authorMatt Caswell <matt@openssl.org>2021-02-09 16:50:05 +0100
committerShane Lontis <shane.lontis@oracle.com>2021-02-15 05:17:36 +0100
commit899e25643dc63a84a924d08f86d7d19613714431 (patch)
treef79751777385af9b6d4d05a8dc1739a94f59510b /include
parentRun DH_check_ex() not DH_check_params_ex() when checking params (diff)
Implement EVP_PKEY_param_check_quick() and use it in libssl
The low level DH API has two functions for checking parameters: DH_check_ex() and DH_check_params_ex(). The former does a "full" check, while the latter does a "quick" check. Most importantly, the quick check skips the check for a safe prime. We're ok without using safe primes here because we're doing ephemeral DH. Now that libssl is fully using the EVP API, we need a way to specify that we want a quick check instead of a full check. Therefore we introduce EVP_PKEY_param_check_quick() and use it. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14146)
Diffstat (limited to 'include')
-rw-r--r--include/crypto/evp.h2
-rw-r--r--include/openssl/core_dispatch.h6
-rw-r--r--include/openssl/evp.h1
3 files changed, 7 insertions, 2 deletions
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index b78535aed0..1017ace03d 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -778,7 +778,7 @@ void *evp_keymgmt_load(const EVP_KEYMGMT *keymgmt,
int evp_keymgmt_has(const EVP_KEYMGMT *keymgmt, void *keyddata, int selection);
int evp_keymgmt_validate(const EVP_KEYMGMT *keymgmt, void *keydata,
- int selection);
+ int selection, int checktype);
int evp_keymgmt_match(const EVP_KEYMGMT *keymgmt,
const void *keydata1, const void *keydata2,
int selection);
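Review bot: The new `checktype` argument of `evp_keymgmt_validate()` is a bare `int`, and nothing at the declaration ties it to the `OSSL_KEYMGMT_VALIDATE_*` values this commit adds in include/openssl/core_dispatch.h. A caller reading only this header cannot tell that 0 selects the full check and 1 the reduced one, and a swapped or stray value would silently change how strictly parameters are validated. I would add a one-line comment above the prototype, for example `/* checktype: OSSL_KEYMGMT_VALIDATE_FULL_CHECK or OSSL_KEYMGMT_VALIDATE_QUICK_CHECK */`. The same applies to the `keymgmt_validate` dispatch prototype in core_dispatch.h.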
diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h
index 1689778c72..7823af7cbd 100644
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@@ -491,6 +491,9 @@ OSSL_CORE_MAKE_FUNC(int,rand_verify_zeroization,
# define OSSL_KEYMGMT_SELECT_ALL \
( OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS )
+# define OSSL_KEYMGMT_VALIDATE_FULL_CHECK 0
+# define OSSL_KEYMGMT_VALIDATE_QUICK_CHECK 1
+
/* Basic key object creation */
# define OSSL_FUNC_KEYMGMT_NEW 1
OSSL_CORE_MAKE_FUNC(void *, keymgmt_new, (void *provctx))
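Review bot: The two `OSSL_KEYMGMT_VALIDATE_*` defines are added without a comment, and nothing here says what a provider should do with a `checktype` that is neither 0 nor 1. Per the commit description the quick check skips the safe-prime test, so an unrecognised value falling through to the reduced path would fail in the unsafe direction. I would document the intended handling at the defines, for example `/* Validation depth passed to keymgmt_validate; unrecognised values must be treated as FULL_CHECK */`. Whether the in-tree providers already behave this way is not visible from the headers in this view.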
@@ -551,7 +554,8 @@ OSSL_CORE_MAKE_FUNC(int, keymgmt_has, (const void *keydata, int selection))
/* Key checks - validation */
# define OSSL_FUNC_KEYMGMT_VALIDATE 22
-OSSL_CORE_MAKE_FUNC(int, keymgmt_validate, (const void *keydata, int selection))
+OSSL_CORE_MAKE_FUNC(int, keymgmt_validate, (const void *keydata, int selection,
+ int checktype))
/* Key checks - matching */
# define OSSL_FUNC_KEYMGMT_MATCH 23
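Review bot: `OSSL_FUNC_KEYMGMT_VALIDATE` keeps the id 22 while the function behind it gains a third argument, so the core cannot tell a provider built against the two-argument form from one built against the new one. Calling through the mismatched function-pointer type is undefined behaviour in C, and such a provider could never see a `checktype`. If any provider outside this tree already implements this entry (not visible here), a fresh function id for the three-argument form would be the safer route. Otherwise I would record the change next to the define, for example `/* takes checktype (OSSL_KEYMGMT_VALIDATE_*) in addition to selection */`.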
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 5f9de9d8b9..aeff6de4f7 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1828,6 +1828,7 @@ int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx);
int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_param_check_quick(EVP_PKEY_CTX *ctx);
int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx);
int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx);
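Review bot: `EVP_PKEY_param_check_quick()` is declared directly beside `EVP_PKEY_param_check()` with nothing telling an application author that it is the weaker of the two. The commit description justifies the reduced check only for ephemeral DH in libssl, and the name alone invites using it as a faster drop-in for parameters that are reused across exchanges. I would add a short comment at the declaration, for example `/* Reduced check (for DH: no safe-prime test); intended for ephemeral use, see EVP_PKEY_param_check() for the full check */`. The diffstat is limited to include/, so a manual page in the same commit may already say this.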