1
/*
2
 * Copyright 2012-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
#include "internal/e_os.h"
11

12
#include <stdio.h>
13
#include "ssl_local.h"
14
#include <openssl/conf.h>
15
#include <openssl/objects.h>
16
#include <openssl/decoder.h>
17
#include <openssl/core_dispatch.h>
18
#include "internal/nelem.h"
19
#include "internal/ssl_unwrap.h"
20

21
/*
22
 * structure holding name tables. This is used for permitted elements in lists
23
 * such as TLSv1.
24
 */
25

26
typedef struct {
27
    const char *name;
28
    int namelen;
29
    unsigned int name_flags;
30
    uint64_t option_value;
31
} ssl_flag_tbl;
32

33
/* Switch table: use for single command line switches like no_tls2 */
34
typedef struct {
35
    uint64_t option_value;
36
    unsigned int name_flags;
37
} ssl_switch_tbl;
38

39
/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
40
#define SSL_TFLAG_INV   0x1
41
/* Mask for type of flag referred to */
42
#define SSL_TFLAG_TYPE_MASK 0xf00
43
/* Flag is for options */
44
#define SSL_TFLAG_OPTION    0x000
45
/* Flag is for cert_flags */
46
#define SSL_TFLAG_CERT      0x100
47
/* Flag is for verify mode */
48
#define SSL_TFLAG_VFY       0x200
49
/* Option can only be used for clients */
50
#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
51
/* Option can only be used for servers */
52
#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
53
#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER)
54

55
#define SSL_FLAG_TBL(str, flag) \
56
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
57
#define SSL_FLAG_TBL_SRV(str, flag) \
58
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
59
#define SSL_FLAG_TBL_CLI(str, flag) \
60
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
61
#define SSL_FLAG_TBL_INV(str, flag) \
62
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag}
63
#define SSL_FLAG_TBL_SRV_INV(str, flag) \
64
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag}
65
#define SSL_FLAG_TBL_CERT(str, flag) \
66
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}
67

68
#define SSL_FLAG_VFY_CLI(str, flag) \
69
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag}
70
#define SSL_FLAG_VFY_SRV(str, flag) \
71
        {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag}
72

73
/*
74
 * Opaque structure containing SSL configuration context.
75
 */
76

77
struct ssl_conf_ctx_st {
78
    /*
79
     * Various flags indicating (among other things) which options we will
80
     * recognise.
81
     */
82
    unsigned int flags;
83
    /* Prefix and length of commands */
84
    char *prefix;
85
    size_t prefixlen;
86
    /* SSL_CTX or SSL structure to perform operations on */
87
    SSL_CTX *ctx;
88
    SSL *ssl;
89
    /* Pointer to SSL or SSL_CTX options field or NULL if none */
90
    uint64_t *poptions;
91
    /* Certificate filenames for each type */
92
    char **cert_filename;
93
    /* Number of elements in the cert_filename array */
94
    size_t num_cert_filename;
95
    /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
96
    uint32_t *pcert_flags;
97
    /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */
98
    uint32_t *pvfy_flags;
99
    /* Pointer to SSL or SSL_CTX min_version field or NULL if none */
100
    int *min_version;
101
    /* Pointer to SSL or SSL_CTX max_version field or NULL if none */
102
    int *max_version;
103
    /* Current flag table being worked on */
104
    const ssl_flag_tbl *tbl;
105
    /* Size of table */
106
    size_t ntbl;
107
    /* Client CA names */
108
    STACK_OF(X509_NAME) *canames;
109
};
110

111
static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
112
                           uint64_t option_value, int onoff)
113
{
114
    uint32_t *pflags;
115

116
    if (cctx->poptions == NULL)
117
        return;
118
    if (name_flags & SSL_TFLAG_INV)
119
        onoff ^= 1;
120
    switch (name_flags & SSL_TFLAG_TYPE_MASK) {
121

122
    case SSL_TFLAG_CERT:
123
        pflags = cctx->pcert_flags;
124
        break;
125

126
    case SSL_TFLAG_VFY:
127
        pflags = cctx->pvfy_flags;
128
        break;
129

130
    case SSL_TFLAG_OPTION:
131
        if (onoff)
132
            *cctx->poptions |= option_value;
133
        else
134
            *cctx->poptions &= ~option_value;
135
        return;
136

137
    default:
138
        return;
139

140
    }
141
    if (onoff)
142
        *pflags |= option_value;
143
    else
144
        *pflags &= ~option_value;
145
}
146

147
static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
148
                            const char *name, int namelen, int onoff)
149
{
150
    /* If name not relevant for context skip */
151
    if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
152
        return 0;
153
    if (namelen == -1) {
154
        if (strcmp(tbl->name, name))
155
            return 0;
156
    } else if (tbl->namelen != namelen
157
               || OPENSSL_strncasecmp(tbl->name, name, namelen))
158
        return 0;
159
    ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
160
    return 1;
161
}
162

163
static int ssl_set_option_list(const char *elem, int len, void *usr)
164
{
165
    SSL_CONF_CTX *cctx = usr;
166
    size_t i;
167
    const ssl_flag_tbl *tbl;
168
    int onoff = 1;
169
    /*
170
     * len == -1 indicates not being called in list context, just for single
171
     * command line switches, so don't allow +, -.
172
     */
173
    if (elem == NULL)
174
        return 0;
175
    if (len != -1) {
176
        if (*elem == '+') {
177
            elem++;
178
            len--;
179
            onoff = 1;
180
        } else if (*elem == '-') {
181
            elem++;
182
            len--;
183
            onoff = 0;
184
        }
185
    }
186
    for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) {
187
        if (ssl_match_option(cctx, tbl, elem, len, onoff))
188
            return 1;
189
    }
190
    return 0;
191
}
192

193
/* Set supported signature algorithms */
194
static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
195
{
196
    int rv;
197
    if (cctx->ssl)
198
        rv = SSL_set1_sigalgs_list(cctx->ssl, value);
199
    /* NB: ctx == NULL performs syntax checking only */
200
    else
201
        rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
202
    return rv > 0;
203
}
204

205
/* Set supported client signature algorithms */
206
static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
207
{
208
    int rv;
209
    if (cctx->ssl)
210
        rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
211
    /* NB: ctx == NULL performs syntax checking only */
212
    else
213
        rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
214
    return rv > 0;
215
}
216

217
static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value)
218
{
219
    int rv;
220
    if (cctx->ssl)
221
        rv = SSL_set1_groups_list(cctx->ssl, value);
222
    /* NB: ctx == NULL performs syntax checking only */
223
    else
224
        rv = SSL_CTX_set1_groups_list(cctx->ctx, value);
225
    return rv > 0;
226
}
227

228
/* This is the old name for cmd_Groups - retained for backwards compatibility */
229
static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value)
230
{
231
    return cmd_Groups(cctx, value);
232
}
233

234
/* ECDH temporary parameters */
235
static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
236
{
237
    int rv = 1;
238

239
    /* Ignore values supported by 1.0.2 for the automatic selection */
240
    if ((cctx->flags & SSL_CONF_FLAG_FILE)
241
            && (OPENSSL_strcasecmp(value, "+automatic") == 0
242
                || OPENSSL_strcasecmp(value, "automatic") == 0))
243
        return 1;
244
    if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) &&
245
        strcmp(value, "auto") == 0)
246
        return 1;
247

248
    /* ECDHParameters accepts a single group name */
249
    if (strchr(value, ':') != NULL)
250
        return 0;
251

252
    if (cctx->ctx)
253
        rv = SSL_CTX_set1_groups_list(cctx->ctx, value);
254
    else if (cctx->ssl)
255
        rv = SSL_set1_groups_list(cctx->ssl, value);
256

257
    return rv > 0;
258
}
259

260
static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value)
261
{
262
    int rv = 1;
263

264
    if (cctx->ctx)
265
        rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
266
    if (cctx->ssl)
267
        rv = SSL_set_cipher_list(cctx->ssl, value);
268
    return rv > 0;
269
}
270

271
static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value)
272
{
273
    int rv = 1;
274

275
    if (cctx->ctx)
276
        rv = SSL_CTX_set_ciphersuites(cctx->ctx, value);
277
    if (cctx->ssl)
278
        rv = SSL_set_ciphersuites(cctx->ssl, value);
279
    return rv > 0;
280
}
281

282
static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
283
{
284
    static const ssl_flag_tbl ssl_protocol_list[] = {
285
        SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
286
        SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
287
        SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
288
        SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
289
        SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
290
        SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2),
291
        SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3),
292
        SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1),
293
        SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2)
294
    };
295
    cctx->tbl = ssl_protocol_list;
296
    cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
297
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
298
}
299

300
/*
301
 * protocol_from_string - converts a protocol version string to a number
302
 *
303
 * Returns -1 on failure or the version on success
304
 */
305
static int protocol_from_string(const char *value)
306
{
307
    struct protocol_versions {
308
        const char *name;
309
        int version;
310
    };
311
    /*
312
     * Note: To avoid breaking previously valid configurations, we must retain
313
     * legacy entries in this table even if the underlying protocol is no
314
     * longer supported.  This also means that the constants SSL3_VERSION, ...
315
     * need to be retained indefinitely.  This table can only grow, never
316
     * shrink.
317
     */
318
    static const struct protocol_versions versions[] = {
319
        {"None", 0},
320
        {"SSLv3", SSL3_VERSION},
321
        {"TLSv1", TLS1_VERSION},
322
        {"TLSv1.1", TLS1_1_VERSION},
323
        {"TLSv1.2", TLS1_2_VERSION},
324
        {"TLSv1.3", TLS1_3_VERSION},
325
        {"DTLSv1", DTLS1_VERSION},
326
        {"DTLSv1.2", DTLS1_2_VERSION}
327
    };
328
    size_t i;
329
    size_t n = OSSL_NELEM(versions);
330

331
    for (i = 0; i < n; i++)
332
        if (strcmp(versions[i].name, value) == 0)
333
            return versions[i].version;
334
    return -1;
335
}
336

337
static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound)
338
{
339
    int method_version;
340
    int new_version;
341

342
    if (cctx->ctx != NULL)
343
        method_version = cctx->ctx->method->version;
344
    else if (cctx->ssl != NULL)
345
        method_version = cctx->ssl->defltmeth->version;
346
    else
347
        return 0;
348
    if ((new_version = protocol_from_string(value)) < 0)
349
        return 0;
350
    return ssl_set_version_bound(method_version, new_version, bound);
351
}
352

353
/*
354
 * cmd_MinProtocol - Set min protocol version
355
 * @cctx: config structure to save settings in
356
 * @value: The min protocol version in string form
357
 *
358
 * Returns 1 on success and 0 on failure.
359
 */
360
static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value)
361
{
362
    return min_max_proto(cctx, value, cctx->min_version);
363
}
364

365
/*
366
 * cmd_MaxProtocol - Set max protocol version
367
 * @cctx: config structure to save settings in
368
 * @value: The max protocol version in string form
369
 *
370
 * Returns 1 on success and 0 on failure.
371
 */
372
static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value)
373
{
374
    return min_max_proto(cctx, value, cctx->max_version);
375
}
376

377
static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
378
{
379
    static const ssl_flag_tbl ssl_option_list[] = {
380
        SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
381
        SSL_FLAG_TBL_INV("EmptyFragments",
382
                         SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
383
        SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
384
        SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
385
        SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
386
        SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation",
387
                         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
388
        SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
389
        SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
390
        SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
391
                     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
392
        SSL_FLAG_TBL("UnsafeLegacyServerConnect",
393
                     SSL_OP_LEGACY_SERVER_CONNECT),
394
        SSL_FLAG_TBL("ClientRenegotiation",
395
                     SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
396
        SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
397
        SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
398
        SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
399
        SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
400
        SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
401
        SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
402
        SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
403
        SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
404
        SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES),
405
        SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS),
406
        SSL_FLAG_TBL_CERT("StrictCertCheck", SSL_CERT_FLAG_TLS_STRICT),
407
        SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION),
408
        SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION),
409
        SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE),
410
        SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF),
411
    };
412
    if (value == NULL)
413
        return -3;
414
    cctx->tbl = ssl_option_list;
415
    cctx->ntbl = OSSL_NELEM(ssl_option_list);
416
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
417
}
418

419
static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value)
420
{
421
    static const ssl_flag_tbl ssl_vfy_list[] = {
422
        SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER),
423
        SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
424
        SSL_FLAG_VFY_SRV("Require",
425
                         SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
426
        SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE),
427
        SSL_FLAG_VFY_SRV("RequestPostHandshake",
428
                         SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE),
429
        SSL_FLAG_VFY_SRV("RequirePostHandshake",
430
                         SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE |
431
                         SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
432
    };
433
    if (value == NULL)
434
        return -3;
435
    cctx->tbl = ssl_vfy_list;
436
    cctx->ntbl = OSSL_NELEM(ssl_vfy_list);
437
    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
438
}
439

440
static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value)
441
{
442
    int rv = 1;
443
    CERT *c = NULL;
444
    if (cctx->ctx != NULL) {
445
        rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
446
        c = cctx->ctx->cert;
447
    }
448
    if (cctx->ssl != NULL) {
449
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
450

451
        if (sc != NULL) {
452
            rv = SSL_use_certificate_chain_file(cctx->ssl, value);
453
            c = sc->cert;
454
        } else {
455
            rv = 0;
456
        }
457
    }
458
    if (rv > 0 && c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
459
        size_t fileidx = c->key - c->pkeys;
460

461
        if (fileidx >= cctx->num_cert_filename) {
462
            rv = 0;
463
        } else {
464
            char **pfilename = &cctx->cert_filename[c->key - c->pkeys];
465

466
            OPENSSL_free(*pfilename);
467
            *pfilename = OPENSSL_strdup(value);
468
            if (*pfilename == NULL)
469
                rv = 0;
470
        }
471
    }
472

473
    return rv > 0;
474
}
475

476
static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
477
{
478
    int rv = 1;
479
    if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
480
        return -2;
481
    if (cctx->ctx)
482
        rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM);
483
    if (cctx->ssl)
484
        rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
485
    return rv > 0;
486
}
487

488
static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
489
{
490
    int rv = 1;
491
    if (cctx->ctx)
492
        rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
493
    return rv > 0;
494
}
495

496
static int do_store(SSL_CONF_CTX *cctx,
497
                    const char *CAfile, const char *CApath, const char *CAstore,
498
                    int verify_store)
499
{
500
    CERT *cert;
501
    X509_STORE **st;
502
    SSL_CTX *ctx;
503
    OSSL_LIB_CTX *libctx = NULL;
504
    const char *propq = NULL;
505

506
    if (cctx->ctx != NULL) {
507
        cert = cctx->ctx->cert;
508
        ctx = cctx->ctx;
509
    } else if (cctx->ssl != NULL) {
510
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
511

512
        if (sc == NULL)
513
            return 0;
514

515
        cert = sc->cert;
516
        ctx = cctx->ssl->ctx;
517
    } else {
518
        return 1;
519
    }
520
    if (ctx != NULL) {
521
        libctx = ctx->libctx;
522
        propq = ctx->propq;
523
    }
524
    st = verify_store ? &cert->verify_store : &cert->chain_store;
525
    if (*st == NULL) {
526
        *st = X509_STORE_new();
527
        if (*st == NULL)
528
            return 0;
529
    }
530

531
    if (CAfile != NULL && !X509_STORE_load_file_ex(*st, CAfile, libctx, propq))
532
        return 0;
533
    if (CApath != NULL && !X509_STORE_load_path(*st, CApath))
534
        return 0;
535
    if (CAstore != NULL && !X509_STORE_load_store_ex(*st, CAstore, libctx,
536
                                                     propq))
537
        return 0;
538
    return 1;
539
}
540

541
static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value)
542
{
543
    return do_store(cctx, NULL, value, NULL, 0);
544
}
545

546
static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value)
547
{
548
    return do_store(cctx, value, NULL, NULL, 0);
549
}
550

551
static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value)
552
{
553
    return do_store(cctx, NULL, NULL, value, 0);
554
}
555

556
static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value)
557
{
558
    return do_store(cctx, NULL, value, NULL, 1);
559
}
560

561
static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value)
562
{
563
    return do_store(cctx, value, NULL, NULL, 1);
564
}
565

566
static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value)
567
{
568
    return do_store(cctx, NULL, NULL, value, 1);
569
}
570

571
static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value)
572
{
573
    if (cctx->canames == NULL)
574
        cctx->canames = sk_X509_NAME_new_null();
575
    if (cctx->canames == NULL)
576
        return 0;
577
    return SSL_add_file_cert_subjects_to_stack(cctx->canames, value);
578
}
579

580
static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value)
581
{
582
    return cmd_RequestCAFile(cctx, value);
583
}
584

585
static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value)
586
{
587
    if (cctx->canames == NULL)
588
        cctx->canames = sk_X509_NAME_new_null();
589
    if (cctx->canames == NULL)
590
        return 0;
591
    return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value);
592
}
593

594
static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value)
595
{
596
    return cmd_RequestCAPath(cctx, value);
597
}
598

599
static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value)
600
{
601
    if (cctx->canames == NULL)
602
        cctx->canames = sk_X509_NAME_new_null();
603
    if (cctx->canames == NULL)
604
        return 0;
605
    return SSL_add_store_cert_subjects_to_stack(cctx->canames, value);
606
}
607

608
static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value)
609
{
610
    return cmd_RequestCAStore(cctx, value);
611
}
612

613
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
614
{
615
    int rv = 0;
616
    EVP_PKEY *dhpkey = NULL;
617
    BIO *in = NULL;
618
    SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx;
619
    OSSL_DECODER_CTX *decoderctx = NULL;
620

621
    if (cctx->ctx != NULL || cctx->ssl != NULL) {
622
        in = BIO_new(BIO_s_file());
623
        if (in == NULL)
624
            goto end;
625
        if (BIO_read_filename(in, value) <= 0)
626
            goto end;
627

628
        decoderctx
629
            = OSSL_DECODER_CTX_new_for_pkey(&dhpkey, "PEM", NULL, "DH",
630
                                            OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
631
                                            sslctx->libctx, sslctx->propq);
632
        if (decoderctx == NULL)
633
            goto end;
634
        ERR_set_mark();
635
        while (!OSSL_DECODER_from_bio(decoderctx, in)
636
               && dhpkey == NULL
637
               && !BIO_eof(in));
638
        OSSL_DECODER_CTX_free(decoderctx);
639

640
        if (dhpkey == NULL) {
641
            ERR_clear_last_mark();
642
            goto end;
643
        }
644
        ERR_pop_to_mark();
645
    } else {
646
        return 1;
647
    }
648

649
    if (cctx->ctx != NULL) {
650
        if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0)
651
            dhpkey = NULL;
652
    }
653
    if (cctx->ssl != NULL) {
654
        if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0)
655
            dhpkey = NULL;
656
    }
657
 end:
658
    EVP_PKEY_free(dhpkey);
659
    BIO_free(in);
660
    return rv > 0;
661
}
662

663
/*
664
 * |value| input is "<number[,number]>"
665
 * where the first number is the padding block size for
666
 * application data, and the optional second is the
667
 * padding block size for handshake messages
668
 */
669
static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value)
670
{
671
    int rv = 0;
672
    unsigned long block_padding = 0, hs_padding = 0;
673
    char *commap = NULL, *copy = NULL;
674
    char *endptr = NULL;
675

676
    copy = OPENSSL_strdup(value);
677
    if (copy == NULL)
678
        goto out;
679
    commap = strstr(copy, ",");
680
    if (commap != NULL) {
681
        *commap = '\0';
682
        if (*(commap + 1) == '\0')
683
            goto out;
684
        if (!OPENSSL_strtoul(commap + 1, &endptr, 0, &hs_padding))
685
            goto out;
686
    }
687
    if (!OPENSSL_strtoul(copy, &endptr, 0, &block_padding))
688
        goto out;
689
    if (commap == NULL)
690
        hs_padding = block_padding;
691

692
    /*
693
     * All we care about are non-negative values,
694
     * the setters check the range
695
     */
696
    if (cctx->ctx)
697
        rv = SSL_CTX_set_block_padding_ex(cctx->ctx, (size_t)block_padding,
698
                                          (size_t)hs_padding);
699
    if (cctx->ssl)
700
        rv = SSL_set_block_padding_ex(cctx->ssl, (size_t)block_padding,
701
                                      (size_t)hs_padding);
702
out:
703
    OPENSSL_free(copy);
704
    return rv;
705
}
706

707

708
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
709
{
710
    int rv = 0;
711
    int num_tickets = atoi(value);
712

713
    if (num_tickets >= 0) {
714
        if (cctx->ctx)
715
            rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
716
        if (cctx->ssl)
717
            rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
718
    }
719
    return rv;
720
}
721

722
typedef struct {
723
    int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
724
    const char *str_file;
725
    const char *str_cmdline;
726
    unsigned short flags;
727
    unsigned short value_type;
728
} ssl_conf_cmd_tbl;
729

730
/* Table of supported parameters */
731

732
#define SSL_CONF_CMD(name, cmdopt, flags, type) \
733
        {cmd_##name, #name, cmdopt, flags, type}
734

735
#define SSL_CONF_CMD_STRING(name, cmdopt, flags) \
736
        SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING)
737

738
#define SSL_CONF_CMD_SWITCH(name, flags) \
739
        {0, NULL, name, flags, SSL_CONF_TYPE_NONE}
740

741
/* See apps/include/opt.h if you change this table. */
742
/* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */
743
static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
744
    SSL_CONF_CMD_SWITCH("no_ssl3", 0),
745
    SSL_CONF_CMD_SWITCH("no_tls1", 0),
746
    SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
747
    SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
748
    SSL_CONF_CMD_SWITCH("no_tls1_3", 0),
749
    SSL_CONF_CMD_SWITCH("bugs", 0),
750
    SSL_CONF_CMD_SWITCH("no_comp", 0),
751
    SSL_CONF_CMD_SWITCH("comp", 0),
752
    SSL_CONF_CMD_SWITCH("no_tx_cert_comp", 0),
753
    SSL_CONF_CMD_SWITCH("tx_cert_comp", 0),
754
    SSL_CONF_CMD_SWITCH("no_rx_cert_comp", 0),
755
    SSL_CONF_CMD_SWITCH("rx_cert_comp", 0),
756
    SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
757
    SSL_CONF_CMD_SWITCH("no_ticket", 0),
758
    SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
759
    SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
760
    SSL_CONF_CMD_SWITCH("client_renegotiation", SSL_CONF_FLAG_SERVER),
761
    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_CLIENT),
762
    SSL_CONF_CMD_SWITCH("no_renegotiation", 0),
763
    SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
764
    SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_CLIENT),
765
    SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0),
766
    SSL_CONF_CMD_SWITCH("prefer_no_dhe_kex", 0),
767
    SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER),
768
    SSL_CONF_CMD_SWITCH("strict", 0),
769
    SSL_CONF_CMD_SWITCH("no_middlebox", 0),
770
    SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER),
771
    SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER),
772
    SSL_CONF_CMD_SWITCH("no_etm", 0),
773
    SSL_CONF_CMD_SWITCH("no_ems", 0),
774
    SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
775
    SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
776
    SSL_CONF_CMD_STRING(Curves, "curves", 0),
777
    SSL_CONF_CMD_STRING(Groups, "groups", 0),
778
    SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
779
    SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
780
    SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0),
781
    SSL_CONF_CMD_STRING(Protocol, NULL, 0),
782
    SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0),
783
    SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0),
784
    SSL_CONF_CMD_STRING(Options, NULL, 0),
785
    SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
786
    SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
787
                 SSL_CONF_TYPE_FILE),
788
    SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,
789
                 SSL_CONF_TYPE_FILE),
790
    SSL_CONF_CMD(ServerInfoFile, NULL,
791
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
792
                 SSL_CONF_TYPE_FILE),
793
    SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE,
794
                 SSL_CONF_TYPE_DIR),
795
    SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
796
                 SSL_CONF_TYPE_FILE),
797
    SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE,
798
                 SSL_CONF_TYPE_STORE),
799
    SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
800
                 SSL_CONF_TYPE_DIR),
801
    SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
802
                 SSL_CONF_TYPE_FILE),
803
    SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE,
804
                 SSL_CONF_TYPE_STORE),
805
    SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE,
806
                 SSL_CONF_TYPE_FILE),
807
    SSL_CONF_CMD(ClientCAFile, NULL,
808
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
809
                 SSL_CONF_TYPE_FILE),
810
    SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE,
811
                 SSL_CONF_TYPE_DIR),
812
    SSL_CONF_CMD(ClientCAPath, NULL,
813
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
814
                 SSL_CONF_TYPE_DIR),
815
    SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE,
816
                 SSL_CONF_TYPE_STORE),
817
    SSL_CONF_CMD(ClientCAStore, NULL,
818
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
819
                 SSL_CONF_TYPE_STORE),
820
    SSL_CONF_CMD(DHParameters, "dhparam",
821
                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
822
                 SSL_CONF_TYPE_FILE),
823
    SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
824
    SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER),
825
};
826

827
/* Supported switches: must match order of switches in ssl_conf_cmds */
828
static const ssl_switch_tbl ssl_cmd_switches[] = {
829
    {SSL_OP_NO_SSLv3, 0},       /* no_ssl3 */
830
    {SSL_OP_NO_TLSv1, 0},       /* no_tls1 */
831
    {SSL_OP_NO_TLSv1_1, 0},     /* no_tls1_1 */
832
    {SSL_OP_NO_TLSv1_2, 0},     /* no_tls1_2 */
833
    {SSL_OP_NO_TLSv1_3, 0},     /* no_tls1_3 */
834
    {SSL_OP_ALL, 0},            /* bugs */
835
    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
836
    {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
837
    {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, 0}, /* no_tx_cert_comp */
838
    {SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* tx_cert_comp */
839
    {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, 0}, /* no_rx_cert_comp */
840
    {SSL_OP_NO_RX_CERTIFICATE_COMPRESSION, SSL_TFLAG_INV}, /* rx_cert_comp */
841
    {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
842
    {SSL_OP_NO_TICKET, 0},      /* no_ticket */
843
    {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
844
    /* legacy_renegotiation */
845
    {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
846
    /* Allow client renegotiation */
847
    {SSL_OP_ALLOW_CLIENT_RENEGOTIATION, 0},
848
    /* legacy_server_connect */
849
    {SSL_OP_LEGACY_SERVER_CONNECT, 0},
850
    /* no_renegotiation */
851
    {SSL_OP_NO_RENEGOTIATION, 0},
852
    /* no_resumption_on_reneg */
853
    {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},
854
    /* no_legacy_server_connect */
855
    {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
856
    /* allow_no_dhe_kex */
857
    {SSL_OP_ALLOW_NO_DHE_KEX, 0},
858
    /* prefer_no_dhe_kex */
859
    {SSL_OP_PREFER_NO_DHE_KEX, 0},
860
    /* chacha reprioritization */
861
    {SSL_OP_PRIORITIZE_CHACHA, 0},
862
    {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
863
    /* no_middlebox */
864
    {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV},
865
    /* anti_replay */
866
    {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV},
867
    /* no_anti_replay */
868
    {SSL_OP_NO_ANTI_REPLAY, 0},
869
    /* no Encrypt-then-Mac */
870
    {SSL_OP_NO_ENCRYPT_THEN_MAC, 0},
871
    /* no Extended master secret */
872
    {SSL_OP_NO_EXTENDED_MASTER_SECRET, 0},
873
};
874

875
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
876
{
877
    if (pcmd == NULL || *pcmd == NULL)
878
        return 0;
879
    /* If a prefix is set, check and skip */
880
    if (cctx->prefix) {
881
        if (strlen(*pcmd) <= cctx->prefixlen)
882
            return 0;
883
        if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
884
            strncmp(*pcmd, cctx->prefix, cctx->prefixlen))
885
            return 0;
886
        if (cctx->flags & SSL_CONF_FLAG_FILE &&
887
            OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen))
888
            return 0;
889
        *pcmd += cctx->prefixlen;
890
    } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
891
        if (**pcmd != '-' || !(*pcmd)[1])
892
            return 0;
893
        *pcmd += 1;
894
    }
895
    return 1;
896
}
897

898
/* Determine if a command is allowed according to cctx flags */
899
static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t)
900
{
901
    unsigned int tfl = t->flags;
902
    unsigned int cfl = cctx->flags;
903
    if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER))
904
        return 0;
905
    if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT))
906
        return 0;
907
    if ((tfl & SSL_CONF_FLAG_CERTIFICATE)
908
        && !(cfl & SSL_CONF_FLAG_CERTIFICATE))
909
        return 0;
910
    return 1;
911
}
912

913
static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
914
                                                   const char *cmd)
915
{
916
    const ssl_conf_cmd_tbl *t;
917
    size_t i;
918
    if (cmd == NULL)
919
        return NULL;
920

921
    /* Look for matching parameter name in table */
922
    for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) {
923
        if (ssl_conf_cmd_allowed(cctx, t)) {
924
            if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
925
                if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0)
926
                    return t;
927
            }
928
            if (cctx->flags & SSL_CONF_FLAG_FILE) {
929
                if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0)
930
                    return t;
931
            }
932
        }
933
    }
934
    return NULL;
935
}
936

937
static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd)
938
{
939
    /* Find index of command in table */
940
    size_t idx = cmd - ssl_conf_cmds;
941
    const ssl_switch_tbl *scmd;
942

943
    /* Sanity check index */
944
    if (idx >= OSSL_NELEM(ssl_cmd_switches)) {
945
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
946
        return 0;
947
    }
948
    /* Obtain switches entry with same index */
949
    scmd = ssl_cmd_switches + idx;
950
    ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
951
    return 1;
952
}
953

954
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
955
{
956
    const ssl_conf_cmd_tbl *runcmd;
957
    if (cmd == NULL) {
958
        ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_NULL_CMD_NAME);
959
        return 0;
960
    }
961

962
    if (!ssl_conf_cmd_skip_prefix(cctx, &cmd))
963
        goto unknown_cmd;
964

965
    runcmd = ssl_conf_cmd_lookup(cctx, cmd);
966

967
    if (runcmd) {
968
        int rv = -3;
969

970
        if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
971
            return ctrl_switch_option(cctx, runcmd);
972
        }
973
        if (value == NULL)
974
            goto bad_value;
975
        rv = runcmd->cmd(cctx, value);
976
        if (rv > 0)
977
            return 2;
978
        if (rv != -2)
979
            rv = 0;
980

981
 bad_value:
982
        if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
983
            ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE,
984
                           "cmd=%s, value=%s", cmd,
985
                           value != NULL ? value : "<EMPTY>");
986
        return rv;
987
    }
988

989
 unknown_cmd:
990
    if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
991
        ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd);
992

993
    return -2;
994
}
995

996
int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv)
997
{
998
    int rv;
999
    const char *arg = NULL, *argn;
1000

1001
    if (pargc != NULL && *pargc == 0)
1002
        return 0;
1003
    if (pargc == NULL || *pargc > 0)
1004
        arg = **pargv;
1005
    if (arg == NULL)
1006
        return 0;
1007
    if (pargc == NULL || *pargc > 1)
1008
        argn = (*pargv)[1];
1009
    else
1010
        argn = NULL;
1011
    cctx->flags &= ~SSL_CONF_FLAG_FILE;
1012
    cctx->flags |= SSL_CONF_FLAG_CMDLINE;
1013
    rv = SSL_CONF_cmd(cctx, arg, argn);
1014
    if (rv > 0) {
1015
        /* Success: update pargc, pargv */
1016
        (*pargv) += rv;
1017
        if (pargc)
1018
            (*pargc) -= rv;
1019
        return rv;
1020
    }
1021
    /* Unknown switch: indicate no arguments processed */
1022
    if (rv == -2)
1023
        return 0;
1024
    /* Some error occurred processing command, return fatal error */
1025
    if (rv == 0)
1026
        return -1;
1027
    return rv;
1028
}
1029

1030
int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd)
1031
{
1032
    if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) {
1033
        const ssl_conf_cmd_tbl *runcmd;
1034
        runcmd = ssl_conf_cmd_lookup(cctx, cmd);
1035
        if (runcmd)
1036
            return runcmd->value_type;
1037
    }
1038
    return SSL_CONF_TYPE_UNKNOWN;
1039
}
1040

1041
SSL_CONF_CTX *SSL_CONF_CTX_new(void)
1042
{
1043
    SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret));
1044

1045
    return ret;
1046
}
1047

1048
int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx)
1049
{
1050
    /* See if any certificates are missing private keys */
1051
    size_t i;
1052
    CERT *c = NULL;
1053

1054
    if (cctx->ctx != NULL) {
1055
        c = cctx->ctx->cert;
1056
    } else if (cctx->ssl != NULL) {
1057
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(cctx->ssl);
1058

1059
        if (sc != NULL)
1060
            c = sc->cert;
1061
    }
1062
    if (c != NULL && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
1063
        for (i = 0; i < cctx->num_cert_filename; i++) {
1064
            const char *p = cctx->cert_filename[i];
1065

1066
            /*
1067
             * If missing private key try to load one from certificate file
1068
             */
1069
            if (p != NULL && c->pkeys[i].privatekey == NULL) {
1070
                if (!cmd_PrivateKey(cctx, p))
1071
                    return 0;
1072
            }
1073
        }
1074
    }
1075
    if (cctx->canames) {
1076
        if (cctx->ssl)
1077
            SSL_set0_CA_list(cctx->ssl, cctx->canames);
1078
        else if (cctx->ctx)
1079
            SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames);
1080
        else
1081
            sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
1082
        cctx->canames = NULL;
1083
    }
1084
    return 1;
1085
}
1086

1087
static void free_cert_filename(SSL_CONF_CTX *cctx)
1088
{
1089
    size_t i;
1090

1091
    for (i = 0; i < cctx->num_cert_filename; i++)
1092
        OPENSSL_free(cctx->cert_filename[i]);
1093
    OPENSSL_free(cctx->cert_filename);
1094
    cctx->cert_filename = NULL;
1095
    cctx->num_cert_filename = 0;
1096
}
1097

1098
void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
1099
{
1100
    if (cctx) {
1101
        free_cert_filename(cctx);
1102
        OPENSSL_free(cctx->prefix);
1103
        sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
1104
        OPENSSL_free(cctx);
1105
    }
1106
}
1107

1108
unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
1109
{
1110
    cctx->flags |= flags;
1111
    return cctx->flags;
1112
}
1113

1114
unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
1115
{
1116
    cctx->flags &= ~flags;
1117
    return cctx->flags;
1118
}
1119

1120
int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre)
1121
{
1122
    char *tmp = NULL;
1123
    if (pre) {
1124
        tmp = OPENSSL_strdup(pre);
1125
        if (tmp == NULL)
1126
            return 0;
1127
    }
1128
    OPENSSL_free(cctx->prefix);
1129
    cctx->prefix = tmp;
1130
    if (tmp)
1131
        cctx->prefixlen = strlen(tmp);
1132
    else
1133
        cctx->prefixlen = 0;
1134
    return 1;
1135
}
1136

1137
void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
1138
{
1139
    cctx->ssl = ssl;
1140
    cctx->ctx = NULL;
1141
    free_cert_filename(cctx);
1142
    if (ssl != NULL) {
1143
        SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1144

1145
        if (sc == NULL)
1146
            return;
1147
        cctx->poptions = &sc->options;
1148
        cctx->min_version = &sc->min_proto_version;
1149
        cctx->max_version = &sc->max_proto_version;
1150
        cctx->pcert_flags = &sc->cert->cert_flags;
1151
        cctx->pvfy_flags = &sc->verify_mode;
1152
        cctx->cert_filename = OPENSSL_zalloc(sc->ssl_pkey_num
1153
                                             * sizeof(*cctx->cert_filename));
1154
        if (cctx->cert_filename != NULL)
1155
            cctx->num_cert_filename = sc->ssl_pkey_num;
1156
    } else {
1157
        cctx->poptions = NULL;
1158
        cctx->min_version = NULL;
1159
        cctx->max_version = NULL;
1160
        cctx->pcert_flags = NULL;
1161
        cctx->pvfy_flags = NULL;
1162
    }
1163
}
1164

1165
void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
1166
{
1167
    cctx->ctx = ctx;
1168
    cctx->ssl = NULL;
1169
    free_cert_filename(cctx);
1170
    if (ctx) {
1171
        cctx->poptions = &ctx->options;
1172
        cctx->min_version = &ctx->min_proto_version;
1173
        cctx->max_version = &ctx->max_proto_version;
1174
        cctx->pcert_flags = &ctx->cert->cert_flags;
1175
        cctx->pvfy_flags = &ctx->verify_mode;
1176
        cctx->cert_filename = OPENSSL_zalloc((SSL_PKEY_NUM + ctx->sigalg_list_len)
1177
                                             * sizeof(*cctx->cert_filename));
1178
        if (cctx->cert_filename != NULL)
1179
            cctx->num_cert_filename = SSL_PKEY_NUM + ctx->sigalg_list_len;
1180
    } else {
1181
        cctx->poptions = NULL;
1182
        cctx->min_version = NULL;
1183
        cctx->max_version = NULL;
1184
        cctx->pcert_flags = NULL;
1185
        cctx->pvfy_flags = NULL;
1186
    }
1187
}
1188

1189