priorities: preload the system priorities on library loading time
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 1 Apr 2016 08:46:12 +0000 (10:46 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 1 Apr 2016 09:03:30 +0000 (11:03 +0200)
This allows relying on the system priorities even in the case of
applications that chroot(). It also introduces the environment
variable GNUTLS_SYSTEM_PRIORITY_FILE, which can be used to override
the global priority file.

configure.ac
lib/global.c
lib/global.h
lib/libgnutls.map
lib/priority.c

index ad1c45f14c3d0d3c4acb07d98a6dd92eee6dce47..36426db605f0e90f28d76eed46aea01d16c9a581 100644 (file)
@@ -214,7 +214,7 @@ AC_C_BIGENDIAN
 
 dnl No fork on MinGW, disable some self-tests until we fix them.
 dnl Check clock_gettime and pthread_mutex_lock in libc (avoid linking to other libs)
-AC_CHECK_FUNCS([fork inet_ntop inet_pton getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime vasprintf],,)
+AC_CHECK_FUNCS([fork inet_ntop inet_pton getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime fmemopen vasprintf],,)
 if test "$ac_cv_func_vasprintf" != "yes";then
   AC_MSG_CHECKING([for va_copy])
   AC_LINK_IFELSE([AC_LANG_PROGRAM([
index c26543d57077115b009c480bf701b30353377e7c..f55851e7ea94a9959e5fffd4d6a390ee88e447ac 100644 (file)
@@ -38,6 +38,7 @@
 #include <atfork.h>
 #include <system-keys.h>
 #include "str.h"
+#include "global.h"
 
 /* Minimum library versions we accept. */
 #define GNUTLS_MIN_LIBTASN1_VERSION "0.3.4"
@@ -356,6 +357,7 @@ int gnutls_global_init(void)
 
        _gnutls_register_accel_crypto();
        _gnutls_cryptodev_init();
+       _gnutls_load_system_priorities();
 
 #ifdef ENABLE_FIPS140
        /* These self tests are performed on the overriden algorithms
@@ -406,6 +408,7 @@ static void _gnutls_global_deinit(unsigned destructor)
                _gnutls_cryptodev_deinit();
 
                _gnutls_supplemental_deinit();
+               _gnutls_unload_system_priorities();
 
 #ifdef ENABLE_PKCS11
                /* Do not try to deinitialize the PKCS #11 libraries
index e1a8f2e25c63c1b9508348a16e69db1c02af14b2..45d8dcaff8752aab786765e9f2fca3f3ab29e462 100644 (file)
@@ -45,4 +45,7 @@ extern int gnutls_crypto_init(void);
 extern void gnutls_crypto_deinit(void);
 extern void _gnutls_tpm_global_deinit(void);
 
+extern void _gnutls_load_system_priorities(void);
+extern void _gnutls_unload_system_priorities(void);
+
 #endif
index de51dcc60ce393d5258acf8abdc6f22b8be24568..4cccd3525a1f1b90552dde3325e34d63c867113a 100644 (file)
@@ -1130,8 +1130,9 @@ GNUTLS_PRIVATE_3_4 {
        _gnutls_mpi_ops;
        _gnutls_mpi_log;
        _gnutls_mpi_release;
-       # Internal symbols needed by tests/pkcs12_s2k:
+       # Internal symbols needed by tests/:
        _gnutls_pkcs12_string_to_key;
        _gnutls_bin2hex;
        _gnutls_mac_to_entry;
+       _gnutls_resolve_priorities;
 };
index be247be5182d6f6586163fe0458b9e8ac03d19c3..4934e3af159920279ad95e7a0c4249e9184363cf 100644 (file)
@@ -34,6 +34,7 @@
 
 #define MAX_ELEMENTS 64
 
+char *_gnutls_resolve_priorities(const char* priorities);
 static void prio_remove(priority_st * priority_list, unsigned int algo);
 static void prio_add(priority_st * priority_list, unsigned int algo);
 static void
@@ -892,6 +893,40 @@ static char *check_str(char *line, size_t line_size, const char *needle, size_t
        return NULL;
 }
 
+static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
+static char *system_priority_buf = NULL;
+static size_t system_priority_buf_size = 0;
+
+void _gnutls_load_system_priorities(void)
+{
+       gnutls_datum_t data;
+       const char *p;
+       int ret;
+
+       p = getenv("GNUTLS_SYSTEM_PRIORITY_FILE");
+       if (p != NULL)
+               system_priority_file = p;
+
+#ifdef HAVE_FMEMOPEN
+       ret = gnutls_load_file(system_priority_file, &data);
+       if (ret < 0)
+               return;
+
+       system_priority_buf = (char*)data.data;
+       system_priority_buf_size = data.size;
+#endif
+       return;
+}
+
+void _gnutls_unload_system_priorities(void)
+{
+#ifdef HAVE_FMEMOPEN
+       gnutls_free(system_priority_buf);
+#endif
+       system_priority_buf = NULL;
+       system_priority_buf_size = 0;
+}
+
 /* Returns the new priorities if SYSTEM is specified in
  * an allocated string, or just a copy of the provided
  * priorities, appended with any additional present in
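Review bot: `_gnutls_load_system_priorities` reads GNUTLS_SYSTEM_PRIORITY_FILE with plain `getenv()`, so in a set-user-ID or otherwise privileged process the caller's environment selects the file that defines the library's TLS policy; reading it with `secure_getenv()` (provided by glibc and by gnulib), which returns NULL when the process runs with elevated privileges, keeps the override to unprivileged callers: `p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FILE");`. The value stored in `system_priority_file` is a pointer into the process environment, and `_gnutls_unload_system_priorities` resets the buffer and size but not that pointer, so a deinit followed by a re-init with the variable unset keeps using the earlier, possibly no longer valid, path; adding `system_priority_file = SYSTEM_PRIORITY_FILE;` to the unload function restores the default. When HAVE_FMEMOPEN is undefined, `data` and `ret` in the load function are never used and will draw unused-variable warnings; declaring them inside the `#ifdef` avoids that.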
@@ -899,7 +934,7 @@ static char *check_str(char *line, size_t line_size, const char *needle, size_t
  *
  * The returned string must be released using free().
  */
-static char *resolve_priorities(const char* priorities)
+char *_gnutls_resolve_priorities(const char* priorities)
 {
 char *p = (char*)priorities;
 char *additional = NULL;
@@ -924,7 +959,11 @@ size_t n, n2 = 0, line_size;
                        ss_len = strlen(ss);
                }
 
-               fp = fopen(SYSTEM_PRIORITY_FILE, "r");
+#ifdef HAVE_FMEMOPEN
+               fp = fmemopen(system_priority_buf, system_priority_buf_size, "r");
+#endif
+               if (fp == NULL)
+                       fp = fopen(system_priority_file, "r");
                if (fp == NULL) {/* fail */
                        ret = NULL;
                        goto finish;
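Review bot: When the preload failed, `system_priority_buf` is NULL and `system_priority_buf_size` is 0, and `fmemopen(NULL, 0, "r")` is not guaranteed to fail — recent glibc appears to accept a zero size and return an empty stream — in which case the `fopen(system_priority_file, "r")` fallback on the following line is never reached and the SYSTEM keyword silently resolves against an empty file; guarding the call with `if (system_priority_buf != NULL)` keeps the fallback reachable. In a build without HAVE_FMEMOPEN the `if (fp == NULL)` test reads `fp` before anything in this hunk assigns it, so unless `fp` is initialised to NULL at its declaration (outside the hunk) this is an uninitialised read; placing `fp = NULL;` before the `#ifdef` makes the fallback independent of the declaration. The enclosing function `_gnutls_resolve_priorities` starts and ends outside the hunk.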
@@ -1095,7 +1134,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
        if (priorities == NULL)
                priorities = "NORMAL";
 
-       darg = resolve_priorities(priorities);
+       darg = _gnutls_resolve_priorities(priorities);
        if (darg == NULL) {
                gnutls_assert();
                goto error;