diff options
author | Matt Caswell <matt@openssl.org> | 2020-05-13 17:17:35 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-05-28 17:01:47 +0100 |
commit | b533510f3bc70957dbf447f7ea8ec20765c5b314 (patch) | |
tree | 33f865910bc41eab1d5165940a9418dd4a3ea778 /test | |
parent | 9e6cb4344233aeefe91c6092567f887015ee345a (diff) |
Fail if we fail to fetch the EVP_KEYMGMT
If we failed to fetch an EVP_KEYMGMT then we were falling back to legacy.
This is because some algorithms (such as MACs and KDFs used via an old
style EVP_PKEY) have not been transferred to providers.
Unfortunately this means that you cannot stop some algorithms from being
used by not loading the provider.
For example if you wanted to prevent RSA from being used, you might expect
to just not load any providers that make it available. Unfortunately that
doesn't work because we simply fall back to legacy if we fail to fetch
the EVP_KEYMGMT.
Instead we should fail *unless* the key type is one of those legacy key
types that we have not transferred.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11826)
Diffstat (limited to 'test')
-rw-r--r-- | test/evp_test.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/test/evp_test.c b/test/evp_test.c index 813218a42a..6ed5bafba6 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -2995,7 +2995,8 @@ static int key_unsupported(void) long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_EVP - && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM) { + && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM + || ERR_GET_REASON(err) == EVP_R_FETCH_FAILED)) { ERR_clear_error(); return 1; } |