]>
Commit | Line | Data |
---|---|---|
a517edec RL |
1 | /* |
2 | * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/err.h> | |
11 | #include <openssl/ui.h> | |
12 | #include <openssl/core_names.h> | |
13 | #include "internal/cryptlib.h" | |
14 | #include "internal/passphrase.h" | |
15 | ||
16 | void ossl_pw_clear_passphrase_data(struct ossl_passphrase_data_st *data) | |
17 | { | |
18 | if (data != NULL) { | |
19 | if (data->type == is_expl_passphrase) | |
20 | OPENSSL_clear_free(data->_.expl_passphrase.passphrase_copy, | |
21 | data->_.expl_passphrase.passphrase_len); | |
22 | ossl_pw_clear_passphrase_cache(data); | |
23 | memset(data, 0, sizeof(*data)); | |
24 | } | |
25 | } | |
26 | ||
27 | void ossl_pw_clear_passphrase_cache(struct ossl_passphrase_data_st *data) | |
28 | { | |
29 | OPENSSL_clear_free(data->cached_passphrase, data->cached_passphrase_len); | |
30 | data->cached_passphrase = NULL; | |
31 | } | |
32 | ||
33 | int ossl_pw_set_passphrase(struct ossl_passphrase_data_st *data, | |
34 | const unsigned char *passphrase, | |
35 | size_t passphrase_len) | |
36 | { | |
37 | if (!ossl_assert(data != NULL && passphrase != NULL)) { | |
38 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER); | |
39 | return 0; | |
40 | } | |
41 | ossl_pw_clear_passphrase_data(data); | |
42 | data->type = is_expl_passphrase; | |
43 | data->_.expl_passphrase.passphrase_copy = | |
44 | OPENSSL_memdup(passphrase, passphrase_len); | |
45 | if (data->_.expl_passphrase.passphrase_copy == NULL) { | |
46 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
47 | return 0; | |
48 | } | |
49 | data->_.expl_passphrase.passphrase_len = passphrase_len; | |
50 | return 1; | |
51 | } | |
52 | ||
53 | int ossl_pw_set_pem_password_cb(struct ossl_passphrase_data_st *data, | |
54 | pem_password_cb *cb, void *cbarg) | |
55 | { | |
56 | if (!ossl_assert(data != NULL && cb != NULL)) { | |
57 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER); | |
58 | return 0; | |
59 | } | |
60 | ossl_pw_clear_passphrase_data(data); | |
61 | data->type = is_pem_password; | |
62 | data->_.pem_password.password_cb = cb; | |
63 | data->_.pem_password.password_cbarg = cbarg; | |
64 | return 1; | |
65 | } | |
66 | ||
67 | int ossl_pw_set_ossl_passphrase_cb(struct ossl_passphrase_data_st *data, | |
68 | OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg) | |
69 | { | |
70 | if (!ossl_assert(data != NULL && cb != NULL)) { | |
71 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER); | |
72 | return 0; | |
73 | } | |
74 | ossl_pw_clear_passphrase_data(data); | |
75 | data->type = is_ossl_passphrase; | |
76 | data->_.ossl_passphrase.passphrase_cb = cb; | |
77 | data->_.ossl_passphrase.passphrase_cbarg = cbarg; | |
78 | return 1; | |
79 | } | |
80 | ||
81 | int ossl_pw_set_ui_method(struct ossl_passphrase_data_st *data, | |
82 | const UI_METHOD *ui_method, void *ui_data) | |
83 | { | |
84 | if (!ossl_assert(data != NULL && ui_method != NULL)) { | |
85 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER); | |
86 | return 0; | |
87 | } | |
88 | ossl_pw_clear_passphrase_data(data); | |
89 | data->type = is_ui_method; | |
90 | data->_.ui_method.ui_method = ui_method; | |
91 | data->_.ui_method.ui_method_data = ui_data; | |
92 | return 1; | |
93 | } | |
94 | ||
95 | int ossl_pw_enable_passphrase_caching(struct ossl_passphrase_data_st *data) | |
96 | { | |
97 | data->flag_cache_passphrase = 1; | |
98 | return 1; | |
99 | } | |
100 | ||
101 | int ossl_pw_disable_passphrase_caching(struct ossl_passphrase_data_st *data) | |
102 | { | |
103 | data->flag_cache_passphrase = 0; | |
104 | return 1; | |
105 | } | |
106 | ||
107 | ||
108 | /*- | |
109 | * UI_METHOD processor. It differs from UI_UTIL_read_pw() like this: | |
110 | * | |
111 | * 1. It constructs a prompt on its own, based on |prompt_info|. | |
112 | * 2. It allocates a buffer for verification on its own. | |
113 | * 3. It raises errors. | |
114 | * 4. It reports back the length of the prompted pass phrase. | |
115 | */ | |
116 | static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, | |
117 | const char *prompt_info, int verify, | |
118 | const UI_METHOD *ui_method, void *ui_data) | |
119 | { | |
120 | char *prompt = NULL, *vpass = NULL; | |
121 | int prompt_idx = -1, verify_idx = -1; | |
122 | UI *ui = NULL; | |
123 | int ret = 0; | |
124 | ||
125 | if (!ossl_assert(pass != NULL && pass_size != 0 && pass_len != NULL)) { | |
126 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER); | |
127 | return 0; | |
128 | } | |
129 | ||
130 | if ((ui = UI_new()) == NULL) { | |
131 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
132 | return 0; | |
133 | } | |
134 | ||
135 | if (ui_method != NULL) { | |
136 | UI_set_method(ui, ui_method); | |
137 | if (ui_data != NULL) | |
138 | UI_add_user_data(ui, ui_data); | |
139 | } | |
140 | ||
141 | /* Get an application constructed prompt */ | |
142 | prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); | |
143 | if (prompt == NULL) { | |
144 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
145 | goto end; | |
146 | } | |
147 | ||
148 | prompt_idx = UI_add_input_string(ui, prompt, | |
149 | UI_INPUT_FLAG_DEFAULT_PWD, | |
150 | pass, 0, pass_size - 1) - 1; | |
151 | if (prompt_idx < 0) { | |
152 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); | |
153 | goto end; | |
154 | } | |
155 | ||
156 | if (verify) { | |
157 | /* Get a buffer for verification prompt */ | |
158 | vpass = OPENSSL_zalloc(pass_size); | |
159 | if (vpass == NULL) { | |
160 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
161 | goto end; | |
162 | } | |
163 | verify_idx = UI_add_verify_string(ui, prompt, | |
164 | UI_INPUT_FLAG_DEFAULT_PWD, | |
165 | vpass, 0, pass_size - 1, | |
166 | pass) - 1; | |
167 | if (verify_idx < 0) { | |
168 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); | |
169 | goto end; | |
170 | } | |
171 | } | |
172 | ||
173 | switch (UI_process(ui)) { | |
174 | case -2: | |
175 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERRUPTED_OR_CANCELLED); | |
176 | break; | |
177 | case -1: | |
178 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); | |
179 | break; | |
180 | default: | |
181 | *pass_len = (size_t)UI_get_result_length(ui, prompt_idx); | |
182 | ret = 1; | |
183 | break; | |
184 | } | |
185 | ||
186 | end: | |
187 | OPENSSL_free(vpass); | |
188 | OPENSSL_free(prompt); | |
189 | UI_free(ui); | |
190 | return ret; | |
191 | } | |
192 | ||
193 | /* Central pw prompting dispatcher */ | |
194 | int ossl_pw_get_passphrase(char *pass, size_t pass_size, size_t *pass_len, | |
195 | const OSSL_PARAM params[], int verify, | |
196 | struct ossl_passphrase_data_st *data) | |
197 | { | |
198 | const char *source = NULL; | |
199 | size_t source_len = 0; | |
200 | const char *prompt_info = NULL; | |
201 | const UI_METHOD *ui_method = NULL; | |
202 | UI_METHOD *allocated_ui_method = NULL; | |
203 | void *ui_data = NULL; | |
204 | const OSSL_PARAM *p = NULL; | |
205 | int ret; | |
206 | ||
207 | /* Handle explicit and cached passphrases */ | |
208 | ||
209 | if (data->type == is_expl_passphrase) { | |
210 | source = data->_.expl_passphrase.passphrase_copy; | |
211 | source_len = data->_.expl_passphrase.passphrase_len; | |
212 | } else if (data->flag_cache_passphrase && data->cached_passphrase != NULL) { | |
213 | source = data->cached_passphrase; | |
214 | source_len = data->cached_passphrase_len; | |
215 | } | |
216 | ||
217 | if (source != NULL) { | |
218 | if (source_len > pass_size) | |
219 | source_len = pass_size; | |
220 | memcpy(pass, source, source_len); | |
221 | *pass_len = source_len; | |
222 | return 1; | |
223 | } | |
224 | ||
225 | /* Handle the is_ossl_passphrase case... that's pretty direct */ | |
226 | ||
227 | if (data->type == is_ossl_passphrase) { | |
228 | OSSL_PASSPHRASE_CALLBACK *cb = data->_.ossl_passphrase.passphrase_cb; | |
229 | void *cbarg = data->_.ossl_passphrase.passphrase_cbarg; | |
230 | ||
231 | ret = cb(pass, pass_size, pass_len, params, cbarg); | |
232 | goto do_cache; | |
233 | } | |
234 | ||
235 | /* Handle the is_pem_password and is_ui_method cases */ | |
236 | ||
237 | if ((p = OSSL_PARAM_locate_const(params, | |
238 | OSSL_PASSPHRASE_PARAM_INFO)) != NULL) { | |
239 | if (p->data_type != OSSL_PARAM_UTF8_STRING) { | |
240 | ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT, | |
241 | "Prompt info data type incorrect"); | |
242 | return 0; | |
243 | } | |
244 | prompt_info = p->data; | |
245 | } | |
246 | ||
247 | if (data->type == is_pem_password) { | |
248 | /* We use a UI wrapper for PEM */ | |
249 | pem_password_cb *cb = data->_.pem_password.password_cb; | |
250 | ||
251 | ui_method = allocated_ui_method = | |
252 | UI_UTIL_wrap_read_pem_callback(cb, verify); | |
253 | ui_data = data->_.pem_password.password_cbarg; | |
254 | ||
255 | if (ui_method == NULL) { | |
256 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
257 | return 0; | |
258 | } | |
259 | } else if (data->type == is_ui_method) { | |
260 | ui_method = data->_.ui_method.ui_method; | |
261 | ui_data = data->_.ui_method.ui_method_data; | |
262 | } | |
263 | ||
264 | if (ui_method == NULL) { | |
265 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
266 | return 0; | |
267 | } | |
268 | ||
269 | ret = do_ui_passphrase(pass, pass_size, pass_len, prompt_info, verify, | |
270 | ui_method, ui_data); | |
271 | ||
272 | UI_destroy_method(allocated_ui_method); | |
273 | ||
274 | do_cache: | |
275 | if (ret && data->flag_cache_passphrase) { | |
67b64013 RL |
276 | if (data->cached_passphrase == NULL |
277 | || *pass_len > data->cached_passphrase_len) { | |
a517edec RL |
278 | void *new_cache = |
279 | OPENSSL_clear_realloc(data->cached_passphrase, | |
280 | data->cached_passphrase_len, | |
281 | *pass_len + 1); | |
282 | ||
283 | if (new_cache == NULL) { | |
284 | OPENSSL_cleanse(pass, *pass_len); | |
285 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
286 | return 0; | |
287 | } | |
288 | data->cached_passphrase = new_cache; | |
289 | } | |
290 | memcpy(data->cached_passphrase, pass, *pass_len); | |
291 | data->cached_passphrase[*pass_len] = '\0'; | |
292 | data->cached_passphrase_len = *pass_len; | |
293 | } | |
294 | ||
295 | return ret; | |
296 | } | |
297 | ||
298 | int ossl_pw_pem_password(char *buf, int size, int rwflag, void *userdata) | |
299 | { | |
300 | size_t password_len = 0; | |
301 | OSSL_PARAM params[] = { | |
302 | OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, NULL, 0), | |
303 | OSSL_PARAM_END | |
304 | }; | |
305 | ||
306 | params[0].data = "PEM"; | |
307 | if (ossl_pw_get_passphrase(buf, (size_t)size, &password_len, params, | |
308 | rwflag, userdata)) | |
309 | return (int)password_len; | |
310 | return -1; | |
311 | } | |
312 | ||
313 | int ossl_pw_passphrase_callback_enc(char *pass, size_t pass_size, | |
314 | size_t *pass_len, | |
315 | const OSSL_PARAM params[], void *arg) | |
316 | { | |
317 | return ossl_pw_get_passphrase(pass, pass_size, pass_len, params, 1, arg); | |
318 | } | |
319 | ||
320 | int ossl_pw_passphrase_callback_dec(char *pass, size_t pass_size, | |
321 | size_t *pass_len, | |
322 | const OSSL_PARAM params[], void *arg) | |
323 | { | |
324 | return ossl_pw_get_passphrase(pass, pass_size, pass_len, params, 0, arg); | |
325 | } |