* add strerror to our errormessage
[citadel.git] / webcit / crypto.c
index 4d9880c9e4df13715d7db633047d8dc3e8ad4b02..88b6fd66e26430d2f2aca34694eeec8b8a46ab42 100644 (file)
@@ -1,39 +1,56 @@
 /*
  * $Id$
- *
- * Provides HTTPS, when the OpenSSL library is available.
+ */
+/**
+ * \defgroup https  Provides HTTPS, when the OpenSSL library is available.
+ * \ingroup WebcitHttpServer 
  */
 
+/*@{*/
+#include "sysdep.h"
 #ifdef HAVE_OPENSSL
 
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <pthread.h>
-
-#include <sys/time.h>
 #include "webcit.h"
 #include "webserver.h"
-
-#define        CTDL_CRYPTO_DIR         "./keys"
-#define CTDL_KEY_PATH          CTDL_CRYPTO_DIR "/citadel.key"
-#define CTDL_CSR_PATH          CTDL_CRYPTO_DIR "/citadel.csr"
-#define CTDL_CER_PATH          CTDL_CRYPTO_DIR "/citadel.cer"
-#define SIGN_DAYS              365
-
-SSL_CTX *ssl_ctx;              /* SSL context */
-pthread_mutex_t **SSLCritters; /* Things needing locking */
-
-pthread_key_t ThreadSSL;       /* Per-thread SSL context */
-
+/** \todo dirify */
+/** where to find the keys */
+#define        CTDL_CRYPTO_DIR         ctdl_key_dir
+#define CTDL_KEY_PATH          file_crpt_file_key /**< the key */
+#define CTDL_CSR_PATH          file_crpt_file_csr /**< the csr file */
+#define CTDL_CER_PATH          file_crpt_file_cer /**< the cer file */
+#define SIGN_DAYS              365 /**< how long our certificate should live */
+
+SSL_CTX *ssl_ctx;              /**< SSL context */
+pthread_mutex_t **SSLCritters; /**< Things needing locking */
+
+pthread_key_t ThreadSSL;       /**< Per-thread SSL context */
+
+/**
+ * \brief what?????
+ * \return thread id??? 
+ */
 static unsigned long id_callback(void)
 {
        return (unsigned long) pthread_self();
 }
 
+void shutdown_ssl(void)
+{
+       ERR_free_strings();
+
+       /* Openssl requires these while shutdown. 
+        * Didn't find a way to get out of this clean.
+        * int i, n = CRYPTO_num_locks();
+        * for (i = 0; i < n; i++)
+        *      free(SSLCritters[i]);
+        * free(SSLCritters);
+       */
+}
 
+/**
+ * \brief initialize ssl engine
+ * load certs and initialize openssl internals
+ */
 void init_ssl(void)
 {
        SSL_METHOD *ssl_method;
@@ -59,7 +76,8 @@ void init_ssl(void)
        if (!SSLCritters) {
                lprintf(1, "citserver: can't allocate memory!!\n");
                /* Nothing's been initialized, just die */
-               exit(1);
+               ShutDownWebcit();
+               exit(WC_EXIT_SSL);
        } else {
                int a;
 
@@ -68,14 +86,15 @@ void init_ssl(void)
                        if (!SSLCritters[a]) {
                                lprintf(1,
                                        "citserver: can't allocate memory!!\n");
-                               /* Nothing's been initialized, just die */
-                               exit(1);
+                               /** Nothing's been initialized, just die */
+                               ShutDownWebcit();
+                               exit(WC_EXIT_SSL);
                        }
                        pthread_mutex_init(SSLCritters[a], NULL);
                }
        }
 
-       /*
+       /**
         * Initialize SSL transport layer
         */
        SSL_library_init();
@@ -90,18 +109,19 @@ void init_ssl(void)
        CRYPTO_set_locking_callback(ssl_lock);
        CRYPTO_set_id_callback(id_callback);
 
-       /* Get our certificates in order.
+       /**
+        * Get our certificates in order. \todo dirify. this is a setup job.
         * First, create the key/cert directory if it's not there already...
         */
        mkdir(CTDL_CRYPTO_DIR, 0700);
 
-       /*
+       /**
         * Before attempting to generate keys/certificates, first try
         * link to them from the Citadel server if it's on the same host.
         * We ignore any error return because it either meant that there
         * was nothing in Citadel to link from (in which case we just
         * generate new files) or the target files already exist (which
-        * is not fatal either).
+        * is not fatal either). \todo dirify
         */
        if (!strcasecmp(ctdlhost, "uds")) {
                sprintf(buf, "%s/keys/citadel.key", ctdlport);
@@ -112,15 +132,15 @@ void init_ssl(void)
                symlink(buf, CTDL_CER_PATH);
        }
 
-       /*
+       /**
         * If we still don't have a private key, generate one.
         */
        if (access(CTDL_KEY_PATH, R_OK) != 0) {
                lprintf(5, "Generating RSA key pair.\n");
-               rsa = RSA_generate_key(1024,    /* modulus size */
-                                       65537,  /* exponent */
-                                       NULL,   /* no callback */
-                                       NULL);  /* no callback */
+               rsa = RSA_generate_key(1024,    /**< modulus size */
+                                       65537,  /**< exponent */
+                                       NULL,   /**< no callback */
+                                       NULL);  /**< no callback */
                if (rsa == NULL) {
                        lprintf(3, "Key generation failed: %s\n",
                                ERR_reason_error_string(ERR_get_error()));
@@ -129,13 +149,13 @@ void init_ssl(void)
                        fp = fopen(CTDL_KEY_PATH, "w");
                        if (fp != NULL) {
                                chmod(CTDL_KEY_PATH, 0600);
-                               if (PEM_write_RSAPrivateKey(fp, /* the file */
-                                                       rsa,    /* the key */
-                                                       NULL,   /* no enc */
-                                                       NULL,   /* no passphr */
-                                                       0,      /* no passphr */
-                                                       NULL,   /* no callbk */
-                                                       NULL    /* no callbk */
+                               if (PEM_write_RSAPrivateKey(fp, /**< the file */
+                                                       rsa,    /**< the key */
+                                                       NULL,   /**< no enc */
+                                                       NULL,   /**< no passphr */
+                                                       0,      /**< no passphr */
+                                                       NULL,   /**< no callbk */
+                                                       NULL    /**< no callbk */
                                ) != 1) {
                                        lprintf(3, "Cannot write key: %s\n",
                                                ERR_reason_error_string(ERR_get_error()));
@@ -143,17 +163,24 @@ void init_ssl(void)
                                }
                                fclose(fp);
                        }
+                       else {
+                               lprintf(3, "Cannot write key: %s\n", CTDL_KEY_PATH);
+                               ShutDownWebcit();
+                               exit(0);
+                       }
                        RSA_free(rsa);
                }
        }
 
        /*
-        * Generate a CSR if we don't have one.
+        * If there is no certificate file on disk, we will be generating a self-signed certificate
+        * in the next step.  Therefore, if we have neither a CSR nor a certificate, generate
+        * the CSR in this step so that the next step may commence.
         */
-       if (access(CTDL_CSR_PATH, R_OK) != 0) {
+       if ( (access(CTDL_CER_PATH, R_OK) != 0) && (access(CTDL_CSR_PATH, R_OK) != 0) ) {
                lprintf(5, "Generating a certificate signing request.\n");
 
-               /*
+               /**
                 * Read our key from the file.  No, we don't just keep this
                 * in memory from the above key-generation function, because
                 * there is the possibility that the key was already on disk
@@ -167,20 +194,20 @@ void init_ssl(void)
 
                if (rsa) {
 
-                       /* Create a public key from the private key */
+                       /** Create a public key from the private key */
                        if (pk=EVP_PKEY_new(), pk != NULL) {
                                EVP_PKEY_assign_RSA(pk, rsa);
                                if (req = X509_REQ_new(), req != NULL) {
 
-                                       /* Set the public key */
+                                       /** Set the public key */
                                        X509_REQ_set_pubkey(req, pk);
                                        X509_REQ_set_version(req, 0L);
 
                                        name = X509_REQ_get_subject_name(req);
 
-                                       /* Tell it who we are */
+                                       /** Tell it who we are */
 
-                                       /*
+                                       /* \todo whats this?
                                        X509_NAME_add_entry_by_txt(name, "C",
                                                MBSTRING_ASC, "US", -1, -1, 0);
 
@@ -191,29 +218,42 @@ void init_ssl(void)
                                                MBSTRING_ASC, "Mount Kisco", -1, -1, 0);
                                        */
 
-                                       X509_NAME_add_entry_by_txt(name, "O",
-                                               MBSTRING_ASC, "FIXME.FIXME.org", -1, -1, 0);
-
-                                       X509_NAME_add_entry_by_txt(name, "OU",
-                                               MBSTRING_ASC, "Citadel server", -1, -1, 0);
-
-                                       X509_NAME_add_entry_by_txt(name, "CN",
-                                               MBSTRING_ASC, "FIXME.FIXME.org", -1, -1, 0);
+                                       X509_NAME_add_entry_by_txt(
+                                               name, "O",
+                                               MBSTRING_ASC, 
+                                               (unsigned char*)"Organization name",
+                                               -1, -1, 0);
+
+                                       X509_NAME_add_entry_by_txt(
+                                               name, "OU",
+                                               MBSTRING_ASC, 
+                                               (unsigned char*)"Citadel server1",
+                                               -1, -1, 0);
+
+                                       X509_NAME_add_entry_by_txt(
+                                               name, "CN",
+                                               MBSTRING_ASC, 
+                                               (unsigned char*)"*", -1, -1, 0);
                                
                                        X509_REQ_set_subject_name(req, name);
 
-                                       /* Sign the CSR */
+                                       /** Sign the CSR */
                                        if (!X509_REQ_sign(req, pk, EVP_md5())) {
                                                lprintf(3, "X509_REQ_sign(): error\n");
                                        }
                                        else {
-                                               /* Write it to disk. */ 
+                                               /** Write it to disk. */        
                                                fp = fopen(CTDL_CSR_PATH, "w");
                                                if (fp != NULL) {
                                                        chmod(CTDL_CSR_PATH, 0600);
                                                        PEM_write_X509_REQ(fp, req);
                                                        fclose(fp);
                                                }
+                                               else {
+                                                       lprintf(3, "Cannot write key: %s\n", CTDL_CSR_PATH);
+                                                       ShutDownWebcit();
+                                                       exit(0);
+                                               }
                                        }
 
                                        X509_REQ_free(req);
@@ -230,13 +270,13 @@ void init_ssl(void)
 
 
 
-       /*
+       /**
         * Generate a self-signed certificate if we don't have one.
         */
        if (access(CTDL_CER_PATH, R_OK) != 0) {
                lprintf(5, "Generating a self-signed certificate.\n");
 
-               /* Same deal as before: always read the key from disk because
+               /** Same deal as before: always read the key from disk because
                 * it may or may not have just been generated.
                 */
                fp = fopen(CTDL_KEY_PATH, "r");
@@ -245,7 +285,7 @@ void init_ssl(void)
                        fclose(fp);
                }
 
-               /* This also holds true for the CSR. */
+               /** This also holds true for the CSR. */
                req = NULL;
                cer = NULL;
                pk = NULL;
@@ -273,18 +313,23 @@ void init_ssl(void)
                                        X509_set_pubkey(cer, req_pkey);
                                        EVP_PKEY_free(req_pkey);
                                        
-                                       /* Sign the cert */
+                                       /** Sign the cert */
                                        if (!X509_sign(cer, pk, EVP_md5())) {
                                                lprintf(3, "X509_sign(): error\n");
                                        }
                                        else {
-                                               /* Write it to disk. */ 
+                                               /** Write it to disk. */        
                                                fp = fopen(CTDL_CER_PATH, "w");
                                                if (fp != NULL) {
                                                        chmod(CTDL_CER_PATH, 0600);
                                                        PEM_write_X509(fp, cer);
                                                        fclose(fp);
                                                }
+                                               else {
+                                                       lprintf(3, "Cannot write key: %s\n", CTDL_CER_PATH);
+                                                       ShutDownWebcit();
+                                                       exit(0);
+                                               }
                                        }
                                        X509_free(cer);
                                }
@@ -294,7 +339,7 @@ void init_ssl(void)
                }
        }
 
-       /*
+       /**
         * Now try to bind to the key and certificate.
         * Note that we use SSL_CTX_use_certificate_chain_file() which allows
         * the certificate file to contain intermediate certificates.
@@ -309,11 +354,13 @@ void init_ssl(void)
 }
 
 
-/*
- * starttls() starts SSL/TLS encryption for the current session.
+/**
+ * \brief starts SSL/TLS encryption for the current session.
+ * \param sock the socket connection
+ * \return Zero if the SSL/TLS handshake succeeded, non-zero otherwise.
  */
 int starttls(int sock) {
-       int retval, bits, alg_bits;
+       int retval, bits, alg_bits, r;
        SSL *newssl;
 
        pthread_setspecific(ThreadSSL, NULL);
@@ -334,52 +381,86 @@ int starttls(int sock) {
        }
        retval = SSL_accept(newssl);
        if (retval < 1) {
-               /*
+               /**
                 * Can't notify the client of an error here; they will
                 * discover the problem at the SSL layer and should
                 * revert to unencrypted communications.
                 */
                long errval;
+               const char *ssl_error_reason = NULL;
 
                errval = SSL_get_error(newssl, retval);
-               lprintf(3, "SSL_accept failed: %s\n",
-                       ERR_reason_error_string(ERR_get_error()));
+               ssl_error_reason = ERR_reason_error_string(ERR_get_error());
+               if (ssl_error_reason == NULL)
+                       lprintf(3, "SSL_accept failed: errval=%i, retval=%i %s\n", errval, retval, strerror(errval));
+               else
+                       lprintf(3, "SSL_accept failed: %s\n", ssl_error_reason);
+               sleeeeeeeeeep(1);
+               retval = SSL_accept(newssl);
+       }
+       if (retval < 1) {
+               long errval;
+               const char *ssl_error_reason = NULL;
+
+               errval = SSL_get_error(newssl, retval);
+               ssl_error_reason = ERR_reason_error_string(ERR_get_error());
+               if (ssl_error_reason == NULL)
+                       lprintf(3, "SSL_accept failed: errval=%i, retval=%i (%s)\n", errval, retval, strerror(errval));
+               else
+                       lprintf(3, "SSL_accept failed: %s\n", ssl_error_reason);
                SSL_free(newssl);
                newssl = NULL;
                return(4);
-       }
-       BIO_set_close(newssl->rbio, BIO_NOCLOSE);
-       bits =
-           SSL_CIPHER_get_bits(SSL_get_current_cipher(newssl),
-                               &alg_bits);
-       lprintf(5, "SSL/TLS using %s on %s (%d of %d bits)\n",
+       } else lprintf(15, "SSL_accept success\n");
+       r = BIO_set_close(newssl->rbio, BIO_NOCLOSE);
+       bits = SSL_CIPHER_get_bits(SSL_get_current_cipher(newssl), &alg_bits);
+       lprintf(15, "SSL/TLS using %s on %s (%d of %d bits)\n",
                SSL_CIPHER_get_name(SSL_get_current_cipher(newssl)),
                SSL_CIPHER_get_version(SSL_get_current_cipher(newssl)),
                bits, alg_bits);
 
        pthread_setspecific(ThreadSSL, newssl);
+       lprintf(15, "SSL started\n");
        return(0);
 }
 
 
 
-/*
- * endtls() shuts down the TLS connection
+/**
+ * \brief shuts down the TLS connection
  *
  * WARNING:  This may make your session vulnerable to a known plaintext
  * attack in the current implmentation.
  */
 void endtls(void)
 {
-       lprintf(5, "Ending SSL/TLS\n");
+       SSL_CTX *ctx = NULL;
+
+       if (THREADSSL == NULL) return;
+
+       lprintf(15, "Ending SSL/TLS\n");
        SSL_shutdown(THREADSSL);
+       ctx = SSL_get_SSL_CTX(THREADSSL);
+
+       /** I don't think this is needed, and it crashes the server anyway
+        *
+        *      if (ctx != NULL) {
+        *              lprintf(9, "Freeing CTX at %x\n", (int)ctx );
+        *              SSL_CTX_free(ctx);
+        *      }
+        */
+
        SSL_free(THREADSSL);
        pthread_setspecific(ThreadSSL, NULL);
 }
 
 
-/*
- * ssl_lock() callback for OpenSSL mutex locks
+/**
+ * \brief callback for OpenSSL mutex locks
+ * \param mode which mode??????
+ * \param n  how many???
+ * \param file which filename ???
+ * \param line what line????
  */
 void ssl_lock(int mode, int n, const char *file, int line)
 {
@@ -389,37 +470,45 @@ void ssl_lock(int mode, int n, const char *file, int line)
                pthread_mutex_unlock(SSLCritters[n]);
 }
 
-/*
- * client_write_ssl() Send binary data to the client encrypted.
+/**
+ * \brief Send binary data to the client encrypted.
+ * \param buf chars to send to the client
+ * \param nbytes how many chars
  */
-void client_write_ssl(char *buf, int nbytes)
+void client_write_ssl(const StrBuf *Buf)
 {
+       const char *buf;
        int retval;
        int nremain;
+       long nbytes;
        char junk[1];
 
-       nremain = nbytes;
+       if (THREADSSL == NULL) return;
+
+       nbytes = nremain = StrLength(Buf);
+       buf = ChrPtr(Buf);
 
        while (nremain > 0) {
                if (SSL_want_write(THREADSSL)) {
                        if ((SSL_read(THREADSSL, junk, 0)) < 1) {
-                               lprintf(9, "SSL_read in client_write: %s\n", ERR_reason_error_string(ERR_get_error()));
+                               lprintf(9, "SSL_read in client_write: %s\n",
+                                               ERR_reason_error_string(ERR_get_error()));
                        }
                }
-               retval =
-                   SSL_write(THREADSSL, &buf[nbytes - nremain], nremain);
+               retval = SSL_write(THREADSSL, &buf[nbytes - nremain], nremain);
                if (retval < 1) {
                        long errval;
 
                        errval = SSL_get_error(THREADSSL, retval);
                        if (errval == SSL_ERROR_WANT_READ ||
                            errval == SSL_ERROR_WANT_WRITE) {
-                               sleep(1);
+                               sleeeeeeeeeep(1);
                                continue;
                        }
                        lprintf(9, "SSL_write got error %ld, ret %d\n", errval, retval);
-                       if (retval == -1)
+                       if (retval == -1) {
                                lprintf(9, "errno is %d\n", errno);
+                       }
                        endtls();
                        return;
                }
@@ -428,10 +517,14 @@ void client_write_ssl(char *buf, int nbytes)
 }
 
 
-/*
- * client_read_ssl() - read data from the encrypted layer.
+/**
+ * \brief read data from the encrypted layer.
+ * \param buf charbuffer to read to 
+ * \param bytes how many
+ * \param timeout how long should we wait?
+ * \returns what???
  */
-int client_read_ssl(char *buf, int bytes, int timeout)
+int client_read_sslbuffer(StrBuf *buf, int timeout)
 {
 #if 0
        fd_set rfds;
@@ -439,18 +532,21 @@ int client_read_ssl(char *buf, int bytes, int timeout)
        int retval;
        int s;
 #endif
-       int len, rlen;
+       char sbuf[16384]; /**< Openssl communicates in 16k blocks, so lets speak its native tongue. */
+       int rlen;
        char junk[1];
+       SSL *pssl = THREADSSL;
 
-       len = 0;
-       while (len < bytes) {
+       if (pssl == NULL) return(-1);
+
+       while (1) {
 #if 0
-               /*
+               /**
                 * This code is disabled because we don't need it when
                 * using blocking reads (which we are). -IO
                 */
                FD_ZERO(&rfds);
-               s = BIO_get_fd(THREADSSL->rbio, NULL);
+               s = BIO_get_fd(pssl->rbio, NULL);
                FD_SET(s, &rfds);
                tv.tv_sec = timeout;
                tv.tv_usec = 0;
@@ -462,29 +558,31 @@ int client_read_ssl(char *buf, int bytes, int timeout)
                }
 
 #endif
-               if (SSL_want_read(THREADSSL)) {
-                       if ((SSL_write(THREADSSL, junk, 0)) < 1) {
-                               lprintf(9, "SSL_write in client_read: %s\n", ERR_reason_error_string(ERR_get_error()));
+               if (SSL_want_read(pssl)) {
+                       if ((SSL_write(pssl, junk, 0)) < 1) {
+                               lprintf(9, "SSL_write in client_read\n");
                        }
                }
-               rlen = SSL_read(THREADSSL, &buf[len], bytes - len);
+               rlen = SSL_read(pssl, sbuf, sizeof(sbuf));
                if (rlen < 1) {
                        long errval;
 
-                       errval = SSL_get_error(THREADSSL, rlen);
+                       errval = SSL_get_error(pssl, rlen);
                        if (errval == SSL_ERROR_WANT_READ ||
                            errval == SSL_ERROR_WANT_WRITE) {
-                               sleep(1);
+                               sleeeeeeeeeep(1);
                                continue;
                        }
                        lprintf(9, "SSL_read got error %ld\n", errval);
                        endtls();
-                       return (0);
+                       return (-1);
                }
-               len += rlen;
+               StrBufAppendBufPlain(buf, sbuf, rlen, 0);
+               return rlen;
        }
-       return (1);
+       return (0);
 }
 
 
 #endif                         /* HAVE_OPENSSL */
+/*@}*/