/*
- * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
if (namelen == -1) {
if (strcmp(tbl->name, name))
return 0;
- } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen))
+ } else if (tbl->namelen != namelen
+ || OPENSSL_strncasecmp(tbl->name, name, namelen))
return 0;
ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
return 1;
/* Ignore values supported by 1.0.2 for the automatic selection */
if ((cctx->flags & SSL_CONF_FLAG_FILE)
- && (strcasecmp(value, "+automatic") == 0
- || strcasecmp(value, "automatic") == 0))
+ && (OPENSSL_strcasecmp(value, "+automatic") == 0
+ || OPENSSL_strcasecmp(value, "automatic") == 0))
return 1;
if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
strcmp(value, "auto") == 0)
SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
+ SSL_FLAG_TBL("UnsafeLegacyServerConnect",
+ SSL_OP_LEGACY_SERVER_CONNECT),
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES),
- SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS)
+ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS),
+ SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT),
+ SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION),
+ SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION),
+ SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE),
};
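Review bot: `UnsafeLegacyServerConnect` at L28-29 is registered with the two-sided `SSL_FLAG_TBL`, while the command-line switch for the same option is restricted to `SSL_CONF_FLAG_CLIENT` (`legacy_server_connect`, and `no_legacy_server_connect` after this commit); since `SSL_OP_LEGACY_SERVER_CONNECT` only influences the client side of a handshake, the config-file entry could use the client-only table macro (`SSL_FLAG_TBL_CLI`, if the file defines one next to the `SSL_FLAG_TBL_SRV` used at L25) so the two interfaces agree on where the option is accepted. This option relaxes the RFC 5746 renegotiation-indication requirement for the initial connection, so a short comment beside the entry, `/* Allows connecting to servers without RI (RFC 5746); client-side opt-in */`, would tell a config author what the "Unsafe" prefix refers to. The table is otherwise consistent with the existing entries.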
if (value == NULL)
return -3;
{
int rv = 1;
CERT *c = NULL;
- if (cctx->ctx) {
+ if (cctx->ctx != NULL) {
rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
c = cctx->ctx->cert;
}
- if (cctx->ssl) {
- rv = SSL_use_certificate_chain_file(cctx->ssl, value);
- c = cctx->ssl->cert;
+ if (cctx->ssl != NULL) {
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
+
+ if (sc != NULL) {
+ rv = SSL_use_certificate_chain_file(cctx->ssl, value);
+ c = sc->cert;
+ } else {
+ rv = 0;
+ }
}
- if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
+ if (rv > 0 && c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
char **pfilename = &cctx->cert_filename[c->key - c->pkeys];
+
OPENSSL_free(*pfilename);
*pfilename = OPENSSL_strdup(value);
if (*pfilename == NULL)
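Review bot: The new `else { rv = 0; }` branch at L62-64 fails the command without recording a reason on the error queue, so unless the caller raises an error for every non-positive return the user gets a bare failure with no hint that the SSL object is not a connection; the same applies to the `return 0` at L79-80. A comment stating the condition would help either way, e.g. `/* Not a TLS connection object: no certificate can be attached here */` (presumably the non-connection SSL types are what SSL_CONNECTION_FROM_SSL() rejects, confirm against its definition), and raising an error before `rv = 0` would make the failure diagnosable. The enclosing function starts and ends outside this hunk.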
cert = cctx->ctx->cert;
ctx = cctx->ctx;
} else if (cctx->ssl != NULL) {
- cert = cctx->ssl->cert;
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
+
+ if (sc == NULL)
+ return 0;
+
+ cert = sc->cert;
ctx = cctx->ssl->ctx;
} else {
return 1;
= OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH",
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
sslctx->libctx, sslctx->propq);
- if (decoderctx == NULL
- || !OSSL_DECODER_from_bio(decoderctx, in)) {
- OSSL_DECODER_CTX_free(decoderctx);
+ if (decoderctx == NULL)
goto end;
- }
+ ERR_set_mark();
+ while (!OSSL_DECODER_from_bio(decoderctx, in)
+ && dhpkey == NULL
+ && !BIO_eof(in));
OSSL_DECODER_CTX_free(decoderctx);
- if (dhpkey == NULL)
+ if (dhpkey == NULL) {
+ ERR_clear_last_mark();
goto end;
+ }
+ ERR_pop_to_mark();
} else {
return 1;
}
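Review bot: The empty-bodied `while (...);` at L96-98 reads like a stray semicolon, and its termination depends on OSSL_DECODER_from_bio() consuming input when it fails on an object that is not DH parameters: if a failed attempt leaves `in` where it was and BIO_eof() stays false, the loop never exits. Making the intent explicit, `while (...) { /* skip non-DH objects until one decodes or the BIO is exhausted */ }`, documents the behaviour, and if the decoder does not guarantee forward progress for every BIO type reachable here the loop should also be bounded (e.g. break when the read position has not advanced since the previous iteration). The `ERR_set_mark()`/`ERR_pop_to_mark()` pairing correctly discards the errors from skipped objects on success and keeps them on failure. The enclosing function starts and ends outside this hunk.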
SSL_CONF_CMD_SWITCH("bugs", 0),
SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("comp", 0),
+ SSL_CONF_CMD_SWITCH("no_tx_cert_comp", 0),
+ SSL_CONF_CMD_SWITCH("tx_cert_comp", 0),
+ SSL_CONF_CMD_SWITCH("no_rx_cert_comp", 0),
+ SSL_CONF_CMD_SWITCH("rx_cert_comp", 0),
SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_ticket", 0),
SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
- SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT),
SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("strict", 0),
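Review bot: The four switches added at L112-115 are matched by position with the four entries added at L130-133 of the option table in the next hunk, so the two arrays are only correct while every insertion happens at the same offset in both; a later edit to one of them silently shifts every following switch onto the wrong option. If the file does not already say so, a comment on each table, `/* Order must match the SSL_CONF_CMD_SWITCH entries; both are indexed in parallel */`, and a compile-time comparison of the two array lengths where the project's portability rules allow it, would catch that. The remaining change in this hunk, moving `no_legacy_server_connect` to `SSL_CONF_FLAG_CLIENT` at L123, is what the commit is for and is not re-raised here.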
{SSL_OP_ALL, 0}, /* bugs */
{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
{SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
+ {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, 0}, /* no_tx_cert_comp */
+ {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* tx_cert_comp */
+ {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, 0}, /* no_rx_cert_comp */
+ {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* rx_cert_comp */
{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
{SSL_OP_NO_TICKET, 0}, /* no_ticket */
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
strncmp(*pcmd, cctx->prefix, cctx->prefixlen))
return 0;
if (cctx->flags & SSL_CONF_FLAG_FILE &&
- strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen))
+ OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen))
return 0;
*pcmd += cctx->prefixlen;
} else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
return t;
}
if (cctx->flags & SSL_CONF_FLAG_FILE) {
- if (t->str_file && strcasecmp(t->str_file, cmd) == 0)
+ if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0)
return t;
}
}
/* See if any certificates are missing private keys */
size_t i;
CERT *c = NULL;
- if (cctx->ctx)
+
+ if (cctx->ctx != NULL) {
c = cctx->ctx->cert;
- else if (cctx->ssl)
- c = cctx->ssl->cert;
- if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
+ } else if (cctx->ssl != NULL) {
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
+
+ if (sc != NULL)
+ c = sc->cert;
+ }
+ if (c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
for (i = 0; i < SSL_PKEY_NUM; i++) {
const char *p = cctx->cert_filename[i];
/*
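Review bot: When SSL_CONNECTION_FROM_SSL() returns NULL at L164-167, `c` stays NULL and the `SSL_CONF_FLAG_REQUIRE_PRIVATE` check at L169 is silently skipped, whereas the other new NULL paths in this commit (L62-64, L79-80) fail the operation. This is probably harmless, because a non-connection object cannot have had a certificate attached through the certificate command in the same commit, but the asymmetry deserves either a comment, `/* no connection object: nothing was loaded, so there is nothing to check */`, or a `return 0` to match the other paths. The enclosing function starts and ends outside this hunk.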
{
cctx->ssl = ssl;
cctx->ctx = NULL;
- if (ssl) {
- cctx->poptions = &ssl->options;
- cctx->min_version = &ssl->min_proto_version;
- cctx->max_version = &ssl->max_proto_version;
- cctx->pcert_flags = &ssl->cert->cert_flags;
- cctx->pvfy_flags = &ssl->verify_mode;
+ if (ssl != NULL) {
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
+
+ if (sc == NULL)
+ return;
+ cctx->poptions = &sc->options;
+ cctx->min_version = &sc->min_proto_version;
+ cctx->max_version = &sc->max_proto_version;
+ cctx->pcert_flags = &sc->cert->cert_flags;
+ cctx->pvfy_flags = &sc->verify_mode;
} else {
cctx->poptions = NULL;
cctx->min_version = NULL;