[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
[1329]
[1330]
[1331]
[1332]
[1333]
[1334]
[1335]
[1336]
[1337]
[1338]
[1339]
[1340]
[1341]
[1342]
[1343]
[1344]
[1345]
[1346]
[1347]
[1348]
[1349]
[1350]
[1351]
[1352]
[1353]
[1354]
[1355]
[1356]
[1357]
[1358]
[1359]
[1360]
[1361]
[1362]
[1363]
[1364]
[1365]
[1366]
[1367]
[1368]
[1369]
[1370]
[1371]
[1372]
[1373]
[1374]
[1375]
[1376]
[1377]
[1378]
[1379]
[1380]
[1381]
[1382]
[1383]
[1384]
[1385]
[1386]
[1387]
[1388]
[1389]
[1390]
[1391]
[1392]
[1393]
[1394]
[1395]
[1396]
[1397]
[1398]
[1399]
[1400]
[1401]
[1402]
[1403]
[1404]
[1405]
[1406]
[1407]
[1408]
[1409]
[1410]
[1411]
[1412]
[1413]
[1414]
[1415]
[1416]
[1417]
[1418]
[1419]
[1420]
[1421]
[1422]
[1423]
[1424]
[1425]
[1426]
[1427]
[1428]
[1429]
[1430]
[1431]
[1432]
[1433]
[1434]
[1435]
[1436]
[1437]
[1438]
[1439]
[1440]
[1441]
[1442]
[1443]
[1444]
[1445]
[1446]
[1447]
[1448]
[1449]
[1450]
[1451]
[1452]
[1453]
[1454]
[1455]
[1456]
[1457]
[1458]
[1459]
[1460]
[1461]
[1462]
[1463]
[1464]
[1465]
[1466]
[1467]
[1468]
[1469]
[1470]
[1471]
[1472]
[1473]
[1474]
[1475]
[1476]
[1477]
[1478]
[1479]
[1480]
[1481]
[1482]
[1483]
[1484]
[1485]
[1486]
[1487]
[1488]
[1489]
[1490]
[1491]
[1492]
[1493]
[1494]
[1495]
[1496]
[1497]
[1498]
[1499]
[1500]
[1501]
[1502]
[1503]
[1504]
[1505]
[1506]
[1507]
[1508]
[1509]
[1510]
[1511]
[1512]
[1513]
[1514]
[1515]
[1516]
[1517]
[1518]
[1519]
[1520]
[1521]
[1522]
[1523]
[1524]
[1525]
[1526]
[1527]
[1528]
[1529]
[1530]
[1531]
[1532]
[1533]
[1534]
[1535]
[1536]
[1537]
[1538]
[1539]
[1540]
[1541]
[1542]
[1543]
[1544]
[1545]
[1546]
[1547]
[1548]
[1549]
[1550]
[1551]
[1552]
[1553]
[1554]
[1555]
[1556]
[1557]
[1558]
[1559]
[1560]
[1561]
[1562]
[1563]
[1564]
[1565]
[1566]
[1567]
[1568]
[1569]
[1570]
[1571]
[1572]
[1573]
[1574]
[1575]
[1576]
[1577]
[1578]
[1579]
[1580]
[1581]
[1582]
[1583]
[1584]
[1585]
[1586]
[1587]
[1588]
[1589]
[1590]
[1591]
[1592]
[1593]
[1594]
[1595]
[1596]
[1597]
[1598]
[1599]
[1600]
[1601]
[1602]
[1603]
[1604]
[1605]
[1606]
[1607]
[1608]
[1609]
[1610]
[1611]
[1612]
[1613]
[1614]
[1615]
[1616]
[1617]
[1618]
[1619]
[1620]
[1621]
[1622]
[1623]
[1624]
[1625]
[1626]
[1627]
[1628]
[1629]
[1630]
[1631]
[1632]
[1633]
[1634]
[1635]
[1636]
[1637]
[1638]
[1639]
[1640]
[1641]
[1642]
[1643]
[1644]
[1645]
[1646]
[1647]
[1648]
[1649]
[1650]
[1651]
[1652]
[1653]
[1654]
[1655]
[1656]
[1657]
[1658]
[1659]
[1660]
[1661]
[1662]
[1663]
[1664]
[1665]
[1666]
[1667]
[1668]
[1669]
[1670]
[1671]
[1672]
[1673]
[1674]
[1675]
[1676]
[1677]
[1678]
[1679]
[1680]
[1681]
[1682]
[1683]
[1684]
[1685]
[1686]
[1687]
[1688]
[1689]
[1690]
[1691]
[1692]
[1693]
[1694]
[1695]
[1696]
[1697]
[1698]
[1699]
[1700]
[1701]
[1702]
[1703]
[1704]
[1705]
[1706]
[1707]
[1708]
[1709]
[1710]
[1711]
[1712]
[1713]
[1714]
[1715]
[1716]
[1717]
[1718]
[1719]
[1720]
[1721]
[1722]
[1723]
[1724]
[1725]
[1726]
[1727]
[1728]
[1729]
[1730]
[1731]
[1732]
[1733]
[1734]
[1735]
[1736]
[1737]
[1738]
[1739]
[1740]
[1741]
[1742]
[1743]
[1744]
[1745]
[1746]
[1747]
[1748]
[1749]
[1750]
[1751]
[1752]
[1753]
[1754]
[1755]
[1756]
[1757]
[1758]
[1759]
[1760]
[1761]
[1762]
[1763]
[1764]
[1765]
[1766]
[1767]
[1768]
[1769]
[1770]
[1771]
[1772]
[1773]
[1774]
[1775]
[1776]
[1777]
[1778]
[1779]
[1780]
[1781]
[1782]
[1783]
[1784]
[1785]
[1786]
[1787]
[1788]
[1789]
[1790]
[1791]
[1792]
[1793]
[1794]
[1795]
[1796]
[1797]
[1798]
[1799]
[1800]
[1801]
[1802]
[1803]
[1804]
[1805]
[1806]
[1807]
[1808]
[1809]
[1810]
[1811]
[1812]
[1813]
[1814]
[1815]
[1816]
[1817]
[1818]
[1819]
[1820]
[1821]
[1822]
[1823]
[1824]
[1825]
[1826]
[1827]
[1828]
[1829]
[1830]
[1831]
[1832]
[1833]
[1834]
[1835]
[1836]
[1837]
[1838]
[1839]
[1840]
[1841]
[1842]
[1843]
[1844]
[1845]
[1846]
[1847]
[1848]
[1849]
[1850]
[1851]
[1852]
[1853]
[1854]
[1855]
[1856]
[1857]
[1858]
[1859]
[1860]
[1861]
[1862]
[1863]
[1864]
[1865]
[1866]
[1867]
[1868]
[1869]
[1870]
[1871]
[1872]
[1873]
[1874]
[1875]
[1876]
[1877]
[1878]
[1879]
[1880]
[1881]
[1882]
[1883]
[1884]
[1885]
[1886]
[1887]
[1888]
[1889]
[1890]
[1891]
[1892]
[1893]
[1894]
[1895]
[1896]
[1897]
[1898]
[1899]
[1900]
[1901]
[1902]
[1903]
[1904]
[1905]
[1906]
[1907]
[1908]
[1909]
[1910]
[1911]
[1912]
[1913]
[1914]
[1915]
[1916]
[1917]
[1918]
[1919]
[1920]
[1921]
[1922]
[1923]
[1924]
[1925]
[1926]
[1927]
[1928]
[1929]
[1930]
[1931]
[1932]
[1933]
[1934]
[1935]
[1936]
[1937]
[1938]
[1939]
[1940]
[1941]
[1942]
[1943]
[1944]
[1945]
[1946]
[1947]
[1948]
[1949]
[1950]
[1951]
[1952]
[1953]
[1954]
[1955]
[1956]
[1957]
[1958]
[1959]
[1960]
[1961]
[1962]
[1963]
[1964]
[1965]
[1966]
[1967]
[1968]
[1969]
[1970]
[1971]
[1972]
[1973]
[1974]
[1975]
[1976]
[1977]
[1978]
[1979]
[1980]
[1981]
[1982]
[1983]
[1984]
[1985]
[1986]
[1987]
[1988]
[1989]
[1990]
[1991]
[1992]
[1993]
[1994]
[1995]
[1996]
[1997]
[1998]
[1999]
[2000]
[2001]
[2002]
[2003]
[2004]
[2005]
[2006]
[2007]
[2008]
[2009]
[2010]
[2011]
[2012]
[2013]
[2014]
[2015]
[2016]
[2017]
[2018]
[2019]
[2020]
[2021]
[2022]
[2023]
[2024]
[2025]
[2026]
[2027]
[2028]
[2029]
[2030]
[2031]
[2032]
[2033]
[2034]
[2035]
[2036]
[2037]
[2038]
[2039]
[2040]
[2041]
[2042]
[2043]
[2044]
[2045]
[2046]
[2047]
[2048]
[2049]
[2050]
[2051]
[2052]
[2053]
[2054]
[2055]
[2056]
[2057]
[2058]
[2059]
[2060]
[2061]
[2062]
[2063]
[2064]
[2065]
[2066]
[2067]
[2068]
[2069]
[2070]
[2071]
[2072]
[2073]
[2074]
[2075]
[2076]
[2077]
[2078]
[2079]
[2080]
[2081]
[2082]
[2083]
[2084]
[2085]
[2086]
[2087]
[2088]
[2089]
[2090]
[2091]
[2092]
[2093]
[2094]
[2095]
[2096]
[2097]
[2098]
[2099]
[2100]
[2101]
[2102]
[2103]
[2104]
[2105]
[2106]
[2107]
[2108]
[2109]
[2110]
[2111]
[2112]
[2113]
[2114]
[2115]
[2116]
[2117]
[2118]
[2119]
[2120]
[2121]
[2122]
[2123]
[2124]
[2125]
[2126]
[2127]
[2128]
[2129]
[2130]
[2131]
[2132]
[2133]
[2134]
[2135]
[2136]
[2137]
[2138]
[2139]
[2140]
[2141]
[2142]
[2143]
[2144]
[2145]
[2146]
[2147]
[2148]
[2149]
[2150]
[2151]
[2152]
[2153]
[2154]
[2155]
[2156]
[2157]
[2158]
[2159]
[2160]
[2161]
[2162]
[2163]
[2164]
[2165]
[2166]
[2167]
[2168]
[2169]
[2170]
[2171]
[2172]
[2173]
[2174]
[2175]
[2176]
[2177]
[2178]
[2179]
[2180]
[2181]
[2182]
[2183]
[2184]
[2185]
[2186]
[2187]
[2188]
[2189]
[2190]
[2191]
[2192]
[2193]
[2194]
[2195]
[2196]
[2197]
[2198]
[2199]
[2200]
[2201]
[2202]
[2203]
[2204]
[2205]
[2206]
[2207]
[2208]
[2209]
[2210]
[2211]
[2212]
[2213]
[2214]
[2215]
[2216]
[2217]
[2218]
[2219]
[2220]
[2221]
[2222]
[2223]
[2224]
[2225]
[2226]
[2227]
[2228]
[2229]
[2230]
[2231]
[2232]
[2233]
[2234]
[2235]
[2236]
[2237]
[2238]
[2239]
[2240]
[2241]
[2242]
[2243]
[2244]
[2245]
[2246]
[2247]
[2248]
[2249]
[2250]
[2251]
[2252]
[2253]
[2254]
[2255]
[2256]
[2257]
[2258]
[2259]
[2260]
[2261]
[2262]
[2263]
[2264]
[2265]
[2266]
[2267]
[2268]
[2269]
[2270]
[2271]
[2272]
[2273]
[2274]
[2275]
[2276]
[2277]
[2278]
[2279]
[2280]
[2281]
[2282]
[2283]
[2284]
[2285]
[2286]
[2287]
[2288]
[2289]
[2290]
[2291]
[2292]
[2293]
[2294]
[2295]
[2296]
[2297]
[2298]
[2299]
[2300]
[2301]
[2302]
[2303]
[2304]
[2305]
[2306]
[2307]
[2308]
[2309]
[2310]
[2311]
[2312]
[2313]
[2314]
[2315]
[2316]
[2317]
[2318]
[2319]
[2320]
[2321]
[2322]
[2323]
[2324]
[2325]
[2326]
[2327]
[2328]
[2329]
[2330]
[2331]
[2332]
[2333]
[2334]
[2335]
[2336]
[2337]
[2338]
[2339]
[2340]
[2341]
[2342]
[2343]
[2344]
[2345]
[2346]
[2347]
[2348]
[2349]
[2350]
[2351]
[2352]
[2353]
[2354]
[2355]
[2356]
[2357]
[2358]
[2359]
[2360]
[2361]
[2362]
[2363]
[2364]
[2365]
[2366]
[2367]
[2368]
[2369]
[2370]
[2371]
[2372]
[2373]
[2374]
[2375]
[2376]
[2377]
[2378]
[2379]
[2380]
[2381]
[2382]
[2383]
[2384]
[2385]
[2386]
[2387]
[2388]
[2389]
[2390]
[2391]
[2392]
[2393]
[2394]
[2395]
[2396]
[2397]
[2398]
[2399]
[2400]
[2401]
[2402]
[2403]
[2404]
[2405]
[2406]
[2407]
[2408]
[2409]
[2410]
[2411]
[2412]
[2413]
[2414]
[2415]
[2416]
[2417]
[2418]
[2419]
[2420]
[2421]
[2422]
[2423]
[2424]
[2425]
[2426]
[2427]
[2428]
[2429]
[2430]
[2431]
[2432]
[2433]
[2434]
[2435]
[2436]
[2437]
[2438]
[2439]
[2440]
[2441]
[2442]
[2443]
[2444]
[2445]
[2446]
[2447]
[2448]
[2449]
[2450]
[2451]
[2452]
[2453]
[2454]
[2455]
[2456]
[2457]
[2458]
[2459]
[2460]
[2461]
[2462]
[2463]
[2464]
[2465]
[2466]
[2467]
[2468]
[2469]
[2470]
[2471]
[2472]
[2473]
[2474]
[2475]
[2476]
[2477]
[2478]
[2479]
[2480]
[2481]
[2482]
[2483]
[2484]
[2485]
[2486]
[2487]
[2488]
[2489]
[2490]
[2491]
[2492]
[2493]
[2494]
[2495]
[2496]
[2497]
[2498]
[2499]
[2500]
[2501]
[2502]
[2503]
[2504]
[2505]
[2506]
[2507]
[2508]
[2509]
[2510]
[2511]
[2512]
[2513]
[2514]
[2515]
[2516]
[2517]
[2518]
[2519]
[2520]
[2521]
[2522]
[2523]
[2524]
[2525]
[2526]
[2527]
[2528]
[2529]
[2530]
[2531]
[2532]
[2533]
[2534]
[2535]
[2536]
[2537]
[2538]
[2539]
[2540]
[2541]
[2542]
[2543]
[2544]
[2545]
[2546]
[2547]
[2548]
[2549]
[2550]
[2551]
[2552]
[2553]
[2554]
[2555]
[2556]
[2557]
[2558]
[2559]
[2560]
[2561]
[2562]
[2563]
[2564]
[2565]
[2566]
[2567]
[2568]
[2569]
[2570]
[2571]
[2572]
[2573]
[2574]
[2575]
[2576]
[2577]
[2578]
[2579]
[2580]
[2581]
[2582]
[2583]
[2584]
[2585]
[2586]
[2587]
[2588]
[2589]
[2590]
[2591]
[2592]
[2593]
[2594]
[2595]
[2596]
[2597]
[2598]
[2599]
[2600]
[2601]
[2602]
[2603]
[2604]
[2605]
[2606]
[2607]
[2608]
[2609]
[2610]
[2611]
[2612]
[2613]
[2614]
[2615]
[2616]
[2617]
[2618]
[2619]
[2620]
[2621]
[2622]
[2623]
[2624]
[2625]
[2626]
[2627]
[2628]
[2629]
[2630]
[2631]
[2632]
[2633]
[2634]
[2635]
[2636]
[2637]
[2638]
[2639]
[2640]
[2641]
[2642]
[2643]
[2644]
[2645]
[2646]
[2647]
[2648]
[2649]
[2650]
[2651]
[2652]
[2653]
[2654]
[2655]
[2656]
[2657]
[2658]
[2659]
[2660]
[2661]
[2662]
[2663]
[2664]
[2665]
[2666]
[2667]
[2668]
[2669]
[2670]
[2671]
[2672]
[2673]
[2674]
[2675]
[2676]
[2677]
[2678]
[2679]
[2680]
[2681]
[2682]
[2683]
[2684]
[2685]
[2686]
[2687]
[2688]
[2689]
[2690]
[2691]
[2692]
[2693]
[2694]
[2695]
[2696]
[2697]
[2698]
[2699]
[2700]
[2701]
[2702]
[2703]
[2704]
[2705]
[2706]
[2707]
[2708]
[2709]
[2710]
[2711]
[2712]
[2713]
[2714]
[2715]
[2716]
[2717]
[2718]
[2719]
[2720]
[2721]
[2722]
[2723]
[2724]
[2725]
[2726]
[2727]
[2728]
[2729]
[2730]
[2731]
[2732]
[2733]
[2734]
[2735]
[2736]
[2737]
[2738]
[2739]
[2740]
[2741]
[2742]
[2743]
[2744]
[2745]
[2746]
[2747]
[2748]
[2749]
[2750]
[2751]
[2752]
[2753]
[2754]
[2755]
[2756]
[2757]
[2758]
[2759]
[2760]
[2761]
[2762]
[2763]
[2764]
[2765]
[2766]
[2767]
[2768]
[2769]
[2770]
[2771]
[2772]
[2773]
[2774]
[2775]
[2776]
[2777]
[2778]
[2779]
[2780]
[2781]
[2782]
[2783]
[2784]
[2785]
[2786]
[2787]
[2788]
[2789]
[2790]
[2791]
[2792]
[2793]
[2794]
[2795]
[2796]
[2797]
[2798]
[2799]
[2800]
[2801]
[2802]
[2803]
[2804]
[2805]
[2806]
[2807]
[2808]
[2809]
[2810]
[2811]
[2812]
[2813]
[2814]
[2815]
[2816]
[2817]
[2818]
[2819]
[2820]
[2821]
[2822]
[2823]
[2824]
[2825]
[2826]
[2827]
[2828]
[2829]
[2830]
[2831]
[2832]
[2833]
[2834]
[2835]
[2836]
[2837]
[2838]
[2839]
[2840]
[2841]
[2842]
[2843]
[2844]
[2845]
[2846]
[2847]
[2848]
[2849]
[2850]
[2851]
[2852]
[2853]
[2854]
[2855]
[2856]
[2857]
[2858]
[2859]
[2860]
[2861]
[2862]
[2863]
[2864]
[2865]
[2866]
[2867]
[2868]
[2869]
[2870]
[2871]
[2872]
[2873]
[2874]
[2875]
[2876]
[2877]
[2878]
[2879]
[2880]
[2881]
[2882]
[2883]
[2884]
[2885]
[2886]
[2887]
[2888]
[2889]
[2890]
[2891]
[2892]
[2893]
[2894]
[2895]
[2896]
[2897]
[2898]
[2899]
[2900]
[2901]
[2902]
[2903]
[2904]
[2905]
[2906]
[2907]
[2908]
[2909]
[2910]
[2911]
[2912]
[2913]
[2914]
[2915]
[2916]
[2917]
[2918]
[2919]
[2920]
[2921]
[2922]
[2923]
[2924]
[2925]
[2926]
[2927]
[2928]
[2929]
[2930]
[2931]
[2932]
[2933]
[2934]
[2935]
[2936]
[2937]
[2938]
[2939]
[2940]
[2941]
[2942]
[2943]
[2944]
[2945]
[2946]
[2947]
[2948]
[2949]
[2950]
[2951]
[2952]
[2953]
[2954]
[2955]
[2956]
[2957]
[2958]
[2959]
[2960]
[2961]
[2962]
[2963]
[2964]
[2965]
[2966]
[2967]
[2968]
[2969]
[2970]
[2971]
[2972]
[2973]
[2974]
[2975]
[2976]
[2977]
[2978]
[2979]
[2980]
[2981]
[2982]
[2983]
[2984]
[2985]
[2986]
[2987]
[2988]
[2989]
[2990]
[2991]
[2992]
[2993]
[2994]
[2995]
[2996]
[2997]
[2998]
[2999]
[3000]
[3001]
[3002]
[3003]
[3004]
[3005]
[3006]
[3007]
[3008]
[3009]
[3010]
[3011]
[3012]
[3013]
[3014]
[3015]
[3016]
[3017]
[3018]
[3019]
[3020]
[3021]
[3022]
[3023]
[3024]
[3025]
[3026]
[3027]
[3028]
[3029]
[3030]
[3031]
[3032]
[3033]
[3034]
[3035]
[3036]
[3037]
[3038]
[3039]
[3040]
[3041]
[3042]
[3043]
[3044]
[3045]
[3046]
[3047]
[3048]
[3049]
[3050]
[3051]
[3052]
[3053]
[3054]
[3055]
[3056]
[3057]
[3058]
[3059]
[3060]
[3061]
[3062]
[3063]
[3064]
[3065]
[3066]
[3067]
[3068]
[3069]
[3070]
[3071]
[3072]
[3073]
[3074]
[3075]
[3076]
[3077]
[3078]
[3079]
[3080]
[3081]
[3082]
[3083]
[3084]
[3085]
[3086]
[3087]
[3088]
[3089]
[3090]
[3091]
[3092]
[3093]
[3094]
[3095]
[3096]
[3097]
[3098]
[3099]
[3100]
[3101]
[3102]
[3103]
[3104]
[3105]
[3106]
[3107]
[3108]
[3109]
[3110]
[3111]
[3112]
[3113]
[3114]
[3115]
[3116]
[3117]
[3118]
[3119]
[3120]
[3121]
[3122]
[3123]
[3124]
[3125]
[3126]
[3127]
[3128]
[3129]
[3130]
[3131]
[3132]
[3133]
[3134]
[3135]
[3136]
[3137]
[3138]
[3139]
[3140]
[3141]
[3142]
[3143]
[3144]
[3145]
[3146]
[3147]
[3148]
[3149]
[3150]
[3151]
[3152]
[3153]
[3154]
[3155]
[3156]
[3157]
[3158]
[3159]
[3160]
[3161]
[3162]
[3163]
[3164]
[3165]
[3166]
[3167]
[3168]
[3169]
[3170]
[3171]
[3172]
[3173]
[3174]
[3175]
[3176]
[3177]
[3178]
[3179]
[3180]
[3181]
[3182]
[3183]
[3184]
[3185]
[3186]
[3187]
[3188]
[3189]
[3190]
[3191]
[3192]
[3193]
[3194]
[3195]
[3196]
[3197]
[3198]
[3199]
[3200]
[3201]
[3202]
[3203]
[3204]
[3205]
[3206]
[3207]
[3208]
[3209]
[3210]
[3211]
[3212]
[3213]
[3214]
[3215]
[3216]
[3217]
[3218]
[3219]
[3220]
[3221]
[3222]
[3223]
[3224]
[3225]
[3226]
[3227]
[3228]
[3229]
[3230]
[3231]
[3232]
[3233]
[3234]
[3235]
[3236]
[3237]
[3238]
[3239]
[3240]
[3241]
[3242]
[3243]
[3244]
[3245]
[3246]
[3247]
[3248]
[3249]
[3250]
[3251]
[3252]
[3253]
[3254]
[3255]
[3256]
[3257]
[3258]
[3259]
[3260]
[3261]
[3262]
[3263]
[3264]
[3265]
[3266]
[3267]
[3268]
[3269]
[3270]
[3271]
[3272]
[3273]
[3274]
[3275]
[3276]
[3277]
[3278]
[3279]
[3280]
[3281]
[3282]
[3283]
[3284]
[3285]
[3286]
[3287]
[3288]
[3289]
[3290]
[3291]
[3292]
[3293]
[3294]
[3295]
[3296]
[3297]
[3298]
[3299]
[3300]
[3301]
[3302]
[3303]
[3304]
[3305]
[3306]
[3307]
[3308]
[3309]
[3310]
[3311]
[3312]
[3313]
[3314]
[3315]
[3316]
[3317]
[3318]
[3319]
[3320]
[3321]
[3322]
[3323]
[3324]
[3325]
[3326]
[3327]
[3328]
[3329]
[3330]
[3331]
[3332]
[3333]
[3334]
[3335]
[3336]
[3337]
[3338]
[3339]
[3340]
[3341]
[3342]
[3343]
[3344]
[3345]
[3346]
[3347]
[3348]
[3349]
[3350]
[3351]
[3352]
[3353]
[3354]
[3355]
[3356]
[3357]
[3358]
[3359]
[3360]
[3361]
[3362]
[3363]
[3364]
[3365]
[3366]
[3367]
[3368]
[3369]
[3370]
[3371]
[3372]
[3373]
[3374]
[3375]
[3376]
[3377]
[3378]
[3379]
[3380]
[3381]
[3382]
[3383]
[3384]
[3385]
[3386]
[3387]
[3388]
[3389]
[3390]
[3391]
[3392]
[3393]
[3394]
[3395]
[3396]
[3397]
[3398]
[3399]
[3400]
[3401]
[3402]
[3403]
[3404]
[3405]
[3406]
[3407]
[3408]
[3409]
[3410]
[3411]
[3412]
[3413]
[3414]
[3415]
[3416]
[3417]
[3418]
[3419]
[3420]
[3421]
[3422]
[3423]
[3424]
[3425]
[3426]
[3427]
[3428]
[3429]
[3430]
[3431]
[3432]
[3433]
[3434]
[3435]
[3436]
[3437]
[3438]
[3439]
[3440]
[3441]
[3442]
[3443]
[3444]
[3445]
[3446]
[3447]
[3448]
[3449]
[3450]
[3451]
[3452]
[3453]
[3454]
[3455]
[3456]
[3457]
[3458]
[3459]
[3460]
[3461]
[3462]
[3463]
[3464]
[3465]
[3466]
[3467]
[3468]
[3469]
[3470]
[3471]
[3472]
[3473]
[3474]
[3475]
[3476]
[3477]
[3478]
[3479]
[3480]
[3481]
[3482]
[3483]
[3484]
[3485]
[3486]
[3487]
[3488]
[3489]
[3490]
[3491]
[3492]
[3493]
[3494]
[3495]
[3496]
[3497]
[3498]
[3499]
[3500]
[3501]
[3502]
[3503]
[3504]
[3505]
[3506]
[3507]
[3508]
[3509]
[3510]
[3511]
[3512]
[3513]
[3514]
[3515]
[3516]
[3517]
[3518]
[3519]
[3520]
[3521]
[3522]
[3523]
[3524]
[3525]
[3526]
[3527]
[3528]
[3529]
[3530]
[3531]
[3532]
[3533]
[3534]
[3535]
[3536]
[3537]
[3538]
[3539]
[3540]
[3541]
[3542]
[3543]
[3544]
[3545]
[3546]
[3547]
[3548]
[3549]
[3550]
[3551]
[3552]
[3553]
[3554]
[3555]
[3556]
[3557]
[3558]
[3559]
[3560]
[3561]
[3562]
[3563]
[3564]
[3565]
[3566]
[3567]
[3568]
[3569]
[3570]
[3571]
[3572]
[3573]
[3574]
[3575]
[3576]
[3577]
[3578]
[3579]
[3580]
[3581]
[3582]
[3583]
[3584]
[3585]
[3586]
[3587]
[3588]
[3589]
[3590]
[3591]
[3592]
[3593]
[3594]
[3595]
[3596]
[3597]
[3598]
[3599]
[3600]
[3601]
[3602]
[3603]
[3604]
[3605]
[3606]
[3607]
[3608]
[3609]
[3610]
[3611]
[3612]
[3613]
[3614]
[3615]
[3616]
[3617]
[3618]
[3619]
[3620]
[3621]
[3622]
[3623]
[3624]
[3625]
[3626]
[3627]
[3628]
[3629]
[3630]
[3631]
[3632]
[3633]
[3634]
[3635]
[3636]
[3637]
[3638]
[3639]
[3640]
[3641]
[3642]
[3643]
[3644]
[3645]
[3646]
[3647]
[3648]
[3649]
[3650]
[3651]
[3652]
[3653]
[3654]
[3655]
[3656]
[3657]
[3658]
[3659]
[3660]
[3661]
[3662]
[3663]
[3664]
[3665]
[3666]
[3667]
[3668]
[3669]
[3670]
[3671]
[3672]
[3673]
[3674]
[3675]
[3676]
[3677]
[3678]
[3679]
[3680]
[3681]
[3682]
[3683]
[3684]
[3685]
[3686]
[3687]
[3688]
[3689]
[3690]
[3691]
[3692]
[3693]
[3694]
[3695]
[3696]
[3697]
[3698]
[3699]
[3700]
[3701]
[3702]
[3703]
[3704]
[3705]
[3706]
[3707]
[3708]
[3709]
[3710]
[3711]
[3712]
[3713]
[3714]
[3715]
[3716]
[3717]
[3718]
[3719]
[3720]
[3721]
[3722]
[3723]
[3724]
[3725]
[3726]
[3727]
[3728]
[3729]
[3730]
[3731]
[3732]
[3733]
[3734]
[3735]
[3736]
[3737]
[3738]
[3739]
[3740]
[3741]
[3742]
[3743]
[3744]
[3745]
[3746]
[3747]
[3748]
[3749]
[3750]
[3751]
[3752]
[3753]
[3754]
[3755]
[3756]
[3757]
[3758]
[3759]
[3760]
[3761]
[3762]
[3763]
[3764]
[3765]
[3766]
[3767]
[3768]
[3769]
[3770]
[3771]
[3772]
[3773]
[3774]
[3775]
[3776]
[3777]
[3778]
[3779]
[3780]
[3781]
[3782]
[3783]
[3784]
[3785]
[3786]
[3787]
[3788]
[3789]
[3790]
[3791]
[3792]
[3793]
[3794]
[3795]
[3796]
[3797]
[3798]
[3799]
[3800]
[3801]
[3802]
[3803]
[3804]
[3805]
[3806]
[3807]
[3808]
[3809]
[3810]
[3811]
[3812]
[3813]
[3814]
[3815]
[3816]
[3817]
[3818]
[3819]
[3820]
[3821]
[3822]
[3823]
[3824]
[3825]
[3826]
[3827]
[3828]
[3829]
[3830]
[3831]
[3832]
[3833]
[3834]
[3835]
[3836]
[3837]
[3838]
[3839]
[3840]
[3841]
[3842]
[3843]
[3844]
[3845]
[3846]
[3847]
[3848]
[3849]
[3850]
[3851]
[3852]
[3853]
[3854]
[3855]
[3856]
[3857]
[3858]
[3859]
[3860]
[3861]
[3862]
[3863]
[3864]
[3865]
[3866]
[3867]
[3868]
[3869]
[3870]
[3871]
[3872]
[3873]
[3874]
[3875]
[3876]
[3877]
[3878]
[3879]
[3880]
[3881]
[3882]
[3883]
[3884]
[3885]
[3886]
[3887]
[3888]
[3889]
[3890]
[3891]
[3892]
[3893]
[3894]
[3895]
[3896]
[3897]
[3898]
[3899]
[3900]
[3901]
[3902]
[3903]
[3904]
[3905]
[3906]
[3907]
[3908]
[3909]
[3910]
[3911]
[3912]
[3913]
[3914]
[3915]
[3916]
[3917]
[3918]
[3919]
[3920]
[3921]
[3922]
[3923]
[3924]
[3925]
[3926]
[3927]
[3928]
[3929]
[3930]
[3931]
[3932]
[3933]
[3934]
[3935]
[3936]
[3937]
[3938]
[3939]
[3940]
[3941]
[3942]
[3943]
[3944]
[3945]
[3946]
[3947]
[3948]
[3949]
[3950]
[3951]
[3952]
[3953]
[3954]
[3955]
[3956]
[3957]
[3958]
[3959]
[3960]
[3961]
[3962]
[3963]
[3964]
[3965]
[3966]
[3967]
[3968]
[3969]
[3970]
[3971]
[3972]
[3973]
[3974]
[3975]
[3976]
[3977]
[3978]
[3979]
[3980]
[3981]
[3982]
[3983]
[3984]
[3985]
[3986]
[3987]
[3988]
[3989]
[3990]
[3991]
[3992]
[3993]
[3994]
[3995]
[3996]
[3997]
[3998]
[3999]
[4000]
[4001]
[4002]
[4003]
[4004]
[4005]
[4006]
[4007]
[4008]
[4009]
[4010]
[4011]
[4012]
[4013]
[4014]
[4015]
[4016]
[4017]
[4018]
[4019]
[4020]
[4021]
[4022]
[4023]
[4024]
[4025]
[4026]
[4027]
[4028]
[4029]
[4030]
[4031]
[4032]
[4033]
[4034]
[4035]
[4036]
[4037]
[4038]
[4039]
[4040]
[4041]
[4042]
[4043]
[4044]
[4045]
[4046]
[4047]
[4048]
[4049]
[4050]
[4051]
[4052]
[4053]
[4054]
[4055]
[4056]
[4057]
[4058]
[4059]
[4060]
[4061]
[4062]
[4063]
[4064]
[4065]
[4066]
[4067]
[4068]
[4069]
[4070]
[4071]
[4072]
[4073]
[4074]
[4075]
[4076]
[4077]
[4078]
[4079]
[4080]
[4081]
[4082]
[4083]
[4084]
[4085]
[4086]
[4087]
[4088]
[4089]
[4090]
[4091]
[4092]
[4093]
[4094]
[4095]
[4096]
[4097]
[4098]
[4099]
[4100]
[4101]
[4102]
[4103]
[4104]
[4105]
[4106]
[4107]
[4108]
[4109]
[4110]
[4111]
[4112]
[4113]
[4114]
[4115]
[4116]
[4117]
[4118]
[4119]
[4120]
[4121]
[4122]
[4123]
[4124]
[4125]
[4126]
[4127]
[4128]
[4129]
[4130]
[4131]
[4132]
[4133]
[4134]
[4135]
[4136]
[4137]
[4138]
[4139]
[4140]
[4141]
[4142]
[4143]
[4144]
[4145]
[4146]
[4147]
[4148]
[4149]
[4150]
[4151]
[4152]
[4153]
[4154]
[4155]
[4156]
[4157]
[4158]
[4159]
[4160]
[4161]
[4162]
[4163]
[4164]
[4165]
[4166]
[4167]
[4168]
[4169]
[4170]
[4171]
[4172]
[4173]
[4174]
[4175]
[4176]
[4177]
[4178]
[4179]
[4180]
[4181]
[4182]
[4183]
[4184]
[4185]
[4186]
[4187]
[4188]
[4189]
[4190]
[4191]
[4192]
[4193]
[4194]
[4195]
[4196]
[4197]
[4198]
[4199]
[4200]
[4201]
[4202]
[4203]
[4204]
[4205]
[4206]
[4207]
[4208]
[4209]
[4210]
[4211]
[4212]
[4213]
[4214]
[4215]
[4216]
[4217]
[4218]
[4219]
[4220]
[4221]
[4222]
[4223]
[4224]
[4225]
[4226]
[4227]
[4228]
[4229]
[4230]
[4231]
[4232]
[4233]
[4234]
[4235]
[4236]
[4237]
[4238]
[4239]
[4240]
[4241]
[4242]
[4243]
[4244]
[4245]
[4246]
[4247]
[4248]
[4249]
[4250]
[4251]
[4252]
[4253]
[4254]
[4255]
[4256]
[4257]
[4258]
[4259]
[4260]
[4261]
[4262]
[4263]
[4264]
[4265]
[4266]
[4267]
[4268]
[4269]
[4270]
[4271]
[4272]
[4273]
[4274]
[4275]
[4276]
[4277]
[4278]
[4279]
[4280]
[4281]
[4282]
[4283]
[4284]
[4285]
[4286]
[4287]
[4288]
[4289]
[4290]
[4291]
[4292]
[4293]
[4294]
[4295]
[4296]
[4297]
[4298]
[4299]
[4300]
[4301]
[4302]
[4303]
[4304]
[4305]
[4306]
[4307]
[4308]
[4309]
[4310]
[4311]
[4312]
[4313]
[4314]
[4315]
[4316]
[4317]
[4318]
[4319]
[4320]
[4321]
[4322]
[4323]
[4324]
[4325]
[4326]
[4327]
[4328]
[4329]
[4330]
[4331]
[4332]
[4333]
[4334]
[4335]
[4336]
[4337]
[4338]
[4339]
[4340]
[4341]
[4342]
[4343]
[4344]
[4345]
[4346]
[4347]
[4348]
[4349]
[4350]
[4351]
[4352]
[4353]
[4354]
[4355]
[4356]
[4357]
[4358]
[4359]
[4360]
[4361]
[4362]
[4363]
[4364]
[4365]
[4366]
[4367]
[4368]
[4369]
[4370]
[4371]
[4372]
[4373]
[4374]
[4375]
[4376]
[4377]
[4378]
[4379]
[4380]
[4381]
[4382]
[4383]
[4384]
[4385]
[4386]
[4387]
[4388]
[4389]
[4390]
[4391]
[4392]
[4393]
[4394]
[4395]
[4396]
[4397]
[4398]
[4399]
[4400]
[4401]
[4402]
[4403]
[4404]
[4405]
[4406]
[4407]
[4408]
[4409]
[4410]
[4411]
[4412]
[4413]
[4414]
[4415]
[4416]
[4417]
[4418]
[4419]
[4420]
[4421]
[4422]
[4423]
[4424]
[4425]
[4426]
[4427]
[4428]
[4429]
[4430]
[4431]
[4432]
[4433]
[4434]
[4435]
[4436]
[4437]
[4438]
[4439]
[4440]
[4441]
[4442]
[4443]
[4444]
[4445]
[4446]
[4447]
[4448]
[4449]
[4450]
[4451]
[4452]
[4453]
[4454]
[4455]
[4456]
[4457]
[4458]
[4459]
[4460]
[4461]
[4462]
[4463]
[4464]
[4465]
[4466]
[4467]
[4468]
[4469]
[4470]
[4471]
[4472]
[4473]
[4474]
[4475]
[4476]
[4477]
[4478]
[4479]
[4480]
[4481]
[4482]
[4483]
[4484]
[4485]
[4486]
[4487]
[4488]
[4489]
[4490]
[4491]
[4492]
[4493]
[4494]
[4495]
[4496]
[4497]
[4498]
[4499]
[4500]
[4501]
[4502]
[4503]
[4504]
[4505]
[4506]
[4507]
[4508]
[4509]
[4510]
[4511]
[4512]
[4513]
[4514]
[4515]
[4516]
[4517]
[4518]
[4519]
[4520]
[4521]
[4522]
[4523]
[4524]
[4525]
[4526]
[4527]
[4528]
[4529]
[4530]
[4531]
[4532]
[4533]
[4534]
[4535]
[4536]
[4537]
[4538]
[4539]
[4540]
[4541]
[4542]
[4543]
[4544]
[4545]
[4546]
[4547]
[4548]
[4549]
[4550]
[4551]
[4552]
[4553]
[4554]
[4555]
[4556]
[4557]
[4558]
[4559]
[4560]
[4561]
[4562]
[4563]
[4564]
[4565]
[4566]
[4567]
[4568]
[4569]
[4570]
[4571]
[4572]
[4573]
[4574]
[4575]
[4576]
[4577]
[4578]
[4579]
[4580]
[4581]
[4582]
[4583]
[4584]
[4585]
[4586]
[4587]
[4588]
[4589]
[4590]
[4591]
[4592]
[4593]
[4594]
[4595]
[4596]
[4597]
[4598]
[4599]
[4600]
[4601]
[4602]
[4603]
[4604]
[4605]
[4606]
[4607]
[4608]
[4609]
[4610]
[4611]
[4612]
[4613]
[4614]
[4615]
[4616]
[4617]
[4618]
[4619]
[4620]
[4621]
[4622]
[4623]
[4624]
[4625]
[4626]
[4627]
[4628]
[4629]
[4630]
[4631]
[4632]
[4633]
[4634]
[4635]
[4636]
[4637]
[4638]
[4639]
[4640]
[4641]
[4642]
[4643]
[4644]
[4645]
[4646]
[4647]
[4648]
[4649]
[4650]
[4651]
[4652]
[4653]
[4654]
[4655]
[4656]
[4657]
[4658]
[4659]
[4660]
[4661]
[4662]
[4663]
[4664]
[4665]
[4666]
[4667]
[4668]
[4669]
[4670]
[4671]
[4672]
[4673]
[4674]
[4675]
[4676]
[4677]
[4678]
[4679]
[4680]
[4681]
[4682]
[4683]
[4684]
[4685]
[4686]
[4687]
[4688]
[4689]
[4690]
[4691]
[4692]
[4693]
[4694]
[4695]
[4696]
[4697]
[4698]
[4699]
[4700]
[4701]
[4702]
[4703]
[4704]
[4705]
[4706]
[4707]
[4708]
[4709]
[4710]
[4711]
[4712]
[4713]
[4714]
[4715]
[4716]
[4717]
[4718]
[4719]
[4720]
[4721]
[4722]
[4723]
[4724]
[4725]
[4726]
[4727]
[4728]
[4729]
[4730]
[4731]
[4732]
[4733]
[4734]
[4735]
[4736]
[4737]
[4738]
[4739]
[4740]
[4741]
[4742]
[4743]
[4744]
[4745]
[4746]
[4747]
[4748]
[4749]
[4750]
[4751]
[4752]
[4753]
[4754]
[4755]
[4756]
[4757]
[4758]
[4759]
[4760]
[4761]
[4762]
[4763]
[4764]
[4765]
[4766]
[4767]
[4768]
[4769]
[4770]
[4771]
[4772]
[4773]
[4774]
[4775]
[4776]
[4777]
[4778]
[4779]
[4780]
[4781]
[4782]
[4783]
[4784]
[4785]
[4786]
[4787]
[4788]
[4789]
[4790]
[4791]
[4792]
[4793]
[4794]
[4795]
[4796]
[4797]
[4798]
[4799]
[4800]
[4801]
[4802]
[4803]
[4804]
[4805]
[4806]
[4807]
[4808]
[4809]
[4810]
[4811]
[4812]
[4813]
[4814]
[4815]
[4816]
[4817]
[4818]
[4819]
[4820]
[4821]
[4822]
[4823]
[4824]
[4825]
[4826]
[4827]
[4828]
[4829]
[4830]
[4831]
[4832]
[4833]
[4834]
[4835]
[4836]
[4837]
[4838]
[4839]
[4840]
[4841]
[4842]
[4843]
[4844]
[4845]
[4846]
[4847]
[4848]
[4849]
[4850]
[4851]
[4852]
[4853]
[4854]
[4855]
[4856]
[4857]
[4858]
[4859]
[4860]
[4861]
[4862]
[4863]
[4864]
[4865]
[4866]
[4867]
[4868]
[4869]
[4870]
[4871]
[4872]
[4873]
[4874]
[4875]
[4876]
[4877]
[4878]
[4879]
[4880]
[4881]
[4882]
[4883]
[4884]
[4885]
[4886]
[4887]
[4888]
[4889]
[4890]
[4891]
[4892]
[4893]
[4894]
[4895]
[4896]
[4897]
[4898]
[4899]
[4900]
[4901]
[4902]
[4903]
[4904]
[4905]
[4906]
[4907]
[4908]
[4909]
[4910]
[4911]
[4912]
[4913]
[4914]
[4915]
[4916]
[4917]
[4918]
[4919]
[4920]
[4921]
[4922]
[4923]
[4924]
[4925]
[4926]
[4927]
[4928]
[4929]
[4930]
[4931]
[4932]
[4933]
[4934]
[4935]
[4936]
[4937]
[4938]
[4939]
[4940]
[4941]
[4942]
[4943]
[4944]
[4945]
[4946]
[4947]
[4948]
[4949]
[4950]
[4951]
[4952]
[4953]
[4954]
[4955]
[4956]
[4957]
[4958]
[4959]
[4960]
[4961]
[4962]
[4963]
[4964]
[4965]
[4966]
[4967]
[4968]
[4969]
[4970]
[4971]
[4972]
[4973]
[4974]
[4975]
[4976]
[4977]
[4978]
[4979]
[4980]
[4981]
[4982]
[4983]
[4984]
[4985]
[4986]
[4987]
[4988]
[4989]
[4990]
[4991]
[4992]
[4993]
[4994]
[4995]
[4996]
[4997]
[4998]
[4999]
[5000]
[5001]
[5002]
[5003]
[5004]
[5005]
[5006]
[5007]
[5008]
[5009]
[5010]
[5011]
[5012]
[5013]
[5014]
[5015]
[5016]
[5017]
[5018]
[5019]
[5020]
[5021]
[5022]
[5023]
[5024]
[5025]
[5026]
[5027]
[5028]
[5029]
[5030]
[5031]
[5032]
[5033]
[5034]
[5035]
[5036]
[5037]
[5038]
[5039]
[5040]
[5041]
[5042]
[5043]
[5044]
[5045]
[5046]
[5047]
[5048]
[5049]
[5050]
[5051]
[5052]
[5053]
[5054]
[5055]
[5056]
[5057]
[5058]
[5059]
[5060]
[5061]
[5062]
[5063]
[5064]
[5065]
[5066]
[5067]
[5068]
[5069]
[5070]
[5071]
[5072]
[5073]
[5074]
[5075]
[5076]
[5077]
[5078]
[5079]
[5080]
[5081]
[5082]
[5083]
[5084]
[5085]
[5086]
[5087]
[5088]
[5089]
[5090]
[5091]
[5092]
[5093]
[5094]
[5095]
[5096]
[5097]
[5098]
[5099]
[5100]
[5101]
[5102]
[5103]
[5104]
[5105]
[5106]
[5107]
[5108]
[5109]
[5110]
[5111]
[5112]
[5113]
[5114]
[5115]
[5116]
[5117]
[5118]
[5119]
[5120]
[5121]
[5122]
[5123]
[5124]
[5125]
[5126]
[5127]
[5128]
[5129]
[5130]
[5131]
[5132]
[5133]
[5134]
[5135]
[5136]
[5137]
[5138]
[5139]
[5140]
[5141]
[5142]
[5143]
[5144]
[5145]
[5146]
[5147]
[5148]
[5149]
[5150]
[5151]
[5152]
[5153]
[5154]
[5155]
[5156]
[5157]
[5158]
[5159]
[5160]
[5161]
[5162]
[5163]
[5164]
[5165]
[5166]
[5167]
[5168]
[5169]
[5170]
[5171]
[5172]
[5173]
[5174]
[5175]
[5176]
[5177]
[5178]
[5179]
[5180]
[5181]
[5182]
[5183]
[5184]
[5185]
[5186]
[5187]
[5188]
[5189]
[5190]
[5191]
[5192]
[5193]
[5194]
[5195]
[5196]
[5197]
[5198]
[5199]
[5200]
[5201]
[5202]
[5203]
[5204]
[5205]
[5206]
[5207]
[5208]
[5209]
[5210]
[5211]
[5212]
[5213]
[5214]
[5215]
[5216]
[5217]
[5218]
[5219]
[5220]
[5221]
[5222]
[5223]
[5224]
[5225]
[5226]
[5227]
[5228]
[5229]
[5230]
[5231]
[5232]
[5233]
[5234]
[5235]
[5236]
[5237]
[5238]
[5239]
[5240]
[5241]
[5242]
[5243]
[5244]
[5245]
[5246]
[5247]
[5248]
[5249]
[5250]
[5251]
[5252]
[5253]
[5254]
[5255]
[5256]
[5257]
[5258]
[5259]
[5260]
[5261]
[5262]
[5263]
[5264]
[5265]
[5266]
[5267]
[5268]
[5269]
[5270]
[5271]
[5272]
[5273]
[5274]
[5275]
[5276]
[5277]
[5278]
[5279]
[5280]
[5281]
[5282]
[5283]
[5284]
[5285]
[5286]
[5287]
[5288]
[5289]
[5290]
[5291]
[5292]
[5293]
[5294]
[5295]
[5296]
[5297]
[5298]
[5299]
[5300]
[5301]
[5302]
[5303]
[5304]
[5305]
[5306]
[5307]
[5308]
[5309]
[5310]
[5311]
[5312]
[5313]
[5314]
[5315]
[5316]
[5317]
[5318]
[5319]
[5320]
[5321]
[5322]
[5323]
[5324]
[5325]
[5326]
[5327]
[5328]
[5329]
[5330]
[5331]
[5332]
[5333]
[5334]
[5335]
[5336]
[5337]
[5338]
[5339]
[5340]
[5341]
[5342]
[5343]
[5344]
[5345]
[5346]
[5347]
[5348]
[5349]
[5350]
[5351]
[5352]
[5353]
[5354]
[5355]
[5356]
[5357]
[5358]
[5359]
[5360]
[5361]
[5362]
[5363]
[5364]
[5365]
[5366]
[5367]
[5368]
[5369]
[5370]
[5371]
[5372]
[5373]
[5374]
[5375]
[5376]
[5377]
[5378]
[5379]
[5380]
[5381]
[5382]
[5383]
[5384]
[5385]
[5386]
[5387]
[5388]
[5389]
[5390]
[5391]
[5392]
[5393]
[5394]
[5395]
[5396]
[5397]
[5398]
[5399]
[5400]
[5401]
[5402]
[5403]
[5404]
[5405]
[5406]
[5407]
[5408]
[5409]
[5410]
[5411]
[5412]
[5413]
[5414]
[5415]
[5416]
[5417]
[5418]
[5419]
[5420]
[5421]
[5422]
[5423]
[5424]
[5425]
[5426]
[5427]
[5428]
[5429]
[5430]
[5431]
[5432]
[5433]
[5434]
[5435]
[5436]
[5437]
[5438]
[5439]
[5440]
[5441]
[5442]
[5443]
[5444]
[5445]
[5446]
[5447]
[5448]
[5449]
[5450]
[5451]
[5452]
[5453]
[5454]
[5455]
[5456]
[5457]
[5458]
[5459]
[5460]
[5461]
[5462]
[5463]
[5464]
[5465]
[5466]
[5467]
[5468]
[5469]
[5470]
[5471]
[5472]
[5473]
[5474]
[5475]
[5476]
[5477]
[5478]
[5479]
[5480]
[5481]
[5482]
[5483]
[5484]
[5485]
[5486]
[5487]
[5488]
[5489]
[5490]
[5491]
[5492]
[5493]
[5494]
[5495]
[5496]
[5497]
[5498]
[5499]
[5500]
[5501]
[5502]
[5503]
[5504]
[5505]
[5506]
[5507]
[5508]
[5509]
[5510]
[5511]
[5512]
[5513]
[5514]
[5515]
[5516]
[5517]
[5518]
[5519]
[5520]
[5521]
[5522]
[5523]
[5524]
[5525]
[5526]
[5527]
[5528]
[5529]
[5530]
[5531]
[5532]
[5533]
[5534]
[5535]
[5536]
[5537]
[5538]
[5539]
[5540]
[5541]
[5542]
[5543]
[5544]
/*****************************************************************************/
/*
Sesola.c
THE GNU GENERAL PUBLIC LICENSE APPLIES DOUBLY TO ANYTHING TO DO WITH
AUTHENTICATION AND AUTHORIZATION!
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License, or any later
version.
> This package is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
GOOD ADVICE FROM THE README OF THE APACHE MOD_SSL SOURCE
--------------------------------------------------------
You should be very sensible when using cryptography software, because just
running an SSL server _DOES NOT_ mean your system is then secure! This is for
a number of reasons. The following questions illustrate some of the problems.
o SSL itself may not be secure. People think it is, do you?
o Does this code implement SSL correctly?
o Have the authors of the various components put in back doors?
o Does the code take appropriate measures to keep private keys private?
To what extent is your cooperation in this process required?
o Is your system physically secure?
o Is your system appropriately secured from intrusion over the network?
o Whom do you trust? Do you understand the trust relationship involved
in SSL certificates? Do your system administrators?
o Are your keys, and keys you trust, generated careful enough to
avoid reverse engineering of the private keys?
o How do you obtain certificates, keys, and the like, securely?
o Can you trust your users to safeguard their private keys?
o Can you trust your browser to safeguard its generated private key?
If you can't answer these questions to your personal satisfaction, then you
usually have a problem. Even if you can, you may still _NOT_ be secure. Don't
blame the authors if it all goes horribly wrong. Use it at your own risk!
GENERAL
-------
Be aware that export/import and/or use of cryptography software, or even just
providing cryptography hooks, is illegal in some parts of the world. When you
re-distribute this package or even email patches/suggestions to the author or
other people PLEASE PAY CLOSE ATTENTION TO ANY APPLICABLE EXPORT/IMPORT LAWS.
The author of this package is not liable for any violations you make here.
Named "Sesola" to avoid any confusion and/or conflict with OpenSSL routines.
SSL I/O is implemented as a OpenSSL BIO_METHOD, named "Sesola_method". It
provides NON-BLOCKING SSL input/output. All routines that are part of this
functionality are named "Sesola_..." and are grouped towards the end of this
module.
To provide some of the facilities available in this module it was necessary in
places to directly access some of the internals of structures used by OpenSSL.
Let's hope they don't change names too often!
OPENSSL
-------
With the retirement of Eric Young from OpenSource software and the creation of
the OpenSSL organisation this module will be based on this group's packages and
in particular the VMS port supported in large part by Richard Levitte.
levitte@openssl.org
http://www.openssl.org/~levitte/
The initial development was done using SSLeay v0.8.1
Modified for SSLeay 0.9.0b
A great leap forward with OpenSSL v0.9.3 (thanks Richard)
Tested against OpenSSL v0.9.4
Tested and modified for OpenSSL v0.9.5
Tested against OpenSSL v0.9.6
Tested against OpenSSL v0.9.6a
Tested against OpenSSL v0.9.6b
Tested against OpenSSL v0.9.6c
Tested against OpenSSL v0.9.6d
Tested against OpenSSL v0.9.6e
Tested against OpenSSL v0.9.6f
Tested against CPQ AXPVMS SSL V1.0-A
Tested and modified for OpenSSL v0.9.7-beta
Tested and (minor) modification for OpenSSL v0.9.8
Continued testing and configuration against OpenSSL v1.0.n
Tested against HP AXPVMS SSL1 V1.0-2C
Some code changes and conditional compilation required for OpenSSL v1.1.0(-pre6)
A general hard-copy reference (and there aren't many around) that has been
interesting and informative is "SSL and TLS, Designing and Building Secure
Systems", Eric Rescorla, 2001, Addison-Wesley (ISBN-201-61598-3). Though don't
blame the book's author for the code author's shortcomings!
2016 Update: some fifteen years later there is a substantial number more tomes.
LINKING/BUILDING AGAINST OLDER OPENSSL
--------------------------------------
Minimum supported OpenSSL version is v1.0.0.
This precludes HP SSL V1.4 (based on OpenSSL 0.9.8) and earlier.
It does allow building against HP SSL1 (based on 1.0.2c) and presumably later.
CLIENT CERTIFICATE AUTHORIZATION
--------------------------------
Thanks to Ralf S.Engelschall (rse@engelschall.com) and Apache 'mod_ssl' package
for hints on how to do some of this (all bits broken in the 'technology
transfer' are mine :^)
Client certificates may be used for authorization, against a realm name "X509".
This means that a client (user at a browser for instance) is prompted to supply
a X509 certificate as the authorization source. No username/password is
required, and the usual such dialogs are not generated.
Remote-User - Fingerprint
-------------------------
By default WASD uses the FINGERPRINT OF THE CERTIFICATE (without the usual
byte-delimiting colons) as the identifying username of the client. For
authorization purposes this username may used like any other (i.e. in rule
access restriction lists, added to group lists, etc.) The usual certificate
fingerprint looks like
10:6C:83:42:89:0A:17:03:AA:A5:17:31:7B:14:5B:F7
Such a 'fingerprint' username comprises 32 hexadecimal digits (without the
usual byte-delimiting colons) and looks like
106C8342890A1703AAA517317B145BF7
Such a fingerprint-username is UNIQUE (based on the MD5 algorithm) and a USEFUL
REPRESENTATION OF THE CERTIFICATE AND USER of the client, even though lacking
slightly in admin-friendly information. Some CGI variables (.e.g the
AUTH_X509... and AUTH_USER) provided more accessable information. A CGI script
can easily be designed to capture (and perhaps email) this information for use
by the administrator in setting up authorization, etc.
Remote-User - Subject DN Record
-------------------------------
Alternatively, using the directives described immediately below, it is possible
to specify that the server should derive the remote-user information from a
particular record in the client certificate Subject Distinguished Name. The
length of this identifying string is limited by AUTH_MAX_USERNAME_LENGTH
specified in AUTH.H and has all white-space converted to underscores
(white-space is not allowed for when processing authentication "usernames").
Any of the records identified in the 'SesolaCertDnRec' structure encoded below
may be used, but the more obvious candidates for such a use are /O=, /OU=,
/CN=, /S=, /Uid= and /EMAIL=.
Where multiple records can exist (e.g. common name) a pattern to match can be
used to select one from between them. For example, to select a common name for
remote user that uniformly begins with "WASD":
[ru:/CN=wasd*]
To eliminate any record containing "obvious" non-user characters, use a regular
expression to selectively eliminate those records. For example, the following
configuration excludes records containing values with a slash or equal symbol
(note the escaped reserved '[' and ']' characters):
[ru:/CN=^^\[^/=\]*$]
Note that when using this facility it is almost mandatory to put some further
access control on the certificate to prevent an unexpected, perhaps even a
user-generated and installed certificate's field contents from being used
(even considering CA verification is applied by default). The following is an
example of such an WASD_CONFIG_AUTH entry.
[X509]
/VMS/* r+w,param="[ru:/CN=][is:/O=WASD\ HTTPd\ CA\ Cert]"
Remote-User - Subject Alternative Name
--------------------------------------
The "Subject Alternative Name" (SAN) X509 V3 extension, a common extension for
providing identifying data in a certificate, can also be used to derive the
remote user string. In fact any extension data may be so used. The basic
syntax for this field is the full extension name, and the short-hand
equivalent, shown below:
[X509]
/VMS/* r+w,param="[ru:X509v3_subject_Alternative_Name]"
/VMS/* r+w,param="[ru:X509v3_SAN]"
The SAN extension (in common with many others) may contain multiple data
elements, each with a leading name, a colon, and a (if multi line)
carriage-control terminated value. WASD parses these into unqiue fields (and
from there into unique CGI variables/DCL symbols) using keywords fixed in
function SesolaCertKeyword() and site configurable logical name
WASD_X509_EXTENSION_KEYWORDS value. To select one of these fields, for example
the common (Microsoft) user principal name (UPN), append the required field
name to the extension name as shown in the following example (includes
"shorthand" equivalents, along with the underscore and equate variants).
Note that the identifying names are case-insensitive.
[X509]
/VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name_UserPrincipalName]"
/VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name=UserPrincipalName]"
/VMS/* r+w,param="[ru:X509v3_SAN_UPN]"
/VMS/* r+w,param="[ru:X509v3_SAN=UPN]"
/VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name_rfc822Name]"
/VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name=rfc822Name]"
/VMS/* r+w,param="[ru:X509v3_SAN_822]"
/VMS/* r+w,param="[ru:X509v3_SAN=822]"
Object Identifiers (OIDs) may be used for either record and field name (if an
unknown otherName) by prefixing with "OID_". For example, the SAN may be
alternatively selected, and the (Microsoft) user principal name, as in the
following examples.
[X509]
/VMS/* r+w,param="[ru:OID_2_5_29_17]"
/VMS/* r+w,param="[ru:OID_2_5_29_17_UPN]"
/VMS/* r+w,param="[ru:OID_2_5_29_17=UPN]"
/VMS/* r+w,param="[ru:X509v3_SAN_OID_1_3_6_1_20_2_3]"
/VMS/* r+w,param="[ru:X509v3_SAN_OID=1_3_6_1_20_2_3]"
X509 Extensions
---------------
X509 certificate extensions are in general visible from WATCH and accessible
via CGI variables (when enabled using SET SSLCGI=apache_mod_ssl_extens and
SSLCGI=apache_mod_ssl_client path mappings). The identifying names derived
from X509 extensions are built of the alphanumerics in the element names.
Non-alphanumerics (e.g. spaces) have underscores substituted. Multiple
underscore are compressed into singles. Where elements have identical names
the first multiple has TWO underscores and the digit two appended, the second
mutiple, two underscores and three appended, etc. Some examples:
WWW_SSL_CLIENT_E_X509V3_CERTIFICATE_POLICIES ==
"Policy: 1.3.6.1.4.1.13569.10.20.4.1.1. CPS: http://pki.sda.za/tst/pki."
WWW_SSL_CLIENT_E_X509V3_CERTIFICATE_POLICIES_CPS ==
"http://pki.sda.za/tst/pki"
WWW_SSL_CLIENT_E_X509V3_CERTIFICATE_POLICIES_POLICY ==
"1.3.6.1.4.1.13569.10.20.4.1.1"
WWW_SSL_CLIENT_E_X509V3_CRL_DISTRIBUTION_POINTS ==
".Full Name:. URI:http://pki.sda.za/tst/pki/crl/TSTGLOBAL_CA-Class_D-\
User1(1).crl. URI:ldap:///CN=CA%20-%20Class%20D%20-%20User1\
(1),CN=TM88,CN=PDC,CN=P%20Key%20Services,CN=Services,CN=Config\
uration,DC=tst,DC=loc?certificateRevocationList?base?objectClass=cRLDis\
tributionPoint."
WWW_SSL_CLIENT_E_X509V3_CRL_DISTRIBUTION_POINTS_FULL_NAME == ""
WWW_SSL_CLIENT_E_X509V3_CRL_DISTRIBUTION_POINTS_URI ==
"http://pki.sda.za/tst/pki/crl/TSTGLOBAL_CA-Class_D-User1(1).crl"
WWW_SSL_CLIENT_E_X509V3_CRL_DISTRIBUTION_POINTS_URI__2 ==
"ldap:///CN=CA%20-%20Class%20D%20-%20User1(1),CN=TM88,\
CN=PDC,CN=P20Key%20Services,CN=Services,CN=Configuration,DC=tst,\
DC=loc?certificateRevocationList?base?objectClass=cRLDistributionPoint"
Client Cert Authorization Directives/Conditionals
-------------------------------------------------
Conditionals provide extra control on which certificates and their content can
and can't be used during client X509 authentication. They contain strings that
set authentication parameters, or that are matched to specific elements of
certificate and it's negotiation, and only if matched are the corresponding
rules applied. The conditionals may contain the '*' and '%' wildcards, and
optionally be negated by an '!' at the start of the conditional string.
Conditionals are passed to the X509 authenticator via the 'param=""' in an
authorization rule, and are delimited by '[' and ']'. Directives that set
processing parameters must be one-per-directive. Conditional matching
containing multiple, space-separated conditions may be included within one
'[...]'. This behaves as a logical OR (i.e. the condition is true if only one
is matched). Multiple '[...]' conditionals may be included. These act as a
logical AND (i.e. all must have at least one condition matched). The result of
an entire conditional may be optionally negated by prefixing the '[' with a
'!'. Spaces must *not* be included in match strings. Reserved characters (i.e.
spaces, exclamation marks and ']') may be escaped using a preceding backslash.
Wildcards (asterisk and percent) cannot be escaped.
Once verified the following conditionals control whether that certificate is
allowed to be used for authentication. When string matching note that delimit
wildcards are often required. Matching is case-insensitive. Note that the
'IS' and 'SU' conditionals each have two variants. As always the '@' is
substituted here for '*' due to the issues with C comments.
[!]IS:/record=string cert issuer DN record (e.g. [is:/O=VeriSign\ Inc.])
[!]IS:string cert entire issuer DN (e.g. [is:@/O=VeriSign\ Inc./@])
[!]SU:/record=string cert subject DN record (e.g. [su:/CN=Mark\ Daniel])
[!]SU:string cert entire subject DN (e.g. [su:@/CN=Mark%Daniel@])
[!]KS:string minimum keysize (e.g. [ks:128])
[!]CI:string negotiation cipher (e.g. [ci:RC4-MD5])
Note that the "IS:" and "SU:" conditionals each have a "specific-record" and an
"entire-field" mode. If the conditional string begins with a slash then it is
considered to be a match against a specified record's content within the field.
If it begins with a wildcard then it is matched against the entire field's
content.
The following directives control how the certificate is to be processed.
DP:integer set the CA verification depth
LT:integer (re)set the authenticated session lifetime in minutes
RU:string remote-user from certificate subject record (e.g. "/CN=")
TO:integer set the session timeout in minutes ("EXPIRE" to expire)
VF:OPTIONAL authorize even if the issuing CA cannot be verified
VF:REQUIRED the issuing CA must be verified (default)
VF:NONE do not get peer certificate (cancels any existing)
Example WASD_CONFIG_AUTH entries:
["Just an example!"=X509]
/cgi-bin/show_cert_details r,\
param="[VF:OPTIONAL_NO_CA]"
/cgi-bin/show_verisign_details r,\
param="[VF:OPTIONAL_NO_CA] [IS:@/O=VeriSign\ Inc./@]"
/some/path/or/other r+w, \
param="[DP:1] [TO:10] [SU:@/Email=Mark.Daniel@wasd.vsm.com.au]"
/VMS/* r+w,param="[RU:/CN=]"
Remember the WATCH facility provides considerable detail during the processing
of all authorization mapping.
FORWARD SECRECY
----------------
Forward secrecy, sometimes known as perfect forward secrecy (PFS), is a
property of key-agreement protocols ensuring that a session key derived from a
set of long-term keys cannot be compromised if one of the long-term keys is
compromised in the future.
OpenSSL supports forward secrecy using Diffie-Hellman key exchange with
elliptic curve cryptography and this relies on generating emphemeral keys based
on unique, "strong" primes. These are expensive to generate and so this is
done infrequently, often during software build or installation.
In the case of WASD, to maximise flexibility, these "strong" primes are stored
in external PEM-format files, by default located in the WASD_ROOT:[LOCAL]
directory, or optionally located using the logical name WASD_DH_PARAM:. These
files are only briefly accessed during server startup SSL initialisation and
the content later used during network connection SSL negotiation to generate
the required ephemeral keys. Each file contains one prime for a certain key
size, 512, 1024, etc., generated using the OpenSSL dhparam utility.
$ openssl dhparam -out dh_param_<bits>.pem <bits>
$ openssl dhparam -out dh_param_512.pem 512
$ openssl dhparam -out dh_param_1024.pem 1024
$ openssl dhparam -out dh_param_2048.pem 2048
https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh.html
NOTE: Ephemeral keys form part of PFS, the others being selection and ordering
of server ciphers, and ensuring the server determines the cipher used
(+OP_CIPHER_SERVER_PREFERENCE).
Further Note: There are also emphemeral RSA keys too but ...
"It is therefore strongly recommended to not use ephemeral RSA key exchange
and use DHE (Ephemeral Diffie-Hellman) key exchange instead in order to
achieve forward secrecy"!
https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html
SESSION TICKETS
---------------
RFC 5077 extends TLS via use of session tickets, instead of using session IDs
and associated server cache. It defines a way to resume a TLS session without
requiring that session-specific state is stored at the TLS server.
When using session tickets, the TLS server stores its session-specific state in
a session ticket and sends the session ticket to the TLS client for storing.
The client resumes a TLS session by sending the session ticket to the server,
and the server resumes the TLS session according to the session-specific state
in the ticket. The session ticket is encrypted and authenticated by the
server, and the server verifies its validity before using its contents.
So as not to compromise Perfect Forward Secrecy, among other considerations,
the encryption keys for Session IDs need to be changed periodically, with a
maximum of daily suggested (by RFC4507 and confirmed by RFC5077). WASD does
this using the DLM and an internal /DO= "TICKET=USE" command, distributing a 48
byte key structure to all instances, per-node and cluster-wide as applicable.
The 48 byte set of keys is (re)generated daily at midnight (local time) and
then distributed to all instances. At that point all extant session tickets
are invalidated and require reissue. The command-line $ HTTPD /DO=TICKET=KEY
will perform the same task ad hoc. Session tickets have a maximum 24 hour
lifetime (~86340 seconds).
Cluster-wide instances are specially accomodated ensuring only one node's
InstanceSupervisor() TICKET=USE command is actually applied.
This relies on a 64 byte Lock Value Block (VMS V8.2 and later). Where the 64
bytes LVB is not supported, neither is cluster-wide session keys and tickets.
SSL COMMAND LINE OPTIONS
------------------------
The /SSL= qualifier allows certain SSL runtime parameters to be set. The
default is support of SSLv2/SSLv3, certificate file provided by WASD_SSL_CERT,
selected ciphers, and a session cache of 128.
/SSL=SSLv2 support only SSLv2
/SSL=noSSLv2 turn SSLv2 option off
/SSL=SSLv3 support only SSLv3
/SSL=noSSLv3 turn SSLv3 option off
/SSL=(SSLv2,SSLv3) support both SSLv2 and SSLv3
/SSL=(SSLv2v3) support both SSLv2 and SSLv3
/SSL=TLSvALL support all available TLS protocol versions
/SSL=TLSv1 support only TLSv1 (etc.)
/SSL=noTLSv1 turn TLSv1 option off
/SSL=TLSv1.1 support only TLSv1.1
/SSL=noTLSv1.1 turn TLSv1.1 option off
/SSL=TLSv1.2 support only TLSv1.2
/SSL=noTLSv1.2 turn TLSv1.2 option off
/SSL=TLSv1.3 support only TLSv1.3
/SSL=noTLSv1.3 turn TLSv1.3 option off
/SSL=(CACHE=integer) maximum number of records in session cache
/SSL=(CAFILE=file) location of default client verify CA certificate file
/SSL=(CERT=file) location of default OpenSSL-PEM certificate file
/SSL=(CIPHER=list) semi-colon-separated list of supported ciphers
/SSL=(ICACHE=SIZE=integer) maximum number of records in instance cache
/SSL=(ICACHE=RECORD=integer) size of record in instance cache (bytes)
/SSL=(KEY=file) location of default OpenSSL-PEM private key file
(if separate from the certificate information)
/SSL=noSNI disable Server Name Indication (SNI)
/SSL=(+OP_ALL,-OP_ALL,+<keyword>,-<keyword>) options on and off
/SSL=(OPTIONS=0xnn) hex SSL_OP_.. options (see [.INCLUDE.OPENSSL]SSL.H)
/SSL=(OPTIONS=+0xnn) OR in hex SSL_OP_.. options
/SSL=(OPTIONS=-0xnn) AND out hex SSL_OP_.. options
/SSL=(TIMEOUT=integer) set session cache timeout
/SSL=(VERIFY=integer) set client certificate CA chin verification depth
Multiple parameters may be included by separating with commas. Example:
/SSL=(CERT=HT_ROOT:[LOCAL]SITE.PEM,SSLV2,SSLV3,TIMEOUT=10)
CGI VARIABLES
-------------
CGI variables for scripting and SSI environments can be selectively generated
for "https:" requests. See the mapping SETting "SSLCGI=" in MAPURL.C module.
The Apache mod_SSL variables are based on the v2.7 documentation by Ralf S.
Engelschall (rse@engelschall.com). The Purveyor variables are based on
Purveyor documentation. The client certificate authentication AUTH_X509... are
always generated when there is X509 authentication.
Client Certificate Authorization
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o AUTH_X509_CIPHER ......... name of the cipher in use
o AUTH_X509_FINGERPRINT .... (MD5) fingerprint of X509 cert
o AUTH_X509_ISSUER ......... CA of client X509 cert
o AUTH_X509_KEYSIZE ........ 40, 56, 128, etc.
o AUTH_X509_SUBJECT ........ client details of X509 cert
Apache mod_SSL -like SSL variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o HTTPS .................... "true" indicating it's SSL
o SSL_PROTOCOL ............. version (e.g. "SSLv2", "SSLv3")
o SSL_SESSION_ID ........... hex-encoded SSL session ID
o SSL_CIPHER ............... cipher name (e.g. "RC4-MD5")
o SSL_CIPHER_EXPORT ........ "true" if export grade
o SSL_CIPHER_USEKEYSIZE .... bits cipher used for session
o SSL_CIPHER_ALGKEYSIZE .... bits cipher is capable of supporting
o SSL_CLIENT_M_VERSION ..... server cert version
o SSL_CLIENT_M_SERIAL ...... server cert serial number
o SSL_CLIENT_S_DN .......... subject cert distinguished name
o SSL_CLIENT_S_DN_x509 ..... subject cert DN components
o SSL_CLIENT_I_DN .......... issuer cert distinguished name
o SSL_CLIENT_I_DN_x509 ..... issuer cert DN components
o SSL_CLIENT_V_START ....... cert validity start date
o SSL_CLIENT_V_END ......... cert validity end date
o SSL_CLIENT_A_SIG ......... server cert signature algorithm
o SSL_CLIENT_A_KEY ......... server cert public key algorithm
o SSL_CLIENT_CERT .......... (see note in SesolaCgiVariablesApacheModSsl())
o SSL_SERVER_M_VERSION ..... server cert version
o SSL_SERVER_M_SERIAL ...... server cert serial number
o SSL_SERVER_S_DN .......... subject cert distinguished name
o SSL_SERVER_S_DN_x509 ..... subject cert DN components
o SSL_SERVER_I_DN .......... issuer cert distinguished name
o SSL_SERVER_I_DN_x509 ..... issuer cert DN components
o SSL_SERVER_V_START ....... cert validity start date
o SSL_SERVER_V_END ......... cert validity end date
o SSL_SERVER_A_SIG ......... server cert signature algorithm
o SSL_SERVER_A_KEY ......... server cert public key algorithm
o SSL_SERVER_CERT .......... (see note in SesolaCgiVariablesApacheModSsl())
o SSL_TLS_SNI .............. supplied Server Name Indication string
o SSL_VERSION_INTERFACE .... WASD server software ID
o SSL_VERSION_LIBRARY ...... OpenSSL version
"Purveyor"-like security/SSL variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o SECURITY_STATUS .......... "NONE" or "SSL"
o SSL_CIPHER ............... name of the cipher in use
o SSL_CIPHER_KEYSIZE ....... 40, 56, 128, etc.
o SSL_CLIENT_CA ............ client cert authority
o SSL_CLIENT_DN ............ client cert distinguished name
o SSL_SERVER_CA ............ server cert authority
o SSL_SERVER_DN ............ server cert distinguished name
o SSL_VERSION .............. SSL version (e.g. "SSLv2")
Certificate Extension variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o SSL_CLIENT_E_<name> ...... name=value for client certificate
o SSL_SERVER_E_<name> ...... name=value for server certificate
LOGICAL NAMES
-------------
The following logical names can be used to provide runtime information to the
SSL functionality. Configuration options provided by /SSL= and [service] or
/SERVICE= parameters override anything provided via these names.
WASD_SSL_CAFILE location of default client verify CA certificate file
WASD_SSL_CERT location of default OpenSSL-PEM certificate file
WASD_SSL_CIPHER comma-separated list of default supported ciphers
WASD_SSL_KEY location of default OpenSSL-PEM private key file
WASD_SSL_PARAMS the equivalent functionality of the /SSL= qualifier
WASD_OPENSSL_MEM_TRACK see SesolaInit()
WASD_VM_OPENSSL see VmOpenSslInit()
VERSION HISTORY
---------------
06-JUL-2021 MGD bugfix; SesoalReport() get client certificate
19-APR-2021 MGD [ServiceSSLcert] beginning '+' forces SesolaMkCert()
08-AUG-2020 MGD keep connect cert (->VerifyPeer) distinct from client cert
bugfix; SesolaInitService() enable ALPN for TLSv1.3
02-AUG-2020 MGD bugfix; SesolaSNICallback() needs to propagate newly set
context client verify parameters to SSL-specific
19-JUL-2020 MGD static fallback cert replaced by dynamic SesolaMkCert()
18-FEB-2020 MGD more OpenSSL memory instrumentation
19-JAN-2020 MGD verified against VSI SSL111 product
10-OCT-2018 MGD verified against OpenSSL v1.0.2 && v1.1.0 && v1.1.1
TLSv1.3 operational (though clients currently sparse)
03-JUN-2018 MGD SesolaControlReloadCerts() undoes SesolaControlReloadService()
because it didn't actually work :-/
02-FEB-2018 MGD SesolaControlReloadService() (was SesolaControlReloadCerts())
and uses latest configuration (e.g. certificate name)
allowing (SSL parameter) modification without restart
10-OCT-2017 MGD SesolaReport..() allow reporting using an HTTP service
02-AUG-2017 MGD bugfix; rationalise as OpenSSL_version[_num]() becomes
confused catering for OpenSSL v1.0.2 && v1.1.0 && v1.1.1
23-JUL-2017 MGD bugfix; SesolaOptionsAsString() doh!
09-JUN-2017 MGD SesolaInitService() when SSL_CTX_set_tmp_dh_callback() is
enabled (DH_PARAM_*..PEM files present) ensure flag
SSL_OP_CIPHER_SERVER_PREFERENCE is implicitly set
SesolaOptionsAsString() teases out options into string
09-MAY-2017 MGD bugfix; SesolaSessionTicketUseKey() sigh some more :-[
28-APR-2017 MGD SesolaSessionTicketUseKey() rework multi-instance/cluster
(sigh! yes again; the lack of a test cluster these days)
16-MAR-2017 MGD TLSv1.3, noTLSv1.3 (for OpenSSL 1.1.1 and later)
SesolaControlReloadCerts() implements /DO=SSL=CERT=LOAD
bugfix; SesolaControlReloadCA() do not proactively
X509_STORE_free() (leaves a dangling pointer?)
14-JAN-2017 MGD [ServiceSSLcert] specification can contain wildcard(s)
30-DEC-2016 MGD bugfix; SesolaSNICallback() port elimination
06-SEP-2016 MGD sesola.h |#include "openssl/rand.h"| to fix OpenSSL v1.1.0
static link error against rand_bytes() and rand_seed()
25-AUG-2016 MGD minimum supported OpenSSL version is now v1.0.0
which precludes HP SSL V1.4 (at least)
(and WASD for VAX must be close to its last SSL-gasp too!)
OpenSSL v1.1.0 required code changes including
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) in Sesola..()
modules, and introducing a version dependent build
use SSL_cache_hit() instead of ->hit
use SSL_CTX_get/set_cert_store() instead of ->cert_store
use SSL_SESSION_get_id() instead of ->session_id..
14-JUN-2016 MGD SesolaSessionTicket..() refresh and coordinate the
TLS session ticket key cluster-wide using the DLM
[SSLsessionCacheMax] default (of zero) now disables
in favour of the more efficient Session Ticket
SesolaReport() kludge for UTC flavoured timestamps
05-JUN-2016 MGD [SSLverifyPeerDataMax] configuration directive
22-APR-2016 MGD bugfix; SesolaInit() session cache max -1 disables cache
07-FEB-2016 MGD SSL_CTX_set_ecdh_auto() set elliptic curves selection
SesolaTmpDHCallback() further refinement
05-OCT-2015 MGD SesolaReport() list certificate extensions
SesolaTmpDHCallback() improve DH*.PEM flexibility
25-AUG-2015 MGD SesolaCertParseDn() strncmp() not strsame()
SesolaCertParseDn() select on pattern match
04-AUG-2015 MGD ALPN negotiation support for HTTP/2
22-FEB-2015 MGD strict transport security (RFC6707)
29-JAN-2015 MGD SesolaInitOptions() expand options keywords to include
most SSL_OP_.. flags using the OpenSSL flag #define as the
keyword minus the "SSL_" (e.g. OP_CIPHER_SERVER_PREFERENCE)
SesolaTmpDHCallback() for ephemeral keys enabling "perfect
forward secrecy"
increase SESOLA_SSL_ACCEPT_MAX, SESOLA_SSL_CONNECT_MAX
and SESOLA_SSL_SHUTDOWN_MAX
updated the internal fallback PEM cert/key
20-DEC-2014 MGD SesolaInitService() and SesolaInitClientService()
if cipher list begins '+', '-' or '!' append it to default
30-NOV-2014 MGD include SHA256 fingerprint
19-NOV-2014 MGD bugfix; SSL_CTX_set_default_passwd_cb_userdata()
16-NOV-2014 MGD NOTE: TLSv1, TLSv1.1, TLSv1.2 now ENABLED by default
SSLv2 and SSLv3 are now DISABLED by default
(as recommended post-POODLE)
WASD_CONFIG_GLOBAL [SSL..] directives
/SSL=(TLSvALL,TLSv1.1,noTLSv1.1,TLSv1.2,noTLSv1.2)
removed /SSL=(2|3|23) which must be altered to SSLv2, etc.
updated the internal fallback PEM cert/key
bugfix; SSLv23_method() appears to be a Swiss-army knife
significant rework of SSL version configuration
13-APR-2014 MGD SesolaVersion() include header origin and link data
14-SEP-2013 MGD rework SSL options parameters (and reporting) /SSL=
+OP_ALL, -OP_ALL, +OP_LEG_REN, -OP_LEG_REN,
+OP_NO_SES_RES, -OP_NO_SES_RES, +OP_SING_DH, -OP_SING_DH
establish a default cipher list based on best practise
SSL_get_certificate() bug workaround in SesolaReport()
TLS1 Server Name Indication (SNI) extension (RFC 4366)
/SSL=NOSNI parameter can disable
establish and use a separate list of SSL services
to expedite SSL service activities such as SNI
default set options SSL_OP_SINGLE_DH_USE and
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
if session cache size is zero then
SSL_CTX_sess_set_cache_mode() SSL_SESS_CACHE_OFF
SesolaReport() add "Fingerprint:" to client cert data
bugfix; SesolaInitService() (or refinement)
SSL_CTX_set_session_id_context() against each service
bugfix; SesolaReport() session hh:mm:ss minute
02-DEC-2012 MGD bugfix; SesolaInit() translate WASD_SSL_CIPHER logical name
report SSL_CTX_set_cipher_list() error
01-JUL-2012 MGD bugfix; SesolaCertParseDn() return NULL if record not found
02-SEP-2011 MGD SesolaInit() default is SSLv2 off and SSLv3/TLSv1 on
13-FEB-2008 MGD SesolaReport() rework "Current Session" 'Session:'
28-MAR-2006 MGD added SSL=ICACHE=SIZE= and SSL=ICACHE=RECORD=
to allow configuration of instance SSL session cache
move SesolaCacheInit() out after AuthConfigInit() so that
the record size can be increased if X509 realm is used
08-JUL-2005 MGD OpenSSL v0.9.8 changed macro name EVP_F_EVP_DECRYPTFINAL
25-MAY-2005 MGD SesolaWatchBioCallback() make >= 0 complete
19-APR-2005 MGD SesolaInitService() no longer needs to clone
21-AUG-2004 MGD significant refinements to SSL processing
22-JUL-2004 MGD persistent connections over SSL
14-JAN-2003 MGD DN record /email and /emailAddress
15-OCT-2002 MGD use internal ceritifcate and configuration in demo mode
28-AUG-2002 MGD add SHA1 fingerprint (everybody else has it ;^)
11-AUG-2002 MGD refine SesolaReport() for obtaining service ciphers
(OpenSSLv0.9.6f/0.9.7-beta break it),
built and tested against CPQ AXPVMS SSL V1.0-A,
internal PEM cert/key as fallback; mainly for VMS (Open)SSL
03-JUL-2002 MGD refine SesolaReport() so it obtains the service certificate
indirectly removing the need for SSL_LOCL.H (OpenSSL 0.9.7)
17-APR-2002 MGD bugfix; SesolaCertVerifyCallback()
02-JAN-2002 MGD rework SSL network functions into SESOLANET.C,
add HTTP-SSL proxy (gateway) service initialization
27-OCT-2001 MGD break up a burgeoning SSL module into more source files
29-SEP-2001 MGD instance support
04-AUG-2001 MGD support module WATCHing
01-JUL-2001 MGD refine private key password request functionality
20-MAY-2001 MGD add [RU:/xx=] to allow a site to specify a certificate
subject DN record as the authenticated remote-user,
change [IS:/name=string] and [SU:/name=string] to allow
individual issuer or subject DN records to be matched,
private key password optionally can now be supplied via
/DO=SSL=KEY=PASSWORD (see SesolaPrivateKeyPasswd())
11-APR-2001 MGD remove http: check from SesolaAccept(),
bugfix; SesolaFree() BioPtr
02-APR-2001 MGD refine SesolaClientCertVerifyCallback()
10-DEC-2000 MGD client certificate and authorization support,
Richard Levitte in a recent email to vms-web-daemon@KJSL.COM
points out using SSL_CTX_use_certificate_chain_file() is more
versatile than SSL_CTX_use_certificate_file(),
bugfix; SesolaCgiVariablesApacheModSsl()
22-NOV-2000 MGD where a service-specific certificate is supplied and no
service-specific key assume the key is in the specific cert
17-OCT-2000 MGD modify SSL initialization so that "fallback" conditions
(same port on same IP address) are more easily identified
26-SEP-2000 MGD built and verified against OpenSSL 0.9.6
change 'boolean' to 'BOOL' to accomodate new OpenSSL typedef
26-AUG-2000 MGD SesolaWatchPeek()
17-JUN-2000 MGD modifications for SERVICE.C requirements
06-MAY-2000 MGD added Apache mod_SSL style CGI variables
05-MAR-2000 MGD tested against OpenSSL v0.9.5
(SSL_OP_NON_EXPORT_FIRST generates error message, removed),
use FaolToNet(), et.al.
23-DEC-1999 MGD modify NEEDSTRUCT reported by DECC v6.2
19-OCT-1999 MGD SesolaInitServiceList() service errors not fatal at startup
11-SEP-1999 MGD tested against OpenSSL v0.9.4,
SSLeay no longer supported
18-AUG-1999 MGD add certificate CA and DN to SSL report,
bugfix; certificate/key pairs when initializing service
12-JUN-1999 MGD refine SSL connection handling
26-MAY-1999 MGD allow some SSL options to be set if desired,
set SSL_OP_NON_EXPORT_FIRST (for some certificate processing)
18-APR-1999 MGD improve error reporting during certificate loading
03-APR-1999 MGD support OpenSSL 0.9.3
(with initial, backward support for SSLeay 0.8 & 0.9),
add WATCH callbacks
31-MAR-1999 MGD bugfix; report request from non-SSL port
20-JAN-1999 MGD report format refinement
07-NOV-1998 MGD WATCH facility
24-OCT-1998 MGD per-service context (implies per-service certificate)
01-JUN-1998 MGD builds OK with SSLeay 0.9.0b
25-JAN-1998 MGD initial development for v5.0, SSLeay v0.8.1
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <jpidef.h>
#include <ssdef.h>
#include <stsdef.h>
#include <starlet.h>
/* application header files */
#define SESOLA_REQUIRED
#include "Sesola.h"
/* OpenSSL v0.9.8 changed macro name (provide some backward compatibility) */
#ifndef EVP_F_EVP_DECRYPTFINAL_EX
# define EVP_F_EVP_DECRYPTFINAL_EX EVP_F_EVP_DECRYPTFINAL
#endif
/* not present with some earlier versions of HP SSL */
#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
#endif
/* don't exist with (at least) HP AXPVMS SSL V1.4 */
#ifndef SSL_OP_NO_TLSv1_1
#define SSL_OP_NO_TLSv1_1 0x10000000L
#endif
#ifndef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2 0x08000000L
#endif
#ifndef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0x20000000L
#endif
#define WASD_MODULE "SESOLA"
/***************************************/
#ifdef SESOLA /* secure sockets layer */
/***************************************/
/******************/
/* global storage */
/******************/
BOOL ProtocolHttpsAvailable = true,
ProtocolHttpsConfigured = false,
ProtocolHttpsDisabled = false,
SesolaMemTrack,
SesolaMemVmTrack,
SesolaPrivateKeyPasswdRequested,
SesolaTLS1112,
SesolaTLS13,
SesolaSNI = true,
SesolaVerifyCAConfigured;
int SesolaDefaultVerifyDepth = SESOLA_DEFAULT_VERIFY_DEPTH,
SesolaGblSecStructSize = sizeof(struct SesolaGblSecStruct),
SesolaSessionCacheSize,
SesolaSessionCacheTimeout = SESOLA_DEFAULT_CACHE_TIMEOUT,
SesolaSessionLifetime,
SesolaPrivateKeyPasswdAttempt,
SesolaSessionTicketHit,
SesolaSessionTicketMiss,
SesolaSessionTicketNew,
SesolaSSLoptions,
SesolaVersionBitmap,
SesolaVersionOptions,
SesolaVerifyPeerDataMax;
ulong SesolaOpenSslVersionNumber,
SesolaFreeCount,
SesolaMallocCount,
SesolaPrevFreeCount,
SesolaPrevMallocCount,
SesolaPrevReallocCount,
SesolaReallocCount;
static ulong LastLookTime64;
int64 SesolaFreeBytes,
SesolaInUseBytes,
SesolaMallocBytes,
SesolaMaxBytes,
SesolaPrevAvailBytes,
SesolaPrevFreeBytes,
SesolaPrevInUseBytes,
SesolaPrevMallocBytes,
SesolaPrevMaxBytes;
char *SesolaDefaultCertPtr,
*SesolaDefaultCipherListPtr,
*SesolaDefaultKeyPtr,
*SesolaDefaultCaFilePtr,
*SesolaDefaultStrictTransSecPtr,
*SesolaTmpDHbitsPtr;
char SesolaParams [256],
SesolaVersionString [64];
/* the ticket key (being randomised) is also used as the session ID */
uchar /* size of tick_key_name + tick_hmac_key + tick_aes_key */
SesolaTicketKey [48];
int SesolaTicketKeySuperDay;
static int64 SesolaTicketKeyTime64;
/* the session ID is generated using shared session ticket key data */
uchar SesolaSessionId [16]; /* < SSL_MAX_SSL_SESSION_ID_LENGTH (32) */
char ErrorSslPort [] = "This is an SSL ("https:") port.",
HttpdSesola [] = " SSL",
SesolaDefaultOptions [] = SESOLA_DEFAULT_OPTIONS,
SesolaDefaultProtocol [] = SESOLA_DEFAULT_PROTOCOL;
/* local symbols of OpenSSL functions - see LINKING WITH OLDER SSL above */
#if SESOLA_BEFORE_110
extern const SSL_METHOD *SSLv2_method(void);
extern const SSL_METHOD *SSLv3_method(void);
extern const SSL_METHOD *TLSv1_1_method(void);
extern const SSL_METHOD *TLSv1_2_method(void);
int (*Sesola_SSL_get_servername)(SSL*, int) = SSL_get_servername;
int (*Sesola_TLSv1_1_method)() = TLSv1_1_method;
int (*Sesola_TLSv1_2_method)() = TLSv1_2_method;
int (*Sesola_SSLv2_method)() = SSLv2_method;
int (*Sesola_SSLv3_method)() = SSLv3_method;
#endif /* SESOLA_BEFORE_110 */
BIO *SesolaBioMemPtr;
/********************/
/* external storage */
/********************/
extern BOOL CliDemo,
Http2Enabled,
HttpdServerStartup,
ServiceWwwImplied;
extern int64 HttpdTime64;
extern int EfnWait,
ExitStatus,
HttpdTickSecond,
InstanceNodeConfig,
InstanceNodeCurrent,
OpcomMessages,
SesolaCacheRecordMax,
SesolaCacheRecordSize;
extern int ToLowerCase[],
ToUpperCase[];
extern ushort HttpdTime7[];
extern int64 HttpdStartTime64;
extern ulong SysPrvMask[];
extern char ErrorSanityCheck[],
ServerHostPort[],
SoftwareID[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern CONFIG_STRUCT Config;
extern HTTPD_GBLSEC *HttpdGblSecPtr;
extern HTTPD_PROCESS HttpdProcess;
extern MSG_STRUCT Msgs;
extern LIST_HEAD ServiceList;
extern WATCH_STRUCT Watch;
/* the link deposits an integer in this */
globalvalue int SESOLA_LIB_SSL_32;
/*****************************************************************************/
/*
*/
SesolaInit ()
{
char ch;
char *cptr, *sptr, *zptr,
*SslParamsPtr;
char buf [256];
CONFIG_STRUCT *cfptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaInit()");
if (SysTrnLnm (WASD_OPENSSL_MEM_TRACK))
{
SesolaMemTrack = true;
SesolaMemVmTrack = VmOpenSslInit ();
if (!CRYPTO_set_mem_functions (SesolaMalloc,
SesolaRealloc,
SesolaFree))
ErrorExitVmsStatus (0, "CRYPTO_set_mem_functions()", FI_LI);
}
else
if (VmOpenSslInit ()) /* "WASD_VM_OPENSSL" */
{
/* OpenSSL memory management using WASD's own VM.C module */
if (!CRYPTO_set_mem_functions (VmOpenSslMalloc,
VmOpenSslRealloc,
VmOpenSslFree))
ErrorExitVmsStatus (0, "CRYPTO_set_mem_functions()", FI_LI);
}
SesolaOpenSslVersionNumber = OpenSSL_version_num();
FaoToStdout ("%HTTPD-I-SSL, !AZ (0x!8XL)\n",
OpenSSL_version (OPENSSL_VERSION), SesolaOpenSslVersionNumber);
if (SesolaOpenSslVersionNumber < 0x10000000L)
{
FaoToStdout ("%HTTPD-W-SSL, unsupported version (minimum 1.0.0)\n");
ProtocolHttpsDisabled = true;
return;
}
#if SESOLA_SINCE_110
SesolaTLS1112 = true;
if (SesolaOpenSslVersionNumber >= 0x10101000) SesolaTLS13 = true;
#else
/* older versions of HP SSL product do not support SNI */
if (!(SesolaSNI = Sesola_SSL_get_servername != 0))
FaoToStdout ("%HTTPD-W-SSL, SSL_get_servername() unresolved\n");
/* HP SSL V1.4 (at least) do not support TLSv1.1 or TLSv1.2 */
if (Sesola_TLSv1_1_method == 0)
FaoToStdout ("%HTTPD-W-SSL, TLSv1_1_method() unresolved\n");
if (Sesola_TLSv1_2_method == 0)
FaoToStdout ("%HTTPD-W-SSL, TLSv1_2_method() unresolved\n");
SesolaTLS1112 = (Sesola_TLSv1_1_method != 0 && Sesola_TLSv1_2_method != 0);
/* linking with default build of OpenSSL v1.1.0-pre5 */
if (Sesola_SSLv2_method == 0)
FaoToStdout ("%HTTPD-W-SSL, SSLv2_method() unresolved\n");
if (Sesola_SSLv3_method == 0)
FaoToStdout ("%HTTPD-W-SSL, SSLv3_method() unresolved\n");
#endif /* SESOLA_SINCE_110 */
/* command-line parameters, if none then use WASD_SSL_PARAMS */
SslParamsPtr = SesolaParams;
if (!*SslParamsPtr)
if (!(SslParamsPtr = v10orPrev10(CONFIG_SSL_PARAMS,0)))
SslParamsPtr = "";
if (strsame (SslParamsPtr, "/NOSSL", -1))
{
ProtocolHttpsDisabled = true;
FaoToStdout ("%HTTPD-W-SSL, disabled via /NOSSL\n");
return;
}
cfptr = &Config;
if (cfptr->cfSesola.Disabled)
{
ProtocolHttpsDisabled = true;
FaoToStdout ("%HTTPD-W-SSL, disabled via [SecureSocket]\n");
return;
}
/* lots and lots of non-determinate stuff */
RAND_seed (HttpdGblSecPtr, sizeof(HTTPD_GBLSEC));
#if SESOLA_SINCE_110
OPENSSL_init_ssl (0, NULL);
#else
SSL_load_error_strings ();
SSL_library_init ();
#endif
/* see [.APPS]S_SERVER.C */
SesolaSSLoptions = SSL_OP_ALL;
SesolaSSLoptions |= SSL_OP_SINGLE_DH_USE;
SesolaSSLoptions |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
/*********************************/
/* WASD_CONFIG_GLOBAL directives */
/*********************************/
if (cfptr->cfSesola.ProtocolVersion[0])
SesolaInitContext (cfptr->cfSesola.ProtocolVersion, NULL);
if (cfptr->cfSesola.CipherList[0])
SesolaDefaultCipherListPtr = cfptr->cfSesola.CipherList;
if (cfptr->cfSesola.ServerCert[0])
SesolaDefaultCertPtr = cfptr->cfSesola.ServerCert;
if (cfptr->cfSesola.PrivateKey[0])
SesolaDefaultKeyPtr = cfptr->cfSesola.PrivateKey;
if (cfptr->cfSesola.ProtocolOptions[0])
SesolaInitOptions (cfptr->cfSesola.ProtocolOptions, &SesolaSSLoptions);
else
SesolaInitOptions (SesolaDefaultOptions, &SesolaSSLoptions);
if (cfptr->cfSesola.StrictTransSec[0])
SesolaDefaultStrictTransSecPtr = cfptr->cfSesola.StrictTransSec;
if (cfptr->cfSesola.SessionCacheMax < 0)
SesolaSessionCacheSize = 0;
else
if (cfptr->cfSesola.SessionCacheMax)
SesolaSessionCacheSize = cfptr->cfSesola.SessionCacheMax;
if (cfptr->cfSesola.VerifyPeerDataMax < 0)
SesolaVerifyPeerDataMax = 0;
else
if (cfptr->cfSesola.VerifyPeerDataMax)
SesolaVerifyPeerDataMax = cfptr->cfSesola.VerifyPeerDataMax;
else
SesolaVerifyPeerDataMax = SESOLA_VERIFY_PEER_DATA_MAX_DEFAULT;
SesolaVerifyPeerDataMax *= 1024; /* in kBytes */
if (cfptr->cfSesola.InstanceSessionCacheMax)
SesolaCacheRecordMax = cfptr->cfSesola.InstanceSessionCacheMax;
if (cfptr->cfSesola.InstanceSessionCacheSize)
SesolaCacheRecordSize = cfptr->cfSesola.InstanceSessionCacheSize;
if (cfptr->cfSesola.VerifyPeer)
if (!(SesolaDefaultVerifyDepth = cfptr->cfSesola.VerifyPeerDepth))
SesolaDefaultVerifyDepth = 1;
if (cfptr->cfSesola.VerifyPeerCAFile[0])
SesolaDefaultCaFilePtr = cfptr->cfSesola.VerifyPeerCAFile;
SesolaSessionLifetime = cfptr->cfSesola.SessionLifetime;
/*********************************************/
/* command-line overrides WASD_CONFIG_GLOBAL */
/*********************************************/
/* lots of ill-defined historical hodge-podge catered for here */
cptr = SslParamsPtr;
while (*cptr)
{
while (*cptr == '(' || *cptr == ',' || *cptr == ')') cptr++;
sptr = cptr;
while (*cptr && *cptr != ',' && *cptr != ')') cptr++;
if (ch = *(zptr = cptr)) *cptr++ = '\0';
if (!*sptr) break;
if (strsame (sptr, "CAFILE=", 7))
SesolaDefaultCaFilePtr = sptr + 7;
else
if (strsame (sptr, "CERT=", 5))
SesolaDefaultCertPtr = sptr + 5;
else
if (strsame (sptr, "CIPHER=", 7))
SesolaDefaultCipherListPtr = sptr + 7;
else
if (strsame (sptr, "CACHE=", 6))
SesolaSessionCacheSize = atoi(sptr+6);
else
if (strsame (sptr, "ICACHE=SIZE=", 12))
SesolaCacheRecordMax = atoi(sptr+12);
else
if (strsame (sptr, "ICACHE=RECORD=", 14))
SesolaCacheRecordSize = atoi(sptr+14);
else
if (strsame (sptr, "KEY=", 4))
SesolaDefaultKeyPtr = sptr + 4;
else
if (strsame (sptr, "OPTIONS=", 8))
{
/* special case kludge - allow for parentheses :-( */
sptr += 8;
if (*sptr == '(')
{
*zptr = ch;
cptr = ++sptr;
while (*cptr && *cptr != ')') cptr++;
if (ch = *(zptr = cptr)) *cptr++ = '\0';
}
SesolaInitOptions (sptr, &SesolaSSLoptions);
}
else
if (strsame (sptr, "+OP_", 4) ||
strsame (sptr, "+0x", 3))
SesolaInitOptions (sptr, &SesolaSSLoptions);
else
if (strsame (sptr, "-OP_", 4) ||
strsame (sptr, "-0x", 3))
SesolaInitOptions (sptr, &SesolaSSLoptions);
else
if (strsame (sptr, "SNI", -1))
SesolaSNI = true;
else
if (strsame (sptr, "NOSNI", -1))
SesolaSNI = false;
else
if (strsame (sptr, "STRICT=", 7))
SesolaDefaultStrictTransSecPtr = sptr + 7;
else
if (strsame (sptr, "TIMEOUT=", 8))
SesolaSessionCacheTimeout = atoi(sptr+8);
else
if (strsame (sptr, "VERIFY=", 7))
SesolaDefaultVerifyDepth = atoi(sptr+7);
else
/* if not an SSL version parameter */
if (!(strsame(sptr,"SSLv",4) ||
strsame(sptr,"noSSLv",6) ||
strsame(sptr,"TLSv",4) ||
strsame(sptr,"noTLSv",6)))
{
FaoToStdout ("%HTTPD-E-SSL, unknown SSL parameter\n \\!AZ\\\n", sptr);
exit (STS$K_ERROR | STS$M_INHIB_MSG);
}
*zptr = ch;
}
/* process the /SSL= protocol version keywords */
SesolaInitContext (SslParamsPtr, NULL);
/************/
/* finalise */
/************/
/* if no protocol preferences expressed in WASD_CONFIG_GLOBAL or /SSL= */
if (!SesolaVersionBitmap) SesolaInitContext (SesolaDefaultProtocol, NULL);
FaoToStdout ("-SSL-I-PROTOCOL, !AZ\n", SesolaVersionString);
FaoToStdout ("-SSL-I-OPTIONS, 0x!8XL\n", SesolaSSLoptions);
FaoToStdout ("-SSL-!AZ-SNI, Server Name Indication !AZ\n",
SesolaSNI ? "I" : "W",
SesolaSNI ? "enabled" : "disabled");
/* initialise emphemeral DH params */
SesolaTmpDHCallback (NULL, 0, 0);
/* initialise the session ticket key */
SesolaSessionTicketNewKey ();
if (!SesolaDefaultCertPtr)
SesolaDefaultCertPtr = v10orPrev10(CONFIG_SSL_CERT,0);
if (!SesolaDefaultKeyPtr)
SesolaDefaultKeyPtr = v10orPrev10(CONFIG_SSL_KEY,0);
if (!SesolaDefaultCaFilePtr)
SesolaDefaultCaFilePtr = v10orPrev10(CONFIG_SSL_CAFILE,0);
if (!SesolaDefaultCipherListPtr)
if (SesolaDefaultCipherListPtr = v10orPrev10(CONFIG_SSL_CIPHER,0))
if (cptr = SysTrnLnm (SesolaDefaultCipherListPtr))
{
SesolaDefaultCipherListPtr = VmGet (strlen(cptr)+1);
strcpy (SesolaDefaultCipherListPtr, cptr);
}
/*
* A single, global memory BIO can be used when puts(), gets() and other
* OpenSSL string operations are required provided; 1) they are properly
* BIO_reset() after use (and before if you're belt and braces), and 2)
* only used within a (single) AST context (i.e. no concurrent usage).
*/
SesolaBioMemPtr = BIO_new (BIO_s_mem());
if (!SesolaBioMemPtr)
{
FaoToStdout ("-SSL-E-BIO, BIO_new(BIO_s_mem()) failed\n");
exit (STS$K_ERROR | STS$M_INHIB_MSG);
}
}
/*****************************************************************************/
/*
Establish an SSL context using a (WASD) protocol configuration string (from
either the command-line or service protocol configuration field. It ignores
(non-protocol) keywords it doesn't recognise. If a service structure is
supplied it sets that service's SSL context and protocol version string. If no
service struct is passed it configures global values. Returns the number of
protocols configured.
*/
void SesolaInitContext
(
char* ConfigString,
SESOLA_CONTEXT *scptr
)
{
int SSLversion,
SSLoptions,
TLSmax,
TLSmin,
VersionCount;
uint bit;
char ch;
char *cptr, *sptr, *zptr;
SSL_CTX *SslCtx;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaInitContext() !&Z", ConfigString);
if (ProtocolHttpsDisabled) return;
SslCtx = NULL;
SSLoptions = SSLversion = 0;
cptr = ConfigString;
while (*cptr)
{
/* kludge: will see but NO need to allow for (..) */
while (*cptr == '(' || *cptr == ',' || *cptr == ')') cptr++;
sptr = cptr;
while (*cptr && *cptr != ',' && *cptr != ')') cptr++;
if (ch = *(zptr = cptr)) *cptr++ = '\0';
if (!*sptr) break;
#if SESOLA_SINCE_110
if (strsame (sptr, "SSLv2", -1) ||
strsame (sptr, "+SSLv2", -1) ||
strsame (sptr, "noSSLv2", -1) ||
strsame (sptr, "-SSLv2", -1) ||
strsame (sptr, "SSLv3", -1) ||
strsame (sptr, "+SSLv3", -1) ||
strsame (sptr, "noSSLv3", -1) ||
strsame (sptr, "-SSLv3", -1) ||
strsame (sptr, "SSLv2v3", -1) ||
strsame (sptr, "+SSLv2v3", -1))
FaoToStdout ("-SSL-W-PROTOCOL, keyword obsolete\n \\!AZ\\\n", sptr);
else
#else /* SESOLA_SINCE_110 */
if (strsame (sptr, "SSLv2", -1) ||
strsame (sptr, "+SSLv2", -1))
SSLversion |= SESOLA_SSLV2;
else
if (strsame (sptr, "noSSLv2", -1) ||
strsame (sptr, "-SSLv2", -1))
SSLversion &= ~SESOLA_SSLV2;
else
if (strsame (sptr, "SSLv3", -1) ||
strsame (sptr, "+SSLv3", -1))
SSLversion |= SESOLA_SSLV3;
else
if (strsame (sptr, "noSSLv3", -1) ||
strsame (sptr, "-SSLv3", -1))
SSLversion &= ~SESOLA_SSLV3;
else
if (strsame (sptr, "SSLv2v3", -1) ||
strsame (sptr, "+SSLv2v3", -1))
SSLversion |= SESOLA_SSLV2 | SESOLA_SSLV3;
else
#endif /* SESOLA_SINCE_110 */
if (strsame (sptr, "TLSvALL", -1))
{
/* all (known) TLS protocol versions */
SSLversion |= SESOLA_TLSV1;
if (SesolaTLS13)
{
SSLversion |= SESOLA_TLSV1_1;
SSLversion |= SESOLA_TLSV1_2;
SSLversion |= SESOLA_TLSV1_3;
}
else
if (SesolaTLS1112)
{
SSLversion |= SESOLA_TLSV1_1;
SSLversion |= SESOLA_TLSV1_2;
}
}
else
if (strsame (sptr, "TLSv1", -1) ||
strsame (sptr, "+TLSv1", -1))
SSLversion |= SESOLA_TLSV1;
else
if (strsame (sptr, "noTLSv1", -1) ||
strsame (sptr, "-TLSv1", -1))
SSLversion &= ~SESOLA_TLSV1;
else
/* TLS 1.1 and TLS 1.2 */
if (SesolaTLS1112 &&
strsame (sptr, "TLSv1.1", -1) ||
strsame (sptr, "+TLSv1.1", -1) ||
strsame (sptr, "TLSv1_1", -1))
SSLversion |= SESOLA_TLSV1_1;
else
if (SesolaTLS1112 &&
(strsame (sptr, "noTLSv1.1", -1) ||
strsame (sptr, "-TLSv1.1", -1) ||
strsame (sptr, "noTLSv1_1", -1) ||
strsame (sptr, "-TLSv1_1", -1)))
SSLversion &= ~SESOLA_TLSV1_1;
else
if (SesolaTLS1112 &&
strsame (sptr, "TLSv1.2", -1) ||
strsame (sptr, "+TLSv1.2", -1) ||
strsame (sptr, "TLSv1_2", -1))
SSLversion |= SESOLA_TLSV1_2;
else
if (SesolaTLS1112 &&
(strsame (sptr, "noTLSv1.2", -1) ||
strsame (sptr, "-TLSv1.2", -1) ||
strsame (sptr, "noTLSv1_2", -1) ||
strsame (sptr, "-TLSv1_2", -1)))
SSLversion &= ~SESOLA_TLSV1_2;
else
#if SESOLA_SINCE_111
/* TLS 1.3 */
if (SesolaTLS13 &&
strsame (sptr, "TLSv1.3", -1) ||
strsame (sptr, "+TLSv1.3", -1) ||
strsame (sptr, "TLSv1_3", -1))
SSLversion |= SESOLA_TLSV1_3;
else
if (SesolaTLS13 &&
(strsame (sptr, "noTLSv1.3", -1) ||
strsame (sptr, "-TLSv1.3", -1) ||
strsame (sptr, "noTLSv1_3", -1) ||
strsame (sptr, "-TLSv1_3", -1)))
SSLversion &= ~SESOLA_TLSV1_3;
else
#endif /* SESOLA_SINCE_111 */
if (strsame(sptr,"SSLv",4) ||
strsame(sptr,"+SSLv",5) ||
strsame(sptr,"TLSv",4) ||
strsame(sptr,"+TLSv",5) ||
strsame(sptr,"noSSLv",6) ||
strsame(sptr,"-SSLv",5) ||
strsame(sptr,"noTLSv",6) ||
strsame(sptr,"-TLSv",5))
FaoToStdout ("-SSL-W-PROTOCOL, unknown keyword\n \\!AZ\\\n", sptr);
*zptr = ch;
}
VersionCount = 0;
for (bit = 1; bit; bit = bit << 1)
if (SSLversion & bit) VersionCount++;
if (!VersionCount && scptr)
{
/* when configuring a service use the server default */
SSLversion = SesolaVersionBitmap;
for (bit = 1; bit; bit = bit << 1)
if (SSLversion & bit) VersionCount++;
}
if (!VersionCount) return;
if (VersionCount > 1)
{
#if SESOLA_BEFORE_110
/* swiss-army knife method then disable using SesolaVersionOptions */
if (!(SSLversion & SESOLA_SSLV2)) SSLoptions |= SSL_OP_NO_SSLv2;
if (!(SSLversion & SESOLA_SSLV3)) SSLoptions |= SSL_OP_NO_SSLv3;
#endif
if (!(SSLversion & SESOLA_TLSV1)) SSLoptions |= SSL_OP_NO_TLSv1;
if (!(SSLversion & SESOLA_TLSV1_1)) SSLoptions |= SSL_OP_NO_TLSv1_1;
if (!(SSLversion & SESOLA_TLSV1_2)) SSLoptions |= SSL_OP_NO_TLSv1_2;
if (!(SSLversion & SESOLA_TLSV1_3)) SSLoptions |= SSL_OP_NO_TLSv1_3;
}
#if SESOLA_BEFORE_110
if (VersionCount > 1)
SslCtx = SSL_CTX_new (SSLv23_method());
else
if (SSLversion & SESOLA_SSLV2 && Sesola_SSLv2_method)
SslCtx = SSL_CTX_new (Sesola_SSLv3_method());
else
if (SSLversion & SESOLA_SSLV3 && Sesola_SSLv3_method)
SslCtx = SSL_CTX_new (Sesola_SSLv3_method());
else
if (SSLversion & SESOLA_TLSV1)
SslCtx = SSL_CTX_new (TLSv1_method());
else
if (SesolaTLS1112)
{
if (SSLversion & SESOLA_TLSV1_1)
SslCtx = SSL_CTX_new (TLSv1_1_method());
else
if (SSLversion & SESOLA_TLSV1_2)
SslCtx = SSL_CTX_new (TLSv1_2_method());
}
if (SslCtx == NULL)
{
SesolaPrintOpenSslErrorList ();
ErrorExitVmsStatus (0, "SSL_CTX_new()", FI_LI);
}
#else /* SESOLA_BEFORE_110 */
TLSmin = TLSmax = 0;
if (SSLversion & SESOLA_TLSV1) TLSmin = TLSmax = TLS1_VERSION;
if (SSLversion & SESOLA_TLSV1_1 && !TLSmin) TLSmin = TLS1_1_VERSION;
if (SSLversion & SESOLA_TLSV1_1) TLSmax = TLS1_1_VERSION;
if (SSLversion & SESOLA_TLSV1_2 && !TLSmin) TLSmin = TLS1_2_VERSION;
if (SSLversion & SESOLA_TLSV1_2) TLSmax = TLS1_2_VERSION;
#if SESOLA_SINCE_111
if (SSLversion & SESOLA_TLSV1_3 && !TLSmin) TLSmin = TLS1_3_VERSION;
if (SSLversion & SESOLA_TLSV1_3) TLSmax = TLS1_3_VERSION;
#endif
SslCtx = SSL_CTX_new (TLS_method());
if (SslCtx == NULL)
{
SesolaPrintOpenSslErrorList ();
ErrorExitVmsStatus (0, "SSL_CTX_new()", FI_LI);
}
if (!SSL_CTX_set_min_proto_version (SslCtx, TLSmin))
{
SesolaPrintOpenSslErrorList ();
ErrorExitVmsStatus (0, "SSL_CTX_set_min_proto_version()", FI_LI);
}
if (!SSL_CTX_set_max_proto_version (SslCtx, TLSmax))
{
SesolaPrintOpenSslErrorList ();
ErrorExitVmsStatus (0, "SSL_CTX_set_max_proto_version()", FI_LI);
}
#endif /* SESOLA_BEFORE_110 */
if (scptr)
cptr = scptr->VersionStringPtr = VmGet(sizeof(SesolaVersionString));
else
/* this string will be the default config for any service */
cptr = SesolaVersionString;
*(sptr = cptr) = '\0';
#if SESOLA_BEFORE_110
if (SSLversion & SESOLA_SSLV2)
sptr += sprintf(sptr, "SSLv2");
if (SSLversion & SESOLA_SSLV3)
sptr += sprintf(sptr, "%sSSLv3", *cptr ? "," : "");
#endif
if (SSLversion & SESOLA_TLSV1)
sptr += sprintf(sptr, "%sTLSv1", *cptr ? "," : "");
if (SSLversion & SESOLA_TLSV1_1)
sptr += sprintf(sptr, "%sTLSv1.1", *cptr ? "," : "");
if (SSLversion & SESOLA_TLSV1_2)
sptr += sprintf(sptr, "%sTLSv1.2", *cptr ? "," : "");
#if SESOLA_SINCE_111
if (SSLversion & SESOLA_TLSV1_3)
sptr += sprintf(sptr, "%sTLSv1.3", *cptr ? "," : "");
#endif
if (!*cptr) ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
if (SslCtx)
{
if (scptr)
{
/* initialising a service */
scptr->SslCtx = SslCtx;
scptr->VersionBitmap = SSLversion;
scptr->VersionOptions = SSLoptions;
}
else
{
/* initialising Secure Sockets capability */
free (SslCtx);
/* first from WASD_CONFIG_GLOBAL then second from /SSL= */
if (SSLversion) SesolaVersionBitmap = SSLversion;
if (SSLoptions) SesolaVersionOptions = SSLoptions;
}
}
}
/*****************************************************************************/
/*
Return an integer representing the OpenSSL options bitmask.
If the OptionsPtr is provided then use and set this value.
*/
uint SesolaInitOptions
(
char* ConfigString,
uint *OptionsPtr
)
{
uint options;
char ch;
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaInitOptions() !&Z", ConfigString);
if (OptionsPtr)
options = *OptionsPtr;
else
options = 0;
cptr = ConfigString;
while (*cptr)
{
/* kludge: never see parentheses */
while (*cptr == ',') cptr++;
sptr = cptr;
while (*cptr && *cptr != ',') cptr++;
if (ch = *(zptr = cptr)) *cptr++ = '\0';
if (!*sptr) break;
if (strsame(sptr,"0x",2))
/* will fully overwrite and therefore if used then use first */
options = (ulong)strtoul (sptr, NULL, 16);
else
if (strsame(sptr,"+0x",3))
/* bitwise OR this into the options */
options |= (ulong)strtoul (sptr+1, NULL, 16);
else
if (strsame(sptr,"-0x",3))
/* bitwise AND this from the options */
options &= ~(ulong)strtoul (sptr+1, NULL, 16);
else
if (strsame (sptr, "+OP_ALL", -1))
options |= SSL_OP_ALL;
else
if (strsame (sptr, "-OP_ALL", -1))
options &= ~SSL_OP_ALL;
else
if (strsame (sptr, "+OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", -1) ||
strsame (sptr, "+OP_LEG_REN", -1))
options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
else
if (strsame (sptr, "-OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", -1) ||
strsame (sptr, "-OP_LEG_REN", -1))
options &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
else
if (strsame (sptr, "+OP_CIPHER_SERVER_PREFERENCE", -1))
options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
else
if (strsame (sptr, "-OP_CIPHER_SERVER_PREFERENCE", -1))
options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
else
if (strsame (sptr, "+OP_LEGACY_SERVER_CONNECT", -1))
options |= SSL_OP_LEGACY_SERVER_CONNECT;
else
if (strsame (sptr, "-OP_LEGACY_SERVER_CONNECT", -1))
options &= ~SSL_OP_LEGACY_SERVER_CONNECT;
else
if (strsame (sptr, "+OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", -1) ||
strsame (sptr, "+OP_NO_SES_RES", -1))
options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
else
if (strsame (sptr, "-OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", -1) ||
strsame (sptr, "-OP_NO_SES_RES", -1))
options &= ~SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
else
if (strsame (sptr, "+OP_NO_TICKET", -1))
options |= SSL_OP_NO_TICKET;
else
if (strsame (sptr, "-OP_NO_TICKET", -1))
options &= ~SSL_OP_NO_TICKET;
else
if (strsame (sptr, "+OP_SINGLE_DH_USE", -1) ||
strsame (sptr, "+OP_SING_DH", -1))
options |= SSL_OP_SINGLE_DH_USE;
else
if (strsame (sptr, "-OP_SINGLE_DH_USE", -1) ||
strsame (sptr, "-OP_SINGLE_DH", -1))
options &= ~SSL_OP_SINGLE_DH_USE;
else
if (strsame (sptr, "+OP_TLS_ROLLBACK_BUG", -1))
options |= SSL_OP_TLS_ROLLBACK_BUG;
else
if (strsame (sptr, "-OP_TLS_ROLLBACK_BUG", -1))
options &= ~SSL_OP_TLS_ROLLBACK_BUG;
else
if (*sptr != '+' && *sptr != '-' && !strsame(sptr,"0x",2))
FaoToStdout ("-SSL-W-OPTIONS, unknown keyword\n \\!AZ\\\n", sptr);
*zptr = ch;
}
if (OptionsPtr) *OptionsPtr = options;
return (options);
}
/*****************************************************************************/
/*
Called during service configuration to initialize an SSL service. SSL services
are either created from scratch or if sharing an IP address and port with
another SSL service are "cloned". Can also be called to implement server
"certificate reload", for which the only approach seems to be to tear-down the
existing SSL context and create a completely new one - we'll see!
*/
BOOL SesolaInitService (SERVICE_STRUCT *svptr)
{
BOOL CipherListSupplied,
KeySupplied,
StrictTransSecSupplied,
VerifyCAConfigured;
int value,
LocalOptions,
VerifyMode;
uint options;
ulong ErrorNumber;
char *cptr, *pemptr, *sptr;
RSA *RsaPtr;
SERVICE_STRUCT *tsvptr;
SESOLA_CONTEXT *scptr, *ssptr;
SSL_CTX *SslCtx;
X509 *CertPtr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaInitService() !&X", svptr->SSLserverPtr);
FaoToStdout ("%HTTPD-I-SSL, !AZ\n", svptr->ServerHostPort);
if (ProtocolHttpsDisabled)
{
FaoToStdout ("-HTTPD-W-SSL, disabled\n");
return (false);
}
if (!(scptr = (SESOLA_CONTEXT*)svptr->SSLserverPtr)) return (false);
if (CliDemo)
{
scptr->CaFilePtr = scptr->CertFilePtr =
scptr->CipherListPtr = scptr->KeyFilePtr =
scptr->StrictTransSecPtr = "";
}
else
{
SesolaInitCertFile (svptr);
KeySupplied = false;
if (scptr->KeyFile[0])
{
KeySupplied = true;
scptr->KeyFilePtr = scptr->KeyFile;
}
else
{
if (scptr->CertFilePtr[0])
{
/* service has a specific certificate, assume the key's in that */
if (scptr->CertFilePtr[0] == '+')
scptr->KeyFilePtr = "";
else
scptr->KeyFilePtr = scptr->CertFilePtr;
}
else
if (SesolaDefaultKeyPtr)
{
/* use the separately specified key */
KeySupplied = true;
scptr->KeyFilePtr = SesolaDefaultKeyPtr;
}
else
{
/* if no default key then assume it's in the certificate file */
scptr->KeyFilePtr = scptr->CertFilePtr;
}
}
CipherListSupplied = false;
if (scptr->CipherList[0])
{
CipherListSupplied = true;
scptr->CipherListPtr = scptr->CipherList;
}
else
{
if (SesolaDefaultCipherListPtr)
{
CipherListSupplied = true;
scptr->CipherListPtr = SesolaDefaultCipherListPtr;
}
else
scptr->CipherListPtr = "";
}
if (scptr->CaFile[0])
{
VerifyCAConfigured = true;
scptr->CaFilePtr = scptr->CaFile;
}
else
{
if (SesolaDefaultCaFilePtr)
{
VerifyCAConfigured = true;
scptr->CaFilePtr = SesolaDefaultCaFilePtr;
}
else
{
VerifyCAConfigured = false;
scptr->CaFilePtr = "";
}
}
if (scptr->CaFilePtr[0])
/* set the global boolean as well (never reset it!) */
VerifyCAConfigured = SesolaVerifyCAConfigured = true;
else
VerifyCAConfigured = false;
if (isdigit(scptr->StrictTransSec[0]))
{
StrictTransSecSupplied = true;
scptr->StrictTransSecPtr = scptr->StrictTransSec;
}
else
{
if (SesolaDefaultStrictTransSecPtr &&
isdigit(*SesolaDefaultStrictTransSecPtr))
{
StrictTransSecSupplied = true;
scptr->StrictTransSecPtr = SesolaDefaultStrictTransSecPtr;
}
else
{
StrictTransSecSupplied = false;
scptr->StrictTransSecPtr = "";
}
}
if (KeySupplied)
FaoToStdout ("-SSL-I-KEY, !AZ\n", scptr->KeyFilePtr);
if (CipherListSupplied)
FaoToStdout ("-SSL-I-CIPHER, !AZ\n", scptr->CipherListPtr);
if (VerifyCAConfigured)
FaoToStdout ("-SSL-I-CAFILE, !AZ\n", scptr->CaFilePtr);
if (scptr->StrictTransSecPtr[0])
FaoToStdout ("-SSL-I-STRICT, HSTS transport security enabled\n");
else
FaoToStdout ("-SSL-W-STRICT, HSTS transport security disabled\n");
}
#if WATCH_OPENSSL_30
int64 dura64;
WatchDuration (&dura64, 0, 0);
#endif
SesolaInitContext (scptr->VersionString, svptr->SSLserverPtr);
SslCtx = ((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx;
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
cptr = scptr->CertFilePtr;
if (*cptr && *cptr != '+')
value = SSL_CTX_use_certificate_chain_file (SslCtx, cptr);
else
{
if (*cptr == '+' && isalpha(*(cptr+1)))
pemptr = SesolaMkCert(cptr+1);
else
pemptr = SesolaMkCert (svptr->ServerHostName);
BIO_reset (SesolaBioMemPtr);
BIO_puts (SesolaBioMemPtr, pemptr);
CertPtr = PEM_read_bio_X509 (SesolaBioMemPtr, NULL, NULL, NULL);
if (CertPtr)
{
value = SSL_CTX_use_certificate (SslCtx, CertPtr);
X509_free (CertPtr);
}
else
value = 0;
BIO_reset (SesolaBioMemPtr);
scptr->KeyFilePtr = "";
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (!value)
{
SesolaPrintOpenSslErrorList ();
scptr->SslCtx = (void*)NULL;
return (false);
}
/* combination of SSL version disables and configured discrete options */
if (scptr->VersionOptions)
options = scptr->VersionOptions | SesolaSSLoptions;
else
options = SesolaVersionOptions | SesolaSSLoptions;
SesolaPrivateKeyPasswdAttempt = 1;
for (;;)
{
/* set private key password callback */
SSL_CTX_set_default_passwd_cb (SslCtx, &SesolaPrivateKeyPasswd);
SSL_CTX_set_default_passwd_cb_userdata (SslCtx, svptr);
SesolaPrivateKeyPasswdRequested = false;
if (scptr->KeyFilePtr[0])
value = SSL_CTX_use_RSAPrivateKey_file (SslCtx,
scptr->KeyFilePtr,
SSL_FILETYPE_PEM);
else
{
BIO_reset (SesolaBioMemPtr);
BIO_puts (SesolaBioMemPtr, pemptr);
RsaPtr = PEM_read_bio_RSAPrivateKey (SesolaBioMemPtr, NULL,
&SesolaPrivateKeyPasswd, scptr);
if (RsaPtr)
{
value = SSL_CTX_use_RSAPrivateKey (SslCtx, RsaPtr);
RSA_free (RsaPtr);
}
else
value = 0;
BIO_reset (SesolaBioMemPtr);
}
/* reset private key password callback */
SSL_CTX_set_default_passwd_cb (SslCtx, NULL);
SSL_CTX_set_default_passwd_cb_userdata (SslCtx, svptr);
if (value)
{
if (SesolaPrivateKeyPasswdRequested && OpcomMessages)
FaoToOpcom ("%HTTPD-I-PKPASSWD, password accepted");
break;
}
ErrorNumber = ERR_peek_error ();
SesolaPrintOpenSslErrorList ();
if (SesolaPrivateKeyPasswdRequested &&
ERR_GET_LIB(ErrorNumber) == ERR_LIB_EVP &&
/* obsolete from OpenSSL 3.0 */
// ERR_GET_FUNC(ErrorNumber) == EVP_F_EVP_DECRYPTFINAL_EX &&
ERR_GET_REASON(ErrorNumber) == EVP_R_BAD_DECRYPT)
{
if (++SesolaPrivateKeyPasswdAttempt <= SESOLA_PKPASSWD_ATTEMPTS)
{
/* give the controlling ControlLocalCommand() a chance to notice */
sleep (2);
continue;
}
}
if (OpcomMessages) FaoToOpcom ("-SSL-E-PKPASSWD, password not accepted");
scptr->SslCtx = (void*)NULL;
return (false);
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
value = SSL_CTX_check_private_key (SslCtx);
if (!value)
{
SesolaPrintOpenSslErrorList ();
scptr->SslCtx = (void*)NULL;
return (false);
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (*(cptr = scptr->CipherListPtr))
{
if (*cptr == '+' || *cptr == '-' || *cptr == '!')
{
/* modifying the default cipher list */
sptr = VmGet (sizeof(SESOLA_DEFAULT_CIPHER_LIST)+strlen(cptr)+4);
sprintf (sptr, "%s :: %s", SESOLA_DEFAULT_CIPHER_LIST, cptr);
scptr->CipherListPtr = cptr = sptr;
}
}
else
cptr = SESOLA_DEFAULT_CIPHER_LIST;
if (!SSL_CTX_set_cipher_list (SslCtx, cptr))
{
SesolaPrintOpenSslErrorList ();
scptr->SslCtx = (void*)NULL;
return (false);
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (SesolaTmpDHbitsPtr)
{
#ifdef SSL_CTX_set_ecdh_auto
SSL_CTX_set_ecdh_auto (SslCtx, 1);
#endif
SSL_CTX_set_tmp_dh_callback (SslCtx, SesolaTmpDHCallback);
options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (SesolaSessionCacheSize)
{
if (SesolaSessionCacheSize < SESOLA_DEFAULT_CACHE_RECORD_MAX)
SesolaSessionCacheSize = SESOLA_DEFAULT_CACHE_RECORD_MAX;
SSL_CTX_set_session_cache_mode (SslCtx, SSL_SESS_CACHE_SERVER);
SSL_CTX_sess_set_cache_size (SslCtx, SesolaSessionCacheSize);
if (scptr->SessionLifetime)
SSL_CTX_set_timeout (SslCtx, scptr->SessionLifetime);
else
if (SesolaSessionLifetime)
SSL_CTX_set_timeout (SslCtx, SesolaSessionLifetime);
else
SSL_CTX_set_timeout (SslCtx, SesolaSessionCacheTimeout*60);
/* inter-process session cache (if multiple per-node "instances") */
if (InstanceNodeConfig > 1)
{
SSL_CTX_sess_set_new_cb (SslCtx, &SesolaCacheAddRecord);
SSL_CTX_sess_set_get_cb (SslCtx, &SesolaCacheFindRecord);
SSL_CTX_sess_set_remove_cb (SslCtx, &SesolaCacheRemoveRecord);
}
}
else
{
SSL_CTX_set_session_cache_mode (SslCtx, SSL_SESS_CACHE_OFF);
if (scptr->SessionLifetime)
SSL_CTX_set_timeout (SslCtx, scptr->SessionLifetime);
else
if (SesolaSessionLifetime)
SSL_CTX_set_timeout (SslCtx, SesolaSessionLifetime);
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (!(options & SSL_OP_NO_TICKET))
{
#ifndef SESOLA_SESSION_TICKET_CALLBACK
#define SESOLA_SESSION_TICKET_CALLBACK 1
#endif
#if SESOLA_SESSION_TICKET_CALLBACK
SSL_CTX_set_tlsext_ticket_key_cb (SslCtx, SesolaSessionTicketCallback);
#else
SSL_CTX_set_tlsext_ticket_keys (SslCtx, SesolaTicketKey,
sizeof(SesolaTicketKey));
#endif
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (scptr->VerifyPeer == SESOLA_VERIFY_PEER_OPTIONAL)
VerifyMode = SSL_VERIFY_PEER;
else
if (scptr->VerifyPeer == SESOLA_VERIFY_PEER_REQUIRED)
VerifyMode = SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
else
VerifyMode = SSL_VERIFY_NONE;
SSL_CTX_set_verify (SslCtx, VerifyMode, &SesolaCertVerifyCallback);
if (scptr->VerifyDepth)
SSL_CTX_set_verify_depth (SslCtx, scptr->VerifyDepth);
else
SSL_CTX_set_verify_depth (SslCtx, SesolaDefaultVerifyDepth);
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (scptr->CaFilePtr[0])
{
value = SSL_CTX_load_verify_locations (SslCtx,
scptr->CaFilePtr,
NULL);
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (value) value = SSL_CTX_set_default_verify_paths (SslCtx);
if (!value)
{
SesolaPrintOpenSslErrorList ();
FaoToStdout ("-SSL-W-VERIFY, peer verification not enabled\n");
scptr->SslCtx = (void*)NULL;
return (false);
}
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
/* the session ID ctx needs to be shared between instances or tickets fail */
if (!SSL_CTX_set_session_id_context (SslCtx, SesolaSessionId,
sizeof(SesolaSessionId)))
{
SesolaPrintOpenSslErrorList ();
FaoToStdout ("-SSL-W-SESSID, set CTX session ID failed\n");
scptr->SslCtx = (void*)NULL;
return (false);
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
if (SesolaSNI)
{
if (scptr->VersionBitmap & SESOLA_TLSV1 ||
scptr->VersionBitmap & SESOLA_TLSV1_1 ||
#if SESOLA_SINCE_111
scptr->VersionBitmap & SESOLA_TLSV1_2 ||
scptr->VersionBitmap & SESOLA_TLSV1_3)
#else
scptr->VersionBitmap & SESOLA_TLSV1_2)
#endif
{
/* enable Server Name Indication */
if (!SSL_CTX_set_tlsext_servername_callback (SslCtx,
SesolaSNICallback))
{
SesolaSNI = false;
FaoToStdout ("%HTTPD-E-SSL, SNI unsupported by SSL library\n");
}
else
SSL_CTX_set_tlsext_servername_arg (SslCtx, 0);
}
}
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
#if SESOLA_SINCE_111
if (scptr->VersionBitmap & SESOLA_TLSV1_2 ||
scptr->VersionBitmap & SESOLA_TLSV1_3)
{
/* enable Application Level Prototocol Negotiation */
SSL_CTX_set_alpn_select_cb (SslCtx, SesolaALPNCallback, NULL);
}
#else
#if SESOLA_SINCE_102
if (scptr->VersionBitmap & SESOLA_TLSV1_2)
{
/* enable Application Level Prototocol Negotiation */
SSL_CTX_set_alpn_select_cb (SslCtx, SesolaALPNCallback, NULL);
}
#endif
#endif
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
SSL_CTX_set_options (SslCtx, options);
#if WATCH_OPENSSL_30
WatchDuration (&dura64, FI_LI);
#endif
return (true);
}
/*****************************************************************************/
/*
Return the number of TLS services in the global list.
*/
int SesolaServiceCount ()
{
int count;
SERVICE_STRUCT *svptr;
/*********/
/* begin */
/*********/
count = 0;
LIST_ITERATE (svptr, &ServiceList)
if (svptr->SchemeType == SCHEME_HTTPS) count++;
return (count);
}
/*****************************************************************************/
/*
Command-line service certificate reload function.
It seems to be able to be done with impunity and as often as might be
necessary. In-progress TLS requests continue unaffected. Hmmm. Too good to
be true? Perhaps. Of course, OpenSSL objects, including the likes of service
"contexts" and connections in-progress, are reference-counted and so can be
free()d while in use, with resources returned to pools when the references drop
to zero. In the case of memory, this may not reappear as unused until some
time after the reset.
*/
void SesolaControlReloadCerts ()
{
int ErrorCount,
SSLcount,
ReloadCount;
char *cptr;
SESOLA_CONTEXT *scptr;
SERVICE_STRUCT *svptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaControlReloadCerts()");
/* enable SYSPRV to allow access to protected (certificate) files */
sys$setprv (1, &SysPrvMask, 0, 0);
ErrorCount = SSLcount = ReloadCount = 0;
LIST_ITERATE (svptr, &ServiceList)
{
if (svptr->SchemeType != SCHEME_HTTPS) continue;
SSLcount++;
scptr = (SESOLA_CONTEXT*)svptr->SSLserverPtr;
if (!scptr) continue;
if (!scptr->SslCtx) continue;
SSL_CTX_free ((SSL_CTX*)scptr->SslCtx);
scptr->SslCtx = NULL;
if (SesolaInitService (svptr))
ReloadCount++;
else
ErrorCount++;
}
sys$setprv (0, &SysPrvMask, 0, 0);
if (WATCH_CATEGORY (WATCH_INTERNAL))
WatchThis (WATCHALL, WATCH_INTERNAL,
"SSL (re)load !UL of !UL SSL certificates!&@",
ReloadCount, SSLcount,
ErrorCount ? ", !UL error!%s" : "", ErrorCount);
FaoToStdout ("%HTTPD-I-SSL, \
(re)load !UL of !UL SSL certificates!&@\n",
ReloadCount, SSLcount,
ErrorCount ? ", !UL error!%s" : "", ErrorCount);
if (OpcomMessages & OPCOM_HTTPD ||
OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom ("%HTTPD-I-SSL, \
(re)load !UL of !UL SSL certificates!&@",
ReloadCount, SSLcount,
ErrorCount ? ", !UL error!%s" : "", ErrorCount);
}
/*****************************************************************************/
/*
Parse the (potentially wildcarded) certificate file specification into an
actual certificate file name. The token ':*' inserts the port, and '*' inserts
the service host name (ODS-5 compatible, to make it ODS-2 compatible use '**').
Any other character is inserted as-is. Examples:
wasd_root:[local]*_bundle.crt -> wasd_root:[local]the^.host^.name_bundle.crt
wasd_root:[local]*_:*_bundle.crt -> wasd_root:[local]the^.host^.name_443_bundle.crt
wasd_root:[local]**_bundle.crt -> wasd_root:[local]the_host_name_bundle.crt
*/
void SesolaInitCertFile (SERVICE_STRUCT *svptr)
{
BOOL NameHit,
PortHit;
char CertFile [256];
char *aptr, *cptr, *sptr, *zptr;
SESOLA_CONTEXT *scptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaInitCertFile()");
if (!(scptr = (SESOLA_CONTEXT*)svptr->SSLserverPtr)) return;
if (scptr->CertFile[0])
scptr->CertFilePtr = scptr->CertFile;
else
if (SesolaDefaultCertPtr)
scptr->CertFilePtr = SesolaDefaultCertPtr;
else
scptr->CertFilePtr = "";
if (strchr(scptr->CertFilePtr,'*'))
{
NameHit = PortHit = false;
zptr = (sptr = CertFile) + sizeof(CertFile)-1;
cptr = scptr->CertFilePtr;
while (*cptr && sptr < zptr)
{
if (NameHit && !PortHit && *(ushort*)cptr == ':*')
{
PortHit = true;
cptr += 2;
for (aptr = svptr->ServerPortString;
*aptr && sptr < zptr;
*sptr++ = *aptr++);
}
else
if (!NameHit && *cptr == '*')
{
NameHit = true;
cptr++;
if (*cptr == '*')
{
/* ODS-2 compatibility */
cptr++;
for (aptr = svptr->ServerHostName; *aptr && sptr < zptr; aptr++)
if (*aptr == '.')
*sptr++ = '_';
else
*sptr++ = *aptr;
}
else
{
/* ODS-5 compatibility */
for (aptr = svptr->ServerHostName;
*aptr && sptr < zptr;
*sptr++ = *aptr++);
}
}
else
*sptr++ = *cptr++;
}
*sptr = '\0';
scptr->CertFilePtr = VmGet (sptr - CertFile + 1);
memcpy (scptr->CertFilePtr, CertFile, sptr - CertFile);
}
FaoToStdout ("-SSL-I-CERT, !AZ\n", scptr->CertFilePtr &&
scptr->CertFilePtr[0] ?
scptr->CertFilePtr :
"none - make ex nihilo");
}
/*****************************************************************************/
/*
Configure the basics of the SSL client service (i.e. can originate outgoing SSL
sessions with SSL servers). Used by the HTTP-SSL proxy (gateway) service.
*/
BOOL SesolaInitClientService (SERVICE_STRUCT *svptr)
{
BOOL CipherListSupplied,
KeySupplied;
int value;
ulong ErrorNumber;
char *cptr, *pemptr, *sptr;
RSA *RsaPtr;
SSL_CTX *SslCtx;
SESOLA_CONTEXT *scptr;
X509 *CertPtr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaInitClientService()");
if (ProtocolHttpsDisabled)
{
FaoToStdout ("-HTTPD-W-SSL, disabled\n");
return (false);
}
if (!svptr->SSLclientPtr)
{
/* no client-specific context, use any associated server context */
if (svptr->SSLserverPtr)
{
svptr->SSLclientPtr = VmGet (sizeof(SESOLA_CONTEXT));
memcpy (svptr->SSLclientPtr,
svptr->SSLserverPtr,
sizeof(SESOLA_CONTEXT));
}
}
if (!(scptr = (SESOLA_CONTEXT*)svptr->SSLclientPtr)) return (false);
if (scptr->CertFile[0])
scptr->CertFilePtr = scptr->CertFile;
else
if (SesolaDefaultCertPtr)
scptr->CertFilePtr = SesolaDefaultCertPtr;
else
scptr->CertFilePtr = "";
KeySupplied = false;
if (scptr->KeyFile[0])
{
KeySupplied = true;
scptr->KeyFilePtr = scptr->KeyFile;
}
else
{
if (scptr->CertFilePtr[0])
{
/* service has a specific certificate, assume the key's in that */
if (scptr->CertFilePtr[0] == '+')
scptr->KeyFilePtr = "";
else
scptr->KeyFilePtr = scptr->CertFilePtr;
}
else
if (SesolaDefaultKeyPtr)
{
/* use the separately specified key */
KeySupplied = true;
scptr->KeyFilePtr = SesolaDefaultKeyPtr;
}
else
{
/* if no default key then assume it's in the certificate file */
scptr->KeyFilePtr = scptr->CertFilePtr;
}
}
if (scptr->CipherList[0])
{
CipherListSupplied = true;
scptr->CipherListPtr = scptr->CipherList;
}
else
{
if (SesolaDefaultCipherListPtr)
{
CipherListSupplied = true;
scptr->CipherListPtr = "";
}
else
{
CipherListSupplied = false;
scptr->CipherListPtr = "";
}
}
if (scptr->CaFile[0])
scptr->CaFilePtr = scptr->CaFile;
else
if (SesolaDefaultCaFilePtr)
scptr->CaFilePtr = SesolaDefaultCaFilePtr;
else
scptr->CaFilePtr = "";
if (CipherListSupplied)
FaoToStdout ("-SSL-I-CIPHER, (a/client) !AZ\n", scptr->CipherListPtr);
if (scptr->VerifyCA)
FaoToStdout ("-SSL-I-CAFILE, (a/client) !AZ\n", scptr->CaFilePtr);
SesolaInitContext (scptr->VersionString, svptr->SSLclientPtr);
SslCtx = ((SESOLA_CONTEXT*)svptr->SSLclientPtr)->SslCtx;
FaoToStdout ("-SSL-I-PROTOCOL, (a/client) version !AZ\n",
scptr->VersionStringPtr);
cptr = scptr->CertFilePtr;
if (*cptr && *cptr != '+')
value = SSL_CTX_use_certificate_chain_file (SslCtx, cptr);
else
{
if (*cptr == '+' && isalpha(*(cptr+1)))
pemptr = SesolaMkCert(cptr+1);
else
pemptr = SesolaMkCert (svptr->ServerHostName);
BIO_reset (SesolaBioMemPtr);
BIO_puts (SesolaBioMemPtr, pemptr);
CertPtr = PEM_read_bio_X509 (SesolaBioMemPtr, NULL, NULL, NULL);
if (CertPtr)
{
value = SSL_CTX_use_certificate (SslCtx, CertPtr);
X509_free (CertPtr);
}
else
value = 0;
BIO_reset (SesolaBioMemPtr);
scptr->KeyFilePtr = "";
}
if (!value)
{
SesolaPrintOpenSslErrorList ();
scptr->SslCtx = (void*)NULL;
return (false);
}
SesolaPrivateKeyPasswdAttempt = 1;
for (;;)
{
/* set private key password callback */
SSL_CTX_set_default_passwd_cb (SslCtx, &SesolaPrivateKeyPasswd);
SSL_CTX_set_default_passwd_cb_userdata (SslCtx, svptr);
SesolaPrivateKeyPasswdRequested = false;
if (scptr->KeyFilePtr[0])
value = SSL_CTX_use_RSAPrivateKey_file (SslCtx,
scptr->KeyFilePtr,
SSL_FILETYPE_PEM);
else
{
BIO_reset (SesolaBioMemPtr);
BIO_puts (SesolaBioMemPtr, pemptr);
RsaPtr = PEM_read_bio_RSAPrivateKey (SesolaBioMemPtr, NULL,
&SesolaPrivateKeyPasswd, scptr);
if (RsaPtr)
{
value = SSL_CTX_use_RSAPrivateKey (SslCtx, RsaPtr);
RSA_free (RsaPtr);
}
else
value = 0;
BIO_reset (SesolaBioMemPtr);
}
/* reset private key password callback */
SSL_CTX_set_default_passwd_cb (SslCtx, NULL);
SSL_CTX_set_default_passwd_cb_userdata (SslCtx, svptr);
if (value)
{
if (SesolaPrivateKeyPasswdRequested && OpcomMessages)
FaoToOpcom ("%HTTPD-I-PKPASSWD, password accepted");
break;
}
ErrorNumber = ERR_peek_error ();
SesolaPrintOpenSslErrorList ();
if (SesolaPrivateKeyPasswdRequested &&
ERR_GET_LIB(ErrorNumber) == ERR_LIB_EVP &&
/* obsolete from v3.0 */
#if !SESOLA_SINCE_111
ERR_GET_FUNC(ErrorNumber) == EVP_F_EVP_DECRYPTFINAL_EX &&
#endif
ERR_GET_REASON(ErrorNumber) == EVP_R_BAD_DECRYPT)
{
if (++SesolaPrivateKeyPasswdAttempt <= SESOLA_PKPASSWD_ATTEMPTS)
{
/* give the controlling ControlLocalCommand() a chance to notice */
sleep (2);
continue;
}
}
if (OpcomMessages) FaoToOpcom ("-SSL-E-PKPASSWD, password not accepted");
scptr->SslCtx = (void*)NULL;
return (false);
}
value = SSL_CTX_check_private_key (SslCtx);
if (!value)
{
SesolaPrintOpenSslErrorList ();
scptr->SslCtx = (void*)NULL;
return (false);
}
if (*(cptr = scptr->CipherListPtr))
{
if (*cptr == '+' || *cptr == '-' || *cptr == '!')
{
/* modifying the default cipher list */
sptr = VmGet (sizeof(SESOLA_DEFAULT_CIPHER_LIST)+strlen(cptr)+4);
sprintf (sptr, "%s :: %s", SESOLA_DEFAULT_CIPHER_LIST, cptr);
scptr->CipherListPtr = cptr = sptr;
}
}
else
cptr = SESOLA_DEFAULT_CIPHER_LIST;
if (!SSL_CTX_set_cipher_list (SslCtx, cptr))
{
SesolaPrintOpenSslErrorList ();
scptr->SslCtx = (void*)NULL;
return (false);
}
if (SesolaSessionCacheSize)
{
if (SesolaSessionCacheSize < SESOLA_DEFAULT_CACHE_RECORD_MAX)
SesolaSessionCacheSize = SESOLA_DEFAULT_CACHE_RECORD_MAX;
SSL_CTX_set_session_cache_mode (SslCtx, SSL_SESS_CACHE_SERVER);
SSL_CTX_sess_set_cache_size (SslCtx, SesolaSessionCacheSize);
SSL_CTX_set_timeout (SslCtx, SesolaSessionCacheTimeout*60);
/* inter-process session cache (if multiple per-node "instances") */
if (InstanceNodeConfig > 1)
{
SSL_CTX_sess_set_new_cb (SslCtx, &SesolaCacheAddRecord);
SSL_CTX_sess_set_get_cb (SslCtx, &SesolaCacheFindRecord);
SSL_CTX_sess_set_remove_cb (SslCtx, &SesolaCacheRemoveRecord);
}
}
else
SSL_CTX_set_session_cache_mode (SslCtx, SSL_SESS_CACHE_OFF);
if (scptr->VerifyCA)
SSL_CTX_set_verify (SslCtx, SSL_VERIFY_CLIENT_ONCE,
&SesolaCertVerifyCallback);
else
SSL_CTX_set_verify (SslCtx, SSL_VERIFY_NONE,
&SesolaCertVerifyCallback);
SSL_CTX_set_verify_depth (SslCtx, SesolaDefaultVerifyDepth);
if (scptr->CaFilePtr[0])
{
value = SSL_CTX_load_verify_locations (SslCtx,
scptr->CaFilePtr,
NULL);
if (value) value = SSL_CTX_set_default_verify_paths (SslCtx);
if (!value)
{
SesolaPrintOpenSslErrorList ();
FaoToStdout ("-SSL-W-SSL, (a/client) CA verification not enabled\n");
scptr->SslCtx = (void*)NULL;
return (false);
}
}
/* combination of SSL version disables and configured discrete options */
if (scptr->VersionOptions)
SSL_CTX_set_options (SslCtx, (scptr->VersionOptions | SesolaSSLoptions));
else
SSL_CTX_set_options (SslCtx, (SesolaVersionOptions | SesolaSSLoptions));
return (true);
}
/*****************************************************************************/
/*
If the private key in WASD_SSL_CERT, WASD_SSL_KEY, or the equivalent, does
not contain an embedded password (which is by far less "secure" against key
stealing) the private key callback set above results in this function being
called. Output a message to the console, to the monitor status message buffer,
and optionally if enabled to OPCOM, requesting that a password be manually
supplied. The password is input at the command line using the control
/DO=SSL=KEY=PASSWORD directive, which prompts for the password and then writes
it into the global section shared memory control directive buffer. This
function continues to poll that buffer at one second intervals looking for the
indicator of the password. When found it copies it into the 'PasswdBuffer'
and returns the length. If not supplied it eventually times-out resulting in
the startup being cancelled (which should then restart). Note that POLLING
MUST BE USED because user-mode ASTs are disabled during service (network)
initialization, rendering lock delivery and the like possibilities of
notification unusable (at this mode) during this period.
*/
int SesolaPrivateKeyPasswd
(
char *PasswdBuffer,
int SizeOfPasswdBuffer,
int UnknownParam,
void *UserData
)
{
int cnt,
PasswdLength;
char *cptr, *sptr, *zptr;
SERVICE_STRUCT *svptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaPrivateKeyPasswd() !UL !UL",
SizeOfPasswdBuffer, UserData);
/* indicates a private key password was required for this service */
SesolaPrivateKeyPasswdRequested = true;
svptr = (SERVICE_STRUCT*)UserData;
/* ensure we start with a nice empty buffer */
memset (HttpdGblSecPtr->PkPasswd, 0, sizeof(HttpdGblSecPtr->PkPasswd));
PasswdBuffer[0] = '\0';
/* wait for the password to magically appear!! (crude but effective) */
for (cnt = SESOLA_PKPASSWD_REQUEST_SECONDS; cnt; cnt--)
{
if (!(cnt % 60))
{
FaoToStdout ("%HTTPD-I-PKPASSWD, \
!20%D, request !UL/!UL for private key password, !AZ//!AZ\n",
0, SesolaPrivateKeyPasswdAttempt, SESOLA_PKPASSWD_ATTEMPTS,
svptr->SchemeNamePtr, svptr->ServerHostPort);
FaoToBuffer (HttpdGblSecPtr->StatusMessage,
sizeof(HttpdGblSecPtr->StatusMessage), NULL,
"%HTTPD-I-PKPASSWD, !20%D, \
!AZ request !UL/!UL for private key password, !AZ//!AZ",
0, InstanceNodeCurrent > 1 ? HttpdProcess.PrcNam : "",
SesolaPrivateKeyPasswdAttempt, SESOLA_PKPASSWD_ATTEMPTS,
svptr->SchemeNamePtr, svptr->ServerHostPort);
/* if any OPCOM at all is enabled then output this message */
if (OpcomMessages)
FaoToOpcom ("%HTTPD-I-PKPASSWD, \
request !UL/!UL for private key password, !AZ//!AZ",
SesolaPrivateKeyPasswdAttempt, SESOLA_PKPASSWD_ATTEMPTS,
svptr->SchemeNamePtr, svptr->ServerHostPort);
}
sleep (1);
/* if a password was supplied whilst sleeping */
if (HttpdGblSecPtr->PkPasswd[0]) break;
}
HttpdGblSecPtr->StatusMessage[0] = '\0';
if (!cnt)
{
/* timed-out waiting for a response */
ControlMessage ("timeout waiting for private key password");
sleep (1);
exit (SS$_CANCEL);
}
zptr = (sptr = PasswdBuffer) + SizeOfPasswdBuffer;
for (cptr = HttpdGblSecPtr->PkPasswd;
*cptr && sptr < zptr;
*sptr++ = *cptr++);
/* overflow just cancels the password */
if (sptr > zptr) sptr = PasswdBuffer;
*sptr = '\0';
PasswdLength = sptr - PasswdBuffer;
for (sptr = PasswdBuffer; *sptr && isspace(*sptr); sptr++);
if (!*sptr && sptr > PasswdBuffer)
{
/* password comprising all spaces is used to abort the startup */
ControlMessage ("empty private key password, aborting startup");
/* just exit the process */
ExitStatus = SS$_ABORT;
HttpdExit (&ExitStatus);
/* cancel any startup messages provided for the monitor */
HttpdGblSecPtr->StatusMessage[0] = '\0';
sys$delprc (0, 0);
}
/* remove the actual password from the control buffer */
memset (HttpdGblSecPtr->PkPasswd, 0, sizeof(HttpdGblSecPtr->PkPasswd));
ControlMessage ("password received");
return (PasswdLength);
}
/*****************************************************************************/
/*
Generate fresh random data used with the session ticket key and session ID
context. As the ticket key name (first 16 bytes) will be public make the
session ID the same data. Return a pointer to the key data.
*/
uchar* SesolaSessionTicketNewKey ()
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaSessionTicketNewKey()");
RAND_bytes (SesolaTicketKey, sizeof(SesolaTicketKey));
memmove (SesolaSessionId, SesolaTicketKey, sizeof(SesolaSessionId));
return (SesolaTicketKey);
}
/*****************************************************************************/
/*
Propagate supplied session ticket key data to global storage and applicable
services. Return a pointer to the key data. The ticket random data is also
used (with offset) to provide the session ID context. The session ID context
must be common across instances for session ticket reuse to be successful. As
the ticket key name (first 16 bytes) will be public make the session ID the
same data. Can be directly called by InstanceSessionTicketKey() and
(indirectly) by ControlHttpdAst() when being propagated over multiiple
instances (including cluster-wide).
*/
uchar* SesolaSessionTicketUseKey (uchar *keyptr)
{
int idx;
ulong options;
SERVICE_STRUCT *svptr;
SSL_CTX *SslCtx;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaSessionTicketUseKey()");
if (WATCH_CATEGORY(WATCH_SESOLA))
{
WatchThis (WATCHALL, WATCH_SESOLA, "SESSION TICKET key");
WatchDataDump (keyptr, sizeof(SesolaTicketKey));
}
/* null-terminated string then 48 bytes of session key */
if (strsame (keyptr, CONTROL_SESSION_TICKET_KEY, -1))
keyptr += sizeof(CONTROL_SESSION_TICKET_KEY);
/* else no null-terminated string, just the 48 bytes of session key */
/* note the date-day the key was refreshed by InstanceSupervisor() */
SesolaTicketKeySuperDay = HttpdTime7[2];
/* time of this most recent refresh */
SesolaTicketKeyTime64 = HttpdTime64;
/* if the key is empty (16 byte lock value block) */
if (!*(ULONGPTR)keyptr) keyptr = SesolaSessionTicketNewKey();
memmove (SesolaTicketKey, keyptr, sizeof(SesolaTicketKey));
memmove (SesolaSessionId, keyptr, sizeof(SesolaSessionId));
/* propagate session ticket key to required services */
LIST_ITERATE (svptr, &ServiceList)
{
if (svptr->SchemeType != SCHEME_HTTPS) continue;
if (SslCtx = ((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx)
{
options = SSL_CTX_get_options (SslCtx);
if (!(options & SSL_OP_NO_TICKET))
{
#if !SESOLA_SESSION_TICKET_CALLBACK
SSL_CTX_set_tlsext_ticket_keys (SslCtx, SesolaTicketKey,
sizeof(SesolaTicketKey));
#endif
/* the session ID ctx also needs to be shared between instances */
SSL_CTX_set_session_id_context (SslCtx, SesolaSessionId,
sizeof(SesolaSessionId));
}
}
}
return (SesolaTicketKey);
}
/*****************************************************************************/
/*
Session tickets, defined in RFC5077, provide an enhanced session resumption
capability where the server implementation is not required to maintain per
session state. The callback function will be called for every client
instigated TLS session when session ticket extension is presented in the TLS
hello message. It is the responsibility of this function to create or retrieve
the cryptographic parameters and to maintain their state. This function, in
conjunction with SesolaSessionTicketNewKey(), SesolaSessionTicketUseKey() and
InstanceSessionTicketKey() manage coherent usage of the session ticket keys
allowing multi-instance, cluster-wide if required, session resumption using
tickets, and refreshes those ticket keys once a day.
*/
#if SESOLA_SESSION_TICKET_CALLBACK
int SesolaSessionTicketCallback
(
SSL *SslPtr,
uchar *KeyName,
uchar *iv,
EVP_CIPHER_CTX *ectx,
HMAC_CTX *hctx,
int enc
)
{
#ifndef tlsext_tick_md
#ifdef OPENSSL_NO_SHA256
#define tlsext_tick_md EVP_sha1
#else
#define tlsext_tick_md EVP_sha256
#endif
#endif
static uchar *AesKeyPtr = SesolaTicketKey + 32,
*HmacKeyPtr = SesolaTicketKey + 16,
*NameKeyPtr = SesolaTicketKey;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaSessionTicketCallback() !UL !16&H", enc, KeyName);
if (enc)
{
/******************/
/* create session */
/******************/
memcpy (KeyName, NameKeyPtr, 16);
RAND_bytes (iv, 16);
if (!EVP_EncryptInit_ex (ectx, EVP_aes_128_cbc(), NULL, AesKeyPtr, iv))
return (-1);
if (!HMAC_Init_ex (hctx, HmacKeyPtr, 16, tlsext_tick_md(), NULL))
return (-1);
SesolaSessionTicketNew++;
}
else
{
/********************/
/* retrieve session */
/********************/
if (memcmp (KeyName, NameKeyPtr, 16))
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"!16&H !!= !16&H", KeyName, NameKeyPtr);
SesolaSessionTicketMiss++;
return (0);
}
if (!HMAC_Init_ex (hctx, HmacKeyPtr, 16, tlsext_tick_md(), NULL))
return (-1);
if (!EVP_DecryptInit_ex (ectx, EVP_aes_128_cbc(), NULL, AesKeyPtr, iv))
return (-1);
SesolaSessionTicketHit++;
}
return (1);
}
#endif /* SESOLA_SESSION_TICKET_CALLBACK */
/*****************************************************************************/
/*
Temporary DH params supporting ephemeral keys (for "perfect forward security").
See explanation in module prologue under section "FORWARD SECRECY".
*/
DH* SesolaTmpDHCallback
(
SSL *SslPtr,
int IsExport,
int KeyLength
)
{
#define BITS_MAX 5
/* future proofing? :-} */
static int bits [BITS_MAX] = { 512, 1024, 2048, 4096, 8192 };
static DH *bitdh [BITS_MAX];
static int maxidx;
static ulong PrevTickSecond;
int keybit, idx;
char buf [256];
DH *dhptr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaTmpDHCallback() !UL", KeyLength);
if (!SslPtr)
{
/**************/
/* initialise */
/**************/
char *sptr;
/* enable SYSPRV allowing access to should-be protected files */
sys$setprv (1, &SysPrvMask, 0, 0);
for (idx = 0; idx < BITS_MAX; idx++) bitdh[idx] = NULL;
for (idx = 0; idx < BITS_MAX; idx++)
{
FILE *pfile;
sprintf (buf, "WASD_ROOT:[LOCAL]DH_PARAM_%d.PEM", bits[idx]);
if ((pfile = fopen (buf, "r")) == NULL) continue;
bitdh[idx] = PEM_read_DHparams (pfile, NULL, NULL, NULL);
fclose (pfile);
maxidx = idx + 1;
}
sys$setprv (0, &SysPrvMask, 0, 0);
if (maxidx)
{
*(sptr = buf) = '\0';
for (idx = 0; idx < maxidx; idx++)
if (bitdh[idx] != NULL)
sptr += sprintf (sptr, "%s%d", buf[0] ? "," : "", bits[idx]);
strcpy (sptr, " bits");
SesolaTmpDHbitsPtr = VmGet(strlen(buf)+1);
strcpy (SesolaTmpDHbitsPtr, buf);
FaoToStdout ("-SSL-I-DH, ephemeral DH param !AZ\n", buf);
}
else
FaoToStdout ("-SSL-W-DH, no ephemeral DH param\n");
return ((DH*)SesolaTmpDHbitsPtr);
}
/************/
/* callback */
/************/
rqptr = (REQUEST_STRUCT*)SSL_get_app_data (SslPtr);
keybit = 0;
dhptr = NULL;
for (idx = 0; idx < maxidx; idx++)
{
if (bitdh[idx] == NULL) continue;
if (bits[idx] >= KeyLength)
{
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"DH key requested !UL got !UL bits",
KeyLength, bits[idx]);
return (bitdh[idx]);
}
keybit = bits[idx];
dhptr = bitdh[idx];
}
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"DH key requested !UL got !UL bits",
KeyLength, dhptr ? keybit : 0);
return (dhptr);
}
/*****************************************************************************/
/*
Implement Application-Layer Protocol Negotiation (ALPN), a TLS extension.
ALPN allows the application layer to negotiate which protocol should be
performed over a secure connection in a manner which avoids additional round
trips and which is independent of the application layer protocols.
*/
int SesolaALPNCallback
(
SSL *SslPtr,
uchar **out,
uchar *outlen,
uchar *in,
uint inlen,
void *arg
)
{
BOOL h2, http11, tls01;
uint cnt, retval;
char *cptr, *sptr, *zptr;
REQUEST_STRUCT *rqptr;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
sesolaptr = (SESOLA_STRUCT*)SSL_get_ex_data (SslPtr, 0);
rqptr = (REQUEST_STRUCT*)sesolaptr->RequestPtr;
h2 = http11 = tls01 = false;
/* vector of 8-bit, length prefixed byte strings */
for (cptr = in; cptr < in + inlen; cptr += cnt)
{
cnt = *cptr++;
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "ALPN !#AZ", cnt, cptr);
if (cnt == 2 && MATCH2 (cptr, "h2")) h2 = true;
if (cnt == 8 && MATCH8 (cptr, "http/1.1")) http11 = true;
if (cnt == 11 && MATCH11 (cptr, "tls-alpn-01")) tls01 = true;
}
retval = SSL_TLSEXT_ERR_NOACK;
if (tls01)
{
*out = sesolaptr->ALPNok = "tls-alpn-01";
*outlen = 11;
retval = SSL_TLSEXT_ERR_OK;
}
if (retval == SSL_TLSEXT_ERR_NOACK)
{
if (h2 && Http2Enabled && rqptr->ServicePtr->Http2Enabled)
{
*out = sesolaptr->ALPNok = "h2";
*outlen = 2;
retval = SSL_TLSEXT_ERR_OK;
}
}
if (retval == SSL_TLSEXT_ERR_NOACK)
{
if (http11)
{
*out = sesolaptr->ALPNok = "http/1.1";
*outlen = 8;
retval = SSL_TLSEXT_ERR_OK;
}
}
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "OK !AZ",
sesolaptr->ALPNok ? sesolaptr->ALPNok : "(none)");
return (retval);
}
/*****************************************************************************/
/*
Implement TLS1 Server Name Indication (SNI) callback (from RFC 4366).
Searches the SSL service list for a matching name (certificates are issued
against a host name, not against a name:port combination). The first name
matched results in the SSL context being set/changed. Then continue and set
the virtual service if available (significantly more efficient than doing it
using ServiceFindVirtual() later).
*/
int SesolaSNICallback
(
SSL *SslPtr,
int *UnusedArg1,
void *UnusedArg2
)
{
BOOL wwwName;
int snlen,
ServerPort,
VerifyDepth,
VerifyMode;
char *cptr, *sptr, *snptr, *zptr;
REQUEST_STRUCT *rqptr;
SERVICE_STRUCT *svptr;
SESOLA_STRUCT *sesolaptr;
SSL_CTX *SslCtx;
X509_STORE_CTX *VerifyCallback;
/*********/
/* begin */
/*********/
sesolaptr = (SESOLA_STRUCT*)SSL_get_ex_data (SslPtr, 0);
snptr = SSL_get_servername (SslPtr, TLSEXT_NAMETYPE_host_name);
if (WATCHMOD (sesolaptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"SesolaSNICallback() !&Z", snptr);
if (!snptr) return (SSL_TLSEXT_ERR_OK);
if (ServiceWwwImplied)
wwwName = SAME4(snptr,'www.');
else
wwwName = false;
rqptr = (REQUEST_STRUCT*)sesolaptr->RequestPtr;
/* note the original service port number */
ServerPort = rqptr->ServicePtr->ServerPort;
/* used to emulate the Apache SSL_TLS_SNI variable */
zptr = (sptr = sesolaptr->SNIServerName) +
sizeof(sesolaptr->SNIServerName)-1;
for (cptr = snptr; *cptr && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
snlen = cptr - snptr;
LIST_ITERATE (svptr, &ServiceList)
{
if (svptr->SchemeType != SCHEME_HTTPS) continue;
if (!((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx) continue;
if (!wwwName || snlen != svptr->ServerHostNameLength + 4)
if (snlen != svptr->ServerHostNameLength)
continue;
/* match the SNI name to the service name */
sptr = snptr;
if (wwwName && !MATCH4 (sptr, "www.")) sptr += 4;
cptr = svptr->ServerHostName;
if (snlen >= 8)
{
if (!MATCH8 (sptr, cptr)) continue;
sptr += 8;
cptr += 8;
}
while (*cptr && *sptr && *cptr == *sptr)
{
cptr++;
sptr++;
}
if (*sptr || *cptr) continue;
/* match to the original port */
if (ServerPort != svptr->ServerPort) continue;
/* name+port match! */
if (!sesolaptr->SNIctxSet)
{
/* set the SSL context */
SSL_set_SSL_CTX (SslPtr,
((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx);
sesolaptr->SNIctxSet = true;
/* propagate newly set context client verify to SSL-specific */
SslCtx = SSL_get_SSL_CTX (SslPtr);
VerifyMode = SSL_CTX_get_verify_mode (SslCtx);
VerifyDepth = SSL_CTX_get_verify_depth (SslCtx);
VerifyCallback = SSL_CTX_get_verify_callback (SslCtx);
SSL_set_verify (SslPtr, VerifyMode, VerifyCallback);
SSL_set_verify_depth (SslPtr, VerifyDepth);
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "SNI match !AZ,!UL",
snptr, svptr->ServerPort);
}
/* change to this service */
rqptr->ServicePtr = svptr;
sesolaptr->NetIoPtr->ServicePtr = svptr;
sesolaptr->SNIserviceSet = true;
if (WATCHPNT(rqptr))
{
if (WATCH_CATEGORY(WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "SNI VIRTUAL !AZ",
svptr->ServerHostPort);
else
if (WATCH_CATEGORY(WATCH_CONNECT))
WatchThis (WATCHITM(rqptr), WATCH_CONNECT, "VIRTUAL (SNI) !AZ",
svptr->ServerHostPort);
}
break;
}
if (WATCHING (rqptr, WATCH_SESOLA))
if (!sesolaptr->SNIctxSet)
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "SNI FAIL !AZ", snptr);
return (SSL_TLSEXT_ERR_OK);
}
/*****************************************************************************/
/*
Return a TLS Application Level Protocol Negotiation string or NULL.
*/
char* SesolaRequestALPN (REQUEST_STRUCT *rqptr)
{
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestALPN()");
if (!(sesolaptr = SesolaRequestSesolaPtr (rqptr))) return (NULL);
return (sesolaptr->ALPNok);
}
/*****************************************************************************/
/*
Return a request's secure socket pointer or NULL.
*/
void* SesolaRequestSesolaPtr (REQUEST_STRUCT *rqptr)
{
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestSesolaPtr()");
if (!rqptr) return (NULL);
sesolaptr = NULL;
if (HTTP2_REQUEST(rqptr))
sesolaptr = (SESOLA_STRUCT*)rqptr->
Http2Stream.Http2Ptr->NetIoPtr->SesolaPtr;
if (!sesolaptr) sesolaptr = (SESOLA_STRUCT*)rqptr->NetIoPtr->SesolaPtr;
return (sesolaptr);
}
/*****************************************************************************/
/*
Return the value for ServiceFindVirtual() to use.
This stub function just used to dereference (void*).
*/
BOOL SesolaSNIserviceSet (SESOLA_STRUCT *sesolaptr)
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaSNIserviceSet() !&B", sesolaptr->SNIserviceSet);
return (sesolaptr->SNIserviceSet);
}
/*****************************************************************************/
/*
Called by WatchSetWatch().
*/
int SesolaGetWatch (SESOLA_STRUCT *sesolaptr)
{
return (sesolaptr->WatchItem);
}
/*****************************************************************************/
/*
Called by WatchSetWatch().
*/
void SesolaSetWatch
(
SESOLA_STRUCT *sesolaptr,
int item
)
{
sesolaptr->WatchItem = item;
sesolaptr->NetIoPtr->WatchItem = item;
}
/*****************************************************************************/
/*
Print out the OpenSSL error list. For reporting errors associated with
certificate loading. Based on [.CRYPTO.ERR]ERR_PRN.C. The error number (based
on [.CRYPTO.ERR]ERR.H ERR_PACK macro) is a bit-vector comprising 31..24 (8
bits) the library code, 23..12 (12 bits) the function code 11..0 (12 bits)
the reason code. A fatal error is the decimal value 32 (bit 6) and is used in
various bit-wise operations.
*/
SesolaPrintOpenSslErrorList ()
{
int LineNumber,
Flags;
ulong ErrorNumber;
char *FileNamePtr,
*DataStringPtr;
char Buffer [256];
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaPrintOpenSslErrorList()");
while (ErrorNumber =
ERR_get_error_line_data (&FileNamePtr, &LineNumber,
&DataStringPtr, &Flags))
{
FaoToStdout (
"-SSL-W-ERROR, \"!AZ\" (!AZ !SL)!&?\"\r\r!AZ!&?\"\r\r\n",
ERR_error_string (ErrorNumber, Buffer),
FileNamePtr, LineNumber,
((Flags & ERR_TXT_STRING)),
((Flags & ERR_TXT_STRING) ? DataStringPtr : ""),
((Flags & ERR_TXT_STRING)));
}
}
/*****************************************************************************/
/*
Provides OpenSSL status information at various states of SSL processing via the
WATCH facility.
*/
#if WATCH_CAT
SesolaWatchInfoCallback
(
SSL *SslPtr,
int WhereExactly,
int value
)
{
int item;
char *cptr;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaWatchInfoCallback() !UL !SL", WhereExactly, value);
sesolaptr = (SESOLA_STRUCT*)SSL_get_ex_data (SslPtr, 0);
if (!sesolaptr->WatchItem) return;
switch (WhereExactly & SSL_ST_MASK)
{
case SSL_CB_LOOP :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"LOOP !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_EXIT :
if (value == 0)
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"EXIT alert failed in !AZ",
SSL_state_string_long(SslPtr));
else
if (value < 0)
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"EXIT error/blocking in !AZ",
SSL_state_string_long(SslPtr));
break;
case SSL_CB_READ :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"READ read !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_WRITE :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"WRITE !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_ALERT :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"ALERT !AZ !AZ:!AZ",
(WhereExactly & SSL_CB_READ) ? "read" : "write",
SSL_alert_type_string_long(value),
SSL_alert_desc_string_long(value));
break;
case SSL_CB_READ_ALERT :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"READ ALERT !AZ:!AZ",
SSL_alert_type_string_long(value),
SSL_alert_desc_string_long(value));
break;
case SSL_CB_WRITE_ALERT :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"WRITE ALERT !AZ:!AZ",
SSL_alert_type_string_long(value),
SSL_alert_desc_string_long(value));
break;
case SSL_CB_ACCEPT_LOOP :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"ACCEPT LOOP !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_ACCEPT_EXIT :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"ACCEPT EXIT !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_CONNECT_LOOP :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"CONNECT LOOP !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_CONNECT_EXIT :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"CONNECT EXIT !AZ", SSL_state_string_long(SslPtr));
break;
case SSL_CB_HANDSHAKE_START :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA, "START handshake");
break;
case SSL_CB_HANDSHAKE_DONE :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA, "DONE handshake");
break;
default :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA, "!&X !AZ",
WhereExactly, SSL_state_string_long(SslPtr));
}
}
#endif /* WATCH_CAT */
/*****************************************************************************/
/*
Provides OpenSSL Input/Output information each time an SSL read or write occurs
via the WATCH facility. These macros can be found in [.CRYPTO.BIO]BIO.H
*/
int SesolaWatchBioCallback
(
BIO *bioptr,
int cmd,
char *argp,
int argi,
long argl,
long retval
)
{
#if WATCH_CAT
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
sesolaptr = (SESOLA_STRUCT*)BIO_get_callback_arg (bioptr);
if (!sesolaptr->WatchItem) return (retval);
if (WATCH_MODULE(WATCH_MOD_SESOLA))
{
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"SesolaWatchBioCallback() !&X !&X !SL !SL !SL",
cmd, argp, argi, argl, retval);
switch (cmd & 0xf)
{
case BIO_CB_READ :
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"!&?after\rbefore\r READ !UL !SL",
cmd & BIO_CB_RETURN, argi, retval);
break;
case BIO_CB_WRITE :
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"!&?after\rbefore\r WRITE !UL !SL",
cmd & BIO_CB_RETURN, argi, retval);
break;
case BIO_CB_FREE :
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"!&?after\rbefore\r FREE !SL !SL",
cmd & BIO_CB_RETURN, argi, retval);
break;
case BIO_CB_CTRL :
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"!&?after\rbefore\r CTRL !SL !SL",
cmd & BIO_CB_RETURN, argi, retval);
break;
default :
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"!&?after\rbefore\r !&X !UL !SL",
cmd & BIO_CB_RETURN, cmd, argi, retval);
}
return (retval);
}
if (!(cmd & BIO_CB_RETURN)) return (retval);
switch (cmd & 0xf)
{
case BIO_CB_READ :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"READ !UL/!SL!&? (complete)\r (outstanding)\r",
argi, retval, retval > 0);
break;
case BIO_CB_WRITE :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"WRITE !UL/!SL!&? (complete)\r (outstanding)\r",
argi, retval, retval > 0);
break;
case BIO_CB_FREE :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"FREE !SL !SL", argi, retval);
break;
case BIO_CB_CTRL :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"CTRL !SL !SL", argi, retval);
break;
default :
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"!&X !UL !SL", cmd, argi, retval);
}
#endif /* WATCH_CAT */
return (retval);
}
/*****************************************************************************/
/*
Provide WATCH information after final SSL session establishment show version
and cipher in use.
*/
SesolaWatchSession (SESOLA_STRUCT *sesolaptr)
{
#if WATCH_CAT
int AlgKeySize,
UseKeySize;
char *cptr;
SSL *SslPtr;
SSL_CIPHER *CipherPtr;
X509 *CertPtr;
/*********/
/* begin */
/*********/
if (WATCHMOD (sesolaptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"SesolaWatchSession()");
SslPtr = sesolaptr->SslPtr;
if (CipherPtr = SSL_get_current_cipher (SslPtr))
{
cptr = (char*)SSL_CIPHER_get_name (CipherPtr);
UseKeySize = SSL_CIPHER_get_bits(CipherPtr, &AlgKeySize);
}
else
{
AlgKeySize = UseKeySize = 0;
cptr = "(none)";
}
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"SESSION hit:!AZ protocol:!AZ cipher:!AZ keysize:!UL/!UL X509:!AZ",
SSL_cache_hit(sesolaptr->SslPtr) ? "yes" : "no",
(char*)SSL_get_version(SslPtr), cptr, UseKeySize, AlgKeySize,
(CertPtr = SSL_get_peer_certificate (SslPtr)) ? "yes" : "no");
if (CertPtr) X509_free (CertPtr);
#endif /* WATCH_CAT */
}
/*****************************************************************************/
/*
Provide some OpenSSL-internal error information.
(Based on code from [.CRYPTO.ERR]ERR_PRN.C)
*/
SesolaWatchErrors (SESOLA_STRUCT *sesolaptr)
{
#if WATCH_CAT
int cnt, flags,
LineNumber;
ulong ErrorNumber;
char ErrorString [256],
ModuleName [256];
char *cptr, *cptr1, *cptr2, *cptr3, *sptr,
*FileNamePtr, *DataPtr;
/*********/
/* begin */
/*********/
if (WATCHMOD (sesolaptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(sesolaptr), WATCH_MOD_SESOLA,
"SesolaWatchErrors()");
while (cnt = ERR_get_error_line_data (&FileNamePtr, &LineNumber,
&DataPtr, &flags))
{
ERR_error_string_n (cnt, ErrorString, sizeof(ErrorString));
for (cptr1 = ErrorString; *cptr1 && *cptr1 != ':'; cptr1++);
if (*cptr1) cptr1++;
while (*cptr1 && *cptr1 != ':') cptr1++;
if (*cptr1) cptr1++;
for (cptr2 = cptr1; *cptr2 && *cptr2 != ':'; cptr2++);
if (*cptr2) *cptr2++ = '\0';
for (cptr3 = cptr2; *cptr3 && *cptr3 != ':'; cptr3++);
if (*cptr3) *cptr3++ = '\0';
for (cptr = FileNamePtr; *cptr; cptr++);
while (cptr > FileNamePtr && *cptr != ']') cptr--;
if (*cptr == ']') cptr++;
sptr = ModuleName;
while (*cptr && *cptr != ';') *sptr++ = *cptr++;
*sptr = '\0';
WatchThis (WATCHITM(sesolaptr), WATCH_SESOLA,
"!AZ !AZ !AZ !AZ!&? \r\r(!AZ:!UL)",
cptr1, cptr2, cptr3,
flags & ERR_TXT_STRING ? DataPtr : "",
flags & ERR_TXT_STRING, ModuleName, LineNumber);
}
#endif /* WATCH_CAT */
}
/*****************************************************************************/
/*
Peek at selected SesolaStruct data. The 'rqptr' is the request doing the
peeking, the 'rqeptr' is the request being peeked at. If 'rqptr' is NULL then
the information is written to SYS$OUTPUT.
*/
void SesolaWatchPeek
(
REQUEST_STRUCT *rqptr,
void *SeSoLaPtr
)
{
static char HexDigits [] = "0123456789abcdef";
static char SesolaFao [] =
"|\n\
!33<SesolaPtr->!> !&X\n\
!33<SslPtr!> protocol:!AZ cipher:!AZ keysize:!UL/!UL\n\
!33<session_id!> !AZ\n\
!33<ConnectCertPtr!> !AZ\n\
!33<ClientCertPtr!> !AZ\n\
!33<CertVerifyFailed!> !&B\n\
!33<ClientAstFunction!> !&A\n\
!33<NetIoPtr->Channel!> !UL (!AZ)\n\
!33<ReadInProgress!> !&B\n\
!33<ReadIsComplete!> !&B\n\
!33<SslStateFunction!> !&A\n\
!33<ReadPtr!> !&X\n\
!33<ReadSize!> !UL\n\
!33<WriteInProgress!> !&B\n\
!33<WriteIsComplete!> !&B\n\
!33<WritePtr!> !&X\n\
!33<WriteLength!> !UL\n\
!33<HTTPduringHandshake!> !&B\n\
!33<SSHduringHandshake!> !&B\n\
!33<SslAcceptCount!> !UL\n\
!33<SslConnectCount!> !UL\n\
!33<SslShutdownCount!> !UL\n";
int cnt, status,
AlgKeySize,
SessionHint,
UseKeySize;
ushort Length;
ulong *vecptr;
ulong FaoVector [48];
char *cptr, *sptr, *zptr,
*CipherNamePtr;
char Buffer [4096],
CertFingerprintMD5 [64],
CertFingerprintSHA1 [64],
CertFingerprintSHA256 [128],
ClientCertBuffer [1024],
ConnectCertBuffer [1024],
NetDevName [64],
IssuerString [256],
NotAfterString [32],
SessionId [64],
SubjectString [256];
SESOLA_STRUCT *sesolaptr;
SSL *SslPtr;
SSL_CIPHER *CipherPtr;
SSL_SESSION *SessionPtr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaWatchPeek()\n");
if ((sesolaptr = (SESOLA_STRUCT*)SeSoLaPtr) == NULL) return;
NetGetBgDevice (sesolaptr->NetIoPtr->Channel,
NetDevName, sizeof(NetDevName));
SslPtr = sesolaptr->SslPtr;
SessionPtr = SSL_get_session (SslPtr);
if (CipherPtr = SSL_get_current_cipher (SslPtr))
{
CipherNamePtr = (char*)SSL_CIPHER_get_name (CipherPtr);
UseKeySize = SSL_CIPHER_get_bits(CipherPtr, &AlgKeySize);
}
else
AlgKeySize = UseKeySize = 0;
if (sesolaptr->ConnectCertPtr)
{
X509_NAME_oneline (X509_get_issuer_name(sesolaptr->ConnectCertPtr),
IssuerString, sizeof(SubjectString));
X509_NAME_oneline (X509_get_subject_name(sesolaptr->ConnectCertPtr),
SubjectString, sizeof(SubjectString));
SesolaCertFingerprint (sesolaptr->ConnectCertPtr, &EVP_sha256,
CertFingerprintSHA256,
sizeof(CertFingerprintSHA256));
SesolaCertFingerprint (sesolaptr->ConnectCertPtr, &EVP_sha1,
CertFingerprintSHA1, sizeof(CertFingerprintSHA1));
SesolaCertFingerprint (sesolaptr->ConnectCertPtr, &EVP_md5,
CertFingerprintMD5, sizeof(CertFingerprintMD5));
ASN1_UTCTIME_print (SesolaBioMemPtr,
X509_get_notAfter(sesolaptr->ConnectCertPtr));
BIO_gets (SesolaBioMemPtr, NotAfterString, sizeof(NotAfterString));
FaoToBuffer (ConnectCertBuffer, sizeof(ConnectCertBuffer), NULL,
"issuer=!AZ\n\
!33<!> subject=!AZ\n\
!33<!> notAfter=!AZ\n\
!33<!> SHA256=!AZ\n\
!33<!> SHA1=!AZ\n\
!33<!> MD5=!AZ",
IssuerString, SubjectString, NotAfterString,
CertFingerprintSHA256, CertFingerprintSHA1,
CertFingerprintMD5);
}
else
strcpy (ConnectCertBuffer, "0x00000000");
if (sesolaptr->ClientCertPtr)
{
X509_NAME_oneline (X509_get_issuer_name(sesolaptr->ClientCertPtr),
IssuerString, sizeof(SubjectString));
X509_NAME_oneline (X509_get_subject_name(sesolaptr->ClientCertPtr),
SubjectString, sizeof(SubjectString));
SesolaCertFingerprint (sesolaptr->ClientCertPtr, &EVP_sha256,
CertFingerprintSHA256,
sizeof(CertFingerprintSHA256));
SesolaCertFingerprint (sesolaptr->ClientCertPtr, &EVP_sha1,
CertFingerprintSHA1, sizeof(CertFingerprintSHA1));
SesolaCertFingerprint (sesolaptr->ClientCertPtr, &EVP_md5,
CertFingerprintMD5, sizeof(CertFingerprintMD5));
ASN1_UTCTIME_print (SesolaBioMemPtr,
X509_get_notAfter(sesolaptr->ClientCertPtr));
BIO_gets (SesolaBioMemPtr, NotAfterString, sizeof(NotAfterString));
FaoToBuffer (ClientCertBuffer, sizeof(ClientCertBuffer), NULL,
"issuer=!AZ\n\
!33<!> subject=!AZ\n\
!33<!> notAfter=!AZ\n\
!33<!> SHA256=!AZ\n\
!33<!> SHA1=!AZ\n\
!33<!> MD5=!AZ",
IssuerString, SubjectString, NotAfterString,
CertFingerprintSHA256, CertFingerprintSHA1,
CertFingerprintMD5);
}
else
strcpy (ClientCertBuffer, "0x00000000");
cptr = SSL_SESSION_get_id (SessionPtr, &cnt);
zptr = (sptr = SessionId) + sizeof(SessionId)-1;
if (cnt)
{
while (cnt--)
{
if (sptr >= zptr) break;
*sptr++ = HexDigits[(*cptr >> 4) & 0x0f];
if (sptr >= zptr) break;
*sptr++ = HexDigits[*cptr++ & 0x0f];
}
}
else
for (cptr = "(none)"; *cptr; *sptr++ = *cptr++);
*sptr = '\0';
vecptr = FaoVector;
*vecptr++ = sesolaptr;
*vecptr++ = SSL_get_version(SslPtr);
*vecptr++ = CipherNamePtr;
*vecptr++ = UseKeySize;
*vecptr++ = AlgKeySize;
*vecptr++ = SessionId;
*vecptr++ = ConnectCertBuffer;
*vecptr++ = ClientCertBuffer;
*vecptr++ = sesolaptr->CertVerifyFailed;
*vecptr++ = sesolaptr->ClientCertAstFunction;
*vecptr++ = sesolaptr->NetIoPtr->Channel;
*vecptr++ = NetDevName+1;
*vecptr++ = sesolaptr->ReadInProgress;
*vecptr++ = sesolaptr->ReadIsComplete;
*vecptr++ = sesolaptr->SslStateFunction;
*vecptr++ = sesolaptr->ReadPtr;
*vecptr++ = sesolaptr->ReadSize;
*vecptr++ = sesolaptr->WriteInProgress;
*vecptr++ = sesolaptr->WriteIsComplete;
*vecptr++ = sesolaptr->WritePtr;
*vecptr++ = sesolaptr->WriteLength;
*vecptr++ = sesolaptr->HTTPduringHandshake;
*vecptr++ = sesolaptr->SSHduringHandshake;
*vecptr++ = sesolaptr->SslAcceptCount;
*vecptr++ = sesolaptr->SslConnectCount;
*vecptr++ = sesolaptr->SslShutdownCount;
status = FaolToBuffer (Buffer, sizeof(Buffer), &Length,
SesolaFao, &FaoVector);
if (VMSnok (status) || status == SS$_BUFFEROVF)
ErrorNoticed (rqptr, status, NULL, FI_LI);
if (rqptr)
WatchWrite (Buffer, Length);
else
fputs (Buffer, stdout);
}
/*****************************************************************************/
/*
Brief report on this or a virtual service SSL context statistics and any
current session information.
*/
SesolaReport
(
REQUEST_STRUCT *rqptr,
char *VirtualHostPort
)
{
static char VirtualFao [] =
"<script language=\"JavaScript\">\n\
function reportVirtual()\n\
{\n\
var virt = document.getElementById(\'virtual\');\n\
var value = virt.options[virt.selectedIndex].value;\n\
var href = window.location.href;\n\
var rloc = href.indexOf(\'?virtual=\');\n\
if (rloc > 0) href = href.substr(0,rloc);\n\
href += \'?virtual=\' + value;\n\
window.location.replace(href);\n\
return false;\n\
}\n\
</script>\n\
<form action=\"!AZ\" onsubmit=\"return reportVirtual()\">\n\
<p><table class=\"ctgry\">\n\
<tr><th class=\"ctttl\" >Virtual SSL Server</th></tr>\n\
<tr><td><nobr>\n\
<select name=\"virtual\" id=\"virtual\">\n\
<option!&?\r SELECT\r value=\"\">!&?none configured\rfor this service\r\n";
static char ServerInfo1Fao [] =
"</select>\n\
<input type=\"submit\" value=\" select \">\n\
</nobr>\n\
</td></tr>\n\
</table>\n\
</form>\n\
<p><table class=\"ctgry\">\n\
<tr><th class=\"ctttl\">!AZ</th></tr>\n\
<tr><td>\n\
<table class=\"rghtlft\">\n\
<tr><th>Version:</th><td>!AZ (0x!8XL)</td></tr>\n\
<tr><th>Build:</th><td>!AZ</td></tr>\n\
<tr><th>Protocol:</th><td>!AZ</td></tr>\n\
<tr><th>Options:</th><td style=\"white-space:normal;\">\
0x!8XL<!!-- 0x!8XL -->; !AZ</td></tr>\n\
<tr><th>DH param:</th><td>!AZ</td></tr>\n\
<tr><th>Server Certificate:</th><td>!AZ</td></tr>\n\
<tr><th></th><td>\n\
<table cellpadding=\"0\" cellspacing=\"2\" border=\"0\">\n\
<tr><th>Issuer:</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n\
<tr><th>Subject:</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n\
<tr><th>Extensions:</th>\
<td><table style=\"display:inline-table;\
line-height:1em;margin-top:0;\">\n";
static char ExtensionFao [] =
"<tr><th style=\"align:right;vertical-align:top;\">!UL.</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n";
static char ExtensionNone [] = "<tr><td><i>(none)</i></td></tr>\n";
static char ServerInfo2Fao [] =
"</table>\n\
</td></tr>\n\
<tr><th>Begins:</th><td>!AZ</td></tr>\n\
<tr><th>Expires:</th><td>!AZ</td></tr>\n\
<tr><th>SHA256:</th><td>!AZ</td></tr>\n\
<tr><th>SHA1:</th><td>!AZ</td></tr>\n\
<tr><th>MD5:</th><td>!AZ</td></tr>\n\
</table>\n\
</td></tr>\n\
<tr><th>Private Key:</th><td>!AZ</td></tr>\n\
<tr><th>CA Verify File:</th><td>!&@</td></tr>\n\
<tr><th>CA Verify Depth:</th><td>!&@</td></tr>\n\
<tr><th>Cipher List:</th>\
<td style=\"white-space:normal;\">!AZ!AZ</td></tr>\n\
<tr><th>Supported Ciphers:</th>\
<td>\n\
<table class=\"rghtlft\" style=\"margin-top:0;\">\n\
<tr><th></th><th class=\"talft\">Version</th>\
<th class=\"talft\">Name</th></tr>\n";
static char CiphersFao [] =
"<tr style=\"font-size:90%;\"><th>!UL.</th>\
<td>!AZ</td>\
<td>!AZ</td>\
</tr>\n";
static char CiphersNoneFao [] =
"<tr style=\"font-size:90%;\"><th></th>\
<td colspan=\"2\"><i>(n/a)</i></td></tr>\n";
static char EndCiphersFao [] =
"</table>\n\
</td></tr>\n\
<tr><th>TLS/SSL:</th><td>\
<table class=\"rghtlft\" style=\"margin-top:0;\">\n\
<tr><th>Connect:</th><td>!UL</td><td>(!UL%)</td></tr>\n\
<tr><th>Request:</th><td>!UL</td><td>(!UL%)</td></tr>\n"
#if SESOLA_SINCE_111
"<tr><th>TLSv1.3:</th><td>!UL</td><td>(!UL%)</td></tr>\n"
#endif
"<tr><th>TLSv1.2:</th><td>!UL</td><td>(!UL%)</td></tr>\n\
<tr><th>TLSv1.1:</th><td>!UL</td><td>(!UL%)</td></tr>\n"
"<tr><th>TLSv1:</th><td>!UL</td><td>(!UL%)</td></tr>\n"
#if SESOLA_BEFORE_111
"<tr><th>SSLv3:</th><td>!UL</td><td>(!UL%)</td></tr>\n"
#endif
"</table>\n\
<tr><th>Session Ticket:</th><td>\n\
<table class=\"rghtlft\" style=\"margin-top:0;\">\n\
!&@\
</table>\n\
</td></tr>\n\
<tr><tr><th>Session ID Cache:</th><td>\n\
<table class=\"rghtlft\" style=\"margin-top:0;\">\n\
!&@\
</table>\n\
</td></tr>\n";
static char EndServerInfoFao [] =
"</table>\n\
</td></tr>\n\
</table>\n";
static char CurrentSessionFao [] =
"<p><table class=\"ctgry\">\n\
<tr><th class=\"ctttl\">Current Session</th></tr>\n\
<tr><td>\n\
<table class=\"rghtlft\">\n\
<tr><th>Session:</th>\
<td>!AZ (!2ZL:!2ZL:!2ZL ago), timeout (!2ZL:!2ZL:!2ZL) at !AZ</td></tr>\n";
static char ClientCert1Fao [] =
"<tr><th>Client Certificate:</th><td>\n\
<table cellpadding=\"0\" cellspacing=\"2\" border=\"0\">\n\
<tr><th>Issuer:</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n\
<tr><th>Subject:</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n\
<tr><th>Extensions:</th>\
<td><table style=\"display:inline-table;\
line-height:1em;margin-top:0;\">\n";
static char ClientCert2Fao [] =
"</table>\n\
<tr><th>Begins:</th><td>!AZ</td></tr>\n\
<tr><th>Expires:</th><td>!AZ</td></tr>\n\
<tr><th>SHA256:</th><td>!AZ</td></tr>\n\
<tr><th>SHA1:</th><td>!AZ</td></tr>\n\
<tr><th>MD5:</th><td>!AZ</td></tr>\n\
<tr><th>Fingerprint:</th><td>!AZ</td></tr>\n\
</table>\n\
</td></tr>\n";
static char ClientCertNoneFao [] =
"<tr><th>Client Certificate:</th>\
<td>!AZ \"!AZ\">Get Client Certificate!AZ</td></tr>\n";
static char CurrentSessionEndFao [] =
"</table>\n\
</td></tr>\n";
static char EndPageFao [] =
"</table>\n\
</div>\n\
</body>\n\
</html>\n";
int options, status,
AlgKeySize,
Count,
SessionHits,
SessionTimeout,
SessionTimeCSec,
SessionTimeoutCSec,
ServiceCount,
VersionTotal,
Total,
UseKeySize,
UtcOffset;
char *cptr, *sptr, *zptr;
ulong /* WARNING: really does need to be fairly large!! */
FaoVector [256];
ulong *vecptr;
char AuthFingerprint [64],
CertString [256],
CertCaString [256],
CertDnString [256],
CertFingerprintMD5 [64],
CertFingerprintSHA1 [64],
CertFingerprintSHA256 [128],
CertNotAfterString [32],
CertNotBeforeString [32],
ScratchString [256],
TimeString [32],
TimeoutString [32];
SESOLA_STRUCT *sesolaptr;
SERVICE_STRUCT *svptr,
*tsvptr;
struct tm *tmptr;
SESOLA_CONTEXT *scptr;
SSL *SslPtr;
SSL_CTX *SslCtx;
SSL_CIPHER *CipherPtr;
SSL_SESSION *SessionPtr;
STACK_OF(SSL_CIPHER) *CipherStackPtr;
X509 *ServerCertPtr;
/*********/
/* begin */
/*********/
/* as this is also called as an AST (!!) avoid WATCHing parameters */
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaReport()");
sesolaptr = NULL;
if (HTTP2_REQUEST(rqptr))
sesolaptr = (SESOLA_STRUCT*)rqptr->Http2Stream.Http2Ptr->NetIoPtr->SesolaPtr;
if (!sesolaptr) sesolaptr = (SESOLA_STRUCT*)rqptr->NetIoPtr->SesolaPtr;
if (sesolaptr)
{
if (sesolaptr->ReportClientCertState)
{
/* unbuffer this if called from an SSL renegotiate AST (see below) */
VirtualHostPort = sesolaptr->ReportVirtualHostPort;
}
}
/* now (!!) we can report "parameters" */
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "!&Z", VirtualHostPort);
if (VirtualHostPort[0])
{
LIST_ITERATE (svptr, &ServiceList)
{
if (svptr->SchemeType != SCHEME_HTTPS) continue;
if (strsame (svptr->ServerHostPort, VirtualHostPort, -1)) break;
}
if (!svptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, "No such virtual service.", FI_LI);
AdminEnd (rqptr);
return;
}
}
else
svptr = rqptr->ServicePtr;
/* if request's service not SSL then choose the first in the list */
if (svptr->SchemeType != SCHEME_HTTPS)
{
LIST_ITERATE (svptr, &ServiceList)
if (svptr->SchemeType != SCHEME_HTTPS) continue;
if (svptr) VirtualHostPort = svptr->ServerHostPort;
}
if (svptr->SchemeType != SCHEME_HTTPS)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, "No SSL service found!", FI_LI);
AdminEnd (rqptr);
return;
}
ServiceCount = SesolaServiceCount();
if (sesolaptr)
{
if (strsame (rqptr->rqHeader.PathInfoPtr, ADMIN_REPORT_SSL_CLIENT, -1))
{
/*
Include any client certificate information.
Note that if SesolaClientCert() completes asynchronously this
function will be called again as an AST - with only one argument!!
(the 'rqptr') This is not a major issue (apart for the purists ;^)
VirtualHostPort is buffered and unbuffered around such a call here.
(I could have made it a variable argument function, but this
should work just as well!)
*/
if (!sesolaptr->ReportClientCertState)
{
sesolaptr->ReportClientCertState = 1;
zptr = (sptr = sesolaptr->ReportVirtualHostPort) +
sizeof(sesolaptr->ReportVirtualHostPort)-1;
for (cptr = VirtualHostPort;
*cptr && sptr < zptr;
*sptr++ = *cptr++);
*sptr = '\0';
status = SesolaClientCert (rqptr, SESOLA_VERIFY_PEER_OPTIONAL,
&SesolaReport);
/* this faux status indicates renegotiation is underway */
if (status == SS$_WAITUSRLBL) return;
sesolaptr->ReportClientCertState = 0;
}
}
}
/**********/
/* report */
/**********/
/* the sesola service context */
scptr = (SESOLA_CONTEXT*)svptr->SSLserverPtr;
/* this is the service's context - not the current session's! */
SslCtx = ((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx;
/* get the service's certificate and ciphers - not the current session's! */
SslPtr = SSL_new (SslCtx);
if (!SslPtr)
{
ErrorNoticed (rqptr, 0, "SSL_new() failed", FI_LI);
ErrorGeneral (rqptr, "SSL_new() failed.", FI_LI);
AdminEnd (rqptr);
return;
}
ServerCertPtr = SSL_get_certificate (SslPtr);
CipherStackPtr = SSL_get_ciphers (SslPtr);
#ifndef SESOLA_REPORT_DN
SesolaCertReportName (ServerCertPtr, "ISSUER",
CertCaString, sizeof(CertCaString));
SesolaCertReportName (ServerCertPtr, "SUBJECT",
CertDnString, sizeof(CertDnString));
#else
X509_NAME_oneline (X509_get_issuer_name(ServerCertPtr),
CertString, sizeof(CertString));
SesolaCertReportDn (CertString, CertCaString, sizeof(CertCaString));
X509_NAME_oneline (X509_get_subject_name(ServerCertPtr),
CertString, sizeof(CertString));
SesolaCertReportDn (CertString, CertDnString, sizeof(CertDnString));
#endif
ASN1_UTCTIME_print (SesolaBioMemPtr, X509_get_notBefore(ServerCertPtr));
BIO_gets (SesolaBioMemPtr, CertNotBeforeString, sizeof(CertNotBeforeString));
ASN1_UTCTIME_print (SesolaBioMemPtr, X509_get_notAfter(ServerCertPtr));
BIO_gets (SesolaBioMemPtr, CertNotAfterString, sizeof(CertNotAfterString));
SesolaCertFingerprint (ServerCertPtr, &EVP_sha256,
CertFingerprintSHA256, sizeof(CertFingerprintSHA256));
SesolaCertFingerprint (ServerCertPtr, &EVP_sha1,
CertFingerprintSHA1, sizeof(CertFingerprintSHA1));
SesolaCertFingerprint (ServerCertPtr, &EVP_md5,
CertFingerprintMD5, sizeof(CertFingerprintMD5));
FaoToBuffer (ScratchString, sizeof(ScratchString), NULL,
"SSL Report – !AZ", svptr->ServerHostPort);
AdminPageTitle (rqptr, ScratchString);
vecptr = FaoVector;
*vecptr++ = ADMIN_REPORT_SSL;
*vecptr++ = VirtualHostPort[0];
*vecptr++ = (ServiceCount == 1);
status = FaolToNet (rqptr, VirtualFao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
if (ServiceCount > 1)
{
LIST_ITERATE (tsvptr, &ServiceList)
{
if (tsvptr->SchemeType != SCHEME_HTTPS) continue;
vecptr = FaoVector;
*vecptr++ = tsvptr->ServerHostPort;
*vecptr++ = strsame (tsvptr->ServerHostPort, VirtualHostPort, -1);
*vecptr++ = tsvptr->ServerHostPort;
status = FaolToNet (rqptr,
"<option value=\"!AZ\"!&? selected\r\r>!AZ\n",
&FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
}
vecptr = FaoVector;
*vecptr++ = svptr->ServerHostPort;
*vecptr++ = OpenSSL_version (OPENSSL_VERSION);
*vecptr++ = SesolaOpenSslVersionNumber;
cptr = (char*)OpenSSL_version (OPENSSL_BUILT_ON);
if (sptr = strstr (cptr, "uilt on"))
{
cptr = sptr + 7;
while (*cptr && (*cptr == ' ' || *cptr == ':')) cptr++;
}
*vecptr++ = cptr;
*vecptr++ = SesolaVersionString;
*vecptr++ = SesolaSSLoptions;
*vecptr++ = SesolaVersionOptions;
*vecptr++ = SesolaOptionsAsString(&SesolaSSLoptions);
if (SesolaTmpDHbitsPtr)
*vecptr++ = SesolaTmpDHbitsPtr;
else
*vecptr++ = "<i>(none)</i>";
if (scptr->CertFilePtr[0])
*vecptr++ = scptr->CertFilePtr;
else
*vecptr++ = "<i>(internal)</i>";
*vecptr++ = CertCaString;
*vecptr++ = CertDnString;
status = FaolToNet (rqptr, ServerInfo1Fao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
Count = 0;
SesolaCertExtension (ServerCertPtr, (char*)-1);
while (cptr = SesolaCertExtension (NULL, NULL))
{
status = FaoToNet (rqptr, ExtensionFao, ++Count, cptr);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
if (!Count) FaoToNet (rqptr, ExtensionNone);
vecptr = FaoVector;
*vecptr++ = CertNotBeforeString;
*vecptr++ = CertNotAfterString;
*vecptr++ = CertFingerprintSHA256;
*vecptr++ = CertFingerprintSHA1;
*vecptr++ = CertFingerprintMD5;
if (scptr->KeyFilePtr[0])
*vecptr++ = scptr->KeyFilePtr;
else
*vecptr++ = "<i>(internal)</i>";
if (scptr->CaFilePtr[0])
{
*vecptr++ =
"<span style=\"padding-right:1em;\">!AZ</span>\
<a class=\"abttn bttn400\" href=\"!AZ?do=report&virtual=!AZ\">report</a>\
<a class=\"abttn bttn400\" href=\"!AZ?virtual=!AZ\">list</a>\
<a class=\"abttn bttn400\" href=\"!AZ?do=edit&virtual=!AZ\">edit</a>";
*vecptr++ = scptr->CaFilePtr;
*vecptr++ = ADMIN_REPORT_SSL_CA;
*vecptr++ = VirtualHostPort;
*vecptr++ = ADMIN_REPORT_SSL_CA;
*vecptr++ = VirtualHostPort;
*vecptr++ = ADMIN_REVISE_SSL_CA;
*vecptr++ = VirtualHostPort;
*vecptr++ = "!UL";
*vecptr++ = SSL_CTX_get_verify_depth (SslCtx);
}
else
{
*vecptr++ = "<i>(none)</i>";
*vecptr++ = "<i>(none)</i>";
}
if (scptr->CipherListPtr[0])
{
*vecptr++ = "";
*vecptr++ = scptr->CipherListPtr;
}
else
{
*vecptr++ = "<i>(default)</i><br>";
*vecptr++ = SESOLA_DEFAULT_CIPHER_LIST;
}
status = FaolToNet (rqptr, ServerInfo2Fao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
/*********************/
/* supported ciphers */
/*********************/
if (CipherStackPtr = SSL_get_ciphers (SslPtr))
Total = sk_SSL_CIPHER_num (CipherStackPtr);
else
Total = -1;
if (Total == -1)
status = FaoToNet (rqptr, CiphersNoneFao);
else
for (Count = 0; Count < Total; Count++)
{
CipherPtr = (SSL_CIPHER *)sk_value (CipherStackPtr, Count);
vecptr = FaoVector;
*vecptr++ = Count + 1;
*vecptr++ = SSL_CIPHER_get_version (CipherPtr);
*vecptr++ = SSL_CIPHER_get_name (CipherPtr);
status = FaolToNet (rqptr, CiphersFao, &FaoVector);
}
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
/* dispose of this as soon as finished with it */
SSL_free (SslPtr);
vecptr = FaoVector;
*vecptr++ = AccountingPtr->ConnectSSLCount;
*vecptr++ = PercentOf32(AccountingPtr->ConnectSSLCount,
AccountingPtr->ConnectCount[HTTP12]);
*vecptr++ = AccountingPtr->RequestSSLCount;
*vecptr++ = PercentOf32(AccountingPtr->RequestSSLCount,
AccountingPtr->ProcessingTotalCount[HTTP12]);
VersionTotal = AccountingPtr->ConnectTLS13Count +
AccountingPtr->ConnectTLS12Count +
AccountingPtr->ConnectTLS11Count +
AccountingPtr->ConnectTLS1Count +
AccountingPtr->ConnectSSL3Count;
#if SESOLA_SINCE_111
*vecptr++ = AccountingPtr->ConnectTLS13Count;
*vecptr++ = PercentOf32(AccountingPtr->ConnectTLS13Count, VersionTotal);
*vecptr++ = AccountingPtr->ConnectTLS12Count;
*vecptr++ = PercentOf32(AccountingPtr->ConnectTLS12Count, VersionTotal);
*vecptr++ = AccountingPtr->ConnectTLS11Count;
*vecptr++ = PercentOf32(AccountingPtr->ConnectTLS11Count, VersionTotal);
#endif
*vecptr++ = AccountingPtr->ConnectTLS1Count;
*vecptr++ = PercentOf32(AccountingPtr->ConnectTLS1Count, VersionTotal);
#if SESOLA_BEFORE_111
*vecptr++ = AccountingPtr->ConnectSSL3Count;
*vecptr++ = PercentOf32(AccountingPtr->ConnectSSL3Count, VersionTotal);
#endif
options = SSL_CTX_get_options (SslCtx);
if (!(options & SSL_OP_NO_TICKET))
{
*vecptr++ =
"<tr><th>Refresh:</th><td>!20&W</td></tr>\n\
<tr><th>Name:</th><td>!16&H</td></tr>\n\
<tr><th>New:</th><td>!UL</td></tr>\n\
<tr><th>Hit:</th><td>!UL</td></tr>\n\
<tr><th>Miss:</th><td>!UL</td></tr>\n";
*vecptr++ = &SesolaTicketKeyTime64;
*vecptr++ = SesolaTicketKey;
*vecptr++ = SesolaSessionTicketNew;
*vecptr++ = SesolaSessionTicketHit;
*vecptr++ = SesolaSessionTicketMiss;
}
else
*vecptr++ = "<tr><td><i>(disabled)</i></td></tr>\n";
if (SesolaSessionCacheSize)
{
*vecptr++ =
"<tr><th>Size:</th><td>!UL</td></tr>\n\
<tr><th>Current:</th><td>!UL</td></tr>\n\
<tr><th>Full:</th><td>!UL</td></tr>\n\
<tr><th>Hit:</th><td>!UL</td></tr>\n\
<tr><th>Miss:</th><td>!UL</td></tr>\n\
<tr><th>Timeout:</th><td>!UL</td></tr>\n";
*vecptr++ = SSL_CTX_sess_get_cache_size (SslCtx);
*vecptr++ = SSL_CTX_sess_number (SslCtx);
*vecptr++ = SSL_CTX_sess_cache_full (SslCtx);
*vecptr++ = SesolaSessionCacheSize ? SSL_CTX_sess_hits (SslCtx) : 0;
*vecptr++ = SesolaSessionCacheSize ? SSL_CTX_sess_misses (SslCtx) : 0;
*vecptr++ = SSL_CTX_sess_timeouts (SslCtx);
}
else
*vecptr++ = "<tr><td><i>(disabled)</i></td></tr>\n";
status = FaolToNet (rqptr, EndCiphersFao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
SesolaCacheStats (rqptr);
status = FaolToNet (rqptr, EndServerInfoFao, NULL);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
if (sesolaptr)
{
/*******************/
/* current session */
/*******************/
SessionPtr = SSL_get_session (sesolaptr->SslPtr);
SessionTimeCSec = SSL_get_time (SessionPtr);
tmptr = localtime (&SessionTimeCSec);
if (!strftime (TimeString, sizeof(TimeString), "%b %d %T %Y", tmptr))
strcpy (TimeString, "strftime() error");
SessionTimeout = SSL_get_timeout (SessionPtr);
SessionTimeoutCSec = SessionTimeCSec + SessionTimeout;
tmptr = localtime (&SessionTimeoutCSec);
if (!strftime (TimeoutString, sizeof(TimeoutString),
"%b %d %T %Y", tmptr))
strcpy (TimeoutString, "strftime() error");
/* for some reason (no locale?) these are sometimes UTC - adjust back */
time (&UtcOffset);
(int)UtcOffset = (int)UtcOffset - (int)HttpdTickSecond;
SessionTimeCSec -= UtcOffset;
vecptr = FaoVector;
*vecptr++ = TimeString;
*vecptr++ = (HttpdTickSecond - SessionTimeCSec) / 3600;
*vecptr++ = ((HttpdTickSecond - SessionTimeCSec) % 3600) / 60;
*vecptr++ = (HttpdTickSecond - SessionTimeCSec) % 60;
*vecptr++ = SessionTimeout / 3600;
*vecptr++ = (SessionTimeout % 3600) / 60;
*vecptr++ = SessionTimeout % 60;
*vecptr++ = TimeoutString;
status = FaolToNet (rqptr, CurrentSessionFao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
if (sesolaptr->ClientCertPtr == NULL)
{
if (sesolaptr->ReportVirtualHostPort[0])
status = FaoToNet (rqptr, ClientCertNoneFao,
"<!--", "", "--><i>(none)</i>");
else
{
if (HTTP2_REQUEST(rqptr))
status = FaoToNet (rqptr, ClientCertNoneFao,
"<a class=\"abttn dbttn\"",
"",
"</a> (due to HTTP/2)");
else
status = FaoToNet (rqptr, ClientCertNoneFao,
"<a class=\"abttn\" href=",
ADMIN_REPORT_SSL_CLIENT,
"</a>");
}
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
else
{
#ifndef SESOLA_REPORT_DN
SesolaCertReportName (sesolaptr->ClientCertPtr, "ISSUER",
CertCaString, sizeof(CertCaString));
SesolaCertReportName (sesolaptr->ClientCertPtr, "SUBJECT",
CertDnString, sizeof(CertDnString));
#else
X509_NAME_oneline (X509_get_issuer_name(sesolaptr->ClientCertPtr),
CertString, sizeof(CertString));
SesolaCertReportDn (CertString, CertCaString, sizeof(CertCaString));
X509_NAME_oneline (X509_get_subject_name(sesolaptr->ClientCertPtr),
CertString, sizeof(CertString));
SesolaCertReportDn (CertString, CertDnString, sizeof(CertDnString));
#endif
ASN1_UTCTIME_print (SesolaBioMemPtr,
X509_get_notBefore(sesolaptr->ClientCertPtr));
BIO_gets (SesolaBioMemPtr, CertNotBeforeString,
sizeof(CertNotBeforeString));
ASN1_UTCTIME_print (SesolaBioMemPtr,
X509_get_notAfter(sesolaptr->ClientCertPtr));
BIO_gets (SesolaBioMemPtr, CertNotAfterString,
sizeof(CertNotAfterString));
SesolaCertFingerprint (sesolaptr->ClientCertPtr, &EVP_sha256,
CertFingerprintSHA256,
sizeof(CertFingerprintSHA256));
SesolaCertFingerprint (sesolaptr->ClientCertPtr, &EVP_sha1,
CertFingerprintSHA1,
sizeof(CertFingerprintSHA1));
SesolaCertFingerprint (sesolaptr->ClientCertPtr, &EVP_md5,
CertFingerprintMD5, sizeof(CertFingerprintMD5));
/* fingerprint for authentication purposes is sans colons */
zptr = (sptr = AuthFingerprint) + sizeof(AuthFingerprint)-1;
for (cptr = CertFingerprintMD5; *cptr; cptr++)
if (*cptr != ':') *sptr++ = *cptr;
*sptr = '\0';
vecptr = FaoVector;
*vecptr++ = CertCaString;
*vecptr++ = CertDnString;
status = FaolToNet (rqptr, ClientCert1Fao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
Count = 0;
SesolaCertExtension (sesolaptr->ClientCertPtr, (char*)-1);
while (cptr = SesolaCertExtension (NULL, NULL))
{
status = FaoToNet (rqptr, ExtensionFao, ++Count, cptr);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
if (!Count) FaoToNet (rqptr, ExtensionNone);
vecptr = FaoVector;
*vecptr++ = CertNotBeforeString;
*vecptr++ = CertNotAfterString;
*vecptr++ = CertFingerprintSHA256;
*vecptr++ = CertFingerprintSHA1;
*vecptr++ = CertFingerprintMD5;
*vecptr++ = AuthFingerprint;
status = FaolToNet (rqptr, ClientCert2Fao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
/* use the Apache SSL variables as a basis for session information */
rqptr->rqPathSet.CgiPrefixPtr = "";
status = SesolaCgiVariablesApacheModSsl (rqptr, CGI_VARIABLE_STREAM);
if (VMSnok (status))
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, "Woops.", FI_LI);
AdminEnd (rqptr);
return;
}
cptr = rqptr->rqCgi.BufferPtr;
for (;;)
{
if (!*(USHORTPTR)cptr) break;
vecptr = FaoVector;
cptr += sizeof(short);
if (!MATCH4 (cptr, "SSL_"))
{
while (*cptr) cptr++;
cptr++;
continue;
}
zptr = sptr = (cptr += 4);
if (*sptr != '=') *zptr++ = *sptr++;
while (*sptr && *sptr != '=') *zptr++ = TOLO(*sptr++);
*vecptr++ = sptr - cptr;
*vecptr++ = cptr;
if (*sptr) sptr++;
cptr = sptr;
while (*sptr) sptr++;
*vecptr++ = sptr - cptr;
*vecptr++ = cptr;
FaolToNet (rqptr,
"<tr><th>!#AZ:</th><td>!#&;AZ</td></tr>\n",
&FaoVector);
cptr = ++sptr;
}
status = FaolToNet (rqptr, CurrentSessionEndFao, NULL);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
if (cptr = SesolaMemTrackReport())
{
status = FaoToNet (rqptr, "<!!-- !AZ -->\n", cptr);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
status = FaoToNet (rqptr, "<!!-- !AZ -->\n", SesolaNetStats());
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
/**************/
/* end report */
/**************/
status = FaolToNet (rqptr, EndPageFao, NULL);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
rqptr->rqResponse.PreExpired = PRE_EXPIRE_ADMIN;
ResponseHeader200 (rqptr, "text/html", &rqptr->NetWriteBufferDsc);
AdminEnd (rqptr);
}
/*****************************************************************************/
/*
Derived from [.CRYPTO.X509]X509_LU.C using hints from X509_STORE_add_cert().
List the CA certificates in the client certificate verification store.
*/
SesolaReportCA
(
REQUEST_STRUCT *rqptr,
char *VirtualHostPort
)
{
static char BeginPageFao [] =
"<p><table class=\"ctgry\">\n\
<tr><th class=\"ctttl\">!AZ</th></tr>\n\
<tr><td>\n\
<table class=\"rghtlft\">\n\
<tr><th>CA Verify File:</th><td>!AZ</td></tr>\n\
<tr><th>CA Verify Depth:</th><td>!UL</td></tr>\n";
static char CertStoreNull [] =
"<tr><td><i>(none)</i></td></tr>\n";
static char CertFao [] =
"<tr><td colspan=\"2\">\
<hr size=\"1\" width=\"100%\" align=\"left\" noshade></td></tr>\n\
<tr><td colspan=\"2\">\n\
<table class=\"rghtlft\">\n\
<tr><th>!UL.</th>\
<th>Issuer:</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n\
<tr><th></th><th>Subject:</th>\
<td style=\"white-space:pre;\">!AZ</td></tr>\n\
<tr><th></th><th>Begins:</th><td>!AZ</td></tr>\n\
<tr><th></th><th>Expires:</th><td>!AZ</td></tr>\n\
</table>\n\
</td></tr>\n";
static char EndPageFao [] =
"<tr><td colspan=\"2\">\
<hr size=\"1\" width=\"100%\" align=\"left\" noshade></td></tr>\n\
<tr><td colspan=\"2\">\n\
<a class=\"abttn bttn300\" href=\"!AZ?do=edit&virtual=!AZ\">Edit</a>\n\
<a class=\"abttn bttn300\" href=\"!AZ?virtual=!AZ\">List</a>\n\
<a class=\"abttn bttn300\" href=\"!AZ\">Reload</a>\n\
</td></tr>\n\
</table>\n\
</td></tr>\n\
</table>\n\
</div>\n\
</body>\n\
</html>\n";
int idx,
status,
Count,
ObjectCount;
ulong FaoVector [16];
ulong *vecptr;
char *cptr, *sptr, *zptr;
char CertString [256],
CertCaString [256],
CertDnString [256],
CertNotAfterString [32],
CertNotBeforeString [32];
SERVICE_STRUCT *svptr;
SESOLA_CONTEXT *scptr;
SSL_CTX *SslCtx;
X509 *CertPtr;
X509_OBJECT *CertObjectPtr;
X509_STORE *CertStorePtr;
#if SESOLA_SINCE_110
STACK_OF(X509_OBJECT) *ObjectsPtr;
#endif
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaReportCA() !AZ",
VirtualHostPort);
if (VirtualHostPort[0])
{
LIST_ITERATE (svptr, &ServiceList)
if (strsame (svptr->ServerHostPort, VirtualHostPort, -1)) break;
if (!svptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, "No such virtual service.", FI_LI);
AdminEnd (rqptr);
return;
}
}
else
svptr = rqptr->ServicePtr;
/* if the service is not SSL then choose the first in the list */
if (svptr->SchemeType != SCHEME_HTTPS)
{
LIST_ITERATE (svptr, &ServiceList)
if (svptr->SchemeType != SCHEME_HTTPS) continue;
if (svptr) VirtualHostPort = svptr->ServerHostPort;
}
if (svptr->SchemeType != SCHEME_HTTPS)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, "No SSL service found!", FI_LI);
AdminEnd (rqptr);
return;
}
/* the sesola service context */
scptr = (SESOLA_CONTEXT*)svptr->SSLserverPtr;
/* this is the service's context - not the current session's! */
SslCtx = ((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx;
AdminPageTitle (rqptr, "SSL Report, CA Verification");
vecptr = FaoVector;
*vecptr++ = svptr->ServerHostPort;
*vecptr++ = scptr->CaFilePtr;
*vecptr++ = SSL_CTX_get_verify_depth (SslCtx);
status = FaolToNet (rqptr, BeginPageFao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
if (!(CertStorePtr = SSL_CTX_get_cert_store (SslCtx)))
{
status = FaolToNet (rqptr, CertStoreNull, NULL);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
else
{
Count = 0;
#if SESOLA_SINCE_110
ObjectsPtr = X509_STORE_get0_objects(CertStorePtr);
ObjectCount = sk_X509_OBJECT_num(ObjectsPtr);
for (idx = 0; idx < ObjectCount; idx++)
{
CertObjectPtr = sk_X509_OBJECT_value (ObjectsPtr, idx);
if (X509_OBJECT_get_type(CertObjectPtr) != X509_LU_X509) continue;
CertPtr = X509_OBJECT_get0_X509 (CertObjectPtr);
#else /* SESOLA_SINCE_110 */
ObjectCount = sk_X509_OBJECT_num(CertStorePtr->objs);
for (idx = 0; idx < ObjectCount; idx++)
{
CertObjectPtr = sk_X509_OBJECT_value (CertStorePtr->objs, idx);
if (CertObjectPtr->type != X509_LU_X509) continue;
CertPtr = (X509*)CertObjectPtr->data.x509;
#endif /* SESOLA_SINCE_110 */
Count++;
#ifndef SESOLA_REPORT_DN
SesolaCertReportName (CertPtr, "ISSUER",
CertCaString, sizeof(CertCaString));
SesolaCertReportName (CertPtr, "SUBJECT",
CertDnString, sizeof(CertDnString));
#else
X509_NAME_oneline (X509_get_issuer_name(CertPtr),
CertString, sizeof(CertString));
SesolaCertReportDn (CertString, CertCaString, sizeof(CertCaString));
X509_NAME_oneline (X509_get_subject_name(CertPtr),
CertString, sizeof(CertString));
SesolaCertReportDn (CertString, CertDnString, sizeof(CertDnString));
#endif
ASN1_UTCTIME_print (SesolaBioMemPtr, X509_get_notBefore(CertPtr));
BIO_gets (SesolaBioMemPtr, CertNotBeforeString,
sizeof(CertNotBeforeString));
ASN1_UTCTIME_print (SesolaBioMemPtr, X509_get_notAfter(CertPtr));
BIO_gets (SesolaBioMemPtr, CertNotAfterString,
sizeof(CertNotAfterString));
vecptr = FaoVector;
*vecptr++ = Count;
*vecptr++ = CertCaString;
*vecptr++ = CertDnString;
*vecptr++ = CertNotBeforeString;
*vecptr++ = CertNotAfterString;
status = FaolToNet (rqptr, CertFao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
}
}
vecptr = FaoVector;
*vecptr++ = ADMIN_REVISE_SSL_CA;
*vecptr++ = svptr->ServerHostPort;
*vecptr++ = ADMIN_REPORT_SSL_CA;
*vecptr++ = svptr->ServerHostPort;
*vecptr++ = ADMIN_CONTROL_SSL_CA_LOAD;
status = FaolToNet (rqptr, EndPageFao, &FaoVector);
if (VMSnok (status)) ErrorNoticed (rqptr, status, NULL, FI_LI);
rqptr->rqResponse.PreExpired = PRE_EXPIRE_ADMIN;
ResponseHeader200 (rqptr, "text/html", &rqptr->NetWriteBufferDsc);
AdminEnd (rqptr);
}
/*****************************************************************************/
/*
Command-line CA verification file reload function.
*/
void SesolaControlReloadCA ()
{
int cnt, value,
ErrorCount,
SSLcount,
ReloadCount;
SERVICE_STRUCT *svptr;
SESOLA_CONTEXT *scptr;
SSL_CTX *SslCtx;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaControlReloadCA()");
/* enable SYSPRV to allow access to a possibly protected file */
sys$setprv (1, &SysPrvMask, 0, 0);
ErrorCount = SSLcount = ReloadCount = 0;
LIST_ITERATE (svptr, &ServiceList)
{
if (svptr->SchemeType != SCHEME_HTTPS) continue;
for (cnt = 0; cnt < 2; cnt++)
{
if (cnt)
scptr = (SESOLA_CONTEXT*)svptr->SSLclientPtr;
else
scptr = (SESOLA_CONTEXT*)svptr->SSLserverPtr;
if (!scptr) continue;
if (!scptr->SslCtx) continue;
SSLcount++;
if (!scptr->CaFilePtr[0]) continue;
SslCtx = (SSL_CTX*)scptr->SslCtx;
SSL_CTX_set_cert_store (SslCtx, X509_STORE_new());
/* load the file in afresh */
value = SSL_CTX_load_verify_locations (SslCtx,
scptr->CaFilePtr,
NULL);
if (value) value = SSL_CTX_set_default_verify_paths (SslCtx);
if (value)
ReloadCount++;
else
{
ErrorCount++;
FaoToStdout ("%HTTPD-W-SSL, !AZ\n \\!AZ\\\n",
svptr->ServerHostPort, scptr->CaFilePtr);
SesolaPrintOpenSslErrorList ();
FaoToStdout ("%HTTPD-W-SSL, client verification not enabled\n");
}
}
}
sys$setprv (0, &SysPrvMask, 0, 0);
FaoToStdout ("%HTTPD-I-SSL, \
reloaded CAs for !UL of !UL SSL contexts!&@\n",
ReloadCount, SSLcount,
ErrorCount ? ", !UL error!%s" : "", ErrorCount);
if (OpcomMessages & OPCOM_HTTPD ||
OpcomMessages & OPCOM_AUTHORIZATION)
FaoToOpcom ("%HTTPD-I-SSL, \
reloaded CAs for !UL of !UL SSL contexts!&@",
ReloadCount, SSLcount,
ErrorCount ? ", !UL error!%s" : "", ErrorCount);
}
/*****************************************************************************/
/*
*/
char* SesolaRequestCipher (SESOLA_STRUCT *sesolaptr)
{
char *cptr;
SSL_CIPHER *CipherPtr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestCipher()");
if (CipherPtr = SSL_get_current_cipher (sesolaptr->SslPtr))
cptr = (char*)SSL_CIPHER_get_name (CipherPtr);
else
cptr = "*BUGCHECK*";
return (cptr);
}
/*****************************************************************************/
/*
*/
BOOL SesolaRequestSessionReused (SESOLA_STRUCT *sesolaptr)
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestSessionReused()");
return ((BOOL)SSL_cache_hit(sesolaptr->SslPtr));
}
/*****************************************************************************/
/*
*/
char* SesolaRequestVersion (SESOLA_STRUCT *sesolaptr)
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestVersion()");
return ((char*)SSL_get_version(sesolaptr->SslPtr));
}
/*****************************************************************************/
/*
Return a pointer to a static string containing the string equivalent of the bit
vector that is OpenSSL options. Parameter is byt reference.
*/
char* SesolaOptionsAsString (ulong *optptr)
{
static char buf [1024];
ulong bit, options;
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaOptionsAsString()");
options = *optptr;
zptr = (sptr = buf) + sizeof(buf)-4;
for (bit = 0x80000000; bit; bit = bit >> 1)
{
switch (bit & options)
{
case 0 : cptr = NULL; break;
case 0x00000001 : cptr = "microsoft_sess_id_bug"; break;
case 0x00000002 : cptr = "netscape_challenge_bug"; break;
case 0x00000004 : cptr = "legacy_server_connect"; break;
case 0x00000008 : cptr = "netscape_reuse_cipher_change_bug"; break;
case 0x00000010 : cptr = "tlsext_padding"; break;
case 0x00000020 : cptr = "microsoft_big_sslv3_buffer"; break;
case 0x00000040 : cptr = "safari_ecdhe_ecdsa_bug"; break;
case 0x00000080 : cptr = "ssleay_080_client_dh_bug"; break;
case 0x00000100 : cptr = "tls_d5_bug"; break;
case 0x00000200 : cptr = "tls_block_padding_bug"; break;
case 0x00000400 : cptr = "msie_sslv2_rsa_padding"; break;
case 0x00000800 : cptr = "sslref2_reuse_cert_type_bug"; break;
case 0x00001000 : cptr = "no_query_mtu"; break;
case 0x00002000 : cptr = "cookie_exchange"; break;
case 0x00004000 : cptr = "no_ticket"; break;
case 0x00008000 : cptr = "cisco_anyconnect"; break;
case 0x00010000 : cptr = "no_session_resumption_on_renegotiation"; break;
case 0x00020000 : cptr = "no_compression"; break;
case 0x00040000 : cptr = "allow_unsafe_legacy_renegotiation"; break;
case 0x00080000 : cptr = "single_ecdh_use"; break;
case 0x00100000 : cptr = "single_dh_use"; break;
case 0x00200000 : cptr = "ephemeral_rsa"; break;
case 0x00400000 : cptr = "cipher_server_preference"; break;
case 0x00800000 : cptr = "tls_rollback_bug"; break;
case 0x01000000 : cptr = "no_sslv2"; break;
case 0x02000000 : cptr = "no_sslv3"; break;
case 0x04000000 : cptr = "no_tlsv1"; break;
case 0x08000000 : cptr = "no_tlsv1_2"; break;
case 0x10000000 : cptr = "no_tlsv1_1"; break;
case 0x20000000 : cptr = "netscape_ca_dn_bug"; break;
case 0x40000000 : cptr = "netscape_demo_cipher_change_bug"; break;
case 0x80000000 : cptr = "cryptopro_tlsext_bug"; break;
default : cptr = "BUGCHECK";
}
if (cptr)
{
if (sptr > buf)
{
if (sptr < zptr) *sptr++ = ',';
if (sptr < zptr) *sptr++ = ' ';
}
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
}
}
if (sptr >= zptr) for (cptr = "..."; *cptr; *sptr++ = *cptr++);
*sptr = '\0';
return (buf);
}
/*****************************************************************************/
/*
This is basically for inclusion in the WATCH report header.
*/
char* SesolaVersion (BOOL full)
{
static char String [256];
static $DESCRIPTOR (StringDsc, String);
static $DESCRIPTOR (FullVersionFaoDsc, "!AZ (!AZ) !AZ*.H !AZ\n\0");
static $DESCRIPTOR (VersionFaoDsc, "!AZ (!AZ)\n\0");
char *cptr, *sptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaVersion()");
cptr = (char*)OpenSSL_version (OPENSSL_BUILT_ON);
if (sptr = strstr (cptr, "uilt on"))
{
cptr = sptr + 7;
while (*cptr && (*cptr == ' ' || *cptr == ':')) cptr++;
}
/* this globavalue is set by the linker when building the image */
switch (SESOLA_LIB_SSL_32)
{
case 11 : sptr = "SSLLIB:LIBSSL.OLB"; break;
case 12 : sptr = "SSLLIB:SSL_LIBSSL32.OLB"; break;
case 21 : sptr = "SYS$COMMON:[SYSLIB]SSL$LIBSSL_SHR32.EXE"; break;
case 22 : sptr = "SYS$COMMON:[SYSLIB]SSL1$LIBSSL_SHR32.EXE"; break;
case 23 : sptr = "SYS$COMMON:[SYSLIB]SSL111$LIBSSL_SHR32.EXE"; break;
case 31 : sptr = "OPENSSL097E_LIBSSL_SHR32.EXE"; break;
case 41 : sptr = "WASD [ALPHA.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 42 : sptr = "WASD [ALPHA.EXE.SSL]LIBSSL.OLB"; break;
case 51 : sptr = "WASD [AXP.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 52 : sptr = "WASD [IA64.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 53 : sptr = "WASD [X86_64.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 54 : sptr = "WASD [AXP.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 55 : sptr = "WASD [IA64.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 56 : sptr = "WASD [X86_64.EXE.SSL]SSL_LIBSSL32.OLB"; break;
case 61 : sptr = "OSSL$LIB:OSSL$LIBCRYPTO32.OLB"; break;
case 62 : sptr = "OSSL$SHARE:OSSL$LIBSSL0101_SHR32.EXE"; break;
case 71 : sptr = "WASD [WASD.ALPHA]LIBSSL32.OLB"; break;
case 72 : sptr = "WASD [WASD.IA64]LIBSSL32.OLB"; break;
case 73 : sptr = "WASD [WASD.X86_64]LIBSSL32.OLB"; break;
default : sptr = "?"; break;
}
if (full)
sys$fao (&FullVersionFaoDsc, 0, &StringDsc,
OpenSSL_version (OPENSSL_VERSION), cptr, LIB_SSL_32, sptr);
else
sys$fao (&VersionFaoDsc, 0, &StringDsc,
OpenSSL_version (OPENSSL_VERSION), cptr);
return (String);
}
/*****************************************************************************/
/*
Fudge what's not in these versions.
*/
#if SESOLA_BEFORE_110
unsigned long OpenSSL_version_num(void)
{
int fix = 0, maj = 0, min = 0;
ulong vnum = 0;
char pch = 0;
char *cptr;
/* ulong with MNNFFPPS: major minor fix patch status */
for (cptr = OpenSSL_version(OPENSSL_VERSION);
*cptr && !isdigit(*cptr);
cptr++);
sscanf (cptr, "%d.%d.%d%c", &maj, &min, &fix, &pch);
if (!isalpha(pch)) pch = 0;
if (pch >= 'a' && pch <= 'z') pch -= 96;
vnum = maj * 0x10000000L + min * 0x00100000L +
fix * 0x00001000L + pch * 0x00000010L;
return (vnum);
}
const char* OpenSSL_version (int t)
{
return (SSLeay_version(t));
}
#endif /* SESOLA_BEFORE_110 */
/*****************************************************************************/
/*
Wrapper for keeping track of OpenSSL malloc()s for debug/development.
*/
void* SesolaMalloc (int size)
{
void *mptr;
/*********/
/* begin */
/*********/
if (SesolaMemVmTrack)
mptr = VmOpenSslMalloc (size + sizeof(ulong)*2);
else
mptr = malloc (size + sizeof(ulong)*2);
if (!mptr) return (mptr);
*(ulong*)mptr = size;
(uchar*)mptr += sizeof(ulong);
*(ulong*)mptr = 0xfee1dead;
(uchar*)mptr += sizeof(ulong);
SesolaMallocCount++;
SesolaMallocBytes += (ulong)size;
SesolaInUseBytes = SesolaMallocBytes - SesolaFreeBytes;
if (SesolaInUseBytes > SesolaMaxBytes) SesolaMaxBytes = SesolaInUseBytes;
return (mptr);
}
/*****************************************************************************/
/*
Wrapper for keeping track of OpenSSL realloc()s for debug/development.
*/
void* SesolaRealloc (void *mptr, int size)
{
ulong msize;
/*********/
/* begin */
/*********/
if (!mptr) return (SesolaMalloc (size));
(uchar*)mptr -= sizeof(ulong);
if (*(ulong*)mptr != 0xfee1dead)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
(uchar*)mptr -= sizeof(ulong);
msize = *(ulong*)mptr;
if (size <= msize)
{
(uchar*)mptr += sizeof(ulong)*2;
return (mptr);
}
if (SesolaMemVmTrack)
mptr = VmOpenSslRealloc (mptr, size + sizeof(ulong)*2);
else
mptr = realloc (mptr, size + sizeof(ulong)*2);
if (!mptr) return (mptr);
(uchar*)mptr += sizeof(ulong)*2;
SesolaReallocCount++;
/* with VmOpenSslRealloc() this is done as an alloc and free */
SesolaMallocBytes += (ulong)size;
SesolaFreeBytes += msize;
SesolaInUseBytes = SesolaMallocBytes - SesolaFreeBytes;
if (SesolaInUseBytes > SesolaMaxBytes) SesolaMaxBytes = SesolaInUseBytes;
return (mptr);
}
/*****************************************************************************/
/*
Wrapper for keeping track of OpenSSL free()s for debug/development.
*/
void SesolaFree (void *mptr)
{
ulong msize;
/*********/
/* begin */
/*********/
if (!mptr) return;
(uchar*)mptr -= sizeof(ulong);
if (*(ulong*)mptr != 0xfee1dead)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
(uchar*)mptr -= sizeof(ulong);
msize = *(ulong*)mptr;
if (SesolaMemVmTrack)
VmOpenSslFree (mptr);
else
free (mptr);
SesolaFreeCount++;
SesolaFreeBytes += (ulong)msize;
SesolaInUseBytes = SesolaMallocBytes - SesolaFreeBytes;
if (SesolaInUseBytes > SesolaMaxBytes) SesolaMaxBytes = SesolaInUseBytes;
}
/*****************************************************************************/
/*
Return a pointer to a buffer containing the memory track report.
*/
char* SesolaMemTrackReport (void)
{
static ulong LastLookTime64;
static char buf [192];
int status;
int64 avail64,
davail64,
dinuse64,
dmax64,
max64;
char LastLookAgo [64];
/*********/
/* begin */
/*********/
if (!SesolaMemTrack) return (NULL);
ThisLongAgo (&LastLookTime64, LastLookAgo);
dinuse64 = SesolaInUseBytes - SesolaPrevInUseBytes;
dmax64 = SesolaMaxBytes - SesolaPrevMaxBytes;
avail64 = SesolaMaxBytes - SesolaInUseBytes;
davail64 = avail64 - SesolaPrevAvailBytes;
status = FaoToBuffer (buf, sizeof(buf), NULL,
"!AZ malloc:!&,UL (!&,UL) realloc:!&,UL (!&,UL) free:!&,UL (!&,UL) \
inuse:!&,@SQ (!AZ!&,@SQ) max:!&,@SQ (!AZ!&,@SQ) avail:!&,@SQ (!AZ!&,@SQ) (!AZ)",
LastLookAgo,
SesolaMallocCount,
SesolaMallocCount - SesolaPrevMallocCount,
SesolaReallocCount,
SesolaReallocCount - SesolaPrevReallocCount,
SesolaFreeCount,
SesolaFreeCount - SesolaPrevFreeCount,
&SesolaInUseBytes, dinuse64 > 0 ? "+" : "", &dinuse64,
&SesolaMaxBytes, dmax64 > 0 ? "+" : "", &dmax64,
&avail64, davail64 > 0 ? "+" : "", &davail64,
SesolaMemVmTrack ? "VM" : "DECC");
if (VMSnok (status)) ErrorNoticed (NULL, status, NULL, FI_LI);
SesolaPrevFreeCount = SesolaFreeCount;
SesolaPrevMallocCount = SesolaMallocCount;
SesolaPrevReallocCount = SesolaReallocCount;
SesolaPrevInUseBytes = SesolaInUseBytes;
SesolaPrevMaxBytes = SesolaMaxBytes;
SesolaPrevAvailBytes = avail64;
sys$gettim (&LastLookTime64);
return (buf);
}
/*****************************************************************************/
/*
Reset the counters.
*/
void SesolaMemTrackReset (void)
{
/*********/
/* begin */
/*********/
SesolaFreeCount = SesolaMallocCount = SesolaReallocCount =
SesolaPrevFreeCount = SesolaPrevMallocCount = SesolaPrevReallocCount = 0;
SesolaFreeBytes = SesolaInUseBytes = SesolaMallocBytes = SesolaMaxBytes =
SesolaPrevAvailBytes = SesolaPrevFreeBytes = SesolaPrevInUseBytes =
SesolaPrevMallocBytes = SesolaPrevMaxBytes = 0;
}
/*****************************************************************************/
/*
For compilations without SSL these functions provide LINKage stubs for the
rest of the HTTPd modules, allowing for just recompiling the Sesola module to
integrate the SSL functionality.
*/
/*********************/
#else /* not SESOLA */
/*********************/
/* required global storage */
BOOL ProtocolHttpsAvailable = false,
ProtocolHttpsConfigured = false,
SesolaVerifyCAConfigured;
/* i.e. disabled */
int SesolaGblSecStructSize = 0,
SesolaTicketKeySuperDay,
SesolaVersionBitmap = -1;
char HttpdSesola [] = "",
SesolaAvailableVersions [] = "",
SesolaParams [256] = "",
SesolaTicketKey [] = "";
/* external storage */
extern char ErrorSanityCheck[];
extern WATCH_STRUCT Watch;
SesolaInit ()
{
if (SesolaVersionBitmap <= 0) return;
FaoToStdout ("%HTTPD-E-SSL, non-SSL version\n");
exit (STS$K_ERROR | STS$M_INHIB_MSG);
}
SesolaInitService (SERVICE_STRUCT *svptr)
{
return;
}
BOOL SesolaInitClientService (SERVICE_STRUCT *svptr)
{
return (true);
}
BOOL SesolaSNIserviceSet (void *sesolaptr)
{
return (false);
}
SesolaClientCert
(
REQUEST_STRUCT *rqptr,
int VerifyMode,
REQUEST_AST AstFunction
)
{
return (AUTH_DENIED_BY_OTHER);
}
SesolaReport
(
REQUEST_STRUCT *rqptr,
char *VirtualHostPort
)
{
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaReport()");
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, "This is a non-SSL version.", FI_LI);
AdminEnd (rqptr);
}
void SesolaAdminReloadCA (REQUEST_STRUCT *rqptr)
{
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaAdminReloadCA()");
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, "This is a non-SSL version.", FI_LI);
AdminEnd (rqptr);
}
void SesolaControlReloadCA ()
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaControlReloadCA()");
}
void SesolaControlReloadCerts ()
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaControlReloadCerts()");
}
SesolaReportCA
(
REQUEST_STRUCT *rqptr,
char *VirtualHostPort
)
{
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaReportCA()");
rqptr->rqResponse.HttpStatus = 403;
ErrorGeneral (rqptr, "This is a non-SSL version.", FI_LI);
AdminEnd (rqptr);
}
char* SesolaRequestCipher (void *sesolaptr)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestCipher()");
return ("*BUGCHECK*");
}
BOOL SesolaRequestSessionReused (void *sesolaptr)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestSessionReused()");
return (false);
}
char* SesolaRequestVersion (void *sesolaptr)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestVersion()");
return ("*BUGCHECK*");
}
char* SesolaSessionTicketNewKey ()
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaSessionTicketNewKey()");
return;
}
char* SesolaSessionTicketUseKey (uchar* keyptr)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaSessionTicketUseKey()");
return;
}
char* SesolaRequestALPN (REQUEST_STRUCT *rqptr)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestALPN()");
return (NULL);
}
void* SesolaRequestSesolaPtr (REQUEST_STRUCT *rqptr)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaRequestSesolaPtr()");
return (NULL);
}
void SesolaSetWatch
(
void *sesolaptr,
int item
)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaSetWatch()");
}
char* SesolaVersion (BOOL full)
{
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaVersion()");
return ("");
}
SesolaWatchPeek
(
REQUEST_STRUCT *rqptr,
void *SeSoLaPtr
)
{
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaWatchPeek()");
return;
}
/*****************************************************************************/
/************************/
#endif /* ifdef SESOLA */
/************************/
/*****************************************************************************/