crypto/core_namemap.c

   1 /*
   2  * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include "internal/namemap.h"
  11 #include <openssl/lhash.h>
  12 #include "crypto/lhash.h"      /* ossl_lh_strcasehash */
  13 #include "internal/tsan_assist.h"
  14 #include "internal/sizes.h"
  15 #include "crypto/context.h"
  16
  17 /*-
  18  * The namenum entry
  19  * =================
  20  */
  21 typedef struct {
  22     char *name;
  23     int number;
  24 } NAMENUM_ENTRY;
  25
  26 DEFINE_LHASH_OF(NAMENUM_ENTRY);
  27
  28 /*-
  29  * The namemap itself
  30  * ==================
  31  */
  32
  33 struct ossl_namemap_st {
  34     /* Flags */
  35     unsigned int stored:1; /* If 1, it's stored in a library context */
  36
  37     CRYPTO_RWLOCK *lock;
  38     LHASH_OF(NAMENUM_ENTRY) *namenum;  /* Name->number mapping */
  39
  40     TSAN_QUALIFIER int max_number;     /* Current max number */
  41 };
  42
  43 /* LHASH callbacks */
  44
  45 static unsigned long namenum_hash(const NAMENUM_ENTRY *n)
  46 {
  47     return ossl_lh_strcasehash(n->name);
  48 }
  49
  50 static int namenum_cmp(const NAMENUM_ENTRY *a, const NAMENUM_ENTRY *b)
  51 {
  52     return OPENSSL_strcasecmp(a->name, b->name);
  53 }
  54
  55 static void namenum_free(NAMENUM_ENTRY *n)
  56 {
  57     if (n != NULL)
  58         OPENSSL_free(n->name);
  59     OPENSSL_free(n);
  60 }
  61
  62 /* OSSL_LIB_CTX_METHOD functions for a namemap stored in a library context */
  63
  64 void *ossl_stored_namemap_new(OSSL_LIB_CTX *libctx)
  65 {
  66     OSSL_NAMEMAP *namemap = ossl_namemap_new();
  67
  68     if (namemap != NULL)
  69         namemap->stored = 1;
  70
  71     return namemap;
  72 }
  73
  74 void ossl_stored_namemap_free(void *vnamemap)
  75 {
  76     OSSL_NAMEMAP *namemap = vnamemap;
  77
  78     if (namemap != NULL) {
  79         /* Pretend it isn't stored, or ossl_namemap_free() will do nothing */
  80         namemap->stored = 0;
  81         ossl_namemap_free(namemap);
  82     }
  83 }
  84
  85 /*-
  86  * API functions
  87  * =============
  88  */
  89
  90 int ossl_namemap_empty(OSSL_NAMEMAP *namemap)
  91 {
  92 #ifdef TSAN_REQUIRES_LOCKING
  93     /* No TSAN support */
  94     int rv;
  95
  96     if (namemap == NULL)
  97         return 1;
  98
  99     if (!CRYPTO_THREAD_read_lock(namemap->lock))
 100         return -1;
 101     rv = namemap->max_number == 0;
 102     CRYPTO_THREAD_unlock(namemap->lock);
 103     return rv;
 104 #else
 105     /* Have TSAN support */
 106     return namemap == NULL || tsan_load(&namemap->max_number) == 0;
 107 #endif
 108 }
 109
 110 typedef struct doall_names_data_st {
 111     int number;
 112     const char **names;
 113     int found;
 114 } DOALL_NAMES_DATA;
 115
 116 static void do_name(const NAMENUM_ENTRY *namenum, DOALL_NAMES_DATA *data)
 117 {
 118     if (namenum->number == data->number)
 119         data->names[data->found++] = namenum->name;
 120 }
 121
 122 IMPLEMENT_LHASH_DOALL_ARG_CONST(NAMENUM_ENTRY, DOALL_NAMES_DATA);
 123
 124 /*
 125  * Call the callback for all names in the namemap with the given number.
 126  * A return value 1 means that the callback was called for all names. A
 127  * return value of 0 means that the callback was not called for any names.
 128  */
 129 int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number,
 130                              void (*fn)(const char *name, void *data),
 131                              void *data)
 132 {
 133     DOALL_NAMES_DATA cbdata;
 134     size_t num_names;
 135     int i;
 136
 137     cbdata.number = number;
 138     cbdata.found = 0;
 139
 140     /*
 141      * We collect all the names first under a read lock. Subsequently we call
 142      * the user function, so that we're not holding the read lock when in user
 143      * code. This could lead to deadlocks.
 144      */
 145     if (!CRYPTO_THREAD_read_lock(namemap->lock))
 146         return 0;
 147
 148     num_names = lh_NAMENUM_ENTRY_num_items(namemap->namenum);
 149     if (num_names == 0) {
 150         CRYPTO_THREAD_unlock(namemap->lock);
 151         return 0;
 152     }
 153     cbdata.names = OPENSSL_malloc(sizeof(*cbdata.names) * num_names);
 154     if (cbdata.names == NULL) {
 155         CRYPTO_THREAD_unlock(namemap->lock);
 156         return 0;
 157     }
 158     lh_NAMENUM_ENTRY_doall_DOALL_NAMES_DATA(namemap->namenum, do_name,
 159                                             &cbdata);
 160     CRYPTO_THREAD_unlock(namemap->lock);
 161
 162     for (i = 0; i < cbdata.found; i++)
 163         fn(cbdata.names[i], data);
 164
 165     OPENSSL_free(cbdata.names);
 166     return 1;
 167 }
 168
 169 static int namemap_name2num(const OSSL_NAMEMAP *namemap,
 170                             const char *name)
 171 {
 172     NAMENUM_ENTRY *namenum_entry, namenum_tmpl;
 173
 174     namenum_tmpl.name = (char *)name;
 175     namenum_tmpl.number = 0;
 176     namenum_entry =
 177         lh_NAMENUM_ENTRY_retrieve(namemap->namenum, &namenum_tmpl);
 178     return namenum_entry != NULL ? namenum_entry->number : 0;
 179 }
 180
 181 int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name)
 182 {
 183     int number;
 184
 185 #ifndef FIPS_MODULE
 186     if (namemap == NULL)
 187         namemap = ossl_namemap_stored(NULL);
 188 #endif
 189
 190     if (namemap == NULL)
 191         return 0;
 192
 193     if (!CRYPTO_THREAD_read_lock(namemap->lock))
 194         return 0;
 195     number = namemap_name2num(namemap, name);
 196     CRYPTO_THREAD_unlock(namemap->lock);
 197
 198     return number;
 199 }
 200
 201 int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap,
 202                             const char *name, size_t name_len)
 203 {
 204     char *tmp;
 205     int ret;
 206
 207     if (name == NULL || (tmp = OPENSSL_strndup(name, name_len)) == NULL)
 208         return 0;
 209
 210     ret = ossl_namemap_name2num(namemap, tmp);
 211     OPENSSL_free(tmp);
 212     return ret;
 213 }
 214
 215 struct num2name_data_st {
 216     size_t idx;                  /* Countdown */
 217     const char *name;            /* Result */
 218 };
 219
 220 static void do_num2name(const char *name, void *vdata)
 221 {
 222     struct num2name_data_st *data = vdata;
 223
 224     if (data->idx > 0)
 225         data->idx--;
 226     else if (data->name == NULL)
 227         data->name = name;
 228 }
 229
 230 const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number,
 231                                   size_t idx)
 232 {
 233     struct num2name_data_st data;
 234
 235     data.idx = idx;
 236     data.name = NULL;
 237     if (!ossl_namemap_doall_names(namemap, number, do_num2name, &data))
 238         return NULL;
 239     return data.name;
 240 }
 241
 242 static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number,
 243                               const char *name, size_t name_len)
 244 {
 245     NAMENUM_ENTRY *namenum = NULL;
 246     int tmp_number;
 247     char *tmp = OPENSSL_strndup(name, name_len);
 248
 249     if (tmp == NULL)
 250         return 0;
 251
 252     /* If it already exists, we don't add it */
 253     if ((tmp_number = namemap_name2num(namemap, tmp)) != 0) {
 254         OPENSSL_free(tmp);
 255         return tmp_number;
 256     }
 257
 258     if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL)
 259         goto err;
 260     namenum->name = tmp;
 261
 262     /* The tsan_counter use here is safe since we're under lock */
 263     namenum->number =
 264         number != 0 ? number : 1 + tsan_counter(&namemap->max_number);
 265     (void)lh_NAMENUM_ENTRY_insert(namemap->namenum, namenum);
 266
 267     if (lh_NAMENUM_ENTRY_error(namemap->namenum))
 268         goto err;
 269     return namenum->number;
 270
 271  err:
 272     OPENSSL_free(tmp);
 273     OPENSSL_free(namenum);
 274     return 0;
 275 }
 276
 277 int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number,
 278                             const char *name, size_t name_len)
 279 {
 280     int tmp_number;
 281
 282 #ifndef FIPS_MODULE
 283     if (namemap == NULL)
 284         namemap = ossl_namemap_stored(NULL);
 285 #endif
 286
 287     if (name == NULL || name_len == 0 || namemap == NULL)
 288         return 0;
 289
 290     if (!CRYPTO_THREAD_write_lock(namemap->lock))
 291         return 0;
 292     tmp_number = namemap_add_name_n(namemap, number, name, name_len);
 293     CRYPTO_THREAD_unlock(namemap->lock);
 294     return tmp_number;
 295 }
 296
 297 int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name)
 298 {
 299     if (name == NULL)
 300         return 0;
 301
 302     return ossl_namemap_add_name_n(namemap, number, name, strlen(name));
 303 }
 304
 305 int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number,
 306                            const char *names, const char separator)
 307 {
 308     const char *p, *q;
 309     size_t l;
 310
 311     /* Check that we have a namemap */
 312     if (!ossl_assert(namemap != NULL)) {
 313         ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
 314         return 0;
 315     }
 316
 317     if (!CRYPTO_THREAD_write_lock(namemap->lock))
 318         return 0;
 319     /*
 320      * Check that no name is an empty string, and that all names have at
 321      * most one numeric identity together.
 322      */
 323     for (p = names; *p != '\0'; p = (q == NULL ? p + l : q + 1)) {
 324         int this_number;
 325         char *allocated;
 326         const char *tmp;
 327
 328         if ((q = strchr(p, separator)) == NULL) {
 329             l = strlen(p);       /* offset to \0 */
 330             tmp = p;
 331             allocated = NULL;
 332         } else {
 333             l = q - p;           /* offset to the next separator */
 334             tmp = allocated = OPENSSL_strndup(p, l);
 335             if (tmp == NULL)
 336                 goto err;
 337         }
 338
 339         this_number = namemap_name2num(namemap, tmp);
 340         OPENSSL_free(allocated);
 341
 342         if (*p == '\0' || *p == separator) {
 343             ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_BAD_ALGORITHM_NAME);
 344             goto err;
 345         }
 346         if (number == 0) {
 347             number = this_number;
 348         } else if (this_number != 0 && this_number != number) {
 349             ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_CONFLICTING_NAMES,
 350                            "\"%.*s\" has an existing different identity %d (from \"%s\")",
 351                            l, p, this_number, names);
 352             goto err;
 353         }
 354     }
 355
 356     /* Now that we have checked, register all names */
 357     for (p = names; *p != '\0'; p = (q == NULL ? p + l : q + 1)) {
 358         int this_number;
 359
 360         if ((q = strchr(p, separator)) == NULL)
 361             l = strlen(p);       /* offset to \0 */
 362         else
 363             l = q - p;           /* offset to the next separator */
 364
 365         this_number = namemap_add_name_n(namemap, number, p, l);
 366         if (number == 0) {
 367             number = this_number;
 368         } else if (this_number != number) {
 369             ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR,
 370                            "Got number %d when expecting %d",
 371                            this_number, number);
 372             goto err;
 373         }
 374     }
 375
 376     CRYPTO_THREAD_unlock(namemap->lock);
 377     return number;
 378
 379  err:
 380     CRYPTO_THREAD_unlock(namemap->lock);
 381     return 0;
 382 }
 383
 384 /*-
 385  * Pre-population
 386  * ==============
 387  */
 388
 389 #ifndef FIPS_MODULE
 390 #include <openssl/evp.h>
 391
 392 /* Creates an initial namemap with names found in the legacy method db */
 393 static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name,
 394                                  void *arg)
 395 {
 396     int num = 0;
 397     ASN1_OBJECT *obj;
 398
 399     if (base_nid != NID_undef) {
 400         num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid));
 401         num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid));
 402     }
 403
 404     if (nid != NID_undef) {
 405         num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid));
 406         num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid));
 407         if ((obj = OBJ_nid2obj(nid)) != NULL) {
 408             char txtoid[OSSL_MAX_NAME_SIZE];
 409
 410             if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1) > 0)
 411                 num = ossl_namemap_add_name(arg, num, txtoid);
 412         }
 413     }
 414     if (pem_name != NULL)
 415         num = ossl_namemap_add_name(arg, num, pem_name);
 416 }
 417
 418 static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
 419 {
 420     const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
 421
 422     if (cipher != NULL)
 423         get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
 424 }
 425
 426 static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
 427 {
 428     const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
 429
 430     if (md != NULL)
 431         get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
 432 }
 433
 434 static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
 435                                        void *arg)
 436 {
 437     int nid = 0, base_nid = 0, flags = 0;
 438     const char *pem_name = NULL;
 439
 440     EVP_PKEY_asn1_get0_info(&nid, &base_nid, &flags, NULL, &pem_name, ameth);
 441     if (nid != NID_undef) {
 442         if ((flags & ASN1_PKEY_ALIAS) == 0) {
 443             switch (nid) {
 444             case EVP_PKEY_DHX:
 445                 /* We know that the name "DHX" is used too */
 446                 get_legacy_evp_names(0, nid, "DHX", arg);
 447                 /* FALLTHRU */
 448             default:
 449                 get_legacy_evp_names(0, nid, pem_name, arg);
 450             }
 451         } else {
 452             /*
 453              * Treat aliases carefully, some of them are undesirable, or
 454              * should not be treated as such for providers.
 455              */
 456
 457             switch (nid) {
 458             case EVP_PKEY_SM2:
 459                 /*
 460                  * SM2 is a separate keytype with providers, not an alias for
 461                  * EC.
 462                  */
 463                 get_legacy_evp_names(0, nid, pem_name, arg);
 464                 break;
 465             default:
 466                 /* Use the short name of the base nid as the common reference */
 467                 get_legacy_evp_names(base_nid, nid, pem_name, arg);
 468             }
 469         }
 470     }
 471 }
 472 #endif
 473
 474 /*-
 475  * Constructors / destructors
 476  * ==========================
 477  */
 478
 479 OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
 480 {
 481 #ifndef FIPS_MODULE
 482     int nms;
 483 #endif
 484     OSSL_NAMEMAP *namemap =
 485         ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX);
 486
 487     if (namemap == NULL)
 488         return NULL;
 489
 490 #ifndef FIPS_MODULE
 491     nms = ossl_namemap_empty(namemap);
 492     if (nms < 0) {
 493         /*
 494          * Could not get lock to make the count, so maybe internal objects
 495          * weren't added. This seems safest.
 496          */
 497         return NULL;
 498     }
 499     if (nms == 1) {
 500         int i, end;
 501
 502         /* Before pilfering, we make sure the legacy database is populated */
 503         OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
 504                             | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
 505
 506         OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH,
 507                         get_legacy_cipher_names, namemap);
 508         OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH,
 509                         get_legacy_md_names, namemap);
 510
 511         /* We also pilfer data from the legacy EVP_PKEY_ASN1_METHODs */
 512         for (i = 0, end = EVP_PKEY_asn1_get_count(); i < end; i++)
 513             get_legacy_pkey_meth_names(EVP_PKEY_asn1_get0(i), namemap);
 514     }
 515 #endif
 516
 517     return namemap;
 518 }
 519
 520 OSSL_NAMEMAP *ossl_namemap_new(void)
 521 {
 522     OSSL_NAMEMAP *namemap;
 523
 524     if ((namemap = OPENSSL_zalloc(sizeof(*namemap))) != NULL
 525         && (namemap->lock = CRYPTO_THREAD_lock_new()) != NULL
 526         && (namemap->namenum =
 527             lh_NAMENUM_ENTRY_new(namenum_hash, namenum_cmp)) != NULL)
 528         return namemap;
 529
 530     ossl_namemap_free(namemap);
 531     return NULL;
 532 }
 533
 534 void ossl_namemap_free(OSSL_NAMEMAP *namemap)
 535 {
 536     if (namemap == NULL || namemap->stored)
 537         return;
 538
 539     lh_NAMENUM_ENTRY_doall(namemap->namenum, namenum_free);
 540     lh_NAMENUM_ENTRY_free(namemap->namenum);
 541
 542     CRYPTO_THREAD_lock_free(namemap->lock);
 543     OPENSSL_free(namemap);
 544 }