author | Tomas Mraz <tmraz@fedoraproject.org> | 2018-03-19 10:01:39 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2018-03-19 10:22:49 -0400 |
commit | 8a5ed9dce8ee36b4bb05cb928fa7a01aba6d8e41 (patch) | |
tree | 3b942fbfeb7c69a11ed45db6993cd39455ea7e0a /ssl | |
parent | 440bce8f813fa661437ce52378c3df38e2fd073b (diff) |
Apply system_default configuration on SSL_CTX_new().
When an SSL_CTX is created, preinitialize it with the system default
configuration from the system_default section of the config file.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4848)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_lib.c | 2 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 3 | ||||
-rw-r--r-- | ssl/ssl_mcnf.c | 25 |
3 files changed, 24 insertions, 6 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e42333160b..baf8a94aa6 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3112,6 +3112,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
      */
     ret->max_early_data = 0;
+    ssl_ctx_system_config(ret);
+
     return ret;
  err:
     SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 83a033445d..9d4e0f17a7 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2587,6 +2587,9 @@ void custom_exts_free(custom_ext_methods *exts);
 void ssl_comp_free_compression_methods_int(void);
+/* ssl_mcnf.c */
+void ssl_ctx_system_config(SSL_CTX *ctx);
+
 # else /* OPENSSL_UNIT_TEST */
 # define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 59674f3d39..70c7ed811f 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -125,6 +125,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name)
 {
     size_t i;
     const struct ssl_conf_name *nm;
+
     if (name == NULL)
         return NULL;
     for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
@@ -134,7 +135,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name)
     return NULL;
 }
-static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
+static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 {
     SSL_CONF_CTX *cctx = NULL;
     size_t i;
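Review bot: The result of `ssl_ctx_system_config(ret)` is discarded, so SSL_CTX_new() still hands back a usable context when a system_default section exists but fails to apply — a typo in a system-wide MinProtocol or CipherString line silently yields a context running on library defaults rather than the intended policy, which is fail-open for exactly the setting this commit is meant to enforce. If the helper is given an int result, the call can fail closed with `if (!ssl_ctx_system_config(ret)) goto <cleanup>;`, jumping to whichever label frees `ret` without reporting ERR_R_MALLOC_FAILURE (only the `err:` label is visible here, and its error reason would be wrong for this case). Whether a rejected section also leaves SSLerr entries on the error queue after a "successful" constructor depends on ssl_do_config's command loop, which is not in this diff. SSL_CTX_new's body starts before this hunk.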
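Review bot: The new prototype carries only `/* ssl_mcnf.c */`, which says where the function lives but not what it does or that, being void, it cannot report failure to SSL_CTX_new(). A one-line contract would spare the next reader a trip into ssl_mcnf.c: `/* Apply the config file's system_default section to a freshly created ctx. A missing section is a no-op; errors are not reported (void). */`. That the missing-section case is deliberately silent is visible in the ssl_mcnf.c change in this commit, so the comment states only what the patch itself establishes.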
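Review bot: The new parameter is named `system`, which is also the name of the libc function `system(3)`; the file includes the public OpenSSL headers, which pull in `<stdlib.h>` on most platforms, so this parameter shadows a global function and may trip -Wshadow on some compilers and reads as a call site on a quick scan. A name that says what the flag means avoids both, e.g. `static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system_default)` (or `is_system`), with the uses below renamed to match. The body of ssl_do_config continues past the end of this hunk, so the later `system` uses are not all visible here.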
@@ -143,21 +144,28 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
     const SSL_METHOD *meth;
     const struct ssl_conf_name *nm;
     struct ssl_conf_cmd *cmd;
+
     if (s == NULL && ctx == NULL) {
         SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
         goto err;
     }
+
+    if (name == NULL && system)
+        name = "system_default";
     nm = ssl_name_find(name);
     if (nm == NULL) {
-        SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
-        ERR_add_error_data(2, "name=", name);
+        if (!system) {
+            SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
+            ERR_add_error_data(2, "name=", name);
+        }
         goto err;
     }
     cctx = SSL_CONF_CTX_new();
     if (cctx == NULL)
         goto err;
     flags = SSL_CONF_FLAG_FILE;
-    flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
+    if (!system)
+        flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
     if (s != NULL) {
         meth = s->method;
         SSL_CONF_CTX_set_ssl(cctx, s);
@@ -190,10 +198,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
 int SSL_config(SSL *s, const char *name)
 {
-    return ssl_do_config(s, NULL, name);
+    return ssl_do_config(s, NULL, name, 0);
 }
 int SSL_CTX_config(SSL_CTX *ctx, const char *name)
 {
-    return ssl_do_config(NULL, ctx, name);
+    return ssl_do_config(NULL, ctx, name, 0);
+}
+
+void ssl_ctx_system_config(SSL_CTX *ctx)
+{
+    ssl_do_config(NULL, ctx, NULL, 1);
 }
|
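Review bot: In the `nm == NULL` branch an absent system_default section and a genuinely rejected one both end in `goto err`, so the caller cannot tell "no system policy configured" (normal) from "system policy failed to apply" (should be fatal); if the wrapper is ever made to fail closed, the absent-section case needs its own exit, e.g. `if (system) { rv = 1; goto err; }` ahead of the existing error reporting, assuming `err:` returns `rv` (the label and its return are outside this hunk). The `if (!system)` guard that withholds `SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE` is the security-relevant line here and deserves a why-comment, e.g. `/* system_default sets policy only: a system-wide file must never load certificates or private keys into every SSL_CTX. */`. The bare `"system_default"` literal would be better as a named macro so the section name is not duplicated if a system variant of SSL_config() is added later. The command loop that follows `SSL_CONF_CTX_set_ssl(cctx, s)` is not in this hunk.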
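Review bot: `ssl_ctx_system_config` throws away ssl_do_config's return value, so a system_default section that is rejected leaves no trace for the caller of SSL_CTX_new() except whatever ssl_do_config pushes on the error queue (and the `nm == NULL` case in this same commit now deliberately pushes nothing). Propagating the result costs nothing and leaves the fail-open/fail-closed decision to the constructor: `int ssl_ctx_system_config(SSL_CTX *ctx)` with `return ssl_do_config(NULL, ctx, NULL, 1);`, and the prototype in ssl_locl.h changed to match. If best effort really is the intent, nothing in the code says so; a comment on the function such as `/* Best effort: a missing or malformed system_default section never fails SSL_CTX_new(). */` would at least make the choice explicit. Whether a partially applied section leaves stale SSLerr entries behind depends on ssl_do_config's command loop and `err:` label, which are outside this hunk.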