Add documentation for OSSL_LIB_CTX_set/get_conf_diagnostics

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24275)

CHANGES.md

@@ -39,7 +39,13 @@ OpenSSL 3.4
  * The X25519 and X448 key exchange implementation in the FIPS provider
    is unapproved and has `fips=no` property.
 
-   * Tomas Mraz*
+   *Tomáš Mráz*
+
+ * Setting `config_diagnostics=1` in the config file will cause errors to
+   be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
+   in the ssl module configuration.
+
+   *Tomáš Mráz*
 
  * Use an empty renegotiate extension in TLS client hellos instead of
    the empty renegotiation SCSV, for all connections with a minimum TLS

doc/build.info

@@ -1739,6 +1739,10 @@ DEPEND[html/man3/OSSL_LIB_CTX.html]=man3/OSSL_LIB_CTX.pod
 GENERATE[html/man3/OSSL_LIB_CTX.html]=man3/OSSL_LIB_CTX.pod
 DEPEND[man/man3/OSSL_LIB_CTX.3]=man3/OSSL_LIB_CTX.pod
 GENERATE[man/man3/OSSL_LIB_CTX.3]=man3/OSSL_LIB_CTX.pod
+DEPEND[html/man3/OSSL_LIB_CTX_set_conf_diagnostics.html]=man3/OSSL_LIB_CTX_set_conf_diagnostics.pod
+GENERATE[html/man3/OSSL_LIB_CTX_set_conf_diagnostics.html]=man3/OSSL_LIB_CTX_set_conf_diagnostics.pod
+DEPEND[man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3]=man3/OSSL_LIB_CTX_set_conf_diagnostics.pod
+GENERATE[man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3]=man3/OSSL_LIB_CTX_set_conf_diagnostics.pod
 DEPEND[html/man3/OSSL_PARAM.html]=man3/OSSL_PARAM.pod
 GENERATE[html/man3/OSSL_PARAM.html]=man3/OSSL_PARAM.pod
 DEPEND[man/man3/OSSL_PARAM.3]=man3/OSSL_PARAM.pod
@@ -3402,6 +3406,7 @@ html/man3/OSSL_IETF_ATTR_SYNTAX.html \
 html/man3/OSSL_IETF_ATTR_SYNTAX_print.html \
 html/man3/OSSL_ITEM.html \
 html/man3/OSSL_LIB_CTX.html \
+html/man3/OSSL_LIB_CTX_set_conf_diagnostics.html \
 html/man3/OSSL_PARAM.html \
 html/man3/OSSL_PARAM_BLD.html \
 html/man3/OSSL_PARAM_allocate_from_text.html \
@@ -4056,6 +4061,7 @@ man/man3/OSSL_IETF_ATTR_SYNTAX.3 \
 man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 \
 man/man3/OSSL_ITEM.3 \
 man/man3/OSSL_LIB_CTX.3 \
+man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 \
 man/man3/OSSL_PARAM.3 \
 man/man3/OSSL_PARAM_BLD.3 \
 man/man3/OSSL_PARAM_allocate_from_text.3 \

doc/man3/OSSL_LIB_CTX_set_conf_diagnostics.pod

@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+OSSL_LIB_CTX_set_conf_diagnostics, OSSL_LIB_CTX_get_conf_diagnostics
+- Set and get configuration diagnostics
+
+=head1 SYNOPSIS
+
+ #include <openssl/crypto.h>
+
+ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, int value);
+ int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *ctx);
+
+=head1 DESCRIPTION
+
+OSSL_LIB_CTX_set_conf_diagnostics() sets the value of the configuration
+diagnostics flag. If I<value> is nonzero subsequent parsing and application
+of configuration data can report errors that would otherwise be ignored. In
+particular any errors in the ssl configuration module will cause a failure
+of L<SSL_CTX_new(3)> and L<SSL_CTX_new_ex(3)> calls. The configuration
+diagnostics flag can be also set when a configuration file is being loaded
+into B<OSSL_LIB_CTX> with L<OSSL_LIB_CTX_load_config(3)>. If the configuration
+sets a B<config_diagnostics> value as described in L<config(5)>, it will
+override the value set by OSSL_LIB_CTX_set_conf_diagnostics() before
+loading the configuration file.
+
+OSSL_LIB_CTX_get_conf_diagnostics() returns the current value of the
+configuration diagnostics flag.
+
+=head1 RETURN VALUES
+
+OSSL_LIB_CTX_get_conf_diagnostics() returns 0 if the configuration diagnostics
+should not be performed, nonzero otherwise.
+
+=head1 SEE ALSO
+
+L<SSL_CTX_new(3)>, L<OSSL_LIB_CTX_load_config(3)>, L<config(5)>
+
+=head1 HISTORY
+
+The functions described on this page were added in OpenSSL 3.4.
+
+=head1 COPYRIGHT
+
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut