static CONF_MODULE *module_load_dso(const CONF *cnf, const char *name,
const char *value);
+static int conf_diagnostics(const CONF *cnf)
+{
+ long int lflag = 0;
+ int res;
+
+ ERR_set_mark();
+ res = NCONF_get_number(cnf, NULL, "config_diagnostics", &lflag)
+ && lflag != 0;
+ ERR_pop_to_mark();
+ return res;
+}
+
/* Main function: load modules from a CONF structure */
int CONF_modules_load(const CONF *cnf, const char *appname,
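Review bot: conf_diagnostics() has no comment stating what it returns or why the error mark is set and popped around the lookup. As written, `res` is nonzero only when NCONF_get_number() succeeds and the value is nonzero, so a missing setting counts as "off", and so does any value the lookup rejects, with the recorded error discarded. A mistyped setting would therefore leave error suppression on without any trace, which is worth spelling out for whoever relies on this switch during troubleshooting. I would add above the function: `/* Returns 1 only if config_diagnostics is set to a nonzero number; a missing or unreadable value counts as off and the lookup error is dropped. */`. The lookup passes NULL as the section, presumably the default section; the comment should say which section is consulted.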
STACK_OF(CONF_VALUE) *values;
CONF_VALUE *vl;
char *vsection = NULL;
-
int ret, i;
if (!cnf)
return 1;
+ if (conf_diagnostics(cnf))
+ flags &= ~(CONF_MFLAGS_IGNORE_ERRORS
+ | CONF_MFLAGS_IGNORE_RETURN_CODES
+ | CONF_MFLAGS_SILENT
+ | CONF_MFLAGS_IGNORE_MISSING_FILE);
+
if (appname)
vsection = NCONF_get_string(cnf, NULL, appname);
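Review bot: The `flags &= ~(...)` block lets a value read from the configuration file override flags chosen by the calling application, and nothing at the site says that this is intended. The direction is fail-closed (errors are reported rather than hidden), but an application that passes `CONF_MFLAGS_IGNORE_ERRORS` so it can still start with a damaged configuration will now fail to load instead. A short comment makes the trade-off explicit, e.g. `/* config_diagnostics in the file overrides the caller's error-suppression flags */`. `CONF_MFLAGS_IGNORE_MISSING_FILE` is cleared as well although `cnf` is already loaded when this runs, so it looks like a no-op here unless `flags` is forwarded further. The rest of the function body is outside the hunk.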
{
char *file = NULL;
CONF *conf = NULL;
- int ret = 0;
+ int ret = 0, diagnostics = 0;
conf = NCONF_new_with_libctx(libctx, NULL);
if (conf == NULL)
}
ret = CONF_modules_load(conf, appname, flags);
+ diagnostics = conf_diagnostics(conf);
err:
if (filename == NULL)
OPENSSL_free(file);
NCONF_free(conf);
- if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES)
+ if ((flags & CONF_MFLAGS_IGNORE_RETURN_CODES) != 0 && !diagnostics)
return 1;
return ret;
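Review bot: `diagnostics` is assigned only after CONF_modules_load() returns, so any earlier `goto err` leaves it 0 and the `CONF_MFLAGS_IGNORE_RETURN_CODES` branch still returns 1. The jumps to `err:` are outside the hunk, but if one of them is a failed load or parse of the file, then a broken configuration file is still reported as success even when the file asks for diagnostics. That is probably unavoidable, since the setting lives in the file that could not be read, but it should be stated above the assignment, e.g. `/* stays 0 if the file could not be loaded: load failures remain suppressible */`, and in the manual text. The second conf_diagnostics() call is needed because `flags` is passed by value to CONF_modules_load(), so the cleared bits never reach this function; a few words on that would help too.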
If B<filename> is NULL the standard OpenSSL configuration file is used.
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
used.
-The behaviour can be customized using B<flags>.
+The behaviour can be customized using B<flags>. Note that, the error suppressing
+can be overriden by B<config_diagnostics> as described in L<config(5)>.
CONF_modules_load_file() is the same as CONF_modules_load_file_with_libctx() but
has a NULL library context.
any module in its default configuration. An application can specify a
different name by calling CONF_modules_load_file(), for example, directly.
+OpenSSL also looks up the value of B<config_diagnostics>.
+If this exists and has a nonzero numeric value, any error suppressing flags
+passed to CONF_modules_load() will be ignored.
+This is useful for diagnosing misconfigurations and should not be used in
+production.
+
# This must be in the default section
openssl_conf = openssl_init
L<openssl-fipsinstall(1)>,
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
+L<CONF_modules_load(3)>,
L<CONF_modules_load_file(3)>,
L<fips_config(5)>, and
L<x509v3_config(5)>.