1/* 2 neon SSL/TLS support using OpenSSL 3 Copyright (C) 2002-2009, Joe Orton <joe@manyfish.co.uk> 4 5 This library is free software; you can redistribute it and/or 6 modify it under the terms of the GNU Library General Public 7 License as published by the Free Software Foundation; either 8 version 2 of the License, or (at your option) any later version. 9 10 This library is distributed in the hope that it will be useful, 11 but WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 Library General Public License for more details. 14 15 You should have received a copy of the GNU Library General Public 16 License along with this library; if not, write to the Free 17 Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, 18 MA 02111-1307, USA 19 20*/ 21 22#include "config.h" 23 24#include <sys/types.h> 25 26#ifdef HAVE_STRING_H 27#include <string.h> 28#endif 29 30#include <stdio.h> 31 32#include <openssl/ssl.h> 33#include <openssl/err.h> 34#include <openssl/pkcs12.h> 35#include <openssl/x509v3.h> 36#include <openssl/rand.h> 37#include <openssl/opensslv.h> 38 39#ifdef NE_HAVE_TS_SSL 40#include <stdlib.h> /* for abort() */ 41#include <pthread.h> 42#endif 43 44#include "ne_ssl.h" 45#include "ne_string.h" 46#include "ne_session.h" 47#include "ne_internal.h" 48 49#include "ne_private.h" 50#include "ne_privssl.h" 51 52/* OpenSSL 0.9.6 compatibility */ 53#if OPENSSL_VERSION_NUMBER < 0x0090700fL 54#define PKCS12_unpack_authsafes M_PKCS12_unpack_authsafes 55#define PKCS12_unpack_p7data M_PKCS12_unpack_p7data 56/* cast away lack of const-ness */ 57#define OBJ_cmp(a,b) OBJ_cmp((ASN1_OBJECT *)(a), (ASN1_OBJECT *)(b)) 58#endif 59 60/* Second argument for d2i_X509() changed type in 0.9.8. */ 61#if OPENSSL_VERSION_NUMBER < 0x0090800fL 62typedef unsigned char ne_d2i_uchar; 63#else 64typedef const unsigned char ne_d2i_uchar; 65#endif 66 67struct ne_ssl_dname_s { 68 X509_NAME *dn; 69}; 70 71struct ne_ssl_certificate_s { 72 ne_ssl_dname subj_dn, issuer_dn; 73 X509 *subject; 74 ne_ssl_certificate *issuer; 75 char *identity; 76}; 77 78struct ne_ssl_client_cert_s { 79 PKCS12 *p12; 80 int decrypted; /* non-zero if successfully decrypted. */ 81 ne_ssl_certificate cert; 82 EVP_PKEY *pkey; 83 char *friendly_name; 84}; 85 86#define NE_SSL_UNHANDLED (0x20) /* failure bit for unhandled case. */ 87 88/* Append an ASN.1 DirectoryString STR to buffer BUF as UTF-8. 89 * Returns zero on success or non-zero on error. */ 90static int append_dirstring(ne_buffer *buf, ASN1_STRING *str) 91{ 92 unsigned char *tmp = (unsigned char *)""; /* initialize to workaround 0.9.6 bug */ 93 int len; 94 95 switch (str->type) { 96 case V_ASN1_IA5STRING: /* definitely ASCII */ 97 case V_ASN1_VISIBLESTRING: /* probably ASCII */ 98 case V_ASN1_PRINTABLESTRING: /* subset of ASCII */ 99 ne_buffer_qappend(buf, str->data, str->length); 100 break; 101 case V_ASN1_UTF8STRING: 102 /* Fail for embedded NUL bytes. */ 103 if (strlen((char *)str->data) != (size_t)str->length) { 104 return -1; 105 } 106 ne_buffer_append(buf, (char *)str->data, str->length); 107 break; 108 case V_ASN1_UNIVERSALSTRING: 109 case V_ASN1_T61STRING: /* let OpenSSL convert it as ISO-8859-1 */ 110 case V_ASN1_BMPSTRING: 111 len = ASN1_STRING_to_UTF8(&tmp, str); 112 if (len > 0) { 113 /* Fail if there were embedded NUL bytes. */ 114 if (strlen((char *)tmp) != (size_t)len) { 115 OPENSSL_free(tmp); 116 return -1; 117 } 118 else { 119 ne_buffer_append(buf, (char *)tmp, len); 120 OPENSSL_free(tmp); 121 } 122 break; 123 } else { 124 ERR_clear_error(); 125 return -1; 126 } 127 break; 128 default: 129 NE_DEBUG(NE_DBG_SSL, "Could not convert DirectoryString type %d\n", 130 str->type); 131 return -1; 132 } 133 return 0; 134} 135 136/* Returns a malloc-allocated version of IA5 string AS, escaped for 137 * safety. */ 138static char *dup_ia5string(const ASN1_IA5STRING *as) 139{ 140 return ne_strnqdup(as->data, as->length); 141} 142 143char *ne_ssl_readable_dname(const ne_ssl_dname *name) 144{ 145 int n, flag = 0; 146 ne_buffer *dump = ne_buffer_create(); 147 const ASN1_OBJECT * const cname = OBJ_nid2obj(NID_commonName), 148 * const email = OBJ_nid2obj(NID_pkcs9_emailAddress); 149 150 for (n = X509_NAME_entry_count(name->dn); n > 0; n--) { 151 X509_NAME_ENTRY *ent = X509_NAME_get_entry(name->dn, n-1); 152 153 /* Skip commonName or emailAddress except if there is no other 154 * attribute in dname. */ 155 if ((OBJ_cmp(ent->object, cname) && OBJ_cmp(ent->object, email)) || 156 (!flag && n == 1)) { 157 if (flag++) 158 ne_buffer_append(dump, ", ", 2); 159 160 if (append_dirstring(dump, ent->value)) 161 ne_buffer_czappend(dump, "???"); 162 } 163 } 164 165 return ne_buffer_finish(dump); 166} 167 168int ne_ssl_dname_cmp(const ne_ssl_dname *dn1, const ne_ssl_dname *dn2) 169{ 170 return X509_NAME_cmp(dn1->dn, dn2->dn); 171} 172 173void ne_ssl_clicert_free(ne_ssl_client_cert *cc) 174{ 175 if (cc->p12) 176 PKCS12_free(cc->p12); 177 if (cc->decrypted) { 178 if (cc->cert.identity) ne_free(cc->cert.identity); 179 EVP_PKEY_free(cc->pkey); 180 X509_free(cc->cert.subject); 181 } 182 if (cc->friendly_name) ne_free(cc->friendly_name); 183 ne_free(cc); 184} 185 186/* Format an ASN1 time to a string. 'buf' must be at least of size 187 * 'NE_SSL_VDATELEN'. */ 188static time_t asn1time_to_timet(const ASN1_TIME *atm) 189{ 190 struct tm tm = {0}; 191 int i = atm->length; 192 193 if (i < 10) 194 return (time_t )-1; 195 196 tm.tm_year = (atm->data[0]-'0') * 10 + (atm->data[1]-'0'); 197 198 /* Deal with Year 2000 */ 199 if (tm.tm_year < 70) 200 tm.tm_year += 100; 201 202 tm.tm_mon = (atm->data[2]-'0') * 10 + (atm->data[3]-'0') - 1; 203 tm.tm_mday = (atm->data[4]-'0') * 10 + (atm->data[5]-'0'); 204 tm.tm_hour = (atm->data[6]-'0') * 10 + (atm->data[7]-'0'); 205 tm.tm_min = (atm->data[8]-'0') * 10 + (atm->data[9]-'0'); 206 tm.tm_sec = (atm->data[10]-'0') * 10 + (atm->data[11]-'0'); 207 208#ifdef HAVE_TIMEZONE 209 /* ANSI C time handling is... interesting. */ 210 return mktime(&tm) - timezone; 211#else 212 return mktime(&tm); 213#endif 214} 215 216void ne_ssl_cert_validity_time(const ne_ssl_certificate *cert, 217 time_t *from, time_t *until) 218{ 219 if (from) { 220 *from = asn1time_to_timet(X509_get_notBefore(cert->subject)); 221 } 222 if (until) { 223 *until = asn1time_to_timet(X509_get_notAfter(cert->subject)); 224 } 225} 226 227/* Check certificate identity. Returns zero if identity matches; 1 if 228 * identity does not match, or <0 if the certificate had no identity. 229 * If 'identity' is non-NULL, store the malloc-allocated identity in 230 * *identity. Logic specified by RFC 2818 and RFC 3280. */ 231static int check_identity(const ne_uri *server, X509 *cert, char **identity) 232{ 233 STACK_OF(GENERAL_NAME) *names; 234 int match = 0, found = 0; 235 const char *hostname; 236 237 hostname = server ? server->host : ""; 238 239 names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 240 if (names) { 241 int n; 242 243 /* subjectAltName contains a sequence of GeneralNames */ 244 for (n = 0; n < sk_GENERAL_NAME_num(names) && !match; n++) { 245 GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, n); 246 247 /* handle dNSName and iPAddress name extensions only. */ 248 if (nm->type == GEN_DNS) { 249 char *name = dup_ia5string(nm->d.ia5); 250 if (identity && !found) *identity = ne_strdup(name); 251 match = ne__ssl_match_hostname(name, strlen(name), hostname); 252 ne_free(name); 253 found = 1; 254 } 255 else if (nm->type == GEN_IPADD) { 256 /* compare IP address with server IP address. */ 257 ne_inet_addr *ia; 258 if (nm->d.ip->length == 4) 259 ia = ne_iaddr_make(ne_iaddr_ipv4, nm->d.ip->data); 260 else if (nm->d.ip->length == 16) 261 ia = ne_iaddr_make(ne_iaddr_ipv6, nm->d.ip->data); 262 else 263 ia = NULL; 264 /* ne_iaddr_make returns NULL if address type is unsupported */ 265 if (ia != NULL) { /* address type was supported. */ 266 char buf[128]; 267 268 match = strcmp(hostname, 269 ne_iaddr_print(ia, buf, sizeof buf)) == 0; 270 found = 1; 271 ne_iaddr_free(ia); 272 } else { 273 NE_DEBUG(NE_DBG_SSL, "iPAddress name with unsupported " 274 "address type (length %d), skipped.\n", 275 nm->d.ip->length); 276 } 277 } 278 else if (nm->type == GEN_URI) { 279 char *name = dup_ia5string(nm->d.ia5); 280 ne_uri uri; 281 282 if (ne_uri_parse(name, &uri) == 0 && uri.host && uri.scheme) { 283 ne_uri tmp; 284 285 if (identity && !found) *identity = ne_strdup(name); 286 found = 1; 287 288 if (server) { 289 /* For comparison purposes, all that matters is 290 * host, scheme and port; ignore the rest. */ 291 memset(&tmp, 0, sizeof tmp); 292 tmp.host = uri.host; 293 tmp.scheme = uri.scheme; 294 tmp.port = uri.port; 295 296 match = ne_uri_cmp(server, &tmp) == 0; 297 } 298 } 299 300 ne_uri_free(&uri); 301 ne_free(name); 302 } 303 } 304 /* free the whole stack. */ 305 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); 306 } 307 308 /* Check against the commonName if no DNS alt. names were found, 309 * as per RFC3280. */ 310 if (!found) { 311 X509_NAME *subj = X509_get_subject_name(cert); 312 X509_NAME_ENTRY *entry; 313 ne_buffer *cname = ne_buffer_ncreate(30); 314 int idx = -1, lastidx; 315 316 /* find the most specific commonName attribute. */ 317 do { 318 lastidx = idx; 319 idx = X509_NAME_get_index_by_NID(subj, NID_commonName, lastidx); 320 } while (idx >= 0); 321 322 if (lastidx < 0) { 323 /* no commonName attributes at all. */ 324 ne_buffer_destroy(cname); 325 return -1; 326 } 327 328 /* extract the string from the entry */ 329 entry = X509_NAME_get_entry(subj, lastidx); 330 if (append_dirstring(cname, X509_NAME_ENTRY_get_data(entry))) { 331 ne_buffer_destroy(cname); 332 return -1; 333 } 334 if (identity) *identity = ne_strdup(cname->data); 335 match = ne__ssl_match_hostname(cname->data, cname->used - 1, hostname); 336 ne_buffer_destroy(cname); 337 } 338 339 NE_DEBUG(NE_DBG_SSL, "Identity match for '%s': %s\n", hostname, 340 match ? "good" : "bad"); 341 return match ? 0 : 1; 342} 343 344/* Populate an ne_ssl_certificate structure from an X509 object. */ 345static ne_ssl_certificate *populate_cert(ne_ssl_certificate *cert, X509 *x5) 346{ 347 cert->subj_dn.dn = X509_get_subject_name(x5); 348 cert->issuer_dn.dn = X509_get_issuer_name(x5); 349 cert->issuer = NULL; 350 cert->subject = x5; 351 /* Retrieve the cert identity; pass a dummy hostname to match. */ 352 cert->identity = NULL; 353 check_identity(NULL, x5, &cert->identity); 354 return cert; 355} 356 357/* OpenSSL cert verification callback. This is invoked for *each* 358 * error which is encoutered whilst verifying the cert chain; multiple 359 * invocations for any particular cert in the chain are possible. */ 360static int verify_callback(int ok, X509_STORE_CTX *ctx) 361{ 362 /* OpenSSL, living in its own little happy world of global state, 363 * where userdata was just a twinkle in the eye of an API designer 364 * yet to be born. Or... "Seriously, wtf?" */ 365 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, 366 SSL_get_ex_data_X509_STORE_CTX_idx()); 367 ne_session *sess = SSL_get_app_data(ssl); 368 int depth = X509_STORE_CTX_get_error_depth(ctx); 369 int err = X509_STORE_CTX_get_error(ctx); 370 int failures = 0; 371 372 /* If there's no error, nothing to do here. */ 373 if (ok) return ok; 374 375 NE_DEBUG(NE_DBG_SSL, "ssl: Verify callback @ %d => %d\n", depth, err); 376 377 /* Map the error code onto any of the exported cert validation 378 * errors, if possible. */ 379 switch (err) { 380 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 381 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 382 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 383 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 384 case X509_V_ERR_CERT_UNTRUSTED: 385 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 386 failures |= NE_SSL_UNTRUSTED; 387 break; 388 case X509_V_ERR_CERT_NOT_YET_VALID: 389 failures |= depth > 0 ? NE_SSL_BADCHAIN : NE_SSL_NOTYETVALID; 390 break; 391 case X509_V_ERR_CERT_HAS_EXPIRED: 392 failures |= depth > 0 ? NE_SSL_BADCHAIN : NE_SSL_EXPIRED; 393 break; 394 case X509_V_OK: 395 break; 396 default: 397 /* Clear the failures bitmask so check_certificate knows this 398 * is a bailout. */ 399 sess->ssl_context->failures |= NE_SSL_UNHANDLED; 400 NE_DEBUG(NE_DBG_SSL, "ssl: Unhandled verification error %d -> %s\n", 401 err, X509_verify_cert_error_string(err)); 402 return 0; 403 } 404 405 sess->ssl_context->failures |= failures; 406 407 NE_DEBUG(NE_DBG_SSL, "ssl: Verify failures |= %d => %d\n", failures, 408 sess->ssl_context->failures); 409 410 return 1; 411} 412 413/* Return a linked list of certificate objects from an OpenSSL chain. */ 414static ne_ssl_certificate *make_chain(STACK_OF(X509) *chain) 415{ 416 int n, count = sk_X509_num(chain); 417 ne_ssl_certificate *top = NULL, *current = NULL; 418 419 NE_DEBUG(NE_DBG_SSL, "Chain depth: %d\n", count); 420 421 for (n = 0; n < count; n++) { 422 ne_ssl_certificate *cert = ne_malloc(sizeof *cert); 423 populate_cert(cert, X509_dup(sk_X509_value(chain, n))); 424#ifdef NE_DEBUGGING 425 if (ne_debug_mask & NE_DBG_SSL) { 426 fprintf(ne_debug_stream, "Cert #%d:\n", n); 427 X509_print_fp(ne_debug_stream, cert->subject); 428 } 429#endif 430 if (top == NULL) { 431 current = top = cert; 432 } else { 433 current->issuer = cert; 434 current = cert; 435 } 436 } 437 438 return top; 439} 440 441/* Verifies an SSL server certificate. */ 442static int check_certificate(ne_session *sess, SSL *ssl, ne_ssl_certificate *chain) 443{ 444 X509 *cert = chain->subject; 445 int ret, failures = sess->ssl_context->failures; 446 ne_uri server; 447 448 /* If the verification callback hit a case which can't be mapped 449 * to one of the exported error bits, it's treated as a hard 450 * failure rather than invoking the callback, which can't present 451 * a useful error to the user. "Um, something is wrong. OK?" */ 452 if (failures & NE_SSL_UNHANDLED) { 453 long result = SSL_get_verify_result(ssl); 454 455 ne_set_error(sess, _("Certificate verification error: %s"), 456 X509_verify_cert_error_string(result)); 457 458 return NE_ERROR; 459 } 460 461 /* Check certificate was issued to this server; pass URI of 462 * server. */ 463 memset(&server, 0, sizeof server); 464 ne_fill_server_uri(sess, &server); 465 ret = check_identity(&server, cert, NULL); 466 ne_uri_free(&server); 467 if (ret < 0) { 468 ne_set_error(sess, _("Server certificate was missing commonName " 469 "attribute in subject name")); 470 return NE_ERROR; 471 } else if (ret > 0) failures |= NE_SSL_IDMISMATCH; 472 473 if (failures == 0) { 474 /* verified OK! */ 475 ret = NE_OK; 476 } else { 477 /* Set up the error string. */ 478 ne__ssl_set_verify_err(sess, failures); 479 ret = NE_ERROR; 480 /* Allow manual override */ 481 if (sess->ssl_verify_fn && 482 sess->ssl_verify_fn(sess->ssl_verify_ud, failures, chain) == 0) 483 ret = NE_OK; 484 } 485 486 return ret; 487} 488 489/* Duplicate a client certificate, which must be in the decrypted state. */ 490static ne_ssl_client_cert *dup_client_cert(const ne_ssl_client_cert *cc) 491{ 492 ne_ssl_client_cert *newcc = ne_calloc(sizeof *newcc); 493 494 newcc->decrypted = 1; 495 newcc->pkey = cc->pkey; 496 if (cc->friendly_name) 497 newcc->friendly_name = ne_strdup(cc->friendly_name); 498 499 populate_cert(&newcc->cert, cc->cert.subject); 500 501 cc->cert.subject->references++; 502 cc->pkey->references++; 503 return newcc; 504} 505 506/* Callback invoked when the SSL server requests a client certificate. */ 507static int provide_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey) 508{ 509 ne_session *const sess = SSL_get_app_data(ssl); 510 511 if (!sess->client_cert && sess->ssl_provide_fn) { 512 ne_ssl_dname **dnames = NULL, *dnarray = NULL; 513 int n, count = 0; 514 STACK_OF(X509_NAME) *ca_list = SSL_get_client_CA_list(ssl); 515 516 count = ca_list ? sk_X509_NAME_num(ca_list) : 0; 517 518 if (count > 0) { 519 dnames = ne_malloc(count * sizeof(ne_ssl_dname *)); 520 dnarray = ne_malloc(count * sizeof(ne_ssl_dname)); 521 522 for (n = 0; n < count; n++) { 523 dnames[n] = &dnarray[n]; 524 dnames[n]->dn = sk_X509_NAME_value(ca_list, n); 525 } 526 } 527 528 NE_DEBUG(NE_DBG_SSL, "Calling client certificate provider...\n"); 529 sess->ssl_provide_fn(sess->ssl_provide_ud, sess, 530 (const ne_ssl_dname *const *)dnames, count); 531 if (count) { 532 ne_free(dnarray); 533 ne_free(dnames); 534 } 535 } 536 537 if (sess->client_cert) { 538 ne_ssl_client_cert *const cc = sess->client_cert; 539 NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n"); 540 cc->pkey->references++; 541 cc->cert.subject->references++; 542 *cert = cc->cert.subject; 543 *pkey = cc->pkey; 544 return 1; 545 } else { 546 sess->ssl_cc_requested = 1; 547 NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n"); 548 return 0; 549 } 550} 551 552void ne_ssl_set_clicert(ne_session *sess, const ne_ssl_client_cert *cc) 553{ 554 sess->client_cert = dup_client_cert(cc); 555} 556 557ne_ssl_context *ne_ssl_context_create(int mode) 558{ 559 ne_ssl_context *ctx = ne_calloc(sizeof *ctx); 560 if (mode == NE_SSL_CTX_CLIENT) { 561 ctx->ctx = SSL_CTX_new(SSLv23_client_method()); 562 ctx->sess = NULL; 563 /* set client cert callback. */ 564 SSL_CTX_set_client_cert_cb(ctx->ctx, provide_client_cert); 565 /* enable workarounds for buggy SSL server implementations */ 566 SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL); 567 SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER, verify_callback); 568 } else if (mode == NE_SSL_CTX_SERVER) { 569 ctx->ctx = SSL_CTX_new(SSLv23_server_method()); 570 SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT); 571 } else { 572 ctx->ctx = SSL_CTX_new(SSLv2_server_method()); 573 SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT); 574 } 575 return ctx; 576} 577 578void ne_ssl_context_set_flag(ne_ssl_context *ctx, int flag, int value) 579{ 580 long opts = SSL_CTX_get_options(ctx->ctx); 581 582 switch (flag) { 583 case NE_SSL_CTX_SSLv2: 584 if (value) { 585 /* Enable SSLv2 support; clear the "no SSLv2" flag. */ 586 opts &= ~SSL_OP_NO_SSLv2; 587 } else { 588 /* Disable it: set the flag. */ 589 opts |= SSL_OP_NO_SSLv2; 590 } 591 break; 592 } 593 594 SSL_CTX_set_options(ctx->ctx, opts); 595} 596 597int ne_ssl_context_keypair(ne_ssl_context *ctx, const char *cert, 598 const char *key) 599{ 600 int ret; 601 602 ret = SSL_CTX_use_PrivateKey_file(ctx->ctx, key, SSL_FILETYPE_PEM); 603 if (ret == 1) { 604 ret = SSL_CTX_use_certificate_chain_file(ctx->ctx, cert); 605 } 606 607 return ret == 1 ? 0 : -1; 608} 609 610int ne_ssl_context_set_verify(ne_ssl_context *ctx, 611 int required, 612 const char *ca_names, 613 const char *verify_cas) 614{ 615 if (required) { 616 SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER | 617 SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); 618 } 619 if (ca_names) { 620 SSL_CTX_set_client_CA_list(ctx->ctx, 621 SSL_load_client_CA_file(ca_names)); 622 } 623 if (verify_cas) { 624 SSL_CTX_load_verify_locations(ctx->ctx, verify_cas, NULL); 625 } 626 return 0; 627} 628 629void ne_ssl_context_destroy(ne_ssl_context *ctx) 630{ 631 SSL_CTX_free(ctx->ctx); 632 if (ctx->sess) 633 SSL_SESSION_free(ctx->sess); 634 ne_free(ctx); 635} 636 637#if !defined(HAVE_SSL_SESSION_CMP) && !defined(SSL_SESSION_cmp) \ 638 && defined(OPENSSL_VERSION_NUMBER) \ 639 && OPENSSL_VERSION_NUMBER > 0x10000000L 640/* OpenSSL 1.0 removed SSL_SESSION_cmp for no apparent reason - hoping 641 * it is reasonable to assume that comparing the session IDs is 642 * sufficient. */ 643static int SSL_SESSION_cmp(SSL_SESSION *a, SSL_SESSION *b) 644{ 645 return a->session_id_length == b->session_id_length 646 && memcmp(a->session_id, b->session_id, a->session_id_length) == 0; 647} 648#endif 649 650/* For internal use only. */ 651int ne__negotiate_ssl(ne_session *sess) 652{ 653 ne_ssl_context *ctx = sess->ssl_context; 654 SSL *ssl; 655 STACK_OF(X509) *chain; 656 int freechain = 0; /* non-zero if chain should be free'd. */ 657 658 NE_DEBUG(NE_DBG_SSL, "Doing SSL negotiation.\n"); 659 660 /* Pass through the hostname if SNI is enabled. */ 661 ctx->hostname = 662 sess->flags[NE_SESSFLAG_TLS_SNI] ? sess->server.hostname : NULL; 663 664 sess->ssl_cc_requested = 0; 665 ctx->failures = 0; 666 667 if (ne_sock_connect_ssl(sess->socket, ctx, sess)) { 668 if (ctx->sess) { 669 /* remove cached session. */ 670 SSL_SESSION_free(ctx->sess); 671 ctx->sess = NULL; 672 } 673 if (sess->ssl_cc_requested) { 674 ne_set_error(sess, _("SSL handshake failed, " 675 "client certificate was requested: %s"), 676 ne_sock_error(sess->socket)); 677 } 678 else { 679 ne_set_error(sess, _("SSL handshake failed: %s"), 680 ne_sock_error(sess->socket)); 681 } 682 return NE_ERROR; 683 } 684 685 ssl = ne__sock_sslsock(sess->socket); 686 687 chain = SSL_get_peer_cert_chain(ssl); 688 /* For an SSLv2 connection, the cert chain will always be NULL. */ 689 if (chain == NULL) { 690 X509 *cert = SSL_get_peer_certificate(ssl); 691 if (cert) { 692 chain = sk_X509_new_null(); 693 sk_X509_push(chain, cert); 694 freechain = 1; 695 } 696 } 697 698 if (chain == NULL || sk_X509_num(chain) == 0) { 699 ne_set_error(sess, _("SSL server did not present certificate")); 700 return NE_ERROR; 701 } 702 703 if (sess->server_cert) { 704 int diff = X509_cmp(sk_X509_value(chain, 0), sess->server_cert->subject); 705 if (freechain) sk_X509_free(chain); /* no longer need the chain */ 706 if (diff) { 707 /* This could be a MITM attack: fail the request. */ 708 ne_set_error(sess, _("Server certificate changed: " 709 "connection intercepted?")); 710 return NE_ERROR; 711 } 712 /* certificate has already passed verification: no need to 713 * verify it again. */ 714 } else { 715 /* new connection: create the chain. */ 716 ne_ssl_certificate *cert = make_chain(chain); 717 718 if (freechain) sk_X509_free(chain); /* no longer need the chain */ 719 720 if (check_certificate(sess, ssl, cert)) { 721 NE_DEBUG(NE_DBG_SSL, "SSL certificate checks failed: %s\n", 722 sess->error); 723 ne_ssl_cert_free(cert); 724 return NE_ERROR; 725 } 726 /* remember the chain. */ 727 sess->server_cert = cert; 728 } 729 730 if (ctx->sess) { 731 SSL_SESSION *newsess = SSL_get0_session(ssl); 732 /* Replace the session if it has changed. */ 733 if (newsess != ctx->sess || SSL_SESSION_cmp(ctx->sess, newsess)) { 734 SSL_SESSION_free(ctx->sess); 735 ctx->sess = SSL_get1_session(ssl); /* bumping the refcount */ 736 } 737 } else { 738 /* Store the session. */ 739 ctx->sess = SSL_get1_session(ssl); 740 } 741 742 return NE_OK; 743} 744 745const ne_ssl_dname *ne_ssl_cert_issuer(const ne_ssl_certificate *cert) 746{ 747 return &cert->issuer_dn; 748} 749 750const ne_ssl_dname *ne_ssl_cert_subject(const ne_ssl_certificate *cert) 751{ 752 return &cert->subj_dn; 753} 754 755const ne_ssl_certificate *ne_ssl_cert_signedby(const ne_ssl_certificate *cert) 756{ 757 return cert->issuer; 758} 759 760const char *ne_ssl_cert_identity(const ne_ssl_certificate *cert) 761{ 762 return cert->identity; 763} 764 765void ne_ssl_context_trustcert(ne_ssl_context *ctx, const ne_ssl_certificate *cert) 766{ 767 X509_STORE *store = SSL_CTX_get_cert_store(ctx->ctx); 768 769 X509_STORE_add_cert(store, cert->subject); 770} 771 772void ne_ssl_trust_default_ca(ne_session *sess) 773{ 774 X509_STORE *store = SSL_CTX_get_cert_store(sess->ssl_context->ctx); 775 776#ifdef NE_SSL_CA_BUNDLE 777 X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL); 778#else 779 X509_STORE_set_default_paths(store); 780#endif 781} 782 783/* Find a friendly name in a PKCS12 structure the hard way, without 784 * decrypting the parts which are encrypted.. */ 785static char *find_friendly_name(PKCS12 *p12) 786{ 787 STACK_OF(PKCS7) *safes = PKCS12_unpack_authsafes(p12); 788 int n, m; 789 char *name = NULL; 790 791 if (safes == NULL) return NULL; 792 793 /* Iterate over the unpacked authsafes: */ 794 for (n = 0; n < sk_PKCS7_num(safes) && !name; n++) { 795 PKCS7 *safe = sk_PKCS7_value(safes, n); 796 STACK_OF(PKCS12_SAFEBAG) *bags; 797 798 /* Only looking for unencrypted authsafes. */ 799 if (OBJ_obj2nid(safe->type) != NID_pkcs7_data) continue; 800 801 bags = PKCS12_unpack_p7data(safe); 802 if (!bags) continue; 803 804 /* Iterate through the bags, picking out a friendly name */ 805 for (m = 0; m < sk_PKCS12_SAFEBAG_num(bags) && !name; m++) { 806 PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, m); 807 name = PKCS12_get_friendlyname(bag); 808 } 809 810 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 811 } 812 813 sk_PKCS7_pop_free(safes, PKCS7_free); 814 return name; 815} 816 817ne_ssl_client_cert *ne_ssl_clicert_read(const char *filename) 818{ 819 PKCS12 *p12; 820 FILE *fp; 821 X509 *cert; 822 EVP_PKEY *pkey; 823 ne_ssl_client_cert *cc; 824 825 fp = fopen(filename, "rb"); 826 if (fp == NULL) 827 return NULL; 828 829 p12 = d2i_PKCS12_fp(fp, NULL); 830 831 fclose(fp); 832 833 if (p12 == NULL) { 834 ERR_clear_error(); 835 return NULL; 836 } 837 838 /* Try parsing with no password. */ 839 if (PKCS12_parse(p12, NULL, &pkey, &cert, NULL) == 1) { 840 /* Success - no password needed for decryption. */ 841 int len = 0; 842 unsigned char *name; 843 844 if (!cert || !pkey) { 845 PKCS12_free(p12); 846 return NULL; 847 } 848 849 name = X509_alias_get0(cert, &len); 850 851 cc = ne_calloc(sizeof *cc); 852 cc->pkey = pkey; 853 cc->decrypted = 1; 854 if (name && len > 0) 855 cc->friendly_name = ne_strndup((char *)name, len); 856 populate_cert(&cc->cert, cert); 857 PKCS12_free(p12); 858 return cc; 859 } else { 860 /* Failed to parse the file */ 861 int err = ERR_get_error(); 862 ERR_clear_error(); 863 if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 && 864 ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) { 865 /* Decryption error due to bad password. */ 866 cc = ne_calloc(sizeof *cc); 867 cc->friendly_name = find_friendly_name(p12); 868 cc->p12 = p12; 869 return cc; 870 } else { 871 /* Some parse error, give up. */ 872 PKCS12_free(p12); 873 return NULL; 874 } 875 } 876} 877 878#ifdef HAVE_PAKCHOIS 879ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der, 880 size_t der_len, 881 const RSA_METHOD *method) 882{ 883 ne_ssl_client_cert *cc; 884 ne_d2i_uchar *p; 885 X509 *x5; 886 RSA *pk; 887 EVP_PKEY *epk, *tpk; 888 889 p = der; 890 x5 = d2i_X509(NULL, &p, der_len); /* p is incremented */ 891 if (x5 == NULL) { 892 ERR_clear_error(); 893 return NULL; 894 } 895 896 pk = RSA_new(); 897 RSA_set_method(pk, method); 898 epk = EVP_PKEY_new(); 899 EVP_PKEY_assign_RSA(epk, pk); 900 901 /* It is necessary to initialize pk->n otherwise OpenSSL will barf 902 * later calling RSA_size() on this RSA structure. 903 * X509_get_pubkey() forces the relevant RSA parameters to be 904 * extracted from the certificate. */ 905 tpk = X509_get_pubkey(x5); 906 pk->n = BN_dup(tpk->pkey.rsa->n); 907 EVP_PKEY_free(tpk); 908 909 cc = ne_calloc(sizeof *cc); 910 911 cc->decrypted = 1; 912 cc->pkey = epk; 913 914 populate_cert(&cc->cert, x5); 915 916 return cc; 917} 918#endif 919 920int ne_ssl_clicert_encrypted(const ne_ssl_client_cert *cc) 921{ 922 return !cc->decrypted; 923} 924 925int ne_ssl_clicert_decrypt(ne_ssl_client_cert *cc, const char *password) 926{ 927 X509 *cert; 928 EVP_PKEY *pkey; 929 930 if (PKCS12_parse(cc->p12, password, &pkey, &cert, NULL) != 1) { 931 ERR_clear_error(); 932 return -1; 933 } 934 935 if (X509_check_private_key(cert, pkey) != 1) { 936 ERR_clear_error(); 937 X509_free(cert); 938 EVP_PKEY_free(pkey); 939 NE_DEBUG(NE_DBG_SSL, "Decrypted private key/cert are not matched."); 940 return -1; 941 } 942 943 PKCS12_free(cc->p12); 944 populate_cert(&cc->cert, cert); 945 cc->pkey = pkey; 946 cc->decrypted = 1; 947 cc->p12 = NULL; 948 return 0; 949} 950 951const ne_ssl_certificate *ne_ssl_clicert_owner(const ne_ssl_client_cert *cc) 952{ 953 return &cc->cert; 954} 955 956const char *ne_ssl_clicert_name(const ne_ssl_client_cert *ccert) 957{ 958 return ccert->friendly_name; 959} 960 961ne_ssl_certificate *ne_ssl_cert_read(const char *filename) 962{ 963 FILE *fp = fopen(filename, "r"); 964 X509 *cert; 965 966 if (fp == NULL) 967 return NULL; 968 969 cert = PEM_read_X509(fp, NULL, NULL, NULL); 970 fclose(fp); 971 972 if (cert == NULL) { 973 NE_DEBUG(NE_DBG_SSL, "d2i_X509_fp failed: %s\n", 974 ERR_reason_error_string(ERR_get_error())); 975 ERR_clear_error(); 976 return NULL; 977 } 978 979 return populate_cert(ne_calloc(sizeof(struct ne_ssl_certificate_s)), cert); 980} 981 982int ne_ssl_cert_write(const ne_ssl_certificate *cert, const char *filename) 983{ 984 FILE *fp = fopen(filename, "w"); 985 986 if (fp == NULL) return -1; 987 988 if (PEM_write_X509(fp, cert->subject) != 1) { 989 ERR_clear_error(); 990 fclose(fp); 991 return -1; 992 } 993 994 if (fclose(fp) != 0) 995 return -1; 996 997 return 0; 998} 999 1000void ne_ssl_cert_free(ne_ssl_certificate *cert) 1001{ 1002 X509_free(cert->subject); 1003 if (cert->issuer) 1004 ne_ssl_cert_free(cert->issuer); 1005 if (cert->identity) 1006 ne_free(cert->identity); 1007 ne_free(cert); 1008} 1009 1010int ne_ssl_cert_cmp(const ne_ssl_certificate *c1, const ne_ssl_certificate *c2) 1011{ 1012 return X509_cmp(c1->subject, c2->subject); 1013} 1014 1015/* The certificate import/export format is the base64 encoding of the 1016 * raw DER; PEM without the newlines and wrapping. */ 1017 1018ne_ssl_certificate *ne_ssl_cert_import(const char *data) 1019{ 1020 unsigned char *der; 1021 ne_d2i_uchar *p; 1022 size_t len; 1023 X509 *x5; 1024 1025 /* decode the base64 to get the raw DER representation */ 1026 len = ne_unbase64(data, &der); 1027 if (len == 0) return NULL; 1028 1029 p = der; 1030 x5 = d2i_X509(NULL, &p, len); /* p is incremented */ 1031 ne_free(der); 1032 if (x5 == NULL) { 1033 ERR_clear_error(); 1034 return NULL; 1035 } 1036 1037 return populate_cert(ne_calloc(sizeof(struct ne_ssl_certificate_s)), x5); 1038} 1039 1040char *ne_ssl_cert_export(const ne_ssl_certificate *cert) 1041{ 1042 int len; 1043 unsigned char *der, *p; 1044 char *ret; 1045 1046 /* find the length of the DER encoding. */ 1047 len = i2d_X509(cert->subject, NULL); 1048 1049 p = der = ne_malloc(len); 1050 i2d_X509(cert->subject, &p); /* p is incremented */ 1051 1052 ret = ne_base64(der, len); 1053 ne_free(der); 1054 return ret; 1055} 1056 1057#if SHA_DIGEST_LENGTH != 20 1058# error SHA digest length is not 20 bytes 1059#endif 1060 1061int ne_ssl_cert_digest(const ne_ssl_certificate *cert, char *digest) 1062{ 1063 unsigned char sha1[EVP_MAX_MD_SIZE]; 1064 unsigned int len, j; 1065 char *p; 1066 1067 if (!X509_digest(cert->subject, EVP_sha1(), sha1, &len) || len != 20) { 1068 ERR_clear_error(); 1069 return -1; 1070 } 1071 1072 for (j = 0, p = digest; j < 20; j++) { 1073 *p++ = NE_HEX2ASC((sha1[j] >> 4) & 0x0f); 1074 *p++ = NE_HEX2ASC(sha1[j] & 0x0f); 1075 *p++ = ':'; 1076 } 1077 1078 p[-1] = '\0'; 1079 return 0; 1080} 1081 1082#ifdef NE_HAVE_TS_SSL 1083/* Implementation of locking callbacks to make OpenSSL thread-safe. 1084 * If the OpenSSL API was better designed, this wouldn't be necessary. 1085 * In OpenSSL releases without CRYPTO_set_idptr_callback, it's not 1086 * possible to implement the locking in a POSIX-compliant way, since 1087 * it's necessary to cast from a pthread_t to an unsigned long at some 1088 * point. */ 1089 1090static pthread_mutex_t *locks; 1091static size_t num_locks; 1092 1093#ifndef HAVE_CRYPTO_SET_IDPTR_CALLBACK 1094/* Named to be obvious when it shows up in a backtrace. */ 1095static unsigned long thread_id_neon(void) 1096{ 1097 /* This will break if pthread_t is a structure; upgrading OpenSSL 1098 * >= 0.9.9 (which does not require this callback) is the only 1099 * solution. */ 1100 return (unsigned long) pthread_self(); 1101} 1102#endif 1103 1104/* Another great API design win for OpenSSL: no return value! So if 1105 * the lock/unlock fails, all that can be done is to abort. */ 1106static void thread_lock_neon(int mode, int n, const char *file, int line) 1107{ 1108 if (mode & CRYPTO_LOCK) { 1109 if (pthread_mutex_lock(&locks[n])) { 1110 abort(); 1111 } 1112 } 1113 else { 1114 if (pthread_mutex_unlock(&locks[n])) { 1115 abort(); 1116 } 1117 } 1118} 1119 1120#endif 1121 1122/* ID_CALLBACK_IS_{NEON,OTHER} evaluate as true if the currently 1123 * registered OpenSSL ID callback is the neon function (_NEON), or has 1124 * been overwritten by some other app (_OTHER). */ 1125#ifdef HAVE_CRYPTO_SET_IDPTR_CALLBACK 1126#define ID_CALLBACK_IS_OTHER (0) 1127#define ID_CALLBACK_IS_NEON (1) 1128#else 1129#define ID_CALLBACK_IS_OTHER (CRYPTO_get_id_callback() != NULL) 1130#define ID_CALLBACK_IS_NEON (CRYPTO_get_id_callback() == thread_id_neon) 1131#endif 1132 1133int ne__ssl_init(void) 1134{ 1135 CRYPTO_malloc_init(); 1136 SSL_load_error_strings(); 1137 SSL_library_init(); 1138 OpenSSL_add_all_algorithms(); 1139 1140#ifdef NE_HAVE_TS_SSL 1141 /* If some other library has already come along and set up the 1142 * thread-safety callbacks, then it must be presumed that the 1143 * other library will have a longer lifetime in the process than 1144 * neon. If the library which has installed the callbacks is 1145 * unloaded, then all bets are off. */ 1146 if (ID_CALLBACK_IS_OTHER || CRYPTO_get_locking_callback() != NULL) { 1147 NE_DEBUG(NE_DBG_SOCKET, "ssl: OpenSSL thread-safety callbacks already installed.\n"); 1148 NE_DEBUG(NE_DBG_SOCKET, "ssl: neon will not replace existing callbacks.\n"); 1149 } else { 1150 size_t n; 1151 1152 num_locks = CRYPTO_num_locks(); 1153 1154 /* For releases where CRYPTO_set_idptr_callback is present, 1155 * the default ID callback should be sufficient. */ 1156#ifndef HAVE_CRYPTO_SET_IDPTR_CALLBACK 1157 CRYPTO_set_id_callback(thread_id_neon); 1158#endif 1159 CRYPTO_set_locking_callback(thread_lock_neon); 1160 1161 locks = malloc(num_locks * sizeof *locks); 1162 for (n = 0; n < num_locks; n++) { 1163 if (pthread_mutex_init(&locks[n], NULL)) { 1164 NE_DEBUG(NE_DBG_SOCKET, "ssl: Failed to initialize pthread mutex.\n"); 1165 return -1; 1166 } 1167 } 1168 1169 NE_DEBUG(NE_DBG_SOCKET, "ssl: Initialized OpenSSL thread-safety callbacks " 1170 "for %" NE_FMT_SIZE_T " locks.\n", num_locks); 1171 } 1172#endif 1173 1174 return 0; 1175} 1176 1177void ne__ssl_exit(void) 1178{ 1179 /* Cannot call ERR_free_strings() etc here in case any other code 1180 * in the process using OpenSSL. */ 1181 1182#ifdef NE_HAVE_TS_SSL 1183 /* Only unregister the callbacks if some *other* library has not 1184 * come along in the mean-time and trampled over the callbacks 1185 * installed by neon. */ 1186 if (CRYPTO_get_locking_callback() == thread_lock_neon 1187 && ID_CALLBACK_IS_NEON) { 1188 size_t n; 1189 1190#ifndef HAVE_CRYPTO_SET_IDPTR_CALLBACK 1191 CRYPTO_set_id_callback(NULL); 1192#endif 1193 CRYPTO_set_locking_callback(NULL); 1194 1195 for (n = 0; n < num_locks; n++) { 1196 pthread_mutex_destroy(&locks[n]); 1197 } 1198 1199 free(locks); 1200 } 1201#endif 1202} 1203