authorRichard Levitte <levitte@openssl.org>2020-02-12 14:28:50 +0100
committerRichard Levitte <levitte@openssl.org>2020-02-22 01:19:54 +0100
commit3f7ce7f1029c01c2c4d00e14ffc9630d26f485a4 (patch)
treeb9256d3cf61c639bb444c04e52ebff524fcba07c /crypto/evp/exchange.c
parent8e90e3d53665854d76d6d46491b38f0e2a802428 (diff)
Refactor evp_pkey_make_provided() to do legacy to provider export
Previously, evp_keymgmt_util_export_to_provider() took care of all kinds of exports of EVP_PKEYs to provider side keys, be it from its legacy key or from another provider side key. This works most of the time, but there may be cases where the caller wants to be a bit more in control of what sort of export happens when. Also, when it's time to remove all legacy stuff, that job will be much easier if we have a better separation between legacy support and support of provided stuff, as far as we can take it. This change moves the support for legacy key to provider side key export from evp_keymgmt_util_export_to_provider() to evp_pkey_make_provided(), and makes sure the latter is called from all EVP_PKEY functions that handle legacy stuff. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11074)
Diffstat (limited to 'crypto/evp/exchange.c')
-rw-r--r--crypto/evp/exchange.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
index 901081d062..142a820651 100644
--- a/crypto/evp/exchange.c
+++ b/crypto/evp/exchange.c
@@ -309,8 +309,12 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)
return -2;
}
- provkey = evp_keymgmt_util_export_to_provider(peer, ctx->keymgmt);
- /* If export failed, legacy may be able to pick it up */
+ provkey = evp_pkey_make_provided(peer, ctx->libctx, &ctx->keymgmt,
+ ctx->propquery);
+ /*
+ * If making the key provided wasn't possible, legacy may be able to pick
+ * it up
+ */
if (provkey == NULL)
goto legacy;
return ctx->op.kex.exchange->set_peer(ctx->op.kex.exchprovctx, provkey);
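Review bot: The new call passes `&ctx->keymgmt` by address, so evp_pkey_make_provided() can presumably write back to the context's keymgmt, while `ctx->op.kex.exchange->set_peer` two lines later was set up against whatever keymgmt the context held before; if the helper can replace it, the exchange method and the keymgmt could silently diverge for the peer key. Whether that can happen is not visible from the hunk, so the call site should state the invariant, e.g. `/* ctx->keymgmt is expected to be set already; the helper must not replace it here */` (or the opposite, if replacing it is intended). The rewritten comment also keeps the old ambiguity that a genuine export failure (e.g. allocation) and "peer is legacy only" both end in `goto legacy`; a sentence there saying that errors from the helper are deliberately not distinguished would help the next reader. EVP_PKEY_derive_set_peer() starts and ends outside the hunk, and the same helper call pattern appears in the other files this commit touches.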
@@ -319,6 +323,10 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)
#ifdef FIPS_MODE
return ret;
#else
+ /*
+ * TODO(3.0) investigate the case where the operation is deemed legacy,
+ * but the given peer key is provider only.
+ */
if (ctx->pmeth == NULL
|| !(ctx->pmeth->derive != NULL
|| ctx->pmeth->encrypt != NULL