authorRichard Levitte <levitte@openssl.org>2020-04-15 09:54:11 +0200
committerPauli <paul.dale@oracle.com>2020-04-17 19:50:03 +1000
commitd0ddf9b409495e8e2adab8a6b5bc38b34273341a (patch)
tree84254d0480cef857e6b399ef9cce2f6c9990d0c5 /crypto
parent6f892296038490a7fa24b32ac6f7305687634fb0 (diff)
EVP: Fix calls to evp_pkey_export_to_provider()
The calls weren't quite right, as this function has changed its behaviour. We also change the internal documentation of this function, and document evp_pkey_downgrade(). Fixes #11549 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11550)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/evp/keymgmt_meth.c9
-rw-r--r--crypto/evp/pmeth_gn.c6
-rw-r--r--crypto/evp/signature.c2
3 files changed, 14 insertions, 3 deletions
diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c
index 7ea414e8dd..7925aeaf43 100644
--- a/crypto/evp/keymgmt_meth.c
+++ b/crypto/evp/keymgmt_meth.c
@@ -313,8 +313,15 @@ void *evp_keymgmt_gen_init(const EVP_KEYMGMT *keymgmt, int selection)
int evp_keymgmt_gen_set_template(const EVP_KEYMGMT *keymgmt, void *genctx,
void *template)
{
+ /*
+ * It's arguable if we actually should return success in this case, as
+ * it allows the caller to set a template key, which is then ignored.
+ * However, this is how the legacy methods (EVP_PKEY_METHOD) operate,
+ * so we do this in the interest of backward compatibility.
+ * TODO(3.0) Investigate if we should change this behaviour.
+ */
if (keymgmt->gen_set_template == NULL)
- return 0;
+ return 1;
return keymgmt->gen_set_template(genctx, template);
}
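Review bot: `template` is forwarded to `keymgmt->gen_set_template(genctx, template)` without a NULL check, and the pmeth_gn.c hunk of this commit now lets a NULL keydata reach this call. That makes NULL tolerance part of the contract for every provider implementation, but it is stated only in a comment at one call site. I would state it on this function as well, e.g. `/* template may be NULL; gen_set_template implementations must cope with that */`. The new `return 1` also means a caller cannot tell an applied template from an ignored one, so a key can be generated without the parameters the caller supplied; the TODO acknowledges this, and the function's documentation should say so too.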
diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c
index 78ed9ec781..95e3185573 100644
--- a/crypto/evp/pmeth_gn.c
+++ b/crypto/evp/pmeth_gn.c
@@ -170,8 +170,12 @@ int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
evp_pkey_export_to_provider(ctx->pkey, ctx->libctx,
&tmp_keymgmt, ctx->propquery);
- if (keydata == NULL)
+ if (tmp_keymgmt == NULL)
goto not_supported;
+ /*
+ * It's ok if keydata is NULL here. The backend is expected to deal
+ * with that as it sees fit.
+ */
ret = evp_keymgmt_gen_set_template(ctx->keymgmt,
ctx->op.keymgmt.genctx, keydata);
}
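Review bot: A NULL `keydata` is now passed on as the template whatever its cause, so at this point a failed export and a key that simply has no provider-side data look the same. Combined with the `return 1` in evp_keymgmt_gen_set_template() for a keymgmt without gen_set_template, generation could then succeed without the parameters held in ctx->pkey and without any error being raised. The added comment should name the cases in which evp_pkey_export_to_provider() returns NULL while leaving tmp_keymgmt set, and say whether a failed export is one of them; if it is, that case deserves its own error path rather than falling through. EVP_PKEY_gen starts and ends outside the hunk, so how `ret` is handled afterwards is not visible here.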
diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index 1f5e570ff8..2334dcfb41 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -369,7 +369,7 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
tmp_keymgmt = ctx->keymgmt;
provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx,
&tmp_keymgmt, ctx->propquery);
- if (provkey == NULL)
+ if (tmp_keymgmt == NULL)
goto legacy;
if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) {
ERR_clear_last_mark();
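Review bot: `provkey` is no longer checked after the export, and unlike the pmeth_gn.c hunk there is no comment saying a NULL value is acceptable here. Only `tmp_keymgmt == NULL` diverts to `legacy`, so a NULL provkey with a keymgmt still set continues into the provider path. Whether it is rejected before being handed to the signature implementation cannot be seen, because evp_pkey_signature_init continues outside the hunk. If NULL is not a valid key for a signature operation, keep an explicit check after the keymgmt test, e.g. `if (provkey == NULL) goto legacy;`; otherwise add a comment like the one in EVP_PKEY_gen explaining why NULL is safe.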