From 5b2585dc118f3db07a70575da47503e24986f8e9 Mon Sep 17 00:00:00 2001 From: Michael Steinert Date: Thu, 24 May 2012 17:41:36 -0600 Subject: Implement SSL/TLS over CyaSSL, GnuTLS, OpenSSL & PolarSSL backends Signed-off-by: Michael Steinert --- Makefile.am | 26 ++++- configure.ac | 31 ++++++ librabbitmq/amqp-cyassl.c | 167 ++++++++++++++++++++++++++++ librabbitmq/amqp-gnutls.c | 244 +++++++++++++++++++++++++++++++++++++++++ librabbitmq/amqp-openssl.c | 261 ++++++++++++++++++++++++++++++++++++++++++++ librabbitmq/amqp-polarssl.c | 233 +++++++++++++++++++++++++++++++++++++++ librabbitmq/amqp-ssl.h | 54 +++++++++ librabbitmq/amqp_private.h | 4 +- m4/polarssl.m4 | 60 ++++++++++ tools/common.c | 47 +++++--- 10 files changed, 1108 insertions(+), 19 deletions(-) create mode 100644 librabbitmq/amqp-cyassl.c create mode 100644 librabbitmq/amqp-gnutls.c create mode 100644 librabbitmq/amqp-openssl.c create mode 100644 librabbitmq/amqp-polarssl.c create mode 100644 librabbitmq/amqp-ssl.h create mode 100644 m4/polarssl.m4 diff --git a/Makefile.am b/Makefile.am index 204f0c7..dd52d04 100644 --- a/Makefile.am +++ b/Makefile.am @@ -12,12 +12,30 @@ librabbitmq_librabbitmq_la_SOURCES = \ librabbitmq/amqp_table.c \ librabbitmq/amqp_url.c +if SSL_CYASSL +librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-cyassl.c +endif + +if SSL_GNUTLS +librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-gnutls.c +endif + +if SSL_OPENSSL +librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-openssl.c +endif + +if SSL_POLARSSL +librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp-polarssl.c +endif + librabbitmq_librabbitmq_la_CFLAGS = \ - -I$(top_srcdir)/librabbitmq + -I$(top_srcdir)/librabbitmq \ + $(SSL_CFLAGS) librabbitmq_librabbitmq_la_LDFLAGS = \ -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \ - $(NO_UNDEFINED) + $(NO_UNDEFINED) \ + $(SSL_LIBS) if OS_UNIX librabbitmq_librabbitmq_la_SOURCES += librabbitmq/unix/socket.c 
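Review bot: `$(SSL_LIBS)` is appended to `librabbitmq_librabbitmq_la_LDFLAGS`, but link libraries for a libtool library belong in `librabbitmq_librabbitmq_la_LIBADD`; in LDFLAGS they are emitted ahead of the object files and are not recorded as dependencies in the generated `.la`, which is exactly what `$(NO_UNDEFINED)` in the same variable relies on. Move it to `librabbitmq_librabbitmq_la_LIBADD = $(SSL_LIBS)`. Adding `$(SSL_CFLAGS)` to `_CFLAGS` is fine as is.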
@@ -36,6 +54,10 @@ include_HEADERS = \
 librabbitmq/amqp.h \
 librabbitmq/amqp_framing.h
 
+if SSL
+include_HEADERS += librabbitmq/amqp-ssl.h
+endif
+
 BUILT_SOURCES = \
 librabbitmq/amqp_framing.h \
 librabbitmq/amqp_framing.c
diff --git a/configure.ac b/configure.ac
index 211858e..348fa09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,6 +29,7 @@ m4_ifdef([AC_PROG_CC_C99], [AC_PROG_CC_C99],
 [AC_MSG_WARN([Attempt c99 workaround for old versions of autoconf])
 AC_PROG_CC
 AX_TRY_CFLAGS([-std=c99], [AX_CFLAGS([-std=c99])])])
+PKG_PROG_PKG_CONFIG([0.17])
 
 # Environment setup
 AC_CANONICAL_HOST
@@ -107,6 +108,35 @@ AS_IF([test "x$ac_cv_path_PYTHON" = "x"],
 AC_MSG_WARN([unable to rebuild AMQP framing])])
 AC_SUBST([PYTHON], [$ac_cv_path_PYTHON])
 
+# Configure SSL/TLS
+AC_ARG_WITH([ssl],
+ [AS_HELP_STRING([--with-ssl=@<:@cyassl/gnutls/no/openssl/polarssl/yes@:>@],
+ [enable SSL/TLS support @<:@default=openssl@:>@])],
+ [AS_CASE([$withval],
+ [yes], [with_ssl=openssl],
+ [*], [with_ssl=$withval])],
+ [with_ssl=openssl])
+
+AS_IF([test "x$with_ssl" = "xcyassl"],
+ [PKG_CHECK_MODULES([SSL], [libcyassl],, [with_ssl=no])],
+ [test "x$with_ssl" = "xgnutls"],
+ [PKG_CHECK_MODULES([SSL], [gnutls],, [with_ssl=no])],
+ [test "x$with_ssl" = "xopenssl"],
+ [PKG_CHECK_MODULES([SSL], [openssl >= 1.0.1a],, [with_ssl=no])],
+ [test "x$with_ssl" = "xpolarssl"],
+ [AX_LIB_POLARSSL([SSL_CFLAGS=$POLARSSL_CFLAGS
+ SSL_LIBS=$POLARSSL_LIBS],
+ [with_ssl=no])],
+ [test "x$with_ssl" = "xno"],,
+ [AC_MSG_ERROR([unknown SSL/TLS implementation: $with_ssl])])
+AM_CONDITIONAL([SSL_CYASSL], [test "x$with_ssl" = "xcyassl"])
+AM_CONDITIONAL([SSL_GNUTLS], [test "x$with_ssl" = "xgnutls"])
+AM_CONDITIONAL([SSL_OPENSSL], [test "x$with_ssl" = "xopenssl"])
+AM_CONDITIONAL([SSL_POLARSSL], [test "x$with_ssl" = "xpolarssl"])
+AM_CONDITIONAL([SSL], [test "x$with_ssl" != "xno"])
+AS_IF([test "x$with_ssl" != "xno"],
+ [AC_DEFINE([WITH_SSL], [1], [Define to 1 if SSL/TLS is enabled.])])
+
 # Configure AMQP command-line tools
 AC_ARG_ENABLE([tools],
 [AS_HELP_STRING([--enable-tools],
@@ -143,6 +173,7 @@ $PACKAGE_NAME build options:
 Host: $host
 Version: $VERSION
 64-bit: $enable_64_bit
+ SSL/TLS: $with_ssl
 Tools: $enable_tools
 Documentation: $enable_docs
 ])
diff --git a/librabbitmq/amqp-cyassl.c b/librabbitmq/amqp-cyassl.c
new file mode 100644
index 0000000..f8e4d40
--- /dev/null
+++ b/librabbitmq/amqp-cyassl.c
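Review bot: Every `PKG_CHECK_MODULES([SSL], …,, [with_ssl=no])` branch turns "library not found" into a silent downgrade: a user who explicitly passes `--with-ssl=gnutls` on a machine without the gnutls .pc file gets a build with no SSL/TLS at all, and only the summary line added to the build-options block reveals it. Because the backend was named explicitly, the not-found action should fail, e.g. `[AC_MSG_ERROR([gnutls requested but not found])]` in place of `[with_ssl=no]` in each branch (and in the `AX_LIB_POLARSSL` failure action); a silent fallback is defensible only for the implicit `openssl` default, and even there an `AC_MSG_WARN` would help. Note that with the default now `openssl`, a tree configured with no flags quietly builds without TLS whenever openssl ≥ 1.0.1a is not found.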
@@ -0,0 +1,167 @@ +/* + * Copyright 2012 Michael Steinert + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "amqp-ssl.h" +#include "amqp_private.h" +#include +#include + +struct amqp_ssl_socket_context { + CYASSL_CTX *ctx; + CYASSL *ssl; +}; + +static ssize_t +amqp_ssl_socket_send(AMQP_UNUSED int sockfd, + const void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + return CyaSSL_write(self->ssl, buf, len); +} + +static ssize_t +amqp_ssl_socket_writev(AMQP_UNUSED int sockfd, + const struct iovec *iov, + int iovcnt, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + char *buffer, *bufferp; + ssize_t written = -1; + size_t bytes; + int i; + bytes = 0; + for (i = 0; i < iovcnt; ++i) { + bytes += iov[i].iov_len; + } + buffer = malloc(bytes); + if (!buffer) { + goto exit; + } + bufferp = buffer; + for (i = 0; i < iovcnt; ++i) { + memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); + bufferp += iov[i].iov_len; + } + written = CyaSSL_write(self->ssl, buffer, bytes); +exit: + free(buffer); + return written; +} + +static ssize_t +amqp_ssl_socket_recv(AMQP_UNUSED int sockfd, + void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + return CyaSSL_read(self->ssl, buf, len); +} + +static int +amqp_ssl_socket_close(int sockfd, + void *user_data) +{ + int status = -1; + struct amqp_ssl_socket_context *self = user_data; + if (self) { + CyaSSL_free(self->ssl); + CyaSSL_CTX_free(self->ctx); + free(self); + } + if (sockfd >= 0) { + status = amqp_socket_close(sockfd, 0); + } + return status; +} + +static int +amqp_ssl_socket_error(AMQP_UNUSED void *user_data) +{ + return -1; +} + +int +amqp_open_ssl_socket(amqp_connection_state_t state, + const char *host, + int port, + const char *cacert, + const char *key, + const char *cert) +{ + int sockfd = -1, status; + struct amqp_ssl_socket_context *self; + CyaSSL_Init(); + self = calloc(1, sizeof(*self)); + if (!self) 
{ + goto error; + } + self->ctx = CyaSSL_CTX_new(CyaSSLv23_client_method()); + if (!self->ctx) { + goto error; + } + status = CyaSSL_CTX_load_verify_locations(self->ctx, cacert, NULL); + if (SSL_SUCCESS != status) { + goto error; + } + if (key && cert) { + status = CyaSSL_CTX_use_PrivateKey_file(self->ctx, key, + SSL_FILETYPE_PEM); + if (SSL_SUCCESS != status) { + goto error; + } + status = CyaSSL_CTX_use_certificate_chain_file(self->ctx, cert); + } + self->ssl = CyaSSL_new(self->ctx); + if (!self->ssl) { + goto error; + } + sockfd = amqp_open_socket(host, port); + if (0 > sockfd) { + goto error; + } + CyaSSL_set_fd(self->ssl, sockfd); + status = CyaSSL_connect(self->ssl); + if (SSL_SUCCESS != status) { + goto error; + } + amqp_set_sockfd_full(state, sockfd, + amqp_ssl_socket_writev, + amqp_ssl_socket_send, + amqp_ssl_socket_recv, + amqp_ssl_socket_close, + amqp_ssl_socket_error, + self); + return sockfd; +error: + amqp_ssl_socket_close(sockfd, self); + return -1; +} diff --git a/librabbitmq/amqp-gnutls.c b/librabbitmq/amqp-gnutls.c new file mode 100644 index 0000000..a435371 --- /dev/null +++ b/librabbitmq/amqp-gnutls.c 
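Review bot: amqp_open_ssl_socket never ties the verified chain to `host`: `CyaSSL_CTX_load_verify_locations` only installs the trust anchors, and nothing checks that the peer certificate was issued for the name being connected to, so any certificate signed by the configured CA is accepted for any host — the GnuTLS, OpenSSL and PolarSSL backends in this commit each do perform that check. CyaSSL provides `CyaSSL_check_domain_name(self->ssl, host)` to register the expected name so that `CyaSSL_connect` fails when the peer certificate does not match; call it after `CyaSSL_new` and treat a non-`SSL_SUCCESS` result as an error. In the same function the result of `CyaSSL_CTX_use_certificate_chain_file(self->ctx, cert)` is stored in `status` but never tested, unlike the key load just above it — add `if (SSL_SUCCESS != status) { goto error; }` there as well. The return of `CyaSSL_set_fd` is also ignored.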
@@ -0,0 +1,244 @@ +/* + * Copyright 2012 Michael Steinert + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "amqp_private.h" +#include "amqp-ssl.h" +#include +#include +#include + +struct amqp_ssl_socket_context { + gnutls_session_t session; + gnutls_certificate_credentials_t credentials; + char *host; +}; + +static ssize_t +amqp_ssl_socket_send(AMQP_UNUSED int sockfd, + const void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + return gnutls_record_send(self->session, buf, len); +} + +static ssize_t +amqp_ssl_socket_writev(AMQP_UNUSED int sockfd, + const struct iovec *iov, + int iovcnt, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + char *buffer, *bufferp; + ssize_t written = -1; + size_t bytes; + int i; + bytes = 0; + for (i = 0; i < iovcnt; ++i) { + bytes += iov[i].iov_len; + } + buffer = malloc(bytes); + if (!buffer) { + goto exit; + } + bufferp = buffer; + for (i = 0; i < iovcnt; ++i) { + memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); + bufferp += iov[i].iov_len; + } + written = gnutls_record_send(self->session, buffer, bytes); +exit: + free(buffer); + return written; +} + +static ssize_t +amqp_ssl_socket_recv(AMQP_UNUSED int sockfd, + void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + return gnutls_record_recv(self->session, buf, len); +} + +static int +amqp_ssl_socket_close(int sockfd, + void *user_data) +{ + int status = -1; + struct amqp_ssl_socket_context *self = user_data; + if (sockfd >= 0) { + status = amqp_socket_close(sockfd, 0); + } + if (self) { + gnutls_deinit(self->session); + gnutls_certificate_free_credentials(self->credentials); + free(self->host); + free(self); + } + return status; +} + +static int +amqp_ssl_socket_error(AMQP_UNUSED void *user_data) +{ + return -1; +} + +static int +amqp_ssl_verify(gnutls_session_t session) +{ + int ret; + unsigned int status, size; + const gnutls_datum_t *list; + 
gnutls_x509_crt_t cert = NULL; + struct amqp_ssl_socket_context *self = gnutls_session_get_ptr(session); + ret = gnutls_certificate_verify_peers2(session, &status); + if (0 > ret) { + goto error; + } + if (status & GNUTLS_CERT_INVALID) { + goto error; + } + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { + goto error; + } + if (status & GNUTLS_CERT_REVOKED) { + goto error; + } + if (status & GNUTLS_CERT_EXPIRED) { + goto error; + } + if (status & GNUTLS_CERT_NOT_ACTIVATED) { + goto error; + } + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) { + goto error; + } + if (gnutls_x509_crt_init(&cert) < 0) { + goto error; + } + list = gnutls_certificate_get_peers(session, &size); + if (!list) { + goto error; + } + ret = gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER); + if (0 > ret) { + goto error; + } + if (!gnutls_x509_crt_check_hostname(cert, self->host)) { + goto error; + } + gnutls_x509_crt_deinit(cert); + return 0; +error: + if (cert) { + gnutls_x509_crt_deinit (cert); + } + return GNUTLS_E_CERTIFICATE_ERROR; +} + +int +amqp_open_ssl_socket(amqp_connection_state_t state, + const char *host, + int port, + const char *cacert, + const char *key, + const char *cert) +{ + struct amqp_ssl_socket_context *self; + const char *error; + int sockfd = -1; + int ret; + gnutls_global_init(); + self = calloc(1, sizeof(*self)); + if (!self) { + goto error; + } + self->host = strdup(host); + if (!self->host) { + goto error; + } + ret = gnutls_certificate_allocate_credentials(&self->credentials); + if (GNUTLS_E_SUCCESS != ret) { + goto error; + } + ret = gnutls_certificate_set_x509_trust_file(self->credentials, + cacert, + GNUTLS_X509_FMT_PEM); + if (0 > ret) { + goto error; + } + gnutls_certificate_set_verify_function(self->credentials, + amqp_ssl_verify); + if (key && cert) { + ret = gnutls_certificate_set_x509_key_file( + self->credentials, cert, key, + GNUTLS_X509_FMT_PEM); + if (0 > ret) { + goto error; + } + } + ret = gnutls_init(&self->session, 
GNUTLS_CLIENT); + if (GNUTLS_E_SUCCESS != ret) { + goto error; + } + gnutls_session_set_ptr(self->session, self); + ret = gnutls_priority_set_direct(self->session, "NORMAL", &error); + if (GNUTLS_E_SUCCESS != ret) { + goto error; + } + ret = gnutls_credentials_set(self->session, GNUTLS_CRD_CERTIFICATE, + self->credentials); + if (GNUTLS_E_SUCCESS != ret) { + goto error; + } + sockfd = amqp_open_socket(host, port); + if (0 > sockfd) { + goto error; + } + gnutls_transport_set_ptr(self->session, (gnutls_transport_ptr_t)sockfd); + do { + ret = gnutls_handshake(self->session); + } while (ret < 0 && !gnutls_error_is_fatal(ret)); + amqp_set_sockfd_full(state, sockfd, + amqp_ssl_socket_writev, + amqp_ssl_socket_send, + amqp_ssl_socket_recv, + amqp_ssl_socket_close, + amqp_ssl_socket_error, + self); +exit: + return sockfd; +error: + amqp_ssl_socket_close(sockfd, self); + sockfd = -1; + goto exit; +} diff --git a/librabbitmq/amqp-openssl.c b/librabbitmq/amqp-openssl.c new file mode 100644 index 0000000..d97aa4c --- /dev/null +++ b/librabbitmq/amqp-openssl.c 
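Review bot: The handshake result is discarded: the `do { ret = gnutls_handshake(self->session); } while (ret < 0 && !gnutls_error_is_fatal(ret));` loop in amqp_open_ssl_socket exits on any fatal error — including the `GNUTLS_E_CERTIFICATE_ERROR` that amqp_ssl_verify returns for a bad chain or a hostname mismatch — and the code then installs the session with `amqp_set_sockfd_full` and returns the descriptor as if the connection were good. Add `if (GNUTLS_E_SUCCESS != ret) { goto error; }` immediately after the loop so a failed or rejected handshake takes the error path. A smaller point: on the early error paths `self->session` and `self->credentials` are still NULL (calloc or the trust-file load failed), so amqp_ssl_socket_close hands NULL to `gnutls_deinit` and `gnutls_certificate_free_credentials`; guard those calls unless the library version in use documents NULL as accepted.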
@@ -0,0 +1,261 @@ +/* + * Copyright 2012 Michael Steinert + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "amqp-ssl.h" +#include "amqp_private.h" +#include +#include +#include +#include +#include +#include +#include + +struct amqp_ssl_socket_context { + BIO *bio; + SSL_CTX *ctx; +}; + +static ssize_t +amqp_ssl_socket_send(AMQP_UNUSED int sockfd, + const void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + ssize_t sent; + struct amqp_ssl_socket_context *self = user_data; + ERR_clear_error(); + sent = BIO_write(self->bio, buf, len); + if (0 > sent) { + SSL *ssl; + int error; + BIO_get_ssl(self->bio, &ssl); + error = SSL_get_error(ssl, sent); + switch (error) { + case SSL_ERROR_NONE: + case SSL_ERROR_ZERO_RETURN: + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + sent = 0; + break; + } + } + return sent; +} + +static ssize_t +amqp_ssl_socket_writev(AMQP_UNUSED int sockfd, + const struct iovec *iov, + int iovcnt, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + char *buffer, *bufferp; + ssize_t written = -1; + size_t bytes; + int i; + bytes = 0; + for (i = 0; i < iovcnt; ++i) { + bytes += iov[i].iov_len; + } + buffer = malloc(bytes); + if (!buffer) { + goto exit; + } + bufferp = buffer; + for (i = 0; i < iovcnt; ++i) { + memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); + bufferp += iov[i].iov_len; + } + written = amqp_ssl_socket_send(sockfd, buffer, bytes, 0, self); +exit: + free(buffer); + return written; +} + +static ssize_t +amqp_ssl_socket_recv(AMQP_UNUSED int sockfd, + void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + ssize_t received; + ERR_clear_error(); + received = BIO_read(self->bio, buf, len); + if (0 > received) { + SSL *ssl; + int error; + BIO_get_ssl(self->bio, &ssl); + error = SSL_get_error(ssl, received); + switch (error) { + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + received = 0; + break; + } + } + return received; +} + +static int 
+amqp_ssl_socket_close(int sockfd, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + if (self) { + BIO_free_all(self->bio); + SSL_CTX_free(self->ctx); + free(self); + } + return 0 > sockfd ? -1 : 0; +} + +static int +amqp_ssl_socket_error(AMQP_UNUSED void *user_data) +{ + return -1; +} + +int +amqp_open_ssl_socket(amqp_connection_state_t state, + const char *host, + int port, + const char *cacert, + const char *key, + const char *cert) +{ + SSL *ssl; + X509 *peer; + long result; + X509_NAME *name; + X509_NAME_ENTRY *entry; + ASN1_STRING *entry_string; + struct amqp_ssl_socket_context *self; + int sockfd, status, pos, utf8_length; + unsigned char *utf8_value = NULL, *cp, ch; + SSL_library_init(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); + self = calloc(1, sizeof(*self)); + if (!self) { + goto error; + } + self->ctx = SSL_CTX_new(SSLv23_client_method()); + if (!self->ctx) { + goto error; + } + status = SSL_CTX_load_verify_locations(self->ctx, cacert, NULL); + if (1 != status) { + goto error; + } + if (key && cert) { + status = SSL_CTX_use_PrivateKey_file(self->ctx, key, + SSL_FILETYPE_PEM); + if (1 != status) { + goto error; + } + status = SSL_CTX_use_certificate_chain_file(self->ctx, cert); + if (1 != status) { + goto error; + } + } + self->bio = BIO_new_ssl_connect(self->ctx); + if (!self->bio) { + goto error; + } + BIO_get_ssl(self->bio, &ssl); + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + BIO_set_conn_hostname(self->bio, host); + BIO_set_conn_int_port(self->bio, &port); + status = BIO_do_connect(self->bio); + if (1 != status) { + goto error; + } + result = SSL_get_verify_result(ssl); + if (X509_V_OK != result) { + goto error; + } + peer = SSL_get_peer_certificate(ssl); + if (!peer) { + goto error; + } + name = X509_get_subject_name(peer); + if (!name) { + goto error; + } + pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1); + if (0 > pos) { + goto error; + } + entry = X509_NAME_get_entry(name, pos); + if (!entry) 
{ + goto error; + } + entry_string = X509_NAME_ENTRY_get_data(entry); + if (!entry_string) { + goto error; + } + utf8_length = ASN1_STRING_to_UTF8(&utf8_value, entry_string); + if (0 > utf8_length) { + goto error; + } + while (utf8_length > 0 && utf8_value[utf8_length - 1] == 0) { + --utf8_length; + } + if (utf8_length >= 256) { + goto error; + } + if ((size_t)utf8_length != strlen((char *)utf8_value)) { + goto error; + } + for (cp = utf8_value; (ch = *cp) != '\0'; ++cp) { + if (isascii(ch) && !isprint(ch)) { + goto error; + } + } + if (strcasecmp(host, (char *)utf8_value)) { + goto error; + } + sockfd = BIO_get_fd(self->bio, NULL); + amqp_set_sockfd_full(state, sockfd, + amqp_ssl_socket_writev, + amqp_ssl_socket_send, + amqp_ssl_socket_recv, + amqp_ssl_socket_close, + amqp_ssl_socket_error, + self); +exit: + OPENSSL_free(utf8_value); + return sockfd; +error: + OPENSSL_free(utf8_value); + amqp_ssl_socket_close(-1, self); + sockfd = -1; + goto exit; +} diff --git a/librabbitmq/amqp-polarssl.c b/librabbitmq/amqp-polarssl.c new file mode 100644 index 0000000..e55aa00 --- /dev/null +++ b/librabbitmq/amqp-polarssl.c 
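Review bot: amqp_open_ssl_socket checks the peer name against the subject commonName only: `X509_NAME_get_index_by_NID(name, NID_commonName, -1)` yields the first CN in the subject and no subjectAltName dNSName entries are consulted, so certificates that carry the host only in a SAN are rejected, while a certificate with several CN attributes is judged on the first rather than the last one, and wildcards are never matched. The usual approach is to read `X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL)` first and fall back to the CN only when no dNSName entries exist. Two resource issues in the same function: `peer = SSL_get_peer_certificate(ssl)` returns a reference that is never released, so initialise `peer = NULL` and add `X509_free(peer)` at the `exit:` label; and `SSLv23_client_method()` is used without disabling the legacy protocols, so consider `SSL_CTX_set_options(self->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` right after `SSL_CTX_new`. `sockfd` is only assigned on the success path and at `error:`; initialising it to -1 at declaration would make that explicit.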
@@ -0,0 +1,233 @@ +/* + * Copyright 2012 Michael Steinert + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "amqp-ssl.h" +#include "amqp_private.h" +#include +#include +#include +#include +#include + +struct amqp_ssl_socket_context { + int sockfd; + entropy_context *entropy; + ctr_drbg_context *ctr_drbg; + x509_cert *cacert; + rsa_context *key; + x509_cert *cert; + ssl_context *ssl; + ssl_session *session; +}; + +static ssize_t +amqp_ssl_socket_send(AMQP_UNUSED int sockfd, + const void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + return ssl_write(self->ssl, buf, len); +} + +static ssize_t +amqp_ssl_socket_writev(AMQP_UNUSED int sockfd, + const struct iovec *iov, + int iovcnt, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + char *buffer, *bufferp; + ssize_t written = -1; + size_t bytes; + int i; + bytes = 0; + for (i = 0; i < iovcnt; ++i) { + bytes += iov[i].iov_len; + } + buffer = malloc(bytes); + if (!buffer) { + goto exit; + } + bufferp = buffer; + for (i = 0; i < iovcnt; ++i) { + memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); + bufferp += iov[i].iov_len; + } + written = ssl_write(self->ssl, (const unsigned char *)buffer, bytes); +exit: + free(buffer); + return written; +} + +static ssize_t +amqp_ssl_socket_recv(AMQP_UNUSED int sockfd, + void *buf, + size_t len, + AMQP_UNUSED int flags, + void *user_data) +{ + struct amqp_ssl_socket_context *self = user_data; + return ssl_read(self->ssl, buf, len); +} + +static int +amqp_ssl_socket_close(int sockfd, + void *user_data) +{ + int status = -1; + struct amqp_ssl_socket_context *self = user_data; + if (self) { + free(self->entropy); + free(self->ctr_drbg); + x509_free(self->cacert); + free(self->cacert); + rsa_free(self->key); + free(self->key); + x509_free(self->cert); + free(self->cert); + ssl_free(self->ssl); + free(self->ssl); + free(self->session); + free(self); + if (self->sockfd >= 0) { + net_close(sockfd); + status = 0; + } + } + return 
status; +} + +static int +amqp_ssl_socket_error(AMQP_UNUSED void *user_data) +{ + return -1; +} + +int +amqp_open_ssl_socket(amqp_connection_state_t state, + const char *host, + int port, + const char *cacert, + const char *key, + const char *cert) +{ + int status; + struct amqp_ssl_socket_context *self; + self = calloc(1, sizeof(*self)); + if (!self) { + goto error; + } + self->entropy = calloc(1, sizeof(*self->entropy)); + if (!self->entropy) { + goto error; + } + self->sockfd = -1; + entropy_init(self->entropy); + self->ctr_drbg = calloc(1, sizeof(*self->ctr_drbg)); + if (!self->ctr_drbg) { + goto error; + } + status = ctr_drbg_init(self->ctr_drbg, entropy_func, self->entropy, + NULL, 0); + if (status) { + goto error; + } + self->cacert = calloc(1, sizeof(*self->cacert)); + if (!self->cacert) { + goto error; + } + status = x509parse_crtfile(self->cacert, cacert); + if (status) { + goto error; + } + if (key && cert) { + self->key = calloc(1, sizeof(*self->key)); + if (!self->key) { + goto error; + } + status = x509parse_keyfile(self->key, key, NULL); + if (status) { + goto error; + } + self->cert = calloc(1, sizeof(*self->cert)); + if (!self->cert) { + goto error; + } + status = x509parse_crtfile(self->cert, cert); + if (status) { + goto error; + } + } + status = net_connect(&self->sockfd, host, port); + if (status) { + goto error; + } + self->ssl = calloc(1, sizeof(*self->ssl)); + if (!self->ssl) { + goto error; + } + status = ssl_init(self->ssl); + if (status) { + goto error; + } + ssl_set_endpoint(self->ssl, SSL_IS_CLIENT); + ssl_set_authmode(self->ssl, SSL_VERIFY_REQUIRED); + ssl_set_ca_chain(self->ssl, self->cacert, NULL, host); + ssl_set_rng(self->ssl, ctr_drbg_random, self->ctr_drbg); + ssl_set_bio(self->ssl, net_recv, &self->sockfd, + net_send, &self->sockfd); + ssl_set_ciphersuites(self->ssl, ssl_default_ciphersuites); + self->session = calloc(1, sizeof(*self->session)); + if (!self->session) { + goto error; + } + ssl_set_session(self->ssl, 0, 0, 
self->session); + if (self->key && self->cert) { + ssl_set_own_cert(self->ssl, self->cert, self->key); + } + while (0 != (status = ssl_handshake(self->ssl))) { + switch (status) { + case POLARSSL_ERR_NET_WANT_READ: + case POLARSSL_ERR_NET_WANT_WRITE: + continue; + default: + goto error; + } + } + amqp_set_sockfd_full(state, self->sockfd, + amqp_ssl_socket_writev, + amqp_ssl_socket_send, + amqp_ssl_socket_recv, + amqp_ssl_socket_close, + amqp_ssl_socket_error, + self); + return self->sockfd; +error: + amqp_ssl_socket_close(self->sockfd, self); + return -1; +} diff --git a/librabbitmq/amqp-ssl.h b/librabbitmq/amqp-ssl.h new file mode 100644 index 0000000..93a2b7a --- /dev/null +++ b/librabbitmq/amqp-ssl.h 
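Review bot: amqp_ssl_socket_close reads `self->sockfd` after `free(self)`: the `if (self->sockfd >= 0)` test runs on freed memory, and the branch then closes the `sockfd` parameter rather than the field it tested. Move the socket close ahead of the frees and test the parameter, `if (sockfd >= 0) { net_close(sockfd); status = 0; }`, then release the contexts and `free(self)` last. In amqp_open_ssl_socket the `error:` label evaluates `amqp_ssl_socket_close(self->sockfd, self)`, which dereferences NULL when the initial `calloc` failed; pass -1 (or test `self` first) there. The same error path also hands `x509_free`, `rsa_free` and `ssl_free` members that are still NULL whenever an earlier step failed — confirm these PolarSSL routines accept NULL, otherwise guard each call.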
@@ -0,0 +1,54 @@ +/* + * Copyright 2012 Michael Steinert + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef AMQP_SSL_H +#define AMQP_SSL_H + +#include + +/** + * \brief Open an SSL connection to an AMQP broker. + * + * If successful this function will setup the AMQP connection state object + * for SSL/TLS communication. The caller of this function should not call + * amqp_set_sockfd() or amqp_set_sockfd_full() after calling this function, + * nor should the returned file descriptor be used directly for network I/O. + * + * \param state [in/out] An AMQP connection state object. + * \param host [in] The name of the host to connect to. + * \param port [in] The port to connect on. + * \param caert [in] Path the CA cert file in PEM format. + * \param key [in] Path to the client key in PEM format. (may be NULL) + * \param cert [in] Path to the client cert in PEM format. 
(may be NULL) + * + * \return A socket file-descriptor (-1 if an error occurred). + */ +AMQP_PUBLIC_FUNCTION +int +amqp_open_ssl_socket(amqp_connection_state_t state, + const char *host, + int port, + const char *cacert, + const char *key, + const char *cert); + +#endif /* AMQP_SSL_H */ diff --git a/librabbitmq/amqp_private.h b/librabbitmq/amqp_private.h index 192cbba..d0a5dac 100644 --- a/librabbitmq/amqp_private.h +++ b/librabbitmq/amqp_private.h @@ -48,10 +48,10 @@ * (i.e. where its number comes from) in the top bits of the number * (assuming that an int has at least 32 bits). */ -#define ERROR_CATEGORY_MASK (1 << 29) - #define ERROR_CATEGORY_CLIENT (0 << 29) /* librabbitmq error codes */ #define ERROR_CATEGORY_OS (1 << 29) /* OS-specific error codes */ +#define ERROR_CATEGORY_SSL (1 << 28) /* SSL-specific error codes */ +#define ERROR_CATEGORY_MASK (ERROR_CATEGORY_OS | ERROR_CATEGORY_SSL) /* librabbitmq error codes */ #define ERROR_NO_MEMORY 1 diff --git a/m4/polarssl.m4 b/m4/polarssl.m4 new file mode 100644 index 0000000..21f401f --- /dev/null +++ b/m4/polarssl.m4 
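Review bot: The parameter documentation names `caert` while the prototype declares `cacert`, and the sentence drops a word; change it to `\param cacert [in] Path to the CA cert file in PEM format.`. It would also help callers to state that `key` and `cert` are only loaded when both are non-NULL — all four backends in this commit test `if (key && cert)` and silently ignore a lone key or certificate — e.g. `\note key and cert are only used when both are given.`.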
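Review bot: `ERROR_CATEGORY_SSL` is introduced but nothing in this commit produces an error in that category — all four backends return a bare -1 from amqp_open_ssl_socket and from amqp_ssl_socket_error — so callers still cannot tell an SSL failure from any other; either leave the bit out until a backend returns `-(ERROR_CATEGORY_SSL | code)` values, or have them do so now. Widening `ERROR_CATEGORY_MASK` to two bits also affects whichever function outside this hunk maps `err & ERROR_CATEGORY_MASK` to a message: a `switch` on the masked value will need an `ERROR_CATEGORY_SSL` case (I cannot see that code from here).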
@@ -0,0 +1,60 @@
+# polarssl.m4 - Check for PolarSSL
+#
+# Copyright 2012 Michael Steinert
+#
+# This file is free software; the copyright holder(s) give unlimited
+# permission to copy and/or distribute it, with or without modifications,
+# as long as this notice is preserved.
+
+#serial 1
+
+# _AX_LIB_POLARSSL
+# ----------------
+# Check for the PolarSSL library and header file. If found the cache variable
+# ax_cv_have_polarssl will be set to yes.
+AC_DEFUN([_AX_LIB_POLARSSL],
+[dnl
+ax_cv_have_polarssl=no
+_ax_polarssl_h=no
+_ax_polarssl_lib=no
+AC_ARG_VAR([POLARSSL_CFLAGS],
+ [C compiler flags for PolarSSL, overriding defaults])
+AC_ARG_VAR([POLARSSL_LIBS], [linker flags for PolarSSL, overriding defaults])
+AC_CHECK_HEADERS([polarssl/ssl.h],
+ [_ax_polarssl_h=yes],,
+ [$POLARSSL_CFLAGS])
+AS_IF([test "x$POLARSSL_LIBS" = "x"],
+ [AC_SEARCH_LIBS([entropy_init], [polarssl],
+ [POLARSSL_LIBS=-lpolarssl
+ _ax_polarssl_lib=yes])],
+ [_ax_polarssl_cflags=$CFLAGS
+ CFLAGS="$POLARSSL_CFLAGS $CFLAGS"
+ _ax_polarssl_ldflags=$LDFLAGS
+ LDFLAGS="$POLARSSL_LIBS $LDFLAGS"
+ AC_MSG_CHECKING([for libpolarssl])
+ AC_TRY_LINK([#include ],
+ [entropy_init(NULL)],
+ [AC_MSG_RESULT([$POLARSSL_LIBS])
+ _ax_polarssl_lib=yes],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$_ax_polarssl_cflags
+ LDFLAGS=$_ax_polarssl_ldflags])
+AS_IF([test "x$_ax_polarssl_h" = "xyes" && \
+ test "x$_ax_polarssl_lib" = "xyes"],
+ [ax_cv_have_polarssl=yes])
+])dnl
+
+# AX_LIB_POLARSSL([ACTION-IF-TRUE], [ACTION-IF-FALSE])
+# ------------------------------------------------
+# Check if PolarSSL is installed. If found the variable ax_have_polarssl will
+# be set to yes.
+# ACTION-IF-TRUE: commands to execute if PolarSSL is installed
+# ACTION-IF-FALSE: commands to execute if PoloarSSL is not installed
+AC_DEFUN([AX_LIB_POLARSSL],
+[dnl
+AC_CACHE_VAL([ax_cv_have_polarssl], [_AX_LIB_POLARSSL])
+ax_have_polarssl=$ax_cv_have_polarssl
+AS_IF([test "x$ax_have_polarssl" = "xyes"],
+ [AC_DEFINE([HAVE_POLARSSL], [1], [Define to 1 if PolarSSL is available.])
+ $1], [$2])
+])dnl
diff --git a/tools/common.c b/tools/common.c
index 5cc54a4..35e9a2e 100644
--- a/tools/common.c
+++ b/tools/common.c
@@ -34,17 +34,15 @@
 #include "config.h"
 #endif
 
-/* needed for asnprintf */
+#include "common.h"
+#include
+#include
+#include
+#include
 #include
 #include
-#include
 #include
-
 #include
-#include
-#include
-
-#include "common.h"
 
 #ifdef WINDOWS
 #include "compat.h"
@@ -167,6 +165,12 @@ static int amqp_port = -1;
 static char *amqp_vhost;
 static char *amqp_username;
 static char *amqp_password;
+#ifdef WITH_SSL
+static int amqp_ssl = 0;
+static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+static char *amqp_key = NULL;
+static char *amqp_cert = NULL;
+#endif /* WITH_SSL */
 
 const char *connect_options_title = "Connection options";
 struct poptOption connect_options[] = {
@@ -182,6 +186,16 @@ struct poptOption connect_options[] = {
 "the username to login with", "username"},
 {"password", 0, POPT_ARG_STRING, &amqp_password, 0,
 "the password to login with", "password"},
+#ifdef WITH_SSL
+ {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0,
+ "connect over SSL/TLS", NULL},
+ {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+ "path to the CA certificate file", "cacert.pem"},
+ {"key", 0, POPT_ARG_STRING, &amqp_key, 0,
+ "path to the client private key file", "key.pem"},
+ {"cert", 0, POPT_ARG_STRING, &amqp_cert, 0,
+ "path to the client certificate file", "cert.pem"},
+#endif /* WITH_SSL */
 { NULL, '\0', 0, NULL, 0, NULL, NULL }
 };
 
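Review bot: In the empty-`POLARSSL_LIBS` branch of `_AX_LIB_POLARSSL`, `AC_SEARCH_LIBS([entropy_init], [polarssl], …)` prepends `-lpolarssl` to the global `LIBS` as a side effect, so every program in the tree — not just the library that sets `SSL_LIBS` — ends up linked against PolarSSL; `AC_CHECK_LIB([polarssl], [entropy_init], [POLARSSL_LIBS=-lpolarssl _ax_polarssl_lib=yes])` with an explicit action-if-found leaves `LIBS` untouched. `AC_TRY_LINK` in the other branch is an obsolete macro that `autoupdate` flags; the equivalent is `AC_LINK_IFELSE([AC_LANG_PROGRAM([the same #include], [entropy_init(NULL)])], …)`. The comment on `AX_LIB_POLARSSL` has a typo, `PoloarSSL` for `PolarSSL`.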
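Review bot: `amqp_cacert` defaults to the hard-coded `"/etc/ssl/certs/cacert.pem"`, a path that exists on few systems; when it is absent every backend's trust-store load fails and `--ssl` cannot connect without `--cacert`, which is fail-closed but surprising, and the option help does not mention the default. Either document it, `"path to the CA certificate file (default: /etc/ssl/certs/cacert.pem)"`, or default to NULL and let the backend use the library's system store. `--key` and `--cert` are also accepted independently while the backends only load them when both are present, so a user passing just one gets a connection with no client authentication and no message; reject one without the other after option parsing.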
@@ -294,21 +308,24 @@ amqp_connection_state_t make_connection(void) amqp_connection_state_t conn; init_connection_info(&ci); - - s = amqp_open_socket(ci.host, ci.port); - die_amqp_error(s, "opening socket to %s:%d", ci.host, ci.port); - conn = amqp_new_connection(); - amqp_set_sockfd(conn, s); - +#ifdef WITH_SSL + if (amqp_ssl) { + s = amqp_open_ssl_socket(conn, ci.host, ci.port, amqp_cacert, + amqp_key, amqp_cert); + } else +#endif + { + s = amqp_open_socket(ci.host, ci.port); + amqp_set_sockfd(conn, s); + } + die_amqp_error(s, "opening socket to %s:%d", ci.host, ci.port); die_rpc(amqp_login(conn, ci.vhost, 0, 131072, 0, AMQP_SASL_METHOD_PLAIN, ci.user, ci.password), "logging in to AMQP server"); - if (!amqp_channel_open(conn, 1)) die_rpc(amqp_get_rpc_reply(conn), "opening channel"); - return conn; } -- cgit v1.2.1
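Review bot: When `amqp_ssl` is set and `amqp_open_ssl_socket` fails, `s` is a bare -1 and `die_amqp_error(s, "opening socket to %s:%d", …)` will presumably format `-s` through amqp_error_string, which for 1 is the no-memory error rather than anything about TLS (inferred; the helper and the rest of make_connection, including the declarations of `s` and `ci`, lie outside the hunk) — the SSL backends in this commit return no error category, so the message cannot be specific until they do. The `#ifdef WITH_SSL` / `} else` / `#endif` / `{` arrangement is hard to read, because the brace block after `#endif` is an else-branch only when WITH_SSL is defined; a plain `if (amqp_ssl) { … } else { … }` under `#ifdef WITH_SSL` with an `#else` branch holding the non-SSL call, or a small static `open_connection_socket(&ci, conn)` helper, would read as ordinary C.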