ssl.c

Go to the documentation of this file.
00001 /*
00002  * Copyright (C), 2000-2002 by Contributors to the monit codebase. 
00003  * All Rights Reserved.
00004  *
00005  * This program is free software; you can redistribute it and/or
00006  * modify it under the terms of the GNU General Public License as
00007  * published by the Free Software Foundation; either version 2 of the
00008  * License, or (at your option) any later version.
00009  *
00010  * This program is distributed in the hope that it will be useful, but
00011  * WITHOUT ANY WARRANTY; without even the implied warranty of
00012  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00013  * General Public License for more details.
00014  * 
00015  * You should have received a copy of the GNU General Public License
00016  * along with this program; if not, write to the Free Software Foundation,
00017  * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
00018  */
00019 
00020 /* client socket clean up -> close */
00021 /* close client socket */
00022 
00023 #include <config.h>
00024 #include <stdio.h>
00025 #include <memory.h>
00026 #include <time.h>
00027 
00028 #ifdef HAVE_SYS_TYPES_H
00029 #include <sys/types.h>
00030 #endif
00031 
00032 #ifdef HAVE_SYS_SOCKET_H
00033 #include <sys/socket.h>
00034 #endif
00035 
00036 #ifdef HAVE_NETINET_IN_H
00037 #include <netinet/in.h>
00038 #endif
00039 
00040 #ifdef HAVE_ARPA_INET_H
00041 #include <arpa/inet.h>
00042 #endif
00043 
00044 #ifdef HAVE_NETDB_H
00045 #include <netdb.h>
00046 #endif
00047 
00048 #ifdef HAVE_PTHREAD_H
00049 #include <pthread.h>
00050 #endif
00051 
00052 #ifdef HAVE_UNISTD_H
00053 #include <unistd.h>
00054 #endif
00055 
00056 #ifdef HAVE_ERRNO_H
00057 #include <errno.h>
00058 #endif
00059 
00060 #ifdef HAVE_STRING_H
00061 #include <string.h>
00062 #endif
00063 
00064 
00065 #ifdef HAVE_OPENSSL
00066 #include <openssl/crypto.h>
00067 #include <openssl/x509.h>
00068 #include <openssl/x509_vfy.h>
00069 #include <openssl/pem.h>
00070 #include <openssl/ssl.h>
00071 #include <openssl/err.h>
00072 #include <openssl/rand.h>
00073 #include <openssl/bio.h>
00074 #endif
00075 
00076 #include "monitor.h"
00077 #include "net.h"
00078 #include "ssl.h"
00079 
00080 #ifdef HAVE_OPENSSL
00081 
00082 /* Initialization code */
00083 static int ssl_thread_start(void);
00084 static int ssl_thread_stop(void);
00085 static int unsigned long ssl_thread_id(void);
00086 static void ssl_mutex_lock(int mode, int n, const char *file, int line);
00087 static int ssl_entropy_start(void);
00088 static int ssl_entropy_stop(void);
00089 
00090 static pthread_mutex_t   ssl_mutex= PTHREAD_MUTEX_INITIALIZER;
00091 static pthread_mutex_t *ssl_mutex_table;
00092 static int ssl_initilized= FALSE;
00093 
00094 /* Connection verification code */
00095 static int verify_init(ssl_server_connection *);
00096 static int verify_callback(int, X509_STORE_CTX *);
00097 static int verify_callback_noclientcert(int, X509_STORE_CTX *);
00098 static void verify_info(ssl_server_connection *);
00099 static int check_preverify(X509_STORE_CTX *);
00100 
00101 static int allow_self_certfication= FALSE;
00102 static int allow_any_purpose= FALSE;
00103 
00104 /* Error handling */
00105 static int handle_connection_error(int, ssl_connection *, char *);
00106 static void handle_ssl_error(char *);
00107 #define SSLERROR ERR_error_string(ERR_get_error(),NULL)
00108 
00109 #define ALLOW_ANY_PURPOSE
00110 
00111 #endif
00112 
00116 #define RANDOM_BYTES 1024
00117 
00122 #define URANDOM_DEVICE "/dev/urandom"
00123 
00128 #define RANDOM_DEVICE "/dev/random"
00129 
00130 
00143   /*
00144    * For some of the code I was enlightened by:
00145    *
00146    * An Introduction to OpenSSL Programming, Part I of II
00147    *
00148    * by Eric Rescorla
00149    * Linux Journal 9/2001
00150    * http://www.linuxjournal.com/article.php?sid=4822
00151    */
00152 
00153 /* ------------------------------------------------------------------ Public */
00154 
00155 
00161 int embed_ssl_socket (ssl_connection *ssl, int socket) {
00162 
00163 #ifdef HAVE_OPENSSL
00164 
00165   int ssl_error;
00166   time_t ssl_time;
00167   
00168   if ( ssl == NULL ) {
00169     
00170     return FALSE;
00171     
00172   }
00173   
00174   if (!ssl_initilized) {
00175     
00176     start_ssl();
00177 
00178   }
00179 
00180   if ( socket >= 0 ) {
00181     
00182     ssl->socket= socket;
00183 
00184   } else {
00185 
00186     error("%s: Socket error!\n", prog);
00187     goto sslerror;
00188   }
00189 
00190   if ((ssl->handler= SSL_new (ssl->ctx)) == NULL ) {
00191 
00192     handle_ssl_error("embed_ssl_socket()");
00193     error("%s: Cannot initialize the SSL handler!\n", prog);
00194     goto sslerror;
00195 
00196   }
00197 
00198   set_noblock(ssl->socket);
00199 
00200   if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
00201 
00202     handle_ssl_error("embed_ssl_socket()");
00203     error("%s: Cannot generate IO buffer!\n", prog);
00204     goto sslerror;
00205 
00206   }
00207 
00208   SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
00209 
00210   ssl_time=time(NULL);
00211 
00212   while((ssl_error= SSL_connect (ssl->handler)) < 0) {
00213 
00214     if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
00215 
00216       error("%s: The connection process with the SSL service timed out!\n",
00217         prog);
00218       goto sslerror;
00219     
00220     }
00221 
00222     if (!handle_connection_error(ssl_error, ssl, "embed_ssl_socket()")) {
00223 
00224       goto sslerror;
00225 
00226     }
00227 
00228   }
00229 
00230   ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
00231 
00232   if (! update_ssl_cert_data(ssl)) {
00233 
00234     error("%s: Cannot get the SSL server certificate!\n", 
00235       prog);
00236     goto sslerror;
00237 
00238   }
00239 
00240   return TRUE;
00241 
00242  sslerror:
00243 
00244   cleanup_ssl_socket(ssl);
00245   return FALSE;
00246 
00247 #else
00248 
00249   return FALSE;
00250 
00251 #endif
00252 } 
00253 
00254 
00260 int update_ssl_cert_data(ssl_connection *ssl) {
00261 
00262 #ifdef HAVE_OPENSSL
00263 
00264   unsigned char md5[EVP_MAX_MD_SIZE];
00265 
00266   ASSERT(ssl);
00267   
00268   if ((ssl->cert = SSL_get_peer_certificate (ssl->handler)) == NULL) {
00269 
00270     return FALSE;
00271 
00272   } 
00273 
00274   ssl->cert_issuer=X509_NAME_oneline (X509_get_issuer_name (ssl->cert),0,0);
00275   ssl->cert_subject=X509_NAME_oneline (X509_get_subject_name (ssl->cert),0,0);
00276   X509_digest(ssl->cert,EVP_md5(), md5, &ssl->cert_md5_len);
00277   ssl->cert_md5=xstrdup(md5);
00278 
00279   return TRUE;
00280 
00281 #else
00282 
00283   return FALSE;
00284 
00285 #endif
00286 
00287 }
00288 
00289 
00296 int check_ssl_md5sum(ssl_connection *ssl, char *md5sum) {
00297 
00298 #ifdef HAVE_OPENSSL
00299   int i= 0;
00300 
00301   ASSERT(md5sum);
00302 
00303   while (( i < ssl->cert_md5_len ) && 
00304      ( md5sum[2*i] != '\0' ) && 
00305      ( md5sum[2*i+1] != '\0' )) {
00306 
00307     unsigned char c= 
00308       (md5sum[2*i] > 57 ? md5sum[2*i] - 87 : md5sum[2*i] - 48) * 0x10+
00309       (md5sum[2*i+1] > 57 ? md5sum[2*i+1] - 87 : md5sum[2*i+1] - 48);
00310 
00311     if ( c!=ssl->cert_md5[i] ) {
00312 
00313       return FALSE;
00314       
00315     }
00316 
00317     i ++;
00318 
00319   }
00320 
00321 #endif
00322 
00323   return TRUE;
00324 
00325 }
00326 
00327 
00337 ssl_connection *create_ssl_socket(char *hostname, int port, int protocol) { 
00338 
00339 #ifdef HAVE_OPENSSL
00340 
00341   int socket;
00342   ssl_connection *ssl = new_ssl_connection(NULL);
00343 
00344   ASSERT(hostname);
00345 
00346   if (!ssl_initilized) {
00347 
00348     start_ssl();
00349 
00350   }
00351 
00352   if ((socket= create_socket(hostname, port, protocol)) == -1) {
00353 
00354     error("%s: Cannot connect!\n", prog);
00355     goto sslerror;
00356 
00357   }
00358 
00359   if (! embed_ssl_socket(ssl, socket)) {
00360 
00361     error("%s: Cannot embed socket!\n", prog);
00362 
00363     goto sslerror;
00364 
00365   }
00366 
00367   return ssl;
00368 
00369  sslerror:
00370 
00371   return NULL;
00372 
00373 #else
00374 
00375   return NULL;
00376 
00377 #endif
00378 
00379 }
00380 
00381 
00387 int close_ssl_socket(ssl_connection *ssl) {
00388 
00389 #ifdef HAVE_OPENSSL
00390 
00391   int error;
00392 
00393   if(ssl == NULL) {
00394 
00395     return FALSE;
00396 
00397   }
00398 
00399   if (! (error= SSL_shutdown (ssl->handler))) {
00400 
00401     shutdown(ssl->socket,1 );
00402     error= SSL_shutdown (ssl->handler);
00403 
00404   }
00405 
00406   close(ssl->socket);
00407   cleanup_ssl_socket(ssl);
00408 
00409   if ( error<=0 ) {
00410    
00411     return FALSE;
00412 
00413   } else {
00414 
00415     return TRUE;
00416 
00417   }
00418 
00419 #else
00420 
00421   return FALSE;
00422 
00423 #endif
00424 
00425 }
00426 
00427 
00433 int cleanup_ssl_socket(ssl_connection *ssl) {
00434 
00435 #ifdef HAVE_OPENSSL
00436 
00437   if(ssl==NULL) {
00438 
00439     return FALSE;
00440 
00441   }
00442 
00443   if (ssl->cert != NULL) {
00444 
00445     X509_free(ssl->cert);
00446     ssl->cert= NULL;
00447 
00448   }
00449 
00450   if (ssl->handler != NULL) {
00451     
00452     SSL_free(ssl->handler);
00453     ssl->handler= NULL;
00454 
00455   }
00456 
00457   if (ssl->socket_bio != NULL) {
00458     
00459     /* 
00460      * no BIO_free(ssl->socket_bio); necessary, because BIO is freed
00461      * by ssl->handler
00462      */
00463 
00464     ssl->socket_bio= NULL;
00465 
00466   }
00467 
00468   if (ssl->cert_issuer != NULL) {
00469 
00470     free(ssl->cert_issuer);
00471     ssl->cert_issuer= NULL;
00472 
00473   }
00474 
00475   if (ssl->cert_subject != NULL) {
00476 
00477     free(ssl->cert_subject);
00478     ssl->cert_subject= NULL;
00479 
00480   }
00481 
00482   if (ssl->cert_md5 != NULL) {
00483 
00484     free(ssl->cert_md5);
00485     ssl->cert_md5= NULL;
00486 
00487   }
00488 
00489   if(ssl->clientpemfile!=NULL) {
00490 
00491     free(ssl->clientpemfile);
00492     ssl->clientpemfile= NULL;
00493 
00494   }
00495 
00496   return TRUE;
00497 
00498 #else
00499 
00500   return FALSE;
00501 
00502 #endif
00503 
00504 }
00505 
00506 
00512 int delete_ssl_socket(ssl_connection *ssl) {
00513 
00514 #ifdef HAVE_OPENSSL
00515 
00516   if(ssl==NULL) {
00517 
00518     return FALSE;
00519 
00520   }
00521 
00522   cleanup_ssl_socket(ssl);
00523 
00524   if((ssl->ctx != NULL) && (! ssl->accepted)) {
00525 
00526     SSL_CTX_free(ssl->ctx);
00527     
00528   }
00529 
00530   free(ssl);
00531 
00532   return TRUE;
00533 
00534 #else
00535 
00536   return TRUE;
00537 
00538 #endif
00539 
00540 }
00541 
00542 
00548 ssl_server_connection *init_ssl_server (char *pemfile, char *clientpemfile) {
00549 
00550 #ifdef HAVE_OPENSSL
00551 
00552   ssl_server_connection *ssl_server = new_ssl_server_connection(pemfile, 
00553                                 clientpemfile);
00554 
00555   ASSERT(pemfile);
00556 
00557   if (!ssl_initilized) {
00558 
00559     start_ssl();
00560 
00561   }
00562   
00563   if ((ssl_server->method= SSLv23_server_method()) == NULL ) {
00564 
00565     handle_ssl_error("init_ssl_server()");
00566     error("%s: Cannot initialize the SSL method to use!\n", prog);
00567     goto sslerror;
00568 
00569   }
00570 
00571   if ((ssl_server->ctx= SSL_CTX_new(ssl_server->method)) == NULL ) {
00572 
00573     handle_ssl_error("init_ssl_server()");
00574     error("%s: Cannot initialize the SSL server's certificate handler!\n"
00575       , prog);
00576     goto sslerror;
00577 
00578   }
00579 
00580   if (SSL_CTX_use_certificate_file(ssl_server->ctx, pemfile, 
00581                    SSL_FILETYPE_PEM) <= 0) {
00582 
00583     handle_ssl_error("init_ssl_server()");
00584     error("%s: Cannot initialize the SSL server's certificate!\n", prog);
00585     goto sslerror;
00586 
00587   }
00588 
00589   if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile, 
00590                   SSL_FILETYPE_PEM) <= 0) {
00591 
00592     handle_ssl_error("init_ssl_server()");
00593     error("%s: Cannot initialize the SSL server's private key!\n", prog);
00594     goto sslerror;
00595 
00596   }
00597 
00598   if (!SSL_CTX_check_private_key(ssl_server->ctx)) {
00599 
00600     handle_ssl_error("init_ssl_server()");
00601     error("%s: The private key does not match the certificate public key!\n", 
00602       prog);
00603     goto sslerror;
00604 
00605   }
00606 
00607   /*
00608    * We need this to force transmission of client certs
00609    */
00610   if (!verify_init(ssl_server)) {
00611 
00612     handle_ssl_error("init_ssl_server()");
00613     error("%s: Verification engine was not properly initilized!\n", prog);
00614     goto sslerror;
00615 
00616   }
00617   verify_info(ssl_server);
00618 
00619   return ssl_server;
00620 
00621  sslerror:
00622 
00623   cleanup_ssl_server_socket(ssl_server);
00624   return NULL;
00625 
00626 #else
00627 
00628   return NULL;
00629 
00630 #endif
00631 
00632 }
00633 
00634 
00645 ssl_server_connection *create_ssl_server_socket(char *pemfile, int port, 
00646                         int backlog, 
00647                         char *bindAddr,
00648                         char *clientpemfile) {
00649 
00650 #ifdef HAVE_OPENSSL
00651   
00652   int socket;
00653   ssl_server_connection *ssl_server;
00654 
00655   ASSERT(pemfile);
00656   ASSERT(bindAddr);
00657 
00658   if (!ssl_initilized) {
00659 
00660     start_ssl();
00661 
00662   }
00663 
00664   if ((socket= create_server_socket(port, backlog, bindAddr)) == -1) {
00665 
00666     error("%s: Cannot connect!\n", prog);
00667     goto sslerror;
00668 
00669   }
00670 
00671   if (( ssl_server= init_ssl_server(pemfile, clientpemfile)) == NULL) {
00672 
00673     goto sslerror;
00674 
00675   }
00676   
00677   ssl_server->server_socket=socket;
00678 
00679   return ssl_server;
00680 
00681  sslerror:
00682 
00683   return NULL;
00684 
00685 #else
00686 
00687   return FALSE;
00688 
00689 #endif 
00690  
00691 }
00692 
00693 
00699 int close_ssl_server_socket(ssl_server_connection *ssl_server) {
00700 
00701 #ifdef HAVE_OPENSSL
00702 
00703   if (ssl_server==NULL) {
00704 
00705     return FALSE;
00706 
00707   }
00708 
00709   close(ssl_server->server_socket);
00710   cleanup_ssl_server_socket(ssl_server);
00711 
00712   return TRUE;
00713 
00714 #else
00715   
00716   return FALSE;
00717 
00718 #endif
00719 }
00720 
00721 
00727 int cleanup_ssl_server_socket(ssl_server_connection *ssl_server) {
00728 
00729 #ifdef HAVE_OPENSSL
00730 
00731   ssl_connection *ssl;
00732 
00733   if(ssl_server==NULL) {
00734 
00735     return FALSE;
00736 
00737   }
00738 
00739   if(ssl_server->pemfile!=NULL) {
00740 
00741     free(ssl_server->pemfile);
00742     ssl_server->pemfile= NULL;
00743 
00744   }
00745 
00746   if(ssl_server->clientpemfile!=NULL) {
00747 
00748     free(ssl_server->clientpemfile);
00749     ssl_server->clientpemfile= NULL;
00750 
00751   }
00752 
00753   while (ssl_server->ssl_conn_list!=NULL) {
00754     
00755     ssl = ssl_server->ssl_conn_list;
00756 
00757     ssl_server->ssl_conn_list=ssl_server->ssl_conn_list->next;
00758     
00759     close_accepted_ssl_socket(ssl_server, ssl);
00760     delete_ssl_socket(ssl);
00761     
00762   }
00763 
00764   return TRUE;
00765 
00766 #else
00767 
00768   return TRUE;
00769 
00770 #endif
00771 
00772 }
00773 
00774 
00780 int delete_ssl_server_socket(ssl_server_connection *ssl_server) {
00781 
00782 #ifdef HAVE_OPENSSL
00783 
00784   if(ssl_server==NULL) {
00785 
00786     return FALSE;
00787 
00788   }
00789 
00790   cleanup_ssl_server_socket(ssl_server);
00791 
00792   if (ssl_server->ctx != NULL) {
00793 
00794     SSL_CTX_free(ssl_server->ctx);
00795 
00796   }
00797 
00798   free(ssl_server);
00799 
00800   return TRUE;
00801 
00802 #else
00803 
00804   return TRUE;
00805 
00806 #endif
00807 
00808 }
00809 
00810 
00816 ssl_connection *insert_accepted_ssl_socket(ssl_server_connection *ssl_server) {
00817 
00818 #ifdef HAVE_OPENSSL
00819 
00820   ssl_connection *ssl;
00821 
00822   ASSERT(ssl_server);
00823 
00824   ssl= (ssl_connection *) NEW(ssl);
00825 
00826   if (!ssl_initilized) {
00827 
00828     start_ssl();
00829 
00830   }
00831 
00832   ssl->method= NULL;
00833   ssl->handler= NULL;
00834   ssl->cert= NULL;
00835   ssl->cipher= NULL;
00836   ssl->socket= 0;
00837   ssl->next= NULL;
00838   ssl->accepted= FALSE;
00839   ssl->cert_md5= NULL;
00840   ssl->cert_md5_len= 0;
00841   ssl->clientpemfile= NULL;
00842 
00843   if(ssl_server->clientpemfile!=NULL) {
00844 
00845     ssl->clientpemfile= xstrdup(ssl_server->clientpemfile);
00846 
00847   }
00848 
00849   if(( ssl_server == NULL ) || (ssl == NULL)) {
00850 
00851     return NULL;
00852 
00853   }
00854 
00855   LOCK(ssl_mutex);
00856 
00857   ssl->prev=NULL;
00858   ssl->next=ssl_server->ssl_conn_list;
00859 
00860   if( ssl->next != NULL ) {
00861 
00862     ssl->next->prev=ssl;
00863 
00864   }
00865 
00866   END_LOCK;
00867 
00868   ssl_server->ssl_conn_list=ssl;
00869   ssl->ctx=ssl_server->ctx;
00870   ssl->accepted=TRUE;
00871 
00872   return ssl;
00873 
00874 #else
00875 
00876   return NULL;
00877 
00878 #endif
00879 
00880 }
00881 
00882 
00890 int close_accepted_ssl_socket(ssl_server_connection *ssl_server, 
00891                   ssl_connection *ssl) {
00892 
00893 #ifdef HAVE_OPENSSL
00894 
00895   int return_value= TRUE;
00896 
00897   if ((ssl == NULL) ||  (ssl_server == NULL)) {
00898     return FALSE;
00899   }
00900 
00901   if (close(ssl->socket) < 0) {
00902 
00903     return_value= FALSE;
00904 
00905   } 
00906 
00907   if (! delete_accepted_ssl_socket(ssl_server,  ssl)) {
00908 
00909     return_value= FALSE;
00910 
00911   } 
00912 
00913   return return_value;
00914 
00915 #else
00916 
00917   return FALSE;
00918 
00919 #endif
00920 
00921 }
00922 
00923 
00931 int delete_accepted_ssl_socket (ssl_server_connection *ssl_server, 
00932                 ssl_connection *ssl) {
00933 
00934 #ifdef HAVE_OPENSSL
00935 
00936   int return_value= TRUE;
00937 
00938   if ((ssl == NULL) ||  (ssl_server == NULL)) {
00939     return FALSE;
00940   }
00941 
00942   LOCK(ssl_mutex);
00943 
00944   if ( ssl->prev == NULL ) {
00945 
00946     ssl_server->ssl_conn_list=ssl->next;
00947 
00948   } else {
00949 
00950     ssl->prev->next=ssl->next;
00951 
00952   }
00953 
00954   END_LOCK;  
00955 
00956   if(! cleanup_ssl_socket(ssl)) {
00957 
00958     return_value= FALSE;
00959 
00960   }
00961      
00962   if (! delete_ssl_socket(ssl)) {
00963 
00964     return_value= FALSE;
00965 
00966   }
00967 
00968   return return_value;
00969 
00970 #else
00971 
00972   return FALSE;
00973 
00974 #endif
00975 
00976 }
00977 
00978 
00985 int embed_accepted_ssl_socket(ssl_connection *ssl, int socket) {
00986 
00987 #ifdef HAVE_OPENSSL
00988 
00989   int ssl_error;
00990   time_t ssl_time;
00991 
00992   ASSERT(ssl);
00993   
00994   ssl->socket=socket;
00995 
00996   if(!ssl_initilized) {
00997 
00998     start_ssl();
00999 
01000   }
01001 
01002   if((ssl->handler= SSL_new(ssl->ctx)) == NULL) { 
01003  
01004     handle_ssl_error("embed_accepted_ssl_socket()");
01005     error("%s: Cannot initialize the SSL handler!\n", prog); 
01006     goto sslerror;
01007 
01008   } 
01009 
01010   if(socket < 0) {
01011 
01012     error("Socket error!\n");
01013     goto sslerror;
01014 
01015   }
01016 
01017   set_noblock(ssl->socket);
01018 
01019   if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
01020 
01021     handle_ssl_error("embed_accepted_ssl_socket()");
01022     error("%s: Cannot generate IO buffer!\n", prog);
01023     goto sslerror;
01024 
01025   }
01026 
01027   SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
01028 
01029   ssl_time= time(NULL);
01030   
01031   while((ssl_error= SSL_accept(ssl->handler)) < 0) {
01032 
01033     if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01034 
01035       error("%s: The connection process with the SSL service timed out!\n", 
01036         prog);
01037       goto sslerror;
01038       
01039     }
01040 
01041     if (!handle_connection_error(ssl_error, ssl, 
01042                  "embed_accepted_ssl_socket()")) {
01043 
01044       goto sslerror;
01045 
01046     }
01047 
01048   }
01049 
01050   ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
01051 
01052   if(!update_ssl_cert_data(ssl) && (ssl->clientpemfile != NULL)) {
01053 
01054     error("%s: The client did not supply a required client certificate!\n", 
01055       prog);
01056     goto sslerror;
01057 
01058   }
01059 
01060   if (SSL_get_verify_result(ssl->handler)>0) {
01061 
01062     error("%s: Verification of the certificate has failed!\n", 
01063       prog);
01064     goto sslerror;
01065 
01066   }
01067 
01068   return TRUE;
01069 
01070  sslerror:
01071 
01072   return FALSE;
01073 
01074 #else
01075   
01076   return FALSE;
01077 
01078 #endif
01079 
01080 }
01081 
01082 
01088 ssl_connection *accept_ssl_socket(ssl_server_connection *ssl_server) {
01089 
01090 #ifdef HAVE_OPENSSL
01091 
01092   int no_crypt_socket;
01093   int len= sizeof(struct sockaddr_in);
01094   struct sockaddr_in in;
01095 
01096   ASSERT(ssl_server);
01097   
01098   no_crypt_socket= accept(ssl_server->server_socket, (struct sockaddr*)&in, 
01099               &len);
01100 
01101   if(no_crypt_socket >= 0) {
01102     
01103     ssl_connection *ssl = insert_accepted_ssl_socket(ssl_server);
01104     
01105     if(ssl == NULL) {
01106 
01107       return NULL;
01108 
01109     }
01110 
01111     if(embed_accepted_ssl_socket(ssl, no_crypt_socket)) {
01112 
01113       return ssl;
01114 
01115     } else {
01116 
01117       close_accepted_ssl_socket(ssl_server, ssl);
01118       return NULL;
01119 
01120     }
01121 
01122   } else {
01123 
01124     return NULL;
01125 
01126   }
01127 
01128 #else
01129   
01130   return NULL;
01131 
01132 #endif
01133 
01134 }
01135 
01136 
01144 int send_ssl_socket(ssl_connection *ssl, void *buffer, int len) {
01145 
01146 #ifdef HAVE_OPENSSL
01147   int ssl_error;
01148   time_t ssl_time= time(NULL);
01149 
01150   ASSERT(ssl);
01151 
01152 
01153   while((ssl_error= SSL_write (ssl->handler, (void *) buffer, len))  < 0) {
01154 
01155     if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01156 
01157       error("%s: The connection process with the SSL service has timed"
01158         " out!\n", prog);
01159       break;
01160       
01161     }
01162 
01163     if (!handle_connection_error(ssl_error, ssl, "send_ssl_socket()")) {
01164 
01165       break;
01166 
01167     }
01168 
01169   }
01170 
01171   return ssl_error;
01172 
01173 #else
01174 
01175   return -1;
01176   
01177 #endif
01178 
01179 }
01180 
01181 
01189 int recv_ssl_socket(ssl_connection *ssl, void *buffer, int len) {
01190 
01191 #ifdef HAVE_OPENSSL
01192   int ssl_error;
01193   time_t ssl_time= time(NULL);
01194 
01195   ASSERT(ssl);
01196 
01197   while((ssl_error= SSL_read(ssl->handler, (void *) buffer, len))  < 0) {
01198     
01199     if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01200 
01201       error("%s: The connection process with the SSL service has timed"
01202         " out!\n", prog);
01203       break;
01204       
01205     }
01206 
01207     if (!handle_connection_error(ssl_error, ssl, "recv_ssl_socket()")) {
01208 
01209       break;
01210 
01211     }
01212   }
01213 
01214   return ssl_error;
01215 
01216 #else
01217 
01218   return -1;
01219   
01220 #endif
01221 
01222 }
01223 
01224 
01232 char *gets_ssl_socket(ssl_connection *ssl, char *buffer, int len ) {
01233 
01234 #ifdef HAVE_OPENSSL
01235 
01236   int i=0;
01237   char c;
01238 
01239   ASSERT(ssl);
01240   ASSERT(buffer);
01241 
01242   while(i <= len - 1) {
01243 
01244     switch ( recv_ssl_socket(ssl, (void *) &c, 1)) {
01245       
01246     case 1:
01247 
01248       buffer[i]=c;
01249       break;
01250 
01251     case 0:
01252 
01253       goto eot;
01254 
01255     default:
01256 
01257       return NULL;
01258 
01259     }
01260 
01261     if (c=='\n') {
01262       
01263       buffer[i+1]='\0';
01264       goto eot;
01265 
01266     }
01267 
01268     i++;
01269 
01270   }
01271 
01272  eot:
01273 
01274   return buffer;
01275 
01276 #else
01277     
01278   return NULL;
01279   
01280 #endif
01281 
01282 }
01283 
01284 
01292 int printf_ssl_socket(ssl_connection *ssl, const char *format, ...) {
01293 
01294 #ifdef HAVE_OPENSSL
01295   
01296   char msg[STRLEN];
01297   int len;
01298 
01299   va_list ap;
01300 
01301   ASSERT(ssl);
01302   ASSERT(format);
01303 
01304   va_start(ap,format);
01305   len=vsnprintf(msg, STRLEN, format, ap);
01306   va_end(ap);
01307 
01308   return send_ssl_socket(ssl, msg, len);  
01309 
01310 #else
01311 
01312   return 0;
01313   
01314 #endif
01315   
01316 }
01317 
01318 
01324 int start_ssl() {
01325 
01326 #ifdef HAVE_OPENSSL
01327 
01328   if (! ssl_initilized ) {
01329 
01330     ssl_initilized=TRUE;
01331     ERR_load_crypto_strings();
01332     return (ssl_thread_start() && SSL_library_init() && ssl_entropy_start());
01333 
01334   } else {
01335 
01336     return TRUE;
01337 
01338   }
01339 
01340 #else
01341 
01342   return FALSE;
01343 
01344 #endif
01345 
01346 }
01347 
01348 
01353 int stop_ssl() {
01354 
01355 #ifdef HAVE_OPENSSL
01356 
01357   if ( ssl_initilized ) {
01358 
01359     ssl_initilized=FALSE;
01360     ERR_free_strings();
01361     return (ssl_thread_stop() && ssl_entropy_stop());
01362 
01363   } else {
01364 
01365     return TRUE;
01366 
01367   }
01368 
01369 #else
01370 
01371   return FALSE;
01372 
01373 #endif
01374 
01375 }
01376 
01381 void config_ssl(int conf_allow_self_cert) {
01382 
01383 #ifdef HAVE_OPENSSL
01384 
01385   allow_self_certfication= conf_allow_self_cert;
01386 
01387 #endif
01388 
01389   return;
01390 
01391 }
01392 
01397 ssl_connection *new_ssl_connection(char *clientpemfile) {
01398 
01399 #ifdef HAVE_OPENSSL
01400 
01401   ssl_connection *ssl = (ssl_connection *) NEW(ssl);
01402 
01403   if (!ssl_initilized) {
01404 
01405     start_ssl();
01406 
01407   }
01408 
01409   ssl->socket_bio= NULL; 
01410   ssl->handler= NULL;
01411   ssl->cert= NULL;
01412   ssl->cipher= NULL;
01413   ssl->socket= 0;
01414   ssl->next = NULL;
01415   ssl->accepted = FALSE;
01416   ssl->cert_md5 = NULL;
01417   ssl->cert_md5_len = 0;
01418   
01419   if(clientpemfile!=NULL) {
01420 
01421     ssl->clientpemfile= xstrdup(clientpemfile);
01422 
01423   } else {
01424 
01425     ssl->clientpemfile= NULL;
01426 
01427   }
01428 
01429   if ((ssl->method= SSLv23_client_method()) == NULL ) {
01430 
01431     handle_ssl_error("new_ssl_connection()");
01432     error("%s: Cannot initilize SSL method!\n", prog);
01433     goto sslerror;
01434 
01435   } 
01436 
01437   if ((ssl->ctx= SSL_CTX_new (ssl->method)) == NULL ) {
01438 
01439     handle_ssl_error("new_ssl_connection()");
01440     error("%s: Cannot initilize SSL server certificate handler!\n", prog);
01441     goto sslerror;
01442 
01443   }
01444 
01445   if ( ssl->clientpemfile!=NULL ) {
01446 
01447     if (SSL_CTX_use_certificate_file(ssl->ctx, ssl->clientpemfile, 
01448                      SSL_FILETYPE_PEM) <= 0) {
01449 
01450       handle_ssl_error("new_ssl_connection()");
01451       error("%s: Cannot initilize SSL server certificate!\n", prog);
01452       goto sslerror;
01453       
01454     }
01455 
01456     if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile, 
01457                     SSL_FILETYPE_PEM) <= 0) {
01458 
01459       handle_ssl_error("new_ssl_connection()");
01460       error("%s: Cannot initilize SSL server private key!\n", prog);
01461       goto sslerror;
01462 
01463     }
01464 
01465     if (!SSL_CTX_check_private_key(ssl->ctx)) {
01466 
01467       handle_ssl_error("new_ssl_connection()");
01468       error("%s: Private key does not match the certificate public key!\n", 
01469         prog);
01470       goto sslerror;
01471 
01472     }
01473 
01474   }
01475 
01476 
01477   return ssl;
01478 
01479  sslerror:
01480 
01481   delete_ssl_socket(ssl);
01482 
01483   return NULL;
01484 
01485 #else
01486 
01487   return NULL;
01488 
01489 #endif
01490 
01491 }
01492 
01493 
01498 ssl_server_connection *new_ssl_server_connection(char * pemfile, 
01499                          char * clientpemfile) {
01500 
01501 #ifdef HAVE_OPENSSL
01502 
01503   ssl_server_connection *ssl_server = 
01504     (ssl_server_connection *) NEW(ssl_server);
01505 
01506   ASSERT(pemfile);
01507 
01508   if (!ssl_initilized) {
01509 
01510     start_ssl();
01511 
01512   }
01513 
01514   ssl_server->ctx= NULL;
01515   ssl_server->method= NULL;
01516   ssl_server->server_socket= 0;
01517   ssl_server->ssl_conn_list = NULL;
01518   ssl_server->pemfile=xstrdup(pemfile);
01519 
01520   if(clientpemfile != NULL) {
01521     
01522     ssl_server->clientpemfile= xstrdup(clientpemfile);
01523 
01524   } else {
01525 
01526     ssl_server->clientpemfile= NULL;
01527 
01528   }
01529   
01530   return ssl_server;
01531 
01532 #else
01533 
01534   return NULL;
01535 
01536 #endif
01537 
01538 }
01539 
01540 
01545 int have_ssl(void) {
01546 
01547 #ifdef HAVE_OPENSSL
01548 
01549   return HAVE_OPENSSL;
01550 
01551 #else
01552 
01553   return FALSE;
01554 
01555 #endif
01556 
01557 }
01558 
01559 /* ----------------------------------------------------------------- Private */
01560 
01561 #ifdef HAVE_OPENSSL
01562 
01566 static int verify_init(ssl_server_connection *ssl_server) {
01567 
01568   struct stat stat_buf;
01569 
01570   if (ssl_server->clientpemfile==NULL) {
01571 
01572     allow_any_purpose= TRUE;
01573     SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER , 
01574                verify_callback_noclientcert);
01575     goto end_success; /* No verification, but we have to call the callback! */
01576 
01577   }
01578 
01579   if ( -1 == stat(ssl_server->clientpemfile, &stat_buf )) {
01580 
01581     error("%s: Cannot stat the SSL pem path '%s' -- %s\n",
01582       prog, Run.httpsslclientpem, STRERROR);
01583 
01584     goto end_error;
01585 
01586   }
01587   
01588   if (S_ISDIR(stat_buf.st_mode)) {
01589 
01590     if (!SSL_CTX_load_verify_locations(ssl_server->ctx, NULL ,
01591                        ssl_server->clientpemfile)) {
01592 
01593       handle_ssl_error("verify_init()");
01594       error("%s: Error setting verify directory to %s\n", 
01595         Run.httpsslclientpem);
01596 
01597       goto end_error;
01598 
01599     }
01600 
01601     log("Loaded SSL client pem directory '%s'\n", ssl_server->clientpemfile);
01602 
01603     /* Monits server cert for cli support ! */
01604 
01605     if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile, 
01606                       NULL)) {
01607 
01608       handle_ssl_error("verify_init()");
01609       error("%s: Error loading verify certificates from %s\n",
01610         prog, ssl_server->pemfile);
01611 
01612       goto end_error;
01613 
01614     }
01615 
01616     log("Loaded monit's SSL pem server file '%s'\n", ssl_server->pemfile);
01617 
01618   } else if (S_ISREG(stat_buf.st_mode)) {
01619 
01620     if(!SSL_CTX_load_verify_locations(ssl_server->ctx, 
01621                       ssl_server->clientpemfile, 
01622                       NULL)) {
01623 
01624       handle_ssl_error("verify_init()");
01625       error("%s: Error loading verify certificates from %s\n",
01626         prog, Run.httpsslclientpem);
01627 
01628       goto end_error;
01629 
01630     }
01631 
01632     log("Loaded SSL pem client file '%s'\n", ssl_server->clientpemfile);
01633 
01634     /* Monits server cert for cli support ! */
01635 
01636     if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile, 
01637                       NULL)) {
01638 
01639       handle_ssl_error("verify_init()");
01640       error("%s: Error loading verify certificates from %s\n",
01641         prog, ssl_server->pemfile);
01642 
01643       goto end_error;
01644 
01645     }
01646 
01647     log("Loaded monit's SSL pem server file '%s'\n", ssl_server->pemfile);
01648 
01649     SSL_CTX_set_client_CA_list(ssl_server->ctx,
01650                    SSL_load_client_CA_file(ssl_server->clientpemfile));
01651 
01652   } else {
01653 
01654     error("%s: SSL client pem path is no file or directory %s\n",
01655       prog, ssl_server->clientpemfile);
01656 
01657     goto end_error;
01658 
01659   }
01660 
01661   allow_any_purpose= FALSE;
01662   SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER , verify_callback);
01663 
01664  end_success:
01665   
01666   return TRUE;
01667 
01668  end_error:
01669 
01670   return FALSE;
01671 }
01672 
01673 
01677 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
01678 
01679   char subject[STRLEN];
01680   X509_OBJECT found_cert;
01681 
01682   X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject, STRLEN);
01683 
01684   if(!preverify_ok) {
01685 
01686     if (!check_preverify(ctx)) {
01687 
01688       goto reject;
01689 
01690     }
01691 
01692   }
01693 
01694   if(ctx->error_depth==0 &&
01695      X509_STORE_get_by_subject(ctx, X509_LU_X509,
01696                    X509_get_subject_name(ctx->current_cert), 
01697                    &found_cert)!=1) {
01698 
01699     handle_ssl_error("verify_callback()");
01700     error("%s: SSL connection rejected. No matching certificate found.", prog);
01701 
01702     goto reject; 
01703 
01704   }
01705 
01706   return 1; 
01707 
01708  reject:
01709   return 0; 
01710 
01711 }
01712 
01717 static int verify_callback_noclientcert(int preverify_ok, 
01718                     X509_STORE_CTX *ctx) {
01719 
01720   char subject[STRLEN];
01721 
01722   X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject, STRLEN);
01723 
01724   if(!preverify_ok) {
01725 
01726     if (!check_preverify(ctx)) {
01727 
01728       goto reject;
01729 
01730     }
01731 
01732   }
01733 
01734   return 1; 
01735 
01736  reject:
01737   return 0; 
01738 
01739 }
01740 
01745 static int check_preverify(X509_STORE_CTX *ctx) {
01746 
01747   if ((ctx->error != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) &&
01748       (ctx->error != X509_V_ERR_INVALID_PURPOSE)) {
01749 
01750     /* Remote site specified a certificate, but it's not correct */
01751     
01752     error("%s: SSL connection rejected because certificate verification"
01753       " has failed -- Error %i\n", prog, ctx->error);
01754     return FALSE; /* Reject connection */
01755 
01756   } 
01757 
01758 
01759   if(allow_self_certfication && 
01760      (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
01761     
01762     /* Let's accept self signed certs for the moment! */
01763     
01764     log("SSL connection accepted with self signed certificate!\n");
01765 
01766     ctx->error=0;
01767     return TRUE;
01768 
01769   } 
01770 
01771   if(allow_any_purpose && 
01772      (ctx->error == X509_V_ERR_INVALID_PURPOSE)) {
01773     
01774     /* Let's accept any purpose certs for the moment! */
01775     
01776     log("SSL connection accepted with invalid purpose!\n");
01777 
01778     ctx->error=0;
01779     return TRUE;
01780 
01781   } 
01782     
01783   error("%s: SSL connection rejected because certificate verification"
01784     " has failed -- Error %i!\n", prog, ctx->error);
01785   return FALSE; /* Reject connection */
01786 
01787 
01788 }
01789 
01793 static void verify_info(ssl_server_connection *ssl_server) {
01794   
01795   STACK_OF(X509_NAME) *stack;
01796   
01797   stack=SSL_CTX_get_client_CA_list(ssl_server->ctx);
01798   log("Found %d certificates\n", sk_X509_NAME_num(stack));
01799   
01800 }
01801 
01802 
01807 static int unsigned long ssl_thread_id(void) {
01808 
01809   return ((unsigned long) pthread_self());
01810 
01811 }
01812 
01813 
01817 static void ssl_mutex_lock(int mode, int n, const char *file, int line) {
01818 
01819 
01820   if(mode & CRYPTO_LOCK) {
01821     
01822     pthread_mutex_lock( & ssl_mutex_table[n]);
01823     
01824   } else {
01825 
01826     pthread_mutex_unlock( & ssl_mutex_table[n]);
01827     
01828   }
01829   
01830 }
01831 
01832 
01837 static int ssl_thread_start(void) {
01838 
01839   int i;
01840   ssl_mutex_table= xcalloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
01841   for(i= 0; i < CRYPTO_num_locks(); i++)
01842       pthread_mutex_init(&ssl_mutex_table[i], NULL);
01843   CRYPTO_set_id_callback(ssl_thread_id);
01844   CRYPTO_set_locking_callback(ssl_mutex_lock);
01845 
01846   return TRUE;
01847 
01848 }
01849 
01850 
01855 static int ssl_thread_stop(void) {
01856 
01857   int i;
01858   CRYPTO_set_id_callback(NULL);
01859   CRYPTO_set_locking_callback(NULL);
01860   for(i= 0; i < CRYPTO_num_locks(); i++)
01861       pthread_mutex_destroy(&ssl_mutex_table[i]);
01862   free(ssl_mutex_table);
01863   ssl_mutex_table= NULL;
01864 
01865   return TRUE;
01866 
01867 }
01868 
01869 
01874 static int ssl_entropy_start(void) {
01875 
01876   if(exist_file(URANDOM_DEVICE)) {
01877 
01878     return(RAND_load_file(URANDOM_DEVICE, RANDOM_BYTES)==RANDOM_BYTES);
01879 
01880   } else if(exist_file(RANDOM_DEVICE)) {
01881 
01882     fprintf(stdout, "Gathering entropy from the random device. Please wait\n");
01883     fflush(stdout);
01884 
01885     return(RAND_load_file(RANDOM_DEVICE, RANDOM_BYTES)==RANDOM_BYTES);
01886 
01887   }
01888 
01889   return FALSE;
01890 
01891 }
01892 
01893 
01898 static int ssl_entropy_stop(void) {
01899 
01900   RAND_cleanup();
01901 
01902   return TRUE;
01903 
01904 }
01905 
01906 
01911 static int handle_connection_error(int code, ssl_connection *ssl, 
01912                    char *operation) {
01913 
01914   int ssl_error= 0;
01915 
01916   switch ((ssl_error= SSL_get_error(ssl->handler, code))) {
01917     
01918   case SSL_ERROR_WANT_READ:
01919   case SSL_ERROR_WANT_WRITE:
01920     return TRUE;
01921     
01922   case SSL_ERROR_SYSCALL:
01923     error("%s: Openssl syscall error during %s: %s!\n", prog, operation, 
01924       STRERROR);
01925     return FALSE;
01926 
01927   case SSL_ERROR_SSL:
01928     handle_ssl_error(operation);
01929     return FALSE;
01930       
01931   default:
01932     error("%s: Openssl error during %s!\n", prog, operation);
01933     return FALSE;
01934 
01935   }
01936 
01937   return FALSE;
01938 }
01939 
01940 
01944 static void handle_ssl_error(char *operation) {
01945 
01946   error("%s: Openssl engine error during %s: %s\n", prog, operation, SSLERROR);
01947 
01948 }
01949 
01950 #endif