/* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*/
#include "serf.h"
#include "test_server.h"
#include "serf_private.h"
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
#define USE_OPENSSL_1_1_API
#endif
static int init_done = 0;
typedef struct ssl_context_t {
int handshake_done;
SSL_CTX* ctx;
SSL* ssl;
BIO *bio;
BIO_METHOD *biom;
} ssl_context_t;
static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
strncpy(buf, "serftest", size);
buf[size - 1] = '\0';
return strlen(buf);
}
static void bio_set_data(BIO *bio, void *data)
{
#ifdef USE_OPENSSL_1_1_API
BIO_set_data(bio, data);
#else
bio->ptr = data;
#endif
}
static void *bio_get_data(BIO *bio)
{
#ifdef USE_OPENSSL_1_1_API
return BIO_get_data(bio);
#else
return bio->ptr;
#endif
}
static int bio_apr_socket_create(BIO *bio)
{
#ifdef USE_OPENSSL_1_1_API
BIO_set_shutdown(bio, 1);
BIO_set_init(bio, 1);
BIO_set_data(bio, NULL);
#else
bio->shutdown = 1;
bio->init = 1;
bio->num = -1;
bio->ptr = NULL;
#endif
return 1;
}
static int bio_apr_socket_destroy(BIO *bio)
{
/* Did we already free this? */
if (bio == NULL) {
return 0;
}
return 1;
}
static long bio_apr_socket_ctrl(BIO *bio, int cmd, long num, void *ptr)
{
long ret = 1;
switch (cmd) {
default:
/* abort(); */
break;
case BIO_CTRL_FLUSH:
/* At this point we can't force a flush. */
break;
case BIO_CTRL_PUSH:
case BIO_CTRL_POP:
ret = 0;
break;
}
return ret;
}
/* Returns the amount read. */
static int bio_apr_socket_read(BIO *bio, char *in, int inlen)
{
apr_size_t len = inlen;
serv_ctx_t *serv_ctx = bio_get_data(bio);
apr_status_t status;
BIO_clear_retry_flags(bio);
status = apr_socket_recv(serv_ctx->client_sock, in, &len);
serv_ctx->bio_read_status = status;
serf__log_skt(TEST_VERBOSE, __FILE__, serv_ctx->client_sock,
"Read %d bytes from socket with status %d.\n", len, status);
if (status == APR_EAGAIN) {
BIO_set_retry_read(bio);
if (len == 0)
return -1;
}
if (SERF_BUCKET_READ_ERROR(status))
return -1;
return len;
}
/* Returns the amount written. */
static int bio_apr_socket_write(BIO *bio, const char *in, int inlen)
{
apr_size_t len = inlen;
serv_ctx_t *serv_ctx = bio_get_data(bio);
apr_status_t status = apr_socket_send(serv_ctx->client_sock, in, &len);
serf__log_skt(TEST_VERBOSE, __FILE__, serv_ctx->client_sock,
"Wrote %d of %d bytes to socket with status %d.\n",
len, inlen, status);
if (SERF_BUCKET_READ_ERROR(status))
return -1;
return len;
}
#ifndef USE_OPENSSL_1_1_API
static BIO_METHOD bio_apr_socket_method = {
BIO_TYPE_SOCKET,
"APR sockets",
bio_apr_socket_write,
bio_apr_socket_read,
NULL, /* Is this called? */
NULL, /* Is this called? */
bio_apr_socket_ctrl,
bio_apr_socket_create,
bio_apr_socket_destroy,
#ifdef OPENSSL_VERSION_NUMBER
NULL /* sslc does not have the callback_ctrl field */
#endif
};
#endif
static BIO_METHOD *bio_meth_apr_socket_new(void)
{
BIO_METHOD *biom = NULL;
#ifdef USE_OPENSSL_1_1_API
biom = BIO_meth_new(BIO_TYPE_SOCKET, "APR sockets");
if (biom) {
BIO_meth_set_write(biom, bio_apr_socket_write);
BIO_meth_set_read(biom, bio_apr_socket_read);
BIO_meth_set_ctrl(biom, bio_apr_socket_ctrl);
BIO_meth_set_create(biom, bio_apr_socket_create);
BIO_meth_set_destroy(biom, bio_apr_socket_destroy);
}
#else
biom = &bio_apr_socket_method;
#endif
return biom;
}
static int validate_client_certificate(int preverify_ok, X509_STORE_CTX *ctx)
{
serf__log(TEST_VERBOSE, __FILE__, "validate_client_certificate called, "
"preverify code: %d.\n", preverify_ok);
return preverify_ok;
}
static apr_status_t init_ssl(serv_ctx_t *serv_ctx)
{
ssl_context_t *ssl_ctx = serv_ctx->ssl_ctx;
ssl_ctx->ssl = SSL_new(ssl_ctx->ctx);
SSL_set_cipher_list(ssl_ctx->ssl, "ALL");
SSL_set_bio(ssl_ctx->ssl, ssl_ctx->bio, ssl_ctx->bio);
return APR_SUCCESS;
}
static apr_status_t
init_ssl_context(serv_ctx_t *serv_ctx,
const char *keyfile,
const char **certfiles,
const char *client_cn)
{
ssl_context_t *ssl_ctx = apr_pcalloc(serv_ctx->pool, sizeof(*ssl_ctx));
serv_ctx->ssl_ctx = ssl_ctx;
serv_ctx->client_cn = client_cn;
serv_ctx->bio_read_status = APR_SUCCESS;
/* Init OpenSSL globally */
if (!init_done)
{
#ifdef USE_OPENSSL_1_1_API
OPENSSL_malloc_init();
#else
CRYPTO_malloc_init();
#endif
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
init_done = 1;
}
/* Init this connection */
if (!ssl_ctx->ctx) {
X509_STORE *store;
const char *certfile;
int i;
int rv;
ssl_ctx->ctx = SSL_CTX_new(SSLv23_server_method());
SSL_CTX_set_default_passwd_cb(ssl_ctx->ctx, pem_passwd_cb);
rv = SSL_CTX_use_PrivateKey_file(ssl_ctx->ctx, keyfile,
SSL_FILETYPE_PEM);
if (rv != 1) {
fprintf(stderr, "Cannot load private key from file '%s'\n", keyfile);
exit(1);
}
/* Set server certificate, add ca certificates if provided. */
certfile = certfiles[0];
rv = SSL_CTX_use_certificate_file(ssl_ctx->ctx, certfile, SSL_FILETYPE_PEM);
if (rv != 1) {
fprintf(stderr, "Cannot load certficate from file '%s'\n", certfile);
exit(1);
}
i = 1;
certfile = certfiles[i++];
store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
while(certfile) {
FILE *fp = fopen(certfile, "r");
if (fp) {
X509 *ssl_cert = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
SSL_CTX_add_extra_chain_cert(ssl_ctx->ctx, ssl_cert);
X509_STORE_add_cert(store, ssl_cert);
}
certfile = certfiles[i++];
}
/* This makes the server send a client certificate request during
handshake. The client certificate is optional (most tests don't
send one) by default, but mandatory if client_cn was specified. */
SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER,
validate_client_certificate);
SSL_CTX_set_mode(ssl_ctx->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
ssl_ctx->biom = bio_meth_apr_socket_new();
ssl_ctx->bio = BIO_new(ssl_ctx->biom);
bio_set_data(ssl_ctx->bio, serv_ctx);
init_ssl(serv_ctx);
}
return APR_SUCCESS;
}
static apr_status_t ssl_reset(serv_ctx_t *serv_ctx)
{
ssl_context_t *ssl_ctx = serv_ctx->ssl_ctx;
serf__log(TEST_VERBOSE, __FILE__, "Reset ssl context.\n");
ssl_ctx->handshake_done = 0;
if (ssl_ctx)
SSL_clear(ssl_ctx->ssl);
init_ssl(serv_ctx);
return APR_SUCCESS;
}
static apr_status_t ssl_handshake(serv_ctx_t *serv_ctx)
{
ssl_context_t *ssl_ctx = serv_ctx->ssl_ctx;
int result;
if (ssl_ctx->handshake_done)
return APR_SUCCESS;
/* SSL handshake */
result = SSL_accept(ssl_ctx->ssl);
if (result == 1) {
X509 *peer;
serf__log(TEST_VERBOSE, __FILE__, "Handshake successful.\n");
/* Check client certificate */
peer = SSL_get_peer_certificate(ssl_ctx->ssl);
if (peer)
{
serf__log(TEST_VERBOSE, __FILE__, "Peer cert received.\n");
if (SSL_get_verify_result(ssl_ctx->ssl) == X509_V_OK)
{
/* The client sent a certificate which verified OK */
char buf[1024];
int ret;
X509_NAME *subject = X509_get_subject_name(peer);
ret = X509_NAME_get_text_by_NID(subject,
NID_commonName,
buf, 1024);
if (ret != -1 && strcmp(serv_ctx->client_cn, buf) != 0) {
serf__log(TEST_VERBOSE, __FILE__, "Client cert common name "
"\"%s\" doesn't match expected \"%s\".\n", buf,
serv_ctx->client_cn);
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
}
} else {
if (serv_ctx->client_cn) {
serf__log(TEST_VERBOSE, __FILE__, "Client cert expected but not"
" received.\n");
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
}
ssl_ctx->handshake_done = 1;
}
else {
int ssl_err;
ssl_err = SSL_get_error(ssl_ctx->ssl, result);
switch (ssl_err) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
return APR_EAGAIN;
case SSL_ERROR_SYSCALL:
return serv_ctx->bio_read_status; /* Usually APR_EAGAIN */
default:
serf__log(TEST_VERBOSE, __FILE__, "SSL Error %d: ", ssl_err);
ERR_print_errors_fp(stderr);
serf__log_nopref(TEST_VERBOSE, "\n");
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
}
return APR_EAGAIN;
}
static apr_status_t
ssl_socket_write(serv_ctx_t *serv_ctx, const char *data,
apr_size_t *len)
{
ssl_context_t *ssl_ctx = serv_ctx->ssl_ctx;
int result = SSL_write(ssl_ctx->ssl, data, *len);
if (result > 0) {
*len = result;
return APR_SUCCESS;
}
if (result == 0)
return APR_EAGAIN;
serf__log(TEST_VERBOSE, __FILE__, "ssl_socket_write: ssl error?\n");
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
static apr_status_t
ssl_socket_read(serv_ctx_t *serv_ctx, char *data,
apr_size_t *len)
{
ssl_context_t *ssl_ctx = serv_ctx->ssl_ctx;
int result = SSL_read(ssl_ctx->ssl, data, *len);
if (result > 0) {
*len = result;
return APR_SUCCESS;
} else {
int ssl_err;
ssl_err = SSL_get_error(ssl_ctx->ssl, result);
switch (ssl_err) {
case SSL_ERROR_SYSCALL:
/* error in bio_bucket_read, probably APR_EAGAIN or APR_EOF */
*len = 0;
return serv_ctx->bio_read_status;
case SSL_ERROR_WANT_READ:
*len = 0;
return APR_EAGAIN;
case SSL_ERROR_SSL:
default:
*len = 0;
serf__log(TEST_VERBOSE, __FILE__,
"ssl_socket_read SSL Error %d: ", ssl_err);
ERR_print_errors_fp(stderr);
serf__log_nopref(TEST_VERBOSE, "\n");
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
}
/* not reachable */
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
static apr_status_t cleanup_https_server(void *baton)
{
serv_ctx_t *servctx = baton;
ssl_context_t *ssl_ctx = servctx->ssl_ctx;
if (ssl_ctx) {
if (ssl_ctx->ssl) {
SSL_clear(ssl_ctx->ssl);
#ifdef USE_OPENSSL_1_1_API
BIO_meth_free(ssl_ctx->biom);
#endif
}
SSL_CTX_free(ssl_ctx->ctx);
}
return APR_SUCCESS;
}
void setup_https_test_server(serv_ctx_t **servctx_p,
apr_sockaddr_t *address,
test_server_message_t *message_list,
apr_size_t message_count,
test_server_action_t *action_list,
apr_size_t action_count,
apr_int32_t options,
const char *keyfile,
const char **certfiles,
const char *client_cn,
apr_pool_t *pool)
{
serv_ctx_t *servctx;
setup_test_server(servctx_p, address, message_list,
message_count, action_list, action_count,
options, pool);
servctx = *servctx_p;
apr_pool_cleanup_register(pool, servctx,
cleanup_https_server,
apr_pool_cleanup_null);
servctx->handshake = ssl_handshake;
servctx->reset = ssl_reset;
/* Override with SSL encrypt/decrypt functions */
servctx->read = ssl_socket_read;
servctx->send = ssl_socket_write;
init_ssl_context(servctx, keyfile, certfiles, client_cn);
}