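/*
 * Render the cipher list of an SSL connection as one pool-allocated string
 * of colon-separated "NAME/V" entries, where V is '1' when OpenSSL marks the
 * cipher valid and '0' otherwise.  Returns "" when there is no SSL object or
 * no cipher list (callers may therefore not free the result).
 */
char *SSL_make_ciphersuite(pool *p, SSL *ssl)
{
    STACK_OF(SSL_CIPHER) *sk;
    SSL_CIPHER *c;
    char *buf;
    char *cp;
    int num;
    int total;
    int len;
    int i;

    if (ssl == NULL)
        return "";
    if ((sk = SSL_get_ciphers(ssl)) == NULL)
        return "";

    num = sk_SSL_CIPHER_num(sk);

    /* pass 1: size the buffer; each entry is NAME + "/V" + ":" */
    total = 0;
    for (i = 0; i < num; i++) {
        c = sk_SSL_CIPHER_value(sk, i);
        total += strlen(c->name) + 3;
    }
    if (total == 0)
        return "";

    /* pass 2: render; the trailing ':' of the last entry becomes the NUL */
    cp = buf = ap_palloc(p, total + 1);
    for (i = 0; i < num; i++) {
        c = sk_SSL_CIPHER_value(sk, i);
        len = strlen(c->name);
        memcpy(cp, c->name, len);
        cp += len;
        *cp++ = '/';
        *cp++ = (c->valid == 1) ? '1' : '0';
        *cp++ = ':';
    }
    *(cp - 1) = NUL;
    return buf;
}

/*  _________________________________________________________________
**
**  Certificate Checks
**  _________________________________________________________________
*/

/*
 * Report whether cert carries an extendedKeyUsage extension containing a
 * Server Gated Cryptography OID (Microsoft or Netscape flavour).
 * Returns FALSE when the extension is absent or cannot be decoded.
 */
BOOL SSL_X509_isSGC(X509 *cert)
{
    X509_EXTENSION *ext;
    STACK *sk;
    BOOL is_sgc = FALSE;
    int idx;
    int i;

    idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
    if (idx < 0)
        return FALSE;
    if ((ext = X509_get_ext(cert, idx)) == NULL)
        return FALSE;
    if ((sk = (STACK *)X509V3_EXT_d2i(ext)) == NULL)
        return FALSE;

    for (i = 0; i < sk_num(sk); i++) {
        int nid = OBJ_obj2nid((ASN1_OBJECT *)sk_value(sk, i));
        if (nid == NID_ms_sgc || nid == NID_ns_sgc) {
            is_sgc = TRUE;
            break;
        }
    }
    /* X509V3_EXT_d2i returns a freshly decoded stack of ASN1_OBJECTs that
     * we own; the previous version never released it and leaked one stack
     * per call (one per peer certificate checked). */
    sk_pop_free(sk, (void (*)(void *))ASN1_OBJECT_free);
    return is_sgc;
}

/*
 * Extract the basicConstraints ingredients of cert: *ca is set to the cA
 * flag and *pathlen to the pathLenConstraint, or -1 when no constraint is
 * present (unlimited).  Returns FALSE when the extension is absent, cannot
 * be decoded, or the path length cannot be converted; *ca and *pathlen may
 * already have been written in the conversion-failure case.
 */
BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
{
    X509_EXTENSION *ext;
    BASIC_CONSTRAINTS *bc;
    BIGNUM *bn;
    char *cp;
    int idx;
    BOOL ok = TRUE;

    if ((idx = X509_get_ext_by_NID(cert, NID_basic_constraints, -1)) < 0)
        return FALSE;
    if ((ext = X509_get_ext(cert, idx)) == NULL)
        return FALSE;
    if ((bc = (BASIC_CONSTRAINTS *)X509V3_EXT_d2i(ext)) == NULL)
        return FALSE;

    *ca = bc->ca;
    *pathlen = -1; /* unlimited */
    if (bc->pathlen != NULL) {
        /* go via BN/decimal as before; every failure path now releases bc
         * and bn instead of returning early and leaking them */
        bn = ASN1_INTEGER_to_BN(bc->pathlen, NULL);
        if (bn == NULL) {
            ok = FALSE;
        }
        else {
            cp = BN_bn2dec(bn);
            if (cp == NULL) {
                ok = FALSE;
            }
            else {
                /* NOTE(review): atoi() has no overflow detection; a
                 * pathLenConstraint beyond INT_MAX yields an undefined
                 * value here.  Kept for compatibility with existing
                 * callers. */
                *pathlen = atoi(cp);
                OPENSSL_free(cp);
            }
            BN_free(bn);
        }
    }
    BASIC_CONSTRAINTS_free(bc);
    return ok;
}

/*
 * Copy the first subject CommonName of xs into a NUL-terminated string
 * allocated from p and store it in *cppCN.  Returns FALSE when the subject
 * has no CN, or when the CN contains an embedded NUL byte.
 */
BOOL SSL_X509_getCN(pool *p, X509 *xs, char **cppCN)
{
    X509_NAME *xsn;
    X509_NAME_ENTRY *xsne;
    int num;
    int len;
    int i;

    if ((xsn = X509_get_subject_name(xs)) == NULL)
        return FALSE;

    num = sk_X509_NAME_ENTRY_num(xsn->entries);
    for (i = 0; i < num; i++) {
        xsne = sk_X509_NAME_ENTRY_value(xsn->entries, i);
        if (OBJ_obj2nid(xsne->object) != NID_commonName)
            continue;

        len = xsne->value->length;
        /* The CN is attacker-influenced data from a peer certificate.  A
         * value such as "good.example\0evil.example" would be silently cut
         * at the NUL by a C-string copy, so the string a caller compares
         * against would not be the name the CA actually signed.  Refuse to
         * return a truncated prefix. */
        if (memchr(xsne->value->data, 0, len) != NULL)
            return FALSE;

        *cppCN = ap_palloc(p, len + 1);
        memcpy(*cppCN, xsne->value->data, len);
        (*cppCN)[len] = NUL;
#ifdef CHARSET_EBCDIC
        ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
#endif
        return TRUE;
    }
    return FALSE;
}

/*  _________________________________________________________________
**
**  Low-Level CA Certificate Loading
**  _________________________________________________________________
*/

#ifdef SSL_EXPERIMENTAL_PROXY

/*
 * Append the certificates/keys found in the PEM file filename to sk.
 * Returns FALSE when the file cannot be opened or when OpenSSL reports a
 * read/decode failure; p is unused and kept for interface compatibility.
 */
BOOL SSL_load_CrtAndKeyInfo_file(pool *p, STACK_OF(X509_INFO) *sk, char *filename)
{
    BIO *in;
    STACK_OF(X509_INFO) *res;

    if ((in = BIO_new(BIO_s_file())) == NULL)
        return FALSE;
    if (BIO_read_filename(in, filename) <= 0) {
        BIO_free(in);
        return FALSE;
    }
    ERR_clear_error();
#if SSL_LIBRARY_VERSION < 0x00904000
    res = PEM_X509_INFO_read_bio(in, sk, NULL);
#else
    res = PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
#endif
    BIO_free(in);
    /* PEM_X509_INFO_read_bio signals failure by returning NULL; the
     * previous version ignored it and reported TRUE for unreadable or
     * malformed files.  The OpenSSL error queue is left for the caller. */
    if (res == NULL)
        return FALSE;
    return TRUE;
}

/*
 * Load every regular file below pathname via SSL_load_CrtAndKeyInfo_file.
 * Returns TRUE if at least one file loaded, FALSE if the directory cannot
 * be opened or no file loaded.
 */
BOOL SSL_load_CrtAndKeyInfo_path(pool *p, STACK_OF(X509_INFO) *sk, char *pathname)
{
    struct stat st;
    struct dirent *ent;
    pool *sp;
    DIR *dir;
    char *fullname;
    BOOL ok = FALSE;

    sp = ap_make_sub_pool(p);
    if ((dir = ap_popendir(sp, pathname)) == NULL) {
        ap_destroy_pool(sp);
        return FALSE;
    }
    while ((ent = readdir(dir)) != NULL) {
        fullname = ap_pstrcat(sp, pathname, "/", ent->d_name, NULL);
        /* "." and ".." and any subdirectories fail the S_ISREG test */
        if (stat(fullname, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (SSL_load_CrtAndKeyInfo_file(sp, sk, fullname))
            ok = TRUE;
    }
    /* The handle was opened on sub-pool sp, so its cleanup is registered
     * there.  The previous code closed it through p, which leaves sp's
     * cleanup in place so that ap_destroy_pool(sp) closes the already
     * closed handle a second time. */
    ap_pclosedir(sp, dir);
    ap_destroy_pool(sp);
    return ok;
}

#endif /* SSL_EXPERIMENTAL_PROXY */

/*  _________________________________________________________________
**
**  Extra Server Certificate Chain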
Support
**  _________________________________________________________________
*/

/*
 * Load the extra certificate chain for ctx from a PEM file.  The file may
 * begin with the server certificate itself (skipped when skipfirst is set),
 * followed by the CA certificates that are to be sent to the peer in the
 * Certificate message.  Any chain configured earlier on ctx is replaced.
 * Returns the number of chain certificates installed, or -1 on any error;
 * on error the OpenSSL error queue is left for the caller to report.
 */
#if SSL_LIBRARY_VERSION < 0x00904000
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *file, int skipfirst,
                                  int (*cb)(char *, int, int))
#else
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *file, int skipfirst,
                                  int (*cb)(char *, int, int, void *))
#endif
{
    BIO *bio;
    X509 *cert;
    unsigned long err;
    int count = 0;
    int rc = -1;

    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
        return -1;
    if (BIO_read_filename(bio, file) <= 0)
        goto out;

    /* the first PEM block may be the server certificate itself: consume it */
    if (skipfirst) {
#if SSL_LIBRARY_VERSION < 0x00904000
        cert = PEM_read_bio_X509(bio, NULL, cb);
#else
        cert = PEM_read_bio_X509(bio, NULL, cb, NULL);
#endif
        if (cert == NULL)
            goto out;
        X509_free(cert);
    }

    /* discard whatever chain was configured before */
    if (ctx->extra_certs != NULL) {
        sk_X509_pop_free(ctx->extra_certs, X509_free);
        ctx->extra_certs = NULL;
    }

    /* install every remaining certificate; ownership passes to ctx on
     * success, so only the rejected one is released here */
    for (;;) {
#if SSL_LIBRARY_VERSION < 0x00904000
        cert = PEM_read_bio_X509(bio, NULL, cb);
#else
        cert = PEM_read_bio_X509(bio, NULL, cb, NULL);
#endif
        if (cert == NULL)
            break;
        if (!SSL_CTX_add_extra_chain_cert(ctx, cert)) {
            X509_free(cert);
            goto out;
        }
        count++;
    }

    /* the loop ends on the first failed read: only "no start line", i.e.
     * end of file, is acceptable, and that one is drained from the queue */
    err = ERR_peek_error();
    if (err > 0) {
        if (ERR_GET_LIB(err) != ERR_LIB_PEM
            || ERR_GET_REASON(err) != PEM_R_NO_START_LINE)
            goto out;
        while (ERR_get_error() > 0)
            ;
    }
    rc = count;

out:
    BIO_free(bio);
    return rc;
}

/*  _________________________________________________________________
**
**  Session Stuff
**  _________________________________________________________________
*/

/*
 * Format a session id as an upper-case hex string.  At most
 * SSL_MAX_SSL_SESSION_ID_LENGTH bytes of id are rendered; idlen <= 0
 * yields "".  The result lives in a static buffer: it is overwritten by
 * the next call and must not be handed to another thread.
 */
char *SSL_SESSION_id2sz(unsigned char *id, int idlen)
{
    static const char hex[] = "0123456789ABCDEF";
    static char str[(SSL_MAX_SSL_SESSION_ID_LENGTH+1)*2];
    int limit;
    int n;

    limit = (idlen < SSL_MAX_SSL_SESSION_ID_LENGTH)
            ? idlen : SSL_MAX_SSL_SESSION_ID_LENGTH;
    for (n = 0; n < limit; n++) {
        str[2*n]     = hex[id[n] >> 4];
        str[2*n + 1] = hex[id[n] & 0x0F];
    }
    str[2*n] = NUL;
    return str;
}