diff options
| author | Richard Levitte <levitte@openssl.org> | 2020-12-11 11:01:09 +0100 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2020-12-17 12:02:08 +0100 |
| commit | 6963979f5c0f95b2152ef74645faa7344e33284d (patch) | |
| tree | ff97ca1102560458f90bc3e16db622055aec41fd | |
| parent | e77c13f8b73ff937819d6551ddd616fe01b989d0 (diff) | |
DECODER: Adjust the library context of keys in our decoders
Because decoders are coupled with keymgmts from the same provider,
ours need to produce provider side keys the same way. Since our
keymgmts create key data with the provider library context, so must
our decoders.
We solve with functions to adjust the library context of decoded keys,
and use them.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13661)
| -rw-r--r-- | crypto/dh/dh_lib.c | 5 | ||||
| -rw-r--r-- | crypto/dsa/dsa_lib.c | 5 | ||||
| -rw-r--r-- | crypto/ec/ec_key.c | 6 | ||||
| -rw-r--r-- | crypto/ec/ecx_key.c | 5 | ||||
| -rw-r--r-- | crypto/rsa/rsa_lib.c | 5 | ||||
| -rw-r--r-- | include/crypto/dh.h | 1 | ||||
| -rw-r--r-- | include/crypto/dsa.h | 1 | ||||
| -rw-r--r-- | include/crypto/ec.h | 1 | ||||
| -rw-r--r-- | include/crypto/ecx.h | 1 | ||||
| -rw-r--r-- | include/crypto/rsa.h | 1 | ||||
| -rw-r--r-- | providers/implementations/encode_decode/decode_der2key.c | 60 |
11 files changed, 91 insertions, 0 deletions
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index e687b04259..e8a66878ab 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -168,6 +168,11 @@ int DH_up_ref(DH *r) return ((i > 1) ? 1 : 0); } +void ossl_dh_set0_libctx(DH *d, OSSL_LIB_CTX *libctx) +{ + d->libctx = libctx; +} + #ifndef FIPS_MODULE int DH_set_ex_data(DH *d, int idx, void *arg) { diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 4a9f572edd..df9dd73dfd 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -247,6 +247,11 @@ int DSA_up_ref(DSA *r) return ((i > 1) ? 1 : 0); } +void ossl_dsa_set0_libctx(DSA *d, OSSL_LIB_CTX *libctx) +{ + d->libctx = libctx; +} + void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) { diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index da3d6f04a2..d03c75e8aa 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -659,6 +659,12 @@ const char *ec_key_get0_propq(const EC_KEY *key) return key->propq; } +void ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx) +{ + key->libctx = libctx; + /* Do we need to propagate this to the group? */ +} + const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key) { return key->group; diff --git a/crypto/ec/ecx_key.c b/crypto/ec/ecx_key.c index db74a40c97..2b9386d522 100644 --- a/crypto/ec/ecx_key.c +++ b/crypto/ec/ecx_key.c @@ -73,6 +73,11 @@ void ecx_key_free(ECX_KEY *key) OPENSSL_free(key); } +void ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx) +{ + key->libctx = libctx; +} + int ecx_key_up_ref(ECX_KEY *key) { int i; diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 8e7ad45608..f4e3ff423e 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -194,6 +194,11 @@ OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r) return r->libctx; } +void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx) +{ + r->libctx = libctx; +} + #ifndef FIPS_MODULE int RSA_set_ex_data(RSA *r, int idx, void *arg) { diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 3afe16935f..290cc7c0d2 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -14,6 +14,7 @@ DH *dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid); DH *dh_new_ex(OSSL_LIB_CTX *libctx); +void ossl_dh_set0_libctx(DH *d, OSSL_LIB_CTX *libctx); int dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, BN_GENCB *cb); diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h index 759fa4cce4..775a83c1ea 100644 --- a/include/crypto/dsa.h +++ b/include/crypto/dsa.h @@ -15,6 +15,7 @@ #define DSA_PARAMGEN_TYPE_FIPS_186_2 1 /* Use legacy FIPS186-2 standard */ DSA *dsa_new_with_ctx(OSSL_LIB_CTX *libctx); +void ossl_dsa_set0_libctx(DSA *d, OSSL_LIB_CTX *libctx); int dsa_generate_ffc_parameters(DSA *dsa, int type, int pbits, int qbits, BN_GENCB *cb); diff --git a/include/crypto/ec.h b/include/crypto/ec.h index 451a3751a1..087457fa50 100644 --- a/include/crypto/ec.h +++ b/include/crypto/ec.h @@ -61,6 +61,7 @@ int ec_key_private_check(const EC_KEY *eckey); int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx); OSSL_LIB_CTX *ec_key_get_libctx(const EC_KEY *eckey); const char *ec_key_get0_propq(const EC_KEY *eckey); +void ec_key_set0_libctx(EC_KEY *key, OSSL_LIB_CTX *libctx); /* Backend support */ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index 4771df5fb6..df04cdb562 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -77,6 +77,7 @@ typedef struct ecx_key_st ECX_KEY; size_t ecx_key_length(ECX_KEY_TYPE type); ECX_KEY *ecx_key_new(OSSL_LIB_CTX *libctx, ECX_KEY_TYPE type, int haspubkey, const char *propq); +void ecx_key_set0_libctx(ECX_KEY *key, OSSL_LIB_CTX *libctx); unsigned char *ecx_key_allocate_privkey(ECX_KEY *key); void ecx_key_free(ECX_KEY *key); int ecx_key_up_ref(ECX_KEY *key); diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index ede11cfd41..cb53b5dde6 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -51,6 +51,7 @@ const char *ossl_rsa_oaeppss_nid2name(int md); RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx); OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r); +void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx); int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, const STACK_OF(BIGNUM) *exps, diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 17ed16235d..a91bd3b7b8 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -24,7 +24,11 @@ #include <openssl/x509.h> #include "internal/cryptlib.h" /* ossl_assert() */ #include "internal/asn1.h" +#include "crypto/dh.h" +#include "crypto/dsa.h" +#include "crypto/ec.h" #include "crypto/ecx.h" +#include "crypto/rsa.h" #include "prov/bio.h" #include "prov/implementations.h" #include "prov/providercommonerr.h" @@ -106,7 +110,9 @@ static OSSL_FUNC_decoder_freectx_fn der2key_freectx; static OSSL_FUNC_decoder_decode_fn der2key_decode; static OSSL_FUNC_decoder_export_object_fn der2key_export_object; +struct der2key_ctx_st; /* Forward declaration */ typedef void *(extract_key_fn)(EVP_PKEY *); +typedef void (adjust_key_fn)(void *, struct der2key_ctx_st *ctx); typedef void (free_key_fn)(void *); struct keytype_desc_st { const char *keytype_name; @@ -130,10 +136,16 @@ struct keytype_desc_st { d2i_of_void *d2i_private_key; d2i_of_void *d2i_public_key; d2i_of_void *d2i_key_params; + /* * For PKCS#8 decoders, we use EVP_PKEY extractors, EVP_PKEY_get1_{TYPE}() */ extract_key_fn *extract_key; + /* + * For any key, we may need to make provider specific adjustments, such + * as ensure the key carries the correct library context. + */ + adjust_key_fn *adjust_key; /* {type}_free() */ free_key_fn *free_key; }; @@ -341,6 +353,9 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, } } + if (key != NULL && ctx->desc->adjust_key != NULL) + ctx->desc->adjust_key(key, ctx); + end: /* * Prune low-level ASN.1 parse errors from error queue, assuming @@ -403,12 +418,18 @@ static int der2key_export_object(void *vctx, # define dh_d2i_key_params (d2i_of_void *)d2i_DHparams # define dh_free (free_key_fn *)DH_free +static void dh_adjust(void *key, struct der2key_ctx_st *ctx) +{ + ossl_dh_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); +} + # define dhx_evp_type EVP_PKEY_DHX # define dhx_evp_extract (extract_key_fn *)EVP_PKEY_get1_DH # define dhx_d2i_private_key NULL # define dhx_d2i_public_key NULL # define dhx_d2i_key_params (d2i_of_void *)d2i_DHxparams # define dhx_free (free_key_fn *)DH_free +# define dhx_adjust dh_adjust #endif /* ---------------------------------------------------------------------- */ @@ -420,6 +441,11 @@ static int der2key_export_object(void *vctx, # define dsa_d2i_public_key (d2i_of_void *)d2i_DSAPublicKey # define dsa_d2i_key_params (d2i_of_void *)d2i_DSAparams # define dsa_free (free_key_fn *)DSA_free + +static void dsa_adjust(void *key, struct der2key_ctx_st *ctx) +{ + ossl_dsa_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); +} #endif /* ---------------------------------------------------------------------- */ @@ -432,16 +458,28 @@ static int der2key_export_object(void *vctx, # define ec_d2i_key_params (d2i_of_void *)d2i_ECParameters # define ec_free (free_key_fn *)EC_KEY_free +static void ec_adjust(void *key, struct der2key_ctx_st *ctx) +{ + ec_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); +} + /* * ED25519, ED448, X25519, X448 only implement PKCS#8 and SubjectPublicKeyInfo, * so no d2i functions to be had. */ + +static void ecx_key_adjust(void *key, struct der2key_ctx_st *ctx) +{ + ecx_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); +} + # define ed25519_evp_type EVP_PKEY_ED25519 # define ed25519_evp_extract (extract_key_fn *)evp_pkey_get1_ED25519 # define ed25519_d2i_private_key NULL # define ed25519_d2i_public_key NULL # define ed25519_d2i_key_params NULL # define ed25519_free (free_key_fn *)ecx_key_free +# define ed25519_adjust ecx_key_adjust # define ed448_evp_type EVP_PKEY_ED448 # define ed448_evp_extract (extract_key_fn *)evp_pkey_get1_ED448 @@ -449,6 +487,7 @@ static int der2key_export_object(void *vctx, # define ed448_d2i_public_key NULL # define ed448_d2i_key_params NULL # define ed448_free (free_key_fn *)ecx_key_free +# define ed448_adjust ecx_key_adjust # define x25519_evp_type EVP_PKEY_X25519 # define x25519_evp_extract (extract_key_fn *)evp_pkey_get1_X25519 @@ -456,6 +495,7 @@ static int der2key_export_object(void *vctx, # define x25519_d2i_public_key NULL # define x25519_d2i_key_params NULL # define x25519_free (free_key_fn *)ecx_key_free +# define x25519_adjust ecx_key_adjust # define x448_evp_type EVP_PKEY_X448 # define x448_evp_extract (extract_key_fn *)evp_pkey_get1_X448 @@ -463,6 +503,7 @@ static int der2key_export_object(void *vctx, # define x448_d2i_public_key NULL # define x448_d2i_key_params NULL # define x448_free (free_key_fn *)ecx_key_free +# define x448_adjust ecx_key_adjust #endif /* ---------------------------------------------------------------------- */ @@ -474,12 +515,18 @@ static int der2key_export_object(void *vctx, #define rsa_d2i_key_params NULL #define rsa_free (free_key_fn *)RSA_free +static void rsa_adjust(void *key, struct der2key_ctx_st *ctx) +{ + ossl_rsa_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); +} + #define rsapss_evp_type EVP_PKEY_RSA_PSS #define rsapss_evp_extract (extract_key_fn *)EVP_PKEY_get1_RSA #define rsapss_d2i_private_key (d2i_of_void *)d2i_RSAPrivateKey #define rsapss_d2i_public_key (d2i_of_void *)d2i_RSAPublicKey #define rsapss_d2i_key_params NULL #define rsapss_free (free_key_fn *)RSA_free +#define rsapss_adjust rsa_adjust /* ---------------------------------------------------------------------- */ @@ -494,6 +541,7 @@ static int der2key_export_object(void *vctx, keytype##_d2i_public_key, \ NULL, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_type_specific_pub(keytype) \ @@ -503,6 +551,7 @@ static int der2key_export_object(void *vctx, keytype##_d2i_public_key, \ NULL, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_type_specific_priv(keytype) \ @@ -512,6 +561,7 @@ static int der2key_export_object(void *vctx, NULL, \ NULL, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_type_specific_params(keytype) \ @@ -521,6 +571,7 @@ static int der2key_export_object(void *vctx, NULL, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_type_specific(keytype) \ @@ -530,6 +581,7 @@ static int der2key_export_object(void *vctx, keytype##_d2i_public_key, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_type_specific_no_pub(keytype) \ @@ -540,6 +592,7 @@ static int der2key_export_object(void *vctx, NULL, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_PKCS8(keytype) \ @@ -549,6 +602,7 @@ static int der2key_export_object(void *vctx, NULL, \ NULL, \ keytype##_evp_extract, \ + keytype##_adjust, \ keytype##_free #define DO_SubjectPublicKeyInfo(keytype) \ @@ -558,6 +612,7 @@ static int der2key_export_object(void *vctx, NULL, \ NULL, \ keytype##_evp_extract, \ + keytype##_adjust, \ keytype##_free #define DO_DH(keytype) \ @@ -567,6 +622,7 @@ static int der2key_export_object(void *vctx, NULL, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_DHX(keytype) \ @@ -576,6 +632,7 @@ static int der2key_export_object(void *vctx, NULL, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_DSA(keytype) \ @@ -585,6 +642,7 @@ static int der2key_export_object(void *vctx, keytype##_d2i_public_key, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_EC(keytype) \ @@ -595,6 +653,7 @@ static int der2key_export_object(void *vctx, NULL, \ keytype##_d2i_key_params, \ NULL, \ + keytype##_adjust, \ keytype##_free #define DO_RSA(keytype) \ @@ -604,6 +663,7 @@ static int der2key_export_object(void *vctx, keytype##_d2i_public_key, \ NULL, \ NULL, \ + keytype##_adjust, \ keytype##_free /* |