/*
 * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* We need to use some engine deprecated APIs */
#define OPENSSL_SUPPRESS_DEPRECATED

#include "eng_local.h"
#include "internal/dso.h"
#include <openssl/crypto.h>

/*
 * The "dynamic" ENGINE is a loader: it maps a shared library into the
 * process with DSO_load() and hands the ENGINE structure over to the
 * library's bind function.  Shared libraries implementing ENGINEs for
 * use by this loader are expected to export the hook-up functions with
 * the prototypes declared in the engine headers.
 */

/* Our ENGINE handlers */
static int dynamic_init(ENGINE *e);
static int dynamic_finish(ENGINE *e);
static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p,
                        void (*f) (void));
/* Predeclare our context type */
typedef struct st_dynamic_data_ctx dynamic_data_ctx;
/* The implementation for the important control command */
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);

#define DYNAMIC_CMD_SO_PATH             ENGINE_CMD_BASE
#define DYNAMIC_CMD_NO_VCHECK           (ENGINE_CMD_BASE + 1)
#define DYNAMIC_CMD_ID                  (ENGINE_CMD_BASE + 2)
#define DYNAMIC_CMD_LIST_ADD            (ENGINE_CMD_BASE + 3)
#define DYNAMIC_CMD_DIR_LOAD            (ENGINE_CMD_BASE + 4)
#define DYNAMIC_CMD_DIR_ADD             (ENGINE_CMD_BASE + 5)
#define DYNAMIC_CMD_LOAD                (ENGINE_CMD_BASE + 6)

/* The constants used when creating the ENGINE */
static const char *engine_dynamic_id = "dynamic";
static const char *engine_dynamic_name = "Dynamic engine loading support";
/*
 * Control commands understood by dynamic_ctrl().  Every command except LOAD
 * only records a setting in the per-ENGINE context; LOAD is the one that
 * actually maps and binds the library.
 */
static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
    {DYNAMIC_CMD_SO_PATH,
     "SO_PATH",
     "Specifies the path to the new ENGINE shared library",
     ENGINE_CMD_FLAG_STRING},
    {DYNAMIC_CMD_NO_VCHECK,
     "NO_VCHECK",
     "Specifies to continue even if version checking fails (boolean)",
     ENGINE_CMD_FLAG_NUMERIC},
    {DYNAMIC_CMD_ID,
     "ID",
     "Specifies an ENGINE id name for loading",
     ENGINE_CMD_FLAG_STRING},
    {DYNAMIC_CMD_LIST_ADD,
     "LIST_ADD",
     "Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
     ENGINE_CMD_FLAG_NUMERIC},
    {DYNAMIC_CMD_DIR_LOAD,
     "DIR_LOAD",
     "Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)",
     ENGINE_CMD_FLAG_NUMERIC},
    {DYNAMIC_CMD_DIR_ADD,
     "DIR_ADD",
     "Adds a directory from which ENGINEs can be loaded",
     ENGINE_CMD_FLAG_STRING},
    {DYNAMIC_CMD_LOAD,
     "LOAD",
     "Load up the ENGINE specified by other settings",
     ENGINE_CMD_FLAG_NO_INPUT},
    {0, NULL, NULL, 0}
};

/*
 * Loading code stores state inside the ENGINE structure via the "ex_data"
 * element. We load all our state into a single structure and use that as a
 * single context in the "ex_data" stack.
 *
 * Note that DYNAMIC_LIBNAME and dirs together name the file that DSO_load()
 * maps into this process, and the symbols named by DYNAMIC_F1/DYNAMIC_F2 are
 * resolved from it and called; whoever supplies these settings (normally the
 * configuration file) therefore decides which code runs here.
 */
struct st_dynamic_data_ctx {
    /* The DSO object we load that supplies the ENGINE code */
    DSO *dynamic_dso;
    /*
     * The function pointer to the version checking shared library function
     */
    dynamic_v_check_fn v_check;
    /*
     * The function pointer to the engine-binding shared library function
     */
    dynamic_bind_engine bind_engine;
    /* The default name/path for loading the shared library */
    char *DYNAMIC_LIBNAME;
    /* Whether to continue loading on a version check failure */
    int no_vcheck;
    /* If non-NULL, stipulates the 'id' of the ENGINE to be loaded */
    char *engine_id;
    /*
     * If non-zero, a successfully loaded ENGINE should be added to the
     * internal ENGINE list. If 2, the add must succeed or the entire load
     * should fail.
     */
    int list_add_value;
    /* The symbol name for the version checking function */
    const char *DYNAMIC_F1;
    /* The symbol name for the "initialise ENGINE structure" function */
    const char *DYNAMIC_F2;
    /*
     * Whether to never use 'dirs', use 'dirs' as a fallback, or only use
     * 'dirs' for loading. Default is to use 'dirs' as a fallback.
     */
    int dir_load;
    /* A stack of directories from which ENGINEs could be loaded */
    STACK_OF(OPENSSL_STRING) *dirs;
};

/*
 * This is the "ex_data" index we obtain and reserve for use with our context
 * structure.
 */
static int dynamic_ex_data_idx = -1;

/* sk_OPENSSL_STRING_pop_free() callback: release one directory string. */
static void int_free_str(char *s)
{
    OPENSSL_free(s);
}

/*
 * Because our ex_data element may or may not get allocated depending on
 * whether a "first-use" occurs before the ENGINE is freed, we have a memory
 * leak problem to solve. We can't declare a "new" handler for the ex_data as
 * we don't want a dynamic_data_ctx in *all* ENGINE structures of all types
 * (this is a bug in the design of CRYPTO_EX_DATA). As such, we just declare
 * a "free" handler and that will get called if an ENGINE is being destroyed
 * and there was an ex_data element corresponding to our context type.
 *
 * Releases everything the context owns: the DSO handle, the two duplicated
 * strings and the directory stack.  ptr may be NULL when no context was
 * ever attached to the ENGINE.
 */
static void dynamic_data_ctx_free_func(void *parent, void *ptr,
                                       CRYPTO_EX_DATA *ad, int idx, long argl,
                                       void *argp)
{
    dynamic_data_ctx *ctx = ptr;

    if (ctx == NULL)
        return;
    DSO_free(ctx->dynamic_dso);
    OPENSSL_free(ctx->DYNAMIC_LIBNAME);
    OPENSSL_free(ctx->engine_id);
    sk_OPENSSL_STRING_pop_free(ctx->dirs, int_free_str);
    OPENSSL_free(ctx);
}

/*
 * Construct the per-ENGINE context. We create it blindly and then use a lock
 * to check for a race - if so, all but one of the threads "racing" will have
 * wasted their time. The alternative involves creating everything inside the
 * lock which is far worse.
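*/
/*
 * Allocate a fresh context, then attach it to e's ex_data under the global
 * engine lock unless another thread attached one first.
 *
 * On return *ctx points at the context now associated with e (ours or the
 * winner's).  Returns 1 on success and 0 on allocation, locking or
 * ENGINE_set_ex_data() failure; in the failure case nothing is attached and
 * the locally allocated context has been released.
 */
static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
{
    dynamic_data_ctx *c = OPENSSL_zalloc(sizeof(*c));
    int ret = 0;

    if (c == NULL) {
        ERR_raise(ERR_LIB_ENGINE, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    c->dirs = sk_OPENSSL_STRING_new_null();
    if (c->dirs == NULL) {
        ERR_raise(ERR_LIB_ENGINE, ERR_R_MALLOC_FAILURE);
        goto end;
    }
    c->DYNAMIC_F1 = "v_check";
    c->DYNAMIC_F2 = "bind_engine";
    c->dir_load = 1;
    if (!CRYPTO_THREAD_write_lock(global_engine_lock))
        goto end;
    if ((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
                                                       dynamic_ex_data_idx))
        == NULL) {
        /*
         * Good, we're the first.  ret stays 0 if ENGINE_set_ex_data()
         * fails, so that failure is reported rather than masked.
         */
        ret = ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
        if (ret) {
            *ctx = c;
            c = NULL;
        }
    } else {
        /*
         * We lost the race to set the context: *ctx is the context of the
         * thread that won, and our own copy (c) is released below.
         */
        ret = 1;
    }
    CRYPTO_THREAD_unlock(global_engine_lock);
 end:
    if (c != NULL)
        sk_OPENSSL_STRING_free(c->dirs);
    OPENSSL_free(c);
    return ret;
}

/*
 * This function retrieves the context structure from an ENGINE's "ex_data",
 * or if it doesn't exist yet, sets it up.
 *
 * The first call also reserves the ex_data index; a second check under the
 * global engine lock makes sure only one thread's index is kept.  Returns
 * NULL (with an error raised by this function or by dynamic_set_data_ctx())
 * if no context could be obtained.
 */
static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
{
    dynamic_data_ctx *ctx;

    if (dynamic_ex_data_idx < 0) {
        /*
         * Create and register the ENGINE ex_data, and associate our "free"
         * function with it to ensure any allocated contexts get freed when
         * an ENGINE goes underground.
         */
        int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
                                              dynamic_data_ctx_free_func);

        if (new_idx == -1) {
            ERR_raise(ERR_LIB_ENGINE, ENGINE_R_NO_INDEX);
            return NULL;
        }
        if (!CRYPTO_THREAD_write_lock(global_engine_lock))
            return NULL;
        /* Avoid a race by checking again inside this lock */
        if (dynamic_ex_data_idx < 0) {
            /* Good, someone didn't beat us to it */
            dynamic_ex_data_idx = new_idx;
            new_idx = -1;
        }
        CRYPTO_THREAD_unlock(global_engine_lock);
        /*
         * In theory we could "give back" the index here if (new_idx>-1), but
         * it's not possible and wouldn't gain us much if it were.
         */
    }
    ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
    /* Check if the context needs to be created */
    if ((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
        /* "set_data" will set errors if necessary */
        return NULL;
    return ctx;
}

/*
 * Create the "dynamic" ENGINE object itself: id, name, the three handlers
 * and the command table.  Returns NULL if any setter fails.
 */
static ENGINE *engine_dynamic(void)
{
    ENGINE *ret = ENGINE_new();

    if (ret == NULL)
        return NULL;
    if (!ENGINE_set_id(ret, engine_dynamic_id) ||
        !ENGINE_set_name(ret, engine_dynamic_name) ||
        !ENGINE_set_init_function(ret, dynamic_init) ||
        !ENGINE_set_finish_function(ret, dynamic_finish) ||
        !ENGINE_set_ctrl_function(ret, dynamic_ctrl) ||
        !ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) ||
        !ENGINE_set_cmd_defns(ret, dynamic_cmd_defns)) {
        ENGINE_free(ret);
        return NULL;
    }
    return ret;
}

/*
 * Register the "dynamic" ENGINE in the internal list.  Failure of the add
 * (typically because it is already registered) is deliberately swallowed.
 */
void engine_load_dynamic_int(void)
{
    ENGINE *toadd = engine_dynamic();

    if (!toadd)
        return;

    ERR_set_mark();
    ENGINE_add(toadd);
    /*
     * If the "add" worked, it gets a structural reference. So either way, we
     * release our just-created reference.
     */
    ENGINE_free(toadd);
    /*
     * If the "add" didn't work, it was probably a conflict because it was
     * already added (eg. someone calling ENGINE_load_blah then calling
     * ENGINE_load_builtin_engines() perhaps).
     */
    ERR_pop_to_mark();
}

static int dynamic_init(ENGINE *e)
{
    /*
     * We always return failure - the "dynamic" engine itself can't be used
     * for anything.
     */
    return 0;
}

static int dynamic_finish(ENGINE *e)
{
    /*
     * This should never be called on account of "dynamic_init" always
     * failing.
     */
    return 0;
}

/*
 * Replace the string owned by *dst with a copy of p.  A NULL p and an empty
 * string are treated the same: the setting is cleared.
 *
 * Returns 1 if *dst now holds a string and 0 if it is NULL, i.e. when the
 * setting was cleared or the copy could not be allocated (the latter raises
 * ERR_R_MALLOC_FAILURE).  Reporting a clear as 0 matches the original
 * behaviour of the SO_PATH and ID commands.
 */
static int dynamic_replace_string(char **dst, const void *p)
{
    const char *s = (const char *)p;

    if (s != NULL && *s == '\0')
        s = NULL;
    OPENSSL_free(*dst);
    *dst = (s != NULL) ? OPENSSL_strdup(s) : NULL;
    if (s != NULL && *dst == NULL)
        ERR_raise(ERR_LIB_ENGINE, ERR_R_MALLOC_FAILURE);
    return *dst != NULL;
}

/*
 * Control handler.  Every command is refused once a library has been loaded
 * (ctx->dynamic_dso != NULL), so the settings cannot be changed under a
 * bound ENGINE.
 *
 * i is the numeric argument for NUMERIC commands, p the string for STRING
 * commands; f is unused.  Note that SO_PATH, ID and DIR_ADD choose the file
 * that LOAD will map into this process, so they must only be driven from a
 * trusted source such as the application's own configuration.
 *
 * Returns 1 on success, 0 on failure with an ENGINE error raised.
 */
static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
{
    dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);

    if (ctx == NULL) {
        ERR_raise(ERR_LIB_ENGINE, ENGINE_R_NOT_LOADED);
        return 0;
    }
    /* All our control commands require the ENGINE to be uninitialised */
    if (ctx->dynamic_dso != NULL) {
        ERR_raise(ERR_LIB_ENGINE, ENGINE_R_ALREADY_LOADED);
        return 0;
    }
    switch (cmd) {
    case DYNAMIC_CMD_SO_PATH:
        /* a NULL 'p' or a string of zero-length is the same thing */
        return dynamic_replace_string(&ctx->DYNAMIC_LIBNAME, p);
    case DYNAMIC_CMD_NO_VCHECK:
        ctx->no_vcheck = (i != 0);
        return 1;
    case DYNAMIC_CMD_ID:
        /* a NULL 'p' or a string of zero-length is the same thing */
        return dynamic_replace_string(&ctx->engine_id, p);
    case DYNAMIC_CMD_LIST_ADD:
        if (i < 0 || i > 2) {
            ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INVALID_ARGUMENT);
            return 0;
        }
        ctx->list_add_value = (int)i;
        return 1;
    case DYNAMIC_CMD_LOAD:
        return dynamic_load(e, ctx);
    case DYNAMIC_CMD_DIR_LOAD:
        if (i < 0 || i > 2) {
            ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INVALID_ARGUMENT);
            return 0;
        }
        ctx->dir_load = (int)i;
        return 1;
    case DYNAMIC_CMD_DIR_ADD:
        {
            char *dir;

            /* a NULL 'p' or a string of zero-length is the same thing */
            if (p == NULL || *(const char *)p == '\0') {
                ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INVALID_ARGUMENT);
                return 0;
            }
            dir = OPENSSL_strdup(p);
            if (dir == NULL) {
                ERR_raise(ERR_LIB_ENGINE, ERR_R_MALLOC_FAILURE);
                return 0;
            }
            /* The stack owns dir from here on; free it if the push fails */
            if (!sk_OPENSSL_STRING_push(ctx->dirs, dir)) {
                OPENSSL_free(dir);
                ERR_raise(ERR_LIB_ENGINE, ERR_R_MALLOC_FAILURE);
                return 0;
            }
        }
        return 1;
    default:
        break;
    }
    ERR_raise(ERR_LIB_ENGINE, ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
    return 0;
}

/*
 * Map the shared library named by ctx->DYNAMIC_LIBNAME into ctx->dynamic_dso.
 *
 * dir_load selects the strategy: 0 = direct load only, 1 = direct load then
 * each DIR_ADD directory in insertion order, 2 = directories only.  How
 * DSO_load() resolves a bare name on the direct attempt is left to the DSO
 * layer (see internal/dso.h).  Returns 1 once a load succeeds, 0 otherwise.
 */
static int int_load(dynamic_data_ctx *ctx)
{
    int num, loop;

    /* Unless told not to, try a direct load */
    if (ctx->dir_load != 2
        && DSO_load(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, NULL, 0) != NULL)
        return 1;
    /* If we're not allowed to use 'dirs' or we have none, fail */
    if (!ctx->dir_load || (num = sk_OPENSSL_STRING_num(ctx->dirs)) < 1)
        return 0;
    for (loop = 0; loop < num; loop++) {
        const char *dir = sk_OPENSSL_STRING_value(ctx->dirs, loop);
        char *merge = DSO_merge(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, dir);
        int loaded;

        if (merge == NULL)
            return 0;
        loaded = DSO_load(ctx->dynamic_dso, merge, NULL, 0) != NULL;
        OPENSSL_free(merge);
        if (loaded)
            /* Found what we're looking for */
            return 1;
    }
    return 0;
}

/*
 * Unfortunately the version checker does not distinguish between
 * engines built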
for openssl 1.1.x and openssl 3.x, but loading
 * an engine that is built for openssl 1.1.x will cause a fatal
 * error. Detect such engines, since EVP_PKEY_base_id is exported
 * as a function in openssl 1.1.x, while it is named EVP_PKEY_get_base_id
 * in openssl 3.x. Therefore we take the presence of that symbol
 * as an indication that the engine will be incompatible.
 *
 * The symbol lookup is bracketed by ERR_set_mark()/ERR_pop_to_mark() so
 * that the expected "symbol not found" error from DSO_bind_func() does not
 * leak onto the error queue.  Returns non-zero if the symbol is present.
 */
static int using_libcrypto_11(dynamic_data_ctx *ctx)
{
    int ret;

    ERR_set_mark();
    ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_base_id") != NULL;
    ERR_pop_to_mark();

    return ret;
}

/*
 * The LOAD command: map the library, resolve and run its bind function, and
 * optionally register the resulting ENGINE.
 *
 * Steps, in order: create the DSO; derive DYNAMIC_LIBNAME from engine_id if
 * no SO_PATH was given; int_load(); resolve DYNAMIC_F2 (the bind function);
 * unless NO_VCHECK is set, resolve DYNAMIC_F1, call it and reject engines
 * that are too old or built against 1.1.x; snapshot e, blank it, bind; and
 * finally ENGINE_add() if LIST_ADD asked for it.  Everything up to and
 * including a failed bind is rolled back; a failed add is not (see below).
 *
 * Note that NO_VCHECK skips the whole version block, including the
 * using_libcrypto_11() check.  The bind function is code resolved from the
 * freshly loaded library and runs in this process with our state in fns.
 *
 * Returns 1 on success, 0 on failure with an ENGINE error raised.
 */
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
{
    ENGINE cpy;
    dynamic_fns fns;

    if (ctx->dynamic_dso == NULL)
        ctx->dynamic_dso = DSO_new();
    if (ctx->dynamic_dso == NULL)
        return 0;
    if (!ctx->DYNAMIC_LIBNAME) {
        if (!ctx->engine_id)
            return 0;
        /* Only the platform's library extension is appended to the id */
        DSO_ctrl(ctx->dynamic_dso, DSO_CTRL_SET_FLAGS,
                 DSO_FLAG_NAME_TRANSLATION_EXT_ONLY, NULL);
        /*
         * NOTE(review): a NULL result is not checked here; presumably
         * int_load() then fails on the NULL name - confirm against
         * DSO_load().
         */
        ctx->DYNAMIC_LIBNAME =
            DSO_convert_filename(ctx->dynamic_dso, ctx->engine_id);
    }
    if (!int_load(ctx)) {
        ERR_raise(ERR_LIB_ENGINE, ENGINE_R_DSO_NOT_FOUND);
        DSO_free(ctx->dynamic_dso);
        ctx->dynamic_dso = NULL;
        return 0;
    }
    /* We have to find a bind function otherwise it'll always end badly */
    if (!
        (ctx->bind_engine =
         (dynamic_bind_engine) DSO_bind_func(ctx->dynamic_dso,
                                             ctx->DYNAMIC_F2))) {
        ctx->bind_engine = NULL;
        DSO_free(ctx->dynamic_dso);
        ctx->dynamic_dso = NULL;
        ERR_raise(ERR_LIB_ENGINE, ENGINE_R_DSO_FAILURE);
        return 0;
    }
    /* Do we perform version checking? */
    if (!ctx->no_vcheck) {
        /* A missing v_check leaves this at 0, which fails the test below */
        unsigned long vcheck_res = 0;
        /*
         * Now we try to find a version checking function and decide how to
         * cope with failure if/when it fails.
         */
        ctx->v_check =
            (dynamic_v_check_fn) DSO_bind_func(ctx->dynamic_dso,
                                               ctx->DYNAMIC_F1);
        if (ctx->v_check)
            vcheck_res = ctx->v_check(OSSL_DYNAMIC_VERSION);
        /*
         * We fail if the version checker veto'd the load *or* if it is
         * deferring to us (by returning its version) and we think it is too
         * old. Also fail if this is engine for openssl 1.1.x.
         */
        if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_11(ctx)) {
            /* Fail */
            ctx->bind_engine = NULL;
            ctx->v_check = NULL;
            DSO_free(ctx->dynamic_dso);
            ctx->dynamic_dso = NULL;
            ERR_raise(ERR_LIB_ENGINE, ENGINE_R_VERSION_INCOMPATIBILITY);
            return 0;
        }
    }
    /*
     * First binary copy the ENGINE structure so that we can roll back if the
     * hand-over fails
     */
    memcpy(&cpy, e, sizeof(ENGINE));
    /*
     * Provide the ERR, "ex_data", memory, and locking callbacks so the
     * loaded library uses our state rather than its own. FIXME: As noted in
     * engine.h, much of this would be simplified if each area of code
     * provided its own "summary" structure of all related callbacks. It
     * would also increase opaqueness.
     */
    fns.static_state = ENGINE_get_static_state();
    CRYPTO_get_mem_functions(&fns.mem_fns.malloc_fn, &fns.mem_fns.realloc_fn,
                             &fns.mem_fns.free_fn);
    /*
     * Now that we've loaded the dynamic engine, make sure no "dynamic"
     * ENGINE elements will show through.
     */
    engine_set_all_null(e);

    /* Try to bind the ENGINE onto our own ENGINE structure */
    if (!engine_add_dynamic_id(e, (ENGINE_DYNAMIC_ID)ctx->bind_engine, 1)
        || !ctx->bind_engine(e, ctx->engine_id, &fns)) {
        engine_remove_dynamic_id(e, 1);
        ctx->bind_engine = NULL;
        ctx->v_check = NULL;
        DSO_free(ctx->dynamic_dso);
        ctx->dynamic_dso = NULL;
        ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INIT_FAILED);
        /* Copy the original ENGINE structure back */
        memcpy(e, &cpy, sizeof(ENGINE));
        return 0;
    }
    /* Do we try to add this ENGINE to the internal list too? */
    if (ctx->list_add_value > 0) {
        if (!ENGINE_add(e)) {
            /* Do we tolerate this or fail? */
            if (ctx->list_add_value > 1) {
                /*
                 * Fail - NB: By this time, it's too late to rollback, and
                 * trying to do so allows the bind_engine() code to have
                 * created leaks. We just have to fail where we are, after
                 * the ENGINE has changed.
                 */
                ERR_raise(ERR_LIB_ENGINE, ENGINE_R_CONFLICTING_ENGINE_ID);
                return 0;
            }
            /* Tolerate */
            ERR_clear_error();
        }
    }
    return 1;
}