/*
- * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
#include <openssl/conf.h>
#include <openssl/objects.h>
#include <openssl/dh.h>
+#include "internal/nelem.h"
/*
* structure holding name tables. This is used for permitted elements in lists
static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
{
int rv = 1;
- EC_KEY *ecdh;
int nid;
+ /* Ignore values supported by 1.0.2 for the automatic selection */
+ if ((cctx->flags & SSL_CONF_FLAG_FILE)
+ && (strcasecmp(value, "+automatic") == 0
+ || strcasecmp(value, "automatic") == 0))
+ return 1;
+ if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
+ strcmp(value, "auto") == 0)
+ return 1;
+
nid = EC_curve_nist2nid(value);
if (nid == NID_undef)
nid = OBJ_sn2nid(value);
if (nid == 0)
return 0;
- ecdh = EC_KEY_new_by_curve_name(nid);
- if (!ecdh)
- return 0;
+
if (cctx->ctx)
- rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh);
+ rv = SSL_CTX_set1_groups(cctx->ctx, &nid, 1);
else if (cctx->ssl)
- rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh);
- EC_KEY_free(ecdh);
+ rv = SSL_set1_groups(cctx->ssl, &nid, 1);
return rv > 0;
}
static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value)
{
int rv = 1;
+
if (cctx->ctx)
rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
if (cctx->ssl)
return rv > 0;
}
+static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 1;
+
+ if (cctx->ctx)
+ rv = SSL_CTX_set_ciphersuites(cctx->ctx, value);
+ if (cctx->ssl)
+ rv = SSL_set_ciphersuites(cctx->ssl, value);
+ return rv > 0;
+}
+
static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
{
static const ssl_flag_tbl ssl_protocol_list[] = {
SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
+ SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
+ SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+ SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
+ SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
+ SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
+ SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET)
};
if (value == NULL)
return -3;
SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
SSL_FLAG_VFY_SRV("Require",
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
- SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE)
+ SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE),
+ SSL_FLAG_VFY_SRV("RequestPostHandshake",
+ SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE),
+ SSL_FLAG_VFY_SRV("RequirePostHandshake",
+ SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE |
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
};
if (value == NULL)
return -3;
return rv;
}
+
+static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
+{
+ int rv = 0;
+ int num_tickets = atoi(value);
+
+ if (num_tickets >= 0) {
+ if (cctx->ctx)
+ rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
+ if (cctx->ssl)
+ rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
+ }
+ return rv;
+}
+
typedef struct {
int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
const char *str_file;
SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
+ SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("strict", 0),
+ SSL_CONF_CMD_SWITCH("no_middlebox", 0),
+ SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
+ SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
SSL_CONF_CMD_STRING(Curves, "curves", 0),
SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
#endif
SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
+ SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0),
SSL_CONF_CMD_STRING(Protocol, NULL, 0),
SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
#endif
- SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0)
+ SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
+ SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
};
/* Supported switches: must match order of switches in ssl_conf_cmds */
{SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
/* legacy_server_connect */
{SSL_OP_LEGACY_SERVER_CONNECT, 0},
+ /* no_renegotiation */
+ {SSL_OP_NO_RENEGOTIATION, 0},
/* no_resumption_on_reneg */
{SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},
/* no_legacy_server_connect */
{SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
+ /* allow_no_dhe_kex */
+ {SSL_OP_ALLOW_NO_DHE_KEX, 0},
+ /* chacha reprioritization */
+ {SSL_OP_PRIORITIZE_CHACHA, 0},
{SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
+ /* no_middlebox */
+ {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV},
+ /* anti_replay */
+ {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
+ /* no_anti_replay */
+ {SSL_OP_NO_ANTI_REPLAY, 0},
};
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
projects / openssl.git / blobdiff