[openssl] master update

Matt Caswell matt at openssl.org
Tue Oct 20 15:50:12 UTC 2020


The branch master has been updated
       via  0a737e16b2bc333cc3a8727458acc5460be10e0e (commit)
       via  3795b2a302fe0bd49118605f8692591e971c4608 (commit)
       via  5ac8fb584a0ba8e4223e98b87a5416d67340360e (commit)
      from  6a13c9c9842f54ed8d98c6f37cc4ae6c1cde8b7a (commit)


- Log -----------------------------------------------------------------
commit 0a737e16b2bc333cc3a8727458acc5460be10e0e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Oct 9 16:24:07 2020 +0100

    Deprecate EVP_PKEY_set1_tls_encodedpoint()
    
    Also deprecate EVP_PKEY_get1_tls_encodedpoint().
    
    The preferred alternative is EVP_PKEY_set1_encoded_public_key() and
    EVP_PKEY_get1_encoded_public_key().
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13105)

commit 3795b2a302fe0bd49118605f8692591e971c4608
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Oct 9 15:43:24 2020 +0100

    Document EVP_PKEY_set1_encoded_public_key()
    
    Also documented EVP_PKEY_get1_encoded_public_key
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13105)

commit 5ac8fb584a0ba8e4223e98b87a5416d67340360e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Oct 9 14:19:42 2020 +0100

    Rename EVP_PKEY_set1_tls_encodedpoint to EVP_PKEY_set1_encoded_public_key
    
    We do the same thing for the "get1" version. In reality this has broader
    use than just TLS (it can also be used in CMS), and "encodedpoint" only
    makes sense when you are talking about EC based algorithms.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13105)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                                    |  10 ++
 crypto/cms/cms_dh.c                           |   6 +-
 crypto/cms/cms_ec.c                           |   6 +-
 crypto/evp/p_lib.c                            |  29 +++---
 doc/man3/EVP_PKEY_ASN1_METHOD.pod             |   4 +-
 doc/man3/EVP_PKEY_set1_encoded_public_key.pod | 142 ++++++++++++++++++++++++++
 doc/man7/EVP_PKEY-DH.pod                      |   2 +-
 doc/man7/EVP_PKEY-EC.pod                      |   7 +-
 doc/man7/EVP_PKEY-X25519.pod                  |   7 +-
 include/openssl/core_names.h                  |   2 +-
 include/openssl/evp.h                         |  25 ++++-
 providers/implementations/keymgmt/dh_kmgmt.c  |   8 +-
 providers/implementations/keymgmt/ec_kmgmt.c  |  13 +--
 providers/implementations/keymgmt/ecx_kmgmt.c |   8 +-
 ssl/statem/extensions_clnt.c                  |   8 +-
 ssl/statem/extensions_srvr.c                  |   6 +-
 ssl/statem/statem_clnt.c                      |   8 +-
 ssl/statem/statem_srvr.c                      |   6 +-
 test/tls-provider.c                           |   9 +-
 util/libcrypto.num                            |   6 +-
 util/missingcrypto.txt                        |   2 -
 util/missingcrypto111.txt                     |   2 -
 util/other.syms                               |   2 +
 23 files changed, 244 insertions(+), 74 deletions(-)
 create mode 100644 doc/man3/EVP_PKEY_set1_encoded_public_key.pod

diff --git a/CHANGES.md b/CHANGES.md
index ba068b4f9d..828bbd1b75 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,16 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
+   EVP_PKEY_get1_tls_encodedpoint(). These functions were previously used by
+   libssl to set or get an encoded public key in/from an EVP_PKEY object. With
+   OpenSSL 3.0 these are replaced by the more generic functions
+   EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key().
+   The old versions have been converted to deprecated macros that just call the
+   new functions.
+
+   *Matt Caswell*
+
  * The security callback, which can be customised by application code, supports
    the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
    in the "other" parameter. In most places this is what is passed. All these
diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c
index 0d9eac50b3..2c64f50259 100644
--- a/crypto/cms/cms_dh.c
+++ b/crypto/cms/cms_dh.c
@@ -46,11 +46,7 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
     pkpeer = EVP_PKEY_new();
     if (pkpeer == NULL
             || !EVP_PKEY_copy_parameters(pkpeer, pk)
-               /*
-                * TODO(3.0): This is badly named!! Can we make this more
-                * generic and not TLS specific?
-                */
-            || !EVP_PKEY_set1_tls_encodedpoint(pkpeer, p, plen))
+            || !EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen))
         goto err;
 
     if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c
index 79d603adcb..9a602bb81d 100644
--- a/crypto/cms/cms_ec.c
+++ b/crypto/cms/cms_ec.c
@@ -112,8 +112,7 @@ static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
     if (p == NULL || plen == 0)
         goto err;
 
-    /* TODO(3.0): Terrible name. We need a non-tls specific name */
-    if (!EVP_PKEY_set1_tls_encodedpoint(pkpeer, p, plen))
+    if (!EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen))
         goto err;
 
     if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
@@ -279,8 +278,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
     if (aoid == OBJ_nid2obj(NID_undef)) {
         /* Set the key */
 
-        /* TODO(3.0): Terrible name. Needs a non TLS specific name */
-        penclen = EVP_PKEY_get1_tls_encodedpoint(pkey, &penc);
+        penclen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
         ASN1_STRING_set0(pubkey, penc, penclen);
         pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
         pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index cc30bc3495..1ec36d6cbc 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -1317,8 +1317,8 @@ int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid)
     return rv;
 }
 
-int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,
-                               const unsigned char *pt, size_t ptlen)
+int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, const unsigned char *pub,
+                                     size_t publen)
 {
     if (pkey->ameth == NULL) {
         OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
@@ -1327,20 +1327,21 @@ int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,
             return 0;
 
         params[0] =
-            OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT,
-                                              (unsigned char *)pt, ptlen);
+            OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
+                                              (unsigned char *)pub, publen);
         return evp_keymgmt_set_params(pkey->keymgmt, pkey->keydata, params);
     }
 
-    if (ptlen > INT_MAX)
+    if (publen > INT_MAX)
         return 0;
-    if (evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SET1_TLS_ENCPT, ptlen,
-                           (void *)pt) <= 0)
+    /* Historically this function was EVP_PKEY_set1_tls_encodedpoint */
+    if (evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SET1_TLS_ENCPT, publen,
+                           (void *)pub) <= 0)
         return 0;
     return 1;
 }
 
-size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt)
+size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub)
 {
     int rv;
 
@@ -1351,18 +1352,18 @@ size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt)
             return 0;
 
         params[0] =
-            OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT,
+            OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
                                               NULL, 0);
         if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params))
             return 0;
 
-        *ppt = OPENSSL_malloc(params[0].return_size);
-        if (*ppt == NULL)
+        *ppub = OPENSSL_malloc(params[0].return_size);
+        if (*ppub == NULL)
             return 0;
 
         params[0] =
-            OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT,
-                                              *ppt, params[0].return_size);
+            OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
+                                              *ppub, params[0].return_size);
         if (!evp_keymgmt_get_params(pkey->keymgmt, pkey->keydata, params))
             return 0;
 
@@ -1370,7 +1371,7 @@ size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt)
     }
 
 
-    rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_GET1_TLS_ENCPT, 0, ppt);
+    rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_GET1_TLS_ENCPT, 0, ppub);
     if (rv <= 0)
         return 0;
     return rv;
diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
index bc1f1ad04d..9f50a56964 100644
--- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod
+++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
@@ -258,8 +258,8 @@ L<EVP_PKEY_set_type_str(3)>, and L<EVP_PKEY_assign(3)>.
 The pkey_ctrl() method adds extra algorithm specific control.
 It's called by L<EVP_PKEY_get_default_digest_nid(3)>,
 L<EVP_PKEY_supports_digest_nid(3)>,
-L<EVP_PKEY_set1_tls_encodedpoint(3)>,
-L<EVP_PKEY_get1_tls_encodedpoint(3)>, L<PKCS7_SIGNER_INFO_set(3)>,
+L<EVP_PKEY_set1_encoded_public_key(3)>,
+L<EVP_PKEY_get1_encoded_public_key(3)>, L<PKCS7_SIGNER_INFO_set(3)>,
 L<PKCS7_RECIP_INFO_set(3)>, ...
 
  int (*old_priv_decode) (EVP_PKEY *pkey,
diff --git a/doc/man3/EVP_PKEY_set1_encoded_public_key.pod b/doc/man3/EVP_PKEY_set1_encoded_public_key.pod
new file mode 100644
index 0000000000..be30ad2d11
--- /dev/null
+++ b/doc/man3/EVP_PKEY_set1_encoded_public_key.pod
@@ -0,0 +1,142 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_set1_encoded_public_key, EVP_PKEY_get1_encoded_public_key,
+EVP_PKEY_set1_tls_encodedpoint, EVP_PKEY_get1_tls_encodedpoint
+- functions to set and get public key data within an EVP_PKEY
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey,
+                                      const unsigned char *pub, size_t publen);
+
+ size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub);
+
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,
+                                    const unsigned char *pt, size_t ptlen);
+
+ size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt);
+
+=head1 DESCRIPTION
+
+EVP_PKEY_set1_encoded_public_key() can be used to set the public key value
+within an existing EVP_PKEY object. For the built-in OpenSSL algorithms this
+currently only works for those that support key exchange. Parameters are not
+set as part of this operation, so typically an application will create an
+EVP_PKEY first, set the parameters on it, and then call this function.
+For example setting the parameters might be done using
+L<EVP_PKEY_copy_parameters(3)>.
+
+The format for the encoded public key will depend on the algorithm in use. For
+DH it should be encoded as a positive integer in big-endian form. For EC is
+should be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic
+Curve Cryptography") standard. For X25519 and X448 it should be encoded in a
+format as defined by RFC7748.
+
+The key to be updated is supplied in B<pkey>. The buffer containing the encoded
+key is pointed to be B<pub>. The length of the buffer is supplied in B<publen>.
+
+EVP_PKEY_get1_encoded_public_key() does the equivalent operation except that
+the encoded public key is returned to the application. The key containing the
+public key data is supplied in B<pkey>. A buffer containing the encoded key will
+be allocated and stored in B<*ppub>. The length of the encoded public key is
+returned by the function. The application is responsible for freeing the
+allocated buffer.
+
+The macro EVP_PKEY_set1_tls_encodedpoint() is deprecated and simply calls
+EVP_PKEY_set1_encoded_public_key() with all the same arguments. New applications
+should use EVP_PKEY_set1_encoded_public_key() instead.
+
+The macro EVP_PKEY_get1_tls_encodedpoint() is deprecated and simply calls
+EVP_PKEY_get1_encoded_public_key() with all the same arguments. New applications
+should use EVP_PKEY_get1_encoded_public_key() instead.
+
+
+=head1 RETURN VALUES
+
+EVP_PKEY_set1_encoded_public_key() returns 1 for success and 0 or a negative
+value for failure.
+
+EVP_PKEY_get1_encoded_public_key() return 1
+
+=head1 EXAMPLES
+
+See L<EVP_PKEY_derive_init(3)> and L<EVP_PKEY_derive(3)> for information about
+performing a key exchange operation.
+
+=head2 Set up a peer's EVP_PKEY ready for a key exchange operation
+
+ #include <openssl/evp.h>
+
+ int exchange(EVP_PKEY *ourkey, unsigned char *peer_pub, size_t peer_pub_len)
+ {
+     EVP_PKEY *peerkey = EVP_PKEY_new();
+
+     if (peerkey == NULL || EVP_PKEY_copy_parameters(peerkey, ourkey) <= 0)
+         return 0;
+
+     if (EVP_PKEY_set1_encoded_public_key(peerkey, peer_pub,
+                                          peer_pub_len) <= 0)
+         return 0;
+
+     /* Do the key exchange here */
+
+     EVP_PKEY_free(peerkey);
+
+     return 1;
+ }
+
+=head2 Get an encoded public key to send to a peer
+
+ #include <openssl/evp.h>
+
+ int get_encoded_pub_key(EVP_PKEY *ourkey)
+ {
+     unsigned char *pubkey;
+     size_t pubkey_len;
+
+    pubkey_len = EVP_PKEY_get1_encoded_public_key(ourkey, &pubkey);
+    if (pubkey_len == 0)
+        return 0;
+
+    /*
+     * Send the encoded public key stored in the buffer at "pubkey" and of
+     * length pubkey_len, to the peer.
+     */
+
+    OPENSSL_free(pubkey);
+    return 1;
+ }
+
+=head1 SEE ALSO
+
+L<EVP_PKEY_new(3)>, L<EVP_PKEY_copy_parameters(3)>,
+L<EVP_PKEY_derive_init(3)>, L<EVP_PKEY_derive(3)>,
+L<EVP_PKEY-DH(7)>, L<EVP_PKEY-EC(7)>, L<EVP_PKEY-X25519(7)>, L<EVP_PKEY-X448(7)>
+
+=head1 HISTORY
+
+EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key() were
+added in OpenSSL 3.0.
+
+EVP_PKEY_set1_tls_encodedpoint() and EVP_PKEY_get1_tls_encodedpoint() were
+deprecated in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
+
diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod
index 45d7c6ed5f..64ba7079dc 100644
--- a/doc/man7/EVP_PKEY-DH.pod
+++ b/doc/man7/EVP_PKEY-DH.pod
@@ -54,7 +54,7 @@ validation is required. The default value is 2.
 These are not named safe prime groups so setting this value for the OpenSSL FIPS
 provider will instead choose a named safe prime group based on the size of I<p>.
 
-=item "tls-encoded-pt" (B<OSSL_PKEY_PARAM_TLS_ENCODED_PT>) <octet string>
+=item "encoded-pub-key" (B<OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY>) <octet string>
 
 Used for getting and setting the encoding of the DH public key used in a key
 exchange message for the TLS protocol.
diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod
index 9b195810d0..be6e507169 100644
--- a/doc/man7/EVP_PKEY-EC.pod
+++ b/doc/man7/EVP_PKEY-EC.pod
@@ -91,10 +91,11 @@ The public key value in EC point format.
 
 The private key value.
 
-=item "tls-encoded-pt" (B<OSSL_PKEY_PARAM_TLS_ENCODED_PT>) <octet string>
+=item "encoded-pub-key" (B<OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY>) <octet string>
 
-Used for getting and setting the encoding of the EC public key used in key
-exchange message for the TLS protocol.
+Used for getting and setting the encoding of an EC public key. The public key
+is expected to be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic
+Curve Cryptography") standard.
 
 =back
 
diff --git a/doc/man7/EVP_PKEY-X25519.pod b/doc/man7/EVP_PKEY-X25519.pod
index 63760389c9..80a1a627d0 100644
--- a/doc/man7/EVP_PKEY-X25519.pod
+++ b/doc/man7/EVP_PKEY-X25519.pod
@@ -40,10 +40,11 @@ The public key value.
 
 The private key value.
 
-=item "tls-encoded-pt" (B<OSSL_PKEY_PARAM_TLS_ENCODED_PT>) <octet string>
+=item "encoded-pub-key" (B<OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY>) <octet string>
 
-Used for getting and setting the encoding of the public key used in a key exchange
-message for the TLS protocol.
+Used for getting and setting the encoding of a public key for the B<X25519> and
+B<X448> key types. Public keys are expected be encoded in a format as defined by
+RFC7748.
 
 =back
 
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 4a4bd36cbe..6a50f10da7 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -261,7 +261,7 @@ extern "C" {
 #define OSSL_PKEY_PARAM_MASKGENFUNC         "mgf"
 #define OSSL_PKEY_PARAM_MGF1_DIGEST         "mgf1-digest"
 #define OSSL_PKEY_PARAM_MGF1_PROPERTIES     "mgf1-properties"
-#define OSSL_PKEY_PARAM_TLS_ENCODED_PT      "tls-encoded-pt"
+#define OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY  "encoded-pub-key"
 #define OSSL_PKEY_PARAM_GROUP_NAME          "group"
 #define OSSL_PKEY_PARAM_DIST_ID             "distid"
 #define OSSL_PKEY_PARAM_PUB_KEY             "pub"
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 326289a1dd..7c36e78ce1 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1280,9 +1280,28 @@ int EVP_PKEY_get_default_digest_name(EVP_PKEY *pkey,
                                      char *mdname, size_t mdname_sz);
 int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid);
 
-int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,
-                                   const unsigned char *pt, size_t ptlen);
-size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt);
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+/*
+ * For backwards compatibility. Use EVP_PKEY_set1_encoded_public_key in
+ * preference
+ */
+#  define EVP_PKEY_set1_tls_encodedpoint(pkey, pt, ptlen) \
+          EVP_PKEY_set1_encoded_public_key((pkey), (pt), (ptlen))
+# endif
+
+int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey,
+                                     const unsigned char *pub, size_t publen);
+
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+/*
+ * For backwards compatibility. Use EVP_PKEY_get1_encoded_public_key in
+ * preference
+ */
+#  define EVP_PKEY_get1_tls_encodedpoint(pkey, ppt) \
+          EVP_PKEY_get1_encoded_public_key((pkey), (ppt))
+# endif
+
+size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub);
 
 int EVP_CIPHER_type(const EVP_CIPHER *ctx);
 
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index bfd70c3962..73164672f8 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -310,7 +310,7 @@ static ossl_inline int dh_get_params(void *key, OSSL_PARAM params[])
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
         && !OSSL_PARAM_set_int(p, DH_size(dh)))
         return 0;
-    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT)) != NULL) {
+    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING)
             return 0;
         p->return_size = dh_key2buf(dh, (unsigned char **)&p->data,
@@ -327,7 +327,7 @@ static const OSSL_PARAM dh_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     DH_IMEXPORTABLE_PARAMETERS,
     DH_IMEXPORTABLE_PUBLIC_KEY,
     DH_IMEXPORTABLE_PRIVATE_KEY,
@@ -340,7 +340,7 @@ static const OSSL_PARAM *dh_gettable_params(void *provctx)
 }
 
 static const OSSL_PARAM dh_known_settable_params[] = {
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     OSSL_PARAM_END
 };
 
@@ -354,7 +354,7 @@ static int dh_set_params(void *key, const OSSL_PARAM params[])
     DH *dh = key;
     const OSSL_PARAM *p;
 
-    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT);
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
     if (p != NULL
             && (p->data_type != OSSL_PARAM_OCTET_STRING
                 || !dh_buf2key(dh, p->data, p->data_size)))
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 7508a794ad..b96d0ea538 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -650,7 +650,8 @@ int common_get_params(void *key, OSSL_PARAM params[], int sm2)
                 goto err;
         }
     }
-    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT)) != NULL) {
+    if ((p = OSSL_PARAM_locate(params,
+                               OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) {
         p->return_size = EC_POINT_point2oct(EC_KEY_get0_group(key),
                                             EC_KEY_get0_public_key(key),
                                             POINT_CONVERSION_UNCOMPRESSED,
@@ -693,7 +694,7 @@ static const OSSL_PARAM ec_known_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     EC_IMEXPORTABLE_DOM_PARAMETERS,
     EC2M_GETTABLE_DOM_PARAMS
     EC_IMEXPORTABLE_PUBLIC_KEY,
@@ -712,7 +713,7 @@ const OSSL_PARAM *ec_gettable_params(void *provctx)
 
 static const OSSL_PARAM ec_known_settable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     OSSL_PARAM_END
 };
 
@@ -728,7 +729,7 @@ int ec_set_params(void *key, const OSSL_PARAM params[])
     EC_KEY *eck = key;
     const OSSL_PARAM *p;
 
-    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT);
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
     if (p != NULL) {
         BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(key));
         int ret = 1;
@@ -756,7 +757,7 @@ static const OSSL_PARAM sm2_known_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     EC_IMEXPORTABLE_DOM_PARAMETERS,
     EC_IMEXPORTABLE_PUBLIC_KEY,
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_PUB_X, NULL, 0),
@@ -772,7 +773,7 @@ const OSSL_PARAM *sm2_gettable_params(ossl_unused void *provctx)
 }
 
 static const OSSL_PARAM sm2_known_settable_params[] = {
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     OSSL_PARAM_END
 };
 
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c
index f4e59b3322..16ffc3126c 100644
--- a/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -265,7 +265,7 @@ static int ecx_get_params(void *key, OSSL_PARAM params[], int bits, int secbits,
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
         && !OSSL_PARAM_set_int(p, size))
         return 0;
-    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT)) != NULL
+    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL
             && (ecx->type == ECX_KEY_TYPE_X25519
                 || ecx->type == ECX_KEY_TYPE_X448)) {
         if (!OSSL_PARAM_set_octet_string(p, ecx->pubkey, ecx->keylen))
@@ -317,7 +317,7 @@ static const OSSL_PARAM ecx_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     ECX_KEY_TYPES(),
     OSSL_PARAM_END
 };
@@ -369,7 +369,7 @@ static int ecx_set_params(void *key, const OSSL_PARAM params[])
     ECX_KEY *ecxkey = key;
     const OSSL_PARAM *p;
 
-    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT);
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
     if (p != NULL) {
         void *buf = ecxkey->pubkey;
 
@@ -412,7 +412,7 @@ static int ed448_set_params(void *key, const OSSL_PARAM params[])
 }
 
 static const OSSL_PARAM ecx_settable_params[] = {
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_PROPERTIES, NULL, 0),
     OSSL_PARAM_END
 };
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 15cd622ed5..351d695af8 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -647,8 +647,8 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
     }
 
     /* Encode the public key. */
-    encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
-                                                &encoded_point);
+    encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
+                                                  &encoded_point);
     if (encodedlen == 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
         goto err;
@@ -1916,8 +1916,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
             return 0;
         }
 
-        if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
-                    PACKET_remaining(&encoded_pt))) {
+        if (EVP_PKEY_set1_encoded_public_key(skey, PACKET_data(&encoded_pt),
+                                             PACKET_remaining(&encoded_pt)) <= 0) {
             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                     SSL_R_BAD_ECPOINT);
             EVP_PKEY_free(skey);
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index eb24d0a19e..cf4937125f 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -713,9 +713,9 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 
         s->s3.group_id = group_id;
 
-        if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
+        if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
                 PACKET_data(&encoded_pt),
-                PACKET_remaining(&encoded_pt))) {
+                PACKET_remaining(&encoded_pt)) <= 0) {
             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                      SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
             return 0;
@@ -1751,7 +1751,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
         }
 
         /* Generate encoding of server key */
-        encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
+        encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
         if (encoded_pt_len == 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index ba57d31428..f896e19d40 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2235,9 +2235,9 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
         return 0;
     }
 
-    if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
-                                        PACKET_data(&encoded_pt),
-                                        PACKET_remaining(&encoded_pt))) {
+    if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
+                                         PACKET_data(&encoded_pt),
+                                         PACKET_remaining(&encoded_pt)) <= 0) {
         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE,
                  SSL_R_BAD_ECPOINT);
         return 0;
@@ -3147,7 +3147,7 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
     }
 
     /* Generate encoding of client key */
-    encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint);
+    encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
 
     if (encoded_pt_len == 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 2da037a248..81cea6db37 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2633,8 +2633,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
         }
 
         /* Encode the public key. */
-        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3.tmp.pkey,
-                                                    &encodedPoint);
+        encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey,
+                                                      &encodedPoint);
         if (encodedlen == 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
@@ -3216,7 +3216,7 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
             goto err;
         }
 
-        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
+        if (EVP_PKEY_set1_encoded_public_key(ckey, data, i) <= 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                      ERR_R_EC_LIB);
             goto err;
diff --git a/test/tls-provider.c b/test/tls-provider.c
index 86d204240b..d3188d0c20 100644
--- a/test/tls-provider.c
+++ b/test/tls-provider.c
@@ -476,7 +476,8 @@ static ossl_inline int xor_get_params(void *vkey, OSSL_PARAM params[])
         && !OSSL_PARAM_set_int(p, xor_group.secbits))
         return 0;
 
-    if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT)) != NULL) {
+    if ((p = OSSL_PARAM_locate(params,
+                               OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING)
             return 0;
         p->return_size = XOR_KEY_SIZE;
@@ -490,7 +491,7 @@ static ossl_inline int xor_get_params(void *vkey, OSSL_PARAM params[])
 static const OSSL_PARAM xor_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     OSSL_PARAM_END
 };
 
@@ -504,7 +505,7 @@ static int xor_set_params(void *vkey, const OSSL_PARAM params[])
     XORKEY *key = vkey;
     const OSSL_PARAM *p;
 
-    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_TLS_ENCODED_PT);
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
     if (p != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING
                 || p->data_size != XOR_KEY_SIZE)
@@ -517,7 +518,7 @@ static int xor_set_params(void *vkey, const OSSL_PARAM params[])
 }
 
 static const OSSL_PARAM xor_known_settable_params[] = {
-    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_TLS_ENCODED_PT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     OSSL_PARAM_END
 };
 
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 6c0fae783b..4fa6d9e50e 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4046,8 +4046,8 @@ X509_STORE_lock                         4134	3_0_0	EXIST::FUNCTION:
 X509_set_proxy_pathlen                  4135	3_0_0	EXIST::FUNCTION:
 X509_get_proxy_pathlen                  4136	3_0_0	EXIST::FUNCTION:
 DSA_bits                                4137	3_0_0	EXIST::FUNCTION:DSA
-EVP_PKEY_set1_tls_encodedpoint          4138	3_0_0	EXIST::FUNCTION:
-EVP_PKEY_get1_tls_encodedpoint          4139	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_set1_tls_encodedpoint          4138	3_0_0	NOEXIST::FUNCTION:
+EVP_PKEY_get1_tls_encodedpoint          4139	3_0_0	NOEXIST::FUNCTION:
 ASN1_STRING_get0_data                   4140	3_0_0	EXIST::FUNCTION:
 X509_SIG_getm                           4141	3_0_0	EXIST::FUNCTION:
 X509_get0_serialNumber                  4142	3_0_0	EXIST::FUNCTION:
@@ -5290,3 +5290,5 @@ OSSL_DECODER_from_data                  ?	3_0_0	EXIST::FUNCTION:
 OSSL_ENCODER_to_data                    ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get0_libctx                ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get0_propq                 ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_set1_encoded_public_key        ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_get1_encoded_public_key        ?	3_0_0	EXIST::FUNCTION:
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index 481331e261..f2b91e2587 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -692,13 +692,11 @@ EVP_PKEY_decrypt_old(3)
 EVP_PKEY_delete_attr(3)
 EVP_PKEY_encrypt_old(3)
 EVP_PKEY_get0(3)
-EVP_PKEY_get1_tls_encodedpoint(3)
 EVP_PKEY_get_attr(3)
 EVP_PKEY_get_attr_by_NID(3)
 EVP_PKEY_get_attr_by_OBJ(3)
 EVP_PKEY_get_attr_count(3)
 EVP_PKEY_save_parameters(3)
-EVP_PKEY_set1_tls_encodedpoint(3)
 EVP_add_alg_module(3)
 EVP_add_cipher(3)
 EVP_add_digest(3)
diff --git a/util/missingcrypto111.txt b/util/missingcrypto111.txt
index 77a7295246..a232ed2af0 100644
--- a/util/missingcrypto111.txt
+++ b/util/missingcrypto111.txt
@@ -691,13 +691,11 @@ EVP_PKEY_encrypt_old(3)
 EVP_PKEY_get0(3)
 EVP_PKEY_get0_poly1305(3)
 EVP_PKEY_get0_siphash(3)
-EVP_PKEY_get1_tls_encodedpoint(3)
 EVP_PKEY_get_attr(3)
 EVP_PKEY_get_attr_by_NID(3)
 EVP_PKEY_get_attr_by_OBJ(3)
 EVP_PKEY_get_attr_count(3)
 EVP_PKEY_save_parameters(3)
-EVP_PKEY_set1_tls_encodedpoint(3)
 EVP_PKEY_set_type(3)
 EVP_PKEY_set_type_str(3)
 EVP_add_alg_module(3)
diff --git a/util/other.syms b/util/other.syms
index e5d98a9877..aa85ffa26a 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -601,3 +601,5 @@ OSSL_TRACE1                             define
 OSSL_TRACE2                             define
 OSSL_TRACE9                             define
 TS_VERIFY_CTS_set_certs                 define deprecated 3.0.0
+EVP_PKEY_get1_tls_encodedpoint          define deprecated 3.0.0
+EVP_PKEY_set1_tls_encodedpoint          define deprecated 3.0.0


More information about the openssl-commits mailing list