2
0

by_dir.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392
  1. /*
  2. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "e_os.h"
  10. #include "internal/cryptlib.h"
  11. #include <stdio.h>
  12. #include <time.h>
  13. #include <errno.h>
  14. #include <sys/types.h>
  15. #ifndef OPENSSL_NO_POSIX_IO
  16. # include <sys/stat.h>
  17. #endif
  18. #include <openssl/x509.h>
  19. #include "crypto/x509.h"
  20. #include "x509_local.h"
  21. DEFINE_STACK_OF(X509_OBJECT)
  22. struct lookup_dir_hashes_st {
  23. unsigned long hash;
  24. int suffix;
  25. };
  26. struct lookup_dir_entry_st {
  27. char *dir;
  28. int dir_type;
  29. STACK_OF(BY_DIR_HASH) *hashes;
  30. };
  31. typedef struct lookup_dir_st {
  32. BUF_MEM *buffer;
  33. STACK_OF(BY_DIR_ENTRY) *dirs;
  34. CRYPTO_RWLOCK *lock;
  35. } BY_DIR;
  36. static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  37. char **ret);
  38. static int new_dir(X509_LOOKUP *lu);
  39. static void free_dir(X509_LOOKUP *lu);
  40. static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
  41. static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  42. const X509_NAME *name, X509_OBJECT *ret);
  43. static X509_LOOKUP_METHOD x509_dir_lookup = {
  44. "Load certs from files in a directory",
  45. new_dir, /* new_item */
  46. free_dir, /* free */
  47. NULL, /* init */
  48. NULL, /* shutdown */
  49. dir_ctrl, /* ctrl */
  50. get_cert_by_subject, /* get_by_subject */
  51. NULL, /* get_by_issuer_serial */
  52. NULL, /* get_by_fingerprint */
  53. NULL, /* get_by_alias */
  54. };
  55. X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
  56. {
  57. return &x509_dir_lookup;
  58. }
  59. static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  60. char **retp)
  61. {
  62. int ret = 0;
  63. BY_DIR *ld = (BY_DIR *)ctx->method_data;
  64. switch (cmd) {
  65. case X509_L_ADD_DIR:
  66. if (argl == X509_FILETYPE_DEFAULT) {
  67. const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
  68. if (dir)
  69. ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
  70. else
  71. ret = add_cert_dir(ld, X509_get_default_cert_dir(),
  72. X509_FILETYPE_PEM);
  73. if (!ret) {
  74. X509err(X509_F_DIR_CTRL, X509_R_LOADING_CERT_DIR);
  75. }
  76. } else
  77. ret = add_cert_dir(ld, argp, (int)argl);
  78. break;
  79. }
  80. return ret;
  81. }
  82. static int new_dir(X509_LOOKUP *lu)
  83. {
  84. BY_DIR *a = OPENSSL_malloc(sizeof(*a));
  85. if (a == NULL) {
  86. X509err(X509_F_NEW_DIR, ERR_R_MALLOC_FAILURE);
  87. return 0;
  88. }
  89. if ((a->buffer = BUF_MEM_new()) == NULL) {
  90. X509err(X509_F_NEW_DIR, ERR_R_MALLOC_FAILURE);
  91. goto err;
  92. }
  93. a->dirs = NULL;
  94. a->lock = CRYPTO_THREAD_lock_new();
  95. if (a->lock == NULL) {
  96. BUF_MEM_free(a->buffer);
  97. X509err(X509_F_NEW_DIR, ERR_R_MALLOC_FAILURE);
  98. goto err;
  99. }
  100. lu->method_data = a;
  101. return 1;
  102. err:
  103. OPENSSL_free(a);
  104. return 0;
  105. }
  106. static void by_dir_hash_free(BY_DIR_HASH *hash)
  107. {
  108. OPENSSL_free(hash);
  109. }
  110. static int by_dir_hash_cmp(const BY_DIR_HASH *const *a,
  111. const BY_DIR_HASH *const *b)
  112. {
  113. if ((*a)->hash > (*b)->hash)
  114. return 1;
  115. if ((*a)->hash < (*b)->hash)
  116. return -1;
  117. return 0;
  118. }
  119. static void by_dir_entry_free(BY_DIR_ENTRY *ent)
  120. {
  121. OPENSSL_free(ent->dir);
  122. sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
  123. OPENSSL_free(ent);
  124. }
  125. static void free_dir(X509_LOOKUP *lu)
  126. {
  127. BY_DIR *a = (BY_DIR *)lu->method_data;
  128. sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
  129. BUF_MEM_free(a->buffer);
  130. CRYPTO_THREAD_lock_free(a->lock);
  131. OPENSSL_free(a);
  132. }
  133. static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
  134. {
  135. int j;
  136. size_t len;
  137. const char *s, *ss, *p;
  138. if (dir == NULL || *dir == '\0') {
  139. X509err(X509_F_ADD_CERT_DIR, X509_R_INVALID_DIRECTORY);
  140. return 0;
  141. }
  142. s = dir;
  143. p = s;
  144. do {
  145. if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) {
  146. BY_DIR_ENTRY *ent;
  147. ss = s;
  148. s = p + 1;
  149. len = p - ss;
  150. if (len == 0)
  151. continue;
  152. for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
  153. ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
  154. if (strlen(ent->dir) == len && strncmp(ent->dir, ss, len) == 0)
  155. break;
  156. }
  157. if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
  158. continue;
  159. if (ctx->dirs == NULL) {
  160. ctx->dirs = sk_BY_DIR_ENTRY_new_null();
  161. if (!ctx->dirs) {
  162. X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
  163. return 0;
  164. }
  165. }
  166. ent = OPENSSL_malloc(sizeof(*ent));
  167. if (ent == NULL) {
  168. X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
  169. return 0;
  170. }
  171. ent->dir_type = type;
  172. ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
  173. ent->dir = OPENSSL_strndup(ss, len);
  174. if (ent->dir == NULL || ent->hashes == NULL) {
  175. by_dir_entry_free(ent);
  176. return 0;
  177. }
  178. if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) {
  179. by_dir_entry_free(ent);
  180. X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
  181. return 0;
  182. }
  183. }
  184. } while (*p++ != '\0');
  185. return 1;
  186. }
  187. static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  188. const X509_NAME *name, X509_OBJECT *ret)
  189. {
  190. BY_DIR *ctx;
  191. union {
  192. X509 st_x509;
  193. X509_CRL crl;
  194. } data;
  195. int ok = 0;
  196. int i, j, k;
  197. unsigned long h;
  198. BUF_MEM *b = NULL;
  199. X509_OBJECT stmp, *tmp;
  200. const char *postfix = "";
  201. if (name == NULL)
  202. return 0;
  203. stmp.type = type;
  204. if (type == X509_LU_X509) {
  205. data.st_x509.cert_info.subject = (X509_NAME *)name; /* won't modify it */
  206. stmp.data.x509 = &data.st_x509;
  207. postfix = "";
  208. } else if (type == X509_LU_CRL) {
  209. data.crl.crl.issuer = (X509_NAME *)name; /* won't modify it */
  210. stmp.data.crl = &data.crl;
  211. postfix = "r";
  212. } else {
  213. X509err(X509_F_GET_CERT_BY_SUBJECT, X509_R_WRONG_LOOKUP_TYPE);
  214. goto finish;
  215. }
  216. if ((b = BUF_MEM_new()) == NULL) {
  217. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_BUF_LIB);
  218. goto finish;
  219. }
  220. ctx = (BY_DIR *)xl->method_data;
  221. h = X509_NAME_hash(name);
  222. for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {
  223. BY_DIR_ENTRY *ent;
  224. int idx;
  225. BY_DIR_HASH htmp, *hent;
  226. ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
  227. j = strlen(ent->dir) + 1 + 8 + 6 + 1 + 1;
  228. if (!BUF_MEM_grow(b, j)) {
  229. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
  230. goto finish;
  231. }
  232. if (type == X509_LU_CRL && ent->hashes) {
  233. htmp.hash = h;
  234. CRYPTO_THREAD_read_lock(ctx->lock);
  235. idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
  236. if (idx >= 0) {
  237. hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
  238. k = hent->suffix;
  239. } else {
  240. hent = NULL;
  241. k = 0;
  242. }
  243. CRYPTO_THREAD_unlock(ctx->lock);
  244. } else {
  245. k = 0;
  246. hent = NULL;
  247. }
  248. for (;;) {
  249. char c = '/';
  250. #ifdef OPENSSL_SYS_VMS
  251. c = ent->dir[strlen(ent->dir) - 1];
  252. if (c != ':' && c != '>' && c != ']') {
  253. /*
  254. * If no separator is present, we assume the directory
  255. * specifier is a logical name, and add a colon. We really
  256. * should use better VMS routines for merging things like
  257. * this, but this will do for now... -- Richard Levitte
  258. */
  259. c = ':';
  260. } else {
  261. c = '\0';
  262. }
  263. #endif
  264. if (c == '\0') {
  265. /*
  266. * This is special. When c == '\0', no directory separator
  267. * should be added.
  268. */
  269. BIO_snprintf(b->data, b->max,
  270. "%s%08lx.%s%d", ent->dir, h, postfix, k);
  271. } else {
  272. BIO_snprintf(b->data, b->max,
  273. "%s%c%08lx.%s%d", ent->dir, c, h, postfix, k);
  274. }
  275. #ifndef OPENSSL_NO_POSIX_IO
  276. # ifdef _WIN32
  277. # define stat _stat
  278. # endif
  279. {
  280. struct stat st;
  281. if (stat(b->data, &st) < 0)
  282. break;
  283. }
  284. #endif
  285. /* found one. */
  286. if (type == X509_LU_X509) {
  287. if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0)
  288. break;
  289. } else if (type == X509_LU_CRL) {
  290. if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0)
  291. break;
  292. }
  293. /* else case will caught higher up */
  294. k++;
  295. }
  296. /*
  297. * we have added it to the cache so now pull it out again
  298. */
  299. X509_STORE_lock(xl->store_ctx);
  300. j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
  301. tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
  302. X509_STORE_unlock(xl->store_ctx);
  303. /* If a CRL, update the last file suffix added for this */
  304. if (type == X509_LU_CRL) {
  305. CRYPTO_THREAD_write_lock(ctx->lock);
  306. /*
  307. * Look for entry again in case another thread added an entry
  308. * first.
  309. */
  310. if (hent == NULL) {
  311. htmp.hash = h;
  312. idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
  313. hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
  314. }
  315. if (hent == NULL) {
  316. hent = OPENSSL_malloc(sizeof(*hent));
  317. if (hent == NULL) {
  318. CRYPTO_THREAD_unlock(ctx->lock);
  319. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
  320. ok = 0;
  321. goto finish;
  322. }
  323. hent->hash = h;
  324. hent->suffix = k;
  325. if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
  326. CRYPTO_THREAD_unlock(ctx->lock);
  327. OPENSSL_free(hent);
  328. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
  329. ok = 0;
  330. goto finish;
  331. }
  332. } else if (hent->suffix < k) {
  333. hent->suffix = k;
  334. }
  335. CRYPTO_THREAD_unlock(ctx->lock);
  336. }
  337. if (tmp != NULL) {
  338. ok = 1;
  339. ret->type = tmp->type;
  340. memcpy(&ret->data, &tmp->data, sizeof(ret->data));
  341. /*
  342. * Clear any errors that might have been raised processing empty
  343. * or malformed files.
  344. */
  345. ERR_clear_error();
  346. goto finish;
  347. }
  348. }
  349. finish:
  350. BUF_MEM_free(b);
  351. return ok;
  352. }