Mercurial > ~mikael > mcabber > hg
annotate mcabber/connwrap/connwrap.c @ 938:40175f3dcef7
SSL server certificate verification
This patch enables SSL server certificate verification.
| author | Jefferson Ogata <ogata@antibozo.net> |
|---|---|
| date | Sat, 08 Jul 2006 23:32:49 +0200 |
| parents | 89aeb8fdd215 |
| children | 6be62425dc38 |
| rev | line source |
|---|---|
| 25 | 1 #include "connwrap.h" |
| 2 | |
|
302
8ca708a0d550
Remove compilation warnings in connwrap library
Mikael Berthe <mikael@lilotux.net>
parents:
235
diff
changeset
|
3 #include <stdio.h> |
|
8ca708a0d550
Remove compilation warnings in connwrap library
Mikael Berthe <mikael@lilotux.net>
parents:
235
diff
changeset
|
4 #include <stdlib.h> |
| 25 | 5 #include <netdb.h> |
| 6 #include <string.h> | |
| 7 #include <netinet/in.h> | |
| 8 #include <errno.h> | |
| 9 #include <arpa/inet.h> | |
| 10 #include <fcntl.h> | |
| 11 #include <sys/time.h> | |
| 112 | 12 #include <unistd.h> |
| 25 | 13 |
| 14 #define PROXY_TIMEOUT 10 | |
| 15 // HTTP proxy timeout in seconds (for the CONNECT method) | |
| 16 | |
| 17 #ifdef HAVE_OPENSSL | |
| 18 | |
| 19 #define OPENSSL_NO_KRB5 1 | |
| 20 #include <openssl/ssl.h> | |
| 21 #include <openssl/err.h> | |
| 22 | |
| 134 | 23 #else |
| 24 # ifdef HAVE_GNUTLS | |
| 25 # include <gnutls/openssl.h> | |
| 26 # define HAVE_OPENSSL | |
| 27 # endif | |
| 25 | 28 #endif |
| 29 | |
| 30 static int in_http_connect = 0; | |
| 31 | |
| 32 #ifdef HAVE_OPENSSL | |
| 33 | |
| 34 static SSL_CTX *ctx = 0; | |
| 35 | |
|
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
36 /* verify > 0 indicates verify depth as well */ |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
37 static int verify = -1; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
38 static const char *cafile = NULL; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
39 static const char *capath = NULL; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
40 static const char *cipherlist = NULL; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
41 static const char *peer = NULL; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
42 static const char *sslerror = NULL; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
43 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
44 static int verify_cb(int preverify_ok, X509_STORE_CTX *cx) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
45 { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
46 X509 *cert; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
47 X509_NAME *nm; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
48 int lastpos; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
49 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
50 if(!preverify_ok) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
51 long err = X509_STORE_CTX_get_error(cx); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
52 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
53 sslerror = X509_verify_cert_error_string(err); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
54 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
55 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
56 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
57 if (peer == NULL) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
58 return 1; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
59 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
60 if ((cert = X509_STORE_CTX_get_current_cert(cx)) == NULL) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
61 sslerror = "internal SSL error"; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
62 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
63 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
64 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
65 /* We only want to look at the peername if we're working on the peer |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
66 * certificate. */ |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
67 if (cert != cx->cert) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
68 return 1; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
69 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
70 if ((nm = X509_get_subject_name (cert)) == NULL) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
71 sslerror = "internal SSL error"; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
72 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
73 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
74 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
75 for(lastpos = -1; ; ) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
76 X509_NAME_ENTRY *e; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
77 ASN1_STRING *a; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
78 ASN1_STRING *p; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
79 int match; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
80 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
81 lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
82 if (lastpos == -1) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
83 break; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
84 if ((e = X509_NAME_get_entry(nm, lastpos)) == NULL) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
85 sslerror = "internal SSL error"; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
86 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
87 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
88 if ((a = X509_NAME_ENTRY_get_data(e)) == NULL) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
89 sslerror = "internal SSL error"; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
90 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
91 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
92 if ((p = ASN1_STRING_type_new(ASN1_STRING_type(a))) == NULL) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
93 sslerror = "internal SSL error"; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
94 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
95 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
96 (void) ASN1_STRING_set(p, peer, -1); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
97 match = !ASN1_STRING_cmp(a, p); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
98 ASN1_STRING_free(p); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
99 if(match) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
100 return 1; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
101 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
102 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
103 sslerror = "server certificate cn mismatch"; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
104 return 0; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
105 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
106 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
107 static void init(void) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
108 if(ctx) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
109 return; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
110 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
111 SSL_library_init(); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
112 SSL_load_error_strings(); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
113 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
114 #ifdef HAVE_SSLEAY |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
115 SSLeay_add_all_algorithms(); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
116 #else |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
117 OpenSSL_add_all_algorithms(); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
118 #endif |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
119 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
120 /* May need to use distinct SSLEAY bindings below... */ |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
121 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
122 //ctx = SSL_CTX_new(SSLv23_method()); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
123 ctx = SSL_CTX_new(SSLv23_client_method()); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
124 if(cipherlist) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
125 (void)SSL_CTX_set_cipher_list(ctx, cipherlist); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
126 if(cafile || capath) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
127 (void)SSL_CTX_load_verify_locations(ctx, cafile, capath); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
128 if(verify) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
129 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
130 if(verify > 0) |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
131 SSL_CTX_set_verify_depth(ctx, verify); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
132 } else |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
133 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
134 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
135 |
| 25 | 136 typedef struct { int fd; SSL *ssl; } sslsock; |
| 137 | |
| 138 static sslsock *socks = 0; | |
| 139 static int sockcount = 0; | |
| 140 | |
| 141 static sslsock *getsock(int fd) { | |
| 142 int i; | |
| 143 | |
| 144 for(i = 0; i < sockcount; i++) | |
| 145 if(socks[i].fd == fd) | |
| 146 return &socks[i]; | |
| 147 | |
| 148 return 0; | |
| 149 } | |
| 150 | |
| 151 static sslsock *addsock(int fd) { | |
| 152 sslsock *p; | |
| 153 socks = (sslsock *) realloc(socks, sizeof(sslsock)*++sockcount); | |
| 154 | |
| 155 p = &socks[sockcount-1]; | |
| 156 | |
|
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
157 init (); |
| 25 | 158 |
| 159 p->ssl = SSL_new(ctx); | |
| 160 SSL_set_fd(p->ssl, p->fd = fd); | |
|
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
161 sslerror = NULL; |
| 25 | 162 |
| 163 return p; | |
| 164 } | |
| 165 | |
| 166 static void delsock(int fd) { | |
| 167 int i, nsockcount; | |
| 168 sslsock *nsocks; | |
| 169 | |
| 170 nsockcount = 0; | |
| 171 nsocks = (sslsock *) malloc(sizeof(sslsock)*(sockcount-1)); | |
| 172 | |
| 173 for(i = 0; i < sockcount; i++) { | |
| 174 if(socks[i].fd != fd) { | |
| 175 nsocks[nsockcount++] = socks[i]; | |
| 176 } else { | |
| 177 SSL_free(socks[i].ssl); | |
| 178 } | |
| 179 } | |
| 180 | |
| 181 free(socks); | |
| 182 | |
| 183 socks = nsocks; | |
| 184 sockcount = nsockcount; | |
| 185 } | |
| 186 | |
|
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
187 void cw_set_ssl_options(int sslverify, const char *sslcafile, const char *sslcapath, const char *sslciphers, const char *sslpeer) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
188 verify = sslverify; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
189 cafile = sslcafile; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
190 capath = sslcapath; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
191 cipherlist = sslciphers; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
192 peer = sslpeer; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
193 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
194 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
195 const char *cw_get_ssl_error(void) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
196 return sslerror; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
197 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
198 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
199 #else |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
200 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
201 void cw_set_ssl_options(int sslverify, const char *sslcafile, const char *sslcapath, const char *sslciphers, const char *sslpeer) { } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
202 |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
203 const char *cw_get_ssl_error(void) { |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
204 return NULL; |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
205 } |
|
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
206 |
| 25 | 207 #endif |
| 208 | |
| 209 static char *bindaddr = 0, *proxyhost = 0, *proxyuser = 0, *proxypass = 0; | |
| 210 static int proxyport = 3128; | |
| 211 static int proxy_ssl = 0; | |
| 212 | |
| 213 #define SOCKOUT(s) write(sockfd, s, strlen(s)) | |
| 214 | |
| 215 int cw_http_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen) { | |
| 216 int err, pos, fl; | |
| 217 struct hostent *server; | |
| 218 struct sockaddr_in paddr; | |
| 219 char buf[512]; | |
| 220 fd_set rfds; | |
| 221 | |
|
400
e536ab271584
Kill a warning in the connwrap library
Mikael Berthe <mikael@lilotux.net>
parents:
302
diff
changeset
|
222 fl = 0; |
| 25 | 223 err = 0; |
| 224 in_http_connect = 1; | |
| 225 | |
| 226 if(!(server = gethostbyname(proxyhost))) { | |
| 227 errno = h_errno; | |
| 228 err = -1; | |
| 229 } | |
| 230 | |
| 231 if(!err) { | |
| 232 memset(&paddr, 0, sizeof(paddr)); | |
| 233 paddr.sin_family = AF_INET; | |
| 234 memcpy(&paddr.sin_addr.s_addr, *server->h_addr_list, server->h_length); | |
| 235 paddr.sin_port = htons(proxyport); | |
| 236 | |
| 237 fl = fcntl(sockfd, F_GETFL); | |
| 238 fcntl(sockfd, F_SETFL, fl & ~O_NONBLOCK); | |
| 239 | |
| 240 buf[0] = 0; | |
| 241 | |
| 242 err = cw_connect(sockfd, (struct sockaddr *) &paddr, sizeof(paddr), proxy_ssl); | |
| 243 } | |
| 244 | |
| 245 errno = ECONNREFUSED; | |
| 246 | |
| 247 if(!err) { | |
| 248 struct sockaddr_in *sin = (struct sockaddr_in *) serv_addr; | |
| 249 char *ip = inet_ntoa(sin->sin_addr), c; | |
| 250 struct timeval tv; | |
| 251 | |
| 252 sprintf(buf, "%d", ntohs(sin->sin_port)); | |
| 253 SOCKOUT("CONNECT "); | |
| 254 SOCKOUT(ip); | |
| 255 SOCKOUT(":"); | |
| 256 SOCKOUT(buf); | |
| 257 SOCKOUT(" HTTP/1.0\r\n"); | |
| 258 | |
| 259 if(proxyuser) { | |
| 260 char *b; | |
| 261 SOCKOUT("Proxy-Authorization: Basic "); | |
| 262 | |
|
427
ac85ce87f539
Fix buffer overflow in cw_setproxy()
Mikael Berthe <mikael@lilotux.net>
parents:
414
diff
changeset
|
263 snprintf(buf, sizeof(buf), "%s:%s", proxyuser, proxypass); |
| 25 | 264 b = cw_base64_encode(buf); |
| 265 SOCKOUT(b); | |
| 266 free(b); | |
| 267 | |
| 268 SOCKOUT("\r\n"); | |
| 269 } | |
| 270 | |
| 271 SOCKOUT("\r\n"); | |
| 272 | |
| 273 buf[0] = 0; | |
| 274 | |
| 275 while(err != -1) { | |
| 276 FD_ZERO(&rfds); | |
| 277 FD_SET(sockfd, &rfds); | |
| 278 | |
| 279 tv.tv_sec = PROXY_TIMEOUT; | |
| 280 tv.tv_usec = 0; | |
| 281 | |
| 282 err = select(sockfd+1, &rfds, 0, 0, &tv); | |
| 283 | |
| 284 if(err < 1) err = -1; | |
| 285 | |
| 286 if(err != -1 && FD_ISSET(sockfd, &rfds)) { | |
| 287 err = read(sockfd, &c, 1); | |
| 288 if(!err) err = -1; | |
| 289 | |
| 290 if(err != -1) { | |
| 291 pos = strlen(buf); | |
| 292 buf[pos] = c; | |
| 293 buf[pos+1] = 0; | |
| 294 | |
| 295 if(strlen(buf) > 4) | |
| 296 if(!strcmp(buf+strlen(buf)-4, "\r\n\r\n")) | |
| 297 break; | |
| 298 } | |
| 299 } | |
| 300 } | |
| 301 } | |
| 302 | |
| 303 if(err != -1 && strlen(buf)) { | |
| 304 char *p = strstr(buf, " "); | |
| 305 | |
| 306 err = -1; | |
| 307 | |
| 308 if(p) | |
| 309 if(atoi(++p) == 200) | |
| 310 err = 0; | |
| 311 | |
| 312 fcntl(sockfd, F_SETFL, fl); | |
| 313 if(fl & O_NONBLOCK) { | |
| 314 errno = EINPROGRESS; | |
| 315 err = -1; | |
| 316 } | |
| 317 } | |
| 318 | |
| 319 in_http_connect = 0; | |
| 320 | |
| 321 return err; | |
| 322 } | |
| 323 | |
| 324 int cw_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen, int ssl) { | |
| 325 int rc; | |
| 326 struct sockaddr_in ba; | |
| 327 | |
| 328 if(bindaddr) | |
| 329 if(strlen(bindaddr)) { | |
| 330 #ifdef HAVE_INET_ATON | |
| 331 struct in_addr addr; | |
| 332 rc = inet_aton(bindaddr, &addr); | |
| 333 ba.sin_addr.s_addr = addr.s_addr; | |
| 334 #else | |
| 335 rc = inet_pton(AF_INET, bindaddr, &ba); | |
| 336 #endif | |
| 337 | |
| 338 if(rc) { | |
| 339 ba.sin_port = 0; | |
| 340 rc = bind(sockfd, (struct sockaddr *) &ba, sizeof(ba)); | |
| 341 } else { | |
| 342 rc = -1; | |
| 343 } | |
| 344 | |
| 345 if(rc) return rc; | |
| 346 } | |
| 347 | |
| 348 if(proxyhost && !in_http_connect) rc = cw_http_connect(sockfd, serv_addr, addrlen); | |
| 349 else rc = connect(sockfd, serv_addr, addrlen); | |
| 350 | |
| 351 #ifdef HAVE_OPENSSL | |
| 352 if(ssl && !rc) { | |
| 353 sslsock *p = addsock(sockfd); | |
| 354 if(SSL_connect(p->ssl) != 1) | |
| 355 return -1; | |
| 356 } | |
| 357 #endif | |
| 358 | |
| 359 return rc; | |
| 360 } | |
| 361 | |
| 362 int cw_nb_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen, int ssl, int *state) { | |
| 363 int rc = 0; | |
| 364 struct sockaddr_in ba; | |
| 365 | |
| 366 if(bindaddr) | |
| 367 if(strlen(bindaddr)) { | |
| 368 #ifdef HAVE_INET_ATON | |
| 369 struct in_addr addr; | |
| 370 rc = inet_aton(bindaddr, &addr); | |
| 371 ba.sin_addr.s_addr = addr.s_addr; | |
| 372 #else | |
| 373 rc = inet_pton(AF_INET, bindaddr, &ba); | |
| 374 #endif | |
| 375 | |
| 376 if(rc) { | |
| 377 ba.sin_port = 0; | |
| 378 rc = bind(sockfd, (struct sockaddr *) &ba, sizeof(ba)); | |
| 379 } else { | |
| 380 rc = -1; | |
| 381 } | |
| 382 | |
| 383 if(rc) return rc; | |
| 384 } | |
| 385 | |
| 386 #ifdef HAVE_OPENSSL | |
| 387 if(ssl) { | |
| 388 if ( !(*state & CW_CONNECT_WANT_SOMETHING)) | |
| 389 rc = cw_connect(sockfd, serv_addr, addrlen, 0); | |
| 390 else{ /* check if the socket is connected correctly */ | |
| 391 int optlen = sizeof(int), optval; | |
| 235 | 392 if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, (socklen_t*)&optlen) || optval) |
| 25 | 393 return -1; |
| 394 } | |
| 395 | |
| 396 if(!rc) { | |
| 397 sslsock *p; | |
| 398 if (*state & CW_CONNECT_SSL) | |
| 399 p = getsock(sockfd); | |
| 400 else | |
| 401 p = addsock(sockfd); | |
|
414
ec86d759ed54
Trailing whitespace cleanup
Mikael Berthe <mikael@lilotux.net>
parents:
409
diff
changeset
|
402 |
| 25 | 403 rc = SSL_connect(p->ssl); |
| 404 switch(rc){ | |
| 405 case 1: | |
| 406 *state = 0; | |
| 407 return 0; | |
| 408 case 0: | |
| 409 return -1; | |
| 410 default: | |
| 411 switch (SSL_get_error(p->ssl, rc)){ | |
| 412 case SSL_ERROR_WANT_READ: | |
| 413 *state = CW_CONNECT_SSL | CW_CONNECT_WANT_READ; | |
| 414 return 0; | |
| 415 case SSL_ERROR_WANT_WRITE: | |
| 416 *state = CW_CONNECT_SSL | CW_CONNECT_WANT_WRITE; | |
| 417 return 0; | |
| 418 default: | |
| 419 return -1; | |
| 420 } | |
| 421 } | |
| 422 } | |
| 423 else{ /* catch EINPROGRESS error from the connect call */ | |
| 424 if (errno == EINPROGRESS){ | |
| 425 *state = CW_CONNECT_STARTED | CW_CONNECT_WANT_WRITE; | |
| 426 return 0; | |
| 427 } | |
| 428 } | |
| 429 | |
| 430 return rc; | |
| 431 } | |
| 432 #endif | |
| 433 if ( !(*state & CW_CONNECT_WANT_SOMETHING)) | |
| 434 rc = connect(sockfd, serv_addr, addrlen); | |
| 435 else{ /* check if the socket is connected correctly */ | |
| 436 int optlen = sizeof(int), optval; | |
| 235 | 437 if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, (socklen_t*)&optlen) || optval) |
| 25 | 438 return -1; |
| 439 *state = 0; | |
| 440 return 0; | |
| 441 } | |
| 442 if (rc) | |
| 443 if (errno == EINPROGRESS){ | |
| 444 *state = CW_CONNECT_STARTED | CW_CONNECT_WANT_WRITE; | |
| 445 return 0; | |
| 446 } | |
| 447 return rc; | |
| 448 } | |
| 449 | |
| 450 int cw_accept(int s, struct sockaddr *addr, int *addrlen, int ssl) { | |
| 451 #ifdef HAVE_OPENSSL | |
| 452 int rc; | |
| 453 | |
| 454 if(ssl) { | |
| 235 | 455 rc = accept(s, addr, (socklen_t*)addrlen); |
| 25 | 456 |
| 457 if(!rc) { | |
| 458 sslsock *p = addsock(s); | |
| 459 if(SSL_accept(p->ssl) != 1) | |
| 460 return -1; | |
| 461 | |
| 462 } | |
| 463 | |
| 464 return rc; | |
| 465 } | |
| 466 #endif | |
| 235 | 467 return accept(s, addr, (socklen_t*)addrlen); |
| 25 | 468 } |
| 469 | |
| 470 int cw_write(int fd, const void *buf, int count, int ssl) { | |
| 471 #ifdef HAVE_OPENSSL | |
| 472 sslsock *p; | |
| 473 | |
| 474 if(ssl) | |
| 235 | 475 if((p = getsock(fd)) != NULL) |
| 25 | 476 return SSL_write(p->ssl, buf, count); |
| 477 #endif | |
| 478 return write(fd, buf, count); | |
| 479 } | |
| 480 | |
| 481 int cw_read(int fd, void *buf, int count, int ssl) { | |
| 482 #ifdef HAVE_OPENSSL | |
| 483 sslsock *p; | |
| 484 | |
| 485 if(ssl) | |
| 235 | 486 if((p = getsock(fd)) != NULL) |
| 25 | 487 return SSL_read(p->ssl, buf, count); |
| 488 #endif | |
| 489 return read(fd, buf, count); | |
| 490 } | |
| 491 | |
| 235 | 492 void cw_close(int fd) { |
| 25 | 493 #ifdef HAVE_OPENSSL |
| 494 delsock(fd); | |
| 495 #endif | |
| 496 close(fd); | |
| 497 } | |
| 498 | |
| 499 #define FREEVAR(v) if(v) free(v), v = 0; | |
| 500 | |
| 501 void cw_setbind(const char *abindaddr) { | |
| 502 FREEVAR(bindaddr); | |
| 503 bindaddr = strdup(abindaddr); | |
| 504 } | |
| 505 | |
| 506 void cw_setproxy(const char *aproxyhost, int aproxyport, const char *aproxyuser, const char *aproxypass) { | |
| 507 FREEVAR(proxyhost); | |
| 508 FREEVAR(proxyuser); | |
| 509 FREEVAR(proxypass); | |
| 510 | |
| 511 if(aproxyhost && strlen(aproxyhost)) proxyhost = strdup(aproxyhost); | |
| 512 if(aproxyuser && strlen(aproxyuser)) proxyuser = strdup(aproxyuser); | |
| 513 if(aproxypass && strlen(aproxypass)) proxypass = strdup(aproxypass); | |
| 514 proxyport = aproxyport; | |
| 515 } | |
| 516 | |
| 517 char *cw_base64_encode(const char *in) { | |
| 518 static char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"; | |
| 519 | |
| 520 int j = 0; | |
| 521 int inlen = strlen(in); | |
| 522 char *out = (char *) malloc(inlen*4+1), c; | |
| 523 | |
| 524 for(out[0] = 0; inlen >= 3; inlen -= 3) { | |
| 525 strncat(out, &base64digits[ in[j] >> 2 ], 1); | |
| 526 strncat(out, &base64digits[ ((in[j] << 4) & 0x30) | (in[j+1] >> 4) ], 1); | |
| 527 strncat(out, &base64digits[ ((in[j+1] << 2) & 0x3c) | (in[j+2] >> 6) ], 1); | |
| 528 strncat(out, &base64digits[ in[j+2] & 0x3f ], 1); | |
| 529 j += 3; | |
| 530 } | |
| 531 | |
| 532 if(inlen > 0) { | |
| 533 unsigned char fragment; | |
| 534 | |
| 535 strncat(out, &base64digits[in[j] >> 2], 1); | |
| 536 fragment = (in[j] << 4) & 0x30; | |
| 537 | |
| 538 if(inlen > 1) | |
| 539 fragment |= in[j+1] >> 4; | |
| 540 | |
| 541 strncat(out, &base64digits[fragment], 1); | |
| 542 | |
| 543 c = (inlen < 2) ? '-' : base64digits[ (in[j+1] << 2) & 0x3c ]; | |
| 544 strncat(out, &c, 1); | |
| 545 c = '-'; | |
| 546 strncat(out, &c, 1); | |
| 547 } | |
|
414
ec86d759ed54
Trailing whitespace cleanup
Mikael Berthe <mikael@lilotux.net>
parents:
409
diff
changeset
|
548 |
| 25 | 549 return out; |
| 550 } |