2
0

by_dir.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #if defined (__TANDEM) && defined (_SPT_MODEL_)
  10. /*
  11. * These definitions have to come first in SPT due to scoping of the
  12. * declarations in c99 associated with SPT use of stat.
  13. */
  14. # include <sys/types.h>
  15. # include <sys/stat.h>
  16. #endif
  17. #include "internal/e_os.h"
  18. #include "internal/cryptlib.h"
  19. #include <stdio.h>
  20. #include <time.h>
  21. #include <errno.h>
  22. #include <sys/types.h>
  23. #ifndef OPENSSL_NO_POSIX_IO
  24. # include <sys/stat.h>
  25. #endif
  26. #include <openssl/x509.h>
  27. #include "crypto/x509.h"
  28. #include "x509_local.h"
  29. struct lookup_dir_hashes_st {
  30. unsigned long hash;
  31. int suffix;
  32. };
  33. struct lookup_dir_entry_st {
  34. char *dir;
  35. int dir_type;
  36. STACK_OF(BY_DIR_HASH) *hashes;
  37. };
  38. typedef struct lookup_dir_st {
  39. BUF_MEM *buffer;
  40. STACK_OF(BY_DIR_ENTRY) *dirs;
  41. CRYPTO_RWLOCK *lock;
  42. } BY_DIR;
  43. static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  44. char **retp);
  45. static int new_dir(X509_LOOKUP *lu);
  46. static void free_dir(X509_LOOKUP *lu);
  47. static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
  48. static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  49. const X509_NAME *name, X509_OBJECT *ret);
  50. static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  51. const X509_NAME *name, X509_OBJECT *ret,
  52. OSSL_LIB_CTX *libctx, const char *propq);
  53. static X509_LOOKUP_METHOD x509_dir_lookup = {
  54. "Load certs from files in a directory",
  55. new_dir, /* new_item */
  56. free_dir, /* free */
  57. NULL, /* init */
  58. NULL, /* shutdown */
  59. dir_ctrl, /* ctrl */
  60. get_cert_by_subject, /* get_by_subject */
  61. NULL, /* get_by_issuer_serial */
  62. NULL, /* get_by_fingerprint */
  63. NULL, /* get_by_alias */
  64. get_cert_by_subject_ex, /* get_by_subject_ex */
  65. NULL, /* ctrl_ex */
  66. };
  67. X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
  68. {
  69. return &x509_dir_lookup;
  70. }
  71. static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  72. char **retp)
  73. {
  74. int ret = 0;
  75. BY_DIR *ld = (BY_DIR *)ctx->method_data;
  76. switch (cmd) {
  77. case X509_L_ADD_DIR:
  78. if (argl == X509_FILETYPE_DEFAULT) {
  79. /* If SSL_CERT_PATH is provided and non-empty, use that. */
  80. const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
  81. /* Fallback to SSL_CERT_DIR. */
  82. if (dir == NULL)
  83. dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
  84. /* Fallback to built-in default. */
  85. if (dir == NULL)
  86. dir = X509_get_default_cert_dir();
  87. ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
  88. if (!ret) {
  89. ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
  90. }
  91. } else
  92. ret = add_cert_dir(ld, argp, (int)argl);
  93. break;
  94. }
  95. return ret;
  96. }
  97. static int new_dir(X509_LOOKUP *lu)
  98. {
  99. BY_DIR *a = OPENSSL_malloc(sizeof(*a));
  100. if (a == NULL)
  101. return 0;
  102. if ((a->buffer = BUF_MEM_new()) == NULL) {
  103. ERR_raise(ERR_LIB_X509, ERR_R_BN_LIB);
  104. goto err;
  105. }
  106. a->dirs = NULL;
  107. a->lock = CRYPTO_THREAD_lock_new();
  108. if (a->lock == NULL) {
  109. BUF_MEM_free(a->buffer);
  110. ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
  111. goto err;
  112. }
  113. lu->method_data = a;
  114. return 1;
  115. err:
  116. OPENSSL_free(a);
  117. return 0;
  118. }
  119. static void by_dir_hash_free(BY_DIR_HASH *hash)
  120. {
  121. OPENSSL_free(hash);
  122. }
  123. static int by_dir_hash_cmp(const BY_DIR_HASH *const *a,
  124. const BY_DIR_HASH *const *b)
  125. {
  126. if ((*a)->hash > (*b)->hash)
  127. return 1;
  128. if ((*a)->hash < (*b)->hash)
  129. return -1;
  130. return 0;
  131. }
  132. static void by_dir_entry_free(BY_DIR_ENTRY *ent)
  133. {
  134. OPENSSL_free(ent->dir);
  135. sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
  136. OPENSSL_free(ent);
  137. }
  138. static void free_dir(X509_LOOKUP *lu)
  139. {
  140. BY_DIR *a = (BY_DIR *)lu->method_data;
  141. sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
  142. BUF_MEM_free(a->buffer);
  143. CRYPTO_THREAD_lock_free(a->lock);
  144. OPENSSL_free(a);
  145. }
  146. static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
  147. {
  148. int j;
  149. size_t len;
  150. const char *s, *ss, *p;
  151. if (dir == NULL || *dir == '\0') {
  152. ERR_raise(ERR_LIB_X509, X509_R_INVALID_DIRECTORY);
  153. return 0;
  154. }
  155. s = dir;
  156. p = s;
  157. do {
  158. if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) {
  159. BY_DIR_ENTRY *ent;
  160. ss = s;
  161. s = p + 1;
  162. len = p - ss;
  163. if (len == 0)
  164. continue;
  165. for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
  166. ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
  167. if (strlen(ent->dir) == len && strncmp(ent->dir, ss, len) == 0)
  168. break;
  169. }
  170. if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
  171. continue;
  172. if (ctx->dirs == NULL) {
  173. ctx->dirs = sk_BY_DIR_ENTRY_new_null();
  174. if (!ctx->dirs) {
  175. ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
  176. return 0;
  177. }
  178. }
  179. ent = OPENSSL_malloc(sizeof(*ent));
  180. if (ent == NULL)
  181. return 0;
  182. ent->dir_type = type;
  183. ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
  184. ent->dir = OPENSSL_strndup(ss, len);
  185. if (ent->dir == NULL || ent->hashes == NULL) {
  186. by_dir_entry_free(ent);
  187. return 0;
  188. }
  189. if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) {
  190. by_dir_entry_free(ent);
  191. ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
  192. return 0;
  193. }
  194. }
  195. } while (*p++ != '\0');
  196. return 1;
  197. }
  198. static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  199. const X509_NAME *name, X509_OBJECT *ret,
  200. OSSL_LIB_CTX *libctx, const char *propq)
  201. {
  202. BY_DIR *ctx;
  203. union {
  204. X509 st_x509;
  205. X509_CRL crl;
  206. } data;
  207. int ok = 0;
  208. int i, j, k;
  209. unsigned long h;
  210. BUF_MEM *b = NULL;
  211. X509_OBJECT stmp, *tmp;
  212. const char *postfix = "";
  213. if (name == NULL)
  214. return 0;
  215. stmp.type = type;
  216. if (type == X509_LU_X509) {
  217. data.st_x509.cert_info.subject = (X509_NAME *)name; /* won't modify it */
  218. stmp.data.x509 = &data.st_x509;
  219. } else if (type == X509_LU_CRL) {
  220. data.crl.crl.issuer = (X509_NAME *)name; /* won't modify it */
  221. stmp.data.crl = &data.crl;
  222. postfix = "r";
  223. } else {
  224. ERR_raise(ERR_LIB_X509, X509_R_WRONG_LOOKUP_TYPE);
  225. goto finish;
  226. }
  227. if ((b = BUF_MEM_new()) == NULL) {
  228. ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
  229. goto finish;
  230. }
  231. ctx = (BY_DIR *)xl->method_data;
  232. h = X509_NAME_hash_ex(name, libctx, propq, &i);
  233. if (i == 0)
  234. goto finish;
  235. for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {
  236. BY_DIR_ENTRY *ent;
  237. int idx;
  238. BY_DIR_HASH htmp, *hent;
  239. ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
  240. j = strlen(ent->dir) + 1 + 8 + 6 + 1 + 1;
  241. if (!BUF_MEM_grow(b, j)) {
  242. ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
  243. goto finish;
  244. }
  245. if (type == X509_LU_CRL && ent->hashes) {
  246. htmp.hash = h;
  247. if (!CRYPTO_THREAD_read_lock(ctx->lock))
  248. goto finish;
  249. idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
  250. if (idx >= 0) {
  251. hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
  252. k = hent->suffix;
  253. } else {
  254. hent = NULL;
  255. k = 0;
  256. }
  257. CRYPTO_THREAD_unlock(ctx->lock);
  258. } else {
  259. k = 0;
  260. hent = NULL;
  261. }
  262. for (;;) {
  263. char c = '/';
  264. #ifdef OPENSSL_SYS_VMS
  265. c = ent->dir[strlen(ent->dir) - 1];
  266. if (c != ':' && c != '>' && c != ']') {
  267. /*
  268. * If no separator is present, we assume the directory
  269. * specifier is a logical name, and add a colon. We really
  270. * should use better VMS routines for merging things like
  271. * this, but this will do for now... -- Richard Levitte
  272. */
  273. c = ':';
  274. } else {
  275. c = '\0';
  276. }
  277. if (c == '\0') {
  278. /*
  279. * This is special. When c == '\0', no directory separator
  280. * should be added.
  281. */
  282. BIO_snprintf(b->data, b->max,
  283. "%s%08lx.%s%d", ent->dir, h, postfix, k);
  284. } else
  285. #endif
  286. {
  287. BIO_snprintf(b->data, b->max,
  288. "%s%c%08lx.%s%d", ent->dir, c, h, postfix, k);
  289. }
  290. #ifndef OPENSSL_NO_POSIX_IO
  291. # ifdef _WIN32
  292. # define stat _stat
  293. # endif
  294. {
  295. struct stat st;
  296. if (stat(b->data, &st) < 0)
  297. break;
  298. }
  299. #endif
  300. /* found one. */
  301. if (type == X509_LU_X509) {
  302. if ((X509_load_cert_file_ex(xl, b->data, ent->dir_type, libctx,
  303. propq)) == 0)
  304. break;
  305. } else if (type == X509_LU_CRL) {
  306. if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0)
  307. break;
  308. }
  309. /* else case will caught higher up */
  310. k++;
  311. }
  312. /*
  313. * we have added it to the cache so now pull it out again
  314. */
  315. X509_STORE_lock(xl->store_ctx);
  316. j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
  317. tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
  318. X509_STORE_unlock(xl->store_ctx);
  319. /* If a CRL, update the last file suffix added for this */
  320. if (type == X509_LU_CRL) {
  321. if (!CRYPTO_THREAD_write_lock(ctx->lock))
  322. goto finish;
  323. /*
  324. * Look for entry again in case another thread added an entry
  325. * first.
  326. */
  327. if (hent == NULL) {
  328. htmp.hash = h;
  329. idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
  330. hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
  331. }
  332. if (hent == NULL) {
  333. hent = OPENSSL_malloc(sizeof(*hent));
  334. if (hent == NULL) {
  335. CRYPTO_THREAD_unlock(ctx->lock);
  336. ok = 0;
  337. goto finish;
  338. }
  339. hent->hash = h;
  340. hent->suffix = k;
  341. if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
  342. CRYPTO_THREAD_unlock(ctx->lock);
  343. OPENSSL_free(hent);
  344. ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
  345. ok = 0;
  346. goto finish;
  347. }
  348. } else if (hent->suffix < k) {
  349. hent->suffix = k;
  350. }
  351. CRYPTO_THREAD_unlock(ctx->lock);
  352. }
  353. if (tmp != NULL) {
  354. ok = 1;
  355. ret->type = tmp->type;
  356. memcpy(&ret->data, &tmp->data, sizeof(ret->data));
  357. /*
  358. * Clear any errors that might have been raised processing empty
  359. * or malformed files.
  360. */
  361. ERR_clear_error();
  362. goto finish;
  363. }
  364. }
  365. finish:
  366. BUF_MEM_free(b);
  367. return ok;
  368. }
  369. static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  370. const X509_NAME *name, X509_OBJECT *ret)
  371. {
  372. return get_cert_by_subject_ex(xl, type, name, ret, NULL, NULL);
  373. }