ssl.c

mini http server, can be integrated and embedded into a program to implement simple web functionality
Language: C
Page 1 of 4
/*____________________________________________________________________________*\

 Copyright (c) 1997-2003 John Roy, Holger Zimmermann. All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer. 

 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in
    the documentation and/or other materials provided with the
    distribution.

 3. The name of the author may not be used to endorse or promote products
    derived from this software without specific prior written permission. 

 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE AUTHORS OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
 GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.

 *____________________________________________________________________________*|
 *
 * $Source: /cvsroot/pi3web/Pi3Web_200/Source/SSL/SSL.c,v $
 * $Date: 2004/07/04 19:44:06 $
 *
 Description:

	SSL layer based on OpenSSL (http://www.openssl.org), formerly known as
	Eric Young's SSLeay.

	The SSLeay BIO architecture is very similar to the PIIO object
	server loadable class. They both provide an abstract interface to
	an IO layer that can be a terminal transport or a filter layer to
	another IO object. This makes them both pretty easy to integrate.
	
	The transport IO object is created and wrapped in an SSLeay BIO
	object. This is then used to create an SSLeay SSL object which
	in turn is made to look like a PIIO object so other components in pi3
	can use it as an IO object.

	Fragments of source code in this file were copied from Eric Young's
	SSL distribution. His copyright statement is included along with
	this file; it is called COPYRIGHT.eay

	TODO:
		- Test client setup.
		- Remove SSL_debug stuff.

\*____________________________________________________________________________*/
/* $SourceTop:$ */

/*
** Top level flags
*/
#define PISSL_DEBUG	0	/* development time flag */

#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#include "openssl/ssl.h"		/* From OpenSSL */
#include "openssl/err.h"		/* From OpenSSL */
#include "openssl/rand.h"		/* From OpenSSL */

#define INIT_ERR(fp) \
	{ \
	ERR_print_errors_fp(stderr); \
	if ( fp ) { ERR_print_errors_fp(fp); }; \
	}
#define RUNTIME_ERR(fp,x) \
	{ \
	if ( fp ) { ERR_print_errors_fp(fp); }; \
	fprintf(stderr,"SSL[%s, %d]: %s\n", __FILE__, __LINE__, (x) ); \
	}

#if PISSL_DEBUG
	enum { s_quiet = 0 };
#	define D { fprintf(stderr,"%s: %d\n", __FILE__, __LINE__ ); }
#else
	enum { s_quiet = 1 };
#	define D
#endif

#include "PiAPI.h"
#include "Pi2API.h"

/*____________________________________________________________________________*\
 Description:
	Documentation for this IO object.
\*____________________________________________________________________________*/

#if 0
/*___+++HTMLDOC_BEGIN+++___*/
Name:
	SSL

Description:
	Perform SSL (secure sockets layer) on a pi3 IO channel. An instance
	of this IO class would normally be inserted between a TCPIP transport
	IO object and a higher level logic component implementing a TCP
	service to make the service secure, e.g. (HTTP-->HTTPS). 
<P>
	However this IO filter can be used on any IO chain, both for
	other transports (shared memory, named pipes) and other uses, FastCGI
	connections, FTP connections etc.
<P>
	Typically an instance of this object is inserted into the IO chain
	using code like the following.
<PRE>
	Substitute:

	...
	IOObject TheTransportIO 
	...

	With:
	
	...
	IOObject SSL IOObject="TheTransportIO"
	...

</PRE>

	This SSL pi3 component is implemented using the OpenSSL library
	(formerly known as Eric Young's SSLeay library), thus:
<PRE>
   &quot;This product includes software developed by the OpenSSL Project
	for use in the OpenSSL Toolkit (http://www.openssl.org/).&quot;
</PRE>

Options:
<H5>Overview</H5>
<TABLE BORDER=1>
<TH>Option
<TH>Default
<TH>Values
<TH>Short Description
<TH>Example(s)

<TR>
<TD>IOObject
<TD>+
<TD>&lt;pi3objectname&gt;
<TD>A Pi3 object
<TD>IOObject="TCPIPIO"

<TR>
<TD>Type
<TD>Passive
<TD>Active|Passive
<TD>Specify IO layer type
<TD>Type="Passive"

<TR>
<TD>Version
<TD>23
<TD>2, 3, 23 or 10
<TD>Version of SSL/TLS to accept
<TD>Version=3

<TR>
<TD>Verify
<TD>0
<TD>0, 1 or 2
<TD>Client certificate verification requirements
<TD>Verify=2

<TR>
<TD>VerifyDepth
<TD>8
<TD>An integer value
<TD>Level to verify peer certificate
<TD>VerifyDepth=2

<TR>
<TD>CACertificatePath
<TD>-
<TD>&lt;pathname&gt;
<TD>CA Path 
<TD>CACertificatePath="./certs"

<TR>
<TD>CACertificateFile
<TD>-
<TD>&lt;filename&gt;
<TD>CA Certificate file to use
<TD>CACertificateFile="./ca.pem"

<TR>
<TD>PrivateKeyFile
<TD>+*
<TD>&lt;filename&gt;
<TD>A private key file
<TD>PrivateKeyFile="./key.pem"

<TR>
<TD>CertificateFile
<TD>+*
<TD>&lt;filename&gt;
<TD>Certificate file
<TD>CertificateFile="./cert.pem"

<TR>
<TD>Flag
<TD>-
<TD>"Bugs"
<TD>Flag
<TD>Flag="Bugs"

<TR>
<TD>DebugFile
<TD>-
<TD>"STDOUT", "STDERR" or &lt;filename&gt;
<TD>Specify an SSL debug file
<TD>DebugFile="./ssl.dbg"

<TR>
<TD>CipherList
<TD>-
<TD>
<TD>List of acceptable ciphers
<TD>CipherList "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP"
("DEFAULT", "NULL-MD5" - Read the openssl documentation for details)


</TABLE>
<STRONG>-</STRONG> in the <I>default</I> indicates no default<BR>
<STRONG>+</STRONG> in the <I>default</I> indicates the field is mandatory<BR>
<STRONG>+*</STRONG> in the <I>default</I> indicates
the field is mandatory for server connections only<BR>

<H4>Description of Options</H4>
<H5>IOObject</H5>
Lower level IO object which will be loaded to provide the transport for
this layer.

<H5>Type</H5>
Type of the IO filter layer, active (client) or passive (server).

<H5>Version</H5>
Version of SSL/TLS to accept: 2=SSLv2 only; 3=SSLv3 only; 23=SSLv2 or SSLv3
(the default); 10=TLS 1.0. Note that SSLv2 (RFC 6176) and SSLv3 (RFC 7568)
have since been prohibited by the IETF, so a current deployment should not
accept either of them.

<H5>Verify</H5>
Client certificate verification mode.
<UL>
<LI>0: No client certificate verification is performed.
<LI>1: A client certificate is verified if the client presents one, but is not mandatory.
<LI>2: A client certificate must be presented and is verified.
</UL>

<H5>VerifyDepth</H5>
Depth to verify the peer certificate chain to before giving up.

<H5>CACertificatePath</H5>
CACertificate verification path.

<H5>CACertificateFile</H5>
CACertificate file.

<H5>PrivateKeyFile</H5>
Private keyfile.

<H5>CertificateFile</H5>
Certificate file.

<H5>Flag</H5>
Specify a flag which affects the behaviour of SSL. This directive
can be repeated multiple times to add different flags.
<UL>
<LI>Bugs: Turn on SSL bug compatibility.
<LI>Hacks: Turn on special SSLeay hacks.
<LI>Disable: Switch off SSL (Raw TCP connection).
</UL>

<H5>DebugFile</H5>
Produce an SSL debug file. Since the debug file is global to all
SSL IO object instances, the first SSL IO to specify a debug file
will determine the debug file created. If the filename is 'STDOUT'
or 'STDERR' the debugging will be output to the standard output
and standard error streams respectively.

<H5>CipherList</H5>
List of acceptable ciphers, in OpenSSL cipher-string syntax (see the
openssl ciphers documentation). The example string above still admits
export (EXP), LOW and SSLv2 suites; a current deployment should exclude
those, e.g. CipherList "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2".

Returns:
	PIAPI_COMPLETED on success.
	PIAPI_ERROR and PIAPI_ABORT respectively for generic and severe
	error conditions.

Example:
	<PRE>

	&lt;Object&gt;
		Name SSL
		Class SSLClass
		IOObject TCPIPIOObject
	&lt;/Object&gt;

	</PRE>
/*___+++HTMLDOC_END+++___*/
#endif
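The CipherList option documented above, and the aCiphers[] table that follows, both depend on OpenSSL's cipher-string syntax: words separated by ':' name suites or aliases, a '+' between words means logical AND, and the prefixes '!', '-' and '+' mean "remove permanently", "remove (may be re-added)" and "move to the end". Whether a server ends up offering export, NULL or anonymous suites is decided entirely by how that string resolves. The C program below is an added example written for this page; it is not code from Pi3Web or OpenSSL. It evaluates such a string against a small constructed table modelled on aCiphers[] and counts how many of the resulting suites a reviewer would reject. The suite names, attribute bits, the simplified alias set and the WEAK_MASK policy are all assumptions of the example; "DEFAULT" and "@STRENGTH" are deliberately left out.

```c
#include <stdio.h>
#include <string.h>

/* One attribute bit per category (kx, auth, enc, mac, protocol, strength);
 * an alias such as "HIGH" or "RC4" is a mask over one category. */
enum { kRSA = 1, kEDH = 2, aRSA = 4, aNULL = 8, eRC4 = 16, eDES = 32, e3DES = 64,
       eNULL = 128, mMD5 = 256, mSHA = 512, pSSLv2 = 1024, pSSLv3 = 2048,
       sEXP = 4096, sLOW = 8192, sMEDIUM = 16384, sHIGH = 32768 };
typedef struct { const char *name; unsigned flags; } Cipher;
/* Constructed sample table (an assumption of this example, modelled on the
 * aCiphers[] table in this file); unprefixed words add suites in this order. */
static const Cipher ciphers[] = {
    { "NULL-MD5",             kRSA | aRSA  | eNULL | mMD5 | pSSLv3 },
    { "EXP-RC4-MD5",          kRSA | aRSA  | eRC4  | mMD5 | pSSLv3 | sEXP },
    { "RC4-MD5",              kRSA | aRSA  | eRC4  | mMD5 | pSSLv3 | sMEDIUM },
    { "DES-CBC-SHA",          kRSA | aRSA  | eDES  | mSHA | pSSLv3 | sLOW },
    { "DES-CBC3-SHA",         kRSA | aRSA  | e3DES | mSHA | pSSLv3 | sHIGH },
    { "EDH-RSA-DES-CBC3-SHA", kEDH | aRSA  | e3DES | mSHA | pSSLv3 | sHIGH },
    { "ADH-RC4-MD5",          kEDH | aNULL | eRC4  | mMD5 | pSSLv3 | sMEDIUM },
    { "DES-CBC3-MD5",         kRSA | aRSA  | e3DES | mMD5 | pSSLv2 | sHIGH },
};
static const struct { const char *name; unsigned mask; } aliases[] = {
    { "ALL", eRC4 | eDES | e3DES },   /* every suite with real encryption */
    { "NULL", eNULL }, { "eNULL", eNULL }, { "aNULL", aNULL }, { "ADH", aNULL },
    { "RSA", kRSA }, { "RC4", eRC4 }, { "DES", eDES }, { "3DES", e3DES },
    { "SSLv2", pSSLv2 }, { "SSLv3", pSSLv3 }, { "EXP", sEXP }, { "LOW", sLOW },
    { "MEDIUM", sMEDIUM }, { "HIGH", sHIGH },
};
#define NCIPHERS ((int)(sizeof ciphers / sizeof ciphers[0]))
#define NALIASES ((int)(sizeof aliases / sizeof aliases[0]))
#define WEAK_MASK (eNULL | aNULL | sEXP | sLOW | eRC4 | pSSLv2) /* never in production */
static int same(const char *s, const char *w, size_t n) { return strlen(s) == n && !memcmp(s, w, n); }

/* 1 if cipher c satisfies spec (words joined by '+' are ANDed; a word is an
 * alias or an exact suite name), 0 if not, -1 if some word is unknown. */
static int cipher_matches(const Cipher *c, const char *spec, size_t len)
{
    size_t s = 0, i;
    int a, r;
    for (i = 0; i <= len; i++) {
        if (i < len && spec[i] != '+') continue;
        for (r = -1, a = 0; a < NALIASES && r < 0; a++)
            if (same(aliases[a].name, spec + s, i - s)) r = (c->flags & aliases[a].mask) != 0;
        for (a = 0; a < NCIPHERS && r < 0; a++)
            if (same(ciphers[a].name, spec + s, i - s)) r = (c == &ciphers[a]);
        if (r <= 0) return r;
        s = i + 1;
    }
    return 1;
}

/* Evaluate an OpenSSL-style cipher string (words split on ':', ',' or space): no prefix
 * adds matches in table order, '+' moves matches to the end, '-' removes them, '!'
 * removes them and blocks re-adding.  Fills out[NCIPHERS] with table indices in
 * preference order; returns the count, or -1 on an unknown word. */
int resolve_cipher_list(const char *list, int out[])
{
    int killed[NCIPHERS] = { 0 }, m[NCIPHERS], moved[NCIPHERS], n = 0, i, j, t, keep;
    const char *p = list, *start;
    char op;
    while (*p) {
        while (*p == ':' || *p == ',' || *p == ' ') p++;
        if (!*p) break;
        op = (*p == '!' || *p == '-' || *p == '+') ? *p++ : 0;
        for (start = p; *p && *p != ':' && *p != ',' && *p != ' '; p++) ;
        for (i = 0; i < NCIPHERS; i++)
            if ((m[i] = cipher_matches(&ciphers[i], start, (size_t)(p - start))) < 0) return -1;
        if (op == '+') {                      /* stable partition: non-matches, then matches */
            for (i = t = keep = 0; i < n; i++) { if (m[out[i]]) moved[t++] = out[i]; else out[keep++] = out[i]; }
            for (i = 0; i < t; i++) out[keep++] = moved[i];
        } else if (op) {                      /* '-' or '!' */
            for (i = 0; i < NCIPHERS; i++) if (m[i] && op == '!') killed[i] = 1;
            for (i = keep = 0; i < n; i++) if (!m[out[i]]) out[keep++] = out[i];
            n = keep;
        } else {
            for (i = 0; i < NCIPHERS; i++) {
                if (!m[i] || killed[i]) continue;
                for (j = 0; j < n && out[j] != i; j++) ;
                if (j == n) out[n++] = i;
            }
        }
    }
    return n;
}

/* How many of the resolved suites a reviewer would reject outright. */
int count_weak(const int idx[], int n)
{
    int i, w = 0;
    for (i = 0; i < n; i++) if (ciphers[idx[i]].flags & WEAK_MASK) w++;
    return w;
}

int main(void)
{
    const char *lists[] = { "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP",  /* the page's example */
                            "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!SSLv2" };    /* a hardened list */
    int k, i, out[NCIPHERS], n;
    for (k = 0; k < 2; k++) {
        n = resolve_cipher_list(lists[k], out);
        printf("%s ->", lists[k]);
        for (i = 0; i < n; i++) printf(" %s", ciphers[out[i]].name);
        printf("  (%d suites, %d weak)\n", n, count_weak(out, n));
    }
    return 0;
}
```

Run against the page's own example string, the model keeps RC4, DES and an SSLv2 suite, and "+SSLv2:+EXP" only demotes the export and SSLv2 suites to the end of the list rather than removing them: a client that offers nothing else still negotiates them. The hardened string uses '!' so that nothing later in the string (or in a "DEFAULT" expansion) can bring them back; "-RC4:RC4" would re-add RC4, "!RC4:RC4" does not. The real OpenSSL alias set is richer than this model (for instance "RSA" there also constrains authentication), so validate any production string with `openssl ciphers -v '<string>'` before relying on it.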

/*____________________________________________________________________________*\
 *
 Description:
	Prototypes.
\*____________________________________________________________________________*/
static int PIIO_SSLeay_write(BIO *h,const char *buf,int num);
static int PIIO_SSLeay_read(BIO *h,char *buf,int size);
static int PIIO_SSLeay_puts(BIO *h,const char *str);
static long PIIO_SSLeay_ctrl(BIO *h,int cmd,long arg1,char *arg2);
static int PIIO_SSLeay_new(BIO *h);
static int PIIO_SSLeay_free(BIO *data);
typedef int cbPassword(char *buf, int bufsize);


/*____________________________________________________________________________*\
 *
 Description:
	Data structures.
\*____________________________________________________________________________*/
struct _SSLConf
{
	/* ---
	
	Data global to all connections.

	Typically just configuration data.
	If any connections modify this data then mutexes must be used to ensure
	synchronization amongst multiple threads
	--- */
	int iVersion;				/* SSL version to accept */
	int iVerify;				/* client verification to perform */
	int iVerifyDepth;			/* verification depth */
	char *pKeyF;				/* keyfile */
	char *pCertF;				/* certfile */
	char *pCACertP;				/* ca certificate path */
	char *pCACertF;				/* ca certificate file */
	char *pRandomSeedFile;		/* random seed file */
	unsigned int iRandomSize;	/* size of random seed */
	SSL_CTX *pCtx;				/* SSL_CTX */
	int iServer;				/* is this a server or client connection? */
	int iBugs;					/* SSL bug compatibility */
	int iHack;					/* not documented */
	int iDisable;				/* switch off SSL */
	char *pDebugFile;			/* debug file name */
	FILE *pStdioDebug;			/* stdio debug file */
	BIO *pBIODebug;				/* BIO debug file */
	char *pCipherList;			/* cipher list */
	char *pPassPhrase;			/* private key passphrase */
	cbPassword *pPasswordDlg;	/* passphrase dialog */
};
typedef struct _SSLConf SSLConf;

struct _SSL
{
	/* ---

	Per connection (SSL) data:

	Data unique to this connection. Since only one connection will
	modify the data at a time it may safely be used without thread
	synchronization
	--- */
	SSLConf *pConf;		/* pointer to configuration struct */
	int iIsPrototype;			/* true for prototype, false otherwise */
	PIObject *pIOObject;		/* IO object for this connection, or 
								** prototype object.
								*/
	int iError;					/* error flag */
	PIDB *pSaveDB;				/* save the DB */
	BIO *pBio;					/* BIO object */
	SSL *pSSL;					/* SSL structure */
};
typedef struct _SSL PISSL;

struct _CipherInformation
{
	/* ---

	Information on ciphers, key sizes, etc.

	--- */
	const char *pName;
	int iKeySize;
	int iSecretKeySize;
};
typedef struct _CipherInformation CipherInformation;
const CipherInformation aCiphers[]=
{
/*
** Stuff shared between SSLv2 and SSLv3
*/
{ SSL_TXT_NULL_WITH_MD5,					0,		0 },
{ SSL_TXT_RC4_128_WITH_MD5,					128,	128 },
{ SSL_TXT_RC4_128_EXPORT40_WITH_MD5,		128,	40 },
{ SSL_TXT_RC2_128_CBC_WITH_MD5,				128,	128 },
{ SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,	128,	40 },
{ SSL_TXT_IDEA_128_CBC_WITH_MD5,			128,	128 },
{ SSL_TXT_DES_64_CBC_WITH_MD5,				56,		56 },
{ SSL_TXT_DES_64_CBC_WITH_SHA,				56,		56 },
{ SSL_TXT_DES_192_EDE3_CBC_WITH_MD5,		168,	168 },
{ SSL_TXT_DES_192_EDE3_CBC_WITH_SHA,		168,	168 },
{ SSL_TXT_NULL,								0,		0 },


/*
** New with SSLv3
*/
{ SSL3_TXT_RSA_NULL_MD5,					0,		0 },
{ SSL3_TXT_RSA_NULL_SHA,					0,		0 },
{ SSL3_TXT_RSA_RC4_40_MD5,					128,	40 },
{ SSL3_TXT_RSA_RC4_128_MD5,					128,	128 },
{ SSL3_TXT_RSA_RC4_128_SHA,					128,	128 },
{ SSL3_TXT_RSA_RC2_40_MD5,					128,	40 },
{ SSL3_TXT_RSA_IDEA_128_SHA,				128,	128 },
{ SSL3_TXT_RSA_DES_40_CBC_SHA,				40,		40 },
{ SSL3_TXT_RSA_DES_64_CBC_SHA,				56,		56 },
{ SSL3_TXT_RSA_DES_192_CBC3_SHA,			168,	168 },
{ SSL3_TXT_DH_DSS_DES_40_CBC_SHA,			40,		40 },
{ SSL3_TXT_DH_DSS_DES_64_CBC_SHA,			56,		56 },
{ SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,			168,	168 },
{ SSL3_TXT_DH_RSA_DES_40_CBC_SHA,			40,		40 },
{ SSL3_TXT_DH_RSA_DES_64_CBC_SHA,			56,		56 },
{ SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,			168,	168 },
{ SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,			40,		40 },
{ SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,			56,		56 },
{ SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,		168,	168 },
{ SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,			40,		40 },
{ SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,			56,		56 },
{ SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,		168,	168 },
{ SSL3_TXT_ADH_RC4_40_MD5,					128,	40 },
{ SSL3_TXT_ADH_RC4_128_MD5,					128,	128 },
{ SSL3_TXT_ADH_DES_40_CBC_SHA,				40,		40 },
{ SSL3_TXT_ADH_DES_64_CBC_SHA,				56,		56 },
//{ SSL3_TXT_ADH_DES_196_CBC_SHA,				168,	168 },
{ SSL3_TXT_FZA_DMS_NULL_SHA,				0,		0 },
{ SSL3_TXT_FZA_DMS_FZA_SHA,					96,		96 },
{ SSL3_TXT_FZA_DMS_RC4_SHA,					96,		96 },

/*
** New with TLSv1
*/
{ TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,		56,	56 },
{ TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,	56, 56 },
{ TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,		56,	56 },
