qssl.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. #include "setup.h"
  23. #ifdef USE_QSOSSL
  24. #include <qsossl.h>
  25. #include <errno.h>
  26. #include <string.h>
  27. #ifdef HAVE_LIMITS_H
  28. # include <limits.h>
  29. #endif
  30. #include <curl/curl.h>
  31. #include "urldata.h"
  32. #include "sendf.h"
  33. #include "qssl.h"
  34. #include "sslgen.h"
  35. #include "connect.h" /* for the connect timeout */
  36. #include "select.h"
  37. #include "curl_memory.h"
  38. /* The last #include file should be: */
  39. #include "memdebug.h"
  40. int Curl_qsossl_init(void)
  41. {
  42. /* Nothing to do here. We must have connection data to initialize ssl, so
  43. * defer.
  44. */
  45. return 1;
  46. }
  47. void Curl_qsossl_cleanup(void)
  48. {
  49. /* Nothing to do. */
  50. }
  51. static CURLcode Curl_qsossl_init_session(struct SessionHandle * data)
  52. {
  53. int rc;
  54. char * certname;
  55. SSLInit initstr;
  56. SSLInitApp initappstr;
  57. /* Initialize the job for SSL according to the current parameters.
  58. * QsoSSL offers two ways to do it: SSL_Init_Application() that uses an
  59. * application identifier to select certificates in the main certificate
  60. * store, and SSL_Init() that uses named keyring files and a password.
  61. * It is not possible to have different keyrings for the CAs and the
  62. * local certificate. We thus use the certificate name to identify the
  63. * keyring if given, else the CA file name.
  64. * If the key file name is given, it is taken as the password for the
  65. * keyring in certificate file.
  66. * We first try to SSL_Init_Application(), then SSL_Init() if it failed.
  67. */
  68. certname = data->set.str[STRING_CERT];
  69. if(!certname) {
  70. certname = data->set.str[STRING_SSL_CAFILE];
  71. if(!certname)
  72. return CURLE_OK; /* Use previous setup. */
  73. }
  74. memset((char *) &initappstr, 0, sizeof initappstr);
  75. initappstr.applicationID = certname;
  76. initappstr.applicationIDLen = strlen(certname);
  77. initappstr.protocol = SSL_VERSION_CURRENT; /* TLSV1 compat. SSLV[23]. */
  78. initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
  79. rc = SSL_Init_Application(&initappstr);
  80. if(rc == SSL_ERROR_NOT_REGISTERED) {
  81. initstr.keyringFileName = certname;
  82. initstr.keyringPassword = data->set.str[STRING_KEY];
  83. initstr.cipherSuiteList = NULL; /* Use default. */
  84. initstr.cipherSuiteListLen = 0;
  85. rc = SSL_Init(&initstr);
  86. }
  87. switch (rc) {
  88. case 0: /* No error. */
  89. break;
  90. case SSL_ERROR_IO:
  91. failf(data, "SSL_Init() I/O error: %s", strerror(errno));
  92. return CURLE_SSL_CONNECT_ERROR;
  93. case SSL_ERROR_BAD_CIPHER_SUITE:
  94. return CURLE_SSL_CIPHER;
  95. case SSL_ERROR_KEYPASSWORD_EXPIRED:
  96. case SSL_ERROR_NOT_REGISTERED:
  97. return CURLE_SSL_CONNECT_ERROR;
  98. case SSL_ERROR_NO_KEYRING:
  99. return CURLE_SSL_CACERT;
  100. case SSL_ERROR_CERT_EXPIRED:
  101. return CURLE_SSL_CERTPROBLEM;
  102. default:
  103. failf(data, "SSL_Init(): %s", SSL_Strerror(rc, NULL));
  104. return CURLE_SSL_CONNECT_ERROR;
  105. }
  106. return CURLE_OK;
  107. }
  108. static CURLcode Curl_qsossl_create(struct connectdata * conn, int sockindex)
  109. {
  110. SSLHandle * h;
  111. struct ssl_connect_data * connssl = &conn->ssl[sockindex];
  112. h = SSL_Create(conn->sock[sockindex], SSL_ENCRYPT);
  113. if(!h) {
  114. failf(conn->data, "SSL_Create() I/O error: %s", strerror(errno));
  115. return CURLE_SSL_CONNECT_ERROR;
  116. }
  117. connssl->handle = h;
  118. return CURLE_OK;
  119. }
  120. static int Curl_qsossl_trap_cert(SSLHandle * h)
  121. {
  122. return 1; /* Accept certificate. */
  123. }
  124. static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
  125. {
  126. int rc;
  127. struct SessionHandle * data = conn->data;
  128. struct ssl_connect_data * connssl = &conn->ssl[sockindex];
  129. SSLHandle * h = connssl->handle;
  130. long timeout_ms;
  131. h->exitPgm = NULL;
  132. if(!data->set.ssl.verifyhost)
  133. h->exitPgm = Curl_qsossl_trap_cert;
  134. /* figure out how long time we should wait at maximum */
  135. timeout_ms = Curl_timeleft(conn, NULL, TRUE);
  136. if(timeout_ms < 0) {
  137. /* time-out, bail out, go home */
  138. failf(data, "Connection time-out");
  139. return CURLE_OPERATION_TIMEDOUT;
  140. }
  141. /* SSL_Handshake() timeout resolution is second, so round up. */
  142. h->timeout = (timeout_ms + 1000 - 1) / 1000;
  143. /* Set-up protocol. */
  144. switch (data->set.ssl.version) {
  145. default:
  146. case CURL_SSLVERSION_DEFAULT:
  147. h->protocol = SSL_VERSION_CURRENT; /* TLSV1 compat. SSLV[23]. */
  148. break;
  149. case CURL_SSLVERSION_TLSv1:
  150. h->protocol = TLS_VERSION_1;
  151. break;
  152. case CURL_SSLVERSION_SSLv2:
  153. h->protocol = SSL_VERSION_2;
  154. break;
  155. case CURL_SSLVERSION_SSLv3:
  156. h->protocol = SSL_VERSION_3;
  157. break;
  158. }
  159. rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT);
  160. switch (rc) {
  161. case 0: /* No error. */
  162. break;
  163. case SSL_ERROR_BAD_CERTIFICATE:
  164. case SSL_ERROR_BAD_CERT_SIG:
  165. case SSL_ERROR_NOT_TRUSTED_ROOT:
  166. return CURLE_PEER_FAILED_VERIFICATION;
  167. case SSL_ERROR_BAD_CIPHER_SUITE:
  168. case SSL_ERROR_NO_CIPHERS:
  169. return CURLE_SSL_CIPHER;
  170. case SSL_ERROR_CERTIFICATE_REJECTED:
  171. case SSL_ERROR_CERT_EXPIRED:
  172. case SSL_ERROR_NO_CERTIFICATE:
  173. return CURLE_SSL_CERTPROBLEM;
  174. case SSL_ERROR_IO:
  175. failf(data, "SSL_Handshake() I/O error: %s", strerror(errno));
  176. return CURLE_SSL_CONNECT_ERROR;
  177. default:
  178. failf(data, "SSL_Handshake(): %s", SSL_Strerror(rc, NULL));
  179. return CURLE_SSL_CONNECT_ERROR;
  180. }
  181. return CURLE_OK;
  182. }
  183. static Curl_recv qsossl_recv;
  184. static Curl_send qsossl_send;
  185. CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
  186. {
  187. struct SessionHandle * data = conn->data;
  188. struct ssl_connect_data * connssl = &conn->ssl[sockindex];
  189. int rc;
  190. rc = Curl_qsossl_init_session(data);
  191. if(rc == CURLE_OK) {
  192. rc = Curl_qsossl_create(conn, sockindex);
  193. if(rc == CURLE_OK)
  194. rc = Curl_qsossl_handshake(conn, sockindex);
  195. else {
  196. SSL_Destroy(connssl->handle);
  197. connssl->handle = NULL;
  198. connssl->use = FALSE;
  199. connssl->state = ssl_connection_none;
  200. }
  201. }
  202. if (rc == CURLE_OK) {
  203. connssl->state = ssl_connection_complete;
  204. conn->recv[sockindex] = qsossl_recv;
  205. conn->send[sockindex] = qsossl_send;
  206. }
  207. return rc;
  208. }
  209. static int Curl_qsossl_close_one(struct ssl_connect_data * conn,
  210. struct SessionHandle * data)
  211. {
  212. int rc;
  213. if(!conn->handle)
  214. return 0;
  215. rc = SSL_Destroy(conn->handle);
  216. if(rc) {
  217. if(rc == SSL_ERROR_IO) {
  218. failf(data, "SSL_Destroy() I/O error: %s", strerror(errno));
  219. return -1;
  220. }
  221. /* An SSL error. */
  222. failf(data, "SSL_Destroy() returned error %s", SSL_Strerror(rc, NULL));
  223. return -1;
  224. }
  225. conn->handle = NULL;
  226. return 0;
  227. }
  228. void Curl_qsossl_close(struct connectdata *conn, int sockindex)
  229. {
  230. struct SessionHandle *data = conn->data;
  231. struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  232. if(connssl->use)
  233. (void) Curl_qsossl_close_one(connssl, data);
  234. }
  235. int Curl_qsossl_close_all(struct SessionHandle * data)
  236. {
  237. /* Unimplemented. */
  238. (void) data;
  239. return 0;
  240. }
  241. int Curl_qsossl_shutdown(struct connectdata * conn, int sockindex)
  242. {
  243. struct ssl_connect_data * connssl = &conn->ssl[sockindex];
  244. struct SessionHandle *data = conn->data;
  245. ssize_t nread;
  246. int what;
  247. int rc;
  248. char buf[120];
  249. if(!connssl->handle)
  250. return 0;
  251. if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE)
  252. return 0;
  253. if(Curl_qsossl_close_one(connssl, data))
  254. return -1;
  255. rc = 0;
  256. what = Curl_socket_ready(conn->sock[sockindex],
  257. CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
  258. for (;;) {
  259. if(what < 0) {
  260. /* anything that gets here is fatally bad */
  261. failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
  262. rc = -1;
  263. break;
  264. }
  265. if(!what) { /* timeout */
  266. failf(data, "SSL shutdown timeout");
  267. break;
  268. }
  269. /* Something to read, let's do it and hope that it is the close
  270. notify alert from the server. No way to SSL_Read now, so use read(). */
  271. nread = read(conn->sock[sockindex], buf, sizeof(buf));
  272. if(nread < 0) {
  273. failf(data, "read: %s", strerror(errno));
  274. rc = -1;
  275. }
  276. if(nread <= 0)
  277. break;
  278. what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD, 0);
  279. }
  280. return rc;
  281. }
  282. static ssize_t qsossl_send(struct connectdata * conn, int sockindex,
  283. const void * mem, size_t len, CURLcode * curlcode)
  284. {
  285. /* SSL_Write() is said to return 'int' while write() and send() returns
  286. 'size_t' */
  287. int rc;
  288. rc = SSL_Write(conn->ssl[sockindex].handle, (void *) mem, (int) len);
  289. if(rc < 0) {
  290. switch(rc) {
  291. case SSL_ERROR_BAD_STATE:
  292. /* The operation did not complete; the same SSL I/O function
  293. should be called again later. This is basicly an EWOULDBLOCK
  294. equivalent. */
  295. *curlcode = CURLE_AGAIN;
  296. return -1;
  297. case SSL_ERROR_IO:
  298. switch (errno) {
  299. case EWOULDBLOCK:
  300. case EINTR:
  301. *curlcode = CURLE_AGAIN;
  302. return -1;
  303. }
  304. failf(conn->data, "SSL_Write() I/O error: %s", strerror(errno));
  305. *curlcode = CURLE_SEND_ERROR;
  306. return -1;
  307. }
  308. /* An SSL error. */
  309. failf(conn->data, "SSL_Write() returned error %s",
  310. SSL_Strerror(rc, NULL));
  311. *curlcode = CURLE_SEND_ERROR;
  312. return -1;
  313. }
  314. return (ssize_t) rc; /* number of bytes */
  315. }
  316. static ssize_t qsossl_recv(struct connectdata * conn, int num, char * buf,
  317. size_t buffersize, CURLcode * curlcode)
  318. {
  319. char error_buffer[120]; /* OpenSSL documents that this must be at
  320. least 120 bytes long. */
  321. unsigned long sslerror;
  322. int buffsize;
  323. int nread;
  324. buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
  325. nread = SSL_Read(conn->ssl[num].handle, buf, buffsize);
  326. if(nread < 0) {
  327. /* failed SSL_read */
  328. switch (nread) {
  329. case SSL_ERROR_BAD_STATE:
  330. /* there's data pending, re-invoke SSL_Read(). */
  331. *curlcode = CURLE_AGAIN;
  332. return -1;
  333. case SSL_ERROR_IO:
  334. switch (errno) {
  335. case EWOULDBLOCK:
  336. *curlcode = CURLE_AGAIN;
  337. return -1;
  338. }
  339. failf(conn->data, "SSL_Read() I/O error: %s", strerror(errno));
  340. *curlcode = CURLE_RECV_ERROR;
  341. return -1;
  342. default:
  343. failf(conn->data, "SSL read error: %s", SSL_Strerror(nread, NULL));
  344. *curlcode = CURLE_RECV_ERROR;
  345. return -1;
  346. }
  347. }
  348. return (ssize_t) nread;
  349. }
  350. size_t Curl_qsossl_version(char * buffer, size_t size)
  351. {
  352. strncpy(buffer, "IBM OS/400 SSL", size);
  353. return strlen(buffer);
  354. }
  355. int Curl_qsossl_check_cxn(struct connectdata * cxn)
  356. {
  357. int err;
  358. int errlen;
  359. /* The only thing that can be tested here is at the socket level. */
  360. if(!cxn->ssl[FIRSTSOCKET].handle)
  361. return 0; /* connection has been closed */
  362. err = 0;
  363. errlen = sizeof err;
  364. if(getsockopt(cxn->sock[FIRSTSOCKET], SOL_SOCKET, SO_ERROR,
  365. (unsigned char *) &err, &errlen) ||
  366. errlen != sizeof err || err)
  367. return 0; /* connection has been closed */
  368. return -1; /* connection status unknown */
  369. }
  370. #endif /* USE_QSOSSL */