support the associated key, containing the public key I<pub> and the
private key I<priv>.
-=head2 Keygen Parameters
+=head2 Common Keygen Parameters for X25519, X448, ED25519 and ED448
+
+The following parameters can be used during key generation by calling
+EVP_PKEY_CTX_set_params() after calling EVP_PKEY_keygen_init().
+
+=over 4
+
+=item "properties" (B<OSSL_PKEY_PARAM_PROPERTIES>) <octet string>
+
+The property query to use when fetching algorithms during the key generation
+operation.
+
+=back
+
+=head2 Keygen Parameters for X25519 and X448
=over 4
Use this to specify the key material used for generation of the private key.
This value should not be reused for other purposes.
It should have a length of at least 32 for X25519, and 56 for X448.
-This is only supported by X25519 and X448.
-
-=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
-This getter is only supported by X25519 and X448 for the FIPS provider.
-Since X25519 and X448 are unapproved in FIPS 140-3 this getter return 0.
+=item "group" (B<OSSL_PKEY_PARAM_GROUP_NAME>) <UTF8 string>
-See L<provider-keymgmt(7)/Common Information Parameters> for further information.
+The group name must be "x25519" or "x448" respectively for those algorithms.
+This is only present for consistency with other key exchange algorithms and is
+typically not needed.
=back
-Use EVP_PKEY_CTX_set_params() after calling EVP_PKEY_keygen_init().
-
-=head2 Common X25519, X448, ED25519 and ED448 parameters
+=head2 Common Parameters for X25519, X448, ED25519 and ED448
In addition to the common parameters that all keytypes should support (see
L<provider-keymgmt(7)/Common parameters>), the implementation of these keytypes
=over 4
-=item "group" (B<OSSL_PKEY_PARAM_GROUP_NAME>) <UTF8 string>
-
-This is only supported by X25519 and X448. The group name must be "x25519" or
-"x448" respectively for those algorithms. This is only present for consistency
-with other key exchange algorithms and is typically not needed.
-
=item "pub" (B<OSSL_PKEY_PARAM_PUB_KEY>) <octet string>
The public key value.
The private key value.
+=back
+
+=head2 Parameters for X25519 and X448
+
+=over 4
+
=item "encoded-pub-key" (B<OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY>) <octet string>
Used for getting and setting the encoding of a public key for the B<X25519> and
B<X448> key types. Public keys are expected be encoded in a format as defined by
RFC7748.
+=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
+
+This getter is only supported by X25519 and X448 OpenSSL FIPS provider.
+Since X25519 and X448 are unapproved in FIPS 140-3 this getter returns 0.
+
=back
-=head2 ED25519 and ED448 parameters
+=head2 Parameters for ED25519 and ED448
=over 4
return NULL;
}
-static int ecx_get_params(void *key, OSSL_PARAM params[], int bits, int secbits,
- int size)
+/* This getter is shared by ED25519, ED448, X25519 and X448 */
+static int ecx_ed_common_get_params(void *key, OSSL_PARAM params[], int bits,
+ int secbits, int size)
{
ECX_KEY *ecx = key;
OSSL_PARAM *p;
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
&& !OSSL_PARAM_set_int(p, size))
return 0;
- if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL
- && (ecx->type == ECX_KEY_TYPE_X25519
- || ecx->type == ECX_KEY_TYPE_X448)) {
- if (!OSSL_PARAM_set_octet_string(p, ecx->pubkey, ecx->keylen))
- return 0;
- }
if ((p = OSSL_PARAM_locate(params,
OSSL_PKEY_PARAM_SECURITY_CATEGORY)) != NULL
&& !OSSL_PARAM_set_int(p, 0))
return 0;
+ return key_to_params(ecx, NULL, params, 1);
+}
+
+/* X25519/X448 getter */
+static int ecx_get_params(void *key, OSSL_PARAM params[], int bits, int secbits,
+ int size)
+{
+ ECX_KEY *ecx = key;
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
+ if (p != NULL
+ && !OSSL_PARAM_set_octet_string(p, ecx->pubkey, ecx->keylen))
+ return 0;
#ifdef FIPS_MODULE
{
- /* X25519 and X448 are not approved */
+ /* Currently X25519 and X448 are not approved */
int approved = 0;
p = OSSL_PARAM_locate(params, OSSL_ALG_PARAM_FIPS_APPROVED_INDICATOR);
}
#endif
- return key_to_params(ecx, NULL, params, 1);
+ return ecx_ed_common_get_params(key, params, bits, secbits, size);
}
-static int ed_get_params(void *key, OSSL_PARAM params[])
+/* ED25519/ED448 getter */
+static int ed_get_params(void *key, OSSL_PARAM params[], int bits, int secbits,
+ int size)
{
OSSL_PARAM *p;
OSSL_PKEY_PARAM_MANDATORY_DIGEST)) != NULL
&& !OSSL_PARAM_set_utf8_string(p, ""))
return 0;
- return 1;
+ return ecx_ed_common_get_params(key, params, bits, secbits, size);
}
static int x25519_get_params(void *key, OSSL_PARAM params[])
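Review bot: In the new ecx_get_params the `ecx->type == ECX_KEY_TYPE_X25519 || ecx->type == ECX_KEY_TYPE_X448` guard that the removed lines had is gone, so `ecx->pubkey` is now published as OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY unconditionally and correctness rests on this function being reached only through the X25519/X448 dispatchers (x25519_get_params is visible as context; the X448 one presumably mirrors it). That contract is only implied by the `/* X25519/X448 getter */` comment; I would make it explicit, e.g. `/* X25519/X448 only: ecx->pubkey is exported as the encoded public key without a type check, ED keys must go through ed_get_params() */`. The comment on ecx_ed_common_get_params could likewise say that the per-type getters are expected to call it last, since it ends in key_to_params() which emits the pub/priv values after the type-specific params have been set. The lines between `OSSL_PARAM *p;` and the MAX_SIZE check in the common getter are collapsed here, so I cannot confirm that `bits` and `secbits` are consumed; worth a glance that neither parameter is now unused.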
static int ed25519_get_params(void *key, OSSL_PARAM params[])
{
- return ecx_get_params(key, params, ED25519_BITS, ED25519_SECURITY_BITS,
- ED25519_SIGSIZE)
- && ed_get_params(key, params);
+ return ed_get_params(key, params, ED25519_BITS, ED25519_SECURITY_BITS,
+ ED25519_SIGSIZE);
}
-
static int ed448_get_params(void *key, OSSL_PARAM params[])
{
- return ecx_get_params(key, params, ED448_BITS, ED448_SECURITY_BITS,
- ED448_SIGSIZE)
- && ed_get_params(key, params);
+ return ed_get_params(key, params, ED448_BITS, ED448_SECURITY_BITS,
+ ED448_SIGSIZE);
}
+#define GETTABLES_COMMON() \
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), \
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), \
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), \
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_CATEGORY, NULL), \
+ ECX_KEY_TYPES()
+
static const OSSL_PARAM ecx_gettable_params[] = {
- OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_CATEGORY, NULL),
+ GETTABLES_COMMON(),
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
- ECX_KEY_TYPES(),
OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
OSSL_PARAM_END
};
static const OSSL_PARAM ed_gettable_params[] = {
- OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
- OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
+ GETTABLES_COMMON(),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
- ECX_KEY_TYPES(),
OSSL_PARAM_END
};
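Review bot: GETTABLES_COMMON() is a second place that must agree with ecx_ed_common_get_params() and key_to_params() (it lists BITS, SECURITY_BITS, MAX_SIZE, SECURITY_CATEGORY and ECX_KEY_TYPES(), which is what that shared getter path fills in), but nothing at the `#define` says so; a one-liner such as `/* Params set by ecx_ed_common_get_params()/key_to_params(); keep in sync */` above it would help the next person who adds a param to only one side. Note that ed_gettable_params now also advertises OSSL_PKEY_PARAM_SECURITY_CATEGORY, which the removed ED lines did not list; that is consistent with ed_get_params now calling the shared getter that sets it, but the ED25519/ED448 section of the POD is not in view in this hunk, so it is worth confirming the documentation covers the newly gettable param. Since the macro is only used by the two tables that follow it, an `#undef GETTABLES_COMMON` after ed_gettable_params would keep it from leaking into the rest of the file.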