ssl_conf.c@ 97371

Last change on this file since 97371 was 95219, checked in by vboxsync, 3 years ago
libs/openssl: Switched to v3.0.3, bugref:10128
File size: 33.4 KB

Line
1	/*
2	* Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <stdio.h>
11	#include "ssl_local.h"
12	#include <openssl/conf.h>
13	#include <openssl/objects.h>
14	#include <openssl/decoder.h>
15	#include <openssl/core_dispatch.h>
16	#include "internal/nelem.h"
17
18	/*
19	* structure holding name tables. This is used for permitted elements in lists
20	* such as TLSv1.
21	*/
22
23	typedef struct {
24	const char *name;
25	int namelen;
26	unsigned int name_flags;
27	uint64_t option_value;
28	} ssl_flag_tbl;
29
30	/* Switch table: use for single command line switches like no_tls2 */
31	typedef struct {
32	uint64_t option_value;
33	unsigned int name_flags;
34	} ssl_switch_tbl;
35
36	/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
37	#define SSL_TFLAG_INV 0x1
38	/* Mask for type of flag referred to */
39	#define SSL_TFLAG_TYPE_MASK 0xf00
40	/* Flag is for options */
41	#define SSL_TFLAG_OPTION 0x000
42	/* Flag is for cert_flags */
43	#define SSL_TFLAG_CERT 0x100
44	/* Flag is for verify mode */
45	#define SSL_TFLAG_VFY 0x200
46	/* Option can only be used for clients */
47	#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
48	/* Option can only be used for servers */
49	#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
50	#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT\|SSL_TFLAG_SERVER)
51
52	#define SSL_FLAG_TBL(str, flag) \
53	{str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
54	#define SSL_FLAG_TBL_SRV(str, flag) \
55	{str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
56	#define SSL_FLAG_TBL_CLI(str, flag) \
57	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
58	#define SSL_FLAG_TBL_INV(str, flag) \
59	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV\|SSL_TFLAG_BOTH, flag}
60	#define SSL_FLAG_TBL_SRV_INV(str, flag) \
61	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV\|SSL_TFLAG_SERVER, flag}
62	#define SSL_FLAG_TBL_CERT(str, flag) \
63	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT\|SSL_TFLAG_BOTH, flag}
64
65	#define SSL_FLAG_VFY_CLI(str, flag) \
66	{str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY \| SSL_TFLAG_CLIENT, flag}
67	#define SSL_FLAG_VFY_SRV(str, flag) \
68	{str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY \| SSL_TFLAG_SERVER, flag}
69
70	/*
71	* Opaque structure containing SSL configuration context.
72	*/
73
74	struct ssl_conf_ctx_st {
75	/*
76	* Various flags indicating (among other things) which options we will
77	* recognise.
78	*/
79	unsigned int flags;
80	/* Prefix and length of commands */
81	char *prefix;
82	size_t prefixlen;
83	/* SSL_CTX or SSL structure to perform operations on */
84	SSL_CTX *ctx;
85	SSL *ssl;
86	/* Pointer to SSL or SSL_CTX options field or NULL if none */
87	uint64_t *poptions;
88	/* Certificate filenames for each type */
89	char *cert_filename[SSL_PKEY_NUM];
90	/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
91	uint32_t *pcert_flags;
92	/* Pointer to SSL or SSL_CTX verify_mode or NULL if none */
93	uint32_t *pvfy_flags;
94	/* Pointer to SSL or SSL_CTX min_version field or NULL if none */
95	int *min_version;
96	/* Pointer to SSL or SSL_CTX max_version field or NULL if none */
97	int *max_version;
98	/* Current flag table being worked on */
99	const ssl_flag_tbl *tbl;
100	/* Size of table */
101	size_t ntbl;
102	/* Client CA names */
103	STACK_OF(X509_NAME) *canames;
104	};
105
106	static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
107	uint64_t option_value, int onoff)
108	{
109	uint32_t *pflags;
110
111	if (cctx->poptions == NULL)
112	return;
113	if (name_flags & SSL_TFLAG_INV)
114	onoff ^= 1;
115	switch (name_flags & SSL_TFLAG_TYPE_MASK) {
116
117	case SSL_TFLAG_CERT:
118	pflags = cctx->pcert_flags;
119	break;
120
121	case SSL_TFLAG_VFY:
122	pflags = cctx->pvfy_flags;
123	break;
124
125	case SSL_TFLAG_OPTION:
126	if (onoff)
127	*cctx->poptions \|= option_value;
128	else
129	*cctx->poptions &= ~option_value;
130	return;
131
132	default:
133	return;
134
135	}
136	if (onoff)
137	*pflags \|= option_value;
138	else
139	*pflags &= ~option_value;
140	}
141
142	static int ssl_match_option(SSL_CONF_CTX cctx, const ssl_flag_tbl tbl,
143	const char *name, int namelen, int onoff)
144	{
145	/* If name not relevant for context skip */
146	if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
147	return 0;
148	if (namelen == -1) {
149	if (strcmp(tbl->name, name))
150	return 0;
151	} else if (tbl->namelen != namelen
152	\|\| OPENSSL_strncasecmp(tbl->name, name, namelen))
153	return 0;
154	ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
155	return 1;
156	}
157
158	static int ssl_set_option_list(const char elem, int len, void usr)
159	{
160	SSL_CONF_CTX *cctx = usr;
161	size_t i;
162	const ssl_flag_tbl *tbl;
163	int onoff = 1;
164	/*
165	* len == -1 indicates not being called in list context, just for single
166	* command line switches, so don't allow +, -.
167	*/
168	if (elem == NULL)
169	return 0;
170	if (len != -1) {
171	if (*elem == '+') {
172	elem++;
173	len--;
174	onoff = 1;
175	} else if (*elem == '-') {
176	elem++;
177	len--;
178	onoff = 0;
179	}
180	}
181	for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) {
182	if (ssl_match_option(cctx, tbl, elem, len, onoff))
183	return 1;
184	}
185	return 0;
186	}
187
188	/* Set supported signature algorithms */
189	static int cmd_SignatureAlgorithms(SSL_CONF_CTX cctx, const char value)
190	{
191	int rv;
192	if (cctx->ssl)
193	rv = SSL_set1_sigalgs_list(cctx->ssl, value);
194	/* NB: ctx == NULL performs syntax checking only */
195	else
196	rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
197	return rv > 0;
198	}
199
200	/* Set supported client signature algorithms */
201	static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX cctx, const char value)
202	{
203	int rv;
204	if (cctx->ssl)
205	rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
206	/* NB: ctx == NULL performs syntax checking only */
207	else
208	rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
209	return rv > 0;
210	}
211
212	static int cmd_Groups(SSL_CONF_CTX cctx, const char value)
213	{
214	int rv;
215	if (cctx->ssl)
216	rv = SSL_set1_groups_list(cctx->ssl, value);
217	/* NB: ctx == NULL performs syntax checking only */
218	else
219	rv = SSL_CTX_set1_groups_list(cctx->ctx, value);
220	return rv > 0;
221	}
222
223	/* This is the old name for cmd_Groups - retained for backwards compatibility */
224	static int cmd_Curves(SSL_CONF_CTX cctx, const char value)
225	{
226	return cmd_Groups(cctx, value);
227	}
228
229	/* ECDH temporary parameters */
230	static int cmd_ECDHParameters(SSL_CONF_CTX cctx, const char value)
231	{
232	int rv = 1;
233
234	/* Ignore values supported by 1.0.2 for the automatic selection */
235	if ((cctx->flags & SSL_CONF_FLAG_FILE)
236	&& (OPENSSL_strcasecmp(value, "+automatic") == 0
237	\|\| OPENSSL_strcasecmp(value, "automatic") == 0))
238	return 1;
239	if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
240	strcmp(value, "auto") == 0)
241	return 1;
242
243	/* ECDHParameters accepts a single group name */
244	if (strstr(value, ":") != NULL)
245	return 0;
246
247	if (cctx->ctx)
248	rv = SSL_CTX_set1_groups_list(cctx->ctx, value);
249	else if (cctx->ssl)
250	rv = SSL_set1_groups_list(cctx->ssl, value);
251
252	return rv > 0;
253	}
254
255	static int cmd_CipherString(SSL_CONF_CTX cctx, const char value)
256	{
257	int rv = 1;
258
259	if (cctx->ctx)
260	rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
261	if (cctx->ssl)
262	rv = SSL_set_cipher_list(cctx->ssl, value);
263	return rv > 0;
264	}
265
266	static int cmd_Ciphersuites(SSL_CONF_CTX cctx, const char value)
267	{
268	int rv = 1;
269
270	if (cctx->ctx)
271	rv = SSL_CTX_set_ciphersuites(cctx->ctx, value);
272	if (cctx->ssl)
273	rv = SSL_set_ciphersuites(cctx->ssl, value);
274	return rv > 0;
275	}
276
277	static int cmd_Protocol(SSL_CONF_CTX cctx, const char value)
278	{
279	static const ssl_flag_tbl ssl_protocol_list[] = {
280	SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
281	SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
282	SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
283	SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
284	SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
285	SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
286	SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
287	SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
288	SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
289	};
290	cctx->tbl = ssl_protocol_list;
291	cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
292	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
293	}
294
295	/*
296	* protocol_from_string - converts a protocol version string to a number
297	*
298	* Returns -1 on failure or the version on success
299	*/
300	static int protocol_from_string(const char *value)
301	{
302	struct protocol_versions {
303	const char *name;
304	int version;
305	};
306	/*
307	* Note: To avoid breaking previously valid configurations, we must retain
308	* legacy entries in this table even if the underlying protocol is no
309	* longer supported. This also means that the constants SSL3_VERSION, ...
310	* need to be retained indefinitely. This table can only grow, never
311	* shrink.
312	*/
313	static const struct protocol_versions versions[] = {
314	{"None", 0},
315	{"SSLv3", SSL3_VERSION},
316	{"TLSv1", TLS1_VERSION},
317	{"TLSv1.1", TLS1_1_VERSION},
318	{"TLSv1.2", TLS1_2_VERSION},
319	{"TLSv1.3", TLS1_3_VERSION},
320	{"DTLSv1", DTLS1_VERSION},
321	{"DTLSv1.2", DTLS1_2_VERSION}
322	};
323	size_t i;
324	size_t n = OSSL_NELEM(versions);
325
326	for (i = 0; i < n; i++)
327	if (strcmp(versions[i].name, value) == 0)
328	return versions[i].version;
329	return -1;
330	}
331
332	static int min_max_proto(SSL_CONF_CTX cctx, const char value, int *bound)
333	{
334	int method_version;
335	int new_version;
336
337	if (cctx->ctx != NULL)
338	method_version = cctx->ctx->method->version;
339	else if (cctx->ssl != NULL)
340	method_version = cctx->ssl->ctx->method->version;
341	else
342	return 0;
343	if ((new_version = protocol_from_string(value)) < 0)
344	return 0;
345	return ssl_set_version_bound(method_version, new_version, bound);
346	}
347
348	/*
349	* cmd_MinProtocol - Set min protocol version
350	* @cctx: config structure to save settings in
351	* @value: The min protocol version in string form
352	*
353	* Returns 1 on success and 0 on failure.
354	*/
355	static int cmd_MinProtocol(SSL_CONF_CTX cctx, const char value)
356	{
357	return min_max_proto(cctx, value, cctx->min_version);
358	}
359
360	/*
361	* cmd_MaxProtocol - Set max protocol version
362	* @cctx: config structure to save settings in
363	* @value: The max protocol version in string form
364	*
365	* Returns 1 on success and 0 on failure.
366	*/
367	static int cmd_MaxProtocol(SSL_CONF_CTX cctx, const char value)
368	{
369	return min_max_proto(cctx, value, cctx->max_version);
370	}
371
372	static int cmd_Options(SSL_CONF_CTX cctx, const char value)
373	{
374	static const ssl_flag_tbl ssl_option_list[] = {
375	SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
376	SSL_FLAG_TBL_INV("EmptyFragments",
377	SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
378	SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
379	SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
380	SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
381	SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation",
382	SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
383	SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
384	SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
385	SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
386	SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
387	SSL_FLAG_TBL("ClientRenegotiation",
388	SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
389	SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
390	SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
391	SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
392	SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
393	SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
394	SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
395	SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
396	SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES),
397	SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS)
398	};
399	if (value == NULL)
400	return -3;
401	cctx->tbl = ssl_option_list;
402	cctx->ntbl = OSSL_NELEM(ssl_option_list);
403	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
404	}
405
406	static int cmd_VerifyMode(SSL_CONF_CTX cctx, const char value)
407	{
408	static const ssl_flag_tbl ssl_vfy_list[] = {
409	SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER),
410	SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
411	SSL_FLAG_VFY_SRV("Require",
412	SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
413	SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER \| SSL_VERIFY_CLIENT_ONCE),
414	SSL_FLAG_VFY_SRV("RequestPostHandshake",
415	SSL_VERIFY_PEER \| SSL_VERIFY_POST_HANDSHAKE),
416	SSL_FLAG_VFY_SRV("RequirePostHandshake",
417	SSL_VERIFY_PEER \| SSL_VERIFY_POST_HANDSHAKE \|
418	SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
419	};
420	if (value == NULL)
421	return -3;
422	cctx->tbl = ssl_vfy_list;
423	cctx->ntbl = OSSL_NELEM(ssl_vfy_list);
424	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
425	}
426
427	static int cmd_Certificate(SSL_CONF_CTX cctx, const char value)
428	{
429	int rv = 1;
430	CERT *c = NULL;
431	if (cctx->ctx) {
432	rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
433	c = cctx->ctx->cert;
434	}
435	if (cctx->ssl) {
436	rv = SSL_use_certificate_chain_file(cctx->ssl, value);
437	c = cctx->ssl->cert;
438	}
439	if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
440	char **pfilename = &cctx->cert_filename[c->key - c->pkeys];
441	OPENSSL_free(*pfilename);
442	*pfilename = OPENSSL_strdup(value);
443	if (*pfilename == NULL)
444	rv = 0;
445	}
446
447	return rv > 0;
448	}
449
450	static int cmd_PrivateKey(SSL_CONF_CTX cctx, const char value)
451	{
452	int rv = 1;
453	if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
454	return -2;
455	if (cctx->ctx)
456	rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM);
457	if (cctx->ssl)
458	rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
459	return rv > 0;
460	}
461
462	static int cmd_ServerInfoFile(SSL_CONF_CTX cctx, const char value)
463	{
464	int rv = 1;
465	if (cctx->ctx)
466	rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
467	return rv > 0;
468	}
469
470	static int do_store(SSL_CONF_CTX *cctx,
471	const char CAfile, const char CApath, const char *CAstore,
472	int verify_store)
473	{
474	CERT *cert;
475	X509_STORE **st;
476	SSL_CTX *ctx;
477	OSSL_LIB_CTX *libctx = NULL;
478	const char *propq = NULL;
479
480	if (cctx->ctx != NULL) {
481	cert = cctx->ctx->cert;
482	ctx = cctx->ctx;
483	} else if (cctx->ssl != NULL) {
484	cert = cctx->ssl->cert;
485	ctx = cctx->ssl->ctx;
486	} else {
487	return 1;
488	}
489	if (ctx != NULL) {
490	libctx = ctx->libctx;
491	propq = ctx->propq;
492	}
493	st = verify_store ? &cert->verify_store : &cert->chain_store;
494	if (*st == NULL) {
495	*st = X509_STORE_new();
496	if (*st == NULL)
497	return 0;
498	}
499
500	if (CAfile != NULL && !X509_STORE_load_file_ex(*st, CAfile, libctx, propq))
501	return 0;
502	if (CApath != NULL && !X509_STORE_load_path(*st, CApath))
503	return 0;
504	if (CAstore != NULL && !X509_STORE_load_store_ex(*st, CAstore, libctx,
505	propq))
506	return 0;
507	return 1;
508	}
509
510	static int cmd_ChainCAPath(SSL_CONF_CTX cctx, const char value)
511	{
512	return do_store(cctx, NULL, value, NULL, 0);
513	}
514
515	static int cmd_ChainCAFile(SSL_CONF_CTX cctx, const char value)
516	{
517	return do_store(cctx, value, NULL, NULL, 0);
518	}
519
520	static int cmd_ChainCAStore(SSL_CONF_CTX cctx, const char value)
521	{
522	return do_store(cctx, NULL, NULL, value, 0);
523	}
524
525	static int cmd_VerifyCAPath(SSL_CONF_CTX cctx, const char value)
526	{
527	return do_store(cctx, NULL, value, NULL, 1);
528	}
529
530	static int cmd_VerifyCAFile(SSL_CONF_CTX cctx, const char value)
531	{
532	return do_store(cctx, value, NULL, NULL, 1);
533	}
534
535	static int cmd_VerifyCAStore(SSL_CONF_CTX cctx, const char value)
536	{
537	return do_store(cctx, NULL, NULL, value, 1);
538	}
539
540	static int cmd_RequestCAFile(SSL_CONF_CTX cctx, const char value)
541	{
542	if (cctx->canames == NULL)
543	cctx->canames = sk_X509_NAME_new_null();
544	if (cctx->canames == NULL)
545	return 0;
546	return SSL_add_file_cert_subjects_to_stack(cctx->canames, value);
547	}
548
549	static int cmd_ClientCAFile(SSL_CONF_CTX cctx, const char value)
550	{
551	return cmd_RequestCAFile(cctx, value);
552	}
553
554	static int cmd_RequestCAPath(SSL_CONF_CTX cctx, const char value)
555	{
556	if (cctx->canames == NULL)
557	cctx->canames = sk_X509_NAME_new_null();
558	if (cctx->canames == NULL)
559	return 0;
560	return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value);
561	}
562
563	static int cmd_ClientCAPath(SSL_CONF_CTX cctx, const char value)
564	{
565	return cmd_RequestCAPath(cctx, value);
566	}
567
568	static int cmd_RequestCAStore(SSL_CONF_CTX cctx, const char value)
569	{
570	if (cctx->canames == NULL)
571	cctx->canames = sk_X509_NAME_new_null();
572	if (cctx->canames == NULL)
573	return 0;
574	return SSL_add_store_cert_subjects_to_stack(cctx->canames, value);
575	}
576
577	static int cmd_ClientCAStore(SSL_CONF_CTX cctx, const char value)
578	{
579	return cmd_RequestCAStore(cctx, value);
580	}
581
582	static int cmd_DHParameters(SSL_CONF_CTX cctx, const char value)
583	{
584	int rv = 0;
585	EVP_PKEY *dhpkey = NULL;
586	BIO *in = NULL;
587	SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx;
588	OSSL_DECODER_CTX *decoderctx = NULL;
589
590	if (cctx->ctx != NULL \|\| cctx->ssl != NULL) {
591	in = BIO_new(BIO_s_file());
592	if (in == NULL)
593	goto end;
594	if (BIO_read_filename(in, value) <= 0)
595	goto end;
596
597	decoderctx
598	= OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH",
599	OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
600	sslctx->libctx, sslctx->propq);
601	if (decoderctx == NULL)
602	goto end;
603	ERR_set_mark();
604	while (!OSSL_DECODER_from_bio(decoderctx, in)
605	&& dhpkey == NULL
606	&& !BIO_eof(in));
607	OSSL_DECODER_CTX_free(decoderctx);
608
609	if (dhpkey == NULL) {
610	ERR_clear_last_mark();
611	goto end;
612	}
613	ERR_pop_to_mark();
614	} else {
615	return 1;
616	}
617
618	if (cctx->ctx != NULL) {
619	if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0)
620	dhpkey = NULL;
621	}
622	if (cctx->ssl != NULL) {
623	if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0)
624	dhpkey = NULL;
625	}
626	end:
627	EVP_PKEY_free(dhpkey);
628	BIO_free(in);
629	return rv > 0;
630	}
631
632	static int cmd_RecordPadding(SSL_CONF_CTX cctx, const char value)
633	{
634	int rv = 0;
635	int block_size = atoi(value);
636
637	/*
638	* All we care about is a non-negative value,
639	* the setters check the range
640	*/
641	if (block_size >= 0) {
642	if (cctx->ctx)
643	rv = SSL_CTX_set_block_padding(cctx->ctx, block_size);
644	if (cctx->ssl)
645	rv = SSL_set_block_padding(cctx->ssl, block_size);
646	}
647	return rv;
648	}
649
650
651	static int cmd_NumTickets(SSL_CONF_CTX cctx, const char value)
652	{
653	int rv = 0;
654	int num_tickets = atoi(value);
655
656	if (num_tickets >= 0) {
657	if (cctx->ctx)
658	rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
659	if (cctx->ssl)
660	rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
661	}
662	return rv;
663	}
664
665	typedef struct {
666	int (cmd) (SSL_CONF_CTX cctx, const char *value);
667	const char *str_file;
668	const char *str_cmdline;
669	unsigned short flags;
670	unsigned short value_type;
671	} ssl_conf_cmd_tbl;
672
673	/* Table of supported parameters */
674
675	#define SSL_CONF_CMD(name, cmdopt, flags, type) \
676	{cmd_##name, #name, cmdopt, flags, type}
677
678	#define SSL_CONF_CMD_STRING(name, cmdopt, flags) \
679	SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING)
680
681	#define SSL_CONF_CMD_SWITCH(name, flags) \
682	{0, NULL, name, flags, SSL_CONF_TYPE_NONE}
683
684	/* See apps/include/opt.h if you change this table. */
685	/* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */
686	static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
687	SSL_CONF_CMD_SWITCH("no_ssl3", 0),
688	SSL_CONF_CMD_SWITCH("no_tls1", 0),
689	SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
690	SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
691	SSL_CONF_CMD_SWITCH("no_tls1_3", 0),
692	SSL_CONF_CMD_SWITCH("bugs", 0),
693	SSL_CONF_CMD_SWITCH("no_comp", 0),
694	SSL_CONF_CMD_SWITCH("comp", 0),
695	SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
696	SSL_CONF_CMD_SWITCH("no_ticket", 0),
697	SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
698	SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
699	SSL_CONF_CMD_SWITCH("client_renegotiation", SSL_CONF_FLAG_SERVER),
700	SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
701	SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
702	SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
703	SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
704	SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
705	SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
706	SSL_CONF_CMD_SWITCH("strict", 0),
707	SSL_CONF_CMD_SWITCH("no_middlebox", 0),
708	SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
709	SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
710	SSL_CONF_CMD_SWITCH("no_etm", 0),
711	SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
712	SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
713	SSL_CONF_CMD_STRING(Curves, "curves", 0),
714	SSL_CONF_CMD_STRING(Groups, "groups", 0),
715	SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
716	SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
717	SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0),
718	SSL_CONF_CMD_STRING(Protocol, NULL, 0),
719	SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
720	SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
721	SSL_CONF_CMD_STRING(Options, NULL, 0),
722	SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
723	SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
724	SSL_CONF_TYPE_FILE),
725	SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,
726	SSL_CONF_TYPE_FILE),
727	SSL_CONF_CMD(ServerInfoFile, NULL,
728	SSL_CONF_FLAG_SERVER \| SSL_CONF_FLAG_CERTIFICATE,
729	SSL_CONF_TYPE_FILE),
730	SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE,
731	SSL_CONF_TYPE_DIR),
732	SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
733	SSL_CONF_TYPE_FILE),
734	SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE,
735	SSL_CONF_TYPE_STORE),
736	SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
737	SSL_CONF_TYPE_DIR),
738	SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
739	SSL_CONF_TYPE_FILE),
740	SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE,
741	SSL_CONF_TYPE_STORE),
742	SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE,
743	SSL_CONF_TYPE_FILE),
744	SSL_CONF_CMD(ClientCAFile, NULL,
745	SSL_CONF_FLAG_SERVER \| SSL_CONF_FLAG_CERTIFICATE,
746	SSL_CONF_TYPE_FILE),
747	SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE,
748	SSL_CONF_TYPE_DIR),
749	SSL_CONF_CMD(ClientCAPath, NULL,
750	SSL_CONF_FLAG_SERVER \| SSL_CONF_FLAG_CERTIFICATE,
751	SSL_CONF_TYPE_DIR),
752	SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE,
753	SSL_CONF_TYPE_STORE),
754	SSL_CONF_CMD(ClientCAStore, NULL,
755	SSL_CONF_FLAG_SERVER \| SSL_CONF_FLAG_CERTIFICATE,
756	SSL_CONF_TYPE_STORE),
757	SSL_CONF_CMD(DHParameters, "dhparam",
758	SSL_CONF_FLAG_SERVER \| SSL_CONF_FLAG_CERTIFICATE,
759	SSL_CONF_TYPE_FILE),
760	SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
761	SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
762	};
763
764	/* Supported switches: must match order of switches in ssl_conf_cmds */
765	static const ssl_switch_tbl ssl_cmd_switches[] = {
766	{SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */
767	{SSL_OP_NO_TLSv1, 0}, /* no_tls1 */
768	{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
769	{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
770	{SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */
771	{SSL_OP_ALL, 0}, /* bugs */
772	{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
773	{SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
774	{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
775	{SSL_OP_NO_TICKET, 0}, /* no_ticket */
776	{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
777	/* legacy_renegotiation */
778	{SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
779	/* Allow client renegotiation */
780	{SSL_OP_ALLOW_CLIENT_RENEGOTIATION, 0},
781	/* legacy_server_connect */
782	{SSL_OP_LEGACY_SERVER_CONNECT, 0},
783	/* no_renegotiation */
784	{SSL_OP_NO_RENEGOTIATION, 0},
785	/* no_resumption_on_reneg */
786	{SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},
787	/* no_legacy_server_connect */
788	{SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
789	/* allow_no_dhe_kex */
790	{SSL_OP_ALLOW_NO_DHE_KEX, 0},
791	/* chacha reprioritization */
792	{SSL_OP_PRIORITIZE_CHACHA, 0},
793	{SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
794	/* no_middlebox */
795	{SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV},
796	/* anti_replay */
797	{SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
798	/* no_anti_replay */
799	{SSL_OP_NO_ANTI_REPLAY, 0},
800	/* no Encrypt-then-Mac */
801	{SSL_OP_NO_ENCRYPT_THEN_MAC, 0},
802	};
803
804	static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX cctx, const char *pcmd)
805	{
806	if (pcmd == NULL \|\| *pcmd == NULL)
807	return 0;
808	/* If a prefix is set, check and skip */
809	if (cctx->prefix) {
810	if (strlen(*pcmd) <= cctx->prefixlen)
811	return 0;
812	if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
813	strncmp(*pcmd, cctx->prefix, cctx->prefixlen))
814	return 0;
815	if (cctx->flags & SSL_CONF_FLAG_FILE &&
816	OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen))
817	return 0;
818	*pcmd += cctx->prefixlen;
819	} else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
820	if (*pcmd != '-' \|\| !(pcmd)[1])
821	return 0;
822	*pcmd += 1;
823	}
824	return 1;
825	}
826
827	/* Determine if a command is allowed according to cctx flags */
828	static int ssl_conf_cmd_allowed(SSL_CONF_CTX cctx, const ssl_conf_cmd_tbl t)
829	{
830	unsigned int tfl = t->flags;
831	unsigned int cfl = cctx->flags;
832	if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER))
833	return 0;
834	if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT))
835	return 0;
836	if ((tfl & SSL_CONF_FLAG_CERTIFICATE)
837	&& !(cfl & SSL_CONF_FLAG_CERTIFICATE))
838	return 0;
839	return 1;
840	}
841
842	static const ssl_conf_cmd_tbl ssl_conf_cmd_lookup(SSL_CONF_CTX cctx,
843	const char *cmd)
844	{
845	const ssl_conf_cmd_tbl *t;
846	size_t i;
847	if (cmd == NULL)
848	return NULL;
849
850	/* Look for matching parameter name in table */
851	for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) {
852	if (ssl_conf_cmd_allowed(cctx, t)) {
853	if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
854	if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0)
855	return t;
856	}
857	if (cctx->flags & SSL_CONF_FLAG_FILE) {
858	if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0)
859	return t;
860	}
861	}
862	}
863	return NULL;
864	}
865
866	static int ctrl_switch_option(SSL_CONF_CTX cctx, const ssl_conf_cmd_tbl cmd)
867	{
868	/* Find index of command in table */
869	size_t idx = cmd - ssl_conf_cmds;
870	const ssl_switch_tbl *scmd;
871	/* Sanity check index */
872	if (idx >= OSSL_NELEM(ssl_cmd_switches))
873	return 0;
874	/* Obtain switches entry with same index */
875	scmd = ssl_cmd_switches + idx;
876	ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
877	return 1;
878	}
879
880	int SSL_CONF_cmd(SSL_CONF_CTX cctx, const char cmd, const char *value)
881	{
882	const ssl_conf_cmd_tbl *runcmd;
883	if (cmd == NULL) {
884	ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_NULL_CMD_NAME);
885	return 0;
886	}
887
888	if (!ssl_conf_cmd_skip_prefix(cctx, &cmd))
889	return -2;
890
891	runcmd = ssl_conf_cmd_lookup(cctx, cmd);
892
893	if (runcmd) {
894	int rv;
895	if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
896	return ctrl_switch_option(cctx, runcmd);
897	}
898	if (value == NULL)
899	return -3;
900	rv = runcmd->cmd(cctx, value);
901	if (rv > 0)
902	return 2;
903	if (rv == -2)
904	return -2;
905	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
906	ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE,
907	"cmd=%s, value=%s", cmd, value);
908	return 0;
909	}
910
911	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
912	ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd);
913
914	return -2;
915	}
916
917	int SSL_CONF_cmd_argv(SSL_CONF_CTX cctx, int pargc, char ***pargv)
918	{
919	int rv;
920	const char arg = NULL, argn;
921
922	if (pargc != NULL && *pargc == 0)
923	return 0;
924	if (pargc == NULL \|\| *pargc > 0)
925	arg = **pargv;
926	if (arg == NULL)
927	return 0;
928	if (pargc == NULL \|\| *pargc > 1)
929	argn = (*pargv)[1];
930	else
931	argn = NULL;
932	cctx->flags &= ~SSL_CONF_FLAG_FILE;
933	cctx->flags \|= SSL_CONF_FLAG_CMDLINE;
934	rv = SSL_CONF_cmd(cctx, arg, argn);
935	if (rv > 0) {
936	/* Success: update pargc, pargv */
937	(*pargv) += rv;
938	if (pargc)
939	(*pargc) -= rv;
940	return rv;
941	}
942	/* Unknown switch: indicate no arguments processed */
943	if (rv == -2)
944	return 0;
945	/* Some error occurred processing command, return fatal error */
946	if (rv == 0)
947	return -1;
948	return rv;
949	}
950
951	int SSL_CONF_cmd_value_type(SSL_CONF_CTX cctx, const char cmd)
952	{
953	if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) {
954	const ssl_conf_cmd_tbl *runcmd;
955	runcmd = ssl_conf_cmd_lookup(cctx, cmd);
956	if (runcmd)
957	return runcmd->value_type;
958	}
959	return SSL_CONF_TYPE_UNKNOWN;
960	}
961
962	SSL_CONF_CTX *SSL_CONF_CTX_new(void)
963	{
964	SSL_CONF_CTX ret = OPENSSL_zalloc(sizeof(ret));
965
966	return ret;
967	}
968
969	int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx)
970	{
971	/* See if any certificates are missing private keys */
972	size_t i;
973	CERT *c = NULL;
974	if (cctx->ctx)
975	c = cctx->ctx->cert;
976	else if (cctx->ssl)
977	c = cctx->ssl->cert;
978	if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
979	for (i = 0; i < SSL_PKEY_NUM; i++) {
980	const char *p = cctx->cert_filename[i];
981	/*
982	* If missing private key try to load one from certificate file
983	*/
984	if (p && !c->pkeys[i].privatekey) {
985	if (!cmd_PrivateKey(cctx, p))
986	return 0;
987	}
988	}
989	}
990	if (cctx->canames) {
991	if (cctx->ssl)
992	SSL_set0_CA_list(cctx->ssl, cctx->canames);
993	else if (cctx->ctx)
994	SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames);
995	else
996	sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
997	cctx->canames = NULL;
998	}
999	return 1;
1000	}
1001
1002	void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
1003	{
1004	if (cctx) {
1005	size_t i;
1006	for (i = 0; i < SSL_PKEY_NUM; i++)
1007	OPENSSL_free(cctx->cert_filename[i]);
1008	OPENSSL_free(cctx->prefix);
1009	sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
1010	OPENSSL_free(cctx);
1011	}
1012	}
1013
1014	unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
1015	{
1016	cctx->flags \|= flags;
1017	return cctx->flags;
1018	}
1019
1020	unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
1021	{
1022	cctx->flags &= ~flags;
1023	return cctx->flags;
1024	}
1025
1026	int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX cctx, const char pre)
1027	{
1028	char *tmp = NULL;
1029	if (pre) {
1030	tmp = OPENSSL_strdup(pre);
1031	if (tmp == NULL)
1032	return 0;
1033	}
1034	OPENSSL_free(cctx->prefix);
1035	cctx->prefix = tmp;
1036	if (tmp)
1037	cctx->prefixlen = strlen(tmp);
1038	else
1039	cctx->prefixlen = 0;
1040	return 1;
1041	}
1042
1043	void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX cctx, SSL ssl)
1044	{
1045	cctx->ssl = ssl;
1046	cctx->ctx = NULL;
1047	if (ssl) {
1048	cctx->poptions = &ssl->options;
1049	cctx->min_version = &ssl->min_proto_version;
1050	cctx->max_version = &ssl->max_proto_version;
1051	cctx->pcert_flags = &ssl->cert->cert_flags;
1052	cctx->pvfy_flags = &ssl->verify_mode;
1053	} else {
1054	cctx->poptions = NULL;
1055	cctx->min_version = NULL;
1056	cctx->max_version = NULL;
1057	cctx->pcert_flags = NULL;
1058	cctx->pvfy_flags = NULL;
1059	}
1060	}
1061
1062	void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX cctx, SSL_CTX ctx)
1063	{
1064	cctx->ctx = ctx;
1065	cctx->ssl = NULL;
1066	if (ctx) {
1067	cctx->poptions = &ctx->options;
1068	cctx->min_version = &ctx->min_proto_version;
1069	cctx->max_version = &ctx->max_proto_version;
1070	cctx->pcert_flags = &ctx->cert->cert_flags;
1071	cctx->pvfy_flags = &ctx->verify_mode;
1072	} else {
1073	cctx->poptions = NULL;
1074	cctx->min_version = NULL;
1075	cctx->max_version = NULL;
1076	cctx->pcert_flags = NULL;
1077	cctx->pvfy_flags = NULL;
1078	}
1079	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.0.7/ssl/ssl_conf.c@ 97371

Download in other formats: