#include "ssl_trusted_cert_storage.h" #include "MESA_htable_aux.h" #include #include #include #include #include #include #include #include struct ssl_X509_object { char* filename; enum ssl_X509_obj_type type; }; static void free_ssl_x509_obj(void* data) { struct ssl_X509_object* obj=(struct ssl_X509_object*)data; free(obj->filename); free(obj); return; } struct ssl_trusted_cert_storage { char* pem_bundle, *pem_dir; MESA_htable_handle hash_table; pthread_rwlock_t rwlock; X509_STORE* effective_store; }; static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type type, const char* filename) { int ret=0; BIO *bio=NULL; X509* x=NULL; X509_CRL* x_crl=NULL; int error; bio=BIO_new_file(filename, "r"); if(bio==NULL) { return -1; } ret=0; if(type==SSL_X509_OBJ_CERT) { while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL))) { ret=X509_STORE_add_cert(store, x); if(ret==0) { X509_free(x); break; } } } else if(type==SSL_X509_OBJ_CRL) { while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL))) { ret=X509_STORE_add_crl(store, x_crl); if(ret==0) { X509_CRL_free(x_crl); break; } } } if(ret==0) { BIO_free(bio); return -1; } BIO_free(bio); return 1; } static int filter_pem_fn(const struct dirent * ent) { const char* fn_suffix=".pem"; if(strlen(ent->d_name)< strlen(fn_suffix)) { return 0; } if(0!=strcmp(ent->d_name+strlen(ent->d_name)-strlen(fn_suffix), fn_suffix)) { return 0; } return 1; } static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir) { int ret=0, n=0, i=0; X509_STORE* store=X509_STORE_new(); char path[TFE_STRING_MAX]={0}; if (store == NULL) { return NULL; } ret = X509_STORE_set_default_paths(store); if (ret == 0) { return NULL; } ret = X509_STORE_load_locations(store, pem_bundle, NULL); if (ret == 0) { return NULL; } X509_VERIFY_PARAM *param=NULL; param = X509_VERIFY_PARAM_new(); X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); X509_STORE_set1_param(store, param); X509_VERIFY_PARAM_free(param); struct dirent **namelist = NULL; n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort); if(n < 0) { return store; } for(i=0;id_name); if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem")) { _X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path); } else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl")) { _X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path); } TFE_LOG_INFO(g_default_logger, "Found X509 additive trust CA: %s", path); free(namelist[i]); } free(namelist); return store; } static MESA_htable_handle _create_mesa_htable(void) { int ret=0; MESA_htable_handle htable = MESA_htable_born(); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_SCREEN_PRINT_CTRL, 0); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_THREAD_SAFE, 0); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_MUTEX_NUM, 16); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_HASH_SLOT_SIZE, 1024*4); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_HASH_MAX_ELEMENT_NUM, 0); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_EXPIRE_TIME, 0); ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_ELIMIMINATE_TYPE, HASH_ELIMINATE_ALGO_FIFO); ret = __wrapper_MESA_htable_set_opt_func(htable, MHO_CBFUN_DATA_FREE, (void *)free_ssl_x509_obj, sizeof(&free_ssl_x509_obj)); //ret = __wrapper_MESA_htable_set_opt(htable, MHO_CBFUN_DATA_EXPIRE_NOTIFY, // (void *)key_keeper_verify_cb); ret = MESA_htable_mature(htable); return htable; } struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir) { int ret=0; struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1); storage->effective_store=_X509_store_create(pem_bundle, pem_dir); if (storage->effective_store == NULL) { return NULL; } storage->pem_bundle=tfe_strdup(pem_bundle); storage->pem_dir=tfe_strdup(pem_dir); storage->hash_table=_create_mesa_htable(); pthread_rwlock_init(&(storage->rwlock), NULL); return storage; } void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage) { return; } int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename) { int ret=0; struct ssl_X509_object* obj=NULL; void* data=NULL; pthread_rwlock_wrlock(&(storage->rwlock)); data=MESA_htable_search(storage->hash_table, (const unsigned char*)filename, strlen(filename)); if(data!=NULL)//duplicated { ret=-1; goto error_out; } ret=_X509_add_cert_or_crl_add(storage->effective_store, type, filename); if(ret<0) { ret=-1; goto error_out; } obj=ALLOC(struct ssl_X509_object, 1); obj->type=SSL_X509_OBJ_CERT; obj->filename=tfe_strdup(filename); ret=MESA_htable_add(storage->hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj); assert(ret>0); ret=1; error_out: pthread_rwlock_unlock(&(storage->rwlock)); return ret; } static void cert_storage_htable_traverse_cb(const uchar * key, uint size, void * data, void * user) { X509_STORE* store=(X509_STORE* )user; struct ssl_X509_object* obj=(struct ssl_X509_object*)data; _X509_add_cert_or_crl_add(store, obj->type, obj->filename); return; } int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename) { int ret=0; X509_STORE* temp_store=NULL; pthread_rwlock_wrlock(&(storage->rwlock)); ret=MESA_htable_del(storage->hash_table, (const unsigned char*)filename, strlen(filename), NULL); if(ret<0) { ret=-1; goto error_out; } temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir); MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store); X509_STORE_free(storage->effective_store); storage->effective_store=temp_store; ret=1; error_out: pthread_rwlock_unlock(&(storage->rwlock)); return ret; } void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage) { X509_STORE* temp_store=NULL; MESA_htable_destroy(storage->hash_table, NULL); storage->hash_table=_create_mesa_htable(); temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir); pthread_rwlock_wrlock(&(storage->rwlock)); X509_STORE_free(storage->effective_store); storage->effective_store=temp_store; pthread_rwlock_unlock(&(storage->rwlock)); return; } int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason) { int ret = 0, err_code=0; char *subj=NULL, *issuer=NULL; STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl); if (cert_chain == NULL) { // The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned. return 1; } X509_STORE_CTX * ctx = X509_STORE_CTX_new(); X509 * cert = sk_X509_value(cert_chain, 0); pthread_rwlock_rdlock(&(storage->rwlock)); ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain); assert(ret == 1); //If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code. ret = X509_verify_cert(ctx); err_code=X509_STORE_CTX_get_error(ctx); if(ret!=1 && err_code!=X509_V_ERR_UNABLE_TO_GET_CRL && err_code!=X509_V_ERR_DIFFERENT_CRL_SCOPE && err_code!=X509_V_ERR_CRL_HAS_EXPIRED) { subj=ssl_x509_subject(cert); issuer=ssl_x509_issuer(cert); snprintf(reason, n_reason, "%s : subject - %s issuer - %s" , X509_verify_cert_error_string(err_code) , subj , issuer); free(subj); free(issuer); ret=0; } else { ret=1; } X509_STORE_CTX_free(ctx); pthread_rwlock_unlock(&(storage->rwlock)); return ret; }