1 /* Copyright (C) 2009-2010, Martin Johansson <martin@fatbob.nu>
2 Copyright (C) 2005-2010, Thorvald Natvig <thorvald@natvig.com>
6 Redistribution and use in source and binary forms, with or without
7 modification, are permitted provided that the following conditions
10 - Redistributions of source code must retain the above copyright notice,
11 this list of conditions and the following disclaimer.
12 - Redistributions in binary form must reproduce the above copyright notice,
13 this list of conditions and the following disclaimer in the documentation
14 and/or other materials provided with the distribution.
15 - Neither the name of the Developers nor the names of its contributors may
16 be used to endorse or promote products derived from this software without
17 specific prior written permission.
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
23 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
27 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
28 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
29 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
43 #include <polarssl/havege.h>
44 #include <polarssl/certs.h>
45 #include <polarssl/x509.h>
46 #include <polarssl/ssl.h>
47 #include <polarssl/net.h>
49 #define CA_CRT_FILENAME "ca.crt"
53 SSL_EDH_RSA_AES_256_SHA,
54 SSL_EDH_RSA_CAMELLIA_256_SHA,
55 SSL_EDH_RSA_DES_168_SHA,
57 SSL_RSA_CAMELLIA_256_SHA,
59 SSL_RSA_CAMELLIA_128_SHA,
65 static x509_cert certificate;
66 static rsa_context key;
67 bool_t builtInTestCertificate;
69 havege_state hs; /* exported to crypt.c */
73 "9CE85640903BF123906947FEDE767261" \
74 "D9B4A973EB8F7D984A8C656E2BCC161C" \
75 "183D4CA471BA78225F940F16D1D99CA3" \
76 "E66152CC68EDCE1311A390F307741835" \
77 "44FF6AB553EC7073AD0CB608F2A3B480" \
78 "19E6C02BCED40BD30E91BB2469089670" \
79 "DEF409C08E8AC24D1732A6128D2220DC53";
82 static void initTestCert()
85 builtInTestCertificate = true;
86 rc = x509parse_crt(&certificate, (unsigned char *)test_srv_crt,
87 strlen(test_srv_crt));
89 Log_fatal("Could not parse built-in test certificate");
90 rc = x509parse_crt(&certificate, (unsigned char *)test_ca_crt,
93 Log_fatal("Could not parse built-in test CA certificate");
96 static void initTestKey()
100 rc = x509parse_key(&key, (unsigned char *)test_srv_key,
101 strlen(test_srv_key), NULL, 0);
103 Log_fatal("Could not parse built-in test RSA key");
107 * openssl genrsa 1024 > host.key
108 * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
110 static void initCert()
113 char *crtfile = (char *)getStrConf(CERTIFICATE);
116 if (crtfile == NULL) {
117 Log_warn("No certificate file specified");
121 rc = x509parse_crtfile(&certificate, crtfile);
123 Log_warn("Could not read certificate file %s", crtfile);
128 /* Look for CA certificate file in same dir */
129 ca_file = malloc(strlen(crtfile) + strlen(CA_CRT_FILENAME) + 1);
130 strcpy(ca_file, crtfile);
131 p = strrchr(ca_file, '/');
133 strcpy(p + 1, CA_CRT_FILENAME);
135 strcpy(ca_file, CA_CRT_FILENAME);
137 rc = x509parse_crtfile(&certificate, ca_file);
138 if (rc != 0) { /* No CA certifiacte found. Assume self-signed. */
139 Log_info("CA certificate file %s not found. Assuming self-signed certificate.", ca_file);
143 * PolarSSL 0.11 - 0.12,1 has a bug; it ignores the last certificate in the chain.
144 * Read the certificate again so that it gets last in chain. Later releases like 0.14.0 works
145 * fine with the extra certificate, so I don't see any harm in doing so.
147 rc = x509parse_crtfile(&certificate, crtfile);
149 Log_fatal("Could not read certificate file %s", crtfile);
154 static void initKey()
157 char *keyfile = (char *)getStrConf(KEY);
160 Log_fatal("No key file specified");
161 rc = x509parse_keyfile(&key, keyfile, NULL);
163 Log_fatal("Could not read RSA key file %s", keyfile);
166 #define DEBUG_LEVEL 0
167 static void pssl_debug(void *ctx, int level, const char *str)
169 if (level <= DEBUG_LEVEL)
170 Log_debug("PolarSSL [level %d]: %s", level, str);
176 if (builtInTestCertificate) {
177 Log_warn("*** Using built-in test certificate and RSA key ***");
178 Log_warn("*** This is not secure! Please use a CA-signed certificate or create a self-signed certificate ***");
184 Log_info("PolarSSL library initialized");
187 void SSLi_deinit(void)
189 x509_free(&certificate);
193 SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
199 ssl = malloc(sizeof(ssl_context));
200 ssn = malloc(sizeof(ssl_session));
202 Log_fatal("Out of memory");
203 memset(ssl, 0, sizeof(ssl_context));
204 memset(ssn, 0, sizeof(ssl_session));
208 Log_fatal("Failed to initalize: %d", rc);
210 ssl_set_endpoint(ssl, SSL_IS_SERVER);
211 ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL);
213 ssl_set_rng(ssl, havege_rand, &hs);
214 ssl_set_dbg(ssl, pssl_debug, NULL);
215 ssl_set_bio(ssl, net_recv, fd, net_send, fd);
217 ssl_set_ciphers(ssl, ciphers);
218 ssl_set_session(ssl, 0, 0, ssn);
220 ssl_set_ca_chain(ssl, certificate.next, NULL, NULL);
221 ssl_set_own_cert(ssl, &certificate, &key);
222 ssl_set_dh_param(ssl, my_dhm_P, my_dhm_G);
227 int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
231 rc = ssl_handshake(ssl);
233 if (rc == POLARSSL_ERR_NET_TRY_AGAIN) {
236 Log_warn("SSL handshake failed: %d", rc);
244 int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
247 rc = ssl_read(ssl, buf, len);
248 if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
249 return SSLI_ERROR_WANT_READ;
253 int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len)
256 rc = ssl_write(ssl, buf, len);
257 if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
258 return SSLI_ERROR_WANT_WRITE;
262 int SSLi_get_error(SSL_handle_t *ssl, int code)
267 bool_t SSLi_data_pending(SSL_handle_t *ssl)
269 return ssl_get_bytes_avail(ssl) > 0;
272 void SSLi_shutdown(SSL_handle_t *ssl)
274 ssl_close_notify(ssl);
277 void SSLi_free(SSL_handle_t *ssl)
279 Log_debug("SSLi_free");
280 free(ssl->session); /* XXX - Hmmm. */
290 #include <openssl/x509v3.h>
291 #include <openssl/ssl.h>
292 #include <openssl/err.h>
293 #include <openssl/safestack.h>
296 static SSL_CTX *context;
297 static EVP_PKEY *pkey;
299 static int SSL_add_ext(X509 * crt, int nid, char *value) {
302 X509V3_set_ctx_nodb(&ctx);
303 X509V3_set_ctx(&ctx, crt, crt, NULL, NULL, 0);
304 ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
308 X509_add_ext(crt, ex, -1);
309 X509_EXTENSION_free(ex);
313 static X509 *SSL_readcert(char *certfile)
318 /* open the private key file */
319 fp = fopen(certfile, "r");
321 Log_warn("Unable to open the X509 file %s for reading.", certfile);
325 /* allocate memory for the cert structure */
328 if (PEM_read_X509(fp, &x509, NULL, NULL) == 0) {
329 /* error reading the x509 information - check the error stack */
330 Log_warn("Error trying to read X509 info.");
339 static RSA *SSL_readprivatekey(char *keyfile)
344 /* open the private key file for reading */
345 fp = fopen(keyfile, "r");
347 Log_warn("Unable to open the private key file %s for reading.", keyfile);
351 /* allocate memory for the RSA structure */
354 /* assign a callback function for the password */
356 /* read a private key from file */
357 if (PEM_read_RSAPrivateKey(fp, &rsa, NULL, NULL) <= 0) {
358 /* error reading the key - check the error stack */
359 Log_warn("Error trying to read private key.");
368 static void SSL_writecert(char *certfile, X509 *x509)
373 /* prepare a BIO for outputting error messages */
375 err_output = BIO_new_fp(stderr,BIO_NOCLOSE);
377 /* open the private key file */
378 fp = fopen(certfile, "w");
380 BIO_printf(err_output, "Unable to open the X509 file for writing.\n");
381 BIO_free(err_output);
385 if (PEM_write_X509(fp, x509) == 0) {
386 BIO_printf(err_output, "Error trying to write X509 info.\n");
387 ERR_print_errors(err_output);
392 static void SSL_writekey(char *keyfile, RSA *rsa)
396 /* prepare a BIO for outputing error messages */
397 err_output = BIO_new_fp(stderr, BIO_NOCLOSE);
399 /* open the private key file for reading */
400 fp = fopen(keyfile, "w");
402 BIO_printf(err_output, "Unable to open the private key file %s for writing.\n", keyfile);
403 BIO_free(err_output);
407 if (PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL) == 0) {
408 /* error reading the key - check the error stack */
409 BIO_printf(err_output, "Error trying to write private key\n");
410 ERR_print_errors(err_output);
415 static void SSL_initializeCert() {
416 char *crt, *key, *pass;
418 crt = (char *)getStrConf(CERTIFICATE);
419 key = (char *)getStrConf(KEY);
420 pass = (char *)getStrConf(PASSPHRASE);
422 x509 = SSL_readcert(crt);
423 rsa = SSL_readprivatekey(key);
425 pkey = EVP_PKEY_new();
426 EVP_PKEY_assign_RSA(pkey, rsa);
432 qscCert = QSslCertificate(key);
433 if (! qscCert.isNull()) {
434 logthis("Using certificate from key.");
438 if (! qscCert.isNull()) {
439 QSsl::KeyAlgorithm alg = qscCert.publicKey().algorithm();
440 /* Fetch algorith from cert */
441 if (! key.isEmpty()) {
443 qskKey = QSslKey(key, alg, QSsl::Pem, QSsl::PrivateKey, pass);
444 if (qskKey.isNull()) {
445 logthis("Failed to parse key.");
449 if (! crt.isEmpty() && qskKey.isNull()) {
450 /* get key from certificate */
451 qskKey = QSslKey(crt, alg, QSsl::Pem, QSsl::PrivateKey, pass);
452 if (! qskKey.isNull()) {
453 logthis("Using key from certificate.");
461 logthis("Generating new server certificate.");
465 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
467 bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
470 pkey = EVP_PKEY_new();
471 rsa = RSA_generate_key(1024,RSA_F4,NULL,NULL);
472 EVP_PKEY_assign_RSA(pkey, rsa);
474 X509_set_version(x509, 2);
475 ASN1_INTEGER_set(X509_get_serialNumber(x509),1);
476 X509_gmtime_adj(X509_get_notBefore(x509),0);
477 X509_gmtime_adj(X509_get_notAfter(x509),60*60*24*365);
478 X509_set_pubkey(x509, pkey);
480 X509_NAME *name=X509_get_subject_name(x509);
482 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (const uint8_t *)"Murmur Autogenerated Certificate v2", -1, -1, 0);
483 X509_set_issuer_name(x509, name);
484 SSL_add_ext(x509, NID_basic_constraints, "critical,CA:FALSE");
485 SSL_add_ext(x509, NID_ext_key_usage, "serverAuth,clientAuth");
486 SSL_add_ext(x509, NID_subject_key_identifier, "hash");
487 SSL_add_ext(x509, NID_netscape_comment, "Generated from umurmur");
489 X509_sign(x509, pkey, EVP_md5());
491 SSL_writecert(crt, x509);
492 SSL_writekey(key, rsa);
499 const SSL_METHOD *method;
502 STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL;
504 char cipherstring[1024];
507 OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
508 SSL_load_error_strings(); /* load all error messages */
509 ERR_load_crypto_strings(); /* load all error messages */
510 method = SSLv23_server_method(); /* create new server-method instance */
511 context = SSL_CTX_new(method); /* create new context from method */
514 ERR_print_errors_fp(stderr);
517 SSL_initializeCert();
518 if (SSL_CTX_use_certificate(context, x509) <= 0)
519 Log_fatal("Failed to initialize cert");
520 if (SSL_CTX_use_PrivateKey(context, pkey) <= 0) {
521 ERR_print_errors_fp(stderr);
522 Log_fatal("Failed to initialize private key");
525 /* Set cipher list */
526 ssl = SSL_new(context);
527 cipherlist = (STACK_OF(SSL_CIPHER) *) SSL_get_ciphers(ssl);
528 cipherlist_new = (STACK_OF(SSL_CIPHER) *) sk_SSL_CIPHER_new_null();
530 for ( i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist, i)) != NULL; i++) {
531 if (SSL_CIPHER_get_bits(cipher, NULL) >= 128) {
532 sk_SSL_CIPHER_push(cipherlist_new, cipher);
535 Log_debug("List of ciphers:");
536 if (cipherlist_new) {
537 for ( i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
538 Log_debug("%s", SSL_CIPHER_get_name(cipher));
539 offset += snprintf(cipherstring + offset, 1024 - offset, "%s:", SSL_CIPHER_get_name(cipher));
541 cipherstring[offset - 1] = '\0';
545 sk_SSL_CIPHER_free(cipherlist_new);
547 if (strlen(cipherstring) == 0)
548 Log_fatal("No suitable ciphers found!");
550 if (SSL_CTX_set_cipher_list(context, cipherstring) == 0)
551 Log_fatal("Failed to set cipher list!");
555 Log_info("OpenSSL library initialized");
559 void SSLi_deinit(void)
561 SSL_CTX_free(context);
565 int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
568 rc = SSL_accept(ssl);
570 if (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ ||
571 SSL_get_error(ssl, rc) == SSL_ERROR_WANT_WRITE) {
572 Log_debug("SSL not ready");
575 Log_warn("SSL error: %s", ERR_error_string(SSL_get_error(ssl, rc), NULL));
583 SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
588 ssl = SSL_new(context);
589 SSL_set_fd(ssl, *fd);
590 if (SSLi_nonblockaccept(ssl, SSLready) < 0) {
597 void SSLi_closeconnection(SSL_handle_t *ssl)
602 void SSLi_shutdown(SSL_handle_t *ssl)
607 int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
609 return SSL_read(ssl, buf, len);
612 int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len)
614 return SSL_write(ssl, buf, len);
617 int SSLi_get_error(SSL_handle_t *ssl, int code)
619 return SSL_get_error(ssl, code);
622 bool_t SSLi_data_pending(SSL_handle_t *ssl)
624 return SSL_pending(ssl);
627 void SSLi_free(SSL_handle_t *ssl)