/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*/
#include <stddef.h>
-#include <openssl/ossl_typ.h>
+#include <openssl/types.h>
#include <openssl/evp.h>
#include <openssl/core.h>
#include "internal/cryptlib.h"
#include "internal/thread_once.h"
-#include "internal/asn1_int.h"
#include "internal/property.h"
#include "internal/core.h"
-#include "internal/evp_int.h" /* evp_locl.h needs it */
-#include "evp_locl.h"
+#include "internal/provider.h"
+#include "internal/namemap.h"
+#include "crypto/evp.h" /* evp_local.h needs it */
+#include "evp_local.h"
-/* The OpenSSL library context index for the default method store */
-static int default_method_store_index = -1;
+#define NAME_SEPARATOR ':'
-static void default_method_store_free(void *vstore)
+static void evp_method_store_free(void *vstore)
{
ossl_method_store_free(vstore);
}
-static void *default_method_store_new(void)
+static void *evp_method_store_new(OPENSSL_CTX *ctx)
{
- return ossl_method_store_new();
+ return ossl_method_store_new(ctx);
}
-static const OPENSSL_CTX_METHOD default_method_store_method = {
- default_method_store_new,
- default_method_store_free,
+static const OPENSSL_CTX_METHOD evp_method_store_method = {
+ evp_method_store_new,
+ evp_method_store_free,
};
-static int default_method_store_init(void)
-{
- default_method_store_index =
- openssl_ctx_new_index(&default_method_store_method);
-
- return default_method_store_index != -1;
-}
-
-static CRYPTO_ONCE default_method_store_init_flag = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(do_default_method_store_init)
-{
- return OPENSSL_init_crypto(0, NULL)
- && default_method_store_init();
-}
-
/* Data to be passed through ossl_method_construct() */
-struct method_data_st {
- const char *name;
- int nid;
+struct evp_method_data_st {
+ OPENSSL_CTX *libctx;
OSSL_METHOD_CONSTRUCT_METHOD *mcm;
- void *(*method_from_dispatch)(int nid, const OSSL_DISPATCH *,
+ int operation_id; /* For get_evp_method_from_store() */
+ int name_id; /* For get_evp_method_from_store() */
+ const char *names; /* For get_evp_method_from_store() */
+ const char *propquery; /* For get_evp_method_from_store() */
+ void *(*method_from_dispatch)(int name_id, const OSSL_DISPATCH *,
OSSL_PROVIDER *);
int (*refcnt_up_method)(void *method);
void (*destruct_method)(void *method);
/*
* Generic routines to fetch / create EVP methods with ossl_method_construct()
*/
-static void *alloc_tmp_method_store(void)
+static void *alloc_tmp_evp_method_store(OPENSSL_CTX *ctx)
{
- return ossl_method_store_new();
+ return ossl_method_store_new(ctx);
}
- static void dealloc_tmp_method_store(void *store)
+ static void dealloc_tmp_evp_method_store(void *store)
{
if (store != NULL)
ossl_method_store_free(store);
}
-static OSSL_METHOD_STORE *get_default_method_store(OPENSSL_CTX *libctx)
+static OSSL_METHOD_STORE *get_evp_method_store(OPENSSL_CTX *libctx)
{
- if (!RUN_ONCE(&default_method_store_init_flag,
- do_default_method_store_init))
- return NULL;
- return openssl_ctx_get_data(libctx, default_method_store_index);
+ return openssl_ctx_get_data(libctx, OPENSSL_CTX_EVP_METHOD_STORE_INDEX,
+ &evp_method_store_method);
+}
+
+/*
+ * To identify the method in the EVP method store, we mix the name identity
+ * with the operation identity, under the assumption that we don't have more
+ * than 2^24 names or more than 2^8 operation types.
+ *
+ * The resulting identity is a 32-bit integer, composed like this:
+ *
+ * +---------24 bits--------+-8 bits-+
+ * | name identity | op id |
+ * +------------------------+--------+
+ */
+static uint32_t evp_method_id(int name_id, unsigned int operation_id)
+{
+ if (!ossl_assert(name_id > 0 && name_id < (1 << 24))
+ || !ossl_assert(operation_id > 0 && operation_id < (1 << 8)))
+ return 0;
+ return ((name_id << 8) & 0xFFFFFF00) | (operation_id & 0x000000FF);
}
-static void *get_method_from_store(OPENSSL_CTX *libctx, void *store,
- const char *propquery, void *data)
+static void *get_evp_method_from_store(OPENSSL_CTX *libctx, void *store,
+ void *data)
{
- struct method_data_st *methdata = data;
+ struct evp_method_data_st *methdata = data;
void *method = NULL;
+ int name_id;
+ uint32_t meth_id;
+
+ /*
+ * get_evp_method_from_store() is only called to try and get the method
+ * that evp_generic_fetch() is asking for, and the operation id as well
+ * as the name or name id are passed via methdata.
+ */
+ if ((name_id = methdata->name_id) == 0) {
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+ const char *names = methdata->names;
+ const char *q = strchr(names, NAME_SEPARATOR);
+ size_t l = (q == NULL ? strlen(names) : (size_t)(q - names));
+
+ if (namemap == 0)
+ return NULL;
+ name_id = ossl_namemap_name2num_n(namemap, names, l);
+ }
- if (store == NULL
- && (store = get_default_method_store(libctx)) == NULL)
+ if (name_id == 0
+ || (meth_id = evp_method_id(name_id, methdata->operation_id)) == 0)
return NULL;
- (void)ossl_method_store_fetch(store, methdata->nid, propquery, &method);
+ if (store == NULL
+ && (store = get_evp_method_store(libctx)) == NULL)
+ return NULL;
- if (method != NULL
- && !methdata->refcnt_up_method(method)) {
- method = NULL;
- }
+ if (!ossl_method_store_fetch(store, meth_id, methdata->propquery,
+ &method))
+ return NULL;
return method;
}
-static int put_method_in_store(OPENSSL_CTX *libctx, void *store,
- const char *propdef, void *method,
- void *data)
+static int put_evp_method_in_store(OPENSSL_CTX *libctx, void *store,
+ void *method, const OSSL_PROVIDER *prov,
+ int operation_id, const char *names,
+ const char *propdef, void *data)
{
- struct method_data_st *methdata = data;
+ struct evp_method_data_st *methdata = data;
+ OSSL_NAMEMAP *namemap;
+ int name_id;
+ uint32_t meth_id;
+ size_t l = 0;
+
+ /*
+ * put_evp_method_in_store() is only called with an EVP method that was
+ * successfully created by construct_method() below, which means that
+ * all the names should already be stored in the namemap with the same
+ * numeric identity, so just use the first to get that identity.
+ */
+ if (names != NULL) {
+ const char *q = strchr(names, NAME_SEPARATOR);
+
+ l = (q == NULL ? strlen(names) : (size_t)(q - names));
+ }
+
+ if ((namemap = ossl_namemap_stored(libctx)) == NULL
+ || (name_id = ossl_namemap_name2num_n(namemap, names, l)) == 0
+ || (meth_id = evp_method_id(name_id, operation_id)) == 0)
+ return 0;
if (store == NULL
- && (store = get_default_method_store(libctx)) == NULL)
+ && (store = get_evp_method_store(libctx)) == NULL)
return 0;
- if (methdata->refcnt_up_method(method)
- && ossl_method_store_add(store, methdata->nid, propdef, method,
- methdata->destruct_method))
- return 1;
- return 0;
+ return ossl_method_store_add(store, prov, meth_id, propdef, method,
+ methdata->refcnt_up_method,
+ methdata->destruct_method);
}
-static void *construct_method(const OSSL_DISPATCH *fns, OSSL_PROVIDER *prov,
- void *data)
+/*
+ * The core fetching functionality passes the name of the implementation.
+ * This function is responsible to getting an identity number for it.
+ */
+static void *construct_evp_method(const OSSL_ALGORITHM *algodef,
+ OSSL_PROVIDER *prov, void *data)
{
- struct method_data_st *methdata = data;
- void *method = NULL;
-
- if (methdata->nid == NID_undef) {
- /* Create a new NID for that name on the fly */
- ASN1_OBJECT tmpobj;
-
- /* This is the same as OBJ_create() but without requiring a OID */
- tmpobj.nid = OBJ_new_nid(1);
- tmpobj.sn = tmpobj.ln = methdata->name;
- tmpobj.flags = ASN1_OBJECT_FLAG_DYNAMIC;
- tmpobj.length = 0;
- tmpobj.data = NULL;
-
- methdata->nid = OBJ_add_object(&tmpobj);
- }
-
- if (methdata->nid == NID_undef)
- return NULL;
-
- method = methdata->method_from_dispatch(methdata->nid, fns, prov);
- if (method == NULL)
+ /*
+ * This function is only called if get_evp_method_from_store() returned
+ * NULL, so it's safe to say that of all the spots to create a new
+ * namemap entry, this is it. Should the name already exist there, we
+ * know that ossl_namemap_add_name() will return its corresponding
+ * number.
+ */
+ struct evp_method_data_st *methdata = data;
+ OPENSSL_CTX *libctx = ossl_provider_library_context(prov);
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+ const char *names = algodef->algorithm_names;
+ int name_id = ossl_namemap_add_names(namemap, 0, names, NAME_SEPARATOR);
+
+ if (name_id == 0)
return NULL;
- return method;
+ return methdata->method_from_dispatch(name_id, algodef->implementation,
+ prov);
}
-static void destruct_method(void *method, void *data)
+static void destruct_evp_method(void *method, void *data)
{
- struct method_data_st *methdata = data;
+ struct evp_method_data_st *methdata = data;
methdata->destruct_method(method);
}
-void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id,
- const char *algorithm, const char *properties,
- void *(*new_method)(int nid, const OSSL_DISPATCH *fns,
+static void *
+inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id,
+ int name_id, const char *name,
+ const char *properties,
+ void *(*new_method)(int name_id,
+ const OSSL_DISPATCH *fns,
OSSL_PROVIDER *prov),
- int (*upref_method)(void *),
+ int (*up_ref_method)(void *),
void (*free_method)(void *))
{
- int nid = OBJ_sn2nid(algorithm);
+ OSSL_METHOD_STORE *store = get_evp_method_store(libctx);
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+ uint32_t meth_id = 0;
void *method = NULL;
- if (nid == NID_undef
- || !ossl_method_store_cache_get(NULL, nid, properties, &method)) {
+ if (store == NULL || namemap == NULL)
+ return NULL;
+
+ /*
+ * If there's ever an operation_id == 0 passed, we have an internal
+ * programming error.
+ */
+ if (!ossl_assert(operation_id > 0))
+ return NULL;
+
+ /*
+ * If we have been passed neither a name_id or a name, we have an
+ * internal programming error.
+ */
+ if (!ossl_assert(name_id != 0 || name != NULL))
+ return NULL;
+
+ /* If we haven't received a name id yet, try to get one for the name */
+ if (name_id == 0)
+ name_id = ossl_namemap_name2num(namemap, name);
+
+ /*
+ * If we have a name id, calculate a method id with evp_method_id().
+ *
+ * evp_method_id returns 0 if we have too many operations (more than
+ * about 2^8) or too many names (more than about 2^24). In that case,
+ * we can't create any new method.
+ */
+ if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0)
+ return NULL;
+
+ if (meth_id == 0
+ || !ossl_method_store_cache_get(store, meth_id, properties, &method)) {
OSSL_METHOD_CONSTRUCT_METHOD mcm = {
- alloc_tmp_method_store,
- dealloc_tmp_method_store,
- get_method_from_store,
- put_method_in_store,
- construct_method,
- destruct_method
+ alloc_tmp_evp_method_store,
+ dealloc_tmp_evp_method_store,
+ get_evp_method_from_store,
+ put_evp_method_in_store,
+ construct_evp_method,
+ destruct_evp_method
};
- struct method_data_st mcmdata;
+ struct evp_method_data_st mcmdata;
- mcmdata.nid = nid;
mcmdata.mcm = &mcm;
+ mcmdata.libctx = libctx;
+ mcmdata.operation_id = operation_id;
+ mcmdata.name_id = name_id;
+ mcmdata.names = name;
+ mcmdata.propquery = properties;
mcmdata.method_from_dispatch = new_method;
+ mcmdata.refcnt_up_method = up_ref_method;
mcmdata.destruct_method = free_method;
- mcmdata.refcnt_up_method = upref_method;
- mcmdata.destruct_method = free_method;
- method = ossl_method_construct(libctx, operation_id, algorithm,
- properties, 0 /* !force_cache */,
- &mcm, &mcmdata);
- ossl_method_store_cache_set(NULL, nid, properties, method);
+ if ((method = ossl_method_construct(libctx, operation_id,
+ 0 /* !force_cache */,
+ &mcm, &mcmdata)) != NULL) {
+ /*
+ * If construction did create a method for us, we know that
+ * there is a correct name_id and meth_id, since those have
+ * already been calculated in get_evp_method_from_store() and
+ * put_evp_method_in_store() above.
+ */
+ if (name_id == 0)
+ name_id = ossl_namemap_name2num(namemap, name);
+ meth_id = evp_method_id(name_id, operation_id);
+ ossl_method_store_cache_set(store, meth_id, properties, method,
+ up_ref_method, free_method);
+ }
}
return method;
}
+void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id,
+ const char *name, const char *properties,
+ void *(*new_method)(int name_id,
+ const OSSL_DISPATCH *fns,
+ OSSL_PROVIDER *prov),
+ int (*up_ref_method)(void *),
+ void (*free_method)(void *))
+{
+ void *ret = inner_evp_generic_fetch(libctx,
+ operation_id, 0, name, properties,
+ new_method, up_ref_method, free_method);
+
+ if (ret == NULL) {
+ int code = EVP_R_FETCH_FAILED;
+
+#ifdef FIPS_MODULE
+ ERR_raise(ERR_LIB_EVP, code);
+#else
+ ERR_raise_data(ERR_LIB_EVP, code,
+ "%s, Algorithm (%s), Properties (%s)",
+ (openssl_ctx_is_default(libctx)
+ ? "Default library context"
+ : "Non-default library context"),
+ name = NULL ? "<null>" : name,
+ properties == NULL ? "<null>" : properties);
+#endif
+ }
+ return ret;
+}
+
+/*
+ * evp_generic_fetch_by_number() is special, and only returns methods for
+ * already known names, i.e. it refuses to work if no name_id can be found
+ * (it's considered an internal programming error).
+ * This is meant to be used when one method needs to fetch an associated
+ * other method.
+ */
+void *evp_generic_fetch_by_number(OPENSSL_CTX *libctx, int operation_id,
+ int name_id, const char *properties,
+ void *(*new_method)(int name_id,
+ const OSSL_DISPATCH *fns,
+ OSSL_PROVIDER *prov),
+ int (*up_ref_method)(void *),
+ void (*free_method)(void *))
+{
+ void *ret = inner_evp_generic_fetch(libctx,
+ operation_id, name_id, NULL,
+ properties, new_method, up_ref_method,
+ free_method);
+
+ if (ret == NULL) {
+ int code = EVP_R_FETCH_FAILED;
+
+#ifdef FIPS_MODULE
+ ERR_raise(ERR_LIB_EVP, code);
+#else
+ {
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+ const char *name = (namemap == NULL)
+ ? NULL
+ : ossl_namemap_num2name(namemap, name_id, 0);
+
+ ERR_raise_data(ERR_LIB_EVP, code,
+ "%s, Algorithm (%s), Properties (%s)",
+ (openssl_ctx_is_default(libctx)
+ ? "Default library context"
+ : "Non-default library context"),
+ name = NULL ? "<null>" : name,
+ properties == NULL ? "<null>" : properties);
+ }
+#endif
+ }
+ return ret;
+}
+
int EVP_set_default_properties(OPENSSL_CTX *libctx, const char *propq)
{
- OSSL_METHOD_STORE *store = get_default_method_store(libctx);
+ OSSL_METHOD_STORE *store = get_evp_method_store(libctx);
if (store != NULL)
return ossl_method_store_set_global_properties(store, propq);
- EVPerr(EVP_F_EVP_SET_DEFAULT_PROPERTIES, ERR_R_INTERNAL_ERROR);
+ EVPerr(0, ERR_R_INTERNAL_ERROR);
+ return 0;
+}
+
+
+static int evp_default_properties_merge(OPENSSL_CTX *libctx, const char *propq)
+{
+ OSSL_METHOD_STORE *store = get_evp_method_store(libctx);
+
+ if (store != NULL)
+ return ossl_method_store_merge_global_properties(store, propq);
+ EVPerr(0, ERR_R_INTERNAL_ERROR);
return 0;
}
+
+static int evp_default_property_is_enabled(OPENSSL_CTX *libctx,
+ const char *prop_name)
+{
+ OSSL_METHOD_STORE *store = get_evp_method_store(libctx);
+
+ return ossl_method_store_global_property_is_enabled(store, prop_name);
+}
+
+int EVP_default_properties_is_fips_enabled(OPENSSL_CTX *libctx)
+{
+ return evp_default_property_is_enabled(libctx, "fips");
+}
+
+int EVP_default_properties_enable_fips(OPENSSL_CTX *libctx, int enable)
+{
+ const char *query = (enable != 0) ? "fips=yes" : "-fips";
+
+ return evp_default_properties_merge(libctx, query);
+}
+
+
+struct do_all_data_st {
+ void (*user_fn)(void *method, void *arg);
+ void *user_arg;
+ void *(*new_method)(const int name_id, const OSSL_DISPATCH *fns,
+ OSSL_PROVIDER *prov);
+ void (*free_method)(void *);
+};
+
+static void do_one(OSSL_PROVIDER *provider, const OSSL_ALGORITHM *algo,
+ int no_store, void *vdata)
+{
+ struct do_all_data_st *data = vdata;
+ OPENSSL_CTX *libctx = ossl_provider_library_context(provider);
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+ int name_id = ossl_namemap_add_names(namemap, 0, algo->algorithm_names,
+ NAME_SEPARATOR);
+ void *method = NULL;
+
+ if (name_id != 0)
+ method = data->new_method(name_id, algo->implementation, provider);
+
+ if (method != NULL) {
+ data->user_fn(method, data->user_arg);
+ data->free_method(method);
+ }
+}
+
+void evp_generic_do_all(OPENSSL_CTX *libctx, int operation_id,
+ void (*user_fn)(void *method, void *arg),
+ void *user_arg,
+ void *(*new_method)(int name_id,
+ const OSSL_DISPATCH *fns,
+ OSSL_PROVIDER *prov),
+ void (*free_method)(void *))
+{
+ struct do_all_data_st data;
+
+ data.new_method = new_method;
+ data.free_method = free_method;
+ data.user_fn = user_fn;
+ data.user_arg = user_arg;
+
+ /*
+ * No pre- or post-condition for this call, as this only creates methods
+ * temporarly and then promptly destroys them.
+ */
+ ossl_algorithm_do_all(libctx, operation_id, NULL, NULL, do_one, NULL,
+ &data);
+}
+
+const char *evp_first_name(const OSSL_PROVIDER *prov, int name_id)
+{
+ OPENSSL_CTX *libctx = ossl_provider_library_context(prov);
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+
+ return ossl_namemap_num2name(namemap, name_id, 0);
+}
+
+int evp_is_a(OSSL_PROVIDER *prov, int number,
+ const char *legacy_name, const char *name)
+{
+ /*
+ * For a |prov| that is NULL, the library context will be NULL
+ */
+ OPENSSL_CTX *libctx = ossl_provider_library_context(prov);
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+
+ if (prov == NULL)
+ number = ossl_namemap_name2num(namemap, legacy_name);
+ return ossl_namemap_name2num(namemap, name) == number;
+}
+
+void evp_names_do_all(OSSL_PROVIDER *prov, int number,
+ void (*fn)(const char *name, void *data),
+ void *data)
+{
+ OPENSSL_CTX *libctx = ossl_provider_library_context(prov);
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+
+ ossl_namemap_doall_names(namemap, number, fn, data);
+}