1 /*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdlib.h>
11 #include <string.h>
12 #include <assert.h>
13
14 /* We need to use some STORE deprecated APIs */
15 #define OPENSSL_SUPPRESS_DEPRECATED
16
17 #include "e_os.h"
18
19 #include <openssl/crypto.h>
20 #include <openssl/err.h>
21 #include <openssl/trace.h>
22 #include <openssl/core_names.h>
23 #include <openssl/provider.h>
24 #include <openssl/param_build.h>
25 #include <openssl/store.h>
26 #include "internal/thread_once.h"
27 #include "internal/cryptlib.h"
28 #include "internal/provider.h"
29 #include "internal/bio.h"
30 #include "crypto/store.h"
31 #include "store_local.h"
32
33 static int ossl_store_close_it(OSSL_STORE_CTX *ctx);
34
loader_set_params(OSSL_STORE_LOADER * loader,OSSL_STORE_LOADER_CTX * loader_ctx,const OSSL_PARAM params[],const char * propq)35 static int loader_set_params(OSSL_STORE_LOADER *loader,
36 OSSL_STORE_LOADER_CTX *loader_ctx,
37 const OSSL_PARAM params[], const char *propq)
38 {
39 if (params != NULL) {
40 if (!loader->p_set_ctx_params(loader_ctx, params))
41 return 0;
42 }
43
44 if (propq != NULL) {
45 OSSL_PARAM propp[2];
46
47 if (OSSL_PARAM_locate_const(params,
48 OSSL_STORE_PARAM_PROPERTIES) != NULL)
49 /* use the propq from params */
50 return 1;
51
52 propp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
53 (char *)propq, 0);
54 propp[1] = OSSL_PARAM_construct_end();
55
56 if (!loader->p_set_ctx_params(loader_ctx, propp))
57 return 0;
58 }
59 return 1;
60 }
61
62 OSSL_STORE_CTX *
OSSL_STORE_open_ex(const char * uri,OSSL_LIB_CTX * libctx,const char * propq,const UI_METHOD * ui_method,void * ui_data,const OSSL_PARAM params[],OSSL_STORE_post_process_info_fn post_process,void * post_process_data)63 OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
64 const UI_METHOD *ui_method, void *ui_data,
65 const OSSL_PARAM params[],
66 OSSL_STORE_post_process_info_fn post_process,
67 void *post_process_data)
68 {
69 const OSSL_STORE_LOADER *loader = NULL;
70 OSSL_STORE_LOADER *fetched_loader = NULL;
71 OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
72 OSSL_STORE_CTX *ctx = NULL;
73 char *propq_copy = NULL;
74 int no_loader_found = 1;
75 char scheme_copy[256], *p, *schemes[2], *scheme = NULL;
76 size_t schemes_n = 0;
77 size_t i;
78
79 /*
80 * Put the file scheme first. If the uri does represent an existing file,
81 * possible device name and all, then it should be loaded. Only a failed
82 * attempt at loading a local file should have us try something else.
83 */
84 schemes[schemes_n++] = "file";
85
86 /*
87 * Now, check if we have something that looks like a scheme, and add it
88 * as a second scheme. However, also check if there's an authority start
89 * (://), because that will invalidate the previous file scheme. Also,
90 * check that this isn't actually the file scheme, as there's no point
91 * going through that one twice!
92 */
93 OPENSSL_strlcpy(scheme_copy, uri, sizeof(scheme_copy));
94 if ((p = strchr(scheme_copy, ':')) != NULL) {
95 *p++ = '\0';
96 if (OPENSSL_strcasecmp(scheme_copy, "file") != 0) {
97 if (strncmp(p, "//", 2) == 0)
98 schemes_n--; /* Invalidate the file scheme */
99 schemes[schemes_n++] = scheme_copy;
100 }
101 }
102
103 ERR_set_mark();
104
105 /*
106 * Try each scheme until we find one that could open the URI.
107 *
108 * For each scheme, we look for the engine implementation first, and
109 * failing that, we then try to fetch a provided implementation.
110 * This is consistent with how we handle legacy / engine implementations
111 * elsewhere.
112 */
113 for (i = 0; loader_ctx == NULL && i < schemes_n; i++) {
114 scheme = schemes[i];
115 OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme);
116 #ifndef OPENSSL_NO_DEPRECATED_3_0
117 if ((loader = ossl_store_get0_loader_int(scheme)) != NULL) {
118 no_loader_found = 0;
119 if (loader->open_ex != NULL)
120 loader_ctx = loader->open_ex(loader, uri, libctx, propq,
121 ui_method, ui_data);
122 else
123 loader_ctx = loader->open(loader, uri, ui_method, ui_data);
124 }
125 #endif
126 if (loader == NULL
127 && (fetched_loader =
128 OSSL_STORE_LOADER_fetch(libctx, scheme, propq)) != NULL) {
129 const OSSL_PROVIDER *provider =
130 OSSL_STORE_LOADER_get0_provider(fetched_loader);
131 void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider);
132
133 no_loader_found = 0;
134 loader_ctx = fetched_loader->p_open(provctx, uri);
135 if (loader_ctx == NULL) {
136 OSSL_STORE_LOADER_free(fetched_loader);
137 fetched_loader = NULL;
138 } else if(!loader_set_params(fetched_loader, loader_ctx,
139 params, propq)) {
140 (void)fetched_loader->p_close(loader_ctx);
141 OSSL_STORE_LOADER_free(fetched_loader);
142 fetched_loader = NULL;
143 }
144 loader = fetched_loader;
145 }
146 }
147
148 if (no_loader_found)
149 /*
150 * It's assumed that ossl_store_get0_loader_int() and
151 * OSSL_STORE_LOADER_fetch() report their own errors
152 */
153 goto err;
154
155 OSSL_TRACE1(STORE, "Found loader for scheme %s\n", scheme);
156
157 if (loader_ctx == NULL)
158 /*
159 * It's assumed that the loader's open() method reports its own
160 * errors
161 */
162 goto err;
163
164 OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx);
165
166 if ((propq != NULL && (propq_copy = OPENSSL_strdup(propq)) == NULL)
167 || (ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
168 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
169 goto err;
170 }
171
172 if (ui_method != NULL
173 && (!ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data)
174 || !ossl_pw_enable_passphrase_caching(&ctx->pwdata))) {
175 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB);
176 goto err;
177 }
178 ctx->properties = propq_copy;
179 ctx->fetched_loader = fetched_loader;
180 ctx->loader = loader;
181 ctx->loader_ctx = loader_ctx;
182 ctx->post_process = post_process;
183 ctx->post_process_data = post_process_data;
184
185 /*
186 * If the attempt to open with the 'file' scheme loader failed and the
187 * other scheme loader succeeded, the failure to open with the 'file'
188 * scheme loader leaves an error on the error stack. Let's remove it.
189 */
190 ERR_pop_to_mark();
191
192 return ctx;
193
194 err:
195 ERR_clear_last_mark();
196 if (loader_ctx != NULL) {
197 /*
198 * Temporary structure so OSSL_STORE_close() can work even when
199 * |ctx| couldn't be allocated properly
200 */
201 OSSL_STORE_CTX tmpctx = { NULL, };
202
203 tmpctx.fetched_loader = fetched_loader;
204 tmpctx.loader = loader;
205 tmpctx.loader_ctx = loader_ctx;
206
207 /*
208 * We ignore a returned error because we will return NULL anyway in
209 * this case, so if something goes wrong when closing, that'll simply
210 * just add another entry on the error stack.
211 */
212 (void)ossl_store_close_it(&tmpctx);
213 }
214 OSSL_STORE_LOADER_free(fetched_loader);
215 OPENSSL_free(propq_copy);
216 OPENSSL_free(ctx);
217 return NULL;
218 }
219
OSSL_STORE_open(const char * uri,const UI_METHOD * ui_method,void * ui_data,OSSL_STORE_post_process_info_fn post_process,void * post_process_data)220 OSSL_STORE_CTX *OSSL_STORE_open(const char *uri,
221 const UI_METHOD *ui_method, void *ui_data,
222 OSSL_STORE_post_process_info_fn post_process,
223 void *post_process_data)
224 {
225 return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, NULL,
226 post_process, post_process_data);
227 }
228
229 #ifndef OPENSSL_NO_DEPRECATED_3_0
OSSL_STORE_ctrl(OSSL_STORE_CTX * ctx,int cmd,...)230 int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ...)
231 {
232 va_list args;
233 int ret;
234
235 va_start(args, cmd);
236 ret = OSSL_STORE_vctrl(ctx, cmd, args);
237 va_end(args);
238
239 return ret;
240 }
241
OSSL_STORE_vctrl(OSSL_STORE_CTX * ctx,int cmd,va_list args)242 int OSSL_STORE_vctrl(OSSL_STORE_CTX *ctx, int cmd, va_list args)
243 {
244 if (ctx->fetched_loader != NULL) {
245 if (ctx->fetched_loader->p_set_ctx_params != NULL) {
246 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
247
248 switch (cmd) {
249 case OSSL_STORE_C_USE_SECMEM:
250 {
251 int on = *(va_arg(args, int *));
252
253 params[0] = OSSL_PARAM_construct_int("use_secmem", &on);
254 }
255 break;
256 default:
257 break;
258 }
259
260 return ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx,
261 params);
262 }
263 } else if (ctx->loader->ctrl != NULL) {
264 return ctx->loader->ctrl(ctx->loader_ctx, cmd, args);
265 }
266
267 /*
268 * If the fetched loader doesn't have a set_ctx_params or a ctrl, it's as
269 * if there was one that ignored our params, which usually returns 1.
270 */
271 return 1;
272 }
273 #endif
274
OSSL_STORE_expect(OSSL_STORE_CTX * ctx,int expected_type)275 int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type)
276 {
277 int ret = 1;
278
279 if (ctx == NULL
280 || expected_type < 0 || expected_type > OSSL_STORE_INFO_CRL) {
281 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT);
282 return 0;
283 }
284 if (ctx->loading) {
285 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_LOADING_STARTED);
286 return 0;
287 }
288
289 ctx->expected_type = expected_type;
290 if (ctx->fetched_loader != NULL
291 && ctx->fetched_loader->p_set_ctx_params != NULL) {
292 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
293
294 params[0] =
295 OSSL_PARAM_construct_int(OSSL_STORE_PARAM_EXPECT, &expected_type);
296 ret = ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx, params);
297 }
298 #ifndef OPENSSL_NO_DEPRECATED_3_0
299 if (ctx->fetched_loader == NULL
300 && ctx->loader->expect != NULL) {
301 ret = ctx->loader->expect(ctx->loader_ctx, expected_type);
302 }
303 #endif
304 return ret;
305 }
306
OSSL_STORE_find(OSSL_STORE_CTX * ctx,const OSSL_STORE_SEARCH * search)307 int OSSL_STORE_find(OSSL_STORE_CTX *ctx, const OSSL_STORE_SEARCH *search)
308 {
309 int ret = 1;
310
311 if (ctx->loading) {
312 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_LOADING_STARTED);
313 return 0;
314 }
315 if (search == NULL) {
316 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_NULL_PARAMETER);
317 return 0;
318 }
319
320 if (ctx->fetched_loader != NULL) {
321 OSSL_PARAM_BLD *bld;
322 OSSL_PARAM *params;
323 /* OSSL_STORE_SEARCH_BY_NAME, OSSL_STORE_SEARCH_BY_ISSUER_SERIAL*/
324 void *name_der = NULL;
325 int name_der_sz;
326 /* OSSL_STORE_SEARCH_BY_ISSUER_SERIAL */
327 BIGNUM *number = NULL;
328
329 if (ctx->fetched_loader->p_set_ctx_params == NULL) {
330 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_UNSUPPORTED_OPERATION);
331 return 0;
332 }
333
334 if ((bld = OSSL_PARAM_BLD_new()) == NULL) {
335 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
336 return 0;
337 }
338
339 ret = 0; /* Assume the worst */
340
341 switch (search->search_type) {
342 case OSSL_STORE_SEARCH_BY_NAME:
343 if ((name_der_sz = i2d_X509_NAME(search->name,
344 (unsigned char **)&name_der)) > 0
345 && OSSL_PARAM_BLD_push_octet_string(bld,
346 OSSL_STORE_PARAM_SUBJECT,
347 name_der, name_der_sz))
348 ret = 1;
349 break;
350 case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
351 if ((name_der_sz = i2d_X509_NAME(search->name,
352 (unsigned char **)&name_der)) > 0
353 && (number = ASN1_INTEGER_to_BN(search->serial, NULL)) != NULL
354 && OSSL_PARAM_BLD_push_octet_string(bld,
355 OSSL_STORE_PARAM_ISSUER,
356 name_der, name_der_sz)
357 && OSSL_PARAM_BLD_push_BN(bld, OSSL_STORE_PARAM_SERIAL,
358 number))
359 ret = 1;
360 break;
361 case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
362 if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_STORE_PARAM_DIGEST,
363 EVP_MD_get0_name(search->digest),
364 0)
365 && OSSL_PARAM_BLD_push_octet_string(bld,
366 OSSL_STORE_PARAM_FINGERPRINT,
367 search->string,
368 search->stringlength))
369 ret = 1;
370 break;
371 case OSSL_STORE_SEARCH_BY_ALIAS:
372 if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_STORE_PARAM_ALIAS,
373 (char *)search->string,
374 search->stringlength))
375 ret = 1;
376 break;
377 }
378 if (ret) {
379 params = OSSL_PARAM_BLD_to_param(bld);
380 ret = ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx,
381 params);
382 OSSL_PARAM_free(params);
383 }
384 OSSL_PARAM_BLD_free(bld);
385 OPENSSL_free(name_der);
386 BN_free(number);
387 } else {
388 #ifndef OPENSSL_NO_DEPRECATED_3_0
389 /* legacy loader section */
390 if (ctx->loader->find == NULL) {
391 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_UNSUPPORTED_OPERATION);
392 return 0;
393 }
394 ret = ctx->loader->find(ctx->loader_ctx, search);
395 #endif
396 }
397
398 return ret;
399 }
400
OSSL_STORE_load(OSSL_STORE_CTX * ctx)401 OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
402 {
403 OSSL_STORE_INFO *v = NULL;
404
405 ctx->loading = 1;
406 again:
407 if (OSSL_STORE_eof(ctx))
408 return NULL;
409
410 if (ctx->loader != NULL)
411 OSSL_TRACE(STORE, "Loading next object\n");
412
413 if (ctx->cached_info != NULL
414 && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
415 sk_OSSL_STORE_INFO_free(ctx->cached_info);
416 ctx->cached_info = NULL;
417 }
418
419 if (ctx->cached_info != NULL) {
420 v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
421 } else {
422 if (ctx->fetched_loader != NULL) {
423 struct ossl_load_result_data_st load_data;
424
425 load_data.v = NULL;
426 load_data.ctx = ctx;
427 ctx->error_flag = 0;
428
429 if (!ctx->fetched_loader->p_load(ctx->loader_ctx,
430 ossl_store_handle_load_result,
431 &load_data,
432 ossl_pw_passphrase_callback_dec,
433 &ctx->pwdata)) {
434 ctx->error_flag = 1;
435 return NULL;
436 }
437 v = load_data.v;
438 }
439 #ifndef OPENSSL_NO_DEPRECATED_3_0
440 if (ctx->fetched_loader == NULL)
441 v = ctx->loader->load(ctx->loader_ctx,
442 ctx->pwdata._.ui_method.ui_method,
443 ctx->pwdata._.ui_method.ui_method_data);
444 #endif
445 }
446
447 if (ctx->post_process != NULL && v != NULL) {
448 v = ctx->post_process(v, ctx->post_process_data);
449
450 /*
451 * By returning NULL, the callback decides that this object should
452 * be ignored.
453 */
454 if (v == NULL)
455 goto again;
456 }
457
458 /* Clear any internally cached passphrase */
459 (void)ossl_pw_clear_passphrase_cache(&ctx->pwdata);
460
461 if (v != NULL && ctx->expected_type != 0) {
462 int returned_type = OSSL_STORE_INFO_get_type(v);
463
464 if (returned_type != OSSL_STORE_INFO_NAME && returned_type != 0) {
465 if (ctx->expected_type != returned_type) {
466 OSSL_STORE_INFO_free(v);
467 goto again;
468 }
469 }
470 }
471
472 if (v != NULL)
473 OSSL_TRACE1(STORE, "Got a %s\n",
474 OSSL_STORE_INFO_type_string(OSSL_STORE_INFO_get_type(v)));
475
476 return v;
477 }
478
OSSL_STORE_error(OSSL_STORE_CTX * ctx)479 int OSSL_STORE_error(OSSL_STORE_CTX *ctx)
480 {
481 int ret = 1;
482
483 if (ctx->fetched_loader != NULL)
484 ret = ctx->error_flag;
485 #ifndef OPENSSL_NO_DEPRECATED_3_0
486 if (ctx->fetched_loader == NULL)
487 ret = ctx->loader->error(ctx->loader_ctx);
488 #endif
489 return ret;
490 }
491
OSSL_STORE_eof(OSSL_STORE_CTX * ctx)492 int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
493 {
494 int ret = 1;
495
496 if (ctx->fetched_loader != NULL)
497 ret = ctx->loader->p_eof(ctx->loader_ctx);
498 #ifndef OPENSSL_NO_DEPRECATED_3_0
499 if (ctx->fetched_loader == NULL)
500 ret = ctx->loader->eof(ctx->loader_ctx);
501 #endif
502 return ret != 0;
503 }
504
ossl_store_close_it(OSSL_STORE_CTX * ctx)505 static int ossl_store_close_it(OSSL_STORE_CTX *ctx)
506 {
507 int ret = 0;
508
509 if (ctx == NULL)
510 return 1;
511 OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx);
512
513 if (ctx->fetched_loader != NULL)
514 ret = ctx->loader->p_close(ctx->loader_ctx);
515 #ifndef OPENSSL_NO_DEPRECATED_3_0
516 if (ctx->fetched_loader == NULL)
517 ret = ctx->loader->closefn(ctx->loader_ctx);
518 #endif
519
520 sk_OSSL_STORE_INFO_pop_free(ctx->cached_info, OSSL_STORE_INFO_free);
521 OSSL_STORE_LOADER_free(ctx->fetched_loader);
522 OPENSSL_free(ctx->properties);
523 ossl_pw_clear_passphrase_data(&ctx->pwdata);
524 return ret;
525 }
526
OSSL_STORE_close(OSSL_STORE_CTX * ctx)527 int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
528 {
529 int ret = ossl_store_close_it(ctx);
530
531 OPENSSL_free(ctx);
532 return ret;
533 }
534
535 /*
536 * Functions to generate OSSL_STORE_INFOs, one function for each type we
537 * support having in them as well as a generic constructor.
538 *
539 * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
540 * and will therefore be freed when the OSSL_STORE_INFO is freed.
541 */
OSSL_STORE_INFO_new(int type,void * data)542 OSSL_STORE_INFO *OSSL_STORE_INFO_new(int type, void *data)
543 {
544 OSSL_STORE_INFO *info = OPENSSL_zalloc(sizeof(*info));
545
546 if (info == NULL)
547 return NULL;
548
549 info->type = type;
550 info->_.data = data;
551 return info;
552 }
553
OSSL_STORE_INFO_new_NAME(char * name)554 OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name)
555 {
556 OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_NAME, NULL);
557
558 if (info == NULL) {
559 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
560 return NULL;
561 }
562
563 info->_.name.name = name;
564 info->_.name.desc = NULL;
565
566 return info;
567 }
568
OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO * info,char * desc)569 int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO *info, char *desc)
570 {
571 if (info->type != OSSL_STORE_INFO_NAME) {
572 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT);
573 return 0;
574 }
575
576 info->_.name.desc = desc;
577
578 return 1;
579 }
OSSL_STORE_INFO_new_PARAMS(EVP_PKEY * params)580 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PARAMS(EVP_PKEY *params)
581 {
582 OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_PARAMS, params);
583
584 if (info == NULL)
585 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
586 return info;
587 }
588
OSSL_STORE_INFO_new_PUBKEY(EVP_PKEY * pkey)589 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PUBKEY(EVP_PKEY *pkey)
590 {
591 OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_PUBKEY, pkey);
592
593 if (info == NULL)
594 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
595 return info;
596 }
597
OSSL_STORE_INFO_new_PKEY(EVP_PKEY * pkey)598 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PKEY(EVP_PKEY *pkey)
599 {
600 OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_PKEY, pkey);
601
602 if (info == NULL)
603 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
604 return info;
605 }
606
OSSL_STORE_INFO_new_CERT(X509 * x509)607 OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509)
608 {
609 OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_CERT, x509);
610
611 if (info == NULL)
612 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
613 return info;
614 }
615
OSSL_STORE_INFO_new_CRL(X509_CRL * crl)616 OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl)
617 {
618 OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_CRL, crl);
619
620 if (info == NULL)
621 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
622 return info;
623 }
624
625 /*
626 * Functions to try to extract data from a OSSL_STORE_INFO.
627 */
OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO * info)628 int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO *info)
629 {
630 return info->type;
631 }
632
OSSL_STORE_INFO_get0_data(int type,const OSSL_STORE_INFO * info)633 void *OSSL_STORE_INFO_get0_data(int type, const OSSL_STORE_INFO *info)
634 {
635 if (info->type == type)
636 return info->_.data;
637 return NULL;
638 }
639
OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO * info)640 const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO *info)
641 {
642 if (info->type == OSSL_STORE_INFO_NAME)
643 return info->_.name.name;
644 return NULL;
645 }
646
OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO * info)647 char *OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO *info)
648 {
649 if (info->type == OSSL_STORE_INFO_NAME) {
650 char *ret = OPENSSL_strdup(info->_.name.name);
651
652 if (ret == NULL)
653 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
654 return ret;
655 }
656 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_NAME);
657 return NULL;
658 }
659
OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO * info)660 const char *OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO *info)
661 {
662 if (info->type == OSSL_STORE_INFO_NAME)
663 return info->_.name.desc;
664 return NULL;
665 }
666
OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO * info)667 char *OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO *info)
668 {
669 if (info->type == OSSL_STORE_INFO_NAME) {
670 char *ret = OPENSSL_strdup(info->_.name.desc
671 ? info->_.name.desc : "");
672
673 if (ret == NULL)
674 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
675 return ret;
676 }
677 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_NAME);
678 return NULL;
679 }
680
OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO * info)681 EVP_PKEY *OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO *info)
682 {
683 if (info->type == OSSL_STORE_INFO_PARAMS)
684 return info->_.params;
685 return NULL;
686 }
687
OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO * info)688 EVP_PKEY *OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO *info)
689 {
690 if (info->type == OSSL_STORE_INFO_PARAMS) {
691 EVP_PKEY_up_ref(info->_.params);
692 return info->_.params;
693 }
694 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_PARAMETERS);
695 return NULL;
696 }
697
OSSL_STORE_INFO_get0_PUBKEY(const OSSL_STORE_INFO * info)698 EVP_PKEY *OSSL_STORE_INFO_get0_PUBKEY(const OSSL_STORE_INFO *info)
699 {
700 if (info->type == OSSL_STORE_INFO_PUBKEY)
701 return info->_.pubkey;
702 return NULL;
703 }
704
OSSL_STORE_INFO_get1_PUBKEY(const OSSL_STORE_INFO * info)705 EVP_PKEY *OSSL_STORE_INFO_get1_PUBKEY(const OSSL_STORE_INFO *info)
706 {
707 if (info->type == OSSL_STORE_INFO_PUBKEY) {
708 EVP_PKEY_up_ref(info->_.pubkey);
709 return info->_.pubkey;
710 }
711 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_PUBLIC_KEY);
712 return NULL;
713 }
714
OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO * info)715 EVP_PKEY *OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO *info)
716 {
717 if (info->type == OSSL_STORE_INFO_PKEY)
718 return info->_.pkey;
719 return NULL;
720 }
721
OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO * info)722 EVP_PKEY *OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO *info)
723 {
724 if (info->type == OSSL_STORE_INFO_PKEY) {
725 EVP_PKEY_up_ref(info->_.pkey);
726 return info->_.pkey;
727 }
728 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_PRIVATE_KEY);
729 return NULL;
730 }
731
OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO * info)732 X509 *OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO *info)
733 {
734 if (info->type == OSSL_STORE_INFO_CERT)
735 return info->_.x509;
736 return NULL;
737 }
738
OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO * info)739 X509 *OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO *info)
740 {
741 if (info->type == OSSL_STORE_INFO_CERT) {
742 X509_up_ref(info->_.x509);
743 return info->_.x509;
744 }
745 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_CERTIFICATE);
746 return NULL;
747 }
748
OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO * info)749 X509_CRL *OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO *info)
750 {
751 if (info->type == OSSL_STORE_INFO_CRL)
752 return info->_.crl;
753 return NULL;
754 }
755
OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO * info)756 X509_CRL *OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO *info)
757 {
758 if (info->type == OSSL_STORE_INFO_CRL) {
759 X509_CRL_up_ref(info->_.crl);
760 return info->_.crl;
761 }
762 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_CRL);
763 return NULL;
764 }
765
766 /*
767 * Free the OSSL_STORE_INFO
768 */
OSSL_STORE_INFO_free(OSSL_STORE_INFO * info)769 void OSSL_STORE_INFO_free(OSSL_STORE_INFO *info)
770 {
771 if (info != NULL) {
772 switch (info->type) {
773 case OSSL_STORE_INFO_NAME:
774 OPENSSL_free(info->_.name.name);
775 OPENSSL_free(info->_.name.desc);
776 break;
777 case OSSL_STORE_INFO_PARAMS:
778 EVP_PKEY_free(info->_.params);
779 break;
780 case OSSL_STORE_INFO_PUBKEY:
781 EVP_PKEY_free(info->_.pubkey);
782 break;
783 case OSSL_STORE_INFO_PKEY:
784 EVP_PKEY_free(info->_.pkey);
785 break;
786 case OSSL_STORE_INFO_CERT:
787 X509_free(info->_.x509);
788 break;
789 case OSSL_STORE_INFO_CRL:
790 X509_CRL_free(info->_.crl);
791 break;
792 }
793 OPENSSL_free(info);
794 }
795 }
796
OSSL_STORE_supports_search(OSSL_STORE_CTX * ctx,int search_type)797 int OSSL_STORE_supports_search(OSSL_STORE_CTX *ctx, int search_type)
798 {
799 int ret = 0;
800
801 if (ctx->fetched_loader != NULL) {
802 void *provctx =
803 ossl_provider_ctx(OSSL_STORE_LOADER_get0_provider(ctx->fetched_loader));
804 const OSSL_PARAM *params;
805 const OSSL_PARAM *p_subject = NULL;
806 const OSSL_PARAM *p_issuer = NULL;
807 const OSSL_PARAM *p_serial = NULL;
808 const OSSL_PARAM *p_fingerprint = NULL;
809 const OSSL_PARAM *p_alias = NULL;
810
811 if (ctx->fetched_loader->p_settable_ctx_params == NULL)
812 return 0;
813
814 params = ctx->fetched_loader->p_settable_ctx_params(provctx);
815 p_subject = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
816 p_issuer = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_ISSUER);
817 p_serial = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SERIAL);
818 p_fingerprint =
819 OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_FINGERPRINT);
820 p_alias = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_ALIAS);
821
822 switch (search_type) {
823 case OSSL_STORE_SEARCH_BY_NAME:
824 ret = (p_subject != NULL);
825 break;
826 case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
827 ret = (p_issuer != NULL && p_serial != NULL);
828 break;
829 case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
830 ret = (p_fingerprint != NULL);
831 break;
832 case OSSL_STORE_SEARCH_BY_ALIAS:
833 ret = (p_alias != NULL);
834 break;
835 }
836 }
837 #ifndef OPENSSL_NO_DEPRECATED_3_0
838 if (ctx->fetched_loader == NULL) {
839 OSSL_STORE_SEARCH tmp_search;
840
841 if (ctx->loader->find == NULL)
842 return 0;
843 tmp_search.search_type = search_type;
844 ret = ctx->loader->find(NULL, &tmp_search);
845 }
846 #endif
847 return ret;
848 }
849
850 /* Search term constructors */
OSSL_STORE_SEARCH_by_name(X509_NAME * name)851 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_name(X509_NAME *name)
852 {
853 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
854
855 if (search == NULL) {
856 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
857 return NULL;
858 }
859
860 search->search_type = OSSL_STORE_SEARCH_BY_NAME;
861 search->name = name;
862 return search;
863 }
864
OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME * name,const ASN1_INTEGER * serial)865 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME *name,
866 const ASN1_INTEGER *serial)
867 {
868 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
869
870 if (search == NULL) {
871 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
872 return NULL;
873 }
874
875 search->search_type = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
876 search->name = name;
877 search->serial = serial;
878 return search;
879 }
880
OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD * digest,const unsigned char * bytes,size_t len)881 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD *digest,
882 const unsigned char
883 *bytes, size_t len)
884 {
885 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
886
887 if (search == NULL) {
888 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
889 return NULL;
890 }
891
892 if (digest != NULL && len != (size_t)EVP_MD_get_size(digest)) {
893 ERR_raise_data(ERR_LIB_OSSL_STORE,
894 OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST,
895 "%s size is %d, fingerprint size is %zu",
896 EVP_MD_get0_name(digest), EVP_MD_get_size(digest), len);
897 OPENSSL_free(search);
898 return NULL;
899 }
900
901 search->search_type = OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT;
902 search->digest = digest;
903 search->string = bytes;
904 search->stringlength = len;
905 return search;
906 }
907
OSSL_STORE_SEARCH_by_alias(const char * alias)908 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_alias(const char *alias)
909 {
910 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
911
912 if (search == NULL) {
913 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
914 return NULL;
915 }
916
917 search->search_type = OSSL_STORE_SEARCH_BY_ALIAS;
918 search->string = (const unsigned char *)alias;
919 search->stringlength = strlen(alias);
920 return search;
921 }
922
923 /* Search term destructor */
OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH * search)924 void OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH *search)
925 {
926 OPENSSL_free(search);
927 }
928
929 /* Search term accessors */
OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH * criterion)930 int OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH *criterion)
931 {
932 return criterion->search_type;
933 }
934
OSSL_STORE_SEARCH_get0_name(const OSSL_STORE_SEARCH * criterion)935 X509_NAME *OSSL_STORE_SEARCH_get0_name(const OSSL_STORE_SEARCH *criterion)
936 {
937 return criterion->name;
938 }
939
OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH * criterion)940 const ASN1_INTEGER *OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH
941 *criterion)
942 {
943 return criterion->serial;
944 }
945
OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH * criterion,size_t * length)946 const unsigned char *OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH
947 *criterion, size_t *length)
948 {
949 *length = criterion->stringlength;
950 return criterion->string;
951 }
952
OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH * criterion)953 const char *OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH *criterion)
954 {
955 return (const char *)criterion->string;
956 }
957
OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH * criterion)958 const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion)
959 {
960 return criterion->digest;
961 }
962
OSSL_STORE_attach(BIO * bp,const char * scheme,OSSL_LIB_CTX * libctx,const char * propq,const UI_METHOD * ui_method,void * ui_data,const OSSL_PARAM params[],OSSL_STORE_post_process_info_fn post_process,void * post_process_data)963 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
964 OSSL_LIB_CTX *libctx, const char *propq,
965 const UI_METHOD *ui_method, void *ui_data,
966 const OSSL_PARAM params[],
967 OSSL_STORE_post_process_info_fn post_process,
968 void *post_process_data)
969 {
970 const OSSL_STORE_LOADER *loader = NULL;
971 OSSL_STORE_LOADER *fetched_loader = NULL;
972 OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
973 OSSL_STORE_CTX *ctx = NULL;
974
975 if (scheme == NULL)
976 scheme = "file";
977
978 OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme);
979 ERR_set_mark();
980 #ifndef OPENSSL_NO_DEPRECATED_3_0
981 if ((loader = ossl_store_get0_loader_int(scheme)) != NULL)
982 loader_ctx = loader->attach(loader, bp, libctx, propq,
983 ui_method, ui_data);
984 #endif
985 if (loader == NULL
986 && (fetched_loader =
987 OSSL_STORE_LOADER_fetch(libctx, scheme, propq)) != NULL) {
988 const OSSL_PROVIDER *provider =
989 OSSL_STORE_LOADER_get0_provider(fetched_loader);
990 void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider);
991 OSSL_CORE_BIO *cbio = ossl_core_bio_new_from_bio(bp);
992
993 if (cbio == NULL
994 || (loader_ctx = fetched_loader->p_attach(provctx, cbio)) == NULL) {
995 OSSL_STORE_LOADER_free(fetched_loader);
996 fetched_loader = NULL;
997 } else if (!loader_set_params(fetched_loader, loader_ctx,
998 params, propq)) {
999 (void)fetched_loader->p_close(loader_ctx);
1000 OSSL_STORE_LOADER_free(fetched_loader);
1001 fetched_loader = NULL;
1002 }
1003 loader = fetched_loader;
1004 ossl_core_bio_free(cbio);
1005 }
1006
1007 if (loader_ctx == NULL) {
1008 ERR_clear_last_mark();
1009 return NULL;
1010 }
1011
1012 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
1013 ERR_clear_last_mark();
1014 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
1015 return NULL;
1016 }
1017
1018 if (ui_method != NULL
1019 && !ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data)) {
1020 ERR_clear_last_mark();
1021 OPENSSL_free(ctx);
1022 return NULL;
1023 }
1024
1025 ctx->fetched_loader = fetched_loader;
1026 ctx->loader = loader;
1027 ctx->loader_ctx = loader_ctx;
1028 ctx->post_process = post_process;
1029 ctx->post_process_data = post_process_data;
1030
1031 /*
1032 * ossl_store_get0_loader_int will raise an error if the loader for the
1033 * the scheme cannot be retrieved. But if a loader was successfully
1034 * fetched then we remove this error from the error stack.
1035 */
1036 ERR_pop_to_mark();
1037
1038 return ctx;
1039 }
1040