int SSLSocket_continueWrite(pending_writes* pw)
{
int rc = 0;
FUNC_ENTRY;
if ((rc = SSL_write(pw->ssl, pw->iovecs[0].iov_base, pw->iovecs[0].iov_len)) == pw->iovecs[0].iov_len)
{
/* topic and payload buffers are freed elsewhere, when all references to them have been removed */
free(pw->iovecs[0].iov_base);
if (pw->count > 1)
{
free(pw->iovecs[1].iov_base);
if (pw->count == 5)
free(pw->iovecs[3].iov_base);
}
Log(TRACE_MIN, -1, "SSL continueWrite: partial write now complete for socket %d", pw->socket);
rc = 1;
}
else
{
int sslerror = SSLSocket_error("SSL_write", pw->ssl, pw->socket, rc);
if (sslerror == SSL_ERROR_WANT_WRITE)
rc = 0; /* indicate we haven't finished writing the payload yet */
}
FUNC_EXIT_RC(rc);
return rc;
}
/**
* Reads one byte from a socket
* @param socket the socket to read from
* @param c the character read, returned
* @return completion code
*/
int SSLSocket_getch(SSL* ssl, int socket, char* c)
{
int rc = SOCKET_ERROR;
FUNC_ENTRY;
if ((rc = SocketBuffer_getQueuedChar(socket, c)) != SOCKETBUFFER_INTERRUPTED)
goto exit;
if ((rc = SSL_read(ssl, c, (size_t)1)) < 0)
{
int err = SSLSocket_error("SSL_read - getch", ssl, socket, rc);
if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
{
rc = TCPSOCKET_INTERRUPTED;
SocketBuffer_interrupted(socket, 0);
}
}
else if (rc == 0)
rc = SOCKET_ERROR; /* The return value from recv is 0 when the peer has performed an orderly shutdown. */
else if (rc == 1)
{
SocketBuffer_queueChar(socket, *c);
rc = TCPSOCKET_COMPLETE;
}
exit:
FUNC_EXIT_RC(rc);
return rc;
}
int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts)
{
int rc = 1;
FUNC_ENTRY;
if (net->ctx != NULL || (rc = SSLSocket_createContext(net, opts)) == 1)
{
int i;
SSL_CTX_set_info_callback(net->ctx, SSL_CTX_info_callback);
if (opts->enableServerCertAuth)
SSL_CTX_set_verify(net->ctx, SSL_VERIFY_PEER, NULL);
net->ssl = SSL_new(net->ctx);
/* Log all ciphers available to the SSL sessions (loaded in ctx) */
for (i = 0; ;i++)
{
const char* cipher = SSL_get_cipher_list(net->ssl, i);
if (cipher == NULL) break;
Log(TRACE_MIN, 1, "SSL cipher available: %d:%s", i, cipher);
}
if ((rc = SSL_set_fd(net->ssl, net->socket)) != 1)
SSLSocket_error("SSL_set_fd", net->ssl, net->socket, rc);
}
FUNC_EXIT_RC(rc);
return rc;
}
/* No SSL_writev() provided by OpenSSL. Boo. */
int SSLSocket_putdatas(SSL* ssl, int socket, char* buf0, int buf0len, int count, char** buffers, int* buflens)
{
int rc = 0;
int i;
char *ptr;
iobuf iovec;
int sslerror;
FUNC_ENTRY;
iovec.iov_len = buf0len;
for (i = 0; i < count; i++)
iovec.iov_len += buflens[i];
ptr = iovec.iov_base = (char *)malloc(iovec.iov_len);
memcpy(ptr, buf0, buf0len);
ptr += buf0len;
for (i = 0; i < count; i++)
{
memcpy(ptr, buffers[i], buflens[i]);
ptr += buflens[i];
}
SSL_lock_mutex(&sslCoreMutex);
if ((rc = SSL_write(ssl, iovec.iov_base, iovec.iov_len)) == iovec.iov_len)
rc = TCPSOCKET_COMPLETE;
else
{
sslerror = SSLSocket_error("SSL_write", ssl, socket, rc);
if (sslerror == SSL_ERROR_WANT_WRITE)
{
int* sockmem = (int*)malloc(sizeof(int));
Log(TRACE_MIN, -1, "Partial write: incomplete write of %d bytes on SSL socket %d",
iovec.iov_len, socket);
SocketBuffer_pendingWrite(socket, ssl, 1, &iovec, iovec.iov_len, 0);
*sockmem = socket;
ListAppend(s.write_pending, sockmem, sizeof(int));
FD_SET(socket, &(s.pending_wset));
rc = TCPSOCKET_INTERRUPTED;
iovec.iov_base = NULL; /* don't free it because it hasn't been completely written yet */
}
else
rc = SOCKET_ERROR;
}
SSL_unlock_mutex(&sslCoreMutex);
if (iovec.iov_base)
free(iovec.iov_base);
FUNC_EXIT_RC(rc);
return rc;
}
/**
* Attempts to read a number of bytes from a socket, non-blocking. If a previous read did not
* finish, then retrieve that data.
* @param socket the socket to read from
* @param bytes the number of bytes to read
* @param actual_len the actual number of bytes read
* @return completion code
*/
char *SSLSocket_getdata(SSL* ssl, int socket, int bytes, int* actual_len)
{
int rc;
char* buf;
FUNC_ENTRY;
if (bytes == 0)
{
buf = SocketBuffer_complete(socket);
goto exit;
}
buf = SocketBuffer_getQueuedData(socket, bytes, actual_len);
if ((rc = SSL_read(ssl, buf + (*actual_len), (size_t)(bytes - (*actual_len)))) < 0)
{
rc = SSLSocket_error("SSL_read - getdata", ssl, socket, rc);
if (rc != SSL_ERROR_WANT_READ && rc != SSL_ERROR_WANT_WRITE)
{
buf = NULL;
goto exit;
}
}
else if (rc == 0) /* rc 0 means the other end closed the socket */
{
buf = NULL;
goto exit;
}
else
*actual_len += rc;
if (*actual_len == bytes)
{
SocketBuffer_complete(socket);
/* if we read the whole packet, there might still be data waiting in the SSL buffer, which
isn't picked up by select. So here we should check for any data remaining in the SSL buffer, and
if so, add this socket to a new "pending SSL reads" list.
*/
if (SSL_pending(ssl) > 0) /* return no of bytes pending */
SSLSocket_addPendingRead(socket);
}
else /* we didn't read the whole packet */
{
SocketBuffer_interrupted(socket, *actual_len);
Log(TRACE_MAX, -1, "SSL_read: %d bytes expected but %d bytes now received", bytes, *actual_len);
}
exit:
FUNC_EXIT;
return buf;
}
int SSLSocket_connect(SSL* ssl, int sock)
{
int rc = 0;
FUNC_ENTRY;
rc = SSL_connect(ssl);
if (rc != 1)
{
int error;
error = SSLSocket_error("SSL_connect", ssl, sock, rc);
if (error == SSL_FATAL)
rc = error;
}
FUNC_EXIT_RC(rc);
return rc;
}
int SSLSocket_connect(SSL* ssl, int sock)
{
int rc = 0;
FUNC_ENTRY;
rc = SSL_connect(ssl);
if (rc != 1)
{
int error;
error = SSLSocket_error("SSL_connect", ssl, sock, rc);
if (error == SSL_FATAL)
rc = error;
if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE)
rc = TCPSOCKET_INTERRUPTED;
}
FUNC_EXIT_RC(rc);
return rc;
}
int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
{
int rc = 1;
char* ciphers = NULL;
FUNC_ENTRY;
if (net->ctx == NULL)
if ((net->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) /* SSLv23 for compatibility with SSLv2, SSLv3 and TLSv1 */
{
SSLSocket_error("SSL_CTX_new", NULL, net->socket, rc);
goto exit;
}
if (opts->keyStore)
{
if ((rc = SSL_CTX_use_certificate_chain_file(net->ctx, opts->keyStore)) != 1)
{
SSLSocket_error("SSL_CTX_use_certificate_chain_file", NULL, net->socket, rc);
goto free_ctx; /*If we can't load the certificate (chain) file then loading the privatekey won't work either as it needs a matching cert already loaded */
}
if (opts->privateKey == NULL)
opts->privateKey = opts->keyStore; /* the privateKey can be included in the keyStore */
if (opts->privateKeyPassword != NULL)
{
SSL_CTX_set_default_passwd_cb(net->ctx, pem_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(net->ctx, (void*)opts->privateKeyPassword);
}
/* support for ASN.1 == DER format? DER can contain only one certificate? */
if ((rc = SSL_CTX_use_PrivateKey_file(net->ctx, opts->privateKey, SSL_FILETYPE_PEM)) != 1)
{
SSLSocket_error("SSL_CTX_use_PrivateKey_file", NULL, net->socket, rc);
goto free_ctx;
}
}
if (opts->trustStore)
{
if ((rc = SSL_CTX_load_verify_locations(net->ctx, opts->trustStore, NULL)) != 1)
{
SSLSocket_error("SSL_CTX_load_verify_locations", NULL, net->socket, rc);
goto free_ctx;
}
}
else if ((rc = SSL_CTX_set_default_verify_paths(net->ctx)) != 1)
{
SSLSocket_error("SSL_CTX_set_default_verify_paths", NULL, net->socket, rc);
goto free_ctx;
}
if (opts->enabledCipherSuites == NULL)
ciphers = "DEFAULT";
else
ciphers = opts->enabledCipherSuites;
if ((rc = SSL_CTX_set_cipher_list(net->ctx, ciphers)) != 1)
{
SSLSocket_error("SSL_CTX_set_cipher_list", NULL, net->socket, rc);
goto free_ctx;
}
SSL_CTX_set_mode(net->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
goto exit;
free_ctx:
SSL_CTX_free(net->ctx);
net->ctx = NULL;
exit:
FUNC_EXIT_RC(rc);
return rc;
}
