X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fevp%2Fevp_fetch.c;h=2f0d0e15b0afb8b06da1d28eb950c249d198044d;hp=69ca6a03004ac5fbe7c4fb771be2bac434304212;hb=4333b89f504e7a8de9c42a0d27f68530b5301848;hpb=6a835fcfb10ba004498f9e39873db3d2b9011609 diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index 69ca6a0300..2f0d0e15b0 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,6 +17,7 @@ #include "internal/core.h" #include "internal/provider.h" #include "internal/namemap.h" +#include "internal/property.h" #include "crypto/evp.h" /* evp_local.h needs it */ #include "evp_local.h" @@ -27,161 +28,38 @@ static void evp_method_store_free(void *vstore) ossl_method_store_free(vstore); } -static void *evp_method_store_new(OPENSSL_CTX *ctx) +static void *evp_method_store_new(OSSL_LIB_CTX *ctx) { return ossl_method_store_new(ctx); } -static const OPENSSL_CTX_METHOD evp_method_store_method = { +static const OSSL_LIB_CTX_METHOD evp_method_store_method = { evp_method_store_new, evp_method_store_free, }; /* Data to be passed through ossl_method_construct() */ struct evp_method_data_st { - OPENSSL_CTX *libctx; + OSSL_LIB_CTX *libctx; OSSL_METHOD_CONSTRUCT_METHOD *mcm; int operation_id; /* For get_evp_method_from_store() */ int name_id; /* For get_evp_method_from_store() */ const char *names; /* For get_evp_method_from_store() */ const char *propquery; /* For get_evp_method_from_store() */ + + unsigned int flag_construct_error_occured : 1; + void *(*method_from_dispatch)(int name_id, const OSSL_DISPATCH *, OSSL_PROVIDER *); int (*refcnt_up_method)(void *method); void (*destruct_method)(void *method); }; -static int add_names_to_namemap(OSSL_NAMEMAP *namemap, - const char *names) -{ - const char *p, *q; - size_t l; - int id = 0; - - /* Check that we have a namemap and that there is at least one name */ - if (namemap == NULL) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - - /* - * Check that no name is an empty string, and that all names have at - * most one numeric identity together. - */ - for (p = names; *p != '\0'; p = (q == NULL ? p + l : q + 1)) { - int this_id; - - if ((q = strchr(p, NAME_SEPARATOR)) == NULL) - l = strlen(p); /* offset to \0 */ - else - l = q - p; /* offset to the next separator */ - - this_id = ossl_namemap_name2num_n(namemap, p, l); - - if (*p == '\0' || *p == NAME_SEPARATOR) { - ERR_raise(ERR_LIB_EVP, EVP_R_BAD_ALGORITHM_NAME); - return 0; - } - if (id == 0) - id = this_id; - else if (this_id != 0 && this_id != id) { - ERR_raise_data(ERR_LIB_EVP, EVP_R_CONFLICTING_ALGORITHM_NAME, - "\"%.*s\" has an existing different identity %d (from \"%s\")", - l, p, this_id, names); - return 0; - } - } - - /* Now that we have checked, register all names */ - for (p = names; *p != '\0'; p = (q == NULL ? p + l : q + 1)) { - int this_id; - - if ((q = strchr(p, NAME_SEPARATOR)) == NULL) - l = strlen(p); /* offset to \0 */ - else - l = q - p; /* offset to the next separator */ - - this_id = ossl_namemap_add_n(namemap, id, p, l); - if (id == 0) - id = this_id; - else if (this_id != id) { - ERR_raise_data(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR, - "Got id %d when expecting %d", this_id, id); - return 0; - } - } - - return id; -} - -#ifndef FIPS_MODE -/* Creates an initial namemap with names found in the legacy method db */ -static void get_legacy_evp_names(const char *main_name, const char *alias, - void *arg) -{ - int main_id = ossl_namemap_add(arg, 0, main_name); - - /* - * We could check that the returned value is the same as main_id, - * but since this is a void function, there's no sane way to report - * the error. The best we can do is trust ourselve to keep the legacy - * method database conflict free. - * - * This registers any alias with the same number as the main name. - * Should it be that the current |on| *has* the main name, this is - * simply a no-op. - */ - if (alias != NULL) - (void)ossl_namemap_add(arg, main_id, alias); -} - -static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg) -{ - const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type); - - get_legacy_evp_names(EVP_CIPHER_name(cipher), on->name, arg); -} - -static void get_legacy_md_names(const OBJ_NAME *on, void *arg) -{ - const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type); - /* We don't want the pkey_type names, so we need some extra care */ - int snid, lnid; - - snid = OBJ_sn2nid(on->name); - lnid = OBJ_ln2nid(on->name); - if (snid != EVP_MD_pkey_type(md) && lnid != EVP_MD_pkey_type(md)) - get_legacy_evp_names(EVP_MD_name(md), on->name, arg); - else - get_legacy_evp_names(EVP_MD_name(md), NULL, arg); -} -#endif - -static OSSL_NAMEMAP *get_prepopulated_namemap(OPENSSL_CTX *libctx) -{ - OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - -#ifndef FIPS_MODE - if (namemap != NULL && ossl_namemap_empty(namemap)) { - /* Before pilfering, we make sure the legacy database is populated */ - OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS - |OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); - - OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, - get_legacy_cipher_names, namemap); - OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, - get_legacy_md_names, namemap); - } -#endif - - return namemap; -} - /* * Generic routines to fetch / create EVP methods with ossl_method_construct() */ -static void *alloc_tmp_evp_method_store(OPENSSL_CTX *ctx) +static void *alloc_tmp_evp_method_store(OSSL_LIB_CTX *ctx) { return ossl_method_store_new(ctx); } @@ -192,15 +70,15 @@ static void *alloc_tmp_evp_method_store(OPENSSL_CTX *ctx) ossl_method_store_free(store); } -static OSSL_METHOD_STORE *get_evp_method_store(OPENSSL_CTX *libctx) +static OSSL_METHOD_STORE *get_evp_method_store(OSSL_LIB_CTX *libctx) { - return openssl_ctx_get_data(libctx, OPENSSL_CTX_EVP_METHOD_STORE_INDEX, - &evp_method_store_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX, + &evp_method_store_method); } /* - * To identity the method in the EVP method store, we mix the name identity - * with the operation identity, with the assumption that we don't have more + * To identify the method in the EVP method store, we mix the name identity + * with the operation identity, under the assumption that we don't have more * than 2^24 names or more than 2^8 operation types. * * The resulting identity is a 32-bit integer, composed like this: @@ -209,15 +87,15 @@ static OSSL_METHOD_STORE *get_evp_method_store(OPENSSL_CTX *libctx) * | name identity | op id | * +------------------------+--------+ */ -static uint32_t evp_method_id(unsigned int operation_id, int name_id) +static uint32_t evp_method_id(int name_id, unsigned int operation_id) { - if (!ossl_assert(name_id < (1 << 24) || operation_id < (1 << 8)) - || !ossl_assert(name_id > 0 && operation_id > 0)) + if (!ossl_assert(name_id > 0 && name_id < (1 << 24)) + || !ossl_assert(operation_id > 0 && operation_id < (1 << 8))) return 0; return ((name_id << 8) & 0xFFFFFF00) | (operation_id & 0x000000FF); } -static void *get_evp_method_from_store(OPENSSL_CTX *libctx, void *store, +static void *get_evp_method_from_store(OSSL_LIB_CTX *libctx, void *store, void *data) { struct evp_method_data_st *methdata = data; @@ -242,7 +120,7 @@ static void *get_evp_method_from_store(OPENSSL_CTX *libctx, void *store, } if (name_id == 0 - || (meth_id = evp_method_id(methdata->operation_id, name_id)) == 0) + || (meth_id = evp_method_id(name_id, methdata->operation_id)) == 0) return NULL; if (store == NULL @@ -255,7 +133,7 @@ static void *get_evp_method_from_store(OPENSSL_CTX *libctx, void *store, return method; } -static int put_evp_method_in_store(OPENSSL_CTX *libctx, void *store, +static int put_evp_method_in_store(OSSL_LIB_CTX *libctx, void *store, void *method, const OSSL_PROVIDER *prov, int operation_id, const char *names, const char *propdef, void *data) @@ -280,7 +158,7 @@ static int put_evp_method_in_store(OPENSSL_CTX *libctx, void *store, if ((namemap = ossl_namemap_stored(libctx)) == NULL || (name_id = ossl_namemap_name2num_n(namemap, names, l)) == 0 - || (meth_id = evp_method_id(operation_id, name_id)) == 0) + || (meth_id = evp_method_id(name_id, operation_id)) == 0) return 0; if (store == NULL @@ -296,23 +174,38 @@ static int put_evp_method_in_store(OPENSSL_CTX *libctx, void *store, * The core fetching functionality passes the name of the implementation. * This function is responsible to getting an identity number for it. */ -static void *construct_evp_method(const char *names, const OSSL_DISPATCH *fns, +static void *construct_evp_method(const OSSL_ALGORITHM *algodef, OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_evp_method_from_store() returned * NULL, so it's safe to say that of all the spots to create a new * namemap entry, this is it. Should the name already exist there, we - * know that ossl_namemap_add() will return its corresponding number. + * know that ossl_namemap_add_name() will return its corresponding + * number. */ struct evp_method_data_st *methdata = data; - OPENSSL_CTX *libctx = ossl_provider_library_context(prov); + OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - int name_id = add_names_to_namemap(namemap, names); + const char *names = algodef->algorithm_names; + int name_id = ossl_namemap_add_names(namemap, 0, names, NAME_SEPARATOR); + void *method; if (name_id == 0) return NULL; - return methdata->method_from_dispatch(name_id, fns, prov); + + method = methdata->method_from_dispatch(name_id, algodef->implementation, + prov); + + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + + return method; } static void destruct_evp_method(void *method, void *data) @@ -323,7 +216,7 @@ static void destruct_evp_method(void *method, void *data) } static void * -inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, +inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, int name_id, const char *name, const char *properties, void *(*new_method)(int name_id, @@ -333,26 +226,33 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, void (*free_method)(void *)) { OSSL_METHOD_STORE *store = get_evp_method_store(libctx); - OSSL_NAMEMAP *namemap = get_prepopulated_namemap(libctx); + OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); uint32_t meth_id = 0; void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If there's ever an operation_id == 0 passed, we have an internal * programming error. */ - if (!ossl_assert(operation_id > 0)) + if (!ossl_assert(operation_id > 0)) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; + } /* * If we have been passed neither a name_id or a name, we have an * internal programming error. */ - if (!ossl_assert(name_id != 0 || name != NULL)) + if (!ossl_assert(name_id != 0 || name != NULL)) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; + } /* If we haven't received a name id yet, try to get one for the name */ if (name_id == 0) @@ -364,9 +264,19 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, * evp_method_id returns 0 if we have too many operations (more than * about 2^8) or too many names (more than about 2^24). In that case, * we can't create any new method. + * For all intents and purposes, this is an internal error. */ - if (name_id != 0 && (meth_id = evp_method_id(operation_id, name_id)) == 0) + if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0) { + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; + } + + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (name_id == 0) + unsupported = 1; if (meth_id == 0 || !ossl_method_store_cache_get(store, meth_id, properties, &method)) { @@ -389,6 +299,7 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, mcmdata.method_from_dispatch = new_method; mcmdata.refcnt_up_method = up_ref_method; mcmdata.destruct_method = free_method; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, operation_id, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -400,16 +311,34 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, */ if (name_id == 0) name_id = ossl_namemap_name2num(namemap, name); - meth_id = evp_method_id(operation_id, name_id); + meth_id = evp_method_id(name_id, operation_id); ossl_method_store_cache_set(store, meth_id, properties, method, up_ref_method, free_method); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (name == NULL) + name = ossl_namemap_num2name(namemap, name_id, 0); + ERR_raise_data(ERR_LIB_EVP, code, + "%s, Algorithm (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + name = NULL ? "" : name, name_id, + properties == NULL ? "" : properties); } return method; } -void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, +void *evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, const char *name, const char *properties, void *(*new_method)(int name_id, const OSSL_DISPATCH *fns, @@ -429,7 +358,7 @@ void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, * This is meant to be used when one method needs to fetch an associated * other method. */ -void *evp_generic_fetch_by_number(OPENSSL_CTX *libctx, int operation_id, +void *evp_generic_fetch_by_number(OSSL_LIB_CTX *libctx, int operation_id, int name_id, const char *properties, void *(*new_method)(int name_id, const OSSL_DISPATCH *fns, @@ -438,20 +367,97 @@ void *evp_generic_fetch_by_number(OPENSSL_CTX *libctx, int operation_id, void (*free_method)(void *)) { return inner_evp_generic_fetch(libctx, - operation_id, name_id, NULL, properties, - new_method, up_ref_method, free_method); + operation_id, name_id, NULL, + properties, new_method, up_ref_method, + free_method); } -int EVP_set_default_properties(OPENSSL_CTX *libctx, const char *propq) +void evp_method_store_flush(OSSL_LIB_CTX *libctx) { OSSL_METHOD_STORE *store = get_evp_method_store(libctx); if (store != NULL) - return ossl_method_store_set_global_properties(store, propq); - EVPerr(EVP_F_EVP_SET_DEFAULT_PROPERTIES, ERR_R_INTERNAL_ERROR); + ossl_method_store_flush_cache(store, 1); +} + +static int evp_set_parsed_default_properties(OSSL_LIB_CTX *libctx, + OSSL_PROPERTY_LIST *def_prop, + int loadconfig) +{ + OSSL_METHOD_STORE *store = get_evp_method_store(libctx); + OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, loadconfig); + + if (plp != NULL) { + ossl_property_free(*plp); + *plp = def_prop; + if (store != NULL) + ossl_method_store_flush_cache(store, 0); + return 1; + } + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return 0; } +int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq, + int loadconfig) +{ + OSSL_PROPERTY_LIST *pl = NULL; + + if (propq != NULL && (pl = ossl_parse_query(libctx, propq)) == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_DEFAULT_QUERY_PARSE_ERROR); + return 0; + } + return evp_set_parsed_default_properties(libctx, pl, loadconfig); +} + +int EVP_set_default_properties(OSSL_LIB_CTX *libctx, const char *propq) +{ + return evp_set_default_properties_int(libctx, propq, 1); +} + +static int evp_default_properties_merge(OSSL_LIB_CTX *libctx, const char *propq) +{ + OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, 1); + OSSL_PROPERTY_LIST *pl1, *pl2; + + if (propq == NULL) + return 1; + if (plp == NULL || *plp == NULL) + return EVP_set_default_properties(libctx, propq); + if ((pl1 = ossl_parse_query(libctx, propq)) == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_DEFAULT_QUERY_PARSE_ERROR); + return 0; + } + pl2 = ossl_property_merge(pl1, *plp); + ossl_property_free(pl1); + if (pl2 == NULL) { + ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE); + return 0; + } + return evp_set_parsed_default_properties(libctx, pl2, 0); +} + +static int evp_default_property_is_enabled(OSSL_LIB_CTX *libctx, + const char *prop_name) +{ + OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, 1); + + return plp != NULL && ossl_property_is_enabled(libctx, prop_name, *plp); +} + +int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx) +{ + return evp_default_property_is_enabled(libctx, "fips"); +} + +int EVP_default_properties_enable_fips(OSSL_LIB_CTX *libctx, int enable) +{ + const char *query = (enable != 0) ? "fips=yes" : "-fips"; + + return evp_default_properties_merge(libctx, query); +} + + struct do_all_data_st { void (*user_fn)(void *method, void *arg); void *user_arg; @@ -464,9 +470,10 @@ static void do_one(OSSL_PROVIDER *provider, const OSSL_ALGORITHM *algo, int no_store, void *vdata) { struct do_all_data_st *data = vdata; - OPENSSL_CTX *libctx = ossl_provider_library_context(provider); + OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); - int name_id = add_names_to_namemap(namemap, algo->algorithm_names); + int name_id = ossl_namemap_add_names(namemap, 0, algo->algorithm_names, + NAME_SEPARATOR); void *method = NULL; if (name_id != 0) @@ -478,7 +485,7 @@ static void do_one(OSSL_PROVIDER *provider, const OSSL_ALGORITHM *algo, } } -void evp_generic_do_all(OPENSSL_CTX *libctx, int operation_id, +void evp_generic_do_all(OSSL_LIB_CTX *libctx, int operation_id, void (*user_fn)(void *method, void *arg), void *user_arg, void *(*new_method)(int name_id, @@ -492,22 +499,34 @@ void evp_generic_do_all(OPENSSL_CTX *libctx, int operation_id, data.free_method = free_method; data.user_fn = user_fn; data.user_arg = user_arg; - ossl_algorithm_do_all(libctx, operation_id, NULL, do_one, &data); + + /* + * No pre- or post-condition for this call, as this only creates methods + * temporarly and then promptly destroys them. + */ + ossl_algorithm_do_all(libctx, operation_id, NULL, NULL, do_one, NULL, + &data); } -const char *evp_first_name(OSSL_PROVIDER *prov, int name_id) +const char *evp_first_name(const OSSL_PROVIDER *prov, int name_id) { - OPENSSL_CTX *libctx = ossl_provider_library_context(prov); + OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); return ossl_namemap_num2name(namemap, name_id, 0); } -int evp_is_a(OSSL_PROVIDER *prov, int number, const char *name) +int evp_is_a(OSSL_PROVIDER *prov, int number, + const char *legacy_name, const char *name) { - OPENSSL_CTX *libctx = ossl_provider_library_context(prov); + /* + * For a |prov| that is NULL, the library context will be NULL + */ + OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); + if (prov == NULL) + number = ossl_namemap_name2num(namemap, legacy_name); return ossl_namemap_name2num(namemap, name) == number; } @@ -515,7 +534,7 @@ void evp_names_do_all(OSSL_PROVIDER *prov, int number, void (*fn)(const char *name, void *data), void *data) { - OPENSSL_CTX *libctx = ossl_provider_library_context(prov); + OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); ossl_namemap_doall_names(namemap, number, fn, data);