PROV: Update the PEM to DER deserializer to handle encrypted legacy PEM

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)

providers/implementations/serializers/deserialize_pem2der.c

@@ -13,13 +13,17 @@
  */
 #include "internal/deprecated.h"
 
+#include <string.h>
+
 #include <openssl/core_dispatch.h>
 #include <openssl/core_names.h>
 #include <openssl/crypto.h>
+#include <openssl/err.h>
 #include <openssl/params.h>
 #include <openssl/pem.h>
 #include "prov/bio.h"
-#include "prov/implementations.h"
+#include "prov/bio.h"
+#include "prov/providercommonerr.h"
 #include "serializer_local.h"
 
 static OSSL_FUNC_deserializer_newctx_fn pem2der_newctx;
@@ -28,13 +32,42 @@ static OSSL_FUNC_deserializer_gettable_params_fn pem2der_gettable_params;
 static OSSL_FUNC_deserializer_get_params_fn pem2der_get_params;
 static OSSL_FUNC_deserializer_deserialize_fn pem2der_deserialize;
 
+/*
+ * Context used for PEM to DER deserialization.
+ */
+struct pem2der_ctx_st {
+    PROV_CTX *provctx;
+
+    /* Set to 1 if intending to encrypt/decrypt, otherwise 0 */
+    int cipher_intent;
+
+    EVP_CIPHER *cipher;
+
+    /* Passphrase that was passed by the caller */
+    void *cipher_pass;
+    size_t cipher_pass_length;
+
+    /* This callback is only used if |cipher_pass| is NULL */
+    OSSL_PASSPHRASE_CALLBACK *cb;
+    void *cbarg;
+};
+
 static void *pem2der_newctx(void *provctx)
 {
-    return provctx;
+    struct pem2der_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx != NULL)
+        ctx->provctx = provctx;
+    return ctx;
 }
 
 static void pem2der_freectx(void *vctx)
 {
+    struct pem2der_ctx_st *ctx = vctx;
+
+    EVP_CIPHER_free(ctx->cipher);
+    OPENSSL_clear_free(ctx->cipher_pass, ctx->cipher_pass_length);
+    OPENSSL_free(ctx);
 }
 
 static const OSSL_PARAM *pem2der_gettable_params(void)
@@ -58,39 +91,79 @@ static int pem2der_get_params(OSSL_PARAM params[])
     return 1;
 }
 
+static const OSSL_PARAM *pem2der_settable_ctx_params(void)
+{
+    static const OSSL_PARAM settables[] = {
+        OSSL_PARAM_octet_string(OSSL_DESERIALIZER_PARAM_PASS, NULL, 0),
+        OSSL_PARAM_END,
+    };
+
+    return settables;
+}
+
+static int pem2der_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+    struct pem2der_ctx_st *ctx = vctx;
+    const OSSL_PARAM *p;
+
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_DESERIALIZER_PARAM_PASS))
+        != NULL) {
+        OPENSSL_clear_free(ctx->cipher_pass, ctx->cipher_pass_length);
+        ctx->cipher_pass = NULL;
+        if (!OSSL_PARAM_get_octet_string(p, &ctx->cipher_pass, 0,
+                                         &ctx->cipher_pass_length))
+            return 0;
+    }
+    return 1;
+}
+
+/* pem_password_cb compatible function */
+static int pem2der_pass_helper(char *buf, int num, int w, void *data)
+{
+    struct pem2der_ctx_st *ctx = data;
+    size_t plen;
+
+    if (ctx->cipher_pass != NULL) {
+        if (ctx->cipher_pass_length < (size_t)num - 1) {
+            strncpy(buf, ctx->cipher_pass, ctx->cipher_pass_length);
+            buf[ctx->cipher_pass_length] = '\0';
+        } else {
+            OPENSSL_strlcpy(buf, ctx->cipher_pass, num);
+        }
+    } else if (ctx->cb == NULL
+               || !ctx->cb(buf, num, &plen, NULL, ctx->cbarg)) {
+        return -1;
+    }
+    return (int)ctx->cipher_pass_length;
+}
+
 static int pem2der_deserialize(void *vctx, OSSL_CORE_BIO *cin,
                                OSSL_CALLBACK *data_cb, void *data_cbarg,
                                OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
 {
-    PROV_CTX *ctx = vctx;
+    struct pem2der_ctx_st *ctx = vctx;
     char *pem_name = NULL, *pem_header = NULL;
     unsigned char *der = NULL;
     long der_len = 0;
     int ok = 0;
 
-    if (ossl_prov_read_pem(ctx, cin, &pem_name, &pem_header,
+    if (ossl_prov_read_pem(ctx->provctx, cin, &pem_name, &pem_header,
                            &der, &der_len) <= 0)
         return 0;
 
-#if 0                            /* PEM decryption coming soon */
     /*
      * 10 is the number of characters in "Proc-Type:", which
      * PEM_get_EVP_CIPHER_INFO() requires to be present.
      * If the PEM header has less characters than that, it's
      * not worth spending cycles on it.
      */
-    if (strlen(*pem_header) > 10) {
+    if (strlen(pem_header) > 10) {
         EVP_CIPHER_INFO cipher;
-        struct pem_pass_data pass_data;
 
-        if (!PEM_get_EVP_CIPHER_INFO(*pem_header, &cipher)
-            || !file_fill_pem_pass_data(&pass_data, "PEM pass phrase", uri,
-                                        ui_method, ui_data)
-            || !PEM_do_header(&cipher, *data, len, file_get_pem_pass,
-                              &pass_data))
+        if (!PEM_get_EVP_CIPHER_INFO(pem_header, &cipher)
+            || !PEM_do_header(&cipher, der, &der_len, pem2der_pass_helper, ctx))
             goto end;
     }
-#endif
 
     {
         OSSL_PARAM params[3];
@@ -106,6 +179,7 @@ static int pem2der_deserialize(void *vctx, OSSL_CORE_BIO *cin,
         ok = data_cb(params, data_cbarg);
     }
 
+ end:
     OPENSSL_free(pem_name);
     OPENSSL_free(pem_header);
     OPENSSL_free(der);
@@ -117,7 +191,12 @@ const OSSL_DISPATCH pem_to_der_deserializer_functions[] = {
     { OSSL_FUNC_DESERIALIZER_FREECTX, (void (*)(void))pem2der_freectx },
     { OSSL_FUNC_DESERIALIZER_GETTABLE_PARAMS,
       (void (*)(void))pem2der_gettable_params },
-    { OSSL_FUNC_DESERIALIZER_GET_PARAMS, (void (*)(void))pem2der_get_params },
+    { OSSL_FUNC_DESERIALIZER_GET_PARAMS,
+      (void (*)(void))pem2der_get_params },
+    { OSSL_FUNC_DESERIALIZER_SETTABLE_CTX_PARAMS,
+      (void (*)(void))pem2der_settable_ctx_params },
+    { OSSL_FUNC_DESERIALIZER_SET_CTX_PARAMS,
+      (void (*)(void))pem2der_set_ctx_params },
     { OSSL_FUNC_DESERIALIZER_DESERIALIZE, (void (*)(void))pem2der_deserialize },
     { 0, NULL }
 };