X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=ustream-polarssl.c;h=d334f15643970263a6bc79738871f18dc1df774a;hb=c2d73c22618e8ee444e8d346695eca908ecb72d3;hp=10221d39ad0e2e07c8fd44acebc2fce68268932b;hpb=2263994fef00cd53642c0337e893fb2d1b35c081;p=project%2Fustream-ssl.git

diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index 10221d3..d334f15 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -20,6 +20,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <string.h>
 
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
@@ -51,15 +52,16 @@ static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
 static int s_ustream_write(void *ctx, const unsigned char *buf, size_t len)
 {
 	struct ustream *s = ctx;
+	int ret;
 
-	len = ustream_write(s, (const char *) buf, len, false);
-	if (len < 0 || s->write_error)
+	ret = ustream_write(s, (const char *) buf, len, false);
+	if (ret < 0 || s->write_error)
 		return POLARSSL_ERR_NET_SEND_FAILED;
 
-	return len;
+	return ret;
 }
 
-__hidden void ustream_set_io(void *ctx, void *ssl, struct ustream *conn)
+__hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct ustream *conn)
 {
 	ssl_set_bio(ssl, s_ustream_read, conn, s_ustream_write, conn);
 }
@@ -78,40 +80,42 @@ static bool urandom_init(void)
 
 static int _urandom(void *ctx, unsigned char *out, size_t len)
 {
-	read(urandom_fd, out, len);
+	if (read(urandom_fd, out, len) < 0)
+		return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
+
 	return 0;
 }
 
-__hidden void * __ustream_ssl_context_new(bool server)
+__hidden struct ustream_ssl_ctx *
+__ustream_ssl_context_new(bool server)
 {
-	struct ustream_polarssl_ctx *uctx;
+	struct ustream_ssl_ctx *ctx;
 
 	if (!urandom_init())
 		return NULL;
 
-	uctx = calloc(1, sizeof(*uctx));
-	if (!uctx)
+	ctx = calloc(1, sizeof(*ctx));
+	if (!ctx)
 		return NULL;
 
-	uctx->server = server;
+	ctx->server = server;
 #ifdef USE_VERSION_1_3
-	pk_init(&uctx->key);
+	pk_init(&ctx->key);
 #else
-	rsa_init(&uctx->key, RSA_PKCS_V15, 0);
+	rsa_init(&ctx->key, RSA_PKCS_V15, 0);
 #endif
 
-	return uctx;
+	return ctx;
 }
 
-__hidden int __ustream_ssl_set_crt_file(void *ctx, const char *file)
+__hidden int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
 	int ret;
 
 #ifdef USE_VERSION_1_3
-	ret = x509_crt_parse_file(&uctx->cert, file);
+	ret = x509_crt_parse_file(&ctx->ca_cert, file);
 #else
-	ret = x509parse_crtfile(&uctx->cert, file);
+	ret = x509parse_crtfile(&ctx->ca_cert, file);
 #endif
 	if (ret)
 		return -1;
@@ -119,15 +123,14 @@ __hidden int __ustream_ssl_set_crt_file(void *ctx, const char *file)
 	return 0;
 }
 
-__hidden int __ustream_ssl_set_key_file(void *ctx, const char *file)
+__hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
 	int ret;
 
 #ifdef USE_VERSION_1_3
-	ret = pk_parse_keyfile(&uctx->key, file, NULL);
+	ret = x509_crt_parse_file(&ctx->cert, file);
 #else
-	ret = x509parse_keyfile(&uctx->key, file, NULL);
+	ret = x509parse_crtfile(&ctx->cert, file);
 #endif
 	if (ret)
 		return -1;
@@ -135,16 +138,29 @@ __hidden int __ustream_ssl_set_key_file(void *ctx, const char *file)
 	return 0;
 }
 
-__hidden void __ustream_ssl_context_free(void *ctx)
+__hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
+	int ret;
+
+#ifdef USE_VERSION_1_3
+	ret = pk_parse_keyfile(&ctx->key, file, NULL);
+#else
+	ret = x509parse_keyfile(&ctx->key, file, NULL);
+#endif
+	if (ret)
+		return -1;
 
+	return 0;
+}
+
+__hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
+{
 #ifdef USE_VERSION_1_3
-	pk_free(&uctx->key);
-	x509_crt_free(&uctx->cert);
+	pk_free(&ctx->key);
+	x509_crt_free(&ctx->cert);
 #else
-	rsa_free(&uctx->key);
-	x509_free(&uctx->cert);
+	rsa_free(&ctx->key);
+	x509_free(&ctx->cert);
 #endif
 	free(ctx);
 }
@@ -166,14 +182,46 @@ static bool ssl_do_wait(int ret)
 	}
 }
 
+static void ustream_ssl_verify_cert(struct ustream_ssl *us)
+{
+	void *ssl = us->ssl;
+	const char *msg = NULL;
+	bool cn_mismatch;
+	int r;
+
+	r = ssl_get_verify_result(ssl);
+	cn_mismatch = r & BADCERT_CN_MISMATCH;
+	r &= ~BADCERT_CN_MISMATCH;
+
+	if (r & BADCERT_EXPIRED)
+		msg = "certificate has expired";
+	else if (r & BADCERT_REVOKED)
+		msg = "certificate has been revoked";
+	else if (r & BADCERT_NOT_TRUSTED)
+		msg = "certificate is self-signed or not signed by a trusted CA";
+	else
+		msg = "unknown error";
+
+	if (r) {
+		if (us->notify_verify_error)
+			us->notify_verify_error(us, r, msg);
+		return;
+	}
+
+	if (!cn_mismatch)
+		us->valid_cn = true;
+}
+
 __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 {
 	void *ssl = us->ssl;
 	int r;
 
 	r = ssl_handshake(ssl);
-	if (r == 0)
+	if (r == 0) {
+		ustream_ssl_verify_cert(us);
 		return U_SSL_OK;
+	}
 
 	if (ssl_do_wait(r))
 		return U_SSL_PENDING;
@@ -185,17 +233,23 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 __hidden int __ustream_ssl_write(struct ustream_ssl *us, const char *buf, int len)
 {
 	void *ssl = us->ssl;
-	int ret = ssl_write(ssl, (const unsigned char *) buf, len);
+	int done = 0, ret = 0;
 
-	if (ret < 0) {
-		if (ssl_do_wait(ret))
-			return 0;
+	while (done != len) {
+		ret = ssl_write(ssl, (const unsigned char *) buf + done, len - done);
 
-		ustream_ssl_error(us, ret);
-		return -1;
+		if (ret < 0) {
+			if (ssl_do_wait(ret))
+				return done;
+
+			ustream_ssl_error(us, ret);
+			return -1;
+		}
+
+		done += ret;
 	}
 
-	return ret;
+	return done;
 }
 
 __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len)
@@ -255,11 +309,11 @@ static const int default_ciphersuites[] =
     0
 };
 
-__hidden void *__ustream_ssl_session_new(void *ctx)
+__hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
 	ssl_context *ssl;
-	int ep, auth;
+	int auth;
+	int ep;
 
 	ssl = calloc(1, sizeof(ssl_context));
 	if (!ssl)
@@ -270,7 +324,7 @@ __hidden void *__ustream_ssl_session_new(void *ctx)
 		return NULL;
 	}
 
-	if (uctx->server) {
+	if (ctx->server) {
 		ep = SSL_IS_SERVER;
 		auth = SSL_VERIFY_NONE;
 	} else {
@@ -283,10 +337,12 @@ __hidden void *__ustream_ssl_session_new(void *ctx)
 	ssl_set_authmode(ssl, auth);
 	ssl_set_rng(ssl, _urandom, NULL);
 
-	if (uctx->server) {
-		if (uctx->cert.next)
-			ssl_set_ca_chain(ssl, uctx->cert.next, NULL, NULL);
-		ssl_set_own_cert(ssl, &uctx->cert, &uctx->key);
+	if (ctx->server) {
+		if (ctx->cert.next)
+			ssl_set_ca_chain(ssl, ctx->cert.next, NULL, NULL);
+		ssl_set_own_cert(ssl, &ctx->cert, &ctx->key);
+	} else {
+		ssl_set_ca_chain(ssl, &ctx->cert, NULL, NULL);
 	}
 
 	ssl_session_reset(ssl);
@@ -299,3 +355,10 @@ __hidden void __ustream_ssl_session_free(void *ssl)
 	ssl_free(ssl);
 	free(ssl);
 }
+
+__hidden void __ustream_ssl_update_peer_cn(struct ustream_ssl *us)
+{
+	struct ustream_ssl_ctx *ctx = us->ctx;
+
+	ssl_set_ca_chain(us->ssl, &ctx->ca_cert, NULL, us->peer_cn);
+}