1 /* 2 * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "ssl_locl.h" 12 #include <openssl/conf.h> 13 #include <openssl/objects.h> 14 #include <openssl/dh.h> 15 16 /* 17 * structure holding name tables. This is used for permitted elements in lists 18 * such as TLSv1. 19 */ 20 21 typedef struct { 22 const char *name; 23 int namelen; 24 unsigned int name_flags; 25 unsigned long option_value; 26 } ssl_flag_tbl; 27 28 /* Switch table: use for single command line switches like no_tls2 */ 29 typedef struct { 30 unsigned long option_value; 31 unsigned int name_flags; 32 } ssl_switch_tbl; 33 34 /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ 35 #define SSL_TFLAG_INV 0x1 36 /* Mask for type of flag referred to */ 37 #define SSL_TFLAG_TYPE_MASK 0xf00 38 /* Flag is for options */ 39 #define SSL_TFLAG_OPTION 0x000 40 /* Flag is for cert_flags */ 41 #define SSL_TFLAG_CERT 0x100 42 /* Flag is for verify mode */ 43 #define SSL_TFLAG_VFY 0x200 44 /* Option can only be used for clients */ 45 #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT 46 /* Option can only be used for servers */ 47 #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER 48 #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) 49 50 #define SSL_FLAG_TBL(str, flag) \ 51 {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} 52 #define SSL_FLAG_TBL_SRV(str, flag) \ 53 {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} 54 #define SSL_FLAG_TBL_CLI(str, flag) \ 55 {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} 56 #define SSL_FLAG_TBL_INV(str, flag) \ 57 {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} 58 #define SSL_FLAG_TBL_SRV_INV(str, flag) \ 59 {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} 60 #define SSL_FLAG_TBL_CERT(str, flag) \ 61 {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} 62 63 #define SSL_FLAG_VFY_CLI(str, flag) \ 64 {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} 65 #define SSL_FLAG_VFY_SRV(str, flag) \ 66 {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} 67 68 /* 69 * Opaque structure containing SSL configuration context. 70 */ 71 72 struct ssl_conf_ctx_st { 73 /* 74 * Various flags indicating (among other things) which options we will 75 * recognise. 76 */ 77 unsigned int flags; 78 /* Prefix and length of commands */ 79 char *prefix; 80 size_t prefixlen; 81 /* SSL_CTX or SSL structure to perform operations on */ 82 SSL_CTX *ctx; 83 SSL *ssl; 84 /* Pointer to SSL or SSL_CTX options field or NULL if none */ 85 uint32_t *poptions; 86 /* Certificate filenames for each type */ 87 char *cert_filename[SSL_PKEY_NUM]; 88 /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ 89 uint32_t *pcert_flags; 90 /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ 91 uint32_t *pvfy_flags; 92 /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ 93 int *min_version; 94 /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ 95 int *max_version; 96 /* Current flag table being worked on */ 97 const ssl_flag_tbl *tbl; 98 /* Size of table */ 99 size_t ntbl; 100 /* Client CA names */ 101 STACK_OF(X509_NAME) *canames; 102 }; 103 104 static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, 105 unsigned long option_value, int onoff) 106 { 107 uint32_t *pflags; 108 if (cctx->poptions == NULL) 109 return; 110 if (name_flags & SSL_TFLAG_INV) 111 onoff ^= 1; 112 switch (name_flags & SSL_TFLAG_TYPE_MASK) { 113 114 case SSL_TFLAG_CERT: 115 pflags = cctx->pcert_flags; 116 break; 117 118 case SSL_TFLAG_VFY: 119 pflags = cctx->pvfy_flags; 120 break; 121 122 case SSL_TFLAG_OPTION: 123 pflags = cctx->poptions; 124 break; 125 126 default: 127 return; 128 129 } 130 if (onoff) 131 *pflags |= option_value; 132 else 133 *pflags &= ~option_value; 134 } 135 136 static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, 137 const char *name, int namelen, int onoff) 138 { 139 /* If name not relevant for context skip */ 140 if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) 141 return 0; 142 if (namelen == -1) { 143 if (strcmp(tbl->name, name)) 144 return 0; 145 } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen)) 146 return 0; 147 ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); 148 return 1; 149 } 150 151 static int ssl_set_option_list(const char *elem, int len, void *usr) 152 { 153 SSL_CONF_CTX *cctx = usr; 154 size_t i; 155 const ssl_flag_tbl *tbl; 156 int onoff = 1; 157 /* 158 * len == -1 indicates not being called in list context, just for single 159 * command line switches, so don't allow +, -. 160 */ 161 if (elem == NULL) 162 return 0; 163 if (len != -1) { 164 if (*elem == '+') { 165 elem++; 166 len--; 167 onoff = 1; 168 } else if (*elem == '-') { 169 elem++; 170 len--; 171 onoff = 0; 172 } 173 } 174 for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { 175 if (ssl_match_option(cctx, tbl, elem, len, onoff)) 176 return 1; 177 } 178 return 0; 179 } 180 181 /* Set supported signature algorithms */ 182 static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) 183 { 184 int rv; 185 if (cctx->ssl) 186 rv = SSL_set1_sigalgs_list(cctx->ssl, value); 187 /* NB: ctx == NULL performs syntax checking only */ 188 else 189 rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); 190 return rv > 0; 191 } 192 193 /* Set supported client signature algorithms */ 194 static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) 195 { 196 int rv; 197 if (cctx->ssl) 198 rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); 199 /* NB: ctx == NULL performs syntax checking only */ 200 else 201 rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); 202 return rv > 0; 203 } 204 205 static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) 206 { 207 int rv; 208 if (cctx->ssl) 209 rv = SSL_set1_curves_list(cctx->ssl, value); 210 /* NB: ctx == NULL performs syntax checking only */ 211 else 212 rv = SSL_CTX_set1_curves_list(cctx->ctx, value); 213 return rv > 0; 214 } 215 216 #ifndef OPENSSL_NO_EC 217 /* ECDH temporary parameters */ 218 static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) 219 { 220 int rv = 1; 221 EC_KEY *ecdh; 222 int nid; 223 224 /* Ignore values supported by 1.0.2 for the automatic selection */ 225 if ((cctx->flags & SSL_CONF_FLAG_FILE) && 226 strcasecmp(value, "+automatic") == 0) 227 return 1; 228 if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && 229 strcmp(value, "auto") == 0) 230 return 1; 231 232 nid = EC_curve_nist2nid(value); 233 if (nid == NID_undef) 234 nid = OBJ_sn2nid(value); 235 if (nid == 0) 236 return 0; 237 ecdh = EC_KEY_new_by_curve_name(nid); 238 if (!ecdh) 239 return 0; 240 if (cctx->ctx) 241 rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); 242 else if (cctx->ssl) 243 rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); 244 EC_KEY_free(ecdh); 245 246 return rv > 0; 247 } 248 #endif 249 static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) 250 { 251 int rv = 1; 252 if (cctx->ctx) 253 rv = SSL_CTX_set_cipher_list(cctx->ctx, value); 254 if (cctx->ssl) 255 rv = SSL_set_cipher_list(cctx->ssl, value); 256 return rv > 0; 257 } 258 259 static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) 260 { 261 static const ssl_flag_tbl ssl_protocol_list[] = { 262 SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK), 263 SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2), 264 SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3), 265 SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), 266 SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), 267 SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), 268 SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), 269 SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) 270 }; 271 cctx->tbl = ssl_protocol_list; 272 cctx->ntbl = OSSL_NELEM(ssl_protocol_list); 273 return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); 274 } 275 276 /* 277 * protocol_from_string - converts a protocol version string to a number 278 * 279 * Returns -1 on failure or the version on success 280 */ 281 static int protocol_from_string(const char *value) 282 { 283 struct protocol_versions { 284 const char *name; 285 int version; 286 }; 287 static const struct protocol_versions versions[] = { 288 {"None", 0}, 289 {"SSLv3", SSL3_VERSION}, 290 {"TLSv1", TLS1_VERSION}, 291 {"TLSv1.1", TLS1_1_VERSION}, 292 {"TLSv1.2", TLS1_2_VERSION}, 293 {"DTLSv1", DTLS1_VERSION}, 294 {"DTLSv1.2", DTLS1_2_VERSION} 295 }; 296 size_t i; 297 size_t n = OSSL_NELEM(versions); 298 299 for (i = 0; i < n; i++) 300 if (strcmp(versions[i].name, value) == 0) 301 return versions[i].version; 302 return -1; 303 } 304 305 static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) 306 { 307 int method_version; 308 int new_version; 309 310 if (cctx->ctx != NULL) 311 method_version = cctx->ctx->method->version; 312 else if (cctx->ssl != NULL) 313 method_version = cctx->ssl->ctx->method->version; 314 else 315 return 0; 316 if ((new_version = protocol_from_string(value)) < 0) 317 return 0; 318 return ssl_set_version_bound(method_version, new_version, bound); 319 } 320 321 /* 322 * cmd_MinProtocol - Set min protocol version 323 * @cctx: config structure to save settings in 324 * @value: The min protocol version in string form 325 * 326 * Returns 1 on success and 0 on failure. 327 */ 328 static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) 329 { 330 return min_max_proto(cctx, value, cctx->min_version); 331 } 332 333 /* 334 * cmd_MaxProtocol - Set max protocol version 335 * @cctx: config structure to save settings in 336 * @value: The max protocol version in string form 337 * 338 * Returns 1 on success and 0 on failure. 339 */ 340 static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) 341 { 342 return min_max_proto(cctx, value, cctx->max_version); 343 } 344 345 static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) 346 { 347 static const ssl_flag_tbl ssl_option_list[] = { 348 SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET), 349 SSL_FLAG_TBL_INV("EmptyFragments", 350 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), 351 SSL_FLAG_TBL("Bugs", SSL_OP_ALL), 352 SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION), 353 SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE), 354 SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", 355 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), 356 SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE), 357 SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), 358 SSL_FLAG_TBL("UnsafeLegacyRenegotiation", 359 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), 360 SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), 361 SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), 362 }; 363 if (value == NULL) 364 return -3; 365 cctx->tbl = ssl_option_list; 366 cctx->ntbl = OSSL_NELEM(ssl_option_list); 367 return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); 368 } 369 370 static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) 371 { 372 static const ssl_flag_tbl ssl_vfy_list[] = { 373 SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER), 374 SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), 375 SSL_FLAG_VFY_SRV("Require", 376 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), 377 SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE) 378 }; 379 if (value == NULL) 380 return -3; 381 cctx->tbl = ssl_vfy_list; 382 cctx->ntbl = OSSL_NELEM(ssl_vfy_list); 383 return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); 384 } 385 386 static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) 387 { 388 int rv = 1; 389 CERT *c = NULL; 390 if (cctx->ctx) { 391 rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); 392 c = cctx->ctx->cert; 393 } 394 if (cctx->ssl) { 395 rv = SSL_use_certificate_chain_file(cctx->ssl, value); 396 c = cctx->ssl->cert; 397 } 398 if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { 399 char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; 400 OPENSSL_free(*pfilename); 401 *pfilename = OPENSSL_strdup(value); 402 if (!*pfilename) 403 rv = 0; 404 } 405 406 return rv > 0; 407 } 408 409 static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) 410 { 411 int rv = 1; 412 if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) 413 return -2; 414 if (cctx->ctx) 415 rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); 416 if (cctx->ssl) 417 rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); 418 return rv > 0; 419 } 420 421 static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) 422 { 423 int rv = 1; 424 if (cctx->ctx) 425 rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); 426 return rv > 0; 427 } 428 429 static int do_store(SSL_CONF_CTX *cctx, 430 const char *CAfile, const char *CApath, int verify_store) 431 { 432 CERT *cert; 433 X509_STORE **st; 434 if (cctx->ctx) 435 cert = cctx->ctx->cert; 436 else if (cctx->ssl) 437 cert = cctx->ssl->cert; 438 else 439 return 1; 440 st = verify_store ? &cert->verify_store : &cert->chain_store; 441 if (*st == NULL) { 442 *st = X509_STORE_new(); 443 if (*st == NULL) 444 return 0; 445 } 446 return X509_STORE_load_locations(*st, CAfile, CApath) > 0; 447 } 448 449 static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) 450 { 451 return do_store(cctx, NULL, value, 0); 452 } 453 454 static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) 455 { 456 return do_store(cctx, value, NULL, 0); 457 } 458 459 static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) 460 { 461 return do_store(cctx, NULL, value, 1); 462 } 463 464 static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) 465 { 466 return do_store(cctx, value, NULL, 1); 467 } 468 469 static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) 470 { 471 if (cctx->canames == NULL) 472 cctx->canames = sk_X509_NAME_new_null(); 473 if (cctx->canames == NULL) 474 return 0; 475 return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); 476 } 477 478 static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) 479 { 480 if (cctx->canames == NULL) 481 cctx->canames = sk_X509_NAME_new_null(); 482 if (cctx->canames == NULL) 483 return 0; 484 return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); 485 } 486 487 #ifndef OPENSSL_NO_DH 488 static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) 489 { 490 int rv = 0; 491 DH *dh = NULL; 492 BIO *in = NULL; 493 if (cctx->ctx || cctx->ssl) { 494 in = BIO_new(BIO_s_file()); 495 if (in == NULL) 496 goto end; 497 if (BIO_read_filename(in, value) <= 0) 498 goto end; 499 dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); 500 if (dh == NULL) 501 goto end; 502 } else 503 return 1; 504 if (cctx->ctx) 505 rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); 506 if (cctx->ssl) 507 rv = SSL_set_tmp_dh(cctx->ssl, dh); 508 end: 509 DH_free(dh); 510 BIO_free(in); 511 return rv > 0; 512 } 513 #endif 514 typedef struct { 515 int (*cmd) (SSL_CONF_CTX *cctx, const char *value); 516 const char *str_file; 517 const char *str_cmdline; 518 unsigned short flags; 519 unsigned short value_type; 520 } ssl_conf_cmd_tbl; 521 522 /* Table of supported parameters */ 523 524 #define SSL_CONF_CMD(name, cmdopt, flags, type) \ 525 {cmd_##name, #name, cmdopt, flags, type} 526 527 #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ 528 SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) 529 530 #define SSL_CONF_CMD_SWITCH(name, flags) \ 531 {0, NULL, name, flags, SSL_CONF_TYPE_NONE} 532 533 /* See apps/apps.h if you change this table. */ 534 static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { 535 SSL_CONF_CMD_SWITCH("no_ssl3", 0), 536 SSL_CONF_CMD_SWITCH("no_tls1", 0), 537 SSL_CONF_CMD_SWITCH("no_tls1_1", 0), 538 SSL_CONF_CMD_SWITCH("no_tls1_2", 0), 539 SSL_CONF_CMD_SWITCH("bugs", 0), 540 SSL_CONF_CMD_SWITCH("no_comp", 0), 541 SSL_CONF_CMD_SWITCH("comp", 0), 542 SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), 543 SSL_CONF_CMD_SWITCH("no_ticket", 0), 544 SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), 545 SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), 546 SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER), 547 SSL_CONF_CMD_SWITCH("no_renegotiation", 0), 548 SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), 549 SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), 550 SSL_CONF_CMD_SWITCH("strict", 0), 551 SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), 552 SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), 553 SSL_CONF_CMD_STRING(Curves, "curves", 0), 554 #ifndef OPENSSL_NO_EC 555 SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), 556 #endif 557 SSL_CONF_CMD_STRING(CipherString, "cipher", 0), 558 SSL_CONF_CMD_STRING(Protocol, NULL, 0), 559 SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), 560 SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), 561 SSL_CONF_CMD_STRING(Options, NULL, 0), 562 SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), 563 SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, 564 SSL_CONF_TYPE_FILE), 565 SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE, 566 SSL_CONF_TYPE_FILE), 567 SSL_CONF_CMD(ServerInfoFile, NULL, 568 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, 569 SSL_CONF_TYPE_FILE), 570 SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE, 571 SSL_CONF_TYPE_DIR), 572 SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE, 573 SSL_CONF_TYPE_FILE), 574 SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE, 575 SSL_CONF_TYPE_DIR), 576 SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, 577 SSL_CONF_TYPE_FILE), 578 SSL_CONF_CMD(ClientCAFile, NULL, 579 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, 580 SSL_CONF_TYPE_FILE), 581 SSL_CONF_CMD(ClientCAPath, NULL, 582 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, 583 SSL_CONF_TYPE_DIR), 584 #ifndef OPENSSL_NO_DH 585 SSL_CONF_CMD(DHParameters, "dhparam", 586 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, 587 SSL_CONF_TYPE_FILE) 588 #endif 589 }; 590 591 /* Supported switches: must match order of switches in ssl_conf_cmds */ 592 static const ssl_switch_tbl ssl_cmd_switches[] = { 593 {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ 594 {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ 595 {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ 596 {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ 597 {SSL_OP_ALL, 0}, /* bugs */ 598 {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ 599 {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ 600 {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ 601 {SSL_OP_NO_TICKET, 0}, /* no_ticket */ 602 {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ 603 /* legacy_renegotiation */ 604 {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, 605 /* legacy_server_connect */ 606 {SSL_OP_LEGACY_SERVER_CONNECT, 0}, 607 /* no_renegotiation */ 608 {SSL_OP_NO_RENEGOTIATION, 0}, 609 /* no_resumption_on_reneg */ 610 {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, 611 /* no_legacy_server_connect */ 612 {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, 613 {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ 614 }; 615 616 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) 617 { 618 if (!pcmd || !*pcmd) 619 return 0; 620 /* If a prefix is set, check and skip */ 621 if (cctx->prefix) { 622 if (strlen(*pcmd) <= cctx->prefixlen) 623 return 0; 624 if (cctx->flags & SSL_CONF_FLAG_CMDLINE && 625 strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) 626 return 0; 627 if (cctx->flags & SSL_CONF_FLAG_FILE && 628 strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) 629 return 0; 630 *pcmd += cctx->prefixlen; 631 } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { 632 if (**pcmd != '-' || !(*pcmd)[1]) 633 return 0; 634 *pcmd += 1; 635 } 636 return 1; 637 } 638 639 /* Determine if a command is allowed according to cctx flags */ 640 static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t) 641 { 642 unsigned int tfl = t->flags; 643 unsigned int cfl = cctx->flags; 644 if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) 645 return 0; 646 if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) 647 return 0; 648 if ((tfl & SSL_CONF_FLAG_CERTIFICATE) 649 && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) 650 return 0; 651 return 1; 652 } 653 654 static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, 655 const char *cmd) 656 { 657 const ssl_conf_cmd_tbl *t; 658 size_t i; 659 if (cmd == NULL) 660 return NULL; 661 662 /* Look for matching parameter name in table */ 663 for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { 664 if (ssl_conf_cmd_allowed(cctx, t)) { 665 if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { 666 if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) 667 return t; 668 } 669 if (cctx->flags & SSL_CONF_FLAG_FILE) { 670 if (t->str_file && strcasecmp(t->str_file, cmd) == 0) 671 return t; 672 } 673 } 674 } 675 return NULL; 676 } 677 678 static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) 679 { 680 /* Find index of command in table */ 681 size_t idx = cmd - ssl_conf_cmds; 682 const ssl_switch_tbl *scmd; 683 /* Sanity check index */ 684 if (idx >= OSSL_NELEM(ssl_cmd_switches)) 685 return 0; 686 /* Obtain switches entry with same index */ 687 scmd = ssl_cmd_switches + idx; 688 ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); 689 return 1; 690 } 691 692 int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) 693 { 694 const ssl_conf_cmd_tbl *runcmd; 695 if (cmd == NULL) { 696 SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); 697 return 0; 698 } 699 700 if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) 701 return -2; 702 703 runcmd = ssl_conf_cmd_lookup(cctx, cmd); 704 705 if (runcmd) { 706 int rv; 707 if (runcmd->value_type == SSL_CONF_TYPE_NONE) { 708 return ctrl_switch_option(cctx, runcmd); 709 } 710 if (value == NULL) 711 return -3; 712 rv = runcmd->cmd(cctx, value); 713 if (rv > 0) 714 return 2; 715 if (rv == -2) 716 return -2; 717 if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { 718 SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); 719 ERR_add_error_data(4, "cmd=", cmd, ", value=", value); 720 } 721 return 0; 722 } 723 724 if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { 725 SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); 726 ERR_add_error_data(2, "cmd=", cmd); 727 } 728 729 return -2; 730 } 731 732 int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) 733 { 734 int rv; 735 const char *arg = NULL, *argn; 736 if (pargc && *pargc == 0) 737 return 0; 738 if (!pargc || *pargc > 0) 739 arg = **pargv; 740 if (arg == NULL) 741 return 0; 742 if (!pargc || *pargc > 1) 743 argn = (*pargv)[1]; 744 else 745 argn = NULL; 746 cctx->flags &= ~SSL_CONF_FLAG_FILE; 747 cctx->flags |= SSL_CONF_FLAG_CMDLINE; 748 rv = SSL_CONF_cmd(cctx, arg, argn); 749 if (rv > 0) { 750 /* Success: update pargc, pargv */ 751 (*pargv) += rv; 752 if (pargc) 753 (*pargc) -= rv; 754 return rv; 755 } 756 /* Unknown switch: indicate no arguments processed */ 757 if (rv == -2) 758 return 0; 759 /* Some error occurred processing command, return fatal error */ 760 if (rv == 0) 761 return -1; 762 return rv; 763 } 764 765 int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) 766 { 767 if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { 768 const ssl_conf_cmd_tbl *runcmd; 769 runcmd = ssl_conf_cmd_lookup(cctx, cmd); 770 if (runcmd) 771 return runcmd->value_type; 772 } 773 return SSL_CONF_TYPE_UNKNOWN; 774 } 775 776 SSL_CONF_CTX *SSL_CONF_CTX_new(void) 777 { 778 SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); 779 780 return ret; 781 } 782 783 int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) 784 { 785 /* See if any certificates are missing private keys */ 786 size_t i; 787 CERT *c = NULL; 788 if (cctx->ctx) 789 c = cctx->ctx->cert; 790 else if (cctx->ssl) 791 c = cctx->ssl->cert; 792 if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { 793 for (i = 0; i < SSL_PKEY_NUM; i++) { 794 const char *p = cctx->cert_filename[i]; 795 /* 796 * If missing private key try to load one from certificate file 797 */ 798 if (p && !c->pkeys[i].privatekey) { 799 if (!cmd_PrivateKey(cctx, p)) 800 return 0; 801 } 802 } 803 } 804 if (cctx->canames) { 805 if (cctx->ssl) 806 SSL_set_client_CA_list(cctx->ssl, cctx->canames); 807 else if (cctx->ctx) 808 SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames); 809 else 810 sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); 811 cctx->canames = NULL; 812 } 813 return 1; 814 } 815 816 void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) 817 { 818 if (cctx) { 819 size_t i; 820 for (i = 0; i < SSL_PKEY_NUM; i++) 821 OPENSSL_free(cctx->cert_filename[i]); 822 OPENSSL_free(cctx->prefix); 823 sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); 824 OPENSSL_free(cctx); 825 } 826 } 827 828 unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) 829 { 830 cctx->flags |= flags; 831 return cctx->flags; 832 } 833 834 unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) 835 { 836 cctx->flags &= ~flags; 837 return cctx->flags; 838 } 839 840 int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) 841 { 842 char *tmp = NULL; 843 if (pre) { 844 tmp = OPENSSL_strdup(pre); 845 if (tmp == NULL) 846 return 0; 847 } 848 OPENSSL_free(cctx->prefix); 849 cctx->prefix = tmp; 850 if (tmp) 851 cctx->prefixlen = strlen(tmp); 852 else 853 cctx->prefixlen = 0; 854 return 1; 855 } 856 857 void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) 858 { 859 cctx->ssl = ssl; 860 cctx->ctx = NULL; 861 if (ssl) { 862 cctx->poptions = &ssl->options; 863 cctx->min_version = &ssl->min_proto_version; 864 cctx->max_version = &ssl->max_proto_version; 865 cctx->pcert_flags = &ssl->cert->cert_flags; 866 cctx->pvfy_flags = &ssl->verify_mode; 867 } else { 868 cctx->poptions = NULL; 869 cctx->min_version = NULL; 870 cctx->max_version = NULL; 871 cctx->pcert_flags = NULL; 872 cctx->pvfy_flags = NULL; 873 } 874 } 875 876 void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) 877 { 878 cctx->ctx = ctx; 879 cctx->ssl = NULL; 880 if (ctx) { 881 cctx->poptions = &ctx->options; 882 cctx->min_version = &ctx->min_proto_version; 883 cctx->max_version = &ctx->max_proto_version; 884 cctx->pcert_flags = &ctx->cert->cert_flags; 885 cctx->pvfy_flags = &ctx->verify_mode; 886 } else { 887 cctx->poptions = NULL; 888 cctx->min_version = NULL; 889 cctx->max_version = NULL; 890 cctx->pcert_flags = NULL; 891 cctx->pvfy_flags = NULL; 892 } 893 } 894