From: Dmitry Belyavskiy
Date: Mon, 8 Sep 2025 18:50:59 +0000 (+0200)
Subject: Add key_type to the derive_skey function
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4aa51747026a07dbdaff1fcaf306ce66ef41828;p=thirdparty%2Fopenssl.git

Add key_type to the derive_skey function

In some cases this information is necessary on the provider side

Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28486)
---
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
index 504458bc3ee..d323a7c67cf 100644
--- a/crypto/evp/exchange.c
+++ b/crypto/evp/exchange.c
@@ -643,7 +643,7 @@ EVP_SKEY *EVP_PKEY_derive_SKEY(EVP_PKEY_CTX *ctx, EVP_SKEYMGMT *mgmt,
 return NULL;
 }
- ret->keydata = ctx->op.kex.exchange->derive_skey(ctx->op.kex.algctx,
+ ret->keydata = ctx->op.kex.exchange->derive_skey(ctx->op.kex.algctx, key_type,
 ossl_provider_ctx(skeymgmt->prov),
 skeymgmt->import, keylen, params);
diff --git a/crypto/evp/kdf_lib.c b/crypto/evp/kdf_lib.c
index 9558bbb2f67..3f675485704 100644
--- a/crypto/evp/kdf_lib.c
+++ b/crypto/evp/kdf_lib.c
@@ -271,7 +271,7 @@ EVP_SKEY *EVP_KDF_derive_SKEY(EVP_KDF_CTX *ctx, EVP_SKEYMGMT *mgmt,
 return NULL;
 }
- ret->keydata = ctx->meth->derive_skey(ctx->algctx, ossl_provider_ctx(skeymgmt->prov),
+ ret->keydata = ctx->meth->derive_skey(ctx->algctx, key_type, ossl_provider_ctx(skeymgmt->prov),
 skeymgmt->import, keylen, params);
 if (ret->keydata == NULL) {
 EVP_SKEY_free(ret);
diff --git a/doc/man7/provider-kdf.pod b/doc/man7/provider-kdf.pod
index 401c697e18f..432b67472f1 100644
--- a/doc/man7/provider-kdf.pod
+++ b/doc/man7/provider-kdf.pod
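Review bot: The new `key_type` argument is handed straight to the provider on the `+` line with no statement of whether it may be NULL; where `key_type` comes from is outside this hunk (EVP_PKEY_derive_SKEY's signature and body start before it), and the provider-keyexch.pod text added by this commit only calls it a hint. If the EVP-level API accepts a NULL `key_type`, the provider-facing paragraph should say so, e.g. append `I<key_type> may be NULL, in which case the provider chooses the key type.`; if it does not, an explicit `if (key_type == NULL)` rejection before this call would make that contract visible to provider authors instead of leaving each provider to guess. The EVP_KDF_derive_SKEY call in the kdf_lib.c hunk has the same gap.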
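Review bot: The rewritten `ret->keydata = ctx->meth->derive_skey(ctx->algctx, key_type, ossl_provider_ctx(skeymgmt->prov),` line is well over 80 columns even before indentation, which OpenSSL's coding style (check-format.pl) flags; breaking after `key_type,` and aligning `ossl_provider_ctx(skeymgmt->prov),` with the existing `skeymgmt->import, keylen, params);` continuation keeps it within the limit. The two `OSSL_CORE_MAKE_FUNC(void *, ..._derive_skey, (void *ctx, const char *key_type, void *provctx,` lines in the core_dispatch.h hunks and the `kdf_pbkdf1_derive_skey` signature line in pbkdf1.c.in overrun in the same way. EVP_KDF_derive_SKEY's body begins before this hunk.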
@@ -26,7 +26,7 @@ provider-kdf - The KDF library E-E provider functions
 int OSSL_FUNC_kdf_reset(void *kctx);
 int OSSL_FUNC_kdf_derive(void *kctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]);
- void *OSSL_FUNC_kdf_derive_skey(void *ctx, void *provctx,
+ void *OSSL_FUNC_kdf_derive_skey(void *ctx, const char *key_type, void *provctx,
 OSSL_FUNC_skeymgmt_import_fn *import, size_t keylen, const OSSL_PARAM params[]);
@@ -124,7 +124,11 @@ If the algorithm does not support the requested I the function must return error.
 OSSL_FUNC_kdf_derive_skey() is similar to OSSL_FUNC_kdf_derive() but uses an
-opaque object for storing the derived key.
+opaque object for storing the derived key. It accepts I parameter to
+give a hint to the provider what type of the key (e.g. generic or AES) would be
+generated and I function from the B object to be
+associated with the key. The B object comes from the same
+provider as the KDF itself.
 =head2 KDF Parameters
diff --git a/doc/man7/provider-keyexch.pod b/doc/man7/provider-keyexch.pod
index 6096501d7f3..d5d2d4769c3 100644
--- a/doc/man7/provider-keyexch.pod
+++ b/doc/man7/provider-keyexch.pod
@@ -28,7 +28,7 @@ provider-keyexch - The keyexch library E-E provider functions
 int OSSL_FUNC_keyexch_set_peer(void *ctx, void *provkey);
 int OSSL_FUNC_keyexch_derive(void *ctx, unsigned char *secret, size_t *secretlen, size_t outlen);
- int OSSL_FUNC_keyexch_derive_skey(void *ctx, void *provctx,
+ int OSSL_FUNC_keyexch_derive_skey(void *ctx, const char *key_type, void *provctx,
 OSSL_FUNC_skeymgmt_import_fn *import, size_t keylen, const OSSL_PARAM params[]);
@@ -138,8 +138,12 @@ The length of the shared secret should be written to I<*secretlen>.
 If I is NULL then the maximum length of the shared secret should be written to I<*secretlen>.
-OSSL_FUNC_keyexch_derive_skey() is similar to OSSL_FUNC_keyexch_derive() but works
-with an opaque provider-specific object instead of raw bytes buffer.
+OSSL_FUNC_keyexch_derive_skey() is similar to OSSL_FUNC_keyexch_derive() but
+uses an opaque object for storing the derived key. It accepts I
+parameter to give a hint to the provider what type of the key (e.g. generic or
+AES) would be generated and I function from the B object
+to be associated with the key. The B object comes from the same
+provider as the KDF itself.
 =head2 Key Exchange Parameters Functions
diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h
index d535d6b5375..e435c08823f 100644
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@@ -583,7 +583,7 @@ OSSL_CORE_MAKE_FUNC(int, kdf_set_ctx_params, (void *kctx, const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, kdf_set_skey, (void *kctx, void *skeydata, const char *paramname))
-OSSL_CORE_MAKE_FUNC(void *, kdf_derive_skey, (void *ctx, void *provctx,
+OSSL_CORE_MAKE_FUNC(void *, kdf_derive_skey, (void *ctx, const char *key_type, void *provctx,
 OSSL_FUNC_skeymgmt_import_fn *import, size_t keylen, const OSSL_PARAM params[]))
@@ -844,7 +844,7 @@ OSSL_CORE_MAKE_FUNC(int, keyexch_get_ctx_params, (void *ctx, OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, keyexch_gettable_ctx_params, (void *ctx, void *provctx))
-OSSL_CORE_MAKE_FUNC(void *, keyexch_derive_skey, (void *ctx, void *provctx,
+OSSL_CORE_MAKE_FUNC(void *, keyexch_derive_skey, (void *ctx, const char *key_type, void *provctx,
 OSSL_FUNC_skeymgmt_import_fn *import, size_t keylen, const OSSL_PARAM params[]))
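Review bot: Inserting `const char *key_type` in the middle of the `kdf_derive_skey` parameter list changes the provider-side signature, and because OSSL_DISPATCH entries are untyped function pointers a provider built against the old `(void *ctx, void *provctx, ...)` shape will still compile and load, then receive its `provctx` where `key_type` is now expected and `import` where `provctx` is expected. If OSSL_FUNC_KDF_DERIVE_SKEY has already shipped in a release, a new function number would be the backward-compatible route; if it is still unreleased, the commit message should say so, since "necessary on the provider side" does not tell a reviewer that an incompatible change is intended. The keyexch_derive_skey hunk below makes the same change with the same consequence.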
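Review bot: The macro here defines `keyexch_derive_skey` as returning `void *`, but the provider-keyexch.pod synopsis that this commit rewrites still reads `int OSSL_FUNC_keyexch_derive_skey(void *ctx, const char *key_type, void *provctx,` on both the removed and the added line; since the synopsis line is being touched anyway, changing `int` to `void *` there (matching the `void *OSSL_FUNC_kdf_derive_skey` synopsis in provider-kdf.pod) would stop the two documents disagreeing with the header. The paragraph added to provider-keyexch.pod also ends with `provider as the KDF itself.`, which was carried over from provider-kdf.pod and should read `provider as the key exchange algorithm itself.` for this page.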
diff --git a/providers/implementations/exchange/ecdh_exch.c.in b/providers/implementations/exchange/ecdh_exch.c.in
index 8d6f1745f2b..69cae378aab 100644
--- a/providers/implementations/exchange/ecdh_exch.c.in
+++ b/providers/implementations/exchange/ecdh_exch.c.in
@@ -619,7 +619,8 @@ int ecdh_derive(void *vpecdhctx, unsigned char *secret,
 }
 static
-void *ecdh_derive_skey(void *vpecdhctx, void *provctx, OSSL_FUNC_skeymgmt_import_fn *import,
+void *ecdh_derive_skey(void *vpecdhctx, const char *key_type ossl_unused,
+ void *provctx, OSSL_FUNC_skeymgmt_import_fn *import,
 size_t outlen, const OSSL_PARAM params_in[] ossl_unused)
 {
 unsigned char *secret = NULL;
diff --git a/providers/implementations/kdfs/pbkdf1.c.in b/providers/implementations/kdfs/pbkdf1.c.in
index 5a4d770ae07..12b7b6f8de8 100644
--- a/providers/implementations/kdfs/pbkdf1.c.in
+++ b/providers/implementations/kdfs/pbkdf1.c.in
@@ -309,7 +309,8 @@ static int kdf_pbkdf1_set_skey(void *vctx, void *skeydata, const char *paramname
 }
 static
-void *kdf_pbkdf1_derive_skey(void *vctx, void *provctx, OSSL_FUNC_skeymgmt_import_fn *import,
+void *kdf_pbkdf1_derive_skey(void *vctx, const char *key_type ossl_unused, void *provctx,
+ OSSL_FUNC_skeymgmt_import_fn *import,
 size_t keylen, const OSSL_PARAM params[])
 {
 unsigned char *key = NULL;
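Review bot: `key_type` is accepted but tagged `ossl_unused`, so `ecdh_derive_skey` never looks at the hint, and `kdf_pbkdf1_derive_skey` in the pbkdf1.c.in hunk does the same. That is consistent with the "hint" wording the commit adds to the provider docs, but it means a caller that names one key type while supplying an EVP_SKEYMGMT `import` for another is rejected by neither side, and presumably whatever `import` builds is what the caller gets. A one-line comment above the signature would make that an explicit decision rather than an omission for the next implementer, e.g. `/* key_type is advisory only and is intentionally ignored here */`. The function body continues past the end of the hunk.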