Prepare to provide EVP_PKEY_check()

This allows checking the validity of an EVP_PKEY. Only RSA and EC keys are supported. If a check function is set the EVP_PKEY_METHOD, it will be used, otherwise the check function on the EVP_PKEY_ASN1_METHOD is used. The default ASN.1 methods wrap RSA_check_key() and EC_KEY_check_key(), respectively. The corresponding setters are EVP_PKEY_{asn1,meth}_set_check(). It is unclear why the PKEY method has no const while the ASN.1 method has const. Requested by tobhe and used by PHP 8.1. Based on OpenSSL commit 2aee35d3 ok inoguchi jsing
author: tb <> 2022-01-10 11:52:43 +0000
committer: tb <> 2022-01-10 11:52:43 +0000
commit: a447c077ad67d6e81ed1a4fbe9003875add773c2 (patch)
tree: 1fec6a88d05f741604c6f6549798d45c11a3aef3 /src/lib
parent: 0af4f789497e3f3ba6818138f64585c080464044 (diff)
download: openbsd-a447c077ad67d6e81ed1a4fbe9003875add773c2.tar.gz
openbsd-a447c077ad67d6e81ed1a4fbe9003875add773c2.tar.bz2
openbsd-a447c077ad67d6e81ed1a4fbe9003875add773c2.zip
8 files changed, 89 insertions, 12 deletions
diff --git a/src/lib/libcrypto/asn1/ameth_lib.c b/src/lib/libcrypto/asn1/ameth_lib.c
index ed7f5bd3e4..96669bbd2f 100644
--- a/src/lib/libcrypto/asn1/ameth_lib.c
+++ b/src/lib/libcrypto/asn1/ameth_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ameth_lib.c,v 1.23 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: ameth_lib.c,v 1.24 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -429,3 +429,10 @@ EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
 {
        ameth->pkey_ctrl = pkey_ctrl;
 }
+void
+EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
+    int (*pkey_check)(const EVP_PKEY *pk))
+{
+        ameth->pkey_check = pkey_check;
+}
diff --git a/src/lib/libcrypto/asn1/asn1_locl.h b/src/lib/libcrypto/asn1/asn1_locl.h
index 3b949dba65..31fcbef20d 100644
--- a/src/lib/libcrypto/asn1/asn1_locl.h
+++ b/src/lib/libcrypto/asn1/asn1_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_locl.h,v 1.15 2021/12/25 12:00:22 jsing Exp $ */
+/* $OpenBSD: asn1_locl.h,v 1.16 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -124,6 +124,7 @@ struct evp_pkey_asn1_method_st {
        int (*item_sign)(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
            X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig);
+        int (*pkey_check)(const EVP_PKEY *pk);
 } /* EVP_PKEY_ASN1_METHOD */;
 /* Method to handle CRL access.
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index c96c46dd53..8316683f8f 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.29 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.30 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -67,6 +67,7 @@
 #include <openssl/x509.h>
 #include "asn1_locl.h"
+#include "ec_lcl.h"
 #include "evp_locl.h"
 #ifndef OPENSSL_NO_CMS
@@ -620,6 +621,19 @@ ec_pkey_ctrl(EVP_PKEY * pkey, int op, long arg1, void *arg2)
 }
+static int
+ec_pkey_check(const EVP_PKEY *pkey)
+{
+        EC_KEY *eckey = pkey->pkey.ec;
+        if (eckey->priv_key == NULL) {
+                ECerror(EC_R_MISSING_PRIVATE_KEY);
+                return 0;
+        }
+        return EC_KEY_check_key(eckey);
+}
 #ifndef OPENSSL_NO_CMS
 static int
@@ -981,5 +995,7 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
        .pkey_free = int_ec_free,
        .pkey_ctrl = ec_pkey_ctrl,
        .old_priv_decode = old_ec_priv_decode,
-        .old_priv_encode = old_ec_priv_encode
+        .old_priv_encode = old_ec_priv_encode,
+        .pkey_check = ec_pkey_check,
 };
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index aa5b35f67c..e122a6b329 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.92 2022/01/09 15:15:25 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.93 2022/01/10 11:52:43 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1087,6 +1087,11 @@ void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
 void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
    int (*pkey_ctrl)(EVP_PKEY *pkey, int op, long arg1, void *arg2));
+#if defined(LIBRESSL_CRYPTO_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
+    int (*pkey_check)(const EVP_PKEY *pk));
+#endif
 #define EVP_PKEY_OP_UNDEFINED           0
 #define EVP_PKEY_OP_PARAMGEN            (1<<1)
 #define EVP_PKEY_OP_KEYGEN              (1<<2)
@@ -1213,6 +1218,9 @@ int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
 int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
 int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
 int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
+#if defined(LIBRESSL_CRYPTO_INTERNAL) || defined(LIBRESSL_NEXT_API)
+int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
+#endif
 void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
 EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
@@ -1279,6 +1287,11 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
    int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2),
    int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value));
+#if defined(LIBRESSL_CRYPTO_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void EVP_PKEY_meth_set_check(EVP_PKEY_METHOD *pmeth,
+    int (*check)(EVP_PKEY *pkey));
+#endif
 /* Authenticated Encryption with Additional Data.
 *
 * AEAD couples confidentiality and integrity in a single primtive. AEAD
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 5eef0b244f..3ff8e8ad99 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_locl.h,v 1.18 2022/01/09 15:15:25 tb Exp $ */
+/* $OpenBSD: evp_locl.h,v 1.19 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -347,6 +347,8 @@ struct evp_pkey_method_st {
        int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
        int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value);
+        int (*check)(EVP_PKEY *pkey);
 } /* EVP_PKEY_METHOD */;
 void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c
index 066291b800..a8a4cc97db 100644
--- a/src/lib/libcrypto/evp/pmeth_gn.c
+++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_gn.c,v 1.8 2021/12/04 16:08:32 tb Exp $ */
+/* $OpenBSD: pmeth_gn.c,v 1.9 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -64,6 +64,7 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include "asn1_locl.h"
 #include "bn_lcl.h"
 #include "evp_locl.h"
@@ -222,3 +223,24 @@ merr:
        EVP_PKEY_CTX_free(mac_ctx);
        return mac_key;
 }
+int
+EVP_PKEY_check(EVP_PKEY_CTX *ctx)
+{
+        EVP_PKEY *pkey;
+        if ((pkey = ctx->pkey) == NULL) {
+                EVPerror(EVP_R_NO_KEY_SET);
+                return 0;
+        }
+        if (ctx->pmeth->check != NULL)
+                return ctx->pmeth->check(pkey);
+        if (pkey->ameth == NULL || pkey->ameth->pkey_check == NULL) {
+                EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+                return -2;
+        }
+        return pkey->ameth->pkey_check(pkey);
+}
diff --git a/src/lib/libcrypto/evp/pmeth_lib.c b/src/lib/libcrypto/evp/pmeth_lib.c
index 33924dbd66..92328dd246 100644
--- a/src/lib/libcrypto/evp/pmeth_lib.c
+++ b/src/lib/libcrypto/evp/pmeth_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_lib.c,v 1.18 2021/12/03 14:19:57 tb Exp $ */
+/* $OpenBSD: pmeth_lib.c,v 1.19 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -582,3 +582,9 @@ EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
        pmeth->ctrl = ctrl;
        pmeth->ctrl_str = ctrl_str;
 }
+void
+EVP_PKEY_meth_set_check(EVP_PKEY_METHOD *pmeth, int (*check)(EVP_PKEY *pkey))
+{
+        pmeth->check = check;
+}
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index d373d7c132..57fe46a976 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.24 2019/11/20 10:46:17 inoguchi Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.25 2022/01/10 11:52:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -916,6 +916,12 @@ rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
        return 2;
 }
+static int
+rsa_pkey_check(const EVP_PKEY *pkey)
+{
+        return RSA_check_key(pkey->pkey.rsa);
+}
 #ifndef OPENSSL_NO_CMS
 static RSA_OAEP_PARAMS *
 rsa_oaep_decode(const X509_ALGOR *alg)
@@ -1105,14 +1111,18 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
                .old_priv_decode = old_rsa_priv_decode,
                .old_priv_encode = old_rsa_priv_encode,
                .item_verify = rsa_item_verify,
-                .item_sign = rsa_item_sign
+                .item_sign = rsa_item_sign,
+                .pkey_check = rsa_pkey_check,
        },
        {
                .pkey_id = EVP_PKEY_RSA2,
                .pkey_base_id = EVP_PKEY_RSA,
-                .pkey_flags = ASN1_PKEY_ALIAS
+                .pkey_flags = ASN1_PKEY_ALIAS,
-        }
+                .pkey_check = rsa_pkey_check,
+        },
 };
 const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
author	tb <>	2022-01-10 11:52:43 +0000
committer	tb <>	2022-01-10 11:52:43 +0000
commit	a447c077ad67d6e81ed1a4fbe9003875add773c2 (patch)
tree	1fec6a88d05f741604c6f6549798d45c11a3aef3 /src/lib
parent	0af4f789497e3f3ba6818138f64585c080464044 (diff)
download	openbsd-a447c077ad67d6e81ed1a4fbe9003875add773c2.tar.gz openbsd-a447c077ad67d6e81ed1a4fbe9003875add773c2.tar.bz2 openbsd-a447c077ad67d6e81ed1a4fbe9003875add773c2.zip

diff --git a/src/lib/libcrypto/asn1/ameth_lib.c b/src/lib/libcrypto/asn1/ameth_lib.c index ed7f5bd3e4..96669bbd2f 100644 --- a/src/lib/libcrypto/asn1/ameth_lib.c +++ b/src/lib/libcrypto/asn1/ameth_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ameth_lib.c,v 1.23 2021/12/12 21:30:13 tb Exp $ */	1	/* $OpenBSD: ameth_lib.c,v 1.24 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -429,3 +429,10 @@ EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
429	{	429	{
430	ameth->pkey_ctrl = pkey_ctrl;	430	ameth->pkey_ctrl = pkey_ctrl;
431	}	431	}
		432
		433	void
		434	EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
		435	int (pkey_check)(const EVP_PKEY pk))
		436	{
		437	ameth->pkey_check = pkey_check;
		438	}


diff --git a/src/lib/libcrypto/asn1/asn1_locl.h b/src/lib/libcrypto/asn1/asn1_locl.h index 3b949dba65..31fcbef20d 100644 --- a/src/lib/libcrypto/asn1/asn1_locl.h +++ b/src/lib/libcrypto/asn1/asn1_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: asn1_locl.h,v 1.15 2021/12/25 12:00:22 jsing Exp $ */	1	/* $OpenBSD: asn1_locl.h,v 1.16 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -124,6 +124,7 @@ struct evp_pkey_asn1_method_st {
124	int (item_sign)(EVP_MD_CTX ctx, const ASN1_ITEM it, void asn,	124	int (item_sign)(EVP_MD_CTX ctx, const ASN1_ITEM it, void asn,
125	X509_ALGOR alg1, X509_ALGOR alg2, ASN1_BIT_STRING *sig);	125	X509_ALGOR alg1, X509_ALGOR alg2, ASN1_BIT_STRING *sig);
126		126
		127	int (pkey_check)(const EVP_PKEY pk);
127	} /* EVP_PKEY_ASN1_METHOD */;	128	} /* EVP_PKEY_ASN1_METHOD */;
128		129
129	/* Method to handle CRL access.	130	/* Method to handle CRL access.


diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c index c96c46dd53..8316683f8f 100644 --- a/src/lib/libcrypto/ec/ec_ameth.c +++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_ameth.c,v 1.29 2021/12/12 21:30:13 tb Exp $ */	1	/* $OpenBSD: ec_ameth.c,v 1.30 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -67,6 +67,7 @@
67	#include <openssl/x509.h>	67	#include <openssl/x509.h>
68		68
69	#include "asn1_locl.h"	69	#include "asn1_locl.h"
		70	#include "ec_lcl.h"
70	#include "evp_locl.h"	71	#include "evp_locl.h"
71		72
72	#ifndef OPENSSL_NO_CMS	73	#ifndef OPENSSL_NO_CMS
@@ -620,6 +621,19 @@ ec_pkey_ctrl(EVP_PKEY * pkey, int op, long arg1, void *arg2)
620		621
621	}	622	}
622		623
		624	static int
		625	ec_pkey_check(const EVP_PKEY *pkey)
		626	{
		627	EC_KEY *eckey = pkey->pkey.ec;
		628
		629	if (eckey->priv_key == NULL) {
		630	ECerror(EC_R_MISSING_PRIVATE_KEY);
		631	return 0;
		632	}
		633
		634	return EC_KEY_check_key(eckey);
		635	}
		636
623	#ifndef OPENSSL_NO_CMS	637	#ifndef OPENSSL_NO_CMS
624		638
625	static int	639	static int
@@ -981,5 +995,7 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
981	.pkey_free = int_ec_free,	995	.pkey_free = int_ec_free,
982	.pkey_ctrl = ec_pkey_ctrl,	996	.pkey_ctrl = ec_pkey_ctrl,
983	.old_priv_decode = old_ec_priv_decode,	997	.old_priv_decode = old_ec_priv_decode,
984	.old_priv_encode = old_ec_priv_encode	998	.old_priv_encode = old_ec_priv_encode,
		999
		1000	.pkey_check = ec_pkey_check,
985	};	1001	};


diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index aa5b35f67c..e122a6b329 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp.h,v 1.92 2022/01/09 15:15:25 tb Exp $ */	1	/* $OpenBSD: evp.h,v 1.93 2022/01/10 11:52:43 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1087,6 +1087,11 @@ void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
1087	void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,	1087	void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
1088	int (pkey_ctrl)(EVP_PKEY pkey, int op, long arg1, void *arg2));	1088	int (pkey_ctrl)(EVP_PKEY pkey, int op, long arg1, void *arg2));
1089		1089
		1090	#if defined(LIBRESSL_CRYPTO_INTERNAL) \|\| defined(LIBRESSL_NEXT_API)
		1091	void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
		1092	int (pkey_check)(const EVP_PKEY pk));
		1093	#endif
		1094
1090	#define EVP_PKEY_OP_UNDEFINED 0	1095	#define EVP_PKEY_OP_UNDEFINED 0
1091	#define EVP_PKEY_OP_PARAMGEN (1<<1)	1096	#define EVP_PKEY_OP_PARAMGEN (1<<1)
1092	#define EVP_PKEY_OP_KEYGEN (1<<2)	1097	#define EVP_PKEY_OP_KEYGEN (1<<2)
@@ -1213,6 +1218,9 @@ int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
1213	int EVP_PKEY_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);	1218	int EVP_PKEY_paramgen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);
1214	int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);	1219	int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
1215	int EVP_PKEY_keygen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);	1220	int EVP_PKEY_keygen(EVP_PKEY_CTX ctx, EVP_PKEY *ppkey);
		1221	#if defined(LIBRESSL_CRYPTO_INTERNAL) \|\| defined(LIBRESSL_NEXT_API)
		1222	int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
		1223	#endif
1216		1224
1217	void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX ctx, EVP_PKEY_gen_cb cb);	1225	void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX ctx, EVP_PKEY_gen_cb cb);
1218	EVP_PKEY_gen_cb EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX ctx);	1226	EVP_PKEY_gen_cb EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX ctx);
@@ -1279,6 +1287,11 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
1279	int (ctrl)(EVP_PKEY_CTX ctx, int type, int p1, void *p2),	1287	int (ctrl)(EVP_PKEY_CTX ctx, int type, int p1, void *p2),
1280	int (ctrl_str)(EVP_PKEY_CTX ctx, const char type, const char value));	1288	int (ctrl_str)(EVP_PKEY_CTX ctx, const char type, const char value));
1281		1289
		1290	#if defined(LIBRESSL_CRYPTO_INTERNAL) \|\| defined(LIBRESSL_NEXT_API)
		1291	void EVP_PKEY_meth_set_check(EVP_PKEY_METHOD *pmeth,
		1292	int (check)(EVP_PKEY pkey));
		1293	#endif
		1294
1282	/* Authenticated Encryption with Additional Data.	1295	/* Authenticated Encryption with Additional Data.
1283	*	1296	*
1284	* AEAD couples confidentiality and integrity in a single primtive. AEAD	1297	* AEAD couples confidentiality and integrity in a single primtive. AEAD


diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h index 5eef0b244f..3ff8e8ad99 100644 --- a/src/lib/libcrypto/evp/evp_locl.h +++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_locl.h,v 1.18 2022/01/09 15:15:25 tb Exp $ */	1	/* $OpenBSD: evp_locl.h,v 1.19 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2000.	3	* project 2000.
4	*/	4	*/
@@ -347,6 +347,8 @@ struct evp_pkey_method_st {
347		347
348	int (ctrl)(EVP_PKEY_CTX ctx, int type, int p1, void *p2);	348	int (ctrl)(EVP_PKEY_CTX ctx, int type, int p1, void *p2);
349	int (ctrl_str)(EVP_PKEY_CTX ctx, const char type, const char value);	349	int (ctrl_str)(EVP_PKEY_CTX ctx, const char type, const char value);
		350
		351	int (check)(EVP_PKEY pkey);
350	} /* EVP_PKEY_METHOD */;	352	} /* EVP_PKEY_METHOD */;
351		353
352	void evp_pkey_set_cb_translate(BN_GENCB cb, EVP_PKEY_CTX ctx);	354	void evp_pkey_set_cb_translate(BN_GENCB cb, EVP_PKEY_CTX ctx);


diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c index 066291b800..a8a4cc97db 100644 --- a/src/lib/libcrypto/evp/pmeth_gn.c +++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pmeth_gn.c,v 1.8 2021/12/04 16:08:32 tb Exp $ */	1	/* $OpenBSD: pmeth_gn.c,v 1.9 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -64,6 +64,7 @@
64	#include <openssl/evp.h>	64	#include <openssl/evp.h>
65	#include <openssl/objects.h>	65	#include <openssl/objects.h>
66		66
		67	#include "asn1_locl.h"
67	#include "bn_lcl.h"	68	#include "bn_lcl.h"
68	#include "evp_locl.h"	69	#include "evp_locl.h"
69		70
@@ -222,3 +223,24 @@ merr:
222	EVP_PKEY_CTX_free(mac_ctx);	223	EVP_PKEY_CTX_free(mac_ctx);
223	return mac_key;	224	return mac_key;
224	}	225	}
		226
		227	int
		228	EVP_PKEY_check(EVP_PKEY_CTX *ctx)
		229	{
		230	EVP_PKEY *pkey;
		231
		232	if ((pkey = ctx->pkey) == NULL) {
		233	EVPerror(EVP_R_NO_KEY_SET);
		234	return 0;
		235	}
		236
		237	if (ctx->pmeth->check != NULL)
		238	return ctx->pmeth->check(pkey);
		239
		240	if (pkey->ameth == NULL \|\| pkey->ameth->pkey_check == NULL) {
		241	EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
		242	return -2;
		243	}
		244
		245	return pkey->ameth->pkey_check(pkey);
		246	}


diff --git a/src/lib/libcrypto/evp/pmeth_lib.c b/src/lib/libcrypto/evp/pmeth_lib.c index 33924dbd66..92328dd246 100644 --- a/src/lib/libcrypto/evp/pmeth_lib.c +++ b/src/lib/libcrypto/evp/pmeth_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pmeth_lib.c,v 1.18 2021/12/03 14:19:57 tb Exp $ */	1	/* $OpenBSD: pmeth_lib.c,v 1.19 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -582,3 +582,9 @@ EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
582	pmeth->ctrl = ctrl;	582	pmeth->ctrl = ctrl;
583	pmeth->ctrl_str = ctrl_str;	583	pmeth->ctrl_str = ctrl_str;
584	}	584	}
		585
		586	void
		587	EVP_PKEY_meth_set_check(EVP_PKEY_METHOD pmeth, int (check)(EVP_PKEY *pkey))
		588	{
		589	pmeth->check = check;
		590	}


diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c index d373d7c132..57fe46a976 100644 --- a/src/lib/libcrypto/rsa/rsa_ameth.c +++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_ameth.c,v 1.24 2019/11/20 10:46:17 inoguchi Exp $ */	1	/* $OpenBSD: rsa_ameth.c,v 1.25 2022/01/10 11:52:43 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -916,6 +916,12 @@ rsa_item_sign(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,
916	return 2;	916	return 2;
917	}	917	}
918		918
		919	static int
		920	rsa_pkey_check(const EVP_PKEY *pkey)
		921	{
		922	return RSA_check_key(pkey->pkey.rsa);
		923	}
		924
919	#ifndef OPENSSL_NO_CMS	925	#ifndef OPENSSL_NO_CMS
920	static RSA_OAEP_PARAMS *	926	static RSA_OAEP_PARAMS *
921	rsa_oaep_decode(const X509_ALGOR *alg)	927	rsa_oaep_decode(const X509_ALGOR *alg)
@@ -1105,14 +1111,18 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
1105	.old_priv_decode = old_rsa_priv_decode,	1111	.old_priv_decode = old_rsa_priv_decode,
1106	.old_priv_encode = old_rsa_priv_encode,	1112	.old_priv_encode = old_rsa_priv_encode,
1107	.item_verify = rsa_item_verify,	1113	.item_verify = rsa_item_verify,
1108	.item_sign = rsa_item_sign	1114	.item_sign = rsa_item_sign,
		1115
		1116	.pkey_check = rsa_pkey_check,
1109	},	1117	},
1110		1118
1111	{	1119	{
1112	.pkey_id = EVP_PKEY_RSA2,	1120	.pkey_id = EVP_PKEY_RSA2,
1113	.pkey_base_id = EVP_PKEY_RSA,	1121	.pkey_base_id = EVP_PKEY_RSA,
1114	.pkey_flags = ASN1_PKEY_ALIAS	1122	.pkey_flags = ASN1_PKEY_ALIAS,
1115	}	1123
		1124	.pkey_check = rsa_pkey_check,
		1125	},
1116	};	1126	};
1117		1127
1118	const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {	1128	const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {