author | Matt Caswell <matt@openssl.org> | 2021-02-24 16:38:28 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-03-08 15:11:31 +0000 |
commit | b574c6a9ac96825b4f19c5e835273bf176174af8 (patch) | |
tree | 0320f1f6cd4905072ce38567868d3fe4881c8859 /include | |
parent | ec961f866ac048a2d3dfd6adcfa95042114bef52 (diff) |
Cache legacy keys instead of downgrading them
If someone calls an EVP_PKEY_get0*() function then we create a legacy
key and cache it in the EVP_PKEY - but it doesn't become an "origin" and
it doesn't ever get updated. This will be documented as a restriction of
the EVP_PKEY_get0*() function with provided keys.
Fixes #14020
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Diffstat (limited to 'include')
-rw-r--r-- | include/crypto/evp.h | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 41487d2af2..c1cce43f80 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -608,6 +608,21 @@ DEFINE_STACK_OF(OP_CACHE_ELEM)
 #define evp_pkey_is_provided(pk) \
 ((pk)->keymgmt != NULL)
 
+union legacy_pkey_st {
+ void *ptr;
+ struct rsa_st *rsa; /* RSA */
+# ifndef OPENSSL_NO_DSA
+ struct dsa_st *dsa; /* DSA */
+# endif
+# ifndef OPENSSL_NO_DH
+ struct dh_st *dh; /* DH */
+# endif
+# ifndef OPENSSL_NO_EC
+ struct ec_key_st *ec; /* ECC */
+ ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */
+# endif
+};
+
 struct evp_pkey_st {
 /* == Legacy attributes == */
 int type;
@@ -621,24 +636,15 @@ struct evp_pkey_st {
 const EVP_PKEY_ASN1_METHOD *ameth;
 ENGINE *engine;
 ENGINE *pmeth_engine; /* If not NULL public key ENGINE to use */
- union {
- void *ptr;
- struct rsa_st *rsa; /* RSA */
-# ifndef OPENSSL_NO_DSA
- struct dsa_st *dsa; /* DSA */
-# endif
-# ifndef OPENSSL_NO_DH
- struct dh_st *dh; /* DH */
-# endif
-# ifndef OPENSSL_NO_EC
- struct ec_key_st *ec; /* ECC */
- ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */
-# endif
- } pkey;
+
+ /* Union to store the reference to an origin legacy key */
+ union legacy_pkey_st pkey;
+
+ /* Union to store the reference to a non-origin legacy key */
+ union legacy_pkey_st legacy_cache_pkey;
 # endif
 
 /* == Common attributes == */
- /* If these are modified, so must evp_pkey_downgrade() */
 CRYPTO_REF_COUNT references;
 CRYPTO_RWLOCK *lock;
 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
@@ -719,7 +725,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
 const char *propquery);
 #ifndef FIPS_MODULE
 int evp_pkey_copy_downgraded(EVP_PKEY **dest, const EVP_PKEY *src);
-int evp_pkey_downgrade(EVP_PKEY *pk);
+void *evp_pkey_get_legacy(EVP_PKEY *pk);
 void evp_pkey_free_legacy(EVP_PKEY *x);
 #endif
|
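Review bot: The new `union legacy_pkey_st` carries no comment saying which member a reader may dereference, even though the struct that embeds it (visible further down in this hunk) keys that on `int type`. A one-line comment on the union would save a trip to the .c side: `/* Pointer to a legacy key object; which member is valid is selected by evp_pkey_st.type */`. The `# ifndef` nested-conditional style suggests the union sits inside an outer conditional that begins above this hunk; I cannot see it from here, so confirm it is the same guard as the legacy members that use it, otherwise the type would be undeclared in some build configurations.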
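Review bot: The comment on `legacy_cache_pkey` says "non-origin" but omits the property the commit message makes explicit and that every EVP_PKEY_get0*() caller needs to know: once populated the cache is never refreshed, so it can silently lag behind the provider-side key. I would replace it with `/* Legacy copy created on demand by EVP_PKEY_get0*() for a provided key; not an origin and never refreshed, so it may be stale after the provided key changes */`. The removed reminder `/* If these are modified, so must evp_pkey_downgrade() */` above the common attributes is deleted rather than re-pointed, yet `evp_pkey_copy_downgraded()` survives in this file and presumably still copies those attributes; if it does, the reminder should name it instead of vanishing. Nothing in this header says who frees the cached key either; `evp_pkey_free_legacy()` is the likely owner, so a `/* freed by evp_pkey_free_legacy() */` on the member would settle it. The enclosing `struct evp_pkey_st` starts before and ends after this hunk.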
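Review bot: `void *evp_pkey_get_legacy(EVP_PKEY *pk)` replaces an int-returning function with an undocumented `void *`, so the ownership and failure contract is invisible at the declaration. The prototype should say that the returned pointer is borrowed (owned by `pk`, never to be freed by the caller, valid only while `pk` lives), that it is NULL when no legacy form is available, and that for a provided key it is the cached non-origin copy rather than a live view. Because the cache is populated lazily on a get0 path, concurrent callers on a shared `EVP_PKEY` could race on `legacy_cache_pkey`; the struct has a `CRYPTO_RWLOCK *lock`, so confirm the implementation takes it before filling the cache and note that in the comment as well.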