| author | Matt Caswell <matt@openssl.org> | 2021-02-09 15:50:05 +0000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2021-02-15 14:17:36 +1000 |
| commit | 899e25643dc63a84a924d08f86d7d19613714431 (patch) | |
| tree | f79751777385af9b6d4d05a8dc1739a94f59510b /doc/man7 | |
| parent | aee73562d17499f2660c14f8c150459097680a1d (diff) | |
Implement EVP_PKEY_param_check_quick() and use it in libssl
The low level DH API has two functions for checking parameters:
DH_check_ex() and DH_check_params_ex(). The former does a "full" check,
while the latter does a "quick" check. Most importantly it skips the
check for a safe prime. We're ok without using safe primes here because
we're doing ephemeral DH.
Now that libssl is fully using the EVP API, we need a way to specify that
we want a quick check instead of a full check. Therefore we introduce
EVP_PKEY_param_check_quick() and use it.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)
Diffstat (limited to 'doc/man7')
| -rw-r--r-- | doc/man7/provider-keymgmt.pod | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 0095da00ca..4c1f032744 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -54,7 +54,7 @@ provider-keymgmt - The KEYMGMT library E<lt>-E<gt> provider functions int OSSL_FUNC_keymgmt_copy(void *keydata_to, const void *keydata_from, int selection); /* Key object validation */ - int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection); + int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype); =head1 DESCRIPTION @@ -298,7 +298,12 @@ data subsets may cause validation of the combined data. For example, the combination of B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY> and B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY> (or B<OSSL_KEYMGMT_SELECT_KEYPAIR> for short) is expected to check that the pairwise consistency of -I<keydata> is valid. +I<keydata> is valid. The I<checktype> parameter controls what type of check is +performed on the subset of data. Two types of check are defined: +B<OSSL_KEYMGMT_VALIDATE_FULL_CHECK> and B<OSSL_KEYMGMT_VALIDATE_QUICK_CHECK>. +The interpretation of how much checking is performed in a full check versus a +quick check is key type specific. Some providers may have no distinction +between a full check and a quick check. OSSL_FUNC_keymgmt_match() should check if the data subset indicated by I<selection> in I<keydata1> and I<keydata2> match. It is assumed that |
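Review bot: adding the checktype argument to OSSL_FUNC_keymgmt_validate (first hunk) changes the signature that every provider implementing this function must match, yet the hunk only updates the SYNOPSIS prototype and the diffstat (7 insertions, 2 deletions) leaves no room for a HISTORY entry; suggest adding a HISTORY line recording when the checktype argument was added so provider authors know that implementations written against the old two-argument prototype need updating.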
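Review bot: the new DESCRIPTION text (second hunk) does not say how a provider should treat a checktype value other than B<OSSL_KEYMGMT_VALIDATE_FULL_CHECK> or B<OSSL_KEYMGMT_VALIDATE_QUICK_CHECK>; suggest stating that an unrecognised value must be treated as a full check (or rejected with an error) so a caller never silently receives weaker validation than requested, and, since the commit message notes that the DH quick check skips the safe-prime test and is only acceptable for ephemeral use, adding a sentence warning that a quick check may omit checks a caller relies on outside that case.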