From: Matt Caswell
Date: Fri, 6 Feb 2026 15:06:26 +0000 (+0000)
Subject: Pass low level EC_KEY objects to the default provider
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c990c7bf4fb2bc6726b34d4488c6bb38c367d8d;p=thirdparty%2Fopenssl.git

Pass low level EC_KEY objects to the default provider

As we did for RSA objects we do the same for EC_KEY objects.

Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
MergeDate: Fri Feb 13 07:58:24 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
---
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index b54f69df511..8fda3899976 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -29,6 +29,7 @@
 #include "prov/securitycheck.h"
 #include "internal/fips.h"
 #include "internal/param_build_set.h"
+#include "internal/threads_common.h"
 
 #ifndef FIPS_MODULE
 #ifndef OPENSSL_NO_SM2
@@ -276,9 +277,35 @@ static ossl_inline int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *t
 
 static void *ec_newdata(void *provctx)
 {
+    EC_KEY *eckey = NULL;
+    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
+
     if (!ossl_prov_is_running())
         return NULL;
-    return EC_KEY_new_ex(PROV_LIBCTX_OF(provctx), NULL);
+
+#ifndef FIPS_MODULE
+    /*
+     * This only works because we are in the default provider. We are not
+     * normally allowed to pass complex objects across the provider boundary
+     * like this.
+     */
+    eckey = CRYPTO_THREAD_get_local_ex(CRYPTO_THREAD_LOCAL_LOW_LEVEL_OBJECT, libctx);
+    if (eckey != NULL) {
+#ifdef OPENSSL_NO_EC_EXPLICIT_CURVES
+        if (EC_GROUP_check_named_curve(EC_KEY_get0_group(eckey), 0, NULL) == NID_undef)
+            return NULL;
+#endif
+        if (ossl_lib_ctx_get_concrete(ossl_ec_key_get_libctx(eckey)) != ossl_lib_ctx_get_concrete(libctx))
+            eckey = NULL;
+        else if (!EC_KEY_up_ref(eckey))
+            return NULL;
+    }
+#endif
+
+    if (eckey == NULL)
+        eckey = EC_KEY_new_ex(libctx, NULL);
+
+    return eckey;
 }
 
 #ifndef FIPS_MODULE
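Review bot: The explicit-curve rejection in ec_newdata only tests for NID_undef, but EC_GROUP_check_named_curve() also returns -1 on an internal error (its documented convention is nid, 0 for unknown, -1 for error), so under OPENSSL_NO_EC_EXPLICIT_CURVES an allocation failure inside the check would let an explicit-parameter key through rather than failing closed; use `if (EC_GROUP_check_named_curve(EC_KEY_get0_group(eckey), 0, NULL) <= 0)`. That call also dereferences the group, so if the thread-local EC_KEY can arrive without a group set (EC_KEY_get0_group() returning NULL) the check needs a NULL guard first — presumably the code that stores the key guarantees a group, but that caller is outside this hunk. The curve check currently runs before the libctx comparison, so a key from a foreign libctx that would otherwise be silently ignored instead fails the whole allocation; moving the `#ifdef OPENSSL_NO_EC_EXPLICIT_CURVES` block after the libctx match would apply it only to keys the provider actually adopts. Finally, the comment should record that ec_newdata only reads the thread-local and relies on the caller to set and clear CRYPTO_THREAD_LOCAL_LOW_LEVEL_OBJECT around the newdata call, since a stale entry would otherwise be adopted by an unrelated later allocation on the same thread.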