/*
- * Copyright 2012-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/conf.h>
#include <openssl/objects.h>
#include <openssl/dh.h>
int nid;
/* Ignore values supported by 1.0.2 for the automatic selection */
- if ((cctx->flags & SSL_CONF_FLAG_FILE) &&
- strcasecmp(value, "+automatic") == 0)
+ if ((cctx->flags & SSL_CONF_FLAG_FILE)
+ && (strcasecmp(value, "+automatic") == 0
+ || strcasecmp(value, "automatic") == 0))
return 1;
if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
strcmp(value, "auto") == 0)
static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value)
{
int rv = 1;
+
if (cctx->ctx)
rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
if (cctx->ssl)
return rv > 0;
}
+static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 1;
+
+ if (cctx->ctx)
+ rv = SSL_CTX_set_ciphersuites(cctx->ctx, value);
+ if (cctx->ssl)
+ rv = SSL_set_ciphersuites(cctx->ssl, value);
+ return rv > 0;
+}
+
static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
{
static const ssl_flag_tbl ssl_protocol_list[] = {
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
- SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
+ SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
+ SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY)
};
if (value == NULL)
return -3;
SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
SSL_FLAG_VFY_SRV("Require",
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
- SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE)
+ SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE),
+ SSL_FLAG_VFY_SRV("RequestPostHandshake",
+ SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE),
+ SSL_FLAG_VFY_SRV("RequirePostHandshake",
+ SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE |
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
};
if (value == NULL)
return -3;
return rv;
}
+
+static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 0;
+ int num_tickets = atoi(value);
+
+ if (num_tickets >= 0) {
+ if (cctx->ctx)
+ rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
+ if (cctx->ssl)
+ rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
+ }
+ return rv;
+}
+
typedef struct {
int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
const char *str_file;
SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("strict", 0),
SSL_CONF_CMD_SWITCH("no_middlebox", 0),
+ SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
SSL_CONF_CMD_STRING(Curves, "curves", 0),
SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
#endif
SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
+ SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0),
SSL_CONF_CMD_STRING(Protocol, NULL, 0),
SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
#endif
- SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0)
+ SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
+ SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
};
/* Supported switches: must match order of switches in ssl_conf_cmds */
{SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
/* no_middlebox */
{SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV},
+ /* anti_replay */
+ {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
+ /* no_anti_replay */
+ {SSL_OP_NO_ANTI_REPLAY, 0},
};
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)