Coverage Report

Created: 2024-07-27 06:36

/src/openssl/ssl/ssl_conf.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2012-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <stdio.h>
11
#include "ssl_local.h"
12
#include <openssl/conf.h>
13
#include <openssl/objects.h>
14
#include <openssl/decoder.h>
15
#include <openssl/core_dispatch.h>
16
#include "internal/nelem.h"
17
18
/*
19
 * structure holding name tables. This is used for permitted elements in lists
20
 * such as TLSv1.
21
 */
22
23
typedef struct {
24
    const char *name;
25
    int namelen;
26
    unsigned int name_flags;
27
    uint64_t option_value;
28
} ssl_flag_tbl;
29
30
/* Switch table: use for single command line switches like no_tls2 */
31
typedef struct {
32
    uint64_t option_value;
33
    unsigned int name_flags;
34
} ssl_switch_tbl;
35
36
/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
37
0
#define SSL_TFLAG_INV   0x1
38
/* Mask for type of flag referred to */
39
0
#define SSL_TFLAG_TYPE_MASK 0xf00
40
/* Flag is for options */
41
0
#define SSL_TFLAG_OPTION    0x000
42
/* Flag is for cert_flags */
43
0
#define SSL_TFLAG_CERT      0x100
44
/* Flag is for verify mode */
45
0
#define SSL_TFLAG_VFY       0x200
46
/* Option can only be used for clients */
47
0
#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
48
/* Option can only be used for servers */
49
0
#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
50
0
#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER)
51
52
#define SSL_FLAG_TBL(str, flag) \
53
0
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
54
#define SSL_FLAG_TBL_SRV(str, flag) \
55
0
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
56
#define SSL_FLAG_TBL_CLI(str, flag) \
57
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
58
#define SSL_FLAG_TBL_INV(str, flag) \
59
0
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag}
60
#define SSL_FLAG_TBL_SRV_INV(str, flag) \
61
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag}
62
#define SSL_FLAG_TBL_CERT(str, flag) \
63
0
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}
64
65
#define SSL_FLAG_VFY_CLI(str, flag) \
66
0
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag}
67
#define SSL_FLAG_VFY_SRV(str, flag) \
68
0
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag}
69
70
/*
71
 * Opaque structure containing SSL configuration context.
72
 */
73
74
struct ssl_conf_ctx_st {
75
    /*
76
     * Various flags indicating (among other things) which options we will
77
     * recognise.
78
     */
79
    unsigned int flags;
80
    /* Prefix and length of commands */
81
    char *prefix;
82
    size_t prefixlen;
83
    /* SSL_CTX or SSL structure to perform operations on */
84
    SSL_CTX *ctx;
85
    SSL *ssl;
86
    /* Pointer to SSL or SSL_CTX options field or NULL if none */
87
    uint64_t *poptions;
88
    /* Certificate filenames for each type */
89
    char *cert_filename[SSL_PKEY_NUM];
90
    /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
91
    uint32_t *pcert_flags;
92
    /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */
93
    uint32_t *pvfy_flags;
94
    /* Pointer to SSL or SSL_CTX min_version field or NULL if none */
95
    int *min_version;
96
    /* Pointer to SSL or SSL_CTX max_version field or NULL if none */
97
    int *max_version;
98
    /* Current flag table being worked on */
99
    const ssl_flag_tbl *tbl;
100
    /* Size of table */
101
    size_t ntbl;
102
    /* Client CA names */
103
    STACK_OF(X509_NAME) *canames;
104
};
105
106
static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
107
                           uint64_t option_value, int onoff)
108
0
{
109
0
    uint32_t *pflags;
110
111
0
    if (cctx->poptions == NULL)
112
0
        return;
113
0
    if (name_flags & SSL_TFLAG_INV)
114
0
        onoff ^= 1;
115
0
    switch (name_flags & SSL_TFLAG_TYPE_MASK) {
116
117
0
    case SSL_TFLAG_CERT:
118
0
        pflags = cctx->pcert_flags;
119
0
        break;
120
121
0
    case SSL_TFLAG_VFY:
122
0
        pflags = cctx->pvfy_flags;
123
0
        break;
124
125
0
    case SSL_TFLAG_OPTION:
126
0
        if (onoff)
127
0
            *cctx->poptions |= option_value;
128
0
        else
129
0
            *cctx->poptions &= ~option_value;
130
0
        return;
131
132
0
    default:
133
0
        return;
134
135
0
    }
136
0
    if (onoff)
137
0
        *pflags |= option_value;
138
0
    else
139
0
        *pflags &= ~option_value;
140
0
}
141
142
static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
143
                            const char *name, int namelen, int onoff)
144
0
{
145
    /* If name not relevant for context skip */
146
0
    if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
147
0
        return 0;
148
0
    if (namelen == -1) {
149
0
        if (strcmp(tbl->name, name))
150
0
            return 0;
151
0
    } else if (tbl->namelen != namelen
152
0
               || OPENSSL_strncasecmp(tbl->name, name, namelen))
153
0
        return 0;
154
0
    ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
155
0
    return 1;
156
0
}
157
158
static int ssl_set_option_list(const char *elem, int len, void *usr)
159
0
{
160
0
    SSL_CONF_CTX *cctx = usr;
161
0
    size_t i;
162
0
    const ssl_flag_tbl *tbl;
163
0
    int onoff = 1;
164
    /*
165
     * len == -1 indicates not being called in list context, just for single
166
     * command line switches, so don't allow +, -.
167
     */
168
0
    if (elem == NULL)
169
0
        return 0;
170
0
    if (len != -1) {
171
0
        if (*elem == '+') {
172
0
            elem++;
173
0
            len--;
174
0
            onoff = 1;
175
0
        } else if (*elem == '-') {
176
0
            elem++;
177
0
            len--;
178
0
            onoff = 0;
179
0
        }
180
0
    }
181
0
    for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) {
182
0
        if (ssl_match_option(cctx, tbl, elem, len, onoff))
183
0
            return 1;
184
0
    }
185
0
    return 0;
186
0
}
187
188
/* Set supported signature algorithms */
189
static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
190
0
{
191
0
    int rv;
192
0
    if (cctx->ssl)
193
0
        rv = SSL_set1_sigalgs_list(cctx->ssl, value);
194
    /* NB: ctx == NULL performs syntax checking only */
195
0
    else
196
0
        rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
197
0
    return rv > 0;
198
0
}
199
200
/* Set supported client signature algorithms */
201
static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
202
0
{
203
0
    int rv;
204
0
    if (cctx->ssl)
205
0
        rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
206
    /* NB: ctx == NULL performs syntax checking only */
207
0
    else
208
0
        rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
209
0
    return rv > 0;
210
0
}
211
212
static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value)
213
0
{
214
0
    int rv;
215
0
    if (cctx->ssl)
216
0
        rv = SSL_set1_groups_list(cctx->ssl, value);
217
    /* NB: ctx == NULL performs syntax checking only */
218
0
    else
219
0
        rv = SSL_CTX_set1_groups_list(cctx->ctx, value);
220
0
    return rv > 0;
221
0
}
222
223
/* This is the old name for cmd_Groups - retained for backwards compatibility */
224
static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value)
225
0
{
226
0
    return cmd_Groups(cctx, value);
227
0
}
228
229
/* ECDH temporary parameters */
230
static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
231
0
{
232
0
    int rv = 1;
233
234
    /* Ignore values supported by 1.0.2 for the automatic selection */
235
0
    if ((cctx->flags & SSL_CONF_FLAG_FILE)
236
0
            && (OPENSSL_strcasecmp(value, "+automatic") == 0
237
0
                || OPENSSL_strcasecmp(value, "automatic") == 0))
238
0
        return 1;
239
0
    if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
240
0
        strcmp(value, "auto") == 0)
241
0
        return 1;
242
243
    /* ECDHParameters accepts a single group name */
244
0
    if (strchr(value, ':') != NULL)
245
0
        return 0;
246
247
0
    if (cctx->ctx)
248
0
        rv = SSL_CTX_set1_groups_list(cctx->ctx, value);
249
0
    else if (cctx->ssl)
250
0
        rv = SSL_set1_groups_list(cctx->ssl, value);
251
252
0
    return rv > 0;
253
0
}
254
255
static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value)
256
0
{
257
0
    int rv = 1;
258
259
0
    if (cctx->ctx)
260
0
        rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
261
0
    if (cctx->ssl)
262
0
        rv = SSL_set_cipher_list(cctx->ssl, value);
263
0
    return rv > 0;
264
0
}
265
266
static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value)
267
0
{
268
0
    int rv = 1;
269
270
0
    if (cctx->ctx)
271
0
        rv = SSL_CTX_set_ciphersuites(cctx->ctx, value);
272
0
    if (cctx->ssl)
273
0
        rv = SSL_set_ciphersuites(cctx->ssl, value);
274
0
    return rv > 0;
275
0
}
276
277
static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
278
0
{
279
0
    static const ssl_flag_tbl ssl_protocol_list[] = {
280
0
        SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
281
0
        SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
282
0
        SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
283
0
        SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
284
0
        SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
285
0
        SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
286
0
        SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
287
0
        SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
288
0
        SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
289
0
    };
290
0
    cctx->tbl = ssl_protocol_list;
291
0
    cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
292
0
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
293
0
}
294
295
/*
296
 * protocol_from_string - converts a protocol version string to a number
297
 *
298
 * Returns -1 on failure or the version on success
299
 */
300
static int protocol_from_string(const char *value)
301
0
{
302
0
    struct protocol_versions {
303
0
        const char *name;
304
0
        int version;
305
0
    };
306
    /*
307
     * Note: To avoid breaking previously valid configurations, we must retain
308
     * legacy entries in this table even if the underlying protocol is no
309
     * longer supported.  This also means that the constants SSL3_VERSION, ...
310
     * need to be retained indefinitely.  This table can only grow, never
311
     * shrink.
312
     */
313
0
    static const struct protocol_versions versions[] = {
314
0
        {"None", 0},
315
0
        {"SSLv3", SSL3_VERSION},
316
0
        {"TLSv1", TLS1_VERSION},
317
0
        {"TLSv1.1", TLS1_1_VERSION},
318
0
        {"TLSv1.2", TLS1_2_VERSION},
319
0
        {"TLSv1.3", TLS1_3_VERSION},
320
0
        {"DTLSv1", DTLS1_VERSION},
321
0
        {"DTLSv1.2", DTLS1_2_VERSION}
322
0
    };
323
0
    size_t i;
324
0
    size_t n = OSSL_NELEM(versions);
325
326
0
    for (i = 0; i < n; i++)
327
0
        if (strcmp(versions[i].name, value) == 0)
328
0
            return versions[i].version;
329
0
    return -1;
330
0
}
331
332
static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound)
333
0
{
334
0
    int method_version;
335
0
    int new_version;
336
337
0
    if (cctx->ctx != NULL)
338
0
        method_version = cctx->ctx->method->version;
339
0
    else if (cctx->ssl != NULL)
340
0
        method_version = cctx->ssl->defltmeth->version;
341
0
    else
342
0
        return 0;
343
0
    if ((new_version = protocol_from_string(value)) < 0)
344
0
        return 0;
345
0
    return ssl_set_version_bound(method_version, new_version, bound);
346
0
}
347
348
/*
349
 * cmd_MinProtocol - Set min protocol version
350
 * @cctx: config structure to save settings in
351
 * @value: The min protocol version in string form
352
 *
353
 * Returns 1 on success and 0 on failure.
354
 */
355
static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
356
0
{
357
0
    return min_max_proto(cctx, value, cctx->min_version);
358
0
}
359
360
/*
361
 * cmd_MaxProtocol - Set max protocol version
362
 * @cctx: config structure to save settings in
363
 * @value: The max protocol version in string form
364
 *
365
 * Returns 1 on success and 0 on failure.
366
 */
367
static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
368
0
{
369
0
    return min_max_proto(cctx, value, cctx->max_version);
370
0
}
371
372
static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
373
0
{
374
0
    static const ssl_flag_tbl ssl_option_list[] = {
375
0
        SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
376
0
        SSL_FLAG_TBL_INV("EmptyFragments",
377
0
                         SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
378
0
        SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
379
0
        SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
380
0
        SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
381
0
        SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation",
382
0
                         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
383
0
        SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
384
0
        SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
385
0
        SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
386
0
                     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
387
0
        SSL_FLAG_TBL("UnsafeLegacyServerConnect",
388
0
                     SSL_OP_LEGACY_SERVER_CONNECT),
389
0
        SSL_FLAG_TBL("ClientRenegotiation",
390
0
                     SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
391
0
        SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
392
0
        SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
393
0
        SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
394
0
        SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
395
0
        SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
396
0
        SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
397
0
        SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
398
0
        SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
399
0
        SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES),
400
0
        SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS),
401
0
        SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT),
402
0
        SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION),
403
0
        SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION),
404
0
        SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE),
405
0
        SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF),
406
0
    };
407
0
    if (value == NULL)
408
0
        return -3;
409
0
    cctx->tbl = ssl_option_list;
410
0
    cctx->ntbl = OSSL_NELEM(ssl_option_list);
411
0
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
412
0
}
413
414
static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value)
415
0
{
416
0
    static const ssl_flag_tbl ssl_vfy_list[] = {
417
0
        SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER),
418
0
        SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
419
0
        SSL_FLAG_VFY_SRV("Require",
420
0
                         SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
421
0
        SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE),
422
0
        SSL_FLAG_VFY_SRV("RequestPostHandshake",
423
0
                         SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE),
424
0
        SSL_FLAG_VFY_SRV("RequirePostHandshake",
425
0
                         SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE |
426
0
                         SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
427
0
    };
428
0
    if (value == NULL)
429
0
        return -3;
430
0
    cctx->tbl = ssl_vfy_list;
431
0
    cctx->ntbl = OSSL_NELEM(ssl_vfy_list);
432
0
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
433
0
}
434
435
static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value)
436
0
{
437
0
    int rv = 1;
438
0
    CERT *c = NULL;
439
0
    if (cctx->ctx != NULL) {
440
0
        rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
441
0
        c = cctx->ctx->cert;
442
0
    }
443
0
    if (cctx->ssl != NULL) {
444
0
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
445
446
0
        if (sc != NULL) {
447
0
            rv = SSL_use_certificate_chain_file(cctx->ssl, value);
448
0
            c = sc->cert;
449
0
        } else {
450
0
            rv = 0;
451
0
        }
452
0
    }
453
0
    if (rv > 0 && c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
454
0
        char **pfilename = &cctx->cert_filename[c->key - c->pkeys];
455
456
0
        OPENSSL_free(*pfilename);
457
0
        *pfilename = OPENSSL_strdup(value);
458
0
        if (*pfilename == NULL)
459
0
            rv = 0;
460
0
    }
461
462
0
    return rv > 0;
463
0
}
464
465
static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
466
0
{
467
0
    int rv = 1;
468
0
    if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
469
0
        return -2;
470
0
    if (cctx->ctx)
471
0
        rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM);
472
0
    if (cctx->ssl)
473
0
        rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
474
0
    return rv > 0;
475
0
}
476
477
static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
478
0
{
479
0
    int rv = 1;
480
0
    if (cctx->ctx)
481
0
        rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
482
0
    return rv > 0;
483
0
}
484
485
static int do_store(SSL_CONF_CTX *cctx,
486
                    const char *CAfile, const char *CApath, const char *CAstore,
487
                    int verify_store)
488
0
{
489
0
    CERT *cert;
490
0
    X509_STORE **st;
491
0
    SSL_CTX *ctx;
492
0
    OSSL_LIB_CTX *libctx = NULL;
493
0
    const char *propq = NULL;
494
495
0
    if (cctx->ctx != NULL) {
496
0
        cert = cctx->ctx->cert;
497
0
        ctx = cctx->ctx;
498
0
    } else if (cctx->ssl != NULL) {
499
0
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
500
501
0
        if (sc == NULL)
502
0
            return 0;
503
504
0
        cert = sc->cert;
505
0
        ctx = cctx->ssl->ctx;
506
0
    } else {
507
0
        return 1;
508
0
    }
509
0
    if (ctx != NULL) {
510
0
        libctx = ctx->libctx;
511
0
        propq = ctx->propq;
512
0
    }
513
0
    st = verify_store ? &cert->verify_store : &cert->chain_store;
514
0
    if (*st == NULL) {
515
0
        *st = X509_STORE_new();
516
0
        if (*st == NULL)
517
0
            return 0;
518
0
    }
519
520
0
    if (CAfile != NULL && !X509_STORE_load_file_ex(*st, CAfile, libctx, propq))
521
0
        return 0;
522
0
    if (CApath != NULL && !X509_STORE_load_path(*st, CApath))
523
0
        return 0;
524
0
    if (CAstore != NULL && !X509_STORE_load_store_ex(*st, CAstore, libctx,
525
0
                                                     propq))
526
0
        return 0;
527
0
    return 1;
528
0
}
529
530
static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value)
531
0
{
532
0
    return do_store(cctx, NULL, value, NULL, 0);
533
0
}
534
535
static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value)
536
0
{
537
0
    return do_store(cctx, value, NULL, NULL, 0);
538
0
}
539
540
static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value)
541
0
{
542
0
    return do_store(cctx, NULL, NULL, value, 0);
543
0
}
544
545
static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value)
546
0
{
547
0
    return do_store(cctx, NULL, value, NULL, 1);
548
0
}
549
550
static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value)
551
0
{
552
0
    return do_store(cctx, value, NULL, NULL, 1);
553
0
}
554
555
static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value)
556
0
{
557
0
    return do_store(cctx, NULL, NULL, value, 1);
558
0
}
559
560
static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value)
561
0
{
562
0
    if (cctx->canames == NULL)
563
0
        cctx->canames = sk_X509_NAME_new_null();
564
0
    if (cctx->canames == NULL)
565
0
        return 0;
566
0
    return SSL_add_file_cert_subjects_to_stack(cctx->canames, value);
567
0
}
568
569
static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value)
570
0
{
571
0
    return cmd_RequestCAFile(cctx, value);
572
0
}
573
574
static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value)
575
0
{
576
0
    if (cctx->canames == NULL)
577
0
        cctx->canames = sk_X509_NAME_new_null();
578
0
    if (cctx->canames == NULL)
579
0
        return 0;
580
0
    return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value);
581
0
}
582
583
static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value)
584
0
{
585
0
    return cmd_RequestCAPath(cctx, value);
586
0
}
587
588
static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value)
589
0
{
590
0
    if (cctx->canames == NULL)
591
0
        cctx->canames = sk_X509_NAME_new_null();
592
0
    if (cctx->canames == NULL)
593
0
        return 0;
594
0
    return SSL_add_store_cert_subjects_to_stack(cctx->canames, value);
595
0
}
596
597
static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value)
598
0
{
599
0
    return cmd_RequestCAStore(cctx, value);
600
0
}
601
602
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
603
0
{
604
0
    int rv = 0;
605
0
    EVP_PKEY *dhpkey = NULL;
606
0
    BIO *in = NULL;
607
0
    SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx;
608
0
    OSSL_DECODER_CTX *decoderctx = NULL;
609
610
0
    if (cctx->ctx != NULL || cctx->ssl != NULL) {
611
0
        in = BIO_new(BIO_s_file());
612
0
        if (in == NULL)
613
0
            goto end;
614
0
        if (BIO_read_filename(in, value) <= 0)
615
0
            goto end;
616
617
0
        decoderctx
618
0
            = OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH",
619
0
                                            OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
620
0
                                            sslctx->libctx, sslctx->propq);
621
0
        if (decoderctx == NULL)
622
0
            goto end;
623
0
        ERR_set_mark();
624
0
        while (!OSSL_DECODER_from_bio(decoderctx, in)
625
0
               && dhpkey == NULL
626
0
               && !BIO_eof(in));
627
0
        OSSL_DECODER_CTX_free(decoderctx);
628
629
0
        if (dhpkey == NULL) {
630
0
            ERR_clear_last_mark();
631
0
            goto end;
632
0
        }
633
0
        ERR_pop_to_mark();
634
0
    } else {
635
0
        return 1;
636
0
    }
637
638
0
    if (cctx->ctx != NULL) {
639
0
        if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0)
640
0
            dhpkey = NULL;
641
0
    }
642
0
    if (cctx->ssl != NULL) {
643
0
        if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0)
644
0
            dhpkey = NULL;
645
0
    }
646
0
 end:
647
0
    EVP_PKEY_free(dhpkey);
648
0
    BIO_free(in);
649
0
    return rv > 0;
650
0
}
651
652
/*
653
 * |value| input is "<number[,number]>"
654
 * where the first number is the padding block size for
655
 * application data, and the optional second is the
656
 * padding block size for handshake messages
657
 */
658
static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value)
659
0
{
660
0
    int rv = 0;
661
0
    unsigned long block_padding = 0, hs_padding = 0;
662
0
    char *commap = NULL, *copy = NULL;
663
0
    char *endptr = NULL;
664
665
0
    copy = OPENSSL_strdup(value);
666
0
    if (copy == NULL)
667
0
        return 0;
668
0
    commap = strstr(copy, ",");
669
0
    if (commap != NULL) {
670
0
        *commap = '\0';
671
0
        if (*(commap + 1) == '\0') {
672
0
            OPENSSL_free(copy);
673
0
            return 0;
674
0
        }
675
0
        if (!OPENSSL_strtoul(commap + 1, &endptr, 0, &hs_padding))
676
0
            return 0;
677
0
    }
678
0
    if (!OPENSSL_strtoul(copy, &endptr, 0, &block_padding))
679
0
        return 0;
680
0
    if (commap == NULL)
681
0
        hs_padding = block_padding;
682
0
    OPENSSL_free(copy);
683
684
    /*
685
     * All we care about are non-negative values,
686
     * the setters check the range
687
     */
688
0
    if (cctx->ctx)
689
0
        rv = SSL_CTX_set_block_padding_ex(cctx->ctx, (size_t)block_padding,
690
0
                                          (size_t)hs_padding);
691
0
    if (cctx->ssl)
692
0
        rv = SSL_set_block_padding_ex(cctx->ssl, (size_t)block_padding,
693
0
                                      (size_t)hs_padding);
694
0
    return rv;
695
0
}
696
697
698
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
699
0
{
700
0
    int rv = 0;
701
0
    int num_tickets = atoi(value);
702
703
0
    if (num_tickets >= 0) {
704
0
        if (cctx->ctx)
705
0
            rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
706
0
        if (cctx->ssl)
707
0
            rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
708
0
    }
709
0
    return rv;
710
0
}
711
712
typedef struct {
713
    int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
714
    const char *str_file;
715
    const char *str_cmdline;
716
    unsigned short flags;
717
    unsigned short value_type;
718
} ssl_conf_cmd_tbl;
719
720
/* Table of supported parameters */
721
722
#define SSL_CONF_CMD(name, cmdopt, flags, type) \
723
        {cmd_##name, #name, cmdopt, flags, type}
724
725
#define SSL_CONF_CMD_STRING(name, cmdopt, flags) \
726
        SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING)
727
728
#define SSL_CONF_CMD_SWITCH(name, flags) \
729
        {0, NULL, name, flags, SSL_CONF_TYPE_NONE}
730
731
/* See apps/include/opt.h if you change this table. */
732
/* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */
733
static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
734
    SSL_CONF_CMD_SWITCH("no_ssl3", 0),
735
    SSL_CONF_CMD_SWITCH("no_tls1", 0),
736
    SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
737
    SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
738
    SSL_CONF_CMD_SWITCH("no_tls1_3", 0),
739
    SSL_CONF_CMD_SWITCH("bugs", 0),
740
    SSL_CONF_CMD_SWITCH("no_comp", 0),
741
    SSL_CONF_CMD_SWITCH("comp", 0),
742
    SSL_CONF_CMD_SWITCH("no_tx_cert_comp", 0),
743
    SSL_CONF_CMD_SWITCH("tx_cert_comp", 0),
744
    SSL_CONF_CMD_SWITCH("no_rx_cert_comp", 0),
745
    SSL_CONF_CMD_SWITCH("rx_cert_comp", 0),
746
    SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
747
    SSL_CONF_CMD_SWITCH("no_ticket", 0),
748
    SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
749
    SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
750
    SSL_CONF_CMD_SWITCH("client_renegotiation", SSL_CONF_FLAG_SERVER),
751
    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
752
    SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
753
    SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
754
    SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT),
755
    SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
756
    SSL_CONF_CMD_SWITCH("prefer_no_dhe_kex", 0),
757
    SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
758
    SSL_CONF_CMD_SWITCH("strict", 0),
759
    SSL_CONF_CMD_SWITCH("no_middlebox", 0),
760
    SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
761
    SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
762
    SSL_CONF_CMD_SWITCH("no_etm", 0),
763
    SSL_CONF_CMD_SWITCH("no_ems", 0),
764
    SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
765
    SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
766
    SSL_CONF_CMD_STRING(Curves, "curves", 0),
767
    SSL_CONF_CMD_STRING(Groups, "groups", 0),
768
    SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
769
    SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
770
    SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0),
771
    SSL_CONF_CMD_STRING(Protocol, NULL, 0),
772
    SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
773
    SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
774
    SSL_CONF_CMD_STRING(Options, NULL, 0),
775
    SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
776
    SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
777
                 SSL_CONF_TYPE_FILE),
778
    SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,
779
                 SSL_CONF_TYPE_FILE),
780
    SSL_CONF_CMD(ServerInfoFile, NULL,
781
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
782
                 SSL_CONF_TYPE_FILE),
783
    SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE,
784
                 SSL_CONF_TYPE_DIR),
785
    SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
786
                 SSL_CONF_TYPE_FILE),
787
    SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE,
788
                 SSL_CONF_TYPE_STORE),
789
    SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
790
                 SSL_CONF_TYPE_DIR),
791
    SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
792
                 SSL_CONF_TYPE_FILE),
793
    SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE,
794
                 SSL_CONF_TYPE_STORE),
795
    SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE,
796
                 SSL_CONF_TYPE_FILE),
797
    SSL_CONF_CMD(ClientCAFile, NULL,
798
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
799
                 SSL_CONF_TYPE_FILE),
800
    SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE,
801
                 SSL_CONF_TYPE_DIR),
802
    SSL_CONF_CMD(ClientCAPath, NULL,
803
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
804
                 SSL_CONF_TYPE_DIR),
805
    SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE,
806
                 SSL_CONF_TYPE_STORE),
807
    SSL_CONF_CMD(ClientCAStore, NULL,
808
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
809
                 SSL_CONF_TYPE_STORE),
810
    SSL_CONF_CMD(DHParameters, "dhparam",
811
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
812
                 SSL_CONF_TYPE_FILE),
813
    SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
814
    SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
815
};
816
817
/* Supported switches: must match order of switches in ssl_conf_cmds */
818
static const ssl_switch_tbl ssl_cmd_switches[] = {
819
    {SSL_OP_NO_SSLv3, 0},       /* no_ssl3 */
820
    {SSL_OP_NO_TLSv1, 0},       /* no_tls1 */
821
    {SSL_OP_NO_TLSv1_1, 0},     /* no_tls1_1 */
822
    {SSL_OP_NO_TLSv1_2, 0},     /* no_tls1_2 */
823
    {SSL_OP_NO_TLSv1_3, 0},     /* no_tls1_3 */
824
    {SSL_OP_ALL, 0},            /* bugs */
825
    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
826
    {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
827
    {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, 0}, /* no_tx_cert_comp */
828
    {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* tx_cert_comp */
829
    {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, 0}, /* no_rx_cert_comp */
830
    {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* rx_cert_comp */
831
    {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
832
    {SSL_OP_NO_TICKET, 0},      /* no_ticket */
833
    {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
834
    /* legacy_renegotiation */
835
    {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
836
    /* Allow client renegotiation */
837
    {SSL_OP_ALLOW_CLIENT_RENEGOTIATION, 0},
838
    /* legacy_server_connect */
839
    {SSL_OP_LEGACY_SERVER_CONNECT, 0},
840
    /* no_renegotiation */
841
    {SSL_OP_NO_RENEGOTIATION, 0},
842
    /* no_resumption_on_reneg */
843
    {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},
844
    /* no_legacy_server_connect */
845
    {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
846
    /* allow_no_dhe_kex */
847
    {SSL_OP_ALLOW_NO_DHE_KEX, 0},
848
    /* prefer_no_dhe_kex */
849
    {SSL_OP_PREFER_NO_DHE_KEX, 0},
850
    /* chacha reprioritization */
851
    {SSL_OP_PRIORITIZE_CHACHA, 0},
852
    {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
853
    /* no_middlebox */
854
    {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV},
855
    /* anti_replay */
856
    {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
857
    /* no_anti_replay */
858
    {SSL_OP_NO_ANTI_REPLAY, 0},
859
    /* no Encrypt-then-Mac */
860
    {SSL_OP_NO_ENCRYPT_THEN_MAC, 0},
861
    /* no Extended master secret */
862
    {SSL_OP_NO_EXTENDED_MASTER_SECRET, 0},
863
};
864
865
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
866
0
{
867
0
    if (pcmd == NULL || *pcmd == NULL)
868
0
        return 0;
869
    /* If a prefix is set, check and skip */
870
0
    if (cctx->prefix) {
871
0
        if (strlen(*pcmd) <= cctx->prefixlen)
872
0
            return 0;
873
0
        if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
874
0
            strncmp(*pcmd, cctx->prefix, cctx->prefixlen))
875
0
            return 0;
876
0
        if (cctx->flags & SSL_CONF_FLAG_FILE &&
877
0
            OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen))
878
0
            return 0;
879
0
        *pcmd += cctx->prefixlen;
880
0
    } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
881
0
        if (**pcmd != '-' || !(*pcmd)[1])
882
0
            return 0;
883
0
        *pcmd += 1;
884
0
    }
885
0
    return 1;
886
0
}
887
888
/* Determine if a command is allowed according to cctx flags */
889
static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t)
890
0
{
891
0
    unsigned int tfl = t->flags;
892
0
    unsigned int cfl = cctx->flags;
893
0
    if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER))
894
0
        return 0;
895
0
    if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT))
896
0
        return 0;
897
0
    if ((tfl & SSL_CONF_FLAG_CERTIFICATE)
898
0
        && !(cfl & SSL_CONF_FLAG_CERTIFICATE))
899
0
        return 0;
900
0
    return 1;
901
0
}
902
903
static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
904
                                                   const char *cmd)
905
0
{
906
0
    const ssl_conf_cmd_tbl *t;
907
0
    size_t i;
908
0
    if (cmd == NULL)
909
0
        return NULL;
910
911
    /* Look for matching parameter name in table */
912
0
    for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) {
913
0
        if (ssl_conf_cmd_allowed(cctx, t)) {
914
0
            if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
915
0
                if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0)
916
0
                    return t;
917
0
            }
918
0
            if (cctx->flags & SSL_CONF_FLAG_FILE) {
919
0
                if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0)
920
0
                    return t;
921
0
            }
922
0
        }
923
0
    }
924
0
    return NULL;
925
0
}
926
927
static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd)
928
0
{
929
    /* Find index of command in table */
930
0
    size_t idx = cmd - ssl_conf_cmds;
931
0
    const ssl_switch_tbl *scmd;
932
933
    /* Sanity check index */
934
0
    if (idx >= OSSL_NELEM(ssl_cmd_switches)) {
935
0
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
936
0
        return 0;
937
0
    }
938
    /* Obtain switches entry with same index */
939
0
    scmd = ssl_cmd_switches + idx;
940
0
    ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
941
0
    return 1;
942
0
}
943
944
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
945
0
{
946
0
    const ssl_conf_cmd_tbl *runcmd;
947
0
    if (cmd == NULL) {
948
0
        ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_NULL_CMD_NAME);
949
0
        return 0;
950
0
    }
951
952
0
    if (!ssl_conf_cmd_skip_prefix(cctx, &cmd))
953
0
        goto unknown_cmd;
954
955
0
    runcmd = ssl_conf_cmd_lookup(cctx, cmd);
956
957
0
    if (runcmd) {
958
0
        int rv = -3;
959
960
0
        if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
961
0
            return ctrl_switch_option(cctx, runcmd);
962
0
        }
963
0
        if (value == NULL)
964
0
            goto bad_value;
965
0
        rv = runcmd->cmd(cctx, value);
966
0
        if (rv > 0)
967
0
            return 2;
968
0
        if (rv != -2)
969
0
            rv = 0;
970
971
0
 bad_value:
972
0
        if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
973
0
            ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE,
974
0
                           "cmd=%s, value=%s", cmd,
975
0
                           value != NULL ? value : "<EMPTY>");
976
0
        return rv;
977
0
    }
978
979
0
 unknown_cmd:
980
0
    if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
981
0
        ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd);
982
983
0
    return -2;
984
0
}
985
986
int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv)
987
0
{
988
0
    int rv;
989
0
    const char *arg = NULL, *argn;
990
991
0
    if (pargc != NULL && *pargc == 0)
992
0
        return 0;
993
0
    if (pargc == NULL || *pargc > 0)
994
0
        arg = **pargv;
995
0
    if (arg == NULL)
996
0
        return 0;
997
0
    if (pargc == NULL || *pargc > 1)
998
0
        argn = (*pargv)[1];
999
0
    else
1000
0
        argn = NULL;
1001
0
    cctx->flags &= ~SSL_CONF_FLAG_FILE;
1002
0
    cctx->flags |= SSL_CONF_FLAG_CMDLINE;
1003
0
    rv = SSL_CONF_cmd(cctx, arg, argn);
1004
0
    if (rv > 0) {
1005
        /* Success: update pargc, pargv */
1006
0
        (*pargv) += rv;
1007
0
        if (pargc)
1008
0
            (*pargc) -= rv;
1009
0
        return rv;
1010
0
    }
1011
    /* Unknown switch: indicate no arguments processed */
1012
0
    if (rv == -2)
1013
0
        return 0;
1014
    /* Some error occurred processing command, return fatal error */
1015
0
    if (rv == 0)
1016
0
        return -1;
1017
0
    return rv;
1018
0
}
1019
1020
int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd)
1021
0
{
1022
0
    if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) {
1023
0
        const ssl_conf_cmd_tbl *runcmd;
1024
0
        runcmd = ssl_conf_cmd_lookup(cctx, cmd);
1025
0
        if (runcmd)
1026
0
            return runcmd->value_type;
1027
0
    }
1028
0
    return SSL_CONF_TYPE_UNKNOWN;
1029
0
}
1030
1031
SSL_CONF_CTX *SSL_CONF_CTX_new(void)
1032
0
{
1033
0
    SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret));
1034
1035
0
    return ret;
1036
0
}
1037
1038
int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx)
1039
0
{
1040
    /* See if any certificates are missing private keys */
1041
0
    size_t i;
1042
0
    CERT *c = NULL;
1043
1044
0
    if (cctx->ctx != NULL) {
1045
0
        c = cctx->ctx->cert;
1046
0
    } else if (cctx->ssl != NULL) {
1047
0
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
1048
1049
0
        if (sc != NULL)
1050
0
            c = sc->cert;
1051
0
    }
1052
0
    if (c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
1053
0
        for (i = 0; i < SSL_PKEY_NUM; i++) {
1054
0
            const char *p = cctx->cert_filename[i];
1055
            /*
1056
             * If missing private key try to load one from certificate file
1057
             */
1058
0
            if (p && !c->pkeys[i].privatekey) {
1059
0
                if (!cmd_PrivateKey(cctx, p))
1060
0
                    return 0;
1061
0
            }
1062
0
        }
1063
0
    }
1064
0
    if (cctx->canames) {
1065
0
        if (cctx->ssl)
1066
0
            SSL_set0_CA_list(cctx->ssl, cctx->canames);
1067
0
        else if (cctx->ctx)
1068
0
            SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames);
1069
0
        else
1070
0
            sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
1071
0
        cctx->canames = NULL;
1072
0
    }
1073
0
    return 1;
1074
0
}
1075
1076
void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
1077
5.18k
{
1078
5.18k
    if (cctx) {
1079
0
        size_t i;
1080
0
        for (i = 0; i < SSL_PKEY_NUM; i++)
1081
0
            OPENSSL_free(cctx->cert_filename[i]);
1082
0
        OPENSSL_free(cctx->prefix);
1083
0
        sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
1084
0
        OPENSSL_free(cctx);
1085
0
    }
1086
5.18k
}
1087
1088
unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
1089
0
{
1090
0
    cctx->flags |= flags;
1091
0
    return cctx->flags;
1092
0
}
1093
1094
unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
1095
0
{
1096
0
    cctx->flags &= ~flags;
1097
0
    return cctx->flags;
1098
0
}
1099
1100
int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre)
1101
0
{
1102
0
    char *tmp = NULL;
1103
0
    if (pre) {
1104
0
        tmp = OPENSSL_strdup(pre);
1105
0
        if (tmp == NULL)
1106
0
            return 0;
1107
0
    }
1108
0
    OPENSSL_free(cctx->prefix);
1109
0
    cctx->prefix = tmp;
1110
0
    if (tmp)
1111
0
        cctx->prefixlen = strlen(tmp);
1112
0
    else
1113
0
        cctx->prefixlen = 0;
1114
0
    return 1;
1115
0
}
1116
1117
void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
1118
0
{
1119
0
    cctx->ssl = ssl;
1120
0
    cctx->ctx = NULL;
1121
0
    if (ssl != NULL) {
1122
0
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1123
1124
0
        if (sc == NULL)
1125
0
            return;
1126
0
        cctx->poptions = &sc->options;
1127
0
        cctx->min_version = &sc->min_proto_version;
1128
0
        cctx->max_version = &sc->max_proto_version;
1129
0
        cctx->pcert_flags = &sc->cert->cert_flags;
1130
0
        cctx->pvfy_flags = &sc->verify_mode;
1131
0
    } else {
1132
0
        cctx->poptions = NULL;
1133
0
        cctx->min_version = NULL;
1134
0
        cctx->max_version = NULL;
1135
0
        cctx->pcert_flags = NULL;
1136
0
        cctx->pvfy_flags = NULL;
1137
0
    }
1138
0
}
1139
1140
void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
1141
0
{
1142
0
    cctx->ctx = ctx;
1143
0
    cctx->ssl = NULL;
1144
0
    if (ctx) {
1145
0
        cctx->poptions = &ctx->options;
1146
0
        cctx->min_version = &ctx->min_proto_version;
1147
0
        cctx->max_version = &ctx->max_proto_version;
1148
0
        cctx->pcert_flags = &ctx->cert->cert_flags;
1149
0
        cctx->pvfy_flags = &ctx->verify_mode;
1150
0
    } else {
1151
0
        cctx->poptions = NULL;
1152
0
        cctx->min_version = NULL;
1153
0
        cctx->max_version = NULL;
1154
0
        cctx->pcert_flags = NULL;
1155
0
        cctx->pvfy_flags = NULL;
1156
0
    }
1157
0
}