[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Wed May 12 23:53:13 UTC 2021
The branch master has been updated
via b98f752ec330cdc81d1f27a9506e6dcc8c00af5a (commit)
from 466cab4758289f91215eada905cf334d334830fa (commit)
- Log -----------------------------------------------------------------
commit b98f752ec330cdc81d1f27a9506e6dcc8c00af5a
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Mon May 10 10:27:42 2021 +1000
Export/import flags for FFC params changed to seperate fields.
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields.
Fixes 'no-cached-fetch' build which uses export/import.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
-----------------------------------------------------------------------
Summary of changes:
crypto/ffc/ffc_backend.c | 19 ++++++++++++---
crypto/ffc/ffc_params.c | 50 +++++++++++++---------------------------
crypto/ffc/ffc_params_generate.c | 6 ++---
doc/man7/EVP_PKEY-FFC.pod | 17 ++++++++++++++
include/internal/ffc.h | 7 ++----
include/openssl/core_names.h | 9 +++-----
providers/fips-sources.checksums | 6 ++---
providers/fips.checksum | 2 +-
test/evp_extra_test2.c | 19 +++------------
9 files changed, 64 insertions(+), 71 deletions(-)
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index 43825d9216..27ce15715a 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -80,12 +80,25 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
if (!ossl_ffc_params_set_seed(ffc, prm->data, prm->data_size))
goto err;
}
- prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE);
+ prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_PQ);
if (prm != NULL) {
- if (prm->data_type != OSSL_PARAM_UTF8_STRING)
+ if (!OSSL_PARAM_get_int(prm, &i))
+ goto err;
+ ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_PQ, i);
+ }
+ prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_G);
+ if (prm != NULL) {
+ if (!OSSL_PARAM_get_int(prm, &i))
goto err;
- ossl_ffc_params_set_flags(ffc, ossl_ffc_params_flags_from_name(prm->data));
+ ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_G, i);
}
+ prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY);
+ if (prm != NULL) {
+ if (!OSSL_PARAM_get_int(prm, &i))
+ goto err;
+ ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY, i);
+ }
+
prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_DIGEST);
if (prm != NULL) {
const OSSL_PARAM *p1;
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
index 9f52aa35ad..6e025a06be 100644
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -23,7 +23,7 @@ void ossl_ffc_params_init(FFC_PARAMS *params)
memset(params, 0, sizeof(*params));
params->pcounter = -1;
params->gindex = FFC_UNVERIFIABLE_GINDEX;
- params->flags = FFC_PARAM_FLAG_VALIDATE_ALL;
+ params->flags = FFC_PARAM_FLAG_VALIDATE_PQG;
}
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
@@ -207,39 +207,11 @@ int ossl_ffc_params_cmp(const FFC_PARAMS *a, const FFC_PARAMS *b, int ignore_q)
&& (ignore_q || BN_cmp(a->q, b->q) == 0); /* Note: q may be NULL */
}
-static const OSSL_ITEM flag_map[] = {
- { FFC_PARAM_FLAG_VALIDATE_PQ, OSSL_FFC_PARAM_VALIDATE_PQ },
- { FFC_PARAM_FLAG_VALIDATE_G, OSSL_FFC_PARAM_VALIDATE_G },
- { FFC_PARAM_FLAG_VALIDATE_ALL, OSSL_FFC_PARAM_VALIDATE_PQG },
- { 0, "" }
-};
-
-int ossl_ffc_params_flags_from_name(const char *name)
-{
- size_t i;
-
- for (i = 0; i < OSSL_NELEM(flag_map); ++i) {
- if (strcasecmp(flag_map[i].ptr, name) == 0)
- return flag_map[i].id;
- }
- return NID_undef;
-}
-
-const char *ossl_ffc_params_flags_to_name(int flags)
-{
- size_t i;
-
- flags &= FFC_PARAM_FLAG_VALIDATE_ALL;
- for (i = 0; i < OSSL_NELEM(flag_map); ++i) {
- if ((int)flag_map[i].id == flags)
- return flag_map[i].ptr;
- }
- return "";
-}
-
int ossl_ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
OSSL_PARAM params[])
{
+ int test_flags;
+
if (ffc == NULL)
return 0;
@@ -279,10 +251,20 @@ int ossl_ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
name))
return 0;
}
- if (!ossl_param_build_set_utf8_string(bld, params,
- OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE,
- ossl_ffc_params_flags_to_name(ffc->flags)))
+ test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_PQ) != 0);
+ if (!ossl_param_build_set_int(bld, params,
+ OSSL_PKEY_PARAM_FFC_VALIDATE_PQ, test_flags))
return 0;
+ test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_G) != 0);
+ if (!ossl_param_build_set_int(bld, params,
+ OSSL_PKEY_PARAM_FFC_VALIDATE_G, test_flags))
+ return 0;
+ test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) != 0);
+ if (!ossl_param_build_set_int(bld, params,
+ OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY,
+ test_flags))
+ return 0;
+
if (ffc->mdname != NULL
&& !ossl_param_build_set_utf8_string(bld, params,
OSSL_PKEY_PARAM_FFC_DIGEST,
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c
index ee13a07d10..26ab9120c6 100644
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@@ -479,7 +479,7 @@ static const char *default_mdname(size_t N)
* For validation one of:
* -FFC_PARAM_FLAG_VALIDATE_PQ
* -FFC_PARAM_FLAG_VALIDATE_G
- * -FFC_PARAM_FLAG_VALIDATE_ALL
+ * -FFC_PARAM_FLAG_VALIDATE_PQG
* For generation of p & q:
* - This is skipped if p & q are passed in.
* - If the seed is passed in then generation of p & q uses this seed (and if
@@ -720,7 +720,7 @@ int ossl_ffc_params_FIPS186_4_gen_verify(OSSL_LIB_CTX *libctx,
goto err;
/* If validating p & q only then skip the g validation test */
- if ((flags & FFC_PARAM_FLAG_VALIDATE_ALL) == FFC_PARAM_FLAG_VALIDATE_PQ)
+ if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ)
goto pass;
g_only:
if ((mont = BN_MONT_CTX_new()) == NULL)
@@ -972,7 +972,7 @@ int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx,
}
}
/* If validating p & q only then skip the g validation test */
- if ((flags & FFC_PARAM_FLAG_VALIDATE_ALL) == FFC_PARAM_FLAG_VALIDATE_PQ)
+ if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ)
goto pass;
g_only:
if ((mont = BN_MONT_CTX_new()) == NULL)
diff --git a/doc/man7/EVP_PKEY-FFC.pod b/doc/man7/EVP_PKEY-FFC.pod
index 9de066a865..3ab243f45a 100644
--- a/doc/man7/EVP_PKEY-FFC.pod
+++ b/doc/man7/EVP_PKEY-FFC.pod
@@ -100,6 +100,23 @@ satisfies g = h^j mod p (where g != 1 and "j" is the cofactor).
An optional informational cofactor parameter that should equal to (p - 1) / q.
+=item "validate-pq" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_PQ>) <unsigned integer>
+
+=item "validate-g" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_G>) <unsigned integer>
+
+These boolean values are used during FIPS186-4 or FIPS186-2 key validation checks
+(See L<EVP_PKEY_param_check(3)>) to select validation options. By default
+I<validate-pq> and I<validate-g> are both set to 1 to check that p,q and g are
+valid. Either of these may be set to 0 to skip a test, which is mainly useful
+for testing purposes.
+
+=item "validate-legacy" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY>) <unsigned integer>
+
+This boolean value is used during key validation checks
+(See L<EVP_PKEY_param_check(3)>) to select the validation type. The default
+value of 0 selects FIPS186-4 validation. Setting this value to 1 selects
+FIPS186-2 validation.
+
=back
=head2 FFC key generation parameters
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
index f0ab31400b..79cb06aba3 100644
--- a/include/internal/ffc.h
+++ b/include/internal/ffc.h
@@ -42,7 +42,7 @@
/* Validation flags */
# define FFC_PARAM_FLAG_VALIDATE_PQ 0x01
# define FFC_PARAM_FLAG_VALIDATE_G 0x02
-# define FFC_PARAM_FLAG_VALIDATE_ALL \
+# define FFC_PARAM_FLAG_VALIDATE_PQG \
(FFC_PARAM_FLAG_VALIDATE_PQ | FFC_PARAM_FLAG_VALIDATE_G)
#define FFC_PARAM_FLAG_VALIDATE_LEGACY 0x04
@@ -105,7 +105,7 @@ typedef struct ffc_params_st {
int gindex;
int h; /* loop counter for unverifiable g */
- unsigned int flags; /* See FFC_PARAM_FLAG_VALIDATE_ALL */
+ unsigned int flags;
/*
* The digest to use for generation or validation. If this value is NULL,
* then the digest is chosen using the value of N.
@@ -209,7 +209,4 @@ const BIGNUM *ossl_ffc_named_group_get_q(const DH_NAMED_GROUP *group);
int ossl_ffc_named_group_set_pqg(FFC_PARAMS *ffc, const DH_NAMED_GROUP *group);
#endif
-const char *ossl_ffc_params_flags_to_name(int flags);
-int ossl_ffc_params_flags_from_name(const char *name);
-
#endif /* OSSL_INTERNAL_FFC_H */
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 7ebde7c2a1..c01be930ab 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -294,12 +294,9 @@ extern "C" {
#define OSSL_PKEY_PARAM_FFC_SEED "seed"
#define OSSL_PKEY_PARAM_FFC_COFACTOR "j"
#define OSSL_PKEY_PARAM_FFC_H "hindex"
-#define OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE "valid-type"
-
-/* Diffie-Hellman/DSA Parameters parameter validation types */
-#define OSSL_FFC_PARAM_VALIDATE_PQ "validate-pq"
-#define OSSL_FFC_PARAM_VALIDATE_G "validate-g"
-#define OSSL_FFC_PARAM_VALIDATE_PQG "validate-pqg"
+#define OSSL_PKEY_PARAM_FFC_VALIDATE_PQ "validate-pq"
+#define OSSL_PKEY_PARAM_FFC_VALIDATE_G "validate-g"
+#define OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY "validate-legacy"
/* Diffie-Hellman params */
#define OSSL_PKEY_PARAM_DH_GENERATOR "safeprime-generator"
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index a127b70ef4..57c66af718 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -188,12 +188,12 @@ ff8a5ff024c228fe714e4cf758260cf9e9c992a9311acb5f96b0f2ed6af1a814 crypto/evp/pme
b360a72944bcb8f8ae8bd28d9b8a4a6aa4f39d1402295f84af243d14c3f1898c crypto/evp/pmeth_lib.c
52d8ea3b8b3ef52b58306b0fbd4557d682ba69a5384672ba7e1682c9a853f417 crypto/evp/signature.c
b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c
-ae496cbb92b8664bb729997a241d12cc515a3944d66fe87b0c6e24f1011e061f crypto/ffc/ffc_backend.c
+00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8 crypto/ffc/ffc_backend.c
ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d crypto/ffc/ffc_dh.c
8390c3015b5bb7f65a5cde533390788e7e61e381823c58c2e7caf8e50ca63a3b crypto/ffc/ffc_key_generate.c
084ae8e68a9df5785376bb961a998036336ed13092ffd1c4258b56e6a7e0478b crypto/ffc/ffc_key_validate.c
-a87945698684673832fbedb4d01e2f11df58f43f79605a9e6d7136bb15b02e52 crypto/ffc/ffc_params.c
-887357f0422954f2ecb855d468ad2456a76372dc401301ba284c0fd8c6b5092e crypto/ffc/ffc_params_generate.c
+67fdf1a07ea118963a55540be2ee21c98b7a5eb8149c8caa26e19d922bf60346 crypto/ffc/ffc_params.c
+4c614d354252e2cfdfa2fcb7d2abba0456fcdee3e5ffdcf4d7cec1d6c8c9d1d8 crypto/ffc/ffc_params_generate.c
73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c
c193773792bec29c791e84d150ffe5ef25f53cb02e23f0e12e9000234b4322e5 crypto/hmac/hmac.c
271083f71a1ce24988a0932f73c0221260591823afd495bf2ae8d11e8469b659 crypto/initthread.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index 65860fc8fc..83fe30d81c 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-685bc28466bcc7a645e423f4994d0f6d33d32368859ffdd9e42c2983934bffbb providers/fips-sources.checksums
+3ea8c9568047f0cf5ca79b8de0b7d4daa76044baa6bfe25a22a7bbfe13186f7c providers/fips-sources.checksums
diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index 2e5861c77f..d9d26711ba 100644
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -596,20 +596,6 @@ static int do_check_int(OSSL_PARAM params[], const char *key, int expected)
&& TEST_int_eq(val, expected);
}
-static int do_check_utf8_str(OSSL_PARAM params[], const char *key,
- const char *expected)
-{
- OSSL_PARAM *p;
- char *bufp = NULL;
- int ret;
-
- ret = TEST_ptr(p = OSSL_PARAM_locate(params, key))
- && TEST_true(OSSL_PARAM_get_utf8_string(p, &bufp, 0))
- && TEST_str_eq(bufp, expected);
- OPENSSL_free(bufp);
- return ret;
-}
-
static int test_dsa_todata(void)
{
EVP_PKEY *pkey = NULL;
@@ -648,8 +634,9 @@ static int test_dsa_todata(void)
|| !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_GINDEX, -1)
|| !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_PCOUNTER, -1)
|| !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_H, 0)
- || !do_check_utf8_str(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE,
- OSSL_FFC_PARAM_VALIDATE_PQG)
+ || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_PQ, 1)
+ || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_G, 1)
+ || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY, 0)
|| !TEST_ptr_null(OSSL_PARAM_locate(to_params, OSSL_PKEY_PARAM_FFC_SEED)))
goto err;
More information about the openssl-commits
mailing list