2 * ustream-ssl - library for SSL over ustream
4 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include <openssl/x509v3.h>
22 #include "ustream-ssl.h"
23 #include "ustream-internal.h"
25 __hidden
struct ustream_ssl_ctx
*
26 __ustream_ssl_context_new(bool server
)
28 static bool _init
= false;
33 SSL_load_error_strings();
38 #ifdef CYASSL_OPENSSL_H_
40 m
= SSLv23_server_method();
42 m
= SSLv23_client_method();
45 m
= TLSv1_server_method();
47 m
= TLSv1_client_method();
50 c
= SSL_CTX_new((void *) m
);
54 SSL_CTX_set_verify(c
, SSL_VERIFY_NONE
, NULL
);
59 __hidden
int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
63 ret
= SSL_CTX_load_verify_locations((void *) ctx
, file
, NULL
);
70 __hidden
int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
74 ret
= SSL_CTX_use_certificate_chain_file((void *) ctx
, file
);
76 ret
= SSL_CTX_use_certificate_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
84 __hidden
int __ustream_ssl_set_key_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
88 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_PEM
);
90 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
98 __hidden
void __ustream_ssl_context_free(struct ustream_ssl_ctx
*ctx
)
100 SSL_CTX_free((void *) ctx
);
103 static void ustream_ssl_error(struct ustream_ssl
*us
, int ret
)
106 uloop_timeout_set(&us
->error_timer
, 0);
109 #ifndef CYASSL_OPENSSL_H_
111 static bool host_pattern_match(const unsigned char *pattern
, const char *cn
)
115 for (; (c
= tolower(*pattern
++)) != 0; cn
++) {
123 c
= tolower(*pattern
++);
127 if (c
== tolower(*cn
) &&
128 host_pattern_match(pattern
, cn
))
140 static bool host_pattern_match_asn1(ASN1_STRING
*asn1
, const char *cn
)
142 unsigned char *pattern
;
145 if (ASN1_STRING_to_UTF8(&pattern
, asn1
) < 0)
151 if (strlen((char *) pattern
) == ASN1_STRING_length(asn1
))
152 ret
= host_pattern_match(pattern
, cn
);
154 OPENSSL_free(pattern
);
159 static bool ustream_ssl_verify_cn_alt(struct ustream_ssl
*us
, X509
*cert
)
161 GENERAL_NAMES
*alt_names
;
165 alt_names
= X509_get_ext_d2i (cert
, NID_subject_alt_name
, NULL
, NULL
);
169 n_alt
= sk_GENERAL_NAME_num(alt_names
);
170 for (i
= 0; i
< n_alt
; i
++) {
171 const GENERAL_NAME
*name
= sk_GENERAL_NAME_value(alt_names
, i
);
176 if (name
->type
!= GEN_DNS
)
179 if (host_pattern_match_asn1(name
->d
.dNSName
, us
->peer_cn
)) {
185 sk_GENERAL_NAME_free(alt_names
);
189 static bool ustream_ssl_verify_cn(struct ustream_ssl
*us
, X509
*cert
)
198 if (ustream_ssl_verify_cn_alt(us
, cert
))
201 xname
= X509_get_subject_name(cert
);
205 i
= X509_NAME_get_index_by_NID(xname
, NID_commonName
, last
);
215 astr
= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname
, last
));
217 return host_pattern_match_asn1(astr
, us
->peer_cn
);
221 static void ustream_ssl_verify_cert(struct ustream_ssl
*us
)
227 res
= SSL_get_verify_result(ssl
);
228 if (res
!= X509_V_OK
) {
229 if (us
->notify_verify_error
)
230 us
->notify_verify_error(us
, res
, X509_verify_cert_error_string(res
));
234 cert
= SSL_get_peer_certificate(ssl
);
238 us
->valid_cert
= true;
239 us
->valid_cn
= ustream_ssl_verify_cn(us
, cert
);
245 __hidden
enum ssl_conn_status
__ustream_ssl_connect(struct ustream_ssl
*us
)
253 r
= SSL_connect(ssl
);
256 #ifndef CYASSL_OPENSSL_H_
257 ustream_ssl_verify_cert(us
);
262 r
= SSL_get_error(ssl
, r
);
263 if (r
== SSL_ERROR_WANT_READ
|| r
== SSL_ERROR_WANT_WRITE
)
264 return U_SSL_PENDING
;
266 ustream_ssl_error(us
, r
);
270 __hidden
int __ustream_ssl_write(struct ustream_ssl
*us
, const char *buf
, int len
)
273 int ret
= SSL_write(ssl
, buf
, len
);
276 int err
= SSL_get_error(ssl
, ret
);
277 if (err
== SSL_ERROR_WANT_WRITE
)
280 ustream_ssl_error(us
, err
);
287 __hidden
int __ustream_ssl_read(struct ustream_ssl
*us
, char *buf
, int len
)
289 int ret
= SSL_read(us
->ssl
, buf
, len
);
292 ret
= SSL_get_error(us
->ssl
, ret
);
293 if (ret
== SSL_ERROR_WANT_READ
)
294 return U_SSL_PENDING
;
296 ustream_ssl_error(us
, ret
);