126 lines
3.8 KiB
Diff
126 lines
3.8 KiB
Diff
From 7fb3126fd893eaf943734896c92355fe150b44d6 Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Sat, 15 May 2021 18:04:58 -0400
|
|
Subject: [PATCH] softpkcs11: Remove all openssl deprecated functions
|
|
|
|
Rewrite add_pubkey_info() in terms of the EVP_PKEY interface. In this
|
|
process, fix its unchecked allocations and fail fast for non-RSA keys.
|
|
|
|
(cherry picked from commit ec4a325dc939da23967bb115bb5339963da80098)
|
|
---
|
|
src/configure.ac | 1 +
|
|
src/tests/softpkcs11/main.c | 83 +++++++++++++++++++++++--------------
|
|
2 files changed, 53 insertions(+), 31 deletions(-)
|
|
|
|
diff --git a/src/configure.ac b/src/configure.ac
|
|
index 3e1052db7..eb6307468 100644
|
|
--- a/src/configure.ac
|
|
+++ b/src/configure.ac
|
|
@@ -1114,6 +1114,7 @@ int i = 1;
|
|
])], k5_cv_openssl_version_okay=yes, k5_cv_openssl_version_okay=no)])
|
|
old_LIBS="$LIBS"
|
|
AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
|
|
+ AC_CHECK_FUNCS(EVP_PKEY_get_bn_param)
|
|
LIBS="$old_LIBS"
|
|
fi
|
|
if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
|
|
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
|
|
index 500e3093d..c6f688dde 100644
|
|
--- a/src/tests/softpkcs11/main.c
|
|
+++ b/src/tests/softpkcs11/main.c
|
|
@@ -416,42 +416,63 @@ add_object_attribute(struct st_object *o,
|
|
static CK_RV
|
|
add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
|
|
{
|
|
- switch (key_type) {
|
|
- case CKK_RSA: {
|
|
- CK_BYTE *modulus = NULL;
|
|
- size_t modulus_len = 0;
|
|
- CK_ULONG modulus_bits = 0;
|
|
- CK_BYTE *exponent = NULL;
|
|
- size_t exponent_len = 0;
|
|
- const RSA *rsa;
|
|
- const BIGNUM *n, *e;
|
|
+ CK_BYTE *modulus = NULL, *exponent = 0;
|
|
+ size_t modulus_len = 0, exponent_len = 0;
|
|
+ CK_ULONG modulus_bits = 0;
|
|
+ CK_RV ret;
|
|
|
|
- rsa = EVP_PKEY_get0_RSA(key);
|
|
- RSA_get0_key(rsa, &n, &e, NULL);
|
|
- modulus_bits = BN_num_bits(n);
|
|
+#ifdef HAVE_EVP_PKEY_GET_BN_PARAM
|
|
+ BIGNUM *n = NULL, *e = NULL;
|
|
+#else
|
|
+ const RSA *rsa;
|
|
+ const BIGNUM *n, *e;
|
|
+#endif
|
|
|
|
- modulus_len = BN_num_bytes(n);
|
|
- modulus = malloc(modulus_len);
|
|
- BN_bn2bin(n, modulus);
|
|
+ if (key_type != CKK_RSA)
|
|
+ abort();
|
|
|
|
- exponent_len = BN_num_bytes(e);
|
|
- exponent = malloc(exponent_len);
|
|
- BN_bn2bin(e, exponent);
|
|
-
|
|
- add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
|
|
- add_object_attribute(o, 0, CKA_MODULUS_BITS,
|
|
- &modulus_bits, sizeof(modulus_bits));
|
|
- add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
|
|
- exponent, exponent_len);
|
|
-
|
|
- free(modulus);
|
|
- free(exponent);
|
|
+#ifdef HAVE_EVP_PKEY_GET_BN_PARAM
|
|
+ if (EVP_PKEY_get_bn_param(key, "n", &n) == 0 ||
|
|
+ EVP_PKEY_get_bn_param(key, "e", &e) == 0) {
|
|
+ ret = CKR_DEVICE_ERROR;
|
|
+ goto done;
|
|
}
|
|
- default:
|
|
- /* XXX */
|
|
- break;
|
|
+#else
|
|
+ rsa = EVP_PKEY_get0_RSA(key);
|
|
+ RSA_get0_key(rsa, &n, &e, NULL);
|
|
+#endif
|
|
+
|
|
+ modulus_bits = BN_num_bits(n);
|
|
+ modulus_len = BN_num_bytes(n);
|
|
+ exponent_len = BN_num_bytes(e);
|
|
+
|
|
+ modulus = malloc(modulus_len);
|
|
+ exponent = malloc(exponent_len);
|
|
+ if (modulus == NULL || exponent == NULL) {
|
|
+ ret = CKR_DEVICE_MEMORY;
|
|
+ goto done;
|
|
}
|
|
- return CKR_OK;
|
|
+
|
|
+ BN_bn2bin(n, modulus);
|
|
+ BN_bn2bin(e, exponent);
|
|
+
|
|
+ add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
|
|
+ add_object_attribute(o, 0, CKA_MODULUS_BITS,
|
|
+ &modulus_bits, sizeof(modulus_bits));
|
|
+ add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
|
|
+ exponent, exponent_len);
|
|
+
|
|
+ ret = CKR_OK;
|
|
+done:
|
|
+ free(modulus);
|
|
+ free(exponent);
|
|
+
|
|
+#ifdef HAVE_EVP_PKEY_GET_BN_PARAM
|
|
+ BN_clear_free(n);
|
|
+ BN_clear_free(e);
|
|
+#endif
|
|
+
|
|
+ return ret;
|
|
}
|
|
|
|
|