apr_crypto_openssl: Add provider support on OpenSSL3+.

git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1924449 13f79535-47bb-0310-9956-ffa450edef68

Author: minfrin

CHANGES

@@ -1,6 +1,9 @@
                                                      -*- coding: utf-8 -*-
 Changes for APR 2.0.0
 
+  *) apr_crypto_openssl: Add provider support on OpenSSL3+.
+     [Graham Leggett]
+
   *) apr_ldap: Add write capability to the LDAP API. Support for
      add, modify, rename, delete, and extended operations.
      [Graham Leggett]

crypto/apr_crypto_openssl.c

@@ -87,19 +87,30 @@
 #else
 #define APR_USE_OPENSSL_PRE_3_0_API     0
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x30500000L
+#define APR_USE_OPENSSL_PRE_3_5_API     1
+#else
+#define APR_USE_OPENSSL_PRE_3_5_API     0
+#endif
 
 #endif /* defined(LIBRESSL_VERSION_NUMBER) */
 
 #if APR_USE_OPENSSL_PRE_3_0_API
 #define APR_USE_OPENSSL_ENGINE_API 1
+#define APR_USE_OPENSSL_PROVIDER_API 0
 #else
 #define APR_USE_OPENSSL_ENGINE_API 0
+#define APR_USE_OPENSSL_PROVIDER_API 1
 #endif
 
 #if APR_USE_OPENSSL_ENGINE_API
 #include <openssl/engine.h>
 #endif
 
+#if APR_USE_OPENSSL_PROVIDER_API
+#include <openssl/provider.h>
+#endif
+
 #define LOG_PREFIX "apr_crypto_openssl: "
 
 struct apr_crypto_t {
@@ -118,6 +129,9 @@ struct apr_crypto_config_t {
 #else
     void *engine;
 #endif
+#if APR_USE_OPENSSL_PROVIDER_API
+    OSSL_LIB_CTX *libctx;
+#endif
 };
 
 struct apr_crypto_key_t {
@@ -407,6 +421,11 @@ static apr_status_t crypto_cleanup(apr_crypto_t *f)
         ENGINE_free(f->config->engine);
         f->config->engine = NULL;
     }
+#endif
+#if APR_USE_OPENSSL_PROVIDER_API
+    if (f->config->libctx) {
+        OSSL_LIB_CTX_free(f->config->libctx);
+    }
 #endif
     return APR_SUCCESS;
 
@@ -418,6 +437,15 @@ static apr_status_t crypto_cleanup_helper(void *data)
     return crypto_cleanup(f);
 }
 
+#if APR_USE_OPENSSL_PROVIDER_API
+static apr_status_t provider_cleanup(void *data)
+{
+    OSSL_PROVIDER *prov = data;
+    OSSL_PROVIDER_unload(prov);
+    return APR_SUCCESS;
+}
+#endif
+
 /**
  * @brief Create a context for supporting encryption. Keys, certificates,
  *        algorithms and other parameters will be set per context. More than
@@ -452,8 +480,24 @@ static apr_status_t crypto_make(apr_crypto_t **ff,
     char *elt;
     int i = 0, j;
 
+#if APR_USE_OPENSSL_PROVIDER_API
+    OSSL_PROVIDER *prov = NULL;
+    const char *path = NULL;
+#endif
+
     *ff = NULL;
 
+    f = apr_pcalloc(pool, sizeof(apr_crypto_t));
+    if (!f) {
+        return APR_ENOMEM;
+    }
+    f->config = config = apr_pcalloc(pool, sizeof(apr_crypto_config_t));
+    if (!config) {
+        return APR_ENOMEM;
+    }
+    f->pool = pool;
+    f->provider = provider;
+
     if (params) {
         if (APR_SUCCESS != (status = apr_tokenize_to_argv(params, &elts, pool))) {
             return status;
@@ -481,22 +525,54 @@ static apr_status_t crypto_make(apr_crypto_t **ff,
                 }
             }
 
+#if APR_USE_OPENSSL_PROVIDER_API
+            if (!strcasecmp("provider-path", elt)) {
+                path = ptr;
+            }
+            else if (!strcasecmp("provider", elt)) {
+
+                /* first provider, avoid loading the default by loading null */
+                if (!config->libctx) {
+                    prov = OSSL_PROVIDER_load(NULL, "null");
+                    config->libctx = OSSL_LIB_CTX_new();
+                    if (!config->libctx) {
+                        return APR_ENOMEM;
+                    }
+
+                    apr_pool_cleanup_register(pool, prov, provider_cleanup,
+                                              apr_pool_cleanup_null);
+                }
+
+                if (path) {
+                    OSSL_PROVIDER_set_default_search_path(config->libctx, path);
+                    path = NULL;
+                }
+
+                prov = OSSL_PROVIDER_load(config->libctx, ptr);
+                if (!prov) {
+                    return APR_ENOENGINE;
+                }
+
+                apr_pool_cleanup_register(pool, prov, provider_cleanup,
+                                          apr_pool_cleanup_null);
+            }
+            else if (prov) {
+                /* options after a provider apply to the provider */
+#if !APR_USE_OPENSSL_PRE_3_5_API
+                if (!OSSL_PROVIDER_add_conf_parameter(prov, elt, ptr)) {
+                    return PR_EINVAL;
+                }
+#else
+                return APR_ENOTIMPL;
+#endif
+            }
+#endif
+
             i++;
         }
         engine = fields[0].value;
     }
 
-    f = apr_pcalloc(pool, sizeof(apr_crypto_t));
-    if (!f) {
-        return APR_ENOMEM;
-    }
-    f->config = config = apr_pcalloc(pool, sizeof(apr_crypto_config_t));
-    if (!config) {
-        return APR_ENOMEM;
-    }
-    f->pool = pool;
-    f->provider = provider;
-
     /* The default/builtin "openssl" engine is the same as NULL though with
      * openssl-3+ it's called something else, keep NULL for that name.
      */

include/apr_crypto.h

@@ -608,8 +608,11 @@ APR_DECLARE(apr_status_t) apr_crypto_error(const apu_err_t **result,
  * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE
  * if the engine cannot be initialised.
  * @remarks NSS: currently no params are supported.
- * @remarks OpenSSL: the params can have "engine" as a key, followed by an equal
- *  sign and a value.
+ * @remarks OpenSSL legacy: prior to v3, use "engine=[engine]" to set the engine.
+ * @remarks OpenSSL3+: use "provider=[provider]" to set the provider to load, can
+ *          be specified more than once.
+ * @remarks OpenSSL3.5+: "name=[value]" params specified after each "provider"
+ *          are applied to that provider.
  */
 APR_DECLARE(apr_status_t) apr_crypto_make(apr_crypto_t **f,
         const apr_crypto_driver_t *driver, const char *params,

test/testcrypto.c

@@ -107,12 +107,19 @@ static apr_crypto_t *make(abts_case *tc, apr_pool_t *pool,
 
     apr_crypto_t *f = NULL;
 
+    apr_status_t status;
+
     if (!driver) {
         return NULL;
     }
 
     /* get the context */
-    apr_crypto_make(&f, driver, "engine=openssl", pool);
+    status = apr_crypto_make(&f, driver, "engine=openssl", pool);
+
+    if (APR_ENOTIMPL == status) {
+        apr_crypto_make(&f, driver, "provider=default", pool);
+    }
+
     ABTS_ASSERT(tc, "apr_crypto_make returned NULL", f != NULL);
 
     return f;