00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023 #include <config.h>
00024 #include <stdio.h>
00025 #include <memory.h>
00026 #include <time.h>
00027
00028 #ifdef HAVE_SYS_TYPES_H
00029 #include <sys/types.h>
00030 #endif
00031
00032 #ifdef HAVE_SYS_SOCKET_H
00033 #include <sys/socket.h>
00034 #endif
00035
00036 #ifdef HAVE_NETINET_IN_H
00037 #include <netinet/in.h>
00038 #endif
00039
00040 #ifdef HAVE_ARPA_INET_H
00041 #include <arpa/inet.h>
00042 #endif
00043
00044 #ifdef HAVE_NETDB_H
00045 #include <netdb.h>
00046 #endif
00047
00048 #ifdef HAVE_PTHREAD_H
00049 #include <pthread.h>
00050 #endif
00051
00052 #ifdef HAVE_UNISTD_H
00053 #include <unistd.h>
00054 #endif
00055
00056 #ifdef HAVE_ERRNO_H
00057 #include <errno.h>
00058 #endif
00059
00060 #ifdef HAVE_STRING_H
00061 #include <string.h>
00062 #endif
00063
00064
00065 #ifdef HAVE_OPENSSL
00066 #include <openssl/crypto.h>
00067 #include <openssl/x509.h>
00068 #include <openssl/x509_vfy.h>
00069 #include <openssl/pem.h>
00070 #include <openssl/ssl.h>
00071 #include <openssl/err.h>
00072 #include <openssl/rand.h>
00073 #include <openssl/bio.h>
00074 #endif
00075
00076 #include "monitor.h"
00077 #include "net.h"
00078 #include "ssl.h"
00079
00080 #ifdef HAVE_OPENSSL
00081
00082
00083 static int ssl_thread_start(void);
00084 static int ssl_thread_stop(void);
00085 static int unsigned long ssl_thread_id(void);
00086 static void ssl_mutex_lock(int mode, int n, const char *file, int line);
00087 static int ssl_entropy_start(void);
00088 static int ssl_entropy_stop(void);
00089
00090 static pthread_mutex_t ssl_mutex= PTHREAD_MUTEX_INITIALIZER;
00091 static pthread_mutex_t *ssl_mutex_table;
00092 static int ssl_initilized= FALSE;
00093
00094
00095 static int verify_init(ssl_server_connection *);
00096 static int verify_callback(int, X509_STORE_CTX *);
00097 static int verify_callback_noclientcert(int, X509_STORE_CTX *);
00098 static void verify_info(ssl_server_connection *);
00099 static int check_preverify(X509_STORE_CTX *);
00100
00101 static int allow_self_certfication= FALSE;
00102 static int allow_any_purpose= FALSE;
00103
00104
00105 static int handle_connection_error(int, ssl_connection *, char *);
00106 static void handle_ssl_error(char *);
00107 #define SSLERROR ERR_error_string(ERR_get_error(),NULL)
00108
00109 #define ALLOW_ANY_PURPOSE
00110
00111 #endif
00112
00116 #define RANDOM_BYTES 1024
00117
00122 #define URANDOM_DEVICE "/dev/urandom"
00123
00128 #define RANDOM_DEVICE "/dev/random"
00129
00130
00143
00144
00145
00146
00147
00148
00149
00150
00151
00152
00153
00154
00155
00161 int embed_ssl_socket (ssl_connection *ssl, int socket) {
00162
00163 #ifdef HAVE_OPENSSL
00164
00165 int ssl_error;
00166 time_t ssl_time;
00167
00168 if ( ssl == NULL ) {
00169
00170 return FALSE;
00171
00172 }
00173
00174 if (!ssl_initilized) {
00175
00176 start_ssl();
00177
00178 }
00179
00180 if ( socket >= 0 ) {
00181
00182 ssl->socket= socket;
00183
00184 } else {
00185
00186 error("%s: Socket error!\n", prog);
00187 goto sslerror;
00188 }
00189
00190 if ((ssl->handler= SSL_new (ssl->ctx)) == NULL ) {
00191
00192 handle_ssl_error("embed_ssl_socket()");
00193 error("%s: Cannot initialize the SSL handler!\n", prog);
00194 goto sslerror;
00195
00196 }
00197
00198 set_noblock(ssl->socket);
00199
00200 if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
00201
00202 handle_ssl_error("embed_ssl_socket()");
00203 error("%s: Cannot generate IO buffer!\n", prog);
00204 goto sslerror;
00205
00206 }
00207
00208 SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
00209
00210 ssl_time=time(NULL);
00211
00212 while((ssl_error= SSL_connect (ssl->handler)) < 0) {
00213
00214 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
00215
00216 error("%s: The connection process with the SSL service timed out!\n",
00217 prog);
00218 goto sslerror;
00219
00220 }
00221
00222 if (!handle_connection_error(ssl_error, ssl, "embed_ssl_socket()")) {
00223
00224 goto sslerror;
00225
00226 }
00227
00228 }
00229
00230 ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
00231
00232 if (! update_ssl_cert_data(ssl)) {
00233
00234 error("%s: Cannot get the SSL server certificate!\n",
00235 prog);
00236 goto sslerror;
00237
00238 }
00239
00240 return TRUE;
00241
00242 sslerror:
00243
00244 cleanup_ssl_socket(ssl);
00245 return FALSE;
00246
00247 #else
00248
00249 return FALSE;
00250
00251 #endif
00252 }
00253
00254
00260 int update_ssl_cert_data(ssl_connection *ssl) {
00261
00262 #ifdef HAVE_OPENSSL
00263
00264 unsigned char md5[EVP_MAX_MD_SIZE];
00265
00266 ASSERT(ssl);
00267
00268 if ((ssl->cert = SSL_get_peer_certificate (ssl->handler)) == NULL) {
00269
00270 return FALSE;
00271
00272 }
00273
00274 ssl->cert_issuer=X509_NAME_oneline (X509_get_issuer_name (ssl->cert),0,0);
00275 ssl->cert_subject=X509_NAME_oneline (X509_get_subject_name (ssl->cert),0,0);
00276 X509_digest(ssl->cert,EVP_md5(), md5, &ssl->cert_md5_len);
00277 ssl->cert_md5=xstrdup(md5);
00278
00279 return TRUE;
00280
00281 #else
00282
00283 return FALSE;
00284
00285 #endif
00286
00287 }
00288
00289
00296 int check_ssl_md5sum(ssl_connection *ssl, char *md5sum) {
00297
00298 #ifdef HAVE_OPENSSL
00299 int i= 0;
00300
00301 ASSERT(md5sum);
00302
00303 while (( i < ssl->cert_md5_len ) &&
00304 ( md5sum[2*i] != '\0' ) &&
00305 ( md5sum[2*i+1] != '\0' )) {
00306
00307 unsigned char c=
00308 (md5sum[2*i] > 57 ? md5sum[2*i] - 87 : md5sum[2*i] - 48) * 0x10+
00309 (md5sum[2*i+1] > 57 ? md5sum[2*i+1] - 87 : md5sum[2*i+1] - 48);
00310
00311 if ( c!=ssl->cert_md5[i] ) {
00312
00313 return FALSE;
00314
00315 }
00316
00317 i ++;
00318
00319 }
00320
00321 #endif
00322
00323 return TRUE;
00324
00325 }
00326
00327
00337 ssl_connection *create_ssl_socket(char *hostname, int port, int protocol) {
00338
00339 #ifdef HAVE_OPENSSL
00340
00341 int socket;
00342 ssl_connection *ssl = new_ssl_connection(NULL);
00343
00344 ASSERT(hostname);
00345
00346 if (!ssl_initilized) {
00347
00348 start_ssl();
00349
00350 }
00351
00352 if ((socket= create_socket(hostname, port, protocol)) == -1) {
00353
00354 error("%s: Cannot connect!\n", prog);
00355 goto sslerror;
00356
00357 }
00358
00359 if (! embed_ssl_socket(ssl, socket)) {
00360
00361 error("%s: Cannot embed socket!\n", prog);
00362
00363 goto sslerror;
00364
00365 }
00366
00367 return ssl;
00368
00369 sslerror:
00370
00371 return NULL;
00372
00373 #else
00374
00375 return NULL;
00376
00377 #endif
00378
00379 }
00380
00381
00387 int close_ssl_socket(ssl_connection *ssl) {
00388
00389 #ifdef HAVE_OPENSSL
00390
00391 int error;
00392
00393 if(ssl == NULL) {
00394
00395 return FALSE;
00396
00397 }
00398
00399 if (! (error= SSL_shutdown (ssl->handler))) {
00400
00401 shutdown(ssl->socket,1 );
00402 error= SSL_shutdown (ssl->handler);
00403
00404 }
00405
00406 close(ssl->socket);
00407 cleanup_ssl_socket(ssl);
00408
00409 if ( error<=0 ) {
00410
00411 return FALSE;
00412
00413 } else {
00414
00415 return TRUE;
00416
00417 }
00418
00419 #else
00420
00421 return FALSE;
00422
00423 #endif
00424
00425 }
00426
00427
00433 int cleanup_ssl_socket(ssl_connection *ssl) {
00434
00435 #ifdef HAVE_OPENSSL
00436
00437 if(ssl==NULL) {
00438
00439 return FALSE;
00440
00441 }
00442
00443 if (ssl->cert != NULL) {
00444
00445 X509_free(ssl->cert);
00446 ssl->cert= NULL;
00447
00448 }
00449
00450 if (ssl->handler != NULL) {
00451
00452 SSL_free(ssl->handler);
00453 ssl->handler= NULL;
00454
00455 }
00456
00457 if (ssl->socket_bio != NULL) {
00458
00459
00460
00461
00462
00463
00464 ssl->socket_bio= NULL;
00465
00466 }
00467
00468 if (ssl->cert_issuer != NULL) {
00469
00470 free(ssl->cert_issuer);
00471 ssl->cert_issuer= NULL;
00472
00473 }
00474
00475 if (ssl->cert_subject != NULL) {
00476
00477 free(ssl->cert_subject);
00478 ssl->cert_subject= NULL;
00479
00480 }
00481
00482 if (ssl->cert_md5 != NULL) {
00483
00484 free(ssl->cert_md5);
00485 ssl->cert_md5= NULL;
00486
00487 }
00488
00489 if(ssl->clientpemfile!=NULL) {
00490
00491 free(ssl->clientpemfile);
00492 ssl->clientpemfile= NULL;
00493
00494 }
00495
00496 return TRUE;
00497
00498 #else
00499
00500 return FALSE;
00501
00502 #endif
00503
00504 }
00505
00506
00512 int delete_ssl_socket(ssl_connection *ssl) {
00513
00514 #ifdef HAVE_OPENSSL
00515
00516 if(ssl==NULL) {
00517
00518 return FALSE;
00519
00520 }
00521
00522 cleanup_ssl_socket(ssl);
00523
00524 if((ssl->ctx != NULL) && (! ssl->accepted)) {
00525
00526 SSL_CTX_free(ssl->ctx);
00527
00528 }
00529
00530 free(ssl);
00531
00532 return TRUE;
00533
00534 #else
00535
00536 return TRUE;
00537
00538 #endif
00539
00540 }
00541
00542
00548 ssl_server_connection *init_ssl_server (char *pemfile, char *clientpemfile) {
00549
00550 #ifdef HAVE_OPENSSL
00551
00552 ssl_server_connection *ssl_server = new_ssl_server_connection(pemfile,
00553 clientpemfile);
00554
00555 ASSERT(pemfile);
00556
00557 if (!ssl_initilized) {
00558
00559 start_ssl();
00560
00561 }
00562
00563 if ((ssl_server->method= SSLv23_server_method()) == NULL ) {
00564
00565 handle_ssl_error("init_ssl_server()");
00566 error("%s: Cannot initialize the SSL method to use!\n", prog);
00567 goto sslerror;
00568
00569 }
00570
00571 if ((ssl_server->ctx= SSL_CTX_new(ssl_server->method)) == NULL ) {
00572
00573 handle_ssl_error("init_ssl_server()");
00574 error("%s: Cannot initialize the SSL server's certificate handler!\n"
00575 , prog);
00576 goto sslerror;
00577
00578 }
00579
00580 if (SSL_CTX_use_certificate_file(ssl_server->ctx, pemfile,
00581 SSL_FILETYPE_PEM) <= 0) {
00582
00583 handle_ssl_error("init_ssl_server()");
00584 error("%s: Cannot initialize the SSL server's certificate!\n", prog);
00585 goto sslerror;
00586
00587 }
00588
00589 if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile,
00590 SSL_FILETYPE_PEM) <= 0) {
00591
00592 handle_ssl_error("init_ssl_server()");
00593 error("%s: Cannot initialize the SSL server's private key!\n", prog);
00594 goto sslerror;
00595
00596 }
00597
00598 if (!SSL_CTX_check_private_key(ssl_server->ctx)) {
00599
00600 handle_ssl_error("init_ssl_server()");
00601 error("%s: The private key does not match the certificate public key!\n",
00602 prog);
00603 goto sslerror;
00604
00605 }
00606
00607
00608
00609
00610 if (!verify_init(ssl_server)) {
00611
00612 handle_ssl_error("init_ssl_server()");
00613 error("%s: Verification engine was not properly initilized!\n", prog);
00614 goto sslerror;
00615
00616 }
00617 verify_info(ssl_server);
00618
00619 return ssl_server;
00620
00621 sslerror:
00622
00623 cleanup_ssl_server_socket(ssl_server);
00624 return NULL;
00625
00626 #else
00627
00628 return NULL;
00629
00630 #endif
00631
00632 }
00633
00634
00645 ssl_server_connection *create_ssl_server_socket(char *pemfile, int port,
00646 int backlog,
00647 char *bindAddr,
00648 char *clientpemfile) {
00649
00650 #ifdef HAVE_OPENSSL
00651
00652 int socket;
00653 ssl_server_connection *ssl_server;
00654
00655 ASSERT(pemfile);
00656 ASSERT(bindAddr);
00657
00658 if (!ssl_initilized) {
00659
00660 start_ssl();
00661
00662 }
00663
00664 if ((socket= create_server_socket(port, backlog, bindAddr)) == -1) {
00665
00666 error("%s: Cannot connect!\n", prog);
00667 goto sslerror;
00668
00669 }
00670
00671 if (( ssl_server= init_ssl_server(pemfile, clientpemfile)) == NULL) {
00672
00673 goto sslerror;
00674
00675 }
00676
00677 ssl_server->server_socket=socket;
00678
00679 return ssl_server;
00680
00681 sslerror:
00682
00683 return NULL;
00684
00685 #else
00686
00687 return FALSE;
00688
00689 #endif
00690
00691 }
00692
00693
00699 int close_ssl_server_socket(ssl_server_connection *ssl_server) {
00700
00701 #ifdef HAVE_OPENSSL
00702
00703 if (ssl_server==NULL) {
00704
00705 return FALSE;
00706
00707 }
00708
00709 close(ssl_server->server_socket);
00710 cleanup_ssl_server_socket(ssl_server);
00711
00712 return TRUE;
00713
00714 #else
00715
00716 return FALSE;
00717
00718 #endif
00719 }
00720
00721
00727 int cleanup_ssl_server_socket(ssl_server_connection *ssl_server) {
00728
00729 #ifdef HAVE_OPENSSL
00730
00731 ssl_connection *ssl;
00732
00733 if(ssl_server==NULL) {
00734
00735 return FALSE;
00736
00737 }
00738
00739 if(ssl_server->pemfile!=NULL) {
00740
00741 free(ssl_server->pemfile);
00742 ssl_server->pemfile= NULL;
00743
00744 }
00745
00746 if(ssl_server->clientpemfile!=NULL) {
00747
00748 free(ssl_server->clientpemfile);
00749 ssl_server->clientpemfile= NULL;
00750
00751 }
00752
00753 while (ssl_server->ssl_conn_list!=NULL) {
00754
00755 ssl = ssl_server->ssl_conn_list;
00756
00757 ssl_server->ssl_conn_list=ssl_server->ssl_conn_list->next;
00758
00759 close_accepted_ssl_socket(ssl_server, ssl);
00760 delete_ssl_socket(ssl);
00761
00762 }
00763
00764 return TRUE;
00765
00766 #else
00767
00768 return TRUE;
00769
00770 #endif
00771
00772 }
00773
00774
00780 int delete_ssl_server_socket(ssl_server_connection *ssl_server) {
00781
00782 #ifdef HAVE_OPENSSL
00783
00784 if(ssl_server==NULL) {
00785
00786 return FALSE;
00787
00788 }
00789
00790 cleanup_ssl_server_socket(ssl_server);
00791
00792 if (ssl_server->ctx != NULL) {
00793
00794 SSL_CTX_free(ssl_server->ctx);
00795
00796 }
00797
00798 free(ssl_server);
00799
00800 return TRUE;
00801
00802 #else
00803
00804 return TRUE;
00805
00806 #endif
00807
00808 }
00809
00810
00816 ssl_connection *insert_accepted_ssl_socket(ssl_server_connection *ssl_server) {
00817
00818 #ifdef HAVE_OPENSSL
00819
00820 ssl_connection *ssl;
00821
00822 ASSERT(ssl_server);
00823
00824 ssl= (ssl_connection *) NEW(ssl);
00825
00826 if (!ssl_initilized) {
00827
00828 start_ssl();
00829
00830 }
00831
00832 ssl->method= NULL;
00833 ssl->handler= NULL;
00834 ssl->cert= NULL;
00835 ssl->cipher= NULL;
00836 ssl->socket= 0;
00837 ssl->next= NULL;
00838 ssl->accepted= FALSE;
00839 ssl->cert_md5= NULL;
00840 ssl->cert_md5_len= 0;
00841 ssl->clientpemfile= NULL;
00842
00843 if(ssl_server->clientpemfile!=NULL) {
00844
00845 ssl->clientpemfile= xstrdup(ssl_server->clientpemfile);
00846
00847 }
00848
00849 if(( ssl_server == NULL ) || (ssl == NULL)) {
00850
00851 return NULL;
00852
00853 }
00854
00855 LOCK(ssl_mutex);
00856
00857 ssl->prev=NULL;
00858 ssl->next=ssl_server->ssl_conn_list;
00859
00860 if( ssl->next != NULL ) {
00861
00862 ssl->next->prev=ssl;
00863
00864 }
00865
00866 END_LOCK;
00867
00868 ssl_server->ssl_conn_list=ssl;
00869 ssl->ctx=ssl_server->ctx;
00870 ssl->accepted=TRUE;
00871
00872 return ssl;
00873
00874 #else
00875
00876 return NULL;
00877
00878 #endif
00879
00880 }
00881
00882
00890 int close_accepted_ssl_socket(ssl_server_connection *ssl_server,
00891 ssl_connection *ssl) {
00892
00893 #ifdef HAVE_OPENSSL
00894
00895 int return_value= TRUE;
00896
00897 if ((ssl == NULL) || (ssl_server == NULL)) {
00898 return FALSE;
00899 }
00900
00901 if (close(ssl->socket) < 0) {
00902
00903 return_value= FALSE;
00904
00905 }
00906
00907 if (! delete_accepted_ssl_socket(ssl_server, ssl)) {
00908
00909 return_value= FALSE;
00910
00911 }
00912
00913 return return_value;
00914
00915 #else
00916
00917 return FALSE;
00918
00919 #endif
00920
00921 }
00922
00923
00931 int delete_accepted_ssl_socket (ssl_server_connection *ssl_server,
00932 ssl_connection *ssl) {
00933
00934 #ifdef HAVE_OPENSSL
00935
00936 int return_value= TRUE;
00937
00938 if ((ssl == NULL) || (ssl_server == NULL)) {
00939 return FALSE;
00940 }
00941
00942 LOCK(ssl_mutex);
00943
00944 if ( ssl->prev == NULL ) {
00945
00946 ssl_server->ssl_conn_list=ssl->next;
00947
00948 } else {
00949
00950 ssl->prev->next=ssl->next;
00951
00952 }
00953
00954 END_LOCK;
00955
00956 if(! cleanup_ssl_socket(ssl)) {
00957
00958 return_value= FALSE;
00959
00960 }
00961
00962 if (! delete_ssl_socket(ssl)) {
00963
00964 return_value= FALSE;
00965
00966 }
00967
00968 return return_value;
00969
00970 #else
00971
00972 return FALSE;
00973
00974 #endif
00975
00976 }
00977
00978
00985 int embed_accepted_ssl_socket(ssl_connection *ssl, int socket) {
00986
00987 #ifdef HAVE_OPENSSL
00988
00989 int ssl_error;
00990 time_t ssl_time;
00991
00992 ASSERT(ssl);
00993
00994 ssl->socket=socket;
00995
00996 if(!ssl_initilized) {
00997
00998 start_ssl();
00999
01000 }
01001
01002 if((ssl->handler= SSL_new(ssl->ctx)) == NULL) {
01003
01004 handle_ssl_error("embed_accepted_ssl_socket()");
01005 error("%s: Cannot initialize the SSL handler!\n", prog);
01006 goto sslerror;
01007
01008 }
01009
01010 if(socket < 0) {
01011
01012 error("Socket error!\n");
01013 goto sslerror;
01014
01015 }
01016
01017 set_noblock(ssl->socket);
01018
01019 if((ssl->socket_bio= BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
01020
01021 handle_ssl_error("embed_accepted_ssl_socket()");
01022 error("%s: Cannot generate IO buffer!\n", prog);
01023 goto sslerror;
01024
01025 }
01026
01027 SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
01028
01029 ssl_time= time(NULL);
01030
01031 while((ssl_error= SSL_accept(ssl->handler)) < 0) {
01032
01033 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01034
01035 error("%s: The connection process with the SSL service timed out!\n",
01036 prog);
01037 goto sslerror;
01038
01039 }
01040
01041 if (!handle_connection_error(ssl_error, ssl,
01042 "embed_accepted_ssl_socket()")) {
01043
01044 goto sslerror;
01045
01046 }
01047
01048 }
01049
01050 ssl->cipher= (char *) SSL_get_cipher(ssl->handler);
01051
01052 if(!update_ssl_cert_data(ssl) && (ssl->clientpemfile != NULL)) {
01053
01054 error("%s: The client did not supply a required client certificate!\n",
01055 prog);
01056 goto sslerror;
01057
01058 }
01059
01060 if (SSL_get_verify_result(ssl->handler)>0) {
01061
01062 error("%s: Verification of the certificate has failed!\n",
01063 prog);
01064 goto sslerror;
01065
01066 }
01067
01068 return TRUE;
01069
01070 sslerror:
01071
01072 return FALSE;
01073
01074 #else
01075
01076 return FALSE;
01077
01078 #endif
01079
01080 }
01081
01082
01088 ssl_connection *accept_ssl_socket(ssl_server_connection *ssl_server) {
01089
01090 #ifdef HAVE_OPENSSL
01091
01092 int no_crypt_socket;
01093 int len= sizeof(struct sockaddr_in);
01094 struct sockaddr_in in;
01095
01096 ASSERT(ssl_server);
01097
01098 no_crypt_socket= accept(ssl_server->server_socket, (struct sockaddr*)&in,
01099 &len);
01100
01101 if(no_crypt_socket >= 0) {
01102
01103 ssl_connection *ssl = insert_accepted_ssl_socket(ssl_server);
01104
01105 if(ssl == NULL) {
01106
01107 return NULL;
01108
01109 }
01110
01111 if(embed_accepted_ssl_socket(ssl, no_crypt_socket)) {
01112
01113 return ssl;
01114
01115 } else {
01116
01117 close_accepted_ssl_socket(ssl_server, ssl);
01118 return NULL;
01119
01120 }
01121
01122 } else {
01123
01124 return NULL;
01125
01126 }
01127
01128 #else
01129
01130 return NULL;
01131
01132 #endif
01133
01134 }
01135
01136
01144 int send_ssl_socket(ssl_connection *ssl, void *buffer, int len) {
01145
01146 #ifdef HAVE_OPENSSL
01147 int ssl_error;
01148 time_t ssl_time= time(NULL);
01149
01150 ASSERT(ssl);
01151
01152
01153 while((ssl_error= SSL_write (ssl->handler, (void *) buffer, len)) < 0) {
01154
01155 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01156
01157 error("%s: The connection process with the SSL service has timed"
01158 " out!\n", prog);
01159 break;
01160
01161 }
01162
01163 if (!handle_connection_error(ssl_error, ssl, "send_ssl_socket()")) {
01164
01165 break;
01166
01167 }
01168
01169 }
01170
01171 return ssl_error;
01172
01173 #else
01174
01175 return -1;
01176
01177 #endif
01178
01179 }
01180
01181
01189 int recv_ssl_socket(ssl_connection *ssl, void *buffer, int len) {
01190
01191 #ifdef HAVE_OPENSSL
01192 int ssl_error;
01193 time_t ssl_time= time(NULL);
01194
01195 ASSERT(ssl);
01196
01197 while((ssl_error= SSL_read(ssl->handler, (void *) buffer, len)) < 0) {
01198
01199 if((time(NULL)-ssl_time) > SSL_TIMEOUT) {
01200
01201 error("%s: The connection process with the SSL service has timed"
01202 " out!\n", prog);
01203 break;
01204
01205 }
01206
01207 if (!handle_connection_error(ssl_error, ssl, "recv_ssl_socket()")) {
01208
01209 break;
01210
01211 }
01212 }
01213
01214 return ssl_error;
01215
01216 #else
01217
01218 return -1;
01219
01220 #endif
01221
01222 }
01223
01224
01232 char *gets_ssl_socket(ssl_connection *ssl, char *buffer, int len ) {
01233
01234 #ifdef HAVE_OPENSSL
01235
01236 int i=0;
01237 char c;
01238
01239 ASSERT(ssl);
01240 ASSERT(buffer);
01241
01242 while(i <= len - 1) {
01243
01244 switch ( recv_ssl_socket(ssl, (void *) &c, 1)) {
01245
01246 case 1:
01247
01248 buffer[i]=c;
01249 break;
01250
01251 case 0:
01252
01253 goto eot;
01254
01255 default:
01256
01257 return NULL;
01258
01259 }
01260
01261 if (c=='\n') {
01262
01263 buffer[i+1]='\0';
01264 goto eot;
01265
01266 }
01267
01268 i++;
01269
01270 }
01271
01272 eot:
01273
01274 return buffer;
01275
01276 #else
01277
01278 return NULL;
01279
01280 #endif
01281
01282 }
01283
01284
01292 int printf_ssl_socket(ssl_connection *ssl, const char *format, ...) {
01293
01294 #ifdef HAVE_OPENSSL
01295
01296 char msg[STRLEN];
01297 int len;
01298
01299 va_list ap;
01300
01301 ASSERT(ssl);
01302 ASSERT(format);
01303
01304 va_start(ap,format);
01305 len=vsnprintf(msg, STRLEN, format, ap);
01306 va_end(ap);
01307
01308 return send_ssl_socket(ssl, msg, len);
01309
01310 #else
01311
01312 return 0;
01313
01314 #endif
01315
01316 }
01317
01318
01324 int start_ssl() {
01325
01326 #ifdef HAVE_OPENSSL
01327
01328 if (! ssl_initilized ) {
01329
01330 ssl_initilized=TRUE;
01331 ERR_load_crypto_strings();
01332 return (ssl_thread_start() && SSL_library_init() && ssl_entropy_start());
01333
01334 } else {
01335
01336 return TRUE;
01337
01338 }
01339
01340 #else
01341
01342 return FALSE;
01343
01344 #endif
01345
01346 }
01347
01348
01353 int stop_ssl() {
01354
01355 #ifdef HAVE_OPENSSL
01356
01357 if ( ssl_initilized ) {
01358
01359 ssl_initilized=FALSE;
01360 ERR_free_strings();
01361 return (ssl_thread_stop() && ssl_entropy_stop());
01362
01363 } else {
01364
01365 return TRUE;
01366
01367 }
01368
01369 #else
01370
01371 return FALSE;
01372
01373 #endif
01374
01375 }
01376
01381 void config_ssl(int conf_allow_self_cert) {
01382
01383 #ifdef HAVE_OPENSSL
01384
01385 allow_self_certfication= conf_allow_self_cert;
01386
01387 #endif
01388
01389 return;
01390
01391 }
01392
01397 ssl_connection *new_ssl_connection(char *clientpemfile) {
01398
01399 #ifdef HAVE_OPENSSL
01400
01401 ssl_connection *ssl = (ssl_connection *) NEW(ssl);
01402
01403 if (!ssl_initilized) {
01404
01405 start_ssl();
01406
01407 }
01408
01409 ssl->socket_bio= NULL;
01410 ssl->handler= NULL;
01411 ssl->cert= NULL;
01412 ssl->cipher= NULL;
01413 ssl->socket= 0;
01414 ssl->next = NULL;
01415 ssl->accepted = FALSE;
01416 ssl->cert_md5 = NULL;
01417 ssl->cert_md5_len = 0;
01418
01419 if(clientpemfile!=NULL) {
01420
01421 ssl->clientpemfile= xstrdup(clientpemfile);
01422
01423 } else {
01424
01425 ssl->clientpemfile= NULL;
01426
01427 }
01428
01429 if ((ssl->method= SSLv23_client_method()) == NULL ) {
01430
01431 handle_ssl_error("new_ssl_connection()");
01432 error("%s: Cannot initilize SSL method!\n", prog);
01433 goto sslerror;
01434
01435 }
01436
01437 if ((ssl->ctx= SSL_CTX_new (ssl->method)) == NULL ) {
01438
01439 handle_ssl_error("new_ssl_connection()");
01440 error("%s: Cannot initilize SSL server certificate handler!\n", prog);
01441 goto sslerror;
01442
01443 }
01444
01445 if ( ssl->clientpemfile!=NULL ) {
01446
01447 if (SSL_CTX_use_certificate_file(ssl->ctx, ssl->clientpemfile,
01448 SSL_FILETYPE_PEM) <= 0) {
01449
01450 handle_ssl_error("new_ssl_connection()");
01451 error("%s: Cannot initilize SSL server certificate!\n", prog);
01452 goto sslerror;
01453
01454 }
01455
01456 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->clientpemfile,
01457 SSL_FILETYPE_PEM) <= 0) {
01458
01459 handle_ssl_error("new_ssl_connection()");
01460 error("%s: Cannot initilize SSL server private key!\n", prog);
01461 goto sslerror;
01462
01463 }
01464
01465 if (!SSL_CTX_check_private_key(ssl->ctx)) {
01466
01467 handle_ssl_error("new_ssl_connection()");
01468 error("%s: Private key does not match the certificate public key!\n",
01469 prog);
01470 goto sslerror;
01471
01472 }
01473
01474 }
01475
01476
01477 return ssl;
01478
01479 sslerror:
01480
01481 delete_ssl_socket(ssl);
01482
01483 return NULL;
01484
01485 #else
01486
01487 return NULL;
01488
01489 #endif
01490
01491 }
01492
01493
01498 ssl_server_connection *new_ssl_server_connection(char * pemfile,
01499 char * clientpemfile) {
01500
01501 #ifdef HAVE_OPENSSL
01502
01503 ssl_server_connection *ssl_server =
01504 (ssl_server_connection *) NEW(ssl_server);
01505
01506 ASSERT(pemfile);
01507
01508 if (!ssl_initilized) {
01509
01510 start_ssl();
01511
01512 }
01513
01514 ssl_server->ctx= NULL;
01515 ssl_server->method= NULL;
01516 ssl_server->server_socket= 0;
01517 ssl_server->ssl_conn_list = NULL;
01518 ssl_server->pemfile=xstrdup(pemfile);
01519
01520 if(clientpemfile != NULL) {
01521
01522 ssl_server->clientpemfile= xstrdup(clientpemfile);
01523
01524 } else {
01525
01526 ssl_server->clientpemfile= NULL;
01527
01528 }
01529
01530 return ssl_server;
01531
01532 #else
01533
01534 return NULL;
01535
01536 #endif
01537
01538 }
01539
01540
01545 int have_ssl(void) {
01546
01547 #ifdef HAVE_OPENSSL
01548
01549 return HAVE_OPENSSL;
01550
01551 #else
01552
01553 return FALSE;
01554
01555 #endif
01556
01557 }
01558
01559
01560
01561 #ifdef HAVE_OPENSSL
01562
01566 static int verify_init(ssl_server_connection *ssl_server) {
01567
01568 struct stat stat_buf;
01569
01570 if (ssl_server->clientpemfile==NULL) {
01571
01572 allow_any_purpose= TRUE;
01573 SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER ,
01574 verify_callback_noclientcert);
01575 goto end_success;
01576
01577 }
01578
01579 if ( -1 == stat(ssl_server->clientpemfile, &stat_buf )) {
01580
01581 error("%s: Cannot stat the SSL pem path '%s' -- %s\n",
01582 prog, Run.httpsslclientpem, STRERROR);
01583
01584 goto end_error;
01585
01586 }
01587
01588 if (S_ISDIR(stat_buf.st_mode)) {
01589
01590 if (!SSL_CTX_load_verify_locations(ssl_server->ctx, NULL ,
01591 ssl_server->clientpemfile)) {
01592
01593 handle_ssl_error("verify_init()");
01594 error("%s: Error setting verify directory to %s\n",
01595 Run.httpsslclientpem);
01596
01597 goto end_error;
01598
01599 }
01600
01601 log("Loaded SSL client pem directory '%s'\n", ssl_server->clientpemfile);
01602
01603
01604
01605 if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile,
01606 NULL)) {
01607
01608 handle_ssl_error("verify_init()");
01609 error("%s: Error loading verify certificates from %s\n",
01610 prog, ssl_server->pemfile);
01611
01612 goto end_error;
01613
01614 }
01615
01616 log("Loaded monit's SSL pem server file '%s'\n", ssl_server->pemfile);
01617
01618 } else if (S_ISREG(stat_buf.st_mode)) {
01619
01620 if(!SSL_CTX_load_verify_locations(ssl_server->ctx,
01621 ssl_server->clientpemfile,
01622 NULL)) {
01623
01624 handle_ssl_error("verify_init()");
01625 error("%s: Error loading verify certificates from %s\n",
01626 prog, Run.httpsslclientpem);
01627
01628 goto end_error;
01629
01630 }
01631
01632 log("Loaded SSL pem client file '%s'\n", ssl_server->clientpemfile);
01633
01634
01635
01636 if(!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile,
01637 NULL)) {
01638
01639 handle_ssl_error("verify_init()");
01640 error("%s: Error loading verify certificates from %s\n",
01641 prog, ssl_server->pemfile);
01642
01643 goto end_error;
01644
01645 }
01646
01647 log("Loaded monit's SSL pem server file '%s'\n", ssl_server->pemfile);
01648
01649 SSL_CTX_set_client_CA_list(ssl_server->ctx,
01650 SSL_load_client_CA_file(ssl_server->clientpemfile));
01651
01652 } else {
01653
01654 error("%s: SSL client pem path is no file or directory %s\n",
01655 prog, ssl_server->clientpemfile);
01656
01657 goto end_error;
01658
01659 }
01660
01661 allow_any_purpose= FALSE;
01662 SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER , verify_callback);
01663
01664 end_success:
01665
01666 return TRUE;
01667
01668 end_error:
01669
01670 return FALSE;
01671 }
01672
01673
01677 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
01678
01679 char subject[STRLEN];
01680 X509_OBJECT found_cert;
01681
01682 X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject, STRLEN);
01683
01684 if(!preverify_ok) {
01685
01686 if (!check_preverify(ctx)) {
01687
01688 goto reject;
01689
01690 }
01691
01692 }
01693
01694 if(ctx->error_depth==0 &&
01695 X509_STORE_get_by_subject(ctx, X509_LU_X509,
01696 X509_get_subject_name(ctx->current_cert),
01697 &found_cert)!=1) {
01698
01699 handle_ssl_error("verify_callback()");
01700 error("%s: SSL connection rejected. No matching certificate found.", prog);
01701
01702 goto reject;
01703
01704 }
01705
01706 return 1;
01707
01708 reject:
01709 return 0;
01710
01711 }
01712
01717 static int verify_callback_noclientcert(int preverify_ok,
01718 X509_STORE_CTX *ctx) {
01719
01720 char subject[STRLEN];
01721
01722 X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), subject, STRLEN);
01723
01724 if(!preverify_ok) {
01725
01726 if (!check_preverify(ctx)) {
01727
01728 goto reject;
01729
01730 }
01731
01732 }
01733
01734 return 1;
01735
01736 reject:
01737 return 0;
01738
01739 }
01740
01745 static int check_preverify(X509_STORE_CTX *ctx) {
01746
01747 if ((ctx->error != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) &&
01748 (ctx->error != X509_V_ERR_INVALID_PURPOSE)) {
01749
01750
01751
01752 error("%s: SSL connection rejected because certificate verification"
01753 " has failed -- Error %i\n", prog, ctx->error);
01754 return FALSE;
01755
01756 }
01757
01758
01759 if(allow_self_certfication &&
01760 (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
01761
01762
01763
01764 log("SSL connection accepted with self signed certificate!\n");
01765
01766 ctx->error=0;
01767 return TRUE;
01768
01769 }
01770
01771 if(allow_any_purpose &&
01772 (ctx->error == X509_V_ERR_INVALID_PURPOSE)) {
01773
01774
01775
01776 log("SSL connection accepted with invalid purpose!\n");
01777
01778 ctx->error=0;
01779 return TRUE;
01780
01781 }
01782
01783 error("%s: SSL connection rejected because certificate verification"
01784 " has failed -- Error %i!\n", prog, ctx->error);
01785 return FALSE;
01786
01787
01788 }
01789
01793 static void verify_info(ssl_server_connection *ssl_server) {
01794
01795 STACK_OF(X509_NAME) *stack;
01796
01797 stack=SSL_CTX_get_client_CA_list(ssl_server->ctx);
01798 log("Found %d certificates\n", sk_X509_NAME_num(stack));
01799
01800 }
01801
01802
01807 static int unsigned long ssl_thread_id(void) {
01808
01809 return ((unsigned long) pthread_self());
01810
01811 }
01812
01813
01817 static void ssl_mutex_lock(int mode, int n, const char *file, int line) {
01818
01819
01820 if(mode & CRYPTO_LOCK) {
01821
01822 pthread_mutex_lock( & ssl_mutex_table[n]);
01823
01824 } else {
01825
01826 pthread_mutex_unlock( & ssl_mutex_table[n]);
01827
01828 }
01829
01830 }
01831
01832
01837 static int ssl_thread_start(void) {
01838
01839 int i;
01840 ssl_mutex_table= xcalloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
01841 for(i= 0; i < CRYPTO_num_locks(); i++)
01842 pthread_mutex_init(&ssl_mutex_table[i], NULL);
01843 CRYPTO_set_id_callback(ssl_thread_id);
01844 CRYPTO_set_locking_callback(ssl_mutex_lock);
01845
01846 return TRUE;
01847
01848 }
01849
01850
01855 static int ssl_thread_stop(void) {
01856
01857 int i;
01858 CRYPTO_set_id_callback(NULL);
01859 CRYPTO_set_locking_callback(NULL);
01860 for(i= 0; i < CRYPTO_num_locks(); i++)
01861 pthread_mutex_destroy(&ssl_mutex_table[i]);
01862 free(ssl_mutex_table);
01863 ssl_mutex_table= NULL;
01864
01865 return TRUE;
01866
01867 }
01868
01869
01874 static int ssl_entropy_start(void) {
01875
01876 if(exist_file(URANDOM_DEVICE)) {
01877
01878 return(RAND_load_file(URANDOM_DEVICE, RANDOM_BYTES)==RANDOM_BYTES);
01879
01880 } else if(exist_file(RANDOM_DEVICE)) {
01881
01882 fprintf(stdout, "Gathering entropy from the random device. Please wait\n");
01883 fflush(stdout);
01884
01885 return(RAND_load_file(RANDOM_DEVICE, RANDOM_BYTES)==RANDOM_BYTES);
01886
01887 }
01888
01889 return FALSE;
01890
01891 }
01892
01893
01898 static int ssl_entropy_stop(void) {
01899
01900 RAND_cleanup();
01901
01902 return TRUE;
01903
01904 }
01905
01906
01911 static int handle_connection_error(int code, ssl_connection *ssl,
01912 char *operation) {
01913
01914 int ssl_error= 0;
01915
01916 switch ((ssl_error= SSL_get_error(ssl->handler, code))) {
01917
01918 case SSL_ERROR_WANT_READ:
01919 case SSL_ERROR_WANT_WRITE:
01920 return TRUE;
01921
01922 case SSL_ERROR_SYSCALL:
01923 error("%s: Openssl syscall error during %s: %s!\n", prog, operation,
01924 STRERROR);
01925 return FALSE;
01926
01927 case SSL_ERROR_SSL:
01928 handle_ssl_error(operation);
01929 return FALSE;
01930
01931 default:
01932 error("%s: Openssl error during %s!\n", prog, operation);
01933 return FALSE;
01934
01935 }
01936
01937 return FALSE;
01938 }
01939
01940
01944 static void handle_ssl_error(char *operation) {
01945
01946 error("%s: Openssl engine error during %s: %s\n", prog, operation, SSLERROR);
01947
01948 }
01949
01950 #endif