From 472a88b79e779342adc3b85b5bea318de038ae14 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 6 Apr 2020 18:18:18 +0100 Subject: [PATCH] Teach d2i_PrivateKey et al about libctx The Ed448 private key decoding makes algorithm fetches. Therefore we teach d2i_PrivateKey et al about libctx and make sure it is passed through the layers. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11494) --- crypto/asn1/ameth_lib.c | 47 ++++++++++++---------------------------- crypto/asn1/d2i_pr.c | 48 ++++++++++++++++++++++++++--------------- crypto/evp/evp_pkey.c | 23 ++++++++++++++------ crypto/x509/x_all.c | 36 +++++++++++++++++++++++++++++++ include/crypto/asn1.h | 5 +++++ include/crypto/evp.h | 3 +++ include/openssl/evp.h | 6 ++++++ include/openssl/x509.h | 4 ++++ util/libcrypto.num | 4 ++++ 9 files changed, 120 insertions(+), 56 deletions(-) diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index 9ea5b665ba..013e1d69e1 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -250,39 +250,20 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, const EVP_PKEY_ASN1_METHOD *src) { - - dst->pub_decode = src->pub_decode; - dst->pub_encode = src->pub_encode; - dst->pub_cmp = src->pub_cmp; - dst->pub_print = src->pub_print; - - dst->priv_decode = src->priv_decode; - dst->priv_encode = src->priv_encode; - dst->priv_print = src->priv_print; - - dst->old_priv_encode = src->old_priv_encode; - dst->old_priv_decode = src->old_priv_decode; - - dst->pkey_size = src->pkey_size; - dst->pkey_bits = src->pkey_bits; - - dst->param_decode = src->param_decode; - dst->param_encode = src->param_encode; - dst->param_missing = src->param_missing; - dst->param_copy = src->param_copy; - dst->param_cmp = src->param_cmp; - dst->param_print = src->param_print; - - dst->pkey_free = src->pkey_free; - dst->pkey_ctrl = src->pkey_ctrl; - - dst->item_sign = src->item_sign; - dst->item_verify = src->item_verify; - - dst->siginf_set = src->siginf_set; - - dst->pkey_check = src->pkey_check; - + int pkey_id = dst->pkey_id; + int pkey_base_id = dst->pkey_base_id; + unsigned long pkey_flags = dst->pkey_flags; + char *pem_str = dst->pem_str; + char *info = dst->info; + + *dst = *src; + + /* We only copy the function pointers so restore the other values */ + dst->pkey_id = pkey_id; + dst->pkey_base_id = pkey_base_id; + dst->pkey_flags = pkey_flags; + dst->pem_str = pem_str; + dst->info = info; } void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 08101a826b..a1f8b570bc 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -18,15 +18,15 @@ #include "crypto/asn1.h" #include "crypto/evp.h" -EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, - long length) +EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp, + long length, OPENSSL_CTX *libctx, const char *propq) { EVP_PKEY *ret; const unsigned char *p = *pp; if ((a == NULL) || (*a == NULL)) { if ((ret = EVP_PKEY_new()) == NULL) { - ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_EVP_LIB); + ASN1err(0, ERR_R_EVP_LIB); return NULL; } } else { @@ -38,26 +38,27 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, } if (!EVP_PKEY_set_type(ret, type)) { - ASN1err(ASN1_F_D2I_PRIVATEKEY, ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE); + ASN1err(0, ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE); goto err; } if (!ret->ameth->old_priv_decode || !ret->ameth->old_priv_decode(ret, &p, length)) { - if (ret->ameth->priv_decode) { + if (ret->ameth->priv_decode != NULL + || ret->ameth->priv_decode_with_libctx != NULL) { EVP_PKEY *tmp; PKCS8_PRIV_KEY_INFO *p8 = NULL; p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); if (p8 == NULL) goto err; - tmp = EVP_PKCS82PKEY(p8); + tmp = evp_pkcs82pkey_int(p8, libctx, propq); PKCS8_PRIV_KEY_INFO_free(p8); if (tmp == NULL) goto err; EVP_PKEY_free(ret); ret = tmp; } else { - ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); + ASN1err(0, ERR_R_ASN1_LIB); goto err; } } @@ -71,13 +72,20 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, return NULL; } +EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, + long length) +{ + return d2i_PrivateKey_ex(type, a, pp, length, NULL, NULL); +} + /* * This works like d2i_PrivateKey() except it automatically works out the * type */ -EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, - long length) +EVP_PKEY *d2i_AutoPrivateKey_ex(EVP_PKEY **a, const unsigned char **pp, + long length, OPENSSL_CTX *libctx, + const char *propq) { STACK_OF(ASN1_TYPE) *inkey; const unsigned char *p; @@ -94,22 +102,21 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, * Since we only need to discern "traditional format" RSA and DSA keys we * can just count the elements. */ - if (sk_ASN1_TYPE_num(inkey) == 6) + if (sk_ASN1_TYPE_num(inkey) == 6) { keytype = EVP_PKEY_DSA; - else if (sk_ASN1_TYPE_num(inkey) == 4) + } else if (sk_ASN1_TYPE_num(inkey) == 4) { keytype = EVP_PKEY_EC; - else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not + } else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not * traditional format */ PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); EVP_PKEY *ret; sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); if (p8 == NULL) { - ASN1err(ASN1_F_D2I_AUTOPRIVATEKEY, - ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); + ASN1err(0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); return NULL; } - ret = EVP_PKCS82PKEY(p8); + ret = evp_pkcs82pkey_int(p8, libctx, propq); PKCS8_PRIV_KEY_INFO_free(p8); if (ret == NULL) return NULL; @@ -118,8 +125,15 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, *a = ret; } return ret; - } else + } else { keytype = EVP_PKEY_RSA; + } sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); - return d2i_PrivateKey(keytype, a, pp, length); + return d2i_PrivateKey_ex(keytype, a, pp, length, libctx, propq); +} + +EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, + long length) +{ + return d2i_AutoPrivateKey_ex(a, pp, length, NULL, NULL); } diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index a11b856c03..6a40f4b456 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -18,7 +18,8 @@ /* Extract a private key from a PKCS8 structure */ -EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) +EVP_PKEY *evp_pkcs82pkey_int(const PKCS8_PRIV_KEY_INFO *p8, OPENSSL_CTX *libctx, + const char *propq) { EVP_PKEY *pkey = NULL; const ASN1_OBJECT *algoid; @@ -28,24 +29,29 @@ EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) return NULL; if ((pkey = EVP_PKEY_new()) == NULL) { - EVPerr(EVP_F_EVP_PKCS82PKEY, ERR_R_MALLOC_FAILURE); + EVPerr(0, ERR_R_MALLOC_FAILURE); return NULL; } if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) { - EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); + EVPerr(0, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); i2t_ASN1_OBJECT(obj_tmp, 80, algoid); ERR_add_error_data(2, "TYPE=", obj_tmp); goto error; } - if (pkey->ameth->priv_decode) { + if (pkey->ameth->priv_decode_with_libctx != NULL) { + if (!pkey->ameth->priv_decode_with_libctx(pkey, p8, libctx, propq)) { + EVPerr(0, EVP_R_PRIVATE_KEY_DECODE_ERROR); + goto error; + } + } else if (pkey->ameth->priv_decode != NULL) { if (!pkey->ameth->priv_decode(pkey, p8)) { - EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_PRIVATE_KEY_DECODE_ERROR); + EVPerr(0, EVP_R_PRIVATE_KEY_DECODE_ERROR); goto error; } } else { - EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_METHOD_NOT_SUPPORTED); + EVPerr(0, EVP_R_METHOD_NOT_SUPPORTED); goto error; } @@ -56,6 +62,11 @@ EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) return NULL; } +EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) +{ + return evp_pkcs82pkey_int(p8, NULL, NULL); +} + /* Turn a private key into a PKCS8 structure */ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey) diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index ce8c23b654..0f31c5155f 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -24,6 +24,7 @@ #include #include #include +#include "crypto/asn1.h" static void clean_id_ctx(EVP_MD_CTX *ctx) { @@ -594,6 +595,22 @@ EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a) return ASN1_d2i_fp_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, fp, a); } +EVP_PKEY *d2i_PrivateKey_ex_fp(FILE *fp, EVP_PKEY **a, OPENSSL_CTX *libctx, + const char *propq) +{ + BIO *b; + void *ret; + + if ((b = BIO_new(BIO_s_file())) == NULL) { + X509err(0, ERR_R_BUF_LIB); + return NULL; + } + BIO_set_fp(b, fp, BIO_NOCLOSE); + ret = d2i_PrivateKey_ex_bio(b, a, libctx, propq); + BIO_free(b); + return ret; +} + int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey) { return ASN1_i2d_fp_of(EVP_PKEY, i2d_PUBKEY, fp, pkey); @@ -642,6 +659,25 @@ EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a) return ASN1_d2i_bio_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, bp, a); } +EVP_PKEY *d2i_PrivateKey_ex_bio(BIO *bp, EVP_PKEY **a, OPENSSL_CTX *libctx, + const char *propq) +{ + BUF_MEM *b = NULL; + const unsigned char *p; + void *ret = NULL; + int len; + + len = asn1_d2i_read_bio(bp, &b); + if (len < 0) + goto err; + + p = (unsigned char *)b->data; + ret = d2i_AutoPrivateKey_ex(a, &p, len, libctx, propq); + err: + BUF_MEM_free(b); + return ret; +} + int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey) { return ASN1_i2d_bio_of(EVP_PKEY, i2d_PUBKEY, bp, pkey); diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index 84e6e7f544..737c715e33 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h @@ -76,6 +76,11 @@ struct evp_pkey_asn1_method_st { EVP_KEYMGMT *to_keymgmt, OPENSSL_CTX *libctx, const char *propq); OSSL_CALLBACK *import_from; + + int (*priv_decode_with_libctx) (EVP_PKEY *pk, + const PKCS8_PRIV_KEY_INFO *p8inf, + OPENSSL_CTX *libctx, + const char *propq); } /* EVP_PKEY_ASN1_METHOD */ ; DEFINE_STACK_OF_CONST(EVP_PKEY_ASN1_METHOD) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 38adbd0c82..3f9cc9c683 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -736,4 +736,7 @@ const EVP_MD *evp_get_digestbyname_ex(OPENSSL_CTX *libctx, const char *name); */ int evp_pkey_ctx_set_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); int evp_pkey_ctx_get_params_strict(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); + +EVP_PKEY *evp_pkcs82pkey_int(const PKCS8_PRIV_KEY_INFO *p8, OPENSSL_CTX *libctx, + const char *propq); #endif /* !defined(FIPS_MODE) */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 3945e43fac..b1e2bb0dff 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1163,8 +1163,14 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length); int i2d_PublicKey(const EVP_PKEY *a, unsigned char **pp); + +EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp, + long length, OPENSSL_CTX *libctx, const char *propq); EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length); +EVP_PKEY *d2i_AutoPrivateKey_ex(EVP_PKEY **a, const unsigned char **pp, + long length, OPENSSL_CTX *libctx, + const char *propq); EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, long length); int i2d_PrivateKey(const EVP_PKEY *a, unsigned char **pp); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 8952e392a8..64156d495b 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -435,6 +435,8 @@ PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, const PKCS8_PRIV_KEY_INFO *p8inf); int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, const EVP_PKEY *key); int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey); +EVP_PKEY *d2i_PrivateKey_ex_fp(FILE *fp, EVP_PKEY **a, OPENSSL_CTX *libctx, + const char *propq); EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey); EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); @@ -475,6 +477,8 @@ PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, const PKCS8_PRIV_KEY_INFO *p8inf); int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, const EVP_PKEY *key); int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey); +EVP_PKEY *d2i_PrivateKey_ex_bio(BIO *bp, EVP_PKEY **a, OPENSSL_CTX *libctx, + const char *propq); EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey); EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); diff --git a/util/libcrypto.num b/util/libcrypto.num index 60202b9008..a867a3502f 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5050,3 +5050,7 @@ EVP_PKEY_get_ex_data ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_ec_paramgen_curve_name ? 3_0_0 EXIST::FUNCTION:EC EVP_PKEY_CTX_get_ec_paramgen_curve_name ? 3_0_0 EXIST::FUNCTION:EC EVP_PKEY_CTX_set_ec_paramgen_curve_nid ? 3_0_0 EXIST::FUNCTION:EC +d2i_PrivateKey_ex ? 3_0_0 EXIST::FUNCTION: +d2i_AutoPrivateKey_ex ? 3_0_0 EXIST::FUNCTION: +d2i_PrivateKey_ex_fp ? 3_0_0 EXIST::FUNCTION:STDIO +d2i_PrivateKey_ex_bio ? 3_0_0 EXIST::FUNCTION: -- 2.25.1