sslconnection.cpp 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329
  1. //#ifdef USE_SSL
  2. //#include "netinc.h"
  3. //#include "util.h"
  4. //#include "connection.h"
  5. #include "sslconnection.h"
  6. SSL_CTX *sslContext = 0;
  7. #ifdef _DEBUG
  8. extern "C" void apps_ssl_info_callback (const SSL * s, int where, int ret)
  9. {
  10. /*
  11. ** DEBUG INFO HERE
  12. */
  13. }
  14. #endif
  15. /*
  16. ** Well, you should probably change this based on like...
  17. ** well, you're level of trust heh
  18. ** For now, this basically trusts all certs :)
  19. **
  20. */
  21. #if 0
  22. extern "C" int verify_callback(int ok, X509_STORE_CTX * ctx)
  23. {
  24. /* For certificate verification */
  25. int verify_depth = 0;
  26. int verify_error = X509_V_OK;
  27. char buf[1024] = {0};
  28. X509 * err_cert = X509_STORE_CTX_get_current_cert(ctx);
  29. int err = X509_STORE_CTX_get_error(ctx);
  30. int depth = X509_STORE_CTX_get_error_depth(ctx);
  31. X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
  32. if (!ok)
  33. {
  34. if (verify_depth >= depth)
  35. {
  36. ok = 1;
  37. verify_error = X509_V_OK;
  38. }
  39. else
  40. {
  41. ok = 0;
  42. verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
  43. }
  44. }
  45. switch (ctx->error)
  46. {
  47. case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
  48. X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
  49. break;
  50. case X509_V_ERR_CERT_NOT_YET_VALID:
  51. case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
  52. break;
  53. case X509_V_ERR_CERT_HAS_EXPIRED:
  54. case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
  55. break;
  56. }
  57. return ok;
  58. }
  59. #endif
  60. JNL_SSL_Connection::JNL_SSL_Connection() : forceConnect(false), m_ssl(0), m_bsslinit(false), m_bcontextowned(true)
  61. {
  62. m_bsslinit = true;
  63. }
  64. JNL_SSL_Connection::JNL_SSL_Connection(SSL* pssl, JNL_AsyncDNS *dns, size_t sendbufsize, size_t recvbufsize) : JNL_Connection(dns, sendbufsize, recvbufsize),
  65. forceConnect(false)
  66. {
  67. m_ssl = pssl;
  68. m_bsslinit = false;
  69. if (m_ssl)
  70. {
  71. m_bcontextowned = false;
  72. }
  73. else
  74. {
  75. m_bcontextowned = true;
  76. }
  77. if (m_bcontextowned == false)
  78. {
  79. return ;
  80. }
  81. m_bsslinit = true;
  82. /* See the SSL states in our own callback */
  83. #ifdef _DEBUG
  84. // SSL_CTX_set_info_callback(m_app_ctx, apps_ssl_info_callback);
  85. #endif
  86. /* Set the certificate verification callback */
  87. //SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER, verify_callback);
  88. /* Not sure what this does */
  89. //SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_CLIENT);
  90. return ;
  91. }
  92. int JNL_SSL_Connection::socket_connect()
  93. {
  94. int retval;
  95. if (m_bcontextowned == false)
  96. {
  97. /*
  98. ** WTF?
  99. */
  100. return -1;
  101. }
  102. if (m_ssl != NULL)
  103. {
  104. return -1;
  105. }
  106. retval = JNL_Connection::socket_connect();
  107. if (retval != 0)
  108. {
  109. if (ERRNO != JNL_EINPROGRESS)
  110. {
  111. return retval; // benski> if the underlying socket hasn't connected yet, then we can't start the SSL connection
  112. /*
  113. ** Joshua Teitelbaum 3/2/2006
  114. ** Fatal error here
  115. */
  116. }
  117. }
  118. // moved from InitSSL() as no need to create this unless
  119. // we're actually going to use it which helps slow loads
  120. if (!sslContext)
  121. {
  122. sslContext = SSL_CTX_new(SSLv23_client_method());
  123. if (sslContext)
  124. {
  125. SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
  126. }
  127. else
  128. {
  129. return -1;
  130. }
  131. }
  132. m_ssl = SSL_new(sslContext);
  133. if (m_ssl == NULL)
  134. {
  135. return -1;
  136. }
  137. /* Tell that we are in connect mode */
  138. SSL_set_connect_state(m_ssl);
  139. /* Set socket descriptor with the socket we already have open */
  140. if(SSL_set_fd(m_ssl, m_socket) != 0)
  141. {
  142. return -1;
  143. }
  144. return retval;
  145. }
  146. void JNL_SSL_Connection::socket_shutdown()
  147. {
  148. if (m_ssl)
  149. SSL_shutdown(m_ssl);
  150. JNL_Connection::socket_shutdown();
  151. if (m_ssl)
  152. {
  153. SSL_free(m_ssl);
  154. m_ssl = NULL;
  155. }
  156. return ;
  157. }
  158. void JNL_SSL_Connection::run(size_t max_send_bytes, size_t max_recv_bytes, size_t *bytes_sent, size_t *bytes_rcvd)
  159. {
  160. if (!m_bsslinit)
  161. {
  162. int rval = SSL_accept(m_ssl);
  163. if (rval == -1)
  164. {
  165. int e = SSL_get_error(m_ssl, rval);
  166. if (!((e == SSL_ERROR_WANT_READ) || (e == SSL_ERROR_WANT_WRITE)))
  167. {
  168. m_state = STATE_ERROR;
  169. }
  170. return ;
  171. }
  172. else
  173. {
  174. m_bsslinit = true;
  175. }
  176. }
  177. /**
  178. ** benski - march 2, 2006
  179. **if the underlying socket didn't connected yet, we need to try the SSL connection again
  180. */
  181. if (forceConnect)
  182. {
  183. if(init_ssl_connection() == false)
  184. {
  185. return;
  186. }
  187. }
  188. JNL_Connection::run(max_send_bytes, max_recv_bytes, bytes_sent, bytes_rcvd);
  189. }
  190. /*
  191. ** init_ssl_connection:
  192. ** Returns true, meaning can continue
  193. ** Else, cannot continue with underlying run
  194. ** side effects:
  195. ** sets forceConnect
  196. */
  197. bool JNL_SSL_Connection::init_ssl_connection()
  198. {
  199. if(m_ssl == NULL)
  200. {
  201. /*
  202. ** WTF?
  203. ** cascade up.
  204. */
  205. return true;
  206. }
  207. int retval = SSL_connect(m_ssl);
  208. if (retval < 0)
  209. {
  210. int err = SSL_get_error(m_ssl, retval);
  211. switch (err)
  212. {
  213. case SSL_ERROR_WANT_READ:
  214. case SSL_ERROR_WANT_WRITE:
  215. case SSL_ERROR_WANT_CONNECT:
  216. forceConnect = true;
  217. break;
  218. // fall through
  219. default: // TODO: benski> MOST other errors are OK, (especially "want read" and "want write", but we need to think through all the scenarios here
  220. forceConnect=false;
  221. }
  222. }
  223. else if(retval)
  224. {
  225. /*
  226. ** success
  227. */
  228. forceConnect = false;
  229. }
  230. /*
  231. ** If retval == 0
  232. ** socket is closed, or serious error occurred.
  233. ** cascade up.
  234. */
  235. return forceConnect==false;
  236. }
  237. void JNL_SSL_Connection::on_socket_connected(void)
  238. {
  239. init_ssl_connection();
  240. }
  241. void JNL_SSL_Connection::connect(SOCKET s, sockaddr *addr, socklen_t length)
  242. {
  243. /*
  244. ** Joshua Teitelbaum 2/01/2006
  245. ** No need to close
  246. ** This is the reason for divergence as well as setting
  247. ** the connect state
  248. */
  249. m_socket = s;
  250. address=(sockaddr *)malloc(length);
  251. memcpy(address, addr, length);
  252. m_remote_port = 0;
  253. if (m_socket != -1)
  254. {
  255. SET_SOCK_BLOCK(m_socket, 0);
  256. m_state = STATE_CONNECTED;
  257. SSL_set_fd(m_ssl, m_socket);
  258. }
  259. else
  260. {
  261. m_errorstr = "invalid socket passed to connect";
  262. m_state = STATE_ERROR;
  263. }
  264. }
  265. ssize_t JNL_SSL_Connection::socket_recv(char *buf, size_t len, int options)
  266. {
  267. return SSL_read(m_ssl, buf, (int)len);
  268. }
  269. ssize_t JNL_SSL_Connection::socket_send(const char *buf, size_t len, int options)
  270. {
  271. return SSL_write(m_ssl, buf, (int)len);
  272. }
  273. JNL_SSL_Connection::~JNL_SSL_Connection()
  274. {
  275. if (m_ssl)
  276. {
  277. SSL_free(m_ssl);
  278. m_ssl = NULL;
  279. }
  280. }
  281. //#endif