]>
Commit | Line | Data |
---|---|---|
ae5c8664 MC |
1 | /* |
2 | * ! \file ssl/ssl_conf.c \brief SSL configuration functions | |
49ef33fa DSH |
3 | */ |
4 | /* ==================================================================== | |
5 | * Copyright (c) 2012 The OpenSSL Project. All rights reserved. | |
6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | |
10 | * | |
11 | * 1. Redistributions of source code must retain the above copyright | |
ae5c8664 | 12 | * notice, this list of conditions and the following disclaimer. |
49ef33fa DSH |
13 | * |
14 | * 2. Redistributions in binary form must reproduce the above copyright | |
15 | * notice, this list of conditions and the following disclaimer in | |
16 | * the documentation and/or other materials provided with the | |
17 | * distribution. | |
18 | * | |
19 | * 3. All advertising materials mentioning features or use of this | |
20 | * software must display the following acknowledgment: | |
21 | * "This product includes software developed by the OpenSSL Project | |
22 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
23 | * | |
24 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
25 | * endorse or promote products derived from this software without | |
26 | * prior written permission. For written permission, please contact | |
27 | * openssl-core@openssl.org. | |
28 | * | |
29 | * 5. Products derived from this software may not be called "OpenSSL" | |
30 | * nor may "OpenSSL" appear in their names without prior written | |
31 | * permission of the OpenSSL Project. | |
32 | * | |
33 | * 6. Redistributions of any form whatsoever must retain the following | |
34 | * acknowledgment: | |
35 | * "This product includes software developed by the OpenSSL Project | |
36 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
37 | * | |
38 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
39 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
40 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
41 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
42 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
43 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
44 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
45 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
46 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
47 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
48 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
49 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
50 | * ==================================================================== | |
51 | * | |
52 | * This product includes cryptographic software written by Eric Young | |
53 | * (eay@cryptsoft.com). This product includes software written by Tim | |
54 | * Hudson (tjh@cryptsoft.com). | |
55 | * | |
56 | */ | |
57 | ||
58 | #ifdef REF_CHECK | |
ae5c8664 | 59 | # include <assert.h> |
49ef33fa DSH |
60 | #endif |
61 | #include <stdio.h> | |
62 | #include "ssl_locl.h" | |
63 | #include <openssl/conf.h> | |
64 | #include <openssl/objects.h> | |
163d7948 | 65 | #ifndef OPENSSL_NO_DH |
ae5c8664 | 66 | # include <openssl/dh.h> |
163d7948 | 67 | #endif |
49ef33fa | 68 | |
ae5c8664 MC |
69 | /* |
70 | * structure holding name tables. This is used for pemitted elements in lists | |
71 | * such as TLSv1 and single command line switches such as no_tls1 | |
49ef33fa DSH |
72 | */ |
73 | ||
ae5c8664 MC |
74 | typedef struct { |
75 | const char *name; | |
76 | int namelen; | |
77 | unsigned int name_flags; | |
78 | unsigned long option_value; | |
79 | } ssl_flag_tbl; | |
49ef33fa DSH |
80 | |
81 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ | |
ae5c8664 | 82 | #define SSL_TFLAG_INV 0x1 |
49ef33fa | 83 | /* Flags refers to cert_flags not options */ |
ae5c8664 | 84 | #define SSL_TFLAG_CERT 0x2 |
49ef33fa DSH |
85 | /* Option can only be used for clients */ |
86 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT | |
87 | /* Option can only be used for servers */ | |
88 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER | |
89 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) | |
90 | ||
91 | #define SSL_FLAG_TBL(str, flag) \ | |
ae5c8664 | 92 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} |
49ef33fa | 93 | #define SSL_FLAG_TBL_SRV(str, flag) \ |
ae5c8664 | 94 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} |
49ef33fa | 95 | #define SSL_FLAG_TBL_CLI(str, flag) \ |
ae5c8664 | 96 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} |
49ef33fa | 97 | #define SSL_FLAG_TBL_INV(str, flag) \ |
ae5c8664 | 98 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} |
49ef33fa | 99 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ |
ae5c8664 | 100 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} |
49ef33fa | 101 | #define SSL_FLAG_TBL_CERT(str, flag) \ |
ae5c8664 | 102 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} |
49ef33fa | 103 | |
ae5c8664 MC |
104 | /* |
105 | * Opaque structure containing SSL configuration context. | |
49ef33fa DSH |
106 | */ |
107 | ||
ae5c8664 MC |
108 | struct ssl_conf_ctx_st { |
109 | /* | |
110 | * Various flags indicating (among other things) which options we will | |
111 | * recognise. | |
112 | */ | |
113 | unsigned int flags; | |
114 | /* Prefix and length of commands */ | |
115 | char *prefix; | |
116 | size_t prefixlen; | |
117 | /* SSL_CTX or SSL structure to perform operations on */ | |
118 | SSL_CTX *ctx; | |
119 | SSL *ssl; | |
120 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ | |
121 | unsigned long *poptions; | |
122 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ | |
123 | unsigned int *pcert_flags; | |
124 | /* Current flag table being worked on */ | |
125 | const ssl_flag_tbl *tbl; | |
126 | /* Size of table */ | |
127 | size_t ntbl; | |
128 | }; | |
49ef33fa DSH |
129 | |
130 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, | |
ae5c8664 MC |
131 | const char *name, int namelen, int onoff) |
132 | { | |
133 | /* If name not relevant for context skip */ | |
134 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) | |
135 | return 0; | |
136 | if (namelen == -1) { | |
137 | if (strcmp(tbl->name, name)) | |
138 | return 0; | |
139 | } else if (tbl->namelen != namelen | |
140 | || strncasecmp(tbl->name, name, namelen)) | |
141 | return 0; | |
142 | if (cctx->poptions) { | |
143 | if (tbl->name_flags & SSL_TFLAG_INV) | |
144 | onoff ^= 1; | |
145 | if (tbl->name_flags & SSL_TFLAG_CERT) { | |
146 | if (onoff) | |
147 | *cctx->pcert_flags |= tbl->option_value; | |
148 | else | |
149 | *cctx->pcert_flags &= ~tbl->option_value; | |
150 | } else { | |
151 | if (onoff) | |
152 | *cctx->poptions |= tbl->option_value; | |
153 | else | |
154 | *cctx->poptions &= ~tbl->option_value; | |
155 | } | |
156 | } | |
157 | return 1; | |
158 | } | |
49ef33fa DSH |
159 | |
160 | static int ssl_set_option_list(const char *elem, int len, void *usr) | |
ae5c8664 MC |
161 | { |
162 | SSL_CONF_CTX *cctx = usr; | |
163 | size_t i; | |
164 | const ssl_flag_tbl *tbl; | |
165 | int onoff = 1; | |
166 | /* | |
167 | * len == -1 indicates not being called in list context, just for single | |
168 | * command line switches, so don't allow +, -. | |
169 | */ | |
63c1d16b KR |
170 | if (elem == NULL) |
171 | return 0; | |
ae5c8664 MC |
172 | if (len != -1) { |
173 | if (*elem == '+') { | |
174 | elem++; | |
175 | len--; | |
176 | onoff = 1; | |
177 | } else if (*elem == '-') { | |
178 | elem++; | |
179 | len--; | |
180 | onoff = 0; | |
181 | } | |
182 | } | |
183 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { | |
184 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) | |
185 | return 1; | |
186 | } | |
187 | return 0; | |
188 | } | |
49ef33fa DSH |
189 | |
190 | /* Single command line switches with no argument e.g. -no_ssl3 */ | |
191 | static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd) | |
ae5c8664 MC |
192 | { |
193 | static const ssl_flag_tbl ssl_option_single[] = { | |
194 | SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2), | |
195 | SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3), | |
196 | SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1), | |
197 | SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1), | |
198 | SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2), | |
199 | SSL_FLAG_TBL("bugs", SSL_OP_ALL), | |
200 | SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION), | |
201 | SSL_FLAG_TBL_SRV("ecdh_single", SSL_OP_SINGLE_ECDH_USE), | |
49ef33fa | 202 | #ifndef OPENSSL_NO_TLSEXT |
ae5c8664 | 203 | SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET), |
49ef33fa | 204 | #endif |
ae5c8664 MC |
205 | SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE), |
206 | SSL_FLAG_TBL("legacy_renegotiation", | |
207 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
208 | SSL_FLAG_TBL_SRV("legacy_server_connect", | |
209 | SSL_OP_LEGACY_SERVER_CONNECT), | |
210 | SSL_FLAG_TBL_SRV("no_resumption_on_reneg", | |
211 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), | |
212 | SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", | |
213 | SSL_OP_LEGACY_SERVER_CONNECT), | |
214 | SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT), | |
49ef33fa | 215 | #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL |
ae5c8664 MC |
216 | SSL_FLAG_TBL_CERT("debug_broken_protocol", |
217 | SSL_CERT_FLAG_BROKEN_PROTOCOL), | |
49ef33fa | 218 | #endif |
ae5c8664 MC |
219 | }; |
220 | cctx->tbl = ssl_option_single; | |
221 | cctx->ntbl = sizeof(ssl_option_single) / sizeof(ssl_flag_tbl); | |
222 | return ssl_set_option_list(cmd, -1, cctx); | |
223 | } | |
49ef33fa DSH |
224 | |
225 | /* Set supported signature algorithms */ | |
044f8ca8 | 226 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
227 | { |
228 | int rv; | |
229 | if (cctx->ssl) | |
230 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); | |
231 | /* NB: ctx == NULL performs syntax checking only */ | |
232 | else | |
233 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); | |
234 | return rv > 0; | |
235 | } | |
236 | ||
49ef33fa | 237 | /* Set supported client signature algorithms */ |
ae5c8664 MC |
238 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, |
239 | const char *value) | |
240 | { | |
241 | int rv; | |
242 | if (cctx->ssl) | |
243 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); | |
244 | /* NB: ctx == NULL performs syntax checking only */ | |
245 | else | |
246 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); | |
247 | return rv > 0; | |
248 | } | |
49ef33fa | 249 | |
044f8ca8 | 250 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
251 | { |
252 | int rv; | |
253 | if (cctx->ssl) | |
254 | rv = SSL_set1_curves_list(cctx->ssl, value); | |
255 | /* NB: ctx == NULL performs syntax checking only */ | |
256 | else | |
257 | rv = SSL_CTX_set1_curves_list(cctx->ctx, value); | |
258 | return rv > 0; | |
259 | } | |
260 | ||
5b430cfc | 261 | #ifndef OPENSSL_NO_ECDH |
49ef33fa | 262 | /* ECDH temporary parameters */ |
044f8ca8 | 263 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
264 | { |
265 | int onoff = -1, rv = 1; | |
266 | if (!(cctx->flags & SSL_CONF_FLAG_SERVER)) | |
267 | return -2; | |
268 | if (cctx->flags & SSL_CONF_FLAG_FILE) { | |
269 | if (*value == '+') { | |
270 | onoff = 1; | |
271 | value++; | |
272 | } | |
273 | if (*value == '-') { | |
274 | onoff = 0; | |
275 | value++; | |
276 | } | |
277 | if (!strcasecmp(value, "automatic")) { | |
278 | if (onoff == -1) | |
279 | onoff = 1; | |
280 | } else if (onoff != -1) | |
281 | return 0; | |
282 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
283 | if (!strcmp(value, "auto")) | |
284 | onoff = 1; | |
285 | } | |
286 | ||
287 | if (onoff != -1) { | |
288 | if (cctx->ctx) | |
289 | rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff); | |
290 | else if (cctx->ssl) | |
291 | rv = SSL_set_ecdh_auto(cctx->ssl, onoff); | |
292 | } else { | |
293 | EC_KEY *ecdh; | |
294 | int nid; | |
295 | nid = EC_curve_nist2nid(value); | |
296 | if (nid == NID_undef) | |
297 | nid = OBJ_sn2nid(value); | |
298 | if (nid == 0) | |
299 | return 0; | |
300 | ecdh = EC_KEY_new_by_curve_name(nid); | |
301 | if (!ecdh) | |
302 | return 0; | |
303 | if (cctx->ctx) | |
304 | rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); | |
305 | else if (cctx->ssl) | |
306 | rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); | |
307 | EC_KEY_free(ecdh); | |
308 | } | |
309 | ||
310 | return rv > 0; | |
311 | } | |
5b430cfc | 312 | #endif |
044f8ca8 | 313 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
314 | { |
315 | int rv = 1; | |
316 | if (cctx->ctx) | |
317 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); | |
318 | if (cctx->ssl) | |
319 | rv = SSL_set_cipher_list(cctx->ssl, value); | |
320 | return rv > 0; | |
321 | } | |
49ef33fa | 322 | |
044f8ca8 | 323 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
324 | { |
325 | static const ssl_flag_tbl ssl_protocol_list[] = { | |
326 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), | |
327 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), | |
328 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), | |
329 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), | |
330 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), | |
331 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2) | |
332 | }; | |
9dfd2be8 VD |
333 | int ret; |
334 | int sslv2off; | |
335 | ||
ae5c8664 MC |
336 | if (!(cctx->flags & SSL_CONF_FLAG_FILE)) |
337 | return -2; | |
338 | cctx->tbl = ssl_protocol_list; | |
339 | cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl); | |
9dfd2be8 VD |
340 | |
341 | sslv2off = *cctx->poptions & SSL_OP_NO_SSLv2; | |
342 | ret = CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
343 | /* Never turn on SSLv2 through configuration */ | |
344 | *cctx->poptions |= sslv2off; | |
345 | return ret; | |
ae5c8664 | 346 | } |
49ef33fa | 347 | |
044f8ca8 | 348 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
349 | { |
350 | static const ssl_flag_tbl ssl_option_list[] = { | |
351 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), | |
352 | SSL_FLAG_TBL_INV("EmptyFragments", | |
353 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), | |
354 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), | |
355 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), | |
356 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
357 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", | |
358 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), | |
359 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), | |
360 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), | |
361 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", | |
362 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
363 | }; | |
364 | if (!(cctx->flags & SSL_CONF_FLAG_FILE)) | |
365 | return -2; | |
366 | if (value == NULL) | |
367 | return -3; | |
368 | cctx->tbl = ssl_option_list; | |
369 | cctx->ntbl = sizeof(ssl_option_list) / sizeof(ssl_flag_tbl); | |
370 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
371 | } | |
49ef33fa | 372 | |
044f8ca8 | 373 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
ae5c8664 MC |
374 | { |
375 | int rv = 1; | |
376 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
377 | return -2; | |
378 | if (cctx->ctx) | |
379 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); | |
380 | if (cctx->ssl) | |
381 | rv = SSL_use_certificate_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
382 | return rv > 0; | |
383 | } | |
044f8ca8 DSH |
384 | |
385 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) | |
ae5c8664 MC |
386 | { |
387 | int rv = 1; | |
388 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
389 | return -2; | |
390 | if (cctx->ctx) | |
391 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); | |
392 | if (cctx->ssl) | |
393 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
394 | return rv > 0; | |
395 | } | |
396 | ||
8b844953 DSH |
397 | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) |
398 | { | |
399 | int rv = 1; | |
400 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
401 | return -2; | |
402 | if (!(cctx->flags & SSL_CONF_FLAG_SERVER)) | |
403 | return -2; | |
404 | if (cctx->ctx) | |
405 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); | |
406 | return rv > 0; | |
407 | } | |
408 | ||
0b33466b DSH |
409 | #ifndef OPENSSL_NO_DH |
410 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) | |
ae5c8664 MC |
411 | { |
412 | int rv = 0; | |
413 | DH *dh = NULL; | |
414 | BIO *in = NULL; | |
415 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
416 | return -2; | |
417 | if (cctx->ctx || cctx->ssl) { | |
418 | in = BIO_new(BIO_s_file_internal()); | |
419 | if (!in) | |
420 | goto end; | |
421 | if (BIO_read_filename(in, value) <= 0) | |
422 | goto end; | |
423 | dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); | |
424 | if (!dh) | |
425 | goto end; | |
426 | } else | |
427 | return 1; | |
428 | if (cctx->ctx) | |
429 | rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); | |
430 | if (cctx->ssl) | |
431 | rv = SSL_set_tmp_dh(cctx->ssl, dh); | |
432 | end: | |
433 | if (dh) | |
434 | DH_free(dh); | |
435 | if (in) | |
436 | BIO_free(in); | |
437 | return rv > 0; | |
438 | } | |
0b33466b | 439 | #endif |
ae5c8664 MC |
440 | typedef struct { |
441 | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); | |
442 | const char *str_file; | |
443 | const char *str_cmdline; | |
444 | unsigned int value_type; | |
445 | } ssl_conf_cmd_tbl; | |
49ef33fa | 446 | |
044f8ca8 DSH |
447 | /* Table of supported parameters */ |
448 | ||
449 | #define SSL_CONF_CMD(name, cmdopt, type) \ | |
ae5c8664 | 450 | {cmd_##name, #name, cmdopt, type} |
044f8ca8 DSH |
451 | |
452 | #define SSL_CONF_CMD_STRING(name, cmdopt) \ | |
ae5c8664 | 453 | SSL_CONF_CMD(name, cmdopt, SSL_CONF_TYPE_STRING) |
49ef33fa | 454 | |
738a224b | 455 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
ae5c8664 MC |
456 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs"), |
457 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs"), | |
458 | SSL_CONF_CMD_STRING(Curves, "curves"), | |
5b430cfc | 459 | #ifndef OPENSSL_NO_ECDH |
ae5c8664 | 460 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve"), |
5b430cfc | 461 | #endif |
ae5c8664 MC |
462 | SSL_CONF_CMD_STRING(CipherString, "cipher"), |
463 | SSL_CONF_CMD_STRING(Protocol, NULL), | |
464 | SSL_CONF_CMD_STRING(Options, NULL), | |
465 | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE), | |
466 | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE), | |
8b844953 | 467 | SSL_CONF_CMD(ServerInfoFile, NULL, SSL_CONF_TYPE_FILE), |
0b33466b | 468 | #ifndef OPENSSL_NO_DH |
ae5c8664 | 469 | SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE) |
0b33466b | 470 | #endif |
49ef33fa DSH |
471 | }; |
472 | ||
044f8ca8 | 473 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
ae5c8664 MC |
474 | { |
475 | if (!pcmd || !*pcmd) | |
476 | return 0; | |
477 | /* If a prefix is set, check and skip */ | |
478 | if (cctx->prefix) { | |
479 | if (strlen(*pcmd) <= cctx->prefixlen) | |
480 | return 0; | |
481 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && | |
482 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
483 | return 0; | |
484 | if (cctx->flags & SSL_CONF_FLAG_FILE && | |
485 | strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
486 | return 0; | |
487 | *pcmd += cctx->prefixlen; | |
488 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
489 | if (**pcmd != '-' || !(*pcmd)[1]) | |
490 | return 0; | |
491 | *pcmd += 1; | |
492 | } | |
493 | return 1; | |
494 | } | |
495 | ||
496 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, | |
497 | const char *cmd) | |
498 | { | |
499 | const ssl_conf_cmd_tbl *t; | |
500 | size_t i; | |
501 | if (cmd == NULL) | |
502 | return NULL; | |
503 | ||
504 | /* Look for matching parameter name in table */ | |
505 | for (i = 0, t = ssl_conf_cmds; | |
506 | i < sizeof(ssl_conf_cmds) / sizeof(ssl_conf_cmd_tbl); i++, t++) { | |
507 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
508 | if (t->str_cmdline && !strcmp(t->str_cmdline, cmd)) | |
509 | return t; | |
510 | } | |
511 | if (cctx->flags & SSL_CONF_FLAG_FILE) { | |
512 | if (t->str_file && !strcasecmp(t->str_file, cmd)) | |
513 | return t; | |
514 | } | |
515 | } | |
516 | return NULL; | |
517 | } | |
044f8ca8 DSH |
518 | |
519 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) | |
ae5c8664 MC |
520 | { |
521 | const ssl_conf_cmd_tbl *runcmd; | |
522 | if (cmd == NULL) { | |
523 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); | |
524 | return 0; | |
525 | } | |
526 | ||
527 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
528 | return -2; | |
529 | ||
530 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
531 | ||
532 | if (runcmd) { | |
533 | int rv; | |
534 | if (value == NULL) | |
535 | return -3; | |
536 | rv = runcmd->cmd(cctx, value); | |
537 | if (rv > 0) | |
538 | return 2; | |
539 | if (rv == -2) | |
540 | return -2; | |
541 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { | |
542 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); | |
543 | ERR_add_error_data(4, "cmd=", cmd, ", value=", value); | |
544 | } | |
545 | return 0; | |
546 | } | |
547 | ||
548 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
549 | if (ctrl_str_option(cctx, cmd)) | |
550 | return 1; | |
551 | } | |
552 | ||
553 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { | |
554 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); | |
555 | ERR_add_error_data(2, "cmd=", cmd); | |
556 | } | |
557 | ||
558 | return -2; | |
559 | } | |
49ef33fa DSH |
560 | |
561 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) | |
ae5c8664 MC |
562 | { |
563 | int rv; | |
564 | const char *arg = NULL, *argn; | |
565 | if (pargc && *pargc == 0) | |
566 | return 0; | |
567 | if (!pargc || *pargc > 0) | |
568 | arg = **pargv; | |
569 | if (arg == NULL) | |
570 | return 0; | |
571 | if (!pargc || *pargc > 1) | |
572 | argn = (*pargv)[1]; | |
573 | else | |
574 | argn = NULL; | |
575 | cctx->flags &= ~SSL_CONF_FLAG_FILE; | |
576 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; | |
577 | rv = SSL_CONF_cmd(cctx, arg, argn); | |
578 | if (rv > 0) { | |
579 | /* Success: update pargc, pargv */ | |
580 | (*pargv) += rv; | |
581 | if (pargc) | |
582 | (*pargc) -= rv; | |
583 | return rv; | |
584 | } | |
585 | /* Unknown switch: indicate no arguments processed */ | |
586 | if (rv == -2) | |
587 | return 0; | |
588 | /* Some error occurred processing command, return fatal error */ | |
589 | if (rv == 0) | |
590 | return -1; | |
591 | return rv; | |
592 | } | |
49ef33fa | 593 | |
044f8ca8 | 594 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
ae5c8664 MC |
595 | { |
596 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { | |
597 | const ssl_conf_cmd_tbl *runcmd; | |
598 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
599 | if (runcmd) | |
600 | return runcmd->value_type; | |
601 | } | |
602 | return SSL_CONF_TYPE_UNKNOWN; | |
603 | } | |
044f8ca8 | 604 | |
49ef33fa | 605 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
ae5c8664 MC |
606 | { |
607 | SSL_CONF_CTX *ret; | |
608 | ret = OPENSSL_malloc(sizeof(SSL_CONF_CTX)); | |
609 | if (ret) { | |
610 | ret->flags = 0; | |
611 | ret->prefix = NULL; | |
612 | ret->prefixlen = 0; | |
613 | ret->ssl = NULL; | |
614 | ret->ctx = NULL; | |
615 | ret->poptions = NULL; | |
616 | ret->pcert_flags = NULL; | |
617 | ret->tbl = NULL; | |
618 | ret->ntbl = 0; | |
619 | } | |
620 | return ret; | |
621 | } | |
49ef33fa | 622 | |
044f8ca8 | 623 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
ae5c8664 MC |
624 | { |
625 | return 1; | |
626 | } | |
044f8ca8 | 627 | |
49ef33fa | 628 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
ae5c8664 MC |
629 | { |
630 | if (cctx) { | |
631 | if (cctx->prefix) | |
632 | OPENSSL_free(cctx->prefix); | |
633 | OPENSSL_free(cctx); | |
634 | } | |
635 | } | |
49ef33fa DSH |
636 | |
637 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
ae5c8664 MC |
638 | { |
639 | cctx->flags |= flags; | |
640 | return cctx->flags; | |
641 | } | |
49ef33fa DSH |
642 | |
643 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
ae5c8664 MC |
644 | { |
645 | cctx->flags &= ~flags; | |
646 | return cctx->flags; | |
647 | } | |
49ef33fa DSH |
648 | |
649 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) | |
ae5c8664 MC |
650 | { |
651 | char *tmp = NULL; | |
652 | if (pre) { | |
653 | tmp = BUF_strdup(pre); | |
654 | if (tmp == NULL) | |
655 | return 0; | |
656 | } | |
657 | if (cctx->prefix) | |
658 | OPENSSL_free(cctx->prefix); | |
659 | cctx->prefix = tmp; | |
660 | if (tmp) | |
661 | cctx->prefixlen = strlen(tmp); | |
662 | else | |
663 | cctx->prefixlen = 0; | |
664 | return 1; | |
665 | } | |
49ef33fa DSH |
666 | |
667 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) | |
ae5c8664 MC |
668 | { |
669 | cctx->ssl = ssl; | |
670 | cctx->ctx = NULL; | |
671 | if (ssl) { | |
672 | cctx->poptions = &ssl->options; | |
673 | cctx->pcert_flags = &ssl->cert->cert_flags; | |
674 | } else { | |
675 | cctx->poptions = NULL; | |
676 | cctx->pcert_flags = NULL; | |
677 | } | |
678 | } | |
49ef33fa DSH |
679 | |
680 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) | |
ae5c8664 MC |
681 | { |
682 | cctx->ctx = ctx; | |
683 | cctx->ssl = NULL; | |
684 | if (ctx) { | |
685 | cctx->poptions = &ctx->options; | |
686 | cctx->pcert_flags = &ctx->cert->cert_flags; | |
687 | } else { | |
688 | cctx->poptions = NULL; | |
689 | cctx->pcert_flags = NULL; | |
690 | } | |
691 | } |