Commit 8a5ed9dc authored by Tomas Mraz, committed by Rich Salz

Apply system_default configuration on SSL_CTX_new().



When an SSL_CTX is created, preinitialize it with the system default
configuration from the system_default section.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4848)
parent 440bce8f
+1 −1
@@ -180,7 +180,7 @@ server application will either use both of SSL_read_early_data() and
SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither of them,
since there is no practical benefit from using only one of them. If the maximum
early data setting for a server is non-zero then replay protection is
automatically enabled (see L<REPLAY PROTECTION> below).
automatically enabled (see L</REPLAY PROTECTION> below).

In the event that the current maximum early data setting for the server is
different to that originally specified in a session that a client is resuming
+16 −0
@@ -247,6 +247,22 @@ For example:
 ECDSA.Certificate = server-ecdsa.pem
 Ciphers = ALL:!RC4

The system default configuration with name B<system_default> if present will
be applied during any creation of the B<SSL_CTX> structure.

Example of a configuration with the system default:

 ssl_conf = ssl_sect

 [ssl_sect]

 system_default = system_default_sect

 [system_default_sect]

 MinProtocol = TLSv1.2


=head1 NOTES

If a configuration file attempts to expand a variable that doesn't exist
+2 −0
@@ -3112,6 +3112,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     */
    ret->max_early_data = 0;

    ssl_ctx_system_config(ret);

    return ret;
 err:
    SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
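Review bot: The outcome of applying the system_default section at `ssl_ctx_system_config(ret);` is discarded, because the wrapper added in ssl_mcnf.c is declared `void` and drops the int that ssl_do_config returns. A section that is present but contains a command the parser rejects (presumably a bad MinProtocol value, to take the documented example) therefore still yields a usable SSL_CTX holding whatever commands succeeded before the failure, with no error on the queue to tell the caller that the intended baseline was not fully applied; only the absent-section case is meant to be silent, judging by the `if (!system)` guard around SSLerr in ssl_do_config. I would have the wrapper return the result of `ssl_do_config(NULL, ctx, NULL, 1)`, with the no-section path counted as success, and check it here with `if (!ssl_ctx_system_config(ret)) goto err;` under a reason code other than the ERR_R_MALLOC_FAILURE raised at `err:`. The same point applies to the `ssl_ctx_system_config` hunk in ssl_mcnf.c and its prototype in ssl_locl.h. SSL_CTX_new's body begins outside the hunk.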
+3 −0
@@ -2587,6 +2587,9 @@ void custom_exts_free(custom_ext_methods *exts);

void ssl_comp_free_compression_methods_int(void);

/* ssl_mcnf.c */
void ssl_ctx_system_config(SSL_CTX *ctx);

# else /* OPENSSL_UNIT_TEST */

#  define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
+19 −6
@@ -125,6 +125,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name)
{
    size_t i;
    const struct ssl_conf_name *nm;

    if (name == NULL)
        return NULL;
    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
@@ -134,7 +135,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name)
    return NULL;
}

static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
{
    SSL_CONF_CTX *cctx = NULL;
    size_t i;
@@ -143,20 +144,27 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
    const SSL_METHOD *meth;
    const struct ssl_conf_name *nm;
    struct ssl_conf_cmd *cmd;

    if (s == NULL && ctx == NULL) {
        SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
        goto err;
    }

    if (name == NULL && system)
        name = "system_default";
    nm = ssl_name_find(name);
    if (nm == NULL) {
        if (!system) {
            SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
            ERR_add_error_data(2, "name=", name);
        }
        goto err;
    }
    cctx = SSL_CONF_CTX_new();
    if (cctx == NULL)
        goto err;
    flags = SSL_CONF_FLAG_FILE;
    if (!system)
        flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
    if (s != NULL) {
        meth = s->method;
@@ -190,10 +198,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)

int SSL_config(SSL *s, const char *name)
{
    return ssl_do_config(s, NULL, name);
    return ssl_do_config(s, NULL, name, 0);
}

int SSL_CTX_config(SSL_CTX *ctx, const char *name)
{
    return ssl_do_config(NULL, ctx, name);
    return ssl_do_config(NULL, ctx, name, 0);
}

void ssl_ctx_system_config(SSL_CTX *ctx)
{
    ssl_do_config(NULL, ctx, NULL, 1);
}
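Review bot: The new `system` parameter of ssl_do_config is undocumented, and its two effects are easy to miss when reading the second hunk: at `if (!system) {` a missing section becomes a silent no-op instead of an SSL_R_INVALID_CONFIGURATION_NAME error, and at the later `if (!system)` the SSL_CONF_FLAG_CERTIFICATE and SSL_CONF_FLAG_REQUIRE_PRIVATE flags are withheld, so a system_default section cannot make every SSL_CTX_new() load certificate or private-key material from the config file. A comment above the definition should state both, e.g. `/* system != 0: apply the "system_default" section if present (absence is not an error); only file-level commands are enabled, so no certificate or key is loaded. */`. The substitution at `name = "system_default"` also means the `ERR_add_error_data(2, "name=", name)` path still sees a NULL name only for non-system callers, which the existing code already tolerated. ssl_do_config's body continues past the end of the hunk.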