From 0abae1636d7054266dd20724c0d5e06617d9f679 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 23 Mar 2020 05:40:47 +0100 Subject: EVP: Implement support for key downgrading in backends Downgrading EVP_PKEYs from containing provider side internal keys to containing legacy keys demands support in the EVP_PKEY_ASN1_METHOD. This became a bit elaborate because the code would be almost exactly the same as the import functions int EVP_KEYMGMT. Therefore, we end up moving most of the code to common backend support files that can be used both by legacy backend code and by our providers. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11375) --- crypto/dh/build.info | 2 +- crypto/dh/dh_ameth.c | 21 +++++++++++++++++++ crypto/dh/dh_backend.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 crypto/dh/dh_backend.c (limited to 'crypto/dh') diff --git a/crypto/dh/build.info b/crypto/dh/build.info index 56c085bb1e..ce0918e7d3 100644 --- a/crypto/dh/build.info +++ b/crypto/dh/build.info @@ -1,6 +1,6 @@ LIBS=../../libcrypto -$COMMON=dh_lib.c dh_key.c dh_group_params.c dh_check.c +$COMMON=dh_lib.c dh_key.c dh_group_params.c dh_check.c dh_backend.c SOURCE[../../libcrypto]=$COMMON\ dh_asn1.c dh_gen.c dh_err.c dh_depr.c \ diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 877a66f9dc..d0eaceccb4 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -25,6 +25,7 @@ #include #include #include "internal/param_build.h" +#include "internal/ffc.h" /* * i2d/d2i like DH parameter functions which use the appropriate routine for @@ -543,6 +544,25 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata, return rv; } +static int dh_pkey_import_from(const OSSL_PARAM params[], void *key) +{ + EVP_PKEY *pkey = key; + DH *dh = DH_new(); + + if (dh == NULL) { + ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (!ffc_fromdata(dh_get0_params(dh), params) + || !dh_key_fromdata(dh, params) + || !EVP_PKEY_assign_DH(pkey, dh)) { + DH_free(dh); + return 0; + } + return 1; +} + const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { EVP_PKEY_DH, EVP_PKEY_DH, @@ -585,6 +605,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { dh_pkey_dirty_cnt, dh_pkey_export_to, + dh_pkey_import_from, }; const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = { diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c new file mode 100644 index 0000000000..bbeb096d55 --- /dev/null +++ b/crypto/dh/dh_backend.c @@ -0,0 +1,56 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "crypto/dh.h" + +/* + * The intention with the "backend" source file is to offer backend functions + * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider + * implementations alike. + */ + +int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *param_priv_key, *param_pub_key; + BIGNUM *priv_key = NULL, *pub_key = NULL; + + if (dh == NULL) + return 0; + + param_priv_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); + param_pub_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); + + /* + * DH documentation says that a public key must be present if a + * private key is present. + * We want to have at least a public key either way, so we end up + * requiring it unconditionally. + */ + if (param_priv_key != NULL && param_pub_key == NULL) + return 0; + + if ((param_priv_key != NULL + && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) + || (param_pub_key != NULL + && !OSSL_PARAM_get_BN(param_pub_key, &pub_key))) + goto err; + + if (!DH_set0_key(dh, pub_key, priv_key)) + goto err; + + return 1; + + err: + BN_clear_free(priv_key); + BN_free(pub_key); + return 0; +} -- cgit v1.2.3