2fec4a20c107ac9e820694611a4db added a check that the size
returned by EVP_PKEY_size(ctx->pkey) in M_check_autoarg() in
crypto/evp/pmeth_fn.c is != 0.

We are in the process of upgrading from 1.0.2j to 1.0.2k and discovered that the
if (pksize == 0) check added in 1.0.2k breaks some of our applications.

We use an engine for the RSA sign operation. The applications do not know
anything about the keypair being used. The keypair is kept private by the
engine so the application couldn't determine the attributes of the keypair if it
wanted to do so.

If this check is necessary is there a way to bypass it when the application does
not have the keypair but the engine being used is holding the keypair?

I know we can simply remove this line from our copy of the code but we like to
avoid modifying the openssl distributed code if at all possible.

Thanks,
michael

commit info:

commit 222333cf01e2fec4a20c107ac9e820694611a4db
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Dec 20 12:56:14 2016 +0100

    M_check_autoarg: sanity check the key

    For now, checking that the size is non-zero will suffice.

    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2120)
    (cherry picked from commit d7c8f142ea5953bf260b70a58739c1c9b0f038eb)

--
---- ---- ----
Michael Reilly michaelr at cisco.com
Cisco Systems Arizona