summaryrefslogtreecommitdiffstats
path: root/runtime
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--runtime/net_ossl.c29
-rw-r--r--runtime/net_ossl.h39
-rw-r--r--runtime/nsd_ossl.c25
3 files changed, 50 insertions, 43 deletions
diff --git a/runtime/net_ossl.c b/runtime/net_ossl.c
index 60e3fa2..7008731 100644
--- a/runtime/net_ossl.c
+++ b/runtime/net_ossl.c
@@ -52,6 +52,20 @@ DEFobjCurrIf(glbl)
DEFobjCurrIf(net)
DEFobjCurrIf(nsd_ptcp)
+/* Prototypes for openssl helper functions */
+void net_ossl_lastOpenSSLErrorMsg
+ (uchar *fromHost, int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
+void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
+void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
+void net_ossl_set_bio_callback(BIO *conn);
+int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
+rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
+rsRetVal net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+rsRetVal net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+rsRetVal net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+
+
/*--------------------------------------MT OpenSSL helpers ------------------------------------------*/
static MUTEX_TYPE *mutex_buf = NULL;
static sbool openssl_initialized = 0; // Avoid multiple initialization / deinitialization
@@ -1174,9 +1188,18 @@ CODESTARTobjQueryInterface(net_ossl)
if(pIf->ifVersion != net_osslCURR_IF_VERSION) {/* check for current version, increment on each change */
ABORT_FINALIZE(RS_RET_INTERFACE_NOT_SUPPORTED);
}
- pIf->Construct = (rsRetVal(*)(net_ossl_t**)) net_osslConstruct;
- pIf->Destruct = (rsRetVal(*)(net_ossl_t**)) net_osslDestruct;
- pIf->osslCtxInit = net_ossl_osslCtxInit;
+ pIf->Construct = (rsRetVal(*)(net_ossl_t**)) net_osslConstruct;
+ pIf->Destruct = (rsRetVal(*)(net_ossl_t**)) net_osslDestruct;
+ pIf->osslCtxInit = net_ossl_osslCtxInit;
+ pIf->osslChkpeername = net_ossl_chkpeername;
+ pIf->osslPeerfingerprint = net_ossl_peerfingerprint;
+ pIf->osslGetpeercert = net_ossl_getpeercert;
+ pIf->osslChkpeercertvalidity = net_ossl_chkpeercertvalidity;
+ pIf->osslApplyTlscgfcmd = net_ossl_apply_tlscgfcmd;
+ pIf->osslSetBioCallback = net_ossl_set_bio_callback;
+ pIf->osslSetCtxVerifyCallback = net_ossl_set_ctx_verify_callback;
+ pIf->osslSetSslVerifyCallback = net_ossl_set_ssl_verify_callback;
+ pIf->osslLastOpenSSLErrorMsg = net_ossl_lastOpenSSLErrorMsg;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
pIf->osslCtxInitCookie = net_ossl_ctx_init_cookie;
#endif
diff --git a/runtime/net_ossl.h b/runtime/net_ossl.h
index 6e8a61f..eef69dd 100644
--- a/runtime/net_ossl.h
+++ b/runtime/net_ossl.h
@@ -83,6 +83,17 @@ BEGINinterface(net_ossl) /* name must also be changed in ENDinterface macro! */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
rsRetVal (*osslCtxInitCookie)(net_ossl_t *pThis);
#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
+ // OpenSSL Helper function exports
+ rsRetVal (*osslChkpeername)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+ rsRetVal (*osslPeerfingerprint)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+ X509* (*osslGetpeercert)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+ rsRetVal (*osslChkpeercertvalidity)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+ rsRetVal (*osslApplyTlscgfcmd)(net_ossl_t *pThis, uchar *tlscfgcmd);
+ void (*osslSetBioCallback)(BIO *conn);
+ void (*osslSetCtxVerifyCallback)(SSL_CTX *pCtx, int flags);
+ void (*osslSetSslVerifyCallback)(SSL *pSsl, int flags);
+ void (*osslLastOpenSSLErrorMsg)(uchar *fromHost,
+ const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
ENDinterface(net_ossl)
#define net_osslCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */
@@ -134,34 +145,6 @@ void osslGlblExit(void);
/*-----------------------------------------------------------------------------*/
-/* Prototypes for openssl helper functions */
-__attribute__((visibility("default"))) void net_ossl_lastOpenSSLErrorMsg
- (uchar *fromHost, const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
-__attribute__((visibility("default"))) void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
-__attribute__((visibility("default"))) void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
-__attribute__((visibility("default"))) void net_ossl_set_bio_callback(BIO *conn);
-__attribute__((visibility("default"))) int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
-__attribute__((visibility("default"))) rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
-__attribute__((visibility("default"))) rsRetVal
- net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
-__attribute__((visibility("default"))) X509*
- net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
-__attribute__((visibility("default"))) rsRetVal
- net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
-__attribute__((visibility("default"))) rsRetVal
- net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
-
-/*
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
-long RSYSLOG_BIO_debug_callback_ex(BIO *bio, int cmd, const char __attribute__((unused)) *argp,
- size_t __attribute__((unused)) len, int argi, long __attribute__((unused)) argl,
- int ret, size_t __attribute__((unused)) *processed);
-#else
-long RSYSLOG_BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *argp,
- int argi, long __attribute__((unused)) argl, long ret);
-#endif
-*/
-
/* prototypes */
PROTOTYPEObj(net_ossl);
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 2d70fb6..095328b 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -80,7 +80,7 @@ void nsd_ossl_lastOpenSSLErrorMsg(nsd_ossl_t const *pThis, const int ret, SSL *s
}
// Call helper in net_ossl
- net_ossl_lastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi);
+ net_ossl.osslLastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi);
free(fromHost);
errno = errno_store;
@@ -278,7 +278,8 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe
dbgprintf("osslInitSession: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
pThis->pNetOssl->authMode, pThis->DrvrVerifyDepth);
/* Enable certificate valid checking */
- net_ossl_set_ssl_verify_callback(pThis->pNetOssl->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ net_ossl.osslSetSslVerifyCallback(pThis->pNetOssl->ssl,
+ SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
if (pThis->DrvrVerifyDepth != 0) {
SSL_set_verify_depth(pThis->pNetOssl->ssl, pThis->DrvrVerifyDepth);
}
@@ -305,7 +306,7 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe
dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
/* Set debug Callback for conn BIO as well! */
- net_ossl_set_bio_callback(conn);
+ net_ossl.osslSetBioCallback(conn);
/* TODO: still needed? Set to NON blocking ! */
BIO_set_nbio( conn, 1 );
@@ -347,25 +348,25 @@ osslChkPeerAuth(nsd_ossl_t *pThis)
switch(pThis->pNetOssl->authMode) {
case OSSL_AUTH_CERTNAME:
/* if we check the name, we must ensure the cert is valid */
- certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
+ certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
dbgprintf("osslChkPeerAuth: Check peer certname[%p]=%s\n",
(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
- CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
- CHKiRet(net_ossl_chkpeername(pThis->pNetOssl, certpeer, fromHostIP));
+ CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
+ CHKiRet(net_ossl.osslChkpeername(pThis->pNetOssl, certpeer, fromHostIP));
break;
case OSSL_AUTH_CERTFINGERPRINT:
- certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
+ certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
dbgprintf("osslChkPeerAuth: Check peer fingerprint[%p]=%s\n",
(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
- CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
- CHKiRet(net_ossl_peerfingerprint(pThis->pNetOssl, certpeer, fromHostIP));
+ CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
+ CHKiRet(net_ossl.osslPeerfingerprint(pThis->pNetOssl, certpeer, fromHostIP));
break;
case OSSL_AUTH_CERTVALID:
- certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
+ certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
dbgprintf("osslChkPeerAuth: Check peer valid[%p]=%s\n",
(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
- CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
+ CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
break;
case OSSL_AUTH_CERTANON:
FINALIZE;
@@ -1277,7 +1278,7 @@ applyGnutlsPriorityString(nsd_ossl_t *const pThis)
if(pThis->gnutlsPriorityString == NULL || pThis->pNetOssl->ctx == NULL) {
FINALIZE;
} else {
- CHKiRet(net_ossl_apply_tlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString));
+ CHKiRet(net_ossl.osslApplyTlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString));
}
#endif