X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssl.c;h=42385abd0b7f2cf34765a9609cdf0c83f7073a5a;hb=59d006faba0b4f526010c66e9d4b8d3768450a6b;hp=dc7218d0f0459859409c630996459a4ceac668ab;hpb=3d6597697af81724a9be288af0354c987a696114;p=umurmur.git

diff --git a/src/ssl.c b/src/ssl.c
index dc7218d..42385ab 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1,5 +1,5 @@
-/* Copyright (C) 2009-2012, Martin Johansson <martin@fatbob.nu>
-   Copyright (C) 2005-2012, Thorvald Natvig <thorvald@natvig.com>
+/* Copyright (C) 2009-2014, Martin Johansson <martin@fatbob.nu>
+   Copyright (C) 2005-2014, Thorvald Natvig <thorvald@natvig.com>
 
    All rights reserved.
 
@@ -41,13 +41,14 @@
  * PolarSSL interface
  */
 
+#include <polarssl/config.h>
 #include <polarssl/havege.h>
 #include <polarssl/certs.h>
 #include <polarssl/x509.h>
 #include <polarssl/ssl.h>
 #include <polarssl/net.h>
 
-#ifdef POLARSSL_API_V1_2
+#ifdef POLARSSL_API_V1_2_ABOVE
 int ciphers[] =
 {
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
@@ -64,7 +65,30 @@ int ciphers[] =
     0
 };
 #endif
+
+#ifdef POLARSSL_API_V1_3_ABOVE
+static x509_crt certificate;
+static inline int x509parse_keyfile(rsa_context *rsa, const char *path,
+                                    const char *pwd)
+{
+    int ret;
+    pk_context pk;
+    
+    pk_init(&pk);
+    ret = pk_parse_keyfile(&pk, path, pwd);
+    if (ret == 0 && !pk_can_do( &pk, POLARSSL_PK_RSA))
+        ret = POLARSSL_ERR_PK_TYPE_MISMATCH;
+    if (ret == 0)
+        rsa_copy(rsa, pk_rsa(pk));
+    else
+        rsa_free(rsa);
+    pk_free(&pk);
+    return ret;
+}
+#else
 static x509_cert certificate;
+#endif
+
 static rsa_context key;
 bool_t builtInTestCertificate;
 
@@ -90,8 +114,13 @@ static void initTestCert()
 {
 	int rc;
 	builtInTestCertificate = true;
+#ifdef POLARSSL_API_V1_3_ABOVE
+	rc = x509_crt_parse_rsa(&certificate, (unsigned char *)test_srv_crt,
+		strlen(test_srv_crt));
+#else
 	rc = x509parse_crt(&certificate, (unsigned char *)test_srv_crt,
-					   strlen(test_srv_crt));	
+		strlen(test_srv_crt));
+#endif
 	if (rc != 0)
 		Log_fatal("Could not parse built-in test certificate");
 }
@@ -100,8 +129,8 @@ static void initTestKey()
 {
 	int rc;
 	
-	rc = x509parse_key(&key, (unsigned char *)test_srv_key,
-					   strlen(test_srv_key), NULL, 0);
+	rc = x509parse_key_rsa(&key, (unsigned char *)test_srv_key,
+	                       strlen(test_srv_key), NULL, 0);
 	if (rc != 0)
 		Log_fatal("Could not parse built-in test RSA key");
 }
@@ -126,7 +155,11 @@ static void initCert()
 #endif
 		return;
 	}
+#ifdef POLARSSL_API_V1_3_ABOVE
+	rc = x509_crt_parse_file(&certificate, crtfile);
+#else
 	rc = x509parse_crtfile(&certificate, crtfile);
+#endif
 	if (rc != 0) {
 #ifdef USE_POLARSSL_TESTCERT
 		Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile);
@@ -154,13 +187,14 @@ static void initKey()
 int urandom_bytes(void *ctx, unsigned char *dest, size_t len)
 {
 	int cur;
-
+	
 	while (len) {
 		cur = read(urandom_fd, dest, len);
 		if (cur < 0)
 			continue;
 		len -= cur;
 	}
+	return 0;
 }
 #endif
 
@@ -195,28 +229,31 @@ void SSLi_init(void)
     urandom_fd = open("/dev/urandom", O_RDONLY);
     if (urandom_fd < 0)
 	    Log_fatal("Cannot open /dev/urandom");
-    Log_info("Using random number generator /dev/urandom");
 #endif
     
-#ifdef POLARSSL_VERSION_MAJOR
     version_get_string(verstring);
     Log_info("PolarSSL library version %s initialized", verstring);
-#else
-	Log_info("PolarSSL library initialized");
-#endif
 }
 
 void SSLi_deinit(void)
 {
+#ifdef POLARSSL_API_V1_3_ABOVE
+	x509_crt_free(&certificate);
+#else	
 	x509_free(&certificate);
+#endif
 	rsa_free(&key);
 }
 
 /* Create SHA1 of last certificate in the peer's chain. */
 bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
 {
+#ifdef POLARSSL_API_V1_3_ABOVE
+	x509_crt const *cert;
+#else
 	x509_cert const *cert;
-#ifdef POLARSSL_API_V1_2
+#endif
+#ifdef POLARSSL_API_V1_2_ABOVE
 	cert = ssl_get_peer_cert(ssl);
 #else
 	cert = ssl->peer_cert;
@@ -259,14 +296,18 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
 
 	ssl_set_ciphersuites(ssl, ciphers);
 
-#ifdef POLARSSL_API_V1_2
+#ifdef POLARSSL_API_V1_2_ABOVE
     ssl_set_session(ssl, ssn);
 #else
     ssl_set_session(ssl, 0, 0, ssn);
 #endif
     
     ssl_set_ca_chain(ssl, &certificate, NULL, NULL);
+#ifdef POLARSSL_API_V1_3_ABOVE
+	ssl_set_own_cert_rsa(ssl, &certificate, &key);
+#else
 	ssl_set_own_cert(ssl, &certificate, &key);
+#endif
 	ssl_set_dh_param(ssl, my_dhm_P, my_dhm_G);
 
 	return ssl;
@@ -280,7 +321,7 @@ int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
 	if (rc != 0) {
 		if (rc == POLARSSL_ERR_NET_WANT_READ || rc == POLARSSL_ERR_NET_WANT_WRITE) {
 			return 0;
-		} else if (POLARSSL_ERR_X509_CERT_VERIFY_FAILED) { /* Allow this (selfsigned etc) */
+		} else if (rc == POLARSSL_ERR_X509_CERT_VERIFY_FAILED) { /* Allow this (selfsigned etc) */
 			return 0;			
 		} else {
 			Log_warn("SSL handshake failed: %d", rc);
@@ -329,7 +370,10 @@ void SSLi_shutdown(SSL_handle_t *ssl)
 void SSLi_free(SSL_handle_t *ssl)
 {
 	Log_debug("SSLi_free");
-	free(ssl->session); /* XXX - Hmmm. */
+#if (POLARSSL_VERSION_MINOR <= 2 && POLARSSL_VERSION_PATCH < 6)
+	free(ssl->session); /* Workaround for memory leak in PolarSSL < 1.2.6 */
+	ssl->session = NULL;
+#endif
 	ssl_free(ssl);
 	free(ssl);
 }
@@ -369,7 +413,7 @@ static X509 *SSL_readcert(char *certfile)
 	FILE *fp;
 	X509 *x509;
 			
-	/* open the private key file */
+	/* open the certificate file */
 	fp = fopen(certfile, "r");
 	if (fp == NULL) {
 		Log_warn("Unable to open the X509 file %s for reading.", certfile);
@@ -422,23 +466,15 @@ static RSA *SSL_readprivatekey(char *keyfile)
 static void SSL_writecert(char *certfile, X509 *x509)
 {
 	FILE *fp;
-	BIO *err_output;
-	
-	/* prepare a BIO for outputting error messages */
-	
-	err_output = BIO_new_fp(stderr,BIO_NOCLOSE);
-	
+		
 	/* open the private key file */
 	fp = fopen(certfile, "w");
 	if (fp == NULL) {
-		BIO_printf(err_output, "Unable to open the X509 file for writing.\n");
-		BIO_free(err_output);
+		Log_warn("Unable to open the X509 file %s for writing", certfile);
 		return;
-	}
-		
+	}		
 	if (PEM_write_X509(fp, x509) == 0) {
-		BIO_printf(err_output, "Error trying to write X509 info.\n");
-		ERR_print_errors(err_output);
+		Log_warn("Error trying to write X509 info.");
 	}
 	fclose(fp);
 }
@@ -446,27 +482,22 @@ static void SSL_writecert(char *certfile, X509 *x509)
 static void SSL_writekey(char *keyfile, RSA *rsa)
 {
 	FILE *fp;
-	BIO *err_output;
-	/* prepare a BIO for outputing error messages */	
-	err_output = BIO_new_fp(stderr, BIO_NOCLOSE);
 	
 	/* open the private key file for reading */
 	fp = fopen(keyfile, "w");
 	if (fp == NULL) {
-		BIO_printf(err_output, "Unable to open the private key file %s for writing.\n", keyfile);
-		BIO_free(err_output);
+		Log_warn("Unable to open the private key file %s for writing.", keyfile);
 		return;
 	}
 	
 	if (PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL) == 0) {
-		/* error reading the key - check the error stack */
-		BIO_printf(err_output, "Error trying to write private key\n");
-		ERR_print_errors(err_output);
+		Log_warn("Error trying to write private key");
 	}
 	fclose(fp);
 }
 
 static void SSL_initializeCert() {
+
 	char *crt, *key, *pass;
 	
 	crt = (char *)getStrConf(CERTIFICATE);
@@ -479,6 +510,7 @@ static void SSL_initializeCert() {
 		pkey = EVP_PKEY_new();
 		EVP_PKEY_assign_RSA(pkey, rsa);
 	}		
+
 	
 #if 0
 	/* Later ... */
@@ -512,14 +544,11 @@ static void SSL_initializeCert() {
 #endif
 	
 	if (!rsa || !x509) {
-		logthis("Generating new server certificate.");
+		Log_info("Generating new server certificate.");
 
-		BIO *bio_err;
 		
 		CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-		
-		bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
-		
+				
 		x509 = X509_new();
 		pkey = EVP_PKEY_new();
 		rsa = RSA_generate_key(1024,RSA_F4,NULL,NULL);
@@ -558,16 +587,23 @@ void SSLi_init(void)
 	char *cipherstring, tempstring[128];
 		
 	SSL_library_init();
-    OpenSSL_add_all_algorithms();		/* load & register all cryptos, etc. */
-    SSL_load_error_strings();			/* load all error messages */
-    ERR_load_crypto_strings();			/* load all error messages */
-    method = SSLv23_server_method();		/* create new server-method instance */
-    context = SSL_CTX_new(method);			/* create new context from method */
-    if (context == NULL)
-    {
-        ERR_print_errors_fp(stderr);
-        abort();
-    }
+	OpenSSL_add_all_algorithms();		/* load & register all cryptos, etc. */
+	SSL_load_error_strings();			/* load all error messages */
+	ERR_load_crypto_strings();			/* load all error messages */
+	method = SSLv23_server_method();		/* create new server-method instance */
+	context = SSL_CTX_new(method);			/* create new context from method */
+	if (context == NULL)
+	{
+		ERR_print_errors_fp(stderr);
+		abort();
+	}
+	
+	char* sslCAPath = getStrConf(CAPATH);
+	if(sslCAPath != NULL)
+	{
+		SSL_CTX_load_verify_locations(context, NULL, sslCAPath);
+	}
+	
 	SSL_initializeCert();
 	if (SSL_CTX_use_certificate(context, x509) <= 0)
 		Log_fatal("Failed to initialize cert");
@@ -575,7 +611,7 @@ void SSLi_init(void)
 		ERR_print_errors_fp(stderr);
 		Log_fatal("Failed to initialize private key");
 	}
-
+	
 	/* Set cipher list */
 	ssl = SSL_new(context);	
 	cipherlist = (STACK_OF(SSL_CIPHER) *) SSL_get_ciphers(ssl);