-rw-r--r-- | crypto/conf/conf_mod.c | 1 | ||||
-rw-r--r-- | crypto/context.c | 17 | ||||
-rw-r--r-- | crypto/err/openssl.txt | 1 | ||||
-rw-r--r-- | include/openssl/crypto.h.in | 2 | ||||
-rw-r--r-- | include/openssl/sslerr.h | 1 | ||||
-rw-r--r-- | ssl/ssl_err.c | 2 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 5 | ||||
-rw-r--r-- | ssl/ssl_local.h | 2 | ||||
-rw-r--r-- | ssl/ssl_mcnf.c | 13 | ||||
-rw-r--r-- | test/sysdefaulttest.c | 18 | ||||
-rw-r--r-- | util/libcrypto.num | 2 |
11 files changed, 48 insertions, 16 deletions
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index ccd28a146a..3fa216dc1f 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -214,6 +214,7 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
 ret = CONF_modules_load(conf, appname, flags);
 diagnostics = conf_diagnostics(conf);
+ OSSL_LIB_CTX_set_conf_diagnostics(libctx, diagnostics);
 err:
 if (filename == NULL)
diff --git a/crypto/context.c b/crypto/context.c
index 3d55084d7b..fa46abab6b 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -50,6 +50,7 @@ struct ossl_lib_ctx_st {
 #endif
 unsigned int ischild:1;
+ unsigned int conf_diagnostics:1;
 };
 int ossl_lib_ctx_write_lock(OSSL_LIB_CTX *ctx)
@@ -666,3 +667,19 @@ CRYPTO_THREAD_LOCAL *ossl_lib_ctx_get_rcukey(OSSL_LIB_CTX *libctx)
 return NULL;
 return &libctx->rcu_local_key;
 }
+
+int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *libctx)
+{
+ libctx = ossl_lib_ctx_get_concrete(libctx);
+ if (libctx == NULL)
+ return 0;
+ return libctx->conf_diagnostics;
+}
+
+void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, unsigned int value)
+{
+ libctx = ossl_lib_ctx_get_concrete(libctx);
+ if (libctx == NULL)
+ return;
+ libctx->conf_diagnostics = value != 0;
+}
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 5102c481e3..0584f687c9 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1400,6 +1400,7 @@ SSL_R_EMPTY_RAW_PUBLIC_KEY:349:empty raw public key
 SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST:354:empty srtp protection profile list
 SSL_R_ENCRYPTED_LENGTH_TOO_LONG:150:encrypted length too long
 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:151:error in received cipher list
+SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG:419:error in system default config
 SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN:204:error setting tlsa base domain
 SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE:194:exceeds max fragment size
 SSL_R_EXCESSIVE_MESSAGE_SIZE:152:excessive message size
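Review bot: OSSL_LIB_CTX_set_conf_diagnostics is called unconditionally after CONF_modules_load returns, so the flag is rewritten even when ret reports that a module failed to load, and nothing in this diff sets it on the direct CONF_modules_load path an application takes with its own CONF object. If both are intended (the setting only governs how later system-default errors are reported, independent of whether this load succeeded) a comment would spare the next reader the same question, e.g. `/* Propagate config_diagnostics regardless of ret: it controls how later system-default config errors are reported */`. If the direct path should honour the setting too, the set belongs wherever conf_diagnostics() is evaluated for that path. The enclosing CONF_modules_load_file_ex continues outside the hunk.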
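Review bot: OSSL_LIB_CTX_set_conf_diagnostics stores into a 1-bit field of the shared ossl_lib_ctx_st without taking the lock that ossl_lib_ctx_write_lock (visible right after the struct hunk) provides for the context. A bit-field store is a read-modify-write of the whole storage unit it shares with ischild, so if any bit-field in that unit can be written after the context has been published to other threads, this is a data race rather than a benign flag write; either take the write lock around the store or make conf_diagnostics a separate int written under the existing lock. Since the getter is public API it also needs a contract comment, e.g. `/* Returns 1 if config_diagnostics was enabled for libctx, 0 otherwise or if no concrete context can be resolved */` — the NULL-libctx behaviour depends on ossl_lib_ctx_get_concrete, which is outside the hunk.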
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
index 5d7d3fd2e1..04d99e2092 100644
--- a/include/openssl/crypto.h.in
+++ b/include/openssl/crypto.h.in
@@ -536,6 +536,8 @@ int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file);
 void OSSL_LIB_CTX_free(OSSL_LIB_CTX *);
 OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void);
 OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx);
+int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *ctx);
+void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, unsigned int value);
 void OSSL_sleep(uint64_t millis);
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 980a6c7b2f..16305674ca 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -117,6 +117,7 @@
 # define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
 # define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
 # define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
+# define SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG 419
 # define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204
 # define SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE 194
 # define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index a1da9fde39..ddd0e2a36a 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -164,6 +164,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
 "encrypted length too long"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
 "error in received cipher list"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG),
+ "error in system default config"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
 "error setting tlsa base domain"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ed3522c7f5..6af23612ee 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
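Review bot: Two exported functions are added to the public header and to libcrypto.num, but the diffstat lists nothing under doc/ and no CHANGES.md entry, so the new API ships undocumented; they belong on the OSSL_LIB_CTX manual page with a note on what "diagnostics" means for config loading. The pair is also asymmetric — the getter returns int while the setter takes unsigned int value — so a caller that round-trips the value gets a signedness conversion; `void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, int value);` would match the getter and the rest of this header's int-flag style, and the implementation already normalises the value to 0/1.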
@@ -4096,7 +4096,10 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 /* By default we send two session tickets automatically in TLSv1.3 */
 ret->num_tickets = 2;
- ssl_ctx_system_config(ret);
+ if (!ssl_ctx_system_config(ret)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
+ goto err;
+ }
 return ret;
 err:
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index f448cfdbc9..78e16354e0 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2919,7 +2919,7 @@ void custom_exts_free(custom_ext_methods *exts);
 void ssl_comp_free_compression_methods_int(void);
 /* ssl_mcnf.c */
-void ssl_ctx_system_config(SSL_CTX *ctx);
+int ssl_ctx_system_config(SSL_CTX *ctx);
 const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx, int nid,
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 8bccce84d4..66416b61cf 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -26,6 +26,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 size_t i, idx, cmd_count;
 int err = 1;
 unsigned int flags;
+ unsigned int conf_diagnostics = 0;
 const SSL_METHOD *meth;
 const SSL_CONF_CMD *cmds;
 OSSL_LIB_CTX *prev_libctx = NULL;
@@ -46,8 +47,11 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 }
 cmds = conf_ssl_get(idx, &name, &cmd_count);
 cctx = SSL_CONF_CTX_new();
- if (cctx == NULL)
+ if (cctx == NULL) {
+ /* this is a fatal error, always report */
+ system = 0;
 goto err;
+ }
 flags = SSL_CONF_FLAG_FILE;
 if (!system)
 flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
@@ -60,6 +64,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
 libctx = ctx->libctx;
 }
+ conf_diagnostics = OSSL_LIB_CTX_get_conf_diagnostics(libctx);
 if (meth->ssl_accept != ssl_undefined_function)
 flags |= SSL_CONF_FLAG_SERVER;
 if (meth->ssl_connect != ssl_undefined_function)
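Review bot: SSL_CTX_new_ex can now return NULL for a reason that did not exist before — a failing system default section when config_diagnostics is enabled — and nothing at the call site says that the failure is gated on that setting, so a reader of ssl_lib.c alone will assume every bad system default now aborts context creation. A one-line comment above the check, `/* Fatal only when config_diagnostics is enabled; see ssl_do_config() */`, documents the gate where callers will look for it. This is a user-visible behaviour change for deployments that enable config_diagnostics and belongs in CHANGES.md, which the diffstat does not touch. The err: cleanup that frees ret is outside the hunk.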
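Review bot: conf_diagnostics is read only after the libctx selection in this hunk, so every goto err between the top of ssl_do_config and this line (the section lookup and the cctx == NULL path are the ones visible, the rest is outside the hunks) leaves it at its initial 0 and, for system == 1, is reported as success by the return at the end of the function whatever the config says. For the "no system default section" case that is the right answer, and the cctx == NULL case is covered by forcing system = 0, but the dependency on statement order is easy to break in a later edit; a comment at this line, `/* Read after libctx is known; any earlier exit deliberately stays non-fatal for system config */`, or moving the read to the point where libctx is first determined, makes the intent explicit.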
@@ -81,7 +86,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 err:
 OSSL_LIB_CTX_set0_default(prev_libctx);
 SSL_CONF_CTX_free(cctx);
- return err == 0;
+ return err == 0 || (system && !conf_diagnostics);
 }
 int SSL_config(SSL *s, const char *name)
@@ -94,7 +99,7 @@ int SSL_CTX_config(SSL_CTX *ctx, const char *name)
 return ssl_do_config(NULL, ctx, name, 0);
 }
-void ssl_ctx_system_config(SSL_CTX *ctx)
+int ssl_ctx_system_config(SSL_CTX *ctx)
 {
- ssl_do_config(NULL, ctx, NULL, 1);
+ return ssl_do_config(NULL, ctx, NULL, 1);
 }
diff --git a/test/sysdefaulttest.c b/test/sysdefaulttest.c
index 350867cdcd..5cd09bd08c 100644
--- a/test/sysdefaulttest.c
+++ b/test/sysdefaulttest.c
@@ -16,16 +16,21 @@
 #include <openssl/tls1.h>
 #include "testutil.h"
-static SSL_CTX *ctx;
 static int test_func(void)
 {
+ int ret = 1;
+ SSL_CTX *ctx;
+
+ if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
+ return 0;
 if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION)
 && !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) {
 TEST_info("min/max version setting incorrect");
- return 0;
+ ret = 0;
 }
- return 1;
+ SSL_CTX_free(ctx);
+ return ret;
 }
 int global_init(void)
@@ -38,13 +43,6 @@ int global_init(void)
 int setup_tests(void)
 {
- if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
- return 0;
 ADD_TEST(test_func);
 return 1;
 }
-
-void cleanup_tests(void)
-{
- SSL_CTX_free(ctx);
-}
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 3f52107eda..a5f9bb32cb 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5644,3 +5644,5 @@ OSSL_IETF_ATTR_SYNTAX_get0_value ? 3_4_0 EXIST::FUNCTION:
 OSSL_IETF_ATTR_SYNTAX_add1_value ? 3_4_0 EXIST::FUNCTION:
 OSSL_IETF_ATTR_SYNTAX_print ? 3_4_0 EXIST::FUNCTION:
 X509_ACERT_add_attr_nconf ? 3_4_0 EXIST::FUNCTION:
+OSSL_LIB_CTX_get_conf_diagnostics ? 3_4_0 EXIST::FUNCTION:
+OSSL_LIB_CTX_set_conf_diagnostics ? 3_4_0 EXIST::FUNCTION:
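Review bot: `return err == 0 || (system && !conf_diagnostics);` reports success for a system default section whose commands failed, but nothing in the hunk clears whatever the failing SSL_CONF command left on the thread's error queue; if the command loop (outside the hunk) raises on failure, SSL_CTX_new then hands back a usable context with stale errors queued, which the old void ssl_ctx_system_config also did but which is now worth handling explicitly, e.g. with ERR_set_mark() before the loop and ERR_pop_to_mark() on the swallowed path. The condition itself is the whole point of the patch and deserves a comment, e.g. `/* System default errors are fatal only when config_diagnostics is on; application sections (system == 0) always fail */`. The rest of ssl_do_config is outside the hunk.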
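Review bot: The check the rewritten test_func keeps, `!TEST_int_eq(min) && !TEST_int_eq(max)`, only fails when both bounds are wrong, so a system default that sets MinProtocol but not MaxProtocol still passes; since the commit reshapes this function anyway, change the `&&` to `||`. No test covers the new failure path either: with config_diagnostics enabled and a deliberately broken system default section, SSL_CTX_new should return NULL with SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG on the queue, and with it disabled the context should still be created; both cases fit the per-test SSL_CTX_new pattern this hunk introduces.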