The branch master has been updated via 92a36b3705beca7bd06eed0e5c678375df79f9ca (commit) via 2cf8bb46fc3e0e2aaead764d333c6e216f028ef3 (commit) via 2db5834c43dcc2a04ccf4cf98f412d4d3474731e (commit) from d8a809db4beae9c42954689d3ccff6aa18aae8c3 (commit)
- Log ----------------------------------------------------------------- commit 92a36b3705beca7bd06eed0e5c678375df79f9ca Author: Matt Caswell <m...@openssl.org> Date: Tue Mar 9 17:28:44 2021 +0000 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check() These functions now work for more key types than they did in 1.1.1 Fixes #14477 Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Shane Lontis <shane.lon...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14485) commit 2cf8bb46fc3e0e2aaead764d333c6e216f028ef3 Author: Matt Caswell <m...@openssl.org> Date: Tue Mar 9 17:07:48 2021 +0000 Ensure that ECX keys pass EVP_PKEY_param_check() RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously, ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should be consistent. It makes more sense to always pass, and therefore this commit implements that behaviour. Fixes #14482 Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Shane Lontis <shane.lon...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14485) commit 2db5834c43dcc2a04ccf4cf98f412d4d3474731e Author: Matt Caswell <m...@openssl.org> Date: Tue Mar 9 14:40:54 2021 +0000 Add a CHANGES entry for the cosmetic differences in textual output Numerous functions have had their textual output amended. We add a CHANGES entry for this. Fixes #14476 Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Shane Lontis <shane.lon...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14485) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 13 +++++++++++++ doc/man3/EVP_PKEY_check.pod | 3 ++- providers/implementations/keymgmt/ecx_kmgmt.c | 10 +++++++--- providers/implementations/keymgmt/rsa_kmgmt.c | 13 ++++++++++++- test/evp_extra_test.c | 28 ++++++++++++++++++++++++--- 5 files changed, 59 insertions(+), 8 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 43079a3e50..e51e61a96b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,19 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for + more key types including RSA, DSA, ED25519, X25519, ED448 and X448. + Previously (in 1.1.1) they would return -2. For key types that do not have + parameters then EVP_PKEY_param_check() will always return 1. + + * The output from numerous "printing" functions such as X509_signature_print(), + X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been + amended such that there may be cosmetic differences between the output + observed in 1.1.1 and 3.0. This also applies to the "-text" output from the + x509 and crl applications. + + *David von Oheimb* + * Windows thread synchronization uses read/write primitives (SRWLock) when supported by the OS, otherwise CriticalSection continues to be used. diff --git a/doc/man3/EVP_PKEY_check.pod b/doc/man3/EVP_PKEY_check.pod index 4f91f8f9a2..dc03671498 100644 --- a/doc/man3/EVP_PKEY_check.pod +++ b/doc/man3/EVP_PKEY_check.pod @@ -22,7 +22,8 @@ EVP_PKEY_pairwise_check =head1 DESCRIPTION EVP_PKEY_param_check() validates the parameters component of the key -given by B<ctx>. +given by B<ctx>. This check will always succeed for key types that do not have +parameters. EVP_PKEY_param_check_quick() validates the parameters component of the key given by B<ctx> like EVP_PKEY_param_check() does. However some algorithm diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 8e47dfb03e..9b23c2f0ec 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -71,8 +71,6 @@ static OSSL_FUNC_keymgmt_import_types_fn ecx_imexport_types; static OSSL_FUNC_keymgmt_export_fn ecx_export; static OSSL_FUNC_keymgmt_export_types_fn ecx_imexport_types; -#define ECX_POSSIBLE_SELECTIONS (OSSL_KEYMGMT_SELECT_KEYPAIR) - struct ecx_gen_ctx { OSSL_LIB_CTX *libctx; char *propq; @@ -727,7 +725,13 @@ static int ecx_validate(const void *keydata, int selection, int type, size_t key assert(keylen == ecx->keylen); - if ((selection & ECX_POSSIBLE_SELECTIONS) != 0) + /* + * ECX keys have no parameters. But if EVP_PKEY_param_check() is called then + * we should return true. + */ + if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR + | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS + | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS)) != 0) ok = 1; if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 095c713aac..425b6c80f2 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -367,7 +367,18 @@ static int rsa_validate(const void *keydata, int selection, int checktype) if (!ossl_prov_is_running()) return 0; - if ((selection & RSA_POSSIBLE_SELECTIONS) != 0) + /* + * Although an RSA key has no domain parameters, validating them should + * return true. + * + * RSA_POSSIBLE_SELECTIONS already includes + * OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS. We explicitly add + * OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS here as well for completeness. In + * practice this makes little difference since EVP_PKEY_param_check() always + * checks the combination of "other" and "domain" parameters anyway. + */ + if ((selection & (RSA_POSSIBLE_SELECTIONS + | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) != 0) ok = 1; /* If the whole key is selected, we do a pairwise validation */ diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index acba9819e6..9317917303 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -380,6 +380,21 @@ static const unsigned char kExampleBadECPubKeyDER[] = { static const unsigned char pExampleECParamDER[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; + +static const unsigned char kExampleED25519KeyDER[] = { + 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, + 0x04, 0x22, 0x04, 0x20, 0xba, 0x7b, 0xba, 0x20, 0x1b, 0x02, 0x75, 0x3a, + 0xe8, 0x88, 0xfe, 0x00, 0xcd, 0x8b, 0xc6, 0xf4, 0x5c, 0x47, 0x09, 0x46, + 0x66, 0xe4, 0x72, 0x85, 0x25, 0x26, 0x5e, 0x12, 0x33, 0x48, 0xf6, 0x50 +}; + +static const unsigned char kExampleED25519PubKeyDER[] = { + 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00, + 0xf5, 0xc5, 0xeb, 0x52, 0x3e, 0x7d, 0x07, 0x86, 0xb2, 0x55, 0x07, 0x45, + 0xef, 0x5b, 0x7c, 0x20, 0xe8, 0x66, 0x28, 0x30, 0x3c, 0x8a, 0x82, 0x40, + 0x97, 0xa3, 0x08, 0xdc, 0x65, 0x80, 0x39, 0x29 +}; + #endif typedef struct APK_DATA_st { @@ -402,14 +417,21 @@ static APK_DATA keydata[] = { }; static APK_DATA keycheckdata[] = { - {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1, 0}, + {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1, + 0}, {kExampleBadRSAKeyDER, sizeof(kExampleBadRSAKeyDER), "RSA", EVP_PKEY_RSA, 0, 1, 1, 0}, #ifndef OPENSSL_NO_EC {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC, 1, 1, 1, 0}, /* group is also associated in our pub key */ - {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1, 1, 1}, - {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1, 2} + {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1, + 1, 1}, + {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1, + 2}, + {kExampleED25519KeyDER, sizeof(kExampleED25519KeyDER), "ED25519", + EVP_PKEY_ED25519, 1, 1, 1, 0}, + {kExampleED25519PubKeyDER, sizeof(kExampleED25519PubKeyDER), "ED25519", + EVP_PKEY_ED25519, 0, 1, 1, 1}, #endif };