diff options
author | Rémi Verschelde <rverschelde@gmail.com> | 2016-10-12 23:06:17 +0200 |
---|---|---|
committer | Rémi Verschelde <rverschelde@gmail.com> | 2016-10-15 11:50:41 +0200 |
commit | 422196759f93df249db38619f136cabd5dcf42cd (patch) | |
tree | 1e5846507af0f8f1bc7ca294ccfb0d4ac3392d17 /modules | |
parent | d9a291f6411f2e571c181da0ac89f550ba73f681 (diff) |
openssl: Move to a module and split thirdparty lib
Same rationale as the previous commits.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/openssl/SCsub | 685 | ||||
-rw-r--r-- | modules/openssl/config.py | 6 | ||||
-rw-r--r-- | modules/openssl/curl_hostcheck.c | 217 | ||||
-rw-r--r-- | modules/openssl/curl_hostcheck.h | 39 | ||||
-rw-r--r-- | modules/openssl/register_types.cpp | 42 | ||||
-rw-r--r-- | modules/openssl/register_types.h | 30 | ||||
-rw-r--r-- | modules/openssl/stream_peer_openssl.cpp | 646 | ||||
-rw-r--r-- | modules/openssl/stream_peer_openssl.h | 109 |
8 files changed, 1774 insertions, 0 deletions
diff --git a/modules/openssl/SCsub b/modules/openssl/SCsub new file mode 100644 index 0000000000..4608055036 --- /dev/null +++ b/modules/openssl/SCsub @@ -0,0 +1,685 @@ +Import('env') +Import('env_modules') + + +# Thirdparty source files +if (env["openssl"] != "system"): # builtin + thirdparty_dir = "#thirdparty/openssl/" + + thirdparty_openssl_sources = [ + "ssl/t1_lib.c", + "ssl/t1_ext.c", + "ssl/s3_srvr.c", + "ssl/t1_enc.c", + "ssl/t1_meth.c", + "ssl/s23_clnt.c", + "ssl/ssl_asn1.c", + "ssl/tls_srp.c", + "ssl/kssl.c", + "ssl/d1_both.c", + "ssl/t1_clnt.c", + "ssl/bio_ssl.c", + "ssl/d1_srtp.c", + "ssl/t1_reneg.c", + "ssl/ssl_cert.c", + "ssl/s3_lib.c", + "ssl/d1_srvr.c", + "ssl/s23_meth.c", + "ssl/ssl_stat.c", + "ssl/ssl_err.c", + "ssl/ssl_algs.c", + "ssl/s3_cbc.c", + "ssl/d1_clnt.c", + "ssl/s3_pkt.c", + "ssl/d1_meth.c", + "ssl/s3_both.c", + "ssl/s2_enc.c", + "ssl/s3_meth.c", + "ssl/s3_enc.c", + "ssl/s23_pkt.c", + "ssl/s2_pkt.c", + "ssl/d1_pkt.c", + "ssl/ssl_rsa.c", + "ssl/s23_srvr.c", + "ssl/s2_meth.c", + "ssl/s3_clnt.c", + "ssl/s23_lib.c", + "ssl/t1_srvr.c", + "ssl/ssl_lib.c", + "ssl/ssl_txt.c", + "ssl/s2_srvr.c", + "ssl/ssl_sess.c", + "ssl/s2_clnt.c", + "ssl/d1_lib.c", + "ssl/s2_lib.c", + "ssl/ssl_err2.c", + "ssl/ssl_ciph.c", + "crypto/dsa/dsa_lib.c", + "crypto/dsa/dsa_pmeth.c", + "crypto/dsa/dsa_ossl.c", + "crypto/dsa/dsa_gen.c", + "crypto/dsa/dsa_asn1.c", + "crypto/dsa/dsa_prn.c", + "crypto/dsa/dsa_sign.c", + "crypto/dsa/dsa_key.c", + "crypto/dsa/dsa_vrf.c", + "crypto/dsa/dsa_err.c", + "crypto/dsa/dsa_ameth.c", + "crypto/dsa/dsa_depr.c", + "crypto/x509/x509_lu.c", + "crypto/x509/x509cset.c", + "crypto/x509/x509_set.c", + "crypto/x509/x509_d2.c", + "crypto/x509/x509_txt.c", + "crypto/x509/x509rset.c", + "crypto/x509/by_dir.c", + "crypto/x509/x509_vpm.c", + "crypto/x509/x509_vfy.c", + "crypto/x509/x509_trs.c", + "crypto/x509/by_file.c", + "crypto/x509/x509_obj.c", + "crypto/x509/x509spki.c", + "crypto/x509/x509_v3.c", + "crypto/x509/x509_req.c", + "crypto/x509/x509_att.c", + "crypto/x509/x_all.c", + "crypto/x509/x509_ext.c", + "crypto/x509/x509type.c", + "crypto/x509/x509_def.c", + "crypto/x509/x509_err.c", + "crypto/x509/x509name.c", + "crypto/x509/x509_r2x.c", + "crypto/x509/x509_cmp.c", + "crypto/asn1/x_pkey.c", + "crypto/asn1/a_gentm.c", + "crypto/asn1/x_sig.c", + "crypto/asn1/t_req.c", + "crypto/asn1/t_pkey.c", + "crypto/asn1/p8_pkey.c", + "crypto/asn1/a_i2d_fp.c", + "crypto/asn1/x_val.c", + "crypto/asn1/f_string.c", + "crypto/asn1/p5_pbe.c", + "crypto/asn1/bio_ndef.c", + "crypto/asn1/a_bool.c", + "crypto/asn1/asn1_gen.c", + "crypto/asn1/x_algor.c", + "crypto/asn1/bio_asn1.c", + "crypto/asn1/asn_mime.c", + "crypto/asn1/t_x509.c", + "crypto/asn1/a_strex.c", + "crypto/asn1/x_nx509.c", + "crypto/asn1/asn1_err.c", + "crypto/asn1/x_crl.c", + "crypto/asn1/a_print.c", + "crypto/asn1/a_type.c", + "crypto/asn1/tasn_new.c", + "crypto/asn1/n_pkey.c", + "crypto/asn1/x_bignum.c", + "crypto/asn1/asn_pack.c", + "crypto/asn1/evp_asn1.c", + "crypto/asn1/t_bitst.c", + "crypto/asn1/x_req.c", + "crypto/asn1/a_time.c", + "crypto/asn1/x_name.c", + "crypto/asn1/x_pubkey.c", + "crypto/asn1/tasn_typ.c", + "crypto/asn1/asn_moid.c", + "crypto/asn1/a_utctm.c", + "crypto/asn1/asn1_lib.c", + "crypto/asn1/x_x509a.c", + "crypto/asn1/a_set.c", + "crypto/asn1/t_crl.c", + "crypto/asn1/p5_pbev2.c", + "crypto/asn1/tasn_enc.c", + "crypto/asn1/a_mbstr.c", + "crypto/asn1/tasn_dec.c", + "crypto/asn1/x_x509.c", + "crypto/asn1/a_octet.c", + "crypto/asn1/x_long.c", + "crypto/asn1/a_bytes.c", + "crypto/asn1/t_x509a.c", + "crypto/asn1/a_enum.c", + "crypto/asn1/a_int.c", + "crypto/asn1/tasn_prn.c", + "crypto/asn1/i2d_pr.c", + "crypto/asn1/a_utf8.c", + "crypto/asn1/t_spki.c", + "crypto/asn1/a_digest.c", + "crypto/asn1/a_dup.c", + "crypto/asn1/i2d_pu.c", + "crypto/asn1/a_verify.c", + "crypto/asn1/f_enum.c", + "crypto/asn1/a_sign.c", + "crypto/asn1/d2i_pr.c", + "crypto/asn1/asn1_par.c", + "crypto/asn1/x_spki.c", + "crypto/asn1/a_d2i_fp.c", + "crypto/asn1/f_int.c", + "crypto/asn1/x_exten.c", + "crypto/asn1/tasn_utl.c", + "crypto/asn1/nsseq.c", + "crypto/asn1/a_bitstr.c", + "crypto/asn1/x_info.c", + "crypto/asn1/a_strnid.c", + "crypto/asn1/a_object.c", + "crypto/asn1/tasn_fre.c", + "crypto/asn1/d2i_pu.c", + "crypto/asn1/ameth_lib.c", + "crypto/asn1/x_attrib.c", + "crypto/evp/m_sha.c", + "crypto/evp/e_camellia.c", + "crypto/evp/e_aes.c", + "crypto/evp/bio_b64.c", + "crypto/evp/m_sigver.c", + "crypto/evp/m_wp.c", + "crypto/evp/m_sha1.c", + "crypto/evp/p_seal.c", + "crypto/evp/c_alld.c", + "crypto/evp/p5_crpt.c", + "crypto/evp/e_rc4.c", + "crypto/evp/m_ecdsa.c", + "crypto/evp/bio_enc.c", + "crypto/evp/e_des3.c", + "crypto/evp/m_null.c", + "crypto/evp/bio_ok.c", + "crypto/evp/pmeth_gn.c", + "crypto/evp/e_rc5.c", + "crypto/evp/e_rc2.c", + "crypto/evp/p_dec.c", + "crypto/evp/p_verify.c", + "crypto/evp/e_rc4_hmac_md5.c", + "crypto/evp/pmeth_lib.c", + "crypto/evp/m_ripemd.c", + "crypto/evp/m_md5.c", + "crypto/evp/e_bf.c", + "crypto/evp/p_enc.c", + "crypto/evp/m_dss.c", + "crypto/evp/bio_md.c", + "crypto/evp/evp_pbe.c", + "crypto/evp/e_seed.c", + "crypto/evp/e_cast.c", + "crypto/evp/p_open.c", + "crypto/evp/p5_crpt2.c", + "crypto/evp/m_dss1.c", + "crypto/evp/names.c", + "crypto/evp/evp_acnf.c", + "crypto/evp/e_des.c", + "crypto/evp/evp_cnf.c", + "crypto/evp/evp_lib.c", + "crypto/evp/digest.c", + "crypto/evp/evp_err.c", + "crypto/evp/evp_enc.c", + "crypto/evp/e_old.c", + "crypto/evp/c_all.c", + "crypto/evp/m_md2.c", + "crypto/evp/e_xcbc_d.c", + "crypto/evp/pmeth_fn.c", + "crypto/evp/p_lib.c", + "crypto/evp/evp_key.c", + "crypto/evp/encode.c", + "crypto/evp/e_aes_cbc_hmac_sha1.c", + "crypto/evp/e_aes_cbc_hmac_sha256.c", + "crypto/evp/m_mdc2.c", + "crypto/evp/e_null.c", + "crypto/evp/p_sign.c", + "crypto/evp/e_idea.c", + "crypto/evp/c_allc.c", + "crypto/evp/evp_pkey.c", + "crypto/evp/m_md4.c", + "crypto/ex_data.c", + "crypto/pkcs12/p12_p8e.c", + "crypto/pkcs12/p12_crt.c", + "crypto/pkcs12/p12_utl.c", + "crypto/pkcs12/p12_attr.c", + "crypto/pkcs12/p12_npas.c", + "crypto/pkcs12/p12_decr.c", + "crypto/pkcs12/p12_init.c", + "crypto/pkcs12/p12_kiss.c", + "crypto/pkcs12/p12_add.c", + "crypto/pkcs12/p12_p8d.c", + "crypto/pkcs12/p12_mutl.c", + "crypto/pkcs12/p12_crpt.c", + "crypto/pkcs12/pk12err.c", + "crypto/pkcs12/p12_asn.c", + "crypto/pkcs12/p12_key.c", + "crypto/ecdh/ech_key.c", + "crypto/ecdh/ech_ossl.c", + "crypto/ecdh/ech_lib.c", + "crypto/ecdh/ech_err.c", + "crypto/ecdh/ech_kdf.c", + "crypto/o_str.c", + "crypto/conf/conf_api.c", + "crypto/conf/conf_err.c", + "crypto/conf/conf_def.c", + "crypto/conf/conf_lib.c", + "crypto/conf/conf_mall.c", + "crypto/conf/conf_sap.c", + "crypto/conf/conf_mod.c", + "crypto/ebcdic.c", + "crypto/ecdsa/ecs_lib.c", + "crypto/ecdsa/ecs_asn1.c", + "crypto/ecdsa/ecs_ossl.c", + "crypto/ecdsa/ecs_vrf.c", + "crypto/ecdsa/ecs_sign.c", + "crypto/ecdsa/ecs_err.c", + "crypto/dso/dso_win32.c", + "crypto/dso/dso_lib.c", + "crypto/dso/dso_dlfcn.c", + "crypto/dso/dso_dl.c", + "crypto/dso/dso_beos.c", + "crypto/dso/dso_null.c", + "crypto/dso/dso_vms.c", + "crypto/dso/dso_err.c", + "crypto/dso/dso_openssl.c", + "crypto/cryptlib.c", + "crypto/md5/md5_one.c", + "crypto/md5/md5_dgst.c", + "crypto/pkcs7/pkcs7err.c", + "crypto/pkcs7/pk7_smime.c", + "crypto/pkcs7/bio_pk7.c", + "crypto/pkcs7/pk7_mime.c", + "crypto/pkcs7/pk7_lib.c", + "crypto/pkcs7/pk7_asn1.c", + "crypto/pkcs7/pk7_doit.c", + "crypto/pkcs7/pk7_attr.c", + "crypto/md4/md4_one.c", + "crypto/md4/md4_dgst.c", + "crypto/o_dir.c", + "crypto/buffer/buf_err.c", + "crypto/buffer/buf_str.c", + "crypto/buffer/buffer.c", + "crypto/cms/cms_lib.c", + "crypto/cms/cms_io.c", + "crypto/cms/cms_err.c", + "crypto/cms/cms_dd.c", + "crypto/cms/cms_smime.c", + "crypto/cms/cms_att.c", + "crypto/cms/cms_pwri.c", + "crypto/cms/cms_cd.c", + "crypto/cms/cms_sd.c", + "crypto/cms/cms_asn1.c", + "crypto/cms/cms_env.c", + "crypto/cms/cms_enc.c", + "crypto/cms/cms_ess.c", + "crypto/cms/cms_kari.c", + "crypto/mem_dbg.c", + "crypto/uid.c", + "crypto/stack/stack.c", + "crypto/ec/ec_ameth.c", + "crypto/ec/ec_err.c", + "crypto/ec/ec_lib.c", + "crypto/ec/ec_curve.c", + "crypto/ec/ec_oct.c", + "crypto/ec/ec_asn1.c", + "crypto/ec/ecp_oct.c", + "crypto/ec/ec_print.c", + "crypto/ec/ec2_smpl.c", + "crypto/ec/ecp_nistp224.c", + "crypto/ec/ec2_oct.c", + "crypto/ec/eck_prn.c", + "crypto/ec/ec_key.c", + "crypto/ec/ecp_nist.c", + "crypto/ec/ec_check.c", + "crypto/ec/ecp_smpl.c", + "crypto/ec/ec2_mult.c", + "crypto/ec/ecp_mont.c", + "crypto/ec/ecp_nistp521.c", + "crypto/ec/ec_mult.c", + "crypto/ec/ecp_nistputil.c", + "crypto/ec/ec_pmeth.c", + "crypto/ec/ec_cvt.c", + "crypto/ec/ecp_nistp256.c", + "crypto/krb5/krb5_asn.c", + "crypto/hmac/hmac.c", + "crypto/hmac/hm_ameth.c", + "crypto/hmac/hm_pmeth.c", + "crypto/comp/c_rle.c", + "crypto/comp/c_zlib.c", + "crypto/comp/comp_lib.c", + "crypto/comp/comp_err.c", + "crypto/des/fcrypt.c", + "crypto/des/str2key.c", + "crypto/des/cbc_cksm.c", + "crypto/des/des_enc.c", + "crypto/des/ofb_enc.c", + "crypto/des/read2pwd.c", + "crypto/des/ecb3_enc.c", + "crypto/des/rand_key.c", + "crypto/des/cfb64ede.c", + "crypto/des/rpc_enc.c", + "crypto/des/ofb64ede.c", + "crypto/des/qud_cksm.c", + "crypto/des/enc_writ.c", + "crypto/des/set_key.c", + "crypto/des/xcbc_enc.c", + "crypto/des/fcrypt_b.c", + "crypto/des/ede_cbcm_enc.c", + "crypto/des/des_old2.c", + "crypto/des/cfb_enc.c", + "crypto/des/ecb_enc.c", + "crypto/des/enc_read.c", + "crypto/des/des_old.c", + "crypto/des/ofb64enc.c", + "crypto/des/pcbc_enc.c", + "crypto/des/cbc_enc.c", + "crypto/des/cfb64enc.c", + "crypto/lhash/lh_stats.c", + "crypto/lhash/lhash.c", + "crypto/x509v3/v3_genn.c", + "crypto/x509v3/pcy_cache.c", + "crypto/x509v3/v3_sxnet.c", + "crypto/x509v3/v3_scts.c", + "crypto/x509v3/v3err.c", + "crypto/x509v3/v3_conf.c", + "crypto/x509v3/v3_utl.c", + "crypto/x509v3/v3_akeya.c", + "crypto/x509v3/v3_lib.c", + "crypto/x509v3/pcy_lib.c", + "crypto/x509v3/v3_cpols.c", + "crypto/x509v3/v3_ia5.c", + "crypto/x509v3/v3_bitst.c", + "crypto/x509v3/v3_skey.c", + "crypto/x509v3/v3_info.c", + "crypto/x509v3/v3_asid.c", + "crypto/x509v3/pcy_tree.c", + "crypto/x509v3/v3_pcons.c", + "crypto/x509v3/v3_bcons.c", + "crypto/x509v3/v3_pku.c", + "crypto/x509v3/v3_ocsp.c", + "crypto/x509v3/pcy_map.c", + "crypto/x509v3/v3_ncons.c", + "crypto/x509v3/v3_purp.c", + "crypto/x509v3/v3_enum.c", + "crypto/x509v3/v3_pmaps.c", + "crypto/x509v3/pcy_node.c", + "crypto/x509v3/v3_pcia.c", + "crypto/x509v3/v3_crld.c", + "crypto/x509v3/v3_pci.c", + "crypto/x509v3/v3_akey.c", + "crypto/x509v3/v3_addr.c", + "crypto/x509v3/v3_int.c", + "crypto/x509v3/v3_alt.c", + "crypto/x509v3/v3_extku.c", + "crypto/x509v3/v3_prn.c", + "crypto/x509v3/pcy_data.c", + "crypto/aes/aes_ofb.c", + "crypto/aes/aes_ctr.c", + "crypto/aes/aes_ecb.c", + "crypto/aes/aes_cfb.c", + "crypto/aes/aes_wrap.c", + "crypto/aes/aes_ige.c", + "crypto/aes/aes_misc.c", + "crypto/pqueue/pqueue.c", + "crypto/sha/sha_one.c", + "crypto/sha/sha_dgst.c", + "crypto/sha/sha512.c", + "crypto/sha/sha1_one.c", + "crypto/sha/sha1dgst.c", + "crypto/sha/sha256.c", + "crypto/whrlpool/wp_dgst.c", + "crypto/objects/obj_xref.c", + "crypto/objects/o_names.c", + "crypto/objects/obj_err.c", + "crypto/objects/obj_dat.c", + "crypto/objects/obj_lib.c", + "crypto/mem.c", + "crypto/fips_ers.c", + "crypto/o_fips.c", + "crypto/engine/eng_rdrand.c", + "crypto/engine/eng_err.c", + "crypto/engine/tb_ecdsa.c", + "crypto/engine/tb_rsa.c", + "crypto/engine/tb_cipher.c", + "crypto/engine/tb_dsa.c", + "crypto/engine/eng_lib.c", + "crypto/engine/tb_asnmth.c", + "crypto/engine/tb_ecdh.c", + "crypto/engine/tb_dh.c", + "crypto/engine/tb_store.c", + "crypto/engine/eng_init.c", + "crypto/engine/eng_cnf.c", + "crypto/engine/eng_all.c", + "crypto/engine/tb_digest.c", + "crypto/engine/tb_pkmeth.c", + "crypto/engine/eng_table.c", + "crypto/engine/eng_ctrl.c", + "crypto/engine/eng_list.c", + "crypto/engine/eng_cryptodev.c", + "crypto/engine/eng_pkey.c", + "crypto/engine/tb_rand.c", + "crypto/engine/eng_openssl.c", + "crypto/engine/eng_fat.c", + "crypto/engine/eng_dyn.c", + "crypto/ts/ts_rsp_verify.c", + "crypto/ts/ts_req_print.c", + "crypto/ts/ts_verify_ctx.c", + "crypto/ts/ts_req_utils.c", + "crypto/ts/ts_err.c", + "crypto/ts/ts_rsp_print.c", + "crypto/ts/ts_rsp_utils.c", + "crypto/ts/ts_lib.c", + "crypto/ts/ts_conf.c", + "crypto/ts/ts_asn1.c", + "crypto/ts/ts_rsp_sign.c", + "crypto/ocsp/ocsp_ext.c", + "crypto/ocsp/ocsp_cl.c", + "crypto/ocsp/ocsp_ht.c", + "crypto/ocsp/ocsp_lib.c", + "crypto/ocsp/ocsp_srv.c", + "crypto/ocsp/ocsp_vfy.c", + "crypto/ocsp/ocsp_err.c", + "crypto/ocsp/ocsp_prn.c", + "crypto/ocsp/ocsp_asn.c", + "crypto/bf/bf_cfb64.c", + "crypto/bf/bf_ecb.c", + "crypto/bf/bf_enc.c", + "crypto/bf/bf_skey.c", + "crypto/bf/bf_ofb64.c", + "crypto/idea/i_skey.c", + "crypto/idea/i_ofb64.c", + "crypto/idea/i_cbc.c", + "crypto/idea/i_ecb.c", + "crypto/idea/i_cfb64.c", + "crypto/cmac/cm_ameth.c", + "crypto/cmac/cmac.c", + "crypto/cmac/cm_pmeth.c", + "crypto/dh/dh_lib.c", + "crypto/dh/dh_key.c", + "crypto/dh/dh_asn1.c", + "crypto/dh/dh_depr.c", + "crypto/dh/dh_pmeth.c", + "crypto/dh/dh_prn.c", + "crypto/dh/dh_gen.c", + "crypto/dh/dh_ameth.c", + "crypto/dh/dh_check.c", + "crypto/dh/dh_err.c", + "crypto/dh/dh_kdf.c", + "crypto/dh/dh_rfc5114.c", + "crypto/modes/ccm128.c", + "crypto/modes/ofb128.c", + "crypto/modes/cts128.c", + "crypto/modes/ctr128.c", + "crypto/modes/gcm128.c", + "crypto/modes/cbc128.c", + "crypto/modes/cfb128.c", + "crypto/modes/xts128.c", + "crypto/modes/wrap128.c", + "crypto/camellia/cmll_cfb.c", + "crypto/camellia/cmll_ecb.c", + "crypto/camellia/cmll_utl.c", + "crypto/camellia/cmll_misc.c", + "crypto/camellia/cmll_ofb.c", + "crypto/camellia/cmll_ctr.c", + "crypto/seed/seed_ecb.c", + "crypto/seed/seed_cbc.c", + "crypto/seed/seed.c", + "crypto/seed/seed_ofb.c", + "crypto/seed/seed_cfb.c", + "crypto/txt_db/txt_db.c", + "crypto/cpt_err.c", + "crypto/pem/pem_pk8.c", + "crypto/pem/pem_lib.c", + "crypto/pem/pem_sign.c", + "crypto/pem/pem_all.c", + "crypto/pem/pem_info.c", + "crypto/pem/pem_pkey.c", + "crypto/pem/pem_seal.c", + "crypto/pem/pem_err.c", + "crypto/pem/pem_xaux.c", + "crypto/pem/pvkfmt.c", + "crypto/pem/pem_x509.c", + "crypto/pem/pem_oth.c", + "crypto/rand/rand_lib.c", + "crypto/rand/randfile.c", + "crypto/rand/rand_os2.c", + "crypto/rand/rand_unix.c", + "crypto/rand/rand_nw.c", + "crypto/rand/md_rand.c", + "crypto/rand/rand_err.c", + "crypto/rand/rand_win.c", + "crypto/rand/rand_egd.c", + "crypto/cversion.c", + "crypto/cast/c_ecb.c", + "crypto/cast/c_skey.c", + "crypto/cast/c_ofb64.c", + "crypto/cast/c_enc.c", + "crypto/cast/c_cfb64.c", + "crypto/o_time.c", + "crypto/mdc2/mdc2dgst.c", + "crypto/mdc2/mdc2_one.c", + "crypto/rc4/rc4_utl.c", + "crypto/ui/ui_compat.c", + "crypto/ui/ui_util.c", + "crypto/ui/ui_lib.c", + "crypto/ui/ui_err.c", + "crypto/ui/ui_openssl.c", + "crypto/bio/bf_buff.c", + "crypto/bio/bss_null.c", + "crypto/bio/bss_acpt.c", + "crypto/bio/bss_conn.c", + "crypto/bio/bss_fd.c", + "crypto/bio/bf_null.c", + "crypto/bio/bio_err.c", + "crypto/bio/bss_sock.c", + "crypto/bio/bss_mem.c", + "crypto/bio/b_dump.c", + "crypto/bio/b_print.c", + "crypto/bio/b_sock.c", + "crypto/bio/bss_dgram.c", + "crypto/bio/bf_nbio.c", + "crypto/bio/bio_lib.c", + "crypto/bio/bss_file.c", + "crypto/bio/bss_bio.c", + "crypto/bio/bss_log.c", + "crypto/bio/bio_cb.c", + "crypto/o_init.c", + "crypto/rc2/rc2_skey.c", + "crypto/rc2/rc2_cbc.c", + "crypto/rc2/rc2cfb64.c", + "crypto/rc2/rc2_ecb.c", + "crypto/rc2/rc2ofb64.c", + "crypto/bn/bn_x931p.c", + "crypto/bn/bn_blind.c", + "crypto/bn/bn_gf2m.c", + "crypto/bn/bn_const.c", + "crypto/bn/bn_sqr.c", + "crypto/bn/bn_nist.c", + "crypto/bn/bn_rand.c", + "crypto/bn/bn_err.c", + "crypto/bn/bn_div.c", + "crypto/bn/bn_kron.c", + "crypto/bn/bn_ctx.c", + "crypto/bn/bn_shift.c", + "crypto/bn/bn_mod.c", + "crypto/bn/bn_exp2.c", + "crypto/bn/bn_word.c", + "crypto/bn/bn_add.c", + "crypto/bn/bn_exp.c", + "crypto/bn/bn_mont.c", + "crypto/bn/bn_print.c", + "crypto/bn/bn_mul.c", + "crypto/bn/bn_prime.c", + "crypto/bn/bn_depr.c", + "crypto/bn/bn_gcd.c", + "crypto/bn/bn_mpi.c", + "crypto/bn/bn_sqrt.c", + "crypto/bn/bn_recp.c", + "crypto/bn/bn_lib.c", + "crypto/ripemd/rmd_dgst.c", + "crypto/ripemd/rmd_one.c", + "crypto/rsa/rsa_x931.c", + "crypto/rsa/rsa_depr.c", + "crypto/rsa/rsa_saos.c", + "crypto/rsa/rsa_crpt.c", + "crypto/rsa/rsa_pss.c", + "crypto/rsa/rsa_oaep.c", + "crypto/rsa/rsa_null.c", + "crypto/rsa/rsa_gen.c", + "crypto/rsa/rsa_prn.c", + "crypto/rsa/rsa_pmeth.c", + "crypto/rsa/rsa_asn1.c", + "crypto/rsa/rsa_ssl.c", + "crypto/rsa/rsa_ameth.c", + "crypto/rsa/rsa_pk1.c", + "crypto/rsa/rsa_err.c", + "crypto/rsa/rsa_lib.c", + "crypto/rsa/rsa_none.c", + "crypto/rsa/rsa_chk.c", + "crypto/rsa/rsa_eay.c", + "crypto/rsa/rsa_sign.c", + "crypto/srp/srp_lib.c", + "crypto/srp/srp_vfy.c", + "crypto/err/err.c", + "crypto/err/err_prn.c", + "crypto/err/err_all.c", + "crypto/mem_clr.c", + "crypto/rc4/rc4_skey.c", + "crypto/rc4/rc4_enc.c", + "crypto/camellia/camellia.c", + "crypto/camellia/cmll_cbc.c", + #"crypto/aes/aes_x86core.c", + "crypto/aes/aes_core.c", + "crypto/aes/aes_cbc.c", + "crypto/whrlpool/wp_block.c", + "crypto/bn/bn_asm.c", + ] + + if "platform" in env and env["platform"] == "winrt": + thirdparty_openssl_sources += ['winrt.cpp'] + + thirdparty_openssl_sources = [thirdparty_dir + file for file in thirdparty_openssl_sources] + + env_modules.add_source_files(env.modules_sources, thirdparty_openssl_sources) + + # FIXME: Clone the environment to make a env_openssl and not pollute the modules env + thirdparty_include_paths = [ + "", + "crypto", + "crypto/asn1", + "crypto/evp", + "crypto/modes", + "openssl", + ] + env_modules.Append(CPPPATH = [thirdparty_dir + "/" + dir for dir in thirdparty_include_paths]) + + env_modules.Append(CPPFLAGS = ["-DOPENSSL_NO_ASM", "-DOPENSSL_THREADS", "-DL_ENDIAN"]) + + # Workaround for compilation error with GCC/Clang when -Werror is too greedy (GH-4517) + import os + import methods + if not (os.name=="nt" and methods.msvc_is_detected()): # not Windows and not MSVC + env_modules.Append(CFLAGS = ["-Wno-error=implicit-function-declaration"]) + + +# Module sources +env_modules.add_source_files(env.modules_sources, "*.cpp") +env_modules.add_source_files(env.modules_sources, "*.c") + +# platform/winrt need to know openssl is available, pass to main env +if "platform" in env and env["platform"] == "winrt": + env.Append(CPPPATH = [thirdparty_dir]) + env.Append(CPPFLAGS = ['-DOPENSSL_ENABLED']); + +Export('env_modules') +Export('env') diff --git a/modules/openssl/config.py b/modules/openssl/config.py new file mode 100644 index 0000000000..368e97e152 --- /dev/null +++ b/modules/openssl/config.py @@ -0,0 +1,6 @@ + +def can_build(platform): + return True + +def configure(env): + pass diff --git a/modules/openssl/curl_hostcheck.c b/modules/openssl/curl_hostcheck.c new file mode 100644 index 0000000000..feef232619 --- /dev/null +++ b/modules/openssl/curl_hostcheck.c @@ -0,0 +1,217 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ + +/* This file is an amalgamation of hostcheck.c and most of rawstr.c + from cURL. The contents of the COPYING file mentioned above are: + +COPYRIGHT AND PERMISSION NOTICE + +Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>. + +All rights reserved. + +Permission to use, copy, modify, and distribute this software for any purpose +with or without fee is hereby granted, provided that the above copyright +notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN +NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of a copyright holder shall not +be used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization of the copyright holder. +*/ + +#include "curl_hostcheck.h" +#include <string.h> + +/* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because + its behavior is altered by the current locale. */ +static char Curl_raw_toupper(char in) +{ + switch (in) { + case 'a': + return 'A'; + case 'b': + return 'B'; + case 'c': + return 'C'; + case 'd': + return 'D'; + case 'e': + return 'E'; + case 'f': + return 'F'; + case 'g': + return 'G'; + case 'h': + return 'H'; + case 'i': + return 'I'; + case 'j': + return 'J'; + case 'k': + return 'K'; + case 'l': + return 'L'; + case 'm': + return 'M'; + case 'n': + return 'N'; + case 'o': + return 'O'; + case 'p': + return 'P'; + case 'q': + return 'Q'; + case 'r': + return 'R'; + case 's': + return 'S'; + case 't': + return 'T'; + case 'u': + return 'U'; + case 'v': + return 'V'; + case 'w': + return 'W'; + case 'x': + return 'X'; + case 'y': + return 'Y'; + case 'z': + return 'Z'; + } + return in; +} + +/* + * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant + * to be locale independent and only compare strings we know are safe for + * this. See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for + * some further explanation to why this function is necessary. + * + * The function is capable of comparing a-z case insensitively even for + * non-ascii. + */ + +static int Curl_raw_equal(const char *first, const char *second) +{ + while(*first && *second) { + if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) + /* get out of the loop as soon as they don't match */ + break; + first++; + second++; + } + /* we do the comparison here (possibly again), just to make sure that if the + loop above is skipped because one of the strings reached zero, we must not + return this as a successful match */ + return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second)); +} + +static int Curl_raw_nequal(const char *first, const char *second, size_t max) +{ + while(*first && *second && max) { + if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) { + break; + } + max--; + first++; + second++; + } + if(0 == max) + return 1; /* they are equal this far */ + + return Curl_raw_toupper(*first) == Curl_raw_toupper(*second); +} + +/* + * Match a hostname against a wildcard pattern. + * E.g. + * "foo.host.com" matches "*.host.com". + * + * We use the matching rule described in RFC6125, section 6.4.3. + * http://tools.ietf.org/html/rfc6125#section-6.4.3 + */ + +static int hostmatch(const char *hostname, const char *pattern) +{ + const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; + int wildcard_enabled; + size_t prefixlen, suffixlen; + pattern_wildcard = strchr(pattern, '*'); + if(pattern_wildcard == NULL) + return Curl_raw_equal(pattern, hostname) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + + /* We require at least 2 dots in pattern to avoid too wide wildcard + match. */ + wildcard_enabled = 1; + pattern_label_end = strchr(pattern, '.'); + if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL || + pattern_wildcard > pattern_label_end || + Curl_raw_nequal(pattern, "xn--", 4)) { + wildcard_enabled = 0; + } + if(!wildcard_enabled) + return Curl_raw_equal(pattern, hostname) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + + hostname_label_end = strchr(hostname, '.'); + if(hostname_label_end == NULL || + !Curl_raw_equal(pattern_label_end, hostname_label_end)) + return CURL_HOST_NOMATCH; + + /* The wildcard must match at least one character, so the left-most + label of the hostname is at least as large as the left-most label + of the pattern. */ + if(hostname_label_end - hostname < pattern_label_end - pattern) + return CURL_HOST_NOMATCH; + + prefixlen = pattern_wildcard - pattern; + suffixlen = pattern_label_end - (pattern_wildcard+1); + return Curl_raw_nequal(pattern, hostname, prefixlen) && + Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen, + suffixlen) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; +} + +int Tool_Curl_cert_hostcheck(const char *match_pattern, const char *hostname) +{ + if(!match_pattern || !*match_pattern || + !hostname || !*hostname) /* sanity check */ + return 0; + + if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */ + return 1; + + if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH) + return 1; + return 0; +} diff --git a/modules/openssl/curl_hostcheck.h b/modules/openssl/curl_hostcheck.h new file mode 100644 index 0000000000..1b7fbe81e3 --- /dev/null +++ b/modules/openssl/curl_hostcheck.h @@ -0,0 +1,39 @@ +#ifndef HEADER_TOOL_CURL_HOSTCHECK_H +#define HEADER_TOOL_CURL_HOSTCHECK_H + +#ifdef __cplusplus +extern "C" { +#endif + +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ + +#define CURL_HOST_NOMATCH 0 +#define CURL_HOST_MATCH 1 +int Tool_Curl_cert_hostcheck(const char *match_pattern, const char *hostname); + +#ifdef __cplusplus +} +#endif + +#endif /* HEADER_CURL_HOSTCHECK_H */ + diff --git a/modules/openssl/register_types.cpp b/modules/openssl/register_types.cpp new file mode 100644 index 0000000000..4aba9f530e --- /dev/null +++ b/modules/openssl/register_types.cpp @@ -0,0 +1,42 @@ +/*************************************************************************/ +/* register_types.cpp */ +/*************************************************************************/ +/* This file is part of: */ +/* GODOT ENGINE */ +/* http://www.godotengine.org */ +/*************************************************************************/ +/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ +/* */ +/* Permission is hereby granted, free of charge, to any person obtaining */ +/* a copy of this software and associated documentation files (the */ +/* "Software"), to deal in the Software without restriction, including */ +/* without limitation the rights to use, copy, modify, merge, publish, */ +/* distribute, sublicense, and/or sell copies of the Software, and to */ +/* permit persons to whom the Software is furnished to do so, subject to */ +/* the following conditions: */ +/* */ +/* The above copyright notice and this permission notice shall be */ +/* included in all copies or substantial portions of the Software. */ +/* */ +/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ +/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ +/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ +/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ +/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ +/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ +/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ +/*************************************************************************/ +#include "register_types.h" + +#include "stream_peer_openssl.h" + +void register_openssl_types() { + + ObjectTypeDB::register_type<StreamPeerOpenSSL>(); + StreamPeerOpenSSL::initialize_ssl(); +} + +void unregister_openssl_types() { + + StreamPeerOpenSSL::finalize_ssl(); +} diff --git a/modules/openssl/register_types.h b/modules/openssl/register_types.h new file mode 100644 index 0000000000..2db140cc80 --- /dev/null +++ b/modules/openssl/register_types.h @@ -0,0 +1,30 @@ +/*************************************************************************/ +/* register_types.h */ +/*************************************************************************/ +/* This file is part of: */ +/* GODOT ENGINE */ +/* http://www.godotengine.org */ +/*************************************************************************/ +/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ +/* */ +/* Permission is hereby granted, free of charge, to any person obtaining */ +/* a copy of this software and associated documentation files (the */ +/* "Software"), to deal in the Software without restriction, including */ +/* without limitation the rights to use, copy, modify, merge, publish, */ +/* distribute, sublicense, and/or sell copies of the Software, and to */ +/* permit persons to whom the Software is furnished to do so, subject to */ +/* the following conditions: */ +/* */ +/* The above copyright notice and this permission notice shall be */ +/* included in all copies or substantial portions of the Software. */ +/* */ +/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ +/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ +/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ +/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ +/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ +/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ +/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ +/*************************************************************************/ +void register_openssl_types(); +void unregister_openssl_types(); diff --git a/modules/openssl/stream_peer_openssl.cpp b/modules/openssl/stream_peer_openssl.cpp new file mode 100644 index 0000000000..b9bec4ca0b --- /dev/null +++ b/modules/openssl/stream_peer_openssl.cpp @@ -0,0 +1,646 @@ +/*************************************************************************/ +/* stream_peer_openssl.cpp */ +/*************************************************************************/ +/* This file is part of: */ +/* GODOT ENGINE */ +/* http://www.godotengine.org */ +/*************************************************************************/ +/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ +/* */ +/* Permission is hereby granted, free of charge, to any person obtaining */ +/* a copy of this software and associated documentation files (the */ +/* "Software"), to deal in the Software without restriction, including */ +/* without limitation the rights to use, copy, modify, merge, publish, */ +/* distribute, sublicense, and/or sell copies of the Software, and to */ +/* permit persons to whom the Software is furnished to do so, subject to */ +/* the following conditions: */ +/* */ +/* The above copyright notice and this permission notice shall be */ +/* included in all copies or substantial portions of the Software. */ +/* */ +/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ +/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ +/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ +/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ +/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ +/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ +/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ +/*************************************************************************/ +#include "stream_peer_openssl.h" +//hostname matching code from curl + + +//#include <openssl/applink.c> // To prevent crashing (see the OpenSSL FAQ) + +bool StreamPeerOpenSSL::_match_host_name(const char *name, const char *hostname) { + + return Tool_Curl_cert_hostcheck(name,hostname)==CURL_HOST_MATCH; +// print_line("MATCH: "+String(name)+" vs "+String(hostname)); +// return true; +} + +Error StreamPeerOpenSSL::_match_common_name(const char *hostname, const X509 *server_cert) { + + int common_name_loc = -1; + X509_NAME_ENTRY *common_name_entry = NULL; + ASN1_STRING *common_name_asn1 = NULL; + char *common_name_str = NULL; + + // Find the position of the CN field in the Subject field of the certificate + common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1); + + ERR_FAIL_COND_V(common_name_loc < 0, ERR_INVALID_PARAMETER ); + + // Extract the CN field + common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc); + + ERR_FAIL_COND_V(common_name_entry == NULL, ERR_INVALID_PARAMETER ); + + // Convert the CN field to a C string + common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); + + ERR_FAIL_COND_V(common_name_asn1 == NULL, ERR_INVALID_PARAMETER ); + + common_name_str = (char *) ASN1_STRING_data(common_name_asn1); + + // Make sure there isn't an embedded NUL character in the CN + bool malformed_certificate = (size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str); + + ERR_FAIL_COND_V(malformed_certificate, ERR_INVALID_PARAMETER ); + + + // Compare expected hostname with the CN + + + return _match_host_name(common_name_str,hostname)?OK:FAILED; + +} + + +/** +* Tries to find a match for hostname in the certificate's Subject Alternative Name extension. +* +*/ + +Error StreamPeerOpenSSL::_match_subject_alternative_name(const char *hostname, const X509 *server_cert) { + + Error result = FAILED; + int i; + int san_names_nb = -1; + STACK_OF(GENERAL_NAME) *san_names = NULL; + + // Try to extract the names within the SAN extension from the certificate + san_names = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL); + if (san_names == NULL) { + return ERR_FILE_NOT_FOUND; + } + san_names_nb = sk_GENERAL_NAME_num(san_names); + + // Check each name within the extension + for (i=0; i<san_names_nb; i++) { + const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i); + + if (current_name->type == GEN_DNS) { + // Current name is a DNS name, let's check it + char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName); + + // Make sure there isn't an embedded NUL character in the DNS name + if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) { + result = ERR_INVALID_PARAMETER; + break; + } + else { // Compare expected hostname with the DNS name + if (_match_host_name(dns_name, hostname)) { + result = OK; + break; + } + } + } + } + sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free); + + return result; +} + +/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */ +int StreamPeerOpenSSL::_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) { + + /* This is the function that OpenSSL would call if we hadn't called + * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping" + * the default functionality, rather than replacing it. */ + + bool base_cert_valid = X509_verify_cert(x509_ctx); + if (!base_cert_valid) { + print_line("Cause: "+String(X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)))); + ERR_print_errors_fp(stdout); + } + X509 *server_cert = X509_STORE_CTX_get_current_cert(x509_ctx); + + ERR_FAIL_COND_V(!server_cert,0); + + char cert_str[256]; + X509_NAME_oneline(X509_get_subject_name (server_cert), + cert_str, sizeof (cert_str)); + + print_line("CERT STR: "+String(cert_str)); + print_line("VALID: "+itos(base_cert_valid)); + + if (!base_cert_valid) + return 0; + + StreamPeerOpenSSL *ssl = (StreamPeerOpenSSL *)arg; + + if (ssl->validate_hostname) { + + Error err = _match_subject_alternative_name(ssl->hostname.utf8().get_data(),server_cert); + + if (err==ERR_FILE_NOT_FOUND) { + + err = _match_common_name(ssl->hostname.utf8().get_data(),server_cert); + } + + if (err!=OK) { + + ssl->status=STATUS_ERROR_HOSTNAME_MISMATCH; + return 0; + } + } + + return 1; + +} + + + +int StreamPeerOpenSSL::_bio_create( BIO *b ) { + b->init = 1; + b->num = 0; + b->ptr = NULL; + b->flags = 0; + return 1; +} + +int StreamPeerOpenSSL::_bio_destroy( BIO *b ) +{ + if ( b == NULL ) + return 0; + + b->ptr = NULL; /* sb_tls_remove() will free it */ + b->init = 0; + b->flags = 0; + return 1; +} + +int StreamPeerOpenSSL::_bio_read( BIO *b, char *buf, int len ) { + + + if ( buf == NULL || len <= 0 ) return 0; + + StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)b->ptr; + + ERR_FAIL_COND_V( sp == NULL, 0); + + BIO_clear_retry_flags( b ); + if (sp->use_blocking) { + + Error err = sp->base->get_data((uint8_t*)buf,len); + if (err!=OK) { + return -1; + } + + return len; + } else { + + int got; + Error err = sp->base->get_partial_data((uint8_t*)buf,len,got); + if (err!=OK) { + return -1; + } + if (got==0) { + BIO_set_retry_read( b ); + } + return got; + } + + //unreachable + return 0; +} + +int StreamPeerOpenSSL::_bio_write( BIO *b, const char *buf, int len ) { + + if ( buf == NULL || len <= 0 ) return 0; + + StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)b->ptr; + + ERR_FAIL_COND_V( sp == NULL, 0); + + BIO_clear_retry_flags( b ); + if (sp->use_blocking) { + + Error err = sp->base->put_data((const uint8_t*)buf,len); + if (err!=OK) { + return -1; + } + + return len; + } else { + + int sent; + Error err = sp->base->put_partial_data((const uint8_t*)buf,len,sent); + if (err!=OK) { + return -1; + } + if (sent==0) { + BIO_set_retry_write( b ); + } + return sent; + + } + + //unreachable + return 0; +} + +long StreamPeerOpenSSL::_bio_ctrl( BIO *b, int cmd, long num, void *ptr ) +{ + if ( cmd == BIO_CTRL_FLUSH ) { + /* The OpenSSL library needs this */ + return 1; + } + return 0; +} + +int StreamPeerOpenSSL::_bio_gets( BIO *b, char *buf, int len ) +{ + return -1; +} + +int StreamPeerOpenSSL::_bio_puts( BIO *b, const char *str ) +{ + return _bio_write( b, str, strlen( str ) ); +} + +BIO_METHOD StreamPeerOpenSSL::_bio_method = { + /* it's a source/sink BIO */ + ( 100 | 0x400 ), + "streampeer glue", + _bio_write, + _bio_read, + _bio_puts, + _bio_gets, + _bio_ctrl, + _bio_create, + _bio_destroy +}; + +Error StreamPeerOpenSSL::connect(Ref<StreamPeer> p_base, bool p_validate_certs, const String& p_for_hostname) { + + if (connected) + disconnect(); + + + hostname=p_for_hostname; + status=STATUS_DISCONNECTED; + + // Set up a SSL_CTX object, which will tell our BIO object how to do its work + ctx = SSL_CTX_new(SSLv23_client_method()); + base=p_base; + validate_certs=p_validate_certs; + validate_hostname=p_for_hostname!=""; + + + + + if (p_validate_certs) { + + + if (certs.size()) { + //yay for undocumented OpenSSL functions + + X509_STORE *store = SSL_CTX_get_cert_store(ctx); + for(int i=0;i<certs.size();i++) { + + X509_STORE_add_cert(store,certs[i]); + + } +#if 0 + const unsigned char *in=(const unsigned char *)certs.ptr(); + X509 *Cert = d2i_X509(NULL, &in, certs.size()-1); + if (!Cert) { + print_line(String(ERR_error_string(ERR_get_error(),NULL))); + } + ERR_FAIL_COND_V(!Cert,ERR_PARSE_ERROR); + + X509_STORE *store = SSL_CTX_get_cert_store(ctx); + X509_STORE_add_cert(store,Cert); + + //char *str = X509_NAME_oneline(X509_get_subject_name(Cert),0,0); + //printf ("subject: %s\n", str); /* [1] */ +#endif + } + + //used for testing + //int res = SSL_CTX_load_verify_locations(ctx,"/etc/ssl/certs/ca-certificates.crt",NULL); + //print_line("verify locations res: "+itos(res)); + + + /* Ask OpenSSL to verify the server certificate. Note that this + * does NOT include verifying that the hostname is correct. + * So, by itself, this means anyone with any legitimate + * CA-issued certificate for any website, can impersonate any + * other website in the world. This is not good. See "The + * Most Dangerous Code in the World" article at + * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html + */ + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + /* This is how we solve the problem mentioned in the previous + * comment. We "wrap" OpenSSL's validation routine in our + * own routine, which also validates the hostname by calling + * the code provided by iSECPartners. Note that even though + * the "Everything You've Always Wanted to Know About + * Certificate Validation With OpenSSL (But Were Afraid to + * Ask)" paper from iSECPartners says very explicitly not to + * call SSL_CTX_set_cert_verify_callback (at the bottom of + * page 2), what we're doing here is safe because our + * cert_verify_callback() calls X509_verify_cert(), which is + * OpenSSL's built-in routine which would have been called if + * we hadn't set the callback. Therefore, we're just + * "wrapping" OpenSSL's routine, not replacing it. */ + SSL_CTX_set_cert_verify_callback (ctx, _cert_verify_callback,this); + + //Let the verify_callback catch the verify_depth error so that we get an appropriate error in the logfile. (??) + SSL_CTX_set_verify_depth(ctx,max_cert_chain_depth + 1); + + } + + + + + + ssl = SSL_new( ctx ); + bio = BIO_new( &_bio_method ); + bio->ptr = this; + SSL_set_bio( ssl, bio, bio ); + + if (p_for_hostname!=String()) { + SSL_set_tlsext_host_name(ssl,p_for_hostname.utf8().get_data()); + } + + use_blocking=true; // let handshake use blocking + // Set the SSL to automatically retry on failure. + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + + // Same as before, try to connect. + int result = SSL_connect( ssl ); + + print_line("CONNECTION RESULT: "+itos(result)); + if (result<1) { + ERR_print_errors_fp(stdout); + _print_error(result); + } + + X509 * peer = SSL_get_peer_certificate(ssl); + + if (peer) { + bool cert_ok = SSL_get_verify_result(ssl) == X509_V_OK; + print_line("cert_ok: "+itos(cert_ok)); + + } else if (validate_certs){ + status=STATUS_ERROR_NO_CERTIFICATE; + } + + connected=true; + status=STATUS_CONNECTED; + + return OK; +} + +Error StreamPeerOpenSSL::accept(Ref<StreamPeer> p_base) { + + + return ERR_UNAVAILABLE; +} + +void StreamPeerOpenSSL::_print_error(int err) { + + err = SSL_get_error(ssl,err); + switch(err) { + case SSL_ERROR_NONE: ERR_PRINT("NO ERROR: The TLS/SSL I/O operation completed"); break; + case SSL_ERROR_ZERO_RETURN: ERR_PRINT("The TLS/SSL connection has been closed."); + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + ERR_PRINT("The operation did not complete."); break; + case SSL_ERROR_WANT_CONNECT: + case SSL_ERROR_WANT_ACCEPT: + ERR_PRINT("The connect/accept operation did not complete"); break; + case SSL_ERROR_WANT_X509_LOOKUP: + ERR_PRINT("The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again."); break; + case SSL_ERROR_SYSCALL: + ERR_PRINT("Some I/O error occurred. The OpenSSL error queue may contain more information on the error."); break; + case SSL_ERROR_SSL: + ERR_PRINT("A failure in the SSL library occurred, usually a protocol error."); break; + + } +} + +Error StreamPeerOpenSSL::put_data(const uint8_t* p_data,int p_bytes) { + + ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); + + while(p_bytes>0) { + int ret = SSL_write(ssl,p_data,p_bytes); + if (ret<=0) { + _print_error(ret); + disconnect(); + return ERR_CONNECTION_ERROR; + } + p_data+=ret; + p_bytes-=ret; + } + + return OK; + +} + +Error StreamPeerOpenSSL::put_partial_data(const uint8_t* p_data,int p_bytes, int &r_sent){ + + ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); + if (p_bytes==0) + return OK; + + Error err = put_data(p_data,p_bytes); + if (err!=OK) + return err; + + r_sent=p_bytes; + return OK; + +} + +Error StreamPeerOpenSSL::get_data(uint8_t* p_buffer, int p_bytes){ + + ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); + + while(p_bytes>0) { + + int ret = SSL_read(ssl,p_buffer,p_bytes); + if (ret<=0) { + _print_error(ret); + disconnect(); + return ERR_CONNECTION_ERROR; + } + p_buffer+=ret; + p_bytes-=ret; + } + + return OK; +} + +Error StreamPeerOpenSSL::get_partial_data(uint8_t* p_buffer, int p_bytes,int &r_received){ + + ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); + if (p_bytes==0) { + r_received=0; + return OK; + } + + Error err = get_data(p_buffer,p_bytes); + if (err!=OK) + return err; + r_received=p_bytes; + return OK; +} + +int StreamPeerOpenSSL::get_available_bytes() const { + + ERR_FAIL_COND_V(!connected,0); + + return SSL_pending(ssl); + +} +StreamPeerOpenSSL::StreamPeerOpenSSL() { + + ctx=NULL; + ssl=NULL; + bio=NULL; + connected=false; + use_blocking=true; //might be improved int the future, but for now it always blocks + max_cert_chain_depth=9; + flags=0; +} + +void StreamPeerOpenSSL::disconnect() { + + if (!connected) + return; + SSL_shutdown( ssl ); + SSL_free( ssl ); + SSL_CTX_free(ctx); + base=Ref<StreamPeer>(); + connected=false; + validate_certs=false; + validate_hostname=false; + status=STATUS_DISCONNECTED; + + +} + +StreamPeerOpenSSL::Status StreamPeerOpenSSL::get_status() const { + + return status; +} + + +StreamPeerOpenSSL::~StreamPeerOpenSSL() { + disconnect(); +} + +StreamPeerSSL* StreamPeerOpenSSL::_create_func() { + + return memnew( StreamPeerOpenSSL ); +} + + +Vector<X509*> StreamPeerOpenSSL::certs; + + +void StreamPeerOpenSSL::_load_certs(const ByteArray& p_array) { + + ByteArray::Read r = p_array.read(); + BIO* mem = BIO_new(BIO_s_mem()); + BIO_puts(mem,(const char*)r.ptr()); + while(true) { + X509*cert = PEM_read_bio_X509(mem, NULL, 0, NULL); + if (!cert) + break; + certs.push_back(cert); + } + BIO_free(mem); +} + +void StreamPeerOpenSSL::initialize_ssl() { + + available=true; + + load_certs_func=_load_certs; + + _create=_create_func; + CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use + SSL_library_init(); // Initialize OpenSSL's SSL libraries + SSL_load_error_strings(); // Load SSL error strings + ERR_load_BIO_strings(); // Load BIO error strings + OpenSSL_add_all_algorithms(); // Load all available encryption algorithms + String certs_path =GLOBAL_DEF("ssl/certificates",""); + Globals::get_singleton()->set_custom_property_info("ssl/certificates",PropertyInfo(Variant::STRING,"ssl/certificates",PROPERTY_HINT_FILE,"*.crt")); + if (certs_path!="") { + + + + FileAccess *f=FileAccess::open(certs_path,FileAccess::READ); + if (f) { + ByteArray arr; + int flen = f->get_len(); + arr.resize(flen+1); + { + ByteArray::Write w = arr.write(); + f->get_buffer(w.ptr(),flen); + w[flen]=0; //end f string + } + + memdelete(f); + + _load_certs(arr); + print_line("Loaded certs from '"+certs_path+"': "+itos(certs.size())); + } + } + String config_path =GLOBAL_DEF("ssl/config",""); + Globals::get_singleton()->set_custom_property_info("ssl/config",PropertyInfo(Variant::STRING,"ssl/config",PROPERTY_HINT_FILE,"*.cnf")); + if (config_path!="") { + + Vector<uint8_t> data = FileAccess::get_file_as_array(config_path); + if (data.size()) { + data.push_back(0); + BIO* mem = BIO_new(BIO_s_mem()); + BIO_puts(mem,(const char*) data.ptr()); + + while(true) { + X509*cert = PEM_read_bio_X509(mem, NULL, 0, NULL); + if (!cert) + break; + certs.push_back(cert); + } + BIO_free(mem); + } + print_line("Loaded certs from '"+certs_path+"': "+itos(certs.size())); + + } + +} + +void StreamPeerOpenSSL::finalize_ssl(){ + + for(int i=0;i<certs.size();i++) { + X509_free(certs[i]); + } + certs.clear(); +} diff --git a/modules/openssl/stream_peer_openssl.h b/modules/openssl/stream_peer_openssl.h new file mode 100644 index 0000000000..853ede2036 --- /dev/null +++ b/modules/openssl/stream_peer_openssl.h @@ -0,0 +1,109 @@ +/*************************************************************************/ +/* stream_peer_openssl.h */ +/*************************************************************************/ +/* This file is part of: */ +/* GODOT ENGINE */ +/* http://www.godotengine.org */ +/*************************************************************************/ +/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ +/* */ +/* Permission is hereby granted, free of charge, to any person obtaining */ +/* a copy of this software and associated documentation files (the */ +/* "Software"), to deal in the Software without restriction, including */ +/* without limitation the rights to use, copy, modify, merge, publish, */ +/* distribute, sublicense, and/or sell copies of the Software, and to */ +/* permit persons to whom the Software is furnished to do so, subject to */ +/* the following conditions: */ +/* */ +/* The above copyright notice and this permission notice shall be */ +/* included in all copies or substantial portions of the Software. */ +/* */ +/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ +/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ +/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ +/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ +/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ +/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ +/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ +/*************************************************************************/ +#ifndef STREAM_PEER_OPEN_SSL_H +#define STREAM_PEER_OPEN_SSL_H + +#include <stdio.h> // If you don't know what this is for stop reading now. +#include "io/stream_peer_ssl.h" +#include "globals.h" +#include "os/file_access.h" +#include "curl_hostcheck.h" + +#include <openssl/bio.h> // BIO objects for I/O +#include <openssl/ssl.h> // SSL and SSL_CTX for SSL connections +#include <openssl/err.h> // Error reporting +#include <openssl/x509v3.h> + +class StreamPeerOpenSSL : public StreamPeerSSL { +private: + static int _bio_create( BIO *b ); + static int _bio_destroy( BIO *b ); + static int _bio_read( BIO *b, char *buf, int len ); + static int _bio_write( BIO *b, const char *buf, int len ); + static long _bio_ctrl( BIO *b, int cmd, long num, void *ptr ); + static int _bio_gets( BIO *b, char *buf, int len ); + static int _bio_puts( BIO *b, const char *str ); + + static BIO_METHOD _bio_method; + + static bool _match_host_name(const char *name, const char *hostname); + static Error _match_common_name(const char *hostname, const X509 *server_cert); + static Error _match_subject_alternative_name(const char *hostname, const X509 *server_cert); + + + static int _cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg); + + + Status status; + String hostname; + int max_cert_chain_depth; + SSL_CTX* ctx; + SSL* ssl; + BIO* bio; + bool connected; + int flags; + bool use_blocking; + bool validate_certs; + bool validate_hostname; + + Ref<StreamPeer> base; + + static StreamPeerSSL* _create_func(); + void _print_error(int err); + + static Vector<X509*> certs; + + static void _load_certs(const ByteArray& p_array); +protected: + static void _bind_methods(); +public: + + + virtual Error accept(Ref<StreamPeer> p_base); + virtual Error connect(Ref<StreamPeer> p_base,bool p_validate_certs=false,const String& p_for_hostname=String()); + virtual Status get_status() const; + + virtual void disconnect(); + + virtual Error put_data(const uint8_t* p_data,int p_bytes); + virtual Error put_partial_data(const uint8_t* p_data,int p_bytes, int &r_sent); + + virtual Error get_data(uint8_t* p_buffer, int p_bytes); + virtual Error get_partial_data(uint8_t* p_buffer, int p_bytes,int &r_received); + + virtual int get_available_bytes() const; + + static void initialize_ssl(); + static void finalize_ssl(); + + StreamPeerOpenSSL(); + ~StreamPeerOpenSSL(); +}; + +#endif // STREAM_PEER_SSL_H |