From c6313780586f94b0542f55c3ffa399f5ad2c7297 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 26 May 2021 17:18:13 +0100 Subject: Use the new ASN.1 libctx aware capabilities in CMP Make sure we pass the libctx/propq around everywhere that we need it to ensure we get provider keys when needed. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15591) --- crypto/cmp/cmp_asn.c | 30 ++++++++++++++-- crypto/cmp/cmp_local.h | 7 +++- crypto/cmp/cmp_msg.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 119 insertions(+), 10 deletions(-) (limited to 'crypto/cmp') diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index e2f7169dda..1d17f77bd6 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -208,6 +208,31 @@ int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a) return (int)res; } +static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval, + const ASN1_ITEM *it, void *exarg) +{ + OSSL_CMP_MSG *ret = (OSSL_CMP_MSG *)*pval; + + switch (operation) { + case ASN1_OP_FREE_POST: + OPENSSL_free(ret->propq); + break; + + case ASN1_OP_DUP_POST: + { + OSSL_CMP_MSG *old = exarg; + + if (!ossl_cmp_msg_set0_libctx(ret, old->libctx, old->propq)) + return 0; + } + break; + default: + break; + } + + return 1; +} + ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = { /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0), @@ -405,14 +430,13 @@ ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = { } ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART) IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART) -ASN1_SEQUENCE(OSSL_CMP_MSG) = { +ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = { ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER), ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY), ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0), /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1) -} ASN1_SEQUENCE_END(OSSL_CMP_MSG) -IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_MSG) +} ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG) IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) = diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 2b22db3e82..9dba9e8169 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -670,8 +670,11 @@ struct ossl_cmp_msg_st { ASN1_BIT_STRING *protection; /* 0 */ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ STACK_OF(X509) *extraCerts; /* 1 */ + OSSL_LIB_CTX *libctx; + char *propq; } /* OSSL_CMP_MSG */; -DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG) +OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq); +void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg); /*- * ProtectedPart ::= SEQUENCE { @@ -852,6 +855,8 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); # define OSSL_CMP_CERTREQID 0 /* sequence id for the first - and so far only - revocation request */ # define OSSL_CMP_REVREQSID 0 +int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, + const char *propq); const char *ossl_cmp_bodytype_to_string(int type); int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type); int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg); diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index b9c347afb8..b625147b6e 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -20,6 +20,46 @@ #include #include +OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq) +{ + OSSL_CMP_MSG *msg = NULL; + + msg = (OSSL_CMP_MSG *)ASN1_item_new_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG), + libctx, propq); + if (!ossl_cmp_msg_set0_libctx(msg, libctx, propq)) { + OSSL_CMP_MSG_free(msg); + msg = NULL; + } + return msg; +} + +void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg) +{ + ASN1_item_free((ASN1_VALUE *)msg, ASN1_ITEM_rptr(OSSL_CMP_MSG)); +} + +/* + * This should only be used if the X509 object was embedded inside another + * asn1 object and it needs a libctx to operate. + * Use OSSL_CMP_MSG_new() instead if possible. + */ +int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, + const char *propq) +{ + if (msg != NULL) { + msg->libctx = libctx; + OPENSSL_free(msg->propq); + msg->propq = NULL; + if (propq != NULL) { + msg->propq = OPENSSL_strdup(propq); + if (msg->propq == NULL) + return 0; + } + } + return 1; +} + + OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg) { if (msg == NULL) { @@ -125,7 +165,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype) if (!ossl_assert(ctx != NULL)) return NULL; - if ((msg = OSSL_CMP_MSG_new()) == NULL) + if ((msg = OSSL_CMP_MSG_new(ctx->libctx, ctx->propq)) == NULL) return NULL; if (!ossl_cmp_hdr_init(ctx, msg->header) || !ossl_cmp_msg_set_bodytype(msg, bodytype)) @@ -1031,9 +1071,10 @@ int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) || ossl_cmp_msg_protect(ctx, msg); } -OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file) +OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, + const char *propq) { - OSSL_CMP_MSG *msg = NULL; + OSSL_CMP_MSG *msg; BIO *bio = NULL; if (file == NULL) { @@ -1041,9 +1082,18 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file) return NULL; } + msg = OSSL_CMP_MSG_new(libctx, propq); + if (msg == NULL){ + ERR_raise(ERR_LIB_CMP, ERR_R_MALLOC_FAILURE); + return NULL; + } + if ((bio = BIO_new_file(file, "rb")) == NULL) return NULL; - msg = d2i_OSSL_CMP_MSG_bio(bio, NULL); + if (d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) { + OSSL_CMP_MSG_free(msg); + msg = NULL; + } BIO_free(bio); return msg; } @@ -1066,10 +1116,40 @@ int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg) return res; } +OSSL_CMP_MSG *d2i_OSSL_CMP_MSG(OSSL_CMP_MSG **msg, const unsigned char **in, + long len) +{ + OSSL_LIB_CTX *libctx = NULL; + const char *propq = NULL; + + if (msg != NULL && *msg != NULL) { + libctx = (*msg)->libctx; + propq = (*msg)->propq; + } + + return (OSSL_CMP_MSG *)ASN1_item_d2i_ex((ASN1_VALUE **)msg, in, len, + ASN1_ITEM_rptr(OSSL_CMP_MSG), + libctx, propq); +} + +int i2d_OSSL_CMP_MSG(const OSSL_CMP_MSG *msg, unsigned char **out) +{ + return ASN1_item_i2d((const ASN1_VALUE *)msg, out, + ASN1_ITEM_rptr(OSSL_CMP_MSG)); +} + OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg) { - return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new, - d2i_OSSL_CMP_MSG, bio, msg); + OSSL_LIB_CTX *libctx = NULL; + const char *propq = NULL; + + if (msg != NULL && *msg != NULL) { + libctx = (*msg)->libctx; + propq = (*msg)->propq; + } + + return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG), bio, msg, libctx, + propq); } int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg) -- cgit v1.2.3