Update libressl README.DRAGONFLY for v2.4.4
[dragonfly.git] / crypto / libressl / tls / tls_config.c
1/* $OpenBSD: tls_config.c,v 1.21 2016/07/07 14:09:03 jsing Exp $ */
2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <ctype.h>
19#include <errno.h>
20#include <stdlib.h>
21
22#include <tls.h>
23#include "tls_internal.h"
24
25static int
26set_string(const char **dest, const char *src)
27{
28 free((char *)*dest);
29 *dest = NULL;
30 if (src != NULL)
31 if ((*dest = strdup(src)) == NULL)
32 return -1;
33 return 0;
34}
35
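/*
 * Return a heap copy of the len bytes at in, or NULL on allocation failure.
 *
 * A zero-length request allocates a minimal block instead of calling
 * malloc(0): malloc(0) may legitimately return NULL on some platforms, and
 * set_mem() would then misreport an empty buffer as out-of-memory.  Nothing
 * is read from in when len is 0, so in may be NULL in that case.
 *
 * The caller owns the result and releases it with free().
 */
static void *
memdup(const void *in, size_t len)
{
	void *out;

	if ((out = malloc(len > 0 ? len : 1)) == NULL)
		return NULL;
	if (len > 0)
		memcpy(out, in, len);
	return out;
}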
46
/*
 * Replace the buffer at *dest / *destlen with a heap copy of the srclen
 * bytes at src.
 *
 * The old buffer is released and the length zeroed before anything else
 * happens, so a failed copy (-1) leaves *dest NULL and *destlen 0 rather
 * than a stale pointer.  A NULL src clears the buffer; *destlen is still
 * set to srclen on the success path.
 *
 * Returns 0 on success, -1 on allocation failure.
 */
static int
set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
{
	char *copy;

	free(*dest);
	*dest = NULL;
	*destlen = 0;

	if (src != NULL) {
		if ((copy = malloc(srclen)) == NULL)
			return -1;
		memcpy(copy, src, srclen);
		*dest = copy;
	}
	*destlen = srclen;

	return 0;
}
59
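/*
 * Allocate a zeroed keypair: file names and memory buffers NULL, lengths 0,
 * next NULL - the same state tls_keypair_clear() produces.
 *
 * Declared with a proper (void) prototype; the old empty parameter list was
 * a K&R-style declaration that lets callers pass arbitrary arguments
 * unchecked.
 *
 * Returns NULL if calloc fails.  Released with tls_keypair_free().
 */
static struct tls_keypair *
tls_keypair_new(void)
{
	struct tls_keypair *keypair;

	if ((keypair = calloc(1, sizeof(*keypair))) == NULL)
		return NULL;

	return keypair;
}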
65
/*
 * Record the certificate file path for keypair.  The path is copied; NULL
 * clears it.  Returns 0, or -1 on allocation failure.
 */
static int
tls_keypair_set_cert_file(struct tls_keypair *keypair, const char *cert_file)
{
	const char **slot = &keypair->cert_file;

	return set_string(slot, cert_file);
}
71
/*
 * Store a copy of the len-byte certificate buffer in keypair (NULL clears
 * it).  The caller keeps ownership of cert.  Returns 0, or -1 on
 * allocation failure.
 */
static int
tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
    size_t len)
{
	int rc;

	rc = set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
	return rc;
}
78
/*
 * Record the private key file path for keypair.  The path is copied; NULL
 * clears it.  Returns 0, or -1 on allocation failure.
 */
static int
tls_keypair_set_key_file(struct tls_keypair *keypair, const char *key_file)
{
	const char **slot = &keypair->key_file;

	return set_string(slot, key_file);
}
84
/*
 * Replace the in-memory private key of keypair with a copy of key (NULL
 * clears it).
 *
 * The old key bytes are wiped with explicit_bzero() before set_mem() frees
 * the block, so key material does not linger in freed heap memory.  The
 * caller keeps ownership of key.  Returns 0, or -1 if the copy could not be
 * allocated; the old key is gone either way.
 */
static int
tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
    size_t len)
{
	char *old = keypair->key_mem;

	if (old != NULL)
		explicit_bzero(old, keypair->key_len);

	return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
}
93
/*
 * Drop the in-memory certificate and private key of keypair.  The key is
 * wiped before release by tls_keypair_set_key_mem(); file paths are left in
 * place.  With a NULL source the setters cannot fail, so their results are
 * deliberately ignored.
 */
static void
tls_keypair_clear(struct tls_keypair *keypair)
{
	(void)tls_keypair_set_key_mem(keypair, NULL, 0);
	(void)tls_keypair_set_cert_mem(keypair, NULL, 0);
}
100
/*
 * Release keypair and everything it owns.  NULL is accepted as a no-op.
 *
 * tls_keypair_clear() runs first so the private key bytes are wiped before
 * their block is freed; it also leaves cert_mem and key_mem NULL, which
 * makes the explicit frees of those two fields harmless no-ops.
 */
static void
tls_keypair_free(struct tls_keypair *keypair)
{
	if (keypair == NULL)
		return;

	tls_keypair_clear(keypair);

	free((char *)keypair->key_file);
	free(keypair->key_mem);
	free((char *)keypair->cert_file);
	free(keypair->cert_mem);

	free(keypair);
}
116
/*
 * Allocate a configuration populated with the library defaults: one empty
 * keypair, the CA file at _PATH_SSL_CA_FILE, DHE params "none", ECDHE curve
 * "auto", the "secure" cipher list, TLS_PROTOCOLS_DEFAULT, a verify depth
 * of 6, server-side cipher preference and full peer verification
 * (certificate, name and time).
 *
 * Returns NULL on allocation failure or if any default cannot be applied;
 * the partially built config is released via tls_config_free() on that
 * path, so nothing leaks.
 */
struct tls_config *
tls_config_new(void)
{
	struct tls_config *config = calloc(1, sizeof(*config));

	if (config == NULL)
		return NULL;

	/* Each step is tried in order and the first failure aborts. */
	if ((config->keypair = tls_keypair_new()) == NULL ||
	    tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0 ||
	    tls_config_set_dheparams(config, "none") != 0 ||
	    tls_config_set_ecdhecurve(config, "auto") != 0 ||
	    tls_config_set_ciphers(config, "secure") != 0) {
		tls_config_free(config);
		return NULL;
	}

	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
	tls_config_set_verify_depth(config, 6);
	tls_config_prefer_ciphers_server(config);
	tls_config_verify(config);

	return config;
}
153
/*
 * Release config and everything it owns: the keypair chain (each keypair's
 * private key is wiped by tls_keypair_free()), the last error message, the
 * CA file/path/memory buffers and the cipher string.  NULL is accepted as a
 * no-op.
 */
void
tls_config_free(struct tls_config *config)
{
	struct tls_keypair *kp, *next;

	if (config == NULL)
		return;

	kp = config->keypair;
	while (kp != NULL) {
		/* Grab the link before the node is destroyed. */
		next = kp->next;
		tls_keypair_free(kp);
		kp = next;
	}

	free(config->error.msg);

	free((char *)config->ciphers);
	free((char *)config->ca_path);
	free((char *)config->ca_mem);
	free((char *)config->ca_file);

	free(config);
}
176
/*
 * Return the message recorded by the most recent failing call on config,
 * or NULL if none has been recorded (the field starts zeroed from calloc).
 * The string is owned by config and is released by tls_config_free().
 */
const char *
tls_config_error(struct tls_config *config)
{
	return config->error.msg;
}
182
/*
 * Release every in-memory certificate, private key and CA buffer held by
 * config.  Private keys are wiped before their memory is freed (see
 * tls_keypair_clear()); file paths are kept.  Cannot fail: with a NULL
 * source the setters always succeed, so the CA result is ignored.
 */
void
tls_config_clear_keys(struct tls_config *config)
{
	struct tls_keypair *kp = config->keypair;

	while (kp != NULL) {
		tls_keypair_clear(kp);
		kp = kp->next;
	}

	(void)tls_config_set_ca_mem(config, NULL, 0);
}
193
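/*
 * Parse a protocol specification such as "tlsv1.2", "secure",
 * "tlsv1.1,tlsv1.2" or "all:!tlsv1.0" into a TLS_PROTOCOL_* bit mask.
 *
 * Tokens are separated by ',' or ':' and may carry leading blanks (spaces
 * or tabs only).  A leading '!' removes the token's protocols instead of
 * adding them; a negation as the first token starts from TLS_PROTOCOLS_ALL.
 * Keywords are matched case-insensitively: "all"/"legacy" select
 * TLS_PROTOCOLS_ALL, "default"/"secure" select TLS_PROTOCOLS_DEFAULT, and
 * "tlsv1", "tlsv1.0", "tlsv1.1", "tlsv1.2" select the individual versions.
 * "all"/"legacy" therefore enable every version tls.h groups under
 * TLS_PROTOCOLS_ALL, not just the secure default set.
 *
 * A specification that negates everything (e.g. "!all") yields an empty
 * mask (0) and still succeeds.
 *
 * Returns 0 and stores the mask in *protocols, or -1 (leaving *protocols
 * untouched) for a NULL string, an unknown or empty token, or if the
 * working copy could not be allocated.
 */
int
tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
{
	uint32_t proto, protos = 0;
	char *s, *p, *q;
	int negate;

	/* strdup(NULL) is undefined; treat a missing string as invalid. */
	if (protostr == NULL)
		return (-1);

	/* strsep() writes into its input, so work on a private copy. */
	if ((s = strdup(protostr)) == NULL)
		return (-1);

	q = s;
	while ((p = strsep(&q, ",:")) != NULL) {
		while (*p == ' ' || *p == '\t')
			p++;

		negate = 0;
		if (*p == '!') {
			negate = 1;
			p++;
		}

		/* "!x" with nothing selected yet means "everything but x". */
		if (negate && protos == 0)
			protos = TLS_PROTOCOLS_ALL;

		proto = 0;
		if (strcasecmp(p, "all") == 0 ||
		    strcasecmp(p, "legacy") == 0)
			proto = TLS_PROTOCOLS_ALL;
		else if (strcasecmp(p, "default") == 0 ||
		    strcasecmp(p, "secure") == 0)
			proto = TLS_PROTOCOLS_DEFAULT;
		else if (strcasecmp(p, "tlsv1") == 0)
			proto = TLS_PROTOCOL_TLSv1;
		else if (strcasecmp(p, "tlsv1.0") == 0)
			proto = TLS_PROTOCOL_TLSv1_0;
		else if (strcasecmp(p, "tlsv1.1") == 0)
			proto = TLS_PROTOCOL_TLSv1_1;
		else if (strcasecmp(p, "tlsv1.2") == 0)
			proto = TLS_PROTOCOL_TLSv1_2;

		/* Unknown keyword, or an empty token ("a,,b", trailing ','). */
		if (proto == 0) {
			free(s);
			return (-1);
		}

		if (negate)
			protos &= ~proto;
		else
			protos |= proto;
	}

	*protocols = protos;

	free(s);

	return (0);
}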
251
/*
 * Set the path of the CA bundle file used for peer verification.  The path
 * is copied; NULL clears it.  Returns 0, or -1 on allocation failure.
 */
int
tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
{
	int rc;

	rc = set_string(&config->ca_file, ca_file);
	return rc;
}
257
/*
 * Set the directory path searched for CA certificates.  The path is
 * copied; NULL clears it.  Returns 0, or -1 on allocation failure.
 */
int
tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
{
	int rc;

	rc = set_string(&config->ca_path, ca_path);
	return rc;
}
263
/*
 * Store a copy of an in-memory CA bundle (len bytes at ca); NULL clears it.
 * The caller keeps ownership of ca.  Returns 0, or -1 on allocation
 * failure.
 */
int
tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
{
	int rc;

	rc = set_mem(&config->ca_mem, &config->ca_len, ca, len);
	return rc;
}
269
/*
 * Set the certificate file path on the config's keypair (see
 * tls_keypair_set_cert_file()).  Returns 0, or -1 on allocation failure.
 */
int
tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_cert_file(kp, cert_file);
}
275
/*
 * Store a copy of an in-memory certificate on the config's keypair (see
 * tls_keypair_set_cert_mem()).  Returns 0, or -1 on allocation failure.
 */
int
tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_cert_mem(kp, cert, len);
}
282
/*
 * Select the cipher list for config.
 *
 * The aliases "default"/"secure" (also used for NULL), "compat", "legacy"
 * and "all"/"insecure" expand to the TLS_CIPHERS_* strings from tls.h;
 * any other string is handed to libssl verbatim as a cipher string.  The
 * result is validated by applying it to a throw-away SSL_CTX, so an
 * unsatisfiable list is rejected here rather than at handshake time.
 * Note that "all"/"insecure"/"legacy" widen the list beyond the secure
 * default - see the TLS_CIPHERS_* definitions for exactly what they admit.
 *
 * Returns 0 on success, or -1 with an error recorded via
 * tls_config_set_errorx().
 */
int
tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
{
	const struct {
		const char *alias;
		const char *list;
	} aliases[] = {
		{ "default",	TLS_CIPHERS_DEFAULT },
		{ "secure",	TLS_CIPHERS_DEFAULT },
		{ "compat",	TLS_CIPHERS_COMPAT },
		{ "legacy",	TLS_CIPHERS_LEGACY },
		{ "all",	TLS_CIPHERS_ALL },
		{ "insecure",	TLS_CIPHERS_ALL },
	};
	SSL_CTX *ssl_ctx;
	size_t i;
	int rc = -1;

	if (ciphers == NULL) {
		ciphers = TLS_CIPHERS_DEFAULT;
	} else {
		for (i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++) {
			if (strcasecmp(ciphers, aliases[i].alias) == 0) {
				ciphers = aliases[i].list;
				break;
			}
		}
	}

	/* Probe the list against a scratch context before accepting it. */
	if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
		tls_config_set_errorx(config, "out of memory");
		return -1;
	}

	if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1)
		tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
	else
		rc = set_string(&config->ciphers, ciphers);

	SSL_CTX_free(ssl_ctx);
	return rc;
}
316
/*
 * Choose the DHE parameter policy: "none" (or NULL) stores 0 and disables
 * DHE, "auto" stores -1 to let the library pick, and "legacy" stores 1024
 * (bits) for interoperability with old peers.  NOTE(review): a 1024-bit DH
 * group is below current recommendations; prefer "auto" unless an old
 * peer genuinely requires it.  Matching is case-insensitive.
 *
 * Returns 0 on success, or -1 with an error recorded for any other string.
 */
int
tls_config_set_dheparams(struct tls_config *config, const char *params)
{
	const struct {
		const char *name;
		int keylen;
	} choices[] = {
		{ "none",	0 },
		{ "auto",	-1 },
		{ "legacy",	1024 },
	};
	size_t i;

	if (params == NULL) {
		config->dheparams = 0;
		return (0);
	}

	for (i = 0; i < sizeof(choices) / sizeof(choices[0]); i++) {
		if (strcasecmp(params, choices[i].name) == 0) {
			config->dheparams = choices[i].keylen;
			return (0);
		}
	}

	tls_config_set_errorx(config, "invalid dhe param '%s'", params);
	return (-1);
}
337
/*
 * Choose the ECDHE curve by name: "none" (or NULL) stores NID_undef,
 * "auto" stores -1 to let the library pick, and any other name is resolved
 * through OBJ_txt2nid().  Matching of the keywords is case-insensitive.
 *
 * Returns 0 on success, or -1 with an error recorded if the name is not a
 * known object identifier.
 */
int
tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
{
	int nid = NID_undef;

	if (name != NULL && strcasecmp(name, "none") != 0) {
		if (strcasecmp(name, "auto") == 0)
			nid = -1;
		else if ((nid = OBJ_txt2nid(name)) == NID_undef) {
			tls_config_set_errorx(config,
			    "invalid ecdhe curve '%s'", name);
			return (-1);
		}
	}

	config->ecdhecurve = nid;

	return (0);
}
356
/*
 * Set the private key file path on the config's keypair (see
 * tls_keypair_set_key_file()).  Returns 0, or -1 on allocation failure.
 */
int
tls_config_set_key_file(struct tls_config *config, const char *key_file)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_key_file(kp, key_file);
}
362
/*
 * Store a copy of an in-memory private key on the config's keypair.  Any
 * previous key is wiped before release (see tls_keypair_set_key_mem()).
 * Returns 0, or -1 on allocation failure.
 */
int
tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_key_mem(kp, key, len);
}
369
/*
 * Set both the certificate and the private key file paths.  Returns 0, or
 * -1 if either copy fails.  The two steps are not transactional: if the
 * certificate path is stored and the key path then fails, the new
 * certificate path remains set.
 */
int
tls_config_set_keypair_file(struct tls_config *config,
    const char *cert_file, const char *key_file)
{
	int rc;

	rc = tls_config_set_cert_file(config, cert_file);
	if (rc == 0)
		rc = tls_config_set_key_file(config, key_file);

	return (rc != 0 ? -1 : 0);
}
381
/*
 * Store copies of both an in-memory certificate and private key.  Returns
 * 0, or -1 if either copy fails.  As with the file variant the steps are
 * not transactional: a stored certificate stays in place if the key copy
 * fails.
 */
int
tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
    size_t cert_len, const uint8_t *key, size_t key_len)
{
	int rc;

	rc = tls_config_set_cert_mem(config, cert, cert_len);
	if (rc == 0)
		rc = tls_config_set_key_mem(config, key, key_len);

	return (rc != 0 ? -1 : 0);
}
393
/*
 * Store the set of protocol versions that may be negotiated, as a
 * TLS_PROTOCOL_* bit mask (tls_config_parse_protocols() builds one from a
 * string).  The mask is stored as-is; no validation happens here.
 */
void
tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
{
	config->protocols = protocols;
}
399
/*
 * Store the verify depth; tls_config_new() sets 6 by default.  The value
 * is only recorded here - how it bounds chain verification is decided
 * where the config is applied to a context.
 */
void
tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
{
	config->verify_depth = verify_depth;
}
405
/*
 * Clear the ciphers_server flag, i.e. let the client's cipher preference
 * order decide (the opposite of tls_config_prefer_ciphers_server(), which
 * is the tls_config_new() default).
 */
void
tls_config_prefer_ciphers_client(struct tls_config *config)
{
	config->ciphers_server = 0;
}
411
/*
 * Set the ciphers_server flag, i.e. the server's cipher preference order
 * wins over the client's.  This is the tls_config_new() default.
 */
void
tls_config_prefer_ciphers_server(struct tls_config *config)
{
	config->ciphers_server = 1;
}
417
/*
 * Disable peer certificate verification.  Intended for testing only: a
 * peer presenting any certificate is then accepted, so the connection can
 * no longer be trusted to reach the intended party.  Undone by
 * tls_config_verify().
 */
void
tls_config_insecure_noverifycert(struct tls_config *config)
{
	config->verify_cert = 0;
}
423
/*
 * Disable matching of the peer certificate against the expected server
 * name.  Intended for testing only: a valid certificate issued to a
 * different name is then accepted.  Undone by tls_config_verify().
 */
void
tls_config_insecure_noverifyname(struct tls_config *config)
{
	config->verify_name = 0;
}
429
/*
 * Disable validity-period checks on the peer certificate.  Intended for
 * hosts without a reliable clock; expired or not-yet-valid certificates
 * are then accepted.  Undone by tls_config_verify().
 */
void
tls_config_insecure_noverifytime(struct tls_config *config)
{
	config->verify_time = 0;
}
435
/*
 * Re-enable full peer verification - certificate, name and validity
 * period - reverting all three tls_config_insecure_noverify*() switches.
 * This is the state tls_config_new() starts in.
 */
void
tls_config_verify(struct tls_config *config)
{
	config->verify_cert = 1;
	config->verify_name = 1;
	config->verify_time = 1;
}
443
/*
 * Require client certificates (server side): verify_client = 1.  The
 * default from calloc in tls_config_new() is 0, i.e. no client
 * certificate is requested.
 */
void
tls_config_verify_client(struct tls_config *config)
{
	config->verify_client = 1;
}
449
/*
 * Request but do not require a client certificate: verify_client = 2.
 * The value 2 is distinguished from 1 (tls_config_verify_client()) by the
 * code that applies the config - presumably "request, accept absence";
 * confirm against the context setup code.
 */
void
tls_config_verify_client_optional(struct tls_config *config)
{
	config->verify_client = 2;
}