static int openssl_verify_callback (int preverify_ok, X509_STORE_CTX * x509_ctx) { GstDtlsConnection *self; SSL *ssl; BIO *bio; gchar *pem = NULL; gboolean accepted = FALSE; ssl = X509_STORE_CTX_get_ex_data (x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx ()); self = SSL_get_ex_data (ssl, connection_ex_index); g_return_val_if_fail (GST_IS_DTLS_CONNECTION (self), FALSE); pem = _gst_dtls_x509_to_pem (X509_STORE_CTX_get0_cert (x509_ctx)); if (!pem) { GST_WARNING_OBJECT (self, "failed to convert received certificate to pem format"); } else { bio = BIO_new (BIO_s_mem ()); if (bio) { gchar buffer[2048]; gint len; len = X509_NAME_print_ex (bio, X509_get_subject_name (X509_STORE_CTX_get0_cert (x509_ctx)), 1, XN_FLAG_MULTILINE); BIO_read (bio, buffer, len); buffer[len] = '\0'; GST_DEBUG_OBJECT (self, "Peer certificate received:\n%s", buffer); BIO_free (bio); } else { GST_DEBUG_OBJECT (self, "failed to create certificate print membio"); } g_signal_emit (self, signals[SIGNAL_ON_PEER_CERTIFICATE], 0, pem, &accepted); g_free (pem); } return accepted; }
static int verify_callback(int preverify_ok, X509_STORE_CTX* ctx) { // If the cert has already failed we're done. if (! preverify_ok) { return preverify_ok; } SSL* ssl = X509_STORE_CTX_get_ex_data( ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); // The verify callback is called for each cert in the chain. X509* current_cert = X509_STORE_CTX_get_current_cert(ctx); as_tls_context* asctxt = SSL_get_ex_data(ssl, s_ex_ctxt_index); if (! asctxt) { as_log_warn("Missing as_tls_context in TLS verify callback"); return 0; } pthread_mutex_lock(&asctxt->lock); if (asctxt->cert_blacklist) { // Is this cert blacklisted? char name[256]; X509_NAME* iname = X509_get_issuer_name(current_cert); X509_NAME_oneline(iname, name, sizeof(name)); ASN1_INTEGER* sn = X509_get_serialNumber(current_cert); BIGNUM* snbn = ASN1_INTEGER_to_BN(sn, NULL); char* snhex = BN_bn2hex(snbn); as_log_info("CERT: %s %s", snhex, name); bool blacklisted = cert_blacklist_check(asctxt->cert_blacklist, snhex, name); OPENSSL_free(snhex); BN_free(snbn); if (blacklisted) { as_log_warn("CERT: BLACKLISTED"); pthread_mutex_unlock(&asctxt->lock); return 0; } } pthread_mutex_unlock(&asctxt->lock); // If this is the peer cert, check the name #if OPENSSL_VERSION_NUMBER >= 0x10100000L X509* cert = X509_STORE_CTX_get0_cert(ctx); #else X509* cert = ctx->cert; #endif if (current_cert == cert) { char * hostname = SSL_get_ex_data(ssl, s_ex_name_index); if (! hostname) { as_log_warn("Missing hostname in TLS verify callback"); return 0; } bool allow_wildcard = true; bool matched = as_tls_match_name(cert, hostname, allow_wildcard); if (matched) { as_log_debug("TLS name '%s' matches", hostname); } else { as_log_warn("TLS name '%s' mismatch", hostname); } return matched ? 1 : 0; } // If we make it here we are a root or chain cert and are not // blacklisted. return 1; }