/*
* SSLsplit - transparent SSL/TLS interception
* Copyright (c) 2009-2016, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions, and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "pxysslshut.h"
#include "log.h"
#include "attrib.h"
#include <stdlib.h>
#include <errno.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
/*
* Cleanly shut down an SSL socket. Libevent currently has no support for
* cleanly shutting down an SSL socket so we work around that by using a
* low-level event. This works for recent versions of OpenSSL. OpenSSL
* versions with the older SSL_shutdown() semantics, which do not expose
* WANT_READ/WANT_WRITE, may or may not work.
*/
/*
 * SSL shutdown context.
 *
 * Per-shutdown state handed from pxy_ssl_shutdown() to pxy_ssl_shutdown_cb()
 * through the event's void *arg. Allocated by pxy_ssl_shutdown_ctx_new() and
 * released by pxy_ssl_shutdown_ctx_free() once the shutdown has ended.
 */
typedef struct pxy_ssl_shutdown_ctx {
	opts_t *opts;			/* only consulted via OPTS_DEBUG() for debug logging */
	struct event_base *evbase;	/* event base the retry event is created on */
	struct event *ev;		/* pending retry event; NULL when none is scheduled */
	SSL *ssl;			/* SSL object being shut down; freed when the shutdown ends */
	unsigned int retries;		/* SSL_shutdown() attempts so far; capped in the callback */
} pxy_ssl_shutdown_ctx_t;
/*
 * Allocate a shutdown context for ssl on evbase.
 *
 * The retry event starts out unset and the retry counter at zero.
 * Returns NULL if malloc() fails; in that case nothing has been taken
 * over and the caller must still dispose of ssl itself.
 */
static pxy_ssl_shutdown_ctx_t *
pxy_ssl_shutdown_ctx_new(opts_t *opts, struct event_base *evbase, SSL *ssl)
{
	pxy_ssl_shutdown_ctx_t *ctx = malloc(sizeof *ctx);

	if (ctx) {
		*ctx = (pxy_ssl_shutdown_ctx_t){
			.opts = opts,
			.evbase = evbase,
			.ev = NULL,
			.ssl = ssl,
			.retries = 0,
		};
	}
	return ctx;
}
/*
 * Release a shutdown context.
 *
 * Only the context itself is freed; ctx->ssl and ctx->ev are not touched
 * (pxy_ssl_shutdown_cb() disposes of both before calling this). A NULL
 * ctx is accepted, since free(NULL) is a no-op.
 */
static void
pxy_ssl_shutdown_ctx_free(pxy_ssl_shutdown_ctx_t *ctx)
{
	free(ctx);
}
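/*
 * The shutdown socket event handler. This is either
 * scheduled as a timeout-only event, or as a fd read or
 * fd write event, depending on whether SSL_shutdown()
 * indicates it needs read or write on the socket.
 *
 * Each invocation makes one SSL_shutdown() attempt on ctx->ssl. If the
 * shutdown is not complete yet, the next attempt is rescheduled on fd;
 * after PXY_SSL_SHUTDOWN_MAX_RETRIES attempts, or on a fatal SSL error,
 * the clean shutdown is abandoned. On every path that ends the shutdown
 * ctx->ssl is freed, fd is closed and ctx is released, so nothing else
 * may reference them once they have been handed to this callback.
 *
 * fd   socket the SSL object operates on; closed when the shutdown ends.
 * what unused; the readiness type is implied by how SSL_shutdown() fails.
 * arg  the pxy_ssl_shutdown_ctx_t owning ssl and the retry event.
 */
static void
pxy_ssl_shutdown_cb(evutil_socket_t fd, UNUSED short what, void *arg)
{
	pxy_ssl_shutdown_ctx_t *ctx = arg;
	/*
	 * Upper bound on rescheduling, so a peer that never answers our
	 * close_notify cannot keep the SSL object, the event and the fd
	 * alive indefinitely.
	 */
	enum { PXY_SSL_SHUTDOWN_MAX_RETRIES = 50 };
	// @attention Increasing the delay to 500 or more fixes some ssl shutdown failures, they report SSL_ERROR_WANT_READ before eventually succeeding
	// @todo Can/should we set an adaptive delay per conn here? Does it matter?
	struct timeval retry_delay = {0, 100};	/* 100 microseconds between attempts */
	short want = 0;				/* 0: timeout-only; else EV_READ / EV_WRITE */
	int rv, sslerr;

	/* A previous retry event brought us here; it is one-shot, drop it. */
	if (ctx->ev) {
		event_free(ctx->ev);
		ctx->ev = NULL;
	}

	/*
	 * Use the new (post-2008) semantics for SSL_shutdown() on a
	 * non-blocking socket. SSL_shutdown() returns -1 and WANT_READ
	 * if the other end's close notify was not received yet, and
	 * WANT_WRITE it could not write our own close notify.
	 *
	 * This is a good collection of recent and relevant documents:
	 * http://bugs.python.org/issue8108
	 */
	rv = SSL_shutdown(ctx->ssl);
	if (rv == 1)
		goto complete;
	if (rv != -1) {
		/* Shutdown not finished and no error reported: poll again
		 * with a timeout-only event (want stays 0). */
		goto retry;
	}

	switch ((sslerr = SSL_get_error(ctx->ssl, rv))) {
	case SSL_ERROR_WANT_READ:
		want = EV_READ;
		log_dbg_level_printf(LOG_DBG_MODE_FINEST, ">>>>> pxy_ssl_shutdown_cb: SSL_ERROR_WANT_READ, retries=%u, fd=%d\n", ctx->retries, fd);
		goto retry;
	case SSL_ERROR_WANT_WRITE:
		want = EV_WRITE;
		log_dbg_level_printf(LOG_DBG_MODE_FINEST, ">>>>> pxy_ssl_shutdown_cb: SSL_ERROR_WANT_WRITE, retries=%u, fd=%d\n", ctx->retries, fd);
		goto retry;
	case SSL_ERROR_ZERO_RETURN:
		log_dbg_level_printf(LOG_DBG_MODE_FINEST, ">>>>> pxy_ssl_shutdown_cb: SSL_ERROR_ZERO_RETURN, retries=%u, fd=%d\n", ctx->retries, fd);
		goto retry;
	case SSL_ERROR_SYSCALL:
	case SSL_ERROR_SSL:
		/* Fatal: retrying cannot help; tear down immediately. */
		log_dbg_level_printf(LOG_DBG_MODE_FINEST, ">>>>> pxy_ssl_shutdown_cb: SSL_ERROR_SYSCALL or SSL_ERROR_SSL, retries=%u, fd=%d\n", ctx->retries, fd);
		goto complete;
	default:
		log_dbg_level_printf(LOG_DBG_MODE_FINEST, ">>>>> pxy_ssl_shutdown_cb: default, retries=%u, fd=%d\n", ctx->retries, fd);
		log_err_printf("Unhandled SSL_shutdown() "
		               "error %i. Closing fd, fd=%d\n", sslerr, fd);
		goto complete;
	}
	goto complete;

retry:
	if (ctx->retries++ >= PXY_SSL_SHUTDOWN_MAX_RETRIES) {
		log_err_printf("Failed to shutdown SSL connection cleanly: "
		               "Max retries reached. Closing fd, fd=%d\n", fd);
		goto complete;
	}
	ctx->ev = event_new(ctx->evbase, fd, want, pxy_ssl_shutdown_cb, ctx);
	if (!ctx->ev) {
		log_err_printf("Failed to shutdown SSL connection cleanly: "
		               "Cannot create event. Closing fd, fd=%d\n", fd);
		goto complete;
	}
	if (event_add(ctx->ev, &retry_delay) == 0)
		return;
	/*
	 * Scheduling failed. Without this check nothing would ever call us
	 * again and the SSL object, the event, the fd and ctx would leak.
	 */
	log_err_printf("Failed to shutdown SSL connection cleanly: "
	               "Cannot schedule event. Closing fd, fd=%d\n", fd);
	event_free(ctx->ev);
	ctx->ev = NULL;

complete:
	/* Single exit for both clean completion and give-up: release everything. */
	if (OPTS_DEBUG(ctx->opts)) {
		log_dbg_printf(">>>> pxy_ssl_shutdown_cb: SSL_free() in state ");
		log_dbg_print_free(ssl_ssl_state_to_str(ctx->ssl));
		log_dbg_printf(" fd=%d\n", fd);
	}
	SSL_free(ctx->ssl);
	evutil_closesocket(fd);
	pxy_ssl_shutdown_ctx_free(ctx);
}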
/*
 * Cleanly shutdown an SSL session on file descriptor fd using low-level
 * file descriptor readiness events on event base evbase.
 *
 * Ownership of ssl and fd passes to this function. Either a shutdown
 * context takes them over and pxy_ssl_shutdown_cb() frees ssl and closes
 * fd once the shutdown completes, gives up or hits a fatal error, or,
 * when the context cannot be allocated, both are released right here.
 * In both cases the caller must not use ssl or fd afterwards.
 */
void
pxy_ssl_shutdown(opts_t *opts, struct event_base *evbase, SSL *ssl,
                 evutil_socket_t fd)
{
	pxy_ssl_shutdown_ctx_t *ctx = pxy_ssl_shutdown_ctx_new(opts, evbase, ssl);

	if (ctx) {
		/* First attempt runs synchronously; the callback reschedules
		 * itself on fd for as long as the shutdown is incomplete. */
		pxy_ssl_shutdown_cb(fd, 0, ctx);
		return;
	}

	/* No memory for a clean shutdown: tear the session down immediately. */
	if (OPTS_DEBUG(opts)) {
		log_dbg_printf(">>>> pxy_ssl_shutdown: SSL_free() in state ");
		log_dbg_print_free(ssl_ssl_state_to_str(ssl));
		log_dbg_printf(" fd=%d\n", fd);
	}
	SSL_free(ssl);
	evutil_closesocket(fd);
}
/* vim: set noet ft=c: */