From 7c415f6df19d01fe86d0271183125d919ef6d563 Mon Sep 17 00:00:00 2001
From: Pranav Senthilnathan
Date: Mon, 20 Apr 2026 16:41:33 -0700
Subject: [PATCH 1/3] Use check_function_exists for OSSL RSA instead of check_source_compiles

---
 .../configure.cmake | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/native/libs/System.Security.Cryptography.Native/configure.cmake
index 78caad3fd5bd25..3fc7cba49c3b95 100644
--- a/src/native/libs/System.Security.Cryptography.Native/configure.cmake
+++ b/src/native/libs/System.Security.Cryptography.Native/configure.cmake
@@ -24,6 +24,11 @@ check_function_exists(
 HAVE_OPENSSL_EVP_PKEY_SIGN_MESSAGE_INIT
 )

+check_function_exists(
+ RSA_new
+ HAVE_OPENSSL_RSA_PRIMITIVE
+)
+
 check_source_compiles(C "
 #include
 // CodeQL [SM01923] This is a CMake function detection script for the OpenSSL API used to implement the .NET API System.Security.Cryptography.ChaCha20Poly1305, it is not actually using the algorithm here
@@ -35,11 +40,6 @@ check_source_compiles(C "
 int main(void) { ENGINE_init(NULL); return 1; }"
 HAVE_OPENSSL_ENGINE)

-check_source_compiles(C "
-#include
-int main(void) { RSA *r = RSA_new(); RSA_free(r); return 0; }"
-HAVE_OPENSSL_RSA_PRIMITIVE)
-
 configure_file(
 ${CMAKE_CURRENT_SOURCE_DIR}/pal_crypto_config.h.in
 ${CMAKE_CURRENT_BINARY_DIR}/pal_crypto_config.h)

From 8a8c9ab9746ea9ea7709c0e68998a93a00187686 Mon Sep 17 00:00:00 2001
From: Pranav Senthilnathan
Date: Tue, 21 Apr 2026 14:21:13 -0700
Subject: [PATCH 2/3] Use EVP_PKEY_get0_RSA instead

---
 .../libs/System.Security.Cryptography.Native/configure.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/native/libs/System.Security.Cryptography.Native/configure.cmake
index 3fc7cba49c3b95..aca296cf6c60c9 100644
--- a/src/native/libs/System.Security.Cryptography.Native/configure.cmake
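Review bot: `check_function_exists(RSA_new HAVE_OPENSSL_RSA_PRIMITIVE)` only proves that the symbol links; unlike the `check_source_compiles` probe removed in the second hunk, it never includes an OpenSSL header, so the macro can be 1 on a build host whose headers do not declare the legacy RSA API. That matters if the macro gates fallback declarations, as the `#if !HAVE_OPENSSL_RSA_PRIMITIVE` block in opensslshim.h shown later on this page suggests. The answer also depends on `CMAKE_REQUIRED_LIBRARIES` naming libcrypto, which this hunk does not show. A header-aware probe such as `check_symbol_exists(RSA_new "openssl/rsa.h" HAVE_OPENSSL_RSA_PRIMITIVE)` would keep the old meaning; the same applies to the `EVP_PKEY_get0_RSA` hunk in [PATCH 2/3].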
+++ b/src/native/libs/System.Security.Cryptography.Native/configure.cmake
@@ -25,7 +25,7 @@ check_function_exists(
 )

 check_function_exists(
- RSA_new
+ EVP_PKEY_get0_RSA
 HAVE_OPENSSL_RSA_PRIMITIVE
 )


From 6152541ec060ed0a1f8b29a46e3829d48ce48622 Mon Sep 17 00:00:00 2001
From: Pranav Senthilnathan
Date: Tue, 21 Apr 2026 18:29:05 -0700
Subject: [PATCH 3/3] Remove the RSA guard

---
 .../configure.cmake | 5 -----
 .../opensslshim.h | 20 -------------------
 .../pal_crypto_config.h.in | 1 -
 3 files changed, 26 deletions(-)

diff --git a/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/native/libs/System.Security.Cryptography.Native/configure.cmake
index aca296cf6c60c9..89d4c6c4760a0a 100644
--- a/src/native/libs/System.Security.Cryptography.Native/configure.cmake
+++ b/src/native/libs/System.Security.Cryptography.Native/configure.cmake
@@ -24,11 +24,6 @@ check_function_exists(
 HAVE_OPENSSL_EVP_PKEY_SIGN_MESSAGE_INIT
 )

-check_function_exists(
- EVP_PKEY_get0_RSA
- HAVE_OPENSSL_RSA_PRIMITIVE
-)
-
 check_source_compiles(C "
 #include
 // CodeQL [SM01923] This is a CMake function detection script for the OpenSSL API used to implement the .NET API System.Security.Cryptography.ChaCha20Poly1305, it is not actually using the algorithm here
diff --git a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
index 22425beb8a4126..156f4470ae3d5c 100644
--- a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
@@ -209,26 +209,6 @@ int SSL_set_ciphersuites(SSL *s, const char *str);
 const SSL_CIPHER* SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 #endif

-#if !HAVE_OPENSSL_RSA_PRIMITIVE
-// In portable build, we need to support legacy RSA functions even if they were not present
-// on the build OS. The shim will detect their presence at runtime.
-#undef HAVE_OPENSSL_RSA_PRIMITIVE
-#define HAVE_OPENSSL_RSA_PRIMITIVE 1
-
-typedef struct rsa_st RSA;
-typedef struct rsa_meth_st RSA_METHOD;
-
-const RSA* EVP_PKEY_get0_RSA(const EVP_PKEY* pkey);
-int EVP_PKEY_set1_RSA(EVP_PKEY* pkey, RSA* key);
-const RSA_METHOD* RSA_get_method(const RSA* rsa);
-int RSA_get_multi_prime_extra_count(const RSA* rsa);
-void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d);
-void RSA_get0_factors(const RSA* r, const BIGNUM** p, const BIGNUM** q);
-void RSA_get0_crt_params(const RSA* r, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp);
-int RSA_meth_get_flags(const RSA_METHOD* meth);
-int RSA_test_flags(const RSA* r, int flags);
-#endif
-
 #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_4_0_RTM
 #include "osslcompat_40.h"
 #endif
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in b/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in
index 2e54fbf405321d..d09ed47fa02843 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in
@@ -6,4 +6,3 @@
 #cmakedefine01 HAVE_OPENSSL_SHA3_SQUEEZE
 #cmakedefine01 HAVE_OPENSSL_EVP_PKEY_SIGN_MESSAGE_INIT
 #cmakedefine01 HAVE_OPENSSL_ENGINE
-#cmakedefine01 HAVE_OPENSSL_RSA_PRIMITIVE