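// ssl.h -- Support functions that find and load SSL support, if available
// Copyright (C) 2008-2009 Markus Gutschke <markus@shellinabox.com>
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// In addition to these license terms, the author grants the following
// additional rights:
//
// If you modify this program, or any covered work, by linking or
// combining it with the OpenSSL project's OpenSSL library (or a
// modified version of that library), containing parts covered by the
// terms of the OpenSSL or SSLeay licenses, the author
// grants you additional permission to convey the resulting work.
// Corresponding Source for a non-source form of such a combination
// shall include the source code for the parts of OpenSSL used as well
// as that of the covered work.
//
// You may at your option choose to remove this additional permission from
// the work, or from any part of it.
//
// It is possible to build this program in a way that it loads OpenSSL
// libraries at run-time. If doing so, the following notices are required
// by the OpenSSL and SSLeay licenses:
//
// This product includes software developed by the OpenSSL Project
// for use in the OpenSSL Toolkit. (http://www.openssl.org/)
//
// This product includes cryptographic software written by Eric Young
// (eay@cryptsoft.com)
//
//
// The most up-to-date version of this program is always available from
// http://shellinabox.com

#ifndef SSL_H__
#define SSL_H__

#include "config.h"

#include "libhttp/trie.h"

// When the OpenSSL headers were found at configure time, use them directly.
// Otherwise provide just enough opaque types and constants for the rest of
// the code to compile; the real library may still be loaded at run time via
// dlopen() (see the HAVE_DLOPEN section below).
#if defined(HAVE_OPENSSL_BIO_H) && \
    defined(HAVE_OPENSSL_ERR_H) && \
    defined(HAVE_OPENSSL_SSL_H)
#define HAVE_OPENSSL 1
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/safestack.h>
#else
#undef HAVE_OPENSSL
typedef struct BIO        BIO;
typedef struct BIO_METHOD BIO_METHOD;
typedef struct EC_KEY     EC_KEY;
typedef struct SSL        SSL;
typedef struct SSL_CTX    SSL_CTX;
typedef struct SSL_METHOD SSL_METHOD;
typedef struct X509       X509;
// Mirrors of the OpenSSL SSL_ERROR_* values that the code checks for.
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#endif

// EC support was added to OpenSSL in 0.9.8, but it can be disabled in some
// distributions.
// Note: without the OpenSSL headers OPENSSL_VERSION_NUMBER is undefined and
// evaluates to 0 here and in every version check below, so the dlopen-only
// build selects the pre-1.1.0 API variants.
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_EC)
# define HAVE_OPENSSL_EC
#endif

#if defined(HAVE_DLOPEN)
// Names of the shared objects to load at run time. The versioned soname is
// preferred when the headers tell us which one they belong to; the bare,
// unversioned fallback is resolved through the dynamic loader's search
// order and may bind to a library whose ABI differs from the one the
// prototypes below were written against.
#if !defined(DEFAULT_LIBCRYPTO_SO) || !defined(DEFAULT_LIBSSL_SO)
#undef DEFAULT_LIBCRYPTO_SO
#undef DEFAULT_LIBSSL_SO
#ifdef SHLIB_VERSION_NUMBER
#define DEFAULT_LIBCRYPTO_SO "libcrypto.so." SHLIB_VERSION_NUMBER
#define DEFAULT_LIBSSL_SO    "libssl.so."    SHLIB_VERSION_NUMBER
#else
#define DEFAULT_LIBCRYPTO_SO "libcrypto.so"
#define DEFAULT_LIBSSL_SO    "libssl.so"
#endif
#endif

// Function pointers for every OpenSSL entry point the program uses. They are
// defined (and presumably filled in with dlsym()) in the corresponding .c
// file; the x_ prefix keeps them from colliding with the real symbols when
// the OpenSSL headers are also included. The #defines further down redirect
// the ordinary OpenSSL API names to these pointers, so calling code is
// written against the normal API regardless of how the library was bound.
// Each prototype must match the OpenSSL declaration exactly: calling through
// a mismatched function pointer type is undefined behaviour.
extern long    (*x_BIO_ctrl)(BIO *, int, long, void *);
extern BIO_METHOD *(*x_BIO_f_buffer)(void);
extern void    (*x_BIO_free_all)(BIO *);
extern BIO    *(*x_BIO_new)(BIO_METHOD *);
extern BIO    *(*x_BIO_new_socket)(int, int);
extern BIO    *(*x_BIO_next)(BIO *);
extern BIO    *(*x_BIO_pop)(BIO *);
extern BIO    *(*x_BIO_push)(BIO *, BIO *);
#if defined(HAVE_OPENSSL_EC)
extern void    (*x_EC_KEY_free)(EC_KEY *);
extern EC_KEY *(*x_EC_KEY_new_by_curve_name)(int);
#endif
extern void    (*x_ERR_clear_error)(void);
extern unsigned long (*x_ERR_peek_error)(void);
extern long    (*x_SSL_CTX_callback_ctrl)(SSL_CTX *, int, void (*)(void));
extern int     (*x_SSL_CTX_check_private_key)(const SSL_CTX *);
extern long    (*x_SSL_CTX_ctrl)(SSL_CTX *, int, long, void *);
extern void    (*x_SSL_CTX_free)(SSL_CTX *);
extern SSL_CTX*(*x_SSL_CTX_new)(SSL_METHOD *);
extern int     (*x_SSL_CTX_set_cipher_list)(SSL_CTX *, const char *);
extern void    (*x_SSL_CTX_set_info_callback)(SSL_CTX *,
                                            void (*)(const SSL *, int, int));
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
extern unsigned long (*x_SSL_CTX_set_options)(SSL_CTX *, unsigned long);
#endif
extern int     (*x_SSL_CTX_use_PrivateKey_file)(SSL_CTX *, const char *, int);
extern int     (*x_SSL_CTX_use_PrivateKey_ASN1)(int, SSL_CTX *,
                                              const unsigned char *, long);
extern int     (*x_SSL_CTX_use_certificate_file)(SSL_CTX *, const char *, int);
// NOTE(review): OpenSSL declares SSL_CTX_use_certificate_ASN1's length
// parameter as int, not long; the pointer type here (and its definition in
// the .c file, which must agree) should be checked against the installed
// headers before relying on it on an ABI where the two differ.
extern int     (*x_SSL_CTX_use_certificate_ASN1)(SSL_CTX *, long,
                                               const unsigned char *);
extern long    (*x_SSL_ctrl)(SSL *, int, long, void *);
extern void    (*x_SSL_free)(SSL *);
extern int     (*x_SSL_get_error)(const SSL *, int);
extern void   *(*x_SSL_get_ex_data)(const SSL *, int);
extern BIO    *(*x_SSL_get_rbio)(const SSL *);
extern const char *(*x_SSL_get_servername)(const SSL *, int);
extern BIO    *(*x_SSL_get_wbio)(const SSL *);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern int     (*x_SSL_library_init)(void);
#endif
extern SSL    *(*x_SSL_new)(SSL_CTX *);
extern int     (*x_SSL_read)(SSL *, void *, int);
extern SSL_CTX*(*x_SSL_set_SSL_CTX)(SSL *, SSL_CTX *);
extern void    (*x_SSL_set_accept_state)(SSL *);
extern void    (*x_SSL_set_bio)(SSL *, BIO *, BIO *);
extern int     (*x_SSL_set_ex_data)(SSL *, int, void *);
extern int     (*x_SSL_shutdown)(SSL *);
extern int     (*x_SSL_write)(SSL *, const void *, int);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern SSL_METHOD *(*x_SSLv23_server_method)(void);
#else
extern SSL_METHOD *(*x_TLS_server_method)(void);
#endif
// NOTE(review): OpenSSL declares d2i_X509's length parameter as long; verify
// this pointer type (and the matching definition in the .c file) against the
// installed headers.
extern X509 * (*x_d2i_X509)(X509 **px, const unsigned char **in, int len);
extern void    (*x_X509_free)(X509 *a);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern void    (*x_sk_zero)(void *st);
#endif
extern void   *(*x_SSL_COMP_get_compression_methods)(void);

// Redirect the public OpenSSL names to the run-time-resolved pointers.
#define BIO_ctrl                     x_BIO_ctrl
#define BIO_f_buffer                 x_BIO_f_buffer
#define BIO_free_all                 x_BIO_free_all
#define BIO_new                      x_BIO_new
#define BIO_new_socket               x_BIO_new_socket
#define BIO_next                     x_BIO_next
#define BIO_pop                      x_BIO_pop
#define BIO_push                     x_BIO_push
#define EC_KEY_free                  x_EC_KEY_free
#define EC_KEY_new_by_curve_name     x_EC_KEY_new_by_curve_name
#define ERR_clear_error              x_ERR_clear_error
#define ERR_peek_error               x_ERR_peek_error
#define SSL_CTX_callback_ctrl        x_SSL_CTX_callback_ctrl
#define SSL_CTX_check_private_key    x_SSL_CTX_check_private_key
#define SSL_CTX_ctrl                 x_SSL_CTX_ctrl
#define SSL_CTX_free                 x_SSL_CTX_free
#define SSL_CTX_new                  x_SSL_CTX_new
#define SSL_CTX_set_cipher_list      x_SSL_CTX_set_cipher_list
#define SSL_CTX_set_info_callback    x_SSL_CTX_set_info_callback
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define SSL_CTX_set_options          x_SSL_CTX_set_options
#endif
#define SSL_CTX_use_PrivateKey_file  x_SSL_CTX_use_PrivateKey_file
#define SSL_CTX_use_PrivateKey_ASN1  x_SSL_CTX_use_PrivateKey_ASN1
#define SSL_CTX_use_certificate_file x_SSL_CTX_use_certificate_file
#define SSL_CTX_use_certificate_ASN1 x_SSL_CTX_use_certificate_ASN1
#define SSL_ctrl                     x_SSL_ctrl
#define SSL_free                     x_SSL_free
#define SSL_get_error                x_SSL_get_error
#define SSL_get_ex_data              x_SSL_get_ex_data
#define SSL_get_rbio                 x_SSL_get_rbio
#define SSL_get_servername           x_SSL_get_servername
#define SSL_get_wbio                 x_SSL_get_wbio
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define SSL_library_init             x_SSL_library_init
#endif
#define SSL_new                      x_SSL_new
#define SSL_read                     x_SSL_read
#define SSL_set_SSL_CTX              x_SSL_set_SSL_CTX
#define SSL_set_accept_state         x_SSL_set_accept_state
#define SSL_set_bio                  x_SSL_set_bio
#define SSL_set_ex_data              x_SSL_set_ex_data
#define SSL_shutdown                 x_SSL_shutdown
#define SSL_write                    x_SSL_write
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define SSLv23_server_method         x_SSLv23_server_method
#else
#define TLS_server_method            x_TLS_server_method
#endif
#define d2i_X509                     x_d2i_X509
#define X509_free                    x_X509_free
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define sk_zero                      x_sk_zero
#endif
#define SSL_COMP_get_compression_methods x_SSL_COMP_get_compression_methods

// These OpenSSL "functions" are really macros over the *_ctrl entry points.
// Re-define them so they go through the run-time-resolved ctrl pointers
// instead of the static symbols the OpenSSL headers would bind them to.
#undef  BIO_set_buffer_read_data
#undef  SSL_CTX_set_tlsext_servername_arg
#undef  SSL_CTX_set_tlsext_servername_callback
#undef  SSL_CTX_set_tmp_ecdh
#undef  SSL_get_app_data
#undef  SSL_set_app_data
#undef  SSL_set_mode
#define BIO_set_buffer_read_data(b, buf, num)                                 \
                                      (x_BIO_ctrl(b, BIO_C_SET_BUFF_READ_DATA,\
                                                  num, buf))
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg)                           \
                                      (x_SSL_CTX_ctrl(ctx,                    \
                                                  SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, \
                                                  0, (void *)arg))
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb)                       \
                                      (x_SSL_CTX_callback_ctrl(ctx,           \
                                                  SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, \
                                                  (void (*)(void))cb))
#define SSL_CTX_set_tmp_ecdh(ctx, ecdh)                                       \
                                      (x_SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH,\
                                                  0, (char *)ecdh))
#define SSL_get_app_data(s)           (x_SSL_get_ex_data(s, 0))
#define SSL_set_app_data(s, arg)      (x_SSL_set_ex_data(s, 0, (char *)arg))
#define SSL_set_mode(ssl, op)         (x_SSL_ctrl((ssl), SSL_CTRL_MODE, (op), NULL))
#endif

// Per-server SSL state. Field meanings are inferred from the accessor
// prototypes below; confirm against the .c file before relying on them.
struct SSLSupport {
  int     enabled;                // set through sslEnable()
  int     force;                  // set through sslForce()
  SSL_CTX *sslContext;            // default context, presumably for the
                                  // certificate given to sslSetCertificate()
  char    *sniCertificatePattern; // presumably the filename pattern used to
                                  // find per-hostname (SNI) certificates
  int     generateMissing;        // autoGenerateMissing from sslSetCertificate()
  int     renegotiationCount;
  struct Trie sniContexts;        // presumably maps server names to SSL_CTXs
};

// Returns non-zero when SSL support is usable in this build/run-time
// environment.
int  serverSupportsSSL(void);
// Allocates and initializes a new SSLSupport object (see initSSL()); the
// caller owns it and releases it with deleteSSL().
struct SSLSupport *newSSL(void);
// Initializes an SSLSupport object the caller already allocated; paired with
// destroySSL().
void initSSL(struct SSLSupport *ssl);
// Releases the resources held by *ssl without freeing the object itself.
void destroySSL(struct SSLSupport *ssl);
// destroySSL() followed by freeing the object.
void deleteSSL(struct SSLSupport *ssl);
// Loads the server certificate from filename; autoGenerateMissing is expected
// to control whether a missing certificate is created on the fly (see the
// generateMissing field).
void sslSetCertificate(struct SSLSupport *ssl, const char *filename,
                       int autoGenerateMissing);
// Loads the server certificate from an already-open file descriptor.
void sslSetCertificateFd(struct SSLSupport *ssl, int fd);
// Enable/disable SSL; the return value is presumably the previous setting.
int  sslEnable(struct SSLSupport *ssl, int enabled);
// Force SSL (refuse plain text); the return value is presumably the previous
// setting.
int  sslForce(struct SSLSupport *ssl, int force);
// Temporarily block SIGPIPE around writes to a peer that may have gone away;
// sslUnblockSigPipe() restores the previous disposition and returns a status
// whose meaning is defined in the .c file.
// Both take no arguments; declaring them as (void) rather than () makes that
// a checked prototype instead of an unprototyped (pre-C23) declaration.
void sslBlockSigPipe(void);
int  sslUnblockSigPipe(void);
// Upgrades the plain-text connection on fd to SSL, storing the new handle in
// *sslHndl. buf/len presumably hold bytes already read from fd before the
// upgrade that must be fed to the SSL layer first. Returns non-zero on
// success (confirm against the .c file).
int  sslPromoteToSSL(struct SSLSupport *ssl, SSL **sslHndl, int fd,
                     const char *buf, int len);
// Frees *sslHndl and clears the pointer.
void sslFreeHndl(SSL **sslHndl);

#endif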