esock_openssl.c
DEBUGF(("ERROR: Cannot set default verify paths\n")); MAYBE_SET_ERRSTR("ecacertfile"); goto err_end; } } /* For a server the following sets the list of CA distinguished * names that it sends to its client when it requests the * certificate from the client. * XXX The names of certs in cacertdir ignored. */ if (cp->origin == ORIG_LISTEN && cacertfile) { DEBUGF(("set_ssl_parameters: SSL_CTX_set_client_CA_list\n")); VOID_FOPEN_WORKAROUND(SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile))); if (!SSL_CTX_get_client_CA_list(ctx)) { DEBUGF(("ERROR: Cannot set client CA list\n")); MAYBE_SET_ERRSTR("ecacertfile"); goto err_end; } } /* Use certificate file if key file has not been set. */ if (!keyfile) keyfile = certfile; if (certfile) { int res; DEBUGF(("set_ssl_parameters: SSL_CTX_use_certificate_file\n")); FOPEN_WORKAROUND(res, SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)); if (res <= 0) { DEBUGF(("ERROR: Cannot set certificate file\n")); MAYBE_SET_ERRSTR("ecertfile"); goto err_end; } } if (keyfile) { int res; DEBUGF(("set_ssl_parameters: SSL_CTX_use_PrivateKey_file\n")); FOPEN_WORKAROUND(res, SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)); if (res <= 0) { DEBUGF(("ERROR: Cannot set private key file\n")); MAYBE_SET_ERRSTR("ekeyfile"); goto err_end; } } if(certfile && keyfile) { DEBUGF(("set_ssl_parameters: SSL_CTX_check_private_key\n")); if (!SSL_CTX_check_private_key(ctx)) { DEBUGF(("ERROR: Private key does not match the certificate\n")); MAYBE_SET_ERRSTR("ekeymismatch"); goto err_end; } } /* Ciphers */ if (ciphers) { DEBUGF(("set_ssl_parameters: SSL_CTX_set_cipher_list\n")); if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { DEBUGF(("ERROR: Cannot set cipher list\n")); MAYBE_SET_ERRSTR("ecipher"); goto err_end; } } /* Verify depth */ DEBUGF(("set_ssl_parameters: SSL_CTX_set_verify_depth (depth = %d)\n", verify_depth)); SSL_CTX_set_verify_depth(ctx, verify_depth); /* Verify mode and callback */ /* XXX Why precisely these modes? 
*/ switch (verify) { case 0: verify_mode = SSL_VERIFY_NONE; break; case 1: verify_mode = SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; break; case 2: verify_mode = SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE| SSL_VERIFY_FAIL_IF_NO_PEER_CERT; break; default: verify_mode = SSL_VERIFY_NONE; } DEBUGF(("set_ssl_parameters: SSL_CTX_set_verify (verify = %d)\n", verify)); SSL_CTX_set_verify(ctx, verify_mode, verify_callback); /* Session id context. Should be an option really. */ if (cp->origin == ORIG_LISTEN) { unsigned char *sid = "Erlang/OTP/ssl"; SSL_CTX_set_session_id_context(ctx, sid, strlen(sid)); } /* info callback */ if (debug) SSL_CTX_set_info_callback(ctx, info_callback); DEBUGF(("set_ssl_parameters: done\n")); /* Free arg list */ for (i = 0; argv[i]; i++) esock_free(argv[i]); esock_free(argv); return 0; err_end: DEBUGF(("set_ssl_parameters: error\n")); /* Free arg list */ for (i = 0; argv[i]; i++) esock_free(argv[i]); esock_free(argv); return -1;}/* Call back functions */static int verify_callback(int ok, X509_STORE_CTX *x509_ctx){ X509 *cert; int cert_err, depth; SSL *ssl; SSL_CTX *ctx; callback_data *cb_data; cert = X509_STORE_CTX_get_current_cert(x509_ctx); cert_err = X509_STORE_CTX_get_error(x509_ctx); depth = X509_STORE_CTX_get_error_depth(x509_ctx); ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); ctx = SSL_get_SSL_CTX(ssl); cb_data = SSL_CTX_get_ex_data(ctx, callback_data_index); X509_NAME_oneline(X509_get_subject_name(cert), x509_buf, sizeof(x509_buf)); DEBUGF((" +vfy: depth = %d\n", depth)); DEBUGF((" subject = %s\n", x509_buf)); X509_NAME_oneline(X509_get_issuer_name(cert), x509_buf, sizeof(x509_buf)); DEBUGF((" issuer = %s\n", x509_buf)); if (!ok) { DEBUGF((" +vfy: error = %d [%s]\n", cert_err, X509_verify_cert_error_string(cert_err))); if (depth >= cb_data->verify_depth) ok = 1; } switch (cert_err) { case X509_V_OK: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: ok = 1; break; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: MAYBE_SET_ERRSTR("enoissuercert"); break; case X509_V_ERR_CERT_HAS_EXPIRED: MAYBE_SET_ERRSTR("epeercertexpired"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: MAYBE_SET_ERRSTR("epeercertinvalid"); break; case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: MAYBE_SET_ERRSTR("eselfsignedcert"); break; case X509_V_ERR_CERT_CHAIN_TOO_LONG: MAYBE_SET_ERRSTR("echaintoolong"); break; default: MAYBE_SET_ERRSTR("epeercert"); break; } DEBUGF((" +vfy: return = %d\n",ok)); return ok;}static int passwd_callback(char *buf, int num, int rwflag, void *userdata){ callback_data *cb_data = userdata; int len; if (cb_data && cb_data->passwd) { DEBUGF((" +passwd: %s\n", cb_data->passwd)); strncpy(buf, cb_data->passwd, num); len = strlen(cb_data->passwd); return len; } DEBUGF((" +passwd: ERROR: No password set.\n")); return 0;}static void info_callback(const SSL *ssl, int where, int ret){ char *str; if (where & SSL_CB_LOOP) { DEBUGF((" info: %s\n",SSL_state_string_long(ssl))); } else if (where & SSL_CB_ALERT) { str = (where & SSL_CB_READ) ? "read" : "write"; DEBUGF((" info: SSL3 alert %s:%s:%s\n", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret))); } else if (where & SSL_CB_EXIT) { if (ret == 0) { DEBUGF((" info: failed in %s\n", SSL_state_string_long(ssl))); } else if (ret < 0) { DEBUGF((" info: error in %s\n", SSL_state_string_long(ssl))); } }}/* This function is called whenever a SSL_CTX *ctx structure is * freed. 
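*/

/*
 * Overwrite a NUL-terminated secret before its buffer is released.
 *
 * A plain memset() right before free() is a dead store the optimizer may
 * drop; writing through a volatile pointer keeps the stores.  Only the
 * strlen() bytes are cleared, which is exactly what passwd_callback()
 * hands to OpenSSL from this string.
 */
static void wipe_secret(char *s)
{
    volatile char *p = (volatile char *) s;
    size_t n;

    if (!s)
        return;
    for (n = strlen(s); n > 0; n--)
        *p++ = 0;
}

/*
 * CRYPTO_EX_free hook for the callback_data stored in an SSL_CTX ex-data
 * slot; OpenSSL invokes it when that SSL_CTX is freed.  Only `ptr` (the
 * callback_data) is used -- `parent`, `ad`, `idx`, `arg1` and `argp` are
 * part of the hook signature and ignored.
 *
 * `passwd` is the private-key passphrase served by passwd_callback(), so
 * it is scrubbed before the memory goes back to the allocator.
 */
static void callback_data_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                               int idx, long arg1, void *argp)
{
    callback_data *cb_data = ptr;

    if (!cb_data)
        return;
    if (cb_data->passwd) {
        wipe_secret(cb_data->passwd);
        esock_free(cb_data->passwd);
    }
    esock_free(cb_data);
}

/*
 * Temporary-RSA callback (SSL_CTX_set_tmp_rsa_callback): OpenSSL asks for
 * an RSA key of `keylen` bits when it needs a short-lived key for RSA key
 * exchange.  `ssl` and `is_export` are not consulted.
 *
 * Keys are generated on first use and cached for the life of the process,
 * one slot per size.  RSA_generate_key() returns NULL on failure; NULL is
 * then returned to OpenSSL and generation is retried on the next call.
 * Nothing is ever freed here: the cached keys are meant to outlive every
 * handshake that used them.
 *
 * Fix vs. the previous version: a request for a size other than 512/1024
 * used to cache its key in the 512-bit slot, so a later 512-bit request
 * could be served a key of the wrong size.  Such keys now get their own
 * slot.
 *
 * NOTE(review): 512-bit RSA is export-grade and factorable with modest
 * resources.  It is only served when an export cipher suite is enabled via
 * the `ciphers` option; do not enable those.
 */
static RSA *tmp_rsa_callback(SSL *ssl, int is_export, int keylen)
{
    static RSA *rsa512 = NULL;
    static RSA *rsa1024 = NULL;
    static RSA *rsa_other = NULL;   /* key of a size other than 512/1024 */
    static int other_len = 0;       /* bit length of rsa_other, 0 if none */

    switch (keylen) {
    case 512:
        if (!rsa512)
            rsa512 = RSA_generate_key(512, RSA_F4, NULL, NULL);
        return rsa512;

    case 1024:
        if (!rsa1024)
            rsa1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL);
        return rsa1024;

    default:
        /*
         * Non-standard size: prefer an already cached key (as before),
         * otherwise generate one of the requested size into its own slot.
         * A stale rsa_other of a different size is simply replaced, not
         * freed, because OpenSSL may still hold it -- same lifetime policy
         * as the other slots.
         */
        if (rsa1024)
            return rsa1024;
        if (rsa512)
            return rsa512;
        if (!rsa_other || other_len != keylen) {
            rsa_other = RSA_generate_key(keylen, RSA_F4, NULL, NULL);
            other_len = rsa_other ? keylen : 0;
        }
        return rsa_other;
    }
}

/*
 * Apply the global `protocol_version` bit mask (ESOCK_SSLv2, ESOCK_SSLv3,
 * ESOCK_TLSv1) to `ctx`: every protocol whose bit is clear is disabled
 * with the matching SSL_OP_NO_* option.
 *
 * A mask of 0 sets nothing and leaves the OpenSSL defaults in place, i.e.
 * SSLv2 and SSLv3 remain negotiable.
 * NOTE(review): SSLv2 and SSLv3 are broken; callers should always set the
 * mask explicitly rather than rely on the 0 default.
 */
static void restrict_protocols(SSL_CTX *ctx)
{
    long options = 0;

    if (!protocol_version)
        return;

    if ((protocol_version & ESOCK_SSLv2) == 0)
        options |= SSL_OP_NO_SSLv2;
    if ((protocol_version & ESOCK_SSLv3) == 0)
        options |= SSL_OP_NO_SSLv3;
    if ((protocol_version & ESOCK_TLSv1) == 0)
        options |= SSL_OP_NO_TLSv1;

    SSL_CTX_set_options(ctx, options);
}

/*
 * 1024 bytes of fixed seed material.  Its use is not visible in this part
 * of the file.
 *
 * NOTE(review): a compiled-in constant carries no entropy at all -- every
 * build and every process has the same bytes.  It is only acceptable if it
 * is mixed in alongside a real entropy source (OS randomness via the
 * OpenSSL RNG), never as the sole seed; confirm at the call site.
 */
static unsigned char randvec[] = {
    181, 177, 237, 240, 107, 24, 43, 148, 105, 4, 248, 13, 199, 255, 23, 58,
    71, 181, 57, 151, 156, 25, 165, 7, 73, 80, 80, 231, 70, 110, 96, 162,
    24, 205, 178, 178, 67, 122, 210, 180, 92, 6, 156, 182, 84, 159, 85, 6,
    175, 66, 165, 167, 137, 34, 179, 237, 77, 90, 87, 185, 21, 106, 92, 115,
    137, 65, 233, 42, 164, 153, 208, 133, 160, 172, 129, 202, 46, 220, 98, 66,
    115, 66, 46, 28, 226, 200, 140, 145, 207, 194, 58, 71, 56, 203, 113, 34,
    221, 116, 63, 114, 188, 210, 45, 238, 200, 123, 35, 150, 2, 78, 160, 22,
    226, 167, 162, 10, 182, 75, 109, 97, 86, 252, 93, 125, 117, 214, 220, 37,
    105, 160, 56, 158, 97, 57, 22, 14, 73, 169, 111, 190, 222, 176, 14, 82,
    111, 42, 87, 90, 136, 236, 22, 209, 156, 207, 40, 251, 88, 141, 51, 211,
    31, 158, 153, 91, 119, 83, 255, 60, 55, 94, 5, 115, 119, 210, 224, 185,
    163, 163, 5, 3, 197, 106, 110, 206, 109, 132, 50, 190, 177, 133, 175,
    129, 225, 161, 156, 244, 77, 150, 99, 38, 17, 111, 46, 230, 152, 64, 50,
    164, 19, 78, 3, 164, 169, 175, 104, 97, 103, 158, 91, 168, 186, 191, 73,
    88, 118, 112, 41, 188, 219, 0, 198, 209, 206, 7, 5, 169, 127, 180, 80,
    74, 124, 4, 4, 108, 197, 67, 204, 29, 101, 95, 174, 147, 64, 163, 89,
    160, 10, 5, 56, 134, 209, 69, 209, 55, 214, 136, 45, 212, 113, 85, 159,
    133, 141, 249, 75, 40, 175, 91, 142, 13, 179, 179, 51, 0, 136, 63, 148,
    175, 103, 162, 8, 214, 4, 24, 59, 71, 9, 185, 48, 127, 159, 165, 8,
    8, 135, 151, 92, 214, 132, 151, 204, 169, 24, 112, 229, 59, 236, 81, 238,
    64, 150, 196, 97, 213, 140, 159, 20, 24, 79, 210, 191, 53, 130, 33, 157,
    87, 16, 180, 175, 217, 56, 123, 115, 196, 130, 6, 155, 37, 220, 80, 232,
    129, 240, 57, 199, 249, 196, 152, 28, 111, 124, 192, 59, 46, 29, 21, 178,
    51, 156, 17, 248, 61, 254, 80, 201, 131, 203, 59, 227, 191, 71, 121, 134,
    181, 55, 79, 130, 225, 246, 36, 179, 224, 189, 243, 200, 75, 73, 41, 251,
    41, 71, 251, 78, 146, 99, 101, 104, 69, 18, 122, 65, 24, 232, 84, 246,
    242, 209, 18, 241, 114, 3, 65, 177, 99, 49, 99, 215, 59, 9, 175, 195,
    11, 25, 46, 43, 120, 109, 179, 159, 250, 239, 246, 135, 78, 2, 238, 214,
    237, 64, 170, 50, 44, 68, 67, 111, 232, 225, 230, 224, 124, 76, 32, 52,
    158, 151, 54, 184, 135, 122, 66, 211, 215, 121, 90, 124, 158, 55, 73, 116,
    137, 240, 15, 38, 31, 183, 86, 93, 49, 148, 184, 125, 250, 155, 216, 84,
    246, 27, 172, 141, 54, 80, 158, 227, 254, 189, 164, 238, 229, 68, 26, 231,
    11, 198, 222, 15, 141, 98, 8, 124, 219, 60, 125, 170, 213, 114, 24, 189,
    65, 80, 186, 71, 126, 223, 153, 20, 141, 110, 73, 173, 218, 214, 63, 205,
    177, 132, 115, 184, 28, 122, 232, 210, 72, 237, 41, 93, 17, 152, 95, 242,
    138, 79, 98, 47, 197, 36, 17, 137, 230, 15, 73, 193, 1, 181, 123, 0,
    186, 185, 135, 142, 200, 139, 78, 57, 145, 191, 32, 98, 250, 113, 188, 71,
    32, 205, 81, 219, 99, 60, 87, 42, 95, 249, 252, 121, 125, 246, 230, 74,
    162, 73, 59, 179, 142, 178, 47, 163, 161, 236, 14, 123, 219, 18, 6, 102,
    140, 215, 210, 76, 9, 119, 147, 252,
    63, 13, 51, 161, 172, 180, 116, 212, 129, 116, 237, 38, 64, 213, 222, 35,
    14, 183, 237, 78, 204, 250, 250, 5, 41, 142, 5, 207, 154, 65, 183, 108,
    82, 1, 43, 149, 233, 89, 195, 25, 233, 4, 34, 19, 122, 16, 58, 121,
    5, 118, 168, 22, 213, 49, 226, 163, 169, 21, 78, 179, 232, 125, 216, 198,
    147, 245, 196, 199, 138, 185, 167, 179, 82, 175, 53, 6, 162, 5, 141, 180,
    212, 95, 201, 234, 169, 111, 175, 138, 197, 177, 246, 154, 41, 185, 201, 134,
    187, 88, 99, 231, 23, 190, 36, 72, 174, 244, 185, 205, 50, 230, 226, 210,
    119, 175, 107, 109, 244, 12, 122, 84, 51, 146, 95, 68, 74, 76, 212, 221,
    103, 244, 71, 63, 133, 149, 233, 48, 3, 176, 168, 6, 98, 88, 226, 120,
    190, 205, 249, 38, 157, 205, 148, 250, 203, 147, 62, 195, 229, 219, 109, 177,
    119, 120, 43, 165, 99, 253, 210, 180, 32, 227, 180, 174, 64, 156, 139, 251,
    53, 205, 132, 210, 208, 3, 199, 115, 64, 59, 27, 249, 164, 224, 191, 124,
    241, 142, 10, 19, 120, 227, 46, 174, 231, 48, 65, 41, 56, 51, 38, 185,
    95, 250, 182, 100, 40, 196, 124, 173, 119, 162, 148, 170, 34, 51, 68, 175,
    60, 242, 201, 225, 34, 146, 157, 159, 0, 144, 148, 82, 72, 149, 53, 201,
    10, 248, 206, 154, 126, 33, 153, 56, 48, 5, 90, 194, 22, 251, 173, 211,
    202, 203, 253, 112, 147, 188, 200, 142, 206, 206, 175, 233, 76, 93, 104, 125,
    41, 64, 145, 202, 53, 130, 251, 23, 90, 28, 199, 13, 128, 185, 154, 53,
    194, 195, 55, 80, 56, 151, 216, 195, 138, 7, 170, 143, 236, 74, 141, 229,
    174, 32, 165, 131, 68, 174, 104, 35, 143, 183, 41, 80, 191, 120, 79, 166,
    240, 123, 55, 60, 2, 128, 56, 4, 199, 122, 85, 90, 76, 246, 29, 13,
    6, 126, 229, 14, 203, 244, 73, 121, 42, 169, 35, 44, 202, 18, 69, 153,
    120, 141, 77, 124, 191, 215, 18, 115, 187, 108, 246, 135, 151, 225, 192, 50,
    89, 128, 45, 39, 253, 149, 234, 203, 84, 51, 174, 15, 237, 17, 57, 76,
    81, 39, 107, 40, 36, 22, 52, 92, 39};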