00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023 #include <config.h>
00024 #include <stdio.h>
00025 #include <memory.h>
00026 #include <time.h>
00027
00028 #ifdef HAVE_SYS_TYPES_H
00029 #include <sys/types.h>
00030 #endif
00031
00032 #ifdef HAVE_SYS_SOCKET_H
00033 #include <sys/socket.h>
00034 #endif
00035
00036 #ifdef HAVE_NETINET_IN_H
00037 #include <netinet/in.h>
00038 #endif
00039
00040 #ifdef HAVE_ARPA_INET_H
00041 #include <arpa/inet.h>
00042 #endif
00043
00044 #ifdef HAVE_NETDB_H
00045 #include <netdb.h>
00046 #endif
00047
00048 #ifdef HAVE_PTHREAD_H
00049 #include <pthread.h>
00050 #endif
00051
00052 #ifdef HAVE_UNISTD_H
00053 #include <unistd.h>
00054 #endif
00055
00056 #ifdef HAVE_ERRNO_H
00057 #include <errno.h>
00058 #endif
00059
00060 #ifdef HAVE_STRING_H
00061 #include <string.h>
00062 #endif
00063
00064
00065 #ifdef HAVE_OPENSSL
00066 #include <openssl/crypto.h>
00067 #include <openssl/x509.h>
00068 #include <openssl/x509_vfy.h>
00069 #include <openssl/pem.h>
00070 #include <openssl/ssl.h>
00071 #include <openssl/err.h>
00072 #include <openssl/rand.h>
00073 #include <openssl/bio.h>
00074 #endif
00075
00076 #include "monitor.h"
00077 #include "net.h"
00078 #include "ssl.h"
00079
00080 #ifdef HAVE_OPENSSL
00081
00082
00083 static int ssl_thread_start(void);
00084 static int ssl_thread_stop(void);
00085 static int unsigned long ssl_thread_id(void);
00086 static void ssl_mutex_lock(int mode, int n, const char *file, int line);
00087 static int ssl_entropy_start(void);
00088 static int ssl_entropy_stop(void);
00089
00090 static pthread_mutex_t ssl_mutex= PTHREAD_MUTEX_INITIALIZER;
00091 static pthread_mutex_t *ssl_mutex_table;
00092 static int ssl_initilized= FALSE;
00093
00094
00095 static int verify_init(ssl_server_connection *);
00096 static int verify_callback(int, X509_STORE_CTX *);
00097 static int verify_callback_noclientcert(int, X509_STORE_CTX *);
00098 static void verify_info(ssl_server_connection *);
00099 static int check_preverify(X509_STORE_CTX *);
00100
00101 static int allow_self_certfication= FALSE;
00102 static int allow_any_purpose= FALSE;
00103
00104
00105 static int handle_connection_error(int, ssl_connection *, char *);
00106 static void handle_ssl_error(char *);
00107 #define SSLERROR ERR_error_string(ERR_get_error(),NULL)
00108
00109 #define ALLOW_ANY_PURPOSE
00110
00111 #endif
00112
00116 #define RANDOM_BYTES 1024
00117
00122 #define URANDOM_DEVICE "/dev/urandom"
00123
00128 #define RANDOM_DEVICE "/dev/random"
00129
00130
00143
00144
00145
00146
00147
00148
00149
00150
00151
00152
00153
00154
00155
00161 int embed_ssl_socket (ssl_connection *ssl, int socket) {
00162
00163 #ifdef HAVE_OPENSSL
00164
00165 int ssl_error;
00166 time_t ssl_time;
00167
00168 if ( ssl == NULL ) {
00169
00170 return FALSE;
00171
00172 }
00173
00174 if (!ssl_initilized) {
00175
00176 start_ssl();
00177
00178 }
00179
00180 if ( socket >= 0 ) {
00181
00182 ssl->socket= socket;
00183
00184 } else {
00185
00186 error("%s: Socket error!\n", prog);
00187 goto sslerror;
00188 }
00189
00190 if ((ssl->handler= SSL_new (ssl->ctx)) == NULL ) {
00191
00192 handle_ssl_error("embed_ssl_socket()");
00193 error("%s: Cannot initialize the SSL handler!\n", prog);
00194 goto sslerror;
00195
00196 }
00197
00198 set_noblock(ssl->socket);
00199
00200 if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
00201
00202 handle_ssl_error("embed_ssl_socket()");
00203 error("%s: Cannot generate IO buffer!\n", prog);
00204 goto sslerror;
00205
00206 }
00207
00208 SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
00209
00210 ssl_time=time(NULL);
00211
00212 while((ssl_error= SSL_connect (ssl->handler)) < 0) {
00213
00214 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
00215
00216 error("%s: The connection process with the SSL service timed out!\n",
00217 prog);
00218 goto sslerror;
00219
00220 }
00221
00222 if (!handle_connection_error(ssl_error, ssl, "embed_ssl_socket()")) {
00223
00224 goto sslerror;
00225
00226 }
00227
00228 }
00229
00230 ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
00231
00232 if (! update_ssl_cert_data(ssl)) {
00233
00234 error("%s: Cannot get the SSL server certificate!\n",
00235 prog);
00236 goto sslerror;
00237
00238 }
00239
00240 return TRUE;
00241
00242 sslerror:
00243
00244 cleanup_ssl_socket(ssl);
00245 return FALSE;
00246
00247 #else
00248
00249 return FALSE;
00250
00251 #endif
00252 }
00253
00254
00260 int update_ssl_cert_data(ssl_connection *ssl) {
00261
00262 #ifdef HAVE_OPENSSL
00263
00264 unsigned char md5[EVP_MAX_MD_SIZE];
00265
00266 ASSERT(ssl);
00267
00268 if ((ssl->cert = SSL_get_peer_certificate (ssl->handler)) == NULL) {
00269
00270 handle_ssl_error("update_ssl_cert_data()");
00271
00272 return FALSE;
00273
00274 }
00275
00276 ssl->cert_issuer=X509_NAME_oneline (X509_get_issuer_name (ssl->cert),0,0);
00277 ssl->cert_subject=X509_NAME_oneline (X509_get_subject_name (ssl->cert),0,0);
00278 X509_digest(ssl->cert,EVP_md5(), md5, &ssl->cert_md5_len);
00279 ssl->cert_md5=xstrdup(md5);
00280
00281 return TRUE;
00282
00283 #else
00284
00285 return FALSE;
00286
00287 #endif
00288
00289 }
00290
00291
00298 int check_ssl_md5sum(ssl_connection *ssl, char *md5sum) {
00299
00300 #ifdef HAVE_OPENSSL
00301 int i= 0;
00302
00303 ASSERT(md5sum);
00304
00305 while (( i < ssl->cert_md5_len ) &&
00306 ( md5sum[2*i] != '\0' ) &&
00307 ( md5sum[2*i+1] != '\0' )) {
00308
00309 unsigned char c=
00310 (md5sum[2*i] > 57 ? md5sum[2*i] - 87 : md5sum[2*i] - 48) * 0x10+
00311 (md5sum[2*i+1] > 57 ? md5sum[2*i+1] - 87 : md5sum[2*i+1] - 48);
00312
00313 if ( c!=ssl->cert_md5[i] ) {
00314
00315 return FALSE;
00316
00317 }
00318
00319 i ++;
00320
00321 }
00322
00323 #endif
00324
00325 return TRUE;
00326
00327 }
00328
00329
00340 ssl_connection *create_ssl_socket(char *hostname, int port, int protocol, int sslversion) {
00341
00342 #ifdef HAVE_OPENSSL
00343
00344 int socket;
00345 ssl_connection *ssl = new_ssl_connection(NULL, sslversion);
00346
00347 ASSERT(hostname);
00348
00349 if (!ssl_initilized) {
00350
00351 start_ssl();
00352
00353 }
00354
00355 if ((socket= create_socket(hostname, port, protocol)) == -1) {
00356
00357 error("%s: Cannot connect!\n", prog);
00358 goto sslerror;
00359
00360 }
00361
00362 if (! embed_ssl_socket(ssl, socket)) {
00363
00364 error("%s: Cannot embed socket!\n", prog);
00365
00366 goto sslerror;
00367
00368 }
00369
00370 return ssl;
00371
00372 sslerror:
00373
00374 return NULL;
00375
00376 #else
00377
00378 return NULL;
00379
00380 #endif
00381
00382 }
00383
00384
00390 int close_ssl_socket(ssl_connection *ssl) {
00391
00392 #ifdef HAVE_OPENSSL
00393
00394 int error;
00395
00396 if(ssl == NULL) {
00397
00398 return FALSE;
00399
00400 }
00401
00402 if (! (error= SSL_shutdown (ssl->handler))) {
00403
00404 shutdown(ssl->socket,1 );
00405 error= SSL_shutdown (ssl->handler);
00406
00407 }
00408
00409 close(ssl->socket);
00410 cleanup_ssl_socket(ssl);
00411
00412 if ( error<=0 ) {
00413
00414 return FALSE;
00415
00416 } else {
00417
00418 return TRUE;
00419
00420 }
00421
00422 #else
00423
00424 return FALSE;
00425
00426 #endif
00427
00428 }
00429
00430
00436 int cleanup_ssl_socket(ssl_connection *ssl) {
00437
00438 #ifdef HAVE_OPENSSL
00439
00440 if(ssl==NULL) {
00441
00442 return FALSE;
00443
00444 }
00445
00446 if (ssl->cert != NULL) {
00447
00448 X509_free(ssl->cert);
00449 ssl->cert= NULL;
00450
00451 }
00452
00453 if (ssl->handler != NULL) {
00454
00455 SSL_free(ssl->handler);
00456 ssl->handler= NULL;
00457
00458 }
00459
00460 if (ssl->socket_bio != NULL) {
00461
00462
00463
00464
00465
00466
00467 ssl->socket_bio= NULL;
00468
00469 }
00470
00471 if (ssl->cert_issuer != NULL) {
00472
00473 free(ssl->cert_issuer);
00474 ssl->cert_issuer= NULL;
00475
00476 }
00477
00478 if (ssl->cert_subject != NULL) {
00479
00480 free(ssl->cert_subject);
00481 ssl->cert_subject= NULL;
00482
00483 }
00484
00485 if (ssl->cert_md5 != NULL) {
00486
00487 free(ssl->cert_md5);
00488 ssl->cert_md5= NULL;
00489
00490 }
00491
00492 if(ssl->clientpemfile!=NULL) {
00493
00494 free(ssl->clientpemfile);
00495 ssl->clientpemfile= NULL;
00496
00497 }
00498
00499 return TRUE;
00500
00501 #else
00502
00503 return FALSE;
00504
00505 #endif
00506
00507 }
00508
00509
00515 int delete_ssl_socket(ssl_connection *ssl) {
00516
00517 #ifdef HAVE_OPENSSL
00518
00519 if(ssl==NULL) {
00520
00521 return FALSE;
00522
00523 }
00524
00525 cleanup_ssl_socket(ssl);
00526
00527 if((ssl->ctx != NULL) && (! ssl->accepted)) {
00528
00529 SSL_CTX_free(ssl->ctx);
00530
00531 }
00532
00533 free(ssl);
00534
00535 return TRUE;
00536
00537 #else
00538
00539 return TRUE;
00540
00541 #endif
00542
00543 }
00544
00545
00551 ssl_server_connection *init_ssl_server (char *pemfile, char *clientpemfile) {
00552
00553 #ifdef HAVE_OPENSSL
00554
00555 ssl_server_connection *ssl_server = new_ssl_server_connection(pemfile,
00556 clientpemfile);
00557
00558 ASSERT(pemfile);
00559
00560 if (!ssl_initilized) {
00561
00562 start_ssl();
00563
00564 }
00565
00566 if ((ssl_server->method= SSLv23_server_method()) == NULL ) {
00567
00568 handle_ssl_error("init_ssl_server()");
00569 error("%s: Cannot initialize the SSL method to use!\n", prog);
00570 goto sslerror;
00571
00572 }
00573
00574 if ((ssl_server->ctx= SSL_CTX_new(ssl_server->method)) == NULL ) {
00575
00576 handle_ssl_error("init_ssl_server()");
00577 error("%s: Cannot initialize the SSL server's certificate handler!\n"
00578 , prog);
00579 goto sslerror;
00580
00581 }
00582
00583 if (SSL_CTX_use_certificate_file(ssl_server->ctx, pemfile,
00584 SSL_FILETYPE_PEM) <= 0) {
00585
00586 handle_ssl_error("init_ssl_server()");
00587 error("%s: Cannot initialize the SSL server's certificate!\n", prog);
00588 goto sslerror;
00589
00590 }
00591
00592 if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile,
00593 SSL_FILETYPE_PEM) <= 0) {
00594
00595 handle_ssl_error("init_ssl_server()");
00596 error("%s: Cannot initialize the SSL server's private key!\n", prog);
00597 goto sslerror;
00598
00599 }
00600
00601 if (!SSL_CTX_check_private_key(ssl_server->ctx)) {
00602
00603 handle_ssl_error("init_ssl_server()");
00604 error("%s: The private key does not match the certificate public key!\n",
00605 prog);
00606 goto sslerror;
00607
00608 }
00609
00610
00611
00612
00613 if (!verify_init(ssl_server)) {
00614
00615 handle_ssl_error("init_ssl_server()");
00616 error("%s: Verification engine was not properly initilized!\n", prog);
00617 goto sslerror;
00618
00619 }
00620 verify_info(ssl_server);
00621
00622 return ssl_server;
00623
00624 sslerror:
00625
00626 cleanup_ssl_server_socket(ssl_server);
00627 return NULL;
00628
00629 #else
00630
00631 return NULL;
00632
00633 #endif
00634
00635 }
00636
00637
00648 ssl_server_connection *create_ssl_server_socket(char *pemfile, int port,
00649 int backlog,
00650 char *bindAddr,
00651 char *clientpemfile) {
00652
00653 #ifdef HAVE_OPENSSL
00654
00655 int socket;
00656 ssl_server_connection *ssl_server;
00657
00658 ASSERT(pemfile);
00659 ASSERT(bindAddr);
00660
00661 if (!ssl_initilized) {
00662
00663 start_ssl();
00664
00665 }
00666
00667 if ((socket= create_server_socket(port, backlog, bindAddr)) == -1) {
00668
00669 error("%s: Cannot connect!\n", prog);
00670 goto sslerror;
00671
00672 }
00673
00674 if (( ssl_server= init_ssl_server(pemfile, clientpemfile)) == NULL) {
00675
00676 goto sslerror;
00677
00678 }
00679
00680 ssl_server->server_socket=socket;
00681
00682 return ssl_server;
00683
00684 sslerror:
00685
00686 return NULL;
00687
00688 #else
00689
00690 return FALSE;
00691
00692 #endif
00693
00694 }
00695
00696
00702 int close_ssl_server_socket(ssl_server_connection *ssl_server) {
00703
00704 #ifdef HAVE_OPENSSL
00705
00706 if (ssl_server==NULL) {
00707
00708 return FALSE;
00709
00710 }
00711
00712 close(ssl_server->server_socket);
00713 cleanup_ssl_server_socket(ssl_server);
00714
00715 return TRUE;
00716
00717 #else
00718
00719 return FALSE;
00720
00721 #endif
00722 }
00723
00724
00730 int cleanup_ssl_server_socket(ssl_server_connection *ssl_server) {
00731
00732 #ifdef HAVE_OPENSSL
00733
00734 ssl_connection *ssl;
00735
00736 if(ssl_server==NULL) {
00737
00738 return FALSE;
00739
00740 }
00741
00742 if(ssl_server->pemfile!=NULL) {
00743
00744 free(ssl_server->pemfile);
00745 ssl_server->pemfile= NULL;
00746
00747 }
00748
00749 if(ssl_server->clientpemfile!=NULL) {
00750
00751 free(ssl_server->clientpemfile);
00752 ssl_server->clientpemfile= NULL;
00753
00754 }
00755
00756 while (ssl_server->ssl_conn_list!=NULL) {
00757
00758 ssl = ssl_server->ssl_conn_list;
00759
00760 ssl_server->ssl_conn_list=ssl_server->ssl_conn_list->next;
00761
00762 close_accepted_ssl_socket(ssl_server, ssl);
00763 delete_ssl_socket(ssl);
00764
00765 }
00766
00767 return TRUE;
00768
00769 #else
00770
00771 return TRUE;
00772
00773 #endif
00774
00775 }
00776
00777
00783 int delete_ssl_server_socket(ssl_server_connection *ssl_server) {
00784
00785 #ifdef HAVE_OPENSSL
00786
00787 if(ssl_server==NULL) {
00788
00789 return FALSE;
00790
00791 }
00792
00793 cleanup_ssl_server_socket(ssl_server);
00794
00795 if (ssl_server->ctx != NULL) {
00796
00797 SSL_CTX_free(ssl_server->ctx);
00798
00799 }
00800
00801 free(ssl_server);
00802
00803 return TRUE;
00804
00805 #else
00806
00807 return TRUE;
00808
00809 #endif
00810
00811 }
00812
00813
00819 ssl_connection *insert_accepted_ssl_socket(ssl_server_connection *ssl_server) {
00820
00821 #ifdef HAVE_OPENSSL
00822
00823 ssl_connection *ssl;
00824
00825 ASSERT(ssl_server);
00826
00827 ssl= (ssl_connection *) NEW(ssl);
00828
00829 if (!ssl_initilized) {
00830
00831 start_ssl();
00832
00833 }
00834
00835 ssl->method= NULL;
00836 ssl->handler= NULL;
00837 ssl->cert= NULL;
00838 ssl->cipher= NULL;
00839 ssl->socket= 0;
00840 ssl->next= NULL;
00841 ssl->accepted= FALSE;
00842 ssl->cert_md5= NULL;
00843 ssl->cert_md5_len= 0;
00844 ssl->clientpemfile= NULL;
00845
00846 if(ssl_server->clientpemfile!=NULL) {
00847
00848 ssl->clientpemfile= xstrdup(ssl_server->clientpemfile);
00849
00850 }
00851
00852 if(( ssl_server == NULL ) || (ssl == NULL)) {
00853
00854 return NULL;
00855
00856 }
00857
00858 LOCK(ssl_mutex);
00859
00860 ssl->prev=NULL;
00861 ssl->next=ssl_server->ssl_conn_list;
00862
00863 if( ssl->next != NULL ) {
00864
00865 ssl->next->prev=ssl;
00866
00867 }
00868
00869 END_LOCK;
00870
00871 ssl_server->ssl_conn_list=ssl;
00872 ssl->ctx=ssl_server->ctx;
00873 ssl->accepted=TRUE;
00874
00875 return ssl;
00876
00877 #else
00878
00879 return NULL;
00880
00881 #endif
00882
00883 }
00884
00885
00893 int close_accepted_ssl_socket(ssl_server_connection *ssl_server,
00894 ssl_connection *ssl) {
00895
00896 #ifdef HAVE_OPENSSL
00897
00898 int return_value= TRUE;
00899
00900 if ((ssl == NULL) || (ssl_server == NULL)) {
00901 return FALSE;
00902 }
00903
00904 if (close(ssl->socket) < 0) {
00905
00906 return_value= FALSE;
00907
00908 }
00909
00910 if (! delete_accepted_ssl_socket(ssl_server, ssl)) {
00911
00912 return_value= FALSE;
00913
00914 }
00915
00916 return return_value;
00917
00918 #else
00919
00920 return FALSE;
00921
00922 #endif
00923
00924 }
00925
00926
00934 int delete_accepted_ssl_socket (ssl_server_connection *ssl_server,
00935 ssl_connection *ssl) {
00936
00937 #ifdef HAVE_OPENSSL
00938
00939 int return_value= TRUE;
00940
00941 if ((ssl == NULL) || (ssl_server == NULL)) {
00942 return FALSE;
00943 }
00944
00945 LOCK(ssl_mutex);
00946
00947 if ( ssl->prev == NULL ) {
00948
00949 ssl_server->ssl_conn_list=ssl->next;
00950
00951 } else {
00952
00953 ssl->prev->next=ssl->next;
00954
00955 }
00956
00957 END_LOCK;
00958
00959 if(! cleanup_ssl_socket(ssl)) {
00960
00961 return_value= FALSE;
00962
00963 }
00964
00965 if (! delete_ssl_socket(ssl)) {
00966
00967 return_value= FALSE;
00968
00969 }
00970
00971 return return_value;
00972
00973 #else
00974
00975 return FALSE;
00976
00977 #endif
00978
00979 }
00980
00981
00988 int embed_accepted_ssl_socket(ssl_connection *ssl, int socket) {
00989
00990 #ifdef HAVE_OPENSSL
00991
00992 int ssl_error;
00993 time_t ssl_time;
00994
00995 ASSERT(ssl);
00996
00997 ssl->socket=socket;
00998
00999 if(!ssl_initilized) {
01000
01001 start_ssl();
01002
01003 }
01004
01005 if((ssl->handler= SSL_new(ssl->ctx)) == NULL) {
01006
01007 handle_ssl_error("embed_accepted_ssl_socket()");
01008 error("%s: Cannot initialize the SSL handler!\n", prog);
01009 goto sslerror;
01010
01011 }
01012
01013 if(socket < 0) {
01014
01015 error("Socket error!\n");
01016 goto sslerror;
01017
01018 }
01019
01020 set_noblock(ssl->socket);
01021
01022 if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
01023
01024 handle_ssl_error("embed_accepted_ssl_socket()");
01025 error("%s: Cannot generate IO buffer!\n", prog);
01026 goto sslerror;
01027
01028 }
01029
01030 SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
01031
01032 ssl_time= time(NULL);
01033
01034 while((ssl_error= SSL_accept(ssl->handler)) < 0) {
01035
01036 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01037
01038 error("%s: The connection process with the SSL service timed out!\n",
01039 prog);
01040 goto sslerror;
01041
01042 }
01043
01044 if (!handle_connection_error(ssl_error, ssl,
01045 "embed_accepted_ssl_socket()")) {
01046
01047 goto sslerror;
01048
01049 }
01050
01051 }
01052
01053 ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
01054
01055 if(!update_ssl_cert_data(ssl) && (ssl->clientpemfile != NULL)) {
01056
01057 error("%s: The client did not supply a required client certificate!\n",
01058 prog);
01059 goto sslerror;
01060
01061 }
01062
01063 if (SSL_get_verify_result(ssl->handler)>0) {
01064
01065 error("%s: Verification of the certificate has failed!\n",
01066 prog);
01067 goto sslerror;
01068
01069 }
01070
01071 return TRUE;
01072
01073 sslerror:
01074
01075 return FALSE;
01076
01077 #else
01078
01079 return FALSE;
01080
01081 #endif
01082
01083 }
01084
01085
01091 ssl_connection *accept_ssl_socket(ssl_server_connection *ssl_server) {
01092
01093 #ifdef HAVE_OPENSSL
01094
01095 int no_crypt_socket;
01096 int len= sizeof(struct sockaddr_in);
01097 struct sockaddr_in in;
01098
01099 ASSERT(ssl_server);
01100
01101 no_crypt_socket= accept(ssl_server->server_socket, (struct sockaddr*)&in,
01102 &len);
01103
01104 if(no_crypt_socket >= 0) {
01105
01106 ssl_connection *ssl = insert_accepted_ssl_socket(ssl_server);
01107
01108 if(ssl == NULL) {
01109
01110 return NULL;
01111
01112 }
01113
01114 if(embed_accepted_ssl_socket(ssl, no_crypt_socket)) {
01115
01116 return ssl;
01117
01118 } else {
01119
01120 close_accepted_ssl_socket(ssl_server, ssl);
01121 return NULL;
01122
01123 }
01124
01125 } else {
01126
01127 return NULL;
01128
01129 }
01130
01131 #else
01132
01133 return NULL;
01134
01135 #endif
01136
01137 }
01138
01139
01147 int send_ssl_socket(ssl_connection *ssl, void *buffer, int len) {
01148
01149 #ifdef HAVE_OPENSSL
01150 int ssl_error;
01151 time_t ssl_time= time(NULL);
01152
01153 ASSERT(ssl);
01154
01155
01156 while((ssl_error= SSL_write (ssl->handler, (void *) buffer, len)) < 0) {
01157
01158 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01159
01160 error("%s: The connection process with the SSL service has timed"
01161 " out!\n", prog);
01162 break;
01163
01164 }
01165
01166 if (!handle_connection_error(ssl_error, ssl, "send_ssl_socket()")) {
01167
01168 break;
01169
01170 }
01171
01172 }
01173
01174 return ssl_error;
01175
01176 #else
01177
01178 return -1;
01179
01180 #endif
01181
01182 }
01183
01184
01192 int recv_ssl_socket(ssl_connection *ssl, void *buffer, int len) {
01193
01194 #ifdef HAVE_OPENSSL
01195 int ssl_error;
01196 time_t ssl_time= time(NULL);
01197
01198 ASSERT(ssl);
01199
01200 while((ssl_error= SSL_read(ssl->handler, (void *) buffer, len)) < 0) {
01201
01202 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01203
01204 error("%s: The connection process with the SSL service has timed"
01205 " out!\n", prog);
01206 break;
01207
01208 }
01209
01210 if (!handle_connection_error(ssl_error, ssl, "recv_ssl_socket()")) {
01211
01212 break;
01213
01214 }
01215 }
01216
01217 return ssl_error;
01218
01219 #else
01220
01221 return -1;
01222
01223 #endif
01224
01225 }
01226
01227
01235 char *gets_ssl_socket(ssl_connection *ssl, char *buffer, int len ) {
01236
01237 #ifdef HAVE_OPENSSL
01238
01239 int i=0;
01240 char c;
01241
01242 ASSERT(ssl);
01243 ASSERT(buffer);
01244
01245 while(i <= len - 1) {
01246
01247 switch ( recv_ssl_socket(ssl, (void *) &c, 1)) {
01248
01249 case 1:
01250
01251 buffer[i]=c;
01252 break;
01253
01254 case 0:
01255
01256 goto eot;
01257
01258 default:
01259
01260 return NULL;
01261
01262 }
01263
01264 if (c=='\n') {
01265
01266 buffer[i+1]='\0';
01267 goto eot;
01268
01269 }
01270
01271 i++;
01272
01273 }
01274
01275 eot:
01276
01277 return buffer;
01278
01279 #else
01280
01281 return NULL;
01282
01283 #endif
01284
01285 }
01286
01287
01295 int printf_ssl_socket(ssl_connection *ssl, const char *format, ...) {
01296
01297 #ifdef HAVE_OPENSSL
01298
01299 char msg[STRLEN];
01300 int len;
01301
01302 va_list ap;
01303
01304 ASSERT(ssl);
01305 ASSERT(format);
01306
01307 va_start(ap,format);
01308 len=vsnprintf(msg, STRLEN, format, ap);
01309 va_end(ap);
01310
01311 return send_ssl_socket(ssl, msg, len);
01312
01313 #else
01314
01315 return 0;
01316
01317 #endif
01318
01319 }
01320
01321
01327 int start_ssl() {
01328
01329 #ifdef HAVE_OPENSSL
01330
01331 if (! ssl_initilized ) {
01332
01333 ssl_initilized=TRUE;
01334 ERR_load_crypto_strings();
01335 return (ssl_thread_start() && SSL_library_init() && ssl_entropy_start());
01336
01337 } else {
01338
01339 return TRUE;
01340
01341 }
01342
01343 #else
01344
01345 return FALSE;
01346
01347 #endif
01348
01349 }
01350
01351
01356 int stop_ssl() {
01357
01358 #ifdef HAVE_OPENSSL
01359
01360 if ( ssl_initilized ) {
01361
01362 ssl_initilized=FALSE;
01363 ERR_free_strings();
01364 return (ssl_thread_stop() && ssl_entropy_stop());
01365
01366 } else {
01367
01368 return TRUE;
01369
01370 }
01371
01372 #else
01373
01374 return FALSE;
01375
01376 #endif
01377
01378 }
01379
01384 void config_ssl(int conf_allow_self_cert) {
01385
01386 #ifdef HAVE_OPENSSL
01387
01388 allow_self_certfication= conf_allow_self_cert;
01389
01390 #endif
01391
01392 return;
01393
01394 }
01395
01400 ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) {
01401
01402 #ifdef HAVE_OPENSSL
01403
01404 ssl_connection *ssl = (ssl_connection *) NEW(ssl);
01405
01406 if (!ssl_initilized) {
01407
01408 start_ssl();
01409
01410 }
01411
01412 ssl->socket_bio= NULL;
01413 ssl->handler= NULL;
01414 ssl->cert= NULL;
01415 ssl->cipher= NULL;
01416 ssl->socket= 0;
01417 ssl->next = NULL;
01418 ssl->accepted = FALSE;
01419 ssl->cert_md5 = NULL;
01420 ssl->cert_md5_len = 0;
01421
01422 if(clientpemfile!=NULL) {
01423
01424 ssl->clientpemfile= xstrdup(clientpemfile);
01425
01426 } else {
01427
01428 ssl->clientpemfile= NULL;
01429
01430 }
01431
01432 switch (sslversion) {
01433
01434 case SSL_VERSION_AUTO:
01435
01436 ssl->method = SSLv23_client_method();
01437 break;
01438
01439 case SSL_VERSION_SSLV2:
01440
01441 ssl->method = SSLv2_client_method();
01442 break;
01443
01444 case SSL_VERSION_SSLV3:
01445
01446 ssl->method = SSLv3_client_method();
01447 break;
01448
01449 case SSL_VERSION_TLS:
01450
01451 ssl->method = TLSv1_client_method();
01452 break;
01453
01454 default:
01455
01456 error("%s: Unknown SSL version!\n", prog);
01457 goto sslerror;
01458
01459 }
01460
01461 if (ssl->method == NULL ) {
01462
01463 handle_ssl_error("new_ssl_connection()");
01464 error("%s: Cannot initilize SSL method!\n", prog);
01465 goto sslerror;
01466
01467 }
01468
01469 if ((ssl->ctx= SSL_CTX_new (ssl->method)) == NULL ) {
01470
01471 handle_ssl_error("new_ssl_connection()");
01472 error("%s: Cannot initilize SSL server certificate handler!\n", prog);
01473 goto sslerror;
01474
01475 }
01476
01477 if ( ssl->clientpemfile!=NULL ) {
01478
01479 if (SSL_CTX_use_certificate_file(ssl->ctx, ssl->clientpemfile,
01480 SSL_FILETYPE_PEM) <= 0) {
01481
01482 handle_ssl_error("new_ssl_connection()");
01483 error("%s: Cannot initilize SSL server certificate!\n", prog);
01484 goto sslerror;
01485
01486 }
01487
01488 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile,
01489 SSL_FILETYPE_PEM) <= 0) {
01490
01491 handle_ssl_error("new_ssl_connection()");
01492 error("%s: Cannot initilize SSL server private key!\n", prog);
01493 goto sslerror;
01494
01495 }
01496
01497 if (!SSL_CTX_check_private_key(ssl->ctx)) {
01498
01499 handle_ssl_error("new_ssl_connection()");
01500 error("%s: Private key does not match the certificate public key!\n",
01501 prog);
01502 goto sslerror;
01503
01504 }
01505
01506 }
01507
01508
01509 return ssl;
01510
01511 sslerror:
01512
01513 delete_ssl_socket(ssl);
01514
01515 return NULL;
01516
01517 #else
01518
01519 return NULL;
01520
01521 #endif
01522
01523 }
01524
01525
01530 ssl_server_connection *new_ssl_server_connection(char * pemfile,
01531 char * clientpemfile) {
01532
01533 #ifdef HAVE_OPENSSL
01534
01535 ssl_server_connection *ssl_server =
01536 (ssl_server_connection *) NEW(ssl_server);
01537
01538 ASSERT(pemfile);
01539
01540 if (!ssl_initilized) {
01541
01542 start_ssl();
01543
01544 }
01545
01546 ssl_server->ctx= NULL;
01547 ssl_server->method= NULL;
01548 ssl_server->server_socket= 0;
01549 ssl_server->ssl_conn_list = NULL;
01550 ssl_server->pemfile=xstrdup(pemfile);
01551
01552 if(clientpemfile != NULL) {
01553
01554 ssl_server->clientpemfile= xstrdup(clientpemfile);
01555
01556 } else {
01557
01558 ssl_server->clientpemfile= NULL;
01559
01560 }
01561
01562 return ssl_server;
01563
01564 #else
01565
01566 return NULL;
01567
01568 #endif
01569
01570 }
01571
01572
01577 int have_ssl(void) {
01578
01579 #ifdef HAVE_OPENSSL
01580
01581 return HAVE_OPENSSL;
01582
01583 #else
01584
01585 return FALSE;
01586
01587 #endif
01588
01589 }
01590
01591
01592
01593 #ifdef HAVE_OPENSSL
01594
01598 static int verify_init(ssl_server_connection *ssl_server) {
01599
01600 struct stat stat_buf;
01601
01602 if (ssl_server->clientpemfile==NULL) {
01603
01604 allow_any_purpose= TRUE;
01605 SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER ,
01606 verify_callback_noclientcert);
01607 goto end_success;
01608
01609 }
01610
01611 if ( -1 == stat(ssl_server->clientpemfile, &stat_buf )) {
01612
01613 error("%s: Cannot stat the SSL pem path '%s' -- %s\n",
01614 prog, Run.httpsslclientpem, STRERROR);
01615
01616 goto end_error;
01617
01618 }
01619
01620 if (S_ISDIR(stat_buf.st_mode)) {
01621
01622 if (!SSL_CTX_load_verify_locations(ssl_server->ctx, NULL ,
01623 ssl_server->clientpemfile)) {
01624
01625 handle_ssl_error("verify_init()");
01626 error("%s: Error setting verify directory to %s\n",
01627 Run.httpsslclientpem);
01628
01629 goto end_error;
01630
01631 }
01632
01633 log("Loaded SSL client pem directory '%s'\n", ssl_server->clientpemfile);
01634
01635
01636
01637 if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile,
01638 NULL)) {
01639
01640 handle_ssl_error("verify_init()");
01641 error("%s: Error loading verify certificates from %s\n",
01642 prog, ssl_server->pemfile);
01643
01644 goto end_error;
01645
01646 }
01647
01648 log("Loaded monit's SSL pem server file '%s'\n", ssl_server->pemfile);
01649
01650 } else if (S_ISREG(stat_buf.st_mode)) {
01651
01652 if(!SSL_CTX_load_verify_locations(ssl_server->ctx,
01653 ssl_server->clientpemfile,
01654 NULL)) {
01655
01656 handle_ssl_error("verify_init()");
01657 error("%s: Error loading verify certificates from %s\n",
01658 prog, Run.httpsslclientpem);
01659
01660 goto end_error;
01661
01662 }
01663
01664 log("Loaded SSL pem client file '%s'\n", ssl_server->clientpemfile);
01665
01666
01667
01668 if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile,
01669 NULL)) {
01670
01671 handle_ssl_error("verify_init()");
01672 error("%s: Error loading verify certificates from %s\n",
01673 prog, ssl_server->pemfile);
01674
01675 goto end_error;
01676
01677 }
01678
01679 log("Loaded monit's SSL pem server file '%s'\n", ssl_server->pemfile);
01680
01681 SSL_CTX_set_client_CA_list(ssl_server->ctx,
01682 SSL_load_client_CA_file(ssl_server->clientpemfile));
01683
01684 } else {
01685
01686 error("%s: SSL client pem path is no file or directory %s\n",
01687 prog, ssl_server->clientpemfile);
01688
01689 goto end_error;
01690
01691 }
01692
01693 allow_any_purpose= FALSE;
01694 SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER , verify_callback);
01695
01696 end_success:
01697
01698 return TRUE;
01699
01700 end_error:
01701
01702 return FALSE;
01703 }
01704
01705
01709 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
01710
01711 char subject[STRLEN];
01712 X509_OBJECT found_cert;
01713
01714 X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject, STRLEN);
01715
01716 if(!preverify_ok) {
01717
01718 if (!check_preverify(ctx)) {
01719
01720 goto reject;
01721
01722 }
01723
01724 }
01725
01726 if(ctx->error_depth==0 &&
01727 X509_STORE_get_by_subject(ctx, X509_LU_X509,
01728 X509_get_subject_name(ctx->current_cert),
01729 &found_cert)!=1) {
01730
01731 handle_ssl_error("verify_callback()");
01732 error("%s: SSL connection rejected. No matching certificate found.", prog);
01733
01734 goto reject;
01735
01736 }
01737
01738 return 1;
01739
01740 reject:
01741 return 0;
01742
01743 }
01744
01749 static int verify_callback_noclientcert(int preverify_ok,
01750 X509_STORE_CTX *ctx) {
01751
01752 char subject[STRLEN];
01753
01754 X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject, STRLEN);
01755
01756 if(!preverify_ok) {
01757
01758 if (!check_preverify(ctx)) {
01759
01760 goto reject;
01761
01762 }
01763
01764 }
01765
01766 return 1;
01767
01768 reject:
01769 return 0;
01770
01771 }
01772
01777 static int check_preverify(X509_STORE_CTX *ctx) {
01778
01779 if ((ctx->error != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) &&
01780 (ctx->error != X509_V_ERR_INVALID_PURPOSE)) {
01781
01782
01783
01784 error("%s: SSL connection rejected because certificate verification"
01785 " has failed -- Error %i\n", prog, ctx->error);
01786 return FALSE;
01787
01788 }
01789
01790
01791 if(allow_self_certfication &&
01792 (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
01793
01794
01795
01796 log("SSL connection accepted with self signed certificate!\n");
01797
01798 ctx->error=0;
01799 return TRUE;
01800
01801 }
01802
01803 if(allow_any_purpose &&
01804 (ctx->error == X509_V_ERR_INVALID_PURPOSE)) {
01805
01806
01807
01808 log("SSL connection accepted with invalid purpose!\n");
01809
01810 ctx->error=0;
01811 return TRUE;
01812
01813 }
01814
01815 error("%s: SSL connection rejected because certificate verification"
01816 " has failed -- Error %i!\n", prog, ctx->error);
01817 return FALSE;
01818
01819
01820 }
01821
01825 static void verify_info(ssl_server_connection *ssl_server) {
01826
01827 STACK_OF(X509_NAME) *stack;
01828
01829 stack=SSL_CTX_get_client_CA_list(ssl_server->ctx);
01830 log("Found %d certificates\n", sk_X509_NAME_num(stack));
01831
01832 }
01833
01834
01839 static int unsigned long ssl_thread_id(void) {
01840
01841 return ((unsigned long) pthread_self());
01842
01843 }
01844
01845
01849 static void ssl_mutex_lock(int mode, int n, const char *file, int line) {
01850
01851
01852 if(mode & CRYPTO_LOCK) {
01853
01854 pthread_mutex_lock( & ssl_mutex_table[n]);
01855
01856 } else {
01857
01858 pthread_mutex_unlock( & ssl_mutex_table[n]);
01859
01860 }
01861
01862 }
01863
01864
01869 static int ssl_thread_start(void) {
01870
01871 int i;
01872 ssl_mutex_table= xcalloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
01873 for(i= 0; i < CRYPTO_num_locks(); i++)
01874 pthread_mutex_init(&ssl_mutex_table[i], NULL);
01875 CRYPTO_set_id_callback(ssl_thread_id);
01876 CRYPTO_set_locking_callback(ssl_mutex_lock);
01877
01878 return TRUE;
01879
01880 }
01881
01882
01887 static int ssl_thread_stop(void) {
01888
01889 int i;
01890 CRYPTO_set_id_callback(NULL);
01891 CRYPTO_set_locking_callback(NULL);
01892 for(i= 0; i < CRYPTO_num_locks(); i++)
01893 pthread_mutex_destroy(&ssl_mutex_table[i]);
01894 free(ssl_mutex_table);
01895 ssl_mutex_table= NULL;
01896
01897 return TRUE;
01898
01899 }
01900
01901
01906 static int ssl_entropy_start(void) {
01907
01908 if(exist_file(URANDOM_DEVICE)) {
01909
01910 return(RAND_load_file(URANDOM_DEVICE, RANDOM_BYTES)==RANDOM_BYTES);
01911
01912 } else if(exist_file(RANDOM_DEVICE)) {
01913
01914 fprintf(stdout, "Gathering entropy from the random device. Please wait\n");
01915 fflush(stdout);
01916
01917 return(RAND_load_file(RANDOM_DEVICE, RANDOM_BYTES)==RANDOM_BYTES);
01918
01919 }
01920
01921 return FALSE;
01922
01923 }
01924
01925
01930 static int ssl_entropy_stop(void) {
01931
01932 RAND_cleanup();
01933
01934 return TRUE;
01935
01936 }
01937
01938
01943 static int handle_connection_error(int code, ssl_connection *ssl,
01944 char *operation) {
01945
01946 int ssl_error= 0;
01947
01948 switch ((ssl_error= SSL_get_error(ssl->handler, code))) {
01949
01950 case SSL_ERROR_WANT_READ:
01951 case SSL_ERROR_WANT_WRITE:
01952 return TRUE;
01953
01954 case SSL_ERROR_SYSCALL:
01955 error("%s: Openssl syscall error during %s: %s!\n", prog, operation,
01956 STRERROR);
01957 return FALSE;
01958
01959 case SSL_ERROR_SSL:
01960 handle_ssl_error(operation);
01961 return FALSE;
01962
01963 default:
01964 error("%s: Openssl error during %s!\n", prog, operation);
01965 return FALSE;
01966
01967 }
01968
01969 return FALSE;
01970 }
01971
01972
01976 static void handle_ssl_error(char *operation) {
01977
01978 error("%s: Openssl engine error during %s: %s\n", prog, operation, SSLERROR);
01979
01980 }
01981
01982 #endif