| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #ifndef SSL_PRIVATE_H |
| #define SSL_PRIVATE_H |
| |
| /* Exclude unused OpenSSL features |
| * even if the OpenSSL supports them |
| */ |
| #ifndef OPENSSL_NO_IDEA |
| #define OPENSSL_NO_IDEA |
| #endif |
| #ifndef OPENSSL_NO_KRB5 |
| #define OPENSSL_NO_KRB5 |
| #endif |
| #ifndef OPENSSL_NO_MDC2 |
| #define OPENSSL_NO_MDC2 |
| #endif |
| #ifndef OPENSSL_NO_RC5 |
| #define OPENSSL_NO_RC5 |
| #endif |
| |
| /* OpenSSL headers */ |
| #include <openssl/opensslv.h> |
| #include <openssl/ssl.h> |
| #include <openssl/err.h> |
| #include <openssl/x509.h> |
| #include <openssl/pem.h> |
| #include <openssl/pkcs12.h> |
| #include <openssl/crypto.h> |
| #include <openssl/evp.h> |
| #include <openssl/rand.h> |
| #include <openssl/x509v3.h> |
| #include <openssl/dh.h> |
| #include <openssl/bn.h> |
| /* Avoid tripping over an engine build installed globally and detected |
| * when the user points at an explicit non-engine flavor of OpenSSL |
| */ |
| #ifndef OPENSSL_NO_ENGINE |
| #include <openssl/engine.h> |
| #endif |
| |
| #ifndef RAND_MAX |
| #include <limits.h> |
| #define RAND_MAX INT_MAX |
| #endif |
| |
| #define SSL_AIDX_RSA (0) |
| #define SSL_AIDX_DSA (1) |
| #define SSL_AIDX_ECC (3) |
| #define SSL_AIDX_MAX (4) |
| |
| /* |
| * Define the SSL options |
| */ |
| #define SSL_OPT_NONE (0) |
| #define SSL_OPT_RELSET (1<<0) |
| #define SSL_OPT_STDENVVARS (1<<1) |
| #define SSL_OPT_EXPORTCERTDATA (1<<3) |
| #define SSL_OPT_FAKEBASICAUTH (1<<4) |
| #define SSL_OPT_STRICTREQUIRE (1<<5) |
| #define SSL_OPT_OPTRENEGOTIATE (1<<6) |
| #define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE) |
| |
| /* |
| * Define the SSL Protocol options |
| */ |
| #define SSL_PROTOCOL_NONE (0) |
| #define SSL_PROTOCOL_SSLV2 (1<<0) |
| #define SSL_PROTOCOL_SSLV3 (1<<1) |
| #define SSL_PROTOCOL_TLSV1 (1<<2) |
| #define SSL_PROTOCOL_TLSV1_1 (1<<3) |
| #define SSL_PROTOCOL_TLSV1_2 (1<<4) |
| |
| #define SSL_MODE_CLIENT (0) |
| #define SSL_MODE_SERVER (1) |
| #define SSL_MODE_COMBINED (2) |
| |
| #define SSL_BIO_FLAG_RDONLY (1<<0) |
| #define SSL_BIO_FLAG_CALLBACK (1<<1) |
| #define SSL_DEFAULT_CACHE_SIZE (256) |
| #define SSL_DEFAULT_VHOST_NAME ("_default_:443") |
| #define SSL_MAX_STR_LEN (2048) |
| #define SSL_MAX_PASSWORD_LEN (256) |
| |
| #define SSL_CVERIFY_UNSET (-1) |
| #define SSL_CVERIFY_NONE (0) |
| #define SSL_CVERIFY_OPTIONAL (1) |
| #define SSL_CVERIFY_REQUIRE (2) |
| #define SSL_CVERIFY_OPTIONAL_NO_CA (3) |
| #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) |
| |
| #define SSL_SHUTDOWN_TYPE_UNSET (0) |
| #define SSL_SHUTDOWN_TYPE_STANDARD (1) |
| #define SSL_SHUTDOWN_TYPE_UNCLEAN (2) |
| #define SSL_SHUTDOWN_TYPE_ACCURATE (3) |
| |
| #define SSL_TO_APR_ERROR(X) (APR_OS_START_USERERR + 1000 + X) |
| |
| #define SSL_INFO_SESSION_ID (0x0001) |
| #define SSL_INFO_CIPHER (0x0002) |
| #define SSL_INFO_CIPHER_USEKEYSIZE (0x0003) |
| #define SSL_INFO_CIPHER_ALGKEYSIZE (0x0004) |
| #define SSL_INFO_CIPHER_VERSION (0x0005) |
| #define SSL_INFO_CIPHER_DESCRIPTION (0x0006) |
| #define SSL_INFO_PROTOCOL (0x0007) |
| |
| #define SSL_INFO_CLIENT_S_DN (0x0010) |
| #define SSL_INFO_CLIENT_I_DN (0x0020) |
| #define SSL_INFO_SERVER_S_DN (0x0040) |
| #define SSL_INFO_SERVER_I_DN (0x0080) |
| |
| #define SSL_INFO_DN_COUNTRYNAME (0x0001) |
| #define SSL_INFO_DN_STATEORPROVINCENAME (0x0002) |
| #define SSL_INFO_DN_LOCALITYNAME (0x0003) |
| #define SSL_INFO_DN_ORGANIZATIONNAME (0x0004) |
| #define SSL_INFO_DN_ORGANIZATIONALUNITNAME (0x0005) |
| #define SSL_INFO_DN_COMMONNAME (0x0006) |
| #define SSL_INFO_DN_TITLE (0x0007) |
| #define SSL_INFO_DN_INITIALS (0x0008) |
| #define SSL_INFO_DN_GIVENNAME (0x0009) |
| #define SSL_INFO_DN_SURNAME (0x000A) |
| #define SSL_INFO_DN_DESCRIPTION (0x000B) |
| #define SSL_INFO_DN_UNIQUEIDENTIFIER (0x000C) |
| #define SSL_INFO_DN_EMAILADDRESS (0x000D) |
| |
| #define SSL_INFO_CLIENT_MASK (0x0100) |
| |
| #define SSL_INFO_CLIENT_M_VERSION (0x0101) |
| #define SSL_INFO_CLIENT_M_SERIAL (0x0102) |
| #define SSL_INFO_CLIENT_V_START (0x0103) |
| #define SSL_INFO_CLIENT_V_END (0x0104) |
| #define SSL_INFO_CLIENT_A_SIG (0x0105) |
| #define SSL_INFO_CLIENT_A_KEY (0x0106) |
| #define SSL_INFO_CLIENT_CERT (0x0107) |
| #define SSL_INFO_CLIENT_V_REMAIN (0x0108) |
| |
| #define SSL_INFO_SERVER_MASK (0x0200) |
| |
| #define SSL_INFO_SERVER_M_VERSION (0x0201) |
| #define SSL_INFO_SERVER_M_SERIAL (0x0202) |
| #define SSL_INFO_SERVER_V_START (0x0203) |
| #define SSL_INFO_SERVER_V_END (0x0204) |
| #define SSL_INFO_SERVER_A_SIG (0x0205) |
| #define SSL_INFO_SERVER_A_KEY (0x0206) |
| #define SSL_INFO_SERVER_CERT (0x0207) |
| #define SSL_INFO_CLIENT_CERT_CHAIN (0x0400) |
| |
| #define SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) \ |
| ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \ |
| || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \ |
| || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \ |
| || (errnum == X509_V_ERR_CERT_UNTRUSTED) \ |
| || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) |
| |
| #define SSL_DEFAULT_PASS_PROMPT "Some of your private key files are encrypted for security reasons.\n" \ |
| "In order to read them you have to provide the pass phrases.\n" \ |
| "Enter password :" |
| |
| #define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:") |
| |
| #if defined(SSL_OP_NO_TLSv1_1) |
| #define HAVE_TLSV1_1 |
| #endif |
| |
| #if defined(SSL_OP_NO_TLSv1_2) |
| #define HAVE_TLSV1_2 |
| #endif |
| |
| /** |
| * The following features all depend on TLS extension support. |
| * Within this block, check again for features (not version numbers). |
| */ |
| #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) |
| |
| #define HAVE_TLSEXT |
| |
| /* ECC */ |
| #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) |
| #define HAVE_ECC |
| #endif |
| |
| /* OCSP stapling */ |
| #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) |
| #define HAVE_OCSP_STAPLING |
| #define OCSP_STATUS_OK 0 |
| #define OCSP_STATUS_REVOKED 1 |
| #define OCSP_STATUS_UNKNOWN 2 |
| #endif |
| |
| #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ |
| |
| /* OpenSSL 1.0.2 compatibility */ |
| #if OPENSSL_VERSION_NUMBER < 0x10100000L |
| #define OpenSSL_version SSLeay_version |
| #define OpenSSL_version_num SSLeay |
| #define OPENSSL_VERSION SSLEAY_VERSION |
| #define OPENSSL_malloc_init CRYPTO_malloc_init |
| #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 |
| #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 |
| #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 |
| #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048 |
| #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072 |
| #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 |
| #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 |
| #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 |
| #define BIO_get_init(x) (x->init) |
| #define BIO_set_init(x,v) (x->init=v) |
| #define BIO_get_data(x) (x->ptr) |
| #define BIO_set_data(x,v) (x->ptr=v) |
| #define BIO_set_shutdown(x,v) (x->shutdown=v) |
| #define X509_REVOKED_get0_serialNumber(x) x->serialNumber |
| #define X509_STORE_CTX_get0_untrusted(x) (x->untrusted) |
| #define X509_OBJECT_free(x) {X509_OBJECT_free_contents(obj);\ |
| OPENSSL_free(obj);} |
| #define TLS_method SSLv23_method |
| #define TLS_client_method SSLv23_client_method |
| #define TLS_server_method SSLv23_server_method |
| #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ |
| |
| #define MAX_ALPN_NPN_PROTO_SIZE 65535 |
| #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1 |
| |
| typedef struct { |
| /* client can have any number of cert/key pairs */ |
| const char *cert_file; |
| const char *cert_path; |
| STACK_OF(X509_INFO) *certs; |
| } ssl_pkc_t; |
| |
| typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t; |
| |
| typedef struct { |
| char password[SSL_MAX_PASSWORD_LEN]; |
| const char *prompt; |
| tcn_callback_t cb; |
| } tcn_pass_cb_t; |
| |
| extern tcn_pass_cb_t tcn_password_callback; |
| |
| struct tcn_ssl_ctxt_t { |
| apr_pool_t *pool; |
| SSL_CTX *ctx; |
| BIO *bio_os; |
| BIO *bio_is; |
| |
| unsigned char context_id[SHA_DIGEST_LENGTH]; |
| |
| int protocol; |
| /* we are one or the other */ |
| int mode; |
| |
| /* certificate revocation list */ |
| X509_STORE *crl; |
| /* pointer to the context verify store */ |
| X509_STORE *store; |
| X509 *certs[SSL_AIDX_MAX]; |
| EVP_PKEY *keys[SSL_AIDX_MAX]; |
| |
| int ca_certs; |
| int shutdown_type; |
| char *rand_file; |
| |
| const char *cipher_suite; |
| /* for client or downstream server authentication */ |
| int verify_depth; |
| int verify_mode; |
| tcn_pass_cb_t *cb_data; |
| |
| /* for client: List of protocols to request via ALPN. |
| * for server: List of protocols to accept via ALPN. |
| */ |
| /* member alpn is array of protocol strings encoded as a list of bytes |
| * of length alpnlen, each protocol string is prepended with a byte |
| * containing the protocol string length (max 255), then follows the |
| * protocol string itself. |
| */ |
| char *alpn; |
| int alpnlen; |
| /* Add from netty-tcnative */ |
| /* certificate verifier callback */ |
| jobject verifier; |
| jmethodID verifier_method; |
| |
| unsigned char *next_proto_data; |
| unsigned int next_proto_len; |
| int next_selector_failure_behavior; |
| |
| /* Holds the alpn protocols, each of them prefixed with the len of the protocol */ |
| unsigned char *alpn_proto_data; |
| unsigned int alpn_proto_len; |
| int alpn_selector_failure_behavior; |
| /* End add from netty-tcnative */ |
| }; |
| |
| |
| typedef struct { |
| apr_pool_t *pool; |
| tcn_ssl_ctxt_t *ctx; |
| SSL *ssl; |
| X509 *peer; |
| int shutdown_type; |
| /* Track the handshake/renegotiation state for the connection so |
| * that all client-initiated renegotiations can be rejected, as a |
| * partial fix for CVE-2009-3555. |
| */ |
| enum { |
| RENEG_INIT = 0, /* Before initial handshake */ |
| RENEG_REJECT, /* After initial handshake; any client-initiated |
| * renegotiation should be rejected |
| */ |
| RENEG_ALLOW, /* A server-initated renegotiation is taking |
| * place (as dictated by configuration) |
| */ |
| RENEG_ABORT /* Renegotiation initiated by client, abort the |
| * connection |
| */ |
| } reneg_state; |
| apr_socket_t *sock; |
| apr_pollset_t *pollset; |
| } tcn_ssl_conn_t; |
| |
| |
| /* |
| * Additional Functions |
| */ |
| void SSL_init_app_data2_3_idx(void); |
| /* The app_data2 is used to store the tcn_ssl_ctxt_t pointer for the SSL instance. */ |
| void *SSL_get_app_data2(SSL *); |
| void SSL_set_app_data2(SSL *, void *); |
| /* The app_data3 is used to store the handshakeCount pointer for the SSL instance. */ |
| void *SSL_get_app_data3(const SSL *); |
| void SSL_set_app_data3(SSL *, void *); |
| int SSL_password_prompt(tcn_pass_cb_t *); |
| int SSL_password_callback(char *, int, int, void *); |
| void SSL_BIO_close(BIO *); |
| void SSL_BIO_doref(BIO *); |
| DH *SSL_get_dh_params(unsigned keylen); |
| DH *SSL_dh_GetParamFromFile(const char *); |
| #ifdef HAVE_ECC |
| EC_GROUP *SSL_ec_GetParamFromFile(const char *); |
| #endif |
| DH *SSL_callback_tmp_DH(SSL *, int, int); |
| void SSL_callback_handshake(const SSL *, int, int); |
| int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int); |
| int SSL_callback_SSL_verify(int, X509_STORE_CTX *); |
| int SSL_rand_seed(const char *file); |
| int SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int *, void *); |
| int SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned char *, const unsigned char *, unsigned int,void *); |
| int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *); |
| |
| |
| #endif /* SSL_PRIVATE_H */ |