]>
Commit | Line | Data |
---|---|---|
0f113f3e MC |
1 | /* |
2 | * ! \file ssl/ssl_conf.c \brief SSL configuration functions | |
3db935a9 DSH |
3 | */ |
4 | /* ==================================================================== | |
5 | * Copyright (c) 2012 The OpenSSL Project. All rights reserved. | |
6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | |
10 | * | |
11 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 12 | * notice, this list of conditions and the following disclaimer. |
3db935a9 DSH |
13 | * |
14 | * 2. Redistributions in binary form must reproduce the above copyright | |
15 | * notice, this list of conditions and the following disclaimer in | |
16 | * the documentation and/or other materials provided with the | |
17 | * distribution. | |
18 | * | |
19 | * 3. All advertising materials mentioning features or use of this | |
20 | * software must display the following acknowledgment: | |
21 | * "This product includes software developed by the OpenSSL Project | |
22 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
23 | * | |
24 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
25 | * endorse or promote products derived from this software without | |
26 | * prior written permission. For written permission, please contact | |
27 | * openssl-core@openssl.org. | |
28 | * | |
29 | * 5. Products derived from this software may not be called "OpenSSL" | |
30 | * nor may "OpenSSL" appear in their names without prior written | |
31 | * permission of the OpenSSL Project. | |
32 | * | |
33 | * 6. Redistributions of any form whatsoever must retain the following | |
34 | * acknowledgment: | |
35 | * "This product includes software developed by the OpenSSL Project | |
36 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
37 | * | |
38 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
39 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
40 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
41 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
42 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
43 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
44 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
45 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
46 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
47 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
48 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
49 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
50 | * ==================================================================== | |
51 | * | |
52 | * This product includes cryptographic software written by Eric Young | |
53 | * (eay@cryptsoft.com). This product includes software written by Tim | |
54 | * Hudson (tjh@cryptsoft.com). | |
55 | * | |
56 | */ | |
57 | ||
58 | #ifdef REF_CHECK | |
0f113f3e | 59 | # include <assert.h> |
3db935a9 DSH |
60 | #endif |
61 | #include <stdio.h> | |
62 | #include "ssl_locl.h" | |
63 | #include <openssl/conf.h> | |
64 | #include <openssl/objects.h> | |
96e16bdd | 65 | #ifndef OPENSSL_NO_DH |
0f113f3e | 66 | # include <openssl/dh.h> |
96e16bdd | 67 | #endif |
3db935a9 | 68 | |
0f113f3e MC |
69 | /* |
70 | * structure holding name tables. This is used for pemitted elements in lists | |
656b2605 | 71 | * such as TLSv1. |
3db935a9 DSH |
72 | */ |
73 | ||
0f113f3e MC |
74 | typedef struct { |
75 | const char *name; | |
76 | int namelen; | |
77 | unsigned int name_flags; | |
78 | unsigned long option_value; | |
79 | } ssl_flag_tbl; | |
3db935a9 | 80 | |
656b2605 DSH |
81 | /* Switch table: use for single command line switches like no_tls2 */ |
82 | typedef struct { | |
83 | unsigned long option_value; | |
84 | unsigned int name_flags; | |
85 | } ssl_switch_tbl; | |
86 | ||
3db935a9 | 87 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ |
0f113f3e | 88 | #define SSL_TFLAG_INV 0x1 |
429261d0 DSH |
89 | /* Mask for type of flag referred to */ |
90 | #define SSL_TFLAG_TYPE_MASK 0xf00 | |
91 | /* Flag is for options */ | |
92 | #define SSL_TFLAG_OPTION 0x000 | |
93 | /* Flag is for cert_flags */ | |
94 | #define SSL_TFLAG_CERT 0x100 | |
95 | /* Flag is for verify mode */ | |
96 | #define SSL_TFLAG_VFY 0x200 | |
3db935a9 DSH |
97 | /* Option can only be used for clients */ |
98 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT | |
99 | /* Option can only be used for servers */ | |
100 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER | |
101 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) | |
102 | ||
103 | #define SSL_FLAG_TBL(str, flag) \ | |
0f113f3e | 104 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} |
3db935a9 | 105 | #define SSL_FLAG_TBL_SRV(str, flag) \ |
0f113f3e | 106 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} |
3db935a9 | 107 | #define SSL_FLAG_TBL_CLI(str, flag) \ |
0f113f3e | 108 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} |
3db935a9 | 109 | #define SSL_FLAG_TBL_INV(str, flag) \ |
0f113f3e | 110 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} |
3db935a9 | 111 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ |
0f113f3e | 112 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} |
3db935a9 | 113 | #define SSL_FLAG_TBL_CERT(str, flag) \ |
0f113f3e | 114 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} |
3db935a9 | 115 | |
429261d0 DSH |
116 | #define SSL_FLAG_VFY_CLI(str, flag) \ |
117 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} | |
118 | #define SSL_FLAG_VFY_SRV(str, flag) \ | |
119 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} | |
120 | ||
0f113f3e MC |
121 | /* |
122 | * Opaque structure containing SSL configuration context. | |
3db935a9 DSH |
123 | */ |
124 | ||
0f113f3e MC |
125 | struct ssl_conf_ctx_st { |
126 | /* | |
127 | * Various flags indicating (among other things) which options we will | |
128 | * recognise. | |
129 | */ | |
130 | unsigned int flags; | |
131 | /* Prefix and length of commands */ | |
132 | char *prefix; | |
133 | size_t prefixlen; | |
134 | /* SSL_CTX or SSL structure to perform operations on */ | |
135 | SSL_CTX *ctx; | |
136 | SSL *ssl; | |
137 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ | |
f7d53487 | 138 | uint32_t *poptions; |
2011b169 DSH |
139 | /* Certificate filenames for each type */ |
140 | char *cert_filename[SSL_PKEY_NUM]; | |
0f113f3e | 141 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ |
f7d53487 | 142 | uint32_t *pcert_flags; |
429261d0 DSH |
143 | /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ |
144 | uint32_t *pvfy_flags; | |
0f113f3e MC |
145 | /* Current flag table being worked on */ |
146 | const ssl_flag_tbl *tbl; | |
147 | /* Size of table */ | |
148 | size_t ntbl; | |
429261d0 DSH |
149 | /* Client CA names */ |
150 | STACK_OF(X509_NAME) *canames; | |
0f113f3e | 151 | }; |
3db935a9 | 152 | |
656b2605 DSH |
153 | static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, |
154 | unsigned long option_value, int onoff) | |
155 | { | |
429261d0 | 156 | unint32_t *pflags; |
656b2605 DSH |
157 | if (cctx->poptions == NULL) |
158 | return; | |
159 | if (name_flags & SSL_TFLAG_INV) | |
160 | onoff ^= 1; | |
429261d0 DSH |
161 | switch (name_flags & SSL_TFLAG_TYPE_MASK) { |
162 | ||
163 | case SSL_TFLAG_CERT: | |
164 | pflags = cctx->pcert_flags; | |
165 | break; | |
166 | ||
167 | case SSL_TFLAG_VFY: | |
168 | pflags = cctx->pvfy_flags; | |
169 | break; | |
170 | ||
171 | case SSL_TFLAG_OPTION: | |
172 | pflags = cctx->poptions; | |
173 | break; | |
174 | ||
175 | default: | |
176 | return; | |
177 | ||
656b2605 | 178 | } |
429261d0 DSH |
179 | if (onoff) |
180 | *pflags |= option_value; | |
181 | else | |
182 | *pflags &= ~option_value; | |
656b2605 DSH |
183 | } |
184 | ||
3db935a9 | 185 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, |
0f113f3e MC |
186 | const char *name, int namelen, int onoff) |
187 | { | |
188 | /* If name not relevant for context skip */ | |
189 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) | |
190 | return 0; | |
191 | if (namelen == -1) { | |
192 | if (strcmp(tbl->name, name)) | |
193 | return 0; | |
194 | } else if (tbl->namelen != namelen | |
195 | || strncasecmp(tbl->name, name, namelen)) | |
196 | return 0; | |
656b2605 | 197 | ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); |
0f113f3e MC |
198 | return 1; |
199 | } | |
3db935a9 DSH |
200 | |
201 | static int ssl_set_option_list(const char *elem, int len, void *usr) | |
0f113f3e MC |
202 | { |
203 | SSL_CONF_CTX *cctx = usr; | |
204 | size_t i; | |
205 | const ssl_flag_tbl *tbl; | |
206 | int onoff = 1; | |
207 | /* | |
208 | * len == -1 indicates not being called in list context, just for single | |
209 | * command line switches, so don't allow +, -. | |
210 | */ | |
2747d73c KR |
211 | if (elem == NULL) |
212 | return 0; | |
0f113f3e MC |
213 | if (len != -1) { |
214 | if (*elem == '+') { | |
215 | elem++; | |
216 | len--; | |
217 | onoff = 1; | |
218 | } else if (*elem == '-') { | |
219 | elem++; | |
220 | len--; | |
221 | onoff = 0; | |
222 | } | |
223 | } | |
224 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { | |
225 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) | |
226 | return 1; | |
227 | } | |
228 | return 0; | |
229 | } | |
3db935a9 | 230 | |
3db935a9 | 231 | /* Set supported signature algorithms */ |
ec2f7e56 | 232 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
233 | { |
234 | int rv; | |
235 | if (cctx->ssl) | |
236 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); | |
237 | /* NB: ctx == NULL performs syntax checking only */ | |
238 | else | |
239 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); | |
240 | return rv > 0; | |
241 | } | |
242 | ||
3db935a9 | 243 | /* Set supported client signature algorithms */ |
0f113f3e MC |
244 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, |
245 | const char *value) | |
246 | { | |
247 | int rv; | |
248 | if (cctx->ssl) | |
249 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); | |
250 | /* NB: ctx == NULL performs syntax checking only */ | |
251 | else | |
252 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); | |
253 | return rv > 0; | |
254 | } | |
3db935a9 | 255 | |
ec2f7e56 | 256 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
257 | { |
258 | int rv; | |
259 | if (cctx->ssl) | |
260 | rv = SSL_set1_curves_list(cctx->ssl, value); | |
261 | /* NB: ctx == NULL performs syntax checking only */ | |
262 | else | |
263 | rv = SSL_CTX_set1_curves_list(cctx->ctx, value); | |
264 | return rv > 0; | |
265 | } | |
266 | ||
10bf4fc2 | 267 | #ifndef OPENSSL_NO_EC |
3db935a9 | 268 | /* ECDH temporary parameters */ |
ec2f7e56 | 269 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
270 | { |
271 | int onoff = -1, rv = 1; | |
0f113f3e MC |
272 | if (cctx->flags & SSL_CONF_FLAG_FILE) { |
273 | if (*value == '+') { | |
274 | onoff = 1; | |
275 | value++; | |
276 | } | |
277 | if (*value == '-') { | |
278 | onoff = 0; | |
279 | value++; | |
280 | } | |
86885c28 | 281 | if (strcasecmp(value, "automatic") == 0) { |
0f113f3e MC |
282 | if (onoff == -1) |
283 | onoff = 1; | |
284 | } else if (onoff != -1) | |
285 | return 0; | |
286 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
86885c28 | 287 | if (strcmp(value, "auto") == 0) |
0f113f3e MC |
288 | onoff = 1; |
289 | } | |
290 | ||
291 | if (onoff != -1) { | |
292 | if (cctx->ctx) | |
293 | rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff); | |
294 | else if (cctx->ssl) | |
295 | rv = SSL_set_ecdh_auto(cctx->ssl, onoff); | |
296 | } else { | |
297 | EC_KEY *ecdh; | |
298 | int nid; | |
299 | nid = EC_curve_nist2nid(value); | |
300 | if (nid == NID_undef) | |
301 | nid = OBJ_sn2nid(value); | |
302 | if (nid == 0) | |
303 | return 0; | |
304 | ecdh = EC_KEY_new_by_curve_name(nid); | |
305 | if (!ecdh) | |
306 | return 0; | |
307 | if (cctx->ctx) | |
308 | rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); | |
309 | else if (cctx->ssl) | |
310 | rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); | |
311 | EC_KEY_free(ecdh); | |
312 | } | |
313 | ||
314 | return rv > 0; | |
315 | } | |
14536c8c | 316 | #endif |
ec2f7e56 | 317 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
318 | { |
319 | int rv = 1; | |
320 | if (cctx->ctx) | |
321 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); | |
322 | if (cctx->ssl) | |
323 | rv = SSL_set_cipher_list(cctx->ssl, value); | |
324 | return rv > 0; | |
325 | } | |
3db935a9 | 326 | |
ec2f7e56 | 327 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
328 | { |
329 | static const ssl_flag_tbl ssl_protocol_list[] = { | |
330 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), | |
331 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), | |
332 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), | |
333 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), | |
334 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), | |
335 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2) | |
336 | }; | |
0f113f3e | 337 | cctx->tbl = ssl_protocol_list; |
b6eb9827 | 338 | cctx->ntbl = OSSL_NELEM(ssl_protocol_list); |
0f113f3e MC |
339 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
340 | } | |
3db935a9 | 341 | |
ec2f7e56 | 342 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
343 | { |
344 | static const ssl_flag_tbl ssl_option_list[] = { | |
345 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), | |
346 | SSL_FLAG_TBL_INV("EmptyFragments", | |
347 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), | |
348 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), | |
349 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), | |
350 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
351 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", | |
352 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), | |
353 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), | |
354 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), | |
355 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", | |
356 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
357 | }; | |
0f113f3e MC |
358 | if (value == NULL) |
359 | return -3; | |
360 | cctx->tbl = ssl_option_list; | |
b6eb9827 | 361 | cctx->ntbl = OSSL_NELEM(ssl_option_list); |
0f113f3e MC |
362 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
363 | } | |
3db935a9 | 364 | |
429261d0 DSH |
365 | static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) |
366 | { | |
367 | static const ssl_flag_tbl ssl_vfy_list[] = { | |
368 | SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER), | |
369 | SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), | |
370 | SSL_FLAG_VFY_SRV("Require", | |
371 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), | |
372 | SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE) | |
373 | }; | |
374 | if (value == NULL) | |
375 | return -3; | |
376 | cctx->tbl = ssl_vfy_list; | |
377 | cctx->ntbl = OSSL_NELEM(ssl_vfy_list); | |
378 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
379 | } | |
380 | ||
ec2f7e56 | 381 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
382 | { |
383 | int rv = 1; | |
2011b169 | 384 | CERT *c = NULL; |
2011b169 | 385 | if (cctx->ctx) { |
0f113f3e | 386 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); |
2011b169 DSH |
387 | c = cctx->ctx->cert; |
388 | } | |
389 | if (cctx->ssl) { | |
fae4772c | 390 | rv = SSL_use_certificate_chain_file(cctx->ssl, value); |
2011b169 DSH |
391 | c = cctx->ssl->cert; |
392 | } | |
393 | if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
394 | char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; | |
b548a1f1 | 395 | OPENSSL_free(*pfilename); |
2011b169 DSH |
396 | *pfilename = BUF_strdup(value); |
397 | if (!*pfilename) | |
398 | rv = 0; | |
399 | } | |
400 | ||
0f113f3e MC |
401 | return rv > 0; |
402 | } | |
ec2f7e56 DSH |
403 | |
404 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
405 | { |
406 | int rv = 1; | |
407 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
408 | return -2; | |
409 | if (cctx->ctx) | |
410 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); | |
411 | if (cctx->ssl) | |
412 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
413 | return rv > 0; | |
414 | } | |
5b7f36e8 DSH |
415 | |
416 | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
417 | { |
418 | int rv = 1; | |
0f113f3e MC |
419 | if (cctx->ctx) |
420 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); | |
421 | return rv > 0; | |
422 | } | |
5b7f36e8 | 423 | |
429261d0 DSH |
424 | static int do_store(SSL_CONF_CTX *cctx, |
425 | const char *CAfile, const char *CApath, int verify_store) | |
426 | { | |
427 | CERT *cert; | |
428 | X509_STORE **st; | |
429 | if (cctx->ctx) | |
430 | cert = cctx->ctx->cert; | |
431 | else if (cctx->ssl) | |
432 | cert = cctx->ssl->cert; | |
433 | else | |
434 | return 1; | |
435 | st = verify_store ? &cert->verify_store : &cert->chain_store; | |
436 | if (*st == NULL) { | |
437 | *st = X509_STORE_new(); | |
438 | if (*st == NULL) | |
439 | return 0; | |
440 | } | |
441 | return X509_STORE_load_locations(*st, CAfile, CApath) > 0; | |
442 | } | |
443 | ||
444 | static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) | |
445 | { | |
446 | return do_store(cctx, NULL, value, 0); | |
447 | } | |
448 | ||
449 | static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) | |
450 | { | |
451 | return do_store(cctx, value, NULL, 0); | |
452 | } | |
453 | ||
454 | static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) | |
455 | { | |
456 | return do_store(cctx, NULL, value, 1); | |
457 | } | |
458 | ||
459 | static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) | |
460 | { | |
461 | return do_store(cctx, value, NULL, 1); | |
462 | } | |
463 | ||
464 | static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) | |
465 | { | |
466 | if (cctx->canames == NULL) | |
467 | cctx->canames = sk_X509_NAME_new_null(); | |
468 | if (cctx->canames == NULL) | |
469 | return 0; | |
470 | return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); | |
471 | } | |
472 | ||
473 | static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) | |
474 | { | |
475 | if (cctx->canames == NULL) | |
476 | cctx->canames = sk_X509_NAME_new_null(); | |
477 | if (cctx->canames == NULL) | |
478 | return 0; | |
479 | return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); | |
480 | } | |
481 | ||
c557f921 DSH |
482 | #ifndef OPENSSL_NO_DH |
483 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
484 | { |
485 | int rv = 0; | |
486 | DH *dh = NULL; | |
487 | BIO *in = NULL; | |
0f113f3e MC |
488 | if (cctx->ctx || cctx->ssl) { |
489 | in = BIO_new(BIO_s_file_internal()); | |
490 | if (!in) | |
491 | goto end; | |
492 | if (BIO_read_filename(in, value) <= 0) | |
493 | goto end; | |
494 | dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); | |
495 | if (!dh) | |
496 | goto end; | |
497 | } else | |
498 | return 1; | |
499 | if (cctx->ctx) | |
500 | rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); | |
501 | if (cctx->ssl) | |
502 | rv = SSL_set_tmp_dh(cctx->ssl, dh); | |
503 | end: | |
d6407083 | 504 | DH_free(dh); |
ca3a82c3 | 505 | BIO_free(in); |
0f113f3e MC |
506 | return rv > 0; |
507 | } | |
c557f921 | 508 | #endif |
0f113f3e MC |
509 | typedef struct { |
510 | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); | |
511 | const char *str_file; | |
512 | const char *str_cmdline; | |
656b2605 DSH |
513 | unsigned short flags; |
514 | unsigned short value_type; | |
0f113f3e | 515 | } ssl_conf_cmd_tbl; |
3db935a9 | 516 | |
ec2f7e56 DSH |
517 | /* Table of supported parameters */ |
518 | ||
656b2605 DSH |
519 | #define SSL_CONF_CMD(name, cmdopt, flags, type) \ |
520 | {cmd_##name, #name, cmdopt, flags, type} | |
521 | ||
522 | #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ | |
523 | SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) | |
ec2f7e56 | 524 | |
656b2605 DSH |
525 | #define SSL_CONF_CMD_SWITCH(name, flags) \ |
526 | {0, NULL, name, flags, SSL_CONF_TYPE_NONE} | |
3db935a9 | 527 | |
7e1b7485 | 528 | /* See apps/apps.h if you change this table. */ |
27f3b65f | 529 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
656b2605 DSH |
530 | SSL_CONF_CMD_SWITCH("no_ssl3", 0), |
531 | SSL_CONF_CMD_SWITCH("no_tls1", 0), | |
532 | SSL_CONF_CMD_SWITCH("no_tls1_1", 0), | |
533 | SSL_CONF_CMD_SWITCH("no_tls1_2", 0), | |
534 | SSL_CONF_CMD_SWITCH("bugs", 0), | |
535 | SSL_CONF_CMD_SWITCH("no_comp", 0), | |
536 | SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), | |
656b2605 | 537 | SSL_CONF_CMD_SWITCH("no_ticket", 0), |
656b2605 DSH |
538 | SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), |
539 | SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), | |
540 | SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER), | |
541 | SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), | |
542 | SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), | |
543 | SSL_CONF_CMD_SWITCH("strict", 0), | |
544 | #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL | |
545 | SSL_CONF_CMD_SWITCH("debug_broken_protocol", 0), | |
546 | #endif | |
547 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), | |
548 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), | |
549 | SSL_CONF_CMD_STRING(Curves, "curves", 0), | |
10bf4fc2 | 550 | #ifndef OPENSSL_NO_EC |
656b2605 | 551 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), |
14536c8c | 552 | #endif |
656b2605 DSH |
553 | SSL_CONF_CMD_STRING(CipherString, "cipher", 0), |
554 | SSL_CONF_CMD_STRING(Protocol, NULL, 0), | |
555 | SSL_CONF_CMD_STRING(Options, NULL, 0), | |
429261d0 | 556 | SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), |
656b2605 DSH |
557 | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, |
558 | SSL_CONF_TYPE_FILE), | |
559 | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE, | |
560 | SSL_CONF_TYPE_FILE), | |
561 | SSL_CONF_CMD(ServerInfoFile, NULL, | |
562 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
563 | SSL_CONF_TYPE_FILE), | |
429261d0 DSH |
564 | SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE, |
565 | SSL_CONF_TYPE_DIR), | |
566 | SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
567 | SSL_CONF_TYPE_FILE), | |
568 | SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE, | |
569 | SSL_CONF_TYPE_DIR), | |
570 | SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
571 | SSL_CONF_TYPE_FILE), | |
572 | SSL_CONF_CMD(ClientCAFile, NULL, | |
573 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
574 | SSL_CONF_TYPE_FILE), | |
575 | SSL_CONF_CMD(ClientCAPath, NULL, | |
576 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
577 | SSL_CONF_TYPE_DIR), | |
c557f921 | 578 | #ifndef OPENSSL_NO_DH |
656b2605 DSH |
579 | SSL_CONF_CMD(DHParameters, "dhparam", |
580 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
581 | SSL_CONF_TYPE_FILE) | |
582 | #endif | |
583 | }; | |
584 | ||
585 | /* Supported switches: must match order of switches in ssl_conf_cmds */ | |
586 | static const ssl_switch_tbl ssl_cmd_switches[] = { | |
587 | {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ | |
588 | {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ | |
589 | {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ | |
590 | {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ | |
591 | {SSL_OP_ALL, 0}, /* bugs */ | |
592 | {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ | |
593 | {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ | |
656b2605 | 594 | {SSL_OP_NO_TICKET, 0}, /* no_ticket */ |
656b2605 DSH |
595 | {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ |
596 | /* legacy_renegotiation */ | |
597 | {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, | |
598 | /* legacy_server_connect */ | |
599 | {SSL_OP_LEGACY_SERVER_CONNECT, 0}, | |
600 | /* no_resumption_on_reneg */ | |
601 | {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, | |
602 | /* no_legacy_server_connect */ | |
603 | {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, | |
604 | {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ | |
605 | #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL | |
606 | {SSL_CERT_FLAG_BROKEN_PROTOCOL, SSL_TFLAG_CERT} /* debug_broken_protocol */ | |
c557f921 | 607 | #endif |
3db935a9 DSH |
608 | }; |
609 | ||
ec2f7e56 | 610 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
0f113f3e MC |
611 | { |
612 | if (!pcmd || !*pcmd) | |
613 | return 0; | |
614 | /* If a prefix is set, check and skip */ | |
615 | if (cctx->prefix) { | |
616 | if (strlen(*pcmd) <= cctx->prefixlen) | |
617 | return 0; | |
618 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && | |
619 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
620 | return 0; | |
621 | if (cctx->flags & SSL_CONF_FLAG_FILE && | |
622 | strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
623 | return 0; | |
624 | *pcmd += cctx->prefixlen; | |
625 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
626 | if (**pcmd != '-' || !(*pcmd)[1]) | |
627 | return 0; | |
628 | *pcmd += 1; | |
629 | } | |
630 | return 1; | |
631 | } | |
632 | ||
656b2605 DSH |
633 | /* Determine if a command is allowed according to cctx flags */ |
634 | static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, | |
635 | const ssl_conf_cmd_tbl * t) | |
636 | { | |
637 | unsigned int tfl = t->flags; | |
638 | unsigned int cfl = cctx->flags; | |
639 | if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) | |
640 | return 0; | |
641 | if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) | |
642 | return 0; | |
643 | if ((tfl & SSL_CONF_FLAG_CERTIFICATE) | |
644 | && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) | |
645 | return 0; | |
646 | return 1; | |
647 | } | |
648 | ||
0f113f3e MC |
649 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, |
650 | const char *cmd) | |
651 | { | |
652 | const ssl_conf_cmd_tbl *t; | |
653 | size_t i; | |
654 | if (cmd == NULL) | |
655 | return NULL; | |
656 | ||
657 | /* Look for matching parameter name in table */ | |
b6eb9827 | 658 | for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { |
656b2605 DSH |
659 | if (ssl_conf_cmd_allowed(cctx, t)) { |
660 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
86885c28 | 661 | if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) |
656b2605 DSH |
662 | return t; |
663 | } | |
664 | if (cctx->flags & SSL_CONF_FLAG_FILE) { | |
86885c28 | 665 | if (t->str_file && strcasecmp(t->str_file, cmd) == 0) |
656b2605 DSH |
666 | return t; |
667 | } | |
0f113f3e MC |
668 | } |
669 | } | |
670 | return NULL; | |
671 | } | |
ec2f7e56 | 672 | |
656b2605 DSH |
673 | static int ctrl_switch_option(SSL_CONF_CTX *cctx, |
674 | const ssl_conf_cmd_tbl * cmd) | |
675 | { | |
676 | /* Find index of command in table */ | |
677 | size_t idx = cmd - ssl_conf_cmds; | |
678 | const ssl_switch_tbl *scmd; | |
679 | /* Sanity check index */ | |
680 | if (idx >= OSSL_NELEM(ssl_cmd_switches)) | |
681 | return 0; | |
682 | /* Obtain switches entry with same index */ | |
683 | scmd = ssl_cmd_switches + idx; | |
684 | ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); | |
685 | return 1; | |
686 | } | |
687 | ||
ec2f7e56 | 688 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) |
0f113f3e MC |
689 | { |
690 | const ssl_conf_cmd_tbl *runcmd; | |
691 | if (cmd == NULL) { | |
692 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); | |
693 | return 0; | |
694 | } | |
695 | ||
696 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
697 | return -2; | |
698 | ||
699 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
700 | ||
701 | if (runcmd) { | |
702 | int rv; | |
656b2605 DSH |
703 | if (runcmd->value_type == SSL_CONF_TYPE_NONE) { |
704 | return ctrl_switch_option(cctx, runcmd); | |
705 | } | |
0f113f3e MC |
706 | if (value == NULL) |
707 | return -3; | |
708 | rv = runcmd->cmd(cctx, value); | |
709 | if (rv > 0) | |
710 | return 2; | |
711 | if (rv == -2) | |
712 | return -2; | |
713 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { | |
714 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); | |
715 | ERR_add_error_data(4, "cmd=", cmd, ", value=", value); | |
716 | } | |
717 | return 0; | |
718 | } | |
719 | ||
0f113f3e MC |
720 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { |
721 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); | |
722 | ERR_add_error_data(2, "cmd=", cmd); | |
723 | } | |
724 | ||
725 | return -2; | |
726 | } | |
3db935a9 DSH |
727 | |
728 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) | |
0f113f3e MC |
729 | { |
730 | int rv; | |
731 | const char *arg = NULL, *argn; | |
732 | if (pargc && *pargc == 0) | |
733 | return 0; | |
734 | if (!pargc || *pargc > 0) | |
735 | arg = **pargv; | |
736 | if (arg == NULL) | |
737 | return 0; | |
738 | if (!pargc || *pargc > 1) | |
739 | argn = (*pargv)[1]; | |
740 | else | |
741 | argn = NULL; | |
742 | cctx->flags &= ~SSL_CONF_FLAG_FILE; | |
743 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; | |
744 | rv = SSL_CONF_cmd(cctx, arg, argn); | |
745 | if (rv > 0) { | |
746 | /* Success: update pargc, pargv */ | |
747 | (*pargv) += rv; | |
748 | if (pargc) | |
749 | (*pargc) -= rv; | |
750 | return rv; | |
751 | } | |
752 | /* Unknown switch: indicate no arguments processed */ | |
753 | if (rv == -2) | |
754 | return 0; | |
755 | /* Some error occurred processing command, return fatal error */ | |
756 | if (rv == 0) | |
757 | return -1; | |
758 | return rv; | |
759 | } | |
3db935a9 | 760 | |
ec2f7e56 | 761 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
0f113f3e MC |
762 | { |
763 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { | |
764 | const ssl_conf_cmd_tbl *runcmd; | |
765 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
766 | if (runcmd) | |
767 | return runcmd->value_type; | |
768 | } | |
769 | return SSL_CONF_TYPE_UNKNOWN; | |
770 | } | |
ec2f7e56 | 771 | |
3db935a9 | 772 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
0f113f3e | 773 | { |
b4faea50 | 774 | SSL_CONF_CTX *ret = OPENSSL_malloc(sizeof(*ret)); |
2011b169 | 775 | size_t i; |
b4faea50 | 776 | |
0f113f3e MC |
777 | if (ret) { |
778 | ret->flags = 0; | |
779 | ret->prefix = NULL; | |
780 | ret->prefixlen = 0; | |
781 | ret->ssl = NULL; | |
782 | ret->ctx = NULL; | |
783 | ret->poptions = NULL; | |
784 | ret->pcert_flags = NULL; | |
429261d0 | 785 | ret->pvfy_flags = NULL; |
0f113f3e MC |
786 | ret->tbl = NULL; |
787 | ret->ntbl = 0; | |
2011b169 DSH |
788 | for (i = 0; i < SSL_PKEY_NUM; i++) |
789 | ret->cert_filename[i] = NULL; | |
429261d0 | 790 | ret->canames = NULL; |
0f113f3e MC |
791 | } |
792 | return ret; | |
793 | } | |
3db935a9 | 794 | |
ec2f7e56 | 795 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
0f113f3e | 796 | { |
2011b169 DSH |
797 | /* See if any certificates are missing private keys */ |
798 | size_t i; | |
799 | CERT *c = NULL; | |
800 | if (cctx->ctx) | |
801 | c = cctx->ctx->cert; | |
802 | else if (cctx->ssl) | |
803 | c = cctx->ssl->cert; | |
804 | if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
805 | for (i = 0; i < SSL_PKEY_NUM; i++) { | |
806 | const char *p = cctx->cert_filename[i]; | |
807 | /* | |
808 | * If missing private key try to load one from certificate file | |
809 | */ | |
810 | if (p && !c->pkeys[i].privatekey) { | |
811 | if (!cmd_PrivateKey(cctx, p)) | |
812 | return 0; | |
813 | } | |
814 | } | |
815 | } | |
429261d0 DSH |
816 | if (cctx->canames) { |
817 | if (cctx->ssl) | |
818 | SSL_set_client_CA_list(cctx->ssl, cctx->canames); | |
819 | else if (cctx->ctx) | |
820 | SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames); | |
821 | else | |
822 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); | |
823 | cctx->canames = NULL; | |
824 | } | |
0f113f3e MC |
825 | return 1; |
826 | } | |
ec2f7e56 | 827 | |
3db935a9 | 828 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
0f113f3e MC |
829 | { |
830 | if (cctx) { | |
2011b169 | 831 | size_t i; |
656b2605 | 832 | for (i = 0; i < SSL_PKEY_NUM; i++) |
b548a1f1 | 833 | OPENSSL_free(cctx->cert_filename[i]); |
b548a1f1 | 834 | OPENSSL_free(cctx->prefix); |
0f113f3e | 835 | OPENSSL_free(cctx); |
429261d0 | 836 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
0f113f3e MC |
837 | } |
838 | } | |
3db935a9 DSH |
839 | |
840 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
0f113f3e MC |
841 | { |
842 | cctx->flags |= flags; | |
843 | return cctx->flags; | |
844 | } | |
3db935a9 DSH |
845 | |
846 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
0f113f3e MC |
847 | { |
848 | cctx->flags &= ~flags; | |
849 | return cctx->flags; | |
850 | } | |
3db935a9 DSH |
851 | |
852 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) | |
0f113f3e MC |
853 | { |
854 | char *tmp = NULL; | |
855 | if (pre) { | |
856 | tmp = BUF_strdup(pre); | |
857 | if (tmp == NULL) | |
858 | return 0; | |
859 | } | |
b548a1f1 | 860 | OPENSSL_free(cctx->prefix); |
0f113f3e MC |
861 | cctx->prefix = tmp; |
862 | if (tmp) | |
863 | cctx->prefixlen = strlen(tmp); | |
864 | else | |
865 | cctx->prefixlen = 0; | |
866 | return 1; | |
867 | } | |
3db935a9 DSH |
868 | |
869 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) | |
0f113f3e MC |
870 | { |
871 | cctx->ssl = ssl; | |
872 | cctx->ctx = NULL; | |
873 | if (ssl) { | |
874 | cctx->poptions = &ssl->options; | |
875 | cctx->pcert_flags = &ssl->cert->cert_flags; | |
429261d0 | 876 | cctx->pvfy_flags = &ssl->verify_mode; |
0f113f3e MC |
877 | } else { |
878 | cctx->poptions = NULL; | |
879 | cctx->pcert_flags = NULL; | |
429261d0 | 880 | cctx->pvfy_flags = NULL; |
0f113f3e MC |
881 | } |
882 | } | |
3db935a9 DSH |
883 | |
884 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) | |
0f113f3e MC |
885 | { |
886 | cctx->ctx = ctx; | |
887 | cctx->ssl = NULL; | |
888 | if (ctx) { | |
889 | cctx->poptions = &ctx->options; | |
890 | cctx->pcert_flags = &ctx->cert->cert_flags; | |
429261d0 | 891 | cctx->pvfy_flags = &ctx->verify_mode; |
0f113f3e MC |
892 | } else { |
893 | cctx->poptions = NULL; | |
894 | cctx->pcert_flags = NULL; | |
429261d0 | 895 | cctx->pvfy_flags = NULL; |
0f113f3e MC |
896 | } |
897 | } |