diff --git a/CHANGES.md b/CHANGES.md index 69863b27da..80a7bc7075 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -405,6 +405,12 @@ OpenSSL 3.0 *Dmitry Belyavskiy* + * Added convenience functions for generating asymmetric key pairs: + The 'quick' one-shot (yet somewhat limited) function L + and macros for the most common cases: and L. + + *David von Oheimb* + * All of the low-level EC_KEY functions have been deprecated including: EC_KEY_OpenSSL, EC_KEY_get_default_method, EC_KEY_set_default_method, @@ -429,7 +435,8 @@ OpenSSL 3.0 Applications that need to implement an EC_KEY_METHOD need to consider implementation of the functionality in a special provider. For replacement of the functions manipulating the EC_KEY objects - see the EVP_PKEY-EC(7) manual page. + see the L manual page. + A simple way of generating EC keys is L. Additionally functions that read and write EC_KEY objects such as o2i_ECPublicKey, i2o_ECPublicKey, ECParameters_print_fp, EC_KEY_print_fp, @@ -825,7 +832,7 @@ OpenSSL 3.0 * All of the low-level RSA functions have been deprecated including: - RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params, + RSA_new, RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params, RSA_get_version, RSA_get0_engine, RSA_generate_key_ex, RSA_generate_multi_prime_key, RSA_X931_derive_ex, RSA_X931_generate_key_ex, RSA_check_key, RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt, @@ -858,6 +865,9 @@ OpenSSL 3.0 time. Instead applications should use L, L, L and L. + For replacement of the functions manipulating the RSA objects + see the L manual page. + A simple way of generating RSA keys is L. All of these low-level RSA functions have been deprecated without replacement: diff --git a/NEWS.md b/NEWS.md index c5811b9bde..3193ce6149 100644 --- a/NEWS.md +++ b/NEWS.md @@ -26,6 +26,7 @@ OpenSSL 3.0 RC4, RC5, and DES to the legacy provider. * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy provider. + * Added convenience functions for generating asymmetric key pairs. * Deprecated the `OCSP_REQ_CTX` type and functions. * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions. * Deprecated the `RSA` and `RSA_METHOD` types and functions. diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index ea6b5bf244..25fcc0400c 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -11,8 +11,8 @@ #include #include +#include "e_os.h" /* strcasecmp and struct stat */ #ifdef __TANDEM -# include /* strcasecmp */ # include /* needed for stat.h */ # include /* struct stat */ #endif @@ -28,7 +28,6 @@ # include # ifdef _WIN32 # define stat _stat -# define strcasecmp _stricmp # endif #endif diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index 6acfa21f69..defcb649fb 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c @@ -328,7 +328,7 @@ int ossl_ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, if (curve_nid != NID_undef) { /* Named curve */ - const char *curve_name = ossl_ec_curve_nid2name(curve_nid); + const char *curve_name = OSSL_EC_curve_nid2name(curve_nid); if (curve_name == NULL || !ossl_param_build_set_utf8_string(tmpl, params, diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index f48e723c33..3a49aea931 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1482,7 +1482,7 @@ static int get_payload_group_name(enum state state, if (grp != NULL) nid = EC_GROUP_get_curve_name(grp); if (nid != NID_undef) - ctx->p2 = (char *)ossl_ec_curve_nid2name(nid); + ctx->p2 = (char *)OSSL_EC_curve_nid2name(nid); } break; #endif diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c index 24337a5eac..8550be65e7 100644 --- a/crypto/evp/ec_support.c +++ b/crypto/evp/ec_support.c @@ -115,7 +115,7 @@ static const EC_NAME2NID curve_list[] = { {"SM2", NID_sm2 }, }; -const char *ossl_ec_curve_nid2name(int nid) +const char *OSSL_EC_curve_nid2name(int nid) { size_t i; diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 842ee51b8d..5cd3cc6112 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -14,11 +14,14 @@ #include "internal/deprecated.h" #include +#include +#include "e_os.h" /* strcasecmp */ #include "internal/cryptlib.h" #include #include #include #include +#include #include #include #include "crypto/evp.h" @@ -27,6 +30,7 @@ #include "evp_local.h" #if !defined(FIPS_MODULE) + int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { return evp_cipher_param_to_asn1_ex(c, type, NULL); @@ -1111,3 +1115,59 @@ int EVP_PKEY_CTX_get_group_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen) return -1; return 1; } + +/* + * evp_pkey_keygen() abstracts from the explicit use of B + * while providing a generic way of generating a new asymmetric key pair + * of algorithm type I (e.g., C or C). + * The library context I and property query I + * are used when fetching algorithms from providers. + * The I specify algorithm-specific parameters + * such as the RSA modulus size or the name of an EC curve. + */ +static EVP_PKEY *evp_pkey_keygen(OSSL_LIB_CTX *libctx, const char *name, + const char *propq, OSSL_PARAM *params) +{ + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(libctx, name, propq); + + if (ctx != NULL + && EVP_PKEY_keygen_init(ctx) > 0 + && EVP_PKEY_CTX_set_params(ctx, params)) + (void)EVP_PKEY_generate(ctx, &pkey); + + EVP_PKEY_CTX_free(ctx); + return pkey; +} + +EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, + const char *type, ...) +{ + va_list args; + size_t bits; + char *name; + OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; + EVP_PKEY *ret = NULL; + + va_start(args, type); + + if (strcasecmp(type, "RSA") == 0) { + bits = va_arg(args, size_t); + params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits); + } else if (strcasecmp(type, "EC") == 0) { + name = va_arg(args, char *); + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, + name, 0); + } else if (strcasecmp(type, "ED25519") != 0 + && strcasecmp(type, "X25519") != 0 + && strcasecmp(type, "ED448") != 0 + && strcasecmp(type, "X448") != 0) { + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); + goto end; + } + ret = evp_pkey_keygen(libctx, type, propq, params); + + end: + va_end(args); + return ret; +} diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index e184db26a0..94499b1d45 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -123,7 +123,7 @@ static int ossl_callback_to_pkey_gencb(const OSSL_PARAM params[], void *arg) return ctx->pkey_gencb(ctx); } -int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) +int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) { int ret = 0; OSSL_CALLBACK cb; @@ -262,7 +262,7 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_INITIALIZED); return -1; } - return EVP_PKEY_gen(ctx, ppkey); + return EVP_PKEY_generate(ctx, ppkey); } int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) @@ -271,7 +271,7 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_INITIALIZED); return -1; } - return EVP_PKEY_gen(ctx, ppkey); + return EVP_PKEY_generate(ctx, ppkey); } void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb) diff --git a/doc/build.info b/doc/build.info index 8ee9ca10e3..ec3baa2373 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1206,10 +1206,6 @@ DEPEND[html/man3/EVP_PKEY_fromdata.html]=man3/EVP_PKEY_fromdata.pod GENERATE[html/man3/EVP_PKEY_fromdata.html]=man3/EVP_PKEY_fromdata.pod DEPEND[man/man3/EVP_PKEY_fromdata.3]=man3/EVP_PKEY_fromdata.pod GENERATE[man/man3/EVP_PKEY_fromdata.3]=man3/EVP_PKEY_fromdata.pod -DEPEND[html/man3/EVP_PKEY_gen.html]=man3/EVP_PKEY_gen.pod -GENERATE[html/man3/EVP_PKEY_gen.html]=man3/EVP_PKEY_gen.pod -DEPEND[man/man3/EVP_PKEY_gen.3]=man3/EVP_PKEY_gen.pod -GENERATE[man/man3/EVP_PKEY_gen.3]=man3/EVP_PKEY_gen.pod DEPEND[html/man3/EVP_PKEY_get_default_digest_nid.html]=man3/EVP_PKEY_get_default_digest_nid.pod GENERATE[html/man3/EVP_PKEY_get_default_digest_nid.html]=man3/EVP_PKEY_get_default_digest_nid.pod DEPEND[man/man3/EVP_PKEY_get_default_digest_nid.3]=man3/EVP_PKEY_get_default_digest_nid.pod @@ -1230,6 +1226,10 @@ DEPEND[html/man3/EVP_PKEY_is_a.html]=man3/EVP_PKEY_is_a.pod GENERATE[html/man3/EVP_PKEY_is_a.html]=man3/EVP_PKEY_is_a.pod DEPEND[man/man3/EVP_PKEY_is_a.3]=man3/EVP_PKEY_is_a.pod GENERATE[man/man3/EVP_PKEY_is_a.3]=man3/EVP_PKEY_is_a.pod +DEPEND[html/man3/EVP_PKEY_keygen.html]=man3/EVP_PKEY_keygen.pod +GENERATE[html/man3/EVP_PKEY_keygen.html]=man3/EVP_PKEY_keygen.pod +DEPEND[man/man3/EVP_PKEY_keygen.3]=man3/EVP_PKEY_keygen.pod +GENERATE[man/man3/EVP_PKEY_keygen.3]=man3/EVP_PKEY_keygen.pod DEPEND[html/man3/EVP_PKEY_meth_get_count.html]=man3/EVP_PKEY_meth_get_count.pod GENERATE[html/man3/EVP_PKEY_meth_get_count.html]=man3/EVP_PKEY_meth_get_count.pod DEPEND[man/man3/EVP_PKEY_meth_get_count.3]=man3/EVP_PKEY_meth_get_count.pod @@ -2999,12 +2999,12 @@ html/man3/EVP_PKEY_derive.html \ html/man3/EVP_PKEY_encapsulate.html \ html/man3/EVP_PKEY_encrypt.html \ html/man3/EVP_PKEY_fromdata.html \ -html/man3/EVP_PKEY_gen.html \ html/man3/EVP_PKEY_get_default_digest_nid.html \ html/man3/EVP_PKEY_get_field_type.html \ html/man3/EVP_PKEY_get_group_name.html \ html/man3/EVP_PKEY_gettable_params.html \ html/man3/EVP_PKEY_is_a.html \ +html/man3/EVP_PKEY_keygen.html \ html/man3/EVP_PKEY_meth_get_count.html \ html/man3/EVP_PKEY_meth_new.html \ html/man3/EVP_PKEY_new.html \ @@ -3586,12 +3586,12 @@ man/man3/EVP_PKEY_derive.3 \ man/man3/EVP_PKEY_encapsulate.3 \ man/man3/EVP_PKEY_encrypt.3 \ man/man3/EVP_PKEY_fromdata.3 \ -man/man3/EVP_PKEY_gen.3 \ man/man3/EVP_PKEY_get_default_digest_nid.3 \ man/man3/EVP_PKEY_get_field_type.3 \ man/man3/EVP_PKEY_get_group_name.3 \ man/man3/EVP_PKEY_gettable_params.3 \ man/man3/EVP_PKEY_is_a.3 \ +man/man3/EVP_PKEY_keygen.3 \ man/man3/EVP_PKEY_meth_get_count.3 \ man/man3/EVP_PKEY_meth_new.3 \ man/man3/EVP_PKEY_new.3 \ diff --git a/doc/man3/EC_GROUP_new.pod b/doc/man3/EC_GROUP_new.pod index 48b6aa7843..f45c5ac8d2 100644 --- a/doc/man3/EC_GROUP_new.pod +++ b/doc/man3/EC_GROUP_new.pod @@ -20,8 +20,9 @@ EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m, -EC_get_builtin_curves - Functions for creating and destroying EC_GROUP -objects +EC_get_builtin_curves, +OSSL_EC_curve_nid2name - +Functions for creating and destroying EC_GROUP objects =head1 SYNOPSIS @@ -52,6 +53,7 @@ objects ECPKPARAMETERS *params); size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems); + const char *OSSL_EC_curve_nid2name(int nid); Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see @@ -173,6 +175,8 @@ in the EC_GROUP is public anyway, this function is unnecessary. Its use can be safely replaced with EC_GROUP_free(). If I is NULL nothing is done. +OSSL_EC_curve_nid2name() converts a curve I into the corresponding name. + =head1 RETURN VALUES All EC_GROUP_new* functions return a pointer to the newly constructed group, or @@ -184,6 +188,8 @@ available. EC_GROUP_set_curve_GFp(), EC_GROUP_get_curve_GFp(), EC_GROUP_set_curve_GF2m(), EC_GROUP_get_curve_GF2m() return 1 on success or 0 on error. +OSSL_EC_curve_nid2name() returns a character string constant, or NULL on error. + =head1 SEE ALSO L, L, diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod index a572e490e1..a816a0745d 100644 --- a/doc/man3/EC_KEY_new.pod +++ b/doc/man3/EC_KEY_new.pod @@ -2,6 +2,7 @@ =head1 NAME +EVP_EC_gen, EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new_ex, EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_by_curve_name_ex, EC_KEY_new_by_curve_name, EC_KEY_free, @@ -20,6 +21,8 @@ EC_KEY objects #include + EVP_PKEY *EVP_EC_gen(const char *curve); + Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: @@ -65,8 +68,11 @@ L: =head1 DESCRIPTION -All of the functions described on this page are deprecated. -Applications should instead use L and L. +EVP_EC_gen() generates a new EC key pair on the given I. + +All of the functions described below are deprecated. +Applications should instead use EVP_EC_gen(), L, or +L and L. An EC_KEY represents a public key and, optionally, the associated private key. @@ -152,7 +158,6 @@ EC_KEY_decoded_from_explicit_params() returns 1 if the group of the I was decoded from data with explicitly encoded group parameters, -1 if the I is NULL or the group parameters are missing, and 0 otherwise. -Although deprecated in OpenSSL 3.0 and should no longer be used, EC_KEY_precompute_mult() stores multiples of the underlying EC_GROUP generator for faster point multiplication. See also L. Modern versions should instead switch to named curves which OpenSSL has @@ -208,6 +213,7 @@ of the buffer or 0 on error. =head1 SEE ALSO +L L, L, L, L, L, @@ -217,7 +223,9 @@ L =head1 HISTORY -All of these functions were deprecated in OpenSSL 3.0. +EVP_EC_gen() was added in OpenSSL 3.0. +All other functions described here were deprecated in OpenSSL 3.0. +For replacement see L. =head1 COPYRIGHT diff --git a/doc/man3/EVP_PKEY_gen.pod b/doc/man3/EVP_PKEY_keygen.pod similarity index 84% rename from doc/man3/EVP_PKEY_gen.pod rename to doc/man3/EVP_PKEY_keygen.pod index 979de8601e..08d2b1db0f 100644 --- a/doc/man3/EVP_PKEY_gen.pod +++ b/doc/man3/EVP_PKEY_keygen.pod @@ -2,7 +2,8 @@ =head1 NAME -EVP_PKEY_keygen_init, EVP_PKEY_paramgen_init, EVP_PKEY_gen, +EVP_PKEY_Q_keygen, +EVP_PKEY_keygen_init, EVP_PKEY_paramgen_init, EVP_PKEY_generate, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data, @@ -14,9 +15,12 @@ EVP_PKEY_paramgen, EVP_PKEY_keygen #include + EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, + const char *type, ...); + int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx); - int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); + int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); @@ -57,16 +61,16 @@ After initialization, generation parameters may be provided with L or L, or any other function described in those manuals. -EVP_PKEY_gen() performs the generation operation, the resulting key +EVP_PKEY_generate() performs the generation operation, the resulting key parameters or key are written to I<*ppkey>. If I<*ppkey> is NULL when this function is called, it will be allocated, and should be freed by the caller when no longer useful, using L. EVP_PKEY_paramgen() and EVP_PKEY_keygen() do exactly the same thing as -EVP_PKEY_gen(), after checking that the corresponding EVP_PKEY_paramgen_init() +EVP_PKEY_generate(), after checking that the corresponding EVP_PKEY_paramgen_init() or EVP_PKEY_keygen_init() was used to initialize I. These are older functions that are kept for backward compatibility. -It is safe to use EVP_PKEY_gen() instead. +It is safe to use EVP_PKEY_generate() instead. The function EVP_PKEY_set_cb() sets the key or parameter generation callback to I. The function EVP_PKEY_CTX_get_cb() returns the key or parameter @@ -87,6 +91,18 @@ and retrieve an opaque pointer. This can be used to set some application defined value which can be retrieved in the callback: for example a handle which is used to update a "progress dialog". +EVP_PKEY_Q_keygen() abstracts from the explicit use of B while +providing a 'quick' but limited way of generating a new asymmetric key pair. +It provides shorthands for simple and common cases of key generation. +As usual, the library context I and property query I +can be given for fetching algorithms from providers. +If I is C, +a B parameter must be given to specify the size of the RSA key. +If I is C, +a string parameter must be given to specify the name of the EC curve. +If I is C, C, C, or C +no further parameter is needed. + =head1 RETURN VALUES EVP_PKEY_keygen_init(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen() and @@ -94,6 +110,8 @@ EVP_PKEY_paramgen() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. +EVP_PKEY_Q_keygen() returns an B, or NULL on failure. + =head1 NOTES After the call to EVP_PKEY_keygen_init() or EVP_PKEY_paramgen_init() algorithm @@ -187,6 +205,7 @@ Example of generation callback for OpenSSL public key implementations: =head1 SEE ALSO +L, L, L, L, L, @@ -203,7 +222,7 @@ EVP_PKEY_CTX_get_cb(), EVP_PKEY_CTX_get_keygen_info(), EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() were added in OpenSSL 1.0.0. -EVP_PKEY_gen() was added in OpenSSL 3.0. +EVP_PKEY_Q_keygen() and EVP_PKEY_generate() were added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/RSA_generate_key.pod b/doc/man3/RSA_generate_key.pod index f8d4ba1484..7e96360ab8 100644 --- a/doc/man3/RSA_generate_key.pod +++ b/doc/man3/RSA_generate_key.pod @@ -2,6 +2,7 @@ =head1 NAME +EVP_RSA_gen, RSA_generate_key_ex, RSA_generate_key, RSA_generate_multi_prime_key - generate RSA key pair @@ -9,6 +10,8 @@ RSA_generate_multi_prime_key - generate RSA key pair #include + EVP_PKEY *EVP_RSA_gen(unsigned int bits); + Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: @@ -16,44 +19,42 @@ L: int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb); -Deprecated since OpenSSL 0.9.8, can be hidden entirely by defining -B with a suitable version value, see -L: +Deprecated since OpenSSL 0.9.8: RSA *RSA_generate_key(int bits, unsigned long e, void (*callback)(int, int, void *), void *cb_arg); =head1 DESCRIPTION -All of the functions described on this page are deprecated. -Applications should instead use L and -L. +EVP_RSA_gen() generates a new RSA key pair with modulus size I. + +All of the functions described below are deprecated. +Applications should instead use EVP_RSA_gen(), L, or +L and L. RSA_generate_key_ex() generates a 2-prime RSA key pair and stores it in the -B structure provided in B. The pseudo-random number generator must -be seeded prior to calling RSA_generate_key_ex(). +B structure provided in I. RSA_generate_multi_prime_key() generates a multi-prime RSA key pair and stores -it in the B structure provided in B. The number of primes is given by -the B parameter. The random number generator must be seeded when -calling RSA_generate_multi_prime_key(). +it in the B structure provided in I. The number of primes is given by +the I parameter. If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to external circumstances (see L), the operation will fail. -The modulus size will be of length B, the number of primes to form the -modulus will be B, and the public exponent will be B. Key sizes -with B E 1024 should be considered insecure. The exponent is an odd +The modulus size will be of length I, the number of primes to form the +modulus will be I, and the public exponent will be I. Key sizes +with I E 1024 should be considered insecure. The exponent is an odd number, typically 3, 17 or 65537. In order to maintain adequate security level, the maximum number of permitted -B depends on modulus bit length: +I depends on modulus bit length: <1024 | >=1024 | >=4096 | >=8192 ------+--------+--------+------- 2 | 3 | 4 | 5 A callback function may be used to provide feedback about the -progress of the key generation. If B is not B, it +progress of the key generation. If I is not NULL, it will be called as follows using the BN_GENCB_call() function described on the L page. @@ -71,42 +72,44 @@ described in L. =item * When the n-th randomly generated prime is rejected as not -suitable for the key, B is called. +suitable for the key, I is called. =item * -When a random p has been found with p-1 relatively prime to B, -it is called as B. +When a random p has been found with p-1 relatively prime to I, +it is called as I. =back The process is then repeated for prime q and other primes (if any) -with B where B indicates the i-th prime. +with I where I indicates the i-th prime. =head1 RETURN VALUES +EVP_RSA_gen() returns an I or NULL on failure. + RSA_generate_multi_prime_key() returns 1 on success or 0 on error. RSA_generate_key_ex() returns 1 on success or 0 on error. The error codes can be obtained by L. RSA_generate_key() returns a pointer to the RSA structure or -B if the key generation fails. +NULL if the key generation fails. =head1 BUGS -B is used with two different meanings. +I is used with two different meanings. =head1 SEE ALSO -L, L, L, -L +L +L, L, +L, L =head1 HISTORY -All of these functions were deprecated in OpenSSL 3.0. - -RSA_generate_key() was deprecated in OpenSSL 0.9.8; use -RSA_generate_key_ex() instead. +EVP_RSA_gen() was added in OpenSSL 3.0. +All other functions described here were deprecated in OpenSSL 3.0. +For replacement see L. =head1 COPYRIGHT diff --git a/doc/man3/RSA_new.pod b/doc/man3/RSA_new.pod index 8c2651fe59..1396a66335 100644 --- a/doc/man3/RSA_new.pod +++ b/doc/man3/RSA_new.pod @@ -8,6 +8,8 @@ RSA_new, RSA_free - allocate and free RSA objects #include +Deprecated since OpenSSL 3.0: + RSA *RSA_new(void); void RSA_free(RSA *rsa); @@ -35,6 +37,11 @@ L, L, L +=head1 HISTORY + +All functions described here were deprecated in OpenSSL 3.0. +For replacement see EVP_PKEY-RSA(7). + =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod index c5ba90ec8c..9da5d9c6ef 100644 --- a/doc/man7/EVP_PKEY-DH.pod +++ b/doc/man7/EVP_PKEY-DH.pod @@ -154,7 +154,7 @@ A B key can be generated with a named safe prime group by calling: EVP_PKEY_keygen_init(pctx); EVP_PKEY_CTX_set_params(pctx, params); - EVP_PKEY_gen(pctx, &pkey); + EVP_PKEY_generate(pctx, &pkey); ... EVP_PKEY_free(key); EVP_PKEY_CTX_free(pctx); @@ -179,7 +179,7 @@ B domain parameters can be generated according to B by calling: params[5] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); - EVP_PKEY_gen(pctx, ¶m_key); + EVP_PKEY_generate(pctx, ¶m_key); EVP_PKEY_print_params(bio_out, param_key, 0, NULL); ... @@ -192,7 +192,7 @@ A B key can be generated using domain parameters by calling: EVP_PKEY_CTX *gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL); EVP_PKEY_keygen_init(gctx); - EVP_PKEY_gen(gctx, &key); + EVP_PKEY_generate(gctx, &key); EVP_PKEY_print_private(bio_out, key, 0, NULL); ... EVP_PKEY_free(key); diff --git a/doc/man7/EVP_PKEY-DSA.pod b/doc/man7/EVP_PKEY-DSA.pod index 119d4b893a..6a335510d3 100644 --- a/doc/man7/EVP_PKEY-DSA.pod +++ b/doc/man7/EVP_PKEY-DSA.pod @@ -54,7 +54,7 @@ The B domain parameters can be generated by calling: params[4] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); - EVP_PKEY_gen(pctx, ¶m_key); + EVP_PKEY_generate(pctx, ¶m_key); EVP_PKEY_CTX_free(pctx); EVP_PKEY_print_params(bio_out, param_key, 0, NULL); @@ -66,7 +66,7 @@ A B key can be generated using domain parameters by calling: gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL); EVP_PKEY_keygen_init(gctx); - EVP_PKEY_gen(gctx, &key); + EVP_PKEY_generate(gctx, &key); EVP_PKEY_CTX_free(gctx); EVP_PKEY_print_private(bio_out, key, 0, NULL); diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod index 839d18a894..6dfc1f16ae 100644 --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -159,6 +159,10 @@ An B context can be obtained by calling: An B ECDSA or ECDH key can be generated with a "P-256" named group by calling: + pkey = EVP_EC_gen("P-256"); + +or like this: + EVP_PKEY *key = NULL; OSSL_PARAM params[2]; EVP_PKEY_CTX *gctx = @@ -171,7 +175,7 @@ calling: params[1] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(gctx, params); - EVP_PKEY_gen(gctx, &key); + EVP_PKEY_generate(gctx, &key); EVP_PKEY_print_private(bio_out, key, 0, NULL); ... @@ -201,7 +205,7 @@ An B EC CDH (Cofactor Diffie-Hellman) key can be generated with a params[2] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(gctx, params); - EVP_PKEY_gen(gctx, &key); + EVP_PKEY_generate(gctx, &key); EVP_PKEY_print_private(bio_out, key, 0, NULL); ... EVP_PKEY_free(key); @@ -209,6 +213,7 @@ An B EC CDH (Cofactor Diffie-Hellman) key can be generated with a =head1 SEE ALSO +L, L, L, L, diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod index 428aa613a2..ec1e5777d7 100644 --- a/doc/man7/EVP_PKEY-RSA.pod +++ b/doc/man7/EVP_PKEY-RSA.pod @@ -202,14 +202,18 @@ An B context can be obtained by calling: EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); -An B key can be generated like this: +An B key can be generated simply like this: + + pkey = EVP_RSA_gen(4096); + +or like this: EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); EVP_PKEY_keygen_init(pctx); - EVP_PKEY_gen(pctx, &pkey); + EVP_PKEY_generate(pctx, &pkey); EVP_PKEY_CTX_free(pctx); An B key can be generated with key generation parameters: @@ -227,13 +231,13 @@ An B key can be generated with key generation parameters: params[2] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); - EVP_PKEY_gen(pctx, &pkey); + EVP_PKEY_generate(pctx, &pkey); EVP_PKEY_print_private(bio_out, pkey, 0, NULL); EVP_PKEY_CTX_free(pctx); =head1 SEE ALSO -L, L, L +L, L, L, L =head1 COPYRIGHT diff --git a/doc/man7/EVP_PKEY-X25519.pod b/doc/man7/EVP_PKEY-X25519.pod index 6fa75ba3c1..a597bc53be 100644 --- a/doc/man7/EVP_PKEY-X25519.pod +++ b/doc/man7/EVP_PKEY-X25519.pod @@ -84,25 +84,11 @@ An B context can be obtained by calling: EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "ED448", NULL); -An B key can be generated like this: +An B key can be generated like this: - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *pctx = - EVP_PKEY_CTX_new_from_name(NULL, "ED25519", NULL); + pkey = EVP_Q_keygen(NULL, NULL, "X25519"); - EVP_PKEY_keygen_init(pctx); - EVP_PKEY_gen(pctx, &pkey); - EVP_PKEY_CTX_free(pctx); - -An B key can be generated in a similar way: - - EVP_PKEY *pkey = NULL; - EVP_PKEY_CTX *pctx = - EVP_PKEY_CTX_new_from_name(NULL, "X25519", NULL); - - EVP_PKEY_keygen_init(pctx); - EVP_PKEY_gen(pctx, &pkey); - EVP_PKEY_CTX_free(pctx); +An B, B, or B key can be generated likewise. =head1 SEE ALSO diff --git a/doc/man7/crypto.pod b/doc/man7/crypto.pod index 0200d0df96..9db62e5aab 100644 --- a/doc/man7/crypto.pod +++ b/doc/man7/crypto.pod @@ -422,7 +422,7 @@ For information on the OpenSSL configuration file format see L. =head1 ENCODING AND DECODING KEYS Many algorithms require the use of a key. Keys can be generated dynamically -using the EVP APIs (for example see L). However it is often +using the EVP APIs (for example see L). However it is often necessary to save or load keys (or their associated parameters) to or from some external format such as PEM or DER (see L). OpenSSL uses encoders and decoders to perform this task. diff --git a/include/crypto/ec.h b/include/crypto/ec.h index 9743dcc3a7..acb14effc9 100644 --- a/include/crypto/ec.h +++ b/include/crypto/ec.h @@ -16,7 +16,6 @@ # include # include -const char *ossl_ec_curve_nid2name(int nid); int ossl_ec_curve_name2nid(const char *name); const char *ossl_ec_curve_nid2nist_int(int nid); int ossl_ec_curve_nist2nid_int(const char *name); diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 970570c1ed..ad40b9045c 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -84,6 +84,8 @@ typedef enum { POINT_CONVERSION_HYBRID = 6 } point_conversion_form_t; +const char *OSSL_EC_curve_nid2name(int nid); + # ifndef OPENSSL_NO_EC # include # include @@ -1072,7 +1074,7 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); # endif /*OPENSSL_NO_DEPRECATED_3_0 */ -# define EC_KEY_get_ex_new_index(l, p, newf, dupf, freef) \ +# define EC_KEY_get_ex_new_index(l, p, newf, dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, l, p, newf, dupf, freef) # ifndef OPENSSL_NO_DEPRECATED_3_0 @@ -1544,6 +1546,8 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify EC_KEY *eckey)); # endif /* OPENSSL_NO_DEPRECATED_3_0 */ +# define EVP_EC_gen(curve) \ + EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, ""))) # define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \ d2i_ECParameters, x) diff --git a/include/openssl/evp.h b/include/openssl/evp.h index c380f2e539..34eced8d92 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1933,11 +1933,13 @@ int EVP_PKEY_set_octet_string_param(EVP_PKEY *pkey, const char *key_name, int EVP_PKEY_get_ec_point_conv_form(const EVP_PKEY *pkey); int EVP_PKEY_get_field_type(const EVP_PKEY *pkey); +EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, + const char *type, ...); int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); -int EVP_PKEY_gen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); +int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); int EVP_PKEY_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx); int EVP_PKEY_public_check_quick(EVP_PKEY_CTX *ctx); diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 573ba003cc..a55c9727c6 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -245,6 +245,9 @@ OSSL_DEPRECATEDIN_3_0 int RSA_get_version(RSA *r); OSSL_DEPRECATEDIN_3_0 ENGINE *RSA_get0_engine(const RSA *r); # endif /* !OPENSSL_NO_DEPRECATED_3_0 */ +# define EVP_RSA_gen(bits) \ + EVP_PKEY_Q_keygen(NULL, NULL, "RSA", (size_t)(0 + (bits))) + /* Deprecated version */ # ifndef OPENSSL_NO_DEPRECATED_0_9_8 OSSL_DEPRECATEDIN_0_9_8 RSA *RSA_generate_key(int bits, unsigned long e, void diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index da684b0718..d4ea8c8284 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -143,7 +143,7 @@ d4969259e4fa5b71d8abbf5e736e658bd1daad6e46d272a9b88e190e2de96b61 crypto/ec/curv 04f8d52acc6332bdf879bf1684e8c59d2f4d8ca303d16c74d87aab3dd4a94932 crypto/ec/ec2_oct.c 7579a156234dfa44e02d08e121f42035229364f9e40f38b11333edbae2282762 crypto/ec/ec2_smpl.c 69d64accd498583e65df2dc43730eee2922217a7bfefda2cd1a9da176e3d1dcd crypto/ec/ec_asn1.c -8cf8af8e9bfc29e0cdc41720ec4a6d6c74eb5c15a9fc8193f8ec8270c0df1d37 crypto/ec/ec_backend.c +4ec7fe2efa0e55316ac4bb8507c7a37360339070c406c2623c38c5a541ac65d6 crypto/ec/ec_backend.c 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c 845a5e6ad6921aed63a18084d6b64a1907e4cb093639153ba32138e0b29ff0e5 crypto/ec/ec_curve.c 8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c @@ -167,10 +167,10 @@ fa39906519062932adafb63cbf05b5dfa7563673576d421c80ec6b889d024e84 crypto/ec/ecp_ 7c7f3e2a19a95d62942790e525f00cccc87e46da099a0c96d101787d68c75128 crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c e819c499207dd2ee5457cd9411c6089e13476bedf41de2aa67e10b13810ff0e5 crypto/evp/digest.c -87599335b61f97362799170d7b19cbbf775bfecc0fab570b267c7622241cfad8 crypto/evp/ec_support.c +5e2c5d865029ae86855f15e162360d091f28ca0d4c67260700c90aa25faf308b crypto/evp/ec_support.c c146c0a8a06e3c558207c1c76039dd2a61a2160cc243e9e3de2e290bc6e1b2d0 crypto/evp/evp_enc.c 9b4956b5c28db987001b33421aacf3b9f352181f874c768ad1b034e083483561 crypto/evp/evp_fetch.c -f975f6ba3aff8130b775f39182fdc783a3ef954402313248edd661d29032aa05 crypto/evp/evp_lib.c +b8f6bb49081428374f183255c6759520041d084bc85acd2fdc8d4392cb1ba0dd crypto/evp/evp_lib.c af0245f7a849997921c0719df339469427656821416b402754fc1f5f5e2da291 crypto/evp/evp_rand.c c0f87865be8dab6ea909fd976e5a46e4e8343b18403090c4a59b2af90f9a1329 crypto/evp/evp_utils.c 896bc29e0009657071bd74401513bdbedfb08ca66e34bf634e824fd3f34beb0a crypto/evp/exchange.c @@ -184,7 +184,7 @@ ec959b00487bfc51f4cf33c21a60fd8a73087a622504f459ba4cfe48bb0a738c crypto/evp/mac 5f4b933a479d7cd589c47388aebfd8d6ffa3943ec2883049fc929e6ca37e26b5 crypto/evp/mac_meth.c f5a18107256e00e2eed6a9b54eaf44ef1b99c0f29134e9f363a09daa2d35f1b5 crypto/evp/p_lib.c b7e9ce6e8a35e0fc5b4eb4c047cda1e811b757669dbfafa71e743d85e07817a4 crypto/evp/pmeth_check.c -d22e6f5041a894b7e8433c1be4c5f1bc5897453bcbdd66bbc8cbfba854f7fd74 crypto/evp/pmeth_gn.c +ff8a5ff024c228fe714e4cf758260cf9e9c992a9311acb5f96b0f2ed6af1a814 crypto/evp/pmeth_gn.c 12b8e891dc2f3a1cf8365d9fddd319343dc229d3e60149c51b5ae9df9b6b504d crypto/evp/pmeth_lib.c 52d8ea3b8b3ef52b58306b0fbd4557d682ba69a5384672ba7e1682c9a853f417 crypto/evp/signature.c e0a58ecf268c6bec531898d8fe6b148601b0bed8324fa8d5668de643c027606b crypto/ex_data.c diff --git a/providers/fips.checksum b/providers/fips.checksum index c4d76e1822..298054d15a 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -14ae4fff4bd856c7e146d65b63880ff152276fe35b0f1f4ed5f24eb6e97e7b44 providers/fips-sources.checksums +a1b5830f0c664b833a60a60b5801afb3a750eeeb41f3218d7fdae5d99ed05be7 providers/fips-sources.checksums diff --git a/test/acvp_test.c b/test/acvp_test.c index 0510cc2c05..d400a81174 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -114,7 +114,6 @@ err: static int ecdsa_keygen_test(int id) { int ret = 0; - EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *pkey = NULL; unsigned char *priv = NULL; unsigned char *pubx = NULL, *puby = NULL; @@ -123,10 +122,7 @@ static int ecdsa_keygen_test(int id) self_test_args.called = 0; self_test_args.enable = 1; - if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL)) - || !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0) - || !TEST_true(EVP_PKEY_CTX_set_group_name(ctx, tst->curve_name)) - || !TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0) + if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", tst->curve_name)) || !TEST_int_ge(self_test_args.called, 3) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv, &priv_len)) @@ -147,7 +143,6 @@ err: OPENSSL_free(pubx); OPENSSL_free(puby); EVP_PKEY_free(pkey); - EVP_PKEY_CTX_free(ctx); return ret; } @@ -251,17 +246,13 @@ err: static int ecdsa_siggen_test(int id) { int ret = 0; - EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; EVP_PKEY *pkey = NULL; size_t sig_len = 0, rlen = 0, slen = 0; unsigned char *sig = NULL; unsigned char *r = NULL, *s = NULL; const struct ecdsa_siggen_st *tst = &ecdsa_siggen_data[id]; - if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL)) - || !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0) - || !TEST_true(EVP_PKEY_CTX_set_group_name(ctx, tst->curve_name)) - || !TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0)) + if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", tst->curve_name))) goto err; if (!TEST_true(sig_gen(pkey, NULL, tst->digest_alg, tst->msg, tst->msg_len, @@ -276,8 +267,6 @@ err: OPENSSL_free(s); OPENSSL_free(sig); EVP_PKEY_free(pkey); - EVP_PKEY_CTX_free(key_ctx); - EVP_PKEY_CTX_free(ctx); return ret; } @@ -1007,21 +996,6 @@ err: #endif /* OPENSSL_NO_DH */ -static EVP_PKEY *rsa_keygen(int bits) -{ - EVP_PKEY *key = NULL; - EVP_PKEY_CTX *keygen_ctx = NULL; - - if (!TEST_ptr(keygen_ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) - || !TEST_int_gt(EVP_PKEY_keygen_init(keygen_ctx), 0) - || !TEST_true(EVP_PKEY_CTX_set_rsa_keygen_bits(keygen_ctx, bits)) - || !TEST_int_gt(EVP_PKEY_keygen(keygen_ctx, &key), 0)) - goto err; -err: - EVP_PKEY_CTX_free(keygen_ctx); - return key; -} - static int rsa_create_pkey(EVP_PKEY **pkey, const unsigned char *n, size_t n_len, const unsigned char *e, size_t e_len, @@ -1199,7 +1173,7 @@ static int rsa_siggen_test(int id) } *p++ = OSSL_PARAM_construct_end(); - if (!TEST_ptr(pkey = rsa_keygen(tst->mod)) + if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", tst->mod)) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_N, &n, &n_len)) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_E, &e, &e_len)) || !TEST_true(sig_gen(pkey, params, tst->digest_alg, @@ -1275,7 +1249,7 @@ static int rsa_decryption_primitive_test(int id) BN_CTX *bn_ctx = NULL; const struct rsa_decrypt_prim_st *tst = &rsa_decrypt_prim_data[id]; - if (!TEST_ptr(pkey = rsa_keygen(2048)) + if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", 2048)) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_N, &n, &n_len)) || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_E, &e, &e_len)) || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, "")) diff --git a/test/dsatest.c b/test/dsatest.c index 56693dd139..533fba1cbc 100644 --- a/test/dsatest.c +++ b/test/dsatest.c @@ -256,10 +256,10 @@ static int dsa_keygen_test(void) sizeof(seed_data))) || !TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_md_props(pg_ctx, "SHA256", "")) - || !TEST_int_gt(EVP_PKEY_gen(pg_ctx, ¶m_key), 0) + || !TEST_int_gt(EVP_PKEY_generate(pg_ctx, ¶m_key), 0) || !TEST_ptr(kg_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL)) || !TEST_int_gt(EVP_PKEY_keygen_init(kg_ctx), 0) - || !TEST_int_gt(EVP_PKEY_gen(kg_ctx, &key), 0)) + || !TEST_int_gt(EVP_PKEY_generate(kg_ctx, &key), 0)) goto end; if (!TEST_true(EVP_PKEY_get_bn_param(key, OSSL_PKEY_PARAM_FFC_P, &p_out)) @@ -313,7 +313,7 @@ static int test_dsa_default_paramgen_validate(int i) && TEST_int_gt(EVP_PKEY_paramgen_init(gen_ctx), 0) && (i == 0 || TEST_true(EVP_PKEY_CTX_set_dsa_paramgen_bits(gen_ctx, 512))) - && TEST_int_gt(EVP_PKEY_gen(gen_ctx, ¶ms), 0) + && TEST_int_gt(EVP_PKEY_generate(gen_ctx, ¶ms), 0) && TEST_ptr(check_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, params, NULL)) && TEST_int_gt(EVP_PKEY_param_check(check_ctx), 0); diff --git a/test/endecode_test.c b/test/endecode_test.c index df4f92c12c..9d0ebeb7e7 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -81,7 +81,7 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) && EVP_PKEY_paramgen_init(ctx) > 0 && (genparams == NULL || EVP_PKEY_CTX_set_params(ctx, genparams) > 0) - && EVP_PKEY_gen(ctx, &pkey) > 0); + && EVP_PKEY_generate(ctx, &pkey) > 0); EVP_PKEY_CTX_free(ctx); return pkey; diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c index 999b791d63..9e54f1f03b 100644 --- a/test/endecoder_legacy_test.c +++ b/test/endecoder_legacy_test.c @@ -249,7 +249,7 @@ static EVP_PKEY *make_key(const char *type, || EVP_PKEY_paramgen_init(ctx) <= 0 || (gen_template_params[0].key != NULL && EVP_PKEY_CTX_set_params(ctx, gen_template_params_noconst) <= 0) - || EVP_PKEY_gen(ctx, &template) <= 0)) + || EVP_PKEY_generate(ctx, &template) <= 0)) goto end; EVP_PKEY_CTX_free(ctx); diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index 6dff939467..cb8b3b7fb4 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -488,16 +488,12 @@ static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list) static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv) { int ret = 0; - EVP_PKEY_CTX *keygen_ctx = NULL; unsigned char *pub_der = NULL; const unsigned char *pp = NULL; size_t len = 0; OSSL_ENCODER_CTX *ectx = NULL; - if (!TEST_ptr(keygen_ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)) - || !TEST_int_gt(EVP_PKEY_keygen_init(keygen_ctx), 0) - || !TEST_true(EVP_PKEY_CTX_set_rsa_keygen_bits(keygen_ctx, bits)) - || !TEST_int_gt(EVP_PKEY_keygen(keygen_ctx, priv), 0) + if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits)) || !TEST_ptr(ectx = OSSL_ENCODER_CTX_new_for_pkey(*priv, EVP_PKEY_PUBLIC_KEY, @@ -512,7 +508,6 @@ static int rsa_keygen(int bits, EVP_PKEY **pub, EVP_PKEY **priv) err: OSSL_ENCODER_CTX_free(ectx); OPENSSL_free(pub_der); - EVP_PKEY_CTX_free(keygen_ctx); return ret; } diff --git a/test/threadstest.c b/test/threadstest.c index b82e16f8c6..9d15a23d96 100644 --- a/test/threadstest.c +++ b/test/threadstest.c @@ -16,7 +16,7 @@ #include #include -#include +#include #include #include #include "testutil.h" @@ -291,7 +291,6 @@ static void thread_general_worker(void) }; unsigned int mdoutl; int ciphoutl; - EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; int testresult = 0; int i, isfips; @@ -320,18 +319,13 @@ static void thread_general_worker(void) goto err; } - pctx = EVP_PKEY_CTX_new_from_name(multi_libctx, "RSA", NULL); - if (!TEST_ptr(pctx) - || !TEST_int_gt(EVP_PKEY_keygen_init(pctx), 0) - /* - * We want the test to run quickly - not securely. Therefore we - * use an insecure bit length where we can (512). In the FIPS - * module though we must use a longer length. - */ - || !TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, - isfips ? 2048 : 512), - 0) - || !TEST_int_gt(EVP_PKEY_keygen(pctx, &pkey), 0)) + /* + * We want the test to run quickly - not securely. + * Therefore we use an insecure bit length where we can (512). + * In the FIPS module though we must use a longer length. + */ + pkey = EVP_PKEY_Q_keygen(multi_libctx, NULL, "RSA", isfips ? 2048 : 512); + if (!TEST_ptr(pkey)) goto err; testresult = 1; @@ -340,7 +334,6 @@ static void thread_general_worker(void) EVP_MD_free(md); EVP_CIPHER_CTX_free(cipherctx); EVP_CIPHER_free(ciph); - EVP_PKEY_CTX_free(pctx); EVP_PKEY_free(pkey); if (!testresult) multi_success = 0; diff --git a/util/libcrypto.num b/util/libcrypto.num index 019a6ecb52..1820baf4ad 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4413,6 +4413,7 @@ EVP_MAC_init ? 3_0_0 EXIST::FUNCTION: EVP_MAC_update ? 3_0_0 EXIST::FUNCTION: EVP_MAC_final ? 3_0_0 EXIST::FUNCTION: EVP_MAC_finalXOF ? 3_0_0 EXIST::FUNCTION: +OSSL_EC_curve_nid2name ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_supports_digest_nid ? 3_0_0 EXIST::FUNCTION: SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP @@ -4947,7 +4948,8 @@ OSSL_CMP_exec_GENM_ses ? 3_0_0 EXIST::FUNCTION:CMP OSSL_CMP_MSG_http_perform ? 3_0_0 EXIST::FUNCTION:CMP OSSL_CMP_MSG_read ? 3_0_0 EXIST::FUNCTION:CMP OSSL_CMP_MSG_write ? 3_0_0 EXIST::FUNCTION:CMP -EVP_PKEY_gen ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_Q_keygen ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_generate ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_rsa_keygen_bits ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_rsa_keygen_pubexp ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_PKEY_CTX_set1_rsa_keygen_pubexp ? 3_0_0 EXIST::FUNCTION: diff --git a/util/other.syms b/util/other.syms index fb8efcb12a..0047905209 100644 --- a/util/other.syms +++ b/util/other.syms @@ -322,6 +322,7 @@ EVP_VerifyUpdate define EVP_bf_cfb define EVP_cast5_cfb define EVP_cleanup define deprecated 1.1.0 +EVP_EC_gen define EVP_get_digestbynid define EVP_get_digestbyobj define EVP_get_macbynid define @@ -329,6 +330,7 @@ EVP_get_macbyobj define EVP_idea_cfb define EVP_rc2_cfb define EVP_rc5_32_12_16_cfb define +EVP_RSA_gen define EVP_seed_cfb define EVP_sm4_cfb define OBJ_cleanup define deprecated 1.1.0