From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 2 Aug 2021 13:06:26 +0000 (+0200)
Subject: - Move ECDSA functions to use OpenSSL 3.0.0 API.
X-Git-Tag: release-1.13.2rc1~16^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bdcbc80b96983bca6c3710e58e34ccd7d4019ed;p=thirdparty%2Funbound.git

- Move ECDSA functions to use OpenSSL 3.0.0 API.
---

diff --git a/doc/Changelog b/doc/Changelog
index 686203b8e..29f8cbe75 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 	- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
 	  keyraw functions to produce EVP_PKEY results.
 	- Move RSA and DSA to use OpenSSL 3.0.0 API.
+	- Move ECDSA functions to use OpenSSL 3.0.0 API.
 
 30 July 2021: Wouter
 	- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
diff --git a/sldns/keyraw.c b/sldns/keyraw.c
index ce94dd74e..b1e60d8b5 100644
--- a/sldns/keyraw.c
+++ b/sldns/keyraw.c
@@ -317,6 +317,7 @@ EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
 
 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
 	if(!ctx) {
+		OSSL_PARAM_free(params);
 		BN_free(p);
 		BN_free(q);
 		BN_free(g);
@@ -482,6 +483,7 @@ EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
 
 	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
 	if(!ctx) {
+		OSSL_PARAM_free(params);
 		BN_free(n);
 		BN_free(e);
 		return NULL;
@@ -555,6 +557,62 @@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen)
 EVP_PKEY*
 sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 {
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+	EVP_PKEY *evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+	char* group = NULL;
+
+	/* check length, which uncompressed must be 2 bignums */
+	if(algo == LDNS_ECDSAP256SHA256) {
+		if(keylen != 2*256/8) return NULL;
+		group = "prime256v1";
+	} else if(algo == LDNS_ECDSAP384SHA384) {
+		if(keylen != 2*384/8) return NULL;
+		group = "P-384";
+	} else {
+		return NULL;
+	}
+	if(keylen+1 > sizeof(buf)) { /* sanity check */
+		return NULL;
+	}
+	/* prepend the 0x04 for uncompressed format */
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf+1, key, keylen);
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) ||
+	   !OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	return evp_key;
+#else
 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
         const unsigned char* pp = buf;
         EVP_PKEY *evp_key;
@@ -591,6 +649,7 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 		return NULL;
 	}
         return evp_key;
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 }
 #endif /* USE_ECDSA */