diff options
| author | Matt Caswell <matt@openssl.org> | 2021-03-09 17:07:48 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2021-03-15 15:51:26 +0000 |
| commit | 2cf8bb46fc3e0e2aaead764d333c6e216f028ef3 (patch) | |
| tree | e769525123b367abfeb520e7ead3c2c9e1a050a6 /providers | |
| parent | 2db5834c43dcc2a04ccf4cf98f412d4d3474731e (diff) | |
Ensure that ECX keys pass EVP_PKEY_param_check()
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.
Fixes #14482
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/implementations/keymgmt/ecx_kmgmt.c | 10 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/rsa_kmgmt.c | 13 |
2 files changed, 19 insertions, 4 deletions
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 8e47dfb03e..9b23c2f0ec 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -71,8 +71,6 @@ static OSSL_FUNC_keymgmt_import_types_fn ecx_imexport_types; static OSSL_FUNC_keymgmt_export_fn ecx_export; static OSSL_FUNC_keymgmt_export_types_fn ecx_imexport_types; -#define ECX_POSSIBLE_SELECTIONS (OSSL_KEYMGMT_SELECT_KEYPAIR) - struct ecx_gen_ctx { OSSL_LIB_CTX *libctx; char *propq; @@ -727,7 +725,13 @@ static int ecx_validate(const void *keydata, int selection, int type, size_t key assert(keylen == ecx->keylen); - if ((selection & ECX_POSSIBLE_SELECTIONS) != 0) + /* + * ECX keys have no parameters. But if EVP_PKEY_param_check() is called then + * we should return true. + */ + if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR + | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS + | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS)) != 0) ok = 1; if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 095c713aac..425b6c80f2 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -367,7 +367,18 @@ static int rsa_validate(const void *keydata, int selection, int checktype) if (!ossl_prov_is_running()) return 0; - if ((selection & RSA_POSSIBLE_SELECTIONS) != 0) + /* + * Although an RSA key has no domain parameters, validating them should + * return true. + * + * RSA_POSSIBLE_SELECTIONS already includes + * OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS. We explicitly add + * OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS here as well for completeness. In + * practice this makes little difference since EVP_PKEY_param_check() always + * checks the combination of "other" and "domain" parameters anyway. + */ + if ((selection & (RSA_POSSIBLE_SELECTIONS + | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) != 0) ok = 1; /* If the whole key is selected, we do a pairwise validation */ |