Move the loading of the ssl_conf module to libcrypto
authorMatt Caswell <matt@openssl.org>
Fri, 30 Mar 2018 18:19:56 +0000 (19:19 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 5 Apr 2018 14:30:12 +0000 (15:30 +0100)
The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.

Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.

This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.

Fixes #5809

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)

12 files changed:
crypto/conf/build.info
crypto/conf/conf_err.c
crypto/conf/conf_lcl.h [new file with mode: 0644]
crypto/conf/conf_mall.c
crypto/conf/conf_ssl.c [new file with mode: 0644]
crypto/err/openssl.txt
include/internal/sslconf.h [new file with mode: 0644]
include/openssl/conferr.h
ssl/ssl_init.c
ssl/ssl_mcnf.c
util/libcrypto.num
util/mkdef.pl

index 4438eb42620f4a8675da37c2f0efc7ddb56217c1..ff367994ea091498b557105539b95f56cb4ad42b 100644 (file)
@@ -1,4 +1,4 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]= \
         conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \
-        conf_mall.c conf_sap.c
+        conf_mall.c conf_sap.c conf_ssl.c
index ebef728456ad501fd1698b6f85cdfe80376e20c2..01f98da87ac2f65019dac1b882ab9cac3a33af22 100644 (file)
@@ -36,6 +36,7 @@ static const ERR_STRING_DATA CONF_str_functs[] = {
     {ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_LOAD_FP, 0), "NCONF_load_fp"},
     {ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_NEW, 0), "NCONF_new"},
     {ERR_PACK(ERR_LIB_CONF, CONF_F_PROCESS_INCLUDE, 0), "process_include"},
+    {ERR_PACK(ERR_LIB_CONF, CONF_F_SSL_MODULE_INIT, 0), "ssl_module_init"},
     {ERR_PACK(ERR_LIB_CONF, CONF_F_STR_COPY, 0), "str_copy"},
     {0, NULL}
 };
@@ -61,6 +62,13 @@ static const ERR_STRING_DATA CONF_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_NO_VALUE), "no value"},
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
     "recursive directory include"},
+    {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_EMPTY),
+    "ssl command section empty"},
+    {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_NOT_FOUND),
+    "ssl command section not found"},
+    {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_SECTION_EMPTY), "ssl section empty"},
+    {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_SECTION_NOT_FOUND),
+    "ssl section not found"},
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNABLE_TO_CREATE_NEW_SECTION),
     "unable to create new section"},
     {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNKNOWN_MODULE_NAME),
diff --git a/crypto/conf/conf_lcl.h b/crypto/conf/conf_lcl.h
new file mode 100644 (file)
index 0000000..6e1f7fe
--- /dev/null
@@ -0,0 +1,11 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+void conf_add_ssl_module(void);
+
index 4e7a434e0e4d9806177a8878dcb3b330cc942641..5aab42963973eb3a1e702bd99fb3a4f4c1353c5b 100644 (file)
@@ -14,6 +14,7 @@
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
+#include "conf_lcl.h"
 
 /* Load all OpenSSL builtin modules */
 
@@ -26,4 +27,5 @@ void OPENSSL_load_builtin_modules(void)
     ENGINE_add_conf_module();
 #endif
     EVP_add_alg_module();
+    conf_add_ssl_module();
 }
diff --git a/crypto/conf/conf_ssl.c b/crypto/conf/conf_ssl.c
new file mode 100644 (file)
index 0000000..015c46c
--- /dev/null
@@ -0,0 +1,178 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include "internal/sslconf.h"
+#include "conf_lcl.h"
+
+/*
+ * SSL library configuration module placeholder. We load it here but defer
+ * all decisions about its contents to libssl.
+ */
+
+struct ssl_conf_name_st {
+    /* Name of this set of commands */
+    char *name;
+    /* List of commands */
+    SSL_CONF_CMD *cmds;
+    /* Number of commands */
+    size_t cmd_count;
+};
+
+struct ssl_conf_cmd_st {
+    /* Command */
+    char *cmd;
+    /* Argument */
+    char *arg;
+};
+
+static struct ssl_conf_name_st *ssl_names;
+static size_t ssl_names_count;
+
+static void ssl_module_free(CONF_IMODULE *md)
+{
+    size_t i, j;
+    if (ssl_names == NULL)
+        return;
+    for (i = 0; i < ssl_names_count; i++) {
+        struct ssl_conf_name_st *tname = ssl_names + i;
+
+        OPENSSL_free(tname->name);
+        for (j = 0; j < tname->cmd_count; j++) {
+            OPENSSL_free(tname->cmds[j].cmd);
+            OPENSSL_free(tname->cmds[j].arg);
+        }
+        OPENSSL_free(tname->cmds);
+    }
+    OPENSSL_free(ssl_names);
+    ssl_names = NULL;
+    ssl_names_count = 0;
+}
+
+static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
+{
+    size_t i, j, cnt;
+    int rv = 0;
+    const char *ssl_conf_section;
+    STACK_OF(CONF_VALUE) *cmd_lists;
+
+    ssl_conf_section = CONF_imodule_get_value(md);
+    cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
+    if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
+        if (cmd_lists == NULL)
+            CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_NOT_FOUND);
+        else
+            CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_EMPTY);
+        ERR_add_error_data(2, "section=", ssl_conf_section);
+        goto err;
+    }
+    cnt = sk_CONF_VALUE_num(cmd_lists);
+    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+    ssl_names_count = cnt;
+    for (i = 0; i < ssl_names_count; i++) {
+        struct ssl_conf_name_st *ssl_name = ssl_names + i;
+        CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
+        STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
+
+        if (sk_CONF_VALUE_num(cmds) <= 0) {
+            if (cmds == NULL)
+                CONFerr(CONF_F_SSL_MODULE_INIT,
+                        CONF_R_SSL_COMMAND_SECTION_NOT_FOUND);
+            else
+                CONFerr(CONF_F_SSL_MODULE_INIT,
+                        CONF_R_SSL_COMMAND_SECTION_EMPTY);
+            ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
+            goto err;
+        }
+        ssl_name->name = OPENSSL_strdup(sect->name);
+        if (ssl_name->name == NULL)
+            goto err;
+        cnt = sk_CONF_VALUE_num(cmds);
+        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd_st));
+        if (ssl_name->cmds == NULL)
+            goto err;
+        ssl_name->cmd_count = cnt;
+        for (j = 0; j < cnt; j++) {
+            const char *name;
+            CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
+            struct ssl_conf_cmd_st *cmd = ssl_name->cmds + j;
+
+            /* Skip any initial dot in name */
+            name = strchr(cmd_conf->name, '.');
+            if (name != NULL)
+                name++;
+            else
+                name = cmd_conf->name;
+            cmd->cmd = OPENSSL_strdup(name);
+            cmd->arg = OPENSSL_strdup(cmd_conf->value);
+            if (cmd->cmd == NULL || cmd->arg == NULL)
+                goto err;
+        }
+
+    }
+    rv = 1;
+ err:
+    if (rv == 0)
+        ssl_module_free(md);
+    return rv;
+}
+
+/*
+ * Returns the set of commands with index |idx| previously searched for via
+ * conf_ssl_name_find. Also stores the name of the set of commands in |*name|
+ * and the number of commands in the set in |*cnt|.
+ */
+const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt)
+{
+    *name = ssl_names[idx].name;
+    *cnt = ssl_names[idx].cmd_count;
+    return ssl_names[idx].cmds;
+}
+
+/*
+ * Search for the named set of commands given in |name|. On success return the
+ * index for the command set in |*idx|.
+ * Returns 1 on success or 0 on failure.
+ */
+int conf_ssl_name_find(const char *name, size_t *idx)
+{
+    size_t i;
+    const struct ssl_conf_name_st *nm;
+
+    if (name == NULL)
+        return 0;
+    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
+        if (strcmp(nm->name, name) == 0) {
+            *idx = i;
+            return 1;
+        }
+    }
+    return 0;
+}
+
+/*
+ * Given a command set |cmd|, return details on the command at index |idx| which
+ * must be less than the number of commands in the set (as returned by
+ * conf_ssl_get). The name of the command will be returned in |*cmdstr| and the
+ * argument is returned in |*arg|.
+ */
+void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                      char **arg)
+{
+    *cmdstr = cmd[idx].cmd;
+    *arg = cmd[idx].arg;
+}
+
+void conf_add_ssl_module(void)
+{
+    CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
+}
index 0f15dd8d6e35122ada7c160b554e8f44b3ccfa14..51bd461316309ff5915fe6e29422dc5b4173f1c9 100644 (file)
@@ -335,6 +335,7 @@ CONF_F_NCONF_LOAD_BIO:110:NCONF_load_bio
 CONF_F_NCONF_LOAD_FP:114:NCONF_load_fp
 CONF_F_NCONF_NEW:111:NCONF_new
 CONF_F_PROCESS_INCLUDE:116:process_include
+CONF_F_SSL_MODULE_INIT:122:ssl_module_init
 CONF_F_STR_COPY:101:str_copy
 CRYPTO_F_CRYPTO_DUP_EX_DATA:110:CRYPTO_dup_ex_data
 CRYPTO_F_CRYPTO_FREE_EX_DATA:111:CRYPTO_free_ex_data
@@ -1952,6 +1953,10 @@ CONF_R_NO_SECTION:107:no section
 CONF_R_NO_SUCH_FILE:114:no such file
 CONF_R_NO_VALUE:108:no value
 CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
+CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
+CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
+CONF_R_SSL_SECTION_EMPTY:119:ssl section empty
+CONF_R_SSL_SECTION_NOT_FOUND:120:ssl section not found
 CONF_R_UNABLE_TO_CREATE_NEW_SECTION:103:unable to create new section
 CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name
 CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
new file mode 100644 (file)
index 0000000..d538f86
--- /dev/null
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_SSLCONF_H
+# define HEADER_SSLCONF_H
+
+typedef struct ssl_conf_cmd_st SSL_CONF_CMD;
+
+const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt);
+int conf_ssl_name_find(const char *name, size_t *idx);
+void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                      char **arg);
+
+#endif
index 56071e3397d515aa827539ad3f4183ab5a213b60..e2317d8ebb739bbbec6e248bb7c495928c6fa030 100644 (file)
@@ -40,6 +40,7 @@ int ERR_load_CONF_strings(void);
 # define CONF_F_NCONF_LOAD_FP                             114
 # define CONF_F_NCONF_NEW                                 111
 # define CONF_F_PROCESS_INCLUDE                           116
+# define CONF_F_SSL_MODULE_INIT                           122
 # define CONF_F_STR_COPY                                  101
 
 /*
@@ -58,6 +59,10 @@ int ERR_load_CONF_strings(void);
 # define CONF_R_NO_SUCH_FILE                              114
 # define CONF_R_NO_VALUE                                  108
 # define CONF_R_RECURSIVE_DIRECTORY_INCLUDE               111
+# define CONF_R_SSL_COMMAND_SECTION_EMPTY                 117
+# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND             118
+# define CONF_R_SSL_SECTION_EMPTY                         119
+# define CONF_R_SSL_SECTION_NOT_FOUND                     120
 # define CONF_R_UNABLE_TO_CREATE_NEW_SECTION              103
 # define CONF_R_UNKNOWN_MODULE_NAME                       113
 # define CONF_R_VARIABLE_EXPANSION_TOO_LONG               116
index 34e67736d1b4636abc5c67e64f4ff80b746c798b..bc84aa8473c0b9f78e1c09a86403001e42e04665 100644 (file)
@@ -106,7 +106,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
     fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
             "SSL_add_ssl_module()\n");
 #endif
-    SSL_add_ssl_module();
     /*
      * We ignore an error return here. Not much we can do - but not that bad
      * either. We can still safely continue.
@@ -195,11 +194,14 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings)
         return 0;
     }
 
-    if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
+    if (!OPENSSL_init_crypto(opts
+                             | OPENSSL_INIT_LOAD_CONFIG
+                             | OPENSSL_INIT_ADD_ALL_CIPHERS
+                             | OPENSSL_INIT_ADD_ALL_DIGESTS,
+                             settings))
         return 0;
 
-    if (!OPENSSL_init_crypto(opts | OPENSSL_INIT_ADD_ALL_CIPHERS
-                             | OPENSSL_INIT_ADD_ALL_DIGESTS, settings))
+    if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
         return 0;
 
     if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS)
index 1471a0dc724f6ed147c7f896c9de3077452c13a0..a0e265771449174e65f0b466cd24670e3a0ab91b 100644 (file)
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
 #include "ssl_locl.h"
+#include "internal/sslconf.h"
 
 /* SSL library configuration module. */
 
-struct ssl_conf_name {
-    /* Name of this set of commands */
-    char *name;
-    /* List of commands */
-    struct ssl_conf_cmd *cmds;
-    /* Number of commands */
-    size_t cmd_count;
-};
-
-struct ssl_conf_cmd {
-    /* Command */
-    char *cmd;
-    /* Argument */
-    char *arg;
-};
-
-static struct ssl_conf_name *ssl_names;
-static size_t ssl_names_count;
-
-static void ssl_module_free(CONF_IMODULE *md)
-{
-    size_t i, j;
-    if (ssl_names == NULL)
-        return;
-    for (i = 0; i < ssl_names_count; i++) {
-        struct ssl_conf_name *tname = ssl_names + i;
-        OPENSSL_free(tname->name);
-        for (j = 0; j < tname->cmd_count; j++) {
-            OPENSSL_free(tname->cmds[j].cmd);
-            OPENSSL_free(tname->cmds[j].arg);
-        }
-        OPENSSL_free(tname->cmds);
-    }
-    OPENSSL_free(ssl_names);
-    ssl_names = NULL;
-    ssl_names_count = 0;
-}
-
-static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
-{
-    size_t i, j, cnt;
-    int rv = 0;
-    const char *ssl_conf_section;
-    STACK_OF(CONF_VALUE) *cmd_lists;
-    ssl_conf_section = CONF_imodule_get_value(md);
-    cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
-    if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
-        if (cmd_lists == NULL)
-            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
-        else
-            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
-        ERR_add_error_data(2, "section=", ssl_conf_section);
-        goto err;
-    }
-    cnt = sk_CONF_VALUE_num(cmd_lists);
-    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
-    ssl_names_count = cnt;
-    for (i = 0; i < ssl_names_count; i++) {
-        struct ssl_conf_name *ssl_name = ssl_names + i;
-        CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
-        STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
-        if (sk_CONF_VALUE_num(cmds) <= 0) {
-            if (cmds == NULL)
-                SSLerr(SSL_F_SSL_MODULE_INIT,
-                       SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
-            else
-                SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
-            ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
-            goto err;
-        }
-        ssl_name->name = BUF_strdup(sect->name);
-        if (ssl_name->name == NULL)
-            goto err;
-        cnt = sk_CONF_VALUE_num(cmds);
-        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
-        if (ssl_name->cmds == NULL)
-            goto err;
-        ssl_name->cmd_count = cnt;
-        for (j = 0; j < cnt; j++) {
-            const char *name;
-            CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
-            struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
-            /* Skip any initial dot in name */
-            name = strchr(cmd_conf->name, '.');
-            if (name != NULL)
-                name++;
-            else
-                name = cmd_conf->name;
-            cmd->cmd = BUF_strdup(name);
-            cmd->arg = BUF_strdup(cmd_conf->value);
-            if (cmd->cmd == NULL || cmd->arg == NULL)
-                goto err;
-        }
-
-    }
-    rv = 1;
- err:
-    if (rv == 0)
-        ssl_module_free(md);
-    return rv;
-}
-
 void SSL_add_ssl_module(void)
 {
-    CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
-}
-
-static const struct ssl_conf_name *ssl_name_find(const char *name)
-{
-    size_t i;
-    const struct ssl_conf_name *nm;
-
-    if (name == NULL)
-        return NULL;
-    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
-        if (strcmp(nm->name, name) == 0)
-            return nm;
-    }
-    return NULL;
+    /* Do nothing. This will be added automatically by libcrypto */
 }
 
 static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 {
     SSL_CONF_CTX *cctx = NULL;
-    size_t i;
+    size_t i, idx, cmd_count;
     int rv = 0;
     unsigned int flags;
     const SSL_METHOD *meth;
-    const struct ssl_conf_name *nm;
-    struct ssl_conf_cmd *cmd;
+    const SSL_CONF_CMD *cmds;
 
     if (s == NULL && ctx == NULL) {
         SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
@@ -152,14 +36,14 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
 
     if (name == NULL && system)
         name = "system_default";
-    nm = ssl_name_find(name);
-    if (nm == NULL) {
+    if (!conf_ssl_name_find(name, &idx)) {
         if (!system) {
             SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
             ERR_add_error_data(2, "name=", name);
         }
         goto err;
     }
+    cmds = conf_ssl_get(idx, &name, &cmd_count);
     cctx = SSL_CONF_CTX_new();
     if (cctx == NULL)
         goto err;
@@ -178,15 +62,18 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
     if (meth->ssl_connect != ssl_undefined_function)
         flags |= SSL_CONF_FLAG_CLIENT;
     SSL_CONF_CTX_set_flags(cctx, flags);
-    for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
-        rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
+    for (i = 0; i < cmd_count; i++) {
+        char *cmdstr, *arg;
+
+        conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
+        rv = SSL_CONF_cmd(cctx, cmdstr, arg);
         if (rv <= 0) {
             if (rv == -2)
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
             else
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
-            ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
-                               ", arg=", cmd->arg);
+            ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr,
+                               ", arg=", arg);
             goto err;
         }
     }
index 07d9d27d21e0a9945644cdb988e808088f4c8788..e87c4b704e2de5a3e22e1fc6e1f4f6167f9ef7e1 100644 (file)
@@ -4524,3 +4524,6 @@ SM2_do_verify                           4465      1_1_1   EXIST::FUNCTION:SM2
 SM2_sign                                4466   1_1_1   EXIST::FUNCTION:SM2
 ERR_load_SM2_strings                    4467   1_1_1   EXIST::FUNCTION:SM2
 SM2_plaintext_size                      4468   1_1_1   EXIST::FUNCTION:SM2
+conf_ssl_name_find                      4469   1_1_0i  EXIST::FUNCTION:
+conf_ssl_get_cmd                        4470   1_1_0i  EXIST::FUNCTION:
+conf_ssl_get                            4471   1_1_0i  EXIST::FUNCTION:
index 7b5e28c3344a15a590bf299f4754a392fce32ce1..669589c8017d80f687b95fa173ba8ecf5dd3d815 100755 (executable)
@@ -241,6 +241,7 @@ my $crypto ="include/internal/dso.h";
 $crypto.=" include/internal/o_dir.h";
 $crypto.=" include/internal/o_str.h";
 $crypto.=" include/internal/err.h";
+$crypto.=" include/internal/sslconf.h";
 foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
     my $fn = "include/openssl/" . lc(basename($f));
     $crypto .= " $fn" if !defined $skipthese{$fn};