1 // ssl.h -- Support functions that find and load SSL support, if available
2 // Copyright (C) 2008-2009 Markus Gutschke <markus@shellinabox.com>
3 //
4 // This program is free software; you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License version 2 as
6 // published by the Free Software Foundation.
7 //
8 // This program is distributed in the hope that it will be useful,
9 // but WITHOUT ANY WARRANTY; without even the implied warranty of
10 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 // GNU General Public License for more details.
12 //
13 // You should have received a copy of the GNU General Public License along
14 // with this program; if not, write to the Free Software Foundation, Inc.,
15 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
16 //
17 // In addition to these license terms, the author grants the following
18 // additional rights:
19 //
20 // If you modify this program, or any covered work, by linking or
21 // combining it with the OpenSSL project's OpenSSL library (or a
22 // modified version of that library), containing parts covered by the
23 // terms of the OpenSSL or SSLeay licenses, the author
24 // grants you additional permission to convey the resulting work.
25 // Corresponding Source for a non-source form of such a combination
26 // shall include the source code for the parts of OpenSSL used as well
27 // as that of the covered work.
28 //
29 // You may at your option choose to remove this additional permission from
30 // the work, or from any part of it.
31 //
32 // It is possible to build this program in a way that it loads OpenSSL
33 // libraries at run-time. If doing so, the following notices are required
34 // by the OpenSSL and SSLeay licenses:
35 //
36 // This product includes software developed by the OpenSSL Project
37 // for use in the OpenSSL Toolkit. (http://www.openssl.org/)
38 //
39 // This product includes cryptographic software written by Eric Young
40 // (eay@cryptsoft.com)
41 //
42 //
43 // The most up-to-date version of this program is always available from
44 // http://shellinabox.com
45 
46 #ifndef SSL_H__
47 #define SSL_H__
48 
49 #include "config.h"
50 
51 #include "libhttp/trie.h"
52 
// Compile-time detection of OpenSSL. All three headers must have been found
// by configure; otherwise HAVE_OPENSSL is left undefined and the opaque
// stand-ins below let the rest of libhttp compile without OpenSSL present.
#if defined(HAVE_OPENSSL_BIO_H) && \
    defined(HAVE_OPENSSL_ERR_H) && \
    defined(HAVE_OPENSSL_SSL_H)
#define HAVE_OPENSSL 1
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/safestack.h>
#else
#undef HAVE_OPENSSL
// Opaque placeholder types so that pointers to OpenSSL objects can still
// appear in struct SSLSupport and in the prototypes at the end of this file.
// They are never complete, so nothing may dereference them.
typedef struct BIO        BIO;
typedef struct BIO_METHOD BIO_METHOD;
typedef struct EC_KEY     EC_KEY;
typedef struct SSL        SSL;
typedef struct SSL_CTX    SSL_CTX;
typedef struct SSL_METHOD SSL_METHOD;
typedef struct X509       X509;
// The two SSL_get_error() results the non-OpenSSL build still refers to.
// They mirror the values in <openssl/ssl.h> so that code compiled either
// way sees the same constants; keep them in sync with that header.
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#endif

// EC support was added to OpenSSL in 0.9.8, but it can be disabled in some
// distributions. OPENSSL_VERSION_NUMBER is provided by the OpenSSL headers;
// when they were not included above it is undefined, evaluates to 0 inside
// #if, and EC support is therefore left off as well.
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_EC)
# define HAVE_OPENSSL_EC
#endif
79 
// Run-time loading of OpenSSL. When dlopen() is available, libcrypto/libssl
// are not linked in directly: ssl.c resolves the entry points listed below
// at run time and stores them in the x_* function pointers declared here.
// The #define lines further down then redirect the ordinary OpenSSL names to
// those pointers, so the rest of the code is written against the normal API.
// The pointer types must mirror the real OpenSSL prototypes exactly; a
// mismatch is undefined behaviour that no compiler can catch here.
#if defined(HAVE_DLOPEN)
// Shared-object names to dlopen() if the build system did not supply them.
// SHLIB_VERSION_NUMBER (presumably from OpenSSL's opensslv.h) pins the ABI
// the headers were compiled against, e.g. "libssl.so.1.1". The unversioned
// fallback resolves to whatever the loader's search path currently maps
// "libssl.so" to, which may be a different ABI than the one the
// OPENSSL_VERSION_NUMBER checks below assumed at compile time.
// NOTE(review): bare names are resolved through the dynamic loader's search
// path (DT_RPATH/DT_RUNPATH, LD_LIBRARY_PATH for non-setuid processes, the
// ldconfig cache); whoever controls that path controls the TLS stack. Prefer
// having configure supply versioned names where possible.
#if !defined(DEFAULT_LIBCRYPTO_SO) || !defined(DEFAULT_LIBSSL_SO)
#undef DEFAULT_LIBCRYPTO_SO
#undef DEFAULT_LIBSSL_SO
#ifdef SHLIB_VERSION_NUMBER
#define DEFAULT_LIBCRYPTO_SO "libcrypto.so." SHLIB_VERSION_NUMBER
#define DEFAULT_LIBSSL_SO "libssl.so." SHLIB_VERSION_NUMBER
#else
#define DEFAULT_LIBCRYPTO_SO "libcrypto.so"
#define DEFAULT_LIBSSL_SO "libssl.so"
#endif
#endif
// --- libcrypto/libssl entry points resolved at run time (defined in ssl.c) ---
// BIO layer: socket BIOs plus a buffering filter BIO (see BIO_f_buffer and
// the BIO_set_buffer_read_data macro below).
extern long    (*x_BIO_ctrl)(BIO *, int, long, void *);
extern BIO_METHOD *(*x_BIO_f_buffer)(void);
extern void    (*x_BIO_free_all)(BIO *);
extern BIO    *(*x_BIO_new)(BIO_METHOD *);
extern BIO    *(*x_BIO_new_socket)(int, int);
extern BIO    *(*x_BIO_next)(BIO *);
extern BIO    *(*x_BIO_pop)(BIO *);
extern BIO    *(*x_BIO_push)(BIO *, BIO *);
// Ephemeral EC key for ECDHE; only resolved when the headers advertise EC.
#if defined(HAVE_OPENSSL_EC)
extern void    (*x_EC_KEY_free)(EC_KEY *);
extern EC_KEY *(*x_EC_KEY_new_by_curve_name)(int);
#endif
extern void    (*x_ERR_clear_error)(void);
extern unsigned long (*x_ERR_peek_error)(void);
// SSL_CTX handling. The *_ctrl/*_callback_ctrl pointers back the macros
// defined at the bottom of this block.
extern long    (*x_SSL_CTX_callback_ctrl)(SSL_CTX *, int, void (*)(void));
extern int     (*x_SSL_CTX_check_private_key)(const SSL_CTX *);
extern long    (*x_SSL_CTX_ctrl)(SSL_CTX *, int, long, void *);
extern void    (*x_SSL_CTX_free)(SSL_CTX *);
extern SSL_CTX*(*x_SSL_CTX_new)(SSL_METHOD *);
extern int     (*x_SSL_CTX_set_cipher_list)(SSL_CTX *, const char *);
extern void    (*x_SSL_CTX_set_info_callback)(SSL_CTX *,
                                              void (*)(const SSL *, int, int));
// SSL_CTX_set_options is only looked up for OpenSSL >= 1.1.0; presumably
// older releases implement it as a macro over SSL_CTX_ctrl, which is
// already redirected above.
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
extern unsigned long (*x_SSL_CTX_set_options)(SSL_CTX *, unsigned long);
#endif
// Certificate/key loading, both from PEM/DER files and from in-memory
// ASN.1 (DER) buffers.
extern int     (*x_SSL_CTX_use_PrivateKey_file)(SSL_CTX *, const char *, int);
extern int     (*x_SSL_CTX_use_PrivateKey_ASN1)(int, SSL_CTX *,
                                                const unsigned char *, long);
extern int     (*x_SSL_CTX_use_certificate_file)(SSL_CTX *, const char *, int);
extern int     (*x_SSL_CTX_use_certificate_ASN1)(SSL_CTX *, long,
                                                 const unsigned char *);
// Per-connection SSL object handling.
extern long    (*x_SSL_ctrl)(SSL *, int, long, void *);
extern void    (*x_SSL_free)(SSL *);
extern int     (*x_SSL_get_error)(const SSL *, int);
extern void   *(*x_SSL_get_ex_data)(const SSL *, int);
extern BIO    *(*x_SSL_get_rbio)(const SSL *);
extern const char *(*x_SSL_get_servername)(const SSL *, int);
extern BIO    *(*x_SSL_get_wbio)(const SSL *);
// Library initialisation is explicit only before 1.1.0.
#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern int     (*x_SSL_library_init)(void);
#endif
extern SSL    *(*x_SSL_new)(SSL_CTX *);
extern int     (*x_SSL_read)(SSL *, void *, int);
extern SSL_CTX*(*x_SSL_set_SSL_CTX)(SSL *, SSL_CTX *);
extern void    (*x_SSL_set_accept_state)(SSL *);
extern void    (*x_SSL_set_bio)(SSL *, BIO *, BIO *);
extern int     (*x_SSL_set_ex_data)(SSL *, int, void *);
extern int     (*x_SSL_shutdown)(SSL *);
extern int     (*x_SSL_write)(SSL *, const void *, int);
// Server method: the version-flexible method was renamed in 1.1.0. Which
// one is looked up is fixed at compile time by OPENSSL_VERSION_NUMBER, so
// the run-time library must be the same major version as the headers.
#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern SSL_METHOD *(*x_SSLv23_server_method)(void);
#else
extern SSL_METHOD *(*x_TLS_server_method)(void);
#endif
// DER certificate parsing (d2i_X509) and release.
extern X509 *  (*x_d2i_X509)(X509 **px, const unsigned char **in, int len);
extern void    (*x_X509_free)(X509 *a);
// sk_zero together with SSL_COMP_get_compression_methods looks like it is
// used to empty the TLS compression method stack on pre-1.1.0 OpenSSL (i.e.
// to disable compression); confirm against ssl.c.
#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern void    (*x_sk_zero)(void *st);
#endif
extern void   *(*x_SSL_COMP_get_compression_methods)(void);

// Redirect the public OpenSSL names to the run-time resolved pointers so
// the rest of the code can call them as usual.
#define BIO_ctrl                     x_BIO_ctrl
#define BIO_f_buffer                 x_BIO_f_buffer
#define BIO_free_all                 x_BIO_free_all
#define BIO_new                      x_BIO_new
#define BIO_new_socket               x_BIO_new_socket
#define BIO_next                     x_BIO_next
#define BIO_pop                      x_BIO_pop
#define BIO_push                     x_BIO_push
#define EC_KEY_free                  x_EC_KEY_free
#define EC_KEY_new_by_curve_name     x_EC_KEY_new_by_curve_name
#define ERR_clear_error              x_ERR_clear_error
#define ERR_peek_error               x_ERR_peek_error
#define SSL_CTX_callback_ctrl        x_SSL_CTX_callback_ctrl
#define SSL_CTX_check_private_key    x_SSL_CTX_check_private_key
#define SSL_CTX_ctrl                 x_SSL_CTX_ctrl
#define SSL_CTX_free                 x_SSL_CTX_free
#define SSL_CTX_new                  x_SSL_CTX_new
#define SSL_CTX_set_cipher_list      x_SSL_CTX_set_cipher_list
#define SSL_CTX_set_info_callback    x_SSL_CTX_set_info_callback
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define SSL_CTX_set_options          x_SSL_CTX_set_options
#endif
#define SSL_CTX_use_PrivateKey_file  x_SSL_CTX_use_PrivateKey_file
#define SSL_CTX_use_PrivateKey_ASN1  x_SSL_CTX_use_PrivateKey_ASN1
#define SSL_CTX_use_certificate_file x_SSL_CTX_use_certificate_file
#define SSL_CTX_use_certificate_ASN1 x_SSL_CTX_use_certificate_ASN1
#define SSL_ctrl                     x_SSL_ctrl
#define SSL_free                     x_SSL_free
#define SSL_get_error                x_SSL_get_error
#define SSL_get_ex_data              x_SSL_get_ex_data
#define SSL_get_rbio                 x_SSL_get_rbio
#define SSL_get_servername           x_SSL_get_servername
#define SSL_get_wbio                 x_SSL_get_wbio
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define SSL_library_init             x_SSL_library_init
#endif
#define SSL_new                      x_SSL_new
#define SSL_read                     x_SSL_read
#define SSL_set_SSL_CTX              x_SSL_set_SSL_CTX
#define SSL_set_accept_state         x_SSL_set_accept_state
#define SSL_set_bio                  x_SSL_set_bio
#define SSL_set_ex_data              x_SSL_set_ex_data
#define SSL_shutdown                 x_SSL_shutdown
#define SSL_write                    x_SSL_write
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define SSLv23_server_method         x_SSLv23_server_method
#else
#define TLS_server_method            x_TLS_server_method
#endif
#define d2i_X509                     x_d2i_X509
#define X509_free                    x_X509_free
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define sk_zero                      x_sk_zero
#endif
#define SSL_COMP_get_compression_methods    x_SSL_COMP_get_compression_methods

// The following names are convenience macros in the OpenSSL headers that
// expand to direct *_ctrl() calls. Drop any definition picked up from the
// headers included above and re-define them on top of the x_* pointers, so
// that the dlopen()ed functions are used. The ctrl codes and argument casts
// must match OpenSSL's own definitions of these macros.
#undef  BIO_set_buffer_read_data
#undef  SSL_CTX_set_tlsext_servername_arg
#undef  SSL_CTX_set_tlsext_servername_callback
#undef  SSL_CTX_set_tmp_ecdh
#undef  SSL_get_app_data
#undef  SSL_set_app_data
#undef  SSL_set_mode
#define BIO_set_buffer_read_data(b, buf, num)                                 \
                                 (x_BIO_ctrl(b, BIO_C_SET_BUFF_READ_DATA,     \
                                             num, buf))
// SNI (server name indication) callback wiring used for per-hostname
// certificates; see sniContexts in struct SSLSupport.
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg)                           \
                                 (x_SSL_CTX_ctrl(ctx,                         \
                                          SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, \
                                          0, (void *)arg))
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb)                       \
                                 (x_SSL_CTX_callback_ctrl(ctx,                \
                                           SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, \
                                           (void (*)(void))cb))
#define SSL_CTX_set_tmp_ecdh(ctx, ecdh)                                       \
                                 (x_SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH,  \
                                                 0, (char *)ecdh))
// App data lives in ex_data slot 0, mirroring OpenSSL's own app_data macros.
#define SSL_get_app_data(s)      (x_SSL_get_ex_data(s, 0))
#define SSL_set_app_data(s, arg) (x_SSL_set_ex_data(s, 0, (char *)arg))
#define SSL_set_mode(ssl, op)    (x_SSL_ctrl((ssl), SSL_CTRL_MODE, (op), NULL))
#endif
234 
// Per-server TLS state shared by the functions declared below. Field order
// is part of the layout other translation units see; do not reorder.
struct SSLSupport {
  int         enabled;              // non-zero when TLS is available/enabled; see sslEnable()
  int         force;                // non-zero to insist on TLS; see sslForce()
  SSL_CTX     *sslContext;          // default server context (NULL until set up)
  char        *sniCertificatePattern; // presumably a filename pattern for per-hostname
                                    // (SNI) certificates; confirm against ssl.c
  int         generateMissing;      // auto-generate a missing certificate; see
                                    // sslSetCertificate()'s autoGenerateMissing
  int         renegotiationCount;   // NOTE(review): looks like a counter used to
                                    // bound client-initiated renegotiation; verify in ssl.c
  struct Trie sniContexts;          // hostname -> SSL_CTX lookup for SNI (libhttp/trie.h)
};
244 
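// Public interface of ssl.c. All no-argument prototypes use (void): an empty
// parameter list in C means "unspecified arguments" and disables the
// compiler's argument-count checking, which is inconsistent with
// serverSupportsSSL() above and silently accepts bad calls.

// Returns non-zero if this build can offer TLS (headers at compile time and,
// with HAVE_DLOPEN, the shared libraries at run time).
int  serverSupportsSSL(void);
// Allocates a new SSLSupport object; presumably paired with deleteSSL().
struct SSLSupport *newSSL(void);
// Initializes a caller-provided SSLSupport object; presumably paired with
// destroySSL().
void initSSL(struct SSLSupport *ssl);
// Releases the resources held by ssl without freeing the object itself.
void destroySSL(struct SSLSupport *ssl);
// Releases the resources held by ssl and frees the object.
void deleteSSL(struct SSLSupport *ssl);
// Loads the server certificate/key from filename. With autoGenerateMissing
// non-zero a missing certificate is generated instead of being an error
// (stored in generateMissing).
void sslSetCertificate(struct SSLSupport *ssl, const char *filename,
                       int autoGenerateMissing);
// Loads the server certificate/key from an already-open file descriptor.
void sslSetCertificateFd(struct SSLSupport *ssl, int fd);
// Enables (non-zero) or disables TLS for this server; returns an int status
// whose meaning is defined in ssl.c.
int  sslEnable(struct SSLSupport *ssl, int enabled);
// Requires (non-zero) or merely offers TLS; return value as for sslEnable().
int  sslForce(struct SSLSupport *ssl, int force);
// Block/unblock SIGPIPE around OpenSSL I/O on a closed peer socket.
// sslUnblockSigPipe() returns an int whose meaning is defined in ssl.c.
void sslBlockSigPipe(void);
int  sslUnblockSigPipe(void);
// Wraps fd in a new SSL object stored in *sslHndl and starts the server-side
// handshake. buf/len presumably hold bytes already read from fd before TLS
// was detected, to be replayed to OpenSSL via BIO_set_buffer_read_data();
// confirm against ssl.c. Returns an int status defined in ssl.c.
int  sslPromoteToSSL(struct SSLSupport *ssl, SSL **sslHndl, int fd,
                     const char *buf, int len);
// Frees *sslHndl (if any) and resets it.
void sslFreeHndl(SSL **sslHndl);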
260 
261 #endif
262