switch to using pkey

crypto/s2n_rsa.c

@@ -52,9 +52,9 @@ static S2N_RESULT s2n_rsa_encrypted_size(const struct s2n_pkey *key, uint32_t *s
 
     const struct s2n_rsa_key *rsa_key = &key->key.rsa_key;
     RESULT_ENSURE_REF(rsa_key->rsa);
-    RESULT_GUARD(s2n_rsa_modulus_check(rsa_key->rsa));
+    RESULT_GUARD(s2n_rsa_modulus_check(EVP_PKEY_get0_RSA(rsa_key->rsa)));
 
-    const int size = RSA_size(rsa_key->rsa);
+    const int size = RSA_size(EVP_PKEY_get0_RSA(rsa_key->rsa));
     RESULT_GUARD_POSIX(size);
     *size_out = size;
 
@@ -98,7 +98,7 @@ static int s2n_rsa_encrypt(const struct s2n_pkey *pub, struct s2n_blob *in, stru
     S2N_ERROR_IF(out->size < size, S2N_ERR_NOMEM);
 
     const s2n_rsa_public_key *key = &pub->key.rsa_key;
-    int r = RSA_public_encrypt(in->size, ( unsigned char * )in->data, ( unsigned char * )out->data, key->rsa,
+    int r = RSA_public_encrypt(in->size, ( unsigned char * )in->data, ( unsigned char * )out->data, EVP_PKEY_get0_RSA(key->rsa),
                                RSA_PKCS1_PADDING);
     S2N_ERROR_IF(r != out->size, S2N_ERR_SIZE_MISMATCH);
 
@@ -118,7 +118,7 @@ static int s2n_rsa_decrypt(const struct s2n_pkey *priv, struct s2n_blob *in, str
     POSIX_GUARD_RESULT(s2n_get_public_random_data(out));
 
     const s2n_rsa_private_key *key = &priv->key.rsa_key;
-    int r = RSA_private_decrypt(in->size, ( unsigned char * )in->data, intermediate, key->rsa, RSA_NO_PADDING);
+    int r = RSA_private_decrypt(in->size, ( unsigned char * )in->data, intermediate, EVP_PKEY_get0_RSA(key->rsa), RSA_NO_PADDING);
     S2N_ERROR_IF(r != expected_size, S2N_ERR_SIZE_MISMATCH);
 
     s2n_constant_time_pkcs1_unpad_or_dont(out->data, intermediate, r, out->size);
@@ -150,11 +150,11 @@ static int s2n_rsa_keys_match(const struct s2n_pkey *pub, const struct s2n_pkey
 
 static int s2n_rsa_key_free(struct s2n_pkey *pkey)
 {
-    struct s2n_rsa_key *rsa_key = &pkey->key.rsa_key;
-    if (rsa_key->rsa == NULL) { return 0; }
+    /* struct s2n_rsa_key *rsa_key = &pkey->key.rsa_key; */
+    /* if (rsa_key->rsa == NULL) { return 0; } */
 
-    RSA_free(rsa_key->rsa);
-    rsa_key->rsa = NULL;
+    /* RSA_free(rsa_key->rsa); */
+    /* rsa_key->rsa = NULL; */
 
     return 0;
 }
@@ -168,19 +168,19 @@ static int s2n_rsa_check_key_exists(const struct s2n_pkey *pkey)
 
 int s2n_evp_pkey_to_rsa_public_key(s2n_rsa_public_key *rsa_key, EVP_PKEY *evp_public_key)
 {
-    RSA *rsa = EVP_PKEY_get1_RSA(evp_public_key);
-    S2N_ERROR_IF(rsa == NULL, S2N_ERR_DECODE_CERTIFICATE);
+    /* RSA *rsa = EVP_PKEY_get1_RSA(evp_public_key); */
+    /* S2N_ERROR_IF(rsa == NULL, S2N_ERR_DECODE_CERTIFICATE); */
 
-    rsa_key->rsa = rsa;
+    rsa_key->rsa = evp_public_key;
     return 0;
 }
 
 int s2n_evp_pkey_to_rsa_private_key(s2n_rsa_private_key *rsa_key, EVP_PKEY *evp_private_key)
 {
-    RSA *rsa = EVP_PKEY_get1_RSA(evp_private_key);
-    S2N_ERROR_IF(rsa == NULL, S2N_ERR_DECODE_PRIVATE_KEY);
+    /* RSA *rsa = EVP_PKEY_get1_RSA(evp_private_key); */
+    /* S2N_ERROR_IF(rsa == NULL, S2N_ERR_DECODE_PRIVATE_KEY); */
 
-    rsa_key->rsa = rsa;
+    rsa_key->rsa = evp_private_key;
     return 0;
 }
 

crypto/s2n_rsa.h

@@ -28,7 +28,8 @@
 struct s2n_pkey;
 
 struct s2n_rsa_key {
-    RSA *rsa;
+    /* RSA *rsa; */
+    EVP_PKEY *rsa;
 };
 
 typedef struct s2n_rsa_key s2n_rsa_public_key;

crypto/s2n_rsa_pss.c

@@ -52,7 +52,7 @@ static S2N_RESULT s2n_rsa_pss_size(const struct s2n_pkey *key, uint32_t *size_ou
     return S2N_RESULT_OK;
 }
 
-static int s2n_rsa_is_private_key(RSA *rsa_key)
+static int s2n_rsa_is_private_key(const RSA *rsa_key)
 {
     const BIGNUM *d = NULL;
     RSA_get0_key(rsa_key, NULL, NULL, &d);
@@ -70,7 +70,7 @@ int s2n_rsa_pss_key_sign(const struct s2n_pkey *priv, s2n_signature_algorithm si
     sig_alg_check(sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
 
     /* Not Possible to Sign with Public Key */
-    S2N_ERROR_IF(!s2n_rsa_is_private_key(priv->key.rsa_key.rsa), S2N_ERR_KEY_MISMATCH);
+    S2N_ERROR_IF(!s2n_rsa_is_private_key(EVP_PKEY_get0_RSA(priv->key.rsa_key.rsa)), S2N_ERR_KEY_MISMATCH);
 
     return s2n_rsa_pss_sign(priv, digest, signature_out);
 }
@@ -82,7 +82,7 @@ int s2n_rsa_pss_key_verify(const struct s2n_pkey *pub, s2n_signature_algorithm s
     sig_alg_check(sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
 
     /* Using Private Key to Verify means the public/private keys were likely swapped, and likely indicates a bug. */
-    S2N_ERROR_IF(s2n_rsa_is_private_key(pub->key.rsa_key.rsa), S2N_ERR_KEY_MISMATCH);
+    S2N_ERROR_IF(s2n_rsa_is_private_key(EVP_PKEY_get0_RSA(pub->key.rsa_key.rsa)), S2N_ERR_KEY_MISMATCH);
 
     return s2n_rsa_pss_verify(pub, digest, signature_in);
 }
@@ -144,8 +144,8 @@ static int s2n_rsa_validate_params_match(const struct s2n_pkey *pub, const struc
      *  - https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_get1_RSA.html
      *  - https://www.openssl.org/docs/manmaster/man3/RSA_get0_key.html
      */
-    RSA *pub_rsa_key = pub->key.rsa_key.rsa;
-    RSA *priv_rsa_key = priv->key.rsa_key.rsa;
+    const RSA *pub_rsa_key = EVP_PKEY_get0_RSA(pub->key.rsa_key.rsa);
+    const RSA *priv_rsa_key = EVP_PKEY_get0_RSA(priv->key.rsa_key.rsa);
 
     POSIX_ENSURE_REF(pub_rsa_key);
     POSIX_ENSURE_REF(priv_rsa_key);
@@ -173,31 +173,31 @@ static int s2n_rsa_pss_keys_match(const struct s2n_pkey *pub, const struct s2n_p
 
 static int s2n_rsa_pss_key_free(struct s2n_pkey *pkey)
 {
-    POSIX_ENSURE_REF(pkey);
-    struct s2n_rsa_key *rsa_key = &pkey->key.rsa_key;
-    if (rsa_key->rsa == NULL) {
-        return 0;
-    }
+    /* POSIX_ENSURE_REF(pkey); */
+    /* struct s2n_rsa_key *rsa_key = &pkey->key.rsa_key; */
+    /* if (rsa_key->rsa == NULL) { */
+    /*     return 0; */
+    /* } */
 
-    RSA_free(rsa_key->rsa);
-    rsa_key->rsa = NULL;
+    /* RSA_free(rsa_key->rsa); */
+    /* rsa_key->rsa = NULL; */
 
     return 0;
 }
 
 int s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey) {
-    RSA *pub_rsa_key = EVP_PKEY_get1_RSA(pkey);
-    POSIX_ENSURE_REF(pub_rsa_key);
+    /* RSA *pub_rsa_key = EVP_PKEY_get1_RSA(pkey); */
+    /* POSIX_ENSURE_REF(pub_rsa_key); */
 
-    S2N_ERROR_IF(s2n_rsa_is_private_key(pub_rsa_key), S2N_ERR_KEY_MISMATCH);
+    /* S2N_ERROR_IF(s2n_rsa_is_private_key(pub_rsa_key), S2N_ERR_KEY_MISMATCH); */
 
-    rsa_key->rsa = pub_rsa_key;
+    rsa_key->rsa = pkey;
     return 0;
 }
 
 int s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey)
 {
-    RSA *priv_rsa_key = EVP_PKEY_get1_RSA(pkey);
+    const RSA *priv_rsa_key = EVP_PKEY_get0_RSA(pkey);
     POSIX_ENSURE_REF(priv_rsa_key);
 
     /* Documentation: https://www.openssl.org/docs/man1.1.1/man3/RSA_check_key.html */
@@ -208,7 +208,7 @@ int s2n_evp_pkey_to_rsa_pss_private_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *p
      */
     POSIX_GUARD_OSSL(RSA_check_key(priv_rsa_key), S2N_ERR_KEY_CHECK);
 
-    rsa_key->rsa = priv_rsa_key;
+    rsa_key->rsa = pkey;
     return 0;
 }
 

crypto/s2n_rsa_signing.c

@@ -67,7 +67,7 @@ int s2n_rsa_pkcs1v15_sign_digest(const struct s2n_pkey *priv, s2n_hash_algorithm
     const s2n_rsa_private_key *key = &priv->key.rsa_key;
 
     unsigned int signature_size = signature->size;
-    POSIX_GUARD_OSSL(RSA_sign(NID_type, digest->data, digest->size, signature->data, &signature_size, key->rsa), S2N_ERR_SIGN);
+    POSIX_GUARD_OSSL(RSA_sign(NID_type, digest->data, digest->size, signature->data, &signature_size, EVP_PKEY_get0_RSA(key->rsa)), S2N_ERR_SIGN);
     POSIX_ENSURE(signature_size <= signature->size, S2N_ERR_SIZE_MISMATCH);
     signature->size = signature_size;
 
@@ -105,7 +105,7 @@ int s2n_rsa_pkcs1v15_verify(const struct s2n_pkey *pub, struct s2n_hash_state *d
     uint8_t digest_out[S2N_MAX_DIGEST_LEN];
     POSIX_GUARD(s2n_hash_digest(digest, digest_out, digest_length));
 
-    POSIX_GUARD_OSSL(RSA_verify(digest_NID_type, digest_out, digest_length, signature->data, signature->size, key->rsa), S2N_ERR_VERIFY_SIGNATURE);
+    POSIX_GUARD_OSSL(RSA_verify(digest_NID_type, digest_out, digest_length, signature->data, signature->size, EVP_PKEY_get0_RSA(key->rsa)), S2N_ERR_VERIFY_SIGNATURE);
 
     return 0;
 }