Move the loading of the ssl_conf module to libcrypto
The GOST engine needs to be loaded before we initialise libssl. Otherwise the GOST ciphersuites are not enabled. However the SSL conf module must be loaded before we initialise libcrypto. Otherwise we will fail to read the SSL config from a config file properly. Another problem is that an application may make use of both libcrypto and libssl. If it does libcrypto work first, so that OPENSSL_init_crypto() is called and loads a config file, that load will fail if the config file contains any libssl sections. This commit separates out the loading of the SSL conf module from the interpretation of its contents. The loading piece doesn't know anything about SSL so this can be moved to libcrypto. The interpretation of what it means remains in libssl. This means we can load the SSL conf data before libssl is there and interpret it when it later becomes available. Fixes #5809 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5818)
parent
4845aeba4c
commit
d8f031e890
12 changed files with 253 additions and 131 deletions
|
@ -1,4 +1,4 @@
|
||||||
LIBS=../../libcrypto
|
LIBS=../../libcrypto
|
||||||
SOURCE[../../libcrypto]= \
|
SOURCE[../../libcrypto]= \
|
||||||
conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \
|
conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \
|
||||||
conf_mall.c conf_sap.c
|
conf_mall.c conf_sap.c conf_ssl.c
|
||||||
|
|
|
@ -36,6 +36,7 @@ static const ERR_STRING_DATA CONF_str_functs[] = {
|
||||||
{ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_LOAD_FP, 0), "NCONF_load_fp"},
|
{ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_LOAD_FP, 0), "NCONF_load_fp"},
|
||||||
{ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_NEW, 0), "NCONF_new"},
|
{ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_NEW, 0), "NCONF_new"},
|
||||||
{ERR_PACK(ERR_LIB_CONF, CONF_F_PROCESS_INCLUDE, 0), "process_include"},
|
{ERR_PACK(ERR_LIB_CONF, CONF_F_PROCESS_INCLUDE, 0), "process_include"},
|
||||||
|
{ERR_PACK(ERR_LIB_CONF, CONF_F_SSL_MODULE_INIT, 0), "ssl_module_init"},
|
||||||
{ERR_PACK(ERR_LIB_CONF, CONF_F_STR_COPY, 0), "str_copy"},
|
{ERR_PACK(ERR_LIB_CONF, CONF_F_STR_COPY, 0), "str_copy"},
|
||||||
{0, NULL}
|
{0, NULL}
|
||||||
};
|
};
|
||||||
|
@ -61,6 +62,13 @@ static const ERR_STRING_DATA CONF_str_reasons[] = {
|
||||||
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_NO_VALUE), "no value"},
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_NO_VALUE), "no value"},
|
||||||
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
|
||||||
"recursive directory include"},
|
"recursive directory include"},
|
||||||
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_EMPTY),
|
||||||
|
"ssl command section empty"},
|
||||||
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_NOT_FOUND),
|
||||||
|
"ssl command section not found"},
|
||||||
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_SECTION_EMPTY), "ssl section empty"},
|
||||||
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_SECTION_NOT_FOUND),
|
||||||
|
"ssl section not found"},
|
||||||
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNABLE_TO_CREATE_NEW_SECTION),
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNABLE_TO_CREATE_NEW_SECTION),
|
||||||
"unable to create new section"},
|
"unable to create new section"},
|
||||||
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNKNOWN_MODULE_NAME),
|
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNKNOWN_MODULE_NAME),
|
||||||
|
|
11
crypto/conf/conf_lcl.h
Normal file
11
crypto/conf/conf_lcl.h
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
void conf_add_ssl_module(void);
|
||||||
|
|
|
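Review bot: The new crypto/conf/conf_lcl.h has no include guard, unlike include/internal/sslconf.h added in the same commit, and it is already included from two translation units (conf_mall.c and conf_ssl.c); wrapping it in `#ifndef HEADER_CONF_LCL_H` / `# define HEADER_CONF_LCL_H` / `#endif` keeps it safe to include more than once as the local header grows. A one-line comment on `void conf_add_ssl_module(void);` stating that it registers the "ssl_conf" CONF module whose data is only parsed here and interpreted by libssl would also tell a reader why a libcrypto header mentions SSL at all.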
@ -14,6 +14,7 @@
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
#include <openssl/asn1.h>
|
#include <openssl/asn1.h>
|
||||||
#include <openssl/engine.h>
|
#include <openssl/engine.h>
|
||||||
|
#include "conf_lcl.h"
|
||||||
|
|
||||||
/* Load all OpenSSL builtin modules */
|
/* Load all OpenSSL builtin modules */
|
||||||
|
|
||||||
|
@ -26,4 +27,5 @@ void OPENSSL_load_builtin_modules(void)
|
||||||
ENGINE_add_conf_module();
|
ENGINE_add_conf_module();
|
||||||
#endif
|
#endif
|
||||||
EVP_add_alg_module();
|
EVP_add_alg_module();
|
||||||
|
conf_add_ssl_module();
|
||||||
}
|
}
|
||||||
|
|
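Review bot: The new `conf_add_ssl_module();` at the end of OPENSSL_load_builtin_modules() is the only registration in that function on behalf of another library, and nothing at the call site says why it lives in libcrypto, so a later cleanup could plausibly move it back and reintroduce the ordering bug this commit fixes. A comment such as `/* Registered here, not in libssl, so the ssl_conf section is captured even when the config is loaded before libssl initialises; libssl interprets it later */` would preserve the reasoning from the commit message. The body of OPENSSL_load_builtin_modules() starts outside the hunk.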
178
crypto/conf/conf_ssl.c
Normal file
178
crypto/conf/conf_ssl.c
Normal file
|
@ -0,0 +1,178 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <openssl/conf.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include "internal/sslconf.h"
|
||||||
|
#include "conf_lcl.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* SSL library configuration module placeholder. We load it here but defer
|
||||||
|
* all decisions about its contents to libssl.
|
||||||
|
*/
|
||||||
|
|
||||||
|
struct ssl_conf_name_st {
|
||||||
|
/* Name of this set of commands */
|
||||||
|
char *name;
|
||||||
|
/* List of commands */
|
||||||
|
SSL_CONF_CMD *cmds;
|
||||||
|
/* Number of commands */
|
||||||
|
size_t cmd_count;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct ssl_conf_cmd_st {
|
||||||
|
/* Command */
|
||||||
|
char *cmd;
|
||||||
|
/* Argument */
|
||||||
|
char *arg;
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct ssl_conf_name_st *ssl_names;
|
||||||
|
static size_t ssl_names_count;
|
||||||
|
|
||||||
|
static void ssl_module_free(CONF_IMODULE *md)
|
||||||
|
{
|
||||||
|
size_t i, j;
|
||||||
|
if (ssl_names == NULL)
|
||||||
|
return;
|
||||||
|
for (i = 0; i < ssl_names_count; i++) {
|
||||||
|
struct ssl_conf_name_st *tname = ssl_names + i;
|
||||||
|
|
||||||
|
OPENSSL_free(tname->name);
|
||||||
|
for (j = 0; j < tname->cmd_count; j++) {
|
||||||
|
OPENSSL_free(tname->cmds[j].cmd);
|
||||||
|
OPENSSL_free(tname->cmds[j].arg);
|
||||||
|
}
|
||||||
|
OPENSSL_free(tname->cmds);
|
||||||
|
}
|
||||||
|
OPENSSL_free(ssl_names);
|
||||||
|
ssl_names = NULL;
|
||||||
|
ssl_names_count = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
|
||||||
|
{
|
||||||
|
size_t i, j, cnt;
|
||||||
|
int rv = 0;
|
||||||
|
const char *ssl_conf_section;
|
||||||
|
STACK_OF(CONF_VALUE) *cmd_lists;
|
||||||
|
|
||||||
|
ssl_conf_section = CONF_imodule_get_value(md);
|
||||||
|
cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
|
||||||
|
if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
|
||||||
|
if (cmd_lists == NULL)
|
||||||
|
CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_NOT_FOUND);
|
||||||
|
else
|
||||||
|
CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_EMPTY);
|
||||||
|
ERR_add_error_data(2, "section=", ssl_conf_section);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
cnt = sk_CONF_VALUE_num(cmd_lists);
|
||||||
|
ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
|
||||||
|
ssl_names_count = cnt;
|
||||||
|
for (i = 0; i < ssl_names_count; i++) {
|
||||||
|
struct ssl_conf_name_st *ssl_name = ssl_names + i;
|
||||||
|
CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
|
||||||
|
STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
|
||||||
|
|
||||||
|
if (sk_CONF_VALUE_num(cmds) <= 0) {
|
||||||
|
if (cmds == NULL)
|
||||||
|
CONFerr(CONF_F_SSL_MODULE_INIT,
|
||||||
|
CONF_R_SSL_COMMAND_SECTION_NOT_FOUND);
|
||||||
|
else
|
||||||
|
CONFerr(CONF_F_SSL_MODULE_INIT,
|
||||||
|
CONF_R_SSL_COMMAND_SECTION_EMPTY);
|
||||||
|
ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
ssl_name->name = OPENSSL_strdup(sect->name);
|
||||||
|
if (ssl_name->name == NULL)
|
||||||
|
goto err;
|
||||||
|
cnt = sk_CONF_VALUE_num(cmds);
|
||||||
|
ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd_st));
|
||||||
|
if (ssl_name->cmds == NULL)
|
||||||
|
goto err;
|
||||||
|
ssl_name->cmd_count = cnt;
|
||||||
|
for (j = 0; j < cnt; j++) {
|
||||||
|
const char *name;
|
||||||
|
CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
|
||||||
|
struct ssl_conf_cmd_st *cmd = ssl_name->cmds + j;
|
||||||
|
|
||||||
|
/* Skip any initial dot in name */
|
||||||
|
name = strchr(cmd_conf->name, '.');
|
||||||
|
if (name != NULL)
|
||||||
|
name++;
|
||||||
|
else
|
||||||
|
name = cmd_conf->name;
|
||||||
|
cmd->cmd = OPENSSL_strdup(name);
|
||||||
|
cmd->arg = OPENSSL_strdup(cmd_conf->value);
|
||||||
|
if (cmd->cmd == NULL || cmd->arg == NULL)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
rv = 1;
|
||||||
|
err:
|
||||||
|
if (rv == 0)
|
||||||
|
ssl_module_free(md);
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Returns the set of commands with index |idx| previously searched for via
|
||||||
|
* conf_ssl_name_find. Also stores the name of the set of commands in |*name|
|
||||||
|
* and the number of commands in the set in |*cnt|.
|
||||||
|
*/
|
||||||
|
const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt)
|
||||||
|
{
|
||||||
|
*name = ssl_names[idx].name;
|
||||||
|
*cnt = ssl_names[idx].cmd_count;
|
||||||
|
return ssl_names[idx].cmds;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Search for the named set of commands given in |name|. On success return the
|
||||||
|
* index for the command set in |*idx|.
|
||||||
|
* Returns 1 on success or 0 on failure.
|
||||||
|
*/
|
||||||
|
int conf_ssl_name_find(const char *name, size_t *idx)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
const struct ssl_conf_name_st *nm;
|
||||||
|
|
||||||
|
if (name == NULL)
|
||||||
|
return 0;
|
||||||
|
for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
|
||||||
|
if (strcmp(nm->name, name) == 0) {
|
||||||
|
*idx = i;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Given a command set |cmd|, return details on the command at index |idx| which
|
||||||
|
* must be less than the number of commands in the set (as returned by
|
||||||
|
* conf_ssl_get). The name of the command will be returned in |*cmdstr| and the
|
||||||
|
* argument is returned in |*arg|.
|
||||||
|
*/
|
||||||
|
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
||||||
|
char **arg)
|
||||||
|
{
|
||||||
|
*cmdstr = cmd[idx].cmd;
|
||||||
|
*arg = cmd[idx].arg;
|
||||||
|
}
|
||||||
|
|
||||||
|
void conf_add_ssl_module(void)
|
||||||
|
{
|
||||||
|
CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
|
||||||
|
}
|
|
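Review bot: In ssl_module_init the result of `ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);` is never checked before `ssl_names_count = cnt;` and the loop that dereferences `ssl_names + i`, so an allocation failure while reading the config becomes a NULL dereference rather than a clean error; add `if (ssl_names == NULL) goto err;` directly after the allocation (ssl_module_free already tolerates a NULL table, and the per-name `ssl_name->cmds` allocation a few lines down is checked, so this is the one gap). The same function also overwrites `ssl_names` unconditionally, so if the module were initialised a second time without ssl_module_free running in between the earlier table would leak; presumably CONF_modules_finish handles that, but it is worth confirming. conf_ssl_get and conf_ssl_get_cmd index `ssl_names[idx]` and `cmd[idx]` with no range check and are exported from libcrypto, so their comments should state explicitly that `idx` must come from conf_ssl_name_find (respectively be below the count returned by conf_ssl_get) and that the returned pointers are owned by the module and valid only until it is freed.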
@ -335,6 +335,7 @@ CONF_F_NCONF_LOAD_BIO:110:NCONF_load_bio
|
||||||
CONF_F_NCONF_LOAD_FP:114:NCONF_load_fp
|
CONF_F_NCONF_LOAD_FP:114:NCONF_load_fp
|
||||||
CONF_F_NCONF_NEW:111:NCONF_new
|
CONF_F_NCONF_NEW:111:NCONF_new
|
||||||
CONF_F_PROCESS_INCLUDE:116:process_include
|
CONF_F_PROCESS_INCLUDE:116:process_include
|
||||||
|
CONF_F_SSL_MODULE_INIT:122:ssl_module_init
|
||||||
CONF_F_STR_COPY:101:str_copy
|
CONF_F_STR_COPY:101:str_copy
|
||||||
CRYPTO_F_CRYPTO_DUP_EX_DATA:110:CRYPTO_dup_ex_data
|
CRYPTO_F_CRYPTO_DUP_EX_DATA:110:CRYPTO_dup_ex_data
|
||||||
CRYPTO_F_CRYPTO_FREE_EX_DATA:111:CRYPTO_free_ex_data
|
CRYPTO_F_CRYPTO_FREE_EX_DATA:111:CRYPTO_free_ex_data
|
||||||
|
@ -1952,6 +1953,10 @@ CONF_R_NO_SECTION:107:no section
|
||||||
CONF_R_NO_SUCH_FILE:114:no such file
|
CONF_R_NO_SUCH_FILE:114:no such file
|
||||||
CONF_R_NO_VALUE:108:no value
|
CONF_R_NO_VALUE:108:no value
|
||||||
CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
|
CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
|
||||||
|
CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
|
||||||
|
CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
|
||||||
|
CONF_R_SSL_SECTION_EMPTY:119:ssl section empty
|
||||||
|
CONF_R_SSL_SECTION_NOT_FOUND:120:ssl section not found
|
||||||
CONF_R_UNABLE_TO_CREATE_NEW_SECTION:103:unable to create new section
|
CONF_R_UNABLE_TO_CREATE_NEW_SECTION:103:unable to create new section
|
||||||
CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name
|
CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name
|
||||||
CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long
|
CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long
|
||||||
|
|
20
include/internal/sslconf.h
Normal file
20
include/internal/sslconf.h
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef HEADER_SSLCONF_H
|
||||||
|
# define HEADER_SSLCONF_H
|
||||||
|
|
||||||
|
typedef struct ssl_conf_cmd_st SSL_CONF_CMD;
|
||||||
|
|
||||||
|
const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt);
|
||||||
|
int conf_ssl_name_find(const char *name, size_t *idx);
|
||||||
|
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
||||||
|
char **arg);
|
||||||
|
|
||||||
|
#endif
|
|
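Review bot: include/internal/sslconf.h uses `size_t` in all three prototypes but includes nothing, so it only compiles when the includer has already pulled in a header that defines it; add `# include <stddef.h>` after the guard so the header stands on its own. conf_ssl_get_cmd also returns `char **cmdstr` and `char **arg` to a caller that only reads them; `const char **` would document that libssl must not modify libcrypto's copies of the config strings. Since these symbols are exported from libcrypto, a short comment on each prototype saying where a valid `idx` comes from and who owns the returned memory would help the next user of the API.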
@ -40,6 +40,7 @@ int ERR_load_CONF_strings(void);
|
||||||
# define CONF_F_NCONF_LOAD_FP 114
|
# define CONF_F_NCONF_LOAD_FP 114
|
||||||
# define CONF_F_NCONF_NEW 111
|
# define CONF_F_NCONF_NEW 111
|
||||||
# define CONF_F_PROCESS_INCLUDE 116
|
# define CONF_F_PROCESS_INCLUDE 116
|
||||||
|
# define CONF_F_SSL_MODULE_INIT 122
|
||||||
# define CONF_F_STR_COPY 101
|
# define CONF_F_STR_COPY 101
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -58,6 +59,10 @@ int ERR_load_CONF_strings(void);
|
||||||
# define CONF_R_NO_SUCH_FILE 114
|
# define CONF_R_NO_SUCH_FILE 114
|
||||||
# define CONF_R_NO_VALUE 108
|
# define CONF_R_NO_VALUE 108
|
||||||
# define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111
|
# define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111
|
||||||
|
# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117
|
||||||
|
# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118
|
||||||
|
# define CONF_R_SSL_SECTION_EMPTY 119
|
||||||
|
# define CONF_R_SSL_SECTION_NOT_FOUND 120
|
||||||
# define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103
|
# define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103
|
||||||
# define CONF_R_UNKNOWN_MODULE_NAME 113
|
# define CONF_R_UNKNOWN_MODULE_NAME 113
|
||||||
# define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116
|
# define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116
|
||||||
|
|
|
@ -106,7 +106,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
|
||||||
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
|
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
|
||||||
"SSL_add_ssl_module()\n");
|
"SSL_add_ssl_module()\n");
|
||||||
#endif
|
#endif
|
||||||
SSL_add_ssl_module();
|
|
||||||
/*
|
/*
|
||||||
* We ignore an error return here. Not much we can do - but not that bad
|
* We ignore an error return here. Not much we can do - but not that bad
|
||||||
* either. We can still safely continue.
|
* either. We can still safely continue.
|
||||||
|
@ -195,11 +194,14 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
|
if (!OPENSSL_init_crypto(opts
|
||||||
|
| OPENSSL_INIT_LOAD_CONFIG
|
||||||
|
| OPENSSL_INIT_ADD_ALL_CIPHERS
|
||||||
|
| OPENSSL_INIT_ADD_ALL_DIGESTS,
|
||||||
|
settings))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!OPENSSL_init_crypto(opts | OPENSSL_INIT_ADD_ALL_CIPHERS
|
if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
|
||||||
| OPENSSL_INIT_ADD_ALL_DIGESTS, settings))
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS)
|
if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS)
|
||||||
|
|
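Review bot: OPENSSL_init_ssl now unconditionally ORs OPENSSL_INIT_LOAD_CONFIG into the flags handed to OPENSSL_init_crypto(), and nothing at the call site explains why that call was moved ahead of `RUN_ONCE(&ssl_base, ossl_init_ssl_base)`; a comment such as `/* Load the config (engines and the ssl_conf data) before libssl's own init so engine-provided ciphersuites are available when libssl sets up */` would keep the reasoning from the commit message next to the code. If a caller passes OPENSSL_INIT_NO_LOAD_CONFIG, both the no-load and load flags now reach OPENSSL_init_crypto() together; as far as I recall the no-load flag takes precedence there, but that should be confirmed and stated at this call. OPENSSL_init_ssl starts and ends outside the hunk.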
139
ssl/ssl_mcnf.c
139
ssl/ssl_mcnf.c
|
@ -11,139 +11,23 @@
|
||||||
#include <openssl/conf.h>
|
#include <openssl/conf.h>
|
||||||
#include <openssl/ssl.h>
|
#include <openssl/ssl.h>
|
||||||
#include "ssl_locl.h"
|
#include "ssl_locl.h"
|
||||||
|
#include "internal/sslconf.h"
|
||||||
|
|
||||||
/* SSL library configuration module. */
|
/* SSL library configuration module. */
|
||||||
|
|
||||||
struct ssl_conf_name {
|
|
||||||
/* Name of this set of commands */
|
|
||||||
char *name;
|
|
||||||
/* List of commands */
|
|
||||||
struct ssl_conf_cmd *cmds;
|
|
||||||
/* Number of commands */
|
|
||||||
size_t cmd_count;
|
|
||||||
};
|
|
||||||
|
|
||||||
struct ssl_conf_cmd {
|
|
||||||
/* Command */
|
|
||||||
char *cmd;
|
|
||||||
/* Argument */
|
|
||||||
char *arg;
|
|
||||||
};
|
|
||||||
|
|
||||||
static struct ssl_conf_name *ssl_names;
|
|
||||||
static size_t ssl_names_count;
|
|
||||||
|
|
||||||
static void ssl_module_free(CONF_IMODULE *md)
|
|
||||||
{
|
|
||||||
size_t i, j;
|
|
||||||
if (ssl_names == NULL)
|
|
||||||
return;
|
|
||||||
for (i = 0; i < ssl_names_count; i++) {
|
|
||||||
struct ssl_conf_name *tname = ssl_names + i;
|
|
||||||
OPENSSL_free(tname->name);
|
|
||||||
for (j = 0; j < tname->cmd_count; j++) {
|
|
||||||
OPENSSL_free(tname->cmds[j].cmd);
|
|
||||||
OPENSSL_free(tname->cmds[j].arg);
|
|
||||||
}
|
|
||||||
OPENSSL_free(tname->cmds);
|
|
||||||
}
|
|
||||||
OPENSSL_free(ssl_names);
|
|
||||||
ssl_names = NULL;
|
|
||||||
ssl_names_count = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
|
|
||||||
{
|
|
||||||
size_t i, j, cnt;
|
|
||||||
int rv = 0;
|
|
||||||
const char *ssl_conf_section;
|
|
||||||
STACK_OF(CONF_VALUE) *cmd_lists;
|
|
||||||
ssl_conf_section = CONF_imodule_get_value(md);
|
|
||||||
cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
|
|
||||||
if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
|
|
||||||
if (cmd_lists == NULL)
|
|
||||||
SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
|
|
||||||
else
|
|
||||||
SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
|
|
||||||
ERR_add_error_data(2, "section=", ssl_conf_section);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
cnt = sk_CONF_VALUE_num(cmd_lists);
|
|
||||||
ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
|
|
||||||
ssl_names_count = cnt;
|
|
||||||
for (i = 0; i < ssl_names_count; i++) {
|
|
||||||
struct ssl_conf_name *ssl_name = ssl_names + i;
|
|
||||||
CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
|
|
||||||
STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
|
|
||||||
if (sk_CONF_VALUE_num(cmds) <= 0) {
|
|
||||||
if (cmds == NULL)
|
|
||||||
SSLerr(SSL_F_SSL_MODULE_INIT,
|
|
||||||
SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
|
|
||||||
else
|
|
||||||
SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
|
|
||||||
ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
ssl_name->name = BUF_strdup(sect->name);
|
|
||||||
if (ssl_name->name == NULL)
|
|
||||||
goto err;
|
|
||||||
cnt = sk_CONF_VALUE_num(cmds);
|
|
||||||
ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
|
|
||||||
if (ssl_name->cmds == NULL)
|
|
||||||
goto err;
|
|
||||||
ssl_name->cmd_count = cnt;
|
|
||||||
for (j = 0; j < cnt; j++) {
|
|
||||||
const char *name;
|
|
||||||
CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
|
|
||||||
struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
|
|
||||||
/* Skip any initial dot in name */
|
|
||||||
name = strchr(cmd_conf->name, '.');
|
|
||||||
if (name != NULL)
|
|
||||||
name++;
|
|
||||||
else
|
|
||||||
name = cmd_conf->name;
|
|
||||||
cmd->cmd = BUF_strdup(name);
|
|
||||||
cmd->arg = BUF_strdup(cmd_conf->value);
|
|
||||||
if (cmd->cmd == NULL || cmd->arg == NULL)
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
rv = 1;
|
|
||||||
err:
|
|
||||||
if (rv == 0)
|
|
||||||
ssl_module_free(md);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
void SSL_add_ssl_module(void)
|
void SSL_add_ssl_module(void)
|
||||||
{
|
{
|
||||||
CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
|
/* Do nothing. This will be added automatically by libcrypto */
|
||||||
}
|
|
||||||
|
|
||||||
static const struct ssl_conf_name *ssl_name_find(const char *name)
|
|
||||||
{
|
|
||||||
size_t i;
|
|
||||||
const struct ssl_conf_name *nm;
|
|
||||||
|
|
||||||
if (name == NULL)
|
|
||||||
return NULL;
|
|
||||||
for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
|
|
||||||
if (strcmp(nm->name, name) == 0)
|
|
||||||
return nm;
|
|
||||||
}
|
|
||||||
return NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
|
static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
|
||||||
{
|
{
|
||||||
SSL_CONF_CTX *cctx = NULL;
|
SSL_CONF_CTX *cctx = NULL;
|
||||||
size_t i;
|
size_t i, idx, cmd_count;
|
||||||
int rv = 0;
|
int rv = 0;
|
||||||
unsigned int flags;
|
unsigned int flags;
|
||||||
const SSL_METHOD *meth;
|
const SSL_METHOD *meth;
|
||||||
const struct ssl_conf_name *nm;
|
const SSL_CONF_CMD *cmds;
|
||||||
struct ssl_conf_cmd *cmd;
|
|
||||||
|
|
||||||
if (s == NULL && ctx == NULL) {
|
if (s == NULL && ctx == NULL) {
|
||||||
SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
|
SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
|
||||||
|
@ -152,14 +36,14 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
|
||||||
|
|
||||||
if (name == NULL && system)
|
if (name == NULL && system)
|
||||||
name = "system_default";
|
name = "system_default";
|
||||||
nm = ssl_name_find(name);
|
if (!conf_ssl_name_find(name, &idx)) {
|
||||||
if (nm == NULL) {
|
|
||||||
if (!system) {
|
if (!system) {
|
||||||
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
|
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
|
||||||
ERR_add_error_data(2, "name=", name);
|
ERR_add_error_data(2, "name=", name);
|
||||||
}
|
}
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
cmds = conf_ssl_get(idx, &name, &cmd_count);
|
||||||
cctx = SSL_CONF_CTX_new();
|
cctx = SSL_CONF_CTX_new();
|
||||||
if (cctx == NULL)
|
if (cctx == NULL)
|
||||||
goto err;
|
goto err;
|
||||||
|
@ -178,15 +62,18 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
|
||||||
if (meth->ssl_connect != ssl_undefined_function)
|
if (meth->ssl_connect != ssl_undefined_function)
|
||||||
flags |= SSL_CONF_FLAG_CLIENT;
|
flags |= SSL_CONF_FLAG_CLIENT;
|
||||||
SSL_CONF_CTX_set_flags(cctx, flags);
|
SSL_CONF_CTX_set_flags(cctx, flags);
|
||||||
for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
|
for (i = 0; i < cmd_count; i++) {
|
||||||
rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
|
char *cmdstr, *arg;
|
||||||
|
|
||||||
|
conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
|
||||||
|
rv = SSL_CONF_cmd(cctx, cmdstr, arg);
|
||||||
if (rv <= 0) {
|
if (rv <= 0) {
|
||||||
if (rv == -2)
|
if (rv == -2)
|
||||||
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
|
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
|
||||||
else
|
else
|
||||||
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
|
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
|
||||||
ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
|
ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr,
|
||||||
", arg=", cmd->arg);
|
", arg=", arg);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
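Review bot: In ssl_do_config the new line `cmds = conf_ssl_get(idx, &name, &cmd_count);` silently replaces the function's `name` argument with the pointer held in libcrypto's table, and that replaced pointer is what the later `ERR_add_error_data(6, "section=", name, ...)` reports; a one-line comment saying the substitution is intentional (same string, now owned by the conf module) would save the next reader a double take. The loop declares `char *cmdstr, *arg;` although SSL_CONF_cmd only reads them, so if conf_ssl_get_cmd's out-parameters were `const char **` the non-const view into libcrypto's storage would disappear here too. The now-empty SSL_add_ssl_module() keeps the exported symbol, which is the right call for ABI, but its comment could state that the "ssl_conf" module is registered by OPENSSL_load_builtin_modules() in libcrypto so callers know where to look. ssl_do_config starts and ends outside the hunk.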
@ -4524,3 +4524,6 @@ SM2_do_verify 4465 1_1_1 EXIST::FUNCTION:SM2
|
||||||
SM2_sign 4466 1_1_1 EXIST::FUNCTION:SM2
|
SM2_sign 4466 1_1_1 EXIST::FUNCTION:SM2
|
||||||
ERR_load_SM2_strings 4467 1_1_1 EXIST::FUNCTION:SM2
|
ERR_load_SM2_strings 4467 1_1_1 EXIST::FUNCTION:SM2
|
||||||
SM2_plaintext_size 4468 1_1_1 EXIST::FUNCTION:SM2
|
SM2_plaintext_size 4468 1_1_1 EXIST::FUNCTION:SM2
|
||||||
|
conf_ssl_name_find 4469 1_1_0i EXIST::FUNCTION:
|
||||||
|
conf_ssl_get_cmd 4470 1_1_0i EXIST::FUNCTION:
|
||||||
|
conf_ssl_get 4471 1_1_0i EXIST::FUNCTION:
|
||||||
|
|
|
@ -241,6 +241,7 @@ my $crypto ="include/internal/dso.h";
|
||||||
$crypto.=" include/internal/o_dir.h";
|
$crypto.=" include/internal/o_dir.h";
|
||||||
$crypto.=" include/internal/o_str.h";
|
$crypto.=" include/internal/o_str.h";
|
||||||
$crypto.=" include/internal/err.h";
|
$crypto.=" include/internal/err.h";
|
||||||
|
$crypto.=" include/internal/sslconf.h";
|
||||||
foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
|
foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
|
||||||
my $fn = "include/openssl/" . lc(basename($f));
|
my $fn = "include/openssl/" . lc(basename($f));
|
||||||
$crypto .= " $fn" if !defined $skipthese{$fn};
|
$crypto .= " $fn" if !defined $skipthese{$fn};
|
||||||
|
|