[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Sun May 30 23:27:26 UTC 2021
The branch master has been updated
via 3bcc933ec4032a4b9eb0450adc07341678fe9e28 (commit)
from 0a4e660a273d6d33cfc1608ed48d6e560ae970ed (commit)
- Log -----------------------------------------------------------------
commit 3bcc933ec4032a4b9eb0450adc07341678fe9e28
Author: Matt Caswell <matt at openssl.org>
Date: Mon May 24 11:40:34 2021 +0100
Teach EVP_PKEYs to say whether they were decoded from explicit params
Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
the EC_KEY directly whether it was decoded from explicit parameters or not.
Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15526)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/ctrl_params_translate.c | 39 ++++++++++++++++++++++++++++
crypto/x509/x509_vfy.c | 11 ++++----
doc/man7/EVP_PKEY-EC.pod | 5 ++++
include/openssl/core_names.h | 29 +++++++++++----------
providers/implementations/keymgmt/ec_kmgmt.c | 12 +++++++++
5 files changed, 77 insertions(+), 19 deletions(-)
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index 216305b952..7e550f81a1 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1680,6 +1680,40 @@ static int get_dh_dsa_payload_g(enum state state,
return get_payload_bn(state, translation, ctx, bn);
}
+static int get_payload_int(enum state state,
+ const struct translation_st *translation,
+ struct translation_ctx_st *ctx,
+ const int val)
+{
+ if (ctx->params->data_type != OSSL_PARAM_INTEGER)
+ return 0;
+ ctx->p1 = val;
+ ctx->p2 = NULL;
+
+ return default_fixup_args(state, translation, ctx);
+}
+
+static int get_ec_decoded_from_explicit_params(enum state state,
+ const struct translation_st *translation,
+ struct translation_ctx_st *ctx)
+{
+ int val = 0;
+ EVP_PKEY *pkey = ctx->p2;
+
+ switch (EVP_PKEY_base_id(pkey)) {
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ val = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
+ break;
+#endif
+ default:
+ ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE);
+ return 0;
+ }
+
+ return get_payload_int(state, translation, ctx, val);
+}
+
static int get_rsa_payload_n(enum state state,
const struct translation_st *translation,
struct translation_ctx_st *ctx)
@@ -2320,6 +2354,11 @@ static const struct translation_st evp_pkey_translations[] = {
{ GET, -1, -1, -1, 0, NULL, NULL,
OSSL_PKEY_PARAM_RSA_COEFFICIENT9, OSSL_PARAM_UNSIGNED_INTEGER,
get_rsa_payload_c9 },
+
+ /* EC */
+ { GET, -1, -1, -1, 0, NULL, NULL,
+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, OSSL_PARAM_INTEGER,
+ get_ec_decoded_from_explicit_params },
};
static const struct translation_st *
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ddb3378eee..edf3c51095 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -23,6 +23,7 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
+#include <openssl/core_names.h>
#include "internal/dane.h"
#include "crypto/x509.h"
#include "x509_local.h"
@@ -3399,7 +3400,6 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
*/
static int check_curve(X509 *cert)
{
-#ifndef OPENSSL_NO_EC
EVP_PKEY *pkey = X509_get0_pubkey(cert);
/* Unsupported or malformed key */
@@ -3407,12 +3407,13 @@ static int check_curve(X509 *cert)
return -1;
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
- int ret;
+ int ret, val;
- ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
- return ret < 0 ? ret : !ret;
+ ret = EVP_PKEY_get_int_param(pkey,
+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
+ &val);
+ return ret < 0 ? ret : !val;
}
-#endif
return 1;
}
diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod
index 6dfc1f16ae..82892492e3 100644
--- a/doc/man7/EVP_PKEY-EC.pod
+++ b/doc/man7/EVP_PKEY-EC.pod
@@ -68,6 +68,11 @@ I<order> - 1.
I<cofactor> is an optional value.
I<order> multiplied by the I<cofactor> gives the number of points on the curve.
+=item "decoded-from-explicit" (B<OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS>) <integer>
+
+Gets a flag indicating wether the key or parameters were decoded from explicit
+curve parameters. Set to 1 if so or 0 if a named curve was used.
+
=item "use-cofactor-flag" (B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH>) <integer>
Enable Cofactor DH (ECC CDH) if this value is 1, otherwise it uses normal EC DH
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 003c5c6bb0..e4601a51ab 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -309,20 +309,21 @@ extern "C" {
#define OSSL_PKEY_PARAM_EC_PUB_Y "qy"
/* Elliptic Curve Explicit Domain Parameters */
-#define OSSL_PKEY_PARAM_EC_FIELD_TYPE "field-type"
-#define OSSL_PKEY_PARAM_EC_P "p"
-#define OSSL_PKEY_PARAM_EC_A "a"
-#define OSSL_PKEY_PARAM_EC_B "b"
-#define OSSL_PKEY_PARAM_EC_GENERATOR "generator"
-#define OSSL_PKEY_PARAM_EC_ORDER "order"
-#define OSSL_PKEY_PARAM_EC_COFACTOR "cofactor"
-#define OSSL_PKEY_PARAM_EC_SEED "seed"
-#define OSSL_PKEY_PARAM_EC_CHAR2_M "m"
-#define OSSL_PKEY_PARAM_EC_CHAR2_TYPE "basis-type"
-#define OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS "tp"
-#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K1 "k1"
-#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K2 "k2"
-#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K3 "k3"
+#define OSSL_PKEY_PARAM_EC_FIELD_TYPE "field-type"
+#define OSSL_PKEY_PARAM_EC_P "p"
+#define OSSL_PKEY_PARAM_EC_A "a"
+#define OSSL_PKEY_PARAM_EC_B "b"
+#define OSSL_PKEY_PARAM_EC_GENERATOR "generator"
+#define OSSL_PKEY_PARAM_EC_ORDER "order"
+#define OSSL_PKEY_PARAM_EC_COFACTOR "cofactor"
+#define OSSL_PKEY_PARAM_EC_SEED "seed"
+#define OSSL_PKEY_PARAM_EC_CHAR2_M "m"
+#define OSSL_PKEY_PARAM_EC_CHAR2_TYPE "basis-type"
+#define OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS "tp"
+#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K1 "k1"
+#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K2 "k2"
+#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K3 "k3"
+#define OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS "decoded-from-explicit"
/* Elliptic Curve Key Parameters */
#define OSSL_PKEY_PARAM_USE_COFACTOR_FLAG "use-cofactor-flag"
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index e901275ce2..6cd9aa3d38 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -679,6 +679,16 @@ int common_get_params(void *key, OSSL_PARAM params[], int sm2)
goto err;
}
+ if ((p = OSSL_PARAM_locate(params,
+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS))
+ != NULL) {
+ int explicitparams = EC_KEY_decoded_from_explicit_params(eck);
+
+ if (explicitparams < 0
+ || !OSSL_PARAM_set_int(p, explicitparams))
+ goto err;
+ }
+
if (!sm2) {
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL
&& !OSSL_PARAM_set_utf8_string(p, EC_DEFAULT_MD))
@@ -749,6 +759,7 @@ static const OSSL_PARAM ec_known_gettable_params[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0),
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, NULL),
EC_IMEXPORTABLE_DOM_PARAMETERS,
EC2M_GETTABLE_DOM_PARAMS
EC_IMEXPORTABLE_PUBLIC_KEY,
@@ -828,6 +839,7 @@ static const OSSL_PARAM sm2_known_gettable_params[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0),
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, NULL),
EC_IMEXPORTABLE_DOM_PARAMETERS,
EC_IMEXPORTABLE_PUBLIC_KEY,
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_PUB_X, NULL, 0),
More information about the openssl-commits
mailing list