]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/evp/keymgmt_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix krb5 external test failure
[thirdparty/openssl.git] / crypto / evp / keymgmt_lib.c
CommitLineData
70a1f7b4
RL		 1/*
2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
6508e858 10#include <openssl/core_names.h>
70a1f7b4
RL		 11#include "internal/cryptlib.h"
12#include "internal/nelem.h"
25f2138b
DMSP		 13#include "crypto/evp.h"
14#include "crypto/asn1.h"
1640d48c 15#include "internal/core.h"
70a1f7b4 16#include "internal/provider.h"
706457b7 17#include "evp_local.h"
70a1f7b4 18
1640d48c
RL		 19struct import_data_st {
20 void *provctx;
658608c4 21 void *(*importfn)(const EVP_KEYMGMT *keymgmt, const OSSL_PARAM params[]);
70a1f7b4 22
1640d48c
RL		 23 /* Result */
24 void *provdata;
25};
70a1f7b4 26
1640d48c 27static int try_import(const OSSL_PARAM params[], void *arg)
651101e1 28{
1640d48c 29 struct import_data_st *data = arg;
70a1f7b4 30
1640d48c
RL		 31 data->provdata = data->importfn(data->provctx, params);
32 return data->provdata != NULL;
70a1f7b4
RL		 33}
34
02f060d1
RL		 35void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
36 int want_domainparams)
70a1f7b4 37{
02f060d1 38 void *provdata = NULL;
70a1f7b4
RL		 39 size_t i, j;
40
41 /*
42 * If there is an underlying legacy key and it has changed, invalidate
43 * the cache of provider keys.
44 */
45 if (pk->pkey.ptr != NULL) {
46 /*
47 * If there is no dirty counter, this key can't be used with
48 * providers.
49 */
50 if (pk->ameth->dirty_cnt == NULL)
51 return NULL;
52
53 if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
4cae07fe 54 evp_keymgmt_clear_pkey_cache(pk);
70a1f7b4
RL		 55 }
56
57 /*
58 * See if we have exported to this provider already.
59 * If we have, return immediately.
60 */
61 for (i = 0;
62 i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
63 i++) {
02f060d1
RL		 64 if (keymgmt == pk->pkeys[i].keymgmt
65 && want_domainparams == pk->pkeys[i].domainparams)
66 return pk->pkeys[i].provdata;
70a1f7b4
RL		 67 }
68
69 if (pk->pkey.ptr != NULL) {
70 /* There is a legacy key, try to export that one to the provider */
71
72 /* If the legacy key doesn't have an export function, give up */
73 if (pk->ameth->export_to == NULL)
74 return NULL;
75
02f060d1
RL		 76 /* Otherwise, simply use it. */
77 provdata = pk->ameth->export_to(pk, keymgmt, want_domainparams);
70a1f7b4
RL		 78
79 /* Synchronize the dirty count, but only if we exported successfully */
02f060d1 80 if (provdata != NULL)
70a1f7b4
RL		 81 pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
82
83 } else {
84 /*
85 * Here, there is no legacy key, so we look at the already cached
86 * provider keys, and import from the first that supports it
87 * (i.e. use its export function), and export the imported data to
88 * the new provider.
89 */
90
1640d48c
RL		 91 /* Setup for the export callback */
92 struct import_data_st import_data;
93
94 import_data.importfn =
658608c4
RL		 95 want_domainparams
96 ? evp_keymgmt_importdomparams
97 : evp_keymgmt_importkey;
1640d48c 98 import_data.provdata = NULL;
02f060d1 99
70a1f7b4
RL		 100 /*
101 * If the given keymgmt doesn't have an import function, give up
102 */
1640d48c 103 if (import_data.importfn == NULL)
70a1f7b4
RL		 104 return NULL;
105
106 for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
658608c4
RL		 107 int (*exportfn)(const EVP_KEYMGMT *keymgmt, void *provdata,
108 OSSL_CALLBACK *cb, void *cbarg) =
1640d48c 109 want_domainparams
658608c4
RL		 110 ? evp_keymgmt_exportdomparams
111 : evp_keymgmt_exportkey;
02f060d1 112
1640d48c
RL		 113 if (exportfn != NULL) {
114 import_data.provctx =
115 ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
70a1f7b4
RL		 116
117 /*
1640d48c
RL		 118 * The export function calls the callback (try_import), which
119 * does the import for us.
120 * Even though we got a success return, we double check that
121 * we actually got something, just in case some implementation
122 * forgets to check the return value.
70a1f7b4 123
70a1f7b4 124 */
658608c4
RL		 125 if (exportfn(pk->pkeys[j].keymgmt, pk->pkeys[j].provdata,
126 &try_import, &import_data)
1640d48c 127 && (provdata = import_data.provdata) != NULL)
70a1f7b4
RL		 128 break;
129 }
130 }
131 }
132
133 /*
134 * TODO(3.0) Right now, we assume we have ample space. We will
135 * have to think about a cache aging scheme, though, if |i| indexes
136 * outside the array.
137 */
138 j = ossl_assert(i < OSSL_NELEM(pk->pkeys));
139
6508e858 140 evp_keymgmt_cache_pkey(pk, i, keymgmt, provdata, want_domainparams);
02f060d1
RL		 141
142 return provdata;
70a1f7b4 143}
4cae07fe
RL		 144
145void evp_keymgmt_clear_pkey_cache(EVP_PKEY *pk)
146{
147 size_t i;
148
149 if (pk != NULL) {
150 for (i = 0;
151 i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
152 i++) {
153 EVP_KEYMGMT *keymgmt = pk->pkeys[i].keymgmt;
02f060d1 154 void *provdata = pk->pkeys[i].provdata;
4cae07fe
RL		 155
156 pk->pkeys[i].keymgmt = NULL;
02f060d1
RL		 157 pk->pkeys[i].provdata = NULL;
158 if (pk->pkeys[i].domainparams)
658608c4 159 evp_keymgmt_freedomparams(keymgmt, provdata);
02f060d1 160 else
658608c4 161 evp_keymgmt_freekey(keymgmt, provdata);
4cae07fe
RL		 162 EVP_KEYMGMT_free(keymgmt);
163 }
6508e858
RL		 164
165 pk->cache.size = 0;
166 pk->cache.bits = 0;
167 pk->cache.security_bits = 0;
168 }
169}
170
171void evp_keymgmt_cache_pkey(EVP_PKEY *pk, size_t index, EVP_KEYMGMT *keymgmt,
172 void *provdata, int domainparams)
173{
174 if (provdata != NULL) {
175 EVP_KEYMGMT_up_ref(keymgmt);
176 pk->pkeys[index].keymgmt = keymgmt;
177 pk->pkeys[index].provdata = provdata;
178 pk->pkeys[index].domainparams = domainparams;
179
180 /*
181 * Cache information about the domain parameters or key. Only needed
182 * for the "original" provider side key.
183 *
184 * This services functions like EVP_PKEY_size, EVP_PKEY_bits, etc
185 */
186 if (index == 0) {
187 int ok;
188 int bits = 0;
189 int security_bits = 0;
190 int size = 0;
191 OSSL_PARAM params[4];
192
193 params[0] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_BITS, &bits);
194 params[1] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_SECURITY_BITS,
195 &security_bits);
196 params[2] = OSSL_PARAM_construct_int(OSSL_PKEY_PARAM_MAX_SIZE, &size);
197 params[3] = OSSL_PARAM_construct_end();
198 ok = domainparams
199 ? evp_keymgmt_get_domparam_params(keymgmt, provdata, params)
200 : evp_keymgmt_get_key_params(keymgmt, provdata, params);
201 if (ok) {
202 pk->cache.size = size;
203 pk->cache.bits = bits;
204 pk->cache.security_bits = security_bits;
205 }
206 }
4cae07fe
RL		 207 }
208}
fa9faf01 209
46e2dd05
RL		 210void *evp_keymgmt_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
211 const OSSL_PARAM params[], int domainparams)
212{
46e2dd05 213 void *provdata = domainparams
658608c4
RL		 214 ? evp_keymgmt_importdomparams(keymgmt, params)
215 : evp_keymgmt_importkey(keymgmt, params);
46e2dd05
RL		 216
217 evp_keymgmt_clear_pkey_cache(target);
6508e858 218 evp_keymgmt_cache_pkey(target, 0, keymgmt, provdata, domainparams);
46e2dd05
RL		 219
220 return provdata;
221}
fa9faf01
RL		 222
223/* internal functions */
224/* TODO(3.0) decide if these should be public or internal */
225void *evp_keymgmt_importdomparams(const EVP_KEYMGMT *keymgmt,
226 const OSSL_PARAM params[])
227{
228 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
229
230 return keymgmt->importdomparams(provctx, params);
231}
232
233void *evp_keymgmt_gendomparams(const EVP_KEYMGMT *keymgmt,
234 const OSSL_PARAM params[])
235{
236 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
237
238 return keymgmt->gendomparams(provctx, params);
239}
240
241void evp_keymgmt_freedomparams(const EVP_KEYMGMT *keymgmt,
242 void *provdomparams)
243{
244 keymgmt->freedomparams(provdomparams);
245}
246
247int evp_keymgmt_exportdomparams(const EVP_KEYMGMT *keymgmt,
1640d48c
RL		 248 void *provdomparams,
249 OSSL_CALLBACK *param_cb, void *cbarg)
fa9faf01 250{
1640d48c 251 return keymgmt->exportdomparams(provdomparams, param_cb, cbarg);
fa9faf01
RL		 252}
253
254const OSSL_PARAM *evp_keymgmt_importdomparam_types(const EVP_KEYMGMT *keymgmt)
255{
256 return keymgmt->importdomparam_types();
257}
258
1640d48c
RL		 259/*
260 * TODO(v3.0) investigate if we need this function. 'openssl provider' may
261 * be a caller...
262 */
fa9faf01
RL		 263const OSSL_PARAM *evp_keymgmt_exportdomparam_types(const EVP_KEYMGMT *keymgmt)
264{
265 return keymgmt->exportdomparam_types();
266}
267
6508e858
RL		 268int evp_keymgmt_get_domparam_params(const EVP_KEYMGMT *keymgmt,
269 void *provdomparams, OSSL_PARAM params[])
270{
271 if (keymgmt->get_domparam_params == NULL)
272 return 1;
273 return keymgmt->get_domparam_params(provdomparams, params);
274}
275
276const OSSL_PARAM *
277evp_keymgmt_gettable_domparam_params(const EVP_KEYMGMT *keymgmt)
278{
279 if (keymgmt->gettable_domparam_params == NULL)
280 return NULL;
281 return keymgmt->gettable_domparam_params();
282}
283
fa9faf01
RL		 284
285void *evp_keymgmt_importkey(const EVP_KEYMGMT *keymgmt,
286 const OSSL_PARAM params[])
287{
288 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
289
290 return keymgmt->importkey(provctx, params);
291}
292
293void *evp_keymgmt_genkey(const EVP_KEYMGMT *keymgmt, void *domparams,
294 const OSSL_PARAM params[])
295{
296 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
297
298 return keymgmt->genkey(provctx, domparams, params);
299}
300
301void *evp_keymgmt_loadkey(const EVP_KEYMGMT *keymgmt,
302 void *id, size_t idlen)
303{
304 void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
305
306 return keymgmt->loadkey(provctx, id, idlen);
307}
308
309void evp_keymgmt_freekey(const EVP_KEYMGMT *keymgmt, void *provkey)
310{
311 keymgmt->freekey(provkey);
312}
313
314int evp_keymgmt_exportkey(const EVP_KEYMGMT *keymgmt, void *provkey,
1640d48c 315 OSSL_CALLBACK *param_cb, void *cbarg)
fa9faf01 316{
1640d48c 317 return keymgmt->exportkey(provkey, param_cb, cbarg);
fa9faf01
RL		 318}
319
320const OSSL_PARAM *evp_keymgmt_importkey_types(const EVP_KEYMGMT *keymgmt)
321{
322 return keymgmt->importkey_types();
323}
324
1640d48c
RL		 325/*
326 * TODO(v3.0) investigate if we need this function. 'openssl provider' may
327 * be a caller...
328 */
fa9faf01
RL		 329const OSSL_PARAM *evp_keymgmt_exportkey_types(const EVP_KEYMGMT *keymgmt)
330{
331 return keymgmt->exportkey_types();
332}
6508e858
RL		 333
334int evp_keymgmt_get_key_params(const EVP_KEYMGMT *keymgmt,
335 void *provkey, OSSL_PARAM params[])
336{
337 if (keymgmt->get_key_params == NULL)
338 return 1;
339 return keymgmt->get_key_params(provkey, params);
340}
341
342const OSSL_PARAM *evp_keymgmt_gettable_key_params(const EVP_KEYMGMT *keymgmt)
343{
344 if (keymgmt->gettable_key_params == NULL)
345 return NULL;
346 return keymgmt->gettable_key_params();
347}
12603de6
SL		 348
349int evp_keymgmt_validate_domparams(const EVP_KEYMGMT *keymgmt, void *provkey)
350{
351 /* if domainparams are not supported - then pass */
352 if (keymgmt->validatedomparams == NULL)
353 return 1;
354 return keymgmt->validatedomparams(provkey);
355}
356
357int evp_keymgmt_validate_public(const EVP_KEYMGMT *keymgmt, void *provkey)
358{
359 return keymgmt->validatepublic(provkey);
360}
361
362int evp_keymgmt_validate_private(const EVP_KEYMGMT *keymgmt, void *provkey)
363{
364 return keymgmt->validateprivate(provkey);
365}
366
367int evp_keymgmt_validate_pairwise(const EVP_KEYMGMT *keymgmt, void *provkey)
368{
369 return keymgmt->validatepairwise(provkey);
370}
A mirror of the official openssl repository