ssl-bozo.c revision 1.15.2.1
1 1.15.2.1 tls /* $NetBSD: ssl-bozo.c,v 1.15.2.1 2014/08/20 00:02:22 tls Exp $ */ 2 1.2 tls 3 1.13 mrg /* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */ 4 1.1 tls 5 1.1 tls /* 6 1.15.2.1 tls * Copyright (c) 1997-2014 Matthew R. Green 7 1.1 tls * All rights reserved. 8 1.1 tls * 9 1.1 tls * Redistribution and use in source and binary forms, with or without 10 1.1 tls * modification, are permitted provided that the following conditions 11 1.1 tls * are met: 12 1.1 tls * 1. Redistributions of source code must retain the above copyright 13 1.1 tls * notice, this list of conditions and the following disclaimer. 14 1.1 tls * 2. Redistributions in binary form must reproduce the above copyright 15 1.1 tls * notice, this list of conditions and the following disclaimer and 16 1.1 tls * dedication in the documentation and/or other materials provided 17 1.1 tls * with the distribution. 18 1.1 tls * 19 1.1 tls * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 20 1.1 tls * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 21 1.1 tls * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 22 1.1 tls * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 23 1.1 tls * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 1.1 tls * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 1.1 tls * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 26 1.1 tls * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 1.1 tls * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 1.1 tls * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 1.1 tls * SUCH DAMAGE. 30 1.1 tls * 31 1.1 tls */ 32 1.1 tls 33 1.15.2.1 tls /* this code implements SSL and backend IO for bozohttpd */ 34 1.1 tls 35 1.7 mrg #include <stdarg.h> 36 1.7 mrg #include <stdio.h> 37 1.8 mrg #include <syslog.h> 38 1.7 mrg #include <unistd.h> 39 1.7 mrg 40 1.7 mrg #include "bozohttpd.h" 41 1.7 mrg 42 1.1 tls #ifndef NO_SSL_SUPPORT 43 1.1 tls 44 1.1 tls #include <openssl/ssl.h> 45 1.1 tls #include <openssl/err.h> 46 1.1 tls 47 1.7 mrg #ifndef USE_ARG 48 1.7 mrg #define USE_ARG(x) /*LINTED*/(void)&(x) 49 1.7 mrg #endif 50 1.7 mrg 51 1.7 mrg /* this structure encapsulates the ssl info */ 52 1.7 mrg typedef struct sslinfo_t { 53 1.7 mrg SSL_CTX *ssl_context; 54 1.7 mrg const SSL_METHOD *ssl_method; 55 1.7 mrg SSL *bozossl; 56 1.7 mrg char *certificate_file; 57 1.7 mrg char *privatekey_file; 58 1.7 mrg } sslinfo_t; 59 1.7 mrg 60 1.8 mrg /* 61 1.15.2.1 tls * bozo_clear_ssl_queue: print the contents of the SSL error queue 62 1.8 mrg */ 63 1.15.2.1 tls static void 64 1.15.2.1 tls bozo_clear_ssl_queue(bozohttpd_t *httpd) 65 1.8 mrg { 66 1.15.2.1 tls unsigned long sslcode = ERR_get_error(); 67 1.8 mrg 68 1.8 mrg do { 69 1.11 hannken static const char sslfmt[] = "SSL Error: %s:%s:%s"; 70 1.8 mrg 71 1.8 mrg if (httpd->logstderr || isatty(STDERR_FILENO)) { 72 1.8 mrg fprintf(stderr, sslfmt, 73 1.8 mrg ERR_lib_error_string(sslcode), 74 1.8 mrg ERR_func_error_string(sslcode), 75 1.8 mrg ERR_reason_error_string(sslcode)); 76 1.8 mrg } else { 77 1.8 mrg syslog(LOG_ERR, sslfmt, 78 1.8 mrg ERR_lib_error_string(sslcode), 79 1.8 mrg ERR_func_error_string(sslcode), 80 1.8 mrg ERR_reason_error_string(sslcode)); 81 1.8 mrg } 82 1.8 mrg } while (0 != (sslcode = ERR_get_error())); 83 1.15.2.1 tls } 84 1.15.2.1 tls 85 1.15.2.1 tls /* 86 1.15.2.1 tls * bozo_ssl_warn works just like bozo_warn, plus the SSL error queue 87 1.15.2.1 tls */ 88 1.15.2.1 tls BOZO_PRINTFLIKE(2, 3) static void 89 1.15.2.1 tls bozo_ssl_warn(bozohttpd_t *httpd, const char *fmt, ...) 90 1.15.2.1 tls { 91 1.15.2.1 tls va_list ap; 92 1.15.2.1 tls 93 1.15.2.1 tls va_start(ap, fmt); 94 1.15.2.1 tls if (httpd->logstderr || isatty(STDERR_FILENO)) { 95 1.15.2.1 tls vfprintf(stderr, fmt, ap); 96 1.15.2.1 tls fputs("\n", stderr); 97 1.15.2.1 tls } else 98 1.15.2.1 tls vsyslog(LOG_ERR, fmt, ap); 99 1.15.2.1 tls va_end(ap); 100 1.15.2.1 tls 101 1.15.2.1 tls bozo_clear_ssl_queue(httpd); 102 1.15.2.1 tls } 103 1.15.2.1 tls 104 1.15.2.1 tls 105 1.15.2.1 tls /* 106 1.15.2.1 tls * bozo_ssl_err works just like bozo_err, plus the SSL error queue 107 1.15.2.1 tls */ 108 1.15.2.1 tls BOZO_PRINTFLIKE(3, 4) BOZO_DEAD static void 109 1.15.2.1 tls bozo_ssl_err(bozohttpd_t *httpd, int code, const char *fmt, ...) 110 1.15.2.1 tls { 111 1.15.2.1 tls va_list ap; 112 1.15.2.1 tls 113 1.15.2.1 tls va_start(ap, fmt); 114 1.15.2.1 tls if (httpd->logstderr || isatty(STDERR_FILENO)) { 115 1.15.2.1 tls vfprintf(stderr, fmt, ap); 116 1.15.2.1 tls fputs("\n", stderr); 117 1.15.2.1 tls } else 118 1.15.2.1 tls vsyslog(LOG_ERR, fmt, ap); 119 1.15.2.1 tls va_end(ap); 120 1.15.2.1 tls 121 1.15.2.1 tls bozo_clear_ssl_queue(httpd); 122 1.8 mrg exit(code); 123 1.8 mrg } 124 1.8 mrg 125 1.15.2.1 tls /* 126 1.15.2.1 tls * bozo_check_error_queue: print warnings if the error isn't expected 127 1.15.2.1 tls */ 128 1.15.2.1 tls static void 129 1.15.2.1 tls bozo_check_error_queue(bozohttpd_t *httpd, const char *tag, int ret) 130 1.15.2.1 tls { 131 1.15.2.1 tls if (ret > 0) 132 1.15.2.1 tls return; 133 1.15.2.1 tls 134 1.15.2.1 tls const sslinfo_t *sslinfo = httpd->sslinfo; 135 1.15.2.1 tls const int sslerr = SSL_get_error(sslinfo->bozossl, ret); 136 1.15.2.1 tls 137 1.15.2.1 tls if (sslerr != SSL_ERROR_ZERO_RETURN && 138 1.15.2.1 tls sslerr != SSL_ERROR_SYSCALL && 139 1.15.2.1 tls sslerr != SSL_ERROR_NONE) 140 1.15.2.1 tls bozo_ssl_warn(httpd, "%s: SSL_ERROR %d", tag, sslerr); 141 1.15.2.1 tls } 142 1.15.2.1 tls 143 1.15 joerg static BOZO_PRINTFLIKE(2, 0) int 144 1.8 mrg bozo_ssl_printf(bozohttpd_t *httpd, const char * fmt, va_list ap) 145 1.7 mrg { 146 1.15.2.1 tls char *buf; 147 1.15.2.1 tls int nbytes; 148 1.15.2.1 tls 149 1.15.2.1 tls if ((nbytes = vasprintf(&buf, fmt, ap)) != -1) { 150 1.15.2.1 tls const sslinfo_t *sslinfo = httpd->sslinfo; 151 1.15.2.1 tls int ret = SSL_write(sslinfo->bozossl, buf, nbytes); 152 1.15.2.1 tls bozo_check_error_queue(httpd, "write", ret); 153 1.15.2.1 tls } 154 1.7 mrg 155 1.7 mrg free(buf); 156 1.7 mrg 157 1.7 mrg return nbytes; 158 1.7 mrg } 159 1.7 mrg 160 1.7 mrg static ssize_t 161 1.7 mrg bozo_ssl_read(bozohttpd_t *httpd, int fd, void *buf, size_t nbytes) 162 1.7 mrg { 163 1.15.2.1 tls const sslinfo_t *sslinfo = httpd->sslinfo; 164 1.15.2.1 tls int ret; 165 1.7 mrg 166 1.7 mrg USE_ARG(fd); 167 1.15.2.1 tls ret = SSL_read(sslinfo->bozossl, buf, (int)nbytes); 168 1.15.2.1 tls bozo_check_error_queue(httpd, "read", ret); 169 1.7 mrg 170 1.15.2.1 tls return (ssize_t)ret; 171 1.7 mrg } 172 1.7 mrg 173 1.7 mrg static ssize_t 174 1.7 mrg bozo_ssl_write(bozohttpd_t *httpd, int fd, const void *buf, size_t nbytes) 175 1.7 mrg { 176 1.15.2.1 tls const sslinfo_t *sslinfo = httpd->sslinfo; 177 1.15.2.1 tls int ret; 178 1.7 mrg 179 1.7 mrg USE_ARG(fd); 180 1.15.2.1 tls ret = SSL_write(sslinfo->bozossl, buf, (int)nbytes); 181 1.15.2.1 tls bozo_check_error_queue(httpd, "write", ret); 182 1.1 tls 183 1.15.2.1 tls return (ssize_t)ret; 184 1.7 mrg } 185 1.1 tls 186 1.1 tls void 187 1.7 mrg bozo_ssl_init(bozohttpd_t *httpd) 188 1.1 tls { 189 1.15.2.1 tls sslinfo_t *sslinfo = httpd->sslinfo; 190 1.7 mrg 191 1.7 mrg if (sslinfo == NULL || !sslinfo->certificate_file) 192 1.1 tls return; 193 1.1 tls SSL_library_init(); 194 1.1 tls SSL_load_error_strings(); 195 1.1 tls 196 1.7 mrg sslinfo->ssl_method = SSLv23_server_method(); 197 1.7 mrg sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method); 198 1.1 tls 199 1.8 mrg if (NULL == sslinfo->ssl_context) 200 1.8 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 201 1.8 mrg "SSL context creation failed"); 202 1.8 mrg 203 1.14 elric if (1 != SSL_CTX_use_certificate_chain_file(sslinfo->ssl_context, 204 1.14 elric sslinfo->certificate_file)) 205 1.8 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 206 1.8 mrg "Unable to use certificate file '%s'", 207 1.8 mrg sslinfo->certificate_file); 208 1.8 mrg 209 1.8 mrg if (1 != SSL_CTX_use_PrivateKey_file(sslinfo->ssl_context, 210 1.8 mrg sslinfo->privatekey_file, SSL_FILETYPE_PEM)) 211 1.8 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 212 1.8 mrg "Unable to use private key file '%s'", 213 1.8 mrg sslinfo->privatekey_file); 214 1.1 tls 215 1.1 tls /* check consistency of key vs certificate */ 216 1.7 mrg if (!SSL_CTX_check_private_key(sslinfo->ssl_context)) 217 1.8 mrg bozo_ssl_err(httpd, EXIT_FAILURE, 218 1.8 mrg "Check private key failed"); 219 1.1 tls } 220 1.1 tls 221 1.15.2.1 tls /* 222 1.15.2.1 tls * returns non-zero for failure 223 1.15.2.1 tls */ 224 1.15.2.1 tls int 225 1.7 mrg bozo_ssl_accept(bozohttpd_t *httpd) 226 1.1 tls { 227 1.15.2.1 tls sslinfo_t *sslinfo = httpd->sslinfo; 228 1.7 mrg 229 1.15.2.1 tls if (sslinfo == NULL || !sslinfo->ssl_context) 230 1.15.2.1 tls return 0; 231 1.15.2.1 tls 232 1.15.2.1 tls sslinfo->bozossl = SSL_new(sslinfo->ssl_context); 233 1.15.2.1 tls if (sslinfo->bozossl == NULL) 234 1.15.2.1 tls bozo_err(httpd, 1, "SSL_new failed"); 235 1.15.2.1 tls 236 1.15.2.1 tls SSL_set_rfd(sslinfo->bozossl, 0); 237 1.15.2.1 tls SSL_set_wfd(sslinfo->bozossl, 1); 238 1.15.2.1 tls 239 1.15.2.1 tls const int ret = SSL_accept(sslinfo->bozossl); 240 1.15.2.1 tls bozo_check_error_queue(httpd, "accept", ret); 241 1.15.2.1 tls 242 1.15.2.1 tls return ret != 1; 243 1.1 tls } 244 1.1 tls 245 1.1 tls void 246 1.7 mrg bozo_ssl_destroy(bozohttpd_t *httpd) 247 1.1 tls { 248 1.15.2.1 tls const sslinfo_t *sslinfo = httpd->sslinfo; 249 1.7 mrg 250 1.7 mrg if (sslinfo && sslinfo->bozossl) 251 1.7 mrg SSL_free(sslinfo->bozossl); 252 1.1 tls } 253 1.1 tls 254 1.1 tls void 255 1.7 mrg bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv) 256 1.1 tls { 257 1.15.2.1 tls sslinfo_t *sslinfo = httpd->sslinfo; 258 1.7 mrg 259 1.15.2.1 tls if (sslinfo == NULL) { 260 1.7 mrg sslinfo = bozomalloc(httpd, sizeof(*sslinfo)); 261 1.15.2.1 tls if (sslinfo == NULL) 262 1.7 mrg bozo_err(httpd, 1, "sslinfo allocation failed"); 263 1.7 mrg httpd->sslinfo = sslinfo; 264 1.7 mrg } 265 1.7 mrg sslinfo->certificate_file = strdup(cert); 266 1.7 mrg sslinfo->privatekey_file = strdup(priv); 267 1.7 mrg debug((httpd, DEBUG_NORMAL, "using cert/priv files: %s & %s", 268 1.7 mrg sslinfo->certificate_file, 269 1.7 mrg sslinfo->privatekey_file)); 270 1.15.2.1 tls if (!httpd->bindport) 271 1.7 mrg httpd->bindport = strdup("https"); 272 1.1 tls } 273 1.1 tls 274 1.7 mrg #endif /* NO_SSL_SUPPORT */ 275 1.7 mrg 276 1.7 mrg int 277 1.7 mrg bozo_printf(bozohttpd_t *httpd, const char *fmt, ...) 278 1.1 tls { 279 1.7 mrg va_list args; 280 1.7 mrg int cc; 281 1.1 tls 282 1.7 mrg va_start(args, fmt); 283 1.7 mrg #ifndef NO_SSL_SUPPORT 284 1.15.2.1 tls if (httpd->sslinfo) 285 1.7 mrg cc = bozo_ssl_printf(httpd, fmt, args); 286 1.15.2.1 tls else 287 1.7 mrg #endif 288 1.15.2.1 tls cc = vprintf(fmt, args); 289 1.7 mrg va_end(args); 290 1.7 mrg return cc; 291 1.1 tls } 292 1.1 tls 293 1.7 mrg ssize_t 294 1.7 mrg bozo_read(bozohttpd_t *httpd, int fd, void *buf, size_t len) 295 1.1 tls { 296 1.7 mrg #ifndef NO_SSL_SUPPORT 297 1.15.2.1 tls if (httpd->sslinfo) 298 1.7 mrg return bozo_ssl_read(httpd, fd, buf, len); 299 1.7 mrg #endif 300 1.7 mrg return read(fd, buf, len); 301 1.1 tls } 302 1.1 tls 303 1.7 mrg ssize_t 304 1.7 mrg bozo_write(bozohttpd_t *httpd, int fd, const void *buf, size_t len) 305 1.1 tls { 306 1.7 mrg #ifndef NO_SSL_SUPPORT 307 1.15.2.1 tls if (httpd->sslinfo) 308 1.7 mrg return bozo_ssl_write(httpd, fd, buf, len); 309 1.7 mrg #endif 310 1.7 mrg return write(fd, buf, len); 311 1.1 tls } 312 1.1 tls 313 1.7 mrg int 314 1.7 mrg bozo_flush(bozohttpd_t *httpd, FILE *fp) 315 1.1 tls { 316 1.7 mrg #ifndef NO_SSL_SUPPORT 317 1.15.2.1 tls if (httpd->sslinfo) 318 1.15.2.1 tls return 0; 319 1.7 mrg #endif 320 1.7 mrg return fflush(fp); 321 1.1 tls } 322
Indexes created Thu Oct 02 14:10:14 GMT 2025