*
*/
-#ifdef HAVE_CONFIG_H
#include <config.h>
-#endif
#ifdef HAVE_OPENSSL
#include <stdlib.h>
#include "portability.h"
+
#include "sslutils.h"
-#include "pcap/pcap.h"
-int uses_ssl; //!< '1' to use TLS over the data socket
-char ssl_keyfile[PATH_MAX]; //!< file containing the private key in PEM format
-char ssl_certfile[PATH_MAX]; //!< file containing the server's certificate in PEM format
-char ssl_rootfile[PATH_MAX]; //!< file containing the list of CAs trusted by the client
+static const char *ssl_keyfile = ""; //!< file containing the private key in PEM format
+static const char *ssl_certfile = ""; //!< file containing the server's certificate in PEM format
+static const char *ssl_rootfile = ""; //!< file containing the list of CAs trusted by the client
// TODO: a way to set ssl_rootfile from the command line, or an envvar?
// TODO: lock?
static SSL_CTX *ctx;
-static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen)
+void ssl_set_certfile(const char *certfile)
+{
+ ssl_certfile = certfile;
+}
+
+void ssl_set_keyfile(const char *keyfile)
+{
+ ssl_keyfile = keyfile;
+}
+
+int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t errbuflen)
{
static int inited = 0;
if (inited) return 0;
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
+ if (enable_compression)
+ SSL_COMP_get_compression_methods();
- SSL_METHOD const *meth = SSLv23_method();
+ SSL_METHOD const *meth =
+ is_server ? SSLv23_server_method() : SSLv23_client_method();
ctx = SSL_CTX_new(meth);
if (! ctx)
{
- pcap_snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
+ snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
goto die;
}
char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem";
if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM))
{
- pcap_snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL));
+ snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL));
goto die;
}
char const *keyfile = ssl_keyfile[0] ? ssl_keyfile : "key.pem";
if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM))
{
- pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
+ snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
goto die;
}
}
{
if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0))
{
- pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
+ snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
goto die;
}
}
#if 0
if (! RAND_load_file(RANDOM, 1024*1024))
{
- pcap_snprintf(errbuf, errbuflen, "Cannot init random");
+ snprintf(errbuf, errbuflen, "Cannot init random");
goto die;
}
return -1;
}
-void init_ssl_or_die(int is_server)
-{
- char errbuf[PCAP_ERRBUF_SIZE];
-
- if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0)
- {
- fprintf(stderr, "%s\n", errbuf);
- exit(3);
- }
-}
-
-SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen)
+SSL *ssl_promotion(int is_server, PCAP_SOCKET s, char *errbuf, size_t errbuflen)
{
- if (ssl_init_once(is_server, errbuf, errbuflen) < 0)
- {
+ if (ssl_init_once(is_server, 1, errbuf, errbuflen) < 0) {
return NULL;
}
- SSL *ssl = SSL_new(ctx);
- SSL_set_fd(ssl, s);
+ SSL *ssl = SSL_new(ctx); // TODO: also a DTLS context
+ SSL_set_fd(ssl, (int)s);
- if (is_server)
- {
- if (SSL_accept(ssl) <= 0)
- {
- pcap_snprintf(errbuf, errbuflen, "SSL_accept(): %s",
+ if (is_server) {
+ if (SSL_accept(ssl) <= 0) {
+ snprintf(errbuf, errbuflen, "SSL_accept(): %s",
ERR_error_string(ERR_get_error(), NULL));
return NULL;
}
- }
- else
- {
- if (SSL_connect(ssl) <= 0)
- {
- pcap_snprintf(errbuf, errbuflen, "SSL_connect(): %s",
+ } else {
+ if (SSL_connect(ssl) <= 0) {
+ snprintf(errbuf, errbuflen, "SSL_connect(): %s",
ERR_error_string(ERR_get_error(), NULL));
return NULL;
}
return ssl;
}
+// Finish using an SSL handle; shut down the connection and free the
+// handle.
+void ssl_finish(SSL *ssl)
+{
+ //
+ // We won't be using this again, so we can just send the
+ // shutdown alert and free up the handle, and have our
+ // caller close the socket.
+ //
+ // XXX - presumably, if the connection is shut down on
+ // our side, either our peer won't have a problem sending
+ // their shutdown alert or will not treat such a problem
+ // as an error. If this causes errors to be reported,
+ // fix that as appropriate.
+ //
+ SSL_shutdown(ssl);
+ SSL_free(ssl);
+}
+
// Same return value as sock_send:
// 0 on OK, -1 on error but closed connection (-2).
-int ssl_send(SSL *ssl, char const *buffer, size_t size, char *errbuf, size_t errbuflen)
+int ssl_send(SSL *ssl, char const *buffer, int size, char *errbuf, size_t errbuflen)
{
int status = SSL_write(ssl, buffer, size);
if (status > 0)
if (errno == ECONNRESET || errno == EPIPE) return -2;
#endif
}
- pcap_snprintf(errbuf, errbuflen, "SSL_write(): %s",
+ snprintf(errbuf, errbuflen, "SSL_write(): %s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
}
-// Same return status as sock_recv(SOCK_EOF_IS_ERROR):
-// -3 for EINTR, -1 on error and EOF, or number of bytes read
-int ssl_recv(SSL *ssl, unsigned char *buffer, size_t size, char *errbuf, size_t errbuflen)
+// Returns the number of bytes read, or -1 on syserror, or -2 on SSL error.
+int ssl_recv(SSL *ssl, char *buffer, int size, char *errbuf, size_t errbuflen)
{
int status = SSL_read(ssl, buffer, size);
if (status <= 0)
int ssl_err = SSL_get_error(ssl, status);
if (ssl_err == SSL_ERROR_ZERO_RETURN)
{
- pcap_snprintf(errbuf, errbuflen, "The other host terminated the connection.");
- return -1;
+ return 0;
}
else if (ssl_err == SSL_ERROR_SYSCALL)
{
-#ifndef _WIN32
- if (errno == EINTR)
- {
- return -3;
- }
- else
- {
- pcap_snprintf(errbuf, errbuflen, "SSL_read(): %s",
- ERR_error_string(ERR_get_error(), NULL));
- return -1;
- }
-#endif
+ return -1;
+ }
+ else
+ {
+ // Should not happen
+ snprintf(errbuf, errbuflen, "SSL_read(): %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -2;
}
}
- return status;
+ else
+ {
+ return status;
+ }
}
#endif // HAVE_OPENSSL
projects / libpcap / blobdiff