author | Shane Lontis <shane.lontis@oracle.com> | 2021-04-15 18:25:17 +1000 |
committer | Tomas Mraz <tomas@openssl.org> | 2021-04-26 19:52:11 +0200 |
commit | f1ffaaeece5efb7d2f4859a59e3164edf9b4b769 (patch) | |
tree | a125dfda9f44ef0702f8bae025ccec829eb33652 /crypto/evp/ctrl_params_translate.c | |
parent | 6c9bc258d2e9e7b500236a1c696da1f384f0b907 (diff) |
Fixes related to separation of DH and DHX types
Fix dh_rfc5114 option in genpkey.
Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444
Updated documentation for app to indicate what options are available for
DH and DHX keys.
DH and DHX now have different keymanager gen_set_params() methods.
Added CHANGES entry to indicate the breaking change.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)
Diffstat (limited to 'crypto/evp/ctrl_params_translate.c')
-rw-r--r-- | crypto/evp/ctrl_params_translate.c | 104 |
1 files changed, 61 insertions, 43 deletions
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index 8f4ffd3bc4..f48e723c33 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -977,7 +977,7 @@ static int fix_oid(enum state state,
 return ret;
 }
-/* EVP_PKEY_CTRL_DH_NID, ...??? */
+/* EVP_PKEY_CTRL_DH_NID */
 static int fix_dh_nid(enum state state,
 const struct translation_st *translation,
 struct translation_ctx_st *ctx)
@@ -987,7 +987,7 @@ static int fix_dh_nid(enum state state,
 if ((ret = default_check(state, translation, ctx)) <= 0)
 return ret;
- /* This is currently only settable */
+ /* This is only settable */
 if (ctx->action_type != SET)
 return 0;
@@ -997,16 +997,30 @@ static int fix_dh_nid(enum state state,
 ctx->p1 = 0;
 }
- if ((ret = default_fixup_args(state, translation, ctx)) <= 0)
+ return default_fixup_args(state, translation, ctx);
+}
+
+/* EVP_PKEY_CTRL_DH_RFC5114 */
+static int fix_dh_nid5114(enum state state,
+ const struct translation_st *translation,
+ struct translation_ctx_st *ctx)
+{
+ int ret;
+
+ if ((ret = default_check(state, translation, ctx)) <= 0)
 return ret;
- if (state == PRE_PARAMS_TO_CTRL) {
- ctx->p1 =
- ossl_ffc_named_group_get_uid(ossl_ffc_name_to_dh_named_group(ctx->p2));
- ctx->p2 = NULL;
+ /* This is only settable */
+ if (ctx->action_type != SET)
+ return 0;
+
+ if (state == PRE_CTRL_STR_TO_PARAMS) {
+ ctx->p2 = (char *)ossl_ffc_named_group_get_name
+ (ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2)));
+ ctx->p1 = 0;
 }
- return ret;
+ return default_fixup_args(state, translation, ctx);
 }
 /* EVP_PKEY_CTRL_DH_PARAMGEN_TYPE */
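Review bot: In fix_dh_nid5114 the PRE_CTRL_STR_TO_PARAMS branch stores the name of the group looked up from `atoi(ctx->p2)` without checking the lookup, so an id that is not one of the RFC 5114 groups, or a non-numeric string that atoi silently turns into 0, presumably leaves ctx->p2 NULL with p1 0 and the call falls through to default_fixup_args instead of failing; whether default_fixup_args tolerates a NULL p2 is not visible here. I would keep the lookup result in a local, fail with an explicit error when it is NULL, and consider strtol with an end-pointer check so that a malformed value is rejected rather than read as 0. fix_dh_paramgen_type in the next hunk uses the same unchecked atoi-then-lookup pattern. This hunk also rewrites the tail of fix_dh_nid, whose start is outside the hunk.
```c
    if (state == PRE_CTRL_STR_TO_PARAMS) {
        const DH_NAMED_GROUP *group =
            ossl_ffc_uid_to_dh_named_group(atoi(ctx->p2));

        if (group == NULL) {
            ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT);
            return 0;
        }
        ctx->p2 = (char *)ossl_ffc_named_group_get_name(group);
        ctx->p1 = 0;
    }
    /* … unchanged: return default_fixup_args(state, translation, ctx); … */
```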
@@ -1019,24 +1033,16 @@ static int fix_dh_paramgen_type(enum state state,
 if ((ret = default_check(state, translation, ctx)) <= 0)
 return ret;
- /* This is currently only settable */
+ /* This is only settable */
 if (ctx->action_type != SET)
 return 0;
- if (state == PRE_CTRL_TO_PARAMS) {
- ctx->p2 = (char *)ossl_dh_gen_type_id2name(ctx->p1);
- ctx->p1 = 0;
- }
-
- if ((ret = default_fixup_args(state, translation, ctx)) <= 0)
- return ret;
-
- if (state == PRE_PARAMS_TO_CTRL) {
- ctx->p1 = ossl_dh_gen_type_name2id(ctx->p2);
- ctx->p2 = NULL;
+ if (state == PRE_CTRL_STR_TO_PARAMS) {
+ ctx->p2 = (char *)ossl_dh_gen_type_id2name(atoi(ctx->p2));
+ ctx->p1 = strlen(ctx->p2);
 }
- return ret;
+ return default_fixup_args(state, translation, ctx);
 }
 /* EVP_PKEY_CTRL_EC_PARAM_ENC */
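Review bot: `ctx->p1 = strlen(ctx->p2);` runs on the return value of ossl_dh_gen_type_id2name without a NULL check, so if that lookup returns NULL for an id outside its table (likely for a name table, though its body is not in this hunk) an unrecognised `dh_paramgen_type:N` ctrl string dereferences NULL instead of failing. Guard the assignment before taking the length: `if ((ctx->p2 = (char *)ossl_dh_gen_type_id2name(atoi(ctx->p2))) == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); return 0; }`. This function also sets p1 to the string length while fix_dh_nid5114 in the previous hunk leaves p1 at 0 for the same kind of id-to-name conversion; if default_fixup_args reads p1 as the length of a UTF8 string one of the two is inconsistent, so a one-line comment stating which convention p1 follows would help the next reader. The signature of fix_dh_paramgen_type is outside the hunk.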
@@ -1927,35 +1933,47 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
 EVP_PKEY_CTRL_GET_DH_KDF_OID, NULL, NULL,
 OSSL_KDF_PARAM_CEK_ALG, OSSL_PARAM_UTF8_STRING, fix_oid },
- { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_DERIVE,
- EVP_PKEY_CTRL_DH_PAD, "dh_pad", NULL,
- OSSL_EXCHANGE_PARAM_PAD, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
+ /* DHX Keygen Parameters that are shared with DH */
+ { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN,
+ EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL,
+ OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type },
+ { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN,
+ EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, "dh_paramgen_prime_len", NULL,
+ OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
+ { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_DH_NID, "dh_param", NULL,
+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, NULL },
+ { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL,
+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid5114 },
+ /* DH Keygen Parameters that are shared with DHX */
+ { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
+ EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL,
+ OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type },
+ { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
+ EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, "dh_paramgen_prime_len", NULL,
+ OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
 { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN,
 EVP_PKEY_CTRL_DH_NID, "dh_param", NULL,
 OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid },
- { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
- EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN, NULL, NULL,
- OSSL_PKEY_PARAM_FFC_PBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
- { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
- EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, "dh_paramgen_subprime_len", NULL,
- OSSL_PKEY_PARAM_FFC_QBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
+ { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL,
+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_dh_nid5114 },
+
+ /* DH specific Keygen Parameters */
 { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
 EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR, "dh_paramgen_generator", NULL,
 OSSL_PKEY_PARAM_DH_GENERATOR, OSSL_PARAM_INTEGER, NULL },
- { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
- EVP_PKEY_CTRL_DH_PARAMGEN_TYPE, "dh_paramgen_type", NULL,
- OSSL_PKEY_PARAM_FFC_TYPE, OSSL_PARAM_UTF8_STRING, fix_dh_paramgen_type },
- /*
- * This is know to be incorrect, will be fixed and enabled when the
- * underlying code is corrected.
- * Until then, we simply don't support it here.
- */
-#if 0
- { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_PARAMGEN,
- EVP_PKEY_CTRL_DH_RFC5114, "dh_rfc5114", NULL,
- OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_INTEGER, NULL },
-#endif
+
+ /* DHX specific Keygen Parameters */
+ { SET, EVP_PKEY_DHX, 0, EVP_PKEY_OP_PARAMGEN,
+ EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN, "dh_paramgen_subprime_len", NULL,
+ OSSL_PKEY_PARAM_FFC_QBITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
+
+ { SET, EVP_PKEY_DH, 0, EVP_PKEY_OP_DERIVE,
+ EVP_PKEY_CTRL_DH_PAD, "dh_pad", NULL,
+ OSSL_EXCHANGE_PARAM_PAD, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
 /*-
 * DSA |