crypto/evp/keymgmt_lib.c

   1 /*
   2  * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include "internal/cryptlib.h"
  11 #include "internal/nelem.h"
  12 #include "crypto/evp.h"
  13 #include "crypto/asn1.h"
  14 #include "internal/provider.h"
  15 #include "evp_local.h"
  16
  17 static OSSL_PARAM *paramdefs_to_params(const OSSL_PARAM *paramdefs)
  18 {
  19     size_t cnt;
  20     const OSSL_PARAM *p;
  21     OSSL_PARAM *params, *q;
  22
  23     for (cnt = 1, p = paramdefs; p->key != NULL; p++, cnt++)
  24         continue;
  25
  26     params = OPENSSL_zalloc(cnt * sizeof(*params));
  27
  28     for (p = paramdefs, q = params; ; p++, q++) {
  29         *q = *p;
  30         if (p->key == NULL)
  31             break;
  32
  33         q->data = NULL;          /* In case the provider used it */
  34         q->return_size = 0;
  35     }
  36
  37     return params;
  38 }
  39
  40 static OSSL_PARAM *reduce_params(OSSL_PARAM *params)
  41 {
  42     OSSL_PARAM *curr, *next;
  43     size_t cnt;
  44
  45     for (cnt = 0, curr = next = params; next->key != NULL; next++) {
  46         if (next->return_size == 0)
  47             continue;
  48         if (curr != next)
  49             *curr = *next;
  50         curr++;
  51         cnt++;
  52     }
  53     *curr = *next;               /* Terminating record */
  54     cnt++;
  55
  56     curr = OPENSSL_realloc(params, cnt * sizeof(*params));
  57     if (curr == NULL)
  58         return params;
  59     return curr;
  60 }
  61
  62 typedef union align_block_un {
  63     OSSL_UNION_ALIGN;
  64 } ALIGN_BLOCK;
  65
  66 #define ALIGN_SIZE  sizeof(ALIGN_BLOCK)
  67
  68 static void *allocate_params_space(OSSL_PARAM *params)
  69 {
  70     unsigned char *data = NULL;
  71     size_t space;
  72     OSSL_PARAM *p;
  73
  74     for (space = 0, p = params; p->key != NULL; p++)
  75         space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
  76
  77     if (space == 0)
  78         return NULL;
  79
  80     data = OPENSSL_zalloc(space);
  81
  82     for (space = 0, p = params; p->key != NULL; p++) {
  83         p->data = data + space;
  84         space += ((p->return_size + ALIGN_SIZE - 1) / ALIGN_SIZE) * ALIGN_SIZE;
  85     }
  86
  87     return data;
  88 }
  89
  90 void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
  91                                      int want_domainparams)
  92 {
  93     void *provdata = NULL;
  94     size_t i, j;
  95
  96     /*
  97      * If there is an underlying legacy key and it has changed, invalidate
  98      * the cache of provider keys.
  99      */
 100     if (pk->pkey.ptr != NULL) {
 101         /*
 102          * If there is no dirty counter, this key can't be used with
 103          * providers.
 104          */
 105         if (pk->ameth->dirty_cnt == NULL)
 106             return NULL;
 107
 108         if (pk->ameth->dirty_cnt(pk) != pk->dirty_cnt_copy)
 109             evp_keymgmt_clear_pkey_cache(pk);
 110     }
 111
 112     /*
 113      * See if we have exported to this provider already.
 114      * If we have, return immediately.
 115      */
 116     for (i = 0;
 117          i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
 118          i++) {
 119         if (keymgmt == pk->pkeys[i].keymgmt
 120             && want_domainparams == pk->pkeys[i].domainparams)
 121             return pk->pkeys[i].provdata;
 122     }
 123
 124     if (pk->pkey.ptr != NULL) {
 125         /* There is a legacy key, try to export that one to the provider */
 126
 127         /* If the legacy key doesn't have an export function, give up */
 128         if (pk->ameth->export_to == NULL)
 129             return NULL;
 130
 131         /* Otherwise, simply use it. */
 132         provdata = pk->ameth->export_to(pk, keymgmt, want_domainparams);
 133
 134         /* Synchronize the dirty count, but only if we exported successfully */
 135         if (provdata != NULL)
 136             pk->dirty_cnt_copy = pk->ameth->dirty_cnt(pk);
 137
 138     } else {
 139         /*
 140          * Here, there is no legacy key, so we look at the already cached
 141          * provider keys, and import from the first that supports it
 142          * (i.e. use its export function), and export the imported data to
 143          * the new provider.
 144          */
 145
 146         void *(*importfn)(void *provctx, const OSSL_PARAM params[]) =
 147             want_domainparams ? keymgmt->importdomparams : keymgmt->importkey;
 148
 149         /*
 150          * If the given keymgmt doesn't have an import function, give up
 151          */
 152         if (importfn == NULL)
 153             return NULL;
 154
 155         for (j = 0; j < i && pk->pkeys[j].keymgmt != NULL; j++) {
 156             if (pk->pkeys[j].keymgmt->exportkey != NULL) {
 157                 const OSSL_PARAM *paramdefs = NULL;
 158                 OSSL_PARAM *params = NULL;
 159                 void *data = NULL;
 160                 void *provctx =
 161                     ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 162                 int (*exportfn)(void *provctx, OSSL_PARAM params[]) = NULL;
 163
 164                 if (pk->pkeys[j].domainparams != want_domainparams)
 165                     continue;
 166
 167                 exportfn = want_domainparams
 168                     ? pk->pkeys[j].keymgmt->exportdomparams
 169                     : pk->pkeys[j].keymgmt->exportkey;
 170
 171                 paramdefs = pk->pkeys[j].keymgmt->exportkey_types();
 172                 /*
 173                  * All params have 'data' set to NULL.  In that case,
 174                  * the exportkey call should just fill in 'return_size'
 175                  * in all applicable params.
 176                  */
 177                 params = paramdefs_to_params(paramdefs);
 178                 /* Get 'return_size' filled */
 179                 exportfn(pk->pkeys[j].provdata, params);
 180
 181                 /*
 182                  * Reduce the params by removing any entry that got return
 183                  * size zero, then allocate space and assign 'data' to point
 184                  * into the data block
 185                  */
 186                 params = reduce_params(params);
 187                 if ((data = allocate_params_space(params)) == NULL)
 188                     goto cont;
 189
 190                 /*
 191                  * Call the exportkey function a second time, to get
 192                  * the data filled.
 193                  * If something goes wrong, go to the next cached key.
 194                  */
 195                 if (!exportfn(pk->pkeys[j].provdata, params))
 196                     goto cont;
 197
 198                 /*
 199                  * We should have all the data at this point, so import
 200                  * into the new provider and hope to get a key back.
 201                  */
 202                 provdata = importfn(provctx, params);
 203
 204              cont:
 205                 OPENSSL_free(params);
 206                 OPENSSL_free(data);
 207
 208                 if (provdata != NULL)
 209                     break;
 210             }
 211         }
 212     }
 213
 214     /*
 215      * TODO(3.0) Right now, we assume we have ample space.  We will
 216      * have to think about a cache aging scheme, though, if |i| indexes
 217      * outside the array.
 218      */
 219     j = ossl_assert(i < OSSL_NELEM(pk->pkeys));
 220
 221     if (provdata != NULL) {
 222         EVP_KEYMGMT_up_ref(keymgmt);
 223         pk->pkeys[i].keymgmt = keymgmt;
 224         pk->pkeys[i].provdata = provdata;
 225         pk->pkeys[i].domainparams = want_domainparams;
 226     }
 227
 228     return provdata;
 229 }
 230
 231 void evp_keymgmt_clear_pkey_cache(EVP_PKEY *pk)
 232 {
 233     size_t i;
 234
 235     if (pk != NULL) {
 236         for (i = 0;
 237              i < OSSL_NELEM(pk->pkeys) && pk->pkeys[i].keymgmt != NULL;
 238              i++) {
 239             EVP_KEYMGMT *keymgmt = pk->pkeys[i].keymgmt;
 240             void *provdata = pk->pkeys[i].provdata;
 241
 242             pk->pkeys[i].keymgmt = NULL;
 243             pk->pkeys[i].provdata = NULL;
 244             if (pk->pkeys[i].domainparams)
 245                 keymgmt->freedomparams(provdata);
 246             else
 247                 keymgmt->freekey(provdata);
 248             EVP_KEYMGMT_free(keymgmt);
 249         }
 250     }
 251 }
 252
 253
 254 /* internal functions */
 255 /* TODO(3.0) decide if these should be public or internal */
 256 void *evp_keymgmt_importdomparams(const EVP_KEYMGMT *keymgmt,
 257                                   const OSSL_PARAM params[])
 258 {
 259     void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 260
 261     return keymgmt->importdomparams(provctx, params);
 262 }
 263
 264 void *evp_keymgmt_gendomparams(const EVP_KEYMGMT *keymgmt,
 265                                const OSSL_PARAM params[])
 266 {
 267     void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 268
 269     return keymgmt->gendomparams(provctx, params);
 270 }
 271
 272 void evp_keymgmt_freedomparams(const EVP_KEYMGMT *keymgmt,
 273                                void *provdomparams)
 274 {
 275     keymgmt->freedomparams(provdomparams);
 276 }
 277
 278 int evp_keymgmt_exportdomparams(const EVP_KEYMGMT *keymgmt,
 279                                 void *provdomparams, OSSL_PARAM params[])
 280 {
 281     return keymgmt->exportdomparams(provdomparams, params);
 282 }
 283
 284 const OSSL_PARAM *evp_keymgmt_importdomparam_types(const EVP_KEYMGMT *keymgmt)
 285 {
 286     return keymgmt->importdomparam_types();
 287 }
 288
 289 const OSSL_PARAM *evp_keymgmt_exportdomparam_types(const EVP_KEYMGMT *keymgmt)
 290 {
 291     return keymgmt->exportdomparam_types();
 292 }
 293
 294
 295 void *evp_keymgmt_importkey(const EVP_KEYMGMT *keymgmt,
 296                             const OSSL_PARAM params[])
 297 {
 298     void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 299
 300     return keymgmt->importkey(provctx, params);
 301 }
 302
 303 void *evp_keymgmt_genkey(const EVP_KEYMGMT *keymgmt, void *domparams,
 304                          const OSSL_PARAM params[])
 305 {
 306     void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 307
 308     return keymgmt->genkey(provctx, domparams, params);
 309 }
 310
 311 void *evp_keymgmt_loadkey(const EVP_KEYMGMT *keymgmt,
 312                           void *id, size_t idlen)
 313 {
 314     void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 315
 316     return keymgmt->loadkey(provctx, id, idlen);
 317 }
 318
 319 void evp_keymgmt_freekey(const EVP_KEYMGMT *keymgmt, void *provkey)
 320 {
 321     keymgmt->freekey(provkey);
 322 }
 323
 324 int evp_keymgmt_exportkey(const EVP_KEYMGMT *keymgmt, void *provkey,
 325                           OSSL_PARAM params[])
 326 {
 327     return keymgmt->exportkey(provkey, params);
 328 }
 329
 330 const OSSL_PARAM *evp_keymgmt_importkey_types(const EVP_KEYMGMT *keymgmt)
 331 {
 332     return keymgmt->importkey_types();
 333 }
 334
 335 const OSSL_PARAM *evp_keymgmt_exportkey_types(const EVP_KEYMGMT *keymgmt)
 336 {
 337     return keymgmt->exportkey_types();
 338 }