src/microspdy/io_openssl.c - manifest_repos/libmicrohttpd - Git at Google

 /*
     This file is part of libmicrospdy
     Copyright Copyright (C) 2012 Andrey Uzunov

     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
     the Free Software Foundation, either version 3 of the License, or
     (at your option) any later version.

     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.

     You should have received a copy of the GNU General Public License
     along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

 /**
  * @file io_openssl.c
  * @brief  TLS handling using libssl. The current code assumes that
  * 			blocking I/O is in use.
  * @author Andrey Uzunov
  */

 #include "platform.h"
 #include "internal.h"
 #include "session.h"
 #include "io_openssl.h"


 /**
  * Callback to advertise spdy ver. 3 in Next Protocol Negotiation
  *
  * @param ssl openssl context for a connection
  * @param out must be set to the raw data that is advertised in NPN
  * @param outlen must be set to size of out
  * @param arg
  * @return SSL_TLSEXT_ERR_OK to do advertising
  */
 static int
 spdyf_next_protos_advertised_cb (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg)
 {
 	(void)ssl;
 	(void)arg;
 	static unsigned char npn_spdy3[] = {0x06, // length of "spdy/3"
 		0x73,0x70,0x64,0x79,0x2f,0x33};// spdy/3

 	*out = npn_spdy3;
 	*outlen = 7; // total length of npn_spdy3
 	return SSL_TLSEXT_ERR_OK;
 }


 void
 SPDYF_openssl_global_init()
 {
 	//error strings are now not used by the lib
     //SSL_load_error_strings();
     //init libssl
     SSL_library_init(); //always returns 1
     //the table for looking up algos is not used now by the lib
     //OpenSSL_add_all_algorithms();
 }


 void
 SPDYF_openssl_global_deinit()
 {
 	//if SSL_load_error_strings was called
     //ERR_free_strings();
     //if OpenSSL_add_all_algorithms was called
     //EVP_cleanup();
 }


 int
 SPDYF_openssl_init(struct SPDY_Daemon *daemon)
 {
     int options;
     //create ssl context. TLSv1 used
     if(NULL == (daemon->io_context = SSL_CTX_new(TLSv1_server_method())))
     {
 		SPDYF_DEBUG("Couldn't create ssl context");
 		return SPDY_NO;
         }
 	//set options for tls
 	//TODO DH is not enabled for easier debugging
     //SSL_CTX_set_options(daemon->io_context, SSL_OP_SINGLE_DH_USE);

     //TODO here session tickets are disabled for easier debuging with
     //wireshark when using Chrome
     // SSL_OP_NO_COMPRESSION disables TLS compression to avoid CRIME attack
     options = SSL_OP_NO_TICKET;
 #ifdef SSL_OP_NO_COMPRESSION
     options |= SSL_OP_NO_COMPRESSION;
 #elif OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */
     sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
 #endif

     SSL_CTX_set_options(daemon->io_context, options);
     if(1 != SSL_CTX_use_certificate_file(daemon->io_context, daemon->certfile , SSL_FILETYPE_PEM))
     {
 		SPDYF_DEBUG("Couldn't load the cert file");
 		SSL_CTX_free(daemon->io_context);
 		return SPDY_NO;
 	}
     if(1 != SSL_CTX_use_PrivateKey_file(daemon->io_context, daemon->keyfile, SSL_FILETYPE_PEM))
     {
 		SPDYF_DEBUG("Couldn't load the name file");
 		SSL_CTX_free(daemon->io_context);
 		return SPDY_NO;
 	}
     SSL_CTX_set_next_protos_advertised_cb(daemon->io_context, &spdyf_next_protos_advertised_cb, NULL);
     if (1 != SSL_CTX_set_cipher_list(daemon->io_context, "HIGH"))
     {
 		SPDYF_DEBUG("Couldn't set the desired cipher list");
 		SSL_CTX_free(daemon->io_context);
 		return SPDY_NO;
 	}

 	return SPDY_YES;
 }


 void
 SPDYF_openssl_deinit(struct SPDY_Daemon *daemon)
 {
     SSL_CTX_free(daemon->io_context);
 }


 int
 SPDYF_openssl_new_session(struct SPDY_Session *session)
 {
 	int ret;

 	if(NULL == (session->io_context = SSL_new(session->daemon->io_context)))
     {
 		SPDYF_DEBUG("Couldn't create ssl structure");
 		return SPDY_NO;
 	}
 	if(1 != (ret = SSL_set_fd(session->io_context, session->socket_fd)))
     {
 		SPDYF_DEBUG("SSL_set_fd %i",ret);
 		SSL_free(session->io_context);
 		session->io_context = NULL;
 		return SPDY_NO;
 	}

 	//for non-blocking I/O SSL_accept may return -1
 	//and this function won't work
 	if(1 != (ret = SSL_accept(session->io_context)))
     {
 		SPDYF_DEBUG("SSL_accept %i",ret);
 		SSL_free(session->io_context);
 		session->io_context = NULL;
 		return SPDY_NO;
 	}
 	/* alternatively
 	SSL_set_accept_state(session->io_context);
 	* may be called and then the negotiation will be done on reading
 	*/

 	return SPDY_YES;
 }


 void
 SPDYF_openssl_close_session(struct SPDY_Session *session)
 {
 	//SSL_shutdown sends TLS "close notify" as in TLS standard.
 	//The function may fail as it waits for the other party to also close
 	//the TLS session. The lib just sends it and will close the socket
 	//after that because the browsers don't seem to care much about
 	//"close notify"
 	SSL_shutdown(session->io_context);

 	SSL_free(session->io_context);
 }


 int
 SPDYF_openssl_recv(struct SPDY_Session *session,
 				void * buffer,
 				size_t size)
 {
 	int ret;
 	int n = SSL_read(session->io_context,
 					buffer,
 					size);
 	//if(n > 0) SPDYF_DEBUG("recvd: %i",n);
 	if (n <= 0)
 	{
 		ret = SSL_get_error(session->io_context, n);
 		switch(ret)
 		{
 			case SSL_ERROR_ZERO_RETURN:
 				return 0;

 			case SSL_ERROR_WANT_READ:
 			case SSL_ERROR_WANT_WRITE:
 				return SPDY_IO_ERROR_AGAIN;

 			case SSL_ERROR_SYSCALL:
 				if(EINTR == errno)
 					return SPDY_IO_ERROR_AGAIN;
 				return SPDY_IO_ERROR_ERROR;
 			default:
 				return SPDY_IO_ERROR_ERROR;
 		}
 	}

 	return n;
 }


 int
 SPDYF_openssl_send(struct SPDY_Session *session,
 				const void * buffer,
 				size_t size)
 {
 	int ret;

 	int n = SSL_write(session->io_context,
 					buffer,
 					size);
 	//if(n > 0) SPDYF_DEBUG("sent: %i",n);
 	if (n <= 0)
 	{
 		ret = SSL_get_error(session->io_context, n);
 		switch(ret)
 		{
 			case SSL_ERROR_ZERO_RETURN:
 				return 0;

 			case SSL_ERROR_WANT_READ:
 			case SSL_ERROR_WANT_WRITE:
 				return SPDY_IO_ERROR_AGAIN;

 			case SSL_ERROR_SYSCALL:
 				if(EINTR == errno)
 					return SPDY_IO_ERROR_AGAIN;
 				return SPDY_IO_ERROR_ERROR;
 			default:
 				return SPDY_IO_ERROR_ERROR;
 		}
 	}

 	return n;
 }


 int
 SPDYF_openssl_is_pending(struct SPDY_Session *session)
 {
 	/* From openssl docs:
 	 * BUGS
 SSL_pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). If the SSL object's read_ahead flag is set, additional protocol bytes may have been read containing more TLS/SSL records; these are ignored by SSL_pending().
 	 */
 	return SSL_pending(session->io_context) > 0 ? SPDY_YES : SPDY_NO;
 }


 int
 SPDYF_openssl_before_write(struct SPDY_Session *session)
 {
   (void)session;

   return SPDY_YES;
 }


 int
 SPDYF_openssl_after_write(struct SPDY_Session *session, int was_written)
 {
   (void)session;

   return was_written;
 }
	/*
	This file is part of libmicrospdy
	Copyright Copyright (C) 2012 Andrey Uzunov

	This program is free software: you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation, either version 3 of the License, or
	(at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program. If not, see <http://www.gnu.org/licenses/>.
	*/

	/**
	* @file io_openssl.c
	* @brief TLS handling using libssl. The current code assumes that
	* blocking I/O is in use.
	* @author Andrey Uzunov
	*/

	#include "platform.h"
	#include "internal.h"
	#include "session.h"
	#include "io_openssl.h"


	/**
	* Callback to advertise spdy ver. 3 in Next Protocol Negotiation
	*
	* @param ssl openssl context for a connection
	* @param out must be set to the raw data that is advertised in NPN
	* @param outlen must be set to size of out
	* @param arg
	* @return SSL_TLSEXT_ERR_OK to do advertising
	*/
	static int
	spdyf_next_protos_advertised_cb (SSL ssl, const unsigned char out, unsigned int outlen, void *arg)
	{
	(void)ssl;
	(void)arg;
	static unsigned char npn_spdy3[] = {0x06, // length of "spdy/3"
	0x73,0x70,0x64,0x79,0x2f,0x33};// spdy/3

	*out = npn_spdy3;
	*outlen = 7; // total length of npn_spdy3
	return SSL_TLSEXT_ERR_OK;
	}


	void
	SPDYF_openssl_global_init()
	{
	//error strings are now not used by the lib
	//SSL_load_error_strings();
	//init libssl
	SSL_library_init(); //always returns 1
	//the table for looking up algos is not used now by the lib
	//OpenSSL_add_all_algorithms();
	}


	void
	SPDYF_openssl_global_deinit()
	{
	//if SSL_load_error_strings was called
	//ERR_free_strings();
	//if OpenSSL_add_all_algorithms was called
	//EVP_cleanup();
	}


	int
	SPDYF_openssl_init(struct SPDY_Daemon *daemon)
	{
	int options;
	//create ssl context. TLSv1 used
	if(NULL == (daemon->io_context = SSL_CTX_new(TLSv1_server_method())))
	{
	SPDYF_DEBUG("Couldn't create ssl context");
	return SPDY_NO;
	}
	//set options for tls
	//TODO DH is not enabled for easier debugging
	//SSL_CTX_set_options(daemon->io_context, SSL_OP_SINGLE_DH_USE);

	//TODO here session tickets are disabled for easier debuging with
	//wireshark when using Chrome
	// SSL_OP_NO_COMPRESSION disables TLS compression to avoid CRIME attack
	options = SSL_OP_NO_TICKET;
	#ifdef SSL_OP_NO_COMPRESSION
	options \|= SSL_OP_NO_COMPRESSION;
	#elif OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */
	sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
	#endif

	SSL_CTX_set_options(daemon->io_context, options);
	if(1 != SSL_CTX_use_certificate_file(daemon->io_context, daemon->certfile , SSL_FILETYPE_PEM))
	{
	SPDYF_DEBUG("Couldn't load the cert file");
	SSL_CTX_free(daemon->io_context);
	return SPDY_NO;
	}
	if(1 != SSL_CTX_use_PrivateKey_file(daemon->io_context, daemon->keyfile, SSL_FILETYPE_PEM))
	{
	SPDYF_DEBUG("Couldn't load the name file");
	SSL_CTX_free(daemon->io_context);
	return SPDY_NO;
	}
	SSL_CTX_set_next_protos_advertised_cb(daemon->io_context, &spdyf_next_protos_advertised_cb, NULL);
	if (1 != SSL_CTX_set_cipher_list(daemon->io_context, "HIGH"))
	{
	SPDYF_DEBUG("Couldn't set the desired cipher list");
	SSL_CTX_free(daemon->io_context);
	return SPDY_NO;
	}

	return SPDY_YES;
	}


	void
	SPDYF_openssl_deinit(struct SPDY_Daemon *daemon)
	{
	SSL_CTX_free(daemon->io_context);
	}


	int
	SPDYF_openssl_new_session(struct SPDY_Session *session)
	{
	int ret;

	if(NULL == (session->io_context = SSL_new(session->daemon->io_context)))
	{
	SPDYF_DEBUG("Couldn't create ssl structure");
	return SPDY_NO;
	}
	if(1 != (ret = SSL_set_fd(session->io_context, session->socket_fd)))
	{
	SPDYF_DEBUG("SSL_set_fd %i",ret);
	SSL_free(session->io_context);
	session->io_context = NULL;
	return SPDY_NO;
	}

	//for non-blocking I/O SSL_accept may return -1
	//and this function won't work
	if(1 != (ret = SSL_accept(session->io_context)))
	{
	SPDYF_DEBUG("SSL_accept %i",ret);
	SSL_free(session->io_context);
	session->io_context = NULL;
	return SPDY_NO;
	}
	/* alternatively
	SSL_set_accept_state(session->io_context);
	* may be called and then the negotiation will be done on reading
	*/

	return SPDY_YES;
	}


	void
	SPDYF_openssl_close_session(struct SPDY_Session *session)
	{
	//SSL_shutdown sends TLS "close notify" as in TLS standard.
	//The function may fail as it waits for the other party to also close
	//the TLS session. The lib just sends it and will close the socket
	//after that because the browsers don't seem to care much about
	//"close notify"
	SSL_shutdown(session->io_context);

	SSL_free(session->io_context);
	}


	int
	SPDYF_openssl_recv(struct SPDY_Session *session,
	void * buffer,
	size_t size)
	{
	int ret;
	int n = SSL_read(session->io_context,
	buffer,
	size);
	//if(n > 0) SPDYF_DEBUG("recvd: %i",n);
	if (n <= 0)
	{
	ret = SSL_get_error(session->io_context, n);
	switch(ret)
	{
	case SSL_ERROR_ZERO_RETURN:
	return 0;

	case SSL_ERROR_WANT_READ:
	case SSL_ERROR_WANT_WRITE:
	return SPDY_IO_ERROR_AGAIN;

	case SSL_ERROR_SYSCALL:
	if(EINTR == errno)
	return SPDY_IO_ERROR_AGAIN;
	return SPDY_IO_ERROR_ERROR;
	default:
	return SPDY_IO_ERROR_ERROR;
	}
	}

	return n;
	}


	int
	SPDYF_openssl_send(struct SPDY_Session *session,
	const void * buffer,
	size_t size)
	{
	int ret;

	int n = SSL_write(session->io_context,
	buffer,
	size);
	//if(n > 0) SPDYF_DEBUG("sent: %i",n);
	if (n <= 0)
	{
	ret = SSL_get_error(session->io_context, n);
	switch(ret)
	{
	case SSL_ERROR_ZERO_RETURN:
	return 0;

	case SSL_ERROR_WANT_READ:
	case SSL_ERROR_WANT_WRITE:
	return SPDY_IO_ERROR_AGAIN;

	case SSL_ERROR_SYSCALL:
	if(EINTR == errno)
	return SPDY_IO_ERROR_AGAIN;
	return SPDY_IO_ERROR_ERROR;
	default:
	return SPDY_IO_ERROR_ERROR;
	}
	}

	return n;
	}


	int
	SPDYF_openssl_is_pending(struct SPDY_Session *session)
	{
	/* From openssl docs:
	* BUGS
	SSL_pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). If the SSL object's read_ahead flag is set, additional protocol bytes may have been read containing more TLS/SSL records; these are ignored by SSL_pending().
	*/
	return SSL_pending(session->io_context) > 0 ? SPDY_YES : SPDY_NO;
	}


	int
	SPDYF_openssl_before_write(struct SPDY_Session *session)
	{
	(void)session;

	return SPDY_YES;
	}


	int
	SPDYF_openssl_after_write(struct SPDY_Session *session, int was_written)
	{
	(void)session;

	return was_written;
	}