|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _ _
|
|
Packit |
90a5c9 |
* _ __ ___ ___ __| | ___ ___| | mod_ssl
|
|
Packit |
90a5c9 |
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
|
|
Packit |
90a5c9 |
* | | | | | | (_) | (_| | \__ \__ \ |
|
|
Packit |
90a5c9 |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
|
|
Packit |
90a5c9 |
* |_____|
|
|
Packit |
90a5c9 |
* ssl_util_ssl.c
|
|
Packit |
90a5c9 |
* Additional Utility Functions for OpenSSL
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "ssl_private.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** Additional High-Level Functions for OpenSSL
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* we initialize this index at startup time
|
|
Packit |
90a5c9 |
* and never write to it at request time,
|
|
Packit |
90a5c9 |
* so this static is thread safe.
|
|
Packit |
90a5c9 |
* also note that OpenSSL increments at static variable when
|
|
Packit |
90a5c9 |
* SSL_get_ex_new_index() is called, so we _must_ do this at startup.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static int app_data2_idx = -1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
void modssl_init_app_data2_idx(void)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int i;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (app_data2_idx > -1) {
|
|
Packit |
90a5c9 |
return;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* we _do_ need to call this twice */
|
|
Packit |
90a5c9 |
for (i = 0; i <= 1; i++) {
|
|
Packit |
90a5c9 |
app_data2_idx =
|
|
Packit |
90a5c9 |
SSL_get_ex_new_index(0,
|
|
Packit |
90a5c9 |
"Second Application Data for SSL",
|
|
Packit |
90a5c9 |
NULL, NULL, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
void *modssl_get_app_data2(SSL *ssl)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
return (void *)SSL_get_ex_data(ssl, app_data2_idx);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
void modssl_set_app_data2(SSL *ssl, void *arg)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSL_set_ex_data(ssl, app_data2_idx, (char *)arg);
|
|
Packit |
90a5c9 |
return;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** High-Level Private Key Loading
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
70c855 |
EVP_PKEY *modssl_read_privatekey(const char *filename, pem_password_cb *cb, void *s)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
EVP_PKEY *rc;
|
|
Packit |
90a5c9 |
BIO *bioS;
|
|
Packit |
90a5c9 |
BIO *bioF;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* 1. try PEM (= DER+Base64+headers) */
|
|
Packit |
90a5c9 |
if ((bioS=BIO_new_file(filename, "r")) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
70c855 |
rc = PEM_read_bio_PrivateKey(bioS, NULL, cb, s);
|
|
Packit |
90a5c9 |
BIO_free(bioS);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (rc == NULL) {
|
|
Packit |
90a5c9 |
/* 2. try DER+Base64 */
|
|
Packit |
90a5c9 |
if ((bioS = BIO_new_file(filename, "r")) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
|
|
Packit |
90a5c9 |
BIO_free(bioS);
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
bioS = BIO_push(bioF, bioS);
|
|
Packit |
90a5c9 |
rc = d2i_PrivateKey_bio(bioS, NULL);
|
|
Packit |
90a5c9 |
BIO_free_all(bioS);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (rc == NULL) {
|
|
Packit |
90a5c9 |
/* 3. try plain DER */
|
|
Packit |
90a5c9 |
if ((bioS = BIO_new_file(filename, "r")) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
rc = d2i_PrivateKey_bio(bioS, NULL);
|
|
Packit |
90a5c9 |
BIO_free(bioS);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return rc;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** Smart shutdown
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int modssl_smart_shutdown(SSL *ssl)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int i;
|
|
Packit |
90a5c9 |
int rc;
|
|
Packit |
90a5c9 |
int flush;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Repeat the calls, because SSL_shutdown internally dispatches through a
|
|
Packit |
90a5c9 |
* little state machine. Usually only one or two interation should be
|
|
Packit |
90a5c9 |
* needed, so we restrict the total number of restrictions in order to
|
|
Packit |
90a5c9 |
* avoid process hangs in case the client played bad with the socket
|
|
Packit |
90a5c9 |
* connection and OpenSSL cannot recognize it.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
rc = 0;
|
|
Packit |
90a5c9 |
flush = !(SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN);
|
|
Packit |
90a5c9 |
for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
|
|
Packit |
90a5c9 |
rc = SSL_shutdown(ssl);
|
|
Packit |
90a5c9 |
if (rc >= 0 && flush && (SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN)) {
|
|
Packit |
90a5c9 |
/* Once the close notity is sent through the output filters,
|
|
Packit |
90a5c9 |
* ensure it is flushed through the socket.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (BIO_flush(SSL_get_wbio(ssl)) <= 0) {
|
|
Packit |
90a5c9 |
rc = -1;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
flush = 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (rc != 0)
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return rc;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** Certificate Checks
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* retrieve basic constraints ingredients */
|
|
Packit |
90a5c9 |
BOOL modssl_X509_getBC(X509 *cert, int *ca, int *pathlen)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
BASIC_CONSTRAINTS *bc;
|
|
Packit |
90a5c9 |
BIGNUM *bn = NULL;
|
|
Packit |
90a5c9 |
char *cp;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
bc = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
|
|
Packit |
90a5c9 |
if (bc == NULL)
|
|
Packit |
90a5c9 |
return FALSE;
|
|
Packit |
90a5c9 |
*ca = bc->ca;
|
|
Packit |
90a5c9 |
*pathlen = -1 /* unlimited */;
|
|
Packit |
90a5c9 |
if (bc->pathlen != NULL) {
|
|
Packit |
90a5c9 |
if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL) {
|
|
Packit |
90a5c9 |
BASIC_CONSTRAINTS_free(bc);
|
|
Packit |
90a5c9 |
return FALSE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if ((cp = BN_bn2dec(bn)) == NULL) {
|
|
Packit |
90a5c9 |
BN_free(bn);
|
|
Packit |
90a5c9 |
BASIC_CONSTRAINTS_free(bc);
|
|
Packit |
90a5c9 |
return FALSE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
*pathlen = atoi(cp);
|
|
Packit |
90a5c9 |
OPENSSL_free(cp);
|
|
Packit |
90a5c9 |
BN_free(bn);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
BASIC_CONSTRAINTS_free(bc);
|
|
Packit |
90a5c9 |
return TRUE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Convert ASN.1 string to a pool-allocated char * string, escaping
|
|
Packit |
90a5c9 |
* control characters. If raw is zero, convert to UTF-8, otherwise
|
|
Packit |
90a5c9 |
* unchanged from the character set. */
|
|
Packit |
90a5c9 |
static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *result = NULL;
|
|
Packit |
90a5c9 |
BIO *bio;
|
|
Packit |
90a5c9 |
int len, flags = ASN1_STRFLGS_ESC_CTRL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((bio = BIO_new(BIO_s_mem())) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!raw) flags |= ASN1_STRFLGS_UTF8_CONVERT;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ASN1_STRING_print_ex(bio, asn1str, flags);
|
|
Packit |
90a5c9 |
len = BIO_pending(bio);
|
|
Packit |
90a5c9 |
if (len > 0) {
|
|
Packit |
90a5c9 |
result = apr_palloc(p, len+1);
|
|
Packit |
90a5c9 |
len = BIO_read(bio, result, len);
|
|
Packit |
90a5c9 |
result[len] = NUL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
BIO_free(bio);
|
|
Packit |
90a5c9 |
return result;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0)
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* convert a NAME_ENTRY to UTF8 string */
|
|
Packit |
90a5c9 |
char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
|
|
Packit |
90a5c9 |
int raw)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *result = asn1_string_convert(p, X509_NAME_ENTRY_get_data(xsne), raw);
|
|
Packit |
90a5c9 |
ap_xlate_proto_from_ascii(result, len);
|
|
Packit |
90a5c9 |
return result;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
|
|
Packit |
90a5c9 |
* to maxlen characters (specify a maxlen of 0 for no length limit)
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *result = NULL;
|
|
Packit |
90a5c9 |
BIO *bio;
|
|
Packit |
90a5c9 |
int len;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((bio = BIO_new(BIO_s_mem())) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
X509_NAME_print_ex(bio, dn, 0, XN_FLAG_RFC2253);
|
|
Packit |
90a5c9 |
len = BIO_pending(bio);
|
|
Packit |
90a5c9 |
if (len > 0) {
|
|
Packit |
90a5c9 |
result = apr_palloc(p, (maxlen > 0) ? maxlen+1 : len+1);
|
|
Packit |
90a5c9 |
if (maxlen > 0 && maxlen < len) {
|
|
Packit |
90a5c9 |
len = BIO_read(bio, result, maxlen);
|
|
Packit |
90a5c9 |
if (maxlen > 2) {
|
|
Packit |
90a5c9 |
/* insert trailing ellipsis if there's enough space */
|
|
Packit |
90a5c9 |
apr_snprintf(result + maxlen - 3, 4, "...");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
} else {
|
|
Packit |
90a5c9 |
len = BIO_read(bio, result, len);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
result[len] = NUL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
BIO_free(bio);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return result;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void parse_otherName_value(apr_pool_t *p, ASN1_TYPE *value,
|
|
Packit |
90a5c9 |
const char *onf, apr_array_header_t **entries)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const char *str;
|
|
Packit |
90a5c9 |
int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!value || (nid == NID_undef) || !*entries)
|
|
Packit |
90a5c9 |
return;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Currently supported otherName forms (values for "onf"):
|
|
Packit |
90a5c9 |
* "msUPN" (1.3.6.1.4.1.311.20.2.3): Microsoft User Principal Name
|
|
Packit |
90a5c9 |
* "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7): SRVName, as specified in RFC 4985
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if ((nid == NID_ms_upn) && (value->type == V_ASN1_UTF8STRING) &&
|
|
Packit |
90a5c9 |
(str = asn1_string_to_utf8(p, value->value.utf8string))) {
|
|
Packit |
90a5c9 |
APR_ARRAY_PUSH(*entries, const char *) = str;
|
|
Packit |
90a5c9 |
} else if (strEQ(onf, "id-on-dnsSRV") &&
|
|
Packit |
90a5c9 |
(value->type == V_ASN1_IA5STRING) &&
|
|
Packit |
90a5c9 |
(str = asn1_string_to_utf8(p, value->value.ia5string))) {
|
|
Packit |
90a5c9 |
APR_ARRAY_PUSH(*entries, const char *) = str;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Return an array of subjectAltName entries of type "type". If idx is -1,
|
|
Packit |
90a5c9 |
* return all entries of the given type, otherwise return an array consisting
|
|
Packit |
90a5c9 |
* of the n-th occurrence of that type only. Currently supported types:
|
|
Packit |
90a5c9 |
* GEN_EMAIL (rfc822Name)
|
|
Packit |
90a5c9 |
* GEN_DNS (dNSName)
|
|
Packit |
90a5c9 |
* GEN_OTHERNAME (requires the otherName form ["onf"] argument to be supplied,
|
|
Packit |
90a5c9 |
* see parse_otherName_value for the currently supported forms)
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
|
|
Packit |
90a5c9 |
int idx, apr_array_header_t **entries)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
STACK_OF(GENERAL_NAME) *names;
|
|
Packit |
90a5c9 |
int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!x509 || (type < GEN_OTHERNAME) ||
|
|
Packit |
90a5c9 |
((type == GEN_OTHERNAME) && (nid == NID_undef)) ||
|
|
Packit |
90a5c9 |
(type > GEN_RID) || (idx < -1) ||
|
|
Packit |
90a5c9 |
!(*entries = apr_array_make(p, 0, sizeof(char *)))) {
|
|
Packit |
90a5c9 |
*entries = NULL;
|
|
Packit |
90a5c9 |
return FALSE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL))) {
|
|
Packit |
90a5c9 |
int i, n = 0;
|
|
Packit |
90a5c9 |
GENERAL_NAME *name;
|
|
Packit |
90a5c9 |
const char *utf8str;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
|
|
Packit |
90a5c9 |
name = sk_GENERAL_NAME_value(names, i);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (name->type != type)
|
|
Packit |
90a5c9 |
continue;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
switch (type) {
|
|
Packit |
90a5c9 |
case GEN_EMAIL:
|
|
Packit |
90a5c9 |
case GEN_DNS:
|
|
Packit |
90a5c9 |
if (((idx == -1) || (n == idx)) &&
|
|
Packit |
90a5c9 |
(utf8str = asn1_string_to_utf8(p, name->d.ia5))) {
|
|
Packit |
90a5c9 |
APR_ARRAY_PUSH(*entries, const char *) = utf8str;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
n++;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
case GEN_OTHERNAME:
|
|
Packit |
90a5c9 |
if (OBJ_obj2nid(name->d.otherName->type_id) == nid) {
|
|
Packit |
90a5c9 |
if (((idx == -1) || (n == idx))) {
|
|
Packit |
90a5c9 |
parse_otherName_value(p, name->d.otherName->value,
|
|
Packit |
90a5c9 |
onf, entries);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
n++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
default:
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Not implemented right now:
|
|
Packit |
90a5c9 |
* GEN_X400 (x400Address)
|
|
Packit |
90a5c9 |
* GEN_DIRNAME (directoryName)
|
|
Packit |
90a5c9 |
* GEN_EDIPARTY (ediPartyName)
|
|
Packit |
90a5c9 |
* GEN_URI (uniformResourceIdentifier)
|
|
Packit |
90a5c9 |
* GEN_IPADD (iPAddress)
|
|
Packit |
90a5c9 |
* GEN_RID (registeredID)
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((idx != -1) && (n > idx))
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return apr_is_empty_array(*entries) ? FALSE : TRUE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
|
|
Packit |
90a5c9 |
static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
X509_NAME *subj;
|
|
Packit |
90a5c9 |
int i = -1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
|
|
Packit |
90a5c9 |
if (!x509 ||
|
|
Packit |
90a5c9 |
(modssl_X509_getSAN(p, x509, GEN_DNS, NULL, -1, ids) == FALSE && !*ids)) {
|
|
Packit |
90a5c9 |
*ids = NULL;
|
|
Packit |
90a5c9 |
return FALSE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Second, the CN-IDs (commonName attributes in the subject DN) */
|
|
Packit |
90a5c9 |
subj = X509_get_subject_name(x509);
|
|
Packit |
90a5c9 |
while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
|
|
Packit |
90a5c9 |
APR_ARRAY_PUSH(*ids, const char *) =
|
|
Packit |
90a5c9 |
modssl_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i), 0);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return apr_is_empty_array(*ids) ? FALSE : TRUE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Check if a certificate matches for a particular name, by iterating over its
|
|
Packit |
90a5c9 |
* DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching.
|
|
Packit |
90a5c9 |
* If server_rec is non-NULL, some (debug/trace) logging is enabled.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
BOOL modssl_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
|
|
Packit |
90a5c9 |
BOOL allow_wildcard, server_rec *s)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
BOOL matched = FALSE;
|
|
Packit |
90a5c9 |
apr_array_header_t *ids;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* At some day in the future, this might be replaced with X509_check_host()
|
|
Packit |
90a5c9 |
* (available in OpenSSL 1.0.2 and later), but two points should be noted:
|
|
Packit |
90a5c9 |
* 1) wildcard matching in X509_check_host() might yield different
|
|
Packit |
90a5c9 |
* results (by default, it supports a broader set of patterns, e.g.
|
|
Packit |
90a5c9 |
* wildcards in non-initial positions);
|
|
Packit |
90a5c9 |
* 2) we lose the option of logging each DNS- and CN-ID (until a match
|
|
Packit |
90a5c9 |
* is found).
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (getIDs(p, x509, &ids)) {
|
|
Packit |
90a5c9 |
const char *cp;
|
|
Packit |
90a5c9 |
int i;
|
|
Packit |
90a5c9 |
char **id = (char **)ids->elts;
|
|
Packit |
90a5c9 |
BOOL is_wildcard;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (i = 0; i < ids->nelts; i++) {
|
|
Packit |
90a5c9 |
if (!id[i])
|
|
Packit |
90a5c9 |
continue;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Determine if it is a wildcard ID - we're restrictive
|
|
Packit |
90a5c9 |
* in the sense that we require the wildcard character to be
|
|
Packit |
90a5c9 |
* THE left-most label (i.e., the ID must start with "*.")
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* If the ID includes a wildcard character (and the caller is
|
|
Packit |
90a5c9 |
* allowing wildcards), check if it matches for the left-most
|
|
Packit |
90a5c9 |
* DNS label - i.e., the wildcard character is not allowed
|
|
Packit |
90a5c9 |
* to match a dot. Otherwise, try a simple string compare.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if ((allow_wildcard == TRUE && is_wildcard == TRUE &&
|
|
Packit |
90a5c9 |
(cp = ap_strchr_c(name, '.')) && !strcasecmp(id[i]+1, cp)) ||
|
|
Packit |
90a5c9 |
!strcasecmp(id[i], name)) {
|
|
Packit |
90a5c9 |
matched = TRUE;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (s) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
|
|
Packit |
90a5c9 |
"[%s] modssl_X509_match_name: expecting name '%s', "
|
|
Packit |
90a5c9 |
"%smatched by ID '%s'",
|
|
Packit |
90a5c9 |
(mySrvConfig(s))->vhost_id, name,
|
|
Packit |
90a5c9 |
matched == TRUE ? "" : "NOT ", id[i]);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (matched == TRUE) {
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (s) {
|
|
Packit |
90a5c9 |
ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, p, s, x509,
|
|
Packit |
90a5c9 |
APLOGNO(02412) "[%s] Cert %s for name '%s'",
|
|
Packit |
90a5c9 |
(mySrvConfig(s))->vhost_id,
|
|
Packit |
90a5c9 |
matched == TRUE ? "matches" : "does not match",
|
|
Packit |
90a5c9 |
name);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return matched;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** Custom (EC)DH parameter support
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
DH *ssl_dh_GetParamFromFile(const char *file)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
DH *dh = NULL;
|
|
Packit |
90a5c9 |
BIO *bio;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((bio = BIO_new_file(file, "r")) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
|
Packit |
90a5c9 |
BIO_free(bio);
|
|
Packit |
90a5c9 |
return (dh);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#ifdef HAVE_ECC
|
|
Packit |
90a5c9 |
EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
EC_GROUP *group = NULL;
|
|
Packit |
90a5c9 |
BIO *bio;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((bio = BIO_new_file(file, "r")) == NULL)
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
|
|
Packit |
90a5c9 |
BIO_free(bio);
|
|
Packit |
90a5c9 |
return (group);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** Session Stuff
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen,
|
|
Packit |
90a5c9 |
char *str, int strsize)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
|
|
Packit |
90a5c9 |
idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* We must ensure not to process more than what would fit in the
|
|
Packit |
90a5c9 |
* destination buffer, including terminating NULL */
|
|
Packit |
90a5c9 |
if (idlen > (strsize-1) / 2)
|
|
Packit |
90a5c9 |
idlen = (strsize-1) / 2;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_bin2hex(id, idlen, str);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return str;
|
|
Packit |
90a5c9 |
}
|