/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "internal/provider.h"
#include "evp_local.h"
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC;
return pmeth;
}
-#endif /* FIPS_MODE */
+#endif /* FIPS_MODULE */
+
+static int is_legacy_alg(int id, const char *keytype)
+{
+#ifndef FIPS_MODULE
+ /* Certain EVP_PKEY keytypes are only available in legacy form */
+ if (id == -1) {
+ id = OBJ_sn2nid(keytype);
+ if (id == NID_undef)
+ id = OBJ_ln2nid(keytype);
+ if (id == NID_undef)
+ return 0;
+ }
+ switch (id) {
+ /*
+ * TODO(3.0): Remove SM2 and DHX when they are converted to have provider
+ * support
+ */
+ case EVP_PKEY_SM2:
+ case EVP_PKEY_DHX:
+ case EVP_PKEY_SCRYPT:
+ case EVP_PKEY_TLS1_PRF:
+ case EVP_PKEY_HKDF:
+ case EVP_PKEY_CMAC:
+ case EVP_PKEY_HMAC:
+ case EVP_PKEY_SIPHASH:
+ case EVP_PKEY_POLY1305:
+ return 1;
+ default:
+ return 0;
+ }
+#else
+ return 0;
+#endif
+}
static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx,
EVP_PKEY *pkey, ENGINE *e,
goto common;
/*
- * If the key doesn't contain anything legacy, then it must be provided,
- * so we extract the necessary information and use that.
+ * If the internal key is provided, we extract the keytype from its
+ * keymgmt and skip over the legacy code.
*/
- if (pkey != NULL && pkey->type == EVP_PKEY_NONE) {
+ if (pkey != NULL && evp_pkey_is_provided(pkey)) {
/* If we have an engine, something went wrong somewhere... */
if (!ossl_assert(e == NULL))
return NULL;
keytype = evp_first_name(pkey->keymgmt->prov, pkey->keymgmt->name_id);
goto common;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
/* TODO(3.0) Legacy code should be removed when all is provider based */
/* BEGIN legacy */
if (id == -1) {
return NULL;
}
/* END legacy */
-#endif /* FIPS_MODE */
+#endif /* FIPS_MODULE */
common:
/*
* If there's no engine and there's a name, we try fetching a provider
* implementation.
*/
if (e == NULL && keytype != NULL) {
- /* This could fail so ignore errors */
- ERR_set_mark();
+ int legacy = is_legacy_alg(id, keytype);
+
+ if (legacy) {
+ /* This could fail so ignore errors */
+ ERR_set_mark();
+ }
+
keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery);
- ERR_pop_to_mark();
+ if (legacy) {
+ ERR_pop_to_mark();
+ } else if (keymgmt == NULL) {
+ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_FETCH_FAILED);
+ return NULL;
+ }
}
ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
-#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
+ EVP_KEYMGMT_free(keymgmt);
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
ENGINE_finish(e);
#endif
EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE);
return ret;
}
-/*- All methods below can also be used in FIPS_MODE */
+/*- All methods below can also be used in FIPS_MODULE */
EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_name(OPENSSL_CTX *libctx,
const char *name,
ctx->op.kex.exchange = NULL;
}
/* TODO(3.0): add dependancies and uncomment this when available for fips mode */
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
else if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
if (ctx->op.ciph.ciphprovctx != NULL && ctx->op.ciph.cipher != NULL)
ctx->op.ciph.cipher->freectx(ctx->op.ciph.ciphprovctx);
EVP_PKEY_free(ctx->pkey);
EVP_PKEY_free(ctx->peerkey);
-#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
ENGINE_finish(ctx->engine);
#endif
OPENSSL_free(ctx);
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
const EVP_PKEY_METHOD *meth)
return 0;
}
-#ifndef FIPS_MODE
+#ifndef FIPS_MODULE
int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
{
if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx)
&& ctx->op.ciph.cipher->get_ctx_params != NULL)
return ctx->op.ciph.cipher->get_ctx_params(ctx->op.ciph.ciphprovctx,
params);
- if (EVP_PKEY_CTX_IS_GEN_OP(ctx)
- && ctx->op.keymgmt.genctx != NULL
- && ctx->keymgmt != NULL
- && ctx->keymgmt->gen_get_params != NULL)
- return evp_keymgmt_gen_get_params(ctx->keymgmt, ctx->op.keymgmt.genctx,
- params);
return 0;
}
&& ctx->op.sig.signature != NULL
&& ctx->op.sig.signature->gettable_ctx_params != NULL)
return ctx->op.sig.signature->gettable_ctx_params();
-
if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)
&& ctx->op.ciph.cipher != NULL
&& ctx->op.ciph.cipher->gettable_ctx_params != NULL)
return ctx->op.ciph.cipher->gettable_ctx_params();
-
return NULL;
}
&& ctx->op.ciph.cipher->settable_ctx_params != NULL)
return ctx->op.ciph.cipher->settable_ctx_params();
if (EVP_PKEY_CTX_IS_GEN_OP(ctx)
- && ctx->keymgmt != NULL
- && ctx->keymgmt->gen_settable_params != NULL)
+ && ctx->keymgmt != NULL)
return evp_keymgmt_gen_settable_params(ctx->keymgmt);
return NULL;
*
* In particular they return -2 if any of the params is not supported.
*
- * They are not available in FIPS_MODE as they depend on
+ * They are not available in FIPS_MODULE as they depend on
* - EVP_PKEY_CTX_{get,set}_params()
* - EVP_PKEY_CTX_{gettable,settable}_params()
*
name = OSSL_PKEY_PARAM_RSA_E;
else if (strcmp(name, "rsa_keygen_primes") == 0)
name = OSSL_PKEY_PARAM_RSA_PRIMES;
+ else if (strcmp(name, "rsa_pss_keygen_md") == 0)
+ name = OSSL_PKEY_PARAM_RSA_DIGEST;
+ else if (strcmp(name, "rsa_pss_keygen_mgf1_md") == 0)
+ name = OSSL_PKEY_PARAM_RSA_MGF1_DIGEST;
+ else if (strcmp(name, "rsa_pss_keygen_saltlen") == 0)
+ name = OSSL_PKEY_PARAM_RSA_PSS_SALTLEN;
# ifndef OPENSSL_NO_DSA
else if (strcmp(name, "dsa_paramgen_bits") == 0)
name = OSSL_PKEY_PARAM_FFC_PBITS;
# endif
# ifndef OPENSSL_NO_DH
else if (strcmp(name, "dh_paramgen_generator") == 0)
- name = OSSL_PKEY_PARAM_FFC_GENERATOR;
+ name = OSSL_PKEY_PARAM_DH_GENERATOR;
else if (strcmp(name, "dh_paramgen_prime_len") == 0)
name = OSSL_PKEY_PARAM_FFC_PBITS;
else if (strcmp(name, "dh_paramgen_subprime_len") == 0)
name = OSSL_PKEY_PARAM_FFC_TYPE;
value = dh_gen_type_id2name(atoi(value));
} else if (strcmp(name, "dh_param") == 0)
- name = OSSL_PKEY_PARAM_FFC_GROUP;
+ name = OSSL_PKEY_PARAM_DH_GROUP;
else if (strcmp(name, "dh_rfc5114") == 0) {
- name = OSSL_PKEY_PARAM_FFC_GROUP;
+ name = OSSL_PKEY_PARAM_DH_GROUP;
value = ffc_named_group_from_uid(atoi(value));
} else if (strcmp(name, "dh_pad") == 0)
name = OSSL_EXCHANGE_PARAM_PAD;
if (!OSSL_PARAM_allocate_from_text(¶ms[0], settable, name, value,
strlen(value), &exists)) {
if (!exists) {
- ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ ERR_raise_data(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED,
+ "name=%s,value=%s", name, value);
return -2;
}
return 0;
*pdigest_custom = pmeth->digest_custom;
}
-#endif /* FIPS_MODE */
+#endif /* FIPS_MODULE */
projects / openssl.git / blobdiff