/
ssl_private.h
409 lines (355 loc) · 14.3 KB
/
ssl_private.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SSL_PRIVATE_H
#define SSL_PRIVATE_H
/* Exclude unused OpenSSL features
* even if the OpenSSL supports them
*/
#ifndef OPENSSL_NO_IDEA
#define OPENSSL_NO_IDEA
#endif
#ifndef OPENSSL_NO_KRB5
#define OPENSSL_NO_KRB5
#endif
#ifndef OPENSSL_NO_MDC2
#define OPENSSL_NO_MDC2
#endif
#ifndef OPENSSL_NO_RC5
#define OPENSSL_NO_RC5
#endif
/* OpenSSL headers */
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
extern ENGINE *tcn_ssl_engine;
#endif
#ifndef RAND_MAX
#include <limits.h>
#define RAND_MAX INT_MAX
#endif
#define SSL_AIDX_RSA (0)
#define SSL_AIDX_DSA (1)
#define SSL_AIDX_ECC (3)
#define SSL_AIDX_MAX (4)
/*
* Define the SSL options
*/
#define SSL_OPT_NONE (0)
#define SSL_OPT_RELSET (1<<0)
#define SSL_OPT_STDENVVARS (1<<1)
#define SSL_OPT_EXPORTCERTDATA (1<<3)
#define SSL_OPT_FAKEBASICAUTH (1<<4)
#define SSL_OPT_STRICTREQUIRE (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
/*
* Define the SSL Protocol options
*/
#define SSL_PROTOCOL_NONE (0)
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_TLSV1_3 (1<<5)
#define SSL_MODE_CLIENT (0)
#define SSL_MODE_SERVER (1)
#define SSL_MODE_COMBINED (2)
#define SSL_BIO_FLAG_RDONLY (1<<0)
#define SSL_BIO_FLAG_CALLBACK (1<<1)
#define SSL_DEFAULT_CACHE_SIZE (256)
#define SSL_DEFAULT_VHOST_NAME ("_default_:443")
#define SSL_MAX_STR_LEN (2048)
#define SSL_MAX_PASSWORD_LEN (256)
#define SSL_CVERIFY_UNSET (-1)
#define SSL_CVERIFY_NONE (0)
#define SSL_CVERIFY_OPTIONAL (1)
#define SSL_CVERIFY_REQUIRE (2)
#define SSL_CVERIFY_OPTIONAL_NO_CA (3)
#define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
#define SSL_SHUTDOWN_TYPE_UNSET (0)
#define SSL_SHUTDOWN_TYPE_STANDARD (1)
#define SSL_SHUTDOWN_TYPE_UNCLEAN (2)
#define SSL_SHUTDOWN_TYPE_ACCURATE (3)
#define SSL_TO_APR_ERROR(X) (APR_OS_START_USERERR + 1000 + X)
#define SSL_INFO_SESSION_ID (0x0001)
#define SSL_INFO_CIPHER (0x0002)
#define SSL_INFO_CIPHER_USEKEYSIZE (0x0003)
#define SSL_INFO_CIPHER_ALGKEYSIZE (0x0004)
#define SSL_INFO_CIPHER_VERSION (0x0005)
#define SSL_INFO_CIPHER_DESCRIPTION (0x0006)
#define SSL_INFO_PROTOCOL (0x0007)
#define SSL_INFO_CLIENT_S_DN (0x0010)
#define SSL_INFO_CLIENT_I_DN (0x0020)
#define SSL_INFO_SERVER_S_DN (0x0040)
#define SSL_INFO_SERVER_I_DN (0x0080)
#define SSL_INFO_DN_COUNTRYNAME (0x0001)
#define SSL_INFO_DN_STATEORPROVINCENAME (0x0002)
#define SSL_INFO_DN_LOCALITYNAME (0x0003)
#define SSL_INFO_DN_ORGANIZATIONNAME (0x0004)
#define SSL_INFO_DN_ORGANIZATIONALUNITNAME (0x0005)
#define SSL_INFO_DN_COMMONNAME (0x0006)
#define SSL_INFO_DN_TITLE (0x0007)
#define SSL_INFO_DN_INITIALS (0x0008)
#define SSL_INFO_DN_GIVENNAME (0x0009)
#define SSL_INFO_DN_SURNAME (0x000A)
#define SSL_INFO_DN_DESCRIPTION (0x000B)
#define SSL_INFO_DN_UNIQUEIDENTIFIER (0x000C)
#define SSL_INFO_DN_EMAILADDRESS (0x000D)
#define SSL_INFO_CLIENT_MASK (0x0100)
#define SSL_INFO_CLIENT_M_VERSION (0x0101)
#define SSL_INFO_CLIENT_M_SERIAL (0x0102)
#define SSL_INFO_CLIENT_V_START (0x0103)
#define SSL_INFO_CLIENT_V_END (0x0104)
#define SSL_INFO_CLIENT_A_SIG (0x0105)
#define SSL_INFO_CLIENT_A_KEY (0x0106)
#define SSL_INFO_CLIENT_CERT (0x0107)
#define SSL_INFO_CLIENT_V_REMAIN (0x0108)
#define SSL_INFO_SERVER_MASK (0x0200)
#define SSL_INFO_SERVER_M_VERSION (0x0201)
#define SSL_INFO_SERVER_M_SERIAL (0x0202)
#define SSL_INFO_SERVER_V_START (0x0203)
#define SSL_INFO_SERVER_V_END (0x0204)
#define SSL_INFO_SERVER_A_SIG (0x0205)
#define SSL_INFO_SERVER_A_KEY (0x0206)
#define SSL_INFO_SERVER_CERT (0x0207)
#define SSL_INFO_CLIENT_CERT_CHAIN (0x0400)
#define SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) \
((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
|| (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
|| (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
|| (errnum == X509_V_ERR_CERT_UNTRUSTED) \
|| (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
#define SSL_DEFAULT_PASS_PROMPT "Some of your private key files are encrypted for security reasons.\n" \
"In order to read them you have to provide the pass phrases.\n" \
"Enter password :"
#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")
#if defined(SSL_OP_NO_TLSv1_1)
#define HAVE_TLSV1_1
#endif
#if defined(SSL_OP_NO_TLSv1_2)
#define HAVE_TLSV1_2
#endif
#if defined(SSL_OP_NO_TLSv1_3)
#define HAVE_TLSV1_3
#endif
/* Check for SSL_CONF support */
#if defined(SSL_CONF_FLAG_FILE)
#define HAVE_SSL_CONF_CMD
#endif
/**
* The following features all depend on TLS extension support.
* Within this block, check again for features (not version numbers).
*/
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
#define HAVE_TLSEXT
/* ECC */
#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
#define HAVE_ECC
#endif
/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
#define OCSP_STATUS_OK 0
#define OCSP_STATUS_REVOKED 1
#define OCSP_STATUS_UNKNOWN 2
#endif
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
/* OpenSSL 1.0.2 compatibility */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define OpenSSL_version SSLeay_version
#define OpenSSL_version_num SSLeay
#define OPENSSL_VERSION SSLEAY_VERSION
#define OPENSSL_malloc_init CRYPTO_malloc_init
#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
#define BIO_get_init(x) (x->init)
#define BIO_set_init(x,v) (x->init=v)
#define BIO_get_data(x) (x->ptr)
#define BIO_set_data(x,v) (x->ptr=v)
#define BIO_set_shutdown(x,v) (x->shutdown=v)
#define X509_REVOKED_get0_serialNumber(x) x->serialNumber
#define X509_STORE_CTX_get0_untrusted(x) (x->untrusted)
#define X509_OBJECT_free(x) {X509_OBJECT_free_contents(obj);\
OPENSSL_free(obj);}
#define TLS_method SSLv23_method
#define TLS_client_method SSLv23_client_method
#define TLS_server_method SSLv23_server_method
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
#define HAVE_KEYLOG_CALLBACK
#endif
#define MAX_ALPN_NPN_PROTO_SIZE 65535
#define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1
typedef struct {
/* client can have any number of cert/key pairs */
const char *cert_file;
const char *cert_path;
STACK_OF(X509_INFO) *certs;
} ssl_pkc_t;
typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t;
typedef struct {
char password[SSL_MAX_PASSWORD_LEN];
const char *prompt;
tcn_callback_t cb;
} tcn_pass_cb_t;
extern tcn_pass_cb_t tcn_password_callback;
struct tcn_ssl_ctxt_t {
apr_pool_t *pool;
SSL_CTX *ctx;
BIO *bio_os;
BIO *bio_is;
unsigned char context_id[SHA_DIGEST_LENGTH];
int protocol;
/* we are one or the other */
int mode;
/* certificate revocation list */
X509_STORE *crl;
/* pointer to the context verify store */
X509_STORE *store;
X509 *certs[SSL_AIDX_MAX];
EVP_PKEY *keys[SSL_AIDX_MAX];
int ca_certs;
int shutdown_type;
char *rand_file;
const char *cipher_suite;
/* for client or downstream server authentication */
int verify_depth;
int verify_mode;
tcn_pass_cb_t *cb_data;
/* for client: List of protocols to request via ALPN.
* for server: List of protocols to accept via ALPN.
*/
/* member alpn is array of protocol strings encoded as a list of bytes
* of length alpnlen, each protocol string is prepended with a byte
* containing the protocol string length (max 255), then follows the
* protocol string itself.
*/
char *alpn;
int alpnlen;
/* Add from netty-tcnative */
/* certificate verifier callback */
jobject verifier;
jmethodID verifier_method;
unsigned char *next_proto_data;
unsigned int next_proto_len;
int next_selector_failure_behavior;
/* Holds the alpn protocols, each of them prefixed with the len of the protocol */
unsigned char *alpn_proto_data;
unsigned int alpn_proto_len;
int alpn_selector_failure_behavior;
/* End add from netty-tcnative */
int no_ocsp_check;
};
#ifdef HAVE_SSL_CONF_CMD
typedef struct tcn_ssl_conf_ctxt_t tcn_ssl_conf_ctxt_t;
struct tcn_ssl_conf_ctxt_t {
apr_pool_t *pool;
SSL_CONF_CTX *cctx;
int no_ocsp_check;
};
#endif
typedef struct {
apr_pool_t *pool;
tcn_ssl_ctxt_t *ctx;
SSL *ssl;
X509 *peer;
int shutdown_type;
/* Track the handshake/renegotiation state for the connection so
* that all client-initiated renegotiations can be rejected, as a
* partial fix for CVE-2009-3555.
*/
enum {
RENEG_INIT = 0, /* Before initial handshake */
RENEG_REJECT, /* After initial handshake; any client-initiated
* renegotiation should be rejected
*/
RENEG_ALLOW, /* A server-initated renegotiation is taking
* place (as dictated by configuration)
*/
RENEG_ABORT /* Renegotiation initiated by client, abort the
* connection
*/
} reneg_state;
enum {
PHA_NONE = 0, /* Before PHA */
PHA_STARTED, /* PHA req sent to client but no response */
PHA_COMPLETE /* Client has returned cert */
} pha_state;
apr_socket_t *sock;
apr_pollset_t *pollset;
} tcn_ssl_conn_t;
/*
* Additional Functions
*/
void SSL_init_app_data_idx(void);
/* The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instance. */
void *SSL_get_app_data2(SSL *);
void SSL_set_app_data2(SSL *, void *);
/* The app_data3 is used to store the handshakeCount pointer for the SSL instance. */
void *SSL_get_app_data3(const SSL *);
void SSL_set_app_data3(SSL *, void *);
/* The app_data4 is used to store the destroyCount pointer for the SSL instance. */
void *SSL_get_app_data4(const SSL *);
void SSL_set_app_data4(SSL *, void *);
int SSL_password_prompt(tcn_pass_cb_t *);
int SSL_password_callback(char *, int, int, void *);
void SSL_BIO_close(BIO *);
void SSL_BIO_doref(BIO *);
DH *SSL_get_dh_params(unsigned keylen);
DH *SSL_dh_GetParamFromFile(const char *);
#ifdef HAVE_ECC
EC_GROUP *SSL_ec_GetParamFromFile(const char *);
#endif
DH *SSL_callback_tmp_DH(SSL *, int, int);
void SSL_callback_handshake(const SSL *, int, int);
int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
int SSL_callback_SSL_verify(int, X509_STORE_CTX *);
int SSL_rand_seed(const char *file);
int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int *, void *);
int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned char *, const unsigned char *, unsigned int,void *);
int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
#ifdef HAVE_KEYLOG_CALLBACK
void SSL_callback_add_keylog(SSL_CTX *);
#endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64))
unsigned long SSL_ERR_get(void);
void SSL_ERR_clear(void);
#else
#define SSL_ERR_get() ERR_get_error()
#define SSL_ERR_clear() ERR_clear_error()
#endif
#endif /* SSL_PRIVATE_H */