/* This file is part of libmicrohttpd Copyright (C) 2007, 2008, 2010 Daniel Pittman and Christian Grothoff Copyright (C) 2015-2021 Karlson2k (Evgeny Grin) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ /** * @file connection_https.c * @brief Methods for managing SSL/TLS connections. This file is only * compiled if ENABLE_HTTPS is set. * @author Sagie Amir * @author Christian Grothoff * @author Karlson2k (Evgeny Grin) */ #include "internal.h" #include "connection.h" #include "connection_https.h" #include "memorypool.h" #include "response.h" #include "mhd_mono_clock.h" #include #include "mhd_send.h" /** * Callback for receiving data from the socket. * * @param connection the MHD_Connection structure * @param other where to write received data to * @param i maximum size of other (in bytes) * @return positive value for number of bytes actually received or * negative value for error number MHD_ERR_xxx_ */ static ssize_t recv_tls_adapter (struct MHD_Connection *connection, void *other, size_t i) { ssize_t res; if (i > SSIZE_MAX) i = SSIZE_MAX; res = gnutls_record_recv (connection->tls_session, other, i); if ( (GNUTLS_E_AGAIN == res) || (GNUTLS_E_INTERRUPTED == res) ) { #ifdef EPOLL_SUPPORT if (GNUTLS_E_AGAIN == res) connection->epoll_state &= ~((enum MHD_EpollState) MHD_EPOLL_STATE_READ_READY); #endif /* Any network errors means that buffer is empty. */ connection->tls_read_ready = false; return MHD_ERR_AGAIN_; } if (res < 0) { connection->tls_read_ready = false; if ( (GNUTLS_E_DECRYPTION_FAILED == res) || (GNUTLS_E_INVALID_SESSION == res) || (GNUTLS_E_DECOMPRESSION_FAILED == res) || (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER == res) || (GNUTLS_E_UNSUPPORTED_VERSION_PACKET == res) || (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res) || (GNUTLS_E_UNEXPECTED_PACKET == res) || (GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET == res) || (GNUTLS_E_EXPIRED == res) || (GNUTLS_E_REHANDSHAKE == res) ) return MHD_ERR_TLS_; if ( (GNUTLS_E_PULL_ERROR == res) || (GNUTLS_E_INTERNAL_ERROR == res) || (GNUTLS_E_CRYPTODEV_IOCTL_ERROR == res) || (GNUTLS_E_CRYPTODEV_DEVICE_ERROR == res) ) return MHD_ERR_PIPE_; #if defined(GNUTLS_E_PREMATURE_TERMINATION) if (GNUTLS_E_PREMATURE_TERMINATION == res) return MHD_ERR_CONNRESET_; #elif defined(GNUTLS_E_UNEXPECTED_PACKET_LENGTH) if (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res) return MHD_ERR_CONNRESET_; #endif /* GNUTLS_E_UNEXPECTED_PACKET_LENGTH */ if (GNUTLS_E_MEMORY_ERROR == res) return MHD_ERR_NOMEM_; /* Treat any other error as a hard error. */ return MHD_ERR_NOTCONN_; } #ifdef EPOLL_SUPPORT /* Unlike non-TLS connections, do not reset "read-ready" if * received amount smaller than provided amount, as TLS * connections may receive data by fixed-size chunks. */ #endif /* EPOLL_SUPPORT */ /* Check whether TLS buffers still have some unread data. */ connection->tls_read_ready = ( ((size_t) res == i) && (0 != gnutls_record_check_pending (connection->tls_session)) ); return res; } /** * Give gnuTLS chance to work on the TLS handshake. * * @param connection connection to handshake on * @return true if the handshake has completed successfully * and we should start to read/write data, * false is handshake in progress or in case * of error */ bool MHD_run_tls_handshake_ (struct MHD_Connection *connection) { int ret; if ((MHD_TLS_CONN_INIT == connection->tls_state) || (MHD_TLS_CONN_HANDSHAKING == connection->tls_state)) { #if 0 /* According to real-live testing, Nagel's Algorithm is not blocking * partial packets on just connected sockets on modern OSes. As TLS setup * is performed as the fist action upon socket connection, the next * optimisation typically is not required. If any specific OS will * require this optimization, it could be enabled by allowing the next * lines for this specific OS. */ if (_MHD_ON != connection->sk_nodelay) MHD_connection_set_nodelay_state_ (connection, true); #endif ret = gnutls_handshake (connection->tls_session); if (ret == GNUTLS_E_SUCCESS) { /* set connection TLS state to enable HTTP processing */ connection->tls_state = MHD_TLS_CONN_CONNECTED; MHD_update_last_activity_ (connection); return true; } if ( (GNUTLS_E_AGAIN == ret) || (GNUTLS_E_INTERRUPTED == ret) ) { connection->tls_state = MHD_TLS_CONN_HANDSHAKING; /* handshake not done */ return false; } /* handshake failed */ connection->tls_state = MHD_TLS_CONN_TLS_FAILED; #ifdef HAVE_MESSAGES MHD_DLOG (connection->daemon, _ ("Error: received handshake message out of context.\n")); #endif MHD_connection_close_ (connection, MHD_REQUEST_TERMINATED_WITH_ERROR); return false; } return true; } /** * Set connection callback function to be used through out * the processing of this secure connection. * * @param connection which callbacks should be modified */ void MHD_set_https_callbacks (struct MHD_Connection *connection) { connection->recv_cls = &recv_tls_adapter; } /** * Initiate shutdown of TLS layer of connection. * * @param connection to use * @return true if succeed, false otherwise. */ bool MHD_tls_connection_shutdown (struct MHD_Connection *connection) { if (MHD_TLS_CONN_WR_CLOSED > connection->tls_state) { const int res = gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR); if (GNUTLS_E_SUCCESS == res) { connection->tls_state = MHD_TLS_CONN_WR_CLOSED; return true; } if ((GNUTLS_E_AGAIN == res) || (GNUTLS_E_INTERRUPTED == res)) { connection->tls_state = MHD_TLS_CONN_WR_CLOSING; return true; } else connection->tls_state = MHD_TLS_CONN_TLS_FAILED; } return false; } /* end of connection_https.c */