Mercurial > hg
annotate mcabber/connwrap/connwrap.c @ 1574:d8a016f76ff7
Fix segfaults when receiving malformed XEP-0146 packets
author | franky@veqlargh.fs |
---|---|
date | Tue, 20 Jan 2009 08:48:11 +0100 |
parents | 3067c096cfc4 |
children |
rev | line source |
---|---|
25 | 1 #include "connwrap.h" |
2 | |
302
8ca708a0d550
Remove compilation warnings in connwrap library
Mikael Berthe <mikael@lilotux.net>
parents:
235
diff
changeset
|
3 #include <stdio.h> |
8ca708a0d550
Remove compilation warnings in connwrap library
Mikael Berthe <mikael@lilotux.net>
parents:
235
diff
changeset
|
4 #include <stdlib.h> |
25 | 5 #include <netdb.h> |
6 #include <string.h> | |
7 #include <netinet/in.h> | |
8 #include <errno.h> | |
9 #include <arpa/inet.h> | |
10 #include <fcntl.h> | |
11 #include <sys/time.h> | |
112 | 12 #include <unistd.h> |
25 | 13 |
14 #define PROXY_TIMEOUT 10 | |
15 // HTTP proxy timeout in seconds (for the CONNECT method) | |
16 | |
17 #ifdef HAVE_OPENSSL | |
1253 | 18 # define OPENSSL_NO_KRB5 1 |
19 # include <openssl/ssl.h> | |
20 # include <openssl/err.h> | |
21 # define HAVE_SSL | |
22 # undef HAVE_GNUTLS // Can't use both... | |
23 #elif defined HAVE_GNUTLS | |
24 # include <gnutls/gnutls.h> | |
25 # define HAVE_SSL | |
25 | 26 #endif |
27 | |
28 static int in_http_connect = 0; | |
29 | |
30 #ifdef HAVE_OPENSSL | |
1253 | 31 static SSL_CTX *ctx = NULL; |
32 typedef struct { int fd; SSL *ssl; } sslsock; | |
33 #elif defined HAVE_GNUTLS | |
34 typedef struct { int fd; gnutls_session_t session; } sslsock; | |
35 #endif | |
25 | 36 |
1253 | 37 |
38 #ifdef HAVE_SSL | |
25 | 39 |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
40 /* verify > 0 indicates verify depth as well */ |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
41 static int verify = -1; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
42 static const char *cafile = NULL; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
43 static const char *capath = NULL; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
44 static const char *cipherlist = NULL; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
45 static const char *peer = NULL; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
46 static const char *sslerror = NULL; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
47 |
1253 | 48 #ifdef HAVE_OPENSSL |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
49 static int verify_cb(int preverify_ok, X509_STORE_CTX *cx) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
50 { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
51 X509 *cert; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
52 X509_NAME *nm; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
53 int lastpos; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
54 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
55 if(!preverify_ok) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
56 long err = X509_STORE_CTX_get_error(cx); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
57 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
58 sslerror = X509_verify_cert_error_string(err); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
59 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
60 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
61 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
62 if (peer == NULL) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
63 return 1; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
64 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
65 if ((cert = X509_STORE_CTX_get_current_cert(cx)) == NULL) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
66 sslerror = "internal SSL error"; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
67 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
68 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
69 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
70 /* We only want to look at the peername if we're working on the peer |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
71 * certificate. */ |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
72 if (cert != cx->cert) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
73 return 1; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
74 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
75 if ((nm = X509_get_subject_name (cert)) == NULL) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
76 sslerror = "internal SSL error"; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
77 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
78 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
79 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
80 for(lastpos = -1; ; ) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
81 X509_NAME_ENTRY *e; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
82 ASN1_STRING *a; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
83 ASN1_STRING *p; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
84 int match; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
85 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
86 lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
87 if (lastpos == -1) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
88 break; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
89 if ((e = X509_NAME_get_entry(nm, lastpos)) == NULL) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
90 sslerror = "internal SSL error"; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
91 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
92 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
93 if ((a = X509_NAME_ENTRY_get_data(e)) == NULL) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
94 sslerror = "internal SSL error"; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
95 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
96 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
97 if ((p = ASN1_STRING_type_new(ASN1_STRING_type(a))) == NULL) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
98 sslerror = "internal SSL error"; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
99 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
100 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
101 (void) ASN1_STRING_set(p, peer, -1); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
102 match = !ASN1_STRING_cmp(a, p); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
103 ASN1_STRING_free(p); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
104 if(match) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
105 return 1; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
106 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
107 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
108 sslerror = "server certificate cn mismatch"; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
109 return 0; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
110 } |
1253 | 111 #endif |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
112 |
1253 | 113 static void init(int fd, sslsock *p) { |
114 #ifdef HAVE_GNUTLS | |
115 gnutls_certificate_credentials_t xcred; | |
116 #endif | |
117 | |
118 #ifdef HAVE_OPENSSL | |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
119 if(ctx) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
120 return; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
121 SSL_library_init(); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
122 SSL_load_error_strings(); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
123 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
124 #ifdef HAVE_SSLEAY |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
125 SSLeay_add_all_algorithms(); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
126 #else |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
127 OpenSSL_add_all_algorithms(); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
128 #endif |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
129 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
130 /* May need to use distinct SSLEAY bindings below... */ |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
131 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
132 ctx = SSL_CTX_new(SSLv23_client_method()); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
133 if(cipherlist) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
134 (void)SSL_CTX_set_cipher_list(ctx, cipherlist); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
135 if(cafile || capath) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
136 (void)SSL_CTX_load_verify_locations(ctx, cafile, capath); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
137 if(verify) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
138 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
139 if(verify > 0) |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
140 SSL_CTX_set_verify_depth(ctx, verify); |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
141 } else |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
142 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); |
1253 | 143 |
144 p->ssl = SSL_new(ctx); | |
145 SSL_set_fd(p->ssl, p->fd = fd); | |
146 | |
147 #elif defined HAVE_GNUTLS | |
148 gnutls_global_init(); | |
149 gnutls_certificate_allocate_credentials(&xcred); | |
150 gnutls_init(&(p->session), GNUTLS_CLIENT); | |
151 gnutls_set_default_priority(p->session); | |
152 gnutls_credentials_set(p->session, GNUTLS_CRD_CERTIFICATE, xcred); | |
153 p->fd = fd; | |
154 gnutls_transport_set_ptr(p->session,(gnutls_transport_ptr_t)fd); | |
155 #endif | |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
156 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
157 |
1253 | 158 static sslsock *socks = NULL; |
25 | 159 static int sockcount = 0; |
160 | |
161 static sslsock *getsock(int fd) { | |
162 int i; | |
163 | |
164 for(i = 0; i < sockcount; i++) | |
165 if(socks[i].fd == fd) | |
166 return &socks[i]; | |
167 | |
1253 | 168 return NULL; |
25 | 169 } |
170 | |
171 static sslsock *addsock(int fd) { | |
172 sslsock *p; | |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
173 |
1253 | 174 sockcount++; |
175 | |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
176 if (socks) |
1253 | 177 socks = (sslsock *) realloc(socks, sizeof(sslsock)*sockcount); |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
178 else |
1253 | 179 socks = (sslsock *) malloc(sizeof(sslsock)*sockcount); |
25 | 180 |
181 p = &socks[sockcount-1]; | |
182 | |
1253 | 183 init(fd, p); |
25 | 184 |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
185 sslerror = NULL; |
25 | 186 |
187 return p; | |
188 } | |
189 | |
190 static void delsock(int fd) { | |
191 int i, nsockcount; | |
192 sslsock *nsocks; | |
193 | |
194 nsockcount = 0; | |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
195 |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
196 if (sockcount > 1) { |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
197 nsocks = (sslsock *) malloc(sizeof(sslsock)*(sockcount-1)); |
25 | 198 |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
199 for(i = 0; i < sockcount; i++) { |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
200 if(socks[i].fd != fd) { |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
201 nsocks[nsockcount++] = socks[i]; |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
202 } else { |
1253 | 203 #ifdef HAVE_OPENSSL |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
204 SSL_free(socks[i].ssl); |
1253 | 205 #elif defined HAVE_GNUTLS |
206 gnutls_bye(socks[i].session, GNUTLS_SHUT_WR); | |
207 gnutls_deinit(socks[i].session); | |
208 #endif | |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
209 } |
25 | 210 } |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
211 |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
212 } else { |
1253 | 213 #ifdef HAVE_OPENSSL |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
214 if (ctx) |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
215 SSL_CTX_free(ctx); |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
216 ctx = 0; |
1253 | 217 #endif |
218 nsocks = NULL; | |
25 | 219 } |
220 | |
984
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
221 if (socks) |
3225a1ba050d
Fix a potential libconnwrap issue
Mikael Berthe <mikael@lilotux.net>
parents:
955
diff
changeset
|
222 free(socks); |
25 | 223 socks = nsocks; |
224 sockcount = nsockcount; | |
225 } | |
226 | |
1253 | 227 void cw_set_ssl_options(int sslverify, |
228 const char *sslcafile, const char *sslcapath, | |
229 const char *sslciphers, const char *sslpeer) { | |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
230 verify = sslverify; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
231 cafile = sslcafile; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
232 capath = sslcapath; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
233 cipherlist = sslciphers; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
234 peer = sslpeer; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
235 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
236 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
237 const char *cw_get_ssl_error(void) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
238 return sslerror; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
239 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
240 |
1253 | 241 #else // HAVE_SSL |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
242 |
1253 | 243 void cw_set_ssl_options(int sslverify, |
244 const char *sslcafile, const char *sslcapath, | |
245 const char *sslciphers, const char *sslpeer) { } | |
938
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
246 |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
247 const char *cw_get_ssl_error(void) { |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
248 return NULL; |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
249 } |
40175f3dcef7
SSL server certificate verification
Jefferson Ogata <ogata@antibozo.net>
parents:
431
diff
changeset
|
250 |
1253 | 251 #endif // HAVE_SSL |
25 | 252 |
253 static char *bindaddr = 0, *proxyhost = 0, *proxyuser = 0, *proxypass = 0; | |
254 static int proxyport = 3128; | |
255 static int proxy_ssl = 0; | |
256 | |
257 #define SOCKOUT(s) write(sockfd, s, strlen(s)) | |
258 | |
259 int cw_http_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen) { | |
260 int err, pos, fl; | |
261 struct hostent *server; | |
262 struct sockaddr_in paddr; | |
263 char buf[512]; | |
264 fd_set rfds; | |
265 | |
400
e536ab271584
Kill a warning in the connwrap library
Mikael Berthe <mikael@lilotux.net>
parents:
302
diff
changeset
|
266 fl = 0; |
25 | 267 err = 0; |
268 in_http_connect = 1; | |
269 | |
270 if(!(server = gethostbyname(proxyhost))) { | |
271 errno = h_errno; | |
272 err = -1; | |
273 } | |
274 | |
275 if(!err) { | |
276 memset(&paddr, 0, sizeof(paddr)); | |
277 paddr.sin_family = AF_INET; | |
278 memcpy(&paddr.sin_addr.s_addr, *server->h_addr_list, server->h_length); | |
279 paddr.sin_port = htons(proxyport); | |
280 | |
281 fl = fcntl(sockfd, F_GETFL); | |
282 fcntl(sockfd, F_SETFL, fl & ~O_NONBLOCK); | |
283 | |
284 buf[0] = 0; | |
285 | |
1253 | 286 err = cw_connect(sockfd, (struct sockaddr *) &paddr, sizeof(paddr), |
287 proxy_ssl); | |
25 | 288 } |
289 | |
290 errno = ECONNREFUSED; | |
291 | |
292 if(!err) { | |
293 struct sockaddr_in *sin = (struct sockaddr_in *) serv_addr; | |
294 char *ip = inet_ntoa(sin->sin_addr), c; | |
295 struct timeval tv; | |
296 | |
1387 | 297 snprintf(buf, sizeof(buf), "%d", ntohs(sin->sin_port)); |
25 | 298 SOCKOUT("CONNECT "); |
299 SOCKOUT(ip); | |
300 SOCKOUT(":"); | |
301 SOCKOUT(buf); | |
302 SOCKOUT(" HTTP/1.0\r\n"); | |
303 | |
304 if(proxyuser) { | |
305 char *b; | |
306 SOCKOUT("Proxy-Authorization: Basic "); | |
307 | |
427
ac85ce87f539
Fix buffer overflow in cw_setproxy()
Mikael Berthe <mikael@lilotux.net>
parents:
414
diff
changeset
|
308 snprintf(buf, sizeof(buf), "%s:%s", proxyuser, proxypass); |
25 | 309 b = cw_base64_encode(buf); |
310 SOCKOUT(b); | |
311 free(b); | |
312 | |
313 SOCKOUT("\r\n"); | |
314 } | |
315 | |
316 SOCKOUT("\r\n"); | |
317 | |
318 buf[0] = 0; | |
319 | |
320 while(err != -1) { | |
321 FD_ZERO(&rfds); | |
322 FD_SET(sockfd, &rfds); | |
323 | |
324 tv.tv_sec = PROXY_TIMEOUT; | |
325 tv.tv_usec = 0; | |
326 | |
327 err = select(sockfd+1, &rfds, 0, 0, &tv); | |
328 | |
329 if(err < 1) err = -1; | |
330 | |
331 if(err != -1 && FD_ISSET(sockfd, &rfds)) { | |
332 err = read(sockfd, &c, 1); | |
333 if(!err) err = -1; | |
334 | |
335 if(err != -1) { | |
336 pos = strlen(buf); | |
337 buf[pos] = c; | |
338 buf[pos+1] = 0; | |
339 | |
340 if(strlen(buf) > 4) | |
341 if(!strcmp(buf+strlen(buf)-4, "\r\n\r\n")) | |
342 break; | |
343 } | |
344 } | |
345 } | |
346 } | |
347 | |
348 if(err != -1 && strlen(buf)) { | |
349 char *p = strstr(buf, " "); | |
350 | |
351 err = -1; | |
352 | |
353 if(p) | |
354 if(atoi(++p) == 200) | |
355 err = 0; | |
356 | |
357 fcntl(sockfd, F_SETFL, fl); | |
358 if(fl & O_NONBLOCK) { | |
359 errno = EINPROGRESS; | |
360 err = -1; | |
361 } | |
362 } | |
363 | |
364 in_http_connect = 0; | |
365 | |
366 return err; | |
367 } | |
368 | |
1253 | 369 int cw_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen, |
370 int ssl) { | |
25 | 371 int rc; |
372 struct sockaddr_in ba; | |
373 | |
374 if(bindaddr) | |
375 if(strlen(bindaddr)) { | |
376 #ifdef HAVE_INET_ATON | |
377 struct in_addr addr; | |
378 rc = inet_aton(bindaddr, &addr); | |
379 ba.sin_addr.s_addr = addr.s_addr; | |
380 #else | |
381 rc = inet_pton(AF_INET, bindaddr, &ba); | |
382 #endif | |
383 | |
384 if(rc) { | |
385 ba.sin_port = 0; | |
386 rc = bind(sockfd, (struct sockaddr *) &ba, sizeof(ba)); | |
387 } else { | |
388 rc = -1; | |
389 } | |
390 | |
391 if(rc) return rc; | |
392 } | |
393 | |
1253 | 394 if(proxyhost && !in_http_connect) |
395 rc = cw_http_connect(sockfd, serv_addr, addrlen); | |
396 else | |
397 rc = connect(sockfd, serv_addr, addrlen); | |
25 | 398 |
399 #ifdef HAVE_OPENSSL | |
400 if(ssl && !rc) { | |
401 sslsock *p = addsock(sockfd); | |
402 if(SSL_connect(p->ssl) != 1) | |
1253 | 403 return -1; // XXX "Can't connect to SSL" |
25 | 404 } |
405 #endif | |
406 | |
407 return rc; | |
408 } | |
409 | |
1253 | 410 int cw_nb_connect(int sockfd, const struct sockaddr *serv_addr, int addrlen, |
411 int ssl, int *state) { | |
25 | 412 int rc = 0; |
413 struct sockaddr_in ba; | |
414 | |
415 if(bindaddr) | |
416 if(strlen(bindaddr)) { | |
417 #ifdef HAVE_INET_ATON | |
418 struct in_addr addr; | |
419 rc = inet_aton(bindaddr, &addr); | |
420 ba.sin_addr.s_addr = addr.s_addr; | |
421 #else | |
422 rc = inet_pton(AF_INET, bindaddr, &ba); | |
423 #endif | |
424 | |
425 if(rc) { | |
426 ba.sin_port = 0; | |
427 rc = bind(sockfd, (struct sockaddr *) &ba, sizeof(ba)); | |
428 } else { | |
429 rc = -1; | |
430 } | |
431 | |
432 if(rc) return rc; | |
433 } | |
434 | |
1253 | 435 #ifdef HAVE_SSL |
25 | 436 if(ssl) { |
1253 | 437 if ( !(*state & CW_CONNECT_WANT_SOMETHING)) { |
25 | 438 rc = cw_connect(sockfd, serv_addr, addrlen, 0); |
1253 | 439 } else { /* check if the socket is connected correctly */ |
25 | 440 int optlen = sizeof(int), optval; |
1253 | 441 if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, |
442 (socklen_t*)&optlen) || optval) | |
443 return -1; | |
25 | 444 } |
445 | |
446 if(!rc) { | |
1253 | 447 #ifdef HAVE_GNUTLS |
448 int ret; | |
449 #endif | |
25 | 450 sslsock *p; |
451 if (*state & CW_CONNECT_SSL) | |
452 p = getsock(sockfd); | |
453 else | |
454 p = addsock(sockfd); | |
414
ec86d759ed54
Trailing whitespace cleanup
Mikael Berthe <mikael@lilotux.net>
parents:
409
diff
changeset
|
455 |
1253 | 456 #ifdef HAVE_GNUTLS |
457 do { | |
458 ret = gnutls_handshake(p->session); | |
459 } while ((ret == GNUTLS_E_AGAIN) || (ret == GNUTLS_E_INTERRUPTED)); | |
460 if (ret < 0) { | |
461 gnutls_deinit(p->session); | |
462 gnutls_perror(ret); | |
463 return -1; | |
464 } | |
465 else{ | |
466 *state = 1; | |
467 return 0; | |
468 } | |
469 #elif defined HAVE_OPENSSL | |
25 | 470 rc = SSL_connect(p->ssl); |
471 switch(rc){ | |
472 case 1: | |
473 *state = 0; | |
474 return 0; | |
475 case 0: | |
476 return -1; | |
477 default: | |
478 switch (SSL_get_error(p->ssl, rc)){ | |
479 case SSL_ERROR_WANT_READ: | |
480 *state = CW_CONNECT_SSL | CW_CONNECT_WANT_READ; | |
481 return 0; | |
482 case SSL_ERROR_WANT_WRITE: | |
483 *state = CW_CONNECT_SSL | CW_CONNECT_WANT_WRITE; | |
484 return 0; | |
485 default: | |
486 return -1; | |
487 } | |
488 } | |
1253 | 489 #endif |
490 } else { /* catch EINPROGRESS error from the connect call */ | |
25 | 491 if (errno == EINPROGRESS){ |
492 *state = CW_CONNECT_STARTED | CW_CONNECT_WANT_WRITE; | |
493 return 0; | |
494 } | |
495 } | |
496 | |
497 return rc; | |
498 } | |
499 #endif | |
1253 | 500 if ( !(*state & CW_CONNECT_WANT_SOMETHING)) { |
1266
3bd496b9a9f7
Fix proxy usage when SSL is disabled
Mikael Berthe <mikael@lilotux.net>
parents:
1253
diff
changeset
|
501 rc = cw_connect(sockfd, serv_addr, addrlen, 0); |
1253 | 502 } else { /* check if the socket is connected correctly */ |
25 | 503 int optlen = sizeof(int), optval; |
1253 | 504 if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, |
505 (socklen_t*)&optlen) || optval) | |
25 | 506 return -1; |
507 *state = 0; | |
508 return 0; | |
509 } | |
510 if (rc) | |
511 if (errno == EINPROGRESS){ | |
512 *state = CW_CONNECT_STARTED | CW_CONNECT_WANT_WRITE; | |
513 return 0; | |
514 } | |
515 return rc; | |
516 } | |
517 | |
518 int cw_accept(int s, struct sockaddr *addr, int *addrlen, int ssl) { | |
519 #ifdef HAVE_OPENSSL | |
520 int rc; | |
521 | |
522 if(ssl) { | |
235 | 523 rc = accept(s, addr, (socklen_t*)addrlen); |
25 | 524 |
525 if(!rc) { | |
526 sslsock *p = addsock(s); | |
527 if(SSL_accept(p->ssl) != 1) | |
528 return -1; | |
529 } | |
530 return rc; | |
531 } | |
532 #endif | |
235 | 533 return accept(s, addr, (socklen_t*)addrlen); |
25 | 534 } |
535 | |
536 int cw_write(int fd, const void *buf, int count, int ssl) { | |
1253 | 537 #ifdef HAVE_SSL |
25 | 538 sslsock *p; |
539 | |
1253 | 540 if(ssl) { |
541 #ifdef HAVE_GNUTLS | |
542 p = getsock(fd); | |
543 if(p) { | |
544 int ret; | |
545 if((ret = gnutls_record_send( p->session, buf, count) < 0)) | |
546 fprintf(stderr, "Can't write to server"); | |
547 return ret; | |
548 } | |
549 #elif defined HAVE_OPENSSL | |
550 if((p = getsock(fd)) != NULL) | |
551 return SSL_write(p->ssl, buf, count); | |
25 | 552 #endif |
1253 | 553 } |
554 #endif // HAVE_SSL | |
25 | 555 return write(fd, buf, count); |
556 } | |
557 | |
558 int cw_read(int fd, void *buf, int count, int ssl) { | |
1253 | 559 #ifdef HAVE_SSL |
25 | 560 sslsock *p; |
561 | |
1253 | 562 if(ssl) { |
563 #ifdef HAVE_GNUTLS | |
564 p = getsock(fd); | |
565 if(p) { | |
566 int ret; | |
567 do { | |
568 ret = gnutls_record_recv(p->session, buf, count); | |
569 } while (ret < 0 && | |
570 (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN)); | |
571 return ret; | |
572 } | |
573 #elif defined HAVE_OPENSSL | |
574 if((p = getsock(fd)) != NULL) | |
575 return SSL_read(p->ssl, buf, count); | |
25 | 576 #endif |
1253 | 577 } |
578 #endif // HAVE_SSL | |
25 | 579 return read(fd, buf, count); |
580 } | |
581 | |
235 | 582 void cw_close(int fd) { |
1253 | 583 #ifdef HAVE_SSL |
25 | 584 delsock(fd); |
585 #endif | |
586 close(fd); | |
587 } | |
588 | |
589 #define FREEVAR(v) if(v) free(v), v = 0; | |
590 | |
591 void cw_setbind(const char *abindaddr) { | |
592 FREEVAR(bindaddr); | |
593 bindaddr = strdup(abindaddr); | |
594 } | |
595 | |
1253 | 596 void cw_setproxy(const char *aproxyhost, int aproxyport, |
597 const char *aproxyuser, const char *aproxypass) { | |
25 | 598 FREEVAR(proxyhost); |
599 FREEVAR(proxyuser); | |
600 FREEVAR(proxypass); | |
601 | |
602 if(aproxyhost && strlen(aproxyhost)) proxyhost = strdup(aproxyhost); | |
603 if(aproxyuser && strlen(aproxyuser)) proxyuser = strdup(aproxyuser); | |
604 if(aproxypass && strlen(aproxypass)) proxypass = strdup(aproxypass); | |
605 proxyport = aproxyport; | |
606 } | |
607 | |
608 char *cw_base64_encode(const char *in) { | |
609 static char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"; | |
610 | |
611 int j = 0; | |
612 int inlen = strlen(in); | |
613 char *out = (char *) malloc(inlen*4+1), c; | |
614 | |
615 for(out[0] = 0; inlen >= 3; inlen -= 3) { | |
616 strncat(out, &base64digits[ in[j] >> 2 ], 1); | |
617 strncat(out, &base64digits[ ((in[j] << 4) & 0x30) | (in[j+1] >> 4) ], 1); | |
618 strncat(out, &base64digits[ ((in[j+1] << 2) & 0x3c) | (in[j+2] >> 6) ], 1); | |
619 strncat(out, &base64digits[ in[j+2] & 0x3f ], 1); | |
620 j += 3; | |
621 } | |
622 | |
623 if(inlen > 0) { | |
624 unsigned char fragment; | |
625 | |
626 strncat(out, &base64digits[in[j] >> 2], 1); | |
627 fragment = (in[j] << 4) & 0x30; | |
628 | |
629 if(inlen > 1) | |
630 fragment |= in[j+1] >> 4; | |
631 | |
632 strncat(out, &base64digits[fragment], 1); | |
633 | |
634 c = (inlen < 2) ? '-' : base64digits[ (in[j+1] << 2) & 0x3c ]; | |
635 strncat(out, &c, 1); | |
636 c = '-'; | |
637 strncat(out, &c, 1); | |
638 } | |
414
ec86d759ed54
Trailing whitespace cleanup
Mikael Berthe <mikael@lilotux.net>
parents:
409
diff
changeset
|
639 |
25 | 640 return out; |
641 } |