[openssl] master update
Matt Caswell
matt at openssl.org
Mon Mar 15 16:04:12 UTC 2021
The branch master has been updated
via 92a36b3705beca7bd06eed0e5c678375df79f9ca (commit)
via 2cf8bb46fc3e0e2aaead764d333c6e216f028ef3 (commit)
via 2db5834c43dcc2a04ccf4cf98f412d4d3474731e (commit)
from d8a809db4beae9c42954689d3ccff6aa18aae8c3 (commit)
- Log -----------------------------------------------------------------
commit 92a36b3705beca7bd06eed0e5c678375df79f9ca
Author: Matt Caswell <matt at openssl.org>
Date: Tue Mar 9 17:28:44 2021 +0000
Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
These functions now work for more key types than they did in 1.1.1
Fixes #14477
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
commit 2cf8bb46fc3e0e2aaead764d333c6e216f028ef3
Author: Matt Caswell <matt at openssl.org>
Date: Tue Mar 9 17:07:48 2021 +0000
Ensure that ECX keys pass EVP_PKEY_param_check()
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.
Fixes #14482
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
commit 2db5834c43dcc2a04ccf4cf98f412d4d3474731e
Author: Matt Caswell <matt at openssl.org>
Date: Tue Mar 9 14:40:54 2021 +0000
Add a CHANGES entry for the cosmetic differences in textual output
Numerous functions have had their textual output amended. We add
a CHANGES entry for this.
Fixes #14476
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 13 +++++++++++++
doc/man3/EVP_PKEY_check.pod | 3 ++-
providers/implementations/keymgmt/ecx_kmgmt.c | 10 +++++++---
providers/implementations/keymgmt/rsa_kmgmt.c | 13 ++++++++++++-
test/evp_extra_test.c | 28 ++++++++++++++++++++++++---
5 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 43079a3e50..e51e61a96b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,19 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
+ more key types including RSA, DSA, ED25519, X25519, ED448 and X448.
+ Previously (in 1.1.1) they would return -2. For key types that do not have
+ parameters then EVP_PKEY_param_check() will always return 1.
+
+ * The output from numerous "printing" functions such as X509_signature_print(),
+ X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been
+ amended such that there may be cosmetic differences between the output
+ observed in 1.1.1 and 3.0. This also applies to the "-text" output from the
+ x509 and crl applications.
+
+ *David von Oheimb*
+
* Windows thread synchronization uses read/write primitives (SRWLock) when
supported by the OS, otherwise CriticalSection continues to be used.
diff --git a/doc/man3/EVP_PKEY_check.pod b/doc/man3/EVP_PKEY_check.pod
index 4f91f8f9a2..dc03671498 100644
--- a/doc/man3/EVP_PKEY_check.pod
+++ b/doc/man3/EVP_PKEY_check.pod
@@ -22,7 +22,8 @@ EVP_PKEY_pairwise_check
=head1 DESCRIPTION
EVP_PKEY_param_check() validates the parameters component of the key
-given by B<ctx>.
+given by B<ctx>. This check will always succeed for key types that do not have
+parameters.
EVP_PKEY_param_check_quick() validates the parameters component of the key
given by B<ctx> like EVP_PKEY_param_check() does. However some algorithm
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c
index 8e47dfb03e..9b23c2f0ec 100644
--- a/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -71,8 +71,6 @@ static OSSL_FUNC_keymgmt_import_types_fn ecx_imexport_types;
static OSSL_FUNC_keymgmt_export_fn ecx_export;
static OSSL_FUNC_keymgmt_export_types_fn ecx_imexport_types;
-#define ECX_POSSIBLE_SELECTIONS (OSSL_KEYMGMT_SELECT_KEYPAIR)
-
struct ecx_gen_ctx {
OSSL_LIB_CTX *libctx;
char *propq;
@@ -727,7 +725,13 @@ static int ecx_validate(const void *keydata, int selection, int type, size_t key
assert(keylen == ecx->keylen);
- if ((selection & ECX_POSSIBLE_SELECTIONS) != 0)
+ /*
+ * ECX keys have no parameters. But if EVP_PKEY_param_check() is called then
+ * we should return true.
+ */
+ if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR
+ | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS
+ | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS)) != 0)
ok = 1;
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 095c713aac..425b6c80f2 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -367,7 +367,18 @@ static int rsa_validate(const void *keydata, int selection, int checktype)
if (!ossl_prov_is_running())
return 0;
- if ((selection & RSA_POSSIBLE_SELECTIONS) != 0)
+ /*
+ * Although an RSA key has no domain parameters, validating them should
+ * return true.
+ *
+ * RSA_POSSIBLE_SELECTIONS already includes
+ * OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS. We explicitly add
+ * OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS here as well for completeness. In
+ * practice this makes little difference since EVP_PKEY_param_check() always
+ * checks the combination of "other" and "domain" parameters anyway.
+ */
+ if ((selection & (RSA_POSSIBLE_SELECTIONS
+ | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) != 0)
ok = 1;
/* If the whole key is selected, we do a pairwise validation */
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index acba9819e6..9317917303 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -380,6 +380,21 @@ static const unsigned char kExampleBadECPubKeyDER[] = {
static const unsigned char pExampleECParamDER[] = {
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
};
+
+static const unsigned char kExampleED25519KeyDER[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
+ 0x04, 0x22, 0x04, 0x20, 0xba, 0x7b, 0xba, 0x20, 0x1b, 0x02, 0x75, 0x3a,
+ 0xe8, 0x88, 0xfe, 0x00, 0xcd, 0x8b, 0xc6, 0xf4, 0x5c, 0x47, 0x09, 0x46,
+ 0x66, 0xe4, 0x72, 0x85, 0x25, 0x26, 0x5e, 0x12, 0x33, 0x48, 0xf6, 0x50
+};
+
+static const unsigned char kExampleED25519PubKeyDER[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,
+ 0xf5, 0xc5, 0xeb, 0x52, 0x3e, 0x7d, 0x07, 0x86, 0xb2, 0x55, 0x07, 0x45,
+ 0xef, 0x5b, 0x7c, 0x20, 0xe8, 0x66, 0x28, 0x30, 0x3c, 0x8a, 0x82, 0x40,
+ 0x97, 0xa3, 0x08, 0xdc, 0x65, 0x80, 0x39, 0x29
+};
+
#endif
typedef struct APK_DATA_st {
@@ -402,14 +417,21 @@ static APK_DATA keydata[] = {
};
static APK_DATA keycheckdata[] = {
- {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1, 0},
+ {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1,
+ 0},
{kExampleBadRSAKeyDER, sizeof(kExampleBadRSAKeyDER), "RSA", EVP_PKEY_RSA,
0, 1, 1, 0},
#ifndef OPENSSL_NO_EC
{kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC, 1, 1, 1, 0},
/* group is also associated in our pub key */
- {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1, 1, 1},
- {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1, 2}
+ {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1,
+ 1, 1},
+ {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1,
+ 2},
+ {kExampleED25519KeyDER, sizeof(kExampleED25519KeyDER), "ED25519",
+ EVP_PKEY_ED25519, 1, 1, 1, 0},
+ {kExampleED25519PubKeyDER, sizeof(kExampleED25519PubKeyDER), "ED25519",
+ EVP_PKEY_ED25519, 0, 1, 1, 1},
#endif
};
More information about the openssl-commits
mailing list