tls: update to structure based atomics

[openssl.git] / ssl / ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 73338e5c6ebfdc6adb8f31b07d1c0933cb3b95fa..126be668fdd96fd3caf5b520fab5a39ba52f121f 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -24,6 +24,16 @@
 #include "ssl_local.h"
 #include "ssl_cert_table.h"
 #include "internal/thread_once.h"
+#ifndef OPENSSL_NO_POSIX_IO
+# include <sys/stat.h>
+# ifdef _WIN32
+#  define stat _stat
+# endif
+# ifndef S_ISDIR
+#  define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
+# endif
+#endif
+
 
 static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid, void *other,
@@ -48,23 +58,31 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)
     return ssl_x509_store_ctx_idx;
 }
 
-CERT *ssl_cert_new(void)
+CERT *ssl_cert_new(size_t ssl_pkey_num)
 {
-    CERT *ret = OPENSSL_zalloc(sizeof(*ret));
+    CERT *ret = NULL;
 
-    if (ret == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    /* Should never happen */
+    if (!ossl_assert(ssl_pkey_num >= SSL_PKEY_NUM))
+        return NULL;
+
+    ret = OPENSSL_zalloc(sizeof(*ret));
+    if (ret == NULL)
+        return NULL;
+
+    ret->ssl_pkey_num = ssl_pkey_num;
+    ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY));
+    if (ret->pkeys == NULL) {
+        OPENSSL_free(ret);
         return NULL;
     }
 
     ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
-    ret->references = 1;
     ret->sec_cb = ssl_security_default_callback;
     ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
     ret->sec_ex = NULL;
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    if (!CRYPTO_NEW_REF(&ret->references, 1)) {
+        OPENSSL_free(ret->pkeys);
         OPENSSL_free(ret);
         return NULL;
     }
@@ -75,18 +93,24 @@ CERT *ssl_cert_new(void)
 CERT *ssl_cert_dup(CERT *cert)
 {
     CERT *ret = OPENSSL_zalloc(sizeof(*ret));
-    int i;
+    size_t i;
+#ifndef OPENSSL_NO_COMP_ALG
+    int j;
+#endif
 
-    if (ret == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    if (ret == NULL)
+        return NULL;
+
+    ret->ssl_pkey_num = cert->ssl_pkey_num;
+    ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY));
+    if (ret->pkeys == NULL) {
+        OPENSSL_free(ret);
         return NULL;
     }
 
-    ret->references = 1;
     ret->key = &ret->pkeys[cert->key - cert->pkeys];
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    if (!CRYPTO_NEW_REF(&ret->references, 1)) {
+        OPENSSL_free(ret->pkeys);
         OPENSSL_free(ret);
         return NULL;
     }
@@ -99,9 +123,10 @@ CERT *ssl_cert_dup(CERT *cert)
     ret->dh_tmp_cb = cert->dh_tmp_cb;
     ret->dh_tmp_auto = cert->dh_tmp_auto;
 
-    for (i = 0; i < SSL_PKEY_NUM; i++) {
+    for (i = 0; i < ret->ssl_pkey_num; i++) {
         CERT_PKEY *cpk = cert->pkeys + i;
         CERT_PKEY *rpk = ret->pkeys + i;
+
         if (cpk->x509 != NULL) {
             rpk->x509 = cpk->x509;
             X509_up_ref(rpk->x509);
@@ -115,22 +140,26 @@ CERT *ssl_cert_dup(CERT *cert)
         if (cpk->chain) {
             rpk->chain = X509_chain_up_ref(cpk->chain);
             if (!rpk->chain) {
-                ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+                ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
                 goto err;
             }
         }
-        if (cert->pkeys[i].serverinfo != NULL) {
+        if (cpk->serverinfo != NULL) {
             /* Just copy everything. */
-            ret->pkeys[i].serverinfo =
-                OPENSSL_malloc(cert->pkeys[i].serverinfo_length);
-            if (ret->pkeys[i].serverinfo == NULL) {
-                ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+            rpk->serverinfo = OPENSSL_memdup(cpk->serverinfo, cpk->serverinfo_length);
+            if (rpk->serverinfo == NULL)
                 goto err;
+            rpk->serverinfo_length = cpk->serverinfo_length;
+        }
+#ifndef OPENSSL_NO_COMP_ALG
+        for (j = TLSEXT_comp_cert_none; j < TLSEXT_comp_cert_limit; j++) {
+            if (cpk->comp_cert[j] != NULL) {
+                if (!OSSL_COMP_CERT_up_ref(cpk->comp_cert[j]))
+                    goto err;
+                rpk->comp_cert[j] = cpk->comp_cert[j];
             }
-            ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length;
-            memcpy(ret->pkeys[i].serverinfo,
-                   cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length);
         }
+#endif
     }
 
     /* Configured sigalgs copied across */
@@ -203,10 +232,14 @@ CERT *ssl_cert_dup(CERT *cert)
 
 void ssl_cert_clear_certs(CERT *c)
 {
-    int i;
+    size_t i;
+#ifndef OPENSSL_NO_COMP_ALG
+    int j;
+#endif
+    
     if (c == NULL)
         return;
-    for (i = 0; i < SSL_PKEY_NUM; i++) {
+    for (i = 0; i < c->ssl_pkey_num; i++) {
         CERT_PKEY *cpk = c->pkeys + i;
         X509_free(cpk->x509);
         cpk->x509 = NULL;
@@ -217,6 +250,13 @@ void ssl_cert_clear_certs(CERT *c)
         OPENSSL_free(cpk->serverinfo);
         cpk->serverinfo = NULL;
         cpk->serverinfo_length = 0;
+#ifndef OPENSSL_NO_COMP_ALG
+        for (j = 0; j < TLSEXT_comp_cert_limit; j++) {
+            OSSL_COMP_CERT_free(cpk->comp_cert[j]);
+            cpk->comp_cert[j] = NULL;
+            cpk->cert_comp_used = 0;
+        }
+#endif
     }
 }
 
@@ -226,7 +266,7 @@ void ssl_cert_free(CERT *c)
 
     if (c == NULL)
         return;
-    CRYPTO_DOWN_REF(&c->references, &i, c->lock);
+    CRYPTO_DOWN_REF(&c->references, &i);
     REF_PRINT_COUNT("CERT", c);
     if (i > 0)
         return;
@@ -244,7 +284,8 @@ void ssl_cert_free(CERT *c)
 #ifndef OPENSSL_NO_PSK
     OPENSSL_free(c->psk_identity_hint);
 #endif
-    CRYPTO_THREAD_lock_free(c->lock);
+    OPENSSL_free(c->pkeys);
+    CRYPTO_FREE_REF(&c->references);
     OPENSSL_free(c);
 }
 
@@ -272,6 +313,7 @@ int ssl_cert_set0_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
 int ssl_cert_set1_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
     STACK_OF(X509) *dchain;
+
     if (!chain)
         return ssl_cert_set0_chain(s, ctx, NULL);
     dchain = X509_chain_up_ref(chain);
@@ -288,6 +330,7 @@ int ssl_cert_add0_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x)
 {
     int r;
     CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+
     if (!cpk)
         return 0;
     r = ssl_security_cert(s, ctx, x, 0, 0);
@@ -312,10 +355,11 @@ int ssl_cert_add1_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x)
 
 int ssl_cert_select_current(CERT *c, X509 *x)
 {
-    int i;
+    size_t i;
+
     if (x == NULL)
         return 0;
-    for (i = 0; i < SSL_PKEY_NUM; i++) {
+    for (i = 0; i < c->ssl_pkey_num; i++) {
         CERT_PKEY *cpk = c->pkeys + i;
         if (cpk->x509 == x && cpk->privatekey) {
             c->key = cpk;
@@ -323,7 +367,7 @@ int ssl_cert_select_current(CERT *c, X509 *x)
         }
     }
 
-    for (i = 0; i < SSL_PKEY_NUM; i++) {
+    for (i = 0; i < c->ssl_pkey_num; i++) {
         CERT_PKEY *cpk = c->pkeys + i;
         if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) {
             c->key = cpk;
@@ -335,18 +379,19 @@ int ssl_cert_select_current(CERT *c, X509 *x)
 
 int ssl_cert_set_current(CERT *c, long op)
 {
-    int i, idx;
+    size_t i, idx;
+
     if (!c)
         return 0;
     if (op == SSL_CERT_SET_FIRST)
         idx = 0;
     else if (op == SSL_CERT_SET_NEXT) {
-        idx = (int)(c->key - c->pkeys + 1);
-        if (idx >= SSL_PKEY_NUM)
+        idx = (size_t)(c->key - c->pkeys + 1);
+        if (idx >= c->ssl_pkey_num)
             return 0;
     } else
         return 0;
-    for (i = idx; i < SSL_PKEY_NUM; i++) {
+    for (i = idx; i < c->ssl_pkey_num; i++) {
         CERT_PKEY *cpk = c->pkeys + i;
         if (cpk->x509 && cpk->privatekey) {
             c->key = cpk;
@@ -363,13 +408,13 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
 }
 
 /*
- * Verify a certificate chain
+ * Verify a certificate chain/raw public key
  * Return codes:
  *  1: Verify success
  *  0: Verify failure or error
  * -1: Retry required
  */
-int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
+static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY *rpk)
 {
     X509 *x;
     int i = 0;
@@ -378,7 +423,12 @@ int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
     X509_VERIFY_PARAM *param;
     SSL_CTX *sctx;
 
-    if ((sk == NULL) || (sk_X509_num(sk) == 0))
+    /* Something must be passed in */
+    if ((sk == NULL || sk_X509_num(sk) == 0) && rpk == NULL)
+        return 0;
+
+    /* Only one can be set */
+    if (sk != NULL && rpk != NULL)
         return 0;
 
     sctx = SSL_CONNECTION_GET_CTX(s);
@@ -389,14 +439,21 @@ int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
 
     ctx = X509_STORE_CTX_new_ex(sctx->libctx, sctx->propq);
     if (ctx == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+        ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
         return 0;
     }
 
-    x = sk_X509_value(sk, 0);
-    if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
-        goto end;
+    if (sk != NULL) {
+        x = sk_X509_value(sk, 0);
+        if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
+            ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
+            goto end;
+        }
+    } else {
+        if (!X509_STORE_CTX_init_rpk(ctx, verify_store, rpk)) {
+            ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
+            goto end;
+        }
     }
     param = X509_STORE_CTX_get0_param(ctx);
     /*
@@ -445,10 +502,11 @@ int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
     s->verify_result = X509_STORE_CTX_get_error(ctx);
     OSSL_STACK_OF_X509_free(s->verified_chain);
     s->verified_chain = NULL;
-    if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
+
+    if (sk != NULL && X509_STORE_CTX_get0_chain(ctx) != NULL) {
         s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
         if (s->verified_chain == NULL) {
-            ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+            ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
             i = 0;
         }
     }
@@ -461,6 +519,30 @@ int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
     return i;
 }
 
+/*
+ * Verify a raw public key
+ * Return codes:
+ *  1: Verify success
+ *  0: Verify failure or error
+ * -1: Retry required
+ */
+int ssl_verify_rpk(SSL_CONNECTION *s, EVP_PKEY *rpk)
+{
+    return ssl_verify_internal(s, NULL, rpk);
+}
+
+/*
+ * Verify a certificate chain
+ * Return codes:
+ *  1: Verify success
+ *  0: Verify failure or error
+ * -1: Retry required
+ */
+int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
+{
+    return ssl_verify_internal(s, sk, NULL);
+}
+
 static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
                         STACK_OF(X509_NAME) *name_list)
 {
@@ -477,13 +559,13 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
 
     ret = sk_X509_NAME_new_reserve(NULL, num);
     if (ret == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
         return NULL;
     }
     for (i = 0; i < num; i++) {
         name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
         if (name == NULL) {
-            ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+            ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
             sk_X509_NAME_pop_free(ret, X509_NAME_free);
             return NULL;
         }
@@ -664,14 +746,18 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file,
     LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
     OSSL_LIB_CTX *prev_libctx = NULL;
 
-    if ((name_hash == NULL) || (in == NULL)) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    if (name_hash == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
+        goto err;
+    }
+    if (in == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB);
         goto err;
     }
 
     x = X509_new_ex(libctx, propq);
     if (x == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+        ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
         goto err;
     }
     if (BIO_read_filename(in, file) <= 0)
@@ -685,7 +771,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file,
         if (ret == NULL) {
             ret = sk_X509_NAME_new_null();
             if (ret == NULL) {
-                ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+                ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
                 goto err;
             }
         }
@@ -741,7 +827,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
     in = BIO_new(BIO_s_file());
 
     if (in == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+        ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB);
         goto err;
     }
 
@@ -789,7 +875,14 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
     while ((filename = OPENSSL_DIR_read(&d, dir))) {
         char buf[1024];
         int r;
+#ifndef OPENSSL_NO_POSIX_IO
+        struct stat st;
 
+#else
+        /* Cannot use stat so just skip current and parent directories */
+        if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0)
+            continue;
+#endif
         if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) {
             ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG);
             goto err;
@@ -798,6 +891,11 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
         r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename);
 #else
         r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename);
+#endif
+#ifndef OPENSSL_NO_POSIX_IO
+        /* Skip subdirectories */
+        if (!stat(buf, &st) && S_ISDIR(st.st_mode))
+            continue;
 #endif
         if (r <= 0 || r >= (int)sizeof(buf))
             goto err;
@@ -927,7 +1025,7 @@ int ssl_build_cert_chain(SSL_CONNECTION *s, SSL_CTX *ctx, int flags)
 
     xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, real_ctx->propq);
     if (xs_ctx == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+        ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
         goto err;
     }
     if (!X509_STORE_CTX_init(xs_ctx, chain_store, cpk->x509, untrusted)) {
@@ -1123,7 +1221,7 @@ int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
                              ctx->cert->sec_ex);
 }
 
-int ssl_cert_lookup_by_nid(int nid, size_t *pidx)
+int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx)
 {
     size_t i;
 
@@ -1133,16 +1231,22 @@ int ssl_cert_lookup_by_nid(int nid, size_t *pidx)
             return 1;
         }
     }
-
+    for (i = 0; i < ctx->sigalg_list_len; i++) {
+        if (ctx->ssl_cert_info[i].nid == nid) {
+            *pidx = SSL_PKEY_NUM + i;
+            return 1;
+        }
+    }
     return 0;
 }
 
-const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
+SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_CTX *ctx)
 {
     size_t i;
 
+    /* check classic pk types */
     for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
-        const SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i];
+        SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i];
 
         if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
             || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) {
@@ -1151,13 +1255,26 @@ const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
             return tmp_lu;
         }
     }
+    /* check provider-loaded pk types */
+    for (i = 0; ctx->sigalg_list_len; i++) {
+        SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]);
+
+        if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
+            || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) {
+            if (pidx != NULL)
+                *pidx = SSL_PKEY_NUM + i;
+            return &ctx->ssl_cert_info[i];
+        }
+    }
 
     return NULL;
 }
 
-const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)
+SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx)
 {
-    if (idx >= OSSL_NELEM(ssl_cert_info))
+    if (idx >= (OSSL_NELEM(ssl_cert_info) + ctx->sigalg_list_len))
         return NULL;
+    else if (idx >= (OSSL_NELEM(ssl_cert_info)))
+        return &(ctx->ssl_cert_info[idx - SSL_PKEY_NUM]);
     return &ssl_cert_info[idx];
 }