]> The Tcpdump Group git mirrors - libpcap/blob - sslutils.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
sslutils: handle routines removed in at least some OpenSSL libraries.
[libpcap] / sslutils.c
1 /*
2 * Copyright (c) 2002 - 2003
3 * NetGroup, Politecnico di Torino (Italy)
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 *
31 */
32
33 #ifdef HAVE_CONFIG_H
34 #include <config.h>
35 #endif
36
37 #ifdef HAVE_OPENSSL
38 #include <stdlib.h>
39
40 #include "portability.h"
41
42 #include "sslutils.h"
43
44 static const char *ssl_keyfile = ""; //!< file containing the private key in PEM format
45 static const char *ssl_certfile = ""; //!< file containing the server's certificate in PEM format
46 static const char *ssl_rootfile = ""; //!< file containing the list of CAs trusted by the client
47 // TODO: a way to set ssl_rootfile from the command line, or an envvar?
48
49 // TODO: lock?
50 static SSL_CTX *ctx;
51
52 void ssl_set_certfile(const char *certfile)
53 {
54 ssl_certfile = certfile;
55 }
56
57 void ssl_set_keyfile(const char *keyfile)
58 {
59 ssl_keyfile = keyfile;
60 }
61
62 int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t errbuflen)
63 {
64 static int inited = 0;
65 if (inited) return 0;
66
67 /*
68 * Avoid deprecated routines, even if they're still documented,
69 * as random versions of OpenSSL might not make them available.
70 * XXX - what's the minimum OpenSSL version we should support?
71 * And what about libressl?
72 */
73 #if defined(OPENSSL_VERSION_NUMBER) >= 0x10100000L
74 /* 1.1.0 or later */
75 OPENSSL_init_ssl(0, NULL);
76 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
77 #else
78 SSL_library_init();
79 SSL_load_error_strings();
80 #endif
81 OpenSSL_add_ssl_algorithms();
82 if (enable_compression)
83 SSL_COMP_get_compression_methods();
84
85 #if defined(OPENSSL_VERSION_NUMBER) >= 0x10100000L
86 /* 1.1.0 or later */
87 SSL_METHOD const *meth =
88 is_server ? TLS_server_method() : TLS_client_method();
89 #else
90 SSL_METHOD const *meth =
91 is_server ? SSLv23_server_method() : SSLv23_client_method();
92 #endif
93 ctx = SSL_CTX_new(meth);
94 if (! ctx)
95 {
96 snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
97 goto die;
98 }
99
100 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
101
102 if (is_server)
103 {
104 char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem";
105 if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM))
106 {
107 snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL));
108 goto die;
109 }
110
111 char const *keyfile = ssl_keyfile[0] ? ssl_keyfile : "key.pem";
112 if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM))
113 {
114 snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
115 goto die;
116 }
117 }
118 else
119 {
120 if (ssl_rootfile[0])
121 {
122 if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0))
123 {
124 snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
125 goto die;
126 }
127 }
128 else
129 {
130 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
131 }
132 }
133
134 #if 0
135 if (! RAND_load_file(RANDOM, 1024*1024))
136 {
137 snprintf(errbuf, errbuflen, "Cannot init random");
138 goto die;
139 }
140
141 if (is_server)
142 {
143 SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context, sizeof(s_server_session_id_context));
144 }
145 #endif
146
147 inited = 1;
148 return 0;
149
150 die:
151 return -1;
152 }
153
154 SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen)
155 {
156 if (ssl_init_once(is_server, 1, errbuf, errbuflen) < 0) {
157 return NULL;
158 }
159
160 SSL *ssl = SSL_new(ctx); // TODO: also a DTLS context
161 SSL_set_fd(ssl, (int)s);
162
163 if (is_server) {
164 if (SSL_accept(ssl) <= 0) {
165 snprintf(errbuf, errbuflen, "SSL_accept(): %s",
166 ERR_error_string(ERR_get_error(), NULL));
167 return NULL;
168 }
169 } else {
170 if (SSL_connect(ssl) <= 0) {
171 snprintf(errbuf, errbuflen, "SSL_connect(): %s",
172 ERR_error_string(ERR_get_error(), NULL));
173 return NULL;
174 }
175 }
176
177 return ssl;
178 }
179
180 // Finish using an SSL handle; shut down the connection and free the
181 // handle.
182 void ssl_finish(SSL *ssl)
183 {
184 //
185 // We won't be using this again, so we can just send the
186 // shutdown alert and free up the handle, and have our
187 // caller close the socket.
188 //
189 // XXX - presumably, if the connection is shut down on
190 // our side, either our peer won't have a problem sending
191 // their shutdown alert or will not treat such a problem
192 // as an error. If this causes errors to be reported,
193 // fix that as appropriate.
194 //
195 SSL_shutdown(ssl);
196 SSL_free(ssl);
197 }
198
199 // Same return value as sock_send:
200 // 0 on OK, -1 on error but closed connection (-2).
201 int ssl_send(SSL *ssl, char const *buffer, int size, char *errbuf, size_t errbuflen)
202 {
203 int status = SSL_write(ssl, buffer, size);
204 if (status > 0)
205 {
206 // "SSL_write() will only return with success, when the complete contents (...) has been written."
207 return 0;
208 }
209 else
210 {
211 int ssl_err = SSL_get_error(ssl, status); // TODO: does it pop the error?
212 if (ssl_err == SSL_ERROR_ZERO_RETURN)
213 {
214 return -2;
215 }
216 else if (ssl_err == SSL_ERROR_SYSCALL)
217 {
218 #ifndef _WIN32
219 if (errno == ECONNRESET || errno == EPIPE) return -2;
220 #endif
221 }
222 snprintf(errbuf, errbuflen, "SSL_write(): %s",
223 ERR_error_string(ERR_get_error(), NULL));
224 return -1;
225 }
226 }
227
228 // Returns the number of bytes read, or -1 on syserror, or -2 on SSL error.
229 int ssl_recv(SSL *ssl, char *buffer, int size, char *errbuf, size_t errbuflen)
230 {
231 int status = SSL_read(ssl, buffer, size);
232 if (status <= 0)
233 {
234 int ssl_err = SSL_get_error(ssl, status);
235 if (ssl_err == SSL_ERROR_ZERO_RETURN)
236 {
237 return 0;
238 }
239 else if (ssl_err == SSL_ERROR_SYSCALL)
240 {
241 return -1;
242 }
243 else
244 {
245 // Should not happen
246 snprintf(errbuf, errbuflen, "SSL_read(): %s",
247 ERR_error_string(ERR_get_error(), NULL));
248 return -2;
249 }
250 }
251 else
252 {
253 return status;
254 }
255 }
256
257 #endif // HAVE_OPENSSL
[mirror] the LIBpcap interface to various kernel packet capture mechanism