Add support for passing the libctx to the config loader

The self tests for the fips module are triggered on startup and they need to know the
core's libctx in order to function correctly. As the provider can be autoloaded via configuration
it then needs to propagate the callers libctx down to the provider via the config load.

Note that OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, ..) is still called, but will only load the default
configuration if the OPENSSL_CONF environment variable is set.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11240)

4 files changed, 98 insertions, 23 deletions

diff --git a/doc/man3/CONF_modules_free.pod b/doc/man3/CONF_modules_free.pod
index 592189d600..1174bfec51 100644
--- a/doc/man3/CONF_modules_free.pod
+++ b/doc/man3/CONF_modules_free.pod
@@ -39,7 +39,7 @@ None of the functions return a value.
 =head1 SEE ALSO
 
 L<config(5)>, L<OPENSSL_config(3)>,
-L<CONF_modules_load_file(3)>
+L<CONF_modules_load_file_with_libctx(3)>
 
 =head1 HISTORY
 
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod
index c0623eb721..ba2c8b68b5 100644
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@@ -2,12 +2,16 @@
 
 =head1 NAME
 
-CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
+CONF_modules_load_file_with_libctx, CONF_modules_load_file, CONF_modules_load
+- OpenSSL configuration functions
 
 =head1 SYNOPSIS
 
  #include <openssl/conf.h>
 
+ int CONF_modules_load_file_with_libctx(OPENSSL_CTX *libctx,
+                                        const char *filename,
+                                        const char *appname, unsigned long flags);
  int CONF_modules_load_file(const char *filename, const char *appname,
                             unsigned long flags);
  int CONF_modules_load(const CONF *cnf, const char *appname,
@@ -15,12 +19,16 @@ CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
 
 =head1 DESCRIPTION
 
-The function CONF_modules_load_file() configures OpenSSL using file
-B<filename> and application name B<appname>. If B<filename> is NULL
-the standard OpenSSL configuration file is used. If B<appname> is
-NULL the standard OpenSSL application name B<openssl_conf> is used.
+The function CONF_modules_load_file_with_libctx() configures OpenSSL using
+library context B<libctx> file B<filename> and application name B<appname>.
+If B<filename> is NULL the standard OpenSSL configuration file is used.
+If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
+used.
 The behaviour can be customized using B<flags>.
 
+CONF_modules_load_file() is the same as CONF_modules_load_file_with_libctx() but
+has a NULL library context.
+
 CONF_modules_load() is identical to CONF_modules_load_file() except it
 reads configuration information from B<cnf>.
 
@@ -40,8 +48,8 @@ returns success.
 This is used by default in L<OPENSSL_init_crypto(3)> to ignore any errors in
 the default system-wide configuration file, as having all OpenSSL applications
 fail to start when there are potentially minor issues in the file is too risky.
-Applications calling B<CONF_modules_load_file> explicitly should not generally
-set this flag.
+Applications calling B<CONF_modules_load_file_with_libctx> explicitly should not
+generally set this flag.
 
 If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is
 disabled.
@@ -53,10 +61,10 @@ return an error.
 B<CONF_MFLAGS_DEFAULT_SECTION> if set and B<appname> is not NULL will use the
 default section pointed to by B<openssl_conf> if B<appname> does not exist.
 
-By using CONF_modules_load_file() with appropriate flags an application can
-customise application configuration to best suit its needs. In some cases the
-use of a configuration file is optional and its absence is not an error: in
-this case B<CONF_MFLAGS_IGNORE_MISSING_FILE> would be set.
+By using CONF_modules_load_file_with_libctx() with appropriate flags an
+application can customise application configuration to best suit its needs.
+In some cases the use of a configuration file is optional and its absence is not
+an error: in this case B<CONF_MFLAGS_IGNORE_MISSING_FILE> would be set.
 
 Errors during configuration may also be handled differently by different
 applications. For example in some cases an error may simply print out a warning
@@ -78,7 +86,7 @@ return value of the failing module (this will always be zero or negative).
 Load a configuration file and print out any errors and exit (missing file
 considered fatal):
 
- if (CONF_modules_load_file(NULL, NULL, 0) <= 0) {
+ if (CONF_modules_load_file_with_libctx(libctx, NULL, NULL, 0) <= 0) {
      fprintf(stderr, "FATAL: error loading configuration file\n");
      ERR_print_errors_fp(stderr);
      exit(1);
@@ -87,8 +95,8 @@ considered fatal):
 Load default configuration file using the section indicated by "myapp",
 tolerate missing files, but exit on other errors:
 
- if (CONF_modules_load_file(NULL, "myapp",
-                            CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
+ if (CONF_modules_load_file_with_libctx(NULL, NULL, "myapp",
+                                        CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
      fprintf(stderr, "FATAL: error loading configuration file\n");
      ERR_print_errors_fp(stderr);
      exit(1);
@@ -97,8 +105,8 @@ tolerate missing files, but exit on other errors:
 Load custom configuration file and section, only print warnings on error,
 missing configuration file ignored:
 
- if (CONF_modules_load_file("/something/app.cnf", "myapp",
-                            CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
+ if (CONF_modules_load_file_with_libctx(NULL, "/something/app.cnf", "myapp",
+                                        CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
      fprintf(stderr, "WARNING: error loading configuration file\n");
      ERR_print_errors_fp(stderr);
  }
@@ -114,7 +122,7 @@ Load and parse configuration file manually, custom error handling:
      fprintf(stderr, "Error opening configuration file\n");
      /* Other missing configuration file behaviour */
  } else {
-     cnf = NCONF_new(NULL);
+     cnf = NCONF_new_with_libctx(libctx, NULL);
      if (NCONF_load_fp(cnf, fp, &eline) == 0) {
          fprintf(stderr, "Error on line %ld of configuration file\n", eline);
          ERR_print_errors_fp(stderr);
@@ -130,11 +138,13 @@ Load and parse configuration file manually, custom error handling:
 
 =head1 SEE ALSO
 
-L<config(5)>, L<OPENSSL_config(3)>
+L<config(5)>,
+L<OPENSSL_config(3)>,
+L<NCONF_new_with_libctx(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2004-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/NCONF_new_with_libctx.pod b/doc/man3/NCONF_new_with_libctx.pod
new file mode 100644
index 0000000000..b976d7f74c
--- /dev/null
+++ b/doc/man3/NCONF_new_with_libctx.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+NCONF_new_with_libctx, NCONF_new, NCONF_free, NCONF_default, NCONF_load
+- functionality to Load and parse configuration files manually
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ CONF *NCONF_new_with_libctx(OPENSSL_CTX *libctx, CONF_METHOD *meth);
+ CONF *NCONF_new(CONF_METHOD *meth);
+ void NCONF_free(CONF *conf);
+ CONF_METHOD *NCONF_default(void);
+ int NCONF_load(CONF *conf, const char *file, long *eline);
+
+=head1 DESCRIPTION
+
+NCONF_new_with_libctx() creates a new CONF object in heap memory and assigns to
+it a context I<libctx> that can be used during loading. If the method table
+I<meth> is set to NULL then the default value of NCONF_default() is used.
+
+NCONF_new() is similar to NCONF_new_with_libctx() but sets the I<libctx> to NULL.
+
+NCONF_free() frees the data associated with I<conf> and then frees the I<conf>
+object.
+
+NCONF_load() parses the file named I<filename> and adds the values found to
+I<conf>. If an error occurs I<file> and I<eline> list the file and line that
+the load failed on if they are not NULL.
+
+NCONF_default() gets the default method table for processing a configuration file.
+
+=head1 RETURN VALUES
+
+NCONF_load() returns 1 on success or 0 on error.
+
+NCONF_new_with_libctx() and NCONF_new() return a newly created I<CONF> object
+or NULL if an error occurs.
+
+=head1 SEE ALSO
+
+L<CONF_modules_load_file(3)>,
+
+=head1 HISTORY
+
+NCONF_new_with_libctx() was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OPENSSL_CTX.pod b/doc/man3/OPENSSL_CTX.pod
index d574a374d6..3301250756 100644
--- a/doc/man3/OPENSSL_CTX.pod
+++ b/doc/man3/OPENSSL_CTX.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-OPENSSL_CTX, OPENSSL_CTX_new, OPENSSL_CTX_free - OpenSSL library context
+OPENSSL_CTX, OPENSSL_CTX_new, OPENSSL_CTX_free, OPENSSL_CTX_load_config
+- OpenSSL library context
 
 =head1 SYNOPSIS
 
@@ -11,6 +12,7 @@ OPENSSL_CTX, OPENSSL_CTX_new, OPENSSL_CTX_free - OpenSSL library context
  typedef struct openssl_ctx_st OPENSSL_CTX;
 
  OPENSSL_CTX *OPENSSL_CTX_new(void);
+ int OPENSSL_CTX_load_config(OPENSSL_CTX *ctx, const char *config_file);
  void OPENSSL_CTX_free(OPENSSL_CTX *ctx);
 
 =head1 DESCRIPTION
@@ -26,6 +28,10 @@ multi-threaded applications to properly clean up thread local resources before
 the OPENSSL_CTX is freed.
 See L<OPENSSL_thread_stop_ex(3)> for more information.
 
+OPENSSL_CTX_load_config() loads a configuration file using the given C<ctx>.
+This can be used to associate a libctx with providers that are loaded from
+a configuration.
+
 OPENSSL_CTX_free() frees the given C<ctx>.
 
 =head1 RETURN VALUES
@@ -37,12 +43,12 @@ OPENSSL_CTX_free() doesn't return any value.
 
 =head1 HISTORY
 
-OPENSSL_CTX, OPENSSL_CTX_new() and OPENSSL_CTX_free()
+OPENSSL_CTX, OPENSSL_CTX_new(), OPENSSL_CTX_load_config() and OPENSSL_CTX_free()
 were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy