]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdio.h> | |
11 | #include "ssl_locl.h" | |
12 | #include <openssl/conf.h> | |
13 | #include <openssl/objects.h> | |
14 | #include <openssl/dh.h> | |
15 | #include "internal/nelem.h" | |
16 | ||
17 | /* | |
18 | * structure holding name tables. This is used for permitted elements in lists | |
19 | * such as TLSv1. | |
20 | */ | |
21 | ||
22 | typedef struct { | |
23 | const char *name; | |
24 | int namelen; | |
25 | unsigned int name_flags; | |
26 | unsigned long option_value; | |
27 | } ssl_flag_tbl; | |
28 | ||
29 | /* Switch table: use for single command line switches like no_tls2 */ | |
30 | typedef struct { | |
31 | unsigned long option_value; | |
32 | unsigned int name_flags; | |
33 | } ssl_switch_tbl; | |
34 | ||
35 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ | |
36 | #define SSL_TFLAG_INV 0x1 | |
37 | /* Mask for type of flag referred to */ | |
38 | #define SSL_TFLAG_TYPE_MASK 0xf00 | |
39 | /* Flag is for options */ | |
40 | #define SSL_TFLAG_OPTION 0x000 | |
41 | /* Flag is for cert_flags */ | |
42 | #define SSL_TFLAG_CERT 0x100 | |
43 | /* Flag is for verify mode */ | |
44 | #define SSL_TFLAG_VFY 0x200 | |
45 | /* Option can only be used for clients */ | |
46 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT | |
47 | /* Option can only be used for servers */ | |
48 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER | |
49 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) | |
50 | ||
51 | #define SSL_FLAG_TBL(str, flag) \ | |
52 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} | |
53 | #define SSL_FLAG_TBL_SRV(str, flag) \ | |
54 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} | |
55 | #define SSL_FLAG_TBL_CLI(str, flag) \ | |
56 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} | |
57 | #define SSL_FLAG_TBL_INV(str, flag) \ | |
58 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} | |
59 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ | |
60 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} | |
61 | #define SSL_FLAG_TBL_CERT(str, flag) \ | |
62 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} | |
63 | ||
64 | #define SSL_FLAG_VFY_CLI(str, flag) \ | |
65 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} | |
66 | #define SSL_FLAG_VFY_SRV(str, flag) \ | |
67 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} | |
68 | ||
69 | /* | |
70 | * Opaque structure containing SSL configuration context. | |
71 | */ | |
72 | ||
73 | struct ssl_conf_ctx_st { | |
74 | /* | |
75 | * Various flags indicating (among other things) which options we will | |
76 | * recognise. | |
77 | */ | |
78 | unsigned int flags; | |
79 | /* Prefix and length of commands */ | |
80 | char *prefix; | |
81 | size_t prefixlen; | |
82 | /* SSL_CTX or SSL structure to perform operations on */ | |
83 | SSL_CTX *ctx; | |
84 | SSL *ssl; | |
85 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ | |
86 | uint32_t *poptions; | |
87 | /* Certificate filenames for each type */ | |
88 | char *cert_filename[SSL_PKEY_NUM]; | |
89 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ | |
90 | uint32_t *pcert_flags; | |
91 | /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ | |
92 | uint32_t *pvfy_flags; | |
93 | /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ | |
94 | int *min_version; | |
95 | /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ | |
96 | int *max_version; | |
97 | /* Current flag table being worked on */ | |
98 | const ssl_flag_tbl *tbl; | |
99 | /* Size of table */ | |
100 | size_t ntbl; | |
101 | /* Client CA names */ | |
102 | STACK_OF(X509_NAME) *canames; | |
103 | }; | |
104 | ||
105 | static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, | |
106 | unsigned long option_value, int onoff) | |
107 | { | |
108 | uint32_t *pflags; | |
109 | if (cctx->poptions == NULL) | |
110 | return; | |
111 | if (name_flags & SSL_TFLAG_INV) | |
112 | onoff ^= 1; | |
113 | switch (name_flags & SSL_TFLAG_TYPE_MASK) { | |
114 | ||
115 | case SSL_TFLAG_CERT: | |
116 | pflags = cctx->pcert_flags; | |
117 | break; | |
118 | ||
119 | case SSL_TFLAG_VFY: | |
120 | pflags = cctx->pvfy_flags; | |
121 | break; | |
122 | ||
123 | case SSL_TFLAG_OPTION: | |
124 | pflags = cctx->poptions; | |
125 | break; | |
126 | ||
127 | default: | |
128 | return; | |
129 | ||
130 | } | |
131 | if (onoff) | |
132 | *pflags |= option_value; | |
133 | else | |
134 | *pflags &= ~option_value; | |
135 | } | |
136 | ||
137 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, | |
138 | const char *name, int namelen, int onoff) | |
139 | { | |
140 | /* If name not relevant for context skip */ | |
141 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) | |
142 | return 0; | |
143 | if (namelen == -1) { | |
144 | if (strcmp(tbl->name, name)) | |
145 | return 0; | |
146 | } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen)) | |
147 | return 0; | |
148 | ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); | |
149 | return 1; | |
150 | } | |
151 | ||
152 | static int ssl_set_option_list(const char *elem, int len, void *usr) | |
153 | { | |
154 | SSL_CONF_CTX *cctx = usr; | |
155 | size_t i; | |
156 | const ssl_flag_tbl *tbl; | |
157 | int onoff = 1; | |
158 | /* | |
159 | * len == -1 indicates not being called in list context, just for single | |
160 | * command line switches, so don't allow +, -. | |
161 | */ | |
162 | if (elem == NULL) | |
163 | return 0; | |
164 | if (len != -1) { | |
165 | if (*elem == '+') { | |
166 | elem++; | |
167 | len--; | |
168 | onoff = 1; | |
169 | } else if (*elem == '-') { | |
170 | elem++; | |
171 | len--; | |
172 | onoff = 0; | |
173 | } | |
174 | } | |
175 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { | |
176 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) | |
177 | return 1; | |
178 | } | |
179 | return 0; | |
180 | } | |
181 | ||
182 | /* Set supported signature algorithms */ | |
183 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) | |
184 | { | |
185 | int rv; | |
186 | if (cctx->ssl) | |
187 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); | |
188 | /* NB: ctx == NULL performs syntax checking only */ | |
189 | else | |
190 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); | |
191 | return rv > 0; | |
192 | } | |
193 | ||
194 | /* Set supported client signature algorithms */ | |
195 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) | |
196 | { | |
197 | int rv; | |
198 | if (cctx->ssl) | |
199 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); | |
200 | /* NB: ctx == NULL performs syntax checking only */ | |
201 | else | |
202 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); | |
203 | return rv > 0; | |
204 | } | |
205 | ||
206 | static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) | |
207 | { | |
208 | int rv; | |
209 | if (cctx->ssl) | |
210 | rv = SSL_set1_groups_list(cctx->ssl, value); | |
211 | /* NB: ctx == NULL performs syntax checking only */ | |
212 | else | |
213 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); | |
214 | return rv > 0; | |
215 | } | |
216 | ||
217 | /* This is the old name for cmd_Groups - retained for backwards compatibility */ | |
218 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) | |
219 | { | |
220 | return cmd_Groups(cctx, value); | |
221 | } | |
222 | ||
223 | #ifndef OPENSSL_NO_EC | |
224 | /* ECDH temporary parameters */ | |
225 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) | |
226 | { | |
227 | int rv = 1; | |
228 | EC_KEY *ecdh; | |
229 | int nid; | |
230 | ||
231 | /* Ignore values supported by 1.0.2 for the automatic selection */ | |
232 | if ((cctx->flags & SSL_CONF_FLAG_FILE) | |
233 | && (strcasecmp(value, "+automatic") == 0 | |
234 | || strcasecmp(value, "automatic") == 0)) | |
235 | return 1; | |
236 | if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && | |
237 | strcmp(value, "auto") == 0) | |
238 | return 1; | |
239 | ||
240 | nid = EC_curve_nist2nid(value); | |
241 | if (nid == NID_undef) | |
242 | nid = OBJ_sn2nid(value); | |
243 | if (nid == 0) | |
244 | return 0; | |
245 | ecdh = EC_KEY_new_by_curve_name(nid); | |
246 | if (!ecdh) | |
247 | return 0; | |
248 | if (cctx->ctx) | |
249 | rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); | |
250 | else if (cctx->ssl) | |
251 | rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); | |
252 | EC_KEY_free(ecdh); | |
253 | ||
254 | return rv > 0; | |
255 | } | |
256 | #endif | |
257 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) | |
258 | { | |
259 | int rv = 1; | |
260 | ||
261 | if (cctx->ctx) | |
262 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); | |
263 | if (cctx->ssl) | |
264 | rv = SSL_set_cipher_list(cctx->ssl, value); | |
265 | return rv > 0; | |
266 | } | |
267 | ||
268 | static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value) | |
269 | { | |
270 | int rv = 1; | |
271 | ||
272 | if (cctx->ctx) | |
273 | rv = SSL_CTX_set_ciphersuites(cctx->ctx, value); | |
274 | if (cctx->ssl) | |
275 | rv = SSL_set_ciphersuites(cctx->ssl, value); | |
276 | return rv > 0; | |
277 | } | |
278 | ||
279 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) | |
280 | { | |
281 | static const ssl_flag_tbl ssl_protocol_list[] = { | |
282 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), | |
283 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), | |
284 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), | |
285 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), | |
286 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), | |
287 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), | |
288 | SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3), | |
289 | SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), | |
290 | SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) | |
291 | }; | |
292 | cctx->tbl = ssl_protocol_list; | |
293 | cctx->ntbl = OSSL_NELEM(ssl_protocol_list); | |
294 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
295 | } | |
296 | ||
297 | /* | |
298 | * protocol_from_string - converts a protocol version string to a number | |
299 | * | |
300 | * Returns -1 on failure or the version on success | |
301 | */ | |
302 | static int protocol_from_string(const char *value) | |
303 | { | |
304 | struct protocol_versions { | |
305 | const char *name; | |
306 | int version; | |
307 | }; | |
308 | static const struct protocol_versions versions[] = { | |
309 | {"None", 0}, | |
310 | {"SSLv3", SSL3_VERSION}, | |
311 | {"TLSv1", TLS1_VERSION}, | |
312 | {"TLSv1.1", TLS1_1_VERSION}, | |
313 | {"TLSv1.2", TLS1_2_VERSION}, | |
314 | {"TLSv1.3", TLS1_3_VERSION}, | |
315 | {"DTLSv1", DTLS1_VERSION}, | |
316 | {"DTLSv1.2", DTLS1_2_VERSION} | |
317 | }; | |
318 | size_t i; | |
319 | size_t n = OSSL_NELEM(versions); | |
320 | ||
321 | for (i = 0; i < n; i++) | |
322 | if (strcmp(versions[i].name, value) == 0) | |
323 | return versions[i].version; | |
324 | return -1; | |
325 | } | |
326 | ||
327 | static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) | |
328 | { | |
329 | int method_version; | |
330 | int new_version; | |
331 | ||
332 | if (cctx->ctx != NULL) | |
333 | method_version = cctx->ctx->method->version; | |
334 | else if (cctx->ssl != NULL) | |
335 | method_version = cctx->ssl->ctx->method->version; | |
336 | else | |
337 | return 0; | |
338 | if ((new_version = protocol_from_string(value)) < 0) | |
339 | return 0; | |
340 | return ssl_set_version_bound(method_version, new_version, bound); | |
341 | } | |
342 | ||
343 | /* | |
344 | * cmd_MinProtocol - Set min protocol version | |
345 | * @cctx: config structure to save settings in | |
346 | * @value: The min protocol version in string form | |
347 | * | |
348 | * Returns 1 on success and 0 on failure. | |
349 | */ | |
350 | static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) | |
351 | { | |
352 | return min_max_proto(cctx, value, cctx->min_version); | |
353 | } | |
354 | ||
355 | /* | |
356 | * cmd_MaxProtocol - Set max protocol version | |
357 | * @cctx: config structure to save settings in | |
358 | * @value: The max protocol version in string form | |
359 | * | |
360 | * Returns 1 on success and 0 on failure. | |
361 | */ | |
362 | static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) | |
363 | { | |
364 | return min_max_proto(cctx, value, cctx->max_version); | |
365 | } | |
366 | ||
367 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) | |
368 | { | |
369 | static const ssl_flag_tbl ssl_option_list[] = { | |
370 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), | |
371 | SSL_FLAG_TBL_INV("EmptyFragments", | |
372 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), | |
373 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), | |
374 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), | |
375 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), | |
376 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", | |
377 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), | |
378 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), | |
379 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), | |
380 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", | |
381 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), | |
382 | SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), | |
383 | SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), | |
384 | SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), | |
385 | SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), | |
386 | SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT) | |
387 | }; | |
388 | if (value == NULL) | |
389 | return -3; | |
390 | cctx->tbl = ssl_option_list; | |
391 | cctx->ntbl = OSSL_NELEM(ssl_option_list); | |
392 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
393 | } | |
394 | ||
395 | static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) | |
396 | { | |
397 | static const ssl_flag_tbl ssl_vfy_list[] = { | |
398 | SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER), | |
399 | SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), | |
400 | SSL_FLAG_VFY_SRV("Require", | |
401 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), | |
402 | SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), | |
403 | SSL_FLAG_VFY_SRV("RequestPostHandshake", | |
404 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE), | |
405 | SSL_FLAG_VFY_SRV("RequirePostHandshake", | |
406 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE | | |
407 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), | |
408 | }; | |
409 | if (value == NULL) | |
410 | return -3; | |
411 | cctx->tbl = ssl_vfy_list; | |
412 | cctx->ntbl = OSSL_NELEM(ssl_vfy_list); | |
413 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); | |
414 | } | |
415 | ||
416 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) | |
417 | { | |
418 | int rv = 1; | |
419 | CERT *c = NULL; | |
420 | if (cctx->ctx) { | |
421 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); | |
422 | c = cctx->ctx->cert; | |
423 | } | |
424 | if (cctx->ssl) { | |
425 | rv = SSL_use_certificate_chain_file(cctx->ssl, value); | |
426 | c = cctx->ssl->cert; | |
427 | } | |
428 | if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
429 | char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; | |
430 | OPENSSL_free(*pfilename); | |
431 | *pfilename = OPENSSL_strdup(value); | |
432 | if (!*pfilename) | |
433 | rv = 0; | |
434 | } | |
435 | ||
436 | return rv > 0; | |
437 | } | |
438 | ||
439 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) | |
440 | { | |
441 | int rv = 1; | |
442 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) | |
443 | return -2; | |
444 | if (cctx->ctx) | |
445 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); | |
446 | if (cctx->ssl) | |
447 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); | |
448 | return rv > 0; | |
449 | } | |
450 | ||
451 | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) | |
452 | { | |
453 | int rv = 1; | |
454 | if (cctx->ctx) | |
455 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); | |
456 | return rv > 0; | |
457 | } | |
458 | ||
459 | static int do_store(SSL_CONF_CTX *cctx, | |
460 | const char *CAfile, const char *CApath, int verify_store) | |
461 | { | |
462 | CERT *cert; | |
463 | X509_STORE **st; | |
464 | if (cctx->ctx) | |
465 | cert = cctx->ctx->cert; | |
466 | else if (cctx->ssl) | |
467 | cert = cctx->ssl->cert; | |
468 | else | |
469 | return 1; | |
470 | st = verify_store ? &cert->verify_store : &cert->chain_store; | |
471 | if (*st == NULL) { | |
472 | *st = X509_STORE_new(); | |
473 | if (*st == NULL) | |
474 | return 0; | |
475 | } | |
476 | return X509_STORE_load_locations(*st, CAfile, CApath) > 0; | |
477 | } | |
478 | ||
479 | static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) | |
480 | { | |
481 | return do_store(cctx, NULL, value, 0); | |
482 | } | |
483 | ||
484 | static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) | |
485 | { | |
486 | return do_store(cctx, value, NULL, 0); | |
487 | } | |
488 | ||
489 | static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) | |
490 | { | |
491 | return do_store(cctx, NULL, value, 1); | |
492 | } | |
493 | ||
494 | static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) | |
495 | { | |
496 | return do_store(cctx, value, NULL, 1); | |
497 | } | |
498 | ||
499 | static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value) | |
500 | { | |
501 | if (cctx->canames == NULL) | |
502 | cctx->canames = sk_X509_NAME_new_null(); | |
503 | if (cctx->canames == NULL) | |
504 | return 0; | |
505 | return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); | |
506 | } | |
507 | ||
508 | static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) | |
509 | { | |
510 | return cmd_RequestCAFile(cctx, value); | |
511 | } | |
512 | ||
513 | static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value) | |
514 | { | |
515 | if (cctx->canames == NULL) | |
516 | cctx->canames = sk_X509_NAME_new_null(); | |
517 | if (cctx->canames == NULL) | |
518 | return 0; | |
519 | return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); | |
520 | } | |
521 | ||
522 | static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) | |
523 | { | |
524 | return cmd_RequestCAPath(cctx, value); | |
525 | } | |
526 | ||
527 | #ifndef OPENSSL_NO_DH | |
528 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) | |
529 | { | |
530 | int rv = 0; | |
531 | DH *dh = NULL; | |
532 | BIO *in = NULL; | |
533 | if (cctx->ctx || cctx->ssl) { | |
534 | in = BIO_new(BIO_s_file()); | |
535 | if (in == NULL) | |
536 | goto end; | |
537 | if (BIO_read_filename(in, value) <= 0) | |
538 | goto end; | |
539 | dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); | |
540 | if (dh == NULL) | |
541 | goto end; | |
542 | } else | |
543 | return 1; | |
544 | if (cctx->ctx) | |
545 | rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); | |
546 | if (cctx->ssl) | |
547 | rv = SSL_set_tmp_dh(cctx->ssl, dh); | |
548 | end: | |
549 | DH_free(dh); | |
550 | BIO_free(in); | |
551 | return rv > 0; | |
552 | } | |
553 | #endif | |
554 | ||
555 | static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) | |
556 | { | |
557 | int rv = 0; | |
558 | int block_size = atoi(value); | |
559 | ||
560 | /* | |
561 | * All we care about is a non-negative value, | |
562 | * the setters check the range | |
563 | */ | |
564 | if (block_size >= 0) { | |
565 | if (cctx->ctx) | |
566 | rv = SSL_CTX_set_block_padding(cctx->ctx, block_size); | |
567 | if (cctx->ssl) | |
568 | rv = SSL_set_block_padding(cctx->ssl, block_size); | |
569 | } | |
570 | return rv; | |
571 | } | |
572 | ||
573 | typedef struct { | |
574 | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); | |
575 | const char *str_file; | |
576 | const char *str_cmdline; | |
577 | unsigned short flags; | |
578 | unsigned short value_type; | |
579 | } ssl_conf_cmd_tbl; | |
580 | ||
581 | /* Table of supported parameters */ | |
582 | ||
583 | #define SSL_CONF_CMD(name, cmdopt, flags, type) \ | |
584 | {cmd_##name, #name, cmdopt, flags, type} | |
585 | ||
586 | #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ | |
587 | SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) | |
588 | ||
589 | #define SSL_CONF_CMD_SWITCH(name, flags) \ | |
590 | {0, NULL, name, flags, SSL_CONF_TYPE_NONE} | |
591 | ||
592 | /* See apps/apps.h if you change this table. */ | |
593 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { | |
594 | SSL_CONF_CMD_SWITCH("no_ssl3", 0), | |
595 | SSL_CONF_CMD_SWITCH("no_tls1", 0), | |
596 | SSL_CONF_CMD_SWITCH("no_tls1_1", 0), | |
597 | SSL_CONF_CMD_SWITCH("no_tls1_2", 0), | |
598 | SSL_CONF_CMD_SWITCH("no_tls1_3", 0), | |
599 | SSL_CONF_CMD_SWITCH("bugs", 0), | |
600 | SSL_CONF_CMD_SWITCH("no_comp", 0), | |
601 | SSL_CONF_CMD_SWITCH("comp", 0), | |
602 | SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), | |
603 | SSL_CONF_CMD_SWITCH("no_ticket", 0), | |
604 | SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), | |
605 | SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), | |
606 | SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER), | |
607 | SSL_CONF_CMD_SWITCH("no_renegotiation", 0), | |
608 | SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), | |
609 | SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), | |
610 | SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0), | |
611 | SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), | |
612 | SSL_CONF_CMD_SWITCH("strict", 0), | |
613 | SSL_CONF_CMD_SWITCH("no_middlebox", 0), | |
614 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), | |
615 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), | |
616 | SSL_CONF_CMD_STRING(Curves, "curves", 0), | |
617 | SSL_CONF_CMD_STRING(Groups, "groups", 0), | |
618 | #ifndef OPENSSL_NO_EC | |
619 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), | |
620 | #endif | |
621 | SSL_CONF_CMD_STRING(CipherString, "cipher", 0), | |
622 | SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), | |
623 | SSL_CONF_CMD_STRING(Protocol, NULL, 0), | |
624 | SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), | |
625 | SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), | |
626 | SSL_CONF_CMD_STRING(Options, NULL, 0), | |
627 | SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), | |
628 | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, | |
629 | SSL_CONF_TYPE_FILE), | |
630 | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE, | |
631 | SSL_CONF_TYPE_FILE), | |
632 | SSL_CONF_CMD(ServerInfoFile, NULL, | |
633 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
634 | SSL_CONF_TYPE_FILE), | |
635 | SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE, | |
636 | SSL_CONF_TYPE_DIR), | |
637 | SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
638 | SSL_CONF_TYPE_FILE), | |
639 | SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE, | |
640 | SSL_CONF_TYPE_DIR), | |
641 | SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, | |
642 | SSL_CONF_TYPE_FILE), | |
643 | SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE, | |
644 | SSL_CONF_TYPE_FILE), | |
645 | SSL_CONF_CMD(ClientCAFile, NULL, | |
646 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
647 | SSL_CONF_TYPE_FILE), | |
648 | SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE, | |
649 | SSL_CONF_TYPE_DIR), | |
650 | SSL_CONF_CMD(ClientCAPath, NULL, | |
651 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
652 | SSL_CONF_TYPE_DIR), | |
653 | #ifndef OPENSSL_NO_DH | |
654 | SSL_CONF_CMD(DHParameters, "dhparam", | |
655 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, | |
656 | SSL_CONF_TYPE_FILE), | |
657 | #endif | |
658 | SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0) | |
659 | }; | |
660 | ||
661 | /* Supported switches: must match order of switches in ssl_conf_cmds */ | |
662 | static const ssl_switch_tbl ssl_cmd_switches[] = { | |
663 | {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ | |
664 | {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ | |
665 | {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ | |
666 | {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ | |
667 | {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */ | |
668 | {SSL_OP_ALL, 0}, /* bugs */ | |
669 | {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ | |
670 | {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ | |
671 | {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ | |
672 | {SSL_OP_NO_TICKET, 0}, /* no_ticket */ | |
673 | {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ | |
674 | /* legacy_renegotiation */ | |
675 | {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, | |
676 | /* legacy_server_connect */ | |
677 | {SSL_OP_LEGACY_SERVER_CONNECT, 0}, | |
678 | /* no_renegotiation */ | |
679 | {SSL_OP_NO_RENEGOTIATION, 0}, | |
680 | /* no_resumption_on_reneg */ | |
681 | {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, | |
682 | /* no_legacy_server_connect */ | |
683 | {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, | |
684 | /* allow_no_dhe_kex */ | |
685 | {SSL_OP_ALLOW_NO_DHE_KEX, 0}, | |
686 | /* chacha reprioritization */ | |
687 | {SSL_OP_PRIORITIZE_CHACHA, 0}, | |
688 | {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ | |
689 | /* no_middlebox */ | |
690 | {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, | |
691 | }; | |
692 | ||
693 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) | |
694 | { | |
695 | if (!pcmd || !*pcmd) | |
696 | return 0; | |
697 | /* If a prefix is set, check and skip */ | |
698 | if (cctx->prefix) { | |
699 | if (strlen(*pcmd) <= cctx->prefixlen) | |
700 | return 0; | |
701 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && | |
702 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
703 | return 0; | |
704 | if (cctx->flags & SSL_CONF_FLAG_FILE && | |
705 | strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) | |
706 | return 0; | |
707 | *pcmd += cctx->prefixlen; | |
708 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
709 | if (**pcmd != '-' || !(*pcmd)[1]) | |
710 | return 0; | |
711 | *pcmd += 1; | |
712 | } | |
713 | return 1; | |
714 | } | |
715 | ||
716 | /* Determine if a command is allowed according to cctx flags */ | |
717 | static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t) | |
718 | { | |
719 | unsigned int tfl = t->flags; | |
720 | unsigned int cfl = cctx->flags; | |
721 | if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) | |
722 | return 0; | |
723 | if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) | |
724 | return 0; | |
725 | if ((tfl & SSL_CONF_FLAG_CERTIFICATE) | |
726 | && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) | |
727 | return 0; | |
728 | return 1; | |
729 | } | |
730 | ||
731 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, | |
732 | const char *cmd) | |
733 | { | |
734 | const ssl_conf_cmd_tbl *t; | |
735 | size_t i; | |
736 | if (cmd == NULL) | |
737 | return NULL; | |
738 | ||
739 | /* Look for matching parameter name in table */ | |
740 | for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { | |
741 | if (ssl_conf_cmd_allowed(cctx, t)) { | |
742 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { | |
743 | if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) | |
744 | return t; | |
745 | } | |
746 | if (cctx->flags & SSL_CONF_FLAG_FILE) { | |
747 | if (t->str_file && strcasecmp(t->str_file, cmd) == 0) | |
748 | return t; | |
749 | } | |
750 | } | |
751 | } | |
752 | return NULL; | |
753 | } | |
754 | ||
755 | static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) | |
756 | { | |
757 | /* Find index of command in table */ | |
758 | size_t idx = cmd - ssl_conf_cmds; | |
759 | const ssl_switch_tbl *scmd; | |
760 | /* Sanity check index */ | |
761 | if (idx >= OSSL_NELEM(ssl_cmd_switches)) | |
762 | return 0; | |
763 | /* Obtain switches entry with same index */ | |
764 | scmd = ssl_cmd_switches + idx; | |
765 | ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); | |
766 | return 1; | |
767 | } | |
768 | ||
769 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) | |
770 | { | |
771 | const ssl_conf_cmd_tbl *runcmd; | |
772 | if (cmd == NULL) { | |
773 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); | |
774 | return 0; | |
775 | } | |
776 | ||
777 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) | |
778 | return -2; | |
779 | ||
780 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
781 | ||
782 | if (runcmd) { | |
783 | int rv; | |
784 | if (runcmd->value_type == SSL_CONF_TYPE_NONE) { | |
785 | return ctrl_switch_option(cctx, runcmd); | |
786 | } | |
787 | if (value == NULL) | |
788 | return -3; | |
789 | rv = runcmd->cmd(cctx, value); | |
790 | if (rv > 0) | |
791 | return 2; | |
792 | if (rv == -2) | |
793 | return -2; | |
794 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { | |
795 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); | |
796 | ERR_add_error_data(4, "cmd=", cmd, ", value=", value); | |
797 | } | |
798 | return 0; | |
799 | } | |
800 | ||
801 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { | |
802 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); | |
803 | ERR_add_error_data(2, "cmd=", cmd); | |
804 | } | |
805 | ||
806 | return -2; | |
807 | } | |
808 | ||
809 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) | |
810 | { | |
811 | int rv; | |
812 | const char *arg = NULL, *argn; | |
813 | if (pargc && *pargc == 0) | |
814 | return 0; | |
815 | if (!pargc || *pargc > 0) | |
816 | arg = **pargv; | |
817 | if (arg == NULL) | |
818 | return 0; | |
819 | if (!pargc || *pargc > 1) | |
820 | argn = (*pargv)[1]; | |
821 | else | |
822 | argn = NULL; | |
823 | cctx->flags &= ~SSL_CONF_FLAG_FILE; | |
824 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; | |
825 | rv = SSL_CONF_cmd(cctx, arg, argn); | |
826 | if (rv > 0) { | |
827 | /* Success: update pargc, pargv */ | |
828 | (*pargv) += rv; | |
829 | if (pargc) | |
830 | (*pargc) -= rv; | |
831 | return rv; | |
832 | } | |
833 | /* Unknown switch: indicate no arguments processed */ | |
834 | if (rv == -2) | |
835 | return 0; | |
836 | /* Some error occurred processing command, return fatal error */ | |
837 | if (rv == 0) | |
838 | return -1; | |
839 | return rv; | |
840 | } | |
841 | ||
842 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) | |
843 | { | |
844 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { | |
845 | const ssl_conf_cmd_tbl *runcmd; | |
846 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); | |
847 | if (runcmd) | |
848 | return runcmd->value_type; | |
849 | } | |
850 | return SSL_CONF_TYPE_UNKNOWN; | |
851 | } | |
852 | ||
853 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) | |
854 | { | |
855 | SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); | |
856 | ||
857 | return ret; | |
858 | } | |
859 | ||
860 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) | |
861 | { | |
862 | /* See if any certificates are missing private keys */ | |
863 | size_t i; | |
864 | CERT *c = NULL; | |
865 | if (cctx->ctx) | |
866 | c = cctx->ctx->cert; | |
867 | else if (cctx->ssl) | |
868 | c = cctx->ssl->cert; | |
869 | if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { | |
870 | for (i = 0; i < SSL_PKEY_NUM; i++) { | |
871 | const char *p = cctx->cert_filename[i]; | |
872 | /* | |
873 | * If missing private key try to load one from certificate file | |
874 | */ | |
875 | if (p && !c->pkeys[i].privatekey) { | |
876 | if (!cmd_PrivateKey(cctx, p)) | |
877 | return 0; | |
878 | } | |
879 | } | |
880 | } | |
881 | if (cctx->canames) { | |
882 | if (cctx->ssl) | |
883 | SSL_set0_CA_list(cctx->ssl, cctx->canames); | |
884 | else if (cctx->ctx) | |
885 | SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); | |
886 | else | |
887 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); | |
888 | cctx->canames = NULL; | |
889 | } | |
890 | return 1; | |
891 | } | |
892 | ||
893 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) | |
894 | { | |
895 | if (cctx) { | |
896 | size_t i; | |
897 | for (i = 0; i < SSL_PKEY_NUM; i++) | |
898 | OPENSSL_free(cctx->cert_filename[i]); | |
899 | OPENSSL_free(cctx->prefix); | |
900 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); | |
901 | OPENSSL_free(cctx); | |
902 | } | |
903 | } | |
904 | ||
905 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
906 | { | |
907 | cctx->flags |= flags; | |
908 | return cctx->flags; | |
909 | } | |
910 | ||
911 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) | |
912 | { | |
913 | cctx->flags &= ~flags; | |
914 | return cctx->flags; | |
915 | } | |
916 | ||
917 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) | |
918 | { | |
919 | char *tmp = NULL; | |
920 | if (pre) { | |
921 | tmp = OPENSSL_strdup(pre); | |
922 | if (tmp == NULL) | |
923 | return 0; | |
924 | } | |
925 | OPENSSL_free(cctx->prefix); | |
926 | cctx->prefix = tmp; | |
927 | if (tmp) | |
928 | cctx->prefixlen = strlen(tmp); | |
929 | else | |
930 | cctx->prefixlen = 0; | |
931 | return 1; | |
932 | } | |
933 | ||
934 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) | |
935 | { | |
936 | cctx->ssl = ssl; | |
937 | cctx->ctx = NULL; | |
938 | if (ssl) { | |
939 | cctx->poptions = &ssl->options; | |
940 | cctx->min_version = &ssl->min_proto_version; | |
941 | cctx->max_version = &ssl->max_proto_version; | |
942 | cctx->pcert_flags = &ssl->cert->cert_flags; | |
943 | cctx->pvfy_flags = &ssl->verify_mode; | |
944 | } else { | |
945 | cctx->poptions = NULL; | |
946 | cctx->min_version = NULL; | |
947 | cctx->max_version = NULL; | |
948 | cctx->pcert_flags = NULL; | |
949 | cctx->pvfy_flags = NULL; | |
950 | } | |
951 | } | |
952 | ||
953 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) | |
954 | { | |
955 | cctx->ctx = ctx; | |
956 | cctx->ssl = NULL; | |
957 | if (ctx) { | |
958 | cctx->poptions = &ctx->options; | |
959 | cctx->min_version = &ctx->min_proto_version; | |
960 | cctx->max_version = &ctx->max_proto_version; | |
961 | cctx->pcert_flags = &ctx->cert->cert_flags; | |
962 | cctx->pvfy_flags = &ctx->verify_mode; | |
963 | } else { | |
964 | cctx->poptions = NULL; | |
965 | cctx->min_version = NULL; | |
966 | cctx->max_version = NULL; | |
967 | cctx->pcert_flags = NULL; | |
968 | cctx->pvfy_flags = NULL; | |
969 | } | |
970 | } |