908 lines
30 KiB
ObjectPascal
908 lines
30 KiB
ObjectPascal
|
{==============================================================================|
|
||
|
| Project : Ararat Synapse | 001.003.000 |
|
||
|
|==============================================================================|
|
||
|
| Content: SSL support by OpenSSL and the CAPI engine |
|
||
|
|==============================================================================|
|
||
|
| Copyright (c)2018, Pepak |
|
||
|
| All rights reserved. |
|
||
|
| |
|
||
|
| Redistribution and use in source and binary forms, with or without |
|
||
|
| modification, are permitted provided that the following conditions are met: |
|
||
|
| |
|
||
|
| Redistributions of source code must retain the above copyright notice, this |
|
||
|
| list of conditions and the following disclaimer. |
|
||
|
| |
|
||
|
| Redistributions in binary form must reproduce the above copyright notice, |
|
||
|
| this list of conditions and the following disclaimer in the documentation |
|
||
|
| and/or other materials provided with the distribution. |
|
||
|
| |
|
||
|
| Neither the name of Lukas Gebauer nor the names of its contributors may |
|
||
|
| be used to endorse or promote products derived from this software without |
|
||
|
| specific prior written permission. |
|
||
|
| |
|
||
|
| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
|
||
|
| AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
||
|
| IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
|
||
|
| ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR |
|
||
|
| ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
|
||
|
| DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
|
||
|
| SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
|
||
|
| CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
||
|
| LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
|
||
|
| OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH |
|
||
|
| DAMAGE. |
|
||
|
|==============================================================================|
|
||
|
| The Initial Developer of the Original Code is Pepak (Czech Republic). |
|
||
|
| Portions created by Pepak are Copyright (c)2018. |
|
||
|
| All Rights Reserved. |
|
||
|
|==============================================================================|
|
||
|
| Contributor(s): |
|
||
|
|==============================================================================|
|
||
|
| History: see HISTORY.HTM from distribution package |
|
||
|
| (Found at URL: http://www.ararat.cz/synapse/) |
|
||
|
|==============================================================================}
|
||
|
|
||
|
//requires OpenSSL libraries, including the CAPI engine (capi.dll)!
|
||
|
//recommended source: Stunnel (https://www.stunnel.org)
|
||
|
|
||
|
{:@abstract(SSL plugin for OpenSSL and the CAPI engine)
|
||
|
|
||
|
Compatibility with OpenSSL versions:
|
||
|
|
||
|
1.0.2 works fine.
|
||
|
|
||
|
1.1.x does not work properly out of the box. I was never able to get CAPI
|
||
|
to work with pre-built binaries or binaries that I built myself, even in
|
||
|
third party applications such as STunnel. The only config which works for
|
||
|
me involves custom-building OpenSSL with engines statically compiled into
|
||
|
libcrypto:
|
||
|
|
||
|
1) Install PERL (e.g. C:\PERL). Make sure the BIN subdirectory is in
|
||
|
the PATH (SET PATH=%PATH%;C:\PERL\BIN).
|
||
|
|
||
|
2) Download DMAKE ( https://metacpan.org/release/dmake ) and unpack it
|
||
|
into the Perl directory (you will get C:\PERL\DMAKE\DMAKE.EXE and
|
||
|
other files). Add the DMAKE directory to PATH as well.
|
||
|
|
||
|
3) Start Visual Studio Development Prompt, either 32 or 64bit. All the
|
||
|
following commands should be run in this prompt.
|
||
|
|
||
|
4) Install the Text::Template module by running:
|
||
|
cpan -i Text::Template
|
||
|
|
||
|
5) Download and unpack the OpenSSL sources into e.g. C:\SOURCE\OPENSSL.
|
||
|
|
||
|
6) Download and unpack the Zlib sources into e.g. C:\SOURCE\ZLIB.
|
||
|
|
||
|
7) Go to the ZLIB directory and run:
|
||
|
nmake -f win32/Makefile.msc
|
||
|
|
||
|
8) Go to the OpenSSL directory and run:
|
||
|
32bit:
|
||
|
perl Configure shared enable-static-engine enable-zlib --with-zlib-include=C:\SOURCE\ZLIB --with-zlib-lib=C:\SOURCE\ZLIB\zlib.lib VC-WIN32
|
||
|
64bit:
|
||
|
perl Configure shared enable-static-engine enable-zlib --with-zlib-include=C:\SOURCE\ZLIB --with-zlib-lib=C:\SOURCE\ZLIB\zlib.lib VC-WIN64A
|
||
|
Make sure to replace both instances of C:\SOURCE\ZLIB with the actual
|
||
|
path to the Zlib library.
|
||
|
|
||
|
9) If you want to build the OpenSSL DLLs without external dependencies
|
||
|
(e.g. on the Visual Studio Runtime), edit the generated makefile:
|
||
|
|
||
|
- Change the "/MD" flag in CNF_FLAGS to "/MT".
|
||
|
- Add "/NODEFAULTLIB:MSVCRT" to CNF_LDFLAGS.
|
||
|
|
||
|
10) In the OpenSSL directory, run:
|
||
|
nmake
|
||
|
|
||
|
11) When all is done, copy LIBCRYPTO-1_1*.DLL and LIBSSH-1_1*.DLL to
|
||
|
your application's binary directory.
|
||
|
|
||
|
|
||
|
OpenSSL libraries are loaded dynamically - you do not need the librares even if
|
||
|
you compile your application with this unit. SSL just won't work if you don't
|
||
|
have the OpenSSL libraries.
|
||
|
|
||
|
The plugin is built on the standard OpenSSL plugin, giving it all the features
|
||
|
of it. In fact, if you do not have the CAPI engine, the plugin will behave in
|
||
|
exactly the same way as the original plugin - the CAPI engine is completely
|
||
|
optional, the plugin will work without it - obviously without the support for
|
||
|
Windows Certificate Stores.
|
||
|
|
||
|
The windows certificate stores are supported through the following properties:
|
||
|
|
||
|
@link(TSSLOpenSSLCapi.SigningCertificate) - expects pointer to the certificate
|
||
|
context of the signing certificate (PCCERT_CONTENT). @br
|
||
|
|
||
|
Note that due to the limitations of OpenSSL, it is not possible to switch
|
||
|
between different engines (e.g. CAPI and default) on the fly - the engine is
|
||
|
a global setting for the whole of OpenSSL. For that reason, once the engine
|
||
|
is enabled (either explicitly or by using a Windows certificate for a connection),
|
||
|
it will stay enabled and there is no method for disabling it.
|
||
|
|
||
|
}
|
||
|
|
||
|
{$IFDEF FPC}
|
||
|
{$MODE DELPHI}
|
||
|
{$ENDIF}
|
||
|
{$H+}
|
||
|
|
||
|
{$INCLUDE 'jedi.inc'}
|
||
|
|
||
|
{$DEFINE USE_ENGINE_POOL}
|
||
|
|
||
|
unit ssl_openssl_capi;
|
||
|
|
||
|
interface
|
||
|
|
||
|
uses
|
||
|
Windows, Crypt32, SysUtils, Classes, SyncObjs,
|
||
|
blcksock, ssl_openssl, ssl_openssl_lib;
|
||
|
|
||
|
type
|
||
|
PENGINE = Pointer;
|
||
|
|
||
|
type
|
||
|
TWindowsCertStoreLocation = (
|
||
|
wcslCurrentUser
|
||
|
, wcslCurrentUserGroupPolicy
|
||
|
, wcslUsers
|
||
|
, wcslCurrentService
|
||
|
, wcslServices
|
||
|
, wcslLocalMachine
|
||
|
, wcslLocalMachineGroupPolicy
|
||
|
, wcslLocalMachineEnterprise
|
||
|
);
|
||
|
|
||
|
type
|
||
|
{:@abstract(class extending the OpenSSL SSL plugin with CAPI support.)
|
||
|
Instance of this class will be created for each @link(TTCPBlockSocket).
|
||
|
You not need to create instance of this class, all is done by Synapse itself!}
|
||
|
TSSLOpenSSLCapi = class(TSSLOpenSSL)
|
||
|
private
|
||
|
FEngine: PENGINE;
|
||
|
FEngineInitialized: boolean;
|
||
|
FSigningCertificateLocation: TWindowsCertStoreLocation;
|
||
|
FSigningCertificateStore: string;
|
||
|
FSigningCertificateID: string;
|
||
|
function GetEngine: PENGINE;
|
||
|
protected
|
||
|
{:Loads a certificate context into the CAPI engine for signing/decryption.}
|
||
|
function LoadSigningCertificate: boolean;
|
||
|
{:See @inherited}
|
||
|
function SetSslKeys: boolean; override;
|
||
|
{:See @inherited}
|
||
|
function NeedSigningCertificate: boolean; override;
|
||
|
{:Returns true if the signing certificate should be used.}
|
||
|
function SigningCertificateSpecified: boolean;
|
||
|
{:Provides a cryptographic engine for OpenSSL}
|
||
|
property Engine: PENGINE read GetEngine;
|
||
|
public
|
||
|
{:See @inherited}
|
||
|
constructor Create(const Value: TTCPBlockSocket); override;
|
||
|
{:See @inherited}
|
||
|
destructor Destroy; override;
|
||
|
{:See @inherited}
|
||
|
procedure Assign(const Value: TCustomSSL); override;
|
||
|
{:Use this function to load the CAPI engine and/or verify that the engine
|
||
|
is available. The plugin will load CAPI itself when it is needed, so you
|
||
|
may skip this function completely, but it may be useful to perform a manual
|
||
|
CAPI load early during the application startup to make sure all connection
|
||
|
use the same cryptographic engine (and, as a result, behave the same way).}
|
||
|
class function InitEngine: boolean;
|
||
|
{:Location of the certificate store used for the communication.}
|
||
|
property SigningCertificateLocation: TWindowsCertStoreLocation read FSigningCertificateLocation write FSigningCertificateLocation;
|
||
|
{:Certificate store used for the communication. The most common is "MY",
|
||
|
or the user's private certificates.}
|
||
|
property SigningCertificateStore: string read FSigningCertificateStore write FSigningCertificateStore;
|
||
|
{:ID of the certificate to use. For standard CAPI, this is the friendly name
|
||
|
of the certificate. For the client-side SSL it is not really necessary, as
|
||
|
long as it is non-empty (which signifies that the CAPI engine should be
|
||
|
used). For the server side, it must be a substring of the SubjectName of
|
||
|
the certificate. The first matching certificate will be used.}
|
||
|
property SigningCertificateID: string read FSigningCertificateID write FSigningCertificateID;
|
||
|
end;
|
||
|
|
||
|
implementation
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$REGION 'Support and compatibility functions'}{$ENDIF}
|
||
|
{==============================================================================}
|
||
|
{Support and compatibility functions }
|
||
|
{------------------------------------------------------------------------------}
|
||
|
|
||
|
function GetModuleFileNamePAS(Handle: THandle; out FileName: string): boolean;
|
||
|
var
|
||
|
FN: string;
|
||
|
n: integer;
|
||
|
begin
|
||
|
Result := False;
|
||
|
if Handle = 0 then
|
||
|
Exit;
|
||
|
SetLength(FN, MAX_PATH);
|
||
|
n := GetModuleFileName(Handle, @FN[1], Length(FN));
|
||
|
if (n > 0) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) then
|
||
|
begin
|
||
|
SetLength(FN, n);
|
||
|
n := GetModuleFileName(Handle, @FN[1], Length(FN));
|
||
|
end;
|
||
|
if (n > 0) and (GetLastError = ERROR_SUCCESS) then
|
||
|
begin
|
||
|
SetLength(FN, n);
|
||
|
FileName := FN;
|
||
|
Result := True;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
{$IFNDEF UNICODE}
|
||
|
type
|
||
|
PPointer = ^Pointer;
|
||
|
|
||
|
procedure RaiseLastOSError;
|
||
|
begin
|
||
|
RaiseLastWin32Error;
|
||
|
end;
|
||
|
{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$ENDREGION}{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$REGION 'Imported functions'}{$ENDIF}
|
||
|
{==============================================================================}
|
||
|
{Imported functions }
|
||
|
{------------------------------------------------------------------------------}
|
||
|
|
||
|
const
|
||
|
CapiEngineID = 'capi';
|
||
|
DLLCapiName = CapiEngineID + '.dll';
|
||
|
|
||
|
const
|
||
|
SSL_CTRL_OPTIONS = 32;
|
||
|
SSL_OP_NO_TLSv1_2 = $08000000;
|
||
|
|
||
|
const
|
||
|
ENGINE_METHOD_ALL = $ffff;
|
||
|
|
||
|
type
|
||
|
PPX509 = ^PX509;
|
||
|
|
||
|
var
|
||
|
FEngineCS: TCriticalSection = nil;
|
||
|
FEngineNeedsSHA2Workaround: boolean = False;
|
||
|
|
||
|
var
|
||
|
FEngineInterfaceInitialized: boolean = False;
|
||
|
FENGINE_cleanup: procedure; cdecl = nil;
|
||
|
FENGINE_load_builtin_engines: procedure; cdecl = nil;
|
||
|
FENGINE_by_id: function(id: PAnsiChar): PENGINE; cdecl = nil;
|
||
|
FENGINE_ctrl_cmd_string: function(e: PENGINE; cmd_name, arg: PAnsiChar; cmd_optional: integer): integer; cdecl = nil;
|
||
|
FENGINE_init: function(e: PENGINE): integer; cdecl = nil;
|
||
|
FENGINE_finish: function(e: PENGINE): integer; cdecl = nil;
|
||
|
FENGINE_free: function(e: PENGINE): integer; cdecl = nil;
|
||
|
FENGINE_set_default: function(e: PENGINE; flags: DWORD): integer; cdecl = nil;
|
||
|
FENGINE_load_private_key: function(e: PENGINE; key_id: PAnsiChar; ui_method: Pointer; callback_data: Pointer): EVP_PKEY; cdecl = nil;
|
||
|
FSSL_CTX_set_client_cert_engine: function(ctx: PSSL_CTX; e: PENGINE): integer; cdecl = nil;
|
||
|
Fd2i_X509: function(px: PPX509; data: PPointer; len: integer): PX509; cdecl = nil;
|
||
|
|
||
|
function InitEngineInterface: boolean;
|
||
|
var
|
||
|
OpenSSLFileName: string;
|
||
|
VerInfoSize: DWORD;
|
||
|
VerInfo: Pointer;
|
||
|
VerHandle: DWORD;
|
||
|
SpecVerInfo: PVsFixedFileInfo;
|
||
|
begin
|
||
|
if FEngineInterfaceInitialized then
|
||
|
begin
|
||
|
Result := True;
|
||
|
Exit;
|
||
|
end;
|
||
|
FEngineCS.Enter;
|
||
|
try
|
||
|
if FEngineInterfaceInitialized then
|
||
|
begin
|
||
|
Result := True;
|
||
|
Exit;
|
||
|
end;
|
||
|
Result := False;
|
||
|
if not InitSSLInterface then
|
||
|
Exit;
|
||
|
if SSLUtilHandle = 0 then
|
||
|
Exit;
|
||
|
if SSLLibHandle = 0 then
|
||
|
Exit;
|
||
|
FENGINE_cleanup := GetProcAddress(SSLUtilHandle, 'ENGINE_cleanup');
|
||
|
FENGINE_load_builtin_engines := GetProcAddress(SSLUtilHandle, 'ENGINE_load_builtin_engines');
|
||
|
FENGINE_by_id := GetProcAddress(SSLUtilHandle, 'ENGINE_by_id');
|
||
|
FENGINE_ctrl_cmd_string := GetProcAddress(SSLUtilHandle, 'ENGINE_ctrl_cmd_string');
|
||
|
FENGINE_init := GetProcAddress(SSLUtilHandle, 'ENGINE_init');
|
||
|
FENGINE_finish := GetProcAddress(SSLUtilHandle, 'ENGINE_finish');
|
||
|
FENGINE_free := GetProcAddress(SSLUtilHandle, 'ENGINE_free');
|
||
|
FENGINE_set_default := GetProcAddress(SSLUtilHandle, 'ENGINE_set_default');
|
||
|
FENGINE_load_private_key := GetProcAddress(SSLUtilHandle, 'ENGINE_load_private_key');
|
||
|
FSSL_CTX_set_client_cert_engine := GetProcAddress(SSLLibHandle, 'SSL_CTX_set_client_cert_engine');
|
||
|
Fd2i_X509 := GetProcAddress(SSLUtilHandle, 'd2i_X509');
|
||
|
FEngineInterfaceInitialized := True;
|
||
|
//---- Workaround for a CAPI engine bug ------------------------------------
|
||
|
// https://www.stunnel.org/pipermail/stunnel-users/2017-February/005720.html
|
||
|
//
|
||
|
// The capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached
|
||
|
// to the key for cryptographic operations. Unfortunately this means that
|
||
|
// SHA2 algorithms are not supported for client authentication.
|
||
|
//
|
||
|
// OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2
|
||
|
// in earlier versions of OpenSSL it will not use SHA2 for client auth so
|
||
|
// that will also work.
|
||
|
begin
|
||
|
FEngineNeedsSHA2Workaround := False;
|
||
|
if GetModuleFileNamePAS(SSLUtilHandle, OpenSSLFileName) then
|
||
|
begin
|
||
|
VerInfoSize := GetFileVersionInfoSize(PChar(OpenSSLFileName), VerHandle);
|
||
|
if VerInfoSize > 0 then
|
||
|
begin
|
||
|
GetMem(VerInfo, VerInfoSize);
|
||
|
try
|
||
|
if GetFileVersionInfo(PChar(OpenSSLFileName), VerHandle, VerInfoSize, VerInfo) then
|
||
|
if VerQueryValue(VerInfo, '\', Pointer(SpecVerInfo), VerInfoSize) then
|
||
|
begin
|
||
|
if SpecVerInfo^.dwFileVersionMS < (65536*1 + 1) then
|
||
|
FEngineNeedsSHA2Workaround := True;
|
||
|
end;
|
||
|
finally
|
||
|
FreeMem(VerInfo);
|
||
|
end;
|
||
|
end;
|
||
|
end;
|
||
|
end;
|
||
|
//---- Workaround end ------------------------------------------------------
|
||
|
Result := True;
|
||
|
finally
|
||
|
FEngineCS.Leave;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
procedure DestroyEngineInterface;
|
||
|
begin
|
||
|
FEngineCS.Enter;
|
||
|
try
|
||
|
if Assigned(FENGINE_cleanup) then
|
||
|
FENGINE_cleanup;
|
||
|
FENGINE_cleanup := nil;
|
||
|
FENGINE_load_builtin_engines := nil;
|
||
|
FENGINE_by_id := nil;
|
||
|
FENGINE_ctrl_cmd_string := nil;
|
||
|
FENGINE_init := nil;
|
||
|
FENGINE_finish := nil;
|
||
|
FENGINE_free := nil;
|
||
|
FENGINE_set_default := nil;
|
||
|
FENGINE_load_private_key := nil;
|
||
|
FSSL_CTX_set_client_cert_engine := nil;
|
||
|
Fd2i_X509 := nil;
|
||
|
FEngineInterfaceInitialized := False;
|
||
|
finally
|
||
|
FEngineCS.Leave;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
procedure ENGINE_load_builtin_engines;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_load_builtin_engines) then
|
||
|
FENGINE_load_builtin_engines;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_by_id(id: PAnsiChar): PENGINE;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_by_id) then
|
||
|
Result := FENGINE_by_id(id)
|
||
|
else
|
||
|
Result := nil;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_ctrl_cmd_string(e: PENGINE; cmd_name, arg: PAnsiChar; cmd_optional: integer): integer;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_ctrl_cmd_string) then
|
||
|
Result := FENGINE_ctrl_cmd_string(e, cmd_name, arg, cmd_optional)
|
||
|
else
|
||
|
Result := 0;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_init(e: PENGINE): integer;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_init) then
|
||
|
Result := FENGINE_init(e)
|
||
|
else
|
||
|
Result := 0;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_finish(e: PENGINE): integer;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_finish) then
|
||
|
Result := FENGINE_finish(e)
|
||
|
else
|
||
|
Result := 0;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_free(e: PENGINE): integer;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_free) then
|
||
|
Result := FENGINE_free(e)
|
||
|
else
|
||
|
Result := 0;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_set_default(e: PENGINE; flags: DWORD): integer;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_set_default) then
|
||
|
Result := FENGINE_set_default(e, flags)
|
||
|
else
|
||
|
Result := 0;
|
||
|
end;
|
||
|
|
||
|
function ENGINE_load_private_key(e: PENGINE; key_id: PAnsiChar; ui_method: Pointer; callback_data: Pointer): EVP_PKEY;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FENGINE_load_private_key) then
|
||
|
Result := FENGINE_load_private_key(e, key_id, ui_method, callback_data)
|
||
|
else
|
||
|
Result := nil;
|
||
|
end;
|
||
|
|
||
|
function SSL_CTX_set_client_cert_engine(ctx: PSSL_CTX; e: PENGINE): integer;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(FSSL_CTX_set_client_cert_engine) then
|
||
|
Result := FSSL_CTX_set_client_cert_engine(ctx, e)
|
||
|
else
|
||
|
Result := 0;
|
||
|
end;
|
||
|
|
||
|
function d2i_X509(px: PPX509; data: PPointer; len: integer): PX509;
|
||
|
begin
|
||
|
if InitEngineInterface and Assigned(Fd2i_X509) then
|
||
|
Result := Fd2i_X509(px, data, len)
|
||
|
else
|
||
|
Result := nil;
|
||
|
end;
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$ENDREGION}{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$REGION 'CAPI engine support'}{$ENDIF}
|
||
|
{==============================================================================}
|
||
|
{CAPI engine support }
|
||
|
{------------------------------------------------------------------------------}
|
||
|
|
||
|
var
|
||
|
FGlobalEngineInitialized: boolean = False;
|
||
|
FGlobalEngine: PENGINE = nil;
|
||
|
|
||
|
function PrepareCapiEngine(out Engine: PENGINE): boolean;
|
||
|
|
||
|
function LoadCapiEngine(Engine: PENGINE; const FileName: string): boolean;
|
||
|
begin
|
||
|
Result := False;
|
||
|
if ENGINE_ctrl_cmd_string(Engine, 'SO_PATH', PAnsiChar(AnsiString(FileName)), 0) <> 0 then
|
||
|
if ENGINE_ctrl_cmd_string(Engine, 'LOAD', nil, 0) <> 0 then
|
||
|
Result := True;
|
||
|
end;
|
||
|
|
||
|
function LoadCapiEngineDynamic(out Engine: PENGINE): boolean;
|
||
|
var
|
||
|
OpenSSLFileName: string;
|
||
|
TempEngine: PENGINE;
|
||
|
begin
|
||
|
Result := False;
|
||
|
if not GetModuleFileNamePAS(SSLUtilHandle, OpenSSLFileName) then
|
||
|
Exit;
|
||
|
TempEngine := ENGINE_by_id('dynamic');
|
||
|
try
|
||
|
if TempEngine <> nil then
|
||
|
begin
|
||
|
if LoadCapiEngine(TempEngine, ExtractFilePath(OpenSSLFileName) + DLLCapiName) then // need a version match! Same dir suggests the versions could be the same
|
||
|
if ENGINE_init(TempEngine) <> 0 then
|
||
|
begin
|
||
|
Engine := TempEngine;
|
||
|
TempEngine := nil;
|
||
|
Result := True;
|
||
|
end;
|
||
|
end;
|
||
|
finally
|
||
|
if TempEngine <> nil then
|
||
|
begin
|
||
|
ENGINE_free(TempEngine);
|
||
|
//TempEngine := nil; // triggers a hint
|
||
|
end;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
function LoadCapiEngineStatic(out Engine: PENGINE): boolean;
|
||
|
var
|
||
|
TempEngine: PENGINE;
|
||
|
begin
|
||
|
Result := False;
|
||
|
TempEngine := ENGINE_by_id(CapiEngineID);
|
||
|
try
|
||
|
if TempEngine <> nil then
|
||
|
begin
|
||
|
if ENGINE_init(TempEngine) <> 0 then
|
||
|
begin
|
||
|
Engine := TempEngine;
|
||
|
TempEngine := nil;
|
||
|
Result := True;
|
||
|
end;
|
||
|
end;
|
||
|
finally
|
||
|
if TempEngine <> nil then
|
||
|
begin
|
||
|
ENGINE_free(TempEngine);
|
||
|
//TempEngine := nil; // triggers a hint
|
||
|
end;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
begin
|
||
|
Result := LoadCapiEngineStatic(Engine) or LoadCapiEngineDynamic(Engine);
|
||
|
end;
|
||
|
|
||
|
function InitCapiEngine: boolean;
|
||
|
var
|
||
|
E: PENGINE;
|
||
|
begin
|
||
|
Result := FGlobalEngine <> nil;
|
||
|
if FGlobalEngineInitialized then
|
||
|
Exit;
|
||
|
FEngineCS.Enter;
|
||
|
try
|
||
|
if FGlobalEngineInitialized then
|
||
|
Exit;
|
||
|
ENGINE_load_builtin_engines();
|
||
|
if PrepareCapiEngine(E) then
|
||
|
begin
|
||
|
if not Assigned(FSSL_CTX_set_client_cert_engine) then
|
||
|
begin
|
||
|
if ENGINE_set_default(E, ENGINE_METHOD_ALL) = 0 then
|
||
|
begin
|
||
|
ENGINE_finish(E);
|
||
|
ENGINE_free(E);
|
||
|
E := nil;
|
||
|
end;
|
||
|
end;
|
||
|
FGlobalEngine := E;
|
||
|
end;
|
||
|
FGlobalEngineInitialized := True;
|
||
|
Result := FGlobalEngine <> nil;
|
||
|
finally
|
||
|
FEngineCS.Leave;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$ENDREGION}{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$REGION 'Pool of engines'}{$ENDIF}
|
||
|
{==============================================================================}
|
||
|
{Pool of engines, to reduce the time to get a working connection }
|
||
|
{------------------------------------------------------------------------------}
|
||
|
|
||
|
{$IFDEF USE_ENGINE_POOL}
|
||
|
|
||
|
type
|
||
|
TEnginePool = class
|
||
|
private
|
||
|
fLock: TCriticalSection;
|
||
|
fAvailableList: TList;
|
||
|
protected
|
||
|
procedure Lock;
|
||
|
procedure Unlock;
|
||
|
public
|
||
|
constructor Create;
|
||
|
destructor Destroy; override;
|
||
|
function Acquire(out Engine: PENGINE): boolean;
|
||
|
procedure Release(var Engine: PENGINE);
|
||
|
procedure Clear;
|
||
|
end;
|
||
|
|
||
|
var
|
||
|
FEnginePool: TEnginePool = nil;
|
||
|
|
||
|
{ TEnginePool }
|
||
|
|
||
|
function TEnginePool.Acquire(out Engine: PENGINE): boolean;
|
||
|
var
|
||
|
n: integer;
|
||
|
begin
|
||
|
if fAvailableList.Count > 0 then
|
||
|
begin
|
||
|
Lock;
|
||
|
try
|
||
|
for n := Pred(fAvailableList.Count) downto 0 do
|
||
|
begin
|
||
|
Engine := fAvailableList[n];
|
||
|
if Engine <> nil then
|
||
|
begin
|
||
|
fAvailableList.Delete(n);
|
||
|
Result := True;
|
||
|
Exit;
|
||
|
end;
|
||
|
end;
|
||
|
finally
|
||
|
Unlock;
|
||
|
end;
|
||
|
end;
|
||
|
Result := InitCapiEngine and PrepareCapiEngine(Engine);
|
||
|
end;
|
||
|
|
||
|
procedure TEnginePool.Clear;
|
||
|
var
|
||
|
i: integer;
|
||
|
E: PENGINE;
|
||
|
begin
|
||
|
Lock;
|
||
|
try
|
||
|
for i := 0 to Pred(fAvailableList.Count) do
|
||
|
begin
|
||
|
E := fAvailableList[i];
|
||
|
fAvailableList[i] := nil;
|
||
|
if E <> nil then
|
||
|
begin
|
||
|
ENGINE_finish(E);
|
||
|
ENGINE_free(E);
|
||
|
end;
|
||
|
end;
|
||
|
fAvailableList.Clear;
|
||
|
finally
|
||
|
Unlock;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
constructor TEnginePool.Create;
|
||
|
begin
|
||
|
inherited Create;
|
||
|
fLock := TCriticalSection.Create;
|
||
|
fAvailableList := TList.Create;
|
||
|
end;
|
||
|
|
||
|
destructor TEnginePool.Destroy;
|
||
|
begin
|
||
|
Clear;
|
||
|
FreeAndNil(fAvailableList);
|
||
|
FreeAndNil(fLock);
|
||
|
inherited;
|
||
|
end;
|
||
|
|
||
|
procedure TEnginePool.Lock;
|
||
|
begin
|
||
|
fLock.Enter;
|
||
|
end;
|
||
|
|
||
|
procedure TEnginePool.Release(var Engine: PENGINE);
|
||
|
begin
|
||
|
if Engine = nil then
|
||
|
Exit;
|
||
|
Lock;
|
||
|
try
|
||
|
fAvailableList.Add(Engine);
|
||
|
Engine := nil;
|
||
|
finally
|
||
|
Unlock;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
procedure TEnginePool.Unlock;
|
||
|
begin
|
||
|
fLock.Leave;
|
||
|
end;
|
||
|
|
||
|
{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$ENDREGION}{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$REGION 'The plugin'}{$ENDIF}
|
||
|
{==============================================================================}
|
||
|
{The plugin }
|
||
|
{------------------------------------------------------------------------------}
|
||
|
|
||
|
{ TSSLOpenSSLCapi }
|
||
|
|
||
|
class function TSSLOpenSSLCapi.InitEngine: boolean;
|
||
|
begin
|
||
|
Result := InitCapiEngine;
|
||
|
end;
|
||
|
|
||
|
procedure TSSLOpenSSLCapi.Assign(const Value: TCustomSSL);
|
||
|
var
|
||
|
CAPIValue: TSSLOpenSSLCapi;
|
||
|
begin
|
||
|
inherited;
|
||
|
if (Value <> nil) and (Value is TSSLOpenSSLCapi) then
|
||
|
begin
|
||
|
CAPIValue := TSSLOpenSSLCapi(Value);
|
||
|
Self.FSigningCertificateLocation := CAPIValue.FSigningCertificateLocation;
|
||
|
Self.FSigningCertificateStore := CAPIValue.FSigningCertificateStore;
|
||
|
Self.FSigningCertificateID := CAPIValue.FSigningCertificateID;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
constructor TSSLOpenSSLCapi.Create(const Value: TTCPBlockSocket);
|
||
|
begin
|
||
|
inherited;
|
||
|
FEngine := nil;
|
||
|
FEngineInitialized := False;
|
||
|
FSigningCertificateLocation := wcslCurrentUser;
|
||
|
FSigningCertificateStore := 'MY';
|
||
|
FSigningCertificateID := '';
|
||
|
end;
|
||
|
|
||
|
destructor TSSLOpenSSLCapi.Destroy;
|
||
|
begin
|
||
|
if FEngine <> nil then
|
||
|
begin
|
||
|
{$IFDEF USE_ENGINE_POOL}
|
||
|
FEnginePool.Release(FEngine);
|
||
|
{$ELSE}
|
||
|
ENGINE_finish(FEngine);
|
||
|
ENGINE_free(FEngine);
|
||
|
{$ENDIF}
|
||
|
FEngineInitialized := False;
|
||
|
end;
|
||
|
inherited;
|
||
|
end;
|
||
|
|
||
|
function TSSLOpenSSLCapi.GetEngine: PENGINE;
|
||
|
begin
|
||
|
if not FEngineInitialized then
|
||
|
begin
|
||
|
{$IFDEF USE_ENGINE_POOL}
|
||
|
if not FEnginePool.Acquire(FEngine) then
|
||
|
FEngine := nil;
|
||
|
{$ELSE}
|
||
|
if (not InitEngine) or (not PrepareCapiEngine(FEngine)) then
|
||
|
FEngine := nil;
|
||
|
{$ENDIF}
|
||
|
FEngineInitialized := True;
|
||
|
end;
|
||
|
Result := FEngine;
|
||
|
end;
|
||
|
|
||
|
function TSSLOpenSSLCapi.LoadSigningCertificate: boolean;
|
||
|
var
|
||
|
pkey: EVP_PKEY;
|
||
|
pdata: Pointer;
|
||
|
cert: PX509;
|
||
|
store: HCERTSTORE;
|
||
|
certctx: PCCERT_CONTEXT;
|
||
|
flags: DWORD;
|
||
|
begin
|
||
|
Result := False;
|
||
|
if not SigningCertificateSpecified then
|
||
|
Exit;
|
||
|
if not InitEngine then
|
||
|
Exit;
|
||
|
if Engine = nil then
|
||
|
Exit;
|
||
|
if not Assigned(FSSL_CTX_set_client_cert_engine) then
|
||
|
Exit;
|
||
|
if SSL_CTX_set_client_cert_engine(Fctx, Engine) = 0 then
|
||
|
Exit;
|
||
|
if ENGINE_ctrl_cmd_string(Engine, 'store_name', PAnsiChar( {$IFDEF UNICODE} AnsiString {$ENDIF} (SigningCertificateStore)), 0) = 0 then
|
||
|
Exit;
|
||
|
if ENGINE_ctrl_cmd_string(Engine, 'lookup_method', '1', 0) = 0 then
|
||
|
Exit;
|
||
|
case SigningCertificateLocation of
|
||
|
wcslCurrentUser:
|
||
|
if ENGINE_ctrl_cmd_string(Engine, 'store_flags', '0', 0) = 0 then
|
||
|
Exit;
|
||
|
wcslLocalMachine:
|
||
|
if ENGINE_ctrl_cmd_string(Engine, 'store_flags', '1', 0) = 0 then
|
||
|
Exit;
|
||
|
else
|
||
|
Exit; // other store flags are not supported by the CAPI engine
|
||
|
end;
|
||
|
if Server then
|
||
|
begin
|
||
|
cert := nil;
|
||
|
pkey := nil;
|
||
|
try
|
||
|
// Need to find the context and the store for the certificate. Unfortunately,
|
||
|
// due to the CAPI engine limitations (see capi_load_privkey), I can only use
|
||
|
// a very limited set of criteria for finding the certificate
|
||
|
flags := 0;
|
||
|
case SigningCertificateLocation of
|
||
|
wcslCurrentUser:
|
||
|
flags := flags or CERT_SYSTEM_STORE_CURRENT_USER;
|
||
|
wcslLocalMachine:
|
||
|
flags := flags or CERT_SYSTEM_STORE_LOCAL_MACHINE;
|
||
|
else
|
||
|
Exit; // other store flags are not supported by the CAPI engine
|
||
|
end;
|
||
|
store := CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, flags, PWideChar(WideString(SigningCertificateStore)));
|
||
|
if store <> 0 then
|
||
|
begin
|
||
|
try
|
||
|
certctx := CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR_A, PAnsiChar( {$IFDEF UNICODE} AnsiString {$ENDIF} (SigningCertificateID)), nil);
|
||
|
if certctx = nil then
|
||
|
Exit;
|
||
|
pkey := ENGINE_load_private_key(Engine, PAnsiChar( {$IFDEF UNICODE} AnsiString {$ENDIF} (SigningCertificateID)), nil, nil);
|
||
|
if pkey = nil then
|
||
|
Exit;
|
||
|
pdata := certctx.pbCertEncoded;
|
||
|
cert := d2i_X509(nil, @pdata, certctx.cbCertEncoded);
|
||
|
if cert = nil then
|
||
|
Exit;
|
||
|
if SSLCTXusecertificate(Fctx, cert) <= 0 then
|
||
|
Exit;
|
||
|
if SSLCTXusePrivateKey(Fctx, pkey) <= 0 then
|
||
|
Exit;
|
||
|
Result := True;
|
||
|
finally
|
||
|
CertCloseStore(store, 0);
|
||
|
end;
|
||
|
end;
|
||
|
finally
|
||
|
if pkey <> nil then
|
||
|
EvpPkeyFree(pkey);
|
||
|
if cert <> nil then
|
||
|
X509free(cert);
|
||
|
end;
|
||
|
end
|
||
|
else
|
||
|
begin
|
||
|
Result := True;
|
||
|
end;
|
||
|
if Result then
|
||
|
if FEngineNeedsSHA2Workaround then
|
||
|
SslCtxCtrl(Fctx, SSL_CTRL_OPTIONS, SslCtxCtrl(Fctx, SSL_CTRL_OPTIONS, 0, nil) or SSL_OP_NO_TLSv1_2, nil);
|
||
|
end;
|
||
|
|
||
|
function TSSLOpenSSLCapi.NeedSigningCertificate: boolean;
|
||
|
begin
|
||
|
Result := SigningCertificateSpecified and inherited NeedSigningCertificate;
|
||
|
end;
|
||
|
|
||
|
function TSSLOpenSSLCapi.SetSslKeys: boolean;
|
||
|
begin
|
||
|
Result := False;
|
||
|
if not assigned(FCtx) then
|
||
|
Exit;
|
||
|
try
|
||
|
if SigningCertificateSpecified and InitEngine then
|
||
|
begin
|
||
|
if not LoadSigningCertificate then
|
||
|
Exit;
|
||
|
Result := True;
|
||
|
end;
|
||
|
if inherited SetSslKeys then
|
||
|
Result := True;
|
||
|
finally
|
||
|
SSLCheck;
|
||
|
end;
|
||
|
end;
|
||
|
|
||
|
function TSSLOpenSSLCapi.SigningCertificateSpecified: boolean;
|
||
|
begin
|
||
|
Result := (SigningCertificateID <> '');
|
||
|
end;
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$ENDREGION}{$ENDIF}
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$REGION 'Initialization and finalization'}{$ENDIF}
|
||
|
{==============================================================================}
|
||
|
{Initialization and finalization }
|
||
|
{------------------------------------------------------------------------------}
|
||
|
|
||
|
initialization
|
||
|
begin
|
||
|
FEngineCS := TCriticalSection.Create;
|
||
|
if InitSSLInterface and ((SSLImplementation = TSSLNone) or (SSLImplementation = TSSLOpenSSL)) then
|
||
|
SSLImplementation := TSSLOpenSSLCapi;
|
||
|
{$IFDEF USE_ENGINE_POOL}
|
||
|
FEnginePool := TEnginePool.Create;
|
||
|
{$ENDIF}
|
||
|
end;
|
||
|
|
||
|
finalization
|
||
|
begin
|
||
|
DestroyEngineInterface;
|
||
|
{$IFDEF USE_ENGINE_POOL}
|
||
|
FreeAndNil(FEnginePool);
|
||
|
{$ENDIF}
|
||
|
FreeAndNil(FEngineCS);
|
||
|
end;
|
||
|
|
||
|
{$IFDEF SUPPORTS_REGION}{$ENDREGION}{$ENDIF}
|
||
|
|
||
|
end.
|