ssl_util.c revision f4311d5c9112156f84d47a1ca2ff6811de838031
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* _ _
* _ __ ___ ___ __| | ___ ___| | mod_ssl
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
* | | | | | | (_) | (_| | \__ \__ \ |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
* |_____|
* ssl_util.c
* Utility Functions
*/
/* ``Every day of my life
I am forced to add another
name to the list of people
who piss me off!''
-- Calvin */
#include "ssl_private.h"
#include "ap_mpm.h"
#include "apr_thread_mutex.h"
/* _________________________________________________________________
**
** Utility Functions
** _________________________________________________________________
*/
char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
{
char *id;
SSLSrvConfigRec *sc;
char *host;
apr_port_t port;
host = s->server_hostname;
if (s->port != 0)
port = s->port;
else {
sc = mySrvConfig(s);
if (sc->enabled == TRUE)
port = DEFAULT_HTTPS_PORT;
else
port = DEFAULT_HTTP_PORT;
}
id = apr_psprintf(p, "%s:%lu", host, (unsigned long)port);
return id;
}
apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
const char * const *argv)
{
apr_procattr_t *procattr;
apr_proc_t *proc;
if (apr_procattr_create(&procattr, p) != APR_SUCCESS)
return NULL;
if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK,
APR_FULL_BLOCK) != APR_SUCCESS)
return NULL;
if (apr_procattr_dir_set(procattr,
ap_make_dirstr_parent(p, cmd)) != APR_SUCCESS)
return NULL;
if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
return NULL;
if ((proc = (apr_proc_t *)apr_pcalloc(p, sizeof(apr_proc_t))) == NULL)
return NULL;
if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
return NULL;
return proc->out;
}
void ssl_util_ppclose(server_rec *s, apr_pool_t *p, apr_file_t *fp)
{
apr_file_close(fp);
return;
}
/*
* Run a filter program and read the first line of its stdout output
*/
char *ssl_util_readfilter(server_rec *s, apr_pool_t *p, const char *cmd,
const char * const *argv)
{
static char buf[MAX_STRING_LEN];
apr_file_t *fp;
apr_size_t nbytes = 1;
char c;
int k;
if ((fp = ssl_util_ppopen(s, p, cmd, argv)) == NULL)
return NULL;
/* XXX: we are reading 1 byte at a time here */
for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS
&& nbytes == 1 && (k < MAX_STRING_LEN-1) ; ) {
if (c == '\n' || c == '\r')
break;
buf[k++] = c;
}
buf[k] = NUL;
ssl_util_ppclose(s, p, fp);
return buf;
}
BOOL ssl_util_path_check(ssl_pathcheck_t pcm, const char *path, apr_pool_t *p)
{
apr_finfo_t finfo;
if (path == NULL)
return FALSE;
if (pcm & SSL_PCM_EXISTS && apr_stat(&finfo, path,
APR_FINFO_TYPE|APR_FINFO_SIZE, p) != 0)
return FALSE;
if (pcm & SSL_PCM_ISREG && finfo.filetype != APR_REG)
return FALSE;
if (pcm & SSL_PCM_ISDIR && finfo.filetype != APR_DIR)
return FALSE;
if (pcm & SSL_PCM_ISNONZERO && finfo.size <= 0)
return FALSE;
return TRUE;
}
ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
{
ssl_algo_t t;
EVP_PKEY *pFreeKey = NULL;
t = SSL_ALGO_UNKNOWN;
if (pCert != NULL)
pFreeKey = pKey = X509_get_pubkey(pCert);
if (pKey != NULL) {
switch (EVP_PKEY_key_type(pKey)) {
case EVP_PKEY_RSA:
t = SSL_ALGO_RSA;
break;
case EVP_PKEY_DSA:
t = SSL_ALGO_DSA;
break;
default:
break;
}
}
#ifdef OPENSSL_VERSION_NUMBER
/* Only refcounted in OpenSSL */
if (pFreeKey != NULL)
EVP_PKEY_free(pFreeKey);
#endif
return t;
}
char *ssl_util_algotypestr(ssl_algo_t t)
{
char *cp;
cp = "UNKNOWN";
switch (t) {
case SSL_ALGO_RSA:
cp = "RSA";
break;
case SSL_ALGO_DSA:
cp = "DSA";
break;
default:
break;
}
return cp;
}
/*
* certain key and cert data needs to survive restarts,
* which are stored in the user data table of s->process->pool.
* to prevent "leaking" of this data, we use malloc/free
* rather than apr_palloc and these wrappers to help make sure
* we do not leak the malloc-ed data.
*/
unsigned char *ssl_asn1_table_set(apr_hash_t *table,
const char *key,
long int length)
{
apr_ssize_t klen = strlen(key);
ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
/*
* if a value for this key already exists,
* reuse as much of the already malloc-ed data
* as possible.
*/
if (asn1) {
if (asn1->nData != length) {
free(asn1->cpData); /* XXX: realloc? */
asn1->cpData = NULL;
}
}
else {
asn1 = malloc(sizeof(*asn1));
asn1->source_mtime = 0; /* used as a note for encrypted private keys */
asn1->cpData = NULL;
}
asn1->nData = length;
if (!asn1->cpData) {
asn1->cpData = malloc(length);
}
apr_hash_set(table, key, klen, asn1);
return asn1->cpData; /* caller will assign a value to this */
}
ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
const char *key)
{
return (ssl_asn1_t *)apr_hash_get(table, key, APR_HASH_KEY_STRING);
}
void ssl_asn1_table_unset(apr_hash_t *table,
const char *key)
{
apr_ssize_t klen = strlen(key);
ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
if (!asn1) {
return;
}
if (asn1->cpData) {
free(asn1->cpData);
}
free(asn1);
apr_hash_set(table, key, klen, NULL);
}
static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
const char *ssl_asn1_keystr(int keytype)
{
if (keytype >= SSL_AIDX_MAX) {
return NULL;
}
return ssl_asn1_key_types[keytype];
}
const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
const char *id,
int keytype)
{
const char *keystr = ssl_asn1_keystr(keytype);
return apr_pstrcat(p, id, ":", keystr, NULL);
}
STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
{
PKCS7 *p7;
STACK_OF(X509) *certs = NULL;
FILE *f;
f = fopen(pkcs7, "r");
if (!f) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Can't open %s", pkcs7);
ssl_die();
}
p7 = PEM_read_PKCS7(f, NULL, NULL, NULL);
if (!p7) {
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"Can't read PKCS7 object %s", pkcs7);
ssl_log_ssl_error(APLOG_MARK, APLOG_CRIT, s);
exit(1);
}
switch (OBJ_obj2nid(p7->type)) {
case NID_pkcs7_signed:
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped:
certs = p7->d.signed_and_enveloped->cert;
break;
default:
ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
"Don't understand PKCS7 file %s", pkcs7);
ssl_die();
}
if (!certs) {
ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
"No certificates in %s", pkcs7);
ssl_die();
}
fclose(f);
return certs;
}
#if APR_HAS_THREADS
/*
* To ensure thread-safetyness in OpenSSL - work in progress
*/
static apr_thread_mutex_t **lock_cs;
static int lock_num_locks;
#ifdef HAVE_SSLC
#if SSLC_VERSION_NUMBER >= 0x2000
static int ssl_util_thr_lock(int mode, int type,
char *file, int line)
#else
static void ssl_util_thr_lock(int mode, int type,
char *file, int line)
#endif
#else
static void ssl_util_thr_lock(int mode, int type,
const char *file, int line)
#endif
{
if (type < lock_num_locks) {
if (mode & CRYPTO_LOCK) {
apr_thread_mutex_lock(lock_cs[type]);
}
else {
apr_thread_mutex_unlock(lock_cs[type]);
}
#ifdef HAVE_SSLC
#if SSLC_VERSION_NUMBER >= 0x2000
return 1;
}
else {
return -1;
#endif
#endif
}
}
static unsigned long ssl_util_thr_id(void)
{
/* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
* id is a structure twice that big. Use the TCB pointer instead as a
* unique unsigned long.
*/
#ifdef __MVS__
struct PSA {
char unmapped[540];
unsigned long PSATOLD;
} *psaptr = 0;
return psaptr->PSATOLD;
#else
return (unsigned long) apr_os_thread_current();
#endif
}
static apr_status_t ssl_util_thread_cleanup(void *data)
{
CRYPTO_set_locking_callback(NULL);
CRYPTO_set_id_callback(NULL);
/* Let the registered mutex cleanups do their own thing
*/
return APR_SUCCESS;
}
void ssl_util_thread_setup(apr_pool_t *p)
{
int i;
lock_num_locks = CRYPTO_num_locks();
lock_cs = apr_palloc(p, lock_num_locks * sizeof(*lock_cs));
for (i = 0; i < lock_num_locks; i++) {
apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
}
CRYPTO_set_id_callback(ssl_util_thr_id);
CRYPTO_set_locking_callback(ssl_util_thr_lock);
apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup,
apr_pool_cleanup_null);
}
#endif