commit 21617eda73fc4f7b75e6e27b6c102160aba57e9e from: Omar Polo date: Sat Jul 22 08:13:15 2023 UTC remove the useless logging methods it makes more clear where the magic is. adapted from the smtpd' ca.c diff. commit - 5d2f4b1611d724a3dbf0d4b8629119cf1ad11e87 commit + 21617eda73fc4f7b75e6e27b6c102160aba57e9e blob - dd4ead3a49898641583eedbf8d60e37ccf79287d blob + b24cb4310c4d9b192970ed9e2cd43091bff8f496 --- crypto.c +++ crypto.c @@ -356,22 +356,6 @@ rsae_send_imsg(int flen, const unsigned char *from, un imsg_event_add(iev); return (ret); -} - -static int -rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa, - int padding) -{ - log_debug("debug: %s", __func__); - return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding)); -} - -static int -rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa, - int padding) -{ - log_debug("debug: %s", __func__); - return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding)); } static int 
@@ -395,49 +379,9 @@ rsae_priv_dec(int flen, const unsigned char *from, uns IMSG_CRYPTO_RSA_PRIVDEC)); return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding)); -} - -static int -rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) -{ - log_debug("debug: %s", __func__); - return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx)); -} - -static int -rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) -{ - log_debug("debug: %s", __func__); - return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx)); -} - -static int -rsae_init(RSA *rsa) -{ - log_debug("debug: %s", __func__); - if (RSA_meth_get_init(rsa_default) == NULL) - return (1); - return (RSA_meth_get_init(rsa_default)(rsa)); -} - -static int -rsae_finish(RSA *rsa) -{ - log_debug("debug: %s", __func__); - if (RSA_meth_get_finish(rsa_default) == NULL) - return (1); - return (RSA_meth_get_finish(rsa_default)(rsa)); } -static int -rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb) -{ - log_debug("debug: %s", __func__); - return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb)); -} - /* * ECDSA privsep engine (called from unprivileged processes) */ 
@@ -553,54 +497,6 @@ ecdsae_send_enc_imsg(const unsigned char *dgst, int dg return (sig); } -static int -ecdsae_keygen(EC_KEY *eckey) -{ - int (*keygen)(EC_KEY *); - - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_keygen(ecdsa_default, &keygen); - return (keygen(eckey)); -} - -#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3080100fL -static int -ecdsae_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, - EC_KEY *ecdh, void *(*kdf)(const void *, size_t, void *, size_t *)) -{ - int (*ckey)(void *, size_t, const EC_POINT *, EC_KEY *, - void *(*)(const void *, size_t, void *, size_t *)); - - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_compute_key(ecdsa_default, &ckey); - return (ckey(out, outlen, pub_key, ecdh, kdf)); -} -#else -static int -ecdsae_compute_key(unsigned char **psec, size_t *pseclen, - const EC_POINT *pub_key, const EC_KEY *ecdh) -{ - int (*ckey)(unsigned char **, size_t *, const EC_POINT *, - const EC_KEY *); - - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_compute_key(ecdsa_default, &ckey); - return (ckey(psec, pseclen, pub_key, ecdh)); -} -#endif - -static int -ecdsae_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, - unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) -{ - int (*sign)(int, const unsigned char *, int, unsigned char *, - unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *); - - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_sign(ecdsa_default, &sign, NULL, NULL); - return (sign(type, dgst, dlen, sig, siglen, kinv, r, eckey)); -} - static ECDSA_SIG * ecdsae_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey) 
@@ -615,41 +511,7 @@ ecdsae_do_sign(const unsigned char *dgst, int dgst_len return (psign_sig(dgst, dgst_len, inv, rp, eckey)); } -static int -ecdsae_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **r) -{ - int (*psign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **); - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_sign(ecdsa_default, NULL, &psign_setup, NULL); - return (psign_setup(eckey, ctx, kinv, r)); -} - -static int -ecdsae_verify(int type, const unsigned char *dgst, int dgst_len, - const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) -{ - int (*verify)(int, const unsigned char *, int, const unsigned char *, - int, EC_KEY *); - - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_verify(ecdsa_default, &verify, NULL); - return (verify(type, dgst, dgst_len, sigbuf, sig_len, eckey)); -} - -static int -ecdsae_do_verify(const unsigned char *dgst, int dgst_len, - const ECDSA_SIG *sig, EC_KEY *eckey) -{ - int (*pverify_sig)(const unsigned char *, int, const ECDSA_SIG *, - EC_KEY *); - - log_debug("debug: %s", __func__); - EC_KEY_METHOD_get_verify(ecdsa_default, NULL, &pverify_sig); - return (pverify_sig(dgst, dgst_len, sig, eckey)); -} - - /* * Initialize the two engines. */ 
@@ -660,27 +522,12 @@ rsa_engine_init(void) ENGINE *e; const char *errstr, *name; - if ((rsae_method = RSA_meth_new("RSA privsep engine", 0)) == NULL) { - errstr = "RSA_meth_new"; - goto fail; - } - - RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc); - RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec); - RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc); - RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec); - RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp); - RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp); - RSA_meth_set_init(rsae_method, rsae_init); - RSA_meth_set_finish(rsae_method, rsae_finish); - RSA_meth_set_keygen(rsae_method, rsae_keygen); - if ((e = ENGINE_get_default_RSA()) == NULL) { if ((e = ENGINE_new()) == NULL) { errstr = "ENGINE_new"; goto fail; } - if (!ENGINE_set_name(e, RSA_meth_get0_name(rsae_method))) { + if (!ENGINE_set_name(e, "RSA privsep engine")) { errstr = "ENGINE_set_name"; goto fail; } @@ -693,17 +540,19 @@ rsa_engine_init(void) goto fail; } + if ((rsae_method = RSA_meth_dup(rsa_default)) == NULL) { + errstr = "RSA_meth_dup"; + goto fail; + } + if ((name = ENGINE_get_name(e)) == NULL) name = "unknown RSA engine"; log_debug("debug: %s: using %s", __func__, name); - if (RSA_meth_get_mod_exp(rsa_default) == NULL) - RSA_meth_set_mod_exp(rsae_method, NULL); - if (RSA_meth_get_bn_mod_exp(rsa_default) == NULL) - RSA_meth_set_bn_mod_exp(rsae_method, NULL); - if (RSA_meth_get_keygen(rsa_default) == NULL) - RSA_meth_set_keygen(rsae_method, NULL); + RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc); + RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec); + RSA_meth_set_flags(rsae_method, RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK); RSA_meth_set0_app_data(rsae_method, 
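Review bot: In the second hunk, the `RSA_meth_set_priv_enc` and `RSA_meth_set_priv_dec` calls that follow `RSA_meth_dup(rsa_default)` are now the whole privilege-separation boundary for RSA, and nothing in the code says that every other method is deliberately inherited. I would add above them `/* only private-key operations are forwarded over imsg; every other RSA method is inherited unchanged from rsa_default */`, so that a later edit cannot drop an override without it being obvious that the in-process default would then handle the key operation. The duplicate also presumably carries the default method's name rather than "RSA privsep engine"; if the method name appears in diagnostics outside this hunk, `RSA_meth_set1_name(rsae_method, "RSA privsep engine")` would preserve it. rsa_engine_init starts and ends outside both hunks, so the assignment of `rsa_default` and the `fail` path are not visible here.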
@@ -730,19 +579,10 @@ ecdsa_engine_init(void) { ENGINE *e; const char *errstr, *name; + int (*sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *); + int (*sign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **); - if ((ecdsae_method = EC_KEY_METHOD_new(NULL)) == NULL) { - errstr = "EC_KEY_METHOD_new"; - goto fail; - } - - EC_KEY_METHOD_set_keygen(ecdsae_method, ecdsae_keygen); - EC_KEY_METHOD_set_compute_key(ecdsae_method, ecdsae_compute_key); - EC_KEY_METHOD_set_sign(ecdsae_method, ecdsae_sign, ecdsae_sign_setup, - ecdsae_do_sign); - EC_KEY_METHOD_set_verify(ecdsae_method, ecdsae_verify, - ecdsae_do_verify); - if ((e = ENGINE_get_default_EC()) == NULL) { if ((e = ENGINE_new()) == NULL) { errstr = "ENGINE_new"; @@ -766,6 +606,15 @@ ecdsa_engine_init(void) log_debug("debug: %s: using %s", __func__, name); + if ((ecdsae_method = EC_KEY_METHOD_new(ecdsa_default)) == NULL) { + errstr = "EC_KEY_METHOD_new"; + goto fail; + } + + EC_KEY_METHOD_get_sign(ecdsa_default, &sign, &sign_setup, NULL); + EC_KEY_METHOD_set_sign(ecdsae_method, sign, sign_setup, + ecdsae_do_sign); + if (!ENGINE_set_EC(e, ecdsae_method)) { errstr = "ENGINE_set_EC"; goto fail;
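Review bot: In the second hunk, `EC_KEY_METHOD_set_sign` puts back the default `sign` and `sign_setup` and replaces only the third slot with `ecdsae_do_sign`, so a caller entering through the `sign` slot reaches the privsep path only if the library's default `sign` itself dispatches to the method's signing callback. That is an assumption about the crypto library rather than something this file enforces, and it should be stated next to the call: `/* default sign is expected to call back into ecdsae_do_sign; re-check when the crypto library changes */`. The same comment can note that `EC_KEY_METHOD_get_sign` is called only because `set_sign` takes all three slots at once, since `EC_KEY_METHOD_new(ecdsa_default)` presumably already copied the first two. ecdsa_engine_init begins and ends outside both hunks.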