X-Git-Url: http://git.indexdata.com/?p=yaz-moved-to-github.git;a=blobdiff_plain;f=src%2Ftcpip.c;h=e712c0ef7bbf107e76e8a6ca33b862ff3c0bc65e;hp=986abc926f1a7ac2d97edd490aa5ef136f748d54;hb=d7971954990c423d60a52030f5dfa78d32003486;hpb=b3f7c70decd161e3aa6ad25d08db436662e32624 diff --git a/src/tcpip.c b/src/tcpip.c index 986abc9..e712c0e 100644 --- a/src/tcpip.c +++ b/src/tcpip.c @@ -1,5 +1,5 @@ /* This file is part of the YAZ toolkit. - * Copyright (C) 1995-2012 Index Data + * Copyright (C) 1995-2013 Index Data * See the file LICENSE for details. */ /** @@ -238,7 +238,7 @@ COMSTACK tcpip_type(int s, int flags, int protocol, void *vp) sp->connect_response_len = 0; p->timeout = COMSTACK_DEFAULT_TIMEOUT; - TRC(fprintf(stderr, "Created new TCPIP comstack\n")); + TRC(fprintf(stderr, "Created new TCPIP comstack h=%p\n", p)); return p; } @@ -338,7 +338,8 @@ static int ssl_check_error(COMSTACK h, tcpip_state *sp, int res) #if HAVE_GETADDRINFO /* resolve using getaddrinfo */ -struct addrinfo *tcpip_getaddrinfo(const char *str, const char *port) +struct addrinfo *tcpip_getaddrinfo(const char *str, const char *port, + int *ipv6_only) { struct addrinfo hints, *res; int error; @@ -366,18 +367,28 @@ struct addrinfo *tcpip_getaddrinfo(const char *str, const char *port) if (!strcmp("@", host)) { hints.ai_flags = AI_PASSIVE; + hints.ai_family = AF_UNSPEC; + error = getaddrinfo(0, port, &hints, &res); + *ipv6_only = 0; + } + else if (!strcmp("@4", host)) + { + hints.ai_flags = AI_PASSIVE; hints.ai_family = AF_INET; error = getaddrinfo(0, port, &hints, &res); + *ipv6_only = -1; } else if (!strcmp("@6", host)) { hints.ai_flags = AI_PASSIVE; hints.ai_family = AF_INET6; error = getaddrinfo(0, port, &hints, &res); + *ipv6_only = 1; } else { error = getaddrinfo(host, port, &hints, &res); + *ipv6_only = -1; } if (error) return 0; @@ -433,6 +444,7 @@ void *tcpip_straddr(COMSTACK h, const char *str) tcpip_state *sp = (tcpip_state *)h->cprivate; const char *port = "210"; struct addrinfo *ai = 0; + int ipv6_only = 0; if (h->protocol == PROTO_HTTP) { if (h->type == ssl_type) @@ -445,21 +457,37 @@ void *tcpip_straddr(COMSTACK h, const char *str) if (sp->ai) freeaddrinfo(sp->ai); - sp->ai = tcpip_getaddrinfo(str, port); + sp->ai = tcpip_getaddrinfo(str, port, &ipv6_only); if (sp->ai && h->state == CS_ST_UNBND) { int s = -1; for (ai = sp->ai; ai; ai = ai->ai_next) { - s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); - if (s != -1) - break; + if (ai->ai_family == AF_INET6) + { + s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (s != -1) + break; + } + } + if (s == -1) + { + for (ai = sp->ai; ai; ai = ai->ai_next) + { + s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (s != -1) + break; + } } if (s == -1) return 0; assert(ai); h->iofile = s; - + if (ai->ai_family == AF_INET6 && ipv6_only >= 0 && + setsockopt(h->iofile, + IPPROTO_IPV6, + IPV6_V6ONLY, &ipv6_only, sizeof(ipv6_only))) + return 0; if (!tcpip_set_blocking(h, h->flags)) return 0; } @@ -500,7 +528,7 @@ void *tcpip_straddr(COMSTACK h, const char *str) int tcpip_more(COMSTACK h) { tcpip_state *sp = (tcpip_state *)h->cprivate; - + return sp->altlen && (*sp->complete)(sp->altbuf, sp->altlen); } @@ -518,7 +546,7 @@ int tcpip_connect(COMSTACK h, void *address) struct sockaddr_in *add = (struct sockaddr_in *) address; #endif int r; - TRC(fprintf(stderr, "tcpip_connect\n")); + TRC(fprintf(stderr, "tcpip_connect h=%p\n", h)); h->io_pending = 0; if (h->state != CS_ST_UNBND) { @@ -580,21 +608,20 @@ int tcpip_rcvconnect(COMSTACK h) #if HAVE_GNUTLS_H if (h->type == ssl_type && !sp->session) { - int res; gnutls_global_init(); - tcpip_create_cred(h); - gnutls_init(&sp->session, GNUTLS_CLIENT); gnutls_set_default_priority(sp->session); gnutls_credentials_set (sp->session, GNUTLS_CRD_CERTIFICATE, sp->cred_ptr->xcred); - /* cast to intermediate size_t to avoid GCC warning. */ - gnutls_transport_set_ptr(sp->session, - (gnutls_transport_ptr_t) + gnutls_transport_set_ptr(sp->session, + (gnutls_transport_ptr_t) (size_t) h->iofile); - res = gnutls_handshake(sp->session); + } + if (sp->session) + { + int res = gnutls_handshake(sp->session); if (res < 0) { if (ssl_check_error(h, sp, res)) @@ -645,8 +672,8 @@ static int tcpip_bind(COMSTACK h, void *address, int mode) { int r; tcpip_state *sp = (tcpip_state *)h->cprivate; -#if HAVE_GETADDRINFO - struct addrinfo *ai = (struct addrinfo *) address; +#if HAVE_GETADDRINFO + struct addrinfo *ai = (struct addrinfo *) address; #else struct sockaddr *addr = (struct sockaddr *)address; #endif @@ -664,7 +691,7 @@ static int tcpip_bind(COMSTACK h, void *address, int mode) tcpip_create_cred(h); - res = gnutls_certificate_set_x509_key_file(sp->cred_ptr->xcred, + res = gnutls_certificate_set_x509_key_file(sp->cred_ptr->xcred, sp->cert_fname, sp->cert_fname, GNUTLS_X509_FMT_PEM); @@ -723,7 +750,7 @@ static int tcpip_bind(COMSTACK h, void *address, int mode) TRC(fprintf(stderr, "tcpip_bind\n")); #endif #ifndef WIN32 - if (setsockopt(h->iofile, SOL_SOCKET, SO_REUSEADDR, (char*) + if (setsockopt(h->iofile, SOL_SOCKET, SO_REUSEADDR, (char*) &one, sizeof(one)) < 0) { h->cerrno = CSYSERR; @@ -781,7 +808,7 @@ int tcpip_listen(COMSTACK h, char *raddr, int *addrlen, #ifdef WIN32 WSAGetLastError() == WSAEWOULDBLOCK #else - yaz_errno() == EWOULDBLOCK + yaz_errno() == EWOULDBLOCK #ifdef EAGAIN #if EAGAIN != EWOULDBLOCK || yaz_errno() == EAGAIN @@ -894,7 +921,7 @@ COMSTACK tcpip_accept(COMSTACK h) #endif cnew->state = CS_ST_ACCEPT; h->state = CS_ST_IDLE; - + #if HAVE_GNUTLS_H state->cred_ptr = st->cred_ptr; state->session = 0; @@ -918,7 +945,7 @@ COMSTACK tcpip_accept(COMSTACK h) return 0; } res = gnutls_credentials_set(state->session, - GNUTLS_CRD_CERTIFICATE, + GNUTLS_CRD_CERTIFICATE, st->cred_ptr->xcred); if (res != GNUTLS_E_SUCCESS) { @@ -927,7 +954,7 @@ COMSTACK tcpip_accept(COMSTACK h) return 0; } /* cast to intermediate size_t to avoid GCC warning. */ - gnutls_transport_set_ptr(state->session, + gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t) (size_t) cnew->iofile); } @@ -1010,7 +1037,7 @@ int tcpip_get(COMSTACK h, char **buf, int *bufsize) int tmpi, berlen, rest, req, tomove; int hasread = 0, res; - TRC(fprintf(stderr, "tcpip_get: bufsize=%d\n", *bufsize)); + TRC(fprintf(stderr, "tcpip_get: h=%p bufsize=%d\n", h, *bufsize)); if (sp->altlen) /* switch buffers */ { TRC(fprintf(stderr, " %d bytes in altbuf (%p)\n", sp->altlen, @@ -1050,7 +1077,7 @@ int tcpip_get(COMSTACK h, char **buf, int *bufsize) TRC(fprintf(stderr, " recv res=%d, hasread=%d\n", res, hasread)); if (res < 0) { - TRC(fprintf(stderr, " recv errno=%d, (%s)\n", yaz_errno(), + TRC(fprintf(stderr, " recv errno=%d, (%s)\n", yaz_errno(), strerror(yaz_errno()))); #ifdef WIN32 if (WSAGetLastError() == WSAEWOULDBLOCK) @@ -1064,8 +1091,8 @@ int tcpip_get(COMSTACK h, char **buf, int *bufsize) return -1; } #else - if (yaz_errno() == EWOULDBLOCK -#ifdef EAGAIN + if (yaz_errno() == EWOULDBLOCK +#ifdef EAGAIN #if EAGAIN != EWOULDBLOCK || yaz_errno() == EAGAIN #endif @@ -1228,7 +1255,7 @@ int tcpip_put(COMSTACK h, char *buf, int size) int res; struct tcpip_state *state = (struct tcpip_state *)h->cprivate; - TRC(fprintf(stderr, "tcpip_put: size=%d\n", size)); + TRC(fprintf(stderr, "tcpip_put: h=%p size=%d\n", h, size)); h->io_pending = 0; h->event = CS_DATA; if (state->towrite < 0) @@ -1245,7 +1272,7 @@ int tcpip_put(COMSTACK h, char *buf, int size) { if ((res = send(h->iofile, buf + state->written, size - - state->written, + state->written, #ifdef MSG_NOSIGNAL MSG_NOSIGNAL #else @@ -1257,7 +1284,7 @@ int tcpip_put(COMSTACK h, char *buf, int size) #ifdef WIN32 WSAGetLastError() == WSAEWOULDBLOCK #else - yaz_errno() == EWOULDBLOCK + yaz_errno() == EWOULDBLOCK #ifdef EAGAIN #if EAGAIN != EWOULDBLOCK || yaz_errno() == EAGAIN @@ -1314,7 +1341,7 @@ int ssl_put(COMSTACK h, char *buf, int size) while (state->towrite > state->written) { #if HAVE_GNUTLS_H - res = gnutls_record_send(state->session, buf + state->written, + res = gnutls_record_send(state->session, buf + state->written, size - state->written); if (res <= 0) { @@ -1323,7 +1350,7 @@ int ssl_put(COMSTACK h, char *buf, int size) return -1; } #else - res = SSL_write(state->ssl, buf + state->written, + res = SSL_write(state->ssl, buf + state->written, size - state->written); if (res <= 0) { @@ -1346,12 +1373,12 @@ void tcpip_close(COMSTACK h) { tcpip_state *sp = (struct tcpip_state *)h->cprivate; - TRC(fprintf(stderr, "tcpip_close h=%p pid=%d\n", h, getpid())); + TRC(fprintf(stderr, "tcpip_close: h=%p pid=%d\n", h, getpid())); if (h->iofile != -1) { #if HAVE_GNUTLS_H if (sp->session) - gnutls_bye(sp->session, GNUTLS_SHUT_RDWR); + gnutls_bye(sp->session, GNUTLS_SHUT_WR); #elif HAVE_OPENSSL_SSL_H if (sp->ssl) { @@ -1377,7 +1404,7 @@ void tcpip_close(COMSTACK h) if (--(sp->cred_ptr->ref) == 0) { - TRC(fprintf(stderr, "Removed credentials %p pid=%d\n", + TRC(fprintf(stderr, "Removed credentials %p pid=%d\n", sp->cred_ptr->xcred, getpid())); gnutls_certificate_free_credentials(sp->cred_ptr->xcred); xfree(sp->cred_ptr); @@ -1413,27 +1440,27 @@ const char *tcpip_addrstr(COMSTACK h) char host[120]; struct sockaddr_storage addr; YAZ_SOCKLEN_T len = sizeof(addr); - + if (getpeername(h->iofile, (struct sockaddr *)&addr, &len) < 0) { h->cerrno = CSYSERR; return 0; } - if (getnameinfo((struct sockaddr *) &addr, len, host, sizeof(host)-1, - 0, 0, + if (getnameinfo((struct sockaddr *) &addr, len, host, sizeof(host)-1, + 0, 0, (h->flags & CS_FLAGS_NUMERICHOST) ? NI_NUMERICHOST : 0)) { r = "unknown"; } else r = host; - + #else struct sockaddr_in addr; YAZ_SOCKLEN_T len = sizeof(addr); struct hostent *host; - + if (getpeername(h->iofile, (struct sockaddr*) &addr, &len) < 0) { h->cerrno = CSYSERR; @@ -1447,7 +1474,7 @@ const char *tcpip_addrstr(COMSTACK h) r = (char*) host->h_name; } if (!r) - r = inet_ntoa(addr.sin_addr); + r = inet_ntoa(addr.sin_addr); #endif if (h->protocol == PROTO_HTTP) @@ -1477,7 +1504,7 @@ const char *tcpip_addrstr(COMSTACK h) static int tcpip_set_blocking(COMSTACK p, int flags) { unsigned long flag; - + #ifdef WIN32 flag = (flags & CS_FLAGS_BLOCKING) ? 0 : 1; if (ioctlsocket(p->iofile, FIONBIO, &flag) < 0) @@ -1498,39 +1525,140 @@ static int tcpip_set_blocking(COMSTACK p, int flags) return 1; } + +#if HAVE_GNUTLS_H +/* gnutls_x509_crt_print appeared in 1.7.6. Memory leaks were fixed in 1.7.9. + GNUTLS_CRT_PRINT_FULL appeared in 2.4.0. */ +#if GNUTLS_VERSION_NUMBER >= 0x020400 +#define USE_GNUTLS_X509_CRT_PRINT 1 +#else +#define USE_GNUTLS_X509_CRT_PRINT 0 +#endif + + +#if USE_GNUTLS_X509_CRT_PRINT +#else +static const char *bin2hex(const void *bin, size_t bin_size) +{ + static char printable[110]; + const unsigned char *_bin = bin; + char *print; + size_t i; + if (bin_size > 50) + bin_size = 50; + print = printable; + for (i = 0; i < bin_size; i++) + { + sprintf(print, "%.2x ", _bin[i]); + print += 2; + } + return printable; +} + +static void x509_crt_print(gnutls_x509_crt_t cert) +{ + time_t expiration_time, activation_time; + size_t size; + char serial[40]; + char dn[256]; + unsigned int algo, bits; + + expiration_time = gnutls_x509_crt_get_expiration_time(cert); + activation_time = gnutls_x509_crt_get_activation_time(cert); + + printf("\tCertificate is valid since: %s", ctime(&activation_time)); + printf("\tCertificate expires: %s", ctime(&expiration_time)); + + /* Print the serial number of the certificate. */ + size = sizeof(serial); + gnutls_x509_crt_get_serial(cert, serial, &size); + + printf("\tCertificate serial number: %s\n", bin2hex(serial, size)); + + /* Extract some of the public key algorithm's parameters + */ + algo = gnutls_x509_crt_get_pk_algorithm(cert, &bits); + + printf("Certificate public key: %s", gnutls_pk_algorithm_get_name(algo)); + + /* Print the version of the X.509 certificate. */ + printf("\tCertificate version: #%d\n", gnutls_x509_crt_get_version(cert)); + + size = sizeof(dn); + gnutls_x509_crt_get_dn(cert, dn, &size); + printf("\tDN: %s\n", dn); + + size = sizeof(dn); + gnutls_x509_crt_get_issuer_dn(cert, dn, &size); + printf("\tIssuer's DN: %s\n", dn); +} +#endif +#endif + void cs_print_session_info(COMSTACK cs) { #if HAVE_GNUTLS_H struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate; - if (sp->session) + if (cs->type == ssl_type && sp->session) { + const gnutls_datum_t *cert_list; + unsigned i, cert_list_size; if (gnutls_certificate_type_get(sp->session) != GNUTLS_CRT_X509) return; printf("X509 certificate\n"); + cert_list = gnutls_certificate_get_peers(sp->session, + &cert_list_size); + printf("Peer provided %u certificates\n", cert_list_size); + for (i = 0; i < cert_list_size; i++) + { + gnutls_x509_crt_t cert; +#if USE_GNUTLS_X509_CRT_PRINT + int ret; + gnutls_datum_t cinfo; +#endif + gnutls_x509_crt_init(&cert); + gnutls_x509_crt_import(cert, &cert_list[i], GNUTLS_X509_FMT_DER); + printf("Certificate info %d:\n", i + 1); +#if USE_GNUTLS_X509_CRT_PRINT + ret = gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, + &cinfo); + if (ret == 0) + { + printf("\t%s\n", cinfo.data); + gnutls_free(cinfo.data); + } +#else + x509_crt_print(cert); +#endif + gnutls_x509_crt_deinit(cert); + + } } #elif HAVE_OPENSSL_SSL_H - struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate; - SSL *ssl = (SSL *) sp->ssl; - if (ssl) + if (cs->type == ssl_type) { - X509 *server_cert = SSL_get_peer_certificate(ssl); - - if (server_cert) + struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate; + SSL *ssl = (SSL *) sp->ssl; + if (ssl) { - char *pem_buf; - int pem_len; - BIO *bio = BIO_new(BIO_s_mem()); + X509 *server_cert = SSL_get_peer_certificate(ssl); + if (server_cert) + { + char *pem_buf; + int pem_len; + BIO *bio = BIO_new(BIO_s_mem()); - /* get PEM buffer in memory */ - PEM_write_bio_X509(bio, server_cert); - pem_len = BIO_get_mem_data(bio, &pem_buf); - fwrite(pem_buf, pem_len, 1, stdout); + /* get PEM buffer in memory */ + PEM_write_bio_X509(bio, server_cert); + pem_len = BIO_get_mem_data(bio, &pem_buf); + fwrite(pem_buf, pem_len, 1, stdout); - /* print all info on screen .. */ - X509_print_fp(stdout, server_cert); - BIO_free(bio); + /* print all info on screen .. */ + X509_print_fp(stdout, server_cert); + BIO_free(bio); - X509_free(server_cert); + X509_free(server_cert); + } } } #endif @@ -1542,7 +1670,7 @@ void *cs_get_ssl(COMSTACK cs) if (cs && cs->type == ssl_type) { struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate; - return sp->ssl; + return sp->ssl; } #endif return 0; @@ -1623,7 +1751,7 @@ static int tcpip_get_connect(COMSTACK h, char **buf, int *bufsize) struct tcpip_state *state = (struct tcpip_state *)h->cprivate; int r; - r = tcpip_get(h, &state->connect_response_buf, + r = tcpip_get(h, &state->connect_response_buf, &state->connect_response_len); if (r < 1) return r;