/src/openssl/ssl/ssl_conf.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2012-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdio.h> |
11 | | #include "ssl_local.h" |
12 | | #include <openssl/conf.h> |
13 | | #include <openssl/objects.h> |
14 | | #include <openssl/decoder.h> |
15 | | #include <openssl/core_dispatch.h> |
16 | | #include "internal/nelem.h" |
17 | | |
18 | | /* |
19 | | * structure holding name tables. This is used for permitted elements in lists |
20 | | * such as TLSv1. |
21 | | */ |
22 | | |
23 | | typedef struct { |
24 | | const char *name; |
25 | | int namelen; |
26 | | unsigned int name_flags; |
27 | | uint64_t option_value; |
28 | | } ssl_flag_tbl; |
29 | | |
30 | | /* Switch table: use for single command line switches like no_tls2 */ |
31 | | typedef struct { |
32 | | uint64_t option_value; |
33 | | unsigned int name_flags; |
34 | | } ssl_switch_tbl; |
35 | | |
36 | | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ |
37 | 0 | #define SSL_TFLAG_INV 0x1 |
38 | | /* Mask for type of flag referred to */ |
39 | 0 | #define SSL_TFLAG_TYPE_MASK 0xf00 |
40 | | /* Flag is for options */ |
41 | 0 | #define SSL_TFLAG_OPTION 0x000 |
42 | | /* Flag is for cert_flags */ |
43 | 0 | #define SSL_TFLAG_CERT 0x100 |
44 | | /* Flag is for verify mode */ |
45 | 0 | #define SSL_TFLAG_VFY 0x200 |
46 | | /* Option can only be used for clients */ |
47 | 0 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT |
48 | | /* Option can only be used for servers */ |
49 | 0 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER |
50 | 0 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) |
51 | | |
52 | | #define SSL_FLAG_TBL(str, flag) \ |
53 | 0 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} |
54 | | #define SSL_FLAG_TBL_SRV(str, flag) \ |
55 | 0 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} |
56 | | #define SSL_FLAG_TBL_CLI(str, flag) \ |
57 | | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} |
58 | | #define SSL_FLAG_TBL_INV(str, flag) \ |
59 | 0 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} |
60 | | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ |
61 | | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} |
62 | | #define SSL_FLAG_TBL_CERT(str, flag) \ |
63 | 0 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} |
64 | | |
65 | | #define SSL_FLAG_VFY_CLI(str, flag) \ |
66 | 0 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} |
67 | | #define SSL_FLAG_VFY_SRV(str, flag) \ |
68 | 0 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} |
69 | | |
70 | | /* |
71 | | * Opaque structure containing SSL configuration context. |
72 | | */ |
73 | | |
74 | | struct ssl_conf_ctx_st { |
75 | | /* |
76 | | * Various flags indicating (among other things) which options we will |
77 | | * recognise. |
78 | | */ |
79 | | unsigned int flags; |
80 | | /* Prefix and length of commands */ |
81 | | char *prefix; |
82 | | size_t prefixlen; |
83 | | /* SSL_CTX or SSL structure to perform operations on */ |
84 | | SSL_CTX *ctx; |
85 | | SSL *ssl; |
86 | | /* Pointer to SSL or SSL_CTX options field or NULL if none */ |
87 | | uint64_t *poptions; |
88 | | /* Certificate filenames for each type */ |
89 | | char *cert_filename[SSL_PKEY_NUM]; |
90 | | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ |
91 | | uint32_t *pcert_flags; |
92 | | /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ |
93 | | uint32_t *pvfy_flags; |
94 | | /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ |
95 | | int *min_version; |
96 | | /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ |
97 | | int *max_version; |
98 | | /* Current flag table being worked on */ |
99 | | const ssl_flag_tbl *tbl; |
100 | | /* Size of table */ |
101 | | size_t ntbl; |
102 | | /* Client CA names */ |
103 | | STACK_OF(X509_NAME) *canames; |
104 | | }; |
105 | | |
106 | | static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, |
107 | | uint64_t option_value, int onoff) |
108 | 0 | { |
109 | 0 | uint32_t *pflags; |
110 | |
|
111 | 0 | if (cctx->poptions == NULL) |
112 | 0 | return; |
113 | 0 | if (name_flags & SSL_TFLAG_INV) |
114 | 0 | onoff ^= 1; |
115 | 0 | switch (name_flags & SSL_TFLAG_TYPE_MASK) { |
116 | | |
117 | 0 | case SSL_TFLAG_CERT: |
118 | 0 | pflags = cctx->pcert_flags; |
119 | 0 | break; |
120 | | |
121 | 0 | case SSL_TFLAG_VFY: |
122 | 0 | pflags = cctx->pvfy_flags; |
123 | 0 | break; |
124 | | |
125 | 0 | case SSL_TFLAG_OPTION: |
126 | 0 | if (onoff) |
127 | 0 | *cctx->poptions |= option_value; |
128 | 0 | else |
129 | 0 | *cctx->poptions &= ~option_value; |
130 | 0 | return; |
131 | | |
132 | 0 | default: |
133 | 0 | return; |
134 | |
|
135 | 0 | } |
136 | 0 | if (onoff) |
137 | 0 | *pflags |= option_value; |
138 | 0 | else |
139 | 0 | *pflags &= ~option_value; |
140 | 0 | } |
141 | | |
142 | | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, |
143 | | const char *name, int namelen, int onoff) |
144 | 0 | { |
145 | | /* If name not relevant for context skip */ |
146 | 0 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) |
147 | 0 | return 0; |
148 | 0 | if (namelen == -1) { |
149 | 0 | if (strcmp(tbl->name, name)) |
150 | 0 | return 0; |
151 | 0 | } else if (tbl->namelen != namelen |
152 | 0 | || OPENSSL_strncasecmp(tbl->name, name, namelen)) |
153 | 0 | return 0; |
154 | 0 | ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); |
155 | 0 | return 1; |
156 | 0 | } |
157 | | |
158 | | static int ssl_set_option_list(const char *elem, int len, void *usr) |
159 | 0 | { |
160 | 0 | SSL_CONF_CTX *cctx = usr; |
161 | 0 | size_t i; |
162 | 0 | const ssl_flag_tbl *tbl; |
163 | 0 | int onoff = 1; |
164 | | /* |
165 | | * len == -1 indicates not being called in list context, just for single |
166 | | * command line switches, so don't allow +, -. |
167 | | */ |
168 | 0 | if (elem == NULL) |
169 | 0 | return 0; |
170 | 0 | if (len != -1) { |
171 | 0 | if (*elem == '+') { |
172 | 0 | elem++; |
173 | 0 | len--; |
174 | 0 | onoff = 1; |
175 | 0 | } else if (*elem == '-') { |
176 | 0 | elem++; |
177 | 0 | len--; |
178 | 0 | onoff = 0; |
179 | 0 | } |
180 | 0 | } |
181 | 0 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { |
182 | 0 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) |
183 | 0 | return 1; |
184 | 0 | } |
185 | 0 | return 0; |
186 | 0 | } |
187 | | |
188 | | /* Set supported signature algorithms */ |
189 | | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
190 | 0 | { |
191 | 0 | int rv; |
192 | 0 | if (cctx->ssl) |
193 | 0 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); |
194 | | /* NB: ctx == NULL performs syntax checking only */ |
195 | 0 | else |
196 | 0 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); |
197 | 0 | return rv > 0; |
198 | 0 | } |
199 | | |
200 | | /* Set supported client signature algorithms */ |
201 | | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
202 | 0 | { |
203 | 0 | int rv; |
204 | 0 | if (cctx->ssl) |
205 | 0 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); |
206 | | /* NB: ctx == NULL performs syntax checking only */ |
207 | 0 | else |
208 | 0 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); |
209 | 0 | return rv > 0; |
210 | 0 | } |
211 | | |
212 | | static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) |
213 | 0 | { |
214 | 0 | int rv; |
215 | 0 | if (cctx->ssl) |
216 | 0 | rv = SSL_set1_groups_list(cctx->ssl, value); |
217 | | /* NB: ctx == NULL performs syntax checking only */ |
218 | 0 | else |
219 | 0 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); |
220 | 0 | return rv > 0; |
221 | 0 | } |
222 | | |
223 | | /* This is the old name for cmd_Groups - retained for backwards compatibility */ |
224 | | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) |
225 | 0 | { |
226 | 0 | return cmd_Groups(cctx, value); |
227 | 0 | } |
228 | | |
229 | | /* ECDH temporary parameters */ |
230 | | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
231 | 0 | { |
232 | 0 | int rv = 1; |
233 | | |
234 | | /* Ignore values supported by 1.0.2 for the automatic selection */ |
235 | 0 | if ((cctx->flags & SSL_CONF_FLAG_FILE) |
236 | 0 | && (OPENSSL_strcasecmp(value, "+automatic") == 0 |
237 | 0 | || OPENSSL_strcasecmp(value, "automatic") == 0)) |
238 | 0 | return 1; |
239 | 0 | if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && |
240 | 0 | strcmp(value, "auto") == 0) |
241 | 0 | return 1; |
242 | | |
243 | | /* ECDHParameters accepts a single group name */ |
244 | 0 | if (strchr(value, ':') != NULL) |
245 | 0 | return 0; |
246 | | |
247 | 0 | if (cctx->ctx) |
248 | 0 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); |
249 | 0 | else if (cctx->ssl) |
250 | 0 | rv = SSL_set1_groups_list(cctx->ssl, value); |
251 | |
|
252 | 0 | return rv > 0; |
253 | 0 | } |
254 | | |
255 | | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
256 | 0 | { |
257 | 0 | int rv = 1; |
258 | |
|
259 | 0 | if (cctx->ctx) |
260 | 0 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); |
261 | 0 | if (cctx->ssl) |
262 | 0 | rv = SSL_set_cipher_list(cctx->ssl, value); |
263 | 0 | return rv > 0; |
264 | 0 | } |
265 | | |
266 | | static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value) |
267 | 0 | { |
268 | 0 | int rv = 1; |
269 | |
|
270 | 0 | if (cctx->ctx) |
271 | 0 | rv = SSL_CTX_set_ciphersuites(cctx->ctx, value); |
272 | 0 | if (cctx->ssl) |
273 | 0 | rv = SSL_set_ciphersuites(cctx->ssl, value); |
274 | 0 | return rv > 0; |
275 | 0 | } |
276 | | |
277 | | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
278 | 0 | { |
279 | 0 | static const ssl_flag_tbl ssl_protocol_list[] = { |
280 | 0 | SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), |
281 | 0 | SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), |
282 | 0 | SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), |
283 | 0 | SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), |
284 | 0 | SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), |
285 | 0 | SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), |
286 | 0 | SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3), |
287 | 0 | SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), |
288 | 0 | SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) |
289 | 0 | }; |
290 | 0 | cctx->tbl = ssl_protocol_list; |
291 | 0 | cctx->ntbl = OSSL_NELEM(ssl_protocol_list); |
292 | 0 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
293 | 0 | } |
294 | | |
295 | | /* |
296 | | * protocol_from_string - converts a protocol version string to a number |
297 | | * |
298 | | * Returns -1 on failure or the version on success |
299 | | */ |
300 | | static int protocol_from_string(const char *value) |
301 | 0 | { |
302 | 0 | struct protocol_versions { |
303 | 0 | const char *name; |
304 | 0 | int version; |
305 | 0 | }; |
306 | | /* |
307 | | * Note: To avoid breaking previously valid configurations, we must retain |
308 | | * legacy entries in this table even if the underlying protocol is no |
309 | | * longer supported. This also means that the constants SSL3_VERSION, ... |
310 | | * need to be retained indefinitely. This table can only grow, never |
311 | | * shrink. |
312 | | */ |
313 | 0 | static const struct protocol_versions versions[] = { |
314 | 0 | {"None", 0}, |
315 | 0 | {"SSLv3", SSL3_VERSION}, |
316 | 0 | {"TLSv1", TLS1_VERSION}, |
317 | 0 | {"TLSv1.1", TLS1_1_VERSION}, |
318 | 0 | {"TLSv1.2", TLS1_2_VERSION}, |
319 | 0 | {"TLSv1.3", TLS1_3_VERSION}, |
320 | 0 | {"DTLSv1", DTLS1_VERSION}, |
321 | 0 | {"DTLSv1.2", DTLS1_2_VERSION} |
322 | 0 | }; |
323 | 0 | size_t i; |
324 | 0 | size_t n = OSSL_NELEM(versions); |
325 | |
|
326 | 0 | for (i = 0; i < n; i++) |
327 | 0 | if (strcmp(versions[i].name, value) == 0) |
328 | 0 | return versions[i].version; |
329 | 0 | return -1; |
330 | 0 | } |
331 | | |
332 | | static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) |
333 | 0 | { |
334 | 0 | int method_version; |
335 | 0 | int new_version; |
336 | |
|
337 | 0 | if (cctx->ctx != NULL) |
338 | 0 | method_version = cctx->ctx->method->version; |
339 | 0 | else if (cctx->ssl != NULL) |
340 | 0 | method_version = cctx->ssl->defltmeth->version; |
341 | 0 | else |
342 | 0 | return 0; |
343 | 0 | if ((new_version = protocol_from_string(value)) < 0) |
344 | 0 | return 0; |
345 | 0 | return ssl_set_version_bound(method_version, new_version, bound); |
346 | 0 | } |
347 | | |
348 | | /* |
349 | | * cmd_MinProtocol - Set min protocol version |
350 | | * @cctx: config structure to save settings in |
351 | | * @value: The min protocol version in string form |
352 | | * |
353 | | * Returns 1 on success and 0 on failure. |
354 | | */ |
355 | | static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) |
356 | 0 | { |
357 | 0 | return min_max_proto(cctx, value, cctx->min_version); |
358 | 0 | } |
359 | | |
360 | | /* |
361 | | * cmd_MaxProtocol - Set max protocol version |
362 | | * @cctx: config structure to save settings in |
363 | | * @value: The max protocol version in string form |
364 | | * |
365 | | * Returns 1 on success and 0 on failure. |
366 | | */ |
367 | | static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) |
368 | 0 | { |
369 | 0 | return min_max_proto(cctx, value, cctx->max_version); |
370 | 0 | } |
371 | | |
372 | | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
373 | 0 | { |
374 | 0 | static const ssl_flag_tbl ssl_option_list[] = { |
375 | 0 | SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), |
376 | 0 | SSL_FLAG_TBL_INV("EmptyFragments", |
377 | 0 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), |
378 | 0 | SSL_FLAG_TBL("Bugs", SSL_OP_ALL), |
379 | 0 | SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), |
380 | 0 | SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), |
381 | 0 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", |
382 | 0 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), |
383 | 0 | SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), |
384 | 0 | SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), |
385 | 0 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation", |
386 | 0 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), |
387 | 0 | SSL_FLAG_TBL("UnsafeLegacyServerConnect", |
388 | 0 | SSL_OP_LEGACY_SERVER_CONNECT), |
389 | 0 | SSL_FLAG_TBL("ClientRenegotiation", |
390 | 0 | SSL_OP_ALLOW_CLIENT_RENEGOTIATION), |
391 | 0 | SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), |
392 | 0 | SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), |
393 | 0 | SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), |
394 | 0 | SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX), |
395 | 0 | SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), |
396 | 0 | SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), |
397 | 0 | SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY), |
398 | 0 | SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET), |
399 | 0 | SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES), |
400 | 0 | SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS), |
401 | 0 | SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT), |
402 | 0 | SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION), |
403 | 0 | SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION), |
404 | 0 | SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE), |
405 | 0 | SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF), |
406 | 0 | }; |
407 | 0 | if (value == NULL) |
408 | 0 | return -3; |
409 | 0 | cctx->tbl = ssl_option_list; |
410 | 0 | cctx->ntbl = OSSL_NELEM(ssl_option_list); |
411 | 0 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
412 | 0 | } |
413 | | |
414 | | static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) |
415 | 0 | { |
416 | 0 | static const ssl_flag_tbl ssl_vfy_list[] = { |
417 | 0 | SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER), |
418 | 0 | SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), |
419 | 0 | SSL_FLAG_VFY_SRV("Require", |
420 | 0 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), |
421 | 0 | SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), |
422 | 0 | SSL_FLAG_VFY_SRV("RequestPostHandshake", |
423 | 0 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE), |
424 | 0 | SSL_FLAG_VFY_SRV("RequirePostHandshake", |
425 | 0 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE | |
426 | 0 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), |
427 | 0 | }; |
428 | 0 | if (value == NULL) |
429 | 0 | return -3; |
430 | 0 | cctx->tbl = ssl_vfy_list; |
431 | 0 | cctx->ntbl = OSSL_NELEM(ssl_vfy_list); |
432 | 0 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
433 | 0 | } |
434 | | |
435 | | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
436 | 0 | { |
437 | 0 | int rv = 1; |
438 | 0 | CERT *c = NULL; |
439 | 0 | if (cctx->ctx != NULL) { |
440 | 0 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); |
441 | 0 | c = cctx->ctx->cert; |
442 | 0 | } |
443 | 0 | if (cctx->ssl != NULL) { |
444 | 0 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); |
445 | |
|
446 | 0 | if (sc != NULL) { |
447 | 0 | rv = SSL_use_certificate_chain_file(cctx->ssl, value); |
448 | 0 | c = sc->cert; |
449 | 0 | } else { |
450 | 0 | rv = 0; |
451 | 0 | } |
452 | 0 | } |
453 | 0 | if (rv > 0 && c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { |
454 | 0 | char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; |
455 | |
|
456 | 0 | OPENSSL_free(*pfilename); |
457 | 0 | *pfilename = OPENSSL_strdup(value); |
458 | 0 | if (*pfilename == NULL) |
459 | 0 | rv = 0; |
460 | 0 | } |
461 | |
|
462 | 0 | return rv > 0; |
463 | 0 | } |
464 | | |
465 | | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) |
466 | 0 | { |
467 | 0 | int rv = 1; |
468 | 0 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) |
469 | 0 | return -2; |
470 | 0 | if (cctx->ctx) |
471 | 0 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); |
472 | 0 | if (cctx->ssl) |
473 | 0 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); |
474 | 0 | return rv > 0; |
475 | 0 | } |
476 | | |
477 | | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) |
478 | 0 | { |
479 | 0 | int rv = 1; |
480 | 0 | if (cctx->ctx) |
481 | 0 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); |
482 | 0 | return rv > 0; |
483 | 0 | } |
484 | | |
485 | | static int do_store(SSL_CONF_CTX *cctx, |
486 | | const char *CAfile, const char *CApath, const char *CAstore, |
487 | | int verify_store) |
488 | 0 | { |
489 | 0 | CERT *cert; |
490 | 0 | X509_STORE **st; |
491 | 0 | SSL_CTX *ctx; |
492 | 0 | OSSL_LIB_CTX *libctx = NULL; |
493 | 0 | const char *propq = NULL; |
494 | |
|
495 | 0 | if (cctx->ctx != NULL) { |
496 | 0 | cert = cctx->ctx->cert; |
497 | 0 | ctx = cctx->ctx; |
498 | 0 | } else if (cctx->ssl != NULL) { |
499 | 0 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); |
500 | |
|
501 | 0 | if (sc == NULL) |
502 | 0 | return 0; |
503 | | |
504 | 0 | cert = sc->cert; |
505 | 0 | ctx = cctx->ssl->ctx; |
506 | 0 | } else { |
507 | 0 | return 1; |
508 | 0 | } |
509 | 0 | if (ctx != NULL) { |
510 | 0 | libctx = ctx->libctx; |
511 | 0 | propq = ctx->propq; |
512 | 0 | } |
513 | 0 | st = verify_store ? &cert->verify_store : &cert->chain_store; |
514 | 0 | if (*st == NULL) { |
515 | 0 | *st = X509_STORE_new(); |
516 | 0 | if (*st == NULL) |
517 | 0 | return 0; |
518 | 0 | } |
519 | | |
520 | 0 | if (CAfile != NULL && !X509_STORE_load_file_ex(*st, CAfile, libctx, propq)) |
521 | 0 | return 0; |
522 | 0 | if (CApath != NULL && !X509_STORE_load_path(*st, CApath)) |
523 | 0 | return 0; |
524 | 0 | if (CAstore != NULL && !X509_STORE_load_store_ex(*st, CAstore, libctx, |
525 | 0 | propq)) |
526 | 0 | return 0; |
527 | 0 | return 1; |
528 | 0 | } |
529 | | |
530 | | static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) |
531 | 0 | { |
532 | 0 | return do_store(cctx, NULL, value, NULL, 0); |
533 | 0 | } |
534 | | |
535 | | static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) |
536 | 0 | { |
537 | 0 | return do_store(cctx, value, NULL, NULL, 0); |
538 | 0 | } |
539 | | |
540 | | static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value) |
541 | 0 | { |
542 | 0 | return do_store(cctx, NULL, NULL, value, 0); |
543 | 0 | } |
544 | | |
545 | | static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) |
546 | 0 | { |
547 | 0 | return do_store(cctx, NULL, value, NULL, 1); |
548 | 0 | } |
549 | | |
550 | | static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) |
551 | 0 | { |
552 | 0 | return do_store(cctx, value, NULL, NULL, 1); |
553 | 0 | } |
554 | | |
555 | | static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value) |
556 | 0 | { |
557 | 0 | return do_store(cctx, NULL, NULL, value, 1); |
558 | 0 | } |
559 | | |
560 | | static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value) |
561 | 0 | { |
562 | 0 | if (cctx->canames == NULL) |
563 | 0 | cctx->canames = sk_X509_NAME_new_null(); |
564 | 0 | if (cctx->canames == NULL) |
565 | 0 | return 0; |
566 | 0 | return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); |
567 | 0 | } |
568 | | |
569 | | static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) |
570 | 0 | { |
571 | 0 | return cmd_RequestCAFile(cctx, value); |
572 | 0 | } |
573 | | |
574 | | static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value) |
575 | 0 | { |
576 | 0 | if (cctx->canames == NULL) |
577 | 0 | cctx->canames = sk_X509_NAME_new_null(); |
578 | 0 | if (cctx->canames == NULL) |
579 | 0 | return 0; |
580 | 0 | return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); |
581 | 0 | } |
582 | | |
583 | | static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) |
584 | 0 | { |
585 | 0 | return cmd_RequestCAPath(cctx, value); |
586 | 0 | } |
587 | | |
588 | | static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value) |
589 | 0 | { |
590 | 0 | if (cctx->canames == NULL) |
591 | 0 | cctx->canames = sk_X509_NAME_new_null(); |
592 | 0 | if (cctx->canames == NULL) |
593 | 0 | return 0; |
594 | 0 | return SSL_add_store_cert_subjects_to_stack(cctx->canames, value); |
595 | 0 | } |
596 | | |
597 | | static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value) |
598 | 0 | { |
599 | 0 | return cmd_RequestCAStore(cctx, value); |
600 | 0 | } |
601 | | |
602 | | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) |
603 | 0 | { |
604 | 0 | int rv = 0; |
605 | 0 | EVP_PKEY *dhpkey = NULL; |
606 | 0 | BIO *in = NULL; |
607 | 0 | SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx; |
608 | 0 | OSSL_DECODER_CTX *decoderctx = NULL; |
609 | |
|
610 | 0 | if (cctx->ctx != NULL || cctx->ssl != NULL) { |
611 | 0 | in = BIO_new(BIO_s_file()); |
612 | 0 | if (in == NULL) |
613 | 0 | goto end; |
614 | 0 | if (BIO_read_filename(in, value) <= 0) |
615 | 0 | goto end; |
616 | | |
617 | 0 | decoderctx |
618 | 0 | = OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH", |
619 | 0 | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, |
620 | 0 | sslctx->libctx, sslctx->propq); |
621 | 0 | if (decoderctx == NULL) |
622 | 0 | goto end; |
623 | 0 | ERR_set_mark(); |
624 | 0 | while (!OSSL_DECODER_from_bio(decoderctx, in) |
625 | 0 | && dhpkey == NULL |
626 | 0 | && !BIO_eof(in)); |
627 | 0 | OSSL_DECODER_CTX_free(decoderctx); |
628 | |
|
629 | 0 | if (dhpkey == NULL) { |
630 | 0 | ERR_clear_last_mark(); |
631 | 0 | goto end; |
632 | 0 | } |
633 | 0 | ERR_pop_to_mark(); |
634 | 0 | } else { |
635 | 0 | return 1; |
636 | 0 | } |
637 | | |
638 | 0 | if (cctx->ctx != NULL) { |
639 | 0 | if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0) |
640 | 0 | dhpkey = NULL; |
641 | 0 | } |
642 | 0 | if (cctx->ssl != NULL) { |
643 | 0 | if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0) |
644 | 0 | dhpkey = NULL; |
645 | 0 | } |
646 | 0 | end: |
647 | 0 | EVP_PKEY_free(dhpkey); |
648 | 0 | BIO_free(in); |
649 | 0 | return rv > 0; |
650 | 0 | } |
651 | | |
652 | | /* |
653 | | * |value| input is "<number[,number]>" |
654 | | * where the first number is the padding block size for |
655 | | * application data, and the optional second is the |
656 | | * padding block size for handshake messages |
657 | | */ |
658 | | static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) |
659 | 0 | { |
660 | 0 | int rv = 0; |
661 | 0 | unsigned long block_padding = 0, hs_padding = 0; |
662 | 0 | char *commap = NULL, *copy = NULL; |
663 | 0 | char *endptr = NULL; |
664 | |
|
665 | 0 | copy = OPENSSL_strdup(value); |
666 | 0 | if (copy == NULL) |
667 | 0 | return 0; |
668 | 0 | commap = strstr(copy, ","); |
669 | 0 | if (commap != NULL) { |
670 | 0 | *commap = '\0'; |
671 | 0 | if (*(commap + 1) == '\0') { |
672 | 0 | OPENSSL_free(copy); |
673 | 0 | return 0; |
674 | 0 | } |
675 | 0 | if (!OPENSSL_strtoul(commap + 1, &endptr, 0, &hs_padding)) |
676 | 0 | return 0; |
677 | 0 | } |
678 | 0 | if (!OPENSSL_strtoul(copy, &endptr, 0, &block_padding)) |
679 | 0 | return 0; |
680 | 0 | if (commap == NULL) |
681 | 0 | hs_padding = block_padding; |
682 | 0 | OPENSSL_free(copy); |
683 | | |
684 | | /* |
685 | | * All we care about are non-negative values, |
686 | | * the setters check the range |
687 | | */ |
688 | 0 | if (cctx->ctx) |
689 | 0 | rv = SSL_CTX_set_block_padding_ex(cctx->ctx, (size_t)block_padding, |
690 | 0 | (size_t)hs_padding); |
691 | 0 | if (cctx->ssl) |
692 | 0 | rv = SSL_set_block_padding_ex(cctx->ssl, (size_t)block_padding, |
693 | 0 | (size_t)hs_padding); |
694 | 0 | return rv; |
695 | 0 | } |
696 | | |
697 | | |
698 | | static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) |
699 | 0 | { |
700 | 0 | int rv = 0; |
701 | 0 | int num_tickets = atoi(value); |
702 | |
|
703 | 0 | if (num_tickets >= 0) { |
704 | 0 | if (cctx->ctx) |
705 | 0 | rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); |
706 | 0 | if (cctx->ssl) |
707 | 0 | rv = SSL_set_num_tickets(cctx->ssl, num_tickets); |
708 | 0 | } |
709 | 0 | return rv; |
710 | 0 | } |
711 | | |
712 | | typedef struct { |
713 | | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); |
714 | | const char *str_file; |
715 | | const char *str_cmdline; |
716 | | unsigned short flags; |
717 | | unsigned short value_type; |
718 | | } ssl_conf_cmd_tbl; |
719 | | |
720 | | /* Table of supported parameters */ |
721 | | |
722 | | #define SSL_CONF_CMD(name, cmdopt, flags, type) \ |
723 | | {cmd_##name, #name, cmdopt, flags, type} |
724 | | |
725 | | #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ |
726 | | SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) |
727 | | |
728 | | #define SSL_CONF_CMD_SWITCH(name, flags) \ |
729 | | {0, NULL, name, flags, SSL_CONF_TYPE_NONE} |
730 | | |
731 | | /* See apps/include/opt.h if you change this table. */ |
732 | | /* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */ |
733 | | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
734 | | SSL_CONF_CMD_SWITCH("no_ssl3", 0), |
735 | | SSL_CONF_CMD_SWITCH("no_tls1", 0), |
736 | | SSL_CONF_CMD_SWITCH("no_tls1_1", 0), |
737 | | SSL_CONF_CMD_SWITCH("no_tls1_2", 0), |
738 | | SSL_CONF_CMD_SWITCH("no_tls1_3", 0), |
739 | | SSL_CONF_CMD_SWITCH("bugs", 0), |
740 | | SSL_CONF_CMD_SWITCH("no_comp", 0), |
741 | | SSL_CONF_CMD_SWITCH("comp", 0), |
742 | | SSL_CONF_CMD_SWITCH("no_tx_cert_comp", 0), |
743 | | SSL_CONF_CMD_SWITCH("tx_cert_comp", 0), |
744 | | SSL_CONF_CMD_SWITCH("no_rx_cert_comp", 0), |
745 | | SSL_CONF_CMD_SWITCH("rx_cert_comp", 0), |
746 | | SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), |
747 | | SSL_CONF_CMD_SWITCH("no_ticket", 0), |
748 | | SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), |
749 | | SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), |
750 | | SSL_CONF_CMD_SWITCH("client_renegotiation", SSL_CONF_FLAG_SERVER), |
751 | | SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT), |
752 | | SSL_CONF_CMD_SWITCH("no_renegotiation", 0), |
753 | | SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), |
754 | | SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT), |
755 | | SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0), |
756 | | SSL_CONF_CMD_SWITCH("prefer_no_dhe_kex", 0), |
757 | | SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), |
758 | | SSL_CONF_CMD_SWITCH("strict", 0), |
759 | | SSL_CONF_CMD_SWITCH("no_middlebox", 0), |
760 | | SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER), |
761 | | SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER), |
762 | | SSL_CONF_CMD_SWITCH("no_etm", 0), |
763 | | SSL_CONF_CMD_SWITCH("no_ems", 0), |
764 | | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), |
765 | | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), |
766 | | SSL_CONF_CMD_STRING(Curves, "curves", 0), |
767 | | SSL_CONF_CMD_STRING(Groups, "groups", 0), |
768 | | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), |
769 | | SSL_CONF_CMD_STRING(CipherString, "cipher", 0), |
770 | | SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), |
771 | | SSL_CONF_CMD_STRING(Protocol, NULL, 0), |
772 | | SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), |
773 | | SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), |
774 | | SSL_CONF_CMD_STRING(Options, NULL, 0), |
775 | | SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), |
776 | | SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, |
777 | | SSL_CONF_TYPE_FILE), |
778 | | SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE, |
779 | | SSL_CONF_TYPE_FILE), |
780 | | SSL_CONF_CMD(ServerInfoFile, NULL, |
781 | | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
782 | | SSL_CONF_TYPE_FILE), |
783 | | SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE, |
784 | | SSL_CONF_TYPE_DIR), |
785 | | SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE, |
786 | | SSL_CONF_TYPE_FILE), |
787 | | SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE, |
788 | | SSL_CONF_TYPE_STORE), |
789 | | SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE, |
790 | | SSL_CONF_TYPE_DIR), |
791 | | SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, |
792 | | SSL_CONF_TYPE_FILE), |
793 | | SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE, |
794 | | SSL_CONF_TYPE_STORE), |
795 | | SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE, |
796 | | SSL_CONF_TYPE_FILE), |
797 | | SSL_CONF_CMD(ClientCAFile, NULL, |
798 | | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
799 | | SSL_CONF_TYPE_FILE), |
800 | | SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE, |
801 | | SSL_CONF_TYPE_DIR), |
802 | | SSL_CONF_CMD(ClientCAPath, NULL, |
803 | | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
804 | | SSL_CONF_TYPE_DIR), |
805 | | SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE, |
806 | | SSL_CONF_TYPE_STORE), |
807 | | SSL_CONF_CMD(ClientCAStore, NULL, |
808 | | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
809 | | SSL_CONF_TYPE_STORE), |
810 | | SSL_CONF_CMD(DHParameters, "dhparam", |
811 | | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
812 | | SSL_CONF_TYPE_FILE), |
813 | | SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), |
814 | | SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER), |
815 | | }; |
816 | | |
817 | | /* Supported switches: must match order of switches in ssl_conf_cmds */ |
818 | | static const ssl_switch_tbl ssl_cmd_switches[] = { |
819 | | {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ |
820 | | {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ |
821 | | {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ |
822 | | {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ |
823 | | {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */ |
824 | | {SSL_OP_ALL, 0}, /* bugs */ |
825 | | {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ |
826 | | {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ |
827 | | {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, 0}, /* no_tx_cert_comp */ |
828 | | {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* tx_cert_comp */ |
829 | | {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, 0}, /* no_rx_cert_comp */ |
830 | | {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* rx_cert_comp */ |
831 | | {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ |
832 | | {SSL_OP_NO_TICKET, 0}, /* no_ticket */ |
833 | | {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ |
834 | | /* legacy_renegotiation */ |
835 | | {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, |
836 | | /* Allow client renegotiation */ |
837 | | {SSL_OP_ALLOW_CLIENT_RENEGOTIATION, 0}, |
838 | | /* legacy_server_connect */ |
839 | | {SSL_OP_LEGACY_SERVER_CONNECT, 0}, |
840 | | /* no_renegotiation */ |
841 | | {SSL_OP_NO_RENEGOTIATION, 0}, |
842 | | /* no_resumption_on_reneg */ |
843 | | {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, |
844 | | /* no_legacy_server_connect */ |
845 | | {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, |
846 | | /* allow_no_dhe_kex */ |
847 | | {SSL_OP_ALLOW_NO_DHE_KEX, 0}, |
848 | | /* prefer_no_dhe_kex */ |
849 | | {SSL_OP_PREFER_NO_DHE_KEX, 0}, |
850 | | /* chacha reprioritization */ |
851 | | {SSL_OP_PRIORITIZE_CHACHA, 0}, |
852 | | {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ |
853 | | /* no_middlebox */ |
854 | | {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, |
855 | | /* anti_replay */ |
856 | | {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV}, |
857 | | /* no_anti_replay */ |
858 | | {SSL_OP_NO_ANTI_REPLAY, 0}, |
859 | | /* no Encrypt-then-Mac */ |
860 | | {SSL_OP_NO_ENCRYPT_THEN_MAC, 0}, |
861 | | /* no Extended master secret */ |
862 | | {SSL_OP_NO_EXTENDED_MASTER_SECRET, 0}, |
863 | | }; |
864 | | |
865 | | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
866 | 0 | { |
867 | 0 | if (pcmd == NULL || *pcmd == NULL) |
868 | 0 | return 0; |
869 | | /* If a prefix is set, check and skip */ |
870 | 0 | if (cctx->prefix) { |
871 | 0 | if (strlen(*pcmd) <= cctx->prefixlen) |
872 | 0 | return 0; |
873 | 0 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && |
874 | 0 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
875 | 0 | return 0; |
876 | 0 | if (cctx->flags & SSL_CONF_FLAG_FILE && |
877 | 0 | OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
878 | 0 | return 0; |
879 | 0 | *pcmd += cctx->prefixlen; |
880 | 0 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { |
881 | 0 | if (**pcmd != '-' || !(*pcmd)[1]) |
882 | 0 | return 0; |
883 | 0 | *pcmd += 1; |
884 | 0 | } |
885 | 0 | return 1; |
886 | 0 | } |
887 | | |
888 | | /* Determine if a command is allowed according to cctx flags */ |
889 | | static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t) |
890 | 0 | { |
891 | 0 | unsigned int tfl = t->flags; |
892 | 0 | unsigned int cfl = cctx->flags; |
893 | 0 | if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) |
894 | 0 | return 0; |
895 | 0 | if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) |
896 | 0 | return 0; |
897 | 0 | if ((tfl & SSL_CONF_FLAG_CERTIFICATE) |
898 | 0 | && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) |
899 | 0 | return 0; |
900 | 0 | return 1; |
901 | 0 | } |
902 | | |
903 | | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, |
904 | | const char *cmd) |
905 | 0 | { |
906 | 0 | const ssl_conf_cmd_tbl *t; |
907 | 0 | size_t i; |
908 | 0 | if (cmd == NULL) |
909 | 0 | return NULL; |
910 | | |
911 | | /* Look for matching parameter name in table */ |
912 | 0 | for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { |
913 | 0 | if (ssl_conf_cmd_allowed(cctx, t)) { |
914 | 0 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { |
915 | 0 | if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) |
916 | 0 | return t; |
917 | 0 | } |
918 | 0 | if (cctx->flags & SSL_CONF_FLAG_FILE) { |
919 | 0 | if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0) |
920 | 0 | return t; |
921 | 0 | } |
922 | 0 | } |
923 | 0 | } |
924 | 0 | return NULL; |
925 | 0 | } |
926 | | |
927 | | static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd) |
928 | 0 | { |
929 | | /* Find index of command in table */ |
930 | 0 | size_t idx = cmd - ssl_conf_cmds; |
931 | 0 | const ssl_switch_tbl *scmd; |
932 | | |
933 | | /* Sanity check index */ |
934 | 0 | if (idx >= OSSL_NELEM(ssl_cmd_switches)) { |
935 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
936 | 0 | return 0; |
937 | 0 | } |
938 | | /* Obtain switches entry with same index */ |
939 | 0 | scmd = ssl_cmd_switches + idx; |
940 | 0 | ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); |
941 | 0 | return 1; |
942 | 0 | } |
943 | | |
944 | | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) |
945 | 0 | { |
946 | 0 | const ssl_conf_cmd_tbl *runcmd; |
947 | 0 | if (cmd == NULL) { |
948 | 0 | ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_NULL_CMD_NAME); |
949 | 0 | return 0; |
950 | 0 | } |
951 | | |
952 | 0 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) |
953 | 0 | goto unknown_cmd; |
954 | | |
955 | 0 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); |
956 | |
|
957 | 0 | if (runcmd) { |
958 | 0 | int rv = -3; |
959 | |
|
960 | 0 | if (runcmd->value_type == SSL_CONF_TYPE_NONE) { |
961 | 0 | return ctrl_switch_option(cctx, runcmd); |
962 | 0 | } |
963 | 0 | if (value == NULL) |
964 | 0 | goto bad_value; |
965 | 0 | rv = runcmd->cmd(cctx, value); |
966 | 0 | if (rv > 0) |
967 | 0 | return 2; |
968 | 0 | if (rv != -2) |
969 | 0 | rv = 0; |
970 | |
|
971 | 0 | bad_value: |
972 | 0 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) |
973 | 0 | ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE, |
974 | 0 | "cmd=%s, value=%s", cmd, |
975 | 0 | value != NULL ? value : "<EMPTY>"); |
976 | 0 | return rv; |
977 | 0 | } |
978 | | |
979 | 0 | unknown_cmd: |
980 | 0 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) |
981 | 0 | ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd); |
982 | |
|
983 | 0 | return -2; |
984 | 0 | } |
985 | | |
986 | | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) |
987 | 0 | { |
988 | 0 | int rv; |
989 | 0 | const char *arg = NULL, *argn; |
990 | |
|
991 | 0 | if (pargc != NULL && *pargc == 0) |
992 | 0 | return 0; |
993 | 0 | if (pargc == NULL || *pargc > 0) |
994 | 0 | arg = **pargv; |
995 | 0 | if (arg == NULL) |
996 | 0 | return 0; |
997 | 0 | if (pargc == NULL || *pargc > 1) |
998 | 0 | argn = (*pargv)[1]; |
999 | 0 | else |
1000 | 0 | argn = NULL; |
1001 | 0 | cctx->flags &= ~SSL_CONF_FLAG_FILE; |
1002 | 0 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; |
1003 | 0 | rv = SSL_CONF_cmd(cctx, arg, argn); |
1004 | 0 | if (rv > 0) { |
1005 | | /* Success: update pargc, pargv */ |
1006 | 0 | (*pargv) += rv; |
1007 | 0 | if (pargc) |
1008 | 0 | (*pargc) -= rv; |
1009 | 0 | return rv; |
1010 | 0 | } |
1011 | | /* Unknown switch: indicate no arguments processed */ |
1012 | 0 | if (rv == -2) |
1013 | 0 | return 0; |
1014 | | /* Some error occurred processing command, return fatal error */ |
1015 | 0 | if (rv == 0) |
1016 | 0 | return -1; |
1017 | 0 | return rv; |
1018 | 0 | } |
1019 | | |
1020 | | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
1021 | 0 | { |
1022 | 0 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { |
1023 | 0 | const ssl_conf_cmd_tbl *runcmd; |
1024 | 0 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); |
1025 | 0 | if (runcmd) |
1026 | 0 | return runcmd->value_type; |
1027 | 0 | } |
1028 | 0 | return SSL_CONF_TYPE_UNKNOWN; |
1029 | 0 | } |
1030 | | |
1031 | | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
1032 | 0 | { |
1033 | 0 | SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); |
1034 | |
|
1035 | 0 | return ret; |
1036 | 0 | } |
1037 | | |
1038 | | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
1039 | 0 | { |
1040 | | /* See if any certificates are missing private keys */ |
1041 | 0 | size_t i; |
1042 | 0 | CERT *c = NULL; |
1043 | |
|
1044 | 0 | if (cctx->ctx != NULL) { |
1045 | 0 | c = cctx->ctx->cert; |
1046 | 0 | } else if (cctx->ssl != NULL) { |
1047 | 0 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl); |
1048 | |
|
1049 | 0 | if (sc != NULL) |
1050 | 0 | c = sc->cert; |
1051 | 0 | } |
1052 | 0 | if (c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { |
1053 | 0 | for (i = 0; i < SSL_PKEY_NUM; i++) { |
1054 | 0 | const char *p = cctx->cert_filename[i]; |
1055 | | /* |
1056 | | * If missing private key try to load one from certificate file |
1057 | | */ |
1058 | 0 | if (p && !c->pkeys[i].privatekey) { |
1059 | 0 | if (!cmd_PrivateKey(cctx, p)) |
1060 | 0 | return 0; |
1061 | 0 | } |
1062 | 0 | } |
1063 | 0 | } |
1064 | 0 | if (cctx->canames) { |
1065 | 0 | if (cctx->ssl) |
1066 | 0 | SSL_set0_CA_list(cctx->ssl, cctx->canames); |
1067 | 0 | else if (cctx->ctx) |
1068 | 0 | SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); |
1069 | 0 | else |
1070 | 0 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
1071 | 0 | cctx->canames = NULL; |
1072 | 0 | } |
1073 | 0 | return 1; |
1074 | 0 | } |
1075 | | |
1076 | | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
1077 | 5.18k | { |
1078 | 5.18k | if (cctx) { |
1079 | 0 | size_t i; |
1080 | 0 | for (i = 0; i < SSL_PKEY_NUM; i++) |
1081 | 0 | OPENSSL_free(cctx->cert_filename[i]); |
1082 | 0 | OPENSSL_free(cctx->prefix); |
1083 | 0 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
1084 | 0 | OPENSSL_free(cctx); |
1085 | 0 | } |
1086 | 5.18k | } |
1087 | | |
1088 | | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) |
1089 | 0 | { |
1090 | 0 | cctx->flags |= flags; |
1091 | 0 | return cctx->flags; |
1092 | 0 | } |
1093 | | |
1094 | | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) |
1095 | 0 | { |
1096 | 0 | cctx->flags &= ~flags; |
1097 | 0 | return cctx->flags; |
1098 | 0 | } |
1099 | | |
1100 | | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) |
1101 | 0 | { |
1102 | 0 | char *tmp = NULL; |
1103 | 0 | if (pre) { |
1104 | 0 | tmp = OPENSSL_strdup(pre); |
1105 | 0 | if (tmp == NULL) |
1106 | 0 | return 0; |
1107 | 0 | } |
1108 | 0 | OPENSSL_free(cctx->prefix); |
1109 | 0 | cctx->prefix = tmp; |
1110 | 0 | if (tmp) |
1111 | 0 | cctx->prefixlen = strlen(tmp); |
1112 | 0 | else |
1113 | 0 | cctx->prefixlen = 0; |
1114 | 0 | return 1; |
1115 | 0 | } |
1116 | | |
1117 | | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) |
1118 | 0 | { |
1119 | 0 | cctx->ssl = ssl; |
1120 | 0 | cctx->ctx = NULL; |
1121 | 0 | if (ssl != NULL) { |
1122 | 0 | SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl); |
1123 | |
|
1124 | 0 | if (sc == NULL) |
1125 | 0 | return; |
1126 | 0 | cctx->poptions = &sc->options; |
1127 | 0 | cctx->min_version = &sc->min_proto_version; |
1128 | 0 | cctx->max_version = &sc->max_proto_version; |
1129 | 0 | cctx->pcert_flags = &sc->cert->cert_flags; |
1130 | 0 | cctx->pvfy_flags = &sc->verify_mode; |
1131 | 0 | } else { |
1132 | 0 | cctx->poptions = NULL; |
1133 | 0 | cctx->min_version = NULL; |
1134 | 0 | cctx->max_version = NULL; |
1135 | 0 | cctx->pcert_flags = NULL; |
1136 | 0 | cctx->pvfy_flags = NULL; |
1137 | 0 | } |
1138 | 0 | } |
1139 | | |
1140 | | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) |
1141 | 0 | { |
1142 | 0 | cctx->ctx = ctx; |
1143 | 0 | cctx->ssl = NULL; |
1144 | 0 | if (ctx) { |
1145 | 0 | cctx->poptions = &ctx->options; |
1146 | 0 | cctx->min_version = &ctx->min_proto_version; |
1147 | 0 | cctx->max_version = &ctx->max_proto_version; |
1148 | 0 | cctx->pcert_flags = &ctx->cert->cert_flags; |
1149 | 0 | cctx->pvfy_flags = &ctx->verify_mode; |
1150 | 0 | } else { |
1151 | 0 | cctx->poptions = NULL; |
1152 | 0 | cctx->min_version = NULL; |
1153 | 0 | cctx->max_version = NULL; |
1154 | 0 | cctx->pcert_flags = NULL; |
1155 | 0 | cctx->pvfy_flags = NULL; |
1156 | 0 | } |
1157 | 0 | } |