generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2025-10-28 11:31:53 +01:00
Code Issues Projects Releases Wiki Activity

style fixes for #2935; check OpenSSL version

Browse Source
This commit is contained in:
Günter Obiltschnig
2020-02-28 08:57:31 +01:00
parent edc975ab70
commit 7ca90cb0c3
5 changed files with 139 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
NetSSL_OpenSSL/include/Poco/Net/Context.h
View File

@@ -465,6 +465,12 @@ inline bool Context::extendedCertificateVerificationEnabled() const
} }
inline bool Context::ocspStaplingResponseVerificationEnabled() const
{
return _ocspStaplingResponseVerification;
}
} } // namespace Poco::Net } } // namespace Poco::Net

10
NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
View File

@@ -272,17 +272,17 @@ protected:
/// The request is delegated to the PrivatekeyPassword event. This method returns the /// The request is delegated to the PrivatekeyPassword event. This method returns the
/// length of the password. /// length of the password.
static int verifyOCSPResponseCallback(SSL* pSSL, void* arg);
/// The return value of this method defines how errors in
/// verification are handled. Return 0 to terminate the handshake,
/// or 1 to continue despite the error.
static Poco::Util::AbstractConfiguration& appConfig(); static Poco::Util::AbstractConfiguration& appConfig();
/// Returns the application configuration. /// Returns the application configuration.
/// ///
/// Throws a InvalidStateException if not application instance /// Throws a InvalidStateException if not application instance
/// is available. /// is available.
static int verifyOCSPResponse(SSL *s, void *arg);
/// The return value of this method defines how errors in
/// verification are handled. Return 0 to terminate the handshake,
/// or 1 to continue despite the error.
private: private:
SSLManager(); SSLManager();
/// Creates the SSLManager. /// Creates the SSLManager.

10
NetSSL_OpenSSL/src/Context.cpp
View File

@@ -179,11 +179,17 @@ void Context::init(const Params& params)
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF); SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
if (!isForServerUse() && params.ocspStaplingVerification){ if (!isForServerUse() && params.ocspStaplingVerification)
{
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
_ocspStaplingResponseVerification = true; _ocspStaplingResponseVerification = true;
SSL_CTX_set_tlsext_status_cb(_pSSLContext, &SSLManager::verifyOCSPResponse); SSL_CTX_set_tlsext_status_cb(_pSSLContext, &SSLManager::verifyOCSPResponseCallback);
SSL_CTX_set_tlsext_status_arg(_pSSLContext, this); SSL_CTX_set_tlsext_status_arg(_pSSLContext, this);
#else
throw SSLContextException("OCSP Stapling is not supported by this OpenSSL version");
#endif
} }
initDH(params.dhUse2048Bits, params.dhParamsFile); initDH(params.dhUse2048Bits, params.dhParamsFile);
initECDH(params.ecdhCurve); initECDH(params.ecdhCurve);
} }

167
NetSSL_OpenSSL/src/SSLManager.cpp
View File

@@ -24,9 +24,11 @@
#include "Poco/StringTokenizer.h" #include "Poco/StringTokenizer.h"
#include "Poco/Util/Application.h" #include "Poco/Util/Application.h"
#include "Poco/Util/OptionException.h" #include "Poco/Util/OptionException.h"
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
#include <openssl/ocsp.h> #include <openssl/ocsp.h>
#include <openssl/tls1.h> #include <openssl/tls1.h>
#endif
namespace Poco { namespace Poco {
namespace Net { namespace Net {
@@ -236,124 +238,147 @@ int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int flag, voi
return size; return size;
} }
int SSLManager::verifyOCSPResponse(SSL *ssl, void *arg)
int SSLManager::verifyOCSPResponseCallback(SSL* pSSL, void* arg)
{ {
Poco::Net::Context* pocoCtx = (Poco::Net::Context*)arg; #if OPENSSL_VERSION_NUMBER >= 0x10001000L
//Fetch the OSCP verify flag const long OCSP_VALIDITY_LEEWAY = 5*60;
bool ocspverifyFlag = pocoCtx->ocspStaplingResponseVerificationEnabled();
const unsigned char *resp; Poco::Net::Context* pContext = static_cast<Poco::Net::Context*>(arg);
int len = SSL_get_tlsext_status_ocsp_resp(ssl,&resp);
if (!resp) { // Fetch the OSCP verify flag
//OCSP response not received bool ocspVerifyFlag = pContext->ocspStaplingResponseVerificationEnabled();
return ocspverifyFlag ? 0 : 1;
const unsigned char* pResp;
int len = SSL_get_tlsext_status_ocsp_resp(pSSL, &pResp);
if (!pResp)
{
// OCSP response not received
return ocspVerifyFlag ? 0 : 1;
} }
OCSP_RESPONSE *ocspResp = d2i_OCSP_RESPONSE(NULL,&resp,len); OCSP_RESPONSE* pOcspResp = d2i_OCSP_RESPONSE(NULL, &pResp, len);
if (!ocspResp) { if (!pOcspResp) return 0;
if (OCSP_response_status(pOcspResp) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
{
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
if (OCSP_response_status(ocspResp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) { OCSP_BASICRESP* pBasicResp = OCSP_response_get1_basic(pOcspResp);
OCSP_RESPONSE_free(ocspResp); if (!pBasicResp)
{
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
OCSP_BASICRESP *basicResp = OCSP_response_get1_basic(ocspResp); X509* pPeerCert = SSL_get_peer_certificate(pSSL);
if (!basicResp) { if (!pPeerCert)
OCSP_RESPONSE_free(ocspResp); {
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
X509 *peerCert = SSL_get_peer_certificate(ssl); X509* pPeerIssuerCert = NULL;
if (!peerCert) { STACK_OF(X509)* pCertChain = SSL_get_peer_cert_chain(pSSL);
OCSP_BASICRESP_free(basicResp); unsigned certChainLen = sk_X509_num(pCertChain);
OCSP_RESPONSE_free(ocspResp); for (int i= 0; i < certChainLen ; i++)
return 0; {
} if (!pPeerIssuerCert)
{
X509 *peerIssuerCert = NULL; X509* pIssuerCert = sk_X509_value(pCertChain, i);
STACK_OF(X509) *certChain = SSL_get_peer_cert_chain(ssl); if (X509_check_issued(pIssuerCert, pPeerCert) == X509_V_OK)
unsigned certChainLen = sk_X509_num(certChain); {
for (int i= 0; i < certChainLen ; i++) { pPeerIssuerCert = pIssuerCert;
if(!peerIssuerCert){
X509 *issuer = sk_X509_value(certChain,i);
if (X509_check_issued(issuer,peerCert) == X509_V_OK){
peerIssuerCert = issuer;
break; break;
} }
} }
} }
if (!peerIssuerCert) { if (!pPeerIssuerCert)
X509_free(peerCert); {
OCSP_BASICRESP_free(basicResp); X509_free(pPeerCert);
OCSP_RESPONSE_free(ocspResp); OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
STACK_OF(X509) *certs = sk_X509_new_null(); STACK_OF(X509)* pCerts = sk_X509_new_null();
if (certs) { if (pCerts)
X509 *cert = X509_dup(peerIssuerCert); {
if (cert && !sk_X509_push(certs,cert)) { X509* pCert = X509_dup(pPeerIssuerCert);
X509_free(cert); if (pCert && !sk_X509_push(pCerts, pCert))
sk_X509_free(certs); {
certs = NULL; X509_free(pCert);
sk_X509_free(pCerts);
pCerts = NULL;
} }
} }
X509_STORE *store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl)); X509_STORE* pStore = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(pSSL));
int verifyStatus = OCSP_basic_verify(basicResp,certs,store,OCSP_TRUSTOTHER); int verifyStatus = OCSP_basic_verify(pBasicResp, pCerts, pStore, OCSP_TRUSTOTHER);
sk_X509_pop_free(certs, X509_free); sk_X509_pop_free(pCerts, X509_free);
if (verifyStatus <= 0) { if (verifyStatus <= 0)
X509_free(peerCert); {
OCSP_BASICRESP_free(basicResp); X509_free(pPeerCert);
OCSP_RESPONSE_free(ocspResp); OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
OCSP_CERTID *certId = OCSP_cert_to_id(NULL,peerCert,peerIssuerCert); OCSP_CERTID* pCertId = OCSP_cert_to_id(NULL, pPeerCert, pPeerIssuerCert);
if (!certId) { if (!pCertId)
X509_free(peerCert); {
OCSP_BASICRESP_free(basicResp); X509_free(pPeerCert);
OCSP_RESPONSE_free(ocspResp); OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
X509_free(peerCert); X509_free(pPeerCert);
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd; ASN1_GENERALIZEDTIME* pRevTime;
int certstatus,reason; ASN1_GENERALIZEDTIME* pThisUpdate;
if (!OCSP_resp_find_status(basicResp,certId,&certstatus,&reason,&revtime,&thisupd,&nextupd)) { ASN1_GENERALIZEDTIME* pNextUpdate;
OCSP_CERTID_free(certId); int certStatus;
OCSP_BASICRESP_free(basicResp); int reason;
OCSP_RESPONSE_free(ocspResp); if (!OCSP_resp_find_status(pBasicResp, pCertId, &certStatus, &reason, &pRevTime, &pThisUpdate, &pNextUpdate))
{
OCSP_CERTID_free(pCertId);
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
OCSP_CERTID_free(certId); OCSP_CERTID_free(pCertId);
if (certstatus != V_OCSP_CERTSTATUS_GOOD){ if (certStatus != V_OCSP_CERTSTATUS_GOOD)
OCSP_BASICRESP_free(basicResp); {
OCSP_RESPONSE_free(ocspResp); OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
if (!OCSP_check_validity(thisupd,nextupd,5*60,-1)) { if (!OCSP_check_validity(pThisUpdate, pNextUpdate, OCSP_VALIDITY_LEEWAY, -1))
OCSP_BASICRESP_free(basicResp); {
OCSP_RESPONSE_free(ocspResp); OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0; return 0;
} }
OCSP_BASICRESP_free(basicResp); OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(ocspResp); OCSP_RESPONSE_free(pOcspResp);
#endif
return 1; return 1;
} }
void SSLManager::initDefaultContext(bool server) void SSLManager::initDefaultContext(bool server)
{ {
if (server && _ptrDefaultServerContext) return; if (server && _ptrDefaultServerContext) return;

4
NetSSL_OpenSSL/src/SecureSocketImpl.cpp
View File

@@ -164,8 +164,12 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
} }
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if(_pContext->ocspStaplingResponseVerificationEnabled()) if(_pContext->ocspStaplingResponseVerificationEnabled())
{
SSL_set_tlsext_status_type(_pSSL, TLSEXT_STATUSTYPE_ocsp); SSL_set_tlsext_status_type(_pSSL, TLSEXT_STATUSTYPE_ocsp);
}
#endif
if (_pSession) if (_pSession)
{ {