Skip to content

Move all code using EVP_PKEY_assign and EVP_PKEY_get0 into legacy-only modules #508

Open
Open
Move all code using EVP_PKEY_assign and EVP_PKEY_get0 into legacy-only modules#508
@VladGud

Description

@VladGud
VladGud
opened on Dec 30, 2025

Move all code using EVP_PKEY_assign and EVP_PKEY_get0 into legacy-only modules

Summary

Extract all functions using deprecated EVP_PKEY internal accessors (EVP_PKEY_assign, EVP_PKEY_get0) into separate legacy-only modules (gost_ameth_legacy.c, gost_pmeth_legacy.c) that are compiled only when GOST_ENABLE_LEGACY is enabled.

Problem Description

The current implementation uses deprecated OpenSSL EVP_PKEY internal accessors scattered throughout multiple files:

  • EVP_PKEY_assign(pkey, nid, key_data) - Directly assigns algorithm-specific key data to an EVP_PKEY without going through proper OpenSSL provider interfaces
  • EVP_PKEY_get0(pkey) - Directly retrieves raw algorithm-specific key data from EVP_PKEY, bypassing encapsulation

These functions are deprecated because they:

  1. Break encapsulation by exposing internal EVP_PKEY structure layout
  2. Are not available in OpenSSL builds with OPENSSL_NO_DEPRECATED flag
  3. Prevent migration to provider-based EVP_PKEY implementations
  4. Create tight coupling to OpenSSL internal APIs

Current usage

These deprecated accessors are used in:

  • gost_ameth.c - ASN1 method implementations
  • gost_pmeth.c - PKEYmethod implementations for key generation, signing, MAC operations

Required Changes

1. Create gost_ameth_legacy.c

Move all functions from gost_ameth.c that call EVP_PKEY_assign or EVP_PKEY_get0:

Functions to extract:

  • All ASN1 key encoding/decoding functions that use EVP_PKEY_get0 to access EC_KEY
  • All functions that use EVP_PKEY_assign to set EC_KEY in pkey

File structure:

/*
 * gost_ameth_legacy.c - Legacy ENGINE-based ASN1 methods
 * Contains all ASN1 method implementations that depend on
 * EVP_PKEY_assign and EVP_PKEY_get0.
 * Only compiled when GOST_ENABLE_LEGACY is enabled.
 */

#include "gost_lcl.h"
#include "e_gost_err.h"


/* Legacy ASN1 implementations using EVP_PKEY internals */
static int gost_ameth_keybuf_to_priv_key(...)
{
    EVP_PKEY *pkey = EVP_PKEY_new();
    if (!pkey)
        return 0;
    
    /* Use EVP_PKEY_get0 / EVP_PKEY_assign here */
    EC_KEY *ec = ECP_KEY_new();
    /* ... */
    if (!EVP_PKEY_assign(pkey, NID_id_GostR3410_2001, ec)) {
        EC_KEY_free(ec);
        EVP_PKEY_free(pkey);
        return 0;
    }
    
    return 1;
}

/* ... other extracted functions ... */

2. Create gost_pmeth_legacy.c

Move all functions from gost_pmeth.c that call EVP_PKEY_assign or EVP_PKEY_get0:

Functions to extract:

  • pkey_gost2001_paramgen()
  • pkey_gost2012_paramgen()
  • pkey_gost2001cp_keygen()
  • pkey_gost2012cp_keygen()
  • pkey_gost_mac_keygen_base()
  • pkey_gost_mac_keygen_12()
  • pkey_gost_mac_keygen()
  • pkey_gost_magma_mac_keygen()
  • pkey_gost_grasshopper_mac_keygen()
  • pkey_gost_ec_cp_sign() and related
  • pkey_gost_ec_cp_verify() and related

File structure:

/*
 * gost_pmeth_legacy.c - Legacy ENGINE-based PKEY methods
 * Contains all EVP_PKEY_METHOD implementations that depend on
 * EVP_PKEY_assign and EVP_PKEY_get0.
 * Only compiled when GOST_ENABLE_LEGACY is enabled.
 */

#include "gost_lcl.h"
#include "e_gost_err.h"

/* Legacy paramgen implementations using EVP_PKEY internals */
static int pkey_gost2001_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
{
    struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(ctx);
    EC_KEY *ec = NULL;

    if (!data || data->sign_param_nid == NID_undef) {
        GOSTerr(GOST_F_PKEY_GOST2001_PARAMGEN, GOST_R_NO_PARAMETERS_SET);
        return 0;
    }

    ec = internal_ec_paramgen(data->sign_param_nid);
    if (!ec)
        return 0;

    if (!EVP_PKEY_assign(pkey, NID_id_GostR3410_2001, ec)) {
        EC_KEY_free(ec);
        return 0;
    }
    return 1;
}

/* ... other extracted functions ... */

/* Registration function called from main register_pmeth_gost */
int register_pmeth_gost_legacy(int id, EVP_PKEY_METHOD **pmeth, int flags)
{
    /* Set up methods for legacy-only cases */
    switch (id) {
    case NID_id_GostR3410_2001:
        EVP_PKEY_meth_set_keygen(*pmeth, NULL, pkey_gost2001cp_keygen);
        break;
    case NID_id_GostR3410_2012_256:
        EVP_PKEY_meth_set_keygen(*pmeth, NULL, pkey_gost2012cp_keygen);
        break;
    /* ... */
    }
    return 1;
}

3. Update gost_ameth.c

Remove all functions that use EVP_PKEY_assign or EVP_PKEY_get0. Keep only the common infrastructure:

/* gost_ameth.c - ASN1 method implementations (provider-compatible) */

#include "gost_lcl.h"
#include "e_gost_err.h"

/* Common ASN1 infrastructure that doesn't depend on EVP_PKEY internals */
static int gost_ameth_foo() { ... }

/* Conditional inclusion of legacy implementations */
#ifdef GOST_ENABLE_LEGACY
#include "gost_ameth_legacy.c"
#endif

/* For provider-only builds, these return error */
#ifndef GOST_ENABLE_LEGACY
static int gost_ameth_keybuf_to_priv_key_stub(...)
{
    GOSTerr(GOST_F_AMETH, GOST_R_LEGACY_DISABLED);
    return 0;
}
/* ... other stubs ... */
#endif

4. Update gost_pmeth.c

Remove all functions that use EVP_PKEY_assign or EVP_PKEY_get0.

5. Update CMakeLists.txt or build system

Add conditional compilation:

# Legacy support (default: ON for backward compatibility)
option(GOST_ENABLE_LEGACY "Enable legacy ENGINE-based implementations" ON)

if(GOST_ENABLE_LEGACY)
    target_sources(gost_engine PRIVATE
        gost_ameth_legacy.c
        gost_pmeth_legacy.c
    )
    target_compile_definitions(gost_engine PRIVATE GOST_ENABLE_LEGACY)
endif()

target_sources(gost_engine PRIVATE
    gost_ameth.c
    gost_pmeth.c
    # ... other sources ...
)

Files to Create

  • gost_ameth_legacy.c - Legacy ASN1 method implementations
  • gost_pmeth_legacy.c - Legacy PKEY method implementations

Files to Modify

  • gost_ameth.c - Remove legacy functions, keep common code
  • gost_pmeth.c - Remove legacy functions, update registration to delegate to legacy module
  • CMakeLists.txt or build system - Add conditional compilation

Compilation behavior

When GOST_ENABLE_LEGACY=ON (default):

  • gost_ameth_legacy.c and gost_pmeth_legacy.c are compiled
  • Full backward compatibility with existing ENGINE-based code
  • Uses EVP_PKEY_assign and EVP_PKEY_get0

When GOST_ENABLE_LEGACY is not set:

  • gost_ameth_legacy.c and gost_pmeth_legacy.c are NOT compiled
  • Legacy paramgen/keygen operations return error
  • Compatible with OpenSSL builds with OPENSSL_NO_DEPRECATED
  • Provider-only mode (future work will implement provider interfaces)

Acceptance Criteria

  • All EVP_PKEY_assign calls moved to legacy modules
  • All EVP_PKEY_get0 calls moved to legacy modules
  • Code compiles with GOST_ENABLE_LEGACY=ON (default) - all tests pass
  • Code compiles with GOST_ENABLE_LEGACY=OFF - legacy operations fail gracefully with clear error

Testing

  • Compile with -DGOST_ENABLE_LEGACY=ON (default) - all tests pass
  • Compile with -DGOST_ENABLE_LEGACY=OFF - legacy operations fail with GOST_R_LEGACY_DISABLED
  • Test with OpenSSL compiled with OPENSSL_NO_DEPRECATED and GOST_ENABLE_LEGACY=OFF

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions