EVP: Downgrade keys rather than upgrade

Upgrading EVP_PKEYs from containing legacy keys to containing provider side keys proved to be risky, with a number of unpleasant corner cases, and with functions like EVP_PKEY_get0_DSA() failing unexpectedly. We therefore change course, and instead of upgrading legacy internal keys to provider side internal keys, we downgrade provider side internal keys to legacy ones. To be able to do this, we add |import_from| and make it a callback function designed for evp_keymgmt_export(). This means that evp_pkey_upgrade_to_provider() is replaced with evp_pkey_downgrade(). EVP_PKEY_copy_parameters() is the most deeply affected function of this change. Fixes #11366 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11375)
author: Richard Levitte <levitte@openssl.org> 2020-03-21 06:21:26 +0100
committer: Richard Levitte <levitte@openssl.org> 2020-03-25 17:01:10 +0100
commit: acb90ba8ffe6a27f625607760e82842673eb9378 (patch)
tree: e2960e7bf66bf703ec58c26942462a1cbf27ed7b /include
parent: 8243d8d1a17b700c9c48fc5660ff61245b1d14d2 (diff)
3 files changed, 10 insertions, 10 deletions
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
index 0e7e9ba3d4..20732c2251 100644
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@@ -11,6 +11,8 @@
 
 /* ASN1 public key method structure */
 
+#include <openssl/core.h>
+
 struct evp_pkey_asn1_method_st {
     int pkey_id;
     int pkey_base_id;
@@ -68,10 +70,11 @@ struct evp_pkey_asn1_method_st {
      * TODO: Make sure these functions are defined for key types that are
      * implemented in providers.
      */
-    /* Exports to providers */
+    /* Exports and imports to / from providers */
     size_t (*dirty_cnt) (const EVP_PKEY *pk);
     int (*export_to) (const EVP_PKEY *pk, void *to_keydata,
                       EVP_KEYMGMT *to_keymgmt);
+    OSSL_CALLBACK *import_from;
 } /* EVP_PKEY_ASN1_METHOD */ ;
 
 DEFINE_STACK_OF_CONST(EVP_PKEY_ASN1_METHOD)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index e5f9aad010..63b6dad9c6 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -630,10 +630,8 @@ void evp_app_cleanup_int(void);
 void *evp_pkey_export_to_provider(EVP_PKEY *pk, OPENSSL_CTX *libctx,
                                   EVP_KEYMGMT **keymgmt,
                                   const char *propquery);
-void *evp_pkey_upgrade_to_provider(EVP_PKEY *pk, OPENSSL_CTX *libctx,
-                                   EVP_KEYMGMT **keymgmt,
-                                   const char *propquery);
 #ifndef FIPS_MODE
+int evp_pkey_downgrade(EVP_PKEY *pk);
 void evp_pkey_free_legacy(EVP_PKEY *x);
 #endif
 
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index 994268af91..9290cfff94 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -10,12 +10,6 @@
 
 #ifndef OPENSSL_EVPERR_H
 # define OPENSSL_EVPERR_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_EVPERR_H
-# endif
 
 # include <openssl/opensslconf.h>
 # include <openssl/symhacks.h>
@@ -199,6 +193,8 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_FIPS_MODE_NOT_SUPPORTED                    167
 # define EVP_R_GET_RAW_KEY_FAILED                         182
 # define EVP_R_ILLEGAL_SCRYPT_PARAMETERS                  171
+# define EVP_R_INACCESSIBLE_DOMAIN_PARAMETERS             204
+# define EVP_R_INACCESSIBLE_KEY                           203
 # define EVP_R_INITIALIZATION_ERROR                       134
 # define EVP_R_INPUT_NOT_INITIALIZED                      111
 # define EVP_R_INVALID_CUSTOM_LENGTH                      185
@@ -211,6 +207,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_INVALID_PROVIDER_FUNCTIONS                 193
 # define EVP_R_INVALID_SALT_LENGTH                        186
 # define EVP_R_KEYGEN_FAILURE                             120
+# define EVP_R_KEYMGMT_EXPORT_FAILURE                     205
 # define EVP_R_KEY_SETUP_FAILED                           180
 # define EVP_R_MEMORY_LIMIT_EXCEEDED                      172
 # define EVP_R_MESSAGE_DIGEST_IS_NULL                     159
@@ -221,6 +218,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_NO_CIPHER_SET                              131
 # define EVP_R_NO_DEFAULT_DIGEST                          158
 # define EVP_R_NO_DIGEST_SET                              139
+# define EVP_R_NO_IMPORT_FUNCTION                         206
 # define EVP_R_NO_KEYMGMT_AVAILABLE                       199
 # define EVP_R_NO_KEYMGMT_PRESENT                         196
 # define EVP_R_NO_KEY_SET                                 154
@@ -238,6 +236,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_TOO_MANY_RECORDS                           183
 # define EVP_R_UNKNOWN_CIPHER                             160
 # define EVP_R_UNKNOWN_DIGEST                             161
+# define EVP_R_UNKNOWN_KEY_TYPE                           207
 # define EVP_R_UNKNOWN_OPTION                             169
 # define EVP_R_UNKNOWN_PBE_ALGORITHM                      121
 # define EVP_R_UNSUPPORTED_ALGORITHM                      156
author	Richard Levitte <levitte@openssl.org>	2020-03-21 06:21:26 +0100
committer	Richard Levitte <levitte@openssl.org>	2020-03-25 17:01:10 +0100
commit	acb90ba8ffe6a27f625607760e82842673eb9378 (patch)
tree	e2960e7bf66bf703ec58c26942462a1cbf27ed7b /include
parent	8243d8d1a17b700c9c48fc5660ff61245b1d14d2 (diff)