tport_tls.c 15.7 KB
Newer Older
Pekka Pessi's avatar
Pekka Pessi committed
1 2 3 4 5 6 7
/*
 * This file is part of the Sofia-SIP package
 *
 * Copyright (C) 2005 Nokia Corporation.
 *
 * Contact: Pekka Pessi <pekka.pessi@nokia.com>
 *
8
 * This library is free software; you can redistribute it and/or
Pekka Pessi's avatar
Pekka Pessi committed
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA
 *
 */

/**@CFILE tport_tls.c
 * @brief TLS interface
27
 *
Pekka Pessi's avatar
Pekka Pessi committed
28
 * @author Mikko Haataja <ext-Mikko.A.Haataja@nokia.com>
29
 * @author Pekka Pessi <ext-Pekka.Pessi@nokia.com>
Pekka Pessi's avatar
Pekka Pessi committed
30 31 32 33 34
 *
 * Copyright 2001, 2002 Nokia Research Center.  All rights reserved.
 *
 */

35 36
#include "config.h"

Pekka Pessi's avatar
Pekka Pessi committed
37 38 39 40 41 42 43 44 45 46 47
#define OPENSSL_NO_KRB5 oh-no

#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
48
#include <openssl/opensslv.h>
Pekka Pessi's avatar
Pekka Pessi committed
49

50 51 52 53 54 55 56 57
#include <sofia-sip/su_types.h>
#include <sofia-sip/su.h>
#include <sofia-sip/su_wait.h>

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
Pekka Pessi's avatar
Pekka Pessi committed
58

59 60 61 62
#if HAVE_SIGPIPE
#include <signal.h>
#endif

Pekka Pessi's avatar
Pekka Pessi committed
63
#include "tport_tls.h"
64
#include "tport_internal.h"
Pekka Pessi's avatar
Pekka Pessi committed
65

66 67
char const tls_version[] = OPENSSL_VERSION_TEXT;

68
enum  { tls_master, tls_slave };
Pekka Pessi's avatar
Pekka Pessi committed
69 70 71 72 73 74 75 76 77 78 79

struct tls_s {
  SSL_CTX *ctx;
  SSL *con;
  BIO *bio_con;
  int type;
  int verified;

  /* Receiving */
  int read_events;
  void *read_buffer;
80
  size_t read_buffer_len;
Pekka Pessi's avatar
Pekka Pessi committed
81 82 83 84

  /* Sending */
  int   write_events;
  void *write_buffer;
85
  size_t write_buffer_len;
Pekka Pessi's avatar
Pekka Pessi committed
86 87 88 89 90 91 92

  /* Host names */
  char *hosts[TLS_MAX_HOSTS + 1];
};

enum { tls_buffer_size = 16384 };

93 94 95 96 97
/** Log TLS error(s).
 *
 * Log the TLS error specified by the error code @a e and all the errors in
 * the queue. The error code @a e implies no error, and it is not logged.
 */
98
static
99
void tls_log_errors(unsigned level, char const *s, unsigned long e)
100
{
101 102 103 104 105 106
  if (e == 0)
    e = ERR_get_error();

  if (!tport_log->log_init)
    su_log_init(tport_log);

107 108
  if (s == NULL) s = "tls";

109
  for (; e != 0; e = ERR_get_error()) {
110 111 112 113 114
    if (level <= tport_log->log_level) {
      const char *error = ERR_lib_error_string(e);
      const char *func = ERR_func_error_string(e);
      const char *reason = ERR_reason_error_string(e);

115
      su_llog(tport_log, level, "%s: %08lx:%s:%s:%s\n",
116
	      s, e, error, func, reason);
117 118
    }
  }
119 120
}

121

Pekka Pessi's avatar
Pekka Pessi committed
122 123 124 125 126 127 128 129 130 131 132
static
tls_t *tls_create(int type)
{
  tls_t *tls = calloc(1, sizeof(*tls));

  if (tls)
    tls->type = type;

  return tls;
}

133

Pekka Pessi's avatar
Pekka Pessi committed
134 135 136 137 138 139 140 141 142
static
void tls_set_default(tls_issues_t *i)
{
  i->verify_depth = i->verify_depth == 0 ? 2 : i->verify_depth;
  i->cert = i->cert ? i->cert : "agent.pem";
  i->key = i->key ? i->key : i->cert;
  i->randFile = i->randFile ? i->randFile : "tls_seed.dat";
  i->CAfile = i->CAfile ? i->CAfile : "cafile.pem";
  i->cipher = i->cipher ? i->cipher : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
Pekka Pessi's avatar
Pekka Pessi committed
143 144 145 146
  /* Default SIP cipher */
  /* "RSA-WITH-AES-128-CBC-SHA"; */
  /* RFC-2543-compatibility ciphersuite */
  /* TLS_RSA_WITH_3DES_EDE_CBC_SHA; */
Pekka Pessi's avatar
Pekka Pessi committed
147 148
}

149

Pekka Pessi's avatar
Pekka Pessi committed
150 151 152 153 154
static
int tls_verify_cb(int ok, X509_STORE_CTX *store)
{
  if (!ok)
  {
155 156 157 158 159 160
    char data[256];

    X509 *cert = X509_STORE_CTX_get_current_cert(store);
    int  depth = X509_STORE_CTX_get_error_depth(store);
    int  err = X509_STORE_CTX_get_error(store);

Stefan Knoblich's avatar
Stefan Knoblich committed
161
    SU_DEBUG_1(("-Error with certificate at depth: %i\n", depth));
Pekka Pessi's avatar
Pekka Pessi committed
162
    X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
Stefan Knoblich's avatar
Stefan Knoblich committed
163
    SU_DEBUG_1(("  issuer   = %s\n", data));
Pekka Pessi's avatar
Pekka Pessi committed
164
    X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
Stefan Knoblich's avatar
Stefan Knoblich committed
165 166
    SU_DEBUG_1(("  subject  = %s\n", data));
    SU_DEBUG_1(("  err %i:%s\n", err, X509_verify_cert_error_string(err)));
Pekka Pessi's avatar
Pekka Pessi committed
167
  }
168

169
  return ok;
Pekka Pessi's avatar
Pekka Pessi committed
170 171 172 173 174 175 176 177 178 179 180 181 182 183 184
}

static
int tls_init_context(tls_t *tls, tls_issues_t const *ti)
{
  static int initialized = 0;

  if (!initialized) {
    initialized = 1;
    SSL_library_init();
    SSL_load_error_strings();

    if (ti->randFile &&
	!RAND_load_file(ti->randFile, 1024 * 1024)) {
      if (ti->configured > 1) {
185
	SU_DEBUG_3(("%s: cannot open randFile %s\n",
Stefan Knoblich's avatar
Stefan Knoblich committed
186
		   "tls_init_context", ti->randFile));
187
	tls_log_errors(3, "tls_init_context", 0);
Pekka Pessi's avatar
Pekka Pessi committed
188 189 190 191 192 193
      }
      /* errno = EIO; */
      /* return -1; */
    }
  }

194 195 196 197 198
#if HAVE_SIGPIPE
  /* Avoid possible SIGPIPE when sending close_notify */
  signal(SIGPIPE, SIG_IGN);
#endif

Pekka Pessi's avatar
Pekka Pessi committed
199 200
  if (tls->ctx == NULL) {
    SSL_METHOD *meth;
Pekka Pessi's avatar
Pekka Pessi committed
201 202 203

    /* meth = SSLv3_method(); */
    /* meth = SSLv23_method(); */
Pekka Pessi's avatar
Pekka Pessi committed
204 205 206 207 208 209 210 211 212 213

    if (ti->version)
      meth = TLSv1_method();
    else
      meth = SSLv23_method();

    tls->ctx = SSL_CTX_new(meth);
  }

  if (tls->ctx == NULL) {
214
    tls_log_errors(1, "tls_init_context", 0);
Pekka Pessi's avatar
Pekka Pessi committed
215 216 217 218
    errno = EIO;
    return -1;
  }

219
  if (!SSL_CTX_use_certificate_file(tls->ctx,
Pekka Pessi's avatar
Pekka Pessi committed
220 221 222
				    ti->cert,
				    SSL_FILETYPE_PEM)) {
    if (ti->configured > 0) {
223
      SU_DEBUG_1(("%s: invalid local certificate: %s\n",
Stefan Knoblich's avatar
Stefan Knoblich committed
224
		 "tls_init_context", ti->cert));
225
      tls_log_errors(1, "tls_init_context", 0);
Pekka Pessi's avatar
Pekka Pessi committed
226
#if require_client_certificate
227 228
      errno = EIO;
      return -1;
Pekka Pessi's avatar
Pekka Pessi committed
229
#endif
230
    }
Pekka Pessi's avatar
Pekka Pessi committed
231 232
  }

233 234
  if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
                                   ti->key,
Pekka Pessi's avatar
Pekka Pessi committed
235
                                   SSL_FILETYPE_PEM)) {
236
    if (ti->configured > 0) {
237
      tls_log_errors(1, "tls_init_context", 0);
Pekka Pessi's avatar
Pekka Pessi committed
238
#if require_client_certificate
239 240
      errno = EIO;
      return -1;
Pekka Pessi's avatar
Pekka Pessi committed
241
#endif
242
    }
Pekka Pessi's avatar
Pekka Pessi committed
243 244 245
  }

  if (!SSL_CTX_check_private_key(tls->ctx)) {
246
    if (ti->configured > 0) {
247 248
      SU_DEBUG_1(("%s: private key does not match the certificate public key\n",
		  "tls_init_context"));
249
    }
Pekka Pessi's avatar
Pekka Pessi committed
250
#if require_client_certificate
Pekka Pessi's avatar
Pekka Pessi committed
251 252
    errno = EIO;
    return -1;
Pekka Pessi's avatar
Pekka Pessi committed
253
#endif
Pekka Pessi's avatar
Pekka Pessi committed
254 255
  }

256 257
  if (!SSL_CTX_load_verify_locations(tls->ctx,
                                     ti->CAfile,
Pekka Pessi's avatar
Pekka Pessi committed
258
                                     ti->CApath)) {
259
    if (ti->configured > 0)
260
      tls_log_errors(1, "tls_init_context", 0);
Pekka Pessi's avatar
Pekka Pessi committed
261 262 263 264 265 266
    errno = EIO;
    return -1;
  }

  SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);

267
  SSL_CTX_set_verify(tls->ctx,
268
		     ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
Pekka Pessi's avatar
Pekka Pessi committed
269 270 271
                     tls_verify_cb);

  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
272 273
    SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
    tls_log_errors(1, "tls_init_context", 0);
Pekka Pessi's avatar
Pekka Pessi committed
274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300
    errno = EIO;
    return -1;
  }

  return 0;
}

void tls_free(tls_t *tls)
{
  int k;

  if (!tls)
    return;

  if (tls->read_buffer)
    free(tls->read_buffer), tls->read_buffer = NULL;

  if (tls->con != NULL)
    SSL_shutdown(tls->con);

  if (tls->ctx != NULL && tls->type != tls_slave)
    SSL_CTX_free(tls->ctx);

  if (tls->bio_con != NULL)
    BIO_free(tls->bio_con);

  for (k = 0; k < TLS_MAX_HOSTS; k++)
301 302 303
    if (tls->hosts[k]) {
      free(tls->hosts[k]), tls->hosts[k] = NULL;
    }
Pekka Pessi's avatar
Pekka Pessi committed
304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319

  free(tls);
}

int tls_get_socket(tls_t *tls)
{
  int sock = -1;

  if (tls != NULL && tls->bio_con != NULL)
    BIO_get_fd(tls->bio_con, &sock);

  return sock;
}

tls_t *tls_init_master(tls_issues_t *ti)
{
320 321
  /* Default id in case RAND fails */
  unsigned char sessionId[32] = "sofia/tls";
Pekka Pessi's avatar
Pekka Pessi committed
322 323
  tls_t *tls;

324 325 326 327
#if HAVE_SIGPIPE
  signal(SIGPIPE, SIG_IGN);  /* Ignore spurios SIGPIPE from OpenSSL */
#endif

Pekka Pessi's avatar
Pekka Pessi committed
328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343
  tls_set_default(ti);

  if (!(tls = tls_create(tls_master)))
    return NULL;

  if (tls_init_context(tls, ti) < 0) {
    int err = errno;
    tls_free(tls);
    errno = err;
    return NULL;
  }

  RAND_pseudo_bytes(sessionId, sizeof(sessionId));

  SSL_CTX_set_session_id_context(tls->ctx,
                                 (void*) sessionId,
344 345
				 sizeof(sessionId));

Pekka Pessi's avatar
Pekka Pessi committed
346 347 348 349 350 351 352 353 354
  if (ti->CAfile != NULL)
    SSL_CTX_set_client_CA_list(tls->ctx,
                               SSL_load_client_CA_file(ti->CAfile));

#if 0
  if (sock != -1) {
    tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE);

    if (tls->bio_con == NULL) {
355
      tls_log_errors(1, "tls_init_master", 0);
Pekka Pessi's avatar
Pekka Pessi committed
356 357 358 359 360 361 362 363 364 365
      tls_free(tls);
      errno = EIO;
      return NULL;
    }
  }
#endif

  return tls;
}

366
tls_t *tls_clone(tls_t *master, int sock, int accept)
Pekka Pessi's avatar
Pekka Pessi committed
367
{
368
  tls_t *tls = tls_create(tls_slave);
Pekka Pessi's avatar
Pekka Pessi committed
369

370 371 372 373 374 375
  if (tls) {
    tls->ctx = master->ctx;

    if (!(tls->read_buffer = malloc(tls_buffer_size)))
      free(tls), tls = NULL;
  }
Pekka Pessi's avatar
Pekka Pessi committed
376 377 378 379 380
  if (!tls)
    return tls;

  assert(sock != -1);

381
  tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE);
Pekka Pessi's avatar
Pekka Pessi committed
382 383 384
  tls->con = SSL_new(tls->ctx);

  if (tls->con == NULL) {
385
    tls_log_errors(1, "tls_clone", 0);
Pekka Pessi's avatar
Pekka Pessi committed
386 387 388 389 390 391
    tls_free(tls);
    errno = EIO;
    return NULL;
  }

  SSL_set_bio(tls->con, tls->bio_con, tls->bio_con);
392 393 394 395
  if (accept)
    SSL_set_accept_state(tls->con);
  else
    SSL_set_connect_state(tls->con);
Pekka Pessi's avatar
Pekka Pessi committed
396 397
  SSL_set_mode(tls->con, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

398
  su_setblocking(sock, 0);
Pekka Pessi's avatar
Pekka Pessi committed
399 400 401 402 403
  tls_read(tls); /* XXX - works only with non-blocking sockets */

  return tls;
}

404 405 406 407 408
tls_t *tls_init_slave(tls_t *master, int sock)
{
  int accept;
  return tls_clone(master, sock, accept = 1);
}
Pekka Pessi's avatar
Pekka Pessi committed
409 410 411

tls_t *tls_init_client(tls_t *master, int sock)
{
412 413
  int accept;
  return tls_clone(master, sock, accept = 0);
Pekka Pessi's avatar
Pekka Pessi committed
414 415 416 417 418
}

static char *tls_strdup(char const *s)
{
  if (s) {
419 420
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
Pekka Pessi's avatar
Pekka Pessi committed
421
    if (d)
422
      memcpy(d, s, len);
Pekka Pessi's avatar
Pekka Pessi committed
423 424 425 426 427 428 429 430 431 432 433 434 435 436
    return d;
  }
  return NULL;
}

static
int tls_post_connection_check(tls_t *tls)
{
  X509 *cert;
  int extcount;
  int k, i, j, error;

  if (!tls) return -1;

437
  cert = SSL_get_peer_certificate(tls->con);
Pekka Pessi's avatar
Pekka Pessi committed
438 439
  if (!cert)
    return X509_V_OK;
440

Pekka Pessi's avatar
Pekka Pessi committed
441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456
  extcount = X509_get_ext_count(cert);

  for (k = 0; k < TLS_MAX_HOSTS && tls->hosts[k]; k++)
    ;

  /* Find matching subjectAltName.DNS */
  for (i = 0; i < extcount; i++) {
    X509_EXTENSION *ext;
    char const *name;
    X509V3_EXT_METHOD *vp;
    STACK_OF(CONF_VALUE) *values;
    CONF_VALUE *value;
    void *d2i;

    ext = X509_get_ext(cert, i);
    name = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
457

Pekka Pessi's avatar
Pekka Pessi committed
458 459
    if (strcmp(name, "subjectAltName") != 0)
      continue;
460

Pekka Pessi's avatar
Pekka Pessi committed
461 462 463
    vp = X509V3_EXT_get(ext); if (!vp) continue;
    d2i = X509V3_EXT_d2i(ext);
    values = vp->i2v(vp, d2i, NULL);
464

Pekka Pessi's avatar
Pekka Pessi committed
465 466
    for (j = 0; j < sk_CONF_VALUE_num(values); j++) {
      value = sk_CONF_VALUE_value(values, j);
467 468 469 470 471 472 473 474 475 476 477 478
      if (strcmp(value->name, "DNS") == 0) {
	if (k < TLS_MAX_HOSTS) {
	  tls->hosts[k] = tls_strdup(value->value);
	  k += tls->hosts[k] != NULL;
	}
      }
      else if (strcmp(value->name, "URI") == 0) {
	char const *uri = strchr(value->value, ':');
	if (uri ++ && k < TLS_MAX_HOSTS) {
	  tls->hosts[k] = tls_strdup(uri);
	  k += tls->hosts[k] != NULL;
	}
Pekka Pessi's avatar
Pekka Pessi committed
479 480 481
      }
    }
  }
482

Pekka Pessi's avatar
Pekka Pessi committed
483 484 485 486 487 488
  if (k < TLS_MAX_HOSTS) {
    X509_NAME *subject;
    char name[256];

    subject = X509_get_subject_name(cert);
    if (subject) {
489
      if (X509_NAME_get_text_by_NID(subject, NID_commonName,
Pekka Pessi's avatar
Pekka Pessi committed
490 491 492
				    name, sizeof name) > 0) {
	name[(sizeof name) - 1] = '\0';

493
	for (i = 0; tls->hosts[i]; i++)
Pekka Pessi's avatar
Pekka Pessi committed
494 495 496 497 498 499 500 501 502 503 504 505 506 507 508
	  if (strcasecmp(tls->hosts[i], name) == 0)
	    break;

	if (i == k)
	  tls->hosts[k++] = tls_strdup(name);
      }
    }
  }

  X509_free(cert);

  error = SSL_get_verify_result(tls->con);

  if (error == X509_V_OK)
    tls->verified = 1;
509

Pekka Pessi's avatar
Pekka Pessi committed
510 511 512 513 514 515 516 517 518 519
  return error;
}

int tls_check_hosts(tls_t *tls, char const *hosts[TLS_MAX_HOSTS])
{
  int i, j;

  if (tls == NULL) { errno = EINVAL; return -1; }
  if (!tls->verified) { errno = EAGAIN; return -1; }

520
  if (!hosts)
Pekka Pessi's avatar
Pekka Pessi committed
521 522 523 524 525 526 527 528 529 530 531 532
    return 0;

  for (i = 0; hosts[i]; i++) {
    for (j = 0; tls->hosts[j]; j++) {
      if (strcasecmp(hosts[i], tls->hosts[j]) == 0)
	break;
    }
    if (tls->hosts[j] == NULL) {
      errno = EACCES;
      return -1;
    }
  }
533

Pekka Pessi's avatar
Pekka Pessi committed
534 535 536
  return 0;
}

Pekka Pessi's avatar
Pekka Pessi committed
537
static
538
int tls_error(tls_t *tls, int ret, char const *who,
Pekka Pessi's avatar
Pekka Pessi committed
539 540 541 542 543 544 545
	      void *buf, int size)
{
  int events = 0;
  int err = SSL_get_error(tls->con, ret);

  switch (err) {
  case SSL_ERROR_WANT_WRITE:
546
    events = SU_WAIT_OUT;
Pekka Pessi's avatar
Pekka Pessi committed
547 548 549
    break;

  case SSL_ERROR_WANT_READ:
550
    events = SU_WAIT_IN;
Pekka Pessi's avatar
Pekka Pessi committed
551 552 553 554 555 556
    break;

  case SSL_ERROR_ZERO_RETURN:
    return 0;

  case SSL_ERROR_SYSCALL:
557 558 559 560
    if (SSL_get_shutdown(tls->con) & SSL_RECEIVED_SHUTDOWN)
      return 0;			/* EOS */
    if (errno == 0)
      return 0;			/* EOS */
Pekka Pessi's avatar
Pekka Pessi committed
561 562 563
    return -1;

  default:
564
    tls_log_errors(1, who, err);
Pekka Pessi's avatar
Pekka Pessi committed
565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580
    errno = EIO;
    return -1;
  }

  if (buf) {
    tls->write_events = events;
    tls->write_buffer = buf, tls->write_buffer_len = size;
  }
  else {
    tls->read_events = events;
  }

  errno = EAGAIN;
  return -1;
}

581
ssize_t tls_read(tls_t *tls)
Pekka Pessi's avatar
Pekka Pessi committed
582
{
583
  ssize_t ret;
Pekka Pessi's avatar
Pekka Pessi committed
584 585 586 587 588 589 590

  if (tls == NULL) {
    errno = EINVAL;
    return -1;
  }

  if (0)
Stefan Knoblich's avatar
Stefan Knoblich committed
591
    SU_DEBUG_1(("tls_read(%p) called on %s (events %u)\n", (void *)tls,
Pekka Pessi's avatar
Pekka Pessi committed
592
	    tls->type == tls_slave ? "server" : "client",
Stefan Knoblich's avatar
Stefan Knoblich committed
593
	    tls->read_events));
Pekka Pessi's avatar
Pekka Pessi committed
594 595

  if (tls->read_buffer_len)
596
    return (ssize_t)tls->read_buffer_len;
Pekka Pessi's avatar
Pekka Pessi committed
597

598
  tls->read_events = SU_WAIT_IN;
Pekka Pessi's avatar
Pekka Pessi committed
599 600

  ret = SSL_read(tls->con, tls->read_buffer, tls_buffer_size);
Pekka Pessi's avatar
Pekka Pessi committed
601
  if (ret <= 0)
602
    return tls_error(tls, ret, "tls_read: SSL_read", NULL, 0);
Pekka Pessi's avatar
Pekka Pessi committed
603

Pekka Pessi's avatar
Pekka Pessi committed
604
  if (!tls->verified) {
Pekka Pessi's avatar
Pekka Pessi committed
605 606
    int err = tls_post_connection_check(tls);

607
    if (err != X509_V_OK &&
Pekka Pessi's avatar
Pekka Pessi committed
608
	err != SSL_ERROR_SYSCALL &&
Pekka Pessi's avatar
Pekka Pessi committed
609 610
	err != SSL_ERROR_WANT_WRITE &&
	err != SSL_ERROR_WANT_READ) {
Stefan Knoblich's avatar
Stefan Knoblich committed
611
      SU_DEBUG_1((
612
		 "%s: server certificate doesn't verify\n",
Stefan Knoblich's avatar
Stefan Knoblich committed
613
		 "tls_read"));
Pekka Pessi's avatar
Pekka Pessi committed
614 615 616
    }
  }

617
  return (ssize_t)(tls->read_buffer_len = ret);
Pekka Pessi's avatar
Pekka Pessi committed
618 619
}

620
void *tls_read_buffer(tls_t *tls, size_t N)
Pekka Pessi's avatar
Pekka Pessi committed
621 622 623 624 625 626 627 628 629 630 631
{
  assert(N == tls->read_buffer_len);
  tls->read_buffer_len = 0;
  return tls->read_buffer;
}

int tls_pending(tls_t const *tls)
{
  return tls && tls->con && SSL_pending(tls->con);
}

632 633
/** Check if data is available in TCP connection.
 *
634
 *
635 636 637
 *
 * @retval -1 upon an error
 * @retval 0 end-of-stream
638
 * @retval 1 nothing to read
639 640
 * @retval 2 there is data to read
 */
Pekka Pessi's avatar
Pekka Pessi committed
641 642 643 644
int tls_want_read(tls_t *tls, int events)
{
  if (tls && (events & tls->read_events)) {
    int ret = tls_read(tls);
645
    if (ret > 0)
646
      return 2;
647
    else if (ret == 0)
Pekka Pessi's avatar
Pekka Pessi committed
648
      return 0;
649
    else if (errno == EAGAIN)
650
      return 3;			/* ??? */
Pekka Pessi's avatar
Pekka Pessi committed
651 652 653 654
    else
      return -1;
  }

655
  return 1;
Pekka Pessi's avatar
Pekka Pessi committed
656 657
}

658
ssize_t tls_write(tls_t *tls, void *buf, size_t size)
Pekka Pessi's avatar
Pekka Pessi committed
659
{
660
  ssize_t ret;
Pekka Pessi's avatar
Pekka Pessi committed
661

662 663
  if (0)
    SU_DEBUG_1(("tls_write(%p, %p, "MOD_ZU") called on %s\n",
664
	    (void *)tls, buf, size,
Stefan Knoblich's avatar
Stefan Knoblich committed
665
	    tls && tls->type == tls_slave ? "server" : "client"));
Pekka Pessi's avatar
Pekka Pessi committed
666 667 668 669 670 671 672 673 674 675 676 677

  if (tls == NULL || buf == NULL) {
    errno = EINVAL;
    return -1;
  }

  if (tls->write_buffer) {
    assert(buf == tls->write_buffer);
    assert(size >= tls->write_buffer_len);
    assert(tls->write_events == 0);

    if (tls->write_events ||
678
	buf != tls->write_buffer ||
Pekka Pessi's avatar
Pekka Pessi committed
679
	size < tls->write_buffer_len) {
680
      errno = EIO;
Pekka Pessi's avatar
Pekka Pessi committed
681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698
      return -1;
    }

    ret = tls->write_buffer_len;

    tls->write_buffer = NULL;
    tls->write_buffer_len = 0;

    return ret;
  }

  if (size == 0)
    return 0;

  tls->write_events = 0;

  if (!tls->verified) {
    if (tls_post_connection_check(tls) != X509_V_OK) {
Stefan Knoblich's avatar
Stefan Knoblich committed
699 700
      SU_DEBUG_1((
		 "tls_read: server certificate doesn't verify\n"));
Pekka Pessi's avatar
Pekka Pessi committed
701 702 703 704
    }
  }

  ret = SSL_write(tls->con, buf, size);
Pekka Pessi's avatar
Pekka Pessi committed
705
  if (ret < 0)
706
    return tls_error(tls, ret, "tls_write: SSL_write", buf, size);
Pekka Pessi's avatar
Pekka Pessi committed
707

Pekka Pessi's avatar
Pekka Pessi committed
708
  return ret;
Pekka Pessi's avatar
Pekka Pessi committed
709 710 711 712 713 714 715
}

int tls_want_write(tls_t *tls, int events)
{
  if (tls && (events & tls->write_events)) {
    int ret;
    void *buf = tls->write_buffer;
716
    size_t size = tls->write_buffer_len;
Pekka Pessi's avatar
Pekka Pessi committed
717 718

    tls->write_events = 0;
Pekka Pessi's avatar
Pekka Pessi committed
719 720

    /* remove buf */
Pekka Pessi's avatar
Pekka Pessi committed
721 722 723 724 725 726
    tls->write_buffer = NULL;
    tls->write_buffer_len = 0;

    ret = tls_write(tls, buf, size);

    if (ret >= 0)
Pekka Pessi's avatar
Pekka Pessi committed
727
      /* Restore buf */
Pekka Pessi's avatar
Pekka Pessi committed
728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744
      return tls->write_buffer = buf, tls->write_buffer_len = ret;
    else if (errno == EAGAIN)
      return 0;
    else
      return -1;
  }
  return 0;
}

int tls_events(tls_t const *tls, int mask)
{

  if (!tls)
    return mask;

  if (tls->type == tls_master)
    return mask;
745

Pekka Pessi's avatar
Pekka Pessi committed
746
  return
747
    (mask & ~(SU_WAIT_IN|SU_WAIT_OUT)) |
748
    ((mask & SU_WAIT_IN) ? tls->read_events : 0) |
749
    ((mask & SU_WAIT_OUT) ? tls->write_events : 0);
Pekka Pessi's avatar
Pekka Pessi committed
750
}