]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
da1c088f | 2 | * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. |
3db935a9 | 3 | * |
2c18d164 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
846e33c7 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
3db935a9 DSH |
8 | */ |
9 | ||
3db935a9 | 10 | #include <stdio.h> |
706457b7 | 11 | #include "ssl_local.h" |
3db935a9 DSH |
12 | #include <openssl/conf.h> |
13 | #include <openssl/objects.h> | |
163f6dc1 MC |
14 | #include <openssl/decoder.h> |
15 | #include <openssl/core_dispatch.h> | |
677963e5 | 16 | #include "internal/nelem.h" |
3db935a9 | 17 | |
0f113f3e | 18 | /* |
f430ba31 | 19 | * structure holding name tables. This is used for permitted elements in lists |
656b2605 | 20 | * such as TLSv1. |
3db935a9 DSH |
21 | */ |
22 | ||
0f113f3e MC |
23 | typedef struct { |
24 | const char *name; | |
25 | int namelen; | |
26 | unsigned int name_flags; | |
56bd1783 | 27 | uint64_t option_value; |
0f113f3e | 28 | } ssl_flag_tbl; |
3db935a9 | 29 | |
656b2605 DSH |
30 | /* Switch table: use for single command line switches like no_tls2 */ |
31 | typedef struct { | |
56bd1783 | 32 | uint64_t option_value; |
656b2605 DSH |
33 | unsigned int name_flags; |
34 | } ssl_switch_tbl; | |
35 | ||
3db935a9 | 36 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ |
0f113f3e | 37 | #define SSL_TFLAG_INV 0x1 |
429261d0 DSH |
38 | /* Mask for type of flag referred to */ |
39 | #define SSL_TFLAG_TYPE_MASK 0xf00 | |
40 | /* Flag is for options */ | |
41 | #define SSL_TFLAG_OPTION 0x000 | |
42 | /* Flag is for cert_flags */ | |
43 | #define SSL_TFLAG_CERT 0x100 | |
44 | /* Flag is for verify mode */ | |
45 | #define SSL_TFLAG_VFY 0x200 | |
3db935a9 DSH |
46 | /* Option can only be used for clients */ |
47 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT | |
48 | /* Option can only be used for servers */ | |
49 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER | |
50 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) | |
51 | ||
52 | #define SSL_FLAG_TBL(str, flag) \ | |
0f113f3e | 53 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} |
3db935a9 | 54 | #define SSL_FLAG_TBL_SRV(str, flag) \ |
0f113f3e | 55 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} |
3db935a9 | 56 | #define SSL_FLAG_TBL_CLI(str, flag) \ |
0f113f3e | 57 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} |
3db935a9 | 58 | #define SSL_FLAG_TBL_INV(str, flag) \ |
0f113f3e | 59 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} |
3db935a9 | 60 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ |
0f113f3e | 61 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} |
3db935a9 | 62 | #define SSL_FLAG_TBL_CERT(str, flag) \ |
0f113f3e | 63 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} |
3db935a9 | 64 | |
429261d0 DSH |
65 | #define SSL_FLAG_VFY_CLI(str, flag) \ |
66 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} | |
67 | #define SSL_FLAG_VFY_SRV(str, flag) \ | |
68 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} | |
69 | ||
0f113f3e MC |
70 | /* |
71 | * Opaque structure containing SSL configuration context. | |
3db935a9 DSH |
72 | */ |
73 | ||
0f113f3e MC |
74 | struct ssl_conf_ctx_st { |
75 | /* | |
76 | * Various flags indicating (among other things) which options we will | |
77 | * recognise. | |
78 | */ | |
79 | unsigned int flags; | |
80 | /* Prefix and length of commands */ | |
81 | char *prefix; | |
82 | size_t prefixlen; | |
83 | /* SSL_CTX or SSL structure to perform operations on */ | |
84 | SSL_CTX *ctx; | |
85 | SSL *ssl; | |
86 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ | |
56bd1783 | 87 | uint64_t *poptions; |
2011b169 DSH |
88 | /* Certificate filenames for each type */ |
89 | char *cert_filename[SSL_PKEY_NUM]; | |
0f113f3e | 90 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ |
f7d53487 | 91 | uint32_t *pcert_flags; |
429261d0 DSH |
92 | /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ |
93 | uint32_t *pvfy_flags; | |
7946ab33 KR |
94 | /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ |
95 | int *min_version; | |
96 | /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ | |
97 | int *max_version; | |
0f113f3e MC |
98 | /* Current flag table being worked on */ |
99 | const ssl_flag_tbl *tbl; | |
100 | /* Size of table */ | |
101 | size_t ntbl; | |
429261d0 DSH |
102 | /* Client CA names */ |
103 | STACK_OF(X509_NAME) *canames; | |
0f113f3e | 104 | }; |
3db935a9 | 105 | |
656b2605 | 106 | static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, |
f04bb0bc | 107 | uint64_t option_value, int onoff) |
656b2605 | 108 | { |
4fdf17a0 | 109 | uint32_t *pflags; |
56bd1783 | 110 | |
656b2605 DSH |
111 | if (cctx->poptions == NULL) |
112 | return; | |
113 | if (name_flags & SSL_TFLAG_INV) | |
114 | onoff ^= 1; | |
429261d0 DSH |
115 | switch (name_flags & SSL_TFLAG_TYPE_MASK) { |
116 | ||
117 | case SSL_TFLAG_CERT: | |
118 | pflags = cctx->pcert_flags; | |
119 | break; | |
120 | ||
121 | case SSL_TFLAG_VFY: | |
a230b26e | 122 | pflags = cctx->pvfy_flags; |
429261d0 | 123 | break; |
f04bb0bc | 124 | |
429261d0 | 125 | case SSL_TFLAG_OPTION: |
56bd1783 RS |
126 | if (onoff) |
127 | *cctx->poptions |= option_value; | |
128 | else | |
129 | *cctx->poptions &= ~option_value; | |
130 | return; | |
429261d0 DSH |
131 | |
132 | default: | |
133 | return; | |
134 | ||
656b2605 | 135 | } |
429261d0 DSH |
136 | if (onoff) |
137 | *pflags |= option_value; | |
138 | else | |
139 | *pflags &= ~option_value; | |
656b2605 DSH |
140 | } |
141 | ||
3db935a9 | 142 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, |
0f113f3e MC |
143 | const char *name, int namelen, int onoff) |
144 | { | |
145 | /* If name not relevant for context skip */ | |
146 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) | |
147 | return 0; | |
148 | if (namelen == -1) { | |
149 | if (strcmp(tbl->name, name)) | |
150 | return 0; | |
fba140c7 DB |
151 | } else if (tbl->namelen != namelen |
152 | || OPENSSL_strncasecmp(tbl->name, name, namelen)) | |
0f113f3e | 153 | return 0; |
656b2605 | 154 | ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); |
0f113f3e MC |
155 | return 1; |
156 | } | |
3db935a9 DSH |
157 | |
158 | static int ssl_set_option_list(const char *elem, int len, void *usr) | |
0f113f3e MC |
159 | { |
160 | SSL_CONF_CTX *cctx = usr; | |
161 | size_t i; | |
162 | const ssl_flag_tbl *tbl; | |
163 | int onoff = 1; | |
164 | /* | |
165 | * len == -1 indicates not being called in list context, just for single | |
166 | * command line switches, so don't allow +, -. | |
167 | */ | |
2747d73c KR |
168 | if (elem == NULL) |
169 | return 0; | |
0f113f3e MC |
170 | if (len != -1) { |
171 | if (*elem == '+') { | |
172 | elem++; | |
173 | len--; | |
174 | onoff = 1; | |
175 | } else if (*elem == '-') { | |
176 | elem++; | |
177 | len--; | |
178 | onoff = 0; | |
179 | } | |
180 | } | |
181 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { | |
182 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) | |
183 | return 1; | |
184 | } | |
185 | return 0; | |
186 | } | |
3db935a9 | 187 | |
3db935a9 | 188 | /* Set supported signature algorithms */ |
ec2f7e56 | 189 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
190 | { |
191 | int rv; | |
192 | if (cctx->ssl) | |
193 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); | |
194 | /* NB: ctx == NULL performs syntax checking only */ | |
195 | else | |
196 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); | |
197 | return rv > 0; | |
198 | } | |
199 | ||
3db935a9 | 200 | /* Set supported client signature algorithms */ |
a230b26e | 201 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
202 | { |
203 | int rv; | |
204 | if (cctx->ssl) | |
205 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); | |
206 | /* NB: ctx == NULL performs syntax checking only */ | |
207 | else | |
208 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); | |
209 | return rv > 0; | |
210 | } | |
3db935a9 | 211 | |
de4d764e | 212 | static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
213 | { |
214 | int rv; | |
215 | if (cctx->ssl) | |
de4d764e | 216 | rv = SSL_set1_groups_list(cctx->ssl, value); |
0f113f3e MC |
217 | /* NB: ctx == NULL performs syntax checking only */ |
218 | else | |
de4d764e | 219 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); |
0f113f3e MC |
220 | return rv > 0; |
221 | } | |
222 | ||
de4d764e MC |
223 | /* This is the old name for cmd_Groups - retained for backwards compatibility */ |
224 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) | |
225 | { | |
226 | return cmd_Groups(cctx, value); | |
227 | } | |
228 | ||
3db935a9 | 229 | /* ECDH temporary parameters */ |
ec2f7e56 | 230 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e | 231 | { |
fe6ef247 | 232 | int rv = 1; |
0f113f3e | 233 | |
1c7aa0db | 234 | /* Ignore values supported by 1.0.2 for the automatic selection */ |
ededc88d | 235 | if ((cctx->flags & SSL_CONF_FLAG_FILE) |
fba140c7 DB |
236 | && (OPENSSL_strcasecmp(value, "+automatic") == 0 |
237 | || OPENSSL_strcasecmp(value, "automatic") == 0)) | |
1c7aa0db TM |
238 | return 1; |
239 | if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && | |
240 | strcmp(value, "auto") == 0) | |
241 | return 1; | |
242 | ||
462f4f4b MC |
243 | /* ECDHParameters accepts a single group name */ |
244 | if (strstr(value, ":") != NULL) | |
fe6ef247 | 245 | return 0; |
9b1c0e00 | 246 | |
fe6ef247 | 247 | if (cctx->ctx) |
462f4f4b | 248 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); |
fe6ef247 | 249 | else if (cctx->ssl) |
462f4f4b | 250 | rv = SSL_set1_groups_list(cctx->ssl, value); |
0f113f3e MC |
251 | |
252 | return rv > 0; | |
253 | } | |
462f4f4b | 254 | |
ec2f7e56 | 255 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
256 | { |
257 | int rv = 1; | |
f865b081 | 258 | |
0f113f3e MC |
259 | if (cctx->ctx) |
260 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); | |
261 | if (cctx->ssl) | |
262 | rv = SSL_set_cipher_list(cctx->ssl, value); | |
263 | return rv > 0; | |
264 | } | |
3db935a9 | 265 | |
f865b081 MC |
266 | static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value) |
267 | { | |
268 | int rv = 1; | |
269 | ||
270 | if (cctx->ctx) | |
271 | rv = SSL_CTX_set_ciphersuites(cctx->ctx, value); | |
272 | if (cctx->ssl) | |
273 | rv = SSL_set_ciphersuites(cctx->ssl, value); | |
274 | return rv > 0; | |
275 | } | |
276 | ||
ec2f7e56 | 277 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
278 | { |
279 | static const ssl_flag_tbl ssl_protocol_list[] = { | |
280 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), | |
281 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), | |
282 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), | |
283 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), | |
284 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), | |
7946ab33 | 285 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), |
582a17d6 | 286 | SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3), |
7946ab33 KR |
287 | SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), |
288 | SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) | |
0f113f3e | 289 | }; |
0f113f3e | 290 | cctx->tbl = ssl_protocol_list; |
b6eb9827 | 291 | cctx->ntbl = OSSL_NELEM(ssl_protocol_list); |
0f113f3e MC |
292 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
293 | } | |
3db935a9 | 294 | |
7946ab33 KR |
295 | /* |
296 | * protocol_from_string - converts a protocol version string to a number | |
297 | * | |
298 | * Returns -1 on failure or the version on success | |
299 | */ | |
300 | static int protocol_from_string(const char *value) | |
301 | { | |
302 | struct protocol_versions { | |
303 | const char *name; | |
304 | int version; | |
305 | }; | |
77174598 VD |
306 | /* |
307 | * Note: To avoid breaking previously valid configurations, we must retain | |
308 | * legacy entries in this table even if the underlying protocol is no | |
309 | * longer supported. This also means that the constants SSL3_VERSION, ... | |
310 | * need to be retained indefinitely. This table can only grow, never | |
311 | * shrink. | |
312 | */ | |
7946ab33 | 313 | static const struct protocol_versions versions[] = { |
869e978c | 314 | {"None", 0}, |
7946ab33 KR |
315 | {"SSLv3", SSL3_VERSION}, |
316 | {"TLSv1", TLS1_VERSION}, | |
317 | {"TLSv1.1", TLS1_1_VERSION}, | |
318 | {"TLSv1.2", TLS1_2_VERSION}, | |
582a17d6 | 319 | {"TLSv1.3", TLS1_3_VERSION}, |
7946ab33 | 320 | {"DTLSv1", DTLS1_VERSION}, |
a230b26e EK |
321 | {"DTLSv1.2", DTLS1_2_VERSION} |
322 | }; | |
7946ab33 KR |
323 | size_t i; |
324 | size_t n = OSSL_NELEM(versions); | |
325 | ||
326 | for (i = 0; i < n; i++) | |
327 | if (strcmp(versions[i].name, value) == 0) | |
328 | return versions[i].version; | |
329 | return -1; | |
330 | } | |
331 | ||
4fa52141 VD |
332 | static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) |
333 | { | |
334 | int method_version; | |
335 | int new_version; | |
336 | ||
337 | if (cctx->ctx != NULL) | |
338 | method_version = cctx->ctx->method->version; | |
339 | else if (cctx->ssl != NULL) | |
a7f41885 | 340 | method_version = cctx->ssl->defltmeth->version; |
4fa52141 VD |
341 | else |
342 | return 0; | |
343 | if ((new_version = protocol_from_string(value)) < 0) | |
344 | return 0; | |
345 | return ssl_set_version_bound(method_version, new_version, bound); | |
346 | } | |
347 | ||
7946ab33 KR |
348 | /* |
349 | * cmd_MinProtocol - Set min protocol version | |
350 | * @cctx: config structure to save settings in | |
351 | * @value: The min protocol version in string form | |
352 | * | |
353 | * Returns 1 on success and 0 on failure. | |
354 | */ | |
355 | static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) | |
356 | { | |
4fa52141 | 357 | return min_max_proto(cctx, value, cctx->min_version); |
7946ab33 KR |
358 | } |
359 | ||
360 | /* | |
361 | * cmd_MaxProtocol - Set max protocol version | |
362 | * @cctx: config structure to save settings in | |
363 | * @value: The max protocol version in string form | |
364 | * | |
365 | * Returns 1 on success and 0 on failure. | |
366 | */ | |
367 | static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) | |
368 | { | |
4fa52141 | 369 | return min_max_proto(cctx, value, cctx->max_version); |
7946ab33 KR |
370 | } |
371 | ||
ec2f7e56 | 372 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
373 | { |
374 | static const ssl_flag_tbl ssl_option_list[] = { | |
375 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), | |
376 | SSL_FLAG_TBL_INV("EmptyFragments", | |
377 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), | |
378 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), | |
379 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), | |
380 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
381 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", | |
382 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), | |
383 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), | |
384 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), | |
385 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", | |
386 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
65b2bb9c TM |
387 | SSL_FLAG_TBL("UnsafeLegacyServerConnect", |
388 | SSL_OP_LEGACY_SERVER_CONNECT), | |
55373bfd RS |
389 | SSL_FLAG_TBL("ClientRenegotiation", |
390 | SSL_OP_ALLOW_CLIENT_RENEGOTIATION), | |
b3618f44 | 391 | SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), |
db0f35dd | 392 | SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), |
e1c7871d | 393 | SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), |
b8590b2f | 394 | SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX), |
a5816a5a | 395 | SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), |
3bb5e5b0 | 396 | SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), |
088dfa13 | 397 | SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY), |
90fc2c26 | 398 | SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET), |
a3a54179 | 399 | SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES), |
336d92eb | 400 | SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS), |
b67cb09f TS |
401 | SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT), |
402 | SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION), | |
403 | SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION), | |
cd715b7e | 404 | SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE), |
51cf0344 | 405 | SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF), |
0f113f3e | 406 | }; |
0f113f3e MC |
407 | if (value == NULL) |
408 | return -3; | |
409 | cctx->tbl = ssl_option_list; | |
b6eb9827 | 410 | cctx->ntbl = OSSL_NELEM(ssl_option_list); |
0f113f3e MC |
411 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
412 | } | |
3db935a9 | 413 | |
429261d0 DSH |
414 | static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) |
415 | { | |
416 | static const ssl_flag_tbl ssl_vfy_list[] = { | |
417 | SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER), | |
418 | SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), | |
419 | SSL_FLAG_VFY_SRV("Require", | |
420 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), | |
9d75dce3 TS |
421 | SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), |
422 | SSL_FLAG_VFY_SRV("RequestPostHandshake", | |
423 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE), | |
424 | SSL_FLAG_VFY_SRV("RequirePostHandshake", | |
425 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE | | |
426 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), | |
429261d0 DSH |
427 | }; |
428 | if (value == NULL) | |
429 | return -3; | |
430 | cctx->tbl = ssl_vfy_list; | |
431 | cctx->ntbl = OSSL_NELEM(ssl_vfy_list); | |
432 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
433 | } | |
434 | ||
ec2f7e56 | 435 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
436 | { |
437 | int rv = 1; | |
2011b169 | 438 | CERT *c = NULL; |
38b051a1 | 439 | if (cctx->ctx != NULL) { |
0f113f3e | 440 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); |
2011b169 DSH |
441 | c = cctx->ctx->cert; |
442 | } | |
38b051a1 TM |
443 | if (cctx->ssl != NULL) { |
444 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); | |
445 | ||
446 | if (sc != NULL) { | |
447 | rv = SSL_use_certificate_chain_file(cctx->ssl, value); | |
448 | c = sc->cert; | |
449 | } else { | |
450 | rv = 0; | |
451 | } | |
2011b169 | 452 | } |
38b051a1 | 453 | if (rv > 0 && c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { |
2011b169 | 454 | char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; |
38b051a1 | 455 | |
b548a1f1 | 456 | OPENSSL_free(*pfilename); |
7644a9ae | 457 | *pfilename = OPENSSL_strdup(value); |
12a765a5 | 458 | if (*pfilename == NULL) |
2011b169 DSH |
459 | rv = 0; |
460 | } | |
461 | ||
0f113f3e MC |
462 | return rv > 0; |
463 | } | |
ec2f7e56 DSH |
464 | |
465 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
466 | { |
467 | int rv = 1; | |
468 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
469 | return -2; | |
470 | if (cctx->ctx) | |
471 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); | |
472 | if (cctx->ssl) | |
473 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
474 | return rv > 0; | |
475 | } | |
5b7f36e8 DSH |
476 | |
477 | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
478 | { |
479 | int rv = 1; | |
0f113f3e MC |
480 | if (cctx->ctx) |
481 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); | |
482 | return rv > 0; | |
483 | } | |
5b7f36e8 | 484 | |
429261d0 | 485 | static int do_store(SSL_CONF_CTX *cctx, |
6dcb100f RL |
486 | const char *CAfile, const char *CApath, const char *CAstore, |
487 | int verify_store) | |
429261d0 DSH |
488 | { |
489 | CERT *cert; | |
490 | X509_STORE **st; | |
6725682d | 491 | SSL_CTX *ctx; |
b4250010 | 492 | OSSL_LIB_CTX *libctx = NULL; |
6725682d | 493 | const char *propq = NULL; |
6dcb100f | 494 | |
6725682d | 495 | if (cctx->ctx != NULL) { |
429261d0 | 496 | cert = cctx->ctx->cert; |
6725682d SL |
497 | ctx = cctx->ctx; |
498 | } else if (cctx->ssl != NULL) { | |
38b051a1 TM |
499 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); |
500 | ||
501 | if (sc == NULL) | |
502 | return 0; | |
503 | ||
504 | cert = sc->cert; | |
6725682d SL |
505 | ctx = cctx->ssl->ctx; |
506 | } else { | |
429261d0 | 507 | return 1; |
6725682d SL |
508 | } |
509 | if (ctx != NULL) { | |
510 | libctx = ctx->libctx; | |
511 | propq = ctx->propq; | |
512 | } | |
429261d0 DSH |
513 | st = verify_store ? &cert->verify_store : &cert->chain_store; |
514 | if (*st == NULL) { | |
515 | *st = X509_STORE_new(); | |
516 | if (*st == NULL) | |
517 | return 0; | |
518 | } | |
6dcb100f | 519 | |
d8652be0 | 520 | if (CAfile != NULL && !X509_STORE_load_file_ex(*st, CAfile, libctx, propq)) |
6dcb100f RL |
521 | return 0; |
522 | if (CApath != NULL && !X509_STORE_load_path(*st, CApath)) | |
523 | return 0; | |
d8652be0 MC |
524 | if (CAstore != NULL && !X509_STORE_load_store_ex(*st, CAstore, libctx, |
525 | propq)) | |
6dcb100f RL |
526 | return 0; |
527 | return 1; | |
429261d0 DSH |
528 | } |
529 | ||
530 | static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) | |
531 | { | |
6dcb100f | 532 | return do_store(cctx, NULL, value, NULL, 0); |
429261d0 DSH |
533 | } |
534 | ||
535 | static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) | |
536 | { | |
6dcb100f RL |
537 | return do_store(cctx, value, NULL, NULL, 0); |
538 | } | |
539 | ||
540 | static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value) | |
541 | { | |
542 | return do_store(cctx, NULL, NULL, value, 0); | |
429261d0 DSH |
543 | } |
544 | ||
545 | static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) | |
546 | { | |
6dcb100f | 547 | return do_store(cctx, NULL, value, NULL, 1); |
429261d0 DSH |
548 | } |
549 | ||
550 | static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) | |
551 | { | |
6dcb100f RL |
552 | return do_store(cctx, value, NULL, NULL, 1); |
553 | } | |
554 | ||
555 | static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value) | |
556 | { | |
557 | return do_store(cctx, NULL, NULL, value, 1); | |
429261d0 DSH |
558 | } |
559 | ||
be885d50 | 560 | static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value) |
429261d0 DSH |
561 | { |
562 | if (cctx->canames == NULL) | |
563 | cctx->canames = sk_X509_NAME_new_null(); | |
564 | if (cctx->canames == NULL) | |
565 | return 0; | |
566 | return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); | |
567 | } | |
568 | ||
be885d50 DSH |
569 | static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) |
570 | { | |
571 | return cmd_RequestCAFile(cctx, value); | |
572 | } | |
573 | ||
574 | static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value) | |
429261d0 DSH |
575 | { |
576 | if (cctx->canames == NULL) | |
577 | cctx->canames = sk_X509_NAME_new_null(); | |
578 | if (cctx->canames == NULL) | |
579 | return 0; | |
580 | return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); | |
581 | } | |
582 | ||
be885d50 DSH |
583 | static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) |
584 | { | |
585 | return cmd_RequestCAPath(cctx, value); | |
586 | } | |
587 | ||
6dcb100f RL |
588 | static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value) |
589 | { | |
590 | if (cctx->canames == NULL) | |
591 | cctx->canames = sk_X509_NAME_new_null(); | |
592 | if (cctx->canames == NULL) | |
593 | return 0; | |
594 | return SSL_add_store_cert_subjects_to_stack(cctx->canames, value); | |
595 | } | |
596 | ||
597 | static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value) | |
598 | { | |
599 | return cmd_RequestCAStore(cctx, value); | |
600 | } | |
601 | ||
c557f921 | 602 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
603 | { |
604 | int rv = 0; | |
163f6dc1 | 605 | EVP_PKEY *dhpkey = NULL; |
0f113f3e | 606 | BIO *in = NULL; |
163f6dc1 MC |
607 | SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx; |
608 | OSSL_DECODER_CTX *decoderctx = NULL; | |
609 | ||
610 | if (cctx->ctx != NULL || cctx->ssl != NULL) { | |
9982cbbb | 611 | in = BIO_new(BIO_s_file()); |
a71edf3b | 612 | if (in == NULL) |
0f113f3e MC |
613 | goto end; |
614 | if (BIO_read_filename(in, value) <= 0) | |
615 | goto end; | |
163f6dc1 MC |
616 | |
617 | decoderctx | |
fe75766c TM |
618 | = OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH", |
619 | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, | |
620 | sslctx->libctx, sslctx->propq); | |
b2b8d188 | 621 | if (decoderctx == NULL) |
163f6dc1 | 622 | goto end; |
b2b8d188 DF |
623 | ERR_set_mark(); |
624 | while (!OSSL_DECODER_from_bio(decoderctx, in) | |
625 | && dhpkey == NULL | |
626 | && !BIO_eof(in)); | |
163f6dc1 MC |
627 | OSSL_DECODER_CTX_free(decoderctx); |
628 | ||
b2b8d188 DF |
629 | if (dhpkey == NULL) { |
630 | ERR_clear_last_mark(); | |
0f113f3e | 631 | goto end; |
b2b8d188 DF |
632 | } |
633 | ERR_pop_to_mark(); | |
163f6dc1 | 634 | } else { |
0f113f3e | 635 | return 1; |
163f6dc1 MC |
636 | } |
637 | ||
638 | if (cctx->ctx != NULL) { | |
639 | if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0) | |
640 | dhpkey = NULL; | |
641 | } | |
642 | if (cctx->ssl != NULL) { | |
643 | if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0) | |
644 | dhpkey = NULL; | |
645 | } | |
0f113f3e | 646 | end: |
163f6dc1 | 647 | EVP_PKEY_free(dhpkey); |
ca3a82c3 | 648 | BIO_free(in); |
0f113f3e MC |
649 | return rv > 0; |
650 | } | |
c649d10d TS |
651 | |
652 | static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) | |
653 | { | |
654 | int rv = 0; | |
655 | int block_size = atoi(value); | |
656 | ||
657 | /* | |
658 | * All we care about is a non-negative value, | |
659 | * the setters check the range | |
660 | */ | |
661 | if (block_size >= 0) { | |
662 | if (cctx->ctx) | |
663 | rv = SSL_CTX_set_block_padding(cctx->ctx, block_size); | |
664 | if (cctx->ssl) | |
665 | rv = SSL_set_block_padding(cctx->ssl, block_size); | |
666 | } | |
667 | return rv; | |
668 | } | |
669 | ||
394159da MC |
670 | |
671 | static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) | |
672 | { | |
673 | int rv = 0; | |
674 | int num_tickets = atoi(value); | |
675 | ||
676 | if (num_tickets >= 0) { | |
677 | if (cctx->ctx) | |
678 | rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); | |
679 | if (cctx->ssl) | |
680 | rv = SSL_set_num_tickets(cctx->ssl, num_tickets); | |
681 | } | |
682 | return rv; | |
683 | } | |
684 | ||
0f113f3e MC |
685 | typedef struct { |
686 | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); | |
687 | const char *str_file; | |
688 | const char *str_cmdline; | |
656b2605 DSH |
689 | unsigned short flags; |
690 | unsigned short value_type; | |
0f113f3e | 691 | } ssl_conf_cmd_tbl; |
3db935a9 | 692 | |
ec2f7e56 DSH |
693 | /* Table of supported parameters */ |
694 | ||
656b2605 DSH |
695 | #define SSL_CONF_CMD(name, cmdopt, flags, type) \ |
696 | {cmd_##name, #name, cmdopt, flags, type} | |
697 | ||
698 | #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ | |
699 | SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) | |
ec2f7e56 | 700 | |
656b2605 DSH |
701 | #define SSL_CONF_CMD_SWITCH(name, flags) \ |
702 | {0, NULL, name, flags, SSL_CONF_TYPE_NONE} | |
3db935a9 | 703 | |
4832560b DB |
704 | /* See apps/include/opt.h if you change this table. */ |
705 | /* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */ | |
27f3b65f | 706 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
656b2605 DSH |
707 | SSL_CONF_CMD_SWITCH("no_ssl3", 0), |
708 | SSL_CONF_CMD_SWITCH("no_tls1", 0), | |
709 | SSL_CONF_CMD_SWITCH("no_tls1_1", 0), | |
710 | SSL_CONF_CMD_SWITCH("no_tls1_2", 0), | |
582a17d6 | 711 | SSL_CONF_CMD_SWITCH("no_tls1_3", 0), |
656b2605 | 712 | SSL_CONF_CMD_SWITCH("bugs", 0), |
cc5a9ba4 | 713 | SSL_CONF_CMD_SWITCH("no_comp", 0), |
dc5744cb | 714 | SSL_CONF_CMD_SWITCH("comp", 0), |
b67cb09f TS |
715 | SSL_CONF_CMD_SWITCH("no_tx_cert_comp", 0), |
716 | SSL_CONF_CMD_SWITCH("tx_cert_comp", 0), | |
717 | SSL_CONF_CMD_SWITCH("no_rx_cert_comp", 0), | |
718 | SSL_CONF_CMD_SWITCH("rx_cert_comp", 0), | |
656b2605 | 719 | SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), |
656b2605 | 720 | SSL_CONF_CMD_SWITCH("no_ticket", 0), |
656b2605 DSH |
721 | SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), |
722 | SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), | |
55373bfd | 723 | SSL_CONF_CMD_SWITCH("client_renegotiation", SSL_CONF_FLAG_SERVER), |
cbbbc8fc | 724 | SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT), |
db0f35dd | 725 | SSL_CONF_CMD_SWITCH("no_renegotiation", 0), |
656b2605 | 726 | SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), |
d1b3b674 | 727 | SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT), |
e3c0d76b | 728 | SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0), |
b8590b2f | 729 | SSL_CONF_CMD_SWITCH("prefer_no_dhe_kex", 0), |
e1c7871d | 730 | SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), |
656b2605 | 731 | SSL_CONF_CMD_SWITCH("strict", 0), |
db37d32c | 732 | SSL_CONF_CMD_SWITCH("no_middlebox", 0), |
3bb5e5b0 MC |
733 | SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER), |
734 | SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER), | |
4832560b | 735 | SSL_CONF_CMD_SWITCH("no_etm", 0), |
a829d53a | 736 | SSL_CONF_CMD_SWITCH("no_ems", 0), |
656b2605 DSH |
737 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), |
738 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), | |
739 | SSL_CONF_CMD_STRING(Curves, "curves", 0), | |
de4d764e | 740 | SSL_CONF_CMD_STRING(Groups, "groups", 0), |
656b2605 | 741 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), |
656b2605 | 742 | SSL_CONF_CMD_STRING(CipherString, "cipher", 0), |
f865b081 | 743 | SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), |
656b2605 | 744 | SSL_CONF_CMD_STRING(Protocol, NULL, 0), |
453dfd8d EK |
745 | SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), |
746 | SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), | |
656b2605 | 747 | SSL_CONF_CMD_STRING(Options, NULL, 0), |
429261d0 | 748 | SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), |
656b2605 DSH |
749 | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, |
750 | SSL_CONF_TYPE_FILE), | |
751 | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE, | |
752 | SSL_CONF_TYPE_FILE), | |
753 | SSL_CONF_CMD(ServerInfoFile, NULL, | |
754 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
755 | SSL_CONF_TYPE_FILE), | |
429261d0 DSH |
756 | SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE, |
757 | SSL_CONF_TYPE_DIR), | |
758 | SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
759 | SSL_CONF_TYPE_FILE), | |
6dcb100f RL |
760 | SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE, |
761 | SSL_CONF_TYPE_STORE), | |
429261d0 DSH |
762 | SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE, |
763 | SSL_CONF_TYPE_DIR), | |
764 | SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
765 | SSL_CONF_TYPE_FILE), | |
6dcb100f RL |
766 | SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE, |
767 | SSL_CONF_TYPE_STORE), | |
be885d50 DSH |
768 | SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE, |
769 | SSL_CONF_TYPE_FILE), | |
429261d0 DSH |
770 | SSL_CONF_CMD(ClientCAFile, NULL, |
771 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
772 | SSL_CONF_TYPE_FILE), | |
be885d50 DSH |
773 | SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE, |
774 | SSL_CONF_TYPE_DIR), | |
429261d0 DSH |
775 | SSL_CONF_CMD(ClientCAPath, NULL, |
776 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
777 | SSL_CONF_TYPE_DIR), | |
6dcb100f RL |
778 | SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE, |
779 | SSL_CONF_TYPE_STORE), | |
780 | SSL_CONF_CMD(ClientCAStore, NULL, | |
781 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
782 | SSL_CONF_TYPE_STORE), | |
656b2605 DSH |
783 | SSL_CONF_CMD(DHParameters, "dhparam", |
784 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
c649d10d | 785 | SSL_CONF_TYPE_FILE), |
394159da | 786 | SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), |
3bb5e5b0 | 787 | SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER), |
656b2605 DSH |
788 | }; |
789 | ||
790 | /* Supported switches: must match order of switches in ssl_conf_cmds */ | |
791 | static const ssl_switch_tbl ssl_cmd_switches[] = { | |
792 | {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ | |
793 | {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ | |
794 | {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ | |
795 | {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ | |
582a17d6 | 796 | {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */ |
656b2605 | 797 | {SSL_OP_ALL, 0}, /* bugs */ |
cc5a9ba4 VD |
798 | {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ |
799 | {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ | |
b67cb09f TS |
800 | {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, 0}, /* no_tx_cert_comp */ |
801 | {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* tx_cert_comp */ | |
802 | {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, 0}, /* no_rx_cert_comp */ | |
803 | {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* rx_cert_comp */ | |
656b2605 | 804 | {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ |
656b2605 | 805 | {SSL_OP_NO_TICKET, 0}, /* no_ticket */ |
656b2605 DSH |
806 | {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ |
807 | /* legacy_renegotiation */ | |
808 | {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, | |
55373bfd RS |
809 | /* Allow client renegotiation */ |
810 | {SSL_OP_ALLOW_CLIENT_RENEGOTIATION, 0}, | |
656b2605 DSH |
811 | /* legacy_server_connect */ |
812 | {SSL_OP_LEGACY_SERVER_CONNECT, 0}, | |
db0f35dd TS |
813 | /* no_renegotiation */ |
814 | {SSL_OP_NO_RENEGOTIATION, 0}, | |
656b2605 DSH |
815 | /* no_resumption_on_reneg */ |
816 | {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, | |
817 | /* no_legacy_server_connect */ | |
818 | {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, | |
e3c0d76b MC |
819 | /* allow_no_dhe_kex */ |
820 | {SSL_OP_ALLOW_NO_DHE_KEX, 0}, | |
b8590b2f MM |
821 | /* prefer_no_dhe_kex */ |
822 | {SSL_OP_PREFER_NO_DHE_KEX, 0}, | |
e1c7871d TS |
823 | /* chacha reprioritization */ |
824 | {SSL_OP_PRIORITIZE_CHACHA, 0}, | |
656b2605 | 825 | {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ |
a5816a5a MC |
826 | /* no_middlebox */ |
827 | {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, | |
3bb5e5b0 MC |
828 | /* anti_replay */ |
829 | {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV}, | |
830 | /* no_anti_replay */ | |
831 | {SSL_OP_NO_ANTI_REPLAY, 0}, | |
4832560b DB |
832 | /* no Encrypt-then-Mac */ |
833 | {SSL_OP_NO_ENCRYPT_THEN_MAC, 0}, | |
a829d53a | 834 | /* no Extended master secret */ |
835 | {SSL_OP_NO_EXTENDED_MASTER_SECRET, 0}, | |
3db935a9 DSH |
836 | }; |
837 | ||
ec2f7e56 | 838 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
0f113f3e | 839 | { |
12a765a5 | 840 | if (pcmd == NULL || *pcmd == NULL) |
0f113f3e MC |
841 | return 0; |
842 | /* If a prefix is set, check and skip */ | |
843 | if (cctx->prefix) { | |
844 | if (strlen(*pcmd) <= cctx->prefixlen) | |
845 | return 0; | |
846 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && | |
847 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
848 | return 0; | |
849 | if (cctx->flags & SSL_CONF_FLAG_FILE && | |
fba140c7 | 850 | OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
0f113f3e MC |
851 | return 0; |
852 | *pcmd += cctx->prefixlen; | |
853 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
854 | if (**pcmd != '-' || !(*pcmd)[1]) | |
855 | return 0; | |
856 | *pcmd += 1; | |
857 | } | |
858 | return 1; | |
859 | } | |
860 | ||
656b2605 | 861 | /* Determine if a command is allowed according to cctx flags */ |
bbaeadb0 | 862 | static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t) |
656b2605 DSH |
863 | { |
864 | unsigned int tfl = t->flags; | |
865 | unsigned int cfl = cctx->flags; | |
866 | if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) | |
867 | return 0; | |
868 | if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) | |
869 | return 0; | |
870 | if ((tfl & SSL_CONF_FLAG_CERTIFICATE) | |
871 | && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) | |
872 | return 0; | |
873 | return 1; | |
874 | } | |
875 | ||
0f113f3e MC |
876 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, |
877 | const char *cmd) | |
878 | { | |
879 | const ssl_conf_cmd_tbl *t; | |
880 | size_t i; | |
881 | if (cmd == NULL) | |
882 | return NULL; | |
883 | ||
884 | /* Look for matching parameter name in table */ | |
b6eb9827 | 885 | for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { |
656b2605 DSH |
886 | if (ssl_conf_cmd_allowed(cctx, t)) { |
887 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
86885c28 | 888 | if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) |
656b2605 DSH |
889 | return t; |
890 | } | |
891 | if (cctx->flags & SSL_CONF_FLAG_FILE) { | |
fba140c7 | 892 | if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0) |
656b2605 DSH |
893 | return t; |
894 | } | |
0f113f3e MC |
895 | } |
896 | } | |
897 | return NULL; | |
898 | } | |
ec2f7e56 | 899 | |
bbaeadb0 | 900 | static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd) |
656b2605 DSH |
901 | { |
902 | /* Find index of command in table */ | |
903 | size_t idx = cmd - ssl_conf_cmds; | |
904 | const ssl_switch_tbl *scmd; | |
905 | /* Sanity check index */ | |
906 | if (idx >= OSSL_NELEM(ssl_cmd_switches)) | |
907 | return 0; | |
908 | /* Obtain switches entry with same index */ | |
909 | scmd = ssl_cmd_switches + idx; | |
910 | ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); | |
911 | return 1; | |
912 | } | |
913 | ||
ec2f7e56 | 914 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) |
0f113f3e MC |
915 | { |
916 | const ssl_conf_cmd_tbl *runcmd; | |
917 | if (cmd == NULL) { | |
6849b73c | 918 | ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_NULL_CMD_NAME); |
0f113f3e MC |
919 | return 0; |
920 | } | |
921 | ||
922 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
923 | return -2; | |
924 | ||
925 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
926 | ||
927 | if (runcmd) { | |
928 | int rv; | |
656b2605 DSH |
929 | if (runcmd->value_type == SSL_CONF_TYPE_NONE) { |
930 | return ctrl_switch_option(cctx, runcmd); | |
931 | } | |
0f113f3e MC |
932 | if (value == NULL) |
933 | return -3; | |
934 | rv = runcmd->cmd(cctx, value); | |
935 | if (rv > 0) | |
936 | return 2; | |
937 | if (rv == -2) | |
938 | return -2; | |
c48ffbcc RL |
939 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) |
940 | ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE, | |
941 | "cmd=%s, value=%s", cmd, value); | |
0f113f3e MC |
942 | return 0; |
943 | } | |
944 | ||
c48ffbcc RL |
945 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) |
946 | ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd); | |
0f113f3e MC |
947 | |
948 | return -2; | |
949 | } | |
3db935a9 DSH |
950 | |
951 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) | |
0f113f3e MC |
952 | { |
953 | int rv; | |
954 | const char *arg = NULL, *argn; | |
12a765a5 RS |
955 | |
956 | if (pargc != NULL && *pargc == 0) | |
0f113f3e | 957 | return 0; |
12a765a5 | 958 | if (pargc == NULL || *pargc > 0) |
0f113f3e MC |
959 | arg = **pargv; |
960 | if (arg == NULL) | |
961 | return 0; | |
12a765a5 | 962 | if (pargc == NULL || *pargc > 1) |
0f113f3e MC |
963 | argn = (*pargv)[1]; |
964 | else | |
965 | argn = NULL; | |
966 | cctx->flags &= ~SSL_CONF_FLAG_FILE; | |
967 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; | |
968 | rv = SSL_CONF_cmd(cctx, arg, argn); | |
969 | if (rv > 0) { | |
970 | /* Success: update pargc, pargv */ | |
971 | (*pargv) += rv; | |
972 | if (pargc) | |
973 | (*pargc) -= rv; | |
974 | return rv; | |
975 | } | |
976 | /* Unknown switch: indicate no arguments processed */ | |
977 | if (rv == -2) | |
978 | return 0; | |
979 | /* Some error occurred processing command, return fatal error */ | |
980 | if (rv == 0) | |
981 | return -1; | |
982 | return rv; | |
983 | } | |
3db935a9 | 984 | |
ec2f7e56 | 985 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
0f113f3e MC |
986 | { |
987 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { | |
988 | const ssl_conf_cmd_tbl *runcmd; | |
989 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
990 | if (runcmd) | |
991 | return runcmd->value_type; | |
992 | } | |
993 | return SSL_CONF_TYPE_UNKNOWN; | |
994 | } | |
ec2f7e56 | 995 | |
3db935a9 | 996 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
0f113f3e | 997 | { |
64b25758 | 998 | SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); |
b4faea50 | 999 | |
0f113f3e MC |
1000 | return ret; |
1001 | } | |
3db935a9 | 1002 | |
ec2f7e56 | 1003 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
0f113f3e | 1004 | { |
2011b169 DSH |
1005 | /* See if any certificates are missing private keys */ |
1006 | size_t i; | |
1007 | CERT *c = NULL; | |
38b051a1 TM |
1008 | |
1009 | if (cctx->ctx != NULL) { | |
2011b169 | 1010 | c = cctx->ctx->cert; |
38b051a1 TM |
1011 | } else if (cctx->ssl != NULL) { |
1012 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); | |
1013 | ||
1014 | if (sc != NULL) | |
1015 | c = sc->cert; | |
1016 | } | |
1017 | if (c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
2011b169 DSH |
1018 | for (i = 0; i < SSL_PKEY_NUM; i++) { |
1019 | const char *p = cctx->cert_filename[i]; | |
1020 | /* | |
1021 | * If missing private key try to load one from certificate file | |
1022 | */ | |
1023 | if (p && !c->pkeys[i].privatekey) { | |
1024 | if (!cmd_PrivateKey(cctx, p)) | |
1025 | return 0; | |
1026 | } | |
1027 | } | |
1028 | } | |
429261d0 DSH |
1029 | if (cctx->canames) { |
1030 | if (cctx->ssl) | |
be885d50 | 1031 | SSL_set0_CA_list(cctx->ssl, cctx->canames); |
429261d0 | 1032 | else if (cctx->ctx) |
be885d50 | 1033 | SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); |
429261d0 DSH |
1034 | else |
1035 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); | |
1036 | cctx->canames = NULL; | |
1037 | } | |
0f113f3e MC |
1038 | return 1; |
1039 | } | |
ec2f7e56 | 1040 | |
3db935a9 | 1041 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
0f113f3e MC |
1042 | { |
1043 | if (cctx) { | |
2011b169 | 1044 | size_t i; |
656b2605 | 1045 | for (i = 0; i < SSL_PKEY_NUM; i++) |
b548a1f1 | 1046 | OPENSSL_free(cctx->cert_filename[i]); |
b548a1f1 | 1047 | OPENSSL_free(cctx->prefix); |
429261d0 | 1048 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
4445704f | 1049 | OPENSSL_free(cctx); |
0f113f3e MC |
1050 | } |
1051 | } | |
3db935a9 DSH |
1052 | |
1053 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
0f113f3e MC |
1054 | { |
1055 | cctx->flags |= flags; | |
1056 | return cctx->flags; | |
1057 | } | |
3db935a9 DSH |
1058 | |
1059 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
0f113f3e MC |
1060 | { |
1061 | cctx->flags &= ~flags; | |
1062 | return cctx->flags; | |
1063 | } | |
3db935a9 DSH |
1064 | |
1065 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) | |
0f113f3e MC |
1066 | { |
1067 | char *tmp = NULL; | |
1068 | if (pre) { | |
7644a9ae | 1069 | tmp = OPENSSL_strdup(pre); |
0f113f3e MC |
1070 | if (tmp == NULL) |
1071 | return 0; | |
1072 | } | |
b548a1f1 | 1073 | OPENSSL_free(cctx->prefix); |
0f113f3e MC |
1074 | cctx->prefix = tmp; |
1075 | if (tmp) | |
1076 | cctx->prefixlen = strlen(tmp); | |
1077 | else | |
1078 | cctx->prefixlen = 0; | |
1079 | return 1; | |
1080 | } | |
3db935a9 DSH |
1081 | |
1082 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) | |
0f113f3e MC |
1083 | { |
1084 | cctx->ssl = ssl; | |
1085 | cctx->ctx = NULL; | |
38b051a1 TM |
1086 | if (ssl != NULL) { |
1087 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); | |
1088 | ||
1089 | if (sc == NULL) | |
1090 | return; | |
1091 | cctx->poptions = &sc->options; | |
1092 | cctx->min_version = &sc->min_proto_version; | |
1093 | cctx->max_version = &sc->max_proto_version; | |
1094 | cctx->pcert_flags = &sc->cert->cert_flags; | |
1095 | cctx->pvfy_flags = &sc->verify_mode; | |
0f113f3e MC |
1096 | } else { |
1097 | cctx->poptions = NULL; | |
7946ab33 KR |
1098 | cctx->min_version = NULL; |
1099 | cctx->max_version = NULL; | |
0f113f3e | 1100 | cctx->pcert_flags = NULL; |
429261d0 | 1101 | cctx->pvfy_flags = NULL; |
0f113f3e MC |
1102 | } |
1103 | } | |
3db935a9 DSH |
1104 | |
1105 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) | |
0f113f3e MC |
1106 | { |
1107 | cctx->ctx = ctx; | |
1108 | cctx->ssl = NULL; | |
1109 | if (ctx) { | |
1110 | cctx->poptions = &ctx->options; | |
7946ab33 KR |
1111 | cctx->min_version = &ctx->min_proto_version; |
1112 | cctx->max_version = &ctx->max_proto_version; | |
0f113f3e | 1113 | cctx->pcert_flags = &ctx->cert->cert_flags; |
429261d0 | 1114 | cctx->pvfy_flags = &ctx->verify_mode; |
0f113f3e MC |
1115 | } else { |
1116 | cctx->poptions = NULL; | |
7946ab33 KR |
1117 | cctx->min_version = NULL; |
1118 | cctx->max_version = NULL; | |
0f113f3e | 1119 | cctx->pcert_flags = NULL; |
429261d0 | 1120 | cctx->pvfy_flags = NULL; |
0f113f3e MC |
1121 | } |
1122 | } |