From cdaab8fdf05f01181c58f77af2bb858fc366f7fa Mon Sep 17 00:00:00 2001
From: Přemysl Janouch
Date: Sat, 12 Jul 2014 21:59:17 +0200
Subject: Move `SSL_CTX *' into `struct server_context'
It didn't make much sense to parse the configuration values and load the SSL
keys on each connection.
---
src/kike.c | 137 ++++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 85 insertions(+), 52 deletions(-)
(limited to 'src')
diff --git a/src/kike.c b/src/kike.c
index bf13476..2b10835 100644
--- a/src/kike.c
+++ b/src/kike.c
@@ -115,7 +115,6 @@ struct connection
unsigned ssl_rx_want_tx : 1; ///< SSL_read() wants to write
unsigned ssl_tx_want_rx : 1; ///< SSL_write() wants to read
- SSL_CTX *ssl_ctx; ///< SSL context
SSL *ssl; ///< SSL connection
char *nickname; ///< IRC nickname (main identifier)
@@ -143,8 +142,6 @@ connection_free (struct connection *self)
{
if (!soft_assert (self->socket_fd == -1))
xclose (self->socket_fd);
- if (self->ssl_ctx)
- SSL_CTX_free (self->ssl_ctx);
if (self->ssl)
SSL_free (self->ssl);
@@ -211,11 +208,13 @@ struct server_context
int listen_fd; ///< Listening socket FD
struct connection *clients; ///< Client connections
+ SSL_CTX *ssl_ctx; ///< SSL context
struct str_map users; ///< Maps nicknames to connections
struct str_map channels; ///< Maps channel names to data
struct poller poller; ///< Manages polled description
+ bool quitting; ///< User requested quitting
bool polling; ///< The event loop is running
};
@@ -234,6 +233,7 @@ server_context_init (struct server_context *self)
str_map_init (&self->channels);
poller_init (&self->poller);
+ self->quitting = false;
self->polling = false;
}
@@ -244,6 +244,8 @@ server_context_free (struct server_context *self)
if (self->listen_fd != -1)
xclose (self->listen_fd);
+ if (self->ssl_ctx)
+ SSL_CTX_free (self->ssl_ctx);
// TODO: terminate the connections properly before this is called
struct connection *link, *tmp;
@@ -321,62 +323,29 @@ irc_ssl_verify_callback (int verify_ok, X509_STORE_CTX *ctx)
}
static bool
-irc_initialize_ssl (struct connection *conn)
+connection_initialize_ssl (struct connection *conn)
{
- struct server_context *ctx = conn->ctx;
+ // SSL support not enabled
+ if (!conn->ctx->ssl_ctx)
+ return false;
- conn->ssl_ctx = SSL_CTX_new (SSLv23_server_method ());
- if (!conn->ssl_ctx)
+ conn->ssl = SSL_new (conn->ctx->ssl_ctx);
+ if (!conn->ssl)
goto error_ssl_1;
- SSL_CTX_set_verify (conn->ssl_ctx,
- SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, irc_ssl_verify_callback);
- // XXX: maybe we should call SSL_CTX_set_options() for some workarounds
- conn->ssl = SSL_new (conn->ssl_ctx);
- if (!conn->ssl)
+ if (!SSL_set_fd (conn->ssl, conn->socket_fd))
goto error_ssl_2;
-
- const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert");
- if (ssl_cert
- && !SSL_CTX_use_certificate_chain_file (conn->ssl_ctx, ssl_cert))
- {
- // XXX: perhaps we should read the file ourselves for better messages
- print_error ("%s: %s", "setting the SSL client certificate failed",
- ERR_error_string (ERR_get_error (), NULL));
- }
-
- const char *ssl_key = str_map_find (&ctx->config, "ssl_key");
- if (ssl_key
- && !SSL_use_PrivateKey_file (conn->ssl, ssl_key, SSL_FILETYPE_PEM))
- {
- // XXX: perhaps we should read the file ourselves for better messages
- print_error ("%s: %s", "setting the SSL private key failed",
- ERR_error_string (ERR_get_error (), NULL));
- }
-
- // TODO: SSL_check_private_key(conn->ssl)? It is has probably already been
- // checked by SSL_use_PrivateKey_file() above.
-
SSL_set_accept_state (conn->ssl);
- if (!SSL_set_fd (conn->ssl, conn->socket_fd))
- goto error_ssl_3;
- // Gah, spare me your awkward semantics, I just want to push data!
- // XXX: do we want SSL_MODE_AUTO_RETRY as well? I guess not.
- SSL_set_mode (conn->ssl,
- SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
return true;
-error_ssl_3:
+error_ssl_2:
SSL_free (conn->ssl);
conn->ssl = NULL;
-error_ssl_2:
- SSL_CTX_free (conn->ssl_ctx);
- conn->ssl_ctx = NULL;
error_ssl_1:
// XXX: these error strings are really nasty; also there could be
// multiple errors on the OpenSSL stack.
- print_error ("%s: %s", "could not initialize SSL",
- ERR_error_string (ERR_get_error (), NULL));
+ print_debug ("%s: %s: %s", "could not initialize SSL",
+ conn->hostname, ERR_error_string (ERR_get_error (), NULL));
return false;
}
@@ -502,13 +471,11 @@ irc_try_write_ssl (struct connection *conn)
static void
on_irc_client_ready (const struct pollfd *pfd, void *user_data)
{
- // XXX: check/load `ssl_cert' and `ssl_key' earlier?
struct connection *conn = user_data;
if (!conn->initialized)
{
hard_assert (pfd->events == POLLIN);
- // XXX: what with the error from irc_initialize_ssl()?
- if (irc_autodetect_ssl (conn) && !irc_initialize_ssl (conn))
+ if (irc_autodetect_ssl (conn) && !connection_initialize_ssl (conn))
{
connection_abort (conn, NULL);
return;
@@ -599,6 +566,69 @@ on_irc_connection_available (const struct pollfd *pfd, void *user_data)
}
}
+static bool
+irc_initialize_ssl (struct server_context *ctx)
+{
+ const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert");
+ const char *ssl_key = str_map_find (&ctx->config, "ssl_key");
+
+ // Only try to enable SSL support if the user configures it; it is not
+ // a failure if no one has requested it.
+ if (!ssl_cert && !ssl_key)
+ return true;
+
+ if (!ssl_cert)
+ {
+ print_error ("no SSL certificate set");
+ return false;
+ }
+ if (!ssl_key)
+ {
+ print_error ("no SSL private key set");
+ return false;
+ }
+
+ ctx->ssl_ctx = SSL_CTX_new (SSLv23_server_method ());
+ if (!ctx->ssl_ctx)
+ goto error_ssl_1;
+ SSL_CTX_set_verify (ctx->ssl_ctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, irc_ssl_verify_callback);
+ // XXX: maybe we should call SSL_CTX_set_options() for some workarounds
+
+ // XXX: perhaps we should read the files ourselves for better messages
+ if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, ssl_cert))
+ {
+ print_error ("%s: %s", "setting the SSL client certificate failed",
+ ERR_error_string (ERR_get_error (), NULL));
+ goto error_ssl_2;
+ }
+ if (!SSL_CTX_use_PrivateKey_file (ctx->ssl_ctx, ssl_key, SSL_FILETYPE_PEM))
+ {
+ print_error ("%s: %s", "setting the SSL private key failed",
+ ERR_error_string (ERR_get_error (), NULL));
+ goto error_ssl_2;
+ }
+
+ // TODO: SSL_CTX_check_private_key()? It has probably already been checked
+ // by SSL_CTX_use_PrivateKey_file() above.
+
+ // Gah, spare me your awkward semantics, I just want to push data!
+ // XXX: do we want SSL_MODE_AUTO_RETRY as well? I guess not.
+ SSL_CTX_set_mode (ctx->ssl_ctx,
+ SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+ return true;
+
+error_ssl_2:
+ SSL_CTX_free (ctx->ssl_ctx);
+ ctx->ssl_ctx = NULL;
+error_ssl_1:
+ // XXX: these error strings are really nasty; also there could be
+ // multiple errors on the OpenSSL stack.
+ print_error ("%s: %s", "could not initialize SSL",
+ ERR_error_string (ERR_get_error (), NULL));
+ return false;
+}
+
static bool
irc_listen (struct server_context *ctx, struct error **e)
{
@@ -679,13 +709,14 @@ on_signal_pipe_readable (const struct pollfd *fd, struct server_context *ctx)
char *dummy;
(void) read (fd->fd, &dummy, 1);
-#if 0
- // TODO
+ // TODO: send ERROR messages to anyone, wait for the messages to get
+ // dispatched for a few seconds, RST the rest and quit.
if (g_termination_requested && !ctx->quitting)
{
+#if 0
initiate_quit (ctx);
- }
#endif
+ }
}
static void
@@ -778,6 +809,8 @@ main (int argc, char *argv[])
poller_set (&ctx.poller, g_signal_pipe[0], POLLIN,
(poller_dispatcher_func) on_signal_pipe_readable, &ctx);
+ if (!irc_initialize_ssl (&ctx))
+ exit (EXIT_FAILURE);
if (!irc_listen (&ctx, &e))
{
print_error ("%s", e->message);
--
cgit v1.2.3-70-g09d2