From: Matt Caswell Date: Fri, 28 May 2021 10:07:24 +0000 (+0100) Subject: Actually use a legacy route in pem_read_bio_key_legacy() X-Git-Tag: openssl-3.0.0-beta1~132 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2f1b36592806afcaae79289c33756fb0af5b4ca;p=thirdparty%2Fopenssl.git Actually use a legacy route in pem_read_bio_key_legacy() The function pem_read_bio_key_legacy() is a fallback route if we failed to load a key via a provider. We should be using the legacy specific d2i functions to force legacy otherwise we end up using a provider anyway Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15504)
---
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index 58b7646227..3b28460d4b 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -74,9 +74,9 @@ err:
 return NULL;
 }
 
-static EVP_PKEY *
-d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a, const unsigned char **pp,
- long length, OSSL_LIB_CTX *libctx, const char *propq)
+EVP_PKEY *
+ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a, const unsigned char **pp,
+ long length, OSSL_LIB_CTX *libctx, const char *propq)
 {
 EVP_PKEY *ret;
 const unsigned char *p = *pp;
@@ -149,7 +149,7 @@ EVP_PKEY *d2i_PrivateKey_ex(int keytype, EVP_PKEY **a, const unsigned char **pp,
 ret = d2i_PrivateKey_decoder(keytype, a, pp, length, libctx, propq);
 /* try the legacy path if the decoder failed */
 if (ret == NULL)
-ret = d2i_PrivateKey_legacy(keytype, a, pp, length, libctx, propq);
+ret = ossl_d2i_PrivateKey_legacy(keytype, a, pp, length, libctx, propq);
 return ret;
 }
 
@@ -208,7 +208,7 @@ static EVP_PKEY *d2i_AutoPrivateKey_legacy(EVP_PKEY **a,
 keytype = EVP_PKEY_RSA;
 }
 sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
-return d2i_PrivateKey_legacy(keytype, a, pp, length, libctx, propq);
+return ossl_d2i_PrivateKey_legacy(keytype, a, pp, length, libctx, propq);
 }
 
 /*
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 01877057dc..ca6b2a2132 100644
--- a/crypto/pem/pem_pkey.c
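Review bot: ossl_d2i_PrivateKey_legacy() is promoted from a file-local helper to a cross-module internal API in this hunk, but no contract comment comes with it; the same gap applies to ossl_d2i_PUBKEY_legacy() in the x_pubkey.c hunk and to both new declarations in include/crypto/asn1.h and include/crypto/x509.h. The new caller in pem_pkey.c relies on two things a reader cannot see from the name alone: that this route never consults providers (the whole point of the commit), and what happens to `*a` and `*pp` on success and on failure. That behaviour lives in the body, which continues outside the hunk, so I would state it in a block comment above the definition once checked against the body, starting with something like `/* Decode a private key of type keytype using only the legacy ASN1 method; never consults providers or decoders. */` above `EVP_PKEY *` and adding the `*a`/`*pp` ownership rules in the same comment.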
+++ b/crypto/pem/pem_pkey.c
@@ -23,6 +23,7 @@
 #include
 #include
 #include "crypto/asn1.h"
+#include "crypto/x509.h"
 #include "crypto/evp.h"
 #include "pem_local.h"
 
@@ -157,9 +158,10 @@ static EVP_PKEY *pem_read_bio_key_legacy(BIO *bp, EVP_PKEY **x,
 ameth = EVP_PKEY_asn1_find_str(NULL, nm, slen);
 if (ameth == NULL || ameth->old_priv_decode == NULL)
 goto p8err;
-ret = d2i_PrivateKey(ameth->pkey_id, x, &p, len);
+ret = ossl_d2i_PrivateKey_legacy(ameth->pkey_id, x, &p, len, libctx,
+ propq);
 } else if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
-ret = d2i_PUBKEY(x, &p, len);
+ret = ossl_d2i_PUBKEY_legacy(x, &p, len);
 } else if ((slen = ossl_pem_check_suffix(nm, "PARAMETERS")) > 0) {
 ret = EVP_PKEY_new();
 if (ret == NULL)
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index ace4b533fe..20216bd922 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -505,8 +505,8 @@ static EVP_PKEY *d2i_PUBKEY_int(EVP_PKEY **a,
 }
 
 /* For the algorithm specific d2i functions further down */
-static EVP_PKEY *d2i_PUBKEY_legacy(EVP_PKEY **a,
- const unsigned char **pp, long length)
+EVP_PKEY *ossl_d2i_PUBKEY_legacy(EVP_PKEY **a, const unsigned char **pp,
+ long length)
 {
 return d2i_PUBKEY_int(a, pp, length, NULL, NULL, 1, d2i_X509_PUBKEY);
 }
@@ -583,7 +583,7 @@ RSA *d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length)
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 key = EVP_PKEY_get1_RSA(pkey);
@@ -624,7 +624,7 @@ DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length)
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 if (EVP_PKEY_get_id(pkey) == EVP_PKEY_DH)
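Review bot: The public-key branch drops the library context that the private-key branch keeps: `ret = ossl_d2i_PrivateKey_legacy(ameth->pkey_id, x, &p, len, libctx, propq);` is given `libctx`/`propq`, whereas `ret = ossl_d2i_PUBKEY_legacy(x, &p, len);` has no such parameters and, per the x_pubkey.c hunk, passes `NULL, NULL` into d2i_PUBKEY_int(), which presumably means a public key recovered through this fallback is bound to the default library context even when the caller supplied one; worth confirming that is intended, or adding a libctx-aware variant of the legacy PUBKEY decoder. Because this is the route taken only after the provider decoders have already failed, the branch also deserves a why-comment so nobody "fixes" these calls back to d2i_PrivateKey()/d2i_PUBKEY(), e.g. `/* Provider decoders already failed: force the legacy (non-provider) d2i route. */` above the `if (ameth == NULL ...)` check. pem_read_bio_key_legacy() begins and ends outside the hunk, so the surrounding selection logic could not be checked.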
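Review bot: The comment `/* For the algorithm specific d2i functions further down */` above ossl_d2i_PUBKEY_legacy() is now stale: once the function is exported and called from pem_pkey.c it no longer describes all of its callers, and a reader arriving from the header has nothing telling them this is the non-provider route. I would replace it with `/* Legacy (non-provider) PUBKEY decoder. Used by the algorithm specific d2i functions below and by the PEM legacy fallback in pem_pkey.c. */`, and note in the same comment that the `NULL, NULL` arguments to d2i_PUBKEY_int() mean no library context or property query is applied (presumably the default context; confirm against d2i_PUBKEY_int(), whose signature starts outside the hunk).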
@@ -665,7 +665,7 @@ DH *ossl_d2i_DHx_PUBKEY(DH **a, const unsigned char **pp, long length)
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 if (EVP_PKEY_get_id(pkey) == EVP_PKEY_DHX)
@@ -708,7 +708,7 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 key = EVP_PKEY_get1_DSA(pkey);
@@ -751,7 +751,7 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length)
 int type;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 type = EVP_PKEY_get_id(pkey);
@@ -794,7 +794,7 @@ ECX_KEY *ossl_d2i_ED25519_PUBKEY(ECX_KEY **a,
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 key = ossl_evp_pkey_get1_ED25519(pkey);
@@ -835,7 +835,7 @@ ECX_KEY *ossl_d2i_ED448_PUBKEY(ECX_KEY **a,
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 if (EVP_PKEY_get_id(pkey) == EVP_PKEY_ED448)
@@ -877,7 +877,7 @@ ECX_KEY *ossl_d2i_X25519_PUBKEY(ECX_KEY **a,
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 if (EVP_PKEY_get_id(pkey) == EVP_PKEY_X25519)
@@ -919,7 +919,7 @@ ECX_KEY *ossl_d2i_X448_PUBKEY(ECX_KEY **a,
 const unsigned char *q;
 
 q = *pp;
-pkey = d2i_PUBKEY_legacy(NULL, &q, length);
+pkey = ossl_d2i_PUBKEY_legacy(NULL, &q, length);
 if (pkey == NULL)
 return NULL;
 if (EVP_PKEY_get_id(pkey) == EVP_PKEY_X448)
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
index 829c5980d2..dd0b54aad6 100644
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@@ -142,4 +142,8 @@ X509_ALGOR *ossl_x509_algor_mgf1_decode(X509_ALGOR *alg);
 int ossl_x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md);
 int ossl_asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm);
 
+EVP_PKEY * ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a,
+ const unsigned char **pp, long length,
+ OSSL_LIB_CTX *libctx, const char *propq);
+
 #endif /* ndef OSSL_CRYPTO_ASN1_H */
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 936ab790de..acb1d7b64a 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -354,4 +354,6 @@ ECX_KEY *ossl_d2i_X448_PUBKEY(ECX_KEY **a,
 const unsigned char **pp, long length);
 int ossl_i2d_X448_PUBKEY(const ECX_KEY *a, unsigned char **pp);
 # endif
+EVP_PKEY *ossl_d2i_PUBKEY_legacy(EVP_PKEY **a, const unsigned char **pp,
+ long length);
 #endif
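Review bot: The new asn1.h declaration writes the pointer declarator as `EVP_PKEY * ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a,` with a space after `*`, unlike every other declaration in the same hunk (`X509_ALGOR *ossl_x509_algor_mgf1_decode(...)`, `int ossl_x509_algor_md_to_mgf1(X509_ALGOR **palg, ...)`), the matching x509.h declaration, and the definition in d2i_pr.c; the line should read `EVP_PKEY *ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a,`. In x509.h the new prototype is appended directly after `# endif` with no blank line, which makes it look like part of the conditional block above it; a blank line before `+EVP_PKEY *ossl_d2i_PUBKEY_legacy(...)` would make clear it is unconditional.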