Implement SSL/TLS over CyaSSL, GnuTLS, OpenSSL & PolarSSL backends

Signed-off-by: Michael Steinert <mike.steinert@gmail.com>
author: Michael Steinert <mike.steinert@gmail.com> 2012-05-24 17:41:36 -0600
committer: Alan Antonuk <alan.antonuk@gmail.com> 2013-04-09 15:22:59 -0700
commit: 91dbd7a9da38385308c02a4e94a18dd976179c2b (patch)
tree: 445b94e36dbc8e1207936a1d149c280fcb39434c /librabbitmq
parent: 795c1240c9fb09c42bcdc45d5a8d44e6a406ee9c (diff)
download: rabbitmq-c-github-ask-91dbd7a9da38385308c02a4e94a18dd976179c2b.tar.gz
6 files changed, 961 insertions, 2 deletions
diff --git a/librabbitmq/amqp-cyassl.c b/librabbitmq/amqp-cyassl.c
new file mode 100644
index 0000000..f8e4d40
--- /dev/null
+++ b/librabbitmq/amqp-cyassl.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp-ssl.h"
+#include "amqp_private.h"
+#include <cyassl/ssl.h>
+#include <stdlib.h>
+
+struct amqp_ssl_socket_context {
+	CYASSL_CTX *ctx;
+	CYASSL *ssl;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+		     const void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	return CyaSSL_write(self->ssl, buf, len);
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+		       const struct iovec *iov,
+		       int iovcnt,
+		       void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	char *buffer, *bufferp;
+	ssize_t written = -1;
+	size_t bytes;
+	int i;
+	bytes = 0;
+	for (i = 0; i < iovcnt; ++i) {
+		bytes += iov[i].iov_len;
+	}
+	buffer = malloc(bytes);
+	if (!buffer) {
+		goto exit;
+	}
+	bufferp = buffer;
+	for (i = 0; i < iovcnt; ++i) {
+		memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+		bufferp += iov[i].iov_len;
+	}
+	written = CyaSSL_write(self->ssl, buffer, bytes);
+exit:
+	free(buffer);
+	return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+		     void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	return CyaSSL_read(self->ssl, buf, len);
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+		      void *user_data)
+{
+	int status = -1;
+	struct amqp_ssl_socket_context *self = user_data;
+	if (self) {
+		CyaSSL_free(self->ssl);
+		CyaSSL_CTX_free(self->ctx);
+		free(self);
+	}
+	if (sockfd >= 0) {
+		status = amqp_socket_close(sockfd, 0);
+	}
+	return status;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+	return -1;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+		     const char *host,
+		     int port,
+		     const char *cacert,
+		     const char *key,
+		     const char *cert)
+{
+	int sockfd = -1, status;
+	struct amqp_ssl_socket_context *self;
+	CyaSSL_Init();
+	self = calloc(1, sizeof(*self));
+	if (!self) {
+		goto error;
+	}
+	self->ctx = CyaSSL_CTX_new(CyaSSLv23_client_method());
+	if (!self->ctx) {
+		goto error;
+	}
+	status = CyaSSL_CTX_load_verify_locations(self->ctx, cacert, NULL);
+	if (SSL_SUCCESS != status) {
+		goto error;
+	}
+	if (key && cert) {
+		status = CyaSSL_CTX_use_PrivateKey_file(self->ctx, key,
+							SSL_FILETYPE_PEM);
+		if (SSL_SUCCESS != status) {
+			goto error;
+		}
+		status = CyaSSL_CTX_use_certificate_chain_file(self->ctx, cert);
+	}
+	self->ssl = CyaSSL_new(self->ctx);
+	if (!self->ssl) {
+		goto error;
+	}
+	sockfd = amqp_open_socket(host, port);
+	if (0 > sockfd) {
+		goto error;
+	}
+	CyaSSL_set_fd(self->ssl, sockfd);
+	status = CyaSSL_connect(self->ssl);
+	if (SSL_SUCCESS != status) {
+		goto error;
+	}
+	amqp_set_sockfd_full(state, sockfd,
+			     amqp_ssl_socket_writev,
+			     amqp_ssl_socket_send,
+			     amqp_ssl_socket_recv,
+			     amqp_ssl_socket_close,
+			     amqp_ssl_socket_error,
+			     self);
+	return sockfd;
+error:
+	amqp_ssl_socket_close(sockfd, self);
+	return -1;
+}
diff --git a/librabbitmq/amqp-gnutls.c b/librabbitmq/amqp-gnutls.c
new file mode 100644
index 0000000..a435371
--- /dev/null
+++ b/librabbitmq/amqp-gnutls.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp_private.h"
+#include "amqp-ssl.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <stdlib.h>
+
+struct amqp_ssl_socket_context {
+	gnutls_session_t session;
+	gnutls_certificate_credentials_t credentials;
+	char *host;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+		     const void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	return gnutls_record_send(self->session, buf, len);
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+		       const struct iovec *iov,
+		       int iovcnt,
+		       void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	char *buffer, *bufferp;
+	ssize_t written = -1;
+	size_t bytes;
+	int i;
+	bytes = 0;
+	for (i = 0; i < iovcnt; ++i) {
+		bytes += iov[i].iov_len;
+	}
+	buffer = malloc(bytes);
+	if (!buffer) {
+		goto exit;
+	}
+	bufferp = buffer;
+	for (i = 0; i < iovcnt; ++i) {
+		memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+		bufferp += iov[i].iov_len;
+	}
+	written = gnutls_record_send(self->session, buffer, bytes);
+exit:
+	free(buffer);
+	return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+		     void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	return gnutls_record_recv(self->session, buf, len);
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+		      void *user_data)
+{
+	int status = -1;
+	struct amqp_ssl_socket_context *self = user_data;
+	if (sockfd >= 0) {
+		status = amqp_socket_close(sockfd, 0);
+	}
+	if (self) {
+		gnutls_deinit(self->session);
+		gnutls_certificate_free_credentials(self->credentials);
+		free(self->host);
+		free(self);
+	}
+	return status;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+	return -1;
+}
+
+static int
+amqp_ssl_verify(gnutls_session_t session)
+{
+	int ret;
+	unsigned int status, size;
+	const gnutls_datum_t *list;
+	gnutls_x509_crt_t cert = NULL;
+	struct amqp_ssl_socket_context *self = gnutls_session_get_ptr(session);
+	ret = gnutls_certificate_verify_peers2(session, &status);
+	if (0 > ret) {
+		goto error;
+	}
+	if (status & GNUTLS_CERT_INVALID) {
+		goto error;
+	}
+	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+		goto error;
+	}
+	if (status & GNUTLS_CERT_REVOKED) {
+		goto error;
+	}
+	if (status & GNUTLS_CERT_EXPIRED) {
+		goto error;
+	}
+	if (status & GNUTLS_CERT_NOT_ACTIVATED) {
+		goto error;
+	}
+	if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) {
+		goto error;
+	}
+	if (gnutls_x509_crt_init(&cert) < 0) {
+		goto error;
+	}
+	list = gnutls_certificate_get_peers(session, &size);
+	if (!list) {
+		goto error;
+	}
+	ret = gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER);
+	if (0 > ret) {
+		goto error;
+	}
+	if (!gnutls_x509_crt_check_hostname(cert, self->host)) {
+		goto error;
+	}
+	gnutls_x509_crt_deinit(cert);
+	return 0;
+error:
+	if (cert) {
+		gnutls_x509_crt_deinit (cert);
+	}
+	return GNUTLS_E_CERTIFICATE_ERROR;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+		     const char *host,
+		     int port,
+		     const char *cacert,
+		     const char *key,
+		     const char *cert)
+{
+	struct amqp_ssl_socket_context *self;
+	const char *error;
+	int sockfd = -1;
+	int ret;
+	gnutls_global_init();
+	self = calloc(1, sizeof(*self));
+	if (!self) {
+		goto error;
+	}
+	self->host = strdup(host);
+	if (!self->host) {
+		goto error;
+	}
+	ret = gnutls_certificate_allocate_credentials(&self->credentials);
+	if (GNUTLS_E_SUCCESS != ret) {
+		goto error;
+	}
+	ret = gnutls_certificate_set_x509_trust_file(self->credentials,
+							cacert,
+							GNUTLS_X509_FMT_PEM);
+	if (0 > ret) {
+		goto error;
+	}
+	gnutls_certificate_set_verify_function(self->credentials,
+					       amqp_ssl_verify);
+	if (key && cert) {
+		ret = gnutls_certificate_set_x509_key_file(
+				self->credentials, cert, key,
+				GNUTLS_X509_FMT_PEM);
+		if (0 > ret) {
+			goto error;
+		}
+	}
+	ret = gnutls_init(&self->session, GNUTLS_CLIENT);
+	if (GNUTLS_E_SUCCESS != ret) {
+		goto error;
+	}
+	gnutls_session_set_ptr(self->session, self);
+	ret = gnutls_priority_set_direct(self->session, "NORMAL", &error);
+	if (GNUTLS_E_SUCCESS != ret) {
+		goto error;
+	}
+	ret = gnutls_credentials_set(self->session, GNUTLS_CRD_CERTIFICATE,
+				     self->credentials);
+	if (GNUTLS_E_SUCCESS != ret) {
+		goto error;
+	}
+	sockfd = amqp_open_socket(host, port);
+	if (0 > sockfd) {
+		goto error;
+	}
+	gnutls_transport_set_ptr(self->session, (gnutls_transport_ptr_t)sockfd);
+	do {
+		ret = gnutls_handshake(self->session);
+	} while (ret < 0 && !gnutls_error_is_fatal(ret));
+	amqp_set_sockfd_full(state, sockfd,
+			     amqp_ssl_socket_writev,
+			     amqp_ssl_socket_send,
+			     amqp_ssl_socket_recv,
+			     amqp_ssl_socket_close,
+			     amqp_ssl_socket_error,
+			     self);
+exit:
+	return sockfd;
+error:
+	amqp_ssl_socket_close(sockfd, self);
+	sockfd = -1;
+	goto exit;
+}
diff --git a/librabbitmq/amqp-openssl.c b/librabbitmq/amqp-openssl.c
new file mode 100644
index 0000000..d97aa4c
--- /dev/null
+++ b/librabbitmq/amqp-openssl.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp-ssl.h"
+#include "amqp_private.h"
+#include <ctype.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+struct amqp_ssl_socket_context {
+	BIO *bio;
+	SSL_CTX *ctx;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+		     const void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	ssize_t sent;
+	struct amqp_ssl_socket_context *self = user_data;
+	ERR_clear_error();
+	sent = BIO_write(self->bio, buf, len);
+	if (0 > sent) {
+		SSL *ssl;
+		int error;
+		BIO_get_ssl(self->bio, &ssl);
+		error = SSL_get_error(ssl, sent);
+		switch (error) {
+		case SSL_ERROR_NONE:
+		case SSL_ERROR_ZERO_RETURN:
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			sent = 0;
+			break;
+		}
+	}
+	return sent;
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+		       const struct iovec *iov,
+		       int iovcnt,
+		       void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	char *buffer, *bufferp;
+	ssize_t written = -1;
+	size_t bytes;
+	int i;
+	bytes = 0;
+	for (i = 0; i < iovcnt; ++i) {
+		bytes += iov[i].iov_len;
+	}
+	buffer = malloc(bytes);
+	if (!buffer) {
+		goto exit;
+	}
+	bufferp = buffer;
+	for (i = 0; i < iovcnt; ++i) {
+		memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+		bufferp += iov[i].iov_len;
+	}
+	written = amqp_ssl_socket_send(sockfd, buffer, bytes, 0, self);
+exit:
+	free(buffer);
+	return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+		     void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	ssize_t received;
+	ERR_clear_error();
+	received = BIO_read(self->bio, buf, len);
+	if (0 > received) {
+		SSL *ssl;
+		int error;
+		BIO_get_ssl(self->bio, &ssl);
+		error = SSL_get_error(ssl, received);
+		switch (error) {
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			received = 0;
+			break;
+		}
+	}
+	return received;
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+		      void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	if (self) {
+		BIO_free_all(self->bio);
+		SSL_CTX_free(self->ctx);
+		free(self);
+	}
+	return 0 > sockfd ? -1 : 0;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+	return -1;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+		     const char *host,
+		     int port,
+		     const char *cacert,
+		     const char *key,
+		     const char *cert)
+{
+	SSL *ssl;
+	X509 *peer;
+	long result;
+	X509_NAME *name;
+	X509_NAME_ENTRY *entry;
+	ASN1_STRING *entry_string;
+	struct amqp_ssl_socket_context *self;
+	int sockfd, status, pos, utf8_length;
+	unsigned char *utf8_value = NULL, *cp, ch;
+	SSL_library_init();
+	SSL_load_error_strings();
+	OpenSSL_add_all_algorithms();
+	self = calloc(1, sizeof(*self));
+	if (!self) {
+		goto error;
+	}
+	self->ctx = SSL_CTX_new(SSLv23_client_method());
+	if (!self->ctx) {
+		goto error;
+	}
+	status = SSL_CTX_load_verify_locations(self->ctx, cacert, NULL);
+	if (1 != status) {
+		goto error;
+	}
+	if (key && cert) {
+		status = SSL_CTX_use_PrivateKey_file(self->ctx, key,
+						     SSL_FILETYPE_PEM);
+		if (1 != status) {
+			goto error;
+		}
+		status = SSL_CTX_use_certificate_chain_file(self->ctx, cert);
+		if (1 != status) {
+			goto error;
+		}
+	}
+	self->bio = BIO_new_ssl_connect(self->ctx);
+	if (!self->bio) {
+		goto error;
+	}
+	BIO_get_ssl(self->bio, &ssl);
+	SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+	BIO_set_conn_hostname(self->bio, host);
+	BIO_set_conn_int_port(self->bio, &port);
+	status = BIO_do_connect(self->bio);
+	if (1 != status) {
+		goto error;
+	}
+	result = SSL_get_verify_result(ssl);
+	if (X509_V_OK != result) {
+		goto error;
+	}
+	peer = SSL_get_peer_certificate(ssl);
+	if (!peer) {
+		goto error;
+	}
+	name = X509_get_subject_name(peer);
+	if (!name) {
+		goto error;
+	}
+	pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+	if (0 > pos) {
+		goto error;
+	}
+	entry = X509_NAME_get_entry(name, pos);
+	if (!entry) {
+		goto error;
+	}
+	entry_string = X509_NAME_ENTRY_get_data(entry);
+	if (!entry_string) {
+		goto error;
+	}
+	utf8_length = ASN1_STRING_to_UTF8(&utf8_value, entry_string);
+	if (0 > utf8_length) {
+		goto error;
+	}
+	while (utf8_length > 0 && utf8_value[utf8_length - 1] == 0) {
+		--utf8_length;
+	}
+	if (utf8_length >= 256) {
+		goto error;
+	}
+	if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+		goto error;
+	}
+	for (cp = utf8_value; (ch = *cp) != '\0'; ++cp) {
+		if (isascii(ch) && !isprint(ch)) {
+			goto error;
+		}
+	}
+	if (strcasecmp(host, (char *)utf8_value)) {
+		goto error;
+	}
+	sockfd = BIO_get_fd(self->bio, NULL);
+	amqp_set_sockfd_full(state, sockfd,
+			     amqp_ssl_socket_writev,
+			     amqp_ssl_socket_send,
+			     amqp_ssl_socket_recv,
+			     amqp_ssl_socket_close,
+			     amqp_ssl_socket_error,
+			     self);
+exit:
+	OPENSSL_free(utf8_value);
+	return sockfd;
+error:
+	OPENSSL_free(utf8_value);
+	amqp_ssl_socket_close(-1, self);
+	sockfd = -1;
+	goto exit;
+}
diff --git a/librabbitmq/amqp-polarssl.c b/librabbitmq/amqp-polarssl.c
new file mode 100644
index 0000000..e55aa00
--- /dev/null
+++ b/librabbitmq/amqp-polarssl.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "amqp-ssl.h"
+#include "amqp_private.h"
+#include <polarssl/ctr_drbg.h>
+#include <polarssl/entropy.h>
+#include <polarssl/net.h>
+#include <polarssl/ssl.h>
+#include <stdlib.h>
+
+struct amqp_ssl_socket_context {
+	int sockfd;
+	entropy_context *entropy;
+	ctr_drbg_context *ctr_drbg;
+	x509_cert *cacert;
+	rsa_context *key;
+	x509_cert *cert;
+	ssl_context *ssl;
+	ssl_session *session;
+};
+
+static ssize_t
+amqp_ssl_socket_send(AMQP_UNUSED int sockfd,
+		     const void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	return ssl_write(self->ssl, buf, len);
+}
+
+static ssize_t
+amqp_ssl_socket_writev(AMQP_UNUSED int sockfd,
+		       const struct iovec *iov,
+		       int iovcnt,
+		       void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	char *buffer, *bufferp;
+	ssize_t written = -1;
+	size_t bytes;
+	int i;
+	bytes = 0;
+	for (i = 0; i < iovcnt; ++i) {
+		bytes += iov[i].iov_len;
+	}
+	buffer = malloc(bytes);
+	if (!buffer) {
+		goto exit;
+	}
+	bufferp = buffer;
+	for (i = 0; i < iovcnt; ++i) {
+		memcpy(bufferp, iov[i].iov_base, iov[i].iov_len);
+		bufferp += iov[i].iov_len;
+	}
+	written = ssl_write(self->ssl, (const unsigned char *)buffer, bytes);
+exit:
+	free(buffer);
+	return written;
+}
+
+static ssize_t
+amqp_ssl_socket_recv(AMQP_UNUSED int sockfd,
+		     void *buf,
+		     size_t len,
+		     AMQP_UNUSED int flags,
+		     void *user_data)
+{
+	struct amqp_ssl_socket_context *self = user_data;
+	return ssl_read(self->ssl, buf, len);
+}
+
+static int
+amqp_ssl_socket_close(int sockfd,
+		      void *user_data)
+{
+	int status = -1;
+	struct amqp_ssl_socket_context *self = user_data;
+	if (self) {
+		free(self->entropy);
+		free(self->ctr_drbg);
+		x509_free(self->cacert);
+		free(self->cacert);
+		rsa_free(self->key);
+		free(self->key);
+		x509_free(self->cert);
+		free(self->cert);
+		ssl_free(self->ssl);
+		free(self->ssl);
+		free(self->session);
+		free(self);
+		if (self->sockfd >= 0) {
+			net_close(sockfd);
+			status = 0;
+		}
+	}
+	return status;
+}
+
+static int
+amqp_ssl_socket_error(AMQP_UNUSED void *user_data)
+{
+	return -1;
+}
+
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+		     const char *host,
+		     int port,
+		     const char *cacert,
+		     const char *key,
+		     const char *cert)
+{
+	int status;
+	struct amqp_ssl_socket_context *self;
+	self = calloc(1, sizeof(*self));
+	if (!self) {
+		goto error;
+	}
+	self->entropy = calloc(1, sizeof(*self->entropy));
+	if (!self->entropy) {
+		goto error;
+	}
+	self->sockfd = -1;
+	entropy_init(self->entropy);
+	self->ctr_drbg = calloc(1, sizeof(*self->ctr_drbg));
+	if (!self->ctr_drbg) {
+		goto error;
+	}
+	status = ctr_drbg_init(self->ctr_drbg, entropy_func, self->entropy,
+			       NULL, 0);
+	if (status) {
+		goto error;
+	}
+	self->cacert = calloc(1, sizeof(*self->cacert));
+	if (!self->cacert) {
+		goto error;
+	}
+	status = x509parse_crtfile(self->cacert, cacert);
+	if (status) {
+		goto error;
+	}
+	if (key && cert) {
+		self->key = calloc(1, sizeof(*self->key));
+		if (!self->key) {
+			goto error;
+		}
+		status = x509parse_keyfile(self->key, key, NULL);
+		if (status) {
+			goto error;
+		}
+		self->cert = calloc(1, sizeof(*self->cert));
+		if (!self->cert) {
+			goto error;
+		}
+		status = x509parse_crtfile(self->cert, cert);
+		if (status) {
+			goto error;
+		}
+	}
+	status = net_connect(&self->sockfd, host, port);
+	if (status) {
+		goto error;
+	}
+	self->ssl = calloc(1, sizeof(*self->ssl));
+	if (!self->ssl) {
+		goto error;
+	}
+	status = ssl_init(self->ssl);
+	if (status) {
+		goto error;
+	}
+	ssl_set_endpoint(self->ssl, SSL_IS_CLIENT);
+	ssl_set_authmode(self->ssl, SSL_VERIFY_REQUIRED);
+	ssl_set_ca_chain(self->ssl, self->cacert, NULL, host);
+	ssl_set_rng(self->ssl, ctr_drbg_random, self->ctr_drbg);
+	ssl_set_bio(self->ssl, net_recv, &self->sockfd,
+		    net_send, &self->sockfd);
+	ssl_set_ciphersuites(self->ssl, ssl_default_ciphersuites);
+	self->session = calloc(1, sizeof(*self->session));
+	if (!self->session) {
+		goto error;
+	}
+	ssl_set_session(self->ssl, 0, 0, self->session);
+	if (self->key && self->cert) {
+		ssl_set_own_cert(self->ssl, self->cert, self->key);
+	}
+	while (0 != (status = ssl_handshake(self->ssl))) {
+		switch (status) {
+		case POLARSSL_ERR_NET_WANT_READ:
+		case POLARSSL_ERR_NET_WANT_WRITE:
+			continue;
+		default:
+			goto error;
+		}
+	}
+	amqp_set_sockfd_full(state, self->sockfd,
+			     amqp_ssl_socket_writev,
+			     amqp_ssl_socket_send,
+			     amqp_ssl_socket_recv,
+			     amqp_ssl_socket_close,
+			     amqp_ssl_socket_error,
+			     self);
+	return self->sockfd;
+error:
+	amqp_ssl_socket_close(self->sockfd, self);
+	return -1;
+}
diff --git a/librabbitmq/amqp-ssl.h b/librabbitmq/amqp-ssl.h
new file mode 100644
index 0000000..93a2b7a
--- /dev/null
+++ b/librabbitmq/amqp-ssl.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2012 Michael Steinert
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef AMQP_SSL_H
+#define AMQP_SSL_H
+
+#include <amqp.h>
+
+/**
+ * \brief Open an SSL connection to an AMQP broker.
+ *
+ * If successful this function will setup the AMQP connection state object
+ * for SSL/TLS communication. The caller of this function should not call
+ * amqp_set_sockfd() or amqp_set_sockfd_full() after calling this function,
+ * nor should the returned file descriptor be used directly for network I/O.
+ *
+ * \param state [in/out] An AMQP connection state object.
+ * \param host [in] The name of the host to connect to.
+ * \param port [in] The port to connect on.
+ * \param caert [in] Path the CA cert file in PEM format.
+ * \param key [in] Path to the client key in PEM format. (may be NULL)
+ * \param cert [in] Path to the client cert in PEM format. (may be NULL)
+ *
+ * \return A socket file-descriptor (-1 if an error occurred).
+ */
+AMQP_PUBLIC_FUNCTION
+int
+amqp_open_ssl_socket(amqp_connection_state_t state,
+		     const char *host,
+		     int port,
+		     const char *cacert,
+		     const char *key,
+		     const char *cert);
+
+#endif /* AMQP_SSL_H */
diff --git a/librabbitmq/amqp_private.h b/librabbitmq/amqp_private.h
index b28d7bb..e362ed6 100644
--- a/librabbitmq/amqp_private.h
+++ b/librabbitmq/amqp_private.h
@@ -52,10 +52,10 @@
  * (i.e. where its number comes from) in the top bits of the number
  * (assuming that an int has at least 32 bits).
  */
-#define ERROR_CATEGORY_MASK (1 << 29)
-
 #define ERROR_CATEGORY_CLIENT (0 << 29) /* librabbitmq error codes */
 #define ERROR_CATEGORY_OS (1 << 29) /* OS-specific error codes */
+#define ERROR_CATEGORY_SSL (1 << 28) /* SSL-specific error codes */
+#define ERROR_CATEGORY_MASK (ERROR_CATEGORY_OS | ERROR_CATEGORY_SSL)
 
 /* librabbitmq error codes */
 #define ERROR_NO_MEMORY 1
author	Michael Steinert <mike.steinert@gmail.com>	2012-05-24 17:41:36 -0600
committer	Alan Antonuk <alan.antonuk@gmail.com>	2013-04-09 15:22:59 -0700
commit	91dbd7a9da38385308c02a4e94a18dd976179c2b (patch)
tree	445b94e36dbc8e1207936a1d149c280fcb39434c /librabbitmq
parent	795c1240c9fb09c42bcdc45d5a8d44e6a406ee9c (diff)
download	rabbitmq-c-github-ask-91dbd7a9da38385308c02a4e94a18dd976179c2b.tar.gz