Detect low-level engine and app method based keys

The low-level engine and app method based keys have to be treated
as foreign and must be used with old legacy pmeths.

Fixes #14632

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14859)

1 files changed, 10 insertions, 3 deletions

diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c
index 2ef8cbc9f3..e4fa070f23 100644
--- a/crypto/dsa/dsa_backend.c
+++ b/crypto/dsa/dsa_backend.c
@@ -57,6 +57,15 @@ int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[])
     return 0;
 }
 
+int ossl_dsa_is_foreign(const DSA *dsa)
+{
+#ifndef FIPS_MODULE
+    if (dsa->engine != NULL || DSA_get_method((DSA *)dsa) != DSA_OpenSSL())
+        return 1;
+#endif
+    return 0;
+}
+
 static ossl_inline int dsa_bn_dup_check(BIGNUM **out, const BIGNUM *f)
 {
     if (f != NULL && (*out = BN_dup(f)) == NULL)
@@ -68,11 +77,9 @@ DSA *ossl_dsa_dup(const DSA *dsa, int selection)
 {
     DSA *dupkey = NULL;
 
-#ifndef FIPS_MODULE
     /* Do not try to duplicate foreign DSA keys */
-    if (DSA_get_method((DSA *)dsa) != DSA_OpenSSL())
+    if (ossl_dsa_is_foreign(dsa))
         return NULL;
-#endif
 
     if ((dupkey = ossl_dsa_new(dsa->libctx)) == NULL)
         return NULL;