[openssl] master update

Richard Levitte levitte at openssl.org
Mon Oct 19 10:16:02 UTC 2020


The branch master has been updated
       via  ea7277fd2e27afa3a173ea30d567f45d7bb3d30d (commit)
       via  ee55a2072785701d7f9322013f5e9968b1ff141f (commit)
       via  0ba71d6a63add7efb244965c0f18502bd786a0f7 (commit)
      from  6c8149df1fb6fce50a914a70040955d3512b0bd6 (commit)


- Log -----------------------------------------------------------------
commit ea7277fd2e27afa3a173ea30d567f45d7bb3d30d
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Oct 15 08:30:49 2020 +0200

    TEST: fix the DH tests to reproduce the priv_len settings
    
    Some DH tests are done against files generated with '-pkeyopt priv_len:224'
    This parameter must of course be reproduced when creating the key with
    EVP_PKEY_fromdata(), or there will be a default that's guaranteed to
    differ from the key parameters on file.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/13166)

commit ee55a2072785701d7f9322013f5e9968b1ff141f
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Oct 15 07:14:16 2020 +0200

    DH: have DH_set_length() increment the dirty count.
    
    The recommended private key length is a key parameter among other key
    parameters, and is included in the key data transferred in an import
    or export between legacy implementations and provider implementations.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/13166)

commit 0ba71d6a63add7efb244965c0f18502bd786a0f7
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Oct 15 07:10:29 2020 +0200

    DH: make the private key length importable / exportable
    
    The DH private key length, which is an optional parameter, wasn't
    properly imported / exported between legacy and provider side
    implementations.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/13166)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dh/dh_ameth.c                         |  8 +++-
 crypto/dh/dh_backend.c                       | 66 ++++++++++++++++++++++++++++
 crypto/dh/dh_lib.c                           | 20 +--------
 crypto/param_build_set.c                     | 11 +++++
 include/crypto/dh.h                          |  5 ++-
 include/internal/param_build_set.h           |  2 +
 providers/implementations/keymgmt/dh_kmgmt.c | 30 +++----------
 test/evp_pkey_provided_test.c                |  6 +++
 8 files changed, 103 insertions(+), 45 deletions(-)

diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 69b166362a..49e65e4d6c 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -485,6 +485,7 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
     DH *dh = from->pkey.dh;
     OSSL_PARAM_BLD *tmpl;
     const BIGNUM *p = DH_get0_p(dh), *g = DH_get0_g(dh), *q = DH_get0_q(dh);
+    long l = DH_get_length(dh);
     const BIGNUM *pub_key = DH_get0_pub_key(dh);
     const BIGNUM *priv_key = DH_get0_priv_key(dh);
     OSSL_PARAM *params = NULL;
@@ -512,6 +513,11 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata,
             goto err;
     }
     selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
+    if (l > 0) {
+        if (!OSSL_PARAM_BLD_push_long(tmpl, OSSL_PKEY_PARAM_DH_PRIV_LEN, l))
+            goto err;
+        selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS;
+    }
     if (pub_key != NULL) {
         if (!OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key))
             goto err;
@@ -550,7 +556,7 @@ static int dh_pkey_import_from_type(const OSSL_PARAM params[], void *vpctx,
     DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
     DH_set_flags(dh, type == EVP_PKEY_DH ? DH_FLAG_TYPE_DH : DH_FLAG_TYPE_DHX);
 
-    if (!dh_ffc_params_fromdata(dh, params)
+    if (!dh_params_fromdata(dh, params)
         || !dh_key_fromdata(dh, params)
         || !EVP_PKEY_assign(pkey, type, dh)) {
         DH_free(dh);
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index 704f6efac1..1ce29e652d 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -8,6 +8,7 @@
  */
 
 #include <openssl/core_names.h>
+#include "internal/param_build_set.h"
 #include "crypto/dh.h"
 
 /*
@@ -16,6 +17,41 @@
  * implementations alike.
  */
 
+static int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[])
+{
+    int ret;
+    FFC_PARAMS *ffc;
+
+    if (dh == NULL)
+        return 0;
+    ffc = dh_get0_params(dh);
+    if (ffc == NULL)
+        return 0;
+
+    ret = ossl_ffc_params_fromdata(ffc, params);
+    if (ret)
+        dh_cache_named_group(dh); /* This increments dh->dirt_cnt */
+    return ret;
+}
+
+int dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *param_priv_len;
+    long priv_len;
+
+    if (!dh_ffc_params_fromdata(dh, params))
+        return 0;
+
+    param_priv_len =
+        OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
+    if (param_priv_len != NULL
+        && (!OSSL_PARAM_get_long(param_priv_len, &priv_len)
+            || !DH_set_length(dh, priv_len)))
+        return 0;
+
+    return 1;
+}
+
 int dh_key_fromdata(DH *dh, const OSSL_PARAM params[])
 {
     const OSSL_PARAM *param_priv_key, *param_pub_key;
@@ -52,3 +88,33 @@ int dh_key_fromdata(DH *dh, const OSSL_PARAM params[])
     BN_free(pub_key);
     return 0;
 }
+
+int dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
+{
+    long l = DH_get_length(dh);
+
+    if (!ossl_ffc_params_todata(dh_get0_params(dh), bld, params))
+        return 0;
+    if (l > 0
+        && !ossl_param_build_set_long(bld, params, OSSL_PKEY_PARAM_DH_PRIV_LEN, l))
+        return 0;
+    return 1;
+}
+
+int dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
+{
+    const BIGNUM *priv = NULL, *pub = NULL;
+
+    if (dh == NULL)
+        return 0;
+
+    DH_get0_key(dh, &pub, &priv);
+    if (priv != NULL
+        && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PRIV_KEY, priv))
+        return 0;
+    if (pub != NULL
+        && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PUB_KEY, pub))
+        return 0;
+
+    return 1;
+}
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 94978a2cb2..6280472ade 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -243,6 +243,7 @@ long DH_get_length(const DH *dh)
 int DH_set_length(DH *dh, long length)
 {
     dh->length = length;
+    dh->dirty_cnt++;
     return 1;
 }
 
@@ -325,22 +326,3 @@ int dh_get0_nid(const DH *dh)
 {
     return dh->params.nid;
 }
-
-int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[])
-{
-    int ret;
-    FFC_PARAMS *ffc;
-
-    if (dh == NULL)
-        return 0;
-    ffc = dh_get0_params(dh);
-    if (ffc == NULL)
-        return 0;
-
-    ret = ossl_ffc_params_fromdata(ffc, params);
-    if (ret) {
-        dh_cache_named_group(dh);
-        dh->dirty_cnt++;
-    }
-    return ret;
-}
diff --git a/crypto/param_build_set.c b/crypto/param_build_set.c
index b74b0d59ee..1ea8097e88 100644
--- a/crypto/param_build_set.c
+++ b/crypto/param_build_set.c
@@ -30,6 +30,17 @@ int ossl_param_build_set_int(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
     return 1;
 }
 
+int ossl_param_build_set_long(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
+                              const char *key, long num)
+{
+    if (bld != NULL)
+        return OSSL_PARAM_BLD_push_long(bld, key, num);
+    p = OSSL_PARAM_locate(p, key);
+    if (p != NULL)
+        return OSSL_PARAM_set_long(p, num);
+    return 1;
+}
+
 int ossl_param_build_set_utf8_string(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
                                      const char *key, const char *buf)
 {
diff --git a/include/crypto/dh.h b/include/crypto/dh.h
index cd7e1e4a89..4dbd0c582c 100644
--- a/include/crypto/dh.h
+++ b/include/crypto/dh.h
@@ -8,6 +8,7 @@
  */
 
 #include <openssl/core.h>
+#include <openssl/params.h>
 #include <openssl/dh.h>
 #include "internal/ffc.h"
 
@@ -24,8 +25,10 @@ void dh_cache_named_group(DH *dh);
 
 FFC_PARAMS *dh_get0_params(DH *dh);
 int dh_get0_nid(const DH *dh);
-int dh_ffc_params_fromdata(DH *dh, const OSSL_PARAM params[]);
+int dh_params_fromdata(DH *dh, const OSSL_PARAM params[]);
 int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]);
+int dh_params_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]);
+int dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]);
 
 int dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret);
 int dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret);
diff --git a/include/internal/param_build_set.h b/include/internal/param_build_set.h
index 36d3b914d9..d1f1863381 100644
--- a/include/internal/param_build_set.h
+++ b/include/internal/param_build_set.h
@@ -12,6 +12,8 @@
 
 int ossl_param_build_set_int(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
                              const char *key, int num);
+int ossl_param_build_set_long(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
+                              const char *key, long num);
 int ossl_param_build_set_utf8_string(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
                                      const char *key, const char *buf);
 int ossl_param_build_set_octet_string(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 3cca031963..bfd70c3962 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -24,7 +24,6 @@
 #include "crypto/dh.h"
 #include "internal/sizes.h"
 #include "internal/nelem.h"
-#include "internal/param_build_set.h"
 
 static OSSL_FUNC_keymgmt_new_fn dh_newdata;
 static OSSL_FUNC_keymgmt_free_fn dh_freedata;
@@ -113,24 +112,6 @@ static int dh_gen_type_name2id(const char *name)
     return -1;
 }
 
-static int dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
-{
-    const BIGNUM *priv = NULL, *pub = NULL;
-
-    if (dh == NULL)
-        return 0;
-
-    DH_get0_key(dh, &pub, &priv);
-    if (priv != NULL
-        && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PRIV_KEY, priv))
-        return 0;
-    if (pub != NULL
-        && !ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_PUB_KEY, pub))
-        return 0;
-
-    return 1;
-}
-
 static void *dh_newdata(void *provctx)
 {
     DH *dh = NULL;
@@ -215,7 +196,7 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
         return 0;
 
     if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
-        ok = ok && dh_ffc_params_fromdata(dh, params);
+        ok = ok && dh_params_fromdata(dh, params);
 
     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
         ok = ok && dh_key_fromdata(dh, params);
@@ -239,7 +220,7 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
         return 0;
 
     if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
-        ok = ok && ossl_ffc_params_todata(dh_get0_params(dh), tmpl, NULL);
+        ok = ok && dh_params_todata(dh, tmpl, NULL);
     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
         ok = ok && dh_key_todata(dh, tmpl, NULL);
 
@@ -266,7 +247,8 @@ err:
     OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),                        \
     OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),                               \
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),                \
-    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0)
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),               \
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL, 0)
 # define DH_IMEXPORTABLE_PUBLIC_KEY                                            \
     OSSL_PARAM_BN(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
 # define DH_IMEXPORTABLE_PRIVATE_KEY                                           \
@@ -337,8 +319,8 @@ static ossl_inline int dh_get_params(void *key, OSSL_PARAM params[])
             return 0;
     }
 
-    return ossl_ffc_params_todata(dh_get0_params(dh), NULL, params)
-           && dh_key_todata(dh, NULL, params);
+    return dh_params_todata(dh, NULL, params)
+        && dh_key_todata(dh, NULL, params);
 }
 
 static const OSSL_PARAM dh_params[] = {
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c
index 33f3915222..6b56fc7997 100644
--- a/test/evp_pkey_provided_test.c
+++ b/test/evp_pkey_provided_test.c
@@ -457,6 +457,7 @@ static int test_fromdata_dh_named_group(void)
         0xcf, 0x33, 0x42, 0x83, 0x42
     };
     static const char group_name[] = "ffdhe2048";
+    static const long priv_len = 224;
 
     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
         || !TEST_ptr(pub = BN_bin2bn(pub_data, sizeof(pub_data), NULL))
@@ -464,6 +465,8 @@ static int test_fromdata_dh_named_group(void)
         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
                                                       OSSL_PKEY_PARAM_GROUP_NAME,
                                                       group_name, 0))
+        || !TEST_true(OSSL_PARAM_BLD_push_long(bld, OSSL_PKEY_PARAM_DH_PRIV_LEN,
+                                               priv_len))
         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub))
         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
         || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld)))
@@ -597,6 +600,7 @@ static int test_fromdata_dh_fips186_4(void)
        0x33, 0x42, 0x83, 0x42
     };
     static const char group_name[] = "ffdhe2048";
+    static const long priv_len = 224;
 
 
     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
@@ -605,6 +609,8 @@ static int test_fromdata_dh_fips186_4(void)
         || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
                                                       OSSL_PKEY_PARAM_GROUP_NAME,
                                                       group_name, 0))
+        || !TEST_true(OSSL_PARAM_BLD_push_long(bld, OSSL_PKEY_PARAM_DH_PRIV_LEN,
+                                               priv_len))
         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub))
         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
         || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld)))


More information about the openssl-commits mailing list