/*
 * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "ssl_local.h"
#include <openssl/conf.h>
#include <openssl/objects.h>
#include <openssl/dh.h>
#include "internal/nelem.h"

/*
 * Structure holding name tables.  This is used for permitted elements in
 * lists such as "TLSv1": each entry maps one list element name to the
 * option bit(s) it sets or clears.
 */

typedef struct {
    /* Element name as written in a config file or on the command line */
    const char *name;
    /* strlen(name), precomputed by the SSL_FLAG_TBL* macros below */
    int namelen;
    /* SSL_TFLAG_* bits: sense, target field (option/cert/verify), client/server */
    unsigned int name_flags;
    /* Bit(s) set or cleared in the target field when the name matches */
    unsigned long option_value;
} ssl_flag_tbl;

/*
 * Switch table: use for single command line switches like no_tls2.
 * Entries are matched by position, not by name (see ssl_cmd_switches).
 */
typedef struct {
    unsigned long option_value;
    unsigned int name_flags;
} ssl_switch_tbl;

/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
#define SSL_TFLAG_INV 0x1
/* Mask for type of flag referred to: selects which field ssl_set_option writes */
#define SSL_TFLAG_TYPE_MASK 0xf00
/* Flag is for options (the SSL/SSL_CTX options field) */
#define SSL_TFLAG_OPTION 0x000
/* Flag is for cert_flags */
#define SSL_TFLAG_CERT 0x100
/* Flag is for verify mode */
#define SSL_TFLAG_VFY 0x200
/* Option can only be used for clients */
#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
/* Option can only be used for servers */
#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER)

/*
 * Initialisers for ssl_flag_tbl entries.  `str` must be a string literal:
 * the length is taken from sizeof(str) - 1.
 */
#define SSL_FLAG_TBL(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
#define SSL_FLAG_TBL_SRV(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
#define SSL_FLAG_TBL_CLI(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
/* Inverted sense: naming the element clears `flag` instead of setting it */
#define SSL_FLAG_TBL_INV(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag}
#define SSL_FLAG_TBL_SRV_INV(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag}
#define SSL_FLAG_TBL_CERT(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}

/* Verify-mode entries: written to the verify_mode field, not options */
#define SSL_FLAG_VFY_CLI(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag}
#define SSL_FLAG_VFY_SRV(str, flag) \
    {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag}

/*
 * Opaque structure containing
 * SSL configuration context.
 */

struct ssl_conf_ctx_st {
    /*
     * SSL_CONF_FLAG_* bits: which command sources (CMDLINE/FILE), roles
     * (CLIENT/SERVER) and command classes (CERTIFICATE, ...) are accepted.
     */
    unsigned int flags;
    /* Optional command prefix and its length */
    char *prefix;
    size_t prefixlen;
    /* Target of the configuration: SSL_CTX and/or SSL (either may be NULL) */
    SSL_CTX *ctx;
    SSL *ssl;
    /* Options field of the target, or NULL if there is none */
    uint32_t *poptions;
    /* Certificate filename recorded per key slot */
    char *cert_filename[SSL_PKEY_NUM];
    /* cert_flags field of the target, or NULL if none */
    uint32_t *pcert_flags;
    /* verify_mode field of the target, or NULL if none */
    uint32_t *pvfy_flags;
    /* min_version field of the target, or NULL if none */
    int *min_version;
    /* max_version field of the target, or NULL if none */
    int *max_version;
    /* Flag table the current list command is matching against, and its size */
    const ssl_flag_tbl *tbl;
    size_t ntbl;
    /* Accumulated client CA names */
    STACK_OF(X509_NAME) *canames;
};

/*
 * Set or clear option_value in the field selected by name_flags.
 * onoff != 0 sets, 0 clears; SSL_TFLAG_INV in name_flags flips that sense.
 * Silently does nothing when there is no options field or the type is unknown.
 */
static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
                           unsigned long option_value, int onoff)
{
    uint32_t *target;
    unsigned int type = name_flags & SSL_TFLAG_TYPE_MASK;

    if (cctx->poptions == NULL)
        return;
    if ((name_flags & SSL_TFLAG_INV) != 0)
        onoff ^= 1;

    if (type == SSL_TFLAG_OPTION)
        target = cctx->poptions;
    else if (type == SSL_TFLAG_CERT)
        target = cctx->pcert_flags;
    else if (type == SSL_TFLAG_VFY)
        target = cctx->pvfy_flags;
    else
        return;

    if (onoff)
        *target |= option_value;
    else
        *target &= ~option_value;
}

/*
 * Apply table entry `tbl` if it matches `name` and is valid for this context.
 * namelen == -1 means `name` is a NUL-terminated single switch (exact match);
 * otherwise it is a list element of `namelen` bytes (case-insensitive match).
 * Returns 1 if the entry matched and was applied, 0 otherwise.
 */
static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
                            const char *name, int namelen, int onoff)
{
    int matched;

    /* Entry is client-only or server-only and this context is not that role */
    if ((cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH) == 0)
        return 0;

    if (namelen == -1)
        matched = strcmp(tbl->name, name) == 0;
    else
        matched = tbl->namelen == namelen
                  && strncasecmp(tbl->name, name, namelen) == 0;
    if (!matched)
        return 0;

    ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
    return 1;
}

/*
 * CONF_parse_list callback: look `elem` up in cctx->tbl.
 * Inside a list (len != -1) an optional leading '+' or '-' selects set/clear;
 * len == -1 means a single command line switch, where no prefix is allowed.
 * Returns 1 on a match, 0 for NULL or unknown elements.
 */
static int ssl_set_option_list(const char *elem, int len, void *usr)
{
    SSL_CONF_CTX *cctx = usr;
    int onoff = 1;
    size_t idx;

    if (elem == NULL)
        return 0;
    if (len != -1 && (*elem == '+' || *elem == '-')) {
        onoff = (*elem == '+');
        elem++;
        len--;
    }
    for (idx = 0; idx < cctx->ntbl; idx++) {
        if (ssl_match_option(cctx, &cctx->tbl[idx], elem, len, onoff))
            return 1;
    }
    return 0;
}

/* Set supported signature algorithms */
static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
{
    /* NB: ctx == NULL performs syntax checking only */
    int ret = cctx->ssl != NULL
        ? SSL_set1_sigalgs_list(cctx->ssl, value)
        : SSL_CTX_set1_sigalgs_list(cctx->ctx, value);

    return ret > 0;
}

/* Set supported client signature algorithms */
static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
{
    /* NB: ctx == NULL performs syntax checking only */
    int ret = cctx->ssl != NULL
        ? SSL_set1_client_sigalgs_list(cctx->ssl, value)
        : SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);

    return ret > 0;
}

/* Set supported (EC)DHE groups */
static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value)
{
    /* NB: ctx == NULL performs syntax checking only */
    int ret = cctx->ssl != NULL
        ? SSL_set1_groups_list(cctx->ssl, value)
        : SSL_CTX_set1_groups_list(cctx->ctx, value);

    return ret > 0;
}

/* This is the old name for cmd_Groups - retained for backwards compatibility */
static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value)
{
    return cmd_Groups(cctx, value);
}

#ifndef OPENSSL_NO_EC
/*
 * ECDH temporary parameters: `value` is a NIST or short curve name.
 * The 1.0.2-era "automatic"/"+automatic" (file) and "auto" (command line)
 * values are accepted and ignored.
 */
static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 1;
    int nid;
    EC_KEY *key;

    if ((cctx->flags & SSL_CONF_FLAG_FILE) != 0
        && (strcasecmp(value, "+automatic") == 0
            || strcasecmp(value, "automatic") == 0))
        return 1;
    if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) != 0
        && strcmp(value, "auto") == 0)
        return 1;

    nid = EC_curve_nist2nid(value);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(value);
    if (nid == 0)
        return 0;
    key = EC_KEY_new_by_curve_name(nid);
    if (key == NULL)
        return 0;
    if (cctx->ctx != NULL)
        ret = SSL_CTX_set_tmp_ecdh(cctx->ctx, key);
    else if (cctx->ssl != NULL)
        ret = SSL_set_tmp_ecdh(cctx->ssl, key);
    EC_KEY_free(key);

    return ret > 0;
}
#endif

/* Set the TLSv1.2-and-below cipher list; applied to both targets if present */
static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 1;

    if (cctx->ctx != NULL)
        ret = SSL_CTX_set_cipher_list(cctx->ctx, value);
    if (cctx->ssl != NULL)
        ret = SSL_set_cipher_list(cctx->ssl, value);
    return ret > 0;
}

/* Set the TLSv1.3 ciphersuites; applied to both targets if present */
static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 1;

    if (cctx->ctx != NULL)
        ret = SSL_CTX_set_ciphersuites(cctx->ctx, value);
    if (cctx->ssl != NULL)
        ret = SSL_set_ciphersuites(cctx->ssl, value);
    return ret > 0;
}

/*
 * "Protocol" list: every entry is inverted, so naming a version enables it
 * by clearing the corresponding SSL_OP_NO_* bit ("-TLSv1" disables it).
 */
static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
{
    static const ssl_flag_tbl ssl_protocol_list[] = {
        SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
        SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
        SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
        SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
        SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
        SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
        SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
        SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
        SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
    };

    cctx->tbl = ssl_protocol_list;
    cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
}

/*
 * protocol_from_string - converts a protocol version string to a number
 *
 * Returns -1 on failure or the version on success
 */
static int protocol_from_string(const char *value)
{
    struct protocol_versions {
        const char *name;
        int version;
    };
    /*
     * Note: To avoid breaking previously valid configurations, we must retain
     * legacy entries in this table even if the underlying protocol is no
     * longer supported. This also means that the constants SSL3_VERSION, ...
     * need to be retained indefinitely. This table can only grow, never
     * shrink.
     */
    static const struct protocol_versions versions[] = {
        {"None", 0},
        {"SSLv3", SSL3_VERSION},
        {"TLSv1", TLS1_VERSION},
        {"TLSv1.1", TLS1_1_VERSION},
        {"TLSv1.2", TLS1_2_VERSION},
        {"TLSv1.3", TLS1_3_VERSION},
        {"DTLSv1", DTLS1_VERSION},
        {"DTLSv1.2", DTLS1_2_VERSION}
    };
    const struct protocol_versions *entry;
    const struct protocol_versions *end = versions + OSSL_NELEM(versions);

    /* Names are matched case-sensitively */
    for (entry = versions; entry != end; entry++) {
        if (strcmp(entry->name, value) == 0)
            return entry->version;
    }
    return -1;
}

/*
 * Shared body of cmd_MinProtocol/cmd_MaxProtocol: parse `value` and apply it
 * to the version bound `bound` belongs to, validated against the method of
 * the target SSL_CTX (or the SSL's parent SSL_CTX).
 * Returns 0 if there is no target or the string is unknown, otherwise the
 * result of ssl_set_version_bound().
 */
static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound)
{
    const SSL_METHOD *method;
    int new_version;

    if (cctx->ctx != NULL)
        method = cctx->ctx->method;
    else if (cctx->ssl != NULL)
        method = cctx->ssl->ctx->method;
    else
        return 0;

    new_version = protocol_from_string(value);
    if (new_version < 0)
        return 0;
    return ssl_set_version_bound(method->version, new_version, bound);
}

/*
 * cmd_MinProtocol - Set min protocol version
 * @cctx: config structure to save settings in
 * @value: The min protocol version in string form
 *
 * Returns 1 on success and 0 on failure.
 */
static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
{
    return min_max_proto(cctx, value, cctx->min_version);
}

/*
 * cmd_MaxProtocol - Set max protocol version
 * @cctx: config structure to save settings in
 * @value: The max protocol version in string form
 *
 * Returns 1 on success and 0 on failure.
 */
static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
{
    return min_max_proto(cctx, value, cctx->max_version);
}

/*
 * "Options" list.  Entries built with SSL_FLAG_TBL_INV are inverted, so e.g.
 * "-SessionTicket" sets SSL_OP_NO_TICKET.  Returns -3 for a missing value
 * (the SSL_CONF_cmd convention), otherwise the CONF_parse_list result.
 */
static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
{
    static const ssl_flag_tbl ssl_option_list[] = {
        SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
        SSL_FLAG_TBL_INV("EmptyFragments",
                         SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
        SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
        SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
        SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
        SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation",
                         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
        SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
        SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
        SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
                     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
        SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
        SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
        SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
        SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
        SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
        SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY)
    };

    if (value == NULL)
        return -3;
    cctx->tbl = ssl_option_list;
    cctx->ntbl = OSSL_NELEM(ssl_option_list);
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
}

/*
 * "VerifyMode" list, written to the verify_mode field.  "Peer" is the only
 * client-side entry; the rest are server-only.  Returns -3 for a missing
 * value, otherwise the CONF_parse_list result.
 */
static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value)
{
    static const ssl_flag_tbl ssl_vfy_list[] = {
        SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER),
        SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
        SSL_FLAG_VFY_SRV("Require",
                         SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
        SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE),
        SSL_FLAG_VFY_SRV("RequestPostHandshake",
                         SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE),
        SSL_FLAG_VFY_SRV("RequirePostHandshake",
                         SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE |
                         SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
    };

    if (value == NULL)
        return -3;
    cctx->tbl = ssl_vfy_list;
    cctx->ntbl = OSSL_NELEM(ssl_vfy_list);
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
}

/*
 * Load a certificate chain file into the target(s).  With
 * SSL_CONF_FLAG_REQUIRE_PRIVATE the filename is also recorded in
 * cert_filename[] for the key slot the certificate was stored in.
 */
static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 1;
    CERT *cert = NULL;

    if (cctx->ctx != NULL) {
        ret = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
        cert = cctx->ctx->cert;
    }
    if (cctx->ssl != NULL) {
        ret = SSL_use_certificate_chain_file(cctx->ssl, value);
        cert = cctx->ssl->cert;
    }
    if (ret > 0 && cert != NULL
        && (cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) != 0) {
        /* cert->key points into cert->pkeys[]; its offset is the slot index */
        char **pfilename = &cctx->cert_filename[cert->key - cert->pkeys];

        OPENSSL_free(*pfilename);
        *pfilename = OPENSSL_strdup(value);
        if (*pfilename == NULL)
            ret = 0;
    }

    return ret > 0;
}

/*
 * Load a PEM private key file.  Returns -2 (unrecognised command) when the
 * context does not accept certificate commands.
 */
static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 1;

    if ((cctx->flags & SSL_CONF_FLAG_CERTIFICATE) == 0)
        return -2;
    if (cctx->ctx != NULL)
        ret = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM);
    if (cctx->ssl != NULL)
        ret = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
    return ret > 0;
}

/* Load a serverinfo file; only SSL_CTX has a setter, SSL targets are ignored */
static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 1;

    if (cctx->ctx != NULL)
        ret = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
    return ret > 0;
}

/*
 * Load CAfile/CApath into the target's verify store (verify_store != 0) or
 * chain store, creating the store on first use.  With no target this is a
 * no-op reported as success.
 */
static int do_store(SSL_CONF_CTX *cctx,
                    const char *CAfile, const char *CApath, int verify_store)
{
    CERT *cert;
    X509_STORE **store;

    if (cctx->ctx != NULL)
        cert = cctx->ctx->cert;
    else if (cctx->ssl != NULL)
        cert = cctx->ssl->cert;
    else
        return 1;

    store = verify_store ? &cert->verify_store : &cert->chain_store;
    if (*store == NULL && (*store = X509_STORE_new()) == NULL)
        return 0;
    return X509_STORE_load_locations(*store, CAfile, CApath) > 0;
}

static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value)
{
    return do_store(cctx, NULL, value, 0);
}

static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value)
{
    return do_store(cctx, value, NULL, 0);
}

static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value)
{
    return do_store(cctx, NULL, value, 1);
}

static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value)
{
    return do_store(cctx, value, NULL, 1);
}

/* Add the subject names from a certificate file to cctx->canames */
static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value)
{
    if (cctx->canames == NULL
        && (cctx->canames = sk_X509_NAME_new_null()) == NULL)
        return 0;
    return SSL_add_file_cert_subjects_to_stack(cctx->canames, value);
}

/* Old name for cmd_RequestCAFile */
static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value)
{
    return cmd_RequestCAFile(cctx, value);
}

/* Add the subject names from every certificate in a directory to cctx->canames */
static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value)
{
    if (cctx->canames == NULL
        && (cctx->canames = sk_X509_NAME_new_null()) == NULL)
        return 0;
    return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value);
}

/* Old name for cmd_RequestCAPath */
static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value)
{
    return cmd_RequestCAPath(cctx, value);
}

#ifndef OPENSSL_NO_DH
/*
 * Read PEM DH parameters from `value` and install them as the temporary DH
 * parameters of the target(s).  With no target the file is not even opened.
 */
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 0;
    DH *dh = NULL;
    BIO *in = NULL;

    if (cctx->ctx == NULL && cctx->ssl == NULL)
        return 1;

    in = BIO_new(BIO_s_file());
    if (in == NULL)
        goto end;
    if (BIO_read_filename(in, value) <= 0)
        goto end;
    dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
    if (dh == NULL)
        goto end;

    if (cctx->ctx != NULL)
        ret = SSL_CTX_set_tmp_dh(cctx->ctx, dh);
    if (cctx->ssl != NULL)
        ret = SSL_set_tmp_dh(cctx->ssl, dh);
 end:
    /* Both free functions accept NULL, so one exit path covers every failure */
    DH_free(dh);
    BIO_free(in);
    return ret > 0;
}
#endif

/*
 * Set the record padding block size.  Only non-negative values are passed
 * on; the setters check the range.  Note that atoi() reports no errors, so
 * a non-numeric value is treated as 0.
 */
static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 0;
    int block_size = atoi(value);

    if (block_size < 0)
        return 0;
    if (cctx->ctx != NULL)
        ret = SSL_CTX_set_block_padding(cctx->ctx, block_size);
    if (cctx->ssl != NULL)
        ret = SSL_set_block_padding(cctx->ssl, block_size);
    return ret;
}

/*
 * Set the number of session tickets to issue.  As with cmd_RecordPadding,
 * atoi() maps non-numeric input to 0 and negative values are rejected here.
 */
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
{
    int ret = 0;
    int num_tickets = atoi(value);

    if (num_tickets < 0)
        return 0;
    if (cctx->ctx != NULL)
        ret = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
    if (cctx->ssl != NULL)
        ret = SSL_set_num_tickets(cctx->ssl, num_tickets);
    return ret;
}

/* One entry of the command table below */
typedef struct {
    /* Handler, or 0 for a command line switch handled via ssl_cmd_switches */
    int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
    /* Name in a config file (matched case-insensitively), or NULL */
    const char *str_file;
    /* Name on the command line (matched case-sensitively), or NULL */
    const char *str_cmdline;
    /* SSL_CONF_FLAG_* bits the context must have for the command to be allowed */
    unsigned short flags;
    /* SSL_CONF_TYPE_* describing the value the command takes */
    unsigned short value_type;
} ssl_conf_cmd_tbl;

/* Table of supported parameters */

#define SSL_CONF_CMD(name, cmdopt, flags, type) \
    {cmd_##name, #name, cmdopt, flags, type}

#define SSL_CONF_CMD_STRING(name, cmdopt, flags) \
    SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING)

/* Switches have no handler and no value; they are dispatched by table index */
#define SSL_CONF_CMD_SWITCH(name, flags) \
    {0, NULL, name, flags, SSL_CONF_TYPE_NONE}

/* See apps/apps.h if you change this table.
 */
static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
    SSL_CONF_CMD_SWITCH("no_ssl3", 0),
    SSL_CONF_CMD_SWITCH("no_tls1", 0),
    SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
    SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
    SSL_CONF_CMD_SWITCH("no_tls1_3", 0),
    SSL_CONF_CMD_SWITCH("bugs", 0),
    SSL_CONF_CMD_SWITCH("no_comp", 0),
    SSL_CONF_CMD_SWITCH("comp", 0),
    SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("no_ticket", 0),
    SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
    SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
    SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("strict", 0),
    SSL_CONF_CMD_SWITCH("no_middlebox", 0),
    SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
    SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
    SSL_CONF_CMD_STRING(Curves, "curves", 0),
    SSL_CONF_CMD_STRING(Groups, "groups", 0),
#ifndef OPENSSL_NO_EC
    SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
#endif
    SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
    SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0),
    SSL_CONF_CMD_STRING(Protocol, NULL, 0),
    SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
    SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
    SSL_CONF_CMD_STRING(Options, NULL, 0),
    SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
    SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(ServerInfoFile, NULL,
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_DIR),
    SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_DIR),
    SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(ClientCAFile, NULL,
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
    SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_DIR),
    SSL_CONF_CMD(ClientCAPath, NULL,
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_DIR),
#ifndef OPENSSL_NO_DH
    SSL_CONF_CMD(DHParameters, "dhparam",
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
                 SSL_CONF_TYPE_FILE),
#endif
    SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
    SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
};

/*
 * Supported switches: must match order of switches in ssl_conf_cmds.
 * ctrl_switch_option() pairs the two tables purely by index, so inserting,
 * removing or reordering an entry in one table without the other silently
 * maps a switch onto the wrong option bit.
 */
static const ssl_switch_tbl ssl_cmd_switches[] = {
    {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */
    {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */
    {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
    {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
    {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */
    {SSL_OP_ALL, 0}, /* bugs */
    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
    {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
    {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
    {SSL_OP_NO_TICKET, 0}, /* no_ticket */
    {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
    /* legacy_renegotiation */
    {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
    /* legacy_server_connect */
    {SSL_OP_LEGACY_SERVER_CONNECT, 0},
    /* no_renegotiation */
    {SSL_OP_NO_RENEGOTIATION, 0},
    /* no_resumption_on_reneg */
    {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},
    /* no_legacy_server_connect */
    {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
    /* allow_no_dhe_kex */
    {SSL_OP_ALLOW_NO_DHE_KEX, 0},
    /* prioritize_chacha */
    {SSL_OP_PRIORITIZE_CHACHA, 0},
    {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
    /* no_middlebox */
    {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV},
    /* anti_replay */
    {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
    /* no_anti_replay */
    {SSL_OP_NO_ANTI_REPLAY, 0},
};

/*
 * Strip the command prefix from *pcmd.  With an explicit prefix the command
 * must be longer than the prefix and start with it (case-sensitive on the
 * command line, case-insensitive in files).  Without one, command line
 * commands must be of the form "-name".  Returns 1 and advances *pcmd on
 * success, 0 if the command does not qualify.
 */
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
{
    const char *cmd;

    if (pcmd == NULL || *pcmd == NULL)
        return 0;
    cmd = *pcmd;

    if (cctx->prefix != NULL) {
        if (strlen(cmd) <= cctx->prefixlen)
            return 0;
        if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) != 0
            && strncmp(cmd, cctx->prefix, cctx->prefixlen) != 0)
            return 0;
        if ((cctx->flags & SSL_CONF_FLAG_FILE) != 0
            && strncasecmp(cmd, cctx->prefix, cctx->prefixlen) != 0)
            return 0;
        cmd += cctx->prefixlen;
    } else if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) != 0) {
        /* A lone "-" is not a command */
        if (cmd[0] != '-' || cmd[1] == '\0')
            return 0;
        cmd += 1;
    }

    *pcmd = cmd;
    return 1;
}

/*
 * Determine if a command is allowed according to cctx flags: every one of
 * SERVER, CLIENT and CERTIFICATE that the table entry requires must also be
 * set in the context.
 */
static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t)
{
    unsigned int required = t->flags
        & (SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT
           | SSL_CONF_FLAG_CERTIFICATE);

    return (required & ~cctx->flags) == 0;
}

/*
 * Find the table entry for `cmd`, honouring the context's allowed-command
 * flags.  Command line names match case-sensitively, config file names
 * case-insensitively.  Returns NULL if nothing matches.
 */
static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
                                                   const char *cmd)
{
    size_t idx;

    if (cmd == NULL)
        return NULL;

    for (idx = 0; idx < OSSL_NELEM(ssl_conf_cmds); idx++) {
        const ssl_conf_cmd_tbl *entry = &ssl_conf_cmds[idx];

        if (!ssl_conf_cmd_allowed(cctx, entry))
            continue;
        if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) != 0
            && entry->str_cmdline != NULL
            && strcmp(entry->str_cmdline, cmd) == 0)
            return entry;
        if ((cctx->flags & SSL_CONF_FLAG_FILE) != 0
            && entry->str_file != NULL
            && strcasecmp(entry->str_file, cmd) == 0)
            return entry;
    }
    return NULL;
}

/*
 * Apply a command line switch: the ssl_cmd_switches entry at the same index
 * as `cmd` in ssl_conf_cmds is set (onoff = 1; SSL_TFLAG_INV clears instead).
 * Returns 0 if the index has no switch entry, 1 otherwise.
 */
static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd)
{
    size_t idx = (size_t)(cmd - ssl_conf_cmds);
    const ssl_switch_tbl *sw;

    if (idx >= OSSL_NELEM(ssl_cmd_switches))
        return 0;
    sw = &ssl_cmd_switches[idx];
    ssl_set_option(cctx, sw->name_flags, sw->option_value, 1);
    return 1;
}

int SSL_CONF_cmd(SSL_CONF_CTX *cctx,
const char *cmd, const char *value) 800 1.1 christos { 801 1.1 christos const ssl_conf_cmd_tbl *runcmd; 802 1.1 christos if (cmd == NULL) { 803 1.1 christos SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); 804 1.1 christos return 0; 805 1.1 christos } 806 1.1 christos 807 1.1 christos if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) 808 1.1 christos return -2; 809 1.1 christos 810 1.1 christos runcmd = ssl_conf_cmd_lookup(cctx, cmd); 811 1.1 christos 812 1.1 christos if (runcmd) { 813 1.1 christos int rv; 814 1.1.1.2 christos if (runcmd->value_type == SSL_CONF_TYPE_NONE) { 815 1.1.1.2 christos return ctrl_switch_option(cctx, runcmd); 816 1.1.1.2 christos } 817 1.1 christos if (value == NULL) 818 1.1 christos return -3; 819 1.1 christos rv = runcmd->cmd(cctx, value); 820 1.1 christos if (rv > 0) 821 1.1 christos return 2; 822 1.1 christos if (rv == -2) 823 1.1 christos return -2; 824 1.1 christos if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { 825 1.1 christos SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); 826 1.1 christos ERR_add_error_data(4, "cmd=", cmd, ", value=", value); 827 1.1 christos } 828 1.1 christos return 0; 829 1.1 christos } 830 1.1 christos 831 1.1 christos if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { 832 1.1 christos SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); 833 1.1 christos ERR_add_error_data(2, "cmd=", cmd); 834 1.1 christos } 835 1.1 christos 836 1.1 christos return -2; 837 1.1 christos } 838 1.1 christos 839 1.1 christos int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) 840 1.1 christos { 841 1.1 christos int rv; 842 1.1 christos const char *arg = NULL, *argn; 843 1.1 christos if (pargc && *pargc == 0) 844 1.1 christos return 0; 845 1.1 christos if (!pargc || *pargc > 0) 846 1.1 christos arg = **pargv; 847 1.1 christos if (arg == NULL) 848 1.1 christos return 0; 849 1.1 christos if (!pargc || *pargc > 1) 850 1.1 christos argn = (*pargv)[1]; 851 1.1 christos else 852 1.1 christos argn = NULL; 853 1.1 christos 
cctx->flags &= ~SSL_CONF_FLAG_FILE; 854 1.1 christos cctx->flags |= SSL_CONF_FLAG_CMDLINE; 855 1.1 christos rv = SSL_CONF_cmd(cctx, arg, argn); 856 1.1 christos if (rv > 0) { 857 1.1 christos /* Success: update pargc, pargv */ 858 1.1 christos (*pargv) += rv; 859 1.1 christos if (pargc) 860 1.1 christos (*pargc) -= rv; 861 1.1 christos return rv; 862 1.1 christos } 863 1.1 christos /* Unknown switch: indicate no arguments processed */ 864 1.1 christos if (rv == -2) 865 1.1 christos return 0; 866 1.1 christos /* Some error occurred processing command, return fatal error */ 867 1.1 christos if (rv == 0) 868 1.1 christos return -1; 869 1.1 christos return rv; 870 1.1 christos } 871 1.1 christos 872 1.1 christos int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) 873 1.1 christos { 874 1.1 christos if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { 875 1.1 christos const ssl_conf_cmd_tbl *runcmd; 876 1.1 christos runcmd = ssl_conf_cmd_lookup(cctx, cmd); 877 1.1 christos if (runcmd) 878 1.1 christos return runcmd->value_type; 879 1.1 christos } 880 1.1 christos return SSL_CONF_TYPE_UNKNOWN; 881 1.1 christos } 882 1.1 christos 883 1.1 christos SSL_CONF_CTX *SSL_CONF_CTX_new(void) 884 1.1 christos { 885 1.1.1.2 christos SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); 886 1.1.1.2 christos 887 1.1 christos return ret; 888 1.1 christos } 889 1.1 christos 890 1.1 christos int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) 891 1.1 christos { 892 1.1.1.2 christos /* See if any certificates are missing private keys */ 893 1.1.1.2 christos size_t i; 894 1.1.1.2 christos CERT *c = NULL; 895 1.1.1.2 christos if (cctx->ctx) 896 1.1.1.2 christos c = cctx->ctx->cert; 897 1.1.1.2 christos else if (cctx->ssl) 898 1.1.1.2 christos c = cctx->ssl->cert; 899 1.1.1.2 christos if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { 900 1.1.1.2 christos for (i = 0; i < SSL_PKEY_NUM; i++) { 901 1.1.1.2 christos const char *p = cctx->cert_filename[i]; 902 1.1.1.2 christos /* 903 1.1.1.2 
christos * If missing private key try to load one from certificate file 904 1.1.1.2 christos */ 905 1.1.1.2 christos if (p && !c->pkeys[i].privatekey) { 906 1.1.1.2 christos if (!cmd_PrivateKey(cctx, p)) 907 1.1.1.2 christos return 0; 908 1.1.1.2 christos } 909 1.1.1.2 christos } 910 1.1.1.2 christos } 911 1.1.1.2 christos if (cctx->canames) { 912 1.1.1.2 christos if (cctx->ssl) 913 1.1.1.2 christos SSL_set0_CA_list(cctx->ssl, cctx->canames); 914 1.1.1.2 christos else if (cctx->ctx) 915 1.1.1.2 christos SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); 916 1.1.1.2 christos else 917 1.1.1.2 christos sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); 918 1.1.1.2 christos cctx->canames = NULL; 919 1.1.1.2 christos } 920 1.1 christos return 1; 921 1.1 christos } 922 1.1 christos 923 1.1 christos void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) 924 1.1 christos { 925 1.1 christos if (cctx) { 926 1.1.1.2 christos size_t i; 927 1.1.1.2 christos for (i = 0; i < SSL_PKEY_NUM; i++) 928 1.1.1.2 christos OPENSSL_free(cctx->cert_filename[i]); 929 1.1.1.2 christos OPENSSL_free(cctx->prefix); 930 1.1.1.2 christos sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); 931 1.1 christos OPENSSL_free(cctx); 932 1.1 christos } 933 1.1 christos } 934 1.1 christos 935 1.1 christos unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) 936 1.1 christos { 937 1.1 christos cctx->flags |= flags; 938 1.1 christos return cctx->flags; 939 1.1 christos } 940 1.1 christos 941 1.1 christos unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) 942 1.1 christos { 943 1.1 christos cctx->flags &= ~flags; 944 1.1 christos return cctx->flags; 945 1.1 christos } 946 1.1 christos 947 1.1 christos int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) 948 1.1 christos { 949 1.1 christos char *tmp = NULL; 950 1.1 christos if (pre) { 951 1.1.1.2 christos tmp = OPENSSL_strdup(pre); 952 1.1 christos if (tmp == NULL) 953 1.1 christos return 0; 954 1.1 christos 
} 955 1.1.1.2 christos OPENSSL_free(cctx->prefix); 956 1.1 christos cctx->prefix = tmp; 957 1.1 christos if (tmp) 958 1.1 christos cctx->prefixlen = strlen(tmp); 959 1.1 christos else 960 1.1 christos cctx->prefixlen = 0; 961 1.1 christos return 1; 962 1.1 christos } 963 1.1 christos 964 1.1 christos void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) 965 1.1 christos { 966 1.1 christos cctx->ssl = ssl; 967 1.1 christos cctx->ctx = NULL; 968 1.1 christos if (ssl) { 969 1.1 christos cctx->poptions = &ssl->options; 970 1.1.1.2 christos cctx->min_version = &ssl->min_proto_version; 971 1.1.1.2 christos cctx->max_version = &ssl->max_proto_version; 972 1.1 christos cctx->pcert_flags = &ssl->cert->cert_flags; 973 1.1.1.2 christos cctx->pvfy_flags = &ssl->verify_mode; 974 1.1 christos } else { 975 1.1 christos cctx->poptions = NULL; 976 1.1.1.2 christos cctx->min_version = NULL; 977 1.1.1.2 christos cctx->max_version = NULL; 978 1.1 christos cctx->pcert_flags = NULL; 979 1.1.1.2 christos cctx->pvfy_flags = NULL; 980 1.1 christos } 981 1.1 christos } 982 1.1 christos 983 1.1 christos void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) 984 1.1 christos { 985 1.1 christos cctx->ctx = ctx; 986 1.1 christos cctx->ssl = NULL; 987 1.1 christos if (ctx) { 988 1.1 christos cctx->poptions = &ctx->options; 989 1.1.1.2 christos cctx->min_version = &ctx->min_proto_version; 990 1.1.1.2 christos cctx->max_version = &ctx->max_proto_version; 991 1.1 christos cctx->pcert_flags = &ctx->cert->cert_flags; 992 1.1.1.2 christos cctx->pvfy_flags = &ctx->verify_mode; 993 1.1 christos } else { 994 1.1 christos cctx->poptions = NULL; 995 1.1.1.2 christos cctx->min_version = NULL; 996 1.1.1.2 christos cctx->max_version = NULL; 997 1.1 christos cctx->pcert_flags = NULL; 998 1.1.1.2 christos cctx->pvfy_flags = NULL; 999 1.1 christos } 1000 1.1 christos } 1001