15 #include "tlsopensslbase.h"
24 #include <openssl/err.h>
25 #include <openssl/comp.h>
26 #include <openssl/x509v3.h>
32 :
TLSBase( th, server ), m_ssl( 0 ), m_ctx( 0 ), m_buf( 0 ), m_bufsize( 17000 )
34 m_buf = (
char*)calloc( m_bufsize + 1,
sizeof(
char ) );
41 SSL_CTX_free( m_ctx );
42 SSL_shutdown( m_ssl );
49 const std::string& clientCerts,
55 SSL_COMP_add_compression_method( 193, COMP_zlib() );
57 OpenSSL_add_all_algorithms();
65 if( !SSL_CTX_set_cipher_list( m_ctx,
"HIGH:MEDIUM:AES:@STRENGTH" ) )
68 m_ssl = SSL_new( m_ctx );
72 if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) )
75 SSL_set_bio( m_ssl, m_ibio, m_ibio );
76 SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE );
78 ERR_load_crypto_strings();
79 SSL_load_error_strings();
98 doTLSOperation( TLSWrite );
104 m_recvBuffer += data;
112 doTLSOperation( TLSRead );
120 StringList::const_iterator it = m_cacerts.begin();
121 for( ; it != m_cacerts.end(); ++it )
122 SSL_CTX_load_verify_locations( m_ctx, (*it).c_str(), 0 );
127 m_clientKey = clientKey;
128 m_clientCerts = clientCerts;
130 if( !m_clientKey.empty() && !m_clientCerts.empty() )
132 if( SSL_CTX_use_certificate_chain_file( m_ctx, m_clientCerts.c_str() ) != 1 )
136 if( SSL_CTX_use_RSAPrivateKey_file( m_ctx, m_clientKey.c_str(), SSL_FILETYPE_PEM ) != 1 )
142 if ( SSL_CTX_check_private_key( m_ctx ) != 1 )
159 void OpenSSLBase::doTLSOperation( TLSOperation op )
165 bool onceAgain =
false;
172 ret = handshakeFunction();
175 ret = SSL_write( m_ssl, m_sendBuffer.c_str(), m_sendBuffer.length() );
178 ret = SSL_read( m_ssl, m_buf, m_bufsize );
182 switch( SSL_get_error( m_ssl, ret ) )
184 case SSL_ERROR_WANT_READ:
185 case SSL_ERROR_WANT_WRITE:
189 if( op == TLSHandshake )
191 else if( op == TLSWrite )
192 m_sendBuffer.erase( 0, ret );
193 else if( op == TLSRead )
203 if( !onceAgain && !m_recvBuffer.length() )
208 while( ( ( onceAgain || m_recvBuffer.length() ) && ( !m_secure || op == TLSRead ) )
209 || ( ( op == TLSWrite ) && ( ret > 0 ) ));
212 int OpenSSLBase::openSSLTime2UnixTime(
const char* time_string )
218 for(
int n = 0; n < 12; n += 2 )
220 tstring[m] = time_string[n];
221 tstring[m + 1] = time_string[n + 1];
228 time_st.tm_year = ( atoi( &tstring[3 * 0] ) >= 70 ) ? atoi( &tstring[3 * 0] )
229 : atoi( &tstring[3 * 0] ) + 100;
230 time_st.tm_mon = atoi( &tstring[3 * 1] ) - 1;
231 time_st.tm_mday = atoi( &tstring[3 * 2] );
232 time_st.tm_hour = atoi( &tstring[3 * 3] );
233 time_st.tm_min = atoi( &tstring[3 * 4] );
234 time_st.tm_sec = atoi( &tstring[3 * 5] );
236 time_t unixt = mktime( &time_st );
243 doTLSOperation( TLSHandshake );
248 int res = SSL_get_verify_result( m_ssl );
249 if( res != X509_V_OK )
254 X509* peer = SSL_get_peer_certificate( m_ssl );
258 X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN,
sizeof( peer_CN ) );
259 m_certInfo.
issuer = peer_CN;
260 X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN,
sizeof( peer_CN ) );
261 m_certInfo.
server = peer_CN;
262 m_certInfo.
date_from = openSSLTime2UnixTime( (
char*) (peer->cert_info->validity->notBefore->data) );
263 m_certInfo.
date_to = openSSLTime2UnixTime( (
char*) (peer->cert_info->validity->notAfter->data) );
264 std::string p( peer_CN );
265 std::transform( p.begin(), p.end(), p.begin(), tolower );
267 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER >= 0x10002000 )
268 res = X509_check_host( peer, p.c_str(), p.length(), X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, 0 );
274 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000
276 if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 )
279 if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 )
290 tmp = SSL_get_cipher_name( m_ssl );
294 tmp = SSL_get_cipher_version( m_ssl );
298 tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) );
308 void OpenSSLBase::pushFunc()
315 while( ( wantwrite = BIO_ctrl_pending( m_nbio ) ) > 0 )
317 if( wantwrite > m_bufsize )
318 wantwrite = m_bufsize;
323 frombio = BIO_read( m_nbio, m_buf, wantwrite );
329 while( ( wantread = BIO_ctrl_get_read_request( m_nbio ) ) > 0 )
331 if( wantread > m_recvBuffer.length() )
332 wantread = m_recvBuffer.length();
337 tobio = BIO_write( m_nbio, m_recvBuffer.c_str(), wantread );
338 m_recvBuffer.erase( 0, tobio );
344 #endif // HAVE_OPENSSL
virtual void setClientCert(const std::string &clientKey, const std::string &clientCerts)
std::list< std::string > StringList
virtual void handleEncryptedData(const TLSBase *base, const std::string &data)=0
virtual int decrypt(const std::string &data)
virtual void setCACerts(const StringList &cacerts)
The namespace for the gloox library.
virtual bool encrypt(const std::string &data)
OpenSSLBase(TLSHandler *th, const std::string &server=EmptyString)
An abstract base class for TLS implementations.
virtual bool init(const std::string &clientKey=EmptyString, const std::string &clientCerts=EmptyString, const StringList &cacerts=StringList())
virtual void handleDecryptedData(const TLSBase *base, const std::string &data)=0
An interface that allows for interacting with TLS implementations derived from TLSBase.
virtual void handleHandshakeResult(const TLSBase *base, bool success, CertInfo &certinfo)=0