src/microhttpd/connection_https.c - manifest_repos/libmicrohttpd - Git at Google

 /*
      This file is part of libmicrohttpd
      Copyright (C) 2007, 2008, 2010 Daniel Pittman and Christian Grothoff
      Copyright (C) 2015-2021 Karlson2k (Evgeny Grin)

      This library is free software; you can redistribute it and/or
      modify it under the terms of the GNU Lesser General Public
      License as published by the Free Software Foundation; either
      version 2.1 of the License, or (at your option) any later version.

      This library is distributed in the hope that it will be useful,
      but WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      Lesser General Public License for more details.

      You should have received a copy of the GNU Lesser General Public
      License along with this library; if not, write to the Free Software
      Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

 */

 /**
  * @file connection_https.c
  * @brief  Methods for managing SSL/TLS connections. This file is only
  *         compiled if ENABLE_HTTPS is set.
  * @author Sagie Amir
  * @author Christian Grothoff
  * @author Karlson2k (Evgeny Grin)
  */

 #include "internal.h"
 #include "connection.h"
 #include "connection_https.h"
 #include "memorypool.h"
 #include "response.h"
 #include "mhd_mono_clock.h"
 #include <gnutls/gnutls.h>
 #include "mhd_send.h"


 /**
  * Callback for receiving data from the socket.
  *
  * @param connection the MHD_Connection structure
  * @param other where to write received data to
  * @param i maximum size of other (in bytes)
  * @return positive value for number of bytes actually received or
  *         negative value for error number MHD_ERR_xxx_
  */
 static ssize_t
 recv_tls_adapter (struct MHD_Connection *connection,
                   void *other,
                   size_t i)
 {
   ssize_t res;

   if (i > SSIZE_MAX)
     i = SSIZE_MAX;

   res = gnutls_record_recv (connection->tls_session,
                             other,
                             i);
   if ( (GNUTLS_E_AGAIN == res) ||
        (GNUTLS_E_INTERRUPTED == res) )
   {
 #ifdef EPOLL_SUPPORT
     if (GNUTLS_E_AGAIN == res)
       connection->epoll_state &=
         ~((enum MHD_EpollState) MHD_EPOLL_STATE_READ_READY);
 #endif
     /* Any network errors means that buffer is empty. */
     connection->tls_read_ready = false;
     return MHD_ERR_AGAIN_;
   }
   if (res < 0)
   {
     connection->tls_read_ready = false;
     if ( (GNUTLS_E_DECRYPTION_FAILED == res) ||
          (GNUTLS_E_INVALID_SESSION == res) ||
          (GNUTLS_E_DECOMPRESSION_FAILED == res) ||
          (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER == res) ||
          (GNUTLS_E_UNSUPPORTED_VERSION_PACKET == res) ||
          (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res) ||
          (GNUTLS_E_UNEXPECTED_PACKET == res) ||
          (GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET == res) ||
          (GNUTLS_E_EXPIRED == res) ||
          (GNUTLS_E_REHANDSHAKE == res) )
       return MHD_ERR_TLS_;
     if ( (GNUTLS_E_PULL_ERROR == res) ||
          (GNUTLS_E_INTERNAL_ERROR == res) ||
          (GNUTLS_E_CRYPTODEV_IOCTL_ERROR == res) ||
          (GNUTLS_E_CRYPTODEV_DEVICE_ERROR == res) )
       return MHD_ERR_PIPE_;
 #if defined(GNUTLS_E_PREMATURE_TERMINATION)
     if (GNUTLS_E_PREMATURE_TERMINATION == res)
       return MHD_ERR_CONNRESET_;
 #elif defined(GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
     if (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res)
       return MHD_ERR_CONNRESET_;
 #endif /* GNUTLS_E_UNEXPECTED_PACKET_LENGTH */
     if (GNUTLS_E_MEMORY_ERROR == res)
       return MHD_ERR_NOMEM_;
     /* Treat any other error as a hard error. */
     return MHD_ERR_NOTCONN_;
   }

 #ifdef EPOLL_SUPPORT
   /* Unlike non-TLS connections, do not reset "read-ready" if
    * received amount smaller than provided amount, as TLS
    * connections may receive data by fixed-size chunks. */
 #endif /* EPOLL_SUPPORT */

   /* Check whether TLS buffers still have some unread data. */
   connection->tls_read_ready =
     ( ((size_t) res == i) &&
       (0 != gnutls_record_check_pending (connection->tls_session)) );
   return res;
 }


 /**
  * Give gnuTLS chance to work on the TLS handshake.
  *
  * @param connection connection to handshake on
  * @return true if the handshake has completed successfully
  *         and we should start to read/write data,
  *         false is handshake in progress or in case
  *         of error
  */
 bool
 MHD_run_tls_handshake_ (struct MHD_Connection *connection)
 {
   int ret;

   if ((MHD_TLS_CONN_INIT == connection->tls_state) ||
       (MHD_TLS_CONN_HANDSHAKING == connection->tls_state))
   {
 #if 0
     /* According to real-live testing, Nagel's Algorithm is not blocking
      * partial packets on just connected sockets on modern OSes. As TLS setup
      * is performed as the fist action upon socket connection, the next
      * optimisation typically is not required. If any specific OS will
      * require this optimization, it could be enabled by allowing the next
      * lines for this specific OS. */
     if (_MHD_ON != connection->sk_nodelay)
       MHD_connection_set_nodelay_state_ (connection, true);
 #endif
     ret = gnutls_handshake (connection->tls_session);
     if (ret == GNUTLS_E_SUCCESS)
     {
       /* set connection TLS state to enable HTTP processing */
       connection->tls_state = MHD_TLS_CONN_CONNECTED;
       MHD_update_last_activity_ (connection);
       return true;
     }
     if ( (GNUTLS_E_AGAIN == ret) ||
          (GNUTLS_E_INTERRUPTED == ret) )
     {
       connection->tls_state = MHD_TLS_CONN_HANDSHAKING;
       /* handshake not done */
       return false;
     }
     /* handshake failed */
     connection->tls_state = MHD_TLS_CONN_TLS_FAILED;
 #ifdef HAVE_MESSAGES
     MHD_DLOG (connection->daemon,
               _ ("Error: received handshake message out of context.\n"));
 #endif
     MHD_connection_close_ (connection,
                            MHD_REQUEST_TERMINATED_WITH_ERROR);
     return false;
   }
   return true;
 }


 /**
  * Set connection callback function to be used through out
  * the processing of this secure connection.
  *
  * @param connection which callbacks should be modified
  */
 void
 MHD_set_https_callbacks (struct MHD_Connection *connection)
 {
   connection->recv_cls = &recv_tls_adapter;
 }


 /**
  * Initiate shutdown of TLS layer of connection.
  *
  * @param connection to use
  * @return true if succeed, false otherwise.
  */
 bool
 MHD_tls_connection_shutdown (struct MHD_Connection *connection)
 {
   if (MHD_TLS_CONN_WR_CLOSED > connection->tls_state)
   {
     const int res =
       gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR);
     if (GNUTLS_E_SUCCESS == res)
     {
       connection->tls_state = MHD_TLS_CONN_WR_CLOSED;
       return true;
     }
     if ((GNUTLS_E_AGAIN == res) ||
         (GNUTLS_E_INTERRUPTED == res))
     {
       connection->tls_state = MHD_TLS_CONN_WR_CLOSING;
       return true;
     }
     else
       connection->tls_state = MHD_TLS_CONN_TLS_FAILED;
   }
   return false;
 }


 /* end of connection_https.c */
	/*
	This file is part of libmicrohttpd
	Copyright (C) 2007, 2008, 2010 Daniel Pittman and Christian Grothoff
	Copyright (C) 2015-2021 Karlson2k (Evgeny Grin)

	This library is free software; you can redistribute it and/or
	modify it under the terms of the GNU Lesser General Public
	License as published by the Free Software Foundation; either
	version 2.1 of the License, or (at your option) any later version.

	This library is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	Lesser General Public License for more details.

	You should have received a copy of the GNU Lesser General Public
	License along with this library; if not, write to the Free Software
	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

	*/

	/**
	* @file connection_https.c
	* @brief Methods for managing SSL/TLS connections. This file is only
	* compiled if ENABLE_HTTPS is set.
	* @author Sagie Amir
	* @author Christian Grothoff
	* @author Karlson2k (Evgeny Grin)
	*/

	#include "internal.h"
	#include "connection.h"
	#include "connection_https.h"
	#include "memorypool.h"
	#include "response.h"
	#include "mhd_mono_clock.h"
	#include <gnutls/gnutls.h>
	#include "mhd_send.h"


	/**
	* Callback for receiving data from the socket.
	*
	* @param connection the MHD_Connection structure
	* @param other where to write received data to
	* @param i maximum size of other (in bytes)
	* @return positive value for number of bytes actually received or
	* negative value for error number MHD_ERR_xxx_
	*/
	static ssize_t
	recv_tls_adapter (struct MHD_Connection *connection,
	void *other,
	size_t i)
	{
	ssize_t res;

	if (i > SSIZE_MAX)
	i = SSIZE_MAX;

	res = gnutls_record_recv (connection->tls_session,
	other,
	i);
	if ( (GNUTLS_E_AGAIN == res) \|\|
	(GNUTLS_E_INTERRUPTED == res) )
	{
	#ifdef EPOLL_SUPPORT
	if (GNUTLS_E_AGAIN == res)
	connection->epoll_state &=
	~((enum MHD_EpollState) MHD_EPOLL_STATE_READ_READY);
	#endif
	/* Any network errors means that buffer is empty. */
	connection->tls_read_ready = false;
	return MHD_ERR_AGAIN_;
	}
	if (res < 0)
	{
	connection->tls_read_ready = false;
	if ( (GNUTLS_E_DECRYPTION_FAILED == res) \|\|
	(GNUTLS_E_INVALID_SESSION == res) \|\|
	(GNUTLS_E_DECOMPRESSION_FAILED == res) \|\|
	(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER == res) \|\|
	(GNUTLS_E_UNSUPPORTED_VERSION_PACKET == res) \|\|
	(GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res) \|\|
	(GNUTLS_E_UNEXPECTED_PACKET == res) \|\|
	(GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET == res) \|\|
	(GNUTLS_E_EXPIRED == res) \|\|
	(GNUTLS_E_REHANDSHAKE == res) )
	return MHD_ERR_TLS_;
	if ( (GNUTLS_E_PULL_ERROR == res) \|\|
	(GNUTLS_E_INTERNAL_ERROR == res) \|\|
	(GNUTLS_E_CRYPTODEV_IOCTL_ERROR == res) \|\|
	(GNUTLS_E_CRYPTODEV_DEVICE_ERROR == res) )
	return MHD_ERR_PIPE_;
	#if defined(GNUTLS_E_PREMATURE_TERMINATION)
	if (GNUTLS_E_PREMATURE_TERMINATION == res)
	return MHD_ERR_CONNRESET_;
	#elif defined(GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
	if (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res)
	return MHD_ERR_CONNRESET_;
	#endif /* GNUTLS_E_UNEXPECTED_PACKET_LENGTH */
	if (GNUTLS_E_MEMORY_ERROR == res)
	return MHD_ERR_NOMEM_;
	/* Treat any other error as a hard error. */
	return MHD_ERR_NOTCONN_;
	}

	#ifdef EPOLL_SUPPORT
	/* Unlike non-TLS connections, do not reset "read-ready" if
	* received amount smaller than provided amount, as TLS
	* connections may receive data by fixed-size chunks. */
	#endif /* EPOLL_SUPPORT */

	/* Check whether TLS buffers still have some unread data. */
	connection->tls_read_ready =
	( ((size_t) res == i) &&
	(0 != gnutls_record_check_pending (connection->tls_session)) );
	return res;
	}


	/**
	* Give gnuTLS chance to work on the TLS handshake.
	*
	* @param connection connection to handshake on
	* @return true if the handshake has completed successfully
	* and we should start to read/write data,
	* false is handshake in progress or in case
	* of error
	*/
	bool
	MHD_run_tls_handshake_ (struct MHD_Connection *connection)
	{
	int ret;

	if ((MHD_TLS_CONN_INIT == connection->tls_state) \|\|
	(MHD_TLS_CONN_HANDSHAKING == connection->tls_state))
	{
	#if 0
	/* According to real-live testing, Nagel's Algorithm is not blocking
	* partial packets on just connected sockets on modern OSes. As TLS setup
	* is performed as the fist action upon socket connection, the next
	* optimisation typically is not required. If any specific OS will
	* require this optimization, it could be enabled by allowing the next
	* lines for this specific OS. */
	if (_MHD_ON != connection->sk_nodelay)
	MHD_connection_set_nodelay_state_ (connection, true);
	#endif
	ret = gnutls_handshake (connection->tls_session);
	if (ret == GNUTLS_E_SUCCESS)
	{
	/* set connection TLS state to enable HTTP processing */
	connection->tls_state = MHD_TLS_CONN_CONNECTED;
	MHD_update_last_activity_ (connection);
	return true;
	}
	if ( (GNUTLS_E_AGAIN == ret) \|\|
	(GNUTLS_E_INTERRUPTED == ret) )
	{
	connection->tls_state = MHD_TLS_CONN_HANDSHAKING;
	/* handshake not done */
	return false;
	}
	/* handshake failed */
	connection->tls_state = MHD_TLS_CONN_TLS_FAILED;
	#ifdef HAVE_MESSAGES
	MHD_DLOG (connection->daemon,
	_ ("Error: received handshake message out of context.\n"));
	#endif
	MHD_connection_close_ (connection,
	MHD_REQUEST_TERMINATED_WITH_ERROR);
	return false;
	}
	return true;
	}


	/**
	* Set connection callback function to be used through out
	* the processing of this secure connection.
	*
	* @param connection which callbacks should be modified
	*/
	void
	MHD_set_https_callbacks (struct MHD_Connection *connection)
	{
	connection->recv_cls = &recv_tls_adapter;
	}


	/**
	* Initiate shutdown of TLS layer of connection.
	*
	* @param connection to use
	* @return true if succeed, false otherwise.
	*/
	bool
	MHD_tls_connection_shutdown (struct MHD_Connection *connection)
	{
	if (MHD_TLS_CONN_WR_CLOSED > connection->tls_state)
	{
	const int res =
	gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR);
	if (GNUTLS_E_SUCCESS == res)
	{
	connection->tls_state = MHD_TLS_CONN_WR_CLOSED;
	return true;
	}
	if ((GNUTLS_E_AGAIN == res) \|\|
	(GNUTLS_E_INTERRUPTED == res))
	{
	connection->tls_state = MHD_TLS_CONN_WR_CLOSING;
	return true;
	}
	else
	connection->tls_state = MHD_TLS_CONN_TLS_FAILED;
	}
	return false;
	}


	/* end of connection_https.c */