ssl/ssl_mcnf.c

   1 /*
   2  * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
   3  * 2015.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  *
  53  * This product includes cryptographic software written by Eric Young
  54  * (eay@cryptsoft.com).  This product includes software written by Tim
  55  * Hudson (tjh@cryptsoft.com).
  56  *
  57  */
  58
  59 #include <stdio.h>
  60 #include <openssl/conf.h>
  61 #include <openssl/ssl.h>
  62 #include "ssl_locl.h"
  63
  64 /* SSL library configuration module. */
  65
  66 struct ssl_conf_name {
  67     /* Name of this set of commands */
  68     char *name;
  69     /* List of commands */
  70     struct ssl_conf_cmd *cmds;
  71     /* Number of commands */
  72     size_t cmd_count;
  73 };
  74
  75 struct ssl_conf_cmd {
  76     /* Command */
  77     char *cmd;
  78     /* Argument */
  79     char *arg;
  80 };
  81
  82 static struct ssl_conf_name *ssl_names;
  83 static size_t ssl_names_count;
  84
  85 static void ssl_module_free(CONF_IMODULE *md)
  86 {
  87     size_t i, j;
  88     if (ssl_names == NULL)
  89         return;
  90     for (i = 0; i < ssl_names_count; i++) {
  91         struct ssl_conf_name *tname = ssl_names + i;
  92         OPENSSL_free(tname->name);
  93         for (j = 0; j < tname->cmd_count; j++) {
  94             OPENSSL_free(tname->cmds[j].cmd);
  95             OPENSSL_free(tname->cmds[j].arg);
  96         }
  97         OPENSSL_free(tname->cmds);
  98     }
  99     OPENSSL_free(ssl_names);
 100     ssl_names = NULL;
 101     ssl_names_count = 0;
 102 }
 103
 104 static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
 105 {
 106     size_t i, j, cnt;
 107     int rv = 0;
 108     const char *ssl_conf_section;
 109     STACK_OF(CONF_VALUE) *cmd_lists;
 110     ssl_conf_section = CONF_imodule_get_value(md);
 111     cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
 112     if (sk_CONF_VALUE_num(cmd_lists) <= 0){
 113         if (cmd_lists == NULL)
 114             SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND);
 115         else
 116             SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY);
 117         ERR_add_error_data(2, "section=", ssl_conf_section);
 118         goto err;
 119     }
 120     cnt = sk_CONF_VALUE_num(cmd_lists);
 121     ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
 122     ssl_names_count = cnt;
 123     for (i = 0; i < ssl_names_count; i++) {
 124         struct ssl_conf_name *ssl_name = ssl_names + i;
 125         CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i);
 126         STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
 127         if (sk_CONF_VALUE_num(cmds) <= 0) {
 128             if (cmds == NULL)
 129                 SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
 130             else
 131                 SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
 132             ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
 133             goto err;
 134         }
 135         ssl_name->name = BUF_strdup(sect->name);
 136         if (ssl_name->name == NULL)
 137             goto err;
 138         cnt = sk_CONF_VALUE_num(cmds);
 139         ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd));
 140         if (ssl_name->cmds == NULL)
 141             goto err;
 142         ssl_name->cmd_count = cnt;
 143         for (j = 0; j < cnt; j++) {
 144             const char *name;
 145             CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j);
 146             struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
 147             /* Skip any initial dot in name */
 148             name = strchr(cmd_conf->name, '.');
 149             if (name != NULL)
 150                 name++;
 151             else
 152                 name = cmd_conf->name;
 153             cmd->cmd = BUF_strdup(name);
 154             cmd->arg = BUF_strdup(cmd_conf->value);
 155             if (cmd->cmd == NULL || cmd->arg == NULL)
 156                 goto err;
 157         }
 158
 159     }
 160     rv = 1;
 161     err:
 162     if (rv == 0)
 163         ssl_module_free(md);
 164     return rv;
 165 }
 166
 167 void SSL_add_ssl_module(void)
 168 {
 169     CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free);
 170 }
 171
 172 static const struct ssl_conf_name *ssl_name_find(const char *name)
 173 {
 174     size_t i;
 175     const struct ssl_conf_name *nm;
 176     if (name == NULL)
 177         return NULL;
 178     for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
 179         if (strcmp(nm->name, name) == 0)
 180             return nm;
 181     }
 182     return NULL;
 183 }
 184
 185 static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
 186 {
 187     SSL_CONF_CTX *cctx = NULL;
 188     size_t i;
 189     int rv = 0;
 190     unsigned int flags;
 191     const SSL_METHOD *meth;
 192     const struct ssl_conf_name *nm;
 193     struct ssl_conf_cmd *cmd;
 194     if (s == NULL && ctx == NULL) {
 195         SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
 196         goto err;
 197     }
 198     nm = ssl_name_find(name);
 199     if (nm == NULL) {
 200         SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
 201         ERR_add_error_data(2, "name=", name);
 202         goto err;
 203     }
 204     cctx = SSL_CONF_CTX_new();
 205     if (cctx == NULL)
 206         goto err;
 207     flags = SSL_CONF_FLAG_FILE;
 208     flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
 209     if (s != NULL) {
 210         meth = s->method;
 211         SSL_CONF_CTX_set_ssl(cctx, s);
 212     } else {
 213         meth = ctx->method;
 214         SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
 215     }
 216     if (meth->ssl_accept != ssl_undefined_function)
 217             flags |= SSL_CONF_FLAG_SERVER;
 218     if (meth->ssl_connect != ssl_undefined_function)
 219             flags |= SSL_CONF_FLAG_CLIENT;
 220     SSL_CONF_CTX_set_flags(cctx, flags);
 221     for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
 222         rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
 223         if (rv <= 0) {
 224             if (rv == -2)
 225                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND);
 226             else
 227                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
 228             ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
 229                                     ", arg=", cmd->arg);
 230             goto err;
 231         }
 232     }
 233     rv = SSL_CONF_CTX_finish(cctx);
 234     err:
 235     SSL_CONF_CTX_free(cctx);
 236     return rv <= 0 ? 0 : 1;
 237 }
 238
 239 int SSL_config(SSL *s, const char *name)
 240 {
 241     return ssl_do_config(s, NULL, name);
 242 }
 243
 244 int SSL_CTX_config(SSL_CTX *ctx, const char *name)
 245 {
 246     return ssl_do_config(NULL, ctx, name);
 247 }