-
Notifications
You must be signed in to change notification settings - Fork 0
/
libssl.c
328 lines (269 loc) · 8.35 KB
/
libssl.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
/* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License. For a copy,
* see http://www.gnu.org/licenses/gpl-2.0.html.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* The copyright holder gives permission to link this code with the OpenSSL
* library and distribute linked combinations including the two. You must obey
* the GNU General Public License in all respects for all of the code used other
* than OpenSSL. If you modify this file, you may extend this exception to your
* version of the file, but you are not obligated to do so. If you do not wish to
* do so, delete this exception statement from your version.
*/
#include "config.h"
#ifdef HAVE_SSL
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <pthread.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "alternative.h"
#include "libssl.h"
static pthread_mutex_t *locks;
static int lockcount;
#ifdef DEBUG
int print_ssl_error(SSL *ssl, int code) {
int result;
switch (result = SSL_get_error(ssl, code)) {
case SSL_ERROR_ZERO_RETURN:
fprintf(stderr, "connection closed\n");
break;
case SSL_ERROR_WANT_READ:
fprintf(stderr, "read incomplete\n");
break;
case SSL_ERROR_WANT_WRITE:
fprintf(stderr, "write incomplete\n");
break;
case SSL_ERROR_WANT_CONNECT:
fprintf(stderr, "connect incomplete\n");
break;
case SSL_ERROR_WANT_ACCEPT:
fprintf(stderr, "accept incomplete\n");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
fprintf(stderr, "X509 lookup incomplete\n");
break;
case SSL_ERROR_SYSCALL:
fprintf(stderr, "I/O error\n");
break;
case SSL_ERROR_SSL:
fprintf(stderr, "protocol error\n");
break;
default:
fprintf(stderr, "unknown error\n");
break;
}
return result;
}
#endif
/* SSL multithread locking callback
*/
static void locking_callback(int mode, int n, const char *file, int line) {
if ((n >= 0) && (n < lockcount)) {
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&locks[n]);
} else {
pthread_mutex_unlock(&locks[n]);
}
} else {
syslog(LOG_DAEMON | LOG_ALERT, "libssl::locking_callback() error!");
exit(EXIT_FAILURE);
}
}
/* SSL thread ID callback
*/
static unsigned long id_callback() {
return (unsigned long)pthread_self();
}
/* Password callback
*/
static int password_callback(char *buffer, int size, int rwflag, void *data) {
int len;
if ((len = (int)strlen((char*)data) + 1) > size) {
return 0;
}
memcpy(buffer, (char*)data, len);
return len;
}
int ssl_init(char *buffer, int size) {
int i;
SSL_library_init();
SSL_load_error_strings();
if (buffer != NULL) {
RAND_add(buffer, size, (double)size);
}
lockcount = CRYPTO_num_locks();
if (lockcount > 0) {
if ((locks = malloc(lockcount * sizeof(pthread_mutex_t))) != NULL) {
for (i = 0; i < lockcount; i++) {
if (pthread_mutex_init(&locks[i], NULL) != 0) {
return -1;
}
}
}
}
CRYPTO_set_locking_callback(locking_callback);
CRYPTO_set_id_callback(id_callback);
return 0;
}
static int load_dh_params(SSL_CTX *context, char *file) {
DH *dh = NULL;
BIO *bio;
if ((bio = BIO_new_file(file,"r")) == NULL) {
fprintf(stderr, "Couldn't open DH file");
return -1;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (SSL_CTX_set_tmp_dh(context, dh) != 1) {
fprintf(stderr, "Couldn't set DH parameters");
return -1;
}
return 0;
}
SSL_CTX *ssl_binding(char *keyfile, char *ca_cert, int verify_depth, char *dh_file, char *ciphers) {
SSL_METHOD *meth;
SSL_CTX *context;
STACK_OF(X509_NAME) *ca_list;
if ((meth = SSLv23_method()) == NULL) {
fprintf(stderr, "SSLv23_method() error\n");
return NULL;
}
if ((context = SSL_CTX_new(meth)) == NULL) {
fprintf(stderr, "SSL_CTX_new() error\n");
return NULL;
}
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
if (SSL_CTX_use_certificate_chain_file(context, keyfile) != 1) {
fprintf(stderr, "Error while reading certificate (chain) from %s\n", keyfile);
return NULL;
}
SSL_CTX_set_default_passwd_cb(context, password_callback);
/* SSL_CTX_set_default_passwd_cb_userdata(context, (void*)password); */
if (SSL_CTX_use_PrivateKey_file(context, keyfile, SSL_FILETYPE_PEM) != 1) {
fprintf(stderr, "Error while reading private key from %s\n", keyfile);
return NULL;
}
if (SSL_CTX_check_private_key(context) != 1) {
fprintf(stderr, "Private key does not match the certificate\n");
return NULL;
}
if (ca_cert != NULL) {
SSL_CTX_set_verify_depth(context, verify_depth);
SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
if (SSL_CTX_load_verify_locations(context, ca_cert, NULL) != 1) {
fprintf(stderr, "Error while setting CA verify locations\n");
return NULL;
}
if ((ca_list = SSL_load_client_CA_file(ca_cert)) == NULL) {
fprintf(stderr, "Error while loading CA certificate file\n");
return NULL;
}
SSL_CTX_set_client_CA_list(context, ca_list);
}
if (dh_file != NULL) {
if (load_dh_params(context, dh_file) == -1) {
fprintf(stderr, "Error while loading DH file\n");
return NULL;
}
}
if (ciphers != NULL) {
if (SSL_CTX_set_cipher_list(context, ciphers) == 0) {
fprintf(stderr, "Error while setting cipher list\n");
return NULL;
}
}
return context;
}
int ssl_accept(int sock, SSL **ssl, SSL_CTX *context, int timeout) {
BIO *bio;
int result;
struct timeval select_timeout;
fd_set read_fds;
if ((bio = BIO_new_socket(sock, 0)) == NULL) {
return -1;
} else if ((*ssl = SSL_new(context)) == NULL) {
return -1;
}
SSL_set_bio(*ssl, bio, bio);
FD_ZERO(&read_fds);
FD_SET(sock, &read_fds);
select_timeout.tv_sec = timeout;
select_timeout.tv_usec = 0;
result = select(sock + 1, &read_fds, NULL, NULL, &select_timeout);
if (result == -1) {
return -1;
} else if (result == 0) {
return -2;
}
if ((result = SSL_accept(*ssl)) != 1) {
#ifdef DEBUG
fprintf(stderr, "SSL_accept(): ");
print_ssl_error(*ssl, result);
#endif
SSL_free(*ssl);
return -1;
}
return 0;
}
int ssl_receive(SSL *ssl, char *buffer, unsigned int maxlength) {
int result;
result = SSL_read(ssl, buffer, maxlength);
if (result > 0) {
return result;
} else if (result == 0) {
if (SSL_get_error(ssl, result) == SSL_ERROR_ZERO_RETURN) {
return 0;
}
}
#ifdef DEBUG
fprintf(stderr, "SSL_read(): ");
print_ssl_error(ssl, result);
#endif
return -1;
}
int ssl_send(SSL *ssl, char *buffer, unsigned int length) {
int result;
result = SSL_write(ssl, buffer, length);
if (result > 0) {
return result;
} else if (result == 0) {
if (SSL_get_error(ssl, result) == SSL_ERROR_ZERO_RETURN) {
return 0;
}
}
#ifdef DEBUG
fprintf(stderr, "SSL_write(): ");
print_ssl_error(ssl, result);
#endif
return -1;
}
int ssl_close(SSL **ssl) {
int result;
result = SSL_shutdown(*ssl);
SSL_free(*ssl);
*ssl = NULL;
ERR_remove_state(0);
return result;
}
void ssl_free(SSL_CTX *context) {
SSL_CTX_free(context);
}
int get_client_certificate(SSL *ssl_data, char *subject, char *issuer, int size) {
X509 *cert;
subject[size - 1] = '\0';
issuer[size - 1] = '\0';
if ((cert = SSL_get_peer_certificate(ssl_data)) == NULL) {
return -1;
}
X509_NAME_oneline(X509_get_subject_name(cert), subject, size - 1);
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, size - 1);
return 0;
}
#endif