projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 3db935a9 DSH |
1 | /*! \file ssl/ssl_conf.c |
| 2 | * \brief SSL configuration functions | |
| 3 | */ | |
| 4 | /* ==================================================================== | |
| 5 | * Copyright (c) 2012 The OpenSSL Project. All rights reserved. | |
| 6 | * | |
| 7 | * Redistribution and use in source and binary forms, with or without | |
| 8 | * modification, are permitted provided that the following conditions | |
| 9 | * are met: | |
| 10 | * | |
| 11 | * 1. Redistributions of source code must retain the above copyright | |
| 12 | * notice, this list of conditions and the following disclaimer. | |
| 13 | * | |
| 14 | * 2. Redistributions in binary form must reproduce the above copyright | |
| 15 | * notice, this list of conditions and the following disclaimer in | |
| 16 | * the documentation and/or other materials provided with the | |
| 17 | * distribution. | |
| 18 | * | |
| 19 | * 3. All advertising materials mentioning features or use of this | |
| 20 | * software must display the following acknowledgment: | |
| 21 | * "This product includes software developed by the OpenSSL Project | |
| 22 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
| 23 | * | |
| 24 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
| 25 | * endorse or promote products derived from this software without | |
| 26 | * prior written permission. For written permission, please contact | |
| 27 | * openssl-core@openssl.org. | |
| 28 | * | |
| 29 | * 5. Products derived from this software may not be called "OpenSSL" | |
| 30 | * nor may "OpenSSL" appear in their names without prior written | |
| 31 | * permission of the OpenSSL Project. | |
| 32 | * | |
| 33 | * 6. Redistributions of any form whatsoever must retain the following | |
| 34 | * acknowledgment: | |
| 35 | * "This product includes software developed by the OpenSSL Project | |
| 36 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
| 37 | * | |
| 38 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
| 39 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 40 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
| 41 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
| 42 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
| 43 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
| 44 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
| 45 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
| 46 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
| 47 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
| 48 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
| 49 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 50 | * ==================================================================== | |
| 51 | * | |
| 52 | * This product includes cryptographic software written by Eric Young | |
| 53 | * (eay@cryptsoft.com). This product includes software written by Tim | |
| 54 | * Hudson (tjh@cryptsoft.com). | |
| 55 | * | |
| 56 | */ | |
| 57 | ||
| 58 | #ifdef REF_CHECK | |
| 59 | # include <assert.h> | |
| 60 | #endif | |
| 61 | #include <stdio.h> | |
| 62 | #include "ssl_locl.h" | |
| 63 | #include <openssl/conf.h> | |
| 64 | #include <openssl/objects.h> | |
| 96e16bdd DSH |
65 | #ifndef OPENSSL_NO_DH |
| 66 | #include <openssl/dh.h> | |
| 67 | #endif | |
| 3db935a9 DSH |
68 | |
| 69 | /* structure holding name tables. This is used for pemitted elements in | |
| 70 | * lists such as TLSv1 and single command line switches such as no_tls1 | |
| 71 | */ | |
| 72 | ||
| 73 | typedef struct | |
| 74 | { | |
| 75 | const char *name; | |
| 76 | int namelen; | |
| 77 | unsigned int name_flags; | |
| 78 | unsigned long option_value; | |
| 79 | } ssl_flag_tbl; | |
| 80 | ||
| 81 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ | |
| 82 | #define SSL_TFLAG_INV 0x1 | |
| 83 | /* Flags refers to cert_flags not options */ | |
| 84 | #define SSL_TFLAG_CERT 0x2 | |
| 85 | /* Option can only be used for clients */ | |
| 86 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT | |
| 87 | /* Option can only be used for servers */ | |
| 88 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER | |
| 89 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) | |
| 90 | ||
| 91 | #define SSL_FLAG_TBL(str, flag) \ | |
| 92 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} | |
| 93 | #define SSL_FLAG_TBL_SRV(str, flag) \ | |
| 94 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} | |
| 95 | #define SSL_FLAG_TBL_CLI(str, flag) \ | |
| 96 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} | |
| 97 | #define SSL_FLAG_TBL_INV(str, flag) \ | |
| 98 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} | |
| 99 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ | |
| 100 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} | |
| 101 | #define SSL_FLAG_TBL_CERT(str, flag) \ | |
| 102 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} | |
| 103 | ||
| 104 | /* Opaque structure containing SSL configuration context. | |
| 105 | */ | |
| 106 | ||
| 107 | struct ssl_conf_ctx_st | |
| 108 | { | |
| 109 | /* Various flags indicating (among other things) which options we | |
| 110 | * will recognise. | |
| 111 | */ | |
| 112 | unsigned int flags; | |
| 113 | /* Prefix and length of commands */ | |
| 114 | char *prefix; | |
| 115 | size_t prefixlen; | |
| 116 | /* SSL_CTX or SSL structure to perform operations on */ | |
| 117 | SSL_CTX *ctx; | |
| 118 | SSL *ssl; | |
| 119 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ | |
| 120 | unsigned long *poptions; | |
| 121 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ | |
| 122 | unsigned int *pcert_flags; | |
| 123 | /* Current flag table being worked on */ | |
| 124 | const ssl_flag_tbl *tbl; | |
| 125 | /* Size of table */ | |
| 126 | size_t ntbl; | |
| 127 | }; | |
| 128 | ||
| 129 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, | |
| 130 | const char *name, int namelen, int onoff) | |
| 131 | { | |
| 132 | /* If name not relevant for context skip */ | |
| 133 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) | |
| 134 | return 0; | |
| 135 | if (namelen == -1) | |
| 136 | { | |
| 137 | if (strcmp(tbl->name, name)) | |
| 138 | return 0; | |
| 139 | } | |
| 140 | else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen)) | |
| 141 | return 0; | |
| 142 | if (cctx->poptions) | |
| 143 | { | |
| 144 | if (tbl->name_flags & SSL_TFLAG_INV) | |
| 145 | onoff ^= 1; | |
| 146 | if (tbl->name_flags & SSL_TFLAG_CERT) | |
| 147 | { | |
| 148 | if (onoff) | |
| 149 | *cctx->pcert_flags |= tbl->option_value; | |
| 150 | else | |
| 151 | *cctx->pcert_flags &= ~tbl->option_value; | |
| 152 | } | |
| 153 | else | |
| 154 | { | |
| 155 | if (onoff) | |
| 156 | *cctx->poptions |= tbl->option_value; | |
| 157 | else | |
| 158 | *cctx->poptions &= ~tbl->option_value; | |
| 159 | } | |
| 160 | } | |
| 161 | return 1; | |
| 162 | } | |
| 163 | ||
| 164 | static int ssl_set_option_list(const char *elem, int len, void *usr) | |
| 165 | { | |
| 166 | SSL_CONF_CTX *cctx = usr; | |
| 167 | size_t i; | |
| 168 | const ssl_flag_tbl *tbl; | |
| 169 | int onoff = 1; | |
| 170 | /* len == -1 indicates not being called in list context, just for | |
| 171 | * single command line switches, so don't allow +, -. | |
| 172 | */ | |
| 173 | if (len != -1) | |
| 174 | { | |
| 175 | if (*elem == '+') | |
| 176 | { | |
| 177 | elem++; | |
| 178 | len--; | |
| 179 | onoff = 1; | |
| 180 | } | |
| 181 | else if (*elem == '-') | |
| 182 | { | |
| 183 | elem++; | |
| 184 | len--; | |
| 185 | onoff = 0; | |
| 186 | } | |
| 187 | } | |
| 188 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) | |
| 189 | { | |
| 190 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) | |
| 191 | return 1; | |
| 192 | } | |
| 193 | return 0; | |
| 194 | } | |
| 195 | ||
| 196 | /* Single command line switches with no argument e.g. -no_ssl3 */ | |
| 197 | static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd) | |
| 198 | { | |
| 199 | static const ssl_flag_tbl ssl_option_single[] = | |
| 200 | { | |
| 201 | SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2), | |
| 202 | SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3), | |
| 203 | SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1), | |
| 204 | SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1), | |
| 205 | SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2), | |
| 3db935a9 DSH |
206 | SSL_FLAG_TBL("bugs", SSL_OP_ALL), |
| 207 | SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION), | |
| a9bc1af9 | 208 | SSL_FLAG_TBL_SRV("ecdh_single", SSL_OP_SINGLE_ECDH_USE), |
| 3db935a9 DSH |
209 | #ifndef OPENSSL_NO_TLSEXT |
| 210 | SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET), | |
| 211 | #endif | |
| 212 | SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
| 213 | SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
| 214 | SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT), | |
| 215 | SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT), | |
| 216 | SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT), | |
| 217 | #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL | |
| 218 | SSL_FLAG_TBL_CERT("debug_broken_protocol", SSL_CERT_FLAG_BROKEN_PROTOCOL), | |
| 219 | #endif | |
| 220 | }; | |
| 221 | cctx->tbl = ssl_option_single; | |
| 222 | cctx->ntbl = sizeof(ssl_option_single)/sizeof(ssl_flag_tbl); | |
| 223 | return ssl_set_option_list(cmd, -1, cctx); | |
| 224 | } | |
| 225 | ||
| 226 | /* Set supported signature algorithms */ | |
| ec2f7e56 | 227 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
228 | { |
| 229 | int rv; | |
| 230 | if (cctx->ssl) | |
| 231 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); | |
| 232 | /* NB: ctx == NULL performs syntax checking only */ | |
| 233 | else | |
| 234 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); | |
| 235 | return rv > 0; | |
| 236 | } | |
| 237 | /* Set supported client signature algorithms */ | |
| ec2f7e56 | 238 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
239 | { |
| 240 | int rv; | |
| 241 | if (cctx->ssl) | |
| 242 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); | |
| 243 | /* NB: ctx == NULL performs syntax checking only */ | |
| 244 | else | |
| 245 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); | |
| 246 | return rv > 0; | |
| 247 | } | |
| 248 | ||
| ec2f7e56 | 249 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
250 | { |
| 251 | int rv; | |
| 3db935a9 DSH |
252 | if (cctx->ssl) |
| 253 | rv = SSL_set1_curves_list(cctx->ssl, value); | |
| 254 | /* NB: ctx == NULL performs syntax checking only */ | |
| 255 | else | |
| 256 | rv = SSL_CTX_set1_curves_list(cctx->ctx, value); | |
| 257 | return rv > 0; | |
| 258 | } | |
| 14536c8c | 259 | #ifndef OPENSSL_NO_ECDH |
| 3db935a9 | 260 | /* ECDH temporary parameters */ |
| ec2f7e56 | 261 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
262 | { |
| 263 | int onoff = -1, rv = 1; | |
| 264 | if (!(cctx->flags & SSL_CONF_FLAG_SERVER)) | |
| 265 | return -2; | |
| 266 | if (cctx->flags & SSL_CONF_FLAG_FILE) | |
| 267 | { | |
| 268 | if (*value == '+') | |
| 269 | { | |
| 270 | onoff = 1; | |
| 271 | value++; | |
| 272 | } | |
| 273 | if (*value == '-') | |
| 274 | { | |
| 275 | onoff = 0; | |
| 276 | value++; | |
| 277 | } | |
| f1f5c70a DSH |
278 | if (!strcasecmp(value, "automatic")) |
| 279 | { | |
| 1edf8f1b | 280 | if (onoff == -1) |
| f1f5c70a DSH |
281 | onoff = 1; |
| 282 | } | |
| 283 | else if (onoff != -1) | |
| 3db935a9 DSH |
284 | return 0; |
| 285 | } | |
| 286 | else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) | |
| 287 | { | |
| 288 | if (!strcmp(value, "auto")) | |
| 289 | onoff = 1; | |
| 290 | } | |
| 291 | ||
| 292 | if (onoff != -1) | |
| 293 | { | |
| 294 | if (cctx->ctx) | |
| 295 | rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff); | |
| 296 | else if (cctx->ssl) | |
| 297 | rv = SSL_set_ecdh_auto(cctx->ssl, onoff); | |
| 298 | } | |
| 299 | else | |
| 300 | { | |
| 301 | EC_KEY *ecdh; | |
| 302 | int nid; | |
| 303 | nid = EC_curve_nist2nid(value); | |
| 304 | if (nid == NID_undef) | |
| 305 | nid = OBJ_sn2nid(value); | |
| 306 | if (nid == 0) | |
| 307 | return 0; | |
| 308 | ecdh = EC_KEY_new_by_curve_name(nid); | |
| 309 | if (!ecdh) | |
| 310 | return 0; | |
| 311 | if (cctx->ctx) | |
| 312 | rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); | |
| 313 | else if (cctx->ssl) | |
| 314 | rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); | |
| 315 | EC_KEY_free(ecdh); | |
| 316 | } | |
| 317 | ||
| 318 | return rv > 0; | |
| 319 | } | |
| 14536c8c | 320 | #endif |
| ec2f7e56 | 321 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
322 | { |
| 323 | int rv = 1; | |
| 324 | if (cctx->ctx) | |
| 325 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); | |
| 326 | if (cctx->ssl) | |
| 327 | rv = SSL_set_cipher_list(cctx->ssl, value); | |
| 878b5d07 | 328 | return rv > 0; |
| 3db935a9 DSH |
329 | } |
| 330 | ||
| ec2f7e56 | 331 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
332 | { |
| 333 | static const ssl_flag_tbl ssl_protocol_list[] = | |
| 334 | { | |
| 335 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), | |
| 336 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), | |
| 337 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), | |
| 338 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), | |
| 339 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), | |
| 340 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2) | |
| 341 | }; | |
| 342 | if (!(cctx->flags & SSL_CONF_FLAG_FILE)) | |
| 343 | return -2; | |
| 344 | cctx->tbl = ssl_protocol_list; | |
| 345 | cctx->ntbl = sizeof(ssl_protocol_list)/sizeof(ssl_flag_tbl); | |
| 346 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
| 347 | } | |
| 348 | ||
| ec2f7e56 | 349 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
| 3db935a9 DSH |
350 | { |
| 351 | static const ssl_flag_tbl ssl_option_list[] = | |
| 352 | { | |
| 353 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), | |
| 354 | SSL_FLAG_TBL_INV("EmptyFragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), | |
| 355 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), | |
| 356 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), | |
| 357 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
| 358 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), | |
| 359 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), | |
| 360 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
| 361 | }; | |
| 362 | if (!(cctx->flags & SSL_CONF_FLAG_FILE)) | |
| 363 | return -2; | |
| 364 | if (value == NULL) | |
| 365 | return -3; | |
| 366 | cctx->tbl = ssl_option_list; | |
| 367 | cctx->ntbl = sizeof(ssl_option_list)/sizeof(ssl_flag_tbl); | |
| 368 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
| 369 | } | |
| 370 | ||
| ec2f7e56 DSH |
371 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
| 372 | { | |
| 373 | int rv = 1; | |
| 374 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
| 375 | return -2; | |
| 376 | if (cctx->ctx) | |
| 377 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); | |
| 378 | if (cctx->ssl) | |
| 379 | rv = SSL_use_certificate_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
| 380 | return rv > 0; | |
| 381 | } | |
| 382 | ||
| 383 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) | |
| 384 | { | |
| 385 | int rv = 1; | |
| 386 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
| 387 | return -2; | |
| 388 | if (cctx->ctx) | |
| 389 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); | |
| 390 | if (cctx->ssl) | |
| 391 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
| 392 | return rv > 0; | |
| 393 | } | |
| c557f921 DSH |
394 | #ifndef OPENSSL_NO_DH |
| 395 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) | |
| 396 | { | |
| 397 | int rv = 0; | |
| 398 | DH *dh = NULL; | |
| 399 | BIO *in = NULL; | |
| 400 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
| 401 | return -2; | |
| 402 | if (cctx->ctx || cctx->ssl) | |
| 403 | { | |
| 404 | in = BIO_new(BIO_s_file_internal()); | |
| 405 | if (!in) | |
| 406 | goto end; | |
| 407 | if (BIO_read_filename(in, value) <= 0) | |
| 408 | goto end; | |
| 409 | dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); | |
| 410 | if (!dh) | |
| 411 | goto end; | |
| 412 | } | |
| 413 | else | |
| 414 | return 1; | |
| 415 | if (cctx->ctx) | |
| 416 | rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); | |
| 417 | if (cctx->ssl) | |
| 418 | rv = SSL_set_tmp_dh(cctx->ssl, dh); | |
| 419 | end: | |
| 420 | if (dh) | |
| 421 | DH_free(dh); | |
| 422 | if (in) | |
| 423 | BIO_free(in); | |
| 424 | return rv > 0; | |
| 425 | } | |
| 426 | #endif | |
| 3db935a9 DSH |
427 | typedef struct |
| 428 | { | |
| 429 | int (*cmd)(SSL_CONF_CTX *cctx, const char *value); | |
| 430 | const char *str_file; | |
| 431 | const char *str_cmdline; | |
| ec2f7e56 | 432 | unsigned int value_type; |
| 3db935a9 DSH |
433 | } ssl_conf_cmd_tbl; |
| 434 | ||
| ec2f7e56 DSH |
435 | /* Table of supported parameters */ |
| 436 | ||
| 437 | #define SSL_CONF_CMD(name, cmdopt, type) \ | |
| 438 | {cmd_##name, #name, cmdopt, type} | |
| 439 | ||
| 440 | #define SSL_CONF_CMD_STRING(name, cmdopt) \ | |
| 441 | SSL_CONF_CMD(name, cmdopt, SSL_CONF_TYPE_STRING) | |
| 3db935a9 | 442 | |
| 27f3b65f | 443 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
| ec2f7e56 DSH |
444 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs"), |
| 445 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs"), | |
| 446 | SSL_CONF_CMD_STRING(Curves, "curves"), | |
| 14536c8c | 447 | #ifndef OPENSSL_NO_ECDH |
| ec2f7e56 | 448 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve"), |
| 14536c8c | 449 | #endif |
| ec2f7e56 DSH |
450 | SSL_CONF_CMD_STRING(CipherString, "cipher"), |
| 451 | SSL_CONF_CMD_STRING(Protocol, NULL), | |
| 452 | SSL_CONF_CMD_STRING(Options, NULL), | |
| 453 | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE), | |
| c557f921 DSH |
454 | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE), |
| 455 | #ifndef OPENSSL_NO_DH | |
| 456 | SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE) | |
| 457 | #endif | |
| 3db935a9 DSH |
458 | }; |
| 459 | ||
| ec2f7e56 | 460 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
| 3db935a9 | 461 | { |
| ec2f7e56 | 462 | if (!pcmd || !*pcmd) |
| 3db935a9 | 463 | return 0; |
| 3db935a9 DSH |
464 | /* If a prefix is set, check and skip */ |
| 465 | if (cctx->prefix) | |
| 466 | { | |
| ec2f7e56 DSH |
467 | if (strlen(*pcmd) <= cctx->prefixlen) |
| 468 | return 0; | |
| 3db935a9 | 469 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && |
| ec2f7e56 DSH |
470 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
| 471 | return 0; | |
| 3db935a9 | 472 | if (cctx->flags & SSL_CONF_FLAG_FILE && |
| ec2f7e56 DSH |
473 | strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
| 474 | return 0; | |
| 475 | *pcmd += cctx->prefixlen; | |
| 3db935a9 DSH |
476 | } |
| 477 | else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) | |
| 478 | { | |
| abf840e4 | 479 | if (**pcmd != '-' || !(*pcmd)[1]) |
| ec2f7e56 DSH |
480 | return 0; |
| 481 | *pcmd += 1; | |
| 3db935a9 | 482 | } |
| ec2f7e56 DSH |
483 | return 1; |
| 484 | } | |
| 485 | ||
| 27f3b65f | 486 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, const char *cmd) |
| ec2f7e56 | 487 | { |
| 27f3b65f | 488 | const ssl_conf_cmd_tbl *t; |
| ec2f7e56 DSH |
489 | size_t i; |
| 490 | if (cmd == NULL) | |
| 491 | return NULL; | |
| 3db935a9 DSH |
492 | |
| 493 | /* Look for matching parameter name in table */ | |
| 494 | for (i = 0, t = ssl_conf_cmds; | |
| 495 | i < sizeof(ssl_conf_cmds)/sizeof(ssl_conf_cmd_tbl); i++, t++) | |
| 496 | { | |
| 497 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) | |
| 498 | { | |
| 499 | if (t->str_cmdline && !strcmp(t->str_cmdline, cmd)) | |
| ec2f7e56 | 500 | return t; |
| 3db935a9 DSH |
501 | } |
| 502 | if (cctx->flags & SSL_CONF_FLAG_FILE) | |
| 503 | { | |
| 504 | if (t->str_file && !strcasecmp(t->str_file, cmd)) | |
| ec2f7e56 | 505 | return t; |
| 3db935a9 DSH |
506 | } |
| 507 | } | |
| ec2f7e56 DSH |
508 | return NULL; |
| 509 | } | |
| 510 | ||
| 511 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) | |
| 512 | { | |
| 27f3b65f | 513 | const ssl_conf_cmd_tbl *runcmd; |
| ec2f7e56 DSH |
514 | if (cmd == NULL) |
| 515 | { | |
| 516 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); | |
| 517 | return 0; | |
| 518 | } | |
| 519 | ||
| 520 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
| 521 | return -2; | |
| 522 | ||
| 523 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
| 3db935a9 DSH |
524 | |
| 525 | if (runcmd) | |
| 526 | { | |
| 878b5d07 | 527 | int rv; |
| 3db935a9 DSH |
528 | if (value == NULL) |
| 529 | return -3; | |
| ec2f7e56 | 530 | rv = runcmd->cmd(cctx, value); |
| 878b5d07 | 531 | if (rv > 0) |
| 3db935a9 | 532 | return 2; |
| 878b5d07 DSH |
533 | if (rv == -2) |
| 534 | return -2; | |
| 3db935a9 DSH |
535 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) |
| 536 | { | |
| 4842dde8 | 537 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); |
| 3db935a9 DSH |
538 | ERR_add_error_data(4, "cmd=", cmd, ", value=", value); |
| 539 | } | |
| 878b5d07 | 540 | return 0; |
| 3db935a9 DSH |
541 | } |
| 542 | ||
| 543 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) | |
| 544 | { | |
| 545 | if (ctrl_str_option(cctx, cmd)) | |
| 546 | return 1; | |
| 547 | } | |
| 548 | ||
| 549 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) | |
| 550 | { | |
| 4842dde8 | 551 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); |
| 3db935a9 DSH |
552 | ERR_add_error_data(2, "cmd=", cmd); |
| 553 | } | |
| 554 | ||
| 555 | return -2; | |
| 556 | } | |
| 557 | ||
| 558 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) | |
| 559 | { | |
| 560 | int rv; | |
| ddd13d67 | 561 | const char *arg = NULL, *argn; |
| 3db935a9 DSH |
562 | if (pargc && *pargc == 0) |
| 563 | return 0; | |
| 564 | if (!pargc || *pargc > 0) | |
| 565 | arg = **pargv; | |
| 566 | if (arg == NULL) | |
| 567 | return 0; | |
| 568 | if (!pargc || *pargc > 1) | |
| 569 | argn = (*pargv)[1]; | |
| 570 | else | |
| 571 | argn = NULL; | |
| 572 | cctx->flags &= ~SSL_CONF_FLAG_FILE; | |
| 573 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; | |
| 574 | rv = SSL_CONF_cmd(cctx, arg, argn); | |
| 575 | if (rv > 0) | |
| 576 | { | |
| 577 | /* Success: update pargc, pargv */ | |
| 578 | (*pargv) += rv; | |
| 579 | if (pargc) | |
| 580 | (*pargc) -= rv; | |
| 581 | return rv; | |
| 582 | } | |
| 13af1451 | 583 | /* Unknown switch: indicate no arguments processed */ |
| 3db935a9 DSH |
584 | if (rv == -2) |
| 585 | return 0; | |
| 586 | /* Some error occurred processing command, return fatal error */ | |
| 587 | if (rv == 0) | |
| 588 | return -1; | |
| 589 | return rv; | |
| 590 | } | |
| 591 | ||
| ec2f7e56 DSH |
592 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
| 593 | { | |
| 594 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
| 595 | { | |
| 27f3b65f | 596 | const ssl_conf_cmd_tbl *runcmd; |
| ec2f7e56 DSH |
597 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); |
| 598 | if (runcmd) | |
| 599 | return runcmd->value_type; | |
| 600 | } | |
| 601 | return SSL_CONF_TYPE_UNKNOWN; | |
| 602 | } | |
| 603 | ||
| 3db935a9 DSH |
604 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
| 605 | { | |
| 606 | SSL_CONF_CTX *ret; | |
| 607 | ret = OPENSSL_malloc(sizeof(SSL_CONF_CTX)); | |
| 608 | if (ret) | |
| 609 | { | |
| 610 | ret->flags = 0; | |
| 611 | ret->prefix = NULL; | |
| 612 | ret->prefixlen = 0; | |
| 613 | ret->ssl = NULL; | |
| 614 | ret->ctx = NULL; | |
| 615 | ret->poptions = NULL; | |
| 616 | ret->pcert_flags = NULL; | |
| 617 | ret->tbl = NULL; | |
| 618 | ret->ntbl = 0; | |
| 619 | } | |
| 620 | return ret; | |
| 621 | } | |
| 622 | ||
| ec2f7e56 DSH |
623 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
| 624 | { | |
| 625 | return 1; | |
| 626 | } | |
| 627 | ||
| 3db935a9 DSH |
628 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
| 629 | { | |
| 630 | if (cctx) | |
| 631 | { | |
| 632 | if (cctx->prefix) | |
| 633 | OPENSSL_free(cctx->prefix); | |
| 634 | OPENSSL_free(cctx); | |
| 635 | } | |
| 636 | } | |
| 637 | ||
| 638 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
| 639 | { | |
| 640 | cctx->flags |= flags; | |
| 641 | return cctx->flags; | |
| 642 | } | |
| 643 | ||
| 644 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
| 645 | { | |
| 646 | cctx->flags &= ~flags; | |
| 647 | return cctx->flags; | |
| 648 | } | |
| 649 | ||
| 650 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) | |
| 651 | { | |
| 652 | char *tmp = NULL; | |
| 653 | if (pre) | |
| 654 | { | |
| 655 | tmp = BUF_strdup(pre); | |
| 656 | if (tmp == NULL) | |
| 657 | return 0; | |
| 658 | } | |
| 659 | if (cctx->prefix) | |
| 660 | OPENSSL_free(cctx->prefix); | |
| 661 | cctx->prefix = tmp; | |
| 662 | if (tmp) | |
| 663 | cctx->prefixlen = strlen(tmp); | |
| 664 | else | |
| 665 | cctx->prefixlen = 0; | |
| 666 | return 1; | |
| 667 | } | |
| 668 | ||
| 669 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) | |
| 670 | { | |
| 671 | cctx->ssl = ssl; | |
| 672 | cctx->ctx = NULL; | |
| 673 | if (ssl) | |
| 674 | { | |
| 675 | cctx->poptions = &ssl->options; | |
| 676 | cctx->pcert_flags = &ssl->cert->cert_flags; | |
| 677 | } | |
| 678 | else | |
| 679 | { | |
| 680 | cctx->poptions = NULL; | |
| 681 | cctx->pcert_flags = NULL; | |
| 682 | } | |
| 683 | } | |
| 684 | ||
| 685 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) | |
| 686 | { | |
| 687 | cctx->ctx = ctx; | |
| 688 | cctx->ssl = NULL; | |
| 689 | if (ctx) | |
| 690 | { | |
| 691 | cctx->poptions = &ctx->options; | |
| 692 | cctx->pcert_flags = &ctx->cert->cert_flags; | |
| 693 | } | |
| 694 | else | |
| 695 | { | |
| 696 | cctx->poptions = NULL; | |
| 697 | cctx->pcert_flags = NULL; | |
| 698 | } | |
| 699 | } |