root/src/eventer/eventer_SSL_fd_opset.c

Revision ab93ce1ba43b38aed49616f5cbeda720e9c14296, 19.8 kB (checked in by Theo Schlossnagle <jesus@omniti.com>, 2 years ago)

adding all ciphers is needed on my Sol10box

  • Property mode set to 100644
Line 
1 /*
2  * Copyright (c) 2007, OmniTI Computer Consulting, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions are
7  * met:
8  *
9  *     * Redistributions of source code must retain the above copyright
10  *       notice, this list of conditions and the following disclaimer.
11  *     * Redistributions in binary form must reproduce the above
12  *       copyright notice, this list of conditions and the following
13  *       disclaimer in the documentation and/or other materials provided
14  *       with the distribution.
15  *     * Neither the name OmniTI Computer Consulting, Inc. nor the names
16  *       of its contributors may be used to endorse or promote products
17  *       derived from this software without specific prior written
18  *       permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32
33 #include "noit_defines.h"
34 #include "eventer/eventer.h"
35 #include "utils/noit_log.h"
36 #include "eventer/eventer_SSL_fd_opset.h"
37 #include "eventer/OETS_asn1_helper.h"
38
39 #include <sys/socket.h>
40 #include <unistd.h>
41
42 #include <openssl/ssl.h>
43 #include <openssl/err.h>
44 #include <openssl/engine.h>
45
46 #define EVENTER_SSL_DATANAME "eventer_ssl"
47
48 #define SSL_CTX_KEYLEN (PATH_MAX * 4 + 5)
49 typedef struct {
50   char *key;
51   SSL_CTX *internal_ssl_ctx;
52   time_t creation_time;
53   unsigned crl_loaded:1;
54   noit_atomic32_t refcnt;
55 } ssl_ctx_cache_node;
56
57 static noit_hash_table ssl_ctx_cache;
58 static pthread_mutex_t ssl_ctx_cache_lock;
59 static int ssl_ctx_cache_expiry = 3600;
60
61 struct eventer_ssl_ctx_t {
62   ssl_ctx_cache_node *ssl_ctx_cn;
63   SSL     *ssl;
64   char    *issuer;
65   char    *subject;
66   time_t   start_time;
67   time_t   end_time;
68   char    *cert_error;
69   eventer_ssl_verify_func_t verify_cb;
70   void    *verify_cb_closure;
71   unsigned no_more_negotiations:1;
72   unsigned renegotiated:1;
73 };
74
75 #define ssl_ctx ssl_ctx_cn->internal_ssl_ctx
76 #define ssl_ctx_crl_loaded ssl_ctx_cn->crl_loaded
77
78 /* Static function prototypes */
79 static void SSL_set_eventer_ssl_ctx(SSL *ssl, eventer_ssl_ctx_t *ctx);
80 static eventer_ssl_ctx_t *SSL_get_eventer_ssl_ctx(const SSL *ssl);
81 static void _eventer_ssl_error();
82 static RSA *tmp_rsa_cb(SSL *ssl, int export, int keylen);
83
84 #define eventer_ssl_error() _eventer_ssl_error(__FILE__,__LINE__)
85
86 static void
87 _eventer_ssl_error(const char *f, int l) {
88   unsigned long err;
89   char buf[120]; /* ERR_error_string(3): buf must be at least 120 bytes */
90   noitL(eventer_deb, "%s:%d: errno: [%d] %s\n", f, l, errno, strerror(errno));
91   while((err = ERR_get_error()) != 0) {
92     ERR_error_string(err, buf);
93     noitL(eventer_deb, "%s:%d: write error[%08lx] %s\n", f, l, err, buf);
94   }
95 }
96
97 /*
98  * Cribbed from SSL examples.
99  */
100 static char *tmpkeyfile = NULL;
101 static time_t tmpkeyfile_time = 0;
102 static RSA *
103 tmp_rsa_cb(SSL *ssl, int export, int keylen) {
104   RSA *tmpkey;
105   if (!export) keylen = 512;
106   if (tmpkeyfile && keylen == 512) {
107     BIO *in = BIO_new_file(tmpkeyfile, "r");
108     if (in) {
109       RSA *rsa = PEM_read_bio_RSAPrivateKey(in,NULL,NULL,NULL);
110       BIO_free(in);
111       if (rsa) return rsa;
112     }
113   }
114   tmpkey = RSA_generate_key(keylen,RSA_F4,NULL,NULL);
115   if(tmpkeyfile && keylen == 512) {
116     BIO *out = BIO_new_file(tmpkeyfile, "r");
117     if(!out ||
118        !PEM_write_bio_RSAPrivateKey(out, tmpkey, NULL, NULL, 0, 0, NULL)) {
119       noitL(eventer_err, "Could not save temporary RSA key to %s\n", tmpkeyfile);
120     } else {
121       tmpkeyfile_time = time(NULL);
122     }
123     if(out) BIO_free(out);
124   }
125   return tmpkey;
126 }
127
128 int
129 eventer_ssl_verify_dates(eventer_ssl_ctx_t *ctx, int ok,
130                          X509_STORE_CTX *x509ctx, void *closure) {
131   time_t now;
132   int err;
133   X509 *peer;
134   ASN1_TIME *t;
135   if(!x509ctx) return -1;
136   peer = X509_STORE_CTX_get_current_cert(x509ctx);
137   time(&now);
138   t = X509_get_notBefore(peer);
139   ctx->start_time = OETS_ASN1_TIME_get(t, &err);
140   if(X509_cmp_time(t, &now) > 0) return -1;
141   t = X509_get_notAfter(peer);
142   ctx->end_time = OETS_ASN1_TIME_get(t, &err);
143   if(X509_cmp_time(t, &now) < 0) return 1;
144   return 0;
145 }
146
147 int
148 eventer_ssl_verify_cert(eventer_ssl_ctx_t *ctx, int ok,
149                         X509_STORE_CTX *x509ctx, void *closure) {
150   noit_hash_table *options = closure;
151   const char *opt_no_ca, *ignore_dates;
152   int v_res;
153
154   if(!x509ctx) return 0;
155
156   if(!noit_hash_retr_str(options, "optional_no_ca", strlen("optional_no_ca"),
157                          &opt_no_ca))
158     opt_no_ca = "false";
159   if(!noit_hash_retr_str(options, "ignore_dates", strlen("ignore_dates"),
160                          &ignore_dates))
161     ignore_dates = "false";
162
163   if(options == NULL) {
164     /* Don't care about anything */
165     opt_no_ca = "true";
166     ignore_dates = "true";
167   }
168   X509_STORE_CTX_get_ex_data(x509ctx,
169                              SSL_get_ex_data_X509_STORE_CTX_idx());
170   v_res = X509_STORE_CTX_get_error(x509ctx);
171
172   if((v_res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
173      (v_res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ||
174      (v_res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) ||
175      (v_res == X509_V_ERR_CERT_UNTRUSTED) ||
176      (v_res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
177     ctx->cert_error = strdup(X509_verify_cert_error_string(v_res));
178     if(!strcmp(opt_no_ca, "true")) ok = 1;
179     else {
180       noitL(eventer_deb, "SSL client cert invalid: %s\n",
181             X509_verify_cert_error_string(v_res));
182       ok = 0;
183       goto set_out;
184     }
185   }
186   v_res = eventer_ssl_verify_dates(ctx, ok, x509ctx, closure);
187   if(v_res != 0) {
188     if(!strcmp(ignore_dates, "true")) ok = 1;
189     else {
190       noitL(eventer_deb, "SSL client cert is %s valid.\n",
191             (v_res < 0) ? "not yet" : "no longer");
192       ok = 0;
193       goto set_out;
194     }
195   }
196  set_out:
197   return ok;
198 }
199
200 #define GET_SET_X509_NAME(type) \
201 static void \
202 eventer_ssl_set_peer_##type(eventer_ssl_ctx_t *ctx, \
203                              X509_STORE_CTX *x509ctx) { \
204   char buffer[1024]; \
205   X509 *peer; \
206   peer = X509_STORE_CTX_get_current_cert(x509ctx); \
207   X509_NAME_oneline(X509_get_##type##_name(peer), buffer, sizeof(buffer)-1); \
208   if(ctx->type) free(ctx->type); \
209   ctx->type = strdup(buffer); \
210 } \
211 const char * \
212 eventer_ssl_get_peer_##type(eventer_ssl_ctx_t *ctx) { \
213   return ctx->type; \
214 }
215
216 GET_SET_X509_NAME(issuer)
217 GET_SET_X509_NAME(subject)
218
219 time_t
220 eventer_ssl_get_peer_start_time(eventer_ssl_ctx_t *ctx) {
221   return ctx->start_time;
222 }
223 time_t
224 eventer_ssl_get_peer_end_time(eventer_ssl_ctx_t *ctx) {
225   return ctx->end_time;
226 }
227 const char *
228 eventer_ssl_get_peer_error(eventer_ssl_ctx_t *ctx) {
229   return ctx->cert_error;
230 }
231
232 static int
233 verify_cb(int ok, X509_STORE_CTX *x509ctx) {
234   eventer_ssl_ctx_t *ctx;
235   SSL *ssl;
236
237   ssl = X509_STORE_CTX_get_ex_data(x509ctx,
238                                    SSL_get_ex_data_X509_STORE_CTX_idx());
239   ctx = SSL_get_eventer_ssl_ctx(ssl);
240   eventer_ssl_set_peer_subject(ctx, x509ctx);
241   eventer_ssl_set_peer_issuer(ctx, x509ctx);
242   if(ctx->verify_cb)
243     return ctx->verify_cb(ctx, ok, x509ctx, ctx->verify_cb_closure);
244   return ok;
245 }
246
247 /*
248  * Helpers to create and destroy our context.
249  */
250 static void
251 ssl_ctx_cache_node_free(ssl_ctx_cache_node *node) {
252   if(!node) return;
253   if(noit_atomic_dec32(&node->refcnt) == 0) {
254     SSL_CTX_free(node->internal_ssl_ctx);
255     free(node->key);
256     free(node);
257   }
258 }
259
260 void
261 eventer_ssl_ctx_free(eventer_ssl_ctx_t *ctx) {
262   if(ctx->ssl) SSL_free(ctx->ssl);
263   if(ctx->ssl_ctx_cn) ssl_ctx_cache_node_free(ctx->ssl_ctx_cn);
264   if(ctx->issuer) free(ctx->issuer);
265   if(ctx->subject) free(ctx->subject);
266   if(ctx->cert_error) free(ctx->cert_error);
267   free(ctx);
268 }
269
270 static void
271 eventer_SSL_server_info_callback(const SSL *ssl, int type, int val) {
272   eventer_ssl_ctx_t *ctx;
273
274   if (ssl->state != SSL3_ST_SR_CLNT_HELLO_A &&
275       ssl->state != SSL23_ST_SR_CLNT_HELLO_A)
276     return;
277
278   ctx = SSL_get_eventer_ssl_ctx(ssl);
279   if(ctx->no_more_negotiations) {
280     noitL(eventer_deb, "eventer_SSL_server_info_callback ... reneg is bad\n");
281     ctx->renegotiated = 1;
282   }
283 }
284
285 static void
286 ssl_ctx_key_write(char *b, int blen, eventer_ssl_orientation_t type,
287                   const char *certificate, const char *key,
288                   const char *ca, const char *ciphers) {
289   snprintf(b, blen, "%c:%s:%s:%s:%s",
290            (type == SSL_SERVER) ? 'S' : 'C',
291            certificate ? certificate : "", key ? key : "",
292            ca ? ca : "", ciphers ? ciphers : "");
293 }
294
295 static void
296 ssl_ctx_cache_remove(const char *key) {
297   pthread_mutex_lock(&ssl_ctx_cache_lock);
298   noit_hash_delete(&ssl_ctx_cache, key, strlen(key),
299                    NULL, (void (*)(void *))ssl_ctx_cache_node_free);
300   pthread_mutex_unlock(&ssl_ctx_cache_lock);
301 }
302
303 static ssl_ctx_cache_node *
304 ssl_ctx_cache_get(const char *key) {
305   void *vnode;
306   ssl_ctx_cache_node *node = NULL;
307   pthread_mutex_lock(&ssl_ctx_cache_lock);
308   if(noit_hash_retrieve(&ssl_ctx_cache, key, strlen(key), &vnode)) {
309     node = vnode;
310     noit_atomic_inc32(&node->refcnt);
311   }
312   pthread_mutex_unlock(&ssl_ctx_cache_lock);
313   return node;
314 }
315
316 static ssl_ctx_cache_node *
317 ssl_ctx_cache_set(ssl_ctx_cache_node *node) {
318   void *vnode;
319   pthread_mutex_lock(&ssl_ctx_cache_lock);
320   if(noit_hash_retrieve(&ssl_ctx_cache, node->key, strlen(node->key),
321                         &vnode)) {
322     ssl_ctx_cache_node_free(node);
323     node = vnode;
324   }
325   else {
326     noit_hash_store(&ssl_ctx_cache, node->key, strlen(node->key), node);
327   }
328   noit_atomic_inc32(&node->refcnt);
329   pthread_mutex_unlock(&ssl_ctx_cache_lock);
330   return node;
331 }
332
333 eventer_ssl_ctx_t *
334 eventer_ssl_ctx_new(eventer_ssl_orientation_t type,
335                     const char *certificate, const char *key,
336                     const char *ca, const char *ciphers) {
337   char ssl_ctx_key[SSL_CTX_KEYLEN];
338   eventer_ssl_ctx_t *ctx;
339   time_t now;
340   ctx = calloc(1, sizeof(*ctx));
341   if(!ctx) return NULL;
342
343   now = time(NULL);
344   ssl_ctx_key_write(ssl_ctx_key, sizeof(ssl_ctx_key),
345                     type, certificate, key, ca, ciphers);
346   ctx->ssl_ctx_cn = ssl_ctx_cache_get(ssl_ctx_key);
347   if(ctx->ssl_ctx_cn) {
348     if(now - ctx->ssl_ctx_cn->creation_time > ssl_ctx_cache_expiry) {
349       noit_atomic_dec32(&ctx->ssl_ctx_cn->refcnt);
350       ssl_ctx_cache_remove(ssl_ctx_key);
351       ctx->ssl_ctx_cn = NULL;
352     }
353   }
354
355   if(!ctx->ssl_ctx_cn) {
356     ctx->ssl_ctx_cn = calloc(1, sizeof(*ctx->ssl_ctx_cn));
357     ctx->ssl_ctx_cn->key = strdup(ssl_ctx_key);
358     ctx->ssl_ctx_cn->refcnt = 1;
359     ctx->ssl_ctx_cn->creation_time = now;
360     ctx->ssl_ctx = SSL_CTX_new(type == SSL_SERVER ?
361                                SSLv23_server_method() : SSLv23_client_method());
362     if(!ctx->ssl_ctx) return NULL;
363     if (type == SSL_SERVER)
364       SSL_CTX_set_session_id_context(ctx->ssl_ctx,
365               (unsigned char *)EVENTER_SSL_DATANAME,
366               sizeof(EVENTER_SSL_DATANAME)-1);
367     SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_ALL);
368 #ifdef SSL_MODE_RELEASE_BUFFERS
369     SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
370 #endif
371     if(certificate &&
372        SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, certificate) != 1)
373       goto bail;
374     if(key &&
375        SSL_CTX_use_RSAPrivateKey_file(ctx->ssl_ctx,key,
376                                       SSL_FILETYPE_PEM) != 1)
377       goto bail;
378     if(ca) {
379       STACK_OF(X509_NAME) *cert_stack;
380       if(!SSL_CTX_load_verify_locations(ctx->ssl_ctx,ca,NULL) ||
381          (cert_stack = SSL_load_client_CA_file(ca)) == NULL)
382         goto bail;
383       SSL_CTX_set_client_CA_list(ctx->ssl_ctx, cert_stack);
384     }
385     SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, tmp_rsa_cb);
386     SSL_CTX_set_cipher_list(ctx->ssl_ctx, ciphers ? ciphers : "DEFAULT");
387     SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, verify_cb);
388     SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
389     ssl_ctx_cache_set(ctx->ssl_ctx_cn);
390   }
391
392   ctx->ssl = SSL_new(ctx->ssl_ctx);
393   if(!ctx->ssl) goto bail;
394   SSL_set_info_callback(ctx->ssl, eventer_SSL_server_info_callback);
395   SSL_set_eventer_ssl_ctx(ctx->ssl, ctx);
396   return ctx;
397
398  bail:
399   eventer_ssl_error();
400   eventer_ssl_ctx_free(ctx);
401   return NULL;
402 }
403
404 int
405 eventer_ssl_use_crl(eventer_ssl_ctx_t *ctx, const char *crl_file) {
406   int ret;
407   X509_STORE *store;
408   X509_LOOKUP *lookup;
409   if(ctx->ssl_ctx_crl_loaded) return 1;
410   store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
411   lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
412   ret = X509_load_crl_file(lookup, crl_file, X509_FILETYPE_PEM);
413   X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
414                               X509_V_FLAG_CRL_CHECK_ALL);
415   if(!ret) eventer_ssl_error();
416   else ctx->ssl_ctx_crl_loaded = 1;
417   return ret;
418 }
419
420 /*
421  * This is a set of helpers to tie the SSL stuff to the eventer_t.
422  */
423 static int SSL_eventer_ssl_ctx_dataid = -1;
424 #define INIT_DATAID do { \
425   if(SSL_eventer_ssl_ctx_dataid == -1) \
426     SSL_eventer_ssl_ctx_dataid = \
427       SSL_get_ex_new_index(0, EVENTER_SSL_DATANAME, NULL, NULL, NULL); \
428 } while(0)
429
430 static void
431 SSL_set_eventer_ssl_ctx(SSL *ssl, eventer_ssl_ctx_t *ctx) {
432   INIT_DATAID;
433   SSL_set_ex_data(ssl, SSL_eventer_ssl_ctx_dataid, ctx);
434 }
435
436 static eventer_ssl_ctx_t *
437 SSL_get_eventer_ssl_ctx(const SSL *ssl) {
438   INIT_DATAID;
439   return SSL_get_ex_data(ssl, SSL_eventer_ssl_ctx_dataid);
440 }
441
442 eventer_ssl_ctx_t *
443 eventer_get_eventer_ssl_ctx(const eventer_t e) {
444   return (e->opset == eventer_SSL_fd_opset) ? e->opset_ctx : NULL;
445 }
446
447 void
448 eventer_set_eventer_ssl_ctx(eventer_t e, eventer_ssl_ctx_t *ctx) {
449   e->opset = eventer_SSL_fd_opset;
450   e->opset_ctx = ctx;
451   SSL_set_fd(ctx->ssl, e->fd);
452 }
453
454 void
455 eventer_ssl_ctx_set_verify(eventer_ssl_ctx_t *ctx,
456                            eventer_ssl_verify_func_t f, void *c) {
457   ctx->verify_cb = f;
458   ctx->verify_cb_closure = c;
459 }
460
461 /* Accept will perform the usual BSD socket accept and then
462  * hand it into the SSL system.
463  */
464 static int
465 _noallowed_eventer_SSL_accept(int fd, struct sockaddr *addr, socklen_t *len,
466                               int *mask, void *closure) {
467   return -1;
468 }
469
470 static int
471 eventer_SSL_setup(eventer_ssl_ctx_t *ctx) {
472   X509 *peer = NULL;
473   SSL_set_mode(ctx->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
474   peer = SSL_get_peer_certificate(ctx->ssl);
475
476   /* If have no peer, or the peer cert isn't okay, our
477    * callback won't fire, so fire it explicitly here.
478    * Learnt this from mod_ssl.
479    */
480   if(!peer ||
481      (peer && SSL_get_verify_result(ctx->ssl) != X509_V_OK)) {
482     if(ctx->verify_cb) {
483       if(peer) X509_free(peer);
484       return ctx->verify_cb(ctx, 0, NULL, ctx->verify_cb_closure);
485     }
486   }
487   if(peer) X509_free(peer);
488   return 0;
489 }
490
491 /* The read and write operations for ssl are almost identical.
492  * We read or write, depending on the need and if the SSL subsystem
493  * says we need more data to continue we mask for read, if it says
494  * we need need to write data to continue we mask for write.  Either
495  * way, we EAGAIN.
496  * If there is an SSL error, we spit it out and return EIO as that
497  * seems most appropriate.
498  */
499 static int
500 eventer_SSL_rw(int op, int fd, void *buffer, size_t len, int *mask,
501                void *closure) {
502   int rv, sslerror;
503   eventer_t e = closure;
504   eventer_ssl_ctx_t *ctx = e->opset_ctx;
505   int (*sslop)(SSL *) = NULL;
506   const char *opstr = NULL;
507
508   switch(op) {
509     case SSL_OP_READ:
510       opstr = "read";
511       if((rv = SSL_read(ctx->ssl, buffer, len)) > 0) return rv;
512       break;
513     case SSL_OP_WRITE:
514       opstr = "write";
515       if((rv = SSL_write(ctx->ssl, buffer, len)) > 0) return rv;
516       break;
517
518     case SSL_OP_CONNECT:
519       opstr = "connect";
520       if(!sslop) sslop = SSL_connect;
521       /* fall through */
522     case SSL_OP_ACCEPT:
523       if(!opstr) opstr = "accept";
524       /* only set if we didn't fall through */
525       if(!sslop) sslop = SSL_accept;
526    
527       if((rv = sslop(ctx->ssl)) > 0) {
528         if(eventer_SSL_setup(ctx)) {
529           errno = EIO;
530           return -1;
531         }
532         ctx->no_more_negotiations = 1;
533         return rv;
534       }
535       break;
536
537     default:
538       abort();
539   }
540   /* This can't happen as we'd have already aborted... */
541   if(!opstr) opstr = "none";
542
543   if(ctx->renegotiated) {
544     noitL(eventer_err, "SSL renogotiation attempted on %d\n", fd);
545     errno = EIO;
546     return -1;
547   }
548
549   switch(sslerror = SSL_get_error(ctx->ssl, rv)) {
550     case SSL_ERROR_NONE:
551       return 0;
552     case SSL_ERROR_WANT_READ:
553     case SSL_ERROR_WANT_WRITE:
554       *mask = (sslerror == SSL_ERROR_WANT_READ) ?
555                 EVENTER_READ : EVENTER_WRITE;
556       errno = EAGAIN;
557       break;
558     default:
559       noitL(eventer_deb, "SSL[%s of %d] rw error: %d\n", opstr,
560             (int)len, sslerror);
561       eventer_ssl_error();
562       errno = EIO;
563   }
564   return -1;
565 }
566
567 int
568 eventer_SSL_renegotiate(eventer_t e) {
569   eventer_ssl_ctx_t *ctx;
570   ctx = eventer_get_eventer_ssl_ctx(e);
571   SSL_renegotiate(ctx->ssl);
572   return 0;
573 }
574
575 int
576 eventer_SSL_accept(eventer_t e, int *mask) {
577   return eventer_SSL_rw(SSL_OP_ACCEPT, e->fd, NULL, 0, mask, e);
578 }
579 int
580 eventer_SSL_connect(eventer_t e, int *mask) {
581   return eventer_SSL_rw(SSL_OP_CONNECT, e->fd, NULL, 0, mask, e);
582 }
583 static int
584 eventer_SSL_read(int fd, void *buffer, size_t len, int *mask, void *closure) {
585   int rv;
586   rv = eventer_SSL_rw(SSL_OP_READ, fd, buffer, len, mask, closure);
587   return rv;
588 }
589 static int
590 eventer_SSL_write(int fd, const void *buffer, size_t len, int *mask,
591                   void *closure) {
592   int rv;
593   rv = eventer_SSL_rw(SSL_OP_WRITE, fd, (void *)buffer, len, mask, closure);
594   return rv;
595 }
596
597 /* Close simply shuts down the SSL site and closes the file descriptor. */
598 static int
599 eventer_SSL_close(int fd, int *mask, void *closure) {
600   eventer_t e = closure;
601   eventer_ssl_ctx_t *ctx = e->opset_ctx;
602   SSL_shutdown(ctx->ssl);
603   eventer_ssl_ctx_free(ctx);
604   close(fd);
605   if(mask) *mask = 0;
606   return 0;
607 }
608
609 struct _fd_opset _eventer_SSL_fd_opset = {
610   _noallowed_eventer_SSL_accept,
611   eventer_SSL_read,
612   eventer_SSL_write,
613   eventer_SSL_close
614 };
615
616 eventer_fd_opset_t eventer_SSL_fd_opset = &_eventer_SSL_fd_opset;
617
618
619 /* Locking stuff to make libcrypto thread safe */
620 /* This stuff cribbed from the openssl examples */
621 struct CRYPTO_dynlock_value { pthread_mutex_t lock; };
622 static struct CRYPTO_dynlock_value *__lcks = NULL;
623 static void lock_static(int mode, int type, const char *f, int l) {
624   if(mode & CRYPTO_LOCK) pthread_mutex_lock(&__lcks[type].lock);
625   else pthread_mutex_unlock(&__lcks[type].lock);
626 }
627 static struct CRYPTO_dynlock_value *dynlock_create(const char *f, int l) {
628   struct CRYPTO_dynlock_value *lock = CRYPTO_malloc(sizeof(*lock),f,l);
629   pthread_mutex_init(&lock->lock,  NULL);
630   return lock;
631 }
632 static void dynlock_destroy(struct CRYPTO_dynlock_value *lock,
633                             const char *f, int l) {
634   pthread_mutex_destroy(&lock->lock);
635   CRYPTO_free(lock);
636 }
637 static void lock_dynamic(int mode, struct CRYPTO_dynlock_value *lock,
638                          const char *f, int l) {
639   if(mode & CRYPTO_LOCK) pthread_mutex_lock(&lock->lock);
640   else pthread_mutex_unlock(&lock->lock);
641 }
642 void eventer_ssl_set_ssl_ctx_cache_expiry(int timeout) {
643   ssl_ctx_cache_expiry = timeout;
644 }
645 void eventer_ssl_init() {
646   int i, numlocks;
647   if(__lcks) return;
648   numlocks = CRYPTO_num_locks();
649   __lcks = CRYPTO_malloc(numlocks * sizeof(*__lcks),__FILE__,__LINE__);
650   for(i=0; i<numlocks; i++)
651     pthread_mutex_init(&__lcks[i].lock, NULL);
652   CRYPTO_set_id_callback((unsigned long (*)()) pthread_self);
653   CRYPTO_set_dynlock_create_callback(dynlock_create);
654   CRYPTO_set_dynlock_destroy_callback(dynlock_destroy);
655   CRYPTO_set_dynlock_lock_callback(lock_dynamic);
656   CRYPTO_set_locking_callback(lock_static);
657
658   SSL_load_error_strings();
659   SSL_library_init();
660   OpenSSL_add_all_ciphers();
661   return;
662 }
663
Note: See TracBrowser for help on using the browser.