X-Git-Url: https://git.tcpdump.org/libpcap/blobdiff_plain/9225ae2eca86dc75ee9d4c8a626e0c9c1d5a7831..refs/heads/master:/sslutils.c

diff --git a/sslutils.c b/sslutils.c
index d09ed6c9..c75b5378 100644
--- a/sslutils.c
+++ b/sslutils.c
@@ -30,16 +30,14 @@
  *
  */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #ifdef HAVE_OPENSSL
 #include <stdlib.h>
 
 #include "portability.h"
+
 #include "sslutils.h"
-#include "pcap/pcap.h"
 
 static const char *ssl_keyfile = "";   //!< file containing the private key in PEM format
 static const char *ssl_certfile = "";  //!< file containing the server's certificate in PEM format
@@ -75,7 +73,7 @@ int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t er
 	ctx = SSL_CTX_new(meth);
 	if (! ctx)
 	{
-		pcap_snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
+		snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
 		goto die;
 	}
 
@@ -86,14 +84,14 @@ int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t er
 		char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem";
 		if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM))
 		{
-			pcap_snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL));
+			snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL));
 			goto die;
 		}
 
 		char const *keyfile = ssl_keyfile[0] ? ssl_keyfile : "key.pem";
 		if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM))
 		{
-			pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
+			snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
 			goto die;
 		}
 	}
@@ -103,7 +101,7 @@ int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t er
 		{
 			if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0))
 			{
-				pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
+				snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
 				goto die;
 			}
 		}
@@ -116,7 +114,7 @@ int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t er
 #if 0
 	if (! RAND_load_file(RANDOM, 1024*1024))
 	{
-		pcap_snprintf(errbuf, errbuflen, "Cannot init random");
+		snprintf(errbuf, errbuflen, "Cannot init random");
 		goto die;
 	}
 
@@ -133,25 +131,24 @@ die:
 	return -1;
 }
 
-SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t errbuflen)
+SSL *ssl_promotion(int is_server, PCAP_SOCKET s, char *errbuf, size_t errbuflen)
 {
 	if (ssl_init_once(is_server, 1, errbuf, errbuflen) < 0) {
 		return NULL;
 	}
 
 	SSL *ssl = SSL_new(ctx); // TODO: also a DTLS context
-	SSL_set_rfd(ssl, in);
-	SSL_set_wfd(ssl, out);
+	SSL_set_fd(ssl, (int)s);
 
 	if (is_server) {
 		if (SSL_accept(ssl) <= 0) {
-			pcap_snprintf(errbuf, errbuflen, "SSL_accept(): %s",
+			snprintf(errbuf, errbuflen, "SSL_accept(): %s",
 					ERR_error_string(ERR_get_error(), NULL));
 			return NULL;
 		}
 	} else {
 		if (SSL_connect(ssl) <= 0) {
-			pcap_snprintf(errbuf, errbuflen, "SSL_connect(): %s",
+			snprintf(errbuf, errbuflen, "SSL_connect(): %s",
 					ERR_error_string(ERR_get_error(), NULL));
 			return NULL;
 		}
@@ -160,9 +157,23 @@ SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t
 	return ssl;
 }
 
-SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen)
+// Finish using an SSL handle; shut down the connection and free the
+// handle.
+void ssl_finish(SSL *ssl)
 {
-	return ssl_promotion_rw(is_server, s, s, errbuf, errbuflen);
+	//
+	// We won't be using this again, so we can just send the
+	// shutdown alert and free up the handle, and have our
+	// caller close the socket.
+	//
+	// XXX - presumably, if the connection is shut down on
+	// our side, either our peer won't have a problem sending
+	// their shutdown alert or will not treat such a problem
+	// as an error.  If this causes errors to be reported,
+	// fix that as appropriate.
+	//
+	SSL_shutdown(ssl);
+	SSL_free(ssl);
 }
 
 // Same return value as sock_send:
@@ -188,7 +199,7 @@ int ssl_send(SSL *ssl, char const *buffer, int size, char *errbuf, size_t errbuf
 			if (errno == ECONNRESET || errno == EPIPE) return -2;
 #endif
 		}
-		pcap_snprintf(errbuf, errbuflen, "SSL_write(): %s",
+		snprintf(errbuf, errbuflen, "SSL_write(): %s",
 		    ERR_error_string(ERR_get_error(), NULL));
 		return -1;
 	}
@@ -212,7 +223,7 @@ int ssl_recv(SSL *ssl, char *buffer, int size, char *errbuf, size_t errbuflen)
 		else
 		{
 			// Should not happen
-			pcap_snprintf(errbuf, errbuflen, "SSL_read(): %s",
+			snprintf(errbuf, errbuflen, "SSL_read(): %s",
 			    ERR_error_string(ERR_get_error(), NULL));
 			return -2;
 		}