git.openssl.org Git - openssl.git/commit

author	Richard Levitte <levitte@openssl.org>
	Fri, 1 Oct 2021 12:05:02 +0000 (14:05 +0200)
committer	Richard Levitte <levitte@openssl.org>
	Wed, 27 Oct 2021 10:41:13 +0000 (12:41 +0200)
commit	839ffdd11cd48d329a1d89565d62e0be082f9d08
tree	1faaabec78c689c4e6e103bd1acfa0ef6e2a4982	tree \| snapshot
parent	ff7781462dd04ab99c159136b47672252bad7fa8	commit \| diff

EVP: Allow a fallback for operations that work with an EVP_PKEY

Functions like EVP_PKEY_sign_init() do an implicit fetch of the
operation implementation (EVP_SIGNATURE in this case), then get the
KEYMGMT from the same provider, and tries to export the key there if
necessary.

If an export of the key isn't possible (because the provider that
holds the key is an HSM and therefore can't export), we would simply
fail without looking any further.

This change modifies the behaviour a bit by trying a second fetch of
the operation implementation, but specifically from the provider of
the EVP_PKEY that's being used. This is done with the same properties
that were used with the initial operation implementation fetch, and
should therefore be safe, allowing only what those properties allow.

Fixes #16614

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

crypto/evp/asymcipher.c		diff \| blob \| history
crypto/evp/exchange.c		diff \| blob \| history
crypto/evp/kem.c		diff \| blob \| history
crypto/evp/m_sigver.c		diff \| blob \| history
crypto/evp/signature.c		diff \| blob \| history
doc/build.info		diff \| blob \| history
doc/man3/EVP_SIGNATURE.pod	[moved from doc/man3/EVP_SIGNATURE_free.pod with 98% similarity]	diff \| blob \| history
doc/man7/crypto.pod		diff \| blob \| history
util/other.syms		diff \| blob \| history