Note that this isn't finished yet, there are fixup functions missing. However, the functionality and structure have crystallised enough to make the idea reviewable. Please comment, even it doesn't build, early feedback welcome!

The fixup functions need to know the insize and outsize of all params, right? This means that third-party providers cant add new controls. Or am I just misreading the code?

@richsalz, I think you've misunderstood the purpose.

1. This is entirely in libcrypto and about stuff that libcrypto knows. Period. Providers are not involved (more than being recipients of OSSL_PARAM data), at all.
2. This is a tool that translates between ctrl functions and ctrl command numbers that libcrypto knows and OSSL_PARAM functions and names that libcrypto knows, in both directions.

Regarding insize and outsize, the OSSL_PARAM structure already delivers that. However, the limiting factor is the ctrl functions, which do not easily supply this (well, you can pass the insize as p1, and you can ask for an outsize with a separate ctrl command and passing the pointer to a size_t as p2...)

So in the end, this is meant to support calling EVP_PKEY_CTX_ctrl() with an EVP_PKEY_CTX that's set up for a provider backed operation, to support calling EVP_PKEY_CTX_set_params() with an EVP_PKEY_CTX that's set up for a legacy operation (limited to things libcrypto knows about), and to support calling EVP_PKEY_get_bn_param() with a legacy EVP_PKEY.

The life time of this source file is the same as the lifetime of legacy EVP_PKEYs, I totally expect them to be gone when ENGINE support is gone (ENGINE support being the last tangible reason why we retain legacy style EVP_PKEYs). That's also a reason to have all of this collected into one file.

(while I'm at it, I also mean to clean away the current hackery which is spread all over the source instead of being concentrated to one spot, and that includes huge amounts of code copying ... you've heard me battle that tendency before 😉)

This would be a great improvement! It would also allow to drop all the new convenience functions such as EVP_PKEY_get_group_name(). But on the other hand they could still be kept, just with very much simplified implementation.

This would be a great improvement! It would also allow to drop all the new convenience functions such as EVP_PKEY_get_group_name(). But on the other hand they could still be kept, just with very much simplified implementation.

... and [ahem] we can revert all the older convenience functions to being macros calling EVP_PKEY_CTX_ctrl() 😆

Thank you for the detailed explanation. That should make it into the code/comments I think.

At one point we liked the wrapper functions because they provided type-safety.

Thank you for the detailed explanation. That should make it into the code/comments I think.

At one point we liked the wrapper functions because they provided type-safety.

IMO they definitely make sense for more common things. However for obscure parameters they make less sense as they contribute to API and code bloat.

At one point we liked the wrapper functions because they provided type-safety.

I agree that for ctrl wrapper, that's a nice benefit.

Is there some test coverage in this area? I have some ad-hoc tests for legacy vs new EVP_PKEYs which I can clean up and supply a commit for.

Please do, thank you 😊

Some tests. Will add checks for other get/set APIs in due course:

5198095

Thanks

Side note: github seemed to assume that commit belongs in openssl/openssl... it took me a moment to find out where it really belonged 😉

Linked to otc evaluated issue.

There is one thing that comes to me a little bit awkward is that for the helper functions that used to call either set/get params or ctrl based on whether the key is legacy (like for example EVP_PKEY_CTX_set_dh_kdf_type()) we now call just the ctrl. Which is an obsolete API call so perhaps we should avoid using it internally. On the other hand it is indicative that it is extremely simple to convert the helpers to the ctrl call (as they were previously just macros, it makes it kind of obvious) but it is fairly harder to use the set/get_params instead. Could this mean we are missing some helper functions or macros for working with params?

Rebasing to resolve conflicts

It's a bit of a shame to have such beautiful code for legacy support.

Legacy will go, but at least it will get to leave with some panache 😉

This triggers a question - should we deprecate EVP_PKEY_CTX_ctrl and all the other EVP*ctrl functions?

This triggers a question - should we deprecate EVP_PKEY_CTX_ctrl and all the other EVP*ctrl functions?

Yes, we probably should.

Issue filed #14287 for the deprecations.

Merged

6179dfc EVP: Implement EVP_PKEY_CTX_is_a()
e19246d EVP: Make evp_pkey_ctx_state() available to all of EVP
4d4928e EVP: make evp_pkey_is_assigned() usable in the FIPS module
9a1c4e4 EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs
5137312 EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware
6fcd92d EVP: Adapt diverse OSSL_PARAM setters and getters
5524580 EVP: Adapt the EVP_PKEY_CTX ctrl functions
df4592c EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions
13f91a7 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions
bbf4dc9 EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted
f5b0083 EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions