From: Tomas Mraz Date: Fri, 26 Apr 2024 15:23:13 +0000 (+0200) Subject: Make conf_diagnostics apply also to the SSL conf errors X-Git-Tag: openssl-3.4.0-alpha1~582 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21819f78b057c254254646a7854bfad0cd40ed83;p=thirdparty%2Fopenssl.git Make conf_diagnostics apply also to the SSL conf errors Reviewed-by: Paul Dale Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/24275) --- diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index ccd28a146a7..3fa216dc1f4 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -214,6 +214,7 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename, ret = CONF_modules_load(conf, appname, flags); diagnostics = conf_diagnostics(conf); + OSSL_LIB_CTX_set_conf_diagnostics(libctx, diagnostics); err: if (filename == NULL) diff --git a/crypto/context.c b/crypto/context.c index 3d55084d7bd..fa46abab6b2 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -50,6 +50,7 @@ struct ossl_lib_ctx_st { #endif unsigned int ischild:1; + unsigned int conf_diagnostics:1; }; int ossl_lib_ctx_write_lock(OSSL_LIB_CTX *ctx) @@ -666,3 +667,19 @@ CRYPTO_THREAD_LOCAL *ossl_lib_ctx_get_rcukey(OSSL_LIB_CTX *libctx) return NULL; return &libctx->rcu_local_key; } + +int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *libctx) +{ + libctx = ossl_lib_ctx_get_concrete(libctx); + if (libctx == NULL) + return 0; + return libctx->conf_diagnostics; +} + +void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, unsigned int value) +{ + libctx = ossl_lib_ctx_get_concrete(libctx); + if (libctx == NULL) + return; + libctx->conf_diagnostics = value != 0; +} diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 5102c481e34..0584f687c92 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt 
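Review bot: The new `OSSL_LIB_CTX_set_conf_diagnostics(libctx, diagnostics);` in CONF_modules_load_file_ex stores whatever the file just loaded says, so a process that loads more than one configuration file (a system openssl.cnf with `config_diagnostics = 1` followed by an application file without it) has the flag silently reset to 0 before the SSL config path introduced elsewhere in this commit ever consults it. The store also sits after `diagnostics = conf_diagnostics(conf);` and before `err:`, so any earlier `goto err` (presumably a failed NCONF_load, outside the hunk) leaves a stale value from a previous load in the libctx. If last-file-wins is the intended contract, say so next to the call: `/* The most recently loaded config file decides whether SSL config errors are fatal */`; otherwise consider only ever turning the flag on here. CONF_modules_load_file_ex continues outside the hunk, including the later use of the local `diagnostics`.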
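Review bot: OSSL_LIB_CTX_set_conf_diagnostics writes `libctx->conf_diagnostics = value != 0;`, a 1-bit field that shares its storage unit with `ischild` in the struct hunk above, without taking the lock that ossl_lib_ctx_write_lock (visible in the context) exists for, so two threads loading configuration into the same libctx at once would perform an unsynchronized read-modify-write on that word. Whether concurrent config loads are a supported use is not visible here; if they are not, state it on the setter, e.g. `/* Unlocked: callers must not load configuration into the same libctx concurrently */`, otherwise bracket the store with ossl_lib_ctx_write_lock()/unlock(). The getter's `return 0;` for a NULL concrete context makes a failed lookup indistinguishable from "diagnostics off", which is acceptable since off is the default, but a one-line comment saying so would help the next reader.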
@@ -1400,6 +1400,7 @@ SSL_R_EMPTY_RAW_PUBLIC_KEY:349:empty raw public key SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST:354:empty srtp protection profile list SSL_R_ENCRYPTED_LENGTH_TOO_LONG:150:encrypted length too long SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:151:error in received cipher list +SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG:419:error in system default config SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN:204:error setting tlsa base domain SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE:194:exceeds max fragment size SSL_R_EXCESSIVE_MESSAGE_SIZE:152:excessive message size diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in index 5d7d3fd2e1e..04d99e20923 100644 --- a/include/openssl/crypto.h.in +++ b/include/openssl/crypto.h.in @@ -536,6 +536,8 @@ int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file); void OSSL_LIB_CTX_free(OSSL_LIB_CTX *); OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void); OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx); +int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *ctx); +void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, unsigned int value); void OSSL_sleep(uint64_t millis); diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 980a6c7b2fd..16305674ca1 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -117,6 +117,7 @@ # define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354 # define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 # define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 +# define SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG 419 # define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204 # define SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE 194 # define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index a1da9fde394..ddd0e2a36af 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c 
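Review bot: The two new public functions `OSSL_LIB_CTX_get_conf_diagnostics` and `OSSL_LIB_CTX_set_conf_diagnostics` are exported in libcrypto.num but no doc/man3 change (OSSL_LIB_CTX.pod or a new page) appears in this diff, so unless it lands in a separate commit the user-visible contract — a non-zero value makes SSL_CTX_new fail on system default config errors, per the ssl_lib.c hunk — is undocumented and the doc-nits check will report the missing entries. The prototypes name the parameter `ctx` while the definitions in context.c use `libctx`; this header already mixes both spellings, but matching the definition (`OSSL_LIB_CTX *libctx`) keeps the pair consistent. A short header comment above the two declarations, `/* conf_diagnostics: when set, errors in the system default SSL config are fatal */`, would cover the intent until the pod exists.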
@@ -164,6 +164,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "encrypted length too long"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), "error in received cipher list"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG), + "error in system default config"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN), "error setting tlsa base domain"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE), diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ed3522c7f5a..6af23612ee5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4096,7 +4096,10 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, /* By default we send two session tickets automatically in TLSv1.3 */ ret->num_tickets = 2; - ssl_ctx_system_config(ret); + if (!ssl_ctx_system_config(ret)) { + ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG); + goto err; + } return ret; err: diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index f448cfdbc94..78e16354e02 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2919,7 +2919,7 @@ void custom_exts_free(custom_ext_methods *exts); void ssl_comp_free_compression_methods_int(void); /* ssl_mcnf.c */ -void ssl_ctx_system_config(SSL_CTX *ctx); +int ssl_ctx_system_config(SSL_CTX *ctx); const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx, int nid, diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index 8bccce84d46..66416b61cf3 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -26,6 +26,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) size_t i, idx, cmd_count; int err = 1; unsigned int flags; + unsigned int conf_diagnostics = 0; const SSL_METHOD *meth; const SSL_CONF_CMD *cmds; OSSL_LIB_CTX *prev_libctx = NULL; 
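Review bot: With `if (!ssl_ctx_system_config(ret)) { ERR_raise(...); goto err; }` SSL_CTX_new_ex (and therefore SSL_CTX_new) can now return NULL for a non-resource reason — an invalid system default configuration — whenever conf_diagnostics is enabled, which is an observable behaviour change for applications that previously received a usable SSL_CTX with the broken section ignored; a CHANGES.md entry stating that `config_diagnostics = 1` makes such errors fatal is not part of this diff. The `err:` cleanup is outside the hunk, and the new `goto err` relies on it releasing everything attached to `ret` so far, which appears to be the existing pattern for the earlier failure paths. SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG is pushed on top of whatever the config code raised, which is useful as a summary entry, though a comment such as `/* Only fails when conf_diagnostics is set; see ssl_do_config() */` would explain why this call was previously unchecked.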
@@ -46,8 +47,11 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) } cmds = conf_ssl_get(idx, &name, &cmd_count); cctx = SSL_CONF_CTX_new(); - if (cctx == NULL) + if (cctx == NULL) { + /* this is a fatal error, always report */ + system = 0; goto err; + } flags = SSL_CONF_FLAG_FILE; if (!system) flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE; @@ -60,6 +64,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); libctx = ctx->libctx; } + conf_diagnostics = OSSL_LIB_CTX_get_conf_diagnostics(libctx); if (meth->ssl_accept != ssl_undefined_function) flags |= SSL_CONF_FLAG_SERVER; if (meth->ssl_connect != ssl_undefined_function) @@ -81,7 +86,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) err: OSSL_LIB_CTX_set0_default(prev_libctx); SSL_CONF_CTX_free(cctx); - return err == 0; + return err == 0 || (system && !conf_diagnostics); } int SSL_config(SSL *s, const char *name) @@ -94,7 +99,7 @@ int SSL_CTX_config(SSL_CTX *ctx, const char *name) return ssl_do_config(NULL, ctx, name, 0); } -void ssl_ctx_system_config(SSL_CTX *ctx) +int ssl_ctx_system_config(SSL_CTX *ctx) { - ssl_do_config(NULL, ctx, NULL, 1); + return ssl_do_config(NULL, ctx, NULL, 1); } diff --git a/test/sysdefaulttest.c b/test/sysdefaulttest.c index 350867cdcd5..5cd09bd08c8 100644 --- a/test/sysdefaulttest.c +++ b/test/sysdefaulttest.c @@ -16,16 +16,21 @@ #include #include "testutil.h" -static SSL_CTX *ctx; static int test_func(void) { + int ret = 1; + SSL_CTX *ctx; + + if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))) + return 0; if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION) && !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) { TEST_info("min/max version setting incorrect"); - return 0; + ret = 0; } - return 1; + SSL_CTX_free(ctx); + return ret; } int global_init(void) 
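Review bot: `return err == 0 || (system && !conf_diagnostics);` masks failures in system mode, but any errors pushed onto the error queue while the commands were processed (the command loop lies between the second and third hunks, outside view, and presumably raises as it does for SSL_CTX_config) remain there while the caller sees success, so an application creating an SSL_CTX may later find unrelated entries via ERR_get_error(). If that is the case, an `ERR_set_mark()` before the loop and an `ERR_pop_to_mark()` on the masked success path would keep the queue clean. Note also that `conf_diagnostics` is read only after the cctx allocation and libctx selection, so the `goto err` paths before that point return success in system mode regardless of the setting — intended for a missing section, but worth a comment on the return, e.g. `/* system config errors are only fatal when conf_diagnostics is set */`.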
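Review bot: In test_func the retained condition `if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION) && !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION))` sets `ret = 0` only when both the minimum and the maximum version are wrong, and because of short-circuiting the maximum is not even checked when the minimum is correct; a single mismatch prints a TEST_int_eq failure yet the test passes. The operator should be `||`. This commit also makes SSL_CTX_new fail on an invalid system config when diagnostics are on, but no test with `config_diagnostics = 1` and a broken SSL section asserting `TEST_ptr_null(SSL_CTX_new(TLS_method()))` and SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG on the queue is added, so the new failure path is untested here. test_func is complete within the hunk; the test's configuration setup is outside it.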
@@ -38,13 +43,6 @@ int global_init(void) int setup_tests(void) { - if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))) - return 0; ADD_TEST(test_func); return 1; } - -void cleanup_tests(void) -{ - SSL_CTX_free(ctx); -} diff --git a/util/libcrypto.num b/util/libcrypto.num index 3f52107edaf..a5f9bb32cb1 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5644,3 +5644,5 @@ OSSL_IETF_ATTR_SYNTAX_get0_value ? 3_4_0 EXIST::FUNCTION: OSSL_IETF_ATTR_SYNTAX_add1_value ? 3_4_0 EXIST::FUNCTION: OSSL_IETF_ATTR_SYNTAX_print ? 3_4_0 EXIST::FUNCTION: X509_ACERT_add_attr_nconf ? 3_4_0 EXIST::FUNCTION: +OSSL_LIB_CTX_get_conf_diagnostics ? 3_4_0 EXIST::FUNCTION: +OSSL_LIB_CTX_set_conf_diagnostics ? 3_4_0 EXIST::FUNCTION: