+static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
+{
+ int onoff = -1, rv = 1;
+ if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
+ return -2;
+ if (cctx->flags & SSL_CONF_FLAG_FILE) {
+ if (*value == '+') {
+ onoff = 1;
+ value++;
+ }
+ if (*value == '-') {
+ onoff = 0;
+ value++;
+ }
+ if (!strcasecmp(value, "automatic")) {
+ if (onoff == -1)
+ onoff = 1;
+ } else if (onoff != -1)
+ return 0;
+ } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
+ if (!strcmp(value, "auto"))
+ onoff = 1;
+ }
+
+ if (onoff != -1) {
+ if (cctx->ctx)
+ rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff);
+ else if (cctx->ssl)
+ rv = SSL_set_ecdh_auto(cctx->ssl, onoff);
+ } else {
+ EC_KEY *ecdh;
+ int nid;
+ nid = EC_curve_nist2nid(value);
+ if (nid == NID_undef)
+ nid = OBJ_sn2nid(value);
+ if (nid == 0)
+ return 0;
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (!ecdh)
+ return 0;
+ if (cctx->ctx)
+ rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh);
+ else if (cctx->ssl)
+ rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh);
+ EC_KEY_free(ecdh);
+ }
+
+ return rv > 0;
+}
+#endif
+static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 1;
+ if (cctx->ctx)
+ rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
+ if (cctx->ssl)
+ rv = SSL_set_cipher_list(cctx->ssl, value);
+ return rv > 0;
+}
+
+static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
+{
+ static const ssl_flag_tbl ssl_protocol_list[] = {
+ SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
+ SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
+ SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
+ SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
+ SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
+ SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
+ };
+ if (!(cctx->flags & SSL_CONF_FLAG_FILE))
+ return -2;
+ cctx->tbl = ssl_protocol_list;
+ cctx->ntbl = sizeof(ssl_protocol_list) / sizeof(ssl_flag_tbl);
+ return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+}
+
+static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+{
+ static const ssl_flag_tbl ssl_option_list[] = {
+ SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
+ SSL_FLAG_TBL_INV("EmptyFragments",
+ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
+ SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
+ SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
+ SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
+ SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation",
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
+ SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
+ SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
+ SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
+ SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
+ };
+ if (!(cctx->flags & SSL_CONF_FLAG_FILE))
+ return -2;
+ if (value == NULL)
+ return -3;
+ cctx->tbl = ssl_option_list;
+ cctx->ntbl = sizeof(ssl_option_list) / sizeof(ssl_flag_tbl);
+ return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+}
+
+static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 1;
+ if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+ return -2;
+ if (cctx->ctx)
+ rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
+ if (cctx->ssl)
+ rv = SSL_use_certificate_file(cctx->ssl, value, SSL_FILETYPE_PEM);
+ return rv > 0;
+}
+
+static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 1;
+ if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+ return -2;
+ if (cctx->ctx)
+ rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM);
+ if (cctx->ssl)
+ rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
+ return rv > 0;
+}
+
+static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 1;
+ if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+ return -2;
+ if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
+ return -2;
+ if (cctx->ctx)
+ rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
+ return rv > 0;
+}
+
+#ifndef OPENSSL_NO_DH
+static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 0;
+ DH *dh = NULL;
+ BIO *in = NULL;
+ if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+ return -2;
+ if (cctx->ctx || cctx->ssl) {
+ in = BIO_new(BIO_s_file_internal());
+ if (!in)
+ goto end;
+ if (BIO_read_filename(in, value) <= 0)
+ goto end;
+ dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+ if (!dh)
+ goto end;
+ } else
+ return 1;
+ if (cctx->ctx)
+ rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh);
+ if (cctx->ssl)
+ rv = SSL_set_tmp_dh(cctx->ssl, dh);
+ end:
+ if (dh)
+ DH_free(dh);
+ if (in)
+ BIO_free(in);
+ return rv > 0;
+}