static ssize_t write_ossl(ne_socket *sock, const char *data, size_t len) { int ret, ilen = CAST2INT(len); ret = SSL_write(sock->ssl, data, ilen); /* ssl.h says SSL_MODE_ENABLE_PARTIAL_WRITE must be enabled to * have SSL_write return < length... so, SSL_write should never * return < length. */ if (ret != ilen) return error_ossl(sock, ret); return ret; }
static ssize_t read_ossl(ne_socket *sock, char *buffer, size_t len) { int ret; ret = readable_ossl(sock, sock->rdtimeout); if (ret) return ret; ret = SSL_read(sock->ssl, buffer, CAST2INT(len)); if (ret <= 0) ret = error_ossl(sock, ret); return ret; }
int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx) { int ret; ne_ssl_socket ssl; #if defined(HAVE_OPENSSL) ssl = SSL_new(ctx->ctx); SSL_set_fd(ssl, sock->fd); sock->ssl = ssl; ret = SSL_accept(ssl); if (ret != 1) { return error_ossl(sock, ret); } #elif defined(HAVE_GNUTLS) gnutls_init(&ssl, GNUTLS_SERVER); gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred); gnutls_set_default_priority(ssl); /* Set up dummy session cache. */ gnutls_db_set_store_function(ssl, store_sess); gnutls_db_set_retrieve_function(ssl, retrieve_sess); gnutls_db_set_remove_function(ssl, remove_sess); gnutls_db_set_ptr(ssl, ctx); if (ctx->verify) gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST); sock->ssl = ssl; gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd); ret = gnutls_handshake(ssl); if (ret < 0) { return error_gnutls(sock, ret); } if (ctx->verify && gnutls_certificate_verify_peers(ssl)) { set_error(sock, _("Client certificate verification failed")); return NE_SOCK_ERROR; } #endif sock->ops = &iofns_ssl; return 0; }
int ne_sock_use_ssl_os(ne_socket *sock, SSL_CTX *ctx, SSL_SESSION *sess, SSL **ssl, void *appdata) { int ret; if (!prng_seeded && RAND_status() != 1) { set_error(sock, _("SSL disabled due to lack of entropy")); return NE_SOCK_ERROR; } sock->ssl = SSL_new(ctx); if (!sock->ssl) { set_error(sock, _("Could not create SSL structure")); return NE_SOCK_ERROR; } if (appdata) { SSL_set_app_data(sock->ssl, appdata); } sock->ops = &iofns_ossl; SSL_set_mode(sock->ssl, SSL_MODE_AUTO_RETRY); SSL_set_fd(sock->ssl, sock->fd); if (sess) SSL_set_session(sock->ssl, sess); ret = SSL_connect(sock->ssl); if (ret != 1) { error_ossl(sock, ret); SSL_free(sock->ssl); sock->ssl = NULL; return NE_SOCK_ERROR; } if (ssl) *ssl = sock->ssl; return 0; }
int ne_sock_connect_ssl(ne_socket *sock, ne_ssl_context *ctx, void *userdata) { int ret; #if defined(HAVE_OPENSSL) SSL *ssl; if (seed_ssl_prng()) { set_error(sock, _("SSL disabled due to lack of entropy")); return NE_SOCK_ERROR; } /* If runtime library version differs from compile-time version * number in major/minor/fix level, abort soon. */ if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & 0xFFFFF000) { set_error(sock, _("SSL disabled due to library version mismatch")); return NE_SOCK_ERROR; } sock->ssl = ssl = SSL_new(ctx->ctx); if (!ssl) { set_error(sock, _("Could not create SSL structure")); return NE_SOCK_ERROR; } SSL_set_app_data(ssl, userdata); SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); SSL_set_fd(ssl, sock->fd); sock->ops = &iofns_ssl; if (ctx->sess) SSL_set_session(ssl, ctx->sess); ret = SSL_connect(ssl); if (ret != 1) { error_ossl(sock, ret); SSL_free(ssl); sock->ssl = NULL; return NE_SOCK_ERROR; } #elif defined(HAVE_GNUTLS) /* DH and RSA params are set in ne_ssl_context_create */ gnutls_init(&sock->ssl, GNUTLS_CLIENT); gnutls_set_default_priority(sock->ssl); gnutls_session_set_ptr(sock->ssl, userdata); gnutls_credentials_set(sock->ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred); gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd); if (ctx->cache.client.data) { #if defined(HAVE_GNUTLS_SESSION_GET_DATA2) gnutls_session_set_data(sock->ssl, ctx->cache.client.data, ctx->cache.client.size); #else gnutls_session_set_data(sock->ssl, ctx->cache.client.data, ctx->cache.client.len); #endif } sock->ops = &iofns_ssl; ret = gnutls_handshake(sock->ssl); if (ret < 0) { error_gnutls(sock, ret); return NE_SOCK_ERROR; } if (!gnutls_session_is_resumed(sock->ssl)) { /* New session. The old method of using the _get_data * function seems to be broken with 1.3.0 and later*/ #if defined(HAVE_GNUTLS_SESSION_GET_DATA2) gnutls_session_get_data2(sock->ssl, &ctx->cache.client); #else ctx->cache.client.len = 0; if (gnutls_session_get_data(sock->ssl, NULL, &ctx->cache.client.len) == 0) { ctx->cache.client.data = ne_malloc(ctx->cache.client.len); gnutls_session_get_data(sock->ssl, ctx->cache.client.data, &ctx->cache.client.len); } #endif } #endif return 0; }