leviathan
/
openssl
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

APPS: Allow OPENSSL_CONF to be empty, not loading a config file

Browse Source 
Also document the function CONF_get1_default_config_file()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
master
Dr. David von Oheimb 3 years ago committed by Dr. David von Oheimb
parent ec2bfb7d23
commit 1579594383
14 changed files with 67 additions and 76 deletions
Show Stats Download Patch File Download Diff File

4
apps/ca.c
Unescape Escape View File

@ -494,9 +494,7 @@ end_of_options:
argc = opt_num_rest();
argv = opt_rest();
BIO_printf(bio_err, "Using configuration from %s\n", configfile);
if ((conf = app_load_config(configfile)) == NULL)
if ((conf = app_load_config_verbose(configfile, 1)) == NULL)
goto end;
if (configfile != default_config_file && !app_load_modules(conf))
goto end;

8
apps/include/apps.h
Unescape Escape View File

@ -48,7 +48,7 @@
void app_RAND_load_conf(CONF *c, const char *section);
void app_RAND_write(void);
extern char *default_config_file;
extern char *default_config_file; /* may be "" */
extern BIO *bio_in;
extern BIO *bio_out;
extern BIO *bio_err;
@ -63,8 +63,10 @@ BIO *bio_open_owner(const char *filename, int format, int private);
BIO *bio_open_default(const char *filename, char mode, int format);
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
CONF *app_load_config_bio(BIO *in, const char *filename);
CONF *app_load_config(const char *filename);
CONF *app_load_config_quiet(const char *filename);
#define app_load_config(filename) app_load_config_internal(filename, 0)
#define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
CONF *app_load_config_internal(const char *filename, int quiet);
CONF *app_load_config_verbose(const char *filename, int verbose);
int app_load_modules(const CONF *config);
CONF *app_load_config_modules(const char *configfile);
void unbuffer(FILE *fp);

37
apps/lib/apps.c
Unescape Escape View File

@ -54,6 +54,9 @@ static int WIN32_rename(const char *from, const char *to);
# define _kbhit kbhit
#endif
static BIO *bio_open_default_(const char *filename, char mode, int format,
int quiet);
#define PASS_SOURCE_SIZE_MAX 4
DEFINE_STACK_OF(CONF)
@ -379,29 +382,25 @@ CONF *app_load_config_bio(BIO *in, const char *filename)
return NULL;
}
CONF *app_load_config(const char *filename)
CONF *app_load_config_verbose(const char *filename, int verbose)
{
BIO *in;
CONF *conf;
in = bio_open_default(filename, 'r', FORMAT_TEXT);
if (in == NULL)
return NULL;
conf = app_load_config_bio(in, filename);
BIO_free(in);
return conf;
if (verbose) {
if (*filename == '\0')
BIO_printf(bio_err, "No configuration used\n");
else
BIO_printf(bio_err, "Using configuration from %s\n", filename);
}
return app_load_config_internal(filename, 0);
}
CONF *app_load_config_quiet(const char *filename)
CONF *app_load_config_internal(const char *filename, int quiet)
{
BIO *in;
BIO *in = NULL; /* leads to empty config in case filename == "" */
CONF *conf;
in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT);
if (in == NULL)
if (*filename != '\0'
&& (in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL)
return NULL;
conf = app_load_config_bio(in, filename);
BIO_free(in);
return conf;
@ -457,9 +456,7 @@ CONF *app_load_config_modules(const char *configfile)
CONF *conf = NULL;
if (configfile != NULL) {
BIO_printf(bio_err, "Using configuration from %s\n", configfile);
if ((conf = app_load_config(configfile)) == NULL)
if ((conf = app_load_config_verbose(configfile, 1)) == NULL)
return NULL;
if (configfile != default_config_file && !app_load_modules(conf)) {
NCONF_free(conf);
@ -2789,7 +2786,7 @@ static BIO *bio_open_default_(const char *filename, char mode, int format,
if (ret != NULL)
return ret;
BIO_printf(bio_err,
"Can't open %s for %s, %s\n",
"Can't open \"%s\" for %s, %s\n",
filename, modeverb(mode), strerror(errno));
}
ERR_print_errors(bio_err);

40
apps/req.c
Unescape Escape View File

@ -466,9 +466,7 @@ int req_main(int argc, char **argv)
goto end;
}
if (verbose)
BIO_printf(bio_err, "Using configuration from %s\n", template);
if ((req_conf = app_load_config(template)) == NULL)
if ((req_conf = app_load_config_verbose(template, verbose)) == NULL)
goto end;
if (addext_bio != NULL) {
if (verbose)
@ -635,7 +633,7 @@ int req_main(int argc, char **argv)
if (genctx == NULL) {
genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
&keyalgstr, gen_eng);
if (!genctx)
if (genctx == NULL)
goto end;
}
@ -645,7 +643,6 @@ int req_main(int argc, char **argv)
genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
if (pkey_ctrl_string(genctx, genopt) <= 0) {
BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
ERR_print_errors(bio_err);
goto end;
}
}
@ -743,7 +740,6 @@ int req_main(int argc, char **argv)
if ((x509ss = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
/* Set version to V3 */
if (serial != NULL) {
if (!X509_set_serialNumber(x509ss, serial))
goto end;
@ -768,7 +764,6 @@ int req_main(int argc, char **argv)
goto end;
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, X509V3_CTX_REPLACE);
X509V3_set_nconf(&ext_ctx, req_conf);
@ -797,10 +792,8 @@ int req_main(int argc, char **argv)
}
i = do_X509_sign(x509ss, pkey, digest, sigopts, &ext_ctx);
if (!i) {
ERR_print_errors(bio_err);
if (!i)
goto end;
}
} else {
X509V3_CTX ext_ctx;
@ -824,10 +817,8 @@ int req_main(int argc, char **argv)
goto end;
}
i = do_X509_REQ_sign(req, pkey, digest, sigopts);
if (!i) {
ERR_print_errors(bio_err);
if (!i)
goto end;
}
}
}
@ -893,7 +884,6 @@ int req_main(int argc, char **argv)
if (tpubkey == NULL) {
BIO_printf(bio_err, "Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(out, tpubkey);
@ -911,7 +901,6 @@ int req_main(int argc, char **argv)
else
BIO_printf(bio_err, "Error printing certificate request\n");
ERR_print_errors(bio_err);
goto end;
}
}
@ -1008,7 +997,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
{
int ret = 0, i;
char no_prompt = 0;
STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
STACK_OF(CONF_VALUE) *dn_sk = NULL, *attr_sk = NULL;
char *tmp, *dn_sect, *attr_sect;
tmp = NCONF_get_string(req_conf, section, PROMPT);
@ -1019,20 +1008,18 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME);
if (dn_sect == NULL) {
BIO_printf(bio_err, "unable to find '%s' in config\n",
DISTINGUISHED_NAME);
goto err;
}
dn_sk = NCONF_get_section(req_conf, dn_sect);
if (dn_sk == NULL) {
BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
goto err;
ERR_clear_error();
} else {
dn_sk = NCONF_get_section(req_conf, dn_sect);
if (dn_sk == NULL) {
BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
goto err;
}
}
attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES);
if (attr_sect == NULL) {
ERR_clear_error();
attr_sk = NULL;
} else {
attr_sk = NCONF_get_section(req_conf, attr_sect);
if (attr_sk == NULL) {
@ -1583,20 +1570,17 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
if (gctx == NULL) {
BIO_puts(bio_err, "Error allocating keygen context\n");
ERR_print_errors(bio_err);
return NULL;
}
if (EVP_PKEY_keygen_init(gctx) <= 0) {
BIO_puts(bio_err, "Error initializing keygen context\n");
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(gctx);
return NULL;
}
if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
BIO_puts(bio_err, "Error setting RSA keysize\n");
ERR_print_errors(bio_err);
EVP_PKEY_CTX_free(gctx);
return NULL;
}

5
apps/srp.c
Unescape Escape View File

@ -338,10 +338,7 @@ int srp_main(int argc, char **argv)
if (configfile == NULL)
configfile = default_config_file;
if (verbose)
BIO_printf(bio_err, "Using configuration from %s\n",
configfile);
conf = app_load_config(configfile);
conf = app_load_config_verbose(configfile, verbose);
if (conf == NULL)
goto end;
if (configfile != default_config_file && !app_load_modules(conf))

4
crypto/conf/conf_api.c
Unescape Escape View File

@ -27,7 +27,7 @@ CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section)
return NULL;
vv.name = NULL;
vv.section = (char *)section;
return lh_CONF_VALUE_retrieve(conf->data, &vv);
return conf->data != NULL ? lh_CONF_VALUE_retrieve(conf->data, &vv) : NULL;
}
STACK_OF(CONF_VALUE) *_CONF_get_section_values(const CONF *conf,
@ -72,6 +72,8 @@ char *_CONF_get_string(const CONF *conf, const char *section,
return NULL;
if (conf == NULL)
return ossl_safe_getenv(name);
if (conf->data == NULL)
return NULL;
if (section != NULL) {
vv.name = (char *)name;
vv.section = (char *)section;

5
crypto/conf/conf_def.c
Unescape Escape View File

@ -239,11 +239,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
p = &(buff->data[bufnum]);
*p = '\0';
read_retry:
BIO_gets(in, p, CONFBUFSIZE - 1);
if (in != NULL && BIO_gets(in, p, CONFBUFSIZE - 1) < 0)
goto err;
p[CONFBUFSIZE - 1] = '\0';
ii = i = strlen(p);
if (i == 0 && !again) {
/* the currently processed BIO is at EOF */
/* the currently processed BIO is NULL or at EOF */
BIO *parent;
#ifndef OPENSSL_NO_POSIX_IO

11
crypto/conf/conf_mod.c
Unescape Escape View File

@ -156,11 +156,6 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
CONF *conf = NULL;
int ret = 0, diagnostics = 0;
ERR_set_mark();
conf = NCONF_new_ex(libctx, NULL);
if (conf == NULL)
goto err;
if (filename == NULL) {
file = CONF_get1_default_config_file();
if (file == NULL)
@ -169,6 +164,11 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
file = (char *)filename;
}
ERR_set_mark();
conf = NCONF_new_ex(libctx, NULL);
if (conf == NULL)
goto err;
if (NCONF_load(conf, file, NULL) <= 0) {
if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) &&
(ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE)) {
@ -539,7 +539,6 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
}
/* Return default config file name */
char *CONF_get1_default_config_file(void)
{
const char *t;

11
doc/man1/openssl.pod
Unescape Escape View File

@ -83,10 +83,13 @@ Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The default name of the file is F<openssl.cnf> in the default certificate
storage area, which can be determined from the L<openssl-version(1)>
command. This can be used to load modules.
The environment variable B<OPENSSL_CONF> can be used to specify
a different location of the file.
See L<openssl-env(7)>.
command using the B<-d> or B<-a> option.
The environment variable B<OPENSSL_CONF> can be used to specify a different
file location or to disable loading a configuration (using the empty string).
Among others, the configuration file can be used to load modules
and to specify parameters for generating certificates and random numbers.
See L<config(5)> for details.
=head2 Standard Commands

12
doc/man3/CONF_modules_load_file.pod
Unescape Escape View File

@ -2,6 +2,7 @@
=head1 NAME
CONF_get1_default_config_file,
CONF_modules_load_file_ex, CONF_modules_load_file, CONF_modules_load
- OpenSSL configuration functions
@ -9,6 +10,7 @@ CONF_modules_load_file_ex, CONF_modules_load_file, CONF_modules_load
#include <openssl/conf.h>
char *CONF_get1_default_config_file(void);
int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
const char *appname, unsigned long flags);
int CONF_modules_load_file(const char *filename, const char *appname,
@ -18,9 +20,17 @@ CONF_modules_load_file_ex, CONF_modules_load_file, CONF_modules_load
=head1 DESCRIPTION
The function CONF_get1_default_config_file() determines the default
configuration file pathname as follows.
If the B<OPENSSL_CONF> environment variable is set its value is returned.
Else the function returns the path obtained using
L<X509_get_default_cert_area(3)> with the filename C<"openssl.cnf"> appended.
The caller is responsible for freeing any string returned.
The function CONF_modules_load_file_ex() configures OpenSSL using
library context B<libctx> file B<filename> and application name B<appname>.
If B<filename> is NULL the standard OpenSSL configuration file is used.
If B<filename> is NULL the standard OpenSSL configuration file is used
as determined by calling CONF_get1_default_config_file().
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
used.
The behaviour can be customized using B<flags>. Note that, the error suppressing

2
doc/man5/config.pod
Unescape Escape View File

@ -502,7 +502,7 @@ F<sample>.
=item B<OPENSSL_CONF>
The path to the config file.
The path to the config file, or the empty string for none.
Ignored in set-user-ID and set-group-ID programs.
=item B<OPENSSL_ENGINES>

2
doc/man7/openssl-env.pod
Unescape Escape View File

@ -28,7 +28,7 @@ and by the B<CA.pl> script (see L<CA.pl(1)/NOTES>
Specifies the path to a configuration file and the directory for
included files.
See L<openssl(1)> and L<config(5)>.
See L<config(5)>.
=item B<OPENSSL_CONFIG>

1
util/missingcrypto.txt
Unescape Escape View File

@ -379,7 +379,6 @@ COMP_zlib(3)
CONF_dump_bio(3)
CONF_dump_fp(3)
CONF_free(3)
CONF_get1_default_config_file(3)
CONF_get_number(3)
CONF_get_section(3)
CONF_get_string(3)

1
util/missingcrypto111.txt
Unescape Escape View File

@ -403,7 +403,6 @@ COMP_zlib(3)
CONF_dump_bio(3)
CONF_dump_fp(3)
CONF_free(3)
CONF_get1_default_config_file(3)
CONF_get_number(3)
CONF_get_section(3)
CONF_get_string(3)

Write Preview
Loading…
Cancel
Save