[openssl] master update
Richard Levitte
levitte at openssl.org
Mon Jun 8 21:51:34 UTC 2020
The branch master has been updated
via 78215852066d214ded6695a27c997eb0d651c31f (commit)
via edf96591650551274c650a48c228d089c4057df9 (commit)
via 4ec1463d71db6324abe9c91d2ed9aa1e136c9cb3 (commit)
from a6d36303e91b79379da2e2ffaa608dba704d3eb8 (commit)
- Log -----------------------------------------------------------------
commit 78215852066d214ded6695a27c997eb0d651c31f
Author: Richard Levitte <levitte at openssl.org>
Date: Fri Jun 5 23:40:49 2020 +0200
APPS: Fix 'openssl dhparam'
'dhparam' can't be completely rewritten in terms of EVP_PKEY functions
yet, because we lack X9.42 support. However, we do when generating,
but forgot to extract a DH pointer with EVP_PKEY_get0_DH().
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)
commit edf96591650551274c650a48c228d089c4057df9
Author: Richard Levitte <levitte at openssl.org>
Date: Thu Jun 4 22:34:09 2020 +0200
APPS: Fix 'openssl dsaparam -genkey'
Using a parameter EVP_PKEY for key generation with EVP_PKEY routines
works a little differently than the raw DSA routines that were used
before.
While fixing that, clean away all remaining use of the DSA type, which
simplifies the code a bit more.
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)
commit 4ec1463d71db6324abe9c91d2ed9aa1e136c9cb3
Author: Richard Levitte <levitte at openssl.org>
Date: Thu Jun 4 20:05:26 2020 +0200
EVP: Let EVP_PKEY_gen() initialize ctx->keygen_info
In EVP_PKEY_METHOD code, the backend initializes ctx->keygen_info.
With provider side code, it's not possible to reach back into the
EVP_PKEY_CTX in the same manner, so we need to make that
initialization in the central generation function, EVP_PKEY_gen().
This isn't quite compatible with the idea that keygen_info could have
an arbitrary amount of elements, but since all our legacy backends use
exactly two elements, that's what we go for.
Fixes #12047
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)
-----------------------------------------------------------------------
Summary of changes:
apps/dhparam.c | 14 ++++++------
apps/dsaparam.c | 59 ++++++++++++++-------------------------------------
crypto/evp/pmeth_gn.c | 16 ++++++++++++++
3 files changed, 40 insertions(+), 49 deletions(-)
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 3e5f4095a9..aadf1f2c32 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -84,7 +84,7 @@ const OPTIONS dhparam_options[] = {
int dhparam_main(int argc, char **argv)
{
BIO *in = NULL, *out = NULL;
- DH *dh = NULL;
+ DH *dh = NULL, *alloc_dh = NULL;
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
char *infile = NULL, *outfile = NULL, *prog;
@@ -216,7 +216,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
- dh = DSA_dup_DH(dsa);
+ dh = alloc_dh = DSA_dup_DH(dsa);
DSA_free(dsa);
BN_GENCB_free(cb);
if (dh == NULL) {
@@ -256,6 +256,7 @@ int dhparam_main(int argc, char **argv)
ERR_print_errors(bio_err);
goto end;
}
+ dh = EVP_PKEY_get0_DH(pkey);
}
} else {
in = bio_open_default(infile, 'r', informat);
@@ -277,7 +278,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
- dh = DSA_dup_DH(dsa);
+ dh = alloc_dh = DSA_dup_DH(dsa);
DSA_free(dsa);
if (dh == NULL) {
ERR_print_errors(bio_err);
@@ -291,13 +292,13 @@ int dhparam_main(int argc, char **argv)
* We have no PEM header to determine what type of DH params it
* is. We'll just try both.
*/
- dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHparams, in, NULL);
+ dh = alloc_dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHparams, in, NULL);
/* BIO_reset() returns 0 for success for file BIOs only!!! */
if (dh == NULL && BIO_reset(in) == 0)
- dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, in, NULL);
+ dh = alloc_dh = ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, in, NULL);
} else {
/* informat == FORMAT_PEM */
- dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+ dh = alloc_dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
}
if (dh == NULL) {
@@ -389,6 +390,7 @@ int dhparam_main(int argc, char **argv)
}
ret = 0;
end:
+ DH_free(alloc_dh);
BIO_free(in);
BIO_free_all(out);
EVP_PKEY_free(pkey);
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 9b73a31c30..19cb1bdd46 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -66,9 +66,8 @@ const OPTIONS dsaparam_options[] = {
int dsaparam_main(int argc, char **argv)
{
ENGINE *e = NULL;
- DSA *dsa = NULL;
BIO *in = NULL, *out = NULL;
- EVP_PKEY *pkey = NULL;
+ EVP_PKEY *params = NULL, *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
int numbits = -1, num = 0, genkey = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
@@ -181,51 +180,34 @@ int dsaparam_main(int argc, char **argv)
"Error, DSA key generation setting bit length failed\n");
goto end;
}
- if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
+ if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) {
ERR_print_errors(bio_err);
BIO_printf(bio_err, "Error, DSA key generation failed\n");
goto end;
}
- dsa = EVP_PKEY_get1_DSA(pkey);
- if (dsa == NULL) {
- ERR_print_errors(bio_err);
- BIO_printf(bio_err, "Error, DSA key extraction failed\n");
- goto end;
- }
} else if (informat == FORMAT_ASN1) {
- dsa = d2i_DSAparams_bio(in, NULL);
+ params = d2i_KeyParams_bio(EVP_PKEY_DSA, NULL, in);
} else {
- dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
+ params = PEM_read_bio_Parameters(in, NULL);
}
- if (dsa == NULL) {
+ if (params == NULL) {
BIO_printf(bio_err, "unable to load DSA parameters\n");
ERR_print_errors(bio_err);
goto end;
}
- if (pkey == NULL) {
- pkey = EVP_PKEY_new();
- if (pkey == NULL) {
- BIO_printf(bio_err, "Error, unable to allocate PKEY object\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
- BIO_printf(bio_err, "Error, unable to set DSA parameters\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- }
if (text) {
- EVP_PKEY_print_params(out, pkey, 0, NULL);
+ EVP_PKEY_print_params(out, params, 0, NULL);
}
if (C) {
- const BIGNUM *p = NULL, *q = NULL, *g = NULL;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
unsigned char *data;
int len, bits_p;
- DSA_get0_pqg(dsa, &p, &q, &g);
+ EVP_PKEY_get_bn_param(params, "p", &p);
+ EVP_PKEY_get_bn_param(params, "q", &q);
+ EVP_PKEY_get_bn_param(params, "g", &g);
len = BN_num_bytes(p);
bits_p = BN_num_bits(p);
@@ -261,9 +243,9 @@ int dsaparam_main(int argc, char **argv)
if (!noout) {
if (outformat == FORMAT_ASN1)
- i = i2d_DSAparams_bio(out, dsa);
+ i = i2d_KeyParams_bio(out, params);
else
- i = PEM_write_bio_DSAparams(out, dsa);
+ i = PEM_write_bio_Parameters(out, params);
if (!i) {
BIO_printf(bio_err, "unable to write DSA parameters\n");
ERR_print_errors(bio_err);
@@ -271,10 +253,8 @@ int dsaparam_main(int argc, char **argv)
}
}
if (genkey) {
- DSA *dsakey;
-
EVP_PKEY_CTX_free(ctx);
- ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ ctx = EVP_PKEY_CTX_new(params, NULL);
if (ctx == NULL) {
ERR_print_errors(bio_err);
BIO_printf(bio_err,
@@ -291,18 +271,11 @@ int dsaparam_main(int argc, char **argv)
ERR_print_errors(bio_err);
goto end;
}
- dsakey = EVP_PKEY_get0_DSA(pkey);
- if (dsakey == NULL) {
- BIO_printf(bio_err, "unable to extract generated key\n");
- ERR_print_errors(bio_err);
- goto end;
- }
assert(private);
if (outformat == FORMAT_ASN1)
- i = i2d_DSAPrivateKey_bio(out, dsakey);
+ i = i2d_PrivateKey_bio(out, pkey);
else
- i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
- NULL);
+ i = PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL);
}
ret = 0;
end:
@@ -310,7 +283,7 @@ int dsaparam_main(int argc, char **argv)
BIO_free_all(out);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
- DSA_free(dsa);
+ EVP_PKEY_free(params);
release_engine(e);
return ret;
}
diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c
index fb861d2487..411f270b49 100644
--- a/crypto/evp/pmeth_gn.c
+++ b/crypto/evp/pmeth_gn.c
@@ -144,6 +144,8 @@ int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
int ret = 0;
OSSL_CALLBACK cb;
EVP_PKEY *allocated_pkey = NULL;
+ /* Legacy compatible keygen callback info, only used with provider impls */
+ int gentmp[2];
if (ppkey == NULL)
return -1;
@@ -165,6 +167,18 @@ int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
if (ctx->op.keymgmt.genctx == NULL)
goto legacy;
+ /*
+ * Asssigning gentmp to ctx->keygen_info is something our legacy
+ * implementations do. Because the provider implementations aren't
+ * allowed to reach into our EVP_PKEY_CTX, we need to provide similar
+ * space for backward compatibility. It's ok that we attach a local
+ * variable, as it should only be useful in the calls down from here.
+ * This is cleared as soon as it isn't useful any more, i.e. directly
+ * after the evp_keymgmt_util_gen() call.
+ */
+ ctx->keygen_info = gentmp;
+ ctx->keygen_info_count = 2;
+
ret = 1;
if (ctx->pkey != NULL) {
EVP_KEYMGMT *tmp_keymgmt = ctx->keymgmt;
@@ -191,6 +205,8 @@ int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
ossl_callback_to_pkey_gencb, ctx)
!= NULL);
+ ctx->keygen_info = NULL;
+
#ifndef FIPS_MODULE
/* In case |*ppkey| was originally a legacy key */
if (ret)
More information about the openssl-commits
mailing list