SSL_CONF table reorganisation.

The value is a directory name.

=item B<SSL_CONF_TYPE_NONE>

The value string is not used e.g. a command line option which doesn't take an

argument.

=back

=head1 NOTES

B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept

for backward compatibility.

B<SSL_CONF_TYPE_NONE> was first added to OpenSSL 1.1.0. In earlier versions of

OpenSSL passing a command which didn't take an argument would return

B<SSL_CONF_TYPE_UNKNOWN>.

=cut

# define SSL_CONF_TYPE_STRING            0x1

# define SSL_CONF_TYPE_FILE              0x2

# define SSL_CONF_TYPE_DIR               0x3

# define SSL_CONF_TYPE_NONE              0x4

/*

 * Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they

/*

 * structure holding name tables. This is used for pemitted elements in lists

 * such as TLSv1 and single command line switches such as no_tls1

 * such as TLSv1.

 */

typedef struct {

    unsigned long option_value;

} ssl_flag_tbl;

/* Switch table: use for single command line switches like no_tls2 */

typedef struct {

    unsigned long option_value;

    unsigned int name_flags;

} ssl_switch_tbl;

/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */

#define SSL_TFLAG_INV   0x1

/* Flags refers to cert_flags not options */

    size_t ntbl;

};

static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,

                           unsigned long option_value, int onoff)

{

    if (cctx->poptions == NULL)

        return;

    if (name_flags & SSL_TFLAG_INV)

        onoff ^= 1;

    if (name_flags & SSL_TFLAG_CERT) {

        if (onoff)

            *cctx->pcert_flags |= option_value;

        else

            *cctx->pcert_flags &= ~option_value;

    } else {

        if (onoff)

            *cctx->poptions |= option_value;

        else

            *cctx->poptions &= ~option_value;

    }

}

static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,

                            const char *name, int namelen, int onoff)

{

    } else if (tbl->namelen != namelen

               || strncasecmp(tbl->name, name, namelen))

        return 0;

    if (cctx->poptions) {

        if (tbl->name_flags & SSL_TFLAG_INV)

            onoff ^= 1;

        if (tbl->name_flags & SSL_TFLAG_CERT) {

            if (onoff)

                *cctx->pcert_flags |= tbl->option_value;

            else

                *cctx->pcert_flags &= ~tbl->option_value;

        } else {

            if (onoff)

                *cctx->poptions |= tbl->option_value;

            else

                *cctx->poptions &= ~tbl->option_value;

        }

    }

    ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);

    return 1;

}

    return 0;

}

/* Single command line switches with no argument e.g. -no_ssl3 */

static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)

{

    /* See apps/apps.h if you change this table. */

    static const ssl_flag_tbl ssl_option_single[] = {

        SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),

        SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),

        SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),

        SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),

        SSL_FLAG_TBL("bugs", SSL_OP_ALL),

        SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),

        SSL_FLAG_TBL_SRV("ecdh_single", SSL_OP_SINGLE_ECDH_USE),

#ifndef OPENSSL_NO_TLSEXT

        SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),

#endif

        SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),

        SSL_FLAG_TBL("legacy_renegotiation",

                     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),

        SSL_FLAG_TBL_SRV("legacy_server_connect",

                         SSL_OP_LEGACY_SERVER_CONNECT),

        SSL_FLAG_TBL_SRV("no_resumption_on_reneg",

                         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),

        SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect",

                             SSL_OP_LEGACY_SERVER_CONNECT),

        SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),

#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL

        SSL_FLAG_TBL_CERT("debug_broken_protocol",

                          SSL_CERT_FLAG_BROKEN_PROTOCOL),

#endif

    };

    cctx->tbl = ssl_option_single;

    cctx->ntbl = OSSL_NELEM(ssl_option_single);

    return ssl_set_option_list(cmd, -1, cctx);

}

/* Set supported signature algorithms */

static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)

{

static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)

{

    int onoff = -1, rv = 1;

    if (!(cctx->flags & SSL_CONF_FLAG_SERVER))

        return -2;

    if (cctx->flags & SSL_CONF_FLAG_FILE) {

        if (*value == '+') {

            onoff = 1;

        SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),

        SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)

    };

    if (!(cctx->flags & SSL_CONF_FLAG_FILE))

        return -2;

    cctx->tbl = ssl_protocol_list;

    cctx->ntbl = OSSL_NELEM(ssl_protocol_list);

    return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);

        SSL_FLAG_TBL("UnsafeLegacyRenegotiation",

                     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),

    };

    if (!(cctx->flags & SSL_CONF_FLAG_FILE))

        return -2;

    if (value == NULL)

        return -3;

    cctx->tbl = ssl_option_list;

{

    int rv = 1;

    CERT *c = NULL;

    if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))

        return -2;

    if (cctx->ctx) {

        rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);

        c = cctx->ctx->cert;

static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)

{

    int rv = 1;

    if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))

        return -2;

    if (!(cctx->flags & SSL_CONF_FLAG_SERVER))

        return -2;

    if (cctx->ctx)

        rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);

    return rv > 0;

    int rv = 0;

    DH *dh = NULL;

    BIO *in = NULL;

    if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))

        return -2;

    if (cctx->ctx || cctx->ssl) {

        in = BIO_new(BIO_s_file_internal());

        if (!in)

    int (*cmd) (SSL_CONF_CTX *cctx, const char *value);

    const char *str_file;

    const char *str_cmdline;

    unsigned int value_type;

    unsigned short flags;

    unsigned short value_type;

} ssl_conf_cmd_tbl;

/* Table of supported parameters */

#define SSL_CONF_CMD(name, cmdopt, type) \

        {cmd_##name, #name, cmdopt, type}

#define SSL_CONF_CMD(name, cmdopt, flags, type) \

        {cmd_##name, #name, cmdopt, flags, type}

#define SSL_CONF_CMD_STRING(name, cmdopt) \

        SSL_CONF_CMD(name, cmdopt, SSL_CONF_TYPE_STRING)

#define SSL_CONF_CMD_STRING(name, cmdopt, flags) \

        SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING)

#define SSL_CONF_CMD_SWITCH(name, flags) \

        {0, NULL, name, flags, SSL_CONF_TYPE_NONE}

/* See apps/apps.h if you change this table. */

static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {

    SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs"),

    SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs"),

    SSL_CONF_CMD_STRING(Curves, "curves"),

    SSL_CONF_CMD_SWITCH("no_ssl3", 0),

    SSL_CONF_CMD_SWITCH("no_tls1", 0),

    SSL_CONF_CMD_SWITCH("no_tls1_1", 0),

    SSL_CONF_CMD_SWITCH("no_tls1_2", 0),

    SSL_CONF_CMD_SWITCH("bugs", 0),

    SSL_CONF_CMD_SWITCH("no_comp", 0),

    SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),

#ifndef OPENSSL_NO_TLSEXT

    SSL_CONF_CMD_SWITCH("no_ticket", 0),

#endif

    SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),

    SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),

    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),

    SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),

    SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),

    SSL_CONF_CMD_SWITCH("strict", 0),

#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL

    SSL_CONF_CMD_SWITCH("debug_broken_protocol", 0),

#endif

    SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),

    SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),

    SSL_CONF_CMD_STRING(Curves, "curves", 0),

#ifndef OPENSSL_NO_EC

    SSL_CONF_CMD_STRING(ECDHParameters, "named_curve"),

    SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),

#endif

    SSL_CONF_CMD_STRING(CipherString, "cipher"),

    SSL_CONF_CMD_STRING(Protocol, NULL),

    SSL_CONF_CMD_STRING(Options, NULL),

    SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE),

    SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE),

    SSL_CONF_CMD(ServerInfoFile, NULL, SSL_CONF_TYPE_FILE),

    SSL_CONF_CMD_STRING(CipherString, "cipher", 0),

    SSL_CONF_CMD_STRING(Protocol, NULL, 0),

    SSL_CONF_CMD_STRING(Options, NULL, 0),

    SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,

                 SSL_CONF_TYPE_FILE),

    SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,

                 SSL_CONF_TYPE_FILE),

    SSL_CONF_CMD(ServerInfoFile, NULL,

                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,

                 SSL_CONF_TYPE_FILE),

#ifndef OPENSSL_NO_DH

    SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE)

    SSL_CONF_CMD(DHParameters, "dhparam",

                 SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,

                 SSL_CONF_TYPE_FILE)

#endif

};

/* Supported switches: must match order of switches in ssl_conf_cmds */

static const ssl_switch_tbl ssl_cmd_switches[] = {

    {SSL_OP_NO_SSLv3, 0},       /* no_ssl3 */

    {SSL_OP_NO_TLSv1, 0},       /* no_tls1 */

    {SSL_OP_NO_TLSv1_1, 0},     /* no_tls1_1 */

    {SSL_OP_NO_TLSv1_2, 0},     /* no_tls1_2 */

    {SSL_OP_ALL, 0},            /* bugs */

    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */

    {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */

#ifndef OPENSSL_NO_TLSEXT

    {SSL_OP_NO_TICKET, 0},      /* no_ticket */

#endif

    {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */

    /* legacy_renegotiation */

    {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},

    /* legacy_server_connect */

    {SSL_OP_LEGACY_SERVER_CONNECT, 0},

    /* no_resumption_on_reneg */

    {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},

    /* no_legacy_server_connect */

    {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},

    {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */

#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL

    {SSL_CERT_FLAG_BROKEN_PROTOCOL, SSL_TFLAG_CERT} /* debug_broken_protocol */

#endif

};

    return 1;

}

/* Determine if a command is allowed according to cctx flags */

static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx,

                                const ssl_conf_cmd_tbl * t)

{

    unsigned int tfl = t->flags;

    unsigned int cfl = cctx->flags;

    if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER))

        return 0;

    if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT))

        return 0;

    if ((tfl & SSL_CONF_FLAG_CERTIFICATE)

        && !(cfl & SSL_CONF_FLAG_CERTIFICATE))

        return 0;

    return 1;

}

static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,

                                                   const char *cmd)

{

    /* Look for matching parameter name in table */

    for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) {

        if (ssl_conf_cmd_allowed(cctx, t)) {

            if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {

                if (t->str_cmdline && !strcmp(t->str_cmdline, cmd))

                    return t;

                    return t;

            }

        }

    }

    return NULL;

}

static int ctrl_switch_option(SSL_CONF_CTX *cctx,

                              const ssl_conf_cmd_tbl * cmd)

{

    /* Find index of command in table */

    size_t idx = cmd - ssl_conf_cmds;

    const ssl_switch_tbl *scmd;

    /* Sanity check index */

    if (idx >= OSSL_NELEM(ssl_cmd_switches))

        return 0;

    /* Obtain switches entry with same index */

    scmd = ssl_cmd_switches + idx;

    ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);

    return 1;

}

int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)

{

    const ssl_conf_cmd_tbl *runcmd;

    if (runcmd) {

        int rv;

        if (runcmd->value_type == SSL_CONF_TYPE_NONE) {

            return ctrl_switch_option(cctx, runcmd);

        }

        if (value == NULL)

            return -3;

        rv = runcmd->cmd(cctx, value);

        return 0;

    }

    if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {

        if (ctrl_str_option(cctx, cmd))

            return 1;

    }

    if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) {

        SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);

        ERR_add_error_data(2, "cmd=", cmd);

{

    if (cctx) {

        size_t i;

        for (i = 0; i < SSL_PKEY_NUM; i++) {

        for (i = 0; i < SSL_PKEY_NUM; i++)

            OPENSSL_free(cctx->cert_filename[i]);

        }

        OPENSSL_free(cctx->prefix);

        OPENSSL_free(cctx);

    }