X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fustream-ssl.git;a=blobdiff_plain;f=ustream-openssl.c;h=eb03dab1ac1dd08f4db5901d56c852d6607ce4fc;hp=635d34ce29726b50f141999f13090d13e4e40be1;hb=HEAD;hpb=02d7535a45290974e7ed51afc90cf2b562c4c74c;ds=sidebyside
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 635d34c..eb03dab 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -35,23 +35,25 @@ __ustream_ssl_context_new(bool server)
 _init = true;
 }
-#ifdef CYASSL_OPENSSL_H_
 if (server)
+#ifdef CYASSL_OPENSSL_H_
 m = SSLv23_server_method();
- else
- m = SSLv23_client_method();
 #else
- if (server)
- m = TLSv1_server_method();
- else
- m = TLSv1_client_method();
+ m = TLSv1_2_server_method();
 #endif
+ else
+ m = SSLv23_client_method();
 c = SSL_CTX_new((void *) m);
 if (!c)
 return NULL;
 SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+#ifndef OPENSSL_NO_ECDH
+ SSL_CTX_set_ecdh_auto(c, 1);
+#endif
+ if (server)
+ SSL_CTX_set_cipher_list(c, "DEFAULT:!RC4:@STRENGTH");
 SSL_CTX_set_quiet_shutdown(c, 1);
 return (void *) c;
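Review bot: The client side is left on `SSLv23_client_method()` with no `SSL_CTX_set_options()` call, so while the server path is now pinned to TLS 1.2, a client context will still negotiate SSLv3 against a peer that offers nothing better on OpenSSL builds that still ship it; the cipher-list restriction a few lines later is likewise applied only when `server` is true, so RC4 stays in the client's default list. Consider adding `SSL_CTX_set_options(c, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the `if (!c) return NULL;` check and dropping the `if (server)` guard so `SSL_CTX_set_cipher_list()` covers both roles. `SSL_CTX_set_cipher_list()` returns 0 when the string yields no usable cipher and its result is ignored here, which would surface only as a handshake failure rather than at context creation; `if (!SSL_CTX_set_cipher_list(c, ...)) goto fail;` style handling would make that explicit. The unchanged `SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL)` line shows OpenSSL itself does not enforce chain verification in this context, so the peer check presumably lives elsewhere in the file — a one-line comment at that call saying where would help a reader.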
@@ -115,113 +117,15 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
 #ifndef CYASSL_OPENSSL_H_
-static bool host_pattern_match(const unsigned char *pattern, const char *cn)
-{
- char c;
-
- for (; (c = tolower(*pattern++)) != 0; cn++) {
- if (c != '*') {
- if (c != tolower(*cn))
- return false;
- continue;
- }
-
- do {
- c = tolower(*pattern++);
- } while (c == '*');
-
- while (*cn) {
- if (c == tolower(*cn) &&
- host_pattern_match(pattern, cn))
- return true;
- if (*cn == '.')
- return false;
- cn++;
- }
-
- return !c;
- }
- return !*cn;
-}
-
-static bool host_pattern_match_asn1(ASN1_STRING *asn1, const char *cn)
-{
- unsigned char *pattern;
- bool ret = false;
-
- if (ASN1_STRING_to_UTF8(&pattern, asn1) < 0)
- return false;
-
- if (!pattern)
- return false;
-
- if (strlen((char *) pattern) == ASN1_STRING_length(asn1))
- ret = host_pattern_match(pattern, cn);
-
- OPENSSL_free(pattern);
-
- return ret;
-}
-
-static bool ustream_ssl_verify_cn_alt(struct ustream_ssl *us, X509 *cert)
-{
- GENERAL_NAMES *alt_names;
- int i, n_alt;
- bool ret = false;
-
- alt_names = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
- if (!alt_names)
- return false;
-
- n_alt = sk_GENERAL_NAME_num(alt_names);
- for (i = 0; i < n_alt; i++) {
- const GENERAL_NAME *name = sk_GENERAL_NAME_value(alt_names, i);
-
- if (!name)
- continue;
-
- if (name->type != GEN_DNS)
- continue;
-
- if (host_pattern_match_asn1(name->d.dNSName, us->peer_cn)) {
- ret = true;
- break;
- }
- }
-
- sk_GENERAL_NAME_free(alt_names);
- return ret;
-}
-
 static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
 {
- ASN1_STRING *astr;
- X509_NAME *xname;
- int i, last;
+ int ret;
 if (!us->peer_cn)
 return false;
- if (ustream_ssl_verify_cn_alt(us, cert))
- return true;
-
- xname = X509_get_subject_name(cert);
-
- last = -1;
- while (1) {
- i = X509_NAME_get_index_by_NID(xname, NID_commonName, last);
- if (i < 0)
- break;
-
- last = i;
- }
-
- if (last < 0)
- return false;
-
- astr = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname, last));
-
- return host_pattern_match_asn1(astr, us->peer_cn);
+ ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+ return ret == 1;
 }
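Review bot: The return-value contract of `X509_check_host()` is not documented at the new `ret = X509_check_host(...)` line: it yields 1 on match, 0 on mismatch and a negative value on malformed input or internal error, so treating only `ret == 1` as verified is correct but easy to lose in a later edit. A comment such as `/* X509_check_host(): 1 = match, 0 = no match, <0 = error; anything but 1 is a verification failure */` above the call would preserve that. Passing 0 as namelen makes OpenSSL take `strlen(us->peer_cn)`, so the check now relies on `peer_cn` being NUL-terminated with no embedded NUL, which is worth stating on the field's contract. `X509_check_host()` is only available from OpenSSL 1.0.2, yet this block is guarded solely by `#ifndef CYASSL_OPENSSL_H_`, so a build against an older OpenSSL now fails to compile rather than falling back — acceptable if 1.0.2 is the minimum, but the description should say so. Like the removed code, `X509_check_host()` does not match IP-address literals (that would need `X509_check_ip_asc()`), so a `peer_cn` that is an IP address still fails verification.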