Move PKCS#3 DH to the default provider#9266
Move PKCS#3 DH to the default provider#9266mattcaswell wants to merge 5 commits intoopenssl:masterfrom
Conversation
|
Rebased to fix merge conflict with master, and also to include some misc travis fixes. |
|
More fixups pushed to try and address travis issues. |
paulidale
left a comment
There was a problem hiding this comment.
Just a quick pass over and it looks good.
Neither comment is expecting a change, just questions.
crypto/evp/evp_lib.c
Outdated
There was a problem hiding this comment.
Is this worth being a separate PR?
BTW: I like this approach. The native types might stretch it a bit to handle things going out of scoping.
There was a problem hiding this comment.
I originally wrote this as a means to an end. If we think this is good general approach then I can have a go a pulling this out as a separate PR and making it more generic.
There was a problem hiding this comment.
I'm willing to have a go at the other types once this is merged (or before). I coded something which addresses the alignment issues in #9246. That should be reusable.
The other thing I think that could be addressed is scoping -- it would be nice if a function could be called that added an auto variable to a template without losing the value. This shouldn't be too difficult to support. For the two string types and BIGNUM, it should also be possible (and the _PTR versions not cloning the value).
@levitte what do you think about this approach compared to #9246 and #9254 ? To me, it seems to sit nicely in the middle.
There was a problem hiding this comment.
I'm willing to have a go at the other types once this is merged
Great. In that case. I'll leave this within this PR, and let you refactor it as part of a wider PR.
There was a problem hiding this comment.
I see this a a temporary measure until we have better key management (i.e. where non-legacy keys are entirely managed in the provider and treated as an object in its own right rather than just a bunch or parameters passed via init).
There was a problem hiding this comment.
I see this a a temporary measure until we have better key management (i.e. where non-legacy keys are entirely managed in the provider and treated as an object in its own right rather than just a bunch or parameters passed via init).
Even with the better key management in place we will still need this. For example some keys will be loaded from file by libcrypto and then transferred to the provider. Or similarly keys will be exported from a provider. Or transferred from one provider to another. Some providers may not implement import/export, but I expect at least our providers will.
There was a problem hiding this comment.
Refer #9305 for a first stab at something similar but including other types.
doc/man3/EVP_PKEY_derive.pod
Outdated
There was a problem hiding this comment.
Could this be just key B<exchange> algorithm.
Maybe Keyexchange is a better name for the type???
There was a problem hiding this comment.
I find it more confusing to just write key B<exchange> algorithm.
I'm open to a different type name, but EVP_KEYEXCHANGE seems a little long. Other possibilities could be EVP_KEYEXCH, EVP_KEYEX, EVP_KEXCHANGE
There was a problem hiding this comment.
I dont like EVP_KEYEX, either of the other 2 are fine.
|
Rebased to resolve conflicts with master, and updated with fixups for the various feedback comments. |
crypto/evp/evp_exchange.c
Outdated
There was a problem hiding this comment.
I have absolutely no idea what this "internal" property really does..
I cant see this property anywhere.
There was a problem hiding this comment.
There are a number of algorithms (such as HKDF) which (for historical reasons) have been forced into the "derive" API. They have nothing to do with key exchange - they are KDFs, and are now available via the EVP_KDF APIs. For backwards compatibility we need to be able to support them when doing implicit fetches. But I don't think we should encourage their use in an explicit fetch. For that reason I thought we might add an additional "internal" property only for use when doing implicit fetching. I'd expect those "key exchange" algorithms which are really KDFs to have the internal property, but not have the "default" property.
It's not currently used because I've only brought DH across as part of this PR. I expect future PRs to pull across the other algorithms.
If this is controversial I could drop this from this PR, and reintroduce it when we bring those algorithms across.
There was a problem hiding this comment.
Even a TODO above it would be fine..
There was a problem hiding this comment.
I don't think we should have a behaviour difference like this between implicit and explicit handling - that is asking for issues. Basically the decision on implicit/explicit shouldn't remove something that is available on implicit simply because the caller is using the explicit interface. That inconsistency is (in my view) substantially more concerning than someone using a less desirable interface.
There was a problem hiding this comment.
Shouldn't the code just fail in this situation? This is the key exchange code and it's considering (the unrelated) KDFs. That seems wrong.
Would a better way be having the PKEY legacy support make the decision to go to either the key exchange code or the KDF code?
There was a problem hiding this comment.
This is the legacy support code....it shouldn't fail, it should dispatch to the "correct" API.
There was a problem hiding this comment.
Since this is controversial, I've just removed this for now. We can think more about what to do with this when we move the KDFs that use the "derive" API into the providers in a later PR.
|
I renamed the New commits pushed. |
|
The usual shortcut for key exchange is KEX :) |
|
I'd also be ok with KEX....@slontis? |
|
I'd prefer KEYEXCH., one less search for somebody starting out in the code. |
|
Considering acronyms like KDF and MAC (oh, and MD for that matter), KEX would actually be fitting. On the other hand, there's going to be a whole family of operations around public keys, so we need to consider that pile of names too (it would be easier if we had them all listed, is that possible @mattcaswell?) |
|
We have functions that end in EX as well - so maybe not a good idea. |
|
Argh. True. |
|
If we are sticking to just 3 letters acronyms its probably the best one. |
|
I see no reason to stick to three letter acronyms. On reflection I think KEYEXCH is better. It is much more suggestive of its intent. KEX only means something if you already know what it stands for. |
|
One might argue that KEX is a commonly used acronym. I don't currently know if that absolutely true, I only know that I have seen it in a number of places. That being said, I have nothing against KEYEXCH. |
Tests fine now |
paulidale
left a comment
There was a problem hiding this comment.
LGTM, one question about secure allocation.
providers/common/exchange/dh.c
Outdated
There was a problem hiding this comment.
Should this use secure memory?
Or more generally, is a way for the OSSL_PARAM_get_BN call to allocate in secure memory desirable?
There was a problem hiding this comment.
I think having a "get_privateBN" API makes sense. Of course you'll need #8886 (or a replacement) merged first.
There was a problem hiding this comment.
|| (priv_key = BN_secure_new()) == NULL would work here, but the problem will be more widespread I suspect.
There was a problem hiding this comment.
Whether you do it in two steps (allocate the BN) or one (add a params API) doesn't matter to me. But yes, the provider will have to know which parameters are private key material, which doesn't seem like a big deal to me.
There was a problem hiding this comment.
If it's a common consensus that all keys (or at least their private bits) should reside in secure memory if possible, then the provider can decide on its own what to put there and what not. If the provider of an algorithm implementation doesn't intimately know its own keys, that provider needs a rewrite.
There was a problem hiding this comment.
I changed this to explicitly allocate the BN via BN_secure_new()
|
Rebased to resolve a conflict with master and addressed the one feedback item above. Ping @paulidale |
paulidale
left a comment
There was a problem hiding this comment.
There is a mismatch with secure allocation and free but the code will be changing once the supporting PR is done. Kludge for now seems like it would be okay.
crypto/evp/exchange.c
Outdated
There was a problem hiding this comment.
Yeah, good point. Most of the time it should actually be OPENSSL_secure_clear_free, because we expect the key to have a private element. I've changed it to that for now, and added a TODO.
crypto/evp/exchange.c
Outdated
There was a problem hiding this comment.
Similar comment about secure_free.
There was a problem hiding this comment.
Most of the time OPENSSL_free should be fine because we don't expect this key to have a private element - but I added a TODO anyway.
We introduce a new EVP_KEYEXCH type to represent key exchange algorithms and refactor the existing code to use it where available.
We add the capability for the default provider to perform PKCS#3 Diffie-Hellman key exchange. At this point the implementation is not used because libcrypto still uses legacy handling for Diffie-Hellman. Note X9.42 DH is not touched by this commit.
The default provider now has support for PKCS#3 Diffie-Hellman so we switch libcrypto to using providers for that algorithm.
This also adds the ability to set arbitrary parameters on key exchange algorithms. The ability to pad the output is one such parameter for DH.
Previous commits added the EVP_KEYEXCH type for representing key exchange algorithms. They also added various functions for fetching and using them, so we document all of those functions.
|
I rebased this due to some significant conflicts with master and addressed the feedback above. @paulidale - please reconfirm. |
|
The travis failure was not relevant. Pushed. |
We introduce a new EVP_KEYEXCH type to represent key exchange algorithms and refactor the existing code to use it where available. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9266)
We add the capability for the default provider to perform PKCS#3 Diffie-Hellman key exchange. At this point the implementation is not used because libcrypto still uses legacy handling for Diffie-Hellman. Note X9.42 DH is not touched by this commit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9266)
The default provider now has support for PKCS#3 Diffie-Hellman so we switch libcrypto to using providers for that algorithm. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9266)
This also adds the ability to set arbitrary parameters on key exchange algorithms. The ability to pad the output is one such parameter for DH. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9266)
Previous commits added the EVP_KEYEXCH type for representing key exchange algorithms. They also added various functions for fetching and using them, so we document all of those functions. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #9266)
A fuller implementation of PARAMS_TEMPLATE as per openssl#9266 but renamed. This introduces a statis data type which can be used to constructor a description of a parameter array. It can then be converted into a OSSL_PARAM array and the allocated storage freed by a single call to OPENSSL_free.
A fuller implementation of PARAMS_TEMPLATE as per #9266 but renamed. This introduces a statis data type which can be used to constructor a description of a parameter array. It can then be converted into a OSSL_PARAM array and the allocated storage freed by a single call to OPENSSL_free. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #9305)
This PR implements a new EVP_EXCHANGE type to represent key exchange algorithms. It then provides an implementation of PKCS#3 DH as an EVP_EXCHANGE algorithm in the default provider.
Note that only the shared secret derivation portion is covered at this stage. Key and parameter generation is deferred to later PRs.