ssl-bozo.c revision 1.1.1.6
1 /* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */ 2 3 /* 4 * Copyright (c) 1997-2011 Matthew R. Green 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer and 14 * dedication in the documentation and/or other materials provided 15 * with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 24 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 /* this code implements SSL for bozohttpd */ 32 33 #include <stdarg.h> 34 #include <stdio.h> 35 #include <syslog.h> 36 #include <unistd.h> 37 38 #include "bozohttpd.h" 39 40 #ifndef NO_SSL_SUPPORT 41 42 #include <openssl/ssl.h> 43 #include <openssl/err.h> 44 45 #ifndef USE_ARG 46 #define USE_ARG(x) /*LINTED*/(void)&(x) 47 #endif 48 49 /* this structure encapsulates the ssl info */ 50 typedef struct sslinfo_t { 51 SSL_CTX *ssl_context; 52 const SSL_METHOD *ssl_method; 53 SSL *bozossl; 54 char *certificate_file; 55 char *privatekey_file; 56 } sslinfo_t; 57 58 /* 59 * bozo_ssl_err 60 * 61 * bozo_ssl_err works just like bozo_err except in addition to printing 62 * the error provided by the caller at the point of error it pops and 63 * prints all errors from the SSL error queue. 64 */ 65 BOZO_DEAD static void 66 bozo_ssl_err(bozohttpd_t *httpd, int code, const char *fmt, ...) 67 { 68 va_list ap; 69 70 va_start(ap, fmt); 71 if (httpd->logstderr || isatty(STDERR_FILENO)) { 72 vfprintf(stderr, fmt, ap); 73 fputs("\n", stderr); 74 } else 75 vsyslog(LOG_ERR, fmt, ap); 76 va_end(ap); 77 78 unsigned int sslcode = ERR_get_error(); 79 do { 80 static const char sslfmt[] = "SSL Error: %s:%s:%s"; 81 82 if (httpd->logstderr || isatty(STDERR_FILENO)) { 83 fprintf(stderr, sslfmt, 84 ERR_lib_error_string(sslcode), 85 ERR_func_error_string(sslcode), 86 ERR_reason_error_string(sslcode)); 87 } else { 88 syslog(LOG_ERR, sslfmt, 89 ERR_lib_error_string(sslcode), 90 ERR_func_error_string(sslcode), 91 ERR_reason_error_string(sslcode)); 92 } 93 } while (0 != (sslcode = ERR_get_error())); 94 exit(code); 95 } 96 97 static int 98 bozo_ssl_printf(bozohttpd_t *httpd, const char * fmt, va_list ap) 99 { 100 sslinfo_t *sslinfo; 101 char *buf; 102 int nbytes; 103 104 sslinfo = httpd->sslinfo; 105 /* XXX we need more elegant/proper handling of SSL_write return */ 106 if ((nbytes = vasprintf(&buf, fmt, ap)) != -1) 107 SSL_write(sslinfo->bozossl, buf, nbytes); 108 109 free(buf); 110 111 return nbytes; 112 } 113 114 static ssize_t 115 bozo_ssl_read(bozohttpd_t *httpd, int fd, void *buf, size_t nbytes) 116 { 117 sslinfo_t *sslinfo; 118 ssize_t rbytes; 119 120 USE_ARG(fd); 121 sslinfo = httpd->sslinfo; 122 /* XXX we need elegant/proper handling of SSL_read return */ 123 rbytes = (ssize_t)SSL_read(sslinfo->bozossl, buf, (int)nbytes); 124 if (rbytes < 1) { 125 if (SSL_get_error(sslinfo->bozossl, rbytes) == 126 SSL_ERROR_WANT_READ) 127 bozo_warn(httpd, "SSL_ERROR_WANT_READ"); 128 else 129 bozo_warn(httpd, "SSL_ERROR OTHER"); 130 } 131 132 return rbytes; 133 } 134 135 static ssize_t 136 bozo_ssl_write(bozohttpd_t *httpd, int fd, const void *buf, size_t nbytes) 137 { 138 sslinfo_t *sslinfo; 139 ssize_t wbytes; 140 141 USE_ARG(fd); 142 sslinfo = httpd->sslinfo; 143 /* XXX we need elegant/proper handling of SSL_write return */ 144 wbytes = (ssize_t)SSL_write(sslinfo->bozossl, buf, (int)nbytes); 145 146 return wbytes; 147 } 148 149 static int 150 bozo_ssl_flush(bozohttpd_t *httpd, FILE *fp) 151 { 152 USE_ARG(httpd); 153 USE_ARG(fp); 154 /* nothing to see here, move right along */ 155 return 0; 156 } 157 158 void 159 bozo_ssl_init(bozohttpd_t *httpd) 160 { 161 sslinfo_t *sslinfo; 162 163 sslinfo = httpd->sslinfo; 164 if (sslinfo == NULL || !sslinfo->certificate_file) 165 return; 166 SSL_library_init(); 167 SSL_load_error_strings(); 168 169 sslinfo->ssl_method = SSLv23_server_method(); 170 sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method); 171 172 /* XXX we need to learn how to check the SSL stack for more info */ 173 if (NULL == sslinfo->ssl_context) 174 bozo_ssl_err(httpd, EXIT_FAILURE, 175 "SSL context creation failed"); 176 177 if (1 != SSL_CTX_use_certificate_file(sslinfo->ssl_context, 178 sslinfo->certificate_file, SSL_FILETYPE_PEM)) 179 bozo_ssl_err(httpd, EXIT_FAILURE, 180 "Unable to use certificate file '%s'", 181 sslinfo->certificate_file); 182 183 if (1 != SSL_CTX_use_PrivateKey_file(sslinfo->ssl_context, 184 sslinfo->privatekey_file, SSL_FILETYPE_PEM)) 185 bozo_ssl_err(httpd, EXIT_FAILURE, 186 "Unable to use private key file '%s'", 187 sslinfo->privatekey_file); 188 189 /* check consistency of key vs certificate */ 190 if (!SSL_CTX_check_private_key(sslinfo->ssl_context)) 191 bozo_ssl_err(httpd, EXIT_FAILURE, 192 "Check private key failed"); 193 } 194 195 void 196 bozo_ssl_accept(bozohttpd_t *httpd) 197 { 198 sslinfo_t *sslinfo; 199 200 sslinfo = httpd->sslinfo; 201 if (sslinfo != NULL && sslinfo->ssl_context) { 202 sslinfo->bozossl = SSL_new(sslinfo->ssl_context); 203 SSL_set_rfd(sslinfo->bozossl, 0); 204 SSL_set_wfd(sslinfo->bozossl, 1); 205 SSL_accept(sslinfo->bozossl); 206 } 207 } 208 209 void 210 bozo_ssl_destroy(bozohttpd_t *httpd) 211 { 212 sslinfo_t *sslinfo; 213 214 sslinfo = httpd->sslinfo; 215 if (sslinfo && sslinfo->bozossl) 216 SSL_free(sslinfo->bozossl); 217 } 218 219 void 220 bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv) 221 { 222 sslinfo_t *sslinfo; 223 224 if ((sslinfo = httpd->sslinfo) == NULL) { 225 sslinfo = bozomalloc(httpd, sizeof(*sslinfo)); 226 if (sslinfo == NULL) { 227 bozo_err(httpd, 1, "sslinfo allocation failed"); 228 } 229 httpd->sslinfo = sslinfo; 230 } 231 sslinfo->certificate_file = strdup(cert); 232 sslinfo->privatekey_file = strdup(priv); 233 debug((httpd, DEBUG_NORMAL, "using cert/priv files: %s & %s", 234 sslinfo->certificate_file, 235 sslinfo->privatekey_file)); 236 if (!httpd->bindport) { 237 httpd->bindport = strdup("https"); 238 } 239 } 240 241 #endif /* NO_SSL_SUPPORT */ 242 243 int 244 bozo_printf(bozohttpd_t *httpd, const char *fmt, ...) 245 { 246 va_list args; 247 int cc; 248 249 va_start(args, fmt); 250 #ifndef NO_SSL_SUPPORT 251 if (httpd->sslinfo) { 252 cc = bozo_ssl_printf(httpd, fmt, args); 253 va_end(args); 254 return cc; 255 } 256 #endif 257 cc = vprintf(fmt, args); 258 va_end(args); 259 return cc; 260 } 261 262 ssize_t 263 bozo_read(bozohttpd_t *httpd, int fd, void *buf, size_t len) 264 { 265 #ifndef NO_SSL_SUPPORT 266 if (httpd->sslinfo) { 267 return bozo_ssl_read(httpd, fd, buf, len); 268 } 269 #endif 270 return read(fd, buf, len); 271 } 272 273 ssize_t 274 bozo_write(bozohttpd_t *httpd, int fd, const void *buf, size_t len) 275 { 276 #ifndef NO_SSL_SUPPORT 277 if (httpd->sslinfo) { 278 return bozo_ssl_write(httpd, fd, buf, len); 279 } 280 #endif 281 return write(fd, buf, len); 282 } 283 284 int 285 bozo_flush(bozohttpd_t *httpd, FILE *fp) 286 { 287 #ifndef NO_SSL_SUPPORT 288 if (httpd->sslinfo) { 289 return bozo_ssl_flush(httpd, fp); 290 } 291 #endif 292 return fflush(fp); 293 } 294
Indexes created Thu Oct 02 14:10:14 GMT 2025