/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
#include "base/tlsstream.hpp"
#include "base/application.hpp"
#include "base/utility.hpp"
#include "base/exception.hpp"
#include "base/logger.hpp"
#include "base/configuration.hpp"
#include "base/convert.hpp"
#include <boost/asio/ssl/context.hpp>
#include <boost/asio/ssl/verify_context.hpp>
#include <boost/asio/ssl/verify_mode.hpp>
#include <iostream>
#include <openssl/ssl.h>
#include <openssl/tls1.h>
#include <openssl/x509.h>
#include <sstream>
using namespace icinga;
/**
 * Reports whether OpenSSL's chain verification of the peer certificate
 * succeeded.
 *
 * The flag is cleared by the verify callback installed in BeforeHandshake()
 * when OpenSSL reports a failed pre-verification; nothing in this file ever
 * sets it back to true (its initial value lives in the class definition, not
 * shown here).
 *
 * NOTE(review): the verify callback is only invoked for certificates the peer
 * actually sent. Because BeforeHandshake() does not request
 * verify_fail_if_no_peer_cert, a peer that presents no certificate at all
 * completes the handshake without ever touching this flag. Treat a true result
 * as meaningful only together with a non-null GetPeerCertificate().
 */
bool UnbufferedAsioTlsStream::IsVerifyOK() const
{
	const bool verifyOK = m_VerifyOK;
	return verifyOK;
}
/**
 * Returns the diagnostic text recorded by the verify callback for the most
 * recent pre-verification failure, formatted as
 * "code <n>: <X509_verify_cert_error_string(n)>".
 *
 * Only the last failure is retained if several certificates in the chain
 * fail; earlier messages are overwritten. The value before any failure is
 * whatever the class definition initialises it to (presumably empty — not
 * visible here). Intended for logging; IsVerifyOK() is the authoritative
 * pass/fail signal.
 */
String UnbufferedAsioTlsStream::GetVerifyError() const
{
	return String(m_VerifyError);
}
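/**
 * Returns the certificate the remote peer presented during the handshake, or
 * a null pointer if it presented none (possible on the server side, since
 * BeforeHandshake() requests verify_peer without verify_fail_if_no_peer_cert).
 *
 * Ownership: OpenSSL hands back an up-referenced X509; X509_free runs when the
 * last shared_ptr copy is destroyed. X509_free is documented to accept NULL,
 * so the null-certificate case is harmless.
 *
 * Security note: a non-null result only proves the peer *sent* a certificate.
 * It says nothing about whether the chain verified or whether the hostname
 * matched — callers must also consult IsVerifyOK() before trusting any
 * identity (CN/SAN) read from this certificate.
 *
 * OpenSSL 3.0 deprecates SSL_get_peer_certificate() in favour of the
 * identically-behaving SSL_get1_peer_certificate(); select by version so
 * builds with -Werror=deprecated-declarations keep working. LibreSSL reports a
 * 2.x OPENSSL_VERSION_NUMBER and therefore keeps the legacy name.
 */
std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	X509 *peerCert = SSL_get1_peer_certificate(native_handle());
#else
	X509 *peerCert = SSL_get_peer_certificate(native_handle());
#endif

	return std::shared_ptr<X509>(peerCert, X509_free);
}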
/**
 * Configures the underlying SSL object immediately before the handshake.
 *
 * Three things are set up, all of which must precede the handshake:
 *
 *  1. Hostname verification. If m_Hostname is set, OpenSSL compares the peer
 *     certificate against it during chain verification (SAN dNSName entries,
 *     with OpenSSL's default fallback to the subject CN). This is applied for
 *     both roles; the caller decides whether a hostname is supplied.
 *  2. Verification policy and callback. The peer is asked for a certificate
 *     (verify_peer; verify_client_once limits the request to the initial
 *     handshake). The callback records any pre-verification failure into
 *     m_VerifyOK / m_VerifyError and then returns true, i.e. it does NOT abort
 *     the handshake on a bad chain. Callers are expected to query IsVerifyOK()
 *     and GetPeerCertificate() afterwards and make the trust decision
 *     themselves. Security note: verify_fail_if_no_peer_cert is not requested,
 *     so a peer presenting no certificate also completes the handshake and the
 *     callback is never invoked for it.
 *  3. SNI, client role only. The hostname — suffixed with ":<app environment>"
 *     when Application::GetAppEnvironment() is non-empty — is sent as the TLS
 *     server_name extension. SNI is transmitted in cleartext, so the environment
 *     name is visible to a network observer. The return value of
 *     SSL_set_tlsext_host_name is not checked.
 *
 * @param type Whether this end of the stream acts as TLS client or server.
 */
void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
{
	namespace ssl = boost::asio::ssl;

	SSL *sslHandle = native_handle();
	const bool haveHostname = !m_Hostname.IsEmpty();

	/* Step 1: hostname check against the peer certificate. */
	if (haveHostname) {
		X509_VERIFY_PARAM *verifyParam = SSL_get0_param(sslHandle);
		X509_VERIFY_PARAM_set1_host(verifyParam, m_Hostname.CStr(), m_Hostname.GetLength());
	}

	/* Step 2: request a peer certificate and record (but do not enforce)
	 * verification failures. The lambda captures `this`; the callback is owned
	 * by this stream object, so the pointer cannot outlive the stream. */
	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);

	auto recordVerifyResult = [this](bool preverified, ssl::verify_context& ctx) -> bool {
		if (preverified)
			return true;

		m_VerifyOK = false;

		/* Only the most recent failure is kept; the callback runs once per
		 * certificate in the chain. */
		int verifyError = X509_STORE_CTX_get_error(ctx.native_handle());
		std::ostringstream errorText;
		errorText << "code " << verifyError << ": " << X509_verify_cert_error_string(verifyError);
		m_VerifyError = errorText.str();

		return true;
	};
	set_verify_callback(recordVerifyResult);

#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
	/* Step 3: SNI is only meaningful when we are the client. */
	if (type != client || !haveHostname)
		return;

	String serverName = m_Hostname;
	String environmentName = Application::GetAppEnvironment();

	if (!environmentName.IsEmpty())
		serverName += ":" + environmentName;

	SSL_set_tlsext_host_name(sslHandle, serverName.CStr());
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
}