Select Git revision
manage_code_file_headers.py
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
VioSSLFactoriesFd.cc 9.70 KiB
/*
** Virtual I/O library
** Written by Andrei Errapart <andreie@no.spam.ee>
*/
#include "vio-global.h"
#ifdef VIO_HAVE_OPENSSL
#ifdef __GNUC__
#pragma implementation // gcc: Class implementation
#endif
#include <netinet/in.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/asn1.h>
VIO_NS_BEGIN
#define this_ssl_method my_static_cast(SSL_METHOD*)(this->ssl_method_)
#define this_ssl_context my_static_cast(SSL_CTX*)(this->ssl_context_)
typedef unsigned char* ssl_data_ptr_t;
static bool ssl_algorithms_added = FALSE;
static bool ssl_error_strings_loaded= FALSE;
static int verify_depth = 0;
static int verify_error = X509_V_OK;
static int
vio_verify_callback(int ok, X509_STORE_CTX *ctx)
{
DBUG_ENTER("vio_verify_callback");
DBUG_PRINT("enter", ("ok=%d, ctx=%p", ok, ctx));
char buf[256];
X509* err_cert;
int err,depth;
err_cert=X509_STORE_CTX_get_current_cert(ctx);
err= X509_STORE_CTX_get_error(ctx);
depth= X509_STORE_CTX_get_error_depth(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buff));
if (!ok)
{
DBUG_PRINT("error",("verify error:num=%d:%s\n",err,
X509_verify_cert_error_string(err)));
if (verify_depth >= depth)
{
ok=1;
verify_error=X509_V_OK;
}
else
{
ok=0;
verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
}
}
switch (ctx->error) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
DBUG_PRINT("info",("issuer= %s\n",buf));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
DBUG_PRINT("error", ("notBefore"));
//ASN1_TIME_print_fp(stderr,X509_get_notBefore(ctx->current_cert));
break; case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
DBUG_PRINT("error", ("notAfter error"));
//ASN1_TIME_print_fp(stderr,X509_get_notAfter(ctx->current_cert));
break;
}
DBUG_PRINT("exit", ("r=%d", ok));
DBUG_RETURN(ok);
}
static int
vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{
DBUG_ENTER("vio_set_cert_stuff");
DBUG_PRINT("enter", ("ctx=%p, cert_file=%p, key_file=%p",
ctx, cert_file, key_file));
if (cert_file != NULL)
{
if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0)
{
DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file));
/* FIX stderr */
ERR_print_errors_fp(stderr);
DBUG_RETURN(0);
}
if (key_file == NULL)
key_file = cert_file;
if (SSL_CTX_use_PrivateKey_file(ctx,key_file,
SSL_FILETYPE_PEM) <= 0)
{
DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file));
/* FIX stderr */
ERR_print_errors_fp(stderr);
DBUG_RETURN(0);
}
/* If we are using DSA, we can copy the parameters from
* the private key */
/* Now we know that a key and cert have been set against
* the SSL context */
if (!SSL_CTX_check_private_key(ctx))
{
DBUG_PRINT("error", ("Private key does not match the certificate public key\n"));
DBUG_RETURN(0);
}
}
DBUG_RETURN(1);
}
/************************ VioSSLConnectorFd **********************************/
VioSSLConnectorFd::VioSSLConnectorFd(const char* key_file,
const char* cert_file,
const char* ca_file,
const char* ca_path)
:ssl_context_(0),ssl_method_(0)
{
DBUG_ENTER("VioSSLConnectorFd::VioSSLConnectorFd");
DBUG_PRINT("enter",
("this=%p, key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s",
this, key_file, cert_file, ca_path, ca_file));
/* FIXME: constants! */
int verify = SSL_VERIFY_PEER;
if (!ssl_algorithms_added)
{
DBUG_PRINT("info", ("todo: SSLeay_add_ssl_algorithms()"));
ssl_algorithms_added = true;
SSLeay_add_ssl_algorithms(); }
if (!ssl_error_strings_loaded)
{
DBUG_PRINT("info", ("todo:SSL_load_error_strings()"));
ssl_error_strings_loaded = true;
SSL_load_error_strings();
}
ssl_method_ = SSLv3_client_method();
ssl_context_ = SSL_CTX_new(this_ssl_method);
if (ssl_context_ == 0)
{
DBUG_PRINT("error", ("SSL_CTX_new failed"));
report_errors();
goto ctor_failure;
}
/*
* SSL_CTX_set_options
* SSL_CTX_set_info_callback
* SSL_CTX_set_cipher_list
*/
SSL_CTX_set_verify(this_ssl_context, verify, vio_verify_callback);
if (vio_set_cert_stuff(this_ssl_context, cert_file, key_file) == -1)
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
goto ctor_failure;
}
if (SSL_CTX_load_verify_locations( this_ssl_context, ca_file,ca_path)==0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(this_ssl_context)==0)
{
DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
report_errors();
goto ctor_failure;
}
}
DBUG_VOID_RETURN;
ctor_failure:
DBUG_PRINT("exit", ("there was an error"));
DBUG_VOID_RETURN;
}
VioSSLConnectorFd::~VioSSLConnectorFd()
{
DBUG_ENTER("VioSSLConnectorFd::~VioSSLConnectorFd");
DBUG_PRINT("enter", ("this=%p", this));
if (ssl_context_!=0)
SSL_CTX_free(this_ssl_context);
DBUG_VOID_RETURN;
}
VioSSL* VioSSLConnectorFd::connect( int fd)
{
DBUG_ENTER("VioSSLConnectorFd::connect");
DBUG_PRINT("enter", ("this=%p, fd=%d", this, fd));
DBUG_RETURN(new VioSSL(fd, ssl_context_, VioSSL::state_connect));
}
VioSSL*
VioSSLConnectorFd::connect( VioSocket* sd)
{
DBUG_ENTER("VioSSLConnectorFd::connect");
DBUG_PRINT("enter", ("this=%p, sd=%s", this, sd->description()));
DBUG_RETURN(new VioSSL(sd, ssl_context_, VioSSL::state_connect));
}
void
VioSSLConnectorFd::report_errors()
{ unsigned long l;
const char* file;
const char* data;
int line,flags;
DBUG_ENTER("VioSSLConnectorFd::report_errors");
DBUG_PRINT("enter", ("this=%p", this));
while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
{
char buf[200];
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
file,line,(flags&ERR_TXT_STRING)?data:"")) ;
}
DBUG_VOID_RETURN;
}
/************************ VioSSLAcceptorFd **********************************/
VioSSLAcceptorFd::VioSSLAcceptorFd(const char* key_file,
const char* cert_file,
const char* ca_file,
const char* ca_path)
:ssl_context_(0), ssl_method_(0)
{
DBUG_ENTER("VioSSLAcceptorFd::VioSSLAcceptorFd");
DBUG_PRINT("enter",
("this=%p, key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s",
this, key_file, cert_file, ca_path, ca_file));
/* FIXME: constants! */
int verify = (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
SSL_VERIFY_CLIENT_ONCE);
session_id_context_ = static_cast<vio_ptr>(this);
if (!ssl_algorithms_added)
{
DBUG_PRINT("info", ("todo: SSLeay_add_ssl_algorithms()"));
ssl_algorithms_added = true;
SSLeay_add_ssl_algorithms();
}
if (!ssl_error_strings_loaded)
{
DBUG_PRINT("info", ("todo: SSL_load_error_strings()"));
ssl_error_strings_loaded = true;
SSL_load_error_strings();
}
ssl_method_ = SSLv3_server_method();
ssl_context_ = SSL_CTX_new(this_ssl_method);
if (ssl_context_==0)
{
DBUG_PRINT("error", ("SSL_CTX_new failed"));
report_errors();
goto ctor_failure;
}
/*
* SSL_CTX_set_quiet_shutdown(ctx,1);
*
*/
SSL_CTX_sess_set_cache_size(this_ssl_context,128);
/* DH?
*/
SSL_CTX_set_verify(this_ssl_context, verify, vio_verify_callback);
/*
* Double cast needed at least for egcs-1.1.2 to
* supress warnings:
* 1) ANSI C++ blaah implicit cast from 'void*' to 'unsigned char*'
* 2) static_cast from 'void**' to 'unsigned char*' * Wish I had a copy of standard handy...
*/
SSL_CTX_set_session_id_context(this_ssl_context,
my_static_cast(ssl_data_ptr_t)
(my_static_cast(void*)(&session_id_context_)),
sizeof(session_id_context_));
/*
* SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
*/
if (vio_set_cert_stuff(this_ssl_context, cert_file, key_file) == -1)
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
goto ctor_failure;
}
if (SSL_CTX_load_verify_locations( this_ssl_context, ca_file, ca_path)==0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(this_ssl_context)==0)
{
DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
report_errors();
goto ctor_failure;
}
}
DBUG_VOID_RETURN;
ctor_failure:
DBUG_PRINT("exit", ("there was an error"));
DBUG_VOID_RETURN;
}
VioSSLAcceptorFd::~VioSSLAcceptorFd()
{
DBUG_ENTER("VioSSLAcceptorFd::~VioSSLAcceptorFd");
DBUG_PRINT("enter", ("this=%p", this));
if (ssl_context_!=0)
SSL_CTX_free(this_ssl_context);
DBUG_VOID_RETURN;
}
VioSSL*
VioSSLAcceptorFd::accept(int fd)
{
DBUG_ENTER("VioSSLAcceptorFd::accept");
DBUG_PRINT("enter", ("this=%p, fd=%d", this, fd));
DBUG_RETURN(new VioSSL(fd, ssl_context_, VioSSL::state_accept));
}
VioSSL*
VioSSLAcceptorFd::accept(VioSocket* sd)
{
DBUG_ENTER("VioSSLAcceptorFd::accept");
DBUG_PRINT("enter", ("this=%p, sd=%s", this, sd->description()));
DBUG_RETURN(new VioSSL(sd, ssl_context_, VioSSL::state_accept));
}
void
VioSSLAcceptorFd::report_errors()
{
unsigned long l;
const char* file;
const char* data;
int line,flags;
DBUG_ENTER("VioSSLConnectorFd::report_errors");
DBUG_PRINT("enter", ("this=%p", this));
while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
{ char buf[200];
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
file,line,(flags&ERR_TXT_STRING)?data:"")) ;
}
DBUG_VOID_RETURN;
}
VIO_NS_END
#endif /* VIO_HAVE_OPENSSL */