/**
* @brief Configure cipher list
* @param d domain
* @return 0 on success, -1 on error
*/
static int set_cipher_list(tls_domain_t* d)
{
int i;
int procs_no;
char* cipher_list;
cipher_list=d->cipher_list.s;
#ifdef TLS_KSSL_WORKARROUND
if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
if (d->cipher_list.s==0) {
/* use "DEFAULT:!KRB5" */
cipher_list="DEFAULT:!KRB5";
} else {
/* append ":!KRB5" */
cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
if (cipher_list) {
memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len);
memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX,
C_NO_KRB5_SUFFIX_LEN);
cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
shm_free(d->cipher_list.s);
d->cipher_list.s=cipher_list;
d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
}
}
}
#endif /* TLS_KSSL_WORKARROUND */
if (!cipher_list) return 0;
procs_no=get_max_procs();
for(i = 0; i < procs_no; i++) {
if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
ERR("%s: Failure to set SSL context cipher list \"%s\"\n",
tls_domain_str(d), cipher_list);
return -1;
}
#ifndef OPENSSL_NO_ECDH
setup_ecdh(d->ctx[i]);
#endif
#ifndef OPENSSL_NO_DH
setup_dh(d->ctx[i]);
#endif
}
return 0;
}
static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
unsigned int command,
char *buf, ErlDrvSizeT len,
char **rbuf, ErlDrvSizeT rlen)
{
tls_data *d = (tls_data *)handle;
int res;
int size;
ErlDrvBinary *b;
X509 *cert;
unsigned int flags = command;
command &= 0xffff;
ERR_clear_error();
switch (command)
{
case SET_CERTIFICATE_FILE_ACCEPT:
case SET_CERTIFICATE_FILE_CONNECT: {
time_t mtime = 0;
char *protocol_options = (buf + strlen(buf) + 1) + strlen(buf + strlen(buf) + 1) + 1;
long options = 0L;
if (strlen(protocol_options) != 0) {
char *po = strdup(protocol_options), delim[] = "|";
char *popts = po;
char *strtok_buf;
while ((po = strtok_r(po, delim, &strtok_buf)) != NULL) {
set_option_flag(po, &options);
po = NULL;
}
free(popts);
}
SSL_CTX *ssl_ctx = hash_table_lookup(buf, &mtime);
if (is_key_file_modified(buf, &mtime) || ssl_ctx == NULL)
{
SSL_CTX *ctx;
char *ciphers;
hash_table_insert(buf, mtime, NULL);
ctx = SSL_CTX_new(SSLv23_method());
die_unless(ctx, "SSL_CTX_new failed");
res = SSL_CTX_use_certificate_chain_file(ctx, buf);
die_unless(res > 0, "SSL_CTX_use_certificate_file failed");
res = SSL_CTX_use_PrivateKey_file(ctx, buf, SSL_FILETYPE_PEM);
die_unless(res > 0, "SSL_CTX_use_PrivateKey_file failed");
res = SSL_CTX_check_private_key(ctx);
die_unless(res > 0, "SSL_CTX_check_private_key failed");
ciphers = buf + strlen(buf) + 1;
if (strlen(ciphers) == 0)
ciphers = CIPHERS;
SSL_CTX_set_cipher_list(ctx, ciphers);
#ifndef OPENSSL_NO_ECDH
if (command == SET_CERTIFICATE_FILE_ACCEPT) {
setup_ecdh(ctx);
}
#endif
#ifndef OPENSSL_NO_DH
if (command == SET_CERTIFICATE_FILE_ACCEPT) {
setup_dh(ctx);
}
#endif
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_default_verify_paths(ctx);
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
/* SSL_CTX_load_verify_locations(ctx, "/etc/ejabberd/ca_certificates.pem", NULL); */
/* SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ejabberd/ca_certs/"); */
/* This IF is commented to allow verification in all cases: */
/* if (command == SET_CERTIFICATE_FILE_ACCEPT) */
/* { */
SSL_CTX_set_verify(ctx,
SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
verify_callback);
/* } */
SSL_CTX_set_info_callback(ctx, &ssl_info_callback);
ssl_ctx = ctx;
hash_table_insert(buf, mtime, ssl_ctx);
}
d->ssl = SSL_new(ssl_ctx);
die_unless(d->ssl, "SSL_new failed");
if (flags & VERIFY_NONE)
SSL_set_verify(d->ssl, SSL_VERIFY_NONE, verify_callback);
#ifdef SSL_OP_NO_COMPRESSION
if (flags & COMPRESSION_NONE)
SSL_set_options(d->ssl, SSL_OP_NO_COMPRESSION);
#endif
SSL_set_ex_data(d->ssl, ssl_index, d);
d->bio_read = BIO_new(BIO_s_mem());
d->bio_write = BIO_new(BIO_s_mem());
SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
if (command == SET_CERTIFICATE_FILE_ACCEPT) {
options |= (SSL_OP_NO_TICKET|SSL_OP_ALL|SSL_OP_NO_SSLv2);
SSL_set_options(d->ssl, options);
SSL_set_accept_state(d->ssl);
} else {
options |= (SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2);
SSL_set_options(d->ssl, options);
SSL_set_connect_state(d->ssl);
}
break;
}
case SET_ENCRYPTED_INPUT:
die_unless(d->ssl, "SSL not initialized");
BIO_write(d->bio_read, buf, len);
break;
case SET_DECRYPTED_OUTPUT:
die_unless(d->ssl, "SSL not initialized");
res = SSL_write(d->ssl, buf, len);
if (res <= 0)
{
res = SSL_get_error(d->ssl, res);
if (res == SSL_ERROR_WANT_READ || res == SSL_ERROR_WANT_WRITE)
{
b = driver_alloc_binary(1);
b->orig_bytes[0] = 2;
*rbuf = (char *)b;
return 1;
} else {
die_unless(0, "SSL_write failed");
}
}
break;
case GET_ENCRYPTED_OUTPUT:
die_unless(d->ssl, "SSL not initialized");
size = BIO_ctrl_pending(d->bio_write) + 1;
b = driver_alloc_binary(size);
b->orig_bytes[0] = 0;
BIO_read(d->bio_write, b->orig_bytes + 1, size - 1);
*rbuf = (char *)b;
return size;
case GET_DECRYPTED_INPUT:
if (!SSL_is_init_finished(d->ssl))
{
res = SSL_do_handshake(d->ssl);
if (res <= 0)
die_unless(SSL_get_error(d->ssl, res) == SSL_ERROR_WANT_READ,
"SSL_do_handshake failed");
}
if (SSL_is_init_finished(d->ssl)) {
size_t req_size = 0;
if (len == 4)
{
unsigned char *b = (unsigned char *)buf;
req_size =
(b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
}
size = BUF_SIZE + 1;
rlen = 1;
b = driver_alloc_binary(size);
b->orig_bytes[0] = 0;
res = 0;
while ((req_size == 0 || rlen < req_size + 1) &&
(res = SSL_read(d->ssl,
b->orig_bytes + rlen,
(req_size == 0 || req_size + 1 >= size) ?
size - rlen : req_size + 1 - rlen)) > 0)
{
//printf("%d bytes of decrypted data read from state machine\r\n",res);
rlen += res;
if (size - rlen < BUF_SIZE) {
size *= 2;
b = driver_realloc_binary(b, size);
}
}
if (d->handshakes > 1) {
char *error = "client renegotiations forbidden";
int error_len = strlen(error);
rlen = error_len + 1;
b = driver_alloc_binary(rlen);
b->orig_bytes[0] = 1;
strncpy(b->orig_bytes + 1, error, error_len);
*rbuf = (char *)b;
return rlen;
}
if (res < 0)
{
int err = SSL_get_error(d->ssl, res);
if (err == SSL_ERROR_WANT_READ)
{
//printf("SSL_read wants more data\r\n");
//return 0;
}
// TODO
}
b = driver_realloc_binary(b, rlen);
*rbuf = (char *)b;
return rlen;
}
break;
case GET_PEER_CERTIFICATE:
cert = SSL_get_peer_certificate(d->ssl);
if (cert == NULL)
{
b = driver_alloc_binary(1);
b->orig_bytes[0] = 1;
*rbuf = (char *)b;
return 1;
} else {
unsigned char *tmp_buf;
rlen = i2d_X509(cert, NULL);
if (rlen >= 0)
{
rlen++;
b = driver_alloc_binary(rlen);
b->orig_bytes[0] = 0;
tmp_buf = (unsigned char *)&b->orig_bytes[1];
i2d_X509(cert, &tmp_buf);
X509_free(cert);
*rbuf = (char *)b;
return rlen;
} else
X509_free(cert);
}
break;
case GET_VERIFY_RESULT:
b = driver_alloc_binary(1);
b->orig_bytes[0] = SSL_get_verify_result(d->ssl);
*rbuf = (char *)b;
return 1;
break;
}
b = driver_alloc_binary(1);
b->orig_bytes[0] = 0;
*rbuf = (char *)b;
return 1;
}
