]>
Commit | Line | Data |
---|---|---|
f484cdf5 | 1 | |
2 | /* | |
262a0e14 | 3 | * $Id$ |
f484cdf5 | 4 | * |
5 | * AUTHOR: Benno Rice | |
27d8545c | 6 | * DEBUG: section 83 SSL accelerator support |
f484cdf5 | 7 | * |
8 | * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ | |
9 | * ---------------------------------------------------------- | |
10 | * | |
11 | * Squid is the result of efforts by numerous individuals from the | |
12 | * Internet community. Development is led by Duane Wessels of the | |
13 | * National Laboratory for Applied Network Research and funded by the | |
14 | * National Science Foundation. Squid is Copyrighted (C) 1998 by | |
15 | * Duane Wessels and the University of California San Diego. Please | |
16 | * see the COPYRIGHT file for full details. Squid incorporates | |
17 | * software developed and/or copyrighted by other sources. Please see | |
18 | * the CREDITS file for full details. | |
19 | * | |
20 | * This program is free software; you can redistribute it and/or modify | |
21 | * it under the terms of the GNU General Public License as published by | |
22 | * the Free Software Foundation; either version 2 of the License, or | |
23 | * (at your option) any later version. | |
26ac0430 | 24 | * |
f484cdf5 | 25 | * This program is distributed in the hope that it will be useful, |
26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
28 | * GNU General Public License for more details. | |
26ac0430 | 29 | * |
f484cdf5 | 30 | * You should have received a copy of the GNU General Public License |
31 | * along with this program; if not, write to the Free Software | |
32 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
33 | * | |
34 | */ | |
35 | ||
36 | #include "squid.h" | |
454e8283 | 37 | |
38 | /* MS Visual Studio Projects are monolithic, so we need the following | |
39 | * #if to exclude the SSL code from compile process when not needed. | |
40 | */ | |
41 | #if USE_SSL | |
42 | ||
528b2c61 | 43 | #include "fde.h" |
c0941a6a | 44 | #include "acl/FilledChecklist.h" |
4d16918e | 45 | #include "ssl/ErrorDetail.h" |
4db984be | 46 | #include "ssl/support.h" |
95d2589c | 47 | #include "ssl/gadgets.h" |
f484cdf5 | 48 | |
63be0a78 | 49 | /** |
50 | \defgroup ServerProtocolSSLInternal Server-Side SSL Internals | |
51 | \ingroup ServerProtocolSSLAPI | |
52 | */ | |
53 | ||
54 | /// \ingroup ServerProtocolSSLInternal | |
307b83b7 | 55 | static int |
56 | ssl_ask_password_cb(char *buf, int size, int rwflag, void *userdata) | |
57 | { | |
58 | FILE *in; | |
59 | int len = 0; | |
60 | char cmdline[1024]; | |
61 | ||
62 | snprintf(cmdline, sizeof(cmdline), "\"%s\" \"%s\"", Config.Program.ssl_password, (const char *)userdata); | |
63 | in = popen(cmdline, "r"); | |
64 | ||
65 | if (fgets(buf, size, in)) | |
66 | ||
67 | len = strlen(buf); | |
68 | ||
69 | while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) | |
70 | ||
71 | len--; | |
72 | ||
73 | buf[len] = '\0'; | |
74 | ||
75 | pclose(in); | |
76 | ||
77 | return len; | |
78 | } | |
79 | ||
63be0a78 | 80 | /// \ingroup ServerProtocolSSLInternal |
307b83b7 | 81 | static void |
82 | ssl_ask_password(SSL_CTX * context, const char * prompt) | |
83 | { | |
84 | if (Config.Program.ssl_password) { | |
85 | SSL_CTX_set_default_passwd_cb(context, ssl_ask_password_cb); | |
86 | SSL_CTX_set_default_passwd_cb_userdata(context, (void *)prompt); | |
87 | } | |
88 | } | |
89 | ||
63be0a78 | 90 | /// \ingroup ServerProtocolSSLInternal |
f484cdf5 | 91 | static RSA * |
e6ccf245 | 92 | ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) |
f484cdf5 | 93 | { |
e01f02ed | 94 | static RSA *rsa_512 = NULL; |
95 | static RSA *rsa_1024 = NULL; | |
96 | RSA *rsa = NULL; | |
97 | int newkey = 0; | |
f484cdf5 | 98 | |
e01f02ed | 99 | switch (keylen) { |
100 | ||
101 | case 512: | |
102 | ||
103 | if (!rsa_512) { | |
104 | rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL); | |
105 | newkey = 1; | |
106 | } | |
107 | ||
108 | rsa = rsa_512; | |
109 | break; | |
110 | ||
111 | case 1024: | |
112 | ||
113 | if (!rsa_1024) { | |
114 | rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL); | |
115 | newkey = 1; | |
116 | } | |
117 | ||
118 | rsa = rsa_1024; | |
119 | break; | |
120 | ||
121 | default: | |
bf8fe701 | 122 | debugs(83, 1, "ssl_temp_rsa_cb: Unexpected key length " << keylen); |
e01f02ed | 123 | return NULL; |
124 | } | |
125 | ||
126 | if (rsa == NULL) { | |
bf8fe701 | 127 | debugs(83, 1, "ssl_temp_rsa_cb: Failed to generate key " << keylen); |
e01f02ed | 128 | return NULL; |
129 | } | |
130 | ||
131 | if (newkey) { | |
132 | if (do_debug(83, 5)) | |
133 | PEM_write_RSAPrivateKey(debug_log, rsa, NULL, NULL, 0, NULL, NULL); | |
134 | ||
bf8fe701 | 135 | debugs(83, 1, "Generated ephemeral RSA key of length " << keylen); |
e01f02ed | 136 | } |
62e76326 | 137 | |
f484cdf5 | 138 | return rsa; |
139 | } | |
140 | ||
4d16918e CT |
141 | int Ssl::asn1timeToString(ASN1_TIME *tm, char *buf, int len) |
142 | { | |
143 | BIO *bio; | |
144 | int write = 0; | |
145 | bio = BIO_new(BIO_s_mem()); | |
146 | if (bio) { | |
e34763f4 A |
147 | if (ASN1_TIME_print(bio, tm)) |
148 | write = BIO_read(bio, buf, len-1); | |
149 | BIO_free(bio); | |
4d16918e CT |
150 | } |
151 | buf[write]='\0'; | |
152 | return write; | |
153 | } | |
154 | ||
155 | int Ssl::matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data)) | |
156 | { | |
157 | assert(peer_cert); | |
158 | ||
159 | X509_NAME *name = X509_get_subject_name(peer_cert); | |
160 | ||
161 | for (int i = X509_NAME_get_index_by_NID(name, NID_commonName, -1); i >= 0; i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) { | |
e34763f4 | 162 | |
4d16918e CT |
163 | ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i)); |
164 | ||
165 | if ( (*check_func)(check_data, cn_data) == 0) | |
166 | return 1; | |
167 | } | |
168 | ||
169 | STACK_OF(GENERAL_NAME) * altnames; | |
170 | altnames = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL); | |
171 | ||
172 | if (altnames) { | |
173 | int numalts = sk_GENERAL_NAME_num(altnames); | |
174 | for (int i = 0; i < numalts; i++) { | |
175 | const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i); | |
176 | if (check->type != GEN_DNS) { | |
177 | continue; | |
178 | } | |
179 | ASN1_STRING *cn_data = check->d.dNSName; | |
e34763f4 | 180 | |
4d16918e CT |
181 | if ( (*check_func)(check_data, cn_data) == 0) |
182 | return 1; | |
183 | } | |
184 | sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); | |
185 | } | |
186 | return 0; | |
187 | } | |
188 | ||
189 | static int check_domain( void *check_data, ASN1_STRING *cn_data) | |
190 | { | |
191 | char cn[1024]; | |
192 | const char *server = (const char *)check_data; | |
193 | ||
e34763f4 | 194 | if (cn_data->length > (int)sizeof(cn) - 1) { |
4d16918e CT |
195 | return 1; //if does not fit our buffer just ignore |
196 | } | |
197 | memcpy(cn, cn_data->data, cn_data->length); | |
198 | cn[cn_data->length] = '\0'; | |
199 | debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); | |
200 | return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn); | |
201 | } | |
202 | ||
63be0a78 | 203 | /// \ingroup ServerProtocolSSLInternal |
f484cdf5 | 204 | static int |
205 | ssl_verify_cb(int ok, X509_STORE_CTX * ctx) | |
206 | { | |
7698a79c CT |
207 | // preserve original ctx->error before SSL_ calls can overwrite it |
208 | Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : ctx->error; | |
209 | ||
210 | char buffer[256] = ""; | |
a7ad6e4e | 211 | SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
212 | SSL_CTX *sslctx = SSL_get_SSL_CTX(ssl); | |
213 | const char *server = (const char *)SSL_get_ex_data(ssl, ssl_ex_index_server); | |
214 | void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain); | |
815eaa44 | 215 | ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check); |
a7ad6e4e | 216 | X509 *peer_cert = ctx->cert; |
f484cdf5 | 217 | |
a7ad6e4e | 218 | X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer, |
62e76326 | 219 | sizeof(buffer)); |
a7ad6e4e | 220 | |
221 | if (ok) { | |
bf8fe701 | 222 | debugs(83, 5, "SSL Certificate signature OK: " << buffer); |
62e76326 | 223 | |
e34763f4 | 224 | if (server) { |
4d16918e | 225 | int found = Ssl::matchX509CommonNames(peer_cert, (void *)server, check_domain); |
62e76326 | 226 | |
227 | if (!found) { | |
815eaa44 | 228 | debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server); |
62e76326 | 229 | ok = 0; |
4d16918e | 230 | error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH; |
62e76326 | 231 | } |
232 | } | |
7698a79c | 233 | } |
0db46e4f | 234 | |
7698a79c CT |
235 | if (!ok) { |
236 | if (const char *err_descr = Ssl::GetErrorDescr(error_no)) | |
cf09bec7 CT |
237 | debugs(83, 5, err_descr << ": " << buffer); |
238 | else | |
7698a79c CT |
239 | debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer); |
240 | ||
241 | if (check) { | |
242 | Filled(check)->ssl_error = error_no; | |
2efeb0b7 | 243 | if (check->fastCheck() == ACCESS_ALLOWED) { |
7698a79c CT |
244 | debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer); |
245 | ok = 1; | |
246 | } else { | |
247 | debugs(83, 5, "confirming SSL error " << error_no); | |
248 | } | |
815eaa44 | 249 | } |
a7ad6e4e | 250 | } |
62e76326 | 251 | |
26ac0430 | 252 | if (!dont_verify_domain && server) {} |
62e76326 | 253 | |
7698a79c | 254 | if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) { |
4d16918e | 255 | Ssl::ErrorDetail *errDetail = new Ssl::ErrorDetail(error_no, peer_cert); |
e34763f4 | 256 | if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) { |
4d16918e CT |
257 | debugs(83, 2, "Failed to set Ssl::ErrorDetail in ssl_verify_cb: Certificate " << buffer); |
258 | delete errDetail; | |
259 | } | |
260 | } | |
261 | ||
f484cdf5 | 262 | return ok; |
263 | } | |
264 | ||
63be0a78 | 265 | /// \ingroup ServerProtocolSSLInternal |
26ac0430 | 266 | static struct ssl_option { |
79d4ccdf | 267 | const char *name; |
268 | long value; | |
62e76326 | 269 | } |
270 | ||
271 | ssl_options[] = { | |
79d4ccdf | 272 | |
32d002cb | 273 | #if SSL_OP_MICROSOFT_SESS_ID_BUG |
26ac0430 AJ |
274 | { |
275 | "MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG | |
276 | }, | |
673cd7db | 277 | #endif |
32d002cb | 278 | #if SSL_OP_NETSCAPE_CHALLENGE_BUG |
26ac0430 AJ |
279 | { |
280 | "NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG | |
281 | }, | |
673cd7db | 282 | #endif |
32d002cb | 283 | #if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
26ac0430 AJ |
284 | { |
285 | "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
286 | }, | |
673cd7db | 287 | #endif |
32d002cb | 288 | #if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
26ac0430 AJ |
289 | { |
290 | "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
291 | }, | |
673cd7db | 292 | #endif |
32d002cb | 293 | #if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
26ac0430 AJ |
294 | { |
295 | "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
296 | }, | |
673cd7db | 297 | #endif |
32d002cb | 298 | #if SSL_OP_MSIE_SSLV2_RSA_PADDING |
26ac0430 AJ |
299 | { |
300 | "MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING | |
301 | }, | |
673cd7db | 302 | #endif |
32d002cb | 303 | #if SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
26ac0430 AJ |
304 | { |
305 | "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
306 | }, | |
673cd7db | 307 | #endif |
32d002cb | 308 | #if SSL_OP_TLS_D5_BUG |
26ac0430 AJ |
309 | { |
310 | "TLS_D5_BUG", SSL_OP_TLS_D5_BUG | |
311 | }, | |
673cd7db | 312 | #endif |
32d002cb | 313 | #if SSL_OP_TLS_BLOCK_PADDING_BUG |
26ac0430 AJ |
314 | { |
315 | "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG | |
316 | }, | |
673cd7db | 317 | #endif |
32d002cb | 318 | #if SSL_OP_TLS_ROLLBACK_BUG |
26ac0430 AJ |
319 | { |
320 | "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG | |
321 | }, | |
673cd7db | 322 | #endif |
32d002cb | 323 | #if SSL_OP_ALL |
26ac0430 AJ |
324 | { |
325 | "ALL", SSL_OP_ALL | |
326 | }, | |
673cd7db | 327 | #endif |
32d002cb | 328 | #if SSL_OP_SINGLE_DH_USE |
26ac0430 AJ |
329 | { |
330 | "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE | |
331 | }, | |
673cd7db | 332 | #endif |
32d002cb | 333 | #if SSL_OP_EPHEMERAL_RSA |
26ac0430 AJ |
334 | { |
335 | "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA | |
336 | }, | |
673cd7db | 337 | #endif |
32d002cb | 338 | #if SSL_OP_PKCS1_CHECK_1 |
26ac0430 AJ |
339 | { |
340 | "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 | |
341 | }, | |
673cd7db | 342 | #endif |
32d002cb | 343 | #if SSL_OP_PKCS1_CHECK_2 |
26ac0430 AJ |
344 | { |
345 | "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 | |
346 | }, | |
673cd7db | 347 | #endif |
32d002cb | 348 | #if SSL_OP_NETSCAPE_CA_DN_BUG |
26ac0430 AJ |
349 | { |
350 | "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG | |
351 | }, | |
673cd7db | 352 | #endif |
32d002cb | 353 | #if SSL_OP_NON_EXPORT_FIRST |
26ac0430 AJ |
354 | { |
355 | "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST | |
356 | }, | |
673cd7db | 357 | #endif |
32d002cb | 358 | #if SSL_OP_CIPHER_SERVER_PREFERENCE |
26ac0430 AJ |
359 | { |
360 | "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE | |
361 | }, | |
673cd7db | 362 | #endif |
32d002cb | 363 | #if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
26ac0430 AJ |
364 | { |
365 | "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | |
366 | }, | |
673cd7db | 367 | #endif |
32d002cb | 368 | #if SSL_OP_NO_SSLv2 |
26ac0430 AJ |
369 | { |
370 | "NO_SSLv2", SSL_OP_NO_SSLv2 | |
371 | }, | |
673cd7db | 372 | #endif |
32d002cb | 373 | #if SSL_OP_NO_SSLv3 |
26ac0430 AJ |
374 | { |
375 | "NO_SSLv3", SSL_OP_NO_SSLv3 | |
376 | }, | |
673cd7db | 377 | #endif |
32d002cb | 378 | #if SSL_OP_NO_TLSv1 |
26ac0430 AJ |
379 | { |
380 | "NO_TLSv1", SSL_OP_NO_TLSv1 | |
381 | }, | |
673cd7db | 382 | #endif |
26ac0430 AJ |
383 | { |
384 | "", 0 | |
385 | }, | |
386 | { | |
387 | NULL, 0 | |
388 | } | |
389 | }; | |
79d4ccdf | 390 | |
63be0a78 | 391 | /// \ingroup ServerProtocolSSLInternal |
84f2d773 | 392 | static long |
79d4ccdf | 393 | ssl_parse_options(const char *options) |
394 | { | |
395 | long op = SSL_OP_ALL; | |
396 | char *tmp; | |
397 | char *option; | |
398 | ||
399 | if (!options) | |
62e76326 | 400 | goto no_options; |
79d4ccdf | 401 | |
402 | tmp = xstrdup(options); | |
62e76326 | 403 | |
79d4ccdf | 404 | option = strtok(tmp, ":,"); |
62e76326 | 405 | |
79d4ccdf | 406 | while (option) { |
62e76326 | 407 | |
408 | struct ssl_option *opt = NULL, *opttmp; | |
409 | long value = 0; | |
410 | enum { | |
411 | MODE_ADD, MODE_REMOVE | |
412 | } mode; | |
413 | ||
414 | switch (*option) { | |
415 | ||
416 | case '!': | |
417 | ||
418 | case '-': | |
419 | mode = MODE_REMOVE; | |
420 | option++; | |
421 | break; | |
422 | ||
423 | case '+': | |
424 | mode = MODE_ADD; | |
425 | option++; | |
426 | break; | |
427 | ||
428 | default: | |
429 | mode = MODE_ADD; | |
430 | break; | |
431 | } | |
432 | ||
433 | for (opttmp = ssl_options; opttmp->name; opttmp++) { | |
434 | if (strcmp(opttmp->name, option) == 0) { | |
435 | opt = opttmp; | |
436 | break; | |
437 | } | |
438 | } | |
439 | ||
440 | if (opt) | |
441 | value = opt->value; | |
442 | else if (strncmp(option, "0x", 2) == 0) { | |
443 | /* Special case.. hex specification */ | |
444 | value = strtol(option + 2, NULL, 16); | |
445 | } else { | |
446 | fatalf("Unknown SSL option '%s'", option); | |
447 | value = 0; /* Keep GCC happy */ | |
448 | } | |
449 | ||
450 | switch (mode) { | |
451 | ||
452 | case MODE_ADD: | |
453 | op |= value; | |
454 | break; | |
455 | ||
456 | case MODE_REMOVE: | |
457 | op &= ~value; | |
458 | break; | |
459 | } | |
460 | ||
461 | option = strtok(NULL, ":,"); | |
79d4ccdf | 462 | } |
463 | ||
464 | safe_free(tmp); | |
62e76326 | 465 | |
466 | no_options: | |
79d4ccdf | 467 | return op; |
468 | } | |
469 | ||
63be0a78 | 470 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 471 | #define SSL_FLAG_NO_DEFAULT_CA (1<<0) |
63be0a78 | 472 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 473 | #define SSL_FLAG_DELAYED_AUTH (1<<1) |
63be0a78 | 474 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 475 | #define SSL_FLAG_DONT_VERIFY_PEER (1<<2) |
63be0a78 | 476 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 477 | #define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3) |
63be0a78 | 478 | /// \ingroup ServerProtocolSSLInternal |
b13877cc | 479 | #define SSL_FLAG_NO_SESSION_REUSE (1<<4) |
63be0a78 | 480 | /// \ingroup ServerProtocolSSLInternal |
a82a4fe4 | 481 | #define SSL_FLAG_VERIFY_CRL (1<<5) |
63be0a78 | 482 | /// \ingroup ServerProtocolSSLInternal |
a82a4fe4 | 483 | #define SSL_FLAG_VERIFY_CRL_ALL (1<<6) |
a7ad6e4e | 484 | |
63be0a78 | 485 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 486 | static long |
487 | ssl_parse_flags(const char *flags) | |
488 | { | |
489 | long fl = 0; | |
490 | char *tmp; | |
491 | char *flag; | |
492 | ||
493 | if (!flags) | |
62e76326 | 494 | return 0; |
a7ad6e4e | 495 | |
496 | tmp = xstrdup(flags); | |
62e76326 | 497 | |
a7ad6e4e | 498 | flag = strtok(tmp, ":,"); |
62e76326 | 499 | |
a7ad6e4e | 500 | while (flag) { |
62e76326 | 501 | if (strcmp(flag, "NO_DEFAULT_CA") == 0) |
502 | fl |= SSL_FLAG_NO_DEFAULT_CA; | |
503 | else if (strcmp(flag, "DELAYED_AUTH") == 0) | |
504 | fl |= SSL_FLAG_DELAYED_AUTH; | |
505 | else if (strcmp(flag, "DONT_VERIFY_PEER") == 0) | |
506 | fl |= SSL_FLAG_DONT_VERIFY_PEER; | |
507 | else if (strcmp(flag, "DONT_VERIFY_DOMAIN") == 0) | |
508 | fl |= SSL_FLAG_DONT_VERIFY_DOMAIN; | |
b13877cc | 509 | else if (strcmp(flag, "NO_SESSION_REUSE") == 0) |
510 | fl |= SSL_FLAG_NO_SESSION_REUSE; | |
a82a4fe4 | 511 | |
32d002cb | 512 | #if X509_V_FLAG_CRL_CHECK |
a82a4fe4 | 513 | |
514 | else if (strcmp(flag, "VERIFY_CRL") == 0) | |
515 | fl |= SSL_FLAG_VERIFY_CRL; | |
516 | else if (strcmp(flag, "VERIFY_CRL_ALL") == 0) | |
517 | fl |= SSL_FLAG_VERIFY_CRL_ALL; | |
518 | ||
519 | #endif | |
520 | ||
62e76326 | 521 | else |
522 | fatalf("Unknown ssl flag '%s'", flag); | |
523 | ||
524 | flag = strtok(NULL, ":,"); | |
a7ad6e4e | 525 | } |
62e76326 | 526 | |
a7ad6e4e | 527 | safe_free(tmp); |
528 | return fl; | |
529 | } | |
530 | ||
815eaa44 | 531 | // "dup" function for SSL_get_ex_new_index("cert_err_check") |
532 | static int | |
533 | ssl_dupAclChecklist(CRYPTO_EX_DATA *, CRYPTO_EX_DATA *, void *, | |
26ac0430 AJ |
534 | int, long, void *) |
535 | { | |
815eaa44 | 536 | // We do not support duplication of ACLCheckLists. |
537 | // If duplication is needed, we can count copies with cbdata. | |
538 | assert(false); | |
539 | return 0; | |
540 | } | |
541 | ||
542 | // "free" function for SSL_get_ex_new_index("cert_err_check") | |
543 | static void | |
544 | ssl_freeAclChecklist(void *, void *ptr, CRYPTO_EX_DATA *, | |
26ac0430 AJ |
545 | int, long, void *) |
546 | { | |
815eaa44 | 547 | delete static_cast<ACLChecklist *>(ptr); // may be NULL |
548 | } | |
a7ad6e4e | 549 | |
4d16918e CT |
550 | // "free" function for SSL_get_ex_new_index("ssl_error_detail") |
551 | static void | |
552 | ssl_free_ErrorDetail(void *, void *ptr, CRYPTO_EX_DATA *, | |
553 | int, long, void *) | |
554 | { | |
555 | Ssl::ErrorDetail *errDetail = static_cast <Ssl::ErrorDetail *>(ptr); | |
556 | delete errDetail; | |
557 | } | |
558 | ||
63be0a78 | 559 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 560 | static void |
561 | ssl_initialize(void) | |
f484cdf5 | 562 | { |
d193a436 | 563 | static int ssl_initialized = 0; |
62e76326 | 564 | |
d193a436 | 565 | if (!ssl_initialized) { |
62e76326 | 566 | ssl_initialized = 1; |
567 | SSL_load_error_strings(); | |
568 | SSLeay_add_ssl_algorithms(); | |
32d002cb | 569 | #if HAVE_OPENSSL_ENGINE_H |
62e76326 | 570 | |
571 | if (Config.SSL.ssl_engine) { | |
572 | ENGINE *e; | |
573 | ||
574 | if (!(e = ENGINE_by_id(Config.SSL.ssl_engine))) { | |
575 | fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine); | |
576 | } | |
577 | ||
578 | if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { | |
579 | int ssl_error = ERR_get_error(); | |
580 | fatalf("Failed to initialise SSL engine: %s\n", | |
581 | ERR_error_string(ssl_error, NULL)); | |
582 | } | |
583 | } | |
584 | ||
a7ad6e4e | 585 | #else |
62e76326 | 586 | if (Config.SSL.ssl_engine) { |
587 | fatalf("Your OpenSSL has no SSL engine support\n"); | |
588 | } | |
589 | ||
a7ad6e4e | 590 | #endif |
62e76326 | 591 | |
d193a436 | 592 | } |
62e76326 | 593 | |
a7ad6e4e | 594 | ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL); |
595 | ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL); | |
815eaa44 | 596 | ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist); |
4d16918e | 597 | ssl_ex_index_ssl_error_detail = SSL_get_ex_new_index(0, (void *) "ssl_error_detail", NULL, NULL, &ssl_free_ErrorDetail); |
a7ad6e4e | 598 | } |
599 | ||
63be0a78 | 600 | /// \ingroup ServerProtocolSSLInternal |
a82a4fe4 | 601 | static int |
602 | ssl_load_crl(SSL_CTX *sslContext, const char *CRLfile) | |
603 | { | |
604 | X509_STORE *st = SSL_CTX_get_cert_store(sslContext); | |
605 | X509_CRL *crl; | |
606 | BIO *in = BIO_new_file(CRLfile, "r"); | |
607 | int count = 0; | |
608 | ||
609 | if (!in) { | |
bf8fe701 | 610 | debugs(83, 2, "WARNING: Failed to open CRL file '" << CRLfile << "'"); |
a82a4fe4 | 611 | return 0; |
612 | } | |
613 | ||
614 | while ((crl = PEM_read_bio_X509_CRL(in,NULL,NULL,NULL))) { | |
615 | if (!X509_STORE_add_crl(st, crl)) | |
bf8fe701 | 616 | debugs(83, 2, "WARNING: Failed to add CRL from file '" << CRLfile << "'"); |
a82a4fe4 | 617 | else |
618 | count++; | |
619 | ||
620 | X509_CRL_free(crl); | |
621 | } | |
622 | ||
623 | BIO_free(in); | |
624 | return count; | |
625 | } | |
626 | ||
a7ad6e4e | 627 | SSL_CTX * |
a82a4fe4 | 628 | sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhfile, const char *context) |
a7ad6e4e | 629 | { |
630 | int ssl_error; | |
f1c9c850 | 631 | #if OPENSSL_VERSION_NUMBER < 0x00909000L |
a7ad6e4e | 632 | SSL_METHOD *method; |
f1c9c850 AJ |
633 | #else |
634 | const SSL_METHOD *method; | |
635 | #endif | |
a7ad6e4e | 636 | SSL_CTX *sslContext; |
637 | long fl = ssl_parse_flags(flags); | |
638 | ||
639 | ssl_initialize(); | |
640 | ||
f484cdf5 | 641 | if (!keyfile) |
62e76326 | 642 | keyfile = certfile; |
643 | ||
f484cdf5 | 644 | if (!certfile) |
62e76326 | 645 | certfile = keyfile; |
646 | ||
a7ad6e4e | 647 | if (!CAfile) |
62e76326 | 648 | CAfile = clientCA; |
f484cdf5 | 649 | |
79d4ccdf | 650 | switch (version) { |
62e76326 | 651 | |
f484cdf5 | 652 | case 2: |
50b4c080 | 653 | #ifndef OPENSSL_NO_SSL2 |
bf8fe701 | 654 | debugs(83, 5, "Using SSLv2."); |
62e76326 | 655 | method = SSLv2_server_method(); |
50b4c080 | 656 | #else |
48e7baac | 657 | debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); |
50b4c080 AJ |
658 | return NULL; |
659 | #endif | |
62e76326 | 660 | break; |
661 | ||
f484cdf5 | 662 | case 3: |
bf8fe701 | 663 | debugs(83, 5, "Using SSLv3."); |
62e76326 | 664 | method = SSLv3_server_method(); |
665 | break; | |
666 | ||
f484cdf5 | 667 | case 4: |
bf8fe701 | 668 | debugs(83, 5, "Using TLSv1."); |
62e76326 | 669 | method = TLSv1_server_method(); |
670 | break; | |
671 | ||
f484cdf5 | 672 | case 1: |
62e76326 | 673 | |
f484cdf5 | 674 | default: |
bf8fe701 | 675 | debugs(83, 5, "Using SSLv2/SSLv3."); |
62e76326 | 676 | method = SSLv23_server_method(); |
677 | break; | |
f484cdf5 | 678 | } |
679 | ||
680 | sslContext = SSL_CTX_new(method); | |
62e76326 | 681 | |
f484cdf5 | 682 | if (sslContext == NULL) { |
62e76326 | 683 | ssl_error = ERR_get_error(); |
684 | fatalf("Failed to allocate SSL context: %s\n", | |
685 | ERR_error_string(ssl_error, NULL)); | |
f484cdf5 | 686 | } |
62e76326 | 687 | |
79d4ccdf | 688 | SSL_CTX_set_options(sslContext, ssl_parse_options(options)); |
f484cdf5 | 689 | |
6b2936d5 | 690 | if (context && *context) { |
3de409f0 | 691 | SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)context, strlen(context)); |
6b2936d5 | 692 | } |
693 | ||
b13877cc | 694 | if (fl & SSL_FLAG_NO_SESSION_REUSE) { |
695 | SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF); | |
696 | } | |
697 | ||
a9d79803 | 698 | if (Config.SSL.unclean_shutdown) { |
bf8fe701 | 699 | debugs(83, 5, "Enabling quiet SSL shutdowns (RFC violation)."); |
a9d79803 | 700 | |
701 | SSL_CTX_set_quiet_shutdown(sslContext, 1); | |
702 | } | |
703 | ||
79d4ccdf | 704 | if (cipher) { |
bf8fe701 | 705 | debugs(83, 5, "Using chiper suite " << cipher << "."); |
62e76326 | 706 | |
707 | if (!SSL_CTX_set_cipher_list(sslContext, cipher)) { | |
708 | ssl_error = ERR_get_error(); | |
709 | fatalf("Failed to set SSL cipher suite '%s': %s\n", | |
710 | cipher, ERR_error_string(ssl_error, NULL)); | |
711 | } | |
79d4ccdf | 712 | } |
62e76326 | 713 | |
48e7baac | 714 | debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile); |
62e76326 | 715 | |
a7ad6e4e | 716 | if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) { |
62e76326 | 717 | ssl_error = ERR_get_error(); |
48e7baac AJ |
718 | debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL)); |
719 | SSL_CTX_free(sslContext); | |
720 | return NULL; | |
f484cdf5 | 721 | } |
62e76326 | 722 | |
48e7baac | 723 | debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile); |
307b83b7 | 724 | ssl_ask_password(sslContext, keyfile); |
62e76326 | 725 | |
f484cdf5 | 726 | if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) { |
62e76326 | 727 | ssl_error = ERR_get_error(); |
48e7baac AJ |
728 | debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL)); |
729 | SSL_CTX_free(sslContext); | |
730 | return NULL; | |
f484cdf5 | 731 | } |
62e76326 | 732 | |
bf8fe701 | 733 | debugs(83, 5, "Comparing private and public SSL keys."); |
62e76326 | 734 | |
a7ad6e4e | 735 | if (!SSL_CTX_check_private_key(sslContext)) { |
62e76326 | 736 | ssl_error = ERR_get_error(); |
48e7baac AJ |
737 | debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" << |
738 | keyfile << "': " << ERR_error_string(ssl_error, NULL)); | |
739 | SSL_CTX_free(sslContext); | |
740 | return NULL; | |
a7ad6e4e | 741 | } |
62e76326 | 742 | |
bf8fe701 | 743 | debugs(83, 9, "Setting RSA key generation callback."); |
a7ad6e4e | 744 | SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); |
745 | ||
bf8fe701 | 746 | debugs(83, 9, "Setting CA certificate locations."); |
62e76326 | 747 | |
a82a4fe4 | 748 | if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) { |
62e76326 | 749 | ssl_error = ERR_get_error(); |
48e7baac | 750 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); |
a7ad6e4e | 751 | } |
62e76326 | 752 | |
a7ad6e4e | 753 | if (!(fl & SSL_FLAG_NO_DEFAULT_CA) && |
62e76326 | 754 | !SSL_CTX_set_default_verify_paths(sslContext)) { |
755 | ssl_error = ERR_get_error(); | |
48e7baac | 756 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); |
a7ad6e4e | 757 | } |
62e76326 | 758 | |
a7ad6e4e | 759 | if (clientCA) { |
8c1ff4ef | 760 | STACK_OF(X509_NAME) *cert_names; |
bf8fe701 | 761 | debugs(83, 9, "Set client certifying authority list."); |
8c1ff4ef | 762 | cert_names = SSL_load_client_CA_file(clientCA); |
763 | ||
764 | if (cert_names == NULL) { | |
48e7baac AJ |
765 | debugs(83, DBG_IMPORTANT, "ERROR: loading the client CA certificates from '" << clientCA << "\': " << ERR_error_string(ERR_get_error(),NULL)); |
766 | SSL_CTX_free(sslContext); | |
767 | return NULL; | |
8c1ff4ef | 768 | } |
769 | ||
770 | ERR_clear_error(); | |
771 | SSL_CTX_set_client_CA_list(sslContext, cert_names); | |
62e76326 | 772 | |
773 | if (fl & SSL_FLAG_DELAYED_AUTH) { | |
bf8fe701 | 774 | debugs(83, 9, "Not requesting client certificates until acl processing requires one"); |
62e76326 | 775 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); |
776 | } else { | |
bf8fe701 | 777 | debugs(83, 9, "Requiring client certificates."); |
62e76326 | 778 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); |
779 | } | |
a82a4fe4 | 780 | |
781 | if (CRLfile) { | |
782 | ssl_load_crl(sslContext, CRLfile); | |
783 | fl |= SSL_FLAG_VERIFY_CRL; | |
784 | } | |
785 | ||
32d002cb | 786 | #if X509_V_FLAG_CRL_CHECK |
a82a4fe4 | 787 | if (fl & SSL_FLAG_VERIFY_CRL_ALL) |
788 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
789 | else if (fl & SSL_FLAG_VERIFY_CRL) | |
790 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK); | |
791 | ||
792 | #endif | |
793 | ||
a7ad6e4e | 794 | } else { |
bf8fe701 | 795 | debugs(83, 9, "Not requiring any client certificates"); |
62e76326 | 796 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); |
a7ad6e4e | 797 | } |
f484cdf5 | 798 | |
35105e4b | 799 | if (dhfile) { |
800 | FILE *in = fopen(dhfile, "r"); | |
801 | DH *dh = NULL; | |
802 | int codes; | |
803 | ||
804 | if (in) { | |
805 | dh = PEM_read_DHparams(in, NULL, NULL, NULL); | |
806 | fclose(in); | |
807 | } | |
808 | ||
809 | if (!dh) | |
48e7baac | 810 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to read DH parameters '" << dhfile << "'"); |
35105e4b | 811 | else if (dh && DH_check(dh, &codes) == 0) { |
812 | if (codes) { | |
48e7baac | 813 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to verify DH parameters '" << dhfile << "' (" << std::hex << codes << ")"); |
35105e4b | 814 | DH_free(dh); |
815 | dh = NULL; | |
816 | } | |
817 | } | |
818 | ||
819 | if (dh) | |
820 | SSL_CTX_set_tmp_dh(sslContext, dh); | |
821 | } | |
822 | ||
a7ad6e4e | 823 | if (fl & SSL_FLAG_DONT_VERIFY_DOMAIN) |
62e76326 | 824 | SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1); |
825 | ||
a7ad6e4e | 826 | return sslContext; |
a7ad6e4e | 827 | } |
828 | ||
829 | SSL_CTX * | |
a82a4fe4 | 830 | sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) |
a7ad6e4e | 831 | { |
832 | int ssl_error; | |
f1c9c850 | 833 | #if OPENSSL_VERSION_NUMBER < 0x00909000L |
a7ad6e4e | 834 | SSL_METHOD *method; |
f1c9c850 AJ |
835 | #else |
836 | const SSL_METHOD *method; | |
837 | #endif | |
a7ad6e4e | 838 | SSL_CTX *sslContext; |
839 | long fl = ssl_parse_flags(flags); | |
840 | ||
841 | ssl_initialize(); | |
842 | ||
843 | if (!keyfile) | |
62e76326 | 844 | keyfile = certfile; |
845 | ||
a7ad6e4e | 846 | if (!certfile) |
62e76326 | 847 | certfile = keyfile; |
a7ad6e4e | 848 | |
a7ad6e4e | 849 | switch (version) { |
62e76326 | 850 | |
a7ad6e4e | 851 | case 2: |
50b4c080 | 852 | #ifndef OPENSSL_NO_SSL2 |
bf8fe701 | 853 | debugs(83, 5, "Using SSLv2."); |
62e76326 | 854 | method = SSLv2_client_method(); |
50b4c080 | 855 | #else |
48e7baac | 856 | debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); |
50b4c080 AJ |
857 | return NULL; |
858 | #endif | |
62e76326 | 859 | break; |
860 | ||
a7ad6e4e | 861 | case 3: |
bf8fe701 | 862 | debugs(83, 5, "Using SSLv3."); |
62e76326 | 863 | method = SSLv3_client_method(); |
864 | break; | |
865 | ||
a7ad6e4e | 866 | case 4: |
bf8fe701 | 867 | debugs(83, 5, "Using TLSv1."); |
62e76326 | 868 | method = TLSv1_client_method(); |
869 | break; | |
870 | ||
a7ad6e4e | 871 | case 1: |
62e76326 | 872 | |
a7ad6e4e | 873 | default: |
bf8fe701 | 874 | debugs(83, 5, "Using SSLv2/SSLv3."); |
62e76326 | 875 | method = SSLv23_client_method(); |
876 | break; | |
a7ad6e4e | 877 | } |
878 | ||
879 | sslContext = SSL_CTX_new(method); | |
62e76326 | 880 | |
a7ad6e4e | 881 | if (sslContext == NULL) { |
62e76326 | 882 | ssl_error = ERR_get_error(); |
883 | fatalf("Failed to allocate SSL context: %s\n", | |
884 | ERR_error_string(ssl_error, NULL)); | |
a7ad6e4e | 885 | } |
62e76326 | 886 | |
a7ad6e4e | 887 | SSL_CTX_set_options(sslContext, ssl_parse_options(options)); |
888 | ||
889 | if (cipher) { | |
bf8fe701 | 890 | debugs(83, 5, "Using chiper suite " << cipher << "."); |
62e76326 | 891 | |
892 | if (!SSL_CTX_set_cipher_list(sslContext, cipher)) { | |
893 | ssl_error = ERR_get_error(); | |
894 | fatalf("Failed to set SSL cipher suite '%s': %s\n", | |
895 | cipher, ERR_error_string(ssl_error, NULL)); | |
896 | } | |
a7ad6e4e | 897 | } |
62e76326 | 898 | |
a7ad6e4e | 899 | if (certfile) { |
bf8fe701 | 900 | debugs(83, 1, "Using certificate in " << certfile); |
62e76326 | 901 | |
902 | if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) { | |
903 | ssl_error = ERR_get_error(); | |
904 | fatalf("Failed to acquire SSL certificate '%s': %s\n", | |
905 | certfile, ERR_error_string(ssl_error, NULL)); | |
906 | } | |
907 | ||
bf8fe701 | 908 | debugs(83, 1, "Using private key in " << keyfile); |
307b83b7 | 909 | ssl_ask_password(sslContext, keyfile); |
62e76326 | 910 | |
911 | if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) { | |
912 | ssl_error = ERR_get_error(); | |
913 | fatalf("Failed to acquire SSL private key '%s': %s\n", | |
914 | keyfile, ERR_error_string(ssl_error, NULL)); | |
915 | } | |
916 | ||
bf8fe701 | 917 | debugs(83, 5, "Comparing private and public SSL keys."); |
62e76326 | 918 | |
919 | if (!SSL_CTX_check_private_key(sslContext)) { | |
920 | ssl_error = ERR_get_error(); | |
921 | fatalf("SSL private key '%s' does not match public key '%s': %s\n", | |
922 | certfile, keyfile, ERR_error_string(ssl_error, NULL)); | |
923 | } | |
a7ad6e4e | 924 | } |
62e76326 | 925 | |
bf8fe701 | 926 | debugs(83, 9, "Setting RSA key generation callback."); |
f484cdf5 | 927 | SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); |
928 | ||
a7ad6e4e | 929 | if (fl & SSL_FLAG_DONT_VERIFY_PEER) { |
48e7baac | 930 | debugs(83, 2, "NOTICE: Peer certificates are not verified for validity!"); |
62e76326 | 931 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); |
a7ad6e4e | 932 | } else { |
bf8fe701 | 933 | debugs(83, 9, "Setting certificate verification callback."); |
62e76326 | 934 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); |
a7ad6e4e | 935 | } |
f484cdf5 | 936 | |
bf8fe701 | 937 | debugs(83, 9, "Setting CA certificate locations."); |
62e76326 | 938 | |
a82a4fe4 | 939 | if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) { |
940 | ssl_error = ERR_get_error(); | |
48e7baac | 941 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); |
a82a4fe4 | 942 | } |
943 | ||
944 | if (CRLfile) { | |
945 | ssl_load_crl(sslContext, CRLfile); | |
946 | fl |= SSL_FLAG_VERIFY_CRL; | |
947 | } | |
948 | ||
32d002cb | 949 | #if X509_V_FLAG_CRL_CHECK |
a82a4fe4 | 950 | if (fl & SSL_FLAG_VERIFY_CRL_ALL) |
951 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
952 | else if (fl & SSL_FLAG_VERIFY_CRL) | |
953 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK); | |
954 | ||
955 | #endif | |
62e76326 | 956 | |
a7ad6e4e | 957 | if (!(fl & SSL_FLAG_NO_DEFAULT_CA) && |
62e76326 | 958 | !SSL_CTX_set_default_verify_paths(sslContext)) { |
959 | ssl_error = ERR_get_error(); | |
48e7baac | 960 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); |
f484cdf5 | 961 | } |
62e76326 | 962 | |
d193a436 | 963 | return sslContext; |
f484cdf5 | 964 | } |
965 | ||
63be0a78 | 966 | /// \ingroup ServerProtocolSSLInternal |
d193a436 | 967 | int |
e6ccf245 | 968 | ssl_read_method(int fd, char *buf, int len) |
f484cdf5 | 969 | { |
6de9e64b | 970 | SSL *ssl = fd_table[fd].ssl; |
79d4ccdf | 971 | int i; |
972 | ||
6de9e64b | 973 | #if DONT_DO_THIS |
974 | ||
975 | if (!SSL_is_init_finished(ssl)) { | |
976 | errno = ENOTCONN; | |
977 | return -1; | |
978 | } | |
79d4ccdf | 979 | |
6de9e64b | 980 | #endif |
981 | ||
982 | i = SSL_read(ssl, buf, len); | |
983 | ||
984 | if (i > 0 && SSL_pending(ssl) > 0) { | |
bf8fe701 | 985 | debugs(83, 2, "SSL FD " << fd << " is pending"); |
62e76326 | 986 | fd_table[fd].flags.read_pending = 1; |
79d4ccdf | 987 | } else |
62e76326 | 988 | fd_table[fd].flags.read_pending = 0; |
79d4ccdf | 989 | |
990 | return i; | |
f484cdf5 | 991 | } |
992 | ||
63be0a78 | 993 | /// \ingroup ServerProtocolSSLInternal |
d193a436 | 994 | int |
e6ccf245 | 995 | ssl_write_method(int fd, const char *buf, int len) |
f484cdf5 | 996 | { |
6de9e64b | 997 | SSL *ssl = fd_table[fd].ssl; |
998 | int i; | |
999 | ||
1000 | if (!SSL_is_init_finished(ssl)) { | |
1001 | errno = ENOTCONN; | |
1002 | return -1; | |
1003 | } | |
1004 | ||
1005 | i = SSL_write(ssl, buf, len); | |
1006 | ||
1007 | return i; | |
f484cdf5 | 1008 | } |
79d4ccdf | 1009 | |
1010 | void | |
e6ccf245 | 1011 | ssl_shutdown_method(int fd) |
79d4ccdf | 1012 | { |
1013 | SSL *ssl = fd_table[fd].ssl; | |
62e76326 | 1014 | |
79d4ccdf | 1015 | SSL_shutdown(ssl); |
1016 | } | |
a7ad6e4e | 1017 | |
63be0a78 | 1018 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 1019 | static const char * |
1020 | ssl_get_attribute(X509_NAME * name, const char *attribute_name) | |
1021 | { | |
1022 | static char buffer[1024]; | |
1023 | int nid; | |
1024 | ||
1025 | buffer[0] = '\0'; | |
1026 | ||
1027 | if (strcmp(attribute_name, "DN") == 0) { | |
62e76326 | 1028 | X509_NAME_oneline(name, buffer, sizeof(buffer)); |
1029 | goto done; | |
a7ad6e4e | 1030 | } |
62e76326 | 1031 | |
a7ad6e4e | 1032 | nid = OBJ_txt2nid((char *) attribute_name); |
62e76326 | 1033 | |
a7ad6e4e | 1034 | if (nid == 0) { |
bf8fe701 | 1035 | debugs(83, 1, "WARNING: Unknown SSL attribute name '" << attribute_name << "'"); |
62e76326 | 1036 | return NULL; |
a7ad6e4e | 1037 | } |
62e76326 | 1038 | |
a7ad6e4e | 1039 | X509_NAME_get_text_by_NID(name, nid, buffer, sizeof(buffer)); |
62e76326 | 1040 | |
1041 | done: | |
a7ad6e4e | 1042 | return *buffer ? buffer : NULL; |
1043 | } | |
1044 | ||
63be0a78 | 1045 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 1046 | const char * |
1047 | sslGetUserAttribute(SSL * ssl, const char *attribute_name) | |
1048 | { | |
1049 | X509 *cert; | |
1050 | X509_NAME *name; | |
23e6c4ae | 1051 | const char *ret; |
a7ad6e4e | 1052 | |
1053 | if (!ssl) | |
62e76326 | 1054 | return NULL; |
a7ad6e4e | 1055 | |
1056 | cert = SSL_get_peer_certificate(ssl); | |
62e76326 | 1057 | |
a7ad6e4e | 1058 | if (!cert) |
62e76326 | 1059 | return NULL; |
a7ad6e4e | 1060 | |
5a4684b6 | 1061 | name = X509_get_subject_name(cert); |
a7ad6e4e | 1062 | |
23e6c4ae | 1063 | ret = ssl_get_attribute(name, attribute_name); |
1064 | ||
1065 | X509_free(cert); | |
1066 | ||
23e6c4ae | 1067 | return ret; |
a7ad6e4e | 1068 | } |
1069 | ||
63be0a78 | 1070 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 1071 | const char * |
1072 | sslGetCAAttribute(SSL * ssl, const char *attribute_name) | |
1073 | { | |
1074 | X509 *cert; | |
1075 | X509_NAME *name; | |
23e6c4ae | 1076 | const char *ret; |
a7ad6e4e | 1077 | |
1078 | if (!ssl) | |
62e76326 | 1079 | return NULL; |
a7ad6e4e | 1080 | |
1081 | cert = SSL_get_peer_certificate(ssl); | |
62e76326 | 1082 | |
a7ad6e4e | 1083 | if (!cert) |
62e76326 | 1084 | return NULL; |
a7ad6e4e | 1085 | |
5a4684b6 | 1086 | name = X509_get_issuer_name(cert); |
a7ad6e4e | 1087 | |
23e6c4ae | 1088 | ret = ssl_get_attribute(name, attribute_name); |
1089 | ||
1090 | X509_free(cert); | |
1091 | ||
23e6c4ae | 1092 | return ret; |
a7ad6e4e | 1093 | } |
1094 | ||
a7ad6e4e | 1095 | const char * |
1096 | sslGetUserEmail(SSL * ssl) | |
1097 | { | |
e6ceef10 | 1098 | return sslGetUserAttribute(ssl, "emailAddress"); |
a7ad6e4e | 1099 | } |
4ac9968f | 1100 | |
1101 | const char * | |
1102 | sslGetUserCertificatePEM(SSL *ssl) | |
1103 | { | |
1104 | X509 *cert; | |
1105 | BIO *mem; | |
1106 | static char *str = NULL; | |
1107 | char *ptr; | |
1108 | long len; | |
1109 | ||
1110 | safe_free(str); | |
1111 | ||
1112 | if (!ssl) | |
1113 | return NULL; | |
1114 | ||
1115 | cert = SSL_get_peer_certificate(ssl); | |
1116 | ||
1117 | if (!cert) | |
1118 | return NULL; | |
1119 | ||
1120 | mem = BIO_new(BIO_s_mem()); | |
1121 | ||
1122 | PEM_write_bio_X509(mem, cert); | |
1123 | ||
1124 | ||
1125 | len = BIO_get_mem_data(mem, &ptr); | |
1126 | ||
1127 | str = (char *)xmalloc(len + 1); | |
1128 | ||
1129 | memcpy(str, ptr, len); | |
1130 | ||
1131 | str[len] = '\0'; | |
1132 | ||
1133 | X509_free(cert); | |
1134 | ||
1135 | BIO_free(mem); | |
1136 | ||
1137 | return str; | |
1138 | } | |
3d61c476 | 1139 | |
1140 | const char * | |
1141 | sslGetUserCertificateChainPEM(SSL *ssl) | |
1142 | { | |
1143 | STACK_OF(X509) *chain; | |
1144 | BIO *mem; | |
1145 | static char *str = NULL; | |
1146 | char *ptr; | |
1147 | long len; | |
1148 | int i; | |
1149 | ||
1150 | safe_free(str); | |
1151 | ||
1152 | if (!ssl) | |
1153 | return NULL; | |
1154 | ||
1155 | chain = SSL_get_peer_cert_chain(ssl); | |
1156 | ||
1157 | if (!chain) | |
1158 | return sslGetUserCertificatePEM(ssl); | |
1159 | ||
1160 | mem = BIO_new(BIO_s_mem()); | |
1161 | ||
1162 | for (i = 0; i < sk_X509_num(chain); i++) { | |
1163 | X509 *cert = sk_X509_value(chain, i); | |
1164 | PEM_write_bio_X509(mem, cert); | |
1165 | } | |
1166 | ||
1167 | len = BIO_get_mem_data(mem, &ptr); | |
1168 | ||
1169 | str = (char *)xmalloc(len + 1); | |
1170 | memcpy(str, ptr, len); | |
1171 | str[len] = '\0'; | |
1172 | ||
1173 | BIO_free(mem); | |
1174 | ||
1175 | return str; | |
1176 | } | |
454e8283 | 1177 | |
95d2589c CT |
1178 | /// \ingroup ServerProtocolSSLInternal |
1179 | /// Create SSL context and apply ssl certificate and private key to it. | |
1180 | static SSL_CTX * createSSLContext(Ssl::X509_Pointer & x509, Ssl::EVP_PKEY_Pointer & pkey) | |
1181 | { | |
1182 | Ssl::SSL_CTX_Pointer sslContext(SSL_CTX_new(SSLv23_server_method())); | |
1183 | ||
1184 | if (!SSL_CTX_use_certificate(sslContext.get(), x509.get())) | |
1185 | return NULL; | |
1186 | ||
1187 | if (!SSL_CTX_use_PrivateKey(sslContext.get(), pkey.get())) | |
1188 | return NULL; | |
1189 | return sslContext.release(); | |
1190 | } | |
1191 | ||
1192 | SSL_CTX * Ssl::generateSslContextUsingPkeyAndCertFromMemory(const char * data) | |
1193 | { | |
1194 | Ssl::X509_Pointer cert; | |
1195 | Ssl::EVP_PKEY_Pointer pkey; | |
1196 | if (!readCertAndPrivateKeyFromMemory(cert, pkey, data)) | |
1197 | return NULL; | |
1198 | ||
1199 | if (!cert || !pkey) | |
1200 | return NULL; | |
1201 | ||
1202 | return createSSLContext(cert, pkey); | |
1203 | } | |
1204 | ||
1205 | SSL_CTX * Ssl::generateSslContext(char const *host, Ssl::X509_Pointer const & signedX509, Ssl::EVP_PKEY_Pointer const & signedPkey) | |
1206 | { | |
1207 | Ssl::X509_Pointer cert; | |
1208 | Ssl::EVP_PKEY_Pointer pkey; | |
1209 | if (!generateSslCertificateAndPrivateKey(host, signedX509, signedPkey, cert, pkey, NULL)) { | |
1210 | return NULL; | |
1211 | } | |
1212 | if (!cert) | |
1213 | return NULL; | |
1214 | ||
1215 | if (!pkey) | |
1216 | return NULL; | |
1217 | ||
1218 | return createSSLContext(cert, pkey); | |
1219 | } | |
1220 | ||
1221 | bool Ssl::verifySslCertificateDate(SSL_CTX * sslContext) | |
1222 | { | |
1223 | // Temporary ssl for getting X509 certificate from SSL_CTX. | |
1224 | Ssl::SSL_Pointer ssl(SSL_new(sslContext)); | |
1225 | X509 * cert = SSL_get_certificate(ssl.get()); | |
1226 | ASN1_TIME * time_notBefore = X509_get_notBefore(cert); | |
1227 | ASN1_TIME * time_notAfter = X509_get_notAfter(cert); | |
1228 | bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0); | |
1229 | return ret; | |
1230 | } | |
1231 | ||
253749a8 CT |
1232 | bool |
1233 | Ssl::setClientSNI(SSL *ssl, const char *fqdn) | |
1234 | { | |
1235 | //The SSL_CTRL_SET_TLSEXT_HOSTNAME is a openssl macro which indicates | |
1236 | // if the TLS servername extension (SNI) is enabled in openssl library. | |
1237 | #if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME) | |
1238 | if (!SSL_set_tlsext_host_name(ssl, fqdn)) { | |
1239 | const int ssl_error = ERR_get_error(); | |
1240 | debugs(83, 3, "WARNING: unable to set TLS servername extension (SNI): " << | |
1241 | ERR_error_string(ssl_error, NULL) << "\n"); | |
1242 | return false; | |
1243 | } | |
1244 | return true; | |
1245 | #else | |
1246 | debugs(83, 7, "no support for TLS servername extension (SNI)\n"); | |
1247 | return false; | |
1248 | #endif | |
1249 | } | |
1250 | ||
a594dbfa CT |
1251 | void Ssl::addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *chain) |
1252 | { | |
1253 | if (!chain) | |
1254 | return; | |
1255 | ||
1256 | for (int i = 0; i < sk_X509_num(chain); i++) { | |
1257 | X509 *cert = sk_X509_value(chain, i); | |
1258 | if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) { | |
1259 | // increase the certificate lock | |
1260 | CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509); | |
1261 | } else { | |
1262 | const int ssl_error = ERR_get_error(); | |
1263 | debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL)); | |
1264 | } | |
1265 | } | |
1266 | } | |
1267 | ||
1268 | /** | |
1269 | \ingroup ServerProtocolSSLInternal | |
1270 | * Read certificate from file. | |
1271 | * See also: static readSslX509Certificate function, gadgets.cc file | |
1272 | */ | |
1273 | static X509 * readSslX509CertificatesChain(char const * certFilename, STACK_OF(X509)* chain) | |
1274 | { | |
1275 | if (!certFilename) | |
1276 | return NULL; | |
1277 | Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal())); | |
1278 | if (!bio) | |
1279 | return NULL; | |
1280 | if (!BIO_read_filename(bio.get(), certFilename)) | |
1281 | return NULL; | |
1282 | X509 *certificate = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL); | |
1283 | ||
1284 | if (certificate && chain) { | |
1285 | ||
c11211d9 | 1286 | if (X509_check_issued(certificate, certificate) == X509_V_OK) |
a594dbfa CT |
1287 | debugs(83, 5, "Certificate is self-signed, will not be chained"); |
1288 | else { | |
c11211d9 | 1289 | if (sk_X509_push(chain, certificate)) |
a594dbfa CT |
1290 | CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509); |
1291 | else | |
1292 | debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain"); | |
1293 | // and add to the chain any certificate loaded from the file | |
1294 | while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) { | |
1295 | if (!sk_X509_push(chain, ca)) | |
1296 | debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain"); | |
1297 | } | |
1298 | } | |
1299 | } | |
c11211d9 | 1300 | |
a594dbfa CT |
1301 | return certificate; |
1302 | } | |
1303 | ||
1304 | void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename) | |
1305 | { | |
1306 | if (keyFilename == NULL) | |
1307 | keyFilename = certFilename; | |
1308 | if (!chain) | |
1309 | chain.reset(sk_X509_new_null()); | |
1310 | if (!chain) | |
1311 | debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain"); | |
1312 | pkey.reset(readSslPrivateKey(keyFilename)); | |
1313 | cert.reset(readSslX509CertificatesChain(certFilename, chain.get())); | |
1314 | if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) { | |
1315 | pkey.reset(NULL); | |
1316 | cert.reset(NULL); | |
1317 | } | |
1318 | } | |
1319 | ||
454e8283 | 1320 | #endif /* USE_SSL */ |