88
93
if (!CRYPTO_get_id_callback())
89
94
CRYPTO_set_id_callback(&openssl_id_function);
97
iqxmlrpc_ssl_data_idx = SSL_get_ex_new_index(0, (void*)"iqxmlrpc verifier", NULL, NULL, NULL);
94
boost::once_flag ssl_init;
97
104
Ctx* Ctx::client_server( const std::string& cert_path, const std::string& key_path )
115
Ctx::Ctx( const std::string& cert_path, const std::string& key_path, bool client )
124
set_common_options(SSL_CTX* ctx)
126
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
130
iqxmlrpc_SSL_verify(int prev_ok, X509_STORE_CTX* ctx)
132
SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
133
ConnectionVerifier* v = reinterpret_cast<ConnectionVerifier*>(SSL_get_ex_data(ssl, iqxmlrpc_ssl_data_idx));
134
return v->verify(prev_ok, ctx);
137
} // anonymous namespace
140
// ConnectionVerifier
143
ConnectionVerifier::~ConnectionVerifier()
148
ConnectionVerifier::verify(bool prev_ok, X509_STORE_CTX* ctx) const
151
return do_verify(prev_ok, ctx);
153
// TODO: log ability?
159
ConnectionVerifier::cert_finger_sha256(X509_STORE_CTX* ctx) const
161
X509* x = X509_STORE_CTX_get_current_cert(ctx);
162
const EVP_MD* digest = EVP_get_digestbyname("sha256");
164
unsigned char md[EVP_MAX_MD_SIZE];
165
X509_digest(x, digest, md, &n);
167
std::ostringstream ss;
168
for(int i = 0; i < 32; i++)
169
ss << std::hex << int(md[i]);
178
Ctx::Ctx( const std::string& cert_path, const std::string& key_path, bool client ):
181
require_client_cert_(false)
117
183
boost::call_once(ssl_init, init_library);
118
184
ctx = SSL_CTX_new( client ? SSLv23_method() : SSLv23_server_method() );
119
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
185
set_common_options(ctx);
122
188
!SSL_CTX_use_certificate_file( ctx, cert_path.c_str(), SSL_FILETYPE_PEM ) ||
199
require_client_cert_(false)
132
201
boost::call_once(ssl_init, init_library);
133
202
ctx = SSL_CTX_new( SSLv23_client_method() );
134
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
203
set_common_options(ctx);
212
Ctx::verify_server(ConnectionVerifier* v)
214
server_verifier_ = v;
218
Ctx::verify_client(bool require_certificate, ConnectionVerifier* v)
220
require_client_cert_ = require_certificate;
221
client_verifier_ = v;
225
Ctx::prepare_verify(SSL* ssl, bool server)
227
ConnectionVerifier* v = server ? client_verifier_ : server_verifier_;
228
int mode = v ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;
230
if (server && require_client_cert_)
231
mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
234
SSL_set_verify(ssl, mode, iqxmlrpc_SSL_verify);
235
SSL_set_ex_data(ssl, iqxmlrpc_ssl_data_idx, (void*)v);
237
SSL_set_verify(ssl, mode, 0);
143
241
// ----------------------------------------------------------------------------
144
242
exception::exception() throw():