EVP & TLS: Add necessary EC_KEY data extraction functions, and use them #11358
levitte wants to merge 7 commits into openssl:master from
|
Hmmm. I can't say I'm keen on this. This seems to just sidestep the problem of what to do with the |
|
Yes, that's true. However, as soon as we get EC key generation, we get issues with this, so the question is how long that should be stuck waiting for "the right thing" to happen. I could make those functions internal but still exported, if that helps matters |
|
This is an interim solution |
|
Marked as WIP for obvious reasons |
That would definitely help I think. |
|
Although, I think |
|
There. I've also added EVP_PKEY_is_a(), which has been floating around in more than one branch I juggled with |
|
Could you push the latest version of your local branch here? I'm experimenting with your ec key gen stuff... |
|
Done, and in #11328 as well |
8184f4c to 1763fdf
|
Rebased on master, now that #11375 is in. |
|
Ping! |
|
UPDATE: it's the other way around, which is much better, so never mind!
|
|
Ping! |
|
Needs rebase! |
|
There are now conflicts and the Travis failure is probably relevant |
EVP_PKEY_is_a() is the provider side key checking function corresponding to checking EVP_PKEY_id() or an EVP_PKEY against macros like EVP_PKEY_EC. It also works with legacy internal keys. We also add a warning in doc/man3/EVP_PKEY_set1_RSA.pod regarding the reliability of certain functions that only understand legacy keys. Finally, we take the opportunity to clean up doc/man3/EVP_PKEY_set1_RSA.pod to better conform with man-page layout norms, see man-pages(7) on Linux.
libssl code uses EVP_PKEY_get0_EC_KEY() to extract certain basic data from the EC_KEY. We replace that with internal EVP_PKEY functions. This may or may not be refactored later on.
The exporter freed a buffer too soon, and there were attempts to use its data later, which was overwritten by something else at that point.
The transfer of TLS encodedpoint to backends isn't yet fully supported in provider implementations. This is a temporary measure so as not to get stuck in other development.
|
Ah, the CI failure was due to a merge error with duplicate definition of the same local variable. |
|
Approved assuming CIs pass. |
|
... it only takes a rebase for hell to break loose 😒 |
|
With @mattcaswell's assistance, I was able to put in a workable hack. It turned out that legacy key support needed some hard coding. |
|
One failure left... I didn't account for |
|
... at least not everywhere |
|
Fixed |
mattcaswell left a comment
Reconfirm assuming CIs are ok
|
Apart from the usual timeout, CIs are fine |
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
EVP_PKEY_is_a() is the provider side key checking function corresponding to checking EVP_PKEY_id() or an EVP_PKEY against macros like EVP_PKEY_EC. It also works with legacy internal keys. We also add a warning in doc/man3/EVP_PKEY_set1_RSA.pod regarding the reliability of certain functions that only understand legacy keys. Finally, we take the opportunity to clean up doc/man3/EVP_PKEY_set1_RSA.pod to better conform with man-page layout norms, see man-pages(7) on Linux. Reviewed-by: Matt Caswell <[email protected]> (Merged from #11358)
libssl code uses EVP_PKEY_get0_EC_KEY() to extract certain basic data from the EC_KEY. We replace that with internal EVP_PKEY functions. This may or may not be refactored later on. Reviewed-by: Matt Caswell <[email protected]> (Merged from #11358)
The exporter freed a buffer too soon, and there were attempts to use its data later, which was overwritten by something else at that point. Reviewed-by: Matt Caswell <[email protected]> (Merged from #11358)
The transfer of TLS encodedpoint to backends isn't yet fully supported in provider implementations. This is a temporary measure so as not to get stuck in other development. Reviewed-by: Matt Caswell <[email protected]> (Merged from #11358)
|
Oh damn, now I see that the last approval came after the "approval: done" label was set, so I cut the grace period short... by 3hrs, I hope it's not too bad. |
libssl code uses EVP_PKEY_get0_EC_KEY() to extract certain basic data
from the EC_KEY. We replace that with EVP_PKEY functions.
This may or may not be refactored later on.