X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fustream-ssl.git;a=blobdiff_plain;f=ustream-polarssl.c;h=e5c84557381dd5a1d56e14923bdef6c2b1dbb134;hp=c32d1d8c591f9e19350800b123cade2da09b88af;hb=881cfb34f60967931ddced1f87152fd045b5bcff;hpb=b0325eb88c76d02563a4d77117ff3dd809a549ea diff --git a/ustream-polarssl.c b/ustream-polarssl.c index c32d1d8..e5c8455 100644 --- a/ustream-polarssl.c +++ b/ustream-polarssl.c @@ -51,15 +51,16 @@ static int s_ustream_read(void *ctx, unsigned char *buf, size_t len) static int s_ustream_write(void *ctx, const unsigned char *buf, size_t len) { struct ustream *s = ctx; + int ret; - len = ustream_write(s, (const char *) buf, len, false); - if (len < 0 || s->write_error) + ret = ustream_write(s, (const char *) buf, len, false); + if (ret < 0 || s->write_error) return POLARSSL_ERR_NET_SEND_FAILED; - return len; + return ret; } -__hidden void ustream_set_io(void *ctx, void *ssl, struct ustream *conn) +__hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct ustream *conn) { ssl_set_bio(ssl, s_ustream_read, conn, s_ustream_write, conn); } @@ -82,49 +83,82 @@ static int _urandom(void *ctx, unsigned char *out, size_t len) return 0; } -__hidden void * __ustream_ssl_context_new(bool server) +__hidden struct ustream_ssl_ctx * +__ustream_ssl_context_new(bool server) { - struct ustream_polarssl_ctx *uctx; + struct ustream_ssl_ctx *ctx; if (!urandom_init()) return NULL; - uctx = calloc(1, sizeof(*uctx)); - if (!uctx) + ctx = calloc(1, sizeof(*ctx)); + if (!ctx) return NULL; - uctx->server = server; - rsa_init(&uctx->key, RSA_PKCS_V15, 0); + ctx->server = server; +#ifdef USE_VERSION_1_3 + pk_init(&ctx->key); +#else + rsa_init(&ctx->key, RSA_PKCS_V15, 0); +#endif - return uctx; + return ctx; } -__hidden int __ustream_ssl_set_crt_file(void *ctx, const char *file) +__hidden int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx *ctx, const char *file) { - struct ustream_polarssl_ctx *uctx = ctx; - - if (x509parse_crtfile(&uctx->cert, file)) + int ret; + +#ifdef USE_VERSION_1_3 + ret = x509_crt_parse_file(&ctx->ca_cert, file); +#else + ret = x509parse_crtfile(&ctx->ca_cert, file); +#endif + if (ret) return -1; return 0; } -__hidden int __ustream_ssl_set_key_file(void *ctx, const char *file) +__hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file) { - struct ustream_polarssl_ctx *uctx = ctx; - - if (x509parse_keyfile(&uctx->key, file, NULL)) + int ret; + +#ifdef USE_VERSION_1_3 + ret = x509_crt_parse_file(&ctx->cert, file); +#else + ret = x509parse_crtfile(&ctx->cert, file); +#endif + if (ret) return -1; return 0; } -__hidden void __ustream_ssl_context_free(void *ctx) +__hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file) { - struct ustream_polarssl_ctx *uctx = ctx; + int ret; + +#ifdef USE_VERSION_1_3 + ret = pk_parse_keyfile(&ctx->key, file, NULL); +#else + ret = x509parse_keyfile(&ctx->key, file, NULL); +#endif + if (ret) + return -1; + + return 0; +} - rsa_free(&uctx->key); - x509_free(&uctx->cert); +__hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx) +{ +#ifdef USE_VERSION_1_3 + pk_free(&ctx->key); + x509_crt_free(&ctx->cert); +#else + rsa_free(&ctx->key); + x509_free(&ctx->cert); +#endif free(ctx); } @@ -145,14 +179,46 @@ static bool ssl_do_wait(int ret) } } +static void ustream_ssl_verify_cert(struct ustream_ssl *us) +{ + void *ssl = us->ssl; + const char *msg = NULL; + bool cn_mismatch; + int r; + + r = ssl_get_verify_result(ssl); + cn_mismatch = r & BADCERT_CN_MISMATCH; + r &= ~BADCERT_CN_MISMATCH; + + if (r & BADCERT_EXPIRED) + msg = "certificate has expired"; + else if (r & BADCERT_REVOKED) + msg = "certificate has been revoked"; + else if (r & BADCERT_NOT_TRUSTED) + msg = "certificate is self-signed or not signed by a trusted CA"; + else + msg = "unknown error"; + + if (r) { + if (us->notify_verify_error) + us->notify_verify_error(us, r, msg); + return; + } + + if (!cn_mismatch) + us->valid_cn = true; +} + __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us) { void *ssl = us->ssl; int r; r = ssl_handshake(ssl); - if (r == 0) + if (r == 0) { + ustream_ssl_verify_cert(us); return U_SSL_OK; + } if (ssl_do_wait(r)) return U_SSL_PENDING; @@ -192,11 +258,53 @@ __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len) return ret; } -__hidden void *__ustream_ssl_session_new(void *ctx) +static const int default_ciphersuites[] = +{ +#if defined(POLARSSL_AES_C) +#if defined(POLARSSL_SHA2_C) + TLS_RSA_WITH_AES_256_CBC_SHA256, +#endif /* POLARSSL_SHA2_C */ +#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C) + TLS_RSA_WITH_AES_256_GCM_SHA384, +#endif /* POLARSSL_SHA2_C */ + TLS_RSA_WITH_AES_256_CBC_SHA, +#endif +#if defined(POLARSSL_CAMELLIA_C) +#if defined(POLARSSL_SHA2_C) + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, +#endif /* POLARSSL_SHA2_C */ + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, +#endif +#if defined(POLARSSL_AES_C) +#if defined(POLARSSL_SHA2_C) + TLS_RSA_WITH_AES_128_CBC_SHA256, +#endif /* POLARSSL_SHA2_C */ +#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C) + TLS_RSA_WITH_AES_128_GCM_SHA256, +#endif /* POLARSSL_SHA2_C */ + TLS_RSA_WITH_AES_128_CBC_SHA, +#endif +#if defined(POLARSSL_CAMELLIA_C) +#if defined(POLARSSL_SHA2_C) + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, +#endif /* POLARSSL_SHA2_C */ + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, +#endif +#if defined(POLARSSL_DES_C) + TLS_RSA_WITH_3DES_EDE_CBC_SHA, +#endif +#if defined(POLARSSL_ARC4_C) + TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_RC4_128_MD5, +#endif + 0 +}; + +__hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx) { - struct ustream_polarssl_ctx *uctx = ctx; ssl_context *ssl; - int ep, auth; + int auth; + int ep; ssl = calloc(1, sizeof(ssl_context)); if (!ssl) @@ -207,7 +315,7 @@ __hidden void *__ustream_ssl_session_new(void *ctx) return NULL; } - if (uctx->server) { + if (ctx->server) { ep = SSL_IS_SERVER; auth = SSL_VERIFY_NONE; } else { @@ -215,14 +323,17 @@ __hidden void *__ustream_ssl_session_new(void *ctx) auth = SSL_VERIFY_OPTIONAL; } + ssl_set_ciphersuites(ssl, default_ciphersuites); ssl_set_endpoint(ssl, ep); ssl_set_authmode(ssl, auth); ssl_set_rng(ssl, _urandom, NULL); - if (uctx->server) { - if (uctx->cert.next) - ssl_set_ca_chain(ssl, uctx->cert.next, NULL, NULL); - ssl_set_own_cert(ssl, &uctx->cert, &uctx->key); + if (ctx->server) { + if (ctx->cert.next) + ssl_set_ca_chain(ssl, ctx->cert.next, NULL, NULL); + ssl_set_own_cert(ssl, &ctx->cert, &ctx->key); + } else { + ssl_set_ca_chain(ssl, &ctx->cert, NULL, NULL); } ssl_session_reset(ssl); @@ -235,3 +346,10 @@ __hidden void __ustream_ssl_session_free(void *ssl) ssl_free(ssl); free(ssl); } + +__hidden void __ustream_ssl_update_peer_cn(struct ustream_ssl *us) +{ + struct ustream_ssl_ctx *ctx = us->ctx; + + ssl_set_ca_chain(us->ssl, &ctx->ca_cert, NULL, us->peer_cn); +}