root/src/eventer/eventer_SSL_fd_opset.c

Revision 6210da7ee0e2ed143d71a8e00b709f16e71059f8, 13.3 kB (checked in by Theo Schlossnagle <jesus@omniti.com>, 6 years ago)

various changes to avoid dereferencing type-punned pointers and breaking strict-aliasing rules, refs #34

  • Property mode set to 100644
Line 
1 /*
2  * Copyright (c) 2007, OmniTI Computer Consulting, Inc.
3  * All rights reserved.
4  */
5
6 #include "noit_defines.h"
7 #include "eventer/eventer.h"
8 #include "utils/noit_log.h"
9 #include "eventer/eventer_SSL_fd_opset.h"
10
11 #include <sys/socket.h>
12 #include <unistd.h>
13
14 #include <openssl/ssl.h>
15 #include <openssl/err.h>
16 #include <openssl/engine.h>
17
18 #define EVENTER_SSL_DATANAME "eventer_ssl"
19
20 struct eventer_ssl_ctx_t {
21   SSL_CTX *ssl_ctx;
22   SSL     *ssl;
23   char    *issuer;
24   char    *subject;
25   eventer_ssl_verify_func_t verify_cb;
26   void    *verify_cb_closure;
27 };
28
29 /* Static function prototypes */
30 static void SSL_set_eventer_ssl_ctx(SSL *ssl, eventer_ssl_ctx_t *ctx);
31 static eventer_ssl_ctx_t *SSL_get_eventer_ssl_ctx(SSL *ssl);
32 static void _eventer_ssl_error();
33 static RSA *tmp_rsa_cb(SSL *ssl, int export, int keylen);
34
35 #define eventer_ssl_error() _eventer_ssl_error(__FILE__,__LINE__)
36
37 static void
38 _eventer_ssl_error(const char *f, int l) {
39   unsigned long err;
40   char buf[120]; /* ERR_error_string(3): buf must be at least 120 bytes */
41   noitL(noit_error, "%s:%d: errno: [%d] %s\n", f, l, errno, strerror(errno));
42   while((err = ERR_get_error()) != 0) {
43     ERR_error_string(err, buf);
44     noitL(noit_error, "%s:%d: write error[%08lx] %s\n", f, l, err, buf);
45   }
46 }
47
48 /*
49  * Cribbed from SSL examples.
50  */
51 static char *tmpkeyfile = NULL;
52 static time_t tmpkeyfile_time = 0;
53 static RSA *
54 tmp_rsa_cb(SSL *ssl, int export, int keylen) {
55   RSA *tmpkey;
56   if (!export) keylen = 512;
57   if (tmpkeyfile && keylen == 512) {
58     BIO *in = BIO_new_file(tmpkeyfile, "r");
59     if (in) {
60       RSA *rsa = PEM_read_bio_RSAPrivateKey(in,NULL,NULL,NULL);
61       BIO_free(in);
62       if (rsa) return rsa;
63     }
64   }
65   tmpkey = RSA_generate_key(keylen,RSA_F4,NULL,NULL);
66   if(tmpkeyfile && keylen == 512) {
67     BIO *out = BIO_new_file(tmpkeyfile, "r");
68     if(!out ||
69        !PEM_write_bio_RSAPrivateKey(out, tmpkey, NULL, NULL, 0, 0, NULL)) {
70       noitL(noit_error, "Could not save temporary RSA key to %s\n", tmpkeyfile);
71     } else {
72       tmpkeyfile_time = time(NULL);
73     }
74     if(out) BIO_free(out);
75   }
76   return tmpkey;
77 }
78
79 int
80 eventer_ssl_verify_dates(eventer_ssl_ctx_t *ctx, int ok,
81                          X509_STORE_CTX *x509ctx, void *closure) {
82   time_t now;
83   X509 *peer;
84   if(!x509ctx) return -1;
85   peer = X509_STORE_CTX_get_current_cert(x509ctx);
86   time(&now);
87   if(X509_cmp_time(X509_get_notBefore(peer), &now) > 0) return -1;
88   if(X509_cmp_time(X509_get_notAfter(peer), &now) < 0) return 1;
89   return 0;
90 }
91
92 int
93 eventer_ssl_verify_cert(eventer_ssl_ctx_t *ctx, int ok,
94                         X509_STORE_CTX *x509ctx, void *closure) {
95   SSL *ssl;
96   noit_hash_table *options = closure;
97   const char *opt_no_ca, *ignore_dates;
98   int v_res;
99
100   if(!x509ctx) return 0;
101
102   if(!noit_hash_retr_str(options, "optional_no_ca", strlen("optional_no_ca"),
103                          &opt_no_ca))
104     opt_no_ca = "false";
105   if(!noit_hash_retr_str(options, "ignore_dates", strlen("ignore_dates"),
106                          &ignore_dates))
107     ignore_dates = "false";
108
109   ssl = X509_STORE_CTX_get_ex_data(x509ctx,
110                                    SSL_get_ex_data_X509_STORE_CTX_idx());
111   v_res = X509_STORE_CTX_get_error(x509ctx);
112
113   if((v_res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
114      (v_res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ||
115      (v_res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) ||
116      (v_res == X509_V_ERR_CERT_UNTRUSTED) ||
117      (v_res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
118     if(!strcmp(opt_no_ca, "true")) ok = 1;
119     else {
120       noitL(noit_error, "SSL client cert invalid: %s\n",
121             X509_verify_cert_error_string(v_res));
122       ok = 0;
123       goto set_out;
124     }
125   }
126   v_res = eventer_ssl_verify_dates(ctx, ok, x509ctx, closure);
127   if(v_res != 0) {
128     if(!strcmp(ignore_dates, "true")) ok = 1;
129     else {
130       noitL(noit_error, "SSL client cert is %s valid.\n",
131             (v_res < 0) ? "not yet" : "no longer");
132       ok = 0;
133       goto set_out;
134     }
135   }
136  set_out:
137   return ok;
138 }
139
140 #define GET_SET_X509_NAME(type) \
141 static void \
142 eventer_ssl_set_peer_##type(eventer_ssl_ctx_t *ctx, \
143                              X509_STORE_CTX *x509ctx) { \
144   char buffer[1024]; \
145   X509 *peer; \
146   peer = X509_STORE_CTX_get_current_cert(x509ctx); \
147   X509_NAME_oneline(X509_get_##type##_name(peer), buffer, sizeof(buffer)-1); \
148   if(ctx->type) free(ctx->type); \
149   ctx->type = strdup(buffer); \
150 } \
151 char * \
152 eventer_ssl_get_peer_##type(eventer_ssl_ctx_t *ctx) { \
153   return ctx->type; \
154 }
155
156 GET_SET_X509_NAME(issuer)
157 GET_SET_X509_NAME(subject)
158
159 static int
160 verify_cb(int ok, X509_STORE_CTX *x509ctx) {
161   eventer_ssl_ctx_t *ctx;
162   SSL *ssl;
163
164   ssl = X509_STORE_CTX_get_ex_data(x509ctx,
165                                    SSL_get_ex_data_X509_STORE_CTX_idx());
166   ctx = SSL_get_eventer_ssl_ctx(ssl);
167   eventer_ssl_set_peer_subject(ctx, x509ctx);
168   eventer_ssl_set_peer_issuer(ctx, x509ctx);
169   if(ctx->verify_cb)
170     return ctx->verify_cb(ctx, ok, x509ctx, ctx->verify_cb_closure);
171   return ok;
172 }
173
174 /*
175  * Helpers to create and destroy our context.
176  */
177 void
178 eventer_ssl_ctx_free(eventer_ssl_ctx_t *ctx) {
179   if(ctx->ssl) SSL_free(ctx->ssl);
180   if(ctx->ssl_ctx) SSL_CTX_free(ctx->ssl_ctx);
181   if(ctx->issuer) free(ctx->issuer);
182   if(ctx->subject) free(ctx->subject);
183   free(ctx);
184 }
185
186 eventer_ssl_ctx_t *
187 eventer_ssl_ctx_new(eventer_ssl_orientation_t type,
188                     const char *certificate, const char *key,
189                     const char *ca, const char *ciphers) {
190   eventer_ssl_ctx_t *ctx;
191   ctx = calloc(1, sizeof(*ctx));
192   if(!ctx) return NULL;
193   /*
194    * First step is to setup the SSL context.  This is long-lived in SSL-land
195    * however, that would require us caching it.  Maybe we'll do that?
196    */
197   ctx->ssl_ctx = SSL_CTX_new(type == SSL_SERVER ?
198                              SSLv23_server_method() : SSLv23_client_method());
199   if(!ctx->ssl_ctx) return NULL;
200   if (type == SSL_SERVER)
201     SSL_CTX_set_session_id_context(ctx->ssl_ctx,
202             (unsigned char *)EVENTER_SSL_DATANAME,
203             sizeof(EVENTER_SSL_DATANAME)-1);
204   SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_ALL);
205   if(certificate &&
206      SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, certificate) != 1)
207     goto bail;
208   if(key &&
209      SSL_CTX_use_RSAPrivateKey_file(ctx->ssl_ctx,key,
210                                     SSL_FILETYPE_PEM) != 1)
211     goto bail;
212   if(ca) {
213     STACK_OF(X509_NAME) *cert_stack;
214     if(!SSL_CTX_load_verify_locations(ctx->ssl_ctx,ca,NULL) ||
215        (cert_stack = SSL_load_client_CA_file(ca)) == NULL)
216       goto bail;
217     SSL_CTX_set_client_CA_list(ctx->ssl_ctx, cert_stack);
218   }
219   SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, tmp_rsa_cb);
220   SSL_CTX_set_cipher_list(ctx->ssl_ctx, ciphers ? ciphers : "DEFAULT");
221   SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, verify_cb);
222   SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
223
224   ctx->ssl = SSL_new(ctx->ssl_ctx);
225   if(!ctx->ssl) goto bail;
226   SSL_set_eventer_ssl_ctx(ctx->ssl, ctx);
227   return ctx;
228
229  bail:
230   eventer_ssl_error();
231   eventer_ssl_ctx_free(ctx);
232   return NULL;
233 }
234
235 /*
236  * This is a set of helpers to tie the SSL stuff to the eventer_t.
237  */
238 static int SSL_eventer_ssl_ctx_dataid = -1;
239 #define INIT_DATAID do { \
240   if(SSL_eventer_ssl_ctx_dataid == -1) \
241     SSL_eventer_ssl_ctx_dataid = \
242       SSL_get_ex_new_index(0, EVENTER_SSL_DATANAME, NULL, NULL, NULL); \
243 } while(0)
244
245 static void
246 SSL_set_eventer_ssl_ctx(SSL *ssl, eventer_ssl_ctx_t *ctx) {
247   INIT_DATAID;
248   SSL_set_ex_data(ssl, SSL_eventer_ssl_ctx_dataid, ctx);
249 }
250
251 static eventer_ssl_ctx_t *
252 SSL_get_eventer_ssl_ctx(SSL *ssl) {
253   INIT_DATAID;
254   return SSL_get_ex_data(ssl, SSL_eventer_ssl_ctx_dataid);
255 }
256
257 eventer_ssl_ctx_t *
258 eventer_get_eventer_ssl_ctx(eventer_t e) {
259   return (e->opset == eventer_SSL_fd_opset) ? e->opset_ctx : NULL;
260 }
261
262 void
263 eventer_set_eventer_ssl_ctx(eventer_t e, eventer_ssl_ctx_t *ctx) {
264   e->opset = eventer_SSL_fd_opset;
265   e->opset_ctx = ctx;
266   SSL_set_fd(ctx->ssl, e->fd);
267 }
268
269 void
270 eventer_ssl_ctx_set_verify(eventer_ssl_ctx_t *ctx,
271                            eventer_ssl_verify_func_t f, void *c) {
272   ctx->verify_cb = f;
273   ctx->verify_cb_closure = c;
274 }
275
276 /* Accept will perform the usual BSD socket accept and then
277  * hand it into the SSL system.
278  */
279 static int
280 _noallowed_eventer_SSL_accept(int fd, struct sockaddr *addr, socklen_t *len,
281                               int *mask, void *closure) {
282   return -1;
283 }
284
285 static int
286 eventer_SSL_setup(eventer_ssl_ctx_t *ctx) {
287   X509 *peer = NULL;
288   SSL_set_mode(ctx->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
289   peer = SSL_get_peer_certificate(ctx->ssl);
290
291   /* If have no peer, or the peer cert isn't okay, our
292    * callback won't fire, so fire it explicitly here.
293    * Learnt this from mod_ssl.
294    */
295   if(!peer ||
296      (peer && SSL_get_verify_result(ctx->ssl) != X509_V_OK)) {
297     if(ctx->verify_cb) {
298       return ctx->verify_cb(ctx, 0, NULL, ctx->verify_cb_closure);
299     }
300   }
301   return 0;
302 }
303
304 /* The read and write operations for ssl are almost identical.
305  * We read or write, depending on the need and if the SSL subsystem
306  * says we need more data to continue we mask for read, if it says
307  * we need need to write data to continue we mask for write.  Either
308  * way, we EAGAIN.
309  * If there is an SSL error, we spit it out and return EIO as that
310  * seems most appropriate.
311  */
312 static int
313 eventer_SSL_rw(int op, int fd, void *buffer, size_t len, int *mask,
314                void *closure) {
315   int rv, sslerror;
316   eventer_t e = closure;
317   eventer_ssl_ctx_t *ctx = e->opset_ctx;
318   int (*sslop)(SSL *) = NULL;
319
320   switch(op) {
321     case SSL_OP_READ:
322       if((rv = SSL_read(ctx->ssl, buffer, len)) > 0) return rv;
323       break;
324     case SSL_OP_WRITE:
325       if((rv = SSL_write(ctx->ssl, buffer, len)) > 0) return rv;
326       break;
327
328     case SSL_OP_CONNECT:
329       if(!sslop) sslop = SSL_connect;
330       /* fall through */
331     case SSL_OP_ACCEPT:
332       /* only set if we didn't fall through */
333       if(!sslop) sslop = SSL_accept;
334    
335       if((rv = sslop(ctx->ssl)) > 0) {
336         if(eventer_SSL_setup(ctx)) {
337           errno = EIO;
338           return -1;
339         }
340         return rv;
341       }
342       break;
343
344     default:
345       abort();
346   }
347
348   switch(sslerror = SSL_get_error(ctx->ssl, rv)) {
349     case SSL_ERROR_NONE:
350       return 0;
351     case SSL_ERROR_WANT_READ:
352     case SSL_ERROR_WANT_WRITE:
353       *mask = (sslerror == SSL_ERROR_WANT_READ) ?
354                 EVENTER_READ : EVENTER_WRITE;
355       errno = EAGAIN;
356       break;
357     default:
358       noitL(noit_error, "SSL rw error: %d\n", sslerror);
359       eventer_ssl_error();
360       errno = EIO;
361   }
362   return -1;
363 }
364
365 int
366 eventer_SSL_accept(eventer_t e, int *mask) {
367   return eventer_SSL_rw(SSL_OP_ACCEPT, e->fd, NULL, 0, mask, e);
368 }
369 int
370 eventer_SSL_connect(eventer_t e, int *mask) {
371   return eventer_SSL_rw(SSL_OP_CONNECT, e->fd, NULL, 0, mask, e);
372 }
373 static int
374 eventer_SSL_read(int fd, void *buffer, size_t len, int *mask, void *closure) {
375   int rv;
376   noitL(noit_debug, "SSL_read(%d) wants %ld bytes\n", fd, (long int)len);
377   rv = eventer_SSL_rw(SSL_OP_READ, fd, buffer, len, mask, closure);
378   noitL(noit_debug, "SSL_read(%d) wanted %ld bytes, got return value %d\n", fd, (long int)len, rv);
379   return rv;
380 }
381 static int
382 eventer_SSL_write(int fd, const void *buffer, size_t len, int *mask,
383                   void *closure) {
384   int rv;
385   noitL(noit_debug, "SSL_write(%d) wants %ld bytes\n", fd, (long int)len);
386   rv = eventer_SSL_rw(SSL_OP_WRITE, fd, (void *)buffer, len, mask, closure);
387   noitL(noit_debug, "SSL_write(%d) wanted %ld bytes, got return value %d\n", fd, (long int)len, rv);
388   return rv;
389 }
390
391 /* Close simply shuts down the SSL site and closes the file descriptor. */
392 static int
393 eventer_SSL_close(int fd, int *mask, void *closure) {
394   eventer_t e = closure;
395   eventer_ssl_ctx_t *ctx = e->opset_ctx;
396   SSL_shutdown(ctx->ssl);
397   eventer_ssl_ctx_free(ctx);
398   close(fd);
399   if(mask) *mask = 0;
400   return 0;
401 }
402
403 struct _fd_opset _eventer_SSL_fd_opset = {
404   _noallowed_eventer_SSL_accept,
405   eventer_SSL_read,
406   eventer_SSL_write,
407   eventer_SSL_close
408 };
409
410 eventer_fd_opset_t eventer_SSL_fd_opset = &_eventer_SSL_fd_opset;
411
412
413 /* Locking stuff to make libcrypto thread safe */
414 /* This stuff cribbed from the openssl examples */
415 struct CRYPTO_dynlock_value { pthread_mutex_t lock; };
416 static struct CRYPTO_dynlock_value *__lcks = NULL;
417 static void lock_static(int mode, int type, const char *f, int l) {
418   if(mode & CRYPTO_LOCK) pthread_mutex_lock(&__lcks[type].lock);
419   else pthread_mutex_unlock(&__lcks[type].lock);
420 }
421 static struct CRYPTO_dynlock_value *dynlock_create(const char *f, int l) {
422   struct CRYPTO_dynlock_value *lock = CRYPTO_malloc(sizeof(*lock),f,l);
423   pthread_mutex_init(&lock->lock,  NULL);
424   return lock;
425 }
426 static void dynlock_destroy(struct CRYPTO_dynlock_value *lock,
427                             const char *f, int l) {
428   pthread_mutex_destroy(&lock->lock);
429   CRYPTO_free(lock);
430 }
431 static void lock_dynamic(int mode, struct CRYPTO_dynlock_value *lock,
432                          const char *f, int l) {
433   if(mode & CRYPTO_LOCK) pthread_mutex_lock(&lock->lock);
434   else pthread_mutex_unlock(&lock->lock);
435 }
436 void eventer_ssl_init() {
437   int i, numlocks;
438   if(__lcks) return;
439   numlocks = CRYPTO_num_locks();
440   __lcks = CRYPTO_malloc(numlocks * sizeof(*__lcks),__FILE__,__LINE__);
441   for(i=0; i<numlocks; i++)
442     pthread_mutex_init(&__lcks[i].lock, NULL);
443   CRYPTO_set_id_callback((unsigned long (*)()) pthread_self);
444   CRYPTO_set_dynlock_create_callback(dynlock_create);
445   CRYPTO_set_dynlock_destroy_callback(dynlock_destroy);
446   CRYPTO_set_dynlock_lock_callback(lock_dynamic);
447   CRYPTO_set_locking_callback(lock_static);
448
449   SSL_load_error_strings();
450   SSL_library_init();
451   return;
452 }
453
Note: See TracBrowser for help on using the browser.