Lines 33-38
|
33 |
#include "util_md5.h" |
33 |
#include "util_md5.h" |
34 |
#include "scoreboard.h" |
34 |
#include "scoreboard.h" |
35 |
|
35 |
|
|
|
36 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
37 |
#define TLS_ST_OK SSL_ST_OK |
38 |
#endif |
39 |
|
36 |
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); |
40 |
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); |
37 |
#ifdef HAVE_TLSEXT |
41 |
#ifdef HAVE_TLSEXT |
38 |
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); |
42 |
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); |
Lines 80-86
static apr_status_t upgrade_connection(r
|
80 |
SSL_set_accept_state(ssl); |
84 |
SSL_set_accept_state(ssl); |
81 |
SSL_do_handshake(ssl); |
85 |
SSL_do_handshake(ssl); |
82 |
|
86 |
|
83 |
if (SSL_get_state(ssl) != SSL_ST_OK) { |
87 |
if (SSL_get_state(ssl) != TLS_ST_OK) { |
84 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) |
88 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) |
85 |
"TLS upgrade handshake failed"); |
89 |
"TLS upgrade handshake failed"); |
86 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
90 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
Lines 432-438
int ssl_hook_Access(request_rec *r)
|
432 |
X509 *cert; |
436 |
X509 *cert; |
433 |
X509 *peercert; |
437 |
X509 *peercert; |
434 |
X509_STORE *cert_store = NULL; |
438 |
X509_STORE *cert_store = NULL; |
435 |
X509_STORE_CTX cert_store_ctx; |
439 |
X509_STORE_CTX *cert_store_ctx; |
436 |
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; |
440 |
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; |
437 |
const SSL_CIPHER *cipher = NULL; |
441 |
const SSL_CIPHER *cipher = NULL; |
438 |
int depth, verify_old, verify, n, is_slave = 0; |
442 |
int depth, verify_old, verify, n, is_slave = 0; |
Lines 456-462
int ssl_hook_Access(request_rec *r)
|
456 |
* forbidden in the latter case, let ap_die() handle |
460 |
* forbidden in the latter case, let ap_die() handle |
457 |
* this recursive (same) error. |
461 |
* this recursive (same) error. |
458 |
*/ |
462 |
*/ |
459 |
if (SSL_get_state(ssl) != SSL_ST_OK) { |
463 |
if (SSL_get_state(ssl) != TLS_ST_OK) { |
460 |
return HTTP_FORBIDDEN; |
464 |
return HTTP_FORBIDDEN; |
461 |
} |
465 |
} |
462 |
ctx = SSL_get_SSL_CTX(ssl); |
466 |
ctx = SSL_get_SSL_CTX(ssl); |
Lines 622-628
int ssl_hook_Access(request_rec *r)
|
622 |
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list)); |
626 |
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list)); |
623 |
n++) |
627 |
n++) |
624 |
{ |
628 |
{ |
625 |
SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); |
629 |
const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); |
626 |
|
630 |
|
627 |
if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) { |
631 |
if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) { |
628 |
renegotiate = TRUE; |
632 |
renegotiate = TRUE; |
Lines 633-639
int ssl_hook_Access(request_rec *r)
|
633 |
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old)); |
637 |
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old)); |
634 |
n++) |
638 |
n++) |
635 |
{ |
639 |
{ |
636 |
SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); |
640 |
const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); |
637 |
|
641 |
|
638 |
if (sk_SSL_CIPHER_find(cipher_list, value) < 0) { |
642 |
if (sk_SSL_CIPHER_find(cipher_list, value) < 0) { |
639 |
renegotiate = TRUE; |
643 |
renegotiate = TRUE; |
Lines 914-938
int ssl_hook_Access(request_rec *r)
|
914 |
cert = sk_X509_value(cert_stack, 0); |
918 |
cert = sk_X509_value(cert_stack, 0); |
915 |
} |
919 |
} |
916 |
|
920 |
|
917 |
X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); |
921 |
cert_store_ctx = X509_STORE_CTX_new(); |
|
|
922 |
X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); |
918 |
depth = SSL_get_verify_depth(ssl); |
923 |
depth = SSL_get_verify_depth(ssl); |
919 |
|
924 |
|
920 |
if (depth >= 0) { |
925 |
if (depth >= 0) { |
921 |
X509_STORE_CTX_set_depth(&cert_store_ctx, depth); |
926 |
X509_STORE_CTX_set_depth(cert_store_ctx, depth); |
922 |
} |
927 |
} |
923 |
|
928 |
|
924 |
X509_STORE_CTX_set_ex_data(&cert_store_ctx, |
929 |
X509_STORE_CTX_set_ex_data(cert_store_ctx, |
925 |
SSL_get_ex_data_X509_STORE_CTX_idx(), |
930 |
SSL_get_ex_data_X509_STORE_CTX_idx(), |
926 |
(char *)ssl); |
931 |
(char *)ssl); |
927 |
|
932 |
|
928 |
if (!X509_verify_cert(&cert_store_ctx)) { |
933 |
if (!X509_verify_cert(cert_store_ctx)) { |
929 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) |
934 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) |
930 |
"Re-negotiation verification step failed"); |
935 |
"Re-negotiation verification step failed"); |
931 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
936 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
932 |
} |
937 |
} |
933 |
|
938 |
|
934 |
SSL_set_verify_result(ssl, cert_store_ctx.error); |
939 |
SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); |
935 |
X509_STORE_CTX_cleanup(&cert_store_ctx); |
940 |
X509_STORE_CTX_free(cert_store_ctx); |
936 |
|
941 |
|
937 |
if (cert_stack != SSL_get_peer_cert_chain(ssl)) { |
942 |
if (cert_stack != SSL_get_peer_cert_chain(ssl)) { |
938 |
/* we created this ourselves, so free it */ |
943 |
/* we created this ourselves, so free it */ |
Lines 983-989
int ssl_hook_Access(request_rec *r)
|
983 |
SSL_renegotiate(ssl); |
988 |
SSL_renegotiate(ssl); |
984 |
SSL_do_handshake(ssl); |
989 |
SSL_do_handshake(ssl); |
985 |
|
990 |
|
986 |
if (SSL_get_state(ssl) != SSL_ST_OK) { |
991 |
if (SSL_get_state(ssl) != TLS_ST_OK) { |
987 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225) |
992 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225) |
988 |
"Re-negotiation request failed"); |
993 |
"Re-negotiation request failed"); |
989 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
994 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
Lines 995-1014
int ssl_hook_Access(request_rec *r)
|
995 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226) |
1000 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226) |
996 |
"Awaiting re-negotiation handshake"); |
1001 |
"Awaiting re-negotiation handshake"); |
997 |
|
1002 |
|
998 |
/* XXX: Should replace setting state with SSL_renegotiate(ssl); |
1003 |
/* XXX: Why is this done twice? */ |
999 |
* However, this causes failures in perl-framework currently, |
1004 |
SSL_renegotiate(ssl); |
1000 |
* perhaps pre-test if we have already negotiated? |
1005 |
/* XXX: Return value ignored, uses SSL_get_state instead? */ |
1001 |
*/ |
|
|
1002 |
#ifdef OPENSSL_NO_SSL_INTERN |
1003 |
SSL_set_state(ssl, SSL_ST_ACCEPT); |
1004 |
#else |
1005 |
ssl->state = SSL_ST_ACCEPT; |
1006 |
#endif |
1007 |
SSL_do_handshake(ssl); |
1006 |
SSL_do_handshake(ssl); |
1008 |
|
1007 |
|
1009 |
sslconn->reneg_state = RENEG_REJECT; |
1008 |
sslconn->reneg_state = RENEG_REJECT; |
1010 |
|
1009 |
|
1011 |
if (SSL_get_state(ssl) != SSL_ST_OK) { |
1010 |
if (SSL_get_state(ssl) != TLS_ST_OK) { |
1012 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) |
1011 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) |
1013 |
"Re-negotiation handshake failed"); |
1012 |
"Re-negotiation handshake failed"); |
1014 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
1013 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); |
Lines 1513-1519
DH *ssl_callback_TmpDH(SSL *ssl, int exp
|
1513 |
SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); |
1512 |
SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); |
1514 |
#endif |
1513 |
#endif |
1515 |
pkey = SSL_get_privatekey(ssl); |
1514 |
pkey = SSL_get_privatekey(ssl); |
1516 |
type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; |
1515 |
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; |
1517 |
|
1516 |
|
1518 |
/* |
1517 |
/* |
1519 |
* OpenSSL will call us with either keylen == 512 or keylen == 1024 |
1518 |
* OpenSSL will call us with either keylen == 512 or keylen == 1024 |
Lines 1725-1735
static void modssl_proxy_info_log(conn_r
|
1725 |
* so we need to increment here to prevent them from |
1724 |
* so we need to increment here to prevent them from |
1726 |
* being freed. |
1725 |
* being freed. |
1727 |
*/ |
1726 |
*/ |
|
|
1727 |
|
1728 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1729 |
#define modssl_set_cert_info(info, cert, pkey) \ |
1730 |
*cert = info->x509; \ |
1731 |
X509_up_ref(*cert); \ |
1732 |
*pkey = info->x_pkey->dec_pkey; \ |
1733 |
EVP_PKEY_up_ref(*pkey) |
1734 |
#else |
1728 |
#define modssl_set_cert_info(info, cert, pkey) \ |
1735 |
#define modssl_set_cert_info(info, cert, pkey) \ |
1729 |
*cert = info->x509; \ |
1736 |
*cert = info->x509; \ |
1730 |
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ |
1737 |
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ |
1731 |
*pkey = info->x_pkey->dec_pkey; \ |
1738 |
*pkey = info->x_pkey->dec_pkey; \ |
1732 |
CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY) |
1739 |
CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY) |
|
|
1740 |
#endif |
1733 |
|
1741 |
|
1734 |
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) |
1742 |
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) |
1735 |
{ |
1743 |
{ |
Lines 1823-1829
int ssl_callback_proxy_cert(SSL *ssl, X5
|
1823 |
|
1831 |
|
1824 |
static void ssl_session_log(server_rec *s, |
1832 |
static void ssl_session_log(server_rec *s, |
1825 |
const char *request, |
1833 |
const char *request, |
1826 |
unsigned char *id, |
1834 |
const unsigned char *id, |
1827 |
unsigned int idlen, |
1835 |
unsigned int idlen, |
1828 |
const char *status, |
1836 |
const char *status, |
1829 |
const char *result, |
1837 |
const char *result, |
Lines 1907-1913
int ssl_callback_NewSessionCacheEntry(SS
|
1907 |
* of our other Apache pre-forked server processes. |
1915 |
* of our other Apache pre-forked server processes. |
1908 |
*/ |
1916 |
*/ |
1909 |
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, |
1917 |
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, |
1910 |
unsigned char *id, |
1918 |
const unsigned char *id, |
1911 |
int idlen, int *do_copy) |
1919 |
int idlen, int *do_copy) |
1912 |
{ |
1920 |
{ |
1913 |
/* Get Apache context back through OpenSSL context */ |
1921 |
/* Get Apache context back through OpenSSL context */ |
Lines 2070-2077
void ssl_callback_Info(const SSL *ssl, i
|
2070 |
if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { |
2078 |
if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { |
2071 |
int state = SSL_get_state((SSL *)ssl); |
2079 |
int state = SSL_get_state((SSL *)ssl); |
2072 |
|
2080 |
|
|
|
2081 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
2082 |
if (state == TLS_ST_SR_CLNT_HELLO) { |
2083 |
#else |
2073 |
if (state == SSL3_ST_SR_CLNT_HELLO_A |
2084 |
if (state == SSL3_ST_SR_CLNT_HELLO_A |
2074 |
|| state == SSL23_ST_SR_CLNT_HELLO_A) { |
2085 |
|| state == SSL23_ST_SR_CLNT_HELLO_A) { |
|
|
2086 |
#endif |
2075 |
scr->reneg_state = RENEG_ABORT; |
2087 |
scr->reneg_state = RENEG_ABORT; |
2076 |
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) |
2088 |
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) |
2077 |
"rejecting client initiated renegotiation"); |
2089 |
"rejecting client initiated renegotiation"); |
Lines 2279-2285
int ssl_callback_SessionTicket(SSL *ssl,
|
2279 |
} |
2291 |
} |
2280 |
|
2292 |
|
2281 |
memcpy(keyname, ticket_key->key_name, 16); |
2293 |
memcpy(keyname, ticket_key->key_name, 16); |
2282 |
RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); |
2294 |
/* XXX: Return value not checked. */ |
|
|
2295 |
RAND_bytes(iv, EVP_MAX_IV_LENGTH); |
2283 |
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, |
2296 |
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, |
2284 |
ticket_key->aes_key, iv); |
2297 |
ticket_key->aes_key, iv); |
2285 |
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); |
2298 |
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); |
Lines 2416-2433
int ssl_callback_SRPServerParams(SSL *ss
|
2416 |
SRP_user_pwd *u; |
2429 |
SRP_user_pwd *u; |
2417 |
|
2430 |
|
2418 |
if (username == NULL |
2431 |
if (username == NULL |
2419 |
|| (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { |
2432 |
|| (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) { |
2420 |
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY; |
2433 |
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY; |
2421 |
return SSL3_AL_FATAL; |
2434 |
return SSL3_AL_FATAL; |
2422 |
} |
2435 |
} |
2423 |
|
2436 |
|
2424 |
if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { |
2437 |
if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { |
|
|
2438 |
SRP_user_pwd_free(u); |
2425 |
*ad = SSL_AD_INTERNAL_ERROR; |
2439 |
*ad = SSL_AD_INTERNAL_ERROR; |
2426 |
return SSL3_AL_FATAL; |
2440 |
return SSL3_AL_FATAL; |
2427 |
} |
2441 |
} |
2428 |
|
2442 |
|
2429 |
/* reset all other options */ |
2443 |
/* reset all other options */ |
2430 |
SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); |
2444 |
SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); |
|
|
2445 |
SRP_user_pwd_free(u); |
2431 |
return SSL_ERROR_NONE; |
2446 |
return SSL_ERROR_NONE; |
2432 |
} |
2447 |
} |
2433 |
|
2448 |
|
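Review bot: The replacement for the SSL_ST_ACCEPT hack in the "Lines 995-1014" hunk (new lines 1003-1006) appears to no longer wait for the client's half of the renegotiation: the old code forced the state machine into accept state so that `SSL_do_handshake()` consumed the incoming ClientHello, whereas a second `SSL_renegotiate()`/`SSL_do_handshake()` pair, as far as I can tell from the 1.1.0 state machine, only sends another HelloRequest and returns with the state already back at TLS_ST_OK. If that is right, the `SSL_get_state(ssl) != TLS_ST_OK` check at new line 1010 cannot fail here, and whatever follows in ssl_hook_Access() that inspects the renegotiated session (outside this hunk) would run before the renegotiated handshake, and the client certificate it is meant to obtain, has actually happened; the patch's own "XXX: Why is this done twice?" comment suggests this was not confirmed. On 1.1.0 the server side is normally driven through a pending handshake by a read, so replacing the second `SSL_renegotiate(ssl); SSL_do_handshake(ssl);` with a zero-length peek such as `char peekbuf[1]; SSL_peek(ssl, peekbuf, 0);` under an `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard (keeping the old SSL_set_state branch for older OpenSSL) is worth trying against the perl-framework renegotiation tests, and the ignored return value flagged at new line 1005 should at least be logged. ssl_hook_Access() starts and ends outside this hunk.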