📄 ssl_util_ssl.c
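/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*                      _             _
 *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
 * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
 * | | | | | | (_) | (_| |   \__ \__ \ |
 * |_| |_| |_|\___/ \__,_|___|___/___/_|
 *                      |_____|
 *  ssl_util_ssl.c
 *  Additional Utility Functions for OpenSSL
 */

#include "ssl_private.h"

/*  _________________________________________________________________
**
**  Additional High-Level Functions for OpenSSL
**  _________________________________________________________________
*/

/* we initialize this index at startup time
 * and never write to it at request time,
 * so this static is thread safe.
 * also note that OpenSSL increments at static variable when
 * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
 */
static int SSL_app_data2_idx = -1;

/* Reserve the ex_data slot used by SSL_get_app_data2()/SSL_set_app_data2().
 * Idempotent: a second call after the index has been assigned is a no-op.
 * Must run during startup, before any request-time thread uses the slot. */
void SSL_init_app_data2_idx(void)
{
    int i;

    if (SSL_app_data2_idx > -1) {
        return;
    }

    /* we _do_ need to call this twice */
    for (i = 0; i <= 1; i++) {
        SSL_app_data2_idx =
            SSL_get_ex_new_index(0, "Second Application Data for SSL",
                                 NULL, NULL, NULL);
    }
}

/* Return the second application-data pointer attached to 'ssl'
 * (NULL if none was set or the index was never initialised). */
void *SSL_get_app_data2(SSL *ssl)
{
    return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
}

/* Attach 'arg' as the second application-data pointer of 'ssl'.
 * No ownership is taken: nothing frees 'arg' when 'ssl' goes away. */
void SSL_set_app_data2(SSL *ssl, void *arg)
{
    SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
    return;
}

/*  _________________________________________________________________
**
**  High-Level Certificate / Private Key Loading
**  _________________________________________________________________
*/

/* Open 'filename' for reading. When 'base64' is non-zero a Base64
 * decoding filter is pushed on top, so a DER object stored as bare
 * Base64 (no PEM headers) can be parsed with a d2i_*_bio() call.
 * Returns NULL on failure. Release the result with BIO_free_all(),
 * which frees the whole chain (and is equivalent to BIO_free() for
 * the unfiltered single-BIO case). */
static BIO *modssl_open_input_bio(const char *filename, int base64)
{
    BIO *bioS;
    BIO *bioF;

    if ((bioS = BIO_new_file(filename, "r")) == NULL)
        return NULL;
    if (!base64)
        return bioS;

    if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
        BIO_free(bioS);
        return NULL;
    }
    return BIO_push(bioF, bioS);
}

/* Load one certificate from 'filename', trying PEM first, then
 * Base64-wrapped DER, then raw DER.
 *
 * filename  path of the certificate file
 * x509      optional out-pointer; on success receives the certificate.
 *           A previous, distinct *x509 is released with X509_free().
 * cb        passphrase callback handed to the PEM reader only
 *
 * Returns the certificate, or NULL if no format could be parsed or the
 * file could not be opened. The returned object is owned by the caller
 * (and by *x509 when that was supplied; both refer to the same object). */
X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
{
    X509 *rc;
    BIO *bioS;

    /* 1. try PEM (= DER+Base64+headers) */
    if ((bioS = modssl_open_input_bio(filename, 0)) == NULL)
        return NULL;
    rc = modssl_PEM_read_bio_X509(bioS, x509, cb, NULL);
    BIO_free_all(bioS);

    if (rc == NULL) {
        /* 2. try DER+Base64 */
        if ((bioS = modssl_open_input_bio(filename, 1)) == NULL)
            return NULL;
        rc = d2i_X509_bio(bioS, NULL);
        BIO_free_all(bioS);
    }

    if (rc == NULL) {
        /* 3. try plain DER */
        if ((bioS = modssl_open_input_bio(filename, 0)) == NULL)
            return NULL;
        rc = d2i_X509_bio(bioS, NULL);
        BIO_free_all(bioS);
    }

    if (rc != NULL && x509 != NULL) {
        /* The PEM reader in step 1 is handed 'x509' and stores its result
         * through it, so after a PEM success *x509 already aliases rc.
         * Unconditionally freeing *x509 here would free the very object
         * we return; only release an old value that is a distinct object. */
        if (*x509 != NULL && *x509 != rc)
            X509_free(*x509);
        *x509 = rc;
    }
    return rc;
}

#if SSL_LIBRARY_VERSION <= 0x00904100
/* Compatibility shim: very old OpenSSL releases lack d2i_PrivateKey_bio(). */
static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
{
    return ((EVP_PKEY *)ASN1_d2i_bio(
            (char *(*)())EVP_PKEY_new,
            (char *(*)())d2i_PrivateKey,
            (bio),
            (unsigned char **)(key)));
}
#endif

/* Load one private key from 'filename', trying PEM first, then
 * Base64-wrapped DER, then raw DER.
 *
 * filename  path of the key file
 * key       optional out-pointer; on success receives the key.
 *           A previous, distinct *key is released with EVP_PKEY_free().
 * cb, s     passphrase callback and its argument, used by the PEM reader
 *
 * Security note: only the PEM path (step 1) can decrypt an encrypted key
 * via 'cb'. The two DER fallbacks call d2i_PrivateKey_bio() without any
 * callback, so they only ever succeed on an unencrypted key.
 *
 * Returns the key, or NULL if no format could be parsed or the file could
 * not be opened. Ownership is as for SSL_read_X509(). */
EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key,
                              modssl_read_bio_cb_fn *cb, void *s)
{
    EVP_PKEY *rc;
    BIO *bioS;

    /* 1. try PEM (= DER+Base64+headers) */
    if ((bioS = modssl_open_input_bio(filename, 0)) == NULL)
        return NULL;
    rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
    BIO_free_all(bioS);

    if (rc == NULL) {
        /* 2. try DER+Base64 */
        if ((bioS = modssl_open_input_bio(filename, 1)) == NULL)
            return NULL;
        rc = d2i_PrivateKey_bio(bioS, NULL);
        BIO_free_all(bioS);
    }

    if (rc == NULL) {
        /* 3. try plain DER */
        if ((bioS = modssl_open_input_bio(filename, 0)) == NULL)
            return NULL;
        rc = d2i_PrivateKey_bio(bioS, NULL);
        BIO_free_all(bioS);
    }

    if (rc != NULL && key != NULL) {
        /* Same aliasing hazard as in SSL_read_X509(): the PEM reader stores
         * its result through 'key', so *key may already be rc. Never free
         * the object we are returning. */
        if (*key != NULL && *key != rc)
            EVP_PKEY_free(*key);
        *key = rc;
    }
    return rc;
}

/*  _________________________________________________________________
**
**  Smart shutdown
**  _________________________________________________________________
*/

/* Drive SSL_shutdown() to completion with a bounded number of calls.
 *
 * SSL_shutdown() returns 0 while the close_notify exchange is still in
 * progress, so it is repeated; any non-zero result (1 = done, -1 = error)
 * ends the loop. The iteration cap keeps a peer that misbehaves on the
 * socket from hanging the process. Returns the last SSL_shutdown() result,
 * which is still 0 if the cap was reached. */
int SSL_smart_shutdown(SSL *ssl)
{
    int i;
    int rc;

    /*
     * Repeat the calls, because SSL_shutdown internally dispatches through a
     * little state machine. Usually only one or two iterations should be
     * needed, so we restrict the total number of iterations in order to
     * avoid process hangs in case the client played bad with the socket
     * connection and OpenSSL cannot recognize it.
     */
    rc = 0;
    for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
        if ((rc = SSL_shutdown(ssl)))
            break;
    }
    return rc;
}

/*  _________________________________________________________________
**
**  Certificate Revocation List (CRL) Storage
**  _________________________________________________________________
*/

/* Build an X509_STORE backed by a PEM file and/or a hashed directory.
 *
 * cpFile  optional PEM file loaded through a file lookup
 * cpPath  optional hash directory added through a hash_dir lookup
 *
 * Returns the new store, or NULL when both arguments are NULL, allocation
 * fails, or a lookup cannot be added or loaded. The store is released on
 * every failure path; lookups added to it are owned by the store and are
 * freed together with it. */
X509_STORE *SSL_X509_STORE_create(char *cpFile, char *cpPath)
{
    X509_STORE *pStore;
    X509_LOOKUP *pLookup;
    int rv = 1;

    ERR_clear_error();

    if (cpFile == NULL && cpPath == NULL)
        return NULL;
    if ((pStore = X509_STORE_new()) == NULL)
        return NULL;

    if (cpFile != NULL) {
        pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
        if (pLookup == NULL)
            goto fail;
        rv = X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
    }

    if (cpPath != NULL && rv == 1) {
        pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir());
        if (pLookup == NULL)
            goto fail;
        rv = X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
    }

    /* A failed load/add_dir previously returned NULL without freeing the
     * store it had just populated, leaking it. */
    if (rv != 1)
        goto fail;

    return pStore;

fail:
    X509_STORE_free(pStore);
    return NULL;
}

/* Look up an object of type 'nType' (e.g. X509_LU_CRL) by subject name
 * in 'pStore', filling 'pObj' on success. Returns the result of
 * X509_STORE_get_by_subject().
 *
 * NOTE(review): the X509_STORE_CTX lives on the stack, which requires a
 * non-opaque struct definition; this matches the OpenSSL generations this
 * file targets (see the SSL_LIBRARY_VERSION guard above), newer releases
 * would need X509_STORE_CTX_new()/_free(). */
int SSL_X509_STORE_lookup(X509_STORE *pStore, int nType,
                          X509_NAME *pName, X509_OBJECT *pObj)
{
    X509_STORE_CTX pStoreCtx;
    int rc;

    X509_STORE_CTX_init(&pStoreCtx, pStore, NULL, NULL);
    rc = X509_STORE_get_by_subject(&pStoreCtx, nType, pName, pObj);
    X509_STORE_CTX_cleanup(&pStoreCtx);
    return rc;
}

/*  _________________________________________________________________
**
**  Cipher Suite Spec String Creation
**  _________________________________________________________________
*/

/* Render the cipher list of 'ssl' as a pool-allocated string of the form
 * "NAME/1:NAME/0:..." where the digit is SSL_CIPHER_get_valid() for that
 * cipher. Returns "" (a literal, not pool memory) when 'ssl' is NULL, it
 * has no cipher stack, or the stack is empty. */
char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
{
    STACK_OF(SSL_CIPHER) *sk;
    SSL_CIPHER *c;
    const char *name;
    int i;
    int n;
    int l;
    char *cpCipherSuite;
    char *cp;

    if (ssl == NULL)
        return "";
    if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
        return "";

    n = sk_SSL_CIPHER_num(sk);

    /* size the buffer: every entry is "<name>/<digit>:", i.e. name + 3 */
    l = 0;
    for (i = 0; i < n; i++) {
        c = sk_SSL_CIPHER_value(sk, i);
        l += strlen(SSL_CIPHER_get_name(c)) + 2 + 1;
    }
    if (l == 0)
        return "";

    cpCipherSuite = (char *)apr_palloc(p, l + 1);
    cp = cpCipherSuite;
    for (i = 0; i < n; i++) {
        c = sk_SSL_CIPHER_value(sk, i);
        name = SSL_CIPHER_get_name(c);
        l = strlen(name);
        memcpy(cp, name, l);
        cp += l;
        *cp++ = '/';
        *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
        *cp++ = ':';
    }
    /* drop the trailing ':' written by the last iteration */
    *(cp - 1) = NUL;

    return cpCipherSuite;
}

/*  _________________________________________________________________
**
**  Certificate Checks
**  _________________________________________________________________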