
Add possibility to load providers and use them in Poco

Open mapogu opened this issue 1 year ago • 5 comments

We have a need to externally configure and load providers for OpenSSL 3.x, and I noticed that the current implementation of Poco::Net::Context does not provide a way to do this. In my understanding, the library context needs to be configured for OpenSSL to search for providers at an appropriate location. In addition to this, the actual external providers need to be loaded and kept alive until shutdown. These two steps have to happen prior to creation of the SSL context in order to use providers.

Therefore, I've created this patch as a suggestion to add this improvement to Poco.

mapogu avatar Aug 28 '24 08:08 mapogu

OK, so two failed checks. Is it correct that CIFuzz and CodeQL build with OpenSSL version < 3.x? In that case the correct way would be to add #if OPENSSL_VERSION_NUMBER >= 0x10100000L around the changes, as the OpenSSL Provider API (replacement for Engine) is, to my understanding, an OpenSSL 3.x addition to OpenSSL?

mapogu avatar Aug 30 '24 05:08 mapogu

@mapogu is it possible to add a unit test here? I'm not sure what provider(s) are reasonable to expect on different platforms.

aleks-f avatar Sep 10 '24 15:09 aleks-f

Sorry for the late response. I can try to add a unit test. To my understanding, the Provider API in OpenSSL should be available on all platforms from OpenSSL 3.x. It can be used to load, for instance:

  • Default Provider: standard built-in OpenSSL algorithms
  • Legacy Provider: collection of legacy algorithms (md2, md4, ... BF, DES)
  • FIPS Provider: algorithms conforming to FIPS standards
  • Base Provider: small subset of non-cryptographic algorithms available in the default provider
  • Null Provider: "built-in" to libcrypto and contains no algorithm implementations. Guarantees that the default provider is not loaded.

A note in the docs seems to be that if a provider is loaded, then the default provider is not automatically loaded by OpenSSL (it has to be loaded explicitly).

Hence I could try to write a test where we load, for instance, the FIPS provider through Poco and check that the default provider is not available.

I guess this addition could be useful when you want to run the combination of Poco, OpenSSL 3.x and only FIPS-approved algorithms.

mapogu avatar Sep 23 '24 07:09 mapogu

Since this is explicitly for OpenSSL 3.x, is there any good compiler flag for the unit test framework so that the test case doesn't run on OpenSSL 1.x?

mapogu avatar Sep 23 '24 07:09 mapogu

Since this is explicitly for OpenSSL 3.x, is there any good compiler flag for the unit test framework so that the test case doesn't run on OpenSSL 1.x?

@mapogu see the openssl3 CI jobs.

aleks-f avatar Oct 03 '24 08:10 aleks-f