-/*
- * tls.c TLS support functions
- *
- * Author: Landon Fuller <landonf@threerings.net>
- *
- * Version $Id$
- *
- * This file was contributed to the Bacula project by Landon Fuller
- * and Three Rings Design, Inc.
- *
- * Three Rings Design, Inc. has been granted a perpetual, worldwide,
- * non-exclusive, no-charge, royalty-free, irrevocable copyright
- * license to reproduce, prepare derivative works of, publicly
- * display, publicly perform, sublicense, and distribute the original
- * work contributed by Three Rings Design, Inc. and its employees to
- * the Bacula project in source or object form.
- *
- * If you wish to license contributions from Three Rings Design, Inc,
- * under an alternate open source license please contact
- * Landon Fuller <landonf@threerings.net>.
- */
/*
Bacula® - The Network Backup Solution
- Copyright (C) 2005-2007 Free Software Foundation Europe e.V.
+ Copyright (C) 2005-2008 Free Software Foundation Europe e.V.
The main author of Bacula is Kern Sibbald, with contributions from
many others, a complete list can be found in the file AUTHORS.
This program is Free Software; you can redistribute it and/or
modify it under the terms of version two of the GNU General Public
- License as published by the Free Software Foundation plus additions
- that are listed in the file LICENSE.
+ License as published by the Free Software Foundation and included
+ in the file LICENSE.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
- Bacula® is a registered trademark of John Walker.
+ Bacula® is a registered trademark of Kern Sibbald.
The licensor of Bacula is the Free Software Foundation Europe
(FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
Switzerland, email:ftf@fsfeurope.org.
*/
+/*
+ * tls.c TLS support functions
+ *
+ * Author: Landon Fuller <landonf@threerings.net>
+ *
+ * Version $Id$
+ *
+ * This file was contributed to the Bacula project by Landon Fuller
+ * and Three Rings Design, Inc.
+ *
+ * Three Rings Design, Inc. has been granted a perpetual, worldwide,
+ * non-exclusive, no-charge, royalty-free, irrevocable copyright
+ * license to reproduce, prepare derivative works of, publicly
+ * display, publicly perform, sublicense, and distribute the original
+ * work contributed by Three Rings Design, Inc. and its employees to
+ * the Bacula project in source or object form.
+ *
+ * If you wish to license contributions from Three Rings Design, Inc,
+ * under an alternate open source license please contact
+ * Landon Fuller <landonf@threerings.net>.
+ */
#include "bacula.h"
#include <assert.h>
-extern time_t watchdog_time;
#ifdef HAVE_TLS /* Is TLS enabled? */
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, 256);
X509_NAME_oneline(X509_get_subject_name(cert), subject, 256);
- Emsg5(M_ERROR, 0, _("Error with certificate at depth: %d, issuer = %s,"
- " subject = %s, ERR=%d:%s\n"), depth, issuer,
- subject, err, X509_verify_cert_error_string(err));
+ Jmsg5(NULL, M_ERROR, 0, _("Error with certificate at depth: %d, issuer = %s,"
+ " subject = %s, ERR=%d:%s\n"), depth, issuer,
+ subject, err, X509_verify_cert_error_string(err));
}
}
} else if (verify_peer) {
/* At least one CA is required for peer verification */
- Emsg0(M_ERROR, 0, _("Either a certificate file or a directory must be"
+ Jmsg0(NULL, M_ERROR, 0, _("Either a certificate file or a directory must be"
" specified as a verification store\n"));
goto err;
}
}
if (SSL_CTX_set_cipher_list(ctx->openssl, TLS_DEFAULT_CIPHERS) != 1) {
- Emsg0(M_ERROR, 0, _("Error setting cipher list, no valid ciphers available\n"));
+ Jmsg0(NULL, M_ERROR, 0,
+ _("Error setting cipher list, no valid ciphers available\n"));
goto err;
}
* Returns: true on success
* false on failure
*/
-bool tls_postconnect_verify_cn(TLS_CONNECTION *tls, alist *verify_list)
+bool tls_postconnect_verify_cn(JCR *jcr, TLS_CONNECTION *tls, alist *verify_list)
{
SSL *ssl = tls->openssl;
X509 *cert;
/* Check if peer provided a certificate */
if (!(cert = SSL_get_peer_certificate(ssl))) {
- Emsg0(M_ERROR, 0, _("Peer failed to present a TLS certificate\n"));
+ Qmsg0(jcr, M_ERROR, 0, _("Peer failed to present a TLS certificate\n"));
return false;
}
* Returns: true on success
* false on failure
*/
-bool tls_postconnect_verify_host(TLS_CONNECTION *tls, const char *host)
+bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host)
{
SSL *ssl = tls->openssl;
X509 *cert;
/* Check if peer provided a certificate */
if (!(cert = SSL_get_peer_certificate(ssl))) {
- Emsg1(M_ERROR, 0, _("Peer %s failed to present a TLS certificate\n"), host);
+ Qmsg1(jcr, M_ERROR, 0,
+ _("Peer %s failed to present a TLS certificate\n"), host);
return false;
}
BIO_free(bio);
SSL_free(tls->openssl);
free(tls);
-
return NULL;
}
fdmax = bsock->m_fd + 1;
/* Ensure that socket is non-blocking */
- flags = bnet_set_nonblocking(bsock);
+ flags = bsock->set_nonblocking();
/* start timer */
bsock->timer_start = watchdog_time;
- bsock->m_timed_out = 0;
+ bsock->clear_timed_out();
for (;;) {
if (server) {
tv.tv_sec = 10;
tv.tv_usec = 0;
/* Block until we can read */
- select(fdmax, &fdset, NULL, &fdset, &tv);
+ select(fdmax, &fdset, NULL, NULL, &tv);
break;
case SSL_ERROR_WANT_WRITE:
/* If we timeout of a select, this will be unset */
tv.tv_sec = 10;
tv.tv_usec = 0;
/* Block until we can write */
- select(fdmax, NULL, &fdset, &fdset, &tv);
+ select(fdmax, NULL, &fdset, NULL, &tv);
break;
default:
- /* Socket Error Occured */
+ /* Socket Error Occurred */
openssl_post_errors(M_ERROR, _("Connect failure"));
stat = false;
goto cleanup;
cleanup:
/* Restore saved flags */
- bnet_restore_blocking(bsock, flags);
+ bsock->restore_blocking(flags);
/* Clear timer */
bsock->timer_start = 0;
bool tls_bsock_connect(BSOCK *bsock)
{
/* SSL_connect(bsock->tls) */
- return (openssl_bsock_session_start(bsock, false));
+ return openssl_bsock_session_start(bsock, false);
}
/*
bool tls_bsock_accept(BSOCK *bsock)
{
/* SSL_accept(bsock->tls) */
- return (openssl_bsock_session_start(bsock, true));
+ return openssl_bsock_session_start(bsock, true);
}
/*
* The first time to initiate the shutdown handshake, and the second to
* receive the peer's reply.
*
- * However, it is valid to close the SSL connection after the initial
- * shutdown notification is sent to the peer, without waiting for the
- * peer's reply, as long as you do not plan to re-use that particular
- * SSL connection object.
- *
- * Because we do not re-use SSL connection objects, I do not bother
- * calling SSL_shutdown a second time.
- *
* In addition, if the underlying socket is blocking, SSL_shutdown()
* will not return until the current stage of the shutdown process has
* completed or an error has occured. By setting the socket blocking
* we can avoid the ugly for()/switch()/select() loop.
*/
int err;
- int flags;
/* Set socket blocking for shutdown */
- flags = bsock->set_blocking();
+ bsock->set_blocking();
err = SSL_shutdown(bsock->tls->openssl);
+ if (err == 0) {
+ /* Complete shutdown */
+ err = SSL_shutdown(bsock->tls->openssl);
+ }
switch (SSL_get_error(bsock->tls->openssl, err)) {
- case SSL_ERROR_NONE:
- break;
- case SSL_ERROR_ZERO_RETURN:
- /* TLS connection was shut down on us via a TLS protocol-level closure */
- openssl_post_errors(M_ERROR, _("TLS shutdown failure."));
- break;
- default:
- /* Socket Error Occured */
- openssl_post_errors(M_ERROR, _("TLS shutdown failure."));
- break;
+ case SSL_ERROR_NONE:
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ /* TLS connection was shut down on us via a TLS protocol-level closure */
+ openssl_post_errors(M_ERROR, _("TLS shutdown failure."));
+ break;
+ default:
+ /* Socket Error Occurred */
+ openssl_post_errors(M_ERROR, _("TLS shutdown failure."));
+ break;
}
-
- /* Restore saved flags */
- bsock->restore_blocking(flags);
}
/* Does all the manual labor for tls_bsock_readn() and tls_bsock_writen() */
/* start timer */
bsock->timer_start = watchdog_time;
- bsock->m_timed_out = 0;
+ bsock->clear_timed_out();
nleft = nbytes;
while (nleft > 0) {
-
if (write) {
nwritten = SSL_write(tls->openssl, ptr, nleft);
} else {
ptr += nwritten;
}
break;
- case SSL_ERROR_ZERO_RETURN:
- /* TLS connection was cleanly shut down */
- openssl_post_errors(M_ERROR, _("TLS read/write failure."));
- goto cleanup;
+
case SSL_ERROR_WANT_READ:
- /* If we timeout of a select, this will be unset */
- FD_SET((unsigned) bsock->m_fd, &fdset);
+ /* If we timeout on a select, this will be unset */
+ FD_SET((unsigned)bsock->m_fd, &fdset);
tv.tv_sec = 10;
tv.tv_usec = 0;
/* Block until we can read */
- select(fdmax, &fdset, NULL, &fdset, &tv);
+ select(fdmax, &fdset, NULL, NULL, &tv);
break;
+
case SSL_ERROR_WANT_WRITE:
- /* If we timeout of a select, this will be unset */
- FD_SET((unsigned) bsock->m_fd, &fdset);
+ /* If we timeout on a select, this will be unset */
+ FD_SET((unsigned)bsock->m_fd, &fdset);
tv.tv_sec = 10;
tv.tv_usec = 0;
/* Block until we can write */
- select(fdmax, NULL, &fdset, &fdset, &tv);
+ select(fdmax, NULL, &fdset, NULL, &tv);
break;
+
+ case SSL_ERROR_ZERO_RETURN:
+ /* TLS connection was cleanly shut down */
+ /* Fall through wanted */
default:
/* Socket Error Occured */
openssl_post_errors(M_ERROR, _("TLS read/write failure."));
/* Clear timer */
bsock->timer_start = 0;
-
return nbytes - nleft;
}
-int tls_bsock_writen(BSOCK *bsock, char *ptr, int32_t nbytes) {
+int tls_bsock_writen(BSOCK *bsock, char *ptr, int32_t nbytes)
+{
/* SSL_write(bsock->tls->openssl, ptr, nbytes) */
- return (openssl_bsock_readwrite(bsock, ptr, nbytes, true));
+ return openssl_bsock_readwrite(bsock, ptr, nbytes, true);
}
-int tls_bsock_readn(BSOCK *bsock, char *ptr, int32_t nbytes) {
+int tls_bsock_readn(BSOCK *bsock, char *ptr, int32_t nbytes)
+{
/* SSL_read(bsock->tls->openssl, ptr, nbytes) */
- return (openssl_bsock_readwrite(bsock, ptr, nbytes, false));
+ return openssl_bsock_readwrite(bsock, ptr, nbytes, false);
}
#else /* HAVE_OPENSSL */
# error No TLS implementation available.
#endif /* !HAVE_OPENSSL */
-#else
+
+#else /* TLS NOT enabled, dummy routines substituted */
+
/* Dummy routines */
TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
projects / bacula / bacula / blobdiff