The branch master has been updated
       via  d19dacd55f03cb36974fe69e6649bca16d80ab35 (commit)
       via  09b430cd87bc3b018fb97879eb6a2ea540c8e923 (commit)
       via  ff215713655e721be505cc884aed5d1230c7759e (commit)
       via  242dfd8a1b93326d200383948a8d57db5ce57de0 (commit)
       via  ac1e85f464568d14962162fe97670a53f11f6bfc (commit)
       via  2f8f8e6fc941b4cc80e29fc1d553445b13a6a789 (commit)
       via  12aa352f091c25bcc1a8d7518a33e10b9375313f (commit)
      from  5303aa51c015ab7590187ac3e441b6d3c47a6e79 (commit)


- Log -----------------------------------------------------------------
commit d19dacd55f03cb36974fe69e6649bca16d80ab35
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 11:38:06 2021 +1000

    doc: document the new opt_legacy_okay() function's behaviour
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

commit 09b430cd87bc3b018fb97879eb6a2ea540c8e923
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 11:25:11 2021 +1000

    app: add library context and propq arguments to opt_md() and opt_cipher()
    
    Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed.
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

commit ff215713655e721be505cc884aed5d1230c7759e
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 11:24:05 2021 +1000

    apps: add a function opt_legacy_okay() that indicates if legacy paths are 
permitted or not
    
    By default they are.  However, if a provider, provider path or a property 
query has been specified
    they are not.  Likewise, if a library context or a property query has been
    specified by the command, they are not.
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

commit 242dfd8a1b93326d200383948a8d57db5ce57de0
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 11:22:14 2021 +1000

    apps: add query to allow a command to know if a provider command line 
option was processed
    
    Better fixing:
    Fixing #15683
    Fixing #15686
    
    Replacing rather than fixing:
    Fixing #15414
    
    Since that claims to fix another:
    Fixing #15372
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

commit ac1e85f464568d14962162fe97670a53f11f6bfc
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 11:09:39 2021 +1000

    test: make build descriptions more consistent
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

commit 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 10:55:01 2021 +1000

    test: add a shim function for the apps's opt_legacy_okay() function
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

commit 12aa352f091c25bcc1a8d7518a33e10b9375313f
Author: Pauli <pa...@openssl.org>
Date:   Thu Jul 8 10:53:05 2021 +1000

    test: rename apps_mem.c to be apps_shims.c in anticipation of additional 
functions
    
    Reviewed-by: Tomas Mraz <to...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16022)

-----------------------------------------------------------------------

Summary of changes:
 apps/include/opt.h                         |  5 +++++
 apps/lib/app_provider.c                    | 13 ++++++++++++
 apps/lib/apps.c                            | 32 ++++++++++++++++++++++++++++++
 apps/lib/opt.c                             | 19 +++++++++++++-----
 doc/internal/man3/OPTIONS.pod              | 10 +++++++++-
 test/build.info                            |  6 +++---
 test/testutil/{apps_mem.c => apps_shims.c} | 26 ++++++++++++++++++++++++
 7 files changed, 102 insertions(+), 9 deletions(-)
 rename test/testutil/{apps_mem.c => apps_shims.c} (68%)

diff --git a/apps/include/opt.h b/apps/include/opt.h
index ce0e35cd72..4f83a0ed53 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -388,8 +388,13 @@ int opt_pair(const char *arg, const OPT_PAIR * pairs, int 
*result);
 int opt_verify(int i, X509_VERIFY_PARAM *vpm);
 int opt_rand(int i);
 int opt_provider(int i);
+int opt_provider_option_given(void);
 
 char **opt_rest(void);
 int opt_num_rest(void);
 
+/* Returns non-zero if legacy paths are still available */
+int opt_legacy_okay(void);
+
+
 #endif /* OSSL_APPS_OPT_H */
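Review bot: The new `opt_provider_option_given()` prototype is added without a comment, while `opt_legacy_okay()` right below gets one, so a reader of the header cannot tell what the former reports. Suggest `/* Returns non-zero once any provider command line option has been processed */` above it. The two consecutive blank lines before `#endif` also break the single-blank spacing used elsewhere in this header.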
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
index c3100b2fa8..63f78ae07d 100644
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@@ -13,6 +13,9 @@
 #include <openssl/provider.h>
 #include <openssl/safestack.h>
 
+/* Non-zero if any of the provider options have been seen */
+static int provider_option_given = 0;
+
 DEFINE_STACK_OF(OSSL_PROVIDER)
 
 /*
@@ -64,6 +67,9 @@ static int opt_provider_path(const char *path)
 
 int opt_provider(int opt)
 {
+    const int given = provider_option_given;
+
+    provider_option_given = 1;
     switch ((enum prov_range)opt) {
     case OPT_PROV__FIRST:
     case OPT_PROV__LAST:
@@ -75,5 +81,12 @@ int opt_provider(int opt)
     case OPT_PROV_PROPQUERY:
         return app_set_propq(opt_arg());
     }
+    /* Should never get here but if we do, undo what we did earlier */
+    provider_option_given = given;
     return 0;
 }
+
+int opt_provider_option_given(void)
+{
+    return provider_option_given;
+}
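Review bot: `provider_option_given` is set to 1 before the option's handler runs, so a failing `app_set_propq(opt_arg())` (or a failing provider load in the cases outside this hunk) leaves the flag set even though the option was not applied; presumably harmless because the command aborts on a failed option, but the accessor's contract should say so. `opt_provider_option_given()` has no comment at all; suggest `/* Returns non-zero if any provider option was processed (set even if its handler failed) */`. The restore of `given` at the end of `opt_provider()` is reached only when no case returns, so it is purely defensive against an out-of-range opt, as the existing comment already notes.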
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index a767023197..a29d582990 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -15,6 +15,12 @@
 # define _POSIX_C_SOURCE 2
 #endif
 
+#ifndef OPENSSL_NO_ENGINE
+/* We need to use some deprecated APIs */
+# define OPENSSL_SUPPRESS_DEPRECATED
+# include <openssl/engine.h>
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
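Review bot: `OPENSSL_SUPPRESS_DEPRECATED` is defined for the whole translation unit, not just for the ENGINE calls that `opt_legacy_okay()` needs, so any other deprecated API used in apps.c now compiles silently in engine-enabled builds while engine-less builds still warn. If that is intended it deserves a comment, e.g. `/* File-wide: opt_legacy_okay() needs the deprecated ENGINE_get_first()/ENGINE_free() */`; otherwise the define could be scoped by moving the ENGINE check into its own source file. Whether any OpenSSL header is already included above this point is outside the hunk.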
@@ -3295,3 +3301,29 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char 
*alg)
                      opt_getprog(), alg != NULL ? alg : "asymmetric");
     return res;
 }
+
+/*
+ * Return non-zero if the legacy path is still an option.
+ * This decision is based on the global command line operations and the
+ * behaviour thus far.
+ */
+int opt_legacy_okay(void)
+{
+    int provider_options = opt_provider_option_given();
+    int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
+#ifndef OPENSSL_NO_ENGINE
+    ENGINE *e = ENGINE_get_first();
+
+    if (e != NULL) {
+        ENGINE_free(e);
+        return 1;
+    }
+#endif
+    /*
+     * Having a provider option specified or a custom library context or
+     * property query, is a sure sign we're not using legacy.
+     */
+    if (provider_options || libctx)
+        return 0;
+    return 1;
+}
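Review bot: The header comment of `opt_legacy_okay()` does not mention that a loaded ENGINE takes precedence: the `ENGINE_get_first()` check returns 1 before `provider_options` and `libctx` are consulted, so a command line carrying both provider options and an engine is treated as legacy-okay, whereas the OPTIONS.pod text in this same series states that provider options preclude legacy operation. The check is keyed on the global engine list rather than on an `-engine` option having been given, so an engine loaded via configuration would presumably have the same effect — worth confirming and documenting. Suggest extending the comment with `Any ENGINE present in the global engine list forces the legacy path, overriding provider, library-context and property-query options.` The local `libctx` is really a flag for "non-default library context or property query set", so a name like `custom_ctx` would read better.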
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index adb0417bd8..157367982d 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -378,8 +378,10 @@ int opt_cipher_silent(const char *name, EVP_CIPHER 
**cipherp)
     EVP_CIPHER *c;
 
     ERR_set_mark();
-    if ((c = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL
-        || (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) {
+    if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
+                              app_get0_propq())) != NULL
+        || (opt_legacy_okay()
+            && (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
         ERR_pop_to_mark();
         if (cipherp != NULL) {
             EVP_CIPHER_free(*cipherp);
@@ -429,12 +431,19 @@ int opt_cipher(const char *name, EVP_CIPHER **cipherp)
  */
 int opt_md_silent(const char *name, EVP_MD **mdp)
 {
-    EVP_MD_free(*mdp);
+    EVP_MD *md;
 
     ERR_set_mark();
-    if ((*mdp = EVP_MD_fetch(NULL, name, NULL)) != NULL
-        || (*mdp = (EVP_MD *)EVP_get_digestbyname(name)) != NULL) {
+    if ((md = EVP_MD_fetch(app_get0_libctx(), name, app_get0_propq())) != NULL
+        || (opt_legacy_okay()
+            && (md = (EVP_MD *)EVP_get_digestbyname(name)) != NULL)) {
         ERR_pop_to_mark();
+        if (mdp != NULL) {
+            EVP_MD_free(*mdp);
+            *mdp = md;
+        } else {
+            EVP_MD_free(md);
+        }
         return 1;
     }
     ERR_clear_last_mark();
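Review bot: `opt_md_silent()` no longer resets `*mdp` on failure: the removed leading `EVP_MD_free(*mdp)` (which the old fetch assignment then overwrote with NULL) is replaced by freeing and assigning `*mdp` only on success, so a caller passing a non-NULL `*mdp` and inspecting it after a failed lookup now sees the old digest instead of NULL. This mirrors what `opt_cipher_silent()` already does with `cipherp` in the previous hunk, so it is probably intended, but the function's header comment (above this hunk) should state that `*mdp` is left untouched on failure; the failure path itself continues outside the hunk. The `opt_legacy_okay()` guard on the `EVP_get_digestbyname()` / `EVP_get_cipherbyname()` fallback is the same in both hunks.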
diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index d615aa3c28..1971c76241 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@@ -8,7 +8,7 @@ opt_begin, opt_next, opt_flag, opt_arg, opt_unknown, opt_cipher,
 opt_cipher_any, opt_cipher_silent, opt_md,
 opt_int, opt_int_arg, opt_long, opt_ulong, opt_intmax, opt_uintmax,
 opt_format, opt_isdir, opt_string, opt_pair,
-opt_num_rest, opt_rest
+opt_num_rest, opt_rest, opt_legacy_okay
 - Option parsing for commands and tests
 
 =head1 SYNOPSIS
@@ -53,6 +53,8 @@ opt_num_rest, opt_rest
  int opt_num_rest(void);
  char **opt_rest(void);
 
+ int opt_legacy_okay(void);
+
 =head1 DESCRIPTION
 
 The functions on this page provide a common set of option-parsing for
@@ -290,6 +292,12 @@ The opt_rest() function returns a pointer to the first 
non-option.
 If there were no parameters, it will point to the NULL that is
 at the end of the standard I<argv> array.
 
+The opt_legacy_okay() function returns true if no options have been
+specified that would preclude using legacy code paths.  Currently,
+the various provider options preclude legacy operation.  This means,
+for example, that specifying both B<-provider> and B<-engine> in the
+same command line will not work as expected.
+
 =head2 Common Options
 
 There are a few groups of options that are common to many OpenSSL programs.
diff --git a/test/build.info b/test/build.info
index 568fcff3ed..af21e03255 100644
--- a/test/build.info
+++ b/test/build.info
@@ -21,7 +21,7 @@ IF[{- !$disabled{tests} -}]
           testutil/format_output.c testutil/load.c testutil/fake_random.c \
           testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \
           testutil/options.c testutil/test_options.c testutil/provider.c \
-          testutil/apps_mem.c testutil/random.c $LIBAPPSSRC
+          testutil/apps_shims.c testutil/random.c $LIBAPPSSRC
   INCLUDE[libtestutil.a]=../include ../apps/include ..
   DEPEND[libtestutil.a]=../libcrypto
 
@@ -859,9 +859,9 @@ IF[{- !$disabled{tests} -}]
   DEPEND[namemap_internal_test]=../libcrypto.a libtestutil.a
 
   PROGRAMS{noinst}=bio_prefix_text
-  SOURCE[bio_prefix_text]=bio_prefix_text.c $LIBAPPSSRC
+  SOURCE[bio_prefix_text]=bio_prefix_text.c
   INCLUDE[bio_prefix_text]=.. ../include ../apps/include
-  DEPEND[bio_prefix_text]=../libcrypto
+  DEPEND[bio_prefix_text]=../libcrypto libtestutil.a
 
   IF[{- !$disabled{'deprecated-3.0'} -}]
     PROGRAMS{noinst}=pem_read_depr_test
diff --git a/test/testutil/apps_mem.c b/test/testutil/apps_shims.c
similarity index 68%
rename from test/testutil/apps_mem.c
rename to test/testutil/apps_shims.c
index ef5e266b25..53d851ffda 100644
--- a/test/testutil/apps_mem.c
+++ b/test/testutil/apps_shims.c
@@ -28,3 +28,29 @@ void *app_malloc(size_t sz, const char *what)
     }
     return vp;
 }
+
+/* shim to prevent sucking in too much from apps */
+
+int opt_legacy_okay(void)
+{
+    return 1;
+}
+
+/*
+ * These three functions are defined here so that they don't need to come from
+ * the apps source code and pull in a lot of additional things.
+ */
+int opt_provider_option_given(void)
+{
+    return 0;
+}
+
+const char *app_get0_propq(void)
+{
+    return NULL;
+}
+
+OSSL_LIB_CTX *app_get0_libctx(void)
+{
+    return NULL;
+}
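Review bot: The comment `/* shim to prevent sucking in too much from apps */` is separated from `opt_legacy_okay()` by a blank line and reads like a section heading, while the second comment says "These three functions" although all four definitions in this hunk are shims for the same reason. Suggest a single comment above `opt_legacy_okay()` covering all four, e.g. `/* Shims for apps/lib functions so tests need not link the whole apps library: legacy paths are always allowed and the default library context is used. */`. Because the shim always returns 1, tests built against it never exercise the provider-only branch the real `opt_legacy_okay()` introduces, which may warrant a dedicated test outside this change.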
