mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-03 05:41:46 +08:00
Code Issues Packages Projects Releases Wiki Activity
d5e66eab0b
openssl/crypto/evp/keymgmt_lib.c
Shane Lontis d5e66eab0b Fix coverity issues CID 1457745...1457752, 1457853, 1457854 
CID 1457854 - keymgmt_lib.c : OVERRUN
CID 1457853 - self_test_kats.c : UNINT
CID 1457752 - fipsprov.c RESOURCE_LEAK (code change in another PR removed this)
CID 1457751 - apps/pkcs12.c CHECKED_RETURN
CID 1457750 - dsa_ossl.c RESOURCE_LEAK (marked as false positive since tmp can not be NULL)
CID 1457749 - apps/nseq.c : CHECKED_RETURN
CID 1457748 - cipher_aes_cbc_hmac_sha.c : SIZEOF_MISMATCH
CID 1457747 - cipher_aes_cbc_hmac_sha.c : SIZEOF_MISMATCH
CID 1457746 - same as 1457752
CID 1457745 - apps/ocsp  : CHECKED_RETURN

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10934)
2020-02-04 13:50:51 +10:00

372 lines
11 KiB
C
Raw Blame History

/*
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/core_names.h>
#include "internal/cryptlib.h"
#include "internal/nelem.h"
#include "crypto/evp.h"
#include "crypto/asn1.h"
#include "internal/core.h"
#include "internal/provider.h"
#include "evp_local.h"
struct import_data_st {
void *provctx;
void *(*importfn)(const EVP_KEYMGMT *keymgmt, const OSSL_PARAM params[]);
/* Result */
void *provdata;
};
static int try_import(const OSSL_PARAM params[], void *arg)
{
struct import_data_st *data = arg;
data->provdata = data->importfn(data->provctx, params);
return data->provdata != NULL;
}
void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
int want_domainparams)
{
void *provdata = NULL;
size_t i, j;
/*
* If there is an underlying legacy key and it has changed, invalidate
* the cache of provider keys.
*/
if (pk->pkey.ptr != NULL) {
/*
* If there is no dirty counter, this key can't be used with
* providers.
*/
if (pk->ameth->dirty_cnt == NULL)
return NULL;
if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
evp_keymgmt_clear_pkey_cache(pk);
}
/*
* See if we have exported to this provider already.
* If we have, return immediately.
*/
for (i = 0;
i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
i++) {
if (keymgmt == pk->pkeys[i].keymgmt
&& want_domainparams == pk->pkeys[i].domainparams)
return pk->pkeys[i].provdata;
}
if (pk->pkey.ptr != NULL) {
/* There is a legacy key, try to export that one to the provider */
/* If the legacy key doesn't have an export function, give up */
if (pk->ameth->export_to == NULL)
return NULL;
/* Otherwise, simply use it. */
provdata = pk->ameth->export_to(pk, keymgmt, want_domainparams);
/* Synchronize the dirty count, but only if we exported successfully */
if (provdata != NULL)
pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
} else {
/*
* Here, there is no legacy key, so we look at the already cached
* provider keys, and import from the first that supports it
* (i.e. use its export function), and export the imported data to
* the new provider.
*/
/* Setup for the export callback */
struct import_data_st import_data;
import_data.importfn =
want_domainparams
? evp_keymgmt_importdomparams
: evp_keymgmt_importkey;
import_data.provdata = NULL;
/*
* If the given keymgmt doesn't have an import function, give up
*/
if (import_data.importfn == NULL)
return NULL;
for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
int (*exportfn)(const EVP_KEYMGMT *keymgmt, void *provdata,
OSSL_CALLBACK *cb, void *cbarg) =
want_domainparams
? evp_keymgmt_exportdomparams
: evp_keymgmt_exportkey;
if (exportfn != NULL) {
import_data.provctx =
ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
/*
* The export function calls the callback (try_import), which
* does the import for us.
* Even though we got a success return, we double check that
* we actually got something, just in case some implementation
* forgets to check the return value.
*/
if (exportfn(pk->pkeys[j].keymgmt, pk->pkeys[j].provdata,
&try_import, &import_data)
&& (provdata = import_data.provdata) != NULL)
break;
}
}
}
/*
* TODO(3.0) Right now, we assume we have ample space. We will
* have to think about a cache aging scheme, though, if |i| indexes
* outside the array.
*/
if (!ossl_assert(i < OSSL_NELEM(pk->pkeys)))
return NULL;
evp_keymgmt_cache_pkey(pk, i, keymgmt, provdata, want_domainparams);
return provdata;
}
void evp_keymgmt_clear_pkey_cache(EVP_PKEY *pk)
{
size_t i;
if (pk != NULL) {
for (i = 0;
i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
i++) {
EVP_KEYMGMT *keymgmt = pk->pkeys[i].keymgmt;
void *provdata = pk->pkeys[i].provdata;
pk->pkeys[i].keymgmt = NULL;
pk->pkeys[i].provdata = NULL;
if (pk->pkeys[i].domainparams)
evp_keymgmt_freedomparams(keymgmt, provdata);
else
evp_keymgmt_freekey(keymgmt, provdata);
EVP_KEYMGMT_free(keymgmt);
}
pk->cache.size = 0;
pk->cache.bits = 0;
pk->cache.security_bits = 0;
}
}
void evp_keymgmt_cache_pkey(EVP_PKEY *pk, size_t index, EVP_KEYMGMT *keymgmt,
void *provdata, int domainparams)
{
if (provdata != NULL) {
EVP_KEYMGMT_up_ref(keymgmt);
pk->pkeys[index].keymgmt = keymgmt;
pk->pkeys[index].provdata = provdata;
pk->pkeys[index].domainparams = domainparams;
/*
* Cache information about the domain parameters or key. Only needed
* for the "original" provider side key.
*
* This services functions like EVP_PKEY_size, EVP_PKEY_bits, etc
*/
if (index == 0) {
int ok;
int bits = 0;
int security_bits = 0;
int size = 0;
OSSL_PARAM params[4];
params[0] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_BITS, &bits);
params[1] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_SECURITY_BITS,
&security_bits);
params[2] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_MAX_SIZE, &size);
params[3] = OSSL_PARAM_construct_end();
ok = domainparams
? evp_keymgmt_get_domparam_params(keymgmt, provdata, params)
: evp_keymgmt_get_key_params(keymgmt, provdata, params);
if (ok) {
pk->cache.size = size;
pk->cache.bits = bits;
pk->cache.security_bits = security_bits;
}
}
}
}
void *evp_keymgmt_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
const OSSL_PARAM params[], int domainparams)
{
void *provdata = domainparams
? evp_keymgmt_importdomparams(keymgmt, params)
: evp_keymgmt_importkey(keymgmt, params);
evp_keymgmt_clear_pkey_cache(target);
evp_keymgmt_cache_pkey(target, 0, keymgmt, provdata, domainparams);
return provdata;
}
/* internal functions */
/* TODO(3.0) decide if these should be public or internal */
void *evp_keymgmt_importdomparams(const EVP_KEYMGMT *keymgmt,
const OSSL_PARAM params[])
{
void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
return keymgmt->importdomparams(provctx, params);
}
void *evp_keymgmt_gendomparams(const EVP_KEYMGMT *keymgmt,
const OSSL_PARAM params[])
{
void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
return keymgmt->gendomparams(provctx, params);
}
void evp_keymgmt_freedomparams(const EVP_KEYMGMT *keymgmt,
void *provdomparams)
{
keymgmt->freedomparams(provdomparams);
}
int evp_keymgmt_exportdomparams(const EVP_KEYMGMT *keymgmt,
void *provdomparams,
OSSL_CALLBACK *param_cb, void *cbarg)
{
return keymgmt->exportdomparams(provdomparams, param_cb, cbarg);
}
const OSSL_PARAM *evp_keymgmt_importdomparam_types(const EVP_KEYMGMT *keymgmt)
{
return keymgmt->importdomparam_types();
}
/*
* TODO(v3.0) investigate if we need this function. 'openssl provider' may
* be a caller...
*/
const OSSL_PARAM *evp_keymgmt_exportdomparam_types(const EVP_KEYMGMT *keymgmt)
{
return keymgmt->exportdomparam_types();
}
int evp_keymgmt_get_domparam_params(const EVP_KEYMGMT *keymgmt,
void *provdomparams, OSSL_PARAM params[])
{
if (keymgmt->get_domparam_params == NULL)
return 1;
return keymgmt->get_domparam_params(provdomparams, params);
}
const OSSL_PARAM *
evp_keymgmt_gettable_domparam_params(const EVP_KEYMGMT *keymgmt)
{
if (keymgmt->gettable_domparam_params == NULL)
return NULL;
return keymgmt->gettable_domparam_params();
}
void *evp_keymgmt_importkey(const EVP_KEYMGMT *keymgmt,
const OSSL_PARAM params[])
{
void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
return keymgmt->importkey(provctx, params);
}
void *evp_keymgmt_genkey(const EVP_KEYMGMT *keymgmt, void *domparams,
const OSSL_PARAM params[])
{
void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
return keymgmt->genkey(provctx, domparams, params);
}
void *evp_keymgmt_loadkey(const EVP_KEYMGMT *keymgmt,
void *id, size_t idlen)
{
void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
return keymgmt->loadkey(provctx, id, idlen);
}
void evp_keymgmt_freekey(const EVP_KEYMGMT *keymgmt, void *provkey)
{
keymgmt->freekey(provkey);
}
int evp_keymgmt_exportkey(const EVP_KEYMGMT *keymgmt, void *provkey,
OSSL_CALLBACK *param_cb, void *cbarg)
{
return keymgmt->exportkey(provkey, param_cb, cbarg);
}
const OSSL_PARAM *evp_keymgmt_importkey_types(const EVP_KEYMGMT *keymgmt)
{
return keymgmt->importkey_types();
}
/*
* TODO(v3.0) investigate if we need this function. 'openssl provider' may
* be a caller...
*/
const OSSL_PARAM *evp_keymgmt_exportkey_types(const EVP_KEYMGMT *keymgmt)
{
return keymgmt->exportkey_types();
}
int evp_keymgmt_get_key_params(const EVP_KEYMGMT *keymgmt,
void *provkey, OSSL_PARAM params[])
{
if (keymgmt->get_key_params == NULL)
return 1;
return keymgmt->get_key_params(provkey, params);
}
const OSSL_PARAM *evp_keymgmt_gettable_key_params(const EVP_KEYMGMT *keymgmt)
{
if (keymgmt->gettable_key_params == NULL)
return NULL;
return keymgmt->gettable_key_params();
}
int evp_keymgmt_validate_domparams(const EVP_KEYMGMT *keymgmt, void *provkey)
{
/* if domainparams are not supported - then pass */
if (keymgmt->validatedomparams == NULL)
return 1;
return keymgmt->validatedomparams(provkey);
}
int evp_keymgmt_validate_public(const EVP_KEYMGMT *keymgmt, void *provkey)
{
return keymgmt->validatepublic(provkey);
}
int evp_keymgmt_validate_private(const EVP_KEYMGMT *keymgmt, void *provkey)
{
return keymgmt->validateprivate(provkey);
}
int evp_keymgmt_validate_pairwise(const EVP_KEYMGMT *keymgmt, void *provkey)
{
return keymgmt->validatepairwise(provkey);
}
Reference in New Issue View Git Blame Copy Permalink