From: Matthias St. Pierre <matthias.st.pierre@ncp-e.com>
Date: Thu, 21 Sep 2023 14:43:43 +0000 (+0200)
Subject: no-engine: fix signing with legacy app method based keys
X-Git-Tag: openssl-3.2.0-alpha2~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1acc3e8cc3c6;p=thirdparty%2Fopenssl.git

no-engine: fix signing with legacy app method based keys

Signing with an app method based key (i.e. an `EVP_PKEY` which wraps an
`RSA` key with an application defined `RSA_METHOD`) used to work in 1.1.1.
That feature was broken in commit 60488d2434, but later on fixed by @t8m
in commit b247113c05 (see #14859).

This commit corrects a  minor flaw of the fix, which affects only
`no-engine` builds: the special treatment for foreign keys is guarded
by an `OPENSSL_NO_ENGINE` check.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22163)
---

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 6bd99940726..268b1617e37 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -247,10 +247,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
      */
     if (e != NULL)
         pmeth = ENGINE_get_pkey_meth(e, id);
-    else if (pkey != NULL && pkey->foreign)
+    else
+# endif /* OPENSSL_NO_ENGINE */
+    if (pkey != NULL && pkey->foreign)
         pmeth = EVP_PKEY_meth_find(id);
     else
-# endif
         app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id);
 
     /* END legacy */