[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Tue Dec 22 15:46:09 UTC 2015


The branch master has been updated
       via  5378186199eec800e0508c5ac1c3545d072b8c31 (commit)
       via  a470fdab6d04e4da68840e5324c1ac1d334f425f (commit)
       via  a2074b92874aa5784874e75c969e95086010dddd (commit)
       via  913592d2c58571a39540d8e4aeb3ea3b4db6a9f0 (commit)
       via  43d956fa65c66629f335b7bb7d4e190da5e99da7 (commit)
       via  287d0b948d184dbba782de15a9895189c5e34854 (commit)
       via  f33bad332182f401d0f8d68808df4ff4858e98df (commit)
       via  540912cd4b62470f611ba696c09058b11d274521 (commit)
       via  59b1696c0c752aeba67f40c91d6769afbc40469b (commit)
      from  4fae386cb0563a0c05c2817a5ccb3c18e6d62d8d (commit)


- Log -----------------------------------------------------------------
commit 5378186199eec800e0508c5ac1c3545d072b8c31
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Dec 22 15:16:56 2015 +0000

    make update
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit a470fdab6d04e4da68840e5324c1ac1d334f425f
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Dec 22 03:49:02 2015 +0000

    unload modules in ssltest
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit a2074b92874aa5784874e75c969e95086010dddd
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Dec 21 19:34:23 2015 +0000

    make errors
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 913592d2c58571a39540d8e4aeb3ea3b4db6a9f0
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Jul 9 18:43:30 2015 +0100

    SSL configuration module docs
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 43d956fa65c66629f335b7bb7d4e190da5e99da7
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Jul 9 18:24:24 2015 +0100

    Demo server using SSL_CTX_config
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 287d0b948d184dbba782de15a9895189c5e34854
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Jul 8 23:09:52 2015 +0100

    Add ssl configuration support to s_server and s_client
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit f33bad332182f401d0f8d68808df4ff4858e98df
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Apr 23 21:03:44 2015 +0100

    Load module in SSL_library_init
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 540912cd4b62470f611ba696c09058b11d274521
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sun Apr 19 13:14:40 2015 +0100

    Add ssl_mcnf.c to Makefile
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 59b1696c0c752aeba67f40c91d6769afbc40469b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Mar 14 01:36:30 2015 +0000

    SSL library configuration module.
    
    This adds support for SSL/TLS configuration using configuration modules.
    Sets of command value pairs are stored and can be replayed through an
    SSL_CTX or SSL structure using SSL_CTX_config or SSL_config.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/openssl.c                         |   1 +
 apps/s_client.c                        |  16 ++-
 apps/s_server.c                        |  16 ++-
 demos/bio/cmod.cnf                     |  24 ++++
 demos/bio/{saccept.c => server-cmod.c} |  56 +++-----
 demos/bio/server-ec.pem                |  17 +++
 doc/apps/config.pod                    |  28 ++++
 doc/ssl/SSL_CTX_config.pod             |  84 +++++++++++
 include/openssl/ssl.h                  |  15 +-
 ssl/Makefile                           |  24 +++-
 ssl/ssl_algs.c                         |   1 +
 ssl/ssl_err.c                          |  18 ++-
 ssl/ssl_mcnf.c                         | 248 +++++++++++++++++++++++++++++++++
 test/ssltest.c                         |   1 +
 util/ssleay.num                        |   3 +
 15 files changed, 511 insertions(+), 41 deletions(-)
 create mode 100644 demos/bio/cmod.cnf
 copy demos/bio/{saccept.c => server-cmod.c} (68%)
 create mode 100644 demos/bio/server-ec.pem
 create mode 100644 doc/ssl/SSL_CTX_config.pod
 create mode 100644 ssl/ssl_mcnf.c

diff --git a/apps/openssl.c b/apps/openssl.c
index 5ce04ce..f2c7ccf 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -176,6 +176,7 @@ static int apps_startup()
     ERR_load_SSL_strings();
 
     OPENSSL_load_builtin_modules();
+    SSL_add_ssl_module();
 #ifndef OPENSSL_NO_ENGINE
     ENGINE_load_builtin_engines();
 #endif
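Review bot: The explicit `SSL_add_ssl_module();` added at line 130 duplicates the call this same series adds inside SSL_library_init() (ssl/ssl_algs.c), so if apps_startup also calls SSL_library_init() — that call is outside this hunk — the module is registered twice. Unless SSL_add_ssl_module() guards against repeat registration (its body in ssl_mcnf.c is not shown in this page), one of the two calls should go, or a comment here should say which one is authoritative, e.g. `/* SSL_library_init() also registers the module; harmless if repeated */` once that is confirmed. apps_startup starts before the hunk and continues past it.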
diff --git a/apps/s_client.c b/apps/s_client.c
index dbeb770..2f98966 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -466,7 +466,7 @@ typedef enum OPTION_choice {
     OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
     OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
     OPT_PSK_IDENTITY, OPT_PSK, OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH,
-    OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3,
+    OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, OPT_SSL_CONFIG,
     OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
     OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
@@ -561,6 +561,7 @@ OPTIONS s_client_options[] = {
     {"alpn", OPT_ALPN, 's',
      "Enable ALPN extension, considering named protocols supported (comma-separated list)"},
     {"async", OPT_ASYNC, '-', "Support asynchronous operation"},
+    {"ssl_config", OPT_SSL_CONFIG, 's'},
     OPT_S_OPTIONS,
     OPT_V_OPTIONS,
     OPT_X_OPTIONS,
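Review bot: The new `-ssl_config` entry at line 151 has no help string, while the neighbouring entries (`-alpn`, `-async`) do, so `s_client -help` lists the option with no explanation of what the argument is. Suggest `{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified SSL configuration name from the config file"},` so the reader knows the value is a name looked up in the loaded config, not a file path. The s_client_options table starts before the hunk and continues after it.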
@@ -686,6 +687,7 @@ int s_client_main(int argc, char **argv)
     char *servername = NULL;
     const char *alpn_in = NULL;
     tlsextctx tlsextcbp = { NULL, 0 };
+    const char *ssl_config = NULL;
 #define MAX_SI_TYPES 100
     unsigned short serverinfo_types[MAX_SI_TYPES];
     int serverinfo_count = 0, start = 0, len;
@@ -940,6 +942,9 @@ int s_client_main(int argc, char **argv)
         case OPT_SRP_MOREGROUPS:
             break;
 #endif
+        case OPT_SSL_CONFIG:
+            ssl_config = opt_arg();
+            break;
         case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
             meth = SSLv3_client_method();
@@ -1200,6 +1205,15 @@ int s_client_main(int argc, char **argv)
     if (sdebug)
         ssl_ctx_security_debug(ctx, sdebug);
 
+    if (ssl_config) {
+        if (SSL_CTX_config(ctx, ssl_config) == 0) {
+            BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+                       ssl_config);
+        ERR_print_errors(bio_err);
+        goto end;
+        }
+    }
+
     if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
         BIO_printf(bio_err, "Error setting verify params\n");
         ERR_print_errors(bio_err);
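Review bot: In the new block at lines 177-184 the `ERR_print_errors(bio_err);` and `goto end;` lines are indented at the level of the outer `if (ssl_config)`, although they sit inside the inner `if (SSL_CTX_config(ctx, ssl_config) == 0)` braces; the code is correct but the layout reads as if the error report and exit ran unconditionally. Re-indent both to the `BIO_printf` depth: `            ERR_print_errors(bio_err);` / `            goto end;`. The file's SSL_CONF commands are applied here, before the verify parameters and before whatever follows in s_client_main, so a command from the config that overlaps a command-line option may be overridden by later code; a one-line comment stating the intended precedence would help, since the hunk does not document it. s_client_main starts and ends outside the hunk.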
diff --git a/apps/s_server.c b/apps/s_server.c
index de96445..e0eac55 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -807,7 +807,7 @@ typedef enum OPTION_choice {
     OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
     OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
-    OPT_SSL3,
+    OPT_SSL_CONFIG, OPT_SSL3,
     OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN,
     OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
@@ -915,6 +915,7 @@ OPTIONS s_server_options[] = {
     {"brief", OPT_BRIEF, '-'},
     {"rev", OPT_REV, '-'},
     {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
+    {"ssl_config", OPT_SSL_CONFIG, 's'},
     OPT_S_OPTIONS,
     OPT_V_OPTIONS,
     OPT_X_OPTIONS,
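Review bot: The `-ssl_config` entry added at line 206 lacks a help string although the adjacent `-async` entry has one, so the option shows up in `s_server -help` undocumented. Suggest `{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified SSL configuration name from the config file"},`, matching whatever wording is chosen for s_client so the two apps describe the option identically. The s_server_options table starts before the hunk and continues after it.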
@@ -1009,6 +1010,7 @@ int s_server_main(int argc, char *argv[])
     EVP_PKEY *s_key2 = NULL;
     X509 *s_cert2 = NULL;
     tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
+    const char *ssl_config = NULL;
 #ifndef OPENSSL_NO_NEXTPROTONEG
     const char *next_proto_neg_in = NULL;
     tlsextnextprotoctx next_proto = { NULL, 0 };
@@ -1336,6 +1338,9 @@ int s_server_main(int argc, char *argv[])
         case OPT_HTTP:
             www = 3;
             break;
+        case OPT_SSL_CONFIG:
+            ssl_config = opt_arg();
+            break;
         case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
             meth = SSLv3_server_method();
@@ -1613,6 +1618,15 @@ int s_server_main(int argc, char *argv[])
         ERR_print_errors(bio_err);
         goto end;
     }
+    if (ssl_config) {
+        if (SSL_CTX_config(ctx, ssl_config) == 0) {
+            BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+                       ssl_config);
+        ERR_print_errors(bio_err);
+        goto end;
+        }
+    }
+
     if (session_id_prefix) {
         if (strlen(session_id_prefix) >= 32)
             BIO_printf(bio_err,
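Review bot: Lines 236-237 (`ERR_print_errors(bio_err);` and `goto end;`) are indented one level too shallow for the inner `if` body they belong to; functionally fine because of the braces, but it misleads a reader into thinking the `goto end` is unconditional. Re-indent them to `            ERR_print_errors(bio_err);` / `            goto end;`. As in s_client, SSL_CTX_config() is applied at a fixed point in s_server_main and the certificate/key and cipher settings that come from command-line options are applied elsewhere in the function (outside this hunk), so which source wins for an overlapping setting is not documented; a comment at this call site stating the precedence would be worth adding. s_server_main starts and ends outside the hunk.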
diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf
new file mode 100644
index 0000000..4c45dfb
--- /dev/null
+++ b/demos/bio/cmod.cnf
@@ -0,0 +1,24 @@
+# Example config module configuration
+
+# Name supplied by application to CONF_modules_load_file
+# and section containing configuration
+testapp = test_sect
+
+[test_sect]
+# list of confuration modules
+
+# SSL configuration module
+ssl_conf = ssl_sect
+
+[ssl_sect]
+# list of SSL configurations
+server = server_sect
+
+[server_sect]
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+# Certificates and keys
+RSA.Certificate=server.pem
+ECDSA.Certificate=server-ec.pem
diff --git a/demos/bio/saccept.c b/demos/bio/server-cmod.c
similarity index 68%
copy from demos/bio/saccept.c
copy to demos/bio/server-cmod.c
index 0d173aa..4f0b0c0 100644
--- a/demos/bio/saccept.c
+++ b/demos/bio/server-cmod.c
@@ -1,57 +1,42 @@
 /* NOCW */
-/* demos/bio/saccept.c */
+/* demos/bio/server-cmod.c */
 
-/*-
- * A minimal program to serve an SSL connection.
- * It uses blocking.
- * saccept host:port
- * host is the interface IP to use.  If any interface, use *:port
- * The default it *:4433
- *
- * cc -I../../include saccept.c -L../.. -lssl -lcrypto -ldl
+/*
+ * A minimal TLS server it ses SSL_CTX_config and a configuration file to
+ * set most server parameters.
  */
 
 #include <stdio.h>
 #include <signal.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-
-#define CERT_FILE       "server.pem"
-
-BIO *in = NULL;
-
-void close_up()
-{
-    BIO_free(in);
-}
+#include <openssl/conf.h>
 
 int main(int argc, char *argv[])
 {
-    char *port = NULL;
+    unsigned char buf[512];
+    char *port = "*:4433";
+    BIO *in = NULL;
     BIO *ssl_bio, *tmp;
     SSL_CTX *ctx;
-    char buf[512];
     int ret = 1, i;
 
-    if (argc <= 1)
-        port = "*:4433";
-    else
-        port = argv[1];
-
-    signal(SIGINT, close_up);
-
     SSL_load_error_strings();
 
     /* Add ciphers and message digests */
     OpenSSL_add_ssl_algorithms();
 
-    ctx = SSL_CTX_new(TLS_server_method());
-    if (!SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
-        goto err;
-    if (!SSL_CTX_use_PrivateKey_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
+    if (CONF_modules_load_file("cmod.cnf", "testapp", 0) <= 0) {
+        fprintf(stderr, "Error processing config file\n");
         goto err;
-    if (!SSL_CTX_check_private_key(ctx))
+    }
+
+    ctx = SSL_CTX_new(TLS_server_method());
+
+    if (SSL_CTX_config(ctx, "server") == 0) {
+        fprintf(stderr, "Error configuring server.\n");
         goto err;
+    }
 
     /* Setup server side SSL bio */
     ssl_bio = BIO_new_ssl(ctx, 0);
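Review bot: `ctx = SSL_CTX_new(TLS_server_method());` at line 347 is passed straight to SSL_CTX_config() at line 349 without a NULL check, so an allocation or method failure becomes a NULL dereference inside the library rather than a clean exit; add `if (ctx == NULL) goto err;` between the two. The config is loaded from the relative path "cmod.cnf" at line 341, i.e. from whatever the working directory is, and that file now controls which certificates, keys, curves and signature algorithms the server uses — acceptable for a demo, but a comment saying `/* demo only: config path is relative to the working directory */` would stop the pattern being copied into real code. The header comment at line 295 has a typo: "it ses" should read "it uses". main() continues past the end of the hunk.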
@@ -77,7 +62,7 @@ int main(int argc, char *argv[])
         goto err;
 
     for (;;) {
-        i = BIO_read(in, buf, 512);
+        i = BIO_read(in, buf, sizeof(buf));
         if (i == 0) {
             /*
              * If we have finished, remove the underlying BIO stack so the
@@ -89,8 +74,11 @@ int main(int argc, char *argv[])
             BIO_free_all(tmp);
             goto again;
         }
-        if (i < 0)
+        if (i < 0) {
+            if (BIO_should_retry(in))
+                continue;
             goto err;
+        }
         fwrite(buf, 1, i, stdout);
         fflush(stdout);
     }
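Review bot: The retry path added at lines 370-372 re-enters BIO_read() immediately with no wait, which is fine for the blocking accept BIO this demo sets up but would spin at full CPU if the BIO were ever made non-blocking; a comment such as `/* blocking BIO: a retry here is rare and short-lived */` would record that assumption. The `fwrite(buf, 1, i, stdout);` result at line 375 is still unchecked, so a closed stdout silently drops received data. The enclosing for(;;) loop and main() extend outside the hunk.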
diff --git a/demos/bio/server-ec.pem b/demos/bio/server-ec.pem
new file mode 100644
index 0000000..a13fdc7
--- /dev/null
+++ b/demos/bio/server-ec.pem
@@ -0,0 +1,17 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/5kYU3PUlHwfdjEN
+lC1xTZEx3o55RgtSOuOCTryDfomhRANCAARW/qUFg+qZzjcFWrST4bmkRCFu8/rn
+KTHjW2vpBXYGXKDn4AbAfYXYhM9J7v1HkkrZBPPGx53eVzs61/Pgr6Rc
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index 9547bc5..474b478 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -208,6 +208,34 @@ For example:
 
  fips_mode = on
 
+=head2 SSL CONFIGURATION MODULE
+
+This module has the name B<ssl_conf> which points to a section containing
+SSL configurations.
+
+Each line in the SSL configuration section contains the name of the
+configuration and the section containing it.
+
+Each configuration section consists of command value pairs for B<SSL_CONF>.
+Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls
+SSL_CTX_config() or SSL_config() with the appropriate configuration name.
+
+Note: any characters before an initial dot in the configuration section are
+ignored so the same command can be used multiple times.
+
+For example:
+
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+
+ server = server_section
+
+ [server_section]
+
+ RSA.Certificate = server-rsa.pem
+ ECDSA.Certificate = server-ecdsa.pem
+ Ciphers = ALL:!RC4
 
 =head1 NOTES
 
diff --git a/doc/ssl/SSL_CTX_config.pod b/doc/ssl/SSL_CTX_config.pod
new file mode 100644
index 0000000..0cf93dd
--- /dev/null
+++ b/doc/ssl/SSL_CTX_config.pod
@@ -0,0 +1,84 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure.
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_config(SSL_CTX *ctx, const char *name);
+ int SSL_config(SSL *s, const char *name);
+
+=head1 DESCRIPTION
+
+The functions SSL_CTX_config() and SSL_config() configure an B<SSL_CTX> or
+B<SSL> structure using the configuration B<name>.
+
+=head1 NOTES
+
+By calling SSL_CTX_config() or SSL_config() an application can perform many
+complex tasks based on the contents of the configuration file: greatly
+simplifying application configuration code. A degree of future proofing
+can also be achieved: an application can support configuration features
+in newer versions of OpenSSL automatically.
+
+A configuration file must have been previously loaded, for example using
+CONF_modules_load_file(). See L<config(3)> for details of the configuration
+file syntax.
+
+=head1 RETURN VALUES
+
+SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error
+occurred.
+
+=head1 EXAMPLE
+
+If the file "config.cnf" contains the following:
+
+ testapp = test_sect
+
+ [test_sect]
+ # list of confuration modules
+
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+
+ server = server_section
+
+ [server_section]
+
+ RSA.Certificate = server-rsa.pem
+ ECDSA.Certificate = server-ecdsa.pem
+ Ciphers = ALL:!RC4
+
+An application could call:
+
+ if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) {
+      fprintf(stderr, "Error processing config file\n");
+      goto err;
+ }
+
+ ctx = SSL_CTX_new(TLS_server_method());
+
+ if (SSL_CTX_config(ctx, "server") == 0) {
+     fprintf(stderr, "Error configuring server.\n");
+     goto err;
+ }
+
+In this example two certificates and the cipher list are configured without
+the need for any additional application code.
+
+=head1 SEE ALSO
+
+L<config(3)>,
+L<SSL_CONF_cmd(3)>,
+L<CONF_modules_load_file(3)>
+
+=head1 HISTORY
+
+SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0
+
+=cut
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index d6d05ae..f700828 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1796,6 +1796,10 @@ __owur int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
 __owur int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
 __owur int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
 
+void SSL_add_ssl_module(void);
+int SSL_config(SSL *s, const char *name);
+int SSL_CTX_config(SSL_CTX *ctx, const char *name);
+
 # ifndef OPENSSL_NO_SSL_TRACE
 void SSL_trace(int write_p, int version, int content_type,
                const void *buf, size_t len, SSL *ssl, void *arg);
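Review bot: The new prototypes at lines 528-529 are declared without `__owur`, while the SSL_CONF_cmd* functions immediately above all carry it; a caller that ignores the return of SSL_CTX_config() or SSL_config() would continue with an unconfigured (or partially configured) context — exactly the silent failure the attribute exists to catch. Suggest `__owur int SSL_config(SSL *s, const char *name);` and `__owur int SSL_CTX_config(SSL_CTX *ctx, const char *name);`. SSL_add_ssl_module() returning void is consistent with the other module-registration entry points, so it needs no change.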
@@ -1956,6 +1960,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_DIGEST_CACHED_RECORDS                 293
 # define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 292
 # define SSL_F_SSL3_ENC                                   134
+# define SSL_F_SSL3_FINAL_FINISH_MAC                      285
 # define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
 # define SSL_F_SSL3_GENERATE_MASTER_SECRET                388
 # define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
@@ -1974,7 +1979,6 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_GET_SERVER_CERTIFICATE                144
 # define SSL_F_SSL3_GET_SERVER_DONE                       145
 # define SSL_F_SSL3_GET_SERVER_HELLO                      146
-# define SSL_F_SSL3_FINAL_FINISH_MAC                      285
 # define SSL_F_SSL3_NEW_SESSION_TICKET                    287
 # define SSL_F_SSL3_OUTPUT_CERT_CHAIN                     147
 # define SSL_F_SSL3_PEEK                                  235
@@ -2045,6 +2049,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE             179
 # define SSL_F_SSL_CTX_USE_SERVERINFO                     336
 # define SSL_F_SSL_CTX_USE_SERVERINFO_FILE                337
+# define SSL_F_SSL_DO_CONFIG                              391
 # define SSL_F_SSL_DO_HANDSHAKE                           180
 # define SSL_F_SSL_GET_NEW_SESSION                        181
 # define SSL_F_SSL_GET_PREV_SESSION                       217
@@ -2054,6 +2059,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_GET_SIGN_PKEY                          183
 # define SSL_F_SSL_INIT_WBIO_BUFFER                       184
 # define SSL_F_SSL_LOAD_CLIENT_CA_FILE                    185
+# define SSL_F_SSL_MODULE_INIT                            392
 # define SSL_F_SSL_NEW                                    186
 # define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT      300
 # define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT               302
@@ -2252,6 +2258,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_INCONSISTENT_EXTMS                         104
 # define SSL_R_INVALID_COMMAND                            280
 # define SSL_R_INVALID_COMPRESSION_ALGORITHM              341
+# define SSL_R_INVALID_CONFIGURATION_NAME                 113
 # define SSL_R_INVALID_NULL_CMD_NAME                      385
 # define SSL_R_INVALID_PURPOSE                            278
 # define SSL_R_INVALID_SEQUENCE_NUMBER                    402
@@ -2356,10 +2363,14 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_SSLV3_ALERT_NO_CERTIFICATE                 1041
 # define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             1010
 # define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE        1043
+# define SSL_R_SSL_COMMAND_SECTION_EMPTY                  117
+# define SSL_R_SSL_COMMAND_SECTION_NOT_FOUND              125
 # define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION         228
 # define SSL_R_SSL_HANDSHAKE_FAILURE                      229
 # define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                 230
 # define SSL_R_SSL_NEGATIVE_LENGTH                        372
+# define SSL_R_SSL_SECTION_EMPTY                          126
+# define SSL_R_SSL_SECTION_NOT_FOUND                      136
 # define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED             301
 # define SSL_R_SSL_SESSION_ID_CONFLICT                    302
 # define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG            273
@@ -2368,6 +2379,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_TLSV1_ALERT_DECODE_ERROR                   1050
 # define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED              1021
 # define SSL_R_TLSV1_ALERT_DECRYPT_ERROR                  1051
+# define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION             1060
 # define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK         1086
 # define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          1071
 # define SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 1080
@@ -2404,6 +2416,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_UNKNOWN_CIPHER_RETURNED                    248
 # define SSL_R_UNKNOWN_CIPHER_TYPE                        249
 # define SSL_R_UNKNOWN_CMD_NAME                           386
+# define SSL_R_UNKNOWN_COMMAND                            139
 # define SSL_R_UNKNOWN_DIGEST                             368
 # define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                  250
 # define SSL_R_UNKNOWN_PKEY_TYPE                          251
diff --git a/ssl/Makefile b/ssl/Makefile
index e197fb0..f398c9a 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -24,7 +24,7 @@ LIBSRC=	\
 	statem/statem_dtls.c d1_srtp.c \
 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
-	ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
+	ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c  ssl_mcnf.c \
 	bio_ssl.c ssl_err.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \
 	record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \
 	statem/statem.c
@@ -36,7 +36,7 @@ LIBOBJ= \
 	statem/statem_dtls.o d1_srtp.o\
 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
-	ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
+	ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o ssl_mcnf.o \
 	bio_ssl.o ssl_err.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o \
 	record/ssl3_buffer.o record/ssl3_record.o record/dtls1_bitmap.o \
 	statem/statem.o
@@ -548,6 +548,26 @@ ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
 ssl_lib.o: packet_locl.h record/record.h ssl_lib.c ssl_locl.h statem/statem.h
+ssl_mcnf.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/async.h
+ssl_mcnf.o: ../include/openssl/bio.h ../include/openssl/bn.h
+ssl_mcnf.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ssl_mcnf.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ssl_mcnf.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_mcnf.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_mcnf.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_mcnf.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_mcnf.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_mcnf.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_mcnf.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_mcnf.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_mcnf.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_mcnf.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_mcnf.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_mcnf.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_mcnf.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_mcnf.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_mcnf.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_mcnf.o: ssl_locl.h ssl_mcnf.c statem/statem.h
 ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/async.h
 ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/bn.h
 ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/comp.h
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index fc6af90..1bb9cb6 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -133,5 +133,6 @@ int SSL_library_init(void)
 #endif
     /* initialize cipher/digest methods table */
     ssl_load_ciphers();
+    SSL_add_ssl_module();
     return (1);
 }
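Review bot: SSL_library_init() now calls `SSL_add_ssl_module();` on every invocation at line 662, and applications routinely call SSL_library_init() more than once; unless SSL_add_ssl_module() is idempotent (its implementation is not visible in this page), each call appends another copy of the module to the CONF module list. Either guard the call with a static once-flag here, or add a comment at this line stating that SSL_add_ssl_module() tolerates repeated calls, so the contract is explicit. SSL_library_init starts before the hunk.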
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 0623104..c29c36b 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -139,6 +139,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),
      "ssl3_do_change_cipher_spec"},
     {ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"},
+    {ERR_FUNC(SSL_F_SSL3_FINAL_FINISH_MAC), "ssl3_final_finish_mac"},
     {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "ssl3_generate_key_block"},
     {ERR_FUNC(SSL_F_SSL3_GENERATE_MASTER_SECRET),
      "ssl3_generate_master_secret"},
@@ -164,7 +165,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "ssl3_get_server_certificate"},
     {ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "ssl3_get_server_done"},
     {ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "ssl3_get_server_hello"},
-    {ERR_FUNC(SSL_F_SSL3_FINAL_FINISH_MAC), "ssl3_final_finish_mac"},
     {ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"},
     {ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "ssl3_output_cert_chain"},
     {ERR_FUNC(SSL_F_SSL3_PEEK), "ssl3_peek"},
@@ -262,6 +262,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO), "SSL_CTX_use_serverinfo"},
     {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO_FILE),
      "SSL_CTX_use_serverinfo_file"},
+    {ERR_FUNC(SSL_F_SSL_DO_CONFIG), "ssl_do_config"},
     {ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
     {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "ssl_get_new_session"},
     {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "ssl_get_prev_session"},
@@ -271,6 +272,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "ssl_get_sign_pkey"},
     {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "ssl_init_wbio_buffer"},
     {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
+    {ERR_FUNC(SSL_F_SSL_MODULE_INIT), "ssl_module_init"},
     {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
     {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),
      "ssl_parse_clienthello_renegotiate_ext"},
@@ -316,7 +318,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
     {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
     {ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"},
-    {ERR_FUNC(SSL_F_SSL_START_ASYNC_JOB), "SSL_START_ASYNC_JOB"},
+    {ERR_FUNC(SSL_F_SSL_START_ASYNC_JOB), "ssl_start_async_job"},
     {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),
      "ssl_undefined_const_function"},
     {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "ssl_undefined_function"},
@@ -432,6 +434,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"},
     {ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE), "bad ecdsa signature"},
     {ERR_REASON(SSL_R_BAD_ECPOINT), "bad ecpoint"},
+    {ERR_REASON(SSL_R_BAD_GOST_SIGNATURE), "bad gost signature"},
     {ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH), "bad handshake length"},
     {ERR_REASON(SSL_R_BAD_HELLO_REQUEST), "bad hello request"},
     {ERR_REASON(SSL_R_BAD_LENGTH), "bad length"},
@@ -537,6 +540,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_INVALID_COMMAND), "invalid command"},
     {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),
      "invalid compression algorithm"},
+    {ERR_REASON(SSL_R_INVALID_CONFIGURATION_NAME),
+     "invalid configuration name"},
     {ERR_REASON(SSL_R_INVALID_NULL_CMD_NAME), "invalid null cmd name"},
     {ERR_REASON(SSL_R_INVALID_PURPOSE), "invalid purpose"},
     {ERR_REASON(SSL_R_INVALID_SEQUENCE_NUMBER), "invalid sequence number"},
@@ -678,12 +683,18 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "sslv3 alert unexpected message"},
     {ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),
      "sslv3 alert unsupported certificate"},
+    {ERR_REASON(SSL_R_SSL_COMMAND_SECTION_EMPTY),
+     "ssl command section empty"},
+    {ERR_REASON(SSL_R_SSL_COMMAND_SECTION_NOT_FOUND),
+     "ssl command section not found"},
     {ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),
      "ssl ctx has no default ssl version"},
     {ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE), "ssl handshake failure"},
     {ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),
      "ssl library has no ciphers"},
     {ERR_REASON(SSL_R_SSL_NEGATIVE_LENGTH), "ssl negative length"},
+    {ERR_REASON(SSL_R_SSL_SECTION_EMPTY), "ssl section empty"},
+    {ERR_REASON(SSL_R_SSL_SECTION_NOT_FOUND), "ssl section not found"},
     {ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),
      "ssl session id callback failed"},
     {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"},
@@ -698,6 +709,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "tlsv1 alert decryption failed"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
      "tlsv1 alert decrypt error"},
+    {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
+     "tlsv1 alert export restriction"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
      "tlsv1 alert inappropriate fallback"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),
@@ -760,6 +773,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"},
     {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"},
     {ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
+    {ERR_REASON(SSL_R_UNKNOWN_COMMAND), "unknown command"},
     {ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"},
     {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
      "unknown key exchange type"},
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
new file mode 100644
index 0000000..a223c73
--- /dev/null
+++ b/ssl/ssl_mcnf.c
@@ -0,0 +1,248 @@
+/* ssl_mcnf.c */
+/*
+ * Written by Stephen Henson (steve at openssl.org) for the OpenSSL project
+ * 2015.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/conf.h>
+#include <openssl/ssl.h>
+#include "ssl_locl.h"
+
+/* SSL library configuration module. */
+
+struct ssl_conf_name {
+    /* Name of this set of commands */
+    char *name;
+    /* List of commands */
+    struct ssl_conf_cmd *cmds;
+    /* Number of commands */
+    size_t cmd_count;
+};
+
+struct ssl_conf_cmd {
+    /* Command */
+    char *cmd;
+    /* Argument */
+    char *arg;
+};
+
+static struct ssl_conf_name *ssl_names;
+static size_t ssl_names_count;
+
+static void ssl_module_free()
+{
+    size_t i, j;
+    if (ssl_names == NULL)
+        return;
+    for (i = 0; i < ssl_names_count; i++) {
+        struct ssl_conf_name *tname = ssl_names + i;
+        OPENSSL_free(tname->name);
+        for (j = 0; j < tname->cmd_count; j++) {
+            OPENSSL_free(tname->cmds[j].cmd);
+            OPENSSL_free(tname->cmds[j].arg);
+        }
+        OPENSSL_free(tname->cmds);
+    }
+    OPENSSL_free(ssl_names);
+    ssl_names = NULL;
+    ssl_names_count = 0;
+}
+
+static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
+{
+    size_t i, j, cnt;
+    int rv = 0;
+    const char *ssl_conf_section;
+    STACK_OF(CONF_VALUE) *cmd_lists;
+    ssl_conf_section = CONF_imodule_get_value(md);
+    cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
+    if (sk_CONF_VALUE_num(cmd_lists) <= 0){
+        if (cmd_lists == NULL)
+            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
+        else
+            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
+        ERR_add_error_data(2, "section=", ssl_conf_section);
+        goto err;
+    }
+    cnt = sk_CONF_VALUE_num(cmd_lists);
+    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+    ssl_names_count = cnt;
+    for (i = 0; i < ssl_names_count; i++) {
+        struct ssl_conf_name *ssl_name = ssl_names + i;
+        CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i);
+        STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
+        if (sk_CONF_VALUE_num(cmds) <= 0) {
+            if (cmds == NULL)
+                SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
+            else
+                SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
+            ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
+            goto err;
+        }
+        ssl_name->name = BUF_strdup(sect->name);
+        if (ssl_name->name == NULL)
+            goto err;
+        cnt = sk_CONF_VALUE_num(cmds);
+        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
+        if (ssl_name->cmds == NULL)
+            goto err;
+        ssl_name->cmd_count = cnt;
+        for (j = 0; j < cnt; j++) {
+            const char *name;
+            CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j);
+            struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
+            /* Skip any initial dot in name */
+            name = strchr(cmd_conf->name, '.');
+            if (name != NULL)
+                name++;
+            else
+                name = cmd_conf->name;
+            cmd->cmd = BUF_strdup(name);
+            cmd->arg = BUF_strdup(cmd_conf->value);
+            if (cmd->cmd == NULL || cmd->arg == NULL)
+                goto err;
+        }
+
+    }
+    rv = 1;
+    err:
+    if (rv == 0)
+        ssl_module_free();
+    return rv;
+}
+
+void SSL_add_ssl_module(void)
+{
+    CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
+}
+
+static const struct ssl_conf_name *ssl_name_find(const char *name)
+{
+    size_t i;
+    const struct ssl_conf_name *nm;
+    if (name == NULL)
+        return NULL;
+    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
+        if (strcmp(nm->name, name) == 0)
+            return nm;
+    }
+    return NULL;
+}
+
+static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
+{
+    SSL_CONF_CTX *cctx = NULL;
+    size_t i;
+    int rv = 0;
+    unsigned int flags;
+    const SSL_METHOD *meth;
+    const struct ssl_conf_name *nm;
+    struct ssl_conf_cmd *cmd;
+    if (s == NULL && ctx == NULL) {
+        SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
+        goto err;
+    }
+    nm = ssl_name_find(name);
+    if (nm == NULL) {
+        SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
+        ERR_add_error_data(2, "name=", name);
+        goto err;
+    }
+    cctx = SSL_CONF_CTX_new();
+    if (cctx == NULL)
+        goto err;
+    flags = SSL_CONF_FLAG_FILE;
+    flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
+    if (s != NULL) {
+        meth = s->method;
+        SSL_CONF_CTX_set_ssl(cctx, s);
+    } else {
+        meth = ctx->method;
+        SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+    }
+    if (meth->ssl_accept != ssl_undefined_function)
+            flags |= SSL_CONF_FLAG_SERVER;
+    if (meth->ssl_connect != ssl_undefined_function)
+            flags |= SSL_CONF_FLAG_CLIENT;
+    SSL_CONF_CTX_set_flags(cctx, flags);
+    for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
+        rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
+        if (rv <= 0) {
+            if (rv == -2)
+                SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
+            else 
+                SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
+            ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
+                                    ", arg=", cmd->arg);
+            goto err;
+        }
+    }
+    rv = SSL_CONF_CTX_finish(cctx);
+    err:
+    SSL_CONF_CTX_free(cctx);
+    return rv <= 0 ? 0 : 1;
+}
+
+int SSL_config(SSL *s, const char *name)
+{
+    return ssl_do_config(s, NULL, name);
+}
+
+int SSL_CTX_config(SSL_CTX *ctx, const char *name)
+{
+    return ssl_do_config(NULL, ctx, name);
+}
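Review bot: The allocation at `ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);` in ssl_module_init is never checked, so on allocation failure ssl_names_count is still set and the loop dereferences `ssl_names + i` through a NULL base; add `if (ssl_names == NULL) goto err;` before `ssl_names_count = cnt;`, matching the check the per-name `cmds` allocation already has a few lines lower. ssl_module_free is defined with an empty parameter list but is registered via CONF_module_add as the finish callback, which the CONF module code invokes with a CONF_IMODULE argument; defining it as `static void ssl_module_free(CONF_IMODULE *md)` keeps the definition prototyped and consistent with the callback type. ssl_module_init also assigns ssl_names unconditionally, so if the module can be initialised a second time without an intervening finish the earlier list appears to be leaked — freeing any existing list at the top of init (or refusing re-initialisation) would close that.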
diff --git a/test/ssltest.c b/test/ssltest.c
index fd356c7..01b6058 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -1711,6 +1711,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_ENGINE
     ENGINE_cleanup();
 #endif
+    CONF_modules_unload(1);
     CRYPTO_cleanup_all_ex_data();
     ERR_free_strings();
     ERR_remove_thread_state(NULL);
diff --git a/util/ssleay.num b/util/ssleay.num
index eef617b..cf841a0 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -413,3 +413,6 @@ SSL_set_default_passwd_cb               447	1_1_0	EXIST::FUNCTION:
 SSL_set_default_passwd_cb_userdata      448	1_1_0	EXIST::FUNCTION:
 SSL_waiting_for_async                   449	1_1_0	EXIST::FUNCTION:
 SSL_get_async_wait_fd                   450	1_1_0	EXIST::FUNCTION:
+SSL_add_ssl_module                      451	1_1_0	EXIST::FUNCTION:
+SSL_CTX_config                          452	1_1_0	EXIST::FUNCTION:
+SSL_config                              453	1_1_0	EXIST::FUNCTION:

