From 92c03668c0cd77434006b613e3429888a0a8ecfe Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Thu, 29 Jul 2021 09:55:09 +1000
Subject: [PATCH] Add config_diagnostics to our configuration files.

The change to a more configuration based approach to enable FIPS mode
operation highlights a shortcoming in the default should do something
approach we've taken for bad configuration files.

Currently, a bad configuration file will be automatically loaded and
once the badness is detected, it will silently stop processing the
configuration and continue normal operations. This is good for remote
servers, allowing changes to be made without bricking things. It's bad
when a user thinks they've configured what they want but got something
wrong and it still appears to work.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16171)
---
 apps/openssl-vms.cnf               | 3 +--
 apps/openssl.cnf                   | 3 +--
 demos/bio/accept.cnf               | 6 ++++++
 demos/bio/cmod.cnf                 | 3 +++
 demos/bio/connect.cnf              | 6 ++++++
 demos/certs/apps/apps.cnf          | 4 ++++
 demos/certs/ca.cnf                 | 3 +++
 test/CAtsa.cnf                     | 3 +++
 test/ca-and-certs.cnf              | 3 +++
 test/ct/log_list.cnf               | 3 +++
 test/default-and-fips.cnf          | 3 +++
 test/default-and-legacy.cnf        | 3 +++
 test/default.cnf                   | 3 +++
 test/fips-and-base.cnf             | 3 +++
 test/fips.cnf                      | 3 +++
 test/legacy.cnf                    | 3 +++
 test/provider_internal_test.cnf.in | 3 +++
 test/proxy.cnf                     | 3 +++
 test/smime-certs/ca.cnf            | 3 +++
 test/sysdefault.cnf                | 3 +++
 20 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index f18e63c351..4d96a1f32d 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -16,8 +16,7 @@ HOME			= .
  # Use this in order to automatically load providers.
 openssl_conf = openssl_init
 
-# Comment this out if you deliberately want to ignore
-# configuration errors
+# Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 
 # Extra OBJECT IDENTIFIER info:
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 97567a67be..ffb424a871 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -16,8 +16,7 @@ HOME			= .
  # Use this in order to automatically load providers.
 openssl_conf = openssl_init
 
-# Comment this out if you deliberately want to ignore
-# configuration errors
+# Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 
 # Extra OBJECT IDENTIFIER info:
diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf
index cb0cefba75..ce36678ee9 100644
--- a/demos/bio/accept.cnf
+++ b/demos/bio/accept.cnf
@@ -1,10 +1,16 @@
 # Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Port to listen on
 Port = 4433
+
 # Disable TLS v1.2 for test.
 # Protocol = ALL, -TLSv1.2
 # Only support 3 curves
 Curves = P-521:P-384:P-256
+
 # Restricted signature algorithms
 SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
 Certificate=server.pem
diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf
index 39ac54edd9..df514dba79 100644
--- a/demos/bio/cmod.cnf
+++ b/demos/bio/cmod.cnf
@@ -4,6 +4,9 @@
 # and section containing configuration
 testapp = test_sect
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [test_sect]
 # list of configuration modules
 
diff --git a/demos/bio/connect.cnf b/demos/bio/connect.cnf
index ab764403a4..0049a77b2d 100644
--- a/demos/bio/connect.cnf
+++ b/demos/bio/connect.cnf
@@ -1,9 +1,15 @@
 # Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Connects to the default port of s_server
 Connect = localhost:4433
+
 # Disable TLS v1.2 for test.
 # Protocol = ALL, -TLSv1.2
 # Only support 3 curves
 Curves = P-521:P-384:P-256
+
 # Restricted signature algorithms
 SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 07a3d10b55..72ed70de75 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -7,6 +7,10 @@
 HOME			= .
 CN			= "Not Defined"
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
 ####################################################################
 [ req ]
 default_bits		= 2048
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 2fbf20490b..e0c73c4eef 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -8,6 +8,9 @@ HOME			= .
 CN			= "Not Defined"
 default_ca		= ca
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 ####################################################################
 [ req ]
 default_bits		= 1024
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index e232e7023e..50f68cbc19 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,6 +3,9 @@
 # This config is used by the Time Stamp Authority tests.
 #
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Extra OBJECT IDENTIFIER info:
 oid_section		= new_oids
 
diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
index f6663924ae..463b49954c 100644
--- a/test/ca-and-certs.cnf
+++ b/test/ca-and-certs.cnf
@@ -1,4 +1,7 @@
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 CN2 = Brother 2
 
 ####################################################################
diff --git a/test/ct/log_list.cnf b/test/ct/log_list.cnf
index 4b68e53558..b723b8c9f6 100644
--- a/test/ct/log_list.cnf
+++ b/test/ct/log_list.cnf
@@ -1,5 +1,8 @@
 enabled_logs=test,pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [test]
 description = https://github.com/google/certificate-transparency/tree/99218b6445906a81f219d84e9c6d2683e13e4e58/test/testdata
 key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==
diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
index 7a4d765591..2ca6487fd2 100644
--- a/test/default-and-fips.cnf
+++ b/test/default-and-fips.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 .include fipsmodule.cnf
 
 [openssl_init]
diff --git a/test/default-and-legacy.cnf b/test/default-and-legacy.cnf
index adfa225f64..4e288a45ea 100644
--- a/test/default-and-legacy.cnf
+++ b/test/default-and-legacy.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [openssl_init]
 providers = provider_sect
 
diff --git a/test/default.cnf b/test/default.cnf
index 12da8cb5bd..f29d0e92ba 100644
--- a/test/default.cnf
+++ b/test/default.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [openssl_init]
 providers = provider_sect
 
diff --git a/test/fips-and-base.cnf b/test/fips-and-base.cnf
index 0caf2b88a4..494e96a87e 100644
--- a/test/fips-and-base.cnf
+++ b/test/fips-and-base.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 .include fipsmodule.cnf
 
 [openssl_init]
diff --git a/test/fips.cnf b/test/fips.cnf
index fa131a8bf6..74349c80ae 100644
--- a/test/fips.cnf
+++ b/test/fips.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 .include fipsmodule.cnf
 
 [openssl_init]
diff --git a/test/legacy.cnf b/test/legacy.cnf
index 60b09a1e34..ffbcbd16ba 100644
--- a/test/legacy.cnf
+++ b/test/legacy.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [openssl_init]
 providers = provider_sect
 
diff --git a/test/provider_internal_test.cnf.in b/test/provider_internal_test.cnf.in
index 12c292437e..16c555c844 100644
--- a/test/provider_internal_test.cnf.in
+++ b/test/provider_internal_test.cnf.in
@@ -1,3 +1,6 @@
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 {- use platform -}
 openssl_conf = openssl_init
 
diff --git a/test/proxy.cnf b/test/proxy.cnf
index ceac227c04..cfb862cbda 100644
--- a/test/proxy.cnf
+++ b/test/proxy.cnf
@@ -1,6 +1,9 @@
 
 ## Config file for proxy certificate testing.
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [ req ]
 distinguished_name	= req_distinguished_name_p1
 encrypt_rsa_key		= no
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 00d40e7479..31bddea1fa 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -2,6 +2,9 @@
 # OpenSSL example configuration file for automated certificate creation.
 #
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf
index 5473d837c1..0094831608 100644
--- a/test/sysdefault.cnf
+++ b/test/sysdefault.cnf
@@ -1,5 +1,8 @@
 # Configuration file to test system default SSL configuration
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 openssl_conf = default_conf
 
 [ default_conf ]
-- 
2.34.1