2 * ustream-ssl - library for SSL over ustream
4 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include <openssl/x509v3.h>
22 #include "ustream-ssl.h"
23 #include "ustream-internal.h"
25 __hidden
struct ustream_ssl_ctx
*
26 __ustream_ssl_context_new(bool server
)
28 static bool _init
= false;
33 SSL_load_error_strings();
38 #ifdef CYASSL_OPENSSL_H_
40 m
= SSLv23_server_method();
42 m
= SSLv23_client_method();
45 m
= TLSv1_server_method();
47 m
= TLSv1_client_method();
50 c
= SSL_CTX_new((void *) m
);
54 SSL_CTX_set_verify(c
, SSL_VERIFY_NONE
, NULL
);
59 __hidden
int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
63 ret
= SSL_CTX_load_verify_locations((void *) ctx
, file
, NULL
);
70 __hidden
int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
74 ret
= SSL_CTX_use_certificate_chain_file((void *) ctx
, file
);
76 ret
= SSL_CTX_use_certificate_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
84 __hidden
int __ustream_ssl_set_key_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
88 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_PEM
);
90 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
98 __hidden
void __ustream_ssl_context_free(struct ustream_ssl_ctx
*ctx
)
100 SSL_CTX_free((void *) ctx
);
103 static void ustream_ssl_error(struct ustream_ssl
*us
, int ret
)
106 uloop_timeout_set(&us
->error_timer
, 0);
109 #ifndef CYASSL_OPENSSL_H_
111 static bool host_pattern_match(const unsigned char *pattern
, const char *cn
)
115 for (; (c
= tolower(*pattern
++)) != 0; cn
++) {
123 c
= tolower(*pattern
++);
127 if (c
== tolower(*cn
) &&
128 host_pattern_match(pattern
, cn
))
140 static bool host_pattern_match_asn1(ASN1_STRING
*asn1
, const char *cn
)
142 unsigned char *pattern
;
145 if (ASN1_STRING_to_UTF8(&pattern
, asn1
) < 0)
151 if (strlen((char *) pattern
) == ASN1_STRING_length(asn1
))
152 ret
= host_pattern_match(pattern
, cn
);
154 OPENSSL_free(pattern
);
159 static bool ustream_ssl_verify_cn_alt(struct ustream_ssl
*us
, X509
*cert
)
161 GENERAL_NAMES
*alt_names
;
164 alt_names
= X509_get_ext_d2i (cert
, NID_subject_alt_name
, NULL
, NULL
);
168 n_alt
= sk_GENERAL_NAME_num(alt_names
);
169 for (i
= 0; i
< n_alt
; i
++) {
170 const GENERAL_NAME
*name
= sk_GENERAL_NAME_value(alt_names
, i
);
175 if (name
->type
!= GEN_DNS
)
178 if (host_pattern_match_asn1(name
->d
.dNSName
, us
->peer_cn
))
185 static bool ustream_ssl_verify_cn(struct ustream_ssl
*us
, X509
*cert
)
194 if (ustream_ssl_verify_cn_alt(us
, cert
))
197 xname
= X509_get_subject_name(cert
);
201 i
= X509_NAME_get_index_by_NID(xname
, NID_commonName
, last
);
211 astr
= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname
, last
));
213 return host_pattern_match_asn1(astr
, us
->peer_cn
);
217 static void ustream_ssl_verify_cert(struct ustream_ssl
*us
)
223 res
= SSL_get_verify_result(ssl
);
224 if (res
!= X509_V_OK
) {
225 if (us
->notify_verify_error
)
226 us
->notify_verify_error(us
, res
, X509_verify_cert_error_string(res
));
230 cert
= SSL_get_peer_certificate(ssl
);
234 us
->valid_cert
= true;
235 us
->valid_cn
= ustream_ssl_verify_cn(us
, cert
);
241 __hidden
enum ssl_conn_status
__ustream_ssl_connect(struct ustream_ssl
*us
)
249 r
= SSL_connect(ssl
);
252 #ifndef CYASSL_OPENSSL_H_
253 ustream_ssl_verify_cert(us
);
258 r
= SSL_get_error(ssl
, r
);
259 if (r
== SSL_ERROR_WANT_READ
|| r
== SSL_ERROR_WANT_WRITE
)
260 return U_SSL_PENDING
;
262 ustream_ssl_error(us
, r
);
266 __hidden
int __ustream_ssl_write(struct ustream_ssl
*us
, const char *buf
, int len
)
269 int ret
= SSL_write(ssl
, buf
, len
);
272 int err
= SSL_get_error(ssl
, ret
);
273 if (err
== SSL_ERROR_WANT_WRITE
)
276 ustream_ssl_error(us
, err
);
283 __hidden
int __ustream_ssl_read(struct ustream_ssl
*us
, char *buf
, int len
)
285 int ret
= SSL_read(us
->ssl
, buf
, len
);
288 ret
= SSL_get_error(us
->ssl
, ret
);
289 if (ret
== SSL_ERROR_WANT_READ
)
290 return U_SSL_PENDING
;
292 ustream_ssl_error(us
, ret
);