06053e6fb661556a66da8f4cf7f70349ace2eb5b
2 * ustream-ssl - library for SSL over ustream
4 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include <openssl/x509v3.h>
22 #include "ustream-ssl.h"
23 #include "ustream-internal.h"
25 __hidden
struct ustream_ssl_ctx
*
26 __ustream_ssl_context_new(bool server
)
28 static bool _init
= false;
33 SSL_load_error_strings();
38 #ifdef CYASSL_OPENSSL_H_
40 m
= SSLv23_server_method();
42 m
= SSLv23_client_method();
45 m
= TLSv1_server_method();
47 m
= TLSv1_client_method();
50 c
= SSL_CTX_new((void *) m
);
54 SSL_CTX_set_verify(c
, SSL_VERIFY_NONE
, NULL
);
55 SSL_CTX_set_quiet_shutdown(c
, 1);
60 __hidden
int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
64 ret
= SSL_CTX_load_verify_locations((void *) ctx
, file
, NULL
);
71 __hidden
int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
75 ret
= SSL_CTX_use_certificate_chain_file((void *) ctx
, file
);
77 ret
= SSL_CTX_use_certificate_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
85 __hidden
int __ustream_ssl_set_key_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
89 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_PEM
);
91 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
99 __hidden
void __ustream_ssl_context_free(struct ustream_ssl_ctx
*ctx
)
101 SSL_CTX_free((void *) ctx
);
104 void __ustream_ssl_session_free(void *ssl
)
110 static void ustream_ssl_error(struct ustream_ssl
*us
, int ret
)
113 uloop_timeout_set(&us
->error_timer
, 0);
116 #ifndef CYASSL_OPENSSL_H_
118 static bool host_pattern_match(const unsigned char *pattern
, const char *cn
)
122 for (; (c
= tolower(*pattern
++)) != 0; cn
++) {
130 c
= tolower(*pattern
++);
134 if (c
== tolower(*cn
) &&
135 host_pattern_match(pattern
, cn
))
147 static bool host_pattern_match_asn1(ASN1_STRING
*asn1
, const char *cn
)
149 unsigned char *pattern
;
152 if (ASN1_STRING_to_UTF8(&pattern
, asn1
) < 0)
158 if (strlen((char *) pattern
) == ASN1_STRING_length(asn1
))
159 ret
= host_pattern_match(pattern
, cn
);
161 OPENSSL_free(pattern
);
166 static bool ustream_ssl_verify_cn_alt(struct ustream_ssl
*us
, X509
*cert
)
168 GENERAL_NAMES
*alt_names
;
172 alt_names
= X509_get_ext_d2i (cert
, NID_subject_alt_name
, NULL
, NULL
);
176 n_alt
= sk_GENERAL_NAME_num(alt_names
);
177 for (i
= 0; i
< n_alt
; i
++) {
178 const GENERAL_NAME
*name
= sk_GENERAL_NAME_value(alt_names
, i
);
183 if (name
->type
!= GEN_DNS
)
186 if (host_pattern_match_asn1(name
->d
.dNSName
, us
->peer_cn
)) {
192 sk_GENERAL_NAME_free(alt_names
);
196 static bool ustream_ssl_verify_cn(struct ustream_ssl
*us
, X509
*cert
)
205 if (ustream_ssl_verify_cn_alt(us
, cert
))
208 xname
= X509_get_subject_name(cert
);
212 i
= X509_NAME_get_index_by_NID(xname
, NID_commonName
, last
);
222 astr
= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname
, last
));
224 return host_pattern_match_asn1(astr
, us
->peer_cn
);
228 static void ustream_ssl_verify_cert(struct ustream_ssl
*us
)
234 res
= SSL_get_verify_result(ssl
);
235 if (res
!= X509_V_OK
) {
236 if (us
->notify_verify_error
)
237 us
->notify_verify_error(us
, res
, X509_verify_cert_error_string(res
));
241 cert
= SSL_get_peer_certificate(ssl
);
245 us
->valid_cert
= true;
246 us
->valid_cn
= ustream_ssl_verify_cn(us
, cert
);
252 __hidden
enum ssl_conn_status
__ustream_ssl_connect(struct ustream_ssl
*us
)
260 r
= SSL_connect(ssl
);
263 #ifndef CYASSL_OPENSSL_H_
264 ustream_ssl_verify_cert(us
);
269 r
= SSL_get_error(ssl
, r
);
270 if (r
== SSL_ERROR_WANT_READ
|| r
== SSL_ERROR_WANT_WRITE
)
271 return U_SSL_PENDING
;
273 ustream_ssl_error(us
, r
);
277 __hidden
int __ustream_ssl_write(struct ustream_ssl
*us
, const char *buf
, int len
)
280 int ret
= SSL_write(ssl
, buf
, len
);
283 int err
= SSL_get_error(ssl
, ret
);
284 if (err
== SSL_ERROR_WANT_WRITE
)
287 ustream_ssl_error(us
, err
);
294 __hidden
int __ustream_ssl_read(struct ustream_ssl
*us
, char *buf
, int len
)
296 int ret
= SSL_read(us
->ssl
, buf
, len
);
299 ret
= SSL_get_error(us
->ssl
, ret
);
300 if (ret
== SSL_ERROR_WANT_READ
)
301 return U_SSL_PENDING
;
303 ustream_ssl_error(us
, ret
);