From: Norbert Pocs Date: Thu, 20 Nov 2025 16:39:16 +0000 (+0100) Subject: Clear ssl dir from engines X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28d7ac4b95f9d8df26ecded2b6fb9579611508b1;p=thirdparty%2Fopenssl.git Clear ssl dir from engines Signed-off-by: Norbert Pocs Reviewed-by: Paul Yang Reviewed-by: Eugene Syromiatnikov Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/29183) --- diff --git a/ssl/record/methods/ssl3_cbc.c b/ssl/record/methods/ssl3_cbc.c index a8282989ed3..1e42a9cb538 100644 --- a/ssl/record/methods/ssl3_cbc.c +++ b/ssl/record/methods/ssl3_cbc.c @@ -456,7 +456,7 @@ int ssl3_cbc_digest_record(const EVP_MD *md, if (md_ctx == NULL) goto err; - if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */) <= 0) + if (EVP_DigestInit_ex(md_ctx, md, NULL) <= 0) goto err; if (is_sslv3) { /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c index 6b5a1bed23e..092085df637 100644 --- a/ssl/record/methods/ssl3_meth.c +++ b/ssl/record/methods/ssl3_meth.c @@ -64,10 +64,6 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, return OSSL_RECORD_RETURN_FATAL; } - /* - * The cipher we actually ended up using in the EVP_CIPHER_CTX may be - * different to that in ciph if we have an ENGINE in use - */ if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) { /* ERR_raise already called */ diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c index 19295f6e587..114a2e1eb6b 100644 --- a/ssl/record/methods/tls1_meth.c +++ b/ssl/record/methods/tls1_meth.c 
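Review bot: The bare `NULL` third argument of `EVP_DigestInit_ex(md_ctx, md, NULL)` in the ssl/record/methods/ssl3_cbc.c hunk is still the `ENGINE *impl` slot, so the call keeps using the engine-shaped signature after the `/* engine */` annotation is dropped. If the aim is to leave no engine-era API in ssl/, `if (EVP_DigestInit_ex2(md_ctx, md, NULL) <= 0)` uses the variant whose last parameter is an `OSSL_PARAM` array and keeps the same error check. This assumes `md` is suitable for that variant here, which the hunk does not show. The body of `ssl3_cbc_digest_record` starts and ends outside the hunk.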
@@ -130,10 +130,6 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, return OSSL_RECORD_RETURN_FATAL; } - /* - * The cipher we actually ended up using in the EVP_CIPHER_CTX may be - * different to that in ciph if we have an ENGINE in use - */ if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(ciph_ctx)) != NULL && !ossl_set_tls_provider_parameters(rl, ciph_ctx, ciph, md)) { /* ERR_raise already called */ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index cd0d0e071bc..6b02c79ab95 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -18,7 +18,6 @@ #include #include #include -#include #include #include #include @@ -125,11 +124,6 @@ static int ssl_cipher_info_find(const ssl_cipher_table *table, #define ssl_cipher_info_lookup(table, x) \ ssl_cipher_info_find(table, OSSL_NELEM(table), x) -/* - * PKEY_TYPE for GOST89MAC is known in advance, but, because implementation - * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is - * found - */ static const int default_mac_pkey_id[SSL_MD_NUM_IDX] = { /* MD5, SHA, GOST94, MAC89 */ EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, @@ -442,9 +436,8 @@ int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc, } else { if (i == SSL_ENC_NULL_IDX) { /* - * We assume we don't care about this coming from an ENGINE so - * just do a normal EVP_CIPHER_fetch instead of - * ssl_evp_cipher_fetch() + * This does not need any special handling. Use EVP_CIPHER_fetch() + * directly. */ *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq); if (*enc == NULL) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index c3aa35009d8..c726e3418cf 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -14,7 +14,6 @@ #endif #include #include -#include #include "internal/refcount.h" #include "internal/cryptlib.h" #include "internal/ssl_unwrap.h" diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8658e78bba2..c7baa896f17 100644 --- a/ssl/statem/statem_srvr.c 
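Review bot: The rewritten comment in the `SSL_ENC_NULL_IDX` branch of `ssl_cipher_get_evp_cipher` (third hunk of ssl/ssl_ciph.c) says the case needs no "special handling" without naming that handling, so it no longer explains why this index takes a different path from the others. A comment tied to the visible call would hold up better, for example `/* The NULL cipher is fetched on demand with the context's libctx and propq. */`. How the other indexes obtain their cipher is outside the hunk, so the wording should be checked against the else branch before it is adopted. The function body starts and ends outside the hunk.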
+++ b/ssl/statem/statem_srvr.c @@ -3513,7 +3513,6 @@ static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) goto err; } - /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);