1 /******************************************************************************
3 * Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/) *
5 * This program is free software; you can redistribute it and/or *
6 * modify it under the terms of the GNU General Public License *
7 * as published by the Free Software Foundation; either version 2 *
8 * of the License, or (at your option) any later version. *
10 * This program is distributed in the hope that it will be useful, *
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
13 * GNU General Public License for more details. *
15 * You should have received a copy of the GNU General Public License *
16 * along with this program; if not, write to the Free Software Foundation *
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
18 ******************************************************************************/
20 #include "base/tlsstream.hpp"
21 #include "base/utility.hpp"
22 #include "base/exception.hpp"
23 #include "base/logger.hpp"
30 using namespace icinga;
32 int I2_EXPORT TlsStream::m_SSLIndex;
33 bool I2_EXPORT TlsStream::m_SSLIndexInitialized = false;
36 * Constructor for the TlsStream class.
38 * @param role The role of the client.
39 * @param sslContext The SSL context for the client.
41 TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, ConnectionRole role, const std::shared_ptr<SSL_CTX>& sslContext)
42 : SocketEvents(socket, this), m_Eof(false), m_HandshakeOK(false), m_VerifyOK(true), m_ErrorCode(0),
43 m_ErrorOccurred(false), m_Socket(socket), m_Role(role), m_SendQ(new FIFO()), m_RecvQ(new FIFO()),
44 m_CurrentAction(TlsActionNone), m_Retry(false), m_Shutdown(false)
46 std::ostringstream msgbuf;
49 m_SSL = std::shared_ptr<SSL>(SSL_new(sslContext.get()), SSL_free);
52 msgbuf << "SSL_new() failed with code " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
53 Log(LogCritical, "TlsStream", msgbuf.str());
55 BOOST_THROW_EXCEPTION(openssl_error()
56 << boost::errinfo_api_function("SSL_new")
57 << errinfo_openssl_error(ERR_peek_error()));
60 if (!m_SSLIndexInitialized) {
61 m_SSLIndex = SSL_get_ex_new_index(0, const_cast<char *>("TlsStream"), NULL, NULL, NULL);
62 m_SSLIndexInitialized = true;
65 SSL_set_ex_data(m_SSL.get(), m_SSLIndex, this);
67 SSL_set_verify(m_SSL.get(), SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, &TlsStream::ValidateCertificate);
69 socket->MakeNonBlocking();
71 SSL_set_fd(m_SSL.get(), socket->GetFD());
73 if (m_Role == RoleServer)
74 SSL_set_accept_state(m_SSL.get());
76 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
77 if (!hostname.IsEmpty())
78 SSL_set_tlsext_host_name(m_SSL.get(), hostname.CStr());
79 #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
81 SSL_set_connect_state(m_SSL.get());
85 TlsStream::~TlsStream(void)
90 int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
92 SSL *ssl = static_cast<SSL *>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
93 TlsStream *stream = static_cast<TlsStream *>(SSL_get_ex_data(ssl, m_SSLIndex));
96 stream->m_VerifyOK = false;
98 std::ostringstream msgbuf;
99 int err = X509_STORE_CTX_get_error(ctx);
100 msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
101 stream->m_VerifyError = msgbuf.str();
107 bool TlsStream::IsVerifyOK(void) const
112 String TlsStream::GetVerifyError(void) const
114 return m_VerifyError;
118 * Retrieves the X509 certficate for this client.
120 * @returns The X509 certificate.
122 std::shared_ptr<X509> TlsStream::GetClientCertificate(void) const
124 boost::mutex::scoped_lock lock(m_Mutex);
125 return std::shared_ptr<X509>(SSL_get_certificate(m_SSL.get()), &Utility::NullDeleter);
129 * Retrieves the X509 certficate for the peer.
131 * @returns The X509 certificate.
133 std::shared_ptr<X509> TlsStream::GetPeerCertificate(void) const
135 boost::mutex::scoped_lock lock(m_Mutex);
136 return std::shared_ptr<X509>(SSL_get_peer_certificate(m_SSL.get()), X509_free);
139 void TlsStream::OnEvent(int revents)
144 boost::mutex::scoped_lock lock(m_Mutex);
149 char buffer[64 * 1024];
151 if (m_CurrentAction == TlsActionNone) {
152 if (revents & (POLLIN | POLLERR | POLLHUP))
153 m_CurrentAction = TlsActionRead;
154 else if (m_SendQ->GetAvailableBytes() > 0 && (revents & POLLOUT))
155 m_CurrentAction = TlsActionWrite;
157 ChangeEvents(POLLIN);
162 bool success = false;
164 /* Clear error queue for this thread before using SSL_{read,write,do_handshake}.
165 * Otherwise SSL_*_error() does not work reliably.
169 switch (m_CurrentAction) {
172 rc = SSL_read(m_SSL.get(), buffer, sizeof(buffer));
175 m_RecvQ->Write(buffer, rc);
185 count = m_SendQ->Peek(buffer, sizeof(buffer), true);
187 rc = SSL_write(m_SSL.get(), buffer, count);
190 m_SendQ->Read(NULL, rc, true);
195 case TlsActionHandshake:
196 rc = SSL_do_handshake(m_SSL.get());
200 m_HandshakeOK = true;
206 VERIFY(!"Invalid TlsAction");
210 int err = SSL_get_error(m_SSL.get(), rc);
213 case SSL_ERROR_WANT_READ:
215 ChangeEvents(POLLIN);
218 case SSL_ERROR_WANT_WRITE:
220 ChangeEvents(POLLOUT);
223 case SSL_ERROR_ZERO_RETURN:
230 m_ErrorCode = ERR_peek_error();
231 m_ErrorOccurred = true;
233 if (m_ErrorCode != 0) {
234 Log(LogWarning, "TlsStream")
235 << "OpenSSL error: " << ERR_error_string(m_ErrorCode, NULL);
237 Log(LogWarning, "TlsStream", "TLS stream was disconnected.");
249 m_CurrentAction = TlsActionNone;
252 if (m_SendQ->GetAvailableBytes() > 0)
253 ChangeEvents(POLLIN|POLLOUT);
255 ChangeEvents(POLLIN);
260 while (m_RecvQ->IsDataAvailable() && IsHandlingEvents())
261 SignalDataAvailable();
264 if (m_Shutdown && !m_SendQ->IsDataAvailable()) {
272 void TlsStream::HandleError(void) const
274 if (m_ErrorOccurred) {
275 BOOST_THROW_EXCEPTION(openssl_error()
276 << boost::errinfo_api_function("TlsStream::OnEvent")
277 << errinfo_openssl_error(m_ErrorCode));
281 void TlsStream::Handshake(void)
283 boost::mutex::scoped_lock lock(m_Mutex);
285 m_CurrentAction = TlsActionHandshake;
286 ChangeEvents(POLLOUT);
288 while (!m_HandshakeOK && !m_ErrorOccurred && !m_Eof)
292 BOOST_THROW_EXCEPTION(std::runtime_error("Socket was closed during TLS handshake."));
298 * Processes data for the stream.
300 size_t TlsStream::Peek(void *buffer, size_t count, bool allow_partial)
302 boost::mutex::scoped_lock lock(m_Mutex);
305 while (m_RecvQ->GetAvailableBytes() < count && !m_ErrorOccurred && !m_Eof)
310 return m_RecvQ->Peek(buffer, count, true);
313 size_t TlsStream::Read(void *buffer, size_t count, bool allow_partial)
315 boost::mutex::scoped_lock lock(m_Mutex);
318 while (m_RecvQ->GetAvailableBytes() < count && !m_ErrorOccurred && !m_Eof)
323 return m_RecvQ->Read(buffer, count, true);
326 void TlsStream::Write(const void *buffer, size_t count)
328 boost::mutex::scoped_lock lock(m_Mutex);
330 m_SendQ->Write(buffer, count);
332 ChangeEvents(POLLIN|POLLOUT);
335 void TlsStream::Shutdown(void)
338 ChangeEvents(POLLOUT);
344 void TlsStream::Close(void)
346 CloseInternal(false);
349 void TlsStream::CloseInternal(bool inDestructor)
357 SignalDataAvailable();
359 SocketEvents::Unregister();
363 boost::mutex::scoped_lock lock(m_Mutex);
368 (void)SSL_shutdown(m_SSL.get());
377 bool TlsStream::IsEof(void) const
382 bool TlsStream::SupportsWaiting(void) const
387 bool TlsStream::IsDataAvailable(void) const
389 boost::mutex::scoped_lock lock(m_Mutex);
391 return m_RecvQ->GetAvailableBytes() > 0;
394 Socket::Ptr TlsStream::GetSocket(void) const