2012-05-10 12:06:41 +02:00
|
|
|
/******************************************************************************
|
|
|
|
|
* Icinga 2 *
|
|
|
|
|
* Copyright (C) 2012 Icinga Development Team (http://www.icinga.org/) *
|
|
|
|
|
* *
|
|
|
|
|
* This program is free software; you can redistribute it and/or *
|
|
|
|
|
* modify it under the terms of the GNU General Public License *
|
|
|
|
|
* as published by the Free Software Foundation; either version 2 *
|
|
|
|
|
* of the License, or (at your option) any later version. *
|
|
|
|
|
* *
|
|
|
|
|
* This program is distributed in the hope that it will be useful, *
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
|
|
|
|
* GNU General Public License for more details. *
|
|
|
|
|
* *
|
|
|
|
|
* You should have received a copy of the GNU General Public License *
|
|
|
|
|
* along with this program; if not, write to the Free Software Foundation *
|
2012-05-11 13:33:57 +02:00
|
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
|
2012-05-10 12:06:41 +02:00
|
|
|
******************************************************************************/
|
|
|
|
|
|
2012-04-24 14:02:15 +02:00
|
|
|
#include "i2-base.h"
|
|
|
|
|
|
|
|
|
|
using namespace icinga;
|
|
|
|
|
|
2012-05-19 10:27:41 +02:00
|
|
|
int I2_EXPORT TlsClient::m_SSLIndex;
|
|
|
|
|
bool I2_EXPORT TlsClient::m_SSLIndexInitialized = false;
|
2012-04-24 14:54:05 +02:00
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
2012-05-19 10:27:41 +02:00
|
|
|
* Constructor for the TlsClient class.
|
2012-05-08 15:36:28 +02:00
|
|
|
*
|
|
|
|
|
* @param role The role of the client.
|
|
|
|
|
* @param sslContext The SSL context for the client.
|
|
|
|
|
*/
|
2012-05-19 10:27:41 +02:00
|
|
|
TlsClient::TlsClient(TcpClientRole role, shared_ptr<SSL_CTX> sslContext) : TcpClient(role)
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
|
|
|
|
m_SSLContext = sslContext;
|
2012-04-27 14:15:22 +02:00
|
|
|
m_BlockRead = false;
|
|
|
|
|
m_BlockWrite = false;
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
|
2012-05-19 10:27:41 +02:00
|
|
|
void TlsClient::Start(void)
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
|
|
|
|
m_SSL = shared_ptr<SSL>(SSL_new(m_SSLContext.get()), SSL_free);
|
|
|
|
|
|
|
|
|
|
if (!m_SSL)
|
2012-04-24 15:56:48 +02:00
|
|
|
throw OpenSSLException("SSL_new failed", ERR_get_error());
|
2012-04-24 14:02:15 +02:00
|
|
|
|
2012-04-24 14:54:05 +02:00
|
|
|
if (!GetClientCertificate())
|
2012-05-26 21:30:04 +02:00
|
|
|
throw logic_error("No X509 client certificate was specified.");
|
2012-04-24 14:54:05 +02:00
|
|
|
|
|
|
|
|
if (!m_SSLIndexInitialized) {
|
2012-05-19 10:27:41 +02:00
|
|
|
m_SSLIndex = SSL_get_ex_new_index(0, (void *)"TlsClient", NULL, NULL, NULL);
|
2012-04-24 14:54:05 +02:00
|
|
|
m_SSLIndexInitialized = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SSL_set_ex_data(m_SSL.get(), m_SSLIndex, this);
|
|
|
|
|
|
|
|
|
|
SSL_set_verify(m_SSL.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
|
2012-05-19 10:27:41 +02:00
|
|
|
&TlsClient::SSLVerifyCertificate);
|
2012-04-24 14:54:05 +02:00
|
|
|
|
2012-04-24 14:02:15 +02:00
|
|
|
BIO *bio = BIO_new_socket(GetFD(), 0);
|
|
|
|
|
SSL_set_bio(m_SSL.get(), bio, bio);
|
|
|
|
|
|
|
|
|
|
if (GetRole() == RoleInbound)
|
|
|
|
|
SSL_set_accept_state(m_SSL.get());
|
|
|
|
|
else
|
|
|
|
|
SSL_set_connect_state(m_SSL.get());
|
2012-05-07 11:41:23 +02:00
|
|
|
|
|
|
|
|
SSL_do_handshake(m_SSL.get());
|
2012-06-24 02:56:48 +02:00
|
|
|
|
|
|
|
|
Socket::Start();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Takes a certificate as an argument. Does nothing.
|
|
|
|
|
*
|
|
|
|
|
* @param certificate An X509 certificate.
|
|
|
|
|
*/
|
|
|
|
|
void TlsClient::NullCertificateDeleter(X509 *certificate)
|
|
|
|
|
{
|
|
|
|
|
/* Nothing to do here. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Retrieves the X509 certficate for this client.
|
|
|
|
|
*
|
|
|
|
|
* @returns The X509 certificate.
|
|
|
|
|
*/
|
|
|
|
|
shared_ptr<X509> TlsClient::GetClientCertificate(void) const
|
|
|
|
|
{
|
|
|
|
|
mutex::scoped_lock lock(GetMutex());
|
|
|
|
|
|
|
|
|
|
return shared_ptr<X509>(SSL_get_certificate(m_SSL.get()), &TlsClient::NullCertificateDeleter);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Retrieves the X509 certficate for the peer.
|
|
|
|
|
*
|
|
|
|
|
* @returns The X509 certificate.
|
|
|
|
|
*/
|
|
|
|
|
shared_ptr<X509> TlsClient::GetPeerCertificate(void) const
|
|
|
|
|
{
|
|
|
|
|
mutex::scoped_lock lock(GetMutex());
|
|
|
|
|
|
|
|
|
|
return shared_ptr<X509>(SSL_get_peer_certificate(m_SSL.get()), X509_free);
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
|
|
|
|
* Processes data that is available for this socket.
|
|
|
|
|
*/
|
2012-06-24 02:56:48 +02:00
|
|
|
void TlsClient::HandleReadable(void)
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
2012-06-22 11:47:06 +02:00
|
|
|
int result;
|
2012-04-24 14:02:15 +02:00
|
|
|
|
2012-04-27 14:15:22 +02:00
|
|
|
m_BlockRead = false;
|
|
|
|
|
m_BlockWrite = false;
|
|
|
|
|
|
2012-06-22 11:47:06 +02:00
|
|
|
result = 0;
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
size_t bufferSize = FIFO::BlockSize / 2;
|
|
|
|
|
char *buffer = (char *)GetRecvQueue()->GetWriteBuffer(&bufferSize);
|
2012-06-24 02:56:48 +02:00
|
|
|
int rc = SSL_read(m_SSL.get(), buffer, bufferSize);
|
2012-06-22 11:47:06 +02:00
|
|
|
|
|
|
|
|
if (rc <= 0) {
|
|
|
|
|
switch (SSL_get_error(m_SSL.get(), rc)) {
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
m_BlockRead = true;
|
|
|
|
|
/* fall through */
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
2012-06-24 02:56:48 +02:00
|
|
|
goto post_event;
|
2012-06-22 11:47:06 +02:00
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
2012-06-24 02:56:48 +02:00
|
|
|
CloseInternal(false);
|
|
|
|
|
goto post_event;
|
2012-06-22 11:47:06 +02:00
|
|
|
default:
|
|
|
|
|
HandleSocketError(OpenSSLException(
|
|
|
|
|
"SSL_read failed", ERR_get_error()));
|
2012-06-24 02:56:48 +02:00
|
|
|
goto post_event;
|
2012-06-22 11:47:06 +02:00
|
|
|
}
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
|
2012-06-22 11:47:06 +02:00
|
|
|
GetRecvQueue()->Write(NULL, rc);
|
|
|
|
|
}
|
2012-04-24 14:02:15 +02:00
|
|
|
|
2012-06-24 02:56:48 +02:00
|
|
|
post_event:
|
2012-07-13 23:33:30 +02:00
|
|
|
Event::Post(boost::bind(boost::ref(OnDataAvailable), GetSelf()));
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
|
|
|
|
* Processes data that can be written for this socket.
|
|
|
|
|
*/
|
2012-06-24 02:56:48 +02:00
|
|
|
void TlsClient::HandleWritable(void)
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
2012-04-27 14:15:22 +02:00
|
|
|
m_BlockRead = false;
|
|
|
|
|
m_BlockWrite = false;
|
|
|
|
|
|
2012-06-24 02:56:48 +02:00
|
|
|
int rc = SSL_write(m_SSL.get(), (const char *)GetSendQueue()->GetReadBuffer(), GetSendQueue()->GetSize());
|
2012-04-24 14:02:15 +02:00
|
|
|
|
|
|
|
|
if (rc <= 0) {
|
2012-06-21 16:16:53 +02:00
|
|
|
switch (SSL_get_error(m_SSL.get(), rc)) {
|
2012-04-24 14:02:15 +02:00
|
|
|
case SSL_ERROR_WANT_READ:
|
2012-04-27 14:15:22 +02:00
|
|
|
m_BlockWrite = true;
|
|
|
|
|
/* fall through */
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
2012-06-24 02:56:48 +02:00
|
|
|
return;
|
2012-04-24 14:02:15 +02:00
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
2012-06-24 02:56:48 +02:00
|
|
|
CloseInternal(false);
|
|
|
|
|
return;
|
2012-04-24 14:02:15 +02:00
|
|
|
default:
|
2012-05-26 20:00:03 +02:00
|
|
|
HandleSocketError(OpenSSLException(
|
2012-06-21 16:16:53 +02:00
|
|
|
"SSL_write failed", ERR_get_error()));
|
2012-06-24 02:56:48 +02:00
|
|
|
return;
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
GetSendQueue()->Read(NULL, rc);
|
|
|
|
|
}
|
|
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
|
|
|
|
* Checks whether data should be read for this socket.
|
|
|
|
|
*
|
|
|
|
|
* @returns true if data should be read, false otherwise.
|
|
|
|
|
*/
|
2012-05-19 10:27:41 +02:00
|
|
|
bool TlsClient::WantsToRead(void) const
|
2012-04-24 16:27:23 +02:00
|
|
|
{
|
|
|
|
|
if (SSL_want_read(m_SSL.get()))
|
|
|
|
|
return true;
|
|
|
|
|
|
2012-04-27 14:15:22 +02:00
|
|
|
if (m_BlockRead)
|
|
|
|
|
return false;
|
|
|
|
|
|
2012-05-19 10:27:41 +02:00
|
|
|
return TcpClient::WantsToRead();
|
2012-04-24 16:27:23 +02:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
|
|
|
|
* Checks whether data should be written for this socket.
|
|
|
|
|
*
|
|
|
|
|
* @returns true if data should be written, false otherwise.
|
|
|
|
|
*/
|
2012-05-19 10:27:41 +02:00
|
|
|
bool TlsClient::WantsToWrite(void) const
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
|
|
|
|
if (SSL_want_write(m_SSL.get()))
|
|
|
|
|
return true;
|
|
|
|
|
|
2012-04-27 14:15:22 +02:00
|
|
|
if (m_BlockWrite)
|
|
|
|
|
return false;
|
|
|
|
|
|
2012-05-19 10:27:41 +02:00
|
|
|
return TcpClient::WantsToWrite();
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
|
|
|
|
* Closes the socket.
|
|
|
|
|
*
|
|
|
|
|
* @param from_dtor Whether this method was invoked from the destructor.
|
|
|
|
|
*/
|
2012-05-19 10:27:41 +02:00
|
|
|
void TlsClient::CloseInternal(bool from_dtor)
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
2012-06-21 12:22:16 +02:00
|
|
|
if (m_SSL)
|
|
|
|
|
SSL_shutdown(m_SSL.get());
|
2012-04-24 14:02:15 +02:00
|
|
|
|
2012-05-19 10:27:41 +02:00
|
|
|
TcpClient::CloseInternal(from_dtor);
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
2012-05-19 10:27:41 +02:00
|
|
|
* Factory function for the TlsClient class.
|
2012-05-08 15:36:28 +02:00
|
|
|
*
|
|
|
|
|
* @param role The role of the TLS socket.
|
|
|
|
|
* @param sslContext The SSL context for the socket.
|
|
|
|
|
* @returns A new TLS socket.
|
|
|
|
|
*/
|
2012-05-19 10:27:41 +02:00
|
|
|
TcpClient::Ptr icinga::TlsClientFactory(TcpClientRole role, shared_ptr<SSL_CTX> sslContext)
|
2012-04-24 14:02:15 +02:00
|
|
|
{
|
2012-06-15 19:32:41 +02:00
|
|
|
return boost::make_shared<TlsClient>(role, sslContext);
|
2012-04-24 14:02:15 +02:00
|
|
|
}
|
2012-04-24 14:54:05 +02:00
|
|
|
|
2012-05-08 15:36:28 +02:00
|
|
|
/**
|
|
|
|
|
* Callback function that verifies SSL certificates.
|
|
|
|
|
*
|
|
|
|
|
* @param ok Whether pre-checks for the SSL certificates were successful.
|
|
|
|
|
* @param x509Context X509 context for the certificate.
|
|
|
|
|
* @returns 1 if the verification was successful, 0 otherwise.
|
|
|
|
|
*/
|
2012-05-19 10:27:41 +02:00
|
|
|
int TlsClient::SSLVerifyCertificate(int ok, X509_STORE_CTX *x509Context)
|
2012-04-24 14:54:05 +02:00
|
|
|
{
|
|
|
|
|
SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(x509Context, SSL_get_ex_data_X509_STORE_CTX_idx());
|
2012-05-19 10:27:41 +02:00
|
|
|
TlsClient *client = (TlsClient *)SSL_get_ex_data(ssl, m_SSLIndex);
|
2012-04-24 14:54:05 +02:00
|
|
|
|
|
|
|
|
if (client == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2012-06-24 02:56:48 +02:00
|
|
|
return client->ValidateCertificateInternal(ok, x509Context);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int TlsClient::ValidateCertificateInternal(int ok, X509_STORE_CTX *x509Context)
|
|
|
|
|
{
|
2012-06-16 03:42:54 +02:00
|
|
|
shared_ptr<X509> x509Certificate = shared_ptr<X509>(x509Context->cert, &TlsClient::NullCertificateDeleter);
|
2012-06-24 02:56:48 +02:00
|
|
|
bool valid = ValidateCertificate((ok != 0), x509Context, x509Certificate);
|
|
|
|
|
|
2012-07-13 23:33:30 +02:00
|
|
|
if (valid)
|
|
|
|
|
Event::Post(boost::bind(boost::ref(OnCertificateValidated), GetSelf()));
|
2012-04-24 14:54:05 +02:00
|
|
|
|
2012-06-16 03:42:54 +02:00
|
|
|
return valid ? 1 : 0;
|
2012-04-24 14:54:05 +02:00
|
|
|
}
|
2012-06-24 02:56:48 +02:00
|
|
|
|
|
|
|
|
bool TlsClient::ValidateCertificate(bool ok, X509_STORE_CTX *x509Context, const shared_ptr<X509>& x509Certificate)
|
|
|
|
|
{
|
|
|
|
|
return ok;
|
|
|
|
|
}
|
