-/* _ _
-** _ __ ___ ___ __| | ___ ___| | mod_ssl
-** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
-** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
-** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
-** |_____|
-** ssl_util_ssl.c
-** Additional Utility Functions for OpenSSL
-*/
-
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2000-2002 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+/* Copyright 2001-2006 The Apache Software Foundation or its licensors, as
+ * applicable.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* _ _
+ * _ __ ___ ___ __| | ___ ___| | mod_ssl
+ * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+ * | | | | | | (_) | (_| | \__ \__ \ |
+ * |_| |_| |_|\___/ \__,_|___|___/___/_|
+ * |_____|
+ * ssl_util_ssl.c
+ * Additional Utility Functions for OpenSSL
*/
-#include "mod_ssl.h"
+#include "ssl_private.h"
/* _________________________________________________________________
**
** _________________________________________________________________
*/
-X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
+X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
{
X509 *rc;
BIO *bioS;
BIO *bioF;
/* 1. try PEM (= DER+Base64+headers) */
- if ((bioS=BIO_new_file(filename, "r")) == NULL)
- return NULL;
- rc=PEM_read_bio_X509 (bioS, x509, cb, NULL);
- BIO_free(bioS);
+ if ((bioS=BIO_new_file(filename, "r")) == NULL)
+ return NULL;
+ rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
+ BIO_free(bioS);
if (rc == NULL) {
/* 2. try DER+Base64 */
- if ((bioS=BIO_new_file(filename, "r")) == NULL)
- return NULL;
-
- if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
+ if ((bioS=BIO_new_file(filename, "r")) == NULL)
+ return NULL;
+
+ if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
BIO_free(bioS);
return NULL;
}
bioS = BIO_push(bioF, bioS);
rc = d2i_X509_bio(bioS, NULL);
BIO_free_all(bioS);
+
if (rc == NULL) {
/* 3. try plain DER */
- if ((bioS=BIO_new_file(filename, "r")) == NULL)
- return NULL;
+ if ((bioS=BIO_new_file(filename, "r")) == NULL)
+ return NULL;
rc = d2i_X509_bio(bioS, NULL);
BIO_free(bioS);
}
static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
{
return ((EVP_PKEY *)ASN1_d2i_bio(
- (char *(*)())EVP_PKEY_new,
- (char *(*)())d2i_PrivateKey,
+ (char *(*)())EVP_PKEY_new,
+ (char *(*)())d2i_PrivateKey,
(bio), (unsigned char **)(key)));
}
#endif
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
{
EVP_PKEY *rc;
BIO *bioS;
BIO *bioF;
/* 1. try PEM (= DER+Base64+headers) */
- if ((bioS=BIO_new_file(filename, "r")) == NULL)
- return NULL;
- rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
- BIO_free(bioS);
+ if ((bioS=BIO_new_file(filename, "r")) == NULL)
+ return NULL;
+ rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
+ BIO_free(bioS);
if (rc == NULL) {
/* 2. try DER+Base64 */
- if ( (bioS = BIO_new_file(filename, "r")) == NULL )
- return NULL;
+ if ((bioS = BIO_new_file(filename, "r")) == NULL)
+ return NULL;
- if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
+ if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
BIO_free(bioS);
return NULL;
}
bioS = BIO_push(bioF, bioS);
rc = d2i_PrivateKey_bio(bioS, NULL);
BIO_free_all(bioS);
+
if (rc == NULL) {
/* 3. try plain DER */
- if ( (bioS = BIO_new_file(filename, "r")) == NULL )
- return NULL;
+ if ((bioS = BIO_new_file(filename, "r")) == NULL)
+ return NULL;
rc = d2i_PrivateKey_bio(bioS, NULL);
BIO_free(bioS);
}
{
X509_STORE *pStore;
X509_LOOKUP *pLookup;
+ int rv = 1;
+
+ ERR_clear_error();
if (cpFile == NULL && cpPath == NULL)
return NULL;
if ((pStore = X509_STORE_new()) == NULL)
return NULL;
if (cpFile != NULL) {
- if ((pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file())) == NULL) {
+ pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
+ if (pLookup == NULL) {
X509_STORE_free(pStore);
return NULL;
}
- X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
+ rv = X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
}
- if (cpPath != NULL) {
- if ((pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir())) == NULL) {
+ if (cpPath != NULL && rv == 1) {
+ pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
+ if (pLookup == NULL) {
X509_STORE_free(pStore);
return NULL;
}
- X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
+ rv = X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
}
- return pStore;
+ return rv == 1 ? pStore : NULL;
}
int SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
char *cpCipherSuite;
char *cp;
- if (ssl == NULL)
+ if (ssl == NULL)
return "";
if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
return "";
/* check whether cert contains extended key usage with a SGC tag */
BOOL SSL_X509_isSGC(X509 *cert)
{
+#ifdef HAVE_SSL_X509V3_EXT_d2i
X509_EXTENSION *ext;
int ext_nid;
STACK *sk;
BOOL is_sgc;
int idx;
int i;
-
+
is_sgc = FALSE;
idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
if (idx >= 0) {
}
}
return is_sgc;
+#else
+ return FALSE;
+#endif
}
/* retrieve basic constraints ingredients */
BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
{
+#ifdef HAVE_SSL_X509V3_EXT_d2i
X509_EXTENSION *ext;
BASIC_CONSTRAINTS *bc;
int idx;
BIGNUM *bn = NULL;
char *cp;
-
+
if ((idx = X509_get_ext_by_NID(cert, NID_basic_constraints, -1)) < 0)
return FALSE;
ext = X509_get_ext(cert, idx);
}
BASIC_CONSTRAINTS_free(bc);
return TRUE;
+#else
+ return FALSE;
+#endif
}
/* retrieve subject CommonName of certificate */
X509_NAME *xsn;
X509_NAME_ENTRY *xsne;
int i, nid;
- char *data_ptr;
+ unsigned char *data_ptr;
int data_len;
xsn = X509_get_subject_name(xs);
*cppCN = apr_palloc(p, data_len+1);
apr_cpystrn(*cppCN, (char *)data_ptr, data_len+1);
(*cppCN)[data_len] = NUL;
-#ifdef CHARSET_EBCDIC
- ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
-#endif
+ ap_xlate_proto_from_ascii(*cppCN, data_len);
return TRUE;
}
}
** _________________________________________________________________
*/
-#ifdef SSL_EXPERIMENTAL_PROXY
-
-BOOL SSL_load_CrtAndKeyInfo_file(apr_pool_t *p, STACK_OF(X509_INFO) *sk, char *filename)
+BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
+ STACK_OF(X509_INFO) *sk,
+ const char *filename)
{
BIO *in;
- if ((in = BIO_new(BIO_s_file())) == NULL)
+ if (!(in = BIO_new(BIO_s_file()))) {
return FALSE;
- if (BIO_read_filename(in, filename) <= 0) {
+ }
+
+ if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
BIO_free(in);
return FALSE;
}
+
ERR_clear_error();
-#if SSL_LIBRARY_VERSION < 0x00904000
- PEM_X509_INFO_read_bio(in, sk, NULL);
-#else
- PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
-#endif
+
+ modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+
BIO_free(in);
+
return TRUE;
}
-BOOL SSL_load_CrtAndKeyInfo_path(apr_pool_t *p, STACK_OF(X509_INFO) *sk, char *pathname)
+BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
+ STACK_OF(X509_INFO) *sk,
+ const char *pathname)
{
- apr_pool_t *sp;
+ /* XXX: this dir read code is exactly the same as that in
+ * ssl_engine_init.c, only the call to handle the fullname is different,
+ * should fold the duplication.
+ */
apr_dir_t *dir;
apr_finfo_t dirent;
- char *fullname;
- BOOL ok;
+ apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
+ const char *fullname;
+ BOOL ok = FALSE;
- apr_pool_sub_make(&sp, p, NULL);
- if (apr_dir_open(&dir, pathname, sp)) != APR_SUCCESS) {
- apr_pool_destroy(sp);
+ if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
return FALSE;
}
- ok = FALSE;
- while ((apr_dir_read(&dirent, APR_FINFO_DIRENT, dir)) == APR_SUCCESS) {
- fullname = apr_pstrcat(sp, pathname, "/", dirent.name, NULL);
- if (dirent.filetype != APR_REG)
- continue;
- if (SSL_load_CrtAndKeyInfo_file(sp, sk, fullname))
+
+ while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
+ if (dirent.filetype == APR_DIR) {
+ continue; /* don't try to load directories */
+ }
+
+ fullname = apr_pstrcat(ptemp,
+ pathname, "/", dirent.name,
+ NULL);
+
+ if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
ok = TRUE;
+ }
}
+
apr_dir_close(dir);
- apr_pool_destroy(sp);
- return ok;
-}
-#endif /* SSL_EXPERIMENTAL_PROXY */
+ return ok;
+}
/* _________________________________________________________________
**
** _________________________________________________________________
*/
-/*
+/*
* Read a file that optionally contains the server certificate in PEM
* format, possibly followed by a sequence of CA certificates that
* should be sent to the peer in the SSL Certificate message.
*/
int SSL_CTX_use_certificate_chain(
- SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
+ SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
{
BIO *bio;
X509 *x509;
}
/* optionally skip a leading server certificate */
if (skipfirst) {
-#if SSL_LIBRARY_VERSION < 0x00904000
- if ((x509 = PEM_read_bio_X509(bio, NULL, cb)) == NULL) {
-#else
- if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
-#endif
+ if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
BIO_free(bio);
return -1;
}
}
/* create new extra chain by loading the certs */
n = 0;
-#if SSL_LIBRARY_VERSION < 0x00904000
- while ((x509 = PEM_read_bio_X509(bio, NULL, cb)) != NULL) {
-#else
- while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
-#endif
- if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
+ while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
X509_free(x509);
BIO_free(bio);
return -1;
}
/* Make sure that only the error is just an EOF */
if ((err = ERR_peek_error()) > 0) {
- if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
+ if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
&& ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
BIO_free(bio);
return -1;
return str;
}
+/* sslc+OpenSSL compat */
+
+int modssl_session_get_time(SSL_SESSION *session)
+{
+#ifdef OPENSSL_VERSION_NUMBER
+ return SSL_SESSION_get_time(session);
+#else /* assume sslc */
+ CRYPTO_TIME_T ct;
+ SSL_SESSION_get_time(session, &ct);
+ return CRYPTO_time_to_int(&ct);
+#endif
+}
+
+#ifndef SSLC_VERSION_NUMBER
+#define SSLC_VERSION_NUMBER 0x0000
+#endif
+
+DH *modssl_dh_configure(unsigned char *p, int plen,
+ unsigned char *g, int glen)
+{
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+#if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
+ dh->p = BN_bin2bn(p, plen, NULL);
+ dh->g = BN_bin2bn(g, glen, NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+#else
+ R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
+ R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);
+#endif
+
+ return dh;
+}