X-Git-Url: https://git.tcpdump.org/libpcap/blobdiff_plain/9ba5495a8a6c63debb66eee82c153dbf02226c90..HEAD:/sslutils.c diff --git a/sslutils.c b/sslutils.c index 637940a1..c75b5378 100644 --- a/sslutils.c +++ b/sslutils.c @@ -30,26 +30,34 @@ * */ -#ifdef HAVE_CONFIG_H #include -#endif #ifdef HAVE_OPENSSL #include #include "portability.h" + #include "sslutils.h" -#include "pcap/pcap.h" -char ssl_keyfile[PATH_MAX]; //!< file containing the private key in PEM format -char ssl_certfile[PATH_MAX]; //!< file containing the server's certificate in PEM format -char ssl_rootfile[PATH_MAX]; //!< file containing the list of CAs trusted by the client +static const char *ssl_keyfile = ""; //!< file containing the private key in PEM format +static const char *ssl_certfile = ""; //!< file containing the server's certificate in PEM format +static const char *ssl_rootfile = ""; //!< file containing the list of CAs trusted by the client // TODO: a way to set ssl_rootfile from the command line, or an envvar? // TODO: lock? static SSL_CTX *ctx; -static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen) +void ssl_set_certfile(const char *certfile) +{ + ssl_certfile = certfile; +} + +void ssl_set_keyfile(const char *keyfile) +{ + ssl_keyfile = keyfile; +} + +int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t errbuflen) { static int inited = 0; if (inited) return 0; @@ -57,44 +65,33 @@ static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen) SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); + if (enable_compression) + SSL_COMP_get_compression_methods(); -<<<<<<< HEAD - SSL_METHOD const *meth = SSLv23_method(); + SSL_METHOD const *meth = + is_server ? SSLv23_server_method() : SSLv23_client_method(); ctx = SSL_CTX_new(meth); if (! ctx) { -======= - SSL_METHOD const *meth = - is_server ? SSLv23_server_method() : SSLv23_client_method(); - ctx = SSL_CTX_new(meth); - if (! ctx) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket - pcap_snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL)); + snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL)); goto die; } SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); -<<<<<<< HEAD if (is_server) { char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem"; if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) { -======= - if (is_server) { - char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem"; - if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket - pcap_snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL)); + snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL)); goto die; } char const *keyfile = ssl_keyfile[0] ? ssl_keyfile : "key.pem"; -<<<<<<< HEAD if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)) { - pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL)); + snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL)); goto die; } } @@ -104,46 +101,25 @@ static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen) { if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0)) { - pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile); + snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile); goto die; } } else { -======= - if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)) { - pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL)); - goto die; - } - } else { - if (ssl_rootfile[0]) { - if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0)) { - pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile); - goto die; - } - } else { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); } } #if 0 -<<<<<<< HEAD if (! RAND_load_file(RANDOM, 1024*1024)) { -======= - if (! RAND_load_file(RANDOM, 1024*1024)) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket - pcap_snprintf(errbuf, errbuflen, "Cannot init random"); + snprintf(errbuf, errbuflen, "Cannot init random"); goto die; } -<<<<<<< HEAD if (is_server) { -======= - if (is_server) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context, sizeof(s_server_session_id_context)); } #endif @@ -155,59 +131,54 @@ die: return -1; } -void init_ssl_or_die(int is_server) -{ - char errbuf[PCAP_ERRBUF_SIZE]; - -<<<<<<< HEAD - if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0) - { - fprintf(stderr, "%s\n", errbuf); - exit(3); - } -======= - if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0) { - fprintf(stderr, "%s\n", errbuf); - exit(3); - } -} - -SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t errbuflen) +SSL *ssl_promotion(int is_server, PCAP_SOCKET s, char *errbuf, size_t errbuflen) { - if (ssl_init_once(is_server, errbuf, errbuflen) < 0) { + if (ssl_init_once(is_server, 1, errbuf, errbuflen) < 0) { return NULL; } SSL *ssl = SSL_new(ctx); // TODO: also a DTLS context - SSL_set_rfd(ssl, in); - SSL_set_wfd(ssl, out); + SSL_set_fd(ssl, (int)s); if (is_server) { if (SSL_accept(ssl) <= 0) { - pcap_snprintf(errbuf, errbuflen, "SSL_accept(): %s", + snprintf(errbuf, errbuflen, "SSL_accept(): %s", ERR_error_string(ERR_get_error(), NULL)); return NULL; } } else { if (SSL_connect(ssl) <= 0) { - pcap_snprintf(errbuf, errbuflen, "SSL_connect(): %s", + snprintf(errbuf, errbuflen, "SSL_connect(): %s", ERR_error_string(ERR_get_error(), NULL)); return NULL; } } return ssl; ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket } -SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen) +// Finish using an SSL handle; shut down the connection and free the +// handle. +void ssl_finish(SSL *ssl) { - return ssl_promotion_rw(is_server, s, s, errbuf, errbuflen); + // + // We won't be using this again, so we can just send the + // shutdown alert and free up the handle, and have our + // caller close the socket. + // + // XXX - presumably, if the connection is shut down on + // our side, either our peer won't have a problem sending + // their shutdown alert or will not treat such a problem + // as an error. If this causes errors to be reported, + // fix that as appropriate. + // + SSL_shutdown(ssl); + SSL_free(ssl); } // Same return value as sock_send: // 0 on OK, -1 on error but closed connection (-2). -int ssl_send(SSL *ssl, char const *buffer, size_t size, char *errbuf, size_t errbuflen) +int ssl_send(SSL *ssl, char const *buffer, int size, char *errbuf, size_t errbuflen) { int status = SSL_write(ssl, buffer, size); if (status > 0) @@ -228,14 +199,14 @@ int ssl_send(SSL *ssl, char const *buffer, size_t size, char *errbuf, size_t err if (errno == ECONNRESET || errno == EPIPE) return -2; #endif } - pcap_snprintf(errbuf, errbuflen, "SSL_write(): %s", + snprintf(errbuf, errbuflen, "SSL_write(): %s", ERR_error_string(ERR_get_error(), NULL)); return -1; } } // Returns the number of bytes read, or -1 on syserror, or -2 on SSL error. -int ssl_recv(SSL *ssl, char *buffer, size_t size, char *errbuf, size_t errbuflen) +int ssl_recv(SSL *ssl, char *buffer, int size, char *errbuf, size_t errbuflen) { int status = SSL_read(ssl, buffer, size); if (status <= 0) @@ -252,7 +223,7 @@ int ssl_recv(SSL *ssl, char *buffer, size_t size, char *errbuf, size_t errbuflen else { // Should not happen - pcap_snprintf(errbuf, errbuflen, "SSL_read(): %s", + snprintf(errbuf, errbuflen, "SSL_read(): %s", ERR_error_string(ERR_get_error(), NULL)); return -2; }