Use accessors for ASN1_STRING values

OpenSSL is going to make ASN1_STRING opaque. The accessors
in question have been around in OpenSSL for a very long time.

(see openssl/openssl#29117)

Author: bob-beck

src/encoder.c

@@ -451,8 +451,8 @@ static int p11prov_print_pkeyinfo(CK_ATTRIBUTE *pkeyinfo, BIO *out)
             }
         } else if (ptype == V_ASN1_SEQUENCE) {
             const ASN1_STRING *pstr = pval;
-            const unsigned char *pm = pstr->data;
-            int pmlen = pstr->length;
+            const unsigned char *pm = ASN1_STRING_get0_data(pstr);
+            int pmlen = ASN1_STRING_length(pstr);
             EC_GROUP *group;
 
             group = d2i_ECPKParameters(NULL, &pm, pmlen);
@@ -1054,6 +1054,7 @@ static int p11prov_ec_set_keypoint_data(const OSSL_PARAM *params, void *key)
         keypoint->curve_type = V_ASN1_OBJECT;
     } else {
         EC_GROUP *group = EC_GROUP_new_from_params(params, NULL, NULL);
+        int len = 0;
         if (!group) {
             return RET_OSSL_ERR;
         }
@@ -1063,12 +1064,14 @@ static int p11prov_ec_set_keypoint_data(const OSSL_PARAM *params, void *key)
             EC_GROUP_free(group);
             return RET_OSSL_ERR;
         }
-        pstr->length = i2d_ECPKParameters(group, &pstr->data);
+        unsigned char *buf = NULL;
+        len = i2d_ECPKParameters(group, &buf);
         EC_GROUP_free(group);
-        if (pstr->length <= 0) {
-            ASN1_STRING_free(pstr);
+        if (len <= 0) {
+            OPENSSL_free(buf);
             return RET_OSSL_ERR;
         }
+        ASN1_STRING_set0(pstr, buf, len);
         keypoint->curve.sequence = pstr;
         keypoint->curve_type = V_ASN1_SEQUENCE;
     }

src/obj/keymgmt.c

@@ -332,12 +332,14 @@ CK_RV decode_ec_point(P11PROV_CTX *provctx, CK_KEY_TYPE key_type,
         }
     }
 
-    ec_point->data = octet->data;
-    ec_point->length = octet->length;
-
-    /* moved octet data, do not free it */
-    octet->data = NULL;
-    octet->length = 0;
+    ec_point->data =
+        OPENSSL_memdup(ASN1_STRING_get0_data(octet), ASN1_STRING_length(octet));
+    if (!ec_point->data) {
+        ret = CKR_HOST_MEMORY;
+        ec_point->length = 0;
+        goto done;
+    }
+    ec_point->length = ASN1_STRING_length(octet);
 
     ret = CKR_OK;
 done:
@@ -410,11 +412,11 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
                                             const void *pubkey,
                                             size_t pubkey_len)
 {
-    CK_RV rv;
+    CK_RV rv = CKR_GENERAL_ERROR;
     CK_ATTRIBUTE *pub;
     CK_ATTRIBUTE *ecpoint;
     CK_ATTRIBUTE new_pub;
-    ASN1_OCTET_STRING oct;
+    ASN1_OCTET_STRING *oct = NULL;
     unsigned char *der = NULL;
     int add_attrs = 0;
     int len;
@@ -427,7 +429,8 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
         /* not matching, error out */
         P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
                       "Cannot change public key of a token object");
-        return CKR_KEY_INDIGESTIBLE;
+        rv = CKR_KEY_INDIGESTIBLE;
+        goto done;
     }
 
     switch (key->data.key.type) {
@@ -440,15 +443,17 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
             /* check that this is a public key */
             P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
                           "Invalid Key type, not a public key");
-            return CKR_KEY_INDIGESTIBLE;
+            rv = CKR_KEY_INDIGESTIBLE;
+            goto done;
         }
         break;
     case CKK_EC_MONTGOMERY:
         break;
     default:
         P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
                       "Invalid Key type, not an EC/ED key");
-        return CKR_KEY_INDIGESTIBLE;
+        rv = CKR_KEY_INDIGESTIBLE;
+        goto done;
     }
 
     pub = p11prov_obj_get_attr(key, CKA_P11PROV_PUB_KEY);
@@ -467,7 +472,8 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
         if (!ptr) {
             P11PROV_raise(key->ctx, CKR_HOST_MEMORY,
                           "Failed to store key public key");
-            return CKR_HOST_MEMORY;
+            rv = CKR_HOST_MEMORY;
+            goto done;
         }
         key->attrs = ptr;
     }
@@ -495,24 +501,37 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
     new_pub.ulValueLen = (CK_ULONG)pubkey_len;
     rv = p11prov_copy_attr(pub, &new_pub);
     if (rv != CKR_OK) {
-        return rv;
+        goto done;
     }
 
-    oct.data = (unsigned char *)pubkey;
-    oct.length = (int)pubkey_len;
-    oct.flags = 0;
-
-    len = i2d_ASN1_OCTET_STRING(&oct, &der);
+    oct = ASN1_OCTET_STRING_new();
+    if (!oct) {
+        rv = CKR_HOST_MEMORY;
+        goto done;
+    }
+    if (!ASN1_STRING_set(oct, pubkey, pubkey_len)) {
+        rv = CKR_HOST_MEMORY;
+        goto done;
+    }
+    len = i2d_ASN1_OCTET_STRING(oct, &der);
     if (len < 0) {
         P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
                       "Failure to encode EC point to DER");
-        return CKR_KEY_INDIGESTIBLE;
+        rv = CKR_KEY_INDIGESTIBLE;
+        goto done;
     }
     ecpoint->type = CKA_EC_POINT;
     ecpoint->pValue = der;
+    der = NULL;
     ecpoint->ulValueLen = len;
 
-    return CKR_OK;
+    rv = CKR_OK;
+
+done:
+    ASN1_OCTET_STRING_free(oct);
+    OPENSSL_free(der);
+
+    return rv;
 }
 
 static int cmp_bn_attr(P11PROV_OBJ *key1, P11PROV_OBJ *key2,

src/obj/store.c

@@ -703,43 +703,54 @@ CK_RV p11prov_obj_copy_key_data(P11PROV_OBJ *dst, P11PROV_OBJ *src)
 
 static CK_RV fix_ec_key_import(P11PROV_OBJ *key, int allocattrs)
 {
+    CK_RV ret = CKR_GENERAL_ERROR;
     CK_ATTRIBUTE *pub;
-    ASN1_OCTET_STRING oct;
+    ASN1_OCTET_STRING *oct = NULL;
     unsigned char *der = NULL;
     int len;
 
     if (key->numattrs >= allocattrs) {
-        P11PROV_raise(key->ctx, CKR_GENERAL_ERROR,
-                      "Too many attributes?? %d >= %d", key->numattrs,
-                      allocattrs);
-        return CKR_GENERAL_ERROR;
+        P11PROV_raise(key->ctx, ret, "Too many attributes?? %d >= %d",
+                      key->numattrs, allocattrs);
+        goto done;
     }
 
     pub = p11prov_obj_get_attr(key, CKA_P11PROV_PUB_KEY);
     if (!pub) {
-        P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, "No public key found");
-        return CKR_KEY_INDIGESTIBLE;
+        ret = CKR_KEY_INDIGESTIBLE;
+        P11PROV_raise(key->ctx, ret, "No public key found");
+        goto done;
     }
 
-    oct.data = pub->pValue;
-    oct.length = pub->ulValueLen;
-    oct.flags = 0;
-
+    oct = ASN1_OCTET_STRING_new();
+    if (!oct) {
+        goto done;
+    }
+    if (!ASN1_STRING_set(oct, pub->pValue, pub->ulValueLen)) {
+        goto done;
+    }
     /* FIXME: should we set just bytes for Edwards and Montgomery keys? */
-    len = i2d_ASN1_OCTET_STRING(&oct, &der);
+    len = i2d_ASN1_OCTET_STRING(oct, &der);
     if (len < 0) {
-        P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
-                      "Failure to encode EC point to DER");
-        return CKR_KEY_INDIGESTIBLE;
+        ret = CKR_KEY_INDIGESTIBLE;
+        P11PROV_raise(key->ctx, ret, "Failure to encode EC point to DER");
+        goto done;
     }
     key->attrs[key->numattrs].type = CKA_EC_POINT;
     key->attrs[key->numattrs].pValue = der;
+    der = NULL;
     key->attrs[key->numattrs].ulValueLen = len;
     key->numattrs++;
 
     P11PROV_debug("fixing EC key %p import", key);
 
-    return CKR_OK;
+    ret = CKR_OK;
+
+done:
+    OPENSSL_free(der);
+    ASN1_OCTET_STRING_free(oct);
+
+    return ret;
 }
 
 static CK_RV p11prov_obj_import_public_key(P11PROV_OBJ *key,