1 /*
2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "e_os.h" /* strcasecmp on Windows */
11 #include <openssl/err.h>
12 #include <openssl/ui.h>
13 #include <openssl/params.h>
14 #include <openssl/encoder.h>
15 #include <openssl/core_names.h>
16 #include <openssl/provider.h>
17 #include <openssl/safestack.h>
18 #include <openssl/trace.h>
19 #include "internal/provider.h"
20 #include "internal/property.h"
21 #include "crypto/evp.h"
22 #include "encoder_local.h"
23
DEFINE_STACK_OF(OSSL_ENCODER)24 DEFINE_STACK_OF(OSSL_ENCODER)
25
26 int OSSL_ENCODER_CTX_set_cipher(OSSL_ENCODER_CTX *ctx,
27 const char *cipher_name,
28 const char *propquery)
29 {
30 OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END };
31
32 params[0] =
33 OSSL_PARAM_construct_utf8_string(OSSL_ENCODER_PARAM_CIPHER,
34 (void *)cipher_name, 0);
35 params[1] =
36 OSSL_PARAM_construct_utf8_string(OSSL_ENCODER_PARAM_PROPERTIES,
37 (void *)propquery, 0);
38
39 return OSSL_ENCODER_CTX_set_params(ctx, params);
40 }
41
OSSL_ENCODER_CTX_set_passphrase(OSSL_ENCODER_CTX * ctx,const unsigned char * kstr,size_t klen)42 int OSSL_ENCODER_CTX_set_passphrase(OSSL_ENCODER_CTX *ctx,
43 const unsigned char *kstr,
44 size_t klen)
45 {
46 return ossl_pw_set_passphrase(&ctx->pwdata, kstr, klen);
47 }
48
OSSL_ENCODER_CTX_set_passphrase_ui(OSSL_ENCODER_CTX * ctx,const UI_METHOD * ui_method,void * ui_data)49 int OSSL_ENCODER_CTX_set_passphrase_ui(OSSL_ENCODER_CTX *ctx,
50 const UI_METHOD *ui_method,
51 void *ui_data)
52 {
53 return ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
54 }
55
OSSL_ENCODER_CTX_set_pem_password_cb(OSSL_ENCODER_CTX * ctx,pem_password_cb * cb,void * cbarg)56 int OSSL_ENCODER_CTX_set_pem_password_cb(OSSL_ENCODER_CTX *ctx,
57 pem_password_cb *cb, void *cbarg)
58 {
59 return ossl_pw_set_pem_password_cb(&ctx->pwdata, cb, cbarg);
60 }
61
OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX * ctx,OSSL_PASSPHRASE_CALLBACK * cb,void * cbarg)62 int OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX *ctx,
63 OSSL_PASSPHRASE_CALLBACK *cb,
64 void *cbarg)
65 {
66 return ossl_pw_set_ossl_passphrase_cb(&ctx->pwdata, cb, cbarg);
67 }
68
69 /*
70 * Support for OSSL_ENCODER_CTX_new_for_type:
71 * finding a suitable encoder
72 */
73
74 struct collected_encoder_st {
75 STACK_OF(OPENSSL_CSTRING) *names;
76 const char *output_structure;
77 const char *output_type;
78
79 const OSSL_PROVIDER *keymgmt_prov;
80 OSSL_ENCODER_CTX *ctx;
81 unsigned int flag_find_same_provider:1;
82
83 int error_occurred;
84 };
85
collect_encoder(OSSL_ENCODER * encoder,void * arg)86 static void collect_encoder(OSSL_ENCODER *encoder, void *arg)
87 {
88 struct collected_encoder_st *data = arg;
89 size_t i, end_i;
90
91 if (data->error_occurred)
92 return;
93
94 data->error_occurred = 1; /* Assume the worst */
95
96 if (data->names == NULL)
97 return;
98
99 end_i = sk_OPENSSL_CSTRING_num(data->names);
100 for (i = 0; i < end_i; i++) {
101 const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
102 const OSSL_PROVIDER *prov = OSSL_ENCODER_get0_provider(encoder);
103 void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
104
105 /*
106 * collect_encoder() is called in two passes, one where the encoders
107 * from the same provider as the keymgmt are looked up, and one where
108 * the other encoders are looked up. |data->flag_find_same_provider|
109 * tells us which pass we're in.
110 */
111 if ((data->keymgmt_prov == prov) != data->flag_find_same_provider)
112 continue;
113
114 if (!OSSL_ENCODER_is_a(encoder, name)
115 || (encoder->does_selection != NULL
116 && !encoder->does_selection(provctx, data->ctx->selection))
117 || (data->keymgmt_prov != prov
118 && encoder->import_object == NULL))
119 continue;
120
121 /* Only add each encoder implementation once */
122 if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder))
123 break;
124 }
125
126 data->error_occurred = 0; /* All is good now */
127 }
128
129 struct collected_names_st {
130 STACK_OF(OPENSSL_CSTRING) *names;
131 unsigned int error_occurred:1;
132 };
133
collect_name(const char * name,void * arg)134 static void collect_name(const char *name, void *arg)
135 {
136 struct collected_names_st *data = arg;
137
138 if (data->error_occurred)
139 return;
140
141 data->error_occurred = 1; /* Assume the worst */
142
143 if (sk_OPENSSL_CSTRING_push(data->names, name) <= 0)
144 return;
145
146 data->error_occurred = 0; /* All is good now */
147 }
148
149 /*
150 * Support for OSSL_ENCODER_to_bio:
151 * writing callback for the OSSL_PARAM (the implementation doesn't have
152 * intimate knowledge of the provider side object)
153 */
154
155 struct construct_data_st {
156 const EVP_PKEY *pk;
157 int selection;
158
159 OSSL_ENCODER_INSTANCE *encoder_inst;
160 const void *obj;
161 void *constructed_obj;
162 };
163
encoder_import_cb(const OSSL_PARAM params[],void * arg)164 static int encoder_import_cb(const OSSL_PARAM params[], void *arg)
165 {
166 struct construct_data_st *construct_data = arg;
167 OSSL_ENCODER_INSTANCE *encoder_inst = construct_data->encoder_inst;
168 OSSL_ENCODER *encoder = OSSL_ENCODER_INSTANCE_get_encoder(encoder_inst);
169 void *encoderctx = OSSL_ENCODER_INSTANCE_get_encoder_ctx(encoder_inst);
170
171 construct_data->constructed_obj =
172 encoder->import_object(encoderctx, construct_data->selection, params);
173
174 return (construct_data->constructed_obj != NULL);
175 }
176
177 static const void *
encoder_construct_pkey(OSSL_ENCODER_INSTANCE * encoder_inst,void * arg)178 encoder_construct_pkey(OSSL_ENCODER_INSTANCE *encoder_inst, void *arg)
179 {
180 struct construct_data_st *data = arg;
181
182 if (data->obj == NULL) {
183 OSSL_ENCODER *encoder =
184 OSSL_ENCODER_INSTANCE_get_encoder(encoder_inst);
185 const EVP_PKEY *pk = data->pk;
186 const OSSL_PROVIDER *k_prov = EVP_KEYMGMT_get0_provider(pk->keymgmt);
187 const OSSL_PROVIDER *e_prov = OSSL_ENCODER_get0_provider(encoder);
188
189 if (k_prov != e_prov) {
190 data->encoder_inst = encoder_inst;
191
192 if (!evp_keymgmt_export(pk->keymgmt, pk->keydata, data->selection,
193 &encoder_import_cb, data))
194 return NULL;
195 data->obj = data->constructed_obj;
196 } else {
197 data->obj = pk->keydata;
198 }
199 }
200
201 return data->obj;
202 }
203
encoder_destruct_pkey(void * arg)204 static void encoder_destruct_pkey(void *arg)
205 {
206 struct construct_data_st *data = arg;
207
208 if (data->encoder_inst != NULL) {
209 OSSL_ENCODER *encoder =
210 OSSL_ENCODER_INSTANCE_get_encoder(data->encoder_inst);
211
212 encoder->free_object(data->constructed_obj);
213 }
214 data->constructed_obj = NULL;
215 }
216
217 /*
218 * OSSL_ENCODER_CTX_new_for_pkey() returns a ctx with no encoder if
219 * it couldn't find a suitable encoder. This allows a caller to detect if
220 * a suitable encoder was found, with OSSL_ENCODER_CTX_get_num_encoder(),
221 * and to use fallback methods if the result is NULL.
222 */
ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX * ctx,const EVP_PKEY * pkey,int selection,const char * propquery)223 static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx,
224 const EVP_PKEY *pkey,
225 int selection,
226 const char *propquery)
227 {
228 struct construct_data_st *data = NULL;
229 const OSSL_PROVIDER *prov = NULL;
230 OSSL_LIB_CTX *libctx = NULL;
231 int ok = 0;
232
233 if (!ossl_assert(ctx != NULL) || !ossl_assert(pkey != NULL)) {
234 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER);
235 return 0;
236 }
237
238 if (evp_pkey_is_provided(pkey)) {
239 prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt);
240 libctx = ossl_provider_libctx(prov);
241 }
242
243 if (pkey->keymgmt != NULL) {
244 struct collected_encoder_st encoder_data;
245 struct collected_names_st keymgmt_data;
246
247 if ((data = OPENSSL_zalloc(sizeof(*data))) == NULL) {
248 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
249 goto err;
250 }
251
252 /*
253 * Select the first encoder implementations in two steps.
254 * First, collect the keymgmt names, then the encoders that match.
255 */
256 keymgmt_data.names = sk_OPENSSL_CSTRING_new_null();
257 keymgmt_data.error_occurred = 0;
258 EVP_KEYMGMT_names_do_all(pkey->keymgmt, collect_name, &keymgmt_data);
259 if (keymgmt_data.error_occurred) {
260 sk_OPENSSL_CSTRING_free(keymgmt_data.names);
261 goto err;
262 }
263
264 encoder_data.names = keymgmt_data.names;
265 encoder_data.output_type = ctx->output_type;
266 encoder_data.output_structure = ctx->output_structure;
267 encoder_data.error_occurred = 0;
268 encoder_data.keymgmt_prov = prov;
269 encoder_data.ctx = ctx;
270
271 /*
272 * Place the encoders with the a different provider as the keymgmt
273 * last (the chain is processed in reverse order)
274 */
275 encoder_data.flag_find_same_provider = 0;
276 OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data);
277
278 /*
279 * Place the encoders with the same provider as the keymgmt first
280 * (the chain is processed in reverse order)
281 */
282 encoder_data.flag_find_same_provider = 1;
283 OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data);
284
285 sk_OPENSSL_CSTRING_free(keymgmt_data.names);
286 if (encoder_data.error_occurred) {
287 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
288 goto err;
289 }
290 }
291
292 if (data != NULL && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) {
293 if (!OSSL_ENCODER_CTX_set_construct(ctx, encoder_construct_pkey)
294 || !OSSL_ENCODER_CTX_set_construct_data(ctx, data)
295 || !OSSL_ENCODER_CTX_set_cleanup(ctx, encoder_destruct_pkey))
296 goto err;
297
298 data->pk = pkey;
299 data->selection = selection;
300
301 data = NULL; /* Avoid it being freed */
302 }
303
304 ok = 1;
305 err:
306 if (data != NULL) {
307 OSSL_ENCODER_CTX_set_construct_data(ctx, NULL);
308 OPENSSL_free(data);
309 }
310 return ok;
311 }
312
OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY * pkey,int selection,const char * output_type,const char * output_struct,const char * propquery)313 OSSL_ENCODER_CTX *OSSL_ENCODER_CTX_new_for_pkey(const EVP_PKEY *pkey,
314 int selection,
315 const char *output_type,
316 const char *output_struct,
317 const char *propquery)
318 {
319 OSSL_ENCODER_CTX *ctx = NULL;
320 OSSL_LIB_CTX *libctx = NULL;
321
322 if (pkey == NULL) {
323 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER);
324 return NULL;
325 }
326
327 if (!evp_pkey_is_assigned(pkey)) {
328 ERR_raise_data(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT,
329 "The passed EVP_PKEY must be assigned a key");
330 return NULL;
331 }
332
333 if ((ctx = OSSL_ENCODER_CTX_new()) == NULL) {
334 ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE);
335 return NULL;
336 }
337
338 if (evp_pkey_is_provided(pkey)) {
339 const OSSL_PROVIDER *prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt);
340
341 libctx = ossl_provider_libctx(prov);
342 }
343
344 OSSL_TRACE_BEGIN(ENCODER) {
345 BIO_printf(trc_out,
346 "(ctx %p) Looking for %s encoders with selection %d\n",
347 (void *)ctx, EVP_PKEY_get0_type_name(pkey), selection);
348 BIO_printf(trc_out, " output type: %s, output structure: %s\n",
349 output_type, output_struct);
350 } OSSL_TRACE_END(ENCODER);
351
352 if (OSSL_ENCODER_CTX_set_output_type(ctx, output_type)
353 && (output_struct == NULL
354 || OSSL_ENCODER_CTX_set_output_structure(ctx, output_struct))
355 && OSSL_ENCODER_CTX_set_selection(ctx, selection)
356 && ossl_encoder_ctx_setup_for_pkey(ctx, pkey, selection, propquery)
357 && OSSL_ENCODER_CTX_add_extra(ctx, libctx, propquery)) {
358 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
359 int save_parameters = pkey->save_parameters;
360
361 params[0] = OSSL_PARAM_construct_int(OSSL_ENCODER_PARAM_SAVE_PARAMETERS,
362 &save_parameters);
363 /* ignoring error as this is only auxiliary parameter */
364 (void)OSSL_ENCODER_CTX_set_params(ctx, params);
365
366 OSSL_TRACE_BEGIN(ENCODER) {
367 BIO_printf(trc_out, "(ctx %p) Got %d encoders\n",
368 (void *)ctx, OSSL_ENCODER_CTX_get_num_encoders(ctx));
369 } OSSL_TRACE_END(ENCODER);
370 return ctx;
371 }
372
373 OSSL_ENCODER_CTX_free(ctx);
374 return NULL;
375 }
376