-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EVP_PKEY_(get_)id not returning an OID (for provider PKEYs) #20497
Comments
No, it's a NID. Usually there's a one-to-one correspondence from NID to OID (
If we're talking about a name for human consumption, does |
There is also |
OK, then I'd suggest a documentation update (will do so if no-one jumps at this). I'd also add the correction that the retval from that function may actually be -1 (not just NID_undef or positive NID as currently documented) thus indicating a provided key. Would it be sensible to then also directly point to
No, that also returns NULL (but that might arguably be changed by the provider implementation). But it would not solve the issue for OpenVPN: Are you saying the code there must be updated to support providers? Adding a call to If so, do you recommend a "standard way" how to utilize OpenSSLv3 APIs (such as |
That is really unfortunate. Arguably that's a bug. We should either fix it, or fix the documentation. I worry whether it might be too late to actually fix it though??? Maybe applications already rely on this. Not sure.
Looks like it. It should still be ok if its a provider supplied sig alg that OpenSSL already knows about - but if it is completely unknown to OpenSSL its just not going to work.
Shouldn't you be able to just always call
https://www.openssl.org/docs/man3.0/man3/OPENSSL_VERSION_NUMBER.html Note that page describes numerous macros for checking the version number - but many of those were introduced in 3.0. |
Their fault if they do. It's clearly documented. I'd suggest fixing the code instead. It would also solve the "downstream" OpenVPN problem: The whole code causing the problem would not trigger again if the retval of As simple as
OK to PR? |
Let's have a PR for it. We can gather more opinion there. |
The documentation didn't mention the development where EVP_PKEY_get_id() returns a negative value for provider-only implementations, and the migration guide didn't mention how to cope with that. Fixes #20497 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #20501) (cherry picked from commit a2a543e)
The documentation didn't mention the development where EVP_PKEY_get_id() returns a negative value for provider-only implementations, and the migration guide didn't mention how to cope with that. Fixes #20497 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #20501) (cherry picked from commit a2a543e)
The
master
documentation forEVP_PKEY_get_id
(and thus for the old APIEVP_PKEY_id
) is documented to return an OID:Is this really correct? It rather seems to return a NID (or doesn't "OID" in this context refer to an X.509 OID but rather to an "OpenSSL internal object ID"?). In that case some clarification wrt "OID" may be in order (Apologies if I missed this somewhere).
The result is always used as a NID anyway. The one use that causes acute problems is here:
The issue is that a provider-based PKEY always causes
EVP_PKEY(_get)_id
to return -1 -- which is rather "suboptimal" for code interested in outputting the (SN) name of the algorithm.Or asked another way: How should an OpenSSL consumer (like OpenVPN) obtain the name (and/or NID) of the algorithm underlying a PKEY if that PKEY is provider-based? Ideally, it shouldn't know/have to worry about this "OpenSSL internal implementation detail", right?
In the OpenVPN use case, the problem is made worse by OpenSSL setting an error state due to the API call sequence
EVP_PKEY_get_id
->OBJ_nid2sn
: This causes the whole OpenVPN system to fail as OpenSSL reported an error:but only when logging is set too high (trying to obtain the algorithm name as per the above). Really surprising to users. Does an error state have to be set if a "provider-based" PKEY is examined?
The text was updated successfully, but these errors were encountered: