Update of /cvsroot/aolserver/nsopenssl In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26018 Modified Files: ChangeLog TODO nsopenssl.c nsopenssl.h ssl.c sslcontext.c tclcmds.c Added Files: defaults.h Log Message: Minor modifications, major cleanups. --- NEW FILE: defaults.h --- /* * Defaults Settings */ /* Turn this on to show debug info */ //#define DEBUG_NSOPENSSL 1 #define MODULE "nsopenssl" #define MODULE_SHORT "ssl" #define SERVER_ROLE 1 #define CLIENT_ROLE 0 #define DEFAULT_PROTOCOLS "All" #define DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST #define DEFAULT_CERT_FILE "certificate.pem" #define DEFAULT_KEY_FILE "key.pem" #define DEFAULT_CA_FILE "ca.pem" #define DEFAULT_CA_DIR "ca" #define DEFAULT_PEER_VERIFY NS_FALSE #define DEFAULT_PEER_VERIFY_DEPTH 3 #define DEFAULT_SESSION_CACHE NS_TRUE #define DEFAULT_SESSION_CACHE_SIZE 128 #define DEFAULT_SESSION_CACHE_TIMEOUT 300 #define DEFAULT_TRACE NS_FALSE #define DEFAULT_TIMEOUT 30 #define DEFAULT_BUFFER_SIZE 16384 #define DEFAULT_SEEDBYTES 1024 #define DEFAULT_MAXBYTES 1024000 #define DEFAULT_SENDWAIT 60 #define DEFAULT_RECVWAIT 60 #define CONFIG_MODULE_DIR "ModuleDir" #define CONFIG_RANDOM_FILE "RandomFile" #define CONFIG_SEEDBYTES "SeedBytes" Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.103 retrieving revision 1.104 diff -C2 -d -r1.103 -r1.104 *** ChangeLog 5 Apr 2004 02:15:33 -0000 1.103 --- ChangeLog 9 Apr 2004 16:30:56 -0000 1.104 *************** *** 1,4 **** --- 1,20 ---- + 2004-04-09 Scott Goodwin <sc...@sc...> + + * All: Lot's of cleanup, deleting old comments, restructing some code. + + * defaults.h, nsopenssl.h: Pulled default defines out of nsopenssl.h and + into separate defaults.h file. + + * nsopenssl.h, ssl.c: Added DEBUG_NSOPENSSL define: uncomment it to dump + more info to log; comment out for production runs. Recompilation + necessary. 
+ + * sslcontext: fixed SSLContextCacheInit to take into account the + context's server / client role. + 2004-04-04 Scott Goodwin <sc...@sc...> + * Tagged: 3_0beta19 + * nsopenssl.h, ssl.c, tclcmds.c, https.tcl: Cleaned up CreateTclChannel. This affects calls to ns_openssl_sockopen and friends: the number of Index: TODO =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/TODO,v retrieving revision 1.39 retrieving revision 1.40 diff -C2 -d -r1.39 -r1.40 *** TODO 15 Feb 2004 18:32:24 -0000 1.39 --- TODO 9 Apr 2004 16:30:56 -0000 1.40 *************** *** 1,4 **** --- 1,8 ---- TODO for nsopenssl: + - Make library loadable into tclsh + - Make ns_openssl commands available to Tcl API conns + - + nsopenssl 3.0 release: - Ensure sslcontexts are not NULL before accessing (mostly tclcmds.c) Index: nsopenssl.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/nsopenssl.c,v retrieving revision 1.71 retrieving revision 1.72 diff -C2 -d -r1.71 -r1.72 *** nsopenssl.c 27 Mar 2004 04:54:40 -0000 1.71 --- nsopenssl.c 9 Apr 2004 16:30:56 -0000 1.72 *************** *** 235,248 **** Ns_DStringInit(&ds); - thisServer = ns_malloc(sizeof(Server)); ! if (thisServer == NULL) Ns_Log(Fatal, "%s (%s): memory allocation failed"); ! thisServer->server = server; thisServer->defaultservercontext = NULL; thisServer->defaultclientcontext = NULL; thisServer->nextSessionCacheId = 1; - Ns_MutexInit(&thisServer->lock); Ns_DStringPrintf(&ds, "server:%s", server); --- 235,246 ---- Ns_DStringInit(&ds); thisServer = ns_malloc(sizeof(Server)); ! if (thisServer == NULL) { Ns_Log(Fatal, "%s (%s): memory allocation failed"); ! 
} thisServer->server = server; thisServer->defaultservercontext = NULL; thisServer->defaultclientcontext = NULL; thisServer->nextSessionCacheId = 1; Ns_MutexInit(&thisServer->lock); Ns_DStringPrintf(&ds, "server:%s", server); *************** *** 252,256 **** ns_free(lockName); lockName = NULL; - hPtr = Tcl_CreateHashEntry(&NsOpenSSLServers, server, &new); Tcl_SetHashValue(hPtr, thisServer); --- 250,253 ---- *************** *** 306,310 **** return; } - for (i = 0; i < Ns_SetSize(sslcontexts); ++i) { name = Ns_SetKey(sslcontexts, i); --- 303,306 ---- *************** *** 326,330 **** path = Ns_ConfigGetPath(server, MODULE, "defaults", NULL); defaults = Ns_ConfigGetSection(path); - if (defaults == NULL) { Ns_Log(Notice, "%s (%s): no default SSL contexts defined for this server", --- 322,325 ---- *************** *** 332,342 **** return; } - for (i = 0; i < Ns_SetSize(defaults); ++i) { name = Ns_SetKey(defaults, i); value = Ns_ConfigGetValue(path, name); - - //Ns_Log(Debug, "LoadSSLContexts: default context name = (%s), value = (%s)", name, value); - sslcontext = Ns_OpenSSLServerSSLContextGet(server, value); if (sslcontext != NULL) { --- 327,333 ---- *************** *** 402,406 **** return NULL; } - sslcontext = NsOpenSSLContextCreate(server, name); --- 393,396 ---- *************** *** 434,438 **** NsOpenSSLContextCertFileSet(server, sslcontext, certFile); } - keyFile = Ns_ConfigGetValue(path, "keyfile"); if (keyFile != NULL) { --- 424,427 ---- *************** *** 448,452 **** NsOpenSSLContextProtocolsSet(server, sslcontext, protocols); } - cipherSuite = Ns_ConfigGetValue(path, "ciphersuite"); if (cipherSuite != NULL) { --- 437,440 ---- *************** *** 464,468 **** NsOpenSSLContextCAFileSet(server, sslcontext, caFile); } - caDir = Ns_ConfigGetValue(path, "cadir"); if (caDir != NULL) { --- 452,455 ---- *************** *** 498,506 **** NsOpenSSLContextSessionCacheSet(server, sslcontext, sessionCache); } - if (Ns_ConfigGetInt(path, "sessioncachesize", &sessionCacheSize) 
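Review bot: `Ns_Log(Fatal, "%s (%s): memory allocation failed");` on the new side of the 235,248 hunk still carries two `%s` conversions and no arguments, so the formatter reads two arbitrary pointers off the argument area (undefined behavior) at the very moment the server is already out of memory. The commit only wraps the call in braces; it should also pass the arguments every sibling message in this file uses, `Ns_Log(Fatal, "%s (%s): memory allocation failed", MODULE, server);`. The enclosing function starts before this hunk.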
== NS_TRUE) { NsOpenSSLContextSessionCacheSizeSet(server, sslcontext, sessionCacheSize); } - if (Ns_ConfigGetInt(path, "sessioncachetimeout", &sessionCacheTimeout) == NS_TRUE) { NsOpenSSLContextSessionCacheTimeoutSet(server, sslcontext, sessionCacheTimeout); --- 485,491 ---- *************** *** 543,549 **** char *server = (char *) arg; - /* XXX Ns_RegisterAtShutdown isn't calling this function at shutdown time */ - /* XXX in AOLserver 4.0. */ - Ns_Log(Notice, "Shutdown called for server %s", server); --- 528,531 ---- *************** *** 558,562 **** */ - return; } --- 540,543 ---- *************** *** 598,605 **** Ns_Log(Warning, "%s: OpenSSL memory callbacks failed in InitOpenSSL", MODULE); - num_locks = CRYPTO_num_locks(); locks = ns_calloc(num_locks, sizeof(*locks)); - for (i = 0; i < num_locks; i++) { Ns_DStringPrintf(&ds, "crypto:%d", i); --- 579,584 ---- *************** *** 610,616 **** lockName = NULL; } - Ns_DStringFree(&ds); - CRYPTO_set_locking_callback(ThreadLockCallback); CRYPTO_set_id_callback(ThreadIdCallback); --- 589,593 ---- *************** *** 634,638 **** SeedPRNG(); } - if (! 
RAND_status()) { Ns_Log(Warning, "%s: PRNG fails to have enough entropy after %d tries", --- 611,614 ---- *************** *** 681,691 **** return NS_TRUE; } - path = Ns_ConfigGetPath(MODULE, NULL); - if (Ns_ConfigGetInt(path, "seedbytes", &seedBytes) == NS_FALSE) { seedBytes = DEFAULT_SEEDBYTES; } - if (Ns_ConfigGetInt(path, "maxbytes", &maxBytes) == NS_FALSE) { maxBytes = DEFAULT_MAXBYTES; --- 657,664 ---- *************** *** 709,713 **** Ns_Log(Warning, "%s: No randomFile set and/or found", MODULE); } - if (RAND_status()) { return NS_TRUE; --- 682,685 ---- *************** *** 721,733 **** buf_ptr = Ns_Malloc(size); bufoffset_ptr = buf_ptr; - for (i = 0; i < seedBytes; i++) { *bufoffset_ptr = Ns_DRand(); bufoffset_ptr++; } - RAND_add(buf_ptr, seedBytes, (double) seedBytes); ns_free(buf_ptr); - if (!RAND_status()) { Ns_Log(Warning, "%s: failed to seed PRNG", MODULE); --- 693,702 ---- *************** *** 812,820 **** Ns_DStringInit(&ds); - lock = ns_calloc(1, sizeof(*lock)); Ns_DStringVarAppend(&ds, "openssl: ", file, ": "); Ns_DStringPrintf(&ds, "%d", line); Ns_MutexSetName2(lock, MODULE, Ns_DStringValue(&ds)); return (struct CRYPTO_dynlock_value *) lock; } --- 781,789 ---- Ns_DStringInit(&ds); lock = ns_calloc(1, sizeof(*lock)); Ns_DStringVarAppend(&ds, "openssl: ", file, ": "); Ns_DStringPrintf(&ds, "%d", line); Ns_MutexSetName2(lock, MODULE, Ns_DStringValue(&ds)); + return (struct CRYPTO_dynlock_value *) lock; } *************** *** 902,906 **** path = Ns_ConfigGetPath(server, MODULE, "ssldrivers", NULL); ssldrivers = Ns_ConfigGetSection(path); - if (ssldrivers == NULL) { Ns_Log(Notice, "%s (%s): no SSL drivers defined for this server", --- 871,874 ---- *************** *** 908,916 **** return; } - for (i = 0; i < Ns_SetSize(ssldrivers); ++i) { name = Ns_SetKey(ssldrivers, i); Ns_Log(Notice, "%s (%s): loading '%s' SSL driver", MODULE, server, name); - path = Ns_ConfigGetPath(server, MODULE, "ssldriver", name, NULL); if (path == NULL) { --- 876,882 ---- 
*************** *** 919,923 **** continue; } - sslcontextname = Ns_ConfigGetValue(path, "sslcontext"); if (sslcontextname == NULL) { --- 885,888 ---- *************** *** 938,944 **** ssldriver = ns_calloc(1, sizeof(NsOpenSSLDriver)); - - //Ns_Log(Debug, "LoadSSLDrivers: ssldriver = (%p)", ssldriver); - ssldriver->server = server; ssldriver->sslcontext = sslcontext; --- 903,906 ---- *************** *** 946,950 **** ssldriver->path = path; ssldriver->refcnt = 0; - if (!Ns_ConfigGetInt(path, "port", &ssldriver->port)) { ssldriver->port = 443; --- 908,911 ---- *************** *** 981,985 **** InitSSLDriver(char *server, NsOpenSSLDriver *ssldriver) { - /* XXX uninitialized here */ Ns_DriverInitData init; Server *thisServer = NULL; --- 942,945 ---- *************** *** 1152,1172 **** do { if (cmd == DriverSend) { - //Ns_Log(Debug, "OpenSSLProc: DriverSend: towrite = %d", (int) bufs->iov_len); n = NsOpenSSLConnSend(sslconn->ssl, bufs->iov_base, (int) bufs->iov_len); - // if (n < 0 - // && ns_sockerrno == EWOULDBLOCK - // && Ns_SockWait(sock->sock, NS_SOCK_WRITE, sock->driver->sendwait) == NS_OK) { - // n = NsOpenSSLConnSend(sslconn->ssl, bufs->iov_base, (int) bufs->iov_len); - // } } else { - //Ns_Log(Debug, "OpenSSLProc: DriverRecv: toread = %d", (int) bufs->iov_len); n = NsOpenSSLConnRecv(sslconn->ssl, bufs->iov_base, (int) bufs->iov_len); - //if (n < 0 - // && ns_sockerrno == EWOULDBLOCK - // && Ns_SockWait(sock->sock, NS_SOCK_READ, sock->driver->recvwait) == NS_OK) { - // n = NsOpenSSLConnRecv(sslconn->ssl, bufs->iov_base, (int) bufs->iov_len); - //} } - if (n < 0 && total > 0) { /* NB: Mask error if some bytes were read. */ --- 1112,1119 ---- *************** *** 1178,1193 **** n = total; break; - case DriverKeep: - /* XXX TODO: - * Some clients (MSIE) don't work well with keepalive over SSL. 
I - * need to research the user agent capabilities and then smartly - * determine whether to prevent keepalive from working with some of - * the clients that are known to have problems. This will probably - * mean I'll need to have some default rules for how the module - * acts with certain user agents, with the ability to override the - * behavior on a per user-agent basis in the configuration file. - */ - if (sslconn != NULL && NsOpenSSLConnFlush(sslconn) == NS_OK) { n = 0; --- 1125,1129 ---- *************** *** 1196,1200 **** } break; - case DriverClose: if (sslconn != NULL) { --- 1132,1135 ---- *************** *** 1205,1209 **** n = 0; break; - default: Ns_Log(Error, "%s (%s): Unsupported driver command encountered", --- 1140,1143 ---- Index: nsopenssl.h =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/nsopenssl.h,v retrieving revision 1.65 retrieving revision 1.66 diff -C2 -d -r1.65 -r1.66 *** nsopenssl.h 5 Apr 2004 02:14:45 -0000 1.65 --- nsopenssl.h 9 Apr 2004 16:30:57 -0000 1.66 *************** *** 51,59 **** #endif ! /* openssl and nsd both define closesocket */ #ifdef closesocket #undef closesocket #endif #include <openssl/ssl.h> #include <openssl/err.h> --- 51,66 ---- #endif ! /* ! * OpenSSL and AOLserver both define closesocket. ! */ ! #ifdef closesocket #undef closesocket #endif + /* + * OpenSSL Library + */ + #include <openssl/ssl.h> #include <openssl/err.h> *************** *** 62,100 **** #include <openssl/opensslconf.h> - /* ! * Defaults */ ! /* Turn this on to show debug info */ ! #define NSOPENSSL_DEBUG 1 ! ! #define MODULE "nsopenssl" ! #define MODULE_SHORT "ssl" ! ! #define SERVER_ROLE 1 ! #define CLIENT_ROLE 0 ! ! #define DEFAULT_PROTOCOLS "All" ! #define DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST ! #define DEFAULT_CERT_FILE "certificate.pem" ! #define DEFAULT_KEY_FILE "key.pem" ! #define DEFAULT_CA_FILE "ca.pem" ! #define DEFAULT_CA_DIR "ca" ! #define DEFAULT_PEER_VERIFY NS_FALSE ! 
#define DEFAULT_PEER_VERIFY_DEPTH 3 ! #define DEFAULT_SESSION_CACHE NS_TRUE ! #define DEFAULT_SESSION_CACHE_SIZE 128 ! #define DEFAULT_SESSION_CACHE_TIMEOUT 300 ! #define DEFAULT_TRACE NS_FALSE ! #define DEFAULT_TIMEOUT 30 ! #define DEFAULT_BUFFER_SIZE 16384 ! #define DEFAULT_SEEDBYTES 1024 ! #define DEFAULT_MAXBYTES 1024000 ! #define DEFAULT_SENDWAIT 60 ! #define DEFAULT_RECVWAIT 60 ! #define CONFIG_MODULE_DIR "ModuleDir" ! #define CONFIG_RANDOM_FILE "RandomFile" ! #define CONFIG_SEEDBYTES "SeedBytes" --- 69,77 ---- #include <openssl/opensslconf.h> /* ! * nsopenssl Default Settings. */ ! #include "defaults.h" *************** *** 194,202 **** */ - #if 0 - extern void - NsOpenSSLErrorDump(NsOpenSSLConn *sslconn, int code); - #endif - extern NsOpenSSLConn * NsOpenSSLConnCreate(SOCKET socket, NsOpenSSLContext *sslcontext); --- 171,174 ---- *************** *** 211,215 **** NsOpenSSLConnRecv(SSL *ssl, void *buffer, int toread); - // XXX const or CONST??? extern int NsOpenSSLConnSend(SSL *ssl, const void *buffer, int towrite); --- 183,186 ---- *************** *** 277,281 **** NsOpenSSLContextDestroy(char *server, NsOpenSSLContext *sslcontext); - /* XXX ugly. find a cleaner way to do this */ extern NsOpenSSLContext * NsOpenSSLContextServerDefaultGet(char *server); --- 248,251 ---- *************** *** 371,379 **** NsOpenSSLModuleInit(char *server); - - #if 0 - /* XXX debug log */ - extern void - NsOpenSSLDebug(char *fmt, ...); - #endif - --- 341,342 ---- Index: ssl.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ssl.c,v retrieving revision 1.62 retrieving revision 1.63 diff -C2 -d -r1.62 -r1.63 *** ssl.c 5 Apr 2004 02:14:45 -0000 1.62 --- ssl.c 9 Apr 2004 16:30:57 -0000 1.63 *************** *** 64,83 **** * NsOpenSSLConnCreate -- * ! * Create an SSL connection. The socket has already been accept()ed and is ! * ready for reading/writing. Used to use OpenSSL's BIO abstraction to build a ! 
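Review bot: Moving the defaults into defaults.h silently flips the debug switch: the old header had `#define NSOPENSSL_DEBUG 1` active, the new file carries `//#define DEBUG_NSOPENSSL 1`, so any remaining `#ifdef NSOPENSSL_DEBUG` site elsewhere in the tree would become dead code without a compiler diagnostic — worth a grep before this lands. The new file also deserves a comment on `DEFAULT_PEER_VERIFY NS_FALSE`: the same table serves `SERVER_ROLE` and `CLIENT_ROLE` contexts, which, if I read the role handling right, means outbound connections made with a default client context verify nothing about the remote certificate unless `peerverify` is configured — something like `/* Applies to client-role contexts as well: outbound connections do not verify the peer certificate unless peerverify is set. */`. Since defaults.h is now pulled in from nsopenssl.h, an include guard (`#ifndef NSOPENSSL_DEFAULTS_H`) would also be in keeping with the other headers.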
* BIO stack that looked like this: ! * ! * nsopenssl module ! * buffering BIO ! * SSL BIO ! * socket BIO ! * TCP socket to client ! * ! * I switched back to straight SSL to simplify the code and to improve ! * performance. Though I don't have any evidence, I suspect BIOs add some ! * performance overhead and I'm not sure they work well on every platform. * * Results: ! * sslconn, which might be NULL * * Side effects: --- 64,72 ---- * NsOpenSSLConnCreate -- * ! * Create an SSL connection. The socket has already been accept()ed and is ! * ready for reading/writing. * * Results: ! * Pointer to sslconn, which might be NULL * * Side effects: *************** *** 97,103 **** "%s (%s): connection refused due to server shutdown pending", MODULE, sslcontext->server); ! return NULL; } - sslconn = ns_calloc(1, sizeof(NsOpenSSLConn)); if (sslconn == NULL) { --- 86,91 ---- "%s (%s): connection refused due to server shutdown pending", MODULE, sslcontext->server); ! } sslconn = ns_calloc(1, sizeof(NsOpenSSLConn)); if (sslconn == NULL) { *************** *** 107,110 **** --- 95,102 ---- } + /* + * Set connection structure initial values. + */ + sslconn->server = sslcontext->server; sslconn->sslcontext = sslcontext; *************** *** 112,116 **** sslconn->sendwait = DEFAULT_SENDWAIT; sslconn->recvwait = DEFAULT_RECVWAIT; - //sslconn->wsock = INVALID_SOCKET; sslconn->ssl = NULL; sslconn->sslctx = NULL; --- 104,107 ---- *************** *** 128,132 **** gettimeofday(&sslconn->timer, NULL); ! /* Initialize the SSL structure */ sslconn->ssl = SSL_new(sslcontext->sslctx); --- 119,125 ---- gettimeofday(&sslconn->timer, NULL); ! /* ! * Instantiate the SSL structure from the sslcontext. ! */ sslconn->ssl = SSL_new(sslcontext->sslctx); *************** *** 139,148 **** SSL_clear(sslconn->ssl); ! /* Associate the socket with the SSL structure */ SSL_set_fd(sslconn->ssl, socket); ! // XXX is this necessary? 
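Review bot: The new side of the 97,103 hunk drops the `return NULL;` that followed the "connection refused due to server shutdown pending" log, so a connection is now logged as refused and then created anyway by the `ns_calloc` that follows. Unless the removal was deliberate (the ChangeLog entry does not mention it), the return should come back before the closing brace: `return NULL;`. That also keeps the function's header comment, "Pointer to sslconn, which might be NULL", truthful for the shutdown case. NsOpenSSLConnCreate starts before this hunk.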
SSL_set_app_data(sslconn->ssl, sslconn); if (sslcontext->role == SERVER_ROLE) { SSL_set_accept_state(sslconn->ssl); --- 132,151 ---- SSL_clear(sslconn->ssl); ! /* ! * Associate the socket with the SSL instance. ! */ ! SSL_set_fd(sslconn->ssl, socket); ! /* ! * Associate the connection structure with the SSL instance. ! */ ! SSL_set_app_data(sslconn->ssl, sslconn); + /* + * Define the SSL instance's role. + */ + if (sslcontext->role == SERVER_ROLE) { SSL_set_accept_state(sslconn->ssl); *************** *** 151,161 **** } if (NsOpenSSLConnHandshake(sslconn) != NS_OK) { NsOpenSSLConnDestroy(sslconn); - sslconn = NULL; } - //Ns_Log(Debug, "NsOpenSSLConnCreate: sslconn = (%p), sslcontext = (%p)", sslconn, sslcontext); - return sslconn; } --- 154,165 ---- } + /* + * Run the SSL handshake. + */ + if (NsOpenSSLConnHandshake(sslconn) != NS_OK) { NsOpenSSLConnDestroy(sslconn); } return sslconn; } *************** *** 185,221 **** int rc = 0; ! sslconn->refcnt--; ! ! if (sslconn->refcnt > 0) { ! //Ns_Log(Debug, "NsOpenSSLConnDestroy: SSL conn still active: refcnt = (%d), sslconn = (%p)", sslconn->refcnt, sslconn); return; } ! if (sslconn == NULL) return; ! //Ns_Log(Debug, "NsOpenSSLConnDestroy: sslconn = (%p)", sslconn); if (sslconn->ssl != NULL) { - /* XXX review these shutdown procedures w/r to SSL_shutdown man page */ - /* XXX seems we can clean this up a bit */ SSL_set_shutdown(sslconn->ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); - - /* Call SSL_shutdown repeatedly until we're sure it's done. */ for (i = rc = 0; rc == 0 && i < 4; i++) { rc = SSL_shutdown(sslconn->ssl); } - } - - if (sslconn->ssl != NULL) { SSL_free(sslconn->ssl); } /* ! * We disallow sending through the socket, since BIO_free_all triggers ! * SSL_shutdown, which is sending something (2 bytes). It confuses Win32 ! * clients, since they automatically close socket on FIN packet only if ! * there is no waiting received bytes (it gives "connection reset" message ! 
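Review bot: Removing `sslconn = NULL;` after `NsOpenSSLConnDestroy(sslconn)` in the 151,161 hunk makes NsOpenSSLConnCreate return the destroyed connection whenever the handshake fails. NsOpenSSLConnDestroy ends in `ns_free(sslconn)` (visible in the 225,229 hunk of this file), and the callers in Ns_OpenSSLSockConnect and Ns_OpenSSLSockAccept only test `if (sslconn != NULL)` before using the result, so any remote peer whose handshake fails leaves a freed pointer in use on the accept path. Restore the assignment, `NsOpenSSLConnDestroy(sslconn); sslconn = NULL;`, or return NULL directly from the failure branch. Whether the free actually runs here depends on the refcnt value initialised earlier in the function, outside this hunk, but the return is non-NULL either way and contradicts the header comment's "might be NULL".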
* in MSIE when socket is freed by keepalive thread). */ --- 189,221 ---- int rc = 0; ! if (sslconn == NULL) { return; } ! /* ! * Don't destroy the connection if it's still referenced somewhere. ! */ ! ! sslconn->refcnt--; ! if (sslconn->refcnt > 0) { return; + } ! /* ! * Shutdown the SSL connection and free the SSL structure. ! */ if (sslconn->ssl != NULL) { SSL_set_shutdown(sslconn->ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); for (i = rc = 0; rc == 0 && i < 4; i++) { rc = SSL_shutdown(sslconn->ssl); } SSL_free(sslconn->ssl); } /* ! * Shutdown and close the socket itself, but only if it's not a socket ! * managed by the core AOLserver driver. In that case we leave the socket ! * to be shutdown there. */ *************** *** 225,229 **** sslconn->socket = INVALID_SOCKET; } - ns_free(sslconn); sslconn = NULL; --- 225,228 ---- *************** *** 263,269 **** SOCKET socket = INVALID_SOCKET; ! //Ns_Log(Debug, "Ns_OpenSSLSockConnect %s %d", host, port); ! //Ns_Log(Debug, "Ns_OpenSSLSockConnect: sslcontext = (%p)", sslcontext); ! //Ns_Log(Debug, "Ns_OpenSSLSockConnect: sslcontext->initialized = (%d)", sslcontext->initialized); if (timeout < 0) { --- 262,268 ---- SOCKET socket = INVALID_SOCKET; ! /* ! * Create the socket connection. ! */ if (timeout < 0) { *************** *** 272,280 **** socket = Ns_SockTimedConnect(host, port, timeout); } - if (socket == INVALID_SOCKET) { return NULL; } sslconn = NsOpenSSLConnCreate(socket, sslcontext); if (sslconn != NULL) { --- 271,282 ---- socket = Ns_SockTimedConnect(host, port, timeout); } if (socket == INVALID_SOCKET) { return NULL; } + /* + * Wrap SSL around the socket. 
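Review bot: In the restructured shutdown block of the 185,221 hunk, `SSL_set_shutdown(sslconn->ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)` marks the shutdown as already complete in both directions, so, as I read the OpenSSL documentation, the `SSL_shutdown` loop that follows returns 1 on its first call and no close_notify alert is ever sent to the peer; the four-iteration loop is effectively a single call. The old code carried an XXX reminder to review this against the SSL_shutdown man page and the commit deletes that reminder without resolving it. If a quiet close is the intent, the new comment should say so (`/* Quiet close: both shutdown flags are pre-set, so no close_notify is sent. */`); otherwise drop the `SSL_set_shutdown` call and let the loop perform the real bidirectional shutdown.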
+ */ + sslconn = NsOpenSSLConnCreate(socket, sslcontext); if (sslconn != NULL) { *************** *** 316,321 **** NsOpenSSLConn *sslconn = NULL; - //Ns_Log(Debug, "Ns_OpenSSLSockAccept: sslcontext = (%p)", sslcontext); - if (sock == INVALID_SOCKET) { Ns_Log(Error, "%s (%s): attempted accept on invalid socket", --- 318,321 ---- *************** *** 324,327 **** --- 324,331 ---- } + /* + * Wrap SSL around socket. + */ + sslconn = NsOpenSSLConnCreate(sock, sslcontext); if (sslconn != NULL) { *************** *** 379,384 **** */ - /* XXX move to x509.c; change args */ - /* XXX add *server arg */ extern int Ns_OpenSSLIsPeerCertValid(NsOpenSSLConn *sslconn) --- 383,386 ---- *************** *** 444,448 **** Ns_Request *request = NULL; Ns_DString ds; - /* XXX uninitialized */ Stream stream; char *p = NULL; --- 446,449 ---- *************** *** 459,463 **** Ns_DStringVarAppend(&ds, "GET ", url, " HTTP/1.0", NULL); request = Ns_ParseRequest(ds.string); - if ( request == NULL || --- 460,463 ---- *************** *** 470,477 **** } if (request->port == 0) { request->port = 443; } - sslconn = Ns_OpenSSLSockConnect(server, request->host, request->port, 0, 300, sslcontext); if (sslconn == NULL) { --- 470,480 ---- } + /* + * Open an SSL connection. + */ + if (request->port == 0) { request->port = 443; } sslconn = Ns_OpenSSLSockConnect(server, request->host, request->port, 0, 300, sslcontext); if (sslconn == NULL) { *************** *** 482,502 **** /* ! * Send a simple HTTP GET request. */ - // SendHTTPGet(url, query, ) Ns_DStringTrunc(&ds, 0); Ns_DStringVarAppend(&ds, "GET ", request->url, NULL); - if (request->query != NULL) { Ns_DStringVarAppend(&ds, "?", request->query, NULL); } - Ns_DStringAppend(&ds, " HTTP/1.0\r\nAccept: */*\r\n\r\n"); p = ds.string; tosend = ds.length; - while (tosend > 0) { - //n = NsOpenSSLConnSend(sslconn->bio, p, tosend); n = NsOpenSSLConnSend(sslconn->ssl, p, tosend); if (n <= 0) { --- 485,500 ---- /* ! * Send HTTP GET request. 
*/ Ns_DStringTrunc(&ds, 0); Ns_DStringVarAppend(&ds, "GET ", request->url, NULL); if (request->query != NULL) { Ns_DStringVarAppend(&ds, "?", request->query, NULL); } Ns_DStringAppend(&ds, " HTTP/1.0\r\nAccept: */*\r\n\r\n"); p = ds.string; tosend = ds.length; while (tosend > 0) { n = NsOpenSSLConnSend(sslconn->ssl, p, tosend); if (n <= 0) { *************** *** 518,526 **** stream.ptr = stream.buf; stream.sslconn = (NsOpenSSLConn *) sslconn; - if (!GetLine (&stream, &ds)) { goto done; } - if (headers != NULL && strncmp(ds.string, "HTTP", 4) == 0) { if (headers->name != NULL) { --- 516,522 ---- *************** *** 529,533 **** headers->name = Ns_DStringExport(&ds); } - do { if (!GetLine (&stream, &ds)) { --- 525,528 ---- *************** *** 549,553 **** Ns_DStringNAppend(dsPtr, stream.ptr, stream.cnt); } while (FillBuf(&stream)); - if (!stream.error) { status = NS_OK; --- 544,547 ---- *************** *** 555,567 **** done: - if (request != NULL) { Ns_FreeRequest(request); } - if (sslconn != NULL) { NsOpenSSLConnDestroy(sslconn); } - Ns_DStringFree(&ds); --- 549,558 ---- *************** *** 595,600 **** SOCKET socket = SSL_get_fd(ssl); - //Ns_Log(Debug, "Send(%d): START: towrite = %d, wrote = %d", socket, towrite, total); - /* * We loop until all bytes are written. We can call NsOpenSSLRecv() at any --- 586,589 ---- *************** *** 604,626 **** while (total < towrite) { - - //rc = SSL_write(ssl, (char *) (buffer + total), (towrite - total)); rc = SSL_write(ssl, (char *) buffer, towrite); - if (rc > 0) { total += rc; continue; } - - Ns_Log(Debug, "Send(%d): (towrite = %d; total = %d; rc = %d)", socket, towrite, total, rc); - switch(SSL_get_error(ssl, rc)) { - case SSL_ERROR_NONE: ! //Ns_Log(Debug, "Send(%d): SSL_ERROR_NONE (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); break; - case SSL_ERROR_WANT_WRITE: ! 
//Ns_Log(Debug, "Send(%d): SSL_ERROR_WANT_WRITE (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); if (rc < 0 && ns_sockerrno == EWOULDBLOCK --- 593,611 ---- while (total < towrite) { rc = SSL_write(ssl, (char *) buffer, towrite); if (rc > 0) { total += rc; continue; } switch(SSL_get_error(ssl, rc)) { case SSL_ERROR_NONE: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d): SSL_ERROR_NONE: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif break; case SSL_ERROR_WANT_WRITE: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d): SSL_ERROR_WANT_WRITE: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif if (rc < 0 && ns_sockerrno == EWOULDBLOCK *************** *** 630,670 **** } break; - case SSL_ERROR_WANT_READ: ! //Ns_Log(Debug, "Send(%d): SSL_ERROR_WANT_READ (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); break; - case SSL_ERROR_WANT_X509_LOOKUP: ! Ns_Log(Debug, "Send(%d): SSL_ERROR_WANT_X509_LOOKUP (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); SSL_renegotiate(ssl); SSL_write(ssl, NULL, 0); break; - case SSL_ERROR_SYSCALL: ! Ns_Log(Debug, "Send(%d): SSL_ERROR_SYSCALL (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); ! // XXX should check for invalid socket here ? ! exit(1); ! return -2; break; - case SSL_ERROR_SSL: ! Ns_Log(Debug, "Send(%d): SSL_ERROR_SSL (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); ! // XXX should check for invalid socket here ? break; - case SSL_ERROR_ZERO_RETURN: ! /* We'll never see this error: either some bytes were written or we get a real error */ ! Ns_Log(Debug, "Send(%d): SSL_ERROR_ZERO_RETURN (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); break; - default: ! 
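Review bot: Every Send debug message added under `DEBUG_NSOPENSSL` in this hunk and in the 630,670 hunk below prints its arguments in the wrong order: the format reads `towrite = %d; total = %d` but the argument list is `socket, total, towrite, rc`, so the logged counts are swapped (the Recv messages in the 713,746 hunk pass `toread, total` and are correct). Fix the order once per message, `..., socket, towrite, total, rc);`. Separately, `rc = SSL_write(ssl, (char *) buffer, towrite);` inside `while (total < towrite)` always writes from the start of the buffer with the full length; that is only safe if `SSL_MODE_ENABLE_PARTIAL_WRITE` is never set on the context (not visible here), otherwise a partial write resends bytes already delivered, which is what the deleted `buffer + total` comment line was addressing. NsOpenSSLConnSend starts before this hunk and its WANT_WRITE handling continues past it.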
Ns_Log(Debug, "Send(%d): FALLTHROUGH (error) (towrite = %d; total = %d; rc = %d)", socket, total, towrite, rc); break; } - } - //Ns_Log(Debug, "Send(%d): END: towrite = %d, wrote = %d", socket, towrite, total); - return total; } --- 615,654 ---- } break; case SSL_ERROR_WANT_READ: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d): SSL_ERROR_WANT_READ: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif break; case SSL_ERROR_WANT_X509_LOOKUP: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d): SSL_ERROR_WANT_X509_LOOKUP: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif SSL_renegotiate(ssl); SSL_write(ssl, NULL, 0); break; case SSL_ERROR_SYSCALL: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d) HERE: SSL_ERROR_SYSCALL: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif ! Ns_Log(Warning, "%s: SSL handshake interrupted, perhaps by client", MODULE); ! return -1; break; case SSL_ERROR_SSL: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d): SSL_ERROR_SSL: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif ! Ns_Log(Error, "%s: SSL error on writing data", MODULE); break; case SSL_ERROR_ZERO_RETURN: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Send(%d): SSL_ERROR_ZERO_RETURN: towrite = %d; total = %d; rc = %d", socket, total, towrite, rc); ! #endif break; default: ! Ns_Log(Error, "%s: Unknown SSL error code in ssl.c (%d)", MODULE, rc); break; } } return total; } *************** *** 713,746 **** */ - //Ns_Log(Debug, "Recv(%d): START: toread = %d, read = %d, pending = %d", socket, toread, total, SSL_pending(ssl)); - do { - rc = SSL_read(ssl, (char *) buffer, toread); - if (rc > 0) { - total += rc; - } else if (rc == 0) { - if (SSL_pending(ssl) == 0) { return total; } - } else { - switch(SSL_get_error(ssl, rc)) { - case SSL_ERROR_NONE: ! //Ns_Log(Debug, "Recv(%d): SSL_ERROR_NONE (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); break; - case SSL_ERROR_WANT_WRITE: ! 
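Review bot: The `SSL_ERROR_SSL`, `SSL_ERROR_ZERO_RETURN` and `default` cases in the new Send code only `break` out of the switch, and the enclosing `while (total < towrite)` then calls `SSL_write` again on a connection that has already failed, so one misbehaving peer can pin a driver thread in a busy loop; replacing the old `exit(1)` under `SSL_ERROR_SYSCALL` with `return -1;` is the right fix, but the other fatal cases need the same treatment. Return `-1` from those three cases, as NsOpenSSLConnRecv already does for its fatal cases in the 750,785 hunk. Two smaller points in the same lines: the `default:` message logs `rc`, the SSL_write return value, rather than the `SSL_get_error` code it claims to print (the Recv `default:` in the 750,785 hunk does the same), and the "SSL handshake interrupted, perhaps by client" warning sits on the data-write and data-read paths, not the handshake, so the wording will mislead whoever reads the log. The enclosing function starts before this hunk.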
//Ns_Log(Debug, "Recv(%d): SSL_ERROR_WANT_WRITE (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); break; - case SSL_ERROR_WANT_READ: ! //Ns_Log(Debug, "Recv(%d): SSL_ERROR_WANT_READ (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); if (rc < 0 && ns_sockerrno == EWOULDBLOCK --- 697,724 ---- */ do { rc = SSL_read(ssl, (char *) buffer, toread); if (rc > 0) { total += rc; } else if (rc == 0) { if (SSL_pending(ssl) == 0) { return total; } } else { switch(SSL_get_error(ssl, rc)) { case SSL_ERROR_NONE: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_NONE: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif break; case SSL_ERROR_WANT_WRITE: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_WANT_WRITE: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif break; case SSL_ERROR_WANT_READ: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_WANT_READ: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif if (rc < 0 && ns_sockerrno == EWOULDBLOCK *************** *** 750,785 **** } break; - case SSL_ERROR_WANT_X509_LOOKUP: ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_WANT_X509_LOOKUP (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); break; - case SSL_ERROR_SYSCALL: ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_SYSCALL (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); return -1; break; - case SSL_ERROR_SSL: ! //Ns_Log(Debug, "Recv(%d): SSL_ERROR_SSL (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); return -1; break; - case SSL_ERROR_ZERO_RETURN: ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_ZERO_RETURN (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); return -1; break; - default: ! 
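Review bot: The `rc == 0` branch on the new side returns `total` as a normal end of stream whenever `SSL_pending` is zero, without asking `SSL_get_error` whether the peer actually sent a close_notify alert. An attacker on the path who simply drops the TCP connection therefore looks exactly like a clean shutdown to the caller, which is the classic TLS truncation problem; OpenSSL reports the abrupt close as `SSL_ERROR_SYSCALL` with `rc == 0` and the clean one as `SSL_ERROR_ZERO_RETURN`. I would separate the two before returning, as below, so that a truncated response surfaces as an error the way the failure cases in the next hunk already do. Recv's signature and its caller-facing contract are outside the hunk, so the `-1` here mirrors what the later `SSL_ERROR_SYSCALL` case returns.
```c
} else if (rc == 0) {
    /* rc == 0 with SSL_ERROR_SYSCALL means the transport closed without a
     * close_notify alert: treat it as an error, not a clean end of stream. */
    if (SSL_get_error(ssl, rc) == SSL_ERROR_SYSCALL) {
        Ns_Log(Warning, "%s: connection closed without close_notify", MODULE);
        return -1;
    }
    if (SSL_pending(ssl) == 0) {
        return total;
    }
} else {
    /* ... unchanged: SSL_get_error switch ... */
```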
Ns_Log(Debug, "Recv(%d): FALLTHROUGH (error) (toread = %d; total = %d; rc = %d)", socket, toread, total, rc); return -1; break; - } } - } while (SSL_get_error(ssl, rc) != SSL_ERROR_NONE); - //Ns_Log(Debug, "Recv(%d): END: toread = %d, read = %d", socket, toread, total); - return total; } --- 728,765 ---- } break; case SSL_ERROR_WANT_X509_LOOKUP: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_WANT_X509_LOOKUP: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif ! Ns_Log(Warning, "%s: SSL wants X509 Lookup", MODULE); break; case SSL_ERROR_SYSCALL: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_SYSCALL: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif ! Ns_Log(Warning, "%s: SSL handshake interrupted, perhaps by client", MODULE); return -1; break; case SSL_ERROR_SSL: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_SSL: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif ! Ns_Log(Error, "%s: SSL error on reading data", MODULE); return -1; break; case SSL_ERROR_ZERO_RETURN: ! #ifdef DEBUG_NSOPENSSL ! Ns_Log(Debug, "Recv(%d): SSL_ERROR_ZERO_RETURN: toread = %d; total = %d; rc = %d", socket, toread, total, rc); ! #endif return -1; break; default: ! Ns_Log(Error, "%s: Unknown SSL error code in ssl.c (%d)", MODULE, rc); return -1; break; } } } while (SSL_get_error(ssl, rc) != SSL_ERROR_NONE); return total; } *************** *** 841,849 **** { int rc = 0; - /* XXX defer to sslconn->socket ... */ SOCKET socket = SSL_get_fd(sslconn->ssl); while (! 
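Review bot: None of the error cases on the new side of this hunk reports or drains the OpenSSL error queue, so on `SSL_ERROR_SSL` the operator gets only "SSL error on reading data" and the thread-local queue stays populated; OpenSSL's `SSL_get_error` relies on that queue being empty before each I/O call, so a later operation on the same thread can be misreported as `SSL_ERROR_SSL`. I would log the reason and clear the queue in that case: `Ns_Log(Error, "%s: SSL error on reading data: %s", MODULE, ERR_reason_error_string(ERR_get_error()));` followed by `ERR_clear_error();` (the `NsOpenSSLErrorDump` block this commit deletes from ssl.c already used `ERR_get_error`, so the header is presumably available). The `SSL_ERROR_SYSCALL` message "SSL handshake interrupted, perhaps by client" is misleading on the read path and is likely to send an incident responder looking at the wrong phase of the connection. Note also that `SSL_ERROR_WANT_X509_LOOKUP` only logs and breaks, after which the `do { } while (SSL_get_error(ssl, rc) != SSL_ERROR_NONE)` loop calls `SSL_read` again without waiting; the function's start is outside this hunk.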
SSL_is_init_finished(sslconn->ssl)) { - if (sslconn->sslcontext->role == SERVER_ROLE) { rc = SSL_accept(sslconn->ssl); --- 821,827 ---- *************** *** 851,868 **** rc = SSL_connect(sslconn->ssl); } - switch(SSL_get_error(sslconn->ssl, rc)) { - case SSL_ERROR_NONE: - /* Handshake completed successfully */ //Ns_Log(Debug, "Handshake(%d): SSL_ERROR_NONE (rc = %d)", socket, rc); return NS_OK; break; - case SSL_ERROR_WANT_WRITE: //Ns_Log(Debug, "Handshake(%d): SSL_ERROR_WANT_WRITE (rc = %d)", socket, rc); - /* XXX need write wait at this point */ break; - case SSL_ERROR_WANT_READ: //Ns_Log(Debug, "Handshake(%d): SSL_ERROR_WANT_READ (rc = %d)", socket, rc); --- 829,840 ---- *************** *** 874,878 **** } break; - case SSL_ERROR_WANT_X509_LOOKUP: //Ns_Log(Debug, "Handshake(%d): SSL_ERROR_WANT_X509_LOOKUP (rc = %d)", socket, rc); --- 846,849 ---- *************** *** 880,894 **** //SSL_write(ssl, NULL, 0); break; - case SSL_ERROR_SYSCALL: Ns_Log(Debug, "Handshake(%d): SSL_ERROR_SYSCALL (rc = %d)", socket, rc); return NS_ERROR; break; - case SSL_ERROR_SSL: //Ns_Log(Debug, "Handshake(%d): SSL_ERROR_SSL (rc = %d)", socket, rc); return NS_ERROR; break; - case SSL_ERROR_ZERO_RETURN: /* Connection was closed before any data was transferred */ --- 851,862 ---- *************** *** 896,909 **** return NS_ERROR; break; - default: Ns_Log(Debug, "Handshake(%d): FALLTHROUGH (error) (rc = %d)", socket, rc); return NS_ERROR; break; - } } ! ! Ns_Log(Warning, "%s (%s): SSL handshake failed (might be normal if client does not have CA cert)", MODULE, sslconn->server); return NS_ERROR; --- 864,874 ---- return NS_ERROR; break; default: Ns_Log(Debug, "Handshake(%d): FALLTHROUGH (error) (rc = %d)", socket, rc); return NS_ERROR; break; } } ! 
Ns_Log(Warning, "%s (%s): SSL handshake failed", MODULE, sslconn->server); return NS_ERROR; *************** *** 930,934 **** FillBuf(Stream *sPtr) { - // XXX int n = NsOpenSSLConnRecv(sPtr->sslconn->bio, sPtr->buf, BUFSIZE); int n = NsOpenSSLConnRecv(sPtr->sslconn->ssl, sPtr->buf, BUFSIZE); int status = NS_TRUE; --- 895,898 ---- *************** *** 974,981 **** Ns_DStringTrunc(dsPtr, 0); - do { if (sPtr->cnt > 0) { - eol = strchr(sPtr->ptr, '\n'); if (eol == NULL) { --- 938,943 ---- *************** *** 985,994 **** n = eol - sPtr->ptr; } - Ns_DStringNAppend (dsPtr, sPtr->ptr, n - 1); - sPtr->ptr += n; sPtr->cnt -= n; - if (eol != NULL) { n = dsPtr->length; --- 947,953 ---- *************** *** 998,1002 **** return NS_TRUE; } - } } while (FillBuf(sPtr)); --- 957,960 ---- *************** *** 1004,1064 **** return NS_FALSE; } - - #if 0 - - /* - *---------------------------------------------------------------------- - * - * NsOpenSSLErrorDump -- - * - * Send data through an SSL connection - * - * Results: - * The number of bytes send or a negative number in case of an error. - * - * Side effects: - * None. 
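Review bot: The `Ns_Log(Warning, "%s (%s): SSL handshake failed", ...)` after the loop on the new side is effectively unreachable for real failures, because every error case in the switch (`SSL_ERROR_SYSCALL`, `SSL_ERROR_SSL`, `SSL_ERROR_ZERO_RETURN` and the `default` visible in this hunk) returns `NS_ERROR` from inside the loop with at most a Debug-level message, and the `SSL_ERROR_SSL` one is commented out in the context above. A failed handshake — a client certificate rejected under peer verification, a cipher mismatch, a scanner probing the port — therefore leaves no Warning-level trace and never records the reason, which is exactly what a detection engineer would want from this function. I would log at Warning inside those branches before returning, e.g. `Ns_Log(Warning, "%s (%s): SSL handshake failed: %s", MODULE, sslconn->server, ERR_reason_error_string(ERR_get_error()));`, and then call `ERR_clear_error()` so the stale queue does not poison the next `SSL_get_error` on this thread. The `ERR_*` header is presumably already included, since the `NsOpenSSLErrorDump` block deleted later in this file used `ERR_get_error`; the handshake function itself begins outside this hunk.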
- * - *---------------------------------------------------------------------- - */ - - void - NsOpenSSLErrorDump(NsOpenSSLConn *sslconn, int code) - { - int error = 0; - unsigned long e = 0; - - error = SSL_get_error(sslconn->ssl, code); - - switch (error) { - case SSL_ERROR_NONE: - Ns_Log(Debug, "--- SSL_ERROR_NONE"); - break; - case SSL_ERROR_ZERO_RETURN: - Ns_Log(Debug, "--- SSL_ERROR_ZERO_RETURN"); - break; - case SSL_ERROR_WANT_READ: - Ns_Log(Debug, "--- SSL_ERROR_WANT_READ"); - break; - case SSL_ERROR_WANT_WRITE: - Ns_Log(Debug, "--- SSL_ERROR_WANT_WRITE"); - break; - case SSL_ERROR_WANT_X509_LOOKUP: - Ns_Log(Debug, "--- SSL_ERROR_WANT_X509_LOOKUP"); - break; - case SSL_ERROR_SYSCALL: - Ns_Log(Debug, "--- SSL_ERROR_SYSCALL"); - break; - case SSL_ERROR_SSL: - Ns_Log(Debug, "--- SSL_ERROR_SSL"); - break; - } - - while ((e = ERR_get_error()) != 0) { - Ns_Log(Debug, "--- ERR = %s", ERR_error_string(e, NULL)); - Ns_Log(Debug, " - LIB = %d", ERR_GET_LIB(e)); - Ns_Log(Debug, " - FUNC = %d", ERR_GET_FUNC(e)); - Ns_Log(Debug, " - REASON = %d", ERR_GET_REASON(e)); - } - } - #endif --- 962,963 ---- Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** sslcontext.c 16 Feb 2004 00:42:31 -0000 1.5 --- sslcontext.c 9 Apr 2004 16:30:57 -0000 1.6 *************** *** 115,119 **** /* ! * The name of an SSL context must be unique within a virtual server. */ --- 115,120 ---- /* ! * Check to see if the context name is already in use. The name of an SSL ! * context must be unique within a virtual server. */ *************** *** 124,131 **** } ! sslcontext = ns_calloc(1, sizeof(*sslcontext)); Ns_MutexInit(&sslcontext->lock); - Ns_DStringPrintf(&ds, "ctx:%s", name); lockName = Ns_DStringExport(&ds); --- 125,134 ---- } ! /* ! * Create the SSL context. ! 
*/ + sslcontext = ns_calloc(1, sizeof(*sslcontext)); Ns_MutexInit(&sslcontext->lock); Ns_DStringPrintf(&ds, "ctx:%s", name); lockName = Ns_DStringExport(&ds); *************** *** 135,183 **** lockName = NULL; sslcontext->server = server; sslcontext->name = name; - sslcontext->initialized = NS_FALSE; sslcontext->refcnt = 0; - sslcontext->peerVerify = DEFAULT_PEER_VERIFY; sslcontext->peerVerifyDepth = DEFAULT_PEER_VERIFY_DEPTH; sslcontext->protocols = DEFAULT_PROTOCOLS; sslcontext->cipherSuite = DEFAULT_CIPHER_LIST; - sslcontext->sessionCache = DEFAULT_SESSION_CACHE; sslcontext->sessionCacheSize = DEFAULT_SESSION_CACHE_SIZE; sslcontext->sessionCacheTimeout = DEFAULT_SESSION_CACHE_TIMEOUT; sslcontext->trace = DEFAULT_TRACE; - sslcontext->bufsize = DEFAULT_BUFFER_SIZE; sslcontext->timeout = DEFAULT_TIMEOUT; - sslcontext->sessionCacheId = SSLContextSessionCacheIdNew(server); - Ns_HomePath(&ds, "servers", server, "modules", MODULE, NULL); sslcontext->moduleDir = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); - Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_CERT_FILE, NULL); sslcontext->certFile = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); - Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_KEY_FILE, NULL); sslcontext->keyFile = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); - Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_CA_FILE, NULL); sslcontext->caFile = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); - Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_CA_DIR, NULL); sslcontext->caDir = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); - Ns_DStringFree(&ds); - //Ns_Log(Debug, "NsOpenSSLContextCreate: sslcontext = (%p)", sslcontext); - return sslcontext; } --- 138,177 ---- lockName = NULL; + /* + * Set SSL context initial values. 
+ */ + sslcontext->server = server; sslcontext->name = name; sslcontext->initialized = NS_FALSE; sslcontext->refcnt = 0; sslcontext->peerVerify = DEFAULT_PEER_VERIFY; sslcontext->peerVerifyDepth = DEFAULT_PEER_VERIFY_DEPTH; sslcontext->protocols = DEFAULT_PROTOCOLS; sslcontext->cipherSuite = DEFAULT_CIPHER_LIST; sslcontext->sessionCache = DEFAULT_SESSION_CACHE; sslcontext->sessionCacheSize = DEFAULT_SESSION_CACHE_SIZE; sslcontext->sessionCacheTimeout = DEFAULT_SESSION_CACHE_TIMEOUT; sslcontext->trace = DEFAULT_TRACE; sslcontext->bufsize = DEFAULT_BUFFER_SIZE; sslcontext->timeout = DEFAULT_TIMEOUT; sslcontext->sessionCacheId = SSLContextSessionCacheIdNew(server); Ns_HomePath(&ds, "servers", server, "modules", MODULE, NULL); sslcontext->moduleDir = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_CERT_FILE, NULL); sslcontext->certFile = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_KEY_FILE, NULL); sslcontext->keyFile = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_CA_FILE, NULL); sslcontext->caFile = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); Ns_HomePath(&ds, "servers", server, "modules", MODULE, DEFAULT_CA_DIR, NULL); sslcontext->caDir = Ns_DStringExport(&ds); Ns_DStringTrunc(&ds, 0); Ns_DStringFree(&ds); return sslcontext; } *************** *** 203,221 **** NsOpenSSLContextDestroy(char *server, NsOpenSSLContext *sslcontext) { - /* - * We only need to free structure members where we've used strdup to create - * them. - */ - ns_free(sslcontext->certFile); ns_free(sslcontext->keyFile); ns_free(sslcontext->caFile); ns_free(sslcontext->caDir); - ns_free(sslcontext); - /* XXX REMOVE THE CONTEXT FROM THE SERVER STATE */ - /* XXX should be a private func??? 
*/ #if 0 Ns_OpenSSLServerContextRemove(); #endif --- 197,208 ---- NsOpenSSLContextDestroy(char *server, NsOpenSSLContext *sslcontext) { ns_free(sslcontext->certFile); ns_free(sslcontext->keyFile); ns_free(sslcontext->caFile); ns_free(sslcontext->caDir); ns_free(sslcontext); #if 0 + /* XXX REMOVE THE CONTEXT FROM THE SERVER STATE */ Ns_OpenSSLServerContextRemove(); #endif *************** *** 250,261 **** NsOpenSSLContextInit(char *server, NsOpenSSLContext *sslcontext) { - - /* XXX argh -- gotta use a goto here to pop out and unlock struct */ if (sslcontext == NULL) { ! Ns_Log(Error, "%s (%s): SSL context passed to NsOpenSSLContextValidate is NULL", ! MODULE, server); return NS_ERROR; } - if (!STREQ(server, sslcontext->server)) { Ns_Log(Error, "%s (%s): SSL context server field (%s) does not match the virtual server name", --- 237,244 ---- NsOpenSSLContextInit(char *server, NsOpenSSLContext *sslcontext) { if (sslcontext == NULL) { ! Ns_Log(Error, "%s (%s): SSL context is NULL", MODULE, server); return NS_ERROR; } if (!STREQ(server, sslcontext->server)) { Ns_Log(Error, "%s (%s): SSL context server field (%s) does not match the virtual server name", *************** *** 265,277 **** /* ! * Initialize parts of SSL_CTX that are common to all NsOpenSSLContexts ! * (i.e. these are not configurable via nsd.tcl or Ns_OpenSSL* calls). */ if (sslcontext->role) { - //Ns_Log(Debug, "NsOpenSSLContextInit: SSLv23_server_method(): sslcontext = (%p)", sslcontext); sslcontext->sslctx = SSL_CTX_new(SSLv23_server_method()); } else { - //Ns_Log(Debug, "NsOpenSSLContextInit: SSLv23_client_method(): sslcontext = (%p)", sslcontext); sslcontext->sslctx = SSL_CTX_new(SSLv23_client_method()); } --- 248,257 ---- /* ! * Initialize the SSL_CTX based on the role this context will play. 
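Review bot: `NsOpenSSLContextDestroy` on the new side frees the struct while the code that would remove it from the per-server table is still under `#if 0`, so the `sslcontexts` hash entry keeps a dangling pointer that the lookup whose body appears near line 1300 of this file will hand back to whatever later asks for that context by name — a use-after-free. It also never releases the OpenSSL context with `SSL_CTX_free(sslcontext->sslctx);` (which accepts NULL, so a context that was never initialised is fine) nor the mutex with `Ns_MutexDestroy(&sslcontext->lock);`, and it ignores `refcnt`, which by its name presumably counts connections still using this context. I would perform the hash-table removal before the frees, add the two release calls, and refuse or defer destruction while `refcnt` is non-zero.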
*/ if (sslcontext->role) { sslcontext->sslctx = SSL_CTX_new(SSLv23_server_method()); } else { sslcontext->sslctx = SSL_CTX_new(SSLv23_client_method()); } *************** *** 310,324 **** * comes from that library after the SSL_CTX_use_certificate_chain_file * call. - * XXX I need to research the warning above and find out why that's - * so. - * XXX I could store certs in memory and check to see if the same cert - * is already in memory and use if from there instead. */ ! if ( ! SSLContextCiphersInit(sslcontext) == NS_ERROR ! || SSLContextProtocolsInit(sslcontext) == NS_ERROR ! || SSLContextKeyFileInit(sslcontext) == NS_ERROR ! || SSLContextCertFileInit(sslcontext) == NS_ERROR || SSLContextValidateCertKey(sslcontext) == NS_ERROR ) { --- 290,299 ---- * comes from that library after the SSL_CTX_use_certificate_chain_file * call. */ ! if ( SSLContextCiphersInit(sslcontext) == NS_ERROR ! || SSLContextProtocolsInit(sslcontext) == NS_ERROR ! || SSLContextKeyFileInit(sslcontext) == NS_ERROR ! || SSLContextCertFileInit(sslcontext) == NS_ERROR || SSLContextValidateCertKey(sslcontext) == NS_ERROR ) { *************** *** 340,350 **** /* * We succeeded in initializing the context. We now have an OpenSSL SSL_CTX ! * structure we can use to create connections. */ sslcontext->initialized = 1; - //Ns_Log(Debug, "NsOpenSSLContextInit: sslcontext = (%p), sslctx = (%p)", sslcontext, sslcontext->sslctx); - return NS_OK; } --- 315,323 ---- /* * We succeeded in initializing the context. We now have an OpenSSL SSL_CTX ! * structure we can use to create SSL connections. */ sslcontext->initialized = 1; return NS_OK; } *************** *** 373,377 **** #if 0 - /* XXX add the ability to wait for the context to be inactive? 
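Review bot: The `SSL_CTX_new` result on the new side of this hunk is stored without a NULL check, and the next hunk passes `sslcontext` straight into `SSLContextCiphersInit` and friends, which will operate on `sslctx`; unless a check sits in the lines between the two hunks, add `if (sslcontext->sslctx == NULL) { Ns_Log(Error, "%s (%s): SSL_CTX_new failed", MODULE, sslcontext->server); return NS_ERROR; }` right after the if/else. Separately, `SSLv23_server_method()` and `SSLv23_client_method()` negotiate SSLv2 as well unless `SSL_OP_NO_SSLv2` is set on the context; whether `SSLContextProtocolsInit` (outside this hunk) sets it by default cannot be seen here and is worth confirming, since SSLv2 has well-known protocol-level weaknesses. A one-line comment above the if/else saying that protocol restrictions are applied later by `SSLContextProtocolsInit` would make the intent clear to the next reader; the function starts outside this hunk.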
*/ int NsOpenSSLContextRelease(char *server, NsOpenSSLContext *sslcontext) --- 346,349 ---- *************** *** 421,425 **** { Ns_MutexLock(&sslcontext->lock); - if (STREQ(role, "client")) { sslcontext->role = 0; --- 393,396 ---- *************** *** 431,435 **** return NS_ERROR; } - Ns_MutexUnlock(&sslcontext->lock); --- 402,405 ---- *************** *** 458,462 **** { Ns_MutexLock(&sslcontext->lock); - if (sslcontext->role == 0) { return "client"; --- 428,431 ---- *************** *** 466,470 **** return "undefined"; } - Ns_MutexUnlock(&sslcontext->lock); --- 435,438 ---- *************** *** 559,563 **** Ns_DStringInit(&ds); - Ns_MutexLock(&sslcontext->lock); sslcontext->certFile = ns_strdup(certFile); --- 527,530 ---- *************** *** 621,625 **** Ns_DStringInit(&ds); - Ns_MutexLock(&sslcontext->lock); sslcontext->keyFile = ns_strdup(keyFile); --- 588,591 ---- *************** *** 784,788 **** Ns_DStringInit(&ds); - Ns_MutexLock(&sslcontext->lock); sslcontext->caFile = ns_strdup(caFile); --- 750,753 ---- *************** *** 844,848 **** Ns_DStringInit(&ds); - Ns_MutexLock(&sslcontext->lock); sslcontext->caDir = ns_strdup(caDir); --- 809,812 ---- *************** *** 956,961 **** int peerVerifyDepth) { - /* XXX how do I handle the default case? with varargs in func call? 
*/ - /* XXX ah, no, preset all the default values in NsOpenSSLContextCreate */ Ns_MutexLock(&sslcontext->lock); sslcontext->peerVerifyDepth = peerVerifyDepth; --- 920,923 ---- *************** *** 1170,1174 **** Ns_MutexLock(&sslcontext->lock); sslcontext->trace = trace; - //Ns_Log(Debug, "*****>>>>> TRACE = (%d)", trace); Ns_MutexUnlock(&sslcontext->lock); --- 1132,1135 ---- *************** *** 1260,1264 **** thisServer = NsOpenSSLServerGet(server); Ns_MutexLock(&thisServer->lock); - hPtr = Tcl_CreateHashEntry(&thisServer->sslcontexts, sslcontext->name, &new); if (new) { --- 1221,1224 ---- *************** *** 1268,1272 **** MODULE, server, sslcontext->name); } - Ns_MutexUnlock(&thisServer->lock); } --- 1228,1231 ---- *************** *** 1300,1314 **** return; } - thisServer = NsOpenSSLServerGet(server); - Ns_MutexLock(&thisServer->lock); - hPtr = Tcl_FindHashEntry(&thisServer->sslcontexts, sslcontext->name); - if (hPtr != NULL) { Tcl_DeleteHashEntry(hPtr); } - Ns_MutexUnlock(&thisServer->lock); --- 1259,1268 ---- *************** *** 1332,1337 **** */ - /* XXX should this be in sslcontext.c ??? 
*/ - NsOpenSSLContext * Ns_OpenSSLServerSSLContextGet(char *server, char *name) --- 1286,1289 ---- *************** *** 1346,1350 **** return NULL; } - thisServer = NsOpenSSLServerGet(server); Ns_MutexLock(&thisServer->lock); --- 1298,1301 ---- *************** *** 1429,1433 **** sslconn = (NsOpenSSLConn *) SSL_get_app_data(ssl); - rsa_tmp = RSA_generate_key(keylen, RSA_F4, NULL, NULL); if (rsa_tmp == NULL) { --- 1380,1383 ---- *************** *** 1462,1466 **** */ - /* XXX figure out how to monitor OpenSSL's session cache performance */ static char * SSLContextSessionCacheIdNew(char *server) --- 1412,1415 ---- *************** *** 1472,1483 **** Ns_DStringInit(&ds); - - //XXX thisServer = NsOpenSSLServerGet(server); - Ns_MutexLock(&thisServer->lock); id = thisServer->nextSessionCacheId; thisServer->nextSessionCacheId++; Ns_MutexUnlock(&thisServer->lock); - Ns_DStringPrintf(&ds, "%s:%s:%d", MODULE, server, id); if (Ns_DStringLength(&ds) > SSL_MAX_SSL_SESSION_ID_LENGTH) { --- 1421,1428 ---- *************** *** 1485,1489 **** MODULE, server); Ns_DStringTrunc(&ds, 0); - /* XXX it could still be longer than 32 chars, though not likely */ Ns_DStringPrintf(&ds, "%s:%d", server, id); } --- 1430,1433 ---- *************** *** 1494,1500 **** } - - /* XXX MAKE ALL TEH FOLLOWING STATICS */ - /* --- 1438,1441 ---- *************** *** 1516,1523 **** SSLContextCertFileInit(NsOpenSSLContext *sslcontext) { - #if 0 - char *error; - #endif - if (sslcontext->certFile == NULL || SSL_CTX_use_certificate_chain_file(sslcontext->sslctx, sslcontext->certFile) == 0 --- 1457,1460 ---- *************** *** 1525,1533 **** Ns_Log(Error, "%s (%s): error loading certificate '%s'", MODULE, sslcontext->server, sslcontext->certFile); - #if 0 - error = ERR_reason_error_string(ERR_get_error()); - Ns_Log(Error, "%s (%s): OpenSSL reports: %s", - MODULE, sslcontext->server, error); - #endif if ((access(sslcontext->certFile, F_OK) != 0) || (access(sslcontext->certFile, R_OK) != 0)) Ns_Log(Error, "%s (%s): '%s' 
certificate file is not readable or does not exist", --- 1462,1465 ---- *************** *** 1537,1540 **** --- 1469,1473 ---- Ns_Log(Notice, "%s (%s): '%s' certificate loaded successfully", MODULE, sslcontext->server, sslcontext->name); + return NS_OK; } *************** *** 1559,1563 **** SSLContextKeyFileInit(NsOpenSSLContext *sslcontext) { - /* XXX add ability to read DER etc. file formats? */ if (sslcontext->keyFile == NULL || SSL_CTX_use_PrivateKey_file(sslcontext->sslctx, sslcontext->keyFile, --- 1492,1495 ---- *************** *** 1572,1575 **** --- 1504,1508 ---- Ns_Log(Notice, "%s (%s): '%s' key loaded successfully", MODULE, sslcontext->server, sslcontext->name); + return NS_OK; } *************** *** 1599,1602 **** --- 1532,1536 ---- return NS_ERROR; } + return NS_OK; } *************** *** 1698,1701 **** --- 1632,1636 ---- Ns_Log(Notice, "%s (%s): '%s' ciphers loaded successfully", MODULE, sslcontext->server, sslcontext->name); + return NS_OK; } *************** *** 1768,1775 **** * * Initialize the per-SSL context session cache. We use OpenSSL's ! * internal cache for storage and let it handle all of the work. We can ! * set up callbacks to manage an external session cache that could be ! * shared across multiple servers. If you want this capability, contact ! * me and we'll see what we can work out. * * Results: --- 1703,1707 ---- * * Initialize the per-SSL context session cache. We use OpenSSL's ! * internal cache for storage and let it do the work. * * Results: *************** *** 1780,1796 **** */ - /* XXX move this to sslcontext.c */ - static void SSLContextSessionCacheInit(NsO... [truncated message content] |
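Review bot: The added `return NS_OK;` closes a path that previously fell off the end of `SSLContextCertFileInit` and handed an indeterminate value to the `== NS_ERROR` test in `NsOpenSSLContextInit`; good fix, but the failure path above it (split across this hunk and the one before, which deletes the `#if 0` `ERR_reason_error_string` block rather than enabling it) still logs only "error loading certificate" and leaves the OpenSSL error queue populated. I would add, after that log, `Ns_Log(Error, "%s (%s): OpenSSL reports: %s", MODULE, sslcontext->server, ERR_reason_error_string(ERR_get_error()));` followed by `ERR_clear_error();`, since a stale queue makes later `SSL_get_error` calls on the thread unreliable (the deleted block already used these names, so the header is presumably included). The lines between the two hunks, where the failure branch presumably returns `NS_ERROR`, are not in view, so that return is worth confirming as well; the success Notice prints `sslcontext->name` where `sslcontext->certFile` would tell the operator which file was actually loaded.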