1 /* $NetBSD: ssl-bozo.c,v 1.13 2011/11/18 09:51:31 mrg Exp $ */ 2 3 /* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */ 4 5 /* 6 * Copyright (c) 1997-2011 Matthew R. Green 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer and 16 * dedication in the documentation and/or other materials provided 17 * with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 26 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 */ 32 33 /* this code implements SSL for bozohttpd */ 34 35 #include <stdarg.h> 36 #include <stdio.h> 37 #include <syslog.h> 38 #include <unistd.h> 39 40 #include "bozohttpd.h" 41 42 #ifndef NO_SSL_SUPPORT 43 44 #include <openssl/ssl.h> 45 #include <openssl/err.h> 46 47 #ifndef USE_ARG 48 #define USE_ARG(x) /*LINTED*/(void)&(x) 49 #endif 50 51 /* this structure encapsulates the ssl info */ 52 typedef struct sslinfo_t { 53 SSL_CTX *ssl_context; 54 const SSL_METHOD *ssl_method; 55 SSL *bozossl; 56 char *certificate_file; 57 char *privatekey_file; 58 } sslinfo_t; 59 60 /* 61 * bozo_ssl_err 62 * 63 * bozo_ssl_err works just like bozo_err except in addition to printing 64 * the error provided by the caller at the point of error it pops and 65 * prints all errors from the SSL error queue. 66 */ 67 BOZO_DEAD static void 68 bozo_ssl_err(bozohttpd_t *httpd, int code, const char *fmt, ...) 69 { 70 va_list ap; 71 72 va_start(ap, fmt); 73 if (httpd->logstderr || isatty(STDERR_FILENO)) { 74 vfprintf(stderr, fmt, ap); 75 fputs("\n", stderr); 76 } else 77 vsyslog(LOG_ERR, fmt, ap); 78 va_end(ap); 79 80 unsigned int sslcode = ERR_get_error(); 81 do { 82 static const char sslfmt[] = "SSL Error: %s:%s:%s"; 83 84 if (httpd->logstderr || isatty(STDERR_FILENO)) { 85 fprintf(stderr, sslfmt, 86 ERR_lib_error_string(sslcode), 87 ERR_func_error_string(sslcode), 88 ERR_reason_error_string(sslcode)); 89 } else { 90 syslog(LOG_ERR, sslfmt, 91 ERR_lib_error_string(sslcode), 92 ERR_func_error_string(sslcode), 93 ERR_reason_error_string(sslcode)); 94 } 95 } while (0 != (sslcode = ERR_get_error())); 96 exit(code); 97 } 98 99 static int 100 bozo_ssl_printf(bozohttpd_t *httpd, const char * fmt, va_list ap) 101 { 102 sslinfo_t *sslinfo; 103 char *buf; 104 int nbytes; 105 106 sslinfo = httpd->sslinfo; 107 /* XXX we need more elegant/proper handling of SSL_write return */ 108 if ((nbytes = vasprintf(&buf, fmt, ap)) != -1) 109 SSL_write(sslinfo->bozossl, buf, nbytes); 110 111 free(buf); 112 113 return nbytes; 114 } 115 116 static ssize_t 117 bozo_ssl_read(bozohttpd_t *httpd, int fd, void *buf, size_t nbytes) 118 { 119 sslinfo_t *sslinfo; 120 ssize_t rbytes; 121 122 USE_ARG(fd); 123 sslinfo = httpd->sslinfo; 124 /* XXX we need elegant/proper handling of SSL_read return */ 125 rbytes = (ssize_t)SSL_read(sslinfo->bozossl, buf, (int)nbytes); 126 if (rbytes < 1) { 127 if (SSL_get_error(sslinfo->bozossl, rbytes) == 128 SSL_ERROR_WANT_READ) 129 bozo_warn(httpd, "SSL_ERROR_WANT_READ"); 130 else 131 bozo_warn(httpd, "SSL_ERROR OTHER"); 132 } 133 134 return rbytes; 135 } 136 137 static ssize_t 138 bozo_ssl_write(bozohttpd_t *httpd, int fd, const void *buf, size_t nbytes) 139 { 140 sslinfo_t *sslinfo; 141 ssize_t wbytes; 142 143 USE_ARG(fd); 144 sslinfo = httpd->sslinfo; 145 /* XXX we need elegant/proper handling of SSL_write return */ 146 wbytes = (ssize_t)SSL_write(sslinfo->bozossl, buf, (int)nbytes); 147 148 return wbytes; 149 } 150 151 static int 152 bozo_ssl_flush(bozohttpd_t *httpd, FILE *fp) 153 { 154 USE_ARG(httpd); 155 USE_ARG(fp); 156 /* nothing to see here, move right along */ 157 return 0; 158 } 159 160 void 161 bozo_ssl_init(bozohttpd_t *httpd) 162 { 163 sslinfo_t *sslinfo; 164 165 sslinfo = httpd->sslinfo; 166 if (sslinfo == NULL || !sslinfo->certificate_file) 167 return; 168 SSL_library_init(); 169 SSL_load_error_strings(); 170 171 sslinfo->ssl_method = SSLv23_server_method(); 172 sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method); 173 174 /* XXX we need to learn how to check the SSL stack for more info */ 175 if (NULL == sslinfo->ssl_context) 176 bozo_ssl_err(httpd, EXIT_FAILURE, 177 "SSL context creation failed"); 178 179 if (1 != SSL_CTX_use_certificate_file(sslinfo->ssl_context, 180 sslinfo->certificate_file, SSL_FILETYPE_PEM)) 181 bozo_ssl_err(httpd, EXIT_FAILURE, 182 "Unable to use certificate file '%s'", 183 sslinfo->certificate_file); 184 185 if (1 != SSL_CTX_use_PrivateKey_file(sslinfo->ssl_context, 186 sslinfo->privatekey_file, SSL_FILETYPE_PEM)) 187 bozo_ssl_err(httpd, EXIT_FAILURE, 188 "Unable to use private key file '%s'", 189 sslinfo->privatekey_file); 190 191 /* check consistency of key vs certificate */ 192 if (!SSL_CTX_check_private_key(sslinfo->ssl_context)) 193 bozo_ssl_err(httpd, EXIT_FAILURE, 194 "Check private key failed"); 195 } 196 197 void 198 bozo_ssl_accept(bozohttpd_t *httpd) 199 { 200 sslinfo_t *sslinfo; 201 202 sslinfo = httpd->sslinfo; 203 if (sslinfo != NULL && sslinfo->ssl_context) { 204 sslinfo->bozossl = SSL_new(sslinfo->ssl_context); 205 SSL_set_rfd(sslinfo->bozossl, 0); 206 SSL_set_wfd(sslinfo->bozossl, 1); 207 SSL_accept(sslinfo->bozossl); 208 } 209 } 210 211 void 212 bozo_ssl_destroy(bozohttpd_t *httpd) 213 { 214 sslinfo_t *sslinfo; 215 216 sslinfo = httpd->sslinfo; 217 if (sslinfo && sslinfo->bozossl) 218 SSL_free(sslinfo->bozossl); 219 } 220 221 void 222 bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv) 223 { 224 sslinfo_t *sslinfo; 225 226 if ((sslinfo = httpd->sslinfo) == NULL) { 227 sslinfo = bozomalloc(httpd, sizeof(*sslinfo)); 228 if (sslinfo == NULL) { 229 bozo_err(httpd, 1, "sslinfo allocation failed"); 230 } 231 httpd->sslinfo = sslinfo; 232 } 233 sslinfo->certificate_file = strdup(cert); 234 sslinfo->privatekey_file = strdup(priv); 235 debug((httpd, DEBUG_NORMAL, "using cert/priv files: %s & %s", 236 sslinfo->certificate_file, 237 sslinfo->privatekey_file)); 238 if (!httpd->bindport) { 239 httpd->bindport = strdup("https"); 240 } 241 } 242 243 #endif /* NO_SSL_SUPPORT */ 244 245 int 246 bozo_printf(bozohttpd_t *httpd, const char *fmt, ...) 247 { 248 va_list args; 249 int cc; 250 251 va_start(args, fmt); 252 #ifndef NO_SSL_SUPPORT 253 if (httpd->sslinfo) { 254 cc = bozo_ssl_printf(httpd, fmt, args); 255 va_end(args); 256 return cc; 257 } 258 #endif 259 cc = vprintf(fmt, args); 260 va_end(args); 261 return cc; 262 } 263 264 ssize_t 265 bozo_read(bozohttpd_t *httpd, int fd, void *buf, size_t len) 266 { 267 #ifndef NO_SSL_SUPPORT 268 if (httpd->sslinfo) { 269 return bozo_ssl_read(httpd, fd, buf, len); 270 } 271 #endif 272 return read(fd, buf, len); 273 } 274 275 ssize_t 276 bozo_write(bozohttpd_t *httpd, int fd, const void *buf, size_t len) 277 { 278 #ifndef NO_SSL_SUPPORT 279 if (httpd->sslinfo) { 280 return bozo_ssl_write(httpd, fd, buf, len); 281 } 282 #endif 283 return write(fd, buf, len); 284 } 285 286 int 287 bozo_flush(bozohttpd_t *httpd, FILE *fp) 288 { 289 #ifndef NO_SSL_SUPPORT 290 if (httpd->sslinfo) { 291 return bozo_ssl_flush(httpd, fp); 292 } 293 #endif 294 return fflush(fp); 295 } 296