Tree - source-git/memcached - CentOS Git server

source-git / memcached

Blame tls.c

Blob History Raw

Packit Service	584ef9	`#include "memcached.h"`
Packit Service	584ef9
Packit Service	584ef9	`#ifdef TLS`
Packit Service	584ef9
Packit Service	584ef9	`#include "tls.h"`
Packit Service	584ef9	`#include <string.h>`
Packit Service	584ef9	`#include <sysexits.h>`
Packit Service	584ef9	`#include <sys/param.h>`
Packit Service	584ef9
Packit Service	584ef9	`#ifndef MAXPATHLEN`
Packit Service	584ef9	`#define MAXPATHLEN 4096`
Packit Service	584ef9	`#endif`
Packit Service	584ef9
Packit Service	584ef9	`static pthread_mutex_t ssl_ctx_lock = PTHREAD_MUTEX_INITIALIZER;`
Packit Service	584ef9
Packit Service	584ef9	`const unsigned MAX_ERROR_MSG_SIZE = 128;`
Packit Service	584ef9
Packit Service	584ef9	`void SSL_LOCK() {`
Packit Service	584ef9	`pthread_mutex_lock(&(ssl_ctx_lock));`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`void SSL_UNLOCK(void) {`
Packit Service	584ef9	`pthread_mutex_unlock(&(ssl_ctx_lock));`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`/*`
Packit Service	584ef9	`* Reads decrypted data from the underlying BIO read buffers,`
Packit Service	584ef9	`* which reads from the socket.`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`ssize_t ssl_read(conn c, void buf, size_t count) {`
Packit Service	584ef9	`assert (c != NULL);`
Packit Service	584ef9	`/* TODO : document the state machine interactions for SSL_read with`
Packit Service	584ef9	`non-blocking sockets/ SSL re-negotiations`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`return SSL_read(c->ssl, buf, count);`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`/*`
Packit Service	584ef9	`* SSL sendmsg implementation. Perform a SSL_write.`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`ssize_t ssl_sendmsg(conn c, struct msghdr msg, int flags) {`
Packit Service	584ef9	`assert (c != NULL);`
Packit Service	584ef9	`size_t buf_remain = settings.ssl_wbuf_size;`
Packit Service	584ef9	`size_t bytes = 0;`
Packit Service	584ef9	`size_t to_copy;`
Packit Service	584ef9	`int i;`
Packit Service	584ef9
Packit Service	584ef9	`// ssl_wbuf is pointing to the buffer allocated in the worker thread.`
Packit Service	584ef9	`assert(c->ssl_wbuf);`
Packit Service	584ef9	`// TODO: allocate a fix buffer in crawler/logger if they start using`
Packit Service	584ef9	`// the sendmsg method. Also, set c->ssl_wbuf when the side thread`
Packit Service	584ef9	`// start owning the connection and reset the pointer in`
Packit Service	584ef9	`// conn_worker_readd.`
Packit Service	584ef9	`// Currntly this connection would not be served by a different thread`
Packit Service	584ef9	`// than the one it's assigned.`
Packit Service	584ef9	`assert(pthread_equal(c->thread->thread_id, pthread_self()) != 0);`
Packit Service	584ef9
Packit Service	584ef9	`char *bp = c->ssl_wbuf;`
Packit Service	584ef9	`for (i = 0; i < msg->msg_iovlen; i++) {`
Packit Service	584ef9	`size_t len = msg->msg_iov[i].iov_len;`
Packit Service	584ef9	`to_copy = len < buf_remain ? len : buf_remain;`
Packit Service	584ef9
Packit Service	584ef9	`memcpy(bp + bytes, (void*)msg->msg_iov[i].iov_base, to_copy);`
Packit Service	584ef9	`buf_remain -= to_copy;`
Packit Service	584ef9	`bytes += to_copy;`
Packit Service	584ef9	`if (buf_remain == 0)`
Packit Service	584ef9	`break;`
Packit Service	584ef9	`}`
Packit Service	584ef9	`/* TODO : document the state machine interactions for SSL_write with`
Packit Service	584ef9	`non-blocking sockets/ SSL re-negotiations`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`return SSL_write(c->ssl, c->ssl_wbuf, bytes);`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`/*`
Packit Service	584ef9	`* Writes data to the underlying BIO write buffers,`
Packit Service	584ef9	`* which encrypt and write them to the socket.`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`ssize_t ssl_write(conn c, void buf, size_t count) {`
Packit Service	584ef9	`assert (c != NULL);`
Packit Service	584ef9	`return SSL_write(c->ssl, buf, count);`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`/*`
Packit Service	584ef9	`* Loads server certificates to the SSL context and validate them.`
Packit Service	584ef9	`* @return whether certificates are successfully loaded and verified or not.`
Packit Service	584ef9	`* @param error_msg contains the error when unsuccessful.`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`static bool load_server_certificates(char **errmsg) {`
Packit Service	584ef9	`bool success = true;`
Packit Service	584ef9	`char *error_msg = malloc(MAXPATHLEN + MAX_ERROR_MSG_SIZE);`
Packit Service	584ef9	`size_t errmax = MAXPATHLEN + MAX_ERROR_MSG_SIZE - 1;`
Packit Service	584ef9	`if (error_msg == NULL) {`
Packit Service	584ef9	`*errmsg = NULL;`
Packit Service	584ef9	`return false;`
Packit Service	584ef9	`}`
Packit Service	a41de5	`if (settings.ssl_ctx == NULL) {`
Packit Service	a41de5	`snprintf(error_msg, errmax, "Error TLS not enabled\r\n");`
Packit Service	a41de5	`*errmsg = error_msg;`
Packit Service	a41de5	`return false;`
Packit Service	a41de5	`}`
Packit Service	584ef9	`SSL_LOCK();`
Packit Service	584ef9	`if (!SSL_CTX_use_certificate_chain_file(settings.ssl_ctx,`
Packit Service	584ef9	`settings.ssl_chain_cert)) {`
Packit Service	584ef9	`snprintf(error_msg, errmax, "Error loading the certificate chain: %s\r\n",`
Packit Service	584ef9	`settings.ssl_chain_cert);`
Packit Service	584ef9	`success = false;`
Packit Service	584ef9	`} else if (!SSL_CTX_use_PrivateKey_file(settings.ssl_ctx, settings.ssl_key,`
Packit Service	584ef9	`settings.ssl_keyformat)) {`
Packit Service	584ef9	`snprintf(error_msg, errmax, "Error loading the key: %s\r\n", settings.ssl_key);`
Packit Service	584ef9	`success = false;`
Packit Service	584ef9	`} else if (!SSL_CTX_check_private_key(settings.ssl_ctx)) {`
Packit Service	584ef9	`snprintf(error_msg, errmax, "Error validating the certificate\r\n");`
Packit Service	584ef9	`success = false;`
Packit Service	584ef9	`} else if (settings.ssl_ca_cert) {`
Packit Service	584ef9	`if (!SSL_CTX_load_verify_locations(settings.ssl_ctx,`
Packit Service	584ef9	`settings.ssl_ca_cert, NULL)) {`
Packit Service	584ef9	`snprintf(error_msg, errmax,`
Packit Service	584ef9	`"Error loading the CA certificate: %s\r\n", settings.ssl_ca_cert);`
Packit Service	584ef9	`success = false;`
Packit Service	584ef9	`} else {`
Packit Service	584ef9	`SSL_CTX_set_client_CA_list(settings.ssl_ctx,`
Packit Service	584ef9	`SSL_load_client_CA_file(settings.ssl_ca_cert));`
Packit Service	584ef9	`}`
Packit Service	584ef9	`}`
Packit Service	584ef9	`SSL_UNLOCK();`
Packit Service	584ef9	`if (success) {`
Packit Service	584ef9	`settings.ssl_last_cert_refresh_time = current_time;`
Packit Service	584ef9	`free(error_msg);`
Packit Service	584ef9	`} else {`
Packit Service	584ef9	`*errmsg = error_msg;`
Packit Service	584ef9	`}`
Packit Service	584ef9	`return success;`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`/*`
Packit Service	584ef9	`* Verify SSL settings and initiates the SSL context.`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`int ssl_init(void) {`
Packit Service	584ef9	`assert(settings.ssl_enabled);`
Packit Service	584ef9	`// SSL context for the process. All connections will share one`
Packit Service	584ef9	`// process level context.`
Packit Service	584ef9	`settings.ssl_ctx = SSL_CTX_new(TLS_server_method());`
Packit Service	584ef9	`// Clients should use at least TLSv1.2`
Packit Service	584ef9	`int flags = SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3 \|`
Packit Service	584ef9	`SSL_OP_NO_TLSv1 \|SSL_OP_NO_TLSv1_1;`
Packit Service	584ef9	`SSL_CTX_set_options(settings.ssl_ctx, flags);`
Packit Service	584ef9
Packit Service	584ef9	`// The server certificate, private key and validations.`
Packit Service	584ef9	`char *error_msg;`
Packit Service	584ef9	`if (!load_server_certificates(&error_msg)) {`
Packit Service	584ef9	`if (settings.verbose) {`
Packit Service	584ef9	`fprintf(stderr, "%s", error_msg);`
Packit Service	584ef9	`}`
Packit Service	584ef9	`free(error_msg);`
Packit Service	584ef9	`exit(EX_USAGE);`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`// The verification mode of client certificate, default is SSL_VERIFY_PEER.`
Packit Service	584ef9	`SSL_CTX_set_verify(settings.ssl_ctx, settings.ssl_verify_mode, NULL);`
Packit Service	584ef9	`if (settings.ssl_ciphers && !SSL_CTX_set_cipher_list(settings.ssl_ctx,`
Packit Service	584ef9	`settings.ssl_ciphers)) {`
Packit Service	584ef9	`if (settings.verbose) {`
Packit Service	584ef9	`fprintf(stderr, "Error setting the provided cipher(s): %s\n",`
Packit Service	584ef9	`settings.ssl_ciphers);`
Packit Service	584ef9	`}`
Packit Service	584ef9	`exit(EX_USAGE);`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`return 0;`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`/*`
Packit Service	584ef9	`* This method is registered with each SSL connection and abort the SSL session`
Packit Service	584ef9	`* if a client initiates a renegotiation.`
Packit Service	584ef9	`* TODO : Proper way to do this is to set SSL_OP_NO_RENEGOTIATION`
Packit Service	584ef9	`* using the SSL_CTX_set_options but that option only available in`
Packit Service	584ef9	`* openssl 1.1.0h or above.`
Packit Service	584ef9	`*/`
Packit Service	584ef9	`void ssl_callback(const SSL *s, int where, int ret) {`
Packit Service	584ef9	`SSL* ssl = (SSL*)s;`
Packit Service	584ef9	`if (SSL_in_before(ssl)) {`
Packit Service	584ef9	`if (settings.verbose) {`
Packit Service	584ef9	`fprintf(stderr, "%d: SSL renegotiation is not supported, "`
Packit Service	584ef9	`"closing the connection\n", SSL_get_fd(ssl));`
Packit Service	584ef9	`}`
Packit Service	584ef9	`SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN);`
Packit Service	584ef9	`return;`
Packit Service	584ef9	`}`
Packit Service	584ef9	`}`
Packit Service	584ef9
Packit Service	584ef9	`bool refresh_certs(char **errmsg) {`
Packit Service	584ef9	`return load_server_certificates(errmsg);`
Packit Service	584ef9	`}`
Packit Service	584ef9	`#endif`

source-git / memcached

Source Code

Blame tls.c