author | Tomas Mraz <tomas@openssl.org> | 2024-04-26 17:23:13 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-09 09:20:25 +0200 |
commit | 21819f78b057c254254646a7854bfad0cd40ed83 (patch) | |
tree | 296fa3737de9f8a5f4fe2374ba2447ea0e9c663d /ssl | |
parent | f6ce48f5b8ad4d8d748ea87d2490cbed08db9936 (diff) |
Make conf_diagnostics apply also to the SSL conf errors
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24275)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_err.c | 2 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 5 | ||||
-rw-r--r-- | ssl/ssl_local.h | 2 | ||||
-rw-r--r-- | ssl/ssl_mcnf.c | 13 |
4 files changed, 16 insertions, 6 deletions
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index a1da9fde39..ddd0e2a36a 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -164,6 +164,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
 "encrypted length too long"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
 "error in received cipher list"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG),
+ "error in system default config"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
 "error setting tlsa base domain"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ed3522c7f5..6af23612ee 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4096,7 +4096,10 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 /* By default we send two session tickets automatically in TLSv1.3 */
 ret->num_tickets = 2;
- ssl_ctx_system_config(ret);
+ if (!ssl_ctx_system_config(ret)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
+ goto err;
+ }
 return ret;
 err:
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index f448cfdbc9..78e16354e0 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2919,7 +2919,7 @@ void custom_exts_free(custom_ext_methods *exts);
 void ssl_comp_free_compression_methods_int(void);
 /* ssl_mcnf.c */
-void ssl_ctx_system_config(SSL_CTX *ctx);
+int ssl_ctx_system_config(SSL_CTX *ctx);
 const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx, int nid,
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 8bccce84d4..66416b61cf 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -26,6 +26,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 size_t i, idx, cmd_count;
 int err = 1;
 unsigned int flags;
+ unsigned int conf_diagnostics = 0;
 const SSL_METHOD *meth;
 const SSL_CONF_CMD *cmds;
 OSSL_LIB_CTX *prev_libctx = NULL;
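Review bot: The new failure branch in SSL_CTX_new_ex gives no hint of when ssl_ctx_system_config() can now return 0, and from the ssl_mcnf.c hunks of this commit that is only when SSL_CONF_CTX_new() fails or when the system default config is invalid and conf diagnostics are enabled on the library context; a comment above the `if` would save the next reader a trip to ssl_mcnf.c, e.g. `/* Fails on a fatal error or, with conf diagnostics on, on an invalid system default config */`. The cleanup at `err:` is outside the hunk, so whether `ret` is released on that path is assumed rather than seen. SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG is added to the ssl_err.c string table here, but its definition in the public error header is not in this ssl/-limited diffstat and is presumably elsewhere in the change.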
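Review bot: The prototype change from `void` to `int` on ssl_ctx_system_config() lands without a comment on what the return value means, and the ssl_mcnf.c hunks show it is not a plain success/failure flag: a broken system default config still yields 1 unless conf diagnostics are enabled for the context. Suggest a comment above the declaration: `/* Returns 0 on a fatal error, or when the system default config is invalid and conf diagnostics are enabled; other config errors are ignored */`.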
@@ -46,8 +47,11 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 }
 cmds = conf_ssl_get(idx, &name, &cmd_count);
 cctx = SSL_CONF_CTX_new();
- if (cctx == NULL)
+ if (cctx == NULL) {
+ /* this is a fatal error, always report */
+ system = 0;
 goto err;
+ }
 flags = SSL_CONF_FLAG_FILE;
 if (!system)
 flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
@@ -60,6 +64,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
 libctx = ctx->libctx;
 }
+ conf_diagnostics = OSSL_LIB_CTX_get_conf_diagnostics(libctx);
 if (meth->ssl_accept != ssl_undefined_function)
 flags |= SSL_CONF_FLAG_SERVER;
 if (meth->ssl_connect != ssl_undefined_function)
@@ -81,7 +86,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 err:
 OSSL_LIB_CTX_set0_default(prev_libctx);
 SSL_CONF_CTX_free(cctx);
- return err == 0;
+ return err == 0 || (system && !conf_diagnostics);
 }
 int SSL_config(SSL *s, const char *name)
@@ -94,7 +99,7 @@ int SSL_CTX_config(SSL_CTX *ctx, const char *name)
 return ssl_do_config(NULL, ctx, name, 0);
 }
-void ssl_ctx_system_config(SSL_CTX *ctx)
+int ssl_ctx_system_config(SSL_CTX *ctx)
 {
- ssl_do_config(NULL, ctx, NULL, 1);
+ return ssl_do_config(NULL, ctx, NULL, 1);
 } |
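Review bot: Reusing the `system` parameter as a "report this failure" switch in the `cctx == NULL` branch is hard to follow, because `system` also selects the flag set a few lines below, so a reader has to confirm that nothing else consults it between the `goto err` and the return. A dedicated local makes the intent explicit: `int fatal = 0;` among the declarations, `fatal = 1;` in place of `system = 0;`, and `return err == 0 || (system && !fatal && !conf_diagnostics);` in the -81/+86 hunk. The branch also relies on SSL_CONF_CTX_new() having already pushed an error before the caller adds SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG, which the hunk does not show. ssl_do_config's body begins and ends outside this hunk.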
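Review bot: The `return err == 0 || (system && !conf_diagnostics);` line treats every `goto err` taken before `conf_diagnostics` is assigned in the -60/+64 hunk as success for a system config, whatever the library context's diagnostics setting is, because the variable is initialised to 0 in the first hunk and only set once libctx is resolved. The exit paths in the stretch between those two hunks are not visible here; if the intent is that an absent system config section is never an error while a present but invalid one is, a comment on the return line would make that distinction explicit, e.g. `/* system config errors are ignored unless conf diagnostics are on; exits before the diagnostics lookup are always tolerated for system */`. The function's body starts outside this hunk.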