VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/ssl-openssl.cpp@ 86103

Last change on this file since 86103 was 85121, checked in by vboxsync, 5 years ago

iprt/cdefs.h: Refactored the typedef use of DECLCALLBACK as well as DECLCALLBACKMEMBER to wrap the whole expression, similar to the DECLR?CALLBACKMEMBER macros. This allows adding a throw() at the end when compiling with the VC++ compiler to indicate that the callbacks won't throw anything, so we can stop supressing the C5039 warning about passing functions that can potential throw C++ exceptions to extern C code that can't necessarily cope with such (unwind,++). Introduced a few _EX variations that allows specifying different/no calling convention too, as that's handy when dynamically resolving host APIs. Fixed numerous places missing DECLCALLBACK and such. Left two angry @todos regarding use of CreateThread. bugref:9794

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 15.7 KB
Line 
1/** @file
2 * IPRT - Crypto - Secure Socket Layer (SSL) / Transport Security Layer (TLS).
3 */
4
5/*
6 * Copyright (C) 2018-2020 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25#ifdef IPRT_WITH_OPENSSL /* whole file */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31# include "internal/iprt.h"
32# include <iprt/crypto/ssl.h>
33
34# include <iprt/asm.h>
35# include <iprt/assert.h>
36# include <iprt/err.h>
37# include <iprt/file.h>
38# include <iprt/mem.h>
39# include <iprt/string.h>
40
41# include "internal/magics.h"
42
43# include "internal/iprt-openssl.h"
44# include "internal/openssl-pre.h"
45# include <openssl/ssl.h>
46# include <openssl/tls1.h>
47# include "internal/openssl-post.h"
48
49
50/*********************************************************************************************************************************
51* Header Files *
52*********************************************************************************************************************************/
53/**
54 * SSL instance data for OpenSSL.
55 */
56typedef struct RTCRSSLINT
57{
58 /** Magic value (RTCRSSLINT_MAGIC). */
59 uint32_t u32Magic;
60 /** Reference count. */
61 uint32_t volatile cRefs;
62 /** The SSL context. */
63 SSL_CTX *pCtx;
64} RTCRSSLINT;
65
66/**
67 * SSL session instance data for OpenSSL.
68 */
69typedef struct RTCRSSLSESSIONINT
70{
71 /** Magic value (RTCRSSLSESSIONINT_MAGIC). */
72 uint32_t u32Magic;
73 /** Reference count. */
74 uint32_t volatile cRefs;
75 /** RTCRSSLSESSION_F_XXX. */
76 uint32_t fFlags;
77
78 /** The SSL instance. */
79 SSL *pSsl;
80 /** The socket BIO instance. */
81 BIO *pBio;
82} RTCRSSLSESSIONINT;
83
84
85
86RTDECL(int) RTCrSslCreate(PRTCRSSL phSsl, uint32_t fFlags)
87{
88 AssertPtr(phSsl);
89 *phSsl = NIL_RTCRSSL;
90 AssertReturn(!fFlags, VERR_INVALID_FLAGS);
91
92 SSL_library_init();
93
94 /*
95 * We aim at TLSv1 or higher here by default.
96 */
97# if OPENSSL_VERSION_NUMBER >= 0x10100000
98 const SSL_METHOD *pSslMethod = TLS_method();
99# elif OPENSSL_VERSION_NUMBER >= 0x10002000
100 const SSL_METHOD *pSslMethod = SSLv23_method();
101# elif OPENSSL_VERSION_NUMBER >= 0x10000000
102 const SSL_METHOD *pSslMethod = TLSv1_method();
103# else
104 SSL_METHOD *pSslMethod = TLSv1_method();
105# endif
106 if (pSslMethod)
107 {
108 RTCRSSLINT *pThis = (RTCRSSLINT *)RTMemAllocZ(sizeof(*pThis));
109 if (pThis)
110 {
111 pThis->pCtx = SSL_CTX_new(pSslMethod);
112 if (pThis->pCtx)
113 {
114 /* Help with above aim. */
115# if OPENSSL_VERSION_NUMBER >= 0x10100000
116# ifndef SSL_CTX_get_min_proto_version
117/* Some older OpenSSL 1.1.0 releases lack the getters, officially they were
118 * added with 1.1.1 but someone cherry picked them, just maybe too late. */
119# define SSL_CTX_get_min_proto_version(ctx) (0)
120# endif
121 if (SSL_CTX_get_min_proto_version(pThis->pCtx) < TLS1_VERSION)
122 SSL_CTX_set_min_proto_version(pThis->pCtx, TLS1_VERSION);
123# elif OPENSSL_VERSION_NUMBER >= 0x10002000
124 SSL_CTX_set_options(pThis->pCtx, SSL_OP_NO_SSLv2);
125 SSL_CTX_set_options(pThis->pCtx, SSL_OP_NO_SSLv3);
126# endif
127
128 /*
129 * Complete the instance and return it.
130 */
131 pThis->u32Magic = RTCRSSLINT_MAGIC;
132 pThis->cRefs = 1;
133
134 *phSsl = pThis;
135 return VINF_SUCCESS;
136 }
137 }
138 return VERR_NO_MEMORY;
139 }
140 return VERR_NOT_SUPPORTED;
141}
142
143
144RTDECL(uint32_t) RTCrSslRetain(RTCRSSL hSsl)
145{
146 RTCRSSLINT *pThis = hSsl;
147 AssertPtrReturn(pThis, UINT32_MAX);
148 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, UINT32_MAX);
149
150 uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
151 Assert(cRefs > 1);
152 Assert(cRefs < 1024);
153 return cRefs;
154}
155
156
157/**
158 * Worker for RTCrSslRelease.
159 */
160static int rtCrSslDestroy(RTCRSSLINT *pThis)
161{
162 ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRSSLINT_MAGIC);
163 SSL_CTX_free(pThis->pCtx);
164 pThis->pCtx = NULL;
165 RTMemFree(pThis);
166 return 0;
167}
168
169
170RTDECL(uint32_t) RTCrSslRelease(RTCRSSL hSsl)
171{
172 RTCRSSLINT *pThis = hSsl;
173 if (pThis == NIL_RTCRSSL)
174 return 0;
175 AssertPtrReturn(pThis, UINT32_MAX);
176 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, UINT32_MAX);
177
178 uint32_t cRefs = ASMAtomicDecU32(&pThis->cRefs);
179 Assert(cRefs < 1024);
180 if (cRefs == 0)
181 return rtCrSslDestroy(pThis);
182 return cRefs;
183}
184
185
186RTDECL(int) RTCrSslSetCertificateFile(RTCRSSL hSsl, const char *pszFile, uint32_t fFlags)
187{
188 RTCRSSLINT *pThis = hSsl;
189 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
190 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
191 AssertReturn(!(fFlags & ~RTCRSSL_FILE_F_ASN1), VERR_INVALID_FLAGS);
192
193 int rcOssl = SSL_CTX_use_certificate_file(pThis->pCtx, pszFile,
194 RTCRSSL_FILE_F_ASN1 & fFlags ? SSL_FILETYPE_ASN1 : SSL_FILETYPE_PEM);
195 if (rcOssl != 0)
196 return VINF_SUCCESS;
197 return !pszFile || !*pszFile || !RTFileExists(pszFile) ? VERR_FILE_NOT_FOUND : VERR_OPEN_FAILED; /** @todo Better status codes */
198}
199
200
201RTDECL(int) RTCrSslSetPrivateKeyFile(RTCRSSL hSsl, const char *pszFile, uint32_t fFlags)
202{
203 RTCRSSLINT *pThis = hSsl;
204 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
205 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
206 AssertReturn(!(fFlags & ~RTCRSSL_FILE_F_ASN1), VERR_INVALID_FLAGS);
207
208 int rcOssl = SSL_CTX_use_PrivateKey_file(pThis->pCtx, pszFile,
209 RTCRSSL_FILE_F_ASN1 & fFlags ? SSL_FILETYPE_ASN1 : SSL_FILETYPE_PEM);
210 if (rcOssl != 0)
211 return VINF_SUCCESS;
212 return !pszFile || !*pszFile || !RTFileExists(pszFile) ? VERR_FILE_NOT_FOUND : VERR_OPEN_FAILED; /** @todo Better status codes */
213}
214
215
216RTDECL(int) RTCrSslLoadTrustedRootCerts(RTCRSSL hSsl, const char *pszFile, const char *pszDir)
217{
218 RTCRSSLINT *pThis = hSsl;
219 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
220 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
221
222 int rcOssl = SSL_CTX_load_verify_locations(pThis->pCtx, pszFile, pszDir);
223 if (rcOssl != 0)
224 return VINF_SUCCESS;
225
226 if (!pszFile || !*pszFile || !RTFileExists(pszFile))
227 return VERR_FILE_NOT_FOUND;
228 return VERR_OPEN_FAILED; /** @todo Better status codes */
229}
230
231
232RTDECL(int) RTCrSslSetNoPeerVerify(RTCRSSL hSsl)
233{
234 RTCRSSLINT *pThis = hSsl;
235 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
236 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
237
238 SSL_CTX_set_verify(pThis->pCtx, SSL_VERIFY_NONE, NULL);
239 return VINF_SUCCESS;
240}
241
242
243
244//RTDECL(int) RTCrSslCreateSession(RTCRSSL hSsl, RTSOCKET hSocket, uint32_t fFlags, PRTCRSSLSESSION phSslConn);
245
246RTDECL(int) RTCrSslCreateSessionForNativeSocket(RTCRSSL hSsl, RTHCINTPTR hNativeSocket, uint32_t fFlags,
247 PRTCRSSLSESSION phSslSession)
248{
249 /*
250 * Validate input.
251 */
252 *phSslSession = NIL_RTCRSSLSESSION;
253
254 RTCRSSLINT *pThis = hSsl;
255 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
256 AssertReturn(pThis->u32Magic == RTCRSSLINT_MAGIC, VERR_INVALID_HANDLE);
257 AssertReturn(!(fFlags & ~RTCRSSLSESSION_F_NON_BLOCKING), VERR_INVALID_FLAGS);
258
259 /*
260 * Create a new session.
261 */
262 int rc = VERR_NO_MEMORY;
263 RTCRSSLSESSIONINT *pSession = (RTCRSSLSESSIONINT *)RTMemAllocZ(sizeof(*pSession));
264 if (pSession)
265 {
266 pSession->pSsl = SSL_new(pThis->pCtx);
267 if (pSession->pSsl)
268 {
269 /* Disable read-ahead if non-blocking socket relying on select/poll. */
270 if (fFlags & RTCRSSLSESSION_F_NON_BLOCKING)
271 SSL_set_read_ahead(pSession->pSsl, 0);
272
273 /* Create a wrapper for the socket handle. */
274 pSession->pBio = BIO_new_socket(hNativeSocket, BIO_NOCLOSE);
275 if (pSession->pBio)
276 {
277# if (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)) || LIBRESSL_VERSION_NUMBER >= 0x2070000f
278 BIO_up_ref(pSession->pBio); /* our reference. */
279# endif
280 SSL_set_bio(pSession->pSsl, pSession->pBio, pSession->pBio);
281
282 /*
283 * Done.
284 */
285 pSession->cRefs = 1;
286 pSession->u32Magic = RTCRSSLSESSIONINT_MAGIC;
287 *phSslSession = pSession;
288 return VINF_SUCCESS;
289 }
290
291 SSL_free(pSession->pSsl);
292 pSession->pSsl = NULL;
293 }
294 RTMemFree(pThis);
295 }
296 return rc;
297}
298
299
300/*********************************************************************************************************************************
301* Session implementation. *
302*********************************************************************************************************************************/
303
304RTDECL(uint32_t) RTCrSslSessionRetain(RTCRSSLSESSION hSslSession)
305{
306 RTCRSSLSESSIONINT *pThis = hSslSession;
307 AssertPtrReturn(pThis, UINT32_MAX);
308 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, UINT32_MAX);
309
310 uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
311 Assert(cRefs > 1);
312 Assert(cRefs < 1024);
313 return cRefs;
314}
315
316
317/**
318 * Worker for RTCrSslRelease.
319 */
320static int rtCrSslSessionDestroy(RTCRSSLSESSIONINT *pThis)
321{
322 ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRSSLSESSIONINT_MAGIC);
323 SSL_free(pThis->pSsl);
324 pThis->pSsl = NULL;
325# if (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)) || LIBRESSL_VERSION_NUMBER >= 0x2070000f
326 BIO_free(pThis->pBio);
327# endif
328 pThis->pBio = NULL;
329 RTMemFree(pThis);
330 return 0;
331}
332
333
334RTDECL(uint32_t) RTCrSslSessionRelease(RTCRSSLSESSION hSslSession)
335{
336 RTCRSSLSESSIONINT *pThis = hSslSession;
337 if (pThis == NIL_RTCRSSLSESSION)
338 return 0;
339 AssertPtrReturn(pThis, UINT32_MAX);
340 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, UINT32_MAX);
341
342 uint32_t cRefs = ASMAtomicDecU32(&pThis->cRefs);
343 Assert(cRefs < 1024);
344 if (cRefs == 0)
345 return rtCrSslSessionDestroy(pThis);
346 return cRefs;
347}
348
349
350RTDECL(int) RTCrSslSessionAccept(RTCRSSLSESSION hSslSession, uint32_t fFlags)
351{
352 RTCRSSLSESSIONINT *pThis = hSslSession;
353 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
354 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
355 AssertReturn(!fFlags, VERR_INVALID_FLAGS);
356
357 int rcOssl = SSL_accept(pThis->pSsl);
358 if (rcOssl > 0)
359 return VINF_SUCCESS;
360
361 /** @todo better status codes. */
362 if (BIO_should_retry(pThis->pBio))
363 return VERR_TRY_AGAIN;
364 return VERR_NOT_SUPPORTED;
365}
366
367
368RTDECL(int) RTCrSslSessionConnect(RTCRSSLSESSION hSslSession, uint32_t fFlags)
369{
370 RTCRSSLSESSIONINT *pThis = hSslSession;
371 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
372 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
373 AssertReturn(!fFlags, VERR_INVALID_FLAGS);
374
375 int rcOssl = SSL_connect(pThis->pSsl);
376 if (rcOssl > 0)
377 return VINF_SUCCESS;
378
379 /** @todo better status codes. */
380 if (BIO_should_retry(pThis->pBio))
381 return VERR_TRY_AGAIN;
382 return VERR_NOT_SUPPORTED;
383}
384
385
386RTDECL(const char *) RTCrSslSessionGetVersion(RTCRSSLSESSION hSslSession)
387{
388 RTCRSSLSESSIONINT *pThis = hSslSession;
389 AssertPtrReturn(pThis, NULL);
390 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, NULL);
391
392 return SSL_get_version(pThis->pSsl);
393}
394
395
396RTDECL(int) RTCrSslSessionGetCertIssuerNameAsString(RTCRSSLSESSION hSslSession, char *pszBuf, size_t cbBuf, size_t *pcbActual)
397{
398 RTCRSSLSESSIONINT *pThis = hSslSession;
399 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
400 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
401 AssertPtrNull(pszBuf);
402 AssertPtrNull(pcbActual);
403 if (pcbActual)
404 *pcbActual = 0;
405
406 /*
407 * Get and format the certificate issuer name.
408 */
409 int rc = VERR_NOT_AVAILABLE;
410 X509 *pCert = SSL_get_certificate(pThis->pSsl);
411 if (pCert)
412 {
413 X509_NAME *pIssuer = X509_get_issuer_name(pCert);
414 if (pIssuer)
415 {
416 char *pszSrc = X509_NAME_oneline(pIssuer, NULL, 0);
417 if (pszSrc)
418 {
419 /*
420 * Copy out the result and free it.
421 */
422 size_t cbNeeded = strlen(pszSrc) + 1;
423 if (pcbActual)
424 *pcbActual = cbNeeded;
425
426 if (pszBuf != NULL && cbBuf > 0)
427 {
428 if (cbBuf >= cbNeeded)
429 {
430 memcpy(pszBuf, pszSrc, cbNeeded);
431 rc = VINF_SUCCESS;
432 }
433 else
434 {
435 memcpy(pszBuf, pszSrc, cbBuf - 1);
436 pszBuf[cbBuf - 1] = '\0';
437 rc = VERR_BUFFER_OVERFLOW;
438 }
439 }
440 else
441 rc = VERR_BUFFER_OVERFLOW;
442 OPENSSL_free(pszSrc);
443 }
444 }
445 }
446 return rc;
447}
448
449
450RTDECL(bool) RTCrSslSessionPending(RTCRSSLSESSION hSslSession)
451{
452 RTCRSSLSESSIONINT *pThis = hSslSession;
453 AssertPtrReturn(pThis, true);
454 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, true);
455
456 return SSL_pending(pThis->pSsl) != 0;
457}
458
459
460RTDECL(ssize_t) RTCrSslSessionRead(RTCRSSLSESSION hSslSession, void *pvBuf, size_t cbToRead)
461{
462 RTCRSSLSESSIONINT *pThis = hSslSession;
463 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
464 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
465
466 Assert((size_t)(int)cbToRead == cbToRead);
467
468 int cbActual = SSL_read(pThis->pSsl, pvBuf, (int)cbToRead);
469 if (cbActual > 0)
470 return cbActual;
471 if (BIO_should_retry(pThis->pBio))
472 return VERR_TRY_AGAIN;
473 return VERR_READ_ERROR; /** @todo better status codes. */
474}
475
476
477RTDECL(ssize_t) RTCrSslSessionWrite(RTCRSSLSESSION hSslSession, void const *pvBuf, size_t cbToWrite)
478{
479 RTCRSSLSESSIONINT *pThis = hSslSession;
480 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
481 AssertReturn(pThis->u32Magic == RTCRSSLSESSIONINT_MAGIC, VERR_INVALID_HANDLE);
482
483 Assert((size_t)(int)cbToWrite == cbToWrite);
484 Assert(cbToWrite != 0 /* undefined behavior if zero */);
485
486 int cbActual = SSL_write(pThis->pSsl, pvBuf, (int)cbToWrite);
487 if (cbActual > 0)
488 return cbActual;
489 if (BIO_should_retry(pThis->pBio))
490 return VERR_TRY_AGAIN;
491 return VERR_WRITE_ERROR; /** @todo better status codes. */
492}
493
494#endif /* IPRT_WITH_OPENSSL */
495
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette