diff options
| author | Neil Horman <nhorman@openssl.org> | 2023-12-01 20:02:09 +0100 |
|---|---|---|
| committer | Neil Horman <nhorman@openssl.org> | 2023-12-21 15:22:40 +0100 |
| commit | 506ff20662a228b17840f0b49865a927a45c2908 (patch) | |
| tree | fa99ab163899cb138800889aea431aa364c588ee /crypto | |
| parent | Use GH action commands to group/collapse filtered output (diff) | |
| download | openssl-506ff20662a228b17840f0b49865a927a45c2908.tar.xz openssl-506ff20662a228b17840f0b49865a927a45c2908.zip | |
Make the activate setting more intuitive
Currently, a provider is activated from our config file using the
activate parameter. However, the presence of the config parameter is
sufficient to trigger activation, leading to a counterintuitive
situation in which setting "activate = 0" still activates the provider
Make activation more intuitive by requiring that activate be set to one
of yes|true|1 to trigger activation. Any other value, as well as
omitting the parameter entirely, prevents activation (and also maintains
backward compatibility.
It seems a bit heavyweight to create a test specifically to validate the
plurality of these settings. Instead, modify the exiting openssl config
files in the test directory to use variants of these settings, and
augment the default.cnf file to include a provider section that is
explicitly disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22906)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/provider_conf.c | 38 |
1 files changed, 33 insertions, 5 deletions
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index 288ade6b4d..d8454b7941 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -236,15 +236,43 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, /* First handle some special pseudo confs */ /* Override provider name to use */ - if (strcmp(confname, "identity") == 0) + if (strcmp(confname, "identity") == 0) { name = confvalue; - else if (strcmp(confname, "soft_load") == 0) + } else if (strcmp(confname, "soft_load") == 0) { soft = 1; /* Load a dynamic PROVIDER */ - else if (strcmp(confname, "module") == 0) + } else if (strcmp(confname, "module") == 0) { path = confvalue; - else if (strcmp(confname, "activate") == 0) - activate = 1; + } else if (strcmp(confname, "activate") == 0) { + if (confvalue == NULL) { + ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, + "section=%s activate set to unrecognized value", + value); + return 0; + } + if ((strcmp(confvalue, "1") == 0) + || (strcmp(confvalue, "yes") == 0) + || (strcmp(confvalue, "YES") == 0) + || (strcmp(confvalue, "true") == 0) + || (strcmp(confvalue, "TRUE") == 0) + || (strcmp(confvalue, "on") == 0) + || (strcmp(confvalue, "ON") == 0)) { + activate = 1; + } else if ((strcmp(confvalue, "0") == 0) + || (strcmp(confvalue, "no") == 0) + || (strcmp(confvalue, "NO") == 0) + || (strcmp(confvalue, "false") == 0) + || (strcmp(confvalue, "FALSE") == 0) + || (strcmp(confvalue, "off") == 0) + || (strcmp(confvalue, "OFF") == 0)) { + activate = 0; + } else { + ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, + "section=%s activate set to unrecognized value", + value); + return 0; + } + } } if (activate) { |