ret = CONF_modules_load(conf, appname, flags);
diagnostics = conf_diagnostics(conf);
+ OSSL_LIB_CTX_set_conf_diagnostics(libctx, diagnostics);
err:
if (filename == NULL)
#endif
unsigned int ischild:1;
+ unsigned int conf_diagnostics:1;
};
int ossl_lib_ctx_write_lock(OSSL_LIB_CTX *ctx)
return NULL;
return &libctx->rcu_local_key;
}
+
+int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *libctx)
+{
+ libctx = ossl_lib_ctx_get_concrete(libctx);
+ if (libctx == NULL)
+ return 0;
+ return libctx->conf_diagnostics;
+}
+
+void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, unsigned int value)
+{
+ libctx = ossl_lib_ctx_get_concrete(libctx);
+ if (libctx == NULL)
+ return;
+ libctx->conf_diagnostics = value != 0;
+}
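Review bot: Both accessors read and write the `conf_diagnostics:1` bitfield of a shared `OSSL_LIB_CTX` without any lock, although `ossl_lib_ctx_write_lock` exists for exactly this structure; a bitfield store rewrites the whole storage unit, so a setter racing with a write to the adjacent `ischild` bit, or with a concurrent getter, is a data race in C11 terms. If the flag is only meant to be set while the context is being configured and not yet shared, state that above the setter, e.g. `/* Not thread-safe: call before the libctx is shared across threads. */`, and repeat the caveat in the public documentation, since no man page change appears in the visible hunks. Otherwise take the context lock around the store or keep the flag out of the bitfield.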
SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST:354:empty srtp protection profile list
SSL_R_ENCRYPTED_LENGTH_TOO_LONG:150:encrypted length too long
SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:151:error in received cipher list
+SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG:419:error in system default config
SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN:204:error setting tlsa base domain
SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE:194:exceeds max fragment size
SSL_R_EXCESSIVE_MESSAGE_SIZE:152:excessive message size
void OSSL_LIB_CTX_free(OSSL_LIB_CTX *);
OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void);
OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx);
+int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *ctx);
+void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, unsigned int value);
void OSSL_sleep(uint64_t millis);
# define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
# define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
# define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
+# define SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG 419
# define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204
# define SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE 194
# define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
"encrypted length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
"error in received cipher list"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG),
+ "error in system default config"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
"error setting tlsa base domain"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
/* By default we send two session tickets automatically in TLSv1.3 */
ret->num_tickets = 2;
- ssl_ctx_system_config(ret);
+ if (!ssl_ctx_system_config(ret)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
+ goto err;
+ }
return ret;
err:
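Review bot: The new `goto err` turns a `system_default` section problem into an `SSL_CTX_new` failure, but the reason raised here carries no detail, so the only thing that tells callers what went wrong is whatever `ssl_do_config` pushed before returning 0 (its body is outside this hunk); if it can fail without raising, the caller sees just the generic reason. A comment on the check would also record that this is conditional behaviour, e.g. `/* only fatal when config_diagnostics is enabled for this libctx; see ssl_do_config() */`, and the SSL_CTX_new documentation should mention the new failure mode, which the visible hunks do not. The cleanup under `err:` is outside this hunk.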
void ssl_comp_free_compression_methods_int(void);
/* ssl_mcnf.c */
-void ssl_ctx_system_config(SSL_CTX *ctx);
+int ssl_ctx_system_config(SSL_CTX *ctx);
const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
int nid,
size_t i, idx, cmd_count;
int err = 1;
unsigned int flags;
+ unsigned int conf_diagnostics = 0;
const SSL_METHOD *meth;
const SSL_CONF_CMD *cmds;
OSSL_LIB_CTX *prev_libctx = NULL;
}
cmds = conf_ssl_get(idx, &name, &cmd_count);
cctx = SSL_CONF_CTX_new();
- if (cctx == NULL)
+ if (cctx == NULL) {
+ /* this is a fatal error, always report */
+ system = 0;
goto err;
+ }
flags = SSL_CONF_FLAG_FILE;
if (!system)
flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
libctx = ctx->libctx;
}
+ conf_diagnostics = OSSL_LIB_CTX_get_conf_diagnostics(libctx);
if (meth->ssl_accept != ssl_undefined_function)
flags |= SSL_CONF_FLAG_SERVER;
if (meth->ssl_connect != ssl_undefined_function)
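Review bot: `conf_diagnostics` is only read at the new line after `SSL_CONF_CTX_new()`, so every earlier `goto err` in the function (the section lookup and anything before it lies outside this hunk) still sees its initial 0 and, in system mode, is turned into success by the new return expression; the explicit `system = 0` added for the NULL `cctx` case shows this was handled for one path only. If a missing `system_default` section is meant to stay silent even with diagnostics enabled, make that deliberate at the read, e.g. `/* read here on purpose: failures before this point (no section) are never diagnosed */`; otherwise move the read up to where `libctx` is first known. `ssl_do_config` begins before this hunk.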
err:
OSSL_LIB_CTX_set0_default(prev_libctx);
SSL_CONF_CTX_free(cctx);
- return err == 0;
+ return err == 0 || (system && !conf_diagnostics);
}
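Review bot: The suppressed-failure branch `system && !conf_diagnostics` returns 1 without clearing anything, so whatever the failing command pushed onto the error queue earlier in the function (the command loop is outside this hunk) stays there while the caller is told the call succeeded; this matches the old behaviour where the result was simply ignored, but the return value and the error queue now disagree by design. Make the contract explicit above the return, e.g. `/* system_default errors are only fatal when config_diagnostics is set; the error queue is left as is */`, or bracket the system-mode run with `ERR_set_mark()`/`ERR_pop_to_mark()` if a clean queue is wanted in that case. `ssl_do_config` begins before this hunk.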
int SSL_config(SSL *s, const char *name)
return ssl_do_config(NULL, ctx, name, 0);
}
-void ssl_ctx_system_config(SSL_CTX *ctx)
+int ssl_ctx_system_config(SSL_CTX *ctx)
{
- ssl_do_config(NULL, ctx, NULL, 1);
+ return ssl_do_config(NULL, ctx, NULL, 1);
}
#include <openssl/tls1.h>
#include "testutil.h"
-static SSL_CTX *ctx;
static int test_func(void)
{
+ int ret = 1;
+ SSL_CTX *ctx;
+
+ if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
+ return 0;
if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION)
&& !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) {
TEST_info("min/max version setting incorrect");
- return 0;
+ ret = 0;
}
- return 1;
+ SSL_CTX_free(ctx);
+ return ret;
}
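Review bot: The unchanged condition joins the min and max checks with `&&`, so the test only fails when both versions are wrong; a single mismatch short-circuits, leaves `ret = 1`, and the test passes even though `TEST_int_eq` has printed a failure. Use `||` instead: `if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION)` / `    || !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) {`. The defect predates this commit, but the rewrite of this function is the moment to fix it.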
int global_init(void)
int setup_tests(void)
{
- if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
- return 0;
ADD_TEST(test_func);
return 1;
}
-
-void cleanup_tests(void)
-{
- SSL_CTX_free(ctx);
-}
OSSL_IETF_ATTR_SYNTAX_add1_value ? 3_4_0 EXIST::FUNCTION:
OSSL_IETF_ATTR_SYNTAX_print ? 3_4_0 EXIST::FUNCTION:
X509_ACERT_add_attr_nconf ? 3_4_0 EXIST::FUNCTION:
+OSSL_LIB_CTX_get_conf_diagnostics ? 3_4_0 EXIST::FUNCTION:
+OSSL_LIB_CTX_set_conf_diagnostics ? 3_4_0 EXIST::FUNCTION: