void
lws_ssl_info_callback(const SSL *ssl, int where, int ret)
{
struct lws *wsi;
struct lws_context *context;
struct lws_ssl_info si;
#ifndef USE_WOLFSSL
context = (struct lws_context *)SSL_CTX_get_ex_data(
SSL_get_SSL_CTX(ssl),
openssl_SSL_CTX_private_data_index);
#else
context = (struct lws_context *)SSL_CTX_get_ex_data(
SSL_get_SSL_CTX((SSL*) ssl),
openssl_SSL_CTX_private_data_index);
#endif
if (!context)
return;
wsi = wsi_from_fd(context, SSL_get_fd(ssl));
if (!wsi)
return;
if (!(where & wsi->vhost->tls.ssl_info_event_mask))
return;
si.where = where;
si.ret = ret;
if (user_callback_handle_rxflow(wsi->protocol->callback,
wsi, LWS_CALLBACK_SSL_INFO,
wsi->user_space, &si, 0))
lws_set_timeout(wsi, PENDING_TIMEOUT_KILLED_BY_SSL_INFO, -1);
}
BOOL ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate,
int cert_len, const char* szCertPwd )
{
SSL *ssl = NULL;
int ret = FALSE;
if((sslContextHandle >= ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0))
{
goto error;
}
ssl = (SSL*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
if (ssl == NULL)
{
goto error;
}
// SSL_CTX_load_verify_locations is defined to accept a filename, however since
// we do not support a filesystem the low level OpenSSL file access routines
// have been written to fake file support via directly reading from a binary blob
ret = SSL_CTX_load_verify_locations( SSL_get_SSL_CTX(ssl), certificate, NULL );
error:
return ret;
}
/**
* Call Lua user function to get the DH key.
*/
static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
{
BIO *bio;
lua_State *L;
DH *dh_tmp = NULL;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
L = (lua_State*)SSL_CTX_get_app_data(ctx);
/* Get the callback */
luaL_getmetatable(L, "SSL:DH:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_gettable(L, -2);
/* Invoke the callback */
lua_pushnumber(L, is_export);
lua_pushnumber(L, keylength);
lua_call(L, 2, 1);
/* Load parameters from returned value */
if (lua_type(L, -1) != LUA_TSTRING) {
lua_pop(L, 2); /* Remove values from stack */
return NULL;
}
bio = BIO_new_mem_buf((void*)lua_tostring(L, -1),
lua_rawlen(L, -1));
if (bio) {
dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
}
lua_pop(L, 2); /* Remove values from stack */
return dh_tmp;
}
/**
* This callback implements the "continue on error" flag and log the errors.
*/
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
int err;
int verify;
SSL *ssl;
SSL_CTX *ctx;
p_context pctx;
lua_State *L;
/* Short-circuit optimization */
if (preverify_ok)
return 1;
ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
ctx = SSL_get_SSL_CTX(ssl);
pctx = (p_context)SSL_CTX_get_app_data(ctx);
L = pctx->L;
/* Get verify flags */
luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_gettable(L, -2);
verify = (int)lua_tonumber(L, -1);
lua_pop(L, 2); /* Remove values from stack */
err = X509_STORE_CTX_get_error(x509_ctx);
if (err != X509_V_OK)
add_cert_error(L, ssl, err, X509_STORE_CTX_get_error_depth(x509_ctx));
return (verify & LSEC_VERIFY_CONTINUE ? 1 : preverify_ok);
}
static int tlsext_servername_callback(SSL *ssl, int *ad, void *arg)
{
SSL_CTX *newctx = NULL;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
lua_State *L = SSL_CTX_get_app_data(ctx);
const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
/* No name, use default context */
if (!name)
return SSL_TLSEXT_ERR_NOACK;
/* Search for the name in the map */
openssl_getvalue(L, ctx, "tlsext_servername");
if (lua_istable(L, -1))
{
lua_getfield(L, -1, name);
if (auxiliar_isclass(L, "openssl.ssl_ctx", -1))
{
newctx = CHECK_OBJECT(-1, SSL_CTX, "openssl.ssl_ctx");
SSL_set_SSL_CTX(ssl, newctx);
lua_pop(L, 2);
return SSL_TLSEXT_ERR_OK;
}
}
else if (lua_isfunction(L, -1))
{
}
else
{
}
lua_pop(L, 1);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[],
EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int create)
{
static const EVP_MD *sha256;
static const EVP_CIPHER *aes128;
TLS_TICKET_KEY *key;
TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
int timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2;
if ((!sha256 && (sha256 = EVP_sha256()) == 0)
|| (!aes128 && (aes128 = EVP_aes_128_cbc()) == 0)
|| (key = tls_mgr_key(create ? 0 : name, timeout)) == 0
|| (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0))
return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);
HMAC_Init_ex(hctx, key->hmac, TLS_TICKET_MACLEN, sha256, NOENGINE);
if (create) {
EVP_EncryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
memcpy((char *) name, (char *) key->name, TLS_TICKET_NAMELEN);
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: Issuing session ticket, key expiration: %ld",
TLScontext->namaddr, (long) key->tout);
} else {
EVP_DecryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: Decrypting session ticket, key expiration: %ld",
TLScontext->namaddr, (long) key->tout);
}
TLScontext->ticketed = 1;
return (TLS_TKT_ACCEPT);
}
int verify_cb(int ok, X509_STORE_CTX* store) {
SSL* ssl = (SSL *)X509_STORE_CTX_get_app_data(store);
SSL_CTX* ssl_ctx = ssl_ctx = SSL_get_SSL_CTX(ssl);
void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
// get the pointer to the go Ctx object and pass it back into the thunk
return verify_cb_thunk(p, ok, store);
}
static int certVerifyCallback(int ok, X509_STORE_CTX* ctx)
{
// whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0)
unsigned err = X509_STORE_CTX_get_error(ctx);
if (!err)
return 1;
SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
SSL_CTX* sslctx = SSL_get_SSL_CTX(ssl);
ResourceHandle* job = reinterpret_cast<ResourceHandle*>(SSL_CTX_get_app_data(sslctx));
String host = job->firstRequest().url().host();
ResourceHandleInternal* d = job->getInternal();
d->m_sslErrors = sslCertificateFlag(err);
#if PLATFORM(WIN)
HashMap<String, ListHashSet<String>>::iterator it = allowedHosts.find(host);
ok = (it != allowedHosts.end());
#else
ListHashSet<String> certificates;
if (!pemData(ctx, certificates))
return 0;
ok = sslIgnoreHTTPSCertificate(host.lower(), certificates);
#endif
if (ok) {
// if the host and the certificate are stored for the current handle that means is enabled,
// so don't need to curl verifies the authenticity of the peer's certificate
curl_easy_setopt(d->m_handle, CURLOPT_SSL_VERIFYPEER, false);
}
return ok;
}
lws_tls_ctx *
lws_tls_ctx_from_wsi(struct lws *wsi)
{
if (!wsi->tls.ssl)
return NULL;
return SSL_get_SSL_CTX(wsi->tls.ssl);
}
int _qvd_verify_cert_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
SSL *ssl;
SSL_CTX *sslctx;
qvdclient *qvd ;
ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
sslctx = SSL_get_SSL_CTX(ssl);
qvd = SSL_CTX_get_ex_data(sslctx, _qvd_ssl_index);
X509 *cert = X509_STORE_CTX_get_current_cert(x509_ctx);
int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
int err = X509_STORE_CTX_get_error(x509_ctx);
/* save the certificate by incrementing the reference count and
* keeping a pointer */
if (depth < MAX_CERTS && !certificate[depth]) {
certificate[depth] = cert;
certificate_error[depth] = err;
cert->references++;
}
/* See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html# */
if (preverify_ok)
{
qvd_printf("_qvd_verify_cert_callback: Certificate was validated\n");
return preverify_ok;
}
if (qvd->ssl_verify_callback == NULL)
{
qvd_printf("_qvd_verify_cert_callback: No callback specified returning false (specify if you wissh callbacks for unknown certs with qvd_set_unknown_cert_callback)\n");
return 0;
}
BIO *bio_out = BIO_new(BIO_s_mem());
BUF_MEM *biomem;
int result;
PEM_write_bio_X509(bio_out, certificate[depth]);
BIO_get_mem_ptr(bio_out, &biomem);
char cert_info[1024];
char issuer[256], subject[256];
X509_NAME_oneline(X509_get_issuer_name(certificate[depth]), issuer, 256);
X509_NAME_oneline(X509_get_subject_name(certificate[depth]), subject, 256);
snprintf(cert_info, 1023, "Serial: %lu\n\nIssuer: %s\n\nValidity:\n\tNot before: %s\n\tNot after: %s\n\nSubject: %s\n",
ASN1_INTEGER_get(X509_get_serialNumber(certificate[depth])), issuer,
X509_get_notBefore(certificate[depth])->data, X509_get_notAfter(cert)->data, subject);
cert_info[1023] = '\0';
result = qvd->ssl_verify_callback(qvd, cert_info, biomem->data);
if (result)
{
_qvd_save_certificate(qvd, certificate[depth], depth, biomem);
}
BIO_free(bio_out);
return result;
}
static int
lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg)
{
struct lws_context *context;
struct lws_vhost *vhost, *vh;
const char *servername;
int port;
if (!ssl)
return SSL_TLSEXT_ERR_NOACK;
context = (struct lws_context *)SSL_CTX_get_ex_data(
SSL_get_SSL_CTX(ssl),
openssl_SSL_CTX_private_data_index);
/*
* We can only get ssl accepted connections by using a vhost's ssl_ctx
* find out which listening one took us and only match vhosts on the
* same port.
*/
vh = context->vhost_list;
while (vh) {
if (!vh->being_destroyed && vh->ssl_ctx == SSL_get_SSL_CTX(ssl))
break;
vh = vh->vhost_next;
}
assert(vh); /* we cannot get an ssl without using a vhost ssl_ctx */
port = vh->listen_port;
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (servername) {
vhost = lws_select_vhost(context, port, servername);
if (vhost) {
lwsl_debug("SNI: Found: %s (port %d)\n",
servername, port);
SSL_set_SSL_CTX(ssl, vhost->ssl_ctx);
return SSL_TLSEXT_ERR_OK;
}
lwsl_err("SNI: Unknown ServerName: %s\n", servername);
}
return SSL_TLSEXT_ERR_OK;
}
/* Close io sockets. */
void
io_close(struct io *io)
{
if (io->ssl != NULL) {
SSL_CTX_free(SSL_get_SSL_CTX(io->ssl));
SSL_free(io->ssl);
}
close(io->fd);
}
/* {{{ data_close
*/
databuf_t*
data_close(ftpbuf_t *ftp, databuf_t *data)
{
#if HAVE_OPENSSL_EXT
SSL_CTX *ctx;
#endif
if (data == NULL) {
return NULL;
}
if (data->listener != -1) {
#if HAVE_OPENSSL_EXT
if (data->ssl_active) {
ctx = SSL_get_SSL_CTX(data->ssl_handle);
SSL_CTX_free(ctx);
SSL_shutdown(data->ssl_handle);
SSL_free(data->ssl_handle);
data->ssl_active = 0;
}
#endif
closesocket(data->listener);
}
if (data->fd != -1) {
#if HAVE_OPENSSL_EXT
if (data->ssl_active) {
ctx = SSL_get_SSL_CTX(data->ssl_handle);
SSL_CTX_free(ctx);
SSL_shutdown(data->ssl_handle);
SSL_free(data->ssl_handle);
data->ssl_active = 0;
}
#endif
closesocket(data->fd);
}
if (ftp) {
ftp->data = NULL;
}
efree(data);
return NULL;
}
static int openssl_ssl_getpeerverification(lua_State *L)
{
long err;
SSL* ssl = CHECK_OBJECT(1, SSL, "openssl.ssl");
SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
err = SSL_get_verify_result(ssl);
lua_pushboolean(L, err == X509_V_OK);
openssl_getvalue(L, ssl, "verify_cert");
return 2;
}
int SSLSessionCacheManager::newSessionCallback(SSL* ssl, SSL_SESSION* session) {
SSLSessionCacheManager* manager = nullptr;
SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
manager = (SSLSessionCacheManager *)SSL_CTX_get_ex_data(ctx, sExDataIndex_);
if (manager == nullptr) {
LOG(FATAL) << "Null SSLSessionCacheManager in callback";
return -1;
}
return manager->newSession(ssl, session);
}
int
TLSTicketKeyManager::callback(SSL* ssl, unsigned char* keyName,
unsigned char* iv,
EVP_CIPHER_CTX* cipherCtx,
HMAC_CTX* hmacCtx, int encrypt) {
TLSTicketKeyManager* manager = nullptr;
SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
manager = (TLSTicketKeyManager *)SSL_CTX_get_ex_data(ctx, sExDataIndex_);
if (manager == nullptr) {
LOG(FATAL) << "Null TLSTicketKeyManager in callback" ;
}
return manager->processTicket(ssl, keyName, iv, cipherCtx, hmacCtx, encrypt);
}
SSL_SESSION* SSLSessionCacheManager::getSessionCallback(SSL* ssl,
unsigned char* sess_id,
int id_len,
int* copyflag) {
SSLSessionCacheManager* manager = nullptr;
SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
manager = (SSLSessionCacheManager *)SSL_CTX_get_ex_data(ctx, sExDataIndex_);
if (manager == nullptr) {
LOG(FATAL) << "Null SSLSessionCacheManager in callback";
return nullptr;
}
return manager->getSession(ssl, sess_id, id_len, copyflag);
}
static int
lws_ssl_server_name_cb(SSL *ssl, int *ad, void *arg)
{
struct lws_context *context = (struct lws_context *)arg;
struct lws_vhost *vhost, *vh;
const char *servername;
if (!ssl)
return SSL_TLSEXT_ERR_NOACK;
/*
* We can only get ssl accepted connections by using a vhost's ssl_ctx
* find out which listening one took us and only match vhosts on the
* same port.
*/
vh = context->vhost_list;
while (vh) {
if (!vh->being_destroyed &&
vh->tls.ssl_ctx == SSL_get_SSL_CTX(ssl))
break;
vh = vh->vhost_next;
}
if (!vh) {
assert(vh); /* can't match the incoming vh? */
return SSL_TLSEXT_ERR_OK;
}
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (!servername) {
/* the client doesn't know what hostname it wants */
lwsl_info("SNI: Unknown ServerName: %s\n", servername);
return SSL_TLSEXT_ERR_OK;
}
vhost = lws_select_vhost(context, vh->listen_port, servername);
if (!vhost) {
lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);
return SSL_TLSEXT_ERR_OK;
}
lwsl_info("SNI: Found: %s:%d\n", servername, vh->listen_port);
/* select the ssl ctx from the selected vhost for this conn */
SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx);
return SSL_TLSEXT_ERR_OK;
}
bool SSLSocket::verifyKeyprint(const string& expKP, bool allowUntrusted) noexcept
{
if (!ssl)
return true;
if (expKP.empty() || expKP.find("/") == string::npos)
return allowUntrusted;
verifyData.reset(new CryptoManager::SSLVerifyData(allowUntrusted, expKP));
SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get());
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
X509_STORE* store = X509_STORE_new();
bool result = false;
int err = SSL_get_verify_result(ssl);
if (ssl_ctx && store)
{
X509_STORE_CTX* vrfy_ctx = X509_STORE_CTX_new();
X509* cert = SSL_get_peer_certificate(ssl);
if (vrfy_ctx && cert && X509_STORE_CTX_init(vrfy_ctx, store, cert, SSL_get_peer_cert_chain(ssl)))
{
X509_STORE_CTX_set_ex_data(vrfy_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), ssl);
X509_STORE_CTX_set_verify_cb(vrfy_ctx, SSL_CTX_get_verify_callback(ssl_ctx));
int verify_result = 0;
if ((verify_result = X509_verify_cert(vrfy_ctx)) >= 0)
{
err = X509_STORE_CTX_get_error(vrfy_ctx);
// Watch out for weird library errors that might not set the context error code
if (err == X509_V_OK && verify_result <= 0)
err = X509_V_ERR_UNSPECIFIED;
// This is for people who don't restart their clients and have low expiration time on their cert
result = (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED) || (allowUntrusted && err != X509_V_ERR_APPLICATION_VERIFICATION);
}
}
if (cert) X509_free(cert);
if (vrfy_ctx) X509_STORE_CTX_free(vrfy_ctx);
if (store) X509_STORE_free(store);
}
// KeyPrint is a strong indicator of trust
SSL_set_verify_result(ssl, err);
return result;
}
extern "C" int32_t CryptoNative_SslAddExtraChainCert(SSL* ssl, X509* x509)
{
if (!x509 || !ssl)
{
return 0;
}
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
if (SSL_CTX_add_extra_chain_cert(ssl_ctx, x509) == 1)
{
return 1;
}
return 0;
}
static int openssl_ssl_ctx(lua_State*L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
if (lua_isnoneornil(L, 2))
{
SSL_CTX *ctx = SSL_get_SSL_CTX(s);
openssl_refrence(L, ctx, +1);
PUSH_OBJECT(ctx, "openssl.ssl_ctx");
}
else
{
SSL_CTX *ctx = CHECK_OBJECT(2, SSL_CTX, "openssl.ssl_ctx");
ctx = SSL_set_SSL_CTX(s, ctx);
PUSH_OBJECT(ctx, "openssl.ssl_ctx");
}
return 1;
}
void ssl_clear_cert_auth_internal( int sslContextHandle )
{
SSL *ssl = NULL;
if((sslContextHandle >= ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0))
{
return;
}
ssl = (SSL*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
if (ssl == NULL)
{
return;
}
// Set a NULL cert store, SSL_CTX_set_cert_store will free the existing cert store
SSL_CTX_set_cert_store( SSL_get_SSL_CTX(ssl), NULL );
}
static int
lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx,
const unsigned char *servername, size_t len)
{
SSL *ssl = SSL_SSL_from_mbedtls_ssl_context(mbedtls_ctx);
struct lws_context *context = (struct lws_context *)arg;
struct lws_vhost *vhost, *vh;
lwsl_notice("%s: %s\n", __func__, servername);
/*
* We can only get ssl accepted connections by using a vhost's ssl_ctx
* find out which listening one took us and only match vhosts on the
* same port.
*/
vh = context->vhost_list;
while (vh) {
if (!vh->being_destroyed &&
vh->ssl_ctx == SSL_get_SSL_CTX(ssl))
break;
vh = vh->vhost_next;
}
if (!vh) {
assert(vh); /* can't match the incoming vh? */
return 0;
}
vhost = lws_select_vhost(context, vh->listen_port,
(const char *)servername);
if (!vhost) {
lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);
return 0;
}
lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername,
vh->listen_port, vhost->name);
/* select the ssl ctx from the selected vhost for this conn */
SSL_set_SSL_CTX(ssl, vhost->ssl_ctx);
return 0;
}
/**
* Call Lua user function to get the DH key.
*/
static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
{
BIO *bio;
lua_State *L;
DH *dh_tmp = NULL;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
L = pctx->L;
/* Get the callback */
luaL_getmetatable(L, "SSL:DH:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_gettable(L, -2);
/* Invoke the callback */
lua_pushboolean(L, is_export);
lua_pushnumber(L, keylength);
lua_call(L, 2, 1);
/* Load parameters from returned value */
if (lua_type(L, -1) != LUA_TSTRING) {
lua_pop(L, 2); /* Remove values from stack */
return NULL;
}
bio = BIO_new_mem_buf((void*)lua_tostring(L, -1),
lua_rawlen(L, -1));
if (bio) {
dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
}
/*
* OpenSSL exepcts the callback to maintain a reference to the DH*. So,
* cache it here, and clean up the previous set of parameters. Any remaining
* set is cleaned up when destroying the LuaSec context.
*/
if (pctx->dh_param)
DH_free(pctx->dh_param);
pctx->dh_param = dh_tmp;
lua_pop(L, 2); /* Remove values from stack */
return dh_tmp;
}
BOOL tls_send_alert(rdpTls* tls)
{
if (!tls)
return FALSE;
if (!tls->ssl)
return TRUE;
/**
* FIXME: The following code does not work on OpenSSL > 1.1.0 because the
* SSL struct is opaqe now
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY)
{
/**
* OpenSSL doesn't really expose an API for sending a TLS alert manually.
*
* The following code disables the sending of the default "close notify"
* and then proceeds to force sending a custom TLS alert before shutting down.
*
* Manually sending a TLS alert is necessary in certain cases,
* like when server-side NLA results in an authentication failure.
*/
SSL_SESSION* ssl_session = SSL_get_session(tls->ssl);
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(tls->ssl);
SSL_set_quiet_shutdown(tls->ssl, 1);
if ((tls->alertLevel == TLS_ALERT_LEVEL_FATAL) && (ssl_session))
SSL_CTX_remove_session(ssl_ctx, ssl_session);
tls->ssl->s3->alert_dispatch = 1;
tls->ssl->s3->send_alert[0] = tls->alertLevel;
tls->ssl->s3->send_alert[1] = tls->alertDescription;
if (tls->ssl->s3->wbuf.left == 0)
tls->ssl->method->ssl_dispatch_alert(tls->ssl);
}
#endif
return TRUE;
}
NOEXPORT SSL_SESSION *cache_get(SSL *ssl,
const unsigned char *key, int key_len) {
unsigned char *val, *val_tmp=NULL;
ssize_t val_len=0;
SSL_SESSION *sess;
cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_GET, 0,
key, (size_t)key_len, NULL, 0, &val, (size_t *)&val_len);
if(!val)
return NULL;
val_tmp=val;
sess=d2i_SSL_SESSION(NULL,
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
(const unsigned char **)
#endif /* OpenSSL version >= 0.8.0 */
&val_tmp, (long)val_len);
str_free(val);
return sess;
}
NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl,
unsigned char *key, int key_len, int *do_copy) {
unsigned char *val, *val_tmp=NULL;
ssize_t val_len=0;
SSL_SESSION *sess;
*do_copy = 0; /* allow the session to be freed autmatically */
cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_GET, 0,
key, (size_t)key_len, NULL, 0, &val, (size_t *)&val_len);
if(!val)
return NULL;
val_tmp=val;
sess=d2i_SSL_SESSION(NULL,
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
(const unsigned char **)
#endif /* OpenSSL version >= 0.8.0 */
&val_tmp, val_len);
str_free(val);
return sess;
}
static int BSslCertVerifyCB(int iOK, X509_STORE_CTX *pXsCtx)
{
int iError, iDepth;
SSL *pSSL;
SSL_CTX *pSCtx;
SslServerBind const *pSSLB;
X509 *pCert;
iError = X509_STORE_CTX_get_error(pXsCtx);
iDepth = X509_STORE_CTX_get_error_depth(pXsCtx);
if ((pSSL = (SSL *)
X509_STORE_CTX_get_ex_data(pXsCtx, SSL_get_ex_data_X509_STORE_CTX_idx())) == NULL)
return iOK;
pSCtx = SSL_get_SSL_CTX(pSSL);
pSSLB = (SslServerBind const *) SSL_CTX_get_app_data(pSCtx);
pCert = X509_STORE_CTX_get_current_cert(pXsCtx);
#ifdef DEBUG_OSSL
char *pszVal;
pszVal = X509_NAME_oneline(X509_get_issuer_name(pCert), 0, 0);
SysLogMessage(LOG_LEV_MESSAGE, "CERT Issuer: %s\n", pszVal);
OPENSSL_free(pszVal);
pszVal = X509_NAME_oneline(X509_get_subject_name(pCert), 0, 0);
SysLogMessage(LOG_LEV_MESSAGE, "CERT Subject: %s\n", pszVal);
OPENSSL_free(pszVal);
#endif
if (!iOK) {
SysLogMessage(LOG_LEV_MESSAGE, "CERT verify error: depth = %d error = '%s'\n",
iDepth, X509_verify_cert_error_string(iError));
if (iError == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT &&
pSSLB->ulFlags & BSSLF_ALLOW_SEFLSIGNED) {
SysLogMessage(LOG_LEV_MESSAGE, "Self signed CERT allowed (override)\n");
iOK = 1;
}
}
return iOK;
}
static int meth_sni(lua_State *L)
{
int strict;
SSL_CTX *aux;
const char *name;
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl->ssl);
p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
if (pctx->mode == LSEC_MODE_CLIENT) {
name = luaL_checkstring(L, 2);
SSL_set_tlsext_host_name(ssl->ssl, name);
return 0;
} else if (pctx->mode == LSEC_MODE_SERVER) {
luaL_checktype(L, 2, LUA_TTABLE);
strict = lua_toboolean(L, 3);
/* Check if the table contains only (string -> context) */
lua_pushnil(L);
while (lua_next(L, 2)) {
luaL_checkstring(L, -2);
aux = lsec_checkcontext(L, -1);
/* Set callback in every context */
SSL_CTX_set_tlsext_servername_callback(aux, sni_cb);
/* leave the next key on the stack */
lua_pop(L, 1);
}
/* Save table in the register */
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_newtable(L);
lua_pushstring(L, "map");
lua_pushvalue(L, 2);
lua_settable(L, -3);
lua_pushstring(L, "strict");
lua_pushboolean(L, strict);
lua_settable(L, -3);
lua_settable(L, -3);
/* Set callback in the default context */
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
}
return 0;
}
NOEXPORT void cache_new(SSL *ssl, SSL_SESSION *sess) {
unsigned char *val, *val_tmp;
ssize_t val_len;
const unsigned char *session_id;
unsigned int session_id_length;
val_len=i2d_SSL_SESSION(sess, NULL);
val_tmp=val=str_alloc((size_t)val_len);
i2d_SSL_SESSION(sess, &val_tmp);
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
session_id=SSL_SESSION_get_id(sess, &session_id_length);
#else
session_id=(const unsigned char *)sess->session_id;
session_id_length=sess->session_id_length;
#endif
cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW,
SSL_SESSION_get_timeout(sess),
session_id, session_id_length, val, (size_t)val_len, NULL, NULL);
str_free(val);
}
