Skip to content

Implement asymmetric cipher support#10152

Closed
mattcaswell wants to merge 16 commits intoopenssl:masterfrom
mattcaswell:asymcipher
Closed

Implement asymmetric cipher support#10152
mattcaswell wants to merge 16 commits intoopenssl:masterfrom
mattcaswell:asymcipher

Conversation

@mattcaswell
Copy link
Member

@mattcaswell mattcaswell commented Oct 11, 2019

This PR implements asymmetric cipher support for providers, and moves that aspect of RSA into the default provider.

This is WIP because there are a number of outstanding issues:

  • Test failure in CMS for unknown reasons
  • There's a weird memory issue I need to investigate
  • It currently doesn't merge with master because of @levitte moving everything around under my feet :-)
  • Needs some documentation updates

@beldmit
Copy link
Member

beldmit commented Oct 11, 2019

I strongly support your intention because I need to do the same exercise with the GOST engine. BTW, are there any guidelines available?

@mattcaswell
Copy link
Member Author

mattcaswell commented Oct 11, 2019

I strongly support your intention because I need to do the same exercise with the GOST engine. BTW, are there any guidelines available?

For this PR specifically? No, not yet. Documentation is not yet done (part of the reason this is WIP).

If you're after more general provider documentation I suggest you start here:

https://www.openssl.org/docs/manmaster/man7/provider.html

@levitte
Copy link
Member

levitte commented Oct 11, 2019

It currently doesn't merge with master because of @levitte moving everything around under my feet :-)

I love it when you feign innocence 😉

@levitte
Copy link
Member

levitte commented Oct 11, 2019

CMS seems to be the hardest battlefront, constantly. I've stopped counting the times I got stuck with an issue there...

@t8m
Copy link
Member

t8m commented Oct 14, 2019

CMS seems to be the hardest battlefront, constantly. I've stopped counting the times I got stuck with an issue there...

On the other hand it provides a good testing ground on what weird API calls can be expected from third party apps.

@levitte
Copy link
Member

levitte commented Oct 14, 2019

On the other hand it provides a good testing ground on what weird API calls can be expected from third party apps.

I know, right? Infuriating as it can be, it has helped to cut down a number of corner cases!

@mattcaswell
Copy link
Member Author

mattcaswell commented Oct 14, 2019

Rebased so that it now merges cleanly with master.

levitte
levitte reviewed Oct 14, 2019
View reviewed changes
crypto/evp/pmeth_lib.c Outdated
Copy link
Member

@levitte levitte Oct 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At the very least, I would like to see aliases with rsa_ removed.

Copy link
Member Author

@mattcaswell mattcaswell Oct 28, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are legacy ctrls - so I'm not sure why we would add new aliases for them?

Copy link
Member

@levitte levitte Oct 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because -pkeyopt keys will eventually be directly used as OSSL_PARAM keys, and we might as well allow the legacy controls to be accessed with similar names (plus it's a pet peeve of mine... I have never understood why it couldn't simply be "mode", for example)

Copy link
Member

@levitte levitte Nov 6, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any more thoughts on this?

levitte
levitte reviewed Oct 14, 2019
View reviewed changes
levitte
levitte reviewed Oct 14, 2019
View reviewed changes
@levitte
Copy link
Member

levitte commented Oct 14, 2019

First quick look, looks good. I suspect that some amendment will be needed related to #9979

levitte
levitte requested changes Oct 15, 2019
View reviewed changes
Copy link
Member

@levitte levitte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're doing double work... I've RSA stuff in my key generation branch 😒

@levitte levitte mentioned this pull request Oct 15, 2019
Closed
2 tasks
@mattcaswell
Copy link
Member Author

mattcaswell commented Oct 16, 2019

We're doing double work... I've RSA stuff in my key generation branch

As soon as #10190 is done I'll rebase on top of that is remove any RSA export/import stuff from here.

@levitte
Copy link
Member

levitte commented Oct 16, 2019

We're doing double work... I've RSA stuff in my key generation branch

This does show that we might do well to split some of our PRs topic-wise... I often try to do that when I discover that something I'm working on contains more general components; I often end up making those into separate PRs, which also helps keep each PR in focus.

@mattcaswell
Copy link
Member Author

mattcaswell commented Oct 28, 2019

I've rebased this on top of latest master to pick up @levitte's work from #10190. I've also fixed various bugs, and I'm now getting a clean test run (at least locally).

The main outstanding thing is documentation now.

levitte
levitte requested changes Oct 28, 2019
View reviewed changes
@levitte levitte mentioned this pull request Oct 30, 2019
Closed
levitte
levitte reviewed Oct 31, 2019
View reviewed changes
@levitte
Copy link
Member

levitte commented Nov 4, 2019

Please rebase this

@paulidale paulidale mentioned this pull request Nov 4, 2019
Closed
@mattcaswell mattcaswell changed the title WIP: Implement asymmetric cipher support Implement asymmetric cipher support Nov 6, 2019
@mattcaswell
Copy link
Member Author

mattcaswell commented Nov 6, 2019

This has now been rebased and all missing documentation has been added. I've taken this out of WIP. Please take a look!

@mattcaswell
Copy link
Member Author

mattcaswell commented Nov 6, 2019

Fixup pushed to address travis failure.

levitte
levitte reviewed Nov 6, 2019
View reviewed changes
levitte
levitte requested changes Nov 6, 2019
View reviewed changes
Copy link
Member

@levitte levitte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, didn't we discuss EVP_PKEY_CTX_get_rsa_oaep_md_name and EVP_PKEY_CTX_get_rsa_mgf1_md_name as alternatives that return strings instead of const EVP_MD *?

@mattcaswell
Copy link
Member Author

mattcaswell commented Nov 6, 2019

Also, didn't we discuss EVP_PKEY_CTX_get_rsa_oaep_md_name and EVP_PKEY_CTX_get_rsa_mgf1_md_name as alternatives that return strings instead of const EVP_MD *?

Oh, yes. So we did. I forgot. Will add.

slontis
slontis reviewed Nov 12, 2019
View reviewed changes
slontis
slontis reviewed Nov 12, 2019
View reviewed changes
slontis
slontis reviewed Nov 12, 2019
View reviewed changes
slontis
slontis reviewed Nov 12, 2019
View reviewed changes
slontis
slontis reviewed Nov 12, 2019
View reviewed changes
@levitte levitte added approval: review pending This pull request needs review by a committer and removed approval: done This pull request has the required number of approvals labels Nov 12, 2019
@mattcaswell
Copy link
Member Author

mattcaswell commented Nov 12, 2019

Fixup commits pushed addressing latest feedback.

slontis
slontis reviewed Nov 12, 2019
View reviewed changes
Copy link
Member

@slontis slontis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mattcaswell
Copy link
Member Author

mattcaswell commented Nov 12, 2019
edited by slontis
Loading

LGTM

Is that intended to be an approval?

@levitte can you reconfirm?

I cant approve as Pauli already has - I approve in theory.

@slontis slontis requested a review from levitte November 13, 2019 03:37
@levitte levitte added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Nov 13, 2019
@mattcaswell mattcaswell added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Nov 14, 2019
@mattcaswell
Copy link
Member Author

mattcaswell commented Nov 14, 2019

Pushed. Thanks!

openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Allow setting a NULL pointer in a params structure
b3f3ba7 
Sometimes it is valid to send a NULL pointer in params.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Allow strings in params to be of zero length
46ef075 
Sometimes it is useful to be able to pass NULL/zero length strings

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Implement provider support for Asym Ciphers
2c938e2 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Increase OSSL_PARAM_BLD_MAX for multi-prime RSA
081d08f 
The old value of 10 for OSSL_PARAM_BLD_MAX is insufficient for multi-prime
RSA. That code has this assert:

        if (!ossl_assert(/* n, e */ 2 + /* d */ 1 + /* numprimes */ 1
                         + numprimes + numexps + numcoeffs
                         <= OSSL_PARAM_BLD_MAX))
            goto err;

So we increase OSSL_PARAM_BLD_MAX which would be enough for 7 primes
(more than you would ever reasonably want).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Move RSA Asym cipher code to the default provider
89abd1b 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Add documentation for the Asymmetric Cipher Operation
11d876d 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Document the public EVP_ASYM_CIPHER releated functions
c68f505 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
openssl-machine pushed a commit that referenced this pull request Nov 14, 2019
@mattcaswell
Document various new/changes EVP_PKEY_CTX_* functions
d8fef6d 
We have converted a number of macros to functions and made them work
with providers. We've also added some *_ex() variants that needed
documenting.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #10152)
@fekir fekir mentioned this pull request Nov 23, 2019
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@beldmit beldmit beldmit left review comments

@slontis slontis slontis left review comments

@levitte levitte levitte approved these changes

@paulidale paulidale paulidale approved these changes

Assignees

No one assigned

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Applies to master branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@mattcaswell @beldmit @levitte @t8m @mspncp @paulidale @slontis