xref: /openssl/crypto/engine/eng_dyn.c (revision e077455e)
1 /*
2  * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some engine deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include "eng_local.h"
14 #include "internal/dso.h"
15 #include <openssl/crypto.h>
16 
17 /*
18  * Shared libraries implementing ENGINEs for use by the "dynamic" ENGINE
19  * loader should implement the hook-up functions with the following
20  * prototypes.
21  */
22 
23 /* Our ENGINE handlers */
24 static int dynamic_init(ENGINE *e);
25 static int dynamic_finish(ENGINE *e);
26 static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p,
27                         void (*f) (void));
28 /* Predeclare our context type */
29 typedef struct st_dynamic_data_ctx dynamic_data_ctx;
30 /* The implementation for the important control command */
31 static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);
32 
33 #define DYNAMIC_CMD_SO_PATH             ENGINE_CMD_BASE
34 #define DYNAMIC_CMD_NO_VCHECK           (ENGINE_CMD_BASE + 1)
35 #define DYNAMIC_CMD_ID                  (ENGINE_CMD_BASE + 2)
36 #define DYNAMIC_CMD_LIST_ADD            (ENGINE_CMD_BASE + 3)
37 #define DYNAMIC_CMD_DIR_LOAD            (ENGINE_CMD_BASE + 4)
38 #define DYNAMIC_CMD_DIR_ADD             (ENGINE_CMD_BASE + 5)
39 #define DYNAMIC_CMD_LOAD                (ENGINE_CMD_BASE + 6)
40 
41 /* The constants used when creating the ENGINE */
42 static const char *engine_dynamic_id = "dynamic";
43 static const char *engine_dynamic_name = "Dynamic engine loading support";
44 static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
45     {DYNAMIC_CMD_SO_PATH,
46      "SO_PATH",
47      "Specifies the path to the new ENGINE shared library",
48      ENGINE_CMD_FLAG_STRING},
49     {DYNAMIC_CMD_NO_VCHECK,
50      "NO_VCHECK",
51      "Specifies to continue even if version checking fails (boolean)",
52      ENGINE_CMD_FLAG_NUMERIC},
53     {DYNAMIC_CMD_ID,
54      "ID",
55      "Specifies an ENGINE id name for loading",
56      ENGINE_CMD_FLAG_STRING},
57     {DYNAMIC_CMD_LIST_ADD,
58      "LIST_ADD",
59      "Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
60      ENGINE_CMD_FLAG_NUMERIC},
61     {DYNAMIC_CMD_DIR_LOAD,
62      "DIR_LOAD",
63      "Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)",
64      ENGINE_CMD_FLAG_NUMERIC},
65     {DYNAMIC_CMD_DIR_ADD,
66      "DIR_ADD",
67      "Adds a directory from which ENGINEs can be loaded",
68      ENGINE_CMD_FLAG_STRING},
69     {DYNAMIC_CMD_LOAD,
70      "LOAD",
71      "Load up the ENGINE specified by other settings",
72      ENGINE_CMD_FLAG_NO_INPUT},
73     {0, NULL, NULL, 0}
74 };
75 
76 /*
77  * Loading code stores state inside the ENGINE structure via the "ex_data"
78  * element. We load all our state into a single structure and use that as a
79  * single context in the "ex_data" stack.
80  */
81 struct st_dynamic_data_ctx {
82     /* The DSO object we load that supplies the ENGINE code */
83     DSO *dynamic_dso;
84     /*
85      * The function pointer to the version checking shared library function
86      */
87     dynamic_v_check_fn v_check;
88     /*
89      * The function pointer to the engine-binding shared library function
90      */
91     dynamic_bind_engine bind_engine;
92     /* The default name/path for loading the shared library */
93     char *DYNAMIC_LIBNAME;
94     /* Whether to continue loading on a version check failure */
95     int no_vcheck;
96     /* If non-NULL, stipulates the 'id' of the ENGINE to be loaded */
97     char *engine_id;
98     /*
99      * If non-zero, a successfully loaded ENGINE should be added to the
100      * internal ENGINE list. If 2, the add must succeed or the entire load
101      * should fail.
102      */
103     int list_add_value;
104     /* The symbol name for the version checking function */
105     const char *DYNAMIC_F1;
106     /* The symbol name for the "initialise ENGINE structure" function */
107     const char *DYNAMIC_F2;
108     /*
109      * Whether to never use 'dirs', use 'dirs' as a fallback, or only use
110      * 'dirs' for loading. Default is to use 'dirs' as a fallback.
111      */
112     int dir_load;
113     /* A stack of directories from which ENGINEs could be loaded */
114     STACK_OF(OPENSSL_STRING) *dirs;
115 };
116 
117 /*
118  * This is the "ex_data" index we obtain and reserve for use with our context
119  * structure.
120  */
121 static int dynamic_ex_data_idx = -1;
122 
int_free_str(char * s)123 static void int_free_str(char *s)
124 {
125     OPENSSL_free(s);
126 }
127 
128 /*
129  * Because our ex_data element may or may not get allocated depending on
130  * whether a "first-use" occurs before the ENGINE is freed, we have a memory
131  * leak problem to solve. We can't declare a "new" handler for the ex_data as
132  * we don't want a dynamic_data_ctx in *all* ENGINE structures of all types
133  * (this is a bug in the design of CRYPTO_EX_DATA). As such, we just declare
134  * a "free" handler and that will get called if an ENGINE is being destroyed
135  * and there was an ex_data element corresponding to our context type.
136  */
dynamic_data_ctx_free_func(void * parent,void * ptr,CRYPTO_EX_DATA * ad,int idx,long argl,void * argp)137 static void dynamic_data_ctx_free_func(void *parent, void *ptr,
138                                        CRYPTO_EX_DATA *ad, int idx, long argl,
139                                        void *argp)
140 {
141     if (ptr) {
142         dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
143         DSO_free(ctx->dynamic_dso);
144         OPENSSL_free(ctx->DYNAMIC_LIBNAME);
145         OPENSSL_free(ctx->engine_id);
146         sk_OPENSSL_STRING_pop_free(ctx->dirs, int_free_str);
147         OPENSSL_free(ctx);
148     }
149 }
150 
151 /*
152  * Construct the per-ENGINE context. We create it blindly and then use a lock
153  * to check for a race - if so, all but one of the threads "racing" will have
154  * wasted their time. The alternative involves creating everything inside the
155  * lock which is far worse.
156  */
dynamic_set_data_ctx(ENGINE * e,dynamic_data_ctx ** ctx)157 static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
158 {
159     dynamic_data_ctx *c = OPENSSL_zalloc(sizeof(*c));
160     int ret = 0;
161 
162     if (c == NULL)
163         return 0;
164     c->dirs = sk_OPENSSL_STRING_new_null();
165     if (c->dirs == NULL) {
166         ERR_raise(ERR_LIB_ENGINE, ERR_R_CRYPTO_LIB);
167         goto end;
168     }
169     c->DYNAMIC_F1 = "v_check";
170     c->DYNAMIC_F2 = "bind_engine";
171     c->dir_load = 1;
172     if (!CRYPTO_THREAD_write_lock(global_engine_lock))
173         goto end;
174     if ((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
175                                                        dynamic_ex_data_idx))
176         == NULL) {
177         /* Good, we're the first */
178         ret = ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
179         if (ret) {
180             *ctx = c;
181             c = NULL;
182         }
183     }
184     CRYPTO_THREAD_unlock(global_engine_lock);
185     ret = 1;
186     /*
187      * If we lost the race to set the context, c is non-NULL and *ctx is the
188      * context of the thread that won.
189      */
190 end:
191     if (c != NULL)
192         sk_OPENSSL_STRING_free(c->dirs);
193     OPENSSL_free(c);
194     return ret;
195 }
196 
197 /*
198  * This function retrieves the context structure from an ENGINE's "ex_data",
199  * or if it doesn't exist yet, sets it up.
200  */
dynamic_get_data_ctx(ENGINE * e)201 static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
202 {
203     dynamic_data_ctx *ctx;
204     if (dynamic_ex_data_idx < 0) {
205         /*
206          * Create and register the ENGINE ex_data, and associate our "free"
207          * function with it to ensure any allocated contexts get freed when
208          * an ENGINE goes underground.
209          */
210         int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
211                                               dynamic_data_ctx_free_func);
212         if (new_idx == -1) {
213             ERR_raise(ERR_LIB_ENGINE, ENGINE_R_NO_INDEX);
214             return NULL;
215         }
216         if (!CRYPTO_THREAD_write_lock(global_engine_lock))
217             return NULL;
218         /* Avoid a race by checking again inside this lock */
219         if (dynamic_ex_data_idx < 0) {
220             /* Good, someone didn't beat us to it */
221             dynamic_ex_data_idx = new_idx;
222             new_idx = -1;
223         }
224         CRYPTO_THREAD_unlock(global_engine_lock);
225         /*
226          * In theory we could "give back" the index here if (new_idx>-1), but
227          * it's not possible and wouldn't gain us much if it were.
228          */
229     }
230     ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
231     /* Check if the context needs to be created */
232     if ((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
233         /* "set_data" will set errors if necessary */
234         return NULL;
235     return ctx;
236 }
237 
engine_dynamic(void)238 static ENGINE *engine_dynamic(void)
239 {
240     ENGINE *ret = ENGINE_new();
241     if (ret == NULL)
242         return NULL;
243     if (!ENGINE_set_id(ret, engine_dynamic_id) ||
244         !ENGINE_set_name(ret, engine_dynamic_name) ||
245         !ENGINE_set_init_function(ret, dynamic_init) ||
246         !ENGINE_set_finish_function(ret, dynamic_finish) ||
247         !ENGINE_set_ctrl_function(ret, dynamic_ctrl) ||
248         !ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) ||
249         !ENGINE_set_cmd_defns(ret, dynamic_cmd_defns)) {
250         ENGINE_free(ret);
251         return NULL;
252     }
253     return ret;
254 }
255 
engine_load_dynamic_int(void)256 void engine_load_dynamic_int(void)
257 {
258     ENGINE *toadd = engine_dynamic();
259     if (!toadd)
260         return;
261 
262     ERR_set_mark();
263     ENGINE_add(toadd);
264     /*
265      * If the "add" worked, it gets a structural reference. So either way, we
266      * release our just-created reference.
267      */
268     ENGINE_free(toadd);
269     /*
270      * If the "add" didn't work, it was probably a conflict because it was
271      * already added (eg. someone calling ENGINE_load_blah then calling
272      * ENGINE_load_builtin_engines() perhaps).
273      */
274     ERR_pop_to_mark();
275 }
276 
dynamic_init(ENGINE * e)277 static int dynamic_init(ENGINE *e)
278 {
279     /*
280      * We always return failure - the "dynamic" engine itself can't be used
281      * for anything.
282      */
283     return 0;
284 }
285 
dynamic_finish(ENGINE * e)286 static int dynamic_finish(ENGINE *e)
287 {
288     /*
289      * This should never be called on account of "dynamic_init" always
290      * failing.
291      */
292     return 0;
293 }
294 
dynamic_ctrl(ENGINE * e,int cmd,long i,void * p,void (* f)(void))295 static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
296 {
297     dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);
298     int initialised;
299 
300     if (!ctx) {
301         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_NOT_LOADED);
302         return 0;
303     }
304     initialised = ((ctx->dynamic_dso == NULL) ? 0 : 1);
305     /* All our control commands require the ENGINE to be uninitialised */
306     if (initialised) {
307         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_ALREADY_LOADED);
308         return 0;
309     }
310     switch (cmd) {
311     case DYNAMIC_CMD_SO_PATH:
312         /* a NULL 'p' or a string of zero-length is the same thing */
313         if (p && (strlen((const char *)p) < 1))
314             p = NULL;
315         OPENSSL_free(ctx->DYNAMIC_LIBNAME);
316         if (p)
317             ctx->DYNAMIC_LIBNAME = OPENSSL_strdup(p);
318         else
319             ctx->DYNAMIC_LIBNAME = NULL;
320         return (ctx->DYNAMIC_LIBNAME ? 1 : 0);
321     case DYNAMIC_CMD_NO_VCHECK:
322         ctx->no_vcheck = ((i == 0) ? 0 : 1);
323         return 1;
324     case DYNAMIC_CMD_ID:
325         /* a NULL 'p' or a string of zero-length is the same thing */
326         if (p && (strlen((const char *)p) < 1))
327             p = NULL;
328         OPENSSL_free(ctx->engine_id);
329         if (p)
330             ctx->engine_id = OPENSSL_strdup(p);
331         else
332             ctx->engine_id = NULL;
333         return (ctx->engine_id ? 1 : 0);
334     case DYNAMIC_CMD_LIST_ADD:
335         if ((i < 0) || (i > 2)) {
336             ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INVALID_ARGUMENT);
337             return 0;
338         }
339         ctx->list_add_value = (int)i;
340         return 1;
341     case DYNAMIC_CMD_LOAD:
342         return dynamic_load(e, ctx);
343     case DYNAMIC_CMD_DIR_LOAD:
344         if ((i < 0) || (i > 2)) {
345             ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INVALID_ARGUMENT);
346             return 0;
347         }
348         ctx->dir_load = (int)i;
349         return 1;
350     case DYNAMIC_CMD_DIR_ADD:
351         /* a NULL 'p' or a string of zero-length is the same thing */
352         if (p == NULL || (strlen((const char *)p) < 1)) {
353             ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INVALID_ARGUMENT);
354             return 0;
355         }
356         {
357             char *tmp_str = OPENSSL_strdup(p);
358             if (tmp_str == NULL)
359                 return 0;
360             if (!sk_OPENSSL_STRING_push(ctx->dirs, tmp_str)) {
361                 OPENSSL_free(tmp_str);
362                 ERR_raise(ERR_LIB_ENGINE, ERR_R_CRYPTO_LIB);
363                 return 0;
364             }
365         }
366         return 1;
367     default:
368         break;
369     }
370     ERR_raise(ERR_LIB_ENGINE, ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
371     return 0;
372 }
373 
int_load(dynamic_data_ctx * ctx)374 static int int_load(dynamic_data_ctx *ctx)
375 {
376     int num, loop;
377     /* Unless told not to, try a direct load */
378     if ((ctx->dir_load != 2) && (DSO_load(ctx->dynamic_dso,
379                                           ctx->DYNAMIC_LIBNAME, NULL,
380                                           0)) != NULL)
381         return 1;
382     /* If we're not allowed to use 'dirs' or we have none, fail */
383     if (!ctx->dir_load || (num = sk_OPENSSL_STRING_num(ctx->dirs)) < 1)
384         return 0;
385     for (loop = 0; loop < num; loop++) {
386         const char *s = sk_OPENSSL_STRING_value(ctx->dirs, loop);
387         char *merge = DSO_merge(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, s);
388         if (!merge)
389             return 0;
390         if (DSO_load(ctx->dynamic_dso, merge, NULL, 0)) {
391             /* Found what we're looking for */
392             OPENSSL_free(merge);
393             return 1;
394         }
395         OPENSSL_free(merge);
396     }
397     return 0;
398 }
399 
400 /*
401  * Unfortunately the version checker does not distinguish between
402  * engines built for openssl 1.1.x and openssl 3.x, but loading
403  * an engine that is built for openssl 1.1.x will cause a fatal
404  * error.  Detect such engines, since EVP_PKEY_base_id is exported
405  * as a function in openssl 1.1.x, while it is named EVP_PKEY_get_base_id
406  * in openssl 3.x.  Therefore we take the presence of that symbol
407  * as an indication that the engine will be incompatible.
408  */
using_libcrypto_11(dynamic_data_ctx * ctx)409 static int using_libcrypto_11(dynamic_data_ctx *ctx)
410 {
411     int ret;
412 
413     ERR_set_mark();
414     ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_base_id") != NULL;
415     ERR_pop_to_mark();
416 
417     return ret;
418 }
419 
dynamic_load(ENGINE * e,dynamic_data_ctx * ctx)420 static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
421 {
422     ENGINE cpy;
423     dynamic_fns fns;
424 
425     if (ctx->dynamic_dso == NULL)
426         ctx->dynamic_dso = DSO_new();
427     if (ctx->dynamic_dso == NULL)
428         return 0;
429     if (!ctx->DYNAMIC_LIBNAME) {
430         if (!ctx->engine_id)
431             return 0;
432         DSO_ctrl(ctx->dynamic_dso, DSO_CTRL_SET_FLAGS,
433                  DSO_FLAG_NAME_TRANSLATION_EXT_ONLY, NULL);
434         ctx->DYNAMIC_LIBNAME =
435             DSO_convert_filename(ctx->dynamic_dso, ctx->engine_id);
436     }
437     if (!int_load(ctx)) {
438         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_DSO_NOT_FOUND);
439         DSO_free(ctx->dynamic_dso);
440         ctx->dynamic_dso = NULL;
441         return 0;
442     }
443     /* We have to find a bind function otherwise it'll always end badly */
444     if (!
445         (ctx->bind_engine =
446          (dynamic_bind_engine) DSO_bind_func(ctx->dynamic_dso,
447                                              ctx->DYNAMIC_F2))) {
448         ctx->bind_engine = NULL;
449         DSO_free(ctx->dynamic_dso);
450         ctx->dynamic_dso = NULL;
451         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_DSO_FAILURE);
452         return 0;
453     }
454     /* Do we perform version checking? */
455     if (!ctx->no_vcheck) {
456         unsigned long vcheck_res = 0;
457         /*
458          * Now we try to find a version checking function and decide how to
459          * cope with failure if/when it fails.
460          */
461         ctx->v_check =
462             (dynamic_v_check_fn) DSO_bind_func(ctx->dynamic_dso,
463                                                ctx->DYNAMIC_F1);
464         if (ctx->v_check)
465             vcheck_res = ctx->v_check(OSSL_DYNAMIC_VERSION);
466         /*
467          * We fail if the version checker veto'd the load *or* if it is
468          * deferring to us (by returning its version) and we think it is too
469          * old. Also fail if this is engine for openssl 1.1.x.
470          */
471         if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_11(ctx)) {
472             /* Fail */
473             ctx->bind_engine = NULL;
474             ctx->v_check = NULL;
475             DSO_free(ctx->dynamic_dso);
476             ctx->dynamic_dso = NULL;
477             ERR_raise(ERR_LIB_ENGINE, ENGINE_R_VERSION_INCOMPATIBILITY);
478             return 0;
479         }
480     }
481     /*
482      * First binary copy the ENGINE structure so that we can roll back if the
483      * hand-over fails
484      */
485     memcpy(&cpy, e, sizeof(ENGINE));
486     /*
487      * Provide the ERR, "ex_data", memory, and locking callbacks so the
488      * loaded library uses our state rather than its own. FIXME: As noted in
489      * engine.h, much of this would be simplified if each area of code
490      * provided its own "summary" structure of all related callbacks. It
491      * would also increase opaqueness.
492      */
493     fns.static_state = ENGINE_get_static_state();
494     CRYPTO_get_mem_functions(&fns.mem_fns.malloc_fn, &fns.mem_fns.realloc_fn,
495                              &fns.mem_fns.free_fn);
496     /*
497      * Now that we've loaded the dynamic engine, make sure no "dynamic"
498      * ENGINE elements will show through.
499      */
500     engine_set_all_null(e);
501 
502     /* Try to bind the ENGINE onto our own ENGINE structure */
503     if (!engine_add_dynamic_id(e, (ENGINE_DYNAMIC_ID)ctx->bind_engine, 1)
504             || !ctx->bind_engine(e, ctx->engine_id, &fns)) {
505         engine_remove_dynamic_id(e, 1);
506         ctx->bind_engine = NULL;
507         ctx->v_check = NULL;
508         DSO_free(ctx->dynamic_dso);
509         ctx->dynamic_dso = NULL;
510         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INIT_FAILED);
511         /* Copy the original ENGINE structure back */
512         memcpy(e, &cpy, sizeof(ENGINE));
513         return 0;
514     }
515     /* Do we try to add this ENGINE to the internal list too? */
516     if (ctx->list_add_value > 0) {
517         if (!ENGINE_add(e)) {
518             /* Do we tolerate this or fail? */
519             if (ctx->list_add_value > 1) {
520                 /*
521                  * Fail - NB: By this time, it's too late to rollback, and
522                  * trying to do so allows the bind_engine() code to have
523                  * created leaks. We just have to fail where we are, after
524                  * the ENGINE has changed.
525                  */
526                 ERR_raise(ERR_LIB_ENGINE, ENGINE_R_CONFLICTING_ENGINE_ID);
527                 return 0;
528             }
529             /* Tolerate */
530             ERR_clear_error();
531         }
532     }
533     return 1;
534 }
535