aboutsummaryrefslogtreecommitdiff
path: root/src/microhttpd/connection_https.c
blob: 5421d5b290d669c8c0c97925d664d8c644ae4ad0 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
/*
     This file is part of libmicrohttpd
     Copyright (C) 2007, 2008, 2010 Daniel Pittman and Christian Grothoff
     Copyright (C) 2015-2021 Karlson2k (Evgeny Grin)

     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Lesser General Public
     License as published by the Free Software Foundation; either
     version 2.1 of the License, or (at your option) any later version.

     This library is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     Lesser General Public License for more details.

     You should have received a copy of the GNU Lesser General Public
     License along with this library; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

*/

/**
 * @file connection_https.c
 * @brief  Methods for managing SSL/TLS connections. This file is only
 *         compiled if ENABLE_HTTPS is set.
 * @author Sagie Amir
 * @author Christian Grothoff
 * @author Karlson2k (Evgeny Grin)
 */

#include "internal.h"
#include "connection.h"
#include "connection_https.h"
#include "memorypool.h"
#include "response.h"
#include "mhd_mono_clock.h"
#include <gnutls/gnutls.h>
#include "mhd_send.h"


/**
 * Callback for receiving data from the socket.
 *
 * @param connection the MHD_Connection structure
 * @param other where to write received data to
 * @param i maximum size of other (in bytes)
 * @return positive value for number of bytes actually received or
 *         negative value for error number MHD_ERR_xxx_
 */
static ssize_t
recv_tls_adapter (struct MHD_Connection *connection,
                  void *other,
                  size_t i)
{
  ssize_t res;

  if (i > SSIZE_MAX)
    i = SSIZE_MAX;

  res = gnutls_record_recv (connection->tls_session,
                            other,
                            i);
  if ( (GNUTLS_E_AGAIN == res) ||
       (GNUTLS_E_INTERRUPTED == res) )
  {
#ifdef EPOLL_SUPPORT
    if (GNUTLS_E_AGAIN == res)
      connection->epoll_state &=
        ~((enum MHD_EpollState) MHD_EPOLL_STATE_READ_READY);
#endif
    /* Any network errors means that buffer is empty. */
    connection->tls_read_ready = false;
    return MHD_ERR_AGAIN_;
  }
  if (res < 0)
  {
    connection->tls_read_ready = false;
    if ( (GNUTLS_E_DECRYPTION_FAILED == res) ||
         (GNUTLS_E_INVALID_SESSION == res) ||
         (GNUTLS_E_DECOMPRESSION_FAILED == res) ||
         (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER == res) ||
         (GNUTLS_E_UNSUPPORTED_VERSION_PACKET == res) ||
         (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res) ||
         (GNUTLS_E_UNEXPECTED_PACKET == res) ||
         (GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET == res) ||
         (GNUTLS_E_EXPIRED == res) ||
         (GNUTLS_E_REHANDSHAKE == res) )
      return MHD_ERR_TLS_;
    if ( (GNUTLS_E_PULL_ERROR == res) ||
         (GNUTLS_E_INTERNAL_ERROR == res) ||
         (GNUTLS_E_CRYPTODEV_IOCTL_ERROR == res) ||
         (GNUTLS_E_CRYPTODEV_DEVICE_ERROR == res) )
      return MHD_ERR_PIPE_;
#if defined(GNUTLS_E_PREMATURE_TERMINATION)
    if (GNUTLS_E_PREMATURE_TERMINATION == res)
      return MHD_ERR_CONNRESET_;
#elif defined(GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
    if (GNUTLS_E_UNEXPECTED_PACKET_LENGTH == res)
      return MHD_ERR_CONNRESET_;
#endif /* GNUTLS_E_UNEXPECTED_PACKET_LENGTH */
    if (GNUTLS_E_MEMORY_ERROR == res)
      return MHD_ERR_NOMEM_;
    /* Treat any other error as a hard error. */
    return MHD_ERR_NOTCONN_;
  }

#ifdef EPOLL_SUPPORT
  /* Unlike non-TLS connections, do not reset "read-ready" if
   * received amount smaller than provided amount, as TLS
   * connections may receive data by fixed-size chunks. */
#endif /* EPOLL_SUPPORT */

  /* Check whether TLS buffers still have some unread data. */
  connection->tls_read_ready =
    ( ((size_t) res == i) &&
      (0 != gnutls_record_check_pending (connection->tls_session)) );
  return res;
}


/**
 * Give gnuTLS chance to work on the TLS handshake.
 *
 * @param connection connection to handshake on
 * @return true if the handshake has completed successfully
 *         and we should start to read/write data,
 *         false is handshake in progress or in case
 *         of error
 */
bool
MHD_run_tls_handshake_ (struct MHD_Connection *connection)
{
  int ret;

  if ((MHD_TLS_CONN_INIT == connection->tls_state) ||
      (MHD_TLS_CONN_HANDSHAKING == connection->tls_state))
  {
#if 0
    /* According to real-live testing, Nagel's Algorithm is not blocking
     * partial packets on just connected sockets on modern OSes. As TLS setup
     * is performed as the fist action upon socket connection, the next
     * optimisation typically is not required. If any specific OS will
     * require this optimization, it could be enabled by allowing the next
     * lines for this specific OS. */
    if (_MHD_ON != connection->sk_nodelay)
      MHD_connection_set_nodelay_state_ (connection, true);
#endif
    ret = gnutls_handshake (connection->tls_session);
    if (ret == GNUTLS_E_SUCCESS)
    {
      /* set connection TLS state to enable HTTP processing */
      connection->tls_state = MHD_TLS_CONN_CONNECTED;
      MHD_update_last_activity_ (connection);
      return true;
    }
    if ( (GNUTLS_E_AGAIN == ret) ||
         (GNUTLS_E_INTERRUPTED == ret) )
    {
      connection->tls_state = MHD_TLS_CONN_HANDSHAKING;
      /* handshake not done */
      return false;
    }
    /* handshake failed */
    connection->tls_state = MHD_TLS_CONN_TLS_FAILED;
#ifdef HAVE_MESSAGES
    MHD_DLOG (connection->daemon,
              _ ("Error: received handshake message out of context.\n"));
#endif
    MHD_connection_close_ (connection,
                           MHD_REQUEST_TERMINATED_WITH_ERROR);
    return false;
  }
  return true;
}


/**
 * Set connection callback function to be used through out
 * the processing of this secure connection.
 *
 * @param connection which callbacks should be modified
 */
void
MHD_set_https_callbacks (struct MHD_Connection *connection)
{
  connection->recv_cls = &recv_tls_adapter;
}


/**
 * Initiate shutdown of TLS layer of connection.
 *
 * @param connection to use
 * @return true if succeed, false otherwise.
 */
bool
MHD_tls_connection_shutdown (struct MHD_Connection *connection)
{
  if (MHD_TLS_CONN_WR_CLOSED > connection->tls_state)
  {
    const int res =
      gnutls_bye (connection->tls_session, GNUTLS_SHUT_WR);
    if (GNUTLS_E_SUCCESS == res)
    {
      connection->tls_state = MHD_TLS_CONN_WR_CLOSED;
      return true;
    }
    if ((GNUTLS_E_AGAIN == res) ||
        (GNUTLS_E_INTERRUPTED == res))
    {
      connection->tls_state = MHD_TLS_CONN_WR_CLOSING;
      return true;
    }
    else
      connection->tls_state = MHD_TLS_CONN_TLS_FAILED;
  }
  return false;
}


/* end of connection_https.c */