From 7fb3126fd893eaf943734896c92355fe150b44d6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 15 May 2021 18:04:58 -0400
Subject: [PATCH] softpkcs11: Remove all openssl deprecated functions

Rewrite add_pubkey_info() in terms of the EVP_PKEY interface.  In this
process, fix its unchecked allocations and fail fast for non-RSA keys.

(cherry picked from commit ec4a325dc939da23967bb115bb5339963da80098)
---
 src/configure.ac            |  1 +
 src/tests/softpkcs11/main.c | 83 +++++++++++++++++++++++--------------
 2 files changed, 53 insertions(+), 31 deletions(-)

diff --git a/src/configure.ac b/src/configure.ac
index 3e1052db7..eb6307468 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1114,6 +1114,7 @@ int i = 1;
 ])], k5_cv_openssl_version_okay=yes, k5_cv_openssl_version_okay=no)])
   old_LIBS="$LIBS"
   AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
+  AC_CHECK_FUNCS(EVP_PKEY_get_bn_param)
   LIBS="$old_LIBS"
 fi
 if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 500e3093d..c6f688dde 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -416,42 +416,63 @@ add_object_attribute(struct st_object *o,
 static CK_RV
 add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
 {
-    switch (key_type) {
-    case CKK_RSA: {
-        CK_BYTE *modulus = NULL;
-        size_t modulus_len = 0;
-        CK_ULONG modulus_bits = 0;
-        CK_BYTE *exponent = NULL;
-        size_t exponent_len = 0;
-        const RSA *rsa;
-        const BIGNUM *n, *e;
+    CK_BYTE *modulus = NULL, *exponent = 0;
+    size_t modulus_len = 0, exponent_len = 0;
+    CK_ULONG modulus_bits = 0;
+    CK_RV ret;
 
-        rsa = EVP_PKEY_get0_RSA(key);
-        RSA_get0_key(rsa, &n, &e, NULL);
-        modulus_bits = BN_num_bits(n);
+#ifdef HAVE_EVP_PKEY_GET_BN_PARAM
+    BIGNUM *n = NULL, *e = NULL;
+#else
+    const RSA *rsa;
+    const BIGNUM *n, *e;
+#endif
 
-        modulus_len = BN_num_bytes(n);
-        modulus = malloc(modulus_len);
-        BN_bn2bin(n, modulus);
+    if (key_type != CKK_RSA)
+        abort();
 
-        exponent_len = BN_num_bytes(e);
-        exponent = malloc(exponent_len);
-        BN_bn2bin(e, exponent);
-
-        add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
-        add_object_attribute(o, 0, CKA_MODULUS_BITS,
-                             &modulus_bits, sizeof(modulus_bits));
-        add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
-                             exponent, exponent_len);
-
-        free(modulus);
-        free(exponent);
+#ifdef HAVE_EVP_PKEY_GET_BN_PARAM
+    if (EVP_PKEY_get_bn_param(key, "n", &n) == 0 ||
+        EVP_PKEY_get_bn_param(key, "e", &e) == 0) {
+        ret = CKR_DEVICE_ERROR;
+        goto done;
     }
-    default:
-        /* XXX */
-        break;
+#else
+    rsa = EVP_PKEY_get0_RSA(key);
+    RSA_get0_key(rsa, &n, &e, NULL);
+#endif
+
+    modulus_bits = BN_num_bits(n);
+    modulus_len = BN_num_bytes(n);
+    exponent_len = BN_num_bytes(e);
+
+    modulus = malloc(modulus_len);
+    exponent = malloc(exponent_len);
+    if (modulus == NULL || exponent == NULL) {
+        ret = CKR_DEVICE_MEMORY;
+        goto done;
     }
-    return CKR_OK;
+
+    BN_bn2bin(n, modulus);
+    BN_bn2bin(e, exponent);
+
+    add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
+    add_object_attribute(o, 0, CKA_MODULUS_BITS,
+                         &modulus_bits, sizeof(modulus_bits));
+    add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
+                         exponent, exponent_len);
+
+    ret = CKR_OK;
+done:
+    free(modulus);
+    free(exponent);
+
+#ifdef HAVE_EVP_PKEY_GET_BN_PARAM
+    BN_clear_free(n);
+    BN_clear_free(e);
+#endif
+
+    return ret;
 }