X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fprovider_core.c;h=8b868fdb6b563e572ebab0d649cea9afb7f771ba;hp=2a463550d67b9131dd04cc17c12830d459e34283;hb=c8567c392c1dc3dd15651c0d2746a5b87b5a88dd;hpb=d16d0b71a9a31bf61289518a8ae523131f293faf diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 2a463550d6..8b868fdb6b 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -1,5 +1,5 @@ /* - * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,7 +19,7 @@ #include "internal/provider.h" #include "internal/refcount.h" #include "provider_local.h" -#ifndef FIPS_MODE +#ifndef FIPS_MODULE # include #endif @@ -42,7 +42,8 @@ struct provider_store_st; /* Forward declaration */ struct ossl_provider_st { /* Flag bits */ unsigned int flag_initialized:1; - unsigned int flag_fallback:1; + unsigned int flag_fallback:1; /* Can be used as fallback */ + unsigned int flag_activated_as_fallback:1; /* OpenSSL library side data */ CRYPTO_REF_COUNT refcnt; @@ -54,7 +55,7 @@ struct ossl_provider_st { STACK_OF(INFOPAIR) *parameters; OPENSSL_CTX *libctx; /* The library context this instance is in */ struct provider_store_st *store; /* The store this instance belongs to */ -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /* * In the FIPS module inner provider, this isn't needed, since the * error upcalls are always direct calls to the outer provider. @@ -71,6 +72,13 @@ struct ossl_provider_st { OSSL_provider_get_params_fn *get_params; OSSL_provider_query_operation_fn *query_operation; + /* + * Cache of bit to indicate of query_operation() has been called on + * a specific operation or not. + */ + unsigned char *operation_bits; + size_t operation_bits_sz; + /* Provider side data */ void *provctx; }; @@ -97,6 +105,24 @@ struct provider_store_st { unsigned int use_fallbacks:1; }; +/* + * provider_deactivate_free() is a wrapper around ossl_provider_free() + * that also makes sure that activated fallback providers are deactivated. + * This is simply done by freeing them an extra time, to compensate for the + * refcount that provider_activate_fallbacks() gives them. + * Since this is only called when the provider store is being emptied, we + * don't need to care about any lock. + */ +static void provider_deactivate_free(OSSL_PROVIDER *prov) +{ + int extra_free = (prov->flag_initialized + && prov->flag_activated_as_fallback); + + if (extra_free) + ossl_provider_free(prov); + ossl_provider_free(prov); +} + static void provider_store_free(void *vstore) { struct provider_store_st *store = vstore; @@ -104,7 +130,7 @@ static void provider_store_free(void *vstore) if (store == NULL) return; OPENSSL_free(store->default_path); - sk_OSSL_PROVIDER_pop_free(store->providers, ossl_provider_free); + sk_OSSL_PROVIDER_pop_free(store->providers, provider_deactivate_free); CRYPTO_THREAD_lock_free(store->lock); OPENSSL_free(store); } @@ -140,7 +166,7 @@ static void *provider_store_new(OPENSSL_CTX *ctx) } prov->libctx = ctx; prov->store = store; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE prov->error_lib = ERR_get_next_error_library(); #endif if(p->is_fallback) @@ -176,7 +202,7 @@ OSSL_PROVIDER *ossl_provider_find(OPENSSL_CTX *libctx, const char *name, OSSL_PROVIDER tmpl = { 0, }; int i; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /* * Make sure any providers are loaded from config before we try to find * them. @@ -264,7 +290,7 @@ OSSL_PROVIDER *ossl_provider_new(OPENSSL_CTX *libctx, const char *name, } else { prov->libctx = libctx; prov->store = store; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE prov->error_lib = ERR_get_next_error_library(); #endif } @@ -303,13 +329,13 @@ void ossl_provider_free(OSSL_PROVIDER *prov) * When that happens, the provider is inactivated. */ if (ref < 2 && prov->flag_initialized) { -#ifndef FIPS_MODE +#ifndef FIPS_MODULE ossl_init_thread_deregister(prov); #endif if (prov->teardown != NULL) prov->teardown(prov->provctx); #ifndef OPENSSL_NO_ERR -# ifndef FIPS_MODE +# ifndef FIPS_MODULE if (prov->error_strings != NULL) { ERR_unload_strings(prov->error_lib, prov->error_strings); OPENSSL_free(prov->error_strings); @@ -317,6 +343,9 @@ void ossl_provider_free(OSSL_PROVIDER *prov) } # endif #endif + OPENSSL_free(prov->operation_bits); + prov->operation_bits = NULL; + prov->operation_bits_sz = 0; prov->flag_initialized = 0; } @@ -325,7 +354,7 @@ void ossl_provider_free(OSSL_PROVIDER *prov) * the store. All we have to do here is clean it out. */ if (ref == 0) { -#ifndef FIPS_MODE +#ifndef FIPS_MODULE DSO_free(prov->module); #endif OPENSSL_free(prov->name); @@ -418,8 +447,9 @@ int OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *libctx, const char *path) static int provider_activate(OSSL_PROVIDER *prov) { const OSSL_DISPATCH *provider_dispatch = NULL; + void *tmp_provctx = NULL; /* safety measure */ #ifndef OPENSSL_NO_ERR -# ifndef FIPS_MODE +# ifndef FIPS_MODULE OSSL_provider_get_reason_strings_fn *p_get_reason_strings = NULL; # endif #endif @@ -432,7 +462,7 @@ static int provider_activate(OSSL_PROVIDER *prov) * a loadable module. */ if (prov->init_function == NULL) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE return 0; #else if (prov->module == NULL) { @@ -487,16 +517,17 @@ static int provider_activate(OSSL_PROVIDER *prov) /* Call the initialise function for the provider. */ if (prov->init_function == NULL - || !prov->init_function(prov, core_dispatch, &provider_dispatch, - &prov->provctx)) { + || !prov->init_function((OSSL_CORE_HANDLE *)prov, core_dispatch, + &provider_dispatch, &tmp_provctx)) { ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL, NULL, "name=%s", prov->name); -#ifndef FIPS_MODE +#ifndef FIPS_MODULE DSO_free(prov->module); prov->module = NULL; #endif return 0; } + prov->provctx = tmp_provctx; for (; provider_dispatch->function_id != 0; provider_dispatch++) { switch (provider_dispatch->function_id) { @@ -517,7 +548,7 @@ static int provider_activate(OSSL_PROVIDER *prov) OSSL_get_provider_query_operation(provider_dispatch); break; #ifndef OPENSSL_NO_ERR -# ifndef FIPS_MODE +# ifndef FIPS_MODULE case OSSL_FUNC_PROVIDER_GET_REASON_STRINGS: p_get_reason_strings = OSSL_get_provider_get_reason_strings(provider_dispatch); @@ -528,7 +559,7 @@ static int provider_activate(OSSL_PROVIDER *prov) } #ifndef OPENSSL_NO_ERR -# ifndef FIPS_MODE +# ifndef FIPS_MODULE if (p_get_reason_strings != NULL) { const OSSL_ITEM *reasonstrings = p_get_reason_strings(prov->provctx); size_t cnt, cnt2; @@ -540,12 +571,13 @@ static int provider_activate(OSSL_PROVIDER *prov) * with the error library number, so we need to make a copy of that * array either way. */ - cnt = 1; /* One for the terminating item */ + cnt = 0; while (reasonstrings[cnt].id != 0) { if (ERR_GET_LIB(reasonstrings[cnt].id) != 0) return 0; cnt++; } + cnt++; /* One for the terminating item */ /* Allocate one extra item for the "library" name */ prov->error_strings = @@ -641,13 +673,22 @@ static void provider_activate_fallbacks(struct provider_store_st *store) OSSL_PROVIDER *prov = sk_OSSL_PROVIDER_value(store->providers, i); /* - * Note that we don't care if the activation succeeds or not. - * If it doesn't succeed, then any attempt to use any of the - * fallback providers will fail anyway. + * Activated fallback providers get an extra refcount, to + * simulate a regular load. + * Note that we don't care if the activation succeeds or not, + * other than to maintain a correct refcount. If the activation + * doesn't succeed, then any future attempt to use the fallback + * provider will fail anyway. */ if (prov->flag_fallback) { - activated_fallback_count++; - provider_activate(prov); + if (ossl_provider_up_ref(prov)) { + if (!provider_activate(prov)) { + ossl_provider_free(prov); + } else { + prov->flag_activated_as_fallback = 1; + activated_fallback_count++; + } + } } } @@ -670,7 +711,7 @@ int ossl_provider_forall_loaded(OPENSSL_CTX *ctx, int ret = 1; struct provider_store_st *store = get_provider_store(ctx); -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /* * Make sure any providers are loaded from config before we try to use * them. @@ -729,7 +770,7 @@ const DSO *ossl_provider_dso(const OSSL_PROVIDER *prov) const char *ossl_provider_module_name(const OSSL_PROVIDER *prov) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE return NULL; #else return DSO_get_filename(prov->module); @@ -738,7 +779,7 @@ const char *ossl_provider_module_name(const OSSL_PROVIDER *prov) const char *ossl_provider_module_path(const OSSL_PROVIDER *prov) { -#ifdef FIPS_MODE +#ifdef FIPS_MODULE return NULL; #else /* FIXME: Ensure it's a full path */ @@ -779,6 +820,42 @@ const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov, return prov->query_operation(prov->provctx, operation_id, no_cache); } +int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum) +{ + size_t byte = bitnum / 8; + unsigned char bit = (1 << (bitnum % 8)) & 0xFF; + + if (provider->operation_bits_sz <= byte) { + provider->operation_bits = OPENSSL_realloc(provider->operation_bits, + byte + 1); + if (provider->operation_bits == NULL) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); + return 0; + } + memset(provider->operation_bits + provider->operation_bits_sz, + '\0', byte + 1 - provider->operation_bits_sz); + } + provider->operation_bits[byte] |= bit; + return 1; +} + +int ossl_provider_test_operation_bit(OSSL_PROVIDER *provider, size_t bitnum, + int *result) +{ + size_t byte = bitnum / 8; + unsigned char bit = (1 << (bitnum % 8)) & 0xFF; + + if (!ossl_assert(result != NULL)) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + *result = 0; + if (provider->operation_bits_sz > byte) + *result = ((provider->operation_bits[byte] & bit) != 0); + return 1; +} + /*- * Core functions for the provider * =============================== @@ -792,8 +869,13 @@ const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov, * never knows. */ static const OSSL_PARAM param_types[] = { - OSSL_PARAM_DEFN("openssl-version", OSSL_PARAM_UTF8_PTR, NULL, 0), - OSSL_PARAM_DEFN("provider-name", OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_CORE_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_CORE_PROV_NAME, OSSL_PARAM_UTF8_PTR, + NULL, 0), +#ifndef FIPS_MODULE + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_CORE_MODULE_FILENAME, OSSL_PARAM_UTF8_PTR, + NULL, 0), +#endif OSSL_PARAM_END }; @@ -806,7 +888,7 @@ static OSSL_core_gettable_params_fn core_gettable_params; static OSSL_core_get_params_fn core_get_params; static OSSL_core_thread_start_fn core_thread_start; static OSSL_core_get_library_context_fn core_get_libctx; -#ifndef FIPS_MODE +#ifndef FIPS_MODULE static OSSL_core_new_error_fn core_new_error; static OSSL_core_set_error_debug_fn core_set_error_debug; static OSSL_core_vset_error_fn core_vset_error; @@ -815,23 +897,29 @@ static OSSL_core_clear_last_error_mark_fn core_clear_last_error_mark; static OSSL_core_pop_error_to_mark_fn core_pop_error_to_mark; #endif -static const OSSL_PARAM *core_gettable_params(const OSSL_PROVIDER *prov) +static const OSSL_PARAM *core_gettable_params(const OSSL_CORE_HANDLE *handle) { return param_types; } -static int core_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[]) +static int core_get_params(const OSSL_CORE_HANDLE *handle, OSSL_PARAM params[]) { int i; OSSL_PARAM *p; + /* + * We created this object originally and we know it is actually an + * OSSL_PROVIDER *, so the cast is safe + */ + OSSL_PROVIDER *prov = (OSSL_PROVIDER *)handle; - if ((p = OSSL_PARAM_locate(params, "openssl-version")) != NULL) + if ((p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_CORE_VERSION)) != NULL) OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR); - if ((p = OSSL_PARAM_locate(params, "provider-name")) != NULL) + if ((p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_CORE_PROV_NAME)) != NULL) OSSL_PARAM_set_utf8_ptr(p, prov->name); -#ifndef FIPS_MODE - if ((p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_MODULE_FILENAME)) != NULL) +#ifndef FIPS_MODULE + if ((p = OSSL_PARAM_locate(params, + OSSL_PROV_PARAM_CORE_MODULE_FILENAME)) != NULL) OSSL_PARAM_set_utf8_ptr(p, ossl_provider_module_path(prov)); #endif @@ -847,14 +935,26 @@ static int core_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[]) return 1; } -static OPENSSL_CTX *core_get_libctx(const OSSL_PROVIDER *prov) +static OPENSSL_CORE_CTX *core_get_libctx(const OSSL_CORE_HANDLE *handle) { - return ossl_provider_library_context(prov); + /* + * We created this object originally and we know it is actually an + * OSSL_PROVIDER *, so the cast is safe + */ + OSSL_PROVIDER *prov = (OSSL_PROVIDER *)handle; + + return (OPENSSL_CORE_CTX *)ossl_provider_library_context(prov); } -static int core_thread_start(const OSSL_PROVIDER *prov, +static int core_thread_start(const OSSL_CORE_HANDLE *handle, OSSL_thread_stop_handler_fn handfn) { + /* + * We created this object originally and we know it is actually an + * OSSL_PROVIDER *, so the cast is safe + */ + OSSL_PROVIDER *prov = (OSSL_PROVIDER *)handle; + return ossl_init_thread_start(prov, prov->provctx, handfn); } @@ -863,28 +963,34 @@ static int core_thread_start(const OSSL_PROVIDER *prov, * needed there, since the FIPS module upcalls are always the outer provider * ones. */ -#ifndef FIPS_MODE +#ifndef FIPS_MODULE /* - * TODO(3.0) These error functions should use |prov| to select the proper + * TODO(3.0) These error functions should use |handle| to select the proper * library context to report in the correct error stack, at least if error * stacks become tied to the library context. * We cannot currently do that since there's no support for it in the * ERR subsystem. */ -static void core_new_error(const OSSL_PROVIDER *prov) +static void core_new_error(const OSSL_CORE_HANDLE *handle) { ERR_new(); } -static void core_set_error_debug(const OSSL_PROVIDER *prov, +static void core_set_error_debug(const OSSL_CORE_HANDLE *handle, const char *file, int line, const char *func) { ERR_set_debug(file, line, func); } -static void core_vset_error(const OSSL_PROVIDER *prov, +static void core_vset_error(const OSSL_CORE_HANDLE *handle, uint32_t reason, const char *fmt, va_list args) { + /* + * We created this object originally and we know it is actually an + * OSSL_PROVIDER *, so the cast is safe + */ + OSSL_PROVIDER *prov = (OSSL_PROVIDER *)handle; + /* * If the uppermost 8 bits are non-zero, it's an OpenSSL library * error and will be treated as such. Otherwise, it's a new style @@ -897,21 +1003,21 @@ static void core_vset_error(const OSSL_PROVIDER *prov, } } -static int core_set_error_mark(const OSSL_PROVIDER *prov) +static int core_set_error_mark(const OSSL_CORE_HANDLE *handle) { return ERR_set_mark(); } -static int core_clear_last_error_mark(const OSSL_PROVIDER *prov) +static int core_clear_last_error_mark(const OSSL_CORE_HANDLE *handle) { return ERR_clear_last_mark(); } -static int core_pop_error_to_mark(const OSSL_PROVIDER *prov) +static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle) { return ERR_pop_to_mark(); } -#endif /* FIPS_MODE */ +#endif /* FIPS_MODULE */ /* * Functions provided by the core. Blank line separates "families" of related @@ -922,7 +1028,7 @@ static const OSSL_DISPATCH core_dispatch_[] = { { OSSL_FUNC_CORE_GET_PARAMS, (void (*)(void))core_get_params }, { OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT, (void (*)(void))core_get_libctx }, { OSSL_FUNC_CORE_THREAD_START, (void (*)(void))core_thread_start }, -#ifndef FIPS_MODE +#ifndef FIPS_MODULE { OSSL_FUNC_CORE_NEW_ERROR, (void (*)(void))core_new_error }, { OSSL_FUNC_CORE_SET_ERROR_DEBUG, (void (*)(void))core_set_error_debug }, { OSSL_FUNC_CORE_VSET_ERROR, (void (*)(void))core_vset_error }, @@ -933,6 +1039,7 @@ static const OSSL_DISPATCH core_dispatch_[] = { { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))BIO_new_file }, { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))BIO_new_mem_buf }, { OSSL_FUNC_BIO_READ_EX, (void (*)(void))BIO_read_ex }, + { OSSL_FUNC_BIO_WRITE_EX, (void (*)(void))BIO_write_ex }, { OSSL_FUNC_BIO_FREE, (void (*)(void))BIO_free }, { OSSL_FUNC_BIO_VPRINTF, (void (*)(void))BIO_vprintf }, { OSSL_FUNC_BIO_VSNPRINTF, (void (*)(void))BIO_vsnprintf },