| 1 | /* |
|---|---|
| 2 | * Copyright (c) 2019, Redis Labs |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions are met: |
| 7 | * |
| 8 | * * Redistributions of source code must retain the above copyright notice, |
| 9 | * this list of conditions and the following disclaimer. |
| 10 | * * Redistributions in binary form must reproduce the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer in the |
| 12 | * documentation and/or other materials provided with the distribution. |
| 13 | * * Neither the name of Redis nor the names of its contributors may be used |
| 14 | * to endorse or promote products derived from this software without |
| 15 | * specific prior written permission. |
| 16 | * |
| 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
| 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE |
| 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| 27 | * POSSIBILITY OF SUCH DAMAGE. |
| 28 | */ |
| 29 | |
| 30 | |
| 31 | #include "server.h" |
| 32 | #include "connhelpers.h" |
| 33 | #include "adlist.h" |
| 34 | |
| 35 | #ifdef USE_OPENSSL |
| 36 | |
| 37 | #include <openssl/conf.h> |
| 38 | #include <openssl/ssl.h> |
| 39 | #include <openssl/err.h> |
| 40 | #include <openssl/rand.h> |
| 41 | #include <openssl/pem.h> |
| 42 | #if OPENSSL_VERSION_NUMBER >= 0x30000000L |
| 43 | #include <openssl/decoder.h> |
| 44 | #endif |
| 45 | #include <sys/uio.h> |
| 46 | |
| 47 | #define REDIS_TLS_PROTO_TLSv1 (1<<0) |
| 48 | #define REDIS_TLS_PROTO_TLSv1_1 (1<<1) |
| 49 | #define REDIS_TLS_PROTO_TLSv1_2 (1<<2) |
| 50 | #define REDIS_TLS_PROTO_TLSv1_3 (1<<3) |
| 51 | |
| 52 | /* Use safe defaults */ |
| 53 | #ifdef TLS1_3_VERSION |
| 54 | #define REDIS_TLS_PROTO_DEFAULT (REDIS_TLS_PROTO_TLSv1_2|REDIS_TLS_PROTO_TLSv1_3) |
| 55 | #else |
| 56 | #define REDIS_TLS_PROTO_DEFAULT (REDIS_TLS_PROTO_TLSv1_2) |
| 57 | #endif |
| 58 | |
| 59 | extern ConnectionType CT_Socket; |
| 60 | |
| 61 | SSL_CTX *redis_tls_ctx = NULL; |
| 62 | SSL_CTX *redis_tls_client_ctx = NULL; |
| 63 | |
| 64 | static int parseProtocolsConfig(const char *str) { |
| 65 | int i, count = 0; |
| 66 | int protocols = 0; |
| 67 | |
| 68 | if (!str) return REDIS_TLS_PROTO_DEFAULT; |
| 69 | sds *tokens = sdssplitlen(str, strlen(str), " ", 1, &count); |
| 70 | |
| 71 | if (!tokens) { |
| 72 | serverLog(LL_WARNING, "Invalid tls-protocols configuration string"); |
| 73 | return -1; |
| 74 | } |
| 75 | for (i = 0; i < count; i++) { |
| 76 | if (!strcasecmp(tokens[i], "tlsv1")) protocols |= REDIS_TLS_PROTO_TLSv1; |
| 77 | else if (!strcasecmp(tokens[i], "tlsv1.1")) protocols |= REDIS_TLS_PROTO_TLSv1_1; |
| 78 | else if (!strcasecmp(tokens[i], "tlsv1.2")) protocols |= REDIS_TLS_PROTO_TLSv1_2; |
| 79 | else if (!strcasecmp(tokens[i], "tlsv1.3")) { |
| 80 | #ifdef TLS1_3_VERSION |
| 81 | protocols |= REDIS_TLS_PROTO_TLSv1_3; |
| 82 | #else |
| 83 | serverLog(LL_WARNING, "TLSv1.3 is specified in tls-protocols but not supported by OpenSSL."); |
| 84 | protocols = -1; |
| 85 | break; |
| 86 | #endif |
| 87 | } else { |
| 88 | serverLog(LL_WARNING, "Invalid tls-protocols specified. " |
| 89 | "Use a combination of 'TLSv1', 'TLSv1.1', 'TLSv1.2' and 'TLSv1.3'."); |
| 90 | protocols = -1; |
| 91 | break; |
| 92 | } |
| 93 | } |
| 94 | sdsfreesplitres(tokens, count); |
| 95 | |
| 96 | return protocols; |
| 97 | } |
| 98 | |
| 99 | /* list of connections with pending data already read from the socket, but not |
| 100 | * served to the reader yet. */ |
| 101 | static list *pending_list = NULL; |
| 102 | |
| 103 | /** |
| 104 | * OpenSSL global initialization and locking handling callbacks. |
| 105 | * Note that this is only required for OpenSSL < 1.1.0. |
| 106 | */ |
| 107 | |
| 108 | #if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 109 | #define USE_CRYPTO_LOCKS |
| 110 | #endif |
| 111 | |
| 112 | #ifdef USE_CRYPTO_LOCKS |
| 113 | |
| 114 | static pthread_mutex_t *openssl_locks; |
| 115 | |
| 116 | static void sslLockingCallback(int mode, int lock_id, const char *f, int line) { |
| 117 | pthread_mutex_t *mt = openssl_locks + lock_id; |
| 118 | |
| 119 | if (mode & CRYPTO_LOCK) { |
| 120 | pthread_mutex_lock(mt); |
| 121 | } else { |
| 122 | pthread_mutex_unlock(mt); |
| 123 | } |
| 124 | |
| 125 | (void)f; |
| 126 | (void)line; |
| 127 | } |
| 128 | |
| 129 | static void initCryptoLocks(void) { |
| 130 | unsigned i, nlocks; |
| 131 | if (CRYPTO_get_locking_callback() != NULL) { |
| 132 | /* Someone already set the callback before us. Don't destroy it! */ |
| 133 | return; |
| 134 | } |
| 135 | nlocks = CRYPTO_num_locks(); |
| 136 | openssl_locks = zmalloc(sizeof(*openssl_locks) * nlocks); |
| 137 | for (i = 0; i < nlocks; i++) { |
| 138 | pthread_mutex_init(openssl_locks + i, NULL); |
| 139 | } |
| 140 | CRYPTO_set_locking_callback(sslLockingCallback); |
| 141 | } |
| 142 | #endif /* USE_CRYPTO_LOCKS */ |
| 143 | |
| 144 | void tlsInit(void) { |
| 145 | /* Enable configuring OpenSSL using the standard openssl.cnf |
| 146 | * OPENSSL_config()/OPENSSL_init_crypto() should be the first |
| 147 | * call to the OpenSSL* library. |
| 148 | * - OPENSSL_config() should be used for OpenSSL versions < 1.1.0 |
| 149 | * - OPENSSL_init_crypto() should be used for OpenSSL versions >= 1.1.0 |
| 150 | */ |
| 151 | #if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 152 | OPENSSL_config(NULL); |
| 153 | SSL_load_error_strings(); |
| 154 | SSL_library_init(); |
| 155 | #elif OPENSSL_VERSION_NUMBER < 0x10101000L |
| 156 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); |
| 157 | #else |
| 158 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG|OPENSSL_INIT_ATFORK, NULL); |
| 159 | #endif |
| 160 | |
| 161 | #ifdef USE_CRYPTO_LOCKS |
| 162 | initCryptoLocks(); |
| 163 | #endif |
| 164 | |
| 165 | if (!RAND_poll()) { |
| 166 | serverLog(LL_WARNING, "OpenSSL: Failed to seed random number generator."); |
| 167 | } |
| 168 | |
| 169 | pending_list = listCreate(); |
| 170 | } |
| 171 | |
| 172 | void tlsCleanup(void) { |
| 173 | if (redis_tls_ctx) { |
| 174 | SSL_CTX_free(redis_tls_ctx); |
| 175 | redis_tls_ctx = NULL; |
| 176 | } |
| 177 | if (redis_tls_client_ctx) { |
| 178 | SSL_CTX_free(redis_tls_client_ctx); |
| 179 | redis_tls_client_ctx = NULL; |
| 180 | } |
| 181 | |
| 182 | #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
| 183 | // unavailable on LibreSSL |
| 184 | OPENSSL_cleanup(); |
| 185 | #endif |
| 186 | } |
| 187 | |
| 188 | /* Callback for passing a keyfile password stored as an sds to OpenSSL */ |
| 189 | static int tlsPasswordCallback(char *buf, int size, int rwflag, void *u) { |
| 190 | UNUSED(rwflag); |
| 191 | |
| 192 | const char *pass = u; |
| 193 | size_t pass_len; |
| 194 | |
| 195 | if (!pass) return -1; |
| 196 | pass_len = strlen(pass); |
| 197 | if (pass_len > (size_t) size) return -1; |
| 198 | memcpy(buf, pass, pass_len); |
| 199 | |
| 200 | return (int) pass_len; |
| 201 | } |
| 202 | |
| 203 | /* Create a *base* SSL_CTX using the SSL configuration provided. The base context |
| 204 | * includes everything that's common for both client-side and server-side connections. |
| 205 | */ |
| 206 | static SSL_CTX *createSSLContext(redisTLSContextConfig *ctx_config, int protocols, int client) { |
| 207 | const char *cert_file = client ? ctx_config->client_cert_file : ctx_config->cert_file; |
| 208 | const char *key_file = client ? ctx_config->client_key_file : ctx_config->key_file; |
| 209 | const char *key_file_pass = client ? ctx_config->client_key_file_pass : ctx_config->key_file_pass; |
| 210 | char errbuf[256]; |
| 211 | SSL_CTX *ctx = NULL; |
| 212 | |
| 213 | ctx = SSL_CTX_new(SSLv23_method()); |
| 214 | |
| 215 | SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
| 216 | |
| 217 | #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
| 218 | SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
| 219 | #endif |
| 220 | |
| 221 | if (!(protocols & REDIS_TLS_PROTO_TLSv1)) |
| 222 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); |
| 223 | if (!(protocols & REDIS_TLS_PROTO_TLSv1_1)) |
| 224 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); |
| 225 | #ifdef SSL_OP_NO_TLSv1_2 |
| 226 | if (!(protocols & REDIS_TLS_PROTO_TLSv1_2)) |
| 227 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); |
| 228 | #endif |
| 229 | #ifdef SSL_OP_NO_TLSv1_3 |
| 230 | if (!(protocols & REDIS_TLS_PROTO_TLSv1_3)) |
| 231 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); |
| 232 | #endif |
| 233 | |
| 234 | #ifdef SSL_OP_NO_COMPRESSION |
| 235 | SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); |
| 236 | #endif |
| 237 | |
| 238 | SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
| 239 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); |
| 240 | |
| 241 | SSL_CTX_set_default_passwd_cb(ctx, tlsPasswordCallback); |
| 242 | SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) key_file_pass); |
| 243 | |
| 244 | if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) { |
| 245 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
| 246 | serverLog(LL_WARNING, "Failed to load certificate: %s: %s", cert_file, errbuf); |
| 247 | goto error; |
| 248 | } |
| 249 | |
| 250 | if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) { |
| 251 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
| 252 | serverLog(LL_WARNING, "Failed to load private key: %s: %s", key_file, errbuf); |
| 253 | goto error; |
| 254 | } |
| 255 | |
| 256 | if ((ctx_config->ca_cert_file || ctx_config->ca_cert_dir) && |
| 257 | SSL_CTX_load_verify_locations(ctx, ctx_config->ca_cert_file, ctx_config->ca_cert_dir) <= 0) { |
| 258 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
| 259 | serverLog(LL_WARNING, "Failed to configure CA certificate(s) file/directory: %s", errbuf); |
| 260 | goto error; |
| 261 | } |
| 262 | |
| 263 | if (ctx_config->ciphers && !SSL_CTX_set_cipher_list(ctx, ctx_config->ciphers)) { |
| 264 | serverLog(LL_WARNING, "Failed to configure ciphers: %s", ctx_config->ciphers); |
| 265 | goto error; |
| 266 | } |
| 267 | |
| 268 | #ifdef TLS1_3_VERSION |
| 269 | if (ctx_config->ciphersuites && !SSL_CTX_set_ciphersuites(ctx, ctx_config->ciphersuites)) { |
| 270 | serverLog(LL_WARNING, "Failed to configure ciphersuites: %s", ctx_config->ciphersuites); |
| 271 | goto error; |
| 272 | } |
| 273 | #endif |
| 274 | |
| 275 | return ctx; |
| 276 | |
| 277 | error: |
| 278 | if (ctx) SSL_CTX_free(ctx); |
| 279 | return NULL; |
| 280 | } |
| 281 | |
| 282 | /* Attempt to configure/reconfigure TLS. This operation is atomic and will |
| 283 | * leave the SSL_CTX unchanged if fails. |
| 284 | */ |
| 285 | int tlsConfigure(redisTLSContextConfig *ctx_config) { |
| 286 | char errbuf[256]; |
| 287 | SSL_CTX *ctx = NULL; |
| 288 | SSL_CTX *client_ctx = NULL; |
| 289 | |
| 290 | if (!ctx_config->cert_file) { |
| 291 | serverLog(LL_WARNING, "No tls-cert-file configured!"); |
| 292 | goto error; |
| 293 | } |
| 294 | |
| 295 | if (!ctx_config->key_file) { |
| 296 | serverLog(LL_WARNING, "No tls-key-file configured!"); |
| 297 | goto error; |
| 298 | } |
| 299 | |
| 300 | if (((server.tls_auth_clients != TLS_CLIENT_AUTH_NO) || server.tls_cluster || server.tls_replication) && |
| 301 | !ctx_config->ca_cert_file && !ctx_config->ca_cert_dir) { |
| 302 | serverLog(LL_WARNING, "Either tls-ca-cert-file or tls-ca-cert-dir must be specified when tls-cluster, tls-replication or tls-auth-clients are enabled!"); |
| 303 | goto error; |
| 304 | } |
| 305 | |
| 306 | int protocols = parseProtocolsConfig(ctx_config->protocols); |
| 307 | if (protocols == -1) goto error; |
| 308 | |
| 309 | /* Create server side/generla context */ |
| 310 | ctx = createSSLContext(ctx_config, protocols, 0); |
| 311 | if (!ctx) goto error; |
| 312 | |
| 313 | if (ctx_config->session_caching) { |
| 314 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); |
| 315 | SSL_CTX_sess_set_cache_size(ctx, ctx_config->session_cache_size); |
| 316 | SSL_CTX_set_timeout(ctx, ctx_config->session_cache_timeout); |
| 317 | SSL_CTX_set_session_id_context(ctx, (void *) "redis", 5); |
| 318 | } else { |
| 319 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
| 320 | } |
| 321 | |
| 322 | #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
| 323 | SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
| 324 | #endif |
| 325 | |
| 326 | if (ctx_config->prefer_server_ciphers) |
| 327 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
| 328 | |
| 329 | #if ((OPENSSL_VERSION_NUMBER < 0x30000000L) && defined(SSL_CTX_set_ecdh_auto)) |
| 330 | SSL_CTX_set_ecdh_auto(ctx, 1); |
| 331 | #endif |
| 332 | SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); |
| 333 | |
| 334 | if (ctx_config->dh_params_file) { |
| 335 | FILE *dhfile = fopen(ctx_config->dh_params_file, "r"); |
| 336 | if (!dhfile) { |
| 337 | serverLog(LL_WARNING, "Failed to load %s: %s", ctx_config->dh_params_file, strerror(errno)); |
| 338 | goto error; |
| 339 | } |
| 340 | |
| 341 | #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
| 342 | EVP_PKEY *pkey = NULL; |
| 343 | OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey( |
| 344 | &pkey, "PEM", NULL, "DH", OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, NULL, NULL); |
| 345 | if (!dctx) { |
| 346 | serverLog(LL_WARNING, "No decoder for DH params."); |
| 347 | fclose(dhfile); |
| 348 | goto error; |
| 349 | } |
| 350 | if (!OSSL_DECODER_from_fp(dctx, dhfile)) { |
| 351 | serverLog(LL_WARNING, "%s: failed to read DH params.", ctx_config->dh_params_file); |
| 352 | OSSL_DECODER_CTX_free(dctx); |
| 353 | fclose(dhfile); |
| 354 | goto error; |
| 355 | } |
| 356 | |
| 357 | OSSL_DECODER_CTX_free(dctx); |
| 358 | fclose(dhfile); |
| 359 | |
| 360 | if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) <= 0) { |
| 361 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
| 362 | serverLog(LL_WARNING, "Failed to load DH params file: %s: %s", ctx_config->dh_params_file, errbuf); |
| 363 | EVP_PKEY_free(pkey); |
| 364 | goto error; |
| 365 | } |
| 366 | /* Not freeing pkey, it is owned by OpenSSL now */ |
| 367 | #else |
| 368 | DH *dh = PEM_read_DHparams(dhfile, NULL, NULL, NULL); |
| 369 | fclose(dhfile); |
| 370 | if (!dh) { |
| 371 | serverLog(LL_WARNING, "%s: failed to read DH params.", ctx_config->dh_params_file); |
| 372 | goto error; |
| 373 | } |
| 374 | |
| 375 | if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0) { |
| 376 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
| 377 | serverLog(LL_WARNING, "Failed to load DH params file: %s: %s", ctx_config->dh_params_file, errbuf); |
| 378 | DH_free(dh); |
| 379 | goto error; |
| 380 | } |
| 381 | |
| 382 | DH_free(dh); |
| 383 | #endif |
| 384 | } else { |
| 385 | #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
| 386 | SSL_CTX_set_dh_auto(ctx, 1); |
| 387 | #endif |
| 388 | } |
| 389 | |
| 390 | /* If a client-side certificate is configured, create an explicit client context */ |
| 391 | if (ctx_config->client_cert_file && ctx_config->client_key_file) { |
| 392 | client_ctx = createSSLContext(ctx_config, protocols, 1); |
| 393 | if (!client_ctx) goto error; |
| 394 | } |
| 395 | |
| 396 | SSL_CTX_free(redis_tls_ctx); |
| 397 | SSL_CTX_free(redis_tls_client_ctx); |
| 398 | redis_tls_ctx = ctx; |
| 399 | redis_tls_client_ctx = client_ctx; |
| 400 | |
| 401 | return C_OK; |
| 402 | |
| 403 | error: |
| 404 | if (ctx) SSL_CTX_free(ctx); |
| 405 | if (client_ctx) SSL_CTX_free(client_ctx); |
| 406 | return C_ERR; |
| 407 | } |
| 408 | |
| 409 | /* Return 1 if TLS was already configured, 0 otherwise. |
| 410 | */ |
| 411 | int isTlsConfigured(void) { |
| 412 | return redis_tls_ctx != NULL; |
| 413 | } |
| 414 | |
| 415 | #ifdef TLS_DEBUGGING |
| 416 | #define TLSCONN_DEBUG(fmt, ...) \ |
| 417 | serverLog(LL_DEBUG, "TLSCONN: " fmt, __VA_ARGS__) |
| 418 | #else |
| 419 | #define TLSCONN_DEBUG(fmt, ...) |
| 420 | #endif |
| 421 | |
| 422 | ConnectionType CT_TLS; |
| 423 | |
| 424 | /* Normal socket connections have a simple events/handler correlation. |
| 425 | * |
| 426 | * With TLS connections we need to handle cases where during a logical read |
| 427 | * or write operation, the SSL library asks to block for the opposite |
| 428 | * socket operation. |
| 429 | * |
| 430 | * When this happens, we need to do two things: |
| 431 | * 1. Make sure we register for the event. |
| 432 | * 2. Make sure we know which handler needs to execute when the |
| 433 | * event fires. That is, if we notify the caller of a write operation |
| 434 | * that it blocks, and SSL asks for a read, we need to trigger the |
| 435 | * write handler again on the next read event. |
| 436 | * |
| 437 | */ |
| 438 | |
| 439 | typedef enum { |
| 440 | WANT_READ = 1, |
| 441 | WANT_WRITE |
| 442 | } WantIOType; |
| 443 | |
| 444 | #define TLS_CONN_FLAG_READ_WANT_WRITE (1<<0) |
| 445 | #define TLS_CONN_FLAG_WRITE_WANT_READ (1<<1) |
| 446 | #define TLS_CONN_FLAG_FD_SET (1<<2) |
| 447 | |
| 448 | typedef struct tls_connection { |
| 449 | connection c; |
| 450 | int flags; |
| 451 | SSL *ssl; |
| 452 | char *ssl_error; |
| 453 | listNode *pending_list_node; |
| 454 | } tls_connection; |
| 455 | |
| 456 | static connection *createTLSConnection(int client_side) { |
| 457 | SSL_CTX *ctx = redis_tls_ctx; |
| 458 | if (client_side && redis_tls_client_ctx) |
| 459 | ctx = redis_tls_client_ctx; |
| 460 | tls_connection *conn = zcalloc(sizeof(tls_connection)); |
| 461 | conn->c.type = &CT_TLS; |
| 462 | conn->c.fd = -1; |
| 463 | conn->ssl = SSL_new(ctx); |
| 464 | return (connection *) conn; |
| 465 | } |
| 466 | |
| 467 | connection *connCreateTLS(void) { |
| 468 | return createTLSConnection(1); |
| 469 | } |
| 470 | |
| 471 | /* Fetch the latest OpenSSL error and store it in the connection */ |
| 472 | static void updateTLSError(tls_connection *conn) { |
| 473 | conn->c.last_errno = 0; |
| 474 | if (conn->ssl_error) zfree(conn->ssl_error); |
| 475 | conn->ssl_error = zmalloc(512); |
| 476 | ERR_error_string_n(ERR_get_error(), conn->ssl_error, 512); |
| 477 | } |
| 478 | |
| 479 | /* Create a new TLS connection that is already associated with |
| 480 | * an accepted underlying file descriptor. |
| 481 | * |
| 482 | * The socket is not ready for I/O until connAccept() was called and |
| 483 | * invoked the connection-level accept handler. |
| 484 | * |
| 485 | * Callers should use connGetState() and verify the created connection |
| 486 | * is not in an error state. |
| 487 | */ |
| 488 | connection *connCreateAcceptedTLS(int fd, int require_auth) { |
| 489 | tls_connection *conn = (tls_connection *) createTLSConnection(0); |
| 490 | conn->c.fd = fd; |
| 491 | conn->c.state = CONN_STATE_ACCEPTING; |
| 492 | |
| 493 | if (!conn->ssl) { |
| 494 | updateTLSError(conn); |
| 495 | conn->c.state = CONN_STATE_ERROR; |
| 496 | return (connection *) conn; |
| 497 | } |
| 498 | |
| 499 | switch (require_auth) { |
| 500 | case TLS_CLIENT_AUTH_NO: |
| 501 | SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); |
| 502 | break; |
| 503 | case TLS_CLIENT_AUTH_OPTIONAL: |
| 504 | SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, NULL); |
| 505 | break; |
| 506 | default: /* TLS_CLIENT_AUTH_YES, also fall-secure */ |
| 507 | SSL_set_verify(conn->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); |
| 508 | break; |
| 509 | } |
| 510 | |
| 511 | SSL_set_fd(conn->ssl, conn->c.fd); |
| 512 | SSL_set_accept_state(conn->ssl); |
| 513 | |
| 514 | return (connection *) conn; |
| 515 | } |
| 516 | |
| 517 | static void tlsEventHandler(struct aeEventLoop *el, int fd, void *clientData, int mask); |
| 518 | |
| 519 | /* Process the return code received from OpenSSL> |
| 520 | * Update the want parameter with expected I/O. |
| 521 | * Update the connection's error state if a real error has occurred. |
| 522 | * Returns an SSL error code, or 0 if no further handling is required. |
| 523 | */ |
| 524 | static int handleSSLReturnCode(tls_connection *conn, int ret_value, WantIOType *want) { |
| 525 | if (ret_value <= 0) { |
| 526 | int ssl_err = SSL_get_error(conn->ssl, ret_value); |
| 527 | switch (ssl_err) { |
| 528 | case SSL_ERROR_WANT_WRITE: |
| 529 | *want = WANT_WRITE; |
| 530 | return 0; |
| 531 | case SSL_ERROR_WANT_READ: |
| 532 | *want = WANT_READ; |
| 533 | return 0; |
| 534 | case SSL_ERROR_SYSCALL: |
| 535 | conn->c.last_errno = errno; |
| 536 | if (conn->ssl_error) zfree(conn->ssl_error); |
| 537 | conn->ssl_error = errno ? zstrdup(strerror(errno)) : NULL; |
| 538 | break; |
| 539 | default: |
| 540 | /* Error! */ |
| 541 | updateTLSError(conn); |
| 542 | break; |
| 543 | } |
| 544 | |
| 545 | return ssl_err; |
| 546 | } |
| 547 | |
| 548 | return 0; |
| 549 | } |
| 550 | |
| 551 | void registerSSLEvent(tls_connection *conn, WantIOType want) { |
| 552 | int mask = aeGetFileEvents(server.el, conn->c.fd); |
| 553 | |
| 554 | switch (want) { |
| 555 | case WANT_READ: |
| 556 | if (mask & AE_WRITABLE) aeDeleteFileEvent(server.el, conn->c.fd, AE_WRITABLE); |
| 557 | if (!(mask & AE_READABLE)) aeCreateFileEvent(server.el, conn->c.fd, AE_READABLE, |
| 558 | tlsEventHandler, conn); |
| 559 | break; |
| 560 | case WANT_WRITE: |
| 561 | if (mask & AE_READABLE) aeDeleteFileEvent(server.el, conn->c.fd, AE_READABLE); |
| 562 | if (!(mask & AE_WRITABLE)) aeCreateFileEvent(server.el, conn->c.fd, AE_WRITABLE, |
| 563 | tlsEventHandler, conn); |
| 564 | break; |
| 565 | default: |
| 566 | serverAssert(0); |
| 567 | break; |
| 568 | } |
| 569 | } |
| 570 | |
| 571 | void updateSSLEvent(tls_connection *conn) { |
| 572 | int mask = aeGetFileEvents(server.el, conn->c.fd); |
| 573 | int need_read = conn->c.read_handler || (conn->flags & TLS_CONN_FLAG_WRITE_WANT_READ); |
| 574 | int need_write = conn->c.write_handler || (conn->flags & TLS_CONN_FLAG_READ_WANT_WRITE); |
| 575 | |
| 576 | if (need_read && !(mask & AE_READABLE)) |
| 577 | aeCreateFileEvent(server.el, conn->c.fd, AE_READABLE, tlsEventHandler, conn); |
| 578 | if (!need_read && (mask & AE_READABLE)) |
| 579 | aeDeleteFileEvent(server.el, conn->c.fd, AE_READABLE); |
| 580 | |
| 581 | if (need_write && !(mask & AE_WRITABLE)) |
| 582 | aeCreateFileEvent(server.el, conn->c.fd, AE_WRITABLE, tlsEventHandler, conn); |
| 583 | if (!need_write && (mask & AE_WRITABLE)) |
| 584 | aeDeleteFileEvent(server.el, conn->c.fd, AE_WRITABLE); |
| 585 | } |
| 586 | |
| 587 | static void tlsHandleEvent(tls_connection *conn, int mask) { |
| 588 | int ret, conn_error; |
| 589 | |
| 590 | TLSCONN_DEBUG("tlsEventHandler(): fd=%d, state=%d, mask=%d, r=%d, w=%d, flags=%d", |
| 591 | fd, conn->c.state, mask, conn->c.read_handler != NULL, conn->c.write_handler != NULL, |
| 592 | conn->flags); |
| 593 | |
| 594 | ERR_clear_error(); |
| 595 | |
| 596 | switch (conn->c.state) { |
| 597 | case CONN_STATE_CONNECTING: |
| 598 | conn_error = connGetSocketError((connection *) conn); |
| 599 | if (conn_error) { |
| 600 | conn->c.last_errno = conn_error; |
| 601 | conn->c.state = CONN_STATE_ERROR; |
| 602 | } else { |
| 603 | if (!(conn->flags & TLS_CONN_FLAG_FD_SET)) { |
| 604 | SSL_set_fd(conn->ssl, conn->c.fd); |
| 605 | conn->flags |= TLS_CONN_FLAG_FD_SET; |
| 606 | } |
| 607 | ret = SSL_connect(conn->ssl); |
| 608 | if (ret <= 0) { |
| 609 | WantIOType want = 0; |
| 610 | if (!handleSSLReturnCode(conn, ret, &want)) { |
| 611 | registerSSLEvent(conn, want); |
| 612 | |
| 613 | /* Avoid hitting UpdateSSLEvent, which knows nothing |
| 614 | * of what SSL_connect() wants and instead looks at our |
| 615 | * R/W handlers. |
| 616 | */ |
| 617 | return; |
| 618 | } |
| 619 | |
| 620 | /* If not handled, it's an error */ |
| 621 | conn->c.state = CONN_STATE_ERROR; |
| 622 | } else { |
| 623 | conn->c.state = CONN_STATE_CONNECTED; |
| 624 | } |
| 625 | } |
| 626 | |
| 627 | if (!callHandler((connection *) conn, conn->c.conn_handler)) return; |
| 628 | conn->c.conn_handler = NULL; |
| 629 | break; |
| 630 | case CONN_STATE_ACCEPTING: |
| 631 | ret = SSL_accept(conn->ssl); |
| 632 | if (ret <= 0) { |
| 633 | WantIOType want = 0; |
| 634 | if (!handleSSLReturnCode(conn, ret, &want)) { |
| 635 | /* Avoid hitting UpdateSSLEvent, which knows nothing |
| 636 | * of what SSL_connect() wants and instead looks at our |
| 637 | * R/W handlers. |
| 638 | */ |
| 639 | registerSSLEvent(conn, want); |
| 640 | return; |
| 641 | } |
| 642 | |
| 643 | /* If not handled, it's an error */ |
| 644 | conn->c.state = CONN_STATE_ERROR; |
| 645 | } else { |
| 646 | conn->c.state = CONN_STATE_CONNECTED; |
| 647 | } |
| 648 | |
| 649 | if (!callHandler((connection *) conn, conn->c.conn_handler)) return; |
| 650 | conn->c.conn_handler = NULL; |
| 651 | break; |
| 652 | case CONN_STATE_CONNECTED: |
| 653 | { |
| 654 | int call_read = ((mask & AE_READABLE) && conn->c.read_handler) || |
| 655 | ((mask & AE_WRITABLE) && (conn->flags & TLS_CONN_FLAG_READ_WANT_WRITE)); |
| 656 | int call_write = ((mask & AE_WRITABLE) && conn->c.write_handler) || |
| 657 | ((mask & AE_READABLE) && (conn->flags & TLS_CONN_FLAG_WRITE_WANT_READ)); |
| 658 | |
| 659 | /* Normally we execute the readable event first, and the writable |
| 660 | * event laster. This is useful as sometimes we may be able |
| 661 | * to serve the reply of a query immediately after processing the |
| 662 | * query. |
| 663 | * |
| 664 | * However if WRITE_BARRIER is set in the mask, our application is |
| 665 | * asking us to do the reverse: never fire the writable event |
| 666 | * after the readable. In such a case, we invert the calls. |
| 667 | * This is useful when, for instance, we want to do things |
| 668 | * in the beforeSleep() hook, like fsynching a file to disk, |
| 669 | * before replying to a client. */ |
| 670 | int invert = conn->c.flags & CONN_FLAG_WRITE_BARRIER; |
| 671 | |
| 672 | if (!invert && call_read) { |
| 673 | conn->flags &= ~TLS_CONN_FLAG_READ_WANT_WRITE; |
| 674 | if (!callHandler((connection *) conn, conn->c.read_handler)) return; |
| 675 | } |
| 676 | |
| 677 | /* Fire the writable event. */ |
| 678 | if (call_write) { |
| 679 | conn->flags &= ~TLS_CONN_FLAG_WRITE_WANT_READ; |
| 680 | if (!callHandler((connection *) conn, conn->c.write_handler)) return; |
| 681 | } |
| 682 | |
| 683 | /* If we have to invert the call, fire the readable event now |
| 684 | * after the writable one. */ |
| 685 | if (invert && call_read) { |
| 686 | conn->flags &= ~TLS_CONN_FLAG_READ_WANT_WRITE; |
| 687 | if (!callHandler((connection *) conn, conn->c.read_handler)) return; |
| 688 | } |
| 689 | |
| 690 | /* If SSL has pending that, already read from the socket, we're at |
| 691 | * risk of not calling the read handler again, make sure to add it |
| 692 | * to a list of pending connection that should be handled anyway. */ |
| 693 | if ((mask & AE_READABLE)) { |
| 694 | if (SSL_pending(conn->ssl) > 0) { |
| 695 | if (!conn->pending_list_node) { |
| 696 | listAddNodeTail(pending_list, conn); |
| 697 | conn->pending_list_node = listLast(pending_list); |
| 698 | } |
| 699 | } else if (conn->pending_list_node) { |
| 700 | listDelNode(pending_list, conn->pending_list_node); |
| 701 | conn->pending_list_node = NULL; |
| 702 | } |
| 703 | } |
| 704 | |
| 705 | break; |
| 706 | } |
| 707 | default: |
| 708 | break; |
| 709 | } |
| 710 | |
| 711 | updateSSLEvent(conn); |
| 712 | } |
| 713 | |
| 714 | static void tlsEventHandler(struct aeEventLoop *el, int fd, void *clientData, int mask) { |
| 715 | UNUSED(el); |
| 716 | UNUSED(fd); |
| 717 | tls_connection *conn = clientData; |
| 718 | tlsHandleEvent(conn, mask); |
| 719 | } |
| 720 | |
| 721 | static void connTLSClose(connection *conn_) { |
| 722 | tls_connection *conn = (tls_connection *) conn_; |
| 723 | |
| 724 | if (conn->ssl) { |
| 725 | if (conn->c.state == CONN_STATE_CONNECTED) |
| 726 | SSL_shutdown(conn->ssl); |
| 727 | SSL_free(conn->ssl); |
| 728 | conn->ssl = NULL; |
| 729 | } |
| 730 | |
| 731 | if (conn->ssl_error) { |
| 732 | zfree(conn->ssl_error); |
| 733 | conn->ssl_error = NULL; |
| 734 | } |
| 735 | |
| 736 | if (conn->pending_list_node) { |
| 737 | listDelNode(pending_list, conn->pending_list_node); |
| 738 | conn->pending_list_node = NULL; |
| 739 | } |
| 740 | |
| 741 | CT_Socket.close(conn_); |
| 742 | } |
| 743 | |
| 744 | static int connTLSAccept(connection *_conn, ConnectionCallbackFunc accept_handler) { |
| 745 | tls_connection *conn = (tls_connection *) _conn; |
| 746 | int ret; |
| 747 | |
| 748 | if (conn->c.state != CONN_STATE_ACCEPTING) return C_ERR; |
| 749 | ERR_clear_error(); |
| 750 | |
| 751 | /* Try to accept */ |
| 752 | conn->c.conn_handler = accept_handler; |
| 753 | ret = SSL_accept(conn->ssl); |
| 754 | |
| 755 | if (ret <= 0) { |
| 756 | WantIOType want = 0; |
| 757 | if (!handleSSLReturnCode(conn, ret, &want)) { |
| 758 | registerSSLEvent(conn, want); /* We'll fire back */ |
| 759 | return C_OK; |
| 760 | } else { |
| 761 | conn->c.state = CONN_STATE_ERROR; |
| 762 | return C_ERR; |
| 763 | } |
| 764 | } |
| 765 | |
| 766 | conn->c.state = CONN_STATE_CONNECTED; |
| 767 | if (!callHandler((connection *) conn, conn->c.conn_handler)) return C_OK; |
| 768 | conn->c.conn_handler = NULL; |
| 769 | |
| 770 | return C_OK; |
| 771 | } |
| 772 | |
| 773 | static int connTLSConnect(connection *conn_, const char *addr, int port, const char *src_addr, ConnectionCallbackFunc connect_handler) { |
| 774 | tls_connection *conn = (tls_connection *) conn_; |
| 775 | |
| 776 | if (conn->c.state != CONN_STATE_NONE) return C_ERR; |
| 777 | ERR_clear_error(); |
| 778 | |
| 779 | /* Initiate Socket connection first */ |
| 780 | if (CT_Socket.connect(conn_, addr, port, src_addr, connect_handler) == C_ERR) return C_ERR; |
| 781 | |
| 782 | /* Return now, once the socket is connected we'll initiate |
| 783 | * TLS connection from the event handler. |
| 784 | */ |
| 785 | return C_OK; |
| 786 | } |
| 787 | |
| 788 | static int connTLSWrite(connection *conn_, const void *data, size_t data_len) { |
| 789 | tls_connection *conn = (tls_connection *) conn_; |
| 790 | int ret, ssl_err; |
| 791 | |
| 792 | if (conn->c.state != CONN_STATE_CONNECTED) return -1; |
| 793 | ERR_clear_error(); |
| 794 | ret = SSL_write(conn->ssl, data, data_len); |
| 795 | /* If system call was interrupted, there's no need to go through the full |
| 796 | * OpenSSL error handling and just report this for the caller to retry the |
| 797 | * operation. |
| 798 | */ |
| 799 | if (errno == EINTR) { |
| 800 | conn->c.last_errno = EINTR; |
| 801 | return -1; |
| 802 | } |
| 803 | if (ret <= 0) { |
| 804 | WantIOType want = 0; |
| 805 | if (!(ssl_err = handleSSLReturnCode(conn, ret, &want))) { |
| 806 | if (want == WANT_READ) conn->flags |= TLS_CONN_FLAG_WRITE_WANT_READ; |
| 807 | updateSSLEvent(conn); |
| 808 | errno = EAGAIN; |
| 809 | return -1; |
| 810 | } else { |
| 811 | if (ssl_err == SSL_ERROR_ZERO_RETURN || |
| 812 | ((ssl_err == SSL_ERROR_SYSCALL && !errno))) { |
| 813 | conn->c.state = CONN_STATE_CLOSED; |
| 814 | return -1; |
| 815 | } else { |
| 816 | conn->c.state = CONN_STATE_ERROR; |
| 817 | return -1; |
| 818 | } |
| 819 | } |
| 820 | } |
| 821 | |
| 822 | return ret; |
| 823 | } |
| 824 | |
| 825 | static int connTLSWritev(connection *conn_, const struct iovec *iov, int iovcnt) { |
| 826 | if (iovcnt == 1) return connTLSWrite(conn_, iov[0].iov_base, iov[0].iov_len); |
| 827 | |
| 828 | /* Accumulate the amount of bytes of each buffer and check if it exceeds NET_MAX_WRITES_PER_EVENT. */ |
| 829 | size_t iov_bytes_len = 0; |
| 830 | for (int i = 0; i < iovcnt; i++) { |
| 831 | iov_bytes_len += iov[i].iov_len; |
| 832 | if (iov_bytes_len > NET_MAX_WRITES_PER_EVENT) break; |
| 833 | } |
| 834 | |
| 835 | /* The amount of all buffers is greater than NET_MAX_WRITES_PER_EVENT, |
| 836 | * which is not worth doing so much memory copying to reduce system calls, |
| 837 | * therefore, invoke connTLSWrite() multiple times to avoid memory copies. */ |
| 838 | if (iov_bytes_len > NET_MAX_WRITES_PER_EVENT) { |
| 839 | ssize_t tot_sent = 0; |
| 840 | for (int i = 0; i < iovcnt; i++) { |
| 841 | ssize_t sent = connTLSWrite(conn_, iov[i].iov_base, iov[i].iov_len); |
| 842 | if (sent <= 0) return tot_sent > 0 ? tot_sent : sent; |
| 843 | tot_sent += sent; |
| 844 | if ((size_t) sent != iov[i].iov_len) break; |
| 845 | } |
| 846 | return tot_sent; |
| 847 | } |
| 848 | |
| 849 | /* The amount of all buffers is less than NET_MAX_WRITES_PER_EVENT, |
| 850 | * which is worth doing more memory copies in exchange for fewer system calls, |
| 851 | * so concatenate these scattered buffers into a contiguous piece of memory |
| 852 | * and send it away by one call to connTLSWrite(). */ |
| 853 | char buf[iov_bytes_len]; |
| 854 | size_t offset = 0; |
| 855 | for (int i = 0; i < iovcnt; i++) { |
| 856 | memcpy(buf + offset, iov[i].iov_base, iov[i].iov_len); |
| 857 | offset += iov[i].iov_len; |
| 858 | } |
| 859 | return connTLSWrite(conn_, buf, iov_bytes_len); |
| 860 | } |
| 861 | |
| 862 | static int connTLSRead(connection *conn_, void *buf, size_t buf_len) { |
| 863 | tls_connection *conn = (tls_connection *) conn_; |
| 864 | int ret; |
| 865 | int ssl_err; |
| 866 | |
| 867 | if (conn->c.state != CONN_STATE_CONNECTED) return -1; |
| 868 | ERR_clear_error(); |
| 869 | ret = SSL_read(conn->ssl, buf, buf_len); |
| 870 | /* If system call was interrupted, there's no need to go through the full |
| 871 | * OpenSSL error handling and just report this for the caller to retry the |
| 872 | * operation. |
| 873 | */ |
| 874 | if (errno == EINTR) { |
| 875 | conn->c.last_errno = EINTR; |
| 876 | return -1; |
| 877 | } |
| 878 | if (ret <= 0) { |
| 879 | WantIOType want = 0; |
| 880 | if (!(ssl_err = handleSSLReturnCode(conn, ret, &want))) { |
| 881 | if (want == WANT_WRITE) conn->flags |= TLS_CONN_FLAG_READ_WANT_WRITE; |
| 882 | updateSSLEvent(conn); |
| 883 | |
| 884 | errno = EAGAIN; |
| 885 | return -1; |
| 886 | } else { |
| 887 | if (ssl_err == SSL_ERROR_ZERO_RETURN || |
| 888 | ((ssl_err == SSL_ERROR_SYSCALL) && !errno)) { |
| 889 | conn->c.state = CONN_STATE_CLOSED; |
| 890 | return 0; |
| 891 | } else { |
| 892 | conn->c.state = CONN_STATE_ERROR; |
| 893 | return -1; |
| 894 | } |
| 895 | } |
| 896 | } |
| 897 | |
| 898 | return ret; |
| 899 | } |
| 900 | |
| 901 | static const char *connTLSGetLastError(connection *conn_) { |
| 902 | tls_connection *conn = (tls_connection *) conn_; |
| 903 | |
| 904 | if (conn->ssl_error) return conn->ssl_error; |
| 905 | return NULL; |
| 906 | } |
| 907 | |
| 908 | int connTLSSetWriteHandler(connection *conn, ConnectionCallbackFunc func, int barrier) { |
| 909 | conn->write_handler = func; |
| 910 | if (barrier) |
| 911 | conn->flags |= CONN_FLAG_WRITE_BARRIER; |
| 912 | else |
| 913 | conn->flags &= ~CONN_FLAG_WRITE_BARRIER; |
| 914 | updateSSLEvent((tls_connection *) conn); |
| 915 | return C_OK; |
| 916 | } |
| 917 | |
| 918 | int connTLSSetReadHandler(connection *conn, ConnectionCallbackFunc func) { |
| 919 | conn->read_handler = func; |
| 920 | updateSSLEvent((tls_connection *) conn); |
| 921 | return C_OK; |
| 922 | } |
| 923 | |
| 924 | static void setBlockingTimeout(tls_connection *conn, long long timeout) { |
| 925 | anetBlock(NULL, conn->c.fd); |
| 926 | anetSendTimeout(NULL, conn->c.fd, timeout); |
| 927 | anetRecvTimeout(NULL, conn->c.fd, timeout); |
| 928 | } |
| 929 | |
| 930 | static void unsetBlockingTimeout(tls_connection *conn) { |
| 931 | anetNonBlock(NULL, conn->c.fd); |
| 932 | anetSendTimeout(NULL, conn->c.fd, 0); |
| 933 | anetRecvTimeout(NULL, conn->c.fd, 0); |
| 934 | } |
| 935 | |
| 936 | static int connTLSBlockingConnect(connection *conn_, const char *addr, int port, long long timeout) { |
| 937 | tls_connection *conn = (tls_connection *) conn_; |
| 938 | int ret; |
| 939 | |
| 940 | if (conn->c.state != CONN_STATE_NONE) return C_ERR; |
| 941 | |
| 942 | /* Initiate socket blocking connect first */ |
| 943 | if (CT_Socket.blocking_connect(conn_, addr, port, timeout) == C_ERR) return C_ERR; |
| 944 | |
| 945 | /* Initiate TLS connection now. We set up a send/recv timeout on the socket, |
| 946 | * which means the specified timeout will not be enforced accurately. */ |
| 947 | SSL_set_fd(conn->ssl, conn->c.fd); |
| 948 | setBlockingTimeout(conn, timeout); |
| 949 | |
| 950 | if ((ret = SSL_connect(conn->ssl)) <= 0) { |
| 951 | conn->c.state = CONN_STATE_ERROR; |
| 952 | return C_ERR; |
| 953 | } |
| 954 | unsetBlockingTimeout(conn); |
| 955 | |
| 956 | conn->c.state = CONN_STATE_CONNECTED; |
| 957 | return C_OK; |
| 958 | } |
| 959 | |
| 960 | static ssize_t connTLSSyncWrite(connection *conn_, char *ptr, ssize_t size, long long timeout) { |
| 961 | tls_connection *conn = (tls_connection *) conn_; |
| 962 | |
| 963 | setBlockingTimeout(conn, timeout); |
| 964 | SSL_clear_mode(conn->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); |
| 965 | int ret = SSL_write(conn->ssl, ptr, size); |
| 966 | SSL_set_mode(conn->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); |
| 967 | unsetBlockingTimeout(conn); |
| 968 | |
| 969 | return ret; |
| 970 | } |
| 971 | |
| 972 | static ssize_t connTLSSyncRead(connection *conn_, char *ptr, ssize_t size, long long timeout) { |
| 973 | tls_connection *conn = (tls_connection *) conn_; |
| 974 | |
| 975 | setBlockingTimeout(conn, timeout); |
| 976 | int ret = SSL_read(conn->ssl, ptr, size); |
| 977 | unsetBlockingTimeout(conn); |
| 978 | |
| 979 | return ret; |
| 980 | } |
| 981 | |
| 982 | static ssize_t connTLSSyncReadLine(connection *conn_, char *ptr, ssize_t size, long long timeout) { |
| 983 | tls_connection *conn = (tls_connection *) conn_; |
| 984 | ssize_t nread = 0; |
| 985 | |
| 986 | setBlockingTimeout(conn, timeout); |
| 987 | |
| 988 | size--; |
| 989 | while(size) { |
| 990 | char c; |
| 991 | |
| 992 | if (SSL_read(conn->ssl,&c,1) <= 0) { |
| 993 | nread = -1; |
| 994 | goto exit; |
| 995 | } |
| 996 | if (c == '\n') { |
| 997 | *ptr = '\0'; |
| 998 | if (nread && *(ptr-1) == '\r') *(ptr-1) = '\0'; |
| 999 | goto exit; |
| 1000 | } else { |
| 1001 | *ptr++ = c; |
| 1002 | *ptr = '\0'; |
| 1003 | nread++; |
| 1004 | } |
| 1005 | size--; |
| 1006 | } |
| 1007 | exit: |
| 1008 | unsetBlockingTimeout(conn); |
| 1009 | return nread; |
| 1010 | } |
| 1011 | |
| 1012 | static int connTLSGetType(connection *conn_) { |
| 1013 | (void) conn_; |
| 1014 | |
| 1015 | return CONN_TYPE_TLS; |
| 1016 | } |
| 1017 | |
| 1018 | ConnectionType CT_TLS = { |
| 1019 | .ae_handler = tlsEventHandler, |
| 1020 | .accept = connTLSAccept, |
| 1021 | .connect = connTLSConnect, |
| 1022 | .blocking_connect = connTLSBlockingConnect, |
| 1023 | .read = connTLSRead, |
| 1024 | .write = connTLSWrite, |
| 1025 | .writev = connTLSWritev, |
| 1026 | .close = connTLSClose, |
| 1027 | .set_write_handler = connTLSSetWriteHandler, |
| 1028 | .set_read_handler = connTLSSetReadHandler, |
| 1029 | .get_last_error = connTLSGetLastError, |
| 1030 | .sync_write = connTLSSyncWrite, |
| 1031 | .sync_read = connTLSSyncRead, |
| 1032 | .sync_readline = connTLSSyncReadLine, |
| 1033 | .get_type = connTLSGetType |
| 1034 | }; |
| 1035 | |
| 1036 | int tlsHasPendingData() { |
| 1037 | if (!pending_list) |
| 1038 | return 0; |
| 1039 | return listLength(pending_list) > 0; |
| 1040 | } |
| 1041 | |
| 1042 | int tlsProcessPendingData() { |
| 1043 | listIter li; |
| 1044 | listNode *ln; |
| 1045 | |
| 1046 | int processed = listLength(pending_list); |
| 1047 | listRewind(pending_list,&li); |
| 1048 | while((ln = listNext(&li))) { |
| 1049 | tls_connection *conn = listNodeValue(ln); |
| 1050 | tlsHandleEvent(conn, AE_READABLE); |
| 1051 | } |
| 1052 | return processed; |
| 1053 | } |
| 1054 | |
| 1055 | /* Fetch the peer certificate used for authentication on the specified |
| 1056 | * connection and return it as a PEM-encoded sds. |
| 1057 | */ |
| 1058 | sds connTLSGetPeerCert(connection *conn_) { |
| 1059 | tls_connection *conn = (tls_connection *) conn_; |
| 1060 | if (conn_->type->get_type(conn_) != CONN_TYPE_TLS || !conn->ssl) return NULL; |
| 1061 | |
| 1062 | X509 *cert = SSL_get_peer_certificate(conn->ssl); |
| 1063 | if (!cert) return NULL; |
| 1064 | |
| 1065 | BIO *bio = BIO_new(BIO_s_mem()); |
| 1066 | if (bio == NULL || !PEM_write_bio_X509(bio, cert)) { |
| 1067 | if (bio != NULL) BIO_free(bio); |
| 1068 | return NULL; |
| 1069 | } |
| 1070 | |
| 1071 | const char *bio_ptr; |
| 1072 | long long bio_len = BIO_get_mem_data(bio, &bio_ptr); |
| 1073 | sds cert_pem = sdsnewlen(bio_ptr, bio_len); |
| 1074 | BIO_free(bio); |
| 1075 | |
| 1076 | return cert_pem; |
| 1077 | } |
| 1078 | |
| 1079 | #else /* USE_OPENSSL */ |
| 1080 | |
| 1081 | void tlsInit(void) { |
| 1082 | } |
| 1083 | |
| 1084 | void tlsCleanup(void) { |
| 1085 | } |
| 1086 | |
| 1087 | int tlsConfigure(redisTLSContextConfig *ctx_config) { |
| 1088 | UNUSED(ctx_config); |
| 1089 | return C_OK; |
| 1090 | } |
| 1091 | |
| 1092 | connection *connCreateTLS(void) { |
| 1093 | return NULL; |
| 1094 | } |
| 1095 | |
| 1096 | connection *connCreateAcceptedTLS(int fd, int require_auth) { |
| 1097 | UNUSED(fd); |
| 1098 | UNUSED(require_auth); |
| 1099 | |
| 1100 | return NULL; |
| 1101 | } |
| 1102 | |
| 1103 | int tlsHasPendingData() { |
| 1104 | return 0; |
| 1105 | } |
| 1106 | |
| 1107 | int tlsProcessPendingData() { |
| 1108 | return 0; |
| 1109 | } |
| 1110 | |
| 1111 | sds connTLSGetPeerCert(connection *conn_) { |
| 1112 | (void) conn_; |
| 1113 | return NULL; |
| 1114 | } |
| 1115 | |
| 1116 | #endif |
| 1117 |
Generated on 2022-Aug-16 from project redis revision 7.0.4
Powered by 
Code Browser 2.1
Generator usage only permitted with license.