/*
- * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return 1;
/* ECDHParameters accepts a single group name */
- if (strstr(value, ":") != NULL)
+ if (strchr(value, ':') != NULL)
return 0;
if (cctx->ctx)
if (cctx->ctx != NULL)
method_version = cctx->ctx->method->version;
else if (cctx->ssl != NULL)
- method_version = cctx->ssl->ctx->method->version;
+ method_version = cctx->ssl->defltmeth->version;
else
return 0;
if ((new_version = protocol_from_string(value)) < 0)
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+ SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION),
SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION),
SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE),
+ SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF),
};
if (value == NULL)
return -3;
SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
+ SSL_CONF_CMD_SWITCH("prefer_no_dhe_kex", 0),
SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("strict", 0),
SSL_CONF_CMD_SWITCH("no_middlebox", 0),
{SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
/* allow_no_dhe_kex */
{SSL_OP_ALLOW_NO_DHE_KEX, 0},
+ /* prefer_no_dhe_kex */
+ {SSL_OP_PREFER_NO_DHE_KEX, 0},
/* chacha reprioritization */
{SSL_OP_PRIORITIZE_CHACHA, 0},
{SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
}
/* Determine if a command is allowed according to cctx flags */
-static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t)
+static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t)
{
unsigned int tfl = t->flags;
unsigned int cfl = cctx->flags;
return NULL;
}
-static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd)
+static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd)
{
/* Find index of command in table */
size_t idx = cmd - ssl_conf_cmds;
const ssl_switch_tbl *scmd;
+
/* Sanity check index */
- if (idx >= OSSL_NELEM(ssl_cmd_switches))
+ if (idx >= OSSL_NELEM(ssl_cmd_switches)) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
return 0;
+ }
/* Obtain switches entry with same index */
scmd = ssl_cmd_switches + idx;
ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
}
if (!ssl_conf_cmd_skip_prefix(cctx, &cmd))
- return -2;
+ goto unknown_cmd;
runcmd = ssl_conf_cmd_lookup(cctx, cmd);
if (runcmd) {
- int rv;
+ int rv = -3;
+
if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
return ctrl_switch_option(cctx, runcmd);
}
if (value == NULL)
- return -3;
+ goto bad_value;
rv = runcmd->cmd(cctx, value);
if (rv > 0)
return 2;
- if (rv == -2)
- return -2;
+ if (rv != -2)
+ rv = 0;
+
+ bad_value:
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE,
- "cmd=%s, value=%s", cmd, value);
- return 0;
+ "cmd=%s, value=%s", cmd,
+ value != NULL ? value : "<EMPTY>");
+ return rv;
}
+ unknown_cmd:
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd);