/*
- Bacula® - The Network Backup Solution
+ Bacula(R) - The Network Backup Solution
- Copyright (C) 2005-2014 Free Software Foundation Europe e.V.
+ Copyright (C) 2000-2017 Kern Sibbald
- The main author of Bacula is Kern Sibbald, with contributions from many
- others, a complete list can be found in the file AUTHORS.
+ The original author of Bacula is Kern Sibbald, with contributions
+ from many others, a complete list can be found in the file AUTHORS.
You may use this file and others of this release according to the
license defined in the LICENSE file, which includes the Affero General
Public License, v3.0 ("AGPLv3") and some additional permissions and
terms pursuant to its AGPLv3 Section 7.
- Bacula® is a registered trademark of Kern Sibbald.
+ This notice must be preserved when any source code is
+ conveyed and/or propagated.
+
+ Bacula(R) is a registered trademark of Kern Sibbald.
*/
/*
* tls.c TLS support functions
#ifdef HAVE_OPENSSL /* How about OpenSSL? */
+#include "openssl-compat.h"
+
/* No anonymous ciphers, no <128 bit ciphers, no export ciphers, no MD5 ciphers */
#define TLS_DEFAULT_CIPHERS "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
struct TLS_Connection {
SSL *openssl;
+ pthread_mutex_t wlock; /* make openssl_bsock_readwrite() atomic when writing */
+ pthread_mutex_t rwlock; /* only one SSL_read() or SSL_write() at a time */
};
/*
ctx = (TLS_CONTEXT *)malloc(sizeof(TLS_CONTEXT));
- /* Allocate our OpenSSL TLSv1 Context */
- ctx->openssl = SSL_CTX_new(TLSv1_method());
+ /* Allocate our OpenSSL TLS Context */
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ /* Allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols */
+ ctx->openssl = SSL_CTX_new(TLS_method());
+
+#else
+ /* Allows most all protocols */
+ ctx->openssl = SSL_CTX_new(SSLv23_method());
+
+#endif
+
+ /* Use SSL_OP_ALL to turn on all "rather harmless" workarounds that
+ * OpenSSL offers
+ */
+ SSL_CTX_set_options(ctx->openssl, SSL_OP_ALL);
+
+ /* Now disable old broken SSLv3 and SSLv2 protocols */
+ SSL_CTX_set_options(ctx->openssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if (!ctx->openssl) {
openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
bool auth_success = false;
int extensions;
int i, j;
+ const char *pval, *phost;
int cnLastPos = -1;
X509_NAME_ENTRY *neCN;
STACK_OF(CONF_VALUE) *val;
CONF_VALUE *nval;
void *extstr = NULL;
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL)
const unsigned char *ext_value_data;
-#else
- unsigned char *ext_value_data;
-#endif
+ const ASN1_STRING *asn1_ext_val;
/* Get x509 extension method structure */
if (!(method = X509V3_EXT_get(ext))) {
break;
}
- ext_value_data = ext->value->data;
+ asn1_ext_val = X509_EXTENSION_get_data(ext);
+ ext_value_data = ASN1_STRING_get0_data(asn1_ext_val);
-#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
if (method->it) {
/* New style ASN1 */
/* Decode ASN1 item in data */
- extstr = ASN1_item_d2i(NULL, &ext_value_data, ext->value->length,
+ extstr = ASN1_item_d2i(NULL, &ext_value_data, ASN1_STRING_length(asn1_ext_val),
ASN1_ITEM_ptr(method->it));
} else {
/* Old style ASN1 */
/* Decode ASN1 item in data */
- extstr = method->d2i(NULL, &ext_value_data, ext->value->length);
+ extstr = method->d2i(NULL, &ext_value_data, ASN1_STRING_length(asn1_ext_val));
}
-#else
- extstr = method->d2i(NULL, &ext_value_data, ext->value->length);
-#endif
-
/* Iterate through to find the dNSName field(s) */
val = method->i2v(method, extstr, NULL);
for (j = 0; j < sk_CONF_VALUE_num(val); j++) {
nval = sk_CONF_VALUE_value(val, j);
if (strcmp(nval->name, "DNS") == 0) {
- if (strcasecmp(nval->value, host) == 0) {
+ if (strncasecmp(nval->value, "*.", 2) == 0) {
+ Dmsg0(250, "Wildcard Certificate\n");
+ pval = strstr(nval->value, ".");
+ phost = strstr(host, ".");
+ if (pval && phost && (strcasecmp(pval, phost) == 0)) {
+ auth_success = true;
+ goto success;
+ }
+ } else if (strcasecmp(nval->value, host) == 0) {
auth_success = true;
goto success;
}
}
neCN = X509_NAME_get_entry(subject, cnLastPos);
asn1CN = X509_NAME_ENTRY_get_data(neCN);
- if (strcasecmp((const char*)asn1CN->data, host) == 0) {
+ if (strncasecmp((const char*)asn1CN->data, "*.", 2) == 0) {
+ /* wildcard certificate */
+ Dmsg0(250, "Wildcard Certificate\n");
+ pval = strstr((const char*)asn1CN->data, ".");
+ phost = strstr(host, ".");
+ if (pval && phost && (strcasecmp(pval, phost) == 0)) {
+ auth_success = true;
+ goto success;
+ }
+ } else if (strcasecmp((const char*)asn1CN->data, host) == 0) {
auth_success = true;
break;
}
/* Non-blocking partial writes */
SSL_set_mode(tls->openssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+ pthread_mutex_init(&tls->wlock, NULL);
+ pthread_mutex_init(&tls->rwlock, NULL);
+
return tls;
err:
*/
void free_tls_connection(TLS_CONNECTION *tls)
{
+ pthread_mutex_destroy(&tls->rwlock);
+ pthread_mutex_destroy(&tls->wlock);
SSL_free(tls->openssl);
free(tls);
}
{
TLS_CONNECTION *tls = bsock->tls;
int err;
- int fdmax, flags;
+ int flags;
int stat = true;
- fd_set fdset;
- struct timeval tv;
-
- /* Zero the fdset, we'll set our fd prior to each invocation of select() */
- FD_ZERO(&fdset);
- fdmax = bsock->m_fd + 1;
/* Ensure that socket is non-blocking */
flags = bsock->set_nonblocking();
stat = false;
goto cleanup;
case SSL_ERROR_WANT_READ:
- /* If we timeout of a select, this will be unset */
- FD_SET((unsigned) bsock->m_fd, &fdset);
- /* Set our timeout */
- tv.tv_sec = 10;
- tv.tv_usec = 0;
/* Block until we can read */
- select(fdmax, &fdset, NULL, NULL, &tv);
+ fd_wait_data(bsock->m_fd, WAIT_READ, 10, 0);
break;
case SSL_ERROR_WANT_WRITE:
- /* If we timeout of a select, this will be unset */
- FD_SET((unsigned) bsock->m_fd, &fdset);
- /* Set our timeout */
- tv.tv_sec = 10;
- tv.tv_usec = 0;
/* Block until we can write */
- select(fdmax, NULL, &fdset, NULL, &tv);
+ fd_wait_data(bsock->m_fd, WAIT_WRITE, 10, 0);
break;
default:
/* Socket Error Occurred */
static inline int openssl_bsock_readwrite(BSOCK *bsock, char *ptr, int nbytes, bool write)
{
TLS_CONNECTION *tls = bsock->tls;
- int fdmax, flags;
- fd_set fdset;
- struct timeval tv;
+ int flags;
int nleft = 0;
int nwritten = 0;
- /* Zero the fdset, we'll set our fd prior to each invocation of select() */
- FD_ZERO(&fdset);
- fdmax = bsock->m_fd + 1;
-
/* Ensure that socket is non-blocking */
flags = bsock->set_nonblocking();
nleft = nbytes;
+ if (write) {
+ pthread_mutex_lock(&tls->wlock);
+ }
while (nleft > 0) {
+
+ pthread_mutex_lock(&tls->rwlock);
if (write) {
nwritten = SSL_write(tls->openssl, ptr, nleft);
} else {
nwritten = SSL_read(tls->openssl, ptr, nleft);
}
+ pthread_mutex_unlock(&tls->rwlock);
/* Handle errors */
switch (SSL_get_error(tls->openssl, nwritten)) {
goto cleanup;
case SSL_ERROR_WANT_READ:
- /* If we timeout on a select, this will be unset */
- FD_SET((unsigned)bsock->m_fd, &fdset);
- tv.tv_sec = 10;
- tv.tv_usec = 0;
/* Block until we can read */
- select(fdmax, &fdset, NULL, NULL, &tv);
+ fd_wait_data(bsock->m_fd, WAIT_READ, 10, 0);
break;
case SSL_ERROR_WANT_WRITE:
- /* If we timeout on a select, this will be unset */
- FD_SET((unsigned)bsock->m_fd, &fdset);
- tv.tv_sec = 10;
- tv.tv_usec = 0;
- /* Block until we can write */
- select(fdmax, NULL, &fdset, NULL, &tv);
+ /* Block until we can read */
+ fd_wait_data(bsock->m_fd, WAIT_WRITE, 10, 0);
break;
case SSL_ERROR_ZERO_RETURN:
}
cleanup:
+ if (write) {
+ pthread_mutex_unlock(&tls->wlock);
+ }
/* Restore saved flags */
bsock->restore_blocking(flags);
return openssl_bsock_readwrite(bsock, ptr, nbytes, false);
}
+/* test if 4 bytes can be read without "blocking" */
+bool tls_bsock_probe(BSOCK *bsock)
+{
+ int32_t pktsiz;
+ return SSL_peek(bsock->tls->openssl, &pktsiz, sizeof(pktsiz))==sizeof(pktsiz);
+}
+
+
#else /* HAVE_OPENSSL */
# error No TLS implementation available.
#endif /* !HAVE_OPENSSL */
projects / bacula / bacula / blobdiff