diff options
Diffstat (limited to 'openwrt/package/mini_httpd/files/matrixssl_helper.c')
-rw-r--r-- | openwrt/package/mini_httpd/files/matrixssl_helper.c | 455 |
1 files changed, 455 insertions, 0 deletions
diff --git a/openwrt/package/mini_httpd/files/matrixssl_helper.c b/openwrt/package/mini_httpd/files/matrixssl_helper.c new file mode 100644 index 0000000000..e3fe3346c2 --- /dev/null +++ b/openwrt/package/mini_httpd/files/matrixssl_helper.c @@ -0,0 +1,455 @@ +/* + * MatrixSSL helper functions + * + * Copyright (C) 2005 Nicolas Thill <nthill@free.fr> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * Portions borrowed from MatrixSSL example code + * + */ + +#include <sys/socket.h> +#include <netinet/in.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <fcntl.h> +#include <unistd.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> + +#include "matrixssl_helper.h" + +#define SSL_SOCKET_EOF 0x0001 +#define SSL_SOCKET_CLOSE_NOTIFY 0x0002 + +#define min(a, b) ( (a) < (b) ) ? (a) : (b) + +static int _ssl_read(SSL *ssl, char *buf, int len); +static int _ssl_write(SSL *ssl, char *buf, int len); +static void _ssl_setSocketBlock(int fd); +static void _ssl_setSocketNonblock(int fd); +static void _ssl_closeSocket(int fd); + + +SSL * SSL_new(sslKeys_t *keys) +{ + SSL * ssl; + ssl = (SSL *)malloc(sizeof(SSL)); + + if (!ssl) return 0; + + ssl->keys = keys; + if ( matrixSslNewSession(&(ssl->ssl), ssl->keys, NULL, SSL_FLAGS_SERVER) < 0 ) { + } + + ssl->insock.size = 1024; + ssl->insock.buf = ssl->insock.start = ssl->insock.end = + (unsigned char *)malloc(ssl->insock.size); + + ssl->outsock.size = 1024; + ssl->outsock.buf = ssl->outsock.start = ssl->outsock.end = + (unsigned char *)malloc(ssl->outsock.size); + + ssl->inbuf.size = 0; + ssl->inbuf.buf = ssl->inbuf.start = ssl->inbuf.end = NULL; + + return ssl; +} + + +int SSL_accept(SSL *ssl) { + + unsigned char buf[1024]; + int status, rc; + +readMore: + rc = _ssl_read(ssl, buf, sizeof(buf)); + if (rc == 0) { + if (ssl->status == SSL_SOCKET_EOF || ssl->status == SSL_SOCKET_CLOSE_NOTIFY) { + SSL_free(ssl); + return -1; + } + if (matrixSslHandshakeIsComplete(ssl->ssl) == 0) { + goto readMore; + } + } else if (rc > 0) { + return 0; + } else { + SSL_free(ssl); + return -1; + } + + return 1; +} + + +void SSL_set_fd(SSL *ssl, int fd) { + ssl->fd = fd; +} + + +int SSL_read(SSL *ssl, char *buf, int len) { + int rc; +readMore: + rc = _ssl_read(ssl, buf, len); + if (rc <= 0) { + if (rc < 0 || ssl->status == SSL_SOCKET_EOF || ssl->status == SSL_SOCKET_CLOSE_NOTIFY) { + _ssl_closeSocket(ssl->fd); + return rc; + } + goto readMore; + } + return rc; +} + + +int SSL_write(SSL *ssl, char *buf, int len) { + int rc; +writeMore: + rc = _ssl_write(ssl, buf, len); + if (rc <= 0) { + if (rc < 0) { + return rc; + } + goto writeMore; + } + return rc; +} + + +void SSL_free(SSL * ssl) +{ + matrixSslDeleteSession(ssl->ssl); + if (ssl->insock.buf) { + free(ssl->insock.buf); + } + if (ssl->outsock.buf) { + free(ssl->outsock.buf); + } + if (ssl->inbuf.buf) { + free(ssl->inbuf.buf); + } + free(ssl); +} + + + +static void _ssl_setSocketBlock(int fd) +{ + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK); + fcntl(fd, F_SETFD, FD_CLOEXEC); +} + + +static void _ssl_setSocketNonblock(int fd) +{ + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK); +} + + +static void _ssl_closeSocket(int fd) +{ + char buf[32]; + + if (fd != -1) { + _ssl_setSocketNonblock(fd); + if (shutdown(fd, 1) >= 0) { + while (recv(fd, buf, sizeof(buf), 0) > 0); + } + close(fd); + } +} + + +static int _ssl_read(SSL *ssl, char *buf, int len) +{ + int bytes, rc, remaining; + unsigned char error, alertLevel, alertDescription, performRead; + + ssl->status = 0; + + if (ssl->ssl == NULL || len <= 0) { + return -1; + } +/* + If inbuf is valid, then we have previously decoded data that must be + returned, return as much as possible. Once all buffered data is + returned, free the inbuf. +*/ + if (ssl->inbuf.buf) { + if (ssl->inbuf.start < ssl->inbuf.end) { + remaining = (int)(ssl->inbuf.end - ssl->inbuf.start); + bytes = (int)min(len, remaining); + memcpy(buf, ssl->inbuf.start, bytes); + ssl->inbuf.start += bytes; + return bytes; + } + free(ssl->inbuf.buf); + ssl->inbuf.buf = NULL; + } +/* + Pack the buffered socket data (if any) so that start is at zero. +*/ + if (ssl->insock.buf < ssl->insock.start) { + if (ssl->insock.start == ssl->insock.end) { + ssl->insock.start = ssl->insock.end = ssl->insock.buf; + } else { + memmove(ssl->insock.buf, ssl->insock.start, ssl->insock.end - ssl->insock.start); + ssl->insock.end -= (ssl->insock.start - ssl->insock.buf); + ssl->insock.start = ssl->insock.buf; + } + } +/* + Read up to as many bytes as there are remaining in the buffer. We could + Have encrypted data already cached in conn->insock, but might as well read more + if we can. +*/ + performRead = 0; +readMore: + if (ssl->insock.end == ssl->insock.start || performRead) { + performRead = 1; + bytes = recv(ssl->fd, (char *)ssl->insock.end, + (int)((ssl->insock.buf + ssl->insock.size) - ssl->insock.end), MSG_NOSIGNAL); + if (bytes == -1) { + ssl->status = errno; + return -1; + } + if (bytes == 0) { + ssl->status = SSL_SOCKET_EOF; + return 0; + } + ssl->insock.end += bytes; + } +/* + Define a temporary sslBuf +*/ + ssl->inbuf.start = ssl->inbuf.end = ssl->inbuf.buf = (unsigned char *)malloc(len); + ssl->inbuf.size = len; +/* + Decode the data we just read from the socket +*/ +decodeMore: + error = 0; + alertLevel = 0; + alertDescription = 0; + + rc = matrixSslDecode(ssl->ssl, &ssl->insock, &ssl->inbuf, &error, &alertLevel, + &alertDescription); + switch (rc) { +/* + Successfully decoded a record that did not return data or require a response. +*/ + case SSL_SUCCESS: + return 0; +/* + Successfully decoded an application data record, and placed in tmp buf +*/ + case SSL_PROCESS_DATA: +/* + Copy as much as we can from the temp buffer into the caller's buffer + and leave the remainder in conn->inbuf until the next call to read + It is possible that len > data in buffer if the encoded record + was longer than len, but the decoded record isn't! +*/ + rc = (int)(ssl->inbuf.end - ssl->inbuf.start); + rc = min(rc, len); + memcpy(buf, ssl->inbuf.start, rc); + ssl->inbuf.start += rc; + return rc; +/* + We've decoded a record that requires a response into tmp + If there is no data to be flushed in the out buffer, we can write out + the contents of the tmp buffer. Otherwise, we need to append the data + to the outgoing data buffer and flush it out. +*/ + case SSL_SEND_RESPONSE: + bytes = send(ssl->fd, (char *)ssl->inbuf.start, + (int)(ssl->inbuf.end - ssl->inbuf.start), MSG_NOSIGNAL); + if (bytes == -1) { + ssl->status = errno; + if (ssl->status != EAGAIN) { + goto readError; + } + ssl->status = 0; + } + ssl->inbuf.start += bytes; + if (ssl->inbuf.start < ssl->inbuf.end) { +/* + This must be a non-blocking socket since it didn't all get sent + out and there was no error. We want to finish the send here + simply because we are likely in the SSL handshake. +*/ + _ssl_setSocketBlock(ssl->fd); + bytes = send(ssl->fd, (char *)ssl->inbuf.start, + (int)(ssl->inbuf.end - ssl->inbuf.start), MSG_NOSIGNAL); + if (bytes == -1) { + ssl->status = errno; + goto readError; + } + ssl->inbuf.start += bytes; +/* + Can safely set back to non-blocking because we wouldn't + have got here if this socket wasn't non-blocking to begin with. +*/ + _ssl_setSocketNonblock(ssl->fd); + } + ssl->inbuf.start = ssl->inbuf.end = ssl->inbuf.buf; + return 0; +/* + There was an error decoding the data, or encoding the out buffer. + There may be a response data in the out buffer, so try to send. + We try a single hail-mary send of the data, and then close the socket. + Since we're closing on error, we don't worry too much about a clean flush. +*/ + case SSL_ERROR: + if (ssl->inbuf.start < ssl->inbuf.end) { + _ssl_setSocketNonblock(ssl->fd); + bytes = send(ssl->fd, (char *)ssl->inbuf.start, + (int)(ssl->inbuf.end - ssl->inbuf.start), MSG_NOSIGNAL); + } + goto readError; +/* + We've decoded an alert. The level and description passed into + matrixSslDecode are filled in with the specifics. +*/ + case SSL_ALERT: + if (alertDescription == SSL_ALERT_CLOSE_NOTIFY) { + ssl->status = SSL_SOCKET_CLOSE_NOTIFY; + goto readZero; + } + goto readError; +/* + We have a partial record, we need to read more data off the socket. + If we have a completely full conn->insock buffer, we'll need to grow it + here so that we CAN read more data when called the next time. +*/ + case SSL_PARTIAL: + if (ssl->insock.start == ssl->insock.buf && ssl->insock.end == + (ssl->insock.buf + ssl->insock.size)) { + if (ssl->insock.size > SSL_MAX_BUF_SIZE) { + goto readError; + } + ssl->insock.size *= 2; + ssl->insock.start = ssl->insock.buf = + (unsigned char *)realloc(ssl->insock.buf, ssl->insock.size); + ssl->insock.end = ssl->insock.buf + (ssl->insock.size / 2); + } + if (!performRead) { + performRead = 1; + free(ssl->inbuf.buf); + ssl->inbuf.buf = NULL; + goto readMore; + } else { + goto readZero; + } +/* + The out buffer is too small to fit the decoded or response + data. Increase the size of the buffer and call decode again +*/ + case SSL_FULL: + ssl->inbuf.size *= 2; + if (ssl->inbuf.buf != (unsigned char*)buf) { + free(ssl->inbuf.buf); + ssl->inbuf.buf = NULL; + } + ssl->inbuf.start = ssl->inbuf.end = ssl->inbuf.buf = + (unsigned char *)malloc(ssl->inbuf.size); + goto decodeMore; + } +/* + We consolidated some of the returns here because we must ensure + that conn->inbuf is cleared if pointing at caller's buffer, otherwise + it will be freed later on. +*/ +readZero: + if (ssl->inbuf.buf == (unsigned char*)buf) { + ssl->inbuf.buf = NULL; + } + return 0; +readError: + if (ssl->inbuf.buf == (unsigned char*)buf) { + ssl->inbuf.buf = NULL; + } + return -1; +} + + +int _ssl_write(SSL *ssl, char *buf, int len) +{ + int rc; + + ssl->status = 0; +/* + Pack the buffered socket data (if any) so that start is at zero. +*/ + if (ssl->outsock.buf < ssl->outsock.start) { + if (ssl->outsock.start == ssl->outsock.end) { + ssl->outsock.start = ssl->outsock.end = ssl->outsock.buf; + } else { + memmove(ssl->outsock.buf, ssl->outsock.start, ssl->outsock.end - ssl->outsock.start); + ssl->outsock.end -= (ssl->outsock.start - ssl->outsock.buf); + ssl->outsock.start = ssl->outsock.buf; + } + } +/* + If there is buffered output data, the caller must be trying to + send the same amount of data as last time. We don't support + sending additional data until the original buffered request has + been completely sent. +*/ + if (ssl->outBufferCount > 0 && len != ssl->outBufferCount) { + return -1; + } +/* + If we don't have buffered data, encode the caller's data +*/ + if (ssl->outBufferCount == 0) { +retryEncode: + rc = matrixSslEncode(ssl->ssl, (unsigned char *)buf, len, &ssl->outsock); + switch (rc) { + case SSL_ERROR: + return -1; + case SSL_FULL: + if (ssl->outsock.size > SSL_MAX_BUF_SIZE) { + return -1; + } + ssl->outsock.size *= 2; + ssl->outsock.buf = + (unsigned char *)realloc(ssl->outsock.buf, ssl->outsock.size); + ssl->outsock.end = ssl->outsock.buf + (ssl->outsock.end - ssl->outsock.start); + ssl->outsock.start = ssl->outsock.buf; + goto retryEncode; + } + } +/* + We've got data to send. +*/ + rc = send(ssl->fd, (char *)ssl->outsock.start, + (int)(ssl->outsock.end - ssl->outsock.start), MSG_NOSIGNAL); + if (rc == -1) { + ssl->status = errno; + return -1; + } + ssl->outsock.start += rc; +/* + If we wrote it all return the length, otherwise remember the number of + bytes passed in, and return 0 to be called again later. +*/ + if (ssl->outsock.start == ssl->outsock.end) { + ssl->outBufferCount = 0; + return len; + } + ssl->outBufferCount = len; + return 0; +} + |