2018-09-27 23:56:48 +02:00
|
|
|
/*
|
|
|
|
* IXSocketOpenSSL.cpp
|
2019-09-30 05:09:51 +02:00
|
|
|
* Author: Benjamin Sergeant, Matt DeBoer
|
|
|
|
* Copyright (c) 2017-2019 Machine Zone, Inc. All rights reserved.
|
2018-09-27 23:56:48 +02:00
|
|
|
*
|
|
|
|
* Adapted from Satori SDK OpenSSL code.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "IXSocketOpenSSL.h"
|
2018-12-15 01:28:11 +01:00
|
|
|
|
2019-09-23 03:06:15 +02:00
|
|
|
#include "IXSocketConnect.h"
|
2018-09-27 23:56:48 +02:00
|
|
|
#include <cassert>
|
|
|
|
#include <errno.h>
|
2019-09-23 03:06:15 +02:00
|
|
|
#include <fnmatch.h>
|
|
|
|
#include <openssl/x509v3.h>
|
2018-09-27 23:56:48 +02:00
|
|
|
#define socketerrno errno
|
|
|
|
|
2019-02-21 03:59:07 +01:00
|
|
|
namespace ix
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
2019-09-30 05:07:53 +02:00
|
|
|
const std::string kDefaultCiphers =
|
|
|
|
"ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA "
|
|
|
|
"ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 "
|
|
|
|
"ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA "
|
|
|
|
"ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 "
|
2019-10-02 00:43:37 +02:00
|
|
|
"DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA "
|
2019-10-10 18:37:27 +02:00
|
|
|
"DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 AES128-SHA";
|
2019-09-30 05:07:53 +02:00
|
|
|
|
2019-01-05 20:42:25 +01:00
|
|
|
std::atomic<bool> SocketOpenSSL::_openSSLInitializationSuccessful(false);
|
2019-03-21 02:34:24 +01:00
|
|
|
std::once_flag SocketOpenSSL::_openSSLInitFlag;
|
2019-01-05 20:42:25 +01:00
|
|
|
|
2019-09-23 03:06:15 +02:00
|
|
|
SocketOpenSSL::SocketOpenSSL(const SocketTLSOptions& tlsOptions, int fd)
|
|
|
|
: Socket(fd)
|
|
|
|
, _ssl_connection(nullptr)
|
|
|
|
, _ssl_context(nullptr)
|
2019-09-30 05:07:53 +02:00
|
|
|
, _tlsOptions(tlsOptions)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
2019-01-05 20:42:25 +01:00
|
|
|
std::call_once(_openSSLInitFlag, &SocketOpenSSL::openSSLInitialize, this);
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
SocketOpenSSL::~SocketOpenSSL()
|
|
|
|
{
|
|
|
|
SocketOpenSSL::close();
|
|
|
|
}
|
|
|
|
|
2019-01-05 20:42:25 +01:00
|
|
|
void SocketOpenSSL::openSSLInitialize()
|
|
|
|
{
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
|
if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, nullptr)) return;
|
|
|
|
#else
|
|
|
|
(void) OPENSSL_config(nullptr);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
(void) OpenSSL_add_ssl_algorithms();
|
|
|
|
(void) SSL_load_error_strings();
|
|
|
|
|
|
|
|
_openSSLInitializationSuccessful = true;
|
|
|
|
}
|
|
|
|
|
2018-09-27 23:56:48 +02:00
|
|
|
std::string SocketOpenSSL::getSSLError(int ret)
|
|
|
|
{
|
|
|
|
unsigned long e;
|
|
|
|
|
|
|
|
int err = SSL_get_error(_ssl_connection, ret);
|
|
|
|
|
|
|
|
if (err == SSL_ERROR_WANT_CONNECT || err == SSL_ERROR_WANT_ACCEPT)
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - connection failure";
|
|
|
|
}
|
|
|
|
else if (err == SSL_ERROR_WANT_X509_LOOKUP)
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - x509 error";
|
|
|
|
}
|
|
|
|
else if (err == SSL_ERROR_SYSCALL)
|
|
|
|
{
|
|
|
|
e = ERR_get_error();
|
|
|
|
if (e > 0)
|
|
|
|
{
|
|
|
|
std::string errMsg("OpenSSL failed - ");
|
|
|
|
errMsg += ERR_error_string(e, nullptr);
|
|
|
|
return errMsg;
|
|
|
|
}
|
|
|
|
else if (e == 0 && ret == 0)
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - received early EOF";
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - underlying BIO reported an I/O error";
|
|
|
|
}
|
|
|
|
}
|
2019-02-21 03:59:07 +01:00
|
|
|
else if (err == SSL_ERROR_SSL)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
|
|
|
e = ERR_get_error();
|
|
|
|
std::string errMsg("OpenSSL failed - ");
|
|
|
|
errMsg += ERR_error_string(e, nullptr);
|
|
|
|
return errMsg;
|
|
|
|
}
|
|
|
|
else if (err == SSL_ERROR_NONE)
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - err none";
|
|
|
|
}
|
|
|
|
else if (err == SSL_ERROR_ZERO_RETURN)
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - err zero return";
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
return "OpenSSL failed - unknown error";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
SSL_CTX* SocketOpenSSL::openSSLCreateContext(std::string& errMsg)
|
|
|
|
{
|
|
|
|
const SSL_METHOD* method = SSLv23_client_method();
|
|
|
|
if (method == nullptr)
|
|
|
|
{
|
|
|
|
errMsg = "SSLv23_client_method failure";
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
_ssl_method = method;
|
|
|
|
|
|
|
|
SSL_CTX* ctx = SSL_CTX_new(_ssl_method);
|
|
|
|
if (ctx)
|
|
|
|
{
|
2019-10-02 00:43:37 +02:00
|
|
|
SSL_CTX_set_mode(ctx,
|
|
|
|
SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
|
|
|
|
2019-09-30 05:07:53 +02:00
|
|
|
SSL_CTX_set_options(
|
|
|
|
ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE);
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
return ctx;
|
|
|
|
}
|
|
|
|
|
2018-10-05 21:08:45 +02:00
|
|
|
/**
|
|
|
|
* Check whether a hostname matches a pattern
|
|
|
|
*/
|
2019-09-23 03:06:15 +02:00
|
|
|
bool SocketOpenSSL::checkHost(const std::string& host, const char* pattern)
|
2018-10-05 21:08:45 +02:00
|
|
|
{
|
2018-10-06 03:45:33 +02:00
|
|
|
return fnmatch(pattern, host.c_str(), 0) != FNM_NOMATCH;
|
2018-10-05 21:08:45 +02:00
|
|
|
}
|
|
|
|
|
2019-09-23 03:06:15 +02:00
|
|
|
bool SocketOpenSSL::openSSLCheckServerCert(SSL* ssl,
|
2018-10-05 21:08:45 +02:00
|
|
|
const std::string& hostname,
|
|
|
|
std::string& errMsg)
|
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
X509* server_cert = SSL_get_peer_certificate(ssl);
|
2018-10-05 21:08:45 +02:00
|
|
|
if (server_cert == nullptr)
|
|
|
|
{
|
|
|
|
errMsg = "OpenSSL failed - peer didn't present a X509 certificate.";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
|
// Check server name
|
|
|
|
bool hostname_verifies_ok = false;
|
2019-09-23 03:06:15 +02:00
|
|
|
STACK_OF(GENERAL_NAME)* san_names = (STACK_OF(GENERAL_NAME)*) X509_get_ext_d2i(
|
|
|
|
(X509*) server_cert, NID_subject_alt_name, NULL, NULL);
|
2018-10-05 21:08:45 +02:00
|
|
|
if (san_names)
|
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
for (int i = 0; i < sk_GENERAL_NAME_num(san_names); i++)
|
2018-10-05 21:08:45 +02:00
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
const GENERAL_NAME* sk_name = sk_GENERAL_NAME_value(san_names, i);
|
2018-10-05 21:08:45 +02:00
|
|
|
if (sk_name->type == GEN_DNS)
|
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
char* name = (char*) ASN1_STRING_data(sk_name->d.dNSName);
|
|
|
|
if ((size_t) ASN1_STRING_length(sk_name->d.dNSName) == strlen(name) &&
|
2019-02-21 03:59:07 +01:00
|
|
|
checkHost(hostname, name))
|
2018-10-05 21:08:45 +02:00
|
|
|
{
|
|
|
|
hostname_verifies_ok = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
|
|
|
|
|
|
|
|
if (!hostname_verifies_ok)
|
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
int cn_pos = X509_NAME_get_index_by_NID(
|
|
|
|
X509_get_subject_name((X509*) server_cert), NID_commonName, -1);
|
2018-10-05 21:08:45 +02:00
|
|
|
if (cn_pos)
|
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
X509_NAME_ENTRY* cn_entry =
|
|
|
|
X509_NAME_get_entry(X509_get_subject_name((X509*) server_cert), cn_pos);
|
2018-10-05 21:08:45 +02:00
|
|
|
|
|
|
|
if (cn_entry)
|
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry);
|
|
|
|
char* cn = (char*) ASN1_STRING_data(cn_asn1);
|
2018-10-05 21:08:45 +02:00
|
|
|
|
2019-09-23 03:06:15 +02:00
|
|
|
if ((size_t) ASN1_STRING_length(cn_asn1) == strlen(cn) &&
|
|
|
|
checkHost(hostname, cn))
|
2018-10-05 21:08:45 +02:00
|
|
|
{
|
|
|
|
hostname_verifies_ok = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!hostname_verifies_ok)
|
|
|
|
{
|
|
|
|
errMsg = "OpenSSL failed - certificate was issued for a different domain.";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
X509_free(server_cert);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-10-01 06:24:25 +02:00
|
|
|
bool SocketOpenSSL::openSSLClientHandshake(const std::string& host, std::string& errMsg)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
|
|
|
while (true)
|
|
|
|
{
|
|
|
|
if (_ssl_connection == nullptr || _ssl_context == nullptr)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
ERR_clear_error();
|
|
|
|
int connect_result = SSL_connect(_ssl_connection);
|
|
|
|
if (connect_result == 1)
|
|
|
|
{
|
2018-10-05 21:08:45 +02:00
|
|
|
return openSSLCheckServerCert(_ssl_connection, host, errMsg);
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
int reason = SSL_get_error(_ssl_connection, connect_result);
|
|
|
|
|
|
|
|
bool rc = false;
|
|
|
|
if (reason == SSL_ERROR_WANT_READ || reason == SSL_ERROR_WANT_WRITE)
|
|
|
|
{
|
|
|
|
rc = true;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
errMsg = getSSLError(connect_result);
|
|
|
|
rc = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!rc)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-02 00:43:37 +02:00
|
|
|
bool SocketOpenSSL::openSSLServerHandshake(std::string& errMsg)
|
|
|
|
{
|
|
|
|
while (true)
|
|
|
|
{
|
|
|
|
if (_ssl_connection == nullptr || _ssl_context == nullptr)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
ERR_clear_error();
|
|
|
|
int accept_result = SSL_accept(_ssl_connection);
|
|
|
|
if (accept_result == 1)
|
|
|
|
{
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
int reason = SSL_get_error(_ssl_connection, accept_result);
|
|
|
|
|
|
|
|
bool rc = false;
|
|
|
|
if (reason == SSL_ERROR_WANT_READ || reason == SSL_ERROR_WANT_WRITE)
|
|
|
|
{
|
|
|
|
rc = true;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
errMsg = getSSLError(accept_result);
|
|
|
|
rc = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!rc)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-30 05:07:53 +02:00
|
|
|
bool SocketOpenSSL::handleTLSOptions(std::string& errMsg)
|
|
|
|
{
|
|
|
|
ERR_clear_error();
|
|
|
|
if (_tlsOptions.hasCertAndKey())
|
|
|
|
{
|
2019-10-01 02:52:39 +02:00
|
|
|
if (SSL_CTX_use_certificate_chain_file(_ssl_context, _tlsOptions.certFile.c_str()) != 1)
|
2019-09-30 05:07:53 +02:00
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_use_certificate_chain_file(\"" +
|
|
|
|
_tlsOptions.certFile + "\") failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
else if (SSL_CTX_use_PrivateKey_file(
|
|
|
|
_ssl_context, _tlsOptions.keyFile.c_str(), SSL_FILETYPE_PEM) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
2019-10-01 02:52:39 +02:00
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_use_PrivateKey_file(\"" + _tlsOptions.keyFile +
|
|
|
|
"\") failed: ";
|
2019-09-30 05:07:53 +02:00
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
else if (!SSL_CTX_check_private_key(_ssl_context))
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - cert/key mismatch(\"" + _tlsOptions.certFile + ", " +
|
|
|
|
_tlsOptions.keyFile + "\")";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ERR_clear_error();
|
|
|
|
if (!_tlsOptions.isPeerVerifyDisabled())
|
|
|
|
{
|
|
|
|
if (_tlsOptions.isUsingSystemDefaults())
|
|
|
|
{
|
|
|
|
if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_default_verify_paths loading failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
2019-09-30 06:13:11 +02:00
|
|
|
return false;
|
2019-09-30 05:07:53 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (SSL_CTX_load_verify_locations(
|
|
|
|
_ssl_context, _tlsOptions.caFile.c_str(), NULL) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
2019-10-01 02:52:39 +02:00
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_load_verify_locations(\"" + _tlsOptions.caFile +
|
|
|
|
"\") failed: ";
|
2019-09-30 05:07:53 +02:00
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
2019-09-30 06:13:11 +02:00
|
|
|
return false;
|
2019-09-30 05:07:53 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
SSL_CTX_set_verify(_ssl_context,
|
|
|
|
SSL_VERIFY_PEER,
|
|
|
|
[](int preverify, X509_STORE_CTX*) -> int { return preverify; });
|
|
|
|
SSL_CTX_set_verify_depth(_ssl_context, 4);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
SSL_CTX_set_verify(_ssl_context, SSL_VERIFY_NONE, nullptr);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_tlsOptions.isUsingDefaultCiphers())
|
|
|
|
{
|
|
|
|
if (SSL_CTX_set_cipher_list(_ssl_context, kDefaultCiphers.c_str()) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
2019-10-01 02:52:39 +02:00
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_set_cipher_list(\"" + kDefaultCiphers +
|
|
|
|
"\") failed: ";
|
2019-09-30 05:07:53 +02:00
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (SSL_CTX_set_cipher_list(_ssl_context, _tlsOptions.ciphers.c_str()) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
2019-10-01 02:52:39 +02:00
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_set_cipher_list(\"" + _tlsOptions.ciphers +
|
|
|
|
"\") failed: ";
|
2019-09-30 05:07:53 +02:00
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-10-02 00:43:37 +02:00
|
|
|
bool SocketOpenSSL::accept(std::string& errMsg)
|
|
|
|
{
|
|
|
|
bool handshakeSuccessful = false;
|
|
|
|
{
|
|
|
|
std::lock_guard<std::mutex> lock(_mutex);
|
|
|
|
|
|
|
|
if (!_openSSLInitializationSuccessful)
|
|
|
|
{
|
|
|
|
errMsg = "OPENSSL_init_ssl failure";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_sockfd == -1)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
const SSL_METHOD* method = SSLv23_server_method();
|
|
|
|
if (method == nullptr)
|
|
|
|
{
|
|
|
|
errMsg = "SSLv23_server_method failure";
|
|
|
|
_ssl_context = nullptr;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
_ssl_method = method;
|
|
|
|
|
|
|
|
_ssl_context = SSL_CTX_new(_ssl_method);
|
|
|
|
if (_ssl_context)
|
|
|
|
{
|
|
|
|
SSL_CTX_set_mode(_ssl_context, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
|
|
|
SSL_CTX_set_mode(_ssl_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
|
|
|
SSL_CTX_set_options(_ssl_context,
|
|
|
|
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_ssl_context == nullptr)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
ERR_clear_error();
|
|
|
|
if (_tlsOptions.hasCertAndKey())
|
|
|
|
{
|
|
|
|
if (SSL_CTX_use_certificate_chain_file(_ssl_context,
|
|
|
|
_tlsOptions.certFile.c_str()) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_use_certificate_chain_file(\"" +
|
|
|
|
_tlsOptions.certFile + "\") failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
else if (SSL_CTX_use_PrivateKey_file(
|
|
|
|
_ssl_context, _tlsOptions.keyFile.c_str(), SSL_FILETYPE_PEM) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_use_PrivateKey_file(\"" +
|
|
|
|
_tlsOptions.keyFile + "\") failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ERR_clear_error();
|
|
|
|
if (!_tlsOptions.isPeerVerifyDisabled())
|
|
|
|
{
|
|
|
|
if (_tlsOptions.isUsingSystemDefaults())
|
|
|
|
{
|
|
|
|
if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_default_verify_paths loading failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
const char* root_ca_file = _tlsOptions.caFile.c_str();
|
|
|
|
STACK_OF(X509_NAME) * rootCAs;
|
|
|
|
rootCAs = SSL_load_client_CA_file(root_ca_file);
|
|
|
|
if (rootCAs == NULL)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_load_client_CA_file('" + _tlsOptions.caFile +
|
|
|
|
"') failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
SSL_CTX_set_client_CA_list(_ssl_context, rootCAs);
|
|
|
|
if (SSL_CTX_load_verify_locations(_ssl_context, root_ca_file, nullptr) != 1)
|
|
|
|
{
|
|
|
|
auto sslErr = ERR_get_error();
|
|
|
|
errMsg = "OpenSSL failed - SSL_CTX_load_verify_locations(\"" +
|
|
|
|
_tlsOptions.caFile + "\") failed: ";
|
|
|
|
errMsg += ERR_error_string(sslErr, nullptr);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
SSL_CTX_set_verify(
|
|
|
|
_ssl_context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
|
|
|
|
SSL_CTX_set_verify_depth(_ssl_context, 4);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
SSL_CTX_set_verify(_ssl_context, SSL_VERIFY_NONE, nullptr);
|
|
|
|
}
|
|
|
|
if (_tlsOptions.isUsingDefaultCiphers())
|
|
|
|
{
|
|
|
|
if (SSL_CTX_set_cipher_list(_ssl_context, kDefaultCiphers.c_str()) != 1)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (SSL_CTX_set_cipher_list(_ssl_context, _tlsOptions.ciphers.c_str()) != 1)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
_ssl_connection = SSL_new(_ssl_context);
|
|
|
|
if (_ssl_connection == nullptr)
|
|
|
|
{
|
|
|
|
errMsg = "OpenSSL failed to connect";
|
|
|
|
SSL_CTX_free(_ssl_context);
|
|
|
|
_ssl_context = nullptr;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
SSL_set_ecdh_auto(_ssl_connection, 1);
|
|
|
|
|
|
|
|
SSL_set_fd(_ssl_connection, _sockfd);
|
|
|
|
|
|
|
|
handshakeSuccessful = openSSLServerHandshake(errMsg);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!handshakeSuccessful)
|
|
|
|
{
|
|
|
|
close();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2018-09-27 23:56:48 +02:00
|
|
|
bool SocketOpenSSL::connect(const std::string& host,
|
|
|
|
int port,
|
2018-12-10 02:56:20 +01:00
|
|
|
std::string& errMsg,
|
2018-12-15 01:28:11 +01:00
|
|
|
const CancellationRequest& isCancellationRequested)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
|
|
|
bool handshakeSuccessful = false;
|
|
|
|
{
|
|
|
|
std::lock_guard<std::mutex> lock(_mutex);
|
|
|
|
|
2019-01-05 20:42:25 +01:00
|
|
|
if (!_openSSLInitializationSuccessful)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
2019-01-05 20:42:25 +01:00
|
|
|
errMsg = "OPENSSL_init_ssl failure";
|
2018-09-27 23:56:48 +02:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-12-10 02:56:20 +01:00
|
|
|
_sockfd = SocketConnect::connect(host, port, errMsg, isCancellationRequested);
|
2018-09-27 23:56:48 +02:00
|
|
|
if (_sockfd == -1) return false;
|
|
|
|
|
|
|
|
_ssl_context = openSSLCreateContext(errMsg);
|
|
|
|
if (_ssl_context == nullptr)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2019-09-30 05:07:53 +02:00
|
|
|
if (!handleTLSOptions(errMsg))
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
2019-09-30 05:07:53 +02:00
|
|
|
return false;
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
|
2019-01-05 20:42:25 +01:00
|
|
|
_ssl_connection = SSL_new(_ssl_context);
|
|
|
|
if (_ssl_connection == nullptr)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
|
|
|
errMsg = "OpenSSL failed to connect";
|
|
|
|
SSL_CTX_free(_ssl_context);
|
|
|
|
_ssl_context = nullptr;
|
|
|
|
return false;
|
|
|
|
}
|
2019-01-05 20:42:25 +01:00
|
|
|
SSL_set_fd(_ssl_connection, _sockfd);
|
2018-09-27 23:56:48 +02:00
|
|
|
|
2018-10-02 02:36:21 +02:00
|
|
|
// SNI support
|
|
|
|
SSL_set_tlsext_host_name(_ssl_connection, host.c_str());
|
|
|
|
|
2018-10-06 03:45:33 +02:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
|
|
// Support for server name verification
|
|
|
|
// (The docs say that this should work from 1.0.2, and is the default from
|
2019-09-30 05:07:53 +02:00
|
|
|
// 1.1.0, but it does not. To be on the safe side, the manual test
|
|
|
|
// below is enabled for all versions prior to 1.1.0.)
|
2019-09-23 03:06:15 +02:00
|
|
|
X509_VERIFY_PARAM* param = SSL_get0_param(_ssl_connection);
|
2018-10-06 03:45:33 +02:00
|
|
|
X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
|
|
|
|
#endif
|
2019-10-01 06:24:25 +02:00
|
|
|
handshakeSuccessful = openSSLClientHandshake(host, errMsg);
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!handshakeSuccessful)
|
|
|
|
{
|
|
|
|
close();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
void SocketOpenSSL::close()
|
|
|
|
{
|
|
|
|
std::lock_guard<std::mutex> lock(_mutex);
|
|
|
|
|
|
|
|
if (_ssl_connection != nullptr)
|
|
|
|
{
|
|
|
|
SSL_free(_ssl_connection);
|
|
|
|
_ssl_connection = nullptr;
|
|
|
|
}
|
|
|
|
if (_ssl_context != nullptr)
|
|
|
|
{
|
|
|
|
SSL_CTX_free(_ssl_context);
|
|
|
|
_ssl_context = nullptr;
|
|
|
|
}
|
|
|
|
|
|
|
|
Socket::close();
|
|
|
|
}
|
|
|
|
|
2019-01-06 05:53:50 +01:00
|
|
|
ssize_t SocketOpenSSL::send(char* buf, size_t nbyte)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
|
|
|
ssize_t sent = 0;
|
|
|
|
|
|
|
|
while (nbyte > 0)
|
|
|
|
{
|
|
|
|
std::lock_guard<std::mutex> lock(_mutex);
|
|
|
|
|
|
|
|
if (_ssl_connection == nullptr || _ssl_context == nullptr)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
ERR_clear_error();
|
2019-01-06 05:53:50 +01:00
|
|
|
ssize_t write_result = SSL_write(_ssl_connection, buf + sent, (int) nbyte);
|
2019-04-20 00:03:49 +02:00
|
|
|
int reason = SSL_get_error(_ssl_connection, (int) write_result);
|
2018-09-27 23:56:48 +02:00
|
|
|
|
2019-09-23 03:06:15 +02:00
|
|
|
if (reason == SSL_ERROR_NONE)
|
|
|
|
{
|
2018-09-27 23:56:48 +02:00
|
|
|
nbyte -= write_result;
|
|
|
|
sent += write_result;
|
2019-09-23 03:06:15 +02:00
|
|
|
}
|
|
|
|
else if (reason == SSL_ERROR_WANT_READ || reason == SSL_ERROR_WANT_WRITE)
|
|
|
|
{
|
2018-09-27 23:56:48 +02:00
|
|
|
errno = EWOULDBLOCK;
|
|
|
|
return -1;
|
2019-09-23 03:06:15 +02:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2018-09-27 23:56:48 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
2019-01-06 05:53:50 +01:00
|
|
|
return sent;
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
|
2019-01-06 05:53:50 +01:00
|
|
|
ssize_t SocketOpenSSL::send(const std::string& buffer)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
2019-09-23 03:06:15 +02:00
|
|
|
return send((char*) &buffer[0], buffer.size());
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
|
2019-01-06 05:53:50 +01:00
|
|
|
ssize_t SocketOpenSSL::recv(void* buf, size_t nbyte)
|
2018-09-27 23:56:48 +02:00
|
|
|
{
|
|
|
|
while (true)
|
|
|
|
{
|
|
|
|
std::lock_guard<std::mutex> lock(_mutex);
|
|
|
|
|
|
|
|
if (_ssl_connection == nullptr || _ssl_context == nullptr)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
ERR_clear_error();
|
2019-01-06 05:53:50 +01:00
|
|
|
ssize_t read_result = SSL_read(_ssl_connection, buf, (int) nbyte);
|
2018-09-27 23:56:48 +02:00
|
|
|
|
|
|
|
if (read_result > 0)
|
|
|
|
{
|
|
|
|
return read_result;
|
|
|
|
}
|
|
|
|
|
2019-04-20 00:03:49 +02:00
|
|
|
int reason = SSL_get_error(_ssl_connection, (int) read_result);
|
2018-09-27 23:56:48 +02:00
|
|
|
|
|
|
|
if (reason == SSL_ERROR_WANT_READ || reason == SSL_ERROR_WANT_WRITE)
|
|
|
|
{
|
|
|
|
errno = EWOULDBLOCK;
|
|
|
|
}
|
2018-12-15 01:28:11 +01:00
|
|
|
return -1;
|
2018-09-27 23:56:48 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-23 03:06:15 +02:00
|
|
|
} // namespace ix
|