conf: add diagnostic option

Add an option to configuration files "config_diagnostics" that when set to a non-zero value, overrides the error ignoring flags. The outcome is that diagnostic option is produced when e.g. sections are missing. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12663)
2025-04-06 20:20:50 +08:00 · 2020-08-26 13:41:30 +10:00 · 2020-08-26 13:41:30 +10:00 · 33855c0af6
commit 33855c0af6
parent 3d94185718
3 changed files with 30 additions and 4 deletions
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@ -79,6 +79,18 @@ static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
 static CONF_MODULE *module_load_dso(const CONF *cnf, const char *name,
                                    const char *value);

+static int conf_diagnostics(const CONF *cnf)
+{
+    long int lflag = 0;
+    int res;
+
+    ERR_set_mark();
+    res = NCONF_get_number(cnf, NULL, "config_diagnostics", &lflag)
+          && lflag != 0;
+    ERR_pop_to_mark();
+    return res;
+}
+
 /* Main function: load modules from a CONF structure */

 int CONF_modules_load(const CONF *cnf, const char *appname,
@ -87,12 +99,17 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
    STACK_OF(CONF_VALUE) *values;
    CONF_VALUE *vl;
    char *vsection = NULL;
-
    int ret, i;

    if (!cnf)
        return 1;

+    if (conf_diagnostics(cnf))
+        flags &= ~(CONF_MFLAGS_IGNORE_ERRORS
+                   | CONF_MFLAGS_IGNORE_RETURN_CODES
+                   | CONF_MFLAGS_SILENT
+                   | CONF_MFLAGS_IGNORE_MISSING_FILE);
+
    if (appname)
        vsection = NCONF_get_string(cnf, NULL, appname);

@ -135,7 +152,7 @@ int CONF_modules_load_file_with_libctx(OPENSSL_CTX *libctx,
 {
    char *file = NULL;
    CONF *conf = NULL;
-    int ret = 0;
+    int ret = 0, diagnostics = 0;

    conf = NCONF_new_with_libctx(libctx, NULL);
    if (conf == NULL)
@ -159,13 +176,14 @@ int CONF_modules_load_file_with_libctx(OPENSSL_CTX *libctx,
    }

    ret = CONF_modules_load(conf, appname, flags);
+    diagnostics = conf_diagnostics(conf);

 err:
    if (filename == NULL)
        OPENSSL_free(file);
    NCONF_free(conf);

-    if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES)
+    if ((flags & CONF_MFLAGS_IGNORE_RETURN_CODES) != 0 && !diagnostics)
        return 1;

    return ret;
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@ -24,7 +24,8 @@ library context B<libctx> file B<filename> and application name B<appname>.
 If B<filename> is NULL the standard OpenSSL configuration file is used.
 If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
 used.
-The behaviour can be customized using B<flags>.
+The behaviour can be customized using B<flags>. Note that, the error suppressing
+can be overriden by B<config_diagnostics> as described in L<config(5)>.

 CONF_modules_load_file() is the same as CONF_modules_load_file_with_libctx() but
 has a NULL library context.
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@ -160,6 +160,12 @@ how to configure any modules in the library. It is not an error to leave
 any module in its default configuration. An application can specify a
 different name by calling CONF_modules_load_file(), for example, directly.

+OpenSSL also looks up the value of B<config_diagnostics>.
+If this exists and has a nonzero numeric value, any error suppressing flags
+passed to CONF_modules_load() will be ignored.
+This is useful for diagnosing misconfigurations and should not be used in
+production.
+
 # This must be in the default section
 openssl_conf = openssl_init

@ -482,6 +488,7 @@ L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
 L<openssl-fipsinstall(1)>,
 L<ASN1_generate_nconf(3)>,
 L<EVP_set_default_properties(3)>,
+L<CONF_modules_load(3)>,
 L<CONF_modules_load_file(3)>,
 L<fips_config(5)>, and
 L<x509v3_config(5)>.