/**
* Set extra flags for handshake verification.
*/
static int meth_set_verify_ext(lua_State *L)
{
int i;
const char *str;
int crl_flag = 0;
int lsec_flag = 0;
SSL_CTX *ctx = lsec_checkcontext(L, 1);
int max = lua_gettop(L);
for (i = 2; i <= max; i++) {
str = luaL_checkstring(L, i);
if (!strcmp(str, "lsec_continue")) {
lsec_flag |= LSEC_VERIFY_CONTINUE;
} else if (!strcmp(str, "lsec_ignore_purpose")) {
lsec_flag |= LSEC_VERIFY_IGNORE_PURPOSE;
} else if (!strcmp(str, "crl_check")) {
crl_flag |= X509_V_FLAG_CRL_CHECK;
} else if (!strcmp(str, "crl_check_chain")) {
crl_flag |= X509_V_FLAG_CRL_CHECK_ALL;
} else {
lua_pushboolean(L, 0);
lua_pushfstring(L, "invalid verify option (%s)", str);
return 2;
}
}
/* Set callback? */
if (lsec_flag) {
SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(ctx), verify_cb);
SSL_CTX_set_cert_verify_callback(ctx, cert_verify_cb, (void*)ctx);
/* Save flag */
luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_pushnumber(L, lsec_flag);
lua_settable(L, -3);
} else {
SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(ctx), NULL);
SSL_CTX_set_cert_verify_callback(ctx, NULL, NULL);
/* Remove flag */
luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ctx);
lua_pushnil(L);
lua_settable(L, -3);
}
/* X509 flag */
X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), crl_flag);
/* Ok */
lua_pushboolean(L, 1);
return 1;
}
tnet_dtls_socket_handle_t* tnet_dtls_socket_create(struct tnet_socket_s* wrapped_sock, struct ssl_ctx_st* ssl_ctx)
{
#if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS
TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled");
return tsk_null;
#else
tnet_dtls_socket_t* socket;
if (!wrapped_sock || !ssl_ctx){
TSK_DEBUG_ERROR("Invalid parameter");
return tsk_null;
}
if ((socket = tsk_object_new(tnet_dtls_socket_def_t))) {
const tsk_bool_t set_mtu = TNET_SOCKET_TYPE_IS_DGRAM(wrapped_sock->type) || 1; //!\ This is required even if the local transport is TCP/TLS because the relayed (TURN) transport could be UDP
socket->wrapped_sock = tsk_object_ref(wrapped_sock);
if (!(socket->ssl = SSL_new(ssl_ctx))) {
TSK_DEBUG_ERROR("SSL_new(CTX) failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
TSK_OBJECT_SAFE_FREE(socket);
return tsk_null;
}
if (set_mtu) {
SSL_set_options(socket->ssl, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(socket->ssl, TNET_DTLS_MTU - 28);
socket->ssl->d1->mtu = TNET_DTLS_MTU - 28;
}
if (!(socket->rbio = BIO_new(BIO_s_mem())) || !(socket->wbio = BIO_new(BIO_s_mem()))){
TSK_DEBUG_ERROR("BIO_new_socket(%d) failed [%s]", socket->wrapped_sock->fd, ERR_error_string(ERR_get_error(), tsk_null));
if (socket->rbio){
BIO_free(socket->rbio);
}
if (socket->wbio){
BIO_free(socket->wbio);
}
TSK_OBJECT_SAFE_FREE(socket);
return tsk_null;
}
BIO_set_mem_eof_return(socket->rbio, -1);
BIO_set_mem_eof_return(socket->wbio, -1);
SSL_set_bio(socket->ssl, socket->rbio, socket->wbio);
SSL_set_mode(socket->ssl, SSL_MODE_AUTO_RETRY);
SSL_set_read_ahead(socket->ssl, 1);
if (set_mtu) {
BIO_ctrl(SSL_get_wbio(socket->ssl), BIO_CTRL_DGRAM_SET_MTU, TNET_DTLS_MTU - 28, NULL);
}
if ((socket->verify_peer = (SSL_CTX_get_verify_mode(ssl_ctx) != SSL_VERIFY_NONE))){
TSK_DEBUG_INFO("SSL cert verify: ON");
socket->verify_peer = tsk_true;
SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert);
}
else {
TSK_DEBUG_ERROR("Verity not enabled");
}
SSL_set_app_data(socket->ssl, socket);
}
return socket;
#endif
}
IoSecureServer *IoSecureServer_rawClone(IoSecureServer *proto)
{
IoObject *self = IoObject_rawClonePrimitive(proto);
IoObject_setDataPointer_(self, (SecureServerData *)calloc(1, sizeof(SecureServerData)));
SSL_CTX *ctx = SSL_CTX_new(TLSv1_server_method());
DATA(self)->ssl_ctx = ctx;
SSL_CTX_set_default_passwd_cb(ctx, IoSecureSockets_Password_Callback);
SSL_CTX_set_default_passwd_cb_userdata(ctx, self);
SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(OCTX(proto)), SSL_CTX_get_verify_callback(OCTX(proto)));
//need to do more work for the copy to be correct, also need to copy SSL method and certs.
return self;
}
ret_t
cherokee_cryptor_libssl_find_vserver (SSL *ssl,
cherokee_server_t *srv,
cherokee_buffer_t *servername,
cherokee_connection_t *conn)
{
ret_t ret;
cherokee_virtual_server_t *vsrv = NULL;
SSL_CTX *ctx;
/* Try to match the connection to a server
*/
ret = cherokee_server_get_vserver(srv, servername, conn, &vsrv);
if ((ret != ret_ok) || (vsrv == NULL)) {
LOG_ERROR (CHEROKEE_ERROR_SSL_SRV_MATCH, servername->buf);
return ret_error;
}
TRACE (ENTRIES, "Setting new TLS context. Virtual host='%s'\n",
vsrv->name.buf);
/* Check whether the Virtual Server supports TLS
*/
if ((vsrv->cryptor == NULL) ||
(CRYPTOR_VSRV_SSL(vsrv->cryptor)->context == NULL))
{
TRACE (ENTRIES, "Virtual server '%s' does not support SSL\n", servername->buf);
return ret_error;
}
/* Set the new SSL context
*/
ctx = SSL_set_SSL_CTX (ssl, CRYPTOR_VSRV_SSL(vsrv->cryptor)->context);
if (ctx != CRYPTOR_VSRV_SSL(vsrv->cryptor)->context) {
LOG_ERROR (CHEROKEE_ERROR_SSL_CHANGE_CTX, servername->buf);
}
/* SSL_set_SSL_CTX() only change certificates. We need to
* changes more options by hand.
*/
SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
SSL_CTX_get_verify_callback(ssl->ctx));
}
return ret_ok;
}
IoSecureClient *IoSecureClient_rawClone(IoSecureClient *proto)
{
IoObject *self = IoObject_rawClonePrimitive(proto);
SSL_CTX *ctx = SSL_CTX_new(TLSv1_client_method());
if(ctx == NULL)
{
ERR_print_errors_fp(stderr);
}
IoObject_setDataPointer_(self, ctx);
SSL_CTX_set_default_passwd_cb(ctx, IoSecureSockets_Password_Callback);
SSL_CTX_set_default_passwd_cb_userdata(ctx, self);
SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(OCTX(proto)), SSL_CTX_get_verify_callback(OCTX(proto)));
//need to do more work for the copy to be correct, also need to copy SSL method and certs.
return self;
}
static void on_handshake_complete(h2o_socket_t *sock, const char *err)
{
h2o_socketpool_connect_request_t *req = sock->data;
assert(req->sock == sock);
if (err == h2o_socket_error_ssl_cert_name_mismatch && (SSL_CTX_get_verify_mode(req->pool->_ssl_ctx) & SSL_VERIFY_PEER) == 0) {
/* ignore CN mismatch if we are not verifying peer */
} else if (err != NULL) {
h2o_socket_close(sock);
req->sock = NULL;
}
call_connect_cb(req, err);
}
NOEXPORT int servername_cb(SSL *ssl, int *ad, void *arg) {
SERVICE_OPTIONS *section=(SERVICE_OPTIONS *)arg;
const char *servername=SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
SERVERNAME_LIST *list;
CLI *c;
#ifdef USE_LIBWRAP
char *accepted_address;
#endif /* USE_LIBWRAP */
/* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */
(void)ad; /* squash the unused parameter warning */
if(!section->servername_list_head) {
s_log(LOG_DEBUG, "SNI: no virtual services defined");
return SSL_TLSEXT_ERR_OK;
}
if(!servername) {
s_log(LOG_NOTICE, "SNI: no servername received");
return SSL_TLSEXT_ERR_NOACK;
}
s_log(LOG_INFO, "SNI: requested servername: %s", servername);
for(list=section->servername_list_head; list; list=list->next)
if(matches_wildcard((char *)servername, list->servername)) {
s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername);
c=SSL_get_ex_data(ssl, index_cli);
c->opt=list->opt;
SSL_set_SSL_CTX(ssl, c->opt->ctx);
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx),
SSL_CTX_get_verify_callback(c->opt->ctx));
s_log(LOG_NOTICE, "SNI: switched to service [%s]",
c->opt->servname);
#ifdef USE_LIBWRAP
accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len);
libwrap_auth(c, accepted_address); /* retry on a service switch */
str_free(accepted_address);
#endif /* USE_LIBWRAP */
return SSL_TLSEXT_ERR_OK;
}
s_log(LOG_ERR, "SNI: no pattern matched servername: %s", servername);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
static PyObject *
PySSL_peercert(PySSLObject *self, PyObject *args)
{
PyObject *retval = NULL;
int len;
int verification;
PyObject *binary_mode = Py_None;
if (!PyArg_ParseTuple(args, "|O:peer_certificate", &binary_mode))
return NULL;
if (!self->peer_cert)
Py_RETURN_NONE;
if (PyObject_IsTrue(binary_mode)) {
/* return cert in DER-encoded format */
unsigned char *bytes_buf = NULL;
bytes_buf = NULL;
len = i2d_X509(self->peer_cert, &bytes_buf);
if (len < 0) {
PySSL_SetError(self, len, __FILE__, __LINE__);
return NULL;
}
/* this is actually an immutable bytes sequence */
retval = PyBytes_FromStringAndSize
((const char *) bytes_buf, len);
OPENSSL_free(bytes_buf);
return retval;
} else {
verification = SSL_CTX_get_verify_mode(self->ctx);
if ((verification & SSL_VERIFY_PEER) == 0)
return PyDict_New();
else
return _decode_certificate (self->peer_cert, 0);
}
}
static int openssl_ssl_ctx_verify_mode(lua_State*L)
{
SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
if (lua_gettop(L) > 1)
{
size_t i;
int mode = 0;
luaL_checktable(L, 2);
for (i = 0; i < lua_rawlen(L, 2); i++)
{
lua_rawgeti(L, 2, i + 1);
mode |= auxiliar_checkoption(L, -1, NULL, sVerifyMode_Options, iVerifyMode_Options);
lua_pop(L, 1);
}
luaL_argcheck(L, lua_isnoneornil(L, 3) || lua_isfunction(L, 3), 3, "must be function callback");
if (lua_isfunction(L, 3))
{
lua_pushvalue(L, 3);
openssl_setvalue(L, ctx, "verify_cb");
SSL_CTX_set_verify(ctx, mode, openssl_verify_cb);
}
else
{
SSL_CTX_set_verify(ctx, mode, openssl_verify_cb);
}
return 0;
}
else
{
int i = 0;
int mode = SSL_CTX_get_verify_mode(ctx);
lua_pushinteger(L, mode);
i += 1;
if (mode == SSL_VERIFY_NONE)
{
lua_pushstring(L, "none");
i += 1;
}
else
{
if (mode & SSL_VERIFY_PEER)
{
lua_pushstring(L, "peer");
i += 1;
}
if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
{
lua_pushstring(L, "fail_if_no_peer_cert");
i += 1;
}
if (mode & SSL_VERIFY_CLIENT_ONCE)
{
lua_pushstring(L, "client_once");
i += 1;
}
}
return i;
}
return 0;
}
