authorDavid Benjamin <davidben@chromium.org>2014-07-19 02:39:42 +0400
committerAdam Langley <agl@google.com>2014-07-19 03:35:04 +0400
commitecc0ce7e67b7dcfdfc57ffa99d70c9a04996e15b (patch)
tree22a6abd430d4e93e85367512dcba67be45785d5e /crypto/evp
parente14dcc45e879807422c0497c7b6a4dcb92ad2a54 (diff)
Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK.
Custom RSA and ECDSA keys may not expose the key material. Plumb an "opaque" bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the sanity checks for certificate and key matching. Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc Reviewed-on: https://boringssl-review.googlesource.com/1255 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/evp')
-rw-r--r--crypto/evp/evp.c7
-rw-r--r--crypto/evp/internal.h4
-rw-r--r--crypto/evp/p_ec_asn1.c6
-rw-r--r--crypto/evp/p_hmac_asn1.c1
-rw-r--r--crypto/evp/p_rsa_asn1.c6
5 files changed, 24 insertions, 0 deletions
diff --git a/crypto/evp/evp.c b/crypto/evp/evp.c
index 3871859e..06fdabfa 100644
--- a/crypto/evp/evp.c
+++ b/crypto/evp/evp.c
@@ -117,6 +117,13 @@ void EVP_PKEY_free(EVP_PKEY *pkey) {
OPENSSL_free(pkey);
}
+int EVP_PKEY_is_opaque(const EVP_PKEY *pkey) {
+ if (pkey->ameth && pkey->ameth->pkey_opaque) {
+ return pkey->ameth->pkey_opaque(pkey);
+ }
+ return 0;
+}
+
int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
if (a->type != b->type) {
return -1;
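Review bot: EVP_PKEY_is_opaque passes the `pkey_opaque` callback's return value straight through, so any non-zero result, including a negative error code, reads as "opaque" to a caller that tests it as a boolean. The commit message says ssl_rsa.c uses this result to skip the certificate/key matching check, so the function should fail closed and accept only the documented value: `return pkey->ameth->pkey_opaque(pkey) == 1;`. A short comment above the function stating that a key with no method table or no callback is reported as not opaque would make the default explicit. The EVP_PKEY_cmp body that follows continues outside the hunk.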
diff --git a/crypto/evp/internal.h b/crypto/evp/internal.h
index 8561960d..36755f0f 100644
--- a/crypto/evp/internal.h
+++ b/crypto/evp/internal.h
@@ -87,6 +87,10 @@ struct evp_pkey_asn1_method_st {
int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent,
ASN1_PCTX *pctx);
+ /* pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by
+ * custom implementations which do not expose key material and parameters.*/
+ int (*pkey_opaque)(const EVP_PKEY *pk);
+
int (*pkey_size)(const EVP_PKEY *pk);
int (*pkey_bits)(const EVP_PKEY *pk);
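Review bot: The comment on `pkey_opaque` gives the return value only for the opaque case and does not say that the slot may be left NULL. I would extend it along the lines of `/* pkey_opaque returns 1 if |pk| is opaque and 0 otherwise. It may be NULL, in which case the key is treated as not opaque. */`, which matches what EVP_PKEY_is_opaque in evp.c does. Since the commit message says the bit is used to skip key-matching sanity checks, the comment should also say that implementations must return 1 only for keys that really hide their material. The struct definition starts and ends outside the hunk.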
diff --git a/crypto/evp/p_ec_asn1.c b/crypto/evp/p_ec_asn1.c
index 3038b9ea..fe3ce0ea 100644
--- a/crypto/evp/p_ec_asn1.c
+++ b/crypto/evp/p_ec_asn1.c
@@ -519,6 +519,10 @@ static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 2);
}
+static int eckey_opaque(const EVP_PKEY *pkey) {
+ return EC_KEY_is_opaque(pkey->pkey.ec);
+}
+
static int old_ec_priv_decode(EVP_PKEY *pkey, const uint8_t **pder,
int derlen) {
EC_KEY *ec;
@@ -561,6 +565,8 @@ const EVP_PKEY_ASN1_METHOD ec_asn1_meth = {
eckey_priv_encode,
eckey_priv_print,
+ eckey_opaque,
+
int_ec_size,
ec_bits,
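Review bot: `eckey_opaque` is inserted into a positional initializer, and the new `pkey_opaque` slot has the same function-pointer type as the `pkey_size` and `pkey_bits` slots declared right after it in internal.h. A method table that misses this update may therefore compile without a diagnostic while its size function lands in the opaque slot, which would make an ordinary key report as opaque. The same applies to the rsa_asn1_meth and hmac_asn1_meth hunks, and the diffstat is limited to crypto/evp, so any EVP_PKEY_ASN1_METHOD table elsewhere is worth checking. At minimum label the slot as the HMAC table does, `eckey_opaque, /* pkey_opaque */`; designated initializers (`.pkey_opaque = eckey_opaque,`) would remove the dependence on field order. The initializer starts and ends outside the hunk.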
diff --git a/crypto/evp/p_hmac_asn1.c b/crypto/evp/p_hmac_asn1.c
index cabd7379..3d5e8017 100644
--- a/crypto/evp/p_hmac_asn1.c
+++ b/crypto/evp/p_hmac_asn1.c
@@ -91,6 +91,7 @@ const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
"HMAC", "OpenSSL HMAC method", 0 /* pub_decode */,
0 /* pub_encode */, 0 /* pub_cmp */, 0 /* pub_print */,
0 /*priv_decode */, 0 /* priv_encode */, 0 /* priv_print */,
+ 0 /* pkey_opaque */,
hmac_size, 0 /* pkey_bits */, 0 /* param_decode */,
0 /* param_encode*/, 0 /* param_missing*/, 0 /* param_copy*/,
0 /* param_cmp*/, 0 /* param_print*/, 0 /* sig_print*/,
diff --git a/crypto/evp/p_rsa_asn1.c b/crypto/evp/p_rsa_asn1.c
index f43cdc3a..a9334ab0 100644
--- a/crypto/evp/p_rsa_asn1.c
+++ b/crypto/evp/p_rsa_asn1.c
@@ -149,6 +149,10 @@ static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
return 1;
}
+static int rsa_opaque(const EVP_PKEY *pkey) {
+ return RSA_is_opaque(pkey->pkey.rsa);
+}
+
static int int_rsa_size(const EVP_PKEY *pkey) {
return RSA_size(pkey->pkey.rsa);
}
@@ -728,6 +732,8 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
rsa_priv_encode,
rsa_priv_print,
+ rsa_opaque,
+
int_rsa_size,
rsa_bits,