X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fustream-ssl.git;a=blobdiff_plain;f=ustream-polarssl.c;h=615ac2d88bff5ce09b5dbe00eb6815ed949dfc42;hp=2117189ae61551e1dc6cb67451d99dc9dd4604e3;hb=a4ca61527236e89eb9efb782fd9bfd04796144e3;hpb=daa954de38f2bf4e2fbc41ac7917f8447d37a2a0

diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index 2117189..615ac2d 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -51,15 +51,16 @@ static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
 static int s_ustream_write(void *ctx, const unsigned char *buf, size_t len)
 {
 	struct ustream *s = ctx;
+	int ret;
 
-	len = ustream_write(s, (const char *) buf, len, false);
-	if (len < 0 || s->write_error)
+	ret = ustream_write(s, (const char *) buf, len, false);
+	if (ret < 0 || s->write_error)
 		return POLARSSL_ERR_NET_SEND_FAILED;
 
-	return len;
+	return ret;
 }
 
-__hidden void ustream_set_io(void *ctx, void *ssl, struct ustream *conn)
+__hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct ustream *conn)
 {
 	ssl_set_bio(ssl, s_ustream_read, conn, s_ustream_write, conn);
 }
@@ -78,53 +79,88 @@ static bool urandom_init(void)
 
 static int _urandom(void *ctx, unsigned char *out, size_t len)
 {
-	read(urandom_fd, out, len);
+	if (read(urandom_fd, out, len) < 0)
+		return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
+
 	return 0;
 }
 
-__hidden void * __ustream_ssl_context_new(bool server)
+__hidden struct ustream_ssl_ctx *
+__ustream_ssl_context_new(bool server)
 {
-	struct ustream_polarssl_ctx *uctx;
+	struct ustream_ssl_ctx *ctx;
 
 	if (!urandom_init())
 		return NULL;
 
-	uctx = calloc(1, sizeof(*uctx));
-	if (!uctx)
+	ctx = calloc(1, sizeof(*ctx));
+	if (!ctx)
 		return NULL;
 
-	uctx->server = server;
-	rsa_init(&uctx->key, RSA_PKCS_V15, 0);
+	ctx->server = server;
+#ifdef USE_VERSION_1_3
+	pk_init(&ctx->key);
+#else
+	rsa_init(&ctx->key, RSA_PKCS_V15, 0);
+#endif
 
-	return uctx;
+	return ctx;
 }
 
-__hidden int __ustream_ssl_set_crt_file(void *ctx, const char *file)
+__hidden int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
+	int ret;
 
-	if (x509parse_crtfile(&uctx->cert, file))
+#ifdef USE_VERSION_1_3
+	ret = x509_crt_parse_file(&ctx->ca_cert, file);
+#else
+	ret = x509parse_crtfile(&ctx->ca_cert, file);
+#endif
+	if (ret)
 		return -1;
 
 	return 0;
 }
 
-__hidden int __ustream_ssl_set_key_file(void *ctx, const char *file)
+__hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
+	int ret;
 
-	if (x509parse_keyfile(&uctx->key, file, NULL))
+#ifdef USE_VERSION_1_3
+	ret = x509_crt_parse_file(&ctx->cert, file);
+#else
+	ret = x509parse_crtfile(&ctx->cert, file);
+#endif
+	if (ret)
 		return -1;
 
 	return 0;
 }
 
-__hidden void __ustream_ssl_context_free(void *ctx)
+__hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
+	int ret;
 
-	rsa_free(&uctx->key);
-	x509_free(&uctx->cert);
+#ifdef USE_VERSION_1_3
+	ret = pk_parse_keyfile(&ctx->key, file, NULL);
+#else
+	ret = x509parse_keyfile(&ctx->key, file, NULL);
+#endif
+	if (ret)
+		return -1;
+
+	return 0;
+}
+
+__hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
+{
+#ifdef USE_VERSION_1_3
+	pk_free(&ctx->key);
+	x509_crt_free(&ctx->cert);
+#else
+	rsa_free(&ctx->key);
+	x509_free(&ctx->cert);
+#endif
 	free(ctx);
 }
 
@@ -145,14 +181,46 @@ static bool ssl_do_wait(int ret)
 	}
 }
 
+static void ustream_ssl_verify_cert(struct ustream_ssl *us)
+{
+	void *ssl = us->ssl;
+	const char *msg = NULL;
+	bool cn_mismatch;
+	int r;
+
+	r = ssl_get_verify_result(ssl);
+	cn_mismatch = r & BADCERT_CN_MISMATCH;
+	r &= ~BADCERT_CN_MISMATCH;
+
+	if (r & BADCERT_EXPIRED)
+		msg = "certificate has expired";
+	else if (r & BADCERT_REVOKED)
+		msg = "certificate has been revoked";
+	else if (r & BADCERT_NOT_TRUSTED)
+		msg = "certificate is self-signed or not signed by a trusted CA";
+	else
+		msg = "unknown error";
+
+	if (r) {
+		if (us->notify_verify_error)
+			us->notify_verify_error(us, r, msg);
+		return;
+	}
+
+	if (!cn_mismatch)
+		us->valid_cn = true;
+}
+
 __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 {
 	void *ssl = us->ssl;
 	int r;
 
 	r = ssl_handshake(ssl);
-	if (r == 0)
+	if (r == 0) {
+		ustream_ssl_verify_cert(us);
 		return U_SSL_OK;
+	}
 
 	if (ssl_do_wait(r))
 		return U_SSL_PENDING;
@@ -164,17 +232,23 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 __hidden int __ustream_ssl_write(struct ustream_ssl *us, const char *buf, int len)
 {
 	void *ssl = us->ssl;
-	int ret = ssl_write(ssl, (const unsigned char *) buf, len);
+	int done = 0, ret = 0;
 
-	if (ret < 0) {
-		if (ssl_do_wait(ret))
-			return 0;
+	while (done != len) {
+		ret = ssl_write(ssl, (const unsigned char *) buf + done, len - done);
 
-		ustream_ssl_error(us, ret);
-		return -1;
+		if (ret < 0) {
+			if (ssl_do_wait(ret))
+				return done;
+
+			ustream_ssl_error(us, ret);
+			return -1;
+		}
+
+		done += ret;
 	}
 
-	return ret;
+	return done;
 }
 
 __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len)
@@ -234,11 +308,11 @@ static const int default_ciphersuites[] =
     0
 };
 
-__hidden void *__ustream_ssl_session_new(void *ctx)
+__hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
-	struct ustream_polarssl_ctx *uctx = ctx;
 	ssl_context *ssl;
-	int ep, auth;
+	int auth;
+	int ep;
 
 	ssl = calloc(1, sizeof(ssl_context));
 	if (!ssl)
@@ -249,7 +323,7 @@ __hidden void *__ustream_ssl_session_new(void *ctx)
 		return NULL;
 	}
 
-	if (uctx->server) {
+	if (ctx->server) {
 		ep = SSL_IS_SERVER;
 		auth = SSL_VERIFY_NONE;
 	} else {
@@ -262,10 +336,12 @@ __hidden void *__ustream_ssl_session_new(void *ctx)
 	ssl_set_authmode(ssl, auth);
 	ssl_set_rng(ssl, _urandom, NULL);
 
-	if (uctx->server) {
-		if (uctx->cert.next)
-			ssl_set_ca_chain(ssl, uctx->cert.next, NULL, NULL);
-		ssl_set_own_cert(ssl, &uctx->cert, &uctx->key);
+	if (ctx->server) {
+		if (ctx->cert.next)
+			ssl_set_ca_chain(ssl, ctx->cert.next, NULL, NULL);
+		ssl_set_own_cert(ssl, &ctx->cert, &ctx->key);
+	} else {
+		ssl_set_ca_chain(ssl, &ctx->cert, NULL, NULL);
 	}
 
 	ssl_session_reset(ssl);
@@ -278,3 +354,10 @@ __hidden void __ustream_ssl_session_free(void *ssl)
 	ssl_free(ssl);
 	free(ssl);
 }
+
+__hidden void __ustream_ssl_update_peer_cn(struct ustream_ssl *us)
+{
+	struct ustream_ssl_ctx *ctx = us->ctx;
+
+	ssl_set_ca_chain(us->ssl, &ctx->ca_cert, NULL, us->peer_cn);
+}