OSSL_PROVIDER_load_ex #21604
OSSL_PROVIDER_load_ex #21604
Conversation
|
It's an attempt to implement #21350 function using available API. @openssl/committers the comments wanted. I tried to implement as an extension of |
github-actions
bot
added
the
severity: fips change
beldmit
added
branch: master
|
I've pushed a draft of API design for better clarity |
github-actions
bot
added
the
severity: fips change
There was a problem hiding this comment.
My feeling is this really needs some active discussion within the OTC to find out what we want to do here. We should avoid requiring changes to existing providers if they would like to use this functionality if at all possible. I assume some changes will be inevitable if we want to support setting the parameters to providers after they are loaded & initialized but at least for the initial load it should be possible to use the current callback.
beldmit
force-pushed
the
OSSL_PROVIDER_activate
branch
from
756dc6f
to
25e0bfa
Compare
There was a problem hiding this comment.
So having thought about this some more I think I agree with a OSSL_LIB_CTX_load_provider() call where the provider config is entirely provided via the params option.
However I am entirely against OSSL_PROVIDER_set_params_by_name(), I think mixing static and dynamic config or attempting to change config will be error prone, difficult to debug for all involved (openssl, provider and application developers), and ultimately not a good pattern.
If a provider is already loaded this call should fail, btw, up to the app to decide what to do with it.
In general I think if the config is in a config file users should tweak the config file. |
|
Note that if you decide something like OSSL_PROVIDER_set_params() is the way you want to go you really need to also add a OSSL_PROVIDER_settable_params() so the provider can tell you what params can be set, and be prepared for that list to change after initialization... |
beldmit
force-pushed
the
OSSL_PROVIDER_activate
branch
2 times, most recently
from
ece77c3
to
a108c78
Compare
|
Thanks, added |
beldmit
force-pushed
the
OSSL_PROVIDER_activate
branch
2 times, most recently
from
a0fcdec
to
66c79cd
Compare
|
OK, I realized how to pass the data to the provider in more or less standard way. |
|
This test failure seems to be unrelated to the patch but may be of interest for @hlandau https://github.com/openssl/openssl/actions/runs/5741052478/job/15560296780?pr=21604 |
beldmit
added
tests: present
beldmit
force-pushed
the
OSSL_PROVIDER_activate
branch
from
e9e8369
to
d83a0bd
Compare
beldmit
changed the title
|
@openssl/committers any review/feedback, please? |
beldmit
force-pushed
the
OSSL_PROVIDER_activate
branch
from
1553eac
to
f5578c4
Compare
|
Rebased to resolve the trivial conflict in util/libcrypto.num |
t-j-h
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Merged. Thanks for the review! |
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from #21604)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from #21604)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from #21604)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from openssl#21604)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from openssl#21604)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from openssl#21604)
| Several instances of the same provider in the same context using different | ||
| section names, module names (e.g. via symlinks) and provider names. But unless | ||
| the provider does not support some configuration options, the algorithms in | ||
| this case will have the same `provider` property and the result of fetching is | ||
| not determined. We strongly discourage against this trick. |
There was a problem hiding this comment.
The intention of this paragraph is not obvious to me. Is this a suggested or discouraged scenario?
| Several instances of the same provider in the same context using different | |
| section names, module names (e.g. via symlinks) and provider names. But unless | |
| the provider does not support some configuration options, the algorithms in | |
| this case will have the same `provider` property and the result of fetching is | |
| not determined. We strongly discourage against this trick. | |
| Several instances of the same provider can be loaded in the same context using different | |
| section names, module names (e.g. via symlinks) and provider names. But unless | |
| the provider supports some configuration options, the algorithms in | |
| this case will have the same `provider` property and the result of fetching is | |
| not determined. We strongly discourage against this trick. |
There was a problem hiding this comment.
Added, but is this indeed what you meant to say? (You may answer this question in PR #22029)
| OSSL_PARAM_BLD_push_utf8_string(bld, "greeting", custom_buf, strlen(custom_buf)); | ||
| params = OSSL_PARAM_BLD_to_param(bld); | ||
|
|
||
| OSSL_PARAM_BLD_free(bld); |
There was a problem hiding this comment.
This test just passes an unknown parameter to the provider which gets ignored. So it does not actually prove the usefulnes of the api, it's just a "hello world" example.
Would it be possible to add a proof-of-concept test that loads the "default" or "fips" provider using extra parameters that actually changes the behaviour of the provider in a measurable (testable) effect?
There was a problem hiding this comment.
The parameter is not unknown, but I understand your reasons and yes, a FIPS provider test would be better.
| We need a possibility to initialize providers on per-application level | ||
| according to per-application parameters. It's necessary for example for PKCS#11 |
There was a problem hiding this comment.
Looking at provider-base, it seems possible to dispense of the configuration file entirely using the new extended api.
Additionally, provider specific configuration parameters from the
config file are available, in dotted name form.
The dotted name form is a concatenation of section names and final
config command name separated by periods.
If that's the case, it would be great to have a test case and/or example as a proof-of concept to show that this can be achieved using your new extended API.
Probably some example of its usage could also be added to the ossl-guide-libcrypto-introduction manpage?
(If you agree, I will create a separate issue for this)
There was a problem hiding this comment.
I agree though I totally missed this point
|
@mspncp could you please raise your documentation updates as a PR? |
Late review comments for pull request openssl#21604, sort of.
Late review comments for pull request openssl#21604, sort of.
|
See PR #22029. Please also reconsider the conversations which I did not mark as resolved yet. |
Late review comments for pull request openssl#21604, sort of.
to configure provider in load-time.
The tests are to be written, the documentation is also to be written.
Checklist