286 lines
9.3 KiB
Groff
286 lines
9.3 KiB
Groff
.\" $OpenBSD: CONF_modules_load_file.3,v 1.11 2023/07/21 10:46:54 tb Exp $
|
|
.\" full merge up to: e9b77246 Jan 20 19:58:49 2017 +0100
|
|
.\" selective merge up to: d090fc00 Feb 26 13:11:10 2019 +0800
|
|
.\"
|
|
.\" This file is a derived work.
|
|
.\" The changes are covered by the following Copyright and license:
|
|
.\"
|
|
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
|
.\"
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
.\" copyright notice and this permission notice appear in all copies.
|
|
.\"
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
.\"
|
|
.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
|
|
.\" Copyright (c) 2000, 2015 The OpenSSL Project. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\"
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in
|
|
.\" the documentation and/or other materials provided with the
|
|
.\" distribution.
|
|
.\"
|
|
.\" 3. All advertising materials mentioning features or use of this
|
|
.\" software must display the following acknowledgment:
|
|
.\" "This product includes software developed by the OpenSSL Project
|
|
.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
.\"
|
|
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
.\" endorse or promote products derived from this software without
|
|
.\" prior written permission. For written permission, please contact
|
|
.\" openssl-core@openssl.org.
|
|
.\"
|
|
.\" 5. Products derived from this software may not be called "OpenSSL"
|
|
.\" nor may "OpenSSL" appear in their names without prior written
|
|
.\" permission of the OpenSSL Project.
|
|
.\"
|
|
.\" 6. Redistributions of any form whatsoever must retain the following
|
|
.\" acknowledgment:
|
|
.\" "This product includes software developed by the OpenSSL Project
|
|
.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd $Mdocdate: July 21 2023 $
|
|
.Dt CONF_MODULES_LOAD_FILE 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm CONF_modules_load_file ,
|
|
.Nm CONF_modules_load ,
|
|
.Nm X509_get_default_cert_area
|
|
.Nd OpenSSL configuration functions
|
|
.Sh SYNOPSIS
|
|
.In openssl/conf.h
|
|
.Ft int
|
|
.Fo CONF_modules_load_file
|
|
.Fa "const char *filename"
|
|
.Fa "const char *appname"
|
|
.Fa "unsigned long flags"
|
|
.Fc
|
|
.Ft int
|
|
.Fo CONF_modules_load
|
|
.Fa "const CONF *cnf"
|
|
.Fa "const char *appname"
|
|
.Fa "unsigned long flags"
|
|
.Fc
|
|
.In openssl/x509.h
|
|
.Ft const char *
|
|
.Fn X509_get_default_cert_area void
|
|
.Sh DESCRIPTION
|
|
The function
|
|
.Fn CONF_modules_load_file
|
|
configures OpenSSL using the file
|
|
.Fa filename
|
|
in
|
|
.Xr openssl.cnf 5
|
|
format and the application name
|
|
.Fa appname .
|
|
If
|
|
.Fa filename
|
|
is
|
|
.Dv NULL ,
|
|
the standard OpenSSL configuration file
|
|
.Pa /etc/ssl/openssl.cnf
|
|
is used.
|
|
If
|
|
.Fa appname
|
|
is
|
|
.Dv NULL ,
|
|
the standard OpenSSL application name
|
|
.Qq openssl_conf
|
|
is used.
|
|
The behaviour can be customized using
|
|
.Fa flags .
|
|
.Pp
|
|
See the
|
|
.Sx EXAMPLES
|
|
section for additional functions that may need to be called.
|
|
Calling configuration functions in the right order for the intended
|
|
effect can be tricky because many configuration functions internally
|
|
call each other.
|
|
.Pp
|
|
.Fn CONF_modules_load
|
|
is identical to
|
|
.Fn CONF_modules_load_file
|
|
except it reads configuration information from
|
|
.Fa cnf .
|
|
.Pp
|
|
The following
|
|
.Fa flags
|
|
are currently recognized:
|
|
.Bl -tag -width Ds
|
|
.It Dv CONF_MFLAGS_IGNORE_ERRORS
|
|
Ignore errors returned by individual configuration modules.
|
|
By default, the first module error is considered fatal and no further
|
|
modules are loaded.
|
|
.It Dv CONF_MFLAGS_SILENT
|
|
Do not add any error information.
|
|
By default, all module errors add error information to the error queue.
|
|
.It Dv CONF_MFLAGS_NO_DSO
|
|
Disable loading of configuration modules from DSOs.
|
|
This flag is provided for compatibility and has no effect.
|
|
.It Dv CONF_MFLAGS_IGNORE_MISSING_FILE
|
|
Let
|
|
.Fn CONF_modules_load_file
|
|
ignore missing configuration files.
|
|
By default, a missing configuration file returns an error.
|
|
.It CONF_MFLAGS_DEFAULT_SECTION
|
|
If
|
|
.Fa appname
|
|
is not
|
|
.Dv NULL
|
|
but does not exist, fall back to the default section
|
|
.Qq openssl_conf .
|
|
.El
|
|
.Pp
|
|
By using
|
|
.Fn CONF_modules_load_file
|
|
with appropriate flags, an application can customise application
|
|
configuration to best suit its needs.
|
|
In some cases the use of a configuration file is optional and its
|
|
absence is not an error: in this case
|
|
.Dv CONF_MFLAGS_IGNORE_MISSING_FILE
|
|
would be set.
|
|
.Pp
|
|
Errors during configuration may also be handled differently by
|
|
different applications.
|
|
For example in some cases an error may simply print out a warning
|
|
message and the application may continue.
|
|
In other cases an application might consider a configuration file
|
|
error fatal and exit immediately.
|
|
.Pp
|
|
Applications can use the
|
|
.Fn CONF_modules_load
|
|
function if they wish to load a configuration file themselves and
|
|
have finer control over how errors are treated.
|
|
.Sh RETURN VALUES
|
|
.Fn CONF_modules_load_file
|
|
and
|
|
.Fn CONF_modules_load
|
|
return 1 for success and zero or a negative value for failure.
|
|
If module errors are not ignored, the return code will reflect the return
|
|
value of the failing module (this will always be zero or negative).
|
|
.Pp
|
|
.Fn X509_get_default_cert_area
|
|
returns a pointer to the constant string
|
|
.Qq "/etc/ssl" .
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/ssl/openssl.cnf -compact
|
|
.It Pa /etc/ssl
|
|
standard configuration directory
|
|
.It Pa /etc/ssl/openssl.cnf
|
|
standard configuration file
|
|
.El
|
|
.Sh EXAMPLES
|
|
Load a configuration file and print out any errors and exit (missing
|
|
file considered fatal):
|
|
.Bd -literal
|
|
if (CONF_modules_load_file(NULL, NULL, 0) <= 0) {
|
|
fprintf(stderr, "FATAL: error loading configuration file\en");
|
|
ERR_print_errors_fp(stderr);
|
|
exit(1);
|
|
}
|
|
.Ed
|
|
.Pp
|
|
Load default configuration file using the section indicated
|
|
by "myapp", tolerate missing files, but exit on other errors:
|
|
.Bd -literal
|
|
if (CONF_modules_load_file(NULL, "myapp",
|
|
CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
|
|
fprintf(stderr, "FATAL: error loading configuration file\en");
|
|
ERR_print_errors_fp(stderr);
|
|
exit(1);
|
|
}
|
|
.Ed
|
|
.Pp
|
|
Load custom configuration file and section instead of the standard one,
|
|
only print warnings on error, missing configuration file ignored:
|
|
.Bd -literal
|
|
OPENSSL_no_config();
|
|
ENGINE_load_builtin_engines();
|
|
OPENSSL_load_builtin_modules();
|
|
if (CONF_modules_load_file("/something/app.cnf", "myapp",
|
|
CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
|
|
fprintf(stderr, "WARNING: error loading configuration file\en");
|
|
ERR_print_errors_fp(stderr);
|
|
}
|
|
.Ed
|
|
.Pp
|
|
In the previous example, the call to
|
|
.Xr OPENSSL_no_config 3
|
|
is required first to suppress automatic loading
|
|
of the standard configuration file, and the calls to
|
|
.Xr ENGINE_load_builtin_engines 3
|
|
and
|
|
.Xr OPENSSL_load_builtin_modules 3
|
|
are needed so that the configuration of builtin modules and engines
|
|
is also loaded in addition to the configuration of
|
|
.Qq myapp .
|
|
.Pp
|
|
Load and parse configuration file manually, custom error handling:
|
|
.Bd -literal
|
|
FILE *fp;
|
|
CONF *cnf = NULL;
|
|
long eline;
|
|
|
|
fp = fopen("/somepath/app.cnf", "r");
|
|
if (fp == NULL) {
|
|
fprintf(stderr, "Error opening configuration file\en");
|
|
/* Other missing configuration file behaviour */
|
|
} else {
|
|
cnf = NCONF_new(NULL);
|
|
if (NCONF_load_fp(cnf, fp, &eline) == 0) {
|
|
fprintf(stderr, "Error on line %ld of configuration file\en",
|
|
eline);
|
|
ERR_print_errors_fp(stderr);
|
|
/* Other malformed configuration file behaviour */
|
|
} else if (CONF_modules_load(cnf, "appname", 0) <= 0) {
|
|
fprintf(stderr, "Error configuring application\en");
|
|
ERR_print_errors_fp(stderr);
|
|
/* Other configuration error behaviour */
|
|
}
|
|
fclose(fp);
|
|
NCONF_free(cnf);
|
|
}
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr CONF_modules_free 3 ,
|
|
.Xr ENGINE_load_builtin_engines 3 ,
|
|
.Xr ERR 3 ,
|
|
.Xr OPENSSL_config 3 ,
|
|
.Xr OPENSSL_load_builtin_modules 3
|
|
.Sh HISTORY
|
|
.Fn X509_get_default_cert_area
|
|
first appeared in SSLeay 0.4.1 and has been available since
|
|
.Ox 2.4 .
|
|
.Pp
|
|
.Fn CONF_modules_load_file
|
|
and
|
|
.Fn CONF_modules_load
|
|
first appeared in OpenSSL 0.9.7 and have been available since
|
|
.Ox 3.2 .
|