author | Shane Lontis <shane.lontis@oracle.com> | 2021-05-10 10:27:42 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2021-05-13 09:49:18 +1000 |
commit | b98f752ec330cdc81d1f27a9506e6dcc8c00af5a (patch) | |
tree | 5cb469c545da743d0751cddf4bfce15e41e483bd | |
parent | 466cab4758289f91215eada905cf334d334830fa (diff) |
Export/import flags for FFC params changed to seperate fields.
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags, they are now passed as separate OSSL_PARAM fields.
Fixes 'no-cached-fetch' build which uses export/import.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
-rw-r--r-- | crypto/ffc/ffc_backend.c | 19 | ||||
-rw-r--r-- | crypto/ffc/ffc_params.c | 50 | ||||
-rw-r--r-- | crypto/ffc/ffc_params_generate.c | 6 | ||||
-rw-r--r-- | doc/man7/EVP_PKEY-FFC.pod | 17 | ||||
-rw-r--r-- | include/internal/ffc.h | 7 | ||||
-rw-r--r-- | include/openssl/core_names.h | 9 | ||||
-rw-r--r-- | providers/fips-sources.checksums | 6 | ||||
-rw-r--r-- | providers/fips.checksum | 2 | ||||
-rw-r--r-- | test/evp_extra_test2.c | 19 |
9 files changed, 64 insertions, 71 deletions
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c index 43825d9216..27ce15715a 100644 --- a/crypto/ffc/ffc_backend.c +++ b/crypto/ffc/ffc_backend.c @@ -80,12 +80,25 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]) if (!ossl_ffc_params_set_seed(ffc, prm->data, prm->data_size)) goto err; } - prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE); + prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_PQ); if (prm != NULL) { - if (prm->data_type != OSSL_PARAM_UTF8_STRING) + if (!OSSL_PARAM_get_int(prm, &i)) + goto err; + ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_PQ, i); + } + prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_G); + if (prm != NULL) { + if (!OSSL_PARAM_get_int(prm, &i)) goto err; - ossl_ffc_params_set_flags(ffc, ossl_ffc_params_flags_from_name(prm->data)); + ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_G, i); } + prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY); + if (prm != NULL) { + if (!OSSL_PARAM_get_int(prm, &i)) + goto err; + ossl_ffc_params_enable_flags(ffc, FFC_PARAM_FLAG_VALIDATE_LEGACY, i); + } + prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_DIGEST); if (prm != NULL) { const OSSL_PARAM *p1; diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c index 9f52aa35ad..6e025a06be 100644 --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c @@ -23,7 +23,7 @@ void ossl_ffc_params_init(FFC_PARAMS *params) memset(params, 0, sizeof(*params)); params->pcounter = -1; params->gindex = FFC_UNVERIFIABLE_GINDEX; - params->flags = FFC_PARAM_FLAG_VALIDATE_ALL; + params->flags = FFC_PARAM_FLAG_VALIDATE_PQG; } void ossl_ffc_params_cleanup(FFC_PARAMS *params) 
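Review bot: The validation flags in `ossl_ffc_params_fromdata()` are now taken one by one from caller-supplied params, and nothing here documents that an import carrying `validate-pq=0` and `validate-g=0` leaves `ffc->flags` with no validation bit set. The pod text added in this commit says a 0 skips the test and is meant mainly for testing, so a comment above the block would make that trust assumption visible at the point of use, for example `/* Caller-supplied: 0 clears the flag and skips that check (testing only) */`. How `ossl_ffc_params_enable_flags()` treats values other than 0 and 1 is not visible in this hunk; passing `i != 0` would make the boolean intent explicit. The three stanzas differ only in key and flag, as do the three export stanzas added to `ossl_ffc_params_todata()` in ffc_params.c, so a shared `{ key, flag }` table walked by both sides would keep import and export from drifting apart again. The function starts and ends outside the hunk.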
@@ -207,39 +207,11 @@ int ossl_ffc_params_cmp(const FFC_PARAMS *a, const FFC_PARAMS *b, int ignore_q) && (ignore_q || BN_cmp(a->q, b->q) == 0); /* Note: q may be NULL */ } -static const OSSL_ITEM flag_map[] = { - { FFC_PARAM_FLAG_VALIDATE_PQ, OSSL_FFC_PARAM_VALIDATE_PQ }, - { FFC_PARAM_FLAG_VALIDATE_G, OSSL_FFC_PARAM_VALIDATE_G }, - { FFC_PARAM_FLAG_VALIDATE_ALL, OSSL_FFC_PARAM_VALIDATE_PQG }, - { 0, "" } -}; - -int ossl_ffc_params_flags_from_name(const char *name) -{ - size_t i; - - for (i = 0; i < OSSL_NELEM(flag_map); ++i) { - if (strcasecmp(flag_map[i].ptr, name) == 0) - return flag_map[i].id; - } - return NID_undef; -} - -const char *ossl_ffc_params_flags_to_name(int flags) -{ - size_t i; - - flags &= FFC_PARAM_FLAG_VALIDATE_ALL; - for (i = 0; i < OSSL_NELEM(flag_map); ++i) { - if ((int)flag_map[i].id == flags) - return flag_map[i].ptr; - } - return ""; -} - int ossl_ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) { + int test_flags; + if (ffc == NULL) return 0; @@ -279,10 +251,20 @@ int ossl_ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld, name)) return 0; } - if (!ossl_param_build_set_utf8_string(bld, params, - OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE, - ossl_ffc_params_flags_to_name(ffc->flags))) + test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_PQ) != 0); + if (!ossl_param_build_set_int(bld, params, + OSSL_PKEY_PARAM_FFC_VALIDATE_PQ, test_flags)) return 0; + test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_G) != 0); + if (!ossl_param_build_set_int(bld, params, + OSSL_PKEY_PARAM_FFC_VALIDATE_G, test_flags)) + return 0; + test_flags = ((ffc->flags & FFC_PARAM_FLAG_VALIDATE_LEGACY) != 0); + if (!ossl_param_build_set_int(bld, params, + OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY, + test_flags)) + return 0; + if (ffc->mdname != NULL && !ossl_param_build_set_utf8_string(bld, params, OSSL_PKEY_PARAM_FFC_DIGEST, 
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c index ee13a07d10..26ab9120c6 100644 --- a/crypto/ffc/ffc_params_generate.c +++ b/crypto/ffc/ffc_params_generate.c @@ -479,7 +479,7 @@ static const char *default_mdname(size_t N) * For validation one of: * -FFC_PARAM_FLAG_VALIDATE_PQ * -FFC_PARAM_FLAG_VALIDATE_G - * -FFC_PARAM_FLAG_VALIDATE_ALL + * -FFC_PARAM_FLAG_VALIDATE_PQG * For generation of p & q: * - This is skipped if p & q are passed in. * - If the seed is passed in then generation of p & q uses this seed (and if @@ -720,7 +720,7 @@ int ossl_ffc_params_FIPS186_4_gen_verify(OSSL_LIB_CTX *libctx, goto err; /* If validating p & q only then skip the g validation test */ - if ((flags & FFC_PARAM_FLAG_VALIDATE_ALL) == FFC_PARAM_FLAG_VALIDATE_PQ) + if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ) goto pass; g_only: if ((mont = BN_MONT_CTX_new()) == NULL) @@ -972,7 +972,7 @@ int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx, } } /* If validating p & q only then skip the g validation test */ - if ((flags & FFC_PARAM_FLAG_VALIDATE_ALL) == FFC_PARAM_FLAG_VALIDATE_PQ) + if ((flags & FFC_PARAM_FLAG_VALIDATE_PQG) == FFC_PARAM_FLAG_VALIDATE_PQ) goto pass; g_only: if ((mont = BN_MONT_CTX_new()) == NULL) diff --git a/doc/man7/EVP_PKEY-FFC.pod b/doc/man7/EVP_PKEY-FFC.pod index 9de066a865..3ab243f45a 100644 --- a/doc/man7/EVP_PKEY-FFC.pod +++ b/doc/man7/EVP_PKEY-FFC.pod 
@@ -100,6 +100,23 @@ satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). An optional informational cofactor parameter that should equal to (p - 1) / q. +=item "validate-pq" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_PQ>) <unsigned integer> + +=item "validate-g" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_G>) <unsigned integer> + +These boolean values are used during FIPS186-4 or FIPS186-2 key validation checks +(See L<EVP_PKEY_param_check(3)>) to select validation options. By default +I<validate-pq> and I<validate-g> are both set to 1 to check that p,q and g are +valid. Either of these may be set to 0 to skip a test, which is mainly useful +for testing purposes. + +=item "validate-legacy" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY>) <unsigned integer> + +This boolean value is used during key validation checks +(See L<EVP_PKEY_param_check(3)>) to select the validation type. The default +value of 0 selects FIPS186-4 validation. Setting this value to 1 selects +FIPS186-2 validation. + =back =head2 FFC key generation parameters diff --git a/include/internal/ffc.h b/include/internal/ffc.h index f0ab31400b..79cb06aba3 100644 --- a/include/internal/ffc.h +++ b/include/internal/ffc.h @@ -42,7 +42,7 @@ /* Validation flags */ # define FFC_PARAM_FLAG_VALIDATE_PQ 0x01 # define FFC_PARAM_FLAG_VALIDATE_G 0x02 -# define FFC_PARAM_FLAG_VALIDATE_ALL \ +# define FFC_PARAM_FLAG_VALIDATE_PQG \ (FFC_PARAM_FLAG_VALIDATE_PQ | FFC_PARAM_FLAG_VALIDATE_G) #define FFC_PARAM_FLAG_VALIDATE_LEGACY 0x04 @@ -105,7 +105,7 @@ typedef struct ffc_params_st { int gindex; int h; /* loop counter for unverifiable g */ - unsigned int flags; /* See FFC_PARAM_FLAG_VALIDATE_ALL */ + unsigned int flags; /* * The digest to use for generation or validation. If this value is NULL, * then the digest is chosen using the value of N. 
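Review bot: In include/internal/ffc.h the `flags` member of `struct ffc_params_st` loses its comment instead of having it updated, so the field no longer points a reader at the bits it holds. Since the importer in this commit also sets `FFC_PARAM_FLAG_VALIDATE_LEGACY` on it, I would keep a pointer such as `unsigned int flags; /* FFC_PARAM_FLAG_VALIDATE_* bits */`. The struct starts and ends outside the hunk.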
@@ -209,7 +209,4 @@ const BIGNUM *ossl_ffc_named_group_get_q(const DH_NAMED_GROUP *group); int ossl_ffc_named_group_set_pqg(FFC_PARAMS *ffc, const DH_NAMED_GROUP *group); #endif -const char *ossl_ffc_params_flags_to_name(int flags); -int ossl_ffc_params_flags_from_name(const char *name); - #endif /* OSSL_INTERNAL_FFC_H */ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 7ebde7c2a1..c01be930ab 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -294,12 +294,9 @@ extern "C" { #define OSSL_PKEY_PARAM_FFC_SEED "seed" #define OSSL_PKEY_PARAM_FFC_COFACTOR "j" #define OSSL_PKEY_PARAM_FFC_H "hindex" -#define OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE "valid-type" - -/* Diffie-Hellman/DSA Parameters parameter validation types */ -#define OSSL_FFC_PARAM_VALIDATE_PQ "validate-pq" -#define OSSL_FFC_PARAM_VALIDATE_G "validate-g" -#define OSSL_FFC_PARAM_VALIDATE_PQG "validate-pqg" +#define OSSL_PKEY_PARAM_FFC_VALIDATE_PQ "validate-pq" +#define OSSL_PKEY_PARAM_FFC_VALIDATE_G "validate-g" +#define OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY "validate-legacy" /* Diffie-Hellman params */ #define OSSL_PKEY_PARAM_DH_GENERATOR "safeprime-generator" diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index a127b70ef4..57c66af718 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums 
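Review bot: In include/openssl/core_names.h the `valid-type` key and its three value strings are removed from a public header with no compatibility path visible in this commit, and the importer in ffc_backend.c no longer looks the key up. A caller still passing `valid-type` would presumably have it ignored and keep the default set in `ossl_ffc_params_init()`, which is validation of p, q and g, so the failure is silent but on the safe side. It is worth confirming that no in-tree caller still uses the old names, and adding a release-notes line if the key was ever part of a published release. The literals `validate-pq` and `validate-g` also change role here, from values of the old key to keys in their own right, which a short comment above the three new defines could state.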
@@ -188,12 +188,12 @@ ff8a5ff024c228fe714e4cf758260cf9e9c992a9311acb5f96b0f2ed6af1a814 crypto/evp/pme b360a72944bcb8f8ae8bd28d9b8a4a6aa4f39d1402295f84af243d14c3f1898c crypto/evp/pmeth_lib.c 52d8ea3b8b3ef52b58306b0fbd4557d682ba69a5384672ba7e1682c9a853f417 crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c -ae496cbb92b8664bb729997a241d12cc515a3944d66fe87b0c6e24f1011e061f crypto/ffc/ffc_backend.c +00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8 crypto/ffc/ffc_backend.c ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d crypto/ffc/ffc_dh.c 8390c3015b5bb7f65a5cde533390788e7e61e381823c58c2e7caf8e50ca63a3b crypto/ffc/ffc_key_generate.c 084ae8e68a9df5785376bb961a998036336ed13092ffd1c4258b56e6a7e0478b crypto/ffc/ffc_key_validate.c -a87945698684673832fbedb4d01e2f11df58f43f79605a9e6d7136bb15b02e52 crypto/ffc/ffc_params.c -887357f0422954f2ecb855d468ad2456a76372dc401301ba284c0fd8c6b5092e crypto/ffc/ffc_params_generate.c +67fdf1a07ea118963a55540be2ee21c98b7a5eb8149c8caa26e19d922bf60346 crypto/ffc/ffc_params.c +4c614d354252e2cfdfa2fcb7d2abba0456fcdee3e5ffdcf4d7cec1d6c8c9d1d8 crypto/ffc/ffc_params_generate.c 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c c193773792bec29c791e84d150ffe5ef25f53cb02e23f0e12e9000234b4322e5 crypto/hmac/hmac.c 271083f71a1ce24988a0932f73c0221260591823afd495bf2ae8d11e8469b659 crypto/initthread.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 65860fc8fc..83fe30d81c 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -685bc28466bcc7a645e423f4994d0f6d33d32368859ffdd9e42c2983934bffbb providers/fips-sources.checksums +3ea8c9568047f0cf5ca79b8de0b7d4daa76044baa6bfe25a22a7bbfe13186f7c providers/fips-sources.checksums diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c index 2e5861c77f..d9d26711ba 100644 --- a/test/evp_extra_test2.c +++ b/test/evp_extra_test2.c 
@@ -596,20 +596,6 @@ static int do_check_int(OSSL_PARAM params[], const char *key, int expected) && TEST_int_eq(val, expected); } -static int do_check_utf8_str(OSSL_PARAM params[], const char *key, - const char *expected) -{ - OSSL_PARAM *p; - char *bufp = NULL; - int ret; - - ret = TEST_ptr(p = OSSL_PARAM_locate(params, key)) - && TEST_true(OSSL_PARAM_get_utf8_string(p, &bufp, 0)) - && TEST_str_eq(bufp, expected); - OPENSSL_free(bufp); - return ret; -} - static int test_dsa_todata(void) { EVP_PKEY *pkey = NULL; @@ -648,8 +634,9 @@ static int test_dsa_todata(void) || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_GINDEX, -1) || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_PCOUNTER, -1) || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_H, 0) - || !do_check_utf8_str(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_TYPE, - OSSL_FFC_PARAM_VALIDATE_PQG) + || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_PQ, 1) + || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_G, 1) + || !do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY, 0) || !TEST_ptr_null(OSSL_PARAM_locate(to_params, OSSL_PKEY_PARAM_FFC_SEED))) goto err; |
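Review bot: The updated assertions in `test_dsa_todata()` only check the exported defaults (1, 1, 0), so the case this commit fixes, a non-default flag such as `validate-legacy` surviving export and import, is not exercised by the visible test changes. A round-trip case that imports params with `OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY` set to 1 and one of the validate flags set to 0, exports again, and asserts `do_check_int(to_params, OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY, 1)` would pin that behaviour. `test_dsa_todata()` continues outside the hunk.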