Blame - ap/app/cwmp/netcwmp/libcwmp/src/ssl.c - T106_DC

blob: 888d433c9479e28023ecba27ac95f1e943911687 [file] [log] [blame]

lh	9ed821d	2023-04-07 01:36:19 -0700	[diff] [blame^]	1
				2	#include "cwmp/http.h"
				3	#include "cwmp/log.h"
				4	//#include "cwmp_private.h"
				5	#include <cwmp/md5.h>
				6
				7
				8
				9
				10
				11	#ifdef USE_CWMP_OPENSSL
				12
				13	static char openssl_password[32];
				14
				15
				16	BIO *bio_err=0;
				17	static char *pass;
				18	static int password_cb(char *buf,int num,
				19	int rwflag,void *userdata);
				20	static void sigpipe_handle(int x);
				21
				22	/* A simple error and exit routine*/
				23	int err_exit(string)
				24	char *string;
				25	{
				26	cwmp_log_error("%s\n",string);
				27	//exit(0);
				28	}
				29
				30	/* Print SSL errors and exit*/
				31	int berr_exit(string)
				32	char *string;
				33	{
				34	cwmp_log_error("%s\n",string);
				35	ERR_print_errors(bio_err);
				36	//exit(0);
				37	}
				38
				39	/The password code is not thread safe/
				40	static int password_cb(char *buf,int num,
				41	int rwflag,void *userdata)
				42	{
				43	if(num<strlen(pass)+1)
				44	return(0);
				45
				46	strcpy(buf,pass);
				47	return(strlen(pass));
				48	}
				49
				50	static void sigpipe_handle(int x){
				51	}
				52
				53	SSL_CTX openssl_initialize_ctx(char keyfile,char *password)
				54	{
				55	SSL_METHOD *meth;
				56	SSL_CTX *ctx;
				57
				58	if(!bio_err){
				59	/* Global system initialization*/
				60	SSL_library_init();
				61	SSL_load_error_strings();
				62
				63	/* An error write context */
				64	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
				65	}
				66
				67	/* Set up a SIGPIPE handler */
				68	//signal(SIGPIPE,sigpipe_handle);
				69
				70	/* Create our context*/
				71	meth=SSLv23_method();
				72	ctx=SSL_CTX_new(meth);
				73
				74	/* Load our keys and certificates*/
				75	if(!(SSL_CTX_use_certificate_chain_file(ctx,
				76	keyfile)))
				77	berr_exit("Can't read certificate file");
				78
				79	pass=password;
				80	SSL_CTX_set_default_passwd_cb(ctx,
				81	password_cb);
				82	if(!(SSL_CTX_use_PrivateKey_file(ctx,
				83	keyfile,SSL_FILETYPE_PEM)))
				84	berr_exit("Can't read key file");
				85
				86	/* Load the CAs we trust*/
				87	/*
				88	if(!(SSL_CTX_load_verify_locations(ctx,
				89	CA_LIST,0)))
				90	berr_exit("Can't read CA list");
				91	*/
				92
				93	#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
				94	SSL_CTX_set_verify_depth(ctx,1);
				95	#endif
				96
				97	return ctx;
				98	}
				99
				100	void openssl_destroy_ctx(ctx)
				101	SSL_CTX *ctx;
				102	{
				103	SSL_CTX_free(ctx);
				104	}
				105
				106
				107	SSL * openssl_connect(SSL_CTX * ctx, int fd)
				108	{
				109	BIO *sbio;
				110	SSL * ssl=SSL_new(ctx);
				111	sbio=BIO_new_socket(fd,BIO_NOCLOSE);
				112	SSL_set_bio(ssl,sbio,sbio);
				113
				114	if(SSL_connect(ssl)<=0)
				115	{
				116	cwmp_log_alert("SSL connect error");
				117	SSL_free(ssl);
				118	return NULL;
				119	}
				120	else
				121	{
				122	cwmp_log_info("SSL connect to host ok.\n");
				123
				124	}
				125
				126	return ssl;
				127
				128	}
				129
				130
				131
				132	/*
				133
				134	static int openssl_password_cb(char buf, int num, int rwflag, void userdata)
				135	{
				136	if (num < strlen(openssl_password)+1)
				137	return 0;
				138
				139	strcpy(buf,openssl_password);
				140	return(strlen(buf));
				141	}
				142
				143
				144	void openssl_init(void) {
				145
				146	}
				147
				148
				149
				150	int openssl_verify_callback(int ok, X509_STORE_CTX *store) {
				151	char data[256];
				152
				153	if (!ok) {
				154	X509 *cert = X509_STORE_CTX_get_current_cert(store);
				155	int depth = X509_STORE_CTX_get_error_depth(store);
				156	int err = X509_STORE_CTX_get_error(store);
				157
				158	cwmp_log_error("Error with certificate at depth: %i\n", depth);
				159	X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
				160	cwmp_log_error("issuer = %s\n", data);
				161	X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
				162	cwmp_log_error("subject = %s\n", data);
				163	cwmp_log_error("err %i:%s\n", err, X509_verify_cert_error_string(err));
				164	}
				165
				166	return ok;
				167	}
				168
				169	*/
				170
				171	//SSL_CTX openssl_setup_client_ctx(const char cafile, const char * password)
				172	//{
				173	// SSL_CTX *ctx;
				174	//
				175	// if (!SSL_library_init()) {
				176	// fprintf(stderr, "OpenSSL initialization failed!\n");
				177	// cwmp_log_error("OpenSSL initialization failed!\n");
				178	// exit(-1);
				179	// }
				180	// SSL_load_error_strings();
				181	//
				182	// ctx = SSL_CTX_new(SSLv3_client_method());
				183	//
				184	// /* Load our keys and certificates*/
				185	// if(!(SSL_CTX_use_certificate_chain_file(ctx, cafile)))
				186	// {
				187	// cwmp_log_error("Can't read certificate file");
				188	//
				189	// //return NULL;
				190	// }
				191	//
				192	// strncpy(openssl_password, password, 32);
				193	//
				194	// SSL_CTX_set_default_passwd_cb(ctx, openssl_password_cb);
				195	// if(!(SSL_CTX_use_PrivateKey_file(ctx,
				196	// cafile,SSL_FILETYPE_PEM)))
				197	// {
				198	// cwmp_log_error("Can't read key file");
				199	// //return NULL
				200	// }
				201	//
				202	// /* Load the CAs we trust*/
				203	// /*if(!(SSL_CTX_load_verify_locations(ctx, CA_LIST,0)))
				204	// {
				205	// cwmp_log_error("Can't read CA list");
				206	// //return NULL
				207	// }
				208	// */
				209	// SSL_CTX_set_verify_depth(ctx,4);
				210	// SSL_CTX_set_options(ctx, SSL_OP_ALL\|SSL_OP_NO_SSLv2);
				211	//
				212	//
				213	///*
				214	//
				215	// if (SSL_CTX_load_verify_locations(ctx, cafile, cadir) != 1)
				216	// cwmp_log_error("Error loading CA file and/or directory");
				217	// if (SSL_CTX_set_default_verify_paths(ctx) != 1)
				218	// cwmp_log_error("Error loading default CA file and/or directory");
				219	//
				220	// SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, openssl_verify_callback);
				221	// SSL_CTX_set_verify_depth(ctx, 4);
				222	// SSL_CTX_set_options(ctx, SSL_OP_ALL\|SSL_OP_NO_SSLv2);
				223	// if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
				224	// cwmp_log_error("Error setting cipher list (no valid ciphers)");
				225	//
				226	//*/
				227	// cwmp_log_debug("init openssl success.\n");
				228	// return ctx;
				229	//}
				230
				231
				232
				233	int openssl_check_cert(SSL ssl, char host)
				234	{
				235	X509 *peer;
				236	char peer_CN[256];
				237
				238	if(SSL_get_verify_result(ssl)!=X509_V_OK)
				239	{
				240	cwmp_log_error("Certificate doesn't verify");
				241	//return CWMP_ERROR;
				242	}
				243
				244	/*Check the cert chain. The chain length
				245	is automatically checked by OpenSSL when
				246	we set the verify depth in the ctx */
				247
				248	/Check the common name/
				249	peer=SSL_get_peer_certificate(ssl);
				250	X509_NAME_get_text_by_NID
				251	(X509_get_subject_name(peer),
				252	NID_commonName, peer_CN, 256);
				253	if(strcasecmp(peer_CN,host))
				254	{
				255	cwmp_log_error("Common name doesn't match host name");
				256	//return CWMP_ERROR;
				257	}
				258
				259	return CWMP_OK;
				260
				261	}
				262
				263
				264	//int http_socket_ssl_create(http_socket_t *news, SSL_CTX ctx, pool_t * pool)
				265	//{
				266	// int stat;
				267	// stat = http_socket_calloc(news, pool);
				268	// if (stat == CWMP_ERROR)
				269	// {
				270	// return CWMP_ERROR;
				271	// }
				272	//
				273	// if(! (*news)->use_ssl)
				274	// {
				275	// return CWMP_ERROR;
				276	// }
				277	//
				278	// (*news)->ssl = SSL_new(ctx);
				279	// return CWMP_OK;
				280	//}
				281	//
				282
				283
				284
				285	#endif
				286