Move the loading of the ssl_conf module to libcrypto

The GOST engine needs to be loaded before we initialise libssl. Otherwise the GOST ciphersuites are not enabled. However the SSL conf module must be loaded before we initialise libcrypto. Otherwise we will fail to read the SSL config from a config file properly. Another problem is that an application may make use of both libcrypto and libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto() is called and loads a config file it will fail if that config file has any libssl stuff in it. This commit separates out the loading of the SSL conf module from the interpretation of its contents. The loading piece doesn't know anything about SSL so this can be moved to libcrypto. The interpretation of what it means remains in libssl. This means we can load the SSL conf data before libssl is there and interpret it when it later becomes available. Fixes #5809 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5818)
author: Matt Caswell <matt@openssl.org> 2018-03-30 19:19:56 +0100
committer: Matt Caswell <matt@openssl.org> 2018-04-05 15:30:12 +0100
commit: d8f031e890d35887047c35b60347ac385b989065 (patch)
tree: ee6c353be64840cf86030b5e5ffca02321310641 /ssl/ssl_mcnf.c
parent: 4845aeba4c49e1bd65259a5014d7e3ab38657d42 (diff)
1 files changed, 13 insertions, 126 deletions
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 1471a0dc72..a0e2657714 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -11,139 +11,23 @@
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
 #include "ssl_locl.h"
+#include "internal/sslconf.h"
 
 /* SSL library configuration module. */
 
-struct ssl_conf_name {
-    /* Name of this set of commands */
-    char *name;
-    /* List of commands */
-    struct ssl_conf_cmd *cmds;
-    /* Number of commands */
-    size_t cmd_count;
-};
-
-struct ssl_conf_cmd {
-    /* Command */
-    char *cmd;
-    /* Argument */
-    char *arg;
-};
-
-static struct ssl_conf_name *ssl_names;
-static size_t ssl_names_count;
-
-static void ssl_module_free(CONF_IMODULE *md)
-{
-    size_t i, j;
-    if (ssl_names == NULL)
-        return;
-    for (i = 0; i < ssl_names_count; i++) {
-        struct ssl_conf_name *tname = ssl_names + i;
-        OPENSSL_free(tname->name);
-        for (j = 0; j < tname->cmd_count; j++) {
-            OPENSSL_free(tname->cmds[j].cmd);
-            OPENSSL_free(tname->cmds[j].arg);
-        }
-        OPENSSL_free(tname->cmds);
-    }
-    OPENSSL_free(ssl_names);
-    ssl_names = NULL;
-    ssl_names_count = 0;
-}
-
-static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
-{
-    size_t i, j, cnt;
-    int rv = 0;
-    const char *ssl_conf_section;
-    STACK_OF(CONF_VALUE) *cmd_lists;
-    ssl_conf_section = CONF_imodule_get_value(md);
-    cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
-    if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
-        if (cmd_lists == NULL)
-            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
-        else
-            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
-        ERR_add_error_data(2, "section=", ssl_conf_section);
-        goto err;
-    }
-    cnt = sk_CONF_VALUE_num(cmd_lists);
-    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
-    ssl_names_count = cnt;
-    for (i = 0; i < ssl_names_count; i++) {
-        struct ssl_conf_name *ssl_name = ssl_names + i;
-        CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
-        STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
-        if (sk_CONF_VALUE_num(cmds) <= 0) {
-            if (cmds == NULL)
-                SSLerr(SSL_F_SSL_MODULE_INIT,
-                       SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
-            else
-                SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
-            ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
-            goto err;
-        }
-        ssl_name->name = BUF_strdup(sect->name);
-        if (ssl_name->name == NULL)
-            goto err;
-        cnt = sk_CONF_VALUE_num(cmds);
-        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
-        if (ssl_name->cmds == NULL)
-            goto err;
-        ssl_name->cmd_count = cnt;
-        for (j = 0; j < cnt; j++) {
-            const char *name;
-            CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
-            struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
-            /* Skip any initial dot in name */
-            name = strchr(cmd_conf->name, '.');
-            if (name != NULL)
-                name++;
-            else
-                name = cmd_conf->name;
-            cmd->cmd = BUF_strdup(name);
-            cmd->arg = BUF_strdup(cmd_conf->value);
-            if (cmd->cmd == NULL || cmd->arg == NULL)
-                goto err;
-        }
-
-    }
-    rv = 1;
- err:
-    if (rv == 0)
-        ssl_module_free(md);
-    return rv;
-}
-
 void SSL_add_ssl_module(void)
 {
-    CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
-}
-
-static const struct ssl_conf_name *ssl_name_find(const char *name)
-{
-    size_t i;
-    const struct ssl_conf_name *nm;
-
-    if (name == NULL)
-        return NULL;
-    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
-        if (strcmp(nm->name, name) == 0)
-            return nm;
-    }
-    return NULL;
+    /* Do nothing. This will be added automatically by libcrypto */
 }
 
 static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 {
     SSL_CONF_CTX *cctx = NULL;
-    size_t i;
+    size_t i, idx, cmd_count;
     int rv = 0;
     unsigned int flags;
     const SSL_METHOD *meth;
-    const struct ssl_conf_name *nm;
-    struct ssl_conf_cmd *cmd;
+    const SSL_CONF_CMD *cmds;
 
     if (s == NULL && ctx == NULL) {
         SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
@@ -152,14 +36,14 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 
     if (name == NULL && system)
         name = "system_default";
-    nm = ssl_name_find(name);
-    if (nm == NULL) {
+    if (!conf_ssl_name_find(name, &idx)) {
         if (!system) {
             SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
             ERR_add_error_data(2, "name=", name);
         }
         goto err;
     }
+    cmds = conf_ssl_get(idx, &name, &cmd_count);
     cctx = SSL_CONF_CTX_new();
     if (cctx == NULL)
         goto err;
@@ -178,15 +62,18 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
     if (meth->ssl_connect != ssl_undefined_function)
         flags |= SSL_CONF_FLAG_CLIENT;
     SSL_CONF_CTX_set_flags(cctx, flags);
-    for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
-        rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
+    for (i = 0; i < cmd_count; i++) {
+        char *cmdstr, *arg;
+
+        conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
+        rv = SSL_CONF_cmd(cctx, cmdstr, arg);
         if (rv <= 0) {
             if (rv == -2)
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
             else
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
-            ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
-                               ", arg=", cmd->arg);
+            ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr,
+                               ", arg=", arg);
             goto err;
         }
     }
author	Matt Caswell <matt@openssl.org>	2018-03-30 19:19:56 +0100
committer	Matt Caswell <matt@openssl.org>	2018-04-05 15:30:12 +0100
commit	d8f031e890d35887047c35b60347ac385b989065 (patch)
tree	ee6c353be64840cf86030b5e5ffca02321310641 /ssl/ssl_mcnf.c
parent	4845aeba4c49e1bd65259a5014d7e3ab38657d42 (diff)