/*
- * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return 1;
/* ECDHParameters accepts a single group name */
- if (strstr(value, ":") != NULL)
+ if (strchr(value, ':') != NULL)
return 0;
if (cctx->ctx)
if (cctx->ctx != NULL)
method_version = cctx->ctx->method->version;
else if (cctx->ssl != NULL)
- method_version = cctx->ssl->ctx->method->version;
+ method_version = cctx->ssl->defltmeth->version;
else
return 0;
if ((new_version = protocol_from_string(value)) < 0)
SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
+ SSL_FLAG_TBL("UnsafeLegacyServerConnect",
+ SSL_OP_LEGACY_SERVER_CONNECT),
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+ SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES),
- SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS)
+ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS),
+ SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT),
+ SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION),
+ SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION),
+ SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE),
+ SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF),
};
if (value == NULL)
return -3;
{
int rv = 1;
CERT *c = NULL;
- if (cctx->ctx) {
+ if (cctx->ctx != NULL) {
rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
c = cctx->ctx->cert;
}
- if (cctx->ssl) {
- rv = SSL_use_certificate_chain_file(cctx->ssl, value);
- c = cctx->ssl->cert;
+ if (cctx->ssl != NULL) {
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
+
+ if (sc != NULL) {
+ rv = SSL_use_certificate_chain_file(cctx->ssl, value);
+ c = sc->cert;
+ } else {
+ rv = 0;
+ }
}
- if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
+ if (rv > 0 && c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
char **pfilename = &cctx->cert_filename[c->key - c->pkeys];
+
OPENSSL_free(*pfilename);
*pfilename = OPENSSL_strdup(value);
if (*pfilename == NULL)
cert = cctx->ctx->cert;
ctx = cctx->ctx;
} else if (cctx->ssl != NULL) {
- cert = cctx->ssl->cert;
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
+
+ if (sc == NULL)
+ return 0;
+
+ cert = sc->cert;
ctx = cctx->ssl->ctx;
} else {
return 1;
SSL_CONF_CMD_SWITCH("bugs", 0),
SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("comp", 0),
+ SSL_CONF_CMD_SWITCH("no_tx_cert_comp", 0),
+ SSL_CONF_CMD_SWITCH("tx_cert_comp", 0),
+ SSL_CONF_CMD_SWITCH("no_rx_cert_comp", 0),
+ SSL_CONF_CMD_SWITCH("rx_cert_comp", 0),
SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_ticket", 0),
SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
- SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
+ SSL_CONF_CMD_SWITCH("prefer_no_dhe_kex", 0),
SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("strict", 0),
SSL_CONF_CMD_SWITCH("no_middlebox", 0),
{SSL_OP_ALL, 0}, /* bugs */
{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
{SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
+ {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, 0}, /* no_tx_cert_comp */
+ {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* tx_cert_comp */
+ {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, 0}, /* no_rx_cert_comp */
+ {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* rx_cert_comp */
{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
{SSL_OP_NO_TICKET, 0}, /* no_ticket */
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
{SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
/* allow_no_dhe_kex */
{SSL_OP_ALLOW_NO_DHE_KEX, 0},
+ /* prefer_no_dhe_kex */
+ {SSL_OP_PREFER_NO_DHE_KEX, 0},
/* chacha reprioritization */
{SSL_OP_PRIORITIZE_CHACHA, 0},
{SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
}
/* Determine if a command is allowed according to cctx flags */
-static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t)
+static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t)
{
unsigned int tfl = t->flags;
unsigned int cfl = cctx->flags;
return NULL;
}
-static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd)
+static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd)
{
/* Find index of command in table */
size_t idx = cmd - ssl_conf_cmds;
const ssl_switch_tbl *scmd;
+
/* Sanity check index */
- if (idx >= OSSL_NELEM(ssl_cmd_switches))
+ if (idx >= OSSL_NELEM(ssl_cmd_switches)) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
return 0;
+ }
/* Obtain switches entry with same index */
scmd = ssl_cmd_switches + idx;
ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
}
if (!ssl_conf_cmd_skip_prefix(cctx, &cmd))
- return -2;
+ goto unknown_cmd;
runcmd = ssl_conf_cmd_lookup(cctx, cmd);
if (runcmd) {
- int rv;
+ int rv = -3;
+
if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
return ctrl_switch_option(cctx, runcmd);
}
if (value == NULL)
- return -3;
+ goto bad_value;
rv = runcmd->cmd(cctx, value);
if (rv > 0)
return 2;
- if (rv == -2)
- return -2;
+ if (rv != -2)
+ rv = 0;
+
+ bad_value:
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE,
- "cmd=%s, value=%s", cmd, value);
- return 0;
+ "cmd=%s, value=%s", cmd,
+ value != NULL ? value : "<EMPTY>");
+ return rv;
}
+ unknown_cmd:
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd);
/* See if any certificates are missing private keys */
size_t i;
CERT *c = NULL;
- if (cctx->ctx)
+
+ if (cctx->ctx != NULL) {
c = cctx->ctx->cert;
- else if (cctx->ssl)
- c = cctx->ssl->cert;
- if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
+ } else if (cctx->ssl != NULL) {
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
+
+ if (sc != NULL)
+ c = sc->cert;
+ }
+ if (c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
for (i = 0; i < SSL_PKEY_NUM; i++) {
const char *p = cctx->cert_filename[i];
/*
{
cctx->ssl = ssl;
cctx->ctx = NULL;
- if (ssl) {
- cctx->poptions = &ssl->options;
- cctx->min_version = &ssl->min_proto_version;
- cctx->max_version = &ssl->max_proto_version;
- cctx->pcert_flags = &ssl->cert->cert_flags;
- cctx->pvfy_flags = &ssl->verify_mode;
+ if (ssl != NULL) {
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
+
+ if (sc == NULL)
+ return;
+ cctx->poptions = &sc->options;
+ cctx->min_version = &sc->min_proto_version;
+ cctx->max_version = &sc->max_proto_version;
+ cctx->pcert_flags = &sc->cert->cert_flags;
+ cctx->pvfy_flags = &sc->verify_mode;
} else {
cctx->poptions = NULL;
cctx->min_version = NULL;