[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Sun May 30 23:27:26 UTC 2021


The branch master has been updated
       via  3bcc933ec4032a4b9eb0450adc07341678fe9e28 (commit)
      from  0a4e660a273d6d33cfc1608ed48d6e560ae970ed (commit)


- Log -----------------------------------------------------------------
commit 3bcc933ec4032a4b9eb0450adc07341678fe9e28
Author: Matt Caswell <matt at openssl.org>
Date:   Mon May 24 11:40:34 2021 +0100

    Teach EVP_PKEYs to say whether they were decoded from explicit params
    
    Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
    the EC_KEY directly whether it was decoded from explicit parameters or not.
    Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/15526)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/ctrl_params_translate.c           | 39 ++++++++++++++++++++++++++++
 crypto/x509/x509_vfy.c                       | 11 ++++----
 doc/man7/EVP_PKEY-EC.pod                     |  5 ++++
 include/openssl/core_names.h                 | 29 +++++++++++----------
 providers/implementations/keymgmt/ec_kmgmt.c | 12 +++++++++
 5 files changed, 77 insertions(+), 19 deletions(-)

diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index 216305b952..7e550f81a1 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1680,6 +1680,40 @@ static int get_dh_dsa_payload_g(enum state state,
     return get_payload_bn(state, translation, ctx, bn);
 }
 
+static int get_payload_int(enum state state,
+                           const struct translation_st *translation,
+                           struct translation_ctx_st *ctx,
+                           const int val)
+{
+    if (ctx->params->data_type != OSSL_PARAM_INTEGER)
+        return 0;
+    ctx->p1 = val;
+    ctx->p2 = NULL;
+
+    return default_fixup_args(state, translation, ctx);
+}
+
+static int get_ec_decoded_from_explicit_params(enum state state,
+                                               const struct translation_st *translation,
+                                               struct translation_ctx_st *ctx)
+{
+    int val = 0;
+    EVP_PKEY *pkey = ctx->p2;
+
+    switch (EVP_PKEY_base_id(pkey)) {
+#ifndef OPENSSL_NO_EC
+    case EVP_PKEY_EC:
+        val = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
+        break;
+#endif
+    default:
+        ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEY_TYPE);
+        return 0;
+    }
+
+    return get_payload_int(state, translation, ctx, val);
+}
+
 static int get_rsa_payload_n(enum state state,
                              const struct translation_st *translation,
                              struct translation_ctx_st *ctx)
@@ -2320,6 +2354,11 @@ static const struct translation_st evp_pkey_translations[] = {
     { GET, -1, -1, -1, 0, NULL, NULL,
       OSSL_PKEY_PARAM_RSA_COEFFICIENT9, OSSL_PARAM_UNSIGNED_INTEGER,
       get_rsa_payload_c9 },
+
+    /* EC */
+    { GET, -1, -1, -1, 0, NULL, NULL,
+      OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, OSSL_PARAM_INTEGER,
+      get_ec_decoded_from_explicit_params },
 };
 
 static const struct translation_st *
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ddb3378eee..edf3c51095 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -23,6 +23,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
+#include <openssl/core_names.h>
 #include "internal/dane.h"
 #include "crypto/x509.h"
 #include "x509_local.h"
@@ -3399,7 +3400,6 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
  */
 static int check_curve(X509 *cert)
 {
-#ifndef OPENSSL_NO_EC
     EVP_PKEY *pkey = X509_get0_pubkey(cert);
 
     /* Unsupported or malformed key */
@@ -3407,12 +3407,13 @@ static int check_curve(X509 *cert)
         return -1;
 
     if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-        int ret;
+        int ret, val;
 
-        ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
-        return ret < 0 ? ret : !ret;
+        ret = EVP_PKEY_get_int_param(pkey,
+                                     OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
+                                     &val);
+        return ret < 0 ? ret : !val;
     }
-#endif
 
     return 1;
 }
diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod
index 6dfc1f16ae..82892492e3 100644
--- a/doc/man7/EVP_PKEY-EC.pod
+++ b/doc/man7/EVP_PKEY-EC.pod
@@ -68,6 +68,11 @@ I<order> - 1.
 I<cofactor> is an optional value.
 I<order> multiplied by the I<cofactor> gives the number of points on the curve.
 
+=item  "decoded-from-explicit" (B<OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS>) <integer>
+
+Gets a flag indicating wether the key or parameters were decoded from explicit
+curve parameters. Set to 1 if so or 0 if a named curve was used. 
+
 =item "use-cofactor-flag" (B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH>) <integer>
 
 Enable Cofactor DH (ECC CDH) if this value is 1, otherwise it uses normal EC DH
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 003c5c6bb0..e4601a51ab 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -309,20 +309,21 @@ extern "C" {
 #define OSSL_PKEY_PARAM_EC_PUB_Y     "qy"
 
 /* Elliptic Curve Explicit Domain Parameters */
-#define OSSL_PKEY_PARAM_EC_FIELD_TYPE     "field-type"
-#define OSSL_PKEY_PARAM_EC_P              "p"
-#define OSSL_PKEY_PARAM_EC_A              "a"
-#define OSSL_PKEY_PARAM_EC_B              "b"
-#define OSSL_PKEY_PARAM_EC_GENERATOR      "generator"
-#define OSSL_PKEY_PARAM_EC_ORDER          "order"
-#define OSSL_PKEY_PARAM_EC_COFACTOR       "cofactor"
-#define OSSL_PKEY_PARAM_EC_SEED           "seed"
-#define OSSL_PKEY_PARAM_EC_CHAR2_M        "m"
-#define OSSL_PKEY_PARAM_EC_CHAR2_TYPE     "basis-type"
-#define OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS "tp"
-#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K1    "k1"
-#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K2    "k2"
-#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K3    "k3"
+#define OSSL_PKEY_PARAM_EC_FIELD_TYPE                   "field-type"
+#define OSSL_PKEY_PARAM_EC_P                            "p"
+#define OSSL_PKEY_PARAM_EC_A                            "a"
+#define OSSL_PKEY_PARAM_EC_B                            "b"
+#define OSSL_PKEY_PARAM_EC_GENERATOR                    "generator"
+#define OSSL_PKEY_PARAM_EC_ORDER                        "order"
+#define OSSL_PKEY_PARAM_EC_COFACTOR                     "cofactor"
+#define OSSL_PKEY_PARAM_EC_SEED                         "seed"
+#define OSSL_PKEY_PARAM_EC_CHAR2_M                      "m"
+#define OSSL_PKEY_PARAM_EC_CHAR2_TYPE                   "basis-type"
+#define OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS               "tp"
+#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K1                  "k1"
+#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K2                  "k2"
+#define OSSL_PKEY_PARAM_EC_CHAR2_PP_K3                  "k3"
+#define OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS "decoded-from-explicit"
 
 /* Elliptic Curve Key Parameters */
 #define OSSL_PKEY_PARAM_USE_COFACTOR_FLAG "use-cofactor-flag"
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index e901275ce2..6cd9aa3d38 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -679,6 +679,16 @@ int common_get_params(void *key, OSSL_PARAM params[], int sm2)
             goto err;
     }
 
+    if ((p = OSSL_PARAM_locate(params,
+                               OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS))
+            != NULL) {
+        int explicitparams = EC_KEY_decoded_from_explicit_params(eck);
+
+        if (explicitparams < 0
+             || !OSSL_PARAM_set_int(p, explicitparams))
+            goto err;
+    }
+
     if (!sm2) {
         if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL
                 && !OSSL_PARAM_set_utf8_string(p, EC_DEFAULT_MD))
@@ -749,6 +759,7 @@ static const OSSL_PARAM ec_known_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0),
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, NULL),
     EC_IMEXPORTABLE_DOM_PARAMETERS,
     EC2M_GETTABLE_DOM_PARAMS
     EC_IMEXPORTABLE_PUBLIC_KEY,
@@ -828,6 +839,7 @@ static const OSSL_PARAM sm2_known_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0),
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, NULL),
     EC_IMEXPORTABLE_DOM_PARAMETERS,
     EC_IMEXPORTABLE_PUBLIC_KEY,
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_PUB_X, NULL, 0),


More information about the openssl-commits mailing list