X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=crypto%2Fevp%2Fpmeth_lib.c;h=ea8bdec388633ac87db949f150483fcc436b33a1;hb=b533510f3bc70957dbf447f7ea8ec20765c5b314;hp=6a86b26ded844ff48e226c61d146408c94d5db3b;hpb=10d756a70e2aeaff0c08e86014075a8623f3e0ab;p=openssl.git diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 6a86b26ded..ea8bdec388 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,7 +8,7 @@ */ /* - * DH low level APIs are deprecated for public use, but still ok for + * Low level key APIs (DH etc) are deprecated for public use, but still ok for * internal use. */ #include "internal/deprecated.h" @@ -24,11 +24,13 @@ #include "internal/cryptlib.h" #include "crypto/asn1.h" #include "crypto/evp.h" +#include "crypto/dh.h" +#include "internal/ffc.h" #include "internal/numbers.h" #include "internal/provider.h" #include "evp_local.h" -#ifndef FIPS_MODE +#ifndef FIPS_MODULE typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void); typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); @@ -133,7 +135,41 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC; return pmeth; } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ + +static int is_legacy_alg(int id, const char *keytype) +{ +#ifndef FIPS_MODULE + /* Certain EVP_PKEY keytypes are only available in legacy form */ + if (id == -1) { + id = OBJ_sn2nid(keytype); + if (id == NID_undef) + id = OBJ_ln2nid(keytype); + if (id == NID_undef) + return 0; + } + switch (id) { + /* + * TODO(3.0): Remove SM2 and DHX when they are converted to have provider + * support + */ + case EVP_PKEY_SM2: + case EVP_PKEY_DHX: + case EVP_PKEY_SCRYPT: + case EVP_PKEY_TLS1_PRF: + case EVP_PKEY_HKDF: + case EVP_PKEY_CMAC: + case EVP_PKEY_HMAC: + case EVP_PKEY_SIPHASH: + case EVP_PKEY_POLY1305: + return 1; + default: + return 0; + } +#else + return 0; +#endif +} static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx, EVP_PKEY *pkey, ENGINE *e, @@ -153,17 +189,17 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx, goto common; /* - * If the key doesn't contain anything legacy, then it must be provided, - * so we extract the necessary information and use that. + * If the internal key is provided, we extract the keytype from its + * keymgmt and skip over the legacy code. */ - if (pkey != NULL && pkey->type == EVP_PKEY_NONE) { + if (pkey != NULL && evp_pkey_is_provided(pkey)) { /* If we have an engine, something went wrong somewhere... */ if (!ossl_assert(e == NULL)) return NULL; keytype = evp_first_name(pkey->keymgmt->prov, pkey->keymgmt->name_id); goto common; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /* TODO(3.0) Legacy code should be removed when all is provider based */ /* BEGIN legacy */ if (id == -1) { @@ -219,22 +255,33 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx, return NULL; } /* END legacy */ -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ common: /* * If there's no engine and there's a name, we try fetching a provider * implementation. */ if (e == NULL && keytype != NULL) { - /* This could fail so ignore errors */ - ERR_set_mark(); + int legacy = is_legacy_alg(id, keytype); + + if (legacy) { + /* This could fail so ignore errors */ + ERR_set_mark(); + } + keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); - ERR_pop_to_mark(); + if (legacy) { + ERR_pop_to_mark(); + } else if (keymgmt == NULL) { + EVPerr(EVP_F_INT_CTX_NEW, EVP_R_FETCH_FAILED); + return NULL; + } } ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { -#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) + EVP_KEYMGMT_free(keymgmt); +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) ENGINE_finish(e); #endif EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE); @@ -262,7 +309,7 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx, return ret; } -/*- All methods below can also be used in FIPS_MODE */ +/*- All methods below can also be used in FIPS_MODULE */ EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_name(OPENSSL_CTX *libctx, const char *name, @@ -293,7 +340,7 @@ void evp_pkey_ctx_free_old_ops(EVP_PKEY_CTX *ctx) ctx->op.kex.exchange = NULL; } /* TODO(3.0): add dependancies and uncomment this when available for fips mode */ -#ifndef FIPS_MODE +#ifndef FIPS_MODULE else if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { if (ctx->op.ciph.ciphprovctx != NULL && ctx->op.ciph.cipher != NULL) ctx->op.ciph.cipher->freectx(ctx->op.ciph.ciphprovctx); @@ -319,13 +366,13 @@ void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx) EVP_PKEY_free(ctx->pkey); EVP_PKEY_free(ctx->peerkey); -#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) ENGINE_finish(ctx->engine); #endif OPENSSL_free(ctx); } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, const EVP_PKEY_METHOD *meth) @@ -589,7 +636,7 @@ int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) return 0; } -#ifndef FIPS_MODE +#ifndef FIPS_MODULE int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) { if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx) @@ -610,12 +657,6 @@ int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) && ctx->op.ciph.cipher->get_ctx_params != NULL) return ctx->op.ciph.cipher->get_ctx_params(ctx->op.ciph.ciphprovctx, params); - if (EVP_PKEY_CTX_IS_GEN_OP(ctx) - && ctx->op.keymgmt.genctx != NULL - && ctx->keymgmt != NULL - && ctx->keymgmt->gen_get_params != NULL) - return evp_keymgmt_gen_get_params(ctx->keymgmt, ctx->op.keymgmt.genctx, - params); return 0; } @@ -629,12 +670,10 @@ const OSSL_PARAM *EVP_PKEY_CTX_gettable_params(EVP_PKEY_CTX *ctx) && ctx->op.sig.signature != NULL && ctx->op.sig.signature->gettable_ctx_params != NULL) return ctx->op.sig.signature->gettable_ctx_params(); - if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx) && ctx->op.ciph.cipher != NULL && ctx->op.ciph.cipher->gettable_ctx_params != NULL) return ctx->op.ciph.cipher->gettable_ctx_params(); - return NULL; } @@ -653,8 +692,7 @@ const OSSL_PARAM *EVP_PKEY_CTX_settable_params(EVP_PKEY_CTX *ctx) && ctx->op.ciph.cipher->settable_ctx_params != NULL) return ctx->op.ciph.cipher->settable_ctx_params(); if (EVP_PKEY_CTX_IS_GEN_OP(ctx) - && ctx->keymgmt != NULL - && ctx->keymgmt->gen_settable_params != NULL) + && ctx->keymgmt != NULL) return evp_keymgmt_gen_settable_params(ctx->keymgmt); return NULL; @@ -667,7 +705,7 @@ const OSSL_PARAM *EVP_PKEY_CTX_settable_params(EVP_PKEY_CTX *ctx) * * In particular they return -2 if any of the params is not supported. * - * They are not available in FIPS_MODE as they depend on + * They are not available in FIPS_MODULE as they depend on * - EVP_PKEY_CTX_{get,set}_params() * - EVP_PKEY_CTX_{gettable,settable}_params() * @@ -808,11 +846,34 @@ static int legacy_ctrl_to_param(EVP_PKEY_CTX *ctx, int keytype, int optype, */ if (cmd == EVP_PKEY_CTRL_CIPHER) return -2; + # ifndef OPENSSL_NO_DH if (keytype == EVP_PKEY_DH) { switch (cmd) { case EVP_PKEY_CTRL_DH_PAD: return EVP_PKEY_CTX_set_dh_pad(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN: + return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN: + return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR: + return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, p1); + case EVP_PKEY_CTRL_DH_PARAMGEN_TYPE: + return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, p1); + case EVP_PKEY_CTRL_DH_RFC5114: + return EVP_PKEY_CTX_set_dh_rfc5114(ctx, p1); + } + } +# endif +# ifndef OPENSSL_NO_DSA + if (keytype == EVP_PKEY_DSA) { + switch (cmd) { + case EVP_PKEY_CTRL_DSA_PARAMGEN_BITS: + return EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, p1); + case EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS: + return EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, p1); + case EVP_PKEY_CTRL_DSA_PARAMGEN_MD: + return EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, p2); } } # endif @@ -1000,8 +1061,36 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name, name = OSSL_PKEY_PARAM_RSA_E; else if (strcmp(name, "rsa_keygen_primes") == 0) name = OSSL_PKEY_PARAM_RSA_PRIMES; + else if (strcmp(name, "rsa_pss_keygen_md") == 0) + name = OSSL_PKEY_PARAM_RSA_DIGEST; + else if (strcmp(name, "rsa_pss_keygen_mgf1_md") == 0) + name = OSSL_PKEY_PARAM_RSA_MGF1_DIGEST; + else if (strcmp(name, "rsa_pss_keygen_saltlen") == 0) + name = OSSL_PKEY_PARAM_RSA_PSS_SALTLEN; +# ifndef OPENSSL_NO_DSA + else if (strcmp(name, "dsa_paramgen_bits") == 0) + name = OSSL_PKEY_PARAM_FFC_PBITS; + else if (strcmp(name, "dsa_paramgen_q_bits") == 0) + name = OSSL_PKEY_PARAM_FFC_QBITS; + else if (strcmp(name, "dsa_paramgen_md") == 0) + name = OSSL_PKEY_PARAM_FFC_DIGEST; +# endif # ifndef OPENSSL_NO_DH - else if (strcmp(name, "dh_pad") == 0) + else if (strcmp(name, "dh_paramgen_generator") == 0) + name = OSSL_PKEY_PARAM_DH_GENERATOR; + else if (strcmp(name, "dh_paramgen_prime_len") == 0) + name = OSSL_PKEY_PARAM_FFC_PBITS; + else if (strcmp(name, "dh_paramgen_subprime_len") == 0) + name = OSSL_PKEY_PARAM_FFC_QBITS; + else if (strcmp(name, "dh_paramgen_type") == 0) { + name = OSSL_PKEY_PARAM_FFC_TYPE; + value = dh_gen_type_id2name(atoi(value)); + } else if (strcmp(name, "dh_param") == 0) + name = OSSL_PKEY_PARAM_DH_GROUP; + else if (strcmp(name, "dh_rfc5114") == 0) { + name = OSSL_PKEY_PARAM_DH_GROUP; + value = ffc_named_group_from_uid(atoi(value)); + } else if (strcmp(name, "dh_pad") == 0) name = OSSL_EXCHANGE_PARAM_PAD; # endif # ifndef OPENSSL_NO_EC @@ -1027,7 +1116,8 @@ static int legacy_ctrl_str_to_param(EVP_PKEY_CTX *ctx, const char *name, if (!OSSL_PARAM_allocate_from_text(¶ms[0], settable, name, value, strlen(value), &exists)) { if (!exists) { - ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); + ERR_raise_data(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED, + "name=%s,value=%s", name, value); return -2; } return 0; @@ -1544,4 +1634,4 @@ void EVP_PKEY_meth_get_digest_custom(EVP_PKEY_METHOD *pmeth, *pdigest_custom = pmeth->digest_custom; } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */