[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
/*****************************************************************************/
/*
SesolaNet.c
SSL network connection establishment, read/write and other functions.
The SesolaNetRequest..() functions deal with SSL acceptance and SSL rundown of
requests to SSL services (i.e. via "https:").
The SesolaNetClient..() functions deal with initiation and rundown of an SSL
transaction with a remote SSL server. This is sometimes refered to as HTTP to
SSL gatewaying, and should not be confised with the processing of peer
certificate which is also refered to as client processing sometimes.
VERSION HISTORY
---------------
08-AUG-2020 MGD keep connect cert (->VerifyPeer) distinct from client cert
01-AUG-2020 MGD bugfix; SesolaNetFree() ensure (sigh) X509_free() where
->ClientCertPtr associated with connection (i.e. HTTP/2)
02-MAR-2020 MGD SesolaNetBegin/Accept/End() refinements
19-JAN-2020 MGD more proxy persistent connection (per JPP)
18-OCT-2019 MGD bugfix; SesolaNetClientBegin() SESOLA_SINCE_110
BIO_set_data() before SSL_set_bio() (per JPP)
18-APR-2018 MGD SesolaNetBegin() return success/failure
16-MAR-2017 MGD further refinements supporting OpenSSL v1.1.0 and TLS 1.3
30-DEC-2016 MGD SesolaNetThisIsSSL() allow redirection to include scheme
03-AUG-2016 MGD OpenSSL v1.1.0(-pre6) required code changes including
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) compilation
11-AUG-2015 MGD restructure of network I/O abstractions
SesolaNetThisIsSSL() simplify by removing request URI
13-JUN-2015 MGD disable kludge; SesolaNetAccept() SSL3_ST_SR_CLNT_HELLO_C
as the issue seems to have been fixed in OpenSSL v1.0.2c
20-FEB-2015 MGD SesolaNetAccept() SSL3_ST_SR_CLNT_HELLO_C in v1.0.2a
bugfix; #if..#endif nesting of kludge described below
02-FEB-2015 MGD kludge; SesolaNetAccept() SSL3_ST_SR_CLNT_HELLO_C
29-JAN-2015 MGD bugfix; SesolaNetClientBegin() ambiguous WatchThis(SNI)
11-NOV-2014 MGD SesolaNetAccept() collect version, cipher, cached
04-OCT-2013 MGD SesolaNetThisIsSSL() support [ServiceNonSSLRedirect]
03-AUG-2013 MGD SesolaNetClientBegin() include SNI before connect
28-APR-2012 MGD bugfix; SesolaNetAccept() initialise value=0
bugfix; SesolaNetRead() SSL state not SSL_ST_OK
bugfix; SesolaNetWrite() SSL state not SSL_ST_OK
04-SEP-2010 MGD Sesola_read_ast() extend HTTP methods check
18-JUL-2010 MGD bugfix; SSL_set_info_callback() not SSL_CTX_set..()
25-APR-2008 MGD increase sanity check error count from 255 to 8192
12-APR-2006 MGD bugfix; SSL_shutdown() problem reported by JPP
introduce SesolaNetReadAst() and SesolaNetWriteAst()
to defer reset of AST function address used to indicate
AST-in-progress in other parts of the code
10-JUN-2005 MGD make EXQUOTA (particularly ASTLM) a little more obvious
14-APR-2005 MGD bugfix; SesolaNetClientShutdown() remove SSL_shutdown()
(revealed by ->https: tunnelling shutdown)
21-DEC-2004 MGD bugfix; obscure in Sesesol_read() and Sesola_Write()
when WATCHing via SSL due to undereferenced NULL 'rqptr'
17-DEC-2004 MGD bugfix; Sesola_read_ast() and Sesola_write_ast()
zero I/O status block count on error status
14-DEC-2004 MGD remove BIO_set_retry_..() BIO_clear_retry_..(),
add some sanity checking around reads and writes
17-NOV-2004 MGD bugfix; SesolaNetRead() and SesolaNetWrite() if no I/O
and hence no defered AST reset defered AST function pointer
(thanks to jpp@esme.fr for isolating this during BETA)
27-OCT-2004 MGD SesolaNetInProgress() raw I/O in progress? (for ProxyEnd())
21-AUG-2004 MGD significant refinements to SSL processing
22-JUL-2004 MGD changes to SSL shutdown, SesolaNetEnd() to allow
persistent connections over SSL for HTTP/1.1 (and general
SSL performance improvements - long overdue)
29-JAN-2003 MGD bugfix; error recovery in Sesola_read() and Sesola_write()
18-APR-2002 MGD bugfix; service and client SSL contexts
26-FEB-2002 MGD bugfix; SesolaNetRequestEnd() wait for blocking I/O
08-JAN-2002 MGD rework SESOLA.C
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* VMS related header files */
#include <iodef.h>
#include <ssdef.h>
#include <stsdef.h>
/* application header files */
#define SESOLA_REQUIRED
#include "Sesola.h"
#define WASD_MODULE "SESOLANET"
/***************************************/
#ifdef SESOLA /* secure sockets layer */
/***************************************/
#define SET_RECEIVED_SHUTDOWN 1
/******************/
/* global storage */
/******************/
int SesolaNetEndCount,
SesolaNetFailCount,
SesolaNetFreeCount,
SesolaNetNewCount,
SesolaNetProblemCount,
SesolaNetShutCount,
SesolaNetShut0Count,
SesolaNetShut1Count,
SesolaNetShutChanCount,
SesolaNetShutReadCount,
SesolaNetShutWriteCount;
#if SESOLA_SINCE_110
/* FYI only - opaque after OpenSSL v1.1.0 */
struct bio_method_struct
{
int type;
const char *name;
int (*bwrite_conv) (BIO *, const char *, int);
int (*bwrite) (BIO *, const char *, int);
int (*bread_conv) (BIO *, char *, int);
int (*bread) (BIO *, char *, int);
int (*bputs) (BIO *, const char *);
int (*bgets) (BIO *, char *, int);
long (*ctrl) (BIO *, int, long, void *);
int (*create) (BIO *);
int (*destroy) (BIO *);
long (*callback_ctrl) (BIO *, int, bio_info_cb *);
};
#else /* earlier days */
/* prior to OpenSSL v1.1.0 a simple structure initialisation */
struct bio_method_struct
{
int type;
const char *name;
int (*bwrite) (BIO *, const char *, int);
int (*bread) (BIO *, char *, int);
int (*bputs) (BIO *, const char *);
int (*bgets) (BIO *, char *, int);
long (*ctrl) (BIO *, int, long, void *);
int (*create) (BIO *);
int (*destroy) (BIO *);
long (*callback_ctrl) (BIO *, int, bio_info_cb *);
};
#endif /* SESOLA_BEFORE_110 */
/********************/
/* external storage */
/********************/
extern int EfnWait,
EfnNoWait,
NetReadBufferSize,
SesolaSNI,
SesolaSSLversion;
extern char *SesolaDefaultCertPtr,
*SesolaDefaultCipherListPtr,
*SesolaDefaultKeyPtr;
extern char ErrorSanityCheck[],
SoftwareID[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern WATCH_STRUCT Watch;
#if SESOLA_BEFORE_110
extern int (*Sesola_SSL_get_servername)(SSL*, int);
#endif
/*****************************************************************************/
/*
Begin an SSL transaction for a request. Create the Sesola structure used to
store HTTPd SSL-related used during the transaction, initialize the OpenSSL
structures required, then begin the OpenSSL accept functionality.
RequestAccept() and RequestBegin() ensure the client has supplied data to begin
the handshake (by using NetIoPeek()) before this function is called. OpenSSL
v1.0.n would occasionally barf when SSL_free()ing if the client had written no
data (test case: "telnet <host> 443" left to timeout).
*/
void SesolaNetBegin (REQUEST_STRUCT *rqptr)
{
int value;
SERVICE_STRUCT *svptr;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaNetBegin()");
/* note that this IS NOT HEAP memory, and must be explicitly VmFree()d */
sesolaptr = (SESOLA_STRUCT*)VmGet (sizeof(SESOLA_STRUCT));
sesolaptr->RequestPtr = rqptr;
sesolaptr->WatchItem = rqptr->WatchItem;
sesolaptr->NetIoPtr = rqptr->NetIoPtr;
rqptr->NetIoPtr->SesolaPtr = sesolaptr;
if (!((SESOLA_CONTEXT*)rqptr->ServicePtr->SSLserverPtr)->SslCtx)
{
SesolaNetProblemCount++;
ErrorNoticed (rqptr, 0, "SslCtx == NULL", FI_LI);
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN SSL context NULL");
SesolaNetBeginFail (sesolaptr);
return;
}
svptr = sesolaptr->NetIoPtr->ServicePtr;
sesolaptr->SslCtx = (SSL_CTX*)((SESOLA_CONTEXT*)svptr->SSLserverPtr)->SslCtx;
if (sesolaptr->WatchItem)
{
char *cptr;
if (cptr = SesolaMemTrackReport())
WatchThis (WATCHALL, WATCH_SESOLA, "MEMORY !AZ", cptr);
}
sesolaptr->SslPtr = SSL_new (sesolaptr->SslCtx);
if (!sesolaptr->SslPtr)
{
SesolaNetProblemCount++;
ErrorNoticed (rqptr, 0, "SSL_new() failed", FI_LI);
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN SSL_new() failed");
SesolaNetBeginFail (sesolaptr);
return;
}
SesolaNetNewCount++;
SSL_set_app_data (sesolaptr->SslPtr, sesolaptr);
sesolaptr->BioPtr = BIO_new (BIO_s_Sesola());
if (!sesolaptr->BioPtr)
{
SesolaNetProblemCount++;
ErrorNoticed (rqptr, 0, "BIO_new() failed", FI_LI);
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN BIO_new() failed");
SesolaNetBeginFail (sesolaptr);
return;
}
#if SESOLA_SINCE_110
BIO_set_data (sesolaptr->BioPtr, sesolaptr);
SSL_set0_rbio (sesolaptr->SslPtr, sesolaptr->BioPtr);
SSL_set0_wbio (sesolaptr->SslPtr, sesolaptr->BioPtr);
#else
sesolaptr->BioPtr->ptr = sesolaptr;
sesolaptr->BioPtr->init = 1;
SSL_set_bio (sesolaptr->SslPtr, sesolaptr->BioPtr, sesolaptr->BioPtr);
#endif
SSL_set_accept_state (sesolaptr->SslPtr);
#if WATCH_CAT
if (WATCHING (rqptr, WATCH_SESOLA))
{
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN");
/* set for SSL information and verification callback */
SSL_set_ex_data (sesolaptr->SslPtr, 0, sesolaptr);
SSL_set_info_callback (sesolaptr->SslPtr, &SesolaWatchInfoCallback);
/* set for BIO callback with the request pointer as it's argument */
BIO_set_callback (sesolaptr->BioPtr, &SesolaWatchBioCallback);
BIO_set_callback_arg (sesolaptr->BioPtr, sesolaptr);
}
#endif
/* begin the SSL handshake */
SesolaNetAccept (sesolaptr);
}
/*****************************************************************************/
/*
Either SesolaNetBegin() or SesolaNetAccept() have failed in some way, the
TLS/SSL negotiation has not occured, the TLS/SSL connection is not established
and the request has not got underway. Shut down the request in as economical
way as possible.
*/
void SesolaNetBeginFail (SESOLA_STRUCT *sesolaptr)
{
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
rqptr = sesolaptr->RequestPtr;
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaNetBeginFail()");
if (WATCHING (rqptr, WATCH_CONNECT))
WatchThis (WATCHITM(rqptr), WATCH_CONNECT, "CLOSE !AZ,!UL !AZ",
rqptr->ClientPtr->Lookup.HostName,
rqptr->ClientPtr->IpPort,
rqptr->ServicePtr->ServerHostPort);
/* this will be reset to zero by the next successful TLS accept */
if (SesolaNetProblemCount > SESOLA_NET_PROBLEM_MAX)
{
char buf [32];
sprintf (buf, "%d successive TLS failures", SesolaNetProblemCount);
ErrorExitVmsStatus (SS$_ABORT, buf, FI_LI);
}
SesolaNetFailCount++;
rqptr->NetIoPtr->SesolaPtr = NULL;
SesolaNetFree (sesolaptr);
InstanceMutexLock (INSTANCE_MUTEX_HTTPD);
NetUpdateConnected (rqptr, -1);
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
RequestEnd4 (rqptr);
}
/*****************************************************************************/
/*
This establishes the connection with an SSL client by providing the server
"hello", certificate and key exchange, etc. Due to the non-blocking I/O used
by WASD this function will be called multiple times to complete the OpenSSL
accept.
*/
SesolaNetAccept (SESOLA_STRUCT *sesolaptr)
{
int value = 0;
REQUEST_STRUCT *rqptr;
SESOLA_CONTEXT *scptr;
SSL_SESSION *SessionPtr;
/*********/
/* begin */
/*********/
rqptr = sesolaptr->RequestPtr;
if (WATCH_MODULE (WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"SesolaNetAccept() !&F !UL !&B !&B !&B !&S", &SesolaNetAccept,
sesolaptr->SslAcceptCount,
sesolaptr->HTTPduringHandshake,
sesolaptr->SSHduringHandshake,
rqptr->NetIoPtr->ServicePtr->ShareSSH,
sesolaptr->ReadIOsb.Status);
sesolaptr->SslStateFunction = &SesolaNetAccept;
ERR_clear_error ();
value = SSL_accept (sesolaptr->SslPtr);
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SSL_accept() !SL !SL",
value, SSL_get_error(sesolaptr->SslPtr,value));
/* just a sanity check on the SSL_accept() activity */
if (sesolaptr->SslAcceptCount++ > SESOLA_SSL_ACCEPT_MAX)
{
if (rqptr->NetIoPtr->Channel)
{
/* break the connection */
sys$dassgn (rqptr->NetIoPtr->Channel);
rqptr->NetIoPtr->Channel = 0;
}
value = -1;
}
/* if non-blocking IO in progress just return and wait for delivery */
if (sesolaptr->ReadInProgress || sesolaptr->WriteInProgress) return;
sesolaptr->SslStateFunction = NULL;
if (sesolaptr->HTTPduringHandshake)
SesolaNetThisIsSSL (sesolaptr);
else
if (rqptr->NetIoPtr->ServicePtr->ShareSSH)
{
if (sesolaptr->SSHduringHandshake ||
sesolaptr->ReadIOsb.Status == SS$_CANCEL)
{
SesolaNetFree (sesolaptr);
rqptr->NetIoPtr->SesolaPtr = NULL;
RequestShareBegin (rqptr);
return;
}
}
if (value <= 0)
{
/********/
/* fail */
/********/
if (WATCHING (rqptr, WATCH_SESOLA))
{
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN failed");
SesolaWatchErrors (sesolaptr);
}
SesolaNetBeginFail (sesolaptr);
return;
}
/***********/
/* TLS/SSL */
/***********/
switch (SSL_version (sesolaptr->SslPtr))
{
#if SESOLA_SINCE_111
case TLS1_3_VERSION :
InstanceGblSecIncrLong (&AccountingPtr->ConnectTLS13Count);
break;
#endif
case TLS1_2_VERSION :
InstanceGblSecIncrLong (&AccountingPtr->ConnectTLS12Count);
break;
case TLS1_1_VERSION :
InstanceGblSecIncrLong (&AccountingPtr->ConnectTLS11Count);
break;
case TLS1_VERSION :
InstanceGblSecIncrLong (&AccountingPtr->ConnectTLS1Count);
break;
case SSL3_VERSION :
InstanceGblSecIncrLong (&AccountingPtr->ConnectSSL3Count);
break;
}
scptr = sesolaptr->NetIoPtr->ServicePtr->SSLserverPtr;
if (scptr->VerifyPeer)
sesolaptr->ConnectCertPtr = SSL_get_peer_certificate (sesolaptr->SslPtr);
else
sesolaptr->ClientCertPtr = SSL_get_peer_certificate (sesolaptr->SslPtr);
if (WATCHING (rqptr, WATCH_SESOLA))
SesolaWatchSession (sesolaptr);
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"->ClientCertPtr !&X", sesolaptr->ClientCertPtr);
SesolaNetProblemCount = 0;
RequestBegin (rqptr);
}
/*****************************************************************************/
/*
Shutdown the SSL session with the client (elegantly if we can!).
Once kicked off this function becomes autonomous, eventually deassigning the
socket and freeing both the network I/O structure and itself. The calling
routine can just continue on its way.
*/
void SesolaNetEnd (SESOLA_STRUCT *sesolaptr)
{
int error, sanity, value;
NETIO_STRUCT *ioptr;
/*********/
/* begin */
/*********/
ioptr = sesolaptr->NetIoPtr;
if (WATCHMOD (ioptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(ioptr), WATCH_MOD_SESOLA,
"SesolaNetEnd() !&F shut:!UL chan:!UL count:!UL \
read:%X!8XL AST:!&A inprog:!SL write:%X!8XL AST:!&A inprog:!SL",
&SesolaNetEnd,
SSL_get_shutdown(sesolaptr->SslPtr),
ioptr->Channel, sesolaptr->SslShutdownCount,
ioptr->ReadStatus, ioptr->ReadAstFunction,
sesolaptr->ReadInProgress,
ioptr->WriteStatus, ioptr->WriteAstFunction,
sesolaptr->WriteInProgress);
if (sesolaptr->SslStateFunction &&
sesolaptr->SslStateFunction != &SesolaNetEnd)
{
/* original SSL_accept() has not completed */
if (WATCHING (ioptr, WATCH_SESOLA))
WatchThis (WATCHITM(ioptr), WATCH_SESOLA, "BEGIN failed");
sys$dassgn (ioptr->Channel);
ioptr->Channel = 0;
}
if (sesolaptr->SslStateFunction != &SesolaNetEnd) SesolaNetEndCount++;
/* everything (now) is coming here! */
sesolaptr->SslStateFunction = &SesolaNetEnd;
if (ioptr->Channel)
{
/* socket is still available */
SesolaNetShutChanCount++;
/* these are still usable status (VCCLOSED occurs with HTTP/2) */
if (ioptr->ReadStatus == SS$_CANCEL ||
ioptr->ReadStatus == SS$_VCCLOSED) ioptr->ReadStatus = SS$_NORMAL;
if (ioptr->WriteStatus == SS$_CANCEL ||
ioptr->WriteStatus == SS$_VCCLOSED) ioptr->WriteStatus = SS$_NORMAL;
}
if (ioptr->Channel)
{
if (sesolaptr->SslShutdownCount++ < SESOLA_SSL_SHUTDOWN_MAX)
{
if (sesolaptr->SslShutdownCount == 1)
if (WATCHING (ioptr, WATCH_SESOLA))
WatchThis (WATCHITM(ioptr), WATCH_SESOLA, "SHUTDOWN");
#if SET_RECEIVED_SHUTDOWN
/* not going to wait for the peer to respond */
SSL_set_shutdown (sesolaptr->SslPtr, SSL_RECEIVED_SHUTDOWN);
#endif
for (sanity = value = 0; sanity < 5 && value == 0; sanity++)
{
ERR_clear_error ();
value = SSL_shutdown (sesolaptr->SslPtr);
if (WATCHMOD (ioptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(ioptr), WATCH_MOD_SESOLA,
"SSL_shutdown() !SL !SL",
value, SSL_get_error(sesolaptr->SslPtr,value));
if (value == 1)
SesolaNetShut1Count++;
else
if (value == 0)
SesolaNetShut0Count++;
else
SesolaNetShutCount++;
}
if (sesolaptr->ReadInProgress) SesolaNetShutReadCount++;
if (sesolaptr->WriteInProgress) SesolaNetShutWriteCount++;
}
else
{
/* sanity check, so knock the socket on the head */
sys$dassgn (ioptr->Channel);
ioptr->Channel = 0;
ErrorNoticed (NULL, SS$_BUGCHECK, "SESOLA_SSL_SHUTDOWN_MAX", FI_LI);
}
}
if (WATCHMOD (ioptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(ioptr), WATCH_MOD_SESOLA, "reading:!SL writing:!SL",
sesolaptr->ReadInProgress, sesolaptr->WriteInProgress);
/* intercept any outstanding I/O */
if (sesolaptr->ReadInProgress || sesolaptr->WriteInProgress) return;
if (WATCHING (ioptr, WATCH_SESOLA))
WatchThis (WATCHITM(ioptr), WATCH_SESOLA, "END");
if (WATCHING (ioptr, WATCH_CONNECT))
WatchThis (WATCHITM(ioptr), WATCH_CONNECT, "CLOSE !AZ,!UL !AZ",
ioptr->ClientPtr->Lookup.HostName,
ioptr->ClientPtr->IpPort,
ioptr->ServicePtr->ServerHostPort);
if (ioptr->Channel) sys$dassgn (ioptr->Channel);
sesolaptr->WatchItem = ioptr->WatchItem;
VmFree (ioptr, FI_LI);
SSL_set_shutdown (sesolaptr->SslPtr, SSL_SENT_SHUTDOWN);
SSL_set_shutdown (sesolaptr->SslPtr, SSL_RECEIVED_SHUTDOWN);
SesolaNetFree (sesolaptr);
}
/*****************************************************************************/
/*
Free the OpenSSL structures outside of any use of them (early mistake)!
*/
void SesolaNetFree (SESOLA_STRUCT *sesolaptr)
{
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaNetFree()");
if (sesolaptr->ClientCertPtr)
X509_free (sesolaptr->ClientCertPtr);
if (sesolaptr->ConnectCertPtr)
X509_free (sesolaptr->ConnectCertPtr);
if (sesolaptr->VerifyPeerDataSize)
VmFree (sesolaptr->VerifyPeerDataPtr, FI_LI);
if (sesolaptr->SslPtr) SSL_free (sesolaptr->SslPtr);
if (sesolaptr->WatchItem)
{
char *cptr;
if (cptr = SesolaMemTrackReport())
WatchThis (WATCHALL, WATCH_SESOLA, "MEMORY !AZ", cptr);
}
VmFree (sesolaptr, FI_LI);
SesolaNetFreeCount++;
}
/*****************************************************************************/
/*
Some development/debug statistics.
*/
char* SesolaNetStats (void)
{
static char buf [96];
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaNetStats()");
sprintf (buf, "new:%u end:%u free:%u fail:%u shut:%u/%u/%u/%u/%u/%u",
SesolaNetNewCount, SesolaNetEndCount, SesolaNetFreeCount,
SesolaNetFailCount, SesolaNetShutCount, SesolaNetShutChanCount,
SesolaNetShut0Count, SesolaNetShut1Count, SesolaNetShutReadCount,
SesolaNetShutWriteCount);
return (buf);
}
/*****************************************************************************/
/*
Begin an SSL transaction. Create the Sesola structure used to store HTTPd
SSL-related used during the transaction, initialize the OpenSSL structures
required, then begin the OpenSSL connect functionality. Note that this is
proxy functionality and so proxy request rundown functions are used.
*/
SesolaNetClientBegin (PROXY_TASK *tkptr)
{
int value;
REQUEST_STRUCT *rqptr;
SERVICE_STRUCT *svptr;
SESOLA_CONTEXT *scptr;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_MOD_SESOLA,
"SesolaNetClientBegin()");
rqptr = tkptr->RequestPtr;
svptr = tkptr->ServicePtr;
if (!svptr->SSLclientPtr)
{
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "CLIENT SSL not configured");
ProxyEnd (tkptr);
return;
}
if (!((SESOLA_CONTEXT*)svptr->SSLclientPtr)->SslCtx)
{
ErrorNoticed (rqptr, 0, "SslCtx == NULL", FI_LI);
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN SSL context NULL");
ProxyEnd (tkptr);
return;
}
/* note that this IS NOT HEAP memory, and must be explicitly VmFree()d */
sesolaptr = (SESOLA_STRUCT*)VmGet (sizeof(SESOLA_STRUCT));
tkptr->NetIoPtr->SesolaPtr = sesolaptr;
sesolaptr->NetIoPtr = tkptr->NetIoPtr;
sesolaptr->ProxyTaskPtr = tkptr;
sesolaptr->SslPtr = SSL_new (((SESOLA_CONTEXT*)svptr->SSLclientPtr)->SslCtx);
if (!sesolaptr->SslPtr)
{
if (WATCHING (tkptr, WATCH_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_SESOLA,
"BEGIN SSL_new() failed");
ErrorNoticed (rqptr, 0, "SSL_new() failed", FI_LI);
if (rqptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_GENERAL_INTERNAL), FI_LI);
}
SesolaNetClientFree (tkptr);
ProxyEnd (tkptr);
return;
}
scptr = (SESOLA_CONTEXT*)svptr->SSLclientPtr;
if (scptr->CipherListPtr[0])
SSL_set_cipher_list (sesolaptr->SslPtr, scptr->CipherListPtr);
/* set the application data to point to the proxy task structure */
SSL_set_app_data (sesolaptr->SslPtr, tkptr);
sesolaptr->BioPtr = BIO_new (BIO_s_Sesola());
if (!sesolaptr->BioPtr)
{
if (WATCHING (tkptr, WATCH_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_SESOLA,
"BEGIN BIO_new() failed");
ErrorNoticed (rqptr, 0, "BIO_new() failed", FI_LI);
if (rqptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_GENERAL_INTERNAL), FI_LI);
}
SesolaNetClientFree (tkptr);
ProxyEnd (tkptr);
return;
}
#if SESOLA_SINCE_110
BIO_set_data (sesolaptr->BioPtr, sesolaptr);
SSL_set0_rbio (sesolaptr->SslPtr, sesolaptr->BioPtr);
SSL_set0_wbio (sesolaptr->SslPtr, sesolaptr->BioPtr);
#else
sesolaptr->BioPtr->ptr = sesolaptr;
sesolaptr->BioPtr->init = 1;
SSL_set_bio (sesolaptr->SslPtr, sesolaptr->BioPtr, sesolaptr->BioPtr);
#endif
SSL_set_connect_state (sesolaptr->SslPtr);
/* Server Name Indication (SNI) */
#if SESOLA_SINCE_110
if (SesolaSNI)
#else
if (SesolaSNI && Sesola_SSL_get_servername)
#endif
{
/* if the SSL_get_servername() exists then this control should work */
value = SSL_set_tlsext_host_name (sesolaptr->SslPtr,
tkptr->RequestHostName);
if (WATCHING (tkptr, WATCH_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_SESOLA, "SNI !AZ!AZ",
tkptr->RequestHostName, value ? "" : " FAILED");
}
if (scptr->VerifyCA)
SSL_set_verify (sesolaptr->SslPtr, SSL_VERIFY_CLIENT_ONCE,
&SesolaCertVerifyCallback);
/* provide the sesola pointer for the verify callback */
SSL_set_ex_data (sesolaptr->SslPtr, 0, sesolaptr);
#if WATCH_CAT
if (WATCHING (rqptr, WATCH_SESOLA))
{
WatchThis (WATCHITM(rqptr), WATCH_SESOLA, "BEGIN");
/* set for SSL information and verification callback */
SSL_set_info_callback (sesolaptr->SslPtr, &SesolaWatchInfoCallback);
/* set for BIO callback with the request pointer as it's argument */
BIO_set_callback (sesolaptr->BioPtr, &SesolaWatchBioCallback);
BIO_set_callback_arg (sesolaptr->BioPtr, sesolaptr);
}
#endif
/* associate the proxy task with the SSL structure */
sesolaptr->ProxyTaskPtr = tkptr;
/* begin the SSL handshake */
SesolaNetClientConnect (sesolaptr);
}
/*****************************************************************************/
/*
This establishes the connection to an SSL server by providing the server
"hello", certificate and key exchange, etc. Due to the non-blocking I/O used
by WASD this function will be called multiple times to complete the OpenSSL
connect.
*/
SesolaNetClientConnect (SESOLA_STRUCT *sesolaptr)
{
int status,
value;
PROXY_TASK *tkptr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
/* get the associate proxy task and request pointers */
tkptr = sesolaptr->ProxyTaskPtr;
rqptr = tkptr->RequestPtr;
if (WATCHMOD (tkptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_MOD_SESOLA,
"SesolaNetClientConnect() !&F !UL", &SesolaNetClientConnect,
sesolaptr->SslConnectCount);
sesolaptr->SslStateFunction = &SesolaNetClientConnect;
/* just a sanity check on the SSL_connect() activity */
if (sesolaptr->SslConnectCount++ < SESOLA_SSL_CONNECT_MAX)
{
if (sesolaptr->HTTPduringHandshake)
{
rqptr->rqResponse.HttpStatus = 501;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_HTTP_501), FI_LI);
SesolaNetClientFree (tkptr);
ProxyEnd (tkptr);
return;
}
value = SSL_connect (sesolaptr->SslPtr);
if (WATCHMOD (tkptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_MOD_SESOLA,
"SSL_connect() !SL", value);
/* if non-blocking IO in progress just return and wait for delivery */
if (sesolaptr->ReadInProgress || sesolaptr->WriteInProgress) return;
if (sesolaptr->HTTPduringHandshake)
{
rqptr->rqResponse.HttpStatus = 501;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_HTTP_501), FI_LI);
SesolaNetClientFree (tkptr);
ProxyEnd (tkptr);
return;
}
}
/* can't free structures while non-blocking I/O still outstanding */
if (sesolaptr->ReadInProgress || sesolaptr->WriteInProgress)
{
/* so knock the socket on the head */
if (sesolaptr->NetIoPtr->Channel) ProxyNetCloseSocket (tkptr);
return;
}
if (value <= 0)
{
/*********/
/* error */
/*********/
if (WATCHING (rqptr, WATCH_SESOLA))
SesolaWatchErrors (sesolaptr);
if (rqptr)
{
rqptr->rqResponse.HttpStatus = 502;
if (sesolaptr->CertVerifyFailed)
/* or perhaps some more formal message? */
ErrorGeneral (rqptr, "Unknown server Certificate Authority.", FI_LI);
else
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_HTTP_502), FI_LI);
}
SesolaNetClientFree (tkptr);
ProxyEnd (tkptr);
return;
}
if (WATCHING (tkptr, WATCH_SESOLA))
SesolaWatchSession (sesolaptr);
sesolaptr->SslStateFunction = NULL;
if (tkptr->ProxyTunnel)
ProxyTunnelBegin (tkptr);
else
ProxyWriteRequest (tkptr);
}
/*****************************************************************************/
/*
Shutdown the SSL session with the client (via an SSL alert so that we don't
wait around for a response!) Return true if RequestEnd() can continue the
request run-down, false if has to abort and wait for some more to happen!
*/
SesolaNetClientShutdown (SESOLA_STRUCT *sesolaptr)
{
int value;
PROXY_TASK *tkptr;
/*********/
/* begin */
/*********/
tkptr = sesolaptr->ProxyTaskPtr;
if (WATCHMOD (tkptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_MOD_SESOLA,
"SesolaNetClientShutdown() !&F !UL !UL !SL !SL", &SesolaNetClientShutdown,
sesolaptr->NetIoPtr->Channel, sesolaptr->SslShutdownCount,
sesolaptr->ReadInProgress, sesolaptr->WriteInProgress);
/* everything is now going to be coming here! */
sesolaptr->SslStateFunction = &SesolaNetClientShutdown;
/* only provide explicit shutdown if still connected! */
if (sesolaptr->NetIoPtr->Channel)
{
/* just a sanity check on the SSL_shutdown() activity */
if (!sesolaptr->SslShutdownCount++)
{
if (WATCHING (tkptr, WATCH_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_SESOLA, "SHUTDOWN");
ERR_clear_error ();
value = SSL_shutdown (sesolaptr->SslPtr);
if (WATCHMOD (sesolaptr->NetIoPtr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(sesolaptr->NetIoPtr), WATCH_MOD_SESOLA,
"SSL_shutdown() !SL !SL",
value, SSL_get_error(sesolaptr->SslPtr,value));
}
else
if (sesolaptr->SslShutdownCount > SESOLA_SSL_SHUTDOWN_MAX)
{
/* sanity check, so knock the socket on the head */
if (sesolaptr->NetIoPtr->Channel) ProxyNetCloseSocket (tkptr);
}
}
/* intercept any outstanding I/O */
if (sesolaptr->ReadInProgress || sesolaptr->WriteInProgress) return;
if (WATCHING (tkptr, WATCH_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_SESOLA, "END");
SSL_set_shutdown (sesolaptr->SslPtr, SSL_SENT_SHUTDOWN);
SSL_set_shutdown (sesolaptr->SslPtr, SSL_RECEIVED_SHUTDOWN);
sesolaptr->SslStateFunction = NULL;
SesolaNetClientFree (tkptr);
ProxyEnd (tkptr);
}
/*****************************************************************************/
/*
Free the OpenSSL structures outside of any use of them (early mistake)!
*/
SesolaNetClientFree (PROXY_TASK *tkptr)
{
int value;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_MOD_SESOLA,
"SesolaNetClientFree()");
sesolaptr = (SESOLA_STRUCT*)tkptr->NetIoPtr->SesolaPtr;
if (sesolaptr->SslPtr) SSL_free (sesolaptr->SslPtr);
VmFree (sesolaptr, FI_LI);
tkptr->NetIoPtr->SesolaPtr = NULL;
}
/*****************************************************************************/
/*
Associate the proxy task with the SSL structure. Needed when re-using a
persistent connection.
*/
void SesolaNetSetProxyTask (PROXY_TASK *tkptr)
{
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(tkptr), WATCH_MOD_SESOLA,
"SesolaNetSetProxyTask()");
sesolaptr = (SESOLA_STRUCT*)tkptr->NetIoPtr->SesolaPtr;
sesolaptr->ProxyTaskPtr = tkptr;
}
/*****************************************************************************/
/*
Plain-text HTTP has been detected arriving on an SSL service. Return either an
error message or redirect response (if configured). The redirect parameter can
comprise an optional leading HTTP response code 301, 302, or 307 (default),
followed by an optional scheme ("http://" or "https://"), optional host name or
IP address, and optional port number (port must have leading colon if only
parameter), and even an optional URI. The minimum parameter is a single colon,
which redirects to the same service name on port 80. A 307 is used to indicate
to the agent that a non-GET should not be turned into one! Something that
apparently commonly (incorrectly) happens with 302s.
*/
void SesolaNetThisIsSSL (SESOLA_STRUCT *sesolaptr)
{
static char ThisIsSSLFao [] =
"HTTP/1.0 400 This is an SSL service!!\r\n\
Server: !AZ\r\n\
Content-Type: text/html\r\n\
\r\n\
400 error - This is an SSL service!!\n";
static char RedirectFao [] =
"HTTP/1.0 !UL Redirection\r\n\
Server: !AZ\r\n\
Location: !AZ://!AZ!AZ\r\n\
Content-Type: text/html\r\n\
\r\n\
!UL redirection - !AZ://!AZ!AZ\n";
int code, status;
unsigned short slen;
char *cptr, *pptr, *sptr, *zptr;
char NonSslRedirect [256],
ResponseBuffer [4096];
REQUEST_STRUCT *rqptr;
IO_SB IOsb;
/*********/
/* begin */
/*********/
rqptr = sesolaptr->RequestPtr;
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA, "SesolaNetThisIsSSL()");
if (!rqptr) return;
for (cptr = rqptr->ServicePtr->NonSslRedirect; *cptr == ' '; cptr++);
if (*cptr)
{
/************/
/* redirect */
/************/
/* buffer the directive */
for (cptr = rqptr->ServicePtr->NonSslRedirect; *cptr == ' '; cptr++);
zptr = (sptr = NonSslRedirect) + sizeof(NonSslRedirect)-1;
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
*sptr = '\0';
cptr = NonSslRedirect;
if (WATCHING (rqptr, WATCH_RESPONSE))
WatchThis (WATCHITM(rqptr), WATCH_RESPONSE, "REDIRECT !AZ", cptr);
/* optional HTTP response code - default is 307 */
if (isdigit(*cptr))
{
code = atoi(cptr);
if (code != 301 && code != 302 && code != 303) code = 307;
while (*cptr && (isdigit(*cptr) || ISLWS(*cptr))) cptr++;
}
else
code = 307;
pptr = "http";
sptr = "";
if (*cptr == ':')
{
/* default to current service name */
sptr = rqptr->ServicePtr->ServerHostName;
/* if no trailing number then no port - default will be 80 */
if (!isdigit(*(cptr+1))) cptr++;
}
else
if (MATCH8 (cptr, "https://"))
{
pptr = "https";
cptr += 8;
}
else
if (MATCH7 (cptr, "http://"))
cptr += 7;
status = FaoToBuffer (ResponseBuffer, sizeof(ResponseBuffer)-1, &slen,
RedirectFao,
code, SoftwareID, pptr, sptr, cptr,
code, pptr, sptr, cptr);
rqptr->rqResponse.HttpStatus = code;
}
else
{
/***********/
/* message */
/***********/
status = FaoToBuffer (ResponseBuffer, sizeof(ResponseBuffer)-1, &slen,
ThisIsSSLFao, SoftwareID);
rqptr->rqResponse.HttpStatus = 400;
}
if (VMSnok(status)) ErrorNoticed (rqptr, status, "FaoToBuffer()", FI_LI);
/*******************/
/* write to client */
/*******************/
if (WATCHPNT(rqptr) && (WATCH_CATEGORY(WATCH_RESPONSE_HEADER) ||
WATCH_CATEGORY(WATCH_RESPONSE_BODY)))
WatchData (ResponseBuffer, slen);
sys$qiow (EfnWait, sesolaptr->NetIoPtr->Channel,
IO$_WRITEVBLK, &IOsb, 0, 0,
ResponseBuffer, slen, 0, 0, 0, 0);
}
/*****************************************************************************/
/*
Implements a required function of a OpenSSL BIO_METHOD.
*/
BIO_METHOD *BIO_s_Sesola()
{
static BIO_METHOD *bmptr;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "BIO_s_Sesola()");
if (bmptr) return (bmptr);
#if SESOLA_SINCE_110
bmptr = BIO_meth_new (BIO_TYPE_NULL, "WASD Sesola");
if (!bmptr) return (bmptr);
BIO_meth_set_write_ex (bmptr, Sesola_netio_write_ex);
BIO_meth_set_read_ex (bmptr, Sesola_netio_read_ex);
BIO_meth_set_ctrl (bmptr, Sesola_ctrl);
#else
bmptr = (BIO_METHOD*)OPENSSL_malloc (sizeof(BIO_METHOD));
if (!bmptr) return (bmptr);
memset (bmptr, 0, sizeof(BIO_METHOD));
bmptr->type = BIO_TYPE_NULL;
bmptr->name = "WASD Sesola";
bmptr->bwrite = Sesola_netio_write;
bmptr->bread = Sesola_netio_read;
bmptr->ctrl = Sesola_ctrl;
#endif
return (bmptr);
}
/*****************************************************************************/
/*
Implements a required function of a OpenSSL BIO_METHOD.
*/
long Sesola_ctrl
(
BIO *bioptr,
int Command,
long Number,
char *Pointer
)
{
int value;
/*********/
/* begin */
/*********/
if (WATCH_MODULE(WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA,
"Sesola_ctrl() !UL !UL !&X", Command, Number, Pointer);
value = 1;
switch (Command)
{
case BIO_CTRL_SET:
#if SESOLA_SINCE_110
BIO_set_init(bioptr, Number);
#else
bioptr->num = Number;
#endif
return (1);
case BIO_CTRL_EOF:
case BIO_CTRL_FLUSH:
case BIO_CTRL_RESET:
return (1);
case BIO_CTRL_SET_CLOSE:
case BIO_CTRL_GET_CLOSE:
case BIO_CTRL_DUP:
case BIO_CTRL_INFO:
case BIO_CTRL_GET:
case BIO_CTRL_PENDING:
case BIO_CTRL_POP:
case BIO_CTRL_PUSH:
case BIO_CTRL_WPENDING:
default:
return (0);
}
}
/*****************************************************************************/
/*
For compilations without SSL these functions provide LINKage stubs for the
rest of the HTTPd modules, allowing for just recompiling the Sesola module to
integrate the SSL functionality.
*/
/*********************/
#else /* not SESOLA */
/*********************/
/* external storage */
extern char ErrorSanityCheck[];
SesolaNetBegin (REQUEST_STRUCT *rqptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
SesolaNetClientBegin (PROXY_TASK *tkptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
SesolaNetClientShutdown (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
SesolaNetEnd (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
SesolaNetSetProxyTask (PROXY_TASK *tkptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
Sesola_read_ast (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
Sesola_write_ast (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
SesolaNetAccept (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
SesolaNetClientConnect (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
/************************/
#endif /* ifdef SESOLA */
/************************/
/*****************************************************************************/