1 /* ====================================================================
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
18 * ====================================================================
22 * Originally developed by Aaron Bannert and Justin Erenkrantz, eBuilt.
25 #include <apr_pools.h>
26 #include <apr_network_io.h>
27 #include <apr_portable.h>
28 #include <apr_strings.h>
29 #include <apr_base64.h>
30 #include <apr_version.h>
31 #include <apr_atomic.h>
34 #include "serf_private.h"
35 #include "serf_bucket_util.h"
37 #include <openssl/bio.h>
38 #include <openssl/ssl.h>
39 #include <openssl/err.h>
40 #include <openssl/pkcs12.h>
41 #include <openssl/x509v3.h>
43 #ifndef APR_VERSION_AT_LEAST /* Introduced in APR 1.3.0 */
44 #define APR_VERSION_AT_LEAST(major,minor,patch) \
45 (((major) < APR_MAJOR_VERSION) \
46 || ((major) == APR_MAJOR_VERSION && (minor) < APR_MINOR_VERSION) \
47 || ((major) == APR_MAJOR_VERSION && (minor) == APR_MINOR_VERSION && \
48 (patch) <= APR_PATCH_VERSION))
49 #endif /* APR_VERSION_AT_LEAST */
51 #ifndef APR_ARRAY_PUSH
52 #define APR_ARRAY_PUSH(ary,type) (*((type *)apr_array_push(ary)))
55 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
56 #define USE_OPENSSL_1_1_API
61 * Here's an overview of the SSL bucket's relationship to OpenSSL and serf.
63 * HTTP request: SSLENCRYPT(REQUEST)
64 * [context.c reads from SSLENCRYPT and writes out to the socket]
65 * HTTP response: RESPONSE(SSLDECRYPT(SOCKET))
66 * [handler function reads from RESPONSE which in turn reads from SSLDECRYPT]
68 * HTTP request read call path:
71 * |- serf_bucket_read on SSLENCRYPT
73 * |- serf_databuf_read
74 * |- common_databuf_prep
76 * |- 1. Try to read pending encrypted data; If available, return.
77 * |- 2. Try to read from ctx->stream [REQUEST bucket]
78 * |- 3. Call SSL_write with read data
80 * |- bio_bucket_read can be called
81 * |- bio_bucket_write with encrypted data
83 * |- 4. If successful, read pending encrypted data and return.
84 * |- 5. If fails, place read data back in ctx->stream
86 * HTTP response read call path:
88 * read_from_connection
92 * |- serf_bucket_read(SSLDECRYPT)
94 * |- serf_databuf_read
96 * |- 1. SSL_read() for pending decrypted data; if any, return.
97 * |- 2. Try to read from ctx->stream [SOCKET bucket]
98 * |- 3. Append data to ssl_ctx->source
99 * |- 4. Call SSL_read()
101 * |- bio_bucket_write can be called
103 * |- read data from ssl_ctx->source
104 * |- If data read, return it.
105 * |- If an error, set the STATUS value and return.
109 typedef struct bucket_list {
110 serf_bucket_t *bucket;
111 struct bucket_list *next;
115 /* Helper to read data. Wraps stream. */
116 serf_databuf_t databuf;
118 /* Our source for more data. */
119 serf_bucket_t *stream;
121 /* The next set of buckets */
122 bucket_list_t *stream_next;
124 /* The status of the last thing we read. */
126 apr_status_t exhausted;
129 /* Data we've read but not processed. */
130 serf_bucket_t *pending;
133 struct serf_ssl_context_t {
134 /* How many open buckets refer to this context. */
137 /* The pool that this context uses. */
140 /* The allocator associated with the above pool. */
141 serf_bucket_alloc_t *allocator;
143 /* Internal OpenSSL parameters */
149 serf_ssl_stream_t encrypt;
150 serf_ssl_stream_t decrypt;
152 /* Client cert callbacks */
153 serf_ssl_need_client_cert_t cert_callback;
155 apr_pool_t *cert_cache_pool;
156 const char *cert_file_success;
158 /* Client cert PW callbacks */
159 serf_ssl_need_cert_password_t cert_pw_callback;
160 void *cert_pw_userdata;
161 apr_pool_t *cert_pw_cache_pool;
162 const char *cert_pw_success;
164 /* Server cert callbacks */
165 serf_ssl_need_server_cert_t server_cert_callback;
166 serf_ssl_server_cert_chain_cb_t server_cert_chain_callback;
167 void *server_cert_userdata;
169 const char *cert_path;
172 EVP_PKEY *cached_cert_pw;
174 apr_status_t pending_err;
176 /* Status of a fatal error, returned on subsequent encrypt or decrypt
178 apr_status_t fatal_err;
182 /* The bucket-independent ssl context that this bucket is associated with */
183 serf_ssl_context_t *ssl_ctx;
185 /* Pointer to the 'right' databuf. */
186 serf_databuf_t *databuf;
188 /* Pointer to our stream, so we can find it later. */
189 serf_bucket_t **our_stream;
192 struct serf_ssl_certificate_t {
197 static void disable_compression(serf_ssl_context_t *ssl_ctx);
199 pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool);
202 /* Log all ssl alerts that we receive from the server. */
204 apps_ssl_info_callback(const SSL *s, int where, int ret)
208 w = where & ~SSL_ST_MASK;
210 if (w & SSL_ST_CONNECT)
212 else if (w & SSL_ST_ACCEPT)
217 if (where & SSL_CB_LOOP) {
218 serf__log(SSL_VERBOSE, __FILE__, "%s:%s\n", str,
219 SSL_state_string_long(s));
221 else if (where & SSL_CB_ALERT) {
222 str = (where & SSL_CB_READ) ? "read" : "write";
223 serf__log(SSL_VERBOSE, __FILE__, "SSL3 alert %s:%s:%s\n",
225 SSL_alert_type_string_long(ret),
226 SSL_alert_desc_string_long(ret));
228 else if (where & SSL_CB_EXIT) {
230 serf__log(SSL_VERBOSE, __FILE__, "%s:failed in %s\n", str,
231 SSL_state_string_long(s));
233 serf__log(SSL_VERBOSE, __FILE__, "%s:error in %s\n", str,
234 SSL_state_string_long(s));
240 static void bio_set_data(BIO *bio, void *data)
242 #ifdef USE_OPENSSL_1_1_API
243 BIO_set_data(bio, data);
249 static void *bio_get_data(BIO *bio)
251 #ifdef USE_OPENSSL_1_1_API
252 return BIO_get_data(bio);
258 /* Returns the amount read. */
259 static int bio_bucket_read(BIO *bio, char *in, int inlen)
261 serf_ssl_context_t *ctx = bio_get_data(bio);
266 serf__log(SSL_VERBOSE, __FILE__, "bio_bucket_read called for %d bytes\n",
269 if (ctx->encrypt.status == SERF_ERROR_WAIT_CONN
270 && BIO_should_read(ctx->bio)) {
271 serf__log(SSL_VERBOSE, __FILE__,
272 "bio_bucket_read waiting: (%d %d %d)\n",
273 BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio),
274 BIO_get_retry_flags(ctx->bio));
275 /* Falling back... */
276 ctx->encrypt.exhausted_reset = 1;
277 BIO_clear_retry_flags(bio);
280 status = serf_bucket_read(ctx->decrypt.pending, inlen, &data, &len);
282 ctx->decrypt.status = status;
284 serf__log(SSL_VERBOSE, __FILE__, "bio_bucket_read received %d bytes (%d)\n",
287 if (!SERF_BUCKET_READ_ERROR(status)) {
290 memcpy(in, data, len);
293 if (APR_STATUS_IS_EOF(status)) {
294 BIO_set_retry_read(bio);
302 /* Returns the amount written. */
303 static int bio_bucket_write(BIO *bio, const char *in, int inl)
305 serf_ssl_context_t *ctx = bio_get_data(bio);
308 serf__log(SSL_VERBOSE, __FILE__, "bio_bucket_write called for %d bytes\n",
311 if (ctx->encrypt.status == SERF_ERROR_WAIT_CONN
312 && !BIO_should_read(ctx->bio)) {
313 serf__log(SSL_VERBOSE, __FILE__,
314 "bio_bucket_write waiting: (%d %d %d)\n",
315 BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio),
316 BIO_get_retry_flags(ctx->bio));
317 /* Falling back... */
318 ctx->encrypt.exhausted_reset = 1;
319 BIO_clear_retry_flags(bio);
322 tmp = serf_bucket_simple_copy_create(in, inl,
323 ctx->encrypt.pending->allocator);
325 serf_bucket_aggregate_append(ctx->encrypt.pending, tmp);
330 /* Returns the amount read. */
331 static int bio_file_read(BIO *bio, char *in, int inlen)
333 apr_file_t *file = bio_get_data(bio);
338 status = apr_file_read(file, in, &len);
340 if (!SERF_BUCKET_READ_ERROR(status)) {
342 if (APR_STATUS_IS_EOF(status)) {
352 /* Returns the amount written. */
353 static int bio_file_write(BIO *bio, const char *in, int inl)
355 apr_file_t *file = bio_get_data(bio);
358 BIO_clear_retry_flags(bio);
361 apr_file_write(file, in, &nbytes);
366 static int bio_file_gets(BIO *bio, char *in, int inlen)
368 apr_file_t *file = bio_get_data(bio);
371 status = apr_file_gets(in, inlen, file);
374 return (int)strlen(in);
375 } else if (APR_STATUS_IS_EOF(status)) {
378 return -1; /* Signal generic error */
382 static int bio_bucket_create(BIO *bio)
384 #ifdef USE_OPENSSL_1_1_API
385 BIO_set_shutdown(bio, 1);
386 BIO_set_init(bio, 1);
387 BIO_set_data(bio, NULL);
398 static int bio_bucket_destroy(BIO *bio)
400 /* Did we already free this? */
408 static long bio_bucket_ctrl(BIO *bio, int cmd, long num, void *ptr)
417 /* At this point we can't force a flush. */
427 #ifndef USE_OPENSSL_1_1_API
428 static BIO_METHOD bio_bucket_method = {
430 "Serf SSL encryption and decryption buckets",
433 NULL, /* Is this called? */
434 NULL, /* Is this called? */
438 #ifdef OPENSSL_VERSION_NUMBER
439 NULL /* sslc does not have the callback_ctrl field */
443 static BIO_METHOD bio_file_method = {
445 "Wrapper around APR file structures",
448 NULL, /* Is this called? */
449 bio_file_gets, /* Is this called? */
453 #ifdef OPENSSL_VERSION_NUMBER
454 NULL /* sslc does not have the callback_ctrl field */
459 static BIO_METHOD *bio_meth_bucket_new(void)
461 BIO_METHOD *biom = NULL;
463 #ifdef USE_OPENSSL_1_1_API
464 biom = BIO_meth_new(BIO_TYPE_MEM,
465 "Serf SSL encryption and decryption buckets");
467 BIO_meth_set_write(biom, bio_bucket_write);
468 BIO_meth_set_read(biom, bio_bucket_read);
469 BIO_meth_set_ctrl(biom, bio_bucket_ctrl);
470 BIO_meth_set_create(biom, bio_bucket_create);
471 BIO_meth_set_destroy(biom, bio_bucket_destroy);
474 biom = &bio_bucket_method;
480 static BIO_METHOD *bio_meth_file_new(void)
482 BIO_METHOD *biom = NULL;
484 #ifdef USE_OPENSSL_1_1_API
485 biom = BIO_meth_new(BIO_TYPE_FILE,
486 "Wrapper around APR file structures");
487 BIO_meth_set_write(biom, bio_file_write);
488 BIO_meth_set_read(biom, bio_file_read);
489 BIO_meth_set_gets(biom, bio_file_gets);
490 BIO_meth_set_ctrl(biom, bio_bucket_ctrl);
491 BIO_meth_set_create(biom, bio_bucket_create);
492 BIO_meth_set_destroy(biom, bio_bucket_destroy);
494 biom = &bio_file_method;
500 static void bio_meth_free(BIO_METHOD *biom)
502 #ifdef USE_OPENSSL_1_1_API
507 typedef enum san_copy_t {
508 EscapeNulAndCopy = 0,
514 get_subject_alt_names(apr_array_header_t **san_arr, X509 *ssl_cert,
515 san_copy_t copy_action, apr_pool_t *pool)
517 STACK_OF(GENERAL_NAME) *names;
519 /* assert: copy_action == ErrorOnNul || (san_arr && pool) */
525 /* Get subjectAltNames */
526 names = X509_get_ext_d2i(ssl_cert, NID_subject_alt_name, NULL, NULL);
528 int names_count = sk_GENERAL_NAME_num(names);
532 *san_arr = apr_array_make(pool, names_count, sizeof(char*));
533 for (name_idx = 0; name_idx < names_count; name_idx++) {
535 GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, name_idx);
539 if (copy_action == ErrorOnNul &&
540 strlen(nm->d.ia5->data) != nm->d.ia5->length)
541 return SERF_ERROR_SSL_CERT_FAILED;
542 if (san_arr && *san_arr)
543 p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data,
548 /* Don't know what to do - skip. */
553 APR_ARRAY_PUSH(*san_arr, char*) = p;
556 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
562 static apr_status_t validate_cert_hostname(X509 *server_cert, apr_pool_t *pool)
568 ret = get_subject_alt_names(NULL, server_cert, ErrorOnNul, NULL);
572 /* Fail if the subject's CN field contains \0 characters. */
573 X509_NAME *subject = X509_get_subject_name(server_cert);
575 return SERF_ERROR_SSL_CERT_FAILED;
577 length = X509_NAME_get_text_by_NID(subject, NID_commonName, buf, 1024);
579 if (strlen(buf) != length)
580 return SERF_ERROR_SSL_CERT_FAILED;
587 validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
590 serf_ssl_context_t *ctx;
596 ssl = X509_STORE_CTX_get_ex_data(store_ctx,
597 SSL_get_ex_data_X509_STORE_CTX_idx());
598 ctx = SSL_get_app_data(ssl);
600 server_cert = X509_STORE_CTX_get_current_cert(store_ctx);
601 depth = X509_STORE_CTX_get_error_depth(store_ctx);
603 /* If the certification was found invalid, get the error and convert it to
604 something our caller will understand. */
606 err = X509_STORE_CTX_get_error(store_ctx);
609 case X509_V_ERR_CERT_NOT_YET_VALID:
610 failures |= SERF_SSL_CERT_NOTYETVALID;
612 case X509_V_ERR_CERT_HAS_EXPIRED:
613 failures |= SERF_SSL_CERT_EXPIRED;
615 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
616 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
617 failures |= SERF_SSL_CERT_SELF_SIGNED;
619 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
620 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
621 case X509_V_ERR_CERT_UNTRUSTED:
622 case X509_V_ERR_INVALID_CA:
623 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
624 failures |= SERF_SSL_CERT_UNKNOWNCA;
626 case X509_V_ERR_CERT_REVOKED:
627 failures |= SERF_SSL_CERT_REVOKED;
630 failures |= SERF_SSL_CERT_UNKNOWN_FAILURE;
635 /* Validate hostname */
636 status = validate_cert_hostname(server_cert, ctx->pool);
638 failures |= SERF_SSL_CERT_UNKNOWN_FAILURE;
640 /* Check certificate expiry dates. */
641 if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) {
642 failures |= SERF_SSL_CERT_NOTYETVALID;
644 else if (X509_cmp_current_time(X509_get_notAfter(server_cert)) <= 0) {
645 failures |= SERF_SSL_CERT_EXPIRED;
648 if (ctx->server_cert_callback &&
649 (depth == 0 || failures)) {
650 serf_ssl_certificate_t *cert;
653 apr_pool_create(&subpool, ctx->pool);
655 cert = apr_palloc(subpool, sizeof(serf_ssl_certificate_t));
656 cert->ssl_cert = server_cert;
659 /* Callback for further verification. */
660 status = ctx->server_cert_callback(ctx->server_cert_userdata,
662 if (status == APR_SUCCESS)
665 /* Even if openssl found the certificate valid, the application
666 told us to reject it. */
668 /* Pass the error back to the caller through the context-run. */
669 ctx->pending_err = status;
671 apr_pool_destroy(subpool);
674 if (ctx->server_cert_chain_callback
675 && (depth == 0 || failures)) {
676 STACK_OF(X509) *chain;
677 const serf_ssl_certificate_t **certs;
681 apr_pool_create(&subpool, ctx->pool);
683 /* Borrow the chain to pass to the callback. */
684 chain = X509_STORE_CTX_get_chain(store_ctx);
686 /* If the chain can't be retrieved, just pass the current
688 /* ### can this actually happen with _get_chain() ? */
690 serf_ssl_certificate_t *cert = apr_palloc(subpool, sizeof(*cert));
692 cert->ssl_cert = server_cert;
695 /* Room for the server_cert and a trailing NULL. */
696 certs = apr_palloc(subpool, sizeof(*certs) * 2);
703 certs_len = sk_X509_num(chain);
705 /* Room for all the certs and a trailing NULL. */
706 certs = apr_palloc(subpool, sizeof(*certs) * (certs_len + 1));
707 for (i = 0; i < certs_len; ++i) {
708 serf_ssl_certificate_t *cert;
710 cert = apr_palloc(subpool, sizeof(*cert));
711 cert->ssl_cert = sk_X509_value(chain, i);
717 certs[certs_len] = NULL;
719 /* Callback for further verification. */
720 status = ctx->server_cert_chain_callback(ctx->server_cert_userdata,
723 if (status == APR_SUCCESS) {
726 /* Even if openssl found the certificate valid, the application
727 told us to reject it. */
729 /* Pass the error back to the caller through the context-run. */
730 ctx->pending_err = status;
733 apr_pool_destroy(subpool);
736 /* Return a specific error if the server certificate is not accepted by
737 OpenSSL and the application has not set callbacks to override this. */
739 !ctx->server_cert_chain_callback &&
740 !ctx->server_cert_callback)
742 ctx->pending_err = SERF_ERROR_SSL_CERT_FAILED;
748 /* This function reads an encrypted stream and returns the decrypted stream. */
749 static apr_status_t ssl_decrypt(void *baton, apr_size_t bufsize,
750 char *buf, apr_size_t *len)
752 serf_ssl_context_t *ctx = baton;
759 return ctx->fatal_err;
761 serf__log(SSL_VERBOSE, __FILE__, "ssl_decrypt: begin %d\n", bufsize);
763 /* Is there some data waiting to be read? */
764 ssl_len = SSL_read(ctx->ssl, buf, bufsize);
766 serf__log(SSL_VERBOSE, __FILE__,
767 "ssl_decrypt: %d bytes (%d); status: %d; flags: %d\n",
768 ssl_len, bufsize, ctx->decrypt.status,
769 BIO_get_retry_flags(ctx->bio));
774 status = serf_bucket_read(ctx->decrypt.stream, bufsize, &data, &priv_len);
776 if (!SERF_BUCKET_READ_ERROR(status) && priv_len) {
779 serf__log(SSL_VERBOSE, __FILE__,
780 "ssl_decrypt: read %d bytes (%d); status: %d\n",
781 priv_len, bufsize, status);
783 tmp = serf_bucket_simple_copy_create(data, priv_len,
784 ctx->decrypt.pending->allocator);
786 serf_bucket_aggregate_append(ctx->decrypt.pending, tmp);
788 ssl_len = SSL_read(ctx->ssl, buf, bufsize);
792 ssl_err = SSL_get_error(ctx->ssl, ssl_len);
794 case SSL_ERROR_SYSCALL:
796 /* Return the underlying network error that caused OpenSSL
797 to fail. ### This can be a crypt error! */
798 status = ctx->decrypt.status;
800 case SSL_ERROR_WANT_READ:
801 case SSL_ERROR_WANT_WRITE:
807 if (ctx->pending_err) {
808 status = ctx->pending_err;
809 ctx->pending_err = 0;
811 ctx->fatal_err = status = SERF_ERROR_SSL_COMM_FAILED;
816 ctx->fatal_err = status = SERF_ERROR_SSL_COMM_FAILED;
819 } else if (ssl_len == 0) {
820 /* The server shut down the connection. */
821 int ssl_err, shutdown;
824 /* Check for SSL_RECEIVED_SHUTDOWN */
825 shutdown = SSL_get_shutdown(ctx->ssl);
826 /* Check for SSL_ERROR_ZERO_RETURN */
827 ssl_err = SSL_get_error(ctx->ssl, ssl_len);
829 if (shutdown == SSL_RECEIVED_SHUTDOWN &&
830 ssl_err == SSL_ERROR_ZERO_RETURN) {
831 /* The server closed the SSL session. While this doesn't
832 necessary mean the connection is closed, let's close
834 We can optimize this later. */
835 serf__log(SSL_VERBOSE, __FILE__,
836 "ssl_decrypt: SSL read error: server"
837 " shut down connection!\n");
840 /* A fatal error occurred. */
841 ctx->fatal_err = status = SERF_ERROR_SSL_COMM_FAILED;
845 serf__log(SSL_MSG_VERBOSE, __FILE__,
846 "---\n%.*s\n-(%d)-\n", *len, buf, *len);
852 serf__log(SSL_VERBOSE, __FILE__,
853 "ssl_decrypt: %d %d %d\n", status, *len,
854 BIO_get_retry_flags(ctx->bio));
859 /* This function reads a decrypted stream and returns an encrypted stream. */
860 static apr_status_t ssl_encrypt(void *baton, apr_size_t bufsize,
861 char *buf, apr_size_t *len)
864 apr_size_t interim_bufsize;
865 serf_ssl_context_t *ctx = baton;
869 return ctx->fatal_err;
871 serf__log(SSL_VERBOSE, __FILE__, "ssl_encrypt: begin %d\n", bufsize);
873 /* Try to read already encrypted but unread data first. */
874 status = serf_bucket_read(ctx->encrypt.pending, bufsize, &data, len);
875 if (SERF_BUCKET_READ_ERROR(status)) {
879 /* Aha, we read something. Return that now. */
881 memcpy(buf, data, *len);
882 if (APR_STATUS_IS_EOF(status)) {
883 status = APR_SUCCESS;
886 serf__log(SSL_VERBOSE, __FILE__, "ssl_encrypt: %d %d %d (quick read)\n",
887 status, *len, BIO_get_retry_flags(ctx->bio));
892 if (BIO_should_retry(ctx->bio) && BIO_should_write(ctx->bio)) {
893 serf__log(SSL_VERBOSE, __FILE__,
894 "ssl_encrypt: %d %d %d (should write exit)\n",
895 status, *len, BIO_get_retry_flags(ctx->bio));
900 /* If we were previously blocked, unblock ourselves now. */
901 if (BIO_should_read(ctx->bio)) {
902 serf__log(SSL_VERBOSE, __FILE__, "ssl_encrypt: reset %d %d (%d %d %d)\n",
903 status, ctx->encrypt.status,
904 BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio),
905 BIO_get_retry_flags(ctx->bio));
907 ctx->encrypt.status = APR_SUCCESS;
908 ctx->encrypt.exhausted_reset = 0;
911 /* Oh well, read from our stream now. */
912 interim_bufsize = bufsize;
914 apr_size_t interim_len;
916 if (!ctx->encrypt.status) {
917 struct iovec vecs[64];
920 status = serf_bucket_read_iovec(ctx->encrypt.stream,
921 interim_bufsize, 64, vecs,
924 if (!SERF_BUCKET_READ_ERROR(status) && vecs_read) {
926 int i, cur, vecs_data_len;
929 /* Combine the buffers of the iovec into one buffer, as
930 that is with SSL_write requires. */
932 for (i = 0; i < vecs_read; i++) {
933 vecs_data_len += vecs[i].iov_len;
936 vecs_data = serf_bucket_mem_alloc(ctx->allocator,
940 for (i = 0; i < vecs_read; i++) {
941 memcpy(vecs_data + cur, vecs[i].iov_base, vecs[i].iov_len);
942 cur += vecs[i].iov_len;
945 interim_bufsize -= vecs_data_len;
946 interim_len = vecs_data_len;
948 serf__log(SSL_VERBOSE, __FILE__,
949 "ssl_encrypt: bucket read %d bytes; "\
950 "status %d\n", interim_len, status);
951 serf__log(SSL_MSG_VERBOSE, __FILE__, "---\n%.*s\n-(%d)-\n",
952 interim_len, vecs_data, interim_len);
954 /* Stash our status away. */
955 ctx->encrypt.status = status;
957 ssl_len = SSL_write(ctx->ssl, vecs_data, interim_len);
959 serf__log(SSL_VERBOSE, __FILE__,
960 "ssl_encrypt: SSL write: %d\n", ssl_len);
962 /* If we failed to write... */
966 /* Ah, bugger. We need to put that data back.
967 Note: use the copy here, we do not own the original iovec
968 data buffer so it will be freed on next read. */
969 serf_bucket_t *vecs_copy =
970 serf_bucket_simple_own_create(vecs_data,
973 serf_bucket_aggregate_prepend(ctx->encrypt.stream,
976 ssl_err = SSL_get_error(ctx->ssl, ssl_len);
978 serf__log(SSL_VERBOSE, __FILE__,
979 "ssl_encrypt: SSL write error: %d\n", ssl_err);
981 if (ssl_err == SSL_ERROR_SYSCALL) {
982 /* Return the underlying network error that caused OpenSSL
983 to fail. ### This can be a decrypt error! */
984 status = ctx->encrypt.status;
985 if (SERF_BUCKET_READ_ERROR(status)) {
991 if (ssl_err == SSL_ERROR_WANT_READ) {
992 status = SERF_ERROR_WAIT_CONN;
995 ctx->fatal_err = status =
996 SERF_ERROR_SSL_COMM_FAILED;
1000 serf__log(SSL_VERBOSE, __FILE__,
1001 "ssl_encrypt: SSL write error: %d %d\n",
1004 /* We're done with this data. */
1005 serf_bucket_mem_free(ctx->allocator, vecs_data);
1012 status = ctx->encrypt.status;
1015 } while (!status && interim_bufsize);
1017 /* Okay, we exhausted our underlying stream. */
1018 if (!SERF_BUCKET_READ_ERROR(status)) {
1019 apr_status_t agg_status;
1020 struct iovec vecs[64];
1023 /* We read something! */
1024 agg_status = serf_bucket_read_iovec(ctx->encrypt.pending, bufsize,
1025 64, vecs, &vecs_read);
1027 for (i = 0; i < vecs_read; i++) {
1028 memcpy(buf + *len, vecs[i].iov_base, vecs[i].iov_len);
1029 *len += vecs[i].iov_len;
1032 serf__log(SSL_VERBOSE, __FILE__,
1033 "ssl_encrypt read agg: %d %d %d %d\n", status, agg_status,
1034 ctx->encrypt.status, *len);
1037 status = agg_status;
1041 if (status == SERF_ERROR_WAIT_CONN
1042 && BIO_should_retry(ctx->bio) && BIO_should_read(ctx->bio)) {
1043 ctx->encrypt.exhausted = ctx->encrypt.status;
1044 ctx->encrypt.status = SERF_ERROR_WAIT_CONN;
1047 serf__log(SSL_VERBOSE, __FILE__,
1048 "ssl_encrypt finished: %d %d (%d %d %d)\n", status, *len,
1049 BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio),
1050 BIO_get_retry_flags(ctx->bio));
1055 #if APR_HAS_THREADS && !defined(USE_OPENSSL_1_1_API)
1056 static apr_pool_t *ssl_pool;
1057 static apr_thread_mutex_t **ssl_locks;
1059 typedef struct CRYPTO_dynlock_value {
1060 apr_thread_mutex_t *lock;
1061 } CRYPTO_dynlock_value;
1063 static CRYPTO_dynlock_value *ssl_dyn_create(const char* file, int line)
1065 CRYPTO_dynlock_value *l;
1068 l = apr_palloc(ssl_pool, sizeof(CRYPTO_dynlock_value));
1069 rv = apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, ssl_pool);
1070 if (rv != APR_SUCCESS) {
1071 /* FIXME: return error here */
1076 static void ssl_dyn_lock(int mode, CRYPTO_dynlock_value *l, const char *file,
1079 if (mode & CRYPTO_LOCK) {
1080 apr_thread_mutex_lock(l->lock);
1082 else if (mode & CRYPTO_UNLOCK) {
1083 apr_thread_mutex_unlock(l->lock);
1087 static void ssl_dyn_destroy(CRYPTO_dynlock_value *l, const char *file,
1090 apr_thread_mutex_destroy(l->lock);
1093 static void ssl_lock(int mode, int n, const char *file, int line)
1095 if (mode & CRYPTO_LOCK) {
1096 apr_thread_mutex_lock(ssl_locks[n]);
1098 else if (mode & CRYPTO_UNLOCK) {
1099 apr_thread_mutex_unlock(ssl_locks[n]);
1103 static unsigned long ssl_id(void)
1105 /* FIXME: This is lame and not portable. -aaron */
1106 return (unsigned long) apr_os_thread_current();
1109 static apr_status_t cleanup_ssl(void *data)
1111 CRYPTO_set_locking_callback(NULL);
1112 CRYPTO_set_id_callback(NULL);
1113 CRYPTO_set_dynlock_create_callback(NULL);
1114 CRYPTO_set_dynlock_lock_callback(NULL);
1115 CRYPTO_set_dynlock_destroy_callback(NULL);
1122 #if !APR_VERSION_AT_LEAST(1,0,0)
1123 #define apr_atomic_cas32(mem, with, cmp) apr_atomic_cas(mem, with, cmp)
1128 INIT_UNINITIALIZED = 0,
1133 static volatile apr_uint32_t have_init_ssl = INIT_UNINITIALIZED;
1135 static void init_ssl_libraries(void)
1139 val = apr_atomic_cas32(&have_init_ssl, INIT_BUSY, INIT_UNINITIALIZED);
1142 #if APR_HAS_THREADS && !defined(USE_OPENSSL_1_1_API)
1147 /* Warn when compile-time and run-time version of OpenSSL differ in
1148 major/minor version number. */
1149 long libver = SSLeay();
1151 if ((libver ^ OPENSSL_VERSION_NUMBER) & 0xFFF00000) {
1152 serf__log(SSL_VERBOSE, __FILE__,
1153 "Warning: OpenSSL library version mismatch, compile-time "
1154 "was %lx, runtime is %lx.\n",
1155 OPENSSL_VERSION_NUMBER, libver);
1159 #ifdef USE_OPENSSL_1_1_API
1160 OPENSSL_malloc_init();
1162 CRYPTO_malloc_init();
1164 ERR_load_crypto_strings();
1165 SSL_load_error_strings();
1167 OpenSSL_add_all_algorithms();
1169 #if APR_HAS_THREADS && !defined(USE_OPENSSL_1_1_API)
1170 numlocks = CRYPTO_num_locks();
1171 apr_pool_create(&ssl_pool, NULL);
1172 ssl_locks = apr_palloc(ssl_pool, sizeof(apr_thread_mutex_t*)*numlocks);
1173 for (i = 0; i < numlocks; i++) {
1176 /* Intraprocess locks don't /need/ a filename... */
1177 rv = apr_thread_mutex_create(&ssl_locks[i],
1178 APR_THREAD_MUTEX_DEFAULT, ssl_pool);
1179 if (rv != APR_SUCCESS) {
1180 /* FIXME: error out here */
1183 CRYPTO_set_locking_callback(ssl_lock);
1184 CRYPTO_set_id_callback(ssl_id);
1185 CRYPTO_set_dynlock_create_callback(ssl_dyn_create);
1186 CRYPTO_set_dynlock_lock_callback(ssl_dyn_lock);
1187 CRYPTO_set_dynlock_destroy_callback(ssl_dyn_destroy);
1189 apr_pool_cleanup_register(ssl_pool, NULL, cleanup_ssl, cleanup_ssl);
1191 apr_atomic_cas32(&have_init_ssl, INIT_DONE, INIT_BUSY);
1195 /* Make sure we don't continue before the initialization in another
1196 thread has completed */
1197 while (val != INIT_DONE) {
1198 apr_sleep(APR_USEC_PER_SEC / 1000);
1200 val = apr_atomic_cas32(&have_init_ssl,
1202 INIT_UNINITIALIZED);
1207 static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey)
1209 serf_ssl_context_t *ctx = SSL_get_app_data(ssl);
1210 apr_status_t status;
1212 if (ctx->cached_cert) {
1213 *cert = ctx->cached_cert;
1214 *pkey = ctx->cached_cert_pw;
1218 while (ctx->cert_callback) {
1219 const char *cert_path;
1220 apr_file_t *cert_file;
1225 int retrying_success = 0;
1227 if (ctx->cert_file_success) {
1228 status = APR_SUCCESS;
1229 cert_path = ctx->cert_file_success;
1230 ctx->cert_file_success = NULL;
1231 retrying_success = 1;
1233 status = ctx->cert_callback(ctx->cert_userdata, &cert_path);
1236 if (status || !cert_path) {
1240 /* Load the x.509 cert file stored in PKCS12 */
1241 status = apr_file_open(&cert_file, cert_path, APR_READ, APR_OS_DEFAULT,
1248 biom = bio_meth_file_new();
1249 bio = BIO_new(biom);
1250 bio_set_data(bio, cert_file);
1252 ctx->cert_path = cert_path;
1253 p12 = d2i_PKCS12_bio(bio, NULL);
1254 apr_file_close(cert_file);
1256 i = PKCS12_parse(p12, NULL, pkey, cert, NULL);
1260 bio_meth_free(biom);
1261 ctx->cached_cert = *cert;
1262 ctx->cached_cert_pw = *pkey;
1263 if (!retrying_success && ctx->cert_cache_pool) {
1266 c = apr_pstrdup(ctx->cert_cache_pool, ctx->cert_path);
1268 apr_pool_userdata_setn(c, "serf:ssl:cert",
1269 apr_pool_cleanup_null,
1270 ctx->cert_cache_pool);
1275 int err = ERR_get_error();
1277 if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 &&
1278 ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) {
1279 if (ctx->cert_pw_callback) {
1280 const char *password;
1282 if (ctx->cert_pw_success) {
1283 status = APR_SUCCESS;
1284 password = ctx->cert_pw_success;
1285 ctx->cert_pw_success = NULL;
1287 status = ctx->cert_pw_callback(ctx->cert_pw_userdata,
1292 if (!status && password) {
1293 i = PKCS12_parse(p12, password, pkey, cert, NULL);
1296 bio_meth_free(biom);
1297 ctx->cached_cert = *cert;
1298 ctx->cached_cert_pw = *pkey;
1299 if (!retrying_success && ctx->cert_cache_pool) {
1302 c = apr_pstrdup(ctx->cert_cache_pool,
1305 apr_pool_userdata_setn(c, "serf:ssl:cert",
1306 apr_pool_cleanup_null,
1307 ctx->cert_cache_pool);
1309 if (!retrying_success && ctx->cert_pw_cache_pool) {
1312 c = apr_pstrdup(ctx->cert_pw_cache_pool,
1315 apr_pool_userdata_setn(c, "serf:ssl:certpw",
1316 apr_pool_cleanup_null,
1317 ctx->cert_pw_cache_pool);
1324 bio_meth_free(biom);
1328 printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err),
1330 ERR_GET_REASON(err));
1332 bio_meth_free(biom);
1341 void serf_ssl_client_cert_provider_set(
1342 serf_ssl_context_t *context,
1343 serf_ssl_need_client_cert_t callback,
1347 context->cert_callback = callback;
1348 context->cert_userdata = data;
1349 context->cert_cache_pool = cache_pool;
1350 if (context->cert_cache_pool) {
1351 apr_pool_userdata_get((void**)&context->cert_file_success,
1352 "serf:ssl:cert", cache_pool);
1357 void serf_ssl_client_cert_password_set(
1358 serf_ssl_context_t *context,
1359 serf_ssl_need_cert_password_t callback,
1363 context->cert_pw_callback = callback;
1364 context->cert_pw_userdata = data;
1365 context->cert_pw_cache_pool = cache_pool;
1366 if (context->cert_pw_cache_pool) {
1367 apr_pool_userdata_get((void**)&context->cert_pw_success,
1368 "serf:ssl:certpw", cache_pool);
1373 void serf_ssl_server_cert_callback_set(
1374 serf_ssl_context_t *context,
1375 serf_ssl_need_server_cert_t callback,
1378 context->server_cert_callback = callback;
1379 context->server_cert_userdata = data;
1382 void serf_ssl_server_cert_chain_callback_set(
1383 serf_ssl_context_t *context,
1384 serf_ssl_need_server_cert_t cert_callback,
1385 serf_ssl_server_cert_chain_cb_t cert_chain_callback,
1388 context->server_cert_callback = cert_callback;
1389 context->server_cert_chain_callback = cert_chain_callback;
1390 context->server_cert_userdata = data;
1393 static serf_ssl_context_t *ssl_init_context(serf_bucket_alloc_t *allocator)
1395 serf_ssl_context_t *ssl_ctx;
1397 init_ssl_libraries();
1399 ssl_ctx = serf_bucket_mem_alloc(allocator, sizeof(*ssl_ctx));
1401 ssl_ctx->refcount = 0;
1402 ssl_ctx->pool = serf_bucket_allocator_get_pool(allocator);
1403 ssl_ctx->allocator = allocator;
1405 /* Use the best possible protocol version, but disable the broken SSLv2/3 */
1406 ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method());
1407 SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
1409 SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert);
1410 ssl_ctx->cached_cert = 0;
1411 ssl_ctx->cached_cert_pw = 0;
1412 ssl_ctx->pending_err = APR_SUCCESS;
1413 ssl_ctx->fatal_err = APR_SUCCESS;
1415 ssl_ctx->cert_callback = NULL;
1416 ssl_ctx->cert_pw_callback = NULL;
1417 ssl_ctx->server_cert_callback = NULL;
1418 ssl_ctx->server_cert_chain_callback = NULL;
1420 SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER,
1421 validate_server_certificate);
1422 SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL);
1423 /* Disable SSL compression by default. */
1424 disable_compression(ssl_ctx);
1426 ssl_ctx->ssl = SSL_new(ssl_ctx->ctx);
1427 ssl_ctx->biom = bio_meth_bucket_new();
1428 ssl_ctx->bio = BIO_new(ssl_ctx->biom);
1429 bio_set_data(ssl_ctx->bio, ssl_ctx);
1431 SSL_set_bio(ssl_ctx->ssl, ssl_ctx->bio, ssl_ctx->bio);
1433 SSL_set_connect_state(ssl_ctx->ssl);
1435 SSL_set_app_data(ssl_ctx->ssl, ssl_ctx);
1438 SSL_CTX_set_info_callback(ssl_ctx->ctx, apps_ssl_info_callback);
1441 ssl_ctx->encrypt.stream = NULL;
1442 ssl_ctx->encrypt.stream_next = NULL;
1443 ssl_ctx->encrypt.pending = serf_bucket_aggregate_create(allocator);
1444 ssl_ctx->encrypt.status = APR_SUCCESS;
1445 serf_databuf_init(&ssl_ctx->encrypt.databuf);
1446 ssl_ctx->encrypt.databuf.read = ssl_encrypt;
1447 ssl_ctx->encrypt.databuf.read_baton = ssl_ctx;
1449 ssl_ctx->decrypt.stream = NULL;
1450 ssl_ctx->decrypt.pending = serf_bucket_aggregate_create(allocator);
1451 ssl_ctx->decrypt.status = APR_SUCCESS;
1452 serf_databuf_init(&ssl_ctx->decrypt.databuf);
1453 ssl_ctx->decrypt.databuf.read = ssl_decrypt;
1454 ssl_ctx->decrypt.databuf.read_baton = ssl_ctx;
1459 static apr_status_t ssl_free_context(
1460 serf_ssl_context_t *ssl_ctx)
1462 /* If never had the pending buckets, don't try to free them. */
1463 if (ssl_ctx->decrypt.pending != NULL) {
1464 serf_bucket_destroy(ssl_ctx->decrypt.pending);
1466 if (ssl_ctx->encrypt.pending != NULL) {
1467 serf_bucket_destroy(ssl_ctx->encrypt.pending);
1470 /* SSL_free implicitly frees the underlying BIO. */
1471 SSL_free(ssl_ctx->ssl);
1472 bio_meth_free(ssl_ctx->biom);
1473 SSL_CTX_free(ssl_ctx->ctx);
1475 serf_bucket_mem_free(ssl_ctx->allocator, ssl_ctx);
1480 static serf_bucket_t * serf_bucket_ssl_create(
1481 serf_ssl_context_t *ssl_ctx,
1482 serf_bucket_alloc_t *allocator,
1483 const serf_bucket_type_t *type)
1487 ctx = serf_bucket_mem_alloc(allocator, sizeof(*ctx));
1489 ctx->ssl_ctx = ssl_init_context(allocator);
1492 ctx->ssl_ctx = ssl_ctx;
1494 ctx->ssl_ctx->refcount++;
1496 return serf_bucket_create(type, allocator, ctx);
1499 apr_status_t serf_ssl_set_hostname(serf_ssl_context_t *context,
1500 const char * hostname)
1502 #ifdef SSL_set_tlsext_host_name
1503 if (SSL_set_tlsext_host_name(context->ssl, hostname) != 1) {
1510 apr_status_t serf_ssl_use_default_certificates(serf_ssl_context_t *ssl_ctx)
1512 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
1514 int result = X509_STORE_set_default_paths(store);
1516 return result ? APR_SUCCESS : SERF_ERROR_SSL_CERT_FAILED;
1519 apr_status_t serf_ssl_load_cert_file(
1520 serf_ssl_certificate_t **cert,
1521 const char *file_path,
1524 FILE *fp = fopen(file_path, "r");
1527 X509 *ssl_cert = PEM_read_X509(fp, NULL, NULL, NULL);
1531 *cert = apr_palloc(pool, sizeof(serf_ssl_certificate_t));
1532 (*cert)->ssl_cert = ssl_cert;
1538 return SERF_ERROR_SSL_CERT_FAILED;
1542 apr_status_t serf_ssl_trust_cert(
1543 serf_ssl_context_t *ssl_ctx,
1544 serf_ssl_certificate_t *cert)
1546 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
1548 int result = X509_STORE_add_cert(store, cert->ssl_cert);
1550 return result ? APR_SUCCESS : SERF_ERROR_SSL_CERT_FAILED;
1554 serf_bucket_t *serf_bucket_ssl_decrypt_create(
1555 serf_bucket_t *stream,
1556 serf_ssl_context_t *ssl_ctx,
1557 serf_bucket_alloc_t *allocator)
1562 bkt = serf_bucket_ssl_create(ssl_ctx, allocator,
1563 &serf_bucket_type_ssl_decrypt);
1567 ctx->databuf = &ctx->ssl_ctx->decrypt.databuf;
1568 if (ctx->ssl_ctx->decrypt.stream != NULL) {
1571 ctx->ssl_ctx->decrypt.stream = stream;
1572 ctx->our_stream = &ctx->ssl_ctx->decrypt.stream;
1578 serf_ssl_context_t *serf_bucket_ssl_decrypt_context_get(
1579 serf_bucket_t *bucket)
1581 ssl_context_t *ctx = bucket->data;
1582 return ctx->ssl_ctx;
1586 serf_bucket_t *serf_bucket_ssl_encrypt_create(
1587 serf_bucket_t *stream,
1588 serf_ssl_context_t *ssl_ctx,
1589 serf_bucket_alloc_t *allocator)
1594 bkt = serf_bucket_ssl_create(ssl_ctx, allocator,
1595 &serf_bucket_type_ssl_encrypt);
1599 ctx->databuf = &ctx->ssl_ctx->encrypt.databuf;
1600 ctx->our_stream = &ctx->ssl_ctx->encrypt.stream;
1601 if (ctx->ssl_ctx->encrypt.stream == NULL) {
1602 serf_bucket_t *tmp = serf_bucket_aggregate_create(stream->allocator);
1603 serf_bucket_aggregate_append(tmp, stream);
1604 ctx->ssl_ctx->encrypt.stream = tmp;
1607 bucket_list_t *new_list;
1609 new_list = serf_bucket_mem_alloc(ctx->ssl_ctx->allocator,
1611 new_list->bucket = stream;
1612 new_list->next = NULL;
1613 if (ctx->ssl_ctx->encrypt.stream_next == NULL) {
1614 ctx->ssl_ctx->encrypt.stream_next = new_list;
1617 bucket_list_t *scan = ctx->ssl_ctx->encrypt.stream_next;
1619 while (scan->next != NULL)
1621 scan->next = new_list;
1629 serf_ssl_context_t *serf_bucket_ssl_encrypt_context_get(
1630 serf_bucket_t *bucket)
1632 ssl_context_t *ctx = bucket->data;
1633 return ctx->ssl_ctx;
1636 /* Functions to read a serf_ssl_certificate structure. */
1638 /* Takes a counted length string and escapes any NUL bytes so that
1639 * it can be used as a C string. NUL bytes are escaped as 3 characters
1640 * "\00" (that's a literal backslash).
1641 * The returned string is allocated in POOL.
1644 pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool)
1646 int i, nul_count = 0;
1649 /* First determine if there are any nul bytes in the string. */
1650 for (i = 0; i < len; i++) {
1655 if (nul_count == 0) {
1656 /* There aren't so easy case to just copy the string */
1657 ret = apr_pstrdup(pool, buf);
1659 /* There are so we have to replace nul bytes with escape codes
1660 * Proper length is the length of the original string, plus
1661 * 2 times the number of nulls (for two digit hex code for
1662 * the value) + the trailing null. */
1664 ret = pos = apr_palloc(pool, len + 2 * nul_count + 1);
1665 for (i = 0; i < len; i++) {
1666 if (buf[i] != '\0') {
1680 /* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). Any NUL bytes in
1681 these fields in the certificate will be escaped as \00. */
1683 convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool)
1688 apr_hash_t *tgt = apr_hash_make(pool);
1690 ret = X509_NAME_get_text_by_NID(org,
1694 apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING,
1695 pstrdup_escape_nul_bytes(buf, ret, pool));
1696 ret = X509_NAME_get_text_by_NID(org,
1697 NID_pkcs9_emailAddress,
1700 apr_hash_set(tgt, "E", APR_HASH_KEY_STRING,
1701 pstrdup_escape_nul_bytes(buf, ret, pool));
1702 ret = X509_NAME_get_text_by_NID(org,
1703 NID_organizationalUnitName,
1706 apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING,
1707 pstrdup_escape_nul_bytes(buf, ret, pool));
1708 ret = X509_NAME_get_text_by_NID(org,
1709 NID_organizationName,
1712 apr_hash_set(tgt, "O", APR_HASH_KEY_STRING,
1713 pstrdup_escape_nul_bytes(buf, ret, pool));
1714 ret = X509_NAME_get_text_by_NID(org,
1718 apr_hash_set(tgt, "L", APR_HASH_KEY_STRING,
1719 pstrdup_escape_nul_bytes(buf, ret, pool));
1720 ret = X509_NAME_get_text_by_NID(org,
1721 NID_stateOrProvinceName,
1724 apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING,
1725 pstrdup_escape_nul_bytes(buf, ret, pool));
1726 ret = X509_NAME_get_text_by_NID(org,
1730 apr_hash_set(tgt, "C", APR_HASH_KEY_STRING,
1731 pstrdup_escape_nul_bytes(buf, ret, pool));
1737 int serf_ssl_cert_depth(const serf_ssl_certificate_t *cert)
1743 apr_hash_t *serf_ssl_cert_issuer(
1744 const serf_ssl_certificate_t *cert,
1747 X509_NAME *issuer = X509_get_issuer_name(cert->ssl_cert);
1752 return convert_X509_NAME_to_table(issuer, pool);
1756 apr_hash_t *serf_ssl_cert_subject(
1757 const serf_ssl_certificate_t *cert,
1760 X509_NAME *subject = X509_get_subject_name(cert->ssl_cert);
1765 return convert_X509_NAME_to_table(subject, pool);
1769 apr_hash_t *serf_ssl_cert_certificate(
1770 const serf_ssl_certificate_t *cert,
1773 apr_hash_t *tgt = apr_hash_make(pool);
1774 unsigned int md_size, i;
1775 unsigned char md[EVP_MAX_MD_SIZE];
1777 apr_array_header_t *san_arr;
1779 /* sha1 fingerprint */
1780 if (X509_digest(cert->ssl_cert, EVP_sha1(), md, &md_size)) {
1781 const char hex[] = "0123456789ABCDEF";
1782 char fingerprint[EVP_MAX_MD_SIZE * 3];
1784 for (i=0; i<md_size; i++) {
1785 fingerprint[3*i] = hex[(md[i] & 0xf0) >> 4];
1786 fingerprint[(3*i)+1] = hex[(md[i] & 0x0f)];
1787 fingerprint[(3*i)+2] = ':';
1790 fingerprint[(3*(md_size-1))+2] = '\0';
1792 fingerprint[0] = '\0';
1794 apr_hash_set(tgt, "sha1", APR_HASH_KEY_STRING,
1795 apr_pstrdup(pool, fingerprint));
1798 /* set expiry dates */
1799 bio = BIO_new(BIO_s_mem());
1801 ASN1_TIME *notBefore, *notAfter;
1804 memset (buf, 0, sizeof (buf));
1805 notBefore = X509_get_notBefore(cert->ssl_cert);
1806 if (ASN1_TIME_print(bio, notBefore)) {
1807 BIO_read(bio, buf, 255);
1808 apr_hash_set(tgt, "notBefore", APR_HASH_KEY_STRING,
1809 apr_pstrdup(pool, buf));
1811 memset (buf, 0, sizeof (buf));
1812 notAfter = X509_get_notAfter(cert->ssl_cert);
1813 if (ASN1_TIME_print(bio, notAfter)) {
1814 BIO_read(bio, buf, 255);
1815 apr_hash_set(tgt, "notAfter", APR_HASH_KEY_STRING,
1816 apr_pstrdup(pool, buf));
1821 /* Get subjectAltNames */
1822 if (!get_subject_alt_names(&san_arr, cert->ssl_cert, EscapeNulAndCopy, pool))
1823 apr_hash_set(tgt, "subjectAltName", APR_HASH_KEY_STRING, san_arr);
1829 const char *serf_ssl_cert_export(
1830 const serf_ssl_certificate_t *cert,
1836 unsigned char *unused;
1838 /* find the length of the DER encoding. */
1839 len = i2d_X509(cert->ssl_cert, NULL);
1844 binary_cert = apr_palloc(pool, len);
1845 unused = (unsigned char *)binary_cert;
1846 len = i2d_X509(cert->ssl_cert, &unused); /* unused is incremented */
1851 encoded_cert = apr_palloc(pool, apr_base64_encode_len(len));
1852 apr_base64_encode(encoded_cert, binary_cert, len);
1854 return encoded_cert;
1857 /* Disables compression for all SSL sessions. */
1858 static void disable_compression(serf_ssl_context_t *ssl_ctx)
1860 #ifdef SSL_OP_NO_COMPRESSION
1861 SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_COMPRESSION);
1865 apr_status_t serf_ssl_use_compression(serf_ssl_context_t *ssl_ctx, int enabled)
1868 #ifdef SSL_OP_NO_COMPRESSION
1869 SSL_clear_options(ssl_ctx->ssl, SSL_OP_NO_COMPRESSION);
1873 #ifdef SSL_OP_NO_COMPRESSION
1874 SSL_set_options(ssl_ctx->ssl, SSL_OP_NO_COMPRESSION);
1879 return APR_EGENERAL;
1882 static void serf_ssl_destroy_and_data(serf_bucket_t *bucket)
1884 ssl_context_t *ctx = bucket->data;
1886 if (!--ctx->ssl_ctx->refcount) {
1887 ssl_free_context(ctx->ssl_ctx);
1890 serf_default_destroy_and_data(bucket);
1893 static void serf_ssl_decrypt_destroy_and_data(serf_bucket_t *bucket)
1895 ssl_context_t *ctx = bucket->data;
1897 serf_bucket_destroy(*ctx->our_stream);
1899 serf_ssl_destroy_and_data(bucket);
1902 static void serf_ssl_encrypt_destroy_and_data(serf_bucket_t *bucket)
1904 ssl_context_t *ctx = bucket->data;
1905 serf_ssl_context_t *ssl_ctx = ctx->ssl_ctx;
1907 if (ssl_ctx->encrypt.stream == *ctx->our_stream) {
1908 serf_bucket_destroy(*ctx->our_stream);
1909 serf_bucket_destroy(ssl_ctx->encrypt.pending);
1911 /* Reset our encrypted status and databuf. */
1912 ssl_ctx->encrypt.status = APR_SUCCESS;
1913 ssl_ctx->encrypt.databuf.status = APR_SUCCESS;
1915 /* Advance to the next stream - if we have one. */
1916 if (ssl_ctx->encrypt.stream_next == NULL) {
1917 ssl_ctx->encrypt.stream = NULL;
1918 ssl_ctx->encrypt.pending = NULL;
1923 cur = ssl_ctx->encrypt.stream_next;
1924 ssl_ctx->encrypt.stream = cur->bucket;
1925 ssl_ctx->encrypt.pending =
1926 serf_bucket_aggregate_create(cur->bucket->allocator);
1927 ssl_ctx->encrypt.stream_next = cur->next;
1928 serf_bucket_mem_free(ssl_ctx->allocator, cur);
1932 /* Ah, darn. We haven't sent this one along yet. */
1935 serf_ssl_destroy_and_data(bucket);
1938 static apr_status_t serf_ssl_read(serf_bucket_t *bucket,
1939 apr_size_t requested,
1940 const char **data, apr_size_t *len)
1942 ssl_context_t *ctx = bucket->data;
1944 return serf_databuf_read(ctx->databuf, requested, data, len);
1947 static apr_status_t serf_ssl_readline(serf_bucket_t *bucket,
1948 int acceptable, int *found,
1952 ssl_context_t *ctx = bucket->data;
1954 return serf_databuf_readline(ctx->databuf, acceptable, found, data, len);
1957 static apr_status_t serf_ssl_peek(serf_bucket_t *bucket,
1961 ssl_context_t *ctx = bucket->data;
1963 return serf_databuf_peek(ctx->databuf, data, len);
1967 const serf_bucket_type_t serf_bucket_type_ssl_encrypt = {
1971 serf_default_read_iovec,
1972 serf_default_read_for_sendfile,
1973 serf_default_read_bucket,
1975 serf_ssl_encrypt_destroy_and_data,
1978 const serf_bucket_type_t serf_bucket_type_ssl_decrypt = {
1982 serf_default_read_iovec,
1983 serf_default_read_for_sendfile,
1984 serf_default_read_bucket,
1986 serf_ssl_decrypt_destroy_and_data,