generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SSL_CONF table reorganisation.

Browse Source 
Add command line switch entries to table and return SSL_CONF_TYPE_NONE for
them in SSL_CONF_cmd_value_type.

Update docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-04-26 13:56:40 +01:00
parent 4c9b0a0314
commit 656b26055c
3 changed files with 155 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/ssl/SSL_CONF_cmd.pod
View File

@ -332,6 +332,11 @@ The value is a file name.
The value is a directory name. The value is a directory name.
=item B<SSL_CONF_TYPE_NONE>
The value string is not used e.g. a command line option which doesn't take an
argument.
=back =back
=head1 NOTES =head1 NOTES
@ -438,4 +443,8 @@ SSL_CONF_cmd() was first added to OpenSSL 1.0.2
B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept
for backward compatibility. for backward compatibility.
B<SSL_CONF_TYPE_NONE> was first added to OpenSSL 1.1.0. In earlier versions of
OpenSSL passing a command which didn't take an argument would return
B<SSL_CONF_TYPE_UNKNOWN>.
=cut =cut

1
include/openssl/ssl.h
View File

@ -594,6 +594,7 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
# define SSL_CONF_TYPE_STRING 0x1 # define SSL_CONF_TYPE_STRING 0x1
# define SSL_CONF_TYPE_FILE 0x2 # define SSL_CONF_TYPE_FILE 0x2
# define SSL_CONF_TYPE_DIR 0x3 # define SSL_CONF_TYPE_DIR 0x3
# define SSL_CONF_TYPE_NONE 0x4
/* /*
* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they * Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they

227
ssl/ssl_conf.c
View File

@ -68,7 +68,7 @@
/* /*
* structure holding name tables. This is used for pemitted elements in lists * structure holding name tables. This is used for pemitted elements in lists
* such as TLSv1 and single command line switches such as no_tls1 * such as TLSv1.
*/ */
typedef struct { typedef struct {
@ -78,6 +78,12 @@ typedef struct {
unsigned long option_value; unsigned long option_value;
} ssl_flag_tbl; } ssl_flag_tbl;
/* Switch table: use for single command line switches like no_tls2 */
typedef struct {
unsigned long option_value;
unsigned int name_flags;
} ssl_switch_tbl;
/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
#define SSL_TFLAG_INV 0x1 #define SSL_TFLAG_INV 0x1
/* Flags refers to cert_flags not options */ /* Flags refers to cert_flags not options */
@ -129,6 +135,26 @@ struct ssl_conf_ctx_st {
size_t ntbl; size_t ntbl;
}; };
static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
unsigned long option_value, int onoff)
{
if (cctx->poptions == NULL)
return;
if (name_flags & SSL_TFLAG_INV)
onoff ^= 1;
if (name_flags & SSL_TFLAG_CERT) {
if (onoff)
*cctx->pcert_flags |= option_value;
else
*cctx->pcert_flags &= ~option_value;
} else {
if (onoff)
*cctx->poptions |= option_value;
else
*cctx->poptions &= ~option_value;
}
}
static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
const char *name, int namelen, int onoff) const char *name, int namelen, int onoff)
{ {
@ -141,21 +167,7 @@ static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
} else if (tbl->namelen != namelen } else if (tbl->namelen != namelen
|| strncasecmp(tbl->name, name, namelen)) || strncasecmp(tbl->name, name, namelen))
return 0; return 0;
if (cctx->poptions) { ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
if (tbl->name_flags & SSL_TFLAG_INV)
onoff ^= 1;
if (tbl->name_flags & SSL_TFLAG_CERT) {
if (onoff)
*cctx->pcert_flags |= tbl->option_value;
else
*cctx->pcert_flags &= ~tbl->option_value;
} else {
if (onoff)
*cctx->poptions |= tbl->option_value;
else
*cctx->poptions &= ~tbl->option_value;
}
}
return 1; return 1;
} }
@ -189,41 +201,6 @@ static int ssl_set_option_list(const char *elem, int len, void *usr)
return 0; return 0;
} }
/* Single command line switches with no argument e.g. -no_ssl3 */
static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
{
/* See apps/apps.h if you change this table. */
static const ssl_flag_tbl ssl_option_single[] = {
SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),
SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
SSL_FLAG_TBL("no_tls1_2", SSL_OP_NO_TLSv1_2),
SSL_FLAG_TBL("bugs", SSL_OP_ALL),
SSL_FLAG_TBL("no_comp", SSL_OP_NO_COMPRESSION),
SSL_FLAG_TBL_SRV("ecdh_single", SSL_OP_SINGLE_ECDH_USE),
#ifndef OPENSSL_NO_TLSEXT
SSL_FLAG_TBL("no_ticket", SSL_OP_NO_TICKET),
#endif
SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),
SSL_FLAG_TBL("legacy_renegotiation",
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
SSL_FLAG_TBL_SRV("legacy_server_connect",
SSL_OP_LEGACY_SERVER_CONNECT),
SSL_FLAG_TBL_SRV("no_resumption_on_reneg",
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect",
SSL_OP_LEGACY_SERVER_CONNECT),
SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
SSL_FLAG_TBL_CERT("debug_broken_protocol",
SSL_CERT_FLAG_BROKEN_PROTOCOL),
#endif
};
cctx->tbl = ssl_option_single;
cctx->ntbl = OSSL_NELEM(ssl_option_single);
return ssl_set_option_list(cmd, -1, cctx);
}
/* Set supported signature algorithms */ /* Set supported signature algorithms */
static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
{ {
@ -265,8 +242,6 @@ static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value)
static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value)
{ {
int onoff = -1, rv = 1; int onoff = -1, rv = 1;
if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
return -2;
if (cctx->flags & SSL_CONF_FLAG_FILE) { if (cctx->flags & SSL_CONF_FLAG_FILE) {
if (*value == '+') { if (*value == '+') {
onoff = 1; onoff = 1;
@ -332,8 +307,6 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2) SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2)
}; };
if (!(cctx->flags & SSL_CONF_FLAG_FILE))
return -2;
cctx->tbl = ssl_protocol_list; cctx->tbl = ssl_protocol_list;
cctx->ntbl = OSSL_NELEM(ssl_protocol_list); cctx->ntbl = OSSL_NELEM(ssl_protocol_list);
return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
@ -355,8 +328,6 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
}; };
if (!(cctx->flags & SSL_CONF_FLAG_FILE))
return -2;
if (value == NULL) if (value == NULL)
return -3; return -3;
cctx->tbl = ssl_option_list; cctx->tbl = ssl_option_list;
@ -368,8 +339,6 @@ static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value)
{ {
int rv = 1; int rv = 1;
CERT *c = NULL; CERT *c = NULL;
if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
return -2;
if (cctx->ctx) { if (cctx->ctx) {
rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value);
c = cctx->ctx->cert; c = cctx->ctx->cert;
@ -404,10 +373,6 @@ static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
{ {
int rv = 1; int rv = 1;
if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
return -2;
if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
return -2;
if (cctx->ctx) if (cctx->ctx)
rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
return rv > 0; return rv > 0;
@ -419,8 +384,6 @@ static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
int rv = 0; int rv = 0;
DH *dh = NULL; DH *dh = NULL;
BIO *in = NULL; BIO *in = NULL;
if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
return -2;
if (cctx->ctx || cctx->ssl) { if (cctx->ctx || cctx->ssl) {
in = BIO_new(BIO_s_file_internal()); in = BIO_new(BIO_s_file_internal());
if (!in) if (!in)
@ -446,33 +409,89 @@ typedef struct {
int (*cmd) (SSL_CONF_CTX *cctx, const char *value); int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
const char *str_file; const char *str_file;
const char *str_cmdline; const char *str_cmdline;
unsigned int value_type; unsigned short flags;
unsigned short value_type;
} ssl_conf_cmd_tbl; } ssl_conf_cmd_tbl;
/* Table of supported parameters */ /* Table of supported parameters */
#define SSL_CONF_CMD(name, cmdopt, type) \ #define SSL_CONF_CMD(name, cmdopt, flags, type) \
{cmd_##name, #name, cmdopt, type} {cmd_##name, #name, cmdopt, flags, type}
#define SSL_CONF_CMD_STRING(name, cmdopt) \ #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \
SSL_CONF_CMD(name, cmdopt, SSL_CONF_TYPE_STRING) SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING)
#define SSL_CONF_CMD_SWITCH(name, flags) \
{0, NULL, name, flags, SSL_CONF_TYPE_NONE}
/* See apps/apps.h if you change this table. */ /* See apps/apps.h if you change this table. */
static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs"), SSL_CONF_CMD_SWITCH("no_ssl3", 0),
SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs"), SSL_CONF_CMD_SWITCH("no_tls1", 0),
SSL_CONF_CMD_STRING(Curves, "curves"), SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
#ifndef OPENSSL_NO_EC SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
SSL_CONF_CMD_STRING(ECDHParameters, "named_curve"), SSL_CONF_CMD_SWITCH("bugs", 0),
SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
#ifndef OPENSSL_NO_TLSEXT
SSL_CONF_CMD_SWITCH("no_ticket", 0),
#endif #endif
SSL_CONF_CMD_STRING(CipherString, "cipher"), SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_STRING(Protocol, NULL), SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
SSL_CONF_CMD_STRING(Options, NULL), SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE), SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE), SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD(ServerInfoFile, NULL, SSL_CONF_TYPE_FILE), SSL_CONF_CMD_SWITCH("strict", 0),
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
SSL_CONF_CMD_SWITCH("debug_broken_protocol", 0),
#endif
SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
SSL_CONF_CMD_STRING(Curves, "curves", 0),
#ifndef OPENSSL_NO_EC
SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER),
#endif
SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
SSL_CONF_CMD_STRING(Protocol, NULL, 0),
SSL_CONF_CMD_STRING(Options, NULL, 0),
SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(ServerInfoFile, NULL,
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE) SSL_CONF_CMD(DHParameters, "dhparam",
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE)
#endif
};
/* Supported switches: must match order of switches in ssl_conf_cmds */
static const ssl_switch_tbl ssl_cmd_switches[] = {
{SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */
{SSL_OP_NO_TLSv1, 0}, /* no_tls1 */
{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
{SSL_OP_ALL, 0}, /* bugs */
{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
#ifndef OPENSSL_NO_TLSEXT
{SSL_OP_NO_TICKET, 0}, /* no_ticket */
#endif
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
/* legacy_renegotiation */
{SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
/* legacy_server_connect */
{SSL_OP_LEGACY_SERVER_CONNECT, 0},
/* no_resumption_on_reneg */
{SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0},
/* no_legacy_server_connect */
{SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
{SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
{SSL_CERT_FLAG_BROKEN_PROTOCOL, SSL_TFLAG_CERT} /* debug_broken_protocol */
#endif #endif
}; };
@ -499,6 +518,22 @@ static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
return 1; return 1;
} }
/* Determine if a command is allowed according to cctx flags */
static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx,
const ssl_conf_cmd_tbl * t)
{
unsigned int tfl = t->flags;
unsigned int cfl = cctx->flags;
if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER))
return 0;
if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT))
return 0;
if ((tfl & SSL_CONF_FLAG_CERTIFICATE)
&& !(cfl & SSL_CONF_FLAG_CERTIFICATE))
return 0;
return 1;
}
static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
const char *cmd) const char *cmd)
{ {
@ -509,6 +544,7 @@ static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
/* Look for matching parameter name in table */ /* Look for matching parameter name in table */
for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) {
if (ssl_conf_cmd_allowed(cctx, t)) {
if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
if (t->str_cmdline && !strcmp(t->str_cmdline, cmd)) if (t->str_cmdline && !strcmp(t->str_cmdline, cmd))
return t; return t;
@ -518,9 +554,25 @@ static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
return t; return t;
} }
} }
}
return NULL; return NULL;
} }
static int ctrl_switch_option(SSL_CONF_CTX *cctx,
const ssl_conf_cmd_tbl * cmd)
{
/* Find index of command in table */
size_t idx = cmd - ssl_conf_cmds;
const ssl_switch_tbl *scmd;
/* Sanity check index */
if (idx >= OSSL_NELEM(ssl_cmd_switches))
return 0;
/* Obtain switches entry with same index */
scmd = ssl_cmd_switches + idx;
ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
return 1;
}
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
{ {
const ssl_conf_cmd_tbl *runcmd; const ssl_conf_cmd_tbl *runcmd;
@ -536,6 +588,9 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
if (runcmd) { if (runcmd) {
int rv; int rv;
if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
return ctrl_switch_option(cctx, runcmd);
}
if (value == NULL) if (value == NULL)
return -3; return -3;
rv = runcmd->cmd(cctx, value); rv = runcmd->cmd(cctx, value);
@ -550,11 +605,6 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
return 0; return 0;
} }
if (cctx->flags & SSL_CONF_FLAG_CMDLINE) {
if (ctrl_str_option(cctx, cmd))
return 1;
}
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) {
SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME);
ERR_add_error_data(2, "cmd=", cmd); ERR_add_error_data(2, "cmd=", cmd);
@ -656,9 +706,8 @@ void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
{ {
if (cctx) { if (cctx) {
size_t i; size_t i;
for (i = 0; i < SSL_PKEY_NUM; i++) { for (i = 0; i < SSL_PKEY_NUM; i++)
OPENSSL_free(cctx->cert_filename[i]); OPENSSL_free(cctx->cert_filename[i]);
}
OPENSSL_free(cctx->prefix); OPENSSL_free(cctx->prefix);
OPENSSL_free(cctx); OPENSSL_free(cctx);
} }