]>
Commit | Line | Data |
---|---|---|
f484cdf5 | 1 | |
2 | /* | |
f484cdf5 | 3 | * AUTHOR: Benno Rice |
27d8545c | 4 | * DEBUG: section 83 SSL accelerator support |
f484cdf5 | 5 | * |
6 | * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ | |
7 | * ---------------------------------------------------------- | |
8 | * | |
9 | * Squid is the result of efforts by numerous individuals from the | |
10 | * Internet community. Development is led by Duane Wessels of the | |
11 | * National Laboratory for Applied Network Research and funded by the | |
12 | * National Science Foundation. Squid is Copyrighted (C) 1998 by | |
13 | * Duane Wessels and the University of California San Diego. Please | |
14 | * see the COPYRIGHT file for full details. Squid incorporates | |
15 | * software developed and/or copyrighted by other sources. Please see | |
16 | * the CREDITS file for full details. | |
17 | * | |
18 | * This program is free software; you can redistribute it and/or modify | |
19 | * it under the terms of the GNU General Public License as published by | |
20 | * the Free Software Foundation; either version 2 of the License, or | |
21 | * (at your option) any later version. | |
26ac0430 | 22 | * |
f484cdf5 | 23 | * This program is distributed in the hope that it will be useful, |
24 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
25 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
26 | * GNU General Public License for more details. | |
26ac0430 | 27 | * |
f484cdf5 | 28 | * You should have received a copy of the GNU General Public License |
29 | * along with this program; if not, write to the Free Software | |
30 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
31 | * | |
32 | */ | |
33 | ||
582c2af2 | 34 | #include "squid.h" |
454e8283 | 35 | |
36 | /* MS Visual Studio Projects are monolithic, so we need the following | |
37 | * #if to exclude the SSL code from compile process when not needed. | |
38 | */ | |
cb4f4424 | 39 | #if USE_OPENSSL |
454e8283 | 40 | |
c0941a6a | 41 | #include "acl/FilledChecklist.h" |
86660d64 | 42 | #include "anyp/PortCfg.h" |
b3a8ae1b | 43 | #include "fd.h" |
582c2af2 FC |
44 | #include "fde.h" |
45 | #include "globals.h" | |
86c63190 | 46 | #include "ipc/MemMap.h" |
4d5904f7 | 47 | #include "SquidConfig.h" |
10a69fc0 | 48 | #include "SquidTime.h" |
b3a8ae1b | 49 | #include "ssl/bio.h" |
2cef0ca6 | 50 | #include "ssl/Config.h" |
4d16918e | 51 | #include "ssl/ErrorDetail.h" |
95d2589c | 52 | #include "ssl/gadgets.h" |
602d9612 | 53 | #include "ssl/support.h" |
fc54b8d2 | 54 | #include "URL.h" |
f484cdf5 | 55 | |
1a30fdf5 | 56 | #include <cerrno> |
21d845b1 | 57 | |
10a69fc0 CT |
58 | static void setSessionCallbacks(SSL_CTX *ctx); |
59 | Ipc::MemMap *SslSessionCache = NULL; | |
60 | const char *SslSessionCacheName = "ssl_session_cache"; | |
61 | ||
caf3666d AR |
62 | const char *Ssl::BumpModeStr[] = { |
63 | "none", | |
64 | "client-first", | |
65 | "server-first", | |
5d65362c CT |
66 | "peek", |
67 | "stare", | |
68 | "bump", | |
7f4e9b73 | 69 | "splice", |
5d65362c | 70 | "terminate", |
1110989a | 71 | /*"err",*/ |
caf3666d AR |
72 | NULL |
73 | }; | |
74 | ||
63be0a78 | 75 | /** |
76 | \defgroup ServerProtocolSSLInternal Server-Side SSL Internals | |
77 | \ingroup ServerProtocolSSLAPI | |
78 | */ | |
79 | ||
80 | /// \ingroup ServerProtocolSSLInternal | |
307b83b7 | 81 | static int |
82 | ssl_ask_password_cb(char *buf, int size, int rwflag, void *userdata) | |
83 | { | |
84 | FILE *in; | |
85 | int len = 0; | |
86 | char cmdline[1024]; | |
87 | ||
88 | snprintf(cmdline, sizeof(cmdline), "\"%s\" \"%s\"", Config.Program.ssl_password, (const char *)userdata); | |
89 | in = popen(cmdline, "r"); | |
90 | ||
91 | if (fgets(buf, size, in)) | |
92 | ||
93 | len = strlen(buf); | |
94 | ||
95 | while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) | |
5e263176 | 96 | --len; |
307b83b7 | 97 | |
98 | buf[len] = '\0'; | |
99 | ||
100 | pclose(in); | |
101 | ||
102 | return len; | |
103 | } | |
104 | ||
63be0a78 | 105 | /// \ingroup ServerProtocolSSLInternal |
307b83b7 | 106 | static void |
107 | ssl_ask_password(SSL_CTX * context, const char * prompt) | |
108 | { | |
109 | if (Config.Program.ssl_password) { | |
110 | SSL_CTX_set_default_passwd_cb(context, ssl_ask_password_cb); | |
111 | SSL_CTX_set_default_passwd_cb_userdata(context, (void *)prompt); | |
112 | } | |
113 | } | |
114 | ||
63be0a78 | 115 | /// \ingroup ServerProtocolSSLInternal |
f484cdf5 | 116 | static RSA * |
e6ccf245 | 117 | ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) |
f484cdf5 | 118 | { |
e01f02ed | 119 | static RSA *rsa_512 = NULL; |
120 | static RSA *rsa_1024 = NULL; | |
121 | RSA *rsa = NULL; | |
122 | int newkey = 0; | |
f484cdf5 | 123 | |
e01f02ed | 124 | switch (keylen) { |
125 | ||
126 | case 512: | |
127 | ||
128 | if (!rsa_512) { | |
129 | rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL); | |
130 | newkey = 1; | |
131 | } | |
132 | ||
133 | rsa = rsa_512; | |
134 | break; | |
135 | ||
136 | case 1024: | |
137 | ||
138 | if (!rsa_1024) { | |
139 | rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL); | |
140 | newkey = 1; | |
141 | } | |
142 | ||
143 | rsa = rsa_1024; | |
144 | break; | |
145 | ||
146 | default: | |
e0236918 | 147 | debugs(83, DBG_IMPORTANT, "ssl_temp_rsa_cb: Unexpected key length " << keylen); |
e01f02ed | 148 | return NULL; |
149 | } | |
150 | ||
151 | if (rsa == NULL) { | |
e0236918 | 152 | debugs(83, DBG_IMPORTANT, "ssl_temp_rsa_cb: Failed to generate key " << keylen); |
e01f02ed | 153 | return NULL; |
154 | } | |
155 | ||
156 | if (newkey) { | |
157 | if (do_debug(83, 5)) | |
158 | PEM_write_RSAPrivateKey(debug_log, rsa, NULL, NULL, 0, NULL, NULL); | |
159 | ||
e0236918 | 160 | debugs(83, DBG_IMPORTANT, "Generated ephemeral RSA key of length " << keylen); |
e01f02ed | 161 | } |
62e76326 | 162 | |
f484cdf5 | 163 | return rsa; |
164 | } | |
165 | ||
4d16918e CT |
166 | int Ssl::asn1timeToString(ASN1_TIME *tm, char *buf, int len) |
167 | { | |
168 | BIO *bio; | |
169 | int write = 0; | |
170 | bio = BIO_new(BIO_s_mem()); | |
171 | if (bio) { | |
e34763f4 A |
172 | if (ASN1_TIME_print(bio, tm)) |
173 | write = BIO_read(bio, buf, len-1); | |
174 | BIO_free(bio); | |
4d16918e CT |
175 | } |
176 | buf[write]='\0'; | |
177 | return write; | |
178 | } | |
179 | ||
180 | int Ssl::matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data)) | |
181 | { | |
182 | assert(peer_cert); | |
183 | ||
184 | X509_NAME *name = X509_get_subject_name(peer_cert); | |
185 | ||
186 | for (int i = X509_NAME_get_index_by_NID(name, NID_commonName, -1); i >= 0; i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) { | |
e34763f4 | 187 | |
4d16918e CT |
188 | ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i)); |
189 | ||
190 | if ( (*check_func)(check_data, cn_data) == 0) | |
191 | return 1; | |
192 | } | |
193 | ||
194 | STACK_OF(GENERAL_NAME) * altnames; | |
195 | altnames = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL); | |
196 | ||
197 | if (altnames) { | |
198 | int numalts = sk_GENERAL_NAME_num(altnames); | |
d7ae3534 | 199 | for (int i = 0; i < numalts; ++i) { |
4d16918e CT |
200 | const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i); |
201 | if (check->type != GEN_DNS) { | |
202 | continue; | |
203 | } | |
204 | ASN1_STRING *cn_data = check->d.dNSName; | |
e34763f4 | 205 | |
40dd2b59 CT |
206 | if ( (*check_func)(check_data, cn_data) == 0) { |
207 | sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); | |
4d16918e | 208 | return 1; |
40dd2b59 | 209 | } |
4d16918e CT |
210 | } |
211 | sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); | |
212 | } | |
213 | return 0; | |
214 | } | |
215 | ||
216 | static int check_domain( void *check_data, ASN1_STRING *cn_data) | |
217 | { | |
218 | char cn[1024]; | |
219 | const char *server = (const char *)check_data; | |
220 | ||
e34763f4 | 221 | if (cn_data->length > (int)sizeof(cn) - 1) { |
4d16918e CT |
222 | return 1; //if does not fit our buffer just ignore |
223 | } | |
224 | memcpy(cn, cn_data->data, cn_data->length); | |
225 | cn[cn_data->length] = '\0'; | |
226 | debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); | |
227 | return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn); | |
228 | } | |
229 | ||
8eb0a7ee CT |
230 | bool Ssl::checkX509ServerValidity(X509 *cert, const char *server) |
231 | { | |
232 | return matchX509CommonNames(cert, (void *)server, check_domain); | |
233 | } | |
234 | ||
63be0a78 | 235 | /// \ingroup ServerProtocolSSLInternal |
f484cdf5 | 236 | static int |
237 | ssl_verify_cb(int ok, X509_STORE_CTX * ctx) | |
238 | { | |
7698a79c CT |
239 | // preserve original ctx->error before SSL_ calls can overwrite it |
240 | Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : ctx->error; | |
241 | ||
242 | char buffer[256] = ""; | |
a7ad6e4e | 243 | SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
244 | SSL_CTX *sslctx = SSL_get_SSL_CTX(ssl); | |
245 | const char *server = (const char *)SSL_get_ex_data(ssl, ssl_ex_index_server); | |
246 | void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain); | |
815eaa44 | 247 | ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check); |
e7bcc25f | 248 | X509 *peeked_cert = (X509 *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_peeked_cert); |
a7ad6e4e | 249 | X509 *peer_cert = ctx->cert; |
f484cdf5 | 250 | |
a7ad6e4e | 251 | X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer, |
62e76326 | 252 | sizeof(buffer)); |
a7ad6e4e | 253 | |
0ad3ff51 CT |
254 | // detect infinite loops |
255 | uint32_t *validationCounter = static_cast<uint32_t *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_validation_counter)); | |
256 | if (!validationCounter) { | |
257 | validationCounter = new uint32_t(1); | |
258 | SSL_set_ex_data(ssl, ssl_ex_index_ssl_validation_counter, validationCounter); | |
259 | } else { | |
260 | // overflows allowed if SQUID_CERT_VALIDATION_ITERATION_MAX >= UINT32_MAX | |
261 | (*validationCounter)++; | |
262 | } | |
263 | ||
264 | if ((*validationCounter) >= SQUID_CERT_VALIDATION_ITERATION_MAX) { | |
265 | ok = 0; // or the validation loop will never stop | |
266 | error_no = SQUID_X509_V_ERR_INFINITE_VALIDATION; | |
267 | debugs(83, 2, "SQUID_X509_V_ERR_INFINITE_VALIDATION: " << | |
268 | *validationCounter << " iterations while checking " << buffer); | |
269 | } | |
270 | ||
a7ad6e4e | 271 | if (ok) { |
bf8fe701 | 272 | debugs(83, 5, "SSL Certificate signature OK: " << buffer); |
62e76326 | 273 | |
4747ea4c CT |
274 | // Check for domain mismatch only if the current certificate is the peer certificate. |
275 | if (server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) { | |
8eb0a7ee | 276 | if (!Ssl::checkX509ServerValidity(peer_cert, server)) { |
815eaa44 | 277 | debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server); |
62e76326 | 278 | ok = 0; |
4d16918e | 279 | error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH; |
62e76326 | 280 | } |
281 | } | |
7698a79c | 282 | } |
0db46e4f | 283 | |
e7bcc25f | 284 | if (ok && peeked_cert) { |
7a957a93 | 285 | // Check whether the already peeked certificate matches the new one. |
e7bcc25f CT |
286 | if (X509_cmp(peer_cert, peeked_cert) != 0) { |
287 | debugs(83, 2, "SQUID_X509_V_ERR_CERT_CHANGE: Certificate " << buffer << " does not match peeked certificate"); | |
288 | ok = 0; | |
289 | error_no = SQUID_X509_V_ERR_CERT_CHANGE; | |
290 | } | |
291 | } | |
292 | ||
7698a79c | 293 | if (!ok) { |
62a7607e CT |
294 | X509 *broken_cert = X509_STORE_CTX_get_current_cert(ctx); |
295 | if (!broken_cert) | |
296 | broken_cert = peer_cert; | |
297 | ||
298 | Ssl::CertErrors *errs = static_cast<Ssl::CertErrors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)); | |
7a957a93 | 299 | if (!errs) { |
62a7607e | 300 | errs = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert)); |
7a957a93 | 301 | if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_errors, (void *)errs)) { |
fb2178bb | 302 | debugs(83, 2, "Failed to set ssl error_no in ssl_verify_cb: Certificate " << buffer); |
7a957a93 AR |
303 | delete errs; |
304 | errs = NULL; | |
fb2178bb | 305 | } |
87f237a9 | 306 | } else // remember another error number |
62a7607e | 307 | errs->push_back_unique(Ssl::CertError(error_no, broken_cert)); |
fb2178bb | 308 | |
7698a79c | 309 | if (const char *err_descr = Ssl::GetErrorDescr(error_no)) |
cf09bec7 CT |
310 | debugs(83, 5, err_descr << ": " << buffer); |
311 | else | |
7698a79c CT |
312 | debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer); |
313 | ||
0ad3ff51 CT |
314 | // Check if the certificate error can be bypassed. |
315 | // Infinity validation loop errors can not bypassed. | |
316 | if (error_no != SQUID_X509_V_ERR_INFINITE_VALIDATION) { | |
317 | if (check) { | |
318 | ACLFilledChecklist *filledCheck = Filled(check); | |
319 | assert(!filledCheck->sslErrors); | |
320 | filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert)); | |
321 | filledCheck->serverCert.resetAndLock(peer_cert); | |
322 | if (check->fastCheck() == ACCESS_ALLOWED) { | |
323 | debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer); | |
324 | ok = 1; | |
325 | } else { | |
326 | debugs(83, 5, "confirming SSL error " << error_no); | |
327 | } | |
328 | delete filledCheck->sslErrors; | |
329 | filledCheck->sslErrors = NULL; | |
330 | filledCheck->serverCert.reset(NULL); | |
7698a79c | 331 | } |
0ad3ff51 CT |
332 | // If the certificate validator is used then we need to allow all errors and |
333 | // pass them to certficate validator for more processing | |
334 | else if (Ssl::TheConfig.ssl_crt_validator) { | |
7698a79c | 335 | ok = 1; |
0ad3ff51 CT |
336 | // Check if we have stored certificates chain. Store if not. |
337 | if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) { | |
338 | STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx); | |
339 | if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack)) | |
340 | sk_X509_pop_free(certStack, X509_free); | |
341 | } | |
7698a79c | 342 | } |
815eaa44 | 343 | } |
a7ad6e4e | 344 | } |
62e76326 | 345 | |
26ac0430 | 346 | if (!dont_verify_domain && server) {} |
62e76326 | 347 | |
7698a79c | 348 | if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) { |
f622c461 MF |
349 | |
350 | // Find the broken certificate. It may be intermediate. | |
351 | X509 *broken_cert = peer_cert; // reasonable default if search fails | |
352 | // Our SQUID_X509_V_ERR_DOMAIN_MISMATCH implies peer_cert is at fault. | |
353 | if (error_no != SQUID_X509_V_ERR_DOMAIN_MISMATCH) { | |
354 | if (X509 *last_used_cert = X509_STORE_CTX_get_current_cert(ctx)) | |
355 | broken_cert = last_used_cert; | |
356 | } | |
357 | ||
358 | Ssl::ErrorDetail *errDetail = | |
de878a55 | 359 | new Ssl::ErrorDetail(error_no, peer_cert, broken_cert); |
f622c461 | 360 | |
e34763f4 | 361 | if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) { |
4d16918e CT |
362 | debugs(83, 2, "Failed to set Ssl::ErrorDetail in ssl_verify_cb: Certificate " << buffer); |
363 | delete errDetail; | |
364 | } | |
365 | } | |
366 | ||
f484cdf5 | 367 | return ok; |
368 | } | |
369 | ||
63be0a78 | 370 | /// \ingroup ServerProtocolSSLInternal |
26ac0430 | 371 | static struct ssl_option { |
79d4ccdf | 372 | const char *name; |
373 | long value; | |
62e76326 | 374 | } |
375 | ||
376 | ssl_options[] = { | |
79d4ccdf | 377 | |
32d002cb | 378 | #if SSL_OP_MICROSOFT_SESS_ID_BUG |
26ac0430 AJ |
379 | { |
380 | "MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG | |
381 | }, | |
673cd7db | 382 | #endif |
32d002cb | 383 | #if SSL_OP_NETSCAPE_CHALLENGE_BUG |
26ac0430 AJ |
384 | { |
385 | "NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG | |
386 | }, | |
673cd7db | 387 | #endif |
32d002cb | 388 | #if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
26ac0430 AJ |
389 | { |
390 | "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
391 | }, | |
673cd7db | 392 | #endif |
32d002cb | 393 | #if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
26ac0430 AJ |
394 | { |
395 | "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
396 | }, | |
673cd7db | 397 | #endif |
32d002cb | 398 | #if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
26ac0430 AJ |
399 | { |
400 | "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
401 | }, | |
673cd7db | 402 | #endif |
32d002cb | 403 | #if SSL_OP_MSIE_SSLV2_RSA_PADDING |
26ac0430 AJ |
404 | { |
405 | "MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING | |
406 | }, | |
673cd7db | 407 | #endif |
32d002cb | 408 | #if SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
26ac0430 AJ |
409 | { |
410 | "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
411 | }, | |
673cd7db | 412 | #endif |
32d002cb | 413 | #if SSL_OP_TLS_D5_BUG |
26ac0430 AJ |
414 | { |
415 | "TLS_D5_BUG", SSL_OP_TLS_D5_BUG | |
416 | }, | |
673cd7db | 417 | #endif |
32d002cb | 418 | #if SSL_OP_TLS_BLOCK_PADDING_BUG |
26ac0430 AJ |
419 | { |
420 | "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG | |
421 | }, | |
673cd7db | 422 | #endif |
32d002cb | 423 | #if SSL_OP_TLS_ROLLBACK_BUG |
26ac0430 AJ |
424 | { |
425 | "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG | |
426 | }, | |
673cd7db | 427 | #endif |
32d002cb | 428 | #if SSL_OP_ALL |
26ac0430 | 429 | { |
866eafc6 | 430 | "ALL", (long)SSL_OP_ALL |
26ac0430 | 431 | }, |
673cd7db | 432 | #endif |
32d002cb | 433 | #if SSL_OP_SINGLE_DH_USE |
26ac0430 AJ |
434 | { |
435 | "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE | |
436 | }, | |
673cd7db | 437 | #endif |
32d002cb | 438 | #if SSL_OP_EPHEMERAL_RSA |
26ac0430 AJ |
439 | { |
440 | "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA | |
441 | }, | |
673cd7db | 442 | #endif |
32d002cb | 443 | #if SSL_OP_PKCS1_CHECK_1 |
26ac0430 AJ |
444 | { |
445 | "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 | |
446 | }, | |
673cd7db | 447 | #endif |
32d002cb | 448 | #if SSL_OP_PKCS1_CHECK_2 |
26ac0430 AJ |
449 | { |
450 | "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 | |
451 | }, | |
673cd7db | 452 | #endif |
32d002cb | 453 | #if SSL_OP_NETSCAPE_CA_DN_BUG |
26ac0430 AJ |
454 | { |
455 | "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG | |
456 | }, | |
673cd7db | 457 | #endif |
32d002cb | 458 | #if SSL_OP_NON_EXPORT_FIRST |
26ac0430 AJ |
459 | { |
460 | "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST | |
461 | }, | |
673cd7db | 462 | #endif |
32d002cb | 463 | #if SSL_OP_CIPHER_SERVER_PREFERENCE |
26ac0430 AJ |
464 | { |
465 | "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE | |
466 | }, | |
673cd7db | 467 | #endif |
32d002cb | 468 | #if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
26ac0430 AJ |
469 | { |
470 | "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | |
471 | }, | |
673cd7db | 472 | #endif |
32d002cb | 473 | #if SSL_OP_NO_SSLv2 |
26ac0430 AJ |
474 | { |
475 | "NO_SSLv2", SSL_OP_NO_SSLv2 | |
476 | }, | |
673cd7db | 477 | #endif |
32d002cb | 478 | #if SSL_OP_NO_SSLv3 |
26ac0430 AJ |
479 | { |
480 | "NO_SSLv3", SSL_OP_NO_SSLv3 | |
481 | }, | |
673cd7db | 482 | #endif |
32d002cb | 483 | #if SSL_OP_NO_TLSv1 |
26ac0430 AJ |
484 | { |
485 | "NO_TLSv1", SSL_OP_NO_TLSv1 | |
486 | }, | |
3d96b0e8 AJ |
487 | #endif |
488 | #if SSL_OP_NO_TLSv1_1 | |
489 | { | |
490 | "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 | |
491 | }, | |
492 | #endif | |
493 | #if SSL_OP_NO_TLSv1_2 | |
494 | { | |
495 | "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 | |
496 | }, | |
71606c88 SW |
497 | #endif |
498 | #if SSL_OP_NO_COMPRESSION | |
499 | { | |
500 | "No_Compression", SSL_OP_NO_COMPRESSION | |
501 | }, | |
673cd7db | 502 | #endif |
26ac0430 AJ |
503 | { |
504 | "", 0 | |
505 | }, | |
506 | { | |
507 | NULL, 0 | |
508 | } | |
509 | }; | |
79d4ccdf | 510 | |
63be0a78 | 511 | /// \ingroup ServerProtocolSSLInternal |
86660d64 CT |
512 | long |
513 | Ssl::parse_options(const char *options) | |
79d4ccdf | 514 | { |
943c5f16 | 515 | long op = 0; |
79d4ccdf | 516 | char *tmp; |
517 | char *option; | |
518 | ||
519 | if (!options) | |
62e76326 | 520 | goto no_options; |
79d4ccdf | 521 | |
522 | tmp = xstrdup(options); | |
62e76326 | 523 | |
79d4ccdf | 524 | option = strtok(tmp, ":,"); |
62e76326 | 525 | |
79d4ccdf | 526 | while (option) { |
62e76326 | 527 | |
528 | struct ssl_option *opt = NULL, *opttmp; | |
529 | long value = 0; | |
530 | enum { | |
531 | MODE_ADD, MODE_REMOVE | |
532 | } mode; | |
533 | ||
534 | switch (*option) { | |
535 | ||
536 | case '!': | |
537 | ||
538 | case '-': | |
539 | mode = MODE_REMOVE; | |
d7ae3534 | 540 | ++option; |
62e76326 | 541 | break; |
542 | ||
543 | case '+': | |
544 | mode = MODE_ADD; | |
d7ae3534 | 545 | ++option; |
62e76326 | 546 | break; |
547 | ||
548 | default: | |
549 | mode = MODE_ADD; | |
550 | break; | |
551 | } | |
552 | ||
d7ae3534 | 553 | for (opttmp = ssl_options; opttmp->name; ++opttmp) { |
62e76326 | 554 | if (strcmp(opttmp->name, option) == 0) { |
555 | opt = opttmp; | |
556 | break; | |
557 | } | |
558 | } | |
559 | ||
560 | if (opt) | |
561 | value = opt->value; | |
562 | else if (strncmp(option, "0x", 2) == 0) { | |
563 | /* Special case.. hex specification */ | |
564 | value = strtol(option + 2, NULL, 16); | |
565 | } else { | |
566 | fatalf("Unknown SSL option '%s'", option); | |
567 | value = 0; /* Keep GCC happy */ | |
568 | } | |
569 | ||
570 | switch (mode) { | |
571 | ||
572 | case MODE_ADD: | |
573 | op |= value; | |
574 | break; | |
575 | ||
576 | case MODE_REMOVE: | |
577 | op &= ~value; | |
578 | break; | |
579 | } | |
580 | ||
581 | option = strtok(NULL, ":,"); | |
79d4ccdf | 582 | } |
583 | ||
584 | safe_free(tmp); | |
62e76326 | 585 | |
586 | no_options: | |
79d4ccdf | 587 | return op; |
588 | } | |
589 | ||
63be0a78 | 590 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 591 | #define SSL_FLAG_NO_DEFAULT_CA (1<<0) |
63be0a78 | 592 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 593 | #define SSL_FLAG_DELAYED_AUTH (1<<1) |
63be0a78 | 594 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 595 | #define SSL_FLAG_DONT_VERIFY_PEER (1<<2) |
63be0a78 | 596 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 597 | #define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3) |
63be0a78 | 598 | /// \ingroup ServerProtocolSSLInternal |
b13877cc | 599 | #define SSL_FLAG_NO_SESSION_REUSE (1<<4) |
63be0a78 | 600 | /// \ingroup ServerProtocolSSLInternal |
a82a4fe4 | 601 | #define SSL_FLAG_VERIFY_CRL (1<<5) |
63be0a78 | 602 | /// \ingroup ServerProtocolSSLInternal |
a82a4fe4 | 603 | #define SSL_FLAG_VERIFY_CRL_ALL (1<<6) |
a7ad6e4e | 604 | |
63be0a78 | 605 | /// \ingroup ServerProtocolSSLInternal |
86660d64 CT |
606 | long |
607 | Ssl::parse_flags(const char *flags) | |
a7ad6e4e | 608 | { |
609 | long fl = 0; | |
610 | char *tmp; | |
611 | char *flag; | |
612 | ||
613 | if (!flags) | |
62e76326 | 614 | return 0; |
a7ad6e4e | 615 | |
616 | tmp = xstrdup(flags); | |
62e76326 | 617 | |
a7ad6e4e | 618 | flag = strtok(tmp, ":,"); |
62e76326 | 619 | |
a7ad6e4e | 620 | while (flag) { |
62e76326 | 621 | if (strcmp(flag, "NO_DEFAULT_CA") == 0) |
622 | fl |= SSL_FLAG_NO_DEFAULT_CA; | |
623 | else if (strcmp(flag, "DELAYED_AUTH") == 0) | |
624 | fl |= SSL_FLAG_DELAYED_AUTH; | |
625 | else if (strcmp(flag, "DONT_VERIFY_PEER") == 0) | |
626 | fl |= SSL_FLAG_DONT_VERIFY_PEER; | |
627 | else if (strcmp(flag, "DONT_VERIFY_DOMAIN") == 0) | |
628 | fl |= SSL_FLAG_DONT_VERIFY_DOMAIN; | |
b13877cc | 629 | else if (strcmp(flag, "NO_SESSION_REUSE") == 0) |
630 | fl |= SSL_FLAG_NO_SESSION_REUSE; | |
a82a4fe4 | 631 | |
32d002cb | 632 | #if X509_V_FLAG_CRL_CHECK |
a82a4fe4 | 633 | |
634 | else if (strcmp(flag, "VERIFY_CRL") == 0) | |
635 | fl |= SSL_FLAG_VERIFY_CRL; | |
636 | else if (strcmp(flag, "VERIFY_CRL_ALL") == 0) | |
637 | fl |= SSL_FLAG_VERIFY_CRL_ALL; | |
638 | ||
639 | #endif | |
640 | ||
62e76326 | 641 | else |
642 | fatalf("Unknown ssl flag '%s'", flag); | |
643 | ||
644 | flag = strtok(NULL, ":,"); | |
a7ad6e4e | 645 | } |
62e76326 | 646 | |
a7ad6e4e | 647 | safe_free(tmp); |
648 | return fl; | |
649 | } | |
650 | ||
815eaa44 | 651 | // "dup" function for SSL_get_ex_new_index("cert_err_check") |
652 | static int | |
653 | ssl_dupAclChecklist(CRYPTO_EX_DATA *, CRYPTO_EX_DATA *, void *, | |
26ac0430 AJ |
654 | int, long, void *) |
655 | { | |
815eaa44 | 656 | // We do not support duplication of ACLCheckLists. |
657 | // If duplication is needed, we can count copies with cbdata. | |
658 | assert(false); | |
659 | return 0; | |
660 | } | |
661 | ||
662 | // "free" function for SSL_get_ex_new_index("cert_err_check") | |
663 | static void | |
664 | ssl_freeAclChecklist(void *, void *ptr, CRYPTO_EX_DATA *, | |
26ac0430 AJ |
665 | int, long, void *) |
666 | { | |
815eaa44 | 667 | delete static_cast<ACLChecklist *>(ptr); // may be NULL |
668 | } | |
a7ad6e4e | 669 | |
4d16918e CT |
670 | // "free" function for SSL_get_ex_new_index("ssl_error_detail") |
671 | static void | |
672 | ssl_free_ErrorDetail(void *, void *ptr, CRYPTO_EX_DATA *, | |
673 | int, long, void *) | |
674 | { | |
675 | Ssl::ErrorDetail *errDetail = static_cast <Ssl::ErrorDetail *>(ptr); | |
676 | delete errDetail; | |
677 | } | |
678 | ||
fb2178bb | 679 | static void |
7a957a93 | 680 | ssl_free_SslErrors(void *, void *ptr, CRYPTO_EX_DATA *, |
87f237a9 | 681 | int, long, void *) |
fb2178bb | 682 | { |
62a7607e | 683 | Ssl::CertErrors *errs = static_cast <Ssl::CertErrors*>(ptr); |
7a957a93 | 684 | delete errs; |
fb2178bb CT |
685 | } |
686 | ||
0ad3ff51 CT |
687 | // "free" function for SSL_get_ex_new_index("ssl_ex_index_ssl_validation_counter") |
688 | static void | |
689 | ssl_free_int(void *, void *ptr, CRYPTO_EX_DATA *, | |
3cc296c4 | 690 | int, long, void *) |
0ad3ff51 CT |
691 | { |
692 | uint32_t *counter = static_cast <uint32_t *>(ptr); | |
693 | delete counter; | |
694 | } | |
695 | ||
4747ea4c CT |
696 | /// \ingroup ServerProtocolSSLInternal |
697 | /// Callback handler function to release STACK_OF(X509) "ex" data stored | |
698 | /// in an SSL object. | |
699 | static void | |
700 | ssl_free_CertChain(void *, void *ptr, CRYPTO_EX_DATA *, | |
701 | int, long, void *) | |
702 | { | |
703 | STACK_OF(X509) *certsChain = static_cast <STACK_OF(X509) *>(ptr); | |
704 | sk_X509_pop_free(certsChain,X509_free); | |
705 | } | |
706 | ||
e7bcc25f CT |
707 | // "free" function for X509 certificates |
708 | static void | |
709 | ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *, | |
87f237a9 | 710 | int, long, void *) |
e7bcc25f CT |
711 | { |
712 | X509 *cert = static_cast <X509 *>(ptr); | |
713 | X509_free(cert); | |
714 | } | |
715 | ||
63be0a78 | 716 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 717 | static void |
718 | ssl_initialize(void) | |
f484cdf5 | 719 | { |
56a35ad1 AR |
720 | static bool initialized = false; |
721 | if (initialized) | |
722 | return; | |
723 | initialized = true; | |
62e76326 | 724 | |
56a35ad1 AR |
725 | SSL_load_error_strings(); |
726 | SSLeay_add_ssl_algorithms(); | |
62e76326 | 727 | |
56a35ad1 AR |
728 | #if HAVE_OPENSSL_ENGINE_H |
729 | if (Config.SSL.ssl_engine) { | |
730 | ENGINE *e; | |
731 | if (!(e = ENGINE_by_id(Config.SSL.ssl_engine))) | |
732 | fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine); | |
733 | ||
734 | if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { | |
735 | int ssl_error = ERR_get_error(); | |
736 | fatalf("Failed to initialise SSL engine: %s\n", ERR_error_string(ssl_error, NULL)); | |
62e76326 | 737 | } |
56a35ad1 | 738 | } |
a7ad6e4e | 739 | #else |
56a35ad1 AR |
740 | if (Config.SSL.ssl_engine) |
741 | fatalf("Your OpenSSL has no SSL engine support\n"); | |
a7ad6e4e | 742 | #endif |
62e76326 | 743 | |
a7ad6e4e | 744 | ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL); |
745 | ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL); | |
815eaa44 | 746 | ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist); |
4d16918e | 747 | ssl_ex_index_ssl_error_detail = SSL_get_ex_new_index(0, (void *) "ssl_error_detail", NULL, NULL, &ssl_free_ErrorDetail); |
e7bcc25f | 748 | ssl_ex_index_ssl_peeked_cert = SSL_get_ex_new_index(0, (void *) "ssl_peeked_cert", NULL, NULL, &ssl_free_X509); |
7a957a93 | 749 | ssl_ex_index_ssl_errors = SSL_get_ex_new_index(0, (void *) "ssl_errors", NULL, NULL, &ssl_free_SslErrors); |
4747ea4c | 750 | ssl_ex_index_ssl_cert_chain = SSL_get_ex_new_index(0, (void *) "ssl_cert_chain", NULL, NULL, &ssl_free_CertChain); |
0ad3ff51 | 751 | ssl_ex_index_ssl_validation_counter = SSL_get_ex_new_index(0, (void *) "ssl_validation_counter", NULL, NULL, &ssl_free_int); |
a7ad6e4e | 752 | } |
753 | ||
63be0a78 | 754 | /// \ingroup ServerProtocolSSLInternal |
a82a4fe4 | 755 | static int |
756 | ssl_load_crl(SSL_CTX *sslContext, const char *CRLfile) | |
757 | { | |
758 | X509_STORE *st = SSL_CTX_get_cert_store(sslContext); | |
759 | X509_CRL *crl; | |
760 | BIO *in = BIO_new_file(CRLfile, "r"); | |
761 | int count = 0; | |
762 | ||
763 | if (!in) { | |
bf8fe701 | 764 | debugs(83, 2, "WARNING: Failed to open CRL file '" << CRLfile << "'"); |
a82a4fe4 | 765 | return 0; |
766 | } | |
767 | ||
768 | while ((crl = PEM_read_bio_X509_CRL(in,NULL,NULL,NULL))) { | |
769 | if (!X509_STORE_add_crl(st, crl)) | |
bf8fe701 | 770 | debugs(83, 2, "WARNING: Failed to add CRL from file '" << CRLfile << "'"); |
a82a4fe4 | 771 | else |
d7ae3534 | 772 | ++count; |
a82a4fe4 | 773 | |
774 | X509_CRL_free(crl); | |
775 | } | |
776 | ||
777 | BIO_free(in); | |
778 | return count; | |
779 | } | |
780 | ||
86660d64 CT |
781 | STACK_OF(X509_CRL) * |
782 | Ssl::loadCrl(const char *CRLFile, long &flags) | |
a7ad6e4e | 783 | { |
86660d64 CT |
784 | X509_CRL *crl; |
785 | BIO *in = BIO_new_file(CRLFile, "r"); | |
786 | if (!in) { | |
787 | debugs(83, 2, "WARNING: Failed to open CRL file '" << CRLFile << "'"); | |
f4e4d4d6 CT |
788 | return NULL; |
789 | } | |
790 | ||
86660d64 CT |
791 | STACK_OF(X509_CRL) *CRLs = sk_X509_CRL_new_null(); |
792 | if (!CRLs) { | |
793 | debugs(83, 2, "WARNING: Failed to allocate X509_CRL stack to load file '" << CRLFile << "'"); | |
50b4c080 | 794 | return NULL; |
86660d64 | 795 | } |
62e76326 | 796 | |
86660d64 CT |
797 | int count = 0; |
798 | while ((crl = PEM_read_bio_X509_CRL(in,NULL,NULL,NULL))) { | |
799 | if (!sk_X509_CRL_push(CRLs, crl)) | |
800 | debugs(83, 2, "WARNING: Failed to add CRL from file '" << CRLFile << "'"); | |
801 | else | |
802 | ++count; | |
803 | } | |
804 | BIO_free(in); | |
62e76326 | 805 | |
86660d64 CT |
806 | if (count) |
807 | flags |= SSL_FLAG_VERIFY_CRL; | |
3d96b0e8 | 808 | |
86660d64 CT |
809 | return CRLs; |
810 | } | |
3d96b0e8 | 811 | |
86660d64 CT |
812 | DH * |
813 | Ssl::readDHParams(const char *dhfile) | |
814 | { | |
815 | FILE *in = fopen(dhfile, "r"); | |
816 | DH *dh = NULL; | |
817 | int codes; | |
62e76326 | 818 | |
86660d64 CT |
819 | if (in) { |
820 | dh = PEM_read_DHparams(in, NULL, NULL, NULL); | |
821 | fclose(in); | |
f484cdf5 | 822 | } |
823 | ||
86660d64 CT |
824 | if (!dh) |
825 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to read DH parameters '" << dhfile << "'"); | |
826 | else if (dh && DH_check(dh, &codes) == 0) { | |
827 | if (codes) { | |
828 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to verify DH parameters '" << dhfile << "' (" << std::hex << codes << ")"); | |
829 | DH_free(dh); | |
830 | dh = NULL; | |
831 | } | |
f484cdf5 | 832 | } |
86660d64 CT |
833 | return dh; |
834 | } | |
62e76326 | 835 | |
86660d64 CT |
836 | static bool |
837 | configureSslContext(SSL_CTX *sslContext, AnyP::PortCfg &port) | |
838 | { | |
839 | int ssl_error; | |
840 | SSL_CTX_set_options(sslContext, port.sslOptions); | |
f484cdf5 | 841 | |
86660d64 CT |
842 | if (port.sslContextSessionId) |
843 | SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId)); | |
6b2936d5 | 844 | |
86660d64 | 845 | if (port.sslContextFlags & SSL_FLAG_NO_SESSION_REUSE) { |
b13877cc | 846 | SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF); |
847 | } | |
848 | ||
a9d79803 | 849 | if (Config.SSL.unclean_shutdown) { |
bf8fe701 | 850 | debugs(83, 5, "Enabling quiet SSL shutdowns (RFC violation)."); |
a9d79803 | 851 | |
852 | SSL_CTX_set_quiet_shutdown(sslContext, 1); | |
853 | } | |
854 | ||
86660d64 CT |
855 | if (port.cipher) { |
856 | debugs(83, 5, "Using chiper suite " << port.cipher << "."); | |
62e76326 | 857 | |
86660d64 | 858 | if (!SSL_CTX_set_cipher_list(sslContext, port.cipher)) { |
62e76326 | 859 | ssl_error = ERR_get_error(); |
86660d64 CT |
860 | debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << port.cipher << "': " << ERR_error_string(ssl_error, NULL)); |
861 | return false; | |
62e76326 | 862 | } |
79d4ccdf | 863 | } |
62e76326 | 864 | |
bf8fe701 | 865 | debugs(83, 9, "Setting RSA key generation callback."); |
a7ad6e4e | 866 | SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); |
867 | ||
bf8fe701 | 868 | debugs(83, 9, "Setting CA certificate locations."); |
62e76326 | 869 | |
86660d64 CT |
870 | const char *cafile = port.cafile ? port.cafile : port.clientca; |
871 | if ((cafile || port.capath) && !SSL_CTX_load_verify_locations(sslContext, cafile, port.capath)) { | |
62e76326 | 872 | ssl_error = ERR_get_error(); |
48e7baac | 873 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); |
a7ad6e4e | 874 | } |
62e76326 | 875 | |
86660d64 | 876 | if (!(port.sslContextFlags & SSL_FLAG_NO_DEFAULT_CA) && |
62e76326 | 877 | !SSL_CTX_set_default_verify_paths(sslContext)) { |
878 | ssl_error = ERR_get_error(); | |
48e7baac | 879 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); |
a7ad6e4e | 880 | } |
62e76326 | 881 | |
86660d64 | 882 | if (port.clientCA.get()) { |
8c1ff4ef | 883 | ERR_clear_error(); |
86660d64 | 884 | SSL_CTX_set_client_CA_list(sslContext, port.clientCA.get()); |
62e76326 | 885 | |
86660d64 | 886 | if (port.sslContextFlags & SSL_FLAG_DELAYED_AUTH) { |
bf8fe701 | 887 | debugs(83, 9, "Not requesting client certificates until acl processing requires one"); |
62e76326 | 888 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); |
889 | } else { | |
bf8fe701 | 890 | debugs(83, 9, "Requiring client certificates."); |
62e76326 | 891 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); |
892 | } | |
a82a4fe4 | 893 | |
86660d64 CT |
894 | if (port.clientVerifyCrls.get()) { |
895 | X509_STORE *st = SSL_CTX_get_cert_store(sslContext); | |
896 | for (int i = 0; i < sk_X509_CRL_num(port.clientVerifyCrls.get()); ++i) { | |
897 | X509_CRL *crl = sk_X509_CRL_value(port.clientVerifyCrls.get(), i); | |
898 | if (!X509_STORE_add_crl(st, crl)) | |
899 | debugs(83, 2, "WARNING: Failed to add CRL"); | |
900 | } | |
a82a4fe4 | 901 | } |
902 | ||
32d002cb | 903 | #if X509_V_FLAG_CRL_CHECK |
86660d64 | 904 | if (port.sslContextFlags & SSL_FLAG_VERIFY_CRL_ALL) |
a82a4fe4 | 905 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); |
86660d64 | 906 | else if (port.sslContextFlags & SSL_FLAG_VERIFY_CRL) |
a82a4fe4 | 907 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK); |
a82a4fe4 | 908 | #endif |
909 | ||
a7ad6e4e | 910 | } else { |
bf8fe701 | 911 | debugs(83, 9, "Not requiring any client certificates"); |
62e76326 | 912 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); |
a7ad6e4e | 913 | } |
f484cdf5 | 914 | |
86660d64 CT |
915 | if (port.dhParams.get()) { |
916 | SSL_CTX_set_tmp_dh(sslContext, port.dhParams.get()); | |
917 | } | |
35105e4b | 918 | |
86660d64 CT |
919 | if (port.sslContextFlags & SSL_FLAG_DONT_VERIFY_DOMAIN) |
920 | SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1); | |
921 | ||
10a69fc0 CT |
922 | setSessionCallbacks(sslContext); |
923 | ||
86660d64 CT |
924 | return true; |
925 | } | |
926 | ||
927 | SSL_CTX * | |
928 | sslCreateServerContext(AnyP::PortCfg &port) | |
929 | { | |
930 | int ssl_error; | |
931 | SSL_CTX *sslContext; | |
932 | const char *keyfile, *certfile; | |
933 | certfile = port.cert; | |
934 | keyfile = port.key; | |
935 | ||
936 | ssl_initialize(); | |
937 | ||
938 | if (!keyfile) | |
939 | keyfile = certfile; | |
940 | ||
941 | if (!certfile) | |
942 | certfile = keyfile; | |
943 | ||
944 | sslContext = SSL_CTX_new(port.contextMethod); | |
945 | ||
946 | if (sslContext == NULL) { | |
947 | ssl_error = ERR_get_error(); | |
948 | debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate SSL context: " << ERR_error_string(ssl_error, NULL)); | |
949 | return NULL; | |
950 | } | |
951 | ||
952 | if (!SSL_CTX_use_certificate(sslContext, port.signingCert.get())) { | |
953 | ssl_error = ERR_get_error(); | |
954 | debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL)); | |
955 | SSL_CTX_free(sslContext); | |
956 | return NULL; | |
957 | } | |
958 | ||
959 | if (!SSL_CTX_use_PrivateKey(sslContext, port.signPkey.get())) { | |
960 | ssl_error = ERR_get_error(); | |
961 | debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL)); | |
962 | SSL_CTX_free(sslContext); | |
963 | return NULL; | |
964 | } | |
965 | ||
966 | Ssl::addChainToSslContext(sslContext, port.certsToChain.get()); | |
967 | ||
968 | /* Alternate code; | |
969 | debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile); | |
970 | ||
971 | if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) { | |
972 | ssl_error = ERR_get_error(); | |
973 | debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL)); | |
974 | SSL_CTX_free(sslContext); | |
975 | return NULL; | |
35105e4b | 976 | } |
977 | ||
86660d64 CT |
978 | debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile); |
979 | ssl_ask_password(sslContext, keyfile); | |
980 | ||
981 | if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) { | |
982 | ssl_error = ERR_get_error(); | |
983 | debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL)); | |
984 | SSL_CTX_free(sslContext); | |
985 | return NULL; | |
35105e4b | 986 | } |
987 | ||
86660d64 | 988 | debugs(83, 5, "Comparing private and public SSL keys."); |
35105e4b | 989 | |
86660d64 CT |
990 | if (!SSL_CTX_check_private_key(sslContext)) { |
991 | ssl_error = ERR_get_error(); | |
992 | debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" << | |
993 | keyfile << "': " << ERR_error_string(ssl_error, NULL)); | |
994 | SSL_CTX_free(sslContext); | |
995 | return NULL; | |
996 | } | |
997 | */ | |
998 | ||
999 | if (!configureSslContext(sslContext, port)) { | |
1000 | debugs(83, DBG_CRITICAL, "ERROR: Configuring static SSL context"); | |
1001 | SSL_CTX_free(sslContext); | |
1002 | return NULL; | |
1003 | } | |
62e76326 | 1004 | |
a7ad6e4e | 1005 | return sslContext; |
a7ad6e4e | 1006 | } |
1007 | ||
d620ae0e | 1008 | int Ssl::OpenSSLtoSquidSSLVersion(int sslVersion) |
a7ad6e4e | 1009 | { |
e1f72a8b | 1010 | if (sslVersion == SSL2_VERSION) |
d620ae0e | 1011 | return 2; |
e1f72a8b | 1012 | else if (sslVersion == SSL3_VERSION) |
d620ae0e | 1013 | return 3; |
e1f72a8b | 1014 | else if (sslVersion == TLS1_VERSION) |
d620ae0e CT |
1015 | return 4; |
1016 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L | |
e1f72a8b | 1017 | else if (sslVersion == TLS1_1_VERSION) |
d620ae0e | 1018 | return 5; |
e1f72a8b | 1019 | else if (sslVersion == TLS1_2_VERSION) |
d620ae0e CT |
1020 | return 6; |
1021 | #endif | |
1022 | else | |
1023 | return 1; | |
1024 | } | |
1025 | ||
f1c9c850 | 1026 | #if OPENSSL_VERSION_NUMBER < 0x00909000L |
d620ae0e | 1027 | SSL_METHOD * |
f1c9c850 | 1028 | #else |
d620ae0e | 1029 | const SSL_METHOD * |
f1c9c850 | 1030 | #endif |
d620ae0e CT |
1031 | Ssl::method(int version) |
1032 | { | |
1033 | switch (version) { | |
a7ad6e4e | 1034 | |
d620ae0e | 1035 | case 2: |
8693472e | 1036 | #if !defined(OPENSSL_NO_SSL2) |
d620ae0e CT |
1037 | debugs(83, 5, "Using SSLv2."); |
1038 | return SSLv2_client_method(); | |
1039 | #else | |
1040 | debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); | |
1041 | return NULL; | |
1042 | #endif | |
1043 | break; | |
a7ad6e4e | 1044 | |
d620ae0e CT |
1045 | case 3: |
1046 | debugs(83, 5, "Using SSLv3."); | |
1047 | return SSLv3_client_method(); | |
1048 | break; | |
62e76326 | 1049 | |
d620ae0e CT |
1050 | case 4: |
1051 | debugs(83, 5, "Using TLSv1."); | |
1052 | return TLSv1_client_method(); | |
1053 | break; | |
1054 | ||
1055 | case 5: | |
1056 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. | |
1057 | debugs(83, 5, "Using TLSv1.1."); | |
1058 | return TLSv1_1_client_method(); | |
1059 | #else | |
1060 | debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy."); | |
1061 | return NULL; | |
1062 | #endif | |
1063 | break; | |
1064 | ||
1065 | case 6: | |
1066 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. | |
1067 | debugs(83, 5, "Using TLSv1.2"); | |
1068 | return TLSv1_2_client_method(); | |
1069 | #else | |
1070 | debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy."); | |
1071 | return NULL; | |
1072 | #endif | |
1073 | break; | |
a7ad6e4e | 1074 | |
d620ae0e CT |
1075 | case 1: |
1076 | ||
1077 | default: | |
1078 | debugs(83, 5, "Using SSLv2/SSLv3."); | |
1079 | return SSLv23_client_method(); | |
1080 | break; | |
1081 | } | |
1082 | ||
1083 | //Not reached | |
1084 | return NULL; | |
1085 | } | |
1086 | ||
1087 | const SSL_METHOD * | |
1088 | Ssl::serverMethod(int version) | |
1089 | { | |
a7ad6e4e | 1090 | switch (version) { |
62e76326 | 1091 | |
a7ad6e4e | 1092 | case 2: |
50b4c080 | 1093 | #ifndef OPENSSL_NO_SSL2 |
bf8fe701 | 1094 | debugs(83, 5, "Using SSLv2."); |
d620ae0e | 1095 | return SSLv2_server_method(); |
50b4c080 | 1096 | #else |
48e7baac | 1097 | debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); |
50b4c080 AJ |
1098 | return NULL; |
1099 | #endif | |
62e76326 | 1100 | break; |
1101 | ||
a7ad6e4e | 1102 | case 3: |
bf8fe701 | 1103 | debugs(83, 5, "Using SSLv3."); |
d620ae0e | 1104 | return SSLv3_server_method(); |
62e76326 | 1105 | break; |
1106 | ||
a7ad6e4e | 1107 | case 4: |
bf8fe701 | 1108 | debugs(83, 5, "Using TLSv1."); |
d620ae0e | 1109 | return TLSv1_server_method(); |
62e76326 | 1110 | break; |
1111 | ||
3d96b0e8 AJ |
1112 | case 5: |
1113 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. | |
1114 | debugs(83, 5, "Using TLSv1.1."); | |
d620ae0e | 1115 | return TLSv1_1_server_method(); |
3d96b0e8 AJ |
1116 | #else |
1117 | debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy."); | |
1118 | return NULL; | |
1119 | #endif | |
1120 | break; | |
1121 | ||
1122 | case 6: | |
1123 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. | |
1124 | debugs(83, 5, "Using TLSv1.2"); | |
d620ae0e | 1125 | return TLSv1_2_server_method(); |
3d96b0e8 AJ |
1126 | #else |
1127 | debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy."); | |
1128 | return NULL; | |
1129 | #endif | |
1130 | break; | |
1131 | ||
a7ad6e4e | 1132 | case 1: |
62e76326 | 1133 | |
a7ad6e4e | 1134 | default: |
bf8fe701 | 1135 | debugs(83, 5, "Using SSLv2/SSLv3."); |
d620ae0e | 1136 | return SSLv23_server_method(); |
62e76326 | 1137 | break; |
a7ad6e4e | 1138 | } |
1139 | ||
d620ae0e CT |
1140 | //Not reached |
1141 | return NULL; | |
1142 | } | |
1143 | ||
1144 | SSL_CTX * | |
1145 | sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) | |
1146 | { | |
1147 | int ssl_error; | |
31855516 CT |
1148 | Ssl::ContextMethod method; |
1149 | SSL_CTX * sslContext; | |
d620ae0e CT |
1150 | long fl = Ssl::parse_flags(flags); |
1151 | ||
1152 | ssl_initialize(); | |
1153 | ||
1154 | if (!keyfile) | |
1155 | keyfile = certfile; | |
1156 | ||
1157 | if (!certfile) | |
1158 | certfile = keyfile; | |
1159 | ||
1160 | if (!(method = Ssl::method(version))) | |
1161 | return NULL; | |
e1f72a8b | 1162 | |
a7ad6e4e | 1163 | sslContext = SSL_CTX_new(method); |
62e76326 | 1164 | |
a7ad6e4e | 1165 | if (sslContext == NULL) { |
62e76326 | 1166 | ssl_error = ERR_get_error(); |
1167 | fatalf("Failed to allocate SSL context: %s\n", | |
1168 | ERR_error_string(ssl_error, NULL)); | |
a7ad6e4e | 1169 | } |
62e76326 | 1170 | |
86660d64 | 1171 | SSL_CTX_set_options(sslContext, Ssl::parse_options(options)); |
a7ad6e4e | 1172 | |
1173 | if (cipher) { | |
bf8fe701 | 1174 | debugs(83, 5, "Using chiper suite " << cipher << "."); |
62e76326 | 1175 | |
1176 | if (!SSL_CTX_set_cipher_list(sslContext, cipher)) { | |
1177 | ssl_error = ERR_get_error(); | |
1178 | fatalf("Failed to set SSL cipher suite '%s': %s\n", | |
1179 | cipher, ERR_error_string(ssl_error, NULL)); | |
1180 | } | |
a7ad6e4e | 1181 | } |
62e76326 | 1182 | |
a7ad6e4e | 1183 | if (certfile) { |
e0236918 | 1184 | debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile); |
62e76326 | 1185 | |
1186 | if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) { | |
1187 | ssl_error = ERR_get_error(); | |
1188 | fatalf("Failed to acquire SSL certificate '%s': %s\n", | |
1189 | certfile, ERR_error_string(ssl_error, NULL)); | |
1190 | } | |
1191 | ||
e0236918 | 1192 | debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile); |
307b83b7 | 1193 | ssl_ask_password(sslContext, keyfile); |
62e76326 | 1194 | |
1195 | if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) { | |
1196 | ssl_error = ERR_get_error(); | |
1197 | fatalf("Failed to acquire SSL private key '%s': %s\n", | |
1198 | keyfile, ERR_error_string(ssl_error, NULL)); | |
1199 | } | |
1200 | ||
bf8fe701 | 1201 | debugs(83, 5, "Comparing private and public SSL keys."); |
62e76326 | 1202 | |
1203 | if (!SSL_CTX_check_private_key(sslContext)) { | |
1204 | ssl_error = ERR_get_error(); | |
1205 | fatalf("SSL private key '%s' does not match public key '%s': %s\n", | |
1206 | certfile, keyfile, ERR_error_string(ssl_error, NULL)); | |
1207 | } | |
a7ad6e4e | 1208 | } |
62e76326 | 1209 | |
bf8fe701 | 1210 | debugs(83, 9, "Setting RSA key generation callback."); |
f484cdf5 | 1211 | SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); |
1212 | ||
a7ad6e4e | 1213 | if (fl & SSL_FLAG_DONT_VERIFY_PEER) { |
48e7baac | 1214 | debugs(83, 2, "NOTICE: Peer certificates are not verified for validity!"); |
62e76326 | 1215 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); |
a7ad6e4e | 1216 | } else { |
bf8fe701 | 1217 | debugs(83, 9, "Setting certificate verification callback."); |
62e76326 | 1218 | SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); |
a7ad6e4e | 1219 | } |
f484cdf5 | 1220 | |
bf8fe701 | 1221 | debugs(83, 9, "Setting CA certificate locations."); |
62e76326 | 1222 | |
a82a4fe4 | 1223 | if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) { |
1224 | ssl_error = ERR_get_error(); | |
48e7baac | 1225 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); |
a82a4fe4 | 1226 | } |
1227 | ||
1228 | if (CRLfile) { | |
1229 | ssl_load_crl(sslContext, CRLfile); | |
1230 | fl |= SSL_FLAG_VERIFY_CRL; | |
1231 | } | |
1232 | ||
32d002cb | 1233 | #if X509_V_FLAG_CRL_CHECK |
a82a4fe4 | 1234 | if (fl & SSL_FLAG_VERIFY_CRL_ALL) |
1235 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
1236 | else if (fl & SSL_FLAG_VERIFY_CRL) | |
1237 | X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK); | |
1238 | ||
1239 | #endif | |
62e76326 | 1240 | |
a7ad6e4e | 1241 | if (!(fl & SSL_FLAG_NO_DEFAULT_CA) && |
62e76326 | 1242 | !SSL_CTX_set_default_verify_paths(sslContext)) { |
1243 | ssl_error = ERR_get_error(); | |
48e7baac | 1244 | debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); |
f484cdf5 | 1245 | } |
62e76326 | 1246 | |
d193a436 | 1247 | return sslContext; |
f484cdf5 | 1248 | } |
1249 | ||
63be0a78 | 1250 | /// \ingroup ServerProtocolSSLInternal |
d193a436 | 1251 | int |
e6ccf245 | 1252 | ssl_read_method(int fd, char *buf, int len) |
f484cdf5 | 1253 | { |
6de9e64b | 1254 | SSL *ssl = fd_table[fd].ssl; |
79d4ccdf | 1255 | int i; |
1256 | ||
6de9e64b | 1257 | #if DONT_DO_THIS |
1258 | ||
1259 | if (!SSL_is_init_finished(ssl)) { | |
1260 | errno = ENOTCONN; | |
1261 | return -1; | |
1262 | } | |
79d4ccdf | 1263 | |
6de9e64b | 1264 | #endif |
1265 | ||
1266 | i = SSL_read(ssl, buf, len); | |
1267 | ||
1268 | if (i > 0 && SSL_pending(ssl) > 0) { | |
bf8fe701 | 1269 | debugs(83, 2, "SSL FD " << fd << " is pending"); |
be4d35dc | 1270 | fd_table[fd].flags.read_pending = true; |
79d4ccdf | 1271 | } else |
be4d35dc | 1272 | fd_table[fd].flags.read_pending = false; |
79d4ccdf | 1273 | |
1274 | return i; | |
f484cdf5 | 1275 | } |
1276 | ||
63be0a78 | 1277 | /// \ingroup ServerProtocolSSLInternal |
d193a436 | 1278 | int |
e6ccf245 | 1279 | ssl_write_method(int fd, const char *buf, int len) |
f484cdf5 | 1280 | { |
6de9e64b | 1281 | SSL *ssl = fd_table[fd].ssl; |
1282 | int i; | |
1283 | ||
1284 | if (!SSL_is_init_finished(ssl)) { | |
1285 | errno = ENOTCONN; | |
1286 | return -1; | |
1287 | } | |
1288 | ||
1289 | i = SSL_write(ssl, buf, len); | |
1290 | ||
1291 | return i; | |
f484cdf5 | 1292 | } |
79d4ccdf | 1293 | |
1294 | void | |
575d05c4 | 1295 | ssl_shutdown_method(SSL *ssl) |
79d4ccdf | 1296 | { |
79d4ccdf | 1297 | SSL_shutdown(ssl); |
1298 | } | |
a7ad6e4e | 1299 | |
63be0a78 | 1300 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 1301 | static const char * |
1302 | ssl_get_attribute(X509_NAME * name, const char *attribute_name) | |
1303 | { | |
1304 | static char buffer[1024]; | |
1305 | int nid; | |
1306 | ||
1307 | buffer[0] = '\0'; | |
1308 | ||
1309 | if (strcmp(attribute_name, "DN") == 0) { | |
62e76326 | 1310 | X509_NAME_oneline(name, buffer, sizeof(buffer)); |
1311 | goto done; | |
a7ad6e4e | 1312 | } |
62e76326 | 1313 | |
a7ad6e4e | 1314 | nid = OBJ_txt2nid((char *) attribute_name); |
62e76326 | 1315 | |
a7ad6e4e | 1316 | if (nid == 0) { |
e0236918 | 1317 | debugs(83, DBG_IMPORTANT, "WARNING: Unknown SSL attribute name '" << attribute_name << "'"); |
62e76326 | 1318 | return NULL; |
a7ad6e4e | 1319 | } |
62e76326 | 1320 | |
a7ad6e4e | 1321 | X509_NAME_get_text_by_NID(name, nid, buffer, sizeof(buffer)); |
62e76326 | 1322 | |
1323 | done: | |
a7ad6e4e | 1324 | return *buffer ? buffer : NULL; |
1325 | } | |
1326 | ||
63be0a78 | 1327 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 1328 | const char * |
00352183 | 1329 | Ssl::GetX509UserAttribute(X509 * cert, const char *attribute_name) |
a7ad6e4e | 1330 | { |
a7ad6e4e | 1331 | X509_NAME *name; |
23e6c4ae | 1332 | const char *ret; |
a7ad6e4e | 1333 | |
a7ad6e4e | 1334 | if (!cert) |
62e76326 | 1335 | return NULL; |
a7ad6e4e | 1336 | |
5a4684b6 | 1337 | name = X509_get_subject_name(cert); |
a7ad6e4e | 1338 | |
23e6c4ae | 1339 | ret = ssl_get_attribute(name, attribute_name); |
1340 | ||
23e6c4ae | 1341 | return ret; |
a7ad6e4e | 1342 | } |
1343 | ||
00352183 AR |
1344 | const char * |
1345 | Ssl::GetX509Fingerprint(X509 * cert, const char *) | |
1346 | { | |
1347 | static char buf[1024]; | |
1348 | if (!cert) | |
1349 | return NULL; | |
960e100b | 1350 | |
00352183 AR |
1351 | unsigned int n; |
1352 | unsigned char md[EVP_MAX_MD_SIZE]; | |
1353 | if (!X509_digest(cert, EVP_sha1(), md, &n)) | |
1354 | return NULL; | |
1355 | ||
1356 | assert(3 * n + 1 < sizeof(buf)); | |
1357 | ||
1358 | char *s = buf; | |
1359 | for (unsigned int i=0; i < n; ++i, s += 3) { | |
1360 | const char term = (i + 1 < n) ? ':' : '\0'; | |
1361 | snprintf(s, 4, "%02X%c", md[i], term); | |
1362 | } | |
1363 | ||
1364 | return buf; | |
1365 | } | |
1366 | ||
63be0a78 | 1367 | /// \ingroup ServerProtocolSSLInternal |
a7ad6e4e | 1368 | const char * |
00352183 | 1369 | Ssl::GetX509CAAttribute(X509 * cert, const char *attribute_name) |
a7ad6e4e | 1370 | { |
00352183 | 1371 | |
a7ad6e4e | 1372 | X509_NAME *name; |
23e6c4ae | 1373 | const char *ret; |
a7ad6e4e | 1374 | |
a7ad6e4e | 1375 | if (!cert) |
62e76326 | 1376 | return NULL; |
a7ad6e4e | 1377 | |
5a4684b6 | 1378 | name = X509_get_issuer_name(cert); |
a7ad6e4e | 1379 | |
23e6c4ae | 1380 | ret = ssl_get_attribute(name, attribute_name); |
1381 | ||
00352183 AR |
1382 | return ret; |
1383 | } | |
1384 | ||
1385 | const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name) | |
1386 | { | |
1387 | if (!ssl) | |
1388 | return NULL; | |
1389 | ||
1390 | X509 *cert = SSL_get_peer_certificate(ssl); | |
1391 | ||
1392 | const char *attr = Ssl::GetX509UserAttribute(cert, attribute_name); | |
1393 | ||
23e6c4ae | 1394 | X509_free(cert); |
00352183 AR |
1395 | return attr; |
1396 | } | |
23e6c4ae | 1397 | |
00352183 AR |
1398 | const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name) |
1399 | { | |
1400 | if (!ssl) | |
1401 | return NULL; | |
1402 | ||
1403 | X509 *cert = SSL_get_peer_certificate(ssl); | |
1404 | ||
1405 | const char *attr = Ssl::GetX509CAAttribute(cert, attribute_name); | |
1406 | ||
1407 | X509_free(cert); | |
1408 | return attr; | |
a7ad6e4e | 1409 | } |
1410 | ||
a7ad6e4e | 1411 | const char * |
1412 | sslGetUserEmail(SSL * ssl) | |
1413 | { | |
e6ceef10 | 1414 | return sslGetUserAttribute(ssl, "emailAddress"); |
a7ad6e4e | 1415 | } |
4ac9968f | 1416 | |
1417 | const char * | |
1418 | sslGetUserCertificatePEM(SSL *ssl) | |
1419 | { | |
1420 | X509 *cert; | |
1421 | BIO *mem; | |
1422 | static char *str = NULL; | |
1423 | char *ptr; | |
1424 | long len; | |
1425 | ||
1426 | safe_free(str); | |
1427 | ||
1428 | if (!ssl) | |
1429 | return NULL; | |
1430 | ||
1431 | cert = SSL_get_peer_certificate(ssl); | |
1432 | ||
1433 | if (!cert) | |
1434 | return NULL; | |
1435 | ||
1436 | mem = BIO_new(BIO_s_mem()); | |
1437 | ||
1438 | PEM_write_bio_X509(mem, cert); | |
1439 | ||
4ac9968f | 1440 | len = BIO_get_mem_data(mem, &ptr); |
1441 | ||
1442 | str = (char *)xmalloc(len + 1); | |
1443 | ||
1444 | memcpy(str, ptr, len); | |
1445 | ||
1446 | str[len] = '\0'; | |
1447 | ||
1448 | X509_free(cert); | |
1449 | ||
1450 | BIO_free(mem); | |
1451 | ||
1452 | return str; | |
1453 | } | |
3d61c476 | 1454 | |
1455 | const char * | |
1456 | sslGetUserCertificateChainPEM(SSL *ssl) | |
1457 | { | |
1458 | STACK_OF(X509) *chain; | |
1459 | BIO *mem; | |
1460 | static char *str = NULL; | |
1461 | char *ptr; | |
1462 | long len; | |
1463 | int i; | |
1464 | ||
1465 | safe_free(str); | |
1466 | ||
1467 | if (!ssl) | |
1468 | return NULL; | |
1469 | ||
1470 | chain = SSL_get_peer_cert_chain(ssl); | |
1471 | ||
1472 | if (!chain) | |
1473 | return sslGetUserCertificatePEM(ssl); | |
1474 | ||
1475 | mem = BIO_new(BIO_s_mem()); | |
1476 | ||
d7ae3534 | 1477 | for (i = 0; i < sk_X509_num(chain); ++i) { |
3d61c476 | 1478 | X509 *cert = sk_X509_value(chain, i); |
1479 | PEM_write_bio_X509(mem, cert); | |
1480 | } | |
1481 | ||
1482 | len = BIO_get_mem_data(mem, &ptr); | |
1483 | ||
1484 | str = (char *)xmalloc(len + 1); | |
1485 | memcpy(str, ptr, len); | |
1486 | str[len] = '\0'; | |
1487 | ||
1488 | BIO_free(mem); | |
1489 | ||
1490 | return str; | |
1491 | } | |
454e8283 | 1492 | |
86660d64 CT |
1493 | Ssl::ContextMethod |
1494 | Ssl::contextMethod(int version) | |
1495 | { | |
1496 | Ssl::ContextMethod method; | |
1497 | ||
1498 | switch (version) { | |
1499 | ||
1500 | case 2: | |
1501 | #ifndef OPENSSL_NO_SSL2 | |
1502 | debugs(83, 5, "Using SSLv2."); | |
1503 | method = SSLv2_server_method(); | |
1504 | #else | |
1505 | debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); | |
1506 | return NULL; | |
1507 | #endif | |
1508 | break; | |
1509 | ||
1510 | case 3: | |
1511 | debugs(83, 5, "Using SSLv3."); | |
1512 | method = SSLv3_server_method(); | |
1513 | break; | |
1514 | ||
1515 | case 4: | |
1516 | debugs(83, 5, "Using TLSv1."); | |
1517 | method = TLSv1_server_method(); | |
1518 | break; | |
1519 | ||
1520 | case 5: | |
1521 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. | |
1522 | debugs(83, 5, "Using TLSv1.1."); | |
1523 | method = TLSv1_1_server_method(); | |
1524 | #else | |
1525 | debugs(83, DBG_IMPORTANT, "TLSv1.1 is not available in this Proxy."); | |
1526 | return NULL; | |
1527 | #endif | |
1528 | break; | |
1529 | ||
1530 | case 6: | |
1531 | #if OPENSSL_VERSION_NUMBER >= 0x10001000L // NP: not sure exactly which sub-version yet. | |
1532 | debugs(83, 5, "Using TLSv1.2"); | |
1533 | method = TLSv1_2_server_method(); | |
1534 | #else | |
1535 | debugs(83, DBG_IMPORTANT, "TLSv1.2 is not available in this Proxy."); | |
1536 | return NULL; | |
1537 | #endif | |
1538 | break; | |
1539 | ||
1540 | case 1: | |
1541 | ||
1542 | default: | |
1543 | debugs(83, 5, "Using SSLv2/SSLv3."); | |
1544 | method = SSLv23_server_method(); | |
1545 | break; | |
1546 | } | |
1547 | return method; | |
1548 | } | |
1549 | ||
95d2589c CT |
1550 | /// \ingroup ServerProtocolSSLInternal |
1551 | /// Create SSL context and apply ssl certificate and private key to it. | |
d620ae0e CT |
1552 | SSL_CTX * |
1553 | Ssl::createSSLContext(Ssl::X509_Pointer & x509, Ssl::EVP_PKEY_Pointer & pkey, AnyP::PortCfg &port) | |
95d2589c | 1554 | { |
86660d64 | 1555 | Ssl::SSL_CTX_Pointer sslContext(SSL_CTX_new(port.contextMethod)); |
95d2589c CT |
1556 | |
1557 | if (!SSL_CTX_use_certificate(sslContext.get(), x509.get())) | |
1558 | return NULL; | |
1559 | ||
1560 | if (!SSL_CTX_use_PrivateKey(sslContext.get(), pkey.get())) | |
1561 | return NULL; | |
86660d64 CT |
1562 | |
1563 | if (!configureSslContext(sslContext.get(), port)) | |
1564 | return NULL; | |
1565 | ||
95d2589c CT |
1566 | return sslContext.release(); |
1567 | } | |
1568 | ||
86660d64 CT |
1569 | SSL_CTX * |
1570 | Ssl::generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port) | |
95d2589c CT |
1571 | { |
1572 | Ssl::X509_Pointer cert; | |
1573 | Ssl::EVP_PKEY_Pointer pkey; | |
1574 | if (!readCertAndPrivateKeyFromMemory(cert, pkey, data)) | |
1575 | return NULL; | |
1576 | ||
1577 | if (!cert || !pkey) | |
1578 | return NULL; | |
1579 | ||
86660d64 | 1580 | return createSSLContext(cert, pkey, port); |
95d2589c CT |
1581 | } |
1582 | ||
86660d64 CT |
1583 | SSL_CTX * |
1584 | Ssl::generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port) | |
95d2589c CT |
1585 | { |
1586 | Ssl::X509_Pointer cert; | |
1587 | Ssl::EVP_PKEY_Pointer pkey; | |
aebe6888 | 1588 | if (!generateSslCertificate(cert, pkey, properties)) |
95d2589c | 1589 | return NULL; |
9a90aace | 1590 | |
95d2589c CT |
1591 | if (!cert) |
1592 | return NULL; | |
1593 | ||
1594 | if (!pkey) | |
1595 | return NULL; | |
1596 | ||
86660d64 | 1597 | return createSSLContext(cert, pkey, port); |
95d2589c CT |
1598 | } |
1599 | ||
d620ae0e CT |
1600 | bool |
1601 | Ssl::configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port) | |
1602 | { | |
1603 | Ssl::X509_Pointer cert; | |
1604 | Ssl::EVP_PKEY_Pointer pkey; | |
1605 | if (!generateSslCertificate(cert, pkey, properties)) | |
1606 | return false; | |
1607 | ||
1608 | if (!cert) | |
1609 | return false; | |
1610 | ||
1611 | if (!pkey) | |
1612 | return false; | |
1613 | ||
1614 | if (!SSL_use_certificate(ssl, cert.get())) | |
1615 | return false; | |
1616 | ||
1617 | if (!SSL_use_PrivateKey(ssl, pkey.get())) | |
1618 | return false; | |
1619 | ||
1620 | return true; | |
1621 | } | |
1622 | ||
1623 | bool | |
1624 | Ssl::configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port) | |
1625 | { | |
1626 | Ssl::X509_Pointer cert; | |
1627 | Ssl::EVP_PKEY_Pointer pkey; | |
1628 | if (!readCertAndPrivateKeyFromMemory(cert, pkey, data)) | |
1629 | return false; | |
1630 | ||
1631 | if (!cert || !pkey) | |
1632 | return false; | |
1633 | ||
1634 | if (!SSL_use_certificate(ssl, cert.get())) | |
1635 | return false; | |
1636 | ||
1637 | if (!SSL_use_PrivateKey(ssl, pkey.get())) | |
1638 | return false; | |
1639 | ||
1640 | return true; | |
1641 | } | |
1642 | ||
4ece76b2 | 1643 | bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties) |
95d2589c | 1644 | { |
b8658552 CT |
1645 | // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e |
1646 | // Try to retrieve certificate directly from SSL_CTX object | |
fc321c30 | 1647 | #if SQUID_USE_SSLGETCERTIFICATE_HACK |
b8658552 CT |
1648 | X509 ***pCert = (X509 ***)sslContext->cert; |
1649 | X509 * cert = pCert && *pCert ? **pCert : NULL; | |
fc321c30 CT |
1650 | #elif SQUID_SSLGETCERTIFICATE_BUGGY |
1651 | X509 * cert = NULL; | |
1652 | assert(0); | |
b8658552 | 1653 | #else |
95d2589c CT |
1654 | // Temporary ssl for getting X509 certificate from SSL_CTX. |
1655 | Ssl::SSL_Pointer ssl(SSL_new(sslContext)); | |
1656 | X509 * cert = SSL_get_certificate(ssl.get()); | |
b8658552 CT |
1657 | #endif |
1658 | if (!cert) | |
1659 | return false; | |
95d2589c CT |
1660 | ASN1_TIME * time_notBefore = X509_get_notBefore(cert); |
1661 | ASN1_TIME * time_notAfter = X509_get_notAfter(cert); | |
1662 | bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0); | |
e7bcc25f CT |
1663 | if (!ret) |
1664 | return false; | |
1665 | ||
4ece76b2 | 1666 | return certificateMatchesProperties(cert, properties); |
95d2589c CT |
1667 | } |
1668 | ||
253749a8 CT |
1669 | bool |
1670 | Ssl::setClientSNI(SSL *ssl, const char *fqdn) | |
1671 | { | |
1672 | //The SSL_CTRL_SET_TLSEXT_HOSTNAME is a openssl macro which indicates | |
1673 | // if the TLS servername extension (SNI) is enabled in openssl library. | |
1674 | #if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME) | |
1675 | if (!SSL_set_tlsext_host_name(ssl, fqdn)) { | |
1676 | const int ssl_error = ERR_get_error(); | |
1677 | debugs(83, 3, "WARNING: unable to set TLS servername extension (SNI): " << | |
1678 | ERR_error_string(ssl_error, NULL) << "\n"); | |
1679 | return false; | |
1680 | } | |
1681 | return true; | |
1682 | #else | |
1683 | debugs(83, 7, "no support for TLS servername extension (SNI)\n"); | |
1684 | return false; | |
1685 | #endif | |
1686 | } | |
1687 | ||
a594dbfa CT |
1688 | void Ssl::addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *chain) |
1689 | { | |
1690 | if (!chain) | |
1691 | return; | |
1692 | ||
d7ae3534 | 1693 | for (int i = 0; i < sk_X509_num(chain); ++i) { |
a594dbfa CT |
1694 | X509 *cert = sk_X509_value(chain, i); |
1695 | if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) { | |
1696 | // increase the certificate lock | |
1697 | CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509); | |
1698 | } else { | |
1699 | const int ssl_error = ERR_get_error(); | |
1700 | debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL)); | |
1701 | } | |
1702 | } | |
1703 | } | |
1704 | ||
1705 | /** | |
1706 | \ingroup ServerProtocolSSLInternal | |
1707 | * Read certificate from file. | |
1708 | * See also: static readSslX509Certificate function, gadgets.cc file | |
1709 | */ | |
1710 | static X509 * readSslX509CertificatesChain(char const * certFilename, STACK_OF(X509)* chain) | |
1711 | { | |
1712 | if (!certFilename) | |
1713 | return NULL; | |
1714 | Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal())); | |
1715 | if (!bio) | |
1716 | return NULL; | |
1717 | if (!BIO_read_filename(bio.get(), certFilename)) | |
1718 | return NULL; | |
1719 | X509 *certificate = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL); | |
1720 | ||
1721 | if (certificate && chain) { | |
1722 | ||
c11211d9 | 1723 | if (X509_check_issued(certificate, certificate) == X509_V_OK) |
a594dbfa CT |
1724 | debugs(83, 5, "Certificate is self-signed, will not be chained"); |
1725 | else { | |
a411d213 | 1726 | // and add to the chain any other certificate exist in the file |
a594dbfa CT |
1727 | while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) { |
1728 | if (!sk_X509_push(chain, ca)) | |
1729 | debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain"); | |
1730 | } | |
1731 | } | |
1732 | } | |
c11211d9 | 1733 | |
a594dbfa CT |
1734 | return certificate; |
1735 | } | |
1736 | ||
1737 | void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename) | |
1738 | { | |
1739 | if (keyFilename == NULL) | |
1740 | keyFilename = certFilename; | |
86660d64 CT |
1741 | |
1742 | if (certFilename == NULL) | |
1743 | certFilename = keyFilename; | |
1744 | ||
1745 | debugs(83, DBG_IMPORTANT, "Using certificate in " << certFilename); | |
1746 | ||
a594dbfa CT |
1747 | if (!chain) |
1748 | chain.reset(sk_X509_new_null()); | |
1749 | if (!chain) | |
1750 | debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain"); | |
37144aca AR |
1751 | // XXX: ssl_ask_password_cb needs SSL_CTX_set_default_passwd_cb_userdata() |
1752 | // so this may not fully work iff Config.Program.ssl_password is set. | |
1753 | pem_password_cb *cb = ::Config.Program.ssl_password ? &ssl_ask_password_cb : NULL; | |
1754 | pkey.reset(readSslPrivateKey(keyFilename, cb)); | |
a594dbfa CT |
1755 | cert.reset(readSslX509CertificatesChain(certFilename, chain.get())); |
1756 | if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) { | |
1757 | pkey.reset(NULL); | |
1758 | cert.reset(NULL); | |
1759 | } | |
1760 | } | |
1761 | ||
95588170 CT |
1762 | bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey) |
1763 | { | |
1764 | // Generate the self-signed certificate, using a hard-coded subject prefix | |
1765 | Ssl::CertificateProperties certProperties; | |
1766 | if (const char *cn = CommonHostName(cert.get())) { | |
1767 | certProperties.commonName = "Not trusted by \""; | |
1768 | certProperties.commonName += cn; | |
1769 | certProperties.commonName += "\""; | |
87f237a9 | 1770 | } else if (const char *org = getOrganization(cert.get())) { |
95588170 CT |
1771 | certProperties.commonName = "Not trusted by \""; |
1772 | certProperties.commonName += org; | |
1773 | certProperties.commonName += "\""; | |
87f237a9 | 1774 | } else |
95588170 CT |
1775 | certProperties.commonName = "Not trusted"; |
1776 | certProperties.setCommonName = true; | |
1777 | // O, OU, and other CA subject fields will be mimicked | |
1778 | // Expiration date and other common properties will be mimicked | |
1779 | certProperties.signAlgorithm = Ssl::algSignSelf; | |
1780 | certProperties.signWithPkey.resetAndLock(pkey.get()); | |
1781 | certProperties.mimicCert.resetAndLock(cert.get()); | |
1782 | return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties); | |
1783 | } | |
1784 | ||
b3a8ae1b | 1785 | SSL * |
d620ae0e | 1786 | SslCreate(SSL_CTX *sslContext, const int fd, Ssl::Bio::Type type, const char *squidCtx) |
b3a8ae1b AR |
1787 | { |
1788 | const char *errAction = NULL; | |
1789 | int errCode = 0; | |
1790 | if (SSL *ssl = SSL_new(sslContext)) { | |
1791 | // without BIO, we would call SSL_set_fd(ssl, fd) instead | |
d620ae0e | 1792 | if (BIO *bio = Ssl::Bio::Create(fd, type)) { |
b3a8ae1b AR |
1793 | Ssl::Bio::Link(ssl, bio); // cannot fail |
1794 | ||
1795 | fd_table[fd].ssl = ssl; | |
1796 | fd_table[fd].read_method = &ssl_read_method; | |
1797 | fd_table[fd].write_method = &ssl_write_method; | |
1798 | fd_note(fd, squidCtx); | |
1799 | ||
1800 | return ssl; | |
1801 | } | |
1802 | errCode = ERR_get_error(); | |
1803 | errAction = "failed to initialize I/O"; | |
1804 | SSL_free(ssl); | |
1805 | } else { | |
1806 | errCode = ERR_get_error(); | |
1807 | errAction = "failed to allocate handle"; | |
1808 | } | |
1809 | ||
1810 | debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction << | |
1811 | ": " << ERR_error_string(errCode, NULL)); | |
1812 | return NULL; | |
1813 | } | |
1814 | ||
d620ae0e CT |
1815 | SSL * |
1816 | Ssl::CreateClient(SSL_CTX *sslContext, const int fd, const char *squidCtx) | |
1817 | { | |
1818 | return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_SERVER, squidCtx); | |
1819 | } | |
1820 | ||
1821 | SSL * | |
1822 | Ssl::CreateServer(SSL_CTX *sslContext, const int fd, const char *squidCtx) | |
1823 | { | |
1824 | return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_CLIENT, squidCtx); | |
1825 | } | |
1826 | ||
62a7607e | 1827 | Ssl::CertError::CertError(ssl_error_t anErr, X509 *aCert): code(anErr) |
170cb017 | 1828 | { |
62a7607e CT |
1829 | cert.resetAndLock(aCert); |
1830 | } | |
1831 | ||
1832 | Ssl::CertError::CertError(CertError const &err): code(err.code) | |
1833 | { | |
1834 | cert.resetAndLock(err.cert.get()); | |
1835 | } | |
1836 | ||
1837 | Ssl::CertError & | |
170cb017 | 1838 | Ssl::CertError::operator = (const CertError &old) |
62a7607e | 1839 | { |
170cb017 | 1840 | code = old.code; |
62a7607e CT |
1841 | cert.resetAndLock(old.cert.get()); |
1842 | return *this; | |
1843 | } | |
1844 | ||
1845 | bool | |
1846 | Ssl::CertError::operator == (const CertError &ce) const | |
1847 | { | |
1848 | return code == ce.code && cert.get() == ce.cert.get(); | |
1849 | } | |
1850 | ||
1851 | bool | |
1852 | Ssl::CertError::operator != (const CertError &ce) const | |
1853 | { | |
1854 | return code != ce.code || cert.get() != ce.cert.get(); | |
1855 | } | |
1856 | ||
10a69fc0 CT |
1857 | static int |
1858 | store_session_cb(SSL *ssl, SSL_SESSION *session) | |
1859 | { | |
1860 | if (!SslSessionCache) | |
1861 | return 0; | |
1862 | ||
1863 | debugs(83, 5, "Request to store SSL Session "); | |
1864 | ||
1865 | SSL_SESSION_set_timeout(session, Config.SSL.session_ttl); | |
1866 | ||
1867 | unsigned char *id = session->session_id; | |
1868 | unsigned int idlen = session->session_id_length; | |
1869 | unsigned char key[MEMMAP_SLOT_KEY_SIZE]; | |
1870 | // Session ids are of size 32bytes. They should always fit to a | |
86c63190 | 1871 | // MemMap::Slot::key |
10a69fc0 CT |
1872 | assert(idlen <= MEMMAP_SLOT_KEY_SIZE); |
1873 | memset(key, 0, sizeof(key)); | |
1874 | memcpy(key, id, idlen); | |
1875 | int pos; | |
1876 | Ipc::MemMap::Slot *slotW = SslSessionCache->openForWriting((const cache_key*)key, pos); | |
1877 | if (slotW) { | |
1878 | int lenRequired = i2d_SSL_SESSION(session, NULL); | |
1879 | if (lenRequired < MEMMAP_SLOT_DATA_SIZE) { | |
1880 | unsigned char *p = (unsigned char *)slotW->p; | |
1881 | lenRequired = i2d_SSL_SESSION(session, &p); | |
1882 | slotW->set(key, NULL, lenRequired, squid_curtime + Config.SSL.session_ttl); | |
1883 | } | |
1884 | SslSessionCache->closeForWriting(pos); | |
1885 | debugs(83, 5, "wrote an ssl session entry of size " << lenRequired << " at pos " << pos); | |
1886 | } | |
1887 | return 0; | |
1888 | } | |
1889 | ||
1890 | static void | |
1891 | remove_session_cb(SSL_CTX *, SSL_SESSION *sessionID) | |
1892 | { | |
1893 | if (!SslSessionCache) | |
1894 | return ; | |
1895 | ||
1896 | debugs(83, 5, "Request to remove corrupted or not valid SSL Session "); | |
1897 | int pos; | |
1898 | Ipc::MemMap::Slot const *slot = SslSessionCache->openForReading((const cache_key*)sessionID, pos); | |
1899 | if (slot == NULL) | |
1900 | return; | |
1901 | SslSessionCache->closeForReading(pos); | |
1902 | // TODO: | |
1903 | // What if we are not able to remove the session? | |
1904 | // Maybe schedule a job to remove it later? | |
1905 | // For now we just have an invalid entry in cache until will be expired | |
1906 | // The openSSL will reject it when we try to use it | |
1907 | SslSessionCache->free(pos); | |
1908 | } | |
1909 | ||
1910 | static SSL_SESSION * | |
1911 | get_session_cb(SSL *, unsigned char *sessionID, int len, int *copy) | |
1912 | { | |
1913 | if (!SslSessionCache) | |
1914 | return NULL; | |
1915 | ||
1916 | SSL_SESSION *session = NULL; | |
1917 | const unsigned int *p; | |
1918 | p = (unsigned int *)sessionID; | |
1919 | debugs(83, 5, "Request to search for SSL Session of len:" << | |
1920 | len << p[0] << ":" << p[1]); | |
1921 | ||
1922 | int pos; | |
1923 | Ipc::MemMap::Slot const *slot = SslSessionCache->openForReading((const cache_key*)sessionID, pos); | |
1924 | if (slot != NULL) { | |
1925 | if (slot->expire > squid_curtime) { | |
1926 | const unsigned char *ptr = slot->p; | |
1927 | session = d2i_SSL_SESSION(NULL, &ptr, slot->pSize); | |
1928 | debugs(83, 5, "Session retrieved from cache at pos " << pos); | |
1929 | } else | |
1930 | debugs(83, 5, "Session in cache expired"); | |
1931 | SslSessionCache->closeForReading(pos); | |
1932 | } | |
1933 | ||
1934 | if (!session) | |
1935 | debugs(83, 5, "Failed to retrieved from cache\n"); | |
1936 | ||
1937 | // With the parameter copy the callback can require the SSL engine | |
1938 | // to increment the reference count of the SSL_SESSION object, Normally | |
1939 | // the reference count is not incremented and therefore the session must | |
1940 | // not be explicitly freed with SSL_SESSION_free(3). | |
1941 | *copy = 0; | |
1942 | return session; | |
1943 | } | |
1944 | ||
1945 | static void | |
1946 | setSessionCallbacks(SSL_CTX *ctx) | |
1947 | { | |
1948 | if (SslSessionCache) { | |
1949 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL); | |
1950 | SSL_CTX_sess_set_new_cb(ctx, store_session_cb); | |
1951 | SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb); | |
1952 | SSL_CTX_sess_set_get_cb(ctx, get_session_cb); | |
1953 | } | |
1954 | } | |
1955 | ||
1956 | static bool | |
1957 | isSslServer() | |
1958 | { | |
d00790b2 | 1959 | if (HttpsPortList != NULL) |
10a69fc0 CT |
1960 | return true; |
1961 | ||
fa720bfb | 1962 | for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { |
10a69fc0 CT |
1963 | if (s->flags.tunnelSslBumping) |
1964 | return true; | |
1965 | } | |
1966 | ||
1967 | return false; | |
1968 | } | |
1969 | ||
1970 | #define SSL_SESSION_ID_SIZE 32 | |
1971 | #define SSL_SESSION_MAX_SIZE 10*1024 | |
1972 | ||
1973 | void | |
1974 | Ssl::initialize_session_cache() | |
1975 | { | |
1976 | ||
1977 | if (!isSslServer()) //no need to configure ssl session cache. | |
1978 | return; | |
1979 | ||
86c63190 | 1980 | // Check if the MemMap keys and data are enough big to hold |
10a69fc0 CT |
1981 | // session ids and session data |
1982 | assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE); | |
1983 | assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE); | |
1984 | ||
1985 | int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot); | |
1986 | if (IamWorkerProcess() && configuredItems) | |
1987 | SslSessionCache = new Ipc::MemMap(SslSessionCacheName); | |
1988 | else { | |
1989 | SslSessionCache = NULL; | |
1990 | return; | |
1991 | } | |
1992 | ||
fa720bfb | 1993 | for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) { |
10a69fc0 CT |
1994 | if (s->staticSslContext.get() != NULL) |
1995 | setSessionCallbacks(s->staticSslContext.get()); | |
1996 | } | |
1997 | ||
fa720bfb | 1998 | for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { |
10a69fc0 CT |
1999 | if (s->staticSslContext.get() != NULL) |
2000 | setSessionCallbacks(s->staticSslContext.get()); | |
2001 | } | |
2002 | } | |
2003 | ||
2004 | void | |
2005 | destruct_session_cache() | |
2006 | { | |
2007 | delete SslSessionCache; | |
2008 | } | |
2009 | ||
2010 | /// initializes shared memory segments used by MemStore | |
2011 | class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner | |
2012 | { | |
2013 | public: | |
2014 | /* RegisteredRunner API */ | |
2015 | SharedSessionCacheRr(): owner(NULL) {} | |
21b7990f | 2016 | virtual void useConfig(); |
10a69fc0 CT |
2017 | virtual ~SharedSessionCacheRr(); |
2018 | ||
2019 | protected: | |
21b7990f | 2020 | virtual void create(); |
10a69fc0 CT |
2021 | |
2022 | private: | |
2023 | Ipc::MemMap::Owner *owner; | |
2024 | }; | |
2025 | ||
21b7990f | 2026 | RunnerRegistrationEntry(SharedSessionCacheRr); |
10a69fc0 CT |
2027 | |
2028 | void | |
21b7990f | 2029 | SharedSessionCacheRr::useConfig() |
10a69fc0 | 2030 | { |
21b7990f | 2031 | Ipc::Mem::RegisteredRunner::useConfig(); |
10a69fc0 CT |
2032 | } |
2033 | ||
2034 | void | |
21b7990f | 2035 | SharedSessionCacheRr::create() |
10a69fc0 CT |
2036 | { |
2037 | if (!isSslServer()) //no need to configure ssl session cache. | |
2038 | return; | |
2039 | ||
2040 | int items; | |
2041 | items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot); | |
2042 | if (items) | |
2043 | owner = Ipc::MemMap::Init(SslSessionCacheName, items); | |
2044 | } | |
2045 | ||
2046 | SharedSessionCacheRr::~SharedSessionCacheRr() | |
2047 | { | |
2048 | delete owner; | |
2049 | } | |
d620ae0e | 2050 | |
cb4f4424 | 2051 | #endif /* USE_OPENSSL */ |