Mercurial > gftp.yaz
view lib/sslcommon.c @ 952:a490d94a5b8e
2008-03-28 Brian Masney <masneyb@gftp.org>
* lib/Makefile.am lib/misc.c lib/socket-connect.c
lib/socket-connect-getaddrinfo.c lib/socket-connect-gethostbyname.c
lib/sockutils.c lib/gftp.h - cleaned up more of the socket functions
and split them up into their own files. Cleanups and bug fixes to the
DNS lookup code.
| author | masneyb |
|---|---|
| date | Fri, 28 Mar 2008 11:44:36 +0000 |
| parents | 9a6571938f89 |
| children | 4c7a58ef26c1 |
line wrap: on
line source
/*****************************************************************************/ /* sslcommon.c - interface to OpenSSL */ /* Copyright (C) 1998-2007 Brian Masney <masneyb@gftp.org> */ /* */ /* This program is free software; you can redistribute it and/or modify */ /* it under the terms of the GNU General Public License as published by */ /* the Free Software Foundation; either version 2 of the License, or */ /* (at your option) any later version. */ /* */ /* This program is distributed in the hope that it will be useful, */ /* but WITHOUT ANY WARRANTY; without even the implied warranty of */ /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */ /* GNU General Public License for more details. */ /* */ /* You should have received a copy of the GNU General Public License */ /* along with this program; if not, write to the Free Software */ /* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111 USA */ /*****************************************************************************/ #include "gftp.h" static const char cvsid[] = "$Id$"; /* Some of the functions in here was taken either entirely or partially from * the O'Reilly book Network Security with OpenSSL */ #ifdef USE_SSL static gftp_config_vars config_vars[] = { {"", N_("SSL Engine"), gftp_option_type_notebook, NULL, NULL, 0, NULL, GFTP_PORT_GTK, NULL}, {"entropy_source", N_("SSL Entropy File:"), gftp_option_type_text, "/dev/urandom", NULL, 0, N_("SSL entropy file"), GFTP_PORT_ALL, 0}, {"entropy_len", N_("Entropy Seed Length:"), gftp_option_type_int, GINT_TO_POINTER(1024), NULL, 0, N_("The maximum number of bytes to seed the SSL engine with"), GFTP_PORT_ALL, 0}, {"verify_ssl_peer", N_("Verify SSL Peer"), gftp_option_type_checkbox, GINT_TO_POINTER(1), NULL, 0, N_("Verify SSL Peer"), GFTP_PORT_ALL, NULL}, {NULL, NULL, 0, NULL, NULL, 0, NULL, 0, NULL} }; static GMutex ** gftp_ssl_mutexes = NULL; static volatile int gftp_ssl_initialized = 0; static SSL_CTX * ctx = NULL; struct CRYPTO_dynlock_value { GMutex * mutex; }; void ssl_register_module (void) { static volatile int module_registered = 0; if (!module_registered) { gftp_register_config_vars (config_vars); module_registered = 1; } } static int gftp_ssl_get_index (void) { static volatile int index = -1; if (index < 0) index = SSL_get_ex_new_index (0, gftp_version, NULL, NULL, NULL); return index; } static int gftp_ssl_verify_callback (int ok, X509_STORE_CTX *store) { char issuer[256], subject[256]; intptr_t verify_ssl_peer; gftp_request * request; SSL * ssl; ssl = X509_STORE_CTX_get_ex_data (store, SSL_get_ex_data_X509_STORE_CTX_idx ()); request = SSL_get_ex_data (ssl, gftp_ssl_get_index ()); gftp_lookup_request_option (request, "verify_ssl_peer", &verify_ssl_peer); if (!verify_ssl_peer) ok = 1; if (!ok) { X509 *cert = X509_STORE_CTX_get_current_cert (store); int depth = X509_STORE_CTX_get_error_depth (store); int err = X509_STORE_CTX_get_error (store); X509_NAME_oneline (X509_get_issuer_name (cert), issuer, sizeof (issuer)); X509_NAME_oneline (X509_get_subject_name (cert), subject, sizeof (subject)); request->logging_function (gftp_logging_error, request, _("Error with certificate at depth: %i\nIssuer = %s\nSubject = %s\nError %i:%s\n"), depth, issuer, subject, err, X509_verify_cert_error_string (err)); } return ok; } static int gftp_ssl_post_connection_check (gftp_request * request) { char data[256], *extstr; int extcount, ok, i, j; X509_EXTENSION *ext; X509_NAME *subj; X509 *cert; ok = 0; if (!(cert = SSL_get_peer_certificate (request->ssl))) { request->logging_function (gftp_logging_error, request, _("Cannot get peer certificate\n")); return (X509_V_ERR_APPLICATION_VERIFICATION); } if ((extcount = X509_get_ext_count (cert)) > 0) { for (i = 0; i < extcount; i++) { ext = X509_get_ext (cert, i); extstr = (char *) OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext))); if (strcmp (extstr, "subjectAltName") == 0) { unsigned char *data; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; X509V3_EXT_METHOD *meth; void *ext_str = NULL; if (!(meth = X509V3_EXT_get (ext))) break; data = ext->value->data; #if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (meth->it) ext_str = ASN1_item_d2i (NULL, &data, ext->value->length, ASN1_ITEM_ptr (meth->it)); else ext_str = meth->d2i (NULL, &data, ext->value->length); #else ext_str = meth->d2i(NULL, &data, ext->value->length); #endif val = meth->i2v(meth, ext_str, NULL); for (j = 0; j < sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value (val, j); if (strcmp (nval->name, "DNS") == 0 && strcmp (nval->value, request->hostname) == 0) { ok = 1; break; } } } if (ok) break; } } if (!ok && (subj = X509_get_subject_name (cert)) && X509_NAME_get_text_by_NID (subj, NID_commonName, data, 256) > 0) { data[sizeof (data) - 1] = '\0'; /* Check for wildcard CN (must begin with *.) */ if (strncmp (data, "*.", 2) == 0) { size_t hostname_len = strlen (data) - 1; if (strlen (request->hostname) > hostname_len && strcasecmp (&(data[1]), &(request->hostname[strlen (request->hostname) - hostname_len])) == 0) ok = 1; } else if (strcasecmp (data, request->hostname) == 0) ok = 1; if (!ok) { request->logging_function (gftp_logging_error, request, _("ERROR: The host in the SSL certificate (%s) does not match the host that we connected to (%s). Aborting connection.\n"), data, request->hostname); X509_free (cert); return (X509_V_ERR_APPLICATION_VERIFICATION); } } X509_free (cert); return (SSL_get_verify_result(request->ssl)); } static void _gftp_ssl_locking_function (int mode, int n, const char * file, int line) { if (mode & CRYPTO_LOCK) g_mutex_lock (gftp_ssl_mutexes[n]); else g_mutex_unlock (gftp_ssl_mutexes[n]); } static unsigned long _gftp_ssl_id_function (void) { #if GLIB_MAJOR_VERSION > 1 return ((unsigned long) g_thread_self ()); #else /* FIXME - call pthread version. */ return (0); #endif } static struct CRYPTO_dynlock_value * _gftp_ssl_create_dyn_mutex (const char *file, int line) { struct CRYPTO_dynlock_value *value; value = g_malloc0 (sizeof (*value)); value->mutex = g_mutex_new (); return (value); } static void _gftp_ssl_dyn_mutex_lock (int mode, struct CRYPTO_dynlock_value *l, const char *file, int line) { if (mode & CRYPTO_LOCK) g_mutex_lock (l->mutex); else g_mutex_unlock (l->mutex); } static void _gftp_ssl_destroy_dyn_mutex (struct CRYPTO_dynlock_value *l, const char *file, int line) { g_mutex_free (l->mutex); g_free (l); } static void _gftp_ssl_thread_setup (void) { int i; #if G_MAJOR_VERSION == 1 /* Thread setup isn't supported in glib 1.2 yet */ return; #endif gftp_ssl_mutexes = g_malloc0 (CRYPTO_num_locks( ) * sizeof (*gftp_ssl_mutexes)); for (i = 0; i < CRYPTO_num_locks ( ); i++) gftp_ssl_mutexes[i] = g_mutex_new (); CRYPTO_set_id_callback (_gftp_ssl_id_function); CRYPTO_set_locking_callback (_gftp_ssl_locking_function); CRYPTO_set_dynlock_create_callback (_gftp_ssl_create_dyn_mutex); CRYPTO_set_dynlock_lock_callback (_gftp_ssl_dyn_mutex_lock); CRYPTO_set_dynlock_destroy_callback (_gftp_ssl_destroy_dyn_mutex); } int gftp_ssl_startup (gftp_request * request) { intptr_t entropy_len; char *entropy_source; if (gftp_ssl_initialized) return (0); gftp_ssl_initialized = 1; if (g_thread_supported ()) _gftp_ssl_thread_setup (); if (!SSL_library_init ()) { request->logging_function (gftp_logging_error, request, _("Cannot initialize the OpenSSL library\n")); return (GFTP_EFATAL); } SSL_load_error_strings (); gftp_lookup_request_option (request, "entropy_source", &entropy_source); gftp_lookup_request_option (request, "entropy_len", &entropy_len); RAND_load_file (entropy_source, entropy_len); ctx = SSL_CTX_new (SSLv23_method ()); if (SSL_CTX_set_default_verify_paths (ctx) != 1) { request->logging_function (gftp_logging_error, request, _("Error loading default SSL certificates\n")); return (GFTP_EFATAL); } SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, gftp_ssl_verify_callback); SSL_CTX_set_verify_depth (ctx, 9); SSL_CTX_set_options (ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); if (SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1) { request->logging_function (gftp_logging_error, request, _("Error setting cipher list (no valid ciphers)\n")); return (GFTP_EFATAL); } return (0); } int gftp_ssl_session_setup (gftp_request * request) { intptr_t verify_ssl_peer; BIO * bio; long ret; g_return_val_if_fail (request->datafd > 0, GFTP_EFATAL); if (!gftp_ssl_initialized) { request->logging_function (gftp_logging_error, request, _("Error: SSL engine was not initialized\n")); gftp_disconnect (request); return (GFTP_EFATAL); } /* FIXME - take this out. I need to find out how to do timeouts with the SSL functions (a select() or poll() like function) */ if (gftp_fd_set_sockblocking (request, request->datafd, 0) < 0) { gftp_disconnect (request); return (GFTP_ERETRYABLE); } if ((bio = BIO_new (BIO_s_socket ())) == NULL) { request->logging_function (gftp_logging_error, request, _("Error setting up SSL connection (BIO object)\n")); gftp_disconnect (request); return (GFTP_EFATAL); } BIO_set_fd (bio, request->datafd, BIO_NOCLOSE); if ((request->ssl = SSL_new (ctx)) == NULL) { request->logging_function (gftp_logging_error, request, _("Error setting up SSL connection (SSL object)\n")); gftp_disconnect (request); return (GFTP_EFATAL); } SSL_set_bio (request->ssl, bio, bio); SSL_set_ex_data (request->ssl, gftp_ssl_get_index (), request); if (SSL_connect (request->ssl) <= 0) { gftp_disconnect (request); return (GFTP_EFATAL); } gftp_lookup_request_option (request, "verify_ssl_peer", &verify_ssl_peer); if (verify_ssl_peer && (ret = gftp_ssl_post_connection_check (request)) != X509_V_OK) { if (ret != X509_V_ERR_APPLICATION_VERIFICATION) request->logging_function (gftp_logging_error, request, _("Error with peer certificate: %s\n"), X509_verify_cert_error_string (ret)); gftp_disconnect (request); return (GFTP_EFATAL); } request->logging_function (gftp_logging_misc, request, "SSL connection established using %s (%s)\n", SSL_get_cipher_version (request->ssl), SSL_get_cipher_name (request->ssl)); return (0); } ssize_t gftp_ssl_read (gftp_request * request, void *ptr, size_t size, int fd) { ssize_t ret; int err; g_return_val_if_fail (request->ssl != NULL, GFTP_EFATAL); if (!gftp_ssl_initialized) { request->logging_function (gftp_logging_error, request, _("Error: SSL engine was not initialized\n")); return (GFTP_EFATAL); } errno = 0; ret = 0; do { if ((ret = SSL_read (request->ssl, ptr, size)) < 0) { err = SSL_get_error (request->ssl, ret); if (errno == EINTR || errno == EAGAIN) { if (request->cancel) { gftp_disconnect (request); return (GFTP_ERETRYABLE); } continue; } request->logging_function (gftp_logging_error, request, _("Error: Could not read from socket: %s\n"), g_strerror (errno)); gftp_disconnect (request); return (GFTP_ERETRYABLE); } break; } while (1); return (ret); } ssize_t gftp_ssl_write (gftp_request * request, const char *ptr, size_t size, int fd) { size_t ret, w_ret; g_return_val_if_fail (request->ssl != NULL, GFTP_EFATAL); if (!gftp_ssl_initialized) { request->logging_function (gftp_logging_error, request, _("Error: SSL engine was not initialized\n")); return (GFTP_EFATAL); } ret = 0; do { w_ret = SSL_write (request->ssl, ptr, size); if (w_ret <= 0) { if (errno == EINTR || errno == EAGAIN) { if (request != NULL && request->cancel) { gftp_disconnect (request); return (GFTP_ERETRYABLE); } continue; } request->logging_function (gftp_logging_error, request, _("Error: Could not write to socket: %s\n"), g_strerror (errno)); gftp_disconnect (request); return (GFTP_ERETRYABLE); } ptr += w_ret; size -= w_ret; ret += w_ret; } while (size > 0); return (ret); } #endif