]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/provider_conf.c
projects / thirdparty / openssl.git / blob
? search:


d8454b7941c4cf08288d845757ea5a01885d3554
[thirdparty/openssl.git] / crypto / provider_conf.c
1 /*
2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <openssl/trace.h>
12 #include <openssl/err.h>
13 #include <openssl/conf.h>
14 #include <openssl/safestack.h>
15 #include <openssl/provider.h>
16 #include "internal/provider.h"
17 #include "internal/cryptlib.h"
18 #include "provider_local.h"
19 #include "crypto/context.h"
20
21 DEFINE_STACK_OF(OSSL_PROVIDER)
22
23 /* PROVIDER config module */
24
25 typedef struct {
26 CRYPTO_RWLOCK *lock;
27 STACK_OF(OSSL_PROVIDER) *activated_providers;
28 } PROVIDER_CONF_GLOBAL;
29
30 void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *libctx)
31 {
32 PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl));
33
34 if (pcgbl == NULL)
35 return NULL;
36
37 pcgbl->lock = CRYPTO_THREAD_lock_new();
38 if (pcgbl->lock == NULL) {
39 OPENSSL_free(pcgbl);
40 return NULL;
41 }
42
43 return pcgbl;
44 }
45
46 void ossl_prov_conf_ctx_free(void *vpcgbl)
47 {
48 PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl;
49
50 sk_OSSL_PROVIDER_pop_free(pcgbl->activated_providers,
51 ossl_provider_free);
52
53 OSSL_TRACE(CONF, "Cleaned up providers\n");
54 CRYPTO_THREAD_lock_free(pcgbl->lock);
55 OPENSSL_free(pcgbl);
56 }
57
58 static const char *skip_dot(const char *name)
59 {
60 const char *p = strchr(name, '.');
61
62 if (p != NULL)
63 return p + 1;
64 return name;
65 }
66
67 static int provider_conf_params(OSSL_PROVIDER *prov,
68 OSSL_PROVIDER_INFO *provinfo,
69 const char *name, const char *value,
70 const CONF *cnf)
71 {
72 STACK_OF(CONF_VALUE) *sect;
73 int ok = 1;
74
75 sect = NCONF_get_section(cnf, value);
76 if (sect != NULL) {
77 int i;
78 char buffer[512];
79 size_t buffer_len = 0;
80
81 OSSL_TRACE1(CONF, "Provider params: start section %s\n", value);
82
83 if (name != NULL) {
84 OPENSSL_strlcpy(buffer, name, sizeof(buffer));
85 OPENSSL_strlcat(buffer, ".", sizeof(buffer));
86 buffer_len = strlen(buffer);
87 }
88
89 for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
90 CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i);
91
92 if (buffer_len + strlen(sectconf->name) >= sizeof(buffer))
93 return 0;
94 buffer[buffer_len] = '\0';
95 OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer));
96 if (!provider_conf_params(prov, provinfo, buffer, sectconf->value,
97 cnf))
98 return 0;
99 }
100
101 OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value);
102 } else {
103 OSSL_TRACE2(CONF, "Provider params: %s = %s\n", name, value);
104 if (prov != NULL)
105 ok = ossl_provider_add_parameter(prov, name, value);
106 else
107 ok = ossl_provider_info_add_parameter(provinfo, name, value);
108 }
109
110 return ok;
111 }
112
113 static int prov_already_activated(const char *name,
114 STACK_OF(OSSL_PROVIDER) *activated)
115 {
116 int i, max;
117
118 if (activated == NULL)
119 return 0;
120
121 max = sk_OSSL_PROVIDER_num(activated);
122 for (i = 0; i < max; i++) {
123 OSSL_PROVIDER *tstprov = sk_OSSL_PROVIDER_value(activated, i);
124
125 if (strcmp(OSSL_PROVIDER_get0_name(tstprov), name) == 0) {
126 return 1;
127 }
128 }
129
130 return 0;
131 }
132
133 static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
134 const char *value, const char *path,
135 int soft, const CONF *cnf)
136 {
137 PROVIDER_CONF_GLOBAL *pcgbl
138 = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX);
139 OSSL_PROVIDER *prov = NULL, *actual = NULL;
140 int ok = 0;
141
142 if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
143 ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
144 return 0;
145 }
146 if (!prov_already_activated(name, pcgbl->activated_providers)) {
147 /*
148 * There is an attempt to activate a provider, so we should disable
149 * loading of fallbacks. Otherwise a misconfiguration could mean the
150 * intended provider does not get loaded. Subsequent fetches could
151 * then fallback to the default provider - which may be the wrong
152 * thing.
153 */
154 if (!ossl_provider_disable_fallback_loading(libctx)) {
155 CRYPTO_THREAD_unlock(pcgbl->lock);
156 ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
157 return 0;
158 }
159 prov = ossl_provider_find(libctx, name, 1);
160 if (prov == NULL)
161 prov = ossl_provider_new(libctx, name, NULL, NULL, 1);
162 if (prov == NULL) {
163 CRYPTO_THREAD_unlock(pcgbl->lock);
164 if (soft)
165 ERR_clear_error();
166 return 0;
167 }
168
169 if (path != NULL)
170 ossl_provider_set_module_path(prov, path);
171
172 ok = provider_conf_params(prov, NULL, NULL, value, cnf);
173
174 if (ok) {
175 if (!ossl_provider_activate(prov, 1, 0)) {
176 ok = 0;
177 } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
178 ossl_provider_deactivate(prov, 1);
179 ok = 0;
180 } else if (actual != prov
181 && !ossl_provider_activate(actual, 1, 0)) {
182 ossl_provider_free(actual);
183 ok = 0;
184 } else {
185 if (pcgbl->activated_providers == NULL)
186 pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
187 if (pcgbl->activated_providers == NULL
188 || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers,
189 actual)) {
190 ossl_provider_deactivate(actual, 1);
191 ossl_provider_free(actual);
192 ok = 0;
193 } else {
194 ok = 1;
195 }
196 }
197 }
198 if (!ok)
199 ossl_provider_free(prov);
200 }
201 CRYPTO_THREAD_unlock(pcgbl->lock);
202
203 return ok;
204 }
205
206 static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
207 const char *value, const CONF *cnf)
208 {
209 int i;
210 STACK_OF(CONF_VALUE) *ecmds;
211 int soft = 0;
212 const char *path = NULL;
213 long activate = 0;
214 int ok = 0;
215
216 name = skip_dot(name);
217 OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
218 /* Value is a section containing PROVIDER commands */
219 ecmds = NCONF_get_section(cnf, value);
220
221 if (!ecmds) {
222 ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
223 "section=%s not found", value);
224 return 0;
225 }
226
227 /* Find the needed data first */
228 for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
229 CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
230 const char *confname = skip_dot(ecmd->name);
231 const char *confvalue = ecmd->value;
232
233 OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
234 confname, confvalue);
235
236 /* First handle some special pseudo confs */
237
238 /* Override provider name to use */
239 if (strcmp(confname, "identity") == 0) {
240 name = confvalue;
241 } else if (strcmp(confname, "soft_load") == 0) {
242 soft = 1;
243 /* Load a dynamic PROVIDER */
244 } else if (strcmp(confname, "module") == 0) {
245 path = confvalue;
246 } else if (strcmp(confname, "activate") == 0) {
247 if (confvalue == NULL) {
248 ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
249 "section=%s activate set to unrecognized value",
250 value);
251 return 0;
252 }
253 if ((strcmp(confvalue, "1") == 0)
254 || (strcmp(confvalue, "yes") == 0)
255 || (strcmp(confvalue, "YES") == 0)
256 || (strcmp(confvalue, "true") == 0)
257 || (strcmp(confvalue, "TRUE") == 0)
258 || (strcmp(confvalue, "on") == 0)
259 || (strcmp(confvalue, "ON") == 0)) {
260 activate = 1;
261 } else if ((strcmp(confvalue, "0") == 0)
262 || (strcmp(confvalue, "no") == 0)
263 || (strcmp(confvalue, "NO") == 0)
264 || (strcmp(confvalue, "false") == 0)
265 || (strcmp(confvalue, "FALSE") == 0)
266 || (strcmp(confvalue, "off") == 0)
267 || (strcmp(confvalue, "OFF") == 0)) {
268 activate = 0;
269 } else {
270 ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
271 "section=%s activate set to unrecognized value",
272 value);
273 return 0;
274 }
275 }
276 }
277
278 if (activate) {
279 ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
280 } else {
281 OSSL_PROVIDER_INFO entry;
282
283 memset(&entry, 0, sizeof(entry));
284 ok = 1;
285 if (name != NULL) {
286 entry.name = OPENSSL_strdup(name);
287 if (entry.name == NULL)
288 ok = 0;
289 }
290 if (ok && path != NULL) {
291 entry.path = OPENSSL_strdup(path);
292 if (entry.path == NULL)
293 ok = 0;
294 }
295 if (ok)
296 ok = provider_conf_params(NULL, &entry, NULL, value, cnf);
297 if (ok && (entry.path != NULL || entry.parameters != NULL))
298 ok = ossl_provider_info_add_to_store(libctx, &entry);
299 if (!ok || (entry.path == NULL && entry.parameters == NULL)) {
300 ossl_provider_info_clear(&entry);
301 }
302
303 }
304
305 /*
306 * Even if ok is 0, we still return success. Failure to load a provider is
307 * not fatal. We want to continue to load the rest of the config file.
308 */
309 return 1;
310 }
311
312 static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
313 {
314 STACK_OF(CONF_VALUE) *elist;
315 CONF_VALUE *cval;
316 int i;
317
318 OSSL_TRACE1(CONF, "Loading providers module: section %s\n",
319 CONF_imodule_get_value(md));
320
321 /* Value is a section containing PROVIDERs to configure */
322 elist = NCONF_get_section(cnf, CONF_imodule_get_value(md));
323
324 if (!elist) {
325 ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR);
326 return 0;
327 }
328
329 for (i = 0; i < sk_CONF_VALUE_num(elist); i++) {
330 cval = sk_CONF_VALUE_value(elist, i);
331 if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf),
332 cval->name, cval->value, cnf))
333 return 0;
334 }
335
336 return 1;
337 }
338
339 void ossl_provider_add_conf_module(void)
340 {
341 OSSL_TRACE(CONF, "Adding config module 'providers'\n");
342 CONF_module_add("providers", provider_conf_init, NULL);
343 }
A mirror of the official openssl repository