1 /*
2 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/err.h>
11 #include <openssl/ui.h>
12 #include <openssl/params.h>
13 #include <openssl/encoder.h>
14 #include <openssl/core_names.h>
15 #include <openssl/provider.h>
16 #include <openssl/safestack.h>
17 #include <openssl/trace.h>
18 #include "internal/provider.h"
19 #include "internal/property.h"
20 #include "crypto/evp.h"
21 #include "encoder_local.h"
22
DEFINE_STACK_OF(OSSL_ENCODER)23 DEFINE_STACK_OF(OSSL_ENCODER)
24
25 int OSSL_ENCODER_CTX_set_cipher(OSSL_ENCODER_CTX *ctx,
26 const char *cipher_name,
27 const char *propquery)
28 {
29 OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END };
30
31 params[0] =
32 OSSL_PARAM_construct_utf8_string(OSSL_ENCODER_PARAM_CIPHER,
33 (void *)cipher_name, 0);
34 params[1] =
35 OSSL_PARAM_construct_utf8_string(OSSL_ENCODER_PARAM_PROPERTIES,
36 (void *)propquery, 0);
37
38 return OSSL_ENCODER_CTX_set_params(ctx, params);
39 }
40
OSSL_ENCODER_CTX_set_passphrase(OSSL_ENCODER_CTX * ctx,const unsigned char * kstr,size_t klen)41 int OSSL_ENCODER_CTX_set_passphrase(OSSL_ENCODER_CTX *ctx,
42 const unsigned char *kstr,
43 size_t klen)
44 {
45 return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
46 }
47
OSSL_ENCODER_CTX_set_passphrase_ui(OSSL_ENCODER_CTX * ctx,const UI_METHOD * ui_method,void * ui_data)48 int OSSL_ENCODER_CTX_set_passphrase_ui(OSSL_ENCODER_CTX *ctx,
49 const UI_METHOD *ui_method,
50 void *ui_data)
51 {
52 return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
53 }
54
OSSL_ENCODER_CTX_set_pem_password_cb(OSSL_ENCODER_CTX * ctx,pem_password_cb * cb,void * cbarg)55 int OSSL_ENCODER_CTX_set_pem_password_cb(OSSL_ENCODER_CTX *ctx,
56 pem_password_cb *cb, void *cbarg)
57 {
58 return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
59 }
60
OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX * ctx,OSSL_PASSPHRASE_CALLBACK * cb,void * cbarg)61 int OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX *ctx,
62 OSSL_PASSPHRASE_CALLBACK *cb,
63 void *cbarg)
64 {
65 return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
66 }
67
68 /*
69 * Support for OSSL_ENCODER_CTX_new_for_type:
70 * finding a suitable encoder
71 */
72
73 struct collected_encoder_st {
74 STACK_OF(OPENSSL_CSTRING) *names;
75 const char *output_structure;
76 const char *output_type;
77
78 const OSSL_PROVIDER *keymgmt_prov;
79 OSSL_ENCODER_CTX *ctx;
80 unsigned int flag_find_same_provider:1;
81
82 int error_occurred;
83 };
84
collect_encoder(OSSL_ENCODER * encoder,void * arg)85 static void collect_encoder(OSSL_ENCODER *encoder, void *arg)
86 {
87 struct collected_encoder_st *data = arg;
88 size_t i, end_i;
89
90 if (data->error_occurred)
91 return;
92
93 data->error_occurred = 1; /* Assume the worst */
94
95 if (data->names == NULL)
96 return;
97
98 end_i = sk_OPENSSL_CSTRING_num(data->names);
99 for (i = 0; i < end_i; i++) {
100 const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
101 const OSSL_PROVIDER *prov = OSSL_ENCODER_get0_provider(encoder);
102 void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
103
104 /*
105 * collect_encoder() is called in two passes, one where the encoders
106 * from the same provider as the keymgmt are looked up, and one where
107 * the other encoders are looked up. |data->flag_find_same_provider|
108 * tells us which pass we're in.
109 */
110 if ((data->keymgmt_prov == prov) != data->flag_find_same_provider)
111 continue;
112
113 if (!OSSL_ENCODER_is_a(encoder, name)
114 || (encoder->does_selection != NULL
115 && !encoder->does_selection(provctx, data->ctx->selection))
116 || (data->keymgmt_prov != prov
117 && encoder->import_object == NULL))
118 continue;
119
120 /* Only add each encoder implementation once */
121 if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder))
122 break;
123 }
124
125 data->error_occurred = 0; /* All is good now */
126 }
127
128 struct collected_names_st {
129 STACK_OF(OPENSSL_CSTRING) *names;
130 unsigned int error_occurred:1;
131 };
132
collect_name(const char * name,void * arg)133 static void collect_name(const char *name, void *arg)
134 {
135 struct collected_names_st *data = arg;
136
137 if (data->error_occurred)
138 return;
139
140 data->error_occurred = 1; /* Assume the worst */
141
142 if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
143 return;
144
145 data->error_occurred = 0; /* All is good now */
146 }
147
148 /*
149 * Support for OSSL_ENCODER_to_bio:
150 * writing callback for the OSSL_PARAM (the implementation doesn't have
151 * intimate knowledge of the provider side object)
152 */
153
154 struct construct_data_st {
155 const EVP_PKEY *pk;
156 int selection;
157
158 OSSL_ENCODER_INSTANCE *encoder_inst;
159 const void *obj;
160 void *constructed_obj;
161 };
162
encoder_import_cb(const OSSL_PARAM params[],void * arg)163 static int encoder_import_cb(const OSSL_PARAM params[], void *arg)
164 {
165 struct construct_data_st *construct_data = arg;
166 OSSL_ENCODER_INSTANCE *encoder_inst = construct_data->encoder_inst;
167 OSSL_ENCODER *encoder = OSSL_ENCODER_INSTANCE_get_encoder(encoder_inst);
168 void *encoderctx = OSSL_ENCODER_INSTANCE_get_encoder_ctx(encoder_inst);
169
170 construct_data->constructed_obj =
171 encoder->import_object(encoderctx, construct_data->selection, params);
172
173 return (construct_data->constructed_obj != NULL);
174 }
175
176 static const void *
encoder_construct_pkey(OSSL_ENCODER_INSTANCE * encoder_inst,void * arg)177 encoder_construct_pkey(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg)
178 {
179 struct construct_data_st *data = arg;
180
181 if (data->obj == NULL) {
182 OSSL_ENCODER *encoder =
183 OSSL_ENCODER_INSTANCE_get_encoder(encoder_inst);
184 const EVP_PKEY *pk = data->pk;
185 const OSSL_PROVIDER *k_prov = EVP_KEYMGMT_get0_provider(pk->keymgmt);
186 const OSSL_PROVIDER *e_prov = OSSL_ENCODER_get0_provider(encoder);
187
188 if (k_prov != e_prov) {
189 int selection = data->selection;
190
191 if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
192 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
193 data->encoder_inst = encoder_inst;
194
195 if (!evp_keymgmt_export(pk->keymgmt, pk->keydata, selection,
196 &encoder_import_cb, data))
197 return NULL;
198 data->obj = data->constructed_obj;
199 } else {
200 data->obj = pk->keydata;
201 }
202 }
203
204 return data->obj;
205 }
206
encoder_destruct_pkey(void * arg)207 static void encoder_destruct_pkey(void *arg)
208 {
209 struct construct_data_st *data = arg;
210
211 if (data->encoder_inst != NULL) {
212 OSSL_ENCODER *encoder =
213 OSSL_ENCODER_INSTANCE_get_encoder(data->encoder_inst);
214
215 encoder->free_object(data->constructed_obj);
216 }
217 data->constructed_obj = NULL;
218 }
219
220 /*
221 * OSSL_ENCODER_CTX_new_for_pkey() returns a ctx with no encoder if
222 * it couldn't find a suitable encoder. This allows a caller to detect if
223 * a suitable encoder was found, with OSSL_ENCODER_CTX_get_num_encoder(),
224 * and to use fallback methods if the result is NULL.
225 */
ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX * ctx,const EVP_PKEY * pkey,int selection,const char * propquery)226 static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx,
227 const EVP_PKEY *pkey,
228 int selection,
229 const char *propquery)
230 {
231 struct construct_data_st *data = NULL;
232 const OSSL_PROVIDER *prov = NULL;
233 OSSL_LIB_CTX *libctx = NULL;
234 int ok = 0;
235
236 if (!ossl_assert(ctx != NULL) || !ossl_assert(pkey != NULL)) {
237 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER);
238 return 0;
239 }
240
241 if (evp_pkey_is_provided(pkey)) {
242 prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt);
243 libctx = ossl_provider_libctx(prov);
244 }
245
246 if (pkey->keymgmt != NULL) {
247 struct collected_encoder_st encoder_data;
248 struct collected_names_st keymgmt_data;
249
250 if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL) {
251 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
252 goto err;
253 }
254
255 /*
256 * Select the first encoder implementations in two steps.
257 * First, collect the keymgmt names, then the encoders that match.
258 */
259 keymgmt_data.names = sk_OPENSSL_CSTRING_new_null();
260 if (keymgmt_data.names == NULL) {
261 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
262 goto err;
263 }
264
265 keymgmt_data.error_occurred = 0;
266 EVP_KEYMGMT_names_do_all(pkey->keymgmt, collect_name, &keymgmt_data);
267 if (keymgmt_data.error_occurred) {
268 sk_OPENSSL_CSTRING_free(keymgmt_data.names);
269 goto err;
270 }
271
272 encoder_data.names = keymgmt_data.names;
273 encoder_data.output_type = ctx->output_type;
274 encoder_data.output_structure = ctx->output_structure;
275 encoder_data.error_occurred = 0;
276 encoder_data.keymgmt_prov = prov;
277 encoder_data.ctx = ctx;
278
279 /*
280 * Place the encoders with the a different provider as the keymgmt
281 * last (the chain is processed in reverse order)
282 */
283 encoder_data.flag_find_same_provider = 0;
284 OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data);
285
286 /*
287 * Place the encoders with the same provider as the keymgmt first
288 * (the chain is processed in reverse order)
289 */
290 encoder_data.flag_find_same_provider = 1;
291 OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data);
292
293 sk_OPENSSL_CSTRING_free(keymgmt_data.names);
294 if (encoder_data.error_occurred) {
295 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
296 goto err;
297 }
298 }
299
300 if (data != NULL && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
301 if (!OSSL_ENCODER_CTX_set_construct(ctx, encoder_construct_pkey)
302 || !OSSL_ENCODER_CTX_set_construct_data(ctx, data)
303 || !OSSL_ENCODER_CTX_set_cleanup(ctx, encoder_destruct_pkey))
304 goto err;
305
306 data->pk = pkey;
307 data->selection = selection;
308
309 data = NULL; /* Avoid it being freed */
310 }
311
312 ok = 1;
313 err:
314 if (data != NULL) {
315 OSSL_ENCODER_CTX_set_construct_data(ctx, NULL);
316 OPENSSL_free(data);
317 }
318 return ok;
319 }
320
OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY * pkey,int selection,const char * output_type,const char * output_struct,const char * propquery)321 OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY *pkey,
322 int selection,
323 const char *output_type,
324 const char *output_struct,
325 const char *propquery)
326 {
327 OSSL_ENCODER_CTX *ctx = NULL;
328 OSSL_LIB_CTX *libctx = NULL;
329
330 if (pkey == NULL) {
331 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER);
332 return NULL;
333 }
334
335 if (!evp_pkey_is_assigned(pkey)) {
336 ERR_raise_data(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT,
337 "The passed EVP_PKEY must be assigned a key");
338 return NULL;
339 }
340
341 if ((ctx = OSSL_ENCODER_CTX_new()) == NULL) {
342 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
343 return NULL;
344 }
345
346 if (evp_pkey_is_provided(pkey)) {
347 const OSSL_PROVIDER *prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt);
348
349 libctx = ossl_provider_libctx(prov);
350 }
351
352 OSSL_TRACE_BEGIN(ENCODER) {
353 BIO_printf(trc_out,
354 "(ctx %p) Looking for %s encoders with selection %d\n",
355 (void *)ctx, EVP_PKEY_get0_type_name(pkey), selection);
356 BIO_printf(trc_out, " output type: %s, output structure: %s\n",
357 output_type, output_struct);
358 } OSSL_TRACE_END(ENCODER);
359
360 if (OSSL_ENCODER_CTX_set_output_type(ctx, output_type)
361 && (output_struct == NULL
362 || OSSL_ENCODER_CTX_set_output_structure(ctx, output_struct))
363 && OSSL_ENCODER_CTX_set_selection(ctx, selection)
364 && ossl_encoder_ctx_setup_for_pkey(ctx, pkey, selection, propquery)
365 && OSSL_ENCODER_CTX_add_extra(ctx, libctx, propquery)) {
366 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
367 int save_parameters = pkey->save_parameters;
368
369 params[0] = OSSL_PARAM_construct_int(OSSL_ENCODER_PARAM_SAVE_PARAMETERS,
370 &save_parameters);
371 /* ignoring error as this is only auxiliary parameter */
372 (void)OSSL_ENCODER_CTX_set_params(ctx, params);
373
374 OSSL_TRACE_BEGIN(ENCODER) {
375 BIO_printf(trc_out, "(ctx %p) Got %d encoders\n",
376 (void *)ctx, OSSL_ENCODER_CTX_get_num_encoders(ctx));
377 } OSSL_TRACE_END(ENCODER);
378 return ctx;
379 }
380
381 OSSL_ENCODER_CTX_free(ctx);
382 return NULL;
383 }
384