diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2019-01-01 02:53:24 -0500 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2019-01-07 13:53:52 -0500 |
| commit | 25eb9299cec4404a4cdf3167056bd147af2582f3 (patch) | |
| tree | 5ac56b44b67281dc303b00d583418362182cc790 /doc | |
| parent | 1bfd76b3afa0abc275e9a60ee0ea7b22c4fb842a (diff) | |
More configurable crypto and ssl library initialization
1. In addition to overriding the default application name,
one can now also override the configuration file name
and flags passed to CONF_modules_load_file().
2. By default we still keep going when configuration file
processing fails. But, applications that want to be
strict about initialization errors can now make explicit
flag choices via non-null OPENSSL_INIT_SETTINGS that omit
the CONF_MFLAGS_IGNORE_RETURN_CODES flag (which had so far
been both undocumented and unused).
3. In OPENSSL_init_ssl() do not request OPENSSL_INIT_LOAD_CONFIG
if the options already include OPENSSL_INIT_NO_LOAD_CONFIG.
4. Don't set up atexit() handlers when called with opts equal to
OPENSSL_INIT_BASE_ONLY (this flag should only be used alone).
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7969)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man3/CONF_modules_load_file.pod | 10 | ||||
| -rw-r--r-- | doc/man3/OPENSSL_init_crypto.pod | 37 |
2 files changed, 35 insertions, 12 deletions
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod index ecf294a2c6..211eca06fa 100644 --- a/doc/man3/CONF_modules_load_file.pod +++ b/doc/man3/CONF_modules_load_file.pod @@ -28,13 +28,21 @@ reads configuration information from B<cnf>. The following B<flags> are currently recognized: -B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual +If B<CONF_MFLAGS_IGNORE_ERRORS> is set errors returned by individual configuration modules are ignored. If not set the first module error is considered fatal and no further modules are loaded. Normally any modules errors will add error information to the error queue. If B<CONF_MFLAGS_SILENT> is set no error information is added. +If B<CONF_MFLAGS_IGNORE_RETURN_CODES> is set the function unconditionally +returns success. +This is used by default in L<OPENSSL_init_crypto(3)> to ignore any errors in +the default system-wide configuration file, as having all OpenSSL applications +fail to start when there are potentially minor issues in the file is too risky. +Applications calling B<CONF_modules_load_file> explicitly should not generally +set this flag. + If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is disabled. diff --git a/doc/man3/OPENSSL_init_crypto.pod b/doc/man3/OPENSSL_init_crypto.pod index b53ab6bd10..a6425265a9 100644 --- a/doc/man3/OPENSSL_init_crypto.pod +++ b/doc/man3/OPENSSL_init_crypto.pod @@ -2,10 +2,11 @@ =head1 NAME -OPENSSL_INIT_new, OPENSSL_INIT_set_config_appname, OPENSSL_INIT_free, -OPENSSL_init_crypto, OPENSSL_cleanup, -OPENSSL_atexit, OPENSSL_thread_stop - OpenSSL -initialisation and deinitialisation functions +OPENSSL_INIT_new, OPENSSL_INIT_set_config_filename, +OPENSSL_INIT_set_config_appname, OPENSSL_INIT_set_config_file_flags, +OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit, +OPENSSL_thread_stop - OpenSSL initialisation +and deinitialisation functions =head1 SYNOPSIS @@ -17,6 +18,10 @@ initialisation and deinitialisation functions void OPENSSL_thread_stop(void); OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void); + int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *init, + const char* filename); + int OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *init, + unsigned long flags); int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init, const char* name); void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init); @@ -96,7 +101,7 @@ B<OPENSSL_INIT_ADD_ALL_DIGESTS> will be ignored. With this option an OpenSSL configuration file will be automatically loaded and used by calling OPENSSL_config(). This is not a default option for libcrypto. -From OpenSSL 1.1.1 this is a default option for libssl (see +As of OpenSSL 1.1.1 this is a default option for libssl (see L<OPENSSL_init_ssl(3)> for further details about libssl initialisation). See the description of OPENSSL_INIT_new(), below. @@ -203,12 +208,22 @@ the library when the thread exits. This should only be called directly if resources should be freed at an earlier time, or under the circumstances described in the NOTES section below. -The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a default configuration -file. For optional configuration file settings, an B<OPENSSL_INIT_SETTINGS> -must be created and used. -The routines OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can -be used to allocate the object and set the application name, and then the -object can be released with OPENSSL_INIT_free() when done. +The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a configuration file, as with +L<CONF_modules_load_file(3)> with NULL filename and application name and the +B<CONF_MFLAGS_IGNORE_MISSING_FILE>, B<CONF_MFLAGS_IGNORE_RETURN_CODES> and +B<CONF_MFLAGS_DEFAULT_SECTION> flags. +The filename, application name, and flags can be customized by providing a +non-null B<OPENSSL_INIT_SETTINGS> object. +The object can be allocated via B<OPENSSL_init_new()>. +The B<OPENSSL_INIT_set_config_filename()> function can be used to specify a +non-default filename, which is copied and need not refer to persistent storage. +Similarly, OPENSSL_INIT_set_config_appname() can be used to specify a +non-default application name. +Finally, OPENSSL_INIT_set_file_flags can be used to specify non-default flags. +If the B<CONF_MFLAGS_IGNORE_RETURN_CODES> flag is not included, any errors in +the configuration file will cause an error return from B<OPENSSL_init_crypto> +or indirectly L<OPENSSL_init_ssl(3)>. +The object can be released with OPENSSL_INIT_free() when done. =head1 NOTES |