/*
* SSLsplit - transparent SSL/TLS interception
* Copyright (c) 2009-2015, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions, and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef SSL_H
#define SSL_H
#include "attrib.h"
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
/*
 * Feature gating against old OpenSSL releases.
 *
 * ECDH is disabled when building against OpenSSL < 1.0.0e due to issues with
 * thread-safety and security in server mode ephemeral ECDH cipher suites.
 * http://www.openssl.org/news/secadv_20110906.txt
 *
 * Each check below defines an OPENSSL_NO_* macro (named after OpenSSL's own
 * configure-time feature macros) when the library is too old to offer the
 * feature, so the rest of the tree can test one macro instead of comparing
 * version numbers.  OPENSSL_VERSION_NUMBER uses the MNNFFPPS layout, e.g.
 * 0x1000005FL == 1.0.0e, 0x0090806FL == 0.9.8f, 0x0090802FL == 0.9.8b.
 *
 * NOTE(review): with ECDH gated off, the only ephemeral key exchange left on
 * such a build is the DH path (ssl_tmp_dh_callback() further down, itself
 * gated on !OPENSSL_NO_DH); confirm that is acceptable before supporting
 * builds against OpenSSL < 1.0.0e.
 */
#if (OPENSSL_VERSION_NUMBER < 0x10000000L) && !defined(OPENSSL_NO_THREADID)
/* Thread-id API assumed unavailable before 1.0.0. */
#define OPENSSL_NO_THREADID
#endif

#if (OPENSSL_VERSION_NUMBER < 0x0090806FL) && !defined(OPENSSL_NO_TLSEXT)
/*
 * No TLS extensions before 0.9.8f.  This also removes the X509v3 extension
 * helpers and the ClientHello SNI parser declared further down, which are
 * gated on !OPENSSL_NO_TLSEXT.
 */
#define OPENSSL_NO_TLSEXT
#endif

#if (OPENSSL_VERSION_NUMBER < 0x1000005FL) && !defined(OPENSSL_NO_ECDH)
/* ECDH off before 1.0.0e; see the advisory referenced above. */
#define OPENSSL_NO_ECDH
#endif

#if (OPENSSL_VERSION_NUMBER < 0x0090802FL) && !defined(OPENSSL_NO_ECDSA)
/* No ECDSA before 0.9.8b. */
#define OPENSSL_NO_ECDSA
#endif

#if (OPENSSL_VERSION_NUMBER < 0x0090802FL) && !defined(OPENSSL_NO_EC)
/* No EC support at all before 0.9.8b; gates ssl_ec_by_name() below. */
#define OPENSSL_NO_EC
#endif
/*
 * The constructors returning a SSL_METHOD * were changed to return
 * a const SSL_METHOD * between 0.9.8 and 1.0.0.
 *
 * CONST_SSL_METHOD lets code that stores the result of those constructors
 * spell the pointee type once and stay warning-free on both sides of that
 * change.  0x1000000fL is the 1.0.0 release number (status nibble 0xf).
 */
#if (OPENSSL_VERSION_NUMBER < 0x1000000fL)
#define CONST_SSL_METHOD SSL_METHOD
#else /* >= OpenSSL 1.0.0 */
#define CONST_SSL_METHOD const SSL_METHOD
#endif /* >= OpenSSL 1.0.0 */
/*
 * Workaround for bug in OpenSSL 0.9.8y, 1.0.0k and 1.0.1e
 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703031
 * http://openssl.6102.n7.nabble.com/NULL-ptr-deref-when-calling-SSL-get-certificate-with-1-0-0k-td43636.html
 *
 * On exactly these release numbers (0x0090819fL == 0.9.8y, 0x100000bfL ==
 * 1.0.0k, 0x1000105fL == 1.0.1e) every call to SSL_get_certificate() in this
 * tree is redirected to the local ssl_ssl_cert_get(), so the NULL pointer
 * dereference reported above is not reachable from here.
 *
 * NOTE(review): the match is by exact version number.  A vendor build that
 * reports one of these numbers but carries a backported fix still gets the
 * replacement (harmless); a differently numbered build with the same defect
 * is not covered.  Confirm the list against the OpenSSL actually linked.
 */
#if (OPENSSL_VERSION_NUMBER == 0x0090819fL) || \
    (OPENSSL_VERSION_NUMBER == 0x100000bfL) || \
    (OPENSSL_VERSION_NUMBER == 0x1000105fL)
#define SSL_get_certificate(x) ssl_ssl_cert_get(x)
/*
 * Local replacement for SSL_get_certificate(); presumably returns the
 * certificate in use for the SSL object.  Implementation not visible here.
 */
X509 * ssl_ssl_cert_get(SSL *);
#endif /* OpenSSL 0.9.8y or 1.0.0k or 1.0.1e */
/*
 * SSL_OP_NO_* is used as an indication that OpenSSL is sufficiently recent
 * to have the respective protocol implemented.
 *
 * OPENSSL_NO_SSL2 indicates the complete removal of SSL 2.0 support.
 *
 * OPENSSL_NO_SSL3 indicates that no SSL 3.0 connections will be made by
 * default, but support is still present, unless OPENSSL_NO_SSL3_METHOD is
 * also defined.
 *
 * The resulting HAVE_* macros describe what this build is able to speak,
 * not what it will negotiate; protocol selection happens outside this
 * header.
 *
 * Security notes:
 *  - SSL 2.0 is only compiled in when the build explicitly passes
 *    WITH_SSLV2 on top of the library still supporting it.  Keep it opt-in.
 *  - HAVE_SSLV3 is defined whenever the library still ships the SSL 3.0
 *    method, i.e. also on an OpenSSL that defines OPENSSL_NO_SSL3 (disabled
 *    by default) but not OPENSSL_NO_SSL3_METHOD.  Code keyed on HAVE_SSLV3
 *    must not assume the library would have enabled SSL 3.0 on its own.
 */
#if defined(SSL_OP_NO_SSLv2) && !defined(OPENSSL_NO_SSL2) && \
    defined(WITH_SSLV2)
#define HAVE_SSLV2
#endif /* SSL_OP_NO_SSLv2 && !OPENSSL_NO_SSL2 && WITH_SSLV2 */

#if defined(SSL_OP_NO_SSLv3) && !defined(OPENSSL_NO_SSL3_METHOD)
#define HAVE_SSLV3
#endif /* SSL_OP_NO_SSLv3 && !OPENSSL_NO_SSL3_METHOD */

#ifdef SSL_OP_NO_TLSv1
#define HAVE_TLSV10
#endif /* SSL_OP_NO_TLSv1 */

#ifdef SSL_OP_NO_TLSv1_1
#define HAVE_TLSV11
#endif /* SSL_OP_NO_TLSv1_1 */

#ifdef SSL_OP_NO_TLSv1_2
#define HAVE_TLSV12
#endif /* SSL_OP_NO_TLSv1_2 */
/*
 * Per-protocol string fragments, one per HAVE_* macro above.  Each fragment
 * is either "<proto> " (note the trailing space) or empty, so that adjacent
 * string literal concatenation in SSL_PROTO_SUPPORT_S yields a space
 * separated list of the protocols this build supports, e.g.
 * "ssl3 tls10 tls11 tls12 ", without any separator logic at run time.
 */
#ifdef HAVE_SSLV2
#define SSL2_S "ssl2 "
#else /* !HAVE_SSLV2 */
#define SSL2_S ""
#endif /* !HAVE_SSLV2 */

#ifdef HAVE_SSLV3
#define SSL3_S "ssl3 "
#else /* !HAVE_SSLV3 */
#define SSL3_S ""
#endif /* !HAVE_SSLV3 */

#ifdef HAVE_TLSV10
#define TLS10_S "tls10 "
#else /* !HAVE_TLSV10 */
#define TLS10_S ""
#endif /* !HAVE_TLSV10 */

#ifdef HAVE_TLSV11
#define TLS11_S "tls11 "
#else /* !HAVE_TLSV11 */
#define TLS11_S ""
#endif /* !HAVE_TLSV11 */

#ifdef HAVE_TLSV12
#define TLS12_S "tls12 "
#else /* !HAVE_TLSV12 */
#define TLS12_S ""
#endif /* !HAVE_TLSV12 */

/* Build-time list of supported protocols (has a trailing space). */
#define SSL_PROTO_SUPPORT_S SSL2_S SSL3_S TLS10_S TLS11_S TLS12_S
/*
 * Library lifecycle.
 *
 * NONNULL(), MALLOC and WUNRES used throughout this header come from
 * attrib.h; presumably they map to the nonnull, malloc and
 * warn_unused_result function attributes.  MALLOC on a prototype means the
 * caller owns the returned object and must free it with the matching
 * OpenSSL *_free() or free().
 */

/* Report the OpenSSL version (what is printed, and where, is implementation defined). */
void ssl_openssl_version(void);

/*
 * One-time library initialisation.  Returns an int status the caller must
 * check (WUNRES); the exact success/failure values are not visible here.
 */
int ssl_init(void) WUNRES;

/* Re-run initialisation after ssl_init(); when this is required is not visible here. */
void ssl_reinit(void);

/* Tear down what ssl_init() set up. */
void ssl_fini(void);
/*
 * Render a SHA-1 digest as a newly allocated string.  No length is passed:
 * the digest is the fixed 20 bytes used by SSL_KEY_IDSZ / SSL_X509_FPRSZ
 * below.  The int argument is the same format selector taken by
 * ssl_key_identifier() and ssl_x509_fingerprint(); its values are defined
 * in the implementation.  Caller frees.
 */
char * ssl_sha1_to_str(unsigned char *, int) NONNULL(1) MALLOC;

/* Newly allocated, human readable state of an SSL object.  Caller frees. */
char * ssl_ssl_state_to_str(SSL *) NONNULL(1) MALLOC;
#ifndef OPENSSL_NO_DH
/*
 * Ephemeral DH parameter callback.  The (SSL *, int, int) shape matches what
 * OpenSSL's tmp_dh callback setters take, i.e. presumably
 * (ssl, is_export, keylength).  NOTE(review): confirm in the implementation
 * which parameters are handed out for a given keylength; a small DH group
 * here undermines forward secrecy for every intercepted connection.
 */
DH * ssl_tmp_dh_callback(SSL *, int, int) NONNULL(1) MALLOC;

/* Load DH parameters from the named file.  Caller frees the DH. */
DH * ssl_dh_load(const char *) NONNULL(1) MALLOC;

/*
 * Take an additional reference, so that a DH handed to OpenSSL (which will
 * free its own reference) is not released out from under the caller.
 */
void ssl_dh_refcount_inc(DH *) NONNULL(1);
#endif /* !OPENSSL_NO_DH */

#ifndef OPENSSL_NO_EC
/*
 * Return a fresh EC_KEY for the named curve.  Not marked NONNULL, so a NULL
 * name is presumably accepted (a default curve?) -- verify against callers.
 * Caller frees.
 */
EC_KEY * ssl_ec_by_name(const char *) MALLOC;
#endif /* !OPENSSL_NO_EC */
/* Load a private key from the named file.  Caller frees. */
EVP_PKEY * ssl_key_load(const char *) NONNULL(1) MALLOC;

/*
 * Generate a fresh RSA key; the int is presumably the modulus size in bits.
 * NOTE(review): this key ends up in forged leaf certificates, so the caller
 * chooses the strength clients will see -- keep it at 2048 or more.
 */
EVP_PKEY * ssl_key_genrsa(const int) MALLOC;

/* Take an additional reference on a key shared with OpenSSL objects. */
void ssl_key_refcount_inc(EVP_PKEY *) NONNULL(1);

/* Size in bytes of the key identifier: a SHA-1 digest. */
#define SSL_KEY_IDSZ 20

/*
 * Write the SHA-1 based identifier of the key into a buffer of at least
 * SSL_KEY_IDSZ bytes.  Returns an int status (values defined by the
 * implementation).  The identifier is for display and lookup; do not treat
 * it as a collision-resistant proof of key identity.
 */
int ssl_key_identifier_sha1(EVP_PKEY *, unsigned char *) NONNULL(1,2);

/* String form of the key identifier; int selects the format.  Caller frees. */
char * ssl_key_identifier(EVP_PKEY *, int) NONNULL(1) MALLOC;
#ifndef OPENSSL_NO_TLSEXT
/*
 * Add an X509v3 extension given as name/value strings to the certificate,
 * using the supplied extension context.  Returns an int status.
 */
int ssl_x509_v3ext_add(X509V3_CTX *, X509 *, char *, char *) NONNULL(1,2,3,4);

/*
 * Copy the extension identified by the NID from one certificate to the
 * other (which is source and which is destination is not visible here).
 * NOTE(review): when this is used to mirror an origin certificate, confirm
 * that CA-defining extensions (basicConstraints, keyUsage) are never copied
 * into a forged leaf.
 */
int ssl_x509_v3ext_copy_by_nid(X509 *, X509 *, int) NONNULL(1,2);
#endif /* !OPENSSL_NO_TLSEXT */

/* Derive the serial of one certificate from the other with randomisation ("copyrand"). */
int ssl_x509_serial_copyrand(X509 *, X509 *) NONNULL(1,2);

/*
 * Forge a certificate -- the interception primitive.  Takes two X509 and
 * two EVP_PKEY arguments plus an optional name (argument 4 is the only one
 * not covered by NONNULL, so it may be NULL).  Presumably: the signing CA
 * certificate and key, the original certificate to mimic, an extra name to
 * include, and the key to certify -- confirm the order against the
 * implementation.  Caller frees the returned X509.
 */
X509 * ssl_x509_forge(X509 *, EVP_PKEY *, X509 *, const char *, EVP_PKEY *)
                      NONNULL(1,2,3,5) MALLOC;

/* Load a certificate from the named file.  Caller frees. */
X509 * ssl_x509_load(const char *) NONNULL(1) MALLOC;

/* Newly allocated subject string.  Caller frees. */
char * ssl_x509_subject(X509 *) NONNULL(1) MALLOC;

/*
 * Newly allocated subject CN; the length is returned through the size_t *
 * (presumably because a CN may not be a clean C string).  Caller frees.
 */
char * ssl_x509_subject_cn(X509 *, size_t *) NONNULL(1,2) MALLOC;

/* Size in bytes of the certificate fingerprint: a SHA-1 digest. */
#define SSL_X509_FPRSZ 20

/* Write the SHA-1 fingerprint into a buffer of at least SSL_X509_FPRSZ bytes. */
int ssl_x509_fingerprint_sha1(X509 *, unsigned char *) NONNULL(1,2);

/* String form of the fingerprint; int selects the format.  Caller frees. */
char * ssl_x509_fingerprint(X509 *, int) NONNULL(1) MALLOC;

/* Array of the names the certificate carries (termination convention not visible here).  Caller frees. */
char ** ssl_x509_names(X509 *) NONNULL(1) MALLOC;

/* Does the given host name match any name in the certificate?  Returns int. */
int ssl_x509_names_match(X509 *, const char *) NONNULL(1,2);

/* All names of the certificate joined into one string.  Caller frees. */
char * ssl_x509_names_to_str(X509 *) NONNULL(1) MALLOC;

/* Authority Information Access entries selected by the int (presumably a NID).  Caller frees. */
char ** ssl_x509_aias(X509 *, const int) NONNULL(1) MALLOC;

/* OCSP responder URLs of the certificate.  Caller frees. */
char ** ssl_x509_ocsps(X509 *) NONNULL(1) MALLOC;

/*
 * Validity check on a certificate; the result must be consulted (WUNRES).
 * What is checked (time window, signature, ...) is not visible here.
 */
int ssl_x509_is_valid(X509 *) NONNULL(1) WUNRES;

/* Human readable dump of the certificate.  Caller frees. */
char * ssl_x509_to_str(X509 *) NONNULL(1) MALLOC;

/* PEM encoding of the certificate.  Caller frees. */
char * ssl_x509_to_pem(X509 *) NONNULL(1) MALLOC;

/* Take an additional reference on a certificate shared with OpenSSL objects. */
void ssl_x509_refcount_inc(X509 *) NONNULL(1);
/*
 * Load a certificate chain from the named file.  Only the chain output
 * (argument 2) and the path are NONNULL; the first X509 ** may be NULL,
 * presumably when the caller does not want the leaf returned separately.
 * Returns an int status.
 */
int ssl_x509chain_load(X509 **, STACK_OF(X509) **, const char *) NONNULL(2,3);

/* Install the certificate and its chain on the SSL_CTX. */
void ssl_x509chain_use(SSL_CTX *, X509 *, STACK_OF(X509) *) NONNULL(1,2,3);

/* Human readable dump of a session.  Caller frees. */
char * ssl_session_to_str(SSL_SESSION *) NONNULL(1) MALLOC;

/* Is the session still usable (criteria not visible here)?  Returns int. */
int ssl_session_is_valid(SSL_SESSION *) NONNULL(1);
/*
 * Does the buffer hold an OCSP request?  The buffer is untrusted network
 * data; the explicit size_t length is the only bound the implementation may
 * rely on.  Result must be consulted (WUNRES).
 */
int ssl_is_ocspreq(const unsigned char *, size_t) NONNULL(1) WUNRES;

#ifndef OPENSSL_NO_TLSEXT
/*
 * Extract the SNI host name from raw ClientHello bytes, before any OpenSSL
 * processing.  The ssize_t * is presumably the buffer length on input and
 * a status or consumed count on output -- confirm against the callers.
 * NOTE(review): this is a hand-written parser over attacker-controlled
 * bytes; every read in the implementation must be bounded by the supplied
 * length.  Returns a newly allocated name; caller frees.
 */
char * ssl_tls_clienthello_parse_sni(const unsigned char *, ssize_t *)
                                     NONNULL(1,2) MALLOC;
#endif /* !OPENSSL_NO_TLSEXT */

/*
 * Match a DNS name against a (possibly wildcard) certificate name, both
 * given with explicit lengths.  Which argument is the pattern, and the
 * wildcard rules applied, are not visible here.  Result must be consulted
 * (WUNRES).
 */
int ssl_dnsname_match(const char *, size_t, const char *, size_t)
                      NONNULL(1,3) WUNRES;

/*
 * Turn a host name into its wildcard form (presumably "*." plus the parent
 * domain).  NOTE(review): confirm the implementation never yields a
 * wildcard covering a public suffix.  Caller frees.
 */
char * ssl_wildcardify(const char *) NONNULL(1) MALLOC;
#endif /* !SSL_H */
/* vim: set noet ft=c: */