[thirdparty/openssl.git] / crypto / evp / keymgmt_lib.c

/*
 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/cryptlib.h"
#include "internal/nelem.h"
#include "internal/evp_int.h"
#include "internal/asn1_int.h"
#include "internal/provider.h"
#include "evp_locl.h"

static OSSL_PARAM *paramdefs_to_params(const OSSL_PARAM *paramdefs)
{
    size_t cnt;
    const OSSL_PARAM *p;
    OSSL_PARAM *params, *q;

    for (cnt = 1, p = paramdefs; p->key != NULL; p++, cnt++)
        continue;

    params = OPENSSL_zalloc(cnt * sizeof(*params));

    for (p = paramdefs, q = params; ; p++, q++) {
        *q = *p;
        if (p->key == NULL)
            break;

        q->data = NULL;          /* In case the provider used it */
        q->return_size = 0;
    }

    return params;
}

typedef union align_block_un {
    OSSL_UNION_ALIGN;
} ALIGN_BLOCK;

#define ALIGN_SIZE  sizeof(ALIGN_BLOCK)

static void *allocate_params_space(OSSL_PARAM *params)
{
    unsigned char *data = NULL;
    size_t space;
    OSSL_PARAM *p;

    for (space = 0, p = params; p->key != NULL; p++)
        space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;

    data = OPENSSL_zalloc(space);

    for (space = 0, p = params; p->key != NULL; p++) {
        p->data = data + space;
        space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
    }

    return data;
}

void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
{
    void *provkey = NULL;
    size_t i, j;

    /*
     * If there is an underlying legacy key and it has changed, invalidate
     * the cache of provider keys.
     */
    if (pk->pkey.ptr != NULL) {
        /*
         * If there is no dirty counter, this key can't be used with
         * providers.
         */
        if (pk->ameth->dirty_cnt == NULL)
            return NULL;

        if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
            for (i = 0;
                 i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
                 i++) {
                pk->pkeys[i].keymgmt->freekey(pk->pkeys[i].provkey);
                pk->pkeys[i].keymgmt = NULL;
                pk->pkeys[i].provkey = NULL;
            }
    }

    /*
     * See if we have exported to this provider already.
     * If we have, return immediately.
     */
    for (i = 0;
         i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
         i++) {
        if (keymgmt == pk->pkeys[i].keymgmt)
            return pk->pkeys[i].provkey;
    }

    if (pk->pkey.ptr != NULL) {
        /* There is a legacy key, try to export that one to the provider */

        /* If the legacy key doesn't have an export function, give up */
        if (pk->ameth->export_to == NULL)
            return NULL;

        /* Otherwise, simply use it */
        provkey = pk->ameth->export_to(pk, keymgmt);

        /* Synchronize the dirty count, but only if we exported successfully */
        if (provkey != NULL)
            pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);

    } else {
        /*
         * Here, there is no legacy key, so we look at the already cached
         * provider keys, and import from the first that supports it
         * (i.e. use its export function), and export the imported data to
         * the new provider.
         */

        /*
         * If the given keymgmt doesn't have an import function, give up
         */
        if (keymgmt->importkey == NULL)
            return NULL;

        for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
            if (pk->pkeys[j].keymgmt->exportkey != NULL) {
                const OSSL_PARAM *paramdefs = NULL;
                OSSL_PARAM *params = NULL;
                void *data = NULL;
                void *provctx =
                    ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));

                paramdefs = pk->pkeys[j].keymgmt->exportkey_types();
                /*
                 * All params have 'data' set to NULL.  In that case,
                 * the exportkey call should just fill in 'return_size'
                 * in all applicable params.
                 */
                params = paramdefs_to_params(paramdefs);
                /* Get 'return_size' filled */
                pk->pkeys[j].keymgmt->exportkey(pk->pkeys[j].provkey, params);

                /*
                 * Allocate space and assign 'data' to point into the
                 * data block
                 */
                data = allocate_params_space(params);

                /*
                 * Call the exportkey function a second time, to get
                 * the data filled
                 */
                pk->pkeys[j].keymgmt->exportkey(pk->pkeys[j].provkey, params);

                /*
                 * We should have all the data at this point, so import
                 * into the new provider and hope to get a key back.
                 */
                provkey = keymgmt->importkey(provctx, params);
                OPENSSL_free(params);
                OPENSSL_free(data);

                if (provkey != NULL)
                    break;
            }
        }
    }

    /*
     * TODO(3.0) Right now, we assume we have ample space.  We will
     * have to think about a cache aging scheme, though, if |i| indexes
     * outside the array.
     */
    j = ossl_assert(i < OSSL_NELEM(pk->pkeys));

    if (provkey != NULL) {
        EVP_KEYMGMT_up_ref(keymgmt);
        pk->pkeys[i].keymgmt = keymgmt;
        pk->pkeys[i].provkey = provkey;
    }
    return provkey;
}
Commit	Line	Data
70a1f7b4 RL	1	/*
	2	* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include "internal/cryptlib.h"
	11	#include "internal/nelem.h"
	12	#include "internal/evp_int.h"
	13	#include "internal/asn1_int.h"
	14	#include "internal/provider.h"
	15	#include "evp_locl.h"
	16
	17	static OSSL_PARAM paramdefs_to_params(const OSSL_PARAM paramdefs)
	18	{
	19	size_t cnt;
	20	const OSSL_PARAM *p;
	21	OSSL_PARAM params, q;
	22
	23	for (cnt = 1, p = paramdefs; p->key != NULL; p++, cnt++)
	24	continue;
	25
	26	params = OPENSSL_zalloc(cnt * sizeof(*params));
	27
	28	for (p = paramdefs, q = params; ; p++, q++) {
	29	q = p;
	30	if (p->key == NULL)
	31	break;
	32
	33	q->data = NULL; /* In case the provider used it */
	34	q->return_size = 0;
	35	}
	36
	37	return params;
	38	}
	39
	40	typedef union align_block_un {
	41	OSSL_UNION_ALIGN;
	42	} ALIGN_BLOCK;
	43
	44	#define ALIGN_SIZE sizeof(ALIGN_BLOCK)
	45
	46	static void allocate_params_space(OSSL_PARAM params)
	47	{
	48	unsigned char *data = NULL;
	49	size_t space;
	50	OSSL_PARAM *p;
	51
	52	for (space = 0, p = params; p->key != NULL; p++)
	53	space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
	54
	55	data = OPENSSL_zalloc(space);
	56
	57	for (space = 0, p = params; p->key != NULL; p++) {
	58	p->data = data + space;
	59	space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
	60	}
	61
	62	return data;
	63	}
	64
65	void evp_keymgmt_export_to_provider(EVP_PKEY pk, EVP_KEYMGMT *keymgmt)
66	{
67	void *provkey = NULL;
68	size_t i, j;
69
70	/*
71	* If there is an underlying legacy key and it has changed, invalidate
72	* the cache of provider keys.
73	*/
74	if (pk->pkey.ptr != NULL) {
75	/*
76	* If there is no dirty counter, this key can't be used with
77	* providers.
78	*/
79	if (pk->ameth->dirty_cnt == NULL)
80	return NULL;
81
82	if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
83	for (i = 0;
84	i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
85	i++) {
86	pk->pkeys[i].keymgmt->freekey(pk->pkeys[i].provkey);
87	pk->pkeys[i].keymgmt = NULL;
88	pk->pkeys[i].provkey = NULL;
89	}
90	}
91
92	/*
93	* See if we have exported to this provider already.
94	* If we have, return immediately.
95	*/
96	for (i = 0;
97	i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
98	i++) {
99	if (keymgmt == pk->pkeys[i].keymgmt)
100	return pk->pkeys[i].provkey;
101	}
102
103	if (pk->pkey.ptr != NULL) {
104	/* There is a legacy key, try to export that one to the provider */
105
106	/* If the legacy key doesn't have an export function, give up */
107	if (pk->ameth->export_to == NULL)
108	return NULL;
109
110	/* Otherwise, simply use it */
111	provkey = pk->ameth->export_to(pk, keymgmt);
112
113	/* Synchronize the dirty count, but only if we exported successfully */
114	if (provkey != NULL)
115	pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
116
117	} else {
118	/*
119	* Here, there is no legacy key, so we look at the already cached
120	* provider keys, and import from the first that supports it
121	* (i.e. use its export function), and export the imported data to
122	* the new provider.
123	*/
124
125	/*
126	* If the given keymgmt doesn't have an import function, give up
127	*/
128	if (keymgmt->importkey == NULL)
129	return NULL;
130
131	for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
132	if (pk->pkeys[j].keymgmt->exportkey != NULL) {
133	const OSSL_PARAM *paramdefs = NULL;
134	OSSL_PARAM *params = NULL;
135	void *data = NULL;
136	void *provctx =
137	ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
138
139	paramdefs = pk->pkeys[j].keymgmt->exportkey_types();
140	/*
141	* All params have 'data' set to NULL. In that case,
142	* the exportkey call should just fill in 'return_size'
143	* in all applicable params.
144	*/
145	params = paramdefs_to_params(paramdefs);
146	/* Get 'return_size' filled */
147	pk->pkeys[j].keymgmt->exportkey(pk->pkeys[j].provkey, params);
148
149	/*
150	* Allocate space and assign 'data' to point into the
151	* data block
152	*/
153	data = allocate_params_space(params);
154
155	/*
156	* Call the exportkey function a second time, to get
157	* the data filled
158	*/
159	pk->pkeys[j].keymgmt->exportkey(pk->pkeys[j].provkey, params);
160
161	/*
162	* We should have all the data at this point, so import
163	* into the new provider and hope to get a key back.
164	*/
165	provkey = keymgmt->importkey(provctx, params);
166	OPENSSL_free(params);
167	OPENSSL_free(data);
168
169	if (provkey != NULL)
170	break;
171	}
172	}
173	}
174
175	/*
176	* TODO(3.0) Right now, we assume we have ample space. We will
177	* have to think about a cache aging scheme, though, if \|i\| indexes
178	* outside the array.
179	*/
180	j = ossl_assert(i < OSSL_NELEM(pk->pkeys));
181
182	if (provkey != NULL) {
183	EVP_KEYMGMT_up_ref(keymgmt);
184	pk->pkeys[i].keymgmt = keymgmt;
185	pk->pkeys[i].provkey = provkey;
186	}
187	return provkey;
188	}