From: Viktor Dukhovni Date: Sun, 23 Feb 2025 04:21:14 +0000 (+1100) Subject: Make the KEM operating mode optional X-Git-Tag: openssl-3.5.0-alpha1~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ddd7ecb04bcea5c13be3c73f3dc1a101087cdf24;p=thirdparty%2Fopenssl.git Make the KEM operating mode optional There is only one operating mode supported for each of RSA, EC and ECX. We should not require an explicit setting for the obvious default. Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/26872) --- diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 9d030935448..2a6a4d8814d 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -33,7 +33,7 @@ B B [B<-decap>] [B<-kdf> I] [B<-kdflen> I] -[B<-kemop> I] +[B<-kemop> I] [B<-pkeyopt> I:I] [B<-pkeyopt_passin> I[:I]] [B<-hexdump>] @@ -212,8 +212,8 @@ and L. The ECX and EC algorithms use the L DHKEM construction. -Encapsulation is also supported with L keys with the use of -an additional B<-kemop> option. +Encapsulation is also supported with L keys via the +B construction. At the API level, encapsulation and decapsulation are also supported for a few hybrid ECDHE (no DHKEM) plus B algorithms, but these are intended 
@@ -238,17 +238,16 @@ and L. The ECX and EC algorithms use the L DHKEM construction. -Encapsulation is also supported with L keys with the use of -an additional B<-kemop> option. +Decapsulation is also supported with L keys via the +B construction. -=item B<-kemop> I +=item B<-kemop> I This option is used with the I<-encap>/I<-decap> commands and specifies the KEM -operation (mode) specific for the key algorithm when there is no default way -to encapsulate and decapsulate shared secrets with the chosen key type. -This is needed only for RSA, where B, is not the default mode, even -though it is presently the only RSA KEM supported. -See L, L and L. +I specific for the key algorithm when there is no default way to +encapsulate and decapsulate shared secrets with the chosen key type. +All the supported algorithms presently support only their default I, and +this option, though available, is not required. =item B<-kdf> I @@ -569,6 +568,9 @@ Since OpenSSL 3.5, the B<-digest> option implies B<-rawin>, and these two options are no longer required when signing or verifying with an Ed25519 or Ed448 key. +Also since OpenSSL 3.5, the B<-kemop> option is no longer required for any of +the supported algorithms, the only supported B is now the default. + The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man7/EVP_KEM-EC.pod b/doc/man7/EVP_KEM-EC.pod index 8877d7fb218..27035e5124e 100644 --- a/doc/man7/EVP_KEM-EC.pod +++ b/doc/man7/EVP_KEM-EC.pod @@ -17,7 +17,7 @@ See L and L for more info. =item "operation" (B) The OpenSSL EC Key Encapsulation Mechanisms only supports the -following operation: +following default operation (operating mode): =over 4 
@@ -70,6 +70,10 @@ L This functionality was added in OpenSSL 3.2. +The C (operating mode) was a required parameter prior to OpenSSL 3.5. +As of OpenSSL 3.5, C is the default operating mode, and no explicit value +need be specified. + =head1 COPYRIGHT Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man7/EVP_KEM-RSA.pod b/doc/man7/EVP_KEM-RSA.pod index 8d54875690e..c6496f71c2e 100644 --- a/doc/man7/EVP_KEM-RSA.pod +++ b/doc/man7/EVP_KEM-RSA.pod @@ -17,7 +17,7 @@ See L and L for more info. =item "operation" (B) The OpenSSL RSA Key Encapsulation Mechanism only currently supports the -following operation +following default operation (operating mode): =over 4 @@ -63,6 +63,10 @@ L This functionality was added in OpenSSL 3.0. +The C (operating mode) was a required parameter prior to OpenSSL 3.5. +As of OpenSSL 3.5, C is the default operating mode, and no explicit +value need be specified. + =head1 COPYRIGHT Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man7/EVP_KEM-X25519.pod b/doc/man7/EVP_KEM-X25519.pod index a9dcd3a27ac..940a8cab068 100644 --- a/doc/man7/EVP_KEM-X25519.pod +++ b/doc/man7/EVP_KEM-X25519.pod @@ -18,7 +18,7 @@ See L and L for more info. =item "operation" (B) The OpenSSL X25519 and X448 Key Encapsulation Mechanisms only support the -following operation: +following default operation (operating mode): =over 4 @@ -69,6 +69,10 @@ L This functionality was added in OpenSSL 3.2. +The C (operating mode) was a required parameter prior to OpenSSL 3.5. +As of OpenSSL 3.5, C is the default operating mode, and no explicit value +need be specified. + =head1 COPYRIGHT Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/providers/implementations/kem/ec_kem.c b/providers/implementations/kem/ec_kem.c index c58727c9e2f..040bdaff018 100644 --- a/providers/implementations/kem/ec_kem.c +++ b/providers/implementations/kem/ec_kem.c 
@@ -197,6 +197,7 @@ static void *eckem_newctx(void *provctx)
 if (ctx == NULL)
 return NULL;
 ctx->libctx = PROV_LIBCTX_OF(provctx);
+ ctx->mode = KEM_MODE_DHKEM;
 return ctx;
 }
diff --git a/providers/implementations/kem/ecx_kem.c b/providers/implementations/kem/ecx_kem.c
index b611a21fbf4..b9ac8669d1b 100644
--- a/providers/implementations/kem/ecx_kem.c
+++ b/providers/implementations/kem/ecx_kem.c
@@ -162,6 +162,7 @@ static void *ecxkem_newctx(void *provctx)
 if (ctx == NULL)
 return NULL;
 ctx->libctx = PROV_LIBCTX_OF(provctx);
+ ctx->mode = KEM_MODE_DHKEM;
 return ctx;
 }
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 0ae34a5ee31..e1c607c7dd5 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -92,7 +92,7 @@ static void *rsakem_newctx(void *provctx)
 if (prsactx == NULL)
 return NULL;
 prsactx->libctx = PROV_LIBCTX_OF(provctx);
- prsactx->op = KEM_OP_UNDEFINED;
+ prsactx->op = KEM_OP_RSASVE;
 OSSL_FIPS_IND_INIT(prsactx)
 return prsactx;
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 9940599b50d..9efe64ac6da 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
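Review bot: The new default in eckem_newctx (`ctx->mode = KEM_MODE_DHKEM;`) is assigned with no comment saying it is deliberate, and the same holds for the identical line in ecxkem_newctx and for `prsactx->op = KEM_OP_RSASVE;` in rsakem_newctx. A one-line comment above each, such as `/* Only one mode is supported, so it is the default; "operation" may still be set explicitly */`, would tell a reader that a freshly created context is now meant to be usable as-is. The UNDEFINED values presumably remain in the enums and in the dispatch code outside these hunks, so without the comment the error branches there still look reachable from a new context. All three function bodies begin before their hunks.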
@@ -684,9 +684,12 @@ static int kem_rsa_params(void) && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct, sizeof(ct)), 0) && TEST_uchar_eq(secret[0], 0) - /* Test encapsulate fails if the mode is not set */ + /* Test encapsulate succeeds even if the mode is not set */ && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1) + && TEST_true(ctlen <= sizeof(ct)) + && TEST_true(secretlen <= sizeof(secret)) + && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), 1) /* Test setting a bad kem ops fail */ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0) && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0) diff --git a/test/evp_pkey_dhkem_test.c b/test/evp_pkey_dhkem_test.c index 97d40a27723..9aaa8e80d1c 100644 --- a/test/evp_pkey_dhkem_test.c +++ b/test/evp_pkey_dhkem_test.c @@ -164,7 +164,7 @@ err: return ret; } -/* Fail if the operation parameter is not set */ +/* Succeed even if the operation parameter is not set */ static int test_no_operation_set(int tstid) { EVP_PKEY_CTX *ctx = rctx[tstid]; @@ -172,11 +172,11 @@ static int test_no_operation_set(int tstid) size_t len = 0; return TEST_int_eq(EVP_PKEY_encapsulate_init(ctx, NULL), 1) - && TEST_int_eq(EVP_PKEY_encapsulate(ctx, NULL, &len, NULL, NULL), -2) + && TEST_int_eq(EVP_PKEY_encapsulate(ctx, NULL, &len, NULL, NULL), 1) && TEST_int_eq(EVP_PKEY_decapsulate_init(ctx, NULL), 1) && TEST_int_eq(EVP_PKEY_decapsulate(ctx, NULL, &len, t->expected_enc, - t->expected_enclen), -2); + t->expected_enclen), 1); } /* Fail if the ikm is too small */ diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t index 7b600979a3a..7c012c989e2 100644 --- a/test/recipes/20-test_pkeyutl.t +++ b/test/recipes/20-test_pkeyutl.t 
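Review bot: The two added bounds checks in kem_rsa_params are written as `TEST_true(ctlen <= sizeof(ct))` and `TEST_true(secretlen <= sizeof(secret))`, which on failure report only that the expression was false. `TEST_size_t_le(ctlen, sizeof(ct))` and `TEST_size_t_le(secretlen, sizeof(secret))` would print both operands, which is useful here because these checks guard the `ct` and `secret` buffers before the real encapsulate call that follows. The function body starts and ends outside the hunk.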
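Review bot: test_no_operation_set now expects success, but both calls still pass NULL output buffers, so only the length-query path is exercised and the value written to `len` is never checked. Adding `&& TEST_size_t_gt(len, 0)` after the encapsulate and after the decapsulate call would at least confirm that the default mode produced a usable size; a real encapsulate/decapsulate round trip with no operation set would be stronger, if one does not already exist elsewhere in this file. One declaration line of the function falls between the two hunks and is not shown.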
@@ -241,17 +241,17 @@ SKIP: { if disabled("rsa"); # Note "rsa" isn't (yet?) disablable. # Self-compat - ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-kemop', 'RSASVE', + ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-inkey', srctop_file('test', 'testrsa2048pub.pem'), '-out', 'encap_out.bin', '-secret', 'secret.bin']))), "RSA pubkey encapsulation"); - ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE', + ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-inkey', srctop_file('test', 'testrsa2048.pem'), '-in', 'encap_out.bin', '-secret', 'decap_secret.bin']))), "RSA pubkey decapsulation"); is(compare("secret.bin", "decap_secret.bin"), 0, "Secret is correctly decapsulated"); - # Legacy CLI with decap output written to '-out' + # Legacy CLI with decap output written to '-out' and with '-kemop` specified ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE', '-inkey', srctop_file('test', 'testrsa2048.pem'), '-in', 'encap_out.bin', '-out', 'decap_out.bin']))),
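Review bot: The rewritten "# Legacy CLI" comment opens the option name with an apostrophe and closes it with a backtick; it should read '-kemop' to match the '-out' quoted earlier in the same comment. Separately, with `'-kemop', 'RSASVE'` dropped from both Self-compat calls, the only explicit use of the option left in this hunk is the legacy decap call, so encapsulation with the option given explicitly is no longer covered here. Keeping one encap invocation with `'-kemop', 'RSASVE'` would show that the still-documented option continues to be accepted on that path.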