TLS/SSL and crypto library
Revision | ec0ce188f44b7ab261b1d691e34913b338479b1f (tree) |
---|---|
Zeit | 2020-09-14 03:52:48 |
Autor | Richard Levitte <levitte@open...> |
Commiter | Richard Levitte |
EVP: Centralise fetching error reporting
Instead of sometimes, and sometimes not reporting an error in the
caller of EVP_XXX_fetch(), where the error may or may not be very
accurate, it's now centralised to the inner EVP fetch functionality.
It's made in such a way that it can determine if an error occured
because the algorithm in question is not there, or if something else
went wrong, and will report EVP_R_UNSUPPORTED_ALGORITHM for the
former, and EVP_R_FETCH_FAILED for the latter.
This helps our own test/evp_test.c when it tries to figure out why an
EVP_PKEY it tried to load failed to do so.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12857)
@@ -213,10 +213,8 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) | ||
213 | 213 | #else |
214 | 214 | EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), ""); |
215 | 215 | |
216 | - if (provmd == NULL) { | |
217 | - EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR); | |
216 | + if (provmd == NULL) | |
218 | 217 | return 0; |
219 | - } | |
220 | 218 | type = provmd; |
221 | 219 | EVP_MD_free(ctx->fetched_digest); |
222 | 220 | ctx->fetched_digest = provmd; |
@@ -174,10 +174,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, | ||
174 | 174 | : OBJ_nid2sn(cipher->nid), |
175 | 175 | ""); |
176 | 176 | |
177 | - if (provciph == NULL) { | |
178 | - EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR); | |
177 | + if (provciph == NULL) | |
179 | 178 | return 0; |
180 | - } | |
181 | 179 | cipher = provciph; |
182 | 180 | EVP_CIPHER_free(ctx->fetched_cipher); |
183 | 181 | ctx->fetched_cipher = provciph; |
@@ -47,6 +47,9 @@ struct evp_method_data_st { | ||
47 | 47 | int name_id; /* For get_evp_method_from_store() */ |
48 | 48 | const char *names; /* For get_evp_method_from_store() */ |
49 | 49 | const char *propquery; /* For get_evp_method_from_store() */ |
50 | + | |
51 | + unsigned int flag_construct_error_occured : 1; | |
52 | + | |
50 | 53 | void *(*method_from_dispatch)(int name_id, const OSSL_DISPATCH *, |
51 | 54 | OSSL_PROVIDER *); |
52 | 55 | int (*refcnt_up_method)(void *method); |
@@ -186,11 +189,23 @@ static void *construct_evp_method(const OSSL_ALGORITHM *algodef, | ||
186 | 189 | OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); |
187 | 190 | const char *names = algodef->algorithm_names; |
188 | 191 | int name_id = ossl_namemap_add_names(namemap, 0, names, NAME_SEPARATOR); |
192 | + void *method; | |
189 | 193 | |
190 | 194 | if (name_id == 0) |
191 | 195 | return NULL; |
192 | - return methdata->method_from_dispatch(name_id, algodef->implementation, | |
193 | - prov); | |
196 | + | |
197 | + method = methdata->method_from_dispatch(name_id, algodef->implementation, | |
198 | + prov); | |
199 | + | |
200 | + /* | |
201 | + * Flag to indicate that there was actual construction errors. This | |
202 | + * helps inner_evp_generic_fetch() determine what error it should | |
203 | + * record on inaccessible algorithms. | |
204 | + */ | |
205 | + if (method == NULL) | |
206 | + methdata->flag_construct_error_occured = 1; | |
207 | + | |
208 | + return method; | |
194 | 209 | } |
195 | 210 | |
196 | 211 | static void destruct_evp_method(void *method, void *data) |
@@ -200,6 +215,19 @@ static void destruct_evp_method(void *method, void *data) | ||
200 | 215 | methdata->destruct_method(method); |
201 | 216 | } |
202 | 217 | |
218 | +static const char *libctx_descriptor(OPENSSL_CTX *libctx) | |
219 | +{ | |
220 | +#ifdef FIPS_MODULE | |
221 | + return "FIPS internal library context"; | |
222 | +#else | |
223 | + if (openssl_ctx_is_global_default(libctx)) | |
224 | + return "Global default library context"; | |
225 | + if (openssl_ctx_is_default(libctx)) | |
226 | + return "Thread-local default library context"; | |
227 | + return "Non-default library context"; | |
228 | +#endif | |
229 | +} | |
230 | + | |
203 | 231 | static void * |
204 | 232 | inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, |
205 | 233 | int name_id, const char *name, |
@@ -214,23 +242,30 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, | ||
214 | 242 | OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); |
215 | 243 | uint32_t meth_id = 0; |
216 | 244 | void *method = NULL; |
245 | + int unsupported = 0; | |
217 | 246 | |
218 | - if (store == NULL || namemap == NULL) | |
247 | + if (store == NULL || namemap == NULL) { | |
248 | + ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT); | |
219 | 249 | return NULL; |
250 | + } | |
220 | 251 | |
221 | 252 | /* |
222 | 253 | * If there's ever an operation_id == 0 passed, we have an internal |
223 | 254 | * programming error. |
224 | 255 | */ |
225 | - if (!ossl_assert(operation_id > 0)) | |
256 | + if (!ossl_assert(operation_id > 0)) { | |
257 | + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
226 | 258 | return NULL; |
259 | + } | |
227 | 260 | |
228 | 261 | /* |
229 | 262 | * If we have been passed neither a name_id or a name, we have an |
230 | 263 | * internal programming error. |
231 | 264 | */ |
232 | - if (!ossl_assert(name_id != 0 || name != NULL)) | |
265 | + if (!ossl_assert(name_id != 0 || name != NULL)) { | |
266 | + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
233 | 267 | return NULL; |
268 | + } | |
234 | 269 | |
235 | 270 | /* If we haven't received a name id yet, try to get one for the name */ |
236 | 271 | if (name_id == 0) |
@@ -242,9 +277,19 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, | ||
242 | 277 | * evp_method_id returns 0 if we have too many operations (more than |
243 | 278 | * about 2^8) or too many names (more than about 2^24). In that case, |
244 | 279 | * we can't create any new method. |
280 | + * For all intents and purposes, this is an internal error. | |
245 | 281 | */ |
246 | - if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0) | |
282 | + if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0) { | |
283 | + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
247 | 284 | return NULL; |
285 | + } | |
286 | + | |
287 | + /* | |
288 | + * If we haven't found the name yet, chances are that the algorithm to | |
289 | + * be fetched is unsupported. | |
290 | + */ | |
291 | + if (name_id == 0) | |
292 | + unsupported = 1; | |
248 | 293 | |
249 | 294 | if (meth_id == 0 |
250 | 295 | || !ossl_method_store_cache_get(store, meth_id, properties, &method)) { |
@@ -267,6 +312,7 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, | ||
267 | 312 | mcmdata.method_from_dispatch = new_method; |
268 | 313 | mcmdata.refcnt_up_method = up_ref_method; |
269 | 314 | mcmdata.destruct_method = free_method; |
315 | + mcmdata.flag_construct_error_occured = 0; | |
270 | 316 | if ((method = ossl_method_construct(libctx, operation_id, |
271 | 317 | 0 /* !force_cache */, |
272 | 318 | &mcm, &mcmdata)) != NULL) { |
@@ -282,21 +328,29 @@ inner_evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, | ||
282 | 328 | ossl_method_store_cache_set(store, meth_id, properties, method, |
283 | 329 | up_ref_method, free_method); |
284 | 330 | } |
331 | + | |
332 | + /* | |
333 | + * If we never were in the constructor, the algorithm to be fetched | |
334 | + * is unsupported. | |
335 | + */ | |
336 | + unsupported = !mcmdata.flag_construct_error_occured; | |
285 | 337 | } |
286 | 338 | |
287 | - return method; | |
288 | -} | |
339 | + if (method == NULL) { | |
340 | + int code = | |
341 | + unsupported ? EVP_R_UNSUPPORTED_ALGORITHM : EVP_R_FETCH_FAILED; | |
289 | 342 | |
290 | -#ifndef FIPS_MODULE | |
291 | -static const char *libctx_descriptor(OPENSSL_CTX *libctx) | |
292 | -{ | |
293 | - if (openssl_ctx_is_global_default(libctx)) | |
294 | - return "Global default library context"; | |
295 | - if (openssl_ctx_is_default(libctx)) | |
296 | - return "Thread-local default library context"; | |
297 | - return "Non-default library context"; | |
343 | + if (name == NULL) | |
344 | + name = ossl_namemap_num2name(namemap, name_id, 0); | |
345 | + ERR_raise_data(ERR_LIB_EVP, code, | |
346 | + "%s, Algorithm (%s : %d), Properties (%s)", | |
347 | + libctx_descriptor(libctx), | |
348 | + name = NULL ? "<null>" : name, name_id, | |
349 | + properties == NULL ? "<null>" : properties); | |
350 | + } | |
351 | + | |
352 | + return method; | |
298 | 353 | } |
299 | -#endif | |
300 | 354 | |
301 | 355 | void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, |
302 | 356 | const char *name, const char *properties, |
@@ -306,24 +360,9 @@ void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, | ||
306 | 360 | int (*up_ref_method)(void *), |
307 | 361 | void (*free_method)(void *)) |
308 | 362 | { |
309 | - void *ret = inner_evp_generic_fetch(libctx, | |
310 | - operation_id, 0, name, properties, | |
311 | - new_method, up_ref_method, free_method); | |
312 | - | |
313 | - if (ret == NULL) { | |
314 | - int code = EVP_R_FETCH_FAILED; | |
315 | - | |
316 | -#ifdef FIPS_MODULE | |
317 | - ERR_raise(ERR_LIB_EVP, code); | |
318 | -#else | |
319 | - ERR_raise_data(ERR_LIB_EVP, code, | |
320 | - "%s, Algorithm (%s), Properties (%s)", | |
321 | - libctx_descriptor(libctx), | |
322 | - name = NULL ? "<null>" : name, | |
323 | - properties == NULL ? "<null>" : properties); | |
324 | -#endif | |
325 | - } | |
326 | - return ret; | |
363 | + return inner_evp_generic_fetch(libctx, | |
364 | + operation_id, 0, name, properties, | |
365 | + new_method, up_ref_method, free_method); | |
327 | 366 | } |
328 | 367 | |
329 | 368 | /* |
@@ -341,32 +380,10 @@ void *evp_generic_fetch_by_number(OPENSSL_CTX *libctx, int operation_id, | ||
341 | 380 | int (*up_ref_method)(void *), |
342 | 381 | void (*free_method)(void *)) |
343 | 382 | { |
344 | - void *ret = inner_evp_generic_fetch(libctx, | |
345 | - operation_id, name_id, NULL, | |
346 | - properties, new_method, up_ref_method, | |
347 | - free_method); | |
348 | - | |
349 | - if (ret == NULL) { | |
350 | - int code = EVP_R_FETCH_FAILED; | |
351 | - | |
352 | -#ifdef FIPS_MODULE | |
353 | - ERR_raise(ERR_LIB_EVP, code); | |
354 | -#else | |
355 | - { | |
356 | - OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); | |
357 | - const char *name = (namemap == NULL) | |
358 | - ? NULL | |
359 | - : ossl_namemap_num2name(namemap, name_id, 0); | |
360 | - | |
361 | - ERR_raise_data(ERR_LIB_EVP, code, | |
362 | - "%s, Algorithm (%s), Properties (%s)", | |
363 | - libctx_descriptor(libctx), | |
364 | - name = NULL ? "<null>" : name, | |
365 | - properties == NULL ? "<null>" : properties); | |
366 | - } | |
367 | -#endif | |
368 | - } | |
369 | - return ret; | |
383 | + return inner_evp_generic_fetch(libctx, | |
384 | + operation_id, name_id, NULL, | |
385 | + properties, new_method, up_ref_method, | |
386 | + free_method); | |
370 | 387 | } |
371 | 388 | |
372 | 389 | void evp_method_store_flush(OPENSSL_CTX *libctx) |
@@ -3254,8 +3254,7 @@ static int key_unsupported(void) | ||
3254 | 3254 | long err = ERR_peek_last_error(); |
3255 | 3255 | |
3256 | 3256 | if (ERR_GET_LIB(err) == ERR_LIB_EVP |
3257 | - && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM | |
3258 | - || ERR_GET_REASON(err) == EVP_R_FETCH_FAILED)) { | |
3257 | + && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM)) { | |
3259 | 3258 | ERR_clear_error(); |
3260 | 3259 | return 1; |
3261 | 3260 | } |