From 8a5ed9dce8ee36b4bb05cb928fa7a01aba6d8e41 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 19 Mar 2018 10:01:39 -0400 Subject: [PATCH] Apply system_default configuration on SSL_CTX_new(). When SSL_CTX is created preinitialize it with system default configuration from system_default section. Reviewed-by: Tim Hudson Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/4848) --- doc/man3/SSL_read_early_data.pod | 2 +- doc/man5/config.pod | 16 ++++++++++ ssl/ssl_lib.c | 2 ++ ssl/ssl_locl.h | 3 ++ ssl/ssl_mcnf.c | 25 ++++++++++++---- test/build.info | 7 ++++- test/recipes/90-test_sysdefault.t | 23 ++++++++++++++ test/sysdefault.cnf | 15 ++++++++++ test/sysdefaulttest.c | 50 +++++++++++++++++++++++++++++++ 9 files changed, 135 insertions(+), 8 deletions(-) create mode 100644 test/recipes/90-test_sysdefault.t create mode 100644 test/sysdefault.cnf create mode 100644 test/sysdefaulttest.c diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index 1b14a7391e..cdfebc86d2 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -180,7 +180,7 @@ server application will either use both of SSL_read_early_data() and SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither of them, since there is no practical benefit from using only one of them. If the maximum early data setting for a server is non-zero then replay protection is -automatically enabled (see L below). +automatically enabled (see L below). In the event that the current maximum early data setting for the server is different to that originally specified in a session that a client is resuming diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 485ec0870b..7885d6a4b6 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -247,6 +247,22 @@ For example: ECDSA.Certificate = server-ecdsa.pem Ciphers = ALL:!RC4 +The system default configuration with name B if present will +be applied during any creation of the B structure. + +Example of a configuration with the system default: + + ssl_conf = ssl_sect + + [ssl_sect] + + system_default = system_default_sect + + [system_default_sect] + + MinProtocol = TLSv1.2 + + =head1 NOTES If a configuration file attempts to expand a variable that doesn't exist diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e42333160b..baf8a94aa6 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3112,6 +3112,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) */ ret->max_early_data = 0; + ssl_ctx_system_config(ret); + return ret; err: SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 83a033445d..9d4e0f17a7 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2587,6 +2587,9 @@ void custom_exts_free(custom_ext_methods *exts); void ssl_comp_free_compression_methods_int(void); +/* ssl_mcnf.c */ +void ssl_ctx_system_config(SSL_CTX *ctx); + # else /* OPENSSL_UNIT_TEST */ # define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index 59674f3d39..70c7ed811f 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -125,6 +125,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name) { size_t i; const struct ssl_conf_name *nm; + if (name == NULL) return NULL; for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) { @@ -134,7 +135,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name) return NULL; } -static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) +static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) { SSL_CONF_CTX *cctx = NULL; size_t i; @@ -143,21 +144,28 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) const SSL_METHOD *meth; const struct ssl_conf_name *nm; struct ssl_conf_cmd *cmd; + if (s == NULL && ctx == NULL) { SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER); goto err; } + + if (name == NULL && system) + name = "system_default"; nm = ssl_name_find(name); if (nm == NULL) { - SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME); - ERR_add_error_data(2, "name=", name); + if (!system) { + SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME); + ERR_add_error_data(2, "name=", name); + } goto err; } cctx = SSL_CONF_CTX_new(); if (cctx == NULL) goto err; flags = SSL_CONF_FLAG_FILE; - flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE; + if (!system) + flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE; if (s != NULL) { meth = s->method; SSL_CONF_CTX_set_ssl(cctx, s); @@ -190,10 +198,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) int SSL_config(SSL *s, const char *name) { - return ssl_do_config(s, NULL, name); + return ssl_do_config(s, NULL, name, 0); } int SSL_CTX_config(SSL_CTX *ctx, const char *name) { - return ssl_do_config(NULL, ctx, name); + return ssl_do_config(NULL, ctx, name, 0); +} + +void ssl_ctx_system_config(SSL_CTX *ctx) +{ + ssl_do_config(NULL, ctx, NULL, 1); } diff --git a/test/build.info b/test/build.info index 45e3fddce1..085f0faa10 100644 --- a/test/build.info +++ b/test/build.info @@ -48,7 +48,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ recordlentest drbgtest sslbuffertest \ time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \ - servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest + servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \ + sysdefaulttest SOURCE[aborttest]=aborttest.c INCLUDE[aborttest]=../include @@ -513,6 +514,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN SOURCE[sslbuffertest]=sslbuffertest.c ssltestlib.c INCLUDE[sslbuffertest]=../include DEPEND[sslbuffertest]=../libcrypto ../libssl libtestutil.a + + SOURCE[sysdefaulttest]=sysdefaulttest.c + INCLUDE[sysdefaulttest]=../include + DEPEND[sysdefaulttest]=../libcrypto ../libssl libtestutil.a ENDIF {- diff --git a/test/recipes/90-test_sysdefault.t b/test/recipes/90-test_sysdefault.t new file mode 100644 index 0000000000..79d20a8d81 --- /dev/null +++ b/test/recipes/90-test_sysdefault.t @@ -0,0 +1,23 @@ +#! /usr/bin/env perl +# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Utils; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +my $test_name = "test_sysdefault"; +setup($test_name); + +plan skip_all => "$test_name is not supported in this build" + if disabled("tls1_2") || disabled("rsa"); + +plan tests => 1; + +$ENV{OPENSSL_CONF} = srctop_file("test", "sysdefault.cnf"); + +ok(run(test(["sysdefaulttest"])), "sysdefaulttest"); diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf new file mode 100644 index 0000000000..5473d837c1 --- /dev/null +++ b/test/sysdefault.cnf @@ -0,0 +1,15 @@ +# Configuration file to test system default SSL configuration + +openssl_conf = default_conf + +[ default_conf ] + +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = ssl_default_sect + +[ssl_default_sect] +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 diff --git a/test/sysdefaulttest.c b/test/sysdefaulttest.c new file mode 100644 index 0000000000..8ee4f243a1 --- /dev/null +++ b/test/sysdefaulttest.c @@ -0,0 +1,50 @@ +/* + * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#include +#include +#include +#include +#include "testutil.h" + +static SSL_CTX *ctx; + +static int test_func(void) +{ + if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION) + && !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) { + TEST_info("min/max version setting incorrect"); + return 0; + } + return 1; +} + +int global_init(void) +{ + if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN + | OPENSSL_INIT_LOAD_CONFIG, NULL)) + return 0; + return 1; +} + +int setup_tests(void) +{ + if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))) + return 0; + ADD_TEST(test_func); + return 1; +} + +void cleanup_tests(void) +{ + SSL_CTX_free(ctx); +} -- GitLab