[thirdparty/openssl.git] / ssl / ssl_conf.c

/*! \file ssl/ssl_conf.c
 *  \brief SSL configuration functions
 */
/* ====================================================================
 * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#ifdef REF_CHECK
#  include <assert.h>
#endif
#include <stdio.h>
#include "ssl_locl.h"
#include <openssl/conf.h>
#include <openssl/objects.h>

/* structure holding name tables. This is used for pemitted elements in
 * lists such as TLSv1 and single command line switches such as no_tls1
 */

typedef struct
	{
	const char *name;
	int namelen;
	unsigned int name_flags;
	unsigned long option_value;
	} ssl_flag_tbl;

/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
#define SSL_TFLAG_INV	0x1
/* Flags refers to cert_flags not options */
#define SSL_TFLAG_CERT	0x2
/* Option can only be used for clients */
#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
/* Option can only be used for servers */
#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER)

#define SSL_FLAG_TBL(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
#define SSL_FLAG_TBL_SRV(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
#define SSL_FLAG_TBL_CLI(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
#define SSL_FLAG_TBL_INV(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag}
#define SSL_FLAG_TBL_SRV_INV(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag}
#define SSL_FLAG_TBL_CERT(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}

/* Opaque structure containing SSL configuration context.
 */

struct ssl_conf_ctx_st
	{
	/* Various flags indicating (among other things) which options we
	 * will recognise.
	 */
	unsigned int flags;
	/* Prefix and length of commands */
	char *prefix;
	size_t prefixlen;
	/* SSL_CTX or SSL structure to perform operations on */
	SSL_CTX *ctx;
	SSL *ssl;
	/* Pointer to SSL or SSL_CTX options field or NULL if none */
	unsigned long *poptions;
	/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
	unsigned int *pcert_flags;
	/* Current flag table being worked on */
	const ssl_flag_tbl *tbl;
	/* Size of table */
	size_t ntbl;
	};

static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
				const char *name, int namelen, int onoff)
	{
	/* If name not relevant for context skip */
	if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
		return 0;
	if (namelen == -1)
		{
		if (strcmp(tbl->name, name))
			return 0;
		}
	else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen))
		return 0;
	if (cctx->poptions)
		{
		if (tbl->name_flags & SSL_TFLAG_INV)
			onoff ^= 1;
		if (tbl->name_flags & SSL_TFLAG_CERT)
			{
			if (onoff)
				*cctx->pcert_flags |= tbl->option_value;
			else
				*cctx->pcert_flags &= ~tbl->option_value;
			}
		else
			{
			if (onoff)
				*cctx->poptions |= tbl->option_value;
			else
				*cctx->poptions &= ~tbl->option_value;
			}
		}
	return 1;
	}

static int ssl_set_option_list(const char *elem, int len, void *usr)
	{
	SSL_CONF_CTX *cctx = usr;
	size_t i;
	const ssl_flag_tbl *tbl;
	int onoff = 1;
	/* len == -1 indicates not being called in list context, just for
	 * single command line switches, so don't allow +, -.
	 */
	if (len != -1)
		{
		if (*elem == '+')
			{
			elem++;
			len--;
			onoff = 1;
			}
		else if (*elem == '-')
			{
			elem++;
			len--;
			onoff = 0;
			}
		}
	for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++)
		{
		if (ssl_match_option(cctx, tbl, elem, len, onoff))
			return 1;
		}
	return 0;
	}

/* Single command line switches with no argument e.g. -no_ssl3 */
static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
	{
	static const ssl_flag_tbl ssl_option_single[] =
		{
		SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2),
		SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),
		SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
		SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
		SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
		SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
		SSL_FLAG_TBL("bugs", SSL_OP_ALL),
		SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),
#ifndef OPENSSL_NO_TLSEXT
		SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),
#endif
		SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),
		SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
		SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
		SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
		SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
		SSL_FLAG_TBL_CERT("debug_broken_protocol", SSL_CERT_FLAG_BROKEN_PROTOCOL),
#endif
		};
	cctx->tbl = ssl_option_single;
	cctx->ntbl = sizeof(ssl_option_single)/sizeof(ssl_flag_tbl);
	return ssl_set_option_list(cmd, -1, cctx);
	}

/* Set supported signature algorithms */
static int cmd_sigalgs(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv;
	if (cctx->ssl)
		rv = SSL_set1_sigalgs_list(cctx->ssl, value);
	/* NB: ctx == NULL performs syntax checking only */
	else
		rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
	return rv > 0;
	}
/* Set supported client signature algorithms */
static int cmd_client_sigalgs(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv;
	if (cctx->ssl)
		rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
	/* NB: ctx == NULL performs syntax checking only */
	else
		rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
	return rv > 0;
	}

static int cmd_curves(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv;
	if (cctx->ssl)
		rv = SSL_set1_curves_list(cctx->ssl, value);
	/* NB: ctx == NULL performs syntax checking only */
	else
		rv = SSL_CTX_set1_curves_list(cctx->ctx, value);
	return rv > 0;
	}

/* ECDH temporary parameters */
static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
	{
	int onoff = -1, rv = 1;
	if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
		return -2;
	if (cctx->flags & SSL_CONF_FLAG_FILE)
		{
		if (*value == '+')
			{
			onoff = 1;
			value++;
			}
		if (*value == '-')
			{
			onoff = 0;
			value++;
			}
		if (!strcasecmp(value, "automatic"))
			{
			if (onoff != -1)
				onoff = 1;
			}
		else if (onoff != -1)
			return 0;
		}
	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
		{
		if (!strcmp(value, "auto"))
			onoff = 1;
		}

	if (onoff != -1)
		{
		if (cctx->ctx)
			rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff);
		else if (cctx->ssl)
			rv = SSL_set_ecdh_auto(cctx->ssl, onoff);
		}
	else
		{
		EC_KEY *ecdh;
		int nid;
		nid = EC_curve_nist2nid(value);
		if (nid == NID_undef)
			nid = OBJ_sn2nid(value);
		if (nid == 0)
			return 0;
		ecdh = EC_KEY_new_by_curve_name(nid);
		if (!ecdh)
			return 0;
		if (cctx->ctx)
			rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh);
		else if (cctx->ssl)
			rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh);
		EC_KEY_free(ecdh);
		}

	return rv > 0;
	}

static int cmd_cipher_list(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv = 1;
	if (cctx->ctx)
		rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
	if (cctx->ssl)
		rv = SSL_set_cipher_list(cctx->ssl, value);
	return rv > 0;
	}

static int cmd_protocol(SSL_CONF_CTX *cctx, const char *value)
	{
	static const ssl_flag_tbl ssl_protocol_list[] =
		{
		SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
		SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
		SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
		SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
		SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
		SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
		};
	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
		return -2;
	cctx->tbl = ssl_protocol_list;
	cctx->ntbl = sizeof(ssl_protocol_list)/sizeof(ssl_flag_tbl);
	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
	}

static int cmd_options(SSL_CONF_CTX *cctx, const char *value)
	{
	static const ssl_flag_tbl ssl_option_list[] =
		{
		SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
		SSL_FLAG_TBL_INV("EmptyFragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
		SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
		SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
		SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
		SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
		SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
		SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
		};
	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
		return -2;
	if (value == NULL)
		return -3;
	cctx->tbl = ssl_option_list;
	cctx->ntbl = sizeof(ssl_option_list)/sizeof(ssl_flag_tbl);
	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
	}

typedef struct
	{
	int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
	const char *str_file;
	const char *str_cmdline;
	} ssl_conf_cmd_tbl;

/* Table of supported patameters */

static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
	{cmd_sigalgs,		"SignatureAlgorithms", "sigalgs"},
	{cmd_client_sigalgs,	"ClientSignatureAlgorithms", "client_sigalgs"},
	{cmd_curves,		"Curves", "curves"},
	{cmd_ecdhparam,		"ECDHParameters", "named_curve"},
	{cmd_cipher_list,	"CipherString", "cipher"},
	{cmd_protocol,		"Protocol", NULL},
	{cmd_options,		"Options", NULL},
};

int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
	{
	ssl_conf_cmd_tbl *t, *runcmd = NULL;
	size_t i;
	if (cmd == NULL)
		{
		SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
		return 0;
		}
	/* If a prefix is set, check and skip */
	if (cctx->prefix)
		{
		if (strlen(cmd) <= cctx->prefixlen)
			return -2;
		if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
			strncmp(cmd, cctx->prefix, cctx->prefixlen))
			return -2;
		if (cctx->flags & SSL_CONF_FLAG_FILE &&
			strncasecmp(cmd, cctx->prefix, cctx->prefixlen))
			return -2;
		cmd += cctx->prefixlen;
		}
	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
		{
		if (*cmd != '-' || !cmd[1])
			return -2;
		cmd++;
		}

	/* Look for matching parameter name in table */
	for (i = 0, t = ssl_conf_cmds;
		i < sizeof(ssl_conf_cmds)/sizeof(ssl_conf_cmd_tbl); i++, t++)
		{
		if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
			{
			if (t->str_cmdline && !strcmp(t->str_cmdline, cmd))
				{
				runcmd = t;
				break;
				}
			}
		if (cctx->flags & SSL_CONF_FLAG_FILE)
			{
			if (t->str_file && !strcasecmp(t->str_file, cmd))
				{
				runcmd = t;
				break;
				}
			}
		}

	if (runcmd)
		{
		int rv;
		if (value == NULL)
			return -3;
		rv = t->cmd(cctx, value);
		if (rv > 0)
			return 2;
		if (rv == -2)
			return -2;
		if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
			{
			SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
			ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
			}
		return 0;
		}

	if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
		{
		if (ctrl_str_option(cctx, cmd))
			return 1;
		}

	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
		{
		SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
		ERR_add_error_data(2, "cmd=", cmd);
		}

	return -2;
	}

int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv)
	{
	int rv;
	const char *arg = NULL, *argn;
	if (pargc && *pargc == 0)
		return 0;
	if (!pargc || *pargc > 0)
		arg = **pargv;
	if (arg == NULL)
		return 0;
	if (!pargc || *pargc > 1)
		argn = (*pargv)[1];
	else
		argn = NULL;
	cctx->flags &= ~SSL_CONF_FLAG_FILE;
	cctx->flags |= SSL_CONF_FLAG_CMDLINE;
	rv = SSL_CONF_cmd(cctx, arg, argn);
	if (rv > 0)
		{
		/* Success: update pargc, pargv */
		(*pargv) += rv;
		if (pargc)
			(*pargc) -= rv;
		return rv;
		}
	/* Unknown swicth: indicate no arguments processed */
	if (rv == -2)
		return 0;
	/* Some error occurred processing command, return fatal error */
	if (rv == 0)
		return -1;
	return rv;
	}

SSL_CONF_CTX *SSL_CONF_CTX_new(void)
	{
	SSL_CONF_CTX *ret;
	ret = OPENSSL_malloc(sizeof(SSL_CONF_CTX));
	if (ret)
		{
		ret->flags = 0;
		ret->prefix = NULL;
		ret->prefixlen = 0;
		ret->ssl = NULL;
		ret->ctx = NULL;
		ret->poptions = NULL;
		ret->pcert_flags = NULL;
		ret->tbl = NULL;
		ret->ntbl = 0;
		}
	return ret;
	}

void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
	{
	if (cctx)
		{
		if (cctx->prefix)
			OPENSSL_free(cctx->prefix);
		OPENSSL_free(cctx);
		}
	}

unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
	{
	cctx->flags |= flags;
	return cctx->flags;
	}

unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
	{
	cctx->flags &= ~flags;
	return cctx->flags;
	}

int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre)
	{
	char *tmp = NULL;
	if (pre)
		{
		tmp = BUF_strdup(pre);
		if (tmp == NULL)
			return 0;
		}
	if (cctx->prefix)
		OPENSSL_free(cctx->prefix);
	cctx->prefix = tmp;
	if (tmp)
		cctx->prefixlen = strlen(tmp);
	else
		cctx->prefixlen = 0;
	return 1;
	}

void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
	{
	cctx->ssl = ssl;
	cctx->ctx = NULL;
	if (ssl)
		{
		cctx->poptions = &ssl->options;
		cctx->pcert_flags = &ssl->cert->cert_flags;
		}
	else
		{
		cctx->poptions = NULL;
		cctx->pcert_flags = NULL;
		}
	}

void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
	{
	cctx->ctx = ctx;
	cctx->ssl = NULL;
	if (ctx)
		{
		cctx->poptions = &ctx->options;
		cctx->pcert_flags = &ctx->cert->cert_flags;
		}
	else
		{
		cctx->poptions = NULL;
		cctx->pcert_flags = NULL;
		}
	}
Commit	Line	Data
3db935a9 DSH	1	/*! \file ssl/ssl_conf.c
	2	* \brief SSL configuration functions
	3	*/
	4	/* ====================================================================
	5	* Copyright (c) 2012 The OpenSSL Project. All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	*
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	*
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in
	16	* the documentation and/or other materials provided with the
	17	* distribution.
	18	*
	19	* 3. All advertising materials mentioning features or use of this
	20	* software must display the following acknowledgment:
	21	* "This product includes software developed by the OpenSSL Project
	22	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	23	*
	24	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	25	* endorse or promote products derived from this software without
	26	* prior written permission. For written permission, please contact
	27	* openssl-core@openssl.org.
	28	*
	29	* 5. Products derived from this software may not be called "OpenSSL"
	30	* nor may "OpenSSL" appear in their names without prior written
	31	* permission of the OpenSSL Project.
	32	*
	33	* 6. Redistributions of any form whatsoever must retain the following
	34	* acknowledgment:
	35	* "This product includes software developed by the OpenSSL Project
	36	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	37	*
	38	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	39	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	40	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	41	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	42	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	43	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	44	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	45	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	46	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	47	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	48	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	49	* OF THE POSSIBILITY OF SUCH DAMAGE.
	50	* ====================================================================
	51	*
	52	* This product includes cryptographic software written by Eric Young
	53	* (eay@cryptsoft.com). This product includes software written by Tim
	54	* Hudson (tjh@cryptsoft.com).
	55	*
	56	*/
	57
	58	#ifdef REF_CHECK
	59	# include <assert.h>
	60	#endif
	61	#include <stdio.h>
	62	#include "ssl_locl.h"
	63	#include <openssl/conf.h>
	64	#include <openssl/objects.h>
65
66	/* structure holding name tables. This is used for pemitted elements in
67	* lists such as TLSv1 and single command line switches such as no_tls1
68	*/
69
70	typedef struct
71	{
72	const char *name;
73	int namelen;
74	unsigned int name_flags;
75	unsigned long option_value;
76	} ssl_flag_tbl;
77
78	/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
79	#define SSL_TFLAG_INV 0x1
80	/* Flags refers to cert_flags not options */
81	#define SSL_TFLAG_CERT 0x2
82	/* Option can only be used for clients */
83	#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
84	/* Option can only be used for servers */
85	#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
86	#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT\|SSL_TFLAG_SERVER)
87
88	#define SSL_FLAG_TBL(str, flag) \
89	{str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
90	#define SSL_FLAG_TBL_SRV(str, flag) \
91	{str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
92	#define SSL_FLAG_TBL_CLI(str, flag) \
93	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
94	#define SSL_FLAG_TBL_INV(str, flag) \
95	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV\|SSL_TFLAG_BOTH, flag}
96	#define SSL_FLAG_TBL_SRV_INV(str, flag) \
97	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV\|SSL_TFLAG_SERVER, flag}
98	#define SSL_FLAG_TBL_CERT(str, flag) \
99	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT\|SSL_TFLAG_BOTH, flag}
100
101	/* Opaque structure containing SSL configuration context.
102	*/
103
104	struct ssl_conf_ctx_st
105	{
106	/* Various flags indicating (among other things) which options we
107	* will recognise.
108	*/
109	unsigned int flags;
110	/* Prefix and length of commands */
111	char *prefix;
112	size_t prefixlen;
113	/* SSL_CTX or SSL structure to perform operations on */
114	SSL_CTX *ctx;
115	SSL *ssl;
116	/* Pointer to SSL or SSL_CTX options field or NULL if none */
117	unsigned long *poptions;
118	/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
119	unsigned int *pcert_flags;
120	/* Current flag table being worked on */
121	const ssl_flag_tbl *tbl;
122	/* Size of table */
123	size_t ntbl;
124	};
125
126	static int ssl_match_option(SSL_CONF_CTX cctx, const ssl_flag_tbl tbl,
127	const char *name, int namelen, int onoff)
128	{
129	/* If name not relevant for context skip */
130	if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
131	return 0;
132	if (namelen == -1)
133	{
134	if (strcmp(tbl->name, name))
135	return 0;
136	}
137	else if (tbl->namelen != namelen \|\| strncasecmp(tbl->name, name, namelen))
138	return 0;
139	if (cctx->poptions)
140	{
141	if (tbl->name_flags & SSL_TFLAG_INV)
142	onoff ^= 1;
143	if (tbl->name_flags & SSL_TFLAG_CERT)
144	{
145	if (onoff)
146	*cctx->pcert_flags \|= tbl->option_value;
147	else
148	*cctx->pcert_flags &= ~tbl->option_value;
149	}
150	else
151	{
152	if (onoff)
153	*cctx->poptions \|= tbl->option_value;
154	else
155	*cctx->poptions &= ~tbl->option_value;
156	}
157	}
158	return 1;
159	}
160
161	static int ssl_set_option_list(const char elem, int len, void usr)
162	{
163	SSL_CONF_CTX *cctx = usr;
164	size_t i;
165	const ssl_flag_tbl *tbl;
166	int onoff = 1;
167	/* len == -1 indicates not being called in list context, just for
168	* single command line switches, so don't allow +, -.
169	*/
170	if (len != -1)
171	{
172	if (*elem == '+')
173	{
174	elem++;
175	len--;
176	onoff = 1;
177	}
178	else if (*elem == '-')
179	{
180	elem++;
181	len--;
182	onoff = 0;
183	}
184	}
185	for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++)
186	{
187	if (ssl_match_option(cctx, tbl, elem, len, onoff))
188	return 1;
189	}
190	return 0;
191	}
192
193	/* Single command line switches with no argument e.g. -no_ssl3 */
194	static int ctrl_str_option(SSL_CONF_CTX cctx, const char cmd)
195	{
196	static const ssl_flag_tbl ssl_option_single[] =
197	{
198	SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2),
199	SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),
200	SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
201	SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
202	SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
203	SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
204	SSL_FLAG_TBL("bugs", SSL_OP_ALL),
205	SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),
206	#ifndef OPENSSL_NO_TLSEXT
207	SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),
208	#endif
209	SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),
210	SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
211	SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
212	SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
213	SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),
214	#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
215	SSL_FLAG_TBL_CERT("debug_broken_protocol", SSL_CERT_FLAG_BROKEN_PROTOCOL),
216	#endif
217	};
218	cctx->tbl = ssl_option_single;
219	cctx->ntbl = sizeof(ssl_option_single)/sizeof(ssl_flag_tbl);
220	return ssl_set_option_list(cmd, -1, cctx);
221	}
222
223	/* Set supported signature algorithms */
224	static int cmd_sigalgs(SSL_CONF_CTX cctx, const char value)
225	{
226	int rv;
227	if (cctx->ssl)
228	rv = SSL_set1_sigalgs_list(cctx->ssl, value);
229	/* NB: ctx == NULL performs syntax checking only */
230	else
231	rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
232	return rv > 0;
233	}
234	/* Set supported client signature algorithms */
235	static int cmd_client_sigalgs(SSL_CONF_CTX cctx, const char value)
236	{
237	int rv;
238	if (cctx->ssl)
239	rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
240	/* NB: ctx == NULL performs syntax checking only */
241	else
242	rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
243	return rv > 0;
244	}
245
246	static int cmd_curves(SSL_CONF_CTX cctx, const char value)
247	{
248	int rv;
3db935a9 DSH	249	if (cctx->ssl)
	250	rv = SSL_set1_curves_list(cctx->ssl, value);
	251	/* NB: ctx == NULL performs syntax checking only */
	252	else
	253	rv = SSL_CTX_set1_curves_list(cctx->ctx, value);
	254	return rv > 0;
	255	}
	256
	257	/* ECDH temporary parameters */
	258	static int cmd_ecdhparam(SSL_CONF_CTX cctx, const char value)
	259	{
	260	int onoff = -1, rv = 1;
	261	if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
	262	return -2;
	263	if (cctx->flags & SSL_CONF_FLAG_FILE)
	264	{
	265	if (*value == '+')
	266	{
	267	onoff = 1;
	268	value++;
	269	}
	270	if (*value == '-')
	271	{
	272	onoff = 0;
	273	value++;
	274	}
f1f5c70a DSH	275	if (!strcasecmp(value, "automatic"))
	276	{
	277	if (onoff != -1)
	278	onoff = 1;
	279	}
	280	else if (onoff != -1)
3db935a9 DSH	281	return 0;
	282	}
	283	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
	284	{
	285	if (!strcmp(value, "auto"))
	286	onoff = 1;
	287	}
	288
	289	if (onoff != -1)
	290	{
	291	if (cctx->ctx)
	292	rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff);
	293	else if (cctx->ssl)
	294	rv = SSL_set_ecdh_auto(cctx->ssl, onoff);
	295	}
	296	else
	297	{
	298	EC_KEY *ecdh;
	299	int nid;
	300	nid = EC_curve_nist2nid(value);
	301	if (nid == NID_undef)
	302	nid = OBJ_sn2nid(value);
	303	if (nid == 0)
	304	return 0;
	305	ecdh = EC_KEY_new_by_curve_name(nid);
	306	if (!ecdh)
	307	return 0;
	308	if (cctx->ctx)
	309	rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh);
	310	else if (cctx->ssl)
	311	rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh);
	312	EC_KEY_free(ecdh);
	313	}
	314
	315	return rv > 0;
	316	}
	317
	318	static int cmd_cipher_list(SSL_CONF_CTX cctx, const char value)
	319	{
	320	int rv = 1;
	321	if (cctx->ctx)
	322	rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
	323	if (cctx->ssl)
	324	rv = SSL_set_cipher_list(cctx->ssl, value);
878b5d07	325	return rv > 0;
3db935a9 DSH	326	}
	327
	328	static int cmd_protocol(SSL_CONF_CTX cctx, const char value)
	329	{
	330	static const ssl_flag_tbl ssl_protocol_list[] =
	331	{
	332	SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
	333	SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
	334	SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
	335	SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
	336	SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
	337	SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
	338	};
	339	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
	340	return -2;
	341	cctx->tbl = ssl_protocol_list;
	342	cctx->ntbl = sizeof(ssl_protocol_list)/sizeof(ssl_flag_tbl);
	343	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
	344	}
	345
	346	static int cmd_options(SSL_CONF_CTX cctx, const char value)
	347	{
	348	static const ssl_flag_tbl ssl_option_list[] =
	349	{
	350	SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
	351	SSL_FLAG_TBL_INV("EmptyFragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
	352	SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
	353	SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
	354	SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
	355	SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
	356	SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
	357	SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
	358	};
	359	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
	360	return -2;
	361	if (value == NULL)
	362	return -3;
	363	cctx->tbl = ssl_option_list;
	364	cctx->ntbl = sizeof(ssl_option_list)/sizeof(ssl_flag_tbl);
	365	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
	366	}
	367
	368	typedef struct
	369	{
	370	int (cmd)(SSL_CONF_CTX cctx, const char *value);
	371	const char *str_file;
	372	const char *str_cmdline;
	373	} ssl_conf_cmd_tbl;
	374
	375	/* Table of supported patameters */
	376
	377	static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
	378	{cmd_sigalgs, "SignatureAlgorithms", "sigalgs"},
	379	{cmd_client_sigalgs, "ClientSignatureAlgorithms", "client_sigalgs"},
	380	{cmd_curves, "Curves", "curves"},
	381	{cmd_ecdhparam, "ECDHParameters", "named_curve"},
	382	{cmd_cipher_list, "CipherString", "cipher"},
	383	{cmd_protocol, "Protocol", NULL},
	384	{cmd_options, "Options", NULL},
	385	};
	386
	387	int SSL_CONF_cmd(SSL_CONF_CTX cctx, const char cmd, const char *value)
	388	{
	389	ssl_conf_cmd_tbl t, runcmd = NULL;
390	size_t i;
391	if (cmd == NULL)
392	{
4842dde8	393	SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
3db935a9 DSH	394	return 0;
	395	}
	396	/* If a prefix is set, check and skip */
	397	if (cctx->prefix)
	398	{
	399	if (strlen(cmd) <= cctx->prefixlen)
	400	return -2;
	401	if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
	402	strncmp(cmd, cctx->prefix, cctx->prefixlen))
	403	return -2;
	404	if (cctx->flags & SSL_CONF_FLAG_FILE &&
	405	strncasecmp(cmd, cctx->prefix, cctx->prefixlen))
	406	return -2;
	407	cmd += cctx->prefixlen;
	408	}
	409	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
	410	{
	411	if (*cmd != '-' \|\| !cmd[1])
	412	return -2;
	413	cmd++;
	414	}
	415
	416	/* Look for matching parameter name in table */
	417	for (i = 0, t = ssl_conf_cmds;
	418	i < sizeof(ssl_conf_cmds)/sizeof(ssl_conf_cmd_tbl); i++, t++)
	419	{
	420	if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
	421	{
	422	if (t->str_cmdline && !strcmp(t->str_cmdline, cmd))
	423	{
	424	runcmd = t;
	425	break;
	426	}
	427	}
	428	if (cctx->flags & SSL_CONF_FLAG_FILE)
	429	{
	430	if (t->str_file && !strcasecmp(t->str_file, cmd))
	431	{
	432	runcmd = t;
	433	break;
	434	}
	435	}
	436	}
	437
	438	if (runcmd)
	439	{
878b5d07	440	int rv;
3db935a9 DSH	441	if (value == NULL)
3db935a9 DSH	442	return -3;
878b5d07 DSH	443	rv = t->cmd(cctx, value);
878b5d07 DSH	444	if (rv > 0)
3db935a9	445	return 2;
878b5d07 DSH	446	if (rv == -2)
878b5d07 DSH	447	return -2;
3db935a9 DSH	448	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
3db935a9 DSH	449	{
4842dde8	450	SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
3db935a9 DSH	451	ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
3db935a9 DSH	452	}
878b5d07	453	return 0;
3db935a9 DSH	454	}
	455
	456	if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
	457	{
	458	if (ctrl_str_option(cctx, cmd))
	459	return 1;
	460	}
	461
	462	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
	463	{
4842dde8	464	SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
3db935a9 DSH	465	ERR_add_error_data(2, "cmd=", cmd);
	466	}
	467
	468	return -2;
	469	}
	470
	471	int SSL_CONF_cmd_argv(SSL_CONF_CTX cctx, int pargc, char ***pargv)
	472	{
	473	int rv;
ddd13d67	474	const char arg = NULL, argn;
3db935a9 DSH	475	if (pargc && *pargc == 0)
	476	return 0;
	477	if (!pargc \|\| *pargc > 0)
	478	arg = **pargv;
	479	if (arg == NULL)
	480	return 0;
	481	if (!pargc \|\| *pargc > 1)
	482	argn = (*pargv)[1];
	483	else
	484	argn = NULL;
	485	cctx->flags &= ~SSL_CONF_FLAG_FILE;
	486	cctx->flags \|= SSL_CONF_FLAG_CMDLINE;
	487	rv = SSL_CONF_cmd(cctx, arg, argn);
	488	if (rv > 0)
	489	{
	490	/* Success: update pargc, pargv */
	491	(*pargv) += rv;
	492	if (pargc)
	493	(*pargc) -= rv;
	494	return rv;
	495	}
	496	/* Unknown swicth: indicate no arguments processed */
	497	if (rv == -2)
	498	return 0;
	499	/* Some error occurred processing command, return fatal error */
	500	if (rv == 0)
	501	return -1;
	502	return rv;
	503	}
	504
	505	SSL_CONF_CTX *SSL_CONF_CTX_new(void)
	506	{
	507	SSL_CONF_CTX *ret;
	508	ret = OPENSSL_malloc(sizeof(SSL_CONF_CTX));
	509	if (ret)
	510	{
	511	ret->flags = 0;
	512	ret->prefix = NULL;
	513	ret->prefixlen = 0;
	514	ret->ssl = NULL;
	515	ret->ctx = NULL;
	516	ret->poptions = NULL;
	517	ret->pcert_flags = NULL;
	518	ret->tbl = NULL;
	519	ret->ntbl = 0;
	520	}
	521	return ret;
	522	}
	523
	524	void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
	525	{
	526	if (cctx)
	527	{
	528	if (cctx->prefix)
	529	OPENSSL_free(cctx->prefix);
	530	OPENSSL_free(cctx);
	531	}
	532	}
	533
	534	unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
	535	{
	536	cctx->flags \|= flags;
	537	return cctx->flags;
	538	}
539
540	unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
541	{
542	cctx->flags &= ~flags;
543	return cctx->flags;
544	}
545
546	int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX cctx, const char pre)
547	{
548	char *tmp = NULL;
549	if (pre)
550	{
551	tmp = BUF_strdup(pre);
552	if (tmp == NULL)
553	return 0;
554	}
555	if (cctx->prefix)
556	OPENSSL_free(cctx->prefix);
557	cctx->prefix = tmp;
558	if (tmp)
559	cctx->prefixlen = strlen(tmp);
560	else
561	cctx->prefixlen = 0;
562	return 1;
563	}
564
565	void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX cctx, SSL ssl)
566	{
567	cctx->ssl = ssl;
568	cctx->ctx = NULL;
569	if (ssl)
570	{
571	cctx->poptions = &ssl->options;
572	cctx->pcert_flags = &ssl->cert->cert_flags;
573	}
574	else
575	{
576	cctx->poptions = NULL;
577	cctx->pcert_flags = NULL;
578	}
579	}
580
581	void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX cctx, SSL_CTX ctx)
582	{
583	cctx->ctx = ctx;
584	cctx->ssl = NULL;
585	if (ctx)
586	{
587	cctx->poptions = &ctx->options;
588	cctx->pcert_flags = &ctx->cert->cert_flags;
589	}
590	else
591	{
592	cctx->poptions = NULL;
593	cctx->pcert_flags = NULL;
594	}
595	}