If a malformed config file is provided such as the following:
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
= provider_sect
The config parsing library will crash overflowing the stack, as it
recursively parses the same provider_sect ad nauseum.
Prevent this by maintaing a list of visited nodes as we recurse through
referenced sections, and erroring out in the event we visit any given
section node more than once.
Note, adding the test for this revealed that our diagnostic code
inadvertently pops recorded errors off the error stack because
provider_conf_load returns success even in the event that a
configuration parse failed. The call path to provider_conf_load has been
updated in this commit to address that shortcoming, allowing recorded
errors to be visibile to calling applications.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22898)
/*
* Generated by util/mkerr.pl DO NOT EDIT
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
"openssl conf references missing section"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
"recursive directory include"},
"openssl conf references missing section"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
"recursive directory include"},
+ {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_SECTION_REFERENCE),
+ "recursive section reference"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RELATIVE_PATH), "relative path"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_EMPTY),
"ssl command section empty"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RELATIVE_PATH), "relative path"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_EMPTY),
"ssl command section empty"},
CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION:124:\
openssl conf references missing section
CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION:124:\
openssl conf references missing section
CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
+CONF_R_RECURSIVE_SECTION_REFERENCE:126:recursive section reference
CONF_R_RELATIVE_PATH:125:relative path
CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
CONF_R_RELATIVE_PATH:125:relative path
CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
-static int provider_conf_params(OSSL_PROVIDER *prov,
- OSSL_PROVIDER_INFO *provinfo,
- const char *name, const char *value,
- const CONF *cnf)
+/*
+ * Parse the provider params section
+ * Returns:
+ * 1 for success
+ * 0 for non-fatal errors
+ * < 0 for fatal errors
+ */
+static int provider_conf_params_internal(OSSL_PROVIDER *prov,
+ OSSL_PROVIDER_INFO *provinfo,
+ const char *name, const char *value,
+ const CONF *cnf,
+ STACK_OF(OPENSSL_CSTRING) *visited)
{
STACK_OF(CONF_VALUE) *sect;
int ok = 1;
{
STACK_OF(CONF_VALUE) *sect;
int ok = 1;
sect = NCONF_get_section(cnf, value);
if (sect != NULL) {
sect = NCONF_get_section(cnf, value);
if (sect != NULL) {
OSSL_TRACE1(CONF, "Provider params: start section %s\n", value);
OSSL_TRACE1(CONF, "Provider params: start section %s\n", value);
+ /*
+ * Check to see if the provided section value has already
+ * been visited. If it has, then we have a recursive lookup
+ * in the configuration which isn't valid. As such we should error
+ * out
+ */
+ for (i = 0; i < sk_OPENSSL_CSTRING_num(visited); i++) {
+ if (sk_OPENSSL_CSTRING_value(visited, i) == value) {
+ ERR_raise(ERR_LIB_CONF, CONF_R_RECURSIVE_SECTION_REFERENCE);
+ return -1;
+ }
+ }
+
+ /*
+ * We've not visited this node yet, so record it on the stack
+ */
+ if (!sk_OPENSSL_CSTRING_push(visited, value))
+ return -1;
+
if (name != NULL) {
OPENSSL_strlcpy(buffer, name, sizeof(buffer));
OPENSSL_strlcat(buffer, ".", sizeof(buffer));
if (name != NULL) {
OPENSSL_strlcpy(buffer, name, sizeof(buffer));
OPENSSL_strlcat(buffer, ".", sizeof(buffer));
for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i);
for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i);
- if (buffer_len + strlen(sectconf->name) >= sizeof(buffer))
- return 0;
+ if (buffer_len + strlen(sectconf->name) >= sizeof(buffer)) {
+ sk_OPENSSL_CSTRING_pop(visited);
+ return -1;
+ }
buffer[buffer_len] = '\0';
OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer));
buffer[buffer_len] = '\0';
OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer));
- if (!provider_conf_params(prov, provinfo, buffer, sectconf->value,
- cnf))
- return 0;
+ rc = provider_conf_params_internal(prov, provinfo, buffer,
+ sectconf->value, cnf, visited);
+ if (rc < 0) {
+ sk_OPENSSL_CSTRING_pop(visited);
+ return rc;
+ }
+ sk_OPENSSL_CSTRING_pop(visited);
OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value);
} else {
OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value);
} else {
+/*
+ * recursively parse the provider configuration section
+ * of the config file.
+ * Returns
+ * 1 on success
+ * 0 on non-fatal error
+ * < 0 on fatal errors
+ */
+static int provider_conf_params(OSSL_PROVIDER *prov,
+ OSSL_PROVIDER_INFO *provinfo,
+ const char *name, const char *value,
+ const CONF *cnf)
+{
+ int rc;
+ STACK_OF(OPENSSL_CSTRING) *visited = sk_OPENSSL_CSTRING_new_null();
+
+ if (visited == NULL)
+ return -1;
+
+ rc = provider_conf_params_internal(prov, provinfo, name,
+ value, cnf, visited);
+
+ sk_OPENSSL_CSTRING_free(visited);
+
+ return rc;
+}
+
static int prov_already_activated(const char *name,
STACK_OF(OSSL_PROVIDER) *activated)
{
static int prov_already_activated(const char *name,
STACK_OF(OSSL_PROVIDER) *activated)
{
+/*
+ * Attempt to activate a provider
+ * Returns:
+ * 1 on successful activation
+ * 0 on failed activation for non-fatal error
+ * < 0 on failed activation for fatal errors
+ */
static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
const char *value, const char *path,
int soft, const CONF *cnf)
static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
const char *value, const char *path,
int soft, const CONF *cnf)
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
}
if (!prov_already_activated(name, pcgbl->activated_providers)) {
/*
}
if (!prov_already_activated(name, pcgbl->activated_providers)) {
/*
if (!ossl_provider_disable_fallback_loading(libctx)) {
CRYPTO_THREAD_unlock(pcgbl->lock);
ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
if (!ossl_provider_disable_fallback_loading(libctx)) {
CRYPTO_THREAD_unlock(pcgbl->lock);
ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
}
prov = ossl_provider_find(libctx, name, 1);
if (prov == NULL)
}
prov = ossl_provider_find(libctx, name, 1);
if (prov == NULL)
CRYPTO_THREAD_unlock(pcgbl->lock);
if (soft)
ERR_clear_error();
CRYPTO_THREAD_unlock(pcgbl->lock);
if (soft)
ERR_clear_error();
+ return (soft == 0) ? -1 : 0;
ok = provider_conf_params(prov, NULL, NULL, value, cnf);
ok = provider_conf_params(prov, NULL, NULL, value, cnf);
if (!ossl_provider_activate(prov, 1, 0)) {
ok = 0;
} else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
if (!ossl_provider_activate(prov, 1, 0)) {
ok = 0;
} else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
ossl_provider_free(prov);
}
CRYPTO_THREAD_unlock(pcgbl->lock);
ossl_provider_free(prov);
}
CRYPTO_THREAD_unlock(pcgbl->lock);
const char *path = NULL;
long activate = 0;
int ok = 0;
const char *path = NULL;
long activate = 0;
int ok = 0;
name = skip_dot(name);
OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
name = skip_dot(name);
OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
}
if (ok)
ok = provider_conf_params(NULL, &entry, NULL, value, cnf);
}
if (ok)
ok = provider_conf_params(NULL, &entry, NULL, value, cnf);
- if (ok && (entry.path != NULL || entry.parameters != NULL))
+ if (ok >= 1 && (entry.path != NULL || entry.parameters != NULL)) {
ok = ossl_provider_info_add_to_store(libctx, &entry);
ok = ossl_provider_info_add_to_store(libctx, &entry);
- if (!ok || (entry.path == NULL && entry.parameters == NULL)) {
- ossl_provider_info_clear(&entry);
+ if (added == 0)
+ ossl_provider_info_clear(&entry);
- * Even if ok is 0, we still return success. Failure to load a provider is
- * not fatal. We want to continue to load the rest of the config file.
+ * Provider activation returns a tristate:
+ * 1 for successful activation
+ * 0 for non-fatal activation failure
+ * < 0 for fatal activation failure
+ * We return success (1) for activation, (1) for non-fatal activation
+ * failure, and (0) for fatal activation failure
}
static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
}
static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
for (i = 0; i < sk_CONF_VALUE_num(elist); i++) {
cval = sk_CONF_VALUE_value(elist, i);
if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf),
for (i = 0; i < sk_CONF_VALUE_num(elist); i++) {
cval = sk_CONF_VALUE_value(elist, i);
if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf),
- cval->name, cval->value, cnf))
+ cval->name, cval->value, cnf))
/*
* Generated by util/mkerr.pl DO NOT EDIT
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
/*
* Generated by util/mkerr.pl DO NOT EDIT
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# define CONF_R_NUMBER_TOO_LARGE 121
# define CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION 124
# define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111
# define CONF_R_NUMBER_TOO_LARGE 121
# define CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION 124
# define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111
+# define CONF_R_RECURSIVE_SECTION_REFERENCE 126
# define CONF_R_RELATIVE_PATH 125
# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117
# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118
# define CONF_R_RELATIVE_PATH 125
# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117
# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118
context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
keymgmt_internal_test hexstr_test provider_status_test defltfips_test \
bio_readbuffer_test user_property_test pkcs7_test upcallstest \
context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
keymgmt_internal_test hexstr_test provider_status_test defltfips_test \
bio_readbuffer_test user_property_test pkcs7_test upcallstest \
- provfetchtest prov_config_test rand_test ca_internals_test \
- bio_tfo_test membio_test bio_dgram_test list_test fips_version_test \
- x509_test hpke_test pairwise_fail_test nodefltctxtest \
- evp_xof_test x509_load_cert_file_test
+ provfetchtest prov_config_test rand_test \
+ ca_internals_test bio_tfo_test membio_test bio_dgram_test list_test \
+ fips_version_test x509_test hpke_test pairwise_fail_test \
+ nodefltctxtest evp_xof_test x509_load_cert_file_test
IF[{- !$disabled{'rpk'} -}]
PROGRAMS{noinst}=rpktest
IF[{- !$disabled{'rpk'} -}]
PROGRAMS{noinst}=rpktest
*/
#include <openssl/evp.h>
*/
#include <openssl/evp.h>
+#include <openssl/conf.h>
#include "testutil.h"
static char *configfile = NULL;
#include "testutil.h"
static char *configfile = NULL;
+static char *recurseconfigfile = NULL;
/*
* Test to make sure there are no leaks or failures from loading the config
/*
* Test to make sure there are no leaks or failures from loading the config
+static int test_recursive_config(void)
+{
+ OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new();
+ int testresult = 0;
+ unsigned long err;
+
+ if (!TEST_ptr(recurseconfigfile))
+ goto err;
+
+ if (!TEST_ptr(ctx))
+ goto err;
+
+ if (!TEST_false(OSSL_LIB_CTX_load_config(ctx, recurseconfigfile)))
+ goto err;
+
+ err = ERR_peek_error();
+ /* We expect to get a recursion error here */
+ if (ERR_GET_REASON(err) == CONF_R_RECURSIVE_SECTION_REFERENCE)
+ testresult = 1;
+ err:
+ OSSL_LIB_CTX_free(ctx);
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("configfile\n")
int setup_tests(void)
OPT_TEST_DECLARE_USAGE("configfile\n")
int setup_tests(void)
if (!TEST_ptr(configfile = test_get_argument(0)))
return 0;
if (!TEST_ptr(configfile = test_get_argument(0)))
return 0;
+ if (!TEST_ptr(recurseconfigfile = test_get_argument(1)))
+ return 0;
+
+ ADD_TEST(test_recursive_config);
ADD_TEST(test_double_config);
return 1;
}
ADD_TEST(test_double_config);
return 1;
}
-ok(run(test(["prov_config_test", srctop_file("test", "default.cnf")])),
+ok(run(test(["prov_config_test", srctop_file("test", "default.cnf"),
+ srctop_file("test", "recursive.cnf")])),
"running prov_config_test default.cnf");
"running prov_config_test default.cnf");
SKIP: {
skip "Skipping FIPS test in this build", 1 if $no_fips;
SKIP: {
skip "Skipping FIPS test in this build", 1 if $no_fips;
- ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf")])),
+ ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf"),
+ srctop_file("test", "recursive.cnf")])),
"running prov_config_test fips.cnf");
}
"running prov_config_test fips.cnf");
}
--- /dev/null
+openssl_conf = openssl_init
+config_diagnostics = yes
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+ = provider_sect