OLD | NEW |
| 1 /* |
| 2 * Copyright 2016 The Netty Project |
| 3 * |
| 4 * The Netty Project licenses this file to you under the Apache License, |
| 5 * version 2.0 (the "License"); you may not use this file except in compliance |
| 6 * with the License. You may obtain a copy of the License at: |
| 7 * |
| 8 * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 * |
| 10 * Unless required by applicable law or agreed to in writing, software |
| 11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 13 * License for the specific language governing permissions and limitations |
| 14 * under the License. |
| 15 */ |
1 /* Licensed to the Apache Software Foundation (ASF) under one or more | 16 /* Licensed to the Apache Software Foundation (ASF) under one or more |
2 * contributor license agreements. See the NOTICE file distributed with | 17 * contributor license agreements. See the NOTICE file distributed with |
3 * this work for additional information regarding copyright ownership. | 18 * this work for additional information regarding copyright ownership. |
4 * The ASF licenses this file to You under the Apache License, Version 2.0 | 19 * The ASF licenses this file to You under the Apache License, Version 2.0 |
5 * (the "License"); you may not use this file except in compliance with | 20 * (the "License"); you may not use this file except in compliance with |
6 * the License. You may obtain a copy of the License at | 21 * the License. You may obtain a copy of the License at |
7 * | 22 * |
8 * http://www.apache.org/licenses/LICENSE-2.0 | 23 * http://www.apache.org/licenses/LICENSE-2.0 |
9 * | 24 * |
10 * Unless required by applicable law or agreed to in writing, software | 25 * Unless required by applicable law or agreed to in writing, software |
11 * distributed under the License is distributed on an "AS IS" BASIS, | 26 * distributed under the License is distributed on an "AS IS" BASIS, |
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 27 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 * See the License for the specific language governing permissions and | 28 * See the License for the specific language governing permissions and |
14 * limitations under the License. | 29 * limitations under the License. |
15 */ | 30 */ |
16 | 31 |
17 /* | |
18 * | |
19 * @author Mladen Turk | |
20 * @version $Id: ssl_private.h 1658728 2015-02-10 14:45:19Z kkolinko $ | |
21 */ | |
22 | |
23 #ifndef SSL_PRIVATE_H | 32 #ifndef SSL_PRIVATE_H |
24 #define SSL_PRIVATE_H | 33 #define SSL_PRIVATE_H |
25 | 34 |
26 /* Exclude unused OpenSSL features | 35 /* Exclude unused OpenSSL features |
27 * even if the OpenSSL supports them | 36 * even if the OpenSSL supports them |
28 */ | 37 */ |
29 #ifndef OPENSSL_NO_IDEA | 38 #ifndef OPENSSL_NO_IDEA |
30 #define OPENSSL_NO_IDEA | 39 #define OPENSSL_NO_IDEA |
31 #endif | 40 #endif |
32 #ifndef OPENSSL_NO_KRB5 | 41 #ifndef OPENSSL_NO_KRB5 |
33 #define OPENSSL_NO_KRB5 | 42 #define OPENSSL_NO_KRB5 |
34 #endif | 43 #endif |
35 #ifndef OPENSSL_NO_MDC2 | 44 #ifndef OPENSSL_NO_MDC2 |
36 #define OPENSSL_NO_MDC2 | 45 #define OPENSSL_NO_MDC2 |
37 #endif | 46 #endif |
38 #ifndef OPENSSL_NO_RC5 | 47 #ifndef OPENSSL_NO_RC5 |
39 #define OPENSSL_NO_RC5 | 48 #define OPENSSL_NO_RC5 |
40 #endif | 49 #endif |
41 | 50 |
42 #include "apr_thread_rwlock.h" | 51 #include "apr_thread_rwlock.h" |
| 52 #include "apr_atomic.h" |
| 53 #include <stdbool.h> |
43 | 54 |
44 /* OpenSSL headers */ | 55 /* OpenSSL headers */ |
45 #include <openssl/opensslv.h> | 56 #include <openssl/opensslv.h> |
46 #include <openssl/ssl.h> | 57 #include <openssl/ssl.h> |
47 #include <openssl/err.h> | 58 #include <openssl/err.h> |
48 #include <openssl/x509.h> | 59 #include <openssl/x509.h> |
49 #include <openssl/pem.h> | 60 #include <openssl/pem.h> |
50 #include <openssl/pkcs12.h> | 61 #include <openssl/pkcs12.h> |
51 #include <openssl/crypto.h> | 62 #include <openssl/crypto.h> |
52 #include <openssl/evp.h> | 63 #include <openssl/evp.h> |
53 #include <openssl/rand.h> | 64 #include <openssl/rand.h> |
54 #include <openssl/x509v3.h> | 65 #include <openssl/x509v3.h> |
| 66 |
| 67 #define ERR_LEN 256 |
| 68 |
55 /* Avoid tripping over an engine build installed globally and detected | 69 /* Avoid tripping over an engine build installed globally and detected |
56 * when the user points at an explicit non-engine flavor of OpenSSL | 70 * when the user points at an explicit non-engine flavor of OpenSSL |
57 */ | 71 */ |
58 #ifndef OPENSSL_NO_ENGINE | 72 #ifndef OPENSSL_NO_ENGINE |
59 #include <openssl/engine.h> | 73 #include <openssl/engine.h> |
60 #endif | 74 #endif |
61 | 75 |
62 #ifndef RAND_MAX | 76 #ifndef RAND_MAX |
63 #include <limits.h> | 77 #include <limits.h> |
64 #define RAND_MAX INT_MAX | 78 #define RAND_MAX INT_MAX |
65 #endif | 79 #endif |
66 | 80 |
67 #define SSL_ALGO_UNKNOWN (0) | |
68 #define SSL_ALGO_RSA (1<<0) | |
69 #define SSL_ALGO_DSA (1<<1) | |
70 #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA) | |
71 | |
72 #define SSL_AIDX_RSA (0) | |
73 #define SSL_AIDX_DSA (1) | |
74 #define SSL_AIDX_MAX (2) | |
75 | |
76 /* | 81 /* |
77 * Define IDs for the temporary RSA keys and DH params | 82 * Define IDs for the temporary RSA keys and DH params |
78 */ | 83 */ |
79 | 84 |
80 #define SSL_TMP_KEY_RSA_512 (0) | 85 #define SSL_TMP_KEY_DH_512 (1) |
81 #define SSL_TMP_KEY_RSA_1024 (1) | 86 #define SSL_TMP_KEY_DH_1024 (2) |
82 #define SSL_TMP_KEY_RSA_2048 (2) | 87 #define SSL_TMP_KEY_DH_2048 (3) |
83 #define SSL_TMP_KEY_RSA_4096 (3) | 88 #define SSL_TMP_KEY_DH_4096 (4) |
84 #define SSL_TMP_KEY_DH_512 (4) | 89 #define SSL_TMP_KEY_MAX (5) |
85 #define SSL_TMP_KEY_DH_1024 (5) | |
86 #define SSL_TMP_KEY_DH_2048 (6) | |
87 #define SSL_TMP_KEY_DH_4096 (7) | |
88 #define SSL_TMP_KEY_MAX (8) | |
89 | |
90 #define SSL_CRT_FORMAT_UNDEF (0) | |
91 #define SSL_CRT_FORMAT_ASN1 (1) | |
92 #define SSL_CRT_FORMAT_TEXT (2) | |
93 #define SSL_CRT_FORMAT_PEM (3) | |
94 #define SSL_CRT_FORMAT_NETSCAPE (4) | |
95 #define SSL_CRT_FORMAT_PKCS12 (5) | |
96 #define SSL_CRT_FORMAT_SMIME (6) | |
97 #define SSL_CRT_FORMAT_ENGINE (7) | |
98 /* XXX this stupid macro helps us to avoid | |
99 * adding yet another param to load_*key() | |
100 */ | |
101 #define SSL_KEY_FORMAT_IISSGC (8) | |
102 | |
103 /* | |
104 * Define the SSL options | |
105 */ | |
106 #define SSL_OPT_NONE (0) | |
107 #define SSL_OPT_RELSET (1<<0) | |
108 #define SSL_OPT_STDENVVARS (1<<1) | |
109 #define SSL_OPT_EXPORTCERTDATA (1<<3) | |
110 #define SSL_OPT_FAKEBASICAUTH (1<<4) | |
111 #define SSL_OPT_STRICTREQUIRE (1<<5) | |
112 #define SSL_OPT_OPTRENEGOTIATE (1<<6) | |
113 #define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_O
PT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE) | |
114 | 90 |
115 /* | 91 /* |
116 * Define the SSL Protocol options | 92 * Define the SSL Protocol options |
117 */ | 93 */ |
118 #define SSL_PROTOCOL_NONE (0) | 94 #define SSL_PROTOCOL_NONE (0) |
119 #define SSL_PROTOCOL_SSLV2 (1<<0) | 95 #define SSL_PROTOCOL_SSLV2 (1<<0) |
120 #define SSL_PROTOCOL_SSLV3 (1<<1) | 96 #define SSL_PROTOCOL_SSLV3 (1<<1) |
121 #define SSL_PROTOCOL_TLSV1 (1<<2) | 97 #define SSL_PROTOCOL_TLSV1 (1<<2) |
122 #define SSL_PROTOCOL_TLSV1_1 (1<<3) | 98 #define SSL_PROTOCOL_TLSV1_1 (1<<3) |
123 #define SSL_PROTOCOL_TLSV1_2 (1<<4) | 99 #define SSL_PROTOCOL_TLSV1_2 (1<<4) |
124 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTO
COL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) | 100 /* TLS_*method according to https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_n
ew.html */ |
| 101 #define SSL_PROTOCOL_TLS (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTO
COL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) |
| 102 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_TLS) |
125 | 103 |
126 #define SSL_MODE_CLIENT (0) | 104 #define SSL_MODE_CLIENT (0) |
127 #define SSL_MODE_SERVER (1) | 105 #define SSL_MODE_SERVER (1) |
128 #define SSL_MODE_COMBINED (2) | 106 #define SSL_MODE_COMBINED (2) |
129 | 107 |
130 #define SSL_BIO_FLAG_RDONLY (1<<0) | |
131 #define SSL_BIO_FLAG_CALLBACK (1<<1) | |
132 #define SSL_DEFAULT_CACHE_SIZE (256) | 108 #define SSL_DEFAULT_CACHE_SIZE (256) |
133 #define SSL_DEFAULT_VHOST_NAME ("_default_:443") | 109 #define SSL_DEFAULT_VHOST_NAME ("_default_:443") |
134 #define SSL_MAX_STR_LEN (2048) | |
135 #define SSL_MAX_PASSWORD_LEN (256) | |
136 | 110 |
137 #define SSL_CVERIFY_UNSET (-1) | 111 #define SSL_CVERIFY_IGNORED (-1) |
138 #define SSL_CVERIFY_NONE (0) | 112 #define SSL_CVERIFY_NONE (0) |
139 #define SSL_CVERIFY_OPTIONAL (1) | 113 #define SSL_CVERIFY_OPTIONAL (1) |
140 #define SSL_CVERIFY_REQUIRE (2) | 114 #define SSL_CVERIFY_REQUIRED (2) |
141 #define SSL_CVERIFY_OPTIONAL_NO_CA (3) | |
142 #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_
CERT) | |
143 | |
144 #define SSL_SHUTDOWN_TYPE_UNSET (0) | |
145 #define SSL_SHUTDOWN_TYPE_STANDARD (1) | |
146 #define SSL_SHUTDOWN_TYPE_UNCLEAN (2) | |
147 #define SSL_SHUTDOWN_TYPE_ACCURATE (3) | |
148 | 115 |
149 #define SSL_TO_APR_ERROR(X) (APR_OS_START_USERERR + 1000 + X) | 116 #define SSL_TO_APR_ERROR(X) (APR_OS_START_USERERR + 1000 + X) |
150 | 117 |
151 #define SSL_INFO_SESSION_ID (0x0001) | 118 #define MAX_ALPN_NPN_PROTO_SIZE 65535 |
152 #define SSL_INFO_CIPHER (0x0002) | |
153 #define SSL_INFO_CIPHER_USEKEYSIZE (0x0003) | |
154 #define SSL_INFO_CIPHER_ALGKEYSIZE (0x0004) | |
155 #define SSL_INFO_CIPHER_VERSION (0x0005) | |
156 #define SSL_INFO_CIPHER_DESCRIPTION (0x0006) | |
157 #define SSL_INFO_PROTOCOL (0x0007) | |
158 | 119 |
159 #define SSL_INFO_CLIENT_S_DN (0x0010) | 120 extern const char* TCN_UNKNOWN_AUTH_METHOD; |
160 #define SSL_INFO_CLIENT_I_DN (0x0020) | |
161 #define SSL_INFO_SERVER_S_DN (0x0040) | |
162 #define SSL_INFO_SERVER_I_DN (0x0080) | |
163 | |
164 #define SSL_INFO_DN_COUNTRYNAME (0x0001) | |
165 #define SSL_INFO_DN_STATEORPROVINCENAME (0x0002) | |
166 #define SSL_INFO_DN_LOCALITYNAME (0x0003) | |
167 #define SSL_INFO_DN_ORGANIZATIONNAME (0x0004) | |
168 #define SSL_INFO_DN_ORGANIZATIONALUNITNAME (0x0005) | |
169 #define SSL_INFO_DN_COMMONNAME (0x0006) | |
170 #define SSL_INFO_DN_TITLE (0x0007) | |
171 #define SSL_INFO_DN_INITIALS (0x0008) | |
172 #define SSL_INFO_DN_GIVENNAME (0x0009) | |
173 #define SSL_INFO_DN_SURNAME (0x000A) | |
174 #define SSL_INFO_DN_DESCRIPTION (0x000B) | |
175 #define SSL_INFO_DN_UNIQUEIDENTIFIER (0x000C) | |
176 #define SSL_INFO_DN_EMAILADDRESS (0x000D) | |
177 | |
178 #define SSL_INFO_CLIENT_MASK (0x0100) | |
179 | |
180 #define SSL_INFO_CLIENT_M_VERSION (0x0101) | |
181 #define SSL_INFO_CLIENT_M_SERIAL (0x0102) | |
182 #define SSL_INFO_CLIENT_V_START (0x0103) | |
183 #define SSL_INFO_CLIENT_V_END (0x0104) | |
184 #define SSL_INFO_CLIENT_A_SIG (0x0105) | |
185 #define SSL_INFO_CLIENT_A_KEY (0x0106) | |
186 #define SSL_INFO_CLIENT_CERT (0x0107) | |
187 #define SSL_INFO_CLIENT_V_REMAIN (0x0108) | |
188 | |
189 #define SSL_INFO_SERVER_MASK (0x0200) | |
190 | |
191 #define SSL_INFO_SERVER_M_VERSION (0x0201) | |
192 #define SSL_INFO_SERVER_M_SERIAL (0x0202) | |
193 #define SSL_INFO_SERVER_V_START (0x0203) | |
194 #define SSL_INFO_SERVER_V_END (0x0204) | |
195 #define SSL_INFO_SERVER_A_SIG (0x0205) | |
196 #define SSL_INFO_SERVER_A_KEY (0x0206) | |
197 #define SSL_INFO_SERVER_CERT (0x0207) | |
198 #define SSL_INFO_CLIENT_CERT_CHAIN (0x0400) | |
199 | |
200 #define SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) \ | |
201 ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \ | |
202 || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \ | |
203 || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \ | |
204 || (errnum == X509_V_ERR_CERT_UNTRUSTED) \ | |
205 || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) | |
206 | |
207 #define SSL_DEFAULT_PASS_PROMPT "Some of your private key files are encrypted fo
r security reasons.\n" \ | |
208 "In order to read them you have to provide the p
ass phrases.\n" \ | |
209 "Enter password :" | |
210 | |
211 #define OCSP_STATUS_OK 0 | |
212 #define OCSP_STATUS_REVOKED 1 | |
213 #define OCSP_STATUS_UNKNOWN 2 | |
214 | |
215 #define MAX_ALPN_NPN_PROTO_SIZE 65535 | |
216 | 121 |
217 /* ECC: make sure we have at least 1.0.0 */ | 122 /* ECC: make sure we have at least 1.0.0 */ |
218 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) | 123 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) |
219 #define HAVE_ECC 1 | 124 #define HAVE_ECC 1 |
220 #endif | 125 #endif |
221 | 126 |
| 127 /* OpenSSL 1.0.2 compatibility */ |
| 128 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
| 129 #define TLS_method SSLv23_method |
| 130 #define TLS_client_method SSLv23_client_method |
| 131 #define TLS_server_method SSLv23_server_method |
| 132 #define OPENSSL_VERSION SSLEAY_VERSION |
| 133 #define OpenSSL_version SSLeay_version |
| 134 #define OPENSSL_malloc_init CRYPTO_malloc_init |
| 135 #define X509_REVOKED_get0_serialNumber(x) x->serialNumber |
| 136 #define OpenSSL_version_num SSLeay |
| 137 #define BIO_get_init(x) ((x)->init) |
| 138 #define BIO_set_init(x,v) ((x)->init=(v)) |
| 139 #define BIO_get_data(x) ((x)->ptr) |
| 140 #define BIO_set_data(x,v) ((x)->ptr=(v)) |
| 141 #define BIO_set_shutdown(x,v) ((x)->shutdown=(v)) |
| 142 #define BIO_get_shutdown(x) ((x)->shutdown) |
| 143 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ |
222 | 144 |
223 #define SSL_SELECTOR_FAILURE_NO_ADVERTISE 0 | 145 #define SSL_SELECTOR_FAILURE_NO_ADVERTISE 0 |
224 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1 | 146 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1 |
225 | 147 |
226 #define SSL_SESSION_TICKET_KEY_NAME_LEN 16 | 148 #define SSL_SESSION_TICKET_KEY_NAME_LEN 16 |
227 #define SSL_SESSION_TICKET_AES_KEY_LEN 16 | 149 #define SSL_SESSION_TICKET_AES_KEY_LEN 16 |
228 #define SSL_SESSION_TICKET_HMAC_KEY_LEN 16 | 150 #define SSL_SESSION_TICKET_HMAC_KEY_LEN 16 |
229 #define SSL_SESSION_TICKET_KEY_SIZE 48 | 151 #define SSL_SESSION_TICKET_KEY_SIZE 48 |
230 | 152 |
231 extern void *SSL_temp_keys[SSL_TMP_KEY_MAX]; | 153 extern void *SSL_temp_keys[SSL_TMP_KEY_MAX]; |
232 | 154 |
233 typedef struct { | 155 // HACK! |
234 /* client can have any number of cert/key pairs */ | 156 // LibreSSL 2.4.x doesn't support the X509_V_ERR_UNSPECIFIED so we introduce a w
ork around to make sure a supported alert is used. |
235 const char *cert_file; | 157 // This should be reverted when we support LibreSSL 2.5.x (which does support X5
09_V_ERR_UNSPECIFIED). |
236 const char *cert_path; | 158 #ifndef X509_V_ERR_UNSPECIFIED |
237 STACK_OF(X509_INFO) *certs; | 159 #define TCN_X509_V_ERR_UNSPECIFIED 99999 |
238 } ssl_pkc_t; | 160 #else |
| 161 #define TCN_X509_V_ERR_UNSPECIFIED (X509_V_ERR_UNSPECIFIED) |
| 162 #endif /*X509_V_ERR_UNSPECIFIED*/ |
239 | 163 |
240 typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t; | 164 typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t; |
241 | 165 |
242 typedef struct { | 166 typedef struct { |
243 char password[SSL_MAX_PASSWORD_LEN]; | |
244 const char *prompt; | |
245 tcn_callback_t cb; | |
246 } tcn_pass_cb_t; | |
247 | |
248 extern tcn_pass_cb_t tcn_password_callback; | |
249 | |
250 typedef struct { | |
251 unsigned char key_name[SSL_SESSION_TICKET_KEY_NAME_LEN]; | 167 unsigned char key_name[SSL_SESSION_TICKET_KEY_NAME_LEN]; |
252 unsigned char hmac_key[SSL_SESSION_TICKET_HMAC_KEY_LEN]; | 168 unsigned char hmac_key[SSL_SESSION_TICKET_HMAC_KEY_LEN]; |
253 unsigned char aes_key[SSL_SESSION_TICKET_AES_KEY_LEN]; | 169 unsigned char aes_key[SSL_SESSION_TICKET_AES_KEY_LEN]; |
254 } tcn_ssl_ticket_key_t; | 170 } tcn_ssl_ticket_key_t; |
255 | 171 |
| 172 typedef struct { |
| 173 int verify_depth; |
| 174 int verify_mode; |
| 175 } tcn_ssl_verify_config_t; |
| 176 |
256 struct tcn_ssl_ctxt_t { | 177 struct tcn_ssl_ctxt_t { |
257 apr_pool_t *pool; | 178 apr_pool_t* pool; |
258 SSL_CTX *ctx; | 179 SSL_CTX* ctx; |
259 BIO *bio_os; | |
260 BIO *bio_is; | |
261 | 180 |
262 unsigned char context_id[SHA_DIGEST_LENGTH]; | 181 /* Holds the alpn protocols, each of them prefixed with the len of the proto
col */ |
| 182 unsigned char* alpn_proto_data; |
| 183 unsigned char* next_proto_data; |
263 | 184 |
264 int protocol; | 185 /* for client or downstream server authentication */ |
265 /* we are one or the other */ | 186 char* password; |
266 int mode; | |
267 | 187 |
268 /* certificate revocation list */ | 188 apr_thread_rwlock_t* mutex; // Session ticket mutext |
269 X509_STORE *crl; | 189 tcn_ssl_ticket_key_t* ticket_keys; |
270 /* pointer to the context verify store */ | |
271 X509_STORE *store; | |
272 const char *cert_files[SSL_AIDX_MAX]; | |
273 const char *key_files[SSL_AIDX_MAX]; | |
274 X509 *certs[SSL_AIDX_MAX]; | |
275 EVP_PKEY *keys[SSL_AIDX_MAX]; | |
276 | |
277 int ca_certs; | |
278 int shutdown_type; | |
279 char *rand_file; | |
280 | |
281 const char *cipher_suite; | |
282 /* for client or downstream server authentication */ | |
283 int verify_depth; | |
284 int verify_mode; | |
285 tcn_pass_cb_t *cb_data; | |
286 | 190 |
287 /* certificate verifier callback */ | 191 /* certificate verifier callback */ |
288 jobject verifier; | 192 jobject verifier; |
289 jmethodID verifier_method; | 193 jmethodID verifier_method; |
290 | 194 |
291 unsigned char *next_proto_data; | 195 jobject cert_requested_callback; |
292 unsigned int next_proto_len; | 196 jmethodID cert_requested_callback_method; |
293 int next_selector_failure_behavior; | |
294 | 197 |
295 /* Holds the alpn protocols, each of them prefixed with the len of the proto
col */ | 198 tcn_ssl_verify_config_t verify_config; |
296 unsigned char *alpn_proto_data; | |
297 unsigned int alpn_proto_len; | |
298 int alpn_selector_failure_behavior; | |
299 | 199 |
300 apr_thread_rwlock_t *mutex; | 200 int protocol; |
301 tcn_ssl_ticket_key_t *ticket_keys; | 201 /* we are one or the other */ |
302 unsigned int ticket_keys_len; | 202 int mode; |
| 203 |
| 204 unsigned int next_proto_len; |
| 205 int next_selector_failure_behavior; |
| 206 |
| 207 unsigned int alpn_proto_len; |
| 208 int alpn_selector_failure_behavior; |
| 209 |
| 210 unsigned int ticket_keys_len; |
| 211 unsigned int pad; |
| 212 |
| 213 /* TLS ticket key session resumption statistics */ |
| 214 |
| 215 // The client did not present a ticket and we issued a new one. |
| 216 apr_uint32_t ticket_keys_new; |
| 217 // The client presented a ticket derived from the primary key |
| 218 apr_uint32_t ticket_keys_resume; |
| 219 // The client presented a ticket derived from an older key, and we upgraded
to the primary key. |
| 220 apr_uint32_t ticket_keys_renew; |
| 221 // The client presented a ticket that did not match any key in the list. |
| 222 apr_uint32_t ticket_keys_fail; |
| 223 |
| 224 unsigned char context_id[SHA_DIGEST_LENGTH]; |
303 }; | 225 }; |
304 | 226 |
305 | |
306 typedef struct { | |
307 apr_pool_t *pool; | |
308 tcn_ssl_ctxt_t *ctx; | |
309 SSL *ssl; | |
310 X509 *peer; | |
311 int shutdown_type; | |
312 /* Track the handshake/renegotiation state for the connection so | |
313 * that all client-initiated renegotiations can be rejected, as a | |
314 * partial fix for CVE-2009-3555. | |
315 */ | |
316 enum { | |
317 RENEG_INIT = 0, /* Before initial handshake */ | |
318 RENEG_REJECT, /* After initial handshake; any client-initiated | |
319 * renegotiation should be rejected | |
320 */ | |
321 RENEG_ALLOW, /* A server-initated renegotiation is taking | |
322 * place (as dictated by configuration) | |
323 */ | |
324 RENEG_ABORT /* Renegotiation initiated by client, abort the | |
325 * connection | |
326 */ | |
327 } reneg_state; | |
328 apr_socket_t *sock; | |
329 apr_pollset_t *pollset; | |
330 } tcn_ssl_conn_t; | |
331 | |
332 | |
333 /* | 227 /* |
334 * Additional Functions | 228 * Additional Functions |
335 */ | 229 */ |
336 void SSL_init_app_data2_3_idx(void); | 230 void SSL_init_app_data_idx(void); |
337 // The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instanc
e. | 231 // The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instanc
e. |
338 void *SSL_get_app_data2(SSL *); | 232 void *SSL_get_app_data2(SSL *); |
339 void SSL_set_app_data2(SSL *, void *); | 233 void SSL_set_app_data2(SSL *, void *); |
340 // The app_data3 is used to store the handshakeCount pointer for the SSL instanc
e. | 234 // The app_data3 is used to store the handshakeCount pointer for the SSL instanc
e. |
341 void *SSL_get_app_data3(SSL *); | 235 void *SSL_get_app_data3(SSL *); |
342 void SSL_set_app_data3(SSL *, void *); | 236 void SSL_set_app_data3(SSL *, void *); |
343 int SSL_password_prompt(tcn_pass_cb_t *); | 237 // The app_data4 is used to store the tcn_ssl_verify_config_t pointer for the SS
L instance. |
| 238 // This will initially point back to the tcn_ssl_ctxt_t in tcn_ssl_ctxt_t. |
| 239 void *SSL_get_app_data4(SSL *); |
| 240 void SSL_set_app_data4(SSL *, void *); |
344 int SSL_password_callback(char *, int, int, void *); | 241 int SSL_password_callback(char *, int, int, void *); |
345 void SSL_BIO_close(BIO *); | |
346 void SSL_BIO_doref(BIO *); | |
347 DH *SSL_dh_get_tmp_param(int); | 242 DH *SSL_dh_get_tmp_param(int); |
348 DH *SSL_dh_get_param_from_file(const char *); | |
349 RSA *SSL_callback_tmp_RSA(SSL *, int, int); | |
350 DH *SSL_callback_tmp_DH(SSL *, int, int); | 243 DH *SSL_callback_tmp_DH(SSL *, int, int); |
351 void SSL_callback_handshake(const SSL *, int, int); | 244 // The following provided callbacks will always return DH of a given length. |
352 int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int); | 245 // See https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_tmp_dh_callback.ht
ml |
353 int SSL_CTX_use_certificate_chain_bio(SSL_CTX *, BIO *, int); | 246 DH *SSL_callback_tmp_DH_512(SSL *, int, int); |
354 int SSL_callback_SSL_verify(int, X509_STORE_CTX *); | 247 DH *SSL_callback_tmp_DH_1024(SSL *, int, int); |
355 int SSL_rand_seed(const char *file); | 248 DH *SSL_callback_tmp_DH_2048(SSL *, int, int); |
| 249 DH *SSL_callback_tmp_DH_4096(SSL *, int, int); |
| 250 int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, bool); |
| 251 int SSL_CTX_use_certificate_chain_bio(SSL_CTX *, BIO *, bool); |
| 252 int SSL_CTX_use_client_CA_bio(SSL_CTX *, BIO *); |
| 253 int SSL_use_certificate_chain_bio(SSL *, BIO *, bool); |
| 254 X509 *load_pem_cert_bio(const char *, const BIO *); |
| 255 EVP_PKEY *load_pem_key_bio(const char *, const BIO *); |
| 256 int tcn_set_verify_config(tcn_ssl_verify_config_t* c, jint tcn_mode, jin
t depth); |
| 257 int tcn_EVP_PKEY_up_ref(EVP_PKEY* pkey); |
| 258 int tcn_X509_up_ref(X509* cert); |
356 int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int
*, void *); | 259 int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int
*, void *); |
357 int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned cha
r *, const unsigned char *, unsigned int,void *); | 260 int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned cha
r *, const unsigned char *, unsigned int,void *); |
358 int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsign
ed char *, const unsigned char *, unsigned int, void *); | 261 int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsign
ed char *, const unsigned char *, unsigned int, void *); |
359 | 262 const char *SSL_cipher_authentication_method(const SSL_CIPHER *); |
360 | 263 |
361 #if defined(__GNUC__) || defined(__GNUG__) | 264 #if defined(__GNUC__) || defined(__GNUG__) |
362 // only supported with GCC, this will be used to support different openssl v
ersions at the same time. | 265 // only supported with GCC, this will be used to support different openssl v
ersions at the same time. |
363 extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos
, | 266 extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos
, |
364 unsigned protos_len) __attribute__((weak)); | 267 unsigned protos_len) __attribute__((weak)); |
365 extern void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, co
nst unsigned char **out, | 268 extern void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, co
nst unsigned char **out, |
366 unsigned char *outlen, const unsigned char *in, unsigned int inlen, | 269 unsigned char *outlen, const unsigned char *in, unsigned int inlen, |
367 void *arg), void *arg) __attribute__((weak)); | 270 void *arg), void *arg) __attribute__((weak)); |
368 extern void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **dat
a, | 271 extern void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **dat
a, |
369 unsigned *len) __attribute__((weak)); | 272 unsigned *len) __attribute__((weak)); |
370 #endif | 273 #endif |
371 | 274 |
372 #endif /* SSL_PRIVATE_H */ | 275 #endif /* SSL_PRIVATE_H */ |
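Review bot: The new side keeps `SSL_TMP_KEY_DH_512` and `SSL_TMP_KEY_DH_1024` and adds `SSL_callback_tmp_DH_512` / `SSL_callback_tmp_DH_1024`, which per the comment above them always return DH parameters of that length. Groups that small are not adequate for ephemeral DH, so I would drop them along with the temporary RSA keys this change already removes, or at least mark them with `/* DH_512 and DH_1024 are weak; do not select for new deployments */`. The DH ids now start at 1 while `SSL_temp_keys[SSL_TMP_KEY_MAX]` is sized 5, so slot 0 is never used; a one-line comment should say whether that is intentional. `SSL_PROTOCOL_TLS` includes `SSL_PROTOCOL_SSLV3`, which the name hides from a caller expecting a TLS-only mask, so add `/* note: this mask includes SSLv3 */` next to the define. In the 1.0.2 compatibility block `X509_REVOKED_get0_serialNumber(x)` expands to `x->serialNumber` without parentheses, unlike the `BIO_*` macros beside it; `((x)->serialNumber)` would match them.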