1 /*
2 Socket handling routines
3 Copyright (C) 1998-2009, Joe Orton <joe@manyfish.co.uk>
4 Copyright (C) 2004 Aleix Conchillo Flaque <aleix@member.fsf.org>
5
6 This library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Library General Public
8 License as published by the Free Software Foundation; either
9 version 2 of the License, or (at your option) any later version.
10
11 This library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Library General Public License for more details.
15
16 You should have received a copy of the GNU Library General Public
17 License along with this library; if not, write to the Free
18 Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
19 MA 02111-1307, USA
20 */
21
22 /*
23 portions were originally under GPL in Mutt, http://www.mutt.org/
24 Relicensed under LGPL for neon, http://www.webdav.org/neon/
25 */
26
27 #include "config.h"
28
29 #include <sys/types.h>
30 #ifdef HAVE_SYS_UIO_H
31 #include <sys/uio.h> /* writev(2) */
32 #endif
33 #ifdef HAVE_SYS_TIME_H
34 #include <sys/time.h>
35 #endif
36 #include <sys/stat.h>
37 //#ifdef HAVE_SYS_SOCKET_H
38 #include <sys/socket.h>
39 //#endif
40
41 #ifdef __linux__
42 #include <sys/ioctl.h>
43 #include <linux/sockios.h>
44 #endif
45
46 #ifdef NE_USE_POLL
47 #include <sys/poll.h>
48 #elif defined(HAVE_SYS_SELECT_H)
49 #include <sys/select.h>
50 #endif
51
52 #ifdef HAVE_NETINET_IN_H
53 #include <netinet/in.h>
54 #endif
55 #ifdef HAVE_NETINET_TCP_H
56 #include <netinet/tcp.h>
57 #endif
58 #ifdef HAVE_ARPA_INET_H
59 #include <arpa/inet.h>
60 #endif
61 #ifdef HAVE_NETDB_H
62 #include <netdb.h>
63 #endif
64
65 #ifdef WIN32
66 #include <winsock2.h>
67 #include <stddef.h>
68 #ifdef USE_GETADDRINFO
69 #include <ws2tcpip.h>
70 #include <wspiapi.h>
71 #endif
72 #endif
73
74 #if defined(HAVE_OPENSSL) && defined(HAVE_LIMITS_H)
75 #include <limits.h> /* for INT_MAX */
76 #endif
77 #ifdef HAVE_STRING_H
78 #include <string.h>
79 #endif
80 #ifdef HAVE_STRINGS_H
81 #include <strings.h>
82 #endif
83 #ifdef HAVE_UNISTD_H
84 #include <unistd.h>
85 #endif
86 #ifdef HAVE_SIGNAL_H
87 #include <signal.h>
88 #endif
89 #ifdef HAVE_ERRNO_H
90 #include <errno.h>
91 #endif
92 #ifdef HAVE_STDLIB_H
93 #include <stdlib.h>
94 #endif
95 #ifdef HAVE_FCNTL_H
96 #include <fcntl.h>
97 #endif
98
99 #ifdef HAVE_SOCKS_H
100 #include <socks.h>
101 #endif
102
103 #ifdef HAVE_OPENSSL
104 #include <openssl/ssl.h>
105 #include <openssl/err.h>
106 #include <openssl/pkcs12.h> /* for PKCS12_PBE_add */
107 #include <openssl/rand.h>
108 #include <openssl/opensslv.h> /* for OPENSSL_VERSION_NUMBER */
109 #endif
110
111 #ifdef HAVE_GNUTLS
112 #include <gnutls/gnutls.h>
113 #endif
114
115 #define NE_INET_ADDR_DEFINED
116 /* A slightly ugly hack: change the ne_inet_addr definition to be the
117 * real address type used. The API only exposes ne_inet_addr as a
118 * pointer to an opaque object, so this should be well-defined
119 * behaviour. It avoids the hassle of a real wrapper ne_inet_addr
120 * structure, or losing type-safety by using void *. */
121 #ifdef USE_GETADDRINFO
122 typedef struct addrinfo ne_inet_addr;
123 #else
124 typedef struct in_addr ne_inet_addr;
125 #endif
126
127 #include "ne_privssl.h" /* MUST come after ne_inet_addr is defined */
128
129 /* To avoid doing AAAA queries unless absolutely necessary, either use
130 * AI_ADDRCONFIG where available, or a run-time check for working IPv6
131 * support; the latter is only known to work on Linux. */
132 #if defined(USE_GETADDRINFO) && !defined(USE_GAI_ADDRCONFIG) && defined(__linux__)
133 #define USE_CHECK_IPV6
134 #endif
135
136
137 // Use always non blocking socket
138 #ifndef USE_NONBLOCKING_CONNECT
139 #define USE_NONBLOCKING_CONNECT
140 #endif
141
142 #include "ne_internal.h"
143 #include "ne_utils.h"
144 #include "ne_string.h"
145 #include "ne_socket.h"
146 #include "ne_alloc.h"
147 #include "ne_sspi.h"
148
149 #if defined(__BEOS__) && !defined(BONE_VERSION)
150 /* pre-BONE */
151 #define ne_close(s) closesocket(s)
152 #define ne_errno errno
153 #elif defined(WIN32)
154 #define ne_close(s) closesocket(s)
155 #define ne_errno WSAGetLastError()
156 #else /* really Unix! */
157 #define ne_close(s) close(s)
158 #define ne_errno errno
159 #endif
160
161 #ifdef WIN32
162 #define NE_ISRESET(e) ((e) == WSAECONNABORTED || (e) == WSAETIMEDOUT || \
163 (e) == WSAECONNRESET || (e) == WSAENETRESET)
164 #define NE_ISCLOSED(e) ((e) == WSAESHUTDOWN || (e) == WSAENOTCONN)
165 #define NE_ISINTR(e) (0)
166 #define NE_ISINPROGRESS(e) ((e) == WSAEWOULDBLOCK) /* says MSDN */
167 #else /* Unix */
168 /* Also treat ECONNABORTED and ENOTCONN as "connection reset" errors;
169 * both can be returned by Winsock-based sockets layers e.g. CygWin */
170 #ifndef ECONNABORTED
171 #define ECONNABORTED ECONNRESET
172 #endif
173 #ifndef ENOTCONN
174 #define ENOTCONN ECONNRESET
175 #endif
176 #define NE_ISRESET(e) ((e) == ECONNRESET || (e) == ECONNABORTED || (e) == ENOTCONN)
177 #define NE_ISCLOSED(e) ((e) == EPIPE)
178 #define NE_ISINTR(e) (((e) == EINTR) || ((e) == EAGAIN))
179 #define NE_ISINPROGRESS(e) ((e) == EINPROGRESS)
180 #endif
181
182 /* Socket read timeout */
183 #define SOCKET_READ_TIMEOUT 3600
184 /* Socket step timeout */
185 #define SOCKET_STEP_TIMEOUT 10
186
187 /* Critical I/O functions on a socket: useful abstraction for easily
188 * handling SSL I/O alongside raw socket I/O. */
189 struct iofns {
190 /* Read up to 'len' bytes into 'buf' from socket. Return <0 on
191 * error or EOF, or >0; number of bytes read. */
192 ssize_t (*sread)(ne_socket *s, char *buf, size_t len);
193 /* Write up to 'len' bytes from 'buf' to socket. Return number of
194 * bytes written on success, or <0 on error. */
195 ssize_t (*swrite)(ne_socket *s, const char *buf, size_t len);
196 /* Wait up to 'n' seconds for socket to become readable. Returns
197 * 0 when readable, otherwise NE_SOCK_TIMEOUT or NE_SOCK_ERROR. */
198 int (*readable)(ne_socket *s, int n);
199 /* Write up to 'count' blocks described by 'vector' to socket.
200 * Return number of bytes written on success, or <0 on error. */
201 ssize_t (*swritev)(ne_socket *s, const struct ne_iovec *vector,
202 int count);
203 };
204
205 static const ne_inet_addr dummy_laddr;
206
207 struct ne_socket_s {
208 int fd;
209 unsigned int lport;
210 const ne_inet_addr *laddr;
211
212 void *progress_ud;
213 int rdtimeout, cotimeout; /* timeouts */
214 const struct iofns *ops;
215 #ifdef NE_HAVE_SSL
216 ne_ssl_socket ssl;
217 #endif
218 /* The read buffer: ->buffer stores byte which have been read; as
219 * these are consumed and passed back to the caller, bufpos
220 * advances through ->buffer. ->bufavail gives the number of
221 * bytes which remain to be consumed in ->buffer (from ->bufpos),
222 * and is hence always <= RDBUFSIZ. */
223 char *bufpos;
224 size_t bufavail;
225 #define RDBUFSIZ 4096
226 char buffer[RDBUFSIZ];
227 /* Error string. */
228 char error[192];
229 };
230
231 /* ne_sock_addr represents an Internet address. */
232 struct ne_sock_addr_s {
233 #ifdef USE_GETADDRINFO
234 struct addrinfo *result, *cursor;
235 #else
236 struct in_addr *addrs;
237 size_t cursor, count;
238 #endif
239 int errnum;
240 };
241
242 /* set_error: set socket error string to 'str'. */
243 #define set_error(s, str) ne_strnzcpy((s)->error, (str), sizeof (s)->error)
244
245 /* set_strerror: set socket error to system error string for 'errnum' */
246 #ifdef WIN32
247 /* Print system error message to given buffer. */
print_error(int errnum,char * buffer,size_t buflen)248 static void print_error(int errnum, char *buffer, size_t buflen)
249 {
250 if (FormatMessage (FORMAT_MESSAGE_FROM_SYSTEM
251 | FORMAT_MESSAGE_IGNORE_INSERTS,
252 NULL, (DWORD) errnum, 0,
253 buffer, buflen, NULL) == 0)
254 ne_snprintf(buffer, buflen, "Socket error %d", errnum);
255 }
256 #define set_strerror(s, e) print_error((e), (s)->error, sizeof (s)->error)
257 #else /* not WIN32 */
258 #define set_strerror(s, e) ne_strerror((e), (s)->error, sizeof (s)->error)
259 #endif
260
261 #ifdef HAVE_OPENSSL
262 /* Seed the SSL PRNG, if necessary; returns non-zero on failure. */
seed_ssl_prng(void)263 static int seed_ssl_prng(void)
264 {
265 /* Check whether the PRNG has already been seeded. */
266 if (RAND_status() == 1)
267 return 0;
268
269 #if defined(EGD_PATH)
270 NE_DEBUG(NE_DBG_SOCKET, "Seeding PRNG from " EGD_PATH "...");
271 if (RAND_egd(EGD_PATH) != -1)
272 return 0;
273 #elif defined(ENABLE_EGD)
274 {
275 static const char *paths[] = { "/var/run/egd-pool", "/dev/egd-pool",
276 "/etc/egd-pool", "/etc/entropy" };
277 size_t n;
278 for (n = 0; n < sizeof(paths) / sizeof(char *); n++) {
279 NE_DEBUG(NE_DBG_SOCKET, "Seeding PRNG from %s...", paths[n]);
280 if (RAND_egd(paths[n]) != -1)
281 return 0;
282 }
283 }
284 #endif /* EGD_PATH */
285
286 NE_DEBUG(NE_DBG_SOCKET, "No entropy source found; could not seed PRNG.");
287 return -1;
288 }
289 #endif /* HAVE_OPENSSL */
290
291 #ifdef USE_CHECK_IPV6
292 static int ipv6_disabled = 0;
293
294 /* On Linux kernels, IPv6 is typically built as a loadable module, and
295 * socket(AF_INET6, ...) will fail if this module is not loaded, so
296 * the slow AAAA lookups can be avoided for this common case. */
init_ipv6(void)297 static void init_ipv6(void)
298 {
299 int fd = socket(AF_INET6, SOCK_STREAM, 0);
300
301 if (fd < 0)
302 ipv6_disabled = 1;
303 else
304 close(fd);
305 }
306 #elif defined(AF_INET6)
307 #define ipv6_disabled (0)
308 #else
309 #define ipv6_disabled (1)
310 #endif
311
312 /* If init_state is N where > 0, ne_sock_init has been called N times;
313 * if == 0, library is not initialized; if < 0, library initialization
314 * has failed. */
315 static int init_state = 0;
316
ne_sock_init(void)317 int ne_sock_init(void)
318 {
319 #ifdef WIN32
320 WORD wVersionRequested;
321 WSADATA wsaData;
322 int err;
323 #endif
324
325 if (init_state > 0) {
326 init_state++;
327 return 0;
328 }
329 else if (init_state < 0) {
330 return -1;
331 }
332
333 #ifdef WIN32
334 wVersionRequested = MAKEWORD(2, 2);
335
336 err = WSAStartup(wVersionRequested, &wsaData);
337 if (err != 0) {
338 return init_state = -1;
339 }
340 #ifdef HAVE_SSPI
341 if (ne_sspi_init() < 0) {
342 return init_state = -1;
343 }
344 #endif
345 #endif
346
347 #ifdef NE_HAVE_SOCKS
348 SOCKSinit("neon");
349 #endif
350
351 #if defined(HAVE_SIGNAL)
352 //(void) signal(SIGPIPE, SIG_IGN);
353 struct sigaction sa;
354 memset( &sa, 0, sizeof(sa) );
355 sa.sa_handler = SIG_IGN;
356 sigaction( SIGPIPE, &sa, NULL);
357 #endif
358
359 #ifdef USE_CHECK_IPV6
360 init_ipv6();
361 #endif
362
363 #ifdef NE_HAVE_SSL
364 if (ne__ssl_init()) {
365 return init_state = -1;
366 }
367 #endif
368
369 init_state = 1;
370 return 0;
371 }
372
ne_sock_exit(void)373 void ne_sock_exit(void)
374 {
375 if (init_state > 0 && --init_state == 0) {
376 #ifdef WIN32
377 WSACleanup();
378 #endif
379 #ifdef NE_HAVE_SSL
380 ne__ssl_exit();
381 #endif
382
383 #ifdef HAVE_SSPI
384 ne_sspi_deinit();
385 #endif
386 }
387 }
388
389 /* Await readability (rdwr = 0) or writability (rdwr != 0) for socket
390 * fd for secs seconds. Returns <0 on error, zero on timeout, >0 if
391 * data is available. */
raw_poll(int fdno,int rdwr,int secs)392 static int raw_poll(int fdno, int rdwr, int secs)
393 {
394 int ret;
395 #ifdef NE_USE_POLL
396 struct pollfd fds;
397 int time_left = (secs > 0)?(secs):(-1);
398
399 fds.fd = fdno;
400 fds.events = rdwr == 0 ? POLLIN : POLLOUT;
401 fds.revents = 0;
402
403 do {
404 ret = poll(&fds, 1, 1000);
405 if( ret < 0 && !NE_ISINTR(ne_errno)){
406 break; // error
407 }
408 } while (ret <= 0 && --time_left);
409 #else
410 fd_set rdfds, wrfds;
411 struct timeval timeout, *tvp = (secs >= 0 ? &timeout : NULL);
412
413 /* Init the fd set */
414 FD_ZERO(&rdfds);
415 FD_ZERO(&wrfds);
416
417 /* Note that (amazingly) the FD_SET macro does not expand
418 * correctly on Netware if not inside a compound statement
419 * block. */
420 if (rdwr == 0) {
421 FD_SET(fdno, &rdfds);
422 } else {
423 FD_SET(fdno, &wrfds);
424 }
425
426 if (tvp) {
427 tvp->tv_sec = secs;
428 tvp->tv_usec = 0;
429 }
430 do {
431 ret = select(fdno + 1, &rdfds, &wrfds, NULL, tvp);
432 } while (ret < 0 && NE_ISINTR(ne_errno));
433 #endif
434 return ret;
435 }
436
ne_sock_block(ne_socket * sock,int n)437 int ne_sock_block(ne_socket *sock, int n)
438 {
439 if (sock->bufavail)
440 return 0;
441 return sock->ops->readable(sock, n);
442 }
443
444 /* Cast address object AD to type 'sockaddr_TY' */
445 #define SACAST(ty, ad) ((struct sockaddr_##ty *)(ad))
446
ne_sock_read(ne_socket * sock,char * buffer,size_t buflen)447 ssize_t ne_sock_read(ne_socket *sock, char *buffer, size_t buflen)
448 {
449 ssize_t bytes;
450
451 #if 0
452 NE_DEBUG(NE_DBG_SOCKET, "buf: at %d, %d avail [%s]",
453 sock->bufpos - sock->buffer, sock->bufavail, sock->bufpos);
454 #endif
455
456 if (sock->bufavail > 0) {
457 /* Deliver buffered data. */
458 if (buflen > sock->bufavail)
459 buflen = sock->bufavail;
460 memcpy(buffer, sock->bufpos, buflen);
461 sock->bufpos += buflen;
462 sock->bufavail -= buflen;
463 return buflen;
464 } else if (buflen >= sizeof sock->buffer) {
465 /* No need for read buffer. */
466 return sock->ops->sread(sock, buffer, buflen);
467 } else {
468 /* Fill read buffer. */
469 bytes = sock->ops->sread(sock, sock->buffer, sizeof sock->buffer);
470 if (bytes <= 0)
471 return bytes;
472
473 if (buflen > (size_t)bytes)
474 buflen = bytes;
475 memcpy(buffer, sock->buffer, buflen);
476 sock->bufpos = sock->buffer + buflen;
477 sock->bufavail = bytes - buflen;
478 return buflen;
479 }
480 }
481
ne_sock_peek(ne_socket * sock,char * buffer,size_t buflen)482 ssize_t ne_sock_peek(ne_socket *sock, char *buffer, size_t buflen)
483 {
484 ssize_t bytes;
485
486 if (sock->bufavail) {
487 /* just return buffered data. */
488 bytes = sock->bufavail;
489 } else {
490 /* fill the buffer. */
491 bytes = sock->ops->sread(sock, sock->buffer, sizeof sock->buffer);
492 if (bytes <= 0)
493 return bytes;
494
495 sock->bufpos = sock->buffer;
496 sock->bufavail = bytes;
497 }
498
499 if (buflen > (size_t)bytes)
500 buflen = bytes;
501
502 memcpy(buffer, sock->bufpos, buflen);
503
504 return buflen;
505 }
506
507 /* Await data on raw fd in socket. */
readable_raw(ne_socket * sock,int secs)508 static int readable_raw(ne_socket *sock, int secs)
509 {
510 int ret = raw_poll(sock->fd, 0, secs);
511
512 if (ret < 0) {
513 set_strerror(sock, ne_errno);
514 return NE_SOCK_ERROR;
515 }
516 return (ret == 0) ? NE_SOCK_TIMEOUT : 0;
517 }
518
519 #ifdef __linux__
wait_pending_writes(ne_socket * sock,int stepwait)520 static int wait_pending_writes(ne_socket *sock, int stepwait)
521 {
522 /* If there's any data in the TCP queue,
523 wait until it's been drained */
524
525 int prevpending = INT_MAX, pending = INT_MAX;
526 ssize_t ret;
527 do {
528 /* Ready to read from socket? */
529 ret = readable_raw(sock, stepwait);
530 if(ret == NE_SOCK_ERROR) return ret;
531
532 /* There was a timeout.. */
533 if(ret == NE_SOCK_TIMEOUT) {
534 /* Is there any data pending for writing? */
535 int ioret = ioctl(sock->fd, SIOCOUTQ, &pending);
536 if(ioret == -1) {
537 set_strerror(sock, ne_errno);
538 return NE_SOCK_ERROR;
539 }
540 if(pending > 0 && pending < prevpending) {
541 if(prevpending == INT_MAX) prevpending = -1;
542 NE_DEBUG(NE_DBG_SOCKET, "Pending bytes on TCP send buffer, waiting. (%d bytes)", pending);
543 prevpending = pending;
544 }
545 else {
546 /* Timeout, no change in buffer size since last time.
547 Connection is probably hung */
548 return NE_SOCK_TIMEOUT;
549 }
550 }
551 } while(ret == NE_SOCK_TIMEOUT);
552 return 0;
553 }
554 #endif
555
read_raw(ne_socket * sock,char * buffer,size_t len)556 static ssize_t read_raw(ne_socket *sock, char *buffer, size_t len)
557 {
558 ssize_t ret;
559 #ifdef __linux__
560 ret = wait_pending_writes(sock, sock->rdtimeout);
561 if (ret) return ret;
562 #endif
563 ret = readable_raw(sock, sock->rdtimeout);
564 if (ret) return ret;
565
566 do {
567 ret = recv(sock->fd, buffer, len, 0);
568 } while (ret == -1 && NE_ISINTR(ne_errno));
569
570 if (ret == 0) {
571 set_error(sock, _("Connection closed"));
572 ret = NE_SOCK_CLOSED;
573 } else if (ret < 0) {
574 int errnum = ne_errno;
575 ret = NE_ISRESET(errnum) ? NE_SOCK_RESET : NE_SOCK_ERROR;
576 set_strerror(sock, errnum);
577 }
578
579 return ret;
580 }
581
582 #define MAP_ERR(e) (NE_ISCLOSED(e) ? NE_SOCK_CLOSED : \
583 (NE_ISRESET(e) ? NE_SOCK_RESET : NE_SOCK_ERROR))
584
write_raw(ne_socket * sock,const char * data,size_t length)585 static ssize_t write_raw(ne_socket *sock, const char *data, size_t length)
586 {
587 ssize_t ret;
588
589 #ifdef __QNX__
590 /* Test failures seen on QNX over loopback, if passing large
591 * buffer lengths to send(). */
592 if (length > 8192) length = 8192;
593 #endif
594
595 do {
596
597 // no signal protection
598 #if (defined HAVE_SIGNAL) && (defined MSG_NOSIGNAL)
599 ret = send(sock->fd, data, length, MSG_NOSIGNAL);
600 #else
601 ret = send(sock->fd, data, length, 0);
602 #endif
603 } while (ret == -1 && NE_ISINTR(ne_errno));
604
605 if (ret < 0) {
606 int errnum = ne_errno;
607 set_strerror(sock, errnum);
608 return MAP_ERR(errnum);
609 }
610 return ret;
611 }
612
writev_raw(ne_socket * sock,const struct ne_iovec * vector,int count)613 static ssize_t writev_raw(ne_socket *sock, const struct ne_iovec *vector, int count)
614 {
615 ssize_t ret;
616 #ifdef WIN32
617 LPWSABUF wasvector = (LPWSABUF)ne_malloc(count * sizeof(WSABUF));
618 DWORD total;
619 int i;
620
621 for (i = 0; i < count; i++){
622 wasvector[i].buf = vector[i].base;
623 wasvector[i].len = vector[i].len;
624 }
625
626 ret = WSASend(sock->fd, wasvector, count, &total, 0, NULL, NULL);
627 if (ret == 0)
628 ret = total;
629
630 ne_free(wasvector);
631 #else
632 const struct iovec *vec = (const struct iovec *) vector;
633
634 do {
635 ret = writev(sock->fd, vec, count);
636 } while (ret == -1 && NE_ISINTR(ne_errno));
637 #endif
638
639 if (ret < 0) {
640 int errnum = ne_errno;
641 set_strerror(sock, errnum);
642 return MAP_ERR(errnum);
643 }
644
645 return ret;
646 }
647
648 #ifdef NE_HAVE_SSL
writev_dummy(ne_socket * sock,const struct ne_iovec * vector,int count)649 static ssize_t writev_dummy(ne_socket *sock, const struct ne_iovec *vector, int count)
650 {
651 return sock->ops->swrite(sock, vector[0].base, vector[0].len);
652 }
653 #endif
654
655 static const struct iofns iofns_raw = { read_raw, write_raw, readable_raw, writev_raw };
656
657 #ifdef HAVE_OPENSSL
658 /* OpenSSL I/O function implementations. */
readable_ossl(ne_socket * sock,int secs)659 static int readable_ossl(ne_socket *sock, int secs)
660 {
661 if (SSL_pending(sock->ssl))
662 return 0;
663 return readable_raw(sock, secs);
664 }
665
666 /* SSL error handling, according to SSL_get_error(3). */
error_ossl(ne_socket * sock,int sret)667 static int error_ossl(ne_socket *sock, int sret)
668 {
669 int errnum = SSL_get_error(sock->ssl, sret);
670 unsigned long err;
671
672 if (errnum == SSL_ERROR_ZERO_RETURN) {
673 set_error(sock, _("Connection closed"));
674 return NE_SOCK_CLOSED;
675 }
676
677 /* for all other errors, look at the OpenSSL error stack */
678 err = ERR_get_error();
679 if (err == 0) {
680 /* Empty error stack, presume this is a system call error: */
681 if (sret == 0) {
682 /* EOF without close_notify, possible truncation */
683 set_error(sock, _("Secure connection truncated"));
684 return NE_SOCK_TRUNC;
685 } else {
686 /* Other socket error. */
687 errnum = ne_errno;
688 set_strerror(sock, errnum);
689 return MAP_ERR(errnum);
690 }
691 }
692
693 if (ERR_reason_error_string(err)) {
694 ne_snprintf(sock->error, sizeof sock->error,
695 _("SSL error: %s"), ERR_reason_error_string(err));
696 } else {
697 ne_snprintf(sock->error, sizeof sock->error,
698 _("SSL error code %d/%d/%lu"), sret, errnum, err);
699 }
700
701 /* make sure the error stack is now empty. */
702 ERR_clear_error();
703 return NE_SOCK_ERROR;
704 }
705
706 /* Work around OpenSSL's use of 'int' rather than 'size_t', to prevent
707 * accidentally passing a negative number, etc. */
708 #define CAST2INT(n) (((n) > INT_MAX) ? INT_MAX : (n))
709
read_ossl(ne_socket * sock,char * buffer,size_t len)710 static ssize_t read_ossl(ne_socket *sock, char *buffer, size_t len)
711 {
712 int ret;
713
714 ret = readable_ossl(sock, sock->rdtimeout);
715 if (ret) return ret;
716
717 ret = SSL_read(sock->ssl, buffer, CAST2INT(len));
718 if (ret <= 0)
719 ret = error_ossl(sock, ret);
720
721 return ret;
722 }
723
write_ossl(ne_socket * sock,const char * data,size_t len)724 static ssize_t write_ossl(ne_socket *sock, const char *data, size_t len)
725 {
726 int ret, ilen = CAST2INT(len);
727 ret = SSL_write(sock->ssl, data, ilen);
728 /* ssl.h says SSL_MODE_ENABLE_PARTIAL_WRITE must be enabled to
729 * have SSL_write return < length... so, SSL_write should never
730 * return < length. */
731 if (ret != ilen)
732 return error_ossl(sock, ret);
733 return ret;
734 }
735
736 static const struct iofns iofns_ssl = {
737 read_ossl,
738 write_ossl,
739 readable_ossl,
740 writev_dummy
741 };
742
743 #elif defined(HAVE_GNUTLS)
744
745 /* Return zero if an alert value can be ignored. */
check_alert(ne_socket * sock,ssize_t ret)746 static int check_alert(ne_socket *sock, ssize_t ret)
747 {
748 const char *alert;
749
750 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED) {
751 alert = gnutls_alert_get_name(gnutls_alert_get(sock->ssl));
752 NE_DEBUG(NE_DBG_SOCKET, "TLS warning alert: %s", alert);
753 return 0;
754 } else if (ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
755 alert = gnutls_alert_get_name(gnutls_alert_get(sock->ssl));
756 NE_DEBUG(NE_DBG_SOCKET, "TLS fatal alert: %s", alert);
757 return -1;
758 }
759 return ret;
760 }
761
readable_gnutls(ne_socket * sock,int secs)762 static int readable_gnutls(ne_socket *sock, int secs)
763 {
764 if (gnutls_record_check_pending(sock->ssl)) {
765 return 0;
766 }
767 return readable_raw(sock, secs);
768 }
769
error_gnutls(ne_socket * sock,ssize_t sret)770 static ssize_t error_gnutls(ne_socket *sock, ssize_t sret)
771 {
772 ssize_t ret;
773
774 switch (sret) {
775 case 0:
776 ret = NE_SOCK_CLOSED;
777 set_error(sock, _("Connection closed"));
778 break;
779 case GNUTLS_E_FATAL_ALERT_RECEIVED:
780 ret = NE_SOCK_ERROR;
781 ne_snprintf(sock->error, sizeof sock->error,
782 _("SSL alert received: %s"),
783 gnutls_alert_get_name(gnutls_alert_get(sock->ssl)));
784 break;
785 case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
786 /* It's not exactly an API guarantee but this error will
787 * always mean a premature EOF. */
788 ret = NE_SOCK_TRUNC;
789 set_error(sock, _("Secure connection truncated"));
790 break;
791 case GNUTLS_E_PUSH_ERROR:
792 ret = NE_SOCK_RESET;
793 set_error(sock, ("SSL socket write failed"));
794 break;
795 case GNUTLS_E_PULL_ERROR:
796 ret = NE_SOCK_RESET;
797 set_error(sock, _("SSL socket read failed"));
798 break;
799 default:
800 ret = NE_SOCK_ERROR;
801 ne_snprintf(sock->error, sizeof sock->error, _("SSL error: %s"),
802 gnutls_strerror(sret));
803 }
804 return ret;
805 }
806
807 #define RETRY_GNUTLS(sock, ret) ((ret < 0) \
808 && (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN \
809 || check_alert(sock, ret) == 0))
810
read_gnutls(ne_socket * sock,char * buffer,size_t len)811 static ssize_t read_gnutls(ne_socket *sock, char *buffer, size_t len)
812 {
813 ssize_t ret;
814 unsigned reneg = 1; /* number of allowed rehandshakes */
815
816 ret = readable_gnutls(sock, sock->rdtimeout);
817 if (ret) return ret;
818
819 do {
820 do {
821 ret = gnutls_record_recv(sock->ssl, buffer, len);
822 } while (RETRY_GNUTLS(sock, ret));
823
824 } while (ret == GNUTLS_E_REHANDSHAKE && reneg--
825 && (ret = gnutls_handshake(sock->ssl)) == GNUTLS_E_SUCCESS);
826
827 if (ret <= 0)
828 ret = error_gnutls(sock, ret);
829
830 return ret;
831 }
832
write_gnutls(ne_socket * sock,const char * data,size_t len)833 static ssize_t write_gnutls(ne_socket *sock, const char *data, size_t len)
834 {
835 ssize_t ret;
836
837 do {
838 ret = gnutls_record_send(sock->ssl, data, len);
839 } while (RETRY_GNUTLS(sock, ret));
840
841 if (ret < 0)
842 return error_gnutls(sock, ret);
843
844 return ret;
845 }
846
847 static const struct iofns iofns_ssl = {
848 read_gnutls,
849 write_gnutls,
850 readable_gnutls,
851 writev_dummy
852 };
853
854 #endif
855
ne_sock_fullwrite(ne_socket * sock,const char * data,size_t len)856 int ne_sock_fullwrite(ne_socket *sock, const char *data, size_t len)
857 {
858 ssize_t ret;
859
860 do {
861 ret = sock->ops->swrite(sock, data, len);
862 if (ret > 0) {
863 data += ret;
864 len -= ret;
865 }
866 } while (ret > 0 && len > 0);
867
868 return ret < 0 ? ret : 0;
869 }
870
ne_sock_fullwritev(ne_socket * sock,const struct ne_iovec * vector,int count)871 int ne_sock_fullwritev(ne_socket *sock, const struct ne_iovec *vector, int count)
872 {
873 ssize_t ret;
874
875 do {
876 ret = sock->ops->swritev(sock, vector, count);
877 if (ret > 0) {
878 while (count && (size_t)ret >= vector[0].len) {
879 ret -= vector[0].len;
880 count--;
881 vector++;
882 }
883
884 if (ret && count) {
885 /* Partial buffer sent; send the rest. */
886 ret = ne_sock_fullwrite(sock, (char *)vector[0].base + ret,
887 vector[0].len - ret);
888 count--;
889 vector++;
890 }
891 }
892 } while (count && ret >= 0);
893
894 return ret < 0 ? ret : 0;
895 }
896
ne_sock_readline(ne_socket * sock,char * buf,size_t buflen)897 ssize_t ne_sock_readline(ne_socket *sock, char *buf, size_t buflen)
898 {
899 char *lf;
900 size_t len;
901
902 if(!sock)
903 return NE_SOCK_CLOSED;
904
905 if ((lf = memchr(sock->bufpos, '\n', sock->bufavail)) == NULL
906 && sock->bufavail < RDBUFSIZ) {
907 /* The buffered data does not contain a complete line: move it
908 * to the beginning of the buffer. */
909 if (sock->bufavail)
910 memmove(sock->buffer, sock->bufpos, sock->bufavail);
911 sock->bufpos = sock->buffer;
912
913 /* Loop filling the buffer whilst no newline is found in the data
914 * buffered so far, and there is still buffer space available */
915 do {
916 /* Read more data onto end of buffer. */
917 ssize_t ret = sock->ops->sread(sock, sock->buffer + sock->bufavail,
918 RDBUFSIZ - sock->bufavail);
919 if (ret < 0) return ret;
920 sock->bufavail += ret;
921 } while ((lf = memchr(sock->buffer, '\n', sock->bufavail)) == NULL
922 && sock->bufavail < RDBUFSIZ);
923 }
924
925 if (lf)
926 len = lf - sock->bufpos + 1;
927 else
928 len = buflen; /* fall into "line too long" error... */
929
930 if ((len + 1) > buflen) {
931 set_error(sock, _("Line too long"));
932 return NE_SOCK_ERROR;
933 }
934
935 memcpy(buf, sock->bufpos, len);
936 buf[len] = '\0';
937 /* consume the line from buffer: */
938 sock->bufavail -= len;
939 sock->bufpos += len;
940 return len;
941 }
942
ne_sock_fullread(ne_socket * sock,char * buffer,size_t buflen)943 ssize_t ne_sock_fullread(ne_socket *sock, char *buffer, size_t buflen)
944 {
945 ssize_t len;
946
947 while (buflen > 0) {
948 len = ne_sock_read(sock, buffer, buflen);
949 if (len < 0) return len;
950 buflen -= len;
951 buffer += len;
952 }
953
954 return 0;
955 }
956
957 #ifndef INADDR_NONE
958 #define INADDR_NONE ((in_addr_t) -1)
959 #endif
960
961 #if !defined(USE_GETADDRINFO) && !defined(WIN32) && !HAVE_DECL_H_ERRNO
962 /* Ancient versions of netdb.h don't export h_errno. */
963 extern int h_errno;
964 #endif
965
966 /* This implemementation does not attempt to support IPv6 using
967 * gethostbyname2 et al. */
ne_addr_resolve(const char * hostname,int flags)968 ne_sock_addr *ne_addr_resolve(const char *hostname, int flags)
969 {
970 ne_sock_addr *addr = ne_calloc(sizeof *addr);
971 #ifdef USE_GETADDRINFO
972 struct addrinfo hints = {0};
973 char *pnt;
974
975 hints.ai_socktype = SOCK_STREAM;
976
977 #ifdef AF_INET6
978 if (hostname[0] == '[' && ((pnt = strchr(hostname, ']')) != NULL)) {
979 char *hn = ne_strdup(hostname + 1);
980 hn[pnt - hostname - 1] = '\0';
981 #ifdef AI_NUMERICHOST /* added in the RFC2553 API */
982 hints.ai_flags = AI_NUMERICHOST;
983 #endif
984 hints.ai_family = AF_INET6;
985 addr->errnum = getaddrinfo(hn, NULL, &hints, &addr->result);
986 ne_free(hn);
987 } else
988 #endif /* AF_INET6 */
989 {
990 #ifdef USE_GAI_ADDRCONFIG /* added in the RFC3493 API */
991 hints.ai_flags = AI_ADDRCONFIG;
992 hints.ai_family = AF_UNSPEC;
993 addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result);
994 #else
995 hints.ai_family = ipv6_disabled ? AF_INET : AF_UNSPEC;
996 addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result);
997 #endif
998 }
999 #else /* Use gethostbyname() */
1000 in_addr_t laddr;
1001 struct hostent *hp;
1002
1003 laddr = inet_addr(hostname);
1004 if (laddr == INADDR_NONE) {
1005 hp = gethostbyname(hostname);
1006 if (hp == NULL) {
1007 #ifdef WIN32
1008 addr->errnum = WSAGetLastError();
1009 #else
1010 addr->errnum = h_errno;
1011 #endif
1012 } else if (hp->h_length != sizeof(struct in_addr)) {
1013 /* fail gracefully if somebody set RES_USE_INET6 */
1014 addr->errnum = NO_RECOVERY;
1015 } else {
1016 size_t n;
1017 /* count addresses */
1018 for (n = 0; hp->h_addr_list[n] != NULL; n++)
1019 /* noop */;
1020
1021 addr->count = n;
1022 addr->addrs = ne_malloc(n * sizeof *addr->addrs);
1023
1024 for (n = 0; n < addr->count; n++)
1025 memcpy(&addr->addrs[n], hp->h_addr_list[n], hp->h_length);
1026 }
1027 } else {
1028 addr->addrs = ne_malloc(sizeof *addr->addrs);
1029 addr->count = 1;
1030 memcpy(addr->addrs, &laddr, sizeof *addr->addrs);
1031 }
1032 #endif
1033 return addr;
1034 }
1035
ne_addr_result(const ne_sock_addr * addr)1036 int ne_addr_result(const ne_sock_addr *addr)
1037 {
1038 return addr->errnum;
1039 }
1040
ne_addr_first(ne_sock_addr * addr)1041 const ne_inet_addr *ne_addr_first(ne_sock_addr *addr)
1042 {
1043 #ifdef USE_GETADDRINFO
1044 addr->cursor = addr->result->ai_next;
1045 return addr->result;
1046 #else
1047 addr->cursor = 0;
1048 return &addr->addrs[0];
1049 #endif
1050 }
1051
ne_addr_next(ne_sock_addr * addr)1052 const ne_inet_addr *ne_addr_next(ne_sock_addr *addr)
1053 {
1054 #ifdef USE_GETADDRINFO
1055 struct addrinfo *ret = addr->cursor;
1056 if (addr->cursor) addr->cursor = addr->cursor->ai_next;
1057 #else
1058 struct in_addr *ret;
1059 if (++addr->cursor < addr->count)
1060 ret = &addr->addrs[addr->cursor];
1061 else
1062 ret = NULL;
1063 #endif
1064 return ret;
1065 }
1066
ne_addr_error(const ne_sock_addr * addr,char * buf,size_t bufsiz)1067 char *ne_addr_error(const ne_sock_addr *addr, char *buf, size_t bufsiz)
1068 {
1069 #ifdef WIN32
1070 print_error(addr->errnum, buf, bufsiz);
1071 #else
1072 const char *err;
1073 #ifdef USE_GETADDRINFO
1074 /* override horrible generic "Name or service not known" error. */
1075 if (addr->errnum == EAI_NONAME)
1076 err = _("Host not found");
1077 else
1078 err = gai_strerror(addr->errnum);
1079 #elif defined(HAVE_HSTRERROR)
1080 err = hstrerror(addr->errnum);
1081 #else
1082 err = _("Host not found");
1083 #endif
1084 ne_strnzcpy(buf, err, bufsiz);
1085 #endif /* WIN32 */
1086 return buf;
1087 }
1088
ne_iaddr_print(const ne_inet_addr * ia,char * buf,size_t bufsiz)1089 char *ne_iaddr_print(const ne_inet_addr *ia, char *buf, size_t bufsiz)
1090 {
1091 #if defined(USE_GETADDRINFO) && defined(HAVE_INET_NTOP)
1092 const char *ret;
1093 #ifdef AF_INET6
1094 if (ia->ai_family == AF_INET6) {
1095 struct sockaddr_in6 *in6 = SACAST(in6, ia->ai_addr);
1096 ret = inet_ntop(AF_INET6, &in6->sin6_addr, buf, bufsiz);
1097 } else
1098 #endif
1099 if (ia->ai_family == AF_INET) {
1100 struct sockaddr_in *in = SACAST(in, ia->ai_addr);
1101 ret = inet_ntop(AF_INET, &in->sin_addr, buf, bufsiz);
1102 } else
1103 ret = NULL;
1104 if (ret == NULL)
1105 ne_strnzcpy(buf, "[IP address]", bufsiz);
1106 #elif defined(USE_GETADDRINFO) && defined(NI_NUMERICHOST)
1107 /* use getnameinfo instead for Win32, which lacks inet_ntop: */
1108 if (getnameinfo(ia->ai_addr, ia->ai_addrlen, buf, bufsiz, NULL, 0,
1109 NI_NUMERICHOST))
1110 ne_strnzcpy(buf, "[IP address]", bufsiz);
1111 #else /* USE_GETADDRINFO */
1112 ne_strnzcpy(buf, inet_ntoa(*ia), bufsiz);
1113 #endif
1114 return buf;
1115 }
1116
ne_iaddr_raw(const ne_inet_addr * ia,unsigned char * buf)1117 unsigned char *ne_iaddr_raw(const ne_inet_addr *ia, unsigned char *buf)
1118 {
1119 #ifdef USE_GETADDRINFO
1120 #ifdef AF_INET6
1121 if (ia->ai_family == AF_INET6) {
1122 struct sockaddr_in6 *in6 = SACAST(in6, ia->ai_addr);
1123 return memcpy(buf, in6->sin6_addr.s6_addr, sizeof in6->sin6_addr.s6_addr);
1124 } else
1125 #endif /* AF_INET6 */
1126 {
1127 struct sockaddr_in *in = SACAST(in, ia->ai_addr);
1128 return memcpy(buf, &in->sin_addr.s_addr, sizeof in->sin_addr.s_addr);
1129 }
1130 #else /* !USE_GETADDRINFO */
1131 return memcpy(buf, &ia->s_addr, sizeof ia->s_addr);
1132 #endif
1133 }
1134
ne_iaddr_parse(const char * addr,ne_iaddr_type type)1135 ne_inet_addr *ne_iaddr_parse(const char *addr, ne_iaddr_type type)
1136 {
1137 #if defined(USE_GETADDRINFO) && defined(HAVE_INET_PTON)
1138 char dst[sizeof(struct in6_addr)];
1139 int af = type == ne_iaddr_ipv6 ? AF_INET6 : AF_INET;
1140
1141 if (inet_pton(af, addr, dst) != 1) {
1142 return NULL;
1143 }
1144
1145 return ne_iaddr_make(type, (unsigned char *)dst);
1146 #elif defined(USE_GETADDRINFO) && !defined(HAVE_INET_PTON)
1147 /* For Windows, which lacks inet_pton(). */
1148 struct addrinfo *ai, *rv, hints;
1149
1150 memset(&hints, 0, sizeof hints);
1151 hints.ai_socktype = SOCK_STREAM;
1152 hints.ai_flags = AI_NUMERICHOST;
1153 hints.ai_family = type == ne_iaddr_ipv6 ? AF_INET6 : AF_INET;
1154
1155 if (getaddrinfo(addr, NULL, &hints, &ai)) {
1156 return NULL;
1157 }
1158
1159 /* Copy the returned addrinfo, since it needs to be ne_free()-able
1160 * later; must only call freeaddrinfo() on ai. */
1161 rv = ne_calloc(sizeof *rv);
1162 memcpy(rv, ai, sizeof *rv);
1163 rv->ai_next = NULL;
1164 rv->ai_canonname = NULL;
1165 rv->ai_addr = ne_calloc(ai->ai_addrlen);
1166 memcpy(rv->ai_addr, ai->ai_addr, ai->ai_addrlen);
1167 freeaddrinfo(ai);
1168
1169 return rv;
1170 #else /* !USE_GETADDRINFO */
1171 struct in_addr a;
1172
1173 if (type == ne_iaddr_ipv6) {
1174 return NULL;
1175 }
1176
1177 #ifdef WIN32
1178 /* inet_addr() is broken because INADDR_NONE is a valid
1179 * broadcast address, so only use it on Windows. */
1180 a.s_addr = inet_addr(addr);
1181 if (a.s_addr == INADDR_NONE) {
1182 return NULL;
1183 }
1184 #else /* !WIN32 */
1185 if (inet_aton(addr, &a) == 0) {
1186 return NULL;
1187 }
1188 #endif
1189
1190 return ne_iaddr_make(ne_iaddr_ipv4, (unsigned char *)&a.s_addr);
1191 #endif /* !USE_GETADDRINFO */
1192 }
1193
ne_iaddr_reverse(const ne_inet_addr * ia,char * buf,size_t bufsiz)1194 int ne_iaddr_reverse(const ne_inet_addr *ia, char *buf, size_t bufsiz)
1195 {
1196 #ifdef USE_GETADDRINFO
1197 return getnameinfo(ia->ai_addr, ia->ai_addrlen, buf, bufsiz,
1198 NULL, 0, 0);
1199 #else
1200 struct hostent *hp;
1201
1202 hp = gethostbyaddr(ia, sizeof *ia, AF_INET);
1203 if (hp && hp->h_name) {
1204 ne_strnzcpy(buf, hp->h_name, bufsiz);
1205 return 0;
1206 }
1207 return -1;
1208 #endif
1209 }
1210
ne_addr_destroy(ne_sock_addr * addr)1211 void ne_addr_destroy(ne_sock_addr *addr)
1212 {
1213 #ifdef USE_GETADDRINFO
1214 if (addr->result)
1215 freeaddrinfo(addr->result);
1216 #else
1217 if (addr->addrs)
1218 ne_free(addr->addrs);
1219 #endif
1220 ne_free(addr);
1221 }
1222
1223 /* Perform a connect() for given fd, handling EINTR retries. Returns
1224 * zero on success or -1 on failure, in which case, ne_errno is set
1225 * appropriately. */
raw_connect(int fd,const struct sockaddr * sa,size_t salen)1226 static int raw_connect(int fd, const struct sockaddr *sa, size_t salen)
1227 {
1228 int ret;
1229
1230 do {
1231 ret = connect(fd, sa, salen);
1232 } while (ret < 0 && NE_ISINTR(ne_errno));
1233
1234 return ret;
1235 }
1236
1237 /* Perform a connect() for fd to address sa of length salen, with a
1238 * timeout if supported on this platform. Returns zero on success or
1239 * NE_SOCK_* on failure, with sock->error set appropriately. */
timed_connect(ne_socket * sock,int fd,const struct sockaddr * sa,size_t salen)1240 static int timed_connect(ne_socket *sock, int fd,
1241 const struct sockaddr *sa, size_t salen)
1242 {
1243 int ret;
1244
1245 #ifdef USE_NONBLOCKING_CONNECT
1246 if (sock->cotimeout) {
1247 int errnum, flags;
1248
1249 /* Get flags and then set O_NONBLOCK. */
1250 flags = fcntl(fd, F_GETFL);
1251 if (flags & O_NONBLOCK) {
1252 /* This socket was created using SOCK_NONBLOCK... flip the
1253 * bit for restoring flags later. */
1254 flags &= ~O_NONBLOCK;
1255 }
1256 else if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
1257 set_strerror(sock, errno);
1258 return NE_SOCK_ERROR;
1259 }
1260
1261 ret = raw_connect(fd, sa, salen);
1262 if (ret == -1) {
1263 errnum = ne_errno;
1264 if (NE_ISINPROGRESS(errnum)) {
1265 ret = raw_poll(fd, 1, sock->cotimeout);
1266 if (ret > 0) { /* poll got data */
1267 socklen_t len = sizeof(errnum);
1268
1269 /* Check whether there is a pending error for the
1270 * socket. Per Stevens UNPv1§15.4, Solaris will
1271 * return a pending error via errno by failing the
1272 * getsockopt() call. */
1273
1274 errnum = 0;
1275 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &errnum, &len))
1276 errnum = errno;
1277
1278 if (errnum == 0) {
1279 ret = 0;
1280 } else {
1281 set_strerror(sock, errnum);
1282 ret = NE_SOCK_ERROR;
1283 }
1284 } else if (ret == 0) { /* poll timed out */
1285 set_error(sock, _("Connection timed out"));
1286 ret = NE_SOCK_TIMEOUT;
1287 } else /* poll failed */ {
1288 set_strerror(sock, errno);
1289 ret = NE_SOCK_ERROR;
1290 }
1291 } else /* non-EINPROGRESS error from connect() */ {
1292 set_strerror(sock, errnum);
1293 ret = NE_SOCK_ERROR;
1294 }
1295 }
1296
1297 /* Reset to old flags: */
1298 if (fcntl(fd, F_SETFL, flags) == -1) {
1299 set_strerror(sock, errno);
1300 ret = NE_SOCK_ERROR;
1301 }
1302 } else
1303 #endif /* USE_NONBLOCKING_CONNECT */
1304 {
1305 ret = raw_connect(fd, sa, salen);
1306
1307 if (ret < 0) {
1308 set_strerror(sock, errno);
1309 ret = NE_SOCK_ERROR;
1310 }
1311 }
1312
1313 return ret;
1314 }
1315
1316 /* Connect socket to address 'addr' on given 'port'. Returns zero on
1317 * success or NE_SOCK_* on failure with sock->error set
1318 * appropriately. */
connect_socket(ne_socket * sock,int fd,const ne_inet_addr * addr,unsigned int port)1319 static int connect_socket(ne_socket *sock, int fd,
1320 const ne_inet_addr *addr, unsigned int port)
1321 {
1322 #ifdef USE_GETADDRINFO
1323 #ifdef AF_INET6
1324 /* fill in the _family field for AIX 4.3, which forgets to do so. */
1325 if (addr->ai_family == AF_INET6) {
1326 struct sockaddr_in6 in6;
1327 memcpy(&in6, addr->ai_addr, sizeof in6);
1328 in6.sin6_port = port;
1329 in6.sin6_family = AF_INET6;
1330 return timed_connect(sock, fd, (struct sockaddr *)&in6, sizeof in6);
1331 } else
1332 #endif
1333 if (addr->ai_family == AF_INET) {
1334 struct sockaddr_in in;
1335 memcpy(&in, addr->ai_addr, sizeof in);
1336 in.sin_port = port;
1337 in.sin_family = AF_INET;
1338 return timed_connect(sock, fd, (struct sockaddr *)&in, sizeof in);
1339 } else {
1340 set_strerror(sock, EINVAL);
1341 return NE_SOCK_ERROR;
1342 }
1343 #else
1344 struct sockaddr_in sa = {0};
1345 sa.sin_family = AF_INET;
1346 sa.sin_port = port;
1347 sa.sin_addr = *addr;
1348 return timed_connect(sock, fd, (struct sockaddr *)&sa, sizeof sa);
1349 #endif
1350 }
1351
ne_sock_create(void)1352 ne_socket *ne_sock_create(void)
1353 {
1354 ne_socket *sock = ne_calloc(sizeof *sock);
1355 sock->rdtimeout = SOCKET_READ_TIMEOUT;
1356 sock->cotimeout = 0;
1357 sock->bufpos = sock->buffer;
1358 sock->ops = &iofns_raw;
1359 sock->fd = -1;
1360 return sock;
1361 }
1362
1363
1364 #ifdef USE_GETADDRINFO
1365 #define ia_family(a) ((a)->ai_family)
1366 #define ia_proto(a) ((a)->ai_protocol)
1367 #else
1368 #define ia_family(a) AF_INET
1369 #define ia_proto(a) 0
1370 #endif
1371
ne_sock_prebind(ne_socket * sock,const ne_inet_addr * addr,unsigned int port)1372 void ne_sock_prebind(ne_socket *sock, const ne_inet_addr *addr,
1373 unsigned int port)
1374 {
1375 sock->lport = port;
1376 sock->laddr = addr ? addr : &dummy_laddr;
1377 }
1378
1379 /* Bind socket 'fd' to address/port 'addr' and 'port', for subsequent
1380 * connect() to address of family 'peer_family'. */
do_bind(int fd,int peer_family,const ne_inet_addr * addr,unsigned int port)1381 static int do_bind(int fd, int peer_family,
1382 const ne_inet_addr *addr, unsigned int port)
1383 {
1384 #if defined(HAVE_SETSOCKOPT) && defined(SO_REUSEADDR) && defined(SOL_SOCKET)
1385 {
1386 int flag = 1;
1387
1388 (void) setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof flag);
1389 /* An error here is not fatal, so ignore it. */
1390 }
1391 #endif
1392
1393
1394 #if defined(USE_GETADDRINFO) && defined(AF_INET6)
1395 /* Use a sockaddr_in6 if an AF_INET6 local address is specifed, or
1396 * if no address is specified and the peer address is AF_INET6: */
1397 if ((addr != &dummy_laddr && addr->ai_family == AF_INET6)
1398 || (addr == &dummy_laddr && peer_family == AF_INET6)) {
1399 struct sockaddr_in6 in6;
1400
1401 if (addr == &dummy_laddr)
1402 memset(&in6, 0, sizeof in6);
1403 else
1404 memcpy(&in6, addr->ai_addr, sizeof in6);
1405 in6.sin6_port = htons(port);
1406 /* fill in the _family field for AIX 4.3, which forgets to do so. */
1407 in6.sin6_family = AF_INET6;
1408
1409 return bind(fd, (struct sockaddr *)&in6, sizeof in6);
1410 } else
1411 #endif
1412 {
1413 struct sockaddr_in in;
1414
1415 if (addr == &dummy_laddr)
1416 memset(&in, 0, sizeof in);
1417 else {
1418 #ifdef USE_GETADDRINFO
1419 memcpy(&in, addr->ai_addr, sizeof in);
1420 #else
1421 in.sin_addr = *addr;
1422 #endif
1423 }
1424 in.sin_port = htons(port);
1425 in.sin_family = AF_INET;
1426
1427 return bind(fd, (struct sockaddr *)&in, sizeof in);
1428 }
1429 }
1430
1431 #ifdef SOCK_CLOEXEC
1432 /* sock_cloexec is initialized to SOCK_CLOEXEC and cleared to zero if
1433 * a socket() call ever fails with EINVAL. */
1434 static int sock_cloexec = SOCK_CLOEXEC;
1435 #define RETRY_ON_EINVAL
1436 #else
1437 #define sock_cloexec 0
1438 #endif
1439
ne_sock_connect(ne_socket * sock,const ne_inet_addr * addr,unsigned int port)1440 int ne_sock_connect(ne_socket *sock,
1441 const ne_inet_addr *addr, unsigned int port)
1442 {
1443 int fd, ret;
1444 int type = SOCK_STREAM | sock_cloexec;
1445
1446 #if defined(RETRY_ON_EINVAL) && defined(SOCK_NONBLOCK) \
1447 && defined(USE_NONBLOCKING_CONNECT)
1448 /* If the SOCK_NONBLOCK flag is defined, and the retry-on-EINVAL
1449 * logic is enabled, and the socket has a configured timeout, then
1450 * also use the SOCK_NONBLOCK flag to save enabling O_NONBLOCK
1451 * later. */
1452 if (sock->cotimeout && sock_cloexec) {
1453 type |= SOCK_NONBLOCK;
1454 }
1455 #endif
1456
1457 /* use SOCK_STREAM rather than ai_socktype: some getaddrinfo
1458 * implementations do not set ai_socktype, e.g. RHL6.2. */
1459 fd = socket(ia_family(addr), type, ia_proto(addr));
1460 #ifdef RETRY_ON_EINVAL
1461 /* Handle forwards compat for new glibc on an older kernels; clear
1462 * the sock_cloexec flag and retry the call: */
1463 if (fd < 0 && sock_cloexec && errno == EINVAL) {
1464 sock_cloexec = 0;
1465 fd = socket(ia_family(addr), SOCK_STREAM, ia_proto(addr));
1466 }
1467 #endif
1468 if (fd < 0) {
1469 set_strerror(sock, ne_errno);
1470 return -1;
1471 }
1472
1473 #if !defined(NE_USE_POLL) && !defined(WIN32)
1474 if (fd > FD_SETSIZE) {
1475 ne_close(fd);
1476 set_error(sock, _("Socket descriptor number exceeds FD_SETSIZE"));
1477 return NE_SOCK_ERROR;
1478 }
1479 #endif
1480
1481 #if defined(HAVE_FCNTL) && defined(F_GETFD) && defined(F_SETFD) \
1482 && defined(FD_CLOEXEC)
1483 /* Set the FD_CLOEXEC bit for the new fd, if the socket was not
1484 * created with the CLOEXEC bit already set. */
1485 if (!sock_cloexec && (ret = fcntl(fd, F_GETFD)) >= 0) {
1486 fcntl(fd, F_SETFD, ret | FD_CLOEXEC);
1487 /* ignore failure; not a critical error. */
1488 }
1489 #endif
1490
1491 if (sock->laddr && (sock->laddr == &dummy_laddr ||
1492 ia_family(sock->laddr) == ia_family(addr))) {
1493 ret = do_bind(fd, ia_family(addr), sock->laddr, sock->lport);
1494 if (ret < 0) {
1495 int errnum = errno;
1496 ne_close(fd);
1497 set_strerror(sock, errnum);
1498 return NE_SOCK_ERROR;
1499 }
1500 }
1501
1502 #if defined(HAVE_SETSOCKOPT) && (defined(TCP_NODELAY) || defined(WIN32))
1503 { /* Disable the Nagle algorithm. */
1504 int flag = 1;
1505 setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &flag, sizeof flag);
1506 }
1507 #endif
1508
1509 ret = connect_socket(sock, fd, addr, htons(port));
1510 if (ret == 0)
1511 sock->fd = fd;
1512 else
1513 ne_close(fd);
1514
1515 return ret;
1516 }
1517
ne_sock_peer(ne_socket * sock,unsigned int * port)1518 ne_inet_addr *ne_sock_peer(ne_socket *sock, unsigned int *port)
1519 {
1520 union saun {
1521 struct sockaddr sa;
1522 struct sockaddr_in sin;
1523 #if defined(USE_GETADDRINFO) && defined(AF_INET6)
1524 struct sockaddr_in6 sin6;
1525 #endif
1526 } saun;
1527 socklen_t len = sizeof saun;
1528 ne_inet_addr *ia;
1529 struct sockaddr *sad = (struct sockaddr *)&saun;
1530
1531 if (getpeername(sock->fd, sad, &len) != 0) {
1532 set_strerror(sock, errno);
1533 return NULL;
1534 }
1535
1536 #if !defined(USE_GETADDRINFO) || !defined(AF_INET6)
1537 if (sad->sa_family != AF_INET) {
1538 set_error(sock, _("Socket family not supported"));
1539 return NULL;
1540 }
1541 #endif
1542
1543 ia = ne_calloc(sizeof *ia);
1544 #ifdef USE_GETADDRINFO
1545 ia->ai_addr = ne_malloc(sizeof *ia);
1546 ia->ai_addrlen = len;
1547 memcpy(ia->ai_addr, sad, len);
1548 ia->ai_family = saun.sa.sa_family;
1549 #else
1550 memcpy(ia, &saun.sin.sin_addr.s_addr, sizeof *ia);
1551 #endif
1552
1553 #if defined(USE_GETADDRINFO) && defined(AF_INET6)
1554 *port = ntohs(saun.sa.sa_family == AF_INET ?
1555 saun.sin.sin_port : saun.sin6.sin6_port);
1556 #else
1557 *port = ntohs(saun.sin.sin_port);
1558 #endif
1559
1560 return ia;
1561 }
1562
ne_iaddr_make(ne_iaddr_type type,const unsigned char * raw)1563 ne_inet_addr *ne_iaddr_make(ne_iaddr_type type, const unsigned char *raw)
1564 {
1565 ne_inet_addr *ia;
1566 #if !defined(AF_INET6) || !defined(USE_GETADDRINFO)
1567 /* fail if IPv6 address is given if IPv6 is not supported. */
1568 if (type == ne_iaddr_ipv6)
1569 return NULL;
1570 #endif
1571 ia = ne_calloc(sizeof *ia);
1572 #ifdef USE_GETADDRINFO
1573 /* ai_protocol and ai_socktype aren't used by connect_socket() so
1574 * ignore them here. (for now) */
1575 if (type == ne_iaddr_ipv4) {
1576 struct sockaddr_in *in4 = ne_calloc(sizeof *in4);
1577 ia->ai_family = AF_INET;
1578 ia->ai_addr = (struct sockaddr *)in4;
1579 ia->ai_addrlen = sizeof *in4;
1580 in4->sin_family = AF_INET;
1581 memcpy(&in4->sin_addr.s_addr, raw, sizeof in4->sin_addr.s_addr);
1582 }
1583 #ifdef AF_INET6
1584 else {
1585 struct sockaddr_in6 *in6 = ne_calloc(sizeof *in6);
1586 ia->ai_family = AF_INET6;
1587 ia->ai_addr = (struct sockaddr *)in6;
1588 ia->ai_addrlen = sizeof *in6;
1589 in6->sin6_family = AF_INET6;
1590 memcpy(&in6->sin6_addr, raw, sizeof in6->sin6_addr.s6_addr);
1591 }
1592 #endif
1593 #else /* !USE_GETADDRINFO */
1594 memcpy(&ia->s_addr, raw, sizeof ia->s_addr);
1595 #endif
1596 return ia;
1597 }
1598
ne_iaddr_typeof(const ne_inet_addr * ia)1599 ne_iaddr_type ne_iaddr_typeof(const ne_inet_addr *ia)
1600 {
1601 #if defined(USE_GETADDRINFO) && defined(AF_INET6)
1602 return ia->ai_family == AF_INET6 ? ne_iaddr_ipv6 : ne_iaddr_ipv4;
1603 #else
1604 return ne_iaddr_ipv4;
1605 #endif
1606 }
1607
ne_iaddr_cmp(const ne_inet_addr * i1,const ne_inet_addr * i2)1608 int ne_iaddr_cmp(const ne_inet_addr *i1, const ne_inet_addr *i2)
1609 {
1610 #ifdef USE_GETADDRINFO
1611 if (i1->ai_family != i2->ai_family)
1612 return i2->ai_family - i1->ai_family;
1613 if (i1->ai_family == AF_INET) {
1614 struct sockaddr_in *in1 = SACAST(in, i1->ai_addr),
1615 *in2 = SACAST(in, i2->ai_addr);
1616 return memcmp(&in1->sin_addr.s_addr, &in2->sin_addr.s_addr,
1617 sizeof in1->sin_addr.s_addr);
1618 }
1619 #ifdef AF_INET6
1620 else if (i1->ai_family == AF_INET6) {
1621 struct sockaddr_in6 *in1 = SACAST(in6, i1->ai_addr),
1622 *in2 = SACAST(in6, i2->ai_addr);
1623 return memcmp(in1->sin6_addr.s6_addr, in2->sin6_addr.s6_addr,
1624 sizeof in1->sin6_addr.s6_addr);
1625 }
1626 #endif /* AF_INET6 */
1627 else
1628 return -1;
1629 #else
1630 return memcmp(&i1->s_addr, &i2->s_addr, sizeof i1->s_addr);
1631 #endif /* USE_GETADDRINFO */
1632 }
1633
ne_iaddr_free(ne_inet_addr * addr)1634 void ne_iaddr_free(ne_inet_addr *addr)
1635 {
1636 #ifdef USE_GETADDRINFO
1637 ne_free(addr->ai_addr);
1638 #endif
1639 ne_free(addr);
1640 }
1641
ne_sock_accept(ne_socket * sock,int listener)1642 int ne_sock_accept(ne_socket *sock, int listener)
1643 {
1644 int fd = accept(listener, NULL, NULL);
1645
1646 if (fd < 0)
1647 return -1;
1648
1649 sock->fd = fd;
1650 return 0;
1651 }
1652
ne_sock_fd(const ne_socket * sock)1653 int ne_sock_fd(const ne_socket *sock)
1654 {
1655 return sock->fd;
1656 }
1657
ne_sock_read_timeout(ne_socket * sock,int timeout)1658 void ne_sock_read_timeout(ne_socket *sock, int timeout)
1659 {
1660 sock->rdtimeout = timeout;
1661 }
1662
ne_sock_connect_timeout(ne_socket * sock,int timeout)1663 void ne_sock_connect_timeout(ne_socket *sock, int timeout)
1664 {
1665 sock->cotimeout = timeout;
1666 }
1667
1668 #ifdef NE_HAVE_SSL
1669
1670 #ifdef HAVE_GNUTLS
1671 /* Dumb server session cache implementation for GNUTLS; holds a single
1672 * session. */
1673
1674 /* Copy datum 'src' to 'dest'. */
copy_datum(gnutls_datum * dest,gnutls_datum * src)1675 static void copy_datum(gnutls_datum *dest, gnutls_datum *src)
1676 {
1677 dest->size = src->size;
1678 dest->data = memcpy(gnutls_malloc(src->size), src->data, src->size);
1679 }
1680
1681 /* Callback to store a session 'data' with id 'key'. */
store_sess(void * userdata,gnutls_datum key,gnutls_datum data)1682 static int store_sess(void *userdata, gnutls_datum key, gnutls_datum data)
1683 {
1684 ne_ssl_context *ctx = userdata;
1685
1686 if (ctx->cache.server.key.data) {
1687 gnutls_free(ctx->cache.server.key.data);
1688 gnutls_free(ctx->cache.server.data.data);
1689 }
1690
1691 copy_datum(&ctx->cache.server.key, &key);
1692 copy_datum(&ctx->cache.server.data, &data);
1693
1694 return 0;
1695 }
1696
1697 /* Returns non-zero if d1 and d2 are the same datum. */
match_datum(gnutls_datum * d1,gnutls_datum * d2)1698 static int match_datum(gnutls_datum *d1, gnutls_datum *d2)
1699 {
1700 return d1->size == d2->size
1701 && memcmp(d1->data, d2->data, d1->size) == 0;
1702 }
1703
1704 /* Callback to retrieve a session of id 'key'. */
retrieve_sess(void * userdata,gnutls_datum key)1705 static gnutls_datum retrieve_sess(void *userdata, gnutls_datum key)
1706 {
1707 ne_ssl_context *ctx = userdata;
1708 gnutls_datum ret = { NULL, 0 };
1709
1710 if (match_datum(&ctx->cache.server.key, &key)) {
1711 copy_datum(&ret, &ctx->cache.server.data);
1712 }
1713
1714 return ret;
1715 }
1716
1717 /* Callback to remove a session of id 'key'; stub needed but
1718 * implementation seems unnecessary. */
remove_sess(void * userdata,gnutls_datum key)1719 static int remove_sess(void *userdata, gnutls_datum key)
1720 {
1721 return -1;
1722 }
1723 #endif
1724
ne_sock_accept_ssl(ne_socket * sock,ne_ssl_context * ctx)1725 int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx)
1726 {
1727 int ret;
1728 ne_ssl_socket ssl;
1729
1730 #if defined(HAVE_OPENSSL)
1731 ssl = SSL_new(ctx->ctx);
1732
1733 SSL_set_fd(ssl, sock->fd);
1734
1735 sock->ssl = ssl;
1736 ret = SSL_accept(ssl);
1737 if (ret != 1) {
1738 return error_ossl(sock, ret);
1739 }
1740
1741 if (SSL_session_reused(ssl)) {
1742 NE_DEBUG(NE_DBG_SSL, "ssl: Server reused session.");
1743 }
1744 #elif defined(HAVE_GNUTLS)
1745 gnutls_init(&ssl, GNUTLS_SERVER);
1746 gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
1747 gnutls_set_default_priority(ssl);
1748
1749 /* Set up dummy session cache. */
1750 gnutls_db_set_store_function(ssl, store_sess);
1751 gnutls_db_set_retrieve_function(ssl, retrieve_sess);
1752 gnutls_db_set_remove_function(ssl, remove_sess);
1753 gnutls_db_set_ptr(ssl, ctx);
1754
1755 if (ctx->verify)
1756 gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
1757
1758 sock->ssl = ssl;
1759 gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr)(long)sock->fd);
1760 ret = gnutls_handshake(ssl);
1761 if (ret < 0) {
1762 return error_gnutls(sock, ret);
1763 }
1764 if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
1765 set_error(sock, _("Client certificate verification failed"));
1766 return NE_SOCK_ERROR;
1767 }
1768 #endif
1769 sock->ops = &iofns_ssl;
1770 return 0;
1771 }
1772
ne_sock_connect_ssl(ne_socket * sock,ne_ssl_context * ctx,void * userdata)1773 int ne_sock_connect_ssl(ne_socket *sock, ne_ssl_context *ctx, void *userdata)
1774 {
1775 int ret = -1;
1776
1777 #if defined(HAVE_OPENSSL)
1778 SSL *ssl;
1779
1780 if (seed_ssl_prng()) {
1781 set_error(sock, _("SSL disabled due to lack of entropy"));
1782 return NE_SOCK_ERROR;
1783 }
1784
1785 /* If runtime library version differs from compile-time version
1786 * number in major/minor/fix level, abort soon. */
1787 // disabled -> harmfull in case of version mismatch
1788 /* if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & 0xFFFFF000) {
1789 set_error(sock, _("SSL disabled due to library version mismatch"));
1790 return NE_SOCK_ERROR;
1791 }*/
1792
1793 sock->ssl = ssl = SSL_new(ctx->ctx);
1794 if (!ssl) {
1795 set_error(sock, _("Could not create SSL structure"));
1796 return NE_SOCK_ERROR;
1797 }
1798
1799 // check sock->fd, if it's blocking set to non-blocking just for SSL_conect
1800 long old_flags, new_flags = 0;
1801 time_t timeout;
1802
1803 if (sock->cotimeout)
1804 timeout = time(0) + sock->cotimeout;
1805
1806 // keep the old flags so we can reset them later
1807 new_flags = old_flags = fcntl(sock->fd, F_GETFL);
1808
1809 if(!(new_flags & O_NONBLOCK)){
1810 new_flags |= O_NONBLOCK;
1811
1812 if(fcntl(sock->fd, F_SETFL, new_flags) == -1){
1813 set_strerror(sock, errno);
1814 return NE_SOCK_ERROR;
1815 }
1816 }
1817
1818 SSL_set_app_data(ssl, userdata);
1819 SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1820 SSL_set_fd(ssl, sock->fd);
1821 sock->ops = &iofns_ssl;
1822
1823 #ifdef SSL_set_tlsext_host_name
1824 if (ctx->hostname) {
1825 /* Try to enable SNI, but ignore failure (should only fail for
1826 * >255 char hostnames, which are probably not legal
1827 * anyway). */
1828 if (SSL_set_tlsext_host_name(ssl, ctx->hostname) != 1) {
1829 ERR_clear_error();
1830 }
1831 }
1832 #endif
1833
1834
1835
1836 if (ctx->sess)
1837 SSL_set_session(ssl, ctx->sess);
1838 /*
1839 ret = SSL_connect(ssl);
1840 if (ret != 1) {
1841 error_ossl(sock, ret);
1842 SSL_free(ssl);
1843 sock->ssl = NULL;
1844 return NE_SOCK_ERROR;
1845 }
1846 */
1847
1848 // non-blocking SSL handshake
1849 #ifdef NE_USE_POLL
1850 int polltimeout = 1000;
1851 #else
1852 struct timeval tv;
1853 #endif
1854
1855 while((ret = SSL_connect(ssl)) != 1){
1856 #ifdef NE_USE_POLL
1857 struct pollfd pfd;
1858 pfd.fd = sock->fd;
1859 #else
1860 fd_set fds;
1861 FD_ZERO(&fds);
1862 FD_SET(sock->fd, &fds);
1863
1864 tv.tv_sec = 1;
1865 tv.tv_usec = 0;
1866 #endif
1867
1868 switch(SSL_get_error(ssl, ret)){
1869 #ifdef NE_USE_POLL
1870 case SSL_ERROR_WANT_WRITE:
1871 pfd.events = POLLOUT;
1872 poll(&pfd, 1, polltimeout);
1873 break;
1874
1875 case SSL_ERROR_WANT_READ:
1876 pfd.events = POLLIN;
1877 poll(&pfd, 1, polltimeout);
1878 break;
1879
1880 case SSL_ERROR_WANT_X509_LOOKUP:
1881 pfd.events = POLLIN | POLLOUT;
1882 poll(&pfd, 1, polltimeout);
1883 break;
1884 #else
1885 case SSL_ERROR_WANT_WRITE:
1886 select(sock->fd +1, NULL, &fds, NULL, &tv);
1887 break;
1888
1889 case SSL_ERROR_WANT_READ:
1890 select(sock->fd +1, &fds, NULL, NULL, &tv);
1891 break;
1892
1893 case SSL_ERROR_WANT_X509_LOOKUP:
1894 select(sock->fd +1, &fds, &fds, NULL, &tv);
1895 break;
1896 #endif
1897
1898 case SSL_ERROR_NONE:
1899 case SSL_ERROR_ZERO_RETURN:
1900 case SSL_ERROR_WANT_CONNECT:
1901 case SSL_ERROR_WANT_ACCEPT:
1902 case SSL_ERROR_SYSCALL:
1903 break;
1904 case SSL_ERROR_SSL:{
1905 int ssl_err_code = ERR_get_error();
1906 const char* ssl_err_message = ERR_reason_error_string(ssl_err_code);
1907 ERR_clear_error();
1908 set_error(sock, _(ssl_err_message));
1909 return NE_SOCK_ERROR;
1910 }
1911
1912 default:
1913 set_error(sock, _("Unknown error during SSL handshake"));
1914 return NE_SOCK_ERROR;
1915 }
1916
1917 if(time(0) > timeout){
1918 error_ossl(sock, ret);
1919 SSL_free(ssl);
1920 sock->ssl = NULL;
1921 set_error(sock, _("Connection timed out during SSL handshake"));
1922 return NE_SOCK_ERROR;
1923 }
1924 }
1925
1926 // reset flags if needed
1927 if(new_flags != old_flags){
1928 if(fcntl(sock->fd, F_SETFL, old_flags) == -1){
1929 set_strerror(sock, errno);
1930 return NE_SOCK_ERROR;
1931 }
1932 }
1933
1934 #elif defined(HAVE_GNUTLS)
1935 /* DH and RSA params are set in ne_ssl_context_create */
1936 gnutls_init(&sock->ssl, GNUTLS_CLIENT);
1937 gnutls_set_default_priority(sock->ssl);
1938 gnutls_session_set_ptr(sock->ssl, userdata);
1939 gnutls_credentials_set(sock->ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
1940
1941 #ifdef HAVE_GNUTLS_SIGN_CALLBACK_SET
1942 if (ctx->sign_func)
1943 gnutls_sign_callback_set(sock->ssl, ctx->sign_func, ctx->sign_data);
1944 #endif
1945
1946 if (ctx->hostname) {
1947 gnutls_server_name_set(sock->ssl, GNUTLS_NAME_DNS, ctx->hostname,
1948 strlen(ctx->hostname));
1949 }
1950
1951 gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr)(long)sock->fd);
1952
1953 if (ctx->cache.client.data) {
1954 #if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
1955 gnutls_session_set_data(sock->ssl,
1956 ctx->cache.client.data,
1957 ctx->cache.client.size);
1958 #else
1959 gnutls_session_set_data(sock->ssl,
1960 ctx->cache.client.data,
1961 ctx->cache.client.len);
1962 #endif
1963 }
1964 sock->ops = &iofns_ssl;
1965
1966 do {
1967 ret = gnutls_handshake(sock->ssl);
1968 } while (RETRY_GNUTLS(sock, ret));
1969 if (ret < 0) {
1970 error_gnutls(sock, ret);
1971 return NE_SOCK_ERROR;
1972 }
1973
1974 if (!gnutls_session_is_resumed(sock->ssl)) {
1975 /* New session. The old method of using the _get_data
1976 * function seems to be broken with 1.3.0 and later*/
1977 #if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
1978 gnutls_session_get_data2(sock->ssl, &ctx->cache.client);
1979 #else
1980 ctx->cache.client.len = 0;
1981 if (gnutls_session_get_data(sock->ssl, NULL,
1982 &ctx->cache.client.len) == 0) {
1983 ctx->cache.client.data = ne_malloc(ctx->cache.client.len);
1984 gnutls_session_get_data(sock->ssl, ctx->cache.client.data,
1985 &ctx->cache.client.len);
1986 }
1987 #endif
1988 }
1989 #endif
1990 return 0;
1991 }
1992
ne__sock_sslsock(ne_socket * sock)1993 ne_ssl_socket ne__sock_sslsock(ne_socket *sock)
1994 {
1995 return sock->ssl;
1996 }
1997
1998 #endif
1999
ne_sock_sessid(ne_socket * sock,unsigned char * buf,size_t * buflen)2000 int ne_sock_sessid(ne_socket *sock, unsigned char *buf, size_t *buflen)
2001 {
2002 #ifdef NE_HAVE_SSL
2003 #ifdef HAVE_GNUTLS
2004 if (sock->ssl) {
2005 return gnutls_session_get_id(sock->ssl, buf, buflen);
2006 } else {
2007 return -1;
2008 }
2009 #else
2010 SSL_SESSION *sess;
2011
2012 if (!sock->ssl) {
2013 return -1;
2014 }
2015
2016 sess = SSL_get0_session(sock->ssl);
2017
2018 if (!buf) {
2019 SSL_SESSION_get_id(sess, buflen);
2020 return 0;
2021 }
2022
2023 unsigned int session_id_length;
2024 const unsigned char* session_id = SSL_SESSION_get_id(sess, &session_id_length);
2025
2026 if (*buflen < session_id_length) {
2027 return -1;
2028 }
2029
2030 *buflen = session_id_length;
2031 memcpy(buf, session_id, *buflen);
2032 return 0;
2033 #endif
2034 #else
2035 return -1;
2036 #endif
2037 }
2038
ne_sock_cipher(ne_socket * sock)2039 char *ne_sock_cipher(ne_socket *sock)
2040 {
2041 #ifdef NE_HAVE_SSL
2042 if (sock->ssl) {
2043 #ifdef HAVE_OPENSSL
2044 const char *name = SSL_get_cipher(sock->ssl);
2045 return ne_strdup(name);
2046 #elif defined(HAVE_GNUTLS)
2047 const char *name = gnutls_cipher_get_name(gnutls_cipher_get(sock->ssl));
2048 return ne_strdup(name);
2049 #endif
2050 }
2051 else
2052 #endif /* NE_HAVE_SSL */
2053 {
2054 return NULL;
2055 }
2056 }
2057
ne_sock_error(const ne_socket * sock)2058 const char *ne_sock_error(const ne_socket *sock)
2059 {
2060 return sock->error;
2061 }
2062
ne_sock_set_error(ne_socket * sock,const char * format,...)2063 void ne_sock_set_error(ne_socket *sock, const char *format, ...)
2064 {
2065 va_list params;
2066
2067 va_start(params, format);
2068 ne_vsnprintf(sock->error, sizeof sock->error, format, params);
2069 va_end(params);
2070 }
2071
ne_sock_close(ne_socket * sock)2072 int ne_sock_close(ne_socket *sock)
2073 {
2074 int ret;
2075
2076 /* Per API description - for an SSL connection, simply send the
2077 * close_notify but do not wait for the peer's response. */
2078 #if defined(HAVE_OPENSSL)
2079 if (sock->ssl) {
2080 SSL_shutdown(sock->ssl);
2081 SSL_free(sock->ssl);
2082 }
2083 #elif defined(HAVE_GNUTLS)
2084 if (sock->ssl) {
2085 do {
2086 ret = gnutls_bye(sock->ssl, GNUTLS_SHUT_WR);
2087 } while (ret < 0
2088 && (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN));
2089 gnutls_deinit(sock->ssl);
2090 }
2091 #endif
2092
2093 if (sock->fd < 0)
2094 ret = 0;
2095 else
2096 ret = ne_close(sock->fd);
2097 ne_free(sock);
2098 return ret;
2099 }
2100