/*
* This callback is issued during the TLS-SRP handshake.
* We can use this to get the userid from the TLS-SRP handshake.
* If a verifier file as provided, we must pull the SRP verifier
* parameters and invoke SSL_set_srp_server_param() with these
* values to allow the TLS handshake to succeed. If the application
* layer wants to use their own verifier store, they would
* hook into it here. They would lookup the verifier parameters
* based on the userid and return those parameters by invoking
* SSL_set_srp_server_param().
*/
static int process_ssl_srp_auth (SSL *s, int *ad, void *arg)
{
char *login = SSL_get_srp_username(s);
SRP_user_pwd *user;
if (!login)
return (-1);
user = SRP_VBASE_get_by_user(srp_db, login);
if (user == NULL) {
printf("User doesn't exist in SRP database\n");
return SSL3_AL_FATAL;
}
/*
* Get the SRP parameters for the user from the verifier database.
* Provide these parameters to TLS to complete the handshake
*/
if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
user->info) < 0) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
printf("SRP parameters set: username = \"%s\" info=\"%s\" \n", login,
user->info);
user = NULL;
login = NULL;
fflush(stdout);
return SSL_ERROR_NONE;
}
static int SSLSRPServerParamCallback(SSL *s, int *ad, void *arg)
{
const char* userName = SSL_get_srp_username(s);
LOG(INFO) << "User " << userName;
const User* user = GetUser(userName);
if (!user)
{
LOG(ERROR) << "User " << userName << " doesn't exist";
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
return SSL3_AL_FATAL;
}
SRP_gN *GN = SRP_get_default_gN(FLAGS_srp_default_gN.c_str());
if(GN == NULL)
{
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
if (!SSL_set_srp_server_param(s, GN->N, GN->g, user->GetSalt(), user->GetVerifier(), NULL))
{
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
return SSL_ERROR_NONE;
}
static int srp_callback(SSL* s, int* ad, void* arg)
{
if (strcmp(SSL_get_srp_username(s), "USER") != 0) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
if (SSL_set_srp_server_param_pw(s, "USER", "PASS", "1024") < 0) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
return SSL_ERROR_NONE;
}
static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn,
request_rec *r, char *var)
{
char *result;
X509 *xs;
STACK_OF(X509) *sk;
SSL *ssl;
result = NULL;
ssl = sslconn->ssl;
if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
result = ssl_var_lookup_ssl_version(p, var+8);
}
else if (ssl != NULL && strcEQ(var, "PROTOCOL")) {
result = (char *)SSL_get_version(ssl);
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
char buf[MODSSL_SESSION_ID_STRING_LEN];
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
IDCONST unsigned char *id;
unsigned int idlen;
#ifdef OPENSSL_NO_SSL_INTERN
id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
#else
id = pSession->session_id;
idlen = pSession->session_id_length;
#endif
result = apr_pstrdup(p, modssl_SSL_SESSION_id2sz(id, idlen,
buf, sizeof(buf)));
}
}
else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
if (SSL_session_reused(ssl) == 1)
result = "Resumed";
else
result = "Initial";
}
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6);
}
else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) {
sk = SSL_get_peer_cert_chain(ssl);
result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
}
else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) {
result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl);
}
else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
result = ssl_var_lookup_ssl_cert_verify(p, sslconn);
}
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
X509_free(xs);
}
}
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
if ((xs = SSL_get_certificate(ssl)) != NULL) {
result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
/* SSL_get_certificate is different from SSL_get_peer_certificate.
* No need to X509_free(xs).
*/
}
}
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl);
}
#ifdef HAVE_TLSEXT
else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
result = apr_pstrdup(p, SSL_get_servername(ssl,
TLSEXT_NAMETYPE_host_name));
}
#endif
else if (ssl != NULL && strcEQ(var, "SECURE_RENEG")) {
int flag = 0;
#ifdef SSL_get_secure_renegotiation_support
flag = SSL_get_secure_renegotiation_support(ssl);
#endif
result = apr_pstrdup(p, flag ? "true" : "false");
}
#ifdef HAVE_SRP
else if (ssl != NULL && strcEQ(var, "SRP_USER")) {
if ((result = SSL_get_srp_username(ssl)) != NULL) {
result = apr_pstrdup(p, result);
}
}
else if (ssl != NULL && strcEQ(var, "SRP_USERINFO")) {
if ((result = SSL_get_srp_userinfo(ssl)) != NULL) {
result = apr_pstrdup(p, result);
}
}
#endif
return result;
}
