Archivo: main.c Proyecto: scosu/burp
/*
 * Create the client-side TLS context, connect the socket and run the
 * handshake.
 *
 * On success *ctx, *ssl and *rfd hold the new context, the connected SSL
 * object and the raw socket, and 0 is returned.  On failure -1 is
 * returned; out-parameters that were already assigned are left set so the
 * caller can release them (nothing is freed here).
 *
 * SSL_connect() only completes the handshake.  Whatever peer verification
 * the context performs is configured in ssl_initialise_ctx() (not visible
 * here); matching the peer's name is a separate step (ssl_check_cert()).
 */
static int ssl_setup(int *rfd, SSL **ssl, SSL_CTX **ctx,
	enum action action, struct conf **confs)
{
	const char *port;
	BIO *sbio=NULL;

	ssl_load_globals();
	*ctx=ssl_initialise_ctx(confs);
	if(!*ctx)
	{
		logp("error initialising ssl ctx\n");
		return -1;
	}

	SSL_CTX_set_session_id_context(*ctx,
		(const uint8_t *)&s_server_session_id_context,
		sizeof(s_server_session_id_context));

	// The monitor talks to the status port; every other action uses
	// the main port.
	if(action==ACTION_MONITOR)
		port=get_string(confs[OPT_STATUS_PORT]);
	else
		port=get_string(confs[OPT_PORT]);

	*rfd=init_client_socket(get_string(confs[OPT_SERVER]), port);
	if(*rfd<0)
		return -1;

	*ssl=SSL_new(*ctx);
	if(*ssl)
		sbio=BIO_new_socket(*rfd, BIO_NOCLOSE);
	if(!*ssl || !sbio)
	{
		logp_ssl_err("Problem joining SSL to the socket\n");
		return -1;
	}
	// BIO_NOCLOSE: the socket stays owned by the caller via *rfd.
	SSL_set_bio(*ssl, sbio, sbio);

	if(SSL_connect(*ssl)<=0)
	{
		logp_ssl_err("SSL connect error\n");
		return -1;
	}
	return 0;
}
Archivo: ssl.c Proyecto: grke/burp
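/*
 * Run the server side of the TLS handshake on ssl.
 *
 * SSL_accept() is retried while OpenSSL reports that it is waiting on the
 * underlying socket.  The previous version only retried on
 * SSL_ERROR_WANT_READ; on a non-blocking socket OpenSSL can equally
 * report SSL_ERROR_WANT_WRITE mid-handshake, which was treated as a hard
 * failure.  Both are now retried.  (The retry is a busy loop, as before;
 * waiting on the socket with select()/poll() would be gentler.)
 *
 * A return of 0 from SSL_accept() means the peer shut the handshake down
 * cleanly; that and any other error are reported as failure.
 *
 * Returns 0 once the handshake has completed, -1 on error.
 */
int ssl_do_accept(SSL *ssl)
{
	while(1)
	{
		int r;
		int err;

		// Keep the error queue to this call only, otherwise
		// SSL_get_error() can report stale state.
		ERR_clear_error();
		r=SSL_accept(ssl);
		if(r==1)
			return 0;
		if(r==0)
			break; // Clean shutdown by the peer during the handshake.

		err=SSL_get_error(ssl, r);
		if(err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE)
			continue; // Not done yet on a non-blocking socket.
		break;
	}
	logp_ssl_err("SSL_accept error\n");
	return -1;
}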
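/*
 * Load the Diffie-Hellman parameters in ssl_dhfile into ctx.
 *
 * Fixes over the previous version:
 *  - an unset ssl_dhfile was passed straight to BIO_new_file();
 *  - a NULL result from PEM_read_bio_DHparams() (empty or malformed
 *    file) was handed to SSL_CTX_set_tmp_dh();
 *  - SSL_CTX_set_tmp_dh() returns 1 on success and 0 on failure, so the
 *    old "<0" test never reported an error;
 *  - SSL_CTX_set_tmp_dh() keeps its own copy of the parameters, so the
 *    DH object read here was leaked.
 *
 * NOTE(review): no minimum modulus size is enforced; whether small (e.g.
 * 1024-bit) groups should be refused is a policy decision for the
 * project.
 *
 * Returns 0 on success, -1 on error.
 */
int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs)
{
	int ret=-1;
	DH *dh=NULL;
	BIO *bio=NULL;
	const char *ssl_dhfile=get_string(confs[OPT_SSL_DHFILE]);

	if(!ssl_dhfile)
	{
		logp("ssl_dhfile not set.\n");
		return -1;
	}

	if(!(bio=BIO_new_file(ssl_dhfile, "r")))
	{
		logp_ssl_err("Couldn't open ssl_dhfile: %s\n", ssl_dhfile);
		goto end;
	}

	if(!(dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
	{
		logp_ssl_err("Couldn't read DH parameters from ssl_dhfile: %s\n",
			ssl_dhfile);
		goto end;
	}

	// 1 on success, 0 on failure (it is a macro over SSL_CTX_ctrl()).
	if(SSL_CTX_set_tmp_dh(ctx, dh)!=1)
	{
		logp_ssl_err("Couldn't set DH parameters\n");
		goto end;
	}

	ret=0;
end:
	// The context holds a copy; both of these accept NULL.
	DH_free(dh);
	BIO_free(bio);
	return ret;
}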
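/*
 * Return 1 if any of the first len bytes of s is a NUL byte, else 0.
 * Used to catch a certificate CN that carries an embedded NUL, which a
 * C string comparison would silently cut short.
 */
static int has_embedded_nul(const char *s, int len)
{
	int i;
	for(i=0; i<len; i++)
		if(!s[i]) return 1;
	return 0;
}

/*
 * Check the certificate presented by the peer on ssl.
 *
 * The chain must have verified against the CA(s) loaded into the context
 * (SSL_get_verify_result()), and the subject common name must equal
 * the configured ssl_peer_cn, compared case-insensitively.  On
 * non-Windows builds the subject, issuer, validity dates and serial
 * number are then exported to the environment through the setenv_x509*()
 * helpers (not visible here).
 *
 * Changes from the previous version:
 *  - the X509 from SSL_get_peer_certificate() is reference-counted and
 *    was never released; it is now freed on every path;
 *  - the result of X509_NAME_get_text_by_NID() was ignored, so a
 *    certificate with no CN was compared against whatever the cipher
 *    description had left in tmpbuf;
 *  - a CN that would not fit in tmpbuf, or that contains an embedded
 *    NUL, is rejected instead of being compared after truncation.
 *
 * NOTE(review): only the CN is matched; subjectAltName is not consulted.
 * With a project-run CA issuing the certificates that is presumably
 * intended — confirm.
 *
 * Returns 0 if the peer is acceptable, -1 otherwise.
 */
int ssl_check_cert(SSL *ssl, struct conf **confs)
{
	int ret=-1;
	int cn_len;
	X509 *peer=NULL;
	X509_NAME *subject;
	char tmpbuf[256]="";
	const char *ssl_peer_cn=get_string(confs[OPT_SSL_PEER_CN]);

	if(!ssl_peer_cn)
	{
		logp("ssl_peer_cn not set.\n");
		return -1;
	}

	SSL_CIPHER_description(SSL_get_current_cipher(ssl),
		tmpbuf, sizeof(tmpbuf));
	logp("SSL is using cipher: %s\n", tmpbuf);

	if(!(peer=SSL_get_peer_certificate(ssl)))
	{
		logp("Could not get peer certificate.\n");
		return -1;
	}
	if(SSL_get_verify_result(ssl)!=X509_V_OK)
	{
		logp_ssl_err("Certificate doesn't verify.\n");
		goto end;
	}

	subject=X509_get_subject_name(peer);

	// With a NULL buffer OpenSSL returns the full CN length, so a CN
	// that tmpbuf would truncate can be refused up front.
	cn_len=X509_NAME_get_text_by_NID(subject, NID_commonName, NULL, 0);
	if(cn_len<0)
	{
		logp("cert has no common name\n");
		goto end;
	}
	if(cn_len>=(int)sizeof(tmpbuf))
	{
		logp("cert common name too long (%d bytes)\n", cn_len);
		goto end;
	}
	cn_len=X509_NAME_get_text_by_NID(subject,
		NID_commonName, tmpbuf, sizeof(tmpbuf));
	if(cn_len<0 || has_embedded_nul(tmpbuf, cn_len))
	{
		logp("cert common name is malformed\n");
		goto end;
	}
	if(strcasecmp(tmpbuf, ssl_peer_cn))
	{
		logp("cert common name doesn't match configured ssl_peer_cn\n");
		logp("'%s'!='%s'\n", tmpbuf, ssl_peer_cn);
		goto end;
	}
#ifndef HAVE_WIN32
	if(setenv_x509(subject, "PEER")
	  || setenv_x509(X509_get_issuer_name(peer), "ISSUER"))
		goto end;

	if(setenv_x509_date(X509_get_notBefore(peer), "X509_PEER_NOT_BEFORE")
	  || setenv_x509_date(X509_get_notAfter(peer), "X509_PEER_NOT_AFTER"))
		goto end;

	if(setenv_x509_serialnumber(X509_get_serialNumber(peer),
		"X509_PEER_SERIALNUMBER"))
			goto end;
#endif
	ret=0;
end:
	// Drops the reference taken by SSL_get_peer_certificate().
	X509_free(peer);
	return ret;
}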
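/*
 * Return non-zero if path is set and lstat() succeeds on it (a symlink
 * counts even if dangling, as in the original checks).
 */
static int path_present(const char *path)
{
	struct stat statp;
	return path && !lstat(path, &statp);
}

/*
 * Load this side's certificate chain, private key and trusted CA bundle
 * into ctx from the ssl_cert, ssl_key and ssl_cert_ca settings.
 *
 * Each file is optional: a path that does not exist is skipped silently,
 * while a path that exists but cannot be loaded is an error.  Note that
 * skipping ssl_cert_ca leaves no trust anchors loaded here, so peer
 * verification can only succeed if the context gets them elsewhere.
 * ssl_key defaults to ssl_cert (key and certificate in one PEM file).
 * ssl_key_password is stored in the file-scope 'pass', presumably read
 * by password_cb() when the key file is encrypted.
 *
 * Changes from the previous version:
 *  - ssl_key was a non-const pointer assigned from get_string();
 *  - when both a certificate and a key were loaded,
 *    SSL_CTX_check_private_key() now reports a mismatched pair here,
 *    instead of leaving it to surface as an opaque handshake failure.
 *
 * Returns 0 on success, -1 on error.
 */
static int ssl_load_keys_and_certs(SSL_CTX *ctx, struct conf **confs)
{
	int have_cert=0;
	int have_key=0;
	const char *ssl_key=NULL;
	const char *ssl_cert=get_string(confs[OPT_SSL_CERT]);
	const char *ssl_cert_ca=get_string(confs[OPT_SSL_CERT_CA]);

	if(path_present(ssl_cert))
	{
		if(!SSL_CTX_use_certificate_chain_file(ctx, ssl_cert))
		{
			logp_ssl_err("Can't read ssl_cert: %s\n", ssl_cert);
			return -1;
		}
		have_cert=1;
	}

	// Must be in place before the key is read, in case it is encrypted.
	pass=get_string(confs[OPT_SSL_KEY_PASSWORD]);
	SSL_CTX_set_default_passwd_cb(ctx, password_cb);

	if(!(ssl_key=get_string(confs[OPT_SSL_KEY])))
		ssl_key=ssl_cert;

	if(path_present(ssl_key))
	{
		if(!SSL_CTX_use_PrivateKey_file(ctx, ssl_key, SSL_FILETYPE_PEM))
		{
			logp_ssl_err("Can't read ssl_key file: %s\n", ssl_key);
			return -1;
		}
		have_key=1;
	}

	if(have_cert && have_key && !SSL_CTX_check_private_key(ctx))
	{
		logp_ssl_err("ssl_key does not match ssl_cert: %s / %s\n",
			ssl_key, ssl_cert);
		return -1;
	}

	if(path_present(ssl_cert_ca))
	{
		if(!SSL_CTX_load_verify_locations(ctx, ssl_cert_ca, 0))
		{
			logp_ssl_err("Can't read ssl_cert_ca file: %s\n",
				ssl_cert_ca);
			return -1;
		}
	}

	return 0;
}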
Archivo: ca.c Proyecto: vanElden/burp
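/*
 * Log that the peer named ssl_peer_cn, whose certificate carries 'serial',
 * is listed in the CRL.  The serial is printed in hex when it can be
 * converted; the temporary BIGNUM and hex string are released here.
 */
static void log_revoked(const char *ssl_peer_cn, ASN1_INTEGER *serial)
{
	char *hex=NULL;
	BIGNUM *bnser=NULL;

	if(serial && (bnser=ASN1_INTEGER_to_BN(serial, NULL)))
		hex=BN_bn2hex(bnser);
	logp_ssl_err("CRL check failed: %s (%s) is revoked\n",
		ssl_peer_cn, hex ? hex : "not available");
	if(hex) OPENSSL_free(hex);
	if(bnser) BN_free(bnser);
}

/*
 * Check whether peer_cert appears in the CRL of the configured CA.
 *
 * The check is skipped (returns 0) when ca_crl_check is off, no ca_name
 * is configured, or no CA directory (gca_dir) is set up.  Otherwise the
 * CRL at get_crl_path(ca_name) is read, its issuer must equal the
 * certificate's issuer, and the certificate's serial number must not be
 * in the revoked list.  Any problem obtaining or parsing the CRL fails
 * closed (-1).
 *
 * NOTE(review): only the issuer *name* is compared; the CRL's signature
 * and its thisUpdate/nextUpdate window are not verified here.  As the
 * file is local and presumably produced by the server's own CA tooling
 * this may be acceptable — confirm.
 *
 * Changes from the previous version:
 *  - the "different issuer" message used the format "%\ns", which is
 *    undefined behaviour and never printed the peer name; now "%s\n";
 *  - BN_bn2hex() was called on a possibly-NULL BIGNUM, and both the
 *    BIGNUM and the returned hex string were leaked.
 *
 * Returns 0 if the certificate is not revoked (or checking is disabled),
 * -1 if it is revoked or the CRL could not be checked.
 */
int ca_x509_verify_crl(struct conf **confs,
	X509 *peer_cert, const char *ssl_peer_cn)
{
	int n;
	int i;
	int ret=-1;
	BIO *in=NULL;
	X509_CRL *crl=NULL;
	char *crl_path=NULL;
	ASN1_INTEGER *peer_serial;
	STACK_OF(X509_REVOKED) *revoked_list;
	const char *ca_name=get_string(confs[OPT_CA_NAME]);
	int crl_check=get_int(confs[OPT_CA_CRL_CHECK]);

	if(!crl_check
	  || !ca_name || !*ca_name
	  || !gca_dir)
	{
		ret=0;
		goto end;
	}

	if(!(crl_path=get_crl_path(ca_name)))
		goto end;

	if(!(in=BIO_new_file(crl_path, "r")))
	{
		logp("CRL: cannot read: %s\n", crl_path);
		goto end;
	}

	if(!(crl=PEM_read_bio_X509_CRL(in, NULL, NULL, NULL)))
	{
		logp_ssl_err("CRL: cannot read CRL from file %s\n", crl_path);
		goto end;
	}

	if(X509_NAME_cmp(X509_CRL_get_issuer(crl),
		X509_get_issuer_name(peer_cert)))
	{
		logp_ssl_err("CRL: CRL %s is from a different issuer than the issuer of certificate %s\n", crl_path, ssl_peer_cn);
		goto end;
	}

	peer_serial=X509_get_serialNumber(peer_cert);
	revoked_list=X509_CRL_get_REVOKED(crl);
	// sk_*_num() returns -1 for a NULL stack, so an empty CRL is fine.
	n=sk_X509_REVOKED_num(revoked_list);
	for(i=0; i<n; i++)
	{
		X509_REVOKED *revoked=sk_X509_REVOKED_value(revoked_list, i);
		// NOTE(review): direct struct access as in the original; OpenSSL
		// >= 1.1.0 makes this opaque and requires
		// X509_REVOKED_get0_serialNumber().
		if(ASN1_INTEGER_cmp(revoked->serialNumber, peer_serial))
			continue;
		log_revoked(ssl_peer_cn, peer_serial);
		goto end;
	}

	ret=0;
end:
	if(in) BIO_free(in);
	if(crl) X509_CRL_free(crl);
	free_w(&crl_path);
	return ret;
}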