From: Richard Levitte
Date: Wed, 28 Apr 2021 09:02:36 +0000 (+0200)
Subject: STORE: Use the 'expect' param to limit the amount of decoders used
X-Git-Tag: openssl-3.0.0-alpha16~72
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e73fc81345ae2cdcc4be55768345d8a00fed6453;p=thirdparty%2Fopenssl.git

STORE: Use the 'expect' param to limit the amount of decoders used

In the provider file: scheme loader implementation, the OSSL_DECODER_CTX was set up with all sorts of implementations, even if the caller has declared a limited expectation on what should be loaded, which means that even though a certificate is expected, all the diverse decoders to produce an EVP_PKEY are added to the decoding change.

This optimization looks more closely at the expected type, and only adds the EVP_PKEY related decoder implementations to the chain if there is no expectation, or if the expectation is one of OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/15066)

---
diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c
index 37f2fcee67b..033efb40acf 100644
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -415,7 +415,7 @@ static int file_setup_decoders(struct file_ctx_st *ctx) OSSL_DECODER_INSTANCE *to_obj_inst = NULL; OSSL_DECODER_CLEANUP *old_cleanup = NULL; void *old_construct_data = NULL; - int ok = 0; + int ok = 0, expect_evp_pkey = 0; /* Setup for this session, so only if not already done */ if (ctx->_.file.decoderctx == NULL) { 
@@ -424,6 +424,11 @@ static int file_setup_decoders(struct file_ctx_st *ctx) goto err; } + expect_evp_pkey = (ctx->expected_type == 0 + || ctx->expected_type == OSSL_STORE_INFO_PARAMS + || ctx->expected_type == OSSL_STORE_INFO_PUBKEY + || ctx->expected_type == OSSL_STORE_INFO_PKEY); + /* Make sure the input type is set */ if (!OSSL_DECODER_CTX_set_input_type(ctx->_.file.decoderctx, ctx->_.file.input_type)) { @@ -462,9 +467,10 @@ static int file_setup_decoders(struct file_ctx_st *ctx) * Since we're setting up our own constructor, we don't need to care * more than that... */ - if (!ossl_decoder_ctx_setup_for_pkey(ctx->_.file.decoderctx, - &dummy, NULL, - libctx, ctx->_.file.propq) + if ((expect_evp_pkey + && !ossl_decoder_ctx_setup_for_pkey(ctx->_.file.decoderctx, + &dummy, NULL, + libctx, ctx->_.file.propq)) || !OSSL_DECODER_CTX_add_extra(ctx->_.file.decoderctx, libctx, ctx->_.file.propq)) { ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
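Review bot: in the @@ -424 hunk the four cases that enable the EVP_PKEY decoders (ctx->expected_type == 0, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY) are written as a bare boolean expression with no comment saying why exactly these; a one-line comment above the assignment such as `/* EVP_PKEY decoders are only needed with no expectation, or when params or a key is expected */` would keep this mapping in step with the commit message when new OSSL_STORE_INFO types are added. The `== 0` case in particular reads as "no expectation" rather than a specific type and deserves to be spelled out, since anyone reading the assignment alone cannot tell that from the code.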
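Review bot: in the @@ -462 hunk, when expect_evp_pkey is false the ossl_decoder_ctx_setup_for_pkey() call is skipped entirely, so the comment just above it ("Since we're setting up our own constructor, we don't need to care more than that...") now describes only one branch and should mention that the setup is conditional on the expected type; the short-circuit also leaves `dummy` untouched on that path, so any later use of `dummy` outside this hunk must tolerate it never having been set. OSSL_DECODER_CTX_add_extra() is still called unconditionally, which looks right, but it is worth confirming that the decoders for the remaining expected types (certificate, CRL) are supplied on a path not visible here, because this hunk adds none when expect_evp_pkey is false and the error raised on failure, ERR_R_OSSL_DECODER_LIB, no longer distinguishes the two call sites.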