The branch master has been updated via d19dacd55f03cb36974fe69e6649bca16d80ab35 (commit) via 09b430cd87bc3b018fb97879eb6a2ea540c8e923 (commit) via ff215713655e721be505cc884aed5d1230c7759e (commit) via 242dfd8a1b93326d200383948a8d57db5ce57de0 (commit) via ac1e85f464568d14962162fe97670a53f11f6bfc (commit) via 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789 (commit) via 12aa352f091c25bcc1a8d7518a33e10b9375313f (commit) from 5303aa51c015ab7590187ac3e441b6d3c47a6e79 (commit)
- Log ----------------------------------------------------------------- commit d19dacd55f03cb36974fe69e6649bca16d80ab35 Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 11:38:06 2021 +1000 doc: document the new opt_legacy_okay() function's behaviour Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) commit 09b430cd87bc3b018fb97879eb6a2ea540c8e923 Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 11:25:11 2021 +1000 app: add library context and propq arguments to opt_md() and opt_cipher() Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) commit ff215713655e721be505cc884aed5d1230c7759e Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 11:24:05 2021 +1000 apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not By default they are. However, if a provider, provider path or a property query has been specified they are not. Likewise, if a library context or a property query has been specified by the command, they are not. 
Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) commit 242dfd8a1b93326d200383948a8d57db5ce57de0 Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 11:22:14 2021 +1000 apps: add query to allow a command to know if a provider command line option was processed Better fixing: Fixing #15683 Fixing #15686 Replacing rather than fixing: Fixing #15414 Since that claims to fix another: Fixing #15372 Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) commit ac1e85f464568d14962162fe97670a53f11f6bfc Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 11:09:39 2021 +1000 test: make build descriptions more consistent Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) commit 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789 Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 10:55:01 2021 +1000 test: add a shim function for the apps's opt_legacy_okay() function Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) commit 12aa352f091c25bcc1a8d7518a33e10b9375313f Author: Pauli <pa...@openssl.org> Date: Thu Jul 8 10:53:05 2021 +1000 test: rename apps_mem.c to be apps_shims.c in anticipation of additional functions Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) ----------------------------------------------------------------------- Summary of changes: apps/include/opt.h | 5 +++++ apps/lib/app_provider.c | 13 ++++++++++++ apps/lib/apps.c | 32 ++++++++++++++++++++++++++++++ apps/lib/opt.c | 19 +++++++++++++----- doc/internal/man3/OPTIONS.pod | 10 +++++++++- test/build.info | 6 +++--- test/testutil/{apps_mem.c => apps_shims.c} | 26 ++++++++++++++++++++++++ 7 files changed, 102 insertions(+), 9 deletions(-) rename test/testutil/{apps_mem.c => apps_shims.c} (68%)
diff --git a/apps/include/opt.h b/apps/include/opt.h
index ce0e35cd72..4f83a0ed53 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -388,8 +388,13 @@ int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
 int opt_verify(int i, X509_VERIFY_PARAM *vpm);
 int opt_rand(int i);
 int opt_provider(int i);
+int opt_provider_option_given(void);
 char **opt_rest(void);
 int opt_num_rest(void);
+/* Returns non-zero if legacy paths are still available */
+int opt_legacy_okay(void);
+
+
 
 
 #endif /* OSSL_APPS_OPT_H */
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
index c3100b2fa8..63f78ae07d 100644
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@@ -13,6 +13,9 @@
 #include <openssl/provider.h>
 #include <openssl/safestack.h>
 
+/* Non-zero if any of the provider options have been seen */
+static int provider_option_given = 0;
+
 DEFINE_STACK_OF(OSSL_PROVIDER)
 
 /*
@@ -64,6 +67,9 @@ static int opt_provider_path(const char *path)
 
 int opt_provider(int opt)
 {
+    const int given = provider_option_given;
+
+    provider_option_given = 1;
     switch ((enum prov_range)opt) {
     case OPT_PROV__FIRST:
     case OPT_PROV__LAST:
@@ -75,5 +81,12 @@ int opt_provider(int opt)
     case OPT_PROV_PROPQUERY:
         return app_set_propq(opt_arg());
     }
+    /* Should never get here but if we do, undo what we did earlier */
+    provider_option_given = given;
     return 0;
 }
+
+int opt_provider_option_given(void)
+{
+    return provider_option_given;
+}
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index a767023197..a29d582990 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -15,6 +15,12 @@
 # define _POSIX_C_SOURCE 2
 #endif
 
+#ifndef OPENSSL_NO_ENGINE
+/* We need to use some deprecated APIs */
+# define OPENSSL_SUPPRESS_DEPRECATED
+# include <openssl/engine.h>
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
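Review bot: In `opt_provider()` the flag `provider_option_given` is raised to 1 before the switch and only restored on the fall-through after it, so once any provider option has been parsed the flag stays up for the rest of the process even when that option's handler (`app_set_propq()`, the provider load) returned 0; that is the fail-closed direction, since a half-configured provider setup should not quietly drop back to legacy lookups, but nothing in the hunk says it is deliberate. I would add `/* Set before dispatch: a provider option disables legacy paths even if its handler fails */` above `provider_option_given = 1;`. The restore after the switch can only run for a value that no `case` handles, which, if every `enum prov_range` member is covered, means an out-of-range `opt`; if that can actually happen, a `default:` label would make the intent explicit. The middle of `opt_provider()` lies between the two hunks and is outside this view.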
@@ -3295,3 +3301,29 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg)
                opt_getprog(), alg != NULL ? alg : "asymmetric");
     return res;
 }
+
+/*
+ * Return non-zero if the legacy path is still an option.
+ * This decision is based on the global command line operations and the
+ * behaviour thus far.
+ */
+int opt_legacy_okay(void)
+{
+    int provider_options = opt_provider_option_given();
+    int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
+#ifndef OPENSSL_NO_ENGINE
+    ENGINE *e = ENGINE_get_first();
+
+    if (e != NULL) {
+        ENGINE_free(e);
+        return 1;
+    }
+#endif
+    /*
+     * Having a provider option specified or a custom library context or
+     * property query, is a sure sign we're not using legacy.
+     */
+    if (provider_options || libctx)
+        return 0;
+    return 1;
+}
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index adb0417bd8..157367982d 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -378,8 +378,10 @@ int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
     EVP_CIPHER *c;
 
     ERR_set_mark();
-    if ((c = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL
-        || (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) {
+    if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
+                              app_get0_propq())) != NULL
+        || (opt_legacy_okay()
+            && (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
         ERR_pop_to_mark();
         if (cipherp != NULL) {
             EVP_CIPHER_free(*cipherp);
@@ -429,12 +431,19 @@ int opt_cipher(const char *name, EVP_CIPHER **cipherp)
  */
 int opt_md_silent(const char *name, EVP_MD **mdp)
 {
-    EVP_MD_free(*mdp);
+    EVP_MD *md;
 
     ERR_set_mark();
-    if ((*mdp = EVP_MD_fetch(NULL, name, NULL)) != NULL
-        || (*mdp = (EVP_MD *)EVP_get_digestbyname(name)) != NULL) {
+    if ((md = EVP_MD_fetch(app_get0_libctx(), name, app_get0_propq())) != NULL
+        || (opt_legacy_okay()
+            && (md = (EVP_MD *)EVP_get_digestbyname(name)) != NULL)) {
         ERR_pop_to_mark();
+        if (mdp != NULL) {
+            EVP_MD_free(*mdp);
+            *mdp = md;
+        } else {
+            EVP_MD_free(md);
+        }
         return 1;
     }
     ERR_clear_last_mark();
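Review bot: In `opt_legacy_okay()` the ENGINE check returns 1 before `provider_options` and `libctx` are consulted, so a registered engine — from `-engine`, and presumably also one loaded via the config file — wins over `-provider`, `-propquery` and a custom library context, re-enabling the legacy `EVP_get_*byname()` fallback for that command. The header comment should state that precedence, e.g. `A registered ENGINE takes precedence: legacy lookups stay allowed even when provider options were given.`; the OPTIONS.pod text in this series only says the combination "will not work as expected", which does not describe this outcome. The local `libctx` is an int covering both the library context and the property query, so a name like `nondefault_ctx` would say what it holds. The reference from `ENGINE_get_first()` is released with `ENGINE_free()` on the early return, which is correct.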
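Review bot: `opt_md_silent()` changes its contract in two ways that the doc comment above it (which starts outside the hunk) should record: `mdp` may now be NULL, and on the failure path `*mdp` is left untouched — previously `EVP_MD_free(*mdp)` ran unconditionally and `*mdp` ended up NULL when both lookups failed, so a caller that relied on `*mdp == NULL` after a failure now keeps its old, still-owned pointer. Suggested wording: `If mdp is NULL the name is only checked. On success the previous *mdp is freed and replaced; on failure *mdp is not modified.` This matches how `opt_cipher_silent()` in the previous hunk treats `cipherp`, which is a good consistency fix. The condition order is right: `opt_legacy_okay()` is consulted only after the provider fetch fails, so a provider-only command cannot silently pick up a legacy implementation.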
diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index d615aa3c28..1971c76241 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@@ -8,7 +8,7 @@ opt_begin, opt_next, opt_flag, opt_arg, opt_unknown,
 opt_cipher, opt_cipher_any, opt_cipher_silent, opt_md,
 opt_int, opt_int_arg, opt_long, opt_ulong, opt_intmax, opt_uintmax,
 opt_format, opt_isdir, opt_string, opt_pair,
-opt_num_rest, opt_rest
+opt_num_rest, opt_rest, opt_legacy_okay
 - Option parsing for commands and tests
 
 =head1 SYNOPSIS
@@ -53,6 +53,8 @@ opt_num_rest, opt_rest
  int opt_num_rest(void);
  char **opt_rest(void);
 
+ int opt_legacy_okay(void);
+
 =head1 DESCRIPTION
 
 The functions on this page provide a common set of option-parsing for
@@ -290,6 +292,12 @@ The opt_rest() function returns a pointer to the first non-option.
 If there were no parameters, it will point to the NULL that is at the end of
 the standard I<argv> array.
 
+The opt_legacy_okay() function returns true if no options have been
+specified that would preclude using legacy code paths. Currently,
+the various provider options preclude legacy operation. This means,
+for example, that specifying both B<-provider> and B<-engine> in the
+same command line will not work as expected.
+
 =head2 Common Options
 
 There are a few groups of options that are common to many OpenSSL programs.
diff --git a/test/build.info b/test/build.info
index 568fcff3ed..af21e03255 100644
--- a/test/build.info
+++ b/test/build.info
@@ -21,7 +21,7 @@ IF[{- !$disabled{tests} -}]
           testutil/format_output.c testutil/load.c testutil/fake_random.c \
           testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \
           testutil/options.c testutil/test_options.c testutil/provider.c \
-          testutil/apps_mem.c testutil/random.c $LIBAPPSSRC
+          testutil/apps_shims.c testutil/random.c $LIBAPPSSRC
   INCLUDE[libtestutil.a]=../include ../apps/include ..
   DEPEND[libtestutil.a]=../libcrypto
 
@@ -859,9 +859,9 @@ IF[{- !$disabled{tests} -}]
   DEPEND[namemap_internal_test]=../libcrypto.a libtestutil.a
 
   PROGRAMS{noinst}=bio_prefix_text
-  SOURCE[bio_prefix_text]=bio_prefix_text.c $LIBAPPSSRC
+  SOURCE[bio_prefix_text]=bio_prefix_text.c
   INCLUDE[bio_prefix_text]=.. ../include ../apps/include
-  DEPEND[bio_prefix_text]=../libcrypto
+  DEPEND[bio_prefix_text]=../libcrypto libtestutil.a
 
   IF[{- !$disabled{'deprecated-3.0'} -}]
     PROGRAMS{noinst}=pem_read_depr_test
diff --git a/test/testutil/apps_mem.c b/test/testutil/apps_shims.c
similarity index 68%
rename from test/testutil/apps_mem.c
rename to test/testutil/apps_shims.c
index ef5e266b25..53d851ffda 100644
--- a/test/testutil/apps_mem.c
+++ b/test/testutil/apps_shims.c
@@ -28,3 +28,29 @@ void *app_malloc(size_t sz, const char *what)
     }
     return vp;
 }
+
+/* shim to prevent sucking in too much from apps */
+
+int opt_legacy_okay(void)
+{
+    return 1;
+}
+
+/*
+ * These three functions are defined here so that they don't need to come from
+ * the apps source code and pull in a lot of additional things.
+ */
+int opt_provider_option_given(void)
+{
+    return 0;
+}
+
+const char *app_get0_propq(void)
+{
+    return NULL;
+}
+
+OSSL_LIB_CTX *app_get0_libctx(void)
+{
+    return NULL;
+}
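Review bot: The four shims hard-wire the permissive answers — `opt_legacy_okay()` returns 1 and `app_get0_libctx()`/`app_get0_propq()` return NULL — so any test that reaches `opt_cipher_silent()` or `opt_md_silent()` through libtestutil only ever exercises the default-context, legacy-allowed branch; the comment block should say so, e.g. `Tests linked against libtestutil always run with legacy paths allowed and the default library context; the provider-only path is not covered here.`, so a passing test is not read as covering the provider-only behaviour. The blank line between `/* shim to prevent sucking in too much from apps */` and `opt_legacy_okay()` detaches the comment from the function it describes; dropping it, or folding the comment into the block below so it introduces all four shims, reads better. Since libtestutil.a now defines these symbols alongside `$LIBAPPSSRC`, and the build.info hunk stops linking `$LIBAPPSSRC` into bio_prefix_text separately, this presumably relies on `$LIBAPPSSRC` never containing apps.c or app_provider.c; a one-line note in build.info would keep a later change to that list from producing duplicate definitions.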