author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2025-01-16 09:44:14 +0100 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2025-01-17 17:46:37 +0100 |
commit | 38a0926528791762cf8f0f4e3ed0e2f590b894b9 (patch) | |
tree | c1b6120d859a098d508b1edff9d3dd6d03150964 /apps | |
parent | Work around to get llvm-mingw working on aarch64 (diff) | |
Support CLI and API setting of provider configuration parameters
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26427)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/include/opt.h | 3 | ||||
-rw-r--r-- | apps/lib/app_provider.c | 75 |
2 files changed, 78 insertions, 0 deletions
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 2bd2fb2484..637dff2fd2 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -295,6 +295,7 @@
 # define OPT_PROV_ENUM \
 OPT_PROV__FIRST=1600, \
 OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
+ OPT_PROV_PARAM, \
 OPT_PROV__LAST

 # define OPT_CONFIG_OPTION \
@@ -304,12 +305,14 @@
 OPT_SECTION("Provider"), \
 { "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
 { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
+ { "provparam", OPT_PROV_PARAM, 's', "Set a provider key-value parameter" }, \
 { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }

 # define OPT_PROV_CASES \
 OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
 case OPT_PROV_PROVIDER: \
 case OPT_PROV_PROVIDER_PATH: \
+ case OPT_PROV_PARAM: \
 case OPT_PROV_PROPQUERY

 /*
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
index 63f78ae07d..85475a9be5 100644
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@@ -8,6 +8,7 @@
 */

 #include "apps.h"
+#include <ctype.h>
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/provider.h>
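Review bot: The `provparam` help string in the OPT_PROV_OPTIONS hunk of apps/include/opt.h states neither the argument syntax nor any ordering requirement. The parser added in apps/lib/app_provider.c accepts `[name:]key=value` and can report that no provider of that name is loaded, so the option appears to act only on providers already loaded when it is parsed; the neighbouring `provider-path` entry documents its ordering for a similar reason. Suggest wording such as `"Set a provider parameter, [name:]key=value (after 'provider')"`.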
@@ -65,6 +66,78 @@ static int opt_provider_path(const char *path)
 return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
 }

+struct prov_param_st {
+ char *name;
+ char *key;
+ char *val;
+ int found;
+};
+
+static int set_prov_param(OSSL_PROVIDER *prov, void *vp)
+{
+ struct prov_param_st *p = (struct prov_param_st *)vp;
+
+ if (p->name != NULL && strcmp(OSSL_PROVIDER_get0_name(prov), p->name) != 0)
+ return 1;
+ p->found = 1;
+ return OSSL_PROVIDER_add_conf_parameter(prov, p->key, p->val);
+}
+
+static int opt_provider_param(const char *arg)
+{
+ struct prov_param_st p;
+ char *copy, *tmp;
+ int ret = 0;
+
+ if ((copy = OPENSSL_strdup(arg)) == NULL
+ || (p.val = strchr(copy, '=')) == NULL) {
+ opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
+ opt_getprog(), arg);
+ goto end;
+ }
+
+ /* Drop whitespace on both sides of the '=' sign */
+ *(tmp = p.val++) = '\0';
+ while (tmp > copy && isspace(_UC(*--tmp)))
+ *tmp = '\0';
+ while (isspace(_UC(*p.val)))
+ ++p.val;
+
+ /*
+ * Split the key on ':', to get the optional provider, empty or missing
+ * means all.
+ */
+ if ((p.key = strchr(copy, ':')) != NULL) {
+ *p.key++ = '\0';
+ p.name = *copy != '\0' ? copy : NULL;
+ } else {
+ p.name = NULL;
+ p.key = copy;
+ }
+
+ /* The key must not be empty */
+ if (*p.key == '\0') {
+ opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
+ opt_getprog(), arg);
+ goto end;
+ }
+
+ p.found = 0;
+ ret = OSSL_PROVIDER_do_all(app_get0_libctx(), set_prov_param, (void *)&p);
+ if (ret == 0) {
+ opt_printf_stderr("%s: Error setting provider '%s' parameter '%s'\n",
+ opt_getprog(), p.name, p.key);
+ } else if (p.found == 0) {
+ opt_printf_stderr("%s: No provider named '%s' is loaded\n",
+ opt_getprog(), p.name);
+ ret = 0;
+ }
+
+ end:
+ OPENSSL_free(copy);
+ return ret;
+}
+
 int opt_provider(int opt)
 {
 const int given = provider_option_given;
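Review bot: Both diagnostics at the end of `opt_provider_param` pass `p.name` to `%s`, but `p.name` is NULL whenever the argument has no `name:` prefix or an empty one, so a failure while applying a parameter to all providers prints a null or placeholder name (how `opt_printf_stderr` renders a NULL string is not visible in this hunk). Substitute a label at both call sites, e.g. `opt_getprog(), p.name != NULL ? p.name : "(all)", p.key);`, and word the unnamed `p.found == 0` case as no provider being loaded. Separately, the first check reports an `OPENSSL_strdup` failure as a malformed option value because the two conditions share one message; testing the allocation on its own would keep the diagnostic accurate. Only whitespace adjacent to `=` is trimmed, so a space after the `:` or before the provider name becomes part of the key or name, and since a missing name sends the value to every loaded provider, a comment stating that both behaviours are intended would help the next reader.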
@@ -78,6 +151,8 @@ int opt_provider(int opt)
 return app_provider_load(app_get0_libctx(), opt_arg());
 case OPT_PROV_PROVIDER_PATH:
 return opt_provider_path(opt_arg());
+ case OPT_PROV_PARAM:
+ return opt_provider_param(opt_arg());
 case OPT_PROV_PROPQUERY:
 return app_set_propq(opt_arg());
 } |