STORE: Move the built-in 'file:' loader to become an engine module

From this point on, this engine must be specifically specified. To replace the internal EMBEDDED hack with something unique for the new module, functions to create application specific OSSL_STORE_INFO types were added. Furthermore, the following function had to be exported: ossl_do_blob_header() ossl_do_PVK_header() asn1_d2i_read_bio() Finally, evp_pkcs82pkey_int() has become public under a new name, EVP_PKCS82PKEY_with_libctx() Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#12587)
a-mair · Sep 3, 2020 · 16feca7 · 16feca7
1 parent bd7a6f1
commit 16feca7
Show file tree

Hide file tree

Showing 27 changed files with 504 additions and 241 deletions.
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
@@ -1075,6 +1075,8 @@ errors:
            include/internal/o_dir.h
            include/internal/err.h
            include/internal/evp.h
+           include/internal/pem.h
+           include/internal/asn1.h
            include/internal/sslconf.h );
    our @cryptoskipheaders = ( @sslheaders,
        qw( include/openssl/conf_api.h

diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c
@@ -13,6 +13,7 @@
 #include "internal/numbers.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
+#include "internal/asn1.h"
 #include "crypto/asn1.h"
 
 #ifndef NO_OLD_ASN1

diff --git a/crypto/asn1/d2i_param.c b/crypto/asn1/d2i_param.c
@@ -11,8 +11,9 @@
 #include "internal/cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
-#include "crypto/evp.h"
+#include "internal/asn1.h"
 #include "crypto/asn1.h"
+#include "crypto/evp.h"
 
 EVP_PKEY *d2i_KeyParams(int type, EVP_PKEY **a, const unsigned char **pp,
                         long length)

diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
@@ -55,7 +55,7 @@ EVP_PKEY *d2i_PrivateKey_ex(int type, EVP_PKEY **a, const unsigned char **pp,
             p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
             if (p8 == NULL)
                 goto err;
-            tmp = evp_pkcs82pkey_int(p8, libctx, propq);
+            tmp = EVP_PKCS82PKEY_with_libctx(p8, libctx, propq);
             PKCS8_PRIV_KEY_INFO_free(p8);
             if (tmp == NULL)
                 goto err;
@@ -122,7 +122,7 @@ EVP_PKEY *d2i_AutoPrivateKey_ex(EVP_PKEY **a, const unsigned char **pp,
             ASN1err(0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
             return NULL;
         }
-        ret = evp_pkcs82pkey_int(p8, libctx, propq);
+        ret = EVP_PKCS82PKEY_with_libctx(p8, libctx, propq);
         PKCS8_PRIV_KEY_INFO_free(p8);
         if (ret == NULL)
             return NULL;

diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c
@@ -18,8 +18,8 @@
 
 /* Extract a private key from a PKCS8 structure */
 
-EVP_PKEY *evp_pkcs82pkey_int(const PKCS8_PRIV_KEY_INFO *p8, OPENSSL_CTX *libctx,
-                             const char *propq)
+EVP_PKEY *EVP_PKCS82PKEY_with_libctx(const PKCS8_PRIV_KEY_INFO *p8,
+                                     OPENSSL_CTX *libctx, const char *propq)
 {
     EVP_PKEY *pkey = NULL;
     const ASN1_OBJECT *algoid;
@@ -64,7 +64,7 @@ EVP_PKEY *evp_pkcs82pkey_int(const PKCS8_PRIV_KEY_INFO *p8, OPENSSL_CTX *libctx,
 
 EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8)
 {
-    return evp_pkcs82pkey_int(p8, NULL, NULL);
+    return EVP_PKCS82PKEY_with_libctx(p8, NULL, NULL);
 }
 
 /* Turn a private key into a PKCS8 structure */

diff --git a/crypto/store/build.info b/crypto/store/build.info
@@ -1,4 +1,4 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
         store_err.c store_lib.c store_result.c store_strings.c store_meth.c \
-        store_init.c store_register.c loader_file.c
+        store_init.c store_register.c
diff --git a/crypto/store/store_init.c b/crypto/store/store_init.c
@@ -14,8 +14,7 @@
 static CRYPTO_ONCE store_init = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(do_store_init)
 {
-    return OPENSSL_init_crypto(0, NULL)
-        && ossl_store_file_loader_init();
+    return OPENSSL_init_crypto(0, NULL);
 }
 
 int ossl_store_init_once(void)

diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
@@ -474,7 +474,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
  * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
  * and will therefore be freed when the OSSL_STORE_INFO is freed.
  */
-static OSSL_STORE_INFO *store_info_new(int type, void *data)
+OSSL_STORE_INFO *OSSL_STORE_INFO_new(int type, void *data)
 {
     OSSL_STORE_INFO *info = OPENSSL_zalloc(sizeof(*info));
 
@@ -488,7 +488,7 @@ static OSSL_STORE_INFO *store_info_new(int type, void *data)
 
 OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name)
 {
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_NAME, NULL);
+    OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_NAME, NULL);
 
     if (info == NULL) {
         ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
@@ -514,7 +514,7 @@ int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO *info, char *desc)
 }
 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PARAMS(EVP_PKEY *params)
 {
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_PARAMS, params);
+    OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_PARAMS, params);
 
     if (info == NULL)
         ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
@@ -523,7 +523,7 @@ OSSL_STORE_INFO *OSSL_STORE_INFO_new_PARAMS(EVP_PKEY *params)
 
 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PUBKEY(EVP_PKEY *pkey)
 {
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_PUBKEY, pkey);
+    OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_PUBKEY, pkey);
 
     if (info == NULL)
         ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
@@ -532,7 +532,7 @@ OSSL_STORE_INFO *OSSL_STORE_INFO_new_PUBKEY(EVP_PKEY *pkey)
 
 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PKEY(EVP_PKEY *pkey)
 {
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_PKEY, pkey);
+    OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_PKEY, pkey);
 
     if (info == NULL)
         ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
@@ -541,7 +541,7 @@ OSSL_STORE_INFO *OSSL_STORE_INFO_new_PKEY(EVP_PKEY *pkey)
 
 OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509)
 {
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_CERT, x509);
+    OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_CERT, x509);
 
     if (info == NULL)
         ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
@@ -550,7 +550,7 @@ OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509)
 
 OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl)
 {
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_CRL, crl);
+    OSSL_STORE_INFO *info = OSSL_STORE_INFO_new(OSSL_STORE_INFO_CRL, crl);
 
     if (info == NULL)
         ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
@@ -565,6 +565,13 @@ int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO *info)
     return info->type;
 }
 
+void *OSSL_STORE_INFO_get0_data(int type, const OSSL_STORE_INFO *info)
+{
+    if (info->type == type)
+        return info->_.data;
+    return NULL;
+}
+
 const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO *info)
 {
     if (info->type == OSSL_STORE_INFO_NAME)
@@ -698,10 +705,6 @@ void OSSL_STORE_INFO_free(OSSL_STORE_INFO *info)
 {
     if (info != NULL) {
         switch (info->type) {
-        case OSSL_STORE_INFO_EMBEDDED:
-            BUF_MEM_free(info->_.embedded.blob);
-            OPENSSL_free(info->_.embedded.pem_name);
-            break;
         case OSSL_STORE_INFO_NAME:
             OPENSSL_free(info->_.name.name);
             OPENSSL_free(info->_.name.desc);
@@ -889,44 +892,6 @@ const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion)
     return criterion->digest;
 }
 
-/* Internal functions */
-OSSL_STORE_INFO *ossl_store_info_new_EMBEDDED(const char *new_pem_name,
-                                              BUF_MEM *embedded)
-{
-    OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_EMBEDDED, NULL);
-
-    if (info == NULL) {
-        ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    info->_.embedded.blob = embedded;
-    info->_.embedded.pem_name =
-        new_pem_name == NULL ? NULL : OPENSSL_strdup(new_pem_name);
-
-    if (new_pem_name != NULL && info->_.embedded.pem_name == NULL) {
-        ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
-        OSSL_STORE_INFO_free(info);
-        info = NULL;
-    }
-
-    return info;
-}
-
-BUF_MEM *ossl_store_info_get0_EMBEDDED_buffer(OSSL_STORE_INFO *info)
-{
-    if (info->type == OSSL_STORE_INFO_EMBEDDED)
-        return info->_.embedded.blob;
-    return NULL;
-}
-
-char *ossl_store_info_get0_EMBEDDED_pem_name(OSSL_STORE_INFO *info)
-{
-    if (info->type == OSSL_STORE_INFO_EMBEDDED)
-        return info->_.embedded.pem_name;
-    return NULL;
-}
-
 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
                                   OPENSSL_CTX *libctx, const char *propq,
                                   const UI_METHOD *ui_method, void *ui_data,

diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h
@@ -28,11 +28,6 @@ struct ossl_store_info_st {
     union {
         void *data;              /* used internally as generic pointer */
 
-        struct {
-            BUF_MEM *blob;
-            char *pem_name;
-        } embedded;              /* when type == OSSL_STORE_INFO_EMBEDDED */
-
         struct {
             char *name;
             char *desc;
@@ -45,26 +40,8 @@ struct ossl_store_info_st {
         X509_CRL *crl;           /* when type == OSSL_STORE_INFO_CRL */
     } _;
 };
-
 DEFINE_STACK_OF(OSSL_STORE_INFO)
 
-/*
- * EMBEDDED is a special type of OSSL_STORE_INFO, specially for the file
- * handlers.  It should never reach a calling application or any engine.
- * However, it can be used by a FILE_HANDLER's try_decode function to signal
- * that it has decoded the incoming blob into a new blob, and that the
- * attempted decoding should be immediately restarted with the new blob, using
- * the new PEM name.
- */
-/*
- * Because this is an internal type, we don't make it public.
- */
-#define OSSL_STORE_INFO_EMBEDDED       -1
-OSSL_STORE_INFO *ossl_store_info_new_EMBEDDED(const char *new_pem_name,
-                                              BUF_MEM *embedded);
-BUF_MEM *ossl_store_info_get0_EMBEDDED_buffer(OSSL_STORE_INFO *info);
-char *ossl_store_info_get0_EMBEDDED_pem_name(OSSL_STORE_INFO *info);
-
 /*-
  *  OSSL_STORE_SEARCH stuff
  *  -----------------------
@@ -174,7 +151,6 @@ struct ossl_store_ctx_st {
  */
 
 int ossl_store_init_once(void);
-int ossl_store_file_loader_init(void);
 
 /*-
  *  'file' scheme stuff

diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
@@ -302,7 +302,7 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
             derp = der;
             p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
             if (p8info != NULL) {
-                pk = evp_pkcs82pkey_int(p8info, libctx, propq);
+                pk = EVP_PKCS82PKEY_with_libctx(p8info, libctx, propq);
                 PKCS8_PRIV_KEY_INFO_free(p8info);
             }
 

diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
@@ -23,7 +23,7 @@
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
 #include <openssl/x509v3.h>
-#include "crypto/asn1.h"
+#include "internal/asn1.h"
 #include "crypto/pkcs7.h"
 #include "crypto/x509.h"
 

diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod
@@ -12,7 +12,8 @@ OSSL_STORE_INFO_get1_PKEY, OSSL_STORE_INFO_get1_CERT, OSSL_STORE_INFO_get1_CRL,
 OSSL_STORE_INFO_type_string, OSSL_STORE_INFO_free,
 OSSL_STORE_INFO_new_NAME, OSSL_STORE_INFO_set0_NAME_description,
 OSSL_STORE_INFO_new_PARAMS, OSSL_STORE_INFO_new_PUBKEY,
-OSSL_STORE_INFO_new_PKEY, OSSL_STORE_INFO_new_CERT, OSSL_STORE_INFO_new_CRL
+OSSL_STORE_INFO_new_PKEY, OSSL_STORE_INFO_new_CERT, OSSL_STORE_INFO_new_CRL,
+OSSL_STORE_INFO_new, OSSL_STORE_INFO_get0_data
 - Functions to manipulate OSSL_STORE_INFO objects
 
 =head1 SYNOPSIS
@@ -50,6 +51,9 @@ OSSL_STORE_INFO_new_PKEY, OSSL_STORE_INFO_new_CERT, OSSL_STORE_INFO_new_CRL
  OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509);
  OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl);
 
+ OSSL_STORE_INFO *OSSL_STORE_INFO_new(int type, void *data);
+ void *OSSL_STORE_INFO_get0_data(int type, const OSSL_STORE_INFO *info);
+
 =head1 DESCRIPTION
 
 These functions are primarily useful for applications to retrieve
@@ -110,6 +114,19 @@ description.
 This description is meant to be human readable and should be used for
 information printout.
 
+OSSL_STORE_INFO_new() creates a B<OSSL_STORE_INFO> with an arbitrary I<type>
+number and I<data> structure.  It's the responsibility of the caller to
+define type numbers other than the ones defined by F<< <openssl/store.h> >>,
+and to handle freeing the associated data structure on their own.
+I<Using type numbers that are defined by F<< <openssl/store.h> >> may cause
+undefined behaviours, including crashes>.
+
+OSSL_STORE_INFO_get0_data() returns the data pointer that was passed to
+OSSL_STORE_INFO_new() if I<type> matches the type number in I<info>.
+
+OSSL_STORE_INFO_new() and OSSL_STORE_INFO_get0_data() may be useful for
+applications that define their own STORE data, but must be used with care.
+
 =head1 SUPPORTED OBJECTS
 
 Currently supported object types are:
@@ -177,13 +194,13 @@ OSSL_STORE_INFO_get1_PARAMS(), OSSL_STORE_INFO_get1_PKEY(),
 OSSL_STORE_INFO_get1_CERT() and OSSL_STORE_INFO_get1_CRL() all return
 a pointer to a duplicate of the OpenSSL object on success, NULL otherwise.
 
-OSSL_STORE_INFO_type_string() returns a string on success, or B<NULL> on
+OSSL_STORE_INFO_type_string() returns a string on success, or NULL on
 failure.
 
 OSSL_STORE_INFO_new_NAME(), OSSL_STORE_INFO_new_PARAMS(),
 OSSL_STORE_INFO_new_PKEY(), OSSL_STORE_INFO_new_CERT() and
 OSSL_STORE_INFO_new_CRL() return a B<OSSL_STORE_INFO>
-pointer on success, or B<NULL> on failure.
+pointer on success, or NULL on failure.
 
 OSSL_STORE_INFO_set0_NAME_description() returns 1 on success, or 0 on
 failure.

diff --git a/engines/build.info b/engines/build.info
@@ -70,7 +70,7 @@ IF[{- !$disabled{"engine"} -}]
       ENDIF
     ENDIF
 
-    MODULES{noinst,engine}=ossltest dasync
+    MODULES{noinst,engine}=ossltest dasync loader_attic
     SOURCE[dasync]=e_dasync.c
     DEPEND[dasync]=../libcrypto
     INCLUDE[dasync]=../include
@@ -86,6 +86,14 @@ IF[{- !$disabled{"engine"} -}]
       SOURCE[ossltest]=ossltest.ld
       GENERATE[ossltest.ld]=../util/engines.num
     ENDIF
+
+    SOURCE[loader_attic]=e_loader_attic.c
+    DEPEND[loader_attic]=../libcrypto
+    INCLUDE[loader_attic]=../include
+    IF[{- defined $target{shared_defflag} -}]
+      SOURCE[loader_attic]=loader_attic.ld
+      GENERATE[loader_attic.ld]=../util/engines.num
+    ENDIF
   ENDIF
   GENERATE[e_padlock-x86.s]=asm/e_padlock-x86.pl
   GENERATE[e_padlock-x86_64.s]=asm/e_padlock-x86_64.pl