2 ** _ __ ___ ___ __| | ___ ___| | mod_ssl
3 ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
4 ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
5 ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
8 ** Additional Utility Functions for OpenSSL
11 /* ====================================================================
12 * The Apache Software License, Version 1.1
14 * Copyright (c) 2000-2003 The Apache Software Foundation. All rights
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in
26 * the documentation and/or other materials provided with the
29 * 3. The end-user documentation included with the redistribution,
30 * if any, must include the following acknowledgment:
31 * "This product includes software developed by the
32 * Apache Software Foundation (http://www.apache.org/)."
33 * Alternately, this acknowledgment may appear in the software itself,
34 * if and wherever such third-party acknowledgments normally appear.
36 * 4. The names "Apache" and "Apache Software Foundation" must
37 * not be used to endorse or promote products derived from this
38 * software without prior written permission. For written
39 * permission, please contact apache@apache.org.
41 * 5. Products derived from this software may not be called "Apache",
42 * nor may "Apache" appear in their name, without prior written
43 * permission of the Apache Software Foundation.
45 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
46 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
47 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
48 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
51 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
52 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
53 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
54 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
55 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * ====================================================================
62 /* _________________________________________________________________
64 ** Additional High-Level Functions for OpenSSL
65 ** _________________________________________________________________
68 /* we initialize this index at startup time
69 * and never write to it at request time,
70 * so this static is thread safe.
71 * also note that OpenSSL increments at static variable when
72 * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
74 static int SSL_app_data2_idx = -1;
76 void SSL_init_app_data2_idx(void)
80 if (SSL_app_data2_idx > -1) {
84 /* we _do_ need to call this twice */
85 for (i=0; i<=1; i++) {
87 SSL_get_ex_new_index(0,
88 "Second Application Data for SSL",
93 void *SSL_get_app_data2(SSL *ssl)
95 return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
98 void SSL_set_app_data2(SSL *ssl, void *arg)
100 SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
104 /* _________________________________________________________________
106 ** High-Level Certificate / Private Key Loading
107 ** _________________________________________________________________
110 X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
116 /* 1. try PEM (= DER+Base64+headers) */
117 if ((bioS=BIO_new_file(filename, "r")) == NULL)
119 rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
123 /* 2. try DER+Base64 */
124 if ((bioS=BIO_new_file(filename, "r")) == NULL)
127 if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
131 bioS = BIO_push(bioF, bioS);
132 rc = d2i_X509_bio(bioS, NULL);
136 /* 3. try plain DER */
137 if ((bioS=BIO_new_file(filename, "r")) == NULL)
139 rc = d2i_X509_bio(bioS, NULL);
143 if (rc != NULL && x509 != NULL) {
151 #if SSL_LIBRARY_VERSION <= 0x00904100
152 static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
154 return ((EVP_PKEY *)ASN1_d2i_bio(
155 (char *(*)())EVP_PKEY_new,
156 (char *(*)())d2i_PrivateKey,
157 (bio), (unsigned char **)(key)));
161 EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
167 /* 1. try PEM (= DER+Base64+headers) */
168 if ((bioS=BIO_new_file(filename, "r")) == NULL)
170 rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
174 /* 2. try DER+Base64 */
175 if ((bioS = BIO_new_file(filename, "r")) == NULL)
178 if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
182 bioS = BIO_push(bioF, bioS);
183 rc = d2i_PrivateKey_bio(bioS, NULL);
187 /* 3. try plain DER */
188 if ((bioS = BIO_new_file(filename, "r")) == NULL)
190 rc = d2i_PrivateKey_bio(bioS, NULL);
194 if (rc != NULL && key != NULL) {
202 /* _________________________________________________________________
205 ** _________________________________________________________________
208 int SSL_smart_shutdown(SSL *ssl)
214 * Repeat the calls, because SSL_shutdown internally dispatches through a
215 * little state machine. Usually only one or two interation should be
216 * needed, so we restrict the total number of restrictions in order to
217 * avoid process hangs in case the client played bad with the socket
218 * connection and OpenSSL cannot recognize it.
221 for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
222 if ((rc = SSL_shutdown(ssl)))
228 /* _________________________________________________________________
230 ** Certificate Revocation List (CRL) Storage
231 ** _________________________________________________________________
234 X509_STORE *SSL_X509_STORE_create(char *cpFile, char *cpPath)
237 X509_LOOKUP *pLookup;
239 if (cpFile == NULL && cpPath == NULL)
241 if ((pStore = X509_STORE_new()) == NULL)
243 if (cpFile != NULL) {
244 pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
245 if (pLookup == NULL) {
246 X509_STORE_free(pStore);
249 X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
251 if (cpPath != NULL) {
252 pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
253 if (pLookup == NULL) {
254 X509_STORE_free(pStore);
257 X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
262 int SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
263 X509_NAME *pName, X509_OBJECT *pObj)
265 X509_STORE_CTX pStoreCtx;
268 X509_STORE_CTX_init(&pStoreCtx, pStore, NULL, NULL);
269 rc = X509_STORE_get_by_subject(&pStoreCtx, nType, pName, pObj);
270 X509_STORE_CTX_cleanup(&pStoreCtx);
274 /* _________________________________________________________________
276 ** Cipher Suite Spec String Creation
277 ** _________________________________________________________________
280 char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
282 STACK_OF(SSL_CIPHER) *sk;
291 if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
294 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
295 c = sk_SSL_CIPHER_value(sk, i);
296 l += strlen(SSL_CIPHER_get_name(c))+2+1;
300 cpCipherSuite = (char *)apr_palloc(p, l+1);
302 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
303 c = sk_SSL_CIPHER_value(sk, i);
304 l = strlen(SSL_CIPHER_get_name(c));
305 memcpy(cp, SSL_CIPHER_get_name(c), l);
308 *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
312 return cpCipherSuite;
315 /* _________________________________________________________________
317 ** Certificate Checks
318 ** _________________________________________________________________
321 /* check whether cert contains extended key usage with a SGC tag */
322 BOOL SSL_X509_isSGC(X509 *cert)
324 #ifdef HAVE_SSL_X509V3_EXT_d2i
333 idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
335 ext = X509_get_ext(cert, idx);
336 if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL) {
337 for (i = 0; i < sk_num(sk); i++) {
338 ext_nid = OBJ_obj2nid((ASN1_OBJECT *)sk_value(sk, i));
339 if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) {
352 /* retrieve basic constraints ingredients */
353 BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
355 #ifdef HAVE_SSL_X509V3_EXT_d2i
357 BASIC_CONSTRAINTS *bc;
362 if ((idx = X509_get_ext_by_NID(cert, NID_basic_constraints, -1)) < 0)
364 ext = X509_get_ext(cert, idx);
367 if ((bc = (BASIC_CONSTRAINTS *)X509V3_EXT_d2i(ext)) == NULL)
370 *pathlen = -1 /* unlimited */;
371 if (bc->pathlen != NULL) {
372 if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL)
374 if ((cp = BN_bn2dec(bn)) == NULL)
380 BASIC_CONSTRAINTS_free(bc);
387 /* retrieve subject CommonName of certificate */
388 BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
391 X509_NAME_ENTRY *xsne;
393 unsigned char *data_ptr;
396 xsn = X509_get_subject_name(xs);
397 for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
398 X509_NAME_get_entries(xsn)); i++) {
399 xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
400 X509_NAME_get_entries(xsn), i);
401 nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
402 if (nid == NID_commonName) {
403 data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
404 data_len = X509_NAME_ENTRY_get_data_len(xsne);
405 *cppCN = apr_palloc(p, data_len+1);
406 apr_cpystrn(*cppCN, (char *)data_ptr, data_len+1);
407 (*cppCN)[data_len] = NUL;
408 #ifdef CHARSET_EBCDIC
409 ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
417 /* _________________________________________________________________
419 ** Low-Level CA Certificate Loading
420 ** _________________________________________________________________
423 BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
424 STACK_OF(X509_INFO) *sk,
425 const char *filename)
429 if (!(in = BIO_new(BIO_s_file()))) {
433 if (BIO_read_filename(in, filename) <= 0) {
440 modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
447 BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
448 STACK_OF(X509_INFO) *sk,
449 const char *pathname)
451 /* XXX: this dir read code is exactly the same as that in
452 * ssl_engine_init.c, only the call to handle the fullname is different,
453 * should fold the duplication.
457 apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
458 const char *fullname;
461 if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
465 while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
466 if (dirent.filetype == APR_DIR) {
467 continue; /* don't try to load directories */
470 fullname = apr_pstrcat(ptemp,
471 pathname, "/", dirent.name,
474 if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
484 /* _________________________________________________________________
486 ** Extra Server Certificate Chain Support
487 ** _________________________________________________________________
491 * Read a file that optionally contains the server certificate in PEM
492 * format, possibly followed by a sequence of CA certificates that
493 * should be sent to the peer in the SSL Certificate message.
495 int SSL_CTX_use_certificate_chain(
496 SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
504 if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
506 if (BIO_read_filename(bio, file) <= 0) {
510 /* optionally skip a leading server certificate */
512 if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
518 /* free a perhaps already configured extra chain */
519 extra_certs=SSL_CTX_get_extra_certs(ctx);
520 if (extra_certs != NULL) {
521 sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
522 SSL_CTX_set_extra_certs(ctx,NULL);
524 /* create new extra chain by loading the certs */
526 while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
527 if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
534 /* Make sure that only the error is just an EOF */
535 if ((err = ERR_peek_error()) > 0) {
536 if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
537 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
541 while (ERR_get_error() > 0) ;
547 /* _________________________________________________________________
550 ** _________________________________________________________________
553 char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
554 char *str, int strsize)
560 for (n = 0; n < idlen && n < SSL_MAX_SSL_SESSION_ID_LENGTH; n++) {
561 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
568 /* sslc+OpenSSL compat */
570 int modssl_session_get_time(SSL_SESSION *session)
572 #ifdef OPENSSL_VERSION_NUMBER
573 return SSL_SESSION_get_time(session);
574 #else /* assume sslc */
576 SSL_SESSION_get_time(session, &ct);
577 return CRYPTO_time_to_int(&ct);
581 #ifndef SSLC_VERSION_NUMBER
582 #define SSLC_VERSION_NUMBER 0x0000
585 DH *modssl_dh_configure(unsigned char *p, int plen,
586 unsigned char *g, int glen)
590 if (!(dh = DH_new())) {
594 #if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
595 dh->p = BN_bin2bn(p, plen, NULL);
596 dh->g = BN_bin2bn(g, glen, NULL);
597 if (!(dh->p && dh->g)) {
602 R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
603 R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);