From 023b188ca553aa4318d8e7021e3abbbb98833410 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 20 May 2020 14:46:22 +0100
Subject: [PATCH] Make EVP_PKEY_CTX_[get|set]_group_name work for DH too
The previous commit added the EVP_PKEY_CTX_[get|set]_group_name functions to work with EC groups. We now extend that to also work for DH.
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/11914)
---
 crypto/dh/dh_lib.c | 4 +--
 crypto/evp/evp_lib.c | 31 +++++++++++++++++++-
 crypto/evp/pmeth_lib.c | 4 +--
 crypto/ffc/ffc_backend.c | 2 +-
 crypto/ffc/ffc_params.c | 2 +-
 doc/man7/EVP_PKEY-DH.pod | 2 +-
 include/openssl/core_names.h | 3 +-
 providers/implementations/keymgmt/dh_kmgmt.c | 6 ++--
 test/acvp_test.c | 4 +--
 test/dsatest.c | 2 +-
 test/evp_pkey_provided_test.c | 10 +++----
 11 files changed, 49 insertions(+), 21 deletions(-)
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 3a523c3591..2a3921a137 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -500,7 +500,7 @@ int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int gen)
 if (name == NULL)
 return 0;
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_DH_GROUP,
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
 (void *)name, 0);
 *p++ = OSSL_PARAM_construct_end();
 return EVP_PKEY_CTX_set_params(ctx, params);
@@ -531,7 +531,7 @@ int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid)
 if (name == NULL)
 return 0;
- *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_DH_GROUP,
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
 (void *)name, 0);
 *p++ = OSSL_PARAM_construct_end();
 return EVP_PKEY_CTX_set_params(ctx, params);
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 00d6b27177..ef978ec6f1 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -14,6 +14,7 @@
 #include
 #include
 #include
+#include
 #include "crypto/evp.h"
 #include "internal/provider.h"
 #include "evp_local.h"
@@ -946,7 +947,34 @@ int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name)
 OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
 OSSL_PARAM *p = params;
- if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ if (!EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
+#ifndef FIPS_MODULE
+ int nid;
+
+ /* Could be a legacy key, try and convert to a ctrl */
+ if (ctx->pmeth != NULL && (nid = OBJ_txt2nid(name)) != NID_undef) {
+# ifndef OPENSSL_NO_DH
+ if (ctx->pmeth->pkey_id == EVP_PKEY_DH)
+ return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH,
+ EVP_PKEY_OP_PARAMGEN
+ | EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_DH_NID, nid, NULL);
+# endif
+# ifndef OPENSSL_NO_EC
+ if (ctx->pmeth->pkey_id == EVP_PKEY_EC)
+ return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC,
+ EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID,
+ nid, NULL);
+# endif
+ }
+#endif
 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
 return -2;
@@ -966,6 +994,7 @@ int EVP_PKEY_CTX_get_group_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen)
 OSSL_PARAM *p = params;
 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
+ /* There is no legacy support for this */
 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
 return -2;
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 4c1c01c703..52c304227b 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
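Review bot: In the legacy fallback added to EVP_PKEY_CTX_set_group_name (crypto/evp/evp_lib.c), `name` reaches `OBJ_txt2nid(name)` without a NULL check, so a NULL name on a non-provider ctx is left to whatever OBJ_txt2nid does with a NULL string. I would guard it in the condition itself: `if (ctx->pmeth != NULL && name != NULL && (nid = OBJ_txt2nid(name)) != NID_undef) {`. OBJ_txt2nid also resolves any registered object name or dotted OID, not only group names, so the fallback depends on the EVP_PKEY_CTRL_DH_NID and EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID handlers (outside this hunk) rejecting NIDs that are not groups; a test passing a non-group name such as a digest name would pin that. It is also worth confirming against the EVP_PKEY_CTX_IS_GEN_OP definition (not shown here) that a ctx for which the macro is false can still satisfy the `EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN` mask passed to EVP_PKEY_CTX_ctrl, since otherwise the fallback can never succeed. The function body continues past the end of the hunk.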
@@ -1055,9 +1055,9 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name,
 name = OSSL_PKEY_PARAM_FFC_TYPE;
 value = dh_gen_type_id2name(atoi(value));
 } else if (strcmp(name, "dh_param") == 0)
- name = OSSL_PKEY_PARAM_DH_GROUP;
+ name = OSSL_PKEY_PARAM_GROUP_NAME;
 else if (strcmp(name, "dh_rfc5114") == 0) {
- name = OSSL_PKEY_PARAM_DH_GROUP;
+ name = OSSL_PKEY_PARAM_GROUP_NAME;
 value = ffc_named_group_from_uid(atoi(value));
 } else if (strcmp(name, "dh_pad") == 0)
 name = OSSL_EXCHANGE_PARAM_PAD;
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index 49f42d70d0..6e269ebf56 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -27,7 +27,7 @@ int ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
 if (ffc == NULL)
 return 0;
- prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_GROUP);
+ prm = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
 if (prm != NULL) {
 if (prm->data_type != OSSL_PARAM_UTF8_STRING)
 goto err;
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
index 0796d34337..d70aeea35b 100644
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -265,7 +265,7 @@ int ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
 if (name == NULL
 || !ossl_param_build_set_utf8_string(bld, params,
- OSSL_PKEY_PARAM_DH_GROUP,
+ OSSL_PKEY_PARAM_GROUP_NAME,
 name))
 return 0;
 #else
diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod
index 6720417673..f640753bfe 100644
--- a/doc/man7/EVP_PKEY-DH.pod
+++ b/doc/man7/EVP_PKEY-DH.pod
@@ -29,7 +29,7 @@ implementation supports the following:
 =over 4
-=item "group" (B)
+=item "group" (B)
 Set or gets a string that associates a B named safe prime group with known values for I

, I and I.
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 9d99bc486f..7da0186392 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -195,7 +195,7 @@ extern "C" {
 #define OSSL_PKEY_PARAM_MGF1_DIGEST "mgf1-digest"
 #define OSSL_PKEY_PARAM_MGF1_PROPERTIES "mgf1-properties"
 #define OSSL_PKEY_PARAM_TLS_ENCODED_PT "tls-encoded-pt"
-#define OSSL_PKEY_PARAM_GROUP_NAME "group-name"
+#define OSSL_PKEY_PARAM_GROUP_NAME "group"
 /* Diffie-Hellman/DSA public/private key */
 #define OSSL_PKEY_PARAM_PUB_KEY "pub"
@@ -218,7 +218,6 @@ extern "C" {
 #define OSSL_FFC_PARAM_VALIDATE_PQG "validate-pqg"
 /* Diffie-Hellman params */
-#define OSSL_PKEY_PARAM_DH_GROUP "group"
 #define OSSL_PKEY_PARAM_DH_GENERATOR "safeprime-generator"
 #define OSSL_PKEY_PARAM_DH_PRIV_LEN "priv_len"
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index c81d437dae..82fbdc8bb4 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -239,7 +239,7 @@ err:
 OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL), \
 OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL), \
 OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0), \
- OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DH_GROUP, NULL, 0)
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0)
 # define DH_IMEXPORTABLE_PUBLIC_KEY \
 OSSL_PARAM_BN(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
 # define DH_IMEXPORTABLE_PRIVATE_KEY \
@@ -464,7 +464,7 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[])
 return 0;
 }
 }
- p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_GROUP);
+ p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
 if (p != NULL) {
 if (p->data_type != OSSL_PARAM_UTF8_STRING
 || ((gctx->group_nid = ffc_named_group_to_uid(p->data)) == NID_undef)) {
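Review bot: In include/openssl/core_names.h the string behind OSSL_PKEY_PARAM_GROUP_NAME changes from "group-name" to "group" and OSSL_PKEY_PARAM_DH_GROUP is removed outright, with no compatibility note next to either change. Code that uses the macros keeps working after a rebuild, but anything that matches the literal key "group-name" would simply stop finding the parameter rather than fail loudly, and anything still naming OSSL_PKEY_PARAM_DH_GROUP no longer compiles. If this header is already consumed outside the tree, consider keeping `#define OSSL_PKEY_PARAM_DH_GROUP OSSL_PKEY_PARAM_GROUP_NAME` for a transition period and recording the key rename in the changelog.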
@@ -518,7 +518,7 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[])
 static const OSSL_PARAM *dh_gen_settable_params(void *provctx)
 {
 static OSSL_PARAM settable[] = {
- OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DH_GROUP, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
 OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
 OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_GENERATOR, NULL),
 OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
diff --git a/test/acvp_test.c b/test/acvp_test.c
index b7db04079c..737d2c61bb 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -901,7 +901,7 @@ static int dh_create_pkey(EVP_PKEY **pkey, const char *group_name,
 if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
 || (group_name != NULL
 && !TEST_int_gt(OSSL_PARAM_BLD_push_utf8_string(
- bld, OSSL_PKEY_PARAM_DH_GROUP,
+ bld, OSSL_PKEY_PARAM_GROUP_NAME,
 group_name, 0), 0)))
 goto err;
@@ -945,7 +945,7 @@ static int dh_safe_prime_keygen_test(int id)
 OSSL_PARAM params[2];
 const struct dh_safe_prime_keygen_st *tst = &dh_safe_prime_keygen_data[id];
- params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_DH_GROUP,
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
 (char *)tst->group_name, 0);
 params[1] = OSSL_PARAM_construct_end();
diff --git a/test/dsatest.c b/test/dsatest.c
index 8444ea147a..614a8ea1d8 100644
--- a/test/dsatest.c
+++ b/test/dsatest.c
@@ -282,7 +282,7 @@ static int dsa_keygen_test(void)
 &pcount_out))
 || !TEST_int_eq(pcount_out, expected_c)
 || !TEST_false(EVP_PKEY_get_utf8_string_param(key,
- OSSL_PKEY_PARAM_DH_GROUP,
+ OSSL_PKEY_PARAM_GROUP_NAME,
 group_out,
 sizeof(group_out), &len)))
 goto end;
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c
index f842999615..fd3e580d8c 100644
--- a/test/evp_pkey_provided_test.c
+++ b/test/evp_pkey_provided_test.c
@@ -447,7 +447,7 @@ static int test_fromdata_dh_named_group(void)
 || !TEST_ptr(pub = BN_bin2bn(pub_data, sizeof(pub_data), NULL))
 || !TEST_ptr(priv = BN_bin2bn(priv_data, sizeof(priv_data), NULL))
 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
- OSSL_PKEY_PARAM_DH_GROUP,
+ OSSL_PKEY_PARAM_GROUP_NAME,
 group_name, 0))
 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub))
 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
@@ -464,7 +464,7 @@ static int test_fromdata_dh_named_group(void)
 || !TEST_int_eq(EVP_PKEY_size(pk), 256))
 goto err;
- if (!TEST_true(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_DH_GROUP,
+ if (!TEST_true(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_GROUP_NAME,
 name_out, sizeof(name_out), &len))
 || !TEST_str_eq(name_out, group_name)
@@ -588,7 +588,7 @@ static int test_fromdata_dh_fips186_4(void)
 || !TEST_ptr(pub = BN_bin2bn(pub_data, sizeof(pub_data), NULL))
 || !TEST_ptr(priv = BN_bin2bn(priv_data, sizeof(priv_data), NULL))
 || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld,
- OSSL_PKEY_PARAM_DH_GROUP,
+ OSSL_PKEY_PARAM_GROUP_NAME,
 group_name, 0))
 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub))
 || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
@@ -605,7 +605,7 @@ static int test_fromdata_dh_fips186_4(void)
 || !TEST_int_eq(EVP_PKEY_size(pk), 256))
 goto err;
- if (!TEST_true(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_DH_GROUP,
+ if (!TEST_true(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_GROUP_NAME,
 name_out, sizeof(name_out), &len))
 || !TEST_str_eq(name_out, group_name)
@@ -1144,7 +1144,7 @@ static int test_fromdata_dsa_fips186_4(void)
 || !TEST_int_eq(EVP_PKEY_size(pk), 2 + 2 * (3 + sizeof(q_data))))
 goto err;
- if (!TEST_false(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_DH_GROUP,
+ if (!TEST_false(EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_GROUP_NAME,
 name_out, sizeof(name_out), &len))
 || !TEST_true(EVP_PKEY_get_bn_param(pk, OSSL_PKEY_PARAM_PUB_KEY,
--
2.25.1