[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue Dec 22 15:46:09 UTC 2015
The branch master has been updated
via 5378186199eec800e0508c5ac1c3545d072b8c31 (commit)
via a470fdab6d04e4da68840e5324c1ac1d334f425f (commit)
via a2074b92874aa5784874e75c969e95086010dddd (commit)
via 913592d2c58571a39540d8e4aeb3ea3b4db6a9f0 (commit)
via 43d956fa65c66629f335b7bb7d4e190da5e99da7 (commit)
via 287d0b948d184dbba782de15a9895189c5e34854 (commit)
via f33bad332182f401d0f8d68808df4ff4858e98df (commit)
via 540912cd4b62470f611ba696c09058b11d274521 (commit)
via 59b1696c0c752aeba67f40c91d6769afbc40469b (commit)
from 4fae386cb0563a0c05c2817a5ccb3c18e6d62d8d (commit)
- Log -----------------------------------------------------------------
commit 5378186199eec800e0508c5ac1c3545d072b8c31
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Dec 22 15:16:56 2015 +0000
make update
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit a470fdab6d04e4da68840e5324c1ac1d334f425f
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Dec 22 03:49:02 2015 +0000
unload modules in ssltest
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit a2074b92874aa5784874e75c969e95086010dddd
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Dec 21 19:34:23 2015 +0000
make errors
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 913592d2c58571a39540d8e4aeb3ea3b4db6a9f0
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Jul 9 18:43:30 2015 +0100
SSL configuration module docs
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 43d956fa65c66629f335b7bb7d4e190da5e99da7
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Jul 9 18:24:24 2015 +0100
Demo server using SSL_CTX_config
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 287d0b948d184dbba782de15a9895189c5e34854
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Jul 8 23:09:52 2015 +0100
Add ssl configuration support to s_server and s_client
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit f33bad332182f401d0f8d68808df4ff4858e98df
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Apr 23 21:03:44 2015 +0100
Load module in SSL_library_init
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 540912cd4b62470f611ba696c09058b11d274521
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Apr 19 13:14:40 2015 +0100
Add ssl_mcnf.c to Makefile
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 59b1696c0c752aeba67f40c91d6769afbc40469b
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sat Mar 14 01:36:30 2015 +0000
SSL library configuration module.
This adds support for SSL/TLS configuration using configuration modules.
Sets of command value pairs are store and can be replayed through an
SSL_CTX or SSL structure using SSL_CTX_config or SSL_config.
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/openssl.c | 1 +
apps/s_client.c | 16 ++-
apps/s_server.c | 16 ++-
demos/bio/cmod.cnf | 24 ++++
demos/bio/{saccept.c => server-cmod.c} | 56 +++-----
demos/bio/server-ec.pem | 17 +++
doc/apps/config.pod | 28 ++++
doc/ssl/SSL_CTX_config.pod | 84 +++++++++++
include/openssl/ssl.h | 15 +-
ssl/Makefile | 24 +++-
ssl/ssl_algs.c | 1 +
ssl/ssl_err.c | 18 ++-
ssl/ssl_mcnf.c | 248 +++++++++++++++++++++++++++++++++
test/ssltest.c | 1 +
util/ssleay.num | 3 +
15 files changed, 511 insertions(+), 41 deletions(-)
create mode 100644 demos/bio/cmod.cnf
copy demos/bio/{saccept.c => server-cmod.c} (68%)
create mode 100644 demos/bio/server-ec.pem
create mode 100644 doc/ssl/SSL_CTX_config.pod
create mode 100644 ssl/ssl_mcnf.c
diff --git a/apps/openssl.c b/apps/openssl.c
index 5ce04ce..f2c7ccf 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -176,6 +176,7 @@ static int apps_startup()
ERR_load_SSL_strings();
OPENSSL_load_builtin_modules();
+ SSL_add_ssl_module();
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
diff --git a/apps/s_client.c b/apps/s_client.c
index dbeb770..2f98966 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -466,7 +466,7 @@ typedef enum OPTION_choice {
OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
OPT_PSK_IDENTITY, OPT_PSK, OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH,
- OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3,
+ OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
@@ -561,6 +561,7 @@ OPTIONS s_client_options[] = {
{"alpn", OPT_ALPN, 's',
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
+ {"ssl_config", OPT_SSL_CONFIG, 's'},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
OPT_X_OPTIONS,
@@ -686,6 +687,7 @@ int s_client_main(int argc, char **argv)
char *servername = NULL;
const char *alpn_in = NULL;
tlsextctx tlsextcbp = { NULL, 0 };
+ const char *ssl_config = NULL;
#define MAX_SI_TYPES 100
unsigned short serverinfo_types[MAX_SI_TYPES];
int serverinfo_count = 0, start = 0, len;
@@ -940,6 +942,9 @@ int s_client_main(int argc, char **argv)
case OPT_SRP_MOREGROUPS:
break;
#endif
+ case OPT_SSL_CONFIG:
+ ssl_config = opt_arg();
+ break;
case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3
meth = SSLv3_client_method();
@@ -1200,6 +1205,15 @@ int s_client_main(int argc, char **argv)
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
+ if (ssl_config) {
+ if (SSL_CTX_config(ctx, ssl_config) == 0) {
+ BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+ ssl_config);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
ERR_print_errors(bio_err);
diff --git a/apps/s_server.c b/apps/s_server.c
index de96445..e0eac55 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -807,7 +807,7 @@ typedef enum OPTION_choice {
OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
- OPT_SSL3,
+ OPT_SSL_CONFIG, OPT_SSL3,
OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN,
OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
@@ -915,6 +915,7 @@ OPTIONS s_server_options[] = {
{"brief", OPT_BRIEF, '-'},
{"rev", OPT_REV, '-'},
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
+ {"ssl_config", OPT_SSL_CONFIG, 's'},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
OPT_X_OPTIONS,
@@ -1009,6 +1010,7 @@ int s_server_main(int argc, char *argv[])
EVP_PKEY *s_key2 = NULL;
X509 *s_cert2 = NULL;
tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
+ const char *ssl_config = NULL;
#ifndef OPENSSL_NO_NEXTPROTONEG
const char *next_proto_neg_in = NULL;
tlsextnextprotoctx next_proto = { NULL, 0 };
@@ -1336,6 +1338,9 @@ int s_server_main(int argc, char *argv[])
case OPT_HTTP:
www = 3;
break;
+ case OPT_SSL_CONFIG:
+ ssl_config = opt_arg();
+ break;
case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3
meth = SSLv3_server_method();
@@ -1613,6 +1618,15 @@ int s_server_main(int argc, char *argv[])
ERR_print_errors(bio_err);
goto end;
}
+ if (ssl_config) {
+ if (SSL_CTX_config(ctx, ssl_config) == 0) {
+ BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+ ssl_config);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
if (session_id_prefix) {
if (strlen(session_id_prefix) >= 32)
BIO_printf(bio_err,
diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf
new file mode 100644
index 0000000..4c45dfb
--- /dev/null
+++ b/demos/bio/cmod.cnf
@@ -0,0 +1,24 @@
+# Example config module configuration
+
+# Name supplied by application to CONF_modules_load_file
+# and section containing configuration
+testapp = test_sect
+
+[test_sect]
+# list of confuration modules
+
+# SSL configuration module
+ssl_conf = ssl_sect
+
+[ssl_sect]
+# list of SSL configurations
+server = server_sect
+
+[server_sect]
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+# Certificates and keys
+RSA.Certificate=server.pem
+ECDSA.Certificate=server-ec.pem
diff --git a/demos/bio/saccept.c b/demos/bio/server-cmod.c
similarity index 68%
copy from demos/bio/saccept.c
copy to demos/bio/server-cmod.c
index 0d173aa..4f0b0c0 100644
--- a/demos/bio/saccept.c
+++ b/demos/bio/server-cmod.c
@@ -1,57 +1,42 @@
/* NOCW */
-/* demos/bio/saccept.c */
+/* demos/bio/server-cmod.c */
-/*-
- * A minimal program to serve an SSL connection.
- * It uses blocking.
- * saccept host:port
- * host is the interface IP to use. If any interface, use *:port
- * The default it *:4433
- *
- * cc -I../../include saccept.c -L../.. -lssl -lcrypto -ldl
+/*
+ * A minimal TLS server it ses SSL_CTX_config and a configuration file to
+ * set most server parameters.
*/
#include <stdio.h>
#include <signal.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
-
-#define CERT_FILE "server.pem"
-
-BIO *in = NULL;
-
-void close_up()
-{
- BIO_free(in);
-}
+#include <openssl/conf.h>
int main(int argc, char *argv[])
{
- char *port = NULL;
+ unsigned char buf[512];
+ char *port = "*:4433";
+ BIO *in = NULL;
BIO *ssl_bio, *tmp;
SSL_CTX *ctx;
- char buf[512];
int ret = 1, i;
- if (argc <= 1)
- port = "*:4433";
- else
- port = argv[1];
-
- signal(SIGINT, close_up);
-
SSL_load_error_strings();
/* Add ciphers and message digests */
OpenSSL_add_ssl_algorithms();
- ctx = SSL_CTX_new(TLS_server_method());
- if (!SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
- goto err;
- if (!SSL_CTX_use_PrivateKey_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
+ if (CONF_modules_load_file("cmod.cnf", "testapp", 0) <= 0) {
+ fprintf(stderr, "Error processing config file\n");
goto err;
- if (!SSL_CTX_check_private_key(ctx))
+ }
+
+ ctx = SSL_CTX_new(TLS_server_method());
+
+ if (SSL_CTX_config(ctx, "server") == 0) {
+ fprintf(stderr, "Error configuring server.\n");
goto err;
+ }
/* Setup server side SSL bio */
ssl_bio = BIO_new_ssl(ctx, 0);
@@ -77,7 +62,7 @@ int main(int argc, char *argv[])
goto err;
for (;;) {
- i = BIO_read(in, buf, 512);
+ i = BIO_read(in, buf, sizeof(buf));
if (i == 0) {
/*
* If we have finished, remove the underlying BIO stack so the
@@ -89,8 +74,11 @@ int main(int argc, char *argv[])
BIO_free_all(tmp);
goto again;
}
- if (i < 0)
+ if (i < 0) {
+ if (BIO_should_retry(in))
+ continue;
goto err;
+ }
fwrite(buf, 1, i, stdout);
fflush(stdout);
}
diff --git a/demos/bio/server-ec.pem b/demos/bio/server-ec.pem
new file mode 100644
index 0000000..a13fdc7
--- /dev/null
+++ b/demos/bio/server-ec.pem
@@ -0,0 +1,17 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/5kYU3PUlHwfdjEN
+lC1xTZEx3o55RgtSOuOCTryDfomhRANCAARW/qUFg+qZzjcFWrST4bmkRCFu8/rn
+KTHjW2vpBXYGXKDn4AbAfYXYhM9J7v1HkkrZBPPGx53eVzs61/Pgr6Rc
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIBsTCCAVegAwIBAgIJALChLe0vZzgoMAoGCCqGSM49BAMCMDUxHzAdBgNVBAsM
+FlRlc3QgRUNEU0EgQ2VydGlmaWNhdGUxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x
+NTEyMjIxNDUxMDRaFw00NDAxMDQxNDUxMDRaMDUxHzAdBgNVBAsMFlRlc3QgRUNE
+U0EgQ2VydGlmaWNhdGUxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABFb+pQWD6pnONwVatJPhuaREIW7z+ucpMeNba+kFdgZcoOfg
+BsB9hdiEz0nu/UeSStkE88bHnd5XOzrX8+CvpFyjUDBOMB0GA1UdDgQWBBROhkTJ
+lsm8Qd8pEgrrapccfFY5gjAfBgNVHSMEGDAWgBROhkTJlsm8Qd8pEgrrapccfFY5
+gjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIFhyU/WZRcihilTpwFVm
+fly1JhwisouiZjLnPkRYZVzHAiEAgqxXfRQl1/phnEgO9gRcv2nFp9xvJiDgKPse
+VktDYjE=
+-----END CERTIFICATE-----
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index 9547bc5..474b478 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -208,6 +208,34 @@ For example:
fips_mode = on
+=head2 SSL CONFIGURATION MODULE
+
+This module has the name B<ssl_conf> which points to a section containing
+SSL configurations.
+
+Each line in the SSL configuration section contains the name of the
+configuration and the section containing it.
+
+Each configuration section consists of command value pairs for B<SSL_CONF>.
+Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls
+SSL_CTX_config() or SSL_config() with the appropriate configuration name.
+
+Note: any characters before an initial dot in the configuration section are
+ignored so the same command can be used multiple times.
+
+For example:
+
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+
+ server = server_section
+
+ [server_section]
+
+ RSA.Certificate = server-rsa.pem
+ ECDSA.Certificate = server-ecdsa.pem
+ Ciphers = ALL:!RC4
=head1 NOTES
diff --git a/doc/ssl/SSL_CTX_config.pod b/doc/ssl/SSL_CTX_config.pod
new file mode 100644
index 0000000..0cf93dd
--- /dev/null
+++ b/doc/ssl/SSL_CTX_config.pod
@@ -0,0 +1,84 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure.
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_config(SSL_CTX *ctx, const char *name);
+ int SSL_config(SSL *s, const char *name);
+
+=head1 DESCRIPTION
+
+The functions SSL_CTX_config() and SSL_config() configure an B<SSL_CTX> or
+B<SSL> structure using the configuration B<name>.
+
+=head1 NOTES
+
+By calling SSL_CTX_config() or SSL_config() an application can perform many
+complex tasks based on the contents of the configuration file: greatly
+simplifying application configuration code. A degree of future proofing
+can also be achieved: an application can support configuration features
+in newer versions of OpenSSL automatically.
+
+A configuration file must have been previously loaded, for example using
+CONF_modules_load_file(). See L<config(3)> for details of the configuration
+file syntax.
+
+=head1 RETURN VALUES
+
+SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error
+occurred.
+
+=head1 EXAMPLE
+
+If the file "config.cnf" contains the following:
+
+ testapp = test_sect
+
+ [test_sect]
+ # list of confuration modules
+
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+
+ server = server_section
+
+ [server_section]
+
+ RSA.Certificate = server-rsa.pem
+ ECDSA.Certificate = server-ecdsa.pem
+ Ciphers = ALL:!RC4
+
+An application could call:
+
+ if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) {
+ fprintf(stderr, "Error processing config file\n");
+ goto err;
+ }
+
+ ctx = SSL_CTX_new(TLS_server_method());
+
+ if (SSL_CTX_config(ctx, "server") == 0) {
+ fprintf(stderr, "Error configuring server.\n");
+ goto err;
+ }
+
+In this example two certificates and the cipher list are configured without
+the need for any additional application code.
+
+=head1 SEE ALSO
+
+L<config(3)>,
+L<SSL_CONF_cmd(3)>,
+L<CONF_modules_load_file(3)>
+
+=head1 HISTORY
+
+SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0
+
+=cut
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index d6d05ae..f700828 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1796,6 +1796,10 @@ __owur int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
__owur int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
__owur int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
+void SSL_add_ssl_module(void);
+int SSL_config(SSL *s, const char *name);
+int SSL_CTX_config(SSL_CTX *ctx, const char *name);
+
# ifndef OPENSSL_NO_SSL_TRACE
void SSL_trace(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg);
@@ -1956,6 +1960,7 @@ void ERR_load_SSL_strings(void);
# define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293
# define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
# define SSL_F_SSL3_ENC 134
+# define SSL_F_SSL3_FINAL_FINISH_MAC 285
# define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
# define SSL_F_SSL3_GENERATE_MASTER_SECRET 388
# define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
@@ -1974,7 +1979,6 @@ void ERR_load_SSL_strings(void);
# define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
# define SSL_F_SSL3_GET_SERVER_DONE 145
# define SSL_F_SSL3_GET_SERVER_HELLO 146
-# define SSL_F_SSL3_FINAL_FINISH_MAC 285
# define SSL_F_SSL3_NEW_SESSION_TICKET 287
# define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
# define SSL_F_SSL3_PEEK 235
@@ -2045,6 +2049,7 @@ void ERR_load_SSL_strings(void);
# define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
# define SSL_F_SSL_CTX_USE_SERVERINFO 336
# define SSL_F_SSL_CTX_USE_SERVERINFO_FILE 337
+# define SSL_F_SSL_DO_CONFIG 391
# define SSL_F_SSL_DO_HANDSHAKE 180
# define SSL_F_SSL_GET_NEW_SESSION 181
# define SSL_F_SSL_GET_PREV_SESSION 217
@@ -2054,6 +2059,7 @@ void ERR_load_SSL_strings(void);
# define SSL_F_SSL_GET_SIGN_PKEY 183
# define SSL_F_SSL_INIT_WBIO_BUFFER 184
# define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
+# define SSL_F_SSL_MODULE_INIT 392
# define SSL_F_SSL_NEW 186
# define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
# define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
@@ -2252,6 +2258,7 @@ void ERR_load_SSL_strings(void);
# define SSL_R_INCONSISTENT_EXTMS 104
# define SSL_R_INVALID_COMMAND 280
# define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
+# define SSL_R_INVALID_CONFIGURATION_NAME 113
# define SSL_R_INVALID_NULL_CMD_NAME 385
# define SSL_R_INVALID_PURPOSE 278
# define SSL_R_INVALID_SEQUENCE_NUMBER 402
@@ -2356,10 +2363,14 @@ void ERR_load_SSL_strings(void);
# define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
# define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
# define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
+# define SSL_R_SSL_COMMAND_SECTION_EMPTY 117
+# define SSL_R_SSL_COMMAND_SECTION_NOT_FOUND 125
# define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
# define SSL_R_SSL_HANDSHAKE_FAILURE 229
# define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
# define SSL_R_SSL_NEGATIVE_LENGTH 372
+# define SSL_R_SSL_SECTION_EMPTY 126
+# define SSL_R_SSL_SECTION_NOT_FOUND 136
# define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
# define SSL_R_SSL_SESSION_ID_CONFLICT 302
# define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
@@ -2368,6 +2379,7 @@ void ERR_load_SSL_strings(void);
# define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
# define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
# define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
+# define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
# define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
# define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
# define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
@@ -2404,6 +2416,7 @@ void ERR_load_SSL_strings(void);
# define SSL_R_UNKNOWN_CIPHER_RETURNED 248
# define SSL_R_UNKNOWN_CIPHER_TYPE 249
# define SSL_R_UNKNOWN_CMD_NAME 386
+# define SSL_R_UNKNOWN_COMMAND 139
# define SSL_R_UNKNOWN_DIGEST 368
# define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
# define SSL_R_UNKNOWN_PKEY_TYPE 251
diff --git a/ssl/Makefile b/ssl/Makefile
index e197fb0..f398c9a 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -24,7 +24,7 @@ LIBSRC= \
statem/statem_dtls.c d1_srtp.c \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
ssl_ciph.c ssl_stat.c ssl_rsa.c \
- ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
+ ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c ssl_mcnf.c \
bio_ssl.c ssl_err.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \
record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \
statem/statem.c
@@ -36,7 +36,7 @@ LIBOBJ= \
statem/statem_dtls.o d1_srtp.o\
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
ssl_ciph.o ssl_stat.o ssl_rsa.o \
- ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
+ ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o ssl_mcnf.o \
bio_ssl.o ssl_err.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o \
record/ssl3_buffer.o record/ssl3_record.o record/dtls1_bitmap.o \
statem/statem.o
@@ -548,6 +548,26 @@ ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
ssl_lib.o: packet_locl.h record/record.h ssl_lib.c ssl_locl.h statem/statem.h
+ssl_mcnf.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/async.h
+ssl_mcnf.o: ../include/openssl/bio.h ../include/openssl/bn.h
+ssl_mcnf.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ssl_mcnf.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ssl_mcnf.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_mcnf.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_mcnf.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_mcnf.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_mcnf.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_mcnf.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_mcnf.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_mcnf.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_mcnf.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_mcnf.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_mcnf.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_mcnf.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_mcnf.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_mcnf.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_mcnf.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_mcnf.o: ssl_locl.h ssl_mcnf.c statem/statem.h
ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/async.h
ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/bn.h
ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/comp.h
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index fc6af90..1bb9cb6 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -133,5 +133,6 @@ int SSL_library_init(void)
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
+ SSL_add_ssl_module();
return (1);
}
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 0623104..c29c36b 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -139,6 +139,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),
"ssl3_do_change_cipher_spec"},
{ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"},
+ {ERR_FUNC(SSL_F_SSL3_FINAL_FINISH_MAC), "ssl3_final_finish_mac"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "ssl3_generate_key_block"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_MASTER_SECRET),
"ssl3_generate_master_secret"},
@@ -164,7 +165,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"ssl3_get_server_certificate"},
{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "ssl3_get_server_done"},
{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "ssl3_get_server_hello"},
- {ERR_FUNC(SSL_F_SSL3_FINAL_FINISH_MAC), "ssl3_final_finish_mac"},
{ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"},
{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "ssl3_output_cert_chain"},
{ERR_FUNC(SSL_F_SSL3_PEEK), "ssl3_peek"},
@@ -262,6 +262,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO), "SSL_CTX_use_serverinfo"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO_FILE),
"SSL_CTX_use_serverinfo_file"},
+ {ERR_FUNC(SSL_F_SSL_DO_CONFIG), "ssl_do_config"},
{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "ssl_get_new_session"},
{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "ssl_get_prev_session"},
@@ -271,6 +272,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "ssl_get_sign_pkey"},
{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "ssl_init_wbio_buffer"},
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
+ {ERR_FUNC(SSL_F_SSL_MODULE_INIT), "ssl_module_init"},
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),
"ssl_parse_clienthello_renegotiate_ext"},
@@ -316,7 +318,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
{ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"},
- {ERR_FUNC(SSL_F_SSL_START_ASYNC_JOB), "SSL_START_ASYNC_JOB"},
+ {ERR_FUNC(SSL_F_SSL_START_ASYNC_JOB), "ssl_start_async_job"},
{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),
"ssl_undefined_const_function"},
{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "ssl_undefined_function"},
@@ -432,6 +434,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"},
{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE), "bad ecdsa signature"},
{ERR_REASON(SSL_R_BAD_ECPOINT), "bad ecpoint"},
+ {ERR_REASON(SSL_R_BAD_GOST_SIGNATURE), "bad gost signature"},
{ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH), "bad handshake length"},
{ERR_REASON(SSL_R_BAD_HELLO_REQUEST), "bad hello request"},
{ERR_REASON(SSL_R_BAD_LENGTH), "bad length"},
@@ -537,6 +540,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_INVALID_COMMAND), "invalid command"},
{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),
"invalid compression algorithm"},
+ {ERR_REASON(SSL_R_INVALID_CONFIGURATION_NAME),
+ "invalid configuration name"},
{ERR_REASON(SSL_R_INVALID_NULL_CMD_NAME), "invalid null cmd name"},
{ERR_REASON(SSL_R_INVALID_PURPOSE), "invalid purpose"},
{ERR_REASON(SSL_R_INVALID_SEQUENCE_NUMBER), "invalid sequence number"},
@@ -678,12 +683,18 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"sslv3 alert unexpected message"},
{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),
"sslv3 alert unsupported certificate"},
+ {ERR_REASON(SSL_R_SSL_COMMAND_SECTION_EMPTY),
+ "ssl command section empty"},
+ {ERR_REASON(SSL_R_SSL_COMMAND_SECTION_NOT_FOUND),
+ "ssl command section not found"},
{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),
"ssl ctx has no default ssl version"},
{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE), "ssl handshake failure"},
{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),
"ssl library has no ciphers"},
{ERR_REASON(SSL_R_SSL_NEGATIVE_LENGTH), "ssl negative length"},
+ {ERR_REASON(SSL_R_SSL_SECTION_EMPTY), "ssl section empty"},
+ {ERR_REASON(SSL_R_SSL_SECTION_NOT_FOUND), "ssl section not found"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),
"ssl session id callback failed"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"},
@@ -698,6 +709,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
"tlsv1 alert decrypt error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
+ "tlsv1 alert export restriction"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
"tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),
@@ -760,6 +773,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"},
{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"},
{ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
+ {ERR_REASON(SSL_R_UNKNOWN_COMMAND), "unknown command"},
{ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
"unknown key exchange type"},
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
new file mode 100644
index 0000000..a223c73
--- /dev/null
+++ b/ssl/ssl_mcnf.c
@@ -0,0 +1,248 @@
+/* ssl_mcnf.c */
+/*
+ * Written by Stephen Henson (steve at openssl.org) for the OpenSSL project
+ * 2015.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/conf.h>
+#include <openssl/ssl.h>
+#include "ssl_locl.h"
+
+/* SSL library configuration module. */
+
+struct ssl_conf_name {
+ /* Name of this set of commands */
+ char *name;
+ /* List of commands */
+ struct ssl_conf_cmd *cmds;
+ /* Number of commands */
+ size_t cmd_count;
+};
+
+struct ssl_conf_cmd {
+ /* Command */
+ char *cmd;
+ /* Argument */
+ char *arg;
+};
+
+static struct ssl_conf_name *ssl_names;
+static size_t ssl_names_count;
+
+static void ssl_module_free()
+{
+ size_t i, j;
+ if (ssl_names == NULL)
+ return;
+ for (i = 0; i < ssl_names_count; i++) {
+ struct ssl_conf_name *tname = ssl_names + i;
+ OPENSSL_free(tname->name);
+ for (j = 0; j < tname->cmd_count; j++) {
+ OPENSSL_free(tname->cmds[j].cmd);
+ OPENSSL_free(tname->cmds[j].arg);
+ }
+ OPENSSL_free(tname->cmds);
+ }
+ OPENSSL_free(ssl_names);
+ ssl_names = NULL;
+ ssl_names_count = 0;
+}
+
+static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
+{
+ size_t i, j, cnt;
+ int rv = 0;
+ const char *ssl_conf_section;
+ STACK_OF(CONF_VALUE) *cmd_lists;
+ ssl_conf_section = CONF_imodule_get_value(md);
+ cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
+ if (sk_CONF_VALUE_num(cmd_lists) <= 0){
+ if (cmd_lists == NULL)
+ SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
+ else
+ SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
+ ERR_add_error_data(2, "section=", ssl_conf_section);
+ goto err;
+ }
+ cnt = sk_CONF_VALUE_num(cmd_lists);
+ ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+ ssl_names_count = cnt;
+ for (i = 0; i < ssl_names_count; i++) {
+ struct ssl_conf_name *ssl_name = ssl_names + i;
+ CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i);
+ STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
+ if (sk_CONF_VALUE_num(cmds) <= 0) {
+ if (cmds == NULL)
+ SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
+ else
+ SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
+ ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
+ goto err;
+ }
+ ssl_name->name = BUF_strdup(sect->name);
+ if (ssl_name->name == NULL)
+ goto err;
+ cnt = sk_CONF_VALUE_num(cmds);
+ ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
+ if (ssl_name->cmds == NULL)
+ goto err;
+ ssl_name->cmd_count = cnt;
+ for (j = 0; j < cnt; j++) {
+ const char *name;
+ CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j);
+ struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
+ /* Skip any initial dot in name */
+ name = strchr(cmd_conf->name, '.');
+ if (name != NULL)
+ name++;
+ else
+ name = cmd_conf->name;
+ cmd->cmd = BUF_strdup(name);
+ cmd->arg = BUF_strdup(cmd_conf->value);
+ if (cmd->cmd == NULL || cmd->arg == NULL)
+ goto err;
+ }
+
+ }
+ rv = 1;
+ err:
+ if (rv == 0)
+ ssl_module_free();
+ return rv;
+}
+
+void SSL_add_ssl_module(void)
+{
+ CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
+}
+
+static const struct ssl_conf_name *ssl_name_find(const char *name)
+{
+ size_t i;
+ const struct ssl_conf_name *nm;
+ if (name == NULL)
+ return NULL;
+ for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
+ if (strcmp(nm->name, name) == 0)
+ return nm;
+ }
+ return NULL;
+}
+
+static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
+{
+ SSL_CONF_CTX *cctx = NULL;
+ size_t i;
+ int rv = 0;
+ unsigned int flags;
+ const SSL_METHOD *meth;
+ const struct ssl_conf_name *nm;
+ struct ssl_conf_cmd *cmd;
+ if (s == NULL && ctx == NULL) {
+ SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
+ goto err;
+ }
+ nm = ssl_name_find(name);
+ if (nm == NULL) {
+ SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
+ ERR_add_error_data(2, "name=", name);
+ goto err;
+ }
+ cctx = SSL_CONF_CTX_new();
+ if (cctx == NULL)
+ goto err;
+ flags = SSL_CONF_FLAG_FILE;
+ flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
+ if (s != NULL) {
+ meth = s->method;
+ SSL_CONF_CTX_set_ssl(cctx, s);
+ } else {
+ meth = ctx->method;
+ SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+ }
+ if (meth->ssl_accept != ssl_undefined_function)
+ flags |= SSL_CONF_FLAG_SERVER;
+ if (meth->ssl_connect != ssl_undefined_function)
+ flags |= SSL_CONF_FLAG_CLIENT;
+ SSL_CONF_CTX_set_flags(cctx, flags);
+ for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
+ rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
+ if (rv <= 0) {
+ if (rv == -2)
+ SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
+ else
+ SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
+ ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
+ ", arg=", cmd->arg);
+ goto err;
+ }
+ }
+ rv = SSL_CONF_CTX_finish(cctx);
+ err:
+ SSL_CONF_CTX_free(cctx);
+ return rv <= 0 ? 0 : 1;
+}
+
+int SSL_config(SSL *s, const char *name)
+{
+ return ssl_do_config(s, NULL, name);
+}
+
+int SSL_CTX_config(SSL_CTX *ctx, const char *name)
+{
+ return ssl_do_config(NULL, ctx, name);
+}
diff --git a/test/ssltest.c b/test/ssltest.c
index fd356c7..01b6058 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -1711,6 +1711,7 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
+ CONF_modules_unload(1);
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_thread_state(NULL);
diff --git a/util/ssleay.num b/util/ssleay.num
index eef617b..cf841a0 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -413,3 +413,6 @@ SSL_set_default_passwd_cb 447 1_1_0 EXIST::FUNCTION:
SSL_set_default_passwd_cb_userdata 448 1_1_0 EXIST::FUNCTION:
SSL_waiting_for_async 449 1_1_0 EXIST::FUNCTION:
SSL_get_async_wait_fd 450 1_1_0 EXIST::FUNCTION:
+SSL_add_ssl_module 451 1_1_0 EXIST::FUNCTION:
+SSL_CTX_config 452 1_1_0 EXIST::FUNCTION:
+SSL_config 453 1_1_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list