Switch to BoringSSL.

net/android/keystore_openssl.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/android/keystore_openssl.h"
 
 #include <jni.h>
 #include <openssl/bn.h>
-// This include is required to get the ECDSA_METHOD structure definition
-// which isn't currently part of the OpenSSL official ABI. This should
-// not be a concern for Chromium which always links against its own
-// version of the library on Android.
-#include <openssl/crypto/ecdsa/ecs_locl.h>
-// And this one is needed for the EC_GROUP definition.
-#include <openssl/crypto/ec/ec_lcl.h>
+#include <openssl/err.h>
 #include <openssl/dsa.h>
 #include <openssl/ec.h>
 #include <openssl/engine.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
 #include "base/android/build_info.h"
 #include "base/android/jni_android.h"
 #include "base/android/scoped_java_ref.h"
 #include "base/basictypes.h"
@@ skipping 27 matching lines @@
 // For example, the RSA_sign() function will call "method->rsa_sign()" if
 // method->rsa_sign is not NULL, otherwise, it will perform a regular
 // signing operation using the other fields in the RSA structure (which
 // are used to hold the typical modulus / exponent / parameters for the
 // key pair).
 //
 // This source file thus defines a custom RSA_METHOD structure whose
 // fields point to static methods used to implement the corresponding
 // RSA operation using platform Android APIs.
 //
-// However, the platform APIs require a jobject JNI reference to work.
-// It must be stored in the RSA instance, or made accessible when the
-// custom RSA methods are called. This is done by using RSA_set_app_data()
-// and RSA_get_app_data().
-//
-// One can thus _directly_ create a new EVP_PKEY that uses a custom RSA
-// object with the following:
-//
-//    RSA* rsa = RSA_new()
-//    RSA_set_method(&custom_rsa_method);
-//    RSA_set_app_data(rsa, jni_private_key);
-//
-//    EVP_PKEY* pkey = EVP_PKEY_new();
-//    EVP_PKEY_assign_RSA(pkey, rsa);
-//
-// Note that because EVP_PKEY_assign_RSA() is used, instead of
-// EVP_PKEY_set1_RSA(), the new EVP_PKEY now owns the RSA object, and
-// will destroy it when it is itself destroyed.
-//
-// Unfortunately, such objects cannot be used with RSA_size(), which
-// totally ignores the RSA_METHOD pointers. Instead, it is necessary
-// to manually setup the modulus field (n) in the RSA object, with a
-// value that matches the wrapped PrivateKey object. See GetRsaPkeyWrapper
-// for full details.
-//
-// Similarly, custom DSA_METHOD and ECDSA_METHOD are defined by this source
-// file, and appropriate field setups are performed to ensure that
-// DSA_size() and ECDSA_size() work properly with the wrapper EVP_PKEY.
-//
-// Note that there is no need to define an OpenSSL ENGINE here. These
-// are objects that can be used to expose custom methods (i.e. either
-// RSA_METHOD, DSA_METHOD, ECDSA_METHOD, and a large number of other ones
-// for types not related to this source file), and make them used by
-// default for a lot of operations. Very fortunately, this is not needed
-// here, which saves a lot of complexity.
+// However, the platform APIs require a jobject JNI reference to work. It must
+// be stored in the RSA instance, or made accessible when the custom RSA
+// methods are called. This is done by storing it in a |KeyExData| structure
+// that's referenced by the key using |EX_DATA|.
 
 using base::android::ScopedJavaGlobalRef;
 using base::android::ScopedJavaLocalRef;
 
 namespace net {
 namespace android {
 
 namespace {
 
-typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type ScopedEC_GROUP;
+extern const RSA_METHOD android_rsa_method;
+extern const DSA_METHOD android_dsa_method;
+extern const ECDSA_METHOD android_ecdsa_method;
 
-// Custom RSA_METHOD that uses the platform APIs.
-// Note that for now, only signing through RSA_sign() is really supported.
-// all other method pointers are either stubs returning errors, or no-ops.
-// See <openssl/rsa.h> for exact declaration of RSA_METHOD.
-
-struct RsaAppData {
+// KeyExData contains the data that is contained in the EX_DATA of the RSA, DSA
+// and ECDSA objects that are created to wrap Android system keys.
+struct KeyExData {
+  // private_key contains a reference to a Java, private-key object.
   jobject private_key;
+  // legacy_rsa, if not NULL, points to an RSA* in the system's OpenSSL (which
+  // might not be ABI compatible with Chromium).
   AndroidRSA* legacy_rsa;
 };
 
-int RsaMethodPubEnc(int flen,
-                    const unsigned char* from,
-                    unsigned char* to,
-                    RSA* rsa,
-                    int padding) {
-  NOTIMPLEMENTED();
-  RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
-  return -1;
+// ExDataDup is called when one of the RSA, DSA or EC_KEY objects is
+// duplicated. We don't support this and it should never happen.
+int ExDataDup(CRYPTO_EX_DATA* to,
+              const CRYPTO_EX_DATA* from,
+              void** from_d,
+              int index,
+              long argl,
+              void* argp) {
+  CHECK(false);
+  return 0;
 }
 
-int RsaMethodPubDec(int flen,
-                    const unsigned char* from,
-                    unsigned char* to,
-                    RSA* rsa,
-                    int padding) {
-  NOTIMPLEMENTED();
-  RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
-  return -1;
+// ExDataFree is called when one of the RSA, DSA or EC_KEY object is freed.
+void ExDataFree(void* parent,
+                void* ptr,
+                CRYPTO_EX_DATA* ad,
+                int index,
+                long argl,
+                void* argp) {
+  // Ensure the global JNI reference created with this wrapper is
+  // properly destroyed with it.
+  KeyExData *ex_data = reinterpret_cast<KeyExData*>(ptr);
+  if (ex_data != NULL) {
+    ReleaseKey(ex_data->private_key);
+    delete ex_data;
+  }
 }
 
-// See RSA_eay_private_encrypt in
-// third_party/openssl/openssl/crypto/rsa/rsa_eay.c for the default
-// implementation of this function.
-int RsaMethodPrivEnc(int flen,
-                     const unsigned char *from,
-                     unsigned char *to,
-                     RSA *rsa,
+// BoringSSLEngine is a BoringSSL ENGINE that implements RSA, DSA and ECDSA by
+// forwarding the requested operations to the Java libraries.
+class BoringSSLEngine {
+ public:
+  BoringSSLEngine()
+      : rsa_index_(RSA_get_ex_new_index(0 /* argl */,
+                                        NULL /* argp */,
+                                        NULL /* new_func */,
+                                        ExDataDup,
+                                        ExDataFree)),
+        dsa_index_(DSA_get_ex_new_index(0 /* argl */,
+                                        NULL /* argp */,
+                                        NULL /* new_func */,
+                                        ExDataDup,
+                                        ExDataFree)),
+        ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */,
+                                              NULL /* argp */,
+                                              NULL /* new_func */,
+                                              ExDataDup,
+                                              ExDataFree)),
+        engine_(ENGINE_new()) {
+    ENGINE_set_RSA_method(
+        engine_, &android_rsa_method, sizeof(android_rsa_method));
+    ENGINE_set_DSA_method(
+        engine_, &android_dsa_method, sizeof(android_dsa_method));
+    ENGINE_set_ECDSA_method(
+        engine_, &android_ecdsa_method, sizeof(android_ecdsa_method));
+  }
+
+  int rsa_ex_index() const { return rsa_index_; }
+  int dsa_ex_index() const { return dsa_index_; }
+  int ec_key_ex_index() const { return ec_key_index_; }
+
+  const ENGINE* engine() const { return engine_; }
+
+ private:
+  const int rsa_index_;
+  const int dsa_index_;
+  const int ec_key_index_;
+  ENGINE* const engine_;
+};
+
+base::LazyInstance<BoringSSLEngine>::Leaky global_boringssl_engine =
+    LAZY_INSTANCE_INITIALIZER;
+
+KeyExData* RsaGetExData(const RSA* rsa) {
+  return reinterpret_cast<KeyExData*>(
+      RSA_get_ex_data(rsa, global_boringssl_engine.Get().rsa_ex_index()));
+}
+
+size_t RsaMethodSize(const RSA *rsa) {
+  const KeyExData *ex_data = RsaGetExData(rsa);
+
+  std::vector<uint8> modulus;
+  if (!GetRSAKeyModulus(ex_data->private_key, &modulus)) {
+    LOG(ERROR) << "Failed to get private key modulus";
+    return false;
+  }
+
+  size_t size = modulus.size();
+  // Ignore any leading zero bytes.
+  for (size_t i = 0; i < modulus.size() && modulus[i] == 0; i++) {
+    size--;
+  }
+  return size;
+}
+
+int RsaMethodEncrypt(RSA* rsa,
+                     size_t* out_len,
+                     uint8_t* out,
+                     size_t max_out,
+                     const uint8_t* in,
+                     size_t in_len,
+                     int padding) {
+  NOTIMPLEMENTED();
+  OPENSSL_PUT_ERROR(RSA, encrypt, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+  return 1;
+}
+
+int RsaMethodSignRaw(RSA* rsa,
+                     size_t* out_len,
+                     uint8_t* out,
+                     size_t max_out,
+                     const uint8_t* in,
+                     size_t in_len,
                      int padding) {
   DCHECK_EQ(RSA_PKCS1_PADDING, padding);
   if (padding != RSA_PKCS1_PADDING) {
     // TODO(davidben): If we need to, we can implement RSA_NO_PADDING
     // by using javax.crypto.Cipher and picking either the
     // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as
     // appropriate. I believe support for both of these was added in
     // the same Android version as the "NONEwithRSA"
     // java.security.Signature algorithm, so the same version checks
     // for GetRsaLegacyKey should work.
-    RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
-    return -1;
+    OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+    return 0;
   }
 
   // Retrieve private key JNI reference.
-  RsaAppData* app_data = static_cast<RsaAppData*>(RSA_get_app_data(rsa));
-  if (!app_data || !app_data->private_key) {
+  const KeyExData *ex_data = RsaGetExData(rsa);
+  if (!ex_data || !ex_data->private_key) {
     LOG(WARNING) << "Null JNI reference passed to RsaMethodPrivEnc!";
-    RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
-    return -1;
+    OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
+    return 0;
   }
 
   // Pre-4.2 legacy codepath.
-  if (app_data->legacy_rsa) {
-    int ret = app_data->legacy_rsa->meth->rsa_priv_enc(
-        flen, from, to, app_data->legacy_rsa, ANDROID_RSA_PKCS1_PADDING);
+  if (ex_data->legacy_rsa) {
+    int ret = ex_data->legacy_rsa->meth->rsa_priv_enc(
+        in_len, in, out, ex_data->legacy_rsa, ANDROID_RSA_PKCS1_PADDING);
     if (ret < 0) {
       LOG(WARNING) << "Could not sign message in RsaMethodPrivEnc!";
       // System OpenSSL will use a separate error queue, so it is still
       // necessary to push a new error.
       //
       // TODO(davidben): It would be good to also clear the system error queue
       // if there were some way to convince Java to do it. (Without going
       // through Java, it's difficult to get a handle on a system OpenSSL
       // function; dlopen loads a second copy.)
-      RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
-      return -1;
+      OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
+      return 0;
     }
-    return ret;
+    *out_len = ret;
+    return 1;
   }
 
-  base::StringPiece from_piece(reinterpret_cast<const char*>(from), flen);
+  base::StringPiece from_piece(reinterpret_cast<const char*>(in), in_len);
   std::vector<uint8> result;
   // For RSA keys, this function behaves as RSA_private_encrypt with
   // PKCS#1 padding.
-  if (!RawSignDigestWithPrivateKey(app_data->private_key,
-                                   from_piece, &result)) {
+  if (!RawSignDigestWithPrivateKey(ex_data->private_key, from_piece, &result)) {
     LOG(WARNING) << "Could not sign message in RsaMethodPrivEnc!";
-    RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
-    return -1;
+    OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
+    return 0;
   }
 
   size_t expected_size = static_cast<size_t>(RSA_size(rsa));
   if (result.size() > expected_size) {
     LOG(ERROR) << "RSA Signature size mismatch, actual: "
                <<  result.size() << ", expected <= " << expected_size;
-    RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
-    return -1;
+    OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  if (max_out < expected_size) {
+    OPENSSL_PUT_ERROR(RSA, sign_raw, RSA_R_DATA_TOO_LARGE);
+    return 0;
   }
 
   // Copy result to OpenSSL-provided buffer. RawSignDigestWithPrivateKey
   // should pad with leading 0s, but if it doesn't, pad the result.
   size_t zero_pad = expected_size - result.size();
-  memset(to, 0, zero_pad);
-  memcpy(to + zero_pad, &result[0], result.size());
+  memset(out, 0, zero_pad);
+  memcpy(out + zero_pad, &result[0], result.size());
+  *out_len = expected_size;
 
-  return expected_size;
+  return 1;
 }
 
-int RsaMethodPrivDec(int flen,
-                     const unsigned char* from,
-                     unsigned char* to,
-                     RSA* rsa,
+int RsaMethodDecrypt(RSA* rsa,
+                     size_t* out_len,
+                     uint8_t* out,
+                     size_t max_out,
+                     const uint8_t* in,
+                     size_t in_len,
                      int padding) {
   NOTIMPLEMENTED();
-  RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
-  return -1;
+  OPENSSL_PUT_ERROR(RSA, decrypt, RSA_R_UNKNOWN_PADDING_TYPE);
+  return 1;
 }
 
-int RsaMethodInit(RSA* rsa) {
-  return 0;
-}
-
-int RsaMethodFinish(RSA* rsa) {
-  // Ensure the global JNI reference created with this wrapper is
-  // properly destroyed with it.
-  RsaAppData* app_data = static_cast<RsaAppData*>(RSA_get_app_data(rsa));
-  if (app_data != NULL) {
-    RSA_set_app_data(rsa, NULL);
-    ReleaseKey(app_data->private_key);
-    delete app_data;
-  }
-  // Actual return value is ignored by OpenSSL. There are no docs
-  // explaining what this is supposed to be.
-  return 0;
+int RsaMethodVerifyRaw(RSA* rsa,
+                       size_t* out_len,
+                       uint8_t* out,
+                       size_t max_out,
+                       const uint8_t* in,
+                       size_t in_len,
+                       int padding) {
+  NOTIMPLEMENTED();
+  OPENSSL_PUT_ERROR(RSA, verify_raw, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+  return 1;
 }
 
 const RSA_METHOD android_rsa_method = {
-  /* .name = */ "Android signing-only RSA method",
-  /* .rsa_pub_enc = */ RsaMethodPubEnc,
-  /* .rsa_pub_dec = */ RsaMethodPubDec,
-  /* .rsa_priv_enc = */ RsaMethodPrivEnc,
-  /* .rsa_priv_dec = */ RsaMethodPrivDec,
-  /* .rsa_mod_exp = */ NULL,
-  /* .bn_mod_exp = */ NULL,
-  /* .init = */ RsaMethodInit,
-  /* .finish = */ RsaMethodFinish,
-  // This flag is necessary to tell OpenSSL to avoid checking the content
-  // (i.e. internal fields) of the private key. Otherwise, it will complain
-  // it's not valid for the certificate.
-  /* .flags = */ RSA_METHOD_FLAG_NO_CHECK,
-  /* .app_data = */ NULL,
-  /* .rsa_sign = */ NULL,
-  /* .rsa_verify = */ NULL,
-  /* .rsa_keygen = */ NULL,
+    {
+     0 /* references */,
+     1 /* is_static */
+    } /* common */,
+    NULL /* app_data */,
+
+    NULL /* init */,
+    NULL /* finish */,
+    RsaMethodSize,
+    NULL /* sign */,
+    NULL /* verify */,
+    RsaMethodEncrypt,
+    RsaMethodSignRaw,
+    RsaMethodDecrypt,
+    RsaMethodVerifyRaw,
+    NULL /* mod_exp */,
+    NULL /* bn_mod_exp */,
+    0 /* flags */,
+    NULL /* keygen */,
 };
 
-// Copy the contents of an encoded big integer into an existing BIGNUM.
-// This function modifies |*num| in-place.
-// |new_bytes| is the byte encoding of the new value.
-// |num| points to the BIGNUM which will be assigned with the new value.
-// Returns true on success, false otherwise. On failure, |*num| is
-// not modified.
-bool CopyBigNumFromBytes(const std::vector<uint8>& new_bytes,
-                         BIGNUM* num) {
-  BIGNUM* ret = BN_bin2bn(
-      reinterpret_cast<const unsigned char*>(&new_bytes[0]),
-      static_cast<int>(new_bytes.size()),
-      num);
-  return (ret != NULL);
-}
-
-// Decode the contents of an encoded big integer and either create a new
-// BIGNUM object (if |*num_ptr| is NULL on input) or copy it (if
-// |*num_ptr| is not NULL).
-// |new_bytes| is the byte encoding of the new value.
-// |num_ptr| is the address of a BIGNUM pointer. |*num_ptr| can be NULL.
-// Returns true on success, false otherwise. On failure, |*num_ptr| is
-// not modified. On success, |*num_ptr| will always be non-NULL and
-// point to a valid BIGNUM object.
-bool SwapBigNumPtrFromBytes(const std::vector<uint8>& new_bytes,
-                            BIGNUM** num_ptr) {
-  BIGNUM* old_num = *num_ptr;
-  BIGNUM* new_num = BN_bin2bn(
-      reinterpret_cast<const unsigned char*>(&new_bytes[0]),
-      static_cast<int>(new_bytes.size()),
-      old_num);
-  if (new_num == NULL)
-    return false;
-
-  if (old_num == NULL)
-    *num_ptr = new_num;
-  return true;
-}
-
 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
 // |private_key| is the JNI reference (local or global) to the object.
 // |legacy_rsa|, if non-NULL, is a pointer to the system OpenSSL RSA object
 // backing |private_key|. This parameter is only used for Android < 4.2 to
 // implement key operations not exposed by the platform.
 // |pkey| is the EVP_PKEY to setup as a wrapper.
 // Returns true on success, false otherwise.
 // On success, this creates a new global JNI reference to the object
 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
 // free |private_key| after the call.
 bool GetRsaPkeyWrapper(jobject private_key,
                        AndroidRSA* legacy_rsa,
                        EVP_PKEY* pkey) {
-  crypto::ScopedRSA rsa(RSA_new());
-  RSA_set_method(rsa.get(), &android_rsa_method);
-
-  // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that
-  // it will return the right value, set the 'n' field of the RSA object
-  // to match the private key's modulus.
-  //
-  // TODO(davidben): After switching to BoringSSL, consider making RSA_size call
-  // into an RSA_METHOD hook.
-  std::vector<uint8> modulus;
-  if (!GetRSAKeyModulus(private_key, &modulus)) {
-    LOG(ERROR) << "Failed to get private key modulus";
-    return false;
-  }
-  if (!SwapBigNumPtrFromBytes(modulus, &rsa.get()->n)) {
-    LOG(ERROR) << "Failed to decode private key modulus";
-    return false;
-  }
+  crypto::ScopedRSA rsa(
+      RSA_new_method(global_boringssl_engine.Get().engine()));
 
   ScopedJavaGlobalRef<jobject> global_key;
   global_key.Reset(NULL, private_key);
   if (global_key.is_null()) {
     LOG(ERROR) << "Could not create global JNI reference";
     return false;
   }
-  RsaAppData* app_data = new RsaAppData();
-  app_data->private_key = global_key.Release();
-  app_data->legacy_rsa = legacy_rsa;
-  RSA_set_app_data(rsa.get(), app_data);
+  KeyExData* ex_data = new KeyExData;
+  ex_data->private_key = global_key.Release();
+  ex_data->legacy_rsa = legacy_rsa;
+  RSA_set_ex_data(
+      rsa.get(), global_boringssl_engine.Get().rsa_ex_index(), ex_data);
   EVP_PKEY_assign_RSA(pkey, rsa.release());
   return true;
 }
 
 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not
 // added to the global engine list. If all references to it are dropped, OpenSSL
 // will dlclose the module, leaving a dangling function pointer in the RSA
 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the
 // ENGINE we extract in GetRsaLegacyKey.
 //
@@ skipping 38 matching lines @@
   if (sys_pkey != NULL) {
     if (sys_pkey->type != ANDROID_EVP_PKEY_RSA) {
       LOG(ERROR) << "Private key has wrong type!";
       return NULL;
     }
 
     AndroidRSA* sys_rsa = sys_pkey->pkey.rsa;
     if (sys_rsa->engine) {
       // |private_key| may not have an engine if the PrivateKey did not come
       // from the key store, such as in unit tests.
-      if (!strcmp(sys_rsa->engine->id, "keystore")) {
+      if (strcmp(sys_rsa->engine->id, "keystore") == 0) {
         LeakEngine(private_key);
       } else {
         NOTREACHED();
       }
     }
 
     crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
     if (!GetRsaPkeyWrapper(private_key, sys_rsa, pkey.get()))
       return NULL;
     return pkey.release();
@@ skipping 16 matching lines @@
     LOG(ERROR) << "Can't convert private key data!";
     return NULL;
   }
   return pkey;
 }
 
 // Custom DSA_METHOD that uses the platform APIs.
 // Note that for now, only signing through DSA_sign() is really supported.
 // all other method pointers are either stubs returning errors, or no-ops.
 // See <openssl/dsa.h> for exact declaration of DSA_METHOD.
-//
-// Note: There is no DSA_set_app_data() and DSA_get_app_data() functions,
-//       but RSA_set_app_data() is defined as a simple macro that calls
-//       RSA_set_ex_data() with a hard-coded index of 0, so this code
-//       does the same thing here.
 
-DSA_SIG* DsaMethodDoSign(const unsigned char* dgst,
-                         int dlen,
-                         DSA* dsa) {
-  // Extract the JNI reference to the PrivateKey object.
-  jobject private_key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa, 0));
+jobject DsaGetKey(const DSA *dsa) {
+  KeyExData* ex_data = reinterpret_cast<KeyExData*>(
+      DSA_get_ex_data(dsa, global_boringssl_engine.Get().dsa_ex_index()));
+  return ex_data->private_key;
+}
+
+DSA_SIG* DsaMethodSign(const uint8_t* digest, size_t digest_len, DSA* dsa) {
+  jobject private_key = DsaGetKey(dsa);
   if (private_key == NULL)
     return NULL;
 
   // Sign the message with it, calling platform APIs.
   std::vector<uint8> signature;
   if (!RawSignDigestWithPrivateKey(
           private_key,
-          base::StringPiece(
-              reinterpret_cast<const char*>(dgst),
-              static_cast<size_t>(dlen)),
+          base::StringPiece(reinterpret_cast<const char*>(digest), digest_len),
           &signature)) {
     return NULL;
   }
 
   // Note: With DSA, the actual signature might be smaller than DSA_size().
   size_t max_expected_size = static_cast<size_t>(DSA_size(dsa));
   if (signature.size() > max_expected_size) {
     LOG(ERROR) << "DSA Signature size mismatch, actual: "
                << signature.size() << ", expected <= "
                << max_expected_size;
     return NULL;
   }
 
   // Convert the signature into a DSA_SIG object.
   const unsigned char* sigbuf =
       reinterpret_cast<const unsigned char*>(&signature[0]);
   int siglen = static_cast<size_t>(signature.size());
   DSA_SIG* dsa_sig = d2i_DSA_SIG(NULL, &sigbuf, siglen);
   return dsa_sig;
 }
 
-int DsaMethodSignSetup(DSA* dsa,
+int DsaMethodSignSetup(const DSA* dsa,
                        BN_CTX* ctx_in,
                        BIGNUM** kinvp,
-                       BIGNUM** rp) {
+                       BIGNUM** rp,
+                       const uint8_t* digest,
+                       size_t digest_len) {
   NOTIMPLEMENTED();
-  DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_DIGEST_TYPE);
-  return -1;
+  OPENSSL_PUT_ERROR(DSA, sign_setup, DSA_R_MISSING_PARAMETERS);
+  return 0;
 }
 
-int DsaMethodDoVerify(const unsigned char* dgst,
-                      int dgst_len,
-                      DSA_SIG* sig,
-                      DSA* dsa) {
+int DsaMethodVerify(int* out_valid,
+                    const uint8_t* digest,
+                    size_t digest_len,
+                    DSA_SIG* sig,
+                    const DSA* dsa) {
+  *out_valid = 0;
   NOTIMPLEMENTED();
-  DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_INVALID_DIGEST_TYPE);
-  return -1;
-}
-
-int DsaMethodFinish(DSA* dsa) {
-  // Free the global JNI reference that was created with this
-  // wrapper key.
-  jobject key = reinterpret_cast<jobject>(DSA_get_ex_data(dsa,0));
-  if (key != NULL) {
-    DSA_set_ex_data(dsa, 0, NULL);
-    ReleaseKey(key);
-  }
-  // Actual return value is ignored by OpenSSL. There are no docs
-  // explaining what this is supposed to be.
+  OPENSSL_PUT_ERROR(DSA, verify, DSA_R_MISSING_PARAMETERS);
   return 0;
 }
 
 const DSA_METHOD android_dsa_method = {
-  /* .name = */ "Android signing-only DSA method",
-  /* .dsa_do_sign = */ DsaMethodDoSign,
-  /* .dsa_sign_setup = */ DsaMethodSignSetup,
-  /* .dsa_do_verify = */ DsaMethodDoVerify,
-  /* .dsa_mod_exp = */ NULL,
-  /* .bn_mod_exp = */ NULL,
-  /* .init = */ NULL,  // nothing to do here.
-  /* .finish = */ DsaMethodFinish,
-  /* .flags = */ 0,
-  /* .app_data = */ NULL,
-  /* .dsa_paramgem = */ NULL,
-  /* .dsa_keygen = */ NULL
+    {
+     0 /* references */,
+     1 /* is_static */
+    } /* common */,
+    NULL /* app_data */,
+
+    NULL /* init */,
+    NULL /* finish */,
+    DsaMethodSign,
+    DsaMethodSignSetup,
+    DsaMethodVerify,
+    NULL /* generate_parameters */,
+    NULL /* keygen */,
 };
 
+// Decode the contents of an encoded big integer and either create a new
+// BIGNUM object (if |*num_ptr| is NULL on input) or copy it (if
+// |*num_ptr| is not NULL).
+// |new_bytes| is the byte encoding of the new value.
+// |num_ptr| is the address of a BIGNUM pointer. |*num_ptr| can be NULL.
+// Returns true on success, false otherwise. On failure, |*num_ptr| is
+// not modified. On success, |*num_ptr| will always be non-NULL and
+// point to a valid BIGNUM object.
+bool SwapBigNumPtrFromBytes(const std::vector<uint8>& new_bytes,
+                            BIGNUM** num_ptr) {
+  BIGNUM* old_num = *num_ptr;
+  BIGNUM* new_num = BN_bin2bn(
+      reinterpret_cast<const unsigned char*>(&new_bytes[0]),
+      static_cast<int>(new_bytes.size()),
+      old_num);
+  if (new_num == NULL)
+    return false;
+
+  if (old_num == NULL)
+    *num_ptr = new_num;
+  return true;
+}
+
 // Setup an EVP_PKEY to wrap an existing DSA platform PrivateKey object.
 // |private_key| is a JNI reference (local or global) to the object.
 // |pkey| is the EVP_PKEY to setup as a wrapper.
 // Returns true on success, false otherwise.
 // On success, this creates a global JNI reference to the same object
 // that will be owned by and destroyed with the EVP_PKEY.
 bool GetDsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) {
-  crypto::ScopedDSA dsa(DSA_new());
-  DSA_set_method(dsa.get(), &android_dsa_method);
+  crypto::ScopedDSA dsa(
+      DSA_new_method(global_boringssl_engine.Get().engine()));
 
   // DSA_size() doesn't work with custom DSA_METHODs. To ensure it
   // returns the right value, set the 'q' field in the DSA object to
   // match the parameter from the platform key.
   std::vector<uint8> q;
   if (!GetDSAKeyParamQ(private_key, &q)) {
     LOG(ERROR) << "Can't extract Q parameter from DSA private key";
     return false;
   }
   if (!SwapBigNumPtrFromBytes(q, &dsa.get()->q)) {
     LOG(ERROR) << "Can't decode Q parameter from DSA private key";
     return false;
   }
 
   ScopedJavaGlobalRef<jobject> global_key;
   global_key.Reset(NULL, private_key);
   if (global_key.is_null()) {
     LOG(ERROR) << "Could not create global JNI reference";
     return false;
   }
-  DSA_set_ex_data(dsa.get(), 0, global_key.Release());
+  KeyExData* ex_data = new KeyExData;
+  ex_data->private_key = global_key.Release();
+  ex_data->legacy_rsa = NULL;
+  DSA_set_ex_data(
+      dsa.get(), global_boringssl_engine.Get().dsa_ex_index(), ex_data);
   EVP_PKEY_assign_DSA(pkey, dsa.release());

[davidben, 2014/07/15 21:53:35]

This function will currently always fail, leaking a DSA and leaving the EVP_PKEY
uninitialized. Probably should either check the return value (maybe using
EVP_PKEY_set1_DSA(pkey, dsa.get()) to avoid the really awkward business where
EVP_PKEY_assign_* takes ownership of the parameter, but only if it succeeds) or
not call this code anywhere.

   return true;
 }
 
+
 // Custom ECDSA_METHOD that uses the platform APIs.
 // Note that for now, only signing through ECDSA_sign() is really supported.
 // all other method pointers are either stubs returning errors, or no-ops.
-//
-// Note: The ECDSA_METHOD structure doesn't have init/finish
-//       methods. As such, the only way to to ensure the global
-//       JNI reference is properly released when the EVP_PKEY is
-//       destroyed is to use a custom EX_DATA type.
 
-// Used to ensure that the global JNI reference associated with a custom
-// EC_KEY + ECDSA_METHOD wrapper is released when its EX_DATA is destroyed
-// (this function is called when EVP_PKEY_free() is called on the wrapper).
-void ExDataFree(void* parent,
-                void* ptr,
-                CRYPTO_EX_DATA* ad,
-                int idx,
-                long argl,
-                void* argp) {
-  jobject private_key = reinterpret_cast<jobject>(ptr);
-  if (private_key == NULL)
-    return;
-
-  CRYPTO_set_ex_data(ad, idx, NULL);
-  ReleaseKey(private_key);
+jobject EcKeyGetKey(const EC_KEY* ec_key) {
+  KeyExData* ex_data = reinterpret_cast<KeyExData*>(EC_KEY_get_ex_data(
+      ec_key, global_boringssl_engine.Get().ec_key_ex_index()));
+  return ex_data->private_key;
 }
 
-int ExDataDup(CRYPTO_EX_DATA* to,
-              CRYPTO_EX_DATA* from,
-              void* from_d,
-              int idx,
-              long argl,
-              void* argp) {
-  // This callback shall never be called with the current OpenSSL
-  // implementation (the library only ever duplicates EX_DATA items
-  // for SSL and BIO objects). But provide this to catch regressions
-  // in the future.
-  CHECK(false) << "ExDataDup was called for ECDSA custom key !?";
-  // Return value is currently ignored by OpenSSL.
-  return 0;
+size_t EcdsaMethodSize(const EC_KEY* key) {
+  jobject private_key = EcKeyGetKey(key);
+  std::vector<uint8> order;
+  if (!GetECKeyOrder(private_key, &order)) {
+    LOG(ERROR) << "Can't extract order parameter from EC private key";
+    return false;
+  }
+  return order.size();

[davidben, 2014/07/15 21:53:34]

The size hook is, as documented, supposed to return the maximum size of the
signature. I think this is why some of the ECDSA AndroidKeyStore tests are
failing. (Perhaps the hook should return this and BoringSSL internally convert
that to maximum signature size? Dunno. Otherwise we have to repeat DER size
calculations for each platform.)

 }
 
-class EcdsaExDataIndex {
-public:
-  int ex_data_index() { return ex_data_index_; }
-
-  EcdsaExDataIndex() {
-    ex_data_index_ = ECDSA_get_ex_new_index(0,           // argl
-                                            NULL,        // argp
-                                            NULL,        // new_func
-                                            ExDataDup,   // dup_func
-                                            ExDataFree); // free_func
-  }
-
-private:
-  int ex_data_index_;
-};
-
-// Returns the index of the custom EX_DATA used to store the JNI reference.
-int EcdsaGetExDataIndex(void) {
-  // Use a LazyInstance to perform thread-safe lazy initialization.
-  // Use a leaky one, since OpenSSL doesn't provide a way to release
-  // allocated EX_DATA indices.
-  static base::LazyInstance<EcdsaExDataIndex>::Leaky s_instance =
-      LAZY_INSTANCE_INITIALIZER;
-  return s_instance.Get().ex_data_index();
-}
-
-ECDSA_SIG* EcdsaMethodDoSign(const unsigned char* dgst,
-                             int dgst_len,
-                             const BIGNUM* inv,
-                             const BIGNUM* rp,
-                             EC_KEY* eckey) {
+int EcdsaMethodSign(const uint8_t* digest,
+                    size_t digest_len,
+                    uint8_t* sig,
+                    unsigned int* sig_len,
+                    EC_KEY* eckey) {
   // Retrieve private key JNI reference.
-  jobject private_key = reinterpret_cast<jobject>(
-      ECDSA_get_ex_data(eckey, EcdsaGetExDataIndex()));
+  jobject private_key = EcKeyGetKey(eckey);
   if (!private_key) {
-    LOG(WARNING) << "Null JNI reference passed to EcdsaMethodDoSign!";
-    return NULL;
+    LOG(WARNING) << "Null JNI reference passed to EcdsaMethodSign!";
+    return 0;
   }
   // Sign message with it through JNI.
   std::vector<uint8> signature;
-  base::StringPiece digest(
-      reinterpret_cast<const char*>(dgst),
-      static_cast<size_t>(dgst_len));
-  if (!RawSignDigestWithPrivateKey(
-          private_key, digest, &signature)) {
-    LOG(WARNING) << "Could not sign message in EcdsaMethodDoSign!";
-    return NULL;
+  base::StringPiece digest_sp(reinterpret_cast<const char*>(digest),
+                              digest_len);
+  if (!RawSignDigestWithPrivateKey(private_key, digest_sp, &signature)) {
+    LOG(WARNING) << "Could not sign message in EcdsaMethodSign!";
+    return 0;
   }
 
   // Note: With ECDSA, the actual signature may be smaller than
   // ECDSA_size().
-  size_t max_expected_size = static_cast<size_t>(ECDSA_size(eckey));
+  size_t max_expected_size = ECDSA_size(eckey);
   if (signature.size() > max_expected_size) {
     LOG(ERROR) << "ECDSA Signature size mismatch, actual: "
                <<  signature.size() << ", expected <= "
                << max_expected_size;
-    return NULL;
+    return 0;
   }
 
-  // Convert signature to ECDSA_SIG object
-  const unsigned char* sigbuf =
-      reinterpret_cast<const unsigned char*>(&signature[0]);
-  long siglen = static_cast<long>(signature.size());
-  return d2i_ECDSA_SIG(NULL, &sigbuf, siglen);
+  memcpy(sig, &signature[0], signature.size());
+  *sig_len = signature.size();
+  return 1;
 }
 
-int EcdsaMethodSignSetup(EC_KEY* eckey,
-                         BN_CTX* ctx,
-                         BIGNUM** kinv,
-                         BIGNUM** r) {
+int EcdsaMethodVerify(const uint8_t* digest,
+                      size_t digest_len,
+                      const uint8_t* sig,
+                      size_t sig_len,
+                      EC_KEY* eckey) {
   NOTIMPLEMENTED();
-  ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_ERR_EC_LIB);
-  return -1;
+  OPENSSL_PUT_ERROR(ECDSA, ECDSA_do_verify, ECDSA_R_NOT_IMPLEMENTED);
+  return 0;
 }
 
-int EcdsaMethodDoVerify(const unsigned char* dgst,
-                        int dgst_len,
-                        const ECDSA_SIG* sig,
-                        EC_KEY* eckey) {
-  NOTIMPLEMENTED();
-  ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_ERR_EC_LIB);
-  return -1;
-}
-
-const ECDSA_METHOD android_ecdsa_method = {
-  /* .name = */ "Android signing-only ECDSA method",
-  /* .ecdsa_do_sign = */ EcdsaMethodDoSign,
-  /* .ecdsa_sign_setup = */ EcdsaMethodSignSetup,
-  /* .ecdsa_do_verify = */ EcdsaMethodDoVerify,
-  /* .flags = */ 0,
-  /* .app_data = */ NULL,
-};
-
 // Setup an EVP_PKEY to wrap an existing platform PrivateKey object.
 // |private_key| is the JNI reference (local or global) to the object.
 // |pkey| is the EVP_PKEY to setup as a wrapper.
 // Returns true on success, false otherwise.
 // On success, this creates a global JNI reference to the object that
 // is owned by and destroyed with the EVP_PKEY. I.e. the caller shall
 // always free |private_key| after the call.
 bool GetEcdsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) {
-  crypto::ScopedEC_KEY eckey(EC_KEY_new());
-  ECDSA_set_method(eckey.get(), &android_ecdsa_method);
-
-  // To ensure that ECDSA_size() works properly, craft a custom EC_GROUP
-  // that has the same order than the private key.
-  std::vector<uint8> order;
-  if (!GetECKeyOrder(private_key, &order)) {
-    LOG(ERROR) << "Can't extract order parameter from EC private key";
-    return false;
-  }
-  ScopedEC_GROUP group(EC_GROUP_new(EC_GFp_nist_method()));
-  if (!group.get()) {
-    LOG(ERROR) << "Can't create new EC_GROUP";
-    return false;
-  }
-  if (!CopyBigNumFromBytes(order, &group.get()->order)) {
-    LOG(ERROR) << "Can't decode order from PrivateKey";
-    return false;
-  }
-  EC_KEY_set_group(eckey.get(), group.release());
+  crypto::ScopedEC_KEY eckey(
+      EC_KEY_new_method(global_boringssl_engine.Get().engine()));
 
   ScopedJavaGlobalRef<jobject> global_key;
   global_key.Reset(NULL, private_key);
   if (global_key.is_null()) {
     LOG(ERROR) << "Can't create global JNI reference";
     return false;
   }
-  ECDSA_set_ex_data(eckey.get(),
-                    EcdsaGetExDataIndex(),
-                    global_key.Release());
+
+  KeyExData* ex_data = new KeyExData;
+  ex_data->private_key = global_key.Release();
+  ex_data->legacy_rsa = NULL;
+
+  EC_KEY_set_ex_data(
+      eckey.get(), global_boringssl_engine.Get().ec_key_ex_index(), ex_data);
 
   EVP_PKEY_assign_EC_KEY(pkey, eckey.release());
   return true;
 }
 
+const ECDSA_METHOD android_ecdsa_method = {
+    {
+     0 /* references */,
+     1 /* is_static */
+    } /* common */,
+    NULL /* app_data */,
+
+    NULL /* init */,
+    NULL /* finish */,
+    EcdsaMethodSize,
+    EcdsaMethodSign,
+    EcdsaMethodVerify,
+};
+
 }  // namespace
 
 EVP_PKEY* GetOpenSSLPrivateKeyWrapper(jobject private_key) {
   // Create new empty EVP_PKEY instance.
   crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
   if (!pkey.get())
     return NULL;
 
   // Create sub key type, depending on private key's algorithm type.
   PrivateKeyType key_type = GetPrivateKeyType(private_key);
@@ skipping 29 matching lines @@
     default:
       LOG(WARNING)
           << "GetOpenSSLPrivateKeyWrapper() called with invalid key type";
       return NULL;
   }
   return pkey.release();
 }
 
 }  // namespace android
 }  // namespace net