modules/ssl/ssl_util_ssl.c

	ssl_util_ssl.c revision 44985e4f931d3a75a7e5108705010cc21605ee34
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/* Licensed to the Apache Software Foundation (ASF) under one or more
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * contributor license agreements.  See the NOTICE file distributed with
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * this work for additional information regarding copyright ownership.
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * The ASF licenses this file to You under the Apache License, Version 2.0
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * (the "License"); you may not use this file except in compliance with
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * the License.  You may obtain a copy of the License at
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *     http://www.apache.org/licenses/LICENSE-2.0
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * Unless required by applicable law or agreed to in writing, software
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * distributed under the License is distributed on an "AS IS" BASIS,
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * See the License for the specific language governing permissions and
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * limitations under the License.
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/*                      _             _
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * | | | | | | (_) | (_| |   \__ \__ \ |
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * |_| |_| |_|\___/ \__,_|___|___/___/_|
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *                      |_____|
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *  ssl_util_ssl.c
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny *  Additional Utility Functions for OpenSSL
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny#include "ssl_private.h"
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/*  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  Additional High-Level Functions for OpenSSL
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  _________________________________________________________________
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny*/
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/* we initialize this index at startup time
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * and never write to it at request time,
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * so this static is thread safe.
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * also note that OpenSSL increments at static variable when
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zelenystatic int SSL_app_data2_idx = -1;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zelenyvoid SSL_init_app_data2_idx(void)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    int i;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (SSL_app_data2_idx > -1) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        return;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    /* we _do_ need to call this twice */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    for (i=0; i<=1; i++) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        SSL_app_data2_idx =
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            SSL_get_ex_new_index(0,
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny                                 "Second Application Data for SSL",
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny                                 NULL, NULL, NULL);
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zelenyvoid *SSL_get_app_data2(SSL *ssl)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zelenyvoid SSL_set_app_data2(SSL *ssl, void *arg)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    return;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/*  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny**  High-Level Certificate / Private Key Loading
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny*/
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan ZelenyX509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny    X509 *rc;
64ddff90c7fcc02ccb06824ac93af7d5f361a88fJan Zeleny    BIO *bioS;
64ddff90c7fcc02ccb06824ac93af7d5f361a88fJan Zeleny    BIO *bioF;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    /* 1. try PEM (= DER+Base64+headers) */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if ((bioS=BIO_new_file(filename, "r")) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny    BIO_free(bioS);
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (rc == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        /* 2. try DER+Base64 */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if ((bioS=BIO_new_file(filename, "r")) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            BIO_free(bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        bioS = BIO_push(bioF, bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        rc = d2i_X509_bio(bioS, NULL);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        BIO_free_all(bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if (rc == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            /* 3. try plain DER */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            if ((bioS=BIO_new_file(filename, "r")) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny                return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            rc = d2i_X509_bio(bioS, NULL);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            BIO_free(bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (rc != NULL && x509 != NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if (*x509 != NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            X509_free(*x509);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        *x509 = rc;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    return rc;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan ZelenyEVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    EVP_PKEY *rc;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    BIO *bioS;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    BIO *bioF;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
92ec40e6aa25f75903ffdb166a8ec56b67bfd77dPavel Březina    /* 1. try PEM (= DER+Base64+headers) */
92ec40e6aa25f75903ffdb166a8ec56b67bfd77dPavel Březina    if ((bioS=BIO_new_file(filename, "r")) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    BIO_free(bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov    if (rc == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        /* 2. try DER+Base64 */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov        if ((bioS = BIO_new_file(filename, "r")) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            BIO_free(bioS);
fdab7bbf8933351f6254438c30ff361cd748b15aJan Zeleny            return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        bioS = BIO_push(bioF, bioS);
2f3ee3f49019f5b60adbe073070f31e6e2d7c7abStephen Gallagher        rc = d2i_PrivateKey_bio(bioS, NULL);
2f3ee3f49019f5b60adbe073070f31e6e2d7c7abStephen Gallagher        BIO_free_all(bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if (rc == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            /* 3. try plain DER */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            if ((bioS = BIO_new_file(filename, "r")) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny                return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            rc = d2i_PrivateKey_bio(bioS, NULL);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            BIO_free(bioS);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (rc != NULL && key != NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if (*key != NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            EVP_PKEY_free(*key);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        *key = rc;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    return rc;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/*  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  Smart shutdown
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny*/
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zelenyint SSL_smart_shutdown(SSL *ssl)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    int i;
0e65abe5cf2abf5d4b431cf6bd161b419f07901dLukas Slebodnik    int rc;
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    /*
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny     * Repeat the calls, because SSL_shutdown internally dispatches through a
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny     * little state machine. Usually only one or two interation should be
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny     * needed, so we restrict the total number of restrictions in order to
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny     * avoid process hangs in case the client played bad with the socket
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny     * connection and OpenSSL cannot recognize it.
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny     */
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    rc = 0;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if ((rc = SSL_shutdown(ssl)))
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            break;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    return rc;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny/*  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  Certificate Revocation List (CRL) Storage
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny**  _________________________________________________________________
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny*/
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan ZelenyX509_STORE *SSL_X509_STORE_create(char *cpFile, char *cpPath)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny{
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    X509_STORE *pStore;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    X509_LOOKUP *pLookup;
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov    int rv = 1;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    ERR_clear_error();
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (cpFile == NULL && cpPath == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if ((pStore = X509_STORE_new()) == NULL)
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (cpFile != NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if (pLookup == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            X509_STORE_free(pStore);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        rv = X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    if (cpPath != NULL && rv == 1) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        if (pLookup == NULL) {
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            X509_STORE_free(pStore);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny            return NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny        rv = X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    }
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny    return rv == 1 ? pStore : NULL;
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny}
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zeleny
1a853121ca2ba8ede6df429ee76942131ffb0f65Jan Zelenyint SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
                          X509_NAME *pName, X509_OBJECT *pObj)
{
    X509_STORE_CTX pStoreCtx;
    int rc;

    X509_STORE_CTX_init(&pStoreCtx, pStore, NULL, NULL);
    rc = X509_STORE_get_by_subject(&pStoreCtx, nType, pName, pObj);
    X509_STORE_CTX_cleanup(&pStoreCtx);
    return rc;
}

/*  _________________________________________________________________
**
**  Cipher Suite Spec String Creation
**  _________________________________________________________________
*/

char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
{
    STACK_OF(SSL_CIPHER) *sk;
    SSL_CIPHER *c;
    int i;
    int l;
    char *cpCipherSuite;
    char *cp;

    if (ssl == NULL)
        return "";
    if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
        return "";
    l = 0;
    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
        c = sk_SSL_CIPHER_value(sk, i);
        l += strlen(SSL_CIPHER_get_name(c))+2+1;
    }
    if (l == 0)
        return "";
    cpCipherSuite = (char *)apr_palloc(p, l+1);
    cp = cpCipherSuite;
    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
        c = sk_SSL_CIPHER_value(sk, i);
        l = strlen(SSL_CIPHER_get_name(c));
        memcpy(cp, SSL_CIPHER_get_name(c), l);
        cp += l;
        *cp++ = '/';
        *cp++ = (c->valid == 1 ? '1' : '0');
        *cp++ = ':';
    }
    *(cp-1) = NUL;
    return cpCipherSuite;
}

/*  _________________________________________________________________
**
**  Certificate Checks
**  _________________________________________________________________
*/

/* check whether cert contains extended key usage with a SGC tag */
BOOL SSL_X509_isSGC(X509 *cert)
{
    int ext_nid;
    EXTENDED_KEY_USAGE *sk;
    BOOL is_sgc;
    int i;

    is_sgc = FALSE;
    sk = X509_get_ext_d2i(cert, NID_ext_key_usage, NULL, NULL);
    if (sk) {
        for (i = 0; i < sk_ASN1_OBJECT_num(sk); i++) {
            ext_nid = OBJ_obj2nid(sk_ASN1_OBJECT_value(sk, i));
            if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) {
                is_sgc = TRUE;
                break;
            }
        }
    EXTENDED_KEY_USAGE_free(sk);
    }
    return is_sgc;
}

/* retrieve basic constraints ingredients */
BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
{
    BASIC_CONSTRAINTS *bc;
    BIGNUM *bn = NULL;
    char *cp;

    bc = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
    if (bc == NULL)
        return FALSE;
    *ca = bc->ca;
    *pathlen = -1 /* unlimited */;
    if (bc->pathlen != NULL) {
        if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL)
            return FALSE;
        if ((cp = BN_bn2dec(bn)) == NULL)
            return FALSE;
        *pathlen = atoi(cp);
        free(cp);
        BN_free(bn);
    }
    BASIC_CONSTRAINTS_free(bc);
    return TRUE;
}

/* convert a NAME_ENTRY to UTF8 string */
char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
{
    char *result = NULL;
    BIO* bio;
    int len;

    if ((bio = BIO_new(BIO_s_mem())) == NULL)
        return NULL;
    ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
                         ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
    len = BIO_pending(bio);
    result = apr_palloc(p, len+1);
    len = BIO_read(bio, result, len);
    result[len] = NUL;
    BIO_free(bio);
    ap_xlate_proto_from_ascii(result, len);
    return result;
}

/* retrieve subject CommonName of certificate */
BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
{
    X509_NAME *xsn;
    X509_NAME_ENTRY *xsne;
    int i, nid;

    xsn = X509_get_subject_name(xs);
    for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
                                           xsn->entries); i++) {
        xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
                                        xsn->entries, i);
        nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
        if (nid == NID_commonName) {
            *cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
            return TRUE;
        }
    }
    return FALSE;
}

/*  _________________________________________________________________
**
**  Low-Level CA Certificate Loading
**  _________________________________________________________________
*/

BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
                             STACK_OF(X509_INFO) *sk,
                             const char *filename)
{
    BIO *in;

    if (!(in = BIO_new(BIO_s_file()))) {
        return FALSE;
    }

    if (BIO_read_filename(in, filename) <= 0) {
        BIO_free(in);
        return FALSE;
    }

    ERR_clear_error();

    PEM_X509_INFO_read_bio(in, sk, NULL, NULL);

    BIO_free(in);

    return TRUE;
}

BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
                             STACK_OF(X509_INFO) *sk,
                             const char *pathname)
{
    /* XXX: this dir read code is exactly the same as that in
     * ssl_engine_init.c, only the call to handle the fullname is different,
     * should fold the duplication.
     */
    apr_dir_t *dir;
    apr_finfo_t dirent;
    apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
    const char *fullname;
    BOOL ok = FALSE;

    if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
        return FALSE;
    }

    while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
        if (dirent.filetype == APR_DIR) {
            continue; /* don't try to load directories */
        }

        fullname = apr_pstrcat(ptemp,
                               pathname, "/", dirent.name,
                               NULL);

        if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
            ok = TRUE;
        }
    }

    apr_dir_close(dir);

    return ok;
}

/*
 * Construct a stack of X509_INFO containing only certificates
 * that have signed the provided certificate or are an intermediary
 * signer of the certificate
*/
int SSL_X509_INFO_create_chain(const X509 *x509,
                             STACK_OF(X509_INFO) *ca_certs,
                             STACK_OF(X509_INFO) *chain)
{
    int can_proceed=1;
    int len=0;
    int i;
    X509 *certificate = (X509 *)x509;
    X509_INFO *info;
    X509_NAME *cert_issuer_name, *ca_name, *ca_issuer_name;

    while (can_proceed) {
        can_proceed = 0;
        cert_issuer_name = X509_get_issuer_name(certificate);

        for (i = 0; i < sk_X509_INFO_num(ca_certs); i++) {
            info = sk_X509_INFO_value(ca_certs, i);
            ca_name = X509_get_subject_name(info->x509);
            ca_issuer_name = X509_get_issuer_name(info->x509);

            if (X509_NAME_cmp(cert_issuer_name, ca_name) == 0) {
                /* Check for a self-signed cert (no issuer) */
                can_proceed=X509_NAME_cmp(ca_name, ca_issuer_name) == 0 ? 0 : 1;
                len++;
                certificate = info->x509;
                sk_X509_INFO_unshift(chain, info);
                break;
            }
        }
    }

    return len;
}

/*  _________________________________________________________________
**
**  Extra Server Certificate Chain Support
**  _________________________________________________________________
*/

/*
 * Read a file that optionally contains the server certificate in PEM
 * format, possibly followed by a sequence of CA certificates that
 * should be sent to the peer in the SSL Certificate message.
 */
int SSL_CTX_use_certificate_chain(
    SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
{
    BIO *bio;
    X509 *x509;
    unsigned long err;
    int n;
    STACK_OF(X509) *extra_certs;

    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
        return -1;
    if (BIO_read_filename(bio, file) <= 0) {
        BIO_free(bio);
        return -1;
    }
    /* optionally skip a leading server certificate */
    if (skipfirst) {
        if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
            BIO_free(bio);
            return -1;
        }
        X509_free(x509);
    }
    /* free a perhaps already configured extra chain */
    extra_certs = ctx->extra_certs;
    if (extra_certs != NULL) {
        sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
        ctx->extra_certs = NULL;
    }
    /* create new extra chain by loading the certs */
    n = 0;
    while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
        if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
            X509_free(x509);
            BIO_free(bio);
            return -1;
        }
        n++;
    }
    /* Make sure that only the error is just an EOF */
    if ((err = ERR_peek_error()) > 0) {
        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
            BIO_free(bio);
            return -1;
        }
        while (ERR_get_error() > 0) ;
    }
    BIO_free(bio);
    return n;
}

/*  _________________________________________________________________
**
**  Session Stuff
**  _________________________________________________________________
*/

char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
                        char *str, int strsize)
{
    char *cp;
    int n;

    cp = str;
    for (n = 0; n < idlen && n < SSL_MAX_SSL_SESSION_ID_LENGTH; n++) {
        apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
        cp += 2;
    }
    *cp = NUL;
    return str;
}