eventer_SSL_fd_opset.c

Revision 6210da7ee0e2ed143d71a8e00b709f16e71059f8, 13.3 kB (checked in by Theo Schlossnagle <jesus@omniti.com>, 4 years ago)
various changes to avoid dereferencing type-punned pointers and breaking strict-aliasing rules, refs #34
Property mode set to `100644`

Line
1	/*
2	* Copyright (c) 2007, OmniTI Computer Consulting, Inc.
3	* All rights reserved.
4	*/
5
6	#include "noit_defines.h"
7	#include "eventer/eventer.h"
8	#include "utils/noit_log.h"
9	#include "eventer/eventer_SSL_fd_opset.h"
10
11	#include <sys/socket.h>
12	#include <unistd.h>
13
14	#include <openssl/ssl.h>
15	#include <openssl/err.h>
16	#include <openssl/engine.h>
17
18	#define EVENTER_SSL_DATANAME "eventer_ssl"
19
20	struct eventer_ssl_ctx_t {
21	SSL_CTX *ssl_ctx;
22	SSL *ssl;
23	char *issuer;
24	char *subject;
25	eventer_ssl_verify_func_t verify_cb;
26	void *verify_cb_closure;
27	};
28
29	/* Static function prototypes */
30	static void SSL_set_eventer_ssl_ctx(SSL ssl, eventer_ssl_ctx_t ctx);
31	static eventer_ssl_ctx_t SSL_get_eventer_ssl_ctx(SSL ssl);
32	static void _eventer_ssl_error();
33	static RSA tmp_rsa_cb(SSL ssl, int export, int keylen);
34
35	#define eventer_ssl_error() _eventer_ssl_error(__FILE__,__LINE__)
36
37	static void
38	_eventer_ssl_error(const char *f, int l) {
39	unsigned long err;
40	char buf[120]; /* ERR_error_string(3): buf must be at least 120 bytes */
41	noitL(noit_error, "%s:%d: errno: [%d] %s\n", f, l, errno, strerror(errno));
42	while((err = ERR_get_error()) != 0) {
43	ERR_error_string(err, buf);
44	noitL(noit_error, "%s:%d: write error[%08lx] %s\n", f, l, err, buf);
45	}
46	}
47
48	/*
49	* Cribbed from SSL examples.
50	*/
51	static char *tmpkeyfile = NULL;
52	static time_t tmpkeyfile_time = 0;
53	static RSA *
54	tmp_rsa_cb(SSL *ssl, int export, int keylen) {
55	RSA *tmpkey;
56	if (!export) keylen = 512;
57	if (tmpkeyfile && keylen == 512) {
58	BIO *in = BIO_new_file(tmpkeyfile, "r");
59	if (in) {
60	RSA *rsa = PEM_read_bio_RSAPrivateKey(in,NULL,NULL,NULL);
61	BIO_free(in);
62	if (rsa) return rsa;
63	}
64	}
65	tmpkey = RSA_generate_key(keylen,RSA_F4,NULL,NULL);
66	if(tmpkeyfile && keylen == 512) {
67	BIO *out = BIO_new_file(tmpkeyfile, "r");
68	if(!out \|\|
69	!PEM_write_bio_RSAPrivateKey(out, tmpkey, NULL, NULL, 0, 0, NULL)) {
70	noitL(noit_error, "Could not save temporary RSA key to %s\n", tmpkeyfile);
71	} else {
72	tmpkeyfile_time = time(NULL);
73	}
74	if(out) BIO_free(out);
75	}
76	return tmpkey;
77	}
78
79	int
80	eventer_ssl_verify_dates(eventer_ssl_ctx_t *ctx, int ok,
81	X509_STORE_CTX x509ctx, void closure) {
82	time_t now;
83	X509 *peer;
84	if(!x509ctx) return -1;
85	peer = X509_STORE_CTX_get_current_cert(x509ctx);
86	time(&now);
87	if(X509_cmp_time(X509_get_notBefore(peer), &now) > 0) return -1;
88	if(X509_cmp_time(X509_get_notAfter(peer), &now) < 0) return 1;
89	return 0;
90	}
91
92	int
93	eventer_ssl_verify_cert(eventer_ssl_ctx_t *ctx, int ok,
94	X509_STORE_CTX x509ctx, void closure) {
95	SSL *ssl;
96	noit_hash_table *options = closure;
97	const char opt_no_ca, ignore_dates;
98	int v_res;
99
100	if(!x509ctx) return 0;
101
102	if(!noit_hash_retr_str(options, "optional_no_ca", strlen("optional_no_ca"),
103	&opt_no_ca))
104	opt_no_ca = "false";
105	if(!noit_hash_retr_str(options, "ignore_dates", strlen("ignore_dates"),
106	&ignore_dates))
107	ignore_dates = "false";
108
109	ssl = X509_STORE_CTX_get_ex_data(x509ctx,
110	SSL_get_ex_data_X509_STORE_CTX_idx());
111	v_res = X509_STORE_CTX_get_error(x509ctx);
112
113	if((v_res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \|\|
114	(v_res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \|\|
115	(v_res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \|\|
116	(v_res == X509_V_ERR_CERT_UNTRUSTED) \|\|
117	(v_res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
118	if(!strcmp(opt_no_ca, "true")) ok = 1;
119	else {
120	noitL(noit_error, "SSL client cert invalid: %s\n",
121	X509_verify_cert_error_string(v_res));
122	ok = 0;
123	goto set_out;
124	}
125	}
126	v_res = eventer_ssl_verify_dates(ctx, ok, x509ctx, closure);
127	if(v_res != 0) {
128	if(!strcmp(ignore_dates, "true")) ok = 1;
129	else {
130	noitL(noit_error, "SSL client cert is %s valid.\n",
131	(v_res < 0) ? "not yet" : "no longer");
132	ok = 0;
133	goto set_out;
134	}
135	}
136	set_out:
137	return ok;
138	}
139
140	#define GET_SET_X509_NAME(type) \
141	static void \
142	eventer_ssl_set_peer_##type(eventer_ssl_ctx_t *ctx, \
143	X509_STORE_CTX *x509ctx) { \
144	char buffer[1024]; \
145	X509 *peer; \
146	peer = X509_STORE_CTX_get_current_cert(x509ctx); \
147	X509_NAME_oneline(X509_get_##type##_name(peer), buffer, sizeof(buffer)-1); \
148	if(ctx->type) free(ctx->type); \
149	ctx->type = strdup(buffer); \
150	} \
151	char * \
152	eventer_ssl_get_peer_##type(eventer_ssl_ctx_t *ctx) { \
153	return ctx->type; \
154	}
155
156	GET_SET_X509_NAME(issuer)
157	GET_SET_X509_NAME(subject)
158
159	static int
160	verify_cb(int ok, X509_STORE_CTX *x509ctx) {
161	eventer_ssl_ctx_t *ctx;
162	SSL *ssl;
163
164	ssl = X509_STORE_CTX_get_ex_data(x509ctx,
165	SSL_get_ex_data_X509_STORE_CTX_idx());
166	ctx = SSL_get_eventer_ssl_ctx(ssl);
167	eventer_ssl_set_peer_subject(ctx, x509ctx);
168	eventer_ssl_set_peer_issuer(ctx, x509ctx);
169	if(ctx->verify_cb)
170	return ctx->verify_cb(ctx, ok, x509ctx, ctx->verify_cb_closure);
171	return ok;
172	}
173
174	/*
175	* Helpers to create and destroy our context.
176	*/
177	void
178	eventer_ssl_ctx_free(eventer_ssl_ctx_t *ctx) {
179	if(ctx->ssl) SSL_free(ctx->ssl);
180	if(ctx->ssl_ctx) SSL_CTX_free(ctx->ssl_ctx);
181	if(ctx->issuer) free(ctx->issuer);
182	if(ctx->subject) free(ctx->subject);
183	free(ctx);
184	}
185
186	eventer_ssl_ctx_t *
187	eventer_ssl_ctx_new(eventer_ssl_orientation_t type,
188	const char certificate, const char key,
189	const char ca, const char ciphers) {
190	eventer_ssl_ctx_t *ctx;
191	ctx = calloc(1, sizeof(*ctx));
192	if(!ctx) return NULL;
193	/*
194	* First step is to setup the SSL context. This is long-lived in SSL-land
195	* however, that would require us caching it. Maybe we'll do that?
196	*/
197	ctx->ssl_ctx = SSL_CTX_new(type == SSL_SERVER ?
198	SSLv23_server_method() : SSLv23_client_method());
199	if(!ctx->ssl_ctx) return NULL;
200	if (type == SSL_SERVER)
201	SSL_CTX_set_session_id_context(ctx->ssl_ctx,
202	(unsigned char *)EVENTER_SSL_DATANAME,
203	sizeof(EVENTER_SSL_DATANAME)-1);
204	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_ALL);
205	if(certificate &&
206	SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, certificate) != 1)
207	goto bail;
208	if(key &&
209	SSL_CTX_use_RSAPrivateKey_file(ctx->ssl_ctx,key,
210	SSL_FILETYPE_PEM) != 1)
211	goto bail;
212	if(ca) {
213	STACK_OF(X509_NAME) *cert_stack;
214	if(!SSL_CTX_load_verify_locations(ctx->ssl_ctx,ca,NULL) \|\|
215	(cert_stack = SSL_load_client_CA_file(ca)) == NULL)
216	goto bail;
217	SSL_CTX_set_client_CA_list(ctx->ssl_ctx, cert_stack);
218	}
219	SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, tmp_rsa_cb);
220	SSL_CTX_set_cipher_list(ctx->ssl_ctx, ciphers ? ciphers : "DEFAULT");
221	SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, verify_cb);
222	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
223
224	ctx->ssl = SSL_new(ctx->ssl_ctx);
225	if(!ctx->ssl) goto bail;
226	SSL_set_eventer_ssl_ctx(ctx->ssl, ctx);
227	return ctx;
228
229	bail:
230	eventer_ssl_error();
231	eventer_ssl_ctx_free(ctx);
232	return NULL;
233	}
234
235	/*
236	* This is a set of helpers to tie the SSL stuff to the eventer_t.
237	*/
238	static int SSL_eventer_ssl_ctx_dataid = -1;
239	#define INIT_DATAID do { \
240	if(SSL_eventer_ssl_ctx_dataid == -1) \
241	SSL_eventer_ssl_ctx_dataid = \
242	SSL_get_ex_new_index(0, EVENTER_SSL_DATANAME, NULL, NULL, NULL); \
243	} while(0)
244
245	static void
246	SSL_set_eventer_ssl_ctx(SSL ssl, eventer_ssl_ctx_t ctx) {
247	INIT_DATAID;
248	SSL_set_ex_data(ssl, SSL_eventer_ssl_ctx_dataid, ctx);
249	}
250
251	static eventer_ssl_ctx_t *
252	SSL_get_eventer_ssl_ctx(SSL *ssl) {
253	INIT_DATAID;
254	return SSL_get_ex_data(ssl, SSL_eventer_ssl_ctx_dataid);
255	}
256
257	eventer_ssl_ctx_t *
258	eventer_get_eventer_ssl_ctx(eventer_t e) {
259	return (e->opset == eventer_SSL_fd_opset) ? e->opset_ctx : NULL;
260	}
261
262	void
263	eventer_set_eventer_ssl_ctx(eventer_t e, eventer_ssl_ctx_t *ctx) {
264	e->opset = eventer_SSL_fd_opset;
265	e->opset_ctx = ctx;
266	SSL_set_fd(ctx->ssl, e->fd);
267	}
268
269	void
270	eventer_ssl_ctx_set_verify(eventer_ssl_ctx_t *ctx,
271	eventer_ssl_verify_func_t f, void *c) {
272	ctx->verify_cb = f;
273	ctx->verify_cb_closure = c;
274	}
275
276	/* Accept will perform the usual BSD socket accept and then
277	* hand it into the SSL system.
278	*/
279	static int
280	_noallowed_eventer_SSL_accept(int fd, struct sockaddr addr, socklen_t len,
281	int mask, void closure) {
282	return -1;
283	}
284
285	static int
286	eventer_SSL_setup(eventer_ssl_ctx_t *ctx) {
287	X509 *peer = NULL;
288	SSL_set_mode(ctx->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
289	peer = SSL_get_peer_certificate(ctx->ssl);
290
291	/* If have no peer, or the peer cert isn't okay, our
292	* callback won't fire, so fire it explicitly here.
293	* Learnt this from mod_ssl.
294	*/
295	if(!peer \|\|
296	(peer && SSL_get_verify_result(ctx->ssl) != X509_V_OK)) {
297	if(ctx->verify_cb) {
298	return ctx->verify_cb(ctx, 0, NULL, ctx->verify_cb_closure);
299	}
300	}
301	return 0;
302	}
303
304	/* The read and write operations for ssl are almost identical.
305	* We read or write, depending on the need and if the SSL subsystem
306	* says we need more data to continue we mask for read, if it says
307	* we need need to write data to continue we mask for write. Either
308	* way, we EAGAIN.
309	* If there is an SSL error, we spit it out and return EIO as that
310	* seems most appropriate.
311	*/
312	static int
313	eventer_SSL_rw(int op, int fd, void buffer, size_t len, int mask,
314	void *closure) {
315	int rv, sslerror;
316	eventer_t e = closure;
317	eventer_ssl_ctx_t *ctx = e->opset_ctx;
318	int (sslop)(SSL ) = NULL;
319
320	switch(op) {
321	case SSL_OP_READ:
322	if((rv = SSL_read(ctx->ssl, buffer, len)) > 0) return rv;
323	break;
324	case SSL_OP_WRITE:
325	if((rv = SSL_write(ctx->ssl, buffer, len)) > 0) return rv;
326	break;
327
328	case SSL_OP_CONNECT:
329	if(!sslop) sslop = SSL_connect;
330	/* fall through */
331	case SSL_OP_ACCEPT:
332	/* only set if we didn't fall through */
333	if(!sslop) sslop = SSL_accept;
334
335	if((rv = sslop(ctx->ssl)) > 0) {
336	if(eventer_SSL_setup(ctx)) {
337	errno = EIO;
338	return -1;
339	}
340	return rv;
341	}
342	break;
343
344	default:
345	abort();
346	}
347
348	switch(sslerror = SSL_get_error(ctx->ssl, rv)) {
349	case SSL_ERROR_NONE:
350	return 0;
351	case SSL_ERROR_WANT_READ:
352	case SSL_ERROR_WANT_WRITE:
353	*mask = (sslerror == SSL_ERROR_WANT_READ) ?
354	EVENTER_READ : EVENTER_WRITE;
355	errno = EAGAIN;
356	break;
357	default:
358	noitL(noit_error, "SSL rw error: %d\n", sslerror);
359	eventer_ssl_error();
360	errno = EIO;
361	}
362	return -1;
363	}
364
365	int
366	eventer_SSL_accept(eventer_t e, int *mask) {
367	return eventer_SSL_rw(SSL_OP_ACCEPT, e->fd, NULL, 0, mask, e);
368	}
369	int
370	eventer_SSL_connect(eventer_t e, int *mask) {
371	return eventer_SSL_rw(SSL_OP_CONNECT, e->fd, NULL, 0, mask, e);
372	}
373	static int
374	eventer_SSL_read(int fd, void buffer, size_t len, int mask, void *closure) {
375	int rv;
376	noitL(noit_debug, "SSL_read(%d) wants %ld bytes\n", fd, (long int)len);
377	rv = eventer_SSL_rw(SSL_OP_READ, fd, buffer, len, mask, closure);
378	noitL(noit_debug, "SSL_read(%d) wanted %ld bytes, got return value %d\n", fd, (long int)len, rv);
379	return rv;
380	}
381	static int
382	eventer_SSL_write(int fd, const void buffer, size_t len, int mask,
383	void *closure) {
384	int rv;
385	noitL(noit_debug, "SSL_write(%d) wants %ld bytes\n", fd, (long int)len);
386	rv = eventer_SSL_rw(SSL_OP_WRITE, fd, (void *)buffer, len, mask, closure);
387	noitL(noit_debug, "SSL_write(%d) wanted %ld bytes, got return value %d\n", fd, (long int)len, rv);
388	return rv;
389	}
390
391	/* Close simply shuts down the SSL site and closes the file descriptor. */
392	static int
393	eventer_SSL_close(int fd, int mask, void closure) {
394	eventer_t e = closure;
395	eventer_ssl_ctx_t *ctx = e->opset_ctx;
396	SSL_shutdown(ctx->ssl);
397	eventer_ssl_ctx_free(ctx);
398	close(fd);
399	if(mask) *mask = 0;
400	return 0;
401	}
402
403	struct _fd_opset _eventer_SSL_fd_opset = {
404	_noallowed_eventer_SSL_accept,
405	eventer_SSL_read,
406	eventer_SSL_write,
407	eventer_SSL_close
408	};
409
410	eventer_fd_opset_t eventer_SSL_fd_opset = &_eventer_SSL_fd_opset;
411
412
413	/* Locking stuff to make libcrypto thread safe */
414	/* This stuff cribbed from the openssl examples */
415	struct CRYPTO_dynlock_value { pthread_mutex_t lock; };
416	static struct CRYPTO_dynlock_value *__lcks = NULL;
417	static void lock_static(int mode, int type, const char *f, int l) {
418	if(mode & CRYPTO_LOCK) pthread_mutex_lock(&__lcks[type].lock);
419	else pthread_mutex_unlock(&__lcks[type].lock);
420	}
421	static struct CRYPTO_dynlock_value dynlock_create(const char f, int l) {
422	struct CRYPTO_dynlock_value lock = CRYPTO_malloc(sizeof(lock),f,l);
423	pthread_mutex_init(&lock->lock, NULL);
424	return lock;
425	}
426	static void dynlock_destroy(struct CRYPTO_dynlock_value *lock,
427	const char *f, int l) {
428	pthread_mutex_destroy(&lock->lock);
429	CRYPTO_free(lock);
430	}
431	static void lock_dynamic(int mode, struct CRYPTO_dynlock_value *lock,
432	const char *f, int l) {
433	if(mode & CRYPTO_LOCK) pthread_mutex_lock(&lock->lock);
434	else pthread_mutex_unlock(&lock->lock);
435	}
436	void eventer_ssl_init() {
437	int i, numlocks;
438	if(__lcks) return;
439	numlocks = CRYPTO_num_locks();
440	__lcks = CRYPTO_malloc(numlocks * sizeof(*__lcks),__FILE__,__LINE__);
441	for(i=0; i<numlocks; i++)
442	pthread_mutex_init(&__lcks[i].lock, NULL);
443	CRYPTO_set_id_callback((unsigned long (*)()) pthread_self);
444	CRYPTO_set_dynlock_create_callback(dynlock_create);
445	CRYPTO_set_dynlock_destroy_callback(dynlock_destroy);
446	CRYPTO_set_dynlock_lock_callback(lock_dynamic);
447	CRYPTO_set_locking_callback(lock_static);
448
449	SSL_load_error_strings();
450	SSL_library_init();
451	return;
452	}
453

Note: See TracBrowser for help on using the browser.

root/src/eventer/eventer_SSL_fd_opset.c

Download in other formats: