Unable to use crypto API without loading in config file #21470

justanotherminh · 2023-03-30T19:34:33Z

justanotherminh
Mar 30, 2023

I am using OpenSSL APIs in an environment where loading in files during runtime is restricted, and thus I need to disable all attempts by OpenSSL to load the config file during runtime. However, in crypto/provider_core.c:1352, we see this hard-coded line
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
This means that even if we configure our OpenSSL installation to avoid using and loading config files, this line would still be called, and a config load would still be attempted. In my case, I was trying to use EVP_MAC_fetch(). How should I address this issue?

Answered by kulkarniamit

Jul 15, 2023

Options

If OpenSSL < 1.1.0, use OPENSSL_no_config() to disable configuration file
If OpenSSL > 1.1.0, use OPENSSL_init_crypto() with OPENSSL_INIT_NO_LOAD_CONFIG option to suppress loading OpenSSL configuration files

Sample program

#include <stdio.h>
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/conf.h>
#include <openssl/crypto.h>

int main() {
#if 0
    /* Use if OpenSSL < 1.1.0 */
    OPENSSL_no_config();
#endif
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);
    EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
    ...
    exit(EXIT_SUCCESS);
}

Without code to disable loading configuration

$ strace -e trace=open ./program
open("/etc/ld.so.cache", O_RDONLY…

View full answer

kulkarniamit · 2023-07-15T00:01:52Z

kulkarniamit
Jul 15, 2023

Options

If OpenSSL < 1.1.0, use OPENSSL_no_config() to disable configuration file
If OpenSSL > 1.1.0, use OPENSSL_init_crypto() with OPENSSL_INIT_NO_LOAD_CONFIG option to suppress loading OpenSSL configuration files

Sample program

#include <stdio.h>
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/conf.h>
#include <openssl/crypto.h>

int main() {
#if 0
    /* Use if OpenSSL < 1.1.0 */
    OPENSSL_no_config();
#endif
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);
    EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
    ...
    exit(EXIT_SUCCESS);
}

Without code to disable loading configuration

$ strace -e trace=open ./program
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/local/ssl/openssl.cnf", O_RDONLY) = 3
Generated HMAC: CAF8182F3FC48CEAE5786966554ACDDA726DCB7697E95F1A0D0A8CD2F2E387C6
+++ exited with 0 +++

With code to disable loading configuration

$ strace -e trace=open ./program
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
Generated HMAC: CAF8182F3FC48CEAE5786966554ACDDA726DCB7697E95F1A0D0A8CD2F2E387C6
+++ exited with 0 +++

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to use crypto API without loading in config file #21470

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Unable to use crypto API without loading in config file #21470

justanotherminh Mar 30, 2023

Options

Sample program

Without code to disable loading configuration

Replies: 1 comment

kulkarniamit Jul 15, 2023

Options

Sample program

Without code to disable loading configuration

With code to disable loading configuration

justanotherminh
Mar 30, 2023

kulkarniamit
Jul 15, 2023