search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CyaSSL configure: disable examples and tests, fix zlib test
[tomato.git] / release / src / router / mssl / mssl.c
blob94603307f5edc49cc662d9ba57dfd18e1b366406
1 /*
2
3 Minimal MatrixSSL Helper
4 Copyright (C) 2006-2009 Jonathan Zarate
5
6 Licensed under GNU GPL v2 or later.
7
8 */
9
10 #define _GNU_SOURCE
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include <unistd.h>
15 #include <syslog.h>
16 #include <sys/socket.h>
17 #include <fcntl.h>
18 #include <stdarg.h>
19 #include <netinet/in.h>
20 #include <stdint.h>
21 #include <errno.h>
22
23 #include "matrixSsl.h"
24 /*
25 #include "mssl.h"
26 */
27
28 #define _dprintf(args...) while (0) {}
29
30 typedef struct {
31 ssl_t *ssl;
32 sslBuf_t inbuf; // buffer for decoded data
33 sslBuf_t insock; // buffer for recv() data
34 sslBuf_t outsock; // buffer for send() data
35 int sslend;
36 int outbufcnt;
37 int sd;
38 } mssl_cookie_t;
39
40 static sslKeys_t *keys;
41
42
43
44 static inline int sb_used(sslBuf_t *b)
45 {
46 return b->end - b->start;
47 }
48
49 static inline int sb_unused(sslBuf_t *b)
50 {
51 return (b->buf + b->size) - b->end;
52 }
53
54 static inline void sb_free(sslBuf_t *b)
55 {
56 free(b->buf);
57 b->start = b->end = b->buf = NULL;
58 b->size = 0;
59 }
60
61 // - expects ->buf to be valid or NULL
62 // - malloc error is fatal
63 static inline int sb_alloc(sslBuf_t *b, int size)
64 {
65 _dprintf("%s()\n", __FUNCTION__);
66 void *p = NULL;
67
68 //sb_free(b);
69 if (size > 0) {
70 if ((p = malloc(size)) == NULL) {
71 syslog(LOG_CRIT, "Not enough memory");
72 exit(1);
73 }
74 }
75 b->start = b->end = b->buf = p;
76 b->size = size;
77 return 1;
78 }
79
80 // - expects ->buf to be valid or NULL
81 // - malloc error is fatal
82 static inline int sb_realloc(sslBuf_t *b, int size)
83 {
84 _dprintf("%s()\n", __FUNCTION__);
85 void *p;
86
87 if ((p = realloc(b->buf, size)) == NULL) {
88 syslog(LOG_CRIT, "Not enough memory");
89 exit(1);
90 }
91 b->start = p + (b->start - b->buf);
92 b->end = p + (b->end - b->buf);
93 b->buf = p;
94 b->size = size;
95 return 1;
96 }
97
98 static inline void sb_pack(sslBuf_t *b)
99 {
100 _dprintf("%s()\n", __FUNCTION__);
101 if (b->buf < b->start) {
102 if (b->start == b->end) {
103 b->start = b->end = b->buf;
104 }
105 else {
106 memmove(b->buf, b->start, sb_used(b));
107 b->end -= b->start - b->buf;
108 b->start = b->buf;
109 }
110 }
111 }
112
113 static inline int sb_read(sslBuf_t *b, unsigned char *buf, int len)
114 {
115 _dprintf("%s()\n", __FUNCTION__);
116 int n;
117 n = min(sb_used(b), len);
118 memcpy(buf, b->start, n);
119 b->start += n;
120 if (b->start == b->end) b->start = b->end = b->buf;
121 return n;
122 }
123
124
125 // -----------------------------------------------------------------------------
126
127
128 static ssize_t mssl_read(void *cookie, char *buf, size_t len)
129 {
130 mssl_cookie_t *kuki = cookie;
131 int r;
132 unsigned char err, alevel, adesc;
133
134 _dprintf("%s\n", __FUNCTION__);
135 kuki->sslend = 0;
136 if (kuki->ssl == NULL || len <= 0) {
137 return -1;
138 }
139
140 /*
141 If inbuf is valid, then we have previously decoded data that must be
142 returned, return as much as possible. Once all buffered data is
143 returned, free the inbuf.
144 */
145 if (kuki->inbuf.buf) {
146 if (kuki->inbuf.start < kuki->inbuf.end) {
147 r = sb_read(&(kuki->inbuf), buf, len);
148 _dprintf("sb_read r=%d\n", r);
149 return r;
150 }
151 sb_free(&(kuki->inbuf));
152 }
153
154 /* Pack the buffered socket data (if any) so that start is at zero. */
155 sb_pack(&(kuki->insock));
156
157 /*
158 Read up to as many bytes as there are remaining in the buffer. We could
159 Have encrypted data already cached in conn->insock, but might as well read more
160 if we can.
161 */
162 if (kuki->insock.start == kuki->insock.end) {
163 READ:
164 _dprintf("READ\n");
165
166 while ((r = recv(kuki->sd, kuki->insock.end, sb_unused(&kuki->insock), 0)) == -1) {
167 if (errno != EINTR) {
168 _dprintf("recv failed errno=%d\n", errno);
169 return -1;
170 }
171 }
172 if (r == 0) {
173 kuki->sslend = 1;
174 return 0;
175 }
176 kuki->insock.end += r;
177 }
178
179 /* Define a temporary sslBuf */
180 if (kuki->inbuf.buf == (unsigned char*)buf) kuki->inbuf.buf = NULL;
181 sb_alloc(&(kuki->inbuf), len);
182
183 DECODE:
184 _dprintf("DECODE\n");
185
186 /* Decode the data we just read from the socket */
187 err = 0;
188 alevel = 0;
189 adesc = 0;
190
191 r = matrixSslDecode(kuki->ssl, &kuki->insock, &kuki->inbuf, &err, &alevel, &adesc);
192 switch (r) {
193 case SSL_SUCCESS:
194 /* Successfully decoded an application data record, and placed in tmp buf */
195 _dprintf("SSL_SUCCESS\n");
196 return 0;
197 case SSL_PROCESS_DATA:
198 /*
199 Copy as much as we can from the temp buffer into the caller's buffer
200 and leave the remainder in conn->inbuf until the next call to read
201 It is possible that len > data in buffer if the encoded record
202 was longer than len, but the decoded record isn't!
203 */
204 _dprintf("SSL_PROCESS_DATA\n");
205
206 r = sb_used(&kuki->inbuf);
207 _dprintf(" r = %d len = %d\n", r, len);
208 r = min(r, len);
209 memcpy(buf, kuki->inbuf.start, r);
210 kuki->inbuf.start += r;
211 return r;
212 case SSL_SEND_RESPONSE:
213 /*
214 We've decoded a record that requires a response into tmp
215 If there is no data to be flushed in the out buffer, we can write out
216 the contents of the tmp buffer. Otherwise, we need to append the data
217 to the outgoing data buffer and flush it out.
218 */
219 _dprintf("SSL_SEND_RESPONSE\n");
220 _dprintf("send %d\n", sb_used(&kuki->inbuf));
221
222 while ((r = send(kuki->sd, (char *)kuki->inbuf.start, sb_used(&kuki->inbuf), MSG_NOSIGNAL)) == -1) {
223 if (errno != EINTR) {
224 _dprintf("send error\n");
225 goto readError;
226 }
227 }
228 kuki->inbuf.start += r;
229 if (kuki->inbuf.start != kuki->inbuf.end) {
230 _dprintf("inbuf.start != inbuf.end\n");
231 }
232 kuki->inbuf.start = kuki->inbuf.end = kuki->inbuf.buf;
233 return 0;
234 case SSL_ERROR:
235 /*
236 There was an error decoding the data, or encoding the out buffer.
237 There may be a response data in the out buffer, so try to send.
238 We try a single hail-mary send of the data, and then close the socket.
239 Since we're closing on error, we don't worry too much about a clean flush.
240 */
241 _dprintf("ssl error %d\n", err);
242
243 if (kuki->inbuf.start < kuki->inbuf.end) {
244 fcntl(kuki->sd, F_SETFL, fcntl(kuki->sd, F_GETFL) | O_NONBLOCK);
245 send(kuki->sd, kuki->inbuf.start, sb_used(&kuki->inbuf), MSG_NOSIGNAL);
246 }
247 errno = EIO;
248 goto readError;
249 case SSL_ALERT:
250 /*
251 We've decoded an alert. The level and description passed into
252 matrixSslDecode are filled in with the specifics.
253 */
254 _dprintf("SSL_ALERT\n");
255
256 if (adesc == SSL_ALERT_CLOSE_NOTIFY) {
257 kuki->sslend = 1;
258 goto readZero;
259 }
260
261 _dprintf("ssl closing on alert level=%d desc=%d\n", alevel, adesc);
262 errno = EIO;
263 goto readError;
264 case SSL_PARTIAL:
265 /*
266 We have a partial record, we need to read more data off the socket.
267 If we have a completely full conn->insock buffer, we'll need to grow it
268 here so that we CAN read more data when called the next time.
269 */
270 _dprintf("SSL_PARTIAL insock.size=%d %d\n", kuki->insock.size, SSL_MAX_BUF_SIZE);
271
272 if ((kuki->insock.start == kuki->insock.buf) && (kuki->insock.end == (kuki->insock.buf + kuki->insock.size))) {
273 if (kuki->insock.size > SSL_MAX_BUF_SIZE)
274 goto readError;
275 sb_realloc(&kuki->insock, kuki->insock.size * 2);
276 }
277
278 if (kuki->inbuf.start != kuki->inbuf.end) {
279 _dprintf("!! inbuf.start != inbuf.end\n");
280 }
281
282 sb_free(&kuki->inbuf);
283 goto READ;
284 case SSL_FULL:
285 /*
286 The out buffer is too small to fit the decoded or response
287 data. Increase the size of the buffer and call decode again
288 */
289 _dprintf("SSL_FULL\n");
290
291 if (kuki->inbuf.buf == (unsigned char*)buf) kuki->inbuf.buf = NULL;
292 sb_alloc(&(kuki->inbuf), kuki->inbuf.size * 2);
293 goto DECODE;
294 }
295
296 /*
297 We consolidated some of the returns here because we must ensure
298 that conn->inbuf is cleared if pointing at caller's buffer, otherwise
299 it will be freed later on.
300 */
301 readZero:
302 if (kuki->inbuf.buf == (unsigned char*)buf) {
303 kuki->inbuf.buf = NULL;
304 }
305 return 0;
306 readError:
307 if (kuki->inbuf.buf == (unsigned char*)buf) {
308 kuki->inbuf.buf = NULL;
309 }
310 return -1;
311 }
312
313 static int _socket_write(int sd, sslBuf_t *out)
314 {
315 _dprintf("%s\n", __FUNCTION__);
316
317 unsigned char *s;
318 int r;
319
320 s = out->start;
321 while (out->start < out->end) {
322 while ((r = send(sd, out->start, sb_used(out), MSG_NOSIGNAL)) == -1) {
323 if (errno != EINTR) {
324 _dprintf("send error %d\n", errno);
325 return -1;
326 }
327 }
328 out->start += r;
329 }
330 return (int)(out->start - s);
331 }
332
333 static ssize_t _mssl_write(void *cookie, const char *buf, size_t len)
334 {
335 mssl_cookie_t *kuki = cookie;
336 int r;
337
338 _dprintf("%s(len=%d), outbufcnt=%d\n", __FUNCTION__, len, kuki->outbufcnt);
339
340 kuki->sslend = 0;
341 /* Pack the buffered socket data (if any) so that start is at zero. */
342 sb_pack(&kuki->outsock);
343
344 /*
345 If there is buffered output data, the caller must be trying to
346 send the same amount of data as last time. We don't support
347 sending additional data until the original buffered request has
348 been completely sent.
349 */
350 if (kuki->outbufcnt > 0 && len != kuki->outbufcnt)
351 return -1;
352
353 /* Encode the caller's data */
354 if (kuki->outbufcnt == 0) {
355 RETRY:
356 r = matrixSslEncode(kuki->ssl, (unsigned char *)buf, len, &kuki->outsock);
357 _dprintf("%s: encode r=%d\n", __FUNCTION__, r);
358 switch (r) {
359 case SSL_ERROR:
360 errno = EIO;
361 _dprintf("SSL_ERROR\n");
362 return -1;
363 case SSL_FULL:
364 if (kuki->outsock.size > SSL_MAX_BUF_SIZE) {
365 errno = EFBIG;
366 _dprintf("outsock.size > max\n");
367 return -1;
368 }
369 sb_realloc(&kuki->outsock, kuki->outsock.size * 2);
370 goto RETRY;
371 }
372 }
373
374 /* We've got data to send. */
375 _dprintf("%s: sending %d bytes\n", __FUNCTION__, sb_used(&kuki->outsock));
376 while ((r = send(kuki->sd, kuki->outsock.start, sb_used(&kuki->outsock), MSG_NOSIGNAL)) == -1) {
377 if (errno != EINTR) {
378 _dprintf("send error %d\n", errno);
379 return -1;
380 }
381 }
382 kuki->outsock.start += r;
383
384 /*
385 If we wrote it all return the length, otherwise remember the number of
386 bytes passed in, and return 0 to be called again later.
387 */
388 _dprintf("exiting %s(): outbufcnt=%d, len=%d\n", __FUNCTION__, kuki->outbufcnt, len);
389 if (kuki->outsock.start == kuki->outsock.end) {
390 kuki->outbufcnt = 0;
391 return len;
392 }
393 kuki->outbufcnt = len;
394 return 0;
395 }
396
397 static ssize_t mssl_write(void *cookie, const char *buf, size_t len)
398 {
399 _dprintf("%s\n", __FUNCTION__);
400
401 int r = 0;
402 int sum = 0;
403 int offset = 0;
404 int maxwrite = SSL_MAX_BUF_SIZE / 2;
405
406 if (len > maxwrite) {
407 while (offset < len && r >= 0) {
408 r = 0;
409 while (r == 0) {
410 r = _mssl_write(cookie, (char*)(buf + offset), min(len - offset, maxwrite));
411 }
412 _dprintf("multiple write: r = %d\n", r);
413 sum += r;
414 offset += maxwrite;
415 }
416 if (r < 0) sum = r;
417 }
418 else {
419 while (r == 0) {
420 r = _mssl_write(cookie, buf, len);
421 _dprintf("single write: r = %d\n", r);
422 }
423 sum = r;
424 }
425 return sum;
426 }
427
428 static int mssl_seek(void *cookie, __offmax_t *pos, int whence)
429 {
430 _dprintf("%s()\n", __FUNCTION__);
431 errno = EIO;
432 return -1;
433 }
434
435 static int mssl_close(void *cookie)
436 {
437 mssl_cookie_t *kuki = cookie;
438
439 _dprintf("%s()\n", __FUNCTION__);
440
441 if (!kuki) return 0;
442
443 if (kuki->ssl) {
444 if (kuki->outsock.buf) {
445 sb_pack(&kuki->outsock);
446 _socket_write(kuki->sd, &(kuki->outsock));
447
448 kuki->outsock.start = kuki->outsock.end = kuki->outsock.buf;
449 matrixSslEncodeClosureAlert(kuki->ssl, &kuki->outsock);
450 fcntl(kuki->sd, F_SETFL, fcntl(kuki->sd, F_GETFL) | O_NONBLOCK);
451 send(kuki->sd, kuki->outsock.start, sb_used(&kuki->outsock), MSG_NOSIGNAL);
452 }
453
454 matrixSslDeleteSession(kuki->ssl);
455 kuki->ssl = NULL;
456 }
457 sb_free(&kuki->inbuf);
458 sb_free(&kuki->insock);
459 sb_free(&kuki->outsock);
460
461 free(kuki);
462 return 0;
463 }
464
465 static int cert_valid(sslCertInfo_t *cert, void *arg)
466 {
467 // note: no validation!
468 return SSL_ALLOW_ANON_CONNECTION;
469 }
470
471 static const cookie_io_functions_t mssl = {
472 mssl_read, mssl_write, mssl_seek, mssl_close
473 };
474
475 static FILE *_ssl_fopen(int sd, int client)
476 {
477 unsigned char buf[1024];
478 int r;
479 int n;
480 mssl_cookie_t *kuki;
481 FILE *f;
482
483 _dprintf("%s()\n", __FUNCTION__);
484
485 if ((kuki = calloc(1, sizeof(*kuki))) == NULL) {
486 errno = ENOMEM;
487 return NULL;
488 }
489 kuki->sd = sd;
490 kuki->outbufcnt = 0;
491
492 if (matrixSslNewSession(&(kuki->ssl), keys, NULL, client ? 0 : SSL_FLAGS_SERVER) < 0) {
493 _dprintf("%s: matrixSslNewSession failed\n", __FUNCTION__);
494 goto ERROR;
495 }
496
497 sb_alloc(&(kuki->insock), 1024);
498 sb_alloc(&(kuki->outsock), 2048);
499 sb_alloc(&(kuki->inbuf), 0);
500
501 if (client) {
502 matrixSslSetCertValidator(kuki->ssl, cert_valid, keys);
503
504 n = matrixSslEncodeClientHello(kuki->ssl, &(kuki->outsock), 0);
505 if (n < 0) {
506 _dprintf("%s: matrixSslEncodeClientHello failed\n", __FUNCTION__);
507 goto ERROR;
508 }
509 if (_socket_write(kuki->sd, &(kuki->outsock)) < 0) {
510 _dprintf("%s: error while writing HELLO\n", __FUNCTION__);
511 goto ERROR;
512 }
513 kuki->outsock.start = kuki->outsock.end = kuki->outsock.buf;
514 }
515
516 MORE:
517 r = mssl_read(kuki, buf, sizeof(buf));
518 if (r > 0 || (r == 0 && matrixSslHandshakeIsComplete(kuki->ssl) == 0)) {
519 if (kuki->sslend) {
520 _dprintf("%s: end reached\n", __FUNCTION__);
521 errno = EIO;
522 goto ERROR;
523 }
524 _dprintf("%s: =0 goto more\n", __FUNCTION__);
525 goto MORE;
526 }
527 else if (r < 0) {
528 _dprintf("%s: read error r=%d errno=%d\n", __FUNCTION__, r, errno);
529 errno = EIO;
530 goto ERROR;
531 }
532
533 if ((f = fopencookie(kuki, "r+", mssl)) == NULL) {
534 _dprintf("%s: fopencookie failed\n", __FUNCTION__);
535 goto ERROR;
536 }
537 return f;
538
539 ERROR:
540 mssl_close(kuki);
541 return NULL;
542 }
543
544 FILE *ssl_server_fopen(int sd)
545 {
546 _dprintf("%s()\n", __FUNCTION__);
547 return _ssl_fopen(sd, 0);
548 }
549
550 FILE *ssl_client_fopen(int sd)
551 {
552 _dprintf("%s()\n", __FUNCTION__);
553 return _ssl_fopen(sd, 1);
554 }
555
556 int mssl_init(char *cert, char *priv)
557 {
558 _dprintf("%s()\n", __FUNCTION__);
559 if (matrixSslOpen() < 0) {
560 _dprintf("matrixSslOpen failed");
561 return 0;
562 }
563 if (matrixSslReadKeys(&keys, cert, priv, NULL, NULL) < 0) {
564 matrixSslClose();
565 _dprintf("matrixSslReadKeys failed");
566 return 0;
567 }
568 return 1;
569 }
Tomato firmware and modifications.