X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_conf.c;h=419400aa2408f6757784f3301c92105955600287;hp=4b083019aa1bc2e6e18b7781ad8b8a8cb660e3ca;hb=0ebc965b9ca4352e407bb7cfa65ac235942117f6;hpb=ec2f7e568ea18a22ab57326fffe78ef2aa6884f5
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 4b083019aa..419400aa24 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -62,6 +62,9 @@
 #include "ssl_locl.h"
 #include
 #include
+#ifndef OPENSSL_NO_DH
+#include
+#endif
 
 /* structure holding name tables. This is used for pemitted elements in
 * lists such as TLSv1 and single command line switches such as no_tls1
@@ -200,9 +203,9 @@ static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
 SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
 SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
 SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
- SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
 SSL_FLAG_TBL("bugs", SSL_OP_ALL),
 SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),
+ SSL_FLAG_TBL_SRV("ecdh_single", SSL_OP_SINGLE_ECDH_USE),
 #ifndef OPENSSL_NO_TLSEXT
 SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),
 #endif
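Review bot: The option table gains `ecdh_single` (SSL_OP_SINGLE_ECDH_USE) in the same commit that makes DH parameters loadable via `dhparam`, yet there is no entry for SSL_OP_SINGLE_DH_USE, so a configuration that supplies DH parameters has no way to ask for single-use DH keys alongside them; the natural companion is `SSL_FLAG_TBL_SRV("dh_single", SSL_OP_SINGLE_DH_USE),` next to the ecdh line. The table continues past the hunk, so disregard this if such an entry already exists there. A short comment on the `_SRV` entry noting that it is presumably a server-only flag (the macro name suggests so, but its definition is not in view) would also help readers who miss the macro difference.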
@@ -389,6 +392,51 @@ static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
 return rv > 0;
 }
 
+static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
+ {
+ int rv = 1;
+ if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+ return -2;
+ if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
+ return -2;
+ if (cctx->ctx)
+ rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
+ return rv > 0;
+ }
+
+#ifndef OPENSSL_NO_DH
+static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
+ {
+ int rv = 0;
+ DH *dh = NULL;
+ BIO *in = NULL;
+ if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+ return -2;
+ if (cctx->ctx || cctx->ssl)
+ {
+ in = BIO_new(BIO_s_file_internal());
+ if (!in)
+ goto end;
+ if (BIO_read_filename(in, value) <= 0)
+ goto end;
+ dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+ if (!dh)
+ goto end;
+ }
+ else
+ return 1;
+ if (cctx->ctx)
+ rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh);
+ if (cctx->ssl)
+ rv = SSL_set_tmp_dh(cctx->ssl, dh);
+ end:
+ if (dh)
+ DH_free(dh);
+ if (in)
+ BIO_free(in);
+ return rv > 0;
+ }
+#endif
 
 typedef struct
 {
 int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
@@ -405,7 +453,7 @@ typedef struct
 #define SSL_CONF_CMD_STRING(name, cmdopt) \
 SSL_CONF_CMD(name, cmdopt, SSL_CONF_TYPE_STRING)
 
-static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
+static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
 SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs"),
 SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs"),
 SSL_CONF_CMD_STRING(Curves, "curves"),
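Review bot: cmd_DHParameters installs whatever PEM_read_bio_DHparams returns directly via SSL_CTX_set_tmp_dh / SSL_set_tmp_dh, so a file containing undersized or malformed parameters (a tiny or non-prime p) is accepted without complaint; a `DH_check(dh, &codes)` with any set bit in `codes` treated as failure, or at minimum a `DH_size(dh)` floor, belongs between the PEM read and the set calls. It is also inconsistent with cmd_ServerInfoFile in the same hunk, which rejects non-server contexts with `if (!(cctx->flags & SSL_CONF_FLAG_SERVER)) return -2;` — ephemeral DH parameters are only consumed server-side, so the same guard seems appropriate here unless client-side acceptance is intentional. Minor style: the `if (dh)` and `if (in)` guards before DH_free and BIO_free are redundant since both accept NULL. Note also that with neither ctx nor ssl set the function returns 1 without touching the file, so an unreadable path is only diagnosed once a context exists; a comment saying this is deliberate would help.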
@@ -416,7 +464,11 @@ static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
 SSL_CONF_CMD_STRING(Protocol, NULL),
 SSL_CONF_CMD_STRING(Options, NULL),
 SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE),
- SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE)
+ SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(ServerInfoFile, NULL, SSL_CONF_TYPE_FILE),
+#ifndef OPENSSL_NO_DH
+ SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE)
+#endif
 };
 
 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
@@ -438,16 +490,16 @@ static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
 }
 else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
 {
- if (**pcmd != '-' || !*pcmd[1])
+ if (**pcmd != '-' || !(*pcmd)[1])
 return 0;
 *pcmd += 1;
 }
 return 1;
 }
 
-static ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, const char *cmd)
+static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, const char *cmd)
 {
- ssl_conf_cmd_tbl *t;
+ const ssl_conf_cmd_tbl *t;
 size_t i;
 if (cmd == NULL)
 return NULL;
@@ -472,7 +524,7 @@ static ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, const char *cmd
 
 int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
 {
- ssl_conf_cmd_tbl *runcmd;
+ const ssl_conf_cmd_tbl *runcmd;
 if (cmd == NULL)
 {
 SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
@@ -555,7 +607,7 @@ int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd)
 {
 if (ssl_conf_cmd_skip_prefix(cctx, &cmd))
 {
- ssl_conf_cmd_tbl *runcmd;
+ const ssl_conf_cmd_tbl *runcmd;
 runcmd = ssl_conf_cmd_lookup(cctx, cmd);
 if (runcmd)
 return runcmd->value_type;
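Review bot: The corrected test `!(*pcmd)[1]` in ssl_conf_cmd_skip_prefix deserves a comment, because the previous spelling `!*pcmd[1]` parsed as `!*(pcmd[1])` and read one past the single pointer the caller passes instead of the character after the dash; something like `/* reject a bare "-": (*pcmd)[1] is the character after the dash, not pcmd[1] */` makes the precedence deliberate so nobody "simplifies" it back. As written the branch strips exactly one dash, so `--cert` presumably reaches the lookup as `-cert` and fails; if double-dash forms are meant to be rejected rather than supported, say so in the same comment. ssl_conf_cmd_skip_prefix begins before this hunk.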