search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Retry only for https protocol
[elinks.git] / src / network / ssl / ssl.c
blobc2683e01cbcb2b0a3b69bfb06739591a7af11beb
1 /* SSL support - wrappers for SSL routines */
2
3 #ifdef HAVE_CONFIG_H
4 #include "config.h"
5 #endif
6
7 #ifdef CONFIG_OPENSSL
8 #include <openssl/ssl.h>
9 #include <openssl/rand.h>
10 #define USE_OPENSSL
11 #elif defined(CONFIG_NSS_COMPAT_OSSL)
12 #include <nss_compat_ossl/nss_compat_ossl.h>
13 #define USE_OPENSSL
14 #elif defined(CONFIG_GNUTLS)
15 #include <gcrypt.h>
16 #include <gnutls/gnutls.h>
17 #include <gnutls/x509.h>
18 #else
19 #error "Huh?! You have SSL enabled, but not OPENSSL nor GNUTLS!! And then you want exactly *what* from me?"
20 #endif
21
22 #ifdef HAVE_LIMITS_H
23 #include <limits.h>
24 #endif
25
26 #include "elinks.h"
27
28 #include "intl/gettext/libintl.h"
29 #include "main/module.h"
30 #include "network/connection.h"
31 #include "network/socket.h"
32 #include "network/ssl/ssl.h"
33 #include "util/conv.h"
34 #include "util/error.h"
35 #include "util/string.h"
36 #include "util/random.h"
37
38
39 /* FIXME: As you can see, SSL is currently implemented in very, erm,
40 * decentralized manner. */
41
42 #ifdef USE_OPENSSL
43
44 #ifndef PATH_MAX
45 #define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */
46 #endif
47
48 static SSL_CTX *context = NULL;
49 int socket_SSL_ex_data_idx = -1;
50
51 /** Prevent SSL_dup() if the SSL is associated with struct socket.
52 * We cannot copy struct socket and it doesn't have a reference count
53 * either. */
54 static int
55 socket_SSL_ex_data_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
56 void *from_d, int idx, long argl, void *argp)
57 {
58 /* The documentation of from_d in RSA_get_ex_new_index(3)
59 * is a bit unclear. The caller does something like:
60 *
61 * void *data = CRYPTO_get_ex_data(from, idx);
62 * socket_SSL_dup(to, from, &data, idx, argl, argp);
63 * CRYPTO_set_ex_data(to, idx, data);
64 *
65 * i.e., from_d always points to a pointer, even though
66 * it is just a void * in the prototype. */
67 struct socket *socket = *(void **) from_d;
68
69 assert(idx == socket_SSL_ex_data_idx);
70 if_assert_failed return 0;
71
72 if (socket)
73 return 0; /* prevent SSL_dup() */
74 else
75 return 1; /* allow SSL_dup() */
76 }
77
78 static void
79 init_openssl(struct module *module)
80 {
81 unsigned char f_randfile[PATH_MAX];
82
83 /* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library
84 * cannot initialize the PRNG and so every attempt to use SSL fails.
85 * It's actually an OpenSSL FAQ, and according to them, it's up to the
86 * application coders to seed the RNG. -- William Yodlowsky */
87 RAND_file_name(f_randfile, sizeof(f_randfile));
88 #ifdef HAVE_RAND_EGD
89 if (RAND_egd(f_randfile) < 0) {
90 /* Not an EGD, so read and write to it */
91 #endif
92 if (RAND_load_file(f_randfile, -1))
93 RAND_write_file(f_randfile);
94 #ifdef HAVE_RAND_EGD
95 }
96 #endif
97
98 SSLeay_add_ssl_algorithms();
99 context = SSL_CTX_new(SSLv23_client_method());
100 SSL_CTX_set_options(context, SSL_OP_ALL);
101 SSL_CTX_set_default_verify_paths(context);
102 socket_SSL_ex_data_idx = SSL_get_ex_new_index(0, NULL,
103 NULL,
104 socket_SSL_ex_data_dup,
105 NULL);
106 }
107
108 static void
109 done_openssl(struct module *module)
110 {
111 if (context) SSL_CTX_free(context);
112 /* There is no function that undoes SSL_get_ex_new_index. */
113 }
114
115 static union option_info openssl_options[] = {
116 INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
117 "cert_verify", 0, 1,
118 N_("Verify the peer's SSL certificate. Note that this "
119 "needs extensive configuration of OpenSSL by the user.")),
120
121 INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
122 "client_cert", OPT_SORT,
123 N_("X509 client certificate options.")),
124
125 INIT_OPT_BOOL("connection.ssl.client_cert", N_("Enable"),
126 "enable", 0, 0,
127 N_("Enable or not the sending of X509 client certificates "
128 "to servers which request them.")),
129
130 #ifdef CONFIG_NSS_COMPAT_OSSL
131 INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
132 "nickname", 0, "",
133 N_("The nickname of the client certificate stored in NSS "
134 "database. If this value is unset, the nickname from "
135 "the X509_CLIENT_CERT variable is used instead. If you "
136 "have a PKCS#12 file containing client certificate, you "
137 "can import it into your NSS database with:\n"
138 "\n"
139 "$ pk12util -i mycert.p12 -d /path/to/database\n"
140 "\n"
141 "The NSS database location can be changed by SSL_DIR "
142 "environment variable. The database can be also shared "
143 "with Mozilla browsers.")),
144 #else
145 INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
146 "file", 0, "",
147 N_("The location of a file containing the client certificate "
148 "and unencrypted private key in PEM format. If unset, the "
149 "file pointed to by the X509_CLIENT_CERT variable is used "
150 "instead.")),
151 #endif
152
153 NULL_OPTION_INFO,
154 };
155
156 static struct module openssl_module = struct_module(
157 /* name: */ "OpenSSL",
158 /* options: */ openssl_options,
159 /* events: */ NULL,
160 /* submodules: */ NULL,
161 /* data: */ NULL,
162 /* init: */ init_openssl,
163 /* done: */ done_openssl
164 );
165
166 #elif defined(CONFIG_GNUTLS)
167
168 static gnutls_anon_client_credentials_t anon_cred = NULL;
169 static gnutls_certificate_credentials_t xcred = NULL;
170
171 #if 0
172 const static int kx_priority[16] = {
173 GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
174 /* Do not use anonymous authentication, unless you know what that means */
175 GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA_EXPORT, 0
176 };
177 const static int cipher_priority[16] = {
178 GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_ARCFOUR_128,
179 GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40, 0
180 };
181 const static int cert_type_priority[16] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
182 #endif
183
184 static void
185 init_gnutls(struct module *module)
186 {
187 int ret = gnutls_global_init();
188 unsigned char *ca_file = get_opt_str("connection.ssl.trusted_ca_file",
189 NULL);
190
191 if (ret < 0)
192 INTERNAL("GNUTLS init failed: %s", gnutls_strerror(ret));
193
194 ret = gnutls_anon_allocate_client_credentials(&anon_cred);
195 if (ret < 0)
196 INTERNAL("GNUTLS anon credentials alloc failed: %s",
197 gnutls_strerror(ret));
198
199 ret = gnutls_certificate_allocate_credentials(&xcred);
200 if (ret < 0)
201 INTERNAL("GNUTLS X509 credentials alloc failed: %s",
202 gnutls_strerror(ret));
203 /* Here, we should load certificate files etc. */
204 if (*ca_file) {
205 /* FIXME: check returned values. --witekfl */
206 gnutls_certificate_set_x509_trust_file(xcred, ca_file,
207 GNUTLS_X509_FMT_PEM);
208
209 gnutls_certificate_set_verify_flags(xcred,
210 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
211 }
212
213 }
214
215 static void
216 done_gnutls(struct module *module)
217 {
218 if (xcred) gnutls_certificate_free_credentials(xcred);
219 if (anon_cred) gnutls_anon_free_client_credentials(anon_cred);
220 gnutls_global_deinit();
221 }
222
223 static union option_info gnutls_options[] = {
224 INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
225 "cert_verify", 0, 0,
226 N_("Verify the peer's SSL certificate. If you enable "
227 "this, set also \"Trusted CA file\".")),
228
229 /* The default value of the following option points to a file
230 * generated by the ca-certificates Debian package. Don't use
231 * CONFDIR here: if someone installs ELinks in $HOME and wants
232 * to have a user-specific trust list, he or she can just
233 * change the file name via the option manager. Distributors
234 * of binary packages should of course change the default to
235 * suit their systems.
236 * TODO: If the file name is relative, look in elinks_home? */
237 INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
238 "trusted_ca_file", 0, "/etc/ssl/certs/ca-certificates.crt",
239 N_("The location of a file containing certificates of "
240 "trusted certification authorities in PEM format. "
241 "ELinks then trusts certificates issued by these CAs.\n"
242 "\n"
243 "If you change this option or the file, you must "
244 "restart ELinks for the changes to take effect. "
245 "This option affects GnuTLS but not OpenSSL.")),
246
247 NULL_OPTION_INFO,
248 };
249
250 static struct module gnutls_module = struct_module(
251 /* name: */ "GnuTLS",
252 /* options: */ gnutls_options,
253 /* events: */ NULL,
254 /* submodules: */ NULL,
255 /* data: */ NULL,
256 /* init: */ init_gnutls,
257 /* done: */ done_gnutls
258 );
259
260 #endif /* USE_OPENSSL or CONFIG_GNUTLS */
261
262 static union option_info ssl_options[] = {
263 INIT_OPT_TREE("connection", N_("SSL"),
264 "ssl", OPT_SORT,
265 N_("SSL options.")),
266
267 NULL_OPTION_INFO,
268 };
269
270 static struct module *ssl_modules[] = {
271 #ifdef USE_OPENSSL
272 &openssl_module,
273 #elif defined(CONFIG_GNUTLS)
274 &gnutls_module,
275 #endif
276 NULL,
277 };
278
279 struct module ssl_module = struct_module(
280 /* name: */ N_("SSL"),
281 /* options: */ ssl_options,
282 /* events: */ NULL,
283 /* submodules: */ ssl_modules,
284 /* data: */ NULL,
285 /* init: */ NULL,
286 /* done: */ NULL
287 );
288
289 int
290 init_ssl_connection(struct socket *socket,
291 const unsigned char *server_name)
292 {
293 #ifdef USE_OPENSSL
294 socket->ssl = SSL_new(context);
295 if (!socket->ssl) return S_SSL_ERROR;
296
297 if (!SSL_set_ex_data(socket->ssl, socket_SSL_ex_data_idx, socket)) {
298 SSL_free(socket->ssl);
299 socket->ssl = NULL;
300 return S_SSL_ERROR;
301 }
302
303 /* If the server name is known, pass it to OpenSSL.
304 *
305 * The return value of SSL_set_tlsext_host_name is not
306 * documented. The source shows that it returns 1 if
307 * successful; on error, it calls SSLerr and returns 0. */
308 if (server_name
309 && !SSL_set_tlsext_host_name(socket->ssl, server_name)) {
310 SSL_free(socket->ssl);
311 socket->ssl = NULL;
312 return S_SSL_ERROR;
313 }
314
315 #elif defined(CONFIG_GNUTLS)
316 ssl_t *state = mem_alloc(sizeof(ssl_t));
317
318 if (!state) return S_SSL_ERROR;
319
320 if (gnutls_init(state, GNUTLS_CLIENT) < 0) {
321 /* DBG("sslinit %s", gnutls_strerror(ret)); */
322 mem_free(state);
323 return S_SSL_ERROR;
324 }
325
326 if (gnutls_cred_set(*state, GNUTLS_CRD_ANON, anon_cred) < 0) {
327 /* DBG("sslanoncred %s", gnutls_strerror(ret)); */
328 gnutls_deinit(*state);
329 mem_free(state);
330 return S_SSL_ERROR;
331 }
332
333 if (gnutls_cred_set(*state, GNUTLS_CRD_CERTIFICATE, xcred) < 0) {
334 /* DBG("sslx509cred %s", gnutls_strerror(ret)); */
335 gnutls_deinit(*state);
336 mem_free(state);
337 return S_SSL_ERROR;
338 }
339
340 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
341 /* Disable OpenPGP certificates because they are not widely
342 * used and ELinks does not yet support verifying them.
343 * Besides, in GnuTLS < 2.4.0, they require the gnutls-extra
344 * library, whose GPLv3+ is not compatible with GPLv2 of
345 * ELinks.
346 *
347 * Disable TLS1.1 because https://bugzilla.novell.com/ does
348 * not reply to it and leaves the connection open so that
349 * ELinks does not detect an SSL error but rather times out.
350 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528661#25
351 *
352 * There is another gnutls_priority_set_direct call elsewhere
353 * in ELinks. If you change the priorities here, please check
354 * whether that one needs to be changed as well. */
355 if (gnutls_priority_set_direct(*state,
356 "NORMAL:-CTYPE-OPENPGP:-VERS-TLS1.1:-VERS-SSL3.0",
357 NULL)) {
358 gnutls_deinit(*state);
359 mem_free(state);
360 return S_SSL_ERROR;
361 }
362 #else
363 gnutls_set_default_priority(*state);
364 #endif
365 #if 0
366 /* Deprecated functions */
367 /* gnutls_handshake_set_private_extensions(*state, 1); */
368 gnutls_cipher_set_priority(*state, cipher_priority);
369 gnutls_kx_set_priority(*state, kx_priority);
370 /* gnutls_certificate_type_set_priority(*state, cert_type_priority); */
371 #endif
372
373 if (server_name
374 && gnutls_server_name_set(*state, GNUTLS_NAME_DNS, server_name,
375 strlen(server_name))) {
376 gnutls_deinit(*state);
377 mem_free(state);
378 return S_SSL_ERROR;
379 }
380
381 socket->ssl = state;
382 #endif
383
384 return S_OK;
385 }
386
387 void
388 done_ssl_connection(struct socket *socket)
389 {
390 ssl_t *ssl = socket->ssl;
391
392 if (!ssl) return;
393 #ifdef USE_OPENSSL
394 SSL_free(ssl);
395 #elif defined(CONFIG_GNUTLS)
396 gnutls_deinit(*ssl);
397 mem_free(ssl);
398 #endif
399 socket->ssl = NULL;
400 }
401
402 unsigned char *
403 get_ssl_connection_cipher(struct socket *socket)
404 {
405 ssl_t *ssl = socket->ssl;
406 struct string str;
407
408 if (!init_string(&str)) return NULL;
409
410 #ifdef USE_OPENSSL
411 add_format_to_string(&str, "%ld-bit %s %s",
412 SSL_get_cipher_bits(ssl, NULL),
413 SSL_get_cipher_version(ssl),
414 SSL_get_cipher_name(ssl));
415 #elif defined(CONFIG_GNUTLS)
416 /* XXX: How to get other relevant parameters? */
417 add_format_to_string(&str, "%s - %s - %s - %s - %s (compr: %s)",
418 gnutls_protocol_get_name(gnutls_protocol_get_version(*ssl)),
419 gnutls_kx_get_name(gnutls_kx_get(*ssl)),
420 gnutls_cipher_get_name(gnutls_cipher_get(*ssl)),
421 gnutls_mac_get_name(gnutls_mac_get(*ssl)),
422 gnutls_certificate_type_get_name(gnutls_certificate_type_get(*ssl)),
423 gnutls_compression_get_name(gnutls_compression_get(*ssl)));
424 #endif
425
426 return str.source;
427 }
428
429 /* When CONFIG_SSL is defined, this implementation replaces the one in
430 * src/util/random.c. */
431 void
432 random_nonce(unsigned char buf[], size_t size)
433 {
434 #ifdef USE_OPENSSL
435 RAND_pseudo_bytes(buf, size);
436 #elif defined(CONFIG_GNUTLS)
437 gcry_create_nonce(buf, size);
438 #else
439 # error unsupported SSL library
440 #endif
441 }
The ultimate text WWW browser