/[smecontribs]/rpms/openssl3/contribs10/0092-provider-improvements.patch
ViewVC logotype

Contents of /rpms/openssl3/contribs10/0092-provider-improvements.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:50 2024 UTC (9 months, 3 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
2 From: Simo Sorce <simo@redhat.com>
3 Date: Thu, 10 Nov 2022 10:46:32 -0500
4 Subject: [PATCH 1/3] Propagate selection all the way on key export
5
6 EVP_PKEY_eq() is used to check, among other things, if a certificate
7 public key corresponds to a private key. When the private key belongs to
8 a provider that does not allow to export private keys this currently
9 fails as the internal functions used to import/export keys ignored the
10 selection given (which specifies that only the public key needs to be
11 considered) and instead tries to export everything.
12
13 This patch allows to propagate the selection all the way down including
14 adding it in the cache so that a following operation actually looking
15 for other selection parameters does not mistakenly pick up an export
16 containing only partial information.
17
18 Signed-off-by: Simo Sorce <simo@redhat.com>
19
20 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
21 Reviewed-by: Tomas Mraz <tomas@openssl.org>
22 (Merged from https://github.com/openssl/openssl/pull/19648)
23
24 diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
25 index b06730dc7a..2d0238ee27 100644
26 --- a/crypto/evp/keymgmt_lib.c
27 +++ b/crypto/evp/keymgmt_lib.c
28 @@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
29 export_cb, export_cbarg);
30 }
31
32 -void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
33 +void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
34 + int selection)
35 {
36 struct evp_keymgmt_util_try_import_data_st import_data;
37 OP_CACHE_ELEM *op;
38 @@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
39 */
40 if (pk->dirty_cnt == pk->dirty_cnt_copy) {
41 /* If this key is already exported to |keymgmt|, no more to do */
42 - op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
43 + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
44 if (op != NULL && op->keymgmt != NULL) {
45 void *ret = op->keydata;
46
47 @@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
48 /* Setup for the export callback */
49 import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
50 import_data.keymgmt = keymgmt;
51 - import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
52 + import_data.selection = selection;
53
54 /*
55 * The export function calls the callback (evp_keymgmt_util_try_import),
56 * which does the import for us. If successful, we're done.
57 */
58 - if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
59 + if (!evp_keymgmt_util_export(pk, selection,
60 &evp_keymgmt_util_try_import, &import_data))
61 /* If there was an error, bail out */
62 return NULL;
63 @@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
64 return NULL;
65 }
66 /* Check to make sure some other thread didn't get there first */
67 - op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
68 + op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
69 if (op != NULL && op->keydata != NULL) {
70 void *ret = op->keydata;
71
72 @@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
73 evp_keymgmt_util_clear_operation_cache(pk, 0);
74
75 /* Add the new export to the operation cache */
76 - if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
77 + if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
78 + selection)) {
79 CRYPTO_THREAD_unlock(pk->lock);
80 evp_keymgmt_freedata(keymgmt, import_data.keydata);
81 return NULL;
82 @@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
83 }
84
85 OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
86 - EVP_KEYMGMT *keymgmt)
87 + EVP_KEYMGMT *keymgmt,
88 + int selection)
89 {
90 int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
91 OP_CACHE_ELEM *p;
92 @@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
93 */
94 for (i = 0; i < end; i++) {
95 p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
96 - if (keymgmt == p->keymgmt)
97 + if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
98 return p;
99 }
100 return NULL;
101 }
102
103 -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
104 - EVP_KEYMGMT *keymgmt, void *keydata)
105 +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
106 + void *keydata, int selection)
107 {
108 OP_CACHE_ELEM *p = NULL;
109
110 @@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
111 return 0;
112 p->keydata = keydata;
113 p->keymgmt = keymgmt;
114 + p->selection = selection;
115
116 if (!EVP_KEYMGMT_up_ref(keymgmt)) {
117 OPENSSL_free(p);
118 @@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
119 ok = 1;
120 if (keydata1 != NULL) {
121 tmp_keydata =
122 - evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
123 + evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
124 + selection);
125 ok = (tmp_keydata != NULL);
126 }
127 if (ok) {
128 @@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
129 ok = 1;
130 if (keydata2 != NULL) {
131 tmp_keydata =
132 - evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
133 + evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
134 + selection);
135 ok = (tmp_keydata != NULL);
136 }
137 if (ok) {
138 diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
139 index 70d17ec37e..905e9c9ce4 100644
140 --- a/crypto/evp/p_lib.c
141 +++ b/crypto/evp/p_lib.c
142 @@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
143 {
144 EVP_KEYMGMT *allocated_keymgmt = NULL;
145 EVP_KEYMGMT *tmp_keymgmt = NULL;
146 + int selection = OSSL_KEYMGMT_SELECT_ALL;
147 void *keydata = NULL;
148 int check;
149
150 @@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
151 if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
152 if (!CRYPTO_THREAD_read_lock(pk->lock))
153 goto end;
154 - op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
155 + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
156 + selection);
157
158 /*
159 * If |tmp_keymgmt| is present in the operation cache, it means
160 @@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
161 EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
162
163 /* Check to make sure some other thread didn't get there first */
164 - op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
165 + op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
166 if (op != NULL && op->keymgmt != NULL) {
167 void *tmp_keydata = op->keydata;
168
169 @@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
170 }
171
172 /* Add the new export to the operation cache */
173 - if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
174 + if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
175 + selection)) {
176 CRYPTO_THREAD_unlock(pk->lock);
177 evp_keymgmt_freedata(tmp_keymgmt, keydata);
178 keydata = NULL;
179 @@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
180 }
181 #endif /* FIPS_MODULE */
182
183 - keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
184 + keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
185
186 end:
187 /*
188 diff --git a/include/crypto/evp.h b/include/crypto/evp.h
189 index f601b72807..dbbdcccbda 100644
190 --- a/include/crypto/evp.h
191 +++ b/include/crypto/evp.h
192 @@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
193 typedef struct {
194 EVP_KEYMGMT *keymgmt;
195 void *keydata;
196 + int selection;
197 } OP_CACHE_ELEM;
198
199 DEFINE_STACK_OF(OP_CACHE_ELEM)
200 @@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
201
202 int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
203 OSSL_CALLBACK *export_cb, void *export_cbarg);
204 -void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
205 +void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
206 + int selection);
207 OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
208 - EVP_KEYMGMT *keymgmt);
209 + EVP_KEYMGMT *keymgmt,
210 + int selection);
211 int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
212 -int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
213 - EVP_KEYMGMT *keymgmt, void *keydata);
214 +int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
215 + void *keydata, int selection);
216 void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
217 void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
218 int selection, const OSSL_PARAM params[]);
219 --
220 2.38.1
221
222 From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
223 From: Simo Sorce <simo@redhat.com>
224 Date: Thu, 10 Nov 2022 16:58:28 -0500
225 Subject: [PATCH 2/3] Update documentation for keymgmt export utils
226
227 Change function prototypes and explain how to use the selection
228 argument.
229
230 Signed-off-by: Simo Sorce <simo@redhat.com>
231
232 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
233 Reviewed-by: Tomas Mraz <tomas@openssl.org>
234 (Merged from https://github.com/openssl/openssl/pull/19648)
235
236 diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
237 index 1fee9f6ff9..7099e44964 100644
238 --- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
239 +++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
240 @@ -20,12 +20,14 @@ OP_CACHE_ELEM
241
242 int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
243 OSSL_CALLBACK *export_cb, void *export_cbarg);
244 - void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
245 + void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
246 + int selection);
247 OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
248 - EVP_KEYMGMT *keymgmt);
249 + EVP_KEYMGMT *keymgmt,
250 + int selection);
251 int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
252 - int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
253 - EVP_KEYMGMT *keymgmt, void *keydata);
254 + int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
255 + void *keydata, int selection);
256 void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
257 void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
258 int selection, const OSSL_PARAM params[]);
259 @@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
260 given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
261 helper for L<EVP_PKEY_fromdata(3)>.
262
263 +In all functions that take a I<selection> argument, the selection is used to
264 +constraint the information requested on export. It is also used in the cache
265 +so that key data is guaranteed to contain all the information requested in
266 +the selection.
267 +
268 =head1 RETURN VALUES
269
270 evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
271 --
272 2.38.1
273
274 From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
275 From: Simo Sorce <simo@redhat.com>
276 Date: Fri, 11 Nov 2022 12:18:26 -0500
277 Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
278
279 This tests that the comparison work even if a provider can only return
280 a public key.
281
282 Signed-off-by: Simo Sorce <simo@redhat.com>
283
284 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
285 Reviewed-by: Tomas Mraz <tomas@openssl.org>
286 (Merged from https://github.com/openssl/openssl/pull/19648)
287
288 diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
289 index d556551bb6..5e92e72d4b 100644
290 --- a/test/fake_rsaprov.c
291 +++ b/test/fake_rsaprov.c
292 @@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
293 static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
294 static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
295 static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
296 +static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
297 +static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
298 static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
299
300 static int has_selection;
301 static int imptypes_selection;
302 +static int exptypes_selection;
303 static int query_id;
304
305 +struct fake_rsa_keydata {
306 + int selection;
307 + int status;
308 +};
309 +
310 static void *fake_rsa_keymgmt_new(void *provctx)
311 {
312 - unsigned char *keydata = OPENSSL_zalloc(1);
313 + struct fake_rsa_keydata *key;
314
315 - TEST_ptr(keydata);
316 + if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
317 + return NULL;
318
319 /* clear test globals */
320 has_selection = 0;
321 imptypes_selection = 0;
322 + exptypes_selection = 0;
323 query_id = 0;
324
325 - return keydata;
326 + return key;
327 }
328
329 static void fake_rsa_keymgmt_free(void *keydata)
330 @@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
331 static int fake_rsa_keymgmt_import(void *keydata, int selection,
332 const OSSL_PARAM *p)
333 {
334 - unsigned char *fake_rsa_key = keydata;
335 + struct fake_rsa_keydata *fake_rsa_key = keydata;
336
337 /* key was imported */
338 - *fake_rsa_key = 1;
339 + fake_rsa_key->status = 1;
340
341 return 1;
342 }
343
344 +static unsigned char fake_rsa_n[] =
345 + "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
346 + "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
347 + "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
348 + "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
349 + "\xF5";
350 +
351 +static unsigned char fake_rsa_e[] = "\x11";
352 +
353 +static unsigned char fake_rsa_d[] =
354 + "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
355 + "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
356 + "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
357 + "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
358 +
359 +static unsigned char fake_rsa_p[] =
360 + "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
361 + "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
362 + "\x0D";
363 +
364 +static unsigned char fake_rsa_q[] =
365 + "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
366 + "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
367 + "\x89";
368 +
369 +static unsigned char fake_rsa_dmp1[] =
370 + "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
371 + "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
372 +
373 +static unsigned char fake_rsa_dmq1[] =
374 + "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
375 + "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
376 + "\x51";
377 +
378 +static unsigned char fake_rsa_iqmp[] =
379 + "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
380 + "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
381 +
382 +OSSL_PARAM *fake_rsa_key_params(int priv)
383 +{
384 + if (priv) {
385 + OSSL_PARAM params[] = {
386 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
387 + sizeof(fake_rsa_n) -1),
388 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
389 + sizeof(fake_rsa_e) -1),
390 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
391 + sizeof(fake_rsa_d) -1),
392 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
393 + sizeof(fake_rsa_p) -1),
394 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
395 + sizeof(fake_rsa_q) -1),
396 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
397 + sizeof(fake_rsa_dmp1) -1),
398 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
399 + sizeof(fake_rsa_dmq1) -1),
400 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
401 + sizeof(fake_rsa_iqmp) -1),
402 + OSSL_PARAM_END
403 + };
404 + return OSSL_PARAM_dup(params);
405 + } else {
406 + OSSL_PARAM params[] = {
407 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
408 + sizeof(fake_rsa_n) -1),
409 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
410 + sizeof(fake_rsa_e) -1),
411 + OSSL_PARAM_END
412 + };
413 + return OSSL_PARAM_dup(params);
414 + }
415 +}
416 +
417 +static int fake_rsa_keymgmt_export(void *keydata, int selection,
418 + OSSL_CALLBACK *param_callback, void *cbarg)
419 +{
420 + OSSL_PARAM *params = NULL;
421 + int ret;
422 +
423 + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
424 + return 0;
425 +
426 + if (!TEST_ptr(params = fake_rsa_key_params(0)))
427 + return 0;
428 +
429 + ret = param_callback(params, cbarg);
430 + OSSL_PARAM_free(params);
431 + return ret;
432 +}
433 +
434 static const OSSL_PARAM fake_rsa_import_key_types[] = {
435 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
436 OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
437 @@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
438 return fake_rsa_import_key_types;
439 }
440
441 +static const OSSL_PARAM fake_rsa_export_key_types[] = {
442 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
443 + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
444 + OSSL_PARAM_END
445 +};
446 +
447 +static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
448 +{
449 + /* record global for checking */
450 + exptypes_selection = selection;
451 +
452 + return fake_rsa_export_key_types;
453 +}
454 +
455 static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
456 {
457 - unsigned char *key = NULL;
458 + struct fake_rsa_keydata *key = NULL;
459
460 - if (reference_sz != sizeof(key))
461 + if (reference_sz != sizeof(*key))
462 return NULL;
463
464 - key = *(unsigned char **)reference;
465 - if (*key != 1)
466 + key = *(struct fake_rsa_keydata **)reference;
467 + if (key->status != 1)
468 return NULL;
469
470 /* detach the reference */
471 - *(unsigned char **)reference = NULL;
472 + *(struct fake_rsa_keydata **)reference = NULL;
473
474 return key;
475 }
476 @@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
477 {
478 unsigned char *gctx = genctx;
479 static const unsigned char inited[] = { 1 };
480 - unsigned char *keydata;
481 + struct fake_rsa_keydata *keydata;
482
483 if (!TEST_ptr(gctx)
484 || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
485 @@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
486 if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
487 return NULL;
488
489 - *keydata = 2;
490 + keydata->status = 2;
491 return keydata;
492 }
493
494 @@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
495 { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
496 { OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
497 (void (*)(void))fake_rsa_keymgmt_imptypes },
498 + { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
499 + { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
500 + (void (*)(void))fake_rsa_keymgmt_exptypes },
501 { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
502 { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
503 { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
504 @@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
505 const OSSL_PARAM params[])
506 {
507 unsigned char *sigctx = ctx;
508 - unsigned char *keydata = provkey;
509 + struct fake_rsa_keydata *keydata = provkey;
510
511 /* we must have a ctx */
512 if (!TEST_ptr(sigctx))
513 return 0;
514
515 /* we must have some initialized key */
516 - if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
517 + if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
518 return 0;
519
520 /* record that sign init was called */
521 @@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
522 unsigned char *storectx = loaderctx;
523 OSSL_PARAM params[4];
524 int object_type = OSSL_OBJECT_PKEY;
525 - void *key = NULL;
526 + struct fake_rsa_keydata *key = NULL;
527 int rv = 0;
528
529 switch (*storectx) {
530 @@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
531 /* The address of the key becomes the octet string */
532 params[2] =
533 OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
534 - &key, sizeof(key));
535 + &key, sizeof(*key));
536 params[3] = OSSL_PARAM_construct_end();
537 rv = object_cb(params, object_cbarg);
538 *storectx = 1;
539 diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
540 index 57de1ecf8d..190c46a285 100644
541 --- a/test/fake_rsaprov.h
542 +++ b/test/fake_rsaprov.h
543 @@ -12,3 +12,4 @@
544 /* Fake RSA provider implementation */
545 OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
546 void fake_rsa_finish(OSSL_PROVIDER *p);
547 +OSSL_PARAM *fake_rsa_key_params(int priv);
548 diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
549 index 5c398398f4..3b190baa5e 100644
550 --- a/test/provider_pkey_test.c
551 +++ b/test/provider_pkey_test.c
552 @@ -176,6 +176,67 @@ end:
553 return ret;
554 }
555
556 +static int test_pkey_eq(void)
557 +{
558 + OSSL_PROVIDER *deflt = NULL;
559 + OSSL_PROVIDER *fake_rsa = NULL;
560 + EVP_PKEY *pkey_fake = NULL;
561 + EVP_PKEY *pkey_dflt = NULL;
562 + EVP_PKEY_CTX *ctx = NULL;
563 + OSSL_PARAM *params = NULL;
564 + int ret = 0;
565 +
566 + if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
567 + return 0;
568 +
569 + if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
570 + goto end;
571 +
572 + /* Construct a public key for fake-rsa */
573 + if (!TEST_ptr(params = fake_rsa_key_params(0))
574 + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
575 + "provider=fake-rsa"))
576 + || !TEST_true(EVP_PKEY_fromdata_init(ctx))
577 + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
578 + params))
579 + || !TEST_ptr(pkey_fake))
580 + goto end;
581 +
582 + EVP_PKEY_CTX_free(ctx);
583 + ctx = NULL;
584 + OSSL_PARAM_free(params);
585 + params = NULL;
586 +
587 + /* Construct a public key for default */
588 + if (!TEST_ptr(params = fake_rsa_key_params(0))
589 + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
590 + "provider=default"))
591 + || !TEST_true(EVP_PKEY_fromdata_init(ctx))
592 + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
593 + params))
594 + || !TEST_ptr(pkey_dflt))
595 + goto end;
596 +
597 + EVP_PKEY_CTX_free(ctx);
598 + ctx = NULL;
599 + OSSL_PARAM_free(params);
600 + params = NULL;
601 +
602 + /* now test for equality */
603 + if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
604 + goto end;
605 +
606 + ret = 1;
607 +end:
608 + fake_rsa_finish(fake_rsa);
609 + OSSL_PROVIDER_unload(deflt);
610 + EVP_PKEY_CTX_free(ctx);
611 + EVP_PKEY_free(pkey_fake);
612 + EVP_PKEY_free(pkey_dflt);
613 + OSSL_PARAM_free(params);
614 + return ret;
615 +}
616 +
617 static int test_pkey_store(int idx)
618 {
619 OSSL_PROVIDER *deflt = NULL;
620 @@ -235,6 +296,7 @@ int setup_tests(void)
621
622 ADD_TEST(test_pkey_sig);
623 ADD_TEST(test_alternative_keygen_init);
624 + ADD_TEST(test_pkey_eq);
625 ADD_ALL_TESTS(test_pkey_store, 2);
626
627 return 1;
628 --
629 2.38.1
630
631 From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
632 From: Simo Sorce <simo@redhat.com>
633 Date: Mon, 14 Nov 2022 10:25:15 -0500
634 Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
635
636 The providers indication should always indicate that this is not a
637 legacy request.
638 This makes a check for engines redundant as the default return is that
639 legacy is ok if there are no explicit providers.
640
641 Fixes #19662
642
643 Signed-off-by: Simo Sorce <simo@redhat.com>
644
645 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
646 Reviewed-by: Paul Dale <pauli@openssl.org>
647 Reviewed-by: Tomas Mraz <tomas@openssl.org>
648 (Merged from https://github.com/openssl/openssl/pull/19671)
649 ---
650 apps/lib/apps.c | 8 --------
651 test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
652 2 files changed, 23 insertions(+), 8 deletions(-)
653 create mode 100755 test/recipes/20-test_legacy_okay.t
654
655 diff --git a/apps/lib/apps.c b/apps/lib/apps.c
656 index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
657 --- a/apps/lib/apps.c
658 +++ b/apps/lib/apps.c
659 @@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
660 {
661 int provider_options = opt_provider_option_given();
662 int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
663 -#ifndef OPENSSL_NO_ENGINE
664 - ENGINE *e = ENGINE_get_first();
665 -
666 - if (e != NULL) {
667 - ENGINE_free(e);
668 - return 1;
669 - }
670 -#endif
671 /*
672 * Having a provider option specified or a custom library context or
673 * property query, is a sure sign we're not using legacy.
674 diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
675 new file mode 100755
676 index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
677 --- /dev/null
678 +++ b/test/recipes/20-test_legacy_okay.t
679 @@ -0,0 +1,23 @@
680 +#! /usr/bin/env perl
681 +# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
682 +#
683 +# Licensed under the Apache License 2.0 (the "License"). You may not use
684 +# this file except in compliance with the License. You can obtain a copy
685 +# in the file LICENSE in the source distribution or at
686 +# https://www.openssl.org/source/license.html
687 +
688 +use strict;
689 +use warnings;
690 +
691 +use OpenSSL::Test;
692 +
693 +setup("test_legacy");
694 +
695 +plan tests => 3;
696 +
697 +ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
698 +
699 +ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
700 +
701 +ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
702 + 'rand.txt'])), "Fail to generate a digest");
703 --
704 2.38.1
705

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed