author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-27 17:01:20 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-28 09:56:49 -0500 |
commit | dadcf77a61f6e140273d8510044bd6b71507dfb2 (patch) | |
tree | cf51b125327d67cb5c514d74688941d9372132d9 | |
parent | 034c7733c643b06529515be228b974079ea10a99 (diff) | |
Take an engine reference in the key
Apparently openssl doesn't do this for engine keys, meaning that the
openssl-described way of obtaining an engine key
if (ENGINE_init(e)) {
pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
ENGINE_finish(e);
}
results in a dynamic engine being torn down immediately after the key
is obtained. Fix this by taking a reference in the binding and
releasing it when the key app_data is freed. This requires adding a
pointer to the engine to the app_data.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | e_tpm2-ecc.c | 6 | ||||
-rw-r--r-- | e_tpm2-ecc.h | 2 | ||||
-rw-r--r-- | e_tpm2-rsa.c | 5 | ||||
-rw-r--r-- | e_tpm2-rsa.h | 2 | ||||
-rw-r--r-- | e_tpm2.c | 10 | ||||
-rw-r--r-- | tpm2-common.h | 1 |
6 files changed, 17 insertions, 9 deletions
diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c
index 0a2f7c5..a73a082 100644
--- a/e_tpm2-ecc.c
+++ b/e_tpm2-ecc.c
@@ -12,6 +12,7 @@
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/ecdh.h>
+#include <openssl/engine.h>
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 #include <openssl/bn.h>
@@ -85,7 +86,7 @@ static TPM_HANDLE tpm2_load_key_from_ecc(const EC_KEY *eck,
 	return tpm2_load_key(tssContext, app_data, srk_auth, NULL);
 }
-void tpm2_bind_key_to_engine_ecc(EVP_PKEY *pkey, void *data)
+void tpm2_bind_key_to_engine_ecc(ENGINE *e, EVP_PKEY *pkey, struct app_data *data)
 {
 	EC_KEY *eck = EVP_PKEY_get1_EC_KEY(pkey);
@@ -104,6 +105,8 @@ void tpm2_bind_key_to_engine_ecc(EVP_PKEY *pkey, void *data)
 #endif
 	}
+	data->e = e;
+	ENGINE_init(e);
 	active_keys++;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000
 	EVP_PKEY_set1_EC_KEY(pkey, eck);
@@ -121,6 +124,7 @@ static void tpm2_ecc_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
 		return;
 	--active_keys;
+	ENGINE_finish(data->e);
 	tpm2_delete(data);
 }
diff --git a/e_tpm2-ecc.h b/e_tpm2-ecc.h
index f3ac79f..d8000ec 100644
--- a/e_tpm2-ecc.h
+++ b/e_tpm2-ecc.h
@@ -1,7 +1,7 @@
 #ifndef _E_TPM2_ECC_H
 #define _E_TPM2_ECC_H
-void tpm2_bind_key_to_engine_ecc(EVP_PKEY *pkey, void *data);
+void tpm2_bind_key_to_engine_ecc(ENGINE *e, EVP_PKEY *pkey, struct app_data *data);
 int tpm2_setup_ecc_methods(void);
 void tpm2_teardown_ecc_methods(void);
diff --git a/e_tpm2-rsa.c b/e_tpm2-rsa.c
index 6f67e2a..3fb5d62 100644
--- a/e_tpm2-rsa.c
+++ b/e_tpm2-rsa.c
@@ -117,7 +117,7 @@ static TPM_HANDLE tpm2_load_key_from_rsa(RSA *rsa, TSS_CONTEXT **tssContext,
 	return tpm2_load_key(tssContext, app_data, srk_auth, NULL);
 }
-void tpm2_bind_key_to_engine_rsa(EVP_PKEY *pkey, void *data)
+void tpm2_bind_key_to_engine_rsa(ENGINE *e, EVP_PKEY *pkey, struct app_data *data)
 {
 	RSA *rsa = EVP_PKEY_get1_RSA(pkey);
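Review bot: The return value of `ENGINE_init(e)` is discarded in tpm2_bind_key_to_engine_ecc, and the same pattern appears in tpm2_bind_key_to_engine_rsa in the next hunk of e_tpm2-rsa.c; since `data->e` is assigned before the call, a failed ENGINE_init still leads tpm2_ecc_free / tpm2_rsa_free to call `ENGINE_finish(data->e)` and release a functional reference this key never acquired, which can push the engine's reference count below what its remaining users hold. Record the engine only once the reference is confirmed, `if (ENGINE_init(e)) data->e = e;`, and have the free paths skip the finish when the pointer is NULL, `if (data->e) ENGINE_finish(data->e);` (current OpenSSL tolerates ENGINE_finish(NULL) as far as I recall, but an explicit guard is easier to audit). This relies on app_data being zero-initialised at allocation, which is outside these hunks, as is the rest of both bind functions including where `data` is attached to the key.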
@@ -128,6 +128,8 @@ void tpm2_bind_key_to_engine_rsa(EVP_PKEY *pkey, void *data)
 #else
 	RSA_set_method(rsa, tpm2_rsa);
 #endif
+	data->e = e;
+	ENGINE_init(e);
 	RSA_set_ex_data(rsa, ex_app_data, data);
 	active_keys++;
@@ -149,6 +151,7 @@ static void tpm2_rsa_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
 		return;
 	--active_keys;
+	ENGINE_finish(app_data->e);
 	tpm2_delete(app_data);
 }
diff --git a/e_tpm2-rsa.h b/e_tpm2-rsa.h
index 4a9f21f..c59a358 100644
--- a/e_tpm2-rsa.h
+++ b/e_tpm2-rsa.h
@@ -1,7 +1,7 @@
 #ifndef _E_TPM2_RSA_H
 #define _E_TPM2_RSA_H
-void tpm2_bind_key_to_engine_rsa(EVP_PKEY *pkey, void *data);
+void tpm2_bind_key_to_engine_rsa(ENGINE *e, EVP_PKEY *pkey, struct app_data *data);
 int tpm2_setup_rsa_methods(void);
 void tpm2_teardown_rsa_methods(void);
@@ -116,14 +116,14 @@ static const ENGINE_CMD_DEFN tpm2_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 };
-void tpm2_bind_key_to_engine(EVP_PKEY *pkey, void *data)
+void tpm2_bind_key_to_engine(ENGINE *e, EVP_PKEY *pkey, struct app_data *data)
 {
 	switch (EVP_PKEY_id(pkey)) {
 	case EVP_PKEY_RSA:
-		tpm2_bind_key_to_engine_rsa(pkey, data);
+		tpm2_bind_key_to_engine_rsa(e, pkey, data);
 		break;
 	case EVP_PKEY_EC:
-		tpm2_bind_key_to_engine_ecc(pkey, data);
+		tpm2_bind_key_to_engine_ecc(e, pkey, data);
 		break;
 	default:
 		break;
@@ -193,7 +193,7 @@ static int tpm2_engine_load_nvkey(ENGINE *e, EVP_PKEY **ppkey,
 	if (askauth)
 		app_data->auth = tpm2_get_auth(ui, "TPM NV Key Password: ", cb_data);
-	tpm2_bind_key_to_engine(pkey, app_data);
+	tpm2_bind_key_to_engine(e, pkey, app_data);
 out:
 	*ppkey = pkey;
@@ -241,7 +241,7 @@ static int tpm2_engine_load_key_core(ENGINE *e, EVP_PKEY **ppkey,
 	return 0;
 	if (!public_only)
-		tpm2_bind_key_to_engine(pkey, app_data);
+		tpm2_bind_key_to_engine(e, pkey, app_data);
 	*ppkey = pkey;
 	return 1;
diff --git a/tpm2-common.h b/tpm2-common.h
index bd90488..6380901 100644
--- a/tpm2-common.h
+++ b/tpm2-common.h
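Review bot: The new `ENGINE *e` parameter changes the contract of tpm2_bind_key_to_engine and of the two per-type binders, yet none of the three prototypes says that a successfully bound key now holds a functional reference on `e` until its ex_data free callback runs; a one-line comment above the dispatcher, `/* a bound key holds a functional reference on e, released in the key's ex_data free callback */`, would make the ENGINE_init/ENGINE_finish pairing visible where callers look. The `default:` arm leaves `data->e` unset for key types the switch does not handle, and the `public_only` path in tpm2_engine_load_key_core skips binding entirely, so any teardown path reachable for those keys must tolerate a NULL engine pointer; whether one is reachable is outside these hunks. The e_tpm2-rsa.h and e_tpm2-ecc.h prototypes now name `ENGINE` and `struct app_data`, which presumes openssl/engine.h and tpm2-common.h are included ahead of them, and those includes are not in view. Note also that the `diff --git` header for e_tpm2.c does not appear on this page, so the `@@ -116` hunk and the two that follow it are rendered under e_tpm2-rsa.h.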
@@ -40,6 +40,7 @@ struct app_data {
 	int num_commands;
 	unsigned int name_alg;
 	struct policy_command *commands;
+	ENGINE *e;
 };
 void tpm2_error(TPM_RC rc, const char *reason);
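Review bot: The new `ENGINE *e` member of struct app_data carries no comment on ownership, and since this pointer is what the key's free callback hands to ENGINE_finish(), a reader cannot tell from the header who takes the reference or who drops it; a short comment, `/* engine the key is bound to; functional reference taken at bind time, released by the key's ex_data free callback; NULL if never bound */`, would capture that. The "NULL if never bound" part matters because app_data is also used for keys that are never bound (the public_only path in e_tpm2.c), so the allocation site, outside this hunk, must leave the field zeroed, presumably via calloc but not visible here. The header also needs `ENGINE` declared before this struct; no include change to tpm2-common.h is in the diff, so it likely relies on the typedef reaching it through an OpenSSL header already included.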