From 0b660c7f1a404b27b81e36b152050863d0ab8e8c Mon Sep 17 00:00:00 2001 From: Justin Smith Date: Wed, 7 Aug 2024 12:25:43 -0400 Subject: [PATCH] EVP_PKEY_get0 implementation --- crypto/asn1/asn1_test.cc | 4 ++++ crypto/ecdh_extra/ecdh_test.cc | 4 +++- crypto/evp_extra/evp_test.cc | 7 +++++++ crypto/fipsmodule/evp/evp.c | 11 +++++------ include/openssl/evp.h | 14 +++++++------- 5 files changed, 26 insertions(+), 14 deletions(-) diff --git a/crypto/asn1/asn1_test.cc b/crypto/asn1/asn1_test.cc index d738e59071b..830605086c9 100644 --- a/crypto/asn1/asn1_test.cc +++ b/crypto/asn1/asn1_test.cc @@ -2462,9 +2462,13 @@ TEST(ASN1Test, ASN1Dup) { 0); bssl::UniquePtr evp_pkey(EVP_PKEY_new()); + OPENSSL_BEGIN_ALLOW_DEPRECATED + ASSERT_FALSE(EVP_PKEY_get0(evp_pkey.get())); X509_PUBKEY *tmp_key = nullptr; ASSERT_TRUE(evp_pkey); ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(evp_pkey.get(), key.get())); + ASSERT_EQ(key.get(), EVP_PKEY_get0(evp_pkey.get())); + OPENSSL_END_ALLOW_DEPRECATED ASSERT_TRUE(X509_PUBKEY_set(&tmp_key, evp_pkey.get())); bssl::UniquePtr x509_pubkey(tmp_key); bssl::UniquePtr x509_pubkey_copy((X509_PUBKEY *)ASN1_dup( diff --git a/crypto/ecdh_extra/ecdh_test.cc b/crypto/ecdh_extra/ecdh_test.cc index 45c40db3df1..eaa29956b68 100644 --- a/crypto/ecdh_extra/ecdh_test.cc +++ b/crypto/ecdh_extra/ecdh_test.cc @@ -264,7 +264,9 @@ static void RunWycheproofTest(FileTest *t) { } EC_KEY *peer_ec = EVP_PKEY_get0_EC_KEY(peer_evp.get()); ASSERT_TRUE(peer_ec); - + OPENSSL_BEGIN_ALLOW_DEPRECATED + ASSERT_EQ(peer_ec, EVP_PKEY_get0(peer_evp.get())); + OPENSSL_END_ALLOW_DEPRECATED bssl::UniquePtr key(EC_KEY_new()); ASSERT_TRUE(key); ASSERT_TRUE(EC_KEY_set_group(key.get(), group)); diff --git a/crypto/evp_extra/evp_test.cc b/crypto/evp_extra/evp_test.cc index fb87e498189..9202e94904f 100644 --- a/crypto/evp_extra/evp_test.cc +++ b/crypto/evp_extra/evp_test.cc @@ -662,6 +662,9 @@ static void RunWycheproofVerifyTest(const char *path) { if (EVP_PKEY_id(key.get()) == EVP_PKEY_DSA) { // DSA is deprecated and is not usable via EVP. DSA *dsa = EVP_PKEY_get0_DSA(key.get()); + OPENSSL_BEGIN_ALLOW_DEPRECATED + ASSERT_EQ(dsa, EVP_PKEY_get0(key.get())); + OPENSSL_END_ALLOW_DEPRECATED uint8_t digest[EVP_MAX_MD_SIZE]; unsigned digest_len; ASSERT_TRUE( @@ -1037,7 +1040,11 @@ static EVP_PKEY * instantiate_and_set_private_key(const uint8_t *private_key, BN_free(private_key_bn); pkey = EVP_PKEY_new(); EXPECT_TRUE(pkey); + OPENSSL_BEGIN_ALLOW_DEPRECATED + EXPECT_FALSE(EVP_PKEY_get0(pkey)); EXPECT_TRUE(EVP_PKEY_assign(pkey, key_type, (EC_KEY *) ec_key)); + EXPECT_EQ(ec_key, EVP_PKEY_get0(pkey)); + OPENSSL_END_ALLOW_DEPRECATED } return pkey; diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c index 4587f8a36ab..f6f3279b3e6 100644 --- a/crypto/fipsmodule/evp/evp.c +++ b/crypto/fipsmodule/evp/evp.c @@ -543,12 +543,11 @@ int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { } void *EVP_PKEY_get0(const EVP_PKEY *pkey) { - // Node references, but never calls this function, so for now we return NULL. - // If other projects require complete support, call |EVP_PKEY_get0_RSA|, etc., - // rather than reading |pkey->pkey.ptr| directly. This avoids problems if our - // internal representation does not match the type the caller expects from - // OpenSSL. - return NULL; + GUARD_PTR(pkey); + if (pkey->type == EVP_PKEY_NONE) { + return NULL; + } + return pkey->pkey.ptr; } void OpenSSL_add_all_algorithms(void) {} diff --git a/include/openssl/evp.h b/include/openssl/evp.h index eea831786f9..53719f3d094 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1142,17 +1142,17 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, size_t mac_key_len); -// General No-op Functions [Deprecated]. +// Deprecated functions -// EVP_PKEY_get0 returns NULL. This function is provided for compatibility with -// OpenSSL but does not return anything. Use the typed |EVP_PKEY_get0_*| -// functions instead. +// EVP_PKEY_get0 returns the consumed key. The type of value returned differs +// depending on the type of the |EVP_PKEY|. // -// Note: In OpenSSL, the returned type will be different depending on the type -// of |EVP_PKEY| consumed. This leads to misuage very easily and has been -// deprecated as a no-op to avoid so. +// This function is provided only for compatibility with OpenSSL. +// Prefer the use the typed |EVP_PKEY_get0_*| functions instead. OPENSSL_EXPORT OPENSSL_DEPRECATED void *EVP_PKEY_get0(const EVP_PKEY *pkey); +// General No-op Functions [Deprecated]. + // OpenSSL_add_all_algorithms does nothing. This has been deprecated since // OpenSSL 1.1.0. //