ssl-openssl.cpp@ 74723

Last change on this file since 74723 was 74723, checked in by vboxsync, 6 years ago
IPRT/ssl: deal with relatively old OpenSSL 1.1.0 releases which don't have the SSL_CTX protocol version getters.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 15.5 KB

Line
1	/** @file
2	* IPRT - Crypto - Secure Socket Layer (SSL) / Transport Security Layer (TLS).
3	*/
4
5	/*
6	* Copyright (C) 2018 Oracle Corporation
7	*
8	* This file is part of VirtualBox Open Source Edition (OSE), as
9	* available from http://www.virtualbox.org. This file is free software;
10	* you can redistribute it and/or modify it under the terms of the GNU
11	* General Public License (GPL) as published by the Free Software
12	* Foundation, in version 2 as it comes in the "COPYING" file of the
13	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15	*
16	* The contents of this file may alternatively be used under the terms
17	* of the Common Development and Distribution License Version 1.0
18	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19	* VirtualBox OSE distribution, in which case the provisions of the
20	* CDDL are applicable instead of those of the GPL.
21	*
22	* You may elect to license modified versions of this file under the
23	* terms and conditions of either the GPL or the CDDL or both.
24	*/
25	#ifdef IPRT_WITH_OPENSSL /* whole file */
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	# include "internal/iprt.h"
32	# include <iprt/crypto/ssl.h>
33
34	# include <iprt/asm.h>
35	# include <iprt/assert.h>
36	# include <iprt/file.h>
37	# include <iprt/mem.h>
38	# include <iprt/string.h>
39
40	# include "internal/magics.h"
41
42	# include "internal/iprt-openssl.h"
43	# include <openssl/ssl.h>
44	# include <openssl/tls1.h>
45
46
47	/*********************************************************************************************************************************
48	* Header Files *
49	*********************************************************************************************************************************/
50	/**
51	* SSL instance data for OpenSSL.
52	*/
53	typedef struct RTCRSSLINT
54	{
55	/** Magic value (RTCRSSLINT_MAGIC). */
56	uint32_t u32Magic;
57	/** Reference count. */
58	uint32_t volatile cRefs;
59	/** The SSL context. */
60	SSL_CTX *pCtx;
61	} RTCRSSLINT;
62
63	/**
64	* SSL session instance data for OpenSSL.
65	*/
66	typedef struct RTCRSSLSESSIONINT
67	{
68	/** Magic value (RTCRSSLSESSIONINT_MAGIC). */
69	uint32_t u32Magic;
70	/** Reference count. */
71	uint32_t volatile cRefs;
72	/** RTCRSSLSESSION_F_XXX. */
73	uint32_t fFlags;
74
75	/** The SSL instance. */
76	SSL *pSsl;
77	/** The socket BIO instance. */
78	BIO *pBio;
79	} RTCRSSLSESSIONINT;
80
81
82
83	RTDECL(int) RTCrSslCreate(PRTCRSSL phSsl, uint32_t fFlags)
84	{
85	AssertPtr(phSsl);
86	*phSsl = NIL_RTCRSSL;
87	AssertReturn(!fFlags, VERR_INVALID_FLAGS);
88
89	SSL_library_init();
90
91	/*
92	* We aim at TLSv1 or higher here by default.
93	*/
94	# if OPENSSL_VERSION_NUMBER >= 0x10100000
95	const SSL_METHOD *pSslMethod = TLS_method();
96	# elif OPENSSL_VERSION_NUMBER >= 0x10002000
97	const SSL_METHOD *pSslMethod = SSLv23_method();
98	# elif OPENSSL_VERSION_NUMBER >= 0x10000000
99	const SSL_METHOD *pSslMethod = TLSv1_method();
100	# else
101	SSL_METHOD *pSslMethod = TLSv1_method();
102	# endif
103	if (pSslMethod)
104	{
105	RTCRSSLINT pThis = (RTCRSSLINT )RTMemAllocZ(sizeof(*pThis));
106	if (pThis)
107	{
108	pThis->pCtx = SSL_CTX_new(pSslMethod);
109	if (pThis->pCtx)
110	{
111	/* Help with above aim. */
112	# if OPENSSL_VERSION_NUMBER >= 0x10100000
113	# ifndef SSL_CTX_get_min_proto_version
114	/* Some older OpenSSL 1.1.0 releases lack the getters, officially they were
115	* added with 1.1.1 but someone cherry picked them, just maybe too late. */
116	# define SSL_CTX_get_min_proto_version(ctx) (0)
117	# endif
118	if (SSL_CTX_get_min_proto_version(pThis->pCtx) < TLS1_VERSION)
119	SSL_CTX_set_min_proto_version(pThis->pCtx, TLS1_VERSION);
120	# elif OPENSSL_VERSION_NUMBER >= 0x10002000
121	SSL_CTX_set_options(pThis->pCtx, SSL_OP_NO_SSLv2);
122	SSL_CTX_set_options(pThis->pCtx, SSL_OP_NO_SSLv3);
123	# endif
124
125	/*
126	* Complete the instance and return it.
127	*/
128	pThis->u32Magic = RTCRSSLINT_MAGIC;
129	pThis->cRefs = 1;
130
131	*phSsl = pThis;
132	return VINF_SUCCESS;
133	}
134	}
135	return VERR_NO_MEMORY;
136	}
137	return VERR_NOT_SUPPORTED;
138	}
139
140
141	RTDECL(uint32_t) RTCrSslRetain(RTCRSSL hSsl)
142	{
143	RTCRSSLINT *pThis = hSsl;
144	AssertPtrReturn(pThis, UINT32_MAX);
145	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, UINT32_MAX);
146
147	uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
148	Assert(cRefs > 1);
149	Assert(cRefs < 1024);
150	return cRefs;
151	}
152
153
154	/**
155	* Worker for RTCrSslRelease.
156	*/
157	static int rtCrSslDestroy(RTCRSSLINT *pThis)
158	{
159	ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRSSLINT_MAGIC);
160	SSL_CTX_free(pThis->pCtx);
161	pThis->pCtx = NULL;
162	RTMemFree(pThis);
163	return 0;
164	}
165
166
167	RTDECL(uint32_t) RTCrSslRelease(RTCRSSL hSsl)
168	{
169	RTCRSSLINT *pThis = hSsl;
170	if (pThis == NIL_RTCRSSL)
171	return 0;
172	AssertPtrReturn(pThis, UINT32_MAX);
173	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, UINT32_MAX);
174
175	uint32_t cRefs = ASMAtomicDecU32(&pThis->cRefs);
176	Assert(cRefs < 1024);
177	if (cRefs == 0)
178	return rtCrSslDestroy(pThis);
179	return cRefs;
180	}
181
182
183	RTDECL(int) RTCrSslSetCertificateFile(RTCRSSL hSsl, const char *pszFile, uint32_t fFlags)
184	{
185	RTCRSSLINT *pThis = hSsl;
186	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
187	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
188	AssertReturn(!(fFlags & ~RTCRSSL_FILE_F_ASN1), VERR_INVALID_FLAGS);
189
190	int rcOssl = SSL_CTX_use_certificate_file(pThis->pCtx, pszFile,
191	RTCRSSL_FILE_F_ASN1 & fFlags ? SSL_FILETYPE_ASN1 : SSL_FILETYPE_PEM);
192	if (rcOssl != 0)
193	return VINF_SUCCESS;
194	return !pszFile \|\| !pszFile \|\| !RTFileExists(pszFile) ? VERR_FILE_NOT_FOUND : VERR_OPEN_FAILED; /* @todo Better status codes */
195	}
196
197
198	RTDECL(int) RTCrSslSetPrivateKeyFile(RTCRSSL hSsl, const char *pszFile, uint32_t fFlags)
199	{
200	RTCRSSLINT *pThis = hSsl;
201	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
202	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
203	AssertReturn(!(fFlags & ~RTCRSSL_FILE_F_ASN1), VERR_INVALID_FLAGS);
204
205	int rcOssl = SSL_CTX_use_PrivateKey_file(pThis->pCtx, pszFile,
206	RTCRSSL_FILE_F_ASN1 & fFlags ? SSL_FILETYPE_ASN1 : SSL_FILETYPE_PEM);
207	if (rcOssl != 0)
208	return VINF_SUCCESS;
209	return !pszFile \|\| !pszFile \|\| !RTFileExists(pszFile) ? VERR_FILE_NOT_FOUND : VERR_OPEN_FAILED; /* @todo Better status codes */
210	}
211
212
213	RTDECL(int) RTCrSslLoadTrustedRootCerts(RTCRSSL hSsl, const char pszFile, const char pszDir)
214	{
215	RTCRSSLINT *pThis = hSsl;
216	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
217	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
218
219	int rcOssl = SSL_CTX_load_verify_locations(pThis->pCtx, pszFile, pszDir);
220	if (rcOssl != 0)
221	return VINF_SUCCESS;
222
223	if (!pszFile \|\| !*pszFile \|\| !RTFileExists(pszFile))
224	return VERR_FILE_NOT_FOUND;
225	return VERR_OPEN_FAILED; /** @todo Better status codes */
226	}
227
228
229	RTDECL(int) RTCrSslSetNoPeerVerify(RTCRSSL hSsl)
230	{
231	RTCRSSLINT *pThis = hSsl;
232	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
233	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
234
235	SSL_CTX_set_verify(pThis->pCtx, SSL_VERIFY_NONE, NULL);
236	return VINF_SUCCESS;
237	}
238
239
240
241	//RTDECL(int) RTCrSslCreateSession(RTCRSSL hSsl, RTSOCKET hSocket, uint32_t fFlags, PRTCRSSLSESSION phSslConn);
242
243	RTDECL(int) RTCrSslCreateSessionForNativeSocket(RTCRSSL hSsl, RTHCINTPTR hNativeSocket, uint32_t fFlags,
244	PRTCRSSLSESSION phSslSession)
245	{
246	/*
247	* Validate input.
248	*/
249	*phSslSession = NIL_RTCRSSLSESSION;
250
251	RTCRSSLINT *pThis = hSsl;
252	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
253	AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
254	AssertReturn(!(fFlags & ~RTCRSSLSESSION_F_NON_BLOCKING), VERR_INVALID_FLAGS);
255
256	/*
257	* Create a new session.
258	*/
259	int rc = VERR_NO_MEMORY;
260	RTCRSSLSESSIONINT pSession = (RTCRSSLSESSIONINT )RTMemAllocZ(sizeof(*pSession));
261	if (pSession)
262	{
263	pSession->pSsl = SSL_new(pThis->pCtx);
264	if (pSession->pSsl)
265	{
266	/* Disable read-ahead if non-blocking socket relying on select/poll. */
267	if (fFlags & RTCRSSLSESSION_F_NON_BLOCKING)
268	SSL_set_read_ahead(pSession->pSsl, 0);
269
270	/* Create a wrapper for the socket handle. */
271	pSession->pBio = BIO_new_socket(hNativeSocket, BIO_NOCLOSE);
272	if (pSession->pBio)
273	{
274	# if OPENSSL_VERSION_NUMBER >= 0x10100000
275	BIO_up_ref(pSession->pBio); /* our reference. */
276	# endif
277	SSL_set_bio(pSession->pSsl, pSession->pBio, pSession->pBio);
278
279	/*
280	* Done.
281	*/
282	pSession->cRefs = 1;
283	pSession->u32Magic = RTCRSSLSESSIONINT_MAGIC;
284	*phSslSession = pSession;
285	return VINF_SUCCESS;
286	}
287
288	SSL_free(pSession->pSsl);
289	pSession->pSsl = NULL;
290	}
291	RTMemFree(pThis);
292	}
293	return rc;
294	}
295
296
297	/*********************************************************************************************************************************
298	* Session implementation. *
299	*********************************************************************************************************************************/
300
301	RTDECL(uint32_t) RTCrSslSessionRetain(RTCRSSLSESSION hSslSession)
302	{
303	RTCRSSLSESSIONINT *pThis = hSslSession;
304	AssertPtrReturn(pThis, UINT32_MAX);
305	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, UINT32_MAX);
306
307	uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
308	Assert(cRefs > 1);
309	Assert(cRefs < 1024);
310	return cRefs;
311	}
312
313
314	/**
315	* Worker for RTCrSslRelease.
316	*/
317	static int rtCrSslSessionDestroy(RTCRSSLSESSIONINT *pThis)
318	{
319	ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRSSLSESSIONINT_MAGIC);
320	SSL_free(pThis->pSsl);
321	pThis->pSsl = NULL;
322	# if OPENSSL_VERSION_NUMBER >= 0x10100000
323	BIO_free(pThis->pBio);
324	# endif
325	pThis->pBio = NULL;
326	RTMemFree(pThis);
327	return 0;
328	}
329
330
331	RTDECL(uint32_t) RTCrSslSessionRelease(RTCRSSLSESSION hSslSession)
332	{
333	RTCRSSLSESSIONINT *pThis = hSslSession;
334	if (pThis == NIL_RTCRSSLSESSION)
335	return 0;
336	AssertPtrReturn(pThis, UINT32_MAX);
337	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, UINT32_MAX);
338
339	uint32_t cRefs = ASMAtomicDecU32(&pThis->cRefs);
340	Assert(cRefs < 1024);
341	if (cRefs == 0)
342	return rtCrSslSessionDestroy(pThis);
343	return cRefs;
344	}
345
346
347	RTDECL(int) RTCrSslSessionAccept(RTCRSSLSESSION hSslSession, uint32_t fFlags)
348	{
349	RTCRSSLSESSIONINT *pThis = hSslSession;
350	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
351	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
352	AssertReturn(!fFlags, VERR_INVALID_FLAGS);
353
354	int rcOssl = SSL_accept(pThis->pSsl);
355	if (rcOssl > 0)
356	return VINF_SUCCESS;
357
358	/** @todo better status codes. */
359	if (BIO_should_retry(pThis->pBio))
360	return VERR_TRY_AGAIN;
361	return VERR_NOT_SUPPORTED;
362	}
363
364
365	RTDECL(int) RTCrSslSessionConnect(RTCRSSLSESSION hSslSession, uint32_t fFlags)
366	{
367	RTCRSSLSESSIONINT *pThis = hSslSession;
368	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
369	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
370	AssertReturn(!fFlags, VERR_INVALID_FLAGS);
371
372	int rcOssl = SSL_connect(pThis->pSsl);
373	if (rcOssl > 0)
374	return VINF_SUCCESS;
375
376	/** @todo better status codes. */
377	if (BIO_should_retry(pThis->pBio))
378	return VERR_TRY_AGAIN;
379	return VERR_NOT_SUPPORTED;
380	}
381
382
383	RTDECL(const char *) RTCrSslSessionGetVersion(RTCRSSLSESSION hSslSession)
384	{
385	RTCRSSLSESSIONINT *pThis = hSslSession;
386	AssertPtrReturn(pThis, NULL);
387	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, NULL);
388
389	return SSL_get_version(pThis->pSsl);
390	}
391
392
393	RTDECL(int) RTCrSslSessionGetCertIssuerNameAsString(RTCRSSLSESSION hSslSession, char pszBuf, size_t cbBuf, size_t pcbActual)
394	{
395	RTCRSSLSESSIONINT *pThis = hSslSession;
396	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
397	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
398	AssertPtrNull(pszBuf);
399	AssertPtrNull(pcbActual);
400	if (pcbActual)
401	*pcbActual = 0;
402
403	/*
404	* Get and format the certificate issuer name.
405	*/
406	int rc = VERR_NOT_AVAILABLE;
407	X509 *pCert = SSL_get_certificate(pThis->pSsl);
408	if (pCert)
409	{
410	X509_NAME *pIssuer = X509_get_issuer_name(pCert);
411	if (pIssuer)
412	{
413	char *pszSrc = X509_NAME_oneline(pIssuer, NULL, 0);
414	if (pszSrc)
415	{
416	/*
417	* Copy out the result and free it.
418	*/
419	size_t cbNeeded = strlen(pszSrc) + 1;
420	if (pcbActual)
421	*pcbActual = cbNeeded;
422
423	if (pszBuf != NULL && cbBuf > 0)
424	{
425	if (cbBuf >= cbNeeded)
426	{
427	memcpy(pszBuf, pszSrc, cbNeeded);
428	rc = VINF_SUCCESS;
429	}
430	else
431	{
432	memcpy(pszBuf, pszSrc, cbBuf - 1);
433	pszBuf[cbBuf - 1] = '\0';
434	rc = VERR_BUFFER_OVERFLOW;
435	}
436	}
437	else
438	rc = VERR_BUFFER_OVERFLOW;
439	OPENSSL_free(pszSrc);
440	}
441	}
442	}
443	return rc;
444	}
445
446
447	RTDECL(bool) RTCrSslSessionPending(RTCRSSLSESSION hSslSession)
448	{
449	RTCRSSLSESSIONINT *pThis = hSslSession;
450	AssertPtrReturn(pThis, true);
451	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, true);
452
453	return SSL_pending(pThis->pSsl) != 0;
454	}
455
456
457	RTDECL(ssize_t) RTCrSslSessionRead(RTCRSSLSESSION hSslSession, void *pvBuf, size_t cbToRead)
458	{
459	RTCRSSLSESSIONINT *pThis = hSslSession;
460	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
461	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
462
463	Assert((size_t)(int)cbToRead == cbToRead);
464
465	int cbActual = SSL_read(pThis->pSsl, pvBuf, (int)cbToRead);
466	if (cbActual > 0)
467	return cbActual;
468	if (BIO_should_retry(pThis->pBio))
469	return VERR_TRY_AGAIN;
470	return VERR_READ_ERROR; /** @todo better status codes. */
471	}
472
473
474	RTDECL(ssize_t) RTCrSslSessionWrite(RTCRSSLSESSION hSslSession, void const *pvBuf, size_t cbToWrite)
475	{
476	RTCRSSLSESSIONINT *pThis = hSslSession;
477	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
478	AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
479
480	Assert((size_t)(int)cbToWrite == cbToWrite);
481	Assert(cbToWrite != 0 /* undefined behavior if zero */);
482
483	int cbActual = SSL_write(pThis->pSsl, pvBuf, (int)cbToWrite);
484	if (cbActual > 0)
485	return cbActual;
486	if (BIO_should_retry(pThis->pBio))
487	return VERR_TRY_AGAIN;
488	return VERR_WRITE_ERROR; /** @todo better status codes. */
489	}
490
491	#endif /* IPRT_WITH_OPENSSL */
492

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Runtime/common/crypto/ssl-openssl.cpp@ 74723

Download in other formats: