1 files changed, 67 insertions, 62 deletions
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 6adf7ce671..f2ad5f60c6 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.42 2023/08/12 08:07:35 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.43 2023/08/21 09:52:30 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -75,6 +75,17 @@ static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
 static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
 #endif
+static void
+eckey_param_free(int ptype, void *pval)
+{
+        if (pval == NULL)
+                return;
+        if (ptype == V_ASN1_OBJECT)
+                ASN1_OBJECT_free(pval);         /* XXX - really necessary? */
+        else
+                ASN1_STRING_free(pval);
+}
 static int
 eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 {
@@ -110,36 +121,37 @@ eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 static int
 eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
-        EC_KEY *ec_key = pkey->pkey.ec;
+        EC_KEY *eckey = pkey->pkey.ec;
+        int ptype = V_ASN1_UNDEF;
        void *pval = NULL;
-        int ptype;
+        ASN1_OBJECT *aobj;
-        unsigned char *penc = NULL, *p;
+        unsigned char *key = NULL;
-        int penclen;
+        int key_len = 0;
+        int ret = 0;
-        if (!eckey_param2type(&ptype, &pval, ec_key)) {
+        if (!eckey_param2type(&ptype, &pval, eckey)) {
                ECerror(ERR_R_EC_LIB);
-                return 0;
+                goto err;
        }
-        penclen = i2o_ECPublicKey(ec_key, NULL);
+        if ((key_len = i2o_ECPublicKey(eckey, &key)) <= 0) {
-        if (penclen <= 0)
+                key_len = 0;
                goto err;
-        penc = malloc(penclen);
+        }
-        if (!penc)
+        if ((aobj = OBJ_nid2obj(EVP_PKEY_EC)) == NULL)
                goto err;
-        p = penc;
+        if (!X509_PUBKEY_set0_param(pk, aobj, ptype, pval, key, key_len))
-        penclen = i2o_ECPublicKey(ec_key, &p);
-        if (penclen <= 0)
                goto err;
-        if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),
+        pval = NULL;
-                ptype, pval, penc, penclen))
+        key = NULL;
-                return 1;
+        key_len = 0;
+        ret = 1;
 err:
-        if (ptype == V_ASN1_OBJECT)
+        eckey_param_free(ptype, pval);
-                ASN1_OBJECT_free(pval);
+        freezero(key, key_len);
-        else
-                ASN1_STRING_free(pval);
+        return ret;
-        free(penc);
-        return 0;
 }
 static EC_KEY *
@@ -308,54 +320,47 @@ eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
 static int
 eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 {
-        EC_KEY *ec_key;
+        EC_KEY *eckey = pkey->pkey.ec;
-        unsigned char *ep, *p;
+        void *pval = NULL;
-        int eplen, ptype;
+        int ptype = V_ASN1_UNDEF;
-        void *pval;
+        ASN1_OBJECT *aobj;
-        unsigned int tmp_flags, old_flags;
+        unsigned char *key = NULL;
+        int key_len = 0;
+        unsigned int flags;
+        int ret = 0;
-        ec_key = pkey->pkey.ec;
+        flags = EC_KEY_get_enc_flags(eckey);
-        if (!eckey_param2type(&ptype, &pval, ec_key)) {
+        if (!eckey_param2type(&ptype, &pval, eckey)) {
                ECerror(EC_R_DECODE_ERROR);
-                return 0;
+                goto err;
        }
-        /* set the private key */
-        /*
+        /* PKCS#11 12.11: don't include parameters in the SEC1 private key. */
-         * do not include the parameters in the SEC1 private key see PKCS#11
+        EC_KEY_set_enc_flags(eckey, flags | EC_PKEY_NO_PARAMETERS);
-         * 12.11
-         */
+        if ((key_len = i2d_ECPrivateKey(eckey, &key)) <= 0) {
-        old_flags = EC_KEY_get_enc_flags(ec_key);
-        tmp_flags = old_flags | EC_PKEY_NO_PARAMETERS;
-        EC_KEY_set_enc_flags(ec_key, tmp_flags);
-        eplen = i2d_ECPrivateKey(ec_key, NULL);
-        if (!eplen) {
-                EC_KEY_set_enc_flags(ec_key, old_flags);
-                ECerror(ERR_R_EC_LIB);
-                return 0;
-        }
-        ep = malloc(eplen);
-        if (!ep) {
-                EC_KEY_set_enc_flags(ec_key, old_flags);
-                ECerror(ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        p = ep;
-        if (!i2d_ECPrivateKey(ec_key, &p)) {
-                EC_KEY_set_enc_flags(ec_key, old_flags);
-                free(ep);
                ECerror(ERR_R_EC_LIB);
-                return 0;
+                key_len = 0;
+                goto err;
        }
-        /* restore old encoding flags */
+        if ((aobj = OBJ_nid2obj(NID_X9_62_id_ecPublicKey)) == NULL)
-        EC_KEY_set_enc_flags(ec_key, old_flags);
+                goto err;
+        if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, pval, key, key_len))
+                goto err;
+        pval = NULL;
+        key = NULL;
+        key_len = 0;
-        if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
+        ret = 1;
-                ptype, pval, ep, eplen))
-                return 0;
-        return 1;
+ err:
+        eckey_param_free(ptype, pval);
+        freezero(key, key_len);
+        EC_KEY_set_enc_flags(eckey, flags);
+        return ret;
 }
 static int

diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c index 6adf7ce671..f2ad5f60c6 100644 --- a/src/lib/libcrypto/ec/ec_ameth.c +++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ec_ameth.c,v 1.42 2023/08/12 08:07:35 tb Exp $ */	1	/* $OpenBSD: ec_ameth.c,v 1.43 2023/08/21 09:52:30 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -75,6 +75,17 @@ static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
75	static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);	75	static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
76	#endif	76	#endif
77		77
		78	static void
		79	eckey_param_free(int ptype, void *pval)
		80	{
		81	if (pval == NULL)
		82	return;
		83	if (ptype == V_ASN1_OBJECT)
		84	ASN1_OBJECT_free(pval); /* XXX - really necessary? */
		85	else
		86	ASN1_STRING_free(pval);
		87	}
		88
78	static int	89	static int
79	eckey_param2type(int pptype, void ppval, EC_KEY ec_key)	90	eckey_param2type(int pptype, void ppval, EC_KEY ec_key)
80	{	91	{
@@ -110,36 +121,37 @@ eckey_param2type(int pptype, void ppval, EC_KEY ec_key)
110	static int	121	static int
111	eckey_pub_encode(X509_PUBKEY pk, const EVP_PKEY pkey)	122	eckey_pub_encode(X509_PUBKEY pk, const EVP_PKEY pkey)
112	{	123	{
113	EC_KEY *ec_key = pkey->pkey.ec;	124	EC_KEY *eckey = pkey->pkey.ec;
		125	int ptype = V_ASN1_UNDEF;
114	void *pval = NULL;	126	void *pval = NULL;
115	int ptype;	127	ASN1_OBJECT *aobj;
116	unsigned char penc = NULL, p;	128	unsigned char *key = NULL;
117	int penclen;	129	int key_len = 0;
		130	int ret = 0;
118		131
119	if (!eckey_param2type(&ptype, &pval, ec_key)) {	132	if (!eckey_param2type(&ptype, &pval, eckey)) {
120	ECerror(ERR_R_EC_LIB);	133	ECerror(ERR_R_EC_LIB);
121	return 0;	134	goto err;
122	}	135	}
123	penclen = i2o_ECPublicKey(ec_key, NULL);	136	if ((key_len = i2o_ECPublicKey(eckey, &key)) <= 0) {
124	if (penclen <= 0)	137	key_len = 0;
125	goto err;	138	goto err;
126	penc = malloc(penclen);	139	}
127	if (!penc)	140	if ((aobj = OBJ_nid2obj(EVP_PKEY_EC)) == NULL)
128	goto err;	141	goto err;
129	p = penc;	142	if (!X509_PUBKEY_set0_param(pk, aobj, ptype, pval, key, key_len))
130	penclen = i2o_ECPublicKey(ec_key, &p);
131	if (penclen <= 0)
132	goto err;	143	goto err;
133	if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC),	144	pval = NULL;
134	ptype, pval, penc, penclen))	145	key = NULL;
135	return 1;	146	key_len = 0;
		147
		148	ret = 1;
		149
136	err:	150	err:
137	if (ptype == V_ASN1_OBJECT)	151	eckey_param_free(ptype, pval);
138	ASN1_OBJECT_free(pval);	152	freezero(key, key_len);
139	else	153
140	ASN1_STRING_free(pval);	154	return ret;
141	free(penc);
142	return 0;
143	}	155	}
144		156
145	static EC_KEY *	157	static EC_KEY *
@@ -308,54 +320,47 @@ eckey_priv_decode(EVP_PKEY pkey, const PKCS8_PRIV_KEY_INFO p8)
308	static int	320	static int
309	eckey_priv_encode(PKCS8_PRIV_KEY_INFO p8, const EVP_PKEY pkey)	321	eckey_priv_encode(PKCS8_PRIV_KEY_INFO p8, const EVP_PKEY pkey)
310	{	322	{
311	EC_KEY *ec_key;	323	EC_KEY *eckey = pkey->pkey.ec;
312	unsigned char ep, p;	324	void *pval = NULL;
313	int eplen, ptype;	325	int ptype = V_ASN1_UNDEF;
314	void *pval;	326	ASN1_OBJECT *aobj;
315	unsigned int tmp_flags, old_flags;	327	unsigned char *key = NULL;
		328	int key_len = 0;
		329	unsigned int flags;
		330	int ret = 0;
316		331
317	ec_key = pkey->pkey.ec;	332	flags = EC_KEY_get_enc_flags(eckey);
318		333
319	if (!eckey_param2type(&ptype, &pval, ec_key)) {	334	if (!eckey_param2type(&ptype, &pval, eckey)) {
320	ECerror(EC_R_DECODE_ERROR);	335	ECerror(EC_R_DECODE_ERROR);
321	return 0;	336	goto err;
322	}	337	}
323	/* set the private key */
324		338
325	/*	339	/* PKCS#11 12.11: don't include parameters in the SEC1 private key. */
326	* do not include the parameters in the SEC1 private key see PKCS#11	340	EC_KEY_set_enc_flags(eckey, flags \| EC_PKEY_NO_PARAMETERS);
327	* 12.11	341
328	*/	342	if ((key_len = i2d_ECPrivateKey(eckey, &key)) <= 0) {
329	old_flags = EC_KEY_get_enc_flags(ec_key);
330	tmp_flags = old_flags \| EC_PKEY_NO_PARAMETERS;
331	EC_KEY_set_enc_flags(ec_key, tmp_flags);
332	eplen = i2d_ECPrivateKey(ec_key, NULL);
333	if (!eplen) {
334	EC_KEY_set_enc_flags(ec_key, old_flags);
335	ECerror(ERR_R_EC_LIB);
336	return 0;
337	}
338	ep = malloc(eplen);
339	if (!ep) {
340	EC_KEY_set_enc_flags(ec_key, old_flags);
341	ECerror(ERR_R_MALLOC_FAILURE);
342	return 0;
343	}
344	p = ep;
345	if (!i2d_ECPrivateKey(ec_key, &p)) {
346	EC_KEY_set_enc_flags(ec_key, old_flags);
347	free(ep);
348	ECerror(ERR_R_EC_LIB);	343	ECerror(ERR_R_EC_LIB);
349	return 0;	344	key_len = 0;
		345	goto err;
350	}	346	}
351	/* restore old encoding flags */	347	if ((aobj = OBJ_nid2obj(NID_X9_62_id_ecPublicKey)) == NULL)
352	EC_KEY_set_enc_flags(ec_key, old_flags);	348	goto err;
		349	if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, pval, key, key_len))
		350	goto err;
		351	pval = NULL;
		352	key = NULL;
		353	key_len = 0;
353		354
354	if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,	355	ret = 1;
355	ptype, pval, ep, eplen))
356	return 0;
357		356
358	return 1;	357	err:
		358	eckey_param_free(ptype, pval);
		359	freezero(key, key_len);
		360
		361	EC_KEY_set_enc_flags(eckey, flags);
		362
		363	return ret;
359	}	364	}
360		365
361	static int	366	static int