author | Richard Levitte <levitte@openssl.org> | 2021-10-01 08:57:03 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2021-10-27 12:41:12 +0200 |
commit | 5246183e7a9f9fb1819d50ab40e2fecc68235e0d (patch) | |
tree | 408f58790a0348bb654ac8be3094832b153aab67 /crypto/evp/pmeth_lib.c | |
parent | EVP: Add evp_keymgmt_fetch_from_prov() (diff) | |
EVP: Reverse the fetch logic in all pkey using functionality

In all initializing functions for functionality that uses an EVP_PKEY, the
coded logic was to find a KEYMGMT implementation first, and then try to
find the operation method (for example, SIGNATURE implementation) in the
same provider.

This implies that in providers where there is a KEYMGMT implementation,
there must also be a SIGNATURE implementation, along with a KEYEXCH,
ASYM_CIPHER, etc implementation.

The intended design was, however, the opposite implication, i.e. that
where there is a SIGNATURE implementation, there must also be KEYMGMT.

This change reverses the logic of the code to be closer to the intended
design.

There is a consequence; we now use the query_operation_name function from
the KEYMGMT of the EVP_PKEY given by the EVP_PKEY_CTX (ultimately given by
the application). Previously, we used the query_operation_name function
from the KEYMGMT found alongside the SIGNATURE implementation.

Another minor consequence is that the |keymgmt| field in EVP_PKEY_CTX
is now always a reference to the KEYMGMT of the |pkey| field if that
one is given (|pkey| isn't NULL) and is provided (|pkey->keymgmt|
isn't NULL).

Fixes #16614

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

Diffstat (limited to 'crypto/evp/pmeth_lib.c')
-rw-r--r-- | crypto/evp/pmeth_lib.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 1af1628823..2b9c6c2351 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -265,7 +265,20 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, * fetching a provider implementation. */ if (e == NULL && app_pmeth == NULL && keytype != NULL) { - keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); + /* + * If |pkey| is given and is provided, we take a reference to its + * keymgmt. Otherwise, we fetch one for the keytype we got. This + * is to ensure that operation init functions can access what they + * need through this single pointer. + */ + if (pkey != NULL && pkey->keymgmt != NULL) { + if (!EVP_KEYMGMT_up_ref(pkey->keymgmt)) + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + else + keymgmt = pkey->keymgmt; + } else { + keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); + } if (keymgmt == NULL) return NULL; /* EVP_KEYMGMT_fetch() recorded an error */ |
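
Review bot: The trailing comment on `return NULL` ("EVP_KEYMGMT_fetch() recorded an error") is stale after this hunk: when `EVP_KEYMGMT_up_ref(pkey->keymgmt)` fails, the new branch raises EVP_R_INITIALIZATION_ERROR and reaches the same `if (keymgmt == NULL)` check without EVP_KEYMGMT_fetch() having been called, so the comment should cover both error sources. That failure path also relies on `keymgmt` still being NULL at this point, which is established outside the visible lines; returning NULL directly after the ERR_raise would make the handling self-contained and easier to audit. It would also help if the new block comment stated that `libctx` and `propquery` are not consulted in the `pkey` branch, so the context uses whatever KEYMGMT the key already carries.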