From 0996cff91fe9d6ed7c37830debdf585119dcc067 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 19 Mar 2020 22:29:10 +0100 Subject: [PATCH] DH, DSA, EC_KEY: Fix exporters to allow domain parameter keys The export-to-provider functions for DH, DSA and EC_KEY assumed that a public key is always present, and would fail if not. This blocks any attempt to export a key structure with only domain parameters. While fixing this, we also modify the selection declaration to evp_keymgmt_import() to be more adaptive, the diverse selection bits are now added when the corresponding data is added to the OSSL_PARAM array. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11374) --- crypto/dh/dh_ameth.c | 14 +++++++++----- crypto/dsa/dsa_ameth.c | 15 ++++++++++----- crypto/ec/ec_ameth.c | 36 ++++++++++++++++++------------------ crypto/ec/ecx_meth.c | 6 ++++-- crypto/rsa/rsa_ameth.c | 6 ++++-- 5 files changed, 45 insertions(+), 32 deletions(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index ecec5fbcf6..877a66f9dc 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -498,6 +498,7 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata, const BIGNUM *pub_key = DH_get0_pub_key(dh); const BIGNUM *priv_key = DH_get0_priv_key(dh); OSSL_PARAM *params; + int selection = 0; int rv; /* @@ -518,21 +519,24 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata, if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_FFC_Q, q)) return 0; } - /* A key must at least have a public part. */ - if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) - return 0; + selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; + if (pub_key != NULL) { + if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) + return 0; + selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; + } if (priv_key != NULL) { if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) return 0; + selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; } if ((params = ossl_param_bld_to_param(&tmpl)) == NULL) return 0; /* We export, the provider imports */ - rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL, - params); + rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); ossl_param_bld_free(params); diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 94f3f43b8e..92134f956b 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -526,6 +526,7 @@ static int dsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, const BIGNUM *q = DSA_get0_q(dsa), *pub_key = DSA_get0_pub_key(dsa); const BIGNUM *priv_key = DSA_get0_priv_key(dsa); OSSL_PARAM *params; + int selection = 0; int rv; /* @@ -543,21 +544,25 @@ static int dsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, || !ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_FFC_Q, q) || !ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_FFC_G, g)) return 0; - if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, - pub_key)) - return 0; + selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; + if (pub_key != NULL) { + if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, + pub_key)) + return 0; + selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; + } if (priv_key != NULL) { if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) return 0; + selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; } if ((params = ossl_param_bld_to_param(&tmpl)) == NULL) return 0; /* We export, the provider imports */ - rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL, - params); + rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); ossl_param_bld_free(params); diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 652086a93a..944fc05835 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -630,6 +630,7 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, OSSL_PARAM *params = NULL; const BIGNUM *priv_key = NULL; const EC_POINT *pub_point = NULL; + int selection = 0; int rv = 0; if (from == NULL @@ -648,26 +649,24 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, /* export the domain parameters */ if (!ecparams_to_params(eckey, &tmpl)) - return 0; + goto err; + selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; priv_key = EC_KEY_get0_private_key(eckey); pub_point = EC_KEY_get0_public_key(eckey); - /* public_key must be present, priv_key is optional */ - if (pub_point == NULL) - return 0; - - /* convert pub_point to a octet string according to the SECG standard */ - if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point, - POINT_CONVERSION_COMPRESSED, - &pub_key_buf, NULL)) == 0) - return 0; - - if (!ossl_param_bld_push_octet_string(&tmpl, - OSSL_PKEY_PARAM_PUB_KEY, - pub_key_buf, - pub_key_buflen)) - goto err; + if (pub_point != NULL) { + /* convert pub_point to a octet string according to the SECG standard */ + if ((pub_key_buflen = EC_POINT_point2buf(ecg, pub_point, + POINT_CONVERSION_COMPRESSED, + &pub_key_buf, NULL)) == 0 + || !ossl_param_bld_push_octet_string(&tmpl, + OSSL_PKEY_PARAM_PUB_KEY, + pub_key_buf, + pub_key_buflen)) + goto err; + selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; + } if (priv_key != NULL) { size_t sz; @@ -716,6 +715,7 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, OSSL_PKEY_PARAM_PRIV_KEY, priv_key, sz)) goto err; + selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; /* * The ECDH Cofactor Mode is defined only if the EC_KEY actually @@ -730,13 +730,13 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, ecdh_cofactor_mode)) goto err; + selection |= OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS; } params = ossl_param_bld_to_param(&tmpl); /* We export, the provider imports */ - rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL, - params); + rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); err: ossl_param_bld_free(params); diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index 5f85927bd0..9b9536f022 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -423,6 +423,7 @@ static int ecx_pkey_export_to(const EVP_PKEY *from, void *to_keydata, const ECX_KEY *key = from->pkey.ecx; OSSL_PARAM_BLD tmpl; OSSL_PARAM *params = NULL; + int selection = 0; int rv = 0; ossl_param_bld_init(&tmpl); @@ -431,19 +432,20 @@ static int ecx_pkey_export_to(const EVP_PKEY *from, void *to_keydata, if (!ossl_param_bld_push_octet_string(&tmpl, OSSL_PKEY_PARAM_PUB_KEY, key->pubkey, key->keylen)) goto err; + selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; if (key->privkey != NULL) { if (!ossl_param_bld_push_octet_string(&tmpl, OSSL_PKEY_PARAM_PRIV_KEY, key->privkey, key->keylen)) goto err; + selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; } params = ossl_param_bld_to_param(&tmpl); /* We export, the provider imports */ - rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL, - params); + rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); err: ossl_param_bld_free(params); diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 3411b734e5..06d7a8caf6 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -1090,6 +1090,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, STACK_OF(BIGNUM_const) *primes = NULL, *exps = NULL, *coeffs = NULL; int numprimes = 0, numexps = 0, numcoeffs = 0; OSSL_PARAM *params = NULL; + int selection = 0; int rv = 0; /* @@ -1110,6 +1111,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, goto err; if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_N, n)) goto err; + selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; if (d != NULL) { int i; @@ -1144,6 +1146,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, if (!ossl_param_bld_push_BN(&tmpl, OSSL_PKEY_PARAM_RSA_D, d)) goto err; + selection |= OSSL_KEYMGMT_SELECT_PRIVATE_KEY; for (i = 0; i < numprimes; i++) { const BIGNUM *num = sk_BIGNUM_const_value(primes, i); @@ -1174,8 +1177,7 @@ static int rsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, goto err; /* We export, the provider imports */ - rv = evp_keymgmt_import(to_keymgmt, to_keydata, OSSL_KEYMGMT_SELECT_ALL, - params); + rv = evp_keymgmt_import(to_keymgmt, to_keydata, selection, params); err: sk_BIGNUM_const_free(primes); -- 2.25.1