core_namemap.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535
  1. /*
  2. * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/namemap.h"
  10. #include <openssl/lhash.h>
  11. #include "crypto/lhash.h" /* ossl_lh_strcasehash */
  12. #include "internal/tsan_assist.h"
  13. #include "internal/sizes.h"
  14. #include "crypto/context.h"
  15. /*-
  16. * The namenum entry
  17. * =================
  18. */
  19. typedef struct {
  20. char *name;
  21. int number;
  22. } NAMENUM_ENTRY;
  23. DEFINE_LHASH_OF_EX(NAMENUM_ENTRY);
  24. /*-
  25. * The namemap itself
  26. * ==================
  27. */
  28. struct ossl_namemap_st {
  29. /* Flags */
  30. unsigned int stored:1; /* If 1, it's stored in a library context */
  31. CRYPTO_RWLOCK *lock;
  32. LHASH_OF(NAMENUM_ENTRY) *namenum; /* Name->number mapping */
  33. TSAN_QUALIFIER int max_number; /* Current max number */
  34. };
  35. /* LHASH callbacks */
  36. static unsigned long namenum_hash(const NAMENUM_ENTRY *n)
  37. {
  38. return ossl_lh_strcasehash(n->name);
  39. }
  40. static int namenum_cmp(const NAMENUM_ENTRY *a, const NAMENUM_ENTRY *b)
  41. {
  42. return OPENSSL_strcasecmp(a->name, b->name);
  43. }
  44. static void namenum_free(NAMENUM_ENTRY *n)
  45. {
  46. if (n != NULL)
  47. OPENSSL_free(n->name);
  48. OPENSSL_free(n);
  49. }
  50. /* OSSL_LIB_CTX_METHOD functions for a namemap stored in a library context */
  51. void *ossl_stored_namemap_new(OSSL_LIB_CTX *libctx)
  52. {
  53. OSSL_NAMEMAP *namemap = ossl_namemap_new();
  54. if (namemap != NULL)
  55. namemap->stored = 1;
  56. return namemap;
  57. }
  58. void ossl_stored_namemap_free(void *vnamemap)
  59. {
  60. OSSL_NAMEMAP *namemap = vnamemap;
  61. if (namemap != NULL) {
  62. /* Pretend it isn't stored, or ossl_namemap_free() will do nothing */
  63. namemap->stored = 0;
  64. ossl_namemap_free(namemap);
  65. }
  66. }
  67. /*-
  68. * API functions
  69. * =============
  70. */
  71. int ossl_namemap_empty(OSSL_NAMEMAP *namemap)
  72. {
  73. #ifdef TSAN_REQUIRES_LOCKING
  74. /* No TSAN support */
  75. int rv;
  76. if (namemap == NULL)
  77. return 1;
  78. if (!CRYPTO_THREAD_read_lock(namemap->lock))
  79. return -1;
  80. rv = namemap->max_number == 0;
  81. CRYPTO_THREAD_unlock(namemap->lock);
  82. return rv;
  83. #else
  84. /* Have TSAN support */
  85. return namemap == NULL || tsan_load(&namemap->max_number) == 0;
  86. #endif
  87. }
  88. typedef struct doall_names_data_st {
  89. int number;
  90. const char **names;
  91. int found;
  92. } DOALL_NAMES_DATA;
  93. static void do_name(const NAMENUM_ENTRY *namenum, DOALL_NAMES_DATA *data)
  94. {
  95. if (namenum->number == data->number)
  96. data->names[data->found++] = namenum->name;
  97. }
  98. IMPLEMENT_LHASH_DOALL_ARG_CONST(NAMENUM_ENTRY, DOALL_NAMES_DATA);
  99. /*
  100. * Call the callback for all names in the namemap with the given number.
  101. * A return value 1 means that the callback was called for all names. A
  102. * return value of 0 means that the callback was not called for any names.
  103. */
  104. int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number,
  105. void (*fn)(const char *name, void *data),
  106. void *data)
  107. {
  108. DOALL_NAMES_DATA cbdata;
  109. size_t num_names;
  110. int i;
  111. cbdata.number = number;
  112. cbdata.found = 0;
  113. if (namemap == NULL)
  114. return 0;
  115. /*
  116. * We collect all the names first under a read lock. Subsequently we call
  117. * the user function, so that we're not holding the read lock when in user
  118. * code. This could lead to deadlocks.
  119. */
  120. if (!CRYPTO_THREAD_read_lock(namemap->lock))
  121. return 0;
  122. num_names = lh_NAMENUM_ENTRY_num_items(namemap->namenum);
  123. if (num_names == 0) {
  124. CRYPTO_THREAD_unlock(namemap->lock);
  125. return 0;
  126. }
  127. cbdata.names = OPENSSL_malloc(sizeof(*cbdata.names) * num_names);
  128. if (cbdata.names == NULL) {
  129. CRYPTO_THREAD_unlock(namemap->lock);
  130. return 0;
  131. }
  132. lh_NAMENUM_ENTRY_doall_DOALL_NAMES_DATA(namemap->namenum, do_name,
  133. &cbdata);
  134. CRYPTO_THREAD_unlock(namemap->lock);
  135. for (i = 0; i < cbdata.found; i++)
  136. fn(cbdata.names[i], data);
  137. OPENSSL_free(cbdata.names);
  138. return 1;
  139. }
  140. /* This function is not thread safe, the namemap must be locked */
  141. static int namemap_name2num(const OSSL_NAMEMAP *namemap,
  142. const char *name)
  143. {
  144. NAMENUM_ENTRY *namenum_entry, namenum_tmpl;
  145. namenum_tmpl.name = (char *)name;
  146. namenum_tmpl.number = 0;
  147. namenum_entry =
  148. lh_NAMENUM_ENTRY_retrieve(namemap->namenum, &namenum_tmpl);
  149. return namenum_entry != NULL ? namenum_entry->number : 0;
  150. }
  151. int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name)
  152. {
  153. int number;
  154. #ifndef FIPS_MODULE
  155. if (namemap == NULL)
  156. namemap = ossl_namemap_stored(NULL);
  157. #endif
  158. if (namemap == NULL)
  159. return 0;
  160. if (!CRYPTO_THREAD_read_lock(namemap->lock))
  161. return 0;
  162. number = namemap_name2num(namemap, name);
  163. CRYPTO_THREAD_unlock(namemap->lock);
  164. return number;
  165. }
  166. int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap,
  167. const char *name, size_t name_len)
  168. {
  169. char *tmp;
  170. int ret;
  171. if (name == NULL || (tmp = OPENSSL_strndup(name, name_len)) == NULL)
  172. return 0;
  173. ret = ossl_namemap_name2num(namemap, tmp);
  174. OPENSSL_free(tmp);
  175. return ret;
  176. }
  177. struct num2name_data_st {
  178. size_t idx; /* Countdown */
  179. const char *name; /* Result */
  180. };
  181. static void do_num2name(const char *name, void *vdata)
  182. {
  183. struct num2name_data_st *data = vdata;
  184. if (data->idx > 0)
  185. data->idx--;
  186. else if (data->name == NULL)
  187. data->name = name;
  188. }
  189. const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number,
  190. size_t idx)
  191. {
  192. struct num2name_data_st data;
  193. data.idx = idx;
  194. data.name = NULL;
  195. if (!ossl_namemap_doall_names(namemap, number, do_num2name, &data))
  196. return NULL;
  197. return data.name;
  198. }
  199. /* This function is not thread safe, the namemap must be locked */
  200. static int namemap_add_name(OSSL_NAMEMAP *namemap, int number,
  201. const char *name)
  202. {
  203. NAMENUM_ENTRY *namenum = NULL;
  204. int tmp_number;
  205. /* If it already exists, we don't add it */
  206. if ((tmp_number = namemap_name2num(namemap, name)) != 0)
  207. return tmp_number;
  208. if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL)
  209. return 0;
  210. if ((namenum->name = OPENSSL_strdup(name)) == NULL)
  211. goto err;
  212. /* The tsan_counter use here is safe since we're under lock */
  213. namenum->number =
  214. number != 0 ? number : 1 + tsan_counter(&namemap->max_number);
  215. (void)lh_NAMENUM_ENTRY_insert(namemap->namenum, namenum);
  216. if (lh_NAMENUM_ENTRY_error(namemap->namenum))
  217. goto err;
  218. return namenum->number;
  219. err:
  220. namenum_free(namenum);
  221. return 0;
  222. }
  223. int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number,
  224. const char *name)
  225. {
  226. int tmp_number;
  227. #ifndef FIPS_MODULE
  228. if (namemap == NULL)
  229. namemap = ossl_namemap_stored(NULL);
  230. #endif
  231. if (name == NULL || *name == 0 || namemap == NULL)
  232. return 0;
  233. if (!CRYPTO_THREAD_write_lock(namemap->lock))
  234. return 0;
  235. tmp_number = namemap_add_name(namemap, number, name);
  236. CRYPTO_THREAD_unlock(namemap->lock);
  237. return tmp_number;
  238. }
  239. int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number,
  240. const char *names, const char separator)
  241. {
  242. char *tmp, *p, *q, *endp;
  243. /* Check that we have a namemap */
  244. if (!ossl_assert(namemap != NULL)) {
  245. ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
  246. return 0;
  247. }
  248. if ((tmp = OPENSSL_strdup(names)) == NULL)
  249. return 0;
  250. if (!CRYPTO_THREAD_write_lock(namemap->lock)) {
  251. OPENSSL_free(tmp);
  252. return 0;
  253. }
  254. /*
  255. * Check that no name is an empty string, and that all names have at
  256. * most one numeric identity together.
  257. */
  258. for (p = tmp; *p != '\0'; p = q) {
  259. int this_number;
  260. size_t l;
  261. if ((q = strchr(p, separator)) == NULL) {
  262. l = strlen(p); /* offset to \0 */
  263. q = p + l;
  264. } else {
  265. l = q - p; /* offset to the next separator */
  266. *q++ = '\0';
  267. }
  268. if (*p == '\0') {
  269. ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_BAD_ALGORITHM_NAME);
  270. number = 0;
  271. goto end;
  272. }
  273. this_number = namemap_name2num(namemap, p);
  274. if (number == 0) {
  275. number = this_number;
  276. } else if (this_number != 0 && this_number != number) {
  277. ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_CONFLICTING_NAMES,
  278. "\"%s\" has an existing different identity %d (from \"%s\")",
  279. p, this_number, names);
  280. number = 0;
  281. goto end;
  282. }
  283. }
  284. endp = p;
  285. /* Now that we have checked, register all names */
  286. for (p = tmp; p < endp; p = q) {
  287. int this_number;
  288. q = p + strlen(p) + 1;
  289. this_number = namemap_add_name(namemap, number, p);
  290. if (number == 0) {
  291. number = this_number;
  292. } else if (this_number != number) {
  293. ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR,
  294. "Got number %d when expecting %d",
  295. this_number, number);
  296. number = 0;
  297. goto end;
  298. }
  299. }
  300. end:
  301. CRYPTO_THREAD_unlock(namemap->lock);
  302. OPENSSL_free(tmp);
  303. return number;
  304. }
  305. /*-
  306. * Pre-population
  307. * ==============
  308. */
  309. #ifndef FIPS_MODULE
  310. #include <openssl/evp.h>
  311. /* Creates an initial namemap with names found in the legacy method db */
  312. static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name,
  313. void *arg)
  314. {
  315. int num = 0;
  316. ASN1_OBJECT *obj;
  317. if (base_nid != NID_undef) {
  318. num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid));
  319. num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid));
  320. }
  321. if (nid != NID_undef) {
  322. num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid));
  323. num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid));
  324. if ((obj = OBJ_nid2obj(nid)) != NULL) {
  325. char txtoid[OSSL_MAX_NAME_SIZE];
  326. if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1) > 0)
  327. num = ossl_namemap_add_name(arg, num, txtoid);
  328. }
  329. }
  330. if (pem_name != NULL)
  331. num = ossl_namemap_add_name(arg, num, pem_name);
  332. }
  333. static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
  334. {
  335. const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
  336. if (cipher != NULL)
  337. get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
  338. }
  339. static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
  340. {
  341. const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
  342. if (md != NULL)
  343. get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
  344. }
  345. static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
  346. void *arg)
  347. {
  348. int nid = 0, base_nid = 0, flags = 0;
  349. const char *pem_name = NULL;
  350. EVP_PKEY_asn1_get0_info(&nid, &base_nid, &flags, NULL, &pem_name, ameth);
  351. if (nid != NID_undef) {
  352. if ((flags & ASN1_PKEY_ALIAS) == 0) {
  353. switch (nid) {
  354. case EVP_PKEY_DHX:
  355. /* We know that the name "DHX" is used too */
  356. get_legacy_evp_names(0, nid, "DHX", arg);
  357. /* FALLTHRU */
  358. default:
  359. get_legacy_evp_names(0, nid, pem_name, arg);
  360. }
  361. } else {
  362. /*
  363. * Treat aliases carefully, some of them are undesirable, or
  364. * should not be treated as such for providers.
  365. */
  366. switch (nid) {
  367. case EVP_PKEY_SM2:
  368. /*
  369. * SM2 is a separate keytype with providers, not an alias for
  370. * EC.
  371. */
  372. get_legacy_evp_names(0, nid, pem_name, arg);
  373. break;
  374. default:
  375. /* Use the short name of the base nid as the common reference */
  376. get_legacy_evp_names(base_nid, nid, pem_name, arg);
  377. }
  378. }
  379. }
  380. }
  381. #endif
  382. /*-
  383. * Constructors / destructors
  384. * ==========================
  385. */
  386. OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
  387. {
  388. #ifndef FIPS_MODULE
  389. int nms;
  390. #endif
  391. OSSL_NAMEMAP *namemap =
  392. ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX);
  393. if (namemap == NULL)
  394. return NULL;
  395. #ifndef FIPS_MODULE
  396. nms = ossl_namemap_empty(namemap);
  397. if (nms < 0) {
  398. /*
  399. * Could not get lock to make the count, so maybe internal objects
  400. * weren't added. This seems safest.
  401. */
  402. return NULL;
  403. }
  404. if (nms == 1) {
  405. int i, end;
  406. /* Before pilfering, we make sure the legacy database is populated */
  407. OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
  408. | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
  409. OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH,
  410. get_legacy_cipher_names, namemap);
  411. OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH,
  412. get_legacy_md_names, namemap);
  413. /* We also pilfer data from the legacy EVP_PKEY_ASN1_METHODs */
  414. for (i = 0, end = EVP_PKEY_asn1_get_count(); i < end; i++)
  415. get_legacy_pkey_meth_names(EVP_PKEY_asn1_get0(i), namemap);
  416. }
  417. #endif
  418. return namemap;
  419. }
  420. OSSL_NAMEMAP *ossl_namemap_new(void)
  421. {
  422. OSSL_NAMEMAP *namemap;
  423. if ((namemap = OPENSSL_zalloc(sizeof(*namemap))) != NULL
  424. && (namemap->lock = CRYPTO_THREAD_lock_new()) != NULL
  425. && (namemap->namenum =
  426. lh_NAMENUM_ENTRY_new(namenum_hash, namenum_cmp)) != NULL)
  427. return namemap;
  428. ossl_namemap_free(namemap);
  429. return NULL;
  430. }
  431. void ossl_namemap_free(OSSL_NAMEMAP *namemap)
  432. {
  433. if (namemap == NULL || namemap->stored)
  434. return;
  435. lh_NAMENUM_ENTRY_doall(namemap->namenum, namenum_free);
  436. lh_NAMENUM_ENTRY_free(namemap->namenum);
  437. CRYPTO_THREAD_lock_free(namemap->lock);
  438. OPENSSL_free(namemap);
  439. }