]>
Commit | Line | Data |
---|---|---|
abbc2c40 | 1 | /* |
fecb3aae | 2 | * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. |
abbc2c40 RL |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <openssl/trace.h> | |
12 | #include <openssl/err.h> | |
13 | #include <openssl/conf.h> | |
14 | #include <openssl/safestack.h> | |
6f25d3c4 | 15 | #include <openssl/provider.h> |
abbc2c40 | 16 | #include "internal/provider.h" |
460d2fbc | 17 | #include "internal/cryptlib.h" |
352d482a | 18 | #include "provider_local.h" |
927d0566 | 19 | #include "crypto/context.h" |
abbc2c40 | 20 | |
852c2ed2 | 21 | DEFINE_STACK_OF(OSSL_PROVIDER) |
852c2ed2 | 22 | |
abbc2c40 RL |
23 | /* PROVIDER config module */ |
24 | ||
460d2fbc | 25 | typedef struct { |
f38af125 | 26 | CRYPTO_RWLOCK *lock; |
460d2fbc MC |
27 | STACK_OF(OSSL_PROVIDER) *activated_providers; |
28 | } PROVIDER_CONF_GLOBAL; | |
29 | ||
927d0566 | 30 | void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *libctx) |
460d2fbc MC |
31 | { |
32 | PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl)); | |
33 | ||
34 | if (pcgbl == NULL) | |
35 | return NULL; | |
36 | ||
f38af125 MC |
37 | pcgbl->lock = CRYPTO_THREAD_lock_new(); |
38 | if (pcgbl->lock == NULL) { | |
39 | OPENSSL_free(pcgbl); | |
40 | return NULL; | |
41 | } | |
42 | ||
460d2fbc MC |
43 | return pcgbl; |
44 | } | |
45 | ||
927d0566 | 46 | void ossl_prov_conf_ctx_free(void *vpcgbl) |
460d2fbc MC |
47 | { |
48 | PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl; | |
49 | ||
50 | sk_OSSL_PROVIDER_pop_free(pcgbl->activated_providers, | |
51 | ossl_provider_free); | |
52 | ||
53 | OSSL_TRACE(CONF, "Cleaned up providers\n"); | |
f38af125 | 54 | CRYPTO_THREAD_lock_free(pcgbl->lock); |
460d2fbc MC |
55 | OPENSSL_free(pcgbl); |
56 | } | |
57 | ||
abbc2c40 RL |
58 | static const char *skip_dot(const char *name) |
59 | { | |
60 | const char *p = strchr(name, '.'); | |
61 | ||
62 | if (p != NULL) | |
63 | return p + 1; | |
64 | return name; | |
65 | } | |
66 | ||
67 | static int provider_conf_params(OSSL_PROVIDER *prov, | |
b7248964 | 68 | OSSL_PROVIDER_INFO *provinfo, |
abbc2c40 RL |
69 | const char *name, const char *value, |
70 | const CONF *cnf) | |
71 | { | |
72 | STACK_OF(CONF_VALUE) *sect; | |
73 | int ok = 1; | |
74 | ||
abbc2c40 RL |
75 | sect = NCONF_get_section(cnf, value); |
76 | if (sect != NULL) { | |
77 | int i; | |
78 | char buffer[512]; | |
79 | size_t buffer_len = 0; | |
80 | ||
71849dff RL |
81 | OSSL_TRACE1(CONF, "Provider params: start section %s\n", value); |
82 | ||
abbc2c40 RL |
83 | if (name != NULL) { |
84 | OPENSSL_strlcpy(buffer, name, sizeof(buffer)); | |
85 | OPENSSL_strlcat(buffer, ".", sizeof(buffer)); | |
86 | buffer_len = strlen(buffer); | |
87 | } | |
88 | ||
89 | for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { | |
90 | CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i); | |
91 | ||
92 | if (buffer_len + strlen(sectconf->name) >= sizeof(buffer)) | |
93 | return 0; | |
94 | buffer[buffer_len] = '\0'; | |
95 | OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer)); | |
352d482a MC |
96 | if (!provider_conf_params(prov, provinfo, buffer, sectconf->value, |
97 | cnf)) | |
abbc2c40 RL |
98 | return 0; |
99 | } | |
71849dff RL |
100 | |
101 | OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value); | |
abbc2c40 | 102 | } else { |
71849dff | 103 | OSSL_TRACE2(CONF, "Provider params: %s = %s\n", name, value); |
352d482a MC |
104 | if (prov != NULL) |
105 | ok = ossl_provider_add_parameter(prov, name, value); | |
106 | else | |
107 | ok = ossl_provider_info_add_parameter(provinfo, name, value); | |
abbc2c40 RL |
108 | } |
109 | ||
110 | return ok; | |
111 | } | |
112 | ||
6f25d3c4 MC |
113 | static int prov_already_activated(const char *name, |
114 | STACK_OF(OSSL_PROVIDER) *activated) | |
115 | { | |
116 | int i, max; | |
117 | ||
118 | if (activated == NULL) | |
119 | return 0; | |
120 | ||
121 | max = sk_OSSL_PROVIDER_num(activated); | |
122 | for (i = 0; i < max; i++) { | |
123 | OSSL_PROVIDER *tstprov = sk_OSSL_PROVIDER_value(activated, i); | |
124 | ||
125 | if (strcmp(OSSL_PROVIDER_get0_name(tstprov), name) == 0) { | |
126 | return 1; | |
127 | } | |
128 | } | |
129 | ||
130 | return 0; | |
131 | } | |
132 | ||
07ba6948 DB |
133 | static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, |
134 | const char *value, const char *path, | |
135 | int soft, const CONF *cnf) | |
136 | { | |
137 | PROVIDER_CONF_GLOBAL *pcgbl | |
927d0566 | 138 | = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX); |
07ba6948 DB |
139 | OSSL_PROVIDER *prov = NULL, *actual = NULL; |
140 | int ok = 0; | |
141 | ||
142 | if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { | |
143 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
144 | return 0; | |
145 | } | |
146 | if (!prov_already_activated(name, pcgbl->activated_providers)) { | |
147 | /* | |
148 | * There is an attempt to activate a provider, so we should disable | |
149 | * loading of fallbacks. Otherwise a misconfiguration could mean the | |
150 | * intended provider does not get loaded. Subsequent fetches could | |
151 | * then fallback to the default provider - which may be the wrong | |
152 | * thing. | |
153 | */ | |
154 | if (!ossl_provider_disable_fallback_loading(libctx)) { | |
155 | CRYPTO_THREAD_unlock(pcgbl->lock); | |
156 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
157 | return 0; | |
158 | } | |
159 | prov = ossl_provider_find(libctx, name, 1); | |
160 | if (prov == NULL) | |
161 | prov = ossl_provider_new(libctx, name, NULL, 1); | |
162 | if (prov == NULL) { | |
163 | CRYPTO_THREAD_unlock(pcgbl->lock); | |
164 | if (soft) | |
165 | ERR_clear_error(); | |
166 | return 0; | |
167 | } | |
168 | ||
169 | if (path != NULL) | |
170 | ossl_provider_set_module_path(prov, path); | |
171 | ||
172 | ok = provider_conf_params(prov, NULL, NULL, value, cnf); | |
173 | ||
174 | if (ok) { | |
175 | if (!ossl_provider_activate(prov, 1, 0)) { | |
176 | ok = 0; | |
177 | } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { | |
178 | ossl_provider_deactivate(prov, 1); | |
179 | ok = 0; | |
180 | } else if (actual != prov | |
181 | && !ossl_provider_activate(actual, 1, 0)) { | |
182 | ossl_provider_free(actual); | |
183 | ok = 0; | |
184 | } else { | |
185 | if (pcgbl->activated_providers == NULL) | |
186 | pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); | |
187 | if (pcgbl->activated_providers == NULL | |
188 | || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, | |
189 | actual)) { | |
190 | ossl_provider_deactivate(actual, 1); | |
191 | ossl_provider_free(actual); | |
192 | ok = 0; | |
193 | } else { | |
194 | ok = 1; | |
195 | } | |
196 | } | |
197 | } | |
198 | if (!ok) | |
199 | ossl_provider_free(prov); | |
200 | } | |
201 | CRYPTO_THREAD_unlock(pcgbl->lock); | |
202 | ||
203 | return ok; | |
204 | } | |
205 | ||
b4250010 | 206 | static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, |
abbc2c40 RL |
207 | const char *value, const CONF *cnf) |
208 | { | |
209 | int i; | |
210 | STACK_OF(CONF_VALUE) *ecmds; | |
211 | int soft = 0; | |
abbc2c40 RL |
212 | const char *path = NULL; |
213 | long activate = 0; | |
214 | int ok = 0; | |
215 | ||
216 | name = skip_dot(name); | |
71849dff | 217 | OSSL_TRACE1(CONF, "Configuring provider %s\n", name); |
abbc2c40 RL |
218 | /* Value is a section containing PROVIDER commands */ |
219 | ecmds = NCONF_get_section(cnf, value); | |
220 | ||
221 | if (!ecmds) { | |
a150f8e1 RL |
222 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
223 | "section=%s not found", value); | |
abbc2c40 RL |
224 | return 0; |
225 | } | |
226 | ||
227 | /* Find the needed data first */ | |
228 | for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { | |
229 | CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); | |
230 | const char *confname = skip_dot(ecmd->name); | |
231 | const char *confvalue = ecmd->value; | |
232 | ||
71849dff | 233 | OSSL_TRACE2(CONF, "Provider command: %s = %s\n", |
abbc2c40 RL |
234 | confname, confvalue); |
235 | ||
236 | /* First handle some special pseudo confs */ | |
237 | ||
238 | /* Override provider name to use */ | |
239 | if (strcmp(confname, "identity") == 0) | |
240 | name = confvalue; | |
241 | else if (strcmp(confname, "soft_load") == 0) | |
242 | soft = 1; | |
243 | /* Load a dynamic PROVIDER */ | |
244 | else if (strcmp(confname, "module") == 0) | |
245 | path = confvalue; | |
246 | else if (strcmp(confname, "activate") == 0) | |
247 | activate = 1; | |
248 | } | |
249 | ||
f38af125 | 250 | if (activate) { |
07ba6948 | 251 | ok = provider_conf_activate(libctx, name, value, path, soft, cnf); |
f38af125 | 252 | } else { |
b7248964 | 253 | OSSL_PROVIDER_INFO entry; |
352d482a MC |
254 | |
255 | memset(&entry, 0, sizeof(entry)); | |
256 | ok = 1; | |
257 | if (name != NULL) { | |
258 | entry.name = OPENSSL_strdup(name); | |
259 | if (entry.name == NULL) { | |
260 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
261 | ok = 0; | |
262 | } | |
263 | } | |
264 | if (ok && path != NULL) { | |
265 | entry.path = OPENSSL_strdup(path); | |
266 | if (entry.path == NULL) { | |
267 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); | |
268 | ok = 0; | |
269 | } | |
270 | } | |
271 | if (ok) | |
272 | ok = provider_conf_params(NULL, &entry, NULL, value, cnf); | |
273 | if (ok && (entry.path != NULL || entry.parameters != NULL)) | |
274 | ok = ossl_provider_info_add_to_store(libctx, &entry); | |
275 | if (!ok || (entry.path == NULL && entry.parameters == NULL)) { | |
276 | ossl_provider_info_clear(&entry); | |
277 | } | |
278 | ||
279 | } | |
abbc2c40 | 280 | |
123ed334 MC |
281 | /* |
282 | * Even if ok is 0, we still return success. Failure to load a provider is | |
283 | * not fatal. We want to continue to load the rest of the config file. | |
284 | */ | |
285 | return 1; | |
abbc2c40 RL |
286 | } |
287 | ||
288 | static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) | |
289 | { | |
290 | STACK_OF(CONF_VALUE) *elist; | |
291 | CONF_VALUE *cval; | |
292 | int i; | |
293 | ||
71849dff RL |
294 | OSSL_TRACE1(CONF, "Loading providers module: section %s\n", |
295 | CONF_imodule_get_value(md)); | |
296 | ||
abbc2c40 RL |
297 | /* Value is a section containing PROVIDERs to configure */ |
298 | elist = NCONF_get_section(cnf, CONF_imodule_get_value(md)); | |
299 | ||
300 | if (!elist) { | |
9311d0c4 | 301 | ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR); |
abbc2c40 RL |
302 | return 0; |
303 | } | |
304 | ||
305 | for (i = 0; i < sk_CONF_VALUE_num(elist); i++) { | |
306 | cval = sk_CONF_VALUE_value(elist, i); | |
6b750b89 RS |
307 | if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf), |
308 | cval->name, cval->value, cnf)) | |
abbc2c40 RL |
309 | return 0; |
310 | } | |
311 | ||
312 | return 1; | |
313 | } | |
314 | ||
abbc2c40 RL |
315 | void ossl_provider_add_conf_module(void) |
316 | { | |
71849dff | 317 | OSSL_TRACE(CONF, "Adding config module 'providers'\n"); |
460d2fbc | 318 | CONF_module_add("providers", provider_conf_init, NULL); |
abbc2c40 | 319 | } |