Initial ENGINE config module, docs to follow. Fix buffer overrun errors in OPENSSL_conf().

c9501c22 · Dr. Stephen Henson · 9dd5ae65 · c9501c22 · c9501c22 · c9501c22
9 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,9 @@
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only

+  +) Prelminary ENGINE config module.
+     [Steve Henson]
+
  *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
     ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
     variable as an indication that a ClientHello message has been

--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -188,6 +188,8 @@ void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags);
 void *CONF_module_get_usr_data(CONF_MODULE *pmod);
 void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data);

+char *CONF_get1_default_config_file(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.

--- a/crypto/conf/conf_mall.c
+++ b/crypto/conf/conf_mall.c
@@ -63,11 +63,13 @@
 #include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#include <openssl/engine.h>

 void OPENSSL_load_builtin_modules(void)
 	{
 	/* Add builtin modules here */
 	ASN1_add_oid_module();
+	ENGINE_add_conf_module();
 	}

 /* This is the automatic configuration loader: it is called automatically by
@@ -77,32 +79,24 @@ void OPENSSL_load_builtin_modules(void)

 static int openssl_configured = 0;

-#if 0 /* Disabled because of obvious buffer overflow.
-       * This is not yet actually used anywhere -- but it shouldn't
-       * unless it is fixed first. */
 void OPENSSL_config(void)
 	{
-	char *file, config_name[256];
+	int ret;
+	char *file;
 	if (openssl_configured)
 		return;

 	OPENSSL_load_builtin_modules();

-	file = getenv("OPENSSL_CONF");
+	file = CONF_get1_default_config_file();
 	if (!file)
-                {
-		strcpy(config_name,X509_get_default_cert_area());
-#ifndef OPENSSL_SYS_VMS
-		strcat(config_name,"/");
-#endif
-		strcat(config_name,OPENSSL_CONF);
-		file=config_name;
-                }
+		return;

-	if(CONF_modules_load_file(file, "openssl_config", 0) <= 0)
+	ret = CONF_modules_load_file(file, "openssl_config", 0);
+	OPENSSL_free(file);
+	if (ret <= 0)
 		{
 		BIO *bio_err;
-
 		ERR_load_crypto_strings();
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			{
@@ -116,7 +110,6 @@ void OPENSSL_config(void)
 	return;

 	}
-#endif

 void OPENSSL_no_config()
 	{

--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -520,3 +520,32 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
 	pmod->usr_data = usr_data;
 	}

+/* Return default config file name */
+
+char *CONF_get1_default_config_file(void)
+	{
+	char *file;
+	int len;
+
+	file = getenv("OPENSSL_CONF");
+	if (file) 
+		return BUF_strdup(file);
+
+	len = strlen(X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+	len++;
+#endif
+	len += strlen(OPENSSL_CONF);
+
+	file = OPENSSL_malloc(len + 1);
+
+	if (!file)
+		return NULL;
+	strcpy(file,X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+	strcat(file,"/");
+#endif
+	strcat(file,OPENSSL_CONF);
+
+	return file;
+	}
--- a/crypto/engine/Makefile.ssl
+++ b/crypto/engine/Makefile.ssl
@@ -26,13 +26,13 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC= eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c \
 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
 	tb_rsa.c tb_dsa.c tb_dh.c tb_rand.c tb_cipher.c tb_digest.c \
-	eng_openssl.c eng_dyn.c \
+	eng_openssl.c eng_dyn.c eng_cnf.c \
 	hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c \
 	hw_openbsd_dev_crypto.c
 LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
 	tb_rsa.o tb_dsa.o tb_dh.o tb_rand.o tb_cipher.o tb_digest.o \
-	eng_openssl.o eng_dyn.o \
+	eng_openssl.o eng_dyn.o eng_cnf.o \
 	hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o \
 	hw_openbsd_dev_crypto.o


--- a/crypto/engine/eng_cnf.c
+++ b/crypto/engine/eng_cnf.c
+/* eng_cnf.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+/* #define ENGINE_CONF_DEBUG */
+
+/* ENGINE config module */
+
+static char *skip_dot(char *name)
+	{
+	char *p;
+	p = strchr(name, '.');
+	if (p)
+		return p + 1;
+	return name;
+	}
+
+int int_engine_configure(char *name, char *value, const CONF *cnf)
+	{
+	int i;
+	int ret = 0;
+	STACK_OF(CONF_VALUE) *ecmds;
+	CONF_VALUE *ecmd;
+	char *ctrlname, *ctrlvalue;
+	ENGINE *e = NULL;
+	name = skip_dot(name);
+#ifdef ENGINE_CONF_DEBUG
+	fprintf(stderr, "Configuring engine %s\n", name);
+#endif
+	/* Value is a section containing ENGINE commands */
+	ecmds = NCONF_get_section(cnf, value);
+
+	if (!ecmds)
+		{
+		ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_SECTION_ERROR);
+		return 0;
+		}
+
+	for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++)
+		{
+		ecmd = sk_CONF_VALUE_value(ecmds, i);
+		ctrlname = skip_dot(ecmd->name);
+		ctrlvalue = ecmd->value;
+#ifdef ENGINE_CONF_DEBUG
+	fprintf(stderr, "ENGINE conf: doing ctrl(%s,%s)\n", ctrlname, ctrlvalue);
+#endif
+
+		/* First handle some special pseudo ctrls */
+
+		/* Override engine name to use */
+		if (!strcmp(ctrlname, "engine_id"))
+			name = ctrlvalue;
+		/* Load a dynamic ENGINE */
+		else if (!strcmp(ctrlname, "dynamic_path"))
+			{
+			e = ENGINE_by_id("dynamic");
+			if (!e)
+				goto err;
+			if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", ctrlvalue, 0))
+				goto err;
+			if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
+				goto err;
+			}
+		/* ... add other pseudos here ... */
+		else
+			{
+			/* At this point we need an ENGINE structural reference
+			 * if we don't already have one.
+			 */
+			if (!e)
+				{
+				e = ENGINE_by_id(name);
+				if (!e)
+					return 0;
+				}
+			/* Allow "EMPTY" to mean no value: this allows a valid
+			 * "value" to be passed to ctrls of type NO_INPUT
+		 	 */
+			if (!strcmp(ctrlvalue, "EMPTY"))
+				ctrlvalue = NULL;
+			if (!ENGINE_ctrl_cmd_string(e,
+					ctrlname, ctrlvalue, 0))
+				return 0;
+			}
+
+
+		}
+	ret = 1;
+	err:
+	if (e)
+		ENGINE_free(e);
+	return ret;
+	}
+	
+
+static int int_engine_module_init(CONF_IMODULE *md, const CONF *cnf)
+	{
+	STACK_OF(CONF_VALUE) *elist;
+	CONF_VALUE *cval;
+	int i;
+#ifdef ENGINE_CONF_DEBUG
+	fprintf(stderr, "Called engine module: name %s, value %s\n",
+			CONF_imodule_get_name(md), CONF_imodule_get_value(md));
+#endif
+	/* Value is a section containing ENGINEs to configure */
+	elist = NCONF_get_section(cnf, CONF_imodule_get_value(md));
+
+	if (!elist)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_MODULE_INIT, ENGINE_R_ENGINES_SECTION_ERROR);
+		return 0;
+		}
+
+	for (i = 0; i < sk_CONF_VALUE_num(elist); i++)
+		{
+		cval = sk_CONF_VALUE_value(elist, i);
+		if (!int_engine_configure(cval->name, cval->value, cnf))
+			return 0;
+		}
+
+	return 1;
+	}
+
+void ENGINE_add_conf_module(void)
+	{
+	CONF_module_add("engines", int_engine_module_init, 0);
+	}
--- a/crypto/engine/eng_err.c
+++ b/crypto/engine/eng_err.c
@@ -87,6 +87,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),	"ENGINE_LIST_REMOVE"},
 {ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),	"ENGINE_load_private_key"},
 {ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0),	"ENGINE_load_public_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),	"ENGINE_MODULE_INIT"},
 {ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),	"ENGINE_new"},
 {ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),	"ENGINE_remove"},
 {ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),	"ENGINE_SET_DEFAULT_TYPE"},
@@ -95,6 +96,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),	"ENGINE_TABLE_REGISTER"},
 {ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),	"ENGINE_UNLOAD_KEY"},
 {ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),	"INT_CTRL_HELPER"},
+{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),	"INT_ENGINE_CONFIGURE"},
 {ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),	"LOG_MESSAGE"},
 {ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),	"SET_DATA_CTX"},
 {0,NULL}
@@ -118,7 +120,9 @@ static ERR_STRING_DATA ENGINE_str_reasons[]=
 {ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
 {ENGINE_R_DSO_FUNCTION_NOT_FOUND         ,"dso function not found"},
 {ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
+{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
 {ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
+{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
 {ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
 {ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
 {ENGINE_R_FINISH_FAILED                  ,"finish failed"},

--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -374,7 +374,10 @@ ENGINE *ENGINE_by_id(const char *id)
 		}
 	CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
 	if(iterator == NULL)
+		{
 		ENGINEerr(ENGINE_F_ENGINE_BY_ID,
 			ENGINE_R_NO_SUCH_ENGINE);
+		ERR_add_error_data(2, "id=", id);
+		}
 	return iterator;
 	}
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -517,6 +517,8 @@ int ENGINE_set_default_digests(ENGINE *e);
 * selective functions. */
 int ENGINE_set_default(ENGINE *e, unsigned int flags);

+void ENGINE_add_conf_module(void);
+
 /* Deprecated functions ... */
 /* int ENGINE_clear_defaults(void); */

@@ -622,7 +624,6 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
 * made after this point may be overwritten when the script is next run.
 */
 void ERR_load_ENGINE_strings(void);
-
 /* Error codes for the ENGINE functions. */

 /* Function codes. */
@@ -647,6 +648,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_LIST_REMOVE			 121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY		 150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY			 151
+#define ENGINE_F_ENGINE_MODULE_INIT			 187
 #define ENGINE_F_ENGINE_NEW				 122
 #define ENGINE_F_ENGINE_REMOVE				 123
 #define ENGINE_F_ENGINE_SET_DEFAULT_TYPE		 126
@@ -655,6 +657,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_TABLE_REGISTER			 184
 #define ENGINE_F_ENGINE_UNLOAD_KEY			 152
 #define ENGINE_F_INT_CTRL_HELPER			 172
+#define ENGINE_F_INT_ENGINE_CONFIGURE			 188
 #define ENGINE_F_LOG_MESSAGE				 141
 #define ENGINE_F_SET_DATA_CTX				 183

@@ -675,7 +678,9 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_R_DSO_FAILURE				 104
 #define ENGINE_R_DSO_FUNCTION_NOT_FOUND			 131
 #define ENGINE_R_DSO_NOT_FOUND				 132
+#define ENGINE_R_ENGINES_SECTION_ERROR			 148
 #define ENGINE_R_ENGINE_IS_NOT_IN_LIST			 105
+#define ENGINE_R_ENGINE_SECTION_ERROR			 149
 #define ENGINE_R_FAILED_LOADING_PRIVATE_KEY		 128
 #define ENGINE_R_FAILED_LOADING_PUBLIC_KEY		 129
 #define ENGINE_R_FINISH_FAILED				 106