modules/ssl/ssl_util_ssl.c

	ssl_util_ssl.c revision 76fd02ce6aa984189050fa979bb5142dc409fc66
4b22b9337f359bfd063322244f5336cc7c6ffcfars/* Licensed to the Apache Software Foundation (ASF) under one or more
4b22b9337f359bfd063322244f5336cc7c6ffcfars * contributor license agreements.  See the NOTICE file distributed with
cda73f64f20b8a0afc4909f5ea1f055ec7913856Toomas Soome * this work for additional information regarding copyright ownership.
4b22b9337f359bfd063322244f5336cc7c6ffcfars * The ASF licenses this file to You under the Apache License, Version 2.0
4b22b9337f359bfd063322244f5336cc7c6ffcfars * (the "License"); you may not use this file except in compliance with
4b22b9337f359bfd063322244f5336cc7c6ffcfars * the License.  You may obtain a copy of the License at
4b22b9337f359bfd063322244f5336cc7c6ffcfars *
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome *     http://www.apache.org/licenses/LICENSE-2.0
4b22b9337f359bfd063322244f5336cc7c6ffcfars *
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * Unless required by applicable law or agreed to in writing, software
4b22b9337f359bfd063322244f5336cc7c6ffcfars * distributed under the License is distributed on an "AS IS" BASIS,
4b22b9337f359bfd063322244f5336cc7c6ffcfars * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
4b22b9337f359bfd063322244f5336cc7c6ffcfars * See the License for the specific language governing permissions and
4b22b9337f359bfd063322244f5336cc7c6ffcfars * limitations under the License.
4b22b9337f359bfd063322244f5336cc7c6ffcfars */
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars/*                      _             _
4b22b9337f359bfd063322244f5336cc7c6ffcfars *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
4b22b9337f359bfd063322244f5336cc7c6ffcfars * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
4b22b9337f359bfd063322244f5336cc7c6ffcfars * | | | | | | (_) | (_| |   \__ \__ \ |
4b22b9337f359bfd063322244f5336cc7c6ffcfars * |_| |_| |_|\___/ \__,_|___|___/___/_|
4b22b9337f359bfd063322244f5336cc7c6ffcfars *                      |_____|
4b22b9337f359bfd063322244f5336cc7c6ffcfars *  ssl_util_ssl.c
4b22b9337f359bfd063322244f5336cc7c6ffcfars *  Additional Utility Functions for OpenSSL
4b22b9337f359bfd063322244f5336cc7c6ffcfars */
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars#include "ssl_private.h"
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars/*  _________________________________________________________________
4b22b9337f359bfd063322244f5336cc7c6ffcfars**
4b22b9337f359bfd063322244f5336cc7c6ffcfars**  Additional High-Level Functions for OpenSSL
4b22b9337f359bfd063322244f5336cc7c6ffcfars**  _________________________________________________________________
4b22b9337f359bfd063322244f5336cc7c6ffcfars*/
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/* we initialize this index at startup time
4b22b9337f359bfd063322244f5336cc7c6ffcfars * and never write to it at request time,
4b22b9337f359bfd063322244f5336cc7c6ffcfars * so this static is thread safe.
4b22b9337f359bfd063322244f5336cc7c6ffcfars * also note that OpenSSL increments at static variable when
4b22b9337f359bfd063322244f5336cc7c6ffcfars * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
4b22b9337f359bfd063322244f5336cc7c6ffcfars */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soomestatic int SSL_app_data2_idx = -1;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfarsvoid SSL_init_app_data2_idx(void)
4b22b9337f359bfd063322244f5336cc7c6ffcfars{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    int i;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (SSL_app_data2_idx > -1) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    /* we _do_ need to call this twice */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    for (i=0; i<=1; i++) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        SSL_app_data2_idx =
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            SSL_get_ex_new_index(0,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                                 "Second Application Data for SSL",
4b22b9337f359bfd063322244f5336cc7c6ffcfars                                 NULL, NULL, NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soomevoid *SSL_get_app_data2(SSL *ssl)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soomevoid SSL_set_app_data2(SSL *ssl, void *arg)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return;
4b22b9337f359bfd063322244f5336cc7c6ffcfars}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**
cda73f64f20b8a0afc4909f5ea1f055ec7913856Toomas Soome**  High-Level Certificate / Private Key Loading
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  _________________________________________________________________
4b22b9337f359bfd063322244f5336cc7c6ffcfars*/
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeX509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    X509 *rc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO *bioS;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO *bioF;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* 1. try PEM (= DER+Base64+headers) */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if ((bioS=BIO_new_file(filename, "r")) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return NULL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO_free(bioS);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (rc == NULL) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        /* 2. try DER+Base64 */
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if ((bioS=BIO_new_file(filename, "r")) == NULL)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
cda73f64f20b8a0afc4909f5ea1f055ec7913856Toomas Soome        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars            BIO_free(bioS);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return NULL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
cda73f64f20b8a0afc4909f5ea1f055ec7913856Toomas Soome        bioS = BIO_push(bioF, bioS);
cda73f64f20b8a0afc4909f5ea1f055ec7913856Toomas Soome        rc = d2i_X509_bio(bioS, NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        BIO_free_all(bioS);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if (rc == NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars            /* 3. try plain DER */
4b22b9337f359bfd063322244f5336cc7c6ffcfars            if ((bioS=BIO_new_file(filename, "r")) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars                return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars            rc = d2i_X509_bio(bioS, NULL);
4b22b9337f359bfd063322244f5336cc7c6ffcfars            BIO_free(bioS);
4b22b9337f359bfd063322244f5336cc7c6ffcfars        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (rc != NULL && x509 != NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if (*x509 != NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars            X509_free(*x509);
4b22b9337f359bfd063322244f5336cc7c6ffcfars        *x509 = rc;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars    return rc;
4b22b9337f359bfd063322244f5336cc7c6ffcfars}
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfarsEVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
4b22b9337f359bfd063322244f5336cc7c6ffcfars{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    EVP_PKEY *rc;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO *bioS;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO *bioF;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    /* 1. try PEM (= DER+Base64+headers) */
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if ((bioS=BIO_new_file(filename, "r")) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO_free(bioS);
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (rc == NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        /* 2. try DER+Base64 */
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if ((bioS = BIO_new_file(filename, "r")) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars            return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars            BIO_free(bioS);
4b22b9337f359bfd063322244f5336cc7c6ffcfars            return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars        bioS = BIO_push(bioF, bioS);
4b22b9337f359bfd063322244f5336cc7c6ffcfars        rc = d2i_PrivateKey_bio(bioS, NULL);
4b22b9337f359bfd063322244f5336cc7c6ffcfars        BIO_free_all(bioS);
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if (rc == NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars            /* 3. try plain DER */
4b22b9337f359bfd063322244f5336cc7c6ffcfars            if ((bioS = BIO_new_file(filename, "r")) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars                return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars            rc = d2i_PrivateKey_bio(bioS, NULL);
4b22b9337f359bfd063322244f5336cc7c6ffcfars            BIO_free(bioS);
4b22b9337f359bfd063322244f5336cc7c6ffcfars        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (rc != NULL && key != NULL) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if (*key != NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars            EVP_PKEY_free(*key);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        *key = rc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return rc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  Smart shutdown
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome*/
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soomeint SSL_smart_shutdown(SSL *ssl)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    int i;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    int rc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /*
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * Repeat the calls, because SSL_shutdown internally dispatches through a
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * little state machine. Usually only one or two interation should be
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * needed, so we restrict the total number of restrictions in order to
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * avoid process hangs in case the client played bad with the socket
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * connection and OpenSSL cannot recognize it.
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    rc = 0;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if ((rc = SSL_shutdown(ssl)))
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            break;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return rc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  Certificate Checks
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome*/
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/* check whether cert contains extended key usage with a SGC tag */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeBOOL SSL_X509_isSGC(X509 *cert)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    int ext_nid;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    EXTENDED_KEY_USAGE *sk;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BOOL is_sgc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    int i;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    is_sgc = FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    sk = X509_get_ext_d2i(cert, NID_ext_key_usage, NULL, NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (sk) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        for (i = 0; i < sk_ASN1_OBJECT_num(sk); i++) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            ext_nid = OBJ_obj2nid(sk_ASN1_OBJECT_value(sk, i));
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                is_sgc = TRUE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                break;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    EXTENDED_KEY_USAGE_free(sk);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return is_sgc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/* retrieve basic constraints ingredients */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeBOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BASIC_CONSTRAINTS *bc;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIGNUM *bn = NULL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    char *cp;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    bc = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (bc == NULL)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        return FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    *ca = bc->ca;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    *pathlen = -1 /* unlimited */;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (bc->pathlen != NULL) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if ((bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL)) == NULL)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if ((cp = BN_bn2dec(bn)) == NULL)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        *pathlen = atoi(cp);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        free(cp);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        BN_free(bn);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BASIC_CONSTRAINTS_free(bc);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return TRUE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
4b22b9337f359bfd063322244f5336cc7c6ffcfars/* convert a NAME_ENTRY to UTF8 string */
4b22b9337f359bfd063322244f5336cc7c6ffcfarschar *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
4b22b9337f359bfd063322244f5336cc7c6ffcfars{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    char *result = NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO* bio;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    int len;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if ((bio = BIO_new(BIO_s_mem())) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return NULL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                         ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    len = BIO_pending(bio);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    result = apr_palloc(p, len+1);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    len = BIO_read(bio, result, len);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    result[len] = NUL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    ap_xlate_proto_from_ascii(result, len);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return result;
4b22b9337f359bfd063322244f5336cc7c6ffcfars}
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars/*
4b22b9337f359bfd063322244f5336cc7c6ffcfars * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * to maxlen characters (specify a maxlen of 0 for no length limit)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome */
4b22b9337f359bfd063322244f5336cc7c6ffcfarschar *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
4b22b9337f359bfd063322244f5336cc7c6ffcfars{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    char *result = NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO *bio;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    int len;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if ((bio = BIO_new(BIO_s_mem())) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return NULL;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    X509_NAME_print_ex(bio, dn, 0, XN_FLAG_RFC2253);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    len = BIO_pending(bio);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (len > 0) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        result = apr_palloc(p, (maxlen > 0) ? maxlen+1 : len+1);
4b22b9337f359bfd063322244f5336cc7c6ffcfars        if (maxlen > 0 && maxlen < len) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars            len = BIO_read(bio, result, maxlen);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            if (maxlen > 2) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                /* insert trailing ellipsis if there's enough space */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                apr_snprintf(result + maxlen - 3, 4, "...");
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        } else {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            len = BIO_read(bio, result, len);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars        result[len] = NUL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return result;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeBOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    STACK_OF(GENERAL_NAME) *names;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO *bio;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    X509_NAME *subj;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    char **cpp;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    int i, n;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        *ids = NULL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        return FALSE;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        (bio = BIO_new(BIO_s_mem()))) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        GENERAL_NAME *name;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            name = sk_GENERAL_NAME_value(names, i);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            if (name->type == GEN_DNS) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                                     ASN1_STRFLGS_UTF8_CONVERT);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                n = BIO_pending(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                if (n > 0) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                    cpp = (char **)apr_array_push(*ids);
4b22b9337f359bfd063322244f5336cc7c6ffcfars                    *cpp = apr_palloc(p, n+1);
4b22b9337f359bfd063322244f5336cc7c6ffcfars                    n = BIO_read(bio, *cpp, n);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                    (*cpp)[n] = NUL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars        BIO_free(bio);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (names)
4b22b9337f359bfd063322244f5336cc7c6ffcfars        sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* Second, the CN-IDs (commonName attributes in the subject DN) */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    subj = X509_get_subject_name(x509);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    i = -1;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        cpp = (char **)apr_array_push(*ids);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return apr_is_empty_array(*ids) ? FALSE : TRUE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * Check if a certificate matches for a particular name, by iterating over its
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching.
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * If server_rec is non-NULL, some (debug/trace) logging is enabled.
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeBOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                         BOOL allow_wildcard, server_rec *s)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BOOL matched = FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    apr_array_header_t *ids;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /*
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * At some day in the future, this might be replaced with X509_check_host()
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * (available in OpenSSL 1.0.2 and later), but two points should be noted:
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * 1) wildcard matching in X509_check_host() might yield different
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     *    results (by default, it supports a broader set of patterns, e.g.
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     *    wildcards in non-initial positions);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * 2) we lose the option of logging each DNS- and CN-ID (until a match
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     *    is found).
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (SSL_X509_getIDs(p, x509, &ids)) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        const char *cp;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        int i;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        char **id = (char **)ids->elts;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        BOOL is_wildcard;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        for (i = 0; i < ids->nelts; i++) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            if (!id[i])
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                continue;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            /*
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * Determine if it is a wildcard ID - we're restrictive
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * in the sense that we require the wildcard character to be
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * THE left-most label (i.e., the ID must start with "*.")
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            /*
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * If the ID includes a wildcard character (and the caller is
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * allowing wildcards), check if it matches for the left-most
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * DNS label - i.e., the wildcard character is not allowed
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome             * to match a dot. Otherwise, try a simple string compare.
4b22b9337f359bfd063322244f5336cc7c6ffcfars             */
4b22b9337f359bfd063322244f5336cc7c6ffcfars            if ((allow_wildcard == TRUE && is_wildcard == TRUE &&
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                 (cp = ap_strchr_c(name, '.')) && !strcasecmp(id[i]+1, cp)) ||
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                !strcasecmp(id[i], name)) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                matched = TRUE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars            if (s) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars                ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                             "[%s] SSL_X509_match_name: expecting name '%s', "
4b22b9337f359bfd063322244f5336cc7c6ffcfars                             "%smatched by ID '%s'",
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                             (mySrvConfig(s))->vhost_id, name,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                             matched == TRUE ? "" : "NOT ", id[i]);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
4b22b9337f359bfd063322244f5336cc7c6ffcfars            if (matched == TRUE) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                break;
4b22b9337f359bfd063322244f5336cc7c6ffcfars            }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (s) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, p, s, x509,
4b22b9337f359bfd063322244f5336cc7c6ffcfars                       APLOGNO(02412) "[%s] Cert %s for name '%s'",
4b22b9337f359bfd063322244f5336cc7c6ffcfars                       (mySrvConfig(s))->vhost_id,
4b22b9337f359bfd063322244f5336cc7c6ffcfars                       matched == TRUE ? "matches" : "does not match",
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                       name);
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    return matched;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  Low-Level CA Certificate Loading
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome*/
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeBOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
4b22b9337f359bfd063322244f5336cc7c6ffcfars                             STACK_OF(X509_INFO) *sk,
4b22b9337f359bfd063322244f5336cc7c6ffcfars                             const char *filename)
4b22b9337f359bfd063322244f5336cc7c6ffcfars{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO *in;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (!(in = BIO_new(BIO_s_file()))) {
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return FALSE;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (BIO_read_filename(in, filename) <= 0) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        BIO_free(in);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        return FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    ERR_clear_error();
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO_free(in);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return TRUE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas SoomeBOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                             STACK_OF(X509_INFO) *sk,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                             const char *pathname)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    /* XXX: this dir read code is exactly the same as that in
4b22b9337f359bfd063322244f5336cc7c6ffcfars     * ssl_engine_init.c, only the call to handle the fullname is different,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * should fold the duplication.
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    apr_dir_t *dir;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    apr_finfo_t dirent;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    const char *fullname;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BOOL ok = FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        return FALSE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if (dirent.filetype == APR_DIR) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            continue; /* don't try to load directories */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        fullname = apr_pstrcat(ptemp,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                               pathname, "/", dirent.name,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                               NULL);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            ok = TRUE;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
4b22b9337f359bfd063322244f5336cc7c6ffcfars    }
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars    apr_dir_close(dir);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
4b22b9337f359bfd063322244f5336cc7c6ffcfars    return ok;
4b22b9337f359bfd063322244f5336cc7c6ffcfars}
4b22b9337f359bfd063322244f5336cc7c6ffcfars
4b22b9337f359bfd063322244f5336cc7c6ffcfars/*  _________________________________________________________________
4b22b9337f359bfd063322244f5336cc7c6ffcfars**
4b22b9337f359bfd063322244f5336cc7c6ffcfars**  Extra Server Certificate Chain Support
4b22b9337f359bfd063322244f5336cc7c6ffcfars**  _________________________________________________________________
4b22b9337f359bfd063322244f5336cc7c6ffcfars*/
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * Read a file that optionally contains the server certificate in PEM
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * format, possibly followed by a sequence of CA certificates that
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome * should be sent to the peer in the SSL Certificate message.
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soomeint SSL_CTX_use_certificate_chain(
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
4b22b9337f359bfd063322244f5336cc7c6ffcfars{
4b22b9337f359bfd063322244f5336cc7c6ffcfars    BIO *bio;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    X509 *x509;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    unsigned long err;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    int n;
4b22b9337f359bfd063322244f5336cc7c6ffcfars
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
4b22b9337f359bfd063322244f5336cc7c6ffcfars        return -1;
4b22b9337f359bfd063322244f5336cc7c6ffcfars    if (BIO_read_filename(bio, file) <= 0) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        return -1;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* optionally skip a leading server certificate */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (skipfirst) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return -1;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        X509_free(x509);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* free a perhaps already configured extra chain */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome#ifdef OPENSSL_NO_SSL_INTERN
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    SSL_CTX_clear_extra_chain_certs(ctx);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome#else
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (ctx->extra_certs != NULL) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        ctx->extra_certs = NULL;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome#endif
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* create new extra chain by loading the certs */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    n = 0;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            X509_free(x509);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return -1;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        n++;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* Make sure that only the error is just an EOF */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if ((err = ERR_peek_error()) > 0) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome            return -1;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        while (ERR_get_error() > 0) ;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    }
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    BIO_free(bio);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return n;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome/*  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  Session Stuff
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome**  _________________________________________________________________
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome*/
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soomechar *SSL_SESSION_id2sz(unsigned char *id, int idlen,
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome                        char *str, int strsize)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome{
cda73f64f20b8a0afc4909f5ea1f055ec7913856Toomas Soome    if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* We must ensure not to process more than what would fit in the
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome     * destination buffer, including terminating NULL */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    if (idlen > (strsize-1) / 2)
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome        idlen = (strsize-1) / 2;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    ap_bin2hex(id, idlen, str);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    /* XXX: is this ap_str_toupper() necessary ? */
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    ap_str_toupper(str);
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome    return str;
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome}
5ffb0c9b03b5149ff4f5821a62be4a52408ada2aToomas Soome