]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/serializer/serializer_pkey.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Maintain strict type discipline between the core and providers
[thirdparty/openssl.git] / crypto / serializer / serializer_pkey.c
1 /*
2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/err.h>
11 #include <openssl/ui.h>
12 #include <openssl/params.h>
13 #include <openssl/serializer.h>
14 #include <openssl/core_names.h>
15 #include "internal/provider.h"
16 #include "internal/property.h"
17 #include "crypto/evp.h"
18 #include "serializer_local.h"
19
20 int OSSL_SERIALIZER_CTX_set_cipher(OSSL_SERIALIZER_CTX *ctx,
21 const char *cipher_name,
22 const char *propquery)
23 {
24 OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END };
25
26 params[0] =
27 OSSL_PARAM_construct_utf8_string(OSSL_SERIALIZER_PARAM_CIPHER,
28 (void *)cipher_name, 0);
29 params[1] =
30 OSSL_PARAM_construct_utf8_string(OSSL_SERIALIZER_PARAM_PROPERTIES,
31 (void *)propquery, 0);
32
33 return OSSL_SERIALIZER_CTX_set_params(ctx, params);
34 }
35
36 int OSSL_SERIALIZER_CTX_set_passphrase(OSSL_SERIALIZER_CTX *ctx,
37 const unsigned char *kstr,
38 size_t klen)
39 {
40 OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
41
42 params[0] = OSSL_PARAM_construct_octet_string(OSSL_SERIALIZER_PARAM_PASS,
43 (void *)kstr, klen);
44
45 return OSSL_SERIALIZER_CTX_set_params(ctx, params);
46 }
47
48 static void serializer_ctx_reset_passphrase_ui(OSSL_SERIALIZER_CTX *ctx)
49 {
50 UI_destroy_method(ctx->allocated_ui_method);
51 ctx->allocated_ui_method = NULL;
52 ctx->ui_method = NULL;
53 ctx->ui_data = NULL;
54 }
55
56 int OSSL_SERIALIZER_CTX_set_passphrase_ui(OSSL_SERIALIZER_CTX *ctx,
57 const UI_METHOD *ui_method,
58 void *ui_data)
59 {
60 if (!ossl_assert(ctx != NULL)) {
61 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_PASSED_NULL_PARAMETER);
62 return 0;
63 }
64
65 serializer_ctx_reset_passphrase_ui(ctx);
66 ctx->ui_method = ui_method;
67 ctx->ui_data = ui_data;
68 return 1;
69 }
70
71 int OSSL_SERIALIZER_CTX_set_passphrase_cb(OSSL_SERIALIZER_CTX *ctx, int enc,
72 pem_password_cb *cb, void *cbarg)
73 {
74 if (!ossl_assert(ctx != NULL)) {
75 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_PASSED_NULL_PARAMETER);
76 return 0;
77 }
78
79 serializer_ctx_reset_passphrase_ui(ctx);
80 if (cb == NULL)
81 return 1;
82 ctx->ui_method =
83 ctx->allocated_ui_method = UI_UTIL_wrap_read_pem_callback(cb, enc);
84 ctx->ui_data = cbarg;
85
86 return ctx->ui_method != NULL;
87 }
88
89 /*
90 * Support for OSSL_SERIALIZER_CTX_new_by_TYPE:
91 * finding a suitable serializer
92 */
93
94 struct selected_serializer_st {
95 OPENSSL_CTX *libctx;
96 const OSSL_PROVIDER *desired_provider;
97 const char *propquery;
98
99 /*
100 * Serializers offer two functions, one that handles object data in
101 * the form of a OSSL_PARAM array, and one that directly handles a
102 * provider side object. The latter requires that the serializer
103 * is offered by the same provider that holds that object, but is
104 * more desirable because it usually provides faster serialization.
105 *
106 * When looking up possible serializers, we save the first that can
107 * handle an OSSL_PARAM array in |first|, and the first that can
108 * handle a provider side object in |desired|.
109 */
110 OSSL_SERIALIZER *first;
111 OSSL_SERIALIZER *desired;
112 };
113
114 static void select_serializer(const char *name, void *data)
115 {
116 struct selected_serializer_st *d = data;
117 OSSL_SERIALIZER *s = NULL;
118
119 /* No need to look further if we already have the more desirable option */
120 if (d->desired != NULL)
121 return;
122
123 if ((s = OSSL_SERIALIZER_fetch(d->libctx, name, d->propquery)) != NULL) {
124 if (OSSL_SERIALIZER_provider(s) == d->desired_provider
125 && s->serialize_object != NULL) {
126 OSSL_SERIALIZER_free(d->first);
127 d->first = NULL;
128 d->desired = s;
129 } else if (d->first == NULL && s->serialize_data != NULL) {
130 d->first = s;
131 } else {
132 OSSL_SERIALIZER_free(s);
133 }
134 }
135 }
136
137 /*
138 * Support for OSSL_SERIALIZER_CTX_new_by_TYPE and OSSL_SERIALIZER_to_bio:
139 * Passphrase callbacks
140 */
141
142 /*
143 * First, we define the generic passphrase function that supports both
144 * outgoing (with passphrase verify) and incoming (without passphrase verify)
145 * passphrase reading.
146 */
147 static int serializer_passphrase(char *pass, size_t pass_size,
148 size_t *pass_len, int verify,
149 const OSSL_PARAM params[], void *arg)
150 {
151 OSSL_SERIALIZER_CTX *ctx = arg;
152 const OSSL_PARAM *p;
153 const char *prompt_info = NULL;
154 char *prompt = NULL, *vpass = NULL;
155 int prompt_idx = -1, verify_idx = -1;
156 UI *ui = NULL;
157 int ret = 0;
158
159 if (!ossl_assert(ctx != NULL && pass != NULL
160 && pass_size != 0 && pass_len != NULL)) {
161 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_PASSED_NULL_PARAMETER);
162 return 0;
163 }
164
165 if ((p = OSSL_PARAM_locate_const(params,
166 OSSL_PASSPHRASE_PARAM_INFO)) != NULL) {
167 if (p->data_type != OSSL_PARAM_UTF8_STRING)
168 return 0;
169 prompt_info = p->data;
170 }
171
172 if ((ui = UI_new()) == NULL) {
173 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_MALLOC_FAILURE);
174 return 0;
175 }
176
177 UI_set_method(ui, ctx->ui_method);
178 UI_add_user_data(ui, ctx->ui_data);
179
180 /* Get an application constructed prompt */
181 prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
182 if (prompt == NULL) {
183 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_MALLOC_FAILURE);
184 goto end;
185 }
186
187 prompt_idx = UI_add_input_string(ui, prompt,
188 UI_INPUT_FLAG_DEFAULT_PWD,
189 pass, 0, pass_size - 1) - 1;
190 if (prompt_idx < 0) {
191 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_UI_LIB);
192 goto end;
193 }
194
195 if (verify) {
196 /* Get a buffer for verification prompt */
197 vpass = OPENSSL_zalloc(pass_size);
198 if (vpass == NULL) {
199 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_MALLOC_FAILURE);
200 goto end;
201 }
202 verify_idx = UI_add_verify_string(ui, prompt,
203 UI_INPUT_FLAG_DEFAULT_PWD,
204 vpass, 0, pass_size - 1,
205 pass) - 1;
206 if (verify_idx < 0) {
207 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_UI_LIB);
208 goto end;
209 }
210 }
211
212 switch (UI_process(ui)) {
213 case -2:
214 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_INTERRUPTED_OR_CANCELLED);
215 break;
216 case -1:
217 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_UI_LIB);
218 break;
219 default:
220 *pass_len = (size_t)UI_get_result_length(ui, prompt_idx);
221 ret = 1;
222 break;
223 }
224
225 end:
226 OPENSSL_free(vpass);
227 OPENSSL_free(prompt);
228 UI_free(ui);
229 return ret;
230 }
231
232 /* Ensure correct function definition for outgoing passphrase reader */
233 static OSSL_PASSPHRASE_CALLBACK serializer_passphrase_out_cb;
234 static int serializer_passphrase_out_cb(char *pass, size_t pass_size,
235 size_t *pass_len,
236 const OSSL_PARAM params[], void *arg)
237 {
238 return serializer_passphrase(pass, pass_size, pass_len, 1, params, arg);
239 }
240
241 /*
242 * Support for OSSL_SERIALIZER_to_bio:
243 * writing callback for the OSSL_PARAM (the implementation doesn't have
244 * intimate knowledge of the provider side object)
245 */
246
247 struct serializer_write_data_st {
248 OSSL_SERIALIZER_CTX *ctx;
249 BIO *out;
250 };
251
252 static int serializer_write_cb(const OSSL_PARAM params[], void *arg)
253 {
254 struct serializer_write_data_st *write_data = arg;
255 OSSL_SERIALIZER_CTX *ctx = write_data->ctx;
256 BIO *out = write_data->out;
257
258 return ctx->ser->serialize_data(ctx->serctx, params, (OSSL_CORE_BIO *)out,
259 serializer_passphrase_out_cb, ctx);
260 }
261
262 /*
263 * Support for OSSL_SERIALIZER_to_bio:
264 * Perform the actual output.
265 */
266
267 static int serializer_EVP_PKEY_to_bio(OSSL_SERIALIZER_CTX *ctx, BIO *out)
268 {
269 const EVP_PKEY *pkey = ctx->object;
270 void *keydata = pkey->keydata;
271 EVP_KEYMGMT *keymgmt = pkey->keymgmt;
272
273 /*
274 * OSSL_SERIALIZER_CTX_new() creates a context, even when the
275 * serializer it's given is NULL. Callers can detect the lack
276 * of serializer with OSSL_SERIALIZER_CTX_get_serializer() and
277 * should take precautions, possibly call a fallback instead of
278 * OSSL_SERIALIZER_to_bio() / OSSL_SERIALIZER_to_fp(). If it's
279 * come this far, we return an error.
280 */
281 if (ctx->ser == NULL)
282 return 0;
283
284 if (ctx->ser->serialize_object == NULL) {
285 struct serializer_write_data_st write_data;
286
287 write_data.ctx = ctx;
288 write_data.out = out;
289
290 return evp_keymgmt_export(keymgmt, keydata, ctx->selection,
291 &serializer_write_cb, &write_data);
292 }
293
294 return ctx->ser->serialize_object(ctx->serctx, keydata,
295 (OSSL_CORE_BIO *)out,
296 serializer_passphrase_out_cb, ctx);
297 }
298
299 /*
300 * OSSL_SERIALIZER_CTX_new_by_EVP_PKEY() returns a ctx with no serializer if
301 * it couldn't find a suitable serializer. This allows a caller to detect if
302 * a suitable serializer was found, with OSSL_SERIALIZER_CTX_get_serializer(),
303 * and to use fallback methods if the result is NULL.
304 */
305 OSSL_SERIALIZER_CTX *OSSL_SERIALIZER_CTX_new_by_EVP_PKEY(const EVP_PKEY *pkey,
306 const char *propquery)
307 {
308 OSSL_SERIALIZER_CTX *ctx = NULL;
309 OSSL_SERIALIZER *ser = NULL;
310 EVP_KEYMGMT *keymgmt = pkey->keymgmt;
311 int selection = OSSL_KEYMGMT_SELECT_ALL;
312
313 if (!ossl_assert(pkey != NULL && propquery != NULL)) {
314 ERR_raise(ERR_LIB_OSSL_SERIALIZER, ERR_R_PASSED_NULL_PARAMETER);
315 return NULL;
316 }
317
318 if (keymgmt != NULL) {
319 const OSSL_PROVIDER *desired_prov = EVP_KEYMGMT_provider(keymgmt);
320 OPENSSL_CTX *libctx = ossl_provider_library_context(desired_prov);
321 struct selected_serializer_st sel_data;
322 OSSL_PROPERTY_LIST *check =
323 ossl_parse_query(libctx, "type=parameters");
324 OSSL_PROPERTY_LIST *current_props = NULL;
325
326 memset(&sel_data, 0, sizeof(sel_data));
327 sel_data.libctx = libctx;
328 sel_data.desired_provider = desired_prov;
329 sel_data.propquery = propquery;
330 EVP_KEYMGMT_names_do_all(keymgmt, select_serializer, &sel_data);
331
332 if (sel_data.desired != NULL) {
333 ser = sel_data.desired;
334 sel_data.desired = NULL;
335 } else if (sel_data.first != NULL) {
336 ser = sel_data.first;
337 sel_data.first = NULL;
338 }
339 OSSL_SERIALIZER_free(sel_data.first);
340 OSSL_SERIALIZER_free(sel_data.desired);
341
342 if (ser != NULL) {
343 current_props =
344 ossl_parse_property(libctx, OSSL_SERIALIZER_properties(ser));
345 if (ossl_property_match_count(check, current_props) > 0)
346 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
347 ossl_property_free(current_props);
348 }
349
350 ossl_property_free(check);
351 }
352
353 ctx = OSSL_SERIALIZER_CTX_new(ser); /* refcnt(ser)++ */
354 OSSL_SERIALIZER_free(ser); /* refcnt(ser)-- */
355
356 if (ctx != NULL) {
357 /* Setup for OSSL_SERIALIZE_to_bio() */
358 ctx->selection = selection;
359 ctx->object = pkey;
360 ctx->do_output = serializer_EVP_PKEY_to_bio;
361 }
362
363 return ctx;
364 }
365
A mirror of the official openssl repository