diff options
Diffstat (limited to 'crypto/encode_decode/decoder_pkey.c')
-rw-r--r-- | crypto/encode_decode/decoder_pkey.c | 762 |
1 files changed, 601 insertions, 161 deletions
diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index ad5e2805319b..f99566bde744 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,11 @@ #include <openssl/trace.h> #include "crypto/evp.h" #include "crypto/decoder.h" +#include "crypto/evp/evp_local.h" +#include "crypto/lhash.h" #include "encoder_local.h" +#include "internal/namemap.h" +#include "internal/sizes.h" int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx, const unsigned char *kstr, @@ -61,6 +65,7 @@ struct decoder_pkey_data_st { STACK_OF(EVP_KEYMGMT) *keymgmts; char *object_type; /* recorded object data type, may be NULL */ void **object; /* Where the result should end up */ + OSSL_DECODER_CTX *ctx; /* The parent decoder context */ }; static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, @@ -167,6 +172,14 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, keydata = import_data.keydata; import_data.keydata = NULL; } + /* + * When load or import fails, because this is not an acceptable key + * (despite the provided key material being syntactically valid), the + * reason why the key is rejected would be lost, unless we signal a + * hard error, and suppress resetting for another try. + */ + if (keydata == NULL) + ossl_decoder_ctx_set_harderr(data->ctx); if (keydata != NULL && (pkey = evp_keymgmt_util_make_pkey(keymgmt, keydata)) == NULL) @@ -199,53 +212,97 @@ static void decoder_clean_pkey_construct_arg(void *construct_data) } } -static void collect_name(const char *name, void *arg) -{ - STACK_OF(OPENSSL_CSTRING) *names = arg; +struct collect_data_st { + OSSL_LIB_CTX *libctx; + OSSL_DECODER_CTX *ctx; - sk_OPENSSL_CSTRING_push(names, name); -} + const char *keytype; /* the keytype requested, if any */ + int keytype_id; /* if keytype_resolved is set, keymgmt name_id; else 0 */ + int sm2_id; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */ + int total; /* number of matching results */ + char error_occurred; + char keytype_resolved; -static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) + STACK_OF(EVP_KEYMGMT) *keymgmts; +}; + +static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, + void *provctx, struct collect_data_st *data) { - STACK_OF(EVP_KEYMGMT) *keymgmts = arg; + void *decoderctx = NULL; + OSSL_DECODER_INSTANCE *di = NULL; + + /* + * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we + * don't check it again here. + */ - if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */) + if (keymgmt->name_id != decoder->base.id) + /* Mismatch is not an error, continue. */ return; - if (sk_EVP_KEYMGMT_push(keymgmts, keymgmt) <= 0) { - EVP_KEYMGMT_free(keymgmt); /* ref-- */ + + if ((decoderctx = decoder->newctx(provctx)) == NULL) { + data->error_occurred = 1; return; } -} -struct collect_decoder_data_st { - STACK_OF(OPENSSL_CSTRING) *names; - OSSL_DECODER_CTX *ctx; + if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { + decoder->freectx(decoderctx); + data->error_occurred = 1; + return; + } - int total; - unsigned int error_occurred:1; -}; + /* + * Input types must be compatible, but we must accept DER encoders when the + * start input type is "PEM". + */ + if (data->ctx->start_input_type != NULL + && di->input_type != NULL + && OPENSSL_strcasecmp(di->input_type, data->ctx->start_input_type) != 0 + && (OPENSSL_strcasecmp(di->input_type, "DER") != 0 + || OPENSSL_strcasecmp(data->ctx->start_input_type, "PEM") != 0)) { + /* Mismatch is not an error, continue. */ + ossl_decoder_instance_free(di); + return; + } + + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) Checking out decoder %p:\n" + " %s with %s\n", + (void *)data->ctx, (void *)decoder, + OSSL_DECODER_get0_name(decoder), + OSSL_DECODER_get0_properties(decoder)); + } OSSL_TRACE_END(DECODER); + + if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { + ossl_decoder_instance_free(di); + data->error_occurred = 1; + return; + } + + ++data->total; +} static void collect_decoder(OSSL_DECODER *decoder, void *arg) { - struct collect_decoder_data_st *data = arg; - size_t i, end_i; - const OSSL_PROVIDER *prov = OSSL_DECODER_get0_provider(decoder); - void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov); + struct collect_data_st *data = arg; + STACK_OF(EVP_KEYMGMT) *keymgmts = data->keymgmts; + int i, end_i; + EVP_KEYMGMT *keymgmt; + const OSSL_PROVIDER *prov; + void *provctx; if (data->error_occurred) return; - if (data->names == NULL) { - data->error_occurred = 1; - return; - } + prov = OSSL_DECODER_get0_provider(decoder); + provctx = OSSL_PROVIDER_get0_provider_ctx(prov); /* - * Either the caller didn't give a selection, or if they did, - * the decoder must tell us if it supports that selection to - * be accepted. If the decoder doesn't have |does_selection|, - * it's seen as taking anything. + * Either the caller didn't give us a selection, or if they did, the decoder + * must tell us if it supports that selection to be accepted. If the decoder + * doesn't have |does_selection|, it's seen as taking anything. */ if (decoder->does_selection != NULL && !decoder->does_selection(provctx, data->ctx->selection)) @@ -260,68 +317,101 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg) OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); - end_i = sk_OPENSSL_CSTRING_num(data->names); - for (i = 0; i < end_i; i++) { - const char *name = sk_OPENSSL_CSTRING_value(data->names, i); + end_i = sk_EVP_KEYMGMT_num(keymgmts); + for (i = 0; i < end_i; ++i) { + keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i); - if (OSSL_DECODER_is_a(decoder, name)) { - void *decoderctx = NULL; - OSSL_DECODER_INSTANCE *di = NULL; + collect_decoder_keymgmt(keymgmt, decoder, provctx, data); + if (data->error_occurred) + return; + } +} - if ((decoderctx = decoder->newctx(provctx)) == NULL) { - data->error_occurred = 1; - return; - } - if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { - decoder->freectx(decoderctx); - data->error_occurred = 1; - return; - } +/* + * Is this EVP_KEYMGMT applicable given the key type given in the call to + * ossl_decoder_ctx_setup_for_pkey (if any)? + */ +static int check_keymgmt(EVP_KEYMGMT *keymgmt, struct collect_data_st *data) +{ + /* If no keytype was specified, everything matches. */ + if (data->keytype == NULL) + return 1; - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) Checking out decoder %p:\n" - " %s with %s\n", - (void *)data->ctx, (void *)decoder, - OSSL_DECODER_get0_name(decoder), - OSSL_DECODER_get0_properties(decoder)); - } OSSL_TRACE_END(DECODER); + if (!data->keytype_resolved) { + /* We haven't cached the IDs from the keytype string yet. */ + OSSL_NAMEMAP *namemap = ossl_namemap_stored(data->libctx); + data->keytype_id = ossl_namemap_name2num(namemap, data->keytype); - if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { - ossl_decoder_instance_free(di); - data->error_occurred = 1; - return; - } - data->total++; + /* + * If keytype is a value ambiguously used for both EC and SM2, + * collect the ID for SM2 as well. + */ + if (data->keytype_id != 0 + && (strcmp(data->keytype, "id-ecPublicKey") == 0 + || strcmp(data->keytype, "1.2.840.10045.2.1") == 0)) + data->sm2_id = ossl_namemap_name2num(namemap, "SM2"); - /* Success */ - return; - } + /* + * If keytype_id is zero the name was not found, but we still + * set keytype_resolved to avoid trying all this again. + */ + data->keytype_resolved = 1; } - /* Decoder not suitable - but not a fatal error */ - data->error_occurred = 0; + /* Specified keytype could not be resolved, so nothing matches. */ + if (data->keytype_id == 0) + return 0; + + /* Does not match the keytype specified, so skip. */ + if (keymgmt->name_id != data->keytype_id + && keymgmt->name_id != data->sm2_id) + return 0; + + return 1; } -int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, - EVP_PKEY **pkey, const char *keytype, - OSSL_LIB_CTX *libctx, - const char *propquery) +static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) { - struct decoder_pkey_data_st *process_data = NULL; - STACK_OF(OPENSSL_CSTRING) *names = NULL; - const char *input_type = ctx->start_input_type; - const char *input_structure = ctx->input_structure; - int ok = 0; - int isecoid = 0; - int i, end; + struct collect_data_st *data = arg; + + if (!check_keymgmt(keymgmt, data)) + return; + + /* + * We have to ref EVP_KEYMGMT here because in the success case, + * data->keymgmts is referenced by the constructor we register in the + * OSSL_DECODER_CTX. The registered cleanup function + * (decoder_clean_pkey_construct_arg) unrefs every element of the stack and + * frees it. + */ + if (!EVP_KEYMGMT_up_ref(keymgmt)) + return; + + if (sk_EVP_KEYMGMT_push(data->keymgmts, keymgmt) <= 0) { + EVP_KEYMGMT_free(keymgmt); + data->error_occurred = 1; + } +} - if (keytype != NULL - && (strcmp(keytype, "id-ecPublicKey") == 0 - || strcmp(keytype, "1.2.840.10045.2.1") == 0)) - isecoid = 1; +/* + * This function does the actual binding of decoders to the OSSL_DECODER_CTX. It + * searches for decoders matching 'keytype', which is a string like "RSA", "DH", + * etc. If 'keytype' is NULL, decoders for all keytypes are bound. + */ +static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, + const char *keytype, + OSSL_LIB_CTX *libctx, + const char *propquery) +{ + int ok = 0; + struct decoder_pkey_data_st *process_data = NULL; + struct collect_data_st collect_data = { NULL }; + STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; OSSL_TRACE_BEGIN(DECODER) { + const char *input_type = ctx->start_input_type; + const char *input_structure = ctx->input_structure; + BIO_printf(trc_out, "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n", (void *)ctx, @@ -333,81 +423,66 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, input_structure != NULL ? input_structure : ""); } OSSL_TRACE_END(DECODER); - if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL - || (propquery != NULL - && (process_data->propq = OPENSSL_strdup(propquery)) == NULL) - || (process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL - || (names = sk_OPENSSL_CSTRING_new_null()) == NULL) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); + /* Allocate data. */ + if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL) + goto err; + if ((propquery != NULL + && (process_data->propq = OPENSSL_strdup(propquery)) == NULL)) + goto err; + + /* Allocate our list of EVP_KEYMGMTs. */ + keymgmts = sk_EVP_KEYMGMT_new_null(); + if (keymgmts == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); goto err; } - process_data->object = (void **)pkey; - process_data->libctx = libctx; + process_data->object = NULL; + process_data->libctx = libctx; process_data->selection = ctx->selection; + process_data->keymgmts = keymgmts; - /* First, find all keymgmts to form goals */ - EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, - process_data->keymgmts); + /* + * Enumerate all keymgmts into a stack. + * + * We could nest EVP_KEYMGMT_do_all_provided inside + * OSSL_DECODER_do_all_provided or vice versa but these functions become + * bottlenecks if called repeatedly, which is why we collect the + * EVP_KEYMGMTs into a stack here and call both functions only once. + * + * We resolve the keytype string to a name ID so we don't have to resolve it + * multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a + * performance bottleneck. However, we do this lazily on the first call to + * collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it + * upfront, as this ensures that the names for all loaded providers have + * been registered by the time we try to resolve the keytype string. + */ + collect_data.ctx = ctx; + collect_data.libctx = libctx; + collect_data.keymgmts = keymgmts; + collect_data.keytype = keytype; + EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data); - /* Then, we collect all the keymgmt names */ - end = sk_EVP_KEYMGMT_num(process_data->keymgmts); - for (i = 0; i < end; i++) { - EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(process_data->keymgmts, i); + if (collect_data.error_occurred) + goto err; - /* - * If the key type is given by the caller, we only use the matching - * KEYMGMTs, otherwise we use them all. - * We have to special case SM2 here because of its abuse of the EC OID. - * The EC OID can be used to identify an EC key or an SM2 key - so if - * we have seen that OID we try both key types - */ - if (keytype == NULL - || EVP_KEYMGMT_is_a(keymgmt, keytype) - || (isecoid && EVP_KEYMGMT_is_a(keymgmt, "SM2"))) { - if (!EVP_KEYMGMT_names_do_all(keymgmt, collect_name, names)) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); - goto err; - } - } - } + /* Enumerate all matching decoders. */ + OSSL_DECODER_do_all_provided(libctx, collect_decoder, &collect_data); + + if (collect_data.error_occurred) + goto err; OSSL_TRACE_BEGIN(DECODER) { - end = sk_OPENSSL_CSTRING_num(names); BIO_printf(trc_out, - " Found %d keytypes (possibly with duplicates)", - end); - for (i = 0; i < end; i++) - BIO_printf(trc_out, "%s%s", - i == 0 ? ": " : ", ", - sk_OPENSSL_CSTRING_value(names, i)); - BIO_printf(trc_out, "\n"); + "(ctx %p) Got %d decoders producing keys\n", + (void *)ctx, collect_data.total); } OSSL_TRACE_END(DECODER); /* - * Finally, find all decoders that have any keymgmt of the collected - * keymgmt names + * Finish initializing the decoder context. If one or more decoders matched + * above then the number of decoders attached to the OSSL_DECODER_CTX will + * be nonzero. Else nothing was found and we do nothing. */ - { - struct collect_decoder_data_st collect_decoder_data = { NULL, }; - - collect_decoder_data.names = names; - collect_decoder_data.ctx = ctx; - OSSL_DECODER_do_all_provided(libctx, - collect_decoder, &collect_decoder_data); - sk_OPENSSL_CSTRING_free(names); - names = NULL; - - if (collect_decoder_data.error_occurred) - goto err; - - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) Got %d decoders producing keys\n", - (void *)ctx, collect_decoder_data.total); - } OSSL_TRACE_END(DECODER); - } - if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) { if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey) || !OSSL_DECODER_CTX_set_construct_data(ctx, process_data) @@ -421,11 +496,267 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, ok = 1; err: decoder_clean_pkey_construct_arg(process_data); - sk_OPENSSL_CSTRING_free(names); - return ok; } +/* Only const here because deep_copy requires it */ +static EVP_KEYMGMT *keymgmt_dup(const EVP_KEYMGMT *keymgmt) +{ + if (!EVP_KEYMGMT_up_ref((EVP_KEYMGMT *)keymgmt)) + return NULL; + + return (EVP_KEYMGMT *)keymgmt; +} + +/* + * Duplicates a template OSSL_DECODER_CTX that has been setup for an EVP_PKEY + * operation and sets up the duplicate for a new operation. + * It does not duplicate the pwdata on the assumption that this does not form + * part of the template. That is set up later. + */ +static OSSL_DECODER_CTX * +ossl_decoder_ctx_for_pkey_dup(OSSL_DECODER_CTX *src, + EVP_PKEY **pkey, + const char *input_type, + const char *input_structure) +{ + OSSL_DECODER_CTX *dest; + struct decoder_pkey_data_st *process_data_src, *process_data_dest = NULL; + + if (src == NULL) + return NULL; + + if ((dest = OSSL_DECODER_CTX_new()) == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + return NULL; + } + + if (!OSSL_DECODER_CTX_set_input_type(dest, input_type) + || !OSSL_DECODER_CTX_set_input_structure(dest, input_structure)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + goto err; + } + dest->selection = src->selection; + + if (src->decoder_insts != NULL) { + dest->decoder_insts + = sk_OSSL_DECODER_INSTANCE_deep_copy(src->decoder_insts, + ossl_decoder_instance_dup, + ossl_decoder_instance_free); + if (dest->decoder_insts == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + goto err; + } + } + + if (!OSSL_DECODER_CTX_set_construct(dest, + OSSL_DECODER_CTX_get_construct(src))) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + goto err; + } + + process_data_src = OSSL_DECODER_CTX_get_construct_data(src); + if (process_data_src != NULL) { + process_data_dest = OPENSSL_zalloc(sizeof(*process_data_dest)); + if (process_data_dest == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); + goto err; + } + if (process_data_src->propq != NULL) { + process_data_dest->propq = OPENSSL_strdup(process_data_src->propq); + if (process_data_dest->propq == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); + goto err; + } + } + + if (process_data_src->keymgmts != NULL) { + process_data_dest->keymgmts + = sk_EVP_KEYMGMT_deep_copy(process_data_src->keymgmts, + keymgmt_dup, + EVP_KEYMGMT_free); + if (process_data_dest->keymgmts == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_EVP_LIB); + goto err; + } + } + + process_data_dest->object = (void **)pkey; + process_data_dest->libctx = process_data_src->libctx; + process_data_dest->selection = process_data_src->selection; + process_data_dest->ctx = dest; + if (!OSSL_DECODER_CTX_set_construct_data(dest, process_data_dest)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + goto err; + } + process_data_dest = NULL; + } + + if (!OSSL_DECODER_CTX_set_cleanup(dest, + OSSL_DECODER_CTX_get_cleanup(src))) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + goto err; + } + + return dest; + err: + decoder_clean_pkey_construct_arg(process_data_dest); + OSSL_DECODER_CTX_free(dest); + return NULL; +} + +typedef struct { + char *input_type; + char *input_structure; + char *keytype; + int selection; + char *propquery; + OSSL_DECODER_CTX *template; +} DECODER_CACHE_ENTRY; + +DEFINE_LHASH_OF_EX(DECODER_CACHE_ENTRY); + +typedef struct { + CRYPTO_RWLOCK *lock; + LHASH_OF(DECODER_CACHE_ENTRY) *hashtable; +} DECODER_CACHE; + +static void decoder_cache_entry_free(DECODER_CACHE_ENTRY *entry) +{ + if (entry == NULL) + return; + OPENSSL_free(entry->input_type); + OPENSSL_free(entry->input_structure); + OPENSSL_free(entry->keytype); + OPENSSL_free(entry->propquery); + OSSL_DECODER_CTX_free(entry->template); + OPENSSL_free(entry); +} + +static unsigned long decoder_cache_entry_hash(const DECODER_CACHE_ENTRY *cache) +{ + unsigned long hash = 17; + + hash = (hash * 23) + + (cache->propquery == NULL + ? 0 : ossl_lh_strcasehash(cache->propquery)); + hash = (hash * 23) + + (cache->input_structure == NULL + ? 0 : ossl_lh_strcasehash(cache->input_structure)); + hash = (hash * 23) + + (cache->input_type == NULL + ? 0 : ossl_lh_strcasehash(cache->input_type)); + hash = (hash * 23) + + (cache->keytype == NULL + ? 0 : ossl_lh_strcasehash(cache->keytype)); + + hash ^= cache->selection; + + return hash; +} + +static ossl_inline int nullstrcmp(const char *a, const char *b, int casecmp) +{ + if (a == NULL || b == NULL) { + if (a == NULL) { + if (b == NULL) + return 0; + else + return 1; + } else { + return -1; + } + } else { + if (casecmp) + return OPENSSL_strcasecmp(a, b); + else + return strcmp(a, b); + } +} + +static int decoder_cache_entry_cmp(const DECODER_CACHE_ENTRY *a, + const DECODER_CACHE_ENTRY *b) +{ + int cmp; + + if (a->selection != b->selection) + return (a->selection < b->selection) ? -1 : 1; + + cmp = nullstrcmp(a->keytype, b->keytype, 1); + if (cmp != 0) + return cmp; + + cmp = nullstrcmp(a->input_type, b->input_type, 1); + if (cmp != 0) + return cmp; + + cmp = nullstrcmp(a->input_structure, b->input_structure, 1); + if (cmp != 0) + return cmp; + + cmp = nullstrcmp(a->propquery, b->propquery, 0); + + return cmp; +} + +void *ossl_decoder_cache_new(OSSL_LIB_CTX *ctx) +{ + DECODER_CACHE *cache = OPENSSL_malloc(sizeof(*cache)); + + if (cache == NULL) + return NULL; + + cache->lock = CRYPTO_THREAD_lock_new(); + if (cache->lock == NULL) { + OPENSSL_free(cache); + return NULL; + } + cache->hashtable = lh_DECODER_CACHE_ENTRY_new(decoder_cache_entry_hash, + decoder_cache_entry_cmp); + if (cache->hashtable == NULL) { + CRYPTO_THREAD_lock_free(cache->lock); + OPENSSL_free(cache); + return NULL; + } + + return cache; +} + +void ossl_decoder_cache_free(void *vcache) +{ + DECODER_CACHE *cache = (DECODER_CACHE *)vcache; + + lh_DECODER_CACHE_ENTRY_doall(cache->hashtable, decoder_cache_entry_free); + lh_DECODER_CACHE_ENTRY_free(cache->hashtable); + CRYPTO_THREAD_lock_free(cache->lock); + OPENSSL_free(cache); +} + +/* + * Called whenever a provider gets activated/deactivated. In that case the + * decoders that are available might change so we flush our cache. + */ +int ossl_decoder_cache_flush(OSSL_LIB_CTX *libctx) +{ + DECODER_CACHE *cache + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_CACHE_INDEX); + + if (cache == NULL) + return 0; + + + if (!CRYPTO_THREAD_write_lock(cache->lock)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + return 0; + } + + lh_DECODER_CACHE_ENTRY_doall(cache->hashtable, decoder_cache_entry_free); + lh_DECODER_CACHE_ENTRY_flush(cache->hashtable); + + CRYPTO_THREAD_unlock(cache->lock); + return 1; +} + OSSL_DECODER_CTX * OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, const char *input_type, @@ -434,33 +765,142 @@ OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, OSSL_LIB_CTX *libctx, const char *propquery) { OSSL_DECODER_CTX *ctx = NULL; - - if ((ctx = OSSL_DECODER_CTX_new()) == NULL) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); + OSSL_PARAM decoder_params[] = { + OSSL_PARAM_END, + OSSL_PARAM_END, + OSSL_PARAM_END + }; + DECODER_CACHE *cache + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_CACHE_INDEX); + DECODER_CACHE_ENTRY cacheent, *res, *newcache = NULL; + int i = 0; + + if (cache == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + return NULL; + } + if (input_structure != NULL) + decoder_params[i++] = + OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_STRUCTURE, + (char *)input_structure, 0); + if (propquery != NULL) + decoder_params[i++] = + OSSL_PARAM_construct_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, + (char *)propquery, 0); + + /* It is safe to cast away the const here */ + cacheent.input_type = (char *)input_type; + cacheent.input_structure = (char *)input_structure; + cacheent.keytype = (char *)keytype; + cacheent.selection = selection; + cacheent.propquery = (char *)propquery; + + if (!CRYPTO_THREAD_read_lock(cache->lock)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); return NULL; } - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) Looking for %s decoders with selection %d\n", - (void *)ctx, keytype, selection); - BIO_printf(trc_out, " input type: %s, input structure: %s\n", - input_type, input_structure); - } OSSL_TRACE_END(DECODER); + /* First see if we have a template OSSL_DECODER_CTX */ + res = lh_DECODER_CACHE_ENTRY_retrieve(cache->hashtable, &cacheent); + + if (res == NULL) { + /* + * There is no template so we will have to construct one. This will be + * time consuming so release the lock and we will later upgrade it to a + * write lock. + */ + CRYPTO_THREAD_unlock(cache->lock); + + if ((ctx = OSSL_DECODER_CTX_new()) == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + return NULL; + } - if (OSSL_DECODER_CTX_set_input_type(ctx, input_type) - && OSSL_DECODER_CTX_set_input_structure(ctx, input_structure) - && OSSL_DECODER_CTX_set_selection(ctx, selection) - && ossl_decoder_ctx_setup_for_pkey(ctx, pkey, keytype, - libctx, propquery) - && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) { OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, "(ctx %p) Got %d decoders\n", - (void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx)); + BIO_printf(trc_out, + "(ctx %p) Looking for %s decoders with selection %d\n", + (void *)ctx, keytype, selection); + BIO_printf(trc_out, " input type: %s, input structure: %s\n", + input_type, input_structure); } OSSL_TRACE_END(DECODER); - return ctx; + + if (OSSL_DECODER_CTX_set_input_type(ctx, input_type) + && OSSL_DECODER_CTX_set_input_structure(ctx, input_structure) + && OSSL_DECODER_CTX_set_selection(ctx, selection) + && ossl_decoder_ctx_setup_for_pkey(ctx, keytype, libctx, propquery) + && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery) + && (propquery == NULL + || OSSL_DECODER_CTX_set_params(ctx, decoder_params))) { + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, "(ctx %p) Got %d decoders\n", + (void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx)); + } OSSL_TRACE_END(DECODER); + } else { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); + OSSL_DECODER_CTX_free(ctx); + return NULL; + } + + newcache = OPENSSL_zalloc(sizeof(*newcache)); + if (newcache == NULL) { + OSSL_DECODER_CTX_free(ctx); + return NULL; + } + + if (input_type != NULL) { + newcache->input_type = OPENSSL_strdup(input_type); + if (newcache->input_type == NULL) + goto err; + } + if (input_structure != NULL) { + newcache->input_structure = OPENSSL_strdup(input_structure); + if (newcache->input_structure == NULL) + goto err; + } + if (keytype != NULL) { + newcache->keytype = OPENSSL_strdup(keytype); + if (newcache->keytype == NULL) + goto err; + } + if (propquery != NULL) { + newcache->propquery = OPENSSL_strdup(propquery); + if (newcache->propquery == NULL) + goto err; + } + newcache->selection = selection; + newcache->template = ctx; + + if (!CRYPTO_THREAD_write_lock(cache->lock)) { + ctx = NULL; + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); + goto err; + } + res = lh_DECODER_CACHE_ENTRY_retrieve(cache->hashtable, &cacheent); + if (res == NULL) { + (void)lh_DECODER_CACHE_ENTRY_insert(cache->hashtable, newcache); + if (lh_DECODER_CACHE_ENTRY_error(cache->hashtable)) { + ctx = NULL; + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_CRYPTO_LIB); + goto err; + } + } else { + /* + * We raced with another thread to construct this and lost. Free + * what we just created and use the entry from the hashtable instead + */ + decoder_cache_entry_free(newcache); + ctx = res->template; + } + } else { + ctx = res->template; } + ctx = ossl_decoder_ctx_for_pkey_dup(ctx, pkey, input_type, input_structure); + CRYPTO_THREAD_unlock(cache->lock); + + return ctx; + err: + decoder_cache_entry_free(newcache); OSSL_DECODER_CTX_free(ctx); return NULL; } |