2 * ustream-ssl - library for SSL over ustream
4 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include <openssl/x509v3.h>
22 #include "ustream-ssl.h"
23 #include "ustream-internal.h"
25 __hidden
struct ustream_ssl_ctx
*
26 __ustream_ssl_context_new(bool server
)
28 static bool _init
= false;
33 SSL_load_error_strings();
38 #ifdef CYASSL_OPENSSL_H_
40 m
= SSLv23_server_method();
42 m
= SSLv23_client_method();
45 m
= TLSv1_server_method();
47 m
= TLSv1_client_method();
50 c
= SSL_CTX_new((void *) m
);
54 SSL_CTX_set_verify(c
, SSL_VERIFY_NONE
, NULL
);
59 __hidden
int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
63 ret
= SSL_CTX_load_verify_locations((void *) ctx
, file
, NULL
);
70 __hidden
int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
74 ret
= SSL_CTX_use_certificate_chain_file((void *) ctx
, file
);
76 ret
= SSL_CTX_use_certificate_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
84 __hidden
int __ustream_ssl_set_key_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
88 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_PEM
);
90 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
98 __hidden
void __ustream_ssl_context_free(struct ustream_ssl_ctx
*ctx
)
100 SSL_CTX_free((void *) ctx
);
103 void __ustream_ssl_session_free(void *ssl
)
109 static void ustream_ssl_error(struct ustream_ssl
*us
, int ret
)
112 uloop_timeout_set(&us
->error_timer
, 0);
115 #ifndef CYASSL_OPENSSL_H_
117 static bool host_pattern_match(const unsigned char *pattern
, const char *cn
)
121 for (; (c
= tolower(*pattern
++)) != 0; cn
++) {
129 c
= tolower(*pattern
++);
133 if (c
== tolower(*cn
) &&
134 host_pattern_match(pattern
, cn
))
146 static bool host_pattern_match_asn1(ASN1_STRING
*asn1
, const char *cn
)
148 unsigned char *pattern
;
151 if (ASN1_STRING_to_UTF8(&pattern
, asn1
) < 0)
157 if (strlen((char *) pattern
) == ASN1_STRING_length(asn1
))
158 ret
= host_pattern_match(pattern
, cn
);
160 OPENSSL_free(pattern
);
165 static bool ustream_ssl_verify_cn_alt(struct ustream_ssl
*us
, X509
*cert
)
167 GENERAL_NAMES
*alt_names
;
171 alt_names
= X509_get_ext_d2i (cert
, NID_subject_alt_name
, NULL
, NULL
);
175 n_alt
= sk_GENERAL_NAME_num(alt_names
);
176 for (i
= 0; i
< n_alt
; i
++) {
177 const GENERAL_NAME
*name
= sk_GENERAL_NAME_value(alt_names
, i
);
182 if (name
->type
!= GEN_DNS
)
185 if (host_pattern_match_asn1(name
->d
.dNSName
, us
->peer_cn
)) {
191 sk_GENERAL_NAME_free(alt_names
);
195 static bool ustream_ssl_verify_cn(struct ustream_ssl
*us
, X509
*cert
)
204 if (ustream_ssl_verify_cn_alt(us
, cert
))
207 xname
= X509_get_subject_name(cert
);
211 i
= X509_NAME_get_index_by_NID(xname
, NID_commonName
, last
);
221 astr
= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname
, last
));
223 return host_pattern_match_asn1(astr
, us
->peer_cn
);
227 static void ustream_ssl_verify_cert(struct ustream_ssl
*us
)
233 res
= SSL_get_verify_result(ssl
);
234 if (res
!= X509_V_OK
) {
235 if (us
->notify_verify_error
)
236 us
->notify_verify_error(us
, res
, X509_verify_cert_error_string(res
));
240 cert
= SSL_get_peer_certificate(ssl
);
244 us
->valid_cert
= true;
245 us
->valid_cn
= ustream_ssl_verify_cn(us
, cert
);
251 __hidden
enum ssl_conn_status
__ustream_ssl_connect(struct ustream_ssl
*us
)
259 r
= SSL_connect(ssl
);
262 #ifndef CYASSL_OPENSSL_H_
263 ustream_ssl_verify_cert(us
);
268 r
= SSL_get_error(ssl
, r
);
269 if (r
== SSL_ERROR_WANT_READ
|| r
== SSL_ERROR_WANT_WRITE
)
270 return U_SSL_PENDING
;
272 ustream_ssl_error(us
, r
);
276 __hidden
int __ustream_ssl_write(struct ustream_ssl
*us
, const char *buf
, int len
)
279 int ret
= SSL_write(ssl
, buf
, len
);
282 int err
= SSL_get_error(ssl
, ret
);
283 if (err
== SSL_ERROR_WANT_WRITE
)
286 ustream_ssl_error(us
, err
);
293 __hidden
int __ustream_ssl_read(struct ustream_ssl
*us
, char *buf
, int len
)
295 int ret
= SSL_read(us
->ssl
, buf
, len
);
298 ret
= SSL_get_error(us
->ssl
, ret
);
299 if (ret
== SSL_ERROR_WANT_READ
)
300 return U_SSL_PENDING
;
302 ustream_ssl_error(us
, ret
);