Export/import flags for FFC params changed to seperate fields.

An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was not handled by the export/import since the flags were done as string combinations. To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields. Fixes 'no-cached-fetch' build which uses export/import. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15210)
author: Shane Lontis <shane.lontis@oracle.com> 2021-05-10 10:27:42 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2021-05-13 09:49:18 +1000
commit: b98f752ec330cdc81d1f27a9506e6dcc8c00af5a (patch)
tree: 5cb469c545da743d0751cddf4bfce15e41e483bd
parent: 466cab4758289f91215eada905cf334d334830fa (diff)
9 files changed, 64 insertions, 71 deletions
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index 43825d9216..27ce15715a 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -80,12 +80,25 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
         if (!ossl_ffc_params_set_seed(ffc, prm->data, prm->data_size))
             goto err;
     }
-    prm  = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE);
+    prm  = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_PQ);
     if (prm != NULL) {
-        if (prm->data_type != OSSL_PARAM_UTF8_STRING)
+        if (!OSSL_PARAM_get_int(prm, &i))
+            goto err;
+        ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_PQ, i);
+    }
+    prm  = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_G);
+    if (prm != NULL) {
+        if (!OSSL_PARAM_get_int(prm, &i))
             goto err;
-        ossl_ffc_params_set_flags(ffc, ossl_ffc_params_flags_from_name(prm->data));
+        ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_G, i);
     }
+    prm  = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY);
+    if (prm != NULL) {
+        if (!OSSL_PARAM_get_int(prm, &i))
+            goto err;
+        ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY, i);
+    }
+
     prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_DIGEST);
     if (prm != NULL) {
         const OSSL_PARAM *p1;
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
index 9f52aa35ad..6e025a06be 100644
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -23,7 +23,7 @@ void ossl_ffc_params_init(FFC_PARAMS *params)
     memset(params, 0, sizeof(*params));
     params->pcounter = -1;
     params->gindex = FFC_UNVERIFIABLE_GINDEX;
-    params->flags = FFC_PARAM_FLAG_VALIDATE_ALL;
+    params->flags = FFC_PARAM_FLAG_VALIDATE_PQG;
 }
 
 void ossl_ffc_params_cleanup(FFC_PARAMS *params)
@@ -207,39 +207,11 @@ int ossl_ffc_params_cmp(const FFC_PARAMS *a, const FFC_PARAMS *b, int ignore_q)
            && (ignore_q || BN_cmp(a->q, b->q) == 0); /* Note: q may be NULL */
 }
 
-static const OSSL_ITEM flag_map[] = {
-    { FFC_PARAM_FLAG_VALIDATE_PQ, OSSL_FFC_PARAM_VALIDATE_PQ },
-    { FFC_PARAM_FLAG_VALIDATE_G, OSSL_FFC_PARAM_VALIDATE_G },
-    { FFC_PARAM_FLAG_VALIDATE_ALL, OSSL_FFC_PARAM_VALIDATE_PQG },
-    { 0, "" }
-};
-
-int ossl_ffc_params_flags_from_name(const char *name)
-{
-    size_t i;
-
-    for (i = 0; i < OSSL_NELEM(flag_map); ++i) {
-        if (strcasecmp(flag_map[i].ptr, name) == 0)
-            return flag_map[i].id;
-    }
-    return NID_undef;
-}
-
-const char *ossl_ffc_params_flags_to_name(int flags)
-{
-    size_t i;
-
-    flags &= FFC_PARAM_FLAG_VALIDATE_ALL;
-    for (i = 0; i < OSSL_NELEM(flag_map); ++i) {
-        if ((int)flag_map[i].id == flags)
-            return flag_map[i].ptr;
-    }
-    return "";
-}
-
 int ossl_ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
                       OSSL_PARAM params[])
 {
+    int test_flags;
+
     if (ffc == NULL)
         return 0;
 
@@ -279,10 +251,20 @@ int ossl_ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
                                                  name))
             return 0;
     }
-    if (!ossl_param_build_set_utf8_string(bld, params,
-                                          OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE,
-                                          ossl_ffc_params_flags_to_name(ffc->flags)))
+    test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_PQ) != 0);
+    if (!ossl_param_build_set_int(bld, params,
+                                  OSSL_PKEY_PARAM_FFC_VALIDATE_PQ, test_flags))
         return 0;
+    test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_G) != 0);
+    if (!ossl_param_build_set_int(bld, params,
+                                  OSSL_PKEY_PARAM_FFC_VALIDATE_G, test_flags))
+        return 0;
+    test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) != 0);
+    if (!ossl_param_build_set_int(bld, params,
+                                  OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY,
+                                  test_flags))
+        return 0;
+
     if (ffc->mdname != NULL
         && !ossl_param_build_set_utf8_string(bld, params,
                                              OSSL_PKEY_PARAM_FFC_DIGEST,
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c
index ee13a07d10..26ab9120c6 100644
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@@ -479,7 +479,7 @@ static const char *default_mdname(size_t N)
  *  For validation one of:
  *   -FFC_PARAM_FLAG_VALIDATE_PQ
  *   -FFC_PARAM_FLAG_VALIDATE_G
- *   -FFC_PARAM_FLAG_VALIDATE_ALL
+ *   -FFC_PARAM_FLAG_VALIDATE_PQG
  *  For generation of p & q:
  *   - This is skipped if p & q are passed in.
  *   - If the seed is passed in then generation of p & q uses this seed (and if
@@ -720,7 +720,7 @@ int ossl_ffc_params_FIPS186_4_gen_verify(OSSL_LIB_CTX *libctx,
         goto err;
 
     /* If validating p & q only then skip the g validation test */
-    if ((flags & FFC_PARAM_FLAG_VALIDATE_ALL) == FFC_PARAM_FLAG_VALIDATE_PQ)
+    if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ)
         goto pass;
 g_only:
     if ((mont = BN_MONT_CTX_new()) == NULL)
@@ -972,7 +972,7 @@ int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx,
         }
     }
     /* If validating p & q only then skip the g validation test */
-    if ((flags & FFC_PARAM_FLAG_VALIDATE_ALL) == FFC_PARAM_FLAG_VALIDATE_PQ)
+    if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ)
         goto pass;
 g_only:
     if ((mont = BN_MONT_CTX_new()) == NULL)
diff --git a/doc/man7/EVP_PKEY-FFC.pod b/doc/man7/EVP_PKEY-FFC.pod
index 9de066a865..3ab243f45a 100644
--- a/doc/man7/EVP_PKEY-FFC.pod
+++ b/doc/man7/EVP_PKEY-FFC.pod
@@ -100,6 +100,23 @@ satisfies g = h^j mod p (where g != 1 and "j" is the cofactor).
 
 An optional informational cofactor parameter that should equal to (p - 1) / q.
 
+=item "validate-pq" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_PQ>) <unsigned integer>
+
+=item "validate-g" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_G>) <unsigned integer>
+
+These boolean values are used during FIPS186-4 or FIPS186-2 key validation checks
+(See L<EVP_PKEY_param_check(3)>) to select validation options. By default
+I<validate-pq> and I<validate-g> are both set to 1 to check that p,q and g are
+valid. Either of these may be set to 0 to skip a test, which is mainly useful
+for testing purposes.
+
+=item "validate-legacy" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY>) <unsigned integer>
+
+This boolean value is used during key validation checks
+(See L<EVP_PKEY_param_check(3)>) to select the validation type. The default
+value of 0 selects FIPS186-4 validation. Setting this value to 1 selects
+FIPS186-2 validation.
+
 =back
 
 =head2 FFC key generation parameters
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
index f0ab31400b..79cb06aba3 100644
--- a/include/internal/ffc.h
+++ b/include/internal/ffc.h
@@ -42,7 +42,7 @@
 /* Validation flags */
 # define FFC_PARAM_FLAG_VALIDATE_PQ    0x01
 # define FFC_PARAM_FLAG_VALIDATE_G     0x02
-# define FFC_PARAM_FLAG_VALIDATE_ALL                                           \
+# define FFC_PARAM_FLAG_VALIDATE_PQG                                           \
     (FFC_PARAM_FLAG_VALIDATE_PQ | FFC_PARAM_FLAG_VALIDATE_G)
 #define FFC_PARAM_FLAG_VALIDATE_LEGACY 0x04
 
@@ -105,7 +105,7 @@ typedef struct ffc_params_st {
     int gindex;
     int h; /* loop counter for unverifiable g */
 
-    unsigned int flags; /* See FFC_PARAM_FLAG_VALIDATE_ALL */
+    unsigned int flags;
     /*
      * The digest to use for generation or validation. If this value is NULL,
      * then the digest is chosen using the value of N.
@@ -209,7 +209,4 @@ const BIGNUM *ossl_ffc_named_group_get_q(const DH_NAMED_GROUP *group);
 int ossl_ffc_named_group_set_pqg(FFC_PARAMS *ffc, const DH_NAMED_GROUP *group);
 #endif
 
-const char *ossl_ffc_params_flags_to_name(int flags);
-int ossl_ffc_params_flags_from_name(const char *name);
-
 #endif /* OSSL_INTERNAL_FFC_H */
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 7ebde7c2a1..c01be930ab 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -294,12 +294,9 @@ extern "C" {
 #define OSSL_PKEY_PARAM_FFC_SEED            "seed"
 #define OSSL_PKEY_PARAM_FFC_COFACTOR        "j"
 #define OSSL_PKEY_PARAM_FFC_H               "hindex"
-#define OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE   "valid-type"
-
-/* Diffie-Hellman/DSA Parameters parameter validation types */
-#define OSSL_FFC_PARAM_VALIDATE_PQ          "validate-pq"
-#define OSSL_FFC_PARAM_VALIDATE_G           "validate-g"
-#define OSSL_FFC_PARAM_VALIDATE_PQG         "validate-pqg"
+#define OSSL_PKEY_PARAM_FFC_VALIDATE_PQ     "validate-pq"
+#define OSSL_PKEY_PARAM_FFC_VALIDATE_G      "validate-g"
+#define OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY "validate-legacy"
 
 /* Diffie-Hellman params */
 #define OSSL_PKEY_PARAM_DH_GENERATOR        "safeprime-generator"
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index a127b70ef4..57c66af718 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -188,12 +188,12 @@ ff8a5ff024c228fe714e4cf758260cf9e9c992a9311acb5f96b0f2ed6af1a814  crypto/evp/pme
 b360a72944bcb8f8ae8bd28d9b8a4a6aa4f39d1402295f84af243d14c3f1898c  crypto/evp/pmeth_lib.c
 52d8ea3b8b3ef52b58306b0fbd4557d682ba69a5384672ba7e1682c9a853f417  crypto/evp/signature.c
 b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac  crypto/ex_data.c
-ae496cbb92b8664bb729997a241d12cc515a3944d66fe87b0c6e24f1011e061f  crypto/ffc/ffc_backend.c
+00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8  crypto/ffc/ffc_backend.c
 ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d  crypto/ffc/ffc_dh.c
 8390c3015b5bb7f65a5cde533390788e7e61e381823c58c2e7caf8e50ca63a3b  crypto/ffc/ffc_key_generate.c
 084ae8e68a9df5785376bb961a998036336ed13092ffd1c4258b56e6a7e0478b  crypto/ffc/ffc_key_validate.c
-a87945698684673832fbedb4d01e2f11df58f43f79605a9e6d7136bb15b02e52  crypto/ffc/ffc_params.c
-887357f0422954f2ecb855d468ad2456a76372dc401301ba284c0fd8c6b5092e  crypto/ffc/ffc_params_generate.c
+67fdf1a07ea118963a55540be2ee21c98b7a5eb8149c8caa26e19d922bf60346  crypto/ffc/ffc_params.c
+4c614d354252e2cfdfa2fcb7d2abba0456fcdee3e5ffdcf4d7cec1d6c8c9d1d8  crypto/ffc/ffc_params_generate.c
 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159  crypto/ffc/ffc_params_validate.c
 c193773792bec29c791e84d150ffe5ef25f53cb02e23f0e12e9000234b4322e5  crypto/hmac/hmac.c
 271083f71a1ce24988a0932f73c0221260591823afd495bf2ae8d11e8469b659  crypto/initthread.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index 65860fc8fc..83fe30d81c 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-685bc28466bcc7a645e423f4994d0f6d33d32368859ffdd9e42c2983934bffbb  providers/fips-sources.checksums
+3ea8c9568047f0cf5ca79b8de0b7d4daa76044baa6bfe25a22a7bbfe13186f7c  providers/fips-sources.checksums
diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index 2e5861c77f..d9d26711ba 100644
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -596,20 +596,6 @@ static int do_check_int(OSSL_PARAM params[], const char *key, int expected)
            && TEST_int_eq(val, expected);
 }
 
-static int do_check_utf8_str(OSSL_PARAM params[], const char *key,
-                             const char *expected)
-{
-    OSSL_PARAM *p;
-    char *bufp = NULL;
-    int ret;
-
-    ret = TEST_ptr(p = OSSL_PARAM_locate(params, key))
-          && TEST_true(OSSL_PARAM_get_utf8_string(p, &bufp, 0))
-          && TEST_str_eq(bufp, expected);
-    OPENSSL_free(bufp);
-    return ret;
-}
-
 static int test_dsa_todata(void)
 {
     EVP_PKEY *pkey = NULL;
@@ -648,8 +634,9 @@ static int test_dsa_todata(void)
         || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_GINDEX, -1)
         || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_PCOUNTER, -1)
         || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_H, 0)
-        || !do_check_utf8_str(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE,
-                              OSSL_FFC_PARAM_VALIDATE_PQG)
+        || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_PQ, 1)
+        || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_G, 1)
+        || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY, 0)
         || !TEST_ptr_null(OSSL_PARAM_locate(to_params, OSSL_PKEY_PARAM_FFC_SEED)))
         goto err;
author	Shane Lontis <shane.lontis@oracle.com>	2021-05-10 10:27:42 +1000
committer	Shane Lontis <shane.lontis@oracle.com>	2021-05-13 09:49:18 +1000
commit	b98f752ec330cdc81d1f27a9506e6dcc8c00af5a (patch)
tree	5cb469c545da743d0751cddf4bfce15e41e483bd
parent	466cab4758289f91215eada905cf334d334830fa (diff)