authorShane Lontis <shane.lontis@oracle.com>2020-10-15 13:41:59 +1000
committerTomas Mraz <tomas@openssl.org>2021-01-26 15:22:14 +0100
commit5b5eea4b60b682009d2b15587c9ceeae5e9c73f8 (patch)
tree4a3261cb27a582770270a07b40ecf05ecb71c89a /crypto
parent98dbf2c1c8143c0cc6dd05be7950d90bc6792064 (diff)
Deprecate EC_KEY + Update ec apps to use EVP_PKEY
Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asn1/asn1_item_list.h2
-rw-r--r--crypto/ec/ec_backend.c219
-rw-r--r--crypto/ec/ec_key.c2
-rw-r--r--crypto/ec/ec_lib.c86
-rw-r--r--crypto/ec/eck_prn.c8
-rw-r--r--crypto/evp/ec_ctrl.c4
-rw-r--r--crypto/evp/p_legacy.c36
-rw-r--r--crypto/evp/p_lib.c33
-rw-r--r--crypto/pem/pem_all.c13
-rw-r--r--crypto/sm2/sm2_key.c2
-rw-r--r--crypto/sm2/sm2_sign.c2
-rw-r--r--crypto/x509/x509_cmp.c16
-rw-r--r--crypto/x509/x509_vfy.c2
13 files changed, 336 insertions, 89 deletions
diff --git a/crypto/asn1/asn1_item_list.h b/crypto/asn1/asn1_item_list.h
index 01d9076350..b8c5581146 100644
--- a/crypto/asn1/asn1_item_list.h
+++ b/crypto/asn1/asn1_item_list.h
@@ -63,8 +63,10 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
ASN1_ITEM_ref(DIST_POINT_NAME),
ASN1_ITEM_ref(DIST_POINT),
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
ASN1_ITEM_ref(ECPARAMETERS),
ASN1_ITEM_ref(ECPKPARAMETERS),
+# endif
#endif
ASN1_ITEM_ref(EDIPARTYNAME),
ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c
index f950657173..06acb7d607 100644
--- a/crypto/ec/ec_backend.c
+++ b/crypto/ec/ec_backend.c
@@ -7,6 +7,12 @@
* https://www.openssl.org/source/license.html
*/
+/*
+ * Low level APIs related to EC_KEY are deprecated for public use,
+ * but still ok for internal use.
+ */
+#include "internal/deprecated.h"
+
#include <openssl/core_names.h>
#include <openssl/objects.h>
#include <openssl/params.h>
@@ -23,6 +29,18 @@ static const OSSL_ITEM encoding_nameid_map[] = {
{ OPENSSL_EC_NAMED_CURVE, OSSL_PKEY_EC_ENCODING_GROUP },
};
+static const OSSL_ITEM check_group_type_nameid_map[] = {
+ { 0, OSSL_PKEY_EC_GROUP_CHECK_DEFAULT },
+ { EC_FLAG_CHECK_NAMED_GROUP, OSSL_PKEY_EC_GROUP_CHECK_NAMED },
+ { EC_FLAG_CHECK_NAMED_GROUP_NIST, OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST },
+};
+
+static const OSSL_ITEM format_nameid_map[] = {
+ { (int)POINT_CONVERSION_UNCOMPRESSED, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED },
+ { (int)POINT_CONVERSION_COMPRESSED, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED },
+ { (int)POINT_CONVERSION_HYBRID, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID },
+};
+
int ec_encoding_name2id(const char *name)
{
size_t i, sz;
@@ -49,13 +67,95 @@ static char *ec_param_encoding_id2name(int id)
return NULL;
}
+char *ec_check_group_type_id2name(int id)
+{
+ size_t i, sz;
+
+ for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) {
+ if (id == (int)check_group_type_nameid_map[i].id)
+ return check_group_type_nameid_map[i].ptr;
+ }
+ return NULL;
+}
+
+static int ec_check_group_type_name2id(const char *name)
+{
+ size_t i, sz;
+
+ /* Return the default value if there is no name */
+ if (name == NULL)
+ return 0;
+
+ for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) {
+ if (strcasecmp(name, check_group_type_nameid_map[i].ptr) == 0)
+ return check_group_type_nameid_map[i].id;
+ }
+ return -1;
+}
+
+int ec_set_check_group_type_from_name(EC_KEY *ec, const char *name)
+{
+ int flags = ec_check_group_type_name2id(name);
+
+ if (flags == -1)
+ return 0;
+ EC_KEY_clear_flags(ec, EC_FLAG_CHECK_NAMED_GROUP_MASK);
+ EC_KEY_set_flags(ec, flags);
+ return 1;
+}
+
+static int ec_set_check_group_type_from_param(EC_KEY *ec, const OSSL_PARAM *p)
+{
+ const char *name = NULL;
+ int status = 0;
+
+ switch (p->data_type) {
+ case OSSL_PARAM_UTF8_STRING:
+ name = p->data;
+ status = (name != NULL);
+ break;
+ case OSSL_PARAM_UTF8_PTR:
+ status = OSSL_PARAM_get_utf8_ptr(p, &name);
+ break;
+ }
+ if (status)
+ return ec_set_check_group_type_from_name(ec, name);
+ return 0;
+}
+
+int ec_pt_format_name2id(const char *name)
+{
+ size_t i, sz;
+
+ /* Return the default value if there is no name */
+ if (name == NULL)
+ return (int)POINT_CONVERSION_UNCOMPRESSED;
+
+ for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) {
+ if (strcasecmp(name, format_nameid_map[i].ptr) == 0)
+ return format_nameid_map[i].id;
+ }
+ return -1;
+}
+
+char *ec_pt_format_id2name(int id)
+{
+ size_t i, sz;
+
+ for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) {
+ if (id == (int)format_nameid_map[i].id)
+ return format_nameid_map[i].ptr;
+ }
+ return NULL;
+}
+
int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
OSSL_PARAM params[], OSSL_LIB_CTX *libctx,
const char *propq,
BN_CTX *bnctx, unsigned char **genbuf)
{
int ret = 0, curve_nid, encoding_flag;
- const char *field_type, *encoding_name;
+ const char *field_type, *encoding_name, *pt_form_name;
const BIGNUM *cofactor, *order;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
point_conversion_form_t genform;
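Review bot: `ec_set_check_group_type_from_name` returns 0 for an unrecognised OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE value without putting anything on the error stack, and `ec_key_group_check_fromdata` in a later hunk passes that 0 straight up, whereas the neighbouring point-format path raises EC_R_INVALID_FORM when its lookup fails. A caller then sees a bare failure with no reason code; add `ERR_raise(ERR_LIB_EC, EC_R_INVALID_ARGUMENT);` before the `return 0;` at the `flags == -1` check (or raise in the `_from_param` wrapper, which is also where a non-UTF8 data_type is silently dropped). The two `_name2id` helpers treat a NULL name differently (0 versus POINT_CONVERSION_UNCOMPRESSED); a one-line comment on each saying that NULL means "use the default" would save the next reader a lookup. `ec_group_todata` continues past the end of this hunk.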
@@ -68,6 +168,15 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
return 0;
}
+ genform = EC_GROUP_get_point_conversion_form(group);
+ pt_form_name = ec_pt_format_id2name(genform);
+ if (pt_form_name == NULL
+ || !ossl_param_build_set_utf8_string(
+ tmpl, params,
+ OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, pt_form_name)) {
+ ECerr(0, EC_R_INVALID_FORM);
+ return 0;
+ }
encoding_flag = EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE;
encoding_name = ec_param_encoding_id2name(encoding_flag);
if (encoding_name == NULL
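Review bot: The new failure path `ECerr(0, EC_R_INVALID_FORM);` uses the legacy ECerr macro with a dummy function code, while the rest of `ec_group_todata` (`ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR)` a few lines down) uses ERR_raise; in 3.0 the function argument is discarded, so the 0 carries no meaning and the mix only invites the question of what it stands for. Use `ERR_raise(ERR_LIB_EC, EC_R_INVALID_FORM);` here. The same applies to the ECerr calls added in `ec_key_point_format_fromdata` below and in `ec_group_set_params` and `EC_GROUP_new_from_params` in crypto/ec/ec_lib.c. `ec_group_todata` starts and ends outside this hunk.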
@@ -115,7 +224,6 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
goto err;
}
- genform = EC_GROUP_get_point_conversion_form(group);
genbuf_len = EC_POINT_point2buf(group, genpt, genform, genbuf, bnctx);
if (genbuf_len == 0) {
ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
@@ -336,17 +444,50 @@ int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
if (!EC_KEY_set_group(ec, group))
goto err;
-
- /*
- * TODO(3.0): if the group has changed, should we invalidate the private and
- * public key?
- */
ok = 1;
err:
EC_GROUP_free(group);
return ok;
}
+static int ec_key_point_format_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+ int format = -1;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT);
+ if (p != NULL) {
+ if (!ec_pt_format_param2id(p, &format)) {
+ ECerr(0, EC_R_INVALID_FORM);
+ return 0;
+ }
+ EC_KEY_set_conv_form(ec, format);
+ }
+ return 1;
+}
+
+static int ec_key_group_check_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
+{
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE);
+ if (p != NULL)
+ return ec_set_check_group_type_from_param(ec, p);
+ return 1;
+}
+
+static int ec_set_include_public(EC_KEY *ec, int include)
+{
+ int flags = EC_KEY_get_enc_flags(ec);
+
+ if (!include)
+ flags |= EC_PKEY_NO_PUBKEY;
+ else
+ flags &= ~EC_PKEY_NO_PUBKEY;
+ EC_KEY_set_enc_flags(ec, flags);
+ return 1;
+}
+
int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
{
const OSSL_PARAM *p;
@@ -363,5 +504,69 @@ int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
return 0;
}
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC);
+ if (p != NULL) {
+ int include = 1;
+
+ if (!OSSL_PARAM_get_int(p, &include)
+ || !ec_set_include_public(ec, include))
+ return 0;
+ }
+ if (!ec_key_point_format_fromdata(ec, params))
+ return 0;
+ if (!ec_key_group_check_fromdata(ec, params))
+ return 0;
return 1;
}
+
+int ec_encoding_param2id(const OSSL_PARAM *p, int *id)
+{
+ const char *name = NULL;
+ int status = 0;
+
+ switch (p->data_type) {
+ case OSSL_PARAM_UTF8_STRING:
+ /* The OSSL_PARAM functions have no support for this */
+ name = p->data;
+ status = (name != NULL);
+ break;
+ case OSSL_PARAM_UTF8_PTR:
+ status = OSSL_PARAM_get_utf8_ptr(p, &name);
+ break;
+ }
+ if (status) {
+ int i = ec_encoding_name2id(name);
+
+ if (i >= 0) {
+ *id = i;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int ec_pt_format_param2id(const OSSL_PARAM *p, int *id)
+{
+ const char *name = NULL;
+ int status = 0;
+
+ switch (p->data_type) {
+ case OSSL_PARAM_UTF8_STRING:
+ /* The OSSL_PARAM functions have no support for this */
+ name = p->data;
+ status = (name != NULL);
+ break;
+ case OSSL_PARAM_UTF8_PTR:
+ status = OSSL_PARAM_get_utf8_ptr(p, &name);
+ break;
+ }
+ if (status) {
+ int i = ec_pt_format_name2id(name);
+
+ if (i >= 0) {
+ *id = i;
+ return 1;
+ }
+ }
+ return 0;
+}
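Review bot: `ec_encoding_param2id` and `ec_pt_format_param2id` are line-for-line the same apart from the lookup they call, and `ec_set_check_group_type_from_param` in an earlier hunk is a third copy of the same data_type switch; three copies of the UTF8_STRING-versus-UTF8_PTR extraction means three places to fix when the next parameter is added. Pull the extraction into one static helper and have each wrapper only translate the name, as sketched below (the group-check wrapper would call the same helper). A short comment on the helper is also the single place to explain why OSSL_PARAM_UTF8_STRING is read directly rather than through the OSSL_PARAM getters, which the copied comment only hints at.
```c
/* Fetch the UTF-8 name carried by p in either of the two UTF-8 forms. */
static int ec_param_get_utf8_name(const OSSL_PARAM *p, const char **name)
{
    switch (p->data_type) {
    case OSSL_PARAM_UTF8_STRING:
        /* The OSSL_PARAM functions have no support for this */
        *name = p->data;
        return *name != NULL;
    case OSSL_PARAM_UTF8_PTR:
        return OSSL_PARAM_get_utf8_ptr(p, name);
    default:
        return 0;
    }
}

int ec_encoding_param2id(const OSSL_PARAM *p, int *id)
{
    const char *name = NULL;
    int i;

    if (!ec_param_get_utf8_name(p, &name) || (i = ec_encoding_name2id(name)) < 0)
        return 0;
    *id = i;
    return 1;
}

/* … unchanged: ec_pt_format_param2id, same shape around ec_pt_format_name2id … */
```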
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index d03c75e8aa..d354fd484e 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -9,7 +9,7 @@
*/
/*
- * ECDSA low level APIs are deprecated for public use, but still ok for
+ * EC_KEY low level APIs are deprecated for public use, but still ok for
* internal use.
*/
#include "internal/deprecated.h"
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 678b77047d..e1b92f7c33 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -9,7 +9,7 @@
*/
/*
- * ECDSA low level APIs are deprecated for public use, but still ok for
+ * EC_GROUP low level APIs are deprecated for public use, but still ok for
* internal use.
*/
#include "internal/deprecated.h"
@@ -1461,32 +1461,6 @@ err:
return NULL;
}
-static int ec_encoding_param2id(const OSSL_PARAM *p, int *id)
-{
- const char *name = NULL;
- int status = 0;
-
- switch (p->data_type) {
- case OSSL_PARAM_UTF8_STRING:
- /* The OSSL_PARAM functions have no support for this */
- name = p->data;
- status = (name != NULL);
- break;
- case OSSL_PARAM_UTF8_PTR:
- status = OSSL_PARAM_get_utf8_ptr(p, &name);
- break;
- }
- if (status) {
- int i = ec_encoding_name2id(name);
-
- if (i >= 0) {
- *id = i;
- return 1;
- }
- }
- return 0;
-}
-
static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
OSSL_LIB_CTX *libctx, const char *propq)
{
@@ -1516,6 +1490,42 @@ static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
return NULL;
}
+/* These parameters can be set directly into an EC_GROUP */
+int ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[])
+{
+ int encoding_flag = -1, format = -1;
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT);
+ if (p != NULL) {
+ if (!ec_pt_format_param2id(p, &format)) {
+ ECerr(0, EC_R_INVALID_FORM);
+ return 0;
+ }
+ EC_GROUP_set_point_conversion_form(group, format);
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING);
+ if (p != NULL) {
+ if (!ec_encoding_param2id(p, &encoding_flag)) {
+ ECerr(0, EC_R_INVALID_FORM);
+ return 0;
+ }
+ EC_GROUP_set_asn1_flag(group, encoding_flag);
+ }
+ /* Optional seed */
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_SEED);
+ if (p != NULL) {
+ /* The seed is allowed to be NULL */
+ if (p->data_type != OSSL_PARAM_OCTET_STRING
+ || !EC_GROUP_set_seed(group, p->data, p->data_size)) {
+ ECerr(0, EC_R_INVALID_SEED);
+ return 0;
+ }
+ }
+ return 1;
+}
+
EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
OSSL_LIB_CTX *libctx, const char *propq)
{
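Review bot: A malformed OSSL_PKEY_PARAM_EC_ENCODING is reported as EC_R_INVALID_FORM in `ec_group_set_params`, while the code this replaces in `EC_GROUP_new_from_params` (and the explicit-parameter path two hunks down) reports EC_R_INVALID_ENCODING for the same input, so the reason a caller sees now depends on whether the group was named or explicit. Change the second error to `ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING);`. The one-line header comment could also state the contract the named-group caller relies on: each parameter here is optional and an absent one leaves the group's current setting untouched.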
@@ -1530,19 +1540,19 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
const unsigned char *buf = NULL;
int encoding_flag = -1;
- ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING);
- if (ptmp != NULL && !ec_encoding_param2id(ptmp, &encoding_flag)) {
- ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING);
- return 0;
- }
-
+ /* This is the simple named group case */
ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
if (ptmp != NULL) {
group = group_new_from_name(ptmp, libctx, propq);
- if (group != NULL)
- EC_GROUP_set_asn1_flag(group, encoding_flag);
+ if (group != NULL) {
+ if (!ec_group_set_params(group, params)) {
+ EC_GROUP_free(group);
+ group = NULL;
+ }
+ }
return group;
}
+ /* If it gets here then we are trying explicit parameters */
bnctx = BN_CTX_new_ex(libctx);
if (bnctx == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@@ -1690,6 +1700,12 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
* If we did not find a named group then the encoding should be explicit
* if it was specified
*/
+ ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING);
+ if (ptmp != NULL
+ && !ec_encoding_param2id(ptmp, &encoding_flag)) {
+ ECerr(0, EC_R_INVALID_ENCODING);
+ return 0;
+ }
if (encoding_flag == OPENSSL_EC_NAMED_CURVE) {
ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING);
goto err;
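Review bot: The `return 0;` after the moved EC_R_INVALID_ENCODING check no longer runs the function's cleanup: in its old position, before `BN_CTX_new_ex`, an early return was harmless, but at this point in `EC_GROUP_new_from_params` the BN_CTX and, from the surrounding code, presumably the partially built group and BIGNUMs are live and are only released at `err:`, so a bad encoding string now leaks them; it also returns 0 from a function returning EC_GROUP *. Make it `goto err;`, matching the OPENSSL_EC_NAMED_CURVE check immediately below. The function body runs past both ends of this hunk.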
diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c
index 20c6065a31..e731d7c369 100644
--- a/crypto/ec/eck_prn.c
+++ b/crypto/ec/eck_prn.c
@@ -8,13 +8,16 @@
* https://www.openssl.org/source/license.html
*/
+#include "internal/deprecated.h"
+
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_STDIO
int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off)
{
BIO *b;
@@ -59,7 +62,7 @@ int ECParameters_print_fp(FILE *fp, const EC_KEY *x)
BIO_free(b);
return ret;
}
-#endif
+#endif /* OPENSSL_NO_STDIO */
static int print_bin(BIO *fp, const char *str, const unsigned char *num,
size_t len, int off);
@@ -256,3 +259,4 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf,
return 1;
}
+#endif /* OPENSSL_NO_DEPRECATED_3_0 */
diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c
index 541d8549d4..5bb078639c 100644
--- a/crypto/evp/ec_ctrl.c
+++ b/crypto/evp/ec_ctrl.c
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+#include "internal/deprecated.h"
+
#include <string.h>
#include <openssl/core_names.h>
@@ -466,7 +468,7 @@ int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc)
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
(char *)enc, 0);
- *p++ = OSSL_PARAM_construct_end();
+ *p = OSSL_PARAM_construct_end();
ret = evp_pkey_ctx_set_params_strict(ctx, params);
end:
diff --git a/crypto/evp/p_legacy.c b/crypto/evp/p_legacy.c
index cad4d67d73..a4e478c223 100644
--- a/crypto/evp/p_legacy.c
+++ b/crypto/evp/p_legacy.c
@@ -17,6 +17,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
+#include <openssl/ec.h>
#include "crypto/types.h"
#include "crypto/evp.h"
#include "evp_local.h"
@@ -24,6 +25,7 @@
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
{
int ret = EVP_PKEY_assign_RSA(pkey, key);
+
if (ret)
RSA_up_ref(key);
return ret;
@@ -45,7 +47,41 @@ RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
{
RSA *ret = EVP_PKEY_get0_RSA(pkey);
+
if (ret != NULL)
RSA_up_ref(ret);
return ret;
}
+
+#ifndef OPENSSL_NO_EC
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
+{
+ int ret = EVP_PKEY_assign_EC_KEY(pkey, key);
+
+ if (ret)
+ EC_KEY_up_ref(key);
+ return ret;
+}
+
+EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
+{
+ if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
+ return NULL;
+ }
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
+ EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
+ return NULL;
+ }
+ return pkey->pkey.ec;
+}
+
+EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+{
+ EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
+
+ if (ret != NULL)
+ EC_KEY_up_ref(ret);
+ return ret;
+}
+#endif /* OPENSSL_NO_EC */
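Review bot: `EVP_PKEY_get0_EC_KEY` raises EVP_R_EXPECTING_A_EC_KEY through `EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, ...)`, reintroducing a function code that the version being removed from crypto/evp/p_lib.c had already dropped; the check two lines above it in the same function uses ERR_raise. Use `ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_EC_KEY);` so the moved function stays identical to the one removed. While it is being moved, the `(EVP_PKEY *)pkey` cast on a const parameter deserves a comment saying what `evp_pkey_downgrade` does to the key, since the cast suggests it mutates state the const signature promises not to touch.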
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index f43f5488d0..6fdc186507 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -43,7 +43,6 @@
#include "crypto/ec.h"
-/* TODO remove this when the EVP_PKEY_is_a() #legacy support hack is removed */
#include "e_os.h" /* strcasecmp on Windows */
static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
@@ -115,8 +114,7 @@ void *EVP_PKEY_get_ex_data(const EVP_PKEY *key, int idx)
int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
/*
- * TODO: clean up legacy stuff from this function when legacy support
- * is gone.
+ * Clean up legacy stuff from this function when legacy support is gone.
*/
/*
@@ -814,35 +812,6 @@ DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
#ifndef FIPS_MODULE
# ifndef OPENSSL_NO_EC
-int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
-{
- int ret = EVP_PKEY_assign_EC_KEY(pkey, key);
- if (ret)
- EC_KEY_up_ref(key);
- return ret;
-}
-
-EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
-{
- if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
- ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
- return NULL;
- }
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
- ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_EC_KEY);
- return NULL;
- }
- return pkey->pkey.ec;
-}
-
-EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
-{
- EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
- if (ret != NULL)
- EC_KEY_up_ref(ret);
- return ret;
-}
-
static ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type)
{
if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
index 5f73f93ce8..a31b81ceec 100644
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -128,7 +128,9 @@ DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u)
IMPLEMENT_PEM_rw(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
#endif
-#ifndef OPENSSL_NO_EC
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_EC
static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey)
{
EC_KEY *dtmp;
@@ -160,7 +162,7 @@ IMPLEMENT_PEM_rw(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS,
IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,
ECPrivateKey)
IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_STDIO
EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
void *u)
{
@@ -168,10 +170,9 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
return pkey_get_eckey(pktmp, eckey); /* will free pktmp */
}
-
-# endif
-
-#endif
+# endif
+# endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_DEPRECATED_3_0 */
#ifndef OPENSSL_NO_DH
diff --git a/crypto/sm2/sm2_key.c b/crypto/sm2/sm2_key.c
index 5182d01058..c91a712b67 100644
--- a/crypto/sm2/sm2_key.c
+++ b/crypto/sm2/sm2_key.c
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+#include "internal/deprecated.h" /* to be able to use EC_KEY and EC_GROUP */
+
#include <openssl/err.h>
#include "crypto/sm2err.h"
#include "crypto/sm2.h"
diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c
index 94ea3aef96..1383e2e4f8 100644
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html
*/
+#include "internal/deprecated.h"
+
#include "crypto/sm2.h"
#include "crypto/sm2err.h"
#include "crypto/ec.h" /* ec_group_do_inverse_ord() */
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index d18d1e2b67..fb34d5cefc 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -400,13 +400,19 @@ int X509_check_private_key(const X509 *x, const EVP_PKEY *k)
static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
{
- const EC_GROUP *grp = NULL;
+ char curve_name[80];
+ size_t curve_name_len;
int curve_nid;
- if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC)
- grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey));
- if (!grp)
+
+ if (pkey == NULL || !EVP_PKEY_is_a(pkey, "EC"))
return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
- curve_nid = EC_GROUP_get_curve_name(grp);
+
+ if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
+ curve_name, sizeof(curve_name),
+ &curve_name_len))
+ return X509_V_ERR_SUITE_B_INVALID_CURVE;
+
+ curve_nid = OBJ_txt2nid(curve_name);
/* Check curve is consistent with LOS */
if (curve_nid == NID_secp384r1) { /* P-384 */
/*
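Review bot: `char curve_name[80]` in `check_suite_b` is an unexplained magic size; if a provider ever reports a group name that does not fit, `EVP_PKEY_get_utf8_string_param` fails and the key is rejected as X509_V_ERR_SUITE_B_INVALID_CURVE, which is the safe direction but not obvious from the code. Add a comment on the declaration, e.g. `/* large enough for any registered curve name; an overlong name fails the get below and is rejected as an invalid curve */`, or give the size a name. `OBJ_txt2nid` yields NID_undef for a name it does not know, so the comparison chain that continues after this hunk must, as it presumably already did for the old EC_GROUP_get_curve_name path, treat NID_undef as not Suite B.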
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 1d79449331..2e61969791 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html
*/
+#include "internal/deprecated.h"
+
#include <stdio.h>
#include <time.h>
#include <errno.h>