author Matt Caswell <matt@openssl.org> 2020-05-13 17:17:35 +0100
committer Matt Caswell <matt@openssl.org> 2020-05-28 17:01:47 +0100
commit b533510f3bc70957dbf447f7ea8ec20765c5b314
tree 33f865910bc41eab1d5165940a9418dd4a3ea778 /test
parent 9e6cb4344233aeefe91c6092567f887015ee345a
Fail if we fail to fetch the EVP_KEYMGMT

If we failed to fetch an EVP_KEYMGMT then we were falling back to legacy. This is because some algorithms (such as MACs and KDFs used via an old style EVP_PKEY) have not been transferred to providers.

Unfortunately this means that you cannot stop some algorithms from being used by not loading the provider.

For example if you wanted to prevent RSA from being used, you might expect to just not load any providers that make it available. Unfortunately that doesn't work because we simply fall back to legacy if we fail to fetch the EVP_KEYMGMT.

Instead we should fail *unless* the key type is one of those legacy key types that we have not transferred.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11826)

Diffstat (limited to 'test')
-rw-r--r-- test/evp_test.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/test/evp_test.c b/test/evp_test.c
index 813218a42a..6ed5bafba6 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -2995,7 +2995,8 @@ static int key_unsupported(void)
long err = ERR_peek_error();
if (ERR_GET_LIB(err) == ERR_LIB_EVP
- && ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM) {
+ && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM
+ || ERR_GET_REASON(err) == EVP_R_FETCH_FAILED)) {
ERR_clear_error();
return 1;
}
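
Review bot: The widened condition in key_unsupported() now reports EVP_R_FETCH_FAILED as an unsupported key and then calls ERR_clear_error(), but nothing in the code says why a fetch failure counts as "unsupported". A short comment above the `if` would help, for example that a failed EVP_KEYMGMT fetch means no loaded provider offers the key type. It is also worth confirming that a fetch failure with any other cause is not meant to be distinguished here, since the function returns 1 for every EVP_R_FETCH_FAILED and the cleared error queue leaves no detail behind for whoever reads the test result. Minor: ERR_GET_REASON(err) is now evaluated twice; a local such as `int reason = ERR_GET_REASON(err);` would make the two comparisons easier to read.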