#include "ink_config.h"
#include "libts.h"
#include "I_Layout.h"
#include "P_Net.h"
#include "ink_cap.h"
#include "P_OCSPStapling.h"
#include <string>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/asn1.h>
#include <openssl/rand.h>
#include <unistd.h>
#include <termios.h>

Include dependency graph for SSLUtils.cc:

Data Structures
struct	ssl_user_config
struct	ssl_ticket_key_t
struct	passphrase_cb_userdata
struct	ssl_termios
Defines
#define	SSL_IP_TAG "dest_ip"
#define	SSL_CERT_TAG "ssl_cert_name"
#define	SSL_PRIVATE_KEY_TAG "ssl_key_name"
#define	SSL_CA_TAG "ssl_ca_name"
#define	SSL_SESSION_TICKET_ENABLED "ssl_ticket_enabled"
#define	SSL_SESSION_TICKET_KEY_FILE_TAG "ticket_key_name"
#define	SSL_KEY_DIALOG "ssl_key_dialog"
#define	SSL_CERT_SEPARATE_DELIM ','
#define	evp_md_func EVP_sha256()
#define	SSL_CLEAR_PW_REFERENCES(UD, CTX)
Typedefs
typedef SSL_METHOD *	ink_ssl_method_t
Functions
static unsigned long	SSL_pthreads_thread_id ()
static void	SSL_locking_callback (int mode, int type, const char *, int)
static bool	SSL_CTX_add_extra_chain_cert_file (SSL_CTX ctx, const char chainfile)
static SSL_CTX *	ssl_context_enable_sni (SSL_CTX ctx, SSLCertLookup lookup)
static SSL_CTX *	ssl_context_enable_ecdh (SSL_CTX *ctx)
static SSL_CTX *	ssl_context_enable_tickets (SSL_CTX ctx, const char ticket_key_path)
static int	ssl_getpassword (const char prompt, char buffer, int size)
static int	ssl_private_key_passphrase_callback_exec (char buf, int size, int rwflag, void userdata)
static int	ssl_private_key_passphrase_callback_builtin (char buf, int size, int rwflag, void userdata)
static bool	ssl_private_key_validate_exec (const char *cmdLine)
static int	SSLRecRawStatSyncCount (const char name, RecDataT data_type, RecData data, RecRawStatBlock *rsb, int id)
void	SSLInitializeLibrary ()
void	SSLInitializeStatistics ()
static bool	increment_ssl_client_error (unsigned long err)
static bool	increment_ssl_server_error (unsigned long err)
void	SSLDiagnostic (const SrcLoc &loc, bool debug, SSLNetVConnection vc, const char fmt,...)
const char *	SSLErrorName (int ssl_error)
void	SSLDebugBufferPrint (const char tag, const char buffer, unsigned buflen, const char *message)
SSL_CTX *	SSLDefaultServerContext ()
static bool	SSLPrivateKeyHandler (SSL_CTX ctx, const SSLConfigParams params, const ats_scoped_str &completeServerCertPath, const char *keyPath)
SSL_CTX *	SSLInitServerContext (const SSLConfigParams *params, const ssl_user_config &sslMultCertSettings)
SSL_CTX *	SSLInitClientContext (const SSLConfigParams *params)
static char *	asn1_strdup (ASN1_STRING *s)
static void	ssl_index_certificate (SSLCertLookup lookup, SSL_CTX ctx, const char *certfile)
static void	ssl_callback_info (const SSL *ssl, int where, int ret)
static bool	ssl_store_ssl_context (const SSLConfigParams params, SSLCertLookup lookup, const ssl_user_config &sslMultCertSettings)
static bool	ssl_extract_certificate (const matcher_line *line_info, ssl_user_config &sslMultCertSettings)
bool	SSLParseCertificateConfiguration (const SSLConfigParams params, SSLCertLookup lookup)
void	SSLReleaseContext (SSL_CTX *ctx)
Variables
static int	ssl_session_ticket_index = -1
static pthread_mutex_t *	mutex_buf = NULL
static bool	open_ssl_initialized = false
RecRawStatBlock *	ssl_rsb = NULL
static InkHashTable *	ssl_cipher_name_table = NULL

Detailed Description

License

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Definition in file SSLUtils.cc.

Define Documentation

#define evp_md_func EVP_sha256()

Definition at line 74 of file SSLUtils.cc.

#define SSL_CA_TAG "ssl_ca_name"

Definition at line 59 of file SSLUtils.cc.

Referenced by ssl_extract_certificate().

#define SSL_CERT_SEPARATE_DELIM ','

Definition at line 63 of file SSLUtils.cc.

Referenced by ssl_extract_certificate(), and SSLInitServerContext().

#define SSL_CERT_TAG "ssl_cert_name"

Definition at line 57 of file SSLUtils.cc.

Referenced by ssl_extract_certificate().

#define SSL_CLEAR_PW_REFERENCES	(	UD,
		CTX
	)

Value:

{ \
  memset(static_cast<void *>(&UD),0,sizeof(UD));\
  SSL_CTX_set_default_passwd_cb(CTX, NULL);\
  SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\
  }

Referenced by SSLInitServerContext().

#define SSL_IP_TAG "dest_ip"

Definition at line 56 of file SSLUtils.cc.

Referenced by ssl_extract_certificate().

#define SSL_KEY_DIALOG "ssl_key_dialog"

Definition at line 62 of file SSLUtils.cc.

Referenced by ssl_extract_certificate(), and SSLInitServerContext().

#define SSL_PRIVATE_KEY_TAG "ssl_key_name"

Definition at line 58 of file SSLUtils.cc.

Referenced by ssl_extract_certificate().

#define SSL_SESSION_TICKET_ENABLED "ssl_ticket_enabled"

Definition at line 60 of file SSLUtils.cc.

Referenced by ssl_extract_certificate().

#define SSL_SESSION_TICKET_KEY_FILE_TAG "ticket_key_name"

Definition at line 61 of file SSLUtils.cc.

Referenced by ssl_extract_certificate().

Typedef Documentation

typedef SSL_METHOD* ink_ssl_method_t

Definition at line 81 of file SSLUtils.cc.

Function Documentation

static char* asn1_strdup ( ASN1_STRING * s ) [static]

Definition at line 1212 of file SSLUtils.cc.

References ats_strndup, and ink_assert.

Referenced by ssl_index_certificate().

static bool increment_ssl_client_error ( unsigned long err ) [static]

Definition at line 716 of file SSLUtils.cc.

References SSL_INCREMENT_DYN_STAT, ssl_user_agent_bad_cert_stat, ssl_user_agent_cert_verify_failed_stat, ssl_user_agent_decryption_failed_stat, ssl_user_agent_expired_cert_stat, ssl_user_agent_other_errors_stat, ssl_user_agent_revoked_cert_stat, ssl_user_agent_unknown_ca_stat, ssl_user_agent_unknown_cert_stat, and ssl_user_agent_wrong_version_stat.

Referenced by SSLDiagnostic().

static bool increment_ssl_server_error ( unsigned long err ) [static]

Definition at line 763 of file SSLUtils.cc.

References SSL_INCREMENT_DYN_STAT, ssl_origin_server_bad_cert_stat, ssl_origin_server_cert_verify_failed_stat, ssl_origin_server_decryption_failed_stat, ssl_origin_server_expired_cert_stat, ssl_origin_server_other_errors_stat, ssl_origin_server_revoked_cert_stat, ssl_origin_server_unknown_ca_stat, ssl_origin_server_unknown_cert_stat, and ssl_origin_server_wrong_version_stat.

Referenced by SSLDiagnostic().

static void ssl_callback_info	(	const SSL *	ssl,
		int	where,
		int	ret
	)			`[static]`

Definition at line 1283 of file SSLUtils.cc.

References Debug, SSLNetVConnection::getSSLHandShakeComplete(), ink_hash_table_lookup(), SSLNetVConnection::setSSLClientRenegotiationAbort(), SSLConfigParams::ssl_allow_client_renegotiation, ssl_cipher_name_table, and SSL_INCREMENT_DYN_STAT.

Referenced by ssl_store_ssl_context().

static SSL_CTX* ssl_context_enable_ecdh ( SSL_CTX * ctx ) [static]

Definition at line 244 of file SSLUtils.cc.

Referenced by SSLInitServerContext().

static SSL_CTX* ssl_context_enable_sni	(	SSL_CTX *	ctx,
		SSLCertLookup *	lookup
	)			`[static]`

Definition at line 228 of file SSLUtils.cc.

References Debug.

Referenced by ssl_store_ssl_context().

static SSL_CTX* ssl_context_enable_tickets	(	SSL_CTX *	ctx,
		const char *	ticket_key_path
	)			`[static]`

Definition at line 264 of file SSLUtils.cc.

References ssl_ticket_key_t::aes_key, Error, ssl_ticket_key_t::hmac_secret, ssl_ticket_key_t::key_name, memcpy, readIntoBuffer(), and ssl_session_ticket_index.

Referenced by ssl_store_ssl_context().

static bool SSL_CTX_add_extra_chain_cert_file	(	SSL_CTX *	ctx,
		const char *	chainfile
	)			`[static]`

Definition at line 150 of file SSLUtils.cc.

Referenced by SSLInitServerContext().

static bool ssl_extract_certificate	(	const matcher_line *	line_info,
		ssl_user_config &	sslMultCertSettings
	)			`[static]`

static int ssl_getpassword	(	const char *	prompt,
		char *	buffer,
		int	size
	)			`[static]`

Definition at line 353 of file SSLUtils.cc.

References ssl_termios::ok().

Referenced by ssl_private_key_passphrase_callback_builtin().

static void ssl_index_certificate	(	SSLCertLookup *	lookup,
		SSL_CTX *	ctx,
		const char *	certfile
	)			`[static]`

Definition at line 1227 of file SSLUtils.cc.

References asn1_strdup(), Debug, and SSLCertLookup::insert().

Referenced by ssl_store_ssl_context().

static void SSL_locking_callback	(	int	mode,
		int	type,
		const char *	,
		int
	)			`[static]`

Definition at line 135 of file SSLUtils.cc.

References Debug, ink_assert, and mutex_buf.

Referenced by SSLInitializeLibrary().

static int ssl_private_key_passphrase_callback_builtin	(	char *	buf,
		int	size,
		int	rwflag,
		void *	userdata
	)			`[static]`

Definition at line 423 of file SSLUtils.cc.

References passphrase_cb_userdata::_serverCert, passphrase_cb_userdata::_serverDialog, passphrase_cb_userdata::_serverKey, Debug, and ssl_getpassword().

static int ssl_private_key_passphrase_callback_exec	(	char *	buf,
		int	size,
		int	rwflag,
		void *	userdata
	)			`[static]`

Definition at line 389 of file SSLUtils.cc.

References passphrase_cb_userdata::_serverDialog, Debug, and Error.

static bool ssl_private_key_validate_exec ( const char * cmdLine ) [static]

Definition at line 455 of file SSLUtils.cc.

References ats_free(), and ats_strdup.

Referenced by SSLInitServerContext().

static unsigned long SSL_pthreads_thread_id ( ) [static]

Definition at line 129 of file SSLUtils.cc.

Referenced by SSLInitializeLibrary().

static bool ssl_store_ssl_context	(	const SSLConfigParams *	params,
		SSLCertLookup *	lookup,
		const ssl_user_config &	sslMultCertSettings
	)			`[static]`

void SSLDebugBufferPrint	(	const char *	tag,
		const char *	buffer,
		unsigned	buflen,
		const char *	message
	)

Definition at line 885 of file SSLUtils.cc.

References is_debug_tag_set.

Referenced by ssl_read_from_net().

SSL_CTX* SSLDefaultServerContext ( )

Definition at line 899 of file SSLUtils.cc.

Referenced by SSLInitializeStatistics(), and SSLInitServerContext().

void SSLDiagnostic	(	const SrcLoc &	loc,
		bool	debug,
		SSLNetVConnection *	vc,
		const char *	fmt,
			...
	)

Definition at line 808 of file SSLUtils.cc.

References ats_ip_ntop(), diags, DL_Debug, DL_Error, Diags::error(), Diags::error_va(), SrcLoc::file, SrcLoc::func, NetVConnection::get_remote_addr(), SSLNetVConnection::getSSLClientConnection(), increment_ssl_client_error(), increment_ssl_server_error(), SrcLoc::line, Diags::log(), Diags::log_va(), Diags::on(), and unlikely.

const char* SSLErrorName ( int ssl_error )

Definition at line 863 of file SSLUtils.cc.

References countof.

Referenced by SSLNetVConnection::sslServerHandShakeEvent().

SSL_CTX* SSLInitClientContext ( const SSLConfigParams * params )

Definition at line 1124 of file SSLUtils.cc.

References SSLConfigParams::client_cipherSuite, SSLConfigParams::client_verify_depth, SSLConfigParams::clientCACertFilename, SSLConfigParams::clientCACertPath, SSLConfigParams::clientCertPath, SSLConfigParams::clientKeyPath, SSLConfigParams::clientVerify, SSLConfigParams::init_ssl_ctx_cb, SSLConfigParams::ssl_client_ctx_protocols, SSLConfigParams::ssl_ctx_options, and SSLError.

Referenced by SSLNetProcessor::start().

void SSLInitializeLibrary ( )

Definition at line 507 of file SSLUtils.cc.

References ats_free(), ats_malloc(), ats_realloc(), mutex_buf, open_ssl_initialized, SSL_locking_callback(), SSL_pthreads_thread_id(), ssl_session_ticket_index, and SSLError.

Referenced by SSLNetProcessor::start().

void SSLInitializeStatistics ( )

Definition at line 540 of file SSLUtils.cc.

Referenced by SSLNetProcessor::start().

SSL_CTX* SSLInitServerContext	(	const SSLConfigParams *	params,
		const ssl_user_config &	sslMultCertSettings
	)

Definition at line 939 of file SSLUtils.cc.

References passphrase_cb_userdata::_serverDialog, ssl_user_config::ca, ssl_user_config::cert, SSLConfigParams::cipherSuite, SSLConfigParams::clientCertLevel, Debug, ssl_user_config::dialog, Error, ssl_user_config::first_cert, SimpleTokenizer::getNext(), SimpleTokenizer::getNumTokensRemaining(), ssl_user_config::key, Layout::relative_to(), SSLConfigParams::serverCACertFilename, SSLConfigParams::serverCACertPath, SSLConfigParams::serverCertChainFilename, SSLConfigParams::serverCertPathOnly, SSL_CERT_SEPARATE_DELIM, SSL_CLEAR_PW_REFERENCES, ssl_context_enable_ecdh(), SSL_CTX_add_extra_chain_cert_file(), SSLConfigParams::ssl_ctx_options, SSL_KEY_DIALOG, ssl_private_key_validate_exec(), SSLConfigParams::ssl_session_cache, SSLConfigParams::SSL_SESSION_CACHE_MODE_OFF, SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER, SSLConfigParams::ssl_session_cache_size, SSLConfigParams::ssl_session_cache_timeout, SSLDefaultServerContext(), SSLError, SSLPrivateKeyHandler(), and SSLConfigParams::verify_depth.

Referenced by ssl_store_ssl_context().

bool SSLParseCertificateConfiguration	(	const SSLConfigParams *	params,
		SSLCertLookup *	lookup
	)

Definition at line 1458 of file SSLUtils.cc.

References ssl_user_config::addr, ats_strdup, SSLConfigParams::configFilePath, Error, Note, parseConfigLine(), readIntoBuffer(), REC_ReadConfigInteger, REC_SIGNAL_CONFIG_ERROR, RecSignalWarning(), SSLCertLookup::ssl_default, ssl_extract_certificate(), ssl_store_ssl_context(), and tokLine().

Referenced by SSLCertificateConfig::reconfigure().

static bool SSLPrivateKeyHandler	(	SSL_CTX *	ctx,
		const SSLConfigParams *	params,
		const ats_scoped_str &	completeServerCertPath,
		const char *	keyPath
	)			`[static]`