[thirdparty/openssl.git] / crypto / evp / exchange.c

/*
 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include "internal/refcount.h"
#include "crypto/evp.h"
#include "internal/provider.h"
#include "internal/numbers.h"   /* includes SIZE_MAX */
#include "evp_local.h"

static EVP_KEYEXCH *evp_keyexch_new(OSSL_PROVIDER *prov)
{
    EVP_KEYEXCH *exchange = OPENSSL_zalloc(sizeof(EVP_KEYEXCH));

    if (exchange == NULL) {
        ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    exchange->lock = CRYPTO_THREAD_lock_new();
    if (exchange->lock == NULL) {
        ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
        OPENSSL_free(exchange);
        return NULL;
    }
    exchange->prov = prov;
    ossl_provider_up_ref(prov);
    exchange->refcnt = 1;

    return exchange;
}

static void *evp_keyexch_from_dispatch(int name_id,
                                       const OSSL_DISPATCH *fns,
                                       OSSL_PROVIDER *prov)
{
    EVP_KEYEXCH *exchange = NULL;
    int fncnt = 0, sparamfncnt = 0, gparamfncnt = 0;

    if ((exchange = evp_keyexch_new(prov)) == NULL) {
        ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    exchange->name_id = name_id;

    for (; fns->function_id != 0; fns++) {
        switch (fns->function_id) {
        case OSSL_FUNC_KEYEXCH_NEWCTX:
            if (exchange->newctx != NULL)
                break;
            exchange->newctx = OSSL_get_OP_keyexch_newctx(fns);
            fncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_INIT:
            if (exchange->init != NULL)
                break;
            exchange->init = OSSL_get_OP_keyexch_init(fns);
            fncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_SET_PEER:
            if (exchange->set_peer != NULL)
                break;
            exchange->set_peer = OSSL_get_OP_keyexch_set_peer(fns);
            break;
        case OSSL_FUNC_KEYEXCH_DERIVE:
            if (exchange->derive != NULL)
                break;
            exchange->derive = OSSL_get_OP_keyexch_derive(fns);
            fncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_FREECTX:
            if (exchange->freectx != NULL)
                break;
            exchange->freectx = OSSL_get_OP_keyexch_freectx(fns);
            fncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_DUPCTX:
            if (exchange->dupctx != NULL)
                break;
            exchange->dupctx = OSSL_get_OP_keyexch_dupctx(fns);
            break;
        case OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS:
            if (exchange->get_ctx_params != NULL)
                break;
            exchange->get_ctx_params = OSSL_get_OP_keyexch_get_ctx_params(fns);
            gparamfncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS:
            if (exchange->gettable_ctx_params != NULL)
                break;
            exchange->gettable_ctx_params
                = OSSL_get_OP_keyexch_gettable_ctx_params(fns);
            gparamfncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS:
            if (exchange->set_ctx_params != NULL)
                break;
            exchange->set_ctx_params = OSSL_get_OP_keyexch_set_ctx_params(fns);
            sparamfncnt++;
            break;
        case OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS:
            if (exchange->settable_ctx_params != NULL)
                break;
            exchange->settable_ctx_params
                = OSSL_get_OP_keyexch_settable_ctx_params(fns);
            sparamfncnt++;
            break;
        }
    }
    if (fncnt != 4
            || (gparamfncnt != 0 && gparamfncnt != 2)
            || (sparamfncnt != 0 && sparamfncnt != 2)) {
        /*
         * In order to be a consistent set of functions we must have at least
         * a complete set of "exchange" functions: init, derive, newctx,
         * and freectx. The set_ctx_params and settable_ctx_params functions are
         * optional, but if one of them is present then the other one must also
         * be present. Same goes for get_ctx_params and gettable_ctx_params.
         * The dupctx and set_peer functions are optional.
         */
        EVPerr(EVP_F_EVP_KEYEXCH_FROM_DISPATCH,
               EVP_R_INVALID_PROVIDER_FUNCTIONS);
        goto err;
    }

    return exchange;

 err:
    EVP_KEYEXCH_free(exchange);
    return NULL;
}

void EVP_KEYEXCH_free(EVP_KEYEXCH *exchange)
{
    if (exchange != NULL) {
        int i;

        CRYPTO_DOWN_REF(&exchange->refcnt, &i, exchange->lock);
        if (i > 0)
            return;
        ossl_provider_free(exchange->prov);
        CRYPTO_THREAD_lock_free(exchange->lock);
        OPENSSL_free(exchange);
    }
}

int EVP_KEYEXCH_up_ref(EVP_KEYEXCH *exchange)
{
    int ref = 0;

    CRYPTO_UP_REF(&exchange->refcnt, &ref, exchange->lock);
    return 1;
}

OSSL_PROVIDER *EVP_KEYEXCH_provider(const EVP_KEYEXCH *exchange)
{
    return exchange->prov;
}

EVP_KEYEXCH *EVP_KEYEXCH_fetch(OPENSSL_CTX *ctx, const char *algorithm,
                               const char *properties)
{
    return evp_generic_fetch(ctx, OSSL_OP_KEYEXCH, algorithm, properties,
                             evp_keyexch_from_dispatch,
                             (int (*)(void *))EVP_KEYEXCH_up_ref,
                             (void (*)(void *))EVP_KEYEXCH_free);
}

int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx)
{
    int ret;
    void *provkey = NULL;
    EVP_KEYEXCH *exchange = NULL;
    EVP_KEYMGMT *tmp_keymgmt = NULL;
    const char *supported_exch = NULL;

    if (ctx == NULL) {
        EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }

    evp_pkey_ctx_free_old_ops(ctx);
    ctx->operation = EVP_PKEY_OP_DERIVE;

    /*
     * TODO when we stop falling back to legacy, this and the ERR_pop_to_mark()
     * calls can be removed.
     */
    ERR_set_mark();

    if (ctx->keymgmt == NULL)
        goto legacy;

    /*
     * Ensure that the key is provided, either natively, or as a cached export.
     *  If not, go legacy
     */
    tmp_keymgmt = ctx->keymgmt;
    provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx,
                                          &tmp_keymgmt, ctx->propquery);
    if (provkey == NULL)
        goto legacy;
    if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) {
        ERR_clear_last_mark();
        ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
        goto err;
    }
    EVP_KEYMGMT_free(ctx->keymgmt);
    ctx->keymgmt = tmp_keymgmt;

    if (ctx->keymgmt->query_operation_name != NULL)
        supported_exch = ctx->keymgmt->query_operation_name(OSSL_OP_KEYEXCH);

    /*
     * If we didn't get a supported exch, assume there is one with the
     * same name as the key type.
     */
    if (supported_exch == NULL)
        supported_exch = ctx->keytype;

    /*
     * Because we cleared out old ops, we shouldn't need to worry about
     * checking if exchange is already there.
     */
    exchange = EVP_KEYEXCH_fetch(ctx->libctx, supported_exch, ctx->propquery);

    if (exchange == NULL
        || (EVP_KEYMGMT_provider(ctx->keymgmt)
            != EVP_KEYEXCH_provider(exchange))) {
        /*
         * We don't need to free ctx->keymgmt here, as it's not necessarily
         * tied to this operation.  It will be freed by EVP_PKEY_CTX_free().
         */
        EVP_KEYEXCH_free(exchange);
        goto legacy;
    }

    /*
     * TODO remove this when legacy is gone
     * If we don't have the full support we need with provided methods,
     * let's go see if legacy does.
     */
    ERR_pop_to_mark();

    /* No more legacy from here down to legacy: */

    ctx->op.kex.exchange = exchange;
    ctx->op.kex.exchprovctx = exchange->newctx(ossl_provider_ctx(exchange->prov));
    if (ctx->op.kex.exchprovctx == NULL) {
        /* The provider key can stay in the cache */
        EVPerr(0, EVP_R_INITIALIZATION_ERROR);
        goto err;
    }
    ret = exchange->init(ctx->op.kex.exchprovctx, provkey);

    return ret ? 1 : 0;
 err:
    ctx->operation = EVP_PKEY_OP_UNDEFINED;
    return 0;

 legacy:
    /*
     * TODO remove this when legacy is gone
     * If we don't have the full support we need with provided methods,
     * let's go see if legacy does.
     */
    ERR_pop_to_mark();

#ifdef FIPS_MODULE
    return 0;
#else
    if (ctx->pmeth == NULL || ctx->pmeth->derive == NULL) {
        EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }

    if (ctx->pmeth->derive_init == NULL)
        return 1;
    ret = ctx->pmeth->derive_init(ctx);
    if (ret <= 0)
        ctx->operation = EVP_PKEY_OP_UNDEFINED;
    return ret;
#endif
}

int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)
{
    int ret = 0;
    void *provkey = NULL;

    if (ctx == NULL) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
               EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }

    if (!EVP_PKEY_CTX_IS_DERIVE_OP(ctx) || ctx->op.kex.exchprovctx == NULL)
        goto legacy;

    if (ctx->op.kex.exchange->set_peer == NULL) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
               EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }

    provkey = evp_pkey_export_to_provider(peer, ctx->libctx, &ctx->keymgmt,
                                          ctx->propquery);
    /*
     * If making the key provided wasn't possible, legacy may be able to pick
     * it up
     */
    if (provkey == NULL)
        goto legacy;
    return ctx->op.kex.exchange->set_peer(ctx->op.kex.exchprovctx, provkey);

 legacy:
#ifdef FIPS_MODULE
    return ret;
#else
    /*
     * TODO(3.0) investigate the case where the operation is deemed legacy,
     * but the given peer key is provider only.
     */
    if (ctx->pmeth == NULL
        || !(ctx->pmeth->derive != NULL
             || ctx->pmeth->encrypt != NULL
             || ctx->pmeth->decrypt != NULL)
        || ctx->pmeth->ctrl == NULL) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
               EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }
    if (ctx->operation != EVP_PKEY_OP_DERIVE
        && ctx->operation != EVP_PKEY_OP_ENCRYPT
        && ctx->operation != EVP_PKEY_OP_DECRYPT) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
               EVP_R_OPERATON_NOT_INITIALIZED);
        return -1;
    }

    ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 0, peer);

    if (ret <= 0)
        return ret;

    if (ret == 2)
        return 1;

    if (ctx->pkey == NULL) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER, EVP_R_NO_KEY_SET);
        return -1;
    }

    if (ctx->pkey->type != peer->type) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER, EVP_R_DIFFERENT_KEY_TYPES);
        return -1;
    }

    /*
     * For clarity.  The error is if parameters in peer are
     * present (!missing) but don't match.  EVP_PKEY_cmp_parameters may return
     * 1 (match), 0 (don't match) and -2 (comparison is not defined).  -1
     * (different key types) is impossible here because it is checked earlier.
     * -2 is OK for us here, as well as 1, so we can check for 0 only.
     */
    if (!EVP_PKEY_missing_parameters(peer) &&
        !EVP_PKEY_cmp_parameters(ctx->pkey, peer)) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER, EVP_R_DIFFERENT_PARAMETERS);
        return -1;
    }

    EVP_PKEY_free(ctx->peerkey);
    ctx->peerkey = peer;

    ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);

    if (ret <= 0) {
        ctx->peerkey = NULL;
        return ret;
    }

    EVP_PKEY_up_ref(peer);
    return 1;
#endif
}

int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *pkeylen)
{
    int ret;

    if (ctx == NULL) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE,
               EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }

    if (!EVP_PKEY_CTX_IS_DERIVE_OP(ctx)) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE, EVP_R_OPERATON_NOT_INITIALIZED);
        return -1;
    }

    if (ctx->op.kex.exchprovctx == NULL)
        goto legacy;

    ret = ctx->op.kex.exchange->derive(ctx->op.kex.exchprovctx, key, pkeylen,
                                       SIZE_MAX);

    return ret;
 legacy:
    if (ctx ==  NULL || ctx->pmeth == NULL || ctx->pmeth->derive == NULL) {
        EVPerr(EVP_F_EVP_PKEY_DERIVE,
               EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
        return -2;
    }

    M_check_autoarg(ctx, key, pkeylen, EVP_F_EVP_PKEY_DERIVE)
        return ctx->pmeth->derive(ctx, key, pkeylen);
}

int EVP_KEYEXCH_number(const EVP_KEYEXCH *keyexch)
{
    return keyexch->name_id;
}

int EVP_KEYEXCH_is_a(const EVP_KEYEXCH *keyexch, const char *name)
{
    return evp_is_a(keyexch->prov, keyexch->name_id, NULL, name);
}

void EVP_KEYEXCH_do_all_provided(OPENSSL_CTX *libctx,
                                 void (*fn)(EVP_KEYEXCH *keyexch, void *arg),
                                 void *arg)
{
    evp_generic_do_all(libctx, OSSL_OP_KEYEXCH,
                       (void (*)(void *, void *))fn, arg,
                       evp_keyexch_from_dispatch,
                       (void (*)(void *))EVP_KEYEXCH_free);
}

void EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *keyexch,
                              void (*fn)(const char *name, void *data),
                              void *data)
{
    if (keyexch->prov != NULL)
        evp_names_do_all(keyexch->prov, keyexch->name_id, fn, data);
}
Commit	Line	Data
	1	/*
	2	* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/crypto.h>
	11	#include <openssl/evp.h>
	12	#include <openssl/err.h>
	13	#include "internal/refcount.h"
	14	#include "crypto/evp.h"
	15	#include "internal/provider.h"
	16	#include "internal/numbers.h" /* includes SIZE_MAX */
	17	#include "evp_local.h"
	18
	19	static EVP_KEYEXCH evp_keyexch_new(OSSL_PROVIDER prov)
	20	{
	21	EVP_KEYEXCH *exchange = OPENSSL_zalloc(sizeof(EVP_KEYEXCH));
	22
	23	if (exchange == NULL) {
	24	ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
	25	return NULL;
	26	}
	27
	28	exchange->lock = CRYPTO_THREAD_lock_new();
	29	if (exchange->lock == NULL) {
	30	ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
	31	OPENSSL_free(exchange);
	32	return NULL;
	33	}
	34	exchange->prov = prov;
	35	ossl_provider_up_ref(prov);
	36	exchange->refcnt = 1;
	37
	38	return exchange;
	39	}
	40
	41	static void *evp_keyexch_from_dispatch(int name_id,
	42	const OSSL_DISPATCH *fns,
	43	OSSL_PROVIDER *prov)
	44	{
	45	EVP_KEYEXCH *exchange = NULL;
	46	int fncnt = 0, sparamfncnt = 0, gparamfncnt = 0;
	47
	48	if ((exchange = evp_keyexch_new(prov)) == NULL) {
	49	ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
	50	goto err;
	51	}
	52
	53	exchange->name_id = name_id;
	54
	55	for (; fns->function_id != 0; fns++) {
	56	switch (fns->function_id) {
	57	case OSSL_FUNC_KEYEXCH_NEWCTX:
	58	if (exchange->newctx != NULL)
	59	break;
	60	exchange->newctx = OSSL_get_OP_keyexch_newctx(fns);
	61	fncnt++;
	62	break;
	63	case OSSL_FUNC_KEYEXCH_INIT:
	64	if (exchange->init != NULL)
	65	break;
	66	exchange->init = OSSL_get_OP_keyexch_init(fns);
	67	fncnt++;
	68	break;
	69	case OSSL_FUNC_KEYEXCH_SET_PEER:
	70	if (exchange->set_peer != NULL)
	71	break;
	72	exchange->set_peer = OSSL_get_OP_keyexch_set_peer(fns);
	73	break;
	74	case OSSL_FUNC_KEYEXCH_DERIVE:
	75	if (exchange->derive != NULL)
	76	break;
	77	exchange->derive = OSSL_get_OP_keyexch_derive(fns);
	78	fncnt++;
	79	break;
	80	case OSSL_FUNC_KEYEXCH_FREECTX:
	81	if (exchange->freectx != NULL)
	82	break;
	83	exchange->freectx = OSSL_get_OP_keyexch_freectx(fns);
	84	fncnt++;
	85	break;
	86	case OSSL_FUNC_KEYEXCH_DUPCTX:
	87	if (exchange->dupctx != NULL)
	88	break;
	89	exchange->dupctx = OSSL_get_OP_keyexch_dupctx(fns);
	90	break;
	91	case OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS:
	92	if (exchange->get_ctx_params != NULL)
	93	break;
	94	exchange->get_ctx_params = OSSL_get_OP_keyexch_get_ctx_params(fns);
	95	gparamfncnt++;
	96	break;
	97	case OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS:
	98	if (exchange->gettable_ctx_params != NULL)
	99	break;
	100	exchange->gettable_ctx_params
	101	= OSSL_get_OP_keyexch_gettable_ctx_params(fns);
	102	gparamfncnt++;
	103	break;
	104	case OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS:
	105	if (exchange->set_ctx_params != NULL)
	106	break;
	107	exchange->set_ctx_params = OSSL_get_OP_keyexch_set_ctx_params(fns);
	108	sparamfncnt++;
	109	break;
	110	case OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS:
	111	if (exchange->settable_ctx_params != NULL)
	112	break;
	113	exchange->settable_ctx_params
	114	= OSSL_get_OP_keyexch_settable_ctx_params(fns);
	115	sparamfncnt++;
	116	break;
	117	}
	118	}
	119	if (fncnt != 4
	120	\|\| (gparamfncnt != 0 && gparamfncnt != 2)
	121	\|\| (sparamfncnt != 0 && sparamfncnt != 2)) {
	122	/*
	123	* In order to be a consistent set of functions we must have at least
	124	* a complete set of "exchange" functions: init, derive, newctx,
	125	* and freectx. The set_ctx_params and settable_ctx_params functions are
	126	* optional, but if one of them is present then the other one must also
	127	* be present. Same goes for get_ctx_params and gettable_ctx_params.
	128	* The dupctx and set_peer functions are optional.
	129	*/
	130	EVPerr(EVP_F_EVP_KEYEXCH_FROM_DISPATCH,
	131	EVP_R_INVALID_PROVIDER_FUNCTIONS);
	132	goto err;
	133	}
	134
	135	return exchange;
	136
	137	err:
	138	EVP_KEYEXCH_free(exchange);
	139	return NULL;
	140	}
	141
	142	void EVP_KEYEXCH_free(EVP_KEYEXCH *exchange)
	143	{
	144	if (exchange != NULL) {
	145	int i;
	146
	147	CRYPTO_DOWN_REF(&exchange->refcnt, &i, exchange->lock);
	148	if (i > 0)
	149	return;
	150	ossl_provider_free(exchange->prov);
	151	CRYPTO_THREAD_lock_free(exchange->lock);
	152	OPENSSL_free(exchange);
	153	}
	154	}
	155
	156	int EVP_KEYEXCH_up_ref(EVP_KEYEXCH *exchange)
	157	{
	158	int ref = 0;
	159
	160	CRYPTO_UP_REF(&exchange->refcnt, &ref, exchange->lock);
	161	return 1;
	162	}
	163
	164	OSSL_PROVIDER EVP_KEYEXCH_provider(const EVP_KEYEXCH exchange)
	165	{
	166	return exchange->prov;
	167	}
	168
	169	EVP_KEYEXCH EVP_KEYEXCH_fetch(OPENSSL_CTX ctx, const char *algorithm,
	170	const char *properties)
	171	{
	172	return evp_generic_fetch(ctx, OSSL_OP_KEYEXCH, algorithm, properties,
	173	evp_keyexch_from_dispatch,
	174	(int ()(void ))EVP_KEYEXCH_up_ref,
	175	(void ()(void ))EVP_KEYEXCH_free);
	176	}
	177
	178	int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx)
	179	{
	180	int ret;
	181	void *provkey = NULL;
	182	EVP_KEYEXCH *exchange = NULL;
	183	EVP_KEYMGMT *tmp_keymgmt = NULL;
	184	const char *supported_exch = NULL;
	185
	186	if (ctx == NULL) {
	187	EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	188	return -2;
	189	}
	190
	191	evp_pkey_ctx_free_old_ops(ctx);
	192	ctx->operation = EVP_PKEY_OP_DERIVE;
	193
	194	/*
	195	* TODO when we stop falling back to legacy, this and the ERR_pop_to_mark()
	196	* calls can be removed.
	197	*/
	198	ERR_set_mark();
	199
	200	if (ctx->keymgmt == NULL)
	201	goto legacy;
	202
	203	/*
	204	* Ensure that the key is provided, either natively, or as a cached export.
	205	* If not, go legacy
	206	*/
	207	tmp_keymgmt = ctx->keymgmt;
	208	provkey = evp_pkey_export_to_provider(ctx->pkey, ctx->libctx,
	209	&tmp_keymgmt, ctx->propquery);
	210	if (provkey == NULL)
	211	goto legacy;
	212	if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) {
	213	ERR_clear_last_mark();
	214	ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
	215	goto err;
	216	}
	217	EVP_KEYMGMT_free(ctx->keymgmt);
	218	ctx->keymgmt = tmp_keymgmt;
	219
	220	if (ctx->keymgmt->query_operation_name != NULL)
	221	supported_exch = ctx->keymgmt->query_operation_name(OSSL_OP_KEYEXCH);
	222
	223	/*
	224	* If we didn't get a supported exch, assume there is one with the
	225	* same name as the key type.
	226	*/
	227	if (supported_exch == NULL)
	228	supported_exch = ctx->keytype;
	229
	230	/*
	231	* Because we cleared out old ops, we shouldn't need to worry about
	232	* checking if exchange is already there.
	233	*/
	234	exchange = EVP_KEYEXCH_fetch(ctx->libctx, supported_exch, ctx->propquery);
	235
	236	if (exchange == NULL
	237	\|\| (EVP_KEYMGMT_provider(ctx->keymgmt)
	238	!= EVP_KEYEXCH_provider(exchange))) {
	239	/*
	240	* We don't need to free ctx->keymgmt here, as it's not necessarily
	241	* tied to this operation. It will be freed by EVP_PKEY_CTX_free().
	242	*/
	243	EVP_KEYEXCH_free(exchange);
	244	goto legacy;
	245	}
	246
	247	/*
	248	* TODO remove this when legacy is gone
	249	* If we don't have the full support we need with provided methods,
	250	* let's go see if legacy does.
	251	*/
	252	ERR_pop_to_mark();
	253
	254	/* No more legacy from here down to legacy: */
	255
	256	ctx->op.kex.exchange = exchange;
	257	ctx->op.kex.exchprovctx = exchange->newctx(ossl_provider_ctx(exchange->prov));
	258	if (ctx->op.kex.exchprovctx == NULL) {
	259	/* The provider key can stay in the cache */
	260	EVPerr(0, EVP_R_INITIALIZATION_ERROR);
	261	goto err;
	262	}
	263	ret = exchange->init(ctx->op.kex.exchprovctx, provkey);
	264
	265	return ret ? 1 : 0;
	266	err:
	267	ctx->operation = EVP_PKEY_OP_UNDEFINED;
	268	return 0;
	269
	270	legacy:
	271	/*
	272	* TODO remove this when legacy is gone
	273	* If we don't have the full support we need with provided methods,
	274	* let's go see if legacy does.
	275	*/
	276	ERR_pop_to_mark();
	277
	278	#ifdef FIPS_MODULE
	279	return 0;
	280	#else
	281	if (ctx->pmeth == NULL \|\| ctx->pmeth->derive == NULL) {
	282	EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	283	return -2;
	284	}
	285
	286	if (ctx->pmeth->derive_init == NULL)
	287	return 1;
	288	ret = ctx->pmeth->derive_init(ctx);
	289	if (ret <= 0)
	290	ctx->operation = EVP_PKEY_OP_UNDEFINED;
	291	return ret;
	292	#endif
	293	}
	294
	295	int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX ctx, EVP_PKEY peer)
	296	{
	297	int ret = 0;
	298	void *provkey = NULL;
	299
	300	if (ctx == NULL) {
	301	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
	302	EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	303	return -2;
	304	}
	305
	306	if (!EVP_PKEY_CTX_IS_DERIVE_OP(ctx) \|\| ctx->op.kex.exchprovctx == NULL)
	307	goto legacy;
	308
	309	if (ctx->op.kex.exchange->set_peer == NULL) {
	310	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
	311	EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	312	return -2;
	313	}
	314
	315	provkey = evp_pkey_export_to_provider(peer, ctx->libctx, &ctx->keymgmt,
	316	ctx->propquery);
	317	/*
	318	* If making the key provided wasn't possible, legacy may be able to pick
	319	* it up
	320	*/
	321	if (provkey == NULL)
	322	goto legacy;
	323	return ctx->op.kex.exchange->set_peer(ctx->op.kex.exchprovctx, provkey);
	324
	325	legacy:
	326	#ifdef FIPS_MODULE
	327	return ret;
	328	#else
	329	/*
	330	* TODO(3.0) investigate the case where the operation is deemed legacy,
	331	* but the given peer key is provider only.
	332	*/
	333	if (ctx->pmeth == NULL
	334	\|\| !(ctx->pmeth->derive != NULL
	335	\|\| ctx->pmeth->encrypt != NULL
	336	\|\| ctx->pmeth->decrypt != NULL)
	337	\|\| ctx->pmeth->ctrl == NULL) {
	338	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
	339	EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	340	return -2;
	341	}
	342	if (ctx->operation != EVP_PKEY_OP_DERIVE
	343	&& ctx->operation != EVP_PKEY_OP_ENCRYPT
	344	&& ctx->operation != EVP_PKEY_OP_DECRYPT) {
	345	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER,
	346	EVP_R_OPERATON_NOT_INITIALIZED);
	347	return -1;
	348	}
	349
	350	ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 0, peer);
	351
	352	if (ret <= 0)
	353	return ret;
	354
	355	if (ret == 2)
	356	return 1;
	357
	358	if (ctx->pkey == NULL) {
	359	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER, EVP_R_NO_KEY_SET);
	360	return -1;
	361	}
	362
	363	if (ctx->pkey->type != peer->type) {
	364	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER, EVP_R_DIFFERENT_KEY_TYPES);
	365	return -1;
	366	}
	367
	368	/*
	369	* For clarity. The error is if parameters in peer are
	370	* present (!missing) but don't match. EVP_PKEY_cmp_parameters may return
	371	* 1 (match), 0 (don't match) and -2 (comparison is not defined). -1
	372	* (different key types) is impossible here because it is checked earlier.
	373	* -2 is OK for us here, as well as 1, so we can check for 0 only.
	374	*/
	375	if (!EVP_PKEY_missing_parameters(peer) &&
	376	!EVP_PKEY_cmp_parameters(ctx->pkey, peer)) {
	377	EVPerr(EVP_F_EVP_PKEY_DERIVE_SET_PEER, EVP_R_DIFFERENT_PARAMETERS);
	378	return -1;
	379	}
	380
	381	EVP_PKEY_free(ctx->peerkey);
	382	ctx->peerkey = peer;
	383
	384	ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
	385
	386	if (ret <= 0) {
	387	ctx->peerkey = NULL;
	388	return ret;
	389	}
	390
	391	EVP_PKEY_up_ref(peer);
	392	return 1;
	393	#endif
	394	}
	395
	396	int EVP_PKEY_derive(EVP_PKEY_CTX ctx, unsigned char key, size_t *pkeylen)
	397	{
	398	int ret;
	399
	400	if (ctx == NULL) {
	401	EVPerr(EVP_F_EVP_PKEY_DERIVE,
	402	EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	403	return -2;
	404	}
	405
	406	if (!EVP_PKEY_CTX_IS_DERIVE_OP(ctx)) {
	407	EVPerr(EVP_F_EVP_PKEY_DERIVE, EVP_R_OPERATON_NOT_INITIALIZED);
	408	return -1;
	409	}
	410
	411	if (ctx->op.kex.exchprovctx == NULL)
	412	goto legacy;
	413
	414	ret = ctx->op.kex.exchange->derive(ctx->op.kex.exchprovctx, key, pkeylen,
	415	SIZE_MAX);
	416
	417	return ret;
	418	legacy:
	419	if (ctx == NULL \|\| ctx->pmeth == NULL \|\| ctx->pmeth->derive == NULL) {
	420	EVPerr(EVP_F_EVP_PKEY_DERIVE,
	421	EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
	422	return -2;
	423	}
	424
	425	M_check_autoarg(ctx, key, pkeylen, EVP_F_EVP_PKEY_DERIVE)
	426	return ctx->pmeth->derive(ctx, key, pkeylen);
	427	}
	428
	429	int EVP_KEYEXCH_number(const EVP_KEYEXCH *keyexch)
	430	{
	431	return keyexch->name_id;
	432	}
	433
	434	int EVP_KEYEXCH_is_a(const EVP_KEYEXCH keyexch, const char name)
	435	{
	436	return evp_is_a(keyexch->prov, keyexch->name_id, NULL, name);
	437	}
	438
	439	void EVP_KEYEXCH_do_all_provided(OPENSSL_CTX *libctx,
	440	void (fn)(EVP_KEYEXCH keyexch, void *arg),
	441	void *arg)
	442	{
	443	evp_generic_do_all(libctx, OSSL_OP_KEYEXCH,
	444	(void ()(void , void *))fn, arg,
	445	evp_keyexch_from_dispatch,
	446	(void ()(void ))EVP_KEYEXCH_free);
	447	}
	448
	449	void EVP_KEYEXCH_names_do_all(const EVP_KEYEXCH *keyexch,
	450	void (fn)(const char name, void *data),
	451	void *data)
	452	{
	453	if (keyexch->prov != NULL)
	454	evp_names_do_all(keyexch->prov, keyexch->name_id, fn, data);
	455	}