1 |
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite |
2 |
|
|
#(partial) of the function provider_conf_load() under the 'if (activate)' section. |
3 |
|
|
#If there is any change to this section, after deleting it in provider_conf_load() |
4 |
|
|
#ensure that you also add those changes to the provider_conf_activate() function. |
5 |
|
|
#additionally please add this check for cnf explicitly as shown below. |
6 |
|
|
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;' |
7 |
|
|
diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c |
8 |
|
|
--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 |
9 |
|
|
+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 |
10 |
|
|
@@ -136,58 +136,18 @@ static int prov_already_activated(const |
11 |
|
|
return 0; |
12 |
|
|
} |
13 |
|
|
|
14 |
|
|
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, |
15 |
|
|
- const char *value, const CONF *cnf) |
16 |
|
|
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name, |
17 |
|
|
+ const char *value, const char *path, |
18 |
|
|
+ int soft, const CONF *cnf) |
19 |
|
|
{ |
20 |
|
|
- int i; |
21 |
|
|
- STACK_OF(CONF_VALUE) *ecmds; |
22 |
|
|
- int soft = 0; |
23 |
|
|
- OSSL_PROVIDER *prov = NULL, *actual = NULL; |
24 |
|
|
- const char *path = NULL; |
25 |
|
|
- long activate = 0; |
26 |
|
|
int ok = 0; |
27 |
|
|
- |
28 |
|
|
- name = skip_dot(name); |
29 |
|
|
- OSSL_TRACE1(CONF, "Configuring provider %s\n", name); |
30 |
|
|
- /* Value is a section containing PROVIDER commands */ |
31 |
|
|
- ecmds = NCONF_get_section(cnf, value); |
32 |
|
|
- |
33 |
|
|
- if (!ecmds) { |
34 |
|
|
- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
35 |
|
|
- "section=%s not found", value); |
36 |
|
|
- return 0; |
37 |
|
|
- } |
38 |
|
|
- |
39 |
|
|
- /* Find the needed data first */ |
40 |
|
|
- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { |
41 |
|
|
- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); |
42 |
|
|
- const char *confname = skip_dot(ecmd->name); |
43 |
|
|
- const char *confvalue = ecmd->value; |
44 |
|
|
- |
45 |
|
|
- OSSL_TRACE2(CONF, "Provider command: %s = %s\n", |
46 |
|
|
- confname, confvalue); |
47 |
|
|
- |
48 |
|
|
- /* First handle some special pseudo confs */ |
49 |
|
|
- |
50 |
|
|
- /* Override provider name to use */ |
51 |
|
|
- if (strcmp(confname, "identity") == 0) |
52 |
|
|
- name = confvalue; |
53 |
|
|
- else if (strcmp(confname, "soft_load") == 0) |
54 |
|
|
- soft = 1; |
55 |
|
|
- /* Load a dynamic PROVIDER */ |
56 |
|
|
- else if (strcmp(confname, "module") == 0) |
57 |
|
|
- path = confvalue; |
58 |
|
|
- else if (strcmp(confname, "activate") == 0) |
59 |
|
|
- activate = 1; |
60 |
|
|
- } |
61 |
|
|
- |
62 |
|
|
- if (activate) { |
63 |
|
|
- PROVIDER_CONF_GLOBAL *pcgbl |
64 |
|
|
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, |
65 |
|
|
- &provider_conf_ossl_ctx_method); |
66 |
|
|
+ OSSL_PROVIDER *prov = NULL, *actual = NULL; |
67 |
|
|
+ PROVIDER_CONF_GLOBAL *pcgbl |
68 |
|
|
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, |
69 |
|
|
+ &provider_conf_ossl_ctx_method); |
70 |
|
|
|
71 |
|
|
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { |
72 |
|
|
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); |
73 |
|
|
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); |
74 |
|
|
return 0; |
75 |
|
|
} |
76 |
|
|
if (!prov_already_activated(name, pcgbl->activated_providers)) { |
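Review bot: provider_conf_activate() is a new function with no header comment, and its contract is wider than the code it was cut from: the `name = skip_dot(name)` call no longer happens here (provider_conf_load does it before the call, provider_conf_init passes a literal), `path` may be NULL, and `cnf` may be NULL, in which case the later `ok = cnf ? provider_conf_params(...) : 1;` line skips parameter handling and `value` is unused. I would add a `/* */` comment above the signature saying that it activates provider `name`, optionally from module `path`, applying the parameters in section `value` of `cnf` only when `cnf` is non-NULL, that it returns 1 on success (including the already-activated case) and 0 on failure, and what `soft` controls — its use is outside this hunk, so confirm before documenting it. The comment should also say the pcgbl write lock is taken here and released before return, since the body continues past the hunk. Style nit on the signature: `OSSL_LIB_CTX *libctx,const char *name,` is missing a space after the comma.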
77 |
|
|
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C |
78 |
|
|
if (path != NULL) |
79 |
|
|
ossl_provider_set_module_path(prov, path); |
80 |
|
|
|
81 |
|
|
- ok = provider_conf_params(prov, NULL, NULL, value, cnf); |
82 |
|
|
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; |
83 |
|
|
|
84 |
|
|
if (ok) { |
85 |
|
|
if (!ossl_provider_activate(prov, 1, 0)) { |
86 |
|
|
@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C |
87 |
|
|
} |
88 |
|
|
if (!ok) |
89 |
|
|
ossl_provider_free(prov); |
90 |
|
|
+ } else { /* No reason to activate the provider twice, returning OK */ |
91 |
|
|
+ ok = 1; |
92 |
|
|
} |
93 |
|
|
CRYPTO_THREAD_unlock(pcgbl->lock); |
94 |
|
|
+ return ok; |
95 |
|
|
+} |
96 |
|
|
+ |
97 |
|
|
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, |
98 |
|
|
+ const char *value, const CONF *cnf) |
99 |
|
|
+{ |
100 |
|
|
+ int i; |
101 |
|
|
+ STACK_OF(CONF_VALUE) *ecmds; |
102 |
|
|
+ int soft = 0; |
103 |
|
|
+ const char *path = NULL; |
104 |
|
|
+ long activate = 0; |
105 |
|
|
+ int ok = 0; |
106 |
|
|
+ |
107 |
|
|
+ name = skip_dot(name); |
108 |
|
|
+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name); |
109 |
|
|
+ /* Value is a section containing PROVIDER commands */ |
110 |
|
|
+ ecmds = NCONF_get_section(cnf, value); |
111 |
|
|
+ |
112 |
|
|
+ if (!ecmds) { |
113 |
|
|
+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, |
114 |
|
|
+ "section=%s not found", value); |
115 |
|
|
+ return 0; |
116 |
|
|
+ } |
117 |
|
|
+ |
118 |
|
|
+ /* Find the needed data first */ |
119 |
|
|
+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { |
120 |
|
|
+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); |
121 |
|
|
+ const char *confname = skip_dot(ecmd->name); |
122 |
|
|
+ const char *confvalue = ecmd->value; |
123 |
|
|
+ |
124 |
|
|
+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n", |
125 |
|
|
+ confname, confvalue); |
126 |
|
|
+ |
127 |
|
|
+ /* First handle some special pseudo confs */ |
128 |
|
|
+ |
129 |
|
|
+ /* Override provider name to use */ |
130 |
|
|
+ if (strcmp(confname, "identity") == 0) |
131 |
|
|
+ name = confvalue; |
132 |
|
|
+ else if (strcmp(confname, "soft_load") == 0) |
133 |
|
|
+ soft = 1; |
134 |
|
|
+ /* Load a dynamic PROVIDER */ |
135 |
|
|
+ else if (strcmp(confname, "module") == 0) |
136 |
|
|
+ path = confvalue; |
137 |
|
|
+ else if (strcmp(confname, "activate") == 0) |
138 |
|
|
+ activate = 1; |
139 |
|
|
+ } |
140 |
|
|
+ |
141 |
|
|
+ if (activate) { |
142 |
|
|
+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf); |
143 |
|
|
} else { |
144 |
|
|
OSSL_PROVIDER_INFO entry; |
145 |
|
|
|
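Review bot: The new `else { /* No reason to activate the provider twice, returning OK */ ok = 1; }` branch reports success without leaving any trace that this section's `module` path and parameters were discarded, so a second config section naming an already-activated provider is a silent no-op. The file already traces configuration steps with OSSL_TRACE1, so I would add, before `ok = 1;`, a line such as `OSSL_TRACE1(CONF, "Provider %s already activated, skipping\n", name);` (constructed message). The enclosing if/else in provider_conf_activate() and the `else` branch of provider_conf_load() both start or end outside this hunk.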
146 |
|
|
@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU |
147 |
|
|
return 0; |
148 |
|
|
} |
149 |
|
|
|
150 |
|
|
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ |
151 |
|
|
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); |
152 |
|
|
+ PROVIDER_CONF_GLOBAL *pcgbl |
153 |
|
|
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, |
154 |
|
|
+ &provider_conf_ossl_ctx_method); |
155 |
|
|
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) |
156 |
|
|
+ return 0; |
157 |
|
|
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) |
158 |
|
|
+ return 0; |
159 |
|
|
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1) |
160 |
|
|
+ return 0; |
161 |
|
|
+ } |
162 |
|
|
+ |
163 |
|
|
return 1; |
164 |
|
|
} |
165 |
|
|
|
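Review bot: In the new kernel-FIPS block `pcgbl` is computed with ossl_lib_ctx_get_data() but never read — provider_conf_activate() fetches the same context data itself — so those three lines should be dropped; as written they only produce an unused-variable warning. The `(CONF *)cnf` cast in `NCONF_get0_libctx((CONF *)cnf)` discards const; if NCONF_get0_libctx takes a `const CONF *`, as I believe upstream 3.0 does, the cast is unnecessary and should go. The `/* XXX from provider_conf_load */` comment does not explain the branch; something like `/* Kernel FIPS mode: force-activate fips and base and enable the fips property, independent of the config file */` would. The three `return 0;` paths raise no error of their own, so diagnosis depends on provider_conf_activate() and EVP_default_properties_enable_fips() raising on failure — worth confirming.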