diff options
| author | Matt Caswell <matt@openssl.org> | 2018-06-15 14:55:06 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-07-02 15:06:12 +0100 |
| commit | 3bb5e5b09e32defefda2b61087c113203005ffa0 (patch) | |
| tree | 47b35b54cfc423ea594f73cf603e24844e78ff96 /ssl/ssl_conf.c | |
| parent | 5a42141565a4074167b006e7a28a822176b40f86 (diff) | |
Add the ability to configure anti-replay via SSL_CONF
This also adds the ability to control this through s_server
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
Diffstat (limited to 'ssl/ssl_conf.c')
| -rw-r--r-- | ssl/ssl_conf.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 758f012938..9c202708d7 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -383,7 +383,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), - SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT) + SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), + SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY) }; if (value == NULL) return -3; @@ -626,6 +627,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("strict", 0), SSL_CONF_CMD_SWITCH("no_middlebox", 0), + SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER), + SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), @@ -671,7 +674,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_TYPE_FILE), #endif SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), - SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER) + SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER), }; /* Supported switches: must match order of switches in ssl_conf_cmds */ @@ -704,6 +707,10 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ /* no_middlebox */ {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, + /* anti_replay */ + {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV}, + /* no_anti_replay */ + {SSL_OP_NO_ANTI_REPLAY, 0}, }; static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |