]>
Commit | Line | Data |
---|---|---|
abbc2c40 | 1 | /* |
da1c088f | 2 | * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. |
abbc2c40 RL |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <openssl/trace.h> | |
12 | #include <openssl/err.h> | |
13 | #include <openssl/conf.h> | |
14 | #include <openssl/safestack.h> | |
6f25d3c4 | 15 | #include <openssl/provider.h> |
abbc2c40 | 16 | #include "internal/provider.h" |
460d2fbc | 17 | #include "internal/cryptlib.h" |
352d482a | 18 | #include "provider_local.h" |
927d0566 | 19 | #include "crypto/context.h" |
abbc2c40 | 20 | |
852c2ed2 | 21 | DEFINE_STACK_OF(OSSL_PROVIDER) |
852c2ed2 | 22 | |
abbc2c40 RL |
23 | /* PROVIDER config module */ |
24 | ||
460d2fbc | 25 | typedef struct { |
f38af125 | 26 | CRYPTO_RWLOCK *lock; |
460d2fbc MC |
27 | STACK_OF(OSSL_PROVIDER) *activated_providers; |
28 | } PROVIDER_CONF_GLOBAL; | |
29 | ||
927d0566 | 30 | void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *libctx) |
460d2fbc MC |
31 | { |
32 | PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl)); | |
33 | ||
34 | if (pcgbl == NULL) | |
35 | return NULL; | |
36 | ||
f38af125 MC |
37 | pcgbl->lock = CRYPTO_THREAD_lock_new(); |
38 | if (pcgbl->lock == NULL) { | |
39 | OPENSSL_free(pcgbl); | |
40 | return NULL; | |
41 | } | |
42 | ||
460d2fbc MC |
43 | return pcgbl; |
44 | } | |
45 | ||
927d0566 | 46 | void ossl_prov_conf_ctx_free(void *vpcgbl) |
460d2fbc MC |
47 | { |
48 | PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl; | |
49 | ||
50 | sk_OSSL_PROVIDER_pop_free(pcgbl->activated_providers, | |
51 | ossl_provider_free); | |
52 | ||
53 | OSSL_TRACE(CONF, "Cleaned up providers\n"); | |
f38af125 | 54 | CRYPTO_THREAD_lock_free(pcgbl->lock); |
460d2fbc MC |
55 | OPENSSL_free(pcgbl); |
56 | } | |
57 | ||
abbc2c40 RL |
58 | static const char *skip_dot(const char *name) |
59 | { | |
60 | const char *p = strchr(name, '.'); | |
61 | ||
62 | if (p != NULL) | |
63 | return p + 1; | |
64 | return name; | |
65 | } | |
66 | ||
682fd21a NH |
67 | /* |
68 | * Parse the provider params section | |
69 | * Returns: | |
70 | * 1 for success | |
71 | * 0 for non-fatal errors | |
72 | * < 0 for fatal errors | |
73 | */ | |
74 | static int provider_conf_params_internal(OSSL_PROVIDER *prov, | |
75 | OSSL_PROVIDER_INFO *provinfo, | |
76 | const char *name, const char *value, | |
77 | const CONF *cnf, | |
78 | STACK_OF(OPENSSL_CSTRING) *visited) | |
abbc2c40 RL |
79 | { |
80 | STACK_OF(CONF_VALUE) *sect; | |
81 | int ok = 1; | |
682fd21a | 82 | int rc = 0; |
abbc2c40 | 83 | |
abbc2c40 RL |
84 | sect = NCONF_get_section(cnf, value); |
85 | if (sect != NULL) { | |
86 | int i; | |
87 | char buffer[512]; | |
88 | size_t buffer_len = 0; | |
89 | ||
71849dff RL |
90 | OSSL_TRACE1(CONF, "Provider params: start section %s\n", value); |
91 | ||
682fd21a NH |
92 | /* |
93 | * Check to see if the provided section value has already | |
94 | * been visited. If it has, then we have a recursive lookup | |
95 | * in the configuration which isn't valid. As such we should error | |
96 | * out | |
97 | */ | |
98 | for (i = 0; i < sk_OPENSSL_CSTRING_num(visited); i++) { | |
99 | if (sk_OPENSSL_CSTRING_value(visited, i) == value) { | |
100 | ERR_raise(ERR_LIB_CONF, CONF_R_RECURSIVE_SECTION_REFERENCE); | |
101 | return -1; | |
102 | } | |
103 | } | |
104 | ||
105 | /* | |
106 | * We've not visited this node yet, so record it on the stack | |
107 | */ | |
108 | if (!sk_OPENSSL_CSTRING_push(visited, value)) | |
109 | return -1; | |
110 | ||
abbc2c40 RL |
111 | if (name != NULL) { |
112 | OPENSSL_strlcpy(buffer, name, sizeof(buffer)); | |
113 | OPENSSL_strlcat(buffer, ".", sizeof(buffer)); | |
114 | buffer_len = strlen(buffer); | |
115 | } | |
116 | ||
117 | for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { | |
118 | CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i); | |
119 | ||
682fd21a NH |
120 | if (buffer_len + strlen(sectconf->name) >= sizeof(buffer)) { |
121 | sk_OPENSSL_CSTRING_pop(visited); | |
122 | return -1; | |
123 | } | |
abbc2c40 RL |
124 | buffer[buffer_len] = '\0'; |
125 | OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer)); | |
682fd21a NH |
126 | rc = provider_conf_params_internal(prov, provinfo, buffer, |
127 | sectconf->value, cnf, visited); | |
128 | if (rc < 0) { | |
129 | sk_OPENSSL_CSTRING_pop(visited); | |
130 | return rc; | |
131 | } | |
abbc2c40 | 132 | } |
682fd21a | 133 | sk_OPENSSL_CSTRING_pop(visited); |
71849dff RL |
134 | |
135 | OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value); | |
abbc2c40 | 136 | } else { |
71849dff | 137 | OSSL_TRACE2(CONF, "Provider params: %s = %s\n", name, value); |
352d482a MC |
138 | if (prov != NULL) |
139 | ok = ossl_provider_add_parameter(prov, name, value); | |
140 | else | |
141 | ok = ossl_provider_info_add_parameter(provinfo, name, value); | |
abbc2c40 RL |
142 | } |
143 | ||
144 | return ok; | |
145 | } | |
146 | ||
682fd21a NH |
147 | /* |
148 | * recursively parse the provider configuration section | |
149 | * of the config file. | |
150 | * Returns | |
151 | * 1 on success | |
152 | * 0 on non-fatal error | |
153 | * < 0 on fatal errors | |
154 | */ | |
155 | static int provider_conf_params(OSSL_PROVIDER *prov, | |
156 | OSSL_PROVIDER_INFO *provinfo, | |
157 | const char *name, const char *value, | |
158 | const CONF *cnf) | |
159 | { | |
160 | int rc; | |
161 | STACK_OF(OPENSSL_CSTRING) *visited = sk_OPENSSL_CSTRING_new_null(); | |
162 | ||
163 | if (visited == NULL) | |
164 | return -1; | |
165 | ||
166 | rc = provider_conf_params_internal(prov, provinfo, name, | |
167 | value, cnf, visited); | |
168 | ||
169 | sk_OPENSSL_CSTRING_free(visited); | |
170 | ||
171 | return rc; | |
172 | } | |
173 | ||
6f25d3c4 MC |
174 | static int prov_already_activated(const char *name, |
175 | STACK_OF(OSSL_PROVIDER) *activated) | |
176 | { | |
177 | int i, max; | |
178 | ||
179 | if (activated == NULL) | |
180 | return 0; | |
181 | ||
182 | max = sk_OSSL_PROVIDER_num(activated); | |
183 | for (i = 0; i < max; i++) { | |
184 | OSSL_PROVIDER *tstprov = sk_OSSL_PROVIDER_value(activated, i); | |
185 | ||
186 | if (strcmp(OSSL_PROVIDER_get0_name(tstprov), name) == 0) { | |
187 | return 1; | |
188 | } | |
189 | } | |
190 | ||
191 | return 0; | |
192 | } | |
193 | ||
682fd21a NH |
194 | /* |
195 | * Attempt to activate a provider | |
196 | * Returns: | |
197 | * 1 on successful activation | |
198 | * 0 on failed activation for non-fatal error | |
199 | * < 0 on failed activation for fatal errors | |
200 | */ | |
07ba6948 DB |
201 | static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, |
202 | const char *value, const char *path, | |
203 | int soft, const CONF *cnf) | |
204 | { | |
205 | PROVIDER_CONF_GLOBAL *pcgbl | |
927d0566 | 206 | = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX); |
07ba6948 DB |
207 | OSSL_PROVIDER *prov = NULL, *actual = NULL; |
208 | int ok = 0; | |
209 | ||
210 | if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { | |
211 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
682fd21a | 212 | return -1; |
07ba6948 DB |
213 | } |
214 | if (!prov_already_activated(name, pcgbl->activated_providers)) { | |
215 | /* | |
216 | * There is an attempt to activate a provider, so we should disable | |
217 | * loading of fallbacks. Otherwise a misconfiguration could mean the | |
218 | * intended provider does not get loaded. Subsequent fetches could | |
219 | * then fallback to the default provider - which may be the wrong | |
220 | * thing. | |
221 | */ | |
222 | if (!ossl_provider_disable_fallback_loading(libctx)) { | |
223 | CRYPTO_THREAD_unlock(pcgbl->lock); | |
224 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); | |
682fd21a | 225 | return -1; |
07ba6948 DB |
226 | } |
227 | prov = ossl_provider_find(libctx, name, 1); | |
228 | if (prov == NULL) | |
9d2f7e1f | 229 | prov = ossl_provider_new(libctx, name, NULL, NULL, 1); |
07ba6948 DB |
230 | if (prov == NULL) { |
231 | CRYPTO_THREAD_unlock(pcgbl->lock); | |
232 | if (soft) | |
233 | ERR_clear_error(); | |
682fd21a | 234 | return (soft == 0) ? -1 : 0; |
07ba6948 DB |
235 | } |
236 | ||
237 | if (path != NULL) | |
238 | ossl_provider_set_module_path(prov, path); | |
239 | ||
240 | ok = provider_conf_params(prov, NULL, NULL, value, cnf); | |
241 | ||
682fd21a | 242 | if (ok == 1) { |
07ba6948 DB |
243 | if (!ossl_provider_activate(prov, 1, 0)) { |
244 | ok = 0; | |
245 | } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { | |
246 | ossl_provider_deactivate(prov, 1); | |
247 | ok = 0; | |
248 | } else if (actual != prov | |
249 | && !ossl_provider_activate(actual, 1, 0)) { | |
250 | ossl_provider_free(actual); | |
251 | ok = 0; | |
252 | } else { | |
253 | if (pcgbl->activated_providers == NULL) | |
254 | pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); | |
255 | if (pcgbl->activated_providers == NULL | |
256 | || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, | |
257 | actual)) { | |
258 | ossl_provider_deactivate(actual, 1); | |
259 | ossl_provider_free(actual); | |
260 | ok = 0; | |
261 | } else { | |
262 | ok = 1; | |
263 | } | |
264 | } | |
265 | } | |
682fd21a NH |
266 | |
267 | if (ok <= 0) | |
07ba6948 DB |
268 | ossl_provider_free(prov); |
269 | } | |
270 | CRYPTO_THREAD_unlock(pcgbl->lock); | |
271 | ||
272 | return ok; | |
273 | } | |
274 | ||
9277ed0a NH |
275 | static int provider_conf_parse_bool_setting(const char *confname, |
276 | const char *confvalue, int *val) | |
277 | { | |
278 | ||
279 | if (confvalue == NULL) { | |
280 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, | |
281 | "directive %s set to unrecognized value", | |
282 | confname); | |
283 | return 0; | |
284 | } | |
285 | if ((strcmp(confvalue, "1") == 0) | |
286 | || (strcmp(confvalue, "yes") == 0) | |
287 | || (strcmp(confvalue, "YES") == 0) | |
288 | || (strcmp(confvalue, "true") == 0) | |
289 | || (strcmp(confvalue, "TRUE") == 0) | |
290 | || (strcmp(confvalue, "on") == 0) | |
291 | || (strcmp(confvalue, "ON") == 0)) { | |
292 | *val = 1; | |
293 | } else if ((strcmp(confvalue, "0") == 0) | |
294 | || (strcmp(confvalue, "no") == 0) | |
295 | || (strcmp(confvalue, "NO") == 0) | |
296 | || (strcmp(confvalue, "false") == 0) | |
297 | || (strcmp(confvalue, "FALSE") == 0) | |
298 | || (strcmp(confvalue, "off") == 0) | |
299 | || (strcmp(confvalue, "OFF") == 0)) { | |
300 | *val = 0; | |
301 | } else { | |
302 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, | |
303 | "directive %s set to unrecognized value", | |
304 | confname); | |
305 | return 0; | |
306 | } | |
307 | ||
308 | return 1; | |
309 | } | |
310 | ||
b4250010 | 311 | static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, |
abbc2c40 RL |
312 | const char *value, const CONF *cnf) |
313 | { | |
314 | int i; | |
315 | STACK_OF(CONF_VALUE) *ecmds; | |
316 | int soft = 0; | |
abbc2c40 | 317 | const char *path = NULL; |
9277ed0a | 318 | int activate = 0; |
abbc2c40 | 319 | int ok = 0; |
682fd21a | 320 | int added = 0; |
abbc2c40 RL |
321 | |
322 | name = skip_dot(name); | |
71849dff | 323 | OSSL_TRACE1(CONF, "Configuring provider %s\n", name); |
abbc2c40 RL |
324 | /* Value is a section containing PROVIDER commands */ |
325 | ecmds = NCONF_get_section(cnf, value); | |
326 | ||
327 | if (!ecmds) { | |
a150f8e1 RL |
328 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
329 | "section=%s not found", value); | |
abbc2c40 RL |
330 | return 0; |
331 | } | |
332 | ||
333 | /* Find the needed data first */ | |
334 | for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { | |
335 | CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); | |
336 | const char *confname = skip_dot(ecmd->name); | |
337 | const char *confvalue = ecmd->value; | |
338 | ||
71849dff | 339 | OSSL_TRACE2(CONF, "Provider command: %s = %s\n", |
abbc2c40 RL |
340 | confname, confvalue); |
341 | ||
342 | /* First handle some special pseudo confs */ | |
343 | ||
344 | /* Override provider name to use */ | |
506ff206 | 345 | if (strcmp(confname, "identity") == 0) { |
abbc2c40 | 346 | name = confvalue; |
506ff206 | 347 | } else if (strcmp(confname, "soft_load") == 0) { |
9277ed0a NH |
348 | if (!provider_conf_parse_bool_setting(confname, |
349 | confvalue, &soft)) | |
350 | return 0; | |
abbc2c40 | 351 | /* Load a dynamic PROVIDER */ |
506ff206 | 352 | } else if (strcmp(confname, "module") == 0) { |
abbc2c40 | 353 | path = confvalue; |
506ff206 | 354 | } else if (strcmp(confname, "activate") == 0) { |
9277ed0a NH |
355 | if (!provider_conf_parse_bool_setting(confname, |
356 | confvalue, &activate)) | |
506ff206 | 357 | return 0; |
506ff206 | 358 | } |
abbc2c40 RL |
359 | } |
360 | ||
f38af125 | 361 | if (activate) { |
07ba6948 | 362 | ok = provider_conf_activate(libctx, name, value, path, soft, cnf); |
f38af125 | 363 | } else { |
b7248964 | 364 | OSSL_PROVIDER_INFO entry; |
352d482a MC |
365 | |
366 | memset(&entry, 0, sizeof(entry)); | |
367 | ok = 1; | |
368 | if (name != NULL) { | |
369 | entry.name = OPENSSL_strdup(name); | |
e077455e | 370 | if (entry.name == NULL) |
352d482a | 371 | ok = 0; |
352d482a MC |
372 | } |
373 | if (ok && path != NULL) { | |
374 | entry.path = OPENSSL_strdup(path); | |
e077455e | 375 | if (entry.path == NULL) |
352d482a | 376 | ok = 0; |
352d482a MC |
377 | } |
378 | if (ok) | |
379 | ok = provider_conf_params(NULL, &entry, NULL, value, cnf); | |
682fd21a | 380 | if (ok >= 1 && (entry.path != NULL || entry.parameters != NULL)) { |
352d482a | 381 | ok = ossl_provider_info_add_to_store(libctx, &entry); |
682fd21a | 382 | added = 1; |
352d482a | 383 | } |
682fd21a NH |
384 | if (added == 0) |
385 | ossl_provider_info_clear(&entry); | |
352d482a | 386 | } |
abbc2c40 | 387 | |
123ed334 | 388 | /* |
682fd21a NH |
389 | * Provider activation returns a tristate: |
390 | * 1 for successful activation | |
391 | * 0 for non-fatal activation failure | |
392 | * < 0 for fatal activation failure | |
393 | * We return success (1) for activation, (1) for non-fatal activation | |
394 | * failure, and (0) for fatal activation failure | |
123ed334 | 395 | */ |
682fd21a | 396 | return ok >= 0; |
abbc2c40 RL |
397 | } |
398 | ||
399 | static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) | |
400 | { | |
401 | STACK_OF(CONF_VALUE) *elist; | |
402 | CONF_VALUE *cval; | |
403 | int i; | |
404 | ||
71849dff RL |
405 | OSSL_TRACE1(CONF, "Loading providers module: section %s\n", |
406 | CONF_imodule_get_value(md)); | |
407 | ||
abbc2c40 RL |
408 | /* Value is a section containing PROVIDERs to configure */ |
409 | elist = NCONF_get_section(cnf, CONF_imodule_get_value(md)); | |
410 | ||
411 | if (!elist) { | |
9311d0c4 | 412 | ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR); |
abbc2c40 RL |
413 | return 0; |
414 | } | |
415 | ||
416 | for (i = 0; i < sk_CONF_VALUE_num(elist); i++) { | |
417 | cval = sk_CONF_VALUE_value(elist, i); | |
6b750b89 | 418 | if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf), |
682fd21a | 419 | cval->name, cval->value, cnf)) |
abbc2c40 RL |
420 | return 0; |
421 | } | |
422 | ||
423 | return 1; | |
424 | } | |
425 | ||
abbc2c40 RL |
426 | void ossl_provider_add_conf_module(void) |
427 | { | |
71849dff | 428 | OSSL_TRACE(CONF, "Adding config module 'providers'\n"); |
460d2fbc | 429 | CONF_module_add("providers", provider_conf_init, NULL); |
abbc2c40 | 430 | } |