5 // Created by Martin Baulig on 4/11/16.
6 // Copyright © 2016 Xamarin. All rights reserved.
9 #include <btls-ssl-ctx.h>
10 #include <btls-x509-verify-param.h>
12 struct MonoBtlsSslCtx {
13 CRYPTO_refcount_t references;
18 MonoBtlsVerifyFunc verify_func;
19 MonoBtlsSelectFunc select_func;
22 #define debug_print(ptr,message) \
23 do { if (mono_btls_ssl_ctx_is_debug_enabled(ptr)) \
24 mono_btls_ssl_ctx_debug_printf (ptr, "%s:%d:%s(): " message, __FILE__, __LINE__, \
25 __func__); } while (0)
27 #define debug_printf(ptr,fmt, ...) \
28 do { if (mono_btls_ssl_ctx_is_debug_enabled(ptr)) \
29 mono_btls_ssl_ctx_debug_printf (ptr, "%s:%d:%s(): " fmt, __FILE__, __LINE__, \
30 __func__, __VA_ARGS__); } while (0)
32 void ssl_cipher_preference_list_free (struct ssl_cipher_preference_list_st *cipher_list);
35 mono_btls_ssl_ctx_is_debug_enabled (MonoBtlsSslCtx *ctx)
37 return ctx->debug_bio != NULL;
41 mono_btls_ssl_ctx_debug_printf (MonoBtlsSslCtx *ctx, const char *format, ...)
49 va_start (args, format);
50 ret = mono_btls_debug_printf (ctx->debug_bio, format, args);
55 MONO_API MonoBtlsSslCtx *
56 mono_btls_ssl_ctx_new (void)
60 ctx = OPENSSL_malloc (sizeof (MonoBtlsSslCtx));
64 memset (ctx, 0, sizeof (MonoBtlsSslCtx));
66 ctx->ctx = SSL_CTX_new (TLS_method ());
68 // enable the default ciphers but disable any RC4 based ciphers
69 // since they're insecure: RFC 7465 "Prohibiting RC4 Cipher Suites"
70 SSL_CTX_set_cipher_list (ctx->ctx, "DEFAULT:!RC4");
72 // disable SSLv2 and SSLv3 by default, they are deprecated
73 // and should generally not be used according to the openssl docs
74 SSL_CTX_set_options (ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
79 MONO_API MonoBtlsSslCtx *
80 mono_btls_ssl_ctx_up_ref (MonoBtlsSslCtx *ctx)
82 CRYPTO_refcount_inc (&ctx->references);
87 mono_btls_ssl_ctx_free (MonoBtlsSslCtx *ctx)
89 if (!CRYPTO_refcount_dec_and_test_zero (&ctx->references))
91 SSL_CTX_free (ctx->ctx);
98 mono_btls_ssl_ctx_get_ctx (MonoBtlsSslCtx *ctx)
104 mono_btls_ssl_ctx_set_debug_bio (MonoBtlsSslCtx *ctx, BIO *debug_bio)
107 ctx->debug_bio = BIO_up_ref(debug_bio);
109 ctx->debug_bio = NULL;
113 mono_btls_ssl_ctx_initialize (MonoBtlsSslCtx *ctx, void *instance)
115 ctx->instance = instance;
119 cert_verify_callback (X509_STORE_CTX *storeCtx, void *arg)
121 MonoBtlsSslCtx *ptr = (MonoBtlsSslCtx*)arg;
124 debug_printf (ptr, "cert_verify_callback(): %p\n", ptr->verify_func);
125 ret = X509_verify_cert (storeCtx);
126 debug_printf (ptr, "cert_verify_callback() #1: %d\n", ret);
128 if (ptr->verify_func)
129 ret = ptr->verify_func (ptr->instance, ret, storeCtx);
135 mono_btls_ssl_ctx_set_cert_verify_callback (MonoBtlsSslCtx *ptr, MonoBtlsVerifyFunc func, int cert_required)
139 ptr->verify_func = func;
140 SSL_CTX_set_cert_verify_callback (ptr->ctx, cert_verify_callback, ptr);
142 mode = SSL_VERIFY_PEER;
144 mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
146 SSL_CTX_set_verify (ptr->ctx, mode, NULL);
150 cert_select_callback (SSL *ssl, void *arg)
152 MonoBtlsSslCtx *ptr = (MonoBtlsSslCtx*)arg;
155 debug_printf (ptr, "cert_select_callback(): %p\n", ptr->select_func);
156 if (ptr->select_func)
157 ret = ptr->select_func (ptr->instance);
158 debug_printf (ptr, "cert_select_callback() #1: %d\n", ret);
164 mono_btls_ssl_ctx_set_cert_select_callback (MonoBtlsSslCtx *ptr, MonoBtlsSelectFunc func)
166 ptr->select_func = func;
167 SSL_CTX_set_cert_cb (ptr->ctx, cert_select_callback, ptr);
170 MONO_API X509_STORE *
171 mono_btls_ssl_ctx_peek_store (MonoBtlsSslCtx *ctx)
173 return SSL_CTX_get_cert_store (ctx->ctx);
177 mono_btls_ssl_ctx_set_min_version (MonoBtlsSslCtx *ctx, int version)
179 SSL_CTX_set_min_version (ctx->ctx, version);
183 mono_btls_ssl_ctx_set_max_version (MonoBtlsSslCtx *ctx, int version)
185 SSL_CTX_set_max_version (ctx->ctx, version);
189 mono_btls_ssl_ctx_is_cipher_supported (MonoBtlsSslCtx *ctx, uint16_t value)
191 const SSL_CIPHER *cipher;
193 cipher = SSL_get_cipher_by_value (value);
194 return cipher != NULL;
198 mono_btls_ssl_ctx_set_ciphers (MonoBtlsSslCtx *ctx, int count, const uint16_t *data,
199 int allow_unsupported)
201 STACK_OF(SSL_CIPHER) *ciphers = NULL;
202 struct ssl_cipher_preference_list_st *pref_list = NULL;
203 uint8_t *in_group_flags = NULL;
206 ciphers = sk_SSL_CIPHER_new_null ();
210 for (i = 0; i < count; i++) {
211 const SSL_CIPHER *cipher = SSL_get_cipher_by_value (data [i]);
213 debug_printf (ctx, "mono_btls_ssl_ctx_set_ciphers(): unknown cipher %02x", data [i]);
214 if (!allow_unsupported)
218 if (!sk_SSL_CIPHER_push (ciphers, cipher))
222 pref_list = OPENSSL_malloc (sizeof (struct ssl_cipher_preference_list_st));
226 memset (pref_list, 0, sizeof (struct ssl_cipher_preference_list_st));
227 pref_list->ciphers = sk_SSL_CIPHER_dup (ciphers);
228 if (!pref_list->ciphers)
230 pref_list->in_group_flags = OPENSSL_malloc (sk_SSL_CIPHER_num (ciphers));
231 if (!pref_list->in_group_flags)
234 if (ctx->ctx->cipher_list)
235 ssl_cipher_preference_list_free (ctx->ctx->cipher_list);
236 if (ctx->ctx->cipher_list_by_id)
237 sk_SSL_CIPHER_free (ctx->ctx->cipher_list_by_id);
238 if (ctx->ctx->cipher_list_tls10) {
239 ssl_cipher_preference_list_free (ctx->ctx->cipher_list_tls10);
240 ctx->ctx->cipher_list_tls10 = NULL;
242 if (ctx->ctx->cipher_list_tls11) {
243 ssl_cipher_preference_list_free (ctx->ctx->cipher_list_tls11);
244 ctx->ctx->cipher_list_tls11 = NULL;
247 ctx->ctx->cipher_list = pref_list;
248 ctx->ctx->cipher_list_by_id = ciphers;
250 return (int)sk_SSL_CIPHER_num (ciphers);
253 sk_SSL_CIPHER_free (ciphers);
254 OPENSSL_free (pref_list);
255 OPENSSL_free (in_group_flags);
260 mono_btls_ssl_ctx_set_verify_param (MonoBtlsSslCtx *ctx, const MonoBtlsX509VerifyParam *param)
262 return SSL_CTX_set1_param (ctx->ctx, mono_btls_x509_verify_param_peek_param (param));