[openssl] master update
Richard Levitte
levitte at openssl.org
Fri Apr 30 09:15:11 UTC 2021
The branch master has been updated
via c230e938c75c7c2d24b5d1d322a34ec369d92696 (commit)
via e73fc81345ae2cdcc4be55768345d8a00fed6453 (commit)
from 38230e30118e434ca1c41d05d03fe2c41042d97d (commit)
- Log -----------------------------------------------------------------
commit c230e938c75c7c2d24b5d1d322a34ec369d92696
Author: Richard Levitte <levitte at openssl.org>
Date: Wed Apr 28 21:28:11 2021 +0200
CORE: Rework the pre-population of the namemap
The pre-population of names has become more thorough.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
commit e73fc81345ae2cdcc4be55768345d8a00fed6453
Author: Richard Levitte <levitte at openssl.org>
Date: Wed Apr 28 11:02:36 2021 +0200
STORE: Use the 'expect' param to limit the amount of decoders used
In the provider file: scheme loader implementation, the OSSL_DECODER_CTX
was set up with all sorts of implementations, even if the caller has
declared a limited expectation on what should be loaded, which means
that even though a certificate is expected, all the diverse decoders
to produce an EVP_PKEY are added to the decoding change.
This optimization looks more closely at the expected type, and only
adds the EVP_PKEY related decoder implementations to the chain if
there is no expectation, or if the expectation is one of
OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
-----------------------------------------------------------------------
Summary of changes:
crypto/core_namemap.c | 71 +++++++++++-------------
providers/implementations/storemgmt/file_store.c | 14 +++--
2 files changed, 41 insertions(+), 44 deletions(-)
diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
index daf22c3af2..1009fb1e94 100644
--- a/crypto/core_namemap.c
+++ b/crypto/core_namemap.c
@@ -379,66 +379,62 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number,
#include <openssl/evp.h>
/* Creates an initial namemap with names found in the legacy method db */
-static void get_legacy_evp_names(const char *name, const char *desc,
- const ASN1_OBJECT *obj, void *arg)
+static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name,
+ void *arg)
{
- int num = ossl_namemap_add_name(arg, 0, name);
+ int num = 0;
+ ASN1_OBJECT *obj;
- /*
- * We currently treat the description ("long name" in OBJ speak) as an
- * alias.
- */
-
- /*
- * We could check that the returned value is the same as id, but since
- * this is a void function, there's no sane way to report the error.
- * The best we can do is trust ourselve to keep the legacy method
- * database conflict free.
- *
- * This registers any alias with the same number as the main name.
- * Should it be that the current |on| *has* the main name, this is
- * simply a no-op.
- */
- if (desc != NULL) {
- (void)ossl_namemap_add_name(arg, num, desc);
+ if (base_nid != NID_undef) {
+ num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid));
+ num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid));
}
- if (obj != NULL) {
- char txtoid[OSSL_MAX_NAME_SIZE];
+ if (nid != NID_undef) {
+ num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid));
+ num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid));
+ if ((obj = OBJ_nid2obj(nid)) != NULL) {
+ char txtoid[OSSL_MAX_NAME_SIZE];
- if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1))
- (void)ossl_namemap_add_name(arg, num, txtoid);
+ if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1))
+ num = ossl_namemap_add_name(arg, num, txtoid);
+ }
}
+ if (pem_name != NULL)
+ num = ossl_namemap_add_name(arg, num, pem_name);
}
static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
{
const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
- int nid = EVP_CIPHER_type(cipher);
- get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid),
- arg);
+ get_legacy_evp_names(NID_undef, EVP_CIPHER_type(cipher), NULL, arg);
}
static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
{
const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
- int nid = EVP_MD_type(md);
- get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid),
- arg);
+ get_legacy_evp_names(0, EVP_MD_type(md), NULL, arg);
}
static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
void *arg)
{
int nid = 0, base_nid = 0, flags = 0;
+ const char *pem_name = NULL;
- EVP_PKEY_asn1_get0_info(&nid, &base_nid, &flags, NULL, NULL, ameth);
+ EVP_PKEY_asn1_get0_info(&nid, &base_nid, &flags, NULL, &pem_name, ameth);
if (nid != NID_undef) {
if ((flags & ASN1_PKEY_ALIAS) == 0) {
- get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid),
- OBJ_nid2obj(nid), arg);
+ switch (nid) {
+ case EVP_PKEY_DHX:
+ /* We know that the name "DHX" is used too */
+ get_legacy_evp_names(0, nid, "DHX", arg);
+ /* FALLTHRU */
+ default:
+ get_legacy_evp_names(0, nid, pem_name, arg);
+ }
} else {
/*
* Treat aliases carefully, some of them are undesirable, or
@@ -447,20 +443,15 @@ static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
switch (nid) {
case EVP_PKEY_SM2:
- case EVP_PKEY_DHX:
/*
* SM2 is a separate keytype with providers, not an alias for
* EC.
- * DHX is a separate keytype with providers, not an alias for
- * DH.
*/
- get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid),
- OBJ_nid2obj(nid), arg);
+ get_legacy_evp_names(0, nid, pem_name, arg);
break;
default:
/* Use the short name of the base nid as the common reference */
- get_legacy_evp_names(OBJ_nid2sn(base_nid), OBJ_nid2ln(nid),
- OBJ_nid2obj(nid), arg);
+ get_legacy_evp_names(base_nid, nid, pem_name, arg);
}
}
}
diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c
index 37f2fcee67..033efb40ac 100644
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -415,7 +415,7 @@ static int file_setup_decoders(struct file_ctx_st *ctx)
OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
OSSL_DECODER_CLEANUP *old_cleanup = NULL;
void *old_construct_data = NULL;
- int ok = 0;
+ int ok = 0, expect_evp_pkey = 0;
/* Setup for this session, so only if not already done */
if (ctx->_.file.decoderctx == NULL) {
@@ -424,6 +424,11 @@ static int file_setup_decoders(struct file_ctx_st *ctx)
goto err;
}
+ expect_evp_pkey = (ctx->expected_type == 0
+ || ctx->expected_type == OSSL_STORE_INFO_PARAMS
+ || ctx->expected_type == OSSL_STORE_INFO_PUBKEY
+ || ctx->expected_type == OSSL_STORE_INFO_PKEY);
+
/* Make sure the input type is set */
if (!OSSL_DECODER_CTX_set_input_type(ctx->_.file.decoderctx,
ctx->_.file.input_type)) {
@@ -462,9 +467,10 @@ static int file_setup_decoders(struct file_ctx_st *ctx)
* Since we're setting up our own constructor, we don't need to care
* more than that...
*/
- if (!ossl_decoder_ctx_setup_for_pkey(ctx->_.file.decoderctx,
- &dummy, NULL,
- libctx, ctx->_.file.propq)
+ if ((expect_evp_pkey
+ && !ossl_decoder_ctx_setup_for_pkey(ctx->_.file.decoderctx,
+ &dummy, NULL,
+ libctx, ctx->_.file.propq))
|| !OSSL_DECODER_CTX_add_extra(ctx->_.file.decoderctx,
libctx, ctx->_.file.propq)) {
ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
More information about the openssl-commits
mailing list