|
 |
bf760f |
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
|
|
|
bf760f |
#(partial) of the function provider_conf_load() under the 'if (activate) section.
|
|
|
bf760f |
#If there is any change to this section, after deleting it in provider_conf_load()
|
|
|
bf760f |
#ensure that you also add those changes to the provider_conf_activate() function.
|
|
|
bf760f |
#additionally please add this check for cnf explicitly as shown below.
|
|
|
bf760f |
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
|
|
|
727bdf |
diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
|
|
|
727bdf |
--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
|
|
|
727bdf |
+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
|
|
|
bf760f |
@@ -136,58 +136,18 @@ static int prov_already_activated(const
|
|
|
bf760f |
return 0;
|
|
|
bf760f |
}
|
|
|
727bdf |
|
|
|
bf760f |
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
|
|
bf760f |
- const char *value, const CONF *cnf)
|
|
|
bf760f |
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
|
|
|
bf760f |
+ const char *value, const char *path,
|
|
|
bf760f |
+ int soft, const CONF *cnf)
|
|
|
bf760f |
{
|
|
|
bf760f |
- int i;
|
|
|
bf760f |
- STACK_OF(CONF_VALUE) *ecmds;
|
|
|
bf760f |
- int soft = 0;
|
|
|
bf760f |
- OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
|
|
bf760f |
- const char *path = NULL;
|
|
|
bf760f |
- long activate = 0;
|
|
|
bf760f |
int ok = 0;
|
|
|
bf760f |
-
|
|
|
bf760f |
- name = skip_dot(name);
|
|
|
bf760f |
- OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
|
|
bf760f |
- /* Value is a section containing PROVIDER commands */
|
|
|
bf760f |
- ecmds = NCONF_get_section(cnf, value);
|
|
|
bf760f |
-
|
|
|
bf760f |
- if (!ecmds) {
|
|
|
bf760f |
- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
|
|
bf760f |
- "section=%s not found", value);
|
|
|
bf760f |
- return 0;
|
|
|
bf760f |
- }
|
|
|
bf760f |
-
|
|
|
bf760f |
- /* Find the needed data first */
|
|
|
bf760f |
- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
|
|
bf760f |
- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
|
|
bf760f |
- const char *confname = skip_dot(ecmd->name);
|
|
|
bf760f |
- const char *confvalue = ecmd->value;
|
|
|
bf760f |
-
|
|
|
bf760f |
- OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
|
|
bf760f |
- confname, confvalue);
|
|
|
bf760f |
-
|
|
|
bf760f |
- /* First handle some special pseudo confs */
|
|
|
bf760f |
-
|
|
|
bf760f |
- /* Override provider name to use */
|
|
|
bf760f |
- if (strcmp(confname, "identity") == 0)
|
|
|
bf760f |
- name = confvalue;
|
|
|
bf760f |
- else if (strcmp(confname, "soft_load") == 0)
|
|
|
bf760f |
- soft = 1;
|
|
|
bf760f |
- /* Load a dynamic PROVIDER */
|
|
|
bf760f |
- else if (strcmp(confname, "module") == 0)
|
|
|
bf760f |
- path = confvalue;
|
|
|
bf760f |
- else if (strcmp(confname, "activate") == 0)
|
|
|
bf760f |
- activate = 1;
|
|
|
bf760f |
- }
|
|
|
bf760f |
-
|
|
|
bf760f |
- if (activate) {
|
|
|
bf760f |
- PROVIDER_CONF_GLOBAL *pcgbl
|
|
|
bf760f |
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
|
|
bf760f |
- &provider_conf_ossl_ctx_method);
|
|
|
bf760f |
+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
|
|
bf760f |
+ PROVIDER_CONF_GLOBAL *pcgbl
|
|
|
bf760f |
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
|
|
bf760f |
+ &provider_conf_ossl_ctx_method);
|
|
|
bf760f |
|
|
|
bf760f |
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
|
|
bf760f |
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
|
|
bf760f |
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
|
|
bf760f |
return 0;
|
|
|
bf760f |
}
|
|
|
bf760f |
if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
|
|
bf760f |
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
|
|
|
bf760f |
if (path != NULL)
|
|
|
bf760f |
ossl_provider_set_module_path(prov, path);
|
|
|
bf760f |
|
|
|
bf760f |
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
|
|
bf760f |
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
|
|
bf760f |
|
|
|
bf760f |
if (ok) {
|
|
|
bf760f |
if (!ossl_provider_activate(prov, 1, 0)) {
|
|
|
727bdf |
@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
|
|
|
727bdf |
}
|
|
|
727bdf |
if (!ok)
|
|
|
bf760f |
ossl_provider_free(prov);
|
|
|
727bdf |
+ } else { /* No reason to activate the provider twice, returning OK */
|
|
|
727bdf |
+ ok = 1;
|
|
|
bf760f |
}
|
|
|
bf760f |
CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
|
bf760f |
+ return ok;
|
|
|
bf760f |
+}
|
|
|
bf760f |
+
|
|
|
bf760f |
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
|
|
bf760f |
+ const char *value, const CONF *cnf)
|
|
|
bf760f |
+{
|
|
|
bf760f |
+ int i;
|
|
|
bf760f |
+ STACK_OF(CONF_VALUE) *ecmds;
|
|
|
bf760f |
+ int soft = 0;
|
|
|
bf760f |
+ const char *path = NULL;
|
|
|
bf760f |
+ long activate = 0;
|
|
|
bf760f |
+ int ok = 0;
|
|
|
bf760f |
+
|
|
|
bf760f |
+ name = skip_dot(name);
|
|
|
bf760f |
+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
|
|
bf760f |
+ /* Value is a section containing PROVIDER commands */
|
|
|
bf760f |
+ ecmds = NCONF_get_section(cnf, value);
|
|
|
bf760f |
+
|
|
|
bf760f |
+ if (!ecmds) {
|
|
|
bf760f |
+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
|
|
bf760f |
+ "section=%s not found", value);
|
|
|
bf760f |
+ return 0;
|
|
|
bf760f |
+ }
|
|
|
bf760f |
+
|
|
|
bf760f |
+ /* Find the needed data first */
|
|
|
bf760f |
+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
|
|
bf760f |
+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
|
|
bf760f |
+ const char *confname = skip_dot(ecmd->name);
|
|
|
bf760f |
+ const char *confvalue = ecmd->value;
|
|
|
bf760f |
+
|
|
|
bf760f |
+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
|
|
bf760f |
+ confname, confvalue);
|
|
|
bf760f |
+
|
|
|
bf760f |
+ /* First handle some special pseudo confs */
|
|
|
bf760f |
+
|
|
|
bf760f |
+ /* Override provider name to use */
|
|
|
bf760f |
+ if (strcmp(confname, "identity") == 0)
|
|
|
bf760f |
+ name = confvalue;
|
|
|
bf760f |
+ else if (strcmp(confname, "soft_load") == 0)
|
|
|
bf760f |
+ soft = 1;
|
|
|
bf760f |
+ /* Load a dynamic PROVIDER */
|
|
|
bf760f |
+ else if (strcmp(confname, "module") == 0)
|
|
|
bf760f |
+ path = confvalue;
|
|
|
bf760f |
+ else if (strcmp(confname, "activate") == 0)
|
|
|
bf760f |
+ activate = 1;
|
|
|
bf760f |
+ }
|
|
|
bf760f |
+
|
|
|
bf760f |
+ if (activate) {
|
|
|
bf760f |
+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
|
|
|
bf760f |
} else {
|
|
|
bf760f |
OSSL_PROVIDER_INFO entry;
|
|
|
bf760f |
|
|
|
727bdf |
@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU
|
|
|
bf760f |
return 0;
|
|
|
bf760f |
}
|
|
|
bf760f |
|
|
|
bf760f |
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
|
|
|
bf760f |
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
|
|
|
bf760f |
+ PROVIDER_CONF_GLOBAL *pcgbl
|
|
|
bf760f |
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
|
|
bf760f |
+ &provider_conf_ossl_ctx_method);
|
|
|
bf760f |
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
|
|
bf760f |
+ return 0;
|
|
|
bf760f |
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
|
|
bf760f |
+ return 0;
|
|
|
bf760f |
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
|
|
bf760f |
+ return 0;
|
|
|
bf760f |
+ }
|
|
|
bf760f |
+
|
|
|
bf760f |
return 1;
|
|
|
bf760f |
}
|
|
|
bf760f |
|