Add SSL options to mg_{bind,connect}_opt

PUBLISHED_FROM=7e28eb43742b76c073c9c2c879c64d7b4d3e9a7e
2024-11-24 02:59:01 +08:00 · 2016-02-24 14:14:07 +01:00 · 2016-02-24 14:14:07 +01:00 · 4a0cc8223e
commit 4a0cc8223e
parent 7db10857b3
2 changed files with 65 additions and 7 deletions
--- a/mongoose.c
+++ b/mongoose.c
@ -2525,6 +2525,10 @@ const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
  const char *result = NULL;
  DBG(("%p %s %s", nc, (cert ? cert : ""), (ca_cert ? ca_cert : "")));

+  if (nc->flags & MG_F_UDP) {
+    return "SSL for UDP is not supported";
+  }
+
  if (nc->ssl != NULL) {
    SSL_free(nc->ssl);
    nc->ssl = NULL;
@ -2786,6 +2790,30 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
  nc->flags |= (proto == SOCK_DGRAM) ? MG_F_UDP : 0;
  nc->user_data = opts.user_data;

+#ifdef MG_ENABLE_SSL
+  if (opts.ssl_cert != NULL || opts.ssl_ca_cert != NULL) {
+    const char *err = mg_set_ssl(nc, opts.ssl_cert, opts.ssl_ca_cert);
+    if (err != NULL) {
+      MG_SET_PTRPTR(opts.error_string, err);
+      mg_destroy_conn(nc);
+      return NULL;
+    }
+    if (opts.ssl_ca_cert != NULL && (opts.ssl_server_name == NULL ||
+                                     strcmp(opts.ssl_server_name, "*") != 0)) {
+      if (opts.ssl_server_name == NULL) opts.ssl_server_name = host;
+#ifdef SSL_KRYPTON
+      SSL_CTX_kr_set_verify_name(nc->ssl_ctx, opts.ssl_server_name);
+#else
+      /* TODO(rojer): Implement server name verification on OpenSSL. */
+      MG_SET_PTRPTR(opts.error_string,
+                    "Server name verification requested but is not supported");
+      mg_destroy_conn(nc);
+      return NULL;
+#endif /* SSL_KRYPTON */
+    }
+  }
+#endif /* MG_ENABLE_SSL */
+
  if (rc == 0) {
 #ifndef MG_DISABLE_RESOLVER
    /*
@ -2858,6 +2886,16 @@ struct mg_connection *mg_bind_opt(struct mg_mgr *mgr, const char *address,
    mg_destroy_conn(nc);
    return NULL;
  }
+#ifdef MG_ENABLE_SSL
+  if (opts.ssl_cert != NULL || opts.ssl_ca_cert != NULL) {
+    const char *err = mg_set_ssl(nc, opts.ssl_cert, opts.ssl_ca_cert);
+    if (err != NULL) {
+      MG_SET_PTRPTR(opts.error_string, err);
+      mg_destroy_conn(nc);
+      return NULL;
+    }
+  }
+#endif /* MG_ENABLE_SSL */
  mg_add_conn(nc->mgr, nc);

  return nc;
--- a/mongoose.h
+++ b/mongoose.h
@ -1191,6 +1191,11 @@ struct mg_bind_opts {
  void *user_data;           /* Initial value for connection's user_data */
  unsigned int flags;        /* Extra connection flags */
  const char **error_string; /* Placeholder for the error string */
+#ifdef MG_ENABLE_SSL
+  /* SSL settings. */
+  const char *ssl_cert;    /* Server certificate to present to clients */
+  const char *ssl_ca_cert; /* Verify client certificates with this CA bundle */
+#endif
 };

 /*
@ -1217,14 +1222,29 @@ struct mg_connection *mg_bind(struct mg_mgr *, const char *,
 * Return a new listening connection, or `NULL` on error.
 * NOTE: Connection remains owned by the manager, do not free().
 */
-struct mg_connection *mg_bind_opt(struct mg_mgr *, const char *,
-                                  mg_event_handler_t, struct mg_bind_opts);
+struct mg_connection *mg_bind_opt(struct mg_mgr *mgr, const char *address,
+                                  mg_event_handler_t handler,
+                                  struct mg_bind_opts opts);

 /* Optional parameters to mg_connect_opt() */
 struct mg_connect_opts {
  void *user_data;           /* Initial value for connection's user_data */
  unsigned int flags;        /* Extra connection flags */
  const char **error_string; /* Placeholder for the error string */
+#ifdef MG_ENABLE_SSL
+  /* SSL settings. */
+  const char *ssl_cert;    /* Client certificate to present to the server */
+  const char *ssl_ca_cert; /* Verify server certificate using this CA bundle */
+
+  /*
+   * Server name verification. If ssl_ca_cert is set and the certificate has
+   * passed verification, its subject will be verified against this string.
+   * By default (if ssl_server_name is NULL) hostname part of the address will
+   * be used. Wildcard matching is supported. A special value of "*" disables
+   * name verification.
+   */
+  const char *ssl_server_name;
+#endif
 };

 /*
@ -1232,8 +1252,8 @@ struct mg_connect_opts {
 *
 * See `mg_connect_opt()` for full documentation.
 */
-struct mg_connection *mg_connect(struct mg_mgr *, const char *,
-                                 mg_event_handler_t);
+struct mg_connection *mg_connect(struct mg_mgr *mgr, const char *address,
+                                 mg_event_handler_t handler);

 /*
 * Connect to a remote host.
@ -1284,9 +1304,9 @@ struct mg_connection *mg_connect(struct mg_mgr *, const char *,
 *   mg_connect(mgr, "my_site.com:80", ev_handler);
 * ----
 */
-struct mg_connection *mg_connect_opt(struct mg_mgr *, const char *,
-                                     mg_event_handler_t,
-                                     struct mg_connect_opts);
+struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
+                                     mg_event_handler_t handler,
+                                     struct mg_connect_opts opts);

 /*
 * Enable SSL for a given connection.