[openssl] master update
dev at ddvo.net
dev at ddvo.net
Wed Jun 10 09:09:05 UTC 2020
The branch master has been updated
via 2a3158ac5ba5aae516f8d3264d723f1b7e86fc34 (commit)
via 8da42c8b26393f56acc4f301b95f925eb8902442 (commit)
from 498e807ed257b0f292ba94aea2971b928efbfd91 (commit)
- Log -----------------------------------------------------------------
commit 2a3158ac5ba5aae516f8d3264d723f1b7e86fc34
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 5 21:40:28 2020 +0200
Make error output of dhparams and dsaparams app more consistent
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12062)
commit 8da42c8b26393f56acc4f301b95f925eb8902442
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 5 21:27:34 2020 +0200
Generate error queue entry on FFC_CHECK_BAD_LN_PAIR for DH and DSA
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12062)
-----------------------------------------------------------------------
Summary of changes:
apps/dhparam.c | 36 ++++++++++++------------------------
apps/dsaparam.c | 20 +++++++-------------
crypto/dh/dh_err.c | 3 ++-
crypto/dh/dh_gen.c | 2 +-
crypto/dsa/dsa_err.c | 3 ++-
crypto/dsa/dsa_pmeth.c | 2 +-
crypto/err/openssl.txt | 2 ++
crypto/ffc/ffc_params_generate.c | 9 +++++++++
include/openssl/dherr.h | 1 +
include/openssl/dsaerr.h | 1 +
10 files changed, 38 insertions(+), 41 deletions(-)
diff --git a/apps/dhparam.c b/apps/dhparam.c
index aadf1f2c32..84f5f3ed8f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -177,7 +177,7 @@ int dhparam_main(int argc, char **argv)
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if (dsaparam && g) {
BIO_printf(bio_err,
- "generator may not be chosen for DSA parameters\n");
+ "Error, generator may not be chosen for DSA parameters\n");
goto end;
}
#endif
@@ -198,10 +198,8 @@ int dhparam_main(int argc, char **argv)
DSA *dsa = DSA_new();
BN_GENCB *cb = BN_GENCB_new();
- if (cb == NULL) {
- ERR_print_errors(bio_err);
+ if (cb == NULL)
goto end;
- }
BN_GENCB_set(cb, dh_cb, bio_err);
@@ -212,23 +210,20 @@ int dhparam_main(int argc, char **argv)
cb)) {
DSA_free(dsa);
BN_GENCB_free(cb);
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to generate DSA parameters\n");
goto end;
}
dh = alloc_dh = DSA_dup_DH(dsa);
DSA_free(dsa);
BN_GENCB_free(cb);
- if (dh == NULL) {
- ERR_print_errors(bio_err);
+ if (dh == NULL)
goto end;
- }
} else
#endif
{
ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
if (ctx == NULL) {
- ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Error, DH key generation context allocation failed\n");
goto end;
@@ -242,18 +237,15 @@ int dhparam_main(int argc, char **argv)
if (!EVP_PKEY_paramgen_init(ctx)) {
BIO_printf(bio_err,
"Error, unable to initialise DH param generation\n");
- ERR_print_errors(bio_err);
goto end;
}
if (!EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, num)) {
BIO_printf(bio_err, "Error, unable to set DH prime length\n");
- ERR_print_errors(bio_err);
goto end;
}
if (!EVP_PKEY_paramgen(ctx, &pkey)) {
BIO_printf(bio_err, "Error, DH generation failed\n");
- ERR_print_errors(bio_err);
goto end;
}
dh = EVP_PKEY_get0_DH(pkey);
@@ -273,17 +265,14 @@ int dhparam_main(int argc, char **argv)
dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
if (dsa == NULL) {
- BIO_printf(bio_err, "unable to load DSA parameters\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to load DSA parameters\n");
goto end;
}
dh = alloc_dh = DSA_dup_DH(dsa);
DSA_free(dsa);
- if (dh == NULL) {
- ERR_print_errors(bio_err);
+ if (dh == NULL)
goto end;
- }
} else
#endif
{
@@ -302,8 +291,7 @@ int dhparam_main(int argc, char **argv)
}
if (dh == NULL) {
- BIO_printf(bio_err, "unable to load DH parameters\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to load DH parameters\n");
goto end;
}
}
@@ -315,8 +303,7 @@ int dhparam_main(int argc, char **argv)
if (check) {
if (!EVP_PKEY_param_check(ctx) /* DH_check(dh, &i) */) {
- ERR_print_errors(bio_err);
- BIO_printf(bio_err, "ERROR: Invalid parameters generated\n");
+ BIO_printf(bio_err, "Error, invalid parameters generated\n");
goto end;
}
BIO_printf(bio_err, "DH parameters appear to be ok.\n");
@@ -325,7 +312,7 @@ int dhparam_main(int argc, char **argv)
* We have generated parameters but DH_check() indicates they are
* invalid! This should never happen!
*/
- BIO_printf(bio_err, "ERROR: Invalid parameters generated\n");
+ BIO_printf(bio_err, "Error, invalid parameters generated\n");
goto end;
}
}
@@ -383,13 +370,14 @@ int dhparam_main(int argc, char **argv)
i = PEM_write_bio_DHparams(out, dh);
}
if (!i) {
- BIO_printf(bio_err, "unable to write DH parameters\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to write DH parameters\n");
goto end;
}
}
ret = 0;
end:
+ if (ret != 0)
+ ERR_print_errors(bio_err);
DH_free(alloc_dh);
BIO_free(in);
BIO_free_all(out);
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 19cb1bdd46..dfcaf38ca9 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -149,7 +149,6 @@ int dsaparam_main(int argc, char **argv)
ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
if (ctx == NULL) {
- ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Error, DSA parameter generation context allocation failed\n");
goto end;
@@ -169,19 +168,16 @@ int dsaparam_main(int argc, char **argv)
BIO_printf(bio_err, "This could take some time\n");
}
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
- ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Error, DSA key generation paramgen init failed\n");
goto end;
}
if (!EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num)) {
- ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Error, DSA key generation setting bit length failed\n");
goto end;
}
if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) {
- ERR_print_errors(bio_err);
BIO_printf(bio_err, "Error, DSA key generation failed\n");
goto end;
}
@@ -191,8 +187,7 @@ int dsaparam_main(int argc, char **argv)
params = PEM_read_bio_Parameters(in, NULL);
}
if (params == NULL) {
- BIO_printf(bio_err, "unable to load DSA parameters\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to load DSA parameters\n");
goto end;
}
@@ -247,8 +242,7 @@ int dsaparam_main(int argc, char **argv)
else
i = PEM_write_bio_Parameters(out, params);
if (!i) {
- BIO_printf(bio_err, "unable to write DSA parameters\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to write DSA parameters\n");
goto end;
}
}
@@ -256,19 +250,17 @@ int dsaparam_main(int argc, char **argv)
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new(params, NULL);
if (ctx == NULL) {
- ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Error, DSA key generation context allocation failed\n");
goto end;
}
if (!EVP_PKEY_keygen_init(ctx)) {
- BIO_printf(bio_err, "unable to initialise for key generation\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err,
+ "Error, unable to initialise for key generation\n");
goto end;
}
if (!EVP_PKEY_keygen(ctx, &pkey)) {
- BIO_printf(bio_err, "unable to generate key\n");
- ERR_print_errors(bio_err);
+ BIO_printf(bio_err, "Error, unable to generate key\n");
goto end;
}
assert(private);
@@ -279,6 +271,8 @@ int dsaparam_main(int argc, char **argv)
}
ret = 0;
end:
+ if (ret != 0)
+ ERR_print_errors(bio_err);
BIO_free(in);
BIO_free_all(out);
EVP_PKEY_CTX_free(ctx);
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index e5eb32381d..a8243ec987 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -14,6 +14,7 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA DH_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_BAD_FFC_PARAMETERS), "bad ffc parameters"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR), "bad generator"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_BN_DECODE_ERROR), "bn decode error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_BN_ERROR), "bn error"},
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 327f6ff610..8c1518ad9b 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -68,7 +68,7 @@ int dh_get_named_group_uid_from_size(int pbits)
* Just choose an approved safe prime group.
* The alternative to this is to generate FIPS186-4 domain parameters i.e.
* return dh_generate_ffc_parameters(ret, prime_len, 0, NULL, cb);
- * As the FIPS186-4 generated params are for backwards compatability,
+ * As the FIPS186-4 generated params are for backwards compatibility,
* the safe prime group should be used as the default.
*/
int nid;
diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c
index f4d187e4b9..6bf7accacf 100644
--- a/crypto/dsa/dsa_err.c
+++ b/crypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -14,6 +14,7 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA DSA_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BAD_FFC_PARAMETERS), "bad ffc parameters"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BAD_Q_VALUE), "bad q value"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BN_DECODE_ERROR), "bn decode error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BN_ERROR), "bn error"},
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 750d0168fa..7f7f57f6d3 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -221,7 +221,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
dctx->nbits, dctx->qbits, dctx->pmd,
&res, pcb);
BN_GENCB_free(pcb);
- if (ret)
+ if (ret > 0)
EVP_PKEY_assign_DSA(pkey, dsa);
else
DSA_free(dsa);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 8afc67e747..9b252e3827 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2341,6 +2341,7 @@ CT_R_SCT_UNSUPPORTED_VERSION:115:sct unsupported version
CT_R_UNRECOGNIZED_SIGNATURE_NID:101:unrecognized signature nid
CT_R_UNSUPPORTED_ENTRY_TYPE:102:unsupported entry type
CT_R_UNSUPPORTED_VERSION:103:unsupported version
+DH_R_BAD_FFC_PARAMETERS:127:bad ffc parameters
DH_R_BAD_GENERATOR:101:bad generator
DH_R_BN_DECODE_ERROR:109:bn decode error
DH_R_BN_ERROR:106:bn error
@@ -2368,6 +2369,7 @@ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
DSA_R_BAD_Q_VALUE:102:bad q value
DSA_R_BN_DECODE_ERROR:108:bn decode error
DSA_R_BN_ERROR:109:bn error
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c
index 1d8d80c9b4..624c24dd21 100644
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@@ -27,6 +27,9 @@
#include <string.h> /* memset */
#include <openssl/sha.h> /* SHA_DIGEST_LENGTH */
#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/dherr.h>
+#include <openssl/dsaerr.h>
#include "crypto/bn.h"
#include "internal/ffc.h"
@@ -40,6 +43,9 @@ static int ffc_validate_LN(size_t L, size_t N, int type)
/* Valid DH L,N parameters from SP800-56Ar3 5.5.1 Table 1 */
if (L == 2048 && (N == 224 || N == 256))
return 112;
+#ifndef OPENSSL_NO_DH
+ DHerr(0, DH_R_BAD_FFC_PARAMETERS);
+#endif
} else if (type == FFC_PARAM_TYPE_DSA) {
/* Valid DSA L,N parameters from FIPS 186-4 Section 4.2 */
if (L == 1024 && N == 160)
@@ -48,6 +54,9 @@ static int ffc_validate_LN(size_t L, size_t N, int type)
return 112;
if (L == 3072 && N == 256)
return 128;
+#ifndef OPENSSL_NO_DSA
+ DSAerr(0, DSA_R_BAD_FFC_PARAMETERS);
+#endif
}
return 0;
}
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 0ebe560545..1b8fb17172 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -62,6 +62,7 @@ int ERR_load_DH_strings(void);
/*
* DH reason codes.
*/
+# define DH_R_BAD_FFC_PARAMETERS 127
# define DH_R_BAD_GENERATOR 101
# define DH_R_BN_DECODE_ERROR 109
# define DH_R_BN_ERROR 106
diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h
index e2cf3098d5..271f24a2b5 100644
--- a/include/openssl/dsaerr.h
+++ b/include/openssl/dsaerr.h
@@ -57,6 +57,7 @@ int ERR_load_DSA_strings(void);
/*
* DSA reason codes.
*/
+# define DSA_R_BAD_FFC_PARAMETERS 114
# define DSA_R_BAD_Q_VALUE 102
# define DSA_R_BN_DECODE_ERROR 108
# define DSA_R_BN_ERROR 109
More information about the openssl-commits
mailing list