27 #include <openssl/x509_vfy.h>
38 err_cert = X509_STORE_CTX_get_current_cert(ctx);
39 err = X509_STORE_CTX_get_error(ctx);
40 depth = X509_STORE_CTX_get_error_depth(ctx);
45 if (!preverify_ok && err == X509_V_ERR_UNABLE_TO_GET_CRL) {
46 _sx_debug(
ZONE,
"ignoring verify error:num=%d:%s:depth=%d:%s\n", err,
47 X509_verify_cert_error_string(err), depth, buf);
55 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
56 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
60 X509_verify_cert_error_string(err), depth, buf);
71 if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
73 X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
101 char *ns = NULL, *to = NULL, *from = NULL, *version = NULL;
119 _sx_debug(
ZONE,
"starttls requested on already encrypted channel, dropping packet");
125 _sx_debug(
ZONE,
"starttls requested on already compressed channel, dropping packet");
148 if(s->
ns != NULL) ns = strdup(s->
ns);
163 if(ns != NULL) free(ns);
164 if(to != NULL) free(to);
165 if(from != NULL) free(from);
166 if(version != NULL) free(version);
183 _sx_debug(
ZONE,
"server can't handle ssl, business as usual");
218 X509_NAME_ENTRY *entry;
220 X509_EXTENSION *extension;
221 STACK_OF(GENERAL_NAME) *altnames;
222 GENERAL_NAME *altname;
223 OTHERNAME *othername;
226 int id_on_xmppAddr_nid;
227 ASN1_OBJECT *id_on_xmppAddr_obj;
229 int i, j, count,
id = 0, len;
232 if ((cert = SSL_get_peer_certificate(sc->ssl) ) == NULL)
237 id_on_xmppAddr_nid = OBJ_create(
"1.3.6.1.5.5.7.8.5",
"id-on-xmppAddr",
"XMPP Address Identity");
238 id_on_xmppAddr_obj = OBJ_nid2obj(id_on_xmppAddr_nid);
239 _sx_debug(
ZONE,
"external_id: Created id-on-xmppAddr SSL object");
242 for (i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
244 i = X509_get_ext_by_NID(cert, NID_subject_alt_name, i)) {
246 if ((extension = X509_get_ext(cert, i)) == NULL) {
247 _sx_debug(
ZONE,
"external_id: Can't get subjectAltName. Possibly malformed cert.");
251 if ((altnames = X509V3_EXT_d2i(extension)) == NULL) {
252 _sx_debug(
ZONE,
"external_id: Can't get all AltNames. Possibly malformed cert.");
256 count = sk_GENERAL_NAME_num(altnames);
257 for (j = 0; j < count; j++) {
258 if ((altname = sk_GENERAL_NAME_value(altnames, j)) == NULL) {
259 _sx_debug(
ZONE,
"external_id: Can't get AltName. Possibly malformed cert.");
263 if (altname->type == GEN_OTHERNAME &&
264 OBJ_cmp(altname->d.otherName->type_id, id_on_xmppAddr_obj) == 0) {
265 othername = altname->d.otherName;
266 len = ASN1_STRING_to_UTF8((
unsigned char **) &buff, othername->value->value.utf8string);
269 sc->external_id[id] = (
char *) malloc(
sizeof(
char) * (len + 1));
270 memcpy(sc->external_id[
id], buff, len);
271 sc->external_id[id][len] =
'\0';
272 _sx_debug(
ZONE,
"external_id: Found(%d) subjectAltName/id-on-xmppAddr: '%s'",
id, sc->external_id[
id]);
275 }
else if (altname->type == GEN_DNS) {
276 len = ASN1_STRING_length(altname->d.dNSName);
277 sc->external_id[id] = (
char *) malloc(
sizeof(
char) * (len + 1));
278 memcpy(sc->external_id[
id], ASN1_STRING_data(altname->d.dNSName), len);
279 sc->external_id[id][len] =
'\0';
280 _sx_debug(
ZONE,
"external_id: Found(%d) subjectAltName/dNSName: '%s'",
id, sc->external_id[
id]);
285 sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free);
290 sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free);
293 name = X509_get_subject_name(cert);
294 for (i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
296 i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) {
298 if ((entry = X509_NAME_get_entry(name, i)) == NULL) {
299 _sx_debug(
ZONE,
"external_id: Can't get commonName(%d). Possibly malformed cert. Continuing.", i);
303 len = ASN1_STRING_to_UTF8((
unsigned char **) &buff, X509_NAME_ENTRY_get_data(entry));
307 sc->external_id[id] = (
char *) malloc(
sizeof(
char) * (len + 1));
308 memcpy(sc->external_id[
id], buff, len);
309 sc->external_id[id][len] =
'\0';
310 _sx_debug(
ZONE,
"external_id: Found(%d) commonName: '%s'",
id, sc->external_id[
id]);
328 while(!SSL_is_init_finished(sc->ssl)) {
329 _sx_debug(
ZONE,
"secure channel not established, handshake in progress");
332 if(sc->last_state == SX_SSL_STATE_WANT_READ && BIO_pending(sc->rbio) == 0)
337 ret = SSL_connect(sc->ssl);
339 ret = SSL_accept(sc->ssl);
344 sc->last_state = SX_SSL_STATE_NONE;
346 s->
ssf = SSL_get_cipher_bits(sc->ssl, NULL);
348 _sx_debug(
ZONE,
"using cipher %s (%d bits)", SSL_get_cipher_name(sc->ssl), s->
ssf);
356 err = SSL_get_error(sc->ssl, ret);
358 if(err == SSL_ERROR_WANT_READ)
359 sc->last_state = SX_SSL_STATE_WANT_READ;
360 else if(err == SSL_ERROR_WANT_WRITE)
361 sc->last_state = SX_SSL_STATE_WANT_WRITE;
365 sc->last_state = SX_SSL_STATE_ERROR;
367 errstring = ERR_error_string(ERR_get_error(), NULL);
397 if(sc->last_state == SX_SSL_STATE_ERROR)
424 ret = SSL_write(sc->ssl, wbuf->data, wbuf->len);
430 jqueue_push(sc->wq, wbuf, (sc->wq->front != NULL) ? sc->wq->front->priority + 1 : 0);
433 err = SSL_get_error(sc->ssl, ret);
435 if(err == SSL_ERROR_ZERO_RETURN) {
440 if(err == SSL_ERROR_WANT_READ) {
443 sc->last_state = SX_SSL_STATE_WANT_READ;
447 sc->last_state = SX_SSL_STATE_ERROR;
450 errstring = ERR_error_string(ERR_get_error(), NULL);
470 if(BIO_pending(sc->wbio) > 0) {
471 int bytes_pending = BIO_pending(sc->wbio);
472 assert(buf->
len == 0);
474 BIO_read(sc->wbio, buf->
data, bytes_pending);
475 buf->
len += bytes_pending;
479 buf->
notify = wbuf->notify;
488 if(sc->last_state == SX_SSL_STATE_WANT_READ || sc->last_state == SX_SSL_STATE_NONE)
496 int est, ret, err, pending;
501 if(sc->last_state == SX_SSL_STATE_ERROR)
510 BIO_write(sc->rbio, buf->
data, buf->
len);
523 pending = SSL_pending(sc->ssl);
525 pending = BIO_pending(sc->rbio);
528 while((pending = SSL_pending(sc->ssl)) > 0 || (pending = BIO_pending(sc->rbio)) > 0) {
531 ret = SSL_read(sc->ssl, &(buf->
data[buf->
len]), pending);
541 if (SSL_get_shutdown(sc->ssl) == SSL_RECEIVED_SHUTDOWN)
552 err = SSL_get_error(sc->ssl, ret);
557 if(err == SSL_ERROR_ZERO_RETURN) {
568 err = SSL_get_error(sc->ssl, ret);
571 if(err == SSL_ERROR_WANT_READ) {
572 sc->last_state = SX_SSL_STATE_WANT_READ;
583 sc->last_state = SX_SSL_STATE_ERROR;
585 errstring = ERR_error_string(ERR_get_error(), NULL);
607 if(BIO_pending(sc->wbio) > 0 || (est > 0 &&
jqueue_size(sc->wq) > 0))
611 if(sc->last_state == SX_SSL_STATE_WANT_READ || sc->last_state == SX_SSL_STATE_NONE)
623 char *pemfile = NULL;
640 assert((
int) (ctx != NULL));
642 sc = (_sx_ssl_conn_t) calloc(1,
sizeof(
struct _sx_ssl_conn_st));
645 sc->rbio = BIO_new(BIO_s_mem());
646 sc->wbio = BIO_new(BIO_s_mem());
649 sc->ssl = SSL_new(ctx);
650 SSL_set_bio(sc->ssl, sc->rbio, sc->wbio);
651 SSL_set_connect_state(sc->ssl);
652 SSL_set_ssl_method(sc->ssl, TLSv1_client_method());
657 sc->external_id[i] = NULL;
669 if(pemfile != NULL) {
671 ret = SSL_use_certificate_file(sc->ssl, pemfile, SSL_FILETYPE_PEM);
673 _sx_debug(
ZONE,
"couldn't load alternate certificate from %s", pemfile);
681 ret = SSL_use_PrivateKey_file(sc->ssl, pemfile, SSL_FILETYPE_PEM);
683 _sx_debug(
ZONE,
"couldn't load alternate private key from %s", pemfile);
691 ret = SSL_check_private_key(sc->ssl);
693 _sx_debug(
ZONE,
"private key does not match certificate public key");
733 assert((
int) (ctx != NULL));
735 sc = (_sx_ssl_conn_t) calloc(1,
sizeof(
struct _sx_ssl_conn_st));
738 sc->rbio = BIO_new(BIO_s_mem());
739 sc->wbio = BIO_new(BIO_s_mem());
742 sc->ssl = SSL_new(ctx);
743 SSL_set_bio(sc->ssl, sc->rbio, sc->wbio);
744 SSL_set_accept_state(sc->ssl);
748 sc->external_id[i] = NULL;
776 if(sc->external_id[i] != NULL)
777 free(sc->external_id[i]);
781 if(sc->pemfile != NULL) free(sc->pemfile);
783 if(sc->ssl != NULL) SSL_free(sc->ssl);
804 SSL_CTX_free((SSL_CTX *) ctx);
814 char *name, *pemfile, *cachain;
820 name = va_arg(args,
char *);
821 pemfile = va_arg(args,
char *);
828 cachain = va_arg(args,
char *);
829 mode = va_arg(args,
int);
836 SSL_load_error_strings();
864 STACK_OF(X509_NAME) *cert_names;
883 ctx = SSL_CTX_new(SSLv23_method());
885 _sx_debug(
ZONE,
"ssl context creation failed; %s", ERR_error_string(ERR_get_error(), NULL));
890 if (SSL_CTX_set_cipher_list(ctx,
"ALL:!LOW:!SSLv2:!EXP:!aNULL") != 1) {
891 _sx_debug(
ZONE,
"Can't set cipher list for SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
897 if (cachain != NULL) {
898 ret = SSL_CTX_load_verify_locations (ctx, cachain, NULL);
900 _sx_debug(
ZONE,
"WARNING: couldn't load CA chain: %s; %s", cachain, ERR_error_string(ERR_get_error(), NULL));
902 _sx_debug(
ZONE,
"Loaded CA verify location chain: %s", cachain);
904 cert_names = SSL_load_client_CA_file(cachain);
905 if (cert_names != NULL) {
906 SSL_CTX_set_client_CA_list(ctx, cert_names);
909 _sx_debug(
ZONE,
"WARNING: couldn't load client CA chain: %s", cachain);
917 SSL_CTX_set_default_verify_paths(ctx);
918 _sx_debug(
ZONE,
"No CA chain specified. Loading SSL default CA certs: /etc/ssl/certs");
921 store = SSL_CTX_get_cert_store(ctx);
924 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
927 ret = SSL_CTX_use_certificate_chain_file(ctx, pemfile);
929 _sx_debug(
ZONE,
"couldn't load certificate from %s; %s", pemfile, ERR_error_string(ERR_get_error(), NULL));
935 ret = SSL_CTX_use_PrivateKey_file(ctx, pemfile, SSL_FILETYPE_PEM);
937 _sx_debug(
ZONE,
"couldn't load private key from %s; %s", pemfile, ERR_error_string(ERR_get_error(), NULL));
943 ret = SSL_CTX_check_private_key(ctx);
945 _sx_debug(
ZONE,
"private key does not match certificate public key; %s", ERR_error_string(ERR_get_error(), NULL));
950 _sx_debug(
ZONE,
"setting ssl context '%s' verify mode to %02x", name, mode);
954 if(contexts == NULL) {
956 p->
private = (
void *) contexts;
959 if(!(name[0] ==
'*' && name[1] == 0)) {
971 _sx_debug(
ZONE,
"ssl context '%s' initialised; certificate and key loaded from %s", name, pemfile);
976 SSL_CTX_free((SSL_CTX *) tmp);
984 assert((
int) (p != NULL));
985 assert((
int) (s != NULL));
989 _sx_debug(
ZONE,
"wrong conn type or state for client starttls");
1002 if(pemfile != NULL) {
1003 s->
plugin_data[p->
index] = (_sx_ssl_conn_t) calloc(1,
sizeof(
struct _sx_ssl_conn_st));