15 #include "tlsopensslbase.h" 24 #include <openssl/err.h> 25 #include <openssl/comp.h> 26 #include <openssl/x509v3.h> 34 :
TLSBase( th, server ), m_ssl( 0 ), m_ctx( 0 ), m_buf( 0 ), m_bufsize( 17000 )
36 m_buf =
static_cast<char*
>( calloc( m_bufsize + 1,
sizeof(
char ) ) );
43 SSL_CTX_free( m_ctx );
44 SSL_shutdown( m_ssl );
51 const std::string& clientCerts,
54 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER < 0x10100000 ) 57 #endif // OPENSSL_VERSION_NUMBER < 0x10100000 59 SSL_COMP_add_compression_method( 193, COMP_zlib() );
61 OpenSSL_add_all_algorithms();
69 if( !SSL_CTX_set_cipher_list( m_ctx,
"HIGH:MEDIUM:AES:@STRENGTH" ) )
72 m_ssl = SSL_new( m_ctx );
76 if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) )
79 SSL_set_bio( m_ssl, m_ibio, m_ibio );
80 SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE );
82 ERR_load_crypto_strings();
83 SSL_load_error_strings();
102 doTLSOperation( TLSWrite );
108 m_recvBuffer += data;
116 doTLSOperation( TLSRead );
124 StringList::const_iterator it = m_cacerts.begin();
125 for( ; it != m_cacerts.end(); ++it )
126 SSL_CTX_load_verify_locations( m_ctx, (*it).c_str(), 0 );
131 m_clientKey = clientKey;
132 m_clientCerts = clientCerts;
134 if( !m_clientKey.empty() && !m_clientCerts.empty() )
136 if( SSL_CTX_use_certificate_chain_file( m_ctx, m_clientCerts.c_str() ) != 1 )
140 if( SSL_CTX_use_RSAPrivateKey_file( m_ctx, m_clientKey.c_str(), SSL_FILETYPE_PEM ) != 1 )
146 if ( SSL_CTX_check_private_key( m_ctx ) != 1 )
163 void OpenSSLBase::doTLSOperation( TLSOperation op )
169 bool onceAgain =
false;
176 ret = handshakeFunction();
179 ret = SSL_write( m_ssl, m_sendBuffer.c_str(),
static_cast<int>( m_sendBuffer.length() ) );
182 ret = SSL_read( m_ssl, m_buf, m_bufsize );
186 switch( SSL_get_error( m_ssl, ret ) )
188 case SSL_ERROR_WANT_READ:
189 case SSL_ERROR_WANT_WRITE:
193 if( op == TLSHandshake )
195 else if( op == TLSWrite )
196 m_sendBuffer.erase( 0, ret );
197 else if( op == TLSRead )
207 if( !onceAgain && !m_recvBuffer.length() )
212 while( ( ( onceAgain || m_recvBuffer.length() ) && ( !m_secure || op == TLSRead ) )
213 || ( ( op == TLSWrite ) && ( ret > 0 ) ));
216 int OpenSSLBase::ASN1Time2UnixTime( ASN1_TIME* time )
219 const char* str =
reinterpret_cast<const char*
>( time->data );
222 memset( &t, 0,
sizeof(t) );
224 if( time->type == V_ASN1_UTCTIME )
226 t.tm_year = ( str[i++] -
'0' ) * 10;
227 t.tm_year += ( str[i++] -
'0' );
232 else if( time->type == V_ASN1_GENERALIZEDTIME )
234 t.tm_year = ( str[i++] -
'0' ) * 1000;
235 t.tm_year += ( str[i++] -
'0' ) * 100;
236 t.tm_year += ( str[i++] -
'0' ) * 10;
237 t.tm_year += ( str[i++] -
'0' );
241 t.tm_mon = ( str[i++] -
'0' ) * 10;
242 t.tm_mon += ( str[i++] -
'0' ) - 1;
243 t.tm_mday = ( str[i++] -
'0' ) * 10;
244 t.tm_mday += ( str[i++] -
'0' );
245 t.tm_hour = ( str[i++] -
'0' ) * 10;
246 t.tm_hour += ( str[i++] -
'0' );
247 t.tm_min = ( str[i++] -
'0' ) * 10;
248 t.tm_min += ( str[i++] -
'0' );
249 t.tm_sec = ( str[i++] -
'0' ) * 10;
250 t.tm_sec += ( str[i++] -
'0' );
252 return static_cast<int>( mktime( &t ) );
255 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER < 0x10100000 ) 256 int SSL_SESSION_get_protocol_version(
const SSL_SESSION* s )
258 return s->ssl_version;
260 #endif // OPENSSL_VERSION_NUMBER < 0x10100000 265 doTLSOperation( TLSHandshake );
270 long res = SSL_get_verify_result( m_ssl );
271 if( res != X509_V_OK )
276 X509* peer = SSL_get_peer_certificate( m_ssl );
280 X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN,
sizeof( peer_CN ) );
281 m_certInfo.
issuer = peer_CN;
282 X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN,
sizeof( peer_CN ) );
283 m_certInfo.
server = peer_CN;
284 m_certInfo.
date_from = ASN1Time2UnixTime( X509_get_notBefore( peer ) );
285 m_certInfo.
date_to = ASN1Time2UnixTime( X509_get_notAfter( peer ) );
286 std::string p( peer_CN );
287 std::transform( p.begin(), p.end(), p.begin(), tolower );
289 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER >= 0x10002000 ) 290 res = X509_check_host( peer, p.c_str(), p.length(), X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, 0 );
296 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000 298 if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 )
301 if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 )
312 tmp = SSL_get_cipher_name( m_ssl );
316 SSL_SESSION* sess = SSL_get_session( m_ssl );
319 switch( SSL_SESSION_get_protocol_version( sess ) )
330 #ifdef TLS1_3_VERSION 334 #endif // TLS1_3_VERSION 336 m_certInfo.
protocol =
"Unknown TLS version";
341 tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) );
351 void OpenSSLBase::pushFunc()
358 while( ( wantwrite = BIO_pending( m_nbio ) ) > 0 )
360 if( wantwrite > m_bufsize )
361 wantwrite = m_bufsize;
366 frombio = BIO_read( m_nbio, m_buf, wantwrite );
372 while( ( wantread = BIO_ctrl_get_read_request( m_nbio ) ) > 0 )
374 if( wantread > m_recvBuffer.length() )
375 wantread = m_recvBuffer.length();
380 tobio = BIO_write( m_nbio, m_recvBuffer.c_str(),
static_cast<int>( wantread ) );
381 m_recvBuffer.erase( 0, tobio );
387 #endif // HAVE_OPENSSL
virtual void setClientCert(const std::string &clientKey, const std::string &clientCerts)
std::list< std::string > StringList
virtual void handleEncryptedData(const TLSBase *base, const std::string &data)=0
virtual int decrypt(const std::string &data)
virtual void setCACerts(const StringList &cacerts)
The namespace for the gloox library.
virtual bool encrypt(const std::string &data)
OpenSSLBase(TLSHandler *th, const std::string &server=EmptyString)
An abstract base class for TLS implementations.
virtual bool init(const std::string &clientKey=EmptyString, const std::string &clientCerts=EmptyString, const StringList &cacerts=StringList())
virtual void handleDecryptedData(const TLSBase *base, const std::string &data)=0
An interface that allows for interacting with TLS implementations derived from TLSBase.
virtual void handleHandshakeResult(const TLSBase *base, bool success, CertInfo &certinfo)=0