return NULL;
}
- ret->keydata = ctx->op.kex.exchange->derive_skey(ctx->op.kex.algctx,
+ ret->keydata = ctx->op.kex.exchange->derive_skey(ctx->op.kex.algctx, key_type,
ossl_provider_ctx(skeymgmt->prov),
skeymgmt->import, keylen, params);
return NULL;
}
- ret->keydata = ctx->meth->derive_skey(ctx->algctx, ossl_provider_ctx(skeymgmt->prov),
+ ret->keydata = ctx->meth->derive_skey(ctx->algctx, key_type, ossl_provider_ctx(skeymgmt->prov),
skeymgmt->import, keylen, params);
if (ret->keydata == NULL) {
EVP_SKEY_free(ret);
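Review bot: `key_type` is forwarded unchanged to the provider's `derive_skey` here, and to `ctx->op.kex.exchange->derive_skey` in the key-exchange call earlier on this page, with no visible check that it is non-NULL. The enclosing function starts outside the hunk, so a guard may already exist before `ret` is allocated. If it does not, add one ahead of the allocation, e.g. `if (key_type == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); return NULL; }`, so that each provider does not have to defend against a NULL string. It would also help to state in a comment whether `key_type` is expected to be the name `skeymgmt` was fetched with, since the provider receives both and nothing here ties them together.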
int OSSL_FUNC_kdf_reset(void *kctx);
int OSSL_FUNC_kdf_derive(void *kctx, unsigned char *key, size_t keylen,
const OSSL_PARAM params[]);
- void *OSSL_FUNC_kdf_derive_skey(void *ctx, void *provctx,
+ void *OSSL_FUNC_kdf_derive_skey(void *ctx, const char *key_type, void *provctx,
OSSL_FUNC_skeymgmt_import_fn *import,
size_t keylen, const OSSL_PARAM params[]);
return error.
OSSL_FUNC_kdf_derive_skey() is similar to OSSL_FUNC_kdf_derive() but uses an
-opaque object for storing the derived key.
+opaque object for storing the derived key. It accepts I<key_type> parameter to
+give a hint to the provider what type of the key (e.g. generic or AES) would be
+generated and I<import> function from the B<EVP_SKEYMGMT> object to be
+associated with the key. The B<EVP_SKEYMGMT> object comes from the same
+provider as the KDF itself.
=head2 KDF Parameters
int OSSL_FUNC_keyexch_set_peer(void *ctx, void *provkey);
int OSSL_FUNC_keyexch_derive(void *ctx, unsigned char *secret, size_t *secretlen,
size_t outlen);
- int OSSL_FUNC_keyexch_derive_skey(void *ctx, void *provctx,
+ int OSSL_FUNC_keyexch_derive_skey(void *ctx, const char *key_type, void *provctx,
OSSL_FUNC_skeymgmt_import_fn *import,
size_t keylen, const OSSL_PARAM params[]);
If I<secret> is NULL then the maximum length of the shared secret should be
written to I<*secretlen>.
-OSSL_FUNC_keyexch_derive_skey() is similar to OSSL_FUNC_keyexch_derive() but works
-with an opaque provider-specific object instead of raw bytes buffer.
+OSSL_FUNC_keyexch_derive_skey() is similar to OSSL_FUNC_keyexch_derive() but
+uses an opaque object for storing the derived key. It accepts I<key_type>
+parameter to give a hint to the provider what type of the key (e.g. generic or
+AES) would be generated and I<import> function from the B<EVP_SKEYMGMT> object
+to be associated with the key. The B<EVP_SKEYMGMT> object comes from the same
+provider as the KDF itself.
=head2 Key Exchange Parameters Functions
(void *kctx, const OSSL_PARAM params[]))
OSSL_CORE_MAKE_FUNC(int, kdf_set_skey,
(void *kctx, void *skeydata, const char *paramname))
-OSSL_CORE_MAKE_FUNC(void *, kdf_derive_skey, (void *ctx, void *provctx,
+OSSL_CORE_MAKE_FUNC(void *, kdf_derive_skey, (void *ctx, const char *key_type, void *provctx,
OSSL_FUNC_skeymgmt_import_fn *import,
size_t keylen, const OSSL_PARAM params[]))
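Review bot: Inserting `key_type` as the second argument changes the call signature of an existing dispatch entry while keeping its name, so a provider built against the earlier prototype would receive `key_type` where it expects `provctx`, with every later argument shifted by one. If `kdf_derive_skey` has already appeared in a released header, that is a type-confusion hazard at the provider boundary rather than just a compile break, and the hint would be safer carried in `params` or behind a new function id. If the entry is still unreleased, a one-line comment above the macro such as `/* key_type added before first release; no ABI compatibility required */` would record that. The same applies to `keyexch_derive_skey` in the next hunk.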
OSSL_PARAM params[]))
OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, keyexch_gettable_ctx_params,
(void *ctx, void *provctx))
-OSSL_CORE_MAKE_FUNC(void *, keyexch_derive_skey, (void *ctx, void *provctx,
+OSSL_CORE_MAKE_FUNC(void *, keyexch_derive_skey, (void *ctx, const char *key_type, void *provctx,
OSSL_FUNC_skeymgmt_import_fn *import,
size_t keylen, const OSSL_PARAM params[]))
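Review bot: This prototype declares `keyexch_derive_skey` as returning `void *`, but the provider-keyexch synopsis updated in the same change still reads `int OSSL_FUNC_keyexch_derive_skey(...)`. The key-exchange caller on this page assigns the result to `ret->keydata`, so a provider written from the man page would return an integer status where an opaque key pointer is expected. The synopsis line should be `void *OSSL_FUNC_keyexch_derive_skey(void *ctx, const char *key_type, void *provctx,`. The description added for the key-exchange function also ends with "the same provider as the KDF itself", which looks carried over from the KDF page and should name the key exchange instead.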
}
static
-void *ecdh_derive_skey(void *vpecdhctx, void *provctx, OSSL_FUNC_skeymgmt_import_fn *import,
+void *ecdh_derive_skey(void *vpecdhctx, const char *key_type ossl_unused,
+ void *provctx, OSSL_FUNC_skeymgmt_import_fn *import,
size_t outlen, const OSSL_PARAM params_in[] ossl_unused)
{
unsigned char *secret = NULL;
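Review bot: `key_type` is marked `ossl_unused` in `ecdh_derive_skey`, and again in `kdf_pbkdf1_derive_skey` in the following hunk, so neither implementation consults the requested key type. The documentation on this page calls the parameter a hint, so ignoring it is allowed, but a reader of the provider code cannot tell whether that is deliberate. Assuming the body passes the derived bytes to `import`, add a short comment above each function, e.g. `/* key_type is advisory and ignored: the key object is built by |import| */`. Both function bodies continue outside their hunks, so how `import` and `outlen`/`keylen` are used is not visible here.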
}
static
-void *kdf_pbkdf1_derive_skey(void *vctx, void *provctx, OSSL_FUNC_skeymgmt_import_fn *import,
+void *kdf_pbkdf1_derive_skey(void *vctx, const char *key_type ossl_unused, void *provctx,
+ OSSL_FUNC_skeymgmt_import_fn *import,
size_t keylen, const OSSL_PARAM params[])
{
unsigned char *key = NULL;