diff options
Diffstat (limited to 'drivers/openssl')
| -rw-r--r-- | drivers/openssl/SCsub | 6 | ||||
| -rw-r--r-- | drivers/openssl/curl_hostcheck.c | 221 | ||||
| -rw-r--r-- | drivers/openssl/curl_hostcheck.h | 43 | ||||
| -rw-r--r-- | drivers/openssl/register_openssl.cpp | 47 | ||||
| -rw-r--r-- | drivers/openssl/register_openssl.h | 39 | ||||
| -rw-r--r-- | drivers/openssl/stream_peer_openssl.cpp | 649 | ||||
| -rw-r--r-- | drivers/openssl/stream_peer_openssl.h | 113 |
7 files changed, 0 insertions, 1118 deletions
diff --git a/drivers/openssl/SCsub b/drivers/openssl/SCsub deleted file mode 100644 index 40e3d0c0f0..0000000000 --- a/drivers/openssl/SCsub +++ /dev/null @@ -1,6 +0,0 @@ -Import('env_drivers') -Import('env') - -env_drivers.add_source_files(env.drivers_sources,"*.cpp") -env_drivers.add_source_files(env.drivers_sources,"*.c") - diff --git a/drivers/openssl/curl_hostcheck.c b/drivers/openssl/curl_hostcheck.c deleted file mode 100644 index f5d44bfaf1..0000000000 --- a/drivers/openssl/curl_hostcheck.c +++ /dev/null @@ -1,221 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at http://curl.haxx.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - ***************************************************************************/ - -/* This file is an amalgamation of hostcheck.c and most of rawstr.c - from cURL. The contents of the COPYING file mentioned above are: - -COPYRIGHT AND PERMISSION NOTICE - -Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>. - -All rights reserved. - -Permission to use, copy, modify, and distribute this software for any purpose -with or without fee is hereby granted, provided that the above copyright -notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN -NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, -DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR -OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE -OR OTHER DEALINGS IN THE SOFTWARE. - -Except as contained in this notice, the name of a copyright holder shall not -be used in advertising or otherwise to promote the sale, use or other dealings -in this Software without prior written authorization of the copyright holder. -*/ - -#ifdef OPENSSL_ENABLED - -#include "curl_hostcheck.h" -#include <string.h> - -/* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because - its behavior is altered by the current locale. */ -static char Curl_raw_toupper(char in) -{ - switch (in) { - case 'a': - return 'A'; - case 'b': - return 'B'; - case 'c': - return 'C'; - case 'd': - return 'D'; - case 'e': - return 'E'; - case 'f': - return 'F'; - case 'g': - return 'G'; - case 'h': - return 'H'; - case 'i': - return 'I'; - case 'j': - return 'J'; - case 'k': - return 'K'; - case 'l': - return 'L'; - case 'm': - return 'M'; - case 'n': - return 'N'; - case 'o': - return 'O'; - case 'p': - return 'P'; - case 'q': - return 'Q'; - case 'r': - return 'R'; - case 's': - return 'S'; - case 't': - return 'T'; - case 'u': - return 'U'; - case 'v': - return 'V'; - case 'w': - return 'W'; - case 'x': - return 'X'; - case 'y': - return 'Y'; - case 'z': - return 'Z'; - } - return in; -} - -/* - * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant - * to be locale independent and only compare strings we know are safe for - * this. See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for - * some further explanation to why this function is necessary. - * - * The function is capable of comparing a-z case insensitively even for - * non-ascii. - */ - -static int Curl_raw_equal(const char *first, const char *second) -{ - while(*first && *second) { - if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) - /* get out of the loop as soon as they don't match */ - break; - first++; - second++; - } - /* we do the comparison here (possibly again), just to make sure that if the - loop above is skipped because one of the strings reached zero, we must not - return this as a successful match */ - return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second)); -} - -static int Curl_raw_nequal(const char *first, const char *second, size_t max) -{ - while(*first && *second && max) { - if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) { - break; - } - max--; - first++; - second++; - } - if(0 == max) - return 1; /* they are equal this far */ - - return Curl_raw_toupper(*first) == Curl_raw_toupper(*second); -} - -/* - * Match a hostname against a wildcard pattern. - * E.g. - * "foo.host.com" matches "*.host.com". - * - * We use the matching rule described in RFC6125, section 6.4.3. - * http://tools.ietf.org/html/rfc6125#section-6.4.3 - */ - -static int hostmatch(const char *hostname, const char *pattern) -{ - const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; - int wildcard_enabled; - size_t prefixlen, suffixlen; - pattern_wildcard = strchr(pattern, '*'); - if(pattern_wildcard == NULL) - return Curl_raw_equal(pattern, hostname) ? - CURL_HOST_MATCH : CURL_HOST_NOMATCH; - - /* We require at least 2 dots in pattern to avoid too wide wildcard - match. */ - wildcard_enabled = 1; - pattern_label_end = strchr(pattern, '.'); - if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL || - pattern_wildcard > pattern_label_end || - Curl_raw_nequal(pattern, "xn--", 4)) { - wildcard_enabled = 0; - } - if(!wildcard_enabled) - return Curl_raw_equal(pattern, hostname) ? - CURL_HOST_MATCH : CURL_HOST_NOMATCH; - - hostname_label_end = strchr(hostname, '.'); - if(hostname_label_end == NULL || - !Curl_raw_equal(pattern_label_end, hostname_label_end)) - return CURL_HOST_NOMATCH; - - /* The wildcard must match at least one character, so the left-most - label of the hostname is at least as large as the left-most label - of the pattern. */ - if(hostname_label_end - hostname < pattern_label_end - pattern) - return CURL_HOST_NOMATCH; - - prefixlen = pattern_wildcard - pattern; - suffixlen = pattern_label_end - (pattern_wildcard+1); - return Curl_raw_nequal(pattern, hostname, prefixlen) && - Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen, - suffixlen) ? - CURL_HOST_MATCH : CURL_HOST_NOMATCH; -} - -int Tool_Curl_cert_hostcheck(const char *match_pattern, const char *hostname) -{ - if(!match_pattern || !*match_pattern || - !hostname || !*hostname) /* sanity check */ - return 0; - - if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */ - return 1; - - if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH) - return 1; - return 0; -} - -#endif diff --git a/drivers/openssl/curl_hostcheck.h b/drivers/openssl/curl_hostcheck.h deleted file mode 100644 index 7611c6e443..0000000000 --- a/drivers/openssl/curl_hostcheck.h +++ /dev/null @@ -1,43 +0,0 @@ -#ifndef HEADER_TOOL_CURL_HOSTCHECK_H -#define HEADER_TOOL_CURL_HOSTCHECK_H - -#ifdef OPENSSL_ENABLED - -#ifdef __cplusplus -extern "C" { -#endif - -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at http://curl.haxx.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - ***************************************************************************/ - -#define CURL_HOST_NOMATCH 0 -#define CURL_HOST_MATCH 1 -int Tool_Curl_cert_hostcheck(const char *match_pattern, const char *hostname); - -#ifdef __cplusplus -} -#endif - -#endif - -#endif /* HEADER_CURL_HOSTCHECK_H */ - diff --git a/drivers/openssl/register_openssl.cpp b/drivers/openssl/register_openssl.cpp deleted file mode 100644 index 0d2f9fd537..0000000000 --- a/drivers/openssl/register_openssl.cpp +++ /dev/null @@ -1,47 +0,0 @@ -/*************************************************************************/ -/* register_openssl.cpp */ -/*************************************************************************/ -/* This file is part of: */ -/* GODOT ENGINE */ -/* http://www.godotengine.org */ -/*************************************************************************/ -/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ -/* */ -/* Permission is hereby granted, free of charge, to any person obtaining */ -/* a copy of this software and associated documentation files (the */ -/* "Software"), to deal in the Software without restriction, including */ -/* without limitation the rights to use, copy, modify, merge, publish, */ -/* distribute, sublicense, and/or sell copies of the Software, and to */ -/* permit persons to whom the Software is furnished to do so, subject to */ -/* the following conditions: */ -/* */ -/* The above copyright notice and this permission notice shall be */ -/* included in all copies or substantial portions of the Software. */ -/* */ -/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ -/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ -/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ -/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ -/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ -/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ -/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -/*************************************************************************/ -#include "register_openssl.h" - -#include "stream_peer_openssl.h" -#ifdef OPENSSL_ENABLED - -void register_openssl() { - - ObjectTypeDB::register_type<StreamPeerOpenSSL>(); - StreamPeerOpenSSL::initialize_ssl(); - -} - -void unregister_openssl() { - - StreamPeerOpenSSL::finalize_ssl(); - -} -#endif - diff --git a/drivers/openssl/register_openssl.h b/drivers/openssl/register_openssl.h deleted file mode 100644 index a66ca1e9c0..0000000000 --- a/drivers/openssl/register_openssl.h +++ /dev/null @@ -1,39 +0,0 @@ -/*************************************************************************/ -/* register_openssl.h */ -/*************************************************************************/ -/* This file is part of: */ -/* GODOT ENGINE */ -/* http://www.godotengine.org */ -/*************************************************************************/ -/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ -/* */ -/* Permission is hereby granted, free of charge, to any person obtaining */ -/* a copy of this software and associated documentation files (the */ -/* "Software"), to deal in the Software without restriction, including */ -/* without limitation the rights to use, copy, modify, merge, publish, */ -/* distribute, sublicense, and/or sell copies of the Software, and to */ -/* permit persons to whom the Software is furnished to do so, subject to */ -/* the following conditions: */ -/* */ -/* The above copyright notice and this permission notice shall be */ -/* included in all copies or substantial portions of the Software. */ -/* */ -/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ -/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ -/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ -/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ -/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ -/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ -/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -/*************************************************************************/ -#ifndef REGISTER_OPENSSL_H -#define REGISTER_OPENSSL_H - -#ifdef OPENSSL_ENABLED - -void register_openssl(); -void unregister_openssl(); - -#endif - -#endif // REGISTER_OPENSSL_H diff --git a/drivers/openssl/stream_peer_openssl.cpp b/drivers/openssl/stream_peer_openssl.cpp deleted file mode 100644 index aa3d8a8f7f..0000000000 --- a/drivers/openssl/stream_peer_openssl.cpp +++ /dev/null @@ -1,649 +0,0 @@ -/*************************************************************************/ -/* stream_peer_openssl.cpp */ -/*************************************************************************/ -/* This file is part of: */ -/* GODOT ENGINE */ -/* http://www.godotengine.org */ -/*************************************************************************/ -/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ -/* */ -/* Permission is hereby granted, free of charge, to any person obtaining */ -/* a copy of this software and associated documentation files (the */ -/* "Software"), to deal in the Software without restriction, including */ -/* without limitation the rights to use, copy, modify, merge, publish, */ -/* distribute, sublicense, and/or sell copies of the Software, and to */ -/* permit persons to whom the Software is furnished to do so, subject to */ -/* the following conditions: */ -/* */ -/* The above copyright notice and this permission notice shall be */ -/* included in all copies or substantial portions of the Software. */ -/* */ -/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ -/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ -/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ -/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ -/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ -/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ -/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -/*************************************************************************/ -#ifdef OPENSSL_ENABLED -#include "stream_peer_openssl.h" -//hostname matching code from curl - - -//#include <openssl/applink.c> // To prevent crashing (see the OpenSSL FAQ) - -bool StreamPeerOpenSSL::_match_host_name(const char *name, const char *hostname) { - - return Tool_Curl_cert_hostcheck(name,hostname)==CURL_HOST_MATCH; -// print_line("MATCH: "+String(name)+" vs "+String(hostname)); -// return true; -} - -Error StreamPeerOpenSSL::_match_common_name(const char *hostname, const X509 *server_cert) { - - int common_name_loc = -1; - X509_NAME_ENTRY *common_name_entry = NULL; - ASN1_STRING *common_name_asn1 = NULL; - char *common_name_str = NULL; - - // Find the position of the CN field in the Subject field of the certificate - common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1); - - ERR_FAIL_COND_V(common_name_loc < 0, ERR_INVALID_PARAMETER ); - - // Extract the CN field - common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc); - - ERR_FAIL_COND_V(common_name_entry == NULL, ERR_INVALID_PARAMETER ); - - // Convert the CN field to a C string - common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); - - ERR_FAIL_COND_V(common_name_asn1 == NULL, ERR_INVALID_PARAMETER ); - - common_name_str = (char *) ASN1_STRING_data(common_name_asn1); - - // Make sure there isn't an embedded NUL character in the CN - bool malformed_certificate = (size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str); - - ERR_FAIL_COND_V(malformed_certificate, ERR_INVALID_PARAMETER ); - - - // Compare expected hostname with the CN - - - return _match_host_name(common_name_str,hostname)?OK:FAILED; - -} - - -/** -* Tries to find a match for hostname in the certificate's Subject Alternative Name extension. -* -*/ - -Error StreamPeerOpenSSL::_match_subject_alternative_name(const char *hostname, const X509 *server_cert) { - - Error result = FAILED; - int i; - int san_names_nb = -1; - STACK_OF(GENERAL_NAME) *san_names = NULL; - - // Try to extract the names within the SAN extension from the certificate - san_names = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL); - if (san_names == NULL) { - return ERR_FILE_NOT_FOUND; - } - san_names_nb = sk_GENERAL_NAME_num(san_names); - - // Check each name within the extension - for (i=0; i<san_names_nb; i++) { - const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i); - - if (current_name->type == GEN_DNS) { - // Current name is a DNS name, let's check it - char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName); - - // Make sure there isn't an embedded NUL character in the DNS name - if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) { - result = ERR_INVALID_PARAMETER; - break; - } - else { // Compare expected hostname with the DNS name - if (_match_host_name(dns_name, hostname)) { - result = OK; - break; - } - } - } - } - sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free); - - return result; -} - -/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */ -int StreamPeerOpenSSL::_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) { - - /* This is the function that OpenSSL would call if we hadn't called - * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping" - * the default functionality, rather than replacing it. */ - - bool base_cert_valid = X509_verify_cert(x509_ctx); - if (!base_cert_valid) { - print_line("Cause: "+String(X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)))); - ERR_print_errors_fp(stdout); - } - X509 *server_cert = X509_STORE_CTX_get_current_cert(x509_ctx); - - ERR_FAIL_COND_V(!server_cert,0); - - char cert_str[256]; - X509_NAME_oneline(X509_get_subject_name (server_cert), - cert_str, sizeof (cert_str)); - - print_line("CERT STR: "+String(cert_str)); - print_line("VALID: "+itos(base_cert_valid)); - - if (!base_cert_valid) - return 0; - - StreamPeerOpenSSL *ssl = (StreamPeerOpenSSL *)arg; - - if (ssl->validate_hostname) { - - Error err = _match_subject_alternative_name(ssl->hostname.utf8().get_data(),server_cert); - - if (err==ERR_FILE_NOT_FOUND) { - - err = _match_common_name(ssl->hostname.utf8().get_data(),server_cert); - } - - if (err!=OK) { - - ssl->status=STATUS_ERROR_HOSTNAME_MISMATCH; - return 0; - } - } - - return 1; - -} - - - -int StreamPeerOpenSSL::_bio_create( BIO *b ) { - b->init = 1; - b->num = 0; - b->ptr = NULL; - b->flags = 0; - return 1; -} - -int StreamPeerOpenSSL::_bio_destroy( BIO *b ) -{ - if ( b == NULL ) - return 0; - - b->ptr = NULL; /* sb_tls_remove() will free it */ - b->init = 0; - b->flags = 0; - return 1; -} - -int StreamPeerOpenSSL::_bio_read( BIO *b, char *buf, int len ) { - - - if ( buf == NULL || len <= 0 ) return 0; - - StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)b->ptr; - - ERR_FAIL_COND_V( sp == NULL, 0); - - BIO_clear_retry_flags( b ); - if (sp->use_blocking) { - - Error err = sp->base->get_data((uint8_t*)buf,len); - if (err!=OK) { - return -1; - } - - return len; - } else { - - int got; - Error err = sp->base->get_partial_data((uint8_t*)buf,len,got); - if (err!=OK) { - return -1; - } - if (got==0) { - BIO_set_retry_read( b ); - } - return got; - } - - //unreachable - return 0; -} - -int StreamPeerOpenSSL::_bio_write( BIO *b, const char *buf, int len ) { - - if ( buf == NULL || len <= 0 ) return 0; - - StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)b->ptr; - - ERR_FAIL_COND_V( sp == NULL, 0); - - BIO_clear_retry_flags( b ); - if (sp->use_blocking) { - - Error err = sp->base->put_data((const uint8_t*)buf,len); - if (err!=OK) { - return -1; - } - - return len; - } else { - - int sent; - Error err = sp->base->put_partial_data((const uint8_t*)buf,len,sent); - if (err!=OK) { - return -1; - } - if (sent==0) { - BIO_set_retry_write( b ); - } - return sent; - - } - - //unreachable - return 0; -} - -long StreamPeerOpenSSL::_bio_ctrl( BIO *b, int cmd, long num, void *ptr ) -{ - if ( cmd == BIO_CTRL_FLUSH ) { - /* The OpenSSL library needs this */ - return 1; - } - return 0; -} - -int StreamPeerOpenSSL::_bio_gets( BIO *b, char *buf, int len ) -{ - return -1; -} - -int StreamPeerOpenSSL::_bio_puts( BIO *b, const char *str ) -{ - return _bio_write( b, str, strlen( str ) ); -} - -BIO_METHOD StreamPeerOpenSSL::_bio_method = { - /* it's a source/sink BIO */ - ( 100 | 0x400 ), - "streampeer glue", - _bio_write, - _bio_read, - _bio_puts, - _bio_gets, - _bio_ctrl, - _bio_create, - _bio_destroy -}; - -Error StreamPeerOpenSSL::connect(Ref<StreamPeer> p_base, bool p_validate_certs, const String& p_for_hostname) { - - if (connected) - disconnect(); - - - hostname=p_for_hostname; - status=STATUS_DISCONNECTED; - - // Set up a SSL_CTX object, which will tell our BIO object how to do its work - ctx = SSL_CTX_new(SSLv23_client_method()); - base=p_base; - validate_certs=p_validate_certs; - validate_hostname=p_for_hostname!=""; - - - - - if (p_validate_certs) { - - - if (certs.size()) { - //yay for undocumented OpenSSL functions - - X509_STORE *store = SSL_CTX_get_cert_store(ctx); - for(int i=0;i<certs.size();i++) { - - X509_STORE_add_cert(store,certs[i]); - - } -#if 0 - const unsigned char *in=(const unsigned char *)certs.ptr(); - X509 *Cert = d2i_X509(NULL, &in, certs.size()-1); - if (!Cert) { - print_line(String(ERR_error_string(ERR_get_error(),NULL))); - } - ERR_FAIL_COND_V(!Cert,ERR_PARSE_ERROR); - - X509_STORE *store = SSL_CTX_get_cert_store(ctx); - X509_STORE_add_cert(store,Cert); - - //char *str = X509_NAME_oneline(X509_get_subject_name(Cert),0,0); - //printf ("subject: %s\n", str); /* [1] */ -#endif - } - - //used for testing - //int res = SSL_CTX_load_verify_locations(ctx,"/etc/ssl/certs/ca-certificates.crt",NULL); - //print_line("verify locations res: "+itos(res)); - - - /* Ask OpenSSL to verify the server certificate. Note that this - * does NOT include verifying that the hostname is correct. - * So, by itself, this means anyone with any legitimate - * CA-issued certificate for any website, can impersonate any - * other website in the world. This is not good. See "The - * Most Dangerous Code in the World" article at - * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html - */ - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); - /* This is how we solve the problem mentioned in the previous - * comment. We "wrap" OpenSSL's validation routine in our - * own routine, which also validates the hostname by calling - * the code provided by iSECPartners. Note that even though - * the "Everything You've Always Wanted to Know About - * Certificate Validation With OpenSSL (But Were Afraid to - * Ask)" paper from iSECPartners says very explicitly not to - * call SSL_CTX_set_cert_verify_callback (at the bottom of - * page 2), what we're doing here is safe because our - * cert_verify_callback() calls X509_verify_cert(), which is - * OpenSSL's built-in routine which would have been called if - * we hadn't set the callback. Therefore, we're just - * "wrapping" OpenSSL's routine, not replacing it. */ - SSL_CTX_set_cert_verify_callback (ctx, _cert_verify_callback,this); - - //Let the verify_callback catch the verify_depth error so that we get an appropriate error in the logfile. (??) - SSL_CTX_set_verify_depth(ctx,max_cert_chain_depth + 1); - - } - - - - - - ssl = SSL_new( ctx ); - bio = BIO_new( &_bio_method ); - bio->ptr = this; - SSL_set_bio( ssl, bio, bio ); - - if (p_for_hostname!=String()) { - SSL_set_tlsext_host_name(ssl,p_for_hostname.utf8().get_data()); - } - - use_blocking=true; // let handshake use blocking - // Set the SSL to automatically retry on failure. - SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); - - // Same as before, try to connect. - int result = SSL_connect( ssl ); - - print_line("CONNECTION RESULT: "+itos(result)); - if (result<1) { - ERR_print_errors_fp(stdout); - _print_error(result); - } - - X509 * peer = SSL_get_peer_certificate(ssl); - - if (peer) { - bool cert_ok = SSL_get_verify_result(ssl) == X509_V_OK; - print_line("cert_ok: "+itos(cert_ok)); - - } else if (validate_certs){ - status=STATUS_ERROR_NO_CERTIFICATE; - } - - connected=true; - status=STATUS_CONNECTED; - - return OK; -} - -Error StreamPeerOpenSSL::accept(Ref<StreamPeer> p_base) { - - - return ERR_UNAVAILABLE; -} - -void StreamPeerOpenSSL::_print_error(int err) { - - err = SSL_get_error(ssl,err); - switch(err) { - case SSL_ERROR_NONE: ERR_PRINT("NO ERROR: The TLS/SSL I/O operation completed"); break; - case SSL_ERROR_ZERO_RETURN: ERR_PRINT("The TLS/SSL connection has been closed."); - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - ERR_PRINT("The operation did not complete."); break; - case SSL_ERROR_WANT_CONNECT: - case SSL_ERROR_WANT_ACCEPT: - ERR_PRINT("The connect/accept operation did not complete"); break; - case SSL_ERROR_WANT_X509_LOOKUP: - ERR_PRINT("The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again."); break; - case SSL_ERROR_SYSCALL: - ERR_PRINT("Some I/O error occurred. The OpenSSL error queue may contain more information on the error."); break; - case SSL_ERROR_SSL: - ERR_PRINT("A failure in the SSL library occurred, usually a protocol error."); break; - - } -} - -Error StreamPeerOpenSSL::put_data(const uint8_t* p_data,int p_bytes) { - - ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); - - while(p_bytes>0) { - int ret = SSL_write(ssl,p_data,p_bytes); - if (ret<=0) { - _print_error(ret); - disconnect(); - return ERR_CONNECTION_ERROR; - } - p_data+=ret; - p_bytes-=ret; - } - - return OK; - -} - -Error StreamPeerOpenSSL::put_partial_data(const uint8_t* p_data,int p_bytes, int &r_sent){ - - ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); - if (p_bytes==0) - return OK; - - Error err = put_data(p_data,p_bytes); - if (err!=OK) - return err; - - r_sent=p_bytes; - return OK; - -} - -Error StreamPeerOpenSSL::get_data(uint8_t* p_buffer, int p_bytes){ - - ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); - - while(p_bytes>0) { - - int ret = SSL_read(ssl,p_buffer,p_bytes); - if (ret<=0) { - _print_error(ret); - disconnect(); - return ERR_CONNECTION_ERROR; - } - p_buffer+=ret; - p_bytes-=ret; - } - - return OK; -} - -Error StreamPeerOpenSSL::get_partial_data(uint8_t* p_buffer, int p_bytes,int &r_received){ - - ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED); - if (p_bytes==0) { - r_received=0; - return OK; - } - - Error err = get_data(p_buffer,p_bytes); - if (err!=OK) - return err; - r_received=p_bytes; - return OK; -} - -int StreamPeerOpenSSL::get_available_bytes() const { - - ERR_FAIL_COND_V(!connected,0); - - return SSL_pending(ssl); - -} -StreamPeerOpenSSL::StreamPeerOpenSSL() { - - ctx=NULL; - ssl=NULL; - bio=NULL; - connected=false; - use_blocking=true; //might be improved int the future, but for now it always blocks - max_cert_chain_depth=9; - flags=0; -} - -void StreamPeerOpenSSL::disconnect() { - - if (!connected) - return; - SSL_shutdown( ssl ); - SSL_free( ssl ); - SSL_CTX_free(ctx); - base=Ref<StreamPeer>(); - connected=false; - validate_certs=false; - validate_hostname=false; - status=STATUS_DISCONNECTED; - - -} - -StreamPeerOpenSSL::Status StreamPeerOpenSSL::get_status() const { - - return status; -} - - -StreamPeerOpenSSL::~StreamPeerOpenSSL() { - disconnect(); -} - -StreamPeerSSL* StreamPeerOpenSSL::_create_func() { - - return memnew( StreamPeerOpenSSL ); -} - - -Vector<X509*> StreamPeerOpenSSL::certs; - - -void StreamPeerOpenSSL::_load_certs(const ByteArray& p_array) { - - ByteArray::Read r = p_array.read(); - BIO* mem = BIO_new(BIO_s_mem()); - BIO_puts(mem,(const char*)r.ptr()); - while(true) { - X509*cert = PEM_read_bio_X509(mem, NULL, 0, NULL); - if (!cert) - break; - certs.push_back(cert); - } - BIO_free(mem); -} - -void StreamPeerOpenSSL::initialize_ssl() { - - available=true; - - load_certs_func=_load_certs; - - _create=_create_func; - CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use - SSL_library_init(); // Initialize OpenSSL's SSL libraries - SSL_load_error_strings(); // Load SSL error strings - ERR_load_BIO_strings(); // Load BIO error strings - OpenSSL_add_all_algorithms(); // Load all available encryption algorithms - String certs_path =GLOBAL_DEF("ssl/certificates",""); - Globals::get_singleton()->set_custom_property_info("ssl/certificates",PropertyInfo(Variant::STRING,"ssl/certificates",PROPERTY_HINT_FILE,"*.crt")); - if (certs_path!="") { - - - - FileAccess *f=FileAccess::open(certs_path,FileAccess::READ); - if (f) { - ByteArray arr; - int flen = f->get_len(); - arr.resize(flen+1); - { - ByteArray::Write w = arr.write(); - f->get_buffer(w.ptr(),flen); - w[flen]=0; //end f string - } - - memdelete(f); - - _load_certs(arr); - print_line("Loaded certs from '"+certs_path+"': "+itos(certs.size())); - } - } - String config_path =GLOBAL_DEF("ssl/config",""); - Globals::get_singleton()->set_custom_property_info("ssl/config",PropertyInfo(Variant::STRING,"ssl/config",PROPERTY_HINT_FILE,"*.cnf")); - if (config_path!="") { - - Vector<uint8_t> data = FileAccess::get_file_as_array(config_path); - if (data.size()) { - data.push_back(0); - BIO* mem = BIO_new(BIO_s_mem()); - BIO_puts(mem,(const char*) data.ptr()); - - while(true) { - X509*cert = PEM_read_bio_X509(mem, NULL, 0, NULL); - if (!cert) - break; - certs.push_back(cert); - } - BIO_free(mem); - } - print_line("Loaded certs from '"+certs_path+"': "+itos(certs.size())); - - } - -} - -void StreamPeerOpenSSL::finalize_ssl(){ - - for(int i=0;i<certs.size();i++) { - X509_free(certs[i]); - } - certs.clear(); -} - -#endif diff --git a/drivers/openssl/stream_peer_openssl.h b/drivers/openssl/stream_peer_openssl.h deleted file mode 100644 index f1f25f4fc5..0000000000 --- a/drivers/openssl/stream_peer_openssl.h +++ /dev/null @@ -1,113 +0,0 @@ -/*************************************************************************/ -/* stream_peer_openssl.h */ -/*************************************************************************/ -/* This file is part of: */ -/* GODOT ENGINE */ -/* http://www.godotengine.org */ -/*************************************************************************/ -/* Copyright (c) 2007-2016 Juan Linietsky, Ariel Manzur. */ -/* */ -/* Permission is hereby granted, free of charge, to any person obtaining */ -/* a copy of this software and associated documentation files (the */ -/* "Software"), to deal in the Software without restriction, including */ -/* without limitation the rights to use, copy, modify, merge, publish, */ -/* distribute, sublicense, and/or sell copies of the Software, and to */ -/* permit persons to whom the Software is furnished to do so, subject to */ -/* the following conditions: */ -/* */ -/* The above copyright notice and this permission notice shall be */ -/* included in all copies or substantial portions of the Software. */ -/* */ -/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */ -/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */ -/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/ -/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */ -/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */ -/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */ -/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -/*************************************************************************/ -#ifndef STREAM_PEER_OPEN_SSL_H -#define STREAM_PEER_OPEN_SSL_H - -#ifdef OPENSSL_ENABLED - - -#include <stdio.h> // If you don't know what this is for stop reading now. -#include "io/stream_peer_ssl.h" -#include "globals.h" -#include "os/file_access.h" -#include "curl_hostcheck.h" - -#include <openssl/bio.h> // BIO objects for I/O -#include <openssl/ssl.h> // SSL and SSL_CTX for SSL connections -#include <openssl/err.h> // Error reporting -#include <openssl/x509v3.h> - -class StreamPeerOpenSSL : public StreamPeerSSL { -private: - static int _bio_create( BIO *b ); - static int _bio_destroy( BIO *b ); - static int _bio_read( BIO *b, char *buf, int len ); - static int _bio_write( BIO *b, const char *buf, int len ); - static long _bio_ctrl( BIO *b, int cmd, long num, void *ptr ); - static int _bio_gets( BIO *b, char *buf, int len ); - static int _bio_puts( BIO *b, const char *str ); - - static BIO_METHOD _bio_method; - - static bool _match_host_name(const char *name, const char *hostname); - static Error _match_common_name(const char *hostname, const X509 *server_cert); - static Error _match_subject_alternative_name(const char *hostname, const X509 *server_cert); - - - static int _cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg); - - - Status status; - String hostname; - int max_cert_chain_depth; - SSL_CTX* ctx; - SSL* ssl; - BIO* bio; - bool connected; - int flags; - bool use_blocking; - bool validate_certs; - bool validate_hostname; - - Ref<StreamPeer> base; - - static StreamPeerSSL* _create_func(); - void _print_error(int err); - - static Vector<X509*> certs; - - static void _load_certs(const ByteArray& p_array); -protected: - static void _bind_methods(); -public: - - - virtual Error accept(Ref<StreamPeer> p_base); - virtual Error connect(Ref<StreamPeer> p_base,bool p_validate_certs=false,const String& p_for_hostname=String()); - virtual Status get_status() const; - - virtual void disconnect(); - - virtual Error put_data(const uint8_t* p_data,int p_bytes); - virtual Error put_partial_data(const uint8_t* p_data,int p_bytes, int &r_sent); - - virtual Error get_data(uint8_t* p_buffer, int p_bytes); - virtual Error get_partial_data(uint8_t* p_buffer, int p_bytes,int &r_received); - - virtual int get_available_bytes() const; - - static void initialize_ssl(); - static void finalize_ssl(); - - StreamPeerOpenSSL(); - ~StreamPeerOpenSSL(); -}; - -#endif -#endif // STREAM_PEER_SSL_H |