-/* Copyright (C) 2009-2011, Martin Johansson <martin@fatbob.nu>
- Copyright (C) 2005-2011, Thorvald Natvig <thorvald@natvig.com>
+/* Copyright (C) 2009-2012, Martin Johansson <martin@fatbob.nu>
+ Copyright (C) 2005-2012, Thorvald Natvig <thorvald@natvig.com>
All rights reserved.
#include <polarssl/ssl.h>
#include <polarssl/net.h>
+#ifdef POLARSSL_API_V1_2
+int ciphers[] =
+{
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ 0
+};
+#else
int ciphers[] =
{
SSL_EDH_RSA_AES_256_SHA,
- SSL_EDH_RSA_CAMELLIA_256_SHA,
- SSL_EDH_RSA_DES_168_SHA,
SSL_RSA_AES_256_SHA,
- SSL_RSA_CAMELLIA_256_SHA,
SSL_RSA_AES_128_SHA,
- SSL_RSA_CAMELLIA_128_SHA,
- SSL_RSA_DES_168_SHA,
- SSL_RSA_RC4_128_SHA,
- SSL_RSA_RC4_128_MD5,
0
};
+#endif
static x509_cert certificate;
static rsa_context key;
bool_t builtInTestCertificate;
/* Create SHA1 of last certificate in the peer's chain. */
bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
{
- x509_cert *cert = ssl->peer_cert;
- if (!ssl->peer_cert) {
- /* XXX what to do? */
+ x509_cert *cert;
+#ifdef POLARSSL_API_V1_2
+ cert = ssl_get_peer_cert(ssl);
+#else
+ cert = ssl->peer_cert;
+#endif
+ if (!cert) {
return false;
}
sha1(cert->raw.p, cert->raw.len, hash);
#else
ssl_set_ciphers(ssl, ciphers);
#endif
+
+#ifdef POLARSSL_API_V1_2
+ ssl_set_session(ssl, ssn);
+#else
ssl_set_session(ssl, 0, 0, ssn);
+#endif
ssl_set_ca_chain(ssl, &certificate, NULL, NULL);
ssl_set_own_cert(ssl, &certificate, &key);
{
const SSL_METHOD *method;
SSL *ssl;
- int i, offset = 0;
+ int i, offset = 0, cipherstringlen = 0;
STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL;
SSL_CIPHER *cipher;
- char cipherstring[1024];
+ char *cipherstring, tempstring[128];
SSL_library_init();
OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
}
Log_debug("List of ciphers:");
if (cipherlist_new) {
- for ( i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
+ for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
Log_debug("%s", SSL_CIPHER_get_name(cipher));
- offset += snprintf(cipherstring + offset, 1024 - offset, "%s:", SSL_CIPHER_get_name(cipher));
+ cipherstringlen += strlen(SSL_CIPHER_get_name(cipher)) + 1;
+ }
+ cipherstring = malloc(cipherstringlen + 1);
+ if (cipherstring == NULL)
+ Log_fatal("Out of memory");
+ for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
+ offset += sprintf(cipherstring + offset, "%s:", SSL_CIPHER_get_name(cipher));
}
- cipherstring[offset - 1] = '\0';
}
if (cipherlist_new)
if (SSL_CTX_set_cipher_list(context, cipherstring) == 0)
Log_fatal("Failed to set cipher list!");
+
+ free(cipherstring);
SSL_CTX_set_verify(context, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
verify_callback);
int len;
x509 = SSL_get_peer_certificate(ssl);
- if (x509) {
+ if (!x509) {
return false;
}
if (buf == NULL) {
Log_fatal("malloc");
}
+
+ p = buf;
+ i2d_X509(x509, &p);
- i2d_X509(x509, &p);
-
- SHA1(p, len, hash);
+ SHA1(buf, len, hash);
free(buf);
return true;
}
X509_STORE_CTX_set_error(ctx, err);
}
if (!preverify_ok) {
- Log_warn("verify error:num=%d:%s:depth=%d:%s\n", err,
+ Log_warn("SSL: verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf);
}
/*
* At this point, err contains the last verification error. We can use
* it for something special
*/
- if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
- {
+ if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
- Log_warn("issuer= %s", buf);
+ Log_warn("issuer= %s", buf);
}
return 1;
}