/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
5 |
* Common Development and Distribution License (the "License"). |
|
6 |
* You may not use this file except in compliance with the License. |
|
7 |
* |
|
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
21 |
||
22 |
/* |
|
23 |
* Copyright 2009 Sun Microsystems, Inc. All rights reserved. |
|
24 |
* Use is subject to license terms. |
|
25 |
*/ |
|
26 |
||
27 |
#include <openssl/ssl.h> |
|
28 |
#include <openssl/err.h> |
|
29 |
#include <sys/types.h> |
|
30 |
#include <sys/socket.h> |
|
31 |
#include <sys/utsname.h> |
|
32 |
#include <sys/stat.h> |
|
33 |
#include <sys/wait.h> |
|
34 |
#include <stdio.h> |
|
35 |
#include <string.h> |
|
36 |
#include <stdlib.h> |
|
37 |
#include <errno.h> |
|
38 |
#include <unistd.h> |
|
39 |
#include <spawn.h> |
|
40 |
||
41 |
#include "rad_object.h" |
|
42 |
#include "rad_modapi.h" |
|
43 |
#include "rad_modapi_xport.h" |
|
44 |
#include "rad_connection.h" |
|
45 |
#include "rad_util.h" |
|
46 |
#include "rad_xport.h" |
|
47 |
#include "rad_log.h" |
|
48 |
#include "../rad_listen.h" |
|
49 |
||
50 |
#include "api_tls.h" |
|
51 |
||
52 |
/*
 * Per-connection transport state hung off rm_conn_xport_data by tls_listen():
 * the SSL session and the accepted socket it was bound to with SSL_set_fd().
 * Both are released together in rad_tls_free().
 */
typedef struct ssldata {
	SSL *ssl;	/* TLS session for this connection */
	int fd;		/* accepted socket; closed by rad_tls_free() */
} ssldata_t;
|
56 |
||
57 |
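/*
 * Transport read hook: read up to len bytes from the TLS session into buf.
 *
 * Returns the number of bytes read (> 0), or -1 when nothing was read.  The
 * connection is marked RCS_EOF when the peer ended the stream, either with a
 * close_notify alert (SSL_ERROR_ZERO_RETURN) or by closing the socket without
 * one (SSL_ERROR_SYSCALL with a zero return, i.e. an unexpected EOF).  Other
 * failures, including a short return caused by a renegotiation on this
 * blocking socket, are reported as -1 without touching rm_conn_state; the
 * previous version treated every zero return as EOF, which also swallowed
 * protocol errors.
 */
static int
rad_tls_read(radmod_connection_t *conn, char *buf, int len)
{
	ssldata_t *sdata = conn->rm_conn_xport_data;
	int res = SSL_read(sdata->ssl, buf, len);

	if (res > 0)
		return (res);

	switch (SSL_get_error(sdata->ssl, res)) {
	case SSL_ERROR_ZERO_RETURN:
		/* Orderly shutdown: the peer sent close_notify. */
		conn->rm_conn_state = RCS_EOF;
		break;
	case SSL_ERROR_SYSCALL:
		/* A zero return here is EOF on the socket with no close_notify. */
		if (res == 0)
			conn->rm_conn_state = RCS_EOF;
		break;
	default:
		break;
	}

	return (-1);
}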
|
66 |
||
67 |
/*
 * Transport write hook: hand len bytes of buf to the TLS session.
 *
 * Returns SSL_write()'s result unchanged -- the byte count on success, a
 * value <= 0 on failure.  Nothing about the connection state is updated here.
 */
static int
rad_tls_write(radmod_connection_t *conn, char *buf, int len)
{
	SSL *ssl = ((ssldata_t *)conn->rm_conn_xport_data)->ssl;

	return (SSL_write(ssl, buf, len));
}
|
73 |
||
74 |
/*
 * Transport close hook: send the TLS close_notify alert on the session.
 * The socket itself stays open until rad_tls_free() runs.  SSL_shutdown()'s
 * result (whether the peer's own close_notify has already arrived) is not
 * waited for or acted upon.
 */
static void
rad_tls_close(radmod_connection_t *conn)
{
	SSL *ssl = ((ssldata_t *)conn->rm_conn_xport_data)->ssl;

	(void) SSL_shutdown(ssl);
}
|
80 |
||
81 |
/*
 * Transport free hook: release everything tls_listen() attached to the
 * connection -- the SSL session, the accepted socket and the ssldata_t
 * record itself.  The connection record is not freed here (tls_run() does
 * that).
 */
static void
rad_tls_free(radmod_connection_t *conn)
{
	ssldata_t *sd = conn->rm_conn_xport_data;
	int fd = sd->fd;

	SSL_free(sd->ssl);
	free(sd);
	(void) close(fd);
}
|
89 |
||
90 |
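/*
 * Ensure a certificate/private-key pair exists at the configured paths,
 * creating a self-signed pair with /usr/bin/openssl when it does not.
 *
 * cert, key: paths of the PEM certificate and private key files.
 *
 * Returns B_TRUE when both files already existed or were created, B_FALSE
 * when openssl could not be spawned, could not be waited for, or did not
 * exit successfully.  An existing pair is never overwritten.
 *
 * The key is written unencrypted (-nodes) so the daemon can load it without
 * a passphrase; it is therefore restricted to its owner afterwards, while
 * the certificate is made world-readable so it can be handed to clients.
 */
static boolean_t
generate_cert(const char *cert, const char *key)
{
	struct utsname name;
	struct stat st;
	pid_t pid;
	int status = 0;
	char subject[1024];
	/*
	 * 2048-bit RSA signed with SHA-256: the earlier rsa:1024/-sha1 pair is
	 * below current minimums for a certificate valid for 3650 days.
	 */
	const char *args[] = {
		"/usr/bin/openssl", "req", "-x509", "-newkey", "rsa:2048",
		"-days", "3650", "-sha256", "-nodes", "-keyout", key,
		"-out", cert, "-subj", subject, NULL };

	if (stat(cert, &st) != -1 && stat(key, &st) != -1)
		return (B_TRUE);

	/* The subject is only a label; nodename is local data, not input. */
	(void) uname(&name);
	(void) snprintf(subject, sizeof (subject),
	    "/CN=Remote Administration Daemon @ %s", name.nodename);

	rad_log(RL_WARN, "generating key/certificate pair\n");
	/*
	 * NOTE(review): envp is NULL, so what openssl sees in its environment
	 * depends on this platform's posix_spawn() -- confirm before relying
	 * on it (OPENSSL_CONF etc. are honoured by the openssl binary).
	 */
	if (posix_spawn(&pid, args[0], NULL, NULL, (char **)args, NULL) != 0) {
		rad_log(RL_ERROR, "failed to create key pair\n");
		return (B_FALSE);
	}

	while (waitpid(pid, &status, 0) == -1) {
		if (errno != EINTR) {
			rad_log(RL_ERROR, "failed to wait for openssl: %s\n",
			    strerror(errno));
			return (B_FALSE);
		}
	}
	/*
	 * The exit status used to be discarded, so a failed openssl run was
	 * reported as success and only surfaced when the files failed to load.
	 */
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		rad_log(RL_ERROR, "openssl failed to create key pair\n");
		return (B_FALSE);
	}

	/*
	 * openssl leaves whatever modes the umask produced; tighten the key
	 * explicitly.  The window between openssl writing the file and this
	 * chmod is covered only by the umask.
	 */
	if (chmod(key, 0600) == -1)
		rad_log(RL_WARN, "failed to chmod '%s'; "
		    "private key mode depends on umask: %s\n", key,
		    strerror(errno));
	/* Both %s conversions now have an argument; cert was missing before. */
	if (chmod(cert, 0644) == -1)
		rad_log(RL_WARN, "failed to chmod '%s'; "
		    "certificate only readable by owner: %s\n", cert,
		    strerror(errno));

	return (B_TRUE);
}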
|
123 |
||
124 |
/*
 * Transport operations vector installed on every accepted TLS connection
 * (conn->rm_conn_xport_ops in tls_listen()): read, write, close, free.
 */
static radmod_transport_t transport = {
	rad_tls_read,
	rad_tls_write,
	rad_tls_close,
	rad_tls_free
};
|
130 |
||
131 |
/*
 * Thread body for one accepted TLS connection: run the protocol handler on
 * the connection until it returns, then release the connection record that
 * tls_listen() obtained from rad_conn_create().
 */
static void
tls_run(void *arg)
{
	rad_proto_handle((radmod_connection_t *)arg);
	free(arg);
}
|
138 |
||
139 |
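/*
 * Listener thread for the "tls" transport.
 *
 * Reads the listener configuration from the module data: "port",
 * "certificate" and "privatekey" are mandatory; "proto" (default "rad"),
 * "localonly" (default B_FALSE) and "generate" (default B_FALSE) are
 * optional.  Optionally generates a self-signed pair, binds the listening
 * socket, builds the SSL_CTX, acknowledges the starter and then accepts
 * connections forever, handing each one that completes a TLS handshake to a
 * tls_run() thread.
 *
 * Returns only on a setup failure -- rm_config for a bad configuration,
 * rm_system otherwise -- and releases the listening socket and context on
 * the way out.  Once rad_thread_ack() has been issued the accept loop never
 * exits.
 */
static rad_moderr_t
tls_listen(rad_thread_t *arg)
{
	SSL_CTX *context = NULL;
	int fd;
	data_t *d, *data = rad_thread_arg(arg);

	/*
	 * starter() already rejects configurations without the mandatory
	 * entries, but never dereference a missing one here either.
	 */
	d = struct_get(data, "port");
	if (d == NULL) {
		rad_log(RL_ERROR, "Port required\n");
		return (rm_config);
	}
	int port = d->d_data.integer;
	d = struct_get(data, "proto");
	const char *protostr = d != NULL ? d->d_data.string : "rad";
	d = struct_get(data, "localonly");
	boolean_t local = d != NULL ? d->d_data.boolean : B_FALSE;
	d = struct_get(data, "certificate");
	if (d == NULL) {
		rad_log(RL_ERROR, "Cert required\n");
		return (rm_config);
	}
	const char *cert = d->d_data.string;
	d = struct_get(data, "privatekey");
	if (d == NULL) {
		rad_log(RL_ERROR, "Private key required\n");
		return (rm_config);
	}
	const char *key = d->d_data.string;
	d = struct_get(data, "generate");
	boolean_t generate = d != NULL ? d->d_data.boolean : B_FALSE;

	if (generate && !generate_cert(cert, key)) {
		rad_log(RL_ERROR, "Failed to generate certificate.\n");
		return (rm_system);
	}

	rad_protocol_t *proto = rad_proto_find(protostr);
	if (proto == NULL) {
		rad_log(RL_ERROR, "Unable to find protocol \"%s\".\n",
		    protostr);
		return (rm_config);
	}

	if ((fd = listen_on_port(port, local)) < 0) {
		rad_log(RL_ERROR, "Error starting server on port %d\n",
		    port);
		return (rm_system);
	}

	rad_log(RL_DEBUG, "Initializing SSL library.\n");
	(void) SSL_library_init();
	(void) SSL_load_error_strings();

	rad_log(RL_DEBUG, "Creating SSL context.\n");
	context = SSL_CTX_new(SSLv23_method());
	if (context == NULL) {
		rad_log(RL_ERROR, "Unable to create SSL context.\n");
		goto fail;
	}
	/*
	 * SSLv23_method() negotiates the newest version both ends support.
	 * SSLv2 was already refused; SSLv3 is refused as well, since it is no
	 * longer considered safe.  No client-certificate verification is
	 * configured here: this layer provides an encrypted, server-
	 * authenticated channel only.
	 */
	(void) SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

	if (SSL_CTX_use_certificate_chain_file(context, cert) == 0) {
		rad_log(RL_ERROR, "Unable to use cert file: %s\n", cert);
		ERR_print_errors_fp(stderr);
		goto fail;
	}

	if (SSL_CTX_use_PrivateKey_file(context, key, SSL_FILETYPE_PEM) == 0) {
		rad_log(RL_ERROR, "Unable to use privatekey file: %s\n", key);
		ERR_print_errors_fp(stderr);
		goto fail;
	}

	/* Catch a certificate/key mismatch now, not on the first handshake. */
	if (SSL_CTX_check_private_key(context) != 1) {
		rad_log(RL_ERROR, "Private key %s does not match cert %s\n",
		    key, cert);
		ERR_print_errors_fp(stderr);
		goto fail;
	}

	rad_thread_ack(arg, rm_ok);
	for (;;) {
		int afd, result;
		SSL *ssl;
		rad_subject_t *subject;
		ssldata_t *sdata;
		radmod_connection_t *conn;

		rad_log(RL_DEBUG, "Waiting for connection.\n");
		if ((afd = accept(fd, 0, 0)) == -1) {
			rad_log(RL_WARN, "Error in accept(): %s\n",
			    strerror(errno));
			continue;
		}
		rad_log(RL_DEBUG, "Connection accepted.\n");

		rad_log(RL_DEBUG, "Creating SSL.\n");
		if ((ssl = SSL_new(context)) == NULL) {
			rad_log(RL_WARN, "Unable to create SSL.\n");
			(void) close(afd);
			continue;
		}

		rad_log(RL_DEBUG, "Initiating SSL connection.\n");
		if (!SSL_set_fd(ssl, afd)) {
			rad_log(RL_WARN, "Unable to set SSL fd.\n");
			goto close;
		}

		while ((result = SSL_accept(ssl)) != 1) {
			result = SSL_get_error(ssl, result);

			/* Shouldn't happen on a blocking socket, but just in case: */
			if (result == SSL_ERROR_WANT_READ ||
			    result == SSL_ERROR_WANT_WRITE)
				continue;

			ERR_print_errors_fp(stderr);
			rad_log(RL_WARN,
			    "Unable to establish connection: %d\n", result);
			goto close;
		}
		rad_log(RL_DEBUG, "Connection accepted.\n");

		/*
		 * The subject is created only once the handshake has
		 * succeeded; creating it first leaked it whenever SSL_accept()
		 * failed, and no release routine for it is visible here.
		 */
		subject = rad_subject_create_fd(afd, B_FALSE);
		if (subject == NULL) {
			rad_log(RL_WARN, "Unable to allocate subject.\n");
			goto close;
		}

		/*
		 * NOTE(review): zalloc() and rad_conn_create() are not checked
		 * for NULL, as before -- confirm they abort rather than return
		 * NULL on allocation failure.
		 */
		sdata = zalloc(sizeof (ssldata_t));
		sdata->ssl = ssl;
		sdata->fd = afd;
		conn = rad_conn_create();
		conn->rm_conn_xport_ops = &transport;
		conn->rm_conn_xport_data = sdata;
		conn->rm_conn_proto_ops = proto;
		conn->rm_conn_subject = subject;

		if (rad_thread_create_async(tls_run, conn) != rm_ok) {
			rad_conn_close(conn);
			free(conn);
		}

		continue;
close:
		SSL_free(ssl);
		(void) close(afd);
	}
	/* NOTREACHED */

fail:
	/* Setup failed after the socket was bound; release what was acquired. */
	if (context != NULL)
		SSL_CTX_free(context);
	(void) close(fd);
	return (rm_system);
}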
|
268 |
||
269 |
/*
 * Transport start hook registered with rad_xport_register().  Verifies that
 * the configuration carries the three mandatory entries -- "port",
 * "certificate" and "privatekey" -- and then starts the listener thread.
 *
 * Returns rm_config when a mandatory entry is missing, otherwise whatever
 * rad_thread_create() returns for tls_listen().
 */
static rad_moderr_t
starter(data_t *data)
{
	static const struct {
		const char *key;	/* configuration entry that must exist */
		const char *msg;	/* error logged when it does not */
	} required[] = {
		{ "port", "Port required\n" },
		{ "certificate", "Cert required\n" },
		{ "privatekey", "Private key required\n" }
	};
	size_t i;

	for (i = 0; i < sizeof (required) / sizeof (required[0]); i++) {
		if (struct_get(data, required[i].key) == NULL) {
			rad_log(RL_ERROR, "%s", required[i].msg);
			return (rm_config);
		}
	}

	return (rad_thread_create(tls_listen, data));
}
|
293 |
||
294 |
static rad_modinfo_t modinfo = { "xport_tls", "TLS socket transport module" }; |
|
295 |
||
296 |
/*
 * Module entry point: register this module with the daemon and then
 * register "tls" as a transport whose start hook is starter().
 *
 * Returns -1 when rad_module_register() reports failure, 0 otherwise.
 */
int
_rad_init(void *handle)
{
	int rc = rad_module_register(handle, RAD_MODVERSION, &modinfo);

	if (rc == -1)
		return (-1);

	rad_xport_register("tls", &t__tls, starter);

	return (0);
}