Move the loading of the ssl_conf module to libcrypto

The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.

Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.

This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.

Fixes #5809

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5879)

diff --git a/crypto/conf/build.info b/crypto/conf/build.info
index 4438eb42620f4a8675da37c2f0efc7ddb56217c1..ff367994ea091498b557105539b95f56cb4ad42b 100644 (file)
--- a/crypto/conf/build.info
+++ b/crypto/conf/build.info
@@ -1,4 +1,4 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]= \
         conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \
-        conf_mall.c conf_sap.c
+        conf_mall.c conf_sap.c conf_ssl.c

diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c
index 0863bc4d3616f232afe627408e0f9df04b4c2134..19f480d5b32b855a113083b39357bb8f802ace9d 100644 (file)
--- a/crypto/conf/conf_err.c
+++ b/crypto/conf/conf_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -37,6 +37,7 @@ static ERR_STRING_DATA CONF_str_functs[] = {
     {ERR_FUNC(CONF_F_NCONF_LOAD_BIO), "NCONF_load_bio"},
     {ERR_FUNC(CONF_F_NCONF_LOAD_FP), "NCONF_load_fp"},
     {ERR_FUNC(CONF_F_NCONF_NEW), "NCONF_new"},
+    {ERR_FUNC(CONF_F_SSL_MODULE_INIT), "ssl_module_init"},
     {ERR_FUNC(CONF_F_STR_COPY), "str_copy"},
     {0, NULL}
 };
@@ -57,6 +58,12 @@ static ERR_STRING_DATA CONF_str_reasons[] = {
     {ERR_REASON(CONF_R_NO_SECTION), "no section"},
     {ERR_REASON(CONF_R_NO_SUCH_FILE), "no such file"},
     {ERR_REASON(CONF_R_NO_VALUE), "no value"},
+    {ERR_REASON(CONF_R_SSL_COMMAND_SECTION_EMPTY),
+     "ssl command section empty"},
+    {ERR_REASON(CONF_R_SSL_COMMAND_SECTION_NOT_FOUND),
+     "ssl command section not found"},
+    {ERR_REASON(CONF_R_SSL_SECTION_EMPTY), "ssl section empty"},
+    {ERR_REASON(CONF_R_SSL_SECTION_NOT_FOUND), "ssl section not found"},
     {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),
      "unable to create new section"},
     {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME), "unknown module name"},

diff --git a/crypto/conf/conf_lcl.h b/crypto/conf/conf_lcl.h
new file mode 100644 (file)
index 0000000..6e1f7fe
--- /dev/null
+++ b/crypto/conf/conf_lcl.h
@@ -0,0 +1,11 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+void conf_add_ssl_module(void);
+

diff --git a/crypto/conf/conf_mall.c b/crypto/conf/conf_mall.c
index 4e7a434e0e4d9806177a8878dcb3b330cc942641..5aab42963973eb3a1e702bd99fb3a4f4c1353c5b 100644 (file)
--- a/crypto/conf/conf_mall.c
+++ b/crypto/conf/conf_mall.c
@@ -14,6 +14,7 @@
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
+#include "conf_lcl.h"
 
 /* Load all OpenSSL builtin modules */
 
@@ -26,4 +27,5 @@ void OPENSSL_load_builtin_modules(void)
     ENGINE_add_conf_module();
 #endif
     EVP_add_alg_module();
+    conf_add_ssl_module();
 }

diff --git a/crypto/conf/conf_ssl.c b/crypto/conf/conf_ssl.c
new file mode 100644 (file)
index 0000000..015c46c
--- /dev/null
+++ b/crypto/conf/conf_ssl.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include "internal/sslconf.h"
+#include "conf_lcl.h"
+
+/*
+ * SSL library configuration module placeholder. We load it here but defer
+ * all decisions about its contents to libssl.
+ */
+
+struct ssl_conf_name_st {
+    /* Name of this set of commands */
+    char *name;
+    /* List of commands */
+    SSL_CONF_CMD *cmds;
+    /* Number of commands */
+    size_t cmd_count;
+};
+
+struct ssl_conf_cmd_st {
+    /* Command */
+    char *cmd;
+    /* Argument */
+    char *arg;
+};
+
+static struct ssl_conf_name_st *ssl_names;
+static size_t ssl_names_count;
+
+static void ssl_module_free(CONF_IMODULE *md)
+{
+    size_t i, j;
+    if (ssl_names == NULL)
+        return;
+    for (i = 0; i < ssl_names_count; i++) {
+        struct ssl_conf_name_st *tname = ssl_names + i;
+
+        OPENSSL_free(tname->name);
+        for (j = 0; j < tname->cmd_count; j++) {
+            OPENSSL_free(tname->cmds[j].cmd);
+            OPENSSL_free(tname->cmds[j].arg);
+        }
+        OPENSSL_free(tname->cmds);
+    }
+    OPENSSL_free(ssl_names);
+    ssl_names = NULL;
+    ssl_names_count = 0;
+}
+
+static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
+{
+    size_t i, j, cnt;
+    int rv = 0;
+    const char *ssl_conf_section;
+    STACK_OF(CONF_VALUE) *cmd_lists;
+
+    ssl_conf_section = CONF_imodule_get_value(md);
+    cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
+    if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
+        if (cmd_lists == NULL)
+            CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_NOT_FOUND);
+        else
+            CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_EMPTY);
+        ERR_add_error_data(2, "section=", ssl_conf_section);
+        goto err;
+    }
+    cnt = sk_CONF_VALUE_num(cmd_lists);
+    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+    ssl_names_count = cnt;
+    for (i = 0; i < ssl_names_count; i++) {
+        struct ssl_conf_name_st *ssl_name = ssl_names + i;
+        CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
+        STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
+
+        if (sk_CONF_VALUE_num(cmds) <= 0) {
+            if (cmds == NULL)
+                CONFerr(CONF_F_SSL_MODULE_INIT,
+                        CONF_R_SSL_COMMAND_SECTION_NOT_FOUND);
+            else
+                CONFerr(CONF_F_SSL_MODULE_INIT,
+                        CONF_R_SSL_COMMAND_SECTION_EMPTY);
+            ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
+            goto err;
+        }
+        ssl_name->name = OPENSSL_strdup(sect->name);
+        if (ssl_name->name == NULL)
+            goto err;
+        cnt = sk_CONF_VALUE_num(cmds);
+        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd_st));
+        if (ssl_name->cmds == NULL)
+            goto err;
+        ssl_name->cmd_count = cnt;
+        for (j = 0; j < cnt; j++) {
+            const char *name;
+            CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
+            struct ssl_conf_cmd_st *cmd = ssl_name->cmds + j;
+
+            /* Skip any initial dot in name */
+            name = strchr(cmd_conf->name, '.');
+            if (name != NULL)
+                name++;
+            else
+                name = cmd_conf->name;
+            cmd->cmd = OPENSSL_strdup(name);
+            cmd->arg = OPENSSL_strdup(cmd_conf->value);
+            if (cmd->cmd == NULL || cmd->arg == NULL)
+                goto err;
+        }
+
+    }
+    rv = 1;
+ err:
+    if (rv == 0)
+        ssl_module_free(md);
+    return rv;
+}
+
+/*
+ * Returns the set of commands with index |idx| previously searched for via
+ * conf_ssl_name_find. Also stores the name of the set of commands in |*name|
+ * and the number of commands in the set in |*cnt|.
+ */
+const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt)
+{
+    *name = ssl_names[idx].name;
+    *cnt = ssl_names[idx].cmd_count;
+    return ssl_names[idx].cmds;
+}
+
+/*
+ * Search for the named set of commands given in |name|. On success return the
+ * index for the command set in |*idx|.
+ * Returns 1 on success or 0 on failure.
+ */
+int conf_ssl_name_find(const char *name, size_t *idx)
+{
+    size_t i;
+    const struct ssl_conf_name_st *nm;
+
+    if (name == NULL)
+        return 0;
+    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
+        if (strcmp(nm->name, name) == 0) {
+            *idx = i;
+            return 1;
+        }
+    }
+    return 0;
+}
+
+/*
+ * Given a command set |cmd|, return details on the command at index |idx| which
+ * must be less than the number of commands in the set (as returned by
+ * conf_ssl_get). The name of the command will be returned in |*cmdstr| and the
+ * argument is returned in |*arg|.
+ */
+void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                      char **arg)
+{
+    *cmdstr = cmd[idx].cmd;
+    *arg = cmd[idx].arg;
+}
+
+void conf_add_ssl_module(void)
+{
+    CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
+}

diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
new file mode 100644 (file)
index 0000000..d538f86
--- /dev/null
+++ b/include/internal/sslconf.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_SSLCONF_H
+# define HEADER_SSLCONF_H
+
+typedef struct ssl_conf_cmd_st SSL_CONF_CMD;
+
+const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt);
+int conf_ssl_name_find(const char *name, size_t *idx);
+void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                      char **arg);
+
+#endif

diff --git a/include/openssl/conf.h b/include/openssl/conf.h
index 980a51b157f456688df3d0784b9c388f858f80b2..845abf55a58fe9f2811c3f0ccdf46ef4b3a180a3 100644 (file)
--- a/include/openssl/conf.h
+++ b/include/openssl/conf.h
@@ -191,6 +191,7 @@ int ERR_load_CONF_strings(void);
 # define CONF_F_NCONF_LOAD_BIO                            110
 # define CONF_F_NCONF_LOAD_FP                             114
 # define CONF_F_NCONF_NEW                                 111
+# define CONF_F_SSL_MODULE_INIT                           122
 # define CONF_F_STR_COPY                                  101
 
 /* Reason codes. */
@@ -206,6 +207,10 @@ int ERR_load_CONF_strings(void);
 # define CONF_R_NO_SECTION                                107
 # define CONF_R_NO_SUCH_FILE                              114
 # define CONF_R_NO_VALUE                                  108
+# define CONF_R_SSL_COMMAND_SECTION_EMPTY                 117
+# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND             118
+# define CONF_R_SSL_SECTION_EMPTY                         119
+# define CONF_R_SSL_SECTION_NOT_FOUND                     120
 # define CONF_R_UNABLE_TO_CREATE_NEW_SECTION              103
 # define CONF_R_UNKNOWN_MODULE_NAME                       113
 # define CONF_R_VARIABLE_EXPANSION_TOO_LONG               116

diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
index 3e62d4811102aec238f0ee9f17d339cccd2704fb..c91e1c56e2854007c460fb01eaf1d173cbb56873 100644 (file)
--- a/ssl/ssl_init.c
+++ b/ssl/ssl_init.c
@@ -12,6 +12,7 @@
 #include "internal/err.h"
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
+#include <openssl/conf.h>
 #include <assert.h>
 #include "ssl_locl.h"
 #include "internal/thread_once.h"
@@ -191,11 +192,13 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings)
         return 0;
     }
 
-    if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
+    if (!OPENSSL_init_crypto(opts
+                             | OPENSSL_INIT_ADD_ALL_CIPHERS
+                             | OPENSSL_INIT_ADD_ALL_DIGESTS,
+                             settings))
         return 0;
 
-    if (!OPENSSL_init_crypto(opts | OPENSSL_INIT_ADD_ALL_CIPHERS
-                             | OPENSSL_INIT_ADD_ALL_DIGESTS, settings))
+    if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
         return 0;
 
     if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS)

diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index c2d9dba64ac9b1608423578e5c88f1fe8dabfcf8..20549ebea671d8542d1f7358c1c444e734649e5b 100644 (file)
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -11,148 +11,35 @@
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
 #include "ssl_locl.h"
+#include "internal/sslconf.h"
 
 /* SSL library configuration module. */
 
-struct ssl_conf_name {
-    /* Name of this set of commands */
-    char *name;
-    /* List of commands */
-    struct ssl_conf_cmd *cmds;
-    /* Number of commands */
-    size_t cmd_count;
-};
-
-struct ssl_conf_cmd {
-    /* Command */
-    char *cmd;
-    /* Argument */
-    char *arg;
-};
-
-static struct ssl_conf_name *ssl_names;
-static size_t ssl_names_count;
-
-static void ssl_module_free(CONF_IMODULE *md)
-{
-    size_t i, j;
-    if (ssl_names == NULL)
-        return;
-    for (i = 0; i < ssl_names_count; i++) {
-        struct ssl_conf_name *tname = ssl_names + i;
-        OPENSSL_free(tname->name);
-        for (j = 0; j < tname->cmd_count; j++) {
-            OPENSSL_free(tname->cmds[j].cmd);
-            OPENSSL_free(tname->cmds[j].arg);
-        }
-        OPENSSL_free(tname->cmds);
-    }
-    OPENSSL_free(ssl_names);
-    ssl_names = NULL;
-    ssl_names_count = 0;
-}
-
-static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
-{
-    size_t i, j, cnt;
-    int rv = 0;
-    const char *ssl_conf_section;
-    STACK_OF(CONF_VALUE) *cmd_lists;
-    ssl_conf_section = CONF_imodule_get_value(md);
-    cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
-    if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
-        if (cmd_lists == NULL)
-            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
-        else
-            SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
-        ERR_add_error_data(2, "section=", ssl_conf_section);
-        goto err;
-    }
-    cnt = sk_CONF_VALUE_num(cmd_lists);
-    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
-    ssl_names_count = cnt;
-    for (i = 0; i < ssl_names_count; i++) {
-        struct ssl_conf_name *ssl_name = ssl_names + i;
-        CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i);
-        STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
-        if (sk_CONF_VALUE_num(cmds) <= 0) {
-            if (cmds == NULL)
-                SSLerr(SSL_F_SSL_MODULE_INIT,
-                       SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
-            else
-                SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
-            ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
-            goto err;
-        }
-        ssl_name->name = BUF_strdup(sect->name);
-        if (ssl_name->name == NULL)
-            goto err;
-        cnt = sk_CONF_VALUE_num(cmds);
-        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
-        if (ssl_name->cmds == NULL)
-            goto err;
-        ssl_name->cmd_count = cnt;
-        for (j = 0; j < cnt; j++) {
-            const char *name;
-            CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j);
-            struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
-            /* Skip any initial dot in name */
-            name = strchr(cmd_conf->name, '.');
-            if (name != NULL)
-                name++;
-            else
-                name = cmd_conf->name;
-            cmd->cmd = BUF_strdup(name);
-            cmd->arg = BUF_strdup(cmd_conf->value);
-            if (cmd->cmd == NULL || cmd->arg == NULL)
-                goto err;
-        }
-
-    }
-    rv = 1;
- err:
-    if (rv == 0)
-        ssl_module_free(md);
-    return rv;
-}
-
 void SSL_add_ssl_module(void)
 {
-    CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
-}
-
-static const struct ssl_conf_name *ssl_name_find(const char *name)
-{
-    size_t i;
-    const struct ssl_conf_name *nm;
-    if (name == NULL)
-        return NULL;
-    for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
-        if (strcmp(nm->name, name) == 0)
-            return nm;
-    }
-    return NULL;
+    /* Just load all of the crypto builtin modules. This includes the SSL one */
+    OPENSSL_load_builtin_modules();
 }
 
 static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
 {
     SSL_CONF_CTX *cctx = NULL;
-    size_t i;
+    size_t i, idx, cmd_count;
     int rv = 0;
     unsigned int flags;
     const SSL_METHOD *meth;
-    const struct ssl_conf_name *nm;
-    struct ssl_conf_cmd *cmd;
+    const SSL_CONF_CMD *cmds;
+
     if (s == NULL && ctx == NULL) {
         SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
         goto err;
     }
-    nm = ssl_name_find(name);
-    if (nm == NULL) {
+    if (!conf_ssl_name_find(name, &idx)) {
         SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
         ERR_add_error_data(2, "name=", name);
         goto err;
     }
+    cmds = conf_ssl_get(idx, &name, &cmd_count);
     cctx = SSL_CONF_CTX_new();
     if (cctx == NULL)
         goto err;
@@ -170,15 +57,18 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
     if (meth->ssl_connect != ssl_undefined_function)
         flags |= SSL_CONF_FLAG_CLIENT;
     SSL_CONF_CTX_set_flags(cctx, flags);
-    for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
-        rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
+    for (i = 0; i < cmd_count; i++) {
+        char *cmdstr, *arg;
+
+        conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
+        rv = SSL_CONF_cmd(cctx, cmdstr, arg);
         if (rv <= 0) {
             if (rv == -2)
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
             else
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
-            ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
-                               ", arg=", cmd->arg);
+            ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr,
+                               ", arg=", arg);
             goto err;
         }
     }

diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8414d97ff11412406ac1f5dd922ffb6132f8417f..461bd8a0982b79355105b0b5ddeefe183ca48421 100644 (file)
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4234,3 +4234,6 @@ CRYPTO_secure_clear_free                4315      1_1_0g  EXIST::FUNCTION:
 EVP_PKEY_set1_engine                    4347   1_1_0g  EXIST::FUNCTION:ENGINE
 OCSP_resp_get0_signer                   4374   1_1_0h  EXIST::FUNCTION:OCSP
 X509_get0_authority_key_id              4448   1_1_0h  EXIST::FUNCTION:
+conf_ssl_name_find                      4469   1_1_0i  EXIST::FUNCTION:
+conf_ssl_get_cmd                        4470   1_1_0i  EXIST::FUNCTION:
+conf_ssl_get                            4471   1_1_0i  EXIST::FUNCTION:

diff --git a/util/mkdef.pl b/util/mkdef.pl
index 66db26c3b9562c7497dccca767a0e5b6b76a6113..eb303e603b39bba4e35386b98be0cc3bc136c85e 100755 (executable)
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -252,6 +252,7 @@ $crypto.=" include/internal/o_dir.h";
 $crypto.=" include/internal/o_str.h";
 $crypto.=" include/internal/err.h";
 $crypto.=" include/internal/asn1t.h";
+$crypto.=" include/internal/sslconf.h";
 $crypto.=" include/openssl/des.h" ; # unless $no_des;
 $crypto.=" include/openssl/idea.h" ; # unless $no_idea;
 $crypto.=" include/openssl/rc4.h" ; # unless $no_rc4;