static ssize_t write_ossl(ne_socket *sock, const char *data, size_t len)
{
int ret, ilen = CAST2INT(len);
ret = SSL_write(sock->ssl, data, ilen);
/* ssl.h says SSL_MODE_ENABLE_PARTIAL_WRITE must be enabled to
* have SSL_write return < length... so, SSL_write should never
* return < length. */
if (ret != ilen)
return error_ossl(sock, ret);
return ret;
}
static ssize_t read_ossl(ne_socket *sock, char *buffer, size_t len)
{
int ret;
ret = readable_ossl(sock, sock->rdtimeout);
if (ret) return ret;
ret = SSL_read(sock->ssl, buffer, CAST2INT(len));
if (ret <= 0)
ret = error_ossl(sock, ret);
return ret;
}
int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx)
{
int ret;
ne_ssl_socket ssl;
#if defined(HAVE_OPENSSL)
ssl = SSL_new(ctx->ctx);
SSL_set_fd(ssl, sock->fd);
sock->ssl = ssl;
ret = SSL_accept(ssl);
if (ret != 1) {
return error_ossl(sock, ret);
}
#elif defined(HAVE_GNUTLS)
gnutls_init(&ssl, GNUTLS_SERVER);
gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
gnutls_set_default_priority(ssl);
/* Set up dummy session cache. */
gnutls_db_set_store_function(ssl, store_sess);
gnutls_db_set_retrieve_function(ssl, retrieve_sess);
gnutls_db_set_remove_function(ssl, remove_sess);
gnutls_db_set_ptr(ssl, ctx);
if (ctx->verify)
gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
sock->ssl = ssl;
gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd);
ret = gnutls_handshake(ssl);
if (ret < 0) {
return error_gnutls(sock, ret);
}
if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
set_error(sock, _("Client certificate verification failed"));
return NE_SOCK_ERROR;
}
#endif
sock->ops = &iofns_ssl;
return 0;
}
int ne_sock_use_ssl_os(ne_socket *sock, SSL_CTX *ctx,
SSL_SESSION *sess, SSL **ssl,
void *appdata)
{
int ret;
if (!prng_seeded && RAND_status() != 1) {
set_error(sock, _("SSL disabled due to lack of entropy"));
return NE_SOCK_ERROR;
}
sock->ssl = SSL_new(ctx);
if (!sock->ssl) {
set_error(sock, _("Could not create SSL structure"));
return NE_SOCK_ERROR;
}
if (appdata) {
SSL_set_app_data(sock->ssl, appdata);
}
sock->ops = &iofns_ossl;
SSL_set_mode(sock->ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(sock->ssl, sock->fd);
if (sess)
SSL_set_session(sock->ssl, sess);
ret = SSL_connect(sock->ssl);
if (ret != 1) {
error_ossl(sock, ret);
SSL_free(sock->ssl);
sock->ssl = NULL;
return NE_SOCK_ERROR;
}
if (ssl)
*ssl = sock->ssl;
return 0;
}
int ne_sock_connect_ssl(ne_socket *sock, ne_ssl_context *ctx, void *userdata)
{
int ret;
#if defined(HAVE_OPENSSL)
SSL *ssl;
if (seed_ssl_prng()) {
set_error(sock, _("SSL disabled due to lack of entropy"));
return NE_SOCK_ERROR;
}
/* If runtime library version differs from compile-time version
* number in major/minor/fix level, abort soon. */
if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & 0xFFFFF000) {
set_error(sock, _("SSL disabled due to library version mismatch"));
return NE_SOCK_ERROR;
}
sock->ssl = ssl = SSL_new(ctx->ctx);
if (!ssl) {
set_error(sock, _("Could not create SSL structure"));
return NE_SOCK_ERROR;
}
SSL_set_app_data(ssl, userdata);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(ssl, sock->fd);
sock->ops = &iofns_ssl;
if (ctx->sess)
SSL_set_session(ssl, ctx->sess);
ret = SSL_connect(ssl);
if (ret != 1) {
error_ossl(sock, ret);
SSL_free(ssl);
sock->ssl = NULL;
return NE_SOCK_ERROR;
}
#elif defined(HAVE_GNUTLS)
/* DH and RSA params are set in ne_ssl_context_create */
gnutls_init(&sock->ssl, GNUTLS_CLIENT);
gnutls_set_default_priority(sock->ssl);
gnutls_session_set_ptr(sock->ssl, userdata);
gnutls_credentials_set(sock->ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd);
if (ctx->cache.client.data) {
#if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
gnutls_session_set_data(sock->ssl,
ctx->cache.client.data,
ctx->cache.client.size);
#else
gnutls_session_set_data(sock->ssl,
ctx->cache.client.data,
ctx->cache.client.len);
#endif
}
sock->ops = &iofns_ssl;
ret = gnutls_handshake(sock->ssl);
if (ret < 0) {
error_gnutls(sock, ret);
return NE_SOCK_ERROR;
}
if (!gnutls_session_is_resumed(sock->ssl)) {
/* New session. The old method of using the _get_data
* function seems to be broken with 1.3.0 and later*/
#if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
gnutls_session_get_data2(sock->ssl, &ctx->cache.client);
#else
ctx->cache.client.len = 0;
if (gnutls_session_get_data(sock->ssl, NULL,
&ctx->cache.client.len) == 0) {
ctx->cache.client.data = ne_malloc(ctx->cache.client.len);
gnutls_session_get_data(sock->ssl, ctx->cache.client.data,
&ctx->cache.client.len);
}
#endif
}
#endif
return 0;
}
