]> git.ipfire.org Git - thirdparty/squid.git/blob - src/ssl/support.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merged from trunk (r12098, v3.2.0.16+).
[thirdparty/squid.git] / src / ssl / support.cc
1
2 /*
3 * $Id$
4 *
5 * AUTHOR: Benno Rice
6 * DEBUG: section 83 SSL accelerator support
7 *
8 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
9 * ----------------------------------------------------------
10 *
11 * Squid is the result of efforts by numerous individuals from the
12 * Internet community. Development is led by Duane Wessels of the
13 * National Laboratory for Applied Network Research and funded by the
14 * National Science Foundation. Squid is Copyrighted (C) 1998 by
15 * Duane Wessels and the University of California San Diego. Please
16 * see the COPYRIGHT file for full details. Squid incorporates
17 * software developed and/or copyrighted by other sources. Please see
18 * the CREDITS file for full details.
19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License as published by
22 * the Free Software Foundation; either version 2 of the License, or
23 * (at your option) any later version.
24 *
25 * This program is distributed in the hope that it will be useful,
26 * but WITHOUT ANY WARRANTY; without even the implied warranty of
27 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 * GNU General Public License for more details.
29 *
30 * You should have received a copy of the GNU General Public License
31 * along with this program; if not, write to the Free Software
32 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 *
34 */
35
36 #include "squid-old.h"
37
38 /* MS Visual Studio Projects are monolithic, so we need the following
39 * #if to exclude the SSL code from compile process when not needed.
40 */
41 #if USE_SSL
42
43 #include "fde.h"
44 #include "acl/FilledChecklist.h"
45 #include "ssl/ErrorDetail.h"
46 #include "ssl/support.h"
47 #include "ssl/gadgets.h"
48
49 /**
50 \defgroup ServerProtocolSSLInternal Server-Side SSL Internals
51 \ingroup ServerProtocolSSLAPI
52 */
53
54 /// \ingroup ServerProtocolSSLInternal
55 static int
56 ssl_ask_password_cb(char *buf, int size, int rwflag, void *userdata)
57 {
58 FILE *in;
59 int len = 0;
60 char cmdline[1024];
61
62 snprintf(cmdline, sizeof(cmdline), "\"%s\" \"%s\"", Config.Program.ssl_password, (const char *)userdata);
63 in = popen(cmdline, "r");
64
65 if (fgets(buf, size, in))
66
67 len = strlen(buf);
68
69 while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
70
71 len--;
72
73 buf[len] = '\0';
74
75 pclose(in);
76
77 return len;
78 }
79
80 /// \ingroup ServerProtocolSSLInternal
81 static void
82 ssl_ask_password(SSL_CTX * context, const char * prompt)
83 {
84 if (Config.Program.ssl_password) {
85 SSL_CTX_set_default_passwd_cb(context, ssl_ask_password_cb);
86 SSL_CTX_set_default_passwd_cb_userdata(context, (void *)prompt);
87 }
88 }
89
90 /// \ingroup ServerProtocolSSLInternal
91 static RSA *
92 ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
93 {
94 static RSA *rsa_512 = NULL;
95 static RSA *rsa_1024 = NULL;
96 RSA *rsa = NULL;
97 int newkey = 0;
98
99 switch (keylen) {
100
101 case 512:
102
103 if (!rsa_512) {
104 rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL);
105 newkey = 1;
106 }
107
108 rsa = rsa_512;
109 break;
110
111 case 1024:
112
113 if (!rsa_1024) {
114 rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL);
115 newkey = 1;
116 }
117
118 rsa = rsa_1024;
119 break;
120
121 default:
122 debugs(83, 1, "ssl_temp_rsa_cb: Unexpected key length " << keylen);
123 return NULL;
124 }
125
126 if (rsa == NULL) {
127 debugs(83, 1, "ssl_temp_rsa_cb: Failed to generate key " << keylen);
128 return NULL;
129 }
130
131 if (newkey) {
132 if (do_debug(83, 5))
133 PEM_write_RSAPrivateKey(debug_log, rsa, NULL, NULL, 0, NULL, NULL);
134
135 debugs(83, 1, "Generated ephemeral RSA key of length " << keylen);
136 }
137
138 return rsa;
139 }
140
141 int Ssl::asn1timeToString(ASN1_TIME *tm, char *buf, int len)
142 {
143 BIO *bio;
144 int write = 0;
145 bio = BIO_new(BIO_s_mem());
146 if (bio) {
147 if (ASN1_TIME_print(bio, tm))
148 write = BIO_read(bio, buf, len-1);
149 BIO_free(bio);
150 }
151 buf[write]='\0';
152 return write;
153 }
154
155 int Ssl::matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data))
156 {
157 assert(peer_cert);
158
159 X509_NAME *name = X509_get_subject_name(peer_cert);
160
161 for (int i = X509_NAME_get_index_by_NID(name, NID_commonName, -1); i >= 0; i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) {
162
163 ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
164
165 if ( (*check_func)(check_data, cn_data) == 0)
166 return 1;
167 }
168
169 STACK_OF(GENERAL_NAME) * altnames;
170 altnames = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL);
171
172 if (altnames) {
173 int numalts = sk_GENERAL_NAME_num(altnames);
174 for (int i = 0; i < numalts; i++) {
175 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
176 if (check->type != GEN_DNS) {
177 continue;
178 }
179 ASN1_STRING *cn_data = check->d.dNSName;
180
181 if ( (*check_func)(check_data, cn_data) == 0)
182 return 1;
183 }
184 sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free);
185 }
186 return 0;
187 }
188
189 static int check_domain( void *check_data, ASN1_STRING *cn_data)
190 {
191 char cn[1024];
192 const char *server = (const char *)check_data;
193
194 if (cn_data->length > (int)sizeof(cn) - 1) {
195 return 1; //if does not fit our buffer just ignore
196 }
197 memcpy(cn, cn_data->data, cn_data->length);
198 cn[cn_data->length] = '\0';
199 debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
200 return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);
201 }
202
203 bool Ssl::checkX509ServerValidity(X509 *cert, const char *server)
204 {
205 return matchX509CommonNames(cert, (void *)server, check_domain);
206 }
207
208 /// \ingroup ServerProtocolSSLInternal
209 static int
210 ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
211 {
212 // preserve original ctx->error before SSL_ calls can overwrite it
213 Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : ctx->error;
214
215 char buffer[256] = "";
216 SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
217 SSL_CTX *sslctx = SSL_get_SSL_CTX(ssl);
218 const char *server = (const char *)SSL_get_ex_data(ssl, ssl_ex_index_server);
219 void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain);
220 ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check);
221 X509 *peeked_cert = (X509 *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_peeked_cert);
222 X509 *peer_cert = ctx->cert;
223
224 X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer,
225 sizeof(buffer));
226
227 if (ok) {
228 debugs(83, 5, "SSL Certificate signature OK: " << buffer);
229
230 if (server) {
231 if (!Ssl::checkX509ServerValidity(peer_cert, server)) {
232 debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server);
233 ok = 0;
234 error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH;
235 }
236 }
237 }
238
239 if (ok && peeked_cert) {
240 /*Check if the already peeked certificate match the new one*/
241 if (X509_cmp(peer_cert, peeked_cert) != 0) {
242 debugs(83, 2, "SQUID_X509_V_ERR_CERT_CHANGE: Certificate " << buffer << " does not match peeked certificate");
243 ok = 0;
244 error_no = SQUID_X509_V_ERR_CERT_CHANGE;
245 }
246 }
247
248 if (!ok) {
249 Ssl::Errors *errNoList = static_cast<Ssl::Errors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno));
250 if (!errNoList) {
251 errNoList = new Ssl::Errors(error_no);
252 if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno, (void *)errNoList)) {
253 debugs(83, 2, "Failed to set ssl error_no in ssl_verify_cb: Certificate " << buffer);
254 delete errNoList;
255 errNoList = NULL;
256 }
257 }
258 else // Append the err no to the SSL errors lists.
259 errNoList->push_back_unique(error_no);
260
261 if (const char *err_descr = Ssl::GetErrorDescr(error_no))
262 debugs(83, 5, err_descr << ": " << buffer);
263 else
264 debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer);
265
266 if (check) {
267 ACLFilledChecklist *filledCheck = Filled(check);
268 assert(filledCheck->sslErrorList == NULL);
269 filledCheck->sslErrorList = new Ssl::Errors(error_no);
270 if (check->fastCheck() == ACCESS_ALLOWED) {
271 debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
272 ok = 1;
273 } else {
274 debugs(83, 5, "confirming SSL error " << error_no);
275 }
276 // Delete the ssl error list
277 delete filledCheck->sslErrorList;
278 filledCheck->sslErrorList = NULL;
279 }
280 }
281
282 if (!dont_verify_domain && server) {}
283
284 if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) {
285
286 // Find the broken certificate. It may be intermediate.
287 X509 *broken_cert = peer_cert; // reasonable default if search fails
288 // Our SQUID_X509_V_ERR_DOMAIN_MISMATCH implies peer_cert is at fault.
289 if (error_no != SQUID_X509_V_ERR_DOMAIN_MISMATCH) {
290 if (X509 *last_used_cert = X509_STORE_CTX_get_current_cert(ctx))
291 broken_cert = last_used_cert;
292 }
293
294 Ssl::ErrorDetail *errDetail =
295 new Ssl::ErrorDetail(error_no, peer_cert, broken_cert);
296
297 if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) {
298 debugs(83, 2, "Failed to set Ssl::ErrorDetail in ssl_verify_cb: Certificate " << buffer);
299 delete errDetail;
300 }
301 }
302
303 return ok;
304 }
305
306 /// \ingroup ServerProtocolSSLInternal
307 static struct ssl_option {
308 const char *name;
309 long value;
310 }
311
312 ssl_options[] = {
313
314 #if SSL_OP_MICROSOFT_SESS_ID_BUG
315 {
316 "MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG
317 },
318 #endif
319 #if SSL_OP_NETSCAPE_CHALLENGE_BUG
320 {
321 "NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG
322 },
323 #endif
324 #if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
325 {
326 "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
327 },
328 #endif
329 #if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
330 {
331 "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
332 },
333 #endif
334 #if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
335 {
336 "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
337 },
338 #endif
339 #if SSL_OP_MSIE_SSLV2_RSA_PADDING
340 {
341 "MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING
342 },
343 #endif
344 #if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
345 {
346 "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
347 },
348 #endif
349 #if SSL_OP_TLS_D5_BUG
350 {
351 "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
352 },
353 #endif
354 #if SSL_OP_TLS_BLOCK_PADDING_BUG
355 {
356 "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
357 },
358 #endif
359 #if SSL_OP_TLS_ROLLBACK_BUG
360 {
361 "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
362 },
363 #endif
364 #if SSL_OP_ALL
365 {
366 "ALL", (long)SSL_OP_ALL
367 },
368 #endif
369 #if SSL_OP_SINGLE_DH_USE
370 {
371 "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
372 },
373 #endif
374 #if SSL_OP_EPHEMERAL_RSA
375 {
376 "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
377 },
378 #endif
379 #if SSL_OP_PKCS1_CHECK_1
380 {
381 "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
382 },
383 #endif
384 #if SSL_OP_PKCS1_CHECK_2
385 {
386 "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
387 },
388 #endif
389 #if SSL_OP_NETSCAPE_CA_DN_BUG
390 {
391 "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
392 },
393 #endif
394 #if SSL_OP_NON_EXPORT_FIRST
395 {
396 "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
397 },
398 #endif
399 #if SSL_OP_CIPHER_SERVER_PREFERENCE
400 {
401 "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
402 },
403 #endif
404 #if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
405 {
406 "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
407 },
408 #endif
409 #if SSL_OP_NO_SSLv2
410 {
411 "NO_SSLv2", SSL_OP_NO_SSLv2
412 },
413 #endif
414 #if SSL_OP_NO_SSLv3
415 {
416 "NO_SSLv3", SSL_OP_NO_SSLv3
417 },
418 #endif
419 #if SSL_OP_NO_TLSv1
420 {
421 "NO_TLSv1", SSL_OP_NO_TLSv1
422 },
423 #endif
424 {
425 "", 0
426 },
427 {
428 NULL, 0
429 }
430 };
431
432 /// \ingroup ServerProtocolSSLInternal
433 static long
434 ssl_parse_options(const char *options)
435 {
436 long op = 0;
437 char *tmp;
438 char *option;
439
440 if (!options)
441 goto no_options;
442
443 tmp = xstrdup(options);
444
445 option = strtok(tmp, ":,");
446
447 while (option) {
448
449 struct ssl_option *opt = NULL, *opttmp;
450 long value = 0;
451 enum {
452 MODE_ADD, MODE_REMOVE
453 } mode;
454
455 switch (*option) {
456
457 case '!':
458
459 case '-':
460 mode = MODE_REMOVE;
461 option++;
462 break;
463
464 case '+':
465 mode = MODE_ADD;
466 option++;
467 break;
468
469 default:
470 mode = MODE_ADD;
471 break;
472 }
473
474 for (opttmp = ssl_options; opttmp->name; opttmp++) {
475 if (strcmp(opttmp->name, option) == 0) {
476 opt = opttmp;
477 break;
478 }
479 }
480
481 if (opt)
482 value = opt->value;
483 else if (strncmp(option, "0x", 2) == 0) {
484 /* Special case.. hex specification */
485 value = strtol(option + 2, NULL, 16);
486 } else {
487 fatalf("Unknown SSL option '%s'", option);
488 value = 0; /* Keep GCC happy */
489 }
490
491 switch (mode) {
492
493 case MODE_ADD:
494 op |= value;
495 break;
496
497 case MODE_REMOVE:
498 op &= ~value;
499 break;
500 }
501
502 option = strtok(NULL, ":,");
503 }
504
505 safe_free(tmp);
506
507 no_options:
508 return op;
509 }
510
511 /// \ingroup ServerProtocolSSLInternal
512 #define SSL_FLAG_NO_DEFAULT_CA (1<<0)
513 /// \ingroup ServerProtocolSSLInternal
514 #define SSL_FLAG_DELAYED_AUTH (1<<1)
515 /// \ingroup ServerProtocolSSLInternal
516 #define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
517 /// \ingroup ServerProtocolSSLInternal
518 #define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
519 /// \ingroup ServerProtocolSSLInternal
520 #define SSL_FLAG_NO_SESSION_REUSE (1<<4)
521 /// \ingroup ServerProtocolSSLInternal
522 #define SSL_FLAG_VERIFY_CRL (1<<5)
523 /// \ingroup ServerProtocolSSLInternal
524 #define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
525
526 /// \ingroup ServerProtocolSSLInternal
527 static long
528 ssl_parse_flags(const char *flags)
529 {
530 long fl = 0;
531 char *tmp;
532 char *flag;
533
534 if (!flags)
535 return 0;
536
537 tmp = xstrdup(flags);
538
539 flag = strtok(tmp, ":,");
540
541 while (flag) {
542 if (strcmp(flag, "NO_DEFAULT_CA") == 0)
543 fl |= SSL_FLAG_NO_DEFAULT_CA;
544 else if (strcmp(flag, "DELAYED_AUTH") == 0)
545 fl |= SSL_FLAG_DELAYED_AUTH;
546 else if (strcmp(flag, "DONT_VERIFY_PEER") == 0)
547 fl |= SSL_FLAG_DONT_VERIFY_PEER;
548 else if (strcmp(flag, "DONT_VERIFY_DOMAIN") == 0)
549 fl |= SSL_FLAG_DONT_VERIFY_DOMAIN;
550 else if (strcmp(flag, "NO_SESSION_REUSE") == 0)
551 fl |= SSL_FLAG_NO_SESSION_REUSE;
552
553 #if X509_V_FLAG_CRL_CHECK
554
555 else if (strcmp(flag, "VERIFY_CRL") == 0)
556 fl |= SSL_FLAG_VERIFY_CRL;
557 else if (strcmp(flag, "VERIFY_CRL_ALL") == 0)
558 fl |= SSL_FLAG_VERIFY_CRL_ALL;
559
560 #endif
561
562 else
563 fatalf("Unknown ssl flag '%s'", flag);
564
565 flag = strtok(NULL, ":,");
566 }
567
568 safe_free(tmp);
569 return fl;
570 }
571
572 // "dup" function for SSL_get_ex_new_index("cert_err_check")
573 static int
574 ssl_dupAclChecklist(CRYPTO_EX_DATA *, CRYPTO_EX_DATA *, void *,
575 int, long, void *)
576 {
577 // We do not support duplication of ACLCheckLists.
578 // If duplication is needed, we can count copies with cbdata.
579 assert(false);
580 return 0;
581 }
582
583 // "free" function for SSL_get_ex_new_index("cert_err_check")
584 static void
585 ssl_freeAclChecklist(void *, void *ptr, CRYPTO_EX_DATA *,
586 int, long, void *)
587 {
588 delete static_cast<ACLChecklist *>(ptr); // may be NULL
589 }
590
591 // "free" function for SSL_get_ex_new_index("ssl_error_detail")
592 static void
593 ssl_free_ErrorDetail(void *, void *ptr, CRYPTO_EX_DATA *,
594 int, long, void *)
595 {
596 Ssl::ErrorDetail *errDetail = static_cast <Ssl::ErrorDetail *>(ptr);
597 delete errDetail;
598 }
599
600 static void
601 ssl_free_SslErrNoList(void *, void *ptr, CRYPTO_EX_DATA *,
602 int, long, void *)
603 {
604 Ssl::Errors *errNo = static_cast <Ssl::Errors *>(ptr);
605 delete errNo;
606 }
607
608 // "free" function for X509 certificates
609 static void
610 ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *,
611 int, long, void *)
612 {
613 X509 *cert = static_cast <X509 *>(ptr);
614 X509_free(cert);
615 }
616
617 /// \ingroup ServerProtocolSSLInternal
618 static void
619 ssl_initialize(void)
620 {
621 static int ssl_initialized = 0;
622
623 if (!ssl_initialized) {
624 ssl_initialized = 1;
625 SSL_load_error_strings();
626 SSLeay_add_ssl_algorithms();
627 #if HAVE_OPENSSL_ENGINE_H
628
629 if (Config.SSL.ssl_engine) {
630 ENGINE *e;
631
632 if (!(e = ENGINE_by_id(Config.SSL.ssl_engine))) {
633 fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine);
634 }
635
636 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
637 int ssl_error = ERR_get_error();
638 fatalf("Failed to initialise SSL engine: %s\n",
639 ERR_error_string(ssl_error, NULL));
640 }
641 }
642
643 #else
644 if (Config.SSL.ssl_engine) {
645 fatalf("Your OpenSSL has no SSL engine support\n");
646 }
647
648 #endif
649
650 }
651
652 ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL);
653 ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL);
654 ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist);
655 ssl_ex_index_ssl_error_detail = SSL_get_ex_new_index(0, (void *) "ssl_error_detail", NULL, NULL, &ssl_free_ErrorDetail);
656 ssl_ex_index_ssl_peeked_cert = SSL_get_ex_new_index(0, (void *) "ssl_peeked_cert", NULL, NULL, &ssl_free_X509);
657 ssl_ex_index_ssl_error_sslerrno = SSL_get_ex_new_index(0, (void *) "ssl_error_sslerrno", NULL, NULL, &ssl_free_SslErrNoList);
658 }
659
660 /// \ingroup ServerProtocolSSLInternal
661 static int
662 ssl_load_crl(SSL_CTX *sslContext, const char *CRLfile)
663 {
664 X509_STORE *st = SSL_CTX_get_cert_store(sslContext);
665 X509_CRL *crl;
666 BIO *in = BIO_new_file(CRLfile, "r");
667 int count = 0;
668
669 if (!in) {
670 debugs(83, 2, "WARNING: Failed to open CRL file '" << CRLfile << "'");
671 return 0;
672 }
673
674 while ((crl = PEM_read_bio_X509_CRL(in,NULL,NULL,NULL))) {
675 if (!X509_STORE_add_crl(st, crl))
676 debugs(83, 2, "WARNING: Failed to add CRL from file '" << CRLfile << "'");
677 else
678 count++;
679
680 X509_CRL_free(crl);
681 }
682
683 BIO_free(in);
684 return count;
685 }
686
687 SSL_CTX *
688 sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhfile, const char *context)
689 {
690 int ssl_error;
691 #if OPENSSL_VERSION_NUMBER < 0x00909000L
692 SSL_METHOD *method;
693 #else
694 const SSL_METHOD *method;
695 #endif
696 SSL_CTX *sslContext;
697 long fl = ssl_parse_flags(flags);
698
699 ssl_initialize();
700
701 if (!keyfile)
702 keyfile = certfile;
703
704 if (!certfile)
705 certfile = keyfile;
706
707 if (!CAfile)
708 CAfile = clientCA;
709
710 if (!certfile) {
711 debugs(83, DBG_CRITICAL, "ERROR: No certificate file");
712 return NULL;
713 }
714
715 switch (version) {
716
717 case 2:
718 #ifndef OPENSSL_NO_SSL2
719 debugs(83, 5, "Using SSLv2.");
720 method = SSLv2_server_method();
721 #else
722 debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
723 return NULL;
724 #endif
725 break;
726
727 case 3:
728 debugs(83, 5, "Using SSLv3.");
729 method = SSLv3_server_method();
730 break;
731
732 case 4:
733 debugs(83, 5, "Using TLSv1.");
734 method = TLSv1_server_method();
735 break;
736
737 case 1:
738
739 default:
740 debugs(83, 5, "Using SSLv2/SSLv3.");
741 method = SSLv23_server_method();
742 break;
743 }
744
745 sslContext = SSL_CTX_new(method);
746
747 if (sslContext == NULL) {
748 ssl_error = ERR_get_error();
749 debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate SSL context: " << ERR_error_string(ssl_error, NULL));
750 return NULL;
751 }
752
753 SSL_CTX_set_options(sslContext, ssl_parse_options(options));
754
755 if (context && *context) {
756 SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)context, strlen(context));
757 }
758
759 if (fl & SSL_FLAG_NO_SESSION_REUSE) {
760 SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF);
761 }
762
763 if (Config.SSL.unclean_shutdown) {
764 debugs(83, 5, "Enabling quiet SSL shutdowns (RFC violation).");
765
766 SSL_CTX_set_quiet_shutdown(sslContext, 1);
767 }
768
769 if (cipher) {
770 debugs(83, 5, "Using chiper suite " << cipher << ".");
771
772 if (!SSL_CTX_set_cipher_list(sslContext, cipher)) {
773 ssl_error = ERR_get_error();
774 debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << cipher << "': " << ERR_error_string(ssl_error, NULL));
775 SSL_CTX_free(sslContext);
776 return NULL;
777 }
778 }
779
780 debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile);
781
782 if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
783 ssl_error = ERR_get_error();
784 debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL));
785 SSL_CTX_free(sslContext);
786 return NULL;
787 }
788
789 debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile);
790 ssl_ask_password(sslContext, keyfile);
791
792 if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
793 ssl_error = ERR_get_error();
794 debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL));
795 SSL_CTX_free(sslContext);
796 return NULL;
797 }
798
799 debugs(83, 5, "Comparing private and public SSL keys.");
800
801 if (!SSL_CTX_check_private_key(sslContext)) {
802 ssl_error = ERR_get_error();
803 debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" <<
804 keyfile << "': " << ERR_error_string(ssl_error, NULL));
805 SSL_CTX_free(sslContext);
806 return NULL;
807 }
808
809 debugs(83, 9, "Setting RSA key generation callback.");
810 SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
811
812 debugs(83, 9, "Setting CA certificate locations.");
813
814 if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) {
815 ssl_error = ERR_get_error();
816 debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
817 }
818
819 if (!(fl & SSL_FLAG_NO_DEFAULT_CA) &&
820 !SSL_CTX_set_default_verify_paths(sslContext)) {
821 ssl_error = ERR_get_error();
822 debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL));
823 }
824
825 if (clientCA) {
826 STACK_OF(X509_NAME) *cert_names;
827 debugs(83, 9, "Set client certifying authority list.");
828 cert_names = SSL_load_client_CA_file(clientCA);
829
830 if (cert_names == NULL) {
831 debugs(83, DBG_IMPORTANT, "ERROR: loading the client CA certificates from '" << clientCA << "\': " << ERR_error_string(ERR_get_error(),NULL));
832 SSL_CTX_free(sslContext);
833 return NULL;
834 }
835
836 ERR_clear_error();
837 SSL_CTX_set_client_CA_list(sslContext, cert_names);
838
839 if (fl & SSL_FLAG_DELAYED_AUTH) {
840 debugs(83, 9, "Not requesting client certificates until acl processing requires one");
841 SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
842 } else {
843 debugs(83, 9, "Requiring client certificates.");
844 SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
845 }
846
847 if (CRLfile) {
848 ssl_load_crl(sslContext, CRLfile);
849 fl |= SSL_FLAG_VERIFY_CRL;
850 }
851
852 #if X509_V_FLAG_CRL_CHECK
853 if (fl & SSL_FLAG_VERIFY_CRL_ALL)
854 X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
855 else if (fl & SSL_FLAG_VERIFY_CRL)
856 X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK);
857
858 #endif
859
860 } else {
861 debugs(83, 9, "Not requiring any client certificates");
862 SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
863 }
864
865 if (dhfile) {
866 FILE *in = fopen(dhfile, "r");
867 DH *dh = NULL;
868 int codes;
869
870 if (in) {
871 dh = PEM_read_DHparams(in, NULL, NULL, NULL);
872 fclose(in);
873 }
874
875 if (!dh)
876 debugs(83, DBG_IMPORTANT, "WARNING: Failed to read DH parameters '" << dhfile << "'");
877 else if (dh && DH_check(dh, &codes) == 0) {
878 if (codes) {
879 debugs(83, DBG_IMPORTANT, "WARNING: Failed to verify DH parameters '" << dhfile << "' (" << std::hex << codes << ")");
880 DH_free(dh);
881 dh = NULL;
882 }
883 }
884
885 if (dh)
886 SSL_CTX_set_tmp_dh(sslContext, dh);
887 }
888
889 if (fl & SSL_FLAG_DONT_VERIFY_DOMAIN)
890 SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
891
892 return sslContext;
893 }
894
895 SSL_CTX *
896 sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile)
897 {
898 int ssl_error;
899 #if OPENSSL_VERSION_NUMBER < 0x00909000L
900 SSL_METHOD *method;
901 #else
902 const SSL_METHOD *method;
903 #endif
904 SSL_CTX *sslContext;
905 long fl = ssl_parse_flags(flags);
906
907 ssl_initialize();
908
909 if (!keyfile)
910 keyfile = certfile;
911
912 if (!certfile)
913 certfile = keyfile;
914
915 switch (version) {
916
917 case 2:
918 #ifndef OPENSSL_NO_SSL2
919 debugs(83, 5, "Using SSLv2.");
920 method = SSLv2_client_method();
921 #else
922 debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
923 return NULL;
924 #endif
925 break;
926
927 case 3:
928 debugs(83, 5, "Using SSLv3.");
929 method = SSLv3_client_method();
930 break;
931
932 case 4:
933 debugs(83, 5, "Using TLSv1.");
934 method = TLSv1_client_method();
935 break;
936
937 case 1:
938
939 default:
940 debugs(83, 5, "Using SSLv2/SSLv3.");
941 method = SSLv23_client_method();
942 break;
943 }
944
945 sslContext = SSL_CTX_new(method);
946
947 if (sslContext == NULL) {
948 ssl_error = ERR_get_error();
949 fatalf("Failed to allocate SSL context: %s\n",
950 ERR_error_string(ssl_error, NULL));
951 }
952
953 SSL_CTX_set_options(sslContext, ssl_parse_options(options));
954
955 if (cipher) {
956 debugs(83, 5, "Using chiper suite " << cipher << ".");
957
958 if (!SSL_CTX_set_cipher_list(sslContext, cipher)) {
959 ssl_error = ERR_get_error();
960 fatalf("Failed to set SSL cipher suite '%s': %s\n",
961 cipher, ERR_error_string(ssl_error, NULL));
962 }
963 }
964
965 if (certfile) {
966 debugs(83, 1, "Using certificate in " << certfile);
967
968 if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
969 ssl_error = ERR_get_error();
970 fatalf("Failed to acquire SSL certificate '%s': %s\n",
971 certfile, ERR_error_string(ssl_error, NULL));
972 }
973
974 debugs(83, 1, "Using private key in " << keyfile);
975 ssl_ask_password(sslContext, keyfile);
976
977 if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
978 ssl_error = ERR_get_error();
979 fatalf("Failed to acquire SSL private key '%s': %s\n",
980 keyfile, ERR_error_string(ssl_error, NULL));
981 }
982
983 debugs(83, 5, "Comparing private and public SSL keys.");
984
985 if (!SSL_CTX_check_private_key(sslContext)) {
986 ssl_error = ERR_get_error();
987 fatalf("SSL private key '%s' does not match public key '%s': %s\n",
988 certfile, keyfile, ERR_error_string(ssl_error, NULL));
989 }
990 }
991
992 debugs(83, 9, "Setting RSA key generation callback.");
993 SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
994
995 if (fl & SSL_FLAG_DONT_VERIFY_PEER) {
996 debugs(83, 2, "NOTICE: Peer certificates are not verified for validity!");
997 SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
998 } else {
999 debugs(83, 9, "Setting certificate verification callback.");
1000 SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
1001 }
1002
1003 debugs(83, 9, "Setting CA certificate locations.");
1004
1005 if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) {
1006 ssl_error = ERR_get_error();
1007 debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
1008 }
1009
1010 if (CRLfile) {
1011 ssl_load_crl(sslContext, CRLfile);
1012 fl |= SSL_FLAG_VERIFY_CRL;
1013 }
1014
1015 #if X509_V_FLAG_CRL_CHECK
1016 if (fl & SSL_FLAG_VERIFY_CRL_ALL)
1017 X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1018 else if (fl & SSL_FLAG_VERIFY_CRL)
1019 X509_STORE_set_flags(SSL_CTX_get_cert_store(sslContext), X509_V_FLAG_CRL_CHECK);
1020
1021 #endif
1022
1023 if (!(fl & SSL_FLAG_NO_DEFAULT_CA) &&
1024 !SSL_CTX_set_default_verify_paths(sslContext)) {
1025 ssl_error = ERR_get_error();
1026 debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL));
1027 }
1028
1029 return sslContext;
1030 }
1031
1032 /// \ingroup ServerProtocolSSLInternal
1033 int
1034 ssl_read_method(int fd, char *buf, int len)
1035 {
1036 SSL *ssl = fd_table[fd].ssl;
1037 int i;
1038
1039 #if DONT_DO_THIS
1040
1041 if (!SSL_is_init_finished(ssl)) {
1042 errno = ENOTCONN;
1043 return -1;
1044 }
1045
1046 #endif
1047
1048 i = SSL_read(ssl, buf, len);
1049
1050 if (i > 0 && SSL_pending(ssl) > 0) {
1051 debugs(83, 2, "SSL FD " << fd << " is pending");
1052 fd_table[fd].flags.read_pending = 1;
1053 } else
1054 fd_table[fd].flags.read_pending = 0;
1055
1056 return i;
1057 }
1058
1059 /// \ingroup ServerProtocolSSLInternal
1060 int
1061 ssl_write_method(int fd, const char *buf, int len)
1062 {
1063 SSL *ssl = fd_table[fd].ssl;
1064 int i;
1065
1066 if (!SSL_is_init_finished(ssl)) {
1067 errno = ENOTCONN;
1068 return -1;
1069 }
1070
1071 i = SSL_write(ssl, buf, len);
1072
1073 return i;
1074 }
1075
1076 void
1077 ssl_shutdown_method(SSL *ssl)
1078 {
1079 SSL_shutdown(ssl);
1080 }
1081
1082 /// \ingroup ServerProtocolSSLInternal
1083 static const char *
1084 ssl_get_attribute(X509_NAME * name, const char *attribute_name)
1085 {
1086 static char buffer[1024];
1087 int nid;
1088
1089 buffer[0] = '\0';
1090
1091 if (strcmp(attribute_name, "DN") == 0) {
1092 X509_NAME_oneline(name, buffer, sizeof(buffer));
1093 goto done;
1094 }
1095
1096 nid = OBJ_txt2nid((char *) attribute_name);
1097
1098 if (nid == 0) {
1099 debugs(83, 1, "WARNING: Unknown SSL attribute name '" << attribute_name << "'");
1100 return NULL;
1101 }
1102
1103 X509_NAME_get_text_by_NID(name, nid, buffer, sizeof(buffer));
1104
1105 done:
1106 return *buffer ? buffer : NULL;
1107 }
1108
1109 /// \ingroup ServerProtocolSSLInternal
1110 const char *
1111 sslGetUserAttribute(SSL * ssl, const char *attribute_name)
1112 {
1113 X509 *cert;
1114 X509_NAME *name;
1115 const char *ret;
1116
1117 if (!ssl)
1118 return NULL;
1119
1120 cert = SSL_get_peer_certificate(ssl);
1121
1122 if (!cert)
1123 return NULL;
1124
1125 name = X509_get_subject_name(cert);
1126
1127 ret = ssl_get_attribute(name, attribute_name);
1128
1129 X509_free(cert);
1130
1131 return ret;
1132 }
1133
1134 /// \ingroup ServerProtocolSSLInternal
1135 const char *
1136 sslGetCAAttribute(SSL * ssl, const char *attribute_name)
1137 {
1138 X509 *cert;
1139 X509_NAME *name;
1140 const char *ret;
1141
1142 if (!ssl)
1143 return NULL;
1144
1145 cert = SSL_get_peer_certificate(ssl);
1146
1147 if (!cert)
1148 return NULL;
1149
1150 name = X509_get_issuer_name(cert);
1151
1152 ret = ssl_get_attribute(name, attribute_name);
1153
1154 X509_free(cert);
1155
1156 return ret;
1157 }
1158
1159 const char *
1160 sslGetUserEmail(SSL * ssl)
1161 {
1162 return sslGetUserAttribute(ssl, "emailAddress");
1163 }
1164
1165 const char *
1166 sslGetUserCertificatePEM(SSL *ssl)
1167 {
1168 X509 *cert;
1169 BIO *mem;
1170 static char *str = NULL;
1171 char *ptr;
1172 long len;
1173
1174 safe_free(str);
1175
1176 if (!ssl)
1177 return NULL;
1178
1179 cert = SSL_get_peer_certificate(ssl);
1180
1181 if (!cert)
1182 return NULL;
1183
1184 mem = BIO_new(BIO_s_mem());
1185
1186 PEM_write_bio_X509(mem, cert);
1187
1188
1189 len = BIO_get_mem_data(mem, &ptr);
1190
1191 str = (char *)xmalloc(len + 1);
1192
1193 memcpy(str, ptr, len);
1194
1195 str[len] = '\0';
1196
1197 X509_free(cert);
1198
1199 BIO_free(mem);
1200
1201 return str;
1202 }
1203
1204 const char *
1205 sslGetUserCertificateChainPEM(SSL *ssl)
1206 {
1207 STACK_OF(X509) *chain;
1208 BIO *mem;
1209 static char *str = NULL;
1210 char *ptr;
1211 long len;
1212 int i;
1213
1214 safe_free(str);
1215
1216 if (!ssl)
1217 return NULL;
1218
1219 chain = SSL_get_peer_cert_chain(ssl);
1220
1221 if (!chain)
1222 return sslGetUserCertificatePEM(ssl);
1223
1224 mem = BIO_new(BIO_s_mem());
1225
1226 for (i = 0; i < sk_X509_num(chain); i++) {
1227 X509 *cert = sk_X509_value(chain, i);
1228 PEM_write_bio_X509(mem, cert);
1229 }
1230
1231 len = BIO_get_mem_data(mem, &ptr);
1232
1233 str = (char *)xmalloc(len + 1);
1234 memcpy(str, ptr, len);
1235 str[len] = '\0';
1236
1237 BIO_free(mem);
1238
1239 return str;
1240 }
1241
1242 /// \ingroup ServerProtocolSSLInternal
1243 /// Create SSL context and apply ssl certificate and private key to it.
1244 static SSL_CTX * createSSLContext(Ssl::X509_Pointer & x509, Ssl::EVP_PKEY_Pointer & pkey)
1245 {
1246 Ssl::SSL_CTX_Pointer sslContext(SSL_CTX_new(SSLv23_server_method()));
1247
1248 if (!SSL_CTX_use_certificate(sslContext.get(), x509.get()))
1249 return NULL;
1250
1251 if (!SSL_CTX_use_PrivateKey(sslContext.get(), pkey.get()))
1252 return NULL;
1253 return sslContext.release();
1254 }
1255
1256 SSL_CTX * Ssl::generateSslContextUsingPkeyAndCertFromMemory(const char * data)
1257 {
1258 Ssl::X509_Pointer cert;
1259 Ssl::EVP_PKEY_Pointer pkey;
1260 if (!readCertAndPrivateKeyFromMemory(cert, pkey, data))
1261 return NULL;
1262
1263 if (!cert || !pkey)
1264 return NULL;
1265
1266 return createSSLContext(cert, pkey);
1267 }
1268
1269 SSL_CTX * Ssl::generateSslContext(CertificateProperties const &properties)
1270 {
1271 Ssl::X509_Pointer cert;
1272 Ssl::EVP_PKEY_Pointer pkey;
1273 if (!generateSslCertificate(cert, pkey, properties))
1274 return NULL;
1275
1276 if (!cert)
1277 return NULL;
1278
1279 if (!pkey)
1280 return NULL;
1281
1282 return createSSLContext(cert, pkey);
1283 }
1284
1285 bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties)
1286 {
1287 // Temporary ssl for getting X509 certificate from SSL_CTX.
1288 Ssl::SSL_Pointer ssl(SSL_new(sslContext));
1289 X509 * cert = SSL_get_certificate(ssl.get());
1290 ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
1291 ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
1292 bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
1293 if (!ret)
1294 return false;
1295
1296 return certificateMatchesProperties(cert, properties);
1297 }
1298
1299 bool
1300 Ssl::setClientSNI(SSL *ssl, const char *fqdn)
1301 {
1302 //The SSL_CTRL_SET_TLSEXT_HOSTNAME is a openssl macro which indicates
1303 // if the TLS servername extension (SNI) is enabled in openssl library.
1304 #if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
1305 if (!SSL_set_tlsext_host_name(ssl, fqdn)) {
1306 const int ssl_error = ERR_get_error();
1307 debugs(83, 3, "WARNING: unable to set TLS servername extension (SNI): " <<
1308 ERR_error_string(ssl_error, NULL) << "\n");
1309 return false;
1310 }
1311 return true;
1312 #else
1313 debugs(83, 7, "no support for TLS servername extension (SNI)\n");
1314 return false;
1315 #endif
1316 }
1317
1318 void Ssl::addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *chain)
1319 {
1320 if (!chain)
1321 return;
1322
1323 for (int i = 0; i < sk_X509_num(chain); i++) {
1324 X509 *cert = sk_X509_value(chain, i);
1325 if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
1326 // increase the certificate lock
1327 CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
1328 } else {
1329 const int ssl_error = ERR_get_error();
1330 debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
1331 }
1332 }
1333 }
1334
1335 /**
1336 \ingroup ServerProtocolSSLInternal
1337 * Read certificate from file.
1338 * See also: static readSslX509Certificate function, gadgets.cc file
1339 */
1340 static X509 * readSslX509CertificatesChain(char const * certFilename, STACK_OF(X509)* chain)
1341 {
1342 if (!certFilename)
1343 return NULL;
1344 Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
1345 if (!bio)
1346 return NULL;
1347 if (!BIO_read_filename(bio.get(), certFilename))
1348 return NULL;
1349 X509 *certificate = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL);
1350
1351 if (certificate && chain) {
1352
1353 if (X509_check_issued(certificate, certificate) == X509_V_OK)
1354 debugs(83, 5, "Certificate is self-signed, will not be chained");
1355 else {
1356 if (sk_X509_push(chain, certificate))
1357 CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
1358 else
1359 debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
1360 // and add to the chain any certificate loaded from the file
1361 while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
1362 if (!sk_X509_push(chain, ca))
1363 debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
1364 }
1365 }
1366 }
1367
1368 return certificate;
1369 }
1370
1371 void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename)
1372 {
1373 if (keyFilename == NULL)
1374 keyFilename = certFilename;
1375 if (!chain)
1376 chain.reset(sk_X509_new_null());
1377 if (!chain)
1378 debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain");
1379 pkey.reset(readSslPrivateKey(keyFilename, ssl_ask_password_cb));
1380 cert.reset(readSslX509CertificatesChain(certFilename, chain.get()));
1381 if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
1382 pkey.reset(NULL);
1383 cert.reset(NULL);
1384 }
1385 }
1386
1387 static const char *getSubjectEntry(X509 *x509, int nid)
1388 {
1389 static char name[1024] = ""; // stores common name (CN)
1390
1391 if (!x509)
1392 return NULL;
1393
1394 // TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
1395 const int nameLen = X509_NAME_get_text_by_NID(
1396 X509_get_subject_name(x509),
1397 nid, name, sizeof(name));
1398
1399 if (nameLen > 0)
1400 return name;
1401
1402 return NULL;
1403 }
1404
1405 const char *Ssl::CommonHostName(X509 *x509)
1406 {
1407 return getSubjectEntry(x509, NID_commonName);
1408 }
1409
1410 static const char *getOrganization(X509 *x509)
1411 {
1412 return getSubjectEntry(x509, NID_organizationName);
1413 }
1414
1415 bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey)
1416 {
1417 // Generate the self-signed certificate, using a hard-coded subject prefix
1418 Ssl::CertificateProperties certProperties;
1419 if (const char *cn = CommonHostName(cert.get())) {
1420 certProperties.commonName = "Not trusted by \"";
1421 certProperties.commonName += cn;
1422 certProperties.commonName += "\"";
1423 }
1424 else if (const char *org = getOrganization(cert.get())) {
1425 certProperties.commonName = "Not trusted by \"";
1426 certProperties.commonName += org;
1427 certProperties.commonName += "\"";
1428 }
1429 else
1430 certProperties.commonName = "Not trusted";
1431 certProperties.setCommonName = true;
1432 // O, OU, and other CA subject fields will be mimicked
1433 // Expiration date and other common properties will be mimicked
1434 certProperties.signAlgorithm = Ssl::algSignSelf;
1435 certProperties.signWithPkey.resetAndLock(pkey.get());
1436 certProperties.mimicCert.resetAndLock(cert.get());
1437 return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties);
1438 }
1439
1440 #endif /* USE_SSL */
Mirror of https://github.com/squid-cache/squid.git