On Mon, Feb 01, 2016 at 11:16:50PM +0000, Viktor Dukhovni wrote: > On Mon, Feb 01, 2016 at 10:52:56PM +0000, Viktor Dukhovni wrote: > > > The only thing I see that's plausibly pertinent is: > > > > commit 6656ba7152dfe4bba865e327dd362ea08544aa80 > > Author: Dr. Stephen Henson <st...@openssl.org> > > Date: Sun Dec 20 18:18:43 2015 +0000 > > > > Don't check RSA_FLAG_SIGN_VER. > > > > Reviewed-by: Richard Levitte <levi...@openssl.org> > > > > This is related to: > > commit 1c80019a2c8f59410552197723829fd72ab45a5e > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Sat Sep 18 22:37:44 1999 +0000 > > Add new sign and verify members to RSA_METHOD and change SSL code to > use sign > and verify rather than direct encrypt/decrypt. > > Which was already present in 0.9.7. Thus, presumably engines have > been expected to implement the "new" methods, if they were ported > to OpenSSL 0.9.7 or later. > > It seems that perhaps the need to implemnt sign/verify and not just > encrypt/decrypt has not been communicated to the engine maintainers. > > The master branch has: > > commit 19c6d3ea2d3b4e0ad3e978e42cc7cbdf0c09891f > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Wed Dec 2 14:30:39 2015 +0000 > > Remove RSA_FLAG_SIGN_VER flag. > > Remove RSA_FLAG_SIGN_VER: this was origininally used to retain binary > compatibility after RSA_METHOD was extended to include rsa_sign and > rsa_verify fields. It is no longer needed. > > Reviewed-by: Richard Levitte <levi...@openssl.org> > > And while indeed the structure has been stable with sign/verify > methods for ages, engines that don't implement sign/verify may well > exist, so dropping the flag check can break some engines.
This looks like a change in behaviour that's not just a bug fix, and we should properly revert that. Kurt _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
