| Alexandre Lision | ddd731e | 2014-01-31 11:50:08 -0500 | [diff] [blame^] | 1 | // Copyright (C) 2010 David Sugar, Tycho Softworks. |
| 2 | // |
| 3 | // This file is part of GNU uCommon C++. |
| 4 | // |
| 5 | // GNU uCommon C++ is free software: you can redistribute it and/or modify |
| 6 | // it under the terms of the GNU Lesser General Public License as published |
| 7 | // by the Free Software Foundation, either version 3 of the License, or |
| 8 | // (at your option) any later version. |
| 9 | // |
| 10 | // GNU uCommon C++ is distributed in the hope that it will be useful, |
| 11 | // but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | // GNU Lesser General Public License for more details. |
| 14 | // |
| 15 | // You should have received a copy of the GNU Lesser General Public License |
| 16 | // along with GNU uCommon C++. If not, see <http://www.gnu.org/licenses/>. |
| 17 | |
| 18 | #include "local.h" |
| 19 | |
| 20 | #ifdef HAVE_OPENSSL_FIPS_H |
| 21 | #include <openssl/fips.h> |
| 22 | #endif |
| 23 | |
| 24 | static mutex_t *private_locks = NULL; |
| 25 | |
| 26 | extern "C" { |
| 27 | static void ssl_lock(int mode, int n, const char *file, int line) |
| 28 | { |
| 29 | if((mode & 0x03) == CRYPTO_LOCK) |
| 30 | private_locks[n].acquire(); |
| 31 | else if((mode & 0x03) == CRYPTO_UNLOCK) |
| 32 | private_locks[n].release(); |
| 33 | } |
| 34 | |
| 35 | static unsigned long ssl_self(void) |
| 36 | { |
| 37 | #ifdef _MSWINDOWS_ |
| 38 | return GetCurrentThreadId(); |
| 39 | #else |
| 40 | return (long)Thread::self(); |
| 41 | #endif |
| 42 | } |
| 43 | } |
| 44 | |
| 45 | bool secure::fips(void) |
| 46 | { |
| 47 | #ifdef HAVE_OPENSSL_FIPS_H |
| 48 | |
| 49 | // must always be first init function called... |
| 50 | if(private_locks) |
| 51 | return false; |
| 52 | |
| 53 | if(!FIPS_mode_set(1)) |
| 54 | return false; |
| 55 | |
| 56 | return init(); |
| 57 | #else |
| 58 | return false; |
| 59 | #endif |
| 60 | } |
| 61 | |
| 62 | bool secure::init(void) |
| 63 | { |
| 64 | if(private_locks) |
| 65 | return true; |
| 66 | |
| 67 | Thread::init(); |
| 68 | Socket::init(); |
| 69 | |
| 70 | SSL_library_init(); |
| 71 | SSL_load_error_strings(); |
| 72 | ERR_load_BIO_strings(); |
| 73 | OpenSSL_add_all_algorithms(); |
| 74 | OpenSSL_add_all_digests(); |
| 75 | |
| 76 | if(CRYPTO_get_id_callback() != NULL) |
| 77 | return false; |
| 78 | |
| 79 | private_locks = new Mutex[CRYPTO_num_locks()]; |
| 80 | CRYPTO_set_id_callback(ssl_self); |
| 81 | CRYPTO_set_locking_callback(ssl_lock); |
| 82 | return true; |
| 83 | } |
| 84 | |
| 85 | void secure::cipher(secure *scontext, const char *ciphers) |
| 86 | { |
| 87 | context *ctx = (context *)scontext; |
| 88 | if(!ctx) |
| 89 | return; |
| 90 | |
| 91 | SSL_CTX_set_cipher_list(ctx->ctx, ciphers); |
| 92 | } |
| 93 | |
| 94 | secure::client_t secure::client(const char *ca) |
| 95 | { |
| 96 | context *ctx = new(context); |
| 97 | secure::init(); |
| 98 | |
| 99 | if(!ctx) |
| 100 | return NULL; |
| 101 | |
| 102 | ctx->error = secure::OK; |
| 103 | |
| 104 | ctx->ctx = SSL_CTX_new(SSLv23_client_method()); |
| 105 | |
| 106 | if(!ctx->ctx) { |
| 107 | ctx->error = secure::INVALID; |
| 108 | return ctx; |
| 109 | } |
| 110 | |
| 111 | if(!ca) |
| 112 | return ctx; |
| 113 | |
| 114 | if(eq(ca, "*")) |
| 115 | ca = oscerts(); |
| 116 | |
| 117 | if(!SSL_CTX_load_verify_locations(ctx->ctx, ca, 0)) { |
| 118 | ctx->error = secure::INVALID_AUTHORITY; |
| 119 | return ctx; |
| 120 | } |
| 121 | |
| 122 | return ctx; |
| 123 | } |
| 124 | |
| 125 | secure::server_t secure::server(const char *certfile, const char *ca) |
| 126 | { |
| 127 | context *ctx = new(context); |
| 128 | |
| 129 | if(!ctx) |
| 130 | return NULL; |
| 131 | |
| 132 | secure::init(); |
| 133 | ctx->error = secure::OK; |
| 134 | ctx->ctx = SSL_CTX_new(SSLv23_server_method()); |
| 135 | |
| 136 | if(!ctx->ctx) { |
| 137 | ctx->error = secure::INVALID; |
| 138 | return ctx; |
| 139 | } |
| 140 | |
| 141 | if(!SSL_CTX_use_certificate_chain_file(ctx->ctx, certfile)) { |
| 142 | ctx->error = secure::MISSING_CERTIFICATE; |
| 143 | return ctx; |
| 144 | } |
| 145 | |
| 146 | if(!SSL_CTX_use_PrivateKey_file(ctx->ctx, certfile, SSL_FILETYPE_PEM)) { |
| 147 | ctx->error = secure::MISSING_PRIVATEKEY; |
| 148 | return ctx; |
| 149 | } |
| 150 | |
| 151 | if(!SSL_CTX_check_private_key(ctx->ctx)) { |
| 152 | ctx->error = secure::INVALID_CERTIFICATE; |
| 153 | return ctx; |
| 154 | } |
| 155 | |
| 156 | if(!ca) |
| 157 | return ctx; |
| 158 | |
| 159 | if(eq(ca, "*")) |
| 160 | ca = oscerts(); |
| 161 | |
| 162 | if(!SSL_CTX_load_verify_locations(ctx->ctx, ca, 0)) { |
| 163 | ctx->error = secure::INVALID_AUTHORITY; |
| 164 | return ctx; |
| 165 | } |
| 166 | |
| 167 | return ctx; |
| 168 | } |
| 169 | |
| 170 | secure::error_t secure::verify(session_t session, const char *peername) |
| 171 | { |
| 172 | SSL *ssl = (SSL *)session; |
| 173 | |
| 174 | char peer_cn[256]; |
| 175 | |
| 176 | if(SSL_get_verify_result(ssl) != X509_V_OK) |
| 177 | return secure::INVALID_CERTIFICATE; |
| 178 | |
| 179 | if(!peername) |
| 180 | return secure::OK; |
| 181 | |
| 182 | X509 *peer = SSL_get_peer_certificate(ssl); |
| 183 | |
| 184 | if(!peer) |
| 185 | return secure::INVALID_PEERNAME; |
| 186 | |
| 187 | X509_NAME_get_text_by_NID( |
| 188 | X509_get_subject_name(peer), |
| 189 | NID_commonName, peer_cn, sizeof(peer_cn)); |
| 190 | if(!eq_case(peer_cn, peername)) |
| 191 | return secure::INVALID_PEERNAME; |
| 192 | |
| 193 | return secure::OK; |
| 194 | } |
| 195 | |
| 196 | secure::~secure() |
| 197 | { |
| 198 | } |
| 199 | |
| 200 | context::~context() |
| 201 | { |
| 202 | if(ctx) |
| 203 | SSL_CTX_free(ctx); |
| 204 | } |
| 205 | |
| 206 | |