From 34b80d0622924d112b145fd36bfaad18616f2546 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 22 Jul 2020 22:55:00 +0200 Subject: [PATCH] STORE: Modify to support loading with provider based loaders This adds the needed code to make the OSSL_STORE API functions handle provided STORE implementations. This also modifies OSSL_STORE_attach() for have the URI, the library context and the properties in the same order as OSSL_STORE_open_with_libctx(). The most notable change, though, is how this creates a division of labor between libcrypto and any storemgmt implementation that wants to pass X.509, X.509 CRL, etc structures back to libcrypto. Since those structures aren't directly supported in the libcrypto <-> provider interface (asymmetric keys being the only exception so far), we resort to a libcrypto object callback that can handle passed data in DER form and does its part of figuring out what the DER content actually is. This also adds the internal x509_crl_set0_libctx(), which works just like x509_set0_libctx(), but for X509_CRL. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12512) --- crypto/store/build.info | 4 +- crypto/store/store_lib.c | 417 ++++++++++++++++++++---- crypto/store/store_local.h | 37 +++ crypto/store/store_result.c | 594 +++++++++++++++++++++++++++++++++++ crypto/x509/x_crl.c | 9 + doc/man3/OSSL_STORE_open.pod | 19 +- include/crypto/x509.h | 4 + include/openssl/err.h | 1 + include/openssl/store.h | 19 +- 9 files changed, 1024 insertions(+), 80 deletions(-) create mode 100644 crypto/store/store_result.c diff --git a/crypto/store/build.info b/crypto/store/build.info index 338c40efccf..33b59f0faeb 100644 --- a/crypto/store/build.info +++ b/crypto/store/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - store_err.c store_init.c store_lib.c store_register.c store_strings.c \ - store_meth.c loader_file.c + store_err.c store_lib.c store_result.c store_strings.c store_meth.c \ + store_init.c store_register.c loader_file.c diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 2ff92b79846..9168f1a56f4 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -7,39 +7,39 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" #include #include #include + +#include "e_os.h" + #include #include #include +#include +#include +#include #include #include "internal/thread_once.h" +#include "internal/cryptlib.h" +#include "internal/provider.h" #include "crypto/store.h" #include "store_local.h" -struct ossl_store_ctx_st { - const OSSL_STORE_LOADER *loader; - OSSL_STORE_LOADER_CTX *loader_ctx; - const UI_METHOD *ui_method; - void *ui_data; - OSSL_STORE_post_process_info_fn post_process; - void *post_process_data; - int expected_type; - - /* 0 before the first STORE_load(), 1 otherwise */ - int loading; -}; +static int ossl_store_close_it(OSSL_STORE_CTX *ctx); -OSSL_STORE_CTX *OSSL_STORE_open_with_libctx( - const char *uri, OPENSSL_CTX *libctx, const char *propq, - const UI_METHOD *ui_method, void *ui_data, - OSSL_STORE_post_process_info_fn post_process, void *post_process_data) +OSSL_STORE_CTX * +OSSL_STORE_open_with_libctx(const char *uri, + OPENSSL_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + OSSL_STORE_post_process_info_fn post_process, + void *post_process_data) { const OSSL_STORE_LOADER *loader = NULL; + OSSL_STORE_LOADER *fetched_loader = NULL; OSSL_STORE_LOADER_CTX *loader_ctx = NULL; OSSL_STORE_CTX *ctx = NULL; + char *propq_copy = NULL; char scheme_copy[256], *p, *schemes[2]; size_t schemes_n = 0; size_t i; @@ -70,32 +70,76 @@ OSSL_STORE_CTX *OSSL_STORE_open_with_libctx( ERR_set_mark(); - /* Try each scheme until we find one that could open the URI */ + /* + * Try each scheme until we find one that could open the URI. + * + * For each scheme, we look for the engine implementation first, and + * failing that, we then try to fetch a provided implementation. + * This is consistent with how we handle legacy / engine implementations + * elsewhere. + */ for (i = 0; loader_ctx == NULL && i < schemes_n; i++) { OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]); if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) { - OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]); if (loader->open_with_libctx != NULL) loader_ctx = loader->open_with_libctx(loader, uri, libctx, propq, ui_method, ui_data); else loader_ctx = loader->open(loader, uri, ui_method, ui_data); - OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx); + } + if (loader == NULL + && (fetched_loader = + OSSL_STORE_LOADER_fetch(schemes[i], libctx, propq)) != NULL) { + const OSSL_PROVIDER *provider = + OSSL_STORE_LOADER_provider(fetched_loader); + void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); + + loader_ctx = fetched_loader->p_open(provctx, uri); + if (loader_ctx == NULL) { + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; + } else if (propq != NULL) { + OSSL_PARAM params[] = { + OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, + NULL, 0), + OSSL_PARAM_END + }; + + params[0].data = (void *)propq; + if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) { + (void)fetched_loader->p_close(loader_ctx); + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; + } + } + loader = fetched_loader; } } + if (loader != NULL) + OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]); + if (loader_ctx == NULL) goto err; - if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) { + OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx); + + if ((propq != NULL && (propq_copy = OPENSSL_strdup(propq)) == NULL) + || (ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) { OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE); goto err; } + if ((ui_method != NULL + && !ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data)) + || !ossl_pw_enable_passphrase_caching(&ctx->pwdata)) { + ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB); + goto err; + } + ctx->properties = propq_copy; + ctx->fetched_loader = fetched_loader; ctx->loader = loader; ctx->loader_ctx = loader_ctx; - ctx->ui_method = ui_method; - ctx->ui_data = ui_data; ctx->post_process = post_process; ctx->post_process_data = post_process_data; @@ -111,13 +155,25 @@ OSSL_STORE_CTX *OSSL_STORE_open_with_libctx( err: ERR_clear_last_mark(); if (loader_ctx != NULL) { + /* + * Temporary structure so OSSL_STORE_close() can work even when + * |ctx| couldn't be allocated properly + */ + OSSL_STORE_CTX tmpctx = { NULL, }; + + tmpctx.fetched_loader = fetched_loader; + tmpctx.loader = loader; + tmpctx.loader_ctx = loader_ctx; + /* * We ignore a returned error because we will return NULL anyway in * this case, so if something goes wrong when closing, that'll simply * just add another entry on the error stack. */ - (void)loader->close(loader_ctx); + (void)ossl_store_close_it(&tmpctx); } + OSSL_STORE_LOADER_free(fetched_loader); + OPENSSL_free(propq_copy); return NULL; } @@ -144,13 +200,40 @@ int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ...) int OSSL_STORE_vctrl(OSSL_STORE_CTX *ctx, int cmd, va_list args) { - if (ctx->loader->ctrl != NULL) + if (ctx->fetched_loader != NULL) { + if (ctx->fetched_loader->p_set_ctx_params != NULL) { + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + switch (cmd) { + case OSSL_STORE_C_USE_SECMEM: + { + int on = *(va_arg(args, int *)); + + params[0] = OSSL_PARAM_construct_int("use_secmem", &on); + } + break; + default: + break; + } + + return ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx, + params); + } + } else if (ctx->loader->ctrl != NULL) { return ctx->loader->ctrl(ctx->loader_ctx, cmd, args); - return 0; + } + + /* + * If the fetched loader doesn't have a set_ctx_params or a ctrl, it's as + * if there was one that ignored our params, which usually returns 1. + */ + return 1; } int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type) { + int ret = 1; + if (ctx->loading) { OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_EXPECT, OSSL_STORE_R_LOADING_STARTED); @@ -158,25 +241,111 @@ int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type) } ctx->expected_type = expected_type; - if (ctx->loader->expect != NULL) - return ctx->loader->expect(ctx->loader_ctx, expected_type); - return 1; + if (ctx->fetched_loader != NULL + && ctx->fetched_loader->p_set_ctx_params != NULL) { + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + params[0] = + OSSL_PARAM_construct_int(OSSL_STORE_PARAM_EXPECT, &expected_type); + ret = ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx, params); + } +#ifndef OPENSSL_NO_DEPRECATED_3_0 + if (ctx->fetched_loader == NULL + && ctx->loader->expect != NULL) { + ret = ctx->loader->expect(ctx->loader_ctx, expected_type); + } +#endif + return ret; } int OSSL_STORE_find(OSSL_STORE_CTX *ctx, const OSSL_STORE_SEARCH *search) { + int ret = 1; + if (ctx->loading) { OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND, OSSL_STORE_R_LOADING_STARTED); return 0; } - if (ctx->loader->find == NULL) { - OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND, - OSSL_STORE_R_UNSUPPORTED_OPERATION); - return 0; + + if (ctx->fetched_loader != NULL) { + OSSL_PARAM_BLD *bld; + OSSL_PARAM *params; + /* OSSL_STORE_SEARCH_BY_NAME, OSSL_STORE_SEARCH_BY_ISSUER_SERIAL*/ + void *name_der = NULL; + int name_der_sz; + /* OSSL_STORE_SEARCH_BY_ISSUER_SERIAL */ + BIGNUM *number = NULL; + + if (ctx->fetched_loader->p_set_ctx_params == NULL) { + OSSL_STOREerr(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_UNSUPPORTED_OPERATION); + return 0; + } + + if ((bld = OSSL_PARAM_BLD_new()) == NULL) { + OSSL_STOREerr(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE); + return 0; + } + + ret = 0; /* Assume the worst */ + + switch (search->search_type) { + case OSSL_STORE_SEARCH_BY_NAME: + if ((name_der_sz = i2d_X509_NAME(search->name, + (unsigned char **)&name_der)) > 0 + && OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_STORE_PARAM_SUBJECT, + name_der, name_der_sz)) + ret = 1; + break; + case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL: + if ((name_der_sz = i2d_X509_NAME(search->name, + (unsigned char **)&name_der)) > 0 + && (number = ASN1_INTEGER_to_BN(search->serial, NULL)) != NULL + && OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_STORE_PARAM_ISSUER, + name_der, name_der_sz) + && OSSL_PARAM_BLD_push_BN(bld, OSSL_STORE_PARAM_SERIAL, + number)) + ret = 1; + break; + case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT: + if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_STORE_PARAM_DIGEST, + EVP_MD_name(search->digest), 0) + && OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_STORE_PARAM_FINGERPRINT, + search->string, + search->stringlength)) + ret = 1; + break; + case OSSL_STORE_SEARCH_BY_ALIAS: + if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_STORE_PARAM_ALIAS, + (char *)search->string, + search->stringlength)) + ret = 1; + break; + } + if (ret) { + params = OSSL_PARAM_BLD_to_param(bld); + ret = ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx, + params); + OSSL_PARAM_BLD_free_params(params); + } + OSSL_PARAM_BLD_free(bld); + OPENSSL_free(name_der); + BN_free(number); + } else { + /* legacy loader section */ + if (ctx->loader->find == NULL) { + OSSL_STOREerr(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_UNSUPPORTED_OPERATION); + return 0; + } + ret = ctx->loader->find(ctx->loader_ctx, search); } - return ctx->loader->find(ctx->loader_ctx, search); + return ret; } OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) @@ -188,8 +357,40 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) if (OSSL_STORE_eof(ctx)) return NULL; - OSSL_TRACE(STORE, "Loading next object\n"); - v = ctx->loader->load(ctx->loader_ctx, ctx->ui_method, ctx->ui_data); + if (ctx->loader != NULL) + OSSL_TRACE(STORE, "Loading next object\n"); + + if (ctx->cached_info != NULL + && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) { + sk_OSSL_STORE_INFO_free(ctx->cached_info); + ctx->cached_info = NULL; + } + + if (ctx->cached_info != NULL) { + v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); + } else { + if (ctx->fetched_loader != NULL) { + struct ossl_load_result_data_st load_data; + + load_data.v = NULL; + load_data.ctx = ctx; + + if (!ctx->fetched_loader->p_load(ctx->loader_ctx, + ossl_store_handle_load_result, + &load_data, + ossl_pw_passphrase_callback_dec, + &ctx->pwdata)) { + if (!OSSL_STORE_eof(ctx)) + ctx->error_flag = 1; + return NULL; + } + v = load_data.v; + } + if (ctx->fetched_loader == NULL) + v = ctx->loader->load(ctx->loader_ctx, + ctx->pwdata._.ui_method.ui_method, + ctx->pwdata._.ui_method.ui_method_data); + } if (ctx->post_process != NULL && v != NULL) { v = ctx->post_process(v, ctx->post_process_data); @@ -206,13 +407,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) int returned_type = OSSL_STORE_INFO_get_type(v); if (returned_type != OSSL_STORE_INFO_NAME && returned_type != 0) { - /* - * Soft assert here so those who want to harsly weed out faulty - * loaders can do so using a debugging version of libcrypto. - */ - if (ctx->loader->expect != NULL) - assert(ctx->expected_type == returned_type); - if (ctx->expected_type != returned_type) { OSSL_STORE_INFO_free(v); goto again; @@ -220,6 +414,7 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) } } + ossl_pw_clear_passphrase_cache(&ctx->pwdata); if (v != NULL) OSSL_TRACE1(STORE, "Got a %s\n", OSSL_STORE_INFO_type_string(OSSL_STORE_INFO_get_type(v))); @@ -229,25 +424,51 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) int OSSL_STORE_error(OSSL_STORE_CTX *ctx) { - return ctx->loader->error(ctx->loader_ctx); + int ret = 1; + + if (ctx->fetched_loader != NULL) + ret = ctx->error_flag; + if (ctx->fetched_loader == NULL) + ret = ctx->loader->error(ctx->loader_ctx); + return ret; } int OSSL_STORE_eof(OSSL_STORE_CTX *ctx) { - return ctx->loader->eof(ctx->loader_ctx); + int ret = 1; + + if (ctx->fetched_loader != NULL) + ret = ctx->loader->p_eof(ctx->loader_ctx); + if (ctx->fetched_loader == NULL) + ret = ctx->loader->eof(ctx->loader_ctx); + return ret; } -int OSSL_STORE_close(OSSL_STORE_CTX *ctx) +static int ossl_store_close_it(OSSL_STORE_CTX *ctx) { - int loader_ret; + int ret = 0; if (ctx == NULL) return 1; OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx); - loader_ret = ctx->loader->close(ctx->loader_ctx); + + if (ctx->fetched_loader != NULL) + ret = ctx->loader->p_close(ctx->loader_ctx); + if (ctx->fetched_loader == NULL) + ret = ctx->loader->close(ctx->loader_ctx); + + sk_OSSL_STORE_INFO_pop_free(ctx->cached_info, OSSL_STORE_INFO_free); + OSSL_STORE_LOADER_free(ctx->fetched_loader); + OPENSSL_free(ctx->properties); + return ret; +} + +int OSSL_STORE_close(OSSL_STORE_CTX *ctx) +{ + int ret = ossl_store_close_it(ctx); OPENSSL_free(ctx); - return loader_ret; + return ret; } /* @@ -525,12 +746,53 @@ void OSSL_STORE_INFO_free(OSSL_STORE_INFO *info) int OSSL_STORE_supports_search(OSSL_STORE_CTX *ctx, int search_type) { - OSSL_STORE_SEARCH tmp_search; + int ret = 0; + + if (ctx->fetched_loader != NULL) { + void *provctx = + ossl_provider_ctx(OSSL_STORE_LOADER_provider(ctx->fetched_loader)); + const OSSL_PARAM *params; + const OSSL_PARAM *p_subject = NULL; + const OSSL_PARAM *p_issuer = NULL; + const OSSL_PARAM *p_serial = NULL; + const OSSL_PARAM *p_fingerprint = NULL; + const OSSL_PARAM *p_alias = NULL; + + if (ctx->fetched_loader->p_settable_ctx_params == NULL) + return 0; + + params = ctx->fetched_loader->p_settable_ctx_params(provctx); + p_subject = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT); + p_issuer = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_ISSUER); + p_serial = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SERIAL); + p_fingerprint = + OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_FINGERPRINT); + p_alias = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_ALIAS); + + switch (search_type) { + case OSSL_STORE_SEARCH_BY_NAME: + ret = (p_subject != NULL); + break; + case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL: + ret = (p_issuer != NULL && p_serial != NULL); + break; + case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT: + ret = (p_fingerprint != NULL); + break; + case OSSL_STORE_SEARCH_BY_ALIAS: + ret = (p_alias != NULL); + break; + } + } + if (ctx->fetched_loader == NULL) { + OSSL_STORE_SEARCH tmp_search; - if (ctx->loader->find == NULL) - return 0; - tmp_search.search_type = search_type; - return ctx->loader->find(NULL, &tmp_search); + if (ctx->loader->find == NULL) + return 0; + tmp_search.search_type = search_type; + ret = ctx->loader->find(NULL, &tmp_search); + } + return ret; } /* Search term constructors */ @@ -698,14 +960,47 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, OSSL_STORE_post_process_info_fn post_process, void *post_process_data) { - OSSL_STORE_CTX *ctx = NULL; const OSSL_STORE_LOADER *loader = NULL; + OSSL_STORE_LOADER *fetched_loader = NULL; OSSL_STORE_LOADER_CTX *loader_ctx = NULL; + OSSL_STORE_CTX *ctx = NULL; - if ((loader = - ossl_store_get0_loader_int(scheme != NULL ? scheme : "file")) == NULL - || (loader_ctx = loader->attach(loader, bp, libctx, propq, - ui_method, ui_data)) == NULL) + if (scheme == NULL) + scheme = "file"; + + OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme); + if ((loader = ossl_store_get0_loader_int(scheme)) != NULL) + loader_ctx = loader->attach(loader, bp, libctx, propq, + ui_method, ui_data); + if (loader == NULL + && (fetched_loader = + OSSL_STORE_LOADER_fetch(scheme, libctx, propq)) != NULL) { + const OSSL_PROVIDER *provider = + OSSL_STORE_LOADER_provider(fetched_loader); + void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); + + if ((loader_ctx = + fetched_loader->p_attach(provctx, (OSSL_CORE_BIO *)bp)) == NULL) { + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; + } else if (propq != NULL) { + OSSL_PARAM params[] = { + OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, + NULL, 0), + OSSL_PARAM_END + }; + + params[0].data = (void *)propq; + if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) { + (void)fetched_loader->p_close(loader_ctx); + OSSL_STORE_LOADER_free(fetched_loader); + fetched_loader = NULL; + } + } + loader = fetched_loader; + } + + if (loader_ctx == NULL) return NULL; if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) { @@ -713,10 +1008,10 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, return NULL; } + (void)ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data); + ctx->fetched_loader = fetched_loader; ctx->loader = loader; ctx->loader_ctx = loader_ctx; - ctx->ui_method = ui_method; - ctx->ui_data = ui_data; ctx->post_process = post_process; ctx->post_process_data = post_process_data; diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h index 15d40228569..619e547aaee 100644 --- a/crypto/store/store_local.h +++ b/crypto/store/store_local.h @@ -16,6 +16,7 @@ #include #include #include +#include "internal/passphrase.h" /*- * OSSL_STORE_INFO stuff @@ -138,6 +139,35 @@ DEFINE_LHASH_OF(OSSL_STORE_LOADER); const OSSL_STORE_LOADER *ossl_store_get0_loader_int(const char *scheme); void ossl_store_destroy_loaders_int(void); +/*- + * OSSL_STORE_CTX stuff + * --------------------- + */ + +struct ossl_store_ctx_st { + const OSSL_STORE_LOADER *loader; /* legacy */ + OSSL_STORE_LOADER *fetched_loader; + OSSL_STORE_LOADER_CTX *loader_ctx; + OSSL_STORE_post_process_info_fn post_process; + void *post_process_data; + int expected_type; + + char *properties; + + /* 0 before the first STORE_load(), 1 otherwise */ + int loading; + /* 1 on load error, only valid for fetched loaders */ + int error_flag; + + /* + * Cache of stuff, to be able to return the contents of a PKCS#12 + * blob, one object at a time. + */ + STACK_OF(OSSL_STORE_INFO) *cached_info; + + struct ossl_passphrase_data_st pwdata; +}; + /*- * OSSL_STORE init stuff * --------------------- @@ -164,3 +194,10 @@ OSSL_STORE_LOADER *ossl_store_loader_fetch(OPENSSL_CTX *libctx, OSSL_STORE_LOADER *ossl_store_loader_fetch_by_number(OPENSSL_CTX *libctx, int scheme_id, const char *properties); + +/* Standard function to handle the result from OSSL_FUNC_store_load() */ +struct ossl_load_result_data_st { + OSSL_STORE_INFO *v; /* To be filled in */ + OSSL_STORE_CTX *ctx; +}; +OSSL_CALLBACK ossl_store_handle_load_result; diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c new file mode 100644 index 00000000000..74aeaf543b7 --- /dev/null +++ b/crypto/store/store_result.c @@ -0,0 +1,594 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "e_os.h" +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include "internal/provider.h" +#include "internal/passphrase.h" +#include "crypto/evp.h" +#include "crypto/x509.h" +#include "store_local.h" + +#ifndef OSSL_OBJECT_PKCS12 +/* + * The object abstraction doesn't know PKCS#12, but we want to indicate + * it anyway, so we create our own. Since the public macros use positive + * numbers, negative ones should be fine. They must never slip out from + * this translation unit anyway. + */ +# define OSSL_OBJECT_PKCS12 -1 +#endif + +/* + * ossl_store_handle_load_result() is initially written to be a companion + * to our 'file:' scheme provider implementation, but has been made generic + * to serve others as well. + * + * This result handler takes any object abstraction (see provider-object(7)) + * and does the best it can with it. If the object is passed by value (not + * by reference), the contents are currently expected to be DER encoded. + * If an object type is specified, that will be respected; otherwise, this + * handler will guess the contents, by trying the following in order: + * + * 1. Decode it into an EVP_PKEY, using OSSL_DECODER. + * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX. + * 3. Decode it into an X.509 CRL, using d2i_X509_CRL. + * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*). + * + * For the 'file:' scheme implementation, this is division of labor. Since + * the libcrypto <-> provider interface currently doesn't support certain + * structures as first class objects, they must be unpacked from DER here + * rather than in the provider. The current exception is asymmetric keys, + * which can reside within the provider boundary, most of all thanks to + * OSSL_FUNC_keymgmt_load(), which allows loading the key material by + * reference. + */ + +DEFINE_STACK_OF(X509) + +struct extracted_param_data_st { + int object_type; + const char *data_type; + const char *utf8_data; + const void *octet_data; + size_t octet_data_size; + const void *ref; + size_t ref_size; + const char *desc; +}; + +static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **); +static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **, + OSSL_STORE_CTX *, const OSSL_PROVIDER *, + OPENSSL_CTX *, const char *); +static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **, + OPENSSL_CTX *, const char *); +static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **, + OPENSSL_CTX *, const char *); +static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **, + OSSL_STORE_CTX *, OPENSSL_CTX *, const char *); + +int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg) +{ + struct ossl_load_result_data_st *cbdata = arg; + OSSL_STORE_INFO **v = &cbdata->v; + OSSL_STORE_CTX *ctx = cbdata->ctx; + const OSSL_PROVIDER *provider = + OSSL_STORE_LOADER_provider(ctx->fetched_loader); + OPENSSL_CTX *libctx = ossl_provider_library_context(provider); + const char *propq = ctx->properties; + const OSSL_PARAM *p; + struct extracted_param_data_st helper_data; + + memset(&helper_data, 0, sizeof(helper_data)); + helper_data.object_type = OSSL_OBJECT_UNKNOWN; + + if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL + && !OSSL_PARAM_get_int(p, &helper_data.object_type)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE); + if (p != NULL + && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA); + if (p != NULL + && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data, + &helper_data.octet_data_size) + && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE); + if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref, + &helper_data.ref_size)) + return 0; + p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC); + if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc)) + return 0; + + /* + * The helper functions return 0 on actual errors, otherwise 1, even if + * they didn't fill out |*v|. + */ + if (!try_name(&helper_data, v) + || !try_key(&helper_data, v, ctx, provider, libctx, propq) + || !try_cert(&helper_data, v, libctx, propq) + || !try_crl(&helper_data, v, libctx, propq) + || !try_pkcs12(&helper_data, v, ctx, libctx, propq)) + return 0; + + return (*v != NULL); +} + +static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v) +{ + if (data->object_type == OSSL_OBJECT_NAME) { + char *newname = NULL, *newdesc = NULL; + + if (data->utf8_data == NULL) + return 0; + if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL + || (data->desc != NULL + && (newdesc = OPENSSL_strdup(data->desc)) == NULL) + || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) { + OPENSSL_free(newname); + OPENSSL_free(newdesc); + return 0; + } + OSSL_STORE_INFO_set0_NAME_description(*v, newdesc); + } + return 1; +} + +/* + * For the rest of the object types, the provider code may not know what + * type of data it gave us, so we may need to figure that out on our own. + * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and + * only return 0 on error if the object type is known. + */ + +static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data, + OSSL_STORE_CTX *ctx, + const OSSL_PROVIDER *provider, + OPENSSL_CTX *libctx, const char *propq) +{ + EVP_PKEY *pk = NULL; + EVP_KEYMGMT *keymgmt = NULL; + void *keydata = NULL; + + /* If we have an object reference, we must have a data type */ + if (data->data_type == NULL) + return 0; + + keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq); + if (keymgmt != NULL) { + /* + * There are two possible cases + * + * 1. The keymgmt is from the same provider as the loader, + * so we can use evp_keymgmt_load() + * 2. The keymgmt is from another provider, then we must + * do the export/import dance. + */ + if (EVP_KEYMGMT_provider(keymgmt) == provider) { + keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size); + } else { + struct evp_keymgmt_util_try_import_data_st import_data; + OSSL_FUNC_store_export_object_fn *export_object = + ctx->fetched_loader->p_export_object; + + import_data.keymgmt = keymgmt; + import_data.keydata = NULL; + import_data.selection = OSSL_KEYMGMT_SELECT_ALL; + + if (export_object != NULL) { + /* + * No need to check for errors here, the value of + * |import_data.keydata| is as much an indicator. + */ + (void)export_object(ctx->loader_ctx, + data->ref, data->ref_size, + &evp_keymgmt_util_try_import, + &import_data); + } + + keydata = import_data.keydata; + } + } + if (keydata != NULL) + pk = evp_keymgmt_util_make_pkey(keymgmt, keydata); + EVP_KEYMGMT_free(keymgmt); + + return pk; +} + +static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, + OSSL_STORE_CTX *ctx, + OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, + OPENSSL_CTX *libctx, const char *propq) +{ + EVP_PKEY *pk = NULL; + OSSL_DECODER_CTX *decoderctx = NULL; + BIO *membio = + BIO_new_mem_buf(data->octet_data, (int)data->octet_data_size); + + if (membio == NULL) + return 0; + + decoderctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", libctx, propq); + (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); + + /* No error if this couldn't be decoded */ + (void)OSSL_DECODER_from_bio(decoderctx, membio); + + OSSL_DECODER_CTX_free(decoderctx); + BIO_free(membio); + + return pk; +} + +typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *); + +static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data, + store_info_new_fn **store_info_new, + OSSL_STORE_CTX *ctx, + OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg, + OPENSSL_CTX *libctx, const char *propq) +{ + EVP_PKEY *pk = NULL; + const unsigned char *der = data->octet_data, *derp; + long der_len = (long)data->octet_data_size; + + /* Try PUBKEY first, that's a real easy target */ + derp = der; + pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq); + if (pk != NULL) + *store_info_new = OSSL_STORE_INFO_new_PUBKEY; + + /* Try private keys next */ + if (pk == NULL) { + unsigned char *new_der = NULL; + X509_SIG *p8 = NULL; + PKCS8_PRIV_KEY_INFO *p8info = NULL; + + /* See if it's an encrypted PKCS#8 and decrypt it */ + derp = der; + if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) { + char pbuf[PEM_BUFSIZE]; + size_t plen = 0; + + if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) { + ERR_raise(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_BAD_PASSWORD_READ); + } else { + const X509_ALGOR *alg = NULL; + const ASN1_OCTET_STRING *oct = NULL; + int len = 0; + + X509_SIG_get0(p8, &alg, &oct); + + /* + * No need to check the returned value, |new_der| + * will be NULL on error anyway. + */ + PKCS12_pbe_crypt(alg, pbuf, plen, + oct->data, oct->length, + &new_der, &len, 0); + der_len = len; + der = new_der; + } + X509_SIG_free(p8); + } + + /* + * If the encrypted PKCS#8 couldn't be decrypted, + * |der| is NULL + */ + if (der != NULL) { + /* Try to unpack an unencrypted PKCS#8, that's easy */ + derp = der; + p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len); + if (p8info != NULL) { + pk = evp_pkcs82pkey_int(p8info, libctx, propq); + PKCS8_PRIV_KEY_INFO_free(p8info); + } + + /* + * It wasn't PKCS#8, so we must try the hard way. + * However, we can cheat a little bit, because we know + * what's not yet fully supported in out decoders. + * TODO(3.0) Eliminate these when we have decoder support. + */ + if (pk == NULL) { + derp = der; + pk = d2i_PrivateKey_ex(EVP_PKEY_SM2, NULL, + &derp, der_len, + libctx, NULL); + } + } + + if (pk != NULL) + *store_info_new = OSSL_STORE_INFO_new_PKEY; + + OPENSSL_free(new_der); + der = data->octet_data; + der_len = (long)data->octet_data_size; + } + + /* + * Last, we try parameters. We cheat the same way we do for + * private keys above. + * TODO(3.0) Eliminate these when we have decoder support. + */ + if (pk == NULL) { + derp = der; + pk = d2i_KeyParams(EVP_PKEY_SM2, NULL, &derp, der_len); + if (pk != NULL) + *store_info_new = OSSL_STORE_INFO_new_PARAMS; + } + + return pk; +} + +static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, + OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider, + OPENSSL_CTX *libctx, const char *propq) +{ + store_info_new_fn *store_info_new = NULL; + + if (data->object_type == OSSL_OBJECT_UNKNOWN + || data->object_type == OSSL_OBJECT_PKEY) { + EVP_PKEY *pk = NULL; + + /* Prefer key by reference than key by value */ + if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) { + pk = try_key_ref(data, ctx, provider, libctx, propq); + + /* + * If for some reason we couldn't get a key, it's an error. + * It indicates that while decoders could make a key reference, + * the keymgmt somehow couldn't handle it, or doesn't have a + * OSSL_FUNC_keymgmt_load function. + */ + if (pk == NULL) + return 0; + } else if (data->octet_data != NULL) { + OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec; + void *cbarg = &ctx->pwdata; + + pk = try_key_value(data, ctx, cb, cbarg, libctx, propq); + + /* + * Desperate last maneuver, in case the decoders don't support + * the data we have, then we try on our own to at least get a + * legacy key. + * This is the same as der2key_decode() does, but in a limited + * way and within the walls of libcrypto. + * + * TODO Remove this when #legacy keys are gone + */ + if (pk == NULL) + pk = try_key_value_legacy(data, &store_info_new, ctx, + cb, cbarg, libctx, propq); + } + + if (pk != NULL) { + data->object_type = OSSL_OBJECT_PKEY; + + if (store_info_new == NULL) { + /* + * We determined the object type for OSSL_STORE_INFO, which + * makes an explicit difference between an EVP_PKEY with just + * (domain) parameters and an EVP_PKEY with actual key + * material. + * The logic is that an EVP_PKEY with actual key material + * always has the public half. + */ + if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY)) + store_info_new = OSSL_STORE_INFO_new_PKEY; + else if (evp_keymgmt_util_has(pk, + OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) + store_info_new = OSSL_STORE_INFO_new_PUBKEY; + else + store_info_new = OSSL_STORE_INFO_new_PARAMS; + } + *v = store_info_new(pk); + } + + if (*v == NULL) + EVP_PKEY_free(pk); + } + + return 1; +} + +static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, + OPENSSL_CTX *libctx, const char *propq) +{ + if (data->object_type == OSSL_OBJECT_UNKNOWN + || data->object_type == OSSL_OBJECT_CERT) { + X509 *cert; + + /* + * In most cases, we can try to interpret the serialized + * data as a trusted cert (X509 + X509_AUX) and fall back + * to reading it as a normal cert (just X509), but if + * |data_type| (the PEM name) specifically declares it as a + * trusted cert, then no fallback should be engaged. + * |ignore_trusted| tells if the fallback can be used (1) + * or not (0). + */ + int ignore_trusted = 1; + + /* If we have a data type, it should be a PEM name */ + if (data->data_type != NULL + && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0)) + ignore_trusted = 0; + + cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data, + data->octet_data_size); + if (cert == NULL && ignore_trusted) + cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data, + data->octet_data_size); + + if (cert != NULL) + /* We determined the object type */ + data->object_type = OSSL_OBJECT_CERT; + + if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) { + X509_free(cert); + cert = NULL; + } + + if (cert != NULL) + *v = OSSL_STORE_INFO_new_CERT(cert); + if (*v == NULL) + X509_free(cert); + } + + return 1; +} + +static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, + OPENSSL_CTX *libctx, const char *propq) +{ + if (data->object_type == OSSL_OBJECT_UNKNOWN + || data->object_type == OSSL_OBJECT_CRL) { + X509_CRL *crl; + + crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data, + data->octet_data_size); + if (crl != NULL) + /* We determined the object type */ + data->object_type = OSSL_OBJECT_CRL; + + if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) { + X509_CRL_free(crl); + crl = NULL; + } + + if (crl != NULL) + *v = OSSL_STORE_INFO_new_CRL(crl); + if (*v == NULL) + X509_CRL_free(crl); + } + + return 1; +} + +static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, + OSSL_STORE_CTX *ctx, + OPENSSL_CTX *libctx, const char *propq) +{ + /* There is no specific object type for PKCS12 */ + if (data->object_type == OSSL_OBJECT_UNKNOWN) { + /* Initial parsing */ + PKCS12 *p12; + + if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data, + data->octet_data_size)) != NULL) { + char *pass = NULL; + char tpass[PEM_BUFSIZE]; + size_t tpass_len; + EVP_PKEY *pkey = NULL; + X509 *cert = NULL; + STACK_OF(X509) *chain = NULL; + + data->object_type = OSSL_OBJECT_PKCS12; + + if (PKCS12_verify_mac(p12, "", 0) + || PKCS12_verify_mac(p12, NULL, 0)) { + pass = ""; + } else { + static char prompt_info[] = "PKCS12 import pass phrase"; + OSSL_PARAM pw_params[] = { + OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO, + prompt_info, + sizeof(prompt_info) - 1), + OSSL_PARAM_END + }; + + if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len, + pw_params, 0, &ctx->pwdata)) { + ERR_raise(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR); + goto p12_end; + } + pass = tpass; + if (!PKCS12_verify_mac(p12, pass, strlen(pass))) { + ERR_raise(ERR_LIB_OSSL_STORE, + OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC); + goto p12_end; + } + } + + if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) { + STACK_OF(OSSL_STORE_INFO) *infos = NULL; + OSSL_STORE_INFO *osi_pkey = NULL; + OSSL_STORE_INFO *osi_cert = NULL; + OSSL_STORE_INFO *osi_ca = NULL; + int ok = 1; + + if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) { + if (pkey != NULL) { + if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL + /* clearing pkey here avoids case distinctions */ + && (pkey = NULL) == NULL + && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0) + osi_pkey = NULL; + else + ok = 0; + } + if (ok && cert != NULL) { + if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL + /* clearing cert here avoids case distinctions */ + && (cert = NULL) == NULL + && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0) + osi_cert = NULL; + else + ok = 0; + } + while (ok && sk_X509_num(chain) > 0) { + X509 *ca = sk_X509_value(chain, 0); + + if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL + && sk_X509_shift(chain) != NULL + && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0) + osi_ca = NULL; + else + ok = 0; + } + } + EVP_PKEY_free(pkey); + X509_free(cert); + sk_X509_pop_free(chain, X509_free); + OSSL_STORE_INFO_free(osi_pkey); + OSSL_STORE_INFO_free(osi_cert); + OSSL_STORE_INFO_free(osi_ca); + if (!ok) { + sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free); + infos = NULL; + } + ctx->cached_info = infos; + } + } + p12_end: + PKCS12_free(p12); + *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); + } + + return 1; +} diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index 1690dd89634..44f374aed36 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -494,3 +494,12 @@ void *X509_CRL_get_meth_data(X509_CRL *crl) { return crl->meth_data; } + +int x509_crl_set0_libctx(X509_CRL *x, OPENSSL_CTX *libctx, const char *propq) +{ + if (x != NULL) { + x->libctx = libctx; + x->propq = propq; + } + return 1; +} diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index ee885012f8f..0f7bf9c0d3d 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -21,11 +21,12 @@ OSSL_STORE_error, OSSL_STORE_close void *ui_data, OSSL_STORE_post_process_info_fn post_process, void *post_process_data); - OSSL_STORE_CTX *OSSL_STORE_open_with_libctx - (const char *uri, OPENSSL_CTX *libctx, const char *propq, - const UI_METHOD *ui_method, void *ui_data, - OSSL_STORE_post_process_info_fn post_process, void *post_process_data); - + OSSL_STORE_CTX * + OSSL_STORE_open_with_libctx(const char *uri, + OPENSSL_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + OSSL_STORE_post_process_info_fn post_process, + void *post_process_data); int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */); OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx); int OSSL_STORE_eof(OSSL_STORE_CTX *ctx); @@ -57,7 +58,7 @@ together. OSSL_STORE_open_with_libctx() takes a uri or path I, password UI method I with associated data I, and post processing callback I with associated data I, -a library context I with an associated property query , +a library context I with an associated property query I, and opens a channel to the data located at the URI and returns a B with all necessary internal information. The given I and I will be reused by all @@ -71,7 +72,7 @@ the next object, until I returns something other than NULL, or the end of data is reached as indicated by OSSL_STORE_eof(). OSSL_STORE_open() is similar to OSSL_STORE_open_with_libctx() but uses NULL for -the library context I and property query . +the library context I and property query I. OSSL_STORE_ctrl() takes a B, and command number I and more arguments not specified here. @@ -87,7 +88,7 @@ There are also global controls available: Controls if the loader should attempt to use secure memory for any allocated B and its contents. -This control expects one argument, a pointer to an B that is expected to +This control expects one argument, a pointer to an I that is expected to have the value 1 (yes) or 0 (no). Any other value is an error. @@ -168,6 +169,8 @@ were added in OpenSSL 1.1.1. Handling of NULL I argument for OSSL_STORE_close() was introduced in OpenSSL 1.1.1h. +OSSL_STORE_open_with_libctx() was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/crypto/x509.h b/include/crypto/x509.h index a3c05f15b89..bd8f9ba52d1 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -114,6 +114,9 @@ struct X509_crl_st { const X509_CRL_METHOD *meth; void *meth_data; CRYPTO_RWLOCK *lock; + + OPENSSL_CTX *libctx; + const char *propq; }; struct x509_revoked_st { @@ -302,6 +305,7 @@ int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm); int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags); int x509v3_cache_extensions(X509 *x); int x509_set0_libctx(X509 *x, OPENSSL_CTX *libctx, const char *propq); +int x509_crl_set0_libctx(X509_CRL *x, OPENSSL_CTX *libctx, const char *propq); void x509_init_sig_info(X509 *x); int asn1_item_digest_with_libctx(const ASN1_ITEM *it, const EVP_MD *type, void *data, unsigned char *md, diff --git a/include/openssl/err.h b/include/openssl/err.h index 4dd69c6a3ff..497436d2c5e 100644 --- a/include/openssl/err.h +++ b/include/openssl/err.h @@ -295,6 +295,7 @@ static ossl_inline int ERR_FATAL_ERROR(unsigned long errcode) # define ERR_R_DSA_LIB ERR_LIB_DSA/* 10 */ # define ERR_R_X509_LIB ERR_LIB_X509/* 11 */ # define ERR_R_ASN1_LIB ERR_LIB_ASN1/* 13 */ +# define ERR_R_CRYPTO_LIB ERR_LIB_CRYPTO/* 15 */ # define ERR_R_EC_LIB ERR_LIB_EC/* 16 */ # define ERR_R_BIO_LIB ERR_LIB_BIO/* 32 */ # define ERR_R_PKCS7_LIB ERR_LIB_PKCS7/* 33 */ diff --git a/include/openssl/store.h b/include/openssl/store.h index 34f2910202d..9a2b423371a 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -52,15 +52,16 @@ typedef OSSL_STORE_INFO *(*OSSL_STORE_post_process_info_fn)(OSSL_STORE_INFO *, * Returns a context reference which represents the channel to communicate * through. */ -OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, - void *ui_data, - OSSL_STORE_post_process_info_fn post_process, - void *post_process_data); - -OSSL_STORE_CTX *OSSL_STORE_open_with_libctx - (const char *uri, OPENSSL_CTX *libctx, const char *propq, - const UI_METHOD *ui_method, void *ui_data, - OSSL_STORE_post_process_info_fn post_process, void *post_process_data); +OSSL_STORE_CTX * +OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, void *ui_data, + OSSL_STORE_post_process_info_fn post_process, + void *post_process_data); +OSSL_STORE_CTX * +OSSL_STORE_open_with_libctx(const char *uri, + OPENSSL_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + OSSL_STORE_post_process_info_fn post_process, + void *post_process_data); /* * Control / fine tune the OSSL_STORE channel. |cmd| determines what is to be -- 2.47.2