icinga2/lib/base/tlsstream.cpp

284 lines
6.9 KiB
C++
Raw Normal View History

/******************************************************************************
* Icinga 2 *
* Copyright (C) 2012 Icinga Development Team (http://www.icinga.org/) *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
* as published by the Free Software Foundation; either version 2 *
* of the License, or (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the Free Software Foundation *
2012-05-11 13:33:57 +02:00
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
******************************************************************************/
2013-03-16 21:18:53 +01:00
#include "base/tlsstream.h"
#include "base/stream_bio.h"
#include "base/objectlock.h"
#include "base/utility.h"
#include "base/exception.h"
2013-03-15 18:21:29 +01:00
#include <boost/bind.hpp>
2013-03-16 21:18:53 +01:00
#include <boost/make_shared.hpp>
2012-04-24 14:02:15 +02:00
using namespace icinga;
2012-11-22 12:04:32 +01:00
int I2_EXPORT TlsStream::m_SSLIndex;
bool I2_EXPORT TlsStream::m_SSLIndexInitialized = false;
2012-05-08 15:36:28 +02:00
/**
2012-11-22 12:04:32 +01:00
* Constructor for the TlsStream class.
2012-05-08 15:36:28 +02:00
*
* @param role The role of the client.
* @param sslContext The SSL context for the client.
*/
2012-11-22 12:04:32 +01:00
TlsStream::TlsStream(const Stream::Ptr& innerStream, TlsRole role, shared_ptr<SSL_CTX> sslContext)
: m_SSLContext(sslContext), m_SendQueue(boost::make_shared<FIFO>()), m_RecvQueue(boost::make_shared<FIFO>()),
m_InnerStream(innerStream), m_Role(role)
2012-11-22 12:04:32 +01:00
{
m_InnerStream->OnDataAvailable.connect(boost::bind(&TlsStream::DataAvailableHandler, this));
m_InnerStream->OnClosed.connect(boost::bind(&TlsStream::ClosedHandler, this));
m_SendQueue->Start();
m_RecvQueue->Start();
}
2012-04-24 14:02:15 +02:00
2012-11-22 12:04:32 +01:00
void TlsStream::Start(void)
2012-04-24 14:02:15 +02:00
{
m_SSL = shared_ptr<SSL>(SSL_new(m_SSLContext.get()), SSL_free);
2012-07-18 11:15:39 +02:00
m_SSLContext.reset();
2013-03-11 13:45:08 +01:00
if (!m_SSL) {
BOOST_THROW_EXCEPTION(openssl_error()
2013-03-18 17:04:22 +01:00
<< boost::errinfo_api_function("SSL_new")
2013-03-11 13:45:08 +01:00
<< errinfo_openssl_error(ERR_get_error()));
}
2012-04-24 14:02:15 +02:00
if (!m_SSL)
2013-03-16 21:18:53 +01:00
BOOST_THROW_EXCEPTION(std::logic_error("No X509 client certificate was specified."));
if (!m_SSLIndexInitialized) {
2012-11-22 12:04:32 +01:00
m_SSLIndex = SSL_get_ex_new_index(0, const_cast<char *>("TlsStream"), NULL, NULL, NULL);
m_SSLIndexInitialized = true;
}
SSL_set_ex_data(m_SSL.get(), m_SSLIndex, this);
2012-07-18 11:15:39 +02:00
SSL_set_verify(m_SSL.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
2012-11-22 12:04:32 +01:00
m_BIO = BIO_new_I2Stream(m_InnerStream);
SSL_set_bio(m_SSL.get(), m_BIO, m_BIO);
2012-04-24 14:02:15 +02:00
2012-11-22 12:04:32 +01:00
if (m_Role == TlsRoleServer)
2012-04-24 14:02:15 +02:00
SSL_set_accept_state(m_SSL.get());
else
SSL_set_connect_state(m_SSL.get());
2012-11-22 12:04:32 +01:00
/*int rc = SSL_do_handshake(m_SSL.get());
2012-07-18 11:15:39 +02:00
if (rc == 1) {
SetConnected(true);
OnConnected(GetSelf());
2012-11-22 12:04:32 +01:00
}*/
2012-06-24 02:56:48 +02:00
2012-11-22 12:04:32 +01:00
Stream::Start();
HandleIO();
2012-06-24 02:56:48 +02:00
}
/**
* Retrieves the X509 certficate for this client.
*
* @returns The X509 certificate.
*/
2012-11-22 12:04:32 +01:00
shared_ptr<X509> TlsStream::GetClientCertificate(void) const
2012-06-24 02:56:48 +02:00
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-08-07 21:02:12 +02:00
return shared_ptr<X509>(SSL_get_certificate(m_SSL.get()), &Utility::NullDeleter);
2012-06-24 02:56:48 +02:00
}
/**
* Retrieves the X509 certficate for the peer.
*
* @returns The X509 certificate.
*/
2012-11-22 12:04:32 +01:00
shared_ptr<X509> TlsStream::GetPeerCertificate(void) const
2012-06-24 02:56:48 +02:00
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-06-24 02:56:48 +02:00
return shared_ptr<X509>(SSL_get_peer_certificate(m_SSL.get()), X509_free);
2012-04-24 14:02:15 +02:00
}
2012-11-22 12:04:32 +01:00
void TlsStream::DataAvailableHandler(void)
{
try {
HandleIO();
} catch (...) {
SetException(boost::current_exception());
Close();
}
}
void TlsStream::ClosedHandler(void)
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-11-22 12:04:32 +01:00
SetException(m_InnerStream->GetException());
Close();
}
2012-05-08 15:36:28 +02:00
/**
2012-11-22 12:04:32 +01:00
* Processes data for the stream.
2012-05-08 15:36:28 +02:00
*/
2012-11-22 12:04:32 +01:00
void TlsStream::HandleIO(void)
2012-04-24 14:02:15 +02:00
{
ASSERT(!OwnsLock());
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-11-22 12:04:32 +01:00
char data[16 * 1024];
int rc;
2012-11-22 12:04:32 +01:00
if (!IsConnected()) {
rc = SSL_do_handshake(m_SSL.get());
2012-07-16 11:44:11 +02:00
2012-11-22 12:04:32 +01:00
if (rc == 1) {
SetConnected(true);
2012-07-16 11:44:11 +02:00
} else {
2012-06-22 11:47:06 +02:00
switch (SSL_get_error(m_SSL.get(), rc)) {
case SSL_ERROR_WANT_WRITE:
/* fall through */
case SSL_ERROR_WANT_READ:
2012-11-22 12:04:32 +01:00
return;
2012-06-22 11:47:06 +02:00
case SSL_ERROR_ZERO_RETURN:
2012-11-22 12:04:32 +01:00
Close();
return;
2012-06-22 11:47:06 +02:00
default:
2012-11-22 12:04:32 +01:00
I2Stream_check_exception(m_BIO);
2013-03-11 13:45:08 +01:00
BOOST_THROW_EXCEPTION(openssl_error()
2013-03-18 17:04:22 +01:00
<< boost::errinfo_api_function("SSL_do_handshake")
2013-03-11 13:45:08 +01:00
<< errinfo_openssl_error(ERR_get_error()));
2012-06-22 11:47:06 +02:00
}
2012-04-24 14:02:15 +02:00
}
2012-11-22 12:04:32 +01:00
}
2012-04-24 14:02:15 +02:00
2012-11-22 12:04:32 +01:00
bool new_data = false, read_ok = true;
2012-08-06 10:01:21 +02:00
2012-11-22 12:04:32 +01:00
while (read_ok) {
rc = SSL_read(m_SSL.get(), data, sizeof(data));
if (rc > 0) {
2012-07-16 11:44:11 +02:00
m_RecvQueue->Write(data, rc);
2012-11-22 12:04:32 +01:00
new_data = true;
} else {
switch (SSL_get_error(m_SSL.get(), rc)) {
case SSL_ERROR_WANT_WRITE:
/* fall through */
case SSL_ERROR_WANT_READ:
read_ok = false;
break;
case SSL_ERROR_ZERO_RETURN:
Close();
return;
default:
I2Stream_check_exception(m_BIO);
2013-03-11 13:45:08 +01:00
BOOST_THROW_EXCEPTION(openssl_error()
2013-03-18 17:04:22 +01:00
<< boost::errinfo_api_function("SSL_read")
2013-03-11 13:45:08 +01:00
<< errinfo_openssl_error(ERR_get_error()));
2012-11-22 12:04:32 +01:00
}
2012-08-06 10:01:21 +02:00
}
2012-06-22 11:47:06 +02:00
}
2012-04-24 14:02:15 +02:00
2013-03-02 09:07:47 +01:00
if (new_data) {
olock.Unlock();
2012-11-22 12:04:32 +01:00
OnDataAvailable(GetSelf());
2013-03-02 09:07:47 +01:00
olock.Lock();
}
2012-04-24 14:02:15 +02:00
2012-11-22 12:04:32 +01:00
while (m_SendQueue->GetAvailableBytes() > 0) {
size_t count = m_SendQueue->GetAvailableBytes();
2012-07-16 00:02:31 +02:00
2012-11-22 12:04:32 +01:00
if (count == 0)
break;
2012-07-16 00:02:31 +02:00
2012-11-22 12:04:32 +01:00
if (count > sizeof(data))
count = sizeof(data);
2012-08-06 10:01:21 +02:00
2012-11-22 12:04:32 +01:00
m_SendQueue->Peek(data, count);
2012-07-16 00:02:31 +02:00
2012-11-22 12:04:32 +01:00
rc = SSL_write(m_SSL.get(), (const char *)data, count);
2012-07-16 00:02:31 +02:00
2012-11-22 12:04:32 +01:00
if (rc > 0) {
m_SendQueue->Read(NULL, rc);
2012-07-16 11:44:11 +02:00
} else {
2012-07-16 00:02:31 +02:00
switch (SSL_get_error(m_SSL.get(), rc)) {
case SSL_ERROR_WANT_READ:
/* fall through */
case SSL_ERROR_WANT_WRITE:
return;
case SSL_ERROR_ZERO_RETURN:
2012-11-22 12:04:32 +01:00
Close();
2012-07-16 00:02:31 +02:00
return;
default:
2012-11-22 12:04:32 +01:00
I2Stream_check_exception(m_BIO);
2013-03-11 13:45:08 +01:00
BOOST_THROW_EXCEPTION(openssl_error()
2013-03-18 17:04:22 +01:00
<< boost::errinfo_api_function("SSL_write")
2013-03-11 13:45:08 +01:00
<< errinfo_openssl_error(ERR_get_error()));
2012-07-16 00:02:31 +02:00
}
2012-04-24 14:02:15 +02:00
}
2012-07-16 00:02:31 +02:00
}
2012-04-24 14:02:15 +02:00
}
2012-05-08 15:36:28 +02:00
/**
2012-11-22 12:04:32 +01:00
* Closes the stream.
2012-05-08 15:36:28 +02:00
*/
2012-11-22 12:04:32 +01:00
void TlsStream::Close(void)
2012-04-24 16:27:23 +02:00
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-11-22 12:04:32 +01:00
if (m_SSL)
SSL_shutdown(m_SSL.get());
m_SendQueue->Close();
m_RecvQueue->Close();
2012-11-22 12:04:32 +01:00
Stream::Close();
2012-04-24 16:27:23 +02:00
}
2012-11-22 12:04:32 +01:00
size_t TlsStream::GetAvailableBytes(void) const
2012-04-24 14:02:15 +02:00
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-11-22 12:04:32 +01:00
return m_RecvQueue->GetAvailableBytes();
2012-04-24 14:02:15 +02:00
}
2012-11-22 12:04:32 +01:00
size_t TlsStream::Peek(void *buffer, size_t count)
2012-04-24 14:02:15 +02:00
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-11-22 12:04:32 +01:00
return m_RecvQueue->Peek(buffer, count);
2012-04-24 14:02:15 +02:00
}
2012-11-22 12:04:32 +01:00
size_t TlsStream::Read(void *buffer, size_t count)
2012-04-24 14:02:15 +02:00
{
2013-03-02 09:07:47 +01:00
ObjectLock olock(this);
2012-11-22 12:04:32 +01:00
return m_RecvQueue->Read(buffer, count);
2012-04-24 14:02:15 +02:00
}
2012-11-22 12:04:32 +01:00
void TlsStream::Write(const void *buffer, size_t count)
{
2013-03-02 09:07:47 +01:00
{
ObjectLock olock(this);
m_SendQueue->Write(buffer, count);
}
2012-11-22 12:04:32 +01:00
HandleIO();
}