openssl/ssl/ssl_conf.c

/*! \file ssl/ssl_conf.c
 *  \brief SSL configuration functions
 */
/* ====================================================================
 * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#ifdef REF_CHECK
#  include <assert.h>
#endif
#include <stdio.h>
#include "ssl_locl.h"
#include <openssl/conf.h>
#include <openssl/objects.h>

/* structure holding name tables. This is used for pemitted elements in
 * lists such as TLSv1 and single command line switches such as no_tls1
 */

typedef struct
	{
	const char *name;
	int namelen;
	unsigned int name_flags;
	unsigned long option_value;
	} ssl_flag_tbl;

/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
#define SSL_TFLAG_INV	0x1
/* Flags refers to cert_flags not options */
#define SSL_TFLAG_CERT	0x2
/* Option can only be used for clients */
#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
/* Option can only be used for servers */
#define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER
#define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER)

#define SSL_FLAG_TBL(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag}
#define SSL_FLAG_TBL_SRV(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag}
#define SSL_FLAG_TBL_CLI(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag}
#define SSL_FLAG_TBL_INV(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag}
#define SSL_FLAG_TBL_SRV_INV(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag}
#define SSL_FLAG_TBL_CERT(str, flag) \
	{str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}

/* Opaque structure containing SSL configuration context.
 */

struct ssl_conf_ctx_st
	{
	/* Various flags indicating (among other things) which options we
	 * will recognise.
	 */
	unsigned int flags;
	/* Prefix and length of commands */
	char *prefix;
	size_t prefixlen;
	/* SSL_CTX or SSL structure to perform operations on */
	SSL_CTX *ctx;
	SSL *ssl;
	/* Pointer to SSL or SSL_CTX options field or NULL if none */
	unsigned long *poptions;
	/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
	unsigned int *pcert_flags;
	/* Current flag table being worked on */
	const ssl_flag_tbl *tbl;
	/* Size of table */
	size_t ntbl;
	};

static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
				const char *name, int namelen, int onoff)
	{
	/* If name not relevant for context skip */
	if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH))
		return 0;
	if (namelen == -1)
		{
		if (strcmp(tbl->name, name))
			return 0;
		}
	else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen))
		return 0;
	if (cctx->poptions)
		{
		if (tbl->name_flags & SSL_TFLAG_INV)
			onoff ^= 1;
		if (tbl->name_flags & SSL_TFLAG_CERT)
			{
			if (onoff)
				*cctx->pcert_flags |= tbl->option_value;
			else
				*cctx->pcert_flags &= ~tbl->option_value;
			}
		else
			{
			if (onoff)
				*cctx->poptions |= tbl->option_value;
			else
				*cctx->poptions &= ~tbl->option_value;
			}
		}
	return 1;
	}

static int ssl_set_option_list(const char *elem, int len, void *usr)
	{
	SSL_CONF_CTX *cctx = usr;
	size_t i;
	const ssl_flag_tbl *tbl;
	int onoff = 1;
	/* len == -1 indicates not being called in list context, just for
	 * single command line switches, so don't allow +, -.
	 */
	if (len != -1)
		{
		if (*elem == '+')
			{
			elem++;
			len--;
			onoff = 1;
			}
		else if (*elem == '-')
			{
			elem++;
			len--;
			onoff = 0;
			}
		}
	for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++)
		{
		if (ssl_match_option(cctx, tbl, elem, len, onoff))
			return 1;
		}
	return 0;
	}

/* Single command line switches with no argument e.g. -no_ssl3 */
static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
	{
	static const ssl_flag_tbl ssl_option_single[] =
		{
		SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2),
		SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),
		SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
		SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
		SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
		SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
		SSL_FLAG_TBL("bugs", SSL_OP_ALL),
		SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),
#ifndef OPENSSL_NO_TLSEXT
		SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),
#endif
		SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),
		SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
		SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
		SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
		SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
		SSL_FLAG_TBL_CERT("debug_broken_protocol", SSL_CERT_FLAG_BROKEN_PROTOCOL),
#endif
		};
	cctx->tbl = ssl_option_single;
	cctx->ntbl = sizeof(ssl_option_single)/sizeof(ssl_flag_tbl);
	return ssl_set_option_list(cmd, -1, cctx);
	}

/* Set supported signature algorithms */
static int cmd_sigalgs(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv;
	if (cctx->ssl)
		rv = SSL_set1_sigalgs_list(cctx->ssl, value);
	/* NB: ctx == NULL performs syntax checking only */
	else
		rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value);
	return rv > 0;
	}
/* Set supported client signature algorithms */
static int cmd_client_sigalgs(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv;
	if (cctx->ssl)
		rv = SSL_set1_client_sigalgs_list(cctx->ssl, value);
	/* NB: ctx == NULL performs syntax checking only */
	else
		rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value);
	return rv > 0;
	}

static int cmd_curves(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv;
	if (cctx->ssl)
		rv = SSL_set1_curves_list(cctx->ssl, value);
	/* NB: ctx == NULL performs syntax checking only */
	else
		rv = SSL_CTX_set1_curves_list(cctx->ctx, value);
	return rv > 0;
	}

/* ECDH temporary parameters */
static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
	{
	int onoff = -1, rv = 1;
	if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
		return -2;
	if (cctx->flags & SSL_CONF_FLAG_FILE)
		{
		if (*value == '+')
			{
			onoff = 1;
			value++;
			}
		if (*value == '-')
			{
			onoff = 0;
			value++;
			}
		if (!strcasecmp(value, "automatic"))
			{
			if (onoff == -1)
				onoff = 1;
			}
		else if (onoff != -1)
			return 0;
		}
	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
		{
		if (!strcmp(value, "auto"))
			onoff = 1;
		}

	if (onoff != -1)
		{
		if (cctx->ctx)
			rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff);
		else if (cctx->ssl)
			rv = SSL_set_ecdh_auto(cctx->ssl, onoff);
		}
	else
		{
		EC_KEY *ecdh;
		int nid;
		nid = EC_curve_nist2nid(value);
		if (nid == NID_undef)
			nid = OBJ_sn2nid(value);
		if (nid == 0)
			return 0;
		ecdh = EC_KEY_new_by_curve_name(nid);
		if (!ecdh)
			return 0;
		if (cctx->ctx)
			rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh);
		else if (cctx->ssl)
			rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh);
		EC_KEY_free(ecdh);
		}

	return rv > 0;
	}

static int cmd_cipher_list(SSL_CONF_CTX *cctx, const char *value)
	{
	int rv = 1;
	if (cctx->ctx)
		rv = SSL_CTX_set_cipher_list(cctx->ctx, value);
	if (cctx->ssl)
		rv = SSL_set_cipher_list(cctx->ssl, value);
	return rv > 0;
	}

static int cmd_protocol(SSL_CONF_CTX *cctx, const char *value)
	{
	static const ssl_flag_tbl ssl_protocol_list[] =
		{
		SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
		SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
		SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
		SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
		SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
		SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
		};
	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
		return -2;
	cctx->tbl = ssl_protocol_list;
	cctx->ntbl = sizeof(ssl_protocol_list)/sizeof(ssl_flag_tbl);
	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
	}

static int cmd_options(SSL_CONF_CTX *cctx, const char *value)
	{
	static const ssl_flag_tbl ssl_option_list[] =
		{
		SSL_FLAG_TBL_INV("SessionTicket", SSL_OP_NO_TICKET),
		SSL_FLAG_TBL_INV("EmptyFragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS),
		SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
		SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
		SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
		SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
		SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
		SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
		};
	if (!(cctx->flags & SSL_CONF_FLAG_FILE))
		return -2;
	if (value == NULL)
		return -3;
	cctx->tbl = ssl_option_list;
	cctx->ntbl = sizeof(ssl_option_list)/sizeof(ssl_flag_tbl);
	return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
	}

typedef struct
	{
	int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
	const char *str_file;
	const char *str_cmdline;
	} ssl_conf_cmd_tbl;

/* Table of supported patameters */

static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
	{cmd_sigalgs,		"SignatureAlgorithms", "sigalgs"},
	{cmd_client_sigalgs,	"ClientSignatureAlgorithms", "client_sigalgs"},
	{cmd_curves,		"Curves", "curves"},
	{cmd_ecdhparam,		"ECDHParameters", "named_curve"},
	{cmd_cipher_list,	"CipherString", "cipher"},
	{cmd_protocol,		"Protocol", NULL},
	{cmd_options,		"Options", NULL},
};

int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
	{
	ssl_conf_cmd_tbl *t, *runcmd = NULL;
	size_t i;
	if (cmd == NULL)
		{
		SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME);
		return 0;
		}
	/* If a prefix is set, check and skip */
	if (cctx->prefix)
		{
		if (strlen(cmd) <= cctx->prefixlen)
			return -2;
		if (cctx->flags & SSL_CONF_FLAG_CMDLINE &&
			strncmp(cmd, cctx->prefix, cctx->prefixlen))
			return -2;
		if (cctx->flags & SSL_CONF_FLAG_FILE &&
			strncasecmp(cmd, cctx->prefix, cctx->prefixlen))
			return -2;
		cmd += cctx->prefixlen;
		}
	else if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
		{
		if (*cmd != '-' || !cmd[1])
			return -2;
		cmd++;
		}

	/* Look for matching parameter name in table */
	for (i = 0, t = ssl_conf_cmds;
		i < sizeof(ssl_conf_cmds)/sizeof(ssl_conf_cmd_tbl); i++, t++)
		{
		if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
			{
			if (t->str_cmdline && !strcmp(t->str_cmdline, cmd))
				{
				runcmd = t;
				break;
				}
			}
		if (cctx->flags & SSL_CONF_FLAG_FILE)
			{
			if (t->str_file && !strcasecmp(t->str_file, cmd))
				{
				runcmd = t;
				break;
				}
			}
		}

	if (runcmd)
		{
		int rv;
		if (value == NULL)
			return -3;
		rv = t->cmd(cctx, value);
		if (rv > 0)
			return 2;
		if (rv == -2)
			return -2;
		if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
			{
			SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE);
			ERR_add_error_data(4, "cmd=", cmd, ", value=", value);
			}
		return 0;
		}

	if (cctx->flags & SSL_CONF_FLAG_CMDLINE)
		{
		if (ctrl_str_option(cctx, cmd))
			return 1;
		}

	if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
		{
		SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
		ERR_add_error_data(2, "cmd=", cmd);
		}

	return -2;
	}

int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv)
	{
	int rv;
	const char *arg = NULL, *argn;
	if (pargc && *pargc == 0)
		return 0;
	if (!pargc || *pargc > 0)
		arg = **pargv;
	if (arg == NULL)
		return 0;
	if (!pargc || *pargc > 1)
		argn = (*pargv)[1];
	else
		argn = NULL;
	cctx->flags &= ~SSL_CONF_FLAG_FILE;
	cctx->flags |= SSL_CONF_FLAG_CMDLINE;
	rv = SSL_CONF_cmd(cctx, arg, argn);
	if (rv > 0)
		{
		/* Success: update pargc, pargv */
		(*pargv) += rv;
		if (pargc)
			(*pargc) -= rv;
		return rv;
		}
	/* Unknown swicth: indicate no arguments processed */
	if (rv == -2)
		return 0;
	/* Some error occurred processing command, return fatal error */
	if (rv == 0)
		return -1;
	return rv;
	}

SSL_CONF_CTX *SSL_CONF_CTX_new(void)
	{
	SSL_CONF_CTX *ret;
	ret = OPENSSL_malloc(sizeof(SSL_CONF_CTX));
	if (ret)
		{
		ret->flags = 0;
		ret->prefix = NULL;
		ret->prefixlen = 0;
		ret->ssl = NULL;
		ret->ctx = NULL;
		ret->poptions = NULL;
		ret->pcert_flags = NULL;
		ret->tbl = NULL;
		ret->ntbl = 0;
		}
	return ret;
	}

void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
	{
	if (cctx)
		{
		if (cctx->prefix)
			OPENSSL_free(cctx->prefix);
		OPENSSL_free(cctx);
		}
	}

unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags)
	{
	cctx->flags |= flags;
	return cctx->flags;
	}

unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags)
	{
	cctx->flags &= ~flags;
	return cctx->flags;
	}

int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre)
	{
	char *tmp = NULL;
	if (pre)
		{
		tmp = BUF_strdup(pre);
		if (tmp == NULL)
			return 0;
		}
	if (cctx->prefix)
		OPENSSL_free(cctx->prefix);
	cctx->prefix = tmp;
	if (tmp)
		cctx->prefixlen = strlen(tmp);
	else
		cctx->prefixlen = 0;
	return 1;
	}

void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
	{
	cctx->ssl = ssl;
	cctx->ctx = NULL;
	if (ssl)
		{
		cctx->poptions = &ssl->options;
		cctx->pcert_flags = &ssl->cert->cert_flags;
		}
	else
		{
		cctx->poptions = NULL;
		cctx->pcert_flags = NULL;
		}
	}

void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
	{
	cctx->ctx = ctx;
	cctx->ssl = NULL;
	if (ctx)
		{
		cctx->poptions = &ctx->options;
		cctx->pcert_flags = &ctx->cert->cert_flags;
		}
	else
		{
		cctx->poptions = NULL;
		cctx->pcert_flags = NULL;
		}
	}