]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
846e33c7 | 2 | * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. |
3db935a9 | 3 | * |
846e33c7 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
3db935a9 DSH |
8 | */ |
9 | ||
3db935a9 DSH |
10 | #include <stdio.h> |
11 | #include "ssl_locl.h" | |
12 | #include <openssl/conf.h> | |
13 | #include <openssl/objects.h> | |
3c27208f | 14 | #include <openssl/dh.h> |
3db935a9 | 15 | |
0f113f3e | 16 | /* |
f430ba31 | 17 | * structure holding name tables. This is used for permitted elements in lists |
656b2605 | 18 | * such as TLSv1. |
3db935a9 DSH |
19 | */ |
20 | ||
0f113f3e MC |
21 | typedef struct { |
22 | const char *name; | |
23 | int namelen; | |
24 | unsigned int name_flags; | |
25 | unsigned long option_value; | |
26 | } ssl_flag_tbl; | |
3db935a9 | 27 | |
656b2605 DSH |
28 | /* Switch table: use for single command line switches like no_tls2 */ |
29 | typedef struct { | |
30 | unsigned long option_value; | |
31 | unsigned int name_flags; | |
32 | } ssl_switch_tbl; | |
33 | ||
3db935a9 | 34 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ |
0f113f3e | 35 | #define SSL_TFLAG_INV 0x1 |
429261d0 DSH |
36 | /* Mask for type of flag referred to */ |
37 | #define SSL_TFLAG_TYPE_MASK 0xf00 | |
38 | /* Flag is for options */ | |
39 | #define SSL_TFLAG_OPTION 0x000 | |
40 | /* Flag is for cert_flags */ | |
41 | #define SSL_TFLAG_CERT 0x100 | |
42 | /* Flag is for verify mode */ | |
43 | #define SSL_TFLAG_VFY 0x200 | |
3db935a9 DSH |
44 | /* Option can only be used for clients */ |
45 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT | |
46 | /* Option can only be used for servers */ | |
47 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER | |
48 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) | |
49 | ||
50 | #define SSL_FLAG_TBL(str, flag) \ | |
0f113f3e | 51 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} |
3db935a9 | 52 | #define SSL_FLAG_TBL_SRV(str, flag) \ |
0f113f3e | 53 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} |
3db935a9 | 54 | #define SSL_FLAG_TBL_CLI(str, flag) \ |
0f113f3e | 55 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} |
3db935a9 | 56 | #define SSL_FLAG_TBL_INV(str, flag) \ |
0f113f3e | 57 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} |
3db935a9 | 58 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ |
0f113f3e | 59 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} |
3db935a9 | 60 | #define SSL_FLAG_TBL_CERT(str, flag) \ |
0f113f3e | 61 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} |
3db935a9 | 62 | |
429261d0 DSH |
63 | #define SSL_FLAG_VFY_CLI(str, flag) \ |
64 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} | |
65 | #define SSL_FLAG_VFY_SRV(str, flag) \ | |
66 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} | |
67 | ||
0f113f3e MC |
68 | /* |
69 | * Opaque structure containing SSL configuration context. | |
3db935a9 DSH |
70 | */ |
71 | ||
0f113f3e MC |
72 | struct ssl_conf_ctx_st { |
73 | /* | |
74 | * Various flags indicating (among other things) which options we will | |
75 | * recognise. | |
76 | */ | |
77 | unsigned int flags; | |
78 | /* Prefix and length of commands */ | |
79 | char *prefix; | |
80 | size_t prefixlen; | |
81 | /* SSL_CTX or SSL structure to perform operations on */ | |
82 | SSL_CTX *ctx; | |
83 | SSL *ssl; | |
84 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ | |
f7d53487 | 85 | uint32_t *poptions; |
2011b169 DSH |
86 | /* Certificate filenames for each type */ |
87 | char *cert_filename[SSL_PKEY_NUM]; | |
0f113f3e | 88 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ |
f7d53487 | 89 | uint32_t *pcert_flags; |
429261d0 DSH |
90 | /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ |
91 | uint32_t *pvfy_flags; | |
7946ab33 KR |
92 | /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ |
93 | int *min_version; | |
94 | /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ | |
95 | int *max_version; | |
0f113f3e MC |
96 | /* Current flag table being worked on */ |
97 | const ssl_flag_tbl *tbl; | |
98 | /* Size of table */ | |
99 | size_t ntbl; | |
429261d0 DSH |
100 | /* Client CA names */ |
101 | STACK_OF(X509_NAME) *canames; | |
0f113f3e | 102 | }; |
3db935a9 | 103 | |
656b2605 DSH |
104 | static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, |
105 | unsigned long option_value, int onoff) | |
106 | { | |
4fdf17a0 | 107 | uint32_t *pflags; |
656b2605 DSH |
108 | if (cctx->poptions == NULL) |
109 | return; | |
110 | if (name_flags & SSL_TFLAG_INV) | |
111 | onoff ^= 1; | |
429261d0 DSH |
112 | switch (name_flags & SSL_TFLAG_TYPE_MASK) { |
113 | ||
114 | case SSL_TFLAG_CERT: | |
115 | pflags = cctx->pcert_flags; | |
116 | break; | |
117 | ||
118 | case SSL_TFLAG_VFY: | |
a230b26e | 119 | pflags = cctx->pvfy_flags; |
429261d0 DSH |
120 | break; |
121 | ||
122 | case SSL_TFLAG_OPTION: | |
123 | pflags = cctx->poptions; | |
124 | break; | |
125 | ||
126 | default: | |
127 | return; | |
128 | ||
656b2605 | 129 | } |
429261d0 DSH |
130 | if (onoff) |
131 | *pflags |= option_value; | |
132 | else | |
133 | *pflags &= ~option_value; | |
656b2605 DSH |
134 | } |
135 | ||
3db935a9 | 136 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, |
0f113f3e MC |
137 | const char *name, int namelen, int onoff) |
138 | { | |
139 | /* If name not relevant for context skip */ | |
140 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) | |
141 | return 0; | |
142 | if (namelen == -1) { | |
143 | if (strcmp(tbl->name, name)) | |
144 | return 0; | |
a230b26e | 145 | } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen)) |
0f113f3e | 146 | return 0; |
656b2605 | 147 | ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); |
0f113f3e MC |
148 | return 1; |
149 | } | |
3db935a9 DSH |
150 | |
151 | static int ssl_set_option_list(const char *elem, int len, void *usr) | |
0f113f3e MC |
152 | { |
153 | SSL_CONF_CTX *cctx = usr; | |
154 | size_t i; | |
155 | const ssl_flag_tbl *tbl; | |
156 | int onoff = 1; | |
157 | /* | |
158 | * len == -1 indicates not being called in list context, just for single | |
159 | * command line switches, so don't allow +, -. | |
160 | */ | |
2747d73c KR |
161 | if (elem == NULL) |
162 | return 0; | |
0f113f3e MC |
163 | if (len != -1) { |
164 | if (*elem == '+') { | |
165 | elem++; | |
166 | len--; | |
167 | onoff = 1; | |
168 | } else if (*elem == '-') { | |
169 | elem++; | |
170 | len--; | |
171 | onoff = 0; | |
172 | } | |
173 | } | |
174 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { | |
175 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) | |
176 | return 1; | |
177 | } | |
178 | return 0; | |
179 | } | |
3db935a9 | 180 | |
3db935a9 | 181 | /* Set supported signature algorithms */ |
ec2f7e56 | 182 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
183 | { |
184 | int rv; | |
185 | if (cctx->ssl) | |
186 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); | |
187 | /* NB: ctx == NULL performs syntax checking only */ | |
188 | else | |
189 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); | |
190 | return rv > 0; | |
191 | } | |
192 | ||
3db935a9 | 193 | /* Set supported client signature algorithms */ |
a230b26e | 194 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
195 | { |
196 | int rv; | |
197 | if (cctx->ssl) | |
198 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); | |
199 | /* NB: ctx == NULL performs syntax checking only */ | |
200 | else | |
201 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); | |
202 | return rv > 0; | |
203 | } | |
3db935a9 | 204 | |
de4d764e | 205 | static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
206 | { |
207 | int rv; | |
208 | if (cctx->ssl) | |
de4d764e | 209 | rv = SSL_set1_groups_list(cctx->ssl, value); |
0f113f3e MC |
210 | /* NB: ctx == NULL performs syntax checking only */ |
211 | else | |
de4d764e | 212 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); |
0f113f3e MC |
213 | return rv > 0; |
214 | } | |
215 | ||
de4d764e MC |
216 | /* This is the old name for cmd_Groups - retained for backwards compatibility */ |
217 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) | |
218 | { | |
219 | return cmd_Groups(cctx, value); | |
220 | } | |
221 | ||
10bf4fc2 | 222 | #ifndef OPENSSL_NO_EC |
3db935a9 | 223 | /* ECDH temporary parameters */ |
ec2f7e56 | 224 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e | 225 | { |
fe6ef247 KR |
226 | int rv = 1; |
227 | EC_KEY *ecdh; | |
228 | int nid; | |
0f113f3e | 229 | |
fe6ef247 KR |
230 | nid = EC_curve_nist2nid(value); |
231 | if (nid == NID_undef) | |
232 | nid = OBJ_sn2nid(value); | |
233 | if (nid == 0) | |
234 | return 0; | |
235 | ecdh = EC_KEY_new_by_curve_name(nid); | |
236 | if (!ecdh) | |
237 | return 0; | |
238 | if (cctx->ctx) | |
239 | rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); | |
240 | else if (cctx->ssl) | |
241 | rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); | |
242 | EC_KEY_free(ecdh); | |
0f113f3e MC |
243 | |
244 | return rv > 0; | |
245 | } | |
14536c8c | 246 | #endif |
ec2f7e56 | 247 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
248 | { |
249 | int rv = 1; | |
250 | if (cctx->ctx) | |
251 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); | |
252 | if (cctx->ssl) | |
253 | rv = SSL_set_cipher_list(cctx->ssl, value); | |
254 | return rv > 0; | |
255 | } | |
3db935a9 | 256 | |
ec2f7e56 | 257 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
258 | { |
259 | static const ssl_flag_tbl ssl_protocol_list[] = { | |
260 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), | |
261 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), | |
262 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), | |
263 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), | |
264 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), | |
7946ab33 | 265 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), |
582a17d6 | 266 | SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3), |
7946ab33 KR |
267 | SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), |
268 | SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) | |
0f113f3e | 269 | }; |
0f113f3e | 270 | cctx->tbl = ssl_protocol_list; |
b6eb9827 | 271 | cctx->ntbl = OSSL_NELEM(ssl_protocol_list); |
0f113f3e MC |
272 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
273 | } | |
3db935a9 | 274 | |
7946ab33 KR |
275 | /* |
276 | * protocol_from_string - converts a protocol version string to a number | |
277 | * | |
278 | * Returns -1 on failure or the version on success | |
279 | */ | |
280 | static int protocol_from_string(const char *value) | |
281 | { | |
282 | struct protocol_versions { | |
283 | const char *name; | |
284 | int version; | |
285 | }; | |
286 | static const struct protocol_versions versions[] = { | |
869e978c | 287 | {"None", 0}, |
7946ab33 KR |
288 | {"SSLv3", SSL3_VERSION}, |
289 | {"TLSv1", TLS1_VERSION}, | |
290 | {"TLSv1.1", TLS1_1_VERSION}, | |
291 | {"TLSv1.2", TLS1_2_VERSION}, | |
582a17d6 | 292 | {"TLSv1.3", TLS1_3_VERSION}, |
7946ab33 | 293 | {"DTLSv1", DTLS1_VERSION}, |
a230b26e EK |
294 | {"DTLSv1.2", DTLS1_2_VERSION} |
295 | }; | |
7946ab33 KR |
296 | size_t i; |
297 | size_t n = OSSL_NELEM(versions); | |
298 | ||
299 | for (i = 0; i < n; i++) | |
300 | if (strcmp(versions[i].name, value) == 0) | |
301 | return versions[i].version; | |
302 | return -1; | |
303 | } | |
304 | ||
4fa52141 VD |
305 | static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) |
306 | { | |
307 | int method_version; | |
308 | int new_version; | |
309 | ||
310 | if (cctx->ctx != NULL) | |
311 | method_version = cctx->ctx->method->version; | |
312 | else if (cctx->ssl != NULL) | |
313 | method_version = cctx->ssl->ctx->method->version; | |
314 | else | |
315 | return 0; | |
316 | if ((new_version = protocol_from_string(value)) < 0) | |
317 | return 0; | |
318 | return ssl_set_version_bound(method_version, new_version, bound); | |
319 | } | |
320 | ||
7946ab33 KR |
321 | /* |
322 | * cmd_MinProtocol - Set min protocol version | |
323 | * @cctx: config structure to save settings in | |
324 | * @value: The min protocol version in string form | |
325 | * | |
326 | * Returns 1 on success and 0 on failure. | |
327 | */ | |
328 | static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) | |
329 | { | |
4fa52141 | 330 | return min_max_proto(cctx, value, cctx->min_version); |
7946ab33 KR |
331 | } |
332 | ||
333 | /* | |
334 | * cmd_MaxProtocol - Set max protocol version | |
335 | * @cctx: config structure to save settings in | |
336 | * @value: The max protocol version in string form | |
337 | * | |
338 | * Returns 1 on success and 0 on failure. | |
339 | */ | |
340 | static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) | |
341 | { | |
4fa52141 | 342 | return min_max_proto(cctx, value, cctx->max_version); |
7946ab33 KR |
343 | } |
344 | ||
ec2f7e56 | 345 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
346 | { |
347 | static const ssl_flag_tbl ssl_option_list[] = { | |
348 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), | |
349 | SSL_FLAG_TBL_INV("EmptyFragments", | |
350 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), | |
351 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), | |
352 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), | |
353 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
354 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", | |
355 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), | |
356 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), | |
357 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), | |
358 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", | |
359 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
360 | }; | |
0f113f3e MC |
361 | if (value == NULL) |
362 | return -3; | |
363 | cctx->tbl = ssl_option_list; | |
b6eb9827 | 364 | cctx->ntbl = OSSL_NELEM(ssl_option_list); |
0f113f3e MC |
365 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
366 | } | |
3db935a9 | 367 | |
429261d0 DSH |
368 | static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) |
369 | { | |
370 | static const ssl_flag_tbl ssl_vfy_list[] = { | |
371 | SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER), | |
372 | SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), | |
373 | SSL_FLAG_VFY_SRV("Require", | |
374 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), | |
375 | SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE) | |
376 | }; | |
377 | if (value == NULL) | |
378 | return -3; | |
379 | cctx->tbl = ssl_vfy_list; | |
380 | cctx->ntbl = OSSL_NELEM(ssl_vfy_list); | |
381 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
382 | } | |
383 | ||
ec2f7e56 | 384 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
0f113f3e MC |
385 | { |
386 | int rv = 1; | |
2011b169 | 387 | CERT *c = NULL; |
2011b169 | 388 | if (cctx->ctx) { |
0f113f3e | 389 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); |
2011b169 DSH |
390 | c = cctx->ctx->cert; |
391 | } | |
392 | if (cctx->ssl) { | |
fae4772c | 393 | rv = SSL_use_certificate_chain_file(cctx->ssl, value); |
2011b169 DSH |
394 | c = cctx->ssl->cert; |
395 | } | |
396 | if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
397 | char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; | |
b548a1f1 | 398 | OPENSSL_free(*pfilename); |
7644a9ae | 399 | *pfilename = OPENSSL_strdup(value); |
2011b169 DSH |
400 | if (!*pfilename) |
401 | rv = 0; | |
402 | } | |
403 | ||
0f113f3e MC |
404 | return rv > 0; |
405 | } | |
ec2f7e56 DSH |
406 | |
407 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
408 | { |
409 | int rv = 1; | |
410 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
411 | return -2; | |
412 | if (cctx->ctx) | |
413 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); | |
414 | if (cctx->ssl) | |
415 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
416 | return rv > 0; | |
417 | } | |
5b7f36e8 DSH |
418 | |
419 | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
420 | { |
421 | int rv = 1; | |
0f113f3e MC |
422 | if (cctx->ctx) |
423 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); | |
424 | return rv > 0; | |
425 | } | |
5b7f36e8 | 426 | |
429261d0 DSH |
427 | static int do_store(SSL_CONF_CTX *cctx, |
428 | const char *CAfile, const char *CApath, int verify_store) | |
429 | { | |
430 | CERT *cert; | |
431 | X509_STORE **st; | |
432 | if (cctx->ctx) | |
433 | cert = cctx->ctx->cert; | |
434 | else if (cctx->ssl) | |
435 | cert = cctx->ssl->cert; | |
436 | else | |
437 | return 1; | |
438 | st = verify_store ? &cert->verify_store : &cert->chain_store; | |
439 | if (*st == NULL) { | |
440 | *st = X509_STORE_new(); | |
441 | if (*st == NULL) | |
442 | return 0; | |
443 | } | |
444 | return X509_STORE_load_locations(*st, CAfile, CApath) > 0; | |
445 | } | |
446 | ||
447 | static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) | |
448 | { | |
449 | return do_store(cctx, NULL, value, 0); | |
450 | } | |
451 | ||
452 | static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) | |
453 | { | |
454 | return do_store(cctx, value, NULL, 0); | |
455 | } | |
456 | ||
457 | static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) | |
458 | { | |
459 | return do_store(cctx, NULL, value, 1); | |
460 | } | |
461 | ||
462 | static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) | |
463 | { | |
464 | return do_store(cctx, value, NULL, 1); | |
465 | } | |
466 | ||
467 | static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) | |
468 | { | |
469 | if (cctx->canames == NULL) | |
470 | cctx->canames = sk_X509_NAME_new_null(); | |
471 | if (cctx->canames == NULL) | |
472 | return 0; | |
473 | return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); | |
474 | } | |
475 | ||
476 | static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) | |
477 | { | |
478 | if (cctx->canames == NULL) | |
479 | cctx->canames = sk_X509_NAME_new_null(); | |
480 | if (cctx->canames == NULL) | |
481 | return 0; | |
482 | return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); | |
483 | } | |
484 | ||
c557f921 DSH |
485 | #ifndef OPENSSL_NO_DH |
486 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) | |
0f113f3e MC |
487 | { |
488 | int rv = 0; | |
489 | DH *dh = NULL; | |
490 | BIO *in = NULL; | |
0f113f3e | 491 | if (cctx->ctx || cctx->ssl) { |
9982cbbb | 492 | in = BIO_new(BIO_s_file()); |
a71edf3b | 493 | if (in == NULL) |
0f113f3e MC |
494 | goto end; |
495 | if (BIO_read_filename(in, value) <= 0) | |
496 | goto end; | |
497 | dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); | |
a71edf3b | 498 | if (dh == NULL) |
0f113f3e MC |
499 | goto end; |
500 | } else | |
501 | return 1; | |
502 | if (cctx->ctx) | |
503 | rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); | |
504 | if (cctx->ssl) | |
505 | rv = SSL_set_tmp_dh(cctx->ssl, dh); | |
506 | end: | |
d6407083 | 507 | DH_free(dh); |
ca3a82c3 | 508 | BIO_free(in); |
0f113f3e MC |
509 | return rv > 0; |
510 | } | |
c557f921 | 511 | #endif |
0f113f3e MC |
512 | typedef struct { |
513 | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); | |
514 | const char *str_file; | |
515 | const char *str_cmdline; | |
656b2605 DSH |
516 | unsigned short flags; |
517 | unsigned short value_type; | |
0f113f3e | 518 | } ssl_conf_cmd_tbl; |
3db935a9 | 519 | |
ec2f7e56 DSH |
520 | /* Table of supported parameters */ |
521 | ||
656b2605 DSH |
522 | #define SSL_CONF_CMD(name, cmdopt, flags, type) \ |
523 | {cmd_##name, #name, cmdopt, flags, type} | |
524 | ||
525 | #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ | |
526 | SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) | |
ec2f7e56 | 527 | |
656b2605 DSH |
528 | #define SSL_CONF_CMD_SWITCH(name, flags) \ |
529 | {0, NULL, name, flags, SSL_CONF_TYPE_NONE} | |
3db935a9 | 530 | |
7e1b7485 | 531 | /* See apps/apps.h if you change this table. */ |
27f3b65f | 532 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
656b2605 DSH |
533 | SSL_CONF_CMD_SWITCH("no_ssl3", 0), |
534 | SSL_CONF_CMD_SWITCH("no_tls1", 0), | |
535 | SSL_CONF_CMD_SWITCH("no_tls1_1", 0), | |
536 | SSL_CONF_CMD_SWITCH("no_tls1_2", 0), | |
582a17d6 | 537 | SSL_CONF_CMD_SWITCH("no_tls1_3", 0), |
656b2605 | 538 | SSL_CONF_CMD_SWITCH("bugs", 0), |
cc5a9ba4 | 539 | SSL_CONF_CMD_SWITCH("no_comp", 0), |
dc5744cb | 540 | SSL_CONF_CMD_SWITCH("comp", 0), |
656b2605 | 541 | SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), |
656b2605 | 542 | SSL_CONF_CMD_SWITCH("no_ticket", 0), |
656b2605 DSH |
543 | SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), |
544 | SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), | |
545 | SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER), | |
546 | SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), | |
547 | SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), | |
548 | SSL_CONF_CMD_SWITCH("strict", 0), | |
656b2605 DSH |
549 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), |
550 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), | |
551 | SSL_CONF_CMD_STRING(Curves, "curves", 0), | |
de4d764e | 552 | SSL_CONF_CMD_STRING(Groups, "groups", 0), |
10bf4fc2 | 553 | #ifndef OPENSSL_NO_EC |
656b2605 | 554 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), |
14536c8c | 555 | #endif |
656b2605 DSH |
556 | SSL_CONF_CMD_STRING(CipherString, "cipher", 0), |
557 | SSL_CONF_CMD_STRING(Protocol, NULL, 0), | |
453dfd8d EK |
558 | SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), |
559 | SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), | |
656b2605 | 560 | SSL_CONF_CMD_STRING(Options, NULL, 0), |
429261d0 | 561 | SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), |
656b2605 DSH |
562 | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, |
563 | SSL_CONF_TYPE_FILE), | |
564 | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE, | |
565 | SSL_CONF_TYPE_FILE), | |
566 | SSL_CONF_CMD(ServerInfoFile, NULL, | |
567 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
568 | SSL_CONF_TYPE_FILE), | |
429261d0 DSH |
569 | SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE, |
570 | SSL_CONF_TYPE_DIR), | |
571 | SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
572 | SSL_CONF_TYPE_FILE), | |
573 | SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE, | |
574 | SSL_CONF_TYPE_DIR), | |
575 | SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
576 | SSL_CONF_TYPE_FILE), | |
577 | SSL_CONF_CMD(ClientCAFile, NULL, | |
578 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
579 | SSL_CONF_TYPE_FILE), | |
580 | SSL_CONF_CMD(ClientCAPath, NULL, | |
581 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
582 | SSL_CONF_TYPE_DIR), | |
c557f921 | 583 | #ifndef OPENSSL_NO_DH |
656b2605 DSH |
584 | SSL_CONF_CMD(DHParameters, "dhparam", |
585 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
586 | SSL_CONF_TYPE_FILE) | |
587 | #endif | |
588 | }; | |
589 | ||
590 | /* Supported switches: must match order of switches in ssl_conf_cmds */ | |
591 | static const ssl_switch_tbl ssl_cmd_switches[] = { | |
592 | {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ | |
593 | {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ | |
594 | {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ | |
595 | {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ | |
582a17d6 | 596 | {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */ |
656b2605 | 597 | {SSL_OP_ALL, 0}, /* bugs */ |
cc5a9ba4 VD |
598 | {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ |
599 | {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ | |
656b2605 | 600 | {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ |
656b2605 | 601 | {SSL_OP_NO_TICKET, 0}, /* no_ticket */ |
656b2605 DSH |
602 | {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ |
603 | /* legacy_renegotiation */ | |
604 | {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, | |
605 | /* legacy_server_connect */ | |
606 | {SSL_OP_LEGACY_SERVER_CONNECT, 0}, | |
607 | /* no_resumption_on_reneg */ | |
608 | {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, | |
609 | /* no_legacy_server_connect */ | |
610 | {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, | |
611 | {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ | |
3db935a9 DSH |
612 | }; |
613 | ||
ec2f7e56 | 614 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
0f113f3e MC |
615 | { |
616 | if (!pcmd || !*pcmd) | |
617 | return 0; | |
618 | /* If a prefix is set, check and skip */ | |
619 | if (cctx->prefix) { | |
620 | if (strlen(*pcmd) <= cctx->prefixlen) | |
621 | return 0; | |
622 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && | |
623 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
624 | return 0; | |
625 | if (cctx->flags & SSL_CONF_FLAG_FILE && | |
626 | strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
627 | return 0; | |
628 | *pcmd += cctx->prefixlen; | |
629 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
630 | if (**pcmd != '-' || !(*pcmd)[1]) | |
631 | return 0; | |
632 | *pcmd += 1; | |
633 | } | |
634 | return 1; | |
635 | } | |
636 | ||
656b2605 | 637 | /* Determine if a command is allowed according to cctx flags */ |
a230b26e | 638 | static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t) |
656b2605 DSH |
639 | { |
640 | unsigned int tfl = t->flags; | |
641 | unsigned int cfl = cctx->flags; | |
642 | if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) | |
643 | return 0; | |
644 | if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) | |
645 | return 0; | |
646 | if ((tfl & SSL_CONF_FLAG_CERTIFICATE) | |
647 | && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) | |
648 | return 0; | |
649 | return 1; | |
650 | } | |
651 | ||
0f113f3e MC |
652 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, |
653 | const char *cmd) | |
654 | { | |
655 | const ssl_conf_cmd_tbl *t; | |
656 | size_t i; | |
657 | if (cmd == NULL) | |
658 | return NULL; | |
659 | ||
660 | /* Look for matching parameter name in table */ | |
b6eb9827 | 661 | for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { |
656b2605 DSH |
662 | if (ssl_conf_cmd_allowed(cctx, t)) { |
663 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
86885c28 | 664 | if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) |
656b2605 DSH |
665 | return t; |
666 | } | |
667 | if (cctx->flags & SSL_CONF_FLAG_FILE) { | |
86885c28 | 668 | if (t->str_file && strcasecmp(t->str_file, cmd) == 0) |
656b2605 DSH |
669 | return t; |
670 | } | |
0f113f3e MC |
671 | } |
672 | } | |
673 | return NULL; | |
674 | } | |
ec2f7e56 | 675 | |
a230b26e | 676 | static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) |
656b2605 DSH |
677 | { |
678 | /* Find index of command in table */ | |
679 | size_t idx = cmd - ssl_conf_cmds; | |
680 | const ssl_switch_tbl *scmd; | |
681 | /* Sanity check index */ | |
682 | if (idx >= OSSL_NELEM(ssl_cmd_switches)) | |
683 | return 0; | |
684 | /* Obtain switches entry with same index */ | |
685 | scmd = ssl_cmd_switches + idx; | |
686 | ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); | |
687 | return 1; | |
688 | } | |
689 | ||
ec2f7e56 | 690 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) |
0f113f3e MC |
691 | { |
692 | const ssl_conf_cmd_tbl *runcmd; | |
693 | if (cmd == NULL) { | |
694 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); | |
695 | return 0; | |
696 | } | |
697 | ||
698 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
699 | return -2; | |
700 | ||
701 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
702 | ||
703 | if (runcmd) { | |
704 | int rv; | |
656b2605 DSH |
705 | if (runcmd->value_type == SSL_CONF_TYPE_NONE) { |
706 | return ctrl_switch_option(cctx, runcmd); | |
707 | } | |
0f113f3e MC |
708 | if (value == NULL) |
709 | return -3; | |
710 | rv = runcmd->cmd(cctx, value); | |
711 | if (rv > 0) | |
712 | return 2; | |
713 | if (rv == -2) | |
714 | return -2; | |
715 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { | |
716 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); | |
717 | ERR_add_error_data(4, "cmd=", cmd, ", value=", value); | |
718 | } | |
719 | return 0; | |
720 | } | |
721 | ||
0f113f3e MC |
722 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { |
723 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); | |
724 | ERR_add_error_data(2, "cmd=", cmd); | |
725 | } | |
726 | ||
727 | return -2; | |
728 | } | |
3db935a9 DSH |
729 | |
730 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) | |
0f113f3e MC |
731 | { |
732 | int rv; | |
733 | const char *arg = NULL, *argn; | |
734 | if (pargc && *pargc == 0) | |
735 | return 0; | |
736 | if (!pargc || *pargc > 0) | |
737 | arg = **pargv; | |
738 | if (arg == NULL) | |
739 | return 0; | |
740 | if (!pargc || *pargc > 1) | |
741 | argn = (*pargv)[1]; | |
742 | else | |
743 | argn = NULL; | |
744 | cctx->flags &= ~SSL_CONF_FLAG_FILE; | |
745 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; | |
746 | rv = SSL_CONF_cmd(cctx, arg, argn); | |
747 | if (rv > 0) { | |
748 | /* Success: update pargc, pargv */ | |
749 | (*pargv) += rv; | |
750 | if (pargc) | |
751 | (*pargc) -= rv; | |
752 | return rv; | |
753 | } | |
754 | /* Unknown switch: indicate no arguments processed */ | |
755 | if (rv == -2) | |
756 | return 0; | |
757 | /* Some error occurred processing command, return fatal error */ | |
758 | if (rv == 0) | |
759 | return -1; | |
760 | return rv; | |
761 | } | |
3db935a9 | 762 | |
ec2f7e56 | 763 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
0f113f3e MC |
764 | { |
765 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { | |
766 | const ssl_conf_cmd_tbl *runcmd; | |
767 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
768 | if (runcmd) | |
769 | return runcmd->value_type; | |
770 | } | |
771 | return SSL_CONF_TYPE_UNKNOWN; | |
772 | } | |
ec2f7e56 | 773 | |
3db935a9 | 774 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
0f113f3e | 775 | { |
64b25758 | 776 | SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); |
b4faea50 | 777 | |
0f113f3e MC |
778 | return ret; |
779 | } | |
3db935a9 | 780 | |
ec2f7e56 | 781 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
0f113f3e | 782 | { |
2011b169 DSH |
783 | /* See if any certificates are missing private keys */ |
784 | size_t i; | |
785 | CERT *c = NULL; | |
786 | if (cctx->ctx) | |
787 | c = cctx->ctx->cert; | |
788 | else if (cctx->ssl) | |
789 | c = cctx->ssl->cert; | |
790 | if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
791 | for (i = 0; i < SSL_PKEY_NUM; i++) { | |
792 | const char *p = cctx->cert_filename[i]; | |
793 | /* | |
794 | * If missing private key try to load one from certificate file | |
795 | */ | |
796 | if (p && !c->pkeys[i].privatekey) { | |
797 | if (!cmd_PrivateKey(cctx, p)) | |
798 | return 0; | |
799 | } | |
800 | } | |
801 | } | |
429261d0 DSH |
802 | if (cctx->canames) { |
803 | if (cctx->ssl) | |
804 | SSL_set_client_CA_list(cctx->ssl, cctx->canames); | |
805 | else if (cctx->ctx) | |
806 | SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames); | |
807 | else | |
808 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); | |
809 | cctx->canames = NULL; | |
810 | } | |
0f113f3e MC |
811 | return 1; |
812 | } | |
ec2f7e56 | 813 | |
3db935a9 | 814 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
0f113f3e MC |
815 | { |
816 | if (cctx) { | |
2011b169 | 817 | size_t i; |
656b2605 | 818 | for (i = 0; i < SSL_PKEY_NUM; i++) |
b548a1f1 | 819 | OPENSSL_free(cctx->cert_filename[i]); |
b548a1f1 | 820 | OPENSSL_free(cctx->prefix); |
429261d0 | 821 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
4445704f | 822 | OPENSSL_free(cctx); |
0f113f3e MC |
823 | } |
824 | } | |
3db935a9 DSH |
825 | |
826 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
0f113f3e MC |
827 | { |
828 | cctx->flags |= flags; | |
829 | return cctx->flags; | |
830 | } | |
3db935a9 DSH |
831 | |
832 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
0f113f3e MC |
833 | { |
834 | cctx->flags &= ~flags; | |
835 | return cctx->flags; | |
836 | } | |
3db935a9 DSH |
837 | |
838 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) | |
0f113f3e MC |
839 | { |
840 | char *tmp = NULL; | |
841 | if (pre) { | |
7644a9ae | 842 | tmp = OPENSSL_strdup(pre); |
0f113f3e MC |
843 | if (tmp == NULL) |
844 | return 0; | |
845 | } | |
b548a1f1 | 846 | OPENSSL_free(cctx->prefix); |
0f113f3e MC |
847 | cctx->prefix = tmp; |
848 | if (tmp) | |
849 | cctx->prefixlen = strlen(tmp); | |
850 | else | |
851 | cctx->prefixlen = 0; | |
852 | return 1; | |
853 | } | |
3db935a9 DSH |
854 | |
855 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) | |
0f113f3e MC |
856 | { |
857 | cctx->ssl = ssl; | |
858 | cctx->ctx = NULL; | |
859 | if (ssl) { | |
860 | cctx->poptions = &ssl->options; | |
7946ab33 KR |
861 | cctx->min_version = &ssl->min_proto_version; |
862 | cctx->max_version = &ssl->max_proto_version; | |
0f113f3e | 863 | cctx->pcert_flags = &ssl->cert->cert_flags; |
429261d0 | 864 | cctx->pvfy_flags = &ssl->verify_mode; |
0f113f3e MC |
865 | } else { |
866 | cctx->poptions = NULL; | |
7946ab33 KR |
867 | cctx->min_version = NULL; |
868 | cctx->max_version = NULL; | |
0f113f3e | 869 | cctx->pcert_flags = NULL; |
429261d0 | 870 | cctx->pvfy_flags = NULL; |
0f113f3e MC |
871 | } |
872 | } | |
3db935a9 DSH |
873 | |
874 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) | |
0f113f3e MC |
875 | { |
876 | cctx->ctx = ctx; | |
877 | cctx->ssl = NULL; | |
878 | if (ctx) { | |
879 | cctx->poptions = &ctx->options; | |
7946ab33 KR |
880 | cctx->min_version = &ctx->min_proto_version; |
881 | cctx->max_version = &ctx->max_proto_version; | |
0f113f3e | 882 | cctx->pcert_flags = &ctx->cert->cert_flags; |
429261d0 | 883 | cctx->pvfy_flags = &ctx->verify_mode; |
0f113f3e MC |
884 | } else { |
885 | cctx->poptions = NULL; | |
7946ab33 KR |
886 | cctx->min_version = NULL; |
887 | cctx->max_version = NULL; | |
0f113f3e | 888 | cctx->pcert_flags = NULL; |
429261d0 | 889 | cctx->pvfy_flags = NULL; |
0f113f3e MC |
890 | } |
891 | } |