authorMichael Steinert <mike.steinert@gmail.com>2012-05-24 17:41:36 -0600
committerMichael Steinert <mike.steinert@gmail.com>2012-05-27 10:39:57 -0600
commit5b2585dc118f3db07a70575da47503e24986f8e9 (patch)
tree4d68627311e1aa0b23e1e257d3e4ba52dc3623a1
parentec9f03ce615713acfa1f2fb4a6da42a8c972e6e6 (diff)
downloadrabbitmq-c-github-ask-5b2585dc118f3db07a70575da47503e24986f8e9.tar.gz
Implement SSL/TLS over CyaSSL, GnuTLS, OpenSSL & PolarSSL backends
Signed-off-by: Michael Steinert <mike.steinert@gmail.com>
-rw-r--r--Makefile.am26
-rw-r--r--configure.ac31
-rw-r--r--librabbitmq/amqp-cyassl.c167
-rw-r--r--librabbitmq/amqp-gnutls.c244
-rw-r--r--librabbitmq/amqp-openssl.c261
-rw-r--r--librabbitmq/amqp-polarssl.c233
-rw-r--r--librabbitmq/amqp-ssl.h54
-rw-r--r--librabbitmq/amqp_private.h4
-rw-r--r--m4/polarssl.m460
-rw-r--r--tools/common.c47
10 files changed, 1108 insertions, 19 deletions
diff --git a/Makefile.am b/Makefile.am
index 204f0c7..dd52d04 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,12 +12,30 @@ librabbitmq_librabbitmq_la_SOURCES = \
librabbitmq/amqp_table.c \
librabbitmq/amqp_url.c
+if SSL_CYASSL
+librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-cyassl.c
+endif
+
+if SSL_GNUTLS
+librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-gnutls.c
+endif
+
+if SSL_OPENSSL
+librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-openssl.c
+endif
+
+if SSL_POLARSSL
+librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-polarssl.c
+endif
+
librabbitmq_librabbitmq_la_CFLAGS = \
- -I$(top_srcdir)/librabbitmq
+ -I$(top_srcdir)/librabbitmq \
+ $(SSL_CFLAGS)
librabbitmq_librabbitmq_la_LDFLAGS = \
-version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \
- $(NO_UNDEFINED)
+ $(NO_UNDEFINED) \
+ $(SSL_LIBS)
if OS_UNIX
librabbitmq_librabbitmq_la_SOURCES += librabbitmq/unix/socket.c
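Review bot: `$(SSL_LIBS)` is appended to `librabbitmq_librabbitmq_la_LDFLAGS`, but libtool expects link libraries in `_LIBADD` and only linker flags in `_LDFLAGS`; putting `-l` entries in LDFLAGS bypasses libtool's dependency recording and link ordering. I would add `librabbitmq_librabbitmq_la_LIBADD = $(SSL_LIBS)` and drop it from the LDFLAGS list. Likewise, if pkg-config's `--cflags` output is mostly `-I`/`-D` flags, `$(SSL_CFLAGS)` belongs in `_CPPFLAGS` rather than `_CFLAGS`.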
@@ -36,6 +54,10 @@ include_HEADERS = \
librabbitmq/amqp.h \
librabbitmq/amqp_framing.h
+if SSL
+include_HEADERS += librabbitmq/amqp-ssl.h
+endif
+
BUILT_SOURCES = \
librabbitmq/amqp_framing.h \
librabbitmq/amqp_framing.c
diff --git a/configure.ac b/configure.ac
index 211858e..348fa09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,6 +29,7 @@ m4_ifdef([AC_PROG_CC_C99], [AC_PROG_CC_C99],
[AC_MSG_WARN([Attempt c99 workaround for old versions of autoconf])
AC_PROG_CC
AX_TRY_CFLAGS([-std=c99], [AX_CFLAGS([-std=c99])])])
+PKG_PROG_PKG_CONFIG([0.17])
# Environment setup
AC_CANONICAL_HOST
@@ -107,6 +108,35 @@ AS_IF([test "x$ac_cv_path_PYTHON" = "x"],
AC_MSG_WARN([unable to rebuild AMQP framing])])
AC_SUBST([PYTHON], [$ac_cv_path_PYTHON])
+# Configure SSL/TLS
+AC_ARG_WITH([ssl],
+ [AS_HELP_STRING([--with-ssl=@<:@cyassl/gnutls/no/openssl/polarssl/yes@:>@],
+ [enable SSL/TLS support @<:@default=openssl@:>@])],
+ [AS_CASE([$withval],
+ [yes], [with_ssl=openssl],
+ [*], [with_ssl=$withval])],
+ [with_ssl=openssl])
+
+AS_IF([test "x$with_ssl" = "xcyassl"],
+ [PKG_CHECK_MODULES([SSL], [libcyassl],, [with_ssl=no])],
+ [test "x$with_ssl" = "xgnutls"],
+ [PKG_CHECK_MODULES([SSL], [gnutls],, [with_ssl=no])],
+ [test "x$with_ssl" = "xopenssl"],
+ [PKG_CHECK_MODULES([SSL], [openssl >= 1.0.1a],, [with_ssl=no])],
+ [test "x$with_ssl" = "xpolarssl"],
+ [AX_LIB_POLARSSL([SSL_CFLAGS=$POLARSSL_CFLAGS
+ SSL_LIBS=$POLARSSL_LIBS],
+ [with_ssl=no])],
+ [test "x$with_ssl" = "xno"],,
+ [AC_MSG_ERROR([unknown SSL/TLS implementation: $with_ssl])])
+AM_CONDITIONAL([SSL_CYASSL], [test "x$with_ssl" = "xcyassl"])
+AM_CONDITIONAL([SSL_GNUTLS], [test "x$with_ssl" = "xgnutls"])
+AM_CONDITIONAL([SSL_OPENSSL], [test "x$with_ssl" = "xopenssl"])
+AM_CONDITIONAL([SSL_POLARSSL], [test "x$with_ssl" = "xpolarssl"])
+AM_CONDITIONAL([SSL], [test "x$with_ssl" != "xno"])
+AS_IF([test "x$with_ssl" != "xno"],
+ [AC_DEFINE([WITH_SSL], [1], [Define to 1 if SSL/TLS is enabled.])])
+
# Configure AMQP command-line tools
AC_ARG_ENABLE([tools],
[AS_HELP_STRING([--enable-tools],
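Review bot: Every `PKG_CHECK_MODULES` and `AX_LIB_POLARSSL` failure branch sets `with_ssl=no`, so a build explicitly configured with `--with-ssl=openssl` (or any named backend) whose library is missing silently produces a librabbitmq without SSL/TLS instead of failing. Only the default case should degrade; an explicit request should abort, e.g. remember the user's choice in the `AC_ARG_WITH` action and replace each `[with_ssl=no]` with `[AS_IF([test "x$with_ssl_requested" = "xyes"], [AC_MSG_ERROR([$with_ssl requested but not found])], [with_ssl=no])]`. The `openssl >= 1.0.1a` floor also deserves a one-line comment stating which API it is needed for, so the next person raising or lowering it knows what to check.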
@@ -143,6 +173,7 @@ $PACKAGE_NAME build options:
Host: $host
Version: $VERSION
64-bit: $enable_64_bit
+ SSL/TLS: $with_ssl
Tools: $enable_tools
Documentation: $enable_docs
])
diff --git a/librabbitmq/amqp-cyassl.c b/librabbitmq/amqp-cyassl.c
new file mode 100644
index 0000000..f8e4d40
--- /dev/null
+++ b/librabbitmq/amqp-cyassl.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp-ssl.h"
+#include "amqp_private.h"
+#include <cyassl/ssl.h>
+#include <stdlib.h>
+
+struct amqp_ssl_socket_context {
+ CYASSL_CTX *ctx;
+ CYASSL *ssl;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+ const void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ return CyaSSL_write(self->ssl, buf, len);
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+ const struct iovec *iov,
+ int iovcnt,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ char *buffer, *bufferp;
+ ssize_t written = -1;
+ size_t bytes;
+ int i;
+ bytes = 0;
+ for (i = 0; i < iovcnt; ++i) {
+ bytes += iov[i].iov_len;
+ }
+ buffer = malloc(bytes);
+ if (!buffer) {
+ goto exit;
+ }
+ bufferp = buffer;
+ for (i = 0; i < iovcnt; ++i) {
+ memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+ bufferp += iov[i].iov_len;
+ }
+ written = CyaSSL_write(self->ssl, buffer, bytes);
+exit:
+ free(buffer);
+ return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+ void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ return CyaSSL_read(self->ssl, buf, len);
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+ void *user_data)
+{
+ int status = -1;
+ struct amqp_ssl_socket_context *self = user_data;
+ if (self) {
+ CyaSSL_free(self->ssl);
+ CyaSSL_CTX_free(self->ctx);
+ free(self);
+ }
+ if (sockfd >= 0) {
+ status = amqp_socket_close(sockfd, 0);
+ }
+ return status;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+ return -1;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+ const char *host,
+ int port,
+ const char *cacert,
+ const char *key,
+ const char *cert)
+{
+ int sockfd = -1, status;
+ struct amqp_ssl_socket_context *self;
+ CyaSSL_Init();
+ self = calloc(1, sizeof(*self));
+ if (!self) {
+ goto error;
+ }
+ self->ctx = CyaSSL_CTX_new(CyaSSLv23_client_method());
+ if (!self->ctx) {
+ goto error;
+ }
+ status = CyaSSL_CTX_load_verify_locations(self->ctx, cacert, NULL);
+ if (SSL_SUCCESS != status) {
+ goto error;
+ }
+ if (key && cert) {
+ status = CyaSSL_CTX_use_PrivateKey_file(self->ctx, key,
+ SSL_FILETYPE_PEM);
+ if (SSL_SUCCESS != status) {
+ goto error;
+ }
+ status = CyaSSL_CTX_use_certificate_chain_file(self->ctx, cert);
+ }
+ self->ssl = CyaSSL_new(self->ctx);
+ if (!self->ssl) {
+ goto error;
+ }
+ sockfd = amqp_open_socket(host, port);
+ if (0 > sockfd) {
+ goto error;
+ }
+ CyaSSL_set_fd(self->ssl, sockfd);
+ status = CyaSSL_connect(self->ssl);
+ if (SSL_SUCCESS != status) {
+ goto error;
+ }
+ amqp_set_sockfd_full(state, sockfd,
+ amqp_ssl_socket_writev,
+ amqp_ssl_socket_send,
+ amqp_ssl_socket_recv,
+ amqp_ssl_socket_close,
+ amqp_ssl_socket_error,
+ self);
+ return sockfd;
+error:
+ amqp_ssl_socket_close(sockfd, self);
+ return -1;
+}
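Review bot: The return value of `CyaSSL_CTX_use_certificate_chain_file` at the end of the `key && cert` block is stored in `status` but never tested, so a missing or unreadable client certificate file is silently ignored; the OpenSSL backend checks the same call. Add `if (SSL_SUCCESS != status) { goto error; }` after it. Separately, unlike the GnuTLS, OpenSSL and PolarSSL backends in this commit, nothing here compares the peer certificate against `host`, so any certificate chaining to `cacert` is accepted regardless of the name it was issued for; calling `CyaSSL_check_domain_name(self->ssl, host)` before `CyaSSL_connect` would close that, if the targeted CyaSSL version provides it. `amqp_ssl_socket_writev` also uses `memcpy` with only `<stdlib.h>` included directly, so it relies on `amqp_private.h` pulling in `<string.h>`.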
diff --git a/librabbitmq/amqp-gnutls.c b/librabbitmq/amqp-gnutls.c
new file mode 100644
index 0000000..a435371
--- /dev/null
+++ b/librabbitmq/amqp-gnutls.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp_private.h"
+#include "amqp-ssl.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <stdlib.h>
+
+struct amqp_ssl_socket_context {
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t credentials;
+ char *host;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+ const void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ return gnutls_record_send(self->session, buf, len);
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+ const struct iovec *iov,
+ int iovcnt,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ char *buffer, *bufferp;
+ ssize_t written = -1;
+ size_t bytes;
+ int i;
+ bytes = 0;
+ for (i = 0; i < iovcnt; ++i) {
+ bytes += iov[i].iov_len;
+ }
+ buffer = malloc(bytes);
+ if (!buffer) {
+ goto exit;
+ }
+ bufferp = buffer;
+ for (i = 0; i < iovcnt; ++i) {
+ memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+ bufferp += iov[i].iov_len;
+ }
+ written = gnutls_record_send(self->session, buffer, bytes);
+exit:
+ free(buffer);
+ return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+ void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ return gnutls_record_recv(self->session, buf, len);
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+ void *user_data)
+{
+ int status = -1;
+ struct amqp_ssl_socket_context *self = user_data;
+ if (sockfd >= 0) {
+ status = amqp_socket_close(sockfd, 0);
+ }
+ if (self) {
+ gnutls_deinit(self->session);
+ gnutls_certificate_free_credentials(self->credentials);
+ free(self->host);
+ free(self);
+ }
+ return status;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+ return -1;
+}
+
+static int
+amqp_ssl_verify(gnutls_session_t session)
+{
+ int ret;
+ unsigned int status, size;
+ const gnutls_datum_t *list;
+ gnutls_x509_crt_t cert = NULL;
+ struct amqp_ssl_socket_context *self = gnutls_session_get_ptr(session);
+ ret = gnutls_certificate_verify_peers2(session, &status);
+ if (0 > ret) {
+ goto error;
+ }
+ if (status & GNUTLS_CERT_INVALID) {
+ goto error;
+ }
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+ goto error;
+ }
+ if (status & GNUTLS_CERT_REVOKED) {
+ goto error;
+ }
+ if (status & GNUTLS_CERT_EXPIRED) {
+ goto error;
+ }
+ if (status & GNUTLS_CERT_NOT_ACTIVATED) {
+ goto error;
+ }
+ if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) {
+ goto error;
+ }
+ if (gnutls_x509_crt_init(&cert) < 0) {
+ goto error;
+ }
+ list = gnutls_certificate_get_peers(session, &size);
+ if (!list) {
+ goto error;
+ }
+ ret = gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER);
+ if (0 > ret) {
+ goto error;
+ }
+ if (!gnutls_x509_crt_check_hostname(cert, self->host)) {
+ goto error;
+ }
+ gnutls_x509_crt_deinit(cert);
+ return 0;
+error:
+ if (cert) {
+ gnutls_x509_crt_deinit (cert);
+ }
+ return GNUTLS_E_CERTIFICATE_ERROR;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+ const char *host,
+ int port,
+ const char *cacert,
+ const char *key,
+ const char *cert)
+{
+ struct amqp_ssl_socket_context *self;
+ const char *error;
+ int sockfd = -1;
+ int ret;
+ gnutls_global_init();
+ self = calloc(1, sizeof(*self));
+ if (!self) {
+ goto error;
+ }
+ self->host = strdup(host);
+ if (!self->host) {
+ goto error;
+ }
+ ret = gnutls_certificate_allocate_credentials(&self->credentials);
+ if (GNUTLS_E_SUCCESS != ret) {
+ goto error;
+ }
+ ret = gnutls_certificate_set_x509_trust_file(self->credentials,
+ cacert,
+ GNUTLS_X509_FMT_PEM);
+ if (0 > ret) {
+ goto error;
+ }
+ gnutls_certificate_set_verify_function(self->credentials,
+ amqp_ssl_verify);
+ if (key && cert) {
+ ret = gnutls_certificate_set_x509_key_file(
+ self->credentials, cert, key,
+ GNUTLS_X509_FMT_PEM);
+ if (0 > ret) {
+ goto error;
+ }
+ }
+ ret = gnutls_init(&self->session, GNUTLS_CLIENT);
+ if (GNUTLS_E_SUCCESS != ret) {
+ goto error;
+ }
+ gnutls_session_set_ptr(self->session, self);
+ ret = gnutls_priority_set_direct(self->session, "NORMAL", &error);
+ if (GNUTLS_E_SUCCESS != ret) {
+ goto error;
+ }
+ ret = gnutls_credentials_set(self->session, GNUTLS_CRD_CERTIFICATE,
+ self->credentials);
+ if (GNUTLS_E_SUCCESS != ret) {
+ goto error;
+ }
+ sockfd = amqp_open_socket(host, port);
+ if (0 > sockfd) {
+ goto error;
+ }
+ gnutls_transport_set_ptr(self->session, (gnutls_transport_ptr_t)sockfd);
+ do {
+ ret = gnutls_handshake(self->session);
+ } while (ret < 0 && !gnutls_error_is_fatal(ret));
+ amqp_set_sockfd_full(state, sockfd,
+ amqp_ssl_socket_writev,
+ amqp_ssl_socket_send,
+ amqp_ssl_socket_recv,
+ amqp_ssl_socket_close,
+ amqp_ssl_socket_error,
+ self);
+exit:
+ return sockfd;
+error:
+ amqp_ssl_socket_close(sockfd, self);
+ sockfd = -1;
+ goto exit;
+}
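Review bot: The result of the `gnutls_handshake` loop is never checked: when it exits with a fatal error (including the `GNUTLS_E_CERTIFICATE_ERROR` that `amqp_ssl_verify` returns), control falls through to `amqp_set_sockfd_full` and the function returns `sockfd` as if the handshake had succeeded, so certificate and hostname verification is not actually enforced. Add `if (ret < 0) { goto error; }` immediately after the `do { ... } while` loop. `amqp_ssl_verify` also depends on `gnutls_session_set_ptr` having run before the handshake to find `self->host`; a one-line comment on the `gnutls_certificate_set_verify_function` call noting that ordering would help the next reader.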
diff --git a/librabbitmq/amqp-openssl.c b/librabbitmq/amqp-openssl.c
new file mode 100644
index 0000000..d97aa4c
--- /dev/null
+++ b/librabbitmq/amqp-openssl.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp-ssl.h"
+#include "amqp_private.h"
+#include <ctype.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+struct amqp_ssl_socket_context {
+ BIO *bio;
+ SSL_CTX *ctx;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+ const void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ ssize_t sent;
+ struct amqp_ssl_socket_context *self = user_data;
+ ERR_clear_error();
+ sent = BIO_write(self->bio, buf, len);
+ if (0 > sent) {
+ SSL *ssl;
+ int error;
+ BIO_get_ssl(self->bio, &ssl);
+ error = SSL_get_error(ssl, sent);
+ switch (error) {
+ case SSL_ERROR_NONE:
+ case SSL_ERROR_ZERO_RETURN:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ sent = 0;
+ break;
+ }
+ }
+ return sent;
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+ const struct iovec *iov,
+ int iovcnt,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ char *buffer, *bufferp;
+ ssize_t written = -1;
+ size_t bytes;
+ int i;
+ bytes = 0;
+ for (i = 0; i < iovcnt; ++i) {
+ bytes += iov[i].iov_len;
+ }
+ buffer = malloc(bytes);
+ if (!buffer) {
+ goto exit;
+ }
+ bufferp = buffer;
+ for (i = 0; i < iovcnt; ++i) {
+ memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+ bufferp += iov[i].iov_len;
+ }
+ written = amqp_ssl_socket_send(sockfd, buffer, bytes, 0, self);
+exit:
+ free(buffer);
+ return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+ void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ ssize_t received;
+ ERR_clear_error();
+ received = BIO_read(self->bio, buf, len);
+ if (0 > received) {
+ SSL *ssl;
+ int error;
+ BIO_get_ssl(self->bio, &ssl);
+ error = SSL_get_error(ssl, received);
+ switch (error) {
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ received = 0;
+ break;
+ }
+ }
+ return received;
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ if (self) {
+ BIO_free_all(self->bio);
+ SSL_CTX_free(self->ctx);
+ free(self);
+ }
+ return 0 > sockfd ? -1 : 0;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+ return -1;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+ const char *host,
+ int port,
+ const char *cacert,
+ const char *key,
+ const char *cert)
+{
+ SSL *ssl;
+ X509 *peer;
+ long result;
+ X509_NAME *name;
+ X509_NAME_ENTRY *entry;
+ ASN1_STRING *entry_string;
+ struct amqp_ssl_socket_context *self;
+ int sockfd, status, pos, utf8_length;
+ unsigned char *utf8_value = NULL, *cp, ch;
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+ self = calloc(1, sizeof(*self));
+ if (!self) {
+ goto error;
+ }
+ self->ctx = SSL_CTX_new(SSLv23_client_method());
+ if (!self->ctx) {
+ goto error;
+ }
+ status = SSL_CTX_load_verify_locations(self->ctx, cacert, NULL);
+ if (1 != status) {
+ goto error;
+ }
+ if (key && cert) {
+ status = SSL_CTX_use_PrivateKey_file(self->ctx, key,
+ SSL_FILETYPE_PEM);
+ if (1 != status) {
+ goto error;
+ }
+ status = SSL_CTX_use_certificate_chain_file(self->ctx, cert);
+ if (1 != status) {
+ goto error;
+ }
+ }
+ self->bio = BIO_new_ssl_connect(self->ctx);
+ if (!self->bio) {
+ goto error;
+ }
+ BIO_get_ssl(self->bio, &ssl);
+ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ BIO_set_conn_hostname(self->bio, host);
+ BIO_set_conn_int_port(self->bio, &port);
+ status = BIO_do_connect(self->bio);
+ if (1 != status) {
+ goto error;
+ }
+ result = SSL_get_verify_result(ssl);
+ if (X509_V_OK != result) {
+ goto error;
+ }
+ peer = SSL_get_peer_certificate(ssl);
+ if (!peer) {
+ goto error;
+ }
+ name = X509_get_subject_name(peer);
+ if (!name) {
+ goto error;
+ }
+ pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (0 > pos) {
+ goto error;
+ }
+ entry = X509_NAME_get_entry(name, pos);
+ if (!entry) {
+ goto error;
+ }
+ entry_string = X509_NAME_ENTRY_get_data(entry);
+ if (!entry_string) {
+ goto error;
+ }
+ utf8_length = ASN1_STRING_to_UTF8(&utf8_value, entry_string);
+ if (0 > utf8_length) {
+ goto error;
+ }
+ while (utf8_length > 0 && utf8_value[utf8_length - 1] == 0) {
+ --utf8_length;
+ }
+ if (utf8_length >= 256) {
+ goto error;
+ }
+ if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+ goto error;
+ }
+ for (cp = utf8_value; (ch = *cp) != '\0'; ++cp) {
+ if (isascii(ch) && !isprint(ch)) {
+ goto error;
+ }
+ }
+ if (strcasecmp(host, (char *)utf8_value)) {
+ goto error;
+ }
+ sockfd = BIO_get_fd(self->bio, NULL);
+ amqp_set_sockfd_full(state, sockfd,
+ amqp_ssl_socket_writev,
+ amqp_ssl_socket_send,
+ amqp_ssl_socket_recv,
+ amqp_ssl_socket_close,
+ amqp_ssl_socket_error,
+ self);
+exit:
+ OPENSSL_free(utf8_value);
+ return sockfd;
+error:
+ OPENSSL_free(utf8_value);
+ amqp_ssl_socket_close(-1, self);
+ sockfd = -1;
+ goto exit;
+}
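Review bot: The `error:` path frees `utf8_value` and then jumps to `exit:`, which frees it again, so any failure after `ASN1_STRING_to_UTF8` (the length, printable-character and `strcasecmp` checks) double-frees the buffer; drop the `OPENSSL_free(utf8_value);` under `error:` and let `exit:` release it. `peer` from `SSL_get_peer_certificate` is a counted reference that is never released: initialise `X509 *peer = NULL;` and add `X509_free(peer);` under `exit:`. The hostname check inspects only the subject CN and ignores `subjectAltName`, so certificates carrying the host only as a DNS SAN are rejected; at minimum a comment stating that limitation belongs above the `NID_commonName` lookup. `strcasecmp` also needs `<strings.h>` on POSIX systems, which is not included here.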
diff --git a/librabbitmq/amqp-polarssl.c b/librabbitmq/amqp-polarssl.c
new file mode 100644
index 0000000..e55aa00
--- /dev/null
+++ b/librabbitmq/amqp-polarssl.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp-ssl.h"
+#include "amqp_private.h"
+#include <polarssl/ctr_drbg.h>
+#include <polarssl/entropy.h>
+#include <polarssl/net.h>
+#include <polarssl/ssl.h>
+#include <stdlib.h>
+
+struct amqp_ssl_socket_context {
+ int sockfd;
+ entropy_context *entropy;
+ ctr_drbg_context *ctr_drbg;
+ x509_cert *cacert;
+ rsa_context *key;
+ x509_cert *cert;
+ ssl_context *ssl;
+ ssl_session *session;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+ const void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ return ssl_write(self->ssl, buf, len);
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+ const struct iovec *iov,
+ int iovcnt,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ char *buffer, *bufferp;
+ ssize_t written = -1;
+ size_t bytes;
+ int i;
+ bytes = 0;
+ for (i = 0; i < iovcnt; ++i) {
+ bytes += iov[i].iov_len;
+ }
+ buffer = malloc(bytes);
+ if (!buffer) {
+ goto exit;
+ }
+ bufferp = buffer;
+ for (i = 0; i < iovcnt; ++i) {
+ memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+ bufferp += iov[i].iov_len;
+ }
+ written = ssl_write(self->ssl, (const unsigned char *)buffer, bytes);
+exit:
+ free(buffer);
+ return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+ void *buf,
+ size_t len,
+ AMQP_UNUSED int flags,
+ void *user_data)
+{
+ struct amqp_ssl_socket_context *self = user_data;
+ return ssl_read(self->ssl, buf, len);
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+ void *user_data)
+{
+ int status = -1;
+ struct amqp_ssl_socket_context *self = user_data;
+ if (self) {
+ free(self->entropy);
+ free(self->ctr_drbg);
+ x509_free(self->cacert);
+ free(self->cacert);
+ rsa_free(self->key);
+ free(self->key);
+ x509_free(self->cert);
+ free(self->cert);
+ ssl_free(self->ssl);
+ free(self->ssl);
+ free(self->session);
+ free(self);
+ if (self->sockfd >= 0) {
+ net_close(sockfd);
+ status = 0;
+ }
+ }
+ return status;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+ return -1;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+ const char *host,
+ int port,
+ const char *cacert,
+ const char *key,
+ const char *cert)
+{
+ int status;
+ struct amqp_ssl_socket_context *self;
+ self = calloc(1, sizeof(*self));
+ if (!self) {
+ goto error;
+ }
+ self->entropy = calloc(1, sizeof(*self->entropy));
+ if (!self->entropy) {
+ goto error;
+ }
+ self->sockfd = -1;
+ entropy_init(self->entropy);
+ self->ctr_drbg = calloc(1, sizeof(*self->ctr_drbg));
+ if (!self->ctr_drbg) {
+ goto error;
+ }
+ status = ctr_drbg_init(self->ctr_drbg, entropy_func, self->entropy,
+ NULL, 0);
+ if (status) {
+ goto error;
+ }
+ self->cacert = calloc(1, sizeof(*self->cacert));
+ if (!self->cacert) {
+ goto error;
+ }
+ status = x509parse_crtfile(self->cacert, cacert);
+ if (status) {
+ goto error;
+ }
+ if (key && cert) {
+ self->key = calloc(1, sizeof(*self->key));
+ if (!self->key) {
+ goto error;
+ }
+ status = x509parse_keyfile(self->key, key, NULL);
+ if (status) {
+ goto error;
+ }
+ self->cert = calloc(1, sizeof(*self->cert));
+ if (!self->cert) {
+ goto error;
+ }
+ status = x509parse_crtfile(self->cert, cert);
+ if (status) {
+ goto error;
+ }
+ }
+ status = net_connect(&self->sockfd, host, port);
+ if (status) {
+ goto error;
+ }
+ self->ssl = calloc(1, sizeof(*self->ssl));
+ if (!self->ssl) {
+ goto error;
+ }
+ status = ssl_init(self->ssl);
+ if (status) {
+ goto error;
+ }
+ ssl_set_endpoint(self->ssl, SSL_IS_CLIENT);
+ ssl_set_authmode(self->ssl, SSL_VERIFY_REQUIRED);
+ ssl_set_ca_chain(self->ssl, self->cacert, NULL, host);
+ ssl_set_rng(self->ssl, ctr_drbg_random, self->ctr_drbg);
+ ssl_set_bio(self->ssl, net_recv, &self->sockfd,
+ net_send, &self->sockfd);
+ ssl_set_ciphersuites(self->ssl, ssl_default_ciphersuites);
+ self->session = calloc(1, sizeof(*self->session));
+ if (!self->session) {
+ goto error;
+ }
+ ssl_set_session(self->ssl, 0, 0, self->session);
+ if (self->key && self->cert) {
+ ssl_set_own_cert(self->ssl, self->cert, self->key);
+ }
+ while (0 != (status = ssl_handshake(self->ssl))) {
+ switch (status) {
+ case POLARSSL_ERR_NET_WANT_READ:
+ case POLARSSL_ERR_NET_WANT_WRITE:
+ continue;
+ default:
+ goto error;
+ }
+ }
+ amqp_set_sockfd_full(state, self->sockfd,
+ amqp_ssl_socket_writev,
+ amqp_ssl_socket_send,
+ amqp_ssl_socket_recv,
+ amqp_ssl_socket_close,
+ amqp_ssl_socket_error,
+ self);
+ return self->sockfd;
+error:
+ amqp_ssl_socket_close(self->sockfd, self);
+ return -1;
+}
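Review bot: `amqp_ssl_socket_close` reads `self->sockfd` immediately after `free(self)`, a use-after-free on every close; move the `if (self->sockfd >= 0) { ... }` block above `free(self)`, and have it close `self->sockfd`, the descriptor the context owns, rather than the `sockfd` parameter (or assert the two agree). The `error:` label in `amqp_open_ssl_socket` dereferences `self->sockfd` even when the first `calloc` failed and `self` is `NULL`; use `amqp_ssl_socket_close(self ? self->sockfd : -1, self);`. The `entropy` and `ctr_drbg` state is released with a plain `free` and no PolarSSL-side cleanup, which I would confirm against the targeted PolarSSL version.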
diff --git a/librabbitmq/amqp-ssl.h b/librabbitmq/amqp-ssl.h
new file mode 100644
index 0000000..93a2b7a
--- /dev/null
+++ b/librabbitmq/amqp-ssl.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef AMQP_SSL_H
+#define AMQP_SSL_H
+
+#include <amqp.h>
+
+/**
+ * \brief Open an SSL connection to an AMQP broker.
+ *
+ * If successful this function will setup the AMQP connection state object
+ * for SSL/TLS communication. The caller of this function should not call
+ * amqp_set_sockfd() or amqp_set_sockfd_full() after calling this function,
+ * nor should the returned file descriptor be used directly for network I/O.
+ *
+ * \param state [in/out] An AMQP connection state object.
+ * \param host [in] The name of the host to connect to.
+ * \param port [in] The port to connect on.
+ * \param caert [in] Path the CA cert file in PEM format.
+ * \param key [in] Path to the client key in PEM format. (may be NULL)
+ * \param cert [in] Path to the client cert in PEM format. (may be NULL)
+ *
+ * \return A socket file-descriptor (-1 if an error occurred).
+ */
+AMQP_PUBLIC_FUNCTION
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+ const char *host,
+ int port,
+ const char *cacert,
+ const char *key,
+ const char *cert);
+
+#endif /* AMQP_SSL_H */
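Review bot: The doc comment names the parameter `caert` and reads "Path the CA cert file" while the prototype says `cacert`; fix to `\param cacert [in] Path to the CA cert file in PEM format.`. It should also state that `key` and `cert` are only used when both are non-NULL (every backend guards with `key && cert`), so passing one without the other silently disables client authentication, and that `cacert` is mandatory because every backend fails when it cannot be loaded.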
diff --git a/librabbitmq/amqp_private.h b/librabbitmq/amqp_private.h
index 192cbba..d0a5dac 100644
--- a/librabbitmq/amqp_private.h
+++ b/librabbitmq/amqp_private.h
@@ -48,10 +48,10 @@
* (i.e. where its number comes from) in the top bits of the number
* (assuming that an int has at least 32 bits).
*/
-#define ERROR_CATEGORY_MASK (1 << 29)
-
#define ERROR_CATEGORY_CLIENT (0 << 29) /* librabbitmq error codes */
#define ERROR_CATEGORY_OS (1 << 29) /* OS-specific error codes */
+#define ERROR_CATEGORY_SSL (1 << 28) /* SSL-specific error codes */
+#define ERROR_CATEGORY_MASK (ERROR_CATEGORY_OS | ERROR_CATEGORY_SSL)
/* librabbitmq error codes */
#define ERROR_NO_MEMORY 1
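Review bot: `ERROR_CATEGORY_SSL` is introduced here, but nothing in this commit produces an error in that category: all four backends return a bare `-1` from `amqp_open_ssl_socket`, so callers cannot tell a TLS failure from any other. Either the backends should return `-(ERROR_CATEGORY_SSL | code)` values, or a comment on the new define should say it is reserved for future use. Redefining `ERROR_CATEGORY_MASK` as `ERROR_CATEGORY_OS | ERROR_CATEGORY_SSL` also changes the value of any existing `err & ERROR_CATEGORY_MASK` comparison outside this hunk, which I cannot see from here and is worth checking in the error-string decoder.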
diff --git a/m4/polarssl.m4 b/m4/polarssl.m4
new file mode 100644
index 0000000..21f401f
--- /dev/null
+++ b/m4/polarssl.m4
@@ -0,0 +1,60 @@
+# polarssl.m4 - Check for PolarSSL
+#
+# Copyright 2012 Michael Steinert
+#
+# This file is free software; the copyright holder(s) give unlimited
+# permission to copy and/or distribute it, with or without modifications,
+# as long as this notice is preserved.
+
+#serial 1
+
+# _AX_LIB_POLARSSL
+# ----------------
+# Check for the PolarSSL library and header file. If found the cache variable
+# ax_cv_have_polarssl will be set to yes.
+AC_DEFUN([_AX_LIB_POLARSSL],
+[dnl
+ax_cv_have_polarssl=no
+_ax_polarssl_h=no
+_ax_polarssl_lib=no
+AC_ARG_VAR([POLARSSL_CFLAGS],
+ [C compiler flags for PolarSSL, overriding defaults])
+AC_ARG_VAR([POLARSSL_LIBS], [linker flags for PolarSSL, overriding defaults])
+AC_CHECK_HEADERS([polarssl/ssl.h],
+ [_ax_polarssl_h=yes],,
+ [$POLARSSL_CFLAGS])
+AS_IF([test "x$POLARSSL_LIBS" = "x"],
+ [AC_SEARCH_LIBS([entropy_init], [polarssl],
+ [POLARSSL_LIBS=-lpolarssl
+ _ax_polarssl_lib=yes])],
+ [_ax_polarssl_cflags=$CFLAGS
+ CFLAGS="$POLARSSL_CFLAGS $CFLAGS"
+ _ax_polarssl_ldflags=$LDFLAGS
+ LDFLAGS="$POLARSSL_LIBS $LDFLAGS"
+ AC_MSG_CHECKING([for libpolarssl])
+ AC_TRY_LINK([#include <polarssl/entropy.h>],
+ [entropy_init(NULL)],
+ [AC_MSG_RESULT([$POLARSSL_LIBS])
+ _ax_polarssl_lib=yes],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$_ax_polarssl_cflags
+ LDFLAGS=$_ax_polarssl_ldflags])
+AS_IF([test "x$_ax_polarssl_h" = "xyes" && \
+ test "x$_ax_polarssl_lib" = "xyes"],
+ [ax_cv_have_polarssl=yes])
+])dnl
+
+# AX_LIB_POLARSSL([ACTION-IF-TRUE], [ACTION-IF-FALSE])
+# ------------------------------------------------
+# Check if PolarSSL is installed. If found the variable ax_have_polarssl will
+# be set to yes.
+# ACTION-IF-TRUE: commands to execute if PolarSSL is installed
+# ACTION-IF-FALSE: commands to execute if PoloarSSL is not installed
+AC_DEFUN([AX_LIB_POLARSSL],
+[dnl
+AC_CACHE_VAL([ax_cv_have_polarssl], [_AX_LIB_POLARSSL])
+ax_have_polarssl=$ax_cv_have_polarssl
+AS_IF([test "x$ax_have_polarssl" = "xyes"],
+ [AC_DEFINE([HAVE_POLARSSL], [1], [Define to 1 if PolarSSL is available.])
+ $1], [$2])
+])dnl
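Review bot: `AC_TRY_LINK` is an obsolete macro; autoconf has recommended `AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <polarssl/entropy.h>]], [[entropy_init(NULL);]])], ...)` for a long time and `autoupdate` will flag it. The `POLARSSL_LIBS` branch carefully saves and restores `CFLAGS`/`LDFLAGS`, but the `AC_SEARCH_LIBS` branch on the other side leaves `LIBS` modified, so `-lpolarssl` ends up on every link line rather than only in `SSL_LIBS`; save and restore `LIBS` around it as well. Minor: "PoloarSSL" in the `AX_LIB_POLARSSL` header comment.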
diff --git a/tools/common.c b/tools/common.c
index 5cc54a4..35e9a2e 100644
--- a/tools/common.c
+++ b/tools/common.c
@@ -34,17 +34,15 @@
#include "config.h"
#endif
-/* needed for asnprintf */
+#include "common.h"
+#include <amqp-ssl.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
-#include <stdarg.h>
#include <string.h>
-
#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-
-#include "common.h"
#ifdef WINDOWS
#include "compat.h"
@@ -167,6 +165,12 @@ static int amqp_port = -1;
static char *amqp_vhost;
static char *amqp_username;
static char *amqp_password;
+#ifdef WITH_SSL
+static int amqp_ssl = 0;
+static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+static char *amqp_key = NULL;
+static char *amqp_cert = NULL;
+#endif /* WITH_SSL */
const char *connect_options_title = "Connection options";
struct poptOption connect_options[] = {
@@ -182,6 +186,16 @@ struct poptOption connect_options[] = {
"the username to login with", "username"},
{"password", 0, POPT_ARG_STRING, &amqp_password, 0,
"the password to login with", "password"},
+#ifdef WITH_SSL
+ {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0,
+ "connect over SSL/TLS", NULL},
+ {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+ "path to the CA certificate file", "cacert.pem"},
+ {"key", 0, POPT_ARG_STRING, &amqp_key, 0,
+ "path to the client private key file", "key.pem"},
+ {"cert", 0, POPT_ARG_STRING, &amqp_cert, 0,
+ "path to the client certificate file", "cert.pem"},
+#endif /* WITH_SSL */
{ NULL, '\0', 0, NULL, 0, NULL, NULL }
};
@@ -294,21 +308,24 @@ amqp_connection_state_t make_connection(void)
amqp_connection_state_t conn;
init_connection_info(&ci);
-
- s = amqp_open_socket(ci.host, ci.port);
- die_amqp_error(s, "opening socket to %s:%d", ci.host, ci.port);
-
conn = amqp_new_connection();
- amqp_set_sockfd(conn, s);
-
+#ifdef WITH_SSL
+ if (amqp_ssl) {
+ s = amqp_open_ssl_socket(conn, ci.host, ci.port, amqp_cacert,
+ amqp_key, amqp_cert);
+ } else
+#endif
+ {
+ s = amqp_open_socket(ci.host, ci.port);
+ amqp_set_sockfd(conn, s);
+ }
+ die_amqp_error(s, "opening socket to %s:%d", ci.host, ci.port);
die_rpc(amqp_login(conn, ci.vhost, 0, 131072, 0,
AMQP_SASL_METHOD_PLAIN,
ci.user, ci.password),
"logging in to AMQP server");
-
if (!amqp_channel_open(conn, 1))
die_rpc(amqp_get_rpc_reply(conn), "opening channel");
-
return conn;
}
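Review bot: `amqp_open_ssl_socket` reports failure as a bare `-1`, which now reaches the shared `die_amqp_error(s, ...)` call; if that helper decodes negative values as librabbitmq error codes, a TLS failure will be reported as `ERROR_NO_MEMORY` (value 1 in `amqp_private.h`) rather than as a certificate or handshake problem. Since the backends emit nothing more specific, I would at least branch on `amqp_ssl` and print a dedicated message for the SSL case. `--key` and `--cert` are also accepted independently although every backend ignores them unless both are set, so a user passing only one silently connects without client authentication; treat `(amqp_key == NULL) != (amqp_cert == NULL)` as a fatal usage error before connecting. `make_connection` begins before this hunk.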