summaryrefslogtreecommitdiffstats
path: root/src/core/transport/http/sender/ssl
diff options
context:
space:
mode:
authorGravatar gmcdonald2010-02-13 01:32:03 +0000
committerGravatar gmcdonald2010-02-13 01:32:03 +0000
commit0425aadc78680e53000fd0108b540d6eca048516 (patch)
tree8ec7ab8e015d454c5ec586dfc91e05a2dce1cfc0 /src/core/transport/http/sender/ssl
downloadaxis2c-0425aadc78680e53000fd0108b540d6eca048516.tar.gz
axis2c-0425aadc78680e53000fd0108b540d6eca048516.tar.bz2
Moving axis svn, part of TLP move INFRA-2441
git-svn-id: http://svn.apache.org/repos/asf/axis/axis2/c/core/trunk@909681 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'src/core/transport/http/sender/ssl')
-rw-r--r--src/core/transport/http/sender/ssl/Makefile.am2
-rw-r--r--src/core/transport/http/sender/ssl/ssl_stream.c239
-rw-r--r--src/core/transport/http/sender/ssl/ssl_stream.h50
-rw-r--r--src/core/transport/http/sender/ssl/ssl_utils.c227
-rw-r--r--src/core/transport/http/sender/ssl/ssl_utils.h56
5 files changed, 574 insertions, 0 deletions
diff --git a/src/core/transport/http/sender/ssl/Makefile.am b/src/core/transport/http/sender/ssl/Makefile.am
new file mode 100644
index 0000000..3e457e5
--- /dev/null
+++ b/src/core/transport/http/sender/ssl/Makefile.am
@@ -0,0 +1,2 @@
+EXTRA_DIST= ssl_stream.c ssl_stream.h ssl_utils.c ssl_utils.h
+
diff --git a/src/core/transport/http/sender/ssl/ssl_stream.c b/src/core/transport/http/sender/ssl/ssl_stream.c
new file mode 100644
index 0000000..9360f1a
--- /dev/null
+++ b/src/core/transport/http/sender/ssl/ssl_stream.c
@@ -0,0 +1,239 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifdef AXIS2_SSL_ENABLED
+
+#include <string.h>
+#include <stdlib.h>
+#include "ssl_stream.h"
+#include "ssl_utils.h"
+
+/**
+ * @brief Stream struct impl
+ * Streaming mechanisms for SSL
+ */
+typedef struct ssl_stream_impl ssl_stream_impl_t;
+
+struct ssl_stream_impl
+{
+ axutil_stream_t stream;
+ axutil_stream_type_t stream_type;
+ SSL *ssl;
+ SSL_CTX *ctx;
+ axis2_socket_t socket;
+};
+
+#define AXIS2_INTF_TO_IMPL(stream) ((ssl_stream_impl_t *)(stream))
+
+void AXIS2_CALL axis2_ssl_stream_free(
+ axutil_stream_t * stream,
+ const axutil_env_t * env);
+
+axutil_stream_type_t AXIS2_CALL axis2_ssl_stream_get_type(
+ axutil_stream_t * stream,
+ const axutil_env_t * env);
+
+int AXIS2_CALL axis2_ssl_stream_write(
+ axutil_stream_t * stream,
+ const axutil_env_t * env,
+ const void *buffer,
+ size_t count);
+
+int AXIS2_CALL axis2_ssl_stream_read(
+ axutil_stream_t * stream,
+ const axutil_env_t * env,
+ void *buffer,
+ size_t count);
+
+int AXIS2_CALL axis2_ssl_stream_skip(
+ axutil_stream_t * stream,
+ const axutil_env_t * env,
+ int count);
+
+int AXIS2_CALL axis2_ssl_stream_get_char(
+ axutil_stream_t * stream,
+ const axutil_env_t * env);
+
+AXIS2_EXTERN axutil_stream_t *AXIS2_CALL
+axutil_stream_create_ssl(
+ const axutil_env_t * env,
+ axis2_socket_t socket,
+ axis2_char_t * server_cert,
+ axis2_char_t * key_file,
+ axis2_char_t * ssl_pp)
+{
+ ssl_stream_impl_t *stream_impl = NULL;
+
+ stream_impl =
+ (ssl_stream_impl_t *) AXIS2_MALLOC(env->allocator,
+ sizeof(ssl_stream_impl_t));
+
+ if (!stream_impl)
+ {
+ AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_NO_MEMORY, AXIS2_FAILURE);
+ return NULL;
+ }
+ memset ((void *)stream_impl, 0, sizeof (ssl_stream_impl_t));
+ stream_impl->socket = socket;
+ stream_impl->ctx = NULL;
+ stream_impl->ssl = NULL;
+
+ stream_impl->ctx = axis2_ssl_utils_initialize_ctx(env, server_cert,
+ key_file, ssl_pp);
+ if (!stream_impl->ctx)
+ {
+ axis2_ssl_stream_free((axutil_stream_t *) stream_impl, env);
+ AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_SSL_ENGINE, AXIS2_FAILURE);
+ return NULL;
+ }
+ stream_impl->ssl = axis2_ssl_utils_initialize_ssl(env, stream_impl->ctx,
+ stream_impl->socket);
+ if (!stream_impl->ssl)
+ {
+ AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_SSL_ENGINE, AXIS2_FAILURE);
+ return NULL;
+ }
+ stream_impl->stream_type = AXIS2_STREAM_MANAGED;
+
+ axutil_stream_set_read(&(stream_impl->stream), env, axis2_ssl_stream_read);
+ axutil_stream_set_write(&(stream_impl->stream), env,
+ axis2_ssl_stream_write);
+ axutil_stream_set_skip(&(stream_impl->stream), env, axis2_ssl_stream_skip);
+
+ return &(stream_impl->stream);
+}
+
+void AXIS2_CALL
+axis2_ssl_stream_free(
+ axutil_stream_t * stream,
+ const axutil_env_t * env)
+{
+ ssl_stream_impl_t *stream_impl = NULL;
+
+ stream_impl = AXIS2_INTF_TO_IMPL(stream);
+ axis2_ssl_utils_cleanup_ssl(env, stream_impl->ctx, stream_impl->ssl);
+ AXIS2_FREE(env->allocator, stream_impl);
+
+ return;
+}
+
+int AXIS2_CALL
+axis2_ssl_stream_read(
+ axutil_stream_t * stream,
+ const axutil_env_t * env,
+ void *buffer,
+ size_t count)
+{
+ ssl_stream_impl_t *stream_impl = NULL;
+ int read = -1;
+ int len = -1;
+
+ stream_impl = AXIS2_INTF_TO_IMPL(stream);
+
+ SSL_set_mode(stream_impl->ssl, SSL_MODE_AUTO_RETRY);
+
+ read = SSL_read(stream_impl->ssl, buffer, (int)count);
+ /* We are sure that the difference lies within the int range */
+ switch (SSL_get_error(stream_impl->ssl, read))
+ {
+ case SSL_ERROR_NONE:
+ len = read;
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ len = -1;
+ break;
+ case SSL_ERROR_SYSCALL:
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "SSL Error: Premature close");
+ len = -1;
+ break;
+ default:
+ len = -1;
+ break;
+ }
+ return len;
+}
+
+int AXIS2_CALL
+axis2_ssl_stream_write(
+ axutil_stream_t * stream,
+ const axutil_env_t * env,
+ const void *buf,
+ size_t count)
+{
+ ssl_stream_impl_t *stream_impl = NULL;
+ int write = -1;
+
+ AXIS2_PARAM_CHECK(env->error, buf, AXIS2_FAILURE);
+ stream_impl = AXIS2_INTF_TO_IMPL(stream);
+ write = SSL_write(stream_impl->ssl, buf, (int)count);
+ /* We are sure that the difference lies within the int range */
+
+ switch (SSL_get_error(stream_impl->ssl, write))
+ {
+ case SSL_ERROR_NONE:
+ if ((int)count != write)
+ /* We are sure that the difference lies within the int range */
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Incomplete SSL write!");
+ break;
+ default:
+ return -1;
+ }
+ return write;
+}
+
+int AXIS2_CALL
+axis2_ssl_stream_skip(
+ axutil_stream_t * stream,
+ const axutil_env_t * env,
+ int count)
+{
+ ssl_stream_impl_t *stream_impl = NULL;
+ axis2_char_t *tmp_buffer = NULL;
+ int len = -1;
+ stream_impl = AXIS2_INTF_TO_IMPL(stream);
+
+ tmp_buffer = AXIS2_MALLOC(env->allocator, count * sizeof(axis2_char_t));
+ if (tmp_buffer == NULL)
+ {
+ AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_NO_MEMORY, AXIS2_FAILURE);
+ return -1;
+ }
+ len = SSL_read(stream_impl->ssl, tmp_buffer, count);
+ AXIS2_FREE(env->allocator, tmp_buffer);
+ return len;
+
+}
+
+int AXIS2_CALL
+axis2_ssl_stream_get_char(
+ axutil_stream_t * stream,
+ const axutil_env_t * env)
+{
+ int ret = -1;
+
+ return ret;
+}
+
+axutil_stream_type_t AXIS2_CALL
+axis2_ssl_stream_get_type(
+ axutil_stream_t * stream,
+ const axutil_env_t * env)
+{
+ return AXIS2_INTF_TO_IMPL(stream)->stream_type;
+}
+
+#endif
+
diff --git a/src/core/transport/http/sender/ssl/ssl_stream.h b/src/core/transport/http/sender/ssl/ssl_stream.h
new file mode 100644
index 0000000..396da5d
--- /dev/null
+++ b/src/core/transport/http/sender/ssl/ssl_stream.h
@@ -0,0 +1,50 @@
+
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain count copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef AXIS2_SSL_STREAM_H
+#define AXIS2_SSL_STREAM_H
+
+#include <axis2_const.h>
+#include <axis2_defines.h>
+#include <axutil_env.h>
+#include <axutil_stream.h>
+#include <platforms/axutil_platform_auto_sense.h>
+#include <openssl/ssl.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ /** \brief Constructor for creating ssl stream
+ * @return axutil_stream (ssl)
+ */
+ AXIS2_EXTERN axutil_stream_t *AXIS2_CALL
+ axutil_stream_create_ssl(
+ const axutil_env_t * env,
+ axis2_socket_t socket,
+ axis2_char_t * server_cert,
+ axis2_char_t * key_file,
+ axis2_char_t * ssl_pp);
+
+ /** @} */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* AXIS2_SSL_STREAM_H */
diff --git a/src/core/transport/http/sender/ssl/ssl_utils.c b/src/core/transport/http/sender/ssl/ssl_utils.c
new file mode 100644
index 0000000..d565555
--- /dev/null
+++ b/src/core/transport/http/sender/ssl/ssl_utils.c
@@ -0,0 +1,227 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifdef AXIS2_SSL_ENABLED
+
+#include "ssl_utils.h"
+#include <openssl/err.h>
+BIO *bio_err = 0;
+
+static int
+password_cb(
+ char *buf,
+ int size,
+ int rwflag,
+ void *passwd)
+{
+ strncpy(buf, (char *) passwd, size);
+ buf[size - 1] = '\0';
+ return (int)(strlen(buf));
+ /* We are sure that the difference lies within the int range */
+}
+
+AXIS2_EXTERN SSL_CTX *AXIS2_CALL
+axis2_ssl_utils_initialize_ctx(
+ const axutil_env_t * env,
+ axis2_char_t * server_cert,
+ axis2_char_t * key_file,
+ axis2_char_t * ssl_pp)
+{
+ SSL_METHOD *meth = NULL;
+ SSL_CTX *ctx = NULL;
+ axis2_char_t *ca_file = server_cert;
+
+ if (!ca_file)
+ {
+ AXIS2_LOG_INFO(env->log, "[ssl client] CA certificate not specified");
+ AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_SSL_NO_CA_FILE, AXIS2_FAILURE);
+ return NULL;
+ }
+
+ if (!bio_err)
+ {
+ /* Global system initialization */
+ SSL_library_init();
+ SSL_load_error_strings();
+
+ /* An error write context */
+ bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ }
+
+ /* Create our context */
+ meth = SSLv23_method();
+ ctx = SSL_CTX_new(meth);
+
+ /* Load our keys and certificates
+ * If we need client certificates it has to be done here
+ */
+ if (key_file) /*can we check if the server needs client auth? */
+ {
+ if (!ssl_pp)
+ {
+ AXIS2_LOG_INFO(env->log,
+ "[ssl client] No passphrase specified for \
+key file %s and server cert %s", key_file, server_cert);
+ }
+
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) ssl_pp);
+ SSL_CTX_set_default_passwd_cb(ctx, password_cb);
+
+ if (!(SSL_CTX_use_certificate_chain_file(ctx, key_file)))
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[ssl client] Loading client certificate failed \
+, key file %s", key_file);
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+
+ if (!(SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM)))
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[ssl client] Loading client key failed, key file \
+%s", key_file);
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ }
+ else
+ {
+ AXIS2_LOG_INFO(env->log,
+ "[ssl client] Client certificate chain file"
+ "not specified");
+ }
+
+ /* Load the CAs we trust */
+ if (!(SSL_CTX_load_verify_locations(ctx, ca_file, 0)))
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[ssl client] Loading CA certificate failed, \
+ca_file is %s", ca_file);
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+
+ return ctx;
+}
+
+AXIS2_EXTERN SSL *AXIS2_CALL
+axis2_ssl_utils_initialize_ssl(
+ const axutil_env_t * env,
+ SSL_CTX * ctx,
+ axis2_socket_t socket)
+{
+ SSL *ssl = NULL;
+ BIO *sbio = NULL;
+
+ AXIS2_PARAM_CHECK(env->error, ctx, NULL);
+
+ ssl = SSL_new(ctx);
+ if (!ssl)
+ {
+ AXIS2_LOG_ERROR (env->log, AXIS2_LOG_SI,
+ "[ssl]unable to create new ssl context");
+ return NULL;
+ }
+
+ sbio = BIO_new_socket((int)socket, BIO_NOCLOSE);
+ if (!sbio)
+ {
+ AXIS2_LOG_ERROR (env->log, AXIS2_LOG_SI,
+ "[ssl]unable to create BIO new socket for socket %d",
+ (int)socket);
+ return NULL;
+ }
+
+ SSL_set_bio(ssl, sbio, sbio);
+ if (SSL_connect(ssl) <= 0)
+ {
+ AXIS2_HANDLE_ERROR(env, AXIS2_ERROR_SSL_ENGINE, AXIS2_FAILURE);
+ return NULL;
+ }
+
+ if (SSL_get_verify_result(ssl) != X509_V_OK)
+ {
+ char sslerror[128]; /** error buffer must be at least 120 bytes long */
+ X509 *peer_cert = NULL;
+ X509_STORE *cert_store = NULL;
+ X509_NAME *peer_name = NULL;
+ X509_OBJECT *client_object = NULL;
+ X509 *client_cert = NULL;
+
+ peer_cert = SSL_get_peer_certificate(ssl);
+ if (peer_cert && peer_cert->cert_info)
+ {
+ peer_name = (peer_cert->cert_info)->subject;
+ }
+
+ cert_store = SSL_CTX_get_cert_store(ctx);
+ if (peer_name && cert_store)
+ {
+ client_object = X509_OBJECT_retrieve_by_subject(cert_store->objs,
+ X509_LU_X509,
+ peer_name);
+ }
+ if (client_object)
+ {
+ client_cert = (client_object->data).x509;
+ if (client_cert &&
+ (M_ASN1_BIT_STRING_cmp(client_cert->signature,
+ peer_cert->signature) == 0))
+ {
+ if (peer_cert)
+ {
+ X509_free(peer_cert);
+ }
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+ "[ssl client] SSL certificate verified against peer");
+ return ssl;
+ }
+ }
+ if (peer_cert)
+ {
+ X509_free(peer_cert);
+ }
+ ERR_error_string(SSL_get_verify_result(ssl), sslerror);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[ssl client] SSL certificate verification failed (%s)",
+ sslerror);
+ return NULL;
+ }
+
+ return ssl;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+axis2_ssl_utils_cleanup_ssl(
+ const axutil_env_t * env,
+ SSL_CTX * ctx,
+ SSL * ssl)
+{
+
+ if (ssl)
+ {
+ SSL_shutdown(ssl);
+ }
+ if (ctx)
+ {
+ SSL_CTX_free(ctx);
+ }
+ return AXIS2_SUCCESS;
+}
+
+#endif
+
diff --git a/src/core/transport/http/sender/ssl/ssl_utils.h b/src/core/transport/http/sender/ssl/ssl_utils.h
new file mode 100644
index 0000000..26dc16b
--- /dev/null
+++ b/src/core/transport/http/sender/ssl/ssl_utils.h
@@ -0,0 +1,56 @@
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef AXIS2_SSL_UTILS_H
+#define AXIS2_SSL_UTILS_H
+
+
+#include <platforms/axutil_platform_auto_sense.h>
+#include <axis2_const.h>
+#include <axis2_defines.h>
+#include <openssl/ssl.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ AXIS2_EXTERN SSL_CTX *AXIS2_CALL
+ axis2_ssl_utils_initialize_ctx(
+ const axutil_env_t * env,
+ axis2_char_t * server_cert,
+ axis2_char_t * key_file,
+ axis2_char_t * ssl_pp);
+
+ AXIS2_EXTERN SSL *AXIS2_CALL
+ axis2_ssl_utils_initialize_ssl(
+ const axutil_env_t * env,
+ SSL_CTX * ctx,
+ axis2_socket_t socket);
+
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ axis2_ssl_utils_cleanup_ssl(
+ const axutil_env_t * env,
+ SSL_CTX * ctx,
+ SSL * ssl);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* AXIS2_SSL_UTILS_H */