ssl-bozo.c revision 1.1.1.6
1 1.1.1.6 mrg /* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */ 2 1.1 tls 3 1.1 tls /* 4 1.1.1.6 mrg * Copyright (c) 1997-2011 Matthew R. Green 5 1.1 tls * All rights reserved. 6 1.1 tls * 7 1.1 tls * Redistribution and use in source and binary forms, with or without 8 1.1 tls * modification, are permitted provided that the following conditions 9 1.1 tls * are met: 10 1.1 tls * 1. Redistributions of source code must retain the above copyright 11 1.1 tls * notice, this list of conditions and the following disclaimer. 12 1.1 tls * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 tls * notice, this list of conditions and the following disclaimer and 14 1.1 tls * dedication in the documentation and/or other materials provided 15 1.1 tls * with the distribution. 16 1.1 tls * 17 1.1 tls * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 1.1 tls * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 1.1 tls * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 1.1 tls * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 1.1 tls * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22 1.1 tls * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 1.1 tls * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 24 1.1 tls * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 1.1 tls * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 1.1 tls * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 1.1 tls * SUCH DAMAGE. 28 1.1 tls * 29 1.1 tls */ 30 1.1 tls 31 1.1 tls /* this code implements SSL for bozohttpd */ 32 1.1 tls 33 1.1.1.4 mrg #include <stdarg.h> 34 1.1.1.4 mrg #include <stdio.h> 35 1.1.1.5 mrg #include <syslog.h> 36 1.1 tls #include <unistd.h> 37 1.1 tls 38 1.1.1.4 mrg #include "bozohttpd.h" 39 1.1.1.4 mrg 40 1.1.1.4 mrg #ifndef NO_SSL_SUPPORT 41 1.1.1.4 mrg 42 1.1 tls #include <openssl/ssl.h> 43 1.1 tls #include <openssl/err.h> 44 1.1 tls 45 1.1.1.4 mrg #ifndef USE_ARG 46 1.1.1.4 mrg #define USE_ARG(x) /*LINTED*/(void)&(x) 47 1.1.1.4 mrg #endif 48 1.1.1.4 mrg 49 1.1.1.4 mrg /* this structure encapsulates the ssl info */ 50 1.1.1.4 mrg typedef struct sslinfo_t { 51 1.1.1.4 mrg SSL_CTX *ssl_context; 52 1.1.1.4 mrg const SSL_METHOD *ssl_method; 53 1.1.1.4 mrg SSL *bozossl; 54 1.1.1.4 mrg char *certificate_file; 55 1.1.1.4 mrg char *privatekey_file; 56 1.1.1.4 mrg } sslinfo_t; 57 1.1.1.4 mrg 58 1.1.1.5 mrg /* 59 1.1.1.5 mrg * bozo_ssl_err 60 1.1.1.5 mrg * 61 1.1.1.5 mrg * bozo_ssl_err works just like bozo_err except in addition to printing 62 1.1.1.5 mrg * the error provided by the caller at the point of error it pops and 63 1.1.1.5 mrg * prints all errors from the SSL error queue. 64 1.1.1.5 mrg */ 65 1.1.1.6 mrg BOZO_DEAD static void 66 1.1.1.5 mrg bozo_ssl_err(bozohttpd_t *httpd, int code, const char *fmt, ...) 67 1.1.1.5 mrg { 68 1.1.1.5 mrg va_list ap; 69 1.1.1.5 mrg 70 1.1.1.5 mrg va_start(ap, fmt); 71 1.1.1.5 mrg if (httpd->logstderr || isatty(STDERR_FILENO)) { 72 1.1.1.5 mrg vfprintf(stderr, fmt, ap); 73 1.1.1.5 mrg fputs("\n", stderr); 74 1.1.1.5 mrg } else 75 1.1.1.5 mrg vsyslog(LOG_ERR, fmt, ap); 76 1.1.1.5 mrg va_end(ap); 77 1.1.1.5 mrg 78 1.1.1.5 mrg unsigned int sslcode = ERR_get_error(); 79 1.1.1.5 mrg do { 80 1.1.1.6 mrg static const char sslfmt[] = "SSL Error: %s:%s:%s"; 81 1.1.1.5 mrg 82 1.1.1.5 mrg if (httpd->logstderr || isatty(STDERR_FILENO)) { 83 1.1.1.5 mrg fprintf(stderr, sslfmt, 84 1.1.1.5 mrg ERR_lib_error_string(sslcode), 85 1.1.1.5 mrg ERR_func_error_string(sslcode), 86 1.1.1.5 mrg ERR_reason_error_string(sslcode)); 87 1.1.1.5 mrg } else { 88 1.1.1.5 mrg syslog(LOG_ERR, sslfmt, 89 1.1.1.5 mrg ERR_lib_error_string(sslcode), 90 1.1.1.5 mrg ERR_func_error_string(sslcode), 91 1.1.1.5 mrg ERR_reason_error_string(sslcode)); 92 1.1.1.5 mrg } 93 1.1.1.5 mrg } while (0 != (sslcode = ERR_get_error())); 94 1.1.1.5 mrg exit(code); 95 1.1.1.5 mrg } 96 1.1.1.5 mrg 97 1.1.1.4 mrg static int 98 1.1.1.5 mrg bozo_ssl_printf(bozohttpd_t *httpd, const char * fmt, va_list ap) 99 1.1.1.4 mrg { 100 1.1.1.4 mrg sslinfo_t *sslinfo; 101 1.1.1.4 mrg char *buf; 102 1.1.1.4 mrg int nbytes; 103 1.1.1.4 mrg 104 1.1.1.4 mrg sslinfo = httpd->sslinfo; 105 1.1.1.4 mrg /* XXX we need more elegant/proper handling of SSL_write return */ 106 1.1.1.4 mrg if ((nbytes = vasprintf(&buf, fmt, ap)) != -1) 107 1.1.1.4 mrg SSL_write(sslinfo->bozossl, buf, nbytes); 108 1.1.1.4 mrg 109 1.1.1.4 mrg free(buf); 110 1.1.1.4 mrg 111 1.1.1.4 mrg return nbytes; 112 1.1.1.4 mrg } 113 1.1.1.4 mrg 114 1.1.1.4 mrg static ssize_t 115 1.1.1.4 mrg bozo_ssl_read(bozohttpd_t *httpd, int fd, void *buf, size_t nbytes) 116 1.1.1.4 mrg { 117 1.1.1.4 mrg sslinfo_t *sslinfo; 118 1.1.1.4 mrg ssize_t rbytes; 119 1.1.1.4 mrg 120 1.1.1.4 mrg USE_ARG(fd); 121 1.1.1.4 mrg sslinfo = httpd->sslinfo; 122 1.1.1.4 mrg /* XXX we need elegant/proper handling of SSL_read return */ 123 1.1.1.4 mrg rbytes = (ssize_t)SSL_read(sslinfo->bozossl, buf, (int)nbytes); 124 1.1.1.4 mrg if (rbytes < 1) { 125 1.1.1.4 mrg if (SSL_get_error(sslinfo->bozossl, rbytes) == 126 1.1.1.4 mrg SSL_ERROR_WANT_READ) 127 1.1.1.4 mrg bozo_warn(httpd, "SSL_ERROR_WANT_READ"); 128 1.1.1.4 mrg else 129 1.1.1.4 mrg bozo_warn(httpd, "SSL_ERROR OTHER"); 130 1.1.1.4 mrg } 131 1.1.1.4 mrg 132 1.1.1.4 mrg return rbytes; 133 1.1.1.4 mrg } 134 1.1.1.4 mrg 135 1.1.1.4 mrg static ssize_t 136 1.1.1.4 mrg bozo_ssl_write(bozohttpd_t *httpd, int fd, const void *buf, size_t nbytes) 137 1.1.1.4 mrg { 138 1.1.1.4 mrg sslinfo_t *sslinfo; 139 1.1.1.4 mrg ssize_t wbytes; 140 1.1 tls 141 1.1.1.4 mrg USE_ARG(fd); 142 1.1.1.4 mrg sslinfo = httpd->sslinfo; 143 1.1.1.4 mrg /* XXX we need elegant/proper handling of SSL_write return */ 144 1.1.1.4 mrg wbytes = (ssize_t)SSL_write(sslinfo->bozossl, buf, (int)nbytes); 145 1.1.1.4 mrg 146 1.1.1.4 mrg return wbytes; 147 1.1.1.4 mrg } 148 1.1.1.4 mrg 149 1.1.1.4 mrg static int 150 1.1.1.4 mrg bozo_ssl_flush(bozohttpd_t *httpd, FILE *fp) 151 1.1.1.4 mrg { 152 1.1.1.4 mrg USE_ARG(httpd); 153 1.1.1.4 mrg USE_ARG(fp); 154 1.1.1.4 mrg /* nothing to see here, move right along */ 155 1.1.1.4 mrg return 0; 156 1.1.1.4 mrg } 157 1.1 tls 158 1.1 tls void 159 1.1.1.4 mrg bozo_ssl_init(bozohttpd_t *httpd) 160 1.1 tls { 161 1.1.1.4 mrg sslinfo_t *sslinfo; 162 1.1.1.4 mrg 163 1.1.1.4 mrg sslinfo = httpd->sslinfo; 164 1.1.1.4 mrg if (sslinfo == NULL || !sslinfo->certificate_file) 165 1.1 tls return; 166 1.1 tls SSL_library_init(); 167 1.1 tls SSL_load_error_strings(); 168 1.1 tls 169 1.1.1.4 mrg sslinfo->ssl_method = SSLv23_server_method(); 170 1.1.1.4 mrg sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method); 171 1.1 tls 172 1.1 tls /* XXX we need to learn how to check the SSL stack for more info */ 173 1.1.1.5 mrg if (NULL == sslinfo->ssl_context) 174 1.1.1.5 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 175 1.1.1.5 mrg "SSL context creation failed"); 176 1.1.1.5 mrg 177 1.1.1.5 mrg if (1 != SSL_CTX_use_certificate_file(sslinfo->ssl_context, 178 1.1.1.5 mrg sslinfo->certificate_file, SSL_FILETYPE_PEM)) 179 1.1.1.5 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 180 1.1.1.5 mrg "Unable to use certificate file '%s'", 181 1.1.1.5 mrg sslinfo->certificate_file); 182 1.1.1.5 mrg 183 1.1.1.5 mrg if (1 != SSL_CTX_use_PrivateKey_file(sslinfo->ssl_context, 184 1.1.1.5 mrg sslinfo->privatekey_file, SSL_FILETYPE_PEM)) 185 1.1.1.5 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 186 1.1.1.5 mrg "Unable to use private key file '%s'", 187 1.1.1.5 mrg sslinfo->privatekey_file); 188 1.1 tls 189 1.1 tls /* check consistency of key vs certificate */ 190 1.1.1.4 mrg if (!SSL_CTX_check_private_key(sslinfo->ssl_context)) 191 1.1.1.5 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 192 1.1.1.5 mrg "Check private key failed"); 193 1.1 tls } 194 1.1 tls 195 1.1 tls void 196 1.1.1.4 mrg bozo_ssl_accept(bozohttpd_t *httpd) 197 1.1 tls { 198 1.1.1.4 mrg sslinfo_t *sslinfo; 199 1.1.1.4 mrg 200 1.1.1.4 mrg sslinfo = httpd->sslinfo; 201 1.1.1.4 mrg if (sslinfo != NULL && sslinfo->ssl_context) { 202 1.1.1.4 mrg sslinfo->bozossl = SSL_new(sslinfo->ssl_context); 203 1.1.1.4 mrg SSL_set_rfd(sslinfo->bozossl, 0); 204 1.1.1.4 mrg SSL_set_wfd(sslinfo->bozossl, 1); 205 1.1.1.4 mrg SSL_accept(sslinfo->bozossl); 206 1.1 tls } 207 1.1 tls } 208 1.1 tls 209 1.1 tls void 210 1.1.1.4 mrg bozo_ssl_destroy(bozohttpd_t *httpd) 211 1.1 tls { 212 1.1.1.4 mrg sslinfo_t *sslinfo; 213 1.1.1.4 mrg 214 1.1.1.4 mrg sslinfo = httpd->sslinfo; 215 1.1.1.4 mrg if (sslinfo && sslinfo->bozossl) 216 1.1.1.4 mrg SSL_free(sslinfo->bozossl); 217 1.1 tls } 218 1.1 tls 219 1.1 tls void 220 1.1.1.4 mrg bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv) 221 1.1 tls { 222 1.1.1.4 mrg sslinfo_t *sslinfo; 223 1.1.1.4 mrg 224 1.1.1.4 mrg if ((sslinfo = httpd->sslinfo) == NULL) { 225 1.1.1.4 mrg sslinfo = bozomalloc(httpd, sizeof(*sslinfo)); 226 1.1.1.4 mrg if (sslinfo == NULL) { 227 1.1.1.4 mrg bozo_err(httpd, 1, "sslinfo allocation failed"); 228 1.1.1.4 mrg } 229 1.1.1.4 mrg httpd->sslinfo = sslinfo; 230 1.1.1.4 mrg } 231 1.1.1.4 mrg sslinfo->certificate_file = strdup(cert); 232 1.1.1.4 mrg sslinfo->privatekey_file = strdup(priv); 233 1.1.1.4 mrg debug((httpd, DEBUG_NORMAL, "using cert/priv files: %s & %s", 234 1.1.1.4 mrg sslinfo->certificate_file, 235 1.1.1.4 mrg sslinfo->privatekey_file)); 236 1.1.1.4 mrg if (!httpd->bindport) { 237 1.1.1.4 mrg httpd->bindport = strdup("https"); 238 1.1.1.4 mrg } 239 1.1 tls } 240 1.1 tls 241 1.1.1.4 mrg #endif /* NO_SSL_SUPPORT */ 242 1.1 tls 243 1.1.1.4 mrg int 244 1.1.1.4 mrg bozo_printf(bozohttpd_t *httpd, const char *fmt, ...) 245 1.1.1.4 mrg { 246 1.1.1.4 mrg va_list args; 247 1.1.1.4 mrg int cc; 248 1.1 tls 249 1.1.1.4 mrg va_start(args, fmt); 250 1.1.1.4 mrg #ifndef NO_SSL_SUPPORT 251 1.1.1.4 mrg if (httpd->sslinfo) { 252 1.1.1.4 mrg cc = bozo_ssl_printf(httpd, fmt, args); 253 1.1.1.4 mrg va_end(args); 254 1.1.1.4 mrg return cc; 255 1.1.1.4 mrg } 256 1.1.1.4 mrg #endif 257 1.1.1.4 mrg cc = vprintf(fmt, args); 258 1.1.1.4 mrg va_end(args); 259 1.1.1.4 mrg return cc; 260 1.1 tls } 261 1.1 tls 262 1.1.1.4 mrg ssize_t 263 1.1.1.4 mrg bozo_read(bozohttpd_t *httpd, int fd, void *buf, size_t len) 264 1.1 tls { 265 1.1.1.4 mrg #ifndef NO_SSL_SUPPORT 266 1.1.1.4 mrg if (httpd->sslinfo) { 267 1.1.1.4 mrg return bozo_ssl_read(httpd, fd, buf, len); 268 1.1 tls } 269 1.1.1.4 mrg #endif 270 1.1.1.4 mrg return read(fd, buf, len); 271 1.1 tls } 272 1.1 tls 273 1.1.1.4 mrg ssize_t 274 1.1.1.4 mrg bozo_write(bozohttpd_t *httpd, int fd, const void *buf, size_t len) 275 1.1 tls { 276 1.1.1.4 mrg #ifndef NO_SSL_SUPPORT 277 1.1.1.4 mrg if (httpd->sslinfo) { 278 1.1.1.4 mrg return bozo_ssl_write(httpd, fd, buf, len); 279 1.1.1.4 mrg } 280 1.1.1.4 mrg #endif 281 1.1.1.4 mrg return write(fd, buf, len); 282 1.1 tls } 283 1.1 tls 284 1.1.1.4 mrg int 285 1.1.1.4 mrg bozo_flush(bozohttpd_t *httpd, FILE *fp) 286 1.1 tls { 287 1.1.1.4 mrg #ifndef NO_SSL_SUPPORT 288 1.1.1.4 mrg if (httpd->sslinfo) { 289 1.1.1.4 mrg return bozo_ssl_flush(httpd, fp); 290 1.1.1.4 mrg } 291 1.1.1.4 mrg #endif 292 1.1.1.4 mrg return fflush(fp); 293 1.1 tls } 294
Indexes created Thu Oct 02 14:10:14 GMT 2025