1 | /* |
2 | * Copyright (c) 2019, Redis Labs |
3 | * All rights reserved. |
4 | * |
5 | * Redistribution and use in source and binary forms, with or without |
6 | * modification, are permitted provided that the following conditions are met: |
7 | * |
8 | * * Redistributions of source code must retain the above copyright notice, |
9 | * this list of conditions and the following disclaimer. |
10 | * * Redistributions in binary form must reproduce the above copyright |
11 | * notice, this list of conditions and the following disclaimer in the |
12 | * documentation and/or other materials provided with the distribution. |
13 | * * Neither the name of Redis nor the names of its contributors may be used |
14 | * to endorse or promote products derived from this software without |
15 | * specific prior written permission. |
16 | * |
17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE |
21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
27 | * POSSIBILITY OF SUCH DAMAGE. |
28 | */ |
29 | |
30 | |
31 | #include "server.h" |
32 | #include "connhelpers.h" |
33 | #include "adlist.h" |
34 | |
35 | #ifdef USE_OPENSSL |
36 | |
37 | #include <openssl/conf.h> |
38 | #include <openssl/ssl.h> |
39 | #include <openssl/err.h> |
40 | #include <openssl/rand.h> |
41 | #include <openssl/pem.h> |
42 | #if OPENSSL_VERSION_NUMBER >= 0x30000000L |
43 | #include <openssl/decoder.h> |
44 | #endif |
45 | #include <sys/uio.h> |
46 | |
47 | #define REDIS_TLS_PROTO_TLSv1 (1<<0) |
48 | #define REDIS_TLS_PROTO_TLSv1_1 (1<<1) |
49 | #define REDIS_TLS_PROTO_TLSv1_2 (1<<2) |
50 | #define REDIS_TLS_PROTO_TLSv1_3 (1<<3) |
51 | |
52 | /* Use safe defaults */ |
53 | #ifdef TLS1_3_VERSION |
54 | #define REDIS_TLS_PROTO_DEFAULT (REDIS_TLS_PROTO_TLSv1_2|REDIS_TLS_PROTO_TLSv1_3) |
55 | #else |
56 | #define REDIS_TLS_PROTO_DEFAULT (REDIS_TLS_PROTO_TLSv1_2) |
57 | #endif |
58 | |
59 | extern ConnectionType CT_Socket; |
60 | |
61 | SSL_CTX *redis_tls_ctx = NULL; |
62 | SSL_CTX *redis_tls_client_ctx = NULL; |
63 | |
64 | static int parseProtocolsConfig(const char *str) { |
65 | int i, count = 0; |
66 | int protocols = 0; |
67 | |
68 | if (!str) return REDIS_TLS_PROTO_DEFAULT; |
69 | sds *tokens = sdssplitlen(str, strlen(str), " " , 1, &count); |
70 | |
71 | if (!tokens) { |
72 | serverLog(LL_WARNING, "Invalid tls-protocols configuration string" ); |
73 | return -1; |
74 | } |
75 | for (i = 0; i < count; i++) { |
76 | if (!strcasecmp(tokens[i], "tlsv1" )) protocols |= REDIS_TLS_PROTO_TLSv1; |
77 | else if (!strcasecmp(tokens[i], "tlsv1.1" )) protocols |= REDIS_TLS_PROTO_TLSv1_1; |
78 | else if (!strcasecmp(tokens[i], "tlsv1.2" )) protocols |= REDIS_TLS_PROTO_TLSv1_2; |
79 | else if (!strcasecmp(tokens[i], "tlsv1.3" )) { |
80 | #ifdef TLS1_3_VERSION |
81 | protocols |= REDIS_TLS_PROTO_TLSv1_3; |
82 | #else |
83 | serverLog(LL_WARNING, "TLSv1.3 is specified in tls-protocols but not supported by OpenSSL." ); |
84 | protocols = -1; |
85 | break; |
86 | #endif |
87 | } else { |
88 | serverLog(LL_WARNING, "Invalid tls-protocols specified. " |
89 | "Use a combination of 'TLSv1', 'TLSv1.1', 'TLSv1.2' and 'TLSv1.3'." ); |
90 | protocols = -1; |
91 | break; |
92 | } |
93 | } |
94 | sdsfreesplitres(tokens, count); |
95 | |
96 | return protocols; |
97 | } |
98 | |
99 | /* list of connections with pending data already read from the socket, but not |
100 | * served to the reader yet. */ |
101 | static list *pending_list = NULL; |
102 | |
103 | /** |
104 | * OpenSSL global initialization and locking handling callbacks. |
105 | * Note that this is only required for OpenSSL < 1.1.0. |
106 | */ |
107 | |
108 | #if OPENSSL_VERSION_NUMBER < 0x10100000L |
109 | #define USE_CRYPTO_LOCKS |
110 | #endif |
111 | |
112 | #ifdef USE_CRYPTO_LOCKS |
113 | |
114 | static pthread_mutex_t *openssl_locks; |
115 | |
116 | static void sslLockingCallback(int mode, int lock_id, const char *f, int line) { |
117 | pthread_mutex_t *mt = openssl_locks + lock_id; |
118 | |
119 | if (mode & CRYPTO_LOCK) { |
120 | pthread_mutex_lock(mt); |
121 | } else { |
122 | pthread_mutex_unlock(mt); |
123 | } |
124 | |
125 | (void)f; |
126 | (void)line; |
127 | } |
128 | |
129 | static void initCryptoLocks(void) { |
130 | unsigned i, nlocks; |
131 | if (CRYPTO_get_locking_callback() != NULL) { |
132 | /* Someone already set the callback before us. Don't destroy it! */ |
133 | return; |
134 | } |
135 | nlocks = CRYPTO_num_locks(); |
136 | openssl_locks = zmalloc(sizeof(*openssl_locks) * nlocks); |
137 | for (i = 0; i < nlocks; i++) { |
138 | pthread_mutex_init(openssl_locks + i, NULL); |
139 | } |
140 | CRYPTO_set_locking_callback(sslLockingCallback); |
141 | } |
142 | #endif /* USE_CRYPTO_LOCKS */ |
143 | |
144 | void tlsInit(void) { |
145 | /* Enable configuring OpenSSL using the standard openssl.cnf |
146 | * OPENSSL_config()/OPENSSL_init_crypto() should be the first |
147 | * call to the OpenSSL* library. |
148 | * - OPENSSL_config() should be used for OpenSSL versions < 1.1.0 |
149 | * - OPENSSL_init_crypto() should be used for OpenSSL versions >= 1.1.0 |
150 | */ |
151 | #if OPENSSL_VERSION_NUMBER < 0x10100000L |
152 | OPENSSL_config(NULL); |
153 | SSL_load_error_strings(); |
154 | SSL_library_init(); |
155 | #elif OPENSSL_VERSION_NUMBER < 0x10101000L |
156 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); |
157 | #else |
158 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG|OPENSSL_INIT_ATFORK, NULL); |
159 | #endif |
160 | |
161 | #ifdef USE_CRYPTO_LOCKS |
162 | initCryptoLocks(); |
163 | #endif |
164 | |
165 | if (!RAND_poll()) { |
166 | serverLog(LL_WARNING, "OpenSSL: Failed to seed random number generator." ); |
167 | } |
168 | |
169 | pending_list = listCreate(); |
170 | } |
171 | |
172 | void tlsCleanup(void) { |
173 | if (redis_tls_ctx) { |
174 | SSL_CTX_free(redis_tls_ctx); |
175 | redis_tls_ctx = NULL; |
176 | } |
177 | if (redis_tls_client_ctx) { |
178 | SSL_CTX_free(redis_tls_client_ctx); |
179 | redis_tls_client_ctx = NULL; |
180 | } |
181 | |
182 | #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
183 | // unavailable on LibreSSL |
184 | OPENSSL_cleanup(); |
185 | #endif |
186 | } |
187 | |
188 | /* Callback for passing a keyfile password stored as an sds to OpenSSL */ |
189 | static int tlsPasswordCallback(char *buf, int size, int rwflag, void *u) { |
190 | UNUSED(rwflag); |
191 | |
192 | const char *pass = u; |
193 | size_t pass_len; |
194 | |
195 | if (!pass) return -1; |
196 | pass_len = strlen(pass); |
197 | if (pass_len > (size_t) size) return -1; |
198 | memcpy(buf, pass, pass_len); |
199 | |
200 | return (int) pass_len; |
201 | } |
202 | |
203 | /* Create a *base* SSL_CTX using the SSL configuration provided. The base context |
204 | * includes everything that's common for both client-side and server-side connections. |
205 | */ |
206 | static SSL_CTX *createSSLContext(redisTLSContextConfig *ctx_config, int protocols, int client) { |
207 | const char *cert_file = client ? ctx_config->client_cert_file : ctx_config->cert_file; |
208 | const char *key_file = client ? ctx_config->client_key_file : ctx_config->key_file; |
209 | const char *key_file_pass = client ? ctx_config->client_key_file_pass : ctx_config->key_file_pass; |
210 | char errbuf[256]; |
211 | SSL_CTX *ctx = NULL; |
212 | |
213 | ctx = SSL_CTX_new(SSLv23_method()); |
214 | |
215 | SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
216 | |
217 | #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
218 | SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
219 | #endif |
220 | |
221 | if (!(protocols & REDIS_TLS_PROTO_TLSv1)) |
222 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); |
223 | if (!(protocols & REDIS_TLS_PROTO_TLSv1_1)) |
224 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); |
225 | #ifdef SSL_OP_NO_TLSv1_2 |
226 | if (!(protocols & REDIS_TLS_PROTO_TLSv1_2)) |
227 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); |
228 | #endif |
229 | #ifdef SSL_OP_NO_TLSv1_3 |
230 | if (!(protocols & REDIS_TLS_PROTO_TLSv1_3)) |
231 | SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); |
232 | #endif |
233 | |
234 | #ifdef SSL_OP_NO_COMPRESSION |
235 | SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); |
236 | #endif |
237 | |
238 | SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
239 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); |
240 | |
241 | SSL_CTX_set_default_passwd_cb(ctx, tlsPasswordCallback); |
242 | SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) key_file_pass); |
243 | |
244 | if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) { |
245 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
246 | serverLog(LL_WARNING, "Failed to load certificate: %s: %s" , cert_file, errbuf); |
247 | goto error; |
248 | } |
249 | |
250 | if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) { |
251 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
252 | serverLog(LL_WARNING, "Failed to load private key: %s: %s" , key_file, errbuf); |
253 | goto error; |
254 | } |
255 | |
256 | if ((ctx_config->ca_cert_file || ctx_config->ca_cert_dir) && |
257 | SSL_CTX_load_verify_locations(ctx, ctx_config->ca_cert_file, ctx_config->ca_cert_dir) <= 0) { |
258 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
259 | serverLog(LL_WARNING, "Failed to configure CA certificate(s) file/directory: %s" , errbuf); |
260 | goto error; |
261 | } |
262 | |
263 | if (ctx_config->ciphers && !SSL_CTX_set_cipher_list(ctx, ctx_config->ciphers)) { |
264 | serverLog(LL_WARNING, "Failed to configure ciphers: %s" , ctx_config->ciphers); |
265 | goto error; |
266 | } |
267 | |
268 | #ifdef TLS1_3_VERSION |
269 | if (ctx_config->ciphersuites && !SSL_CTX_set_ciphersuites(ctx, ctx_config->ciphersuites)) { |
270 | serverLog(LL_WARNING, "Failed to configure ciphersuites: %s" , ctx_config->ciphersuites); |
271 | goto error; |
272 | } |
273 | #endif |
274 | |
275 | return ctx; |
276 | |
277 | error: |
278 | if (ctx) SSL_CTX_free(ctx); |
279 | return NULL; |
280 | } |
281 | |
282 | /* Attempt to configure/reconfigure TLS. This operation is atomic and will |
283 | * leave the SSL_CTX unchanged if fails. |
284 | */ |
285 | int tlsConfigure(redisTLSContextConfig *ctx_config) { |
286 | char errbuf[256]; |
287 | SSL_CTX *ctx = NULL; |
288 | SSL_CTX *client_ctx = NULL; |
289 | |
290 | if (!ctx_config->cert_file) { |
291 | serverLog(LL_WARNING, "No tls-cert-file configured!" ); |
292 | goto error; |
293 | } |
294 | |
295 | if (!ctx_config->key_file) { |
296 | serverLog(LL_WARNING, "No tls-key-file configured!" ); |
297 | goto error; |
298 | } |
299 | |
300 | if (((server.tls_auth_clients != TLS_CLIENT_AUTH_NO) || server.tls_cluster || server.tls_replication) && |
301 | !ctx_config->ca_cert_file && !ctx_config->ca_cert_dir) { |
302 | serverLog(LL_WARNING, "Either tls-ca-cert-file or tls-ca-cert-dir must be specified when tls-cluster, tls-replication or tls-auth-clients are enabled!" ); |
303 | goto error; |
304 | } |
305 | |
306 | int protocols = parseProtocolsConfig(ctx_config->protocols); |
307 | if (protocols == -1) goto error; |
308 | |
309 | /* Create server side/generla context */ |
310 | ctx = createSSLContext(ctx_config, protocols, 0); |
311 | if (!ctx) goto error; |
312 | |
313 | if (ctx_config->session_caching) { |
314 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); |
315 | SSL_CTX_sess_set_cache_size(ctx, ctx_config->session_cache_size); |
316 | SSL_CTX_set_timeout(ctx, ctx_config->session_cache_timeout); |
317 | SSL_CTX_set_session_id_context(ctx, (void *) "redis" , 5); |
318 | } else { |
319 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
320 | } |
321 | |
322 | #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
323 | SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
324 | #endif |
325 | |
326 | if (ctx_config->prefer_server_ciphers) |
327 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
328 | |
329 | #if ((OPENSSL_VERSION_NUMBER < 0x30000000L) && defined(SSL_CTX_set_ecdh_auto)) |
330 | SSL_CTX_set_ecdh_auto(ctx, 1); |
331 | #endif |
332 | SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); |
333 | |
334 | if (ctx_config->dh_params_file) { |
335 | FILE *dhfile = fopen(ctx_config->dh_params_file, "r" ); |
336 | if (!dhfile) { |
337 | serverLog(LL_WARNING, "Failed to load %s: %s" , ctx_config->dh_params_file, strerror(errno)); |
338 | goto error; |
339 | } |
340 | |
341 | #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
342 | EVP_PKEY *pkey = NULL; |
343 | OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey( |
344 | &pkey, "PEM" , NULL, "DH" , OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, NULL, NULL); |
345 | if (!dctx) { |
346 | serverLog(LL_WARNING, "No decoder for DH params." ); |
347 | fclose(dhfile); |
348 | goto error; |
349 | } |
350 | if (!OSSL_DECODER_from_fp(dctx, dhfile)) { |
351 | serverLog(LL_WARNING, "%s: failed to read DH params." , ctx_config->dh_params_file); |
352 | OSSL_DECODER_CTX_free(dctx); |
353 | fclose(dhfile); |
354 | goto error; |
355 | } |
356 | |
357 | OSSL_DECODER_CTX_free(dctx); |
358 | fclose(dhfile); |
359 | |
360 | if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) <= 0) { |
361 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
362 | serverLog(LL_WARNING, "Failed to load DH params file: %s: %s" , ctx_config->dh_params_file, errbuf); |
363 | EVP_PKEY_free(pkey); |
364 | goto error; |
365 | } |
366 | /* Not freeing pkey, it is owned by OpenSSL now */ |
367 | #else |
368 | DH *dh = PEM_read_DHparams(dhfile, NULL, NULL, NULL); |
369 | fclose(dhfile); |
370 | if (!dh) { |
371 | serverLog(LL_WARNING, "%s: failed to read DH params." , ctx_config->dh_params_file); |
372 | goto error; |
373 | } |
374 | |
375 | if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0) { |
376 | ERR_error_string_n(ERR_get_error(), errbuf, sizeof(errbuf)); |
377 | serverLog(LL_WARNING, "Failed to load DH params file: %s: %s" , ctx_config->dh_params_file, errbuf); |
378 | DH_free(dh); |
379 | goto error; |
380 | } |
381 | |
382 | DH_free(dh); |
383 | #endif |
384 | } else { |
385 | #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
386 | SSL_CTX_set_dh_auto(ctx, 1); |
387 | #endif |
388 | } |
389 | |
390 | /* If a client-side certificate is configured, create an explicit client context */ |
391 | if (ctx_config->client_cert_file && ctx_config->client_key_file) { |
392 | client_ctx = createSSLContext(ctx_config, protocols, 1); |
393 | if (!client_ctx) goto error; |
394 | } |
395 | |
396 | SSL_CTX_free(redis_tls_ctx); |
397 | SSL_CTX_free(redis_tls_client_ctx); |
398 | redis_tls_ctx = ctx; |
399 | redis_tls_client_ctx = client_ctx; |
400 | |
401 | return C_OK; |
402 | |
403 | error: |
404 | if (ctx) SSL_CTX_free(ctx); |
405 | if (client_ctx) SSL_CTX_free(client_ctx); |
406 | return C_ERR; |
407 | } |
408 | |
409 | /* Return 1 if TLS was already configured, 0 otherwise. |
410 | */ |
411 | int isTlsConfigured(void) { |
412 | return redis_tls_ctx != NULL; |
413 | } |
414 | |
415 | #ifdef TLS_DEBUGGING |
416 | #define TLSCONN_DEBUG(fmt, ...) \ |
417 | serverLog(LL_DEBUG, "TLSCONN: " fmt, __VA_ARGS__) |
418 | #else |
419 | #define TLSCONN_DEBUG(fmt, ...) |
420 | #endif |
421 | |
422 | ConnectionType CT_TLS; |
423 | |
424 | /* Normal socket connections have a simple events/handler correlation. |
425 | * |
426 | * With TLS connections we need to handle cases where during a logical read |
427 | * or write operation, the SSL library asks to block for the opposite |
428 | * socket operation. |
429 | * |
430 | * When this happens, we need to do two things: |
431 | * 1. Make sure we register for the event. |
432 | * 2. Make sure we know which handler needs to execute when the |
433 | * event fires. That is, if we notify the caller of a write operation |
434 | * that it blocks, and SSL asks for a read, we need to trigger the |
435 | * write handler again on the next read event. |
436 | * |
437 | */ |
438 | |
439 | typedef enum { |
440 | WANT_READ = 1, |
441 | WANT_WRITE |
442 | } WantIOType; |
443 | |
444 | #define TLS_CONN_FLAG_READ_WANT_WRITE (1<<0) |
445 | #define TLS_CONN_FLAG_WRITE_WANT_READ (1<<1) |
446 | #define TLS_CONN_FLAG_FD_SET (1<<2) |
447 | |
448 | typedef struct tls_connection { |
449 | connection c; |
450 | int flags; |
451 | SSL *ssl; |
452 | char *ssl_error; |
453 | listNode *pending_list_node; |
454 | } tls_connection; |
455 | |
456 | static connection *createTLSConnection(int client_side) { |
457 | SSL_CTX *ctx = redis_tls_ctx; |
458 | if (client_side && redis_tls_client_ctx) |
459 | ctx = redis_tls_client_ctx; |
460 | tls_connection *conn = zcalloc(sizeof(tls_connection)); |
461 | conn->c.type = &CT_TLS; |
462 | conn->c.fd = -1; |
463 | conn->ssl = SSL_new(ctx); |
464 | return (connection *) conn; |
465 | } |
466 | |
467 | connection *connCreateTLS(void) { |
468 | return createTLSConnection(1); |
469 | } |
470 | |
471 | /* Fetch the latest OpenSSL error and store it in the connection */ |
472 | static void updateTLSError(tls_connection *conn) { |
473 | conn->c.last_errno = 0; |
474 | if (conn->ssl_error) zfree(conn->ssl_error); |
475 | conn->ssl_error = zmalloc(512); |
476 | ERR_error_string_n(ERR_get_error(), conn->ssl_error, 512); |
477 | } |
478 | |
479 | /* Create a new TLS connection that is already associated with |
480 | * an accepted underlying file descriptor. |
481 | * |
482 | * The socket is not ready for I/O until connAccept() was called and |
483 | * invoked the connection-level accept handler. |
484 | * |
485 | * Callers should use connGetState() and verify the created connection |
486 | * is not in an error state. |
487 | */ |
488 | connection *connCreateAcceptedTLS(int fd, int require_auth) { |
489 | tls_connection *conn = (tls_connection *) createTLSConnection(0); |
490 | conn->c.fd = fd; |
491 | conn->c.state = CONN_STATE_ACCEPTING; |
492 | |
493 | if (!conn->ssl) { |
494 | updateTLSError(conn); |
495 | conn->c.state = CONN_STATE_ERROR; |
496 | return (connection *) conn; |
497 | } |
498 | |
499 | switch (require_auth) { |
500 | case TLS_CLIENT_AUTH_NO: |
501 | SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); |
502 | break; |
503 | case TLS_CLIENT_AUTH_OPTIONAL: |
504 | SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, NULL); |
505 | break; |
506 | default: /* TLS_CLIENT_AUTH_YES, also fall-secure */ |
507 | SSL_set_verify(conn->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); |
508 | break; |
509 | } |
510 | |
511 | SSL_set_fd(conn->ssl, conn->c.fd); |
512 | SSL_set_accept_state(conn->ssl); |
513 | |
514 | return (connection *) conn; |
515 | } |
516 | |
517 | static void tlsEventHandler(struct aeEventLoop *el, int fd, void *clientData, int mask); |
518 | |
519 | /* Process the return code received from OpenSSL> |
520 | * Update the want parameter with expected I/O. |
521 | * Update the connection's error state if a real error has occurred. |
522 | * Returns an SSL error code, or 0 if no further handling is required. |
523 | */ |
524 | static int handleSSLReturnCode(tls_connection *conn, int ret_value, WantIOType *want) { |
525 | if (ret_value <= 0) { |
526 | int ssl_err = SSL_get_error(conn->ssl, ret_value); |
527 | switch (ssl_err) { |
528 | case SSL_ERROR_WANT_WRITE: |
529 | *want = WANT_WRITE; |
530 | return 0; |
531 | case SSL_ERROR_WANT_READ: |
532 | *want = WANT_READ; |
533 | return 0; |
534 | case SSL_ERROR_SYSCALL: |
535 | conn->c.last_errno = errno; |
536 | if (conn->ssl_error) zfree(conn->ssl_error); |
537 | conn->ssl_error = errno ? zstrdup(strerror(errno)) : NULL; |
538 | break; |
539 | default: |
540 | /* Error! */ |
541 | updateTLSError(conn); |
542 | break; |
543 | } |
544 | |
545 | return ssl_err; |
546 | } |
547 | |
548 | return 0; |
549 | } |
550 | |
551 | void (tls_connection *conn, WantIOType want) { |
552 | int mask = aeGetFileEvents(server.el, conn->c.fd); |
553 | |
554 | switch (want) { |
555 | case WANT_READ: |
556 | if (mask & AE_WRITABLE) aeDeleteFileEvent(server.el, conn->c.fd, AE_WRITABLE); |
557 | if (!(mask & AE_READABLE)) aeCreateFileEvent(server.el, conn->c.fd, AE_READABLE, |
558 | tlsEventHandler, conn); |
559 | break; |
560 | case WANT_WRITE: |
561 | if (mask & AE_READABLE) aeDeleteFileEvent(server.el, conn->c.fd, AE_READABLE); |
562 | if (!(mask & AE_WRITABLE)) aeCreateFileEvent(server.el, conn->c.fd, AE_WRITABLE, |
563 | tlsEventHandler, conn); |
564 | break; |
565 | default: |
566 | serverAssert(0); |
567 | break; |
568 | } |
569 | } |
570 | |
571 | void updateSSLEvent(tls_connection *conn) { |
572 | int mask = aeGetFileEvents(server.el, conn->c.fd); |
573 | int need_read = conn->c.read_handler || (conn->flags & TLS_CONN_FLAG_WRITE_WANT_READ); |
574 | int need_write = conn->c.write_handler || (conn->flags & TLS_CONN_FLAG_READ_WANT_WRITE); |
575 | |
576 | if (need_read && !(mask & AE_READABLE)) |
577 | aeCreateFileEvent(server.el, conn->c.fd, AE_READABLE, tlsEventHandler, conn); |
578 | if (!need_read && (mask & AE_READABLE)) |
579 | aeDeleteFileEvent(server.el, conn->c.fd, AE_READABLE); |
580 | |
581 | if (need_write && !(mask & AE_WRITABLE)) |
582 | aeCreateFileEvent(server.el, conn->c.fd, AE_WRITABLE, tlsEventHandler, conn); |
583 | if (!need_write && (mask & AE_WRITABLE)) |
584 | aeDeleteFileEvent(server.el, conn->c.fd, AE_WRITABLE); |
585 | } |
586 | |
587 | static void tlsHandleEvent(tls_connection *conn, int mask) { |
588 | int ret, conn_error; |
589 | |
590 | TLSCONN_DEBUG("tlsEventHandler(): fd=%d, state=%d, mask=%d, r=%d, w=%d, flags=%d" , |
591 | fd, conn->c.state, mask, conn->c.read_handler != NULL, conn->c.write_handler != NULL, |
592 | conn->flags); |
593 | |
594 | ERR_clear_error(); |
595 | |
596 | switch (conn->c.state) { |
597 | case CONN_STATE_CONNECTING: |
598 | conn_error = connGetSocketError((connection *) conn); |
599 | if (conn_error) { |
600 | conn->c.last_errno = conn_error; |
601 | conn->c.state = CONN_STATE_ERROR; |
602 | } else { |
603 | if (!(conn->flags & TLS_CONN_FLAG_FD_SET)) { |
604 | SSL_set_fd(conn->ssl, conn->c.fd); |
605 | conn->flags |= TLS_CONN_FLAG_FD_SET; |
606 | } |
607 | ret = SSL_connect(conn->ssl); |
608 | if (ret <= 0) { |
609 | WantIOType want = 0; |
610 | if (!handleSSLReturnCode(conn, ret, &want)) { |
611 | registerSSLEvent(conn, want); |
612 | |
613 | /* Avoid hitting UpdateSSLEvent, which knows nothing |
614 | * of what SSL_connect() wants and instead looks at our |
615 | * R/W handlers. |
616 | */ |
617 | return; |
618 | } |
619 | |
620 | /* If not handled, it's an error */ |
621 | conn->c.state = CONN_STATE_ERROR; |
622 | } else { |
623 | conn->c.state = CONN_STATE_CONNECTED; |
624 | } |
625 | } |
626 | |
627 | if (!callHandler((connection *) conn, conn->c.conn_handler)) return; |
628 | conn->c.conn_handler = NULL; |
629 | break; |
630 | case CONN_STATE_ACCEPTING: |
631 | ret = SSL_accept(conn->ssl); |
632 | if (ret <= 0) { |
633 | WantIOType want = 0; |
634 | if (!handleSSLReturnCode(conn, ret, &want)) { |
635 | /* Avoid hitting UpdateSSLEvent, which knows nothing |
636 | * of what SSL_connect() wants and instead looks at our |
637 | * R/W handlers. |
638 | */ |
639 | registerSSLEvent(conn, want); |
640 | return; |
641 | } |
642 | |
643 | /* If not handled, it's an error */ |
644 | conn->c.state = CONN_STATE_ERROR; |
645 | } else { |
646 | conn->c.state = CONN_STATE_CONNECTED; |
647 | } |
648 | |
649 | if (!callHandler((connection *) conn, conn->c.conn_handler)) return; |
650 | conn->c.conn_handler = NULL; |
651 | break; |
652 | case CONN_STATE_CONNECTED: |
653 | { |
654 | int call_read = ((mask & AE_READABLE) && conn->c.read_handler) || |
655 | ((mask & AE_WRITABLE) && (conn->flags & TLS_CONN_FLAG_READ_WANT_WRITE)); |
656 | int call_write = ((mask & AE_WRITABLE) && conn->c.write_handler) || |
657 | ((mask & AE_READABLE) && (conn->flags & TLS_CONN_FLAG_WRITE_WANT_READ)); |
658 | |
659 | /* Normally we execute the readable event first, and the writable |
660 | * event laster. This is useful as sometimes we may be able |
661 | * to serve the reply of a query immediately after processing the |
662 | * query. |
663 | * |
664 | * However if WRITE_BARRIER is set in the mask, our application is |
665 | * asking us to do the reverse: never fire the writable event |
666 | * after the readable. In such a case, we invert the calls. |
667 | * This is useful when, for instance, we want to do things |
668 | * in the beforeSleep() hook, like fsynching a file to disk, |
669 | * before replying to a client. */ |
670 | int invert = conn->c.flags & CONN_FLAG_WRITE_BARRIER; |
671 | |
672 | if (!invert && call_read) { |
673 | conn->flags &= ~TLS_CONN_FLAG_READ_WANT_WRITE; |
674 | if (!callHandler((connection *) conn, conn->c.read_handler)) return; |
675 | } |
676 | |
677 | /* Fire the writable event. */ |
678 | if (call_write) { |
679 | conn->flags &= ~TLS_CONN_FLAG_WRITE_WANT_READ; |
680 | if (!callHandler((connection *) conn, conn->c.write_handler)) return; |
681 | } |
682 | |
683 | /* If we have to invert the call, fire the readable event now |
684 | * after the writable one. */ |
685 | if (invert && call_read) { |
686 | conn->flags &= ~TLS_CONN_FLAG_READ_WANT_WRITE; |
687 | if (!callHandler((connection *) conn, conn->c.read_handler)) return; |
688 | } |
689 | |
690 | /* If SSL has pending that, already read from the socket, we're at |
691 | * risk of not calling the read handler again, make sure to add it |
692 | * to a list of pending connection that should be handled anyway. */ |
693 | if ((mask & AE_READABLE)) { |
694 | if (SSL_pending(conn->ssl) > 0) { |
695 | if (!conn->pending_list_node) { |
696 | listAddNodeTail(pending_list, conn); |
697 | conn->pending_list_node = listLast(pending_list); |
698 | } |
699 | } else if (conn->pending_list_node) { |
700 | listDelNode(pending_list, conn->pending_list_node); |
701 | conn->pending_list_node = NULL; |
702 | } |
703 | } |
704 | |
705 | break; |
706 | } |
707 | default: |
708 | break; |
709 | } |
710 | |
711 | updateSSLEvent(conn); |
712 | } |
713 | |
714 | static void tlsEventHandler(struct aeEventLoop *el, int fd, void *clientData, int mask) { |
715 | UNUSED(el); |
716 | UNUSED(fd); |
717 | tls_connection *conn = clientData; |
718 | tlsHandleEvent(conn, mask); |
719 | } |
720 | |
721 | static void connTLSClose(connection *conn_) { |
722 | tls_connection *conn = (tls_connection *) conn_; |
723 | |
724 | if (conn->ssl) { |
725 | if (conn->c.state == CONN_STATE_CONNECTED) |
726 | SSL_shutdown(conn->ssl); |
727 | SSL_free(conn->ssl); |
728 | conn->ssl = NULL; |
729 | } |
730 | |
731 | if (conn->ssl_error) { |
732 | zfree(conn->ssl_error); |
733 | conn->ssl_error = NULL; |
734 | } |
735 | |
736 | if (conn->pending_list_node) { |
737 | listDelNode(pending_list, conn->pending_list_node); |
738 | conn->pending_list_node = NULL; |
739 | } |
740 | |
741 | CT_Socket.close(conn_); |
742 | } |
743 | |
744 | static int connTLSAccept(connection *_conn, ConnectionCallbackFunc accept_handler) { |
745 | tls_connection *conn = (tls_connection *) _conn; |
746 | int ret; |
747 | |
748 | if (conn->c.state != CONN_STATE_ACCEPTING) return C_ERR; |
749 | ERR_clear_error(); |
750 | |
751 | /* Try to accept */ |
752 | conn->c.conn_handler = accept_handler; |
753 | ret = SSL_accept(conn->ssl); |
754 | |
755 | if (ret <= 0) { |
756 | WantIOType want = 0; |
757 | if (!handleSSLReturnCode(conn, ret, &want)) { |
758 | registerSSLEvent(conn, want); /* We'll fire back */ |
759 | return C_OK; |
760 | } else { |
761 | conn->c.state = CONN_STATE_ERROR; |
762 | return C_ERR; |
763 | } |
764 | } |
765 | |
766 | conn->c.state = CONN_STATE_CONNECTED; |
767 | if (!callHandler((connection *) conn, conn->c.conn_handler)) return C_OK; |
768 | conn->c.conn_handler = NULL; |
769 | |
770 | return C_OK; |
771 | } |
772 | |
773 | static int connTLSConnect(connection *conn_, const char *addr, int port, const char *src_addr, ConnectionCallbackFunc connect_handler) { |
774 | tls_connection *conn = (tls_connection *) conn_; |
775 | |
776 | if (conn->c.state != CONN_STATE_NONE) return C_ERR; |
777 | ERR_clear_error(); |
778 | |
779 | /* Initiate Socket connection first */ |
780 | if (CT_Socket.connect(conn_, addr, port, src_addr, connect_handler) == C_ERR) return C_ERR; |
781 | |
782 | /* Return now, once the socket is connected we'll initiate |
783 | * TLS connection from the event handler. |
784 | */ |
785 | return C_OK; |
786 | } |
787 | |
788 | static int connTLSWrite(connection *conn_, const void *data, size_t data_len) { |
789 | tls_connection *conn = (tls_connection *) conn_; |
790 | int ret, ssl_err; |
791 | |
792 | if (conn->c.state != CONN_STATE_CONNECTED) return -1; |
793 | ERR_clear_error(); |
794 | ret = SSL_write(conn->ssl, data, data_len); |
795 | /* If system call was interrupted, there's no need to go through the full |
796 | * OpenSSL error handling and just report this for the caller to retry the |
797 | * operation. |
798 | */ |
799 | if (errno == EINTR) { |
800 | conn->c.last_errno = EINTR; |
801 | return -1; |
802 | } |
803 | if (ret <= 0) { |
804 | WantIOType want = 0; |
805 | if (!(ssl_err = handleSSLReturnCode(conn, ret, &want))) { |
806 | if (want == WANT_READ) conn->flags |= TLS_CONN_FLAG_WRITE_WANT_READ; |
807 | updateSSLEvent(conn); |
808 | errno = EAGAIN; |
809 | return -1; |
810 | } else { |
811 | if (ssl_err == SSL_ERROR_ZERO_RETURN || |
812 | ((ssl_err == SSL_ERROR_SYSCALL && !errno))) { |
813 | conn->c.state = CONN_STATE_CLOSED; |
814 | return -1; |
815 | } else { |
816 | conn->c.state = CONN_STATE_ERROR; |
817 | return -1; |
818 | } |
819 | } |
820 | } |
821 | |
822 | return ret; |
823 | } |
824 | |
825 | static int connTLSWritev(connection *conn_, const struct iovec *iov, int iovcnt) { |
826 | if (iovcnt == 1) return connTLSWrite(conn_, iov[0].iov_base, iov[0].iov_len); |
827 | |
828 | /* Accumulate the amount of bytes of each buffer and check if it exceeds NET_MAX_WRITES_PER_EVENT. */ |
829 | size_t iov_bytes_len = 0; |
830 | for (int i = 0; i < iovcnt; i++) { |
831 | iov_bytes_len += iov[i].iov_len; |
832 | if (iov_bytes_len > NET_MAX_WRITES_PER_EVENT) break; |
833 | } |
834 | |
835 | /* The amount of all buffers is greater than NET_MAX_WRITES_PER_EVENT, |
836 | * which is not worth doing so much memory copying to reduce system calls, |
837 | * therefore, invoke connTLSWrite() multiple times to avoid memory copies. */ |
838 | if (iov_bytes_len > NET_MAX_WRITES_PER_EVENT) { |
839 | ssize_t tot_sent = 0; |
840 | for (int i = 0; i < iovcnt; i++) { |
841 | ssize_t sent = connTLSWrite(conn_, iov[i].iov_base, iov[i].iov_len); |
842 | if (sent <= 0) return tot_sent > 0 ? tot_sent : sent; |
843 | tot_sent += sent; |
844 | if ((size_t) sent != iov[i].iov_len) break; |
845 | } |
846 | return tot_sent; |
847 | } |
848 | |
849 | /* The amount of all buffers is less than NET_MAX_WRITES_PER_EVENT, |
850 | * which is worth doing more memory copies in exchange for fewer system calls, |
851 | * so concatenate these scattered buffers into a contiguous piece of memory |
852 | * and send it away by one call to connTLSWrite(). */ |
853 | char buf[iov_bytes_len]; |
854 | size_t offset = 0; |
855 | for (int i = 0; i < iovcnt; i++) { |
856 | memcpy(buf + offset, iov[i].iov_base, iov[i].iov_len); |
857 | offset += iov[i].iov_len; |
858 | } |
859 | return connTLSWrite(conn_, buf, iov_bytes_len); |
860 | } |
861 | |
862 | static int connTLSRead(connection *conn_, void *buf, size_t buf_len) { |
863 | tls_connection *conn = (tls_connection *) conn_; |
864 | int ret; |
865 | int ssl_err; |
866 | |
867 | if (conn->c.state != CONN_STATE_CONNECTED) return -1; |
868 | ERR_clear_error(); |
869 | ret = SSL_read(conn->ssl, buf, buf_len); |
870 | /* If system call was interrupted, there's no need to go through the full |
871 | * OpenSSL error handling and just report this for the caller to retry the |
872 | * operation. |
873 | */ |
874 | if (errno == EINTR) { |
875 | conn->c.last_errno = EINTR; |
876 | return -1; |
877 | } |
878 | if (ret <= 0) { |
879 | WantIOType want = 0; |
880 | if (!(ssl_err = handleSSLReturnCode(conn, ret, &want))) { |
881 | if (want == WANT_WRITE) conn->flags |= TLS_CONN_FLAG_READ_WANT_WRITE; |
882 | updateSSLEvent(conn); |
883 | |
884 | errno = EAGAIN; |
885 | return -1; |
886 | } else { |
887 | if (ssl_err == SSL_ERROR_ZERO_RETURN || |
888 | ((ssl_err == SSL_ERROR_SYSCALL) && !errno)) { |
889 | conn->c.state = CONN_STATE_CLOSED; |
890 | return 0; |
891 | } else { |
892 | conn->c.state = CONN_STATE_ERROR; |
893 | return -1; |
894 | } |
895 | } |
896 | } |
897 | |
898 | return ret; |
899 | } |
900 | |
901 | static const char *connTLSGetLastError(connection *conn_) { |
902 | tls_connection *conn = (tls_connection *) conn_; |
903 | |
904 | if (conn->ssl_error) return conn->ssl_error; |
905 | return NULL; |
906 | } |
907 | |
908 | int connTLSSetWriteHandler(connection *conn, ConnectionCallbackFunc func, int barrier) { |
909 | conn->write_handler = func; |
910 | if (barrier) |
911 | conn->flags |= CONN_FLAG_WRITE_BARRIER; |
912 | else |
913 | conn->flags &= ~CONN_FLAG_WRITE_BARRIER; |
914 | updateSSLEvent((tls_connection *) conn); |
915 | return C_OK; |
916 | } |
917 | |
918 | int connTLSSetReadHandler(connection *conn, ConnectionCallbackFunc func) { |
919 | conn->read_handler = func; |
920 | updateSSLEvent((tls_connection *) conn); |
921 | return C_OK; |
922 | } |
923 | |
924 | static void setBlockingTimeout(tls_connection *conn, long long timeout) { |
925 | anetBlock(NULL, conn->c.fd); |
926 | anetSendTimeout(NULL, conn->c.fd, timeout); |
927 | anetRecvTimeout(NULL, conn->c.fd, timeout); |
928 | } |
929 | |
930 | static void unsetBlockingTimeout(tls_connection *conn) { |
931 | anetNonBlock(NULL, conn->c.fd); |
932 | anetSendTimeout(NULL, conn->c.fd, 0); |
933 | anetRecvTimeout(NULL, conn->c.fd, 0); |
934 | } |
935 | |
936 | static int connTLSBlockingConnect(connection *conn_, const char *addr, int port, long long timeout) { |
937 | tls_connection *conn = (tls_connection *) conn_; |
938 | int ret; |
939 | |
940 | if (conn->c.state != CONN_STATE_NONE) return C_ERR; |
941 | |
942 | /* Initiate socket blocking connect first */ |
943 | if (CT_Socket.blocking_connect(conn_, addr, port, timeout) == C_ERR) return C_ERR; |
944 | |
945 | /* Initiate TLS connection now. We set up a send/recv timeout on the socket, |
946 | * which means the specified timeout will not be enforced accurately. */ |
947 | SSL_set_fd(conn->ssl, conn->c.fd); |
948 | setBlockingTimeout(conn, timeout); |
949 | |
950 | if ((ret = SSL_connect(conn->ssl)) <= 0) { |
951 | conn->c.state = CONN_STATE_ERROR; |
952 | return C_ERR; |
953 | } |
954 | unsetBlockingTimeout(conn); |
955 | |
956 | conn->c.state = CONN_STATE_CONNECTED; |
957 | return C_OK; |
958 | } |
959 | |
960 | static ssize_t connTLSSyncWrite(connection *conn_, char *ptr, ssize_t size, long long timeout) { |
961 | tls_connection *conn = (tls_connection *) conn_; |
962 | |
963 | setBlockingTimeout(conn, timeout); |
964 | SSL_clear_mode(conn->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); |
965 | int ret = SSL_write(conn->ssl, ptr, size); |
966 | SSL_set_mode(conn->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); |
967 | unsetBlockingTimeout(conn); |
968 | |
969 | return ret; |
970 | } |
971 | |
972 | static ssize_t connTLSSyncRead(connection *conn_, char *ptr, ssize_t size, long long timeout) { |
973 | tls_connection *conn = (tls_connection *) conn_; |
974 | |
975 | setBlockingTimeout(conn, timeout); |
976 | int ret = SSL_read(conn->ssl, ptr, size); |
977 | unsetBlockingTimeout(conn); |
978 | |
979 | return ret; |
980 | } |
981 | |
982 | static ssize_t connTLSSyncReadLine(connection *conn_, char *ptr, ssize_t size, long long timeout) { |
983 | tls_connection *conn = (tls_connection *) conn_; |
984 | ssize_t nread = 0; |
985 | |
986 | setBlockingTimeout(conn, timeout); |
987 | |
988 | size--; |
989 | while(size) { |
990 | char c; |
991 | |
992 | if (SSL_read(conn->ssl,&c,1) <= 0) { |
993 | nread = -1; |
994 | goto exit; |
995 | } |
996 | if (c == '\n') { |
997 | *ptr = '\0'; |
998 | if (nread && *(ptr-1) == '\r') *(ptr-1) = '\0'; |
999 | goto exit; |
1000 | } else { |
1001 | *ptr++ = c; |
1002 | *ptr = '\0'; |
1003 | nread++; |
1004 | } |
1005 | size--; |
1006 | } |
1007 | exit: |
1008 | unsetBlockingTimeout(conn); |
1009 | return nread; |
1010 | } |
1011 | |
1012 | static int connTLSGetType(connection *conn_) { |
1013 | (void) conn_; |
1014 | |
1015 | return CONN_TYPE_TLS; |
1016 | } |
1017 | |
1018 | ConnectionType CT_TLS = { |
1019 | .ae_handler = tlsEventHandler, |
1020 | .accept = connTLSAccept, |
1021 | .connect = connTLSConnect, |
1022 | .blocking_connect = connTLSBlockingConnect, |
1023 | .read = connTLSRead, |
1024 | .write = connTLSWrite, |
1025 | .writev = connTLSWritev, |
1026 | .close = connTLSClose, |
1027 | .set_write_handler = connTLSSetWriteHandler, |
1028 | .set_read_handler = connTLSSetReadHandler, |
1029 | .get_last_error = connTLSGetLastError, |
1030 | .sync_write = connTLSSyncWrite, |
1031 | .sync_read = connTLSSyncRead, |
1032 | .sync_readline = connTLSSyncReadLine, |
1033 | .get_type = connTLSGetType |
1034 | }; |
1035 | |
1036 | int tlsHasPendingData() { |
1037 | if (!pending_list) |
1038 | return 0; |
1039 | return listLength(pending_list) > 0; |
1040 | } |
1041 | |
1042 | int tlsProcessPendingData() { |
1043 | listIter li; |
1044 | listNode *ln; |
1045 | |
1046 | int processed = listLength(pending_list); |
1047 | listRewind(pending_list,&li); |
1048 | while((ln = listNext(&li))) { |
1049 | tls_connection *conn = listNodeValue(ln); |
1050 | tlsHandleEvent(conn, AE_READABLE); |
1051 | } |
1052 | return processed; |
1053 | } |
1054 | |
1055 | /* Fetch the peer certificate used for authentication on the specified |
1056 | * connection and return it as a PEM-encoded sds. |
1057 | */ |
1058 | sds connTLSGetPeerCert(connection *conn_) { |
1059 | tls_connection *conn = (tls_connection *) conn_; |
1060 | if (conn_->type->get_type(conn_) != CONN_TYPE_TLS || !conn->ssl) return NULL; |
1061 | |
1062 | X509 *cert = SSL_get_peer_certificate(conn->ssl); |
1063 | if (!cert) return NULL; |
1064 | |
1065 | BIO *bio = BIO_new(BIO_s_mem()); |
1066 | if (bio == NULL || !PEM_write_bio_X509(bio, cert)) { |
1067 | if (bio != NULL) BIO_free(bio); |
1068 | return NULL; |
1069 | } |
1070 | |
1071 | const char *bio_ptr; |
1072 | long long bio_len = BIO_get_mem_data(bio, &bio_ptr); |
1073 | sds cert_pem = sdsnewlen(bio_ptr, bio_len); |
1074 | BIO_free(bio); |
1075 | |
1076 | return cert_pem; |
1077 | } |
1078 | |
1079 | #else /* USE_OPENSSL */ |
1080 | |
1081 | void tlsInit(void) { |
1082 | } |
1083 | |
1084 | void tlsCleanup(void) { |
1085 | } |
1086 | |
1087 | int tlsConfigure(redisTLSContextConfig *ctx_config) { |
1088 | UNUSED(ctx_config); |
1089 | return C_OK; |
1090 | } |
1091 | |
1092 | connection *connCreateTLS(void) { |
1093 | return NULL; |
1094 | } |
1095 | |
1096 | connection *connCreateAcceptedTLS(int fd, int require_auth) { |
1097 | UNUSED(fd); |
1098 | UNUSED(require_auth); |
1099 | |
1100 | return NULL; |
1101 | } |
1102 | |
1103 | int tlsHasPendingData() { |
1104 | return 0; |
1105 | } |
1106 | |
1107 | int tlsProcessPendingData() { |
1108 | return 0; |
1109 | } |
1110 | |
1111 | sds connTLSGetPeerCert(connection *conn_) { |
1112 | (void) conn_; |
1113 | return NULL; |
1114 | } |
1115 | |
1116 | #endif |
1117 | |