Commit 9f78a290 authored by Deomid Ryabkov's avatar Deomid Ryabkov Committed by Cesanta Bot

Fix SSL stuff

Do not use CA bundle on CC3200, it doesn't work.
Make ssl_ca_cert = "*" mean "no verification" and make sure
SSL is enabled on the connection when it's required, even w/o verification.

PUBLISHED_FROM=c8710a5d24ecfe174ef45b7f81c114d41faf5c12
parent 613ae4ee
......@@ -13,7 +13,9 @@ signature: |
const char *ssl_key; /* Private key corresponding to the certificate.
If ssl_cert is set but ssl_key is not, ssl_cert
is used. */
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle */
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle.
If set to "*", then SSL is enabled but no cert
verification is performed. */
/*
* Server name verification. If ssl_ca_cert is set and the certificate has
......
......@@ -1994,7 +1994,7 @@ wMuPn7qlUkEFDIkAZy59/Hue/H2Q2vU/JsvVhHWCQBL4F1ofEAt50il6ZxR1QfFK\n\
static int mg_use_ca_cert(SSL_CTX *ctx, const char *cert) {
if (ctx == NULL) {
return -1;
} else if (cert == NULL || cert[0] == '\0') {
} else if (cert == NULL || strcmp(cert, "*") == 0) {
return 0;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
......@@ -2316,6 +2316,22 @@ struct mg_connection *mg_connect(struct mg_mgr *mgr, const char *address,
return mg_connect_opt(mgr, address, callback, opts);
}
#ifdef MG_ENABLE_SSL
static void mg_set_ssl_server_name(struct mg_connection *nc,
const char *server_name) {
DBG(("%p '%s'", nc, server_name));
#ifdef SSL_KRYPTON
SSL_CTX_kr_set_verify_name(nc->ssl_ctx, server_name);
#elif defined(MG_SOCKET_SIMPLELINK)
nc->ssl_server_name = strdup(server_name);
#else
/* TODO(rojer): Implement server name verification on OpenSSL. */
(void) nc;
(void) server_name;
#endif
}
#endif /* MG_ENABLE_SSL */
struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
mg_event_handler_t callback,
struct mg_connect_opts opts) {
......@@ -2343,9 +2359,10 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
nc->user_data = opts.user_data;
#ifdef MG_ENABLE_SSL
DBG(("%p %s %s %s %s", nc, address, (opts.ssl_cert ? opts.ssl_cert : ""),
(opts.ssl_key ? opts.ssl_key : ""),
(opts.ssl_ca_cert ? opts.ssl_ca_cert : "")));
LOG(LL_DEBUG,
("%p %s %s,%s,%s", nc, address, (opts.ssl_cert ? opts.ssl_cert : "-"),
(opts.ssl_key ? opts.ssl_key : "-"),
(opts.ssl_ca_cert ? opts.ssl_ca_cert : "-")));
if (opts.ssl_cert != NULL || opts.ssl_ca_cert != NULL) {
const char *err =
......@@ -2355,21 +2372,10 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
mg_destroy_conn(nc);
return NULL;
}
if (opts.ssl_ca_cert != NULL && (opts.ssl_server_name == NULL ||
strcmp(opts.ssl_server_name, "*") != 0)) {
if (opts.ssl_server_name == NULL) opts.ssl_server_name = host;
#ifdef SSL_KRYPTON
SSL_CTX_kr_set_verify_name(nc->ssl_ctx, opts.ssl_server_name);
#elif defined(MG_SOCKET_SIMPLELINK)
nc->ssl_server_name = strdup(opts.ssl_server_name);
#else
/* TODO(rojer): Implement server name verification on OpenSSL. */
MG_SET_PTRPTR(opts.error_string,
"Server name verification requested but is not supported");
mg_destroy_conn(nc);
return NULL;
#endif /* SSL_KRYPTON */
}
if (opts.ssl_ca_cert != NULL && opts.ssl_server_name != NULL &&
strcmp(opts.ssl_server_name, "*") != 0) {
mg_set_ssl_server_name(nc, opts.ssl_server_name);
}
#endif /* MG_ENABLE_SSL */
......@@ -2391,6 +2397,11 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
}
nc->priv_2 = dns_conn;
nc->flags |= MG_F_RESOLVING;
#ifdef MG_ENABLE_SSL
if (opts.ssl_ca_cert != NULL && opts.ssl_server_name == NULL) {
mg_set_ssl_server_name(nc, host);
}
#endif
return nc;
#else
MG_SET_PTRPTR(opts.error_string, "Resolver is disabled");
......@@ -7165,32 +7176,26 @@ struct mg_connection *mg_connect_http_base(
return NULL;
}
#ifndef MG_ENABLE_SSL
LOG(LL_DEBUG, ("%s use_ssl? %d", url, use_ssl));
if (use_ssl) {
#ifdef MG_ENABLE_SSL
/*
* Schema requires SSL, but no SSL parameters were provided in opts.
* In order to maintain backward compatibility, use a faux-SSL with no
* verification.
*/
if (opts.ssl_ca_cert == NULL) {
opts.ssl_ca_cert = "*";
}
#else
MG_SET_PTRPTR(opts.error_string, "ssl is disabled");
MG_FREE(addr);
return NULL;
}
#endif
#if defined(MG_ENABLE_SSL) && defined(MG_SOCKET_SIMPLELINK)
if (use_ssl && opts.ssl_ca_cert == NULL) {
opts.ssl_ca_cert = "";
}
#endif
if ((nc = mg_connect_opt(mgr, *addr, ev_handler, opts)) != NULL) {
#if defined(MG_ENABLE_SSL) && !defined(MG_SOCKET_SIMPLELINK)
if (use_ssl && nc->ssl_ctx == NULL) {
/*
* Schema requires SSL, but no SSL parameters were provided in
* opts. In order to maintain backward compatibility, use
* NULL, NULL
*/
mg_set_ssl(nc, NULL, NULL);
}
#endif
mg_set_protocol_http_websocket(nc);
/* If the port was addred by us, restore the original host. */
if (port_i >= 0) (*addr)[port_i] = '\0';
}
......@@ -10414,8 +10419,8 @@ static sock_t mg_open_listening_socket(union socket_address *sa, int type,
#ifdef MG_ENABLE_SSL
const char *mg_set_ssl2(struct mg_connection *nc, const char *cert,
const char *key, const char *ca_cert) {
DBG(("%p %s,%s,%s", nc, (cert ? cert : ""), (key ? key : ""),
(ca_cert ? ca_cert : "")));
DBG(("%p %s,%s,%s", nc, (cert ? cert : "-"), (key ? key : "-"),
(ca_cert ? ca_cert : "-")));
if (nc->flags & MG_F_UDP) {
return "SSL for UDP is not supported";
......@@ -10429,7 +10434,9 @@ const char *mg_set_ssl2(struct mg_connection *nc, const char *cert,
return "both cert and key are required";
}
}
if (ca_cert != NULL) nc->ssl_ca_cert = strdup(ca_cert);
if (ca_cert != NULL && strcmp(ca_cert, "*") != 0) {
nc->ssl_ca_cert = strdup(ca_cert);
}
nc->flags |= MG_F_SSL;
......@@ -10438,10 +10445,10 @@ const char *mg_set_ssl2(struct mg_connection *nc, const char *cert,
int sl_set_ssl_opts(struct mg_connection *nc) {
int err;
DBG(("%p %s,%s,%s,%s", nc, (nc->ssl_cert ? nc->ssl_cert : ""),
(nc->ssl_key ? nc->ssl_cert : ""),
(nc->ssl_ca_cert ? nc->ssl_ca_cert : ""),
(nc->ssl_server_name ? nc->ssl_server_name : "")));
DBG(("%p %s,%s,%s,%s", nc, (nc->ssl_cert ? nc->ssl_cert : "-"),
(nc->ssl_key ? nc->ssl_cert : "-"),
(nc->ssl_ca_cert ? nc->ssl_ca_cert : "-"),
(nc->ssl_server_name ? nc->ssl_server_name : "-")));
if (nc->ssl_cert != NULL && nc->ssl_key != NULL) {
err = sl_SetSockOpt(nc->sock, SL_SOL_SOCKET,
SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, nc->ssl_cert,
......@@ -10503,8 +10510,8 @@ void mg_if_connect_tcp(struct mg_connection *nc,
#endif
nc->err = sl_Connect(sock, &sa->sa, sizeof(sa->sin));
out:
DBG(("%p to %s:%d sock %d err %d", nc, inet_ntoa(sa->sin.sin_addr),
ntohs(sa->sin.sin_port), nc->sock, nc->err));
DBG(("%p to %s:%d sock %d %d err %d", nc, inet_ntoa(sa->sin.sin_addr),
ntohs(sa->sin.sin_port), nc->sock, proto, nc->err));
}
void mg_if_connect_udp(struct mg_connection *nc) {
......@@ -10702,6 +10709,7 @@ void mg_mgr_handle_conn(struct mg_connection *nc, int fd_flags, double now) {
* which will now return the real status. */
if (fd_flags & _MG_F_FD_CAN_WRITE) {
nc->err = sl_Connect(nc->sock, &nc->sa.sa, sizeof(nc->sa.sin));
DBG(("%p conn res=%d", nc, nc->err));
if (nc->err == SL_ESECSNOVERIFY ||
/* TODO(rojer): Provide API to set the date for verification. */
nc->err == SL_ESECDATEERROR) {
......
......@@ -1436,7 +1436,9 @@ struct mg_connect_opts {
const char *ssl_key; /* Private key corresponding to the certificate.
If ssl_cert is set but ssl_key is not, ssl_cert
is used. */
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle */
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle.
If set to "*", then SSL is enabled but no cert
verification is performed. */
/*
* Server name verification. If ssl_ca_cert is set and the certificate has
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment