a45e2f49714fb67fa787e481d90ef3e945178533
2 * ustream-ssl - library for SSL over ustream
4 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 #include <openssl/x509v3.h>
21 #include "ustream-ssl.h"
22 #include "ustream-internal.h"
24 __hidden
struct ustream_ssl_ctx
*
25 __ustream_ssl_context_new(bool server
)
27 static bool _init
= false;
32 SSL_load_error_strings();
37 #ifdef CYASSL_OPENSSL_H_
39 m
= SSLv23_server_method();
41 m
= SSLv23_client_method();
44 m
= TLSv1_server_method();
46 m
= TLSv1_client_method();
49 c
= SSL_CTX_new((void *) m
);
53 SSL_CTX_set_verify(c
, SSL_VERIFY_NONE
, NULL
);
58 __hidden
int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
62 ret
= SSL_CTX_load_verify_locations((void *) ctx
, file
, NULL
);
69 __hidden
int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
73 ret
= SSL_CTX_use_certificate_chain_file((void *) ctx
, file
);
75 ret
= SSL_CTX_use_certificate_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
83 __hidden
int __ustream_ssl_set_key_file(struct ustream_ssl_ctx
*ctx
, const char *file
)
87 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_PEM
);
89 ret
= SSL_CTX_use_PrivateKey_file((void *) ctx
, file
, SSL_FILETYPE_ASN1
);
97 __hidden
void __ustream_ssl_context_free(struct ustream_ssl_ctx
*ctx
)
99 SSL_CTX_free((void *) ctx
);
102 static void ustream_ssl_error(struct ustream_ssl
*us
, int ret
)
105 uloop_timeout_set(&us
->error_timer
, 0);
108 static bool host_pattern_match(const unsigned char *pattern
, const char *cn
)
112 for (; (c
= tolower(*pattern
++)) != 0; cn
++) {
120 c
= tolower(*pattern
++);
124 if (c
== tolower(*cn
) &&
125 host_pattern_match(pattern
, cn
))
137 static bool host_pattern_match_asn1(ASN1_STRING
*asn1
, const char *cn
)
139 unsigned char *pattern
;
142 if (ASN1_STRING_to_UTF8(&pattern
, asn1
) < 0)
148 if (strlen((char *) pattern
) == ASN1_STRING_length(asn1
))
149 ret
= host_pattern_match(pattern
, cn
);
151 OPENSSL_free(pattern
);
156 static bool ustream_ssl_verify_cn_alt(struct ustream_ssl
*us
, X509
*cert
)
158 GENERAL_NAMES
*alt_names
;
161 alt_names
= X509_get_ext_d2i (cert
, NID_subject_alt_name
, NULL
, NULL
);
165 n_alt
= sk_GENERAL_NAME_num(alt_names
);
166 for (i
= 0; i
< n_alt
; i
++) {
167 const GENERAL_NAME
*name
= sk_GENERAL_NAME_value(alt_names
, i
);
172 if (name
->type
!= GEN_DNS
)
175 if (host_pattern_match_asn1(name
->d
.dNSName
, us
->peer_cn
))
182 static bool ustream_ssl_verify_cn(struct ustream_ssl
*us
, X509
*cert
)
191 if (ustream_ssl_verify_cn_alt(us
, cert
))
194 xname
= X509_get_subject_name(cert
);
198 i
= X509_NAME_get_index_by_NID(xname
, NID_commonName
, last
);
208 astr
= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname
, last
));
210 return host_pattern_match_asn1(astr
, us
->peer_cn
);
214 static void ustream_ssl_verify_cert(struct ustream_ssl
*us
)
220 cert
= SSL_get_peer_certificate(ssl
);
224 res
= SSL_get_verify_result(ssl
);
225 if (res
!= X509_V_OK
) {
226 if (us
->notify_verify_error
)
227 us
->notify_verify_error(us
, res
, X509_verify_cert_error_string(res
));
231 us
->valid_cert
= true;
232 us
->valid_cn
= ustream_ssl_verify_cn(us
, cert
);
235 __hidden
enum ssl_conn_status
__ustream_ssl_connect(struct ustream_ssl
*us
)
243 r
= SSL_connect(ssl
);
246 ustream_ssl_verify_cert(us
);
250 r
= SSL_get_error(ssl
, r
);
251 if (r
== SSL_ERROR_WANT_READ
|| r
== SSL_ERROR_WANT_WRITE
)
252 return U_SSL_PENDING
;
254 ustream_ssl_error(us
, r
);
258 __hidden
int __ustream_ssl_write(struct ustream_ssl
*us
, const char *buf
, int len
)
261 int ret
= SSL_write(ssl
, buf
, len
);
264 int err
= SSL_get_error(ssl
, ret
);
265 if (err
== SSL_ERROR_WANT_WRITE
)
268 ustream_ssl_error(us
, err
);
275 __hidden
int __ustream_ssl_read(struct ustream_ssl
*us
, char *buf
, int len
)
277 int ret
= SSL_read(us
->ssl
, buf
, len
);
280 ret
= SSL_get_error(us
->ssl
, ret
);
281 if (ret
== SSL_ERROR_WANT_READ
)
282 return U_SSL_PENDING
;
284 ustream_ssl_error(us
, ret
);