You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

333 lines
9.4 KiB

  1. --- a/src/libwaitress/waitress.h
  2. +++ b/src/libwaitress/waitress.h
  3. @@ -27,7 +27,12 @@ THE SOFTWARE.
  4. #include <stdlib.h>
  5. #include <unistd.h>
  6. #include <stdbool.h>
  7. +
  8. +#if defined(USE_POLARSSL)
  9. +typedef struct _polarssl_ctx polarssl_ctx;
  10. +#else
  11. #include <gnutls/gnutls.h>
  12. +#endif
  13. #define LIBWAITRESS_NAME "libwaitress"
  14. @@ -102,8 +107,9 @@ typedef struct {
  15. WaitressUrl_t url;
  16. WaitressUrl_t proxy;
  17. +#if !defined(USE_POLARSSL)
  18. gnutls_certificate_credentials_t tlsCred;
  19. -
  20. +#endif
  21. /* per-request data */
  22. struct {
  23. int sockfd;
  24. @@ -121,7 +127,11 @@ typedef struct {
  25. WaitressReturn_t (*read) (void *, char *, const size_t, size_t *);
  26. WaitressReturn_t (*write) (void *, const char *, const size_t);
  27. +#if defined(USE_POLARSSL)
  28. + polarssl_ctx* sslCtx;
  29. +#else
  30. gnutls_session_t tlsSession;
  31. +#endif
  32. } request;
  33. } WaitressHandle_t;
  34. --- a/src/pianod.c
  35. +++ b/src/pianod.c
  36. @@ -531,8 +531,11 @@ static bool initialize_libraries (APPSTA
  37. gcry_check_version (NULL);
  38. gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
  39. gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
  40. +
  41. +#if !defined(USE_POLARSSL)
  42. int crystatus = gnutls_global_init ();
  43. if (crystatus == GNUTLS_E_SUCCESS) {
  44. +#endif
  45. PianoReturn_t status = PianoInit (&app->ph, app->settings.partnerUser, app->settings.partnerPassword,
  46. app->settings.device, app->settings.inkey, app->settings.outkey);
  47. if (status == PIANO_RET_OK) {
  48. @@ -545,11 +548,13 @@ static bool initialize_libraries (APPSTA
  49. } else {
  50. flog (LOG_ERROR, "initialize_libraries: PianoInit: %s", PianoErrorToStr (status));
  51. }
  52. +#if !defined(USE_POLARSSL)
  53. gnutls_global_deinit ();
  54. } else {
  55. flog (LOG_ERROR, "initialize_libraries: gnutls_global_init: %s", gcry_strerror (crystatus));
  56. }
  57. +#endif
  58. return false;
  59. }
  60. @@ -728,7 +733,9 @@ int main (int argc, char **argv) {
  61. PianoDestroyPlaylist (app.song_history);
  62. PianoDestroyPlaylist (app.playlist);
  63. WaitressFree (&app.waith);
  64. +#if !defined(USE_POLARSSL)
  65. gnutls_global_deinit ();
  66. +#endif
  67. settings_destroy (&app.settings);
  68. }
  69. --- a/src/libwaitress/waitress.c
  70. +++ b/src/libwaitress/waitress.c
  71. @@ -41,11 +41,33 @@ THE SOFTWARE.
  72. #include <assert.h>
  73. #include <stdint.h>
  74. -#include <gnutls/x509.h>
  75. #include "config.h"
  76. #include "waitress.h"
  77. +#if defined(USE_POLARSSL)
  78. +
  79. +#include <polarssl/ssl.h>
  80. +#include <polarssl/entropy.h>
  81. +#include <polarssl/ctr_drbg.h>
  82. +#include <polarssl/x509.h>
  83. +#include <polarssl/sha1.h>
  84. +
  85. +struct _polarssl_ctx
  86. +{
  87. + ssl_context ssl;
  88. + ssl_session session;
  89. + entropy_context entrophy;
  90. + ctr_drbg_context rnd;
  91. +};
  92. +
  93. +#else
  94. +
  95. +// Use gnutls by default (USE_POLARSSL not defined)
  96. +#include <gnutls/x509.h>
  97. +
  98. +#endif
  99. +
  100. #define strcaseeq(a,b) (strcasecmp(a,b) == 0)
  101. #define WAITRESS_HTTP_VERSION "1.1"
  102. @@ -56,6 +78,13 @@ typedef struct {
  103. static WaitressReturn_t WaitressReceiveHeaders (WaitressHandle_t *, size_t *);
  104. +// gnutls wants (void *) and polarssl want (unsigned char *)
  105. +#if defined(USE_POLARSSL)
  106. +#define BUFFER_CAST unsigned char
  107. +#else
  108. +#define BUFFER_CAST void
  109. +#endif
  110. +
  111. #define READ_RET(buf, count, size) \
  112. if ((wRet = waith->request.read (waith, buf, count, size)) != \
  113. WAITRESS_RET_OK) { \
  114. @@ -444,7 +473,7 @@ static int WaitressPollLoop (int fd, sho
  115. * @param write count bytes
  116. * @return number of written bytes or -1 on error
  117. */
  118. -static ssize_t WaitressPollWrite (void *data, const void *buf, size_t count) {
  119. +static ssize_t WaitressPollWrite (void *data, const BUFFER_CAST *buf, size_t count) {
  120. int pollres = -1;
  121. ssize_t retSize;
  122. WaitressHandle_t *waith = data;
  123. @@ -478,13 +507,20 @@ static WaitressReturn_t WaitressOrdinary
  124. return waith->request.readWriteRet;
  125. }
  126. -static WaitressReturn_t WaitressGnutlsWrite (void *data, const char *buf,
  127. +static WaitressReturn_t WaitressTlsWrite (void *data, const char *buf,
  128. const size_t size) {
  129. WaitressHandle_t *waith = data;
  130. +#if defined(USE_POLARSSL)
  131. +
  132. + if (ssl_write (&waith->request.sslCtx->ssl, buf, size) < 0) {
  133. + return WAITRESS_RET_TLS_WRITE_ERR;
  134. + }
  135. +#else
  136. if (gnutls_record_send (waith->request.tlsSession, buf, size) < 0) {
  137. return WAITRESS_RET_TLS_WRITE_ERR;
  138. }
  139. +#endif
  140. return waith->request.readWriteRet;
  141. }
  142. @@ -494,7 +530,7 @@ static WaitressReturn_t WaitressGnutlsWr
  143. * @param buffer size
  144. * @return number of read bytes or -1 on error
  145. */
  146. -static ssize_t WaitressPollRead (void *data, void *buf, size_t count) {
  147. +static ssize_t WaitressPollRead (void *data, BUFFER_CAST *buf, size_t count) {
  148. int pollres = -1;
  149. ssize_t retSize;
  150. WaitressHandle_t *waith = data;
  151. @@ -531,16 +567,34 @@ static WaitressReturn_t WaitressOrdinary
  152. return waith->request.readWriteRet;
  153. }
  154. -static WaitressReturn_t WaitressGnutlsRead (void *data, char *buf,
  155. +static WaitressReturn_t WaitressTlsRead (void *data, char *buf,
  156. const size_t size, size_t *retSize) {
  157. WaitressHandle_t *waith = data;
  158. +#if defined(USE_POLARSSL)
  159. + int ret;
  160. +
  161. + *retSize = 0;
  162. + waith->request.readWriteRet = WAITRESS_RET_OK;
  163. + ret = ssl_read (&waith->request.sslCtx->ssl, buf, size);
  164. +
  165. + if (ret < 0) {
  166. + if (ret != POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) {
  167. + waith->request.readWriteRet = WAITRESS_RET_TLS_READ_ERR;
  168. + }
  169. +
  170. + return waith->request.readWriteRet;
  171. + }
  172. +
  173. + *retSize = ret;
  174. +#else
  175. ssize_t ret = gnutls_record_recv (waith->request.tlsSession, buf, size);
  176. if (ret < 0) {
  177. return WAITRESS_RET_TLS_READ_ERR;
  178. } else {
  179. *retSize = ret;
  180. }
  181. +#endif
  182. return waith->request.readWriteRet;
  183. }
  184. @@ -727,10 +781,28 @@ static int WaitressParseStatusline (cons
  185. /* verify server certificate
  186. */
  187. static WaitressReturn_t WaitressTlsVerify (const WaitressHandle_t *waith) {
  188. +
  189. +#if defined(USE_POLARSSL)
  190. + unsigned char fingerprint[20];
  191. +
  192. + const x509_crt* cert = ssl_get_peer_cert (&waith->request.sslCtx->ssl);
  193. +
  194. + if (NULL == cert) {
  195. + return WAITRESS_RET_TLS_HANDSHAKE_ERR;
  196. + }
  197. +
  198. + sha1 (cert->raw.p, cert->raw.len, fingerprint);
  199. +
  200. + if (memcmp (fingerprint, waith->tlsFingerprint, sizeof (fingerprint)) != 0) {
  201. + return WAITRESS_RET_TLS_FINGERPRINT_MISMATCH;
  202. + }
  203. +
  204. +#else
  205. gnutls_session_t session = waith->request.tlsSession;
  206. unsigned int certListSize;
  207. const gnutls_datum_t *certList;
  208. gnutls_x509_crt_t cert;
  209. + char fingerprint[20];
  210. if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
  211. return WAITRESS_RET_TLS_HANDSHAKE_ERR;
  212. @@ -750,7 +822,6 @@ static WaitressReturn_t WaitressTlsVerif
  213. return WAITRESS_RET_TLS_HANDSHAKE_ERR;
  214. }
  215. - char fingerprint[20];
  216. size_t fingerprintSize = sizeof (fingerprint);
  217. if (gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, fingerprint,
  218. &fingerprintSize) != 0) {
  219. @@ -763,7 +834,7 @@ static WaitressReturn_t WaitressTlsVerif
  220. }
  221. gnutls_x509_crt_deinit (cert);
  222. -
  223. +#endif
  224. return WAITRESS_RET_OK;
  225. }
  226. @@ -876,6 +947,12 @@ static WaitressReturn_t WaitressConnect
  227. }
  228. }
  229. +#if defined(USE_POLARSSL)
  230. + ssl_set_hostname (&waith->request.sslCtx->ssl, waith->url.host);
  231. + if (ssl_handshake (&waith->request.sslCtx->ssl) != 0) {
  232. + return WAITRESS_RET_TLS_HANDSHAKE_ERR;
  233. + }
  234. +#else
  235. /* Ignore return code as connection will likely still succeed */
  236. gnutls_server_name_set (waith->request.tlsSession, GNUTLS_NAME_DNS,
  237. waith->url.host, strlen (waith->url.host));
  238. @@ -883,14 +960,15 @@ static WaitressReturn_t WaitressConnect
  239. if (gnutls_handshake (waith->request.tlsSession) != GNUTLS_E_SUCCESS) {
  240. return WAITRESS_RET_TLS_HANDSHAKE_ERR;
  241. }
  242. +#endif
  243. if ((wRet = WaitressTlsVerify (waith)) != WAITRESS_RET_OK) {
  244. return wRet;
  245. }
  246. /* now we can talk encrypted */
  247. - waith->request.read = WaitressGnutlsRead;
  248. - waith->request.write = WaitressGnutlsWrite;
  249. + waith->request.read = WaitressTlsRead;
  250. + waith->request.write = WaitressTlsWrite;
  251. }
  252. return WAITRESS_RET_OK;
  253. @@ -1116,6 +1194,21 @@ WaitressReturn_t WaitressFetchCall (Wait
  254. waith->request.contentLengthKnown = false;
  255. if (waith->url.tls) {
  256. +#if defined(USE_POLARSSL)
  257. + waith->request.sslCtx = calloc (1, sizeof(polarssl_ctx));
  258. +
  259. + entropy_init (&waith->request.sslCtx->entrophy);
  260. + ctr_drbg_init (&waith->request.sslCtx->rnd, entropy_func, &waith->request.sslCtx->entrophy, "libwaitress", 11);
  261. + ssl_init (&waith->request.sslCtx->ssl);
  262. +
  263. + ssl_set_endpoint (&waith->request.sslCtx->ssl, SSL_IS_CLIENT);
  264. + ssl_set_authmode (&waith->request.sslCtx->ssl, SSL_VERIFY_NONE);
  265. + ssl_set_rng (&waith->request.sslCtx->ssl, ctr_drbg_random, &waith->request.sslCtx->rnd);
  266. + ssl_set_session (&waith->request.sslCtx->ssl, &waith->request.sslCtx->session);
  267. + ssl_set_bio (&waith->request.sslCtx->ssl,
  268. + WaitressPollRead, waith,
  269. + WaitressPollWrite, waith);
  270. +#else
  271. gnutls_init (&waith->request.tlsSession, GNUTLS_CLIENT);
  272. gnutls_set_default_priority (waith->request.tlsSession);
  273. @@ -1133,6 +1226,7 @@ WaitressReturn_t WaitressFetchCall (Wait
  274. WaitressPollRead);
  275. gnutls_transport_set_push_function (waith->request.tlsSession,
  276. WaitressPollWrite);
  277. +#endif
  278. }
  279. /* buffer is required for connect already */
  280. @@ -1144,15 +1238,22 @@ WaitressReturn_t WaitressFetchCall (Wait
  281. if ((wRet = WaitressSendRequest (waith)) == WAITRESS_RET_OK) {
  282. wRet = WaitressReceiveResponse (waith);
  283. }
  284. +#if !defined(USE_POLARSSL)
  285. if (waith->url.tls) {
  286. gnutls_bye (waith->request.tlsSession, GNUTLS_SHUT_RDWR);
  287. }
  288. +#endif
  289. }
  290. /* cleanup */
  291. if (waith->url.tls) {
  292. +#if defined(USE_POLARSSL)
  293. + ssl_free (&waith->request.sslCtx->ssl);
  294. + free (waith->request.sslCtx);
  295. +#else
  296. gnutls_deinit (waith->request.tlsSession);
  297. gnutls_certificate_free_credentials (waith->tlsCred);
  298. +#endif
  299. }
  300. if (waith->request.sockfd != -1) {
  301. close (waith->request.sockfd);