projects / project / ustream-ssl.git / blob
? search:


d3048ca2ded69f4ced3a0ddd778b1e6e923fdd20
[project/ustream-ssl.git] / ustream-ssl.c
1 /*
2 * ustream-ssl - library for SSL over ustream
3 *
4 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <errno.h>
20 #include <stdlib.h>
21 #include <string.h>
22 #include <libubox/ustream.h>
23
24 #include "ustream-ssl.h"
25 #include "ustream-internal.h"
26
27 static void ustream_ssl_error_cb(struct uloop_timeout *t)
28 {
29 struct ustream_ssl *us = container_of(t, struct ustream_ssl, error_timer);
30 static char buffer[128];
31 int error = us->error;
32
33 if (us->notify_error)
34 us->notify_error(us, error, __ustream_ssl_strerror(us->error, buffer, sizeof(buffer)));
35 }
36
37 static void ustream_ssl_check_conn(struct ustream_ssl *us)
38 {
39 if (us->connected || us->error)
40 return;
41
42 if (__ustream_ssl_connect(us) == U_SSL_OK) {
43
44 /* __ustream_ssl_connect() will also return U_SSL_OK when certificate
45 * verification failed!
46 *
47 * Applications may register a custom .notify_verify_error callback in the
48 * struct ustream_ssl which is called upon verification failures, but there
49 * is no straight forward way for the callback to terminate the connection
50 * initiation right away, e.g. through a true or false return value.
51 *
52 * Instead, existing implementations appear to set .eof field of the underlying
53 * ustream in the hope that this inhibits further operations on the stream.
54 *
55 * Declare this informal behaviour "official" and check for the state of the
56 * .eof member after __ustream_ssl_connect() returned, and do not write the
57 * pending data if it is set to true.
58 */
59
60 if (us->stream.eof)
61 return;
62
63 us->connected = true;
64 if (us->notify_connected)
65 us->notify_connected(us);
66 ustream_write_pending(&us->stream);
67 }
68 }
69
70 static bool __ustream_ssl_poll(struct ustream *s)
71 {
72 struct ustream_ssl *us = container_of(s->next, struct ustream_ssl, stream);
73 char *buf;
74 int len, ret;
75 bool more = false;
76
77 ustream_ssl_check_conn(us);
78 if (!us->connected || us->error)
79 return false;
80
81 do {
82 buf = ustream_reserve(&us->stream, 1, &len);
83 if (!len)
84 break;
85
86 ret = __ustream_ssl_read(us, buf, len);
87 if (ret == U_SSL_PENDING) {
88 ustream_poll(us->conn);
89 ret = __ustream_ssl_read(us, buf, len);
90 }
91
92 switch (ret) {
93 case U_SSL_PENDING:
94 return more;
95 case U_SSL_ERROR:
96 return false;
97 case 0:
98 us->stream.eof = true;
99 ustream_state_change(&us->stream);
100 return false;
101 default:
102 ustream_fill_read(&us->stream, ret);
103 more = true;
104 continue;
105 }
106 } while (1);
107
108 return more;
109 }
110
111 static void ustream_ssl_notify_read(struct ustream *s, int bytes)
112 {
113 __ustream_ssl_poll(s);
114 }
115
116 static void ustream_ssl_notify_write(struct ustream *s, int bytes)
117 {
118 struct ustream_ssl *us = container_of(s->next, struct ustream_ssl, stream);
119
120 ustream_ssl_check_conn(us);
121 ustream_write_pending(s->next);
122 }
123
124 static void ustream_ssl_notify_state(struct ustream *s)
125 {
126 s->next->write_error = true;
127 ustream_state_change(s->next);
128 }
129
130 static int ustream_ssl_write(struct ustream *s, const char *buf, int len, bool more)
131 {
132 struct ustream_ssl *us = container_of(s, struct ustream_ssl, stream);
133
134 if (!us->connected || us->error)
135 return 0;
136
137 if (us->conn->w.data_bytes)
138 return 0;
139
140 return __ustream_ssl_write(us, buf, len);
141 }
142
143 static void ustream_ssl_set_read_blocked(struct ustream *s)
144 {
145 struct ustream_ssl *us = container_of(s, struct ustream_ssl, stream);
146
147 ustream_set_read_blocked(us->conn, !!s->read_blocked);
148 }
149
150 static void ustream_ssl_free(struct ustream *s)
151 {
152 struct ustream_ssl *us = container_of(s, struct ustream_ssl, stream);
153
154 if (us->conn) {
155 us->conn->next = NULL;
156 us->conn->notify_read = NULL;
157 us->conn->notify_write = NULL;
158 us->conn->notify_state = NULL;
159 }
160
161 uloop_timeout_cancel(&us->error_timer);
162 __ustream_ssl_session_free(us->ssl);
163 free(us->peer_cn);
164
165 us->ctx = NULL;
166 us->ssl = NULL;
167 us->conn = NULL;
168 us->peer_cn = NULL;
169 us->connected = false;
170 us->error = false;
171 us->valid_cert = false;
172 us->valid_cn = false;
173 }
174
175 static bool ustream_ssl_poll(struct ustream *s)
176 {
177 struct ustream_ssl *us = container_of(s, struct ustream_ssl, stream);
178 bool fd_poll;
179
180 fd_poll = ustream_poll(us->conn);
181 return __ustream_ssl_poll(us->conn) || fd_poll;
182 }
183
184 static void ustream_ssl_stream_init(struct ustream_ssl *us)
185 {
186 struct ustream *conn = us->conn;
187 struct ustream *s = &us->stream;
188
189 conn->notify_read = ustream_ssl_notify_read;
190 conn->notify_write = ustream_ssl_notify_write;
191 conn->notify_state = ustream_ssl_notify_state;
192
193 s->free = ustream_ssl_free;
194 s->write = ustream_ssl_write;
195 s->poll = ustream_ssl_poll;
196 s->set_read_blocked = ustream_ssl_set_read_blocked;
197 ustream_init_defaults(s);
198 }
199
200 static int _ustream_ssl_init(struct ustream_ssl *us, struct ustream *conn, struct ustream_ssl_ctx *ctx, bool server)
201 {
202 us->error_timer.cb = ustream_ssl_error_cb;
203 us->server = server;
204 us->conn = conn;
205 us->ctx = ctx;
206
207 us->ssl = __ustream_ssl_session_new(us->ctx);
208 if (!us->ssl)
209 return -ENOMEM;
210
211 conn->r.max_buffers = 4;
212 conn->next = &us->stream;
213 ustream_set_io(ctx, us->ssl, conn);
214 ustream_ssl_stream_init(us);
215
216 if (us->server_name)
217 __ustream_ssl_set_server_name(us);
218
219 ustream_ssl_check_conn(us);
220
221 return 0;
222 }
223
224 static int _ustream_ssl_set_peer_cn(struct ustream_ssl *us, const char *name)
225 {
226 us->peer_cn = strdup(name);
227 __ustream_ssl_update_peer_cn(us);
228
229 return 0;
230 }
231
232 const struct ustream_ssl_ops ustream_ssl_ops = {
233 .context_new = __ustream_ssl_context_new,
234 .context_set_crt_file = __ustream_ssl_set_crt_file,
235 .context_set_key_file = __ustream_ssl_set_key_file,
236 .context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
237 .context_set_ciphers = __ustream_ssl_set_ciphers,
238 .context_set_require_validation = __ustream_ssl_set_require_validation,
239 .context_set_debug = __ustream_ssl_set_debug,
240 .context_free = __ustream_ssl_context_free,
241 .init = _ustream_ssl_init,
242 .set_peer_cn = _ustream_ssl_set_peer_cn,
243 };
ustream SSL wrapper