/* Request an SSL over TCP/SCTP connection to another system (by IP address). * The in_addr is normal network byte order, but the port number should be given * in HOST BYTE ORDER. This function will call back only after it has made the * connection AND done the initial SSL negotiation. From that point on, you use * the normal read/write calls and decryption will happen transparently. ss * should be a sockaddr_storage, sockaddr_in6, or sockaddr_in as appropriate * (just like what you would pass to connect). sslen should be the sizeof the * structure you are passing in. */ nsock_event_id nsock_connect_ssl(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler, int timeout_msecs, void *userdata, struct sockaddr *saddr, size_t sslen, int proto, unsigned short port, nsock_ssl_session ssl_session) { #ifndef HAVE_OPENSSL fatal("nsock_connect_ssl called - but nsock was built w/o SSL support. QUITTING"); return (nsock_event_id)0; /* UNREACHED */ #else struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr; msiod *nsi = (msiod *)nsiod; mspool *ms = (mspool *)nsp; msevent *nse; if (!ms->sslctx) nsp_ssl_init(ms); assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN); nse = msevent_new(ms, NSE_TYPE_CONNECT_SSL, nsi, timeout_msecs, handler, userdata); assert(nse); /* Set our SSL_SESSION so we can benefit from session-id reuse. */ nsi_set_ssl_session(nsi, (SSL_SESSION *)ssl_session); nsock_log_info(ms, "SSL connection requested to %s:%hu/%s (IOD #%li) EID %li", inet_ntop_ez(ss, sslen), port, (proto == IPPROTO_TCP ? "tcp" : "sctp"), nsi->id, nse->id); /* Do the actual connect() */ nsock_connect_internal(ms, nse, SOCK_STREAM, proto, ss, sslen, port); nsp_add_event(ms, nse); return nse->id; #endif /* HAVE_OPENSSL */ }
/* Request a UNIX domain sockets connection to the same system (by path to socket). * This function connects to the socket of type SOCK_DGRAM. ss should be a * sockaddr_storage, sockaddr_un as appropriate (just like what you would pass to * connect). sslen should be the sizeof the structure you are passing in. */ nsock_event_id nsock_connect_unixsock_datagram(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler, void *userdata, struct sockaddr *saddr, size_t sslen) { struct niod *nsi = (struct niod *)nsiod; struct npool *ms = (struct npool *)nsp; struct nevent *nse; struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr; assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN); nse = event_new(ms, NSE_TYPE_CONNECT, nsi, -1, handler, userdata); assert(nse); nsock_log_info("UNIX domain socket (DGRAM) connection requested to %s (IOD #%li) EID %li", get_unixsock_path(ss), nsi->id, nse->id); nsock_connect_internal(ms, nse, SOCK_DGRAM, 0, ss, sslen, 0); nsock_pool_add_event(ms, nse); return nse->id; }
/* Request a UDP "connection" to another system (by IP address). The in_addr is * normal network byte order, but the port number should be given in HOST BYTE * ORDER. Since this is UDP, no packets are actually sent. The destination IP * and port are just associated with the nsiod (an actual OS connect() call is * made). You can then use the normal nsock write calls on the socket. There * is no timeout since this call always calls your callback at the next * opportunity. The advantages to having a connected UDP socket (as opposed to * just specifying an address with sendto() are that we can now use a consistent * set of write/read calls for TCP/UDP, received packets from the non-partner * are automatically dropped by the OS, and the OS can provide asynchronous * errors (see Unix Network Programming pp224). ss should be a * sockaddr_storage, sockaddr_in6, or sockaddr_in as appropriate (just like what * you would pass to connect). sslen should be the sizeof the structure you are * passing in. */ nsock_event_id nsock_connect_udp(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler, void *userdata, struct sockaddr *saddr, size_t sslen, unsigned short port) { struct niod *nsi = (struct niod *)nsiod; struct npool *ms = (struct npool *)nsp; struct nevent *nse; struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr; assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN); nse = event_new(ms, NSE_TYPE_CONNECT, nsi, -1, handler, userdata); assert(nse); nsock_log_info("UDP connection requested to %s:%hu (IOD #%li) EID %li", inet_ntop_ez(ss, sslen), port, nsi->id, nse->id); nsock_connect_internal(ms, nse, SOCK_DGRAM, IPPROTO_UDP, ss, sslen, port); nsock_pool_add_event(ms, nse); return nse->id; }
/* Request a TCP connection to another system (by IP address). The in_addr is * normal network byte order, but the port number should be given in HOST BYTE * ORDER. ss should be a sockaddr_storage, sockaddr_in6, or sockaddr_in as * appropriate (just like what you would pass to connect). sslen should be the * sizeof the structure you are passing in. */ nsock_event_id nsock_connect_tcp(nsock_pool nsp, nsock_iod ms_iod, nsock_ev_handler handler, int timeout_msecs, void *userdata, struct sockaddr *saddr, size_t sslen, unsigned short port) { msiod *nsi = (msiod *)ms_iod; mspool *ms = (mspool *)nsp; msevent *nse; struct sockaddr_storage *ss = (struct sockaddr_storage *)saddr; assert(nsi->state == NSIOD_STATE_INITIAL || nsi->state == NSIOD_STATE_UNKNOWN); nse = msevent_new(ms, NSE_TYPE_CONNECT, nsi, timeout_msecs, handler, userdata); assert(nse); nsock_log_info(ms, "TCP connection requested to %s:%hu (IOD #%li) EID %li", inet_ntop_ez(ss, sslen), port, nsi->id, nse->id); /* Do the actual connect() */ nsock_connect_internal(ms, nse, SOCK_STREAM, IPPROTO_TCP, ss, sslen, port); nsp_add_event(ms, nse); return nse->id; }
/* handle_connect_results assumes that select or poll have already shown the * descriptor to be active */ void handle_connect_result(struct npool *ms, struct nevent *nse, enum nse_status status) { int optval; socklen_t optlen = sizeof(int); struct niod *iod = nse->iod; #if HAVE_OPENSSL int sslerr; int rc = 0; int sslconnect_inprogress = nse->type == NSE_TYPE_CONNECT_SSL && nse->iod && (nse->sslinfo.ssl_desire == SSL_ERROR_WANT_READ || nse->sslinfo.ssl_desire == SSL_ERROR_WANT_WRITE); #else int sslconnect_inprogress = 0; #endif if (status == NSE_STATUS_TIMEOUT || status == NSE_STATUS_CANCELLED) { nse->status = status; nse->event_done = 1; } else if (sslconnect_inprogress) { /* Do nothing */ } else if (status == NSE_STATUS_SUCCESS) { /* First we want to determine whether the socket really is connected */ if (getsockopt(iod->sd, SOL_SOCKET, SO_ERROR, (char *)&optval, &optlen) != 0) optval = socket_errno(); /* Stupid Solaris */ switch (optval) { case 0: nse->status = NSE_STATUS_SUCCESS; break; /* EACCES can be caused by ICMPv6 dest-unreach-admin, or when a port is blocked by Windows Firewall (WSAEACCES). */ case EACCES: case ECONNREFUSED: case EHOSTUNREACH: case ENETDOWN: case ENETUNREACH: case ENETRESET: case ECONNABORTED: case ETIMEDOUT: case EHOSTDOWN: case ECONNRESET: #ifdef WIN32 case WSAEADDRINUSE: case WSAEADDRNOTAVAIL: #endif #ifndef WIN32 case EPIPE: /* Has been seen after connect on Linux. */ case ENOPROTOOPT: /* Also seen on Linux, perhaps in response to protocol unreachable. */ #endif nse->status = NSE_STATUS_ERROR; nse->errnum = optval; break; default: /* I'd like for someone to report it */ fatal("Strange connect error from %s (%d): %s", inet_ntop_ez(&iod->peer, iod->peerlen), optval, socket_strerror(optval)); } /* Now special code for the SSL case where the TCP connection was successful. */ if (nse->type == NSE_TYPE_CONNECT_SSL && nse->status == NSE_STATUS_SUCCESS) { #if HAVE_OPENSSL assert(ms->sslctx != NULL); /* Reuse iod->ssl if present. If set, this is the second try at connection without the SSL_OP_NO_SSLv2 option set. */ if (iod->ssl == NULL) { iod->ssl = SSL_new(ms->sslctx); if (!iod->ssl) fatal("SSL_new failed: %s", ERR_error_string(ERR_get_error(), NULL)); } #if HAVE_SSL_SET_TLSEXT_HOST_NAME if (iod->hostname != NULL) { if (SSL_set_tlsext_host_name(iod->ssl, iod->hostname) != 1) fatal("SSL_set_tlsext_host_name failed: %s", ERR_error_string(ERR_get_error(), NULL)); } #endif /* Associate our new SSL with the connected socket. It will inherit the * non-blocking nature of the sd */ if (SSL_set_fd(iod->ssl, iod->sd) != 1) fatal("SSL_set_fd failed: %s", ERR_error_string(ERR_get_error(), NULL)); /* Event not done -- need to do SSL connect below */ nse->sslinfo.ssl_desire = SSL_ERROR_WANT_CONNECT; #endif } else { /* This is not an SSL connect (in which case we are always done), or the * TCP connect() underlying the SSL failed (in which case we are also done */ nse->event_done = 1; } } else { fatal("Unknown status (%d)", status); } /* At this point the TCP connection is done, whether successful or not. * Therefore decrease the read/write listen counts that were incremented in * nsock_pool_add_event. In the SSL case, we may increase one of the counts depending * on whether SSL_connect returns an error of SSL_ERROR_WANT_READ or * SSL_ERROR_WANT_WRITE. In that case we will re-enter this function, but we * don't want to execute this block again. */ if (iod->sd != -1 && !sslconnect_inprogress) { int ev = EV_NONE; ev |= socket_count_read_dec(iod); ev |= socket_count_write_dec(iod); ev |= EV_EXCEPT; update_events(iod, ms, EV_NONE, ev); } #if HAVE_OPENSSL if (nse->type == NSE_TYPE_CONNECT_SSL && !nse->event_done) { /* Lets now start/continue/finish the connect! */ if (iod->ssl_session) { rc = SSL_set_session(iod->ssl, iod->ssl_session); if (rc == 0) nsock_log_error("Uh-oh: SSL_set_session() failed - please tell [email protected]"); iod->ssl_session = NULL; /* No need for this any more */ } /* If this is a reinvocation of handle_connect_result, clear out the listen * bits that caused it, based on the previous SSL desire. */ if (sslconnect_inprogress) { int ev; ev = socket_count_dec_ssl_desire(nse); update_events(iod, ms, EV_NONE, ev); } rc = SSL_connect(iod->ssl); if (rc == 1) { /* Woop! Connect is done! */ nse->event_done = 1; /* Check that certificate verification was okay, if requested. */ if (nsi_ssl_post_connect_verify(iod)) { nse->status = NSE_STATUS_SUCCESS; } else { nsock_log_error("certificate verification error for EID %li: %s", nse->id, ERR_error_string(ERR_get_error(), NULL)); nse->status = NSE_STATUS_ERROR; } } else { long options = SSL_get_options(iod->ssl); sslerr = SSL_get_error(iod->ssl, rc); if (rc == -1 && sslerr == SSL_ERROR_WANT_READ) { nse->sslinfo.ssl_desire = sslerr; socket_count_read_inc(iod); update_events(iod, ms, EV_READ, EV_NONE); } else if (rc == -1 && sslerr == SSL_ERROR_WANT_WRITE) { nse->sslinfo.ssl_desire = sslerr; socket_count_write_inc(iod); update_events(iod, ms, EV_WRITE, EV_NONE); } else if (!(options & SSL_OP_NO_SSLv2)) { int saved_ev; /* SSLv3-only and TLSv1-only servers can't be connected to when the * SSL_OP_NO_SSLv2 option is not set, which is the case when the pool * was initialized with nsock_pool_ssl_init_max_speed. Try reconnecting * with SSL_OP_NO_SSLv2. Never downgrade a NO_SSLv2 connection to one * that might use SSLv2. */ nsock_log_info("EID %li reconnecting with SSL_OP_NO_SSLv2", nse->id); saved_ev = iod->watched_events; nsock_engine_iod_unregister(ms, iod); close(iod->sd); nsock_connect_internal(ms, nse, SOCK_STREAM, iod->lastproto, &iod->peer, iod->peerlen, nsock_iod_get_peerport(iod)); nsock_engine_iod_register(ms, iod, saved_ev); SSL_clear(iod->ssl); if(!SSL_clear(iod->ssl)) fatal("SSL_clear failed: %s", ERR_error_string(ERR_get_error(), NULL)); SSL_set_options(iod->ssl, options | SSL_OP_NO_SSLv2); socket_count_read_inc(nse->iod); socket_count_write_inc(nse->iod); update_events(iod, ms, EV_READ|EV_WRITE, EV_NONE); nse->sslinfo.ssl_desire = SSL_ERROR_WANT_CONNECT; } else { nsock_log_info("EID %li %s", nse->id, ERR_error_string(ERR_get_error(), NULL)); nse->event_done = 1; nse->status = NSE_STATUS_ERROR; nse->errnum = EIO; } } } #endif }