/src/openssl/crypto/provider_conf.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <string.h> |
11 | | #include <openssl/trace.h> |
12 | | #include <openssl/err.h> |
13 | | #include <openssl/conf.h> |
14 | | #include <openssl/safestack.h> |
15 | | #include <openssl/provider.h> |
16 | | #include "internal/provider.h" |
17 | | #include "internal/cryptlib.h" |
18 | | #include "provider_local.h" |
19 | | #include "crypto/context.h" |
20 | | |
21 | | DEFINE_STACK_OF(OSSL_PROVIDER) |
22 | | |
23 | | /* PROVIDER config module */ |
24 | | |
25 | | typedef struct { |
26 | | CRYPTO_RWLOCK *lock; |
27 | | STACK_OF(OSSL_PROVIDER) *activated_providers; |
28 | | } PROVIDER_CONF_GLOBAL; |
29 | | |
30 | | void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *libctx) |
31 | 4 | { |
32 | 4 | PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl)); |
33 | | |
34 | 4 | if (pcgbl == NULL) |
35 | 0 | return NULL; |
36 | | |
37 | 4 | pcgbl->lock = CRYPTO_THREAD_lock_new(); |
38 | 4 | if (pcgbl->lock == NULL) { |
39 | 0 | OPENSSL_free(pcgbl); |
40 | 0 | return NULL; |
41 | 0 | } |
42 | | |
43 | 4 | return pcgbl; |
44 | 4 | } |
45 | | |
46 | | void ossl_prov_conf_ctx_free(void *vpcgbl) |
47 | 4 | { |
48 | 4 | PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl; |
49 | | |
50 | 4 | sk_OSSL_PROVIDER_pop_free(pcgbl->activated_providers, |
51 | 4 | ossl_provider_free); |
52 | | |
53 | 4 | OSSL_TRACE(CONF, "Cleaned up providers\n"); |
54 | 4 | CRYPTO_THREAD_lock_free(pcgbl->lock); |
55 | 4 | OPENSSL_free(pcgbl); |
56 | 4 | } |
57 | | |
58 | | static const char *skip_dot(const char *name) |
59 | 0 | { |
60 | 0 | const char *p = strchr(name, '.'); |
61 | |
|
62 | 0 | if (p != NULL) |
63 | 0 | return p + 1; |
64 | 0 | return name; |
65 | 0 | } |
66 | | |
67 | | /* |
68 | | * Parse the provider params section |
69 | | * Returns: |
70 | | * 1 for success |
71 | | * 0 for non-fatal errors |
72 | | * < 0 for fatal errors |
73 | | */ |
74 | | static int provider_conf_params_internal(OSSL_PROVIDER *prov, |
75 | | OSSL_PROVIDER_INFO *provinfo, |
76 | | const char *name, const char *value, |
77 | | const CONF *cnf, |
78 | | STACK_OF(OPENSSL_CSTRING) *visited) |
79 | 0 | { |
80 | 0 | STACK_OF(CONF_VALUE) *sect; |
81 | 0 | int ok = 1; |
82 | 0 | int rc = 0; |
83 | |
|
84 | 0 | sect = NCONF_get_section(cnf, value); |
85 | 0 | if (sect != NULL) { |
86 | 0 | int i; |
87 | 0 | char buffer[512]; |
88 | 0 | size_t buffer_len = 0; |
89 | |
|
90 | 0 | OSSL_TRACE1(CONF, "Provider params: start section %s\n", value); |
91 | | |
92 | | /* |
93 | | * Check to see if the provided section value has already |
94 | | * been visited. If it has, then we have a recursive lookup |
95 | | * in the configuration which isn't valid. As such we should error |
96 | | * out |
97 | | */ |
98 | 0 | for (i = 0; i < sk_OPENSSL_CSTRING_num(visited); i++) { |
99 | 0 | if (sk_OPENSSL_CSTRING_value(visited, i) == value) { |
100 | 0 | ERR_raise(ERR_LIB_CONF, CONF_R_RECURSIVE_SECTION_REFERENCE); |
101 | 0 | return -1; |
102 | 0 | } |
103 | 0 | } |
104 | | |
105 | | /* |
106 | | * We've not visited this node yet, so record it on the stack |
107 | | */ |
108 | 0 | if (!sk_OPENSSL_CSTRING_push(visited, value)) |
109 | 0 | return -1; |
110 | | |
111 | 0 | if (name != NULL) { |
112 | 0 | OPENSSL_strlcpy(buffer, name, sizeof(buffer)); |
113 | 0 | OPENSSL_strlcat(buffer, ".", sizeof(buffer)); |
114 | 0 | buffer_len = strlen(buffer); |
115 | 0 | } |
116 | |
|
117 | 0 | for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { |
118 | 0 | CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i); |
119 | |
|
120 | 0 | if (buffer_len + strlen(sectconf->name) >= sizeof(buffer)) { |
121 | 0 | sk_OPENSSL_CSTRING_pop(visited); |
122 | 0 | return -1; |
123 | 0 | } |
124 | 0 | buffer[buffer_len] = '\0'; |
125 | 0 | OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer)); |
126 | 0 | rc = provider_conf_params_internal(prov, provinfo, buffer, |
127 | 0 | sectconf->value, cnf, visited); |
128 | 0 | if (rc < 0) { |
129 | 0 | sk_OPENSSL_CSTRING_pop(visited); |
130 | 0 | return rc; |
131 | 0 | } |
132 | 0 | } |
133 | 0 | sk_OPENSSL_CSTRING_pop(visited); |
134 | |
|
135 | 0 | OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value); |
136 | 0 | } else { |
137 | 0 | OSSL_TRACE2(CONF, "Provider params: %s = %s\n", name, value); |
138 | 0 | if (prov != NULL) |
139 | 0 | ok = ossl_provider_add_parameter(prov, name, value); |
140 | 0 | else |
141 | 0 | ok = ossl_provider_info_add_parameter(provinfo, name, value); |
142 | 0 | } |
143 | | |
144 | 0 | return ok; |
145 | 0 | } |
146 | | |
147 | | /* |
148 | | * recursively parse the provider configuration section |
149 | | * of the config file. |
150 | | * Returns |
151 | | * 1 on success |
152 | | * 0 on non-fatal error |
153 | | * < 0 on fatal errors |
154 | | */ |
155 | | static int provider_conf_params(OSSL_PROVIDER *prov, |
156 | | OSSL_PROVIDER_INFO *provinfo, |
157 | | const char *name, const char *value, |
158 | | const CONF *cnf) |
159 | 0 | { |
160 | 0 | int rc; |
161 | 0 | STACK_OF(OPENSSL_CSTRING) *visited = sk_OPENSSL_CSTRING_new_null(); |
162 | |
|
163 | 0 | if (visited == NULL) |
164 | 0 | return -1; |
165 | | |
166 | 0 | rc = provider_conf_params_internal(prov, provinfo, name, |
167 | 0 | value, cnf, visited); |
168 | |
|
169 | 0 | sk_OPENSSL_CSTRING_free(visited); |
170 | |
|
171 | 0 | return rc; |
172 | 0 | } |
173 | | |
174 | | static int prov_already_activated(const char *name, |
175 | | STACK_OF(OSSL_PROVIDER) *activated) |
176 | 0 | { |
177 | 0 | int i, max; |
178 | |
|
179 | 0 | if (activated == NULL) |
180 | 0 | return 0; |
181 | | |
182 | 0 | max = sk_OSSL_PROVIDER_num(activated); |
183 | 0 | for (i = 0; i < max; i++) { |
184 | 0 | OSSL_PROVIDER *tstprov = sk_OSSL_PROVIDER_value(activated, i); |
185 | |
|
186 | 0 | if (strcmp(OSSL_PROVIDER_get0_name(tstprov), name) == 0) { |
187 | 0 | return 1; |
188 | 0 | } |
189 | 0 | } |
190 | | |
191 | 0 | return 0; |
192 | 0 | } |
193 | | |
194 | | /* |
195 | | * Attempt to activate a provider |
196 | | * Returns: |
197 | | * 1 on successful activation |
198 | | * 0 on failed activation for non-fatal error |
199 | | * < 0 on failed activation for fatal errors |
200 | | */ |
201 | | static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, |
202 | | const char *value, const char *path, |
203 | | int soft, const CONF *cnf) |
204 | 0 | { |
205 | 0 | PROVIDER_CONF_GLOBAL *pcgbl |
206 | 0 | = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX); |
207 | 0 | OSSL_PROVIDER *prov = NULL, *actual = NULL; |
208 | 0 | int ok = 0; |
209 | |
|
210 | 0 | if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { |
211 | 0 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); |
212 | 0 | return -1; |
213 | 0 | } |
214 | 0 | if (!prov_already_activated(name, pcgbl->activated_providers)) { |
215 | | /* |
216 | | * There is an attempt to activate a provider, so we should disable |
217 | | * loading of fallbacks. Otherwise a misconfiguration could mean the |
218 | | * intended provider does not get loaded. Subsequent fetches could |
219 | | * then fallback to the default provider - which may be the wrong |
220 | | * thing. |
221 | | */ |
222 | 0 | if (!ossl_provider_disable_fallback_loading(libctx)) { |
223 | 0 | CRYPTO_THREAD_unlock(pcgbl->lock); |
224 | 0 | ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); |
225 | 0 | return -1; |
226 | 0 | } |
227 | 0 | prov = ossl_provider_find(libctx, name, 1); |
228 | 0 | if (prov == NULL) |
229 | 0 | prov = ossl_provider_new(libctx, name, NULL, NULL, 1); |
230 | 0 | if (prov == NULL) { |
231 | 0 | CRYPTO_THREAD_unlock(pcgbl->lock); |
232 | 0 | if (soft) |
233 | 0 | ERR_clear_error(); |
234 | 0 | return (soft == 0) ? -1 : 0; |
235 | 0 | } |
236 | | |
237 | 0 | if (path != NULL) |
238 | 0 | ossl_provider_set_module_path(prov, path); |
239 | |
|
240 | 0 | ok = provider_conf_params(prov, NULL, NULL, value, cnf); |
241 | |
|
242 | 0 | if (ok == 1) { |
243 | 0 | if (!ossl_provider_activate(prov, 1, 0)) { |
244 | 0 | ok = 0; |
245 | 0 | } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { |
246 | 0 | ossl_provider_deactivate(prov, 1); |
247 | 0 | ok = 0; |
248 | 0 | } else if (actual != prov |
249 | 0 | && !ossl_provider_activate(actual, 1, 0)) { |
250 | 0 | ossl_provider_free(actual); |
251 | 0 | ok = 0; |
252 | 0 | } else { |
253 | 0 | if (pcgbl->activated_providers == NULL) |
254 | 0 | pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); |
255 | 0 | if (pcgbl->activated_providers == NULL |
256 | 0 | || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, |
257 | 0 | actual)) { |
258 | 0 | ossl_provider_deactivate(actual, 1); |
259 | 0 | ossl_provider_free(actual); |
260 | 0 | ok = 0; |
261 | 0 | } else { |
262 | 0 | ok = 1; |
263 | 0 | } |
264 | 0 | } |
265 | 0 | } |
266 | |
|
267 | 0 | if (ok <= 0) |
268 | 0 | ossl_provider_free(prov); |
269 | 0 | } |
270 | 0 | CRYPTO_THREAD_unlock(pcgbl->lock); |
271 | |
|
272 | 0 | return ok; |
273 | 0 | } |
274 | | |
275 | | static int provider_conf_parse_bool_setting(const char *confname, |
276 | | const char *confvalue, int *val) |
277 | 0 | { |
278 | |
|
279 | 0 | if (confvalue == NULL) { |
280 | 0 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
281 | 0 | "directive %s set to unrecognized value", |
282 | 0 | confname); |
283 | 0 | return 0; |
284 | 0 | } |
285 | 0 | if ((strcmp(confvalue, "1") == 0) |
286 | 0 | || (strcmp(confvalue, "yes") == 0) |
287 | 0 | || (strcmp(confvalue, "YES") == 0) |
288 | 0 | || (strcmp(confvalue, "true") == 0) |
289 | 0 | || (strcmp(confvalue, "TRUE") == 0) |
290 | 0 | || (strcmp(confvalue, "on") == 0) |
291 | 0 | || (strcmp(confvalue, "ON") == 0)) { |
292 | 0 | *val = 1; |
293 | 0 | } else if ((strcmp(confvalue, "0") == 0) |
294 | 0 | || (strcmp(confvalue, "no") == 0) |
295 | 0 | || (strcmp(confvalue, "NO") == 0) |
296 | 0 | || (strcmp(confvalue, "false") == 0) |
297 | 0 | || (strcmp(confvalue, "FALSE") == 0) |
298 | 0 | || (strcmp(confvalue, "off") == 0) |
299 | 0 | || (strcmp(confvalue, "OFF") == 0)) { |
300 | 0 | *val = 0; |
301 | 0 | } else { |
302 | 0 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
303 | 0 | "directive %s set to unrecognized value", |
304 | 0 | confname); |
305 | 0 | return 0; |
306 | 0 | } |
307 | | |
308 | 0 | return 1; |
309 | 0 | } |
310 | | |
311 | | static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, |
312 | | const char *value, const CONF *cnf) |
313 | 0 | { |
314 | 0 | int i; |
315 | 0 | STACK_OF(CONF_VALUE) *ecmds; |
316 | 0 | int soft = 0; |
317 | 0 | const char *path = NULL; |
318 | 0 | int activate = 0; |
319 | 0 | int ok = 0; |
320 | 0 | int added = 0; |
321 | |
|
322 | 0 | name = skip_dot(name); |
323 | 0 | OSSL_TRACE1(CONF, "Configuring provider %s\n", name); |
324 | | /* Value is a section containing PROVIDER commands */ |
325 | 0 | ecmds = NCONF_get_section(cnf, value); |
326 | |
|
327 | 0 | if (!ecmds) { |
328 | 0 | ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
329 | 0 | "section=%s not found", value); |
330 | 0 | return 0; |
331 | 0 | } |
332 | | |
333 | | /* Find the needed data first */ |
334 | 0 | for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { |
335 | 0 | CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); |
336 | 0 | const char *confname = skip_dot(ecmd->name); |
337 | 0 | const char *confvalue = ecmd->value; |
338 | |
|
339 | 0 | OSSL_TRACE2(CONF, "Provider command: %s = %s\n", |
340 | 0 | confname, confvalue); |
341 | | |
342 | | /* First handle some special pseudo confs */ |
343 | | |
344 | | /* Override provider name to use */ |
345 | 0 | if (strcmp(confname, "identity") == 0) { |
346 | 0 | name = confvalue; |
347 | 0 | } else if (strcmp(confname, "soft_load") == 0) { |
348 | 0 | if (!provider_conf_parse_bool_setting(confname, |
349 | 0 | confvalue, &soft)) |
350 | 0 | return 0; |
351 | | /* Load a dynamic PROVIDER */ |
352 | 0 | } else if (strcmp(confname, "module") == 0) { |
353 | 0 | path = confvalue; |
354 | 0 | } else if (strcmp(confname, "activate") == 0) { |
355 | 0 | if (!provider_conf_parse_bool_setting(confname, |
356 | 0 | confvalue, &activate)) |
357 | 0 | return 0; |
358 | 0 | } |
359 | 0 | } |
360 | | |
361 | 0 | if (activate) { |
362 | 0 | ok = provider_conf_activate(libctx, name, value, path, soft, cnf); |
363 | 0 | } else { |
364 | 0 | OSSL_PROVIDER_INFO entry; |
365 | |
|
366 | 0 | memset(&entry, 0, sizeof(entry)); |
367 | 0 | ok = 1; |
368 | 0 | if (name != NULL) { |
369 | 0 | entry.name = OPENSSL_strdup(name); |
370 | 0 | if (entry.name == NULL) |
371 | 0 | ok = 0; |
372 | 0 | } |
373 | 0 | if (ok && path != NULL) { |
374 | 0 | entry.path = OPENSSL_strdup(path); |
375 | 0 | if (entry.path == NULL) |
376 | 0 | ok = 0; |
377 | 0 | } |
378 | 0 | if (ok) |
379 | 0 | ok = provider_conf_params(NULL, &entry, NULL, value, cnf); |
380 | 0 | if (ok >= 1 && (entry.path != NULL || entry.parameters != NULL)) { |
381 | 0 | ok = ossl_provider_info_add_to_store(libctx, &entry); |
382 | 0 | added = 1; |
383 | 0 | } |
384 | 0 | if (added == 0) |
385 | 0 | ossl_provider_info_clear(&entry); |
386 | 0 | } |
387 | | |
388 | | /* |
389 | | * Provider activation returns a tristate: |
390 | | * 1 for successful activation |
391 | | * 0 for non-fatal activation failure |
392 | | * < 0 for fatal activation failure |
393 | | * We return success (1) for activation, (1) for non-fatal activation |
394 | | * failure, and (0) for fatal activation failure |
395 | | */ |
396 | 0 | return ok >= 0; |
397 | 0 | } |
398 | | |
399 | | static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) |
400 | 0 | { |
401 | 0 | STACK_OF(CONF_VALUE) *elist; |
402 | 0 | CONF_VALUE *cval; |
403 | 0 | int i; |
404 | |
|
405 | 0 | OSSL_TRACE1(CONF, "Loading providers module: section %s\n", |
406 | 0 | CONF_imodule_get_value(md)); |
407 | | |
408 | | /* Value is a section containing PROVIDERs to configure */ |
409 | 0 | elist = NCONF_get_section(cnf, CONF_imodule_get_value(md)); |
410 | |
|
411 | 0 | if (!elist) { |
412 | 0 | ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR); |
413 | 0 | return 0; |
414 | 0 | } |
415 | | |
416 | 0 | for (i = 0; i < sk_CONF_VALUE_num(elist); i++) { |
417 | 0 | cval = sk_CONF_VALUE_value(elist, i); |
418 | 0 | if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf), |
419 | 0 | cval->name, cval->value, cnf)) |
420 | 0 | return 0; |
421 | 0 | } |
422 | | |
423 | 0 | return 1; |
424 | 0 | } |
425 | | |
426 | | void ossl_provider_add_conf_module(void) |
427 | 0 | { |
428 | 0 | OSSL_TRACE(CONF, "Adding config module 'providers'\n"); |
429 | 0 | CONF_module_add("providers", provider_conf_init, NULL); |
430 | 0 | } |