Make EVP_PKEY_type into the identity function
This function exists because callers sometimes write
EVP_PKEY_type(EVP_PKEY_id(pkey)), which is equivalent to
EVP_PKEY_base_id(pkey).

In OpenSSL, all this existed so that a type parsed as EVP_PKEY_RSA2
could still be mapped to EVP_PKEY_RSA. We haven't supported this since
2015, so this purely exists as a way to check that the key type exists.
In doing so, it currently pulls in the full implementation of every key
type.

I could replicate the list of keys, but that is one more place we have
to keep things up-to-date. Instead, just make this function the
identity. Looking through callers, it did not appear anyone depended on
the error condition.

Update-Note: EVP_PKEY_type used to return NID_undef when given a garbage
key type. Given it is only ever used in concert with EVP_PKEY_id, this
is unlikely to impact anyone. If it does, we can do the more tedious
option.

Bug: 497
Change-Id: Ibf68a07ef6906398df0fec425c869c107b8c90f4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67109
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 8ede9514dac7cace2084d95502d4bd8ea39b08b6)
davidben authored and samuel40791765 committed Dec 18, 2024
1 parent a1fcb33 commit 454d657
Showing 2 changed files with 6 additions and 9 deletions.
8 changes: 3 additions & 5 deletions crypto/fipsmodule/evp/evp.c
Expand Up @@ -264,11 +264,9 @@ void evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method) {
}

int EVP_PKEY_type(int nid) {
const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(nid);
if (meth == NULL) {
return NID_undef;
}
return meth->pkey_id;
// In OpenSSL, this was used to map between type aliases. BoringSSL supports
// no type aliases, so this function is just the identity.
return nid;
}

EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, const uint8_t *mac_key,
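Review bot: `return nid;` now passes any integer through, so the `NID_undef` result for unknown types is gone and a caller that treated `EVP_PKEY_type` as an existence check will accept a garbage type without noticing. The new in-function comment covers the alias history only; add a sentence saying unknown values are returned unchanged, and consider a test that pins this behaviour, since neither of the two changed files is a test.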
7 changes: 3 additions & 4 deletions include/openssl/evp.h
Expand Up @@ -136,10 +136,6 @@ OPENSSL_EXPORT int EVP_PKEY_bits(const EVP_PKEY *pkey);
// values.
OPENSSL_EXPORT int EVP_PKEY_id(const EVP_PKEY *pkey);

// EVP_PKEY_type returns |nid| if |nid| is a known key type and |NID_undef|
// otherwise.
OPENSSL_EXPORT int EVP_PKEY_type(int nid);

// EVP_MD_get0_name returns the short name of |md|
OPENSSL_EXPORT const char *EVP_MD_get0_name(const EVP_MD *md);

Expand Down Expand Up @@ -1262,6 +1258,9 @@ OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp,
// is NULL, it returns zero.
OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key);

// EVP_PKEY_type returns |nid|.
OPENSSL_EXPORT int EVP_PKEY_type(int nid);

// EVP_PKEY_new_mac_key is deprecated. It allocates a fresh |EVP_PKEY| of
// |type|. Only |EVP_PKEY_HMAC| is supported. |mac_key| is used as the HMAC key,
// NULL |mac_key| will result in a complete zero-key being used, but in that
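Review bot: The new header comment `// EVP_PKEY_type returns |nid|.` does not tell readers that |nid| is no longer validated, which is the behaviour change from the removed wording ("|NID_undef| otherwise"). Suggest stating that no check is made and that callers should not use this function to test whether a key type is supported; if placing the declaration next to `EVP_PKEY_new_mac_key` is meant to mark it as deprecated, say so in the comment as the neighbouring entry does.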