provider_conf.c@ 107935

Last change on this file since 107935 was 104078, checked in by vboxsync, 11 months ago
openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638
File size: 11.7 KB

Line
1	/*
2	* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <string.h>
11	#include <openssl/trace.h>
12	#include <openssl/err.h>
13	#include <openssl/conf.h>
14	#include <openssl/safestack.h>
15	#include <openssl/provider.h>
16	#include "internal/provider.h"
17	#include "internal/cryptlib.h"
18	#include "provider_local.h"
19	#include "crypto/context.h"
20
21	DEFINE_STACK_OF(OSSL_PROVIDER)
22
23	/* PROVIDER config module */
24
25	typedef struct {
26	CRYPTO_RWLOCK *lock;
27	STACK_OF(OSSL_PROVIDER) *activated_providers;
28	} PROVIDER_CONF_GLOBAL;
29
30	void ossl_prov_conf_ctx_new(OSSL_LIB_CTX libctx)
31	{
32	PROVIDER_CONF_GLOBAL pcgbl = OPENSSL_zalloc(sizeof(pcgbl));
33
34	if (pcgbl == NULL)
35	return NULL;
36
37	pcgbl->lock = CRYPTO_THREAD_lock_new();
38	if (pcgbl->lock == NULL) {
39	OPENSSL_free(pcgbl);
40	return NULL;
41	}
42
43	return pcgbl;
44	}
45
46	void ossl_prov_conf_ctx_free(void *vpcgbl)
47	{
48	PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl;
49
50	sk_OSSL_PROVIDER_pop_free(pcgbl->activated_providers,
51	ossl_provider_free);
52
53	OSSL_TRACE(CONF, "Cleaned up providers\n");
54	CRYPTO_THREAD_lock_free(pcgbl->lock);
55	OPENSSL_free(pcgbl);
56	}
57
58	static const char skip_dot(const char name)
59	{
60	const char *p = strchr(name, '.');
61
62	if (p != NULL)
63	return p + 1;
64	return name;
65	}
66
67	/*
68	* Parse the provider params section
69	* Returns:
70	* 1 for success
71	* 0 for non-fatal errors
72	* < 0 for fatal errors
73	*/
74	static int provider_conf_params_internal(OSSL_PROVIDER *prov,
75	OSSL_PROVIDER_INFO *provinfo,
76	const char name, const char value,
77	const CONF *cnf,
78	STACK_OF(OPENSSL_CSTRING) *visited)
79	{
80	STACK_OF(CONF_VALUE) *sect;
81	int ok = 1;
82	int rc = 0;
83
84	sect = NCONF_get_section(cnf, value);
85	if (sect != NULL) {
86	int i;
87	char buffer[512];
88	size_t buffer_len = 0;
89
90	OSSL_TRACE1(CONF, "Provider params: start section %s\n", value);
91
92	/*
93	* Check to see if the provided section value has already
94	* been visited. If it has, then we have a recursive lookup
95	* in the configuration which isn't valid. As such we should error
96	* out
97	*/
98	for (i = 0; i < sk_OPENSSL_CSTRING_num(visited); i++) {
99	if (sk_OPENSSL_CSTRING_value(visited, i) == value) {
100	ERR_raise(ERR_LIB_CONF, CONF_R_RECURSIVE_SECTION_REFERENCE);
101	return -1;
102	}
103	}
104
105	/*
106	* We've not visited this node yet, so record it on the stack
107	*/
108	if (!sk_OPENSSL_CSTRING_push(visited, value))
109	return -1;
110
111	if (name != NULL) {
112	OPENSSL_strlcpy(buffer, name, sizeof(buffer));
113	OPENSSL_strlcat(buffer, ".", sizeof(buffer));
114	buffer_len = strlen(buffer);
115	}
116
117	for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
118	CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i);
119
120	if (buffer_len + strlen(sectconf->name) >= sizeof(buffer)) {
121	sk_OPENSSL_CSTRING_pop(visited);
122	return -1;
123	}
124	buffer[buffer_len] = '\0';
125	OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer));
126	rc = provider_conf_params_internal(prov, provinfo, buffer,
127	sectconf->value, cnf, visited);
128	if (rc < 0) {
129	sk_OPENSSL_CSTRING_pop(visited);
130	return rc;
131	}
132	}
133	sk_OPENSSL_CSTRING_pop(visited);
134
135	OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value);
136	} else {
137	OSSL_TRACE2(CONF, "Provider params: %s = %s\n", name, value);
138	if (prov != NULL)
139	ok = ossl_provider_add_parameter(prov, name, value);
140	else
141	ok = ossl_provider_info_add_parameter(provinfo, name, value);
142	}
143
144	return ok;
145	}
146
147	/*
148	* recursively parse the provider configuration section
149	* of the config file.
150	* Returns
151	* 1 on success
152	* 0 on non-fatal error
153	* < 0 on fatal errors
154	*/
155	static int provider_conf_params(OSSL_PROVIDER *prov,
156	OSSL_PROVIDER_INFO *provinfo,
157	const char name, const char value,
158	const CONF *cnf)
159	{
160	int rc;
161	STACK_OF(OPENSSL_CSTRING) *visited = sk_OPENSSL_CSTRING_new_null();
162
163	if (visited == NULL)
164	return -1;
165
166	rc = provider_conf_params_internal(prov, provinfo, name,
167	value, cnf, visited);
168
169	sk_OPENSSL_CSTRING_free(visited);
170
171	return rc;
172	}
173
174	static int prov_already_activated(const char *name,
175	STACK_OF(OSSL_PROVIDER) *activated)
176	{
177	int i, max;
178
179	if (activated == NULL)
180	return 0;
181
182	max = sk_OSSL_PROVIDER_num(activated);
183	for (i = 0; i < max; i++) {
184	OSSL_PROVIDER *tstprov = sk_OSSL_PROVIDER_value(activated, i);
185
186	if (strcmp(OSSL_PROVIDER_get0_name(tstprov), name) == 0) {
187	return 1;
188	}
189	}
190
191	return 0;
192	}
193
194	/*
195	* Attempt to activate a provider
196	* Returns:
197	* 1 on successful activation
198	* 0 on failed activation for non-fatal error
199	* < 0 on failed activation for fatal errors
200	*/
201	static int provider_conf_activate(OSSL_LIB_CTX libctx, const char name,
202	const char value, const char path,
203	int soft, const CONF *cnf)
204	{
205	PROVIDER_CONF_GLOBAL *pcgbl
206	= ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX);
207	OSSL_PROVIDER prov = NULL, actual = NULL;
208	int ok = 0;
209
210	if (pcgbl == NULL \|\| !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
211	ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
212	return -1;
213	}
214	if (!prov_already_activated(name, pcgbl->activated_providers)) {
215	/*
216	* There is an attempt to activate a provider, so we should disable
217	* loading of fallbacks. Otherwise a misconfiguration could mean the
218	* intended provider does not get loaded. Subsequent fetches could
219	* then fallback to the default provider - which may be the wrong
220	* thing.
221	*/
222	if (!ossl_provider_disable_fallback_loading(libctx)) {
223	CRYPTO_THREAD_unlock(pcgbl->lock);
224	ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
225	return -1;
226	}
227	prov = ossl_provider_find(libctx, name, 1);
228	if (prov == NULL)
229	prov = ossl_provider_new(libctx, name, NULL, 1);
230	if (prov == NULL) {
231	CRYPTO_THREAD_unlock(pcgbl->lock);
232	if (soft)
233	ERR_clear_error();
234	return (soft == 0) ? -1 : 0;
235	}
236
237	if (path != NULL)
238	ossl_provider_set_module_path(prov, path);
239
240	ok = provider_conf_params(prov, NULL, NULL, value, cnf);
241
242	if (ok == 1) {
243	if (!ossl_provider_activate(prov, 1, 0)) {
244	ok = 0;
245	} else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
246	ossl_provider_deactivate(prov, 1);
247	ok = 0;
248	} else if (actual != prov
249	&& !ossl_provider_activate(actual, 1, 0)) {
250	ossl_provider_free(actual);
251	ok = 0;
252	} else {
253	if (pcgbl->activated_providers == NULL)
254	pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
255	if (pcgbl->activated_providers == NULL
256	\|\| !sk_OSSL_PROVIDER_push(pcgbl->activated_providers,
257	actual)) {
258	ossl_provider_deactivate(actual, 1);
259	ossl_provider_free(actual);
260	ok = 0;
261	} else {
262	ok = 1;
263	}
264	}
265	}
266
267	if (ok <= 0)
268	ossl_provider_free(prov);
269	}
270	CRYPTO_THREAD_unlock(pcgbl->lock);
271
272	return ok;
273	}
274
275	static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,
276	const char value, const CONF cnf)
277	{
278	int i;
279	STACK_OF(CONF_VALUE) *ecmds;
280	int soft = 0;
281	const char *path = NULL;
282	long activate = 0;
283	int ok = 0;
284	int added = 0;
285
286	name = skip_dot(name);
287	OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
288	/* Value is a section containing PROVIDER commands */
289	ecmds = NCONF_get_section(cnf, value);
290
291	if (!ecmds) {
292	ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
293	"section=%s not found", value);
294	return 0;
295	}
296
297	/* Find the needed data first */
298	for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
299	CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
300	const char *confname = skip_dot(ecmd->name);
301	const char *confvalue = ecmd->value;
302
303	OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
304	confname, confvalue);
305
306	/* First handle some special pseudo confs */
307
308	/* Override provider name to use */
309	if (strcmp(confname, "identity") == 0)
310	name = confvalue;
311	else if (strcmp(confname, "soft_load") == 0)
312	soft = 1;
313	/* Load a dynamic PROVIDER */
314	else if (strcmp(confname, "module") == 0)
315	path = confvalue;
316	else if (strcmp(confname, "activate") == 0)
317	activate = 1;
318	}
319
320	if (activate) {
321	ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
322	} else {
323	OSSL_PROVIDER_INFO entry;
324
325	memset(&entry, 0, sizeof(entry));
326	ok = 1;
327	if (name != NULL) {
328	entry.name = OPENSSL_strdup(name);
329	if (entry.name == NULL) {
330	ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
331	ok = 0;
332	}
333	}
334	if (ok && path != NULL) {
335	entry.path = OPENSSL_strdup(path);
336	if (entry.path == NULL) {
337	ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
338	ok = 0;
339	}
340	}
341	if (ok)
342	ok = provider_conf_params(NULL, &entry, NULL, value, cnf);
343	if (ok >= 1 && (entry.path != NULL \|\| entry.parameters != NULL)) {
344	ok = ossl_provider_info_add_to_store(libctx, &entry);
345	added = 1;
346	}
347	if (added == 0)
348	ossl_provider_info_clear(&entry);
349	}
350
351	/*
352	* Provider activation returns a tristate:
353	* 1 for successful activation
354	* 0 for non-fatal activation failure
355	* < 0 for fatal activation failure
356	* We return success (1) for activation, (1) for non-fatal activation
357	* failure, and (0) for fatal activation failure
358	*/
359	return ok >= 0;
360	}
361
362	static int provider_conf_init(CONF_IMODULE md, const CONF cnf)
363	{
364	STACK_OF(CONF_VALUE) *elist;
365	CONF_VALUE *cval;
366	int i;
367
368	OSSL_TRACE1(CONF, "Loading providers module: section %s\n",
369	CONF_imodule_get_value(md));
370
371	/* Value is a section containing PROVIDERs to configure */
372	elist = NCONF_get_section(cnf, CONF_imodule_get_value(md));
373
374	if (!elist) {
375	ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR);
376	return 0;
377	}
378
379	for (i = 0; i < sk_CONF_VALUE_num(elist); i++) {
380	cval = sk_CONF_VALUE_value(elist, i);
381	if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf),
382	cval->name, cval->value, cnf))
383	return 0;
384	}
385
386	return 1;
387	}
388
389	void ossl_provider_add_conf_module(void)
390	{
391	OSSL_TRACE(CONF, "Adding config module 'providers'\n");
392	CONF_module_add("providers", provider_conf_init, NULL);
393	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.1.7/crypto/provider_conf.c@ 107935

Download in other formats: