[openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups


Matthias St. Pierre
From: "Dr. Matthias St. Pierre" <[hidden email]>

Add missing forward declarations and export declarations for DHparams
and EC[PK]PARAMETERS.

Add public functions to convert between EC_GROUP objects and EC[PK]PARAMETERS
objects: EC_GROUP_new_from_ec[pk]parameters(), EC_GROUP_get_ec[pk]parameters().

Signed-off-by: Dr. Matthias St. Pierre <[hidden email]>
---
 crypto/ec/ec.h      | 38 ++++++++++++++++++++++++++++++++++++++
 crypto/ec/ec_asn1.c | 30 ++++++++++++++++++++++++++----
 util/libeay.num     | 10 ++++++++++
 3 files changed, 74 insertions(+), 4 deletions(-)

This patch makes the ASN1 templates used internally by OpenSSL for
serializing DH and ECDH group parameters publicly available for reuse.

For example, if one wants to save a set of [EC]DH Groups together with
application defined data (e.g., group-name, group-id) to a file, it
is much easier to define a small set of ASN1 rules extending the existing
ones and let OpenSSL do the serialization, than fiddling around with
i2d_DHparams, i2d_ECParameters, etc. to embed the curve data as an
opaque blob into an OCTET_STREAM.

The patch was created against the OpenSSL_1_0_2-stable branch. If possible,
it would be nice if it could be merged into the next 1.0.2 release.

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index 98edfdf..97ccee8 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -128,6 +128,9 @@ typedef struct ec_group_st
 
 typedef struct ec_point_st EC_POINT;
 
+typedef struct ecpk_parameters_st ECPKPARAMETERS;
+typedef struct ec_parameters_st ECPARAMETERS;
+
 /********************************************************************/
 /*               EC_METHODs for curves over GF(p)                   */
 /********************************************************************/
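
Review bot: The two forward typedefs added after EC_POINT may collide with definitions that already exist in crypto/ec/ec_asn1.c. That file uses ECPKPARAMETERS and ECPARAMETERS in context lines this patch does not add (for example the prototype of ec_asn1_pkparameters2group), and none of its hunks touch a type definition. If the types are introduced there as `typedef struct ... { ... } ECPARAMETERS;`, that file sees the same typedef twice once it includes ec.h, which compilers older than C11 reject. Suggest changing the definitions in ec_asn1.c to plain `struct ec_parameters_st { ... };` and `struct ecpk_parameters_st { ... };` in the same patch, or confirming the build with the oldest supported compiler.
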
@@ -393,6 +396,38 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
  */
 EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
 
+/** Creates a new EC_GROUP object from an ECPARAMETERS object
+ *  \param  params  pointer to the ECPARAMETERS object
+ *  \return newly created EC_GROUP object with specified curve or NULL
+ *          if an error occurred
+ */
+EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params);
+
+/** Creates an ECPARAMETERS object for the the given EC_GROUP object.
+ *  \param  group   pointer to the EC_GROUP object
+ *  \param  params  pointer to an existing ECPARAMETERS object or NULL
+ *  \return pointer to the new ECPARAMETERS object or NULL
+ *          if an error occurred.
+ */
+ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+                                        ECPARAMETERS *params);
+
+/** Creates a new EC_GROUP object from an ECPKPARAMETERS object
+ *  \param  params  pointer to an existing ECPKPARAMETERS object, or NULL
+ *  \return newly created EC_GROUP object with specified curve, or NULL
+ *          if an error occurred
+ */
+EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params);
+
+/** Creates an ECPKPARAMETERS object for the the given EC_GROUP object.
+ *  \param  group   pointer to the EC_GROUP object
+ *  \param  params  pointer to an existing ECPKPARAMETERS object or NULL
+ *  \return pointer to the new ECPKPARAMETERS object or NULL
+ *          if an error occurred.
+ */
+ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
+                                            ECPKPARAMETERS *params);
+
 /********************************************************************/
 /*               handling of internal curves                        */
 /********************************************************************/
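
Review bot: The comments for the two get functions say "the the" and promise a "new" object even when the caller passes an existing params, in which case the helper returns that same pointer (`ret = params;` in ec_asn1_group2parameters). Suggest fixing the typo and stating the ownership rule: who frees the result when params is NULL, and that the return value aliases params otherwise. The \param text for EC_GROUP_new_from_ecpkparameters also allows NULL while the ECPARAMETERS variant does not; make the two consistent with what the helpers actually accept.
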
@@ -702,6 +737,9 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
 /*                       ASN1 stuff                                 */
 /********************************************************************/
 
+DECLARE_ASN1_ITEM(ECPKPARAMETERS)
+DECLARE_ASN1_ITEM(ECPARAMETERS)
+
 /*
  * EC_GROUP_get_basis_type() returns the NID of the basis type used to
  * represent the field elements
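
Review bot: DECLARE_ASN1_ITEM exposes only the templates, so a caller that receives an object from EC_GROUP_get_ecparameters() or EC_GROUP_get_ecpkparameters() has no declared ECPARAMETERS_free() or ECPKPARAMETERS_free() to release it, and the util/libeay.num hunk exports neither. Either declare and export the allocation functions alongside the items, or say in the header comments that the objects are released with ASN1_item_free() and the matching item.
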
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 2924374..d84c6d2 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -306,6 +306,28 @@ static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *);
 static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *,
                                                   ECPKPARAMETERS *);
 
+EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
+{
+    return ec_asn1_parameters2group(params);
+}
+
+ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
+                                        ECPARAMETERS *params)
+{
+    return ec_asn1_group2parameters(group, params);
+}
+
+EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params)
+{
+    return ec_asn1_pkparameters2group(params);
+}
+
+ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
+                                            ECPKPARAMETERS *params)
+{
+    return ec_asn1_group2pkparameters(group, params);
+}
+
 /* the function definitions */
 
 static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
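
Review bot: The four public wrappers forward their arguments to the static helpers without any check, so validation that internal callers could take for granted now falls on every application. The header documents NULL as acceptable for the params argument of EC_GROUP_new_from_ecpkparameters(); confirm that ec_asn1_pkparameters2group() returns NULL with an error for a NULL argument, or add the check in the wrapper, and do the same for a NULL group in the two get functions.
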
@@ -540,7 +562,7 @@ static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
 }
 
 static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
-                                              ECPARAMETERS *param)
+                                              ECPARAMETERS *params)
 {
     int ok = 0;
     size_t len = 0;
@@ -555,13 +577,13 @@ static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
         goto err;
     }
 
-    if (param == NULL) {
+    if (params == NULL) {
         if ((ret = ECPARAMETERS_new()) == NULL) {
             ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
             goto err;
         }
     } else
-        ret = param;
+        ret = params;
 
     /* set the version (always one) */
     ret->version = (long)0x1;
@@ -631,7 +653,7 @@ static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
     ok = 1;
 
  err:if (!ok) {
-        if (ret && !param)
+        if (ret && !params)
             ECPARAMETERS_free(ret);
         ret = NULL;
     }
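
Review bot: On the error path a caller-supplied object is not freed (`if (ret && !params)`) but the function still returns NULL, so after a failure the caller's params has been partly overwritten, starting with `ret->version = (long)0x1;`. That was an internal detail before; with EC_GROUP_get_ecparameters() public, the header should say that params is left in an undefined state on failure and must still be freed by the caller.
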
diff --git a/util/libeay.num b/util/libeay.num
index 4a11d78..bf0adc5 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4412,3 +4412,13 @@ ECDSA_METHOD_get_app_data               4770 EXIST::FUNCTION:ECDSA
 X509_VERIFY_PARAM_add1_host             4771 EXIST::FUNCTION:
 EC_GROUP_get_mont_data                  4772 EXIST::FUNCTION:EC
 i2d_re_X509_tbs                         4773 EXIST::FUNCTION:
+DHparams_it                             4774 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DH
+DHparams_it                             4774 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DH
+ECPARAMETERS_it                         4775 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:EC
+ECPARAMETERS_it                         4775 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:EC
+ECPKPARAMETERS_it                       4776 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:EC
+ECPKPARAMETERS_it                       4776 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:EC
+EC_GROUP_new_from_ecparameters          4777 EXIST::FUNCTION:EC
+EC_GROUP_get_ecparameters               4778 EXIST::FUNCTION:EC
+EC_GROUP_new_from_ecpkparameters        4779 EXIST::FUNCTION:EC
+EC_GROUP_get_ecpkparameters             4780 EXIST::FUNCTION:EC
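
Review bot: DHparams_it gets an export entry here, but the diffstat lists only crypto/ec/ec.h, crypto/ec/ec_asn1.c and util/libeay.num, so nothing in this patch adds the DH forward or export declaration the commit message mentions. Check that a public DH header already carries DECLARE_ASN1_ITEM(DHparams), or add it in this patch; otherwise the symbol is exported without a declaration applications can use.
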
--
2.0.5

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Matt Caswell-2
Please submit patches to [hidden email].

Matt

On 27/01/15 16:15, Dr. Matthias St. Pierre wrote:

> From: "Dr. Matthias St. Pierre" <[hidden email]>
>
> Add missing forward declarations and export declarations for DHparams
> and EC[PK]PARAMETERS.
>
> Add public functions to convert between EC_GROUP objects and EC[PK]PARAMETERS
> objects: EC_GROUP_new_from_ec[pk]parameters(), EC_GROUP_get_ec[pk]parameters().
>
> Signed-off-by: Dr. Matthias St. Pierre <[hidden email]>
> ---
>  crypto/ec/ec.h      | 38 ++++++++++++++++++++++++++++++++++++++
>  crypto/ec/ec_asn1.c | 30 ++++++++++++++++++++++++++----
>  util/libeay.num     | 10 ++++++++++
>  3 files changed, 74 insertions(+), 4 deletions(-)
>
> This patch makes the ASN1 templates used internally by OpenSSL for
> serializing DH and ECDH group parameters publicly available for reuse.
>
> For example, if one wants to save a set of [EC]DH Groups together with
> application defined data (e.g., group-name, group-id) to a file, it
> is much easier to define a small set of ASN1 rules extending the existing
> ones and let OpenSSL do the serialization, than fiddling around with
> i2d_DHparams, i2d_ECParameters, etc. to embed the curve data as an
> opaque blob into an OCTET_STREAM.
>
> The patch was created against the OpenSSL_1_0_2-stable branch. If possible,
> it would be nice if it could be merged into the next 1.0.2 release.
>
> diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
> index 98edfdf..97ccee8 100644
> --- a/crypto/ec/ec.h
> +++ b/crypto/ec/ec.h
> @@ -128,6 +128,9 @@ typedef struct ec_group_st
>  
>  typedef struct ec_point_st EC_POINT;
>  
> +typedef struct ecpk_parameters_st ECPKPARAMETERS;
> +typedef struct ec_parameters_st ECPARAMETERS;
> +
>  /********************************************************************/
>  /*               EC_METHODs for curves over GF(p)                   */
>  /********************************************************************/
> @@ -393,6 +396,38 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
>   */
>  EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
>  
> +/** Creates a new EC_GROUP object from an ECPARAMETERS object
> + *  \param  params  pointer to the ECPARAMETERS object
> + *  \return newly created EC_GROUP object with specified curve or NULL
> + *          if an error occurred
> + */
> +EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params);
> +
> +/** Creates an ECPARAMETERS object for the the given EC_GROUP object.
> + *  \param  group   pointer to the EC_GROUP object
> + *  \param  params  pointer to an existing ECPARAMETERS object or NULL
> + *  \return pointer to the new ECPARAMETERS object or NULL
> + *          if an error occurred.
> + */
> +ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
> +                                        ECPARAMETERS *params);
> +
> +/** Creates a new EC_GROUP object from an ECPKPARAMETERS object
> + *  \param  params  pointer to an existing ECPKPARAMETERS object, or NULL
> + *  \return newly created EC_GROUP object with specified curve, or NULL
> + *          if an error occurred
> + */
> +EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params);
> +
> +/** Creates an ECPKPARAMETERS object for the the given EC_GROUP object.
> + *  \param  group   pointer to the EC_GROUP object
> + *  \param  params  pointer to an existing ECPKPARAMETERS object or NULL
> + *  \return pointer to the new ECPKPARAMETERS object or NULL
> + *          if an error occurred.
> + */
> +ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
> +                                            ECPKPARAMETERS *params);
> +
>  /********************************************************************/
>  /*               handling of internal curves                        */
>  /********************************************************************/
> @@ -702,6 +737,9 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
>  /*                       ASN1 stuff                                 */
>  /********************************************************************/
>  
> +DECLARE_ASN1_ITEM(ECPKPARAMETERS)
> +DECLARE_ASN1_ITEM(ECPARAMETERS)
> +
>  /*
>   * EC_GROUP_get_basis_type() returns the NID of the basis type used to
>   * represent the field elements
> diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
> index 2924374..d84c6d2 100644
> --- a/crypto/ec/ec_asn1.c
> +++ b/crypto/ec/ec_asn1.c
> @@ -306,6 +306,28 @@ static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *);
>  static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *,
>                                                    ECPKPARAMETERS *);
>  
> +EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
> +{
> +    return ec_asn1_parameters2group(params);
> +}
> +
> +ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
> +                                        ECPARAMETERS *params)
> +{
> +    return ec_asn1_group2parameters(group, params);
> +}
> +
> +EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params)
> +{
> +    return ec_asn1_pkparameters2group(params);
> +}
> +
> +ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
> +                                            ECPKPARAMETERS *params)
> +{
> +    return ec_asn1_group2pkparameters(group, params);
> +}
> +
>  /* the function definitions */
>  
>  static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
> @@ -540,7 +562,7 @@ static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
>  }
>  
>  static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
> -                                              ECPARAMETERS *param)
> +                                              ECPARAMETERS *params)
>  {
>      int ok = 0;
>      size_t len = 0;
> @@ -555,13 +577,13 @@ static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
>          goto err;
>      }
>  
> -    if (param == NULL) {
> +    if (params == NULL) {
>          if ((ret = ECPARAMETERS_new()) == NULL) {
>              ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
>              goto err;
>          }
>      } else
> -        ret = param;
> +        ret = params;
>  
>      /* set the version (always one) */
>      ret->version = (long)0x1;
> @@ -631,7 +653,7 @@ static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
>      ok = 1;
>  
>   err:if (!ok) {
> -        if (ret && !param)
> +        if (ret && !params)
>              ECPARAMETERS_free(ret);
>          ret = NULL;
>      }
> diff --git a/util/libeay.num b/util/libeay.num
> index 4a11d78..bf0adc5 100755
> --- a/util/libeay.num
> +++ b/util/libeay.num
> @@ -4412,3 +4412,13 @@ ECDSA_METHOD_get_app_data               4770 EXIST::FUNCTION:ECDSA
>  X509_VERIFY_PARAM_add1_host             4771 EXIST::FUNCTION:
>  EC_GROUP_get_mont_data                  4772 EXIST::FUNCTION:EC
>  i2d_re_X509_tbs                         4773 EXIST::FUNCTION:
> +DHparams_it                             4774 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DH
> +DHparams_it                             4774 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DH
> +ECPARAMETERS_it                         4775 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:EC
> +ECPARAMETERS_it                         4775 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:EC
> +ECPKPARAMETERS_it                       4776 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:EC
> +ECPKPARAMETERS_it                       4776 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:EC
> +EC_GROUP_new_from_ecparameters          4777 EXIST::FUNCTION:EC
> +EC_GROUP_get_ecparameters               4778 EXIST::FUNCTION:EC
> +EC_GROUP_new_from_ecpkparameters        4779 EXIST::FUNCTION:EC
> +EC_GROUP_get_ecpkparameters             4780 EXIST::FUNCTION:EC
>

Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Daniel Kahn Gillmor
In reply to this post by Matthias St. Pierre
On Tue 2015-01-27 11:15:37 -0500, Dr. Matthias St. Pierre wrote:
> Add missing forward declarations and export declarations for DHparams
> and EC[PK]PARAMETERS.
>
> Add public functions to convert between EC_GROUP objects and EC[PK]PARAMETERS
> objects: EC_GROUP_new_from_ec[pk]parameters(), EC_GROUP_get_ec[pk]parameters().

fwiw, the IETF TLS WG is moving away from the possibility of arbitrary
EC groups, and toward the requirement of specified and vetted EC
groups.  I'm not sure how much extra work should be done to maintain
that as a public-facing interface.

   --dkg

Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Matthias St. Pierre
In reply to this post by Matt Caswell-2
Hello,

On 01/28/2015 12:52 AM, Matt Caswell wrote:
> Please submit patches to [hidden email].

Sorry about that, I will repost it.

I overlooked <https://www.openssl.org/support/rt.html>. Instead,
I followed the FAQ which sent me to the README file, and there
was no mention of the request tracker.

Maybe you could update the FAQ and the README accordingly?


Matthias

see
<https://www.openssl.org/support/faq.html#MISC3>
<https://github.com/openssl/openssl/blob/master/README>


Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Matthias St. Pierre
In reply to this post by Daniel Kahn Gillmor
On 01/28/2015 06:02 AM, Daniel Kahn Gillmor wrote:

> On Tue 2015-01-27 11:15:37 -0500, Dr. Matthias St. Pierre wrote:
>> Add missing forward declarations and export declarations for DHparams
>> and EC[PK]PARAMETERS.
>>
>> Add public functions to convert between EC_GROUP objects and EC[PK]PARAMETERS
>> objects: EC_GROUP_new_from_ec[pk]parameters(), EC_GROUP_get_ec[pk]parameters().
>
> fwiw, the IETF TLS WG is moving away from the possibility of arbitrary
> EC groups, and toward the requirement of specified and vetted EC
> groups.  I'm not sure how much extra work should be done to maintain
> that as a public-facing interface.

As for TLS, you may be right. However, the use of Diffie-Hellman is not limited
to TLS (in my case, it's IKEv2). The proposed changes are not for libssl, but for
the 'low level' libcrypto library, which is in my opinion a general purpose crypto
library. As such, it should not make assumptions on or impose restrictions to possible
use cases of the library. Neither should it enforce standards, but provide algorithms.

My patch does not introduce new features or change existing ones. It just makes
functionality available for reuse. I needed this particular functionality and I
had the choice between 1) copy & paste the code 2) patch OpenSSL privately, or
3) submit a patch. So I chose the latter.


Regards,
Matthias

Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Daniel Kahn Gillmor
On Wed 2015-01-28 03:44:10 -0500, Dr. Matthias St. Pierre wrote:

> On 01/28/2015 06:02 AM, Daniel Kahn Gillmor wrote:
>> On Tue 2015-01-27 11:15:37 -0500, Dr. Matthias St. Pierre wrote:
>>> Add missing forward declarations and export declarations for DHparams
>>> and EC[PK]PARAMETERS.
>>>
>>> Add public functions to convert between EC_GROUP objects and EC[PK]PARAMETERS
>>> objects: EC_GROUP_new_from_ec[pk]parameters(), EC_GROUP_get_ec[pk]parameters().
>>
>> fwiw, the IETF TLS WG is moving away from the possibility of arbitrary
>> EC groups, and toward the requirement of specified and vetted EC
>> groups.  I'm not sure how much extra work should be done to maintain
>> that as a public-facing interface.
>
> As for TLS, you may be right. However, the use of Diffie-Hellman is not limited
> to TLS (in my case, it's IKEv2). The proposed changes are not for libssl, but for
> the 'low level' libcrypto library, which is in my opinion a general purpose crypto
> library. As such, it should not make assumptions on or impose restrictions to possible
> use cases of the library. Neither should it enforce standards, but provide algorithms.
>
> My patch does not introduce new features or change existing ones. It just makes
> functionality available for reuse. I needed this particular functionality and I
> had the choice between 1) copy & paste the code 2) patch OpenSSL privately, or
> 3) submit a patch. So I chose the latter.

Your choice of action makes sense to me, thanks!

     --dkg

Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Salz, Rich
> > 3) submit a patch. So I chose the latter.
>
> Your choice of action makes sense to me, thanks!

Thanks for the patch, it seems useful and makes sense.
