From 9fdb2a0c2d58b7f95ceaddd477696afa133c5c36 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 8 Jan 2025 18:23:45 +0100
Subject: [PATCH] libssl: Accept any key management which implements the group
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Viktor Dukhovni
(Merged from https://github.com/openssl/openssl/pull/26328)
---
 ssl/t1_lib.c | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 011ddc51d9..8fb1470b80 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -242,7 +242,6 @@ static int add_provider_groups(const OSSL_PARAM params[], void *data)
 {
 struct provider_ctx_data_st *pgd = data;
 SSL_CTX *ctx = pgd->ctx;
- OSSL_PROVIDER *provider = pgd->provider;
 const OSSL_PARAM *p;
 TLS_GROUP_INFO *ginf = NULL;
 EVP_KEYMGMT *keymgmt;
@@ -352,23 +351,9 @@ static int add_provider_groups(const OSSL_PARAM params[], void *data)
 ERR_set_mark();
 keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
 if (keymgmt != NULL) {
- /*
- * We have successfully fetched the algorithm - however if the provider
- * doesn't match this one then we ignore it.
- *
- * Note: We're cheating a little here. Technically if the same algorithm
- * is available from more than one provider then it is undefined which
- * implementation you will get back. Theoretically this could be
- * different every time...we assume here that you'll always get the
- * same one back if you repeat the exact same fetch. Is this a reasonable
- * assumption to make (in which case perhaps we should document this
- * behaviour)?
- */
- if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
- /* We have a match - so we will use this group */
- ctx->group_list_len++;
- ginf = NULL;
- }
+ /* We have successfully fetched the algorithm, we can use the group. */
+ ctx->group_list_len++;
+ ginf = NULL;
 EVP_KEYMGMT_free(keymgmt);
 }
 ERR_pop_to_mark();
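Review bot: In the second hunk, dropping the `EVP_KEYMGMT_get0_provider(keymgmt) == provider` comparison means the entry filled from this provider's `params` is kept whenever any loaded provider can supply `ginf->algorithm`, so the advertised group parameters and the key management that is eventually used may come from different providers. If two providers advertise the same group, each callback invocation now passes the fetch and reaches `ctx->group_list_len++`, which looks like it can leave duplicate entries unless they are filtered in the part of add_provider_groups that lies outside this hunk. The replacement comment should record this instead of only restating the code, for example `/* The keymgmt may belong to a different provider than the one advertising the group; only ctx->propq restricts which implementation is used. */`. A check for an already-registered group before the increment is also worth considering.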