Delayed SSL Support

.gitignore

@@ -0,0 +1,2 @@
+command
+compile

src/CHANGES

@@ -69,3 +69,13 @@
 
 20050717
 	Version 0.70.
+
+20110901 (sgifford@suspectclass.com)
+	Add support for UCSPI-TLS in server (Scott Gifford)
+	Add support for UCSPI-TLS in client (Scott Gifford, sponsored by Meixler Technologies, Inc.)
+	For details see: http://www.suspectclass.com/sgifford/ucspi-tls/
+\ No newline at end of file
+	Add privilege separation to sslserver
+	Add chroot(2) support to sslserver
+	Add switching user ID and group ID in sslsever
+

src/Makefile

@@ -36,7 +36,8 @@ clean:
 	tai_pack.o taia_add.o taia_approx.o taia_frac.o taia_less.o taia_now.o \
 	taia_pack.o taia_sub.o taia_uint.o timeoutconn.o uint16_pack.o \
 	uint16_unpack.o uint32.h uint32_pack.o uint32_unpack.o uint64.h unix.a \
-	wait_nohang.o wait_pid.o
+	wait_nohang.o wait_pid.o tryssl.o \
+	ucspissltest ucspissltest.o ucspitls.o
 
 alloc.o: compile alloc.c alloc.h error.h
 	./compile alloc.c
@@ -312,7 +313,7 @@ ip4_scan.o: compile ip4_scan.c scan.h ip4.h
 
 it: it-base it-sslperl sysdeps
 
-it-base: sslclient sslserver https@ sslcat sslconnect sslprint sysdeps
+it-base: sslclient sslserver https@ sslcat sslconnect sslprint sysdeps ucspissltest
 
 it-sslperl: sslperl sysdeps
 
@@ -504,9 +505,9 @@ sslcat: home warn-auto.sh sslcat.sh
 	chmod 755 sslcat
 
 sslclient: load sslclient.o remoteinfo.o timeoutconn.o ssl.a unix.a \
-auto_cafile.o auto_cadir.o auto_ciphers.o socket.lib ssl.lib
+auto_cafile.o auto_cadir.o auto_ciphers.o wait_nohang.o ucspitls_master.o socket.lib ssl.lib
 	./load sslclient remoteinfo.o timeoutconn.o ssl.a unix.a auto_cafile.o \
-	auto_cadir.o auto_ciphers.o  `cat socket.lib` `cat ssl.lib`
+	auto_cadir.o auto_ciphers.o wait_nohang.o ucspitls_master.o  `cat socket.lib` `cat ssl.lib`
 
 sslclient.o: compile sslclient.c ssl.h sig.h exit.h sgetopt.h uint16.h \
 fmt.h scan.h str.h ip4.h uint16.h socket.h fd.h stralloc.h buffer.h \
@@ -562,10 +563,10 @@ sslprint.o: compile sslprint.c buffer.h env.h
 
 sslserver: load sslserver.o auto_cafile.o auto_ccafile.o auto_cadir.o \
 auto_dhfile.o auto_certfile.o auto_keyfile.o auto_ciphers.o rules.o \
-remoteinfo.o timeoutconn.o cdb.a ssl.a unix.a socket.lib ssl.lib
+remoteinfo.o timeoutconn.o wait_nohang.o ucspitls_master.o ucspitls.o cdb.a ssl.a unix.a socket.lib ssl.lib
 	./load sslserver auto_cafile.o auto_ccafile.o auto_cadir.o auto_dhfile.o \
 	auto_certfile.o auto_keyfile.o auto_ciphers.o rules.o remoteinfo.o \
-	timeoutconn.o cdb.a ssl.a unix.a  `cat socket.lib` `cat ssl.lib`
+	timeoutconn.o wait_nohang.o ucspitls_master.o ucspitls.o cdb.a ssl.a unix.a  `cat socket.lib` `cat ssl.lib`
 
 sslserver.o: compile sslserver.c ssl.h uint16.h str.h byte.h fmt.h scan.h \
 ip4.h fd.h exit.h env.h prot.h open.h wait.h stralloc.h alloc.h buffer.h \
@@ -575,7 +576,7 @@ auto_ccafile.h auto_dhfile.h auto_certfile.h auto_keyfile.h \
 auto_ciphers.h stralloc.h gen_alloc.h buffer.h stralloc.h subgetopt.h \
 uint16.h stralloc.h uint16.h stralloc.h stralloc.h iopause.h taia.h \
 gen_alloc.h gen_alloc.h gen_alloc.h gen_alloc.h gen_alloc.h taia.h tai.h \
-tai.h uint64.h uint64.h
+tai.h uint64.h uint64.h ucspitls.h
 	./compile sslserver.c
 
 str_chr.o: compile str_chr.c str.h
@@ -738,3 +739,15 @@ wait_nohang.o: compile wait_nohang.c haswaitp.h
 
 wait_pid.o: compile wait_pid.c error.h haswaitp.h
 	./compile wait_pid.c
+
+ucspissltest.o: ucspissltest.c ucspitls.h
+	./compile ucspissltest.c
+
+ucspitls.o: ucspitls.c ucspitls.h
+	./compile ucspitls.c
+
+ucspitls_master.o: ucspitls_master.c ucspitls_master.h wait.h strerr.h
+	./compile ucspitls_master.c
+
+ucspissltest: load ucspissltest.o ucspitls.o sgetopt.o sgetopt.h subgetopt.h subgetopt.o buffer.o buffer_2.o
+	./load ucspissltest ucspitls.o unix.a

src/UCSPI-SSL

@@ -37,12 +37,21 @@ lowercase. SSLREMOTEINFO is a connection-specific string supplied by the
 remote host via 931/1413/IDENT/TAP.
 
 SSL UCSPI tools take a -R option to turn off 931/1413/IDENT/TAP
-querying, and a -r option to turn it back on. SSL UCSPI tools take a -I
-option to turn off checking for a client certificate, and a -i option to
-turn it back on.  SSL UCSPI clients take a -p [locport] option to
-require a particular TCP port on the local side of the connection. SSL
-UCSPI servers take a -1 option to print the local port number (in
-decimal, followed by a newline) to descriptor 1 before closing
-descriptor 1 and after preparing to receive connections.  SSL UCSPI
-servers and clients take a -3 option to read a null-terminated key
-password from file descriptor 3.
+querying, and a -r option to turn it back on. SSL UCSPI tools take a
+-I option to turn off checking for a client certificate, and a -i
+option to turn it back on.  SSL UCSPI tools take a -j option (the
+default) to just shutdown the socket when we are done with the SSL
+protocol, and a -J option to negotiate a full shutdown (both are
+allowed by the protocol).  SSL UCSPI clients take a -p [locport]
+option to require a particular TCP port on the local side of the
+connection. SSL UCSPI servers take a -1 option to print the local port
+number (in decimal, followed by a newline) to descriptor 1 before
+closing descriptor 1 and after preparing to receive connections.  SSL
+UCSPI servers recognize the environment variable SSL_CHROOT to put the
+ssl handling process into a chroot jail, SSL_GID to run the ssl
+handling process with the given group ID, and SSL_UID to run the ssl
+handling process with the given user ID.  UCSPI servers and clients
+take a -3 option to read a null-terminated key password from file
+descriptor 3.  SSL UCSPI servers and clients take a -y option to delay
+starting SSL until the program requests it, and a -Y option (the
+default) to immediately begin negotiating SSL.

src/ssl.h

@@ -6,8 +6,14 @@
 
 #define SSL_NAME_LEN 256
 
+struct ssl_io_opt {
+  unsigned int timeout;
+  unsigned int just_shutdown;
+};
+extern struct ssl_io_opt ssl_io_opt_default;
+
 extern int ssl_errno;
-extern int ssl_io(SSL *,int,int,unsigned int);
+extern int ssl_io(SSL *,int,int,struct ssl_io_opt);
 extern SSL_CTX *ssl_context(SSL_METHOD *);
 extern int ssl_timeoutconn(SSL *,unsigned int);
 extern int ssl_timeoutaccept(SSL *,unsigned int);
@@ -20,7 +26,7 @@ extern int ssl_verify(SSL *,const char *);
 extern int ssl_params(SSL_CTX *,const char *,int);
 extern int ssl_server_env(SSL *,stralloc *);
 extern int ssl_client_env(SSL *,stralloc *);
-extern void ssl_error_str();
+extern char *ssl_error_str(int);
 extern int ssl_error(int (*)(const char *));
 
 #define ssl_client() (ssl_context(SSLv23_client_method()))

src/ssl_io.c

@@ -18,7 +18,9 @@ static char rightbuf[16 * 1024];
 static int rightlen;
 static int rightpos;
 
-int ssl_io(SSL *ssl,int fdleft,int fdright,unsigned int timeout) {
+struct ssl_io_opt ssl_io_opt_default = { 3600, 1 };
+
+int ssl_io(SSL *ssl,int fdleft,int fdright,struct ssl_io_opt opt) {
   struct taia now;
   struct taia deadline;
   iopause_fd x[4];
@@ -75,7 +77,7 @@ int ssl_io(SSL *ssl,int fdleft,int fdright,unsigned int timeout) {
     }
 
     taia_now(&now);
-    taia_uint(&deadline,timeout);
+    taia_uint(&deadline,opt.timeout);
     taia_add(&deadline,&now,&deadline);
     iopause(x,xlen,&deadline,&now);
     for (r = 0;r < xlen;++r)
@@ -104,6 +106,7 @@ int ssl_io(SSL *ssl,int fdleft,int fdright,unsigned int timeout) {
 	case SSL_ERROR_WANT_X509_LOOKUP:
 	  break;
 	case SSL_ERROR_ZERO_RETURN:
+	case SSL_ERROR_SSL:
 	  if (rightstatus == -1) goto done;
 	  close(fdleft);
 	  leftstatus = -1;
@@ -116,10 +119,6 @@ int ssl_io(SSL *ssl,int fdleft,int fdright,unsigned int timeout) {
 	  /* premature close */
 	  if (errno == error_connreset  && rightstatus == -1) goto done;
 	  goto bomb;
-	case SSL_ERROR_SSL:
-	  if (errno == error_again || errno == error_intr) break;
-	  if (!errno) break;
-	  goto bomb;
 	default:
 	  close(fdleft);
 	  leftstatus = -1;
@@ -186,8 +185,8 @@ int ssl_io(SSL *ssl,int fdleft,int fdright,unsigned int timeout) {
       else if (r == 0) {
 	close(fdright);
 	rightstatus = -1;
-	if (ssl_shutdown(ssl)) goto done; 
-	if (leftstatus == -1) goto done;
+	if (ssl_shutdown(ssl) < 0) goto bomb;
+	if (leftstatus == -1 || opt.just_shutdown) goto done;
       }
       else {
 	rightstatus = 1;
@@ -234,14 +233,14 @@ int ssl_io(SSL *ssl,int fdleft,int fdright,unsigned int timeout) {
   if (leftstatus != -1) close(fdleft);
   if (rightstatus != -1) close(fdright);
   if (!ssl_shutdown_sent(ssl)) ssl_shutdown(ssl);
-  if (!ssl_shutdown_pending(ssl)) ssl_shutdown(ssl);
+  if (!opt.just_shutdown && !ssl_shutdown_pending(ssl)) ssl_shutdown(ssl);
   shutdown(wfd,2);
   errno = r;
   return -1;
 
 done:
   if (!ssl_shutdown_sent(ssl)) ssl_shutdown(ssl);
-  if (!ssl_shutdown_pending(ssl)) ssl_shutdown(ssl);
+  if (!opt.just_shutdown && !ssl_shutdown_pending(ssl)) ssl_shutdown(ssl);
   shutdown(wfd,2);
   if (leftstatus != -1) close(fdleft);
   if (rightstatus != -1) close(fdright);