Add key comparison for signatures & use user-provided PGP keys for encryption
When we receive a signed presence/message, we check that the key used matches
the one which has been set with "/pgp setkey".
If provided, we use this key for encryption too.
author | Mikael Berthe <mikael@lilotux.net> |
---|---|
date | Sat, 02 Dec 2006 13:11:44 +0100 |
parents | 3225a1ba050d |
children | eb38963e082f |
25 | 1 #include "connwrap.h" |
2 | |
3 #include <stdio.h> |
4 #include <stdlib.h> |
25 | 5 #include <netdb.h> |
6 #include <string.h> | |
7 #include <netinet/in.h> | |
8 #include <errno.h> | |
9 #include <arpa/inet.h> | |
10 #include <fcntl.h> | |
11 #include <sys/time.h> | |
112 | 12 #include <unistd.h> |
25 | 13 |
14 #define PROXY_TIMEOUT 10 | |
15 // HTTP proxy timeout in seconds (for the CONNECT method) | |
16 | |
17 #ifdef HAVE_OPENSSL | |
18 | |
19 #define OPENSSL_NO_KRB5 1 | |
20 #include <openssl/ssl.h> | |
21 #include <openssl/err.h> | |
22 | |
134 | 23 #else |
24 # ifdef HAVE_GNUTLS | |
25 # include <gnutls/openssl.h> | |
26 # define HAVE_OPENSSL | |
27 # endif | |
25 | 28 #endif |
29 | |
/* Set while cw_http_connect() is running so that the cw_connect() it uses to
 * reach the proxy does not recurse back into the proxy handshake. */
static int in_http_connect = 0;

#ifdef HAVE_OPENSSL

/* Single shared client context: created lazily by init(), released by
 * delsock() once no tracked SSL socket is left. */
static SSL_CTX *ctx = 0;

/* verify > 0 indicates verify depth as well */
/* Settings recorded by cw_set_ssl_options() and consumed by init() when the
 * context is built.  verify == 0 disables peer certificate verification
 * altogether (SSL_VERIFY_NONE); the default -1 verifies the peer with
 * OpenSSL's default depth. */
static int verify = -1;
static const char *cafile = NULL;     /* CA bundle file, or NULL */
static const char *capath = NULL;     /* CA directory, or NULL */
static const char *cipherlist = NULL; /* OpenSSL cipher string, or NULL */
/* Expected commonName of the server certificate; NULL skips the name check
 * in verify_cb(). */
static const char *peer = NULL;
/* Last handshake/verification failure, a static string returned by
 * cw_get_ssl_error(); reset to NULL by addsock(). */
static const char *sslerror = NULL;

/* OpenSSL verify callback installed by init() when `verify` is non-zero.
 *
 * preverify_ok: outcome of OpenSSL's own chain verification for this cert.
 * cx:           verification context of the certificate being examined.
 * Returns 1 to accept the certificate and 0 to reject it; on rejection a
 * static message is left in `sslerror` for cw_get_ssl_error().
 *
 * On top of the chain check, the leaf certificate's commonName entries are
 * compared byte-for-byte with `peer`.  Only NID_commonName is consulted: no
 * subjectAltName lookup and no wildcard matching is performed here.
 */
static int verify_cb(int preverify_ok, X509_STORE_CTX *cx)
{
  X509 *cert;
  X509_NAME *nm;
  int lastpos;

  /* OpenSSL already rejected this certificate: record why and fail. */
  if(!preverify_ok) {
    long err = X509_STORE_CTX_get_error(cx);

    sslerror = X509_verify_cert_error_string(err);
    return 0;
  }

  /* No expected peer name configured: chain validity alone decides. */
  if (peer == NULL)
    return 1;

  if ((cert = X509_STORE_CTX_get_current_cert(cx)) == NULL) {
    sslerror = "internal SSL error";
    return 0;
  }

  /* We only want to look at the peername if we're working on the peer
   * certificate. */
  /* NOTE(review): direct access to cx->cert; X509_STORE_CTX is opaque in
   * OpenSSL >= 1.1.0, where X509_STORE_CTX_get0_cert() is the accessor. */
  if (cert != cx->cert)
    return 1;

  if ((nm = X509_get_subject_name (cert)) == NULL) {
    sslerror = "internal SSL error";
    return 0;
  }

  /* Walk every CN entry of the subject; the first exact match accepts. */
  for(lastpos = -1; ; ) {
    X509_NAME_ENTRY *e;
    ASN1_STRING *a;
    ASN1_STRING *p;
    int match;

    lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
    if (lastpos == -1)
      break;
    if ((e = X509_NAME_get_entry(nm, lastpos)) == NULL) {
      sslerror = "internal SSL error";
      return 0;
    }
    if ((a = X509_NAME_ENTRY_get_data(e)) == NULL) {
      sslerror = "internal SSL error";
      return 0;
    }
    /* Wrap `peer` in an ASN1_STRING of the same type as the CN entry so that
     * ASN1_STRING_cmp compares like with like (length -1 = use strlen).  A
     * failed ASN1_STRING_set leaves p empty, which simply fails to match. */
    if ((p = ASN1_STRING_type_new(ASN1_STRING_type(a))) == NULL) {
      sslerror = "internal SSL error";
      return 0;
    }
    (void) ASN1_STRING_set(p, peer, -1);
    match = !ASN1_STRING_cmp(a, p);
    ASN1_STRING_free(p);
    if(match)
      return 1;
  }

  /* No CN matched the configured peer name. */
  sslerror = "server certificate cn mismatch";
  return 0;
}
106 |
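/* Build the shared client SSL_CTX from the values recorded by
 * cw_set_ssl_options().  Idempotent: returns at once while a context exists,
 * so option changes only take effect after delsock() has released it.
 *
 * On failure to create the context, `ctx` stays NULL and `sslerror` is set;
 * callers must therefore not assume `ctx` is non-NULL after init() returns.
 */
static void init(void) {
  if(ctx)
    return;

  SSL_library_init();
  SSL_load_error_strings();

#ifdef HAVE_SSLEAY
  SSLeay_add_all_algorithms();
#else
  OpenSSL_add_all_algorithms();
#endif

  /* May need to use distinct SSLEAY bindings below... */

  /* NOTE(review): SSLv23_client_method() is the legacy "negotiate highest
   * version" method; newer OpenSSL spells it TLS_client_method(). */
  ctx = SSL_CTX_new(SSLv23_client_method());
  if(!ctx) {
    /* Every SSL_CTX_* call below dereferences ctx; bail out instead. */
    sslerror = "could not create SSL context";
    return;
  }
  if(cipherlist)
    (void)SSL_CTX_set_cipher_list(ctx, cipherlist);
  /* A failed load is not fatal here: with no trust anchors loaded, chain
   * verification presumably fails later in verify_cb() instead. */
  if(cafile || capath)
    (void)SSL_CTX_load_verify_locations(ctx, cafile, capath);
  if(verify) {
    /* SSL_VERIFY_PEER makes a verify_cb() rejection abort the handshake. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb);
    if(verify > 0)
      SSL_CTX_set_verify_depth(ctx, verify);
  } else
    /* verify == 0: the server certificate is not checked at all. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
}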
135 |
/* One tracked SSL connection: the descriptor and the SSL object bound to it
 * by addsock(). */
typedef struct { int fd; SSL *ssl; } sslsock;

/* Table of tracked SSL sockets, maintained by addsock()/delsock() and searched
 * by getsock(); `sockcount` entries, NULL/0 when empty. */
static sslsock *socks = 0;
static int sockcount = 0;
140 | |
/* Look up the tracked SSL entry for `fd`.
 * Returns the first matching entry in table order, or 0 when `fd` is not
 * an SSL socket known to this library. */
static sslsock *getsock(int fd) {
  int idx;

  for (idx = 0; idx < sockcount; idx++) {
    sslsock *entry = &socks[idx];
    if (entry->fd == fd)
      return entry;
  }

  return 0;
}
150 | |
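/* Create an SSL object for `fd` and append it to the tracked socket table.
 *
 * Returns the new entry, or NULL when the table could not be grown or no SSL
 * object could be created; in that case nothing is recorded and `sslerror`
 * describes the failure.  On success `sslerror` is reset to NULL.
 */
static sslsock *addsock(int fd) {
  sslsock *p, *grown;

  /* Grow through a temporary: assigning realloc()'s result straight to
   * `socks` would lose the existing table on failure.  realloc(NULL, n)
   * behaves as malloc(n), so the empty-table case needs no special path. */
  grown = (sslsock *) realloc(socks, sizeof(sslsock)*(sockcount+1));
  if (!grown) {
    sslerror = "out of memory";
    return NULL;
  }
  socks = grown;
  p = &socks[sockcount];

  init ();

  /* init() may leave ctx NULL; SSL_new() itself may also fail. */
  p->ssl = ctx ? SSL_new(ctx) : NULL;
  if (!p->ssl) {
    /* The slot past sockcount stays unused until the next successful add. */
    sslerror = "could not create SSL object";
    return NULL;
  }
  sockcount++;

  SSL_set_fd(p->ssl, p->fd = fd);
  sslerror = NULL;

  return p;
}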
169 | |
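/* Forget the SSL entry for `fd`, if any, freeing its SSL object.  When the
 * table becomes (or already is) empty, the table and the shared context are
 * released too, so the next connection rebuilds the context via init().
 *
 * A descriptor that is not tracked is a no-op: cw_close() calls this for
 * every socket, plain or SSL, so an unknown fd must never disturb the table
 * (the previous version copied into an undersized array in that case and,
 * with a single tracked socket, dropped it without freeing it).
 */
static void delsock(int fd) {
  int i, nsockcount;

  /* Compact the table in place, releasing the matching entry's SSL object. */
  nsockcount = 0;
  for(i = 0; i < sockcount; i++) {
    if(socks[i].fd != fd) {
      socks[nsockcount++] = socks[i];
    } else {
      SSL_free(socks[i].ssl);
    }
  }
  sockcount = nsockcount;

  if (sockcount == 0) {
    free(socks);
    socks = 0;
    if (ctx)
      SSL_CTX_free(ctx);
    ctx = 0;
  }
}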
199 | |
/* Record the SSL settings that init() applies when it builds the context.
 *
 * sslverify:  0 disables certificate verification; > 0 also sets the
 *             verification depth; any other non-zero value verifies with
 *             the default depth.
 * sslcafile / sslcapath:  CA bundle file / directory (either may be NULL).
 * sslciphers: OpenSSL cipher list string, or NULL for the default.
 * sslpeer:    expected certificate commonName, or NULL to skip that check.
 *
 * Only the pointers are stored, not copies: every string passed here must
 * remain valid for as long as SSL connections may be opened.  Since init()
 * only runs while no context exists, new values take effect once the
 * current context has been released by delsock().
 */
void cw_set_ssl_options(int sslverify, const char *sslcafile, const char *sslcapath, const char *sslciphers, const char *sslpeer) {
  peer = sslpeer;
  cipherlist = sslciphers;
  capath = sslcapath;
  cafile = sslcafile;
  verify = sslverify;
}
207 |
/* Return the message left by the last failed verification/handshake step
 * (a static string), or NULL when none is pending.  The value is reset by
 * addsock() when a new SSL socket is set up. */
const char *cw_get_ssl_error(void) {
  return sslerror;
}
211 |
212 #else |
213 |
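/* No-SSL build: the options have nowhere to go, so this only keeps the
 * public interface identical to the OpenSSL build.  The casts silence
 * unused-parameter warnings without changing behaviour. */
void cw_set_ssl_options(int sslverify, const char *sslcafile, const char *sslcapath, const char *sslciphers, const char *sslpeer) {
  (void)sslverify;
  (void)sslcafile;
  (void)sslcapath;
  (void)sslciphers;
  (void)sslpeer;
}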
215 |
/* No-SSL build: there is never a pending SSL error, so always NULL. */
const char *cw_get_ssl_error(void) {
  return NULL;
}
219 |
25 | 220 #endif |
221 | |
/* Owned copies (strdup) set by cw_setbind()/cw_setproxy(); 0 when unset.
 * proxyuser/proxypass are only stored when non-empty. */
static char *bindaddr = 0, *proxyhost = 0, *proxyuser = 0, *proxypass = 0;
static int proxyport = 3128;
/* Whether the connection to the proxy itself goes through SSL (passed as the
 * `ssl` argument of cw_connect() in cw_http_connect()). */
static int proxy_ssl = 0;

/* Write a NUL-terminated string to `sockfd` (a local of the caller).  The
 * return value of write() is discarded, so short writes go unnoticed. */
#define SOCKOUT(s) write(sockfd, s, strlen(s))
227 | |
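/* Tunnel `sockfd` through the configured HTTP proxy with a CONNECT request
 * for the destination in `serv_addr` (treated as a sockaddr_in: IPv4 only).
 *
 * sockfd:    an unconnected socket.  It is switched to blocking mode for the
 *            CONNECT exchange; the original flags are restored on every path.
 * serv_addr: the final destination the proxy should connect to.
 * addrlen:   not used (the destination is always read as sockaddr_in).
 * Returns 0 on success, -1 on failure with errno set.  When the socket was
 * non-blocking on entry, a *successful* CONNECT is still reported as -1 with
 * errno == EINPROGRESS so that cw_nb_connect()'s state machine carries on;
 * a rejected CONNECT keeps errno == ECONNREFUSED (previously it too was
 * turned into EINPROGRESS, which made the caller treat it as pending).
 *
 * `in_http_connect` is raised while this runs so that the cw_connect() used
 * to reach the proxy does not recurse into this function.
 */
int cw_http_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen) {
  int err, pos, fl, fl_saved;
  struct hostent *server;
  struct sockaddr_in paddr;
  char buf[512];
  fd_set rfds;

  fl = 0;
  fl_saved = 0;
  err = 0;
  in_http_connect = 1;

  /* NOTE(review): gethostbyname() is IPv4-oriented and not reentrant;
   * getaddrinfo() would be the modern replacement. */
  if(!(server = gethostbyname(proxyhost))) {
    errno = h_errno;
    err = -1;
  }

  /* Only an AF_INET answer fits into paddr.sin_addr; anything longer would
   * overrun that 4-byte field in the memcpy below. */
  if(!err && (server->h_addrtype != AF_INET ||
              server->h_length != (int) sizeof(paddr.sin_addr))) {
    errno = EAFNOSUPPORT;
    err = -1;
  }

  if(!err) {
    memset(&paddr, 0, sizeof(paddr));
    paddr.sin_family = AF_INET;
    memcpy(&paddr.sin_addr, *server->h_addr_list, server->h_length);
    paddr.sin_port = htons(proxyport);

    /* The CONNECT exchange is synchronous: force blocking mode, remembering
     * the flags so they can be put back. */
    fl = fcntl(sockfd, F_GETFL);
    if(fl != -1) {
      fcntl(sockfd, F_SETFL, fl & ~O_NONBLOCK);
      fl_saved = 1;
    }

    buf[0] = 0;

    err = cw_connect(sockfd, (struct sockaddr *) &paddr, sizeof(paddr), proxy_ssl);
  }

  errno = ECONNREFUSED;

  if(!err) {
    struct sockaddr_in *sin = (struct sockaddr_in *) serv_addr;
    char *ip = inet_ntoa(sin->sin_addr), c;
    struct timeval tv;

    snprintf(buf, sizeof(buf), "%d", ntohs(sin->sin_port));
    SOCKOUT("CONNECT ");
    SOCKOUT(ip);
    SOCKOUT(":");
    SOCKOUT(buf);
    SOCKOUT(" HTTP/1.0\r\n");

    if(proxyuser) {
      char *b;
      SOCKOUT("Proxy-Authorization: Basic ");

      /* cw_setproxy() leaves proxypass 0 when no password was given; "%s"
       * with a null pointer is undefined, so send an empty password. */
      snprintf(buf, sizeof(buf), "%s:%s", proxyuser, proxypass ? proxypass : "");
      b = cw_base64_encode(buf);
      if(b) {
        SOCKOUT(b);
        free(b);
      }

      SOCKOUT("\r\n");
    }

    SOCKOUT("\r\n");

    buf[0] = 0;

    /* Read the proxy's reply byte by byte until the blank line ending the
     * headers, giving up after PROXY_TIMEOUT seconds without data. */
    while(err != -1) {
      FD_ZERO(&rfds);
      FD_SET(sockfd, &rfds);

      tv.tv_sec = PROXY_TIMEOUT;
      tv.tv_usec = 0;

      err = select(sockfd+1, &rfds, 0, 0, &tv);

      if(err < 1) err = -1;

      if(err != -1 && FD_ISSET(sockfd, &rfds)) {
        err = read(sockfd, &c, 1);
        if(!err) err = -1;

        if(err != -1) {
          pos = strlen(buf);
          /* A reply that does not terminate within buf[] is rejected rather
           * than written past the end of the array. */
          if(pos >= (int) sizeof(buf) - 1) {
            err = -1;
            break;
          }
          buf[pos] = c;
          buf[pos+1] = 0;

          if(pos+1 > 4 && !strcmp(buf+pos+1-4, "\r\n\r\n"))
            break;
        }
      }
    }
  }

  if(err != -1 && strlen(buf)) {
    /* Status line looks like "HTTP/1.x NNN ..."; only 200 means the tunnel
     * is established. */
    char *p = strstr(buf, " ");

    err = -1;

    if(p)
      if(atoi(++p) == 200)
        err = 0;
  }

  /* Put the caller's descriptor flags back whatever the outcome. */
  if(fl_saved) {
    fcntl(sockfd, F_SETFL, fl);
    if(!err && (fl & O_NONBLOCK)) {
      errno = EINPROGRESS;
      err = -1;
    }
  }

  in_http_connect = 0;

  return err;
}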
336 | |
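/* Blocking connect, optionally through the HTTP proxy and/or with an SSL
 * handshake on top.
 *
 * sockfd / serv_addr / addrlen: as for connect(2).
 * ssl: non-zero to run SSL_connect() once the TCP connection is up
 *      (only when built with HAVE_OPENSSL; ignored otherwise).
 * Returns 0 on success; otherwise the failing bind()/connect() result (-1)
 * or -1 when the SSL handshake fails.  A socket whose handshake failed stays
 * registered in the SSL table until cw_close() removes it.
 *
 * If a local address was set with cw_setbind(), the socket is bound to it
 * (port 0, i.e. any) before connecting.
 */
int cw_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen, int ssl) {
  int rc;
  struct sockaddr_in ba;

  if(bindaddr && strlen(bindaddr)) {
    /* The address family must be filled in for bind() to accept it, and the
     * parsed address must land in sin_addr rather than at the start of the
     * struct (which would clobber sin_family/sin_port). */
    memset(&ba, 0, sizeof(ba));
    ba.sin_family = AF_INET;
    ba.sin_port = 0;
#ifdef HAVE_INET_ATON
    {
      struct in_addr addr;
      rc = inet_aton(bindaddr, &addr);
      ba.sin_addr.s_addr = addr.s_addr;
    }
#else
    rc = inet_pton(AF_INET, bindaddr, &ba.sin_addr);
#endif

    /* inet_aton()/inet_pton() report success as a positive value (inet_pton
     * returns -1 on error, which must not count as success). */
    if(rc > 0) {
      rc = bind(sockfd, (struct sockaddr *) &ba, sizeof(ba));
    } else {
      rc = -1;
    }

    if(rc) return rc;
  }

  /* cw_http_connect() calls back into us with in_http_connect set to reach
   * the proxy itself; that inner call must use a plain connect(). */
  if(proxyhost && !in_http_connect) rc = cw_http_connect(sockfd, serv_addr, addrlen);
  else rc = connect(sockfd, serv_addr, addrlen);

#ifdef HAVE_OPENSSL
  if(ssl && !rc) {
    sslsock *p = addsock(sockfd);
    if(p == NULL || SSL_connect(p->ssl) != 1)
      return -1;
  }
#endif

  return rc;
}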
374 | |
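/* Non-blocking connect driven by the caller through *state.
 *
 * sockfd / serv_addr / addrlen: as for connect(2); sockfd is expected to be
 *            non-blocking (EINPROGRESS from connect() is what starts the
 *            state machine).
 * ssl:       non-zero to follow the TCP connect with an SSL handshake
 *            (HAVE_OPENSSL builds only).
 * state:     in/out.  0 starts a new connection; on return it holds
 *            CW_CONNECT_STARTED/CW_CONNECT_SSL combined with a
 *            CW_CONNECT_WANT_READ/WRITE flag when the caller must wait for
 *            the socket and call again, or 0 when the connection is complete.
 * Returns 0 while the connection is progressing or done, -1 on failure
 * (or the failing bind() result).
 *
 * The local bind requested via cw_setbind() is done only when starting a
 * fresh plain connection: a continuation call already has a bound socket
 * (bind() on it would fail), and the SSL path delegates the bind to
 * cw_connect().
 */
int cw_nb_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen, int ssl, int *state) {
  int rc = 0;
  int fresh = !(*state & CW_CONNECT_WANT_SOMETHING);
  int do_bind = fresh;
  struct sockaddr_in ba;

#ifdef HAVE_OPENSSL
  if(ssl) do_bind = 0;
#endif

  if(do_bind && bindaddr && strlen(bindaddr)) {
    /* Fill in the family and parse into sin_addr (not the struct start). */
    memset(&ba, 0, sizeof(ba));
    ba.sin_family = AF_INET;
    ba.sin_port = 0;
#ifdef HAVE_INET_ATON
    {
      struct in_addr addr;
      rc = inet_aton(bindaddr, &addr);
      ba.sin_addr.s_addr = addr.s_addr;
    }
#else
    rc = inet_pton(AF_INET, bindaddr, &ba.sin_addr);
#endif

    /* Positive means parsed; inet_pton's -1 must not be taken as success. */
    if(rc > 0) {
      rc = bind(sockfd, (struct sockaddr *) &ba, sizeof(ba));
    } else {
      rc = -1;
    }

    if(rc) return rc;
  }

#ifdef HAVE_OPENSSL
  if(ssl) {
    if(fresh)
      rc = cw_connect(sockfd, serv_addr, addrlen, 0);
    else { /* check if the socket is connected correctly */
      socklen_t optlen = sizeof(int);
      int optval;
      if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) || optval)
        return -1;
    }

    if(!rc) {
      sslsock *p;
      if (*state & CW_CONNECT_SSL)
        p = getsock(sockfd);
      else
        p = addsock(sockfd);
      /* No entry: not tracked (or could not be set up); nothing to handshake. */
      if (p == NULL)
        return -1;

      rc = SSL_connect(p->ssl);
      switch(rc){
      case 1:
        *state = 0;
        return 0;
      case 0:
        return -1;
      default:
        /* Handshake wants more I/O: tell the caller what to wait for. */
        switch (SSL_get_error(p->ssl, rc)){
        case SSL_ERROR_WANT_READ:
          *state = CW_CONNECT_SSL | CW_CONNECT_WANT_READ;
          return 0;
        case SSL_ERROR_WANT_WRITE:
          *state = CW_CONNECT_SSL | CW_CONNECT_WANT_WRITE;
          return 0;
        default:
          return -1;
        }
      }
    }
    else{ /* catch EINPROGRESS error from the connect call */
      if (errno == EINPROGRESS){
        *state = CW_CONNECT_STARTED | CW_CONNECT_WANT_WRITE;
        return 0;
      }
    }

    return rc;
  }
#endif
  if(fresh)
    rc = connect(sockfd, serv_addr, addrlen);
  else{ /* check if the socket is connected correctly */
    socklen_t optlen = sizeof(int);
    int optval;
    if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) || optval)
      return -1;
    *state = 0;
    return 0;
  }
  if (rc)
    if (errno == EINPROGRESS){
      *state = CW_CONNECT_STARTED | CW_CONNECT_WANT_WRITE;
      return 0;
    }
  return rc;
}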
462 | |
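/* accept(2) wrapper; with `ssl` set (HAVE_OPENSSL builds) the accepted
 * connection is registered in the SSL table and SSL_accept() is run on it.
 *
 * s / addr / addrlen: as for accept(2).
 * Returns the new descriptor (>= 0), or -1 on failure.  If the SSL setup or
 * handshake fails, the freshly accepted descriptor is closed (and removed
 * from the SSL table) before returning -1, so it is not leaked.
 *
 * Note: accept() returns the *new* descriptor, so success is rc >= 0, not
 * rc == 0, and the SSL object belongs to rc, not to the listening socket.
 */
int cw_accept(int s, struct sockaddr *addr, int *addrlen, int ssl) {
#ifdef HAVE_OPENSSL
  int rc;

  if(ssl) {
    rc = accept(s, addr, (socklen_t*)addrlen);

    if(rc >= 0) {
      sslsock *p = addsock(rc);
      if(p == NULL) {
        close(rc);
        return -1;
      }
      if(SSL_accept(p->ssl) != 1) {
        delsock(rc);
        close(rc);
        return -1;
      }
    }

    return rc;
  }
#endif
  return accept(s, addr, (socklen_t*)addrlen);
}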
482 | |
/* write(2) wrapper.  With `ssl` set and `fd` registered in the SSL table
 * (HAVE_OPENSSL builds), the data goes through SSL_write() instead; an
 * unregistered fd silently falls back to a plain write().
 * Returns what the underlying write()/SSL_write() returns. */
int cw_write(int fd, const void *buf, int count, int ssl) {
#ifdef HAVE_OPENSSL
  if(ssl) {
    sslsock *entry = getsock(fd);
    if(entry)
      return SSL_write(entry->ssl, buf, count);
  }
#endif
  return write(fd, buf, count);
}
493 | |
/* read(2) wrapper.  With `ssl` set and `fd` registered in the SSL table
 * (HAVE_OPENSSL builds), the data comes from SSL_read() instead; an
 * unregistered fd silently falls back to a plain read().
 * Returns what the underlying read()/SSL_read() returns. */
int cw_read(int fd, void *buf, int count, int ssl) {
#ifdef HAVE_OPENSSL
  if(ssl) {
    sslsock *entry = getsock(fd);
    if(entry)
      return SSL_read(entry->ssl, buf, count);
  }
#endif
  return read(fd, buf, count);
}
504 | |
/* Close `fd`.  In HAVE_OPENSSL builds the descriptor is first dropped from
 * the SSL table (delsock() is called for every fd, SSL or not, and must
 * tolerate an untracked one). */
void cw_close(int fd) {
#ifdef HAVE_OPENSSL
  delsock(fd);
#endif
  close(fd);
}
511 | |
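/* Release the malloc'ed string `v` (free(NULL) is a no-op) and reset it to 0.
 * do/while keeps the expansion a single statement, so it is safe after an
 * unbraced if/else, unlike the previous `if(v) free(v), v = 0;` form. */
#define FREEVAR(v) do { free(v); v = 0; } while (0)

/* Set or clear the local address that cw_connect()/cw_nb_connect() bind to
 * before connecting.  A private copy is kept, so the caller's string may be
 * released afterwards.  NULL or "" clears the setting: strdup(NULL) would
 * crash, and an empty string is already treated as "unset" by the connect
 * paths, which test strlen(bindaddr). */
void cw_setbind(const char *abindaddr) {
  FREEVAR(bindaddr);
  if(abindaddr && *abindaddr)
    bindaddr = strdup(abindaddr);
}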
518 | |
/* Configure (or clear) the HTTP proxy used by cw_connect().
 *
 * aproxyhost: proxy host name; NULL or "" disables the proxy.
 * aproxyport: proxy TCP port (stored as given, no range check).
 * aproxyuser / aproxypass: credentials for Proxy-Authorization; NULL or ""
 *             leaves the corresponding field unset (0).
 * Private copies are taken; previous values are released first.
 */
void cw_setproxy(const char *aproxyhost, int aproxyport, const char *aproxyuser, const char *aproxypass) {
  FREEVAR(proxyhost);
  FREEVAR(proxyuser);
  FREEVAR(proxypass);

  proxyport = aproxyport;

  /* Empty strings count as "not set", exactly like NULL. */
  if(aproxyhost && *aproxyhost)
    proxyhost = strdup(aproxyhost);
  if(aproxyuser && *aproxyuser)
    proxyuser = strdup(aproxyuser);
  if(aproxypass && *aproxypass)
    proxypass = strdup(aproxypass);
}
529 | |
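/* Base64-encode the NUL-terminated string `in` (RFC 4648 alphabet, '='
 * padding), as required by the "Proxy-Authorization: Basic" header built in
 * cw_http_connect() — the only caller in this file.
 *
 * Returns a malloc'ed, NUL-terminated string the caller must free(), or NULL
 * when allocation fails.  "" encodes to "".
 *
 * Fixes relative to the previous version: the alphabet ended in "._" with
 * '-' padding, which is not Base64 and is rejected by standards-conforming
 * proxies; bytes >= 0x80 were indexed through a (signed) char and could
 * read outside the digit table; the output was built with repeated
 * strncat() (quadratic) into a 4*len+1 buffer.
 */
char *cw_base64_encode(const char *in) {
  static const char base64digits[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  const unsigned char *src = (const unsigned char *) in;
  size_t inlen = strlen(in);
  /* Four output characters per (partial) group of three input bytes. */
  size_t outlen = 4 * ((inlen + 2) / 3);
  char *out = malloc(outlen + 1);
  size_t i, o = 0;

  if (out == NULL)
    return NULL;

  /* Full 3-byte groups: pack into 24 bits and emit four 6-bit digits. */
  for (i = 0; i + 3 <= inlen; i += 3) {
    unsigned v = ((unsigned) src[i] << 16) | ((unsigned) src[i+1] << 8) | src[i+2];
    out[o++] = base64digits[(v >> 18) & 0x3f];
    out[o++] = base64digits[(v >> 12) & 0x3f];
    out[o++] = base64digits[(v >> 6) & 0x3f];
    out[o++] = base64digits[v & 0x3f];
  }

  /* Trailing 1 or 2 bytes: pad the missing input with zero bits and the
   * missing output positions with '='. */
  if (i < inlen) {
    unsigned v = (unsigned) src[i] << 16;
    if (i + 1 < inlen)
      v |= (unsigned) src[i+1] << 8;
    out[o++] = base64digits[(v >> 18) & 0x3f];
    out[o++] = base64digits[(v >> 12) & 0x3f];
    out[o++] = (i + 1 < inlen) ? base64digits[(v >> 6) & 0x3f] : '=';
    out[o++] = '=';
  }

  out[o] = 0;
  return out;
}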