/* Returns the SSL_SESSION of an nsock_iod, and increments it's usage count */
nsock_ssl_session nsi_get1_ssl_session(nsock_iod nsockiod) {
#if HAVE_OPENSSL
return SSL_get1_session(((msiod *)nsockiod)->ssl);
#else
return NULL;
#endif
}
/* Returns the SSL_SESSION of an nsock_iod.
* Increments its usage count if inc_ref is not zero. */
nsock_ssl_session nsock_iod_get_ssl_session(nsock_iod iod, int inc_ref) {
#if HAVE_OPENSSL
if (inc_ref)
return SSL_get1_session(((struct niod *)iod)->ssl);
else
return SSL_get0_session(((struct niod *)iod)->ssl);
#else
return NULL;
#endif
}
/*
* Extract the session id and store it in the session cache.
*/
static int Store_SSL_Session(struct connectdata *conn)
{
SSL_SESSION *ssl_sessionid;
int i;
struct SessionHandle *data=conn->data; /* the mother of all structs */
struct curl_ssl_session *store = &data->state.session[0];
int oldest_age=data->state.session[0].age; /* zero if unused */
/* ask OpenSSL, say please */
#ifdef HAVE_SSL_GET1_SESSION
ssl_sessionid = SSL_get1_session(conn->ssl.handle);
/* SSL_get1_session() will increment the reference
count and the session will stay in memory until explicitly freed with
SSL_SESSION_free(3), regardless of its state.
This function was introduced in openssl 0.9.5a. */
#else
ssl_sessionid = SSL_get_session(conn->ssl.handle);
/* if SSL_get1_session() is unavailable, use SSL_get_session().
This is an inferior option because the session can be flushed
at any time by openssl. It is included only so curl compiles
under versions of openssl < 0.9.5a.
WARNING: How curl behaves if it's session is flushed is
untested.
*/
#endif
/* Now we should add the session ID and the host name to the cache, (remove
the oldest if necessary) */
/* find an empty slot for us, or find the oldest */
for(i=1; (i<data->set.ssl.numsessions) &&
data->state.session[i].sessionid; i++) {
if(data->state.session[i].age < oldest_age) {
oldest_age = data->state.session[i].age;
store = &data->state.session[i];
}
}
if(i == data->set.ssl.numsessions)
/* cache is full, we must "kill" the oldest entry! */
Kill_Single_Session(store);
else
store = &data->state.session[i]; /* use this slot */
/* now init the session struct wisely */
store->sessionid = ssl_sessionid;
store->age = data->state.sessionage; /* set current age */
store->name = strdup(conn->name); /* clone host name */
store->remote_port = conn->remote_port; /* port number */
return 0;
}
SSLSession::Ptr SSLSocket::currentSession()
{
if (_sslAdapter._ssl) {
SSL_SESSION* session = SSL_get1_session(_sslAdapter._ssl);
if (session) {
if (_session && session == _session->sslSession()) {
SSL_SESSION_free(session);
return _session;
}
else return std::make_shared<SSLSession>(session); // new SSLSession(session);
}
}
return 0;
}
Session::Ptr SecureSocketImpl::currentSession()
{
if (_pSSL)
{
SSL_SESSION* pSession = SSL_get1_session(_pSSL);
if (pSession)
{
if (_pSession && pSession == _pSession->sslSession())
{
SSL_SESSION_free(pSession);
return _pSession;
}
else return new Session(pSession);
}
}
return 0;
}
static void on_handshake_complete(h2o_socket_t *sock, const char *err)
{
if (err == NULL) {
const SSL_CIPHER *cipher = SSL_get_current_cipher(sock->ssl->ssl);
switch (SSL_CIPHER_get_id(cipher)) {
case TLS1_CK_RSA_WITH_AES_128_GCM_SHA256:
case TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256:
case TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
case TLS1_CK_RSA_WITH_AES_256_GCM_SHA384:
case TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384:
case TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
sock->ssl->record_overhead = 5 /* header */ + 8 /* record_iv_length (RFC 5288 3) */ + 16 /* tag (RFC 5116 5.1) */;
break;
#if defined(TLS1_CK_DHE_RSA_CHACHA20_POLY1305)
case TLS1_CK_DHE_RSA_CHACHA20_POLY1305:
case TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305:
case TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305:
sock->ssl->record_overhead = 5 /* header */ + 16 /* tag */;
break;
#endif
default:
sock->ssl->record_overhead = 32; /* sufficiently large number that can hold most payloads */
break;
}
}
/* set ssl session into the cache */
if (sock->ssl->handshake.client.session_cache != NULL) {
if (err == NULL || err == h2o_socket_error_ssl_cert_name_mismatch) {
SSL_SESSION *session = SSL_get1_session(sock->ssl->ssl);
h2o_cache_set(sock->ssl->handshake.client.session_cache, h2o_now(h2o_socket_get_loop(sock)),
sock->ssl->handshake.client.session_cache_key, sock->ssl->handshake.client.session_cache_key_hash,
h2o_iovec_init(session, 1));
}
}
h2o_socket_cb handshake_cb = sock->ssl->handshake.cb;
sock->_cb.write = NULL;
sock->ssl->handshake.cb = NULL;
decode_ssl_input(sock);
handshake_cb(sock, err);
}
static int openssl_ssl_session(lua_State*L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
SSL_SESSION*ss;
if (lua_isnoneornil(L, 2))
{
ss = SSL_get1_session(s);
PUSH_OBJECT(ss, "openssl.ssl_session");
}
else
{
if (lua_isstring(L, 3))
{
size_t sz;
const char* sid_ctx = luaL_checklstring(L, 2, &sz);
int ret = SSL_set_session_id_context(s, (unsigned char*)sid_ctx, sz);
lua_pushboolean(L, ret);
}
else
{
ss = CHECK_OBJECT(2, SSL_SESSION, "openssl.ssl_session");
if (lua_isnoneornil(L, 3))
{
int ret = SSL_set_session(s, ss);
lua_pushboolean(L, ret);
}
else
{
#ifdef SSL_add_session
int add = auxiliar_checkboolean(L, 3);
if (add)
add = SSL_add_session(s, ss);
else
add = SSL_remove_session(s, ss);
lua_pushboolean(L, add);
#endif
}
}
}
return 1;
}
/*
* call-seq:
* Session.new(SSLSocket | string) => session
*
* === Parameters
* +SSLSocket+ is an OpenSSL::SSL::SSLSocket
* +string+ must be a DER or PEM encoded Session.
*/
static VALUE ossl_ssl_session_initialize(VALUE self, VALUE arg1)
{
SSL_SESSION *ctx = NULL;
VALUE obj;
unsigned char *p;
if (RDATA(self)->data)
ossl_raise(eSSLSession, "SSL Session already initialized");
if (rb_obj_is_instance_of(arg1, cSSLSocket)) {
SSL *ssl;
Data_Get_Struct(arg1, SSL, ssl);
if ((ctx = SSL_get1_session(ssl)) == NULL)
ossl_raise(eSSLSession, "no session available");
} else {
BIO *in = ossl_obj2bio(arg1);
ctx = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
if (!ctx) {
BIO_reset(in);
ctx = d2i_SSL_SESSION_bio(in, NULL);
}
BIO_free(in);
if (!ctx)
ossl_raise(rb_eArgError, "unknown type");
}
/* should not happen */
if (ctx == NULL)
ossl_raise(eSSLSession, "ctx not set - internal error");
RDATA(self)->data = ctx;
return self;
}
static int start_ssl_shutdown( pn_ssl_t *ssl )
{
if (!ssl->ssl_shutdown) {
_log(ssl, "Shutting down SSL connection...\n");
if (ssl->session_id) {
// save the negotiated credentials before we close the connection
pn_ssl_session_t *ssn = (pn_ssl_session_t *)calloc( 1, sizeof(pn_ssl_session_t));
if (ssn) {
ssn->id = pn_strdup( ssl->session_id );
ssn->session = SSL_get1_session( ssl->ssl );
if (ssn->session) {
_log( ssl, "Saving SSL session as %s\n", ssl->session_id );
LL_ADD( ssl->domain, ssn_cache, ssn );
} else {
ssl_session_free( ssn );
}
}
}
ssl->ssl_shutdown = true;
BIO_ssl_shutdown( ssl->bio_ssl );
}
return 0;
}
enum pbpal_resolv_n_connect_result pbpal_resolv_and_connect(pubnub_t *pb)
{
SSL *ssl = NULL;
int rslt;
char const* origin = PUBNUB_ORIGIN_SETTABLE ? pb->origin : PUBNUB_ORIGIN;
PUBNUB_ASSERT(pb_valid_ctx_ptr(pb));
PUBNUB_ASSERT_OPT((pb->state == PBS_READY) || (pb->state == PBS_WAIT_CONNECT));
if (!pb->options.useSSL) {
return resolv_and_connect_wout_SSL(pb);
}
if (NULL == pb->pal.ctx) {
PUBNUB_LOG_TRACE("pb=%p: Don't have SSL_CTX\n", pb);
pb->pal.ctx = SSL_CTX_new(SSLv23_client_method());
if (NULL == pb->pal.ctx) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("pb=%p SSL_CTX_new failed\n", pb);
return pbpal_resolv_resource_failure;
}
PUBNUB_LOG_TRACE("pb=%p: Got SSL_CTX\n", pb);
add_pubnub_cert(pb->pal.ctx);
}
if (NULL == pb->pal.socket) {
PUBNUB_LOG_TRACE("pb=%p: Don't have BIO\n", pb);
pb->pal.socket = BIO_new_ssl_connect(pb->pal.ctx);
if (PUBNUB_TIMERS_API) {
pb->pal.connect_timeout = time(NULL) + pb->transaction_timeout_ms/1000;
}
}
else {
BIO_get_ssl(pb->pal.socket, &ssl);
if (NULL == ssl) {
return resolv_and_connect_wout_SSL(pb);
}
ssl = NULL;
}
if (NULL == pb->pal.socket) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
return pbpal_resolv_resource_failure;
}
PUBNUB_LOG_TRACE("pb=%p: Using BIO == %p\n", pb, pb->pal.socket);
BIO_get_ssl(pb->pal.socket, &ssl);
PUBNUB_ASSERT(NULL != ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* maybe not auto_retry? */
if (pb->pal.session != NULL) {
SSL_set_session(ssl, pb->pal.session);
}
BIO_set_conn_hostname(pb->pal.socket, origin);
BIO_set_conn_port(pb->pal.socket, "https");
if (pb->pal.ip_timeout != 0) {
if (pb->pal.ip_timeout < time(NULL)) {
pb->pal.ip_timeout = 0;
}
else {
PUBNUB_LOG_TRACE("SSL re-connect to: %d.%d.%d.%d\n", pb->pal.ip[0], pb->pal.ip[1], pb->pal.ip[2], pb->pal.ip[3]);
BIO_set_conn_ip(pb->pal.socket, pb->pal.ip);
}
}
BIO_set_nbio(pb->pal.socket, !pb->options.use_blocking_io);
WATCH_ENUM(pb->options.use_blocking_io);
if (BIO_do_connect(pb->pal.socket) <= 0) {
if (BIO_should_retry(pb->pal.socket) && PUBNUB_TIMERS_API && (pb->pal.connect_timeout > time(NULL))) {
PUBNUB_LOG_TRACE("pb=%p: BIO_should_retry\n", pb);
return pbpal_connect_wouldblock;
}
/* Expire the IP for the next connect */
pb->pal.ip_timeout = 0;
ERR_print_errors_cb(print_to_pubnub_log, NULL);
if (pb->pal.session != NULL) {
SSL_SESSION_free(pb->pal.session);
pb->pal.session = NULL;
}
PUBNUB_LOG_ERROR("pb=%p: BIO_do_connect failed\n", pb);
return pbpal_connect_failed;
}
PUBNUB_LOG_TRACE("pb=%p: BIO connected\n", pb);
{
int fd = BIO_get_fd(pb->pal.socket, NULL);
socket_set_rcv_timeout(fd, pb->transaction_timeout_ms);
}
rslt = SSL_get_verify_result(ssl);
if (rslt != X509_V_OK) {
PUBNUB_LOG_WARNING("pb=%p: SSL_get_verify_result() failed == %d(%s)\n", pb, rslt, X509_verify_cert_error_string(rslt));
ERR_print_errors_cb(print_to_pubnub_log, NULL);
if (pb->options.fallbackSSL) {
BIO_free_all(pb->pal.socket);
pb->pal.socket = NULL;
return resolv_and_connect_wout_SSL(pb);
}
return pbpal_connect_failed;
}
PUBNUB_LOG_INFO("pb=%p: SSL session reused: %s\n", pb, SSL_session_reused(ssl) ? "yes" : "no");
if (pb->pal.session != NULL) {
SSL_SESSION_free(pb->pal.session);
}
pb->pal.session = SSL_get1_session(ssl);
if (0 == pb->pal.ip_timeout) {
pb->pal.ip_timeout = SSL_SESSION_get_time(pb->pal.session) + SSL_SESSION_get_timeout(pb->pal.session);
memcpy(pb->pal.ip, BIO_get_conn_ip(pb->pal.socket), 4);
}
PUBNUB_LOG_TRACE("pb=%p: SSL connected to IP: %d.%d.%d.%d\n", pb, pb->pal.ip[0], pb->pal.ip[1], pb->pal.ip[2], pb->pal.ip[3]);
return pbpal_connect_success;
}
static void init_local(CLI *c) {
SOCKADDR_UNION addr;
socklen_t addrlen;
addrlen=sizeof addr;
if(getpeername(c->local_rfd.fd, &addr.sa, &addrlen)<0) {
strcpy(c->accepted_address, "NOT A SOCKET");
c->local_rfd.is_socket=0;
c->local_wfd.is_socket=0; /* TODO: It's not always true */
#ifdef USE_WIN32
if(get_last_socket_error()!=ENOTSOCK) {
#else
if(c->opt->option.transparent_src || get_last_socket_error()!=ENOTSOCK) {
#endif
sockerror("getpeerbyname");
longjmp(c->err, 1);
}
/* ignore ENOTSOCK error so 'local' doesn't have to be a socket */
} else { /* success */
/* copy addr to c->peer_addr */
memcpy(&c->peer_addr.addr[0], &addr, sizeof addr);
c->peer_addr.num=1;
s_ntop(c->accepted_address, &c->peer_addr.addr[0]);
c->local_rfd.is_socket=1;
c->local_wfd.is_socket=1; /* TODO: It's not always true */
/* it's a socket: lets setup options */
if(set_socket_options(c->local_rfd.fd, 1)<0)
longjmp(c->err, 1);
#ifdef USE_LIBWRAP
libwrap_auth(c);
#endif /* USE_LIBWRAP */
auth_user(c);
s_log(LOG_NOTICE, "Service %s accepted connection from %s",
c->opt->servname, c->accepted_address);
}
}
static void init_remote(CLI *c) {
/* create connection to host/service */
if(c->opt->source_addr.num)
memcpy(&c->bind_addr, &c->opt->source_addr, sizeof(SOCKADDR_LIST));
#ifndef USE_WIN32
else if(c->opt->option.transparent_src)
memcpy(&c->bind_addr, &c->peer_addr, sizeof(SOCKADDR_LIST));
#endif
else {
c->bind_addr.num=0; /* don't bind connecting socket */
}
/* setup c->remote_fd, now */
if(c->opt->option.remote)
c->remote_fd.fd=connect_remote(c);
#ifdef SO_ORIGINAL_DST
else if(c->opt->option.transparent_dst)
c->remote_fd.fd=connect_transparent(c);
#endif /* SO_ORIGINAL_DST */
else /* NOT in remote mode */
c->remote_fd.fd=connect_local(c);
c->remote_fd.is_socket=1; /* always! */
s_log(LOG_DEBUG, "Remote FD=%d initialized", c->remote_fd.fd);
if(set_socket_options(c->remote_fd.fd, 2)<0)
longjmp(c->err, 1);
}
static void init_ssl(CLI *c) {
int i, err;
SSL_SESSION *old_session;
if(!(c->ssl=SSL_new(c->opt->ctx))) {
sslerror("SSL_new");
longjmp(c->err, 1);
}
SSL_set_ex_data(c->ssl, cli_index, c); /* for callbacks */
SSL_set_session_id_context(c->ssl, (unsigned char *)sid_ctx,
strlen(sid_ctx));
if(c->opt->option.client) {
#ifndef OPENSSL_NO_TLSEXT
if(c->opt->host_name) {
s_log(LOG_DEBUG, "SNI: host name: %s", c->opt->host_name);
if(!SSL_set_tlsext_host_name(c->ssl, c->opt->host_name)) {
sslerror("SSL_set_tlsext_host_name");
longjmp(c->err, 1);
}
}
#endif
if(c->opt->session) {
enter_critical_section(CRIT_SESSION);
SSL_set_session(c->ssl, c->opt->session);
leave_critical_section(CRIT_SESSION);
}
SSL_set_fd(c->ssl, c->remote_fd.fd);
SSL_set_connect_state(c->ssl);
} else {
if(c->local_rfd.fd==c->local_wfd.fd)
SSL_set_fd(c->ssl, c->local_rfd.fd);
else {
/* does it make sence to have SSL on STDIN/STDOUT? */
SSL_set_rfd(c->ssl, c->local_rfd.fd);
SSL_set_wfd(c->ssl, c->local_wfd.fd);
}
SSL_set_accept_state(c->ssl);
}
/* setup some values for transfer() function */
if(c->opt->option.client) {
c->sock_rfd=&(c->local_rfd);
c->sock_wfd=&(c->local_wfd);
c->ssl_rfd=c->ssl_wfd=&(c->remote_fd);
} else {
c->sock_rfd=c->sock_wfd=&(c->remote_fd);
c->ssl_rfd=&(c->local_rfd);
c->ssl_wfd=&(c->local_wfd);
}
while(1) {
#if OPENSSL_VERSION_NUMBER<0x1000002f
/* this critical section is a crude workaround for CVE-2010-3864 *
* see http://www.securityfocus.com/bid/44884 for details *
* NOTE: this critical section also covers callbacks (e.g. OCSP) */
enter_critical_section(CRIT_SSL);
#endif /* OpenSSL version < 1.0.0b */
if(c->opt->option.client)
i=SSL_connect(c->ssl);
else
i=SSL_accept(c->ssl);
#if OPENSSL_VERSION_NUMBER<0x1000002f
leave_critical_section(CRIT_SSL);
#endif /* OpenSSL version < 1.0.0b */
err=SSL_get_error(c->ssl, i);
if(err==SSL_ERROR_NONE)
break; /* ok -> done */
if(err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE) {
s_poll_init(&c->fds);
s_poll_add(&c->fds, c->ssl_rfd->fd,
err==SSL_ERROR_WANT_READ,
err==SSL_ERROR_WANT_WRITE);
switch(s_poll_wait(&c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("init_ssl: s_poll_wait");
longjmp(c->err, 1);
case 0:
s_log(LOG_INFO, "init_ssl: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1);
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "init_ssl: s_poll_wait: unknown result");
longjmp(c->err, 1);
}
continue; /* ok -> retry */
}
if(err==SSL_ERROR_SYSCALL) {
switch(get_last_socket_error()) {
case EINTR:
case EAGAIN:
continue;
}
}
if(c->opt->option.client)
sslerror("SSL_connect");
else
sslerror("SSL_accept");
longjmp(c->err, 1);
}
if(SSL_session_reused(c->ssl)) {
s_log(LOG_INFO, "SSL %s: previous session reused",
c->opt->option.client ? "connected" : "accepted");
} else { /* a new session was negotiated */
if(c->opt->option.client) {
s_log(LOG_INFO, "SSL connected: new session negotiated");
enter_critical_section(CRIT_SESSION);
old_session=c->opt->session;
c->opt->session=SSL_get1_session(c->ssl); /* store it */
if(old_session)
SSL_SESSION_free(old_session); /* release the old one */
leave_critical_section(CRIT_SESSION);
} else
s_log(LOG_INFO, "SSL accepted: new session negotiated");
print_cipher(c);
}
}
static void init_ssl(CLI *c) {
int i, err;
SSL_SESSION *old_session;
int unsafe_openssl;
c->ssl=SSL_new(c->opt->ctx);
if(!c->ssl) {
sslerror("SSL_new");
longjmp(c->err, 1);
}
SSL_set_ex_data(c->ssl, cli_index, c); /* for callbacks */
if(c->opt->option.client) {
#ifndef OPENSSL_NO_TLSEXT
if(c->opt->sni) {
s_log(LOG_DEBUG, "SNI: host name: %s", c->opt->sni);
if(!SSL_set_tlsext_host_name(c->ssl, c->opt->sni)) {
sslerror("SSL_set_tlsext_host_name");
longjmp(c->err, 1);
}
}
#endif
if(c->opt->session) {
enter_critical_section(CRIT_SESSION);
SSL_set_session(c->ssl, c->opt->session);
leave_critical_section(CRIT_SESSION);
}
SSL_set_fd(c->ssl, c->remote_fd.fd);
SSL_set_connect_state(c->ssl);
} else {
if(c->local_rfd.fd==c->local_wfd.fd)
SSL_set_fd(c->ssl, c->local_rfd.fd);
else {
/* does it make sense to have SSL on STDIN/STDOUT? */
SSL_set_rfd(c->ssl, c->local_rfd.fd);
SSL_set_wfd(c->ssl, c->local_wfd.fd);
}
SSL_set_accept_state(c->ssl);
}
/* setup some values for transfer() function */
if(c->opt->option.client) {
c->sock_rfd=&(c->local_rfd);
c->sock_wfd=&(c->local_wfd);
c->ssl_rfd=c->ssl_wfd=&(c->remote_fd);
} else {
c->sock_rfd=c->sock_wfd=&(c->remote_fd);
c->ssl_rfd=&(c->local_rfd);
c->ssl_wfd=&(c->local_wfd);
}
unsafe_openssl=SSLeay()<0x0090810fL ||
(SSLeay()>=0x10000000L && SSLeay()<0x1000002fL);
while(1) {
/* critical section for OpenSSL version < 0.9.8p or 1.x.x < 1.0.0b *
* this critical section is a crude workaround for CVE-2010-3864 *
* see http://www.securityfocus.com/bid/44884 for details *
* alternative solution is to disable internal session caching *
* NOTE: this critical section also covers callbacks (e.g. OCSP) */
if(unsafe_openssl)
enter_critical_section(CRIT_SSL);
if(c->opt->option.client)
i=SSL_connect(c->ssl);
else
i=SSL_accept(c->ssl);
if(unsafe_openssl)
leave_critical_section(CRIT_SSL);
err=SSL_get_error(c->ssl, i);
if(err==SSL_ERROR_NONE)
break; /* ok -> done */
if(err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->ssl_rfd->fd,
err==SSL_ERROR_WANT_READ,
err==SSL_ERROR_WANT_WRITE);
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("init_ssl: s_poll_wait");
longjmp(c->err, 1);
case 0:
s_log(LOG_INFO, "init_ssl: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1);
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "init_ssl: s_poll_wait: unknown result");
longjmp(c->err, 1);
}
continue; /* ok -> retry */
}
if(err==SSL_ERROR_SYSCALL) {
switch(get_last_socket_error()) {
case S_EINTR:
case S_EWOULDBLOCK:
#if S_EAGAIN!=S_EWOULDBLOCK
case S_EAGAIN:
#endif
continue;
}
}
if(c->opt->option.client)
sslerror("SSL_connect");
else
sslerror("SSL_accept");
longjmp(c->err, 1);
}
if(SSL_session_reused(c->ssl)) {
s_log(LOG_INFO, "SSL %s: previous session reused",
c->opt->option.client ? "connected" : "accepted");
} else { /* a new session was negotiated */
#ifdef USE_WIN32
win_new_chain(c);
#endif
if(c->opt->option.client) {
s_log(LOG_INFO, "SSL connected: new session negotiated");
enter_critical_section(CRIT_SESSION);
old_session=c->opt->session;
c->opt->session=SSL_get1_session(c->ssl); /* store it */
if(old_session)
SSL_SESSION_free(old_session); /* release the old one */
leave_critical_section(CRIT_SESSION);
} else
s_log(LOG_INFO, "SSL accepted: new session negotiated");
print_cipher(c);
}
}
static void init_ssl(CLI * c)
{
int i, err;
SSL_SESSION *old_session;
c->ssl = SSL_new(c->opt->ctx);
if (!c->ssl) {
sslerror("SSL_new");
longjmp(c->err, 1);
}
SSL_set_ex_data(c->ssl, cli_index, c);
if (c->opt->option.client) {
if (c->opt->session) {
SSL_set_session(c->ssl, c->opt->session);
}
SSL_set_fd(c->ssl, c->remote_fd.fd);
SSL_set_connect_state(c->ssl);
} else {
if (c->local_rfd.fd == c->local_wfd.fd)
SSL_set_fd(c->ssl, c->local_rfd.fd);
else {
SSL_set_rfd(c->ssl, c->local_rfd.fd);
SSL_set_wfd(c->ssl, c->local_wfd.fd);
}
SSL_set_accept_state(c->ssl);
}
if (c->opt->option.client) {
c->sock_rfd = &(c->local_rfd);
c->sock_wfd = &(c->local_wfd);
c->ssl_rfd = c->ssl_wfd = &(c->remote_fd);
} else {
c->sock_rfd = c->sock_wfd = &(c->remote_fd);
c->ssl_rfd = &(c->local_rfd);
c->ssl_wfd = &(c->local_wfd);
}
while (1) {
if (c->opt->option.client)
i = SSL_connect(c->ssl);
else
i = SSL_accept(c->ssl);
err = SSL_get_error(c->ssl, i);
if (err == SSL_ERROR_NONE)
break;
if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->ssl_rfd->fd,
err == SSL_ERROR_WANT_READ,
err == SSL_ERROR_WANT_WRITE);
switch (s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("init_ssl: s_poll_wait");
longjmp(c->err, 1);
case 0:
s_log(LOG_INFO, "init_ssl: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1);
case 1:
break;
default:
s_log(LOG_ERR,
"init_ssl: s_poll_wait: unknown result");
longjmp(c->err, 1);
}
continue;
}
if (err == SSL_ERROR_SYSCALL) {
switch (get_last_socket_error()) {
case S_EINTR:
case S_EWOULDBLOCK:
#if S_EAGAIN!=S_EWOULDBLOCK
case S_EAGAIN:
#endif
continue;
}
}
if (c->opt->option.client)
sslerror("SSL_connect");
else
sslerror("SSL_accept");
longjmp(c->err, 1);
}
if (SSL_session_reused(c->ssl)) {
s_log(LOG_INFO, "SSL %s: previous session reused",
c->opt->option.client ? "connected" : "accepted");
} else {
if (c->opt->option.client) {
s_log(LOG_INFO,
"SSL connected: new session negotiated");
old_session = c->opt->session;
c->opt->session = SSL_get1_session(c->ssl);
if (old_session)
SSL_SESSION_free(old_session);
} else
s_log(LOG_INFO, "SSL accepted: new session negotiated");
print_cipher(c);
}
}
static int init_ssl(CLI *c) {
int i, err;
SSL_SESSION *old_session;
if(!(c->ssl=SSL_new(ctx))) {
sslerror("SSL_new");
return -1;
}
#if SSLEAY_VERSION_NUMBER >= 0x0922
SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx));
#endif
if(options.option.client) {
if(c->opt->session) {
enter_critical_section(CRIT_SESSION);
SSL_set_session(c->ssl, c->opt->session);
leave_critical_section(CRIT_SESSION);
}
SSL_set_fd(c->ssl, c->remote_fd.fd);
SSL_set_connect_state(c->ssl);
} else {
if(c->local_rfd.fd==c->local_wfd.fd)
SSL_set_fd(c->ssl, c->local_rfd.fd);
else {
/* Does it make sence to have SSL on STDIN/STDOUT? */
SSL_set_rfd(c->ssl, c->local_rfd.fd);
SSL_set_wfd(c->ssl, c->local_wfd.fd);
}
SSL_set_accept_state(c->ssl);
}
/* Setup some values for transfer() function */
if(options.option.client) {
c->sock_rfd=&(c->local_rfd);
c->sock_wfd=&(c->local_wfd);
c->ssl_rfd=c->ssl_wfd=&(c->remote_fd);
} else {
c->sock_rfd=c->sock_wfd=&(c->remote_fd);
c->ssl_rfd=&(c->local_rfd);
c->ssl_wfd=&(c->local_wfd);
}
while(1) {
if(options.option.client)
i=SSL_connect(c->ssl);
else
i=SSL_accept(c->ssl);
err=SSL_get_error(c->ssl, i);
if(err==SSL_ERROR_NONE)
break; /* ok -> done */
if(err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE) {
s_poll_zero(&c->fds);
s_poll_add(&c->fds, c->ssl_rfd->fd,
err==SSL_ERROR_WANT_READ,
err==SSL_ERROR_WANT_WRITE);
switch(s_poll_wait(&c->fds, c->opt->timeout_busy)) {
case -1:
sockerror("init_ssl: s_poll_wait");
return -1; /* error */
case 0:
s_log(LOG_INFO, "init_ssl: s_poll_wait timeout");
return -1; /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "init_ssl: s_poll_wait unknown result");
return -1; /* error */
}
continue; /* ok -> retry */
}
if(err==SSL_ERROR_SYSCALL) {
switch(get_last_socket_error()) {
case EINTR:
case EAGAIN:
continue;
}
}
if(options.option.client)
sslerror("SSL_connect");
else
sslerror("SSL_accept");
return -1;
}
if(SSL_session_reused(c->ssl)) {
s_log(LOG_INFO, "SSL %s: previous session reused",
options.option.client ? "connected" : "accepted");
} else { /* a new session was negotiated */
if(options.option.client) {
s_log(LOG_INFO, "SSL connected: new session negotiated");
enter_critical_section(CRIT_SESSION);
old_session=c->opt->session;
c->opt->session=SSL_get1_session(c->ssl); /* store it */
if(old_session)
SSL_SESSION_free(old_session); /* release the old one */
leave_critical_section(CRIT_SESSION);
} else
s_log(LOG_INFO, "SSL accepted: new session negotiated");
print_cipher(c);
}
return 0; /* OK */
}
static int test_dtls_drop_records(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
BIO *c_to_s_fbio, *mempackbio;
int testresult = 0;
int epoch = 0;
SSL_SESSION *sess = NULL;
int cli_to_srv_epoch0, cli_to_srv_epoch1, srv_to_cli_epoch0;
if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, DTLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
if (idx >= TOTAL_FULL_HAND_RECORDS) {
/* We're going to do a resumption handshake. Get a session first. */
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
|| !TEST_ptr(sess = SSL_get1_session(clientssl)))
goto end;
SSL_shutdown(clientssl);
SSL_shutdown(serverssl);
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
cli_to_srv_epoch0 = CLI_TO_SRV_RESUME_EPOCH_0_RECS;
cli_to_srv_epoch1 = CLI_TO_SRV_RESUME_EPOCH_1_RECS;
srv_to_cli_epoch0 = SRV_TO_CLI_RESUME_EPOCH_0_RECS;
idx -= TOTAL_FULL_HAND_RECORDS;
} else {
cli_to_srv_epoch0 = CLI_TO_SRV_EPOCH_0_RECS;
cli_to_srv_epoch1 = CLI_TO_SRV_EPOCH_1_RECS;
srv_to_cli_epoch0 = SRV_TO_CLI_EPOCH_0_RECS;
}
c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());
if (!TEST_ptr(c_to_s_fbio))
goto end;
/* BIO is freed by create_ssl_connection on error */
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, c_to_s_fbio)))
goto end;
if (sess != NULL) {
if (!TEST_true(SSL_set_session(clientssl, sess)))
goto end;
}
DTLS_set_timer_cb(clientssl, timer_cb);
DTLS_set_timer_cb(serverssl, timer_cb);
/* Work out which record to drop based on the test number */
if (idx >= cli_to_srv_epoch0 + cli_to_srv_epoch1) {
mempackbio = SSL_get_wbio(serverssl);
idx -= cli_to_srv_epoch0 + cli_to_srv_epoch1;
if (idx >= srv_to_cli_epoch0) {
epoch = 1;
idx -= srv_to_cli_epoch0;
}
} else {
mempackbio = SSL_get_wbio(clientssl);
if (idx >= cli_to_srv_epoch0) {
epoch = 1;
idx -= cli_to_srv_epoch0;
}
mempackbio = BIO_next(mempackbio);
}
BIO_ctrl(mempackbio, MEMPACKET_CTRL_SET_DROP_EPOCH, epoch, NULL);
BIO_ctrl(mempackbio, MEMPACKET_CTRL_SET_DROP_REC, idx, NULL);
if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
if (sess != NULL && !TEST_true(SSL_session_reused(clientssl)))
goto end;
/* If the test did what we planned then it should have dropped a record */
if (!TEST_int_eq((int)BIO_ctrl(mempackbio, MEMPACKET_CTRL_GET_DROP_REC, 0,
NULL), -1))
goto end;
testresult = 1;
end:
SSL_SESSION_free(sess);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
/*
* Note that |extra| points to the correct client/server configuration
* within |test_ctx|. When configuring the handshake, general mode settings
* are taken from |test_ctx|, and client/server-specific settings should be
* taken from |extra|.
*
* The configuration code should never reach into |test_ctx->extra| or
* |test_ctx->resume_extra| directly.
*
* (We could refactor test mode settings into a substructure. This would result
* in cleaner argument passing but would complicate the test configuration
* parsing.)
*/
static HANDSHAKE_RESULT *do_handshake_internal(
SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx,
const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra,
SSL_SESSION *session_in, SSL_SESSION **session_out)
{
PEER server, client;
BIO *client_to_server, *server_to_client;
HANDSHAKE_EX_DATA server_ex_data, client_ex_data;
CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data;
HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new();
int client_turn = 1;
connect_phase_t phase = HANDSHAKE;
handshake_status_t status = HANDSHAKE_RETRY;
const unsigned char* tick = NULL;
size_t tick_len = 0;
SSL_SESSION* sess = NULL;
const unsigned char *proto = NULL;
/* API dictates unsigned int rather than size_t. */
unsigned int proto_len = 0;
memset(&server_ctx_data, 0, sizeof(server_ctx_data));
memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
memset(&client_ctx_data, 0, sizeof(client_ctx_data));
memset(&server, 0, sizeof(server));
memset(&client, 0, sizeof(client));
configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx, extra,
&server_ctx_data, &server2_ctx_data, &client_ctx_data);
/* Setup SSL and buffers; additional configuration happens below. */
create_peer(&server, server_ctx);
create_peer(&client, client_ctx);
server.bytes_to_write = client.bytes_to_read = test_ctx->app_data_size;
client.bytes_to_write = server.bytes_to_read = test_ctx->app_data_size;
configure_handshake_ssl(server.ssl, client.ssl, extra);
if (session_in != NULL) {
/* In case we're testing resumption without tickets. */
TEST_check(SSL_CTX_add_session(server_ctx, session_in));
TEST_check(SSL_set_session(client.ssl, session_in));
}
memset(&server_ex_data, 0, sizeof(server_ex_data));
memset(&client_ex_data, 0, sizeof(client_ex_data));
ret->result = SSL_TEST_INTERNAL_ERROR;
client_to_server = BIO_new(BIO_s_mem());
server_to_client = BIO_new(BIO_s_mem());
TEST_check(client_to_server != NULL);
TEST_check(server_to_client != NULL);
/* Non-blocking bio. */
BIO_set_nbio(client_to_server, 1);
BIO_set_nbio(server_to_client, 1);
SSL_set_connect_state(client.ssl);
SSL_set_accept_state(server.ssl);
/* The bios are now owned by the SSL object. */
SSL_set_bio(client.ssl, server_to_client, client_to_server);
TEST_check(BIO_up_ref(server_to_client) > 0);
TEST_check(BIO_up_ref(client_to_server) > 0);
SSL_set_bio(server.ssl, client_to_server, server_to_client);
ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL);
TEST_check(ex_data_idx >= 0);
TEST_check(SSL_set_ex_data(server.ssl, ex_data_idx, &server_ex_data) == 1);
TEST_check(SSL_set_ex_data(client.ssl, ex_data_idx, &client_ex_data) == 1);
SSL_set_info_callback(server.ssl, &info_cb);
SSL_set_info_callback(client.ssl, &info_cb);
client.status = server.status = PEER_RETRY;
/*
* Half-duplex handshake loop.
* Client and server speak to each other synchronously in the same process.
* We use non-blocking BIOs, so whenever one peer blocks for read, it
* returns PEER_RETRY to indicate that it's the other peer's turn to write.
* The handshake succeeds once both peers have succeeded. If one peer
* errors out, we also let the other peer retry (and presumably fail).
*/
for(;;) {
if (client_turn) {
do_connect_step(&client, phase);
status = handshake_status(client.status, server.status,
1 /* client went last */);
} else {
do_connect_step(&server, phase);
status = handshake_status(server.status, client.status,
0 /* server went last */);
}
switch (status) {
case HANDSHAKE_SUCCESS:
phase = next_phase(phase);
if (phase == CONNECTION_DONE) {
ret->result = SSL_TEST_SUCCESS;
goto err;
} else {
client.status = server.status = PEER_RETRY;
/*
* For now, client starts each phase. Since each phase is
* started separately, we can later control this more
* precisely, for example, to test client-initiated and
* server-initiated shutdown.
*/
client_turn = 1;
break;
}
case CLIENT_ERROR:
ret->result = SSL_TEST_CLIENT_FAIL;
goto err;
case SERVER_ERROR:
ret->result = SSL_TEST_SERVER_FAIL;
goto err;
case INTERNAL_ERROR:
ret->result = SSL_TEST_INTERNAL_ERROR;
goto err;
case HANDSHAKE_RETRY:
/* Continue. */
client_turn ^= 1;
break;
}
}
err:
ret->server_alert_sent = server_ex_data.alert_sent;
ret->server_num_fatal_alerts_sent = server_ex_data.num_fatal_alerts_sent;
ret->server_alert_received = client_ex_data.alert_received;
ret->client_alert_sent = client_ex_data.alert_sent;
ret->client_num_fatal_alerts_sent = client_ex_data.num_fatal_alerts_sent;
ret->client_alert_received = server_ex_data.alert_received;
ret->server_protocol = SSL_version(server.ssl);
ret->client_protocol = SSL_version(client.ssl);
ret->servername = server_ex_data.servername;
if ((sess = SSL_get0_session(client.ssl)) != NULL)
SSL_SESSION_get0_ticket(sess, &tick, &tick_len);
if (tick == NULL || tick_len == 0)
ret->session_ticket = SSL_TEST_SESSION_TICKET_NO;
else
ret->session_ticket = SSL_TEST_SESSION_TICKET_YES;
ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call;
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_get0_next_proto_negotiated(client.ssl, &proto, &proto_len);
ret->client_npn_negotiated = dup_str(proto, proto_len);
SSL_get0_next_proto_negotiated(server.ssl, &proto, &proto_len);
ret->server_npn_negotiated = dup_str(proto, proto_len);
#endif
SSL_get0_alpn_selected(client.ssl, &proto, &proto_len);
ret->client_alpn_negotiated = dup_str(proto, proto_len);
SSL_get0_alpn_selected(server.ssl, &proto, &proto_len);
ret->server_alpn_negotiated = dup_str(proto, proto_len);
ret->client_resumed = SSL_session_reused(client.ssl);
ret->server_resumed = SSL_session_reused(server.ssl);
if (session_out != NULL)
*session_out = SSL_get1_session(client.ssl);
ctx_data_free_data(&server_ctx_data);
ctx_data_free_data(&server2_ctx_data);
ctx_data_free_data(&client_ctx_data);
peer_free_data(&server);
peer_free_data(&client);
return ret;
}
int
connect_ssl(char *host, char *port,
int reconnect,
int use_sessionid, int use_ticket,
int delay,
const char *client_cert, const char *client_key) {
SSL_CTX* ctx;
SSL* ssl;
SSL_SESSION* ssl_session = NULL;
int s, n;
char buffer[256];
struct addrinfo* addr;
start("Initialize OpenSSL library");
SSL_load_error_strings();
SSL_library_init();
if ((ctx = SSL_CTX_new(TLSv1_client_method())) == NULL)
fail("Unable to initialize SSL context:\n%s",
ERR_error_string(ERR_get_error(), NULL));
if (client_cert || client_key) {
if (SSL_CTX_use_certificate_chain_file(ctx,client_cert)==0) {
fail("failed to read X509 certificate from file %s into PEM format",client_key);
}
}
if (client_key) {
if (SSL_CTX_use_PrivateKey_file(ctx,client_key,SSL_FILETYPE_PEM)==0) {
fail("failed to read private key from file %s into PEM format",client_key);
}
}
if (!use_ticket) {
start("Disable use of session tickets (RFC 5077)");
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
}
addr = solve(host, port);
do {
s = connect_socket(addr, host, port);
start("Start TLS renegotiation");
if ((ssl = SSL_new(ctx)) == NULL)
fail("Unable to create new SSL struct:\n%s",
ERR_error_string(ERR_get_error(), NULL));
SSL_set_fd(ssl, s);
if (ssl_session) {
if (!SSL_set_session(ssl, ssl_session)) {
fail("Unable to set session to previous one:\n%s",
ERR_error_string(ERR_get_error(), NULL));
}
}
if (SSL_connect(ssl) != 1)
fail("Unable to start TLS renegotiation:\n%s",
ERR_error_string(ERR_get_error(), NULL));
start("Check if session was reused");
if (!SSL_session_reused(ssl) && ssl_session)
warn("No session was reused.");
else if (SSL_session_reused(ssl) && !ssl_session)
warn("Session was reused.");
else if (SSL_session_reused(ssl))
end("SSL session correctly reused");
else
end("SSL session was not used");
start("Get current session");
if (ssl_session) SSL_SESSION_free(ssl_session);
ssl_session = NULL;
if (!(ssl_session = SSL_get1_session(ssl)))
warn("No session available");
else {
BIO *mem = BIO_new(BIO_s_mem());
char *buf;
if (SSL_SESSION_print(mem, ssl_session) != 1)
fail("Unable to print session:\n%s",
ERR_error_string(ERR_get_error(), NULL));
n = BIO_get_mem_data(mem, &buf);
buf[n-1] = '\0';
end("Session content:\n%s", buf);
BIO_free(mem);
}
if ((!use_sessionid && !use_ticket) ||
(!use_sessionid && !ssl_session->tlsext_tick)) {
SSL_SESSION_free(ssl_session);
ssl_session = NULL;
}
start("Send HTTP GET");
n = snprintf(buffer, sizeof(buffer),
"GET / HTTP/1.0\r\n"
"Host: %s\r\n"
"\r\n", host);
if (n == -1 || n >= sizeof(buffer))
fail("Unable to build request to send");
if (SSL_write(ssl, buffer, strlen(buffer)) != strlen(buffer))
fail("SSL write request failed:\n%s",
ERR_error_string(ERR_get_error(), NULL));
start("Get HTTP answer");
if ((n = SSL_read(ssl, buffer, sizeof(buffer) - 1)) <= 0)
fail("SSL read request failed:\n%s",
ERR_error_string(ERR_get_error(), NULL));
buffer[n] = '\0';
if (strchr(buffer, '\r'))
*strchr(buffer, '\r') = '\0';
end("%s", buffer);
start("End TLS connection");
SSL_shutdown(ssl);
close(s);
SSL_free(ssl);
--reconnect;
if (reconnect < 0) break;
else {
start("waiting %d seconds",delay);
sleep(delay);
}
} while (1);
SSL_CTX_free(ctx);
return 0;
}
void TLS_SOCKET_CLASS::close()
// DESCRIPTION : Close socket down.
// PRECONDITIONS :
// POSTCONDITIONS :
// EXCEPTIONS :
// NOTES :
//<<===========================================================================
{
if (ownerThreadIdM != getThreadId())
{
// this thread does not own the socket, just set the terminatng flag and let the owning
// thread take care of the close
if (loggerM_ptr)
{
loggerM_ptr->text(LOG_DEBUG, 1, "Secure Socket - tls::close() - starting to terminate connection");
}
terminatingM = true;
return;
}
if (loggerM_ptr)
{
loggerM_ptr->text(LOG_DEBUG, 1, "Secure Socket - tls::close()");
}
if (connectedM)
{
if (cacheTlsSessionsM)
{
if (savedClientSessionM_ptr != NULL)
{
SSL_SESSION_free(savedClientSessionM_ptr);
}
// cache the session
savedClientSessionM_ptr = SSL_get1_session(sslM_ptr);
}
// shutdown the connection - send our shutdown message
if (SSL_shutdown(sslM_ptr) == 0)
{
// don't wait for the peer shutdwon message - they may not respond, which will cause us to block
}
connectedM = false;
}
if (listeningM)
{
// the freeing of the acceptBio below closes the socket
listeningM = false;
}
if (acceptBioM_ptr != NULL)
{
BIO_free(acceptBioM_ptr);
acceptBioM_ptr = NULL;
}
if (sslM_ptr != NULL)
{
SSL_free(sslM_ptr);
sslM_ptr = NULL;
}
// report any outstanding SSL errors
if (ERR_peek_error() != 0)
{
openSslError("closing socket");
}
// free the OpenSSL error state. This really needs to be done on a per thread basis.
ERR_remove_state(0);
connectedM = false;
listeningM = false;
terminatingM = false;
}
/* ====================================================== */
CURLcode
Curl_ossl_connect(struct connectdata *conn,
int sockindex)
{
CURLcode retcode = CURLE_OK;
struct SessionHandle *data = conn->data;
int err;
long lerr;
int what;
char * str;
SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
void *ssl_sessionid=NULL;
ASN1_TIME *certdate;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
if(!ssl_seeded || data->set.ssl.random_file || data->set.ssl.egdsocket) {
/* Make funny stuff to get random input */
random_the_seed(data);
ssl_seeded = TRUE;
}
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
/* we try to figure out version */
req_method = SSLv23_client_method();
break;
case CURL_SSLVERSION_TLSv1:
req_method = TLSv1_client_method();
break;
case CURL_SSLVERSION_SSLv2:
req_method = SSLv2_client_method();
break;
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
}
connssl->ctx = SSL_CTX_new(req_method);
if(!connssl->ctx) {
failf(data, "SSL: couldn't create a context!");
return CURLE_OUT_OF_MEMORY;
}
#ifdef SSL_CTRL_SET_MSG_CALLBACK
if (data->set.fdebug) {
/* the SSL trace callback is only used for verbose logging so we only
inform about failures of setting it */
if (!SSL_CTX_callback_ctrl(connssl->ctx, SSL_CTRL_SET_MSG_CALLBACK,
(void (*)(void))ssl_tls_trace)) {
infof(data, "SSL: couldn't set callback!");
}
else if (!SSL_CTX_ctrl(connssl->ctx, SSL_CTRL_SET_MSG_CALLBACK_ARG, 0,
conn)) {
infof(data, "SSL: couldn't set callback argument!");
}
}
#endif
/* OpenSSL contains code to work-around lots of bugs and flaws in various
SSL-implementations. SSL_CTX_set_options() is used to enabled those
work-arounds. The man page for this option states that SSL_OP_ALL enables
ll the work-arounds and that "It is usually safe to use SSL_OP_ALL to
enable the bug workaround options if compatibility with somewhat broken
implementations is desired."
*/
SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
#if 0
/*
* Not sure it's needed to tell SSL_connect() that socket is
* non-blocking. It doesn't seem to care, but just return with
* SSL_ERROR_WANT_x.
*/
if (data->state.used_interface == Curl_if_multi)
SSL_CTX_ctrl(connssl->ctx, BIO_C_SET_NBIO, 1, NULL);
#endif
if(data->set.cert) {
if(!cert_stuff(conn,
connssl->ctx,
data->set.cert,
data->set.cert_type,
data->set.key,
data->set.key_type)) {
/* failf() is already done in cert_stuff() */
return CURLE_SSL_CERTPROBLEM;
}
}
if(data->set.ssl.cipher_list) {
if(!SSL_CTX_set_cipher_list(connssl->ctx,
data->set.ssl.cipher_list)) {
failf(data, "failed setting cipher list");
return CURLE_SSL_CIPHER;
}
}
if (data->set.ssl.CAfile || data->set.ssl.CApath) {
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */
if (!SSL_CTX_load_verify_locations(connssl->ctx, data->set.ssl.CAfile,
data->set.ssl.CApath)) {
if (data->set.ssl.verifypeer) {
/* Fail if we insist on successfully verifying the server. */
failf(data,"error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
return CURLE_SSL_CACERT;
}
else {
/* Just continue with a warning if no strict certificate verification
is required. */
infof(data, "error setting certificate verify locations,"
" continuing anyway:\n");
}
}
else {
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:\n");
}
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
}
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
* anyway. In the latter case the result of the verification is checked with
* SSL_get_verify_result() below. */
SSL_CTX_set_verify(connssl->ctx,
data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
cert_verify_callback);
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
retcode = (*data->set.ssl.fsslctx)(data, connssl->ctx,
data->set.ssl.fsslctxp);
if(retcode) {
failf(data,"error signaled by ssl ctx callback");
return retcode;
}
}
/* Lets make an SSL structure */
connssl->handle = SSL_new(connssl->ctx);
if (!connssl->handle) {
failf(data, "SSL: couldn't create a context (handle)!");
return CURLE_OUT_OF_MEMORY;
}
SSL_set_connect_state(connssl->handle);
connssl->server_cert = 0x0;
/* Check if there's a cached ID we can/should use here! */
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
/* we got a session id, use it! */
if (!SSL_set_session(connssl->handle, ssl_sessionid)) {
failf(data, "SSL: SSL_set_session failed: %s",
ERR_error_string(ERR_get_error(),NULL));
return CURLE_SSL_CONNECT_ERROR;
}
/* Informational message */
infof (data, "SSL re-using session ID\n");
}
/* pass the raw socket into the SSL layers */
if (!SSL_set_fd(connssl->handle, sockfd)) {
failf(data, "SSL: SSL_set_fd failed: %s",
ERR_error_string(ERR_get_error(),NULL));
return CURLE_SSL_CONNECT_ERROR;
}
while(1) {
int writefd;
int readfd;
long timeout_ms;
long has_passed;
/* Find out if any timeout is set. If not, use 300 seconds.
Otherwise, figure out the most strict timeout of the two possible one
and then how much time that has elapsed to know how much time we
allow for the connect call */
if(data->set.timeout || data->set.connecttimeout) {
/* get the most strict timeout of the ones converted to milliseconds */
if(data->set.timeout &&
(data->set.timeout>data->set.connecttimeout))
timeout_ms = data->set.timeout*1000;
else
timeout_ms = data->set.connecttimeout*1000;
}
else
/* no particular time-out has been set */
timeout_ms= DEFAULT_CONNECT_TIMEOUT;
/* Evaluate in milliseconds how much time that has passed */
has_passed = Curl_tvdiff(Curl_tvnow(), data->progress.t_startsingle);
/* subtract the passed time */
timeout_ms -= has_passed;
if(timeout_ms < 0) {
/* a precaution, no need to continue if time already is up */
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEOUTED;
}
readfd = CURL_SOCKET_BAD;
writefd = CURL_SOCKET_BAD;
err = SSL_connect(connssl->handle);
/* 1 is fine
0 is "not successful but was shut down controlled"
<0 is "handshake was not successful, because a fatal error occurred" */
if(1 != err) {
int detail = SSL_get_error(connssl->handle, err);
if(SSL_ERROR_WANT_READ == detail)
readfd = sockfd;
else if(SSL_ERROR_WANT_WRITE == detail)
writefd = sockfd;
else {
/* untreated error */
unsigned long errdetail;
char error_buffer[120]; /* OpenSSL documents that this must be at least
120 bytes long. */
CURLcode rc;
const char *cert_problem = NULL;
errdetail = ERR_get_error(); /* Gets the earliest error code from the
thread's error queue and removes the
entry. */
switch(errdetail) {
case 0x1407E086:
/* 1407E086:
SSL routines:
SSL2_SET_CERTIFICATE:
certificate verify failed */
/* fall-through */
case 0x14090086:
/* 14090086:
SSL routines:
SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed */
cert_problem = "SSL certificate problem, verify that the CA cert is"
" OK. Details:\n";
rc = CURLE_SSL_CACERT;
break;
default:
rc = CURLE_SSL_CONNECT_ERROR;
break;
}
/* detail is already set to the SSL error above */
/* If we e.g. use SSLv2 request-method and the server doesn't like us
* (RST connection etc.), OpenSSL gives no explanation whatsoever and
* the SO_ERROR is also lost.
*/
if (CURLE_SSL_CONNECT_ERROR == rc && errdetail == 0) {
failf(data, "Unknown SSL protocol error in connection to %s:%d ",
conn->host.name, conn->port);
return rc;
}
/* Could be a CERT problem */
SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
failf(data, "%s%s", cert_problem ? cert_problem : "", error_buffer);
return rc;
}
}
else
/* we have been connected fine, get out of the connect loop */
break;
while(1) {
what = Curl_select(readfd, writefd, (int)timeout_ms);
if(what > 0)
/* reabable or writable, go loop in the outer loop */
break;
else if(0 == what) {
/* timeout */
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
else {
/* anything that gets here is fatally bad */
failf(data, "select on SSL socket, errno: %d", Curl_ourerrno());
return CURLE_SSL_CONNECT_ERROR;
}
} /* while()-loop for the select() */
} /* while()-loop for the SSL_connect() */
/* Informational message */
infof (data, "SSL connection using %s\n",
SSL_get_cipher(connssl->handle));
if(!ssl_sessionid) {
/* Since this is not a cached session ID, then we want to stach this one
in the cache! */
SSL_SESSION *ssl_sessionid;
#ifdef HAVE_SSL_GET1_SESSION
ssl_sessionid = SSL_get1_session(connssl->handle);
/* SSL_get1_session() will increment the reference
count and the session will stay in memory until explicitly freed with
SSL_SESSION_free(3), regardless of its state.
This function was introduced in openssl 0.9.5a. */
#else
ssl_sessionid = SSL_get_session(connssl->handle);
/* if SSL_get1_session() is unavailable, use SSL_get_session().
This is an inferior option because the session can be flushed
at any time by openssl. It is included only so curl compiles
under versions of openssl < 0.9.5a.
WARNING: How curl behaves if it's session is flushed is
untested.
*/
#endif
retcode = Curl_ssl_addsessionid(conn, ssl_sessionid,
0 /* unknown size */);
if(retcode) {
failf(data, "failed to store ssl session");
return retcode;
}
}
/* Get server's certificate (note: beware of dynamic allocation) - opt */
/* major serious hack alert -- we should check certificates
* to authenticate the server; otherwise we risk man-in-the-middle
* attack
*/
connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
if(!connssl->server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
return CURLE_SSL_PEER_CERTIFICATE;
}
infof (data, "Server certificate:\n");
str = X509_NAME_oneline(X509_get_subject_name(connssl->server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-subject!");
X509_free(connssl->server_cert);
connssl->server_cert = NULL;
return CURLE_SSL_CONNECT_ERROR;
}
infof(data, "\t subject: %s\n", str);
CRYPTO_free(str);
certdate = X509_get_notBefore(connssl->server_cert);
Curl_ASN1_UTCTIME_output(conn, "\t start date: ", certdate);
certdate = X509_get_notAfter(connssl->server_cert);
Curl_ASN1_UTCTIME_output(conn, "\t expire date: ", certdate);
if(data->set.ssl.verifyhost) {
retcode = verifyhost(conn, connssl->server_cert);
if(retcode) {
X509_free(connssl->server_cert);
connssl->server_cert = NULL;
return retcode;
}
}
str = X509_NAME_oneline(X509_get_issuer_name(connssl->server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-issuer name!");
retcode = CURLE_SSL_CONNECT_ERROR;
}
else {
infof(data, "\t issuer: %s\n", str);
CRYPTO_free(str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
lerr = data->set.ssl.certverifyresult=
SSL_get_verify_result(connssl->handle);
if(data->set.ssl.certverifyresult != X509_V_OK) {
if(data->set.ssl.verifypeer) {
/* We probably never reach this, because SSL_connect() will fail
and we return earlyer if verifypeer is set? */
failf(data, "SSL certificate verify result: %s (%ld)",
X509_verify_cert_error_string(lerr), lerr);
retcode = CURLE_SSL_PEER_CERTIFICATE;
}
else
infof(data, "SSL certificate verify result: %s (%ld),"
" continuing anyway.\n",
X509_verify_cert_error_string(lerr), lerr);
}
else
infof(data, "SSL certificate verify ok.\n");
}
X509_free(connssl->server_cert);
connssl->server_cert = NULL;
return retcode;
}
static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl1 = NULL, *clientssl1 = NULL;
SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
SSL_SESSION *sess1 = NULL, *sess2 = NULL;
int testresult = 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
#ifndef OPENSSL_NO_TLS1_2
/* Only allow TLS1.2 so we can force a connection failure later */
SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
#endif
/* Set up session cache */
if (fix.use_ext_cache) {
SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
}
if (fix.use_int_cache) {
/* Also covers instance where both are set */
SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
} else {
SSL_CTX_set_session_cache_mode(cctx,
SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
}
if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,
NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl1, clientssl1)) {
printf("Unable to create SSL connection\n");
goto end;
}
sess1 = SSL_get1_session(clientssl1);
if (sess1 == NULL) {
printf("Unexpected NULL session\n");
goto end;
}
if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) {
/* Should have failed because it should already be in the cache */
printf("Unexpected success adding session to cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) {
printf("Session not added to cache\n");
goto end;
}
if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) {
printf("Unable to create second SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl2, clientssl2)) {
printf("Unable to create second SSL connection\n");
goto end;
}
sess2 = SSL_get1_session(clientssl2);
if (sess2 == NULL) {
printf("Unexpected NULL session from clientssl2\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) {
printf("Remove session callback unexpectedly called\n");
goto end;
}
/*
* This should clear sess2 from the cache because it is a "bad" session. See
* SSL_set_session() documentation.
*/
if (!SSL_set_session(clientssl2, sess1)) {
printf("Unexpected failure setting session\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) {
printf("Failed to call callback to remove session\n");
goto end;
}
if (SSL_get_session(clientssl2) != sess1) {
printf("Unexpected session found\n");
goto end;
}
if (fix.use_int_cache) {
if (!SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache\n");
goto end;
}
if (!SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected failure removing session from cache\n");
goto end;
}
/* This is for the purposes of internal cache testing...ignore the
* counter for external cache
*/
if (fix.use_ext_cache)
remove_called--;
}
/* This shouldn't be in the cache so should fail */
if (SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected success removing session from cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
/* Force a connection failure */
SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) {
printf("Unable to create third SSL objects\n");
goto end;
}
if (!SSL_set_session(clientssl3, sess1)) {
printf("Unable to set session for third connection\n");
goto end;
}
/* This should fail because of the mismatched protocol versions */
if (create_ssl_connection(serverssl3, clientssl3)) {
printf("Unable to create third SSL connection\n");
goto end;
}
/* We should have automatically removed the session from the cache */
if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache #2\n");
goto end;
}
#endif
testresult = 1;
end:
SSL_free(serverssl1);
SSL_free(clientssl1);
SSL_free(serverssl2);
SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
SSL_free(serverssl3);
SSL_free(clientssl3);
#endif
SSL_SESSION_free(sess1);
SSL_SESSION_free(sess2);
/*
* Check if we need to remove any sessions up-refed for the external cache
*/
if (new_called >= 1)
SSL_SESSION_free(sess1);
if (new_called >= 2)
SSL_SESSION_free(sess2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
int MQTTClient_connect(MQTTClient handle, MQTTClient_connectOptions* options)
{
MQTTClients* m = handle;
int rc = SOCKET_ERROR;
START_TIME_TYPE start;
long millisecsTimeout = 30000L;
FUNC_ENTRY;
Thread_lock_mutex(mqttclient_mutex);
if (options == NULL)
{
rc = MQTTCLIENT_NULL_PARAMETER;
goto exit;
}
if (strncmp(options->struct_id, "MQTC", 4) != 0 || (options->struct_version != 0 && options->struct_version != 1))
{
rc = MQTTCLIENT_BAD_STRUCTURE;
goto exit;
}
if (options->will) /* check validity of will options structure */
{
if (strncmp(options->will->struct_id, "MQTW", 4) != 0 || options->will->struct_version != 0)
{
rc = MQTTCLIENT_BAD_STRUCTURE;
goto exit;
}
}
#if defined(OPENSSL)
if (options->struct_version != 0 && options->ssl) /* check validity of SSL options structure */
{
if (strncmp(options->ssl->struct_id, "MQTS", 4) != 0 || options->ssl->struct_version != 0)
{
rc = MQTTCLIENT_BAD_STRUCTURE;
goto exit;
}
}
#endif
if ((options->username && !UTF8_validateString(options->username)) ||
(options->password && !UTF8_validateString(options->password)))
{
rc = MQTTCLIENT_BAD_UTF8_STRING;
goto exit;
}
millisecsTimeout = options->connectTimeout * 1000;
start = MQTTClient_start_clock();
if (m->ma && !running)
{
Thread_start(MQTTClient_run, handle);
if (MQTTClient_elapsed(start) >= millisecsTimeout)
{
rc = SOCKET_ERROR;
goto exit;
}
MQTTClient_sleep(100L);
}
m->c->keepAliveInterval = options->keepAliveInterval;
m->c->cleansession = options->cleansession;
m->c->maxInflightMessages = (options->reliable) ? 1 : 10;
if (options->will && options->will->struct_version == 0)
{
m->c->will = malloc(sizeof(willMessages));
m->c->will->msg = options->will->message;
m->c->will->qos = options->will->qos;
m->c->will->retained = options->will->retained;
m->c->will->topic = options->will->topicName;
}
#if defined(OPENSSL)
if (options->struct_version != 0 && options->ssl)
m->c->sslopts = options->ssl;
#endif
m->c->username = options->username;
m->c->password = options->password;
m->c->retryInterval = options->retryInterval;
Log(TRACE_MIN, -1, "Connecting to serverURI %s", m->serverURI);
#if defined(OPENSSL)
rc = MQTTProtocol_connect(m->serverURI, m->c, m->ssl);
#else
rc = MQTTProtocol_connect(m->serverURI, m->c);
#endif
if (rc == SOCKET_ERROR)
goto exit;
if (m->c->connect_state == 0)
{
rc = SOCKET_ERROR;
goto exit;
}
if (m->c->connect_state == 1) /* TCP connect started - wait for completion */
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_waitfor(handle, CONNECT, &rc, millisecsTimeout - MQTTClient_elapsed(start));
Thread_lock_mutex(mqttclient_mutex);
if (rc != 0)
{
rc = SOCKET_ERROR;
goto exit;
}
#if defined(OPENSSL)
if (m->ssl)
{
if (SSLSocket_setSocketForSSL(&m->c->net, m->c->sslopts) != MQTTCLIENT_SUCCESS)
{
if (m->c->session != NULL)
if ((rc = SSL_set_session(m->c->net.ssl, m->c->session)) != 1)
Log(TRACE_MIN, -1, "Failed to set SSL session with stored data, non critical");
rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket);
if (rc == -1)
m->c->connect_state = 2;
else if (rc == SSL_FATAL)
{
rc = SOCKET_ERROR;
goto exit;
}
else if (rc == 1 && !m->c->cleansession && m->c->session == NULL)
m->c->session = SSL_get1_session(m->c->net.ssl);
}
else
{
rc = SOCKET_ERROR;
goto exit;
}
}
else
{
#endif
m->c->connect_state = 3; /* TCP connect completed, in which case send the MQTT connect packet */
if (MQTTPacket_send_connect(m->c) == SOCKET_ERROR)
{
rc = SOCKET_ERROR;
goto exit;
}
#if defined(OPENSSL)
}
#endif
}
#if defined(OPENSSL)
if (m->c->connect_state == 2) /* SSL connect sent - wait for completion */
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_waitfor(handle, CONNECT, &rc, millisecsTimeout - MQTTClient_elapsed(start));
Thread_lock_mutex(mqttclient_mutex);
if (rc != 1)
{
rc = SOCKET_ERROR;
goto exit;
}
m->c->connect_state = 3; /* TCP connect completed, in which case send the MQTT connect packet */
if (MQTTPacket_send_connect(m->c) == SOCKET_ERROR)
{
rc = SOCKET_ERROR;
goto exit;
}
}
#endif
if (m->c->connect_state == 3) /* MQTT connect sent - wait for CONNACK */
{
MQTTPacket* pack = NULL;
Thread_unlock_mutex(mqttclient_mutex);
pack = MQTTClient_waitfor(handle, CONNACK, &rc, millisecsTimeout - MQTTClient_elapsed(start));
Thread_lock_mutex(mqttclient_mutex);
if (pack == NULL)
rc = SOCKET_ERROR;
else
{
Connack* connack = (Connack*)pack;
Log(LOG_PROTOCOL, 1, NULL, m->c->net.socket, m->c->clientID, connack->rc);
if ((rc = connack->rc) == MQTTCLIENT_SUCCESS)
{
m->c->connected = 1;
m->c->good = 1;
m->c->connect_state = 0;
if (m->c->cleansession)
rc = MQTTClient_cleanSession(m->c);
if (m->c->outboundMsgs->count > 0)
{
ListElement* outcurrent = NULL;
while (ListNextElement(m->c->outboundMsgs, &outcurrent))
{
Messages* m = (Messages*)(outcurrent->content);
m->lastTouch = 0;
}
MQTTProtocol_retry(m->c->net.lastContact, 1);
if (m->c->connected != 1)
rc = MQTTCLIENT_DISCONNECTED;
}
}
free(connack);
m->pack = NULL;
}
}
exit:
if (rc != MQTTCLIENT_SUCCESS)
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_disconnect(handle, 0); /* not "internal" because we don't want to call connection lost */
Thread_lock_mutex(mqttclient_mutex);
}
if (m->c->will)
{
free(m->c->will);
m->c->will = NULL;
}
Thread_unlock_mutex(mqttclient_mutex);
FUNC_EXIT_RC(rc);
return rc;
}
MQTTPacket* MQTTClient_waitfor(MQTTClient handle, int packet_type, int* rc, long timeout)
{
MQTTPacket* pack = NULL;
MQTTClients* m = handle;
START_TIME_TYPE start = MQTTClient_start_clock();
FUNC_ENTRY;
if (((MQTTClients*)handle) == NULL)
{
*rc = MQTTCLIENT_FAILURE;
goto exit;
}
if (running)
{
if (packet_type == CONNECT)
{
if ((*rc = Thread_wait_sem(m->connect_sem, timeout)) == 0)
*rc = m->rc;
}
else if (packet_type == CONNACK)
*rc = Thread_wait_sem(m->connack_sem, timeout);
else if (packet_type == SUBACK)
*rc = Thread_wait_sem(m->suback_sem, timeout);
else if (packet_type == UNSUBACK)
*rc = Thread_wait_sem(m->unsuback_sem, timeout);
if (*rc == 0 && packet_type != CONNECT && m->pack == NULL)
Log(LOG_ERROR, -1, "waitfor unexpectedly is NULL for client %s, packet_type %d, timeout %ld", m->c->clientID, packet_type, timeout);
pack = m->pack;
}
else
{
*rc = TCPSOCKET_COMPLETE;
while (1)
{
int sock = -1;
pack = MQTTClient_cycle(&sock, 100L, rc);
if (sock == m->c->net.socket)
{
if (*rc == SOCKET_ERROR)
break;
if (pack && (pack->header.bits.type == packet_type))
break;
if (m->c->connect_state == 1)
{
int error;
socklen_t len = sizeof(error);
if ((*rc = getsockopt(m->c->net.socket, SOL_SOCKET, SO_ERROR, (char*)&error, &len)) == 0)
*rc = error;
break;
}
#if defined(OPENSSL)
else if (m->c->connect_state == 2)
{
*rc = SSLSocket_connect(m->c->net.ssl, sock);
if (*rc == SSL_FATAL)
break;
else if (*rc == 1) /* rc == 1 means SSL connect has finished and succeeded */
{
if (!m->c->cleansession && m->c->session == NULL)
m->c->session = SSL_get1_session(m->c->net.ssl);
break;
}
}
#endif
else if (m->c->connect_state == 3)
{
int error;
socklen_t len = sizeof(error);
if (getsockopt(m->c->net.socket, SOL_SOCKET, SO_ERROR, (char*)&error, &len) == 0)
{
if (error)
{
*rc = error;
break;
}
}
}
}
if (MQTTClient_elapsed(start) > timeout)
{
pack = NULL;
break;
}
}
}
exit:
FUNC_EXIT_RC(*rc);
return pack;
}
static int test_tls13ccs(int tst)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *sssl = NULL, *cssl = NULL;
int ret = 0;
const char msg[] = "Dummy data";
char buf[80];
size_t written, readbytes;
SSL_SESSION *sess = NULL;
chseen = shseen = sccsseen = ccsaftersh = ccsbeforesh = 0;
sappdataseen = cappdataseen = badccs = badvers = badsessid = 0;
chsessidlen = 0;
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
SSL3_RT_MAX_PLAIN_LENGTH)))
goto err;
/*
* Test 0: Simple Handshake
* Test 1: Simple Handshake, client middlebox compat mode disabled
* Test 2: Simple Handshake, server middlebox compat mode disabled
* Test 3: HRR Handshake
* Test 4: HRR Handshake, client middlebox compat mode disabled
* Test 5: HRR Handshake, server middlebox compat mode disabled
* Test 6: Early data handshake
* Test 7: Early data handshake, client middlebox compat mode disabled
* Test 8: Early data handshake, server middlebox compat mode disabled
* Test 9: Early data then HRR
* Test 10: Early data then HRR, client middlebox compat mode disabled
* Test 11: Early data then HRR, server middlebox compat mode disabled
*/
switch (tst) {
case 0:
case 3:
case 6:
case 9:
break;
case 1:
case 4:
case 7:
case 10:
SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
break;
case 2:
case 5:
case 8:
case 11:
SSL_CTX_clear_options(sctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
break;
default:
TEST_error("Invalid test value");
goto err;
}
if (tst >= 6) {
/* Get a session suitable for early_data */
if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
|| !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE)))
goto err;
sess = SSL_get1_session(cssl);
if (!TEST_ptr(sess))
goto err;
SSL_shutdown(cssl);
SSL_shutdown(sssl);
SSL_free(sssl);
SSL_free(cssl);
sssl = cssl = NULL;
}
if ((tst >= 3 && tst <= 5) || tst >= 9) {
/* HRR handshake */
if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-256")))
goto err;
}
s_to_c_fbio = BIO_new(bio_f_watchccs_filter());
c_to_s_fbio = BIO_new(bio_f_watchccs_filter());
if (!TEST_ptr(s_to_c_fbio)
|| !TEST_ptr(c_to_s_fbio)) {
BIO_free(s_to_c_fbio);
BIO_free(c_to_s_fbio);
goto err;
}
/* BIOs get freed on error */
if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, s_to_c_fbio,
c_to_s_fbio)))
goto err;
if (tst >= 6) {
/* Early data */
if (!TEST_true(SSL_set_session(cssl, sess))
|| !TEST_true(SSL_write_early_data(cssl, msg, strlen(msg),
&written))
|| (tst <= 8
&& !TEST_int_eq(SSL_read_early_data(sssl, buf, sizeof(buf),
&readbytes),
SSL_READ_EARLY_DATA_SUCCESS)))
goto err;
if (tst <= 8) {
if (!TEST_int_gt(SSL_connect(cssl), 0))
goto err;
} else {
if (!TEST_int_le(SSL_connect(cssl), 0))
goto err;
}
if (!TEST_int_eq(SSL_read_early_data(sssl, buf, sizeof(buf),
&readbytes),
SSL_READ_EARLY_DATA_FINISH))
goto err;
}
/* Perform handshake (or complete it if doing early data ) */
if (!TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE)))
goto err;
/*
* Check there were no unexpected CCS messages, all record versions
* were as expected, and that the session ids were reflected by the server
* correctly.
*/
if (!TEST_false(badccs) || !TEST_false(badvers) || !TEST_false(badsessid))
goto err;
switch (tst) {
case 0:
if (!TEST_true(sccsseen)
|| !TEST_true(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 1:
if (!TEST_true(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_eq(chsessidlen, 0))
goto err;
break;
case 2:
if (!TEST_false(sccsseen)
|| !TEST_true(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 3:
if (!TEST_true(sccsseen)
|| !TEST_true(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 4:
if (!TEST_true(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_eq(chsessidlen, 0))
goto err;
break;
case 5:
if (!TEST_false(sccsseen)
|| !TEST_true(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 6:
if (!TEST_true(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_true(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 7:
if (!TEST_true(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_eq(chsessidlen, 0))
goto err;
break;
case 8:
if (!TEST_false(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_true(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 9:
if (!TEST_true(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_true(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
case 10:
if (!TEST_true(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_false(ccsbeforesh)
|| !TEST_size_t_eq(chsessidlen, 0))
goto err;
break;
case 11:
if (!TEST_false(sccsseen)
|| !TEST_false(ccsaftersh)
|| !TEST_true(ccsbeforesh)
|| !TEST_size_t_gt(chsessidlen, 0))
goto err;
break;
default:
TEST_error("Invalid test value");
goto err;
}
ret = 1;
err:
SSL_SESSION_free(sess);
SSL_free(sssl);
SSL_free(cssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return ret;
}
/*
* Custom call back tests.
* Test 0: callbacks in TLSv1.2
* Test 1: callbacks in TLSv1.2 with SNI
*/
static int test_custom_exts(int tst)
{
SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
static int server = 1;
static int client = 0;
SSL_SESSION *sess = NULL;
/* Reset callback counters */
clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0;
snicb = 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
}
if (tst == 1
&& !create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2, NULL,
cert, privkey)) {
printf("Unable to create SSL_CTX pair (2)\n");
goto end;
}
/* Create a client side custom extension */
if (!SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb,
&client, parse_cb, &client)) {
printf("Unable to add client custom extension\n");
goto end;
}
/* Should not be able to add duplicates */
if (SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1, add_cb, free_cb,
&client, parse_cb, &client)) {
printf("Unexpected success adding duplicate extension\n");
goto end;
}
/* Create a server side custom extension */
if (!SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb,
&server, parse_cb, &server)) {
printf("Unable to add server custom extension\n");
goto end;
}
if (sctx2 != NULL
&& !SSL_CTX_add_server_custom_ext(sctx2, TEST_EXT_TYPE1,
add_cb, free_cb,
&server, parse_cb,
&server)) {
printf("Unable to add server custom extension for SNI\n");
goto end;
}
/* Should not be able to add duplicates */
if (SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1, add_cb, free_cb,
&server, parse_cb, &server)) {
printf("Unexpected success adding duplicate extension (2)\n");
goto end;
}
if (tst == 1) {
/* Set up SNI */
if (!SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)
|| !SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)) {
printf("Cannot set SNI callbacks\n");
goto end;
}
}
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)
|| !create_ssl_connection(serverssl, clientssl)) {
printf("Cannot create SSL connection\n");
goto end;
}
if (clntaddcb != 1
|| clntparsecb != 1
|| srvaddcb != 1
|| srvparsecb != 1
|| (tst != 1 && snicb != 0)
|| (tst == 1 && snicb != 1)) {
printf("Incorrect callback counts\n");
goto end;
}
sess = SSL_get1_session(clientssl);
SSL_shutdown(clientssl);
SSL_shutdown(serverssl);
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
if (tst == 1) {
/* We don't bother with the resumption aspects for this test */
testresult = 1;
goto end;
}
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)
|| !SSL_set_session(clientssl, sess)
|| !create_ssl_connection(serverssl, clientssl)) {
printf("Cannot create resumption connection\n");
goto end;
}
/*
* For a resumed session we expect to add the ClientHello extension but we
* should ignore it on the server side.
*/
if (clntaddcb != 2
|| clntparsecb != 1
|| srvaddcb != 1
|| srvparsecb != 1) {
printf("Incorrect resumption callback counts\n");
goto end;
}
testresult = 1;
end:
SSL_SESSION_free(sess);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
/* This is the thread function that handles the calling of callback functions if set */
thread_return_type WINAPI MQTTClient_run(void* n)
{
long timeout = 10L; /* first time in we have a small timeout. Gets things started more quickly */
FUNC_ENTRY;
running = 1;
run_id = Thread_getid();
Thread_lock_mutex(mqttclient_mutex);
while (!tostop)
{
int rc = SOCKET_ERROR;
int sock = -1;
MQTTClients* m = NULL;
MQTTPacket* pack = NULL;
Thread_unlock_mutex(mqttclient_mutex);
pack = MQTTClient_cycle(&sock, timeout, &rc);
Thread_lock_mutex(mqttclient_mutex);
if (tostop)
break;
timeout = 1000L;
/* find client corresponding to socket */
if (ListFindItem(handles, &sock, clientSockCompare) == NULL)
{
/* assert: should not happen */
continue;
}
m = (MQTTClient)(handles->current->content);
if (m == NULL)
{
/* assert: should not happen */
continue;
}
if (rc == SOCKET_ERROR)
{
if (m->c->connected)
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_disconnect_internal(m, 0);
Thread_lock_mutex(mqttclient_mutex);
}
else
{
if (m->c->connect_state == 2 && !Thread_check_sem(m->connect_sem))
{
Log(TRACE_MIN, -1, "Posting connect semaphore for client %s", m->c->clientID);
Thread_post_sem(m->connect_sem);
}
if (m->c->connect_state == 3 && !Thread_check_sem(m->connack_sem))
{
Log(TRACE_MIN, -1, "Posting connack semaphore for client %s", m->c->clientID);
Thread_post_sem(m->connack_sem);
}
}
}
else
{
if (m->c->messageQueue->count > 0)
{
qEntry* qe = (qEntry*)(m->c->messageQueue->first->content);
int topicLen = qe->topicLen;
if (strlen(qe->topicName) == topicLen)
topicLen = 0;
Log(TRACE_MIN, -1, "Calling messageArrived for client %s, queue depth %d",
m->c->clientID, m->c->messageQueue->count);
Thread_unlock_mutex(mqttclient_mutex);
rc = (*(m->ma))(m->context, qe->topicName, topicLen, qe->msg);
Thread_lock_mutex(mqttclient_mutex);
/* if 0 (false) is returned by the callback then it failed, so we don't remove the message from
* the queue, and it will be retried later. If 1 is returned then the message data may have been freed,
* so we must be careful how we use it.
*/
if (rc)
ListRemove(m->c->messageQueue, qe);
else
Log(TRACE_MIN, -1, "False returned from messageArrived for client %s, message remains on queue",
m->c->clientID);
}
if (pack)
{
if (pack->header.bits.type == CONNACK && !Thread_check_sem(m->connack_sem))
{
Log(TRACE_MIN, -1, "Posting connack semaphore for client %s", m->c->clientID);
m->pack = pack;
Thread_post_sem(m->connack_sem);
}
else if (pack->header.bits.type == SUBACK)
{
Log(TRACE_MIN, -1, "Posting suback semaphore for client %s", m->c->clientID);
m->pack = pack;
Thread_post_sem(m->suback_sem);
}
else if (pack->header.bits.type == UNSUBACK)
{
Log(TRACE_MIN, -1, "Posting unsuback semaphore for client %s", m->c->clientID);
m->pack = pack;
Thread_post_sem(m->unsuback_sem);
}
}
else if (m->c->connect_state == 1 && !Thread_check_sem(m->connect_sem))
{
int error;
socklen_t len = sizeof(error);
if ((m->rc = getsockopt(m->c->net.socket, SOL_SOCKET, SO_ERROR, (char*)&error, &len)) == 0)
m->rc = error;
Log(TRACE_MIN, -1, "Posting connect semaphore for client %s rc %d", m->c->clientID, m->rc);
Thread_post_sem(m->connect_sem);
}
#if defined(OPENSSL)
else if (m->c->connect_state == 2 && !Thread_check_sem(m->connect_sem))
{
rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket);
if (rc == 1 || rc == SSL_FATAL)
{
if (rc == 1 && !m->c->cleansession && m->c->session == NULL)
m->c->session = SSL_get1_session(m->c->net.ssl);
m->rc = rc;
Log(TRACE_MIN, -1, "Posting connect semaphore for SSL client %s rc %d", m->c->clientID, m->rc);
Thread_post_sem(m->connect_sem);
}
}
#endif
}
}
run_id = 0;
running = tostop = 0;
Thread_unlock_mutex(mqttclient_mutex);
FUNC_EXIT;
return 0;
}
static HANDSHAKE_RESULT *do_handshake_internal(
SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx,
const SSL_TEST_CTX *test_ctx, SSL_SESSION *session_in,
SSL_SESSION **session_out)
{
SSL *server, *client;
BIO *client_to_server, *server_to_client;
HANDSHAKE_EX_DATA server_ex_data, client_ex_data;
CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data;
HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new();
int client_turn = 1, shutdown = 0;
peer_status_t client_status = PEER_RETRY, server_status = PEER_RETRY;
handshake_status_t status = HANDSHAKE_RETRY;
unsigned char* tick = NULL;
size_t tick_len = 0;
SSL_SESSION* sess = NULL;
const unsigned char *proto = NULL;
/* API dictates unsigned int rather than size_t. */
unsigned int proto_len = 0;
memset(&server_ctx_data, 0, sizeof(server_ctx_data));
memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
memset(&client_ctx_data, 0, sizeof(client_ctx_data));
configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx,
&server_ctx_data, &server2_ctx_data, &client_ctx_data);
server = SSL_new(server_ctx);
client = SSL_new(client_ctx);
OPENSSL_assert(server != NULL && client != NULL);
configure_handshake_ssl(server, client, test_ctx);
if (session_in != NULL) {
/* In case we're testing resumption without tickets. */
OPENSSL_assert(SSL_CTX_add_session(server_ctx, session_in));
OPENSSL_assert(SSL_set_session(client, session_in));
}
memset(&server_ex_data, 0, sizeof(server_ex_data));
memset(&client_ex_data, 0, sizeof(client_ex_data));
ret->result = SSL_TEST_INTERNAL_ERROR;
client_to_server = BIO_new(BIO_s_mem());
server_to_client = BIO_new(BIO_s_mem());
OPENSSL_assert(client_to_server != NULL && server_to_client != NULL);
/* Non-blocking bio. */
BIO_set_nbio(client_to_server, 1);
BIO_set_nbio(server_to_client, 1);
SSL_set_connect_state(client);
SSL_set_accept_state(server);
/* The bios are now owned by the SSL object. */
SSL_set_bio(client, server_to_client, client_to_server);
OPENSSL_assert(BIO_up_ref(server_to_client) > 0);
OPENSSL_assert(BIO_up_ref(client_to_server) > 0);
SSL_set_bio(server, client_to_server, server_to_client);
ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL);
OPENSSL_assert(ex_data_idx >= 0);
OPENSSL_assert(SSL_set_ex_data(server, ex_data_idx,
&server_ex_data) == 1);
OPENSSL_assert(SSL_set_ex_data(client, ex_data_idx,
&client_ex_data) == 1);
SSL_set_info_callback(server, &info_cb);
SSL_set_info_callback(client, &info_cb);
/*
* Half-duplex handshake loop.
* Client and server speak to each other synchronously in the same process.
* We use non-blocking BIOs, so whenever one peer blocks for read, it
* returns PEER_RETRY to indicate that it's the other peer's turn to write.
* The handshake succeeds once both peers have succeeded. If one peer
* errors out, we also let the other peer retry (and presumably fail).
*/
for(;;) {
if (client_turn) {
client_status = do_handshake_step(client, shutdown);
status = handshake_status(client_status, server_status,
1 /* client went last */);
} else {
server_status = do_handshake_step(server, shutdown);
status = handshake_status(server_status, client_status,
0 /* server went last */);
}
switch (status) {
case HANDSHAKE_SUCCESS:
if (shutdown) {
ret->result = SSL_TEST_SUCCESS;
goto err;
} else {
client_status = server_status = PEER_RETRY;
shutdown = 1;
client_turn = 1;
break;
}
case CLIENT_ERROR:
ret->result = SSL_TEST_CLIENT_FAIL;
goto err;
case SERVER_ERROR:
ret->result = SSL_TEST_SERVER_FAIL;
goto err;
case INTERNAL_ERROR:
ret->result = SSL_TEST_INTERNAL_ERROR;
goto err;
case HANDSHAKE_RETRY:
/* Continue. */
client_turn ^= 1;
break;
}
}
err:
ret->server_alert_sent = server_ex_data.alert_sent;
ret->server_alert_received = client_ex_data.alert_received;
ret->client_alert_sent = client_ex_data.alert_sent;
ret->client_alert_received = server_ex_data.alert_received;
ret->server_protocol = SSL_version(server);
ret->client_protocol = SSL_version(client);
ret->servername = server_ex_data.servername;
if ((sess = SSL_get0_session(client)) != NULL)
SSL_SESSION_get0_ticket(sess, &tick, &tick_len);
if (tick == NULL || tick_len == 0)
ret->session_ticket = SSL_TEST_SESSION_TICKET_NO;
else
ret->session_ticket = SSL_TEST_SESSION_TICKET_YES;
ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call;
SSL_get0_next_proto_negotiated(client, &proto, &proto_len);
ret->client_npn_negotiated = dup_str(proto, proto_len);
SSL_get0_next_proto_negotiated(server, &proto, &proto_len);
ret->server_npn_negotiated = dup_str(proto, proto_len);
SSL_get0_alpn_selected(client, &proto, &proto_len);
ret->client_alpn_negotiated = dup_str(proto, proto_len);
SSL_get0_alpn_selected(server, &proto, &proto_len);
ret->server_alpn_negotiated = dup_str(proto, proto_len);
ret->client_resumed = SSL_session_reused(client);
ret->server_resumed = SSL_session_reused(server);
if (session_out != NULL)
*session_out = SSL_get1_session(client);
ctx_data_free_data(&server_ctx_data);
ctx_data_free_data(&server2_ctx_data);
ctx_data_free_data(&client_ctx_data);
SSL_free(server);
SSL_free(client);
return ret;
}
int MQTTClient_connectURIVersion(MQTTClient handle, MQTTClient_connectOptions* options, const char* serverURI, int MQTTVersion,
START_TIME_TYPE start, long millisecsTimeout)
{
MQTTClients* m = handle;
int rc = SOCKET_ERROR;
int sessionPresent = 0;
FUNC_ENTRY;
if (m->ma && !running)
{
Thread_start(MQTTClient_run, handle);
if (MQTTClient_elapsed(start) >= millisecsTimeout)
{
rc = SOCKET_ERROR;
goto exit;
}
MQTTClient_sleep(100L);
}
Log(TRACE_MIN, -1, "Connecting to serverURI %s with MQTT version %d", serverURI, MQTTVersion);
#if defined(OPENSSL)
rc = MQTTProtocol_connect(serverURI, m->c, m->ssl, MQTTVersion);
#else
rc = MQTTProtocol_connect(serverURI, m->c, MQTTVersion);
#endif
if (rc == SOCKET_ERROR)
goto exit;
if (m->c->connect_state == 0)
{
rc = SOCKET_ERROR;
goto exit;
}
if (m->c->connect_state == 1) /* TCP connect started - wait for completion */
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_waitfor(handle, CONNECT, &rc, millisecsTimeout - MQTTClient_elapsed(start));
Thread_lock_mutex(mqttclient_mutex);
if (rc != 0)
{
rc = SOCKET_ERROR;
goto exit;
}
#if defined(OPENSSL)
if (m->ssl)
{
if (SSLSocket_setSocketForSSL(&m->c->net, m->c->sslopts) != MQTTCLIENT_SUCCESS)
{
if (m->c->session != NULL)
if ((rc = SSL_set_session(m->c->net.ssl, m->c->session)) != 1)
Log(TRACE_MIN, -1, "Failed to set SSL session with stored data, non critical");
rc = SSLSocket_connect(m->c->net.ssl, m->c->net.socket);
if (rc == TCPSOCKET_INTERRUPTED)
m->c->connect_state = 2; /* the connect is still in progress */
else if (rc == SSL_FATAL)
{
rc = SOCKET_ERROR;
goto exit;
}
else if (rc == 1)
{
rc = MQTTCLIENT_SUCCESS;
m->c->connect_state = 3;
if (MQTTPacket_send_connect(m->c, MQTTVersion) == SOCKET_ERROR)
{
rc = SOCKET_ERROR;
goto exit;
}
if (!m->c->cleansession && m->c->session == NULL)
m->c->session = SSL_get1_session(m->c->net.ssl);
}
}
else
{
rc = SOCKET_ERROR;
goto exit;
}
}
else
{
#endif
m->c->connect_state = 3; /* TCP connect completed, in which case send the MQTT connect packet */
if (MQTTPacket_send_connect(m->c, MQTTVersion) == SOCKET_ERROR)
{
rc = SOCKET_ERROR;
goto exit;
}
#if defined(OPENSSL)
}
#endif
}
#if defined(OPENSSL)
if (m->c->connect_state == 2) /* SSL connect sent - wait for completion */
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_waitfor(handle, CONNECT, &rc, millisecsTimeout - MQTTClient_elapsed(start));
Thread_lock_mutex(mqttclient_mutex);
if (rc != 1)
{
rc = SOCKET_ERROR;
goto exit;
}
if(!m->c->cleansession && m->c->session == NULL)
m->c->session = SSL_get1_session(m->c->net.ssl);
m->c->connect_state = 3; /* TCP connect completed, in which case send the MQTT connect packet */
if (MQTTPacket_send_connect(m->c, MQTTVersion) == SOCKET_ERROR)
{
rc = SOCKET_ERROR;
goto exit;
}
}
#endif
if (m->c->connect_state == 3) /* MQTT connect sent - wait for CONNACK */
{
MQTTPacket* pack = NULL;
Thread_unlock_mutex(mqttclient_mutex);
pack = MQTTClient_waitfor(handle, CONNACK, &rc, millisecsTimeout - MQTTClient_elapsed(start));
Thread_lock_mutex(mqttclient_mutex);
if (pack == NULL)
rc = SOCKET_ERROR;
else
{
Connack* connack = (Connack*)pack;
Log(TRACE_PROTOCOL, 1, NULL, m->c->net.socket, m->c->clientID, connack->rc);
if ((rc = connack->rc) == MQTTCLIENT_SUCCESS)
{
m->c->connected = 1;
m->c->good = 1;
m->c->connect_state = 0;
if (MQTTVersion == 4)
sessionPresent = connack->flags.bits.sessionPresent;
if (m->c->cleansession)
rc = MQTTClient_cleanSession(m->c);
if (m->c->outboundMsgs->count > 0)
{
ListElement* outcurrent = NULL;
while (ListNextElement(m->c->outboundMsgs, &outcurrent))
{
Messages* m = (Messages*)(outcurrent->content);
m->lastTouch = 0;
}
MQTTProtocol_retry((time_t)0, 1, 1);
if (m->c->connected != 1)
rc = MQTTCLIENT_DISCONNECTED;
}
}
free(connack);
m->pack = NULL;
}
}
exit:
if (rc == MQTTCLIENT_SUCCESS)
{
if (options->struct_version == 4) /* means we have to fill out return values */
{
options->returned.serverURI = serverURI;
options->returned.MQTTVersion = MQTTVersion;
options->returned.sessionPresent = sessionPresent;
}
}
else
{
Thread_unlock_mutex(mqttclient_mutex);
MQTTClient_disconnect1(handle, 0, 0, (MQTTVersion == 3)); /* not "internal" because we don't want to call connection lost */
Thread_lock_mutex(mqttclient_mutex);
}
FUNC_EXIT_RC(rc);
return rc;
}
