[openssl] master update
Richard Levitte
levitte at openssl.org
Sun Nov 3 17:33:46 UTC 2019
The branch master has been updated
via 3ee348b0dc5cd904fc2c022e6543f478c3d78732 (commit)
via 60653e5b25242555446f8acf0abd5ab9ff83010c (commit)
from e774adb593e7bf9057775d85ecc7c24e9bacee12 (commit)
- Log -----------------------------------------------------------------
commit 3ee348b0dc5cd904fc2c022e6543f478c3d78732
Author: Richard Levitte <levitte at openssl.org>
Date: Fri Nov 1 16:56:31 2019 +0100
Change EVP_PKEY_CTX_new_provided() to take a library context too.
With provided algorithms, the library context is ever present, so of
course it should be specified alongside the algorithm name and
property query string.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10308)
commit 60653e5b25242555446f8acf0abd5ab9ff83010c
Author: Richard Levitte <levitte at openssl.org>
Date: Thu Oct 31 11:43:31 2019 +0100
Make EVP_PKEY_CTX initialization more precise
There is a vagueness around how the provider data (algorithm name and
property query string) is initialized in the presence of an engine.
This change modifies this slightly so that the algorithm name for use
with providers is never set if the initilization was given an engine.
This makes it easier for other functions to simply check ctx->algorithm
to see if the context is meant to be used for strictly legacy stuff or
not.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10308)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/pmeth_lib.c | 42 ++++++++++++++++++++++++++++++++++++------
doc/man3/EVP_PKEY_CTX_new.pod | 13 +++++++------
include/crypto/evp.h | 6 +++++-
include/openssl/evp.h | 3 ++-
4 files changed, 50 insertions(+), 14 deletions(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 350d963086..d547e5a69d 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -111,7 +111,8 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
return (**ret)();
}
-static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e,
+static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx,
+ EVP_PKEY *pkey, ENGINE *e,
const char *name, const char *propquery,
int id)
{
@@ -132,8 +133,34 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e,
return 0;
id = pkey->type;
}
- name = OBJ_nid2sn(id);
+
+ /*
+ * Here, we extract what information we can for the purpose of
+ * supporting usage with implementations from providers, to make
+ * for a smooth transition from legacy stuff to provider based stuff.
+ *
+ * If an engine is given, this is entirely legacy, and we should not
+ * pretend anything else, so we only set the name when no engine is
+ * given. If both are already given, someone made a mistake, and
+ * since that can only happen internally, it's safe to make an
+ * assertion.
+ */
+ if (!ossl_assert(e == NULL || name == NULL))
+ return NULL;
+ if (e == NULL)
+ name = OBJ_nid2sn(id);
propquery = NULL;
+ /*
+ * We were called using legacy data, or an EVP_PKEY, but an EVP_PKEY
+ * isn't tied to a specific library context, so we fall back to the
+ * default library context.
+ * TODO(v3.0): an EVP_PKEY that doesn't originate from a leagacy key
+ * structure only has the pkeys[] cache, where the first element is
+ * considered the "origin". Investigate if that could be a suitable
+ * way to find a library context.
+ */
+ libctx = NULL;
+
#ifndef OPENSSL_NO_ENGINE
if (e == NULL && pkey != NULL)
e = pkey->pmeth_engine != NULL ? pkey->pmeth_engine : pkey->engine;
@@ -175,6 +202,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e,
EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ ret->libctx = libctx;
ret->algorithm = name;
ret->propquery = propquery;
ret->engine = e;
@@ -287,18 +315,19 @@ void EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth)
EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e)
{
- return int_ctx_new(pkey, e, NULL, NULL, -1);
+ return int_ctx_new(NULL, pkey, e, NULL, NULL, -1);
}
EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e)
{
- return int_ctx_new(NULL, e, NULL, NULL, id);
+ return int_ctx_new(NULL, NULL, e, NULL, NULL, id);
}
-EVP_PKEY_CTX *EVP_PKEY_CTX_new_provided(const char *name,
+EVP_PKEY_CTX *EVP_PKEY_CTX_new_provided(OPENSSL_CTX *libctx,
+ const char *name,
const char *propquery)
{
- return int_ctx_new(NULL, NULL, name, propquery, -1);
+ return int_ctx_new(libctx, NULL, NULL, name, propquery, -1);
}
EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
@@ -328,6 +357,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *pctx)
EVP_PKEY_up_ref(pctx->pkey);
rctx->pkey = pctx->pkey;
rctx->operation = pctx->operation;
+ rctx->libctx = pctx->libctx;
rctx->algorithm = pctx->algorithm;
rctx->propquery = pctx->propquery;
diff --git a/doc/man3/EVP_PKEY_CTX_new.pod b/doc/man3/EVP_PKEY_CTX_new.pod
index de7f439da5..5d18a04344 100644
--- a/doc/man3/EVP_PKEY_CTX_new.pod
+++ b/doc/man3/EVP_PKEY_CTX_new.pod
@@ -12,7 +12,8 @@ EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free
EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);
- EVP_PKEY_CTX *EVP_PKEY_CTX_new_provided(const char *name,
+ EVP_PKEY_CTX *EVP_PKEY_CTX_new_provided(OPENSSL_CTX *libctx,
+ const char *name,
const char *propquery);
EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *ctx);
void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
@@ -25,11 +26,11 @@ the algorithm specified in I<pkey> and ENGINE I<e>.
The EVP_PKEY_CTX_new_id() function allocates public key algorithm context
using the algorithm specified by I<id> and ENGINE I<e>.
-The EVP_PKEY_CTX_new_provided() function allocates a public key
-algorithm context using the algorithm specified by I<name> and the
-property query I<propquery>. The strings aren't duplicated, so they
-must remain unchanged for the lifetime of the returned B<EVP_PKEY_CTX>
-or of any of its duplicates.
+The EVP_PKEY_CTX_new_provided() function allocates a public key algorithm
+context using the library context I<libctx> (see L<OPENSSL_CTX(3)>), the
+algorithm specified by I<name> and the property query I<propquery>. None
+of the arguments are duplicated, so they must remain unchanged for the
+lifetime of the returned B<EVP_PKEY_CTX> or of any of its duplicates.
EVP_PKEY_CTX_new_id() and EVP_PKEY_CTX_new_provided() are normally
used when no B<EVP_PKEY> structure is associated with the operations,
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index dad7174bc5..32ae121eea 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -21,7 +21,11 @@ struct evp_pkey_ctx_st {
/* Actual operation */
int operation;
- /* Algorithm name and properties associated with this context */
+ /*
+ * Library context, Algorithm name and properties associated
+ * with this context
+ */
+ OPENSSL_CTX *libctx;
const char *algorithm;
const char *propquery;
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index a0190c8b08..baa1ce8c6c 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1461,7 +1461,8 @@ void EVP_KEYMGMT_names_do_all(const EVP_KEYMGMT *keymgmt,
EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);
-EVP_PKEY_CTX *EVP_PKEY_CTX_new_provided(const char *name,
+EVP_PKEY_CTX *EVP_PKEY_CTX_new_provided(OPENSSL_CTX *libctx,
+ const char *name,
const char *propquery);
EVP_PKEY_CTX *EVP_PKEY_CTX_dup(const EVP_PKEY_CTX *ctx);
void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
More information about the openssl-commits
mailing list