tls_domain.c

00001 /*
00002  * Copyright (C) 2001-2003 FhG FOKUS
00003  * Copyright (C) 2005,2006 iptelorg GmbH
00004  *
00005  * Permission to use, copy, modify, and distribute this software for any
00006  * purpose with or without fee is hereby granted, provided that the above
00007  * copyright notice and this permission notice appear in all copies.
00008  *
00009  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
00010  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
00011  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
00012  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
00013  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
00014  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
00015  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
00016  */
00017 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# include <openssl/ui.h>
#endif
#include "../../ut.h"
#include "../../mem/shm_mem.h"
#include "../../pt.h"
#include "../../cfg/cfg.h"
#include "tls_server.h"
#include "tls_util.h"
#include "tls_mod.h"
#include "tls_init.h"
#include "tls_domain.h"
#include "tls_cfg.h"
00042 
00043 
/* Allocates a zeroed TLS domain in shared memory (shm_malloc).
 * type: TLS_DOMAIN_SRV/TLS_DOMAIN_CLI, optionally or'ed with TLS_DOMAIN_DEF.
 * ip/port: the local address the domain applies to; ip may be NULL (left zero).
 * Returns the new domain or 0 on allocation failure (already logged). */
tls_domain_t* tls_new_domain(int type, struct ip_addr *ip, unsigned short port)
{
	tls_domain_t* dom;

	dom = shm_malloc(sizeof(*dom));
	if (!dom) {
		ERR("Memory allocation failure\n");
		return 0;
	}
	memset(dom, 0, sizeof(*dom));

	dom->type = type;
	if (ip) {
		dom->ip = *ip;
	}
	dom->port = port;
	/* -1 marks "not configured"; fill_missing() later replaces these with
	 * the parent/default domain's values. */
	dom->verify_cert = -1;
	dom->verify_depth = -1;
	dom->require_cert = -1;
	return dom;
}
00072 
00073 
/* Releases a domain created by tls_new_domain(): every per-process SSL_CTX,
 * the context array, the path/cipher strings and the domain itself.
 * A NULL argument is a no-op. The caller must unlink d from any list first. */
void tls_free_domain(tls_domain_t* d)
{
	int idx, procs_no;

	if (d == NULL) {
		return;
	}
	/* Entries may still be NULL when fix_domain() failed part-way through
	 * SSL_CTX creation, so each slot is checked individually. */
	if (d->ctx != NULL) {
		procs_no = get_max_procs();
		for (idx = 0; idx < procs_no; idx++) {
			if (d->ctx[idx] != NULL) {
				SSL_CTX_free(d->ctx[idx]);
			}
		}
		shm_free(d->ctx);
	}
	if (d->cipher_list.s != NULL) shm_free(d->cipher_list.s);
	if (d->ca_file.s != NULL) shm_free(d->ca_file.s);
	if (d->crl_file.s != NULL) shm_free(d->crl_file.s);
	if (d->pkey_file.s != NULL) shm_free(d->pkey_file.s);
	if (d->cert_file.s != NULL) shm_free(d->cert_file.s);
	shm_free(d);
}
00099 
00100 
/* Frees every domain hanging off *head and leaves *head == NULL. */
static void free_domain_list(tls_domain_t** head)
{
	tls_domain_t* victim;

	while (*head != NULL) {
		victim = *head;
		*head = victim->next;
		tls_free_domain(victim);
	}
}

/* Frees all domains owned by cfg: both explicit lists and the two defaults.
 * The cfg structure itself is NOT freed here.
 * NOTE(review): the default pointers are left dangling after this call;
 * callers must not reuse cfg without resetting them -- confirm the owner
 * releases the container. */
void tls_free_cfg(tls_domains_cfg_t* cfg)
{
	free_domain_list(&cfg->srv_list);
	free_domain_list(&cfg->cli_list);
	/* tls_free_domain() accepts NULL, so no guard is needed here. */
	tls_free_domain(cfg->srv_default);
	tls_free_domain(cfg->cli_default);
}
00121 
00122 
/* Module teardown: destroys the configuration lock and frees the whole
 * list of TLS domain configurations reachable from *tls_domains_cfg,
 * then the shared pointer cell itself. Safe to call when nothing was set up. */
void tls_destroy_cfg(void)
{
	tls_domains_cfg_t* cur;

	if (tls_domains_cfg_lock != NULL) {
		lock_destroy(tls_domains_cfg_lock);
		lock_dealloc(tls_domains_cfg_lock);
		tls_domains_cfg_lock = 0;
	}

	if (tls_domains_cfg == NULL) {
		return;
	}
	/* Unlink the head before freeing it so the shared pointer never points
	 * at released memory. */
	while ((cur = *tls_domains_cfg) != NULL) {
		*tls_domains_cfg = cur->next;
		tls_free_cfg(cur);
	}
	shm_free(tls_domains_cfg);
	tls_domains_cfg = 0;
}
00147 
00148 
00149 
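/* Renders a domain as "TLSs<ip:port>", "TLSc<ip:port>" or "TLS?<default>"
 * for log messages.
 * Returns a pointer to a static buffer that is overwritten by the next call,
 * so the result must be consumed immediately (not reentrant, not thread safe).
 * Change: the string is now built with bounded snprintf() instead of an
 * unchecked strcat() chain into the fixed 1024-byte buffer; the output is
 * identical for every input the old code handled, and cannot overrun. */
char* tls_domain_str(tls_domain_t* d)
{
	static char buf[1024];
	const char* kind;
	int n;

	kind = (d->type & TLS_DOMAIN_SRV) ? "TLSs<" : "TLSc<";
	if (d->type & TLS_DOMAIN_DEF) {
		n = snprintf(buf, sizeof(buf), "%sdefault>", kind);
	} else {
		n = snprintf(buf, sizeof(buf), "%s%s:%u>", kind,
				ip_addr2a(&d->ip), (unsigned)d->port);
	}
	if (n < 0) {
		/* formatting error: never hand back an unterminated buffer */
		buf[0] = '\0';
	}
	return buf;
}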
00173 
00174 
/* Copies src into dst (shared memory copy via shm_asciiz_dup) when dst is
 * not yet set; dst->len follows src->len. Returns 0 on success, -1 on
 * failure of the duplication. */
static int inherit_str(str* dst, const str* src)
{
	if (dst->s != NULL) {
		return 0;
	}
	if (shm_asciiz_dup(&dst->s, src->s) < 0) {
		return -1;
	}
	dst->len = src->len;
	return 0;
}

/* Fills every parameter of d that is still "unset" (NULL string or -1
 * integer) with the value from parent and logs the effective configuration
 * of the domain at L_INFO.
 * The TLS method is range-checked after inheritance: it must index one of
 * the ssl_methods[] entries (1 <= method < TLS_METHOD_MAX); presumably
 * TLS_METHOD_UNSPEC is 0 and is therefore rejected if neither domain set it.
 * NOTE(review): how shm_asciiz_dup() treats a NULL source (parent value also
 * unset) is not visible here; the '%s' logs below would then receive a NULL
 * pointer -- confirm in tls_util.
 * Returns 0 on success, -1 on an invalid method or allocation failure. */
static int fill_missing(tls_domain_t* d, tls_domain_t* parent)
{
	if (d->method == TLS_METHOD_UNSPEC) {
		d->method = parent->method;
	}
	LOG(L_INFO, "%s: tls_method=%d\n", tls_domain_str(d), d->method);

	if (d->method < 1 || d->method >= TLS_METHOD_MAX) {
		ERR("%s: Invalid TLS method value\n", tls_domain_str(d));
		return -1;
	}

	if (inherit_str(&d->cert_file, &parent->cert_file) < 0) {
		return -1;
	}
	LOG(L_INFO, "%s: certificate='%s'\n", tls_domain_str(d), d->cert_file.s);

	if (inherit_str(&d->ca_file, &parent->ca_file) < 0) {
		return -1;
	}
	LOG(L_INFO, "%s: ca_list='%s'\n", tls_domain_str(d), d->ca_file.s);

	if (inherit_str(&d->crl_file, &parent->crl_file) < 0) {
		return -1;
	}
	LOG(L_INFO, "%s: crl='%s'\n", tls_domain_str(d), d->crl_file.s);

	if (d->require_cert == -1) {
		d->require_cert = parent->require_cert;
	}
	LOG(L_INFO, "%s: require_certificate=%d\n", tls_domain_str(d),
			d->require_cert);

	if (inherit_str(&d->cipher_list, &parent->cipher_list) < 0) {
		return -1;
	}
	LOG(L_INFO, "%s: cipher_list='%s'\n", tls_domain_str(d), d->cipher_list.s);

	if (inherit_str(&d->pkey_file, &parent->pkey_file) < 0) {
		return -1;
	}
	LOG(L_INFO, "%s: private_key='%s'\n", tls_domain_str(d), d->pkey_file.s);

	if (d->verify_cert == -1) {
		d->verify_cert = parent->verify_cert;
	}
	LOG(L_INFO, "%s: verify_certificate=%d\n", tls_domain_str(d),
			d->verify_cert);

	if (d->verify_depth == -1) {
		d->verify_depth = parent->verify_depth;
	}
	LOG(L_INFO, "%s: verify_depth=%d\n", tls_domain_str(d), d->verify_depth);

	return 0;
}
00242 
00243 
/* Callback applied to one SSL_CTX by the tls_foreach_CTX_* helpers below.
 * larg/parg are passed through unchanged from the caller; a negative return
 * aborts the iteration and is propagated to the caller. */
typedef int (*per_ctx_cbk_f)(SSL_CTX* ctx, long larg, void* parg);
00252 
00253 
/* Invokes ctx_cbk(ctx, l1, p2) on every per-process SSL_CTX of domain d.
 * Stops at the first negative callback result and returns it; otherwise 0.
 * d->ctx must already be populated (see fix_domain()). */
static int tls_domain_foreach_CTX(tls_domain_t* d, per_ctx_cbk_f ctx_cbk,
									long l1, void* p2)
{
	int idx, rc;
	int procs_no = get_max_procs();

	for (idx = 0; idx < procs_no; idx++) {
		rc = ctx_cbk(d->ctx[idx], l1, p2);
		if (rc < 0) {
			return rc;
		}
	}
	return 0;
}
00275 
00276 
/* Applies ctx_cbk to every SSL_CTX of every domain in the list starting at d
 * (d may be NULL). Returns the first negative callback result, else 0. */
static int tls_foreach_CTX_in_domain_lst(tls_domain_t* d,
											per_ctx_cbk_f ctx_cbk,
											long l1, void* p2)
{
	tls_domain_t* cur;
	int rc;

	for (cur = d; cur != NULL; cur = cur->next) {
		rc = tls_domain_foreach_CTX(cur, ctx_cbk, l1, p2);
		if (rc < 0) {
			return rc;
		}
	}
	return 0;
}
00295 
00296 
/* Applies ctx_cbk to all server-side contexts of cfg: the default server
 * domain first, then every explicit server domain.
 * Returns the first negative callback result, else 0. */
static int tls_foreach_CTX_in_srv_domains(tls_domains_cfg_t* cfg,
											per_ctx_cbk_f ctx_cbk,
											long l1, void* p2)
{
	int rc;

	rc = tls_domain_foreach_CTX(cfg->srv_default, ctx_cbk, l1, p2);
	if (rc < 0) {
		return rc;
	}
	rc = tls_foreach_CTX_in_domain_lst(cfg->srv_list, ctx_cbk, l1, p2);
	return (rc < 0) ? rc : 0;
}
00317 
00318 
/* Applies ctx_cbk to all client-side contexts of cfg: the default client
 * domain first, then every explicit client domain.
 * Returns the first negative callback result, else 0. */
static int tls_foreach_CTX_in_cli_domains(tls_domains_cfg_t* cfg,
											per_ctx_cbk_f ctx_cbk,
											long l1, void* p2)
{
	int rc;

	rc = tls_domain_foreach_CTX(cfg->cli_default, ctx_cbk, l1, p2);
	if (rc < 0) {
		return rc;
	}
	rc = tls_foreach_CTX_in_domain_lst(cfg->cli_list, ctx_cbk, l1, p2);
	return (rc < 0) ? rc : 0;
}
00339 
00340 
/* Applies ctx_cbk to every SSL_CTX in cfg, server domains before client
 * domains. Returns the first negative callback result, else 0. */
static int tls_foreach_CTX_in_cfg(tls_domains_cfg_t* cfg,
									per_ctx_cbk_f ctx_cbk,
									long l1, void* p2)
{
	int rc;

	rc = tls_foreach_CTX_in_srv_domains(cfg, ctx_cbk, l1, p2);
	if (rc >= 0) {
		rc = tls_foreach_CTX_in_cli_domains(cfg, ctx_cbk, l1, p2);
	}
	return (rc < 0) ? rc : 0;
}
00361 
00362 
00363 
00364 
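/* Converts a relative file path stored in shared memory into an absolute one
 * (via get_abs_pathname()), replacing path->s with a fresh shm copy.
 * Paths that are empty/NULL, already absolute ('/') or start with '.' are
 * left untouched -- the '.' case is deliberate in the original code.
 * Returns 0 on success (including "nothing to do"), -1 on failure.
 * Fix: the shm_malloc() result was previously used unchecked, so an
 * out-of-memory condition became a NULL write in memcpy().
 * NOTE(review): ownership of the buffer returned by get_abs_pathname() is
 * not visible from this file; if it is heap-allocated it is never released
 * here -- confirm against its definition. */
int fix_shm_pathname(str* path)
{
	str new_path;
	char* abs_path;

	if (!path->s || !path->len) {
		return 0;
	}
	if (*path->s == '.' || *path->s == '/') {
		return 0;
	}

	abs_path = get_abs_pathname(0, path);
	if (abs_path == 0) {
		return -1;
	}
	new_path.len = strlen(abs_path);
	new_path.s = shm_malloc(new_path.len + 1);
	if (new_path.s == 0) {
		ERR("fix_shm_pathname: no shared memory left for path '%s'\n",
				abs_path);
		return -1;
	}
	memcpy(new_path.s, abs_path, new_path.len);
	new_path.s[new_path.len] = 0;
	/* swap in the absolute copy and drop the old shm string */
	shm_free(path->s);
	*path = new_path;
	return 0;
}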
00394 
00395 
00396 
/* Loads the domain's certificate chain file into every per-process SSL_CTX.
 * A domain without a configured certificate is accepted here (returns 0).
 * The path is made absolute first so all workers read the same file.
 * Returns 0 on success, -1 if the path fix-up or any load fails (logged,
 * with the OpenSSL error queue dumped via TLS_ERR). */
static int load_cert(tls_domain_t* d)
{
	int idx, procs_no;

	if (d->cert_file.s == NULL || d->cert_file.len == 0) {
		DBG("%s: No certificate configured\n", tls_domain_str(d));
		return 0;
	}
	if (fix_shm_pathname(&d->cert_file) < 0) {
		return -1;
	}

	procs_no = get_max_procs();
	for (idx = 0; idx < procs_no; idx++) {
		/* *_chain_file: leaf certificate first, followed by any
		 * intermediates in the same PEM file. */
		if (SSL_CTX_use_certificate_chain_file(d->ctx[idx],
												d->cert_file.s) == 0) {
			ERR("%s: Unable to load certificate file '%s'\n",
			    tls_domain_str(d), d->cert_file.s);
			TLS_ERR("load_cert:");
			return -1;
		}
	}
	return 0;
}
00425 
00426 
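/* Loads the domain's CA file into every per-process SSL_CTX, twice over:
 *  - into the verify store (trusted roots for peer chain verification;
 *    enforcement itself depends on the mode chosen in set_verification());
 *  - as the client CA list, i.e. the issuer names a server-side context
 *    advertises in its CertificateRequest.
 * A domain without a CA file is accepted (returns 0).
 * Change: the result of SSL_load_client_CA_file() is checked directly before
 * it is handed to the context, instead of reading the list back afterwards.
 * Returns 0 on success, -1 on any failure (logged). */
static int load_ca_list(tls_domain_t* d)
{
	int i;
	int procs_no;
	STACK_OF(X509_NAME)* ca_names;

	if (!d->ca_file.s || !d->ca_file.len) {
		DBG("%s: No CA list configured\n", tls_domain_str(d));
		return 0;
	}
	if (fix_shm_pathname(&d->ca_file) < 0)
		return -1;
	procs_no = get_max_procs();
	for (i = 0; i < procs_no; i++) {
		/* CA file only; no CApath directory is configured. */
		if (SSL_CTX_load_verify_locations(d->ctx[i], d->ca_file.s, 0) != 1) {
			ERR("%s: Unable to load CA list '%s'\n", tls_domain_str(d),
					d->ca_file.s);
			TLS_ERR("load_ca_list:");
			return -1;
		}
		ca_names = SSL_load_client_CA_file(d->ca_file.s);
		if (ca_names == NULL) {
			ERR("%s: Error while setting client CA list\n", tls_domain_str(d));
			TLS_ERR("load_ca_list:");
			return -1;
		}
		/* the context takes ownership of ca_names */
		SSL_CTX_set_client_CA_list(d->ctx[i], ca_names);
	}
	return 0;
}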
00461 
00462 
/* Loads the domain's CRL file into the verify store of every per-process
 * SSL_CTX and turns on CRL checking for the whole chain.
 * Unlike load_cert()/load_ca_list(), only a NULL path means "not configured";
 * an empty string is passed on to the loader, which presumably rejects it,
 * so such a misconfiguration fails closed at startup.
 * NOTE(review): the CRL is read once here; with X509_V_FLAG_CRL_CHECK OpenSSL
 * rejects peers once the loaded CRL's nextUpdate has passed, so a reload
 * path for refreshed CRLs is needed -- confirm it exists.
 * Returns 0 on success, -1 on failure (logged). */
static int load_crl(tls_domain_t* d)
{
	int idx, procs_no;
	X509_STORE* store;

	if (d->crl_file.s == NULL) {
		DBG("%s: No CRL configured\n", tls_domain_str(d));
		return 0;
	}
	if (fix_shm_pathname(&d->crl_file) < 0) {
		return -1;
	}
	LOG(L_INFO, "%s: Certificate revocation lists will be checked (%.*s)\n",
				tls_domain_str(d), d->crl_file.len, d->crl_file.s);

	procs_no = get_max_procs();
	for (idx = 0; idx < procs_no; idx++) {
		/* The generic PEM loader accepts CRLs as well as certificates. */
		if (SSL_CTX_load_verify_locations(d->ctx[idx],
											d->crl_file.s, 0) != 1) {
			ERR("%s: Unable to load certificate revocation list '%s'\n",
					tls_domain_str(d), d->crl_file.s);
			TLS_ERR("load_crl:");
			return -1;
		}
		/* CRL_CHECK_ALL: every certificate in the chain, not only the leaf,
		 * is checked against a CRL. */
		store = SSL_CTX_get_cert_store(d->ctx[idx]);
		X509_STORE_set_flags(store,
				X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
	}
	return 0;
}
00496 
00497 
/* Cipher-list strings used by the KSSL workaround in set_cipher_list():
 * the default list with Kerberos suites removed, and the suffix appended to
 * a user-configured list for the same purpose. *_LEN exclude the NUL. */
#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
#define C_NO_KRB5_SUFFIX ":!KRB5"
#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
00502 
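/* Applies the domain's cipher list to every per-process SSL_CTX.
 * With TLS_KSSL_WORKARROUND and openssl_kssl_malloc_bug set, Kerberos suites
 * are excluded: an unset list becomes C_DEF_NO_KRB5, a configured list gets
 * C_NO_KRB5_SUFFIX appended (the patched copy replaces d->cipher_list in shm).
 * No configured list at all leaves OpenSSL's built-in default in effect.
 * Fix: if allocating the patched list failed, the old code fell through with
 * cipher_list == NULL and returned 0, i.e. the administrator's cipher
 * restrictions were silently dropped; it now fails with -1.
 * Also TLS_ERR is dumped when SSL_CTX_set_cipher_list() fails, matching the
 * other loaders. Note that OpenSSL only fails when NO cipher of the list
 * could be selected; unknown entries in an otherwise valid list are ignored.
 * Returns 0 on success, -1 on failure (logged). */
static int set_cipher_list(tls_domain_t* d)
{
	int i;
	int procs_no;
	char* cipher_list;
#ifdef TLS_KSSL_WORKARROUND
	char* patched;
#endif

	cipher_list = d->cipher_list.s;
#ifdef TLS_KSSL_WORKARROUND
	if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
		if (d->cipher_list.s == 0) {
			cipher_list = C_DEF_NO_KRB5;
		} else {
			patched = shm_malloc(d->cipher_list.len + C_NO_KRB5_SUFFIX_LEN + 1);
			if (patched == 0) {
				ERR("%s: No shared memory left for the cipher list\n",
						tls_domain_str(d));
				return -1;
			}
			memcpy(patched, d->cipher_list.s, d->cipher_list.len);
			memcpy(patched + d->cipher_list.len, C_NO_KRB5_SUFFIX,
					C_NO_KRB5_SUFFIX_LEN);
			patched[d->cipher_list.len + C_NO_KRB5_SUFFIX_LEN] = 0;
			shm_free(d->cipher_list.s);
			d->cipher_list.s = patched;
			d->cipher_list.len += C_NO_KRB5_SUFFIX_LEN;
			cipher_list = patched;
		}
	}
#endif /* TLS_KSSL_WORKARROUND */
	if (cipher_list == NULL) {
		return 0;
	}
	procs_no = get_max_procs();
	for (i = 0; i < procs_no; i++) {
		if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0) {
			ERR("%s: Failure to set SSL context cipher list \"%s\"\n",
					tls_domain_str(d), cipher_list);
			TLS_ERR("set_cipher_list:");
			return -1;
		}
	}
	return 0;
}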
00546 
00547 
/* Translates the domain's require_cert/verify_cert flags into an OpenSSL
 * verify mode and applies it, with verify_depth, to every per-process ctx:
 *   require_cert != 0 -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
 *   verify_cert  != 0 -> SSL_VERIFY_PEER
 *   otherwise         -> SSL_VERIFY_NONE
 * Both flags are tested as plain truth values, so a value still at -1
 * ("unset", see tls_new_domain()) counts as enabled.
 * Only chain verification is configured here; nothing in this module
 * compares the peer certificate's name with the destination, so any
 * hostname/SAN check must happen elsewhere. Per the OpenSSL documentation
 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode, so for client
 * domains require_cert and verify_cert behave the same.
 * NOTE(review): verify_depth is passed through even if it is still -1 --
 * confirm the defaults supply a sane value. Always returns 0. */
static int set_verification(tls_domain_t* d)
{
	int mode, idx, procs_no;
	int is_srv = (d->type & TLS_DOMAIN_SRV) != 0;

	if (d->require_cert) {
		mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
		LOG(L_INFO, "%s: %s MUST present valid certificate\n",
			tls_domain_str(d), is_srv ? "Client" : "Server");
	} else if (d->verify_cert) {
		mode = SSL_VERIFY_PEER;
		if (is_srv) {
			LOG(L_INFO, "%s: IF client provides certificate then it"
					" MUST be valid\n", tls_domain_str(d));
		} else {
			LOG(L_INFO, "%s: Server MUST present valid certificate\n",
			     tls_domain_str(d));
		}
	} else {
		mode = SSL_VERIFY_NONE;
		if (is_srv) {
			LOG(L_INFO, "%s: No client certificate required and no checks"
					" performed\n", tls_domain_str(d));
		} else {
			LOG(L_INFO, "%s: Server MAY present invalid certificate\n",
			     tls_domain_str(d));
		}
	}

	procs_no = get_max_procs();
	for (idx = 0; idx < procs_no; idx++) {
		/* no verify callback: OpenSSL's own result decides */
		SSL_CTX_set_verify(d->ctx[idx], mode, 0);
		SSL_CTX_set_verify_depth(d->ctx[idx], d->verify_depth);
	}
	return 0;
}
00592 
00593 
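/* SSL info callback, installed by set_ssl_options() when sr_tls_renegotiation
 * is 0. libssl invokes it while processing the handshake and the record
 * layer; it is used to spot a handshake that starts after the connection was
 * already handshaked (renegotiation) and to switch renegotiation off.
 * The per-connection state is the struct tls_extra_data stored as SSL app
 * data elsewhere in the module.
 * Fix: a missing app-data pointer used to be dereferenced unconditionally
 * (the `if (data==0)` tests only re-fetched it); it is now reported and the
 * event skipped, so the renegotiation check cannot crash and its absence is
 * visible in the log.
 */
static void sr_ssl_ctx_info_callback(const SSL *ssl, int event, int ret)
{
	struct tls_extra_data* data;
	int tls_dbg;

	if ((event & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE)) == 0) {
		return;
	}
	tls_dbg = cfg_get(tls, tls_cfg, debug);
	data = (struct tls_extra_data*)SSL_get_app_data(ssl);
	if (data == NULL) {
		ERR("tls: sr_ssl_ctx_info_callback: no connection data attached"
				" to the SSL object, renegotiation cannot be tracked\n");
		return;
	}

	if (event & SSL_CB_HANDSHAKE_START) {
		LOG(tls_dbg, "SSL handshake started\n");
		/* A handshake on a connection that already completed one is a
		 * renegotiation; the log text assumes the peer started it. */
		if (data->flags & F_TLS_CON_HANDSHAKED) {
			LOG(tls_dbg, "SSL renegotiation initiated by client\n");
			data->flags |= F_TLS_CON_RENEGOTIATION;
		}
	}
	if (event & SSL_CB_HANDSHAKE_DONE) {
		LOG(tls_dbg, "SSL handshake done\n");
		/* CVE-2009-3555 - disable renegotiation.
		 * ssl->s3 and SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS are pre-1.1.0 OpenSSL
		 * internals (SSL is opaque from 1.1.0 on, where an option such as
		 * SSL_OP_NO_RENEGOTIATION is the replacement). */
		if (ssl->s3) {
			LOG(tls_dbg, "SSL disable renegotiation\n");
			ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
		}
		data->flags |= F_TLS_CON_HANDSHAKED;
	}
}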
00627 
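/* Sets the SSL_CTX options shared by every per-process context of d and,
 * when renegotiation is disabled (sr_tls_renegotiation == 0), installs
 * sr_ssl_ctx_info_callback().
 * Options: SSL_OP_ALL (every interoperability workaround), plus on
 * OpenSSL >= 0.9.7 no session resumption on renegotiation and server-side
 * cipher preference, so the configured cipher order wins over the client's.
 * NOTE(review): per SSL_CTX_set_options(3), SSL_OP_ALL includes
 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (disables the CBC empty-fragment
 * countermeasure) and nothing here sets SSL_OP_NO_COMPRESSION; both are left
 * at OpenSSL defaults and should be a deliberate decision. Protocol version
 * selection is not done here but through ssl_methods[] in fix_domain().
 * Fix: the runtime-version lower bound for the 0.9.8..0.9.8b padding-bug
 * workaround was written 0x0090800L (one hex digit short), a value far
 * below any real SSLeay() result, so it never excluded anything; it is now
 * 0x00908000L, i.e. 0.9.8 proper. Always returns 0. */
static int set_ssl_options(tls_domain_t* d)
{
	int i;
	int procs_no;
	long options;
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
	long ssl_version;
	STACK_OF(SSL_COMP)* comp_methods;
#endif

	procs_no = get_max_procs();
	options = SSL_OP_ALL; /* all the bug workarrounds by default */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
	options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
				SSL_OP_CIPHER_SERVER_PREFERENCE;
#if		OPENSSL_VERSION_NUMBER >= 0x00908000L
	/* The library we run against may differ from the headers we built with,
	 * hence the runtime SSLeay() check. */
	ssl_version = SSLeay();
	if ((ssl_version >= 0x00908000L) && (ssl_version < 0x0090803fL)) {
		/* if 0.9.8 <= openssl version < 0.9.8c and compression support is
		 * enabled disable SSL_OP_TLS_BLOCK_PADDING_BUG (set by SSL_OP_ALL),
		 * see openssl #1204 http://rt.openssl.org/Ticket/Display.html?id=1204
		 */
		comp_methods = SSL_COMP_get_compression_methods();
		if (comp_methods && (sk_SSL_COMP_num(comp_methods) > 0)) {
			options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
			LOG(L_WARN, "tls: set_ssl_options: openssl "
					"SSL_OP_TLS_BLOCK_PADDING bug workaround enabled "
					"(openssl version %lx)\n", ssl_version);
		} else {
			LOG(L_INFO, "tls: set_ssl_options: detected openssl version (%lx) "
					" has the SSL_OP_TLS_BLOCK_PADDING bug, but compression "
					" is disabled so no workaround is needed\n", ssl_version);
		}
	}
#	endif
#endif
	for (i = 0; i < procs_no; i++) {
		SSL_CTX_set_options(d->ctx[i], options);
		if (sr_tls_renegotiation == 0)
			SSL_CTX_set_info_callback(d->ctx[i], sr_ssl_ctx_info_callback);
	}
	return 0;
}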
00677 
00678 
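/* Configures session caching on every per-process SSL_CTX of d from the
 * runtime config: server-side cache on/off (tls_cfg.session_cache) and the
 * session id context (tls_cfg.session_id).
 * janakj: I am not sure if session cache makes sense in ser, session
 * cache is stored in SSL_CTX and we have one SSL_CTX per process,
 * thus sessions among processes will not be reused.
 * Fix: SSL_CTX_set_session_id_context() fails (returns 0) when the id is
 * longer than SSL_MAX_SID_CTX_LENGTH; that result was ignored, leaving the
 * context without an id context. It is now an error. The config values are
 * read once rather than on every loop iteration.
 * Returns 0 on success, -1 on failure (logged). */
static int set_session_cache(tls_domain_t* d)
{
	int i;
	int procs_no;
	str tls_session_id;
	long cache_mode;

	procs_no = get_max_procs();
	tls_session_id = cfg_get(tls, tls_cfg, session_id);
	cache_mode = cfg_get(tls, tls_cfg, session_cache) ?
					SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_OFF;
	for (i = 0; i < procs_no; i++) {
		SSL_CTX_set_session_cache_mode(d->ctx[i], cache_mode);
		/* not really needed if SSL_SESS_CACHE_OFF, but harmless */
		if (SSL_CTX_set_session_id_context(d->ctx[i],
					(unsigned char*)tls_session_id.s,
					tls_session_id.len) == 0) {
			ERR("%s: Unable to set session id context (len %d, max %d)\n",
					tls_domain_str(d), tls_session_id.len,
					SSL_MAX_SID_CTX_LENGTH);
			TLS_ERR("set_session_cache:");
			return -1;
		}
	}
	return 0;
}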
00706 
00707 
00708 
/* per_ctx_cbk_f: sets (clear == NULL) or clears (clear != NULL) the SSL_CTX
 * mode bits in `mode`. Clearing needs SSL_CTX_clear_mode(), available from
 * OpenSSL 1.0.0 (or wherever the macro exists); otherwise -1 is returned.
 * Returns 0 on success. */
static int tls_ssl_ctx_mode(SSL_CTX* ctx, long mode, void* clear)
{
	if (clear != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x01000000L || \
	defined SSL_CTX_clear_mode
		SSL_CTX_clear_mode(ctx, mode);
		return 0;
#else
		return -1;
#endif
	}
	SSL_CTX_set_mode(ctx, mode);
	return 0;
}
00729 
00730 
00731 
/* per_ctx_cbk_f: sets the buffer freelist limit of ctx to val.
 * A negative val means "leave the default" and always succeeds.
 * Only possible with OpenSSL 1.0.x built with buffer freelists; elsewhere
 * a non-negative val yields -1 (feature unavailable). Note this pokes the
 * SSL_CTX struct directly, which is opaque from OpenSSL 1.1.0 on. */
static int tls_ssl_ctx_set_freelist(SSL_CTX* ctx, long val, void* unused)
{
	if (val < 0) {
		return 0;
	}
#if OPENSSL_VERSION_NUMBER >= 0x01000000L && !defined(OPENSSL_NO_BUF_FREELISTS)
	ctx->freelist_max_len = val;
	return 0;
#else
	return -1;
#endif
}
00752 
/* per_ctx_cbk_f: sets the maximum TLS record payload ctx will send.
 * A negative val means "leave the default" and always succeeds.
 * Requires OpenSSL >= 0.9.9 (1.0.0); there SSL_CTX_set_max_send_fragment()
 * returns 1 on success and 0 if val is outside the accepted range, which is
 * mapped to 0 / -1. Older libraries always yield -1 for val >= 0. */
static int tls_ssl_ctx_set_max_send_fragment(SSL_CTX* ctx, long val, void* unused)
{
	if (val < 0) {
		return 0;
	}
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
	if (SSL_CTX_set_max_send_fragment(ctx, val) == 1) {
		return 0;
	}
	return -1;
#else
	return -1;
#endif
}
00770 
00771 
00772 
/* per_ctx_cbk_f: enables (val != 0) or disables (val == 0) read-ahead on
 * ctx; a negative val leaves the setting untouched. Cannot fail. */
static int tls_ssl_ctx_set_read_ahead(SSL_CTX* ctx, long val, void* unused)
{
	if (val < 0) {
		return 0;
	}
	SSL_CTX_set_read_ahead(ctx, val);
	return 0;
}
00786 
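/* Finalises one domain: inherits unset values from def (fill_missing()),
 * creates one SSL_CTX per process with the selected method and loads
 * certificate, CA list, CRL, cipher list, verification, options and session
 * cache settings into each. The private key is NOT loaded here but by
 * load_private_key() from tls_fix_domains_cfg(), so passphrase prompts come
 * last. On failure the partially built contexts stay on d for
 * tls_free_domain() to release.
 * Change: an SSL_CTX_new() failure now also dumps the OpenSSL error queue
 * (TLS_ERR), as every other loader in this file does.
 * Returns 0 on success, -1 on failure (logged). */
static int fix_domain(tls_domain_t* d, tls_domain_t* def)
{
	int i;
	int procs_no;

	if (fill_missing(d, def) < 0) return -1;

	procs_no = get_max_procs();
	d->ctx = (SSL_CTX**)shm_malloc(sizeof(SSL_CTX*) * procs_no);
	if (!d->ctx) {
		ERR("%s: Cannot allocate shared memory\n", tls_domain_str(d));
		return -1;
	}
	memset(d->ctx, 0, sizeof(SSL_CTX*) * procs_no);
	for (i = 0; i < procs_no; i++) {
		/* d->method was range-checked by fill_missing(); the cast drops the
		 * const that newer OpenSSL puts on SSL_METHOD. */
		d->ctx[i] = SSL_CTX_new((SSL_METHOD*)ssl_methods[d->method - 1]);
		if (d->ctx[i] == NULL) {
			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
			TLS_ERR("fix_domain:");
			return -1;
		}
	}

	/* order matters: material first, then the policies applied to it */
	if (load_cert(d) < 0) return -1;
	if (load_ca_list(d) < 0) return -1;
	if (load_crl(d) < 0) return -1;
	if (set_cipher_list(d) < 0) return -1;
	if (set_verification(d) < 0) return -1;
	if (set_ssl_options(d) < 0) return -1;
	if (set_session_cache(d) < 0) return -1;
	return 0;
}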
00823 
00824 
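/* OpenSSL default passphrase callback for encrypted private keys.
 * buf/size: OpenSSL's buffer; filename: the userdata set in
 * load_private_key() (the key file path), used only to build the prompt.
 * rwflag is unused. The passphrase is read interactively through the
 * OpenSSL UI API with echo off (flags 0).
 * Returns the passphrase length, or 0 on any failure (OpenSSL treats 0 as
 * "no passphrase").
 * Fixes: the results of UI_construct_prompt(), UI_add_input_string() and
 * UI_process() were ignored, so an aborted/failed prompt returned
 * strlen() of an uninitialised buffer; the prompt string, which the UI API
 * hands back as an OPENSSL_malloc'ed copy to be freed by the caller, was
 * leaked on every call. buf is now cleared first and on failure. */
static int passwd_cb(char *buf, int size, int rwflag, void *filename)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
	UI*   ui = NULL;
	char* prompt = NULL;
	int   len = 0;

	if (buf == NULL || size <= 0)
		return 0;
	buf[0] = '\0';

	ui = UI_new();
	if (ui == NULL)
		goto err;
	prompt = UI_construct_prompt(ui, "passphrase", filename);
	if (prompt == NULL)
		goto err;
	/* the UI keeps a reference to prompt until UI_free(); free it after */
	if (UI_add_input_string(ui, prompt, 0, buf, 0, size - 1) < 0)
		goto err;
	if (UI_process(ui) < 0)
		goto err;
	len = strlen(buf);
	goto out;

err:
	ERR("passwd_cb: Error in passwd_cb\n");
	buf[0] = '\0';
	len = 0;
out:
	if (ui) {
		UI_free(ui);
	}
	if (prompt) {
		OPENSSL_free(prompt);
	}
	return len;

#else
	if (des_read_pw_string(buf, size-1, "Enter Private Key password:", 0)) {
		ERR("Error in passwd_cb\n");
		return 0;
	}
	return strlen(buf);
#endif
}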
00864 
00865 
/* Loads d->pkey_file (PEM) into ctx, retrying up to three times so that a
 * mistyped passphrase can be re-entered via passwd_cb(). Every failed
 * attempt is logged together with the OpenSSL error queue.
 * Returns 1 on success, 0 if all attempts failed. */
static int use_pkey_file(tls_domain_t* d, SSL_CTX* ctx)
{
	int attempt;

	for (attempt = 0; attempt < 3; attempt++) {
		if (SSL_CTX_use_PrivateKey_file(ctx, d->pkey_file.s,
										SSL_FILETYPE_PEM)) {
			return 1;
		}
		ERR("%s: Unable to load private key '%s'\n",
		    tls_domain_str(d), d->pkey_file.s);
		TLS_ERR("load_private_key:");
	}
	return 0;
}

/* Loads the domain's private key into every per-process SSL_CTX and checks
 * that it matches the certificate loaded by load_cert(). The passphrase
 * callback is passwd_cb() with the key path as userdata. A domain without a
 * key file is accepted (returns 0).
 * NOTE(review): the file is read -- and an encrypted key prompted for --
 * once per process context, and the retry loop also repeats on non-passphrase
 * errors such as a missing file; confirm this is the intended UX.
 * Returns 0 on success, -1 on failure (logged). */
static int load_private_key(tls_domain_t* d)
{
	int idx, procs_no;

	if (d->pkey_file.s == NULL || d->pkey_file.len == 0) {
		DBG("%s: No private key specified\n", tls_domain_str(d));
		return 0;
	}
	if (fix_shm_pathname(&d->pkey_file) < 0) {
		return -1;
	}

	procs_no = get_max_procs();
	for (idx = 0; idx < procs_no; idx++) {
		SSL_CTX_set_default_passwd_cb(d->ctx[idx], passwd_cb);
		SSL_CTX_set_default_passwd_cb_userdata(d->ctx[idx], d->pkey_file.s);

		if (!use_pkey_file(d, d->ctx[idx])) {
			ERR("%s: Unable to load private key file '%s'\n",
			    tls_domain_str(d), d->pkey_file.s);
			TLS_ERR("load_private_key:");
			return -1;
		}
		/* also fails when no certificate was loaded into this context */
		if (!SSL_CTX_check_private_key(d->ctx[idx])) {
			ERR("%s: Key '%s' does not match the public key of the"
					" certificate\n", tls_domain_str(d), d->pkey_file.s);
			TLS_ERR("load_private_key:");
			return -1;
		}
	}

	DBG("%s: Key '%s' successfuly loaded\n",
	    tls_domain_str(d), d->pkey_file.s);
	return 0;
}
00920 
00921 
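/**
 * Fill in the missing values of every domain in a singly-linked list.
 *
 * @param d        head of the list (may be NULL)
 * @param defaults domain whose values fix_domain() falls back to
 * @return 0 on success, -1 on the first fix_domain() failure
 */
static int fix_domain_list(tls_domain_t* d, tls_domain_t* defaults)
{
	for (; d; d = d->next) {
		if (fix_domain(d, defaults) < 0) return -1;
	}
	return 0;
}


/**
 * Load the private key of every domain in a singly-linked list.
 *
 * @param d head of the list (may be NULL)
 * @return 0 on success, -1 on the first load_private_key() failure
 */
static int load_private_key_list(tls_domain_t* d)
{
	for (; d; d = d->next) {
		if (load_private_key(d) < 0) return -1;
	}
	return 0;
}


/**
 * Complete and validate every domain of a TLS configuration.
 *
 * Creates the default server and client domains when the configuration
 * lacks them, fills in the missing values of every domain from the
 * corresponding defaults (fix_domain()), loads the private keys and finally
 * applies the global per-SSL_CTX options taken from the tls module
 * configuration (ssl_release_buffers, ssl_freelist_max,
 * ssl_max_send_fragment, ssl_read_ahead) plus the SSL_write modes the TLS
 * I/O code relies on (SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and
 * SSL_MODE_ENABLE_PARTIAL_WRITE).
 *
 * Private keys are loaded only after every domain has been fixed, so that
 * a passphrase prompt, if any, happens as the last step. Options that the
 * linked OpenSSL version cannot honour are reported once with ERR.
 *
 * @param cfg          configuration to fix (must be non-NULL)
 * @param srv_defaults default values for the server domains
 * @param cli_defaults default values for the client domains
 * @return 0 on success, -1 on error (the error is logged with ERR)
 */
int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
				tls_domain_t* cli_defaults)
{
	int ssl_mode_release_buffers;
	int ssl_freelist_max_len;
	int ssl_max_send_fragment;
	int ssl_read_ahead;

	if (!cfg->cli_default) {
		cfg->cli_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI,
											0, 0);
		/* tls_new_domain() returns NULL when the shm allocation fails;
		 * the default domain is passed on as a valid domain below, so
		 * fail here instead of handing out a NULL default */
		if (!cfg->cli_default) {
			ERR("could not create the default client TLS domain\n");
			return -1;
		}
	}

	if (!cfg->srv_default) {
		cfg->srv_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_SRV,
											0, 0);
		if (!cfg->srv_default) {
			ERR("could not create the default server TLS domain\n");
			return -1;
		}
	}

	if (fix_domain(cfg->srv_default, srv_defaults) < 0) return -1;
	if (fix_domain(cfg->cli_default, cli_defaults) < 0) return -1;
	if (fix_domain_list(cfg->srv_list, srv_defaults) < 0) return -1;
	if (fix_domain_list(cfg->cli_list, cli_defaults) < 0) return -1;

	/* Ask for passwords as the last step */
	if (load_private_key_list(cfg->srv_list) < 0) return -1;
	if (load_private_key_list(cfg->cli_list) < 0) return -1;
	if (load_private_key(cfg->srv_default) < 0) return -1;
	if (load_private_key(cfg->cli_default) < 0) return -1;

	/* set various global per CTX options
	 * (done here to show possible missing features messages only once)
	 */
	ssl_mode_release_buffers = cfg_get(tls, tls_cfg, ssl_release_buffers);
	ssl_freelist_max_len = cfg_get(tls, tls_cfg, ssl_freelist_max);
	ssl_max_send_fragment = cfg_get(tls, tls_cfg, ssl_max_send_fragment);
	ssl_read_ahead = cfg_get(tls, tls_cfg, ssl_read_ahead);
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
	/* set SSL_MODE_RELEASE_BUFFERS if ssl_mode_release_buffers !=0,
	   reset if == 0 and ignore if < 0 */
	/* only in >= 1.0.0 */
	if (ssl_mode_release_buffers >= 0 &&
		tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_mode, SSL_MODE_RELEASE_BUFFERS,
								(void*)(long)(ssl_mode_release_buffers==0))
		< 0) {
		ERR("invalid ssl_release_buffers value (%d)\n",
				ssl_mode_release_buffers);
		return -1;
	}
#else
	if (ssl_mode_release_buffers > 0)
		ERR("cannot change openssl mode_release_buffers, the openssl version"
				" is too old (need at least 1.0.0)\n");
#endif
	/* only in >= 1.0.0 */
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
#ifndef OPENSSL_NO_BUF_FREELISTS
	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_freelist,
								ssl_freelist_max_len, 0) < 0) {
		ERR("invalid ssl_freelist_max_len value (%d)\n",
				ssl_freelist_max_len);
		return -1;
	}
#endif
#endif
#if defined (OPENSSL_NO_BUF_FREELISTS) || OPENSSL_VERSION_NUMBER < 0x01000000L
	if (ssl_freelist_max_len >= 0)
		ERR("cannot change openssl freelist_max_len, openssl too old"
				"(needed at least 1.0.0) or compiled without freelist support"
				" (OPENSSL_NO_BUF_FREELIST)\n");
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
	/* only in >= 0.9.9 */
	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_max_send_fragment,
								ssl_max_send_fragment, 0) < 0) {
		ERR("invalid ssl_max_send_fragment value (%d)\n",
				ssl_max_send_fragment);
		return -1;
	}
#else
	if (ssl_max_send_fragment > 0)
		ERR("cannot change openssl max_send_fragment, the openssl version"
				" is too old (need at least 0.9.9)\n");
#endif
	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_read_ahead,
								ssl_read_ahead, 0) < 0) {
		ERR("invalid ssl_read_ahead value (%d)\n", ssl_read_ahead);
		return -1;
	}
	/* set options for SSL_write:
		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER - needed when queueing
		  clear text for a future write (WANTS_READ). In this case the
		  buffer address will change for the repeated SSL_write() and
		  without this option it will trigger the openssl sanity checks.
		SSL_MODE_ENABLE_PARTIAL_WRITE - needed to deal with potentially
		  huge multi-record writes that don't fit in the default buffer
		  (the default buffer must have space for at least 1 record) */
	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_mode,
								SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
								SSL_MODE_ENABLE_PARTIAL_WRITE,
								0) < 0) {
		ERR("could not set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and"
				" SSL_MODE_ENABLE_PARTIAL_WRITE\n");
		return -1;
	}

	return 0;
}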
01060 
01061 
/**
 * Allocate a new, zero-filled TLS domains configuration in shared memory.
 *
 * @return the new configuration, or NULL (logged with ERR) when shm_malloc()
 *         fails
 */
tls_domains_cfg_t* tls_new_cfg(void)
{
	tls_domains_cfg_t* cfg = shm_malloc(sizeof *cfg);

	if (cfg == NULL) {
		ERR("No memory left\n");
		return NULL;
	}
	/* all lists and default slots start out empty */
	memset(cfg, 0, sizeof *cfg);
	return cfg;
}
01080 
01081 
/**
 * Find the TLS domain of a configuration matching (type, ip, port).
 *
 * When type has TLS_DOMAIN_DEF set, the default server or client domain
 * (chosen on TLS_DOMAIN_SRV) is returned directly. Otherwise the server or
 * client list is searched for an entry with the same port and an address
 * equal according to ip_addr_cmp(); the first match wins. When nothing
 * matches, the default domain of the same kind is returned, so the result
 * is NULL only when that default itself is unset.
 *
 * @param cfg  configuration to search (must be non-NULL)
 * @param type TLS_DOMAIN_* flags selecting the default/list to use
 * @param ip   address to match, handed to ip_addr_cmp()
 * @param port port to match
 * @return the matching domain, else the default domain of the same kind
 */
tls_domain_t* tls_lookup_cfg(tls_domains_cfg_t* cfg, int type,
								struct ip_addr* ip, unsigned short port)
{
	const int is_srv = (type & TLS_DOMAIN_SRV) != 0;
	tls_domain_t* fallback = is_srv ? cfg->srv_default : cfg->cli_default;
	tls_domain_t* cur;

	if (type & TLS_DOMAIN_DEF) return fallback;

	for (cur = is_srv ? cfg->srv_list : cfg->cli_list; cur; cur = cur->next) {
		if (cur->port == port && ip_addr_cmp(&cur->ip, ip)) return cur;
	}

	/* No matching domain found, return default */
	return fallback;
}
01113 
01114 
/**
 * Check whether a configuration already holds a domain equivalent to d.
 *
 * A default domain (TLS_DOMAIN_DEF) exists when the matching default slot
 * (server or client, chosen on TLS_DOMAIN_SRV) is already filled. Any other
 * domain exists when the server or client list holds an entry with the same
 * port and an address equal according to ip_addr_cmp().
 *
 * @param cfg configuration to inspect (must be non-NULL)
 * @param d   domain to look for (must be non-NULL)
 * @return 1 when an equivalent domain is present, 0 otherwise
 */
static int domain_exists(tls_domains_cfg_t* cfg, tls_domain_t* d)
{
	const int is_srv = (d->type & TLS_DOMAIN_SRV) != 0;
	tls_domain_t* cur;

	if (d->type & TLS_DOMAIN_DEF) {
		return (is_srv ? cfg->srv_default : cfg->cli_default) != NULL;
	}

	for (cur = is_srv ? cfg->srv_list : cfg->cli_list; cur; cur = cur->next) {
		if (cur->port == d->port && ip_addr_cmp(&cur->ip, &d->ip)) return 1;
	}

	return 0;
}
01141 
01142 
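/**
 * Add a domain to a TLS configuration.
 *
 * A default domain (TLS_DOMAIN_DEF) is stored in the client default slot
 * when TLS_DOMAIN_CLI is set, else in the server default slot. Any other
 * domain is pushed at the head of the server list (TLS_DOMAIN_SRV) or the
 * client list. A domain that domain_exists() already reports as present is
 * not added. The configuration takes over the pointer d; it is not copied.
 *
 * @param cfg configuration to extend
 * @param d   domain to add
 * @return 0 when added, 1 when an equivalent domain already exists,
 *         -1 when cfg or d is missing (logged with ERR)
 */
int tls_add_domain(tls_domains_cfg_t* cfg, tls_domain_t* d)
{
	if (!cfg) {
		ERR("TLS configuration structure missing\n");
		return -1;
	}
	/* domain_exists() reads d->type; reject a missing domain explicitly
	 * rather than dereferencing NULL */
	if (!d) {
		ERR("TLS domain missing\n");
		return -1;
	}

	/* Make sure the domain does not exist */
	if (domain_exists(cfg, d)) return 1;

	if (d->type & TLS_DOMAIN_DEF) {
		/* NOTE(review): the default slot is picked on TLS_DOMAIN_CLI here
		 * while domain_exists() and tls_lookup_cfg() test TLS_DOMAIN_SRV;
		 * equivalent only as long as exactly one of the two flags is set */
		if (d->type & TLS_DOMAIN_CLI) {
			cfg->cli_default = d;
		} else {
			cfg->srv_default = d;
		}
	} else if (d->type & TLS_DOMAIN_SRV) {
		d->next = cfg->srv_list;
		cfg->srv_list = d;
	} else {
		d->next = cfg->cli_list;
		cfg->cli_list = d;
	}
	return 0;
}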