]>
Commit | Line | Data |
---|---|---|
70a1f7b4 RL |
1 | /* |
2 | * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include "internal/cryptlib.h" | |
11 | #include "internal/nelem.h" | |
12 | #include "internal/evp_int.h" | |
13 | #include "internal/asn1_int.h" | |
14 | #include "internal/provider.h" | |
15 | #include "evp_locl.h" | |
16 | ||
17 | static OSSL_PARAM *paramdefs_to_params(const OSSL_PARAM *paramdefs) | |
18 | { | |
19 | size_t cnt; | |
20 | const OSSL_PARAM *p; | |
21 | OSSL_PARAM *params, *q; | |
22 | ||
23 | for (cnt = 1, p = paramdefs; p->key != NULL; p++, cnt++) | |
24 | continue; | |
25 | ||
26 | params = OPENSSL_zalloc(cnt * sizeof(*params)); | |
27 | ||
28 | for (p = paramdefs, q = params; ; p++, q++) { | |
29 | *q = *p; | |
30 | if (p->key == NULL) | |
31 | break; | |
32 | ||
33 | q->data = NULL; /* In case the provider used it */ | |
34 | q->return_size = 0; | |
35 | } | |
36 | ||
37 | return params; | |
38 | } | |
39 | ||
40 | typedef union align_block_un { | |
41 | OSSL_UNION_ALIGN; | |
42 | } ALIGN_BLOCK; | |
43 | ||
44 | #define ALIGN_SIZE sizeof(ALIGN_BLOCK) | |
45 | ||
46 | static void *allocate_params_space(OSSL_PARAM *params) | |
47 | { | |
48 | unsigned char *data = NULL; | |
49 | size_t space; | |
50 | OSSL_PARAM *p; | |
51 | ||
52 | for (space = 0, p = params; p->key != NULL; p++) | |
53 | space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE; | |
54 | ||
55 | data = OPENSSL_zalloc(space); | |
56 | ||
57 | for (space = 0, p = params; p->key != NULL; p++) { | |
58 | p->data = data + space; | |
59 | space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE; | |
60 | } | |
61 | ||
62 | return data; | |
63 | } | |
64 | ||
65 | void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) | |
66 | { | |
67 | void *provkey = NULL; | |
68 | size_t i, j; | |
69 | ||
70 | /* | |
71 | * If there is an underlying legacy key and it has changed, invalidate | |
72 | * the cache of provider keys. | |
73 | */ | |
74 | if (pk->pkey.ptr != NULL) { | |
75 | /* | |
76 | * If there is no dirty counter, this key can't be used with | |
77 | * providers. | |
78 | */ | |
79 | if (pk->ameth->dirty_cnt == NULL) | |
80 | return NULL; | |
81 | ||
82 | if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy) | |
83 | for (i = 0; | |
84 | i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL; | |
85 | i++) { | |
86 | pk->pkeys[i].keymgmt->freekey(pk->pkeys[i].provkey); | |
87 | pk->pkeys[i].keymgmt = NULL; | |
88 | pk->pkeys[i].provkey = NULL; | |
89 | } | |
90 | } | |
91 | ||
92 | /* | |
93 | * See if we have exported to this provider already. | |
94 | * If we have, return immediately. | |
95 | */ | |
96 | for (i = 0; | |
97 | i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL; | |
98 | i++) { | |
99 | if (keymgmt == pk->pkeys[i].keymgmt) | |
100 | return pk->pkeys[i].provkey; | |
101 | } | |
102 | ||
103 | if (pk->pkey.ptr != NULL) { | |
104 | /* There is a legacy key, try to export that one to the provider */ | |
105 | ||
106 | /* If the legacy key doesn't have an export function, give up */ | |
107 | if (pk->ameth->export_to == NULL) | |
108 | return NULL; | |
109 | ||
110 | /* Otherwise, simply use it */ | |
111 | provkey = pk->ameth->export_to(pk, keymgmt); | |
112 | ||
113 | /* Synchronize the dirty count, but only if we exported successfully */ | |
114 | if (provkey != NULL) | |
115 | pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk); | |
116 | ||
117 | } else { | |
118 | /* | |
119 | * Here, there is no legacy key, so we look at the already cached | |
120 | * provider keys, and import from the first that supports it | |
121 | * (i.e. use its export function), and export the imported data to | |
122 | * the new provider. | |
123 | */ | |
124 | ||
125 | /* | |
126 | * If the given keymgmt doesn't have an import function, give up | |
127 | */ | |
128 | if (keymgmt->importkey == NULL) | |
129 | return NULL; | |
130 | ||
131 | for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) { | |
132 | if (pk->pkeys[j].keymgmt->exportkey != NULL) { | |
133 | const OSSL_PARAM *paramdefs = NULL; | |
134 | OSSL_PARAM *params = NULL; | |
135 | void *data = NULL; | |
136 | void *provctx = | |
137 | ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt)); | |
138 | ||
139 | paramdefs = pk->pkeys[j].keymgmt->exportkey_types(); | |
140 | /* | |
141 | * All params have 'data' set to NULL. In that case, | |
142 | * the exportkey call should just fill in 'return_size' | |
143 | * in all applicable params. | |
144 | */ | |
145 | params = paramdefs_to_params(paramdefs); | |
146 | /* Get 'return_size' filled */ | |
147 | pk->pkeys[j].keymgmt->exportkey(pk->pkeys[j].provkey, params); | |
148 | ||
149 | /* | |
150 | * Allocate space and assign 'data' to point into the | |
151 | * data block | |
152 | */ | |
153 | data = allocate_params_space(params); | |
154 | ||
155 | /* | |
156 | * Call the exportkey function a second time, to get | |
157 | * the data filled | |
158 | */ | |
159 | pk->pkeys[j].keymgmt->exportkey(pk->pkeys[j].provkey, params); | |
160 | ||
161 | /* | |
162 | * We should have all the data at this point, so import | |
163 | * into the new provider and hope to get a key back. | |
164 | */ | |
165 | provkey = keymgmt->importkey(provctx, params); | |
166 | OPENSSL_free(params); | |
167 | OPENSSL_free(data); | |
168 | ||
169 | if (provkey != NULL) | |
170 | break; | |
171 | } | |
172 | } | |
173 | } | |
174 | ||
175 | /* | |
176 | * TODO(3.0) Right now, we assume we have ample space. We will | |
177 | * have to think about a cache aging scheme, though, if |i| indexes | |
178 | * outside the array. | |
179 | */ | |
180 | j = ossl_assert(i < OSSL_NELEM(pk->pkeys)); | |
181 | ||
182 | if (provkey != NULL) { | |
183 | EVP_KEYMGMT_up_ref(keymgmt); | |
184 | pk->pkeys[i].keymgmt = keymgmt; | |
185 | pk->pkeys[i].provkey = provkey; | |
186 | } | |
187 | return provkey; | |
188 | } |