/* Copyright (c) 2009-2015 by Jakob Schröter This file is part of the gloox library. http://camaya.net/gloox This software is distributed under a license. The full license agreement can be found in the file LICENSE in this distribution. This software may not be copied, modified, sold or distributed other than expressed in the named license agreement. This software is distributed without any warranty. */ #include "tlsopensslbase.h" #ifdef HAVE_OPENSSL #include #include #include #include #include #include namespace gloox { OpenSSLBase::OpenSSLBase( TLSHandler* th, const std::string& server ) : TLSBase( th, server ), m_ssl( 0 ), m_ctx( 0 ), m_buf( 0 ), m_bufsize( 17000 ) { m_buf = (char*)calloc( m_bufsize + 1, sizeof( char ) ); } OpenSSLBase::~OpenSSLBase() { m_handler = 0; free( m_buf ); SSL_CTX_free( m_ctx ); SSL_shutdown( m_ssl ); SSL_free( m_ssl ); BIO_free( m_nbio ); cleanup(); } bool OpenSSLBase::init( const std::string& clientKey, const std::string& clientCerts, const StringList& cacerts ) { if( m_initLib ) SSL_library_init(); SSL_COMP_add_compression_method( 193, COMP_zlib() ); OpenSSL_add_all_algorithms(); if( !setType() ) //inits m_ctx return false; setClientCert( clientKey, clientCerts ); setCACerts( cacerts ); if( !SSL_CTX_set_cipher_list( m_ctx, "HIGH:MEDIUM:AES:@STRENGTH" ) ) return false; m_ssl = SSL_new( m_ctx ); if( !m_ssl ) return false; if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) ) return false; SSL_set_bio( m_ssl, m_ibio, m_ibio ); SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE ); ERR_load_crypto_strings(); SSL_load_error_strings(); if( !privateInit() ) return false; m_valid = true; return true; } bool OpenSSLBase::encrypt( const std::string& data ) { m_sendBuffer += data; if( !m_secure ) { handshake(); return 0; } doTLSOperation( TLSWrite ); return true; } int OpenSSLBase::decrypt( const std::string& data ) { m_recvBuffer += data; if( !m_secure ) { handshake(); return 0; } doTLSOperation( TLSRead ); return true; } void OpenSSLBase::setCACerts( const StringList& cacerts ) { m_cacerts = cacerts; StringList::const_iterator it = m_cacerts.begin(); for( ; it != m_cacerts.end(); ++it ) SSL_CTX_load_verify_locations( m_ctx, (*it).c_str(), 0 ); } void OpenSSLBase::setClientCert( const std::string& clientKey, const std::string& clientCerts ) { m_clientKey = clientKey; m_clientCerts = clientCerts; if( !m_clientKey.empty() && !m_clientCerts.empty() ) { if( SSL_CTX_use_certificate_chain_file( m_ctx, m_clientCerts.c_str() ) != 1 ) { // FIXME } if( SSL_CTX_use_RSAPrivateKey_file( m_ctx, m_clientKey.c_str(), SSL_FILETYPE_PEM ) != 1 ) { // FIXME } } if ( SSL_CTX_check_private_key( m_ctx ) != 1 ) { // FIXME } } void OpenSSLBase::cleanup() { if( !m_mutex.trylock() ) return; m_secure = false; m_valid = false; m_mutex.unlock(); } void OpenSSLBase::doTLSOperation( TLSOperation op ) { if( !m_handler ) return; int ret = 0; bool onceAgain = false; do { switch( op ) { case TLSHandshake: ret = handshakeFunction(); break; case TLSWrite: ret = SSL_write( m_ssl, m_sendBuffer.c_str(), m_sendBuffer.length() ); break; case TLSRead: ret = SSL_read( m_ssl, m_buf, m_bufsize ); break; } switch( SSL_get_error( m_ssl, ret ) ) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: pushFunc(); break; case SSL_ERROR_NONE: if( op == TLSHandshake ) m_secure = true; else if( op == TLSWrite ) m_sendBuffer.erase( 0, ret ); else if( op == TLSRead ) m_handler->handleDecryptedData( this, std::string( m_buf, ret ) ); pushFunc(); break; default: if( !m_secure ) m_handler->handleHandshakeResult( this, false, m_certInfo ); return; break; } if( !onceAgain && !m_recvBuffer.length() ) onceAgain = true; else if( onceAgain ) onceAgain = false; } while( ( ( onceAgain || m_recvBuffer.length() ) && ( !m_secure || op == TLSRead ) ) || ( ( op == TLSWrite ) && ( ret > 0 ) )); } int OpenSSLBase::openSSLTime2UnixTime( const char* time_string ) { char tstring[19]; // making seperate c string out of time string int m = 0; for( int n = 0; n < 12; n += 2 ) { tstring[m] = time_string[n]; tstring[m + 1] = time_string[n + 1]; tstring[m + 2] = 0; m += 3; } // converting to struct tm tm time_st; time_st.tm_year = ( atoi( &tstring[3 * 0] ) >= 70 ) ? atoi( &tstring[3 * 0] ) : atoi( &tstring[3 * 0] ) + 100; time_st.tm_mon = atoi( &tstring[3 * 1] ) - 1; time_st.tm_mday = atoi( &tstring[3 * 2] ); time_st.tm_hour = atoi( &tstring[3 * 3] ); time_st.tm_min = atoi( &tstring[3 * 4] ); time_st.tm_sec = atoi( &tstring[3 * 5] ); time_t unixt = mktime( &time_st ); return unixt; } bool OpenSSLBase::handshake() { doTLSOperation( TLSHandshake ); if( !m_secure ) return true; int res = SSL_get_verify_result( m_ssl ); if( res != X509_V_OK ) m_certInfo.status = CertInvalid; else m_certInfo.status = CertOk; X509* peer = SSL_get_peer_certificate( m_ssl ); if( peer ) { char peer_CN[256]; X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) ); m_certInfo.issuer = peer_CN; X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) ); m_certInfo.server = peer_CN; m_certInfo.date_from = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notBefore->data) ); m_certInfo.date_to = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notAfter->data) ); std::string p( peer_CN ); std::transform( p.begin(), p.end(), p.begin(), tolower ); if( p != m_server ) m_certInfo.status |= CertWrongPeer; if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 ) m_certInfo.status |= CertNotActive; if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 ) m_certInfo.status |= CertExpired; X509_free( peer ); } else { m_certInfo.status = CertInvalid; } const char* tmp; tmp = SSL_get_cipher_name( m_ssl ); if( tmp ) m_certInfo.cipher = tmp; tmp = SSL_get_cipher_version( m_ssl ); if( tmp ) m_certInfo.protocol = tmp; tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) ); if( tmp ) m_certInfo.compression = tmp; m_valid = true; m_handler->handleHandshakeResult( this, true, m_certInfo ); return true; } void OpenSSLBase::pushFunc() { int wantwrite; size_t wantread; int frombio; int tobio; while( ( wantwrite = BIO_ctrl_pending( m_nbio ) ) > 0 ) { if( wantwrite > m_bufsize ) wantwrite = m_bufsize; if( !wantwrite ) break; frombio = BIO_read( m_nbio, m_buf, wantwrite ); if( m_handler ) m_handler->handleEncryptedData( this, std::string( m_buf, frombio ) ); } while( ( wantread = BIO_ctrl_get_read_request( m_nbio ) ) > 0 ) { if( wantread > m_recvBuffer.length() ) wantread = m_recvBuffer.length(); if( !wantread ) break; tobio = BIO_write( m_nbio, m_recvBuffer.c_str(), wantread ); m_recvBuffer.erase( 0, tobio ); } } } #endif // HAVE_OPENSSL