Make the activate setting more intuitive

Currently, a provider is activated from our config file using the activate parameter. However, the presence of the config parameter is sufficient to trigger activation, leading to a counterintuitive situation in which setting "activate = 0" still activates the provider Make activation more intuitive by requiring that activate be set to one of yes|true|1 to trigger activation. Any other value, as well as omitting the parameter entirely, prevents activation (and also maintains backward compatibility. It seems a bit heavyweight to create a test specifically to validate the plurality of these settings. Instead, modify the exiting openssl config files in the test directory to use variants of these settings, and augment the default.cnf file to include a provider section that is explicitly disabled Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22906)
author: Neil Horman <nhorman@openssl.org> 2023-12-01 20:02:09 +0100
committer: Neil Horman <nhorman@openssl.org> 2023-12-21 15:22:40 +0100
commit: 506ff20662a228b17840f0b49865a927a45c2908 (patch)
tree: fa99ab163899cb138800889aea431aa364c588ee
parent: Use GH action commands to group/collapse filtered output (diff)
download: openssl-506ff20662a228b17840f0b49865a927a45c2908.tar.xz
openssl-506ff20662a228b17840f0b49865a927a45c2908.zip
6 files changed, 74 insertions, 9 deletions
diff --git a/CHANGES.md b/CHANGES.md
index f1c8bce1b3..0f8db22dce 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,14 @@ OpenSSL 3.3
 
 ### Changes between 3.2 and 3.3 [xx XXX xxxx]
 
+ * The activate configuration setting for providers in openssl.cnf has been
+   updated to require a value of [1|yes|true|on] (in lower or UPPER case) to
+   activate the provider.  Conversely a setting [0|no|false|off] will prevent
+   provider activation.  All other values, or the omission of a value for this
+   setting will result in an error.
+
+    *Neil Horman*
+
  * In `openssl speed`, changed the default hash function used with `hmac` from
    `md5` to `sha256`.
 
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index 288ade6b4d..d8454b7941 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -236,15 +236,43 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
         /* First handle some special pseudo confs */
 
         /* Override provider name to use */
-        if (strcmp(confname, "identity") == 0)
+        if (strcmp(confname, "identity") == 0) {
             name = confvalue;
-        else if (strcmp(confname, "soft_load") == 0)
+        } else if (strcmp(confname, "soft_load") == 0) {
             soft = 1;
         /* Load a dynamic PROVIDER */
-        else if (strcmp(confname, "module") == 0)
+        } else if (strcmp(confname, "module") == 0) {
             path = confvalue;
-        else if (strcmp(confname, "activate") == 0)
-            activate = 1;
+        } else if (strcmp(confname, "activate") == 0) {
+            if (confvalue == NULL) {
+                ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
+                               "section=%s activate set to unrecognized value",
+                               value);
+                return 0;
+            }
+            if ((strcmp(confvalue, "1") == 0)
+                || (strcmp(confvalue, "yes") == 0)
+                || (strcmp(confvalue, "YES") == 0)
+                || (strcmp(confvalue, "true") == 0)
+                || (strcmp(confvalue, "TRUE") == 0)
+                || (strcmp(confvalue, "on") == 0)
+                || (strcmp(confvalue, "ON") == 0)) {
+                activate = 1;
+            } else if ((strcmp(confvalue, "0") == 0)
+                       || (strcmp(confvalue, "no") == 0)
+                       || (strcmp(confvalue, "NO") == 0)
+                       || (strcmp(confvalue, "false") == 0)
+                       || (strcmp(confvalue, "FALSE") == 0)
+                       || (strcmp(confvalue, "off") == 0)
+                       || (strcmp(confvalue, "OFF") == 0)) {
+                activate = 0;
+            } else {
+                ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
+                               "section=%s activate set to unrecognized value",
+                               value);
+                return 0;
+            }
+        }
     }
 
     if (activate) {
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 8d312c661f..96eaa6ffd3 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -265,8 +265,11 @@ Specifies the pathname of the module (typically a shared library) to load.
 
 =item B<activate>
 
-If present, the module is activated. The value assigned to this name is not
-significant.
+If present and set to one of the values yes, on, true or 1, then the associated
+provider will be activated. Conversely, setting this value to no, off, false, or
+0 will prevent the provider from being activated. Settings can be given in lower
+or uppercase. Setting activate to any other setting, or omitting a setting
+value will result in an error.
 
 =back
 
diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
index 2ca6487fd2..71af0a385a 100644
--- a/test/default-and-fips.cnf
+++ b/test/default-and-fips.cnf
@@ -13,4 +13,4 @@ default = default_sect
 fips = fips_sect
 
 [default_sect]
-activate = 1
+activate = yes
diff --git a/test/default.cnf b/test/default.cnf
index f29d0e92ba..21c7e070a9 100644
--- a/test/default.cnf
+++ b/test/default.cnf
@@ -8,6 +8,10 @@ providers = provider_sect
 
 [provider_sect]
 default = default_sect
+legacy  = legacy_sect
 
 [default_sect]
-activate = 1
+activate = true
+
+[legacy_sect]
+activate = false
diff --git a/test/evp_fetch_prov_test.c b/test/evp_fetch_prov_test.c
index 19e780d856..876d6ccc0a 100644
--- a/test/evp_fetch_prov_test.c
+++ b/test/evp_fetch_prov_test.c
@@ -121,6 +121,27 @@ static void unload_providers(OSSL_LIB_CTX **libctx, OSSL_PROVIDER *prov[])
     }
 }
 
+static int test_legacy_provider_unloaded(void)
+{
+    OSSL_LIB_CTX *ctx = NULL;
+    int rc = 0;
+
+    ctx = OSSL_LIB_CTX_new();
+    if (!TEST_ptr(ctx))
+        goto err;
+
+    if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, config_file)))
+        goto err;
+
+    if (!TEST_int_eq(OSSL_PROVIDER_available(ctx, "legacy"), 0))
+        goto err;
+
+    rc = 1;
+err:
+    OSSL_LIB_CTX_free(ctx);
+    return rc;
+}
+
 static X509_ALGOR *make_algor(int nid)
 {
     X509_ALGOR *algor;
@@ -379,6 +400,7 @@ int setup_tests(void)
             return 0;
         }
     }
+    ADD_TEST(test_legacy_provider_unloaded);
     if (strcmp(alg, "digest") == 0) {
         ADD_TEST(test_implicit_EVP_MD_fetch);
         ADD_TEST(test_explicit_EVP_MD_fetch_by_name);
author	Neil Horman <nhorman@openssl.org>	2023-12-01 20:02:09 +0100
committer	Neil Horman <nhorman@openssl.org>	2023-12-21 15:22:40 +0100
commit	506ff20662a228b17840f0b49865a927a45c2908 (patch)
tree	fa99ab163899cb138800889aea431aa364c588ee
parent	Use GH action commands to group/collapse filtered output (diff)
download	openssl-506ff20662a228b17840f0b49865a927a45c2908.tar.xz openssl-506ff20662a228b17840f0b49865a927a45c2908.zip