2016-06-18 14:46:12 +02:00
|
|
|
/*************************************************************************/
|
|
|
|
/* stream_peer_openssl.cpp */
|
|
|
|
/*************************************************************************/
|
|
|
|
/* This file is part of: */
|
|
|
|
/* GODOT ENGINE */
|
2017-08-27 14:16:55 +02:00
|
|
|
/* https://godotengine.org */
|
2016-06-18 14:46:12 +02:00
|
|
|
/*************************************************************************/
|
2017-01-01 22:01:57 +01:00
|
|
|
/* Copyright (c) 2007-2017 Juan Linietsky, Ariel Manzur. */
|
2017-04-08 00:11:42 +02:00
|
|
|
/* Copyright (c) 2014-2017 Godot Engine contributors (cf. AUTHORS.md) */
|
2016-06-18 14:46:12 +02:00
|
|
|
/* */
|
|
|
|
/* Permission is hereby granted, free of charge, to any person obtaining */
|
|
|
|
/* a copy of this software and associated documentation files (the */
|
|
|
|
/* "Software"), to deal in the Software without restriction, including */
|
|
|
|
/* without limitation the rights to use, copy, modify, merge, publish, */
|
|
|
|
/* distribute, sublicense, and/or sell copies of the Software, and to */
|
|
|
|
/* permit persons to whom the Software is furnished to do so, subject to */
|
|
|
|
/* the following conditions: */
|
|
|
|
/* */
|
|
|
|
/* The above copyright notice and this permission notice shall be */
|
|
|
|
/* included in all copies or substantial portions of the Software. */
|
|
|
|
/* */
|
|
|
|
/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */
|
|
|
|
/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */
|
|
|
|
/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
|
|
|
|
/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */
|
|
|
|
/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */
|
|
|
|
/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */
|
|
|
|
/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
|
|
|
|
/*************************************************************************/
|
2014-05-01 14:53:37 +02:00
|
|
|
#include "stream_peer_openssl.h"
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-09-24 07:45:02 +02:00
|
|
|
// Compatibility with OpenSSL 1.1.0.
|
2017-10-18 04:03:00 +02:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
2017-09-24 07:45:02 +02:00
|
|
|
#define BIO_set_num(b, n)
|
|
|
|
#else
|
|
|
|
#define BIO_set_num(b, n) ((b)->num = (n))
|
|
|
|
|
|
|
|
#define BIO_set_init(b, i) ((b)->init = (i))
|
|
|
|
#define BIO_set_data(b, p) ((b)->ptr = (p))
|
|
|
|
#define BIO_get_data(b) ((b)->ptr)
|
|
|
|
#endif
|
|
|
|
|
2017-08-27 21:07:15 +02:00
|
|
|
//hostname matching code from curl
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
bool StreamPeerOpenSSL::_match_host_name(const char *name, const char *hostname) {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
return Tool_Curl_cert_hostcheck(name, hostname) == CURL_HOST_MATCH;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
Error StreamPeerOpenSSL::_match_common_name(const char *hostname, const X509 *server_cert) {
|
|
|
|
|
|
|
|
// Find the position of the CN field in the Subject field of the certificate
|
2017-08-21 21:15:36 +02:00
|
|
|
int common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *)server_cert), NID_commonName, -1);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(common_name_loc < 0, ERR_INVALID_PARAMETER);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
// Extract the CN field
|
2017-08-21 21:15:36 +02:00
|
|
|
X509_NAME_ENTRY *common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *)server_cert), common_name_loc);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(common_name_entry == NULL, ERR_INVALID_PARAMETER);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
// Convert the CN field to a C string
|
2017-08-21 21:15:36 +02:00
|
|
|
ASN1_STRING *common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(common_name_asn1 == NULL, ERR_INVALID_PARAMETER);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-08-21 21:15:36 +02:00
|
|
|
char *common_name_str = (char *)ASN1_STRING_data(common_name_asn1);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
// Make sure there isn't an embedded NUL character in the CN
|
|
|
|
bool malformed_certificate = (size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str);
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(malformed_certificate, ERR_INVALID_PARAMETER);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
// Compare expected hostname with the CN
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
return _match_host_name(common_name_str, hostname) ? OK : FAILED;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Tries to find a match for hostname in the certificate's Subject Alternative Name extension.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
Error StreamPeerOpenSSL::_match_subject_alternative_name(const char *hostname, const X509 *server_cert) {
|
|
|
|
|
|
|
|
Error result = FAILED;
|
|
|
|
int i;
|
|
|
|
int san_names_nb = -1;
|
|
|
|
STACK_OF(GENERAL_NAME) *san_names = NULL;
|
|
|
|
|
|
|
|
// Try to extract the names within the SAN extension from the certificate
|
2017-03-05 16:44:50 +01:00
|
|
|
san_names = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i((X509 *)server_cert, NID_subject_alt_name, NULL, NULL);
|
2014-04-29 02:56:43 +02:00
|
|
|
if (san_names == NULL) {
|
|
|
|
return ERR_FILE_NOT_FOUND;
|
|
|
|
}
|
|
|
|
san_names_nb = sk_GENERAL_NAME_num(san_names);
|
|
|
|
|
|
|
|
// Check each name within the extension
|
2017-03-05 16:44:50 +01:00
|
|
|
for (i = 0; i < san_names_nb; i++) {
|
2014-04-29 02:56:43 +02:00
|
|
|
const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
|
|
|
|
|
|
|
|
if (current_name->type == GEN_DNS) {
|
|
|
|
// Current name is a DNS name, let's check it
|
2017-03-05 16:44:50 +01:00
|
|
|
char *dns_name = (char *)ASN1_STRING_data(current_name->d.dNSName);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
// Make sure there isn't an embedded NUL character in the DNS name
|
|
|
|
if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
|
|
|
|
result = ERR_INVALID_PARAMETER;
|
|
|
|
break;
|
2017-03-05 16:44:50 +01:00
|
|
|
} else { // Compare expected hostname with the DNS name
|
2014-04-29 02:56:43 +02:00
|
|
|
if (_match_host_name(dns_name, hostname)) {
|
|
|
|
result = OK;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
|
|
|
|
int StreamPeerOpenSSL::_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) {
|
|
|
|
|
|
|
|
/* This is the function that OpenSSL would call if we hadn't called
|
|
|
|
* SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping"
|
|
|
|
* the default functionality, rather than replacing it. */
|
|
|
|
|
|
|
|
bool base_cert_valid = X509_verify_cert(x509_ctx);
|
|
|
|
if (!base_cert_valid) {
|
2017-03-05 16:44:50 +01:00
|
|
|
print_line("Cause: " + String(X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx))));
|
2014-05-01 14:53:37 +02:00
|
|
|
ERR_print_errors_fp(stdout);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
X509 *server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(!server_cert, 0);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
char cert_str[256];
|
2017-03-05 16:44:50 +01:00
|
|
|
X509_NAME_oneline(X509_get_subject_name(server_cert),
|
|
|
|
cert_str, sizeof(cert_str));
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
print_line("CERT STR: " + String(cert_str));
|
|
|
|
print_line("VALID: " + itos(base_cert_valid));
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
if (!base_cert_valid)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
StreamPeerOpenSSL *ssl = (StreamPeerOpenSSL *)arg;
|
|
|
|
|
|
|
|
if (ssl->validate_hostname) {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = _match_subject_alternative_name(ssl->hostname.utf8().get_data(), server_cert);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
if (err == ERR_FILE_NOT_FOUND) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
err = _match_common_name(ssl->hostname.utf8().get_data(), server_cert);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
if (err != OK) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ssl->status = STATUS_ERROR_HOSTNAME_MISMATCH;
|
2014-04-29 02:56:43 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int StreamPeerOpenSSL::_bio_create(BIO *b) {
|
2017-09-24 07:45:02 +02:00
|
|
|
BIO_set_init(b, 1);
|
|
|
|
BIO_set_num(b, 0);
|
|
|
|
BIO_set_data(b, NULL);
|
|
|
|
BIO_clear_flags(b, ~0);
|
2014-04-29 02:56:43 +02:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int StreamPeerOpenSSL::_bio_destroy(BIO *b) {
|
|
|
|
if (b == NULL)
|
2014-04-29 02:56:43 +02:00
|
|
|
return 0;
|
|
|
|
|
2017-09-24 07:45:02 +02:00
|
|
|
BIO_set_data(b, NULL); /* sb_tls_remove() will free it */
|
|
|
|
BIO_set_init(b, 0);
|
|
|
|
BIO_clear_flags(b, ~0);
|
2014-04-29 02:56:43 +02:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int StreamPeerOpenSSL::_bio_read(BIO *b, char *buf, int len) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
if (buf == NULL || len <= 0) return 0;
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-09-24 07:45:02 +02:00
|
|
|
StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)BIO_get_data(b);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(sp == NULL, 0);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
BIO_clear_retry_flags(b);
|
2014-04-29 02:56:43 +02:00
|
|
|
if (sp->use_blocking) {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = sp->base->get_data((uint8_t *)buf, len);
|
|
|
|
if (err != OK) {
|
2014-04-29 02:56:43 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return len;
|
|
|
|
} else {
|
|
|
|
|
|
|
|
int got;
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = sp->base->get_partial_data((uint8_t *)buf, len, got);
|
|
|
|
if (err != OK) {
|
2014-04-29 02:56:43 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2017-03-05 16:44:50 +01:00
|
|
|
if (got == 0) {
|
|
|
|
BIO_set_retry_read(b);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
return got;
|
|
|
|
}
|
|
|
|
|
|
|
|
//unreachable
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int StreamPeerOpenSSL::_bio_write(BIO *b, const char *buf, int len) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
if (buf == NULL || len <= 0) return 0;
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-09-24 07:45:02 +02:00
|
|
|
StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)BIO_get_data(b);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(sp == NULL, 0);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
BIO_clear_retry_flags(b);
|
2014-04-29 02:56:43 +02:00
|
|
|
if (sp->use_blocking) {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = sp->base->put_data((const uint8_t *)buf, len);
|
|
|
|
if (err != OK) {
|
2014-04-29 02:56:43 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return len;
|
|
|
|
} else {
|
|
|
|
|
|
|
|
int sent;
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = sp->base->put_partial_data((const uint8_t *)buf, len, sent);
|
|
|
|
if (err != OK) {
|
2014-04-29 02:56:43 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2017-03-05 16:44:50 +01:00
|
|
|
if (sent == 0) {
|
|
|
|
BIO_set_retry_write(b);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
return sent;
|
|
|
|
}
|
|
|
|
|
|
|
|
//unreachable
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
long StreamPeerOpenSSL::_bio_ctrl(BIO *b, int cmd, long num, void *ptr) {
|
|
|
|
if (cmd == BIO_CTRL_FLUSH) {
|
2014-04-29 02:56:43 +02:00
|
|
|
/* The OpenSSL library needs this */
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int StreamPeerOpenSSL::_bio_gets(BIO *b, char *buf, int len) {
|
2014-04-29 02:56:43 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int StreamPeerOpenSSL::_bio_puts(BIO *b, const char *str) {
|
|
|
|
return _bio_write(b, str, strlen(str));
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-10-18 04:03:00 +02:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
2017-09-24 07:45:02 +02:00
|
|
|
BIO_METHOD *StreamPeerOpenSSL::_bio_method = NULL;
|
|
|
|
|
|
|
|
BIO_METHOD *StreamPeerOpenSSL::_get_bio_method() {
|
|
|
|
if (_bio_method) // already initialized.
|
|
|
|
return _bio_method;
|
|
|
|
|
|
|
|
/* it's a source/sink BIO */
|
|
|
|
_bio_method = BIO_meth_new(100 | 0x400, "streampeer glue");
|
|
|
|
BIO_meth_set_write(_bio_method, _bio_write);
|
|
|
|
BIO_meth_set_read(_bio_method, _bio_read);
|
|
|
|
BIO_meth_set_puts(_bio_method, _bio_puts);
|
|
|
|
BIO_meth_set_gets(_bio_method, _bio_gets);
|
|
|
|
BIO_meth_set_ctrl(_bio_method, _bio_ctrl);
|
|
|
|
BIO_meth_set_create(_bio_method, _bio_create);
|
|
|
|
BIO_meth_set_destroy(_bio_method, _bio_destroy);
|
|
|
|
|
|
|
|
return _bio_method;
|
|
|
|
}
|
|
|
|
#else
|
2014-04-29 02:56:43 +02:00
|
|
|
BIO_METHOD StreamPeerOpenSSL::_bio_method = {
|
|
|
|
/* it's a source/sink BIO */
|
2017-03-05 16:44:50 +01:00
|
|
|
(100 | 0x400),
|
2014-04-29 02:56:43 +02:00
|
|
|
"streampeer glue",
|
|
|
|
_bio_write,
|
|
|
|
_bio_read,
|
|
|
|
_bio_puts,
|
|
|
|
_bio_gets,
|
|
|
|
_bio_ctrl,
|
|
|
|
_bio_create,
|
|
|
|
_bio_destroy
|
|
|
|
};
|
|
|
|
|
2017-09-24 07:45:02 +02:00
|
|
|
BIO_METHOD *StreamPeerOpenSSL::_get_bio_method() {
|
|
|
|
return &_bio_method;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error StreamPeerOpenSSL::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
if (connected)
|
2017-01-14 15:07:57 +01:00
|
|
|
disconnect_from_stream();
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
hostname = p_for_hostname;
|
|
|
|
status = STATUS_DISCONNECTED;
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
// Set up a SSL_CTX object, which will tell our BIO object how to do its work
|
|
|
|
ctx = SSL_CTX_new(SSLv23_client_method());
|
2017-03-05 16:44:50 +01:00
|
|
|
base = p_base;
|
|
|
|
validate_certs = p_validate_certs;
|
|
|
|
validate_hostname = p_for_hostname != "";
|
2016-06-29 16:19:52 +02:00
|
|
|
|
2014-04-29 02:56:43 +02:00
|
|
|
if (p_validate_certs) {
|
|
|
|
|
|
|
|
if (certs.size()) {
|
|
|
|
//yay for undocumented OpenSSL functions
|
|
|
|
|
|
|
|
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
|
2017-03-05 16:44:50 +01:00
|
|
|
for (int i = 0; i < certs.size(); i++) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
X509_STORE_add_cert(store, certs[i]);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
//used for testing
|
|
|
|
//int res = SSL_CTX_load_verify_locations(ctx,"/etc/ssl/certs/ca-certificates.crt",NULL);
|
|
|
|
//print_line("verify locations res: "+itos(res));
|
|
|
|
|
|
|
|
/* Ask OpenSSL to verify the server certificate. Note that this
|
|
|
|
* does NOT include verifying that the hostname is correct.
|
|
|
|
* So, by itself, this means anyone with any legitimate
|
|
|
|
* CA-issued certificate for any website, can impersonate any
|
|
|
|
* other website in the world. This is not good. See "The
|
|
|
|
* Most Dangerous Code in the World" article at
|
|
|
|
* https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
|
|
|
|
*/
|
|
|
|
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
|
|
|
|
/* This is how we solve the problem mentioned in the previous
|
|
|
|
* comment. We "wrap" OpenSSL's validation routine in our
|
|
|
|
* own routine, which also validates the hostname by calling
|
|
|
|
* the code provided by iSECPartners. Note that even though
|
|
|
|
* the "Everything You've Always Wanted to Know About
|
|
|
|
* Certificate Validation With OpenSSL (But Were Afraid to
|
|
|
|
* Ask)" paper from iSECPartners says very explicitly not to
|
|
|
|
* call SSL_CTX_set_cert_verify_callback (at the bottom of
|
|
|
|
* page 2), what we're doing here is safe because our
|
|
|
|
* cert_verify_callback() calls X509_verify_cert(), which is
|
|
|
|
* OpenSSL's built-in routine which would have been called if
|
|
|
|
* we hadn't set the callback. Therefore, we're just
|
|
|
|
* "wrapping" OpenSSL's routine, not replacing it. */
|
2017-03-05 16:44:50 +01:00
|
|
|
SSL_CTX_set_cert_verify_callback(ctx, _cert_verify_callback, this);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
//Let the verify_callback catch the verify_depth error so that we get an appropriate error in the logfile. (??)
|
2017-03-05 16:44:50 +01:00
|
|
|
SSL_CTX_set_verify_depth(ctx, max_cert_chain_depth + 1);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ssl = SSL_new(ctx);
|
2017-09-24 07:45:02 +02:00
|
|
|
bio = BIO_new(_get_bio_method());
|
|
|
|
BIO_set_data(bio, this);
|
2017-03-05 16:44:50 +01:00
|
|
|
SSL_set_bio(ssl, bio, bio);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
if (p_for_hostname != String()) {
|
|
|
|
SSL_set_tlsext_host_name(ssl, p_for_hostname.utf8().get_data());
|
2016-06-29 16:19:52 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
use_blocking = true; // let handshake use blocking
|
2014-04-29 02:56:43 +02:00
|
|
|
// Set the SSL to automatically retry on failure.
|
|
|
|
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
|
|
|
|
|
|
|
|
// Same as before, try to connect.
|
2017-03-05 16:44:50 +01:00
|
|
|
int result = SSL_connect(ssl);
|
2014-05-01 14:53:37 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
print_line("CONNECTION RESULT: " + itos(result));
|
|
|
|
if (result < 1) {
|
2014-05-14 06:22:15 +02:00
|
|
|
ERR_print_errors_fp(stdout);
|
2014-05-01 14:53:37 +02:00
|
|
|
_print_error(result);
|
|
|
|
}
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
X509 *peer = SSL_get_peer_certificate(ssl);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
if (peer) {
|
|
|
|
bool cert_ok = SSL_get_verify_result(ssl) == X509_V_OK;
|
2017-03-05 16:44:50 +01:00
|
|
|
print_line("cert_ok: " + itos(cert_ok));
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
} else if (validate_certs) {
|
|
|
|
status = STATUS_ERROR_NO_CERTIFICATE;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
connected = true;
|
|
|
|
status = STATUS_CONNECTED;
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
2017-01-14 15:07:57 +01:00
|
|
|
Error StreamPeerOpenSSL::accept_stream(Ref<StreamPeer> p_base) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
return ERR_UNAVAILABLE;
|
|
|
|
}
|
|
|
|
|
|
|
|
void StreamPeerOpenSSL::_print_error(int err) {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
err = SSL_get_error(ssl, err);
|
|
|
|
switch (err) {
|
2017-12-12 13:35:34 +01:00
|
|
|
case SSL_ERROR_NONE:
|
|
|
|
ERR_PRINT("NO ERROR: The TLS/SSL I/O operation completed");
|
|
|
|
break;
|
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
|
|
|
ERR_PRINT("The TLS/SSL connection has been closed.");
|
|
|
|
break;
|
2014-04-29 02:56:43 +02:00
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_PRINT("The operation did not complete.");
|
|
|
|
break;
|
2014-04-29 02:56:43 +02:00
|
|
|
case SSL_ERROR_WANT_CONNECT:
|
|
|
|
case SSL_ERROR_WANT_ACCEPT:
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_PRINT("The connect/accept operation did not complete");
|
|
|
|
break;
|
2014-04-29 02:56:43 +02:00
|
|
|
case SSL_ERROR_WANT_X509_LOOKUP:
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_PRINT("The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again.");
|
|
|
|
break;
|
2014-04-29 02:56:43 +02:00
|
|
|
case SSL_ERROR_SYSCALL:
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_PRINT("Some I/O error occurred. The OpenSSL error queue may contain more information on the error.");
|
|
|
|
break;
|
2014-04-29 02:56:43 +02:00
|
|
|
case SSL_ERROR_SSL:
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_PRINT("A failure in the SSL library occurred, usually a protocol error.");
|
|
|
|
break;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error StreamPeerOpenSSL::put_data(const uint8_t *p_data, int p_bytes) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(!connected, ERR_UNCONFIGURED);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
while (p_bytes > 0) {
|
|
|
|
int ret = SSL_write(ssl, p_data, p_bytes);
|
|
|
|
if (ret <= 0) {
|
2014-04-29 02:56:43 +02:00
|
|
|
_print_error(ret);
|
2017-01-14 15:07:57 +01:00
|
|
|
disconnect_from_stream();
|
2014-04-29 02:56:43 +02:00
|
|
|
return ERR_CONNECTION_ERROR;
|
|
|
|
}
|
2017-03-05 16:44:50 +01:00
|
|
|
p_data += ret;
|
|
|
|
p_bytes -= ret;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error StreamPeerOpenSSL::put_partial_data(const uint8_t *p_data, int p_bytes, int &r_sent) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(!connected, ERR_UNCONFIGURED);
|
|
|
|
if (p_bytes == 0)
|
2014-04-29 02:56:43 +02:00
|
|
|
return OK;
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = put_data(p_data, p_bytes);
|
|
|
|
if (err != OK)
|
2014-04-29 02:56:43 +02:00
|
|
|
return err;
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
r_sent = p_bytes;
|
2014-04-29 02:56:43 +02:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error StreamPeerOpenSSL::get_data(uint8_t *p_buffer, int p_bytes) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(!connected, ERR_UNCONFIGURED);
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
while (p_bytes > 0) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
int ret = SSL_read(ssl, p_buffer, p_bytes);
|
|
|
|
if (ret <= 0) {
|
2014-04-29 02:56:43 +02:00
|
|
|
_print_error(ret);
|
2017-01-14 15:07:57 +01:00
|
|
|
disconnect_from_stream();
|
2014-04-29 02:56:43 +02:00
|
|
|
return ERR_CONNECTION_ERROR;
|
|
|
|
}
|
2017-03-05 16:44:50 +01:00
|
|
|
p_buffer += ret;
|
|
|
|
p_bytes -= ret;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error StreamPeerOpenSSL::get_partial_data(uint8_t *p_buffer, int p_bytes, int &r_received) {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(!connected, ERR_UNCONFIGURED);
|
|
|
|
if (p_bytes == 0) {
|
|
|
|
r_received = 0;
|
2014-04-29 02:56:43 +02:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Error err = get_data(p_buffer, p_bytes);
|
|
|
|
if (err != OK)
|
2014-04-29 02:56:43 +02:00
|
|
|
return err;
|
2017-03-05 16:44:50 +01:00
|
|
|
r_received = p_bytes;
|
2014-04-29 02:56:43 +02:00
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
2015-12-13 16:53:29 +01:00
|
|
|
int StreamPeerOpenSSL::get_available_bytes() const {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ERR_FAIL_COND_V(!connected, 0);
|
2015-12-13 16:53:29 +01:00
|
|
|
|
|
|
|
return SSL_pending(ssl);
|
|
|
|
}
|
2014-04-29 02:56:43 +02:00
|
|
|
StreamPeerOpenSSL::StreamPeerOpenSSL() {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
ctx = NULL;
|
|
|
|
ssl = NULL;
|
|
|
|
bio = NULL;
|
|
|
|
connected = false;
|
|
|
|
use_blocking = true; //might be improved int the future, but for now it always blocks
|
|
|
|
max_cert_chain_depth = 9;
|
|
|
|
flags = 0;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-01-14 15:07:57 +01:00
|
|
|
void StreamPeerOpenSSL::disconnect_from_stream() {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
|
|
|
if (!connected)
|
|
|
|
return;
|
2017-03-05 16:44:50 +01:00
|
|
|
SSL_shutdown(ssl);
|
|
|
|
SSL_free(ssl);
|
2014-04-29 02:56:43 +02:00
|
|
|
SSL_CTX_free(ctx);
|
2017-03-05 16:44:50 +01:00
|
|
|
base = Ref<StreamPeer>();
|
|
|
|
connected = false;
|
|
|
|
validate_certs = false;
|
|
|
|
validate_hostname = false;
|
|
|
|
status = STATUS_DISCONNECTED;
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
StreamPeerOpenSSL::Status StreamPeerOpenSSL::get_status() const {
|
|
|
|
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
StreamPeerOpenSSL::~StreamPeerOpenSSL() {
|
2017-01-14 15:07:57 +01:00
|
|
|
disconnect_from_stream();
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
StreamPeerSSL *StreamPeerOpenSSL::_create_func() {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
return memnew(StreamPeerOpenSSL);
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
Vector<X509 *> StreamPeerOpenSSL::certs;
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
void StreamPeerOpenSSL::_load_certs(const PoolByteArray &p_array) {
|
2016-03-12 14:44:12 +01:00
|
|
|
|
2017-01-11 04:52:51 +01:00
|
|
|
PoolByteArray::Read r = p_array.read();
|
2017-03-05 16:44:50 +01:00
|
|
|
BIO *mem = BIO_new(BIO_s_mem());
|
|
|
|
BIO_puts(mem, (const char *)r.ptr());
|
|
|
|
while (true) {
|
|
|
|
X509 *cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
|
2016-03-12 14:44:12 +01:00
|
|
|
if (!cert)
|
|
|
|
break;
|
|
|
|
certs.push_back(cert);
|
|
|
|
}
|
|
|
|
BIO_free(mem);
|
|
|
|
}
|
|
|
|
|
2014-04-29 02:56:43 +02:00
|
|
|
void StreamPeerOpenSSL::initialize_ssl() {
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
available = true;
|
2016-03-12 14:44:12 +01:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
load_certs_func = _load_certs;
|
2016-03-12 14:44:12 +01:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
_create = _create_func;
|
2017-10-18 04:03:00 +02:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
2014-04-29 02:56:43 +02:00
|
|
|
CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use
|
2017-09-24 07:45:02 +02:00
|
|
|
#endif
|
2014-04-29 02:56:43 +02:00
|
|
|
SSL_library_init(); // Initialize OpenSSL's SSL libraries
|
|
|
|
SSL_load_error_strings(); // Load SSL error strings
|
|
|
|
ERR_load_BIO_strings(); // Load BIO error strings
|
|
|
|
OpenSSL_add_all_algorithms(); // Load all available encryption algorithms
|
2017-03-05 16:44:50 +01:00
|
|
|
String certs_path = GLOBAL_DEF("network/ssl/certificates", "");
|
2017-07-19 22:00:46 +02:00
|
|
|
ProjectSettings::get_singleton()->set_custom_property_info("network/ssl/certificates", PropertyInfo(Variant::STRING, "network/ssl/certificates", PROPERTY_HINT_FILE, "*.crt"));
|
2017-03-05 16:44:50 +01:00
|
|
|
if (certs_path != "") {
|
2016-03-12 14:44:12 +01:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
FileAccess *f = FileAccess::open(certs_path, FileAccess::READ);
|
2016-03-12 14:44:12 +01:00
|
|
|
if (f) {
|
2017-01-11 04:52:51 +01:00
|
|
|
PoolByteArray arr;
|
2016-03-12 14:44:12 +01:00
|
|
|
int flen = f->get_len();
|
2017-03-05 16:44:50 +01:00
|
|
|
arr.resize(flen + 1);
|
2016-03-12 14:44:12 +01:00
|
|
|
{
|
2017-01-11 04:52:51 +01:00
|
|
|
PoolByteArray::Write w = arr.write();
|
2017-03-05 16:44:50 +01:00
|
|
|
f->get_buffer(w.ptr(), flen);
|
|
|
|
w[flen] = 0; //end f string
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
2016-03-12 14:44:12 +01:00
|
|
|
|
|
|
|
memdelete(f);
|
|
|
|
|
|
|
|
_load_certs(arr);
|
2017-03-05 16:44:50 +01:00
|
|
|
print_line("Loaded certs from '" + certs_path + "': " + itos(certs.size()));
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
}
|
2017-03-05 16:44:50 +01:00
|
|
|
String config_path = GLOBAL_DEF("network/ssl/config", "");
|
2017-07-19 22:00:46 +02:00
|
|
|
ProjectSettings::get_singleton()->set_custom_property_info("network/ssl/config", PropertyInfo(Variant::STRING, "network/ssl/config", PROPERTY_HINT_FILE, "*.cnf"));
|
2017-03-05 16:44:50 +01:00
|
|
|
if (config_path != "") {
|
2014-05-01 16:34:10 +02:00
|
|
|
|
|
|
|
Vector<uint8_t> data = FileAccess::get_file_as_array(config_path);
|
|
|
|
if (data.size()) {
|
|
|
|
data.push_back(0);
|
2017-03-05 16:44:50 +01:00
|
|
|
BIO *mem = BIO_new(BIO_s_mem());
|
|
|
|
BIO_puts(mem, (const char *)data.ptr());
|
2014-05-01 16:34:10 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
while (true) {
|
|
|
|
X509 *cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
|
2014-05-01 16:34:10 +02:00
|
|
|
if (!cert)
|
|
|
|
break;
|
|
|
|
certs.push_back(cert);
|
|
|
|
}
|
|
|
|
BIO_free(mem);
|
|
|
|
}
|
2017-03-05 16:44:50 +01:00
|
|
|
print_line("Loaded certs from '" + certs_path + "': " + itos(certs.size()));
|
2014-05-01 16:34:10 +02:00
|
|
|
}
|
2014-04-29 02:56:43 +02:00
|
|
|
}
|
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
void StreamPeerOpenSSL::finalize_ssl() {
|
2014-04-29 02:56:43 +02:00
|
|
|
|
2017-03-05 16:44:50 +01:00
|
|
|
for (int i = 0; i < certs.size(); i++) {
|
2014-04-29 02:56:43 +02:00
|
|
|
X509_free(certs[i]);
|
|
|
|
}
|
|
|
|
certs.clear();
|
|
|
|
}
|