From 273152762f4fe784344ee2a62ea90050fc1f3b8d Mon Sep 17 00:00:00 2001 From: Emanuele Giaquinta Date: Thu, 31 May 2007 23:56:51 +0000 Subject: [PATCH] Rewrite SSL connection/handshake code. git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4536 dbcabf3a-b0e7-0310-adc4-f8d773084564 --- src/core/network-openssl.c | 105 +++++++++---------------------------- src/core/network.h | 1 + src/core/servers.c | 38 ++++++++++++++ 3 files changed, 65 insertions(+), 79 deletions(-) diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c index 75d66050..d9bd948e 100644 --- a/src/core/network-openssl.c +++ b/src/core/network-openssl.c @@ -38,7 +38,6 @@ typedef struct GIOChannel *giochan; SSL *ssl; SSL_CTX *ctx; - unsigned int got_cert:1; unsigned int verify:1; } GIOSSLChannel; @@ -110,45 +109,11 @@ static GIOStatus ssl_errno(gint e) return G_IO_STATUS_ERROR; } -static GIOStatus irssi_ssl_cert_step(GIOSSLChannel *chan) -{ - X509 *cert; - gint err; - switch(err = SSL_do_handshake(chan->ssl)) - { - case 1: - if(!(cert = SSL_get_peer_certificate(chan->ssl))) - { - g_warning("SSL server supplied no certificate"); - return G_IO_STATUS_ERROR; - } - if (chan->verify && ! irssi_ssl_verify(chan->ssl, chan->ctx, cert)) { - X509_free(cert); - return G_IO_STATUS_ERROR; - } - X509_free(cert); - return G_IO_STATUS_NORMAL; - default: - if(SSL_get_error(chan->ssl, err) == SSL_ERROR_WANT_READ) - return G_IO_STATUS_AGAIN; - return ssl_errno(errno); - } - /*UNREACH*/ - return G_IO_STATUS_ERROR; -} - static GIOStatus irssi_ssl_read(GIOChannel *handle, gchar *buf, gsize len, gsize *ret, GError **gerr) { GIOSSLChannel *chan = (GIOSSLChannel *)handle; gint err; - if(! chan->got_cert) - { - gint cert_err = irssi_ssl_cert_step(chan); - if(cert_err != G_IO_STATUS_NORMAL) - return cert_err; - } - err = SSL_read(chan->ssl, buf, len); if(err < 0) { @@ -171,13 +136,6 @@ static GIOStatus irssi_ssl_write(GIOChannel *handle, const gchar *buf, gsize len GIOSSLChannel *chan = (GIOSSLChannel *)handle; gint err; - if(! chan->got_cert) - { - gint cert_err = irssi_ssl_cert_step(chan); - if(cert_err != G_IO_STATUS_NORMAL) - return cert_err; - } - err = SSL_write(chan->ssl, (const char *)buf, len); if(err < 0) { @@ -265,7 +223,6 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *mycer GIOChannel *gchan; int err, fd; SSL *ssl; - X509 *cert = NULL; SSL_CTX *ctx = NULL; g_return_val_if_fail(handle != NULL, NULL); @@ -336,47 +293,11 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *mycer return NULL; } - if((err = SSL_connect(ssl)) <= 0) - { - switch(err = SSL_get_error(ssl, err)) - { - case SSL_ERROR_SYSCALL: - if(errno == EINTR || errno == EAGAIN) - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - break; - default: - SSL_free(ssl); - if (ctx != ssl_ctx) - SSL_CTX_free(ctx); - return NULL; - } - } - else if(!(cert = SSL_get_peer_certificate(ssl))) - { - g_warning("SSL server supplied no certificate"); - if (ctx != ssl_ctx) - SSL_CTX_free(ctx); - SSL_free(ssl); - return NULL; - } - else - { - if (verify && ! irssi_ssl_verify(ssl, ctx, cert)) { - SSL_free(ssl); - if (ctx != ssl_ctx) - SSL_CTX_free(ctx); - return NULL; - } - X509_free(cert); - } - chan = g_new0(GIOSSLChannel, 1); chan->fd = fd; chan->giochan = handle; chan->ssl = ssl; chan->ctx = ctx; - chan->got_cert = cert != NULL; chan->verify = verify; gchan = (GIOChannel *)chan; @@ -397,6 +318,32 @@ GIOChannel *net_connect_ip_ssl(IPADDR *ip, int port, IPADDR *my_ip, const char * return ssl_handle; } +int irssi_ssl_handshake(GIOChannel *handle) +{ + GIOSSLChannel *chan = (GIOSSLChannel *)handle; + int ret, err; + X509 *cert; + + ret = SSL_connect(chan->ssl); + if (ret <= 0) { + err = SSL_get_error(chan->ssl, ret); + if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) { + g_warning(ERR_reason_error_string(ERR_get_error())); + return -1; + } + return err == SSL_ERROR_WANT_READ ? 1 : 3; + } + + cert = SSL_get_peer_certificate(chan->ssl); + if (cert == NULL) { + g_warning("SSL server supplied no certificate"); + return -1; + } + ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, cert); + X509_free(cert); + return ret ? 0 : -1; +} + #else /* HAVE_OPENSSL */ GIOChannel *net_connect_ip_ssl(IPADDR *ip, int port, IPADDR *my_ip, const char *cert, const char *pkey, const char *cafile, const char *capath, gboolean verify) diff --git a/src/core/network.h b/src/core/network.h index 5e445e83..a3a4eb41 100644 --- a/src/core/network.h +++ b/src/core/network.h @@ -48,6 +48,7 @@ int net_ip_compare(IPADDR *ip1, IPADDR *ip2); GIOChannel *net_connect(const char *addr, int port, IPADDR *my_ip); /* Connect to socket with ip address and SSL*/ GIOChannel *net_connect_ip_ssl(IPADDR *ip, int port, IPADDR *my_ip, const char *cert, const char *pkey, const char *cafile, const char *capath, gboolean verify); +int irssi_ssl_handshake(GIOChannel *handle); /* Connect to socket with ip address */ GIOChannel *net_connect_ip(IPADDR *ip, int port, IPADDR *my_ip); /* Connect to named UNIX socket */ diff --git a/src/core/servers.c b/src/core/servers.c index 046fa072..2e9d11fc 100644 --- a/src/core/servers.c +++ b/src/core/servers.c @@ -167,6 +167,39 @@ static void server_connect_callback_init(SERVER_REC *server, GIOChannel *handle) server_connect_finished(server); } +#ifdef HAVE_OPENSSL +static void server_connect_callback_init_ssl(SERVER_REC *server, GIOChannel *handle) +{ + int error; + + g_return_if_fail(IS_SERVER(server)); + + error = irssi_ssl_handshake(handle); + if (error == -1) { + server->connection_lost = TRUE; + server_connect_failed(server, NULL); + return; + } + if (error & 1) { + if (server->connect_tag != -1) + g_source_remove(server->connect_tag); + server->connect_tag = g_input_add(handle, error == 1 ? G_INPUT_READ : G_INPUT_WRITE, + (GInputFunction) + server_connect_callback_init_ssl, + server); + return; + } + + lookup_servers = g_slist_remove(lookup_servers, server); + if (server->connect_tag != -1) { + g_source_remove(server->connect_tag); + server->connect_tag = -1; + } + + server_connect_finished(server); +} +#endif + static void server_real_connect(SERVER_REC *server, IPADDR *ip, const char *unix_socket) { @@ -218,6 +251,11 @@ server->connrec->ssl_cafile, server->connrec->ssl_capath, server->connrec->ssl_v g_free(errmsg2); } else { server->handle = net_sendbuffer_create(handle, 0); +#ifdef HAVE_OPENSSL + if (server->connrec->use_ssl) + server_connect_callback_init_ssl(server, handle); + else +#endif server->connect_tag = g_input_add(handle, G_INPUT_WRITE | G_INPUT_READ, (GInputFunction)