X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fustream-ssl.git;a=blobdiff_plain;f=ustream-openssl.c;h=eb03dab1ac1dd08f4db5901d56c852d6607ce4fc;hp=efae44c28dd035022a5a3d783426191455636c1d;hb=HEAD;hpb=fc0b5ec804ee43c532978dd04ab0509c34baefb0
diff --git a/ustream-openssl.c b/ustream-openssl.c
index efae44c..eb03dab 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -35,23 +35,26 @@ __ustream_ssl_context_new(bool server)
 _init = true;
 }
-#ifdef CYASSL_OPENSSL_H_
 if (server)
+#ifdef CYASSL_OPENSSL_H_
 m = SSLv23_server_method();
- else
- m = SSLv23_client_method();
 #else
- if (server)
- m = TLSv1_server_method();
- else
- m = TLSv1_client_method();
+ m = TLSv1_2_server_method();
 #endif
+ else
+ m = SSLv23_client_method();
 c = SSL_CTX_new((void *) m);
 if (!c)
 return NULL;
 SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+#ifndef OPENSSL_NO_ECDH
+ SSL_CTX_set_ecdh_auto(c, 1);
+#endif
+ if (server)
+ SSL_CTX_set_cipher_list(c, "DEFAULT:!RC4:@STRENGTH");
+
 SSL_CTX_set_quiet_shutdown(c, 1);
 return (void *) c;
 }
@@ -100,6 +103,12 @@ __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 SSL_CTX_free((void *) ctx);
 }
+void __ustream_ssl_session_free(void *ssl)
+{
+ SSL_shutdown(ssl);
+ SSL_free(ssl);
+}
+
 static void ustream_ssl_error(struct ustream_ssl *us, int ret)
 {
 us->error = ret;
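Review bot: `SSL_CTX_set_cipher_list(c, "DEFAULT:!RC4:@STRENGTH")` discards its return value; OpenSSL returns 0 when the string resolves to no usable cipher, and the context would then be handed back as if configured, so check it the way `SSL_CTX_new` is checked: `if (server && !SSL_CTX_set_cipher_list(c, "DEFAULT:!RC4:@STRENGTH")) { SSL_CTX_free(c); return NULL; }`. The client branch keeps `SSLv23_client_method()` with no `SSL_CTX_set_options(c, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)`, so while the server is now pinned to TLS 1.2 a client can still be negotiated down to SSLv3 if the linked library enables it, and the RC4 exclusion is applied to servers only, so client contexts keep offering RC4. `SSL_CTX_set_ecdh_auto` is meaningful only on OpenSSL 1.0.2 (a no-op macro from 1.1.0 on); a one-line comment on the `#ifndef OPENSSL_NO_ECDH` block saying so would spare the next reader a check. The function's opening lines are above the hunk.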
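Review bot: `__ustream_ssl_session_free` passes `ssl` straight to `SSL_shutdown`, which unlike `SSL_free` does not tolerate a NULL argument, so a caller that frees a session it never managed to create will crash; a guard `if (!ssl) return;` as the first line covers that. The return of `SSL_shutdown` is ignored, which only works because the context sets `SSL_CTX_set_quiet_shutdown(c, 1)` in the previous hunk (no close_notify is sent, the call just marks the session closed), and that coupling deserves a comment such as `/* ctx has quiet shutdown set: no close_notify goes out, session is only marked closed */`. The function is also not marked `__hidden` like `__ustream_ssl_context_free` directly above it; if that is deliberate because it is declared in a public header, a comment should say so, otherwise keep the two consistent.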
@@ -108,109 +117,15 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
 #ifndef CYASSL_OPENSSL_H_
-static bool host_pattern_match(const unsigned char *pattern, const char *cn)
-{
- char c;
-
- for (; (c = tolower(*pattern++)) != 0; cn++) {
- if (c != '*') {
- if (c != *cn)
- return false;
- continue;
- }
-
- do {
- c = tolower(*pattern++);
- } while (c == '*');
-
- while (*cn) {
- if (c == tolower(*cn) &&
- host_pattern_match(pattern, cn))
- return true;
- if (*cn == '.')
- return false;
- cn++;
- }
-
- return !c;
- }
- return !*cn;
-}
-
-static bool host_pattern_match_asn1(ASN1_STRING *asn1, const char *cn)
-{
- unsigned char *pattern;
- bool ret = false;
-
- if (ASN1_STRING_to_UTF8(&pattern, asn1) < 0)
- return false;
-
- if (!pattern)
- return false;
-
- if (strlen((char *) pattern) == ASN1_STRING_length(asn1))
- ret = host_pattern_match(pattern, cn);
-
- OPENSSL_free(pattern);
-
- return ret;
-}
-
-static bool ustream_ssl_verify_cn_alt(struct ustream_ssl *us, X509 *cert)
-{
- GENERAL_NAMES *alt_names;
- int i, n_alt;
-
- alt_names = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
- if (!alt_names)
- return false;
-
- n_alt = sk_GENERAL_NAME_num(alt_names);
- for (i = 0; i < n_alt; i++) {
- const GENERAL_NAME *name = sk_GENERAL_NAME_value(alt_names, i);
-
- if (!name)
- continue;
-
- if (name->type != GEN_DNS)
- continue;
-
- if (host_pattern_match_asn1(name->d.dNSName, us->peer_cn))
- return true;
- }
-
- return false;
-}
-
 static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
 {
- ASN1_STRING *astr;
- X509_NAME *xname;
- int i, last;
+ int ret;
 if (!us->peer_cn)
 return false;
- if (ustream_ssl_verify_cn_alt(us, cert))
- return true;
-
- xname = X509_get_subject_name(cert);
-
- last = -1;
- while (1) {
- i = X509_NAME_get_index_by_NID(xname, NID_commonName, last);
- if (i < 0)
- break;
-
- last = i;
- }
-
- if (last < 0)
- return false;
-
- astr = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(xname, last));
-
- return host_pattern_match_asn1(astr, us->peer_cn);
+ ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+ return ret == 1;
 }
@@ -220,10 +135,6 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 X509 *cert;
 int res;
- cert = SSL_get_peer_certificate(ssl);
- if (!cert)
- return;
-
 res = SSL_get_verify_result(ssl);
 if (res != X509_V_OK) {
 if (us->notify_verify_error)
@@ -231,8 +142,13 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 return;
 }
+ cert = SSL_get_peer_certificate(ssl);
+ if (!cert)
+ return;
+
 us->valid_cert = true;
 us->valid_cn = ustream_ssl_verify_cn(us, cert);
+ X509_free(cert);
 }
 #endif
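Review bot: `X509_check_host` matches only DNS names (subjectAltName dNSName and, by default, the subject CN), so when `us->peer_cn` holds an IP literal the check fails even against a certificate that carries a matching iPAddress SAN; the removed code had the same limitation (it only looked at `GEN_DNS` entries and the CN), but this rewrite is the natural place to add `X509_check_ip_asc(cert, us->peer_cn, 0) == 1` as a fallback when the host check returns 0. `X509_check_host` exists only from OpenSSL 1.0.2, and the hunk adds no guard beyond the existing `#ifndef CYASSL_OPENSSL_H_`, so builds against older OpenSSL now fail to link; either state the minimum version in a comment or guard on `OPENSSL_VERSION_NUMBER`. Folding the negative error returns into "no match" via `ret == 1` is the right call and worth one line, e.g. `/* 1 = match; 0 = no match; negative = error, treated as no match */`.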
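Review bot: The added `if (!cert) return;` in the second ustream_ssl_verify_cert hunk (@@ -231) leaves `us->valid_cert` and `us->valid_cn` false without telling the caller why, while the verify-failure path just above it reports through `us->notify_verify_error`; since `SSL_get_verify_result` also returns X509_V_OK when the peer presented no certificate at all, this NULL check is what stops an anonymous peer from being marked valid, and that deserves a comment such as `/* X509_V_OK is also returned when no cert was presented; only a real cert may set valid_cert */`. Moving the fetch below the result check removes the leak of `cert` on the error path and the new `X509_free(cert)` closes the remaining one, so the ordering should not be "simplified" back later. The function starts outside both hunks (`ssl` is declared above them).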