1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
24 * Additional Utility Functions for OpenSSL
29 /* _________________________________________________________________
31 ** Additional High-Level Functions for OpenSSL
32 ** _________________________________________________________________
35 /* we initialize this index at startup time
36 * and never write to it at request time,
37 * so this static is thread safe.
38 * also note that OpenSSL increments at static variable when
39 * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
41 static int SSL_app_data2_idx = -1;
43 void SSL_init_app_data2_idx(void)
47 if (SSL_app_data2_idx > -1) {
51 /* we _do_ need to call this twice */
52 for (i=0; i<=1; i++) {
54 SSL_get_ex_new_index(0,
55 "Second Application Data for SSL",
60 void *SSL_get_app_data2(SSL *ssl)
62 return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
65 void SSL_set_app_data2(SSL *ssl, void *arg)
67 SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
71 /* _________________________________________________________________
73 ** High-Level Certificate / Private Key Loading
74 ** _________________________________________________________________
77 X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
83 /* 1. try PEM (= DER+Base64+headers) */
84 if ((bioS=BIO_new_file(filename, "r")) == NULL)
86 rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
90 /* 2. try DER+Base64 */
91 if ((bioS=BIO_new_file(filename, "r")) == NULL)
94 if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
98 bioS = BIO_push(bioF, bioS);
99 rc = d2i_X509_bio(bioS, NULL);
103 /* 3. try plain DER */
104 if ((bioS=BIO_new_file(filename, "r")) == NULL)
106 rc = d2i_X509_bio(bioS, NULL);
110 if (rc != NULL && x509 != NULL) {
118 #if SSL_LIBRARY_VERSION <= 0x00904100
119 static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
121 return ((EVP_PKEY *)ASN1_d2i_bio(
122 (char *(*)())EVP_PKEY_new,
123 (char *(*)())d2i_PrivateKey,
124 (bio), (unsigned char **)(key)));
128 EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
134 /* 1. try PEM (= DER+Base64+headers) */
135 if ((bioS=BIO_new_file(filename, "r")) == NULL)
137 rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
141 /* 2. try DER+Base64 */
142 if ((bioS = BIO_new_file(filename, "r")) == NULL)
145 if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
149 bioS = BIO_push(bioF, bioS);
150 rc = d2i_PrivateKey_bio(bioS, NULL);
154 /* 3. try plain DER */
155 if ((bioS = BIO_new_file(filename, "r")) == NULL)
157 rc = d2i_PrivateKey_bio(bioS, NULL);
161 if (rc != NULL && key != NULL) {
169 /* _________________________________________________________________
172 ** _________________________________________________________________
175 int SSL_smart_shutdown(SSL *ssl)
181 * Repeat the calls, because SSL_shutdown internally dispatches through a
182 * little state machine. Usually only one or two interation should be
183 * needed, so we restrict the total number of restrictions in order to
184 * avoid process hangs in case the client played bad with the socket
185 * connection and OpenSSL cannot recognize it.
188 for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
189 if ((rc = SSL_shutdown(ssl)))
195 /* _________________________________________________________________
197 ** Certificate Revocation List (CRL) Storage
198 ** _________________________________________________________________
201 X509_STORE *SSL_X509_STORE_create(char *cpFile, char *cpPath)
204 X509_LOOKUP *pLookup;
206 if (cpFile == NULL && cpPath == NULL)
208 if ((pStore = X509_STORE_new()) == NULL)
210 if (cpFile != NULL) {
211 pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
212 if (pLookup == NULL) {
213 X509_STORE_free(pStore);
216 X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
218 if (cpPath != NULL) {
219 pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
220 if (pLookup == NULL) {
221 X509_STORE_free(pStore);
224 X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
229 int SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
230 X509_NAME *pName, X509_OBJECT *pObj)
232 X509_STORE_CTX pStoreCtx;
235 X509_STORE_CTX_init(&pStoreCtx, pStore, NULL, NULL);
236 rc = X509_STORE_get_by_subject(&pStoreCtx, nType, pName, pObj);
237 X509_STORE_CTX_cleanup(&pStoreCtx);
241 /* _________________________________________________________________
243 ** Cipher Suite Spec String Creation
244 ** _________________________________________________________________
247 char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
249 STACK_OF(SSL_CIPHER) *sk;
258 if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
261 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
262 c = sk_SSL_CIPHER_value(sk, i);
263 l += strlen(SSL_CIPHER_get_name(c))+2+1;
267 cpCipherSuite = (char *)apr_palloc(p, l+1);
269 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
270 c = sk_SSL_CIPHER_value(sk, i);
271 l = strlen(SSL_CIPHER_get_name(c));
272 memcpy(cp, SSL_CIPHER_get_name(c), l);
275 *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
279 return cpCipherSuite;
282 /* _________________________________________________________________
284 ** Certificate Checks
285 ** _________________________________________________________________
288 /* check whether cert contains extended key usage with a SGC tag */
289 BOOL SSL_X509_isSGC(X509 *cert)
291 #ifdef HAVE_SSL_X509V3_EXT_d2i
300 idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
302 ext = X509_get_ext(cert, idx);
303 if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL) {
304 for (i = 0; i < sk_num(sk); i++) {
305 ext_nid = OBJ_obj2nid((ASN1_OBJECT *)sk_value(sk, i));
306 if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) {
319 /* retrieve basic constraints ingredients */
320 BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
322 #ifdef HAVE_SSL_X509V3_EXT_d2i
324 BASIC_CONSTRAINTS *bc;
329 if ((idx = X509_get_ext_by_NID(cert, NID_basic_constraints, -1)) < 0)
331 ext = X509_get_ext(cert, idx);
334 if ((bc = (BASIC_CONSTRAINTS *)X509V3_EXT_d2i(ext)) == NULL)
337 *pathlen = -1 /* unlimited */;
338 if (bc->pathlen != NULL) {
339 if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL)
341 if ((cp = BN_bn2dec(bn)) == NULL)
347 BASIC_CONSTRAINTS_free(bc);
354 /* retrieve subject CommonName of certificate */
355 BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
358 X509_NAME_ENTRY *xsne;
360 unsigned char *data_ptr;
363 xsn = X509_get_subject_name(xs);
364 for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
365 X509_NAME_get_entries(xsn)); i++) {
366 xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
367 X509_NAME_get_entries(xsn), i);
368 nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
369 if (nid == NID_commonName) {
370 data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
371 data_len = X509_NAME_ENTRY_get_data_len(xsne);
372 *cppCN = apr_palloc(p, data_len+1);
373 apr_cpystrn(*cppCN, (char *)data_ptr, data_len+1);
374 (*cppCN)[data_len] = NUL;
375 #ifdef CHARSET_EBCDIC
376 ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
384 /* _________________________________________________________________
386 ** Low-Level CA Certificate Loading
387 ** _________________________________________________________________
390 BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
391 STACK_OF(X509_INFO) *sk,
392 const char *filename)
396 if (!(in = BIO_new(BIO_s_file()))) {
400 if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
407 modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
414 BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
415 STACK_OF(X509_INFO) *sk,
416 const char *pathname)
418 /* XXX: this dir read code is exactly the same as that in
419 * ssl_engine_init.c, only the call to handle the fullname is different,
420 * should fold the duplication.
424 apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
425 const char *fullname;
428 if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
432 while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
433 if (dirent.filetype == APR_DIR) {
434 continue; /* don't try to load directories */
437 fullname = apr_pstrcat(ptemp,
438 pathname, "/", dirent.name,
441 if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
451 /* _________________________________________________________________
453 ** Extra Server Certificate Chain Support
454 ** _________________________________________________________________
458 * Read a file that optionally contains the server certificate in PEM
459 * format, possibly followed by a sequence of CA certificates that
460 * should be sent to the peer in the SSL Certificate message.
462 int SSL_CTX_use_certificate_chain(
463 SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
471 if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
473 if (BIO_read_filename(bio, file) <= 0) {
477 /* optionally skip a leading server certificate */
479 if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
485 /* free a perhaps already configured extra chain */
486 extra_certs=SSL_CTX_get_extra_certs(ctx);
487 if (extra_certs != NULL) {
488 sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
489 SSL_CTX_set_extra_certs(ctx,NULL);
491 /* create new extra chain by loading the certs */
493 while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
494 if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
501 /* Make sure that only the error is just an EOF */
502 if ((err = ERR_peek_error()) > 0) {
503 if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
504 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
508 while (ERR_get_error() > 0) ;
514 /* _________________________________________________________________
517 ** _________________________________________________________________
520 char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
521 char *str, int strsize)
527 for (n = 0; n < idlen && n < SSL_MAX_SSL_SESSION_ID_LENGTH; n++) {
528 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
535 /* sslc+OpenSSL compat */
537 int modssl_session_get_time(SSL_SESSION *session)
539 #ifdef OPENSSL_VERSION_NUMBER
540 return SSL_SESSION_get_time(session);
541 #else /* assume sslc */
543 SSL_SESSION_get_time(session, &ct);
544 return CRYPTO_time_to_int(&ct);
548 #ifndef SSLC_VERSION_NUMBER
549 #define SSLC_VERSION_NUMBER 0x0000
552 DH *modssl_dh_configure(unsigned char *p, int plen,
553 unsigned char *g, int glen)
557 if (!(dh = DH_new())) {
561 #if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
562 dh->p = BN_bin2bn(p, plen, NULL);
563 dh->g = BN_bin2bn(g, glen, NULL);
564 if (!(dh->p && dh->g)) {
569 R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
570 R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);