[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Fri Aug 28 09:23:02 UTC 2020
The branch master has been updated
via 33855c0af6046c2b36d1c541b0962e534fa6f8d9 (commit)
via 3d94185718e592660fdf5b988bef294b6adf0739 (commit)
from cd84d8832d274357a5ba5433640d7ef76691b1ac (commit)
- Log -----------------------------------------------------------------
commit 33855c0af6046c2b36d1c541b0962e534fa6f8d9
Author: Pauli <paul.dale at oracle.com>
Date: Wed Aug 26 13:41:30 2020 +1000
conf: add diagnostic option
Add an option to configuration files "config_diagnostics" that when set to a
non-zero value, overrides the error ignoring flags. The outcome is that
diagnostic output is produced when e.g. sections are missing.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)
commit 3d94185718e592660fdf5b988bef294b6adf0739
Author: Pauli <paul.dale at oracle.com>
Date: Wed Aug 19 21:13:58 2020 +1000
provider_conf: report missing section on error
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)
-----------------------------------------------------------------------
Summary of changes:
crypto/conf/conf_mod.c | 24 +++++++++++++++++++++---
crypto/provider_conf.c | 1 +
doc/man3/CONF_modules_load_file.pod | 3 ++-
doc/man5/config.pod | 7 +++++++
4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index aebf38292a..a0b9fd3b61 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -79,6 +79,18 @@ static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
static CONF_MODULE *module_load_dso(const CONF *cnf, const char *name,
const char *value);
+static int conf_diagnostics(const CONF *cnf)
+{
+ long int lflag = 0;
+ int res;
+
+ ERR_set_mark();
+ res = NCONF_get_number(cnf, NULL, "config_diagnostics", &lflag)
+ && lflag != 0;
+ ERR_pop_to_mark();
+ return res;
+}
+
/* Main function: load modules from a CONF structure */
int CONF_modules_load(const CONF *cnf, const char *appname,
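Review bot: conf_diagnostics gives no hint why the NCONF_get_number() call is bracketed by ERR_set_mark()/ERR_pop_to_mark(); a reader could take the pop for an error being swallowed by mistake. A one-line comment above ERR_set_mark() would settle it: `/* The key is optional: discard the error a missing "config_diagnostics" leaves on the queue. */`. A short header comment would also help, e.g. `/* Nonzero when config_diagnostics is set to a nonzero number (looked up with a NULL section, presumably the default section). */`. The CONF_modules_load definition that follows continues in the next hunk.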
@@ -87,12 +99,17 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
STACK_OF(CONF_VALUE) *values;
CONF_VALUE *vl;
char *vsection = NULL;
-
int ret, i;
if (!cnf)
return 1;
+ if (conf_diagnostics(cnf))
+ flags &= ~(CONF_MFLAGS_IGNORE_ERRORS
+ | CONF_MFLAGS_IGNORE_RETURN_CODES
+ | CONF_MFLAGS_SILENT
+ | CONF_MFLAGS_IGNORE_MISSING_FILE);
+
if (appname)
vsection = NCONF_get_string(cnf, NULL, appname);
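Review bot: Clearing CONF_MFLAGS_IGNORE_MISSING_FILE in the mask at L64-L67 appears to have no effect here: as far as the hunk shows, CONF_modules_load works on an already-built CONF and loads no file, and a file that failed to load cannot supply config_diagnostics in the first place. Either drop that bit from the mask or comment the intent, e.g. `/* Only the flags consulted by module_run() matter here; missing-file handling lives in the file loader. */`, so a reader does not expect this setting to surface missing-file errors. The man5 text in the later hunk ("any error suppressing flags ... will be ignored") overstates the effect for the same reason. `flags` is a parameter declared outside the hunk, and the function body runs past it.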
@@ -135,7 +152,7 @@ int CONF_modules_load_file_with_libctx(OPENSSL_CTX *libctx,
{
char *file = NULL;
CONF *conf = NULL;
- int ret = 0;
+ int ret = 0, diagnostics = 0;
conf = NCONF_new_with_libctx(libctx, NULL);
if (conf == NULL)
@@ -159,13 +176,14 @@ int CONF_modules_load_file_with_libctx(OPENSSL_CTX *libctx,
}
ret = CONF_modules_load(conf, appname, flags);
+ diagnostics = conf_diagnostics(conf);
err:
if (filename == NULL)
OPENSSL_free(file);
NCONF_free(conf);
- if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES)
+ if ((flags & CONF_MFLAGS_IGNORE_RETURN_CODES) != 0 && !diagnostics)
return 1;
return ret;
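Review bot: `diagnostics` at L82 has to be computed before `NCONF_free(conf)` at L86 because the check at L88 runs after the CONF is gone, and every `goto err` taken before L82 leaves it at 0; neither constraint is written down. A comment on L82 such as `/* Evaluated before NCONF_free(): the err path needs it to decide whether IGNORE_RETURN_CODES still applies. */` would prevent someone from moving the line into the cleanup block. The lookup also runs twice on the success path, once inside CONF_modules_load (earlier hunk) and once here; masking `flags` before the CONF_modules_load() call, as that function does internally, would remove both the duplicate lookup and the extra variable. The function's declarations are in the preceding hunk and its start is outside this one.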
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index ce09fae7d3..5007a726d2 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -89,6 +89,7 @@ static int provider_conf_load(OPENSSL_CTX *libctx, const char *name,
if (!ecmds) {
CRYPTOerr(CRYPTO_F_PROVIDER_CONF_LOAD, CRYPTO_R_PROVIDER_SECTION_ERROR);
+ ERR_add_error_data(3, "section=", value, " not found");
return 0;
}
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod
index ba2c8b68b5..7e99bb9d5a 100644
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@@ -24,7 +24,8 @@ library context B<libctx> file B<filename> and application name B<appname>.
If B<filename> is NULL the standard OpenSSL configuration file is used.
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
used.
-The behaviour can be customized using B<flags>.
+The behaviour can be customized using B<flags>. Note that, the error suppressing
+can be overriden by B<config_diagnostics> as described in L<config(5)>.
CONF_modules_load_file() is the same as CONF_modules_load_file_with_libctx() but
has a NULL library context.
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 2618cef588..46d60f6ced 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -160,6 +160,12 @@ how to configure any modules in the library. It is not an error to leave
any module in its default configuration. An application can specify a
different name by calling CONF_modules_load_file(), for example, directly.
+OpenSSL also looks up the value of B<config_diagnostics>.
+If this exists and has a nonzero numeric value, any error suppressing flags
+passed to CONF_modules_load() will be ignored.
+This is useful for diagnosing misconfigurations and should not be used in
+production.
+
# This must be in the default section
openssl_conf = openssl_init
@@ -482,6 +488,7 @@ L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
L<openssl-fipsinstall(1)>,
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
+L<CONF_modules_load(3)>,
L<CONF_modules_load_file(3)>,
L<fips_config(5)>, and
L<x509v3_config(5)>.