by_dir.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "e_os.h"
  10. #include "internal/cryptlib.h"
  11. #include <stdio.h>
  12. #include <time.h>
  13. #include <errno.h>
  14. #include <sys/types.h>
  15. #ifndef OPENSSL_NO_POSIX_IO
  16. # include <sys/stat.h>
  17. #endif
  18. #include <openssl/x509.h>
  19. #include "internal/x509_int.h"
  20. #include "x509_lcl.h"
  21. struct lookup_dir_hashes_st {
  22. unsigned long hash;
  23. int suffix;
  24. };
  25. struct lookup_dir_entry_st {
  26. char *dir;
  27. int dir_type;
  28. STACK_OF(BY_DIR_HASH) *hashes;
  29. };
  30. typedef struct lookup_dir_st {
  31. BUF_MEM *buffer;
  32. STACK_OF(BY_DIR_ENTRY) *dirs;
  33. CRYPTO_RWLOCK *lock;
  34. } BY_DIR;
  35. static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  36. char **ret);
  37. static int new_dir(X509_LOOKUP *lu);
  38. static void free_dir(X509_LOOKUP *lu);
  39. static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
  40. static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  41. X509_NAME *name, X509_OBJECT *ret);
  42. static X509_LOOKUP_METHOD x509_dir_lookup = {
  43. "Load certs from files in a directory",
  44. new_dir, /* new_item */
  45. free_dir, /* free */
  46. NULL, /* init */
  47. NULL, /* shutdown */
  48. dir_ctrl, /* ctrl */
  49. get_cert_by_subject, /* get_by_subject */
  50. NULL, /* get_by_issuer_serial */
  51. NULL, /* get_by_fingerprint */
  52. NULL, /* get_by_alias */
  53. };
  54. X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
  55. {
  56. return &x509_dir_lookup;
  57. }
  58. static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
  59. char **retp)
  60. {
  61. int ret = 0;
  62. BY_DIR *ld = (BY_DIR *)ctx->method_data;
  63. switch (cmd) {
  64. case X509_L_ADD_DIR:
  65. if (argl == X509_FILETYPE_DEFAULT) {
  66. const char *dir = getenv(X509_get_default_cert_dir_env());
  67. if (dir)
  68. ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
  69. else
  70. ret = add_cert_dir(ld, X509_get_default_cert_dir(),
  71. X509_FILETYPE_PEM);
  72. if (!ret) {
  73. X509err(X509_F_DIR_CTRL, X509_R_LOADING_CERT_DIR);
  74. }
  75. } else
  76. ret = add_cert_dir(ld, argp, (int)argl);
  77. break;
  78. }
  79. return ret;
  80. }
  81. static int new_dir(X509_LOOKUP *lu)
  82. {
  83. BY_DIR *a = OPENSSL_malloc(sizeof(*a));
  84. if (a == NULL) {
  85. X509err(X509_F_NEW_DIR, ERR_R_MALLOC_FAILURE);
  86. return 0;
  87. }
  88. if ((a->buffer = BUF_MEM_new()) == NULL) {
  89. X509err(X509_F_NEW_DIR, ERR_R_MALLOC_FAILURE);
  90. goto err;
  91. }
  92. a->dirs = NULL;
  93. a->lock = CRYPTO_THREAD_lock_new();
  94. if (a->lock == NULL) {
  95. BUF_MEM_free(a->buffer);
  96. X509err(X509_F_NEW_DIR, ERR_R_MALLOC_FAILURE);
  97. goto err;
  98. }
  99. lu->method_data = a;
  100. return 1;
  101. err:
  102. OPENSSL_free(a);
  103. return 0;
  104. }
  105. static void by_dir_hash_free(BY_DIR_HASH *hash)
  106. {
  107. OPENSSL_free(hash);
  108. }
  109. static int by_dir_hash_cmp(const BY_DIR_HASH *const *a,
  110. const BY_DIR_HASH *const *b)
  111. {
  112. if ((*a)->hash > (*b)->hash)
  113. return 1;
  114. if ((*a)->hash < (*b)->hash)
  115. return -1;
  116. return 0;
  117. }
  118. static void by_dir_entry_free(BY_DIR_ENTRY *ent)
  119. {
  120. OPENSSL_free(ent->dir);
  121. sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
  122. OPENSSL_free(ent);
  123. }
  124. static void free_dir(X509_LOOKUP *lu)
  125. {
  126. BY_DIR *a = (BY_DIR *)lu->method_data;
  127. sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
  128. BUF_MEM_free(a->buffer);
  129. CRYPTO_THREAD_lock_free(a->lock);
  130. OPENSSL_free(a);
  131. }
  132. static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
  133. {
  134. int j;
  135. size_t len;
  136. const char *s, *ss, *p;
  137. if (dir == NULL || !*dir) {
  138. X509err(X509_F_ADD_CERT_DIR, X509_R_INVALID_DIRECTORY);
  139. return 0;
  140. }
  141. s = dir;
  142. p = s;
  143. do {
  144. if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) {
  145. BY_DIR_ENTRY *ent;
  146. ss = s;
  147. s = p + 1;
  148. len = p - ss;
  149. if (len == 0)
  150. continue;
  151. for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
  152. ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
  153. if (strlen(ent->dir) == len && strncmp(ent->dir, ss, len) == 0)
  154. break;
  155. }
  156. if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
  157. continue;
  158. if (ctx->dirs == NULL) {
  159. ctx->dirs = sk_BY_DIR_ENTRY_new_null();
  160. if (!ctx->dirs) {
  161. X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
  162. return 0;
  163. }
  164. }
  165. ent = OPENSSL_malloc(sizeof(*ent));
  166. if (ent == NULL) {
  167. X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
  168. return 0;
  169. }
  170. ent->dir_type = type;
  171. ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
  172. ent->dir = OPENSSL_strndup(ss, len);
  173. if (ent->dir == NULL || ent->hashes == NULL) {
  174. by_dir_entry_free(ent);
  175. return 0;
  176. }
  177. if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) {
  178. by_dir_entry_free(ent);
  179. X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
  180. return 0;
  181. }
  182. }
  183. } while (*p++ != '\0');
  184. return 1;
  185. }
  186. static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
  187. X509_NAME *name, X509_OBJECT *ret)
  188. {
  189. BY_DIR *ctx;
  190. union {
  191. X509 st_x509;
  192. X509_CRL crl;
  193. } data;
  194. int ok = 0;
  195. int i, j, k;
  196. unsigned long h;
  197. BUF_MEM *b = NULL;
  198. X509_OBJECT stmp, *tmp;
  199. const char *postfix = "";
  200. if (name == NULL)
  201. return 0;
  202. stmp.type = type;
  203. if (type == X509_LU_X509) {
  204. data.st_x509.cert_info.subject = name;
  205. stmp.data.x509 = &data.st_x509;
  206. postfix = "";
  207. } else if (type == X509_LU_CRL) {
  208. data.crl.crl.issuer = name;
  209. stmp.data.crl = &data.crl;
  210. postfix = "r";
  211. } else {
  212. X509err(X509_F_GET_CERT_BY_SUBJECT, X509_R_WRONG_LOOKUP_TYPE);
  213. goto finish;
  214. }
  215. if ((b = BUF_MEM_new()) == NULL) {
  216. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_BUF_LIB);
  217. goto finish;
  218. }
  219. ctx = (BY_DIR *)xl->method_data;
  220. h = X509_NAME_hash(name);
  221. for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {
  222. BY_DIR_ENTRY *ent;
  223. int idx;
  224. BY_DIR_HASH htmp, *hent;
  225. ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
  226. j = strlen(ent->dir) + 1 + 8 + 6 + 1 + 1;
  227. if (!BUF_MEM_grow(b, j)) {
  228. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
  229. goto finish;
  230. }
  231. if (type == X509_LU_CRL && ent->hashes) {
  232. htmp.hash = h;
  233. CRYPTO_THREAD_read_lock(ctx->lock);
  234. idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
  235. if (idx >= 0) {
  236. hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
  237. k = hent->suffix;
  238. } else {
  239. hent = NULL;
  240. k = 0;
  241. }
  242. CRYPTO_THREAD_unlock(ctx->lock);
  243. } else {
  244. k = 0;
  245. hent = NULL;
  246. }
  247. for (;;) {
  248. char c = '/';
  249. #ifdef OPENSSL_SYS_VMS
  250. c = ent->dir[strlen(ent->dir) - 1];
  251. if (c != ':' && c != '>' && c != ']') {
  252. /*
  253. * If no separator is present, we assume the directory
  254. * specifier is a logical name, and add a colon. We really
  255. * should use better VMS routines for merging things like
  256. * this, but this will do for now... -- Richard Levitte
  257. */
  258. c = ':';
  259. } else {
  260. c = '\0';
  261. }
  262. #endif
  263. if (c == '\0') {
  264. /*
  265. * This is special. When c == '\0', no directory separator
  266. * should be added.
  267. */
  268. BIO_snprintf(b->data, b->max,
  269. "%s%08lx.%s%d", ent->dir, h, postfix, k);
  270. } else {
  271. BIO_snprintf(b->data, b->max,
  272. "%s%c%08lx.%s%d", ent->dir, c, h, postfix, k);
  273. }
  274. #ifndef OPENSSL_NO_POSIX_IO
  275. # ifdef _WIN32
  276. # define stat _stat
  277. # endif
  278. {
  279. struct stat st;
  280. if (stat(b->data, &st) < 0)
  281. break;
  282. }
  283. #endif
  284. /* found one. */
  285. if (type == X509_LU_X509) {
  286. if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0)
  287. break;
  288. } else if (type == X509_LU_CRL) {
  289. if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0)
  290. break;
  291. }
  292. /* else case will caught higher up */
  293. k++;
  294. }
  295. /*
  296. * we have added it to the cache so now pull it out again
  297. */
  298. CRYPTO_THREAD_write_lock(ctx->lock);
  299. j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
  300. if (j != -1)
  301. tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
  302. else
  303. tmp = NULL;
  304. CRYPTO_THREAD_unlock(ctx->lock);
  305. /* If a CRL, update the last file suffix added for this */
  306. if (type == X509_LU_CRL) {
  307. CRYPTO_THREAD_write_lock(ctx->lock);
  308. /*
  309. * Look for entry again in case another thread added an entry
  310. * first.
  311. */
  312. if (!hent) {
  313. htmp.hash = h;
  314. idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
  315. if (idx >= 0)
  316. hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
  317. }
  318. if (hent == NULL) {
  319. hent = OPENSSL_malloc(sizeof(*hent));
  320. if (hent == NULL) {
  321. CRYPTO_THREAD_unlock(ctx->lock);
  322. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
  323. ok = 0;
  324. goto finish;
  325. }
  326. hent->hash = h;
  327. hent->suffix = k;
  328. if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
  329. CRYPTO_THREAD_unlock(ctx->lock);
  330. OPENSSL_free(hent);
  331. X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
  332. ok = 0;
  333. goto finish;
  334. }
  335. } else if (hent->suffix < k) {
  336. hent->suffix = k;
  337. }
  338. CRYPTO_THREAD_unlock(ctx->lock);
  339. }
  340. if (tmp != NULL) {
  341. ok = 1;
  342. ret->type = tmp->type;
  343. memcpy(&ret->data, &tmp->data, sizeof(ret->data));
  344. /*
  345. * Clear any errors that might have been raised processing empty
  346. * or malformed files.
  347. */
  348. ERR_clear_error();
  349. goto finish;
  350. }
  351. }
  352. finish:
  353. BUF_MEM_free(b);
  354. return ok;
  355. }