mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
7ed6de997f
Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
548 lines
14 KiB
C
548 lines
14 KiB
C
/*
|
|
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include "internal/namemap.h"
|
|
#include "internal/tsan_assist.h"
|
|
#include "internal/hashtable.h"
|
|
#include "internal/sizes.h"
|
|
#include "crypto/context.h"
|
|
|
|
#define NAMEMAP_HT_BUCKETS 2048
|
|
|
|
HT_START_KEY_DEFN(namenum_key)
|
|
HT_DEF_KEY_FIELD_CHAR_ARRAY(name, 64)
|
|
HT_END_KEY_DEFN(NAMENUM_KEY)
|
|
|
|
/*-
|
|
* The namemap itself
|
|
* ==================
|
|
*/
|
|
|
|
typedef char STRING;
|
|
typedef STACK_OF(STRING) NAMES;
|
|
|
|
DEFINE_STACK_OF(STRING)
|
|
DEFINE_STACK_OF(NAMES)
|
|
|
|
struct ossl_namemap_st {
|
|
/* Flags */
|
|
unsigned int stored:1; /* If 1, it's stored in a library context */
|
|
|
|
HT *namenum_ht; /* Name->number mapping */
|
|
|
|
CRYPTO_RWLOCK *lock;
|
|
STACK_OF(NAMES) *numnames;
|
|
|
|
TSAN_QUALIFIER int max_number; /* Current max number */
|
|
};
|
|
|
|
static void name_string_free(char *name)
|
|
{
|
|
OPENSSL_free(name);
|
|
}
|
|
|
|
static void names_free(NAMES *n)
|
|
{
|
|
sk_STRING_pop_free(n, name_string_free);
|
|
}
|
|
|
|
/* OSSL_LIB_CTX_METHOD functions for a namemap stored in a library context */
|
|
|
|
void *ossl_stored_namemap_new(OSSL_LIB_CTX *libctx)
|
|
{
|
|
OSSL_NAMEMAP *namemap = ossl_namemap_new(libctx);
|
|
|
|
if (namemap != NULL)
|
|
namemap->stored = 1;
|
|
|
|
return namemap;
|
|
}
|
|
|
|
void ossl_stored_namemap_free(void *vnamemap)
|
|
{
|
|
OSSL_NAMEMAP *namemap = vnamemap;
|
|
|
|
if (namemap != NULL) {
|
|
/* Pretend it isn't stored, or ossl_namemap_free() will do nothing */
|
|
namemap->stored = 0;
|
|
ossl_namemap_free(namemap);
|
|
}
|
|
}
|
|
|
|
/*-
|
|
* API functions
|
|
* =============
|
|
*/
|
|
|
|
int ossl_namemap_empty(OSSL_NAMEMAP *namemap)
|
|
{
|
|
#ifdef TSAN_REQUIRES_LOCKING
|
|
/* No TSAN support */
|
|
int rv;
|
|
|
|
if (namemap == NULL)
|
|
return 1;
|
|
|
|
if (!CRYPTO_THREAD_read_lock(namemap->lock))
|
|
return -1;
|
|
rv = namemap->max_number == 0;
|
|
CRYPTO_THREAD_unlock(namemap->lock);
|
|
return rv;
|
|
#else
|
|
/* Have TSAN support */
|
|
return namemap == NULL || tsan_load(&namemap->max_number) == 0;
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* Call the callback for all names in the namemap with the given number.
|
|
* A return value 1 means that the callback was called for all names. A
|
|
* return value of 0 means that the callback was not called for any names.
|
|
*/
|
|
int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number,
|
|
void (*fn)(const char *name, void *data),
|
|
void *data)
|
|
{
|
|
int i;
|
|
NAMES *names;
|
|
|
|
if (namemap == NULL || number <= 0)
|
|
return 0;
|
|
|
|
/*
|
|
* We duplicate the NAMES stack under a read lock. Subsequently we call
|
|
* the user function, so that we're not holding the read lock when in user
|
|
* code. This could lead to deadlocks.
|
|
*/
|
|
if (!CRYPTO_THREAD_read_lock(namemap->lock))
|
|
return 0;
|
|
|
|
names = sk_NAMES_value(namemap->numnames, number - 1);
|
|
if (names != NULL)
|
|
names = sk_STRING_dup(names);
|
|
|
|
CRYPTO_THREAD_unlock(namemap->lock);
|
|
|
|
if (names == NULL)
|
|
return 0;
|
|
|
|
for (i = 0; i < sk_STRING_num(names); i++)
|
|
fn(sk_STRING_value(names, i), data);
|
|
|
|
sk_STRING_free(names);
|
|
return i > 0;
|
|
}
|
|
|
|
int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name)
|
|
{
|
|
int number = 0;
|
|
HT_VALUE *val;
|
|
NAMENUM_KEY key;
|
|
|
|
#ifndef FIPS_MODULE
|
|
if (namemap == NULL)
|
|
namemap = ossl_namemap_stored(NULL);
|
|
#endif
|
|
|
|
if (namemap == NULL)
|
|
return 0;
|
|
|
|
HT_INIT_KEY(&key);
|
|
HT_SET_KEY_STRING_CASE(&key, name, name);
|
|
|
|
val = ossl_ht_get(namemap->namenum_ht, TO_HT_KEY(&key));
|
|
|
|
if (val != NULL)
|
|
/* We store a (small) int directly instead of a pointer to it. */
|
|
number = (int)(intptr_t)val->value;
|
|
|
|
return number;
|
|
}
|
|
|
|
/* TODO: Optimize to avoid strndup() */
|
|
int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap,
|
|
const char *name, size_t name_len)
|
|
{
|
|
char *tmp;
|
|
int ret;
|
|
|
|
if (name == NULL || (tmp = OPENSSL_strndup(name, name_len)) == NULL)
|
|
return 0;
|
|
|
|
ret = ossl_namemap_name2num(namemap, tmp);
|
|
OPENSSL_free(tmp);
|
|
return ret;
|
|
}
|
|
|
|
const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number,
|
|
size_t idx)
|
|
{
|
|
NAMES *names;
|
|
const char *ret = NULL;
|
|
|
|
if (namemap == NULL || number <= 0)
|
|
return NULL;
|
|
|
|
if (!CRYPTO_THREAD_read_lock(namemap->lock))
|
|
return NULL;
|
|
|
|
names = sk_NAMES_value(namemap->numnames, number - 1);
|
|
if (names != NULL)
|
|
ret = sk_STRING_value(names, idx);
|
|
|
|
CRYPTO_THREAD_unlock(namemap->lock);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* This function is not thread safe, the namemap must be locked */
|
|
static int numname_insert(OSSL_NAMEMAP *namemap, int number,
|
|
const char *name)
|
|
{
|
|
NAMES *names;
|
|
char *tmpname;
|
|
|
|
if (number > 0) {
|
|
names = sk_NAMES_value(namemap->numnames, number - 1);
|
|
if (!ossl_assert(names != NULL)) {
|
|
/* cannot happen */
|
|
return 0;
|
|
}
|
|
} else {
|
|
/* a completely new entry */
|
|
names = sk_STRING_new_null();
|
|
if (names == NULL)
|
|
return 0;
|
|
}
|
|
|
|
if ((tmpname = OPENSSL_strdup(name)) == NULL)
|
|
goto err;
|
|
|
|
if (!sk_STRING_push(names, tmpname))
|
|
goto err;
|
|
|
|
if (number <= 0) {
|
|
if (!sk_NAMES_push(namemap->numnames, names))
|
|
goto err;
|
|
number = sk_NAMES_num(namemap->numnames);
|
|
}
|
|
return number;
|
|
|
|
err:
|
|
if (number <= 0)
|
|
sk_STRING_free(names);
|
|
OPENSSL_free(tmpname);
|
|
return 0;
|
|
}
|
|
|
|
/* This function is not thread safe, the namemap must be locked */
|
|
static int namemap_add_name(OSSL_NAMEMAP *namemap, int number,
|
|
const char *name)
|
|
{
|
|
int ret;
|
|
HT_VALUE val = { 0 };
|
|
NAMENUM_KEY key;
|
|
|
|
/* If it already exists, we don't add it */
|
|
if ((ret = ossl_namemap_name2num(namemap, name)) != 0)
|
|
return ret;
|
|
|
|
if ((number = numname_insert(namemap, number, name)) == 0)
|
|
return 0;
|
|
|
|
/* Using tsan_store alone here is safe since we're under lock */
|
|
tsan_store(&namemap->max_number, number);
|
|
|
|
HT_INIT_KEY(&key);
|
|
HT_SET_KEY_STRING_CASE(&key, name, name);
|
|
val.value = (void *)(intptr_t)number;
|
|
ret = ossl_ht_insert(namemap->namenum_ht, TO_HT_KEY(&key), &val, NULL);
|
|
if (!ossl_assert(ret != 0)) /* cannot happen as we are under write lock */
|
|
return 0;
|
|
if (ret < 1) {
|
|
/* unable to insert due to too many collisions */
|
|
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_NAMES);
|
|
return 0;
|
|
}
|
|
return number;
|
|
}
|
|
|
|
int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number,
|
|
const char *name)
|
|
{
|
|
int tmp_number;
|
|
|
|
#ifndef FIPS_MODULE
|
|
if (namemap == NULL)
|
|
namemap = ossl_namemap_stored(NULL);
|
|
#endif
|
|
|
|
if (name == NULL || *name == 0 || namemap == NULL)
|
|
return 0;
|
|
|
|
if (!CRYPTO_THREAD_write_lock(namemap->lock))
|
|
return 0;
|
|
tmp_number = namemap_add_name(namemap, number, name);
|
|
CRYPTO_THREAD_unlock(namemap->lock);
|
|
return tmp_number;
|
|
}
|
|
|
|
int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number,
|
|
const char *names, const char separator)
|
|
{
|
|
char *tmp, *p, *q, *endp;
|
|
|
|
/* Check that we have a namemap */
|
|
if (!ossl_assert(namemap != NULL)) {
|
|
ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
|
|
return 0;
|
|
}
|
|
|
|
if ((tmp = OPENSSL_strdup(names)) == NULL)
|
|
return 0;
|
|
|
|
if (!CRYPTO_THREAD_write_lock(namemap->lock)) {
|
|
OPENSSL_free(tmp);
|
|
return 0;
|
|
}
|
|
/*
|
|
* Check that no name is an empty string, and that all names have at
|
|
* most one numeric identity together.
|
|
*/
|
|
for (p = tmp; *p != '\0'; p = q) {
|
|
int this_number;
|
|
size_t l;
|
|
|
|
if ((q = strchr(p, separator)) == NULL) {
|
|
l = strlen(p); /* offset to \0 */
|
|
q = p + l;
|
|
} else {
|
|
l = q - p; /* offset to the next separator */
|
|
*q++ = '\0';
|
|
}
|
|
|
|
if (*p == '\0') {
|
|
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_BAD_ALGORITHM_NAME);
|
|
number = 0;
|
|
goto end;
|
|
}
|
|
|
|
this_number = ossl_namemap_name2num(namemap, p);
|
|
|
|
if (number == 0) {
|
|
number = this_number;
|
|
} else if (this_number != 0 && this_number != number) {
|
|
ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_CONFLICTING_NAMES,
|
|
"\"%s\" has an existing different identity %d (from \"%s\")",
|
|
p, this_number, names);
|
|
number = 0;
|
|
goto end;
|
|
}
|
|
}
|
|
endp = p;
|
|
|
|
/* Now that we have checked, register all names */
|
|
for (p = tmp; p < endp; p = q) {
|
|
int this_number;
|
|
|
|
q = p + strlen(p) + 1;
|
|
|
|
this_number = namemap_add_name(namemap, number, p);
|
|
if (number == 0) {
|
|
number = this_number;
|
|
} else if (this_number != number) {
|
|
ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR,
|
|
"Got number %d when expecting %d",
|
|
this_number, number);
|
|
number = 0;
|
|
goto end;
|
|
}
|
|
}
|
|
|
|
end:
|
|
CRYPTO_THREAD_unlock(namemap->lock);
|
|
OPENSSL_free(tmp);
|
|
return number;
|
|
}
|
|
|
|
/*-
|
|
* Pre-population
|
|
* ==============
|
|
*/
|
|
|
|
#ifndef FIPS_MODULE
|
|
#include <openssl/evp.h>
|
|
|
|
/* Creates an initial namemap with names found in the legacy method db */
|
|
static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name,
|
|
void *arg)
|
|
{
|
|
int num = 0;
|
|
ASN1_OBJECT *obj;
|
|
|
|
if (base_nid != NID_undef) {
|
|
num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid));
|
|
num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid));
|
|
}
|
|
|
|
if (nid != NID_undef) {
|
|
num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid));
|
|
num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid));
|
|
if ((obj = OBJ_nid2obj(nid)) != NULL) {
|
|
char txtoid[OSSL_MAX_NAME_SIZE];
|
|
|
|
if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1) > 0)
|
|
num = ossl_namemap_add_name(arg, num, txtoid);
|
|
}
|
|
}
|
|
if (pem_name != NULL)
|
|
num = ossl_namemap_add_name(arg, num, pem_name);
|
|
}
|
|
|
|
static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
|
|
{
|
|
const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
|
|
|
|
if (cipher != NULL)
|
|
get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
|
|
}
|
|
|
|
static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
|
|
{
|
|
const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
|
|
|
|
if (md != NULL)
|
|
get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
|
|
}
|
|
|
|
static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
|
|
void *arg)
|
|
{
|
|
int nid = 0, base_nid = 0, flags = 0;
|
|
const char *pem_name = NULL;
|
|
|
|
EVP_PKEY_asn1_get0_info(&nid, &base_nid, &flags, NULL, &pem_name, ameth);
|
|
if (nid != NID_undef) {
|
|
if ((flags & ASN1_PKEY_ALIAS) == 0) {
|
|
switch (nid) {
|
|
case EVP_PKEY_DHX:
|
|
/* We know that the name "DHX" is used too */
|
|
get_legacy_evp_names(0, nid, "DHX", arg);
|
|
/* FALLTHRU */
|
|
default:
|
|
get_legacy_evp_names(0, nid, pem_name, arg);
|
|
}
|
|
} else {
|
|
/*
|
|
* Treat aliases carefully, some of them are undesirable, or
|
|
* should not be treated as such for providers.
|
|
*/
|
|
|
|
switch (nid) {
|
|
case EVP_PKEY_SM2:
|
|
/*
|
|
* SM2 is a separate keytype with providers, not an alias for
|
|
* EC.
|
|
*/
|
|
get_legacy_evp_names(0, nid, pem_name, arg);
|
|
break;
|
|
default:
|
|
/* Use the short name of the base nid as the common reference */
|
|
get_legacy_evp_names(base_nid, nid, pem_name, arg);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
/*-
|
|
* Constructors / destructors
|
|
* ==========================
|
|
*/
|
|
|
|
OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
|
|
{
|
|
#ifndef FIPS_MODULE
|
|
int nms;
|
|
#endif
|
|
OSSL_NAMEMAP *namemap =
|
|
ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX);
|
|
|
|
if (namemap == NULL)
|
|
return NULL;
|
|
|
|
#ifndef FIPS_MODULE
|
|
nms = ossl_namemap_empty(namemap);
|
|
if (nms < 0) {
|
|
/*
|
|
* Could not get lock to make the count, so maybe internal objects
|
|
* weren't added. This seems safest.
|
|
*/
|
|
return NULL;
|
|
}
|
|
if (nms == 1) {
|
|
int i, end;
|
|
|
|
/* Before pilfering, we make sure the legacy database is populated */
|
|
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
|
|
| OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
|
|
|
|
OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH,
|
|
get_legacy_cipher_names, namemap);
|
|
OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH,
|
|
get_legacy_md_names, namemap);
|
|
|
|
/* We also pilfer data from the legacy EVP_PKEY_ASN1_METHODs */
|
|
for (i = 0, end = EVP_PKEY_asn1_get_count(); i < end; i++)
|
|
get_legacy_pkey_meth_names(EVP_PKEY_asn1_get0(i), namemap);
|
|
}
|
|
#endif
|
|
|
|
return namemap;
|
|
}
|
|
|
|
OSSL_NAMEMAP *ossl_namemap_new(OSSL_LIB_CTX *libctx)
|
|
{
|
|
OSSL_NAMEMAP *namemap;
|
|
HT_CONFIG htconf = { NULL, NULL, NULL, NAMEMAP_HT_BUCKETS, 1, 1 };
|
|
|
|
htconf.ctx = libctx;
|
|
|
|
if ((namemap = OPENSSL_zalloc(sizeof(*namemap))) == NULL)
|
|
goto err;
|
|
|
|
if ((namemap->lock = CRYPTO_THREAD_lock_new()) == NULL)
|
|
goto err;
|
|
|
|
if ((namemap->namenum_ht = ossl_ht_new(&htconf)) == NULL)
|
|
goto err;
|
|
|
|
if ((namemap->numnames = sk_NAMES_new_null()) == NULL)
|
|
goto err;
|
|
|
|
return namemap;
|
|
|
|
err:
|
|
ossl_namemap_free(namemap);
|
|
return NULL;
|
|
}
|
|
|
|
void ossl_namemap_free(OSSL_NAMEMAP *namemap)
|
|
{
|
|
if (namemap == NULL || namemap->stored)
|
|
return;
|
|
|
|
sk_NAMES_pop_free(namemap->numnames, names_free);
|
|
|
|
ossl_ht_free(namemap->namenum_ht);
|
|
|
|
CRYPTO_THREAD_lock_free(namemap->lock);
|
|
OPENSSL_free(namemap);
|
|
}
|