Merge branch 'master' of ssh://git.indexdata.com/home/git/pub/yaz

[yaz-moved-to-github.git] / src / tcpip.c

diff --git a/src/tcpip.c b/src/tcpip.c
index 310c6a1..11b676c 100644 (file)
--- a/src/tcpip.c
+++ b/src/tcpip.c
@@ -9,6 +9,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <assert.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -24,7 +25,6 @@
 #endif
 
 #ifdef WIN32
-
 /* VS 2003 or later has getaddrinfo; older versions do not */
 #include <winsock2.h>
 #if _MSC_VER >= 1300
@@ -33,14 +33,20 @@
 #else
 #define HAVE_GETADDRINFO 0
 #endif
+#endif
 
-#else
+#if HAVE_NETINET_IN_H
 #include <netinet/in.h>
+#endif
+#if HAVE_NETDB_H
 #include <netdb.h>
+#endif
+#if HAVE_ARPA_INET_H
 #include <arpa/inet.h>
+#endif
+#if HAVE_NETINET_TCP_H
 #include <netinet/tcp.h>
 #endif
-
 #if HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
@@ -51,12 +57,7 @@
 #if HAVE_GNUTLS_H
 #include <gnutls/x509.h>
 #include <gnutls/gnutls.h>
-#define ENABLE_SSL 2
-
-#if ENABLE_SSL == 1
-#include <gnutls/openssl.h>
-#endif
-
+#define ENABLE_SSL 1
 #endif
 
 #if HAVE_OPENSSL_SSL_H
@@ -102,6 +103,13 @@ static void *tcpip_straddr(COMSTACK h, const char *str);
 #define YAZ_SOCKLEN_T int
 #endif
 
+#if HAVE_GNUTLS_H
+struct tcpip_cred_ptr {
+    gnutls_certificate_credentials_t xcred;
+    int ref;
+};
+
+#endif
 /* this state is used for both SSL and straight TCP/IP */
 typedef struct tcpip_state
 {
@@ -118,11 +126,11 @@ typedef struct tcpip_state
     struct sockaddr_in addr;  /* returned by cs_straddr */
 #endif
     char buf[128]; /* returned by cs_addrstr */
-#if ENABLE_SSL == 2
-    gnutls_certificate_credentials_t xcred;
+#if HAVE_GNUTLS_H
+    struct tcpip_cred_ptr *cred_ptr;
     gnutls_session_t session;
     char cert_fname[256];
-#elif ENABLE_SSL == 1
+#elif HAVE_OPENSSL_SSL_H
     SSL_CTX *ctx;       /* current CTX. */
     SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */
     SSL *ssl;
@@ -201,10 +209,11 @@ COMSTACK tcpip_type(int s, int flags, int protocol, void *vp)
     p->stackerr = 0;
     p->user = 0;
 
-#if ENABLE_SSL == 2
-    sp->xcred = 0;
+#if HAVE_GNUTLS_H
+    sp->cred_ptr = 0;
     sp->session = 0;
-#elif ENABLE_SSL == 1
+    strcpy(sp->cert_fname, "yaz.pem");
+#elif HAVE_OPENSSL_SSL_H
     sp->ctx = sp->ctx_alloc = 0;
     sp->ssl = 0;
     strcpy(sp->cert_fname, "yaz.pem");
@@ -252,6 +261,16 @@ COMSTACK yaz_tcpip_create(int s, int flags, int protocol,
     return p;
 }
 
+#if HAVE_GNUTLS_H
+static void tcpip_create_cred(COMSTACK cs)
+{
+    tcpip_state *sp = (tcpip_state *) cs->cprivate;
+    sp->cred_ptr = (struct tcpip_cred_ptr *) xmalloc(sizeof(*sp->cred_ptr));
+    sp->cred_ptr->ref = 1;
+    gnutls_certificate_allocate_credentials(&sp->cred_ptr->xcred);
+}
+
+#endif
 
 COMSTACK ssl_type(int s, int flags, int protocol, void *vp)
 {
@@ -269,9 +288,9 @@ COMSTACK ssl_type(int s, int flags, int protocol, void *vp)
     p->type = ssl_type;
     sp = (tcpip_state *) p->cprivate;
 
-#if ENABLE_SSL == 2
+#if HAVE_GNUTLS_H
     sp->session = (gnutls_session_t) vp;
-#else
+#elif HAVE_OPENSSL_SSL_H
     sp->ctx = (SSL_CTX *) vp;  /* may be NULL */
 #endif
     /* note: we don't handle already opened socket in SSL mode - yet */
@@ -297,12 +316,11 @@ static int ssl_check_error(COMSTACK h, tcpip_state *sp, int res)
         h->io_pending = CS_WANT_WRITE;
         return 1;
     }
-#else
-#if ENABLE_SSL == 2
-    fprintf(stderr, "ssl_check_error error=%d fatal=%d msg=%s\n",
-            res,
-            gnutls_error_is_fatal(res),
-            gnutls_strerror(res));
+#elif HAVE_GNUTLS_H
+    TRC(fprintf(stderr, "ssl_check_error error=%d fatal=%d msg=%s\n",
+                res,
+                gnutls_error_is_fatal(res),
+                gnutls_strerror(res)));
     if (res == GNUTLS_E_AGAIN || res == GNUTLS_E_INTERRUPTED)
     {
         int dir = gnutls_record_get_direction(sp->session);
@@ -310,20 +328,6 @@ static int ssl_check_error(COMSTACK h, tcpip_state *sp, int res)
         h->io_pending = dir ? CS_WANT_WRITE : CS_WANT_READ;
         return 1;
     }
-#else
-    int tls_error = sp->ssl->last_error;
-    TRC(fprintf(stderr, "ssl_check_error error=%d fatal=%d msg=%s\n",
-                sp->ssl->last_error,
-                gnutls_error_is_fatal(tls_error),
-                gnutls_strerror(tls_error)));
-    if (tls_error == GNUTLS_E_AGAIN || tls_error == GNUTLS_E_INTERRUPTED)
-    {
-        int dir = gnutls_record_get_direction(sp->ssl->gnutls_state);
-        TRC(fprintf(stderr, " -> incomplete dir=%d\n", dir));
-        h->io_pending = dir ? CS_WANT_WRITE : CS_WANT_READ;
-        return 1;
-    }
-#endif
 #endif
     h->cerrno = CSERRORSSL;
     return 0;
@@ -414,8 +418,27 @@ int tcpip_strtoaddr_ex(const char *str, struct sockaddr_in *add,
     return 1;
 }
 
-
 #if HAVE_GETADDRINFO
+/** \brief Creates socket using particular address family (AF_)
+    \param ai getaddrinfo result
+    \param mask family mask
+    \returns socket or -1 if none could be created
+
+*/
+static int create_socket_family(struct addrinfo *ai, unsigned mask)
+{
+    for (; ai; ai = ai->ai_next)
+    {
+        if ((ai->ai_family & mask) == mask)
+        {
+            int s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+            if (s != -1)
+                return s;
+        }
+    }
+    return -1;
+}
+
 void *tcpip_straddr(COMSTACK h, const char *str)
 {
     tcpip_state *sp = (tcpip_state *)h->cprivate;
@@ -430,14 +453,13 @@ void *tcpip_straddr(COMSTACK h, const char *str)
     sp->ai = tcpip_getaddrinfo(str, port);
     if (sp->ai && h->state == CS_ST_UNBND)
     {
-        int s = -1;
-        struct addrinfo *ai = sp->ai;
-        for (; ai; ai = ai->ai_next)
-        {
-            s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-            if (s != -1)
-                break;
-        }
+        /* The getaddrinfo call may return multiple addresses when passive
+           flags are used (AI_PASSIVE). This function picks the IPV6 if a
+           socket can be created for it. Otherwise IPV4 is used.
+           See also bug #2350 */
+        int s = create_socket_family(sp->ai, AF_INET6);
+        if (s == -1)
+            s = create_socket_family(sp->ai, AF_INET);
         if (s == -1)
             return 0;
         h->iofile = s;
@@ -581,7 +603,6 @@ int tcpip_rcvconnect(COMSTACK h)
 {
 #if ENABLE_SSL
     tcpip_state *sp = (tcpip_state *)h->cprivate;
-    int res;
 #endif
     TRC(fprintf(stderr, "tcpip_rcvconnect\n"));
 
@@ -592,26 +613,30 @@ int tcpip_rcvconnect(COMSTACK h)
         h->cerrno = CSOUTSTATE;
         return -1;
     }
-#if ENABLE_SSL == 2
-    gnutls_global_init();
-
-    gnutls_certificate_allocate_credentials(&sp->xcred);
-    gnutls_init(&sp->session,  GNUTLS_CLIENT);
-    gnutls_priority_set_direct(sp->session, 
-                               "PERFORMANCE", NULL);
-
-    gnutls_credentials_set (sp->session, GNUTLS_CRD_CERTIFICATE, sp->xcred);
-
-    gnutls_transport_set_ptr(sp->session, (gnutls_transport_ptr_t) h->iofile);
-
-    res = gnutls_handshake(sp->session);
-    if (res < 0)
+#if HAVE_GNUTLS_H
+    if (h->type == ssl_type && !sp->session)
     {
-        if (ssl_check_error(h, sp, res))
-            return 1;
-        return -1;
+        int res;
+        gnutls_global_init();
+        
+        tcpip_create_cred(h);
+
+        gnutls_init(&sp->session, GNUTLS_CLIENT);
+        gnutls_set_default_priority(sp->session);
+        gnutls_credentials_set (sp->session, GNUTLS_CRD_CERTIFICATE,
+                                sp->cred_ptr->xcred);
+        
+        gnutls_transport_set_ptr(sp->session, (gnutls_transport_ptr_t) h->iofile);
+        
+        res = gnutls_handshake(sp->session);
+        if (res < 0)
+        {
+            if (ssl_check_error(h, sp, res))
+                return 1;
+            return -1;
+        }
     }
-#elif ENABLE_SSL == 1
+#elif HAVE_OPENSSL_SSL_H
     if (h->type == ssl_type && !sp->ctx)
     {
         SSL_library_init();
@@ -693,9 +718,25 @@ static int tcpip_bind(COMSTACK h, void *address, int mode)
     }
 #endif
 
-#if ENABLE_SSL == 2
-    exit(9);
-#elif ENABLE_SSL == 1
+#if HAVE_GNUTLS_H
+    if (h->type == ssl_type && !sp->session)
+    {
+        int res;
+        gnutls_global_init();
+
+        tcpip_create_cred(h);
+
+        res = gnutls_certificate_set_x509_key_file(sp->cred_ptr->xcred, 
+                                                   sp->cert_fname,
+                                                   sp->cert_fname,
+                                                   GNUTLS_X509_FMT_PEM);
+        if (res != GNUTLS_E_SUCCESS)
+        {
+            h->cerrno = CSERRORSSL;
+            return -1;
+        }
+    }
+#elif HAVE_OPENSSL_SSL_H
     if (h->type == ssl_type && !sp->ctx)
     {
         SSL_library_init();
@@ -717,34 +758,22 @@ static int tcpip_bind(COMSTACK h, void *address, int mode)
                                                SSL_FILETYPE_PEM);
             if (res <= 0)
             {
-#if HAVE_OPENSSL_SSL_H
                 ERR_print_errors_fp(stderr);
-#else
-                fprintf(stderr, " SSL_CTX_use_certificate_file %s failed\n",
-                        sp->cert_fname);
-#endif
                 exit(2);
             }
             res = SSL_CTX_use_PrivateKey_file(sp->ctx, sp->cert_fname,
                                                SSL_FILETYPE_PEM);
             if (res <= 0)
             {
-#if HAVE_OPENSSL_SSL_H
                 ERR_print_errors_fp(stderr);
-#else
-                fprintf(stderr, " SSL_CTX_use_certificate_file %s failed\n",
-                        sp->cert_fname);
-#endif
                 exit(3);
             }
-#if HAVE_OPENSSL_SSL_H
             res = SSL_CTX_check_private_key(sp->ctx);
             if (res <= 0)
             {
                 ERR_print_errors_fp(stderr);
                 exit(5);
             }
-#endif
         }
         TRC(fprintf(stderr, "ssl_bind\n"));
     }
@@ -852,14 +881,14 @@ int tcpip_listen(COMSTACK h, char *raddr, int *addrlen,
 COMSTACK tcpip_accept(COMSTACK h)
 {
     COMSTACK cnew;
-    tcpip_state *state, *st = (tcpip_state *)h->cprivate;
 #ifdef WIN32
     unsigned long tru = 1;
 #endif
 
-    TRC(fprintf(stderr, "tcpip_accept\n"));
+    TRC(fprintf(stderr, "tcpip_accept h=%p pid=%d\n", h, getpid()));
     if (h->state == CS_ST_INCON)
     {
+        tcpip_state *state, *st = (tcpip_state *)h->cprivate;
         if (!(cnew = (COMSTACK)xmalloc(sizeof(*cnew))))
         {
             h->cerrno = CSYSERR;
@@ -874,6 +903,7 @@ COMSTACK tcpip_accept(COMSTACK h)
         memcpy(cnew, h, sizeof(*h));
         cnew->iofile = h->newfd;
         cnew->io_pending = 0;
+
         if (!(state = (tcpip_state *)
               (cnew->cprivate = xmalloc(sizeof(tcpip_state)))))
         {
@@ -916,9 +946,41 @@ COMSTACK tcpip_accept(COMSTACK h)
         cnew->state = CS_ST_ACCEPT;
         h->state = CS_ST_IDLE;
         
-#if ENABLE_SSL == 2
-        exit(9);
-#elif ENABLE_SSL == 1
+#if HAVE_GNUTLS_H
+        state->cred_ptr = st->cred_ptr;
+        state->session = 0;
+        if (st->cred_ptr)
+        {
+            int res;
+
+            (state->cred_ptr->ref)++;
+            gnutls_init(&state->session, GNUTLS_SERVER);
+            if (!state->session)
+            {
+                xfree(cnew);
+                xfree(state);
+                return 0;
+            }
+            res = gnutls_set_default_priority(state->session);
+            if (res != GNUTLS_E_SUCCESS)
+            {
+                xfree(cnew);
+                xfree(state);
+                return 0;
+            }
+            res = gnutls_credentials_set(state->session,
+                                         GNUTLS_CRD_CERTIFICATE, 
+                                         st->cred_ptr->xcred);
+            if (res != GNUTLS_E_SUCCESS)
+            {
+                xfree(cnew);
+                xfree(state);
+                return 0;
+            }
+            gnutls_transport_set_ptr(state->session, 
+                                     (gnutls_transport_ptr_t) cnew->iofile);
+        }
+#elif HAVE_OPENSSL_SSL_H
         state->ctx = st->ctx;
         state->ctx_alloc = 0;
         state->ssl = st->ssl;
@@ -934,10 +996,25 @@ COMSTACK tcpip_accept(COMSTACK h)
     }
     if (h->state == CS_ST_ACCEPT)
     {
-
-#if ENABLE_SSL == 2
-        exit(9);
-#elif ENABLE_SSL == 1
+#if HAVE_GNUTLS_H
+        tcpip_state *state = (tcpip_state *)h->cprivate;
+        if (state->session)
+        {
+            int res = gnutls_handshake(state->session);
+            if (res < 0)
+            {
+                if (ssl_check_error(h, state, res))
+                {
+                    TRC(fprintf(stderr, "gnutls_handshake int in tcpip_accept\n"));
+                    return h;
+                }
+                TRC(fprintf(stderr, "gnutls_handshake failed in tcpip_accept\n"));
+                cs_close(h);
+                return 0;
+            }
+            TRC(fprintf(stderr, "SSL_accept complete. gnutls\n"));
+        }
+#elif HAVE_OPENSSL_SSL_H
         tcpip_state *state = (tcpip_state *)h->cprivate;
         if (state->ctx)
         {
@@ -1138,7 +1215,7 @@ int ssl_get(COMSTACK h, char **buf, int *bufsize)
         else if (*bufsize - hasread < CS_TCPIP_BUFCHUNK)
             if (!(*buf =(char *)xrealloc(*buf, *bufsize *= 2)))
                 return -1;
-#if ENABLE_SSL == 2
+#if HAVE_GNUTLS_H
         res = gnutls_record_recv(sp->session, *buf + hasread,
                                  CS_TCPIP_BUFCHUNK);
         if (res < 0)
@@ -1280,7 +1357,7 @@ int ssl_put(COMSTACK h, char *buf, int size)
     }
     while (state->towrite > state->written)
     {
-#if ENABLE_SSL == 2
+#if HAVE_GNUTLS_H
         res = gnutls_record_send(state->session, buf + state->written, 
                                  size - state->written);
         if (res <= 0)
@@ -1289,7 +1366,7 @@ int ssl_put(COMSTACK h, char *buf, int size)
                 return 1;
             return -1;
         }
-#elif  ENABLE_SSL == 1
+#else
         res = SSL_write(state->ssl, buf + state->written, 
                         size - state->written);
         if (res <= 0)
@@ -1313,13 +1390,13 @@ int tcpip_close(COMSTACK h)
 {
     tcpip_state *sp = (struct tcpip_state *)h->cprivate;
 
-    TRC(fprintf(stderr, "tcpip_close\n"));
+    TRC(fprintf(stderr, "tcpip_close h=%p pid=%d\n", h, getpid()));
     if (h->iofile != -1)
     {
-#if ENABLE_SSL == 2
+#if HAVE_GNUTLS_H
         if (sp->session)
             gnutls_bye(sp->session, GNUTLS_SHUT_RDWR);
-#elif ENABLE_SSL == 2
+#elif HAVE_OPENSSL_SSL_H
         if (sp->ssl)
         {
             SSL_shutdown(sp->ssl);
@@ -1333,13 +1410,25 @@ int tcpip_close(COMSTACK h)
     }
     if (sp->altbuf)
         xfree(sp->altbuf);
-#if ENABLE_SSL == 2
+#if HAVE_GNUTLS_H
     if (sp->session)
     {
         gnutls_deinit(sp->session);
-        gnutls_certificate_free_credentials(sp->xcred);
     }
-#elif ENABLE_SSL == 1
+    if (sp->cred_ptr)
+    {
+        assert(sp->cred_ptr->ref > 0);
+
+        if (--(sp->cred_ptr->ref) == 0)
+        {
+            TRC(fprintf(stderr, "Removed credentials %p pid=%d\n", 
+                        sp->cred_ptr->xcred, getpid()));
+            gnutls_certificate_free_credentials(sp->cred_ptr->xcred);
+            xfree(sp->cred_ptr);
+        }
+        sp->cred_ptr = 0;
+    }
+#elif HAVE_OPENSSL_SSL_H
     if (sp->ssl)
     {
         TRC(fprintf(stderr, "SSL_free\n"));
@@ -1410,7 +1499,7 @@ char *tcpip_addrstr(COMSTACK h)
         sprintf(buf, "http:%s", r);
     else
         sprintf(buf, "tcp:%s", r);
-#if ENABLE_SSL == 2
+#if HAVE_GNUTLS_H
     if (sp->session)
     {
         if (h->protocol == PROTO_HTTP)
@@ -1418,7 +1507,7 @@ char *tcpip_addrstr(COMSTACK h)
         else
             sprintf(buf, "ssl:%s", r);
     }
-#elif ENABLE_SSL == 1
+#elif HAVE_OPENSSL_SSL_H
     if (sp->ctx)
     {
         if (h->protocol == PROTO_HTTP)
@@ -1430,7 +1519,7 @@ char *tcpip_addrstr(COMSTACK h)
     return buf;
 }
 
-int static tcpip_set_blocking(COMSTACK p, int flags)
+static int tcpip_set_blocking(COMSTACK p, int flags)
 {
     unsigned long flag;
     
@@ -1457,7 +1546,6 @@ int static tcpip_set_blocking(COMSTACK p, int flags)
 void cs_print_session_info(COMSTACK cs)
 {
 #if HAVE_GNUTLS_H
-#if ENABLE_SSL == 2
     struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
     if (sp->session)
     {
@@ -1465,19 +1553,7 @@ void cs_print_session_info(COMSTACK cs)
             return;
         printf("X509 certificate\n");
     }
-#else
-    struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
-    SSL *ssl = (SSL *) sp->ssl;
-    if (ssl)
-    {
-        gnutls_session_t session = ssl->gnutls_state;
-        if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
-            return;
-        printf("X509 certificate\n");
-    }
-#endif
-#endif
-#if HAVE_OPENSSL_SSL_H
+#elif HAVE_OPENSSL_SSL_H
     struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
     SSL *ssl = (SSL *) sp->ssl;
     if (ssl)
@@ -1518,23 +1594,27 @@ void *cs_get_ssl(COMSTACK cs)
 #endif
 }
 
-#if ENABLE_SSL
 int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
 {
+#if ENABLE_SSL
     struct tcpip_state *sp;
     if (!cs || cs->type != ssl_type)
         return 0;
     sp = (struct tcpip_state *) cs->cprivate;
-#if ENABLE_SSL == 1
+#if HAVE_OPENSSL_SSL_H
     if (sp->ctx_alloc)
         return 0;
     sp->ctx = (SSL_CTX *) ctx;
 #endif
     return 1;
+#else
+    return 0;
+#endif
 }
 
 int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname)
 {
+#if ENABLE_SSL
     struct tcpip_state *sp;
     if (!cs || cs->type != ssl_type)
         return 0;
@@ -1542,15 +1622,17 @@ int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname)
     strncpy(sp->cert_fname, fname, sizeof(sp->cert_fname)-1);
     sp->cert_fname[sizeof(sp->cert_fname)-1] = '\0';
     return 1;
+#else
+    return 0;
+#endif
 }
 
 int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
 {
-#if ENABLE_SSL == 1
+#if HAVE_OPENSSL_SSL_H
     SSL *ssl = (SSL *) cs_get_ssl(cs);
     if (ssl)
     {
-#if HAVE_OPENSSL_SSL_H
         X509 *server_cert = SSL_get_peer_certificate(ssl);
         if (server_cert)
         {
@@ -1566,26 +1648,8 @@ int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
         }
     }
 #endif
-#endif
     return 0;
 }
-#else
-int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
-{
-    return 0;
-}
-
-int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
-{
-    return 0;
-}
-
-int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname)
-{
-    return 0;
-}
-#endif
-
 
 static int tcpip_put_connect(COMSTACK h, char *buf, int size)
 {