15 #include "tlsopensslbase.h" 24 #include <openssl/err.h> 25 #include <openssl/x509v3.h> 27 #ifndef OPENSSL_NO_COMP 28 #include <openssl/comp.h> 37 :
TLSBase( th, server ), m_ssl( 0 ), m_ctx( 0 ), m_buf( 0 ), m_bufsize( 17000 )
39 m_buf =
static_cast<char*
>( calloc( m_bufsize + 1,
sizeof(
char ) ) );
46 SSL_CTX_free( m_ctx );
47 SSL_shutdown( m_ssl );
54 const std::string& clientCerts,
57 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER < 0x10100000 ) 60 #endif // OPENSSL_VERSION_NUMBER < 0x10100000 62 #ifndef OPENSSL_NO_COMP 63 SSL_COMP_add_compression_method( 193, COMP_zlib() );
64 #endif // OPENSSL_NO_COMP 66 OpenSSL_add_all_algorithms();
74 if( !SSL_CTX_set_cipher_list( m_ctx,
"HIGH:MEDIUM:AES:@STRENGTH" ) )
77 m_ssl = SSL_new( m_ctx );
81 if( !BIO_new_bio_pair( &m_ibio, 0, &m_nbio, 0 ) )
84 SSL_set_bio( m_ssl, m_ibio, m_ibio );
85 SSL_set_mode( m_ssl, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE );
87 ERR_load_crypto_strings();
88 SSL_load_error_strings();
107 doTLSOperation( TLSWrite );
113 m_recvBuffer += data;
121 doTLSOperation( TLSRead );
129 StringList::const_iterator it = m_cacerts.begin();
130 for( ; it != m_cacerts.end(); ++it )
131 SSL_CTX_load_verify_locations( m_ctx, (*it).c_str(), 0 );
136 m_clientKey = clientKey;
137 m_clientCerts = clientCerts;
139 if( !m_clientKey.empty() && !m_clientCerts.empty() )
141 if( SSL_CTX_use_certificate_chain_file( m_ctx, m_clientCerts.c_str() ) != 1 )
145 if( SSL_CTX_use_RSAPrivateKey_file( m_ctx, m_clientKey.c_str(), SSL_FILETYPE_PEM ) != 1 )
151 if ( SSL_CTX_check_private_key( m_ctx ) != 1 )
168 void OpenSSLBase::doTLSOperation( TLSOperation op )
174 bool onceAgain =
false;
181 ret = handshakeFunction();
184 ret = SSL_write( m_ssl, m_sendBuffer.c_str(),
static_cast<int>( m_sendBuffer.length() ) );
187 ret = SSL_read( m_ssl, m_buf, m_bufsize );
191 switch( SSL_get_error( m_ssl, ret ) )
193 case SSL_ERROR_WANT_READ:
194 case SSL_ERROR_WANT_WRITE:
198 if( op == TLSHandshake )
200 else if( op == TLSWrite )
201 m_sendBuffer.erase( 0, ret );
202 else if( op == TLSRead )
212 if( !onceAgain && !m_recvBuffer.length() )
217 while( ( ( onceAgain || m_recvBuffer.length() ) && ( !m_secure || op == TLSRead ) )
218 || ( ( op == TLSWrite ) && ( ret > 0 ) ));
221 int OpenSSLBase::ASN1Time2UnixTime( ASN1_TIME* time )
224 const char* str =
reinterpret_cast<const char*
>( time->data );
227 memset( &t, 0,
sizeof(t) );
229 if( time->type == V_ASN1_UTCTIME )
231 t.tm_year = ( str[i++] -
'0' ) * 10;
232 t.tm_year += ( str[i++] -
'0' );
237 else if( time->type == V_ASN1_GENERALIZEDTIME )
239 t.tm_year = ( str[i++] -
'0' ) * 1000;
240 t.tm_year += ( str[i++] -
'0' ) * 100;
241 t.tm_year += ( str[i++] -
'0' ) * 10;
242 t.tm_year += ( str[i++] -
'0' );
246 t.tm_mon = ( str[i++] -
'0' ) * 10;
247 t.tm_mon += ( str[i++] -
'0' ) - 1;
248 t.tm_mday = ( str[i++] -
'0' ) * 10;
249 t.tm_mday += ( str[i++] -
'0' );
250 t.tm_hour = ( str[i++] -
'0' ) * 10;
251 t.tm_hour += ( str[i++] -
'0' );
252 t.tm_min = ( str[i++] -
'0' ) * 10;
253 t.tm_min += ( str[i++] -
'0' );
254 t.tm_sec = ( str[i++] -
'0' ) * 10;
255 t.tm_sec += ( str[i++] -
'0' );
257 return static_cast<int>( mktime( &t ) );
260 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER < 0x10100000 ) 261 int SSL_SESSION_get_protocol_version(
const SSL_SESSION* s )
263 return s->ssl_version;
265 #endif // OPENSSL_VERSION_NUMBER < 0x10100000 270 doTLSOperation( TLSHandshake );
275 long res = SSL_get_verify_result( m_ssl );
276 if( res != X509_V_OK )
281 X509* peer = SSL_get_peer_certificate( m_ssl );
285 X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN,
sizeof( peer_CN ) );
286 m_certInfo.
issuer = peer_CN;
287 X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN,
sizeof( peer_CN ) );
288 m_certInfo.
server = peer_CN;
289 m_certInfo.
date_from = ASN1Time2UnixTime( X509_get_notBefore( peer ) );
290 m_certInfo.
date_to = ASN1Time2UnixTime( X509_get_notAfter( peer ) );
291 std::string p( peer_CN );
292 std::transform( p.begin(), p.end(), p.begin(), tolower );
294 #if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER >= 0x10002000 ) 295 res = X509_check_host( peer, p.c_str(), p.length(), X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, 0 );
301 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000 303 if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 )
306 if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 )
317 tmp = SSL_get_cipher_name( m_ssl );
321 SSL_SESSION* sess = SSL_get_session( m_ssl );
324 switch( SSL_SESSION_get_protocol_version( sess ) )
335 #ifdef TLS1_3_VERSION 339 #endif // TLS1_3_VERSION 341 m_certInfo.
protocol =
"Unknown TLS version";
346 tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) );
356 void OpenSSLBase::pushFunc()
363 while( ( wantwrite = BIO_pending( m_nbio ) ) > 0 )
365 if( wantwrite > m_bufsize )
366 wantwrite = m_bufsize;
371 frombio = BIO_read( m_nbio, m_buf, wantwrite );
377 while( ( wantread = BIO_ctrl_get_read_request( m_nbio ) ) > 0 )
379 if( wantread > m_recvBuffer.length() )
380 wantread = m_recvBuffer.length();
385 tobio = BIO_write( m_nbio, m_recvBuffer.c_str(),
static_cast<int>( wantread ) );
386 m_recvBuffer.erase( 0, tobio );
392 #endif // HAVE_OPENSSL
virtual void setClientCert(const std::string &clientKey, const std::string &clientCerts)
std::list< std::string > StringList
virtual void handleEncryptedData(const TLSBase *base, const std::string &data)=0
virtual int decrypt(const std::string &data)
virtual void setCACerts(const StringList &cacerts)
The namespace for the gloox library.
virtual bool encrypt(const std::string &data)
OpenSSLBase(TLSHandler *th, const std::string &server=EmptyString)
An abstract base class for TLS implementations.
virtual bool init(const std::string &clientKey=EmptyString, const std::string &clientCerts=EmptyString, const StringList &cacerts=StringList())
virtual void handleDecryptedData(const TLSBase *base, const std::string &data)=0
An interface that allows for interacting with TLS implementations derived from TLSBase.
virtual void handleHandshakeResult(const TLSBase *base, bool success, CertInfo &certinfo)=0