diff options
| author | Richard Levitte <levitte@openssl.org> | 2020-02-20 20:26:16 +0100 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2020-02-29 05:39:43 +0100 |
| commit | 3c6ed9555c7735c24d5f59c8b4ab7b9c4d807c77 (patch) | |
| tree | 663b632b0655551629e64f860c64d8b892513449 /crypto/evp/exchange.c | |
| parent | man: openssl-ocsp: separate client and server options (diff) | |
| download | openssl-3c6ed9555c7735c24d5f59c8b4ab7b9c4d807c77.tar.xz openssl-3c6ed9555c7735c24d5f59c8b4ab7b9c4d807c77.zip | |
Rethink the EVP_PKEY cache of provider side keys
The role of this cache was two-fold:
1. It was a cache of key copies exported to providers with which an
operation was initiated.
2. If the EVP_PKEY didn't have a legacy key, item 0 of the cache was
the corresponding provider side origin, while the rest was the
actual cache.
This dual role for item 0 made the code a bit confusing, so we now
make a separate keymgmt / keydata pair outside of that cache, which is
the provider side "origin" key.
A hard rule is that an EVP_PKEY cannot hold a legacy "origin" and a
provider side "origin" at the same time.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11148)
Diffstat (limited to 'crypto/evp/exchange.c')
| -rw-r--r-- | crypto/evp/exchange.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c index 142a820651..ec5ba03f09 100644 --- a/crypto/evp/exchange.c +++ b/crypto/evp/exchange.c @@ -200,10 +200,13 @@ int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) if (ctx->engine != NULL || ctx->keytype == NULL) goto legacy; - /* Ensure that the key is provided. If not, go legacy */ + /* + * Ensure that the key is provided, either natively, or as a cached export. + * If not, go legacy + */ tmp_keymgmt = ctx->keymgmt; - provkey = evp_pkey_make_provided(ctx->pkey, ctx->libctx, - &tmp_keymgmt, ctx->propquery); + provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx, + &tmp_keymgmt, ctx->propquery); if (provkey == NULL) goto legacy; if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { @@ -309,8 +312,8 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) return -2; } - provkey = evp_pkey_make_provided(peer, ctx->libctx, &ctx->keymgmt, - ctx->propquery); + provkey = evp_pkey_export_to_provider(peer, ctx->libctx, &ctx->keymgmt, + ctx->propquery); /* * If making the key provided wasn't possible, legacy may be able to pick * it up |