diff options
author | JackLivio <jack@livio.io> | 2018-10-19 15:05:09 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-19 15:05:09 -0400 |
commit | d36316738785c96dab2ee892762ed08c059fffde (patch) | |
tree | 168a7c0705b5bc8f0dee7ce4b511ccf71759d9b4 /src/components/security_manager/src/ssl_context_impl.cc | |
parent | 7f7fcbb998fb17f2954fd103349af67ea9b71a3f (diff) | |
parent | 83c5e805346d55ec7fb9f4ba8b6f6855d992273e (diff) | |
download | sdl_core-hotfix/templates_updates.tar.gz |
Merge pull request #2572 from smartdevicelink/release/5.0.05.0.0hotfix/templates_updatesfeature/show_app_menufeature/progress_bar_seekfeature/open-menu-rpcfeature/open-menu-rfeature/button
Release 5.0.0
Diffstat (limited to 'src/components/security_manager/src/ssl_context_impl.cc')
-rw-r--r-- | src/components/security_manager/src/ssl_context_impl.cc | 136 |
1 files changed, 125 insertions, 11 deletions
diff --git a/src/components/security_manager/src/ssl_context_impl.cc b/src/components/security_manager/src/ssl_context_impl.cc index 5be5ff8363..67be17db63 100644 --- a/src/components/security_manager/src/ssl_context_impl.cc +++ b/src/components/security_manager/src/ssl_context_impl.cc @@ -36,6 +36,7 @@ #include <map> #include <algorithm> #include <vector> +#include <time.h> #include <openssl/bio.h> #include <openssl/ssl.h> @@ -77,6 +78,7 @@ bool CryptoManagerImpl::SSLContextImpl::IsInitCompleted() const { SSLContext::HandshakeResult CryptoManagerImpl::SSLContextImpl::StartHandshake( const uint8_t** const out_data, size_t* out_data_size) { + LOG4CXX_AUTO_TRACE(logger_); is_handshake_pending_ = true; return DoHandshakeStep(NULL, 0, out_data, out_data_size); } @@ -112,6 +114,12 @@ size_t des_cbc3_sha_max_block_size(size_t mtu) { return 0; return ((mtu - 29) & 0xfffffff8) - 5; } +time_t get_time_zone_offset(time_t in_time) { + tm gmt_cert_tm = *gmtime(&in_time); + tm local_cert_tm = *localtime(&in_time); + + return mktime(&local_cert_tm) - mktime(&gmt_cert_tm); +} } // namespace std::map<std::string, CryptoManagerImpl::SSLContextImpl::BlockSizeGetter> @@ -174,6 +182,7 @@ const std::string CryptoManagerImpl::SSLContextImpl::RemoveDisallowedInfo( void CryptoManagerImpl::SSLContextImpl::PrintCertData( X509* cert, const std::string& cert_owner) { + LOG4CXX_AUTO_TRACE(logger_); if (!cert) { LOG4CXX_DEBUG(logger_, "Empty certificate data"); return; @@ -206,6 +215,7 @@ void CryptoManagerImpl::SSLContextImpl::PrintCertData( } void CryptoManagerImpl::SSLContextImpl::PrintCertInfo() { + LOG4CXX_AUTO_TRACE(logger_); PrintCertData(SSL_get_certificate(connection_), "HU's"); STACK_OF(X509)* peer_certs = SSL_get_peer_cert_chain(connection_); @@ -217,26 +227,47 @@ void CryptoManagerImpl::SSLContextImpl::PrintCertInfo() { SSLContext::HandshakeResult CryptoManagerImpl::SSLContextImpl::CheckCertContext() { + LOG4CXX_AUTO_TRACE(logger_); X509* cert = SSL_get_peer_certificate(connection_); if (!cert) { // According to the openssl documentation the peer certificate // might be ommitted for the SERVER but required for the cient. return CLIENT == mode_ ? Handshake_Result_Fail : Handshake_Result_Success; } + ASN1_TIME* notBefore = X509_get_notBefore(cert); + ASN1_TIME* notAfter = X509_get_notAfter(cert); - X509_NAME* subj_name = X509_get_subject_name(cert); + time_t start = convert_asn1_time_to_time_t(notBefore); + time_t end = convert_asn1_time_to_time_t(notAfter); - const std::string& cn = GetTextBy(subj_name, NID_commonName); - const std::string& sn = GetTextBy(subj_name, NID_serialNumber); + const double start_seconds = difftime(hsh_context_.system_time, start); + const double end_seconds = difftime(end, hsh_context_.system_time); - if (!(hsh_context_.expected_cn.CompareIgnoreCase(cn.c_str()))) { + if (start_seconds < 0) { LOG4CXX_ERROR(logger_, - "Trying to run handshake with wrong app name: " - << cn << ". Expected app name: " - << hsh_context_.expected_cn.AsMBString()); - return Handshake_Result_AppNameMismatch; + "Certificate is not yet valid. Time before validity " + << start_seconds << " seconds"); + return Handshake_Result_NotYetValid; + } else { + LOG4CXX_DEBUG(logger_, + "Time since certificate validity " << start_seconds + << "seconds"); } + if (end_seconds < 0) { + LOG4CXX_ERROR(logger_, + "Certificate already expired. Time after expiration " + << end_seconds << " seconds"); + return Handshake_Result_CertExpired; + } else { + LOG4CXX_DEBUG(logger_, + "Time until expiration " << end_seconds << "seconds"); + } + + X509_NAME* subj_name = X509_get_subject_name(cert); + + const std::string& sn = GetTextBy(subj_name, NID_serialNumber); + if (!(hsh_context_.expected_sn.CompareIgnoreCase(sn.c_str()))) { LOG4CXX_ERROR(logger_, "Trying to run handshake with wrong app id: " @@ -247,6 +278,60 @@ CryptoManagerImpl::SSLContextImpl::CheckCertContext() { return Handshake_Result_Success; } +int CryptoManagerImpl::SSLContextImpl::get_number_from_char_buf( + char* buf, int* idx) const { + if (!idx) { + return 0; + } + const int val = ((buf[*idx] - '0') * 10) + buf[(*idx) + 1] - '0'; + *idx = *idx + 2; + return val; +} + +time_t CryptoManagerImpl::SSLContextImpl::convert_asn1_time_to_time_t( + ASN1_TIME* time_to_convert) const { + struct tm cert_time; + memset(&cert_time, 0, sizeof(struct tm)); + // the minimum value for day of month is 1, otherwise exception will be thrown + cert_time.tm_mday = 1; + char* buf = reinterpret_cast<char*>(time_to_convert->data); + int index = 0; + const int year = get_number_from_char_buf(buf, &index); + if (V_ASN1_GENERALIZEDTIME == time_to_convert->type) { + cert_time.tm_year = + (year * 100 - 1900) + get_number_from_char_buf(buf, &index); + } else { + cert_time.tm_year = year < 50 ? year + 100 : year; + } + + const int mon = get_number_from_char_buf(buf, &index); + const int day = get_number_from_char_buf(buf, &index); + const int hour = get_number_from_char_buf(buf, &index); + const int mn = get_number_from_char_buf(buf, &index); + + cert_time.tm_mon = mon - 1; + cert_time.tm_mday = day; + cert_time.tm_hour = hour; + cert_time.tm_min = mn; + + if (buf[index] == 'Z') { + cert_time.tm_sec = 0; + } + if ((buf[index] == '+') || (buf[index] == '-')) { + const int mn = get_number_from_char_buf(buf, &index); + const int mn1 = get_number_from_char_buf(buf, &index); + cert_time.tm_sec = (mn * 3600) + (mn1 * 60); + } else { + const int sec = get_number_from_char_buf(buf, &index); + cert_time.tm_sec = sec; + } + + const time_t local_cert_time = mktime(&cert_time); + const time_t time_offset = get_time_zone_offset(local_cert_time); + + return local_cert_time + time_offset; +} + bool CryptoManagerImpl::SSLContextImpl::ReadHandshakeData( const uint8_t** const out_data, size_t* out_data_size) { LOG4CXX_AUTO_TRACE(logger_); @@ -280,7 +365,7 @@ bool CryptoManagerImpl::SSLContextImpl::WriteHandshakeData( if (ret <= 0) { is_handshake_pending_ = false; ResetConnection(); - return Handshake_Result_AbnormalFail; + return false; } } return true; @@ -288,7 +373,9 @@ bool CryptoManagerImpl::SSLContextImpl::WriteHandshakeData( SSLContext::HandshakeResult CryptoManagerImpl::SSLContextImpl::PerformHandshake() { + LOG4CXX_AUTO_TRACE(logger_); const int handshake_result = SSL_do_handshake(connection_); + LOG4CXX_TRACE(logger_, "Handshake result: " << handshake_result); if (handshake_result == 1) { const HandshakeResult result = CheckCertContext(); if (result != Handshake_Result_Success) { @@ -307,6 +394,7 @@ CryptoManagerImpl::SSLContextImpl::PerformHandshake() { is_handshake_pending_ = false; } else if (handshake_result == 0) { + LOG4CXX_DEBUG(logger_, "SSL handshake failed"); SSL_clear(connection_); is_handshake_pending_ = false; return Handshake_Result_Fail; @@ -403,25 +491,32 @@ bool CryptoManagerImpl::SSLContextImpl::Decrypt(const uint8_t* const in_data, size_t in_data_size, const uint8_t** const out_data, size_t* out_data_size) { + LOG4CXX_AUTO_TRACE(logger_); sync_primitives::AutoLock locker(bio_locker); if (!SSL_is_init_finished(connection_)) { + LOG4CXX_ERROR(logger_, "SSL initilization is not finished"); return false; } - if (!in_data || !in_data_size) { + if (!in_data || (0 == in_data_size)) { + LOG4CXX_ERROR(logger_, "IN data ptr or IN data size is 0"); return false; } + BIO_write(bioIn_, in_data, in_data_size); int len = BIO_ctrl_pending(bioFilter_); + ptrdiff_t offset = 0; *out_data_size = 0; - while (len) { + *out_data = NULL; + while (len > 0) { EnsureBufferSizeEnough(len + offset); len = BIO_read(bioFilter_, buffer_ + offset, len); // TODO(EZamakhov): investigate BIO_read return 0, -1 and -2 meanings if (len <= 0) { // Reset filter and connection deinitilization instead + LOG4CXX_ERROR(logger_, "Read error occured. Read data lenght : " << len); BIO_ctrl(bioFilter_, BIO_CTRL_RESET, 0, NULL); return false; } @@ -447,6 +542,25 @@ bool CryptoManagerImpl::SSLContextImpl::IsHandshakePending() const { return is_handshake_pending_; } +bool CryptoManagerImpl::SSLContextImpl::GetCertificateDueDate( + time_t& due_date) const { + LOG4CXX_AUTO_TRACE(logger_); + + X509* cert = SSL_get_certificate(connection_); + if (!cert) { + LOG4CXX_DEBUG(logger_, "Get certificate failed."); + return false; + } + + due_date = convert_asn1_time_to_time_t(X509_get_notAfter(cert)); + + return true; +} + +bool CryptoManagerImpl::SSLContextImpl::HasCertificate() const { + return SSL_get_certificate(connection_) != NULL; +} + CryptoManagerImpl::SSLContextImpl::~SSLContextImpl() { SSL_shutdown(connection_); SSL_free(connection_); |