decoder_pkey.c@ 105943

Last change on this file since 105943 was 104078, checked in by vboxsync, 11 months ago
openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638
File size: 17.6 KB

Line
1	/*
2	* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <openssl/core_names.h>
11	#include <openssl/core_object.h>
12	#include <openssl/provider.h>
13	#include <openssl/evp.h>
14	#include <openssl/ui.h>
15	#include <openssl/decoder.h>
16	#include <openssl/safestack.h>
17	#include <openssl/trace.h>
18	#include "crypto/evp.h"
19	#include "crypto/decoder.h"
20	#include "crypto/evp/evp_local.h"
21	#include "encoder_local.h"
22	#include "internal/namemap.h"
23
24	int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
25	const unsigned char *kstr,
26	size_t klen)
27	{
28	return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
29	}
30
31	int OSSL_DECODER_CTX_set_passphrase_ui(OSSL_DECODER_CTX *ctx,
32	const UI_METHOD *ui_method,
33	void *ui_data)
34	{
35	return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
36	}
37
38	int OSSL_DECODER_CTX_set_pem_password_cb(OSSL_DECODER_CTX *ctx,
39	pem_password_cb cb, void cbarg)
40	{
41	return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
42	}
43
44	int OSSL_DECODER_CTX_set_passphrase_cb(OSSL_DECODER_CTX *ctx,
45	OSSL_PASSPHRASE_CALLBACK *cb,
46	void *cbarg)
47	{
48	return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
49	}
50
51	/*
52	* Support for OSSL_DECODER_CTX_new_for_pkey:
53	* The construct data, and collecting keymgmt information for it
54	*/
55
56	DEFINE_STACK_OF(EVP_KEYMGMT)
57
58	struct decoder_pkey_data_st {
59	OSSL_LIB_CTX *libctx;
60	char *propq;
61	int selection;
62
63	STACK_OF(EVP_KEYMGMT) *keymgmts;
64	char object_type; / recorded object data type, may be NULL */
65	void *object; / Where the result should end up */
66	};
67
68	static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst,
69	const OSSL_PARAM *params,
70	void *construct_data)
71	{
72	struct decoder_pkey_data_st *data = construct_data;
73	OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst);
74	void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst);
75	const OSSL_PROVIDER *decoder_prov = OSSL_DECODER_get0_provider(decoder);
76	EVP_KEYMGMT *keymgmt = NULL;
77	const OSSL_PROVIDER *keymgmt_prov = NULL;
78	int i, end;
79	/*
80	* \|object_ref\| points to a provider reference to an object, its exact
81	* contents entirely opaque to us, but may be passed to any provider
82	* function that expects this (such as OSSL_FUNC_keymgmt_load().
83	*
84	* This pointer is considered volatile, i.e. whatever it points at
85	* is assumed to be freed as soon as this function returns.
86	*/
87	void *object_ref = NULL;
88	size_t object_ref_sz = 0;
89	const OSSL_PARAM *p;
90
91	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
92	if (p != NULL) {
93	char *object_type = NULL;
94
95	if (!OSSL_PARAM_get_utf8_string(p, &object_type, 0))
96	return 0;
97	OPENSSL_free(data->object_type);
98	data->object_type = object_type;
99	}
100
101	/*
102	* For stuff that should end up in an EVP_PKEY, we only accept an object
103	* reference for the moment. This enforces that the key data itself
104	* remains with the provider.
105	*/
106	p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
107	if (p == NULL \|\| p->data_type != OSSL_PARAM_OCTET_STRING)
108	return 0;
109	object_ref = p->data;
110	object_ref_sz = p->data_size;
111
112	/*
113	* First, we try to find a keymgmt that comes from the same provider as
114	* the decoder that passed the params.
115	*/
116	end = sk_EVP_KEYMGMT_num(data->keymgmts);
117	for (i = 0; i < end; i++) {
118	keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i);
119	keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt);
120
121	if (keymgmt_prov == decoder_prov
122	&& evp_keymgmt_has_load(keymgmt)
123	&& EVP_KEYMGMT_is_a(keymgmt, data->object_type))
124	break;
125	}
126	if (i < end) {
127	/* To allow it to be freed further down */
128	if (!EVP_KEYMGMT_up_ref(keymgmt))
129	return 0;
130	} else if ((keymgmt = EVP_KEYMGMT_fetch(data->libctx,
131	data->object_type,
132	data->propq)) != NULL) {
133	keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt);
134	}
135
136	if (keymgmt != NULL) {
137	EVP_PKEY *pkey = NULL;
138	void *keydata = NULL;
139
140	/*
141	* If the EVP_KEYMGMT and the OSSL_DECODER are from the
142	* same provider, we assume that the KEYMGMT has a key loading
143	* function that can handle the provider reference we hold.
144	*
145	* Otherwise, we export from the decoder and import the
146	* result in the keymgmt.
147	*/
148	if (keymgmt_prov == decoder_prov) {
149	keydata = evp_keymgmt_load(keymgmt, object_ref, object_ref_sz);
150	} else {
151	struct evp_keymgmt_util_try_import_data_st import_data;
152
153	import_data.keymgmt = keymgmt;
154	import_data.keydata = NULL;
155	if (data->selection == 0)
156	/* import/export functions do not tolerate 0 selection */
157	import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
158	else
159	import_data.selection = data->selection;
160
161	/*
162	* No need to check for errors here, the value of
163	* \|import_data.keydata\| is as much an indicator.
164	*/
165	(void)decoder->export_object(decoderctx,
166	object_ref, object_ref_sz,
167	&evp_keymgmt_util_try_import,
168	&import_data);
169	keydata = import_data.keydata;
170	import_data.keydata = NULL;
171	}
172
173	if (keydata != NULL
174	&& (pkey = evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL)
175	evp_keymgmt_freedata(keymgmt, keydata);
176
177	*data->object = pkey;
178
179	/*
180	* evp_keymgmt_util_make_pkey() increments the reference count when
181	* assigning the EVP_PKEY, so we can free the keymgmt here.
182	*/
183	EVP_KEYMGMT_free(keymgmt);
184	}
185	/*
186	* We successfully looked through, \|*ctx->object\| determines if we
187	* actually found something.
188	*/
189	return (*data->object != NULL);
190	}
191
192	static void decoder_clean_pkey_construct_arg(void *construct_data)
193	{
194	struct decoder_pkey_data_st *data = construct_data;
195
196	if (data != NULL) {
197	sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free);
198	OPENSSL_free(data->propq);
199	OPENSSL_free(data->object_type);
200	OPENSSL_free(data);
201	}
202	}
203
204	struct collect_data_st {
205	OSSL_LIB_CTX *libctx;
206	OSSL_DECODER_CTX *ctx;
207
208	const char keytype; / the keytype requested, if any */
209	int keytype_id; /* if keytype_resolved is set, keymgmt name_id; else 0 */
210	int sm2_id; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */
211	int total; /* number of matching results */
212	char error_occurred;
213	char keytype_resolved;
214
215	STACK_OF(EVP_KEYMGMT) *keymgmts;
216	};
217
218	static void collect_decoder_keymgmt(EVP_KEYMGMT keymgmt, OSSL_DECODER decoder,
219	void provctx, struct collect_data_st data)
220	{
221	void *decoderctx = NULL;
222	OSSL_DECODER_INSTANCE *di = NULL;
223
224	/*
225	* We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we
226	* don't check it again here.
227	*/
228
229	if (keymgmt->name_id != decoder->base.id)
230	/* Mismatch is not an error, continue. */
231	return;
232
233	if ((decoderctx = decoder->newctx(provctx)) == NULL) {
234	data->error_occurred = 1;
235	return;
236	}
237
238	if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {
239	decoder->freectx(decoderctx);
240	data->error_occurred = 1;
241	return;
242	}
243
244	OSSL_TRACE_BEGIN(DECODER) {
245	BIO_printf(trc_out,
246	"(ctx %p) Checking out decoder %p:\n"
247	" %s with %s\n",
248	(void )data->ctx, (void )decoder,
249	OSSL_DECODER_get0_name(decoder),
250	OSSL_DECODER_get0_properties(decoder));
251	} OSSL_TRACE_END(DECODER);
252
253	if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {
254	ossl_decoder_instance_free(di);
255	data->error_occurred = 1;
256	return;
257	}
258
259	++data->total;
260	}
261
262	static void collect_decoder(OSSL_DECODER decoder, void arg)
263	{
264	struct collect_data_st *data = arg;
265	STACK_OF(EVP_KEYMGMT) *keymgmts = data->keymgmts;
266	int i, end_i;
267	EVP_KEYMGMT *keymgmt;
268	const OSSL_PROVIDER *prov;
269	void *provctx;
270
271	if (data->error_occurred)
272	return;
273
274	prov = OSSL_DECODER_get0_provider(decoder);
275	provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
276
277	/*
278	* Either the caller didn't give us a selection, or if they did, the decoder
279	* must tell us if it supports that selection to be accepted. If the decoder
280	* doesn't have \|does_selection\|, it's seen as taking anything.
281	*/
282	if (decoder->does_selection != NULL
283	&& !decoder->does_selection(provctx, data->ctx->selection))
284	return;
285
286	OSSL_TRACE_BEGIN(DECODER) {
287	BIO_printf(trc_out,
288	"(ctx %p) Checking out decoder %p:\n"
289	" %s with %s\n",
290	(void )data->ctx, (void )decoder,
291	OSSL_DECODER_get0_name(decoder),
292	OSSL_DECODER_get0_properties(decoder));
293	} OSSL_TRACE_END(DECODER);
294
295	end_i = sk_EVP_KEYMGMT_num(keymgmts);
296	for (i = 0; i < end_i; ++i) {
297	keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i);
298
299	collect_decoder_keymgmt(keymgmt, decoder, provctx, data);
300	if (data->error_occurred)
301	return;
302	}
303	}
304
305	/*
306	* Is this EVP_KEYMGMT applicable given the key type given in the call to
307	* ossl_decoder_ctx_setup_for_pkey (if any)?
308	*/
309	static int check_keymgmt(EVP_KEYMGMT keymgmt, struct collect_data_st data)
310	{
311	/* If no keytype was specified, everything matches. */
312	if (data->keytype == NULL)
313	return 1;
314
315	if (!data->keytype_resolved) {
316	/* We haven't cached the IDs from the keytype string yet. */
317	OSSL_NAMEMAP *namemap = ossl_namemap_stored(data->libctx);
318	data->keytype_id = ossl_namemap_name2num(namemap, data->keytype);
319
320	/*
321	* If keytype is a value ambiguously used for both EC and SM2,
322	* collect the ID for SM2 as well.
323	*/
324	if (data->keytype_id != 0
325	&& (strcmp(data->keytype, "id-ecPublicKey") == 0
326	\|\| strcmp(data->keytype, "1.2.840.10045.2.1") == 0))
327	data->sm2_id = ossl_namemap_name2num(namemap, "SM2");
328
329	/*
330	* If keytype_id is zero the name was not found, but we still
331	* set keytype_resolved to avoid trying all this again.
332	*/
333	data->keytype_resolved = 1;
334	}
335
336	/* Specified keytype could not be resolved, so nothing matches. */
337	if (data->keytype_id == 0)
338	return 0;
339
340	/* Does not match the keytype specified, so skip. */
341	if (keymgmt->name_id != data->keytype_id
342	&& keymgmt->name_id != data->sm2_id)
343	return 0;
344
345	return 1;
346	}
347
348	static void collect_keymgmt(EVP_KEYMGMT keymgmt, void arg)
349	{
350	struct collect_data_st *data = arg;
351
352	if (!check_keymgmt(keymgmt, data))
353	return;
354
355	/*
356	* We have to ref EVP_KEYMGMT here because in the success case,
357	* data->keymgmts is referenced by the constructor we register in the
358	* OSSL_DECODER_CTX. The registered cleanup function
359	* (decoder_clean_pkey_construct_arg) unrefs every element of the stack and
360	* frees it.
361	*/
362	if (!EVP_KEYMGMT_up_ref(keymgmt))
363	return;
364
365	if (sk_EVP_KEYMGMT_push(data->keymgmts, keymgmt) <= 0) {
366	EVP_KEYMGMT_free(keymgmt);
367	data->error_occurred = 1;
368	}
369	}
370
371	/*
372	* This function does the actual binding of decoders to the OSSL_DECODER_CTX. It
373	* searches for decoders matching 'keytype', which is a string like "RSA", "DH",
374	* etc. If 'keytype' is NULL, decoders for all keytypes are bound.
375	*/
376	int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
377	EVP_PKEY *pkey, const char keytype,
378	OSSL_LIB_CTX *libctx,
379	const char *propquery)
380	{
381	int ok = 0;
382	struct decoder_pkey_data_st *process_data = NULL;
383	struct collect_data_st collect_data = { NULL };
384	STACK_OF(EVP_KEYMGMT) *keymgmts = NULL;
385
386	OSSL_TRACE_BEGIN(DECODER) {
387	const char *input_type = ctx->start_input_type;
388	const char *input_structure = ctx->input_structure;
389
390	BIO_printf(trc_out,
391	"(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n",
392	(void *)ctx,
393	keytype != NULL ? keytype : "",
394	keytype != NULL ? " keys" : "keys of any type",
395	input_type != NULL ? " from " : "",
396	input_type != NULL ? input_type : "",
397	input_structure != NULL ? " with " : "",
398	input_structure != NULL ? input_structure : "");
399	} OSSL_TRACE_END(DECODER);
400
401	/* Allocate data. */
402	if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL
403	\|\| (propquery != NULL
404	&& (process_data->propq = OPENSSL_strdup(propquery)) == NULL)) {
405	ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
406	goto err;
407	}
408
409	/* Allocate our list of EVP_KEYMGMTs. */
410	keymgmts = sk_EVP_KEYMGMT_new_null();
411	if (keymgmts == NULL) {
412	ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
413	goto err;
414	}
415
416	process_data->object = (void **)pkey;
417	process_data->libctx = libctx;
418	process_data->selection = ctx->selection;
419	process_data->keymgmts = keymgmts;
420
421	/*
422	* Enumerate all keymgmts into a stack.
423	*
424	* We could nest EVP_KEYMGMT_do_all_provided inside
425	* OSSL_DECODER_do_all_provided or vice versa but these functions become
426	* bottlenecks if called repeatedly, which is why we collect the
427	* EVP_KEYMGMTs into a stack here and call both functions only once.
428	*
429	* We resolve the keytype string to a name ID so we don't have to resolve it
430	* multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a
431	* performance bottleneck. However, we do this lazily on the first call to
432	* collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it
433	* upfront, as this ensures that the names for all loaded providers have
434	* been registered by the time we try to resolve the keytype string.
435	*/
436	collect_data.ctx = ctx;
437	collect_data.libctx = libctx;
438	collect_data.keymgmts = keymgmts;
439	collect_data.keytype = keytype;
440	EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data);
441
442	if (collect_data.error_occurred)
443	goto err;
444
445	/* Enumerate all matching decoders. */
446	OSSL_DECODER_do_all_provided(libctx, collect_decoder, &collect_data);
447
448	if (collect_data.error_occurred)
449	goto err;
450
451	OSSL_TRACE_BEGIN(DECODER) {
452	BIO_printf(trc_out,
453	"(ctx %p) Got %d decoders producing keys\n",
454	(void *)ctx, collect_data.total);
455	} OSSL_TRACE_END(DECODER);
456
457	/*
458	* Finish initializing the decoder context. If one or more decoders matched
459	* above then the number of decoders attached to the OSSL_DECODER_CTX will
460	* be nonzero. Else nothing was found and we do nothing.
461	*/
462	if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) {
463	if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey)
464	\|\| !OSSL_DECODER_CTX_set_construct_data(ctx, process_data)
465	\|\| !OSSL_DECODER_CTX_set_cleanup(ctx,
466	decoder_clean_pkey_construct_arg))
467	goto err;
468
469	process_data = NULL; /* Avoid it being freed */
470	}
471
472	ok = 1;
473	err:
474	decoder_clean_pkey_construct_arg(process_data);
475	return ok;
476	}
477
478	OSSL_DECODER_CTX *
479	OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey,
480	const char *input_type,
481	const char *input_structure,
482	const char *keytype, int selection,
483	OSSL_LIB_CTX libctx, const char propquery)
484	{
485	OSSL_DECODER_CTX *ctx = NULL;
486
487	if ((ctx = OSSL_DECODER_CTX_new()) == NULL) {
488	ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE);
489	return NULL;
490	}
491
492	OSSL_TRACE_BEGIN(DECODER) {
493	BIO_printf(trc_out,
494	"(ctx %p) Looking for %s decoders with selection %d\n",
495	(void *)ctx, keytype, selection);
496	BIO_printf(trc_out, " input type: %s, input structure: %s\n",
497	input_type, input_structure);
498	} OSSL_TRACE_END(DECODER);
499
500	if (OSSL_DECODER_CTX_set_input_type(ctx, input_type)
501	&& OSSL_DECODER_CTX_set_input_structure(ctx, input_structure)
502	&& OSSL_DECODER_CTX_set_selection(ctx, selection)
503	&& ossl_decoder_ctx_setup_for_pkey(ctx, pkey, keytype,
504	libctx, propquery)
505	&& OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) {
506	OSSL_TRACE_BEGIN(DECODER) {
507	BIO_printf(trc_out, "(ctx %p) Got %d decoders\n",
508	(void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx));
509	} OSSL_TRACE_END(DECODER);
510	return ctx;
511	}
512
513	OSSL_DECODER_CTX_free(ctx);
514	return NULL;
515	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.1.7/crypto/encode_decode/decoder_pkey.c@ 105943

Download in other formats: