openssl: use 1.0.2 openssl API for host name validation

[project/ustream-ssl.git] / ustream-openssl.c

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 2d569f3..0d4a8ff 100644 (file)
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -16,10 +16,14 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <string.h>
+#include <ctype.h>
+#include <openssl/x509v3.h>
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
 
-__hidden void * __ustream_ssl_context_new(bool server)
+__hidden struct ustream_ssl_ctx *
+__ustream_ssl_context_new(bool server)
 {
        static bool _init = false;
        const void *m;
@@ -47,19 +51,30 @@ __hidden void * __ustream_ssl_context_new(bool server)
        if (!c)
                return NULL;
 
-       if (server)
-               SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+       SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+       SSL_CTX_set_quiet_shutdown(c, 1);
+
+       return (void *) c;
+}
+
+__hidden int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file)
+{
+       int ret;
+
+       ret = SSL_CTX_load_verify_locations((void *) ctx, file, NULL);
+       if (ret < 1)
+               return -1;
 
-       return c;
+       return 0;
 }
 
-__hidden int __ustream_ssl_set_crt_file(void *ctx, const char *file)
+__hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
        int ret;
 
-       ret = SSL_CTX_use_certificate_file(ctx, file, SSL_FILETYPE_PEM);
+       ret = SSL_CTX_use_certificate_chain_file((void *) ctx, file);
        if (ret < 1)
-               ret = SSL_CTX_use_certificate_file(ctx, file, SSL_FILETYPE_ASN1);
+               ret = SSL_CTX_use_certificate_file((void *) ctx, file, SSL_FILETYPE_ASN1);
 
        if (ret < 1)
                return -1;
@@ -67,13 +82,13 @@ __hidden int __ustream_ssl_set_crt_file(void *ctx, const char *file)
        return 0;
 }
 
-__hidden int __ustream_ssl_set_key_file(void *ctx, const char *file)
+__hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
        int ret;
 
-       ret = SSL_CTX_use_PrivateKey_file(ctx, file, SSL_FILETYPE_PEM);
+       ret = SSL_CTX_use_PrivateKey_file((void *) ctx, file, SSL_FILETYPE_PEM);
        if (ret < 1)
-               ret = SSL_CTX_use_PrivateKey_file(ctx, file, SSL_FILETYPE_ASN1);
+               ret = SSL_CTX_use_PrivateKey_file((void *) ctx, file, SSL_FILETYPE_ASN1);
 
        if (ret < 1)
                return -1;
@@ -81,9 +96,15 @@ __hidden int __ustream_ssl_set_key_file(void *ctx, const char *file)
        return 0;
 }
 
-__hidden void __ustream_ssl_context_free(void *ctx)
+__hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
+{
+       SSL_CTX_free((void *) ctx);
+}
+
+void __ustream_ssl_session_free(void *ssl)
 {
-       SSL_CTX_free(ctx);
+       SSL_shutdown(ssl);
+       SSL_free(ssl);
 }
 
 static void ustream_ssl_error(struct ustream_ssl *us, int ret)
@@ -92,6 +113,44 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
        uloop_timeout_set(&us->error_timer, 0);
 }
 
+#ifndef CYASSL_OPENSSL_H_
+
+static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
+{
+       int ret;
+
+       if (!us->peer_cn)
+               return false;
+
+       ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+       return ret == 1;
+}
+
+
+static void ustream_ssl_verify_cert(struct ustream_ssl *us)
+{
+       void *ssl = us->ssl;
+       X509 *cert;
+       int res;
+
+       res = SSL_get_verify_result(ssl);
+       if (res != X509_V_OK) {
+               if (us->notify_verify_error)
+                       us->notify_verify_error(us, res, X509_verify_cert_error_string(res));
+               return;
+       }
+
+       cert = SSL_get_peer_certificate(ssl);
+       if (!cert)
+               return;
+
+       us->valid_cert = true;
+       us->valid_cn = ustream_ssl_verify_cn(us, cert);
+       X509_free(cert);
+}
+
+#endif
+
 __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 {
        void *ssl = us->ssl;
@@ -102,8 +161,12 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
        else
                r = SSL_connect(ssl);
 
-       if (r == 1)
+       if (r == 1) {
+#ifndef CYASSL_OPENSSL_H_
+               ustream_ssl_verify_cert(us);
+#endif
                return U_SSL_OK;
+       }
 
        r = SSL_get_error(ssl, r);
        if (r == SSL_ERROR_WANT_READ || r == SSL_ERROR_WANT_WRITE)