[openssl] master update

Richard Levitte levitte at openssl.org
Mon Mar 23 09:08:44 UTC 2020


The branch master has been updated
       via  0996cff91fe9d6ed7c37830debdf585119dcc067 (commit)
      from  8cc86b81ac20ff3e933ea7fd107a5a6066032330 (commit)


- Log -----------------------------------------------------------------
commit 0996cff91fe9d6ed7c37830debdf585119dcc067
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Mar 19 22:29:10 2020 +0100

    DH, DSA, EC_KEY: Fix exporters to allow domain parameter keys
    
    The export-to-provider functions for DH, DSA and EC_KEY assumed that a
    public key is always present, and would fail if not.  This blocks any
    attempt to export a key structure with only domain parameters.
    
    While fixing this, we also modify the selection declaration to
    evp_keymgmt_import() to be more adaptive, the diverse selection bits
    are now added when the corresponding data is added to the OSSL_PARAM
    array.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/11374)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dh/dh_ameth.c   | 14 +++++++++-----
 crypto/dsa/dsa_ameth.c | 15 ++++++++++-----
 crypto/ec/ec_ameth.c   | 36 ++++++++++++++++++------------------
 crypto/ec/ecx_meth.c   |  6 ++++--
 crypto/rsa/rsa_ameth.c |  6 ++++--
 5 files changed, 45 insertions(+), 32 deletions(-)

diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index ecec5fbcf6..877a66f9dc 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -498,6 +498,7 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     const BIGNUM *pub_key = DH_get0_pub_key(dh);
     const BIGNUM *priv_key = DH_get0_priv_key(dh);
     OSSL_PARAM *params;
+    int selection = 0;
     int rv;
 
     /*
@@ -518,21 +519,24 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
         if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_FFC_Q, q))
             return 0;
     }
-    /* A key must at least have a public part. */
-    if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key))
-        return 0;
+    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
+    if (pub_key != NULL) {
+        if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key))
+            return 0;
+        selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+    }
     if (priv_key != NULL) {
         if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PRIV_KEY,
                                     priv_key))
             return 0;
+        selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
     }
 
     if ((params = ossl_param_bld_to_param(&tmpl)) == NULL)
         return 0;
 
     /* We export, the provider imports */
-    rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
-                            params);
+    rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
 
     ossl_param_bld_free(params);
 
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 94f3f43b8e..92134f956b 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -526,6 +526,7 @@ static int dsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     const BIGNUM *q = DSA_get0_q(dsa), *pub_key = DSA_get0_pub_key(dsa);
     const BIGNUM *priv_key = DSA_get0_priv_key(dsa);
     OSSL_PARAM *params;
+    int selection = 0;
     int rv;
 
     /*
@@ -543,21 +544,25 @@ static int dsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
         || !ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_FFC_Q, q)
         || !ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_FFC_G, g))
         return 0;
-    if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY,
-                                pub_key))
-        return 0;
+    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
+    if (pub_key != NULL) {
+        if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY,
+                                    pub_key))
+            return 0;
+        selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+    }
     if (priv_key != NULL) {
         if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PRIV_KEY,
                                     priv_key))
             return 0;
+        selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
     }
 
     if ((params = ossl_param_bld_to_param(&tmpl)) == NULL)
         return 0;
 
     /* We export, the provider imports */
-    rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
-                            params);
+    rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
 
     ossl_param_bld_free(params);
 
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 652086a93a..944fc05835 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -630,6 +630,7 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     OSSL_PARAM *params = NULL;
     const BIGNUM *priv_key = NULL;
     const EC_POINT *pub_point = NULL;
+    int selection = 0;
     int rv = 0;
 
     if (from == NULL
@@ -648,26 +649,24 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
 
     /* export the domain parameters */
     if (!ecparams_to_params(eckey, &tmpl))
-        return 0;
+        goto err;
+    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
 
     priv_key = EC_KEY_get0_private_key(eckey);
     pub_point = EC_KEY_get0_public_key(eckey);
 
-    /* public_key must be present, priv_key is optional */
-    if (pub_point == NULL)
-        return 0;
-
-    /* convert pub_point to a octet string according to the SECG standard */
-    if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point,
-                                             POINT_CONVERSION_COMPRESSED,
-                                             &pub_key_buf, NULL)) == 0)
-        return 0;
-
-    if (!ossl_param_bld_push_octet_string(&tmpl,
-                OSSL_PKEY_PARAM_PUB_KEY,
-                pub_key_buf,
-                pub_key_buflen))
-        goto err;
+    if (pub_point != NULL) {
+        /* convert pub_point to a octet string according to the SECG standard */
+        if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point,
+                                                 POINT_CONVERSION_COMPRESSED,
+                                                 &pub_key_buf, NULL)) == 0
+            || !ossl_param_bld_push_octet_string(&tmpl,
+                                                 OSSL_PKEY_PARAM_PUB_KEY,
+                                                 pub_key_buf,
+                                                 pub_key_buflen))
+            goto err;
+        selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+    }
 
     if (priv_key != NULL) {
         size_t sz;
@@ -716,6 +715,7 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
                                         OSSL_PKEY_PARAM_PRIV_KEY,
                                         priv_key, sz))
             goto err;
+        selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
 
         /*
          * The ECDH Cofactor Mode is defined only if the EC_KEY actually
@@ -730,13 +730,13 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
                                      OSSL_PKEY_PARAM_USE_COFACTOR_ECDH,
                                      ecdh_cofactor_mode))
             goto err;
+        selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
     }
 
     params = ossl_param_bld_to_param(&tmpl);
 
     /* We export, the provider imports */
-    rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
-                            params);
+    rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
 
  err:
     ossl_param_bld_free(params);
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index 5f85927bd0..9b9536f022 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -423,6 +423,7 @@ static int ecx_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     const ECX_KEY *key = from->pkey.ecx;
     OSSL_PARAM_BLD tmpl;
     OSSL_PARAM *params = NULL;
+    int selection = 0;
     int rv = 0;
 
     ossl_param_bld_init(&tmpl);
@@ -431,19 +432,20 @@ static int ecx_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     if (!ossl_param_bld_push_octet_string(&tmpl, OSSL_PKEY_PARAM_PUB_KEY,
                                           key->pubkey, key->keylen))
         goto err;
+    selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
 
     if (key->privkey != NULL) {
         if (!ossl_param_bld_push_octet_string(&tmpl,
                                               OSSL_PKEY_PARAM_PRIV_KEY,
                                               key->privkey, key->keylen))
             goto err;
+        selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
     }
 
     params = ossl_param_bld_to_param(&tmpl);
 
     /* We export, the provider imports */
-    rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
-                            params);
+    rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
 
  err:
     ossl_param_bld_free(params);
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 3411b734e5..06d7a8caf6 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -1090,6 +1090,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     STACK_OF(BIGNUM_const) *primes = NULL, *exps = NULL, *coeffs = NULL;
     int numprimes = 0, numexps = 0, numcoeffs = 0;
     OSSL_PARAM *params = NULL;
+    int selection = 0;
     int rv = 0;
 
     /*
@@ -1110,6 +1111,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
         goto err;
     if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_N, n))
         goto err;
+    selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
 
     if (d != NULL) {
         int i;
@@ -1144,6 +1146,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
 
         if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_D, d))
             goto err;
+        selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
 
         for (i = 0; i < numprimes; i++) {
             const BIGNUM *num = sk_BIGNUM_const_value(primes, i);
@@ -1174,8 +1177,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
         goto err;
 
     /* We export, the provider imports */
-    rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL,
-                            params);
+    rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params);
 
  err:
     sk_BIGNUM_const_free(primes);


More information about the openssl-commits mailing list