2011-08-27 19:33:59 +04:00
|
|
|
/* $NetBSD: ssl-bozo.c,v 1.12 2011/08/27 15:33:59 joerg Exp $ */
|
2007-10-17 22:47:59 +04:00
|
|
|
|
2010-05-15 10:48:27 +04:00
|
|
|
/* $eterna: ssl-bozo.c,v 1.13 2010/05/12 12:24:58 rtr Exp $ */
|
2007-10-16 05:14:01 +04:00
|
|
|
|
|
|
|
/*
|
2010-05-10 07:37:45 +04:00
|
|
|
* Copyright (c) 1997-2010 Matthew R. Green
|
2007-10-16 05:14:01 +04:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer and
|
|
|
|
* dedication in the documentation and/or other materials provided
|
|
|
|
* with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
|
|
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
|
|
|
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* this code implements SSL for bozohttpd */
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
#include <stdarg.h>
|
|
|
|
#include <stdio.h>
|
2010-05-15 10:48:27 +04:00
|
|
|
#include <syslog.h>
|
2007-10-16 05:14:01 +04:00
|
|
|
#include <unistd.h>
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
#include "bozohttpd.h"
|
|
|
|
|
|
|
|
#ifndef NO_SSL_SUPPORT
|
|
|
|
|
2007-10-16 05:14:01 +04:00
|
|
|
#include <openssl/ssl.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
#ifndef USE_ARG
|
|
|
|
#define USE_ARG(x) /*LINTED*/(void)&(x)
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/* this structure encapsulates the ssl info */
|
|
|
|
typedef struct sslinfo_t {
|
|
|
|
SSL_CTX *ssl_context;
|
|
|
|
const SSL_METHOD *ssl_method;
|
|
|
|
SSL *bozossl;
|
|
|
|
char *certificate_file;
|
|
|
|
char *privatekey_file;
|
|
|
|
} sslinfo_t;
|
|
|
|
|
2010-05-15 10:48:27 +04:00
|
|
|
/*
|
|
|
|
* bozo_ssl_err
|
|
|
|
*
|
|
|
|
* bozo_ssl_err works just like bozo_err except in addition to printing
|
|
|
|
* the error provided by the caller at the point of error it pops and
|
|
|
|
* prints all errors from the SSL error queue.
|
|
|
|
*/
|
2011-08-27 19:33:59 +04:00
|
|
|
BOZO_DEAD static void
|
2010-05-15 10:48:27 +04:00
|
|
|
bozo_ssl_err(bozohttpd_t *httpd, int code, const char *fmt, ...)
|
|
|
|
{
|
|
|
|
va_list ap;
|
|
|
|
|
|
|
|
va_start(ap, fmt);
|
|
|
|
if (httpd->logstderr || isatty(STDERR_FILENO)) {
|
|
|
|
vfprintf(stderr, fmt, ap);
|
|
|
|
fputs("\n", stderr);
|
|
|
|
} else
|
|
|
|
vsyslog(LOG_ERR, fmt, ap);
|
|
|
|
va_end(ap);
|
|
|
|
|
|
|
|
unsigned int sslcode = ERR_get_error();
|
|
|
|
do {
|
2011-08-21 14:45:33 +04:00
|
|
|
static const char sslfmt[] = "SSL Error: %s:%s:%s";
|
2010-05-15 10:48:27 +04:00
|
|
|
|
|
|
|
if (httpd->logstderr || isatty(STDERR_FILENO)) {
|
|
|
|
fprintf(stderr, sslfmt,
|
|
|
|
ERR_lib_error_string(sslcode),
|
|
|
|
ERR_func_error_string(sslcode),
|
|
|
|
ERR_reason_error_string(sslcode));
|
|
|
|
} else {
|
|
|
|
syslog(LOG_ERR, sslfmt,
|
|
|
|
ERR_lib_error_string(sslcode),
|
|
|
|
ERR_func_error_string(sslcode),
|
|
|
|
ERR_reason_error_string(sslcode));
|
|
|
|
}
|
|
|
|
} while (0 != (sslcode = ERR_get_error()));
|
|
|
|
exit(code);
|
|
|
|
}
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
static int
|
2010-05-15 10:48:27 +04:00
|
|
|
bozo_ssl_printf(bozohttpd_t *httpd, const char * fmt, va_list ap)
|
2010-05-10 07:37:45 +04:00
|
|
|
{
|
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
char *buf;
|
|
|
|
int nbytes;
|
|
|
|
|
|
|
|
sslinfo = httpd->sslinfo;
|
|
|
|
/* XXX we need more elegant/proper handling of SSL_write return */
|
|
|
|
if ((nbytes = vasprintf(&buf, fmt, ap)) != -1)
|
|
|
|
SSL_write(sslinfo->bozossl, buf, nbytes);
|
|
|
|
|
|
|
|
free(buf);
|
|
|
|
|
|
|
|
return nbytes;
|
|
|
|
}
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
bozo_ssl_read(bozohttpd_t *httpd, int fd, void *buf, size_t nbytes)
|
|
|
|
{
|
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
ssize_t rbytes;
|
|
|
|
|
|
|
|
USE_ARG(fd);
|
|
|
|
sslinfo = httpd->sslinfo;
|
|
|
|
/* XXX we need elegant/proper handling of SSL_read return */
|
|
|
|
rbytes = (ssize_t)SSL_read(sslinfo->bozossl, buf, (int)nbytes);
|
|
|
|
if (rbytes < 1) {
|
|
|
|
if (SSL_get_error(sslinfo->bozossl, rbytes) ==
|
|
|
|
SSL_ERROR_WANT_READ)
|
|
|
|
bozo_warn(httpd, "SSL_ERROR_WANT_READ");
|
|
|
|
else
|
|
|
|
bozo_warn(httpd, "SSL_ERROR OTHER");
|
|
|
|
}
|
|
|
|
|
|
|
|
return rbytes;
|
|
|
|
}
|
2007-10-16 05:14:01 +04:00
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
static ssize_t
|
|
|
|
bozo_ssl_write(bozohttpd_t *httpd, int fd, const void *buf, size_t nbytes)
|
|
|
|
{
|
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
ssize_t wbytes;
|
|
|
|
|
|
|
|
USE_ARG(fd);
|
|
|
|
sslinfo = httpd->sslinfo;
|
|
|
|
/* XXX we need elegant/proper handling of SSL_write return */
|
|
|
|
wbytes = (ssize_t)SSL_write(sslinfo->bozossl, buf, (int)nbytes);
|
2007-10-16 05:14:01 +04:00
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
return wbytes;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
bozo_ssl_flush(bozohttpd_t *httpd, FILE *fp)
|
|
|
|
{
|
|
|
|
USE_ARG(httpd);
|
|
|
|
USE_ARG(fp);
|
|
|
|
/* nothing to see here, move right along */
|
|
|
|
return 0;
|
|
|
|
}
|
2007-10-16 05:14:01 +04:00
|
|
|
|
|
|
|
void
|
2010-05-10 07:37:45 +04:00
|
|
|
bozo_ssl_init(bozohttpd_t *httpd)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
|
|
|
|
sslinfo = httpd->sslinfo;
|
|
|
|
if (sslinfo == NULL || !sslinfo->certificate_file)
|
2007-10-16 05:14:01 +04:00
|
|
|
return;
|
|
|
|
SSL_library_init();
|
|
|
|
SSL_load_error_strings();
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
sslinfo->ssl_method = SSLv23_server_method();
|
|
|
|
sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method);
|
2007-10-16 05:14:01 +04:00
|
|
|
|
|
|
|
/* XXX we need to learn how to check the SSL stack for more info */
|
2010-05-15 10:48:27 +04:00
|
|
|
if (NULL == sslinfo->ssl_context)
|
|
|
|
bozo_ssl_err(httpd, EXIT_FAILURE,
|
|
|
|
"SSL context creation failed");
|
|
|
|
|
|
|
|
if (1 != SSL_CTX_use_certificate_file(sslinfo->ssl_context,
|
|
|
|
sslinfo->certificate_file, SSL_FILETYPE_PEM))
|
|
|
|
bozo_ssl_err(httpd, EXIT_FAILURE,
|
|
|
|
"Unable to use certificate file '%s'",
|
|
|
|
sslinfo->certificate_file);
|
|
|
|
|
|
|
|
if (1 != SSL_CTX_use_PrivateKey_file(sslinfo->ssl_context,
|
|
|
|
sslinfo->privatekey_file, SSL_FILETYPE_PEM))
|
|
|
|
bozo_ssl_err(httpd, EXIT_FAILURE,
|
|
|
|
"Unable to use private key file '%s'",
|
|
|
|
sslinfo->privatekey_file);
|
2007-10-16 05:14:01 +04:00
|
|
|
|
|
|
|
/* check consistency of key vs certificate */
|
2010-05-10 07:37:45 +04:00
|
|
|
if (!SSL_CTX_check_private_key(sslinfo->ssl_context))
|
2010-05-15 10:48:27 +04:00
|
|
|
bozo_ssl_err(httpd, EXIT_FAILURE,
|
|
|
|
"Check private key failed");
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2010-05-10 07:37:45 +04:00
|
|
|
bozo_ssl_accept(bozohttpd_t *httpd)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
|
|
|
|
sslinfo = httpd->sslinfo;
|
|
|
|
if (sslinfo != NULL && sslinfo->ssl_context) {
|
|
|
|
sslinfo->bozossl = SSL_new(sslinfo->ssl_context);
|
|
|
|
SSL_set_rfd(sslinfo->bozossl, 0);
|
|
|
|
SSL_set_wfd(sslinfo->bozossl, 1);
|
|
|
|
SSL_accept(sslinfo->bozossl);
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2010-05-10 07:37:45 +04:00
|
|
|
bozo_ssl_destroy(bozohttpd_t *httpd)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
|
|
|
|
sslinfo = httpd->sslinfo;
|
|
|
|
if (sslinfo && sslinfo->bozossl)
|
|
|
|
SSL_free(sslinfo->bozossl);
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2010-05-10 07:37:45 +04:00
|
|
|
bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
sslinfo_t *sslinfo;
|
|
|
|
|
|
|
|
if ((sslinfo = httpd->sslinfo) == NULL) {
|
|
|
|
sslinfo = bozomalloc(httpd, sizeof(*sslinfo));
|
|
|
|
if (sslinfo == NULL) {
|
|
|
|
bozo_err(httpd, 1, "sslinfo allocation failed");
|
|
|
|
}
|
|
|
|
httpd->sslinfo = sslinfo;
|
|
|
|
}
|
|
|
|
sslinfo->certificate_file = strdup(cert);
|
|
|
|
sslinfo->privatekey_file = strdup(priv);
|
|
|
|
debug((httpd, DEBUG_NORMAL, "using cert/priv files: %s & %s",
|
|
|
|
sslinfo->certificate_file,
|
|
|
|
sslinfo->privatekey_file));
|
|
|
|
if (!httpd->bindport) {
|
|
|
|
httpd->bindport = strdup("https");
|
|
|
|
}
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
#endif /* NO_SSL_SUPPORT */
|
2007-10-16 05:14:01 +04:00
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
int
|
|
|
|
bozo_printf(bozohttpd_t *httpd, const char *fmt, ...)
|
|
|
|
{
|
|
|
|
va_list args;
|
|
|
|
int cc;
|
2007-10-16 05:14:01 +04:00
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
va_start(args, fmt);
|
|
|
|
#ifndef NO_SSL_SUPPORT
|
|
|
|
if (httpd->sslinfo) {
|
|
|
|
cc = bozo_ssl_printf(httpd, fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
return cc;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
cc = vprintf(fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
return cc;
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
ssize_t
|
|
|
|
bozo_read(bozohttpd_t *httpd, int fd, void *buf, size_t len)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
#ifndef NO_SSL_SUPPORT
|
|
|
|
if (httpd->sslinfo) {
|
|
|
|
return bozo_ssl_read(httpd, fd, buf, len);
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
2010-05-10 07:37:45 +04:00
|
|
|
#endif
|
|
|
|
return read(fd, buf, len);
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
ssize_t
|
|
|
|
bozo_write(bozohttpd_t *httpd, int fd, const void *buf, size_t len)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
#ifndef NO_SSL_SUPPORT
|
|
|
|
if (httpd->sslinfo) {
|
|
|
|
return bozo_ssl_write(httpd, fd, buf, len);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
return write(fd, buf, len);
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|
|
|
|
|
2010-05-10 07:37:45 +04:00
|
|
|
int
|
|
|
|
bozo_flush(bozohttpd_t *httpd, FILE *fp)
|
2007-10-16 05:14:01 +04:00
|
|
|
{
|
2010-05-10 07:37:45 +04:00
|
|
|
#ifndef NO_SSL_SUPPORT
|
|
|
|
if (httpd->sslinfo) {
|
|
|
|
return bozo_ssl_flush(httpd, fp);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
return fflush(fp);
|
2007-10-16 05:14:01 +04:00
|
|
|
}
|