Introduce SSL_CTX_new_with_libex()

We add the ability to specify an OPENSSL_CTX (which may be NULL for the default context) and a property query string for use during algorithm fetch operations. For example, in this way one SSL_CTX could be used the default provider, and another one could be used with the FIPS provider. At this stage we don't use these values. That will come later. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10866)
2024-11-27 05:21:51 +08:00 · 2020-01-16 12:13:09 +00:00 · 2020-01-16 12:13:09 +00:00 · ba18627e4a
commit ba18627e4a
parent 7b131de2bb
4 changed files with 30 additions and 8 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -1524,6 +1524,8 @@ void BIO_ssl_shutdown(BIO *ssl_bio);

 __owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
+__owur SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
+                                        const SSL_METHOD *meth);
 int SSL_CTX_up_ref(SSL_CTX *ctx);
 void SSL_CTX_free(SSL_CTX *);
 __owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -3032,12 +3032,13 @@ static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
 * via ssl.h.
 */

-SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
+                                 const SSL_METHOD *meth)
 {
    SSL_CTX *ret = NULL;

    if (meth == NULL) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
+        SSLerr(0, SSL_R_NULL_SSL_METHOD_PASSED);
        return NULL;
    }

@ -3045,13 +3046,20 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        return NULL;

    if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+        SSLerr(0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
        goto err;
    }
    ret = OPENSSL_zalloc(sizeof(*ret));
    if (ret == NULL)
        goto err;

+    ret->libctx = libctx;
+    if (propq != NULL) {
+        ret->propq = OPENSSL_strdup(propq);
+        if (ret->propq == NULL)
+            goto err;
+    }
+
    ret->method = meth;
    ret->min_proto_version = 0;
    ret->max_proto_version = 0;
@ -3063,7 +3071,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
    ret->references = 1;
    ret->lock = CRYPTO_THREAD_lock_new();
    if (ret->lock == NULL) {
-        SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+        SSLerr(0, ERR_R_MALLOC_FAILURE);
        OPENSSL_free(ret);
        return NULL;
    }
@ -3092,7 +3100,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
                                &ret->cipher_list, &ret->cipher_list_by_id,
                                OSSL_default_cipher_list(), ret->cert)
        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+        SSLerr(0, SSL_R_LIBRARY_HAS_NO_CIPHERS);
        goto err2;
    }

@ -3101,11 +3109,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        goto err;

    if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+        SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
        goto err2;
    }
    if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+        SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
        goto err2;
    }

@ -3215,12 +3223,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)

    return ret;
 err:
-    SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+    SSLerr(0, ERR_R_MALLOC_FAILURE);
 err2:
    SSL_CTX_free(ret);
    return NULL;
 }

+SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+{
+    return SSL_CTX_new_with_libctx(NULL, NULL, meth);
+}
+
 int SSL_CTX_up_ref(SSL_CTX *ctx)
 {
    int i;
@ -3294,6 +3307,8 @@ void SSL_CTX_free(SSL_CTX *a)

    CRYPTO_THREAD_lock_free(a->lock);

+    OPENSSL_free(a->propq);
+
    OPENSSL_free(a);
 }

--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@ -738,6 +738,8 @@ typedef struct ssl_ctx_ext_secure_st {
 } SSL_CTX_EXT_SECURE;

 struct ssl_ctx_st {
+    OPENSSL_CTX *libctx;
+
    const SSL_METHOD *method;
    STACK_OF(SSL_CIPHER) *cipher_list;
    /* same as above but sorted for lookup */
@ -1073,6 +1075,8 @@ struct ssl_ctx_st {
    /* Callback for SSL async handling */
    SSL_async_callback_fn async_cb;
    void *async_cb_arg;
+
+    char *propq;
 };

 typedef struct cert_pkey_st CERT_PKEY;
--- a/util/libssl.num
+++ b/util/libssl.num
@ -511,3 +511,4 @@ SSL_CTX_set_default_verify_store        ?	3_0_0	EXIST::FUNCTION:
 SSL_CTX_load_verify_file                ?	3_0_0	EXIST::FUNCTION:
 SSL_CTX_load_verify_dir                 ?	3_0_0	EXIST::FUNCTION:
 SSL_CTX_load_verify_store               ?	3_0_0	EXIST::FUNCTION:
+SSL_CTX_new_with_libctx                 ?	3_0_0	EXIST::FUNCTION: