From: Nikos Mavrogiannopoulos
Date: Fri, 1 Apr 2016 08:46:12 +0000 (+0200)
Subject: priorities: preload the system priorities on library loading time
X-Git-Tag: gnutls_3_5_0~211
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=006b89d4464ae1bb6d545ea5716998654124df45;p=thirdparty%2Fgnutls.git
priorities: preload the system priorities on library loading time
This allows to rely on the system priorities even in the case of applications that chroot(). This also introduces the environment variable GNUTLS_SYSTEM_PRIORITY_FILE which can be used to override the global priority file.
---
diff --git a/configure.ac b/configure.ac
index ad1c45f14c..36426db605 100644
--- a/configure.ac
+++ b/configure.ac
@@ -214,7 +214,7 @@ AC_C_BIGENDIAN
 dnl No fork on MinGW, disable some self-tests until we fix them.
 dnl Check clock_gettime and pthread_mutex_lock in libc (avoid linking to other libs)
-AC_CHECK_FUNCS([fork inet_ntop inet_pton getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime vasprintf],,)
+AC_CHECK_FUNCS([fork inet_ntop inet_pton getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime fmemopen vasprintf],,)
 if test "$ac_cv_func_vasprintf" != "yes";then
 AC_MSG_CHECKING([for va_copy])
 AC_LINK_IFELSE([AC_LANG_PROGRAM([
diff --git a/lib/global.c b/lib/global.c
index c26543d570..f55851e7ea 100644
--- a/lib/global.c
+++ b/lib/global.c
@@ -38,6 +38,7 @@
 #include
 #include
 #include "str.h"
+#include "global.h"
 /* Minimum library versions we accept. */
 #define GNUTLS_MIN_LIBTASN1_VERSION "0.3.4"
@@ -356,6 +357,7 @@ int gnutls_global_init(void)
 _gnutls_register_accel_crypto();
 _gnutls_cryptodev_init();
+ _gnutls_load_system_priorities();
 #ifdef ENABLE_FIPS140
 /* These self tests are performed on the overriden algorithms
@@ -406,6 +408,7 @@ static void _gnutls_global_deinit(unsigned destructor)
 _gnutls_cryptodev_deinit();
 _gnutls_supplemental_deinit();
+ _gnutls_unload_system_priorities();
 #ifdef ENABLE_PKCS11
 /* Do not try to deinitialize the PKCS #11 libraries
diff --git a/lib/global.h b/lib/global.h
index e1a8f2e25c..45d8dcaff8 100644
--- a/lib/global.h
+++ b/lib/global.h
@@ -45,4 +45,7 @@ extern int gnutls_crypto_init(void);
 extern void gnutls_crypto_deinit(void);
 extern void _gnutls_tpm_global_deinit(void);
+extern void _gnutls_load_system_priorities(void);
+extern void _gnutls_unload_system_priorities(void);
+
 #endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index de51dcc60c..4cccd3525a 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1130,8 +1130,9 @@ GNUTLS_PRIVATE_3_4 {
 _gnutls_mpi_ops;
 _gnutls_mpi_log;
 _gnutls_mpi_release;
- # Internal symbols needed by tests/pkcs12_s2k:
+ # Internal symbols needed by tests/:
 _gnutls_pkcs12_string_to_key;
 _gnutls_bin2hex;
 _gnutls_mac_to_entry;
+ _gnutls_resolve_priorities;
 };
diff --git a/lib/priority.c b/lib/priority.c
index be247be518..4934e3af15 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -34,6 +34,7 @@
 #define MAX_ELEMENTS 64
+char *_gnutls_resolve_priorities(const char* priorities);
 static void prio_remove(priority_st * priority_list, unsigned int algo);
 static void prio_add(priority_st * priority_list, unsigned int algo);
 static void
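Review bot: The new prototype `char *_gnutls_resolve_priorities(const char* priorities);` is placed locally in priority.c after `#define MAX_ELEMENTS 64`, while the same symbol is exported through libgnutls.map "for tests/"; a declaration that exists only in the .c file forces the test to re-declare the function by hand, and a later change to its signature would not be caught by the compiler on the test side. Since this commit already adds the `_gnutls_load_system_priorities`/`_gnutls_unload_system_priorities` declarations to lib/global.h, the resolve prototype belongs in a header the tests can include too, with a one-line comment that the returned string is owned by the caller and released with free(), as the existing comment above the definition states.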
@@ -892,6 +893,40 @@ static char *check_str(char *line, size_t line_size, const char *needle, size_t
 return NULL;
 }
+static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
+static char *system_priority_buf = NULL;
+static size_t system_priority_buf_size = 0;
+
+void _gnutls_load_system_priorities(void)
+{
+ gnutls_datum_t data;
+ const char *p;
+ int ret;
+
+ p = getenv("GNUTLS_SYSTEM_PRIORITY_FILE");
+ if (p != NULL)
+ system_priority_file = p;
+
+#ifdef HAVE_FMEMOPEN
+ ret = gnutls_load_file(system_priority_file, &data);
+ if (ret < 0)
+ return;
+
+ system_priority_buf = (char*)data.data;
+ system_priority_buf_size = data.size;
+#endif
+ return;
+}
+
+void _gnutls_unload_system_priorities(void)
+{
+#ifdef HAVE_FMEMOPEN
+ gnutls_free(system_priority_buf);
+#endif
+ system_priority_buf = NULL;
+ system_priority_buf_size = 0;
+}
+
 /* Returns the new priorities if SYSTEM is specified in
 * an allocated string, or just a copy of the provided
 * priorities, appended with any additional present in
@@ -899,7 +934,7 @@ static char *check_str(char *line, size_t line_size, const char *needle, size_t
 *
 * The returned string must be released using free().
 */
-static char *resolve_priorities(const char* priorities)
+char *_gnutls_resolve_priorities(const char* priorities)
 {
 char *p = (char*)priorities;
 char *additional = NULL;
@@ -924,7 +959,11 @@ size_t n, n2 = 0, line_size;
 ss_len = strlen(ss);
 }
- fp = fopen(SYSTEM_PRIORITY_FILE, "r");
+#ifdef HAVE_FMEMOPEN
+ fp = fmemopen(system_priority_buf, system_priority_buf_size, "r");
+#endif
+ if (fp == NULL)
+ fp = fopen(system_priority_file, "r");
 if (fp == NULL) {/* fail */
 ret = NULL;
 goto finish;
@@ -1095,7 +1134,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 if (priorities == NULL)
 priorities = "NORMAL";
- darg = resolve_priorities(priorities);
+ darg = _gnutls_resolve_priorities(priorities);
 if (darg == NULL) {
 gnutls_assert();
 goto error;
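Review bot: `p = getenv("GNUTLS_SYSTEM_PRIORITY_FILE");` in `_gnutls_load_system_priorities` honours the override even when the process is set-user-ID or set-group-ID, so in such a program an untrusted environment decides which file the library parses as the system priority policy; `p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FILE");` (glibc, or the gnulib replacement the tree can supply) ignores the variable under elevated privileges and is the safer default here. The pointer returned by getenv() is also stored as-is in `system_priority_file` and dereferenced much later by `fopen()` in `_gnutls_resolve_priorities`, but POSIX allows that pointer to be invalidated by any subsequent setenv()/unsetenv()/putenv(); keep a private copy (e.g. via strdup() into a separate static) and release it in `_gnutls_unload_system_priorities`, leaving the `SYSTEM_PRIORITY_FILE` default as the literal. A failing `gnutls_load_file()` returns silently, so a mistyped path in the variable is indistinguishable from no override; a `_gnutls_debug_log` line before that `return` would make the misconfiguration diagnosable. On builds without HAVE_FMEMOPEN, `data` and `ret` are declared but never used and will draw unused-variable warnings, so their declarations should move inside the `#ifdef` block.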
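Review bot: `fp = fmemopen(system_priority_buf, system_priority_buf_size, "r");` is reached even when the preload failed and the buffer is still NULL with size 0, so the `fopen()` fallback relies on fmemopen() rejecting that pair, which is not guaranteed by every libc; guard it explicitly with `if (system_priority_buf != NULL)` before the call. On builds without HAVE_FMEMOPEN the following `if (fp == NULL)` reads `fp` before anything in this hunk assigns it, so unless its declaration (outside the hunk, earlier in `_gnutls_resolve_priorities`) initialises it to NULL the fallback reads an indeterminate value. A comment at this point is also worth adding: with the in-memory copy, the system priority file is read once at `gnutls_global_init` time, so later edits to it (for instance a tightening of the system policy) are not seen by an already running process until it re-initialises the library, and the documentation of GNUTLS_SYSTEM_PRIORITY_FILE should state that.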