/[smecontribs]/rpms/openssl3/contribs10/0092-provider-improvements.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0092-provider-improvements.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:50 2024 UTC (9 months, 3 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
2     From: Simo Sorce <simo@redhat.com>
3     Date: Thu, 10 Nov 2022 10:46:32 -0500
4     Subject: [PATCH 1/3] Propagate selection all the way on key export
5    
6     EVP_PKEY_eq() is used to check, among other things, if a certificate
7     public key corresponds to a private key. When the private key belongs to
8     a provider that does not allow to export private keys this currently
9     fails as the internal functions used to import/export keys ignored the
10     selection given (which specifies that only the public key needs to be
11     considered) and instead tries to export everything.
12    
13     This patch allows to propagate the selection all the way down including
14     adding it in the cache so that a following operation actually looking
15     for other selection parameters does not mistakenly pick up an export
16     containing only partial information.
17    
18     Signed-off-by: Simo Sorce <simo@redhat.com>
19    
20     Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
21     Reviewed-by: Tomas Mraz <tomas@openssl.org>
22     (Merged from https://github.com/openssl/openssl/pull/19648)
23    
24     diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
25     index b06730dc7a..2d0238ee27 100644
26     --- a/crypto/evp/keymgmt_lib.c
27     +++ b/crypto/evp/keymgmt_lib.c
28     @@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
29     export_cb, export_cbarg);
30     }
31    
32     -void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
33     +void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
34     + int selection)
35     {
36     struct evp_keymgmt_util_try_import_data_st import_data;
37     OP_CACHE_ELEM *op;
38     @@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
39     */
40     if (pk->dirty_cnt == pk->dirty_cnt_copy) {
41     /* If this key is already exported to |keymgmt|, no more to do */
42     - op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
43     + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
44     if (op != NULL && op->keymgmt != NULL) {
45     void *ret = op->keydata;
46    
47     @@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
48     /* Setup for the export callback */
49     import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
50     import_data.keymgmt = keymgmt;
51     - import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
52     + import_data.selection = selection;
53    
54     /*
55     * The export function calls the callback (evp_keymgmt_util_try_import),
56     * which does the import for us. If successful, we're done.
57     */
58     - if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
59     + if (!evp_keymgmt_util_export(pk, selection,
60     &evp_keymgmt_util_try_import, &import_data))
61     /* If there was an error, bail out */
62     return NULL;
63     @@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
64     return NULL;
65     }
66     /* Check to make sure some other thread didn't get there first */
67     - op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
68     + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
69     if (op != NULL && op->keydata != NULL) {
70     void *ret = op->keydata;
71    
72     @@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
73     evp_keymgmt_util_clear_operation_cache(pk, 0);
74    
75     /* Add the new export to the operation cache */
76     - if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
77     + if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
78     + selection)) {
79     CRYPTO_THREAD_unlock(pk->lock);
80     evp_keymgmt_freedata(keymgmt, import_data.keydata);
81     return NULL;
82     @@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
83     }
84    
85     OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
86     - EVP_KEYMGMT *keymgmt)
87     + EVP_KEYMGMT *keymgmt,
88     + int selection)
89     {
90     int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
91     OP_CACHE_ELEM *p;
92     @@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
93     */
94     for (i = 0; i < end; i++) {
95     p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
96     - if (keymgmt == p->keymgmt)
97     + if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
98     return p;
99     }
100     return NULL;
101     }
102    
103     -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
104     - EVP_KEYMGMT *keymgmt, void *keydata)
105     +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
106     + void *keydata, int selection)
107     {
108     OP_CACHE_ELEM *p = NULL;
109    
110     @@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
111     return 0;
112     p->keydata = keydata;
113     p->keymgmt = keymgmt;
114     + p->selection = selection;
115    
116     if (!EVP_KEYMGMT_up_ref(keymgmt)) {
117     OPENSSL_free(p);
118     @@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
119     ok = 1;
120     if (keydata1 != NULL) {
121     tmp_keydata =
122     - evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
123     + evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
124     + selection);
125     ok = (tmp_keydata != NULL);
126     }
127     if (ok) {
128     @@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
129     ok = 1;
130     if (keydata2 != NULL) {
131     tmp_keydata =
132     - evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
133     + evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
134     + selection);
135     ok = (tmp_keydata != NULL);
136     }
137     if (ok) {
138     diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
139     index 70d17ec37e..905e9c9ce4 100644
140     --- a/crypto/evp/p_lib.c
141     +++ b/crypto/evp/p_lib.c
142     @@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
143     {
144     EVP_KEYMGMT *allocated_keymgmt = NULL;
145     EVP_KEYMGMT *tmp_keymgmt = NULL;
146     + int selection = OSSL_KEYMGMT_SELECT_ALL;
147     void *keydata = NULL;
148     int check;
149    
150     @@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
151     if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
152     if (!CRYPTO_THREAD_read_lock(pk->lock))
153     goto end;
154     - op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
155     + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
156     + selection);
157    
158     /*
159     * If |tmp_keymgmt| is present in the operation cache, it means
160     @@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
161     EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
162    
163     /* Check to make sure some other thread didn't get there first */
164     - op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
165     + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
166     if (op != NULL && op->keymgmt != NULL) {
167     void *tmp_keydata = op->keydata;
168    
169     @@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
170     }
171    
172     /* Add the new export to the operation cache */
173     - if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
174     + if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
175     + selection)) {
176     CRYPTO_THREAD_unlock(pk->lock);
177     evp_keymgmt_freedata(tmp_keymgmt, keydata);
178     keydata = NULL;
179     @@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
180     }
181     #endif /* FIPS_MODULE */
182    
183     - keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
184     + keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
185    
186     end:
187     /*
188     diff --git a/include/crypto/evp.h b/include/crypto/evp.h
189     index f601b72807..dbbdcccbda 100644
190     --- a/include/crypto/evp.h
191     +++ b/include/crypto/evp.h
192     @@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
193     typedef struct {
194     EVP_KEYMGMT *keymgmt;
195     void *keydata;
196     + int selection;
197     } OP_CACHE_ELEM;
198    
199     DEFINE_STACK_OF(OP_CACHE_ELEM)
200     @@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
201    
202     int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
203     OSSL_CALLBACK *export_cb, void *export_cbarg);
204     -void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
205     +void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
206     + int selection);
207     OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
208     - EVP_KEYMGMT *keymgmt);
209     + EVP_KEYMGMT *keymgmt,
210     + int selection);
211     int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
212     -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
213     - EVP_KEYMGMT *keymgmt, void *keydata);
214     +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
215     + void *keydata, int selection);
216     void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
217     void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
218     int selection, const OSSL_PARAM params[]);
219     --
220     2.38.1
221    
222     From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
223     From: Simo Sorce <simo@redhat.com>
224     Date: Thu, 10 Nov 2022 16:58:28 -0500
225     Subject: [PATCH 2/3] Update documentation for keymgmt export utils
226    
227     Change function prototypes and explain how to use the selection
228     argument.
229    
230     Signed-off-by: Simo Sorce <simo@redhat.com>
231    
232     Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
233     Reviewed-by: Tomas Mraz <tomas@openssl.org>
234     (Merged from https://github.com/openssl/openssl/pull/19648)
235    
236     diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
237     index 1fee9f6ff9..7099e44964 100644
238     --- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
239     +++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
240     @@ -20,12 +20,14 @@ OP_CACHE_ELEM
241    
242     int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
243     OSSL_CALLBACK *export_cb, void *export_cbarg);
244     - void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
245     + void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
246     + int selection);
247     OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
248     - EVP_KEYMGMT *keymgmt);
249     + EVP_KEYMGMT *keymgmt,
250     + int selection);
251     int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
252     - int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
253     - EVP_KEYMGMT *keymgmt, void *keydata);
254     + int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
255     + void *keydata, int selection);
256     void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
257     void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
258     int selection, const OSSL_PARAM params[]);
259     @@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
260     given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
261     helper for L<EVP_PKEY_fromdata(3)>.
262    
263     +In all functions that take a I<selection> argument, the selection is used to
264     +constraint the information requested on export. It is also used in the cache
265     +so that key data is guaranteed to contain all the information requested in
266     +the selection.
267     +
268     =head1 RETURN VALUES
269    
270     evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
271     --
272     2.38.1
273    
274     From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
275     From: Simo Sorce <simo@redhat.com>
276     Date: Fri, 11 Nov 2022 12:18:26 -0500
277     Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
278    
279     This tests that the comparison work even if a provider can only return
280     a public key.
281    
282     Signed-off-by: Simo Sorce <simo@redhat.com>
283    
284     Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
285     Reviewed-by: Tomas Mraz <tomas@openssl.org>
286     (Merged from https://github.com/openssl/openssl/pull/19648)
287    
288     diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
289     index d556551bb6..5e92e72d4b 100644
290     --- a/test/fake_rsaprov.c
291     +++ b/test/fake_rsaprov.c
292     @@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
293     static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
294     static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
295     static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
296     +static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
297     +static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
298     static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
299    
300     static int has_selection;
301     static int imptypes_selection;
302     +static int exptypes_selection;
303     static int query_id;
304    
305     +struct fake_rsa_keydata {
306     + int selection;
307     + int status;
308     +};
309     +
310     static void *fake_rsa_keymgmt_new(void *provctx)
311     {
312     - unsigned char *keydata = OPENSSL_zalloc(1);
313     + struct fake_rsa_keydata *key;
314    
315     - TEST_ptr(keydata);
316     + if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
317     + return NULL;
318    
319     /* clear test globals */
320     has_selection = 0;
321     imptypes_selection = 0;
322     + exptypes_selection = 0;
323     query_id = 0;
324    
325     - return keydata;
326     + return key;
327     }
328    
329     static void fake_rsa_keymgmt_free(void *keydata)
330     @@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
331     static int fake_rsa_keymgmt_import(void *keydata, int selection,
332     const OSSL_PARAM *p)
333     {
334     - unsigned char *fake_rsa_key = keydata;
335     + struct fake_rsa_keydata *fake_rsa_key = keydata;
336    
337     /* key was imported */
338     - *fake_rsa_key = 1;
339     + fake_rsa_key->status = 1;
340    
341     return 1;
342     }
343    
344     +static unsigned char fake_rsa_n[] =
345     + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
346     + "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
347     + "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
348     + "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
349     + "\xF5";
350     +
351     +static unsigned char fake_rsa_e[] = "\x11";
352     +
353     +static unsigned char fake_rsa_d[] =
354     + "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
355     + "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
356     + "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
357     + "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
358     +
359     +static unsigned char fake_rsa_p[] =
360     + "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
361     + "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
362     + "\x0D";
363     +
364     +static unsigned char fake_rsa_q[] =
365     + "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
366     + "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
367     + "\x89";
368     +
369     +static unsigned char fake_rsa_dmp1[] =
370     + "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
371     + "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
372     +
373     +static unsigned char fake_rsa_dmq1[] =
374     + "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
375     + "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
376     + "\x51";
377     +
378     +static unsigned char fake_rsa_iqmp[] =
379     + "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
380     + "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
381     +
382     +OSSL_PARAM *fake_rsa_key_params(int priv)
383     +{
384     + if (priv) {
385     + OSSL_PARAM params[] = {
386     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
387     + sizeof(fake_rsa_n) -1),
388     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
389     + sizeof(fake_rsa_e) -1),
390     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
391     + sizeof(fake_rsa_d) -1),
392     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
393     + sizeof(fake_rsa_p) -1),
394     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
395     + sizeof(fake_rsa_q) -1),
396     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
397     + sizeof(fake_rsa_dmp1) -1),
398     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
399     + sizeof(fake_rsa_dmq1) -1),
400     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
401     + sizeof(fake_rsa_iqmp) -1),
402     + OSSL_PARAM_END
403     + };
404     + return OSSL_PARAM_dup(params);
405     + } else {
406     + OSSL_PARAM params[] = {
407     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
408     + sizeof(fake_rsa_n) -1),
409     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
410     + sizeof(fake_rsa_e) -1),
411     + OSSL_PARAM_END
412     + };
413     + return OSSL_PARAM_dup(params);
414     + }
415     +}
416     +
417     +static int fake_rsa_keymgmt_export(void *keydata, int selection,
418     + OSSL_CALLBACK *param_callback, void *cbarg)
419     +{
420     + OSSL_PARAM *params = NULL;
421     + int ret;
422     +
423     + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
424     + return 0;
425     +
426     + if (!TEST_ptr(params = fake_rsa_key_params(0)))
427     + return 0;
428     +
429     + ret = param_callback(params, cbarg);
430     + OSSL_PARAM_free(params);
431     + return ret;
432     +}
433     +
434     static const OSSL_PARAM fake_rsa_import_key_types[] = {
435     OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
436     OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
437     @@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
438     return fake_rsa_import_key_types;
439     }
440    
441     +static const OSSL_PARAM fake_rsa_export_key_types[] = {
442     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
443     + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
444     + OSSL_PARAM_END
445     +};
446     +
447     +static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
448     +{
449     + /* record global for checking */
450     + exptypes_selection = selection;
451     +
452     + return fake_rsa_export_key_types;
453     +}
454     +
455     static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
456     {
457     - unsigned char *key = NULL;
458     + struct fake_rsa_keydata *key = NULL;
459    
460     - if (reference_sz != sizeof(key))
461     + if (reference_sz != sizeof(*key))
462     return NULL;
463    
464     - key = *(unsigned char **)reference;
465     - if (*key != 1)
466     + key = *(struct fake_rsa_keydata **)reference;
467     + if (key->status != 1)
468     return NULL;
469    
470     /* detach the reference */
471     - *(unsigned char **)reference = NULL;
472     + *(struct fake_rsa_keydata **)reference = NULL;
473    
474     return key;
475     }
476     @@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
477     {
478     unsigned char *gctx = genctx;
479     static const unsigned char inited[] = { 1 };
480     - unsigned char *keydata;
481     + struct fake_rsa_keydata *keydata;
482    
483     if (!TEST_ptr(gctx)
484     || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
485     @@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
486     if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
487     return NULL;
488    
489     - *keydata = 2;
490     + keydata->status = 2;
491     return keydata;
492     }
493    
494     @@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
495     { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
496     { OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
497     (void (*)(void))fake_rsa_keymgmt_imptypes },
498     + { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
499     + { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
500     + (void (*)(void))fake_rsa_keymgmt_exptypes },
501     { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
502     { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
503     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
504     @@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
505     const OSSL_PARAM params[])
506     {
507     unsigned char *sigctx = ctx;
508     - unsigned char *keydata = provkey;
509     + struct fake_rsa_keydata *keydata = provkey;
510    
511     /* we must have a ctx */
512     if (!TEST_ptr(sigctx))
513     return 0;
514    
515     /* we must have some initialized key */
516     - if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
517     + if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
518     return 0;
519    
520     /* record that sign init was called */
521     @@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
522     unsigned char *storectx = loaderctx;
523     OSSL_PARAM params[4];
524     int object_type = OSSL_OBJECT_PKEY;
525     - void *key = NULL;
526     + struct fake_rsa_keydata *key = NULL;
527     int rv = 0;
528    
529     switch (*storectx) {
530     @@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
531     /* The address of the key becomes the octet string */
532     params[2] =
533     OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
534     - &key, sizeof(key));
535     + &key, sizeof(*key));
536     params[3] = OSSL_PARAM_construct_end();
537     rv = object_cb(params, object_cbarg);
538     *storectx = 1;
539     diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
540     index 57de1ecf8d..190c46a285 100644
541     --- a/test/fake_rsaprov.h
542     +++ b/test/fake_rsaprov.h
543     @@ -12,3 +12,4 @@
544     /* Fake RSA provider implementation */
545     OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
546     void fake_rsa_finish(OSSL_PROVIDER *p);
547     +OSSL_PARAM *fake_rsa_key_params(int priv);
548     diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
549     index 5c398398f4..3b190baa5e 100644
550     --- a/test/provider_pkey_test.c
551     +++ b/test/provider_pkey_test.c
552     @@ -176,6 +176,67 @@ end:
553     return ret;
554     }
555    
556     +static int test_pkey_eq(void)
557     +{
558     + OSSL_PROVIDER *deflt = NULL;
559     + OSSL_PROVIDER *fake_rsa = NULL;
560     + EVP_PKEY *pkey_fake = NULL;
561     + EVP_PKEY *pkey_dflt = NULL;
562     + EVP_PKEY_CTX *ctx = NULL;
563     + OSSL_PARAM *params = NULL;
564     + int ret = 0;
565     +
566     + if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
567     + return 0;
568     +
569     + if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
570     + goto end;
571     +
572     + /* Construct a public key for fake-rsa */
573     + if (!TEST_ptr(params = fake_rsa_key_params(0))
574     + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
575     + "provider=fake-rsa"))
576     + || !TEST_true(EVP_PKEY_fromdata_init(ctx))
577     + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
578     + params))
579     + || !TEST_ptr(pkey_fake))
580     + goto end;
581     +
582     + EVP_PKEY_CTX_free(ctx);
583     + ctx = NULL;
584     + OSSL_PARAM_free(params);
585     + params = NULL;
586     +
587     + /* Construct a public key for default */
588     + if (!TEST_ptr(params = fake_rsa_key_params(0))
589     + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
590     + "provider=default"))
591     + || !TEST_true(EVP_PKEY_fromdata_init(ctx))
592     + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
593     + params))
594     + || !TEST_ptr(pkey_dflt))
595     + goto end;
596     +
597     + EVP_PKEY_CTX_free(ctx);
598     + ctx = NULL;
599     + OSSL_PARAM_free(params);
600     + params = NULL;
601     +
602     + /* now test for equality */
603     + if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
604     + goto end;
605     +
606     + ret = 1;
607     +end:
608     + fake_rsa_finish(fake_rsa);
609     + OSSL_PROVIDER_unload(deflt);
610     + EVP_PKEY_CTX_free(ctx);
611     + EVP_PKEY_free(pkey_fake);
612     + EVP_PKEY_free(pkey_dflt);
613     + OSSL_PARAM_free(params);
614     + return ret;
615     +}
616     +
617     static int test_pkey_store(int idx)
618     {
619     OSSL_PROVIDER *deflt = NULL;
620     @@ -235,6 +296,7 @@ int setup_tests(void)
621    
622     ADD_TEST(test_pkey_sig);
623     ADD_TEST(test_alternative_keygen_init);
624     + ADD_TEST(test_pkey_eq);
625     ADD_ALL_TESTS(test_pkey_store, 2);
626    
627     return 1;
628     --
629     2.38.1
630    
631     From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
632     From: Simo Sorce <simo@redhat.com>
633     Date: Mon, 14 Nov 2022 10:25:15 -0500
634     Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
635    
636     The providers indication should always indicate that this is not a
637     legacy request.
638     This makes a check for engines redundant as the default return is that
639     legacy is ok if there are no explicit providers.
640    
641     Fixes #19662
642    
643     Signed-off-by: Simo Sorce <simo@redhat.com>
644    
645     Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
646     Reviewed-by: Paul Dale <pauli@openssl.org>
647     Reviewed-by: Tomas Mraz <tomas@openssl.org>
648     (Merged from https://github.com/openssl/openssl/pull/19671)
649     ---
650     apps/lib/apps.c | 8 --------
651     test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
652     2 files changed, 23 insertions(+), 8 deletions(-)
653     create mode 100755 test/recipes/20-test_legacy_okay.t
654    
655     diff --git a/apps/lib/apps.c b/apps/lib/apps.c
656     index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
657     --- a/apps/lib/apps.c
658     +++ b/apps/lib/apps.c
659     @@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
660     {
661     int provider_options = opt_provider_option_given();
662     int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
663     -#ifndef OPENSSL_NO_ENGINE
664     - ENGINE *e = ENGINE_get_first();
665     -
666     - if (e != NULL) {
667     - ENGINE_free(e);
668     - return 1;
669     - }
670     -#endif
671     /*
672     * Having a provider option specified or a custom library context or
673     * property query, is a sure sign we're not using legacy.
674     diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
675     new file mode 100755
676     index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
677     --- /dev/null
678     +++ b/test/recipes/20-test_legacy_okay.t
679     @@ -0,0 +1,23 @@
680     +#! /usr/bin/env perl
681     +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
682     +#
683     +# Licensed under the Apache License 2.0 (the "License"). You may not use
684     +# this file except in compliance with the License. You can obtain a copy
685     +# in the file LICENSE in the source distribution or at
686     +# https://www.openssl.org/source/license.html
687     +
688     +use strict;
689     +use warnings;
690     +
691     +use OpenSSL::Test;
692     +
693     +setup("test_legacy");
694     +
695     +plan tests => 3;
696     +
697     +ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
698     +
699     +ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
700     +
701     +ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
702     + 'rand.txt'])), "Fail to generate a digest");
703     --
704     2.38.1
705    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed