X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_conf.c;h=9c202708d7d9ddf7200af56e139c2e79c57c2b80;hp=63687b5ba1f4e798f1918dc516c6d9e7a474eb17;hb=3bb5e5b09e32defefda2b61087c113203005ffa0;hpb=582a17d662d123eafbb70c9eaaa140a2559b7cdb diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 63687b5ba1..9c202708d7 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ #include #include #include +#include "internal/nelem.h" /* * structure holding name tables. This is used for permitted elements in lists @@ -202,17 +203,23 @@ static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) return rv > 0; } -static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) +static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) { int rv; if (cctx->ssl) - rv = SSL_set1_curves_list(cctx->ssl, value); + rv = SSL_set1_groups_list(cctx->ssl, value); /* NB: ctx == NULL performs syntax checking only */ else - rv = SSL_CTX_set1_curves_list(cctx->ctx, value); + rv = SSL_CTX_set1_groups_list(cctx->ctx, value); return rv > 0; } +/* This is the old name for cmd_Groups - retained for backwards compatibility */ +static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) +{ + return cmd_Groups(cctx, value); +} + #ifndef OPENSSL_NO_EC /* ECDH temporary parameters */ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) @@ -221,6 +228,15 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) EC_KEY *ecdh; int nid; + /* Ignore values supported by 1.0.2 for the automatic selection */ + if ((cctx->flags & SSL_CONF_FLAG_FILE) + && (strcasecmp(value, "+automatic") == 0 + || strcasecmp(value, "automatic") == 0)) + return 1; + if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && + strcmp(value, "auto") == 0) + return 1; + nid = EC_curve_nist2nid(value); if (nid == NID_undef) nid = OBJ_sn2nid(value); @@ -241,6 +257,7 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) { int rv = 1; + if (cctx->ctx) rv = SSL_CTX_set_cipher_list(cctx->ctx, value); if (cctx->ssl) @@ -248,6 +265,17 @@ static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) return rv > 0; } +static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 1; + + if (cctx->ctx) + rv = SSL_CTX_set_ciphersuites(cctx->ctx, value); + if (cctx->ssl) + rv = SSL_set_ciphersuites(cctx->ssl, value); + return rv > 0; +} + static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) { static const ssl_flag_tbl ssl_protocol_list[] = { @@ -351,6 +379,12 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE), SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), + SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), + SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY) }; if (value == NULL) return -3; @@ -366,7 +400,12 @@ static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), SSL_FLAG_VFY_SRV("Require", SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), - SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE) + SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), + SSL_FLAG_VFY_SRV("RequestPostHandshake", + SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE), + SSL_FLAG_VFY_SRV("RequirePostHandshake", + SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE | + SSL_VERIFY_FAIL_IF_NO_PEER_CERT), }; if (value == NULL) return -3; @@ -458,7 +497,7 @@ static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) return do_store(cctx, value, NULL, 1); } -static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) +static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value) { if (cctx->canames == NULL) cctx->canames = sk_X509_NAME_new_null(); @@ -467,7 +506,12 @@ static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); } -static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) +static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) +{ + return cmd_RequestCAFile(cctx, value); +} + +static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value) { if (cctx->canames == NULL) cctx->canames = sk_X509_NAME_new_null(); @@ -476,6 +520,11 @@ static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); } +static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) +{ + return cmd_RequestCAPath(cctx, value); +} + #ifndef OPENSSL_NO_DH static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) { @@ -503,6 +552,40 @@ static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) return rv > 0; } #endif + +static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 0; + int block_size = atoi(value); + + /* + * All we care about is a non-negative value, + * the setters check the range + */ + if (block_size >= 0) { + if (cctx->ctx) + rv = SSL_CTX_set_block_padding(cctx->ctx, block_size); + if (cctx->ssl) + rv = SSL_set_block_padding(cctx->ssl, block_size); + } + return rv; +} + + +static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 0; + int num_tickets = atoi(value); + + if (num_tickets >= 0) { + if (cctx->ctx) + rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); + if (cctx->ssl) + rv = SSL_set_num_tickets(cctx->ssl, num_tickets); + } + return rv; +} + typedef struct { int (*cmd) (SSL_CONF_CTX *cctx, const char *value); const char *str_file; @@ -537,16 +620,24 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER), + SSL_CONF_CMD_SWITCH("no_renegotiation", 0), SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), + SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0), + SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("strict", 0), + SSL_CONF_CMD_SWITCH("no_middlebox", 0), + SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER), + SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), + SSL_CONF_CMD_STRING(Groups, "groups", 0), #ifndef OPENSSL_NO_EC SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), #endif SSL_CONF_CMD_STRING(CipherString, "cipher", 0), + SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), SSL_CONF_CMD_STRING(Protocol, NULL, 0), SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), @@ -567,17 +658,23 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_TYPE_DIR), SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), + SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE, + SSL_CONF_TYPE_FILE), SSL_CONF_CMD(ClientCAFile, NULL, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), + SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE, + SSL_CONF_TYPE_DIR), SSL_CONF_CMD(ClientCAPath, NULL, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_DIR), #ifndef OPENSSL_NO_DH SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, - SSL_CONF_TYPE_FILE) + SSL_CONF_TYPE_FILE), #endif + SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), + SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER), }; /* Supported switches: must match order of switches in ssl_conf_cmds */ @@ -597,11 +694,23 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, /* legacy_server_connect */ {SSL_OP_LEGACY_SERVER_CONNECT, 0}, + /* no_renegotiation */ + {SSL_OP_NO_RENEGOTIATION, 0}, /* no_resumption_on_reneg */ {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, /* no_legacy_server_connect */ {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, + /* allow_no_dhe_kex */ + {SSL_OP_ALLOW_NO_DHE_KEX, 0}, + /* chacha reprioritization */ + {SSL_OP_PRIORITIZE_CHACHA, 0}, {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ + /* no_middlebox */ + {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, + /* anti_replay */ + {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV}, + /* no_anti_replay */ + {SSL_OP_NO_ANTI_REPLAY, 0}, }; static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) @@ -794,9 +903,9 @@ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) } if (cctx->canames) { if (cctx->ssl) - SSL_set_client_CA_list(cctx->ssl, cctx->canames); + SSL_set0_CA_list(cctx->ssl, cctx->canames); else if (cctx->ctx) - SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames); + SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); else sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); cctx->canames = NULL;