aksdb
/
restemplate
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
restemplate/indy/Protocols/IdSSLOpenSSL.pas

4057 lines
122 KiB
Plaintext
Raw Normal View History

* Replaced fphttpclient with indy10. * Added compression support
2015-10-04 14:14:55 +02:00
{
$Project$
$Workfile$
$Revision$
$DateUTC$
$Id$
This file is part of the Indy (Internet Direct) project, and is offered
under the dual-licensing agreement described on the Indy website.
(http://www.indyproject.org/)
Copyright:
(c) 1993-2005, Chad Z. Hower and the Indy Pit Crew. All rights reserved.
}
{
$Log$
}
{
Rev 1.40 03/11/2009 09:04:00 AWinkelsdorf
Implemented fix for Vista+ SSL_Read and SSL_Write to allow connection
timeout.
Rev 1.39 16/02/2005 23:26:08 CCostelloe
Changed OnVerifyPeer. Breaks existing implementation of OnVerifyPeer. See
long comment near top of file.
Rev 1.38 1/31/05 6:02:28 PM RLebeau
Updated _GetThreadId() callback to reflect changes in IdGlobal unit
Rev 1.37 7/27/2004 1:54:26 AM JPMugaas
Now should use the Intercept property for sends.
Rev 1.36 2004-05-18 21:38:36 Mattias
Fixed unload bug
Rev 1.35 2004-05-07 16:34:26 Mattias
Implemented OpenSSL locking callbacks
Rev 1.34 27/04/2004 9:38:48 HHariri
Added compiler directive so it works in BCB
Rev 1.33 4/26/2004 12:41:10 AM BGooijen
Fixed WriteDirect
Rev 1.32 2004.04.08 10:55:30 PM czhower
IOHandler changes.
Rev 1.31 3/7/2004 9:02:58 PM JPMugaas
Fixed compiler warning about visibility.
Rev 1.30 2004.03.07 11:46:40 AM czhower
Flushbuffer fix + other minor ones found
Rev 1.29 2/7/2004 5:50:50 AM JPMugaas
Fixed Copyright.
Rev 1.28 2/6/2004 3:45:56 PM JPMugaas
Only a start on NET porting. This is not finished and will not compile on
DotNET>
Rev 1.27 2004.02.03 5:44:24 PM czhower
Name changes
Rev 1.26 1/21/2004 4:03:48 PM JPMugaas
InitComponent
Rev 1.25 1/14/2004 11:39:10 AM JPMugaas
Server IOHandler now works. Accept was commented out.
Rev 1.24 2003.11.29 10:19:28 AM czhower
Updated for core change to InputBuffer.
Rev 1.23 10/21/2003 10:09:14 AM JPMugaas
Intercept enabled.
Rev 1.22 10/21/2003 09:41:38 AM JPMugaas
Updated for new API. Verified with TIdFTP with active and passive transfers
as well as clear and protected data channels.
Rev 1.21 10/21/2003 07:32:38 AM JPMugaas
Checked in what I have. Porting still continues.
Rev 1.20 10/17/2003 1:08:08 AM DSiders
Added localization comments.
Rev 1.19 2003.10.12 6:36:44 PM czhower
Now compiles.
Rev 1.18 9/19/2003 11:24:58 AM JPMugaas
Should compile.
Rev 1.17 9/18/2003 10:20:32 AM JPMugaas
Updated for new API.
Rev 1.16 2003.07.16 3:26:52 PM czhower
Fixed for a core change.
Rev 1.15 6/30/2003 1:52:22 PM BGooijen
Changed for new buffer interface
Rev 1.14 6/29/2003 5:42:02 PM BGooijen
fixed problem in TIdSSLIOHandlerSocketOpenSSL.SetPassThrough that Henrick
Hellstrom reported
Rev 1.13 5/7/2003 7:13:00 PM BGooijen
changed Connected to BindingAllocated in ReadFromSource
Rev 1.12 3/30/2003 12:16:40 AM BGooijen
bugfixed+ added MakeFTPSvrPort/MakeFTPSvrPasv
Rev 1.11 3/14/2003 06:56:08 PM JPMugaas
Added a clone method to the SSLContext.
Rev 1.10 3/14/2003 05:29:10 PM JPMugaas
Change to prevent an AV when shutting down the FTP Server.
Rev 1.9 3/14/2003 10:00:38 PM BGooijen
Removed TIdServerIOHandlerSSLBase.PeerPassthrough, the ssl is now enabled in
the server-protocol-files
Rev 1.8 3/13/2003 11:55:38 AM JPMugaas
Updated registration framework to give more information.
Rev 1.7 3/13/2003 11:07:14 AM JPMugaas
OpenSSL classes renamed.
Rev 1.6 3/13/2003 10:28:16 AM JPMugaas
Forgot the reegistration - OOPS!!!
Rev 1.5 3/13/2003 09:49:42 AM JPMugaas
Now uses an abstract SSL base class instead of OpenSSL so 3rd-party vendors
can plug-in their products.
Rev 1.4 3/13/2003 10:20:08 AM BGooijen
Server side fibers
Rev 1.3 2003.02.25 3:56:22 AM czhower
Rev 1.2 2/5/2003 10:27:46 PM BGooijen
Fixed bug in OpenEncodedConnection
Rev 1.1 2/4/2003 6:31:22 PM BGooijen
Fixed for Indy 10
Rev 1.0 11/13/2002 08:01:24 AM JPMugaas
}
unit IdSSLOpenSSL;
{
Author: Gregor Ibic (gregor.ibic@intelicom.si)
Copyright: (c) Gregor Ibic, Intelicom d.o.o and Indy Working Group.
}
{
Indy OpenSSL now uses the standard OpenSSL libraries
for pre-compiled win32 dlls, see:
http://www.openssl.org/related/binaries.html
recommended v0.9.8a or later
}
{
Important information concerning OnVerifyPeer:
Rev 1.39 of February 2005 deliberately broke the OnVerifyPeer interface,
which (obviously?) only affects programs that implemented that callback
as part of the SSL negotiation. Note that you really should always
implement OnVerifyPeer, otherwise the certificate of the peer you are
connecting to is NOT checked to ensure it is valid.
Prior to this, if the SSL library detected a problem with a certificate
or the Depth was insufficient (i.e. the "Ok" parameter in VerifyCallback
is 0 / FALSE), then irrespective of whether your OnVerifyPeer returned True
or False, the SSL connection would be deliberately failed.
This created a problem in that even if there was only a very minor
problem with one of the certificates in the chain (OnVerifyPeer is called
once for each certificate in the certificate chain), which the user may
have been happy to accept, the SSL negotiation would be failed. However,
changing the code to allow the SSL connection when a user returned True
for OnVerifyPeer would have meant that existing code which depended on
automatic rejection of invalid certificates would then be accepting
invalid certificates, which would have been an unacceptable security
change.
Consequently, OnVerifyPeer was changed to deliberately break existing code
by adding an AOk parameter. To preserve the previous functionality, your
OnVerifyPeer event should do "Result := AOk;". If you wish to consider
accepting certificates that the SSL library has considered invalid, then
in your OnVerifyPeer, make sure you satisfy yourself that the certificate
really is valid and then set Result to True. In reality, in addition to
checking AOk, you should always implement code that ensures you are only
accepting certificates which are valid (at least from your point of view).
Ciaran Costelloe, ccostelloe@flogas.ie
}
{
RLebeau 1/12/2011: Breaking OnVerifyPeer event again, this time to add an
additional AError parameter (patch courtesy of "jvlad", dmda@yandex.ru).
This helps user code distinquish between Self-signed and invalid certificates.
}
interface
{$I IdCompilerDefines.inc}
{$IFNDEF USE_OPENSSL}
{$message error Should not compile if USE_OPENSSL is not defined!!!}
{$ENDIF}
{$TYPEDADDRESS OFF}
uses
//facilitate inlining only.
{$IFDEF WINDOWS}
Windows,
{$ENDIF}
Classes,
IdBuffer,
IdCTypes,
IdGlobal,
IdException,
IdStackConsts,
IdSocketHandle,
IdSSLOpenSSLHeaders,
IdComponent,
IdIOHandler,
IdGlobalProtocols,
IdTCPServer,
IdThread,
IdTCPConnection,
IdIntercept,
IdIOHandlerSocket,
IdSSL,
IdSocks,
IdScheduler,
IdYarn;
type
TIdSSLVersion = (sslvSSLv2, sslvSSLv23, sslvSSLv3, sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2);
TIdSSLVersions = set of TIdSSLVersion;
TIdSSLMode = (sslmUnassigned, sslmClient, sslmServer, sslmBoth);
TIdSSLVerifyMode = (sslvrfPeer, sslvrfFailIfNoPeerCert, sslvrfClientOnce);
TIdSSLVerifyModeSet = set of TIdSSLVerifyMode;
TIdSSLCtxMode = (sslCtxClient, sslCtxServer);
TIdSSLAction = (sslRead, sslWrite);
const
DEF_SSLVERSION = sslvTLSv1;
DEF_SSLVERSIONS = [sslvTLSv1];
P12_FILETYPE = 3;
MAX_SSL_PASSWORD_LENGTH = 128;
type
TIdSSLULong = packed record
case Byte of
0: (B1, B2, B3, B4: UInt8);
1: (W1, W2: UInt16);
2: (L1: Int32);
3: (C1: UInt32);
end;
TIdSSLEVP_MD = record
Length: TIdC_UINT;
MD: Array [0 .. EVP_MAX_MD_SIZE - 1] of TIdAnsiChar;
end;
TIdSSLByteArray = record
Length: TIdC_UINT;
Data: PByte;
end;
TIdX509 = class;
TIdSSLIOHandlerSocketOpenSSL = class;
TIdSSLCipher = class;
TCallbackEvent = procedure(const AMsg: String) of object;
TCallbackExEvent = procedure(ASender : TObject; const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AType, AMsg : String ) of object;
TPasswordEvent = procedure(var Password: String) of object;
TPasswordEventEx = procedure( ASender : TObject; var VPassword: String; const AIsWrite : Boolean) of object;
TVerifyPeerEvent = function(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean of object;
TIOHandlerNotify = procedure(ASender: TIdSSLIOHandlerSocketOpenSSL) of object;
TIdSSLOptions = class(TPersistent)
protected
fsRootCertFile,
fsCertFile,
fsKeyFile,
fsDHParamsFile: String;
fMethod: TIdSSLVersion;
fSSLVersions : TIdSSLVersions;
fMode: TIdSSLMode;
fVerifyDepth: Integer;
fVerifyMode: TIdSSLVerifyModeSet;
//fVerifyFile,
fVerifyDirs: String;
fCipherList: String;
procedure AssignTo(Destination: TPersistent); override;
procedure SetSSLVersions(const AValue : TIdSSLVersions);
procedure SetMethod(const AValue : TIdSSLVersion);
public
constructor Create;
// procedure Assign(ASource: TPersistent); override;
published
property RootCertFile: String read fsRootCertFile write fsRootCertFile;
property CertFile: String read fsCertFile write fsCertFile;
property KeyFile: String read fsKeyFile write fsKeyFile;
property DHParamsFile: String read fsDHParamsFile write fsDHParamsFile;
property Method: TIdSSLVersion read fMethod write SetMethod default DEF_SSLVERSION;
property SSLVersions : TIdSSLVersions read fSSLVersions write SetSSLVersions default DEF_SSLVERSIONS;
property Mode: TIdSSLMode read fMode write fMode;
property VerifyMode: TIdSSLVerifyModeSet read fVerifyMode write fVerifyMode;
property VerifyDepth: Integer read fVerifyDepth write fVerifyDepth;
// property VerifyFile: String read fVerifyFile write fVerifyFile;
property VerifyDirs: String read fVerifyDirs write fVerifyDirs;
property CipherList: String read fCipherList write fCipherList;
end;
TIdSSLContext = class(TObject)
protected
fMethod: TIdSSLVersion;
fSSLVersions : TIdSSLVersions;
fMode: TIdSSLMode;
fsRootCertFile, fsCertFile, fsKeyFile, fsDHParamsFile: String;
fVerifyDepth: Integer;
fVerifyMode: TIdSSLVerifyModeSet;
// fVerifyFile: String;
fVerifyDirs: String;
fCipherList: String;
fContext: PSSL_CTX;
fStatusInfoOn: Boolean;
// fPasswordRoutineOn: Boolean;
fVerifyOn: Boolean;
fSessionId: Integer;
fCtxMode: TIdSSLCtxMode;
procedure DestroyContext;
function SetSSLMethod: PSSL_METHOD;
procedure SetVerifyMode(Mode: TIdSSLVerifyModeSet; CheckRoutine: Boolean);
function GetVerifyMode: TIdSSLVerifyModeSet;
procedure InitContext(CtxMode: TIdSSLCtxMode);
public
Parent: TObject;
constructor Create;
destructor Destroy; override;
function Clone : TIdSSLContext;
function LoadRootCert: Boolean;
function LoadCert: Boolean;
function LoadKey: Boolean;
function LoadDHParams: Boolean;
property StatusInfoOn: Boolean read fStatusInfoOn write fStatusInfoOn;
// property PasswordRoutineOn: Boolean read fPasswordRoutineOn write fPasswordRoutineOn;
property VerifyOn: Boolean read fVerifyOn write fVerifyOn;
//THese can't be published in a TObject without a compiler warning.
// published
property SSLVersions : TIdSSLVersions read fSSLVersions write fSSLVersions;
property Method: TIdSSLVersion read fMethod write fMethod;
property Mode: TIdSSLMode read fMode write fMode;
property RootCertFile: String read fsRootCertFile write fsRootCertFile;
property CertFile: String read fsCertFile write fsCertFile;
property CipherList: String read fCipherList write fCipherList;
property KeyFile: String read fsKeyFile write fsKeyFile;
property DHParamsFile: String read fsDHParamsFile write fsDHParamsFile;
// property VerifyMode: TIdSSLVerifyModeSet read GetVerifyMode write SetVerifyMode;
// property VerifyFile: String read fVerifyFile write fVerifyFile;
property VerifyDirs: String read fVerifyDirs write fVerifyDirs;
property VerifyMode: TIdSSLVerifyModeSet read fVerifyMode write fVerifyMode;
property VerifyDepth: Integer read fVerifyDepth write fVerifyDepth;
end;
TIdSSLSocket = class(TObject)
protected
fParent: TObject;
fPeerCert: TIdX509;
fSSL: PSSL;
fSSLCipher: TIdSSLCipher;
fSSLContext: TIdSSLContext;
function GetPeerCert: TIdX509;
function GetSSLError(retCode: Integer): Integer;
function GetSSLCipher: TIdSSLCipher;
public
constructor Create(Parent: TObject);
destructor Destroy; override;
procedure Accept(const pHandle: TIdStackSocketHandle);
procedure Connect(const pHandle: TIdStackSocketHandle);
function Send(const ABuffer : TIdBytes; AOffset, ALength: Integer): Integer;
function Recv(var ABuffer : TIdBytes): Integer;
function GetSessionID: TIdSSLByteArray;
function GetSessionIDAsString:String;
procedure SetCipherList(CipherList: String);
//
property PeerCert: TIdX509 read GetPeerCert;
property Cipher: TIdSSLCipher read GetSSLCipher;
end;
// TIdSSLIOHandlerSocketOpenSSL and TIdServerIOHandlerSSLOpenSSL have some common
// functions, but they do not have a common ancestor, so this interface helps
// bridge the gap...
IIdSSLOpenSSLCallbackHelper = interface(IInterface)
['{583F1209-10BA-4E06-8810-155FAEC415FE}']
function GetPassword(const AIsWrite : Boolean): string;
procedure StatusInfo(const ASSL: PSSL; AWhere, ARet: TIdC_INT; const AStatusStr: string);
function VerifyPeer(ACertificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
function GetIOHandlerSelf: TIdSSLIOHandlerSocketOpenSSL;
end;
TIdSSLIOHandlerSocketOpenSSL = class(TIdSSLIOHandlerSocketBase, IIdSSLOpenSSLCallbackHelper)
protected
fSSLContext: TIdSSLContext;
fxSSLOptions: TIdSSLOptions;
fSSLSocket: TIdSSLSocket;
//fPeerCert: TIdX509;
fOnStatusInfo: TCallbackEvent;
FOnStatusInfoEx : TCallbackExEvent;
fOnGetPassword: TPasswordEvent;
fOnGetPasswordEx : TPasswordEventEx;
fOnVerifyPeer: TVerifyPeerEvent;
fSSLLayerClosed: Boolean;
fOnBeforeConnect: TIOHandlerNotify;
// function GetPeerCert: TIdX509;
//procedure CreateSSLContext(axMode: TIdSSLMode);
//
procedure SetPassThrough(const Value: Boolean); override;
procedure DoBeforeConnect(ASender: TIdSSLIOHandlerSocketOpenSSL); virtual;
procedure DoStatusInfo(const AMsg: String); virtual;
procedure DoStatusInfoEx(const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AWhereStr, ARetStr : String );
procedure DoGetPassword(var Password: String); virtual;
procedure DoGetPasswordEx(var VPassword: String; const AIsWrite : Boolean); virtual;
function DoVerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean; virtual;
function RecvEnc(var VBuffer: TIdBytes): Integer; override;
function SendEnc(const ABuffer: TIdBytes; const AOffset, ALength: Integer): Integer; override;
procedure Init;
procedure OpenEncodedConnection; virtual;
//some overrides from base classes
procedure InitComponent; override;
procedure ConnectClient; override;
function CheckForError(ALastResult: Integer): Integer; override;
procedure RaiseError(AError: Integer); override;
{ IIdSSLOpenSSLCallbackHelper }
function GetPassword(const AIsWrite : Boolean): string;
procedure StatusInfo(const ASslSocket: PSSL; AWhere, ARet: TIdC_INT; const AStatusStr: string);
function VerifyPeer(ACertificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
function GetIOHandlerSelf: TIdSSLIOHandlerSocketOpenSSL;
public
destructor Destroy; override;
function Clone : TIdSSLIOHandlerSocketBase; override;
procedure StartSSL; override;
procedure AfterAccept; override;
procedure Close; override;
procedure Open; override;
function Readable(AMSec: Integer = IdTimeoutDefault): Boolean; override;
property SSLSocket: TIdSSLSocket read fSSLSocket write fSSLSocket;
property OnBeforeConnect: TIOHandlerNotify read fOnBeforeConnect write fOnBeforeConnect;
property SSLContext: TIdSSLContext read fSSLContext write fSSLContext;
published
property SSLOptions: TIdSSLOptions read fxSSLOptions write fxSSLOptions;
property OnStatusInfo: TCallbackEvent read fOnStatusInfo write fOnStatusInfo;
property OnStatusInfoEx: TCallbackExEvent read fOnStatusInfoEx write fOnStatusInfoEx;
property OnGetPassword: TPasswordEvent read fOnGetPassword write fOnGetPassword;
property OnGetPasswordEx : TPasswordEventEx read fOnGetPasswordEx write fOnGetPasswordEx;
property OnVerifyPeer: TVerifyPeerEvent read fOnVerifyPeer write fOnVerifyPeer;
end;
TIdServerIOHandlerSSLOpenSSL = class(TIdServerIOHandlerSSLBase, IIdSSLOpenSSLCallbackHelper)
protected
fxSSLOptions: TIdSSLOptions;
fSSLContext: TIdSSLContext;
fOnStatusInfo: TCallbackEvent;
FOnStatusInfoEx : TCallbackExEvent;
fOnGetPassword: TPasswordEvent;
fOnGetPasswordEx : TPasswordEventEx;
fOnVerifyPeer: TVerifyPeerEvent;
//
//procedure CreateSSLContext(axMode: TIdSSLMode);
//procedure CreateSSLContext;
//
procedure DoStatusInfo(const AMsg: String); virtual;
procedure DoStatusInfoEx(const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AWhereStr, ARetStr : String );
procedure DoGetPassword(var Password: String); virtual;
//TPasswordEventEx
procedure DoGetPasswordEx(var VPassword: String; const AIsWrite : Boolean); virtual;
function DoVerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean; virtual;
procedure InitComponent; override;
{ IIdSSLOpenSSLCallbackHelper }
function GetPassword(const AIsWrite : Boolean): string;
procedure StatusInfo(const ASslSocket: PSSL; AWhere, ARet: TIdC_INT; const AStatusStr: string);
function VerifyPeer(ACertificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
function GetIOHandlerSelf: TIdSSLIOHandlerSocketOpenSSL;
public
procedure Init; override;
procedure Shutdown; override;
// AListenerThread is a thread and not a yarn. Its the listener thread.
function Accept(ASocket: TIdSocketHandle; AListenerThread: TIdThread;
AYarn: TIdYarn): TIdIOHandler; override;
// function Accept(ASocket: TIdSocketHandle; AThread: TIdThread) : TIdIOHandler; override;
destructor Destroy; override;
function MakeClientIOHandler : TIdSSLIOHandlerSocketBase; override;
//
function MakeFTPSvrPort : TIdSSLIOHandlerSocketBase; override;
function MakeFTPSvrPasv : TIdSSLIOHandlerSocketBase; override;
//
property SSLContext: TIdSSLContext read fSSLContext;
published
property SSLOptions: TIdSSLOptions read fxSSLOptions write fxSSLOptions;
property OnStatusInfo: TCallbackEvent read fOnStatusInfo write fOnStatusInfo;
property OnStatusInfoEx: TCallbackExEvent read fOnStatusInfoEx write fOnStatusInfoEx;
property OnGetPassword: TPasswordEvent read fOnGetPassword write fOnGetPassword;
property OnGetPasswordEx : TPasswordEventEx read fOnGetPasswordEx write fOnGetPasswordEx;
property OnVerifyPeer: TVerifyPeerEvent read fOnVerifyPeer write fOnVerifyPeer;
end;
TIdX509Name = class(TObject)
protected
fX509Name: PX509_NAME;
function CertInOneLine: String;
function GetHash: TIdSSLULong;
function GetHashAsString: String;
public
constructor Create(aX509Name: PX509_NAME);
//
property Hash: TIdSSLULong read GetHash;
property HashAsString: string read GetHashAsString;
property OneLine: string read CertInOneLine;
end;
TIdX509Info = class(TObject)
protected
//Do not free this here because it belongs
//to the X509 or something else.
FX509 : PX509;
public
constructor Create( aX509: PX509);
end;
TIdX509Fingerprints = class(TIdX509Info)
protected
function GetMD5: TIdSSLEVP_MD;
function GetMD5AsString:String;
function GetSHA1: TIdSSLEVP_MD;
function GetSHA1AsString:String;
function GetSHA224 : TIdSSLEVP_MD;
function GetSHA224AsString : String;
function GetSHA256 : TIdSSLEVP_MD;
function GetSHA256AsString : String;
function GetSHA384 : TIdSSLEVP_MD;
function GetSHA384AsString : String;
function GetSHA512 : TIdSSLEVP_MD;
function GetSHA512AsString : String;
public
property MD5 : TIdSSLEVP_MD read GetMD5;
property MD5AsString : String read GetMD5AsString;
{IMPORTANT!!!
FIPS approves only these algorithms for hashing.
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
http://csrc.nist.gov/CryptoToolkit/tkhash.html
}
property SHA1 : TIdSSLEVP_MD read GetSHA1;
property SHA1AsString : String read GetSHA1AsString;
property SHA224 : TIdSSLEVP_MD read GetSHA224;
property SHA224AsString : String read GetSHA224AsString;
property SHA256 : TIdSSLEVP_MD read GetSHA256;
property SHA256AsString : String read GetSHA256AsString;
property SHA384 : TIdSSLEVP_MD read GetSHA384;
property SHA384AsString : String read GetSHA384AsString;
property SHA512 : TIdSSLEVP_MD read GetSHA512;
property SHA512AsString : String read GetSHA512AsString;
end;
TIdX509SigInfo = class(TIdX509Info)
protected
function GetSignature : String;
function GetSigType : TIdC_INT;
function GetSigTypeAsString : String;
public
property Signature : String read GetSignature;
property SigType : TIdC_INT read GetSigType ;
property SigTypeAsString : String read GetSigTypeAsString;
end;
TIdX509 = class(TObject)
protected
FFingerprints : TIdX509Fingerprints;
FSigInfo : TIdX509SigInfo;
FCanFreeX509 : Boolean;
FX509 : PX509;
FSubject : TIdX509Name;
FIssuer : TIdX509Name;
FDisplayInfo : TStrings;
function RSubject:TIdX509Name;
function RIssuer:TIdX509Name;
function RnotBefore:TDateTime;
function RnotAfter:TDateTime;
function RFingerprint:TIdSSLEVP_MD;
function RFingerprintAsString:String;
function GetSerialNumber: String;
function GetVersion : TIdC_LONG;
function GetDisplayInfo : TStrings;
public
Constructor Create(aX509: PX509; aCanFreeX509: Boolean = True); virtual;
Destructor Destroy; override;
property Version : TIdC_LONG read GetVersion;
//
property SigInfo : TIdX509SigInfo read FSigInfo;
property Fingerprints : TIdX509Fingerprints read FFingerprints;
//
property Fingerprint: TIdSSLEVP_MD read RFingerprint;
property FingerprintAsString: String read RFingerprintAsString;
property Subject: TIdX509Name read RSubject;
property Issuer: TIdX509Name read RIssuer;
property notBefore: TDateTime read RnotBefore;
property notAfter: TDateTime read RnotAfter;
property SerialNumber : string read GetSerialNumber;
property DisplayInfo : TStrings read GetDisplayInfo;
end;
TIdSSLCipher = class(TObject)
protected
FSSLSocket: TIdSSLSocket;
function GetDescription: String;
function GetName: String;
function GetBits: Integer;
function GetVersion: String;
public
constructor Create(AOwner: TIdSSLSocket);
destructor Destroy; override;
//These can't be published without a compiler warning.
// published
property Description: String read GetDescription;
property Name: String read GetName;
property Bits: Integer read GetBits;
property Version: String read GetVersion;
end;
EIdOSSLCouldNotLoadSSLLibrary = class(EIdOpenSSLError);
EIdOSSLModeNotSet = class(EIdOpenSSLError);
EIdOSSLGetMethodError = class(EIdOpenSSLError);
EIdOSSLCreatingSessionError = class(EIdOpenSSLError);
EIdOSSLCreatingContextError = class(EIdOpenSSLAPICryptoError);
EIdOSSLLoadingRootCertError = class(EIdOpenSSLAPICryptoError);
EIdOSSLLoadingCertError = class(EIdOpenSSLAPICryptoError);
EIdOSSLLoadingKeyError = class(EIdOpenSSLAPICryptoError);
EIdOSSLLoadingDHParamsError = class(EIdOpenSSLAPICryptoError);
EIdOSSLSettingCipherError = class(EIdOpenSSLError);
EIdOSSLFDSetError = class(EIdOpenSSLAPISSLError);
EIdOSSLDataBindingError = class(EIdOpenSSLAPISSLError);
EIdOSSLAcceptError = class(EIdOpenSSLAPISSLError);
EIdOSSLConnectError = class(EIdOpenSSLAPISSLError);
function LoadOpenSSLLibrary: Boolean;
procedure UnLoadOpenSSLLibrary;
function OpenSSLVersion: string;
implementation
uses
{$IFDEF HAS_UNIT_Generics_Collections}
System.Generics.Collections,
{$ENDIF}
{$IFDEF USE_VCL_POSIX}
Posix.SysTime,
Posix.Time,
Posix.Unistd,
{$ENDIF}
IdFIPS,
IdResourceStringsCore,
IdResourceStringsProtocols,
IdResourceStringsOpenSSL,
IdStack,
IdStackBSDBase,
IdAntiFreezeBase,
IdExceptionCore,
IdResourceStrings,
IdThreadSafe,
SysUtils,
SyncObjs;
type
// TODO: TIdThreadSafeObjectList instead?
{$IFDEF HAS_GENERICS_TThreadList}
TIdCriticalSectionThreadList = TThreadList<TIdCriticalSection>;
TIdCriticalSectionList = TList<TIdCriticalSection>;
{$ELSE}
// TODO: flesh out to match TThreadList<TIdCriticalSection> and TList<TIdCriticalSection> on non-Generics compilers
TIdCriticalSectionThreadList = TThreadList;
TIdCriticalSectionList = TList;
{$ENDIF}
var
SSLIsLoaded: TIdThreadSafeBoolean = nil;
LockInfoCB: TIdCriticalSection = nil;
LockPassCB: TIdCriticalSection = nil;
LockVerifyCB: TIdCriticalSection = nil;
CallbackLockList: TIdCriticalSectionThreadList = nil;
procedure GetStateVars(const sslSocket: PSSL; AWhere, Aret: TIdC_INT; var VTypeStr, VMsg : String);
{$IFDEF USE_INLINE}inline;{$ENDIF}
begin
case AWhere of
SSL_CB_ALERT :
begin
VTypeStr := IndyFormat( RSOSSLAlert,[SSL_alert_type_string_long(Aret)]);
VMsg := String(SSL_alert_type_string_long(Aret));
end;
SSL_CB_READ_ALERT :
begin
VTypeStr := IndyFormat(RSOSSLReadAlert,[SSL_alert_type_string_long(Aret)]);
VMsg := String( SSL_alert_desc_string_long(Aret));
end;
SSL_CB_WRITE_ALERT :
begin
VTypeStr := IndyFormat(RSOSSLWriteAlert,[SSL_alert_type_string_long(Aret)]);
VMsg := String( SSL_alert_desc_string_long(Aret));
end;
SSL_CB_ACCEPT_LOOP :
begin
VTypeStr := RSOSSLAcceptLoop;
VMsg := String( SSL_state_string_long(sslSocket));
end;
SSL_CB_ACCEPT_EXIT :
begin
if ARet < 0 then begin
VTypeStr := RSOSSLAcceptError;
end else begin
if ARet = 0 then begin
VTypeStr := RSOSSLAcceptFailed;
end else begin
VTypeStr := RSOSSLAcceptExit;
end;
end;
VMsg := String( SSL_state_string_long(sslSocket) );
end;
SSL_CB_CONNECT_LOOP :
begin
VTypeStr := RSOSSLConnectLoop;
VMsg := String( SSL_state_string_long(sslSocket) );
end;
SSL_CB_CONNECT_EXIT :
begin
if ARet < 0 then begin
VTypeStr := RSOSSLConnectError;
end else begin
if ARet = 0 then begin
VTypeStr := RSOSSLConnectFailed
end else begin
VTypeStr := RSOSSLConnectExit;
end;
end;
VMsg := String( SSL_state_string_long(sslSocket) );
end;
SSL_CB_HANDSHAKE_START :
begin
VTypeStr := RSOSSLHandshakeStart;
VMsg := String( SSL_state_string_long(sslSocket) );
end;
SSL_CB_HANDSHAKE_DONE :
begin
VTypeStr := RSOSSLHandshakeDone;
VMsg := String( SSL_state_string_long(sslSocket) );
end;
end;
{var LW : TIdC_INT;
begin
VMsg := '';
LW := Awhere and (not SSL_ST_MASK);
if (LW and SSL_ST_CONNECT) > 0 then begin
VWhereStr := 'SSL_connect:';
end else begin
if (LW and SSL_ST_ACCEPT) > 0 then begin
VWhereStr := ' SSL_accept:';
end else begin
VWhereStr := ' undefined:';
end;
end;
// IdSslStateStringLong
if (Awhere and SSL_CB_LOOP) > 0 then begin
VMsg := IdSslStateStringLong(sslSocket);
end else begin
if (Awhere and SSL_CB_ALERT) > 0 then begin
if (Awhere and SSL_CB_READ > 0) then begin
VWhereStr := VWhereStr + ' read:'+ IdSslAlertTypeStringLong(Aret);
end else begin
VWhereStr := VWhereStr + 'write:'+ IdSslAlertTypeStringLong(Aret);
end;;
VMsg := IdSslAlertDescStringLong(Aret);
end else begin
if (Awhere and SSL_CB_EXIT) > 0 then begin
if ARet = 0 then begin
VWhereStr := VWhereStr +'failed';
VMsg := IdSslStateStringLong(sslSocket);
end else begin
if ARet < 0 then begin
VWhereStr := VWhereStr +'error';
VMsg := IdSslStateStringLong(sslSocket);
end;
end;
end;
end;
end; }
end;
function PasswordCallback(buf: PIdAnsiChar; size: TIdC_INT; rwflag: TIdC_INT; userdata: Pointer): TIdC_INT; cdecl;
{$IFDEF USE_MARSHALLED_PTRS}
type
TBytesPtr = ^TBytes;
{$ENDIF}
var
Password: String;
{$IFDEF STRING_IS_UNICODE}
LPassword: TIdBytes;
{$ENDIF}
IdSSLContext: TIdSSLContext;
LErr : Integer;
LHelper: IIdSSLOpenSSLCallbackHelper;
begin
//Preserve last eror just in case OpenSSL is using it and we do something that
//clobers it. CYA.
LErr := GStack.WSGetLastError;
try
LockPassCB.Enter;
try
Password := ''; {Do not Localize}
IdSSLContext := TIdSSLContext(userdata);
if Supports(IdSSLContext.Parent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then begin
Password := LHelper.GetPassword(rwflag > 0);
LHelper := nil;
end;
FillChar(buf^, size, 0);
{$IFDEF STRING_IS_UNICODE}
LPassword := IndyTextEncoding_OSDefault.GetBytes(Password);
if Length(LPassword) > 0 then begin
{$IFDEF USE_MARSHALLED_PTRS}
TMarshal.Copy(TBytesPtr(@LPassword)^, 0, TPtrWrapper.Create(buf), IndyMin(Length(LPassword), size));
{$ELSE}
Move(LPassword[0], buf^, IndyMin(Length(LPassword), size));
{$ENDIF}
end;
Result := Length(LPassword);
{$ELSE}
StrPLCopy(buf, Password, size);
Result := Length(Password);
{$ENDIF}
buf[size-1] := #0; // RLebeau: truncate the password if needed
finally
LockPassCB.Leave;
end;
finally
GStack.WSSetLastError(LErr);
end;
end;
procedure InfoCallback(const sslSocket: PSSL; where, ret: TIdC_INT); cdecl;
var
IdSSLSocket: TIdSSLSocket;
StatusStr : String;
LErr : Integer;
LHelper: IIdSSLOpenSSLCallbackHelper;
begin
{
You have to save the value of WSGetLastError as some Operating System API
function calls will reset that value and we can't know what a programmer will
do in this event. We need the value of WSGetLastError so we can report
an underlying socket error when the OpenSSL function returns.
JPM.
}
LErr := GStack.WSGetLastError;
try
LockInfoCB.Enter;
try
IdSSLSocket := TIdSSLSocket(SSL_get_app_data(sslSocket));
if Supports(IdSSLSocket.fParent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then begin
StatusStr := IndyFormat(RSOSSLStatusString, [String(SSL_state_string_long(sslSocket))]);
LHelper.StatusInfo(sslSocket, where, ret, StatusStr);
LHelper := nil;
end;
finally
LockInfoCB.Leave;
end;
finally
GStack.WSSetLastError(LErr);
end;
end;
function TranslateInternalVerifyToSSL(Mode: TIdSSLVerifyModeSet): Integer;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := SSL_VERIFY_NONE;
if sslvrfPeer in Mode then begin
Result := Result or SSL_VERIFY_PEER;
end;
if sslvrfFailIfNoPeerCert in Mode then begin
Result:= Result or SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
end;
if sslvrfClientOnce in Mode then begin
Result:= Result or SSL_VERIFY_CLIENT_ONCE;
end;
end;
function VerifyCallback(Ok: TIdC_INT; ctx: PX509_STORE_CTX): TIdC_INT; cdecl;
var
hcert: PX509;
Certificate: TIdX509;
hSSL: PSSL;
IdSSLSocket: TIdSSLSocket;
// str: String;
VerifiedOK: Boolean;
Depth: Integer;
Error: Integer;
LOk: Boolean;
LHelper: IIdSSLOpenSSLCallbackHelper;
begin
LockVerifyCB.Enter;
try
VerifiedOK := True;
try
hSSL := X509_STORE_CTX_get_app_data(ctx);
if hSSL = nil then begin
Result := Ok;
Exit;
end;
hcert := X509_STORE_CTX_get_current_cert(ctx);
Certificate := TIdX509.Create(hcert, False); // the certificate is owned by the store
try
IdSSLSocket := TIdSSLSocket(SSL_get_app_data(hSSL));
Error := X509_STORE_CTX_get_error(ctx);
Depth := X509_STORE_CTX_get_error_depth(ctx);
if not ((Ok > 0) and (IdSSLSocket.fSSLContext.VerifyDepth >= Depth)) then begin
Ok := 0;
{if Error = X509_V_OK then begin
Error := X509_V_ERR_CERT_CHAIN_TOO_LONG;
end;}
end;
LOk := False;
if Ok = 1 then begin
LOk := True;
end;
if Supports(IdSSLSocket.fParent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then begin
VerifiedOK := LHelper.VerifyPeer(Certificate, LOk, Depth, Error);
LHelper := nil;
end;
finally
FreeAndNil(Certificate);
end;
except
end;
//if VerifiedOK and (Ok > 0) then begin
if VerifiedOK {and (Ok > 0)} then begin
Result := 1;
end
else begin
Result := 0;
end;
// Result := Ok; // testing
finally
LockVerifyCB.Leave;
end;
end;
//////////////////////////////////////////////////////
// Utilities
//////////////////////////////////////////////////////
function IndySSL_load_client_CA_file(const AFileName: String) : PSTACK_OF_X509_NAME; forward;
function IndySSL_CTX_use_PrivateKey_file(ctx: PSSL_CTX; const AFileName: String;
AType: Integer): TIdC_INT; forward;
function IndySSL_CTX_use_certificate_file(ctx: PSSL_CTX; const AFileName: String;
AType: Integer): TIdC_INT; forward;
function IndySSL_CTX_use_certificate_chain_file(ctx :PSSL_CTX;
const AFileName: String) : TIdC_INT; forward;
function IndyX509_STORE_load_locations(ctx: PX509_STORE;
const AFileName, APathName: String): TIdC_INT; forward;
function IndySSL_CTX_load_verify_locations(ctx: PSSL_CTX;
const ACAFile, ACAPath: String): TIdC_INT; forward;
function IndySSL_CTX_use_DHparams_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT; forward;
// TODO
{
function d2i_DHparams_bio(bp: PBIO; x: PPointer): PDH; inline;
begin
Result := PDH(ASN1_d2i_bio(@DH_new, @d2i_DHparams, bp, x));
end;
}
// SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file() do not
// natively support PKCS12 certificates/keys, only PEM/ASN1, so load them
// manually...
function IndySSL_CTX_use_PrivateKey_file_PKCS12(ctx: PSSL_CTX; const AFileName: String): TIdC_INT;
var
LM: TMemoryStream;
B: PBIO;
LKey: PEVP_PKEY;
LCert: PX509;
P12: PPKCS12;
CertChain: PSTACK_OF_X509;
LPassword: array of TIdAnsiChar;
LPasswordPtr: PIdAnsiChar;
begin
Result := 0;
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
B := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(B) then begin
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
Exit;
end;
try
SetLength(LPassword, MAX_SSL_PASSWORD_LENGTH+1);
LPassword[MAX_SSL_PASSWORD_LENGTH] := TIdAnsiChar(0);
LPasswordPtr := PIdAnsiChar(LPassword);
if Assigned(ctx^.default_passwd_callback) then begin
ctx^.default_passwd_callback(LPasswordPtr, MAX_SSL_PASSWORD_LENGTH, 0, ctx^.default_passwd_callback_userdata);
// TODO: check return value for failure
end else begin
// TODO: call PEM_def_callback(), like PEM_read_bio_X509() does
// when default_passwd_callback is nil
end;
P12 := d2i_PKCS12_bio(B, nil);
if not Assigned(P12) then begin
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_PKCS12_LIB);
Exit;
end;
try
CertChain := nil;
if PKCS12_parse(P12, LPasswordPtr, LKey, LCert, @CertChain) <> 1 then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PKCS12_LIB);
Exit;
end;
try
Result := SSL_CTX_use_PrivateKey(ctx, LKey);
finally
sk_pop_free(CertChain, @X509_free);
X509_free(LCert);
EVP_PKEY_free(LKey);
end;
finally
PKCS12_free(P12);
end;
finally
BIO_free(B);
end;
finally
FreeAndNil(LM);
end;
end;
function IndySSL_CTX_use_certificate_file_PKCS12(ctx: PSSL_CTX; const AFileName: String): TIdC_INT;
var
LM: TMemoryStream;
B: PBIO;
LCert: PX509;
P12: PPKCS12;
PKey: PEVP_PKEY;
CertChain: PSTACK_OF_X509;
LPassword: array of TIdAnsiChar;
LPasswordPtr: PIdAnsiChar;
begin
Result := 0;
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
B := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(B) then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
Exit;
end;
try
SetLength(LPassword, MAX_SSL_PASSWORD_LENGTH+1);
LPassword[MAX_SSL_PASSWORD_LENGTH] := TIdAnsiChar(0);
LPasswordPtr := PIdAnsiChar(LPassword);
if Assigned(ctx^.default_passwd_callback) then begin
ctx^.default_passwd_callback(LPasswordPtr, MAX_SSL_PASSWORD_LENGTH, 0, ctx^.default_passwd_callback_userdata);
// TODO: check return value for failure
end else begin
// TODO: call PEM_def_callback(), like PEM_read_bio_X509() does
// when default_passwd_callback is nil
end;
P12 := d2i_PKCS12_bio(B, nil);
if not Assigned(P12) then
begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PKCS12_LIB);
Exit;
end;
try
CertChain := nil;
if PKCS12_parse(P12, LPasswordPtr, PKey, LCert, @CertChain) <> 1 then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PKCS12_LIB);
Exit;
end;
try
Result := SSL_CTX_use_certificate(ctx, LCert);
finally
sk_pop_free(CertChain, @X509_free);
X509_free(LCert);
EVP_PKEY_free(PKey);
end;
finally
PKCS12_free(P12);
end;
finally
BIO_free(B);
end;
finally
FreeAndNil(LM);
end;
end;
{
IMPORTANT!!!
OpenSSL can not handle Unicode file names at all. On Posix systems, UTF8 File
names can be used with OpenSSL. The Windows operating system does not accept
UTF8 file names at all so we have our own routines that will handle Unicode
filenames. Most of this section of code is based on code in the OpenSSL .DLL
which is copyrighted by the OpenSSL developers. Some of it is translated into
Pascal and made some modifications so that it will handle Unicode filenames.
}
{$IFDEF STRING_IS_UNICODE}
{$IFDEF WINDOWS}
function Indy_unicode_X509_load_cert_crl_file(ctx: PX509_LOOKUP; const AFileName: String;
const _type: TIdC_INT): TIdC_INT; forward;
function Indy_unicode_X509_load_cert_file(ctx: PX509_LOOKUP; const AFileName: String;
_type: TIdC_INT): TIdC_INT; forward;
{
This is for some file lookup definitions for a LOOKUP method that
uses Unicode filenames instead of ASCII or UTF8. It is not meant
to be portable at all.
}
function by_Indy_unicode_file_ctrl(ctx: PX509_LOOKUP; cmd: TIdC_INT;
const argc: PAnsiChar; argl: TIdC_LONG; out ret: PAnsiChar): TIdC_INT;
cdecl; forward;
const
Indy_x509_unicode_file_lookup: X509_LOOKUP_METHOD =
(
name: PAnsiChar('Load file into cache');
new_item: nil; // * new */
free: nil; // * free */
init: nil; // * init */
shutdown: nil; // * shutdown */
ctrl: by_Indy_unicode_file_ctrl; // * ctrl */
get_by_subject: nil; // * get_by_subject */
get_by_issuer_serial: nil; // * get_by_issuer_serial */
get_by_fingerprint: nil; // * get_by_fingerprint */
get_by_alias: nil // * get_by_alias */
);
function Indy_Unicode_X509_LOOKUP_file(): PX509_LOOKUP_METHOD cdecl;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := @Indy_x509_unicode_file_lookup;
end;
function by_Indy_unicode_file_ctrl(ctx: PX509_LOOKUP; cmd: TIdC_INT;
const argc: PAnsiChar; argl: TIdC_LONG; out ret: PAnsiChar): TIdC_INT; cdecl;
var
LOk: TIdC_INT;
LFileName: String;
begin
LOk := 0;
case cmd of
X509_L_FILE_LOAD:
begin
case argl of
X509_FILETYPE_DEFAULT:
begin
LFileName := GetEnvironmentVariable
(String(X509_get_default_cert_file_env));
if LFileName <> '' then begin
LOk := Ord(Indy_unicode_X509_load_cert_crl_file(ctx, LFileName,
X509_FILETYPE_PEM) <> 0);
end else begin
LOk := Ord(Indy_unicode_X509_load_cert_crl_file(ctx,
String(X509_get_default_cert_file), X509_FILETYPE_PEM) <> 0);
end;
if LOk = 0 then begin
X509err(X509_F_BY_FILE_CTRL, X509_R_LOADING_DEFAULTS);
end;
end;
X509_FILETYPE_PEM:
begin
// Note that typecasting an AnsiChar as a WideChar is normally a crazy
// thing to do. The thing is that the OpenSSL API is based on ASCII or
// UTF8, not Unicode and we are writing this just for Unicode filenames.
LFileName := PWideChar(argc);
LOk := Ord(Indy_unicode_X509_load_cert_crl_file(ctx, LFileName,
X509_FILETYPE_PEM) <> 0);
end;
else
LFileName := PWideChar(argc);
LOk := Ord(Indy_unicode_X509_load_cert_file(ctx, LFileName, TIdC_INT(argl)) <> 0);
end;
end;
end;
Result := LOk;
end;
function Indy_unicode_X509_load_cert_file(ctx: PX509_LOOKUP; const AFileName: String;
_type: TIdC_INT): TIdC_INT;
var
LM: TMemoryStream;
Lin: PBIO;
LX: PX509;
i, count: Integer;
begin
Result := 0;
count := 0;
Lin := nil;
if AFileName = '' then begin
Result := 1;
Exit;
end;
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
Lin := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(Lin) then begin
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB);
Exit;
end;
case _type of
X509_FILETYPE_PEM:
begin
repeat
LX := PEM_read_bio_X509_AUX(Lin, nil, nil, nil);
if not Assigned(LX) then begin
if ((ERR_GET_REASON(ERR_peek_last_error())
= PEM_R_NO_START_LINE) and (count > 0)) then begin
ERR_clear_error();
Break;
end else begin
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_PEM_LIB);
Exit;
end;
end;
i := X509_STORE_add_cert(ctx^.store_ctx, LX);
if i = 0 then begin
Exit;
end;
Inc(count);
X509_Free(LX);
until False;
Result := count;
end;
X509_FILETYPE_ASN1:
begin
LX := d2i_X509_bio(Lin, nil);
if not Assigned(LX) then begin
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_ASN1_LIB);
Exit;
end;
i := X509_STORE_add_cert(ctx^.store_ctx, LX);
if i = 0 then begin
Exit;
end;
Result := i;
end;
else
X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
Exit;
end;
finally
BIO_free(Lin);
FreeAndNil(LM);
end;
end;
function Indy_unicode_X509_load_cert_crl_file(ctx: PX509_LOOKUP; const AFileName: String;
const _type: TIdC_INT): TIdC_INT;
var
LM: TMemoryStream;
Linf: PSTACK_OF_X509_INFO;
Litmp: PX509_INFO;
Lin: PBIO;
i, count: Integer;
begin
Result := 0;
count := 0;
LM := nil;
Lin := nil;
if _type <> X509_FILETYPE_PEM then begin
Result := Indy_unicode_X509_load_cert_file(ctx, AFileName, _type);
Exit;
end;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
Lin := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(Lin) then begin
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB);
Exit;
end;
Linf := PEM_X509_INFO_read_bio(Lin, nil, nil, nil);
finally
BIO_free(Lin);
FreeAndNil(LM);
end;
if not Assigned(Linf) then begin
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB);
Exit;
end;
try
for i := 0 to sk_X509_INFO_num(Linf) - 1 do begin
Litmp := sk_X509_INFO_value(Linf, i);
if Assigned(Litmp^.x509) then begin
X509_STORE_add_cert(ctx^.store_ctx, Litmp^.x509);
Inc(count);
end;
if Assigned(Litmp^.crl) then begin
X509_STORE_add_crl(ctx^.store_ctx, Litmp^.crl);
Inc(count);
end;
end;
finally
sk_X509_INFO_pop_free(Linf, @X509_INFO_free);
end;
Result := count;
end;
procedure IndySSL_load_client_CA_file_err(var VRes: PSTACK_OF_X509_NAME);
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
if Assigned(VRes) then begin
sk_X509_NAME_pop_free(VRes, @X509_NAME_free);
VRes := nil;
end;
end;
function xname_cmp(const a, b: PPX509_NAME): TIdC_INT; cdecl;
begin
Result := X509_NAME_cmp(a^, b^);
end;
function IndySSL_load_client_CA_file(const AFileName: String): PSTACK_OF_X509_NAME;
var
LM: TMemoryStream;
LB: PBIO;
Lsk: PSTACK_OF_X509_NAME;
LX: PX509;
LXN, LXNDup: PX509_NAME;
Failed: Boolean;
begin
Result := nil;
Failed := False;
LX := nil;
Lsk := sk_X509_NAME_new(@xname_cmp);
if Assigned(Lsk) then begin
try
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
LB := BIO_new_mem_buf(LM.Memory, LM.Size);
if Assigned(LB) then begin
try
try
repeat
LX := PEM_read_bio_X509(LB, nil, nil, nil);
if LX = nil then begin
Break;
end;
if not Assigned(Result) then begin
Result := sk_X509_NAME_new_null;
if not Assigned(Result) then begin
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
Failed := True;
Exit;
end;
end;
LXN := X509_get_subject_name(LX);
if not Assigned(LXN) then begin
// error
IndySSL_load_client_CA_file_err(Result);
Failed := True;
Exit;
end;
// * check for duplicates */
LXNDup := X509_NAME_dup(LXN);
if not Assigned(LXNDup) then begin
// error
IndySSL_load_client_CA_file_err(Result);
Failed := True;
Exit;
end;
if (sk_X509_NAME_find(Lsk, LXNDup) >= 0) then begin
X509_NAME_free(LXNDup);
end else begin
sk_X509_NAME_push(Lsk, LXNDup);
sk_X509_NAME_push(Result, LXNDup);
end;
X509_free(LX);
LX := nil;
until False;
finally
if Assigned(LX) then begin
X509_free(LX);
end;
if Failed and Assigned(Result) then begin
sk_X509_NAME_pop_free(Result, @X509_NAME_free);
Result := nil;
end;
end;
finally
BIO_free(LB);
end;
end
else begin
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
end;
finally
FreeAndNil(LM);
end;
finally
sk_X509_NAME_free(Lsk);
end;
end
else begin
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
end;
if Assigned(Result) then begin
ERR_clear_error;
end;
end;
function IndySSL_CTX_use_PrivateKey_file(ctx: PSSL_CTX; const AFileName: String;
AType: Integer): TIdC_INT;
var
LM: TMemoryStream;
B: PBIO;
LKey: PEVP_PKEY;
j: TIdC_INT;
begin
Result := 0;
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
B := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(B) then begin
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
Exit;
end;
try
case AType of
SSL_FILETYPE_PEM:
begin
j := ERR_R_PEM_LIB;
LKey := PEM_read_bio_PrivateKey(B, nil,
ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
end;
SSL_FILETYPE_ASN1:
begin
j := ERR_R_ASN1_LIB;
LKey := d2i_PrivateKey_bio(B, nil);
end;
else
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
Exit;
end;
if not Assigned(LKey) then begin
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
Exit;
end;
Result := SSL_CTX_use_PrivateKey(ctx, LKey);
EVP_PKEY_free(LKey);
finally
BIO_free(B);
end;
finally
FreeAndNil(LM);
end;
end;
function IndySSL_CTX_use_certificate_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT;
var
LM: TMemoryStream;
B: PBIO;
LX: PX509;
j: TIdC_INT;
begin
Result := 0;
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
B := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(B) then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
Exit;
end;
try
case AType of
SSL_FILETYPE_ASN1:
begin
j := ERR_R_ASN1_LIB;
LX := d2i_X509_bio(B, nil);
end;
SSL_FILETYPE_PEM:
begin
j := ERR_R_PEM_LIB;
LX := PEM_read_bio_X509(B, nil, ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
end
else begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
Exit;
end;
end;
if not Assigned(LX) then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
Exit;
end;
Result := SSL_CTX_use_certificate(ctx, LX);
X509_free(LX);
finally
BIO_free(B);
end;
finally
FreeAndNil(LM);
end;
end;
function IndySSL_CTX_use_certificate_chain_file(ctx :PSSL_CTX;
const AFileName: String) : TIdC_INT;
var
LM: TMemoryStream;
B: PBIO;
LX: PX509;
ca :PX509;
r: TIdC_INT;
LErr :TIdC_ULONG;
begin
Result := 0;
ERR_clear_error(); //* clear error stack for
//* SSL_CTX_use_certificate() */
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
B := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(B) then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
Exit;
end;
try
LX := PEM_read_bio_X509_AUX(B, nil, ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
if (Lx = nil) then begin
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
end else begin
Result := SSL_CTX_use_certificate(ctx, Lx);
if (ERR_peek_error() <> 0) then begin
Result := 0; //* Key/certificate mismatch doesn't imply
//* ret==0 ... */
end;
if Result <> 0 then begin
SSL_CTX_clear_chain_certs(ctx);
repeat
ca := PEM_read_bio_X509(B, nil,
ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
if ca = nil then begin
break;
end;
r := SSL_CTX_add0_chain_cert(ctx, ca);
if (r = 0) then begin
X509_free(ca);
Result := 0;
break;
// goto end;
end;
//*
//* Note that we must not free r if it was successfully added to
//* the chain (while we must free the main certificate, since its
//* reference count is increased by SSL_CTX_use_certificate).
// */
until False;
if ca <> nil then begin
//* When the while loop ends, it's usually just EOF. */
LErr := ERR_peek_last_error();
if (ERR_GET_LIB(Lerr) = ERR_LIB_PEM)
and (ERR_GET_REASON(Lerr) = PEM_R_NO_START_LINE) then begin
ERR_clear_error();
end else begin
Result := 0; //* some real error */
end;
end;
end;
//err:
if LX <> nil then begin
X509_free(LX);
end;
end;
finally
BIO_free(B);
end;
finally
FreeAndNil(LM);
end;
end;
function IndyX509_STORE_load_locations(ctx: PX509_STORE;
const AFileName, APathName: String): TIdC_INT;
var
lookup: PX509_LOOKUP;
begin
Result := 0;
if AFileName <> '' then begin
lookup := X509_STORE_add_lookup(ctx, Indy_Unicode_X509_LOOKUP_file);
if not Assigned(lookup) then begin
Exit;
end;
if (X509_LOOKUP_load_file(lookup, PAnsiChar(Pointer(AFileName)),
X509_FILETYPE_PEM) <> 1) then begin
Exit;
end;
end;
if APathName <> '' then begin
{ TODO: Figure out how to do the hash dir lookup with Unicode. }
if (X509_STORE_load_locations(ctx, nil, PAnsiChar(AnsiString(APathName))) <> 1) then begin
Exit;
end;
end;
if (AFileName = '') and (APathName = '') then begin
Exit;
end;
Result := 1;
end;
function IndySSL_CTX_load_verify_locations(ctx: PSSL_CTX;
const ACAFile, ACAPath: String): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := IndyX509_STORE_load_locations(ctx^.cert_store, ACAFile, ACAPath);
end;
function IndySSL_CTX_use_DHparams_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT;
var
LM: TMemoryStream;
B: PBIO;
LDH: PDH;
j: Integer;
begin
Result := 0;
LM := nil;
try
LM := TMemoryStream.Create;
LM.LoadFromFile(AFileName);
except
// Surpress exception here since it's going to be called by the OpenSSL .DLL
// Follow the OpenSSL .DLL Error conventions.
SSLerr(SSL_F_SSL3_CTRL, ERR_R_SYS_LIB);
LM.Free;
Exit;
end;
try
B := BIO_new_mem_buf(LM.Memory, LM.Size);
if not Assigned(B) then begin
SSLerr(SSL_F_SSL3_CTRL, ERR_R_BUF_LIB);
Exit;
end;
try
case AType of
// TODO
{
SSL_FILETYPE_ASN1:
begin
j := ERR_R_ASN1_LIB;
LDH := d2i_DHparams_bio(B, nil);
end;
}
SSL_FILETYPE_PEM:
begin
j := ERR_R_DH_LIB;
LDH := PEM_read_bio_DHparams(B, nil, ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
end
else begin
SSLerr(SSL_F_SSL3_CTRL, SSL_R_BAD_SSL_FILETYPE);
Exit;
end;
end;
if not Assigned(LDH) then begin
SSLerr(SSL_F_SSL3_CTRL, j);
Exit;
end;
Result := SSL_CTX_set_tmp_dh(ctx, LDH);
DH_free(LDH);
finally
BIO_free(B);
end;
finally
FreeAndNil(LM);
end;
end;
{$ENDIF} // WINDOWS
{$IFDEF UNIX}
function IndySSL_load_client_CA_file(const AFileName: String) : PSTACK_OF_X509_NAME;
{$IFDEF USE_MARSHALLED_PTRS}
var
M: TMarshaller;
{$ENDIF}
begin
Result := SSL_load_client_CA_file(
{$IFDEF USE_MARSHALLED_PTRS}
M.AsUtf8(AFileName).ToPointer
{$ELSE}
PAnsiChar(UTF8String(AFileName))
{$ENDIF}
);
end;
function IndySSL_CTX_use_PrivateKey_file(ctx: PSSL_CTX; const AFileName: String;
AType: Integer): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
{$IFDEF USE_MARSHALLED_PTRS}
var
M: TMarshaller;
{$ENDIF}
begin
Result := SSL_CTX_use_PrivateKey_file(ctx,
{$IFDEF USE_MARSHALLED_PTRS}
M.AsUtf8(AFileName).ToPointer
{$ELSE}
PAnsiChar(UTF8String(AFileName))
{$ENDIF}
, AType);
end;
function IndySSL_CTX_use_certificate_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
{$IFDEF USE_MARSHALLED_PTRS}
var
M: TMarshaller;
{$ENDIF}
begin
Result := SSL_CTX_use_certificate_file(ctx,
{$IFDEF USE_MARSHALLED_PTRS}
M.AsUtf8(AFileName).ToPointer
{$ELSE}
PAnsiChar(UTF8String(AFileName))
{$ENDIF}
, AType);
end;
function IndySSL_CTX_use_certificate_chain_file(ctx :PSSL_CTX;
const AFileName: String) : TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
{$IFDEF USE_MARSHALLED_PTRS}
var
M: TMarshaller;
{$ENDIF}
begin
Result := SSL_CTX_use_certificate_chain_file(ctx,
{$IFDEF USE_MARSHALLED_PTRS}
M.AsUtf8(AFileName).ToPointer
{$ELSE}
PAnsiChar(UTF8String(AFileName))
{$ENDIF});
end;
function IndyX509_STORE_load_locations(ctx: PX509_STORE;
const AFileName, APathName: String): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
{$IFDEF USE_MARSHALLED_PTRS}
var
M: TMarshaller;
{$ENDIF}
begin
// RLebeau 4/18/2010: X509_STORE_load_locations() expects nil pointers
// for unused values, but casting a string directly to a PAnsiChar
// always produces a non-nil pointer, which causes X509_STORE_load_locations()
// to fail. Need to cast the string to an intermediate Pointer so the
// PAnsiChar cast is applied to the raw data and thus can be nil...
//
Result := X509_STORE_load_locations(ctx,
{$IFDEF USE_MARSHALLED_PTRS}
M.AsUtf8(AFileName).ToPointer,
M.AsUtf8(APathName).ToPointer
{$ELSE}
PAnsiChar(Pointer(UTF8String(AFileName))),
PAnsiChar(Pointer(UTF8String(APathName)))
{$ENDIF}
);
end;
function IndySSL_CTX_load_verify_locations(ctx: PSSL_CTX;
const ACAFile, ACAPath: String): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := IndyX509_STORE_load_locations(ctx^.cert_store, ACAFile, ACAPath);
end;
function IndySSL_CTX_use_DHparams_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT;
var
B: PBIO;
LDH: PDH;
j: Integer;
{$IFDEF USE_MARSHALLED_PTRS}
M: TMarshaller;
{$ENDIF}
begin
Result := 0;
B := BIO_new_file(
{$IFDEF USE_MARSHALLED_PTRS}
M.AsUtf8(AFileName).ToPointer
{$ELSE}
PAnsiChar(UTF8String(AFileName))
{$ENDIF}
, 'r');
if Assigned(B) then begin
try
case AType of
// TODO
{
SSL_FILETYPE_ASN1:
begin
j := ERR_R_ASN1_LIB;
LDH := d2i_DHparams_bio(B, nil);
end;
}
SSL_FILETYPE_PEM:
begin
j := ERR_R_DH_LIB;
LDH := PEM_read_bio_DHparams(B, nil, ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
end
else begin
SSLerr(SSL_F_SSL3_CTRL, SSL_R_BAD_SSL_FILETYPE);
Exit;
end;
end;
if not Assigned(LDH) then begin
SSLerr(SSL_F_SSL3_CTRL, j);
Exit;
end;
Result := SSL_CTX_set_tmp_dh(ctx, LDH);
DH_free(LDH);
finally
BIO_free(B);
end;
end;
end;
{$ENDIF} // UNIX
{$ELSE} // STRING_IS_UNICODE
function IndySSL_load_client_CA_file(const AFileName: String) : PSTACK_OF_X509_NAME;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := SSL_load_client_CA_file(PAnsiChar(AFileName));
end;
function IndySSL_CTX_use_PrivateKey_file(ctx: PSSL_CTX; const AFileName: String;
AType: Integer): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := SSL_CTX_use_PrivateKey_file(ctx, PAnsiChar(AFileName), AType);
end;
function IndySSL_CTX_use_certificate_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := SSL_CTX_use_certificate_file(ctx, PAnsiChar(AFileName), AType);
end;
function IndySSL_CTX_use_certificate_chain_file(ctx :PSSL_CTX;
const AFileName: String) : TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := SSL_CTX_use_certificate_chain_file(ctx, PAnsiChar(AFileName));
end;
function IndyX509_STORE_load_locations(ctx: PX509_STORE;
const AFileName, APathName: String): TIdC_INT;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
// RLebeau 4/18/2010: X509_STORE_load_locations() expects nil pointers
// for unused values, but casting a string directly to a PAnsiChar
// always produces a non-nil pointer, which causes X509_STORE_load_locations()
// to fail. Need to cast the string to an intermediate Pointer so the
// PAnsiChar cast is applied to the raw data and thus can be nil...
//
Result := X509_STORE_load_locations(ctx,
PAnsiChar(Pointer(AFileName)),
PAnsiChar(Pointer(APathName)));
end;
function IndySSL_CTX_load_verify_locations(ctx: PSSL_CTX;
const ACAFile, ACAPath: String): TIdC_INT;
begin
// RLebeau 4/18/2010: X509_STORE_load_locations() expects nil pointers
// for unused values, but casting a string directly to a PAnsiChar
// always produces a non-nil pointer, which causes X509_STORE_load_locations()
// to fail. Need to cast the string to an intermediate Pointer so the
// PAnsiChar cast is applied to the raw data and thus can be nil...
//
Result := SSL_CTX_load_verify_locations(ctx,
PAnsiChar(Pointer(ACAFile)),
PAnsiChar(Pointer(ACAPath)));
end;
function IndySSL_CTX_use_DHparams_file(ctx: PSSL_CTX;
const AFileName: String; AType: Integer): TIdC_INT;
var
B: PBIO;
LDH: PDH;
j: Integer;
begin
Result := 0;
B := BIO_new_file(PAnsiChar(AFileName), 'r');
if Assigned(B) then begin
try
case AType of
// TODO
{
SSL_FILETYPE_ASN1:
begin
j := ERR_R_ASN1_LIB;
LDH := d2i_DHparams_bio(B, nil);
end;
}
SSL_FILETYPE_PEM:
begin
j := ERR_R_DH_LIB;
LDH := PEM_read_bio_DHparams(B, nil, ctx^.default_passwd_callback,
ctx^.default_passwd_callback_userdata);
end
else begin
SSLerr(SSL_F_SSL3_CTRL, SSL_R_BAD_SSL_FILETYPE);
Exit;
end;
end;
if not Assigned(LDH) then begin
SSLerr(SSL_F_SSL3_CTRL, j);
Exit;
end;
Result := SSL_CTX_set_tmp_dh(ctx, LDH);
DH_free(LDH);
finally
BIO_free(B);
end;
end;
end;
{$ENDIF}
function AddMins(const DT: TDateTime; const Mins: Extended): TDateTime;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := DT + Mins / (60 * 24)
end;
function AddHrs(const DT: TDateTime; const Hrs: Extended): TDateTime;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := DT + Hrs / 24.0;
end;
function GetLocalTime(const DT: TDateTime): TDateTime;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := DT - TimeZoneBias { / (24 * 60) } ;
end;
{$IFDEF OPENSSL_SET_MEMORY_FUNCS}
function IdMalloc(num: UInt32): Pointer cdecl;
begin
Result := AllocMem(num);
end;
function IdRealloc(addr: Pointer; num: UInt32): Pointer cdecl;
begin
Result := addr;
ReallocMem(Result, num);
end;
procedure IdFree(addr: Pointer)cdecl;
begin
FreeMem(addr);
end;
procedure IdSslCryptoMallocInit;
// replaces the actual alloc routines
// this is useful if you are using a memory manager that can report on leaks
// at shutdown time.
var
r: Integer;
begin
r := CRYPTO_set_mem_functions(@IdMalloc, @IdRealloc, @IdFree);
Assert(r <> 0);
end;
{$ENDIF}
{$IFNDEF OPENSSL_NO_BIO}
procedure DumpCert(AOut: TStrings; AX509: PX509);
{$IFDEF USE_INLINE} inline; {$ENDIF}
var
LMem: PBIO;
LLen : TIdC_INT;
LBufPtr : Pointer;
begin
if Assigned(X509_print) then begin
LMem := BIO_new(BIO_s_mem);
try
X509_print(LMem, AX509);
LLen := BIO_get_mem_data( LMem, LBufPtr);
if (LLen > 0) and Assigned(LBufPtr) then begin
AOut.Text := IndyTextEncoding_UTF8.GetString(
{$IFNDEF VCL_6_OR_ABOVE}
// RLebeau: for some reason, Delphi 5 causes a "There is no overloaded
// version of 'GetString' that can be called with these arguments" compiler
// error if the PByte type-cast is used, even though GetString() actually
// expects a PByte as input. Must be a compiler bug, as it compiles fine
// in Delphi 6...
LBufPtr
{$ELSE}
PByte(LBufPtr)
{$ENDIF}
, LLen);
end;
finally
if Assigned(LMem) then begin
BIO_free(LMem);
end;
end;
end;
end;
{$ELSE}
procedure DumpCert(AOut: TStrings; AX509: PX509);
begin
end;
{$ENDIF}
{$IFNDEF WIN32_OR_WIN64}
procedure _threadid_func(id : PCRYPTO_THREADID) cdecl;
begin
if Assigned(CRYPTO_THREADID_set_numeric) then begin
CRYPTO_THREADID_set_numeric(id, TIdC_ULONG(CurrentThreadId));
end;
end;
function _GetThreadID: TIdC_ULONG; cdecl;
begin
// TODO: Verify how well this will work with fibers potentially running from
// thread to thread or many on the same thread.
Result := TIdC_ULONG(CurrentThreadId);
end;
{$ENDIF}
procedure SslLockingCallback(mode, n: TIdC_INT; Afile: PIdAnsiChar;
line: TIdC_INT)cdecl;
var
Lock: TIdCriticalSection;
LList: TIdCriticalSectionList;
begin
Assert(CallbackLockList <> nil);
Lock := nil;
LList := CallbackLockList.LockList;
try
if n < LList.Count then begin
Lock := {$IFDEF HAS_GENERICS_TList}LList.Items[n]{$ELSE}TIdCriticalSection(LList.Items[n]){$ENDIF};
end;
finally
CallbackLockList.UnlockList;
end;
Assert(Lock <> nil);
if (mode and CRYPTO_LOCK) = CRYPTO_LOCK then begin
Lock.Acquire;
end else begin
Lock.Release;
end;
end;
procedure PrepareOpenSSLLocking;
var
i, cnt: Integer;
Lock: TIdCriticalSection;
LList: TIdCriticalSectionList;
begin
LList := CallbackLockList.LockList;
try
cnt := _CRYPTO_num_locks;
for i := 0 to cnt - 1 do begin
Lock := TIdCriticalSection.Create;
try
LList.Add(Lock);
except
Lock.Free;
raise;
end;
end;
finally
CallbackLockList.UnlockList;
end;
end;
// Note that I define UCTTime as PASN1_STRING
function UTCTime2DateTime(UCTTime: PASN1_UTCTIME): TDateTime;
{$IFDEF USE_INLINE} inline; {$ENDIF}
var
year: Word;
month: Word;
day: Word;
hour: Word;
min: Word;
sec: Word;
tz_h: Integer;
tz_m: Integer;
begin
Result := 0;
if UTC_Time_Decode(UCTTime, year, month, day, hour, min, sec, tz_h,
tz_m) > 0 then begin
Result := EncodeDate(year, month, day) + EncodeTime(hour, min, sec, 0);
AddMins(Result, tz_m);
AddHrs(Result, tz_h);
Result := GetLocalTime(Result);
end;
end;
{
function RSACallback(sslSocket: PSSL; e: Integer; KeyLength: Integer):PRSA; cdecl;
const
RSA: PRSA = nil;
var
SSLSocket: TSSLWSocket;
IdSSLSocket: TIdSSLSocket;
begin
IdSSLSocket := TIdSSLSocket(IdSslGetAppData(sslSocket));
if Assigned(IdSSLSocket) then begin
IdSSLSocket.TriggerSSLRSACallback(KeyLength);
end;
Result := RSA_generate_key(KeyLength, RSA_F4, @RSAProgressCallback, ssl);
end;
}
function LogicalAnd(A, B: Integer): Boolean;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
Result := (A and B) = B;
end;
function BytesToHexString(APtr: Pointer; ALen: Integer): String;
{$IFDEF USE_INLINE} inline; {$ENDIF}
var
i: Integer;
LPtr: PByte;
begin
Result := '';
LPtr := PByte(APtr);
for i := 0 to (ALen - 1) do begin
if i <> 0 then begin
Result := Result + ':'; { Do not Localize }
end;
Result := Result + IndyFormat('%.2x', [LPtr^]);
Inc(LPtr);
end;
end;
function MDAsString(const AMD: TIdSSLEVP_MD): String;
{$IFDEF USE_INLINE} inline; {$ENDIF}
var
i: Integer;
begin
Result := '';
for i := 0 to AMD.Length - 1 do begin
if i <> 0 then begin
Result := Result + ':'; { Do not Localize }
end;
Result := Result + IndyFormat('%.2x', [Byte(AMD.MD[i])]);
{ do not localize }
end;
end;
function LoadOpenSSLLibrary: Boolean;
begin
Assert(SSLIsLoaded <> nil);
SSLIsLoaded.Lock;
try
if SSLIsLoaded.Value then begin
Result := True;
Exit;
end;
Result := IdSSLOpenSSLHeaders.Load;
if not Result then begin
Exit;
end;
{$IFDEF OPENSSL_SET_MEMORY_FUNCS}
// has to be done before anything that uses memory
IdSslCryptoMallocInit;
{$ENDIF}
// required eg to encrypt a private key when writing
OpenSSL_add_all_ciphers;
OpenSSL_add_all_digests;
InitializeRandom;
// IdSslRandScreen;
SSL_load_error_strings;
// Successful loading if true
Result := SSLeay_add_ssl_algorithms > 0;
if not Result then begin
Exit;
end;
// Create locking structures, we need them for callback routines
Assert(LockInfoCB = nil);
LockInfoCB := TIdCriticalSection.Create;
LockPassCB := TIdCriticalSection.Create;
LockVerifyCB := TIdCriticalSection.Create;
// Handle internal OpenSSL locking
CallbackLockList := TIdCriticalSectionThreadList.Create;
PrepareOpenSSLLocking;
CRYPTO_set_locking_callback(@SslLockingCallback);
{$IFNDEF WIN32_OR_WIN64}
if Assigned(CRYPTO_THREADID_set_callback) then begin
CRYPTO_THREADID_set_callback(@_threadid_func);
end else begin
CRYPTO_set_id_callback(@_GetThreadID);
end;
{$ENDIF}
SSLIsLoaded.Value := True;
Result := True;
finally
SSLIsLoaded.Unlock;
end;
end;
procedure UnLoadOpenSSLLibrary;
// allow the user to call unload directly?
// will then need to implement reference count
{$IFNDEF USE_OBJECT_ARC}
var
i: Integer;
LList: TIdCriticalSectionList;
{$ENDIF}
begin
// ssl was never loaded
if Assigned(CRYPTO_set_locking_callback) then begin
CRYPTO_set_locking_callback(nil);
end;
IdSSLOpenSSLHeaders.Unload;
FreeAndNil(LockInfoCB);
FreeAndNil(LockPassCB);
FreeAndNil(LockVerifyCB);
if Assigned(CallbackLockList) then begin
{$IFDEF USE_OBJECT_ARC}
CallbackLockList.Clear; // Items are auto-freed
{$ELSE}
LList := CallbackLockList.LockList;
begin
try
for i := 0 to LList.Count - 1 do begin
{$IFDEF HAS_GENERICS_TList}LList.Items[i]{$ELSE}TIdCriticalSection(LList.Items[i]){$ENDIF}.Free;
end;
LList.Clear;
finally
CallbackLockList.UnlockList;
end;
end;
{$ENDIF}
FreeAndNil(CallbackLockList);
end;
SSLIsLoaded.Value := False;
end;
function OpenSSLVersion: string;
begin
Result := '';
// RLebeau 9/7/2015: even if LoadOpenSSLLibrary() fails, _SSLeay_version()
// might have been loaded OK before the failure occured. LoadOpenSSLLibrary()
// does not unload ..
IdSSLOpenSSL.LoadOpenSSLLibrary;
if Assigned(_SSLeay_version) then
begin
Result := String(_SSLeay_version(SSLEAY_VERSION));
end;
end;
//////////////////////////////////////////////////////
// TIdSSLOptions
///////////////////////////////////////////////////////
constructor TIdSSLOptions.Create;
begin
inherited Create;
fMethod := DEF_SSLVERSION;
fSSLVersions := DEF_SSLVERSIONS;
end;
procedure TIdSSLOptions.SetMethod(const AValue: TIdSSLVersion);
begin
fMethod := AValue;
case AValue of
sslvSSLv2 : fSSLVersions := [sslvSSLv2];
sslvSSLv23 : fSSLVersions := [sslvSSLv2,sslvSSLv3,sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2];
sslvSSLv3 : fSSLVersions := [sslvSSLv3];
sslvTLSv1 : fSSLVersions := [sslvTLSv1];
sslvTLSv1_1 : fSSLVersions := [sslvTLSv1_1];
sslvTLSv1_2 : fSSLVersions := [sslvTLSv1_2];
end;
end;
procedure TIdSSLOptions.SetSSLVersions(const AValue: TIdSSLVersions);
begin
fSSLVersions := AValue;
if fSSLVersions = [sslvSSLv2] then begin
fMethod := sslvSSLv2;
end
else if fSSLVersions = [sslvSSLv3] then begin
fMethod := sslvSSLv3;
end
else if fSSLVersions = [sslvTLSv1] then begin
fMethod := sslvTLSv1;
end
else if fSSLVersions = [sslvTLSv1_1 ] then begin
fMethod := sslvTLSv1_1;
end
else if fSSLVersions = [sslvTLSv1_2 ] then begin
fMethod := sslvTLSv1_2;
end
else begin
fMethod := sslvSSLv23;
if sslvSSLv23 in fSSLVersions then begin
Exclude(fSSLVersions, sslvSSLv23);
if fSSLVersions = [] then begin
fSSLVersions := [sslvSSLv2,sslvSSLv3,sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2];
end;
end;
end;
end;
procedure TIdSSLOptions.AssignTo(Destination: TPersistent);
var
LDest: TIdSSLOptions;
begin
if Destination is TIdSSLOptions then begin
LDest := TIdSSLOptions(Destination);
LDest.RootCertFile := RootCertFile;
LDest.CertFile := CertFile;
LDest.KeyFile := KeyFile;
LDest.DHParamsFile := DHParamsFile;
LDest.Method := Method;
LDest.SSLVersions := SSLVersions;
LDest.Mode := Mode;
LDest.VerifyMode := VerifyMode;
LDest.VerifyDepth := VerifyDepth;
LDest.VerifyDirs := VerifyDirs;
LDest.CipherList := CipherList;
end else begin
inherited AssignTo(Destination);
end;
end;
///////////////////////////////////////////////////////
// TIdServerIOHandlerSSLOpenSSL
///////////////////////////////////////////////////////
{ TIdServerIOHandlerSSLOpenSSL }
procedure TIdServerIOHandlerSSLOpenSSL.InitComponent;
begin
inherited InitComponent;
fxSSLOptions := TIdSSLOptions.Create;
end;
destructor TIdServerIOHandlerSSLOpenSSL.Destroy;
begin
FreeAndNil(fxSSLOptions);
inherited Destroy;
end;
procedure TIdServerIOHandlerSSLOpenSSL.Init;
//see also TIdSSLIOHandlerSocketOpenSSL.Init
begin
//ensure Init isn't called twice
Assert(fSSLContext = nil);
fSSLContext := TIdSSLContext.Create;
fSSLContext.Parent := Self;
fSSLContext.RootCertFile := SSLOptions.RootCertFile;
fSSLContext.CertFile := SSLOptions.CertFile;
fSSLContext.KeyFile := SSLOptions.KeyFile;
fSSLContext.DHParamsFile := SSLOptions.DHParamsFile;
fSSLContext.fVerifyDepth := SSLOptions.fVerifyDepth;
fSSLContext.fVerifyMode := SSLOptions.fVerifyMode;
// fSSLContext.fVerifyFile := SSLOptions.fVerifyFile;
fSSLContext.fVerifyDirs := SSLOptions.fVerifyDirs;
fSSLContext.fCipherList := SSLOptions.fCipherList;
fSSLContext.VerifyOn := Assigned(fOnVerifyPeer);
fSSLContext.StatusInfoOn := Assigned(fOnStatusInfo) or Assigned(FOnStatusInfoEx);
//fSSLContext.PasswordRoutineOn := Assigned(fOnGetPassword);
fSSLContext.fMethod := SSLOptions.Method;
fSSLContext.fMode := SSLOptions.Mode;
fSSLContext.fSSLVersions := SSLOptions.SSLVersions;
fSSLContext.InitContext(sslCtxServer);
end;
function TIdServerIOHandlerSSLOpenSSL.Accept(ASocket: TIdSocketHandle;
// This is a thread and not a yarn. Its the listener thread.
AListenerThread: TIdThread; AYarn: TIdYarn ): TIdIOHandler;
var
LIO: TIdSSLIOHandlerSocketOpenSSL;
begin
Assert(ASocket<>nil);
Assert(fSSLContext<>nil);
LIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
try
LIO.PassThrough := True;
LIO.Open;
if LIO.Binding.Accept(ASocket.Handle) then begin
//we need to pass the SSLOptions for the socket from the server
FreeAndNil(LIO.fxSSLOptions);
LIO.IsPeer := True;
LIO.fxSSLOptions := fxSSLOptions;
LIO.fSSLSocket := TIdSSLSocket.Create(Self);
LIO.fSSLContext := fSSLContext;
end else begin
FreeAndNil(LIO);
end;
except
LIO.Free;
raise;
end;
Result := LIO;
end;
procedure TIdServerIOHandlerSSLOpenSSL.DoStatusInfo(const AMsg: String);
begin
if Assigned(fOnStatusInfo) then begin
fOnStatusInfo(AMsg);
end;
end;
procedure TIdServerIOHandlerSSLOpenSSL.DoStatusInfoEx(const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AWhereStr, ARetStr: String);
begin
if Assigned(FOnStatusInfoEx) then begin
FOnStatusInfoEx(Self,AsslSocket,AWhere,Aret,AWHereStr,ARetStr);
end;
end;
procedure TIdServerIOHandlerSSLOpenSSL.DoGetPassword(var Password: String);
begin
if Assigned(fOnGetPassword) then begin
fOnGetPassword(Password);
end;
end;
procedure TIdServerIOHandlerSSLOpenSSL.DoGetPasswordEx(
var VPassword: String; const AIsWrite: Boolean);
begin
if Assigned(fOnGetPasswordEx) then begin
fOnGetPasswordEx(Self,VPassword,AIsWrite);
end;
end;
function TIdServerIOHandlerSSLOpenSSL.DoVerifyPeer(Certificate: TIdX509;
AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
Result := True;
if Assigned(fOnVerifyPeer) then begin
Result := fOnVerifyPeer(Certificate, AOk, ADepth, AError);
end;
end;
function TIdServerIOHandlerSSLOpenSSL.MakeFTPSvrPort : TIdSSLIOHandlerSocketBase;
var
LIO : TIdSSLIOHandlerSocketOpenSSL;
begin
LIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
try
LIO.PassThrough := True;
LIO.OnGetPassword := DoGetPassword;
LIO.OnGetPasswordEx := OnGetPasswordEx;
//todo memleak here - setting IsPeer causes SSLOptions to not free
LIO.IsPeer := True;
LIO.SSLOptions.Assign(SSLOptions);
LIO.SSLOptions.Mode := sslmBoth;{doesn't really matter}
LIO.SSLContext := SSLContext;
except
LIO.Free;
raise;
end;
Result := LIO;
end;
procedure TIdServerIOHandlerSSLOpenSSL.Shutdown;
begin
FreeAndNil(fSSLContext);
inherited Shutdown;
end;
function TIdServerIOHandlerSSLOpenSSL.MakeFTPSvrPasv : TIdSSLIOHandlerSocketBase;
var
LIO : TIdSSLIOHandlerSocketOpenSSL;
begin
LIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
try
LIO.PassThrough := True;
LIO.OnGetPassword := DoGetPassword;
LIO.OnGetPasswordEx := OnGetPasswordEx;
//todo memleak here - setting IsPeer causes SSLOptions to not free
LIO.IsPeer := True;
LIO.SSLOptions.Assign(SSLOptions);
LIO.SSLOptions.Mode := sslmBoth;{or sslmServer}
LIO.SSLContext := nil;
except
LIO.Free;
raise;
end;
Result := LIO;
end;
{ IIdSSLOpenSSLCallbackHelper }
function TIdServerIOHandlerSSLOpenSSL.GetPassword(const AIsWrite : Boolean): string;
begin
DoGetPasswordEx(Result, AIsWrite);
if Result = '' then begin
DoGetPassword(Result);
end;
end;
procedure TIdServerIOHandlerSSLOpenSSL.StatusInfo(const ASslSocket: PSSL;
AWhere, ARet: TIdC_INT; const AStatusStr: string);
var
LType, LMsg: string;
begin
DoStatusInfo(AStatusStr);
if Assigned(fOnStatusInfoEx) then begin
GetStateVars(ASslSocket, AWhere, ARet, LType, LMsg);
DoStatusInfoEx(ASslSocket, AWhere, ARet, LType, LMsg);
end;
end;
function TIdServerIOHandlerSSLOpenSSL.VerifyPeer(ACertificate: TIdX509;
AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
Result := DoVerifyPeer(ACertificate, AOk, ADepth, AError);
end;
function TIdServerIOHandlerSSLOpenSSL.GetIOHandlerSelf: TIdSSLIOHandlerSocketOpenSSL;
begin
Result := nil;
end;
///////////////////////////////////////////////////////
// TIdSSLIOHandlerSocketOpenSSL
///////////////////////////////////////////////////////
function TIdServerIOHandlerSSLOpenSSL.MakeClientIOHandler: TIdSSLIOHandlerSocketBase;
var
LIO : TIdSSLIOHandlerSocketOpenSSL;
begin
LIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
try
LIO.PassThrough := True;
// LIO.SSLOptions.Free;
// LIO.SSLOptions := SSLOptions;
// LIO.SSLContext := SSLContext;
LIO.SSLOptions.Assign(SSLOptions);
// LIO.SSLContext := SSLContext;
LIO.SSLContext := nil;//SSLContext.Clone; // BGO: clone does not work, it must be either NIL, or SSLContext
LIO.OnGetPassword := DoGetPassword;
LIO.OnGetPasswordEx := OnGetPasswordEx;
except
LIO.Free;
raise;
end;
Result := LIO;
end;
{ TIdSSLIOHandlerSocketOpenSSL }
procedure TIdSSLIOHandlerSocketOpenSSL.InitComponent;
begin
inherited InitComponent;
IsPeer := False;
fxSSLOptions := TIdSSLOptions.Create;
fSSLLayerClosed := True;
fSSLContext := nil;
end;
destructor TIdSSLIOHandlerSocketOpenSSL.Destroy;
begin
FreeAndNil(fSSLSocket);
if not IsPeer then begin
//we do not destroy these in IsPeer equals true
//because these do not belong to us when we are in a server.
FreeAndNil(fSSLContext);
FreeAndNil(fxSSLOptions);
end;
inherited Destroy;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.ConnectClient;
var
LPassThrough: Boolean;
begin
// RLebeau 1/11/07: In case a proxy is being used, pass through
// any data from the base class unencrypted when setting up that
// connection. We should do this anyway since SSL hasn't been
// initialized yet!
LPassThrough := fPassThrough;
fPassThrough := True;
try
inherited ConnectClient;
finally
fPassThrough := LPassThrough;
end;
DoBeforeConnect(Self);
// CreateSSLContext(sslmClient);
// CreateSSLContext(SSLOptions.fMode);
StartSSL;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.StartSSL;
begin
try
Init;
except
on EIdOSSLCouldNotLoadSSLLibrary do begin
if not PassThrough then raise;
end;
end;
if not PassThrough then begin
OpenEncodedConnection;
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.Close;
begin
FreeAndNil(fSSLSocket);
if not IsPeer then begin
FreeAndNil(fSSLContext);
end;
inherited Close;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.Open;
begin
FOpened := False;
inherited Open;
end;
function TIdSSLIOHandlerSocketOpenSSL.Readable(AMSec: Integer = IdTimeoutDefault): Boolean;
begin
if not fPassThrough then
begin
Result := ssl_pending(fSSLSocket.fSSL) > 0;
if Result then Exit;
end;
Result := inherited Readable(AMSec);
end;
procedure TIdSSLIOHandlerSocketOpenSSL.SetPassThrough(const Value: Boolean);
begin
if fPassThrough <> Value then begin
if not Value then begin
if BindingAllocated then begin
if Assigned(fSSLContext) then begin
OpenEncodedConnection;
end else begin
raise EIdOSSLCouldNotLoadSSLLibrary.Create(RSOSSLCouldNotLoadSSLLibrary);
end;
end;
{$IFDEF WIN32_OR_WIN64}
// begin bug fix
end
else if BindingAllocated and IndyCheckWindowsVersion(6) then
begin
// disables Vista+ SSL_Read and SSL_Write timeout fix
Binding.SetSockOpt(Id_SOL_SOCKET, Id_SO_RCVTIMEO, 0);
Binding.SetSockOpt(Id_SOL_SOCKET, Id_SO_SNDTIMEO, 0);
// end bug fix
{$ENDIF}
end;
fPassThrough := Value;
end;
end;
function TIdSSLIOHandlerSocketOpenSSL.RecvEnc(var VBuffer: TIdBytes): Integer;
begin
Result := fSSLSocket.Recv(VBuffer);
end;
function TIdSSLIOHandlerSocketOpenSSL.SendEnc(const ABuffer: TIdBytes;
const AOffset, ALength: Integer): Integer;
begin
Result := fSSLSocket.Send(ABuffer, AOffset, ALength);
end;
procedure TIdSSLIOHandlerSocketOpenSSL.AfterAccept;
begin
try
inherited AfterAccept;
StartSSL;
except
Close;
raise;
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.Init;
//see also TIdServerIOHandlerSSLOpenSSL.Init
begin
if not Assigned(fSSLContext) then begin
fSSLContext := TIdSSLContext.Create;
fSSLContext.Parent := Self;
fSSLContext.RootCertFile := SSLOptions.RootCertFile;
fSSLContext.CertFile := SSLOptions.CertFile;
fSSLContext.KeyFile := SSLOptions.KeyFile;
fSSLContext.DHParamsFile := SSLOptions.DHParamsFile;
fSSLContext.fVerifyDepth := SSLOptions.fVerifyDepth;
fSSLContext.fVerifyMode := SSLOptions.fVerifyMode;
// fSSLContext.fVerifyFile := SSLOptions.fVerifyFile;
fSSLContext.fVerifyDirs := SSLOptions.fVerifyDirs;
fSSLContext.fCipherList := SSLOptions.fCipherList;
fSSLContext.VerifyOn := Assigned(fOnVerifyPeer);
fSSLContext.StatusInfoOn := Assigned(fOnStatusInfo) or Assigned(fOnStatusInfoEx);
//fSSLContext.PasswordRoutineOn := Assigned(fOnGetPassword);
fSSLContext.fMethod := SSLOptions.Method;
fSSLContext.fSSLVersions := SSLOptions.SSLVersions;
fSSLContext.fMode := SSLOptions.Mode;
fSSLContext.InitContext(sslCtxClient);
end;
end;
//}
procedure TIdSSLIOHandlerSocketOpenSSL.DoStatusInfo(const AMsg: String);
begin
if Assigned(fOnStatusInfo) then begin
fOnStatusInfo(AMsg);
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.DoStatusInfoEx(
const AsslSocket: PSSL; const AWhere, Aret: TIdC_INT; const AWhereStr,
ARetStr: String);
begin
if Assigned(FOnStatusInfoEx) then begin
FOnStatusInfoEx(Self,AsslSocket,AWhere,Aret,AWHereStr,ARetStr);
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.DoGetPassword(var Password: String);
begin
if Assigned(fOnGetPassword) then begin
fOnGetPassword(Password);
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.DoGetPasswordEx(var VPassword: String;
const AIsWrite: Boolean);
begin
if Assigned(fOnGetPasswordEx) then begin
fOnGetPasswordEx(Self,VPassword,AIsWrite);
end;
end;
function TIdSSLIOHandlerSocketOpenSSL.DoVerifyPeer(Certificate: TIdX509;
AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
Result := True;
if Assigned(fOnVerifyPeer) then begin
Result := fOnVerifyPeer(Certificate, AOk, ADepth, AError);
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.OpenEncodedConnection;
{$IFDEF WIN32_OR_WIN64}
var
LTimeout: Integer;
{$ENDIF}
begin
Assert(Binding<>nil);
if not Assigned(fSSLSocket) then begin
fSSLSocket := TIdSSLSocket.Create(Self);
end;
Assert(fSSLSocket.fSSLContext=nil);
fSSLSocket.fSSLContext := fSSLContext;
{$IFDEF WIN32_OR_WIN64}
// begin bug fix
if IndyCheckWindowsVersion(6) then
begin
// Note: Fix needed to allow SSL_Read and SSL_Write to timeout under
// Vista+ when connection is dropped
LTimeout := FReadTimeOut;
if LTimeout <= 0 then begin
LTimeout := 30000; // 30 seconds
end;
Binding.SetSockOpt(Id_SOL_SOCKET, Id_SO_RCVTIMEO, LTimeout);
Binding.SetSockOpt(Id_SOL_SOCKET, Id_SO_SNDTIMEO, LTimeout);
end;
// end bug fix
{$ENDIF}
// RLebeau 7/2/2015: do not rely on IsPeer to decide whether to call Connect()
// or Accept(). SSLContext.Mode controls whether a client or server method is
// used to handle the connection, so that same value should be used here as well.
// A user encountered a scenario where he needed to connect a TIdTCPClient to a
// TCP server on a hardware device, but run the client's SSLIOHandler as an SSL
// server because the device was initiating the SSL handshake as an SSL client.
// IsPeer was not designed to handle that scenario. Setting IsPeer to True
// allowed Accept() to be called here, but at the cost of causing memory leaks
// in TIdSSLIOHandlerSocketOpenSSL.Destroy() and TIdSSLIOHandlerSocketOpenSSL.Close()
// in client components! IsPeer is intended to be set to True only in server
// components...
case fSSLContext.Mode of
sslmClient: begin
fSSLSocket.Connect(Binding.Handle);
end;
sslmServer: begin
fSSLSocket.Accept(Binding.Handle);
end;
else
begin
// Mode must be sslmBoth, so just fall back to previous behavior for now,
// until we can figure out a better way to handle this scenario...
if IsPeer then begin
fSSLSocket.Accept(Binding.Handle);
end else begin
fSSLSocket.Connect(Binding.Handle);
end;
end;
end;
fPassThrough := False;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.DoBeforeConnect(ASender: TIdSSLIOHandlerSocketOpenSSL);
begin
if Assigned(OnBeforeConnect) then begin
OnBeforeConnect(Self);
end;
end;
function TIdSSLIOHandlerSocketOpenSSL.Clone: TIdSSLIOHandlerSocketBase;
var
LIO : TIdSSLIOHandlerSocketOpenSSL;
begin
LIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
try
LIO.SSLOptions.Assign( SSLOptions );
LIO.OnStatusInfo := DoStatusInfo;
LIO.OnGetPassword := DoGetPassword;
LIO.OnGetPasswordEx := OnGetPasswordEx;
LIO.OnVerifyPeer := DoVerifyPeer;
LIO.fSSLSocket := TIdSSLSocket.Create(Self);
except
LIO.Free;
raise;
end;
Result := LIO;
end;
function TIdSSLIOHandlerSocketOpenSSL.CheckForError(ALastResult: Integer): Integer;
//var
// err: Integer;
begin
if PassThrough then begin
Result := inherited CheckForError(ALastResult);
end else begin
Result := fSSLSocket.GetSSLError(ALastResult);
if Result = SSL_ERROR_NONE then begin
Result := 0;
Exit;
end;
if Result = SSL_ERROR_SYSCALL then begin
Result := inherited CheckForError(Integer(Id_SOCKET_ERROR));
Exit;
end;
EIdOpenSSLAPISSLError.RaiseExceptionCode(Result, ALastResult, '');
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.RaiseError(AError: Integer);
begin
if (PassThrough) or (AError = Id_WSAESHUTDOWN) or (AError = Id_WSAECONNABORTED) or (AError = Id_WSAECONNRESET) then begin
inherited RaiseError(AError);
end else begin
EIdOpenSSLAPISSLError.RaiseException(fSSLSocket.fSSL, AError, '');
end;
end;
{ IIdSSLOpenSSLCallbackHelper }
function TIdSSLIOHandlerSocketOpenSSL.GetPassword(const AIsWrite : Boolean): string;
begin
DoGetPasswordEx(Result, AIsWrite);
if Result = '' then begin
DoGetPassword(Result);
end;
end;
procedure TIdSSLIOHandlerSocketOpenSSL.StatusInfo(const ASslSocket: PSSL;
AWhere, ARet: TIdC_INT; const AStatusStr: string);
var
LType, LMsg: string;
begin
DoStatusInfo(AStatusStr);
if Assigned(fOnStatusInfoEx) then begin
GetStateVars(ASslSocket, AWhere, ARet, LType, LMsg);
DoStatusInfoEx(ASslSocket, AWhere, ARet, LType, LMsg);
end;
end;
function TIdSSLIOHandlerSocketOpenSSL.VerifyPeer(ACertificate: TIdX509;
AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
Result := DoVerifyPeer(ACertificate, AOk, ADepth, AError);
end;
function TIdSSLIOHandlerSocketOpenSSL.GetIOHandlerSelf: TIdSSLIOHandlerSocketOpenSSL;
begin
Result := Self;
end;
{ TIdSSLContext }
constructor TIdSSLContext.Create;
begin
inherited Create;
//an exception here probably means that you are using the wrong version
//of the openssl libraries. refer to comments at the top of this file.
if not LoadOpenSSLLibrary then begin
raise EIdOSSLCouldNotLoadSSLLibrary.Create(RSOSSLCouldNotLoadSSLLibrary);
end;
fVerifyMode := [];
fMode := sslmUnassigned;
fSessionId := 1;
end;
destructor TIdSSLContext.Destroy;
begin
DestroyContext;
inherited Destroy;
end;
procedure TIdSSLContext.DestroyContext;
begin
if fContext <> nil then begin
SSL_CTX_free(fContext);
fContext := nil;
end;
end;
procedure TIdSSLContext.InitContext(CtxMode: TIdSSLCtxMode);
var
SSLMethod: PSSL_METHOD;
error: TIdC_INT;
// pCAname: PSTACK_X509_NAME;
{$IFDEF USE_MARSHALLED_PTRS}
M: TMarshaller;
{$ENDIF}
begin
// Destroy the context first
DestroyContext;
if fMode = sslmUnassigned then begin
if CtxMode = sslCtxServer then begin
fMode := sslmServer;
end else begin
fMode := sslmClient;
end
end;
// get SSL method function (SSL2, SSL23, SSL3, TLS)
SSLMethod := SetSSLMethod;
// create new SSL context
fContext := SSL_CTX_new(SSLMethod);
if fContext = nil then begin
EIdOSSLCreatingContextError.RaiseException(RSSSLCreatingContextError);
end;
//set SSL Versions we will use
if not (sslvSSLv2 in SSLVersions) then begin
SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv2)
end;
if not (sslvTLSv1 in SSLVersions) then begin
SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1);
end;
if not (sslvSSLv3 in SSLVersions) then begin
SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv3);
end;
{IMPORTANT!!! Do not set SSL_CTX_set_options SSL_OP_NO_TLSv1_1 and
SSL_OP_NO_TLSv1_2 if that functionality is not available. OpenSSL 1.0 and
earlier do not support those flags. Those flags would only cause
an invalid MAC when doing SSL.}
if not (sslvTLSv1_1 in SSLVersions) then begin
if IsOpenSSL_TLSv1_1_Available then begin
SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_1);
end;
end;
if not (sslvTLSv1_2 in SSLVersions) then begin
if IsOpenSSL_TLSv1_2_Available then begin
SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_2);
end;
end;
SSL_CTX_set_mode(fContext, SSL_MODE_AUTO_RETRY);
// assign a password lookup routine
// if PasswordRoutineOn then begin
SSL_CTX_set_default_passwd_cb(fContext, @PasswordCallback);
SSL_CTX_set_default_passwd_cb_userdata(fContext, Self);
// end;
SSL_CTX_set_default_verify_paths(fContext);
// load key and certificate files
if (RootCertFile <> '') or (VerifyDirs <> '') then begin {Do not Localize}
if not LoadRootCert then begin
EIdOSSLLoadingRootCertError.RaiseException(RSSSLLoadingRootCertError);
end;
end;
if CertFile <> '' then begin {Do not Localize}
if not LoadCert then begin
EIdOSSLLoadingCertError.RaiseException(RSSSLLoadingCertError);
end;
end;
if KeyFile <> '' then begin {Do not Localize}
if not LoadKey then begin
EIdOSSLLoadingKeyError.RaiseException(RSSSLLoadingKeyError);
end;
end;
if DHParamsFile <> '' then begin {Do not Localize}
if not LoadDHParams then begin
EIdOSSLLoadingDHParamsError.RaiseException(RSSSLLoadingDHParamsError);
end;
end;
if StatusInfoOn then begin
SSL_CTX_set_info_callback(fContext, InfoCallback);
end;
//if_SSL_CTX_set_tmp_rsa_callback(hSSLContext, @RSACallback);
if fCipherList <> '' then begin {Do not Localize}
error := SSL_CTX_set_cipher_list(fContext,
{$IFDEF USE_MARSHALLED_PTRS}
M.AsAnsi(fCipherList).ToPointer
{$ELSE}
PAnsiChar(
{$IFDEF STRING_IS_ANSI}
fCipherList
{$ELSE}
AnsiString(fCipherList) // explicit cast to Ansi
{$ENDIF}
)
{$ENDIF}
);
end else begin
error := SSL_CTX_set_cipher_list(fContext,
{$IFDEF USE_MARSHALLED_PTRS}
M.AsAnsi(SSL_DEFAULT_CIPHER_LIST).ToPointer
{$ELSE}
SSL_DEFAULT_CIPHER_LIST
{$ENDIF}
);
end;
if error <= 0 then begin
// TODO: should this be using EIdOSSLSettingCipherError.RaiseException() instead?
raise EIdOSSLSettingCipherError.Create(RSSSLSettingCipherError);
end;
if fVerifyMode <> [] then begin
SetVerifyMode(fVerifyMode, VerifyOn);
end;
if CtxMode = sslCtxServer then begin
SSL_CTX_set_session_id_context(fContext, PByte(@fSessionId), SizeOf(fSessionId));
end;
// CA list
if RootCertFile <> '' then begin {Do not Localize}
SSL_CTX_set_client_CA_list(fContext, IndySSL_load_client_CA_file(RootCertFile));
end
end;
procedure TIdSSLContext.SetVerifyMode(Mode: TIdSSLVerifyModeSet; CheckRoutine: Boolean);
var
Func: TSSL_CTX_set_verify_callback;
begin
if fContext<>nil then begin
// SSL_CTX_set_default_verify_paths(fContext);
if CheckRoutine then begin
Func := VerifyCallback;
end else begin
Func := nil;
end;
SSL_CTX_set_verify(fContext, TranslateInternalVerifyToSSL(Mode), Func);
SSL_CTX_set_verify_depth(fContext, fVerifyDepth);
end;
end;
function TIdSSLContext.GetVerifyMode: TIdSSLVerifyModeSet;
begin
Result := fVerifyMode;
end;
{
function TIdSSLContext.LoadVerifyLocations(FileName: String; Dirs: String): Boolean;
begin
Result := False;
if (Dirs <> '') or (FileName <> '') then begin
if IndySSL_CTX_load_verify_locations(fContext, FileName, Dirs) <= 0 then begin
EIdOSSLCouldNotLoadSSLLibrary.RaiseException(RSOSSLCouldNotLoadSSLLibrary);
end;
end;
Result := True;
end;
}
function SelectTLS1Method(const AMode : TIdSSLMode) : PSSL_METHOD;
{$IFDEF USE_INLINE} inline; {$ENDIF}
begin
case AMode of
sslmServer : begin
if not Assigned(TLSv1_server_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := TLSv1_server_method;
end;
sslmClient : begin
if not Assigned(TLSv1_client_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := TLSv1_client_method;
end;
else
if not Assigned(TLSv1_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := TLSv1_method;
end;
end;
function TIdSSLContext.SetSSLMethod: PSSL_METHOD;
begin
if fMode = sslmUnassigned then begin
raise EIdOSSLModeNotSet.Create(RSOSSLModeNotSet);
end;
case fMethod of
sslvSSLv2:
case fMode of
sslmServer : begin
if not Assigned(SSLv2_server_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv2_server_method;
end;
sslmClient : begin
if not Assigned(SSLv2_client_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv2_client_method;
end;
else
if not Assigned(SSLv2_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv2_method;
end;
sslvSSLv23:
case fMode of
sslmServer : begin
if not Assigned(SSLv23_server_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv23_server_method;
end;
sslmClient : begin
if not Assigned(SSLv23_client_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv23_client_method;
end;
else
if not Assigned(SSLv23_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv23_method;
end;
sslvSSLv3:
case fMode of
sslmServer : begin
if not Assigned(SSLv3_server_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv3_server_method;
end;
sslmClient : begin
if not Assigned(SSLv3_client_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv3_client_method;
end;
else
if not Assigned(SSLv3_method) then begin
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
Result := SSLv3_method;
end;
{IMPORTANT!!! fallback to TLS 1.0 if TLS 1.1 or 1.2 is not available.
This is important because OpenSSL earlier than 1.0.1 does not support this
functionality.
Todo: Figure out a better fallback.
}
sslvTLSv1:
Result := SelectTLS1Method(fMode);
sslvTLSv1_1:
case fMode of
sslmServer : begin
if Assigned(TLSv1_1_server_method) then begin
Result := TLSv1_1_server_method;
end else begin
Result := SelectTLS1Method(fMode);
end;
end;
sslmClient : begin
if Assigned(TLSv1_1_client_method) then begin
Result := TLSv1_1_client_method;
end else begin
Result := SelectTLS1Method(fMode);
end;
end;
else
if Assigned(TLSv1_1_method) then begin
Result := TLSv1_1_method;
end else begin
Result := SelectTLS1Method(fMode);
end;
end;
sslvTLSv1_2:
case fMode of
sslmServer : begin
if Assigned(TLSv1_2_server_method) then begin
Result := TLSv1_2_server_method;
end else begin
Result := SelectTLS1Method(fMode);
end;
end;
sslmClient : begin
if Assigned(TLSv1_2_client_method) then begin
Result := TLSv1_2_client_method;
end else begin
Result := SelectTLS1Method(fMode);
end;
end;
else
if Assigned(TLSv1_2_method) then begin
Result := TLSv1_2_method;
end else begin
Result := SelectTLS1Method(fMode);
end;
end;
else
raise EIdOSSLGetMethodError.Create(RSSSLGetMethodError);
end;
end;
function TIdSSLContext.LoadRootCert: Boolean;
begin
Result := IndySSL_CTX_load_verify_locations(fContext, RootCertFile, VerifyDirs) > 0;
end;
function TIdSSLContext.LoadCert: Boolean;
begin
if PosInStrArray(ExtractFileExt(CertFile), ['.p12', '.pfx'], False) <> -1 then begin
Result := IndySSL_CTX_use_certificate_file_PKCS12(fContext, CertFile) > 0;
end else begin
//OpenSSL 1.0.2 has a new function, SSL_CTX_use_certificate_chain_file
//that handles a chain of certificates in a PEM file. That is prefered.
if Assigned(SSL_CTX_use_certificate_chain_file) then begin
Result := IndySSL_CTX_use_certificate_chain_file(fContext, CertFile) >0;
end else begin
Result := IndySSL_CTX_use_certificate_file(fContext, CertFile, SSL_FILETYPE_PEM) > 0;
end;
end;
end;
function TIdSSLContext.LoadKey: Boolean;
begin
if PosInStrArray(ExtractFileExt(KeyFile), ['.p12', '.pfx'], False) <> -1 then begin
Result := IndySSL_CTX_use_PrivateKey_file_PKCS12(fContext, KeyFile) > 0;
end else begin
Result := IndySSL_CTX_use_PrivateKey_file(fContext, KeyFile, SSL_FILETYPE_PEM) > 0;
end;
if Result then begin
Result := SSL_CTX_check_private_key(fContext) > 0;
end;
end;
function TIdSSLContext.LoadDHParams: Boolean;
begin
Result := IndySSL_CTX_use_DHparams_file(fContext, fsDHParamsFile, SSL_FILETYPE_PEM) > 0;
end;
//////////////////////////////////////////////////////////////
function TIdSSLContext.Clone: TIdSSLContext;
begin
Result := TIdSSLContext.Create;
Result.StatusInfoOn := StatusInfoOn;
// property PasswordRoutineOn: Boolean read fPasswordRoutineOn write fPasswordRoutineOn;
Result.VerifyOn := VerifyOn;
Result.Method := Method;
Result.SSLVersions := SSLVersions;
Result.Mode := Mode;
Result.RootCertFile := RootCertFile;
Result.CertFile := CertFile;
Result.KeyFile := KeyFile;
Result.VerifyMode := VerifyMode;
Result.VerifyDepth := VerifyDepth;
end;
{ TIdSSLSocket }
constructor TIdSSLSocket.Create(Parent: TObject);
begin
inherited Create;
fParent := Parent;
end;
destructor TIdSSLSocket.Destroy;
begin
if fSSL <> nil then begin
// TODO: should this be moved to TIdSSLContext instead? Is this here
// just to make sure the SSL shutdown does not log any messages?
if (fSSLContext <> nil) and (fSSLContext.StatusInfoOn) and
(fSSLContext.fContext <> nil) then begin
SSL_CTX_set_info_callback(fSSLContext.fContext, nil);
end;
//SSL_set_shutdown(fSSL, SSL_SENT_SHUTDOWN);
SSL_shutdown(fSSL);
SSL_free(fSSL);
fSSL := nil;
end;
FreeAndNil(fSSLCipher);
FreeAndNil(fPeerCert);
inherited Destroy;
end;
function TIdSSLSocket.GetSSLError(retCode: Integer): Integer;
begin
// COMMENT!!!
// I found out that SSL layer should not interpret errors, cause they will pop up
// on the socket layer. Only thing that the SSL layer should consider is key
// or protocol renegotiation. This is done by loop in read and write
Result := SSL_get_error(fSSL, retCode);
case Result of
SSL_ERROR_NONE:
Result := SSL_ERROR_NONE;
SSL_ERROR_WANT_WRITE:
Result := SSL_ERROR_WANT_WRITE;
SSL_ERROR_WANT_READ:
Result := SSL_ERROR_WANT_READ;
SSL_ERROR_ZERO_RETURN:
Result := SSL_ERROR_ZERO_RETURN;
//Result := SSL_ERROR_NONE;
{
// ssl layer has been disconnected, it is not necessary that also
// socked has been closed
case Mode of
sslemClient: begin
case Action of
sslWrite: begin
if retCode = 0 then begin
Result := 0;
end
else begin
raise EIdException.Create(RSOSSLConnectionDropped);
end;
end;
end;
end;}
//raise EIdException.Create(RSOSSLConnectionDropped);
// X509_LOOKUP event is not really an error, just an event
// SSL_ERROR_WANT_X509_LOOKUP:
// raise EIdException.Create(RSOSSLCertificateLookup);
SSL_ERROR_SYSCALL:
Result := SSL_ERROR_SYSCALL;
// Result := SSL_ERROR_NONE;
{//raise EIdException.Create(RSOSSLInternal);
if (retCode <> 0) or (DataLen <> 0) then begin
raise EIdException.Create(RSOSSLConnectionDropped);
end
else begin
Result := 0;
end;}
SSL_ERROR_SSL:
// raise EIdException.Create(RSOSSLInternal);
Result := SSL_ERROR_SSL;
// Result := SSL_ERROR_NONE;
end;
end;
procedure TIdSSLSocket.Accept(const pHandle: TIdStackSocketHandle);
//Accept and Connect have a lot of duplicated code
var
error: Integer;
StatusStr: String;
LParentIO: TIdSSLIOHandlerSocketOpenSSL;
LHelper: IIdSSLOpenSSLCallbackHelper;
begin
Assert(fSSL=nil);
Assert(fSSLContext<>nil);
fSSL := SSL_new(fSSLContext.fContext);
if fSSL = nil then begin
raise EIdOSSLCreatingSessionError.Create(RSSSLCreatingSessionError);
end;
error := SSL_set_app_data(fSSL, Self);
if error <= 0 then begin
EIdOSSLDataBindingError.RaiseException(fSSL, error, RSSSLDataBindingError);
end;
error := SSL_set_fd(fSSL, pHandle);
if error <= 0 then begin
EIdOSSLFDSetError.RaiseException(fSSL, error, RSSSLFDSetError);
end;
// RLebeau: if this socket's IOHandler was cloned, no need to reuse the
// original IOHandler's active session ID, since this is a server socket
// that generates its own sessions...
error := SSL_accept(fSSL);
if error <= 0 then begin
EIdOSSLAcceptError.RaiseException(fSSL, error, RSSSLAcceptError);
end;
if Supports(fParent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then begin
LParentIO := LHelper.GetIOHandlerSelf;
if LParentIO <> nil then begin
StatusStr := 'Cipher: name = ' + Cipher.Name + '; ' + {Do not Localize}
'description = ' + Cipher.Description + '; ' + {Do not Localize}
'bits = ' + IntToStr(Cipher.Bits) + '; ' + {Do not Localize}
'version = ' + Cipher.Version + '; '; {Do not Localize}
LParentIO.DoStatusInfo(StatusStr);
end;
LHelper := nil;
end;
end;
procedure TIdSSLSocket.Connect(const pHandle: TIdStackSocketHandle);
var
error: Integer;
StatusStr: String;
LParentIO: TIdSSLIOHandlerSocketOpenSSL;
LHelper: IIdSSLOpenSSLCallbackHelper;
begin
Assert(fSSL=nil);
Assert(fSSLContext<>nil);
if Supports(fParent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then begin
LParentIO := LHelper.GetIOHandlerSelf;
end else begin
LParentIO := nil;
end;
fSSL := SSL_new(fSSLContext.fContext);
if fSSL = nil then begin
raise EIdOSSLCreatingSessionError.Create(RSSSLCreatingSessionError);
end;
error := SSL_set_app_data(fSSL, Self);
if error <= 0 then begin
EIdOSSLDataBindingError.RaiseException(fSSL, error, RSSSLDataBindingError);
end;
error := SSL_set_fd(fSSL, pHandle);
if error <= 0 then begin
EIdOSSLFDSetError.RaiseException(fSSL, error, RSSSLFDSetError);
end;
// RLebeau: if this socket's IOHandler was cloned, reuse the
// original IOHandler's active session ID...
if (LParentIO <> nil) and (LParentIO.fSSLSocket <> nil) and
(LParentIO.fSSLSocket <> Self) then
begin
SSL_copy_session_id(fSSL, LParentIO.fSSLSocket.fSSL);
end;
error := SSL_connect(fSSL);
if error <= 0 then begin
EIdOSSLConnectError.RaiseException(fSSL, error, RSSSLConnectError);
end;
// TODO: even if SSL_connect() returns success, the connection might
// still be insecure if SSL_connect() detected that certificate validation
// actually failed, but ignored it because SSL_VERIFY_PEER was disabled!
// It would report such a failure via SSL_get_verify_result() instead of
// returning an error code, so we should call SSL_get_verify_result() here
// to make sure...
if LParentIO <> nil then begin
StatusStr := 'Cipher: name = ' + Cipher.Name + '; ' + {Do not Localize}
'description = ' + Cipher.Description + '; ' + {Do not Localize}
'bits = ' + IntToStr(Cipher.Bits) + '; ' + {Do not Localize}
'version = ' + Cipher.Version + '; '; {Do not Localize}
LParentIO.DoStatusInfo(StatusStr);
end;
end;
function TIdSSLSocket.Recv(var ABuffer: TIdBytes): Integer;
var
ret, err: Integer;
begin
repeat
ret := SSL_read(fSSL, @ABuffer[0], Length(ABuffer));
if ret > 0 then begin
Result := ret;
Exit;
end;
err := GetSSLError(ret);
if (err = SSL_ERROR_WANT_READ) or (err = SSL_ERROR_WANT_WRITE) then begin
Continue;
end;
if err = SSL_ERROR_ZERO_RETURN then begin
Result := 0;
end else begin
Result := ret;
end;
Exit;
until False;
end;
function TIdSSLSocket.Send(const ABuffer: TIdBytes; AOffset, ALength: Integer): Integer;
var
ret, err: Integer;
begin
Result := 0;
repeat
ret := SSL_write(fSSL, @ABuffer[AOffset], ALength);
if ret > 0 then begin
Inc(Result, ret);
Inc(AOffset, ret);
Dec(ALength, ret);
if ALength < 1 then begin
Exit;
end;
Continue;
end;
err := GetSSLError(ret);
if (err = SSL_ERROR_WANT_READ) or (err = SSL_ERROR_WANT_WRITE) then begin
Continue;
end;
if err = SSL_ERROR_ZERO_RETURN then begin
Result := 0;
end else begin
Result := ret;
end;
Exit;
until False;
end;
function TIdSSLSocket.GetPeerCert: TIdX509;
var
LX509: PX509;
begin
if fPeerCert = nil then begin
LX509 := SSL_get_peer_certificate(fSSL);
if LX509 <> nil then begin
fPeerCert := TIdX509.Create(LX509, False);
end;
end;
Result := fPeerCert;
end;
function TIdSSLSocket.GetSSLCipher: TIdSSLCipher;
begin
if (fSSLCipher = nil) and (fSSL<>nil) then begin
fSSLCipher := TIdSSLCipher.Create(Self);
end;
Result := fSSLCipher;
end;
function TIdSSLSocket.GetSessionID: TIdSSLByteArray;
var
pSession: PSSL_SESSION;
begin
Result.Length := 0;
Result.Data := nil;
if Assigned(SSL_get_session) and Assigned(SSL_SESSION_get_id) then
begin
if fSSL <> nil then begin
pSession := SSL_get_session(fSSL);
if pSession <> nil then begin
Result.Data := PByte(SSL_SESSION_get_id(pSession, @Result.Length));
end;
end;
end;
end;
function TIdSSLSocket.GetSessionIDAsString:String;
var
Data: TIdSSLByteArray;
i: TIdC_UINT;
LDataPtr: PByte;
begin
Result := ''; {Do not Localize}
Data := GetSessionID;
if Data.Length > 0 then begin
for i := 0 to Data.Length-1 do begin
// RLebeau: not all Delphi versions support indexed access using PByte
LDataPtr := Data.Data;
Inc(LDataPtr, I);
Result := Result + IndyFormat('%.2x', [LDataPtr^]);{do not localize}
end;
end;
end;
procedure TIdSSLSocket.SetCipherList(CipherList: String);
//var
// tmpPStr: PAnsiChar;
begin
{
fCipherList := CipherList;
fCipherList_Ch := True;
aCipherList := aCipherList+#0;
if hSSL <> nil then f_SSL_set_cipher_list(hSSL, @aCipherList[1]);
}
end;
///////////////////////////////////////////////////////////////
// X509 Certificate
///////////////////////////////////////////////////////////////
{ TIdX509Name }
function TIdX509Name.CertInOneLine: String;
var
LOneLine: array[0..2048] of TIdAnsiChar;
begin
if FX509Name = nil then begin
Result := ''; {Do not Localize}
end else begin
Result := String(X509_NAME_oneline(FX509Name, @LOneLine[0], SizeOf(LOneLine)));
end;
end;
function TIdX509Name.GetHash: TIdSSLULong;
begin
if FX509Name = nil then begin
FillChar(Result, SizeOf(Result), 0)
end else begin
Result.C1 := X509_NAME_hash(FX509Name);
end;
end;
function TIdX509Name.GetHashAsString: String;
begin
Result := IndyFormat('%.8x', [Hash.L1]); {do not localize}
end;
constructor TIdX509Name.Create(aX509Name: PX509_NAME);
begin
Inherited Create;
FX509Name := aX509Name;
end;
///////////////////////////////////////////////////////////////
// X509 Certificate
///////////////////////////////////////////////////////////////
{ TIdX509Info }
constructor TIdX509Info.Create(aX509: PX509);
begin
inherited Create;
FX509 := aX509;
end;
{ TIdX509Fingerprints }
function TIdX509Fingerprints.GetMD5: TIdSSLEVP_MD;
begin
CheckMD5Permitted;
X509_digest(FX509, EVP_md5, PByte(@Result.MD), Result.Length);
end;
function TIdX509Fingerprints.GetMD5AsString: String;
begin
Result := MDAsString(MD5);
end;
function TIdX509Fingerprints.GetSHA1: TIdSSLEVP_MD;
begin
X509_digest(FX509, EVP_sha1, PByte(@Result.MD), Result.Length);
end;
function TIdX509Fingerprints.GetSHA1AsString: String;
begin
Result := MDAsString(SHA1);
end;
function TIdX509Fingerprints.GetSHA224 : TIdSSLEVP_MD;
begin
if Assigned(EVP_sha224) then begin
X509_digest(FX509, EVP_sha224, PByte(@Result.MD), Result.Length);
end else begin
FillChar(Result, SizeOf(Result), 0);
end;
end;
function TIdX509Fingerprints.GetSHA224AsString : String;
begin
if Assigned(EVP_sha224) then begin
Result := MDAsString(SHA224);
end else begin
Result := '';
end;
end;
function TIdX509Fingerprints.GetSHA256 : TIdSSLEVP_MD;
begin
if Assigned(EVP_sha256) then begin
X509_digest(FX509, EVP_sha256, PByte(@Result.MD), Result.Length);
end else begin
FillChar(Result, SizeOf(Result), 0);
end;
end;
function TIdX509Fingerprints.GetSHA256AsString : String;
begin
if Assigned(EVP_sha256) then begin
Result := MDAsString(SHA256);
end else begin
Result := '';
end;
end;
function TIdX509Fingerprints.GetSHA384 : TIdSSLEVP_MD;
begin
if Assigned(EVP_SHA384) then begin
X509_digest(FX509, EVP_SHA384, PByte(@Result.MD), Result.Length);
end else begin
FillChar(Result, SizeOf(Result), 0);
end;
end;
function TIdX509Fingerprints.GetSHA384AsString : String;
begin
if Assigned(EVP_SHA384) then begin
Result := MDAsString(SHA384);
end else begin
Result := '';
end;
end;
function TIdX509Fingerprints.GetSHA512 : TIdSSLEVP_MD;
begin
if Assigned(EVP_sha512) then begin
X509_digest(FX509, EVP_sha512, PByte(@Result.MD), Result.Length);
end else begin
FillChar(Result, SizeOf(Result), 0);
end;
end;
function TIdX509Fingerprints.GetSHA512AsString : String;
begin
if Assigned(EVP_sha512) then begin
Result := MDAsString(SHA512);
end else begin
Result := '';
end;
end;
{ TIdX509SigInfo }
function TIdX509SigInfo.GetSignature: String;
begin
Result := BytesToHexString(FX509^.signature^.data, FX509^.signature^.length);
end;
function TIdX509SigInfo.GetSigType: TIdC_INT;
begin
Result := X509_get_signature_type(FX509);
end;
function TIdX509SigInfo.GetSigTypeAsString: String;
begin
Result := String(OBJ_nid2ln(SigType));
end;
{ TIdX509 }
constructor TIdX509.Create(aX509: PX509; aCanFreeX509: Boolean = True);
begin
inherited Create;
//don't create FDisplayInfo unless specifically requested.
FDisplayInfo := nil;
FX509 := aX509;
FCanFreeX509 := aCanFreeX509;
FFingerprints := TIdX509Fingerprints.Create(FX509);
FSigInfo := TIdX509SigInfo.Create(FX509);
FSubject := nil;
FIssuer := nil;
end;
destructor TIdX509.Destroy;
begin
FreeAndNil(FDisplayInfo);
FreeAndNil(FSubject);
FreeAndNil(FIssuer);
FreeAndNil(FFingerprints);
FreeAndNil(FSigInfo);
{ If the X.509 certificate handle was obtained from a certificate
store or from the SSL connection as a peer certificate, then DO NOT
free it here! The memory is owned by the OpenSSL library and will
crash the library if Indy tries to free its private memory here }
if FCanFreeX509 then begin
X509_free(FX509);
end;
inherited Destroy;
end;
function TIdX509.GetDisplayInfo: TStrings;
begin
if not Assigned(FDisplayInfo) then begin
FDisplayInfo := TStringList.Create;
DumpCert(FDisplayInfo, FX509);
end;
Result := FDisplayInfo;
end;
function TIdX509.GetSerialNumber: String;
var
LSN : PASN1_INTEGER;
begin
if FX509 <> nil then begin
LSN := X509_get_serialNumber(FX509);
Result := BytesToHexString(LSN.data, LSN.length);
end else begin
Result := '';
end;
end;
function TIdX509.GetVersion : TIdC_LONG;
begin
Result := X509_get_version(FX509);
end;
function TIdX509.RSubject: TIdX509Name;
var
Lx509_name: PX509_NAME;
Begin
if not Assigned(FSubject) then begin
if FX509 <> nil then begin
Lx509_name := X509_get_subject_name(FX509);
end else begin
Lx509_name := nil;
end;
FSubject := TIdX509Name.Create(Lx509_name);
end;
Result := FSubject;
end;
function TIdX509.RIssuer: TIdX509Name;
var
Lx509_name: PX509_NAME;
begin
if not Assigned(FIssuer) then begin
if FX509 <> nil then begin
Lx509_name := X509_get_issuer_name(FX509);
end else begin
Lx509_name := nil;
end;
FIssuer := TIdX509Name.Create(Lx509_name);
End;
Result := FIssuer;
end;
function TIdX509.RFingerprint: TIdSSLEVP_MD;
begin
X509_digest(FX509, EVP_md5, PByte(@Result.MD), Result.Length);
end;
function TIdX509.RFingerprintAsString: String;
begin
Result := MDAsString(Fingerprint);
end;
function TIdX509.RnotBefore: TDateTime;
begin
if FX509 = nil then begin
Result := 0
end else begin
//This is a safe typecast since PASN1_UTCTIME and PASN1_TIME are really
//pointers to ASN1 strings since ASN1_UTCTIME amd ASM1_TIME are ASN1_STRING.
Result := UTCTime2DateTime(PASN1_UTCTIME(X509_get_notBefore(FX509)));
end;
end;
function TIdX509.RnotAfter:TDateTime;
begin
if FX509 = nil then begin
Result := 0
end else begin
Result := UTCTime2DateTime(PASN1_UTCTIME(X509_get_notAfter(FX509)));
end;
end;
///////////////////////////////////////////////////////////////
// TIdSSLCipher
///////////////////////////////////////////////////////////////
constructor TIdSSLCipher.Create(AOwner: TIdSSLSocket);
begin
inherited Create;
FSSLSocket := AOwner;
end;
destructor TIdSSLCipher.Destroy;
begin
inherited Destroy;
end;
function TIdSSLCipher.GetDescription;
var
Buf: array[0..1024] of TIdAnsiChar;
begin
Result := String(SSL_CIPHER_description(SSL_get_current_cipher(FSSLSocket.fSSL), @Buf[0], SizeOf(Buf)-1));
end;
function TIdSSLCipher.GetName:String;
begin
Result := String(SSL_CIPHER_get_name(SSL_get_current_cipher(FSSLSocket.fSSL)));
end;
function TIdSSLCipher.GetBits:TIdC_INT;
begin
SSL_CIPHER_get_bits(SSL_get_current_cipher(FSSLSocket.fSSL), Result);
end;
function TIdSSLCipher.GetVersion:String;
begin
Result := String(SSL_CIPHER_get_version(SSL_get_current_cipher(FSSLSocket.fSSL)));
end;
initialization
Assert(SSLIsLoaded=nil);
SSLIsLoaded := TIdThreadSafeBoolean.Create;
RegisterSSL('OpenSSL','Indy Pit Crew', {do not localize}
'Copyright '+Char(169)+' 1993 - 2014'#10#13 + {do not localize}
'Chad Z. Hower (Kudzu) and the Indy Pit Crew. All rights reserved.', {do not localize}
'Open SSL Support DLL Delphi and C++Builder interface', {do not localize}
'http://www.indyproject.org/'#10#13 + {do not localize}
'Original Author - Gregor Ibic', {do not localize}
TIdSSLIOHandlerSocketOpenSSL,
TIdServerIOHandlerSSLOpenSSL);
TIdSSLIOHandlerSocketOpenSSL.RegisterIOHandler;
finalization
// TODO: TIdSSLIOHandlerSocketOpenSSL.UnregisterIOHandler;
UnLoadOpenSSLLibrary;
//free the lock last as unload makes calls that use it
FreeAndNil(SSLIsLoaded);
end.