mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Simplify opensslecdsa_fromlabel

Browse Source 
The 'opensslecdsa_fromlabel()' function does not need to get the
OpenSSL engine twice to load the private and public key. Also no need
to call 'dst_key_to_eckey()' as the EC_KEY can be derived from the
loaded EVP_PKEY's.

Add some extra checks to ensure the key has the same base id and curve
(group nid) as the dst key.

Since we already have the EVP_PKEY, no need to call 'finalize_eckey()',
instead just set the right values in the key structure.
This commit is contained in:
Matthijs Mekking 2021-01-05 10:53:17 +01:00
parent 1fcd0ef8bd
commit 393052d6ff
1 changed files with 61 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
lib/dns/opensslecdsa_link.c
View File

@ -620,39 +620,6 @@ load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv) {
} }
#if !defined(OPENSSL_NO_ENGINE) #if !defined(OPENSSL_NO_ENGINE)
static isc_result_t
load_pubkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
EC_KEY *key;
ENGINE *ep;
EVP_PKEY *pubkey;
if (engine == NULL || label == NULL) {
return (DST_R_NOENGINE);
}
ep = dst__openssl_getengine(engine);
if (ep == NULL) {
return (DST_R_NOENGINE);
}
pubkey = ENGINE_load_public_key(ep, label, NULL, NULL);
if (pubkey == NULL) {
return (dst__openssl_toresult2("ENGINE_load_public_key",
ISC_R_NOTFOUND));
}
key = EVP_PKEY_get1_EC_KEY(pubkey);
EVP_PKEY_free(pubkey);
if (key == NULL) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
EC_KEY_set_public_key(eckey, EC_KEY_get0_public_key(key));
return (ISC_R_SUCCESS);
}
static isc_result_t static isc_result_t
load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) { load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
EC_KEY *key; EC_KEY *key;
@ -686,15 +653,6 @@ load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
#else #else
static isc_result_t
load_pubkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
UNUSED(eckey);
UNUSED(engine);
UNUSED(label);
return (DST_R_NOENGINE);
}
static isc_result_t static isc_result_t
load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) { load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
UNUSED(eckey); UNUSED(eckey);
@ -844,40 +802,83 @@ static isc_result_t
opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) { const char *pin) {
#if !defined(OPENSSL_NO_ENGINE) #if !defined(OPENSSL_NO_ENGINE)
isc_result_t result = ISC_R_SUCCESS; isc_result_t ret = ISC_R_SUCCESS;
ENGINE *e;
EC_KEY *eckey = NULL; EC_KEY *eckey = NULL;
EC_KEY *pubeckey = NULL; EC_KEY *pubeckey = NULL;
EVP_PKEY *pkey = NULL;
EVP_PKEY *pubkey = NULL;
int group_nid = 0;
UNUSED(pin); UNUSED(pin);
result = dst__key_to_eckey(key, &eckey); if (engine == NULL || label == NULL) {
if (result != ISC_R_SUCCESS) { return (DST_R_NOENGINE);
goto end; }
e = dst__openssl_getengine(engine);
if (e == NULL) {
return (DST_R_NOENGINE);
} }
result = dst__key_to_eckey(key, &pubeckey); if (key->key_alg == DST_ALG_ECDSA256) {
if (result != ISC_R_SUCCESS) { group_nid = NID_X9_62_prime256v1;
goto end; } else {
group_nid = NID_secp384r1;
} }
result = load_pubkey_from_engine(pubeckey, engine, label); /* Load private key. */
if (result != ISC_R_SUCCESS) { pkey = ENGINE_load_private_key(e, label, NULL, NULL);
goto end; if (pkey == NULL) {
return (dst__openssl_toresult2("ENGINE_load_private_key",
DST_R_OPENSSLFAILURE));
}
/* Check base id, group nid */
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (eckey == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
} }
result = load_privkey_from_engine(eckey, engine, label); /* Load public key. */
if (result != ISC_R_SUCCESS) { pubkey = ENGINE_load_public_key(e, label, NULL, NULL);
return (result); if (pubkey == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
DST_R_OPENSSLFAILURE));
}
/* Check base id, group nid */
if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
DST_RET(DST_R_INVALIDPUBLICKEY);
}
pubeckey = EVP_PKEY_get1_EC_KEY(pubkey);
if (pubeckey == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
DST_RET(DST_R_INVALIDPUBLICKEY);
} }
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) { if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
result = DST_R_INVALIDPRIVATEKEY; DST_RET(DST_R_INVALIDPRIVATEKEY);
goto end;
} }
result = finalize_eckey(key, eckey, engine, label); key->label = isc_mem_strdup(key->mctx, label);
key->engine = isc_mem_strdup(key->mctx, engine);
key->key_size = EVP_PKEY_bits(pkey);
key->keydata.pkey = pkey;
pkey = NULL;
end: err:
if (pubkey != NULL) {
EVP_PKEY_free(pubkey);
}
if (pkey != NULL) {
EVP_PKEY_free(pkey);
}
if (pubeckey != NULL) { if (pubeckey != NULL) {
EC_KEY_free(pubeckey); EC_KEY_free(pubeckey);
} }
@ -885,7 +886,7 @@ end:
EC_KEY_free(eckey); EC_KEY_free(eckey);
} }
return (result); return (ret);
#else #else
UNUSED(key); UNUSED(key);
UNUSED(engine); UNUSED(engine);