mirror of
https://github.com/openssl/openssl.git
synced 2024-11-21 01:15:20 +08:00
d8f031e890
The GOST engine needs to be loaded before we initialise libssl. Otherwise the GOST ciphersuites are not enabled. However the SSL conf module must be loaded before we initialise libcrypto. Otherwise we will fail to read the SSL config from a config file properly. Another problem is that an application may make use of both libcrypto and libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto() is called and loads a config file it will fail if that config file has any libssl stuff in it. This commit separates out the loading of the SSL conf module from the interpretation of its contents. The loading piece doesn't know anything about SSL so this can be moved to libcrypto. The interpretation of what it means remains in libssl. This means we can load the SSL conf data before libssl is there and interpret it when it later becomes available. Fixes #5809 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5818)
100 lines
2.7 KiB
C
100 lines
2.7 KiB
C
/*
|
|
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <openssl/conf.h>
|
|
#include <openssl/ssl.h>
|
|
#include "ssl_locl.h"
|
|
#include "internal/sslconf.h"
|
|
|
|
/* SSL library configuration module. */
|
|
|
|
void SSL_add_ssl_module(void)
|
|
{
|
|
/* Do nothing. This will be added automatically by libcrypto */
|
|
}
|
|
|
|
static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
|
|
{
|
|
SSL_CONF_CTX *cctx = NULL;
|
|
size_t i, idx, cmd_count;
|
|
int rv = 0;
|
|
unsigned int flags;
|
|
const SSL_METHOD *meth;
|
|
const SSL_CONF_CMD *cmds;
|
|
|
|
if (s == NULL && ctx == NULL) {
|
|
SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
|
|
goto err;
|
|
}
|
|
|
|
if (name == NULL && system)
|
|
name = "system_default";
|
|
if (!conf_ssl_name_find(name, &idx)) {
|
|
if (!system) {
|
|
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
|
|
ERR_add_error_data(2, "name=", name);
|
|
}
|
|
goto err;
|
|
}
|
|
cmds = conf_ssl_get(idx, &name, &cmd_count);
|
|
cctx = SSL_CONF_CTX_new();
|
|
if (cctx == NULL)
|
|
goto err;
|
|
flags = SSL_CONF_FLAG_FILE;
|
|
if (!system)
|
|
flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
|
|
if (s != NULL) {
|
|
meth = s->method;
|
|
SSL_CONF_CTX_set_ssl(cctx, s);
|
|
} else {
|
|
meth = ctx->method;
|
|
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
|
|
}
|
|
if (meth->ssl_accept != ssl_undefined_function)
|
|
flags |= SSL_CONF_FLAG_SERVER;
|
|
if (meth->ssl_connect != ssl_undefined_function)
|
|
flags |= SSL_CONF_FLAG_CLIENT;
|
|
SSL_CONF_CTX_set_flags(cctx, flags);
|
|
for (i = 0; i < cmd_count; i++) {
|
|
char *cmdstr, *arg;
|
|
|
|
conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
|
|
rv = SSL_CONF_cmd(cctx, cmdstr, arg);
|
|
if (rv <= 0) {
|
|
if (rv == -2)
|
|
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
|
|
else
|
|
SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
|
|
ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr,
|
|
", arg=", arg);
|
|
goto err;
|
|
}
|
|
}
|
|
rv = SSL_CONF_CTX_finish(cctx);
|
|
err:
|
|
SSL_CONF_CTX_free(cctx);
|
|
return rv <= 0 ? 0 : 1;
|
|
}
|
|
|
|
int SSL_config(SSL *s, const char *name)
|
|
{
|
|
return ssl_do_config(s, NULL, name, 0);
|
|
}
|
|
|
|
int SSL_CTX_config(SSL_CTX *ctx, const char *name)
|
|
{
|
|
return ssl_do_config(NULL, ctx, name, 0);
|
|
}
|
|
|
|
void ssl_ctx_system_config(SSL_CTX *ctx)
|
|
{
|
|
ssl_do_config(NULL, ctx, NULL, 1);
|
|
}
|