viossl.c

/* Copyright (C) 2000 MySQL AB

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */

/*
  Note that we can't have assertion on file descriptors;  The reason for
  this is that during mysql shutdown, another thread can close a file
  we are working on.  In this case we should just return read errors from
  the file descriptior.
*/

#include <my_global.h>

#ifdef HAVE_OPENSSL

#include <mysql_com.h>

#include <errno.h>
#include <assert.h>
#include <violite.h>
#include <my_sys.h>
#include <my_net.h>
#include <m_string.h>

#ifndef __WIN__
#define HANDLE void *
#endif

static void
report_errors()
{
  unsigned long	l;
  const char*	file;
  const char*	data;
  int		line,flags;
  DBUG_ENTER("report_errors");

  while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)))
  {
    char buf[512];
    DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
			 file,line,(flags&ERR_TXT_STRING)?data:"")) ;
  }
  DBUG_PRINT("info", ("errno: %d", socket_errno));
  DBUG_VOID_RETURN;
}

/*
  Delete a vio object

  SYNPOSIS
    vio_ssl_delete()
    vio			Vio object.  May be 0.
*/


void vio_ssl_delete(Vio * vio)
{
  if (vio)
  {
    if (vio->type != VIO_CLOSED)
      vio_close(vio);
    my_free((gptr) vio,MYF(0));
  }
}


int vio_ssl_errno(Vio *vio __attribute__((unused)))
{
  return socket_errno;	/* On Win32 this mapped to WSAGetLastError() */
}


int vio_ssl_read(Vio * vio, gptr buf, int size)
{
  int r;
  DBUG_ENTER("vio_ssl_read");
  DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d, ssl_=%p",
		       vio->sd, buf, size, vio->ssl_));

  if ((r= SSL_read(vio->ssl_, buf, size)) < 0)
  {
    int err= SSL_get_error(vio->ssl_, r);
    DBUG_PRINT("error",("SSL_read(): %d  SSL_get_error(): %d", r, err));
    report_errors();
  }
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
}


int vio_ssl_write(Vio * vio, const gptr buf, int size)
{
  int r;
  DBUG_ENTER("vio_ssl_write");
  DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size));

  if ((r= SSL_write(vio->ssl_, buf, size)) < 0)
    report_errors();
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
}


int vio_ssl_fastsend(Vio * vio __attribute__((unused)))
{
  int r= 0;
  DBUG_ENTER("vio_ssl_fastsend");

#ifdef IPTOS_THROUGHPUT
  {
#ifndef __EMX__
    int tos = IPTOS_THROUGHPUT;
    if (!setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos)))
#endif				/* !__EMX__ */
    {
      int nodelay = 1;
      if (setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void *) &nodelay,
		     sizeof(nodelay))) {
	DBUG_PRINT("warning",
		   ("Couldn't set socket option for fast send"));
	r= -1;
      }
    }
  }
#endif	/* IPTOS_THROUGHPUT */
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
}


int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive)
{
  int r=0;
  DBUG_ENTER("vio_ssl_keepalive");
  DBUG_PRINT("enter", ("sd=%d, set_keep_alive=%d", vio->sd, (int)
		       set_keep_alive));
  if (vio->type != VIO_TYPE_NAMEDPIPE)
  {
    uint opt = (set_keep_alive) ? 1 : 0;
    r= setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt,
		  sizeof(opt));
  }
  DBUG_RETURN(r);
}


my_bool
vio_ssl_should_retry(Vio * vio __attribute__((unused)))
{
  int en = socket_errno;
  return (en == SOCKET_EAGAIN || en == SOCKET_EINTR ||
	  en == SOCKET_EWOULDBLOCK);
}


int vio_ssl_close(Vio * vio)
{
  int r;
  DBUG_ENTER("vio_ssl_close");
  r=0;
  if (vio->ssl_)
  {
    r = SSL_shutdown(vio->ssl_);
    SSL_free(vio->ssl_);
    vio->ssl_= 0;
  }
  if (vio->sd >= 0)
  {
    if (shutdown(vio->sd, 2))
      r= -1;
    if (closesocket(vio->sd))
      r= -1;
  }
  if (r)
  {
    DBUG_PRINT("error", ("close() failed, error: %d",socket_errno));
    report_errors();
    /* FIXME: error handling (not critical for MySQL) */
  }
  vio->type= VIO_CLOSED;
  vio->sd=   -1;
  DBUG_RETURN(r);
}


const char *vio_ssl_description(Vio * vio)
{
  return vio->desc;
}

enum enum_vio_type vio_ssl_type(Vio* vio)
{
  return vio->type;
}

my_socket vio_ssl_fd(Vio* vio)
{
  return vio->sd;
}


my_bool vio_ssl_peer_addr(Vio * vio, char *buf, uint16 *port)
{
  DBUG_ENTER("vio_ssl_peer_addr");
  DBUG_PRINT("enter", ("sd=%d", vio->sd));
  if (vio->localhost)
  {
    strmov(buf,"127.0.0.1");
    *port=0;
  }
  else
  {
    size_socket addrLen = sizeof(struct sockaddr);
    if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)),
		    &addrLen) != 0)
    {
      DBUG_PRINT("exit", ("getpeername, error: %d", socket_errno));
      DBUG_RETURN(1);
    }
#ifdef TO_BE_FIXED
    my_inet_ntoa(vio->remote.sin_addr,buf);
    *port= 0;
#else
    strmov(buf, "unknown");
    *port= 0;
#endif
  }
  DBUG_PRINT("exit", ("addr=%s", buf));
  DBUG_RETURN(0);
}


void vio_ssl_in_addr(Vio *vio, struct in_addr *in)
{
  DBUG_ENTER("vio_ssl_in_addr");
  if (vio->localhost)
    bzero((char*) in, sizeof(*in));	/* This should never be executed */
  else
    *in=vio->remote.sin_addr;
  DBUG_VOID_RETURN;
}


/*
  TODO: Add documentation
*/

int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
{
  char *str;
  char buf[1024];
  X509* client_cert;
  my_bool unused;
  my_bool net_blocking;
  enum enum_vio_type old_type;  
  DBUG_ENTER("sslaccept");
  DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr));

  old_type= vio->type;
  net_blocking = vio_is_blocking(vio);
  vio_blocking(vio, 1, &unused);	/* Must be called before reset */
  vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
  vio->ssl_=0;
  if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
  {
    DBUG_PRINT("error", ("SSL_new failure"));
    report_errors();
    vio_reset(vio, old_type,vio->sd,0,FALSE);
    vio_blocking(vio, net_blocking, &unused);
    DBUG_RETURN(1);
  }
  DBUG_PRINT("info", ("ssl_=%p  timeout=%ld",vio->ssl_, timeout));
  SSL_clear(vio->ssl_);
  SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
  SSL_set_fd(vio->ssl_,vio->sd);
  SSL_set_accept_state(vio->ssl_);
  if (SSL_do_handshake(vio->ssl_) < 1 ||
      SSL_get_verify_result(vio->ssl_) != X509_V_OK)
  {
    DBUG_PRINT("error", ("SSL_do_handshake failure"));
    report_errors();
    SSL_free(vio->ssl_);
    vio->ssl_=0;
    vio_reset(vio, old_type,vio->sd,0,FALSE);
    vio_blocking(vio, net_blocking, &unused);
    DBUG_RETURN(1);
  }
#ifndef DBUF_OFF
  DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
		     ,SSL_get_cipher_name(vio->ssl_)));
  client_cert = SSL_get_peer_certificate (vio->ssl_);
  if (client_cert != NULL)
  {
    DBUG_PRINT("info",("Client certificate:"));
    str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
    DBUG_PRINT("info",("\t subject: %s", str));
    free (str);

    str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0);
    DBUG_PRINT("info",("\t issuer: %s", str));
    free (str);

    X509_free (client_cert);
  }
  else
    DBUG_PRINT("info",("Client does not have certificate."));

  str=SSL_get_shared_ciphers(vio->ssl_, buf, sizeof(buf));
  if (str)
  {
    DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str));
  }
  else
  {
    DBUG_PRINT("info",("no shared ciphers!"));
  }

#endif
  DBUG_RETURN(0);
}


int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
{
  char *str;
  X509*    server_cert;
  my_bool unused;
  my_bool net_blocking;
  enum enum_vio_type old_type;  
  DBUG_ENTER("sslconnect");
  DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_));

  old_type= vio->type;
  net_blocking = vio_is_blocking(vio);
  vio_blocking(vio, 1, &unused);	/* Must be called before reset */
  vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
  vio->ssl_=0;
  if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
  {
    DBUG_PRINT("error", ("SSL_new failure"));
    report_errors();
    vio_reset(vio, old_type,vio->sd,0,FALSE);
    vio_blocking(vio, net_blocking, &unused);    
    DBUG_RETURN(1);
  }
  DBUG_PRINT("info", ("ssl_=%p  timeout=%ld",vio->ssl_, timeout));
  SSL_clear(vio->ssl_);
  SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
  SSL_set_fd (vio->ssl_, vio->sd);
  SSL_set_connect_state(vio->ssl_);
  if (SSL_do_handshake(vio->ssl_) < 1 ||
      SSL_get_verify_result(vio->ssl_) != X509_V_OK)
  {
    DBUG_PRINT("error", ("SSL_do_handshake failure"));
    report_errors();
    SSL_free(vio->ssl_);
    vio->ssl_=0;
    vio_reset(vio, old_type,vio->sd,0,FALSE);
    vio_blocking(vio, net_blocking, &unused);
    DBUG_RETURN(1);
  }  
#ifndef DBUG_OFF
  DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
		     ,SSL_get_cipher_name(vio->ssl_)));
  server_cert = SSL_get_peer_certificate (vio->ssl_);
  if (server_cert != NULL)
  {
    DBUG_PRINT("info",("Server certificate:"));
    str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0);
    DBUG_PRINT("info",("\t subject: %s", str));
    free(str);

    str = X509_NAME_oneline (X509_get_issuer_name  (server_cert), 0, 0);
    DBUG_PRINT("info",("\t issuer: %s", str));
    free(str);

    /*
      We could do all sorts of certificate verification stuff here before
      deallocating the certificate.
    */
    X509_free (server_cert);
  }
  else
    DBUG_PRINT("info",("Server does not have certificate."));
#endif
  DBUG_RETURN(0);
}


int vio_ssl_blocking(Vio * vio __attribute__((unused)),
		     my_bool set_blocking_mode,
		     my_bool *old_mode)
{
  /* Return error if we try to change to non_blocking mode */
  *old_mode=1;					/* Mode is always blocking */
  return set_blocking_mode ? 0 : 1;
}

#endif /* HAVE_OPENSSL */