diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c index 07110d8502a4e79175d8c439c51c4d05e16155bb..4ae7bd234271d1f88f12adda7222e26a06bdb3b0 100644 --- a/crypto/conf/conf_lib.c +++ b/crypto/conf/conf_lib.c @@ -358,11 +358,36 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void) if (ret != NULL) memset(ret, 0, sizeof(*ret)); + ret->flags = DEFAULT_CONF_MFLAGS; + return ret; } #ifndef OPENSSL_NO_STDIO +int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, + const char *filename) +{ + char *newfilename = NULL; + + if (filename != NULL) { + newfilename = strdup(filename); + if (newfilename == NULL) + return 0; + } + + free(settings->filename); + settings->filename = newfilename; + + return 1; +} + +void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings, + unsigned long flags) +{ + settings->flags = flags; +} + int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings, const char *appname) { @@ -383,6 +408,7 @@ int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings, void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings) { + free(settings->filename); free(settings->appname); free(settings); } diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index 51f262e774dd60db355b0c8ea93b7c287842ee0f..f1794e21581a50108022c3b24872814da18dd709 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -142,6 +142,9 @@ int CONF_modules_load_file(const char *filename, const char *appname, OPENSSL_free(file); NCONF_free(conf); + if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES) + return 1; + return ret; } diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c index 3d2e065e5b07c54d42c46b11d8f0830fe257bdaf..a3306d02dd17552d911fce5cba1544c1446bb996 100644 --- a/crypto/conf/conf_sap.c +++ b/crypto/conf/conf_sap.c @@ -39,10 +39,24 @@ void OPENSSL_config(const char *appname) } #endif -void openssl_config_int(const char *appname) +int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings) { + int ret; + const char *filename; + const char *appname; + unsigned long flags; + if (openssl_configured) - return; + return 1; + + filename = settings ? settings->filename : NULL; + appname = settings ? settings->appname : NULL; + flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS; + +#ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n", + filename, appname, flags); +#endif OPENSSL_load_builtin_modules(); #ifndef OPENSSL_NO_ENGINE @@ -51,11 +65,10 @@ void openssl_config_int(const char *appname) #endif ERR_clear_error(); #ifndef OPENSSL_SYS_UEFI - CONF_modules_load_file(NULL, appname, - CONF_MFLAGS_DEFAULT_SECTION | - CONF_MFLAGS_IGNORE_MISSING_FILE); + ret = CONF_modules_load_file(filename, appname, flags); #endif openssl_configured = 1; + return ret; } void openssl_no_config_int(void) diff --git a/crypto/err/err.c b/crypto/err/err.c index aef2543d60b04494b258ec7417de1f5dd25f9fea..7bac6776c82fda5416087c454fe98d288972aac0 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -741,6 +741,18 @@ int err_shelve_state(void **state) { int saveerrno = get_last_sys_error(); + /* + * Note, at present our only caller is OPENSSL_init_crypto(), indirectly + * via ossl_init_load_crypto_nodelete(), by which point the requested + * "base" initialization has already been performed, so the below call is a + * NOOP, that re-enters OPENSSL_init_crypto() only to quickly return. + * + * If are no other valid callers of this function, the call below can be + * removed, avoiding the re-entry into OPENSSL_init_crypto(). If there are + * potential uses that are not from inside OPENSSL_init_crypto(), then this + * call is needed, but some care is required to make sure that the re-entry + * remains a NOOP. + */ if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) return 0; diff --git a/crypto/init.c b/crypto/init.c index 46ba67d3e406b362315bf4d453bf9f1c7de10a46..c881fc7382d1c22af0231973cac7833137094c0b 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -288,17 +288,12 @@ DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_digests, static CRYPTO_ONCE config = CRYPTO_ONCE_STATIC_INIT; static int config_inited = 0; -static const char *appname; +static const OPENSSL_INIT_SETTINGS *conf_settings = NULL; DEFINE_RUN_ONCE_STATIC(ossl_init_config) { -#ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, - "OPENSSL_INIT: ossl_init_config: openssl_config(%s)\n", - appname == NULL ? "NULL" : appname); -#endif - openssl_config_int(appname); + int ret = openssl_config_int(conf_settings); config_inited = 1; - return 1; + return ret; } DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_config, ossl_init_config) { @@ -631,9 +626,28 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) return 0; } + /* + * When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the + * *only* option specified. With that option we return immediately after + * doing the requested limited initialization. Note that + * err_shelve_state() called by us via ossl_init_load_crypto_nodelete() + * re-enters OPENSSL_init_crypto() with OPENSSL_INIT_BASE_ONLY, but with + * base already initialized this is a harmless NOOP. + * + * If we remain the only caller of err_shelve_state() the recursion should + * perhaps be removed, but if in doubt, it can be left in place. + */ if (!RUN_ONCE(&base, ossl_init_base)) return 0; + if (opts & OPENSSL_INIT_BASE_ONLY) + return 1; + /* + * Now we don't always set up exit handlers, the INIT_BASE_ONLY calls + * should not have the side-effect of setting up exit handlers, and + * therefore, this code block is below the INIT_BASE_ONLY-conditioned early + * return above. + */ if ((opts & OPENSSL_INIT_NO_ATEXIT) != 0) { if (!RUN_ONCE_ALT(®ister_atexit, ossl_init_no_register_atexit, ossl_init_register_atexit)) @@ -642,9 +656,7 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) return 0; } - if (!(opts & OPENSSL_INIT_BASE_ONLY) - && !RUN_ONCE(&load_crypto_nodelete, - ossl_init_load_crypto_nodelete)) + if (!RUN_ONCE(&load_crypto_nodelete, ossl_init_load_crypto_nodelete)) return 0; if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) @@ -686,8 +698,9 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) if (opts & OPENSSL_INIT_LOAD_CONFIG) { int ret; CRYPTO_THREAD_write_lock(init_lock); - appname = (settings == NULL) ? NULL : settings->appname; + conf_settings = settings; ret = RUN_ONCE(&config, ossl_init_config); + conf_settings = NULL; CRYPTO_THREAD_unlock(init_lock); if (!ret) return 0; diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod index ecf294a2c60dcf01b5e9f66f88b65b9d7c59eef5..211eca06fac8b0bd9578aadf358163008c602222 100644 --- a/doc/man3/CONF_modules_load_file.pod +++ b/doc/man3/CONF_modules_load_file.pod @@ -28,13 +28,21 @@ reads configuration information from B. The following B are currently recognized: -B if set errors returned by individual +If B is set errors returned by individual configuration modules are ignored. If not set the first module error is considered fatal and no further modules are loaded. Normally any modules errors will add error information to the error queue. If B is set no error information is added. +If B is set the function unconditionally +returns success. +This is used by default in L to ignore any errors in +the default system-wide configuration file, as having all OpenSSL applications +fail to start when there are potentially minor issues in the file is too risky. +Applications calling B explicitly should not generally +set this flag. + If B is set configuration module loading from DSOs is disabled. diff --git a/doc/man3/OPENSSL_init_crypto.pod b/doc/man3/OPENSSL_init_crypto.pod index b53ab6bd10957d37b395a0604ed55387946bff49..a6425265a9d7c3bb6fd7a2a7c9cd926c546bfa89 100644 --- a/doc/man3/OPENSSL_init_crypto.pod +++ b/doc/man3/OPENSSL_init_crypto.pod @@ -2,10 +2,11 @@ =head1 NAME -OPENSSL_INIT_new, OPENSSL_INIT_set_config_appname, OPENSSL_INIT_free, -OPENSSL_init_crypto, OPENSSL_cleanup, -OPENSSL_atexit, OPENSSL_thread_stop - OpenSSL -initialisation and deinitialisation functions +OPENSSL_INIT_new, OPENSSL_INIT_set_config_filename, +OPENSSL_INIT_set_config_appname, OPENSSL_INIT_set_config_file_flags, +OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit, +OPENSSL_thread_stop - OpenSSL initialisation +and deinitialisation functions =head1 SYNOPSIS @@ -17,6 +18,10 @@ initialisation and deinitialisation functions void OPENSSL_thread_stop(void); OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void); + int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *init, + const char* filename); + int OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *init, + unsigned long flags); int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init, const char* name); void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init); @@ -96,7 +101,7 @@ B will be ignored. With this option an OpenSSL configuration file will be automatically loaded and used by calling OPENSSL_config(). This is not a default option for libcrypto. -From OpenSSL 1.1.1 this is a default option for libssl (see +As of OpenSSL 1.1.1 this is a default option for libssl (see L for further details about libssl initialisation). See the description of OPENSSL_INIT_new(), below. @@ -203,12 +208,22 @@ the library when the thread exits. This should only be called directly if resources should be freed at an earlier time, or under the circumstances described in the NOTES section below. -The B flag will load a default configuration -file. For optional configuration file settings, an B -must be created and used. -The routines OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can -be used to allocate the object and set the application name, and then the -object can be released with OPENSSL_INIT_free() when done. +The B flag will load a configuration file, as with +L with NULL filename and application name and the +B, B and +B flags. +The filename, application name, and flags can be customized by providing a +non-null B object. +The object can be allocated via B. +The B function can be used to specify a +non-default filename, which is copied and need not refer to persistent storage. +Similarly, OPENSSL_INIT_set_config_appname() can be used to specify a +non-default application name. +Finally, OPENSSL_INIT_set_file_flags can be used to specify non-default flags. +If the B flag is not included, any errors in +the configuration file will cause an error return from B +or indirectly L. +The object can be released with OPENSSL_INIT_free() when done. =head1 NOTES diff --git a/include/internal/conf.h b/include/internal/conf.h index dc1e72508ace59b74c9dc87b3a78d49707b3209d..0b818c6d926ddf1ac5e0ee1b5a0de5583b120d61 100644 --- a/include/internal/conf.h +++ b/include/internal/conf.h @@ -12,11 +12,18 @@ #include +#define DEFAULT_CONF_MFLAGS \ + (CONF_MFLAGS_DEFAULT_SECTION | \ + CONF_MFLAGS_IGNORE_MISSING_FILE | \ + CONF_MFLAGS_IGNORE_RETURN_CODES) + struct ossl_init_settings_st { + char *filename; char *appname; + unsigned long flags; }; -void openssl_config_int(const char *appname); +int openssl_config_int(const OPENSSL_INIT_SETTINGS *); void openssl_no_config_int(void); void conf_modules_free_int(void); diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index d23d9b315672fab071400fbc94e64dff5651ec43..150fc1ae5481bf0b610f6383c177ad72d3e14c85 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -397,8 +397,12 @@ void OPENSSL_thread_stop(void); /* Low-level control of initialization */ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void); # ifndef OPENSSL_NO_STDIO +int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, + const char *config_filename); +void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings, + unsigned long flags); int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings, - const char *config_file); + const char *config_appname); # endif void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings); diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index 96526472c57e3a8bf235aaba559e5583a33839e6..e8353ecd4253e8a93665e31d427280e6f21c9eef 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -195,13 +195,14 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings) return 0; } - if (!OPENSSL_init_crypto(opts + opts |= OPENSSL_INIT_ADD_ALL_CIPHERS + | OPENSSL_INIT_ADD_ALL_DIGESTS; #ifndef OPENSSL_NO_AUTOLOAD_CONFIG - | OPENSSL_INIT_LOAD_CONFIG + if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0) + opts |= OPENSSL_INIT_LOAD_CONFIG; #endif - | OPENSSL_INIT_ADD_ALL_CIPHERS - | OPENSSL_INIT_ADD_ALL_DIGESTS, - settings)) + + if (!OPENSSL_init_crypto(opts, settings)) return 0; if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base)) diff --git a/util/libcrypto.num b/util/libcrypto.num index bad3a3814ecdc1ba7f16bb395dd93c7b1907c980..32c64cb2c7933256d04e62616af5d5234f9dbd69 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4577,3 +4577,5 @@ OCSP_resp_get0_respdata 4530 1_1_0j EXIST::FUNCTION:OCSP EVP_MD_CTX_set_pkey_ctx 4531 1_1_1 EXIST::FUNCTION: EVP_PKEY_meth_set_digest_custom 4532 1_1_1 EXIST::FUNCTION: EVP_PKEY_meth_get_digest_custom 4533 1_1_1 EXIST::FUNCTION: +OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO +OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO