The branch master has been updated
via d19dacd55f03cb36974fe69e6649bca16d80ab35 (commit)
via 09b430cd87bc3b018fb97879eb6a2ea540c8e923 (commit)
via ff215713655e721be505cc884aed5d1230c7759e (commit)
via 242dfd8a1b93326d200383948a8d57db5ce57de0 (commit)
via ac1e85f464568d14962162fe97670a53f11f6bfc (commit)
via 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789 (commit)
via 12aa352f091c25bcc1a8d7518a33e10b9375313f (commit)
from 5303aa51c015ab7590187ac3e441b6d3c47a6e79 (commit)
- Log -----------------------------------------------------------------
commit d19dacd55f03cb36974fe69e6649bca16d80ab35
Author: Pauli <[email protected]>
Date: Thu Jul 8 11:38:06 2021 +1000
doc: document the new opt_legacy_okay() function's behaviour
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
commit 09b430cd87bc3b018fb97879eb6a2ea540c8e923
Author: Pauli <[email protected]>
Date: Thu Jul 8 11:25:11 2021 +1000
app: add library context and propq arguments to opt_md() and opt_cipher()
Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed.
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
commit ff215713655e721be505cc884aed5d1230c7759e
Author: Pauli <[email protected]>
Date: Thu Jul 8 11:24:05 2021 +1000
apps: add a function opt_legacy_okay() that indicates if legacy paths are
permitted or not
By default they are. However, if a provider, provider path or a property
query has been specified
they are not. Likewise, if a library context or a property query has been
specified by the command, they are not.
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
commit 242dfd8a1b93326d200383948a8d57db5ce57de0
Author: Pauli <[email protected]>
Date: Thu Jul 8 11:22:14 2021 +1000
apps: add query to allow a command to know if a provider command line
option was processed
Better fixing:
Fixing #15683
Fixing #15686
Replacing rather than fixing:
Fixing #15414
Since that claims to fix another:
Fixing #15372
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
commit ac1e85f464568d14962162fe97670a53f11f6bfc
Author: Pauli <[email protected]>
Date: Thu Jul 8 11:09:39 2021 +1000
test: make build descriptions more consistent
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
commit 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789
Author: Pauli <[email protected]>
Date: Thu Jul 8 10:55:01 2021 +1000
test: add a shim function for the apps' opt_legacy_okay() function
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
commit 12aa352f091c25bcc1a8d7518a33e10b9375313f
Author: Pauli <[email protected]>
Date: Thu Jul 8 10:53:05 2021 +1000
test: rename apps_mem.c to be apps_shims.c in anticipation of additional
functions
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/16022)
-----------------------------------------------------------------------
Summary of changes:
apps/include/opt.h | 5 +++++
apps/lib/app_provider.c | 13 ++++++++++++
apps/lib/apps.c | 32 ++++++++++++++++++++++++++++++
apps/lib/opt.c | 19 +++++++++++++-----
doc/internal/man3/OPTIONS.pod | 10 +++++++++-
test/build.info | 6 +++---
test/testutil/{apps_mem.c => apps_shims.c} | 26 ++++++++++++++++++++++++
7 files changed, 102 insertions(+), 9 deletions(-)
rename test/testutil/{apps_mem.c => apps_shims.c} (68%)
diff --git a/apps/include/opt.h b/apps/include/opt.h
index ce0e35cd72..4f83a0ed53 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -388,8 +388,13 @@ int opt_pair(const char *arg, const OPT_PAIR * pairs, int
*result);
int opt_verify(int i, X509_VERIFY_PARAM *vpm);
int opt_rand(int i);
int opt_provider(int i);
+int opt_provider_option_given(void);
char **opt_rest(void);
int opt_num_rest(void);
+/* Returns non-zero if legacy paths are still available */
+int opt_legacy_okay(void);
+
+
#endif /* OSSL_APPS_OPT_H */
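Review bot: `opt_provider_option_given()` is declared without the explanatory comment its neighbour `opt_legacy_okay()` gets, and the OPTIONS.pod hunk in this commit does not mention it either, so a reader of the header has to open app_provider.c to learn what it reports. A one-liner above the declaration would do: `/* Returns non-zero if any provider option (-provider, provider path, -propquery) was seen */`. The two blank lines added before `#endif` can also be collapsed to one to match the rest of the header.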
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
index c3100b2fa8..63f78ae07d 100644
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@@ -13,6 +13,9 @@
#include <openssl/provider.h>
#include <openssl/safestack.h>
+/* Non-zero if any of the provider options have been seen */
+static int provider_option_given = 0;
+
DEFINE_STACK_OF(OSSL_PROVIDER)
/*
@@ -64,6 +67,9 @@ static int opt_provider_path(const char *path)
int opt_provider(int opt)
{
+ const int given = provider_option_given;
+
+ provider_option_given = 1;
switch ((enum prov_range)opt) {
case OPT_PROV__FIRST:
case OPT_PROV__LAST:
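Review bot: `provider_option_given` is set to 1 before the `switch`, so it is also set when `opt_provider()` is entered with the `OPT_PROV__FIRST`/`OPT_PROV__LAST` sentinels, whose return statement sits between this hunk and the next and is not visible here; the `given` snapshot only undoes the flag on the fall-through path after the switch. Setting the flag inside the three real cases instead — add `provider_option_given = 1;` as the first statement of the `OPT_PROV_PROVIDER`, `OPT_PROV_PROVIDER_PATH` and `OPT_PROV_PROPQUERY` cases — makes the flag mean exactly what the comment above the static says and removes the need for the snapshot/restore. The flag also stays set when the case's handler then fails; that is presumably harmless because callers abort on a 0 return, but it is worth a word in the comment.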
@@ -75,5 +81,12 @@ int opt_provider(int opt)
case OPT_PROV_PROPQUERY:
return app_set_propq(opt_arg());
}
+ /* Should never get here but if we do, undo what we did earlier */
+ provider_option_given = given;
return 0;
}
+
+int opt_provider_option_given(void)
+{
+ return provider_option_given;
+}
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index a767023197..a29d582990 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -15,6 +15,12 @@
# define _POSIX_C_SOURCE 2
#endif
+#ifndef OPENSSL_NO_ENGINE
+/* We need to use some deprecated APIs */
+# define OPENSSL_SUPPRESS_DEPRECATED
+# include <openssl/engine.h>
+#endif
+
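Review bot: The `#ifndef OPENSSL_NO_ENGINE` guard around the new `OPENSSL_SUPPRESS_DEPRECATED` define is evaluated before any OpenSSL header — and therefore before `<openssl/configuration.h>`, where the `OPENSSL_NO_*` feature macros normally live — has been included, unless one is included above line 15 outside this hunk. As written the guard is effectively always true (engine.h protects itself internally, so the include is harmless), and if the macro were ever supplied on the command line instead, the deprecation suppression would disappear for every other deprecated API used in the file. Define the suppression unconditionally here, `/* We need to use some deprecated APIs */` followed by `#define OPENSSL_SUPPRESS_DEPRECATED`, and move `#include <openssl/engine.h>` down to sit with the other OpenSSL includes inside a guard that can actually see the configuration.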
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -3295,3 +3301,29 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char
*alg)
opt_getprog(), alg != NULL ? alg : "asymmetric");
return res;
}
+
+/*
+ * Return non-zero if the legacy path is still an option.
+ * This decision is based on the global command line operations and the
+ * behaviour thus far.
+ */
+int opt_legacy_okay(void)
+{
+ int provider_options = opt_provider_option_given();
+ int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *e = ENGINE_get_first();
+
+ if (e != NULL) {
+ ENGINE_free(e);
+ return 1;
+ }
+#endif
+ /*
+ * Having a provider option specified or a custom library context or
+ * property query, is a sure sign we're not using legacy.
+ */
+ if (provider_options || libctx)
+ return 0;
+ return 1;
+}
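Review bot: In opt_legacy_okay() the `ENGINE_get_first()` test runs before the `provider_options || libctx` test, so any engine present on the global engine list makes the function return 1 and an explicit `-provider`, `-propquery` or library-context request no longer disables the `EVP_get_XXXbyname()` fallback in opt_md_silent()/opt_cipher_silent(). ENGINE_get_first() reports whatever has been registered on that list, not only an engine named with `-engine`; if the apps' start-up or the config file registers engines (not visible in this hunk), a property query such as `fips=yes` would be undone silently, which is exactly the leak this commit sets out to close. Move the `if (provider_options || libctx) return 0;` check above the `#ifndef OPENSSL_NO_ENGINE` block so an explicit non-legacy request always wins, and have the header comment say that the engine list, not only the command line, feeds the decision. Computing the two locals before the early return then also stops being wasted work.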
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index adb0417bd8..157367982d 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -378,8 +378,10 @@ int opt_cipher_silent(const char *name, EVP_CIPHER
**cipherp)
EVP_CIPHER *c;
ERR_set_mark();
- if ((c = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL
- || (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) {
+ if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
+ app_get0_propq())) != NULL
+ || (opt_legacy_okay()
+ && (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
ERR_pop_to_mark();
if (cipherp != NULL) {
EVP_CIPHER_free(*cipherp);
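Review bot: The new `opt_legacy_okay()` gate on the `EVP_get_cipherbyname()` fallback carries no comment, and the reason — a provider, library context or property query was explicitly requested, so satisfying the name from the legacy table would silently bypass that request — is not obvious from the condition alone. Put it on the line: `/* legacy name lookup only when no provider/libctx/propq was requested */`. The rest of opt_cipher_silent(), including the failure path, lies outside the hunk.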
@@ -429,12 +431,19 @@ int opt_cipher(const char *name, EVP_CIPHER **cipherp)
*/
int opt_md_silent(const char *name, EVP_MD **mdp)
{
- EVP_MD_free(*mdp);
+ EVP_MD *md;
ERR_set_mark();
- if ((*mdp = EVP_MD_fetch(NULL, name, NULL)) != NULL
- || (*mdp = (EVP_MD *)EVP_get_digestbyname(name)) != NULL) {
+ if ((md = EVP_MD_fetch(app_get0_libctx(), name, app_get0_propq())) != NULL
+ || (opt_legacy_okay()
+ && (md = (EVP_MD *)EVP_get_digestbyname(name)) != NULL)) {
ERR_pop_to_mark();
+ if (mdp != NULL) {
+ EVP_MD_free(*mdp);
+ *mdp = md;
+ } else {
+ EVP_MD_free(md);
+ }
return 1;
}
ERR_clear_last_mark();
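Review bot: On a failed lookup `*mdp` is now left untouched, whereas before this change the unconditional `EVP_MD_free(*mdp)` plus the assignment inside the condition left it NULL; a caller that reuses one `EVP_MD *` across calls and tests it for NULL after opt_md_silent() returns 0 would now see the stale digest from an earlier call. If that is intended, say so above the function, `/* On failure *mdp is not modified; on success any previous *mdp is freed and replaced. */`; if not, clear it on the failure path with `if (mdp != NULL) { EVP_MD_free(*mdp); *mdp = NULL; }` before the `return 0`, which lies outside the hunk. The new `mdp == NULL` probe mode is a sensible addition but also deserves a line in that comment.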
diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index d615aa3c28..1971c76241 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@@ -8,7 +8,7 @@ opt_begin, opt_next, opt_flag, opt_arg, opt_unknown, opt_cipher,
opt_cipher_any, opt_cipher_silent, opt_md,
opt_int, opt_int_arg, opt_long, opt_ulong, opt_intmax, opt_uintmax,
opt_format, opt_isdir, opt_string, opt_pair,
-opt_num_rest, opt_rest
+opt_num_rest, opt_rest, opt_legacy_okay
- Option parsing for commands and tests
=head1 SYNOPSIS
@@ -53,6 +53,8 @@ opt_num_rest, opt_rest
int opt_num_rest(void);
char **opt_rest(void);
+ int opt_legacy_okay(void);
+
=head1 DESCRIPTION
The functions on this page provide a common set of option-parsing for
@@ -290,6 +292,12 @@ The opt_rest() function returns a pointer to the first
non-option.
If there were no parameters, it will point to the NULL that is
at the end of the standard I<argv> array.
+The opt_legacy_okay() function returns true if no options have been
+specified that would preclude using legacy code paths. Currently,
+the various provider options preclude legacy operation. This means,
+for example, that specifying both B<-provider> and B<-engine> in the
+same command line will not work as expected.
+
=head2 Common Options
There are a few groups of options that are common to many OpenSSL programs.
diff --git a/test/build.info b/test/build.info
index 568fcff3ed..af21e03255 100644
--- a/test/build.info
+++ b/test/build.info
@@ -21,7 +21,7 @@ IF[{- !$disabled{tests} -}]
testutil/format_output.c testutil/load.c testutil/fake_random.c \
testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \
testutil/options.c testutil/test_options.c testutil/provider.c \
- testutil/apps_mem.c testutil/random.c $LIBAPPSSRC
+ testutil/apps_shims.c testutil/random.c $LIBAPPSSRC
INCLUDE[libtestutil.a]=../include ../apps/include ..
DEPEND[libtestutil.a]=../libcrypto
@@ -859,9 +859,9 @@ IF[{- !$disabled{tests} -}]
DEPEND[namemap_internal_test]=../libcrypto.a libtestutil.a
PROGRAMS{noinst}=bio_prefix_text
- SOURCE[bio_prefix_text]=bio_prefix_text.c $LIBAPPSSRC
+ SOURCE[bio_prefix_text]=bio_prefix_text.c
INCLUDE[bio_prefix_text]=.. ../include ../apps/include
- DEPEND[bio_prefix_text]=../libcrypto
+ DEPEND[bio_prefix_text]=../libcrypto libtestutil.a
IF[{- !$disabled{'deprecated-3.0'} -}]
PROGRAMS{noinst}=pem_read_depr_test
diff --git a/test/testutil/apps_mem.c b/test/testutil/apps_shims.c
similarity index 68%
rename from test/testutil/apps_mem.c
rename to test/testutil/apps_shims.c
index ef5e266b25..53d851ffda 100644
--- a/test/testutil/apps_mem.c
+++ b/test/testutil/apps_shims.c
@@ -28,3 +28,29 @@ void *app_malloc(size_t sz, const char *what)
}
return vp;
}
+
+/* shim to prevent sucking in too much from apps */
+
+int opt_legacy_okay(void)
+{
+ return 1;
+}
+
+/*
+ * These three functions are defined here so that they don't need to come from
+ * the apps source code and pull in a lot of additional things.
+ */
+int opt_provider_option_given(void)
+{
+ return 0;
+}
+
+const char *app_get0_propq(void)
+{
+ return NULL;
+}
+
+OSSL_LIB_CTX *app_get0_libctx(void)
+{
+ return NULL;
+}