📄 sslnetwork.c
字号:
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/** SSL network wrapper
*
* @author Mladen Turk
* @version $Revision: 481766 $, $Date: 2006-12-03 13:40:18 +0100 (dim., 03 déc. 2006) $
*/
#include "tcn.h"
#include "apr_thread_mutex.h"
#include "apr_poll.h"
#ifdef HAVE_OPENSSL
#include "ssl_private.h"
#ifdef TCN_DO_STATISTICS
#include "apr_atomic.h"
static volatile apr_uint32_t ssl_created = 0;
static volatile apr_uint32_t ssl_closed = 0;
static volatile apr_uint32_t ssl_cleared = 0;
static volatile apr_uint32_t ssl_accepted = 0;
void ssl_network_dump_statistics()
{
fprintf(stderr, "SSL Network Statistics ..\n");
fprintf(stderr, "Sockets created : %d\n", ssl_created);
fprintf(stderr, "Sockets accepted : %d\n", ssl_accepted);
fprintf(stderr, "Sockets closed : %d\n", ssl_closed);
fprintf(stderr, "Sockets cleared : %d\n", ssl_cleared);
}
#endif
static int ssl_smart_shutdown(SSL *ssl, int shutdown_type)
{
int i;
int rc = 0;
switch (shutdown_type) {
case SSL_SHUTDOWN_TYPE_UNCLEAN:
/* perform no close notify handshake at all
* (violates the SSL/TLS standard!)
*/
shutdown_type = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
break;
case SSL_SHUTDOWN_TYPE_ACCURATE:
/* send close notify and wait for clients close notify
* (standard compliant, but usually causes connection hangs)
*/
shutdown_type = 0;
break;
default:
/*
* case SSL_SHUTDOWN_TYPE_UNSET:
* case SSL_SHUTDOWN_TYPE_STANDARD:
* send close notify, but don't wait for clients close notify
* (standard compliant and safe, so it's the DEFAULT!)
*/
shutdown_type = SSL_RECEIVED_SHUTDOWN;
break;
}
SSL_set_shutdown(ssl, shutdown_type);
/*
* Repeat the calls, because SSL_shutdown internally dispatches through a
* little state machine. Usually only one or two interation should be
* needed, so we restrict the total number of restrictions in order to
* avoid process hangs in case the client played bad with the socket
* connection and OpenSSL cannot recognize it.
* max 2x pending + 2x data = 4
*/
for (i = 0; i < 4; i++) {
if ((rc = SSL_shutdown(ssl)))
break;
}
return rc;
}
static apr_status_t ssl_cleanup(void *data)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)data;
if (con) {
/* Pollset was already destroyed by
* the pool cleanup/destroy.
*/
con->pollset = NULL;
if (con->ssl) {
SSL *ssl = con->ssl;
con->ssl = NULL;
ssl_smart_shutdown(ssl, con->shutdown_type);
SSL_free(ssl);
}
if (con->peer) {
X509_free(con->peer);
con->peer = NULL;
}
}
#ifdef TCN_DO_STATISTICS
apr_atomic_inc32(&ssl_cleared);
#endif
return APR_SUCCESS;
}
static tcn_ssl_conn_t *ssl_create(JNIEnv *env, tcn_ssl_ctxt_t *ctx, apr_pool_t *pool)
{
tcn_ssl_conn_t *con;
SSL *ssl;
if ((con = apr_pcalloc(pool, sizeof(tcn_ssl_conn_t))) == NULL) {
tcn_ThrowAPRException(env, apr_get_os_error());
return NULL;
}
if ((ssl = SSL_new(ctx->ctx)) == NULL) {
char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(env, "SSL_new failed (%s)", err);
con = NULL;
return NULL;
}
SSL_clear(ssl);
con->pool = pool;
con->ctx = ctx;
con->ssl = ssl;
con->shutdown_type = ctx->shutdown_type;
apr_pollset_create(&(con->pollset), 1, pool, 0);
SSL_set_app_data(ssl, (void *)con);
if (ctx->mode) {
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, SSL_callback_tmp_RSA);
SSL_set_tmp_dh_callback(ssl, SSL_callback_tmp_DH);
SSL_set_session_id_context(ssl, &(ctx->context_id[0]),
MD5_DIGEST_LENGTH);
}
SSL_set_verify_result(ssl, X509_V_OK);
SSL_rand_seed(ctx->rand_file);
#ifdef TCN_DO_STATISTICS
ssl_created++;
#endif
return con;
}
#ifdef WIN32
#define APR_INVALID_SOCKET INVALID_SOCKET
#else
#define APR_INVALID_SOCKET -1
#endif
static apr_status_t wait_for_io_or_timeout(tcn_ssl_conn_t *con,
int for_what)
{
apr_interval_time_t timeout;
apr_pollfd_t pfd;
int type;
apr_status_t status;
apr_os_sock_t sock;
if (!con->pollset)
return APR_ENOPOLL;
if (!con->sock)
return APR_ENOTSOCK;
/* Check if the socket was already closed
*/
apr_os_sock_get(&sock, con->sock);
if (sock == APR_INVALID_SOCKET)
return APR_ENOTSOCK;
/* Figure out the the poll direction */
switch (for_what) {
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_CONNECT:
case SSL_ERROR_WANT_ACCEPT:
type = APR_POLLOUT;
break;
case SSL_ERROR_WANT_READ:
type = APR_POLLIN;
break;
default:
return APR_EINVAL;
break;
}
apr_socket_timeout_get(con->sock, &timeout);
pfd.desc_type = APR_POLL_SOCKET;
pfd.desc.s = con->sock;
pfd.reqevents = type;
/* Remove the object if it was in the pollset, then add in the new
* object with the correct reqevents value. Ignore the status result
* on the remove, because it might not be in there (yet).
*/
apr_pollset_remove(con->pollset, &pfd);
/* ### check status code */
apr_pollset_add(con->pollset, &pfd);
do {
int numdesc;
const apr_pollfd_t *pdesc;
status = apr_pollset_poll(con->pollset, timeout, &numdesc, &pdesc);
if (numdesc == 1 && (pdesc[0].rtnevents & type) != 0)
return APR_SUCCESS;
} while (APR_STATUS_IS_EINTR(status));
return status;
}
static apr_status_t APR_THREAD_FUNC
ssl_socket_timeout_set(apr_socket_t *sock, apr_interval_time_t t)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)sock;
return apr_socket_timeout_set(con->sock, t);
}
static apr_status_t APR_THREAD_FUNC
ssl_socket_timeout_get(apr_socket_t *sock, apr_interval_time_t *t)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)sock;
return apr_socket_timeout_get(con->sock, t);
}
static APR_INLINE apr_status_t APR_THREAD_FUNC
ssl_socket_opt_set(apr_socket_t *sock, apr_int32_t opt, apr_int32_t on)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)sock;
return apr_socket_opt_set(con->sock, opt, on);
}
static APR_INLINE apr_status_t APR_THREAD_FUNC
ssl_socket_opt_get(apr_socket_t *sock, apr_int32_t opt, apr_int32_t *on)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)sock;
return apr_socket_opt_get(con->sock, opt, on);
}
static apr_status_t APR_THREAD_FUNC
ssl_socket_shutdown(apr_socket_t *sock, apr_shutdown_how_e how)
{
apr_status_t rv = APR_SUCCESS;
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)sock;
if (con->ssl) {
SSL *ssl = con->ssl;
con->ssl = NULL;
if (how < 1)
how = con->shutdown_type;
rv = ssl_smart_shutdown(ssl, how);
/* TODO: Translate OpenSSL Error codes */
SSL_free(ssl);
}
return rv;
}
static apr_status_t APR_THREAD_FUNC
ssl_socket_close(apr_socket_t *sock)
{
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)sock;
apr_status_t rv = APR_SUCCESS;
#ifdef TCN_DO_STATISTICS
apr_atomic_inc32(&ssl_closed);
#endif
if (con->ssl) {
SSL *ssl = con->ssl;
con->ssl = NULL;
rv = ssl_smart_shutdown(ssl, con->shutdown_type);
SSL_free(ssl);
}
if (con->peer) {
X509_free(con->peer);
con->peer = NULL;
}
return rv;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -