From 56ae875861ab260b80a030f50c4aff9f9dc8fff0 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sat, 13 Apr 2024 13:32:39 +0200
Subject: Adding upstream version 2.14.2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 lib/base/tlsstream.cpp | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 lib/base/tlsstream.cpp

(limited to 'lib/base/tlsstream.cpp')

diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp
new file mode 100644
index 0000000..db54c91
--- /dev/null
+++ b/lib/base/tlsstream.cpp
@@ -0,0 +1,71 @@
+/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
+
+#include "base/tlsstream.hpp"
+#include "base/application.hpp"
+#include "base/utility.hpp"
+#include "base/exception.hpp"
+#include "base/logger.hpp"
+#include "base/configuration.hpp"
+#include "base/convert.hpp"
+#include <boost/asio/ssl/context.hpp>
+#include <boost/asio/ssl/verify_context.hpp>
+#include <boost/asio/ssl/verify_mode.hpp>
+#include <iostream>
+#include <openssl/ssl.h>
+#include <openssl/tls1.h>
+#include <openssl/x509.h>
+#include <sstream>
+
+using namespace icinga;
+
+bool UnbufferedAsioTlsStream::IsVerifyOK() const
+{
+	return m_VerifyOK;
+}
+
+String UnbufferedAsioTlsStream::GetVerifyError() const
+{
+	return m_VerifyError;
+}
+
+std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
+{
+	return std::shared_ptr<X509>(SSL_get_peer_certificate(native_handle()), X509_free);
+}
+
+void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
+{
+	namespace ssl = boost::asio::ssl;
+
+	if (!m_Hostname.IsEmpty()) {
+		X509_VERIFY_PARAM_set1_host(SSL_get0_param(native_handle()), m_Hostname.CStr(), m_Hostname.GetLength());
+	}
+
+	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
+
+	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
+		if (!preverified) {
+			m_VerifyOK = false;
+
+			std::ostringstream msgbuf;
+			int err = X509_STORE_CTX_get_error(ctx.native_handle());
+
+			msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
+			m_VerifyError = msgbuf.str();
+		}
+
+		return true;
+	});
+
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+	if (type == client && !m_Hostname.IsEmpty()) {
+		String environmentName = Application::GetAppEnvironment();
+		String serverName = m_Hostname;
+
+		if (!environmentName.IsEmpty())
+			serverName += ":" + environmentName;
+
+		SSL_set_tlsext_host_name(native_handle(), serverName.CStr());
+	}
+#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
+}
-- 
cgit v1.2.3