pegasus/src/Pegasus/Common/SSLContext.cpp - diff

Return to SSLContext.cpp CVS log

Up to [Pegasus] / pegasus / src / Pegasus / Common

Diff for /pegasus/src/Pegasus/Common/SSLContext.cpp between version 1.43 and 1.60

version 1.43, 2004/12/08 21:53:32

version 1.60, 2005/11/30 21:16:11

Line 1

//%2004////////////////////////////////////////////////////////////////////////

//%2005////////////////////////////////////////////////////////////////////////

// Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.

Line 6

// IBM Corp.; EMC Corporation, The Open Group.

// IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.

// EMC Corporation; VERITAS Software Corporation; The Open Group.

// Permission is hereby granted, free of charge, to any person obtaining a copy

// of this software and associated documentation files (the "Software"), to

Line 32

Line 34

// Sushma Fernandes, Hewlett-Packard Company (sushma_fernandes@hp.com)

// Heather Sterling, IBM (hsterl@us.ibm.com)

// Amit K Arora, IBM (amita@in.ibm.com) for Bug#1090

// David Dillard, Symantec Corp. (david_dillard@symantec.com)

//%/////////////////////////////////////////////////////////////////////////////

#ifdef PEGASUS_HAS_SSL

#ifdef PEGASUS_PLATFORM_WIN32_IX86_MSVC

#include <Pegasus/Common/Config.h>

#ifdef PEGASUS_OS_TYPE_WINDOWS

//Bugzilla 2366

//Use the X509_NAME in wincrypt.h on Windows. See X509.h for more info.

#include <windows.h>

Line 51

Line 56

#else

#define SSL_CTX void

#endif // end of PEGASUS_HAS_SSL

#include <Pegasus/Common/Destroyer.h>

#include <Pegasus/Common/Socket.h>

#include <Pegasus/Common/Tracer.h>

#include <Pegasus/Common/FileSystem.h>

Line 62

Line 66

#include "SSLContext.h"

#include "SSLContextRep.h"

#ifdef PEGASUS_OS_OS400

#include "SSLWrapperOS400.h"

#endif

// Typedef's for OpenSSL callback functions.

Line 204

Line 211

// Callback function that is called by the OpenSSL library. This function

// checks whether the certificate is listed in any of the CRL's

// return 1 if revoked, 0 otherwise

int SSLCallback::verificationCRLCallback(int ok, X509_STORE_CTX *ctx, X509_STORE* sslCRLStore)

{

PEG_METHOD_ENTER(TRC_SSL, "SSLCallback::verificationCRLCallback");

X509_OBJECT obj;

char buf[1024];

X509_NAME *subject;

X509_NAME *issuer;

X509 *xs;

X509_CRL *crl;

X509_REVOKED *revoked;

long serial;

BIO *bio;

int i, n, rc;

char *cp;

char *cp2;

//check whether a CRL store was specified

if (sslCRLStore == NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL store is NULL");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is NULL");

return ok;

return 0;

}

//ATTN: The following excerpt is based off of modssl's callback function

//get the current certificate info

//We may need to do something here for legal purposes. I have informed Warren of this, will resolve before 2.5 ships.

X509* currentCert;

X509_NAME* issuerName;

X509_NAME* subjectName;

ASN1_INTEGER* serialNumber;

currentCert = X509_STORE_CTX_get_current_cert(ctx);

* Determine certificate ingredients in advance

subjectName = X509_get_subject_name(currentCert);

issuerName = X509_get_issuer_name(currentCert);

xs = X509_STORE_CTX_get_current_cert(ctx);

serialNumber = X509_get_serialNumber(currentCert);

subject = X509_get_subject_name(xs);

issuer = X509_get_issuer_name(xs);

//log certificate information

//this is information in the "public" key, so it does no harm to log it

X509_NAME_oneline(issuerName, buf, sizeof(buf));

* OpenSSL provides the general mechanism to deal with CRLs but does not

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate Data: Issuer/Subject");

* use them automatically when verifying certificates, so we do it

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, buf);

* explicitly here. We will check the CRL for the currently checked

X509_NAME_oneline(subjectName, buf, sizeof(buf));

* certificate, if there is such a CRL in the store.

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, buf);

* We come through this procedure for each certificate in the certificate

//initialize the CRL store

* chain, starting with the root-CA's certificate. At each step we've to

X509_STORE_CTX crlStoreCtx;

* both verify the signature on the CRL (to make sure it's a valid CRL)

X509_STORE_CTX_init(&crlStoreCtx, sslCRLStore, NULL, NULL);

* and it's revocation list (to make sure the current certificate isn't

* revoked). But because to check the signature on the CRL we need the

* public key of the issuing CA certificate (which was already processed

* one round before), we've a little problem. But we can both solve it and

* at the same time optimize the processing by using the following

* verification scheme (idea and code snippets borrowed from the GLOBUS

* project):

* 1. We'll check the signature of a CRL in each step when we find a CRL

* through the _subject_ name of the current certificate. This CRL

* itself will be needed the first time in the next round, of course.

* But we do the signature processing one round before this where the

* public key of the CA is available.

* 2. We'll check the revocation list of a CRL in each step when

* we find a CRL through the _issuer_ name of the current certificate.

* This CRLs signature was then already verified one round before.

* This verification scheme allows a CA to revoke its own certificate as

* well, of course.

* Try to retrieve a CRL corresponding to the _subject_ of

* the current certificate in order to verify it's integrity.

memset((char *)&obj, 0, sizeof(obj));

X509_STORE_CTX pStoreCtx;

X509_STORE_CTX_init(&pStoreCtx, sslCRLStore, NULL, NULL);

rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, subject, &obj);

X509_STORE_CTX_cleanup(&pStoreCtx);

crl = obj.data.crl;

//////////////////////////////////////////

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL : return code is %d", rc);

if (rc > 0 && crl != NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL found");

// Log information about CRL

// (A little bit complicated because of ASN.1 and BIOs...)

bio = BIO_new(BIO_s_mem());

BIO_printf(bio, "lastUpdate: ");

ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));

BIO_printf(bio, ", nextUpdate: ");

ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));

n = BIO_pending(bio);

cp = (char*) malloc(n+1);

n = BIO_read(bio, cp, n);

cp[n] = '\0';

BIO_free(bio);

cp2 = X509_NAME_oneline(subject, NULL, 0);

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL : CRL Issuer : %s, %s", cp2, cp);

//ATTN: This throws a memory error

//free(cp2);

free(cp);

// Verify the signature on this CRL

if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL : Invalid signature on CRL");

//ATTN: Do we need to set this?

//X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);

//X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

}

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Initialized CRL store");

// Check date of CRL to make sure it's not expired

//attempt to get a CRL issued by the certificate's issuer

i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));

X509_OBJECT obj;

if (i == 0)

if (X509_STORE_get_by_subject(&crlStoreCtx, X509_LU_CRL, issuerName, &obj) <= 0)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL2, "CRL has invalid nextUpdate field\n");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: No CRL by that issuer");

//ATTN: Do we need to set this?

//X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);

//X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

}

if (i < 0)

X509_STORE_CTX_cleanup(&crlStoreCtx);

//get CRL

X509_CRL* crl = obj.data.crl;

if (crl == NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL2, "CRL has expired\n");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL is null");

//ATTN: Do we need to set this?

//X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);

//X509_OBJECT_free_contents(&obj);

PEG_METHOD_EXIT();

return 0;

}

X509_OBJECT_free_contents(&obj);

} else

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: No CRL for that subject found");

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Found CRL by that issuer");

}

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL checks out ok\n");

//get revoked certificates

STACK_OF(X509_REVOKED)* revokedCerts = NULL;

revokedCerts = X509_CRL_get_REVOKED(crl);

// Try to retrieve a CRL corresponding to the _issuer_ of

int numRevoked = sk_X509_REVOKED_num(revokedCerts);

// the current certificate in order to check for revocation.

Tracer::trace(TRC_SSL, Tracer::LEVEL4,"---> SSL: Number of certificates revoked by the issuer %d\n", numRevoked);

memset((char *)&obj, 0, sizeof(obj));

X509_STORE_CTX_init(&pStoreCtx, sslCRLStore, NULL, NULL);

rc = X509_STORE_get_by_subject(&pStoreCtx, X509_LU_CRL, issuer, &obj);

X509_STORE_CTX_cleanup(&pStoreCtx);

crl = obj.data.crl;

if (rc > 0 && crl != NULL)

{

// Check if the current certificate is revoked by this CRL

#if SSL_LIBRARY_VERSION < 0x00904000

n = sk_num(X509_CRL_get_REVOKED(crl));

#else

n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));

#endif

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: Number of certificates revoked by the issuer %d", n);

for (i = 0; i < n; i++)

//check whether the subject's certificate is revoked

X509_REVOKED* revokedCert = NULL;

for (int i = 0; i < sk_X509_REVOKED_num(revokedCerts); i++)

{

#if SSL_LIBRARY_VERSION < 0x00904000

revokedCert = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);

revoked = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);

#else

revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);

#endif

serial = ASN1_INTEGER_get(revoked->serialNumber);

printf("Got serial number %ld\n", serial);

if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0)

//a matching serial number indicates revocation

if (ASN1_INTEGER_cmp(revokedCert->serialNumber, serialNumber) == 0)

{

serial = ASN1_INTEGER_get(revoked->serialNumber);

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Certificate is revoked");

cp = X509_NAME_oneline(issuer, NULL, 0);

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"---> SSL : Certificate with serial %ld revoked per CRL from issuer %s\n", serial, cp);

//ATTN: Mem error if uncomment following

//free(cp);

X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);

X509_OBJECT_free_contents(&obj);

return 1;

PEG_METHOD_EXIT();

return 0;

}

X509_OBJECT_free_contents(&obj);

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate is not revoked at this level");

}

PEG_METHOD_EXIT();

return ok;

return 0;

}

Line 446

Line 329

// simply return the preverification error (or check the CRL)

// We do not need to go through the additional steps.

if (exData->verifyCertificateCallback == NULL)

if (exData->_rep->verifyCertificateCallback == NULL)

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"--->SSL: No verification callback specified");

if (exData->_crlStore == NULL)

if (exData->_rep->crlStore != NULL)

{

PEG_METHOD_EXIT();

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_rep->crlStore);

return (preVerifyOk);

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked);

} else

if (revoked) //with the SSL callbacks '0' indicates failure

{

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore);

PEG_METHOD_EXIT();

return (revoked);

return 0;

}

// Check to see if a CRL path is defined

if (exData->_crlStore)

if (exData->_rep->crlStore != NULL)

{

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore);

revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_rep->crlStore);

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked);

"---> SSL: CRL callback returned %d", revoked);

if (revoked) //with the SSL callbacks '0' indicates failure

{

PEG_METHOD_EXIT();

return 0;

}

Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked);

// get the current certificate

Line 541

Line 432

// Create the certificate object

exData->_peerCertificate = new SSLCertificateInfo(subjectName, issuerName, version, serialNumber,

if (exData->_rep->peerCertificate != NULL)

{

//Delete an existing certificate object from a previous call.

//SSL validates the certificate chain starting with the root CA and working down to the peer certificate.

//With this strategy, we end up with the peer certificate as the last certificate stored in the SSLCallbackInfo

//so we can retrieve the correct certificate info and username.

delete exData->_rep->peerCertificate;

exData->_rep->peerCertificate = NULL;

}

exData->_rep->peerCertificate = new SSLCertificateInfo(subjectName, issuerName, version, serialNumber,

notBefore, notAfter, depth, errorCode, errorStr, preVerifyOk);

// Call the application callback.

// Call the user-specified application callback if it is specified. If it is null, return OpenSSL's verification code.

// Note that the verification result does not automatically get set to X509_V_OK if the callback is successful.

// This is because OpenSSL retains the original default error in case we want to use it later.

// To set the error, we could use X509_STORE_CTX_set_error(ctx, verifyError); but there is no real benefit to doing that here.

if (exData->verifyCertificateCallback(*exData->_peerCertificate))

if (exData->_rep->verifyCertificateCallback == NULL)

{

return preVerifyOk;

} else

{

if (exData->_rep->verifyCertificateCallback(*exData->_rep->peerCertificate))

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"--> SSL: verifyCertificateCallback() returned X509_V_OK");

"--> SSL: _rep->verifyCertificateCallback() returned X509_V_OK");

PEG_METHOD_EXIT();

return 1;

Line 561

Line 468

else // verification failed, handshake will be immediately terminated

{

Tracer::trace(TRC_SSL, Tracer::LEVEL4,

"--> SSL: verifyCertificateCallback() returned error %d", exData->_peerCertificate->getErrorCode());

"--> SSL: _rep->verifyCertificateCallback() returned error %d", exData->_rep->peerCertificate->getErrorCode());

PEG_METHOD_EXIT();

return 0;

}

// Callback function called by OpenSSL. This request is merely forwarded to the static

Line 612

Line 520

PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4,

"Initialized SSL callback.");

#ifdef PEGASUS_OS_OS400

// Load the OpenSSL library and get the exports

SSL_OS400_Init();

#endif

_sslLocks= new Mutex[CRYPTO_num_locks()];

// Set the ID callback. The ID callback returns a thread ID.

Line 729

Line 642

_certPath = sslContextRep._certPath;

_keyPath = sslContextRep._keyPath;

_crlPath = sslContextRep._crlPath;

_crlStore = sslContextRep._crlStore;

_verifyPeer = sslContextRep._verifyPeer;

_certificateVerifyFunction = sslContextRep._certificateVerifyFunction;

_randomFile = sslContextRep._randomFile;

Line 845

Line 759

// Try to do more seeding

long seedNumber;

#if defined(PEGASUS_PLATFORM_WIN32_IX86_MSVC)

#if defined(PEGASUS_COMPILER_MSVC)

srand((unsigned int)time(NULL)); // Initialize

seedNumber = rand();

#else

Line 925

Line 839

SSL_CTX_set_quiet_shutdown(sslContext, 1);

SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY);

SSL_CTX_set_options(sslContext,SSL_OP_ALL);

SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF);

int options = SSL_OP_ALL;

#ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default

options |= SSL_OP_NO_SSLv2;

#endif

SSL_CTX_set_options(sslContext, options);

if (_verifyPeer)

{

//ATTN: We might still need a flag to specify SSL_VERIFY_FAIL_IF_NO_PEER_CERT

Line 1206

Line 1125

return _keyPath;

}

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

String SSLContextRep::getTrustStoreUserName() const

{

return String::EMPTY;

}

#endif

String SSLContextRep::getCRLPath() const

{

return _crlPath;

Line 1216

Line 1142

return _crlStore;

}

void SSLContextRep::setCRLStore(X509_STORE* store)

{

_crlStore = store;

}

Boolean SSLContextRep::isPeerVerificationEnabled() const

{

return _verifyPeer;

Line 1257

Line 1188

String SSLContextRep::getKeyPath() const { return String::EMPTY; }

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

String SSLContextRep::getTrustStoreUserName() const { return String::EMPTY; }

#endif

String SSLContextRep::getCRLPath() const { return String::EMPTY; }

X509_STORE* SSLContextRep::getCRLStore() const { return NULL; }

void SSLContextRep::setCRLStore(X509_STORE* store) { }

Boolean SSLContextRep::isPeerVerificationEnabled() const { return false; }

SSLCertificateVerifyFunction* SSLContextRep::getSSLCertificateVerifyFunction() const { return NULL; }

Line 1308

Line 1245

_rep = new SSLContextRep(trustStore, certPath, keyPath, crlPath, verifyCert, randomFile);

}

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

SSLContext::SSLContext(

const String& trustStore,

const String& certPath,

const String& keyPath,

SSLCertificateVerifyFunction* verifyCert,

String trustStoreUserName,

const String& randomFile)

{

_rep = new SSLContextRep(trustStore, certPath, keyPath, String::EMPTY, verifyCert, randomFile);

}

#endif

SSLContext::SSLContext(const SSLContext& sslContext)

{

_rep = new SSLContextRep(*sslContext._rep);

Line 1353

Line 1303

return (_rep->isPeerVerificationEnabled());

}

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES

String SSLContext::getTrustStoreUserName() const

{

return (_rep->getTrustStoreUserName());

}

#endif

SSLCertificateVerifyFunction* SSLContext::getSSLCertificateVerifyFunction() const

{

return (_rep->getSSLCertificateVerifyFunction());

Line 1579

Line 1536

sprintf(buf, "Version number: %d\n", _rep->versionNumber);

s.append(buf);

sprintf(buf, "Serial number: %ld\n", _rep->serialNumber);

sprintf(buf, "Serial number: %lu\n", _rep->serialNumber);

s.append(buf);

s.append("Not before date: ");

Line 1593

Line 1550

return s;

}

///////////////////////////////////////////////////////////////////////////////

// SSLCallbackInfo

///////////////////////////////////////////////////////////////////////////////

SSLCallbackInfo::SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert)

{

_rep = new SSLCallbackInfoRep();

_rep->verifyCertificateCallback = verifyCert;

_rep->crlStore = NULL;

_rep->peerCertificate = NULL;

}

SSLCallbackInfo::SSLCallbackInfo(SSLCertificateVerifyFunction* verifyCert, X509_STORE* crlStore)

{

verifyCertificateCallback = verifyCert;

_rep = new SSLCallbackInfoRep();

_crlStore = crlStore;

_rep->verifyCertificateCallback = verifyCert;

_peerCertificate = NULL;

_rep->crlStore = crlStore;

_rep->peerCertificate = NULL;

}

SSLCallbackInfo::~SSLCallbackInfo()

{

if (_peerCertificate)

if (_rep->peerCertificate)

{

delete _peerCertificate;

delete _rep->peerCertificate;

}

delete _rep;

}

PEGASUS_NAMESPACE_END

Legend:

Removed from v.1.43
changed lines
	Added in v.1.60

No CVS admin address has been configured