/* Request an SSL over TCP/SCTP connection to another system (by IP address).
* The in_addr is normal network byte order, but the port number should be given
* in HOST BYTE ORDER. This function will call back only after it has made the
* connection AND done the initial SSL negotiation. From that point on, you use
* the normal read/write calls and decryption will happen transparently. ss
* should be a sockaddr_storage, sockaddr_in6, or sockaddr_in as appropriate
* (just like what you would pass to connect). sslen should be the sizeof the
* structure you are passing in. */
nsock_event_id nsock_connect_ssl(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler, int timeout_msecs,
void *userdata, struct sockaddr *saddr, size_t sslen, int proto, unsigned short port, nsock_ssl_session ssl_session) {
#ifndef HAVE_OPENSSL
fatal("nsock_connect_ssl called - but nsock was built w/o SSL support. QUITTING");
return (nsock_event_id)0; /* UNREACHED */
#else
struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr;
msiod *nsi = (msiod *)nsiod;
mspool *ms = (mspool *)nsp;
msevent *nse;
if (!ms->sslctx)
nsp_ssl_init(ms);
assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN);
nse = msevent_new(ms, NSE_TYPE_CONNECT_SSL, nsi, timeout_msecs, handler, userdata);
assert(nse);
/* Set our SSL_SESSION so we can benefit from session-id reuse. */
nsi_set_ssl_session(nsi, (SSL_SESSION *)ssl_session);
nsock_log_info(ms, "SSL connection requested to %s:%hu/%s (IOD #%li) EID %li",
inet_ntop_ez(ss, sslen), port, (proto == IPPROTO_TCP ? "tcp" : "sctp"),
nsi->id, nse->id);
/* Do the actual connect() */
nsock_connect_internal(ms, nse, SOCK_STREAM, proto, ss, sslen, port);
nsp_add_event(ms, nse);
return nse->id;
#endif /* HAVE_OPENSSL */
}
/* Request a UNIX domain sockets connection to the same system (by path to socket).
* This function connects to the socket of type SOCK_DGRAM. ss should be a
* sockaddr_storage, sockaddr_un as appropriate (just like what you would pass to
* connect). sslen should be the sizeof the structure you are passing in. */
nsock_event_id nsock_connect_unixsock_datagram(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler,
void *userdata, struct sockaddr *saddr, size_t sslen) {
struct niod *nsi = (struct niod *)nsiod;
struct npool *ms = (struct npool *)nsp;
struct nevent *nse;
struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr;
assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN);
nse = event_new(ms, NSE_TYPE_CONNECT, nsi, -1, handler, userdata);
assert(nse);
nsock_log_info("UNIX domain socket (DGRAM) connection requested to %s (IOD #%li) EID %li",
get_unixsock_path(ss), nsi->id, nse->id);
nsock_connect_internal(ms, nse, SOCK_DGRAM, 0, ss, sslen, 0);
nsock_pool_add_event(ms, nse);
return nse->id;
}
/* Request a UDP "connection" to another system (by IP address). The in_addr is
* normal network byte order, but the port number should be given in HOST BYTE
* ORDER. Since this is UDP, no packets are actually sent. The destination IP
* and port are just associated with the nsiod (an actual OS connect() call is
* made). You can then use the normal nsock write calls on the socket. There
* is no timeout since this call always calls your callback at the next
* opportunity. The advantages to having a connected UDP socket (as opposed to
* just specifying an address with sendto() are that we can now use a consistent
* set of write/read calls for TCP/UDP, received packets from the non-partner
* are automatically dropped by the OS, and the OS can provide asynchronous
* errors (see Unix Network Programming pp224). ss should be a
* sockaddr_storage, sockaddr_in6, or sockaddr_in as appropriate (just like what
* you would pass to connect). sslen should be the sizeof the structure you are
* passing in. */
nsock_event_id nsock_connect_udp(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler, void *userdata,
struct sockaddr *saddr, size_t sslen, unsigned short port) {
struct niod *nsi = (struct niod *)nsiod;
struct npool *ms = (struct npool *)nsp;
struct nevent *nse;
struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr;
assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN);
nse = event_new(ms, NSE_TYPE_CONNECT, nsi, -1, handler, userdata);
assert(nse);
nsock_log_info("UDP connection requested to %s:%hu (IOD #%li) EID %li",
inet_ntop_ez(ss, sslen), port, nsi->id, nse->id);
nsock_connect_internal(ms, nse, SOCK_DGRAM, IPPROTO_UDP, ss, sslen, port);
nsock_pool_add_event(ms, nse);
return nse->id;
}
/* Request a TCP connection to another system (by IP address). The in_addr is
* normal network byte order, but the port number should be given in HOST BYTE
* ORDER. ss should be a sockaddr_storage, sockaddr_in6, or sockaddr_in as
* appropriate (just like what you would pass to connect). sslen should be the
* sizeof the structure you are passing in. */
nsock_event_id nsock_connect_tcp(nsock_pool nsp, nsock_iod ms_iod, nsock_ev_handler handler, int timeout_msecs,
void *userdata, struct sockaddr *saddr, size_t sslen, unsigned short port) {
msiod *nsi = (msiod *)ms_iod;
mspool *ms = (mspool *)nsp;
msevent *nse;
struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr;
assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN);
nse = msevent_new(ms, NSE_TYPE_CONNECT, nsi, timeout_msecs, handler, userdata);
assert(nse);
nsock_log_info(ms, "TCP connection requested to %s:%hu (IOD #%li) EID %li",
inet_ntop_ez(ss, sslen), port, nsi->id, nse->id);
/* Do the actual connect() */
nsock_connect_internal(ms, nse, SOCK_STREAM, IPPROTO_TCP, ss, sslen, port);
nsp_add_event(ms, nse);
return nse->id;
}
/* handle_connect_results assumes that select or poll have already shown the
* descriptor to be active */
void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status status) {
int optval;
socklen_t optlen = sizeof(int);
struct niod *iod = nse->iod;
#if HAVE_OPENSSL
int sslerr;
int rc = 0;
int sslconnect_inprogress = nse->type == NSE_TYPE_CONNECT_SSL && nse->iod &&
(nse->sslinfo.ssl_desire == SSL_ERROR_WANT_READ ||
nse->sslinfo.ssl_desire == SSL_ERROR_WANT_WRITE);
#else
int sslconnect_inprogress = 0;
#endif
if (status == NSE_STATUS_TIMEOUT || status == NSE_STATUS_CANCELLED) {
nse->status = status;
nse->event_done = 1;
} else if (sslconnect_inprogress) {
/* Do nothing */
} else if (status == NSE_STATUS_SUCCESS) {
/* First we want to determine whether the socket really is connected */
if (getsockopt(iod->sd, SOL_SOCKET, SO_ERROR, (char *)&optval, &optlen) != 0)
optval = socket_errno(); /* Stupid Solaris */
switch (optval) {
case 0:
nse->status = NSE_STATUS_SUCCESS;
break;
/* EACCES can be caused by ICMPv6 dest-unreach-admin, or when a port is
blocked by Windows Firewall (WSAEACCES). */
case EACCES:
case ECONNREFUSED:
case EHOSTUNREACH:
case ENETDOWN:
case ENETUNREACH:
case ENETRESET:
case ECONNABORTED:
case ETIMEDOUT:
case EHOSTDOWN:
case ECONNRESET:
#ifdef WIN32
case WSAEADDRINUSE:
case WSAEADDRNOTAVAIL:
#endif
#ifndef WIN32
case EPIPE: /* Has been seen after connect on Linux. */
case ENOPROTOOPT: /* Also seen on Linux, perhaps in response to protocol unreachable. */
#endif
nse->status = NSE_STATUS_ERROR;
nse->errnum = optval;
break;
default:
/* I'd like for someone to report it */
fatal("Strange connect error from %s (%d): %s",
inet_ntop_ez(&iod->peer, iod->peerlen), optval,
socket_strerror(optval));
}
/* Now special code for the SSL case where the TCP connection was successful. */
if (nse->type == NSE_TYPE_CONNECT_SSL &&
nse->status == NSE_STATUS_SUCCESS) {
#if HAVE_OPENSSL
assert(ms->sslctx != NULL);
/* Reuse iod->ssl if present. If set, this is the second try at connection
without the SSL_OP_NO_SSLv2 option set. */
if (iod->ssl == NULL) {
iod->ssl = SSL_new(ms->sslctx);
if (!iod->ssl)
fatal("SSL_new failed: %s", ERR_error_string(ERR_get_error(), NULL));
}
#if HAVE_SSL_SET_TLSEXT_HOST_NAME
if (iod->hostname != NULL) {
if (SSL_set_tlsext_host_name(iod->ssl, iod->hostname) != 1)
fatal("SSL_set_tlsext_host_name failed: %s", ERR_error_string(ERR_get_error(), NULL));
}
#endif
/* Associate our new SSL with the connected socket. It will inherit the
* non-blocking nature of the sd */
if (SSL_set_fd(iod->ssl, iod->sd) != 1)
fatal("SSL_set_fd failed: %s", ERR_error_string(ERR_get_error(), NULL));
/* Event not done -- need to do SSL connect below */
nse->sslinfo.ssl_desire = SSL_ERROR_WANT_CONNECT;
#endif
} else {
/* This is not an SSL connect (in which case we are always done), or the
* TCP connect() underlying the SSL failed (in which case we are also done */
nse->event_done = 1;
}
} else {
fatal("Unknown status (%d)", status);
}
/* At this point the TCP connection is done, whether successful or not.
* Therefore decrease the read/write listen counts that were incremented in
* nsock_pool_add_event. In the SSL case, we may increase one of the counts depending
* on whether SSL_connect returns an error of SSL_ERROR_WANT_READ or
* SSL_ERROR_WANT_WRITE. In that case we will re-enter this function, but we
* don't want to execute this block again. */
if (iod->sd != -1 && !sslconnect_inprogress) {
int ev = EV_NONE;
ev |= socket_count_read_dec(iod);
ev |= socket_count_write_dec(iod);
ev |= EV_EXCEPT;
update_events(iod, ms, EV_NONE, ev);
}
#if HAVE_OPENSSL
if (nse->type == NSE_TYPE_CONNECT_SSL && !nse->event_done) {
/* Lets now start/continue/finish the connect! */
if (iod->ssl_session) {
rc = SSL_set_session(iod->ssl, iod->ssl_session);
if (rc == 0)
nsock_log_error("Uh-oh: SSL_set_session() failed - please tell [email protected]");
iod->ssl_session = NULL; /* No need for this any more */
}
/* If this is a reinvocation of handle_connect_result, clear out the listen
* bits that caused it, based on the previous SSL desire. */
if (sslconnect_inprogress) {
int ev;
ev = socket_count_dec_ssl_desire(nse);
update_events(iod, ms, EV_NONE, ev);
}
rc = SSL_connect(iod->ssl);
if (rc == 1) {
/* Woop! Connect is done! */
nse->event_done = 1;
/* Check that certificate verification was okay, if requested. */
if (nsi_ssl_post_connect_verify(iod)) {
nse->status = NSE_STATUS_SUCCESS;
} else {
nsock_log_error("certificate verification error for EID %li: %s",
nse->id, ERR_error_string(ERR_get_error(), NULL));
nse->status = NSE_STATUS_ERROR;
}
} else {
long options = SSL_get_options(iod->ssl);
sslerr = SSL_get_error(iod->ssl, rc);
if (rc == -1 && sslerr == SSL_ERROR_WANT_READ) {
nse->sslinfo.ssl_desire = sslerr;
socket_count_read_inc(iod);
update_events(iod, ms, EV_READ, EV_NONE);
} else if (rc == -1 && sslerr == SSL_ERROR_WANT_WRITE) {
nse->sslinfo.ssl_desire = sslerr;
socket_count_write_inc(iod);
update_events(iod, ms, EV_WRITE, EV_NONE);
} else if (!(options & SSL_OP_NO_SSLv2)) {
int saved_ev;
/* SSLv3-only and TLSv1-only servers can't be connected to when the
* SSL_OP_NO_SSLv2 option is not set, which is the case when the pool
* was initialized with nsock_pool_ssl_init_max_speed. Try reconnecting
* with SSL_OP_NO_SSLv2. Never downgrade a NO_SSLv2 connection to one
* that might use SSLv2. */
nsock_log_info("EID %li reconnecting with SSL_OP_NO_SSLv2", nse->id);
saved_ev = iod->watched_events;
nsock_engine_iod_unregister(ms, iod);
close(iod->sd);
nsock_connect_internal(ms, nse, SOCK_STREAM, iod->lastproto, &iod->peer,
iod->peerlen, nsock_iod_get_peerport(iod));
nsock_engine_iod_register(ms, iod, saved_ev);
SSL_clear(iod->ssl);
if(!SSL_clear(iod->ssl))
fatal("SSL_clear failed: %s", ERR_error_string(ERR_get_error(), NULL));
SSL_set_options(iod->ssl, options | SSL_OP_NO_SSLv2);
socket_count_read_inc(nse->iod);
socket_count_write_inc(nse->iod);
update_events(iod, ms, EV_READ|EV_WRITE, EV_NONE);
nse->sslinfo.ssl_desire = SSL_ERROR_WANT_CONNECT;
} else {
nsock_log_info("EID %li %s",
nse->id, ERR_error_string(ERR_get_error(), NULL));
nse->event_done = 1;
nse->status = NSE_STATUS_ERROR;
nse->errnum = EIO;
}
}
}
#endif
}
