Commit Graph

52 Commits

Author SHA1 Message Date
Jakub Zelenka
3f37050e33 Fix typos in the OSSL_METHOD_STORE doc
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9825)
2019-09-09 13:19:19 +02:00
Richard Levitte
3ca9d210c9 Refactor how KEYMGMT methods get associated with other methods
KEYMGMT methods were attached to other methods after those were fully
created and registered, thereby creating a potential data race, if two
threads tried to create the exact same method at the same time.

Instead of this, we change the method creating function to take an
extra data parameter, passed all the way from the public fetching
function.  In the case of EVP_KEYEXCH, we pass all the necessary data
that evp_keyexch_from_dispatch() needs to be able to fetch the
appropriate KEYMGMT method on the fly.

Fixes #9592

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9678)
2019-09-03 10:36:49 +02:00
Richard Levitte
c1d56231ef Modify ossl_method_store_add() to accept an OSSL_PROVIDER and check for it
If ossl_method_store_add() gets called with a method that already exists
(i.e. the store has one with matching provider, nid and properties), that
method should not be stored.  We do this check inside ossl_method_store_add()
because it has all the locking required to do so safely.

Fixes #9561

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9650)
2019-08-22 01:50:30 +02:00
Richard Levitte
b1d40ddfe2 Modify ossl_method_store_add() to handle reference counting
Because this function affects the reference count on failure (the call
to impl_free() does this), it may as well handle incrementing it as
well to indicate the extra reference in the method store.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9650)
2019-08-22 01:50:30 +02:00
Pauli
5fa7789f1b Constify param builder string functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9649)
2019-08-21 15:30:56 +10:00
Richard Levitte
e74bd29053 Prepare EVP_MAC infrastructure for moving all MACs to providers
Quite a few adaptations are needed, most prominently the added code
to allow provider based MACs.

As part of this, all the old information functions are gone, except
for EVP_MAC_name().  Some of them will reappear later, for example
EVP_MAC_do_all() in some form.

MACs by EVP_PKEY was particularly difficult to deal with, as they
need to allocate and deallocate EVP_MAC_CTXs "under the hood", and
thereby implicitly fetch the corresponding EVP_MAC.  This means that
EVP_MACs can't be constant in a EVP_MAC_CTX, as their reference count
may need to be incremented and decremented as part of the allocation
or deallocation of the EVP_MAC_CTX.  It may be that other provider
based EVP operation types may need to be handled in a similar manner.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)
2019-08-15 22:12:25 +02:00
Richard Levitte
dca97d0062 Rename provider and core get_param_types functions
It was argued that names like SOMETHING_set_param_types were confusing,
and a rename has been proposed to SOMETHING_settable_params, and by
consequence, SOMETHING_get_param_types is renamed
SOMETHING_gettable_params.

This changes implements this change for the dispatched provider and
core functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9591)
2019-08-15 11:58:25 +02:00
Matt Caswell
29dc6e00f2 Load the config file by default
Previously we only loaded the config file by default for libssl. Now we do
it for libcrypto too.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
2019-08-01 09:59:20 +01:00
FdaSilvaYY
8c00f267b8 CAdES : lowercase name for now internal methods.
CAdES : rework CAdES signing API.
Make it private, as it is unused outside library bounds.
Fix varous doc-nits.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
2019-07-31 19:14:12 +10:00
Richard Levitte
36f5ec55e6 Add functions to see if a provider is available for use.
Public function OSSL_PROVIDER_available() takes a library context and
a provider name, and returns 1 if it's available for use, i.e. if it's
possible to fetch implementations from it, otherwise 0.

Internal function ossl_provider_activated() returns 1 if the given
OSSL_PROVIDER is activated, otherwise 0.

To make this possible, the activation of fallbacks got refactored out
to a separate function, which ended up simplifying the code.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)
2019-07-26 18:14:41 +02:00
Richard Levitte
2617501348 Replace OSSL_ITEM with OSSL_PARAM as parameter descriptor, everywhere
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9346)
2019-07-23 07:30:33 +02:00
Richard Levitte
a883c02faa Add internal function ossl_algorithm_do_all()
This function is used to traverse all the implementations provided by
one provider, or all implementation for a specific operation across
all loaded providers, or both, and execute a given function for each
occurence.

This will be used by ossl_method_construct(), but also by information
processing functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)
2019-07-23 06:34:09 +02:00
Richard Levitte
fa9faf0104 Add an internal API to access the KEYMGMT provider functions
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9312)
2019-07-22 06:19:43 +02:00
Richard Levitte
4cae07fef3 Add evp_keymgmt_clear_pkey_cache() and use it
This function clears the cache of provider key references, and is used
in evp_keymgmt_export_to_provider() when the internal key is dirty, as
well as by EVP_PKEY_free_it().

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9312)
2019-07-22 06:19:42 +02:00
Richard Levitte
70a1f7b4d7 Add evp_keymgmt_export_to_provider(), for key transfer between providers
This function is used to transport private key materia from whatever
is already attached to the EVP_PKEY to the new provider, using key
data export and import functionality.

If a legacy lower level key has been assigned to the EVP_PKEY, we use
its data to create a provider side key, and thereby have a bridge
between old style public key types and the EVP_PKEY on providers.

If successful, this function returns a reference to the appropriate
provider side data for the key.

This can be used by any operation that wants to use this key.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9312)
2019-07-22 06:18:58 +02:00
Pauli
7312ef3fc4 Add param builder free function.
This means include deallocation information in the return from
the ossl_param_bld_to_param function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9404)
2019-07-19 01:14:07 +10:00
Richard Levitte
a1c5cefaf4 Correct some OSSL_PARAM documentation
The documentation wasn't quite in sync with the implementation.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9408)
2019-07-18 18:20:16 +10:00
Pauli
3c93fbacf6 Parameter building utilities.
A fuller implementation of PARAMS_TEMPLATE as per #9266 but renamed.
This introduces a statis data type which can be used to constructor a
description of a parameter array.  It can then be converted into a OSSL_PARAM
array and the allocated storage freed by a single call to OPENSSL_free.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9305)
2019-07-17 16:59:09 +10:00
Richard Levitte
4674aaf4f2 In documentation, consistently refer to OpenSSL 3.0
3.0.0 is a habit from pre-3.0 OpenSSL, which doesn't make sense with
the new version scheme.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9376)
2019-07-15 15:13:41 +02:00
Matt Caswell
6694e51dba Provide rand_bytes_ex and rand_priv_bytes_ex
We provider internal versions of RAND_bytes() and RAND_priv_bytes() which
have the addition of taking an OPENSSL_CTX as a parameter.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9193)
2019-07-02 16:49:18 +01:00
Richard Levitte
7c95390ef0 ossl_provider_upref to ossl_provider_up_ref
Common pattern is that the routines to increment the reference count
are called something_up_ref, not something_upref.  Adapt
ossl_provider_upref() accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9293)
2019-07-02 16:30:56 +02:00
Antoine Cœur
c2969ff6e7 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
2019-07-02 14:22:29 +02:00
Matt Caswell
4cecf7a127 Add a nid 2 algorithm name mapping capability
Providers that link against libcrypto can just use OBJ_nid2sn() to look
up the name of an algorithm given a NID. However that doesn't work for the
FIPS provider because OBJ_nid2sn() is not available there (due to the
reliance of the code on ASN.1 types). Therefore we provider a new function
to do this mapping. For providers linking against libcrypto the new function
just wraps OBJ_nid2sn(). For the FIPS provider it has a look up for all the
NIDs known there.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9035)
2019-06-28 10:22:21 +01:00
Richard Levitte
651d44183e Replumbing: add support for multiple names per algorithm
Algorithms may have multiple names, as seen in the legacy names
database.  We need to support that as well.

This implementations modifies ossl_namemap to support multiple names
for the same identifier.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8967)
2019-06-24 10:58:13 +02:00
Richard Levitte
3bbec1afed Enhance and update the docs of the internal ossl_provider API
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9200)
2019-06-24 07:57:03 +02:00
Pauli
4e7991b497 Change OSSL_PARAM return size to not be a pointer.
Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)
2019-06-24 14:43:55 +10:00
Matt Caswell
1ff030c0a6 Fix a doc-nits failure
We need blank lines on each side of a section heading.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9192)
2019-06-19 13:31:08 +01:00
Matt Caswell
a1998897f6 Add some internal documentation for some thread related functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9186)
2019-06-19 11:54:34 +01:00
Richard Levitte
b4d3f203da doc/internal/man3/ossl_method_construct.pod: follow common conventions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9109)
2019-06-10 08:01:58 +02:00
Richard Levitte
2ccb1b4eca EVP fetching: make operation_id part of the method identity
Because the operation identity wasn't integrated with the created
methods, the following code would give unexpected results:

    EVP_MD *md = EVP_MD_fetch(NULL, "MD5", NULL);
    EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "MD5", NULL);

    if (md != NULL)
        printf("MD5 is a digest\n");
    if (cipher != NULL)
        printf("MD5 is a cipher\n");

The message is that MD5 is both a digest and a cipher.

Partially fixes #9106

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9109)
2019-06-10 08:01:19 +02:00
Richard Levitte
0211740fcc EVP_FETCH: remove the need to transport the legacy NID through construction
Now that the legacy NID isn't used as a main index for fetched
algorithms, the legacy NID was just transported around unnecessarily.
This is removed, and the legacy NID is simply set by EVP_{API}_fetch()
after the construction process is done.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8878)
2019-05-12 13:43:38 -07:00
Richard Levitte
2e49c05472 EVP_FETCH: deal with names without pre-defined NIDs
We didn't deal very well with names that didn't have pre-defined NIDs,
as the NID zero travelled through the full process and resulted in an
inaccessible method.  By consequence, we need to refactor the method
construction callbacks to rely more on algorithm names.

We must, however, still store the legacy NID with the method, for the
sake of other code that depend on it (for example, CMS).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8878)
2019-05-12 13:43:38 -07:00
Richard Levitte
f2182a4e6f Create internal number<->name mapping API
This can be used as a general name to identity map.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8878)
2019-05-12 13:43:38 -07:00
Matt Caswell
25b25b0f80 Update internal documentation after global data move to OPENSSL_CTX
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8857)
2019-05-02 22:42:09 +01:00
Richard Levitte
a39eb84006 Replumbing: give the possibility for the provider to create a context
OSSL_provider_init() gets another output parameter, holding a pointer
to a provider side context.  It's entirely up to the provider to
define the context and what it's being used for.  This pointer is
passed back to other provider functions, typically the provider global
get_params and set_params functions, and also the diverse algorithm
context creators, and of course, the teardown function.

With this, a provider can be instantiated more than once, or be
re-loaded as the case may be, while maintaining instance state.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8848)
2019-04-30 15:34:23 +02:00
Matt Caswell
dc46e3dde5 Use the right NID when putting a method in the store
When we attempt to fetch a method with a given NID we will ask the
providers for it if we don't already know about it. During that process
we may be told about other methods with a different NID. We need to
make sure we don't confuse the two.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8541)
2019-04-09 10:24:43 +01:00
Richard Levitte
e55008a9f2 Replumbing: add fallback provider capability
To ensure that old applications aren't left without any provider, and
at the same time not forcing any default provider on applications that
know how to deal with them, we device the concept of fallback
providers, which are automatically activated if no other provider is
already activated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8480)
2019-03-19 14:06:58 +01:00
Richard Levitte
c13d2ab439 Add generic EVP method fetcher
This is an interface between Core dispatch table fetching and
EVP_{method}_fetch().  All that's needed from the diverse method
fetchers are the functions to create a method structure from a
dispatch table, a function that ups the method reference counter and a
function to free the method (in case of failure).

This routine is internal to the EVP API andis therefore only made
accessible within crypto/evp, by including evp_locl.h

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8341)
2019-03-18 14:27:02 +01:00
Richard Levitte
a383083194 Replumbing: better reference counter control in ossl_method_construct()
Fully assume that the method constructors use reference counting.
Otherwise, we may leak memory, or loose track and do a double free.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8341)
2019-03-18 14:27:02 +01:00
Richard Levitte
9e11fe0d85 Replumbing: Add constructor of libcrypto internal method structures
This queries the provider for its available functionality (unless a
matching method structured is already cached, in which case that's
used instead), and creates method structure with the help of a passed
constructor.  The result is cached if the provider allows it (or if
caching is forced).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)
2019-03-12 20:25:46 +01:00
Richard Levitte
099bd33920 Replumbing: Add support for the provider query_operation function
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)
2019-03-12 20:25:46 +01:00
Richard Levitte
85e2417c0d Replumbing: Add an OSSL_PROVIDER iterator with callback
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)
2019-03-12 20:25:46 +01:00
Richard Levitte
c453283421 Add documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8287)
2019-03-11 20:40:13 +01:00
Pauli
8ab53b193a Make the sparse array code use ossl_uintmax_t as its index rather than size_t.
This should never reduce the range covered and might increase it on some
platforms.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8415)
2019-03-06 13:50:54 +10:00
Paul Yang
4564e77ae9 Place return values after examples in doc
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8338)
2019-02-28 21:38:19 +08:00
Richard Levitte
4ce738d083 Fixup internal documentation
There were some faults that got caught by the updated doc-nits

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8270)
2019-02-19 09:41:09 +01:00
Richard Levitte
1ad2d9404d Conform to proper NAME section format
The NAME section format is comma separated names to the left of the
left of the dash, free form on the right.  If we don't follow that
form, programs like apropos(1) and whatis(1) can't do their job
properly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8267)
2019-02-18 14:32:58 +01:00
Richard Levitte
0a79572a29 Property: naming and manual clarifiations
- Add a bit more text about that is expected of the user or
  OSSL_METHOD_STOREs.
- Clarify what a method and what a numeric identity are.
- Change all mentions of 'implementation' and 'result' to 'method'.

To clarify further: OpenSSL has used the term 'method' for structures
that mainly contains function pointers.  Those are the methods that
are expected to be stored away in OSSL_METHOD_STOREs.  In the end,
however, it's the caller's responsibility to define exactly what they
want to store, as long as its 'methods' are associated with a numeric
identity and properties.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8265)
2019-02-18 10:58:57 +01:00
Pauli
1bdbdaffdc Properties for implementation selection.
Properties are a sequence of comma separated name=value pairs.  A name
without a corresponding value is assumed to be a Boolean and have the
true value 'yes'.  Values are either strings or numbers.  Strings can be
quoted either _"_ or _'_ or unquoted (with restrictions).  There are no
escape characters inside strings.  Number are either decimal digits or
'0x' followed by hexidecimal digits.  Numbers are represented internally
as signed sixty four bit values.

Queries on properties are a sequence comma separated conditional tests.
These take the form of name=value (equality test), name!=value (inequality
test) or name (Boolean test for truth).  Queries can be parsed, compared
against a definition or merged pairwise.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8224)
2019-02-18 13:28:14 +10:00
Richard Levitte
d64b62998b Add an OpenSSL library context
The context builds on CRYPTO_EX_DATA, allowing it to be dynamically
extended with new data from the different parts of libcrypto.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8225)
2019-02-16 00:29:42 +01:00