Move `SSL_CTX *' into `struct server_context'

It didn't make much sense to parse the configuration values and load the SSL keys on each connection.
2014-07-12 21:59:17 +02:00 · 2014-07-12 21:59:17 +02:00 · cdaab8fdf0
parent 0cb51320d6
commit cdaab8fdf0
1 changed files with 86 additions and 53 deletions
--- a/src/kike.c
+++ b/src/kike.c
@ -115,7 +115,6 @@ struct connection
 	unsigned ssl_rx_want_tx : 1;        ///< SSL_read() wants to write
 	unsigned ssl_tx_want_rx : 1;        ///< SSL_write() wants to read

-	SSL_CTX *ssl_ctx;                   ///< SSL context
 	SSL *ssl;                           ///< SSL connection

 	char *nickname;                     ///< IRC nickname (main identifier)
@ -143,8 +142,6 @@ connection_free (struct connection *self)
 {
 	if (!soft_assert (self->socket_fd == -1))
 		xclose (self->socket_fd);
-	if (self->ssl_ctx)
-		SSL_CTX_free (self->ssl_ctx);
 	if (self->ssl)
 		SSL_free (self->ssl);

@ -211,11 +208,13 @@ struct server_context

 	int listen_fd;                      ///< Listening socket FD
 	struct connection *clients;         ///< Client connections
+	SSL_CTX *ssl_ctx;                   ///< SSL context

 	struct str_map users;               ///< Maps nicknames to connections
 	struct str_map channels;            ///< Maps channel names to data

 	struct poller poller;               ///< Manages polled description
+	bool quitting;                      ///< User requested quitting
 	bool polling;                       ///< The event loop is running
 };

@ -234,6 +233,7 @@ server_context_init (struct server_context *self)
 	str_map_init (&self->channels);

 	poller_init (&self->poller);
+	self->quitting = false;
 	self->polling = false;
 }

@ -244,6 +244,8 @@ server_context_free (struct server_context *self)

 	if (self->listen_fd != -1)
 		xclose (self->listen_fd);
+	if (self->ssl_ctx)
+		SSL_CTX_free (self->ssl_ctx);

 	// TODO: terminate the connections properly before this is called
 	struct connection *link, *tmp;
@ -321,62 +323,29 @@ irc_ssl_verify_callback (int verify_ok, X509_STORE_CTX *ctx)
 }

 static bool
-irc_initialize_ssl (struct connection *conn)
+connection_initialize_ssl (struct connection *conn)
 {
-	struct server_context *ctx = conn->ctx;
+	// SSL support not enabled
+	if (!conn->ctx->ssl_ctx)
+		return false;

-	conn->ssl_ctx = SSL_CTX_new (SSLv23_server_method ());
-	if (!conn->ssl_ctx)
-		goto error_ssl_1;
-	SSL_CTX_set_verify (conn->ssl_ctx,
-		SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, irc_ssl_verify_callback);
-	// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
-
-	conn->ssl = SSL_new (conn->ssl_ctx);
+	conn->ssl = SSL_new (conn->ctx->ssl_ctx);
 	if (!conn->ssl)
-		goto error_ssl_2;
+		goto error_ssl_1;

-	const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert");
-	if (ssl_cert
-	 && !SSL_CTX_use_certificate_chain_file (conn->ssl_ctx, ssl_cert))
-	{
-		// XXX: perhaps we should read the file ourselves for better messages
-		print_error ("%s: %s", "setting the SSL client certificate failed",
-			ERR_error_string (ERR_get_error (), NULL));
-	}
-
-	const char *ssl_key = str_map_find (&ctx->config, "ssl_key");
-	if (ssl_key
-	 && !SSL_use_PrivateKey_file (conn->ssl, ssl_key, SSL_FILETYPE_PEM))
-	{
-		// XXX: perhaps we should read the file ourselves for better messages
-		print_error ("%s: %s", "setting the SSL private key failed",
-			ERR_error_string (ERR_get_error (), NULL));
-	}
-
-	// TODO: SSL_check_private_key(conn->ssl)?  It is has probably already been
-	//   checked by SSL_use_PrivateKey_file() above.
-
-	SSL_set_accept_state (conn->ssl);
 	if (!SSL_set_fd (conn->ssl, conn->socket_fd))
-		goto error_ssl_3;
-	// Gah, spare me your awkward semantics, I just want to push data!
-	// XXX: do we want SSL_MODE_AUTO_RETRY as well?  I guess not.
-	SSL_set_mode (conn->ssl,
-		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+		goto error_ssl_2;
+	SSL_set_accept_state (conn->ssl);
 	return true;

-error_ssl_3:
+error_ssl_2:
 	SSL_free (conn->ssl);
 	conn->ssl = NULL;
-error_ssl_2:
-	SSL_CTX_free (conn->ssl_ctx);
-	conn->ssl_ctx = NULL;
 error_ssl_1:
 	// XXX: these error strings are really nasty; also there could be
 	//   multiple errors on the OpenSSL stack.
-	print_error ("%s: %s", "could not initialize SSL",
-		ERR_error_string (ERR_get_error (), NULL));
+	print_debug ("%s: %s: %s", "could not initialize SSL",
+		conn->hostname, ERR_error_string (ERR_get_error (), NULL));
 	return false;
 }

@ -502,13 +471,11 @@ irc_try_write_ssl (struct connection *conn)
 static void
 on_irc_client_ready (const struct pollfd *pfd, void *user_data)
 {
-	// XXX: check/load `ssl_cert' and `ssl_key' earlier?
 	struct connection *conn = user_data;
 	if (!conn->initialized)
 	{
 		hard_assert (pfd->events == POLLIN);
-		// XXX: what with the error from irc_initialize_ssl()?
-		if (irc_autodetect_ssl (conn) && !irc_initialize_ssl (conn))
+		if (irc_autodetect_ssl (conn) && !connection_initialize_ssl (conn))
 		{
 			connection_abort (conn, NULL);
 			return;
@ -599,6 +566,69 @@ on_irc_connection_available (const struct pollfd *pfd, void *user_data)
 	}
 }

+static bool
+irc_initialize_ssl (struct server_context *ctx)
+{
+	const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert");
+	const char *ssl_key = str_map_find (&ctx->config, "ssl_key");
+
+	// Only try to enable SSL support if the user configures it; it is not
+	// a failure if no one has requested it.
+	if (!ssl_cert && !ssl_key)
+		return true;
+
+	if (!ssl_cert)
+	{
+		print_error ("no SSL certificate set");
+		return false;
+	}
+	if (!ssl_key)
+	{
+		print_error ("no SSL private key set");
+		return false;
+	}
+
+	ctx->ssl_ctx = SSL_CTX_new (SSLv23_server_method ());
+	if (!ctx->ssl_ctx)
+		goto error_ssl_1;
+	SSL_CTX_set_verify (ctx->ssl_ctx,
+		SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, irc_ssl_verify_callback);
+	// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
+
+	// XXX: perhaps we should read the files ourselves for better messages
+	if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, ssl_cert))
+	{
+		print_error ("%s: %s", "setting the SSL client certificate failed",
+			ERR_error_string (ERR_get_error (), NULL));
+		goto error_ssl_2;
+	}
+	if (!SSL_CTX_use_PrivateKey_file (ctx->ssl_ctx, ssl_key, SSL_FILETYPE_PEM))
+	{
+		print_error ("%s: %s", "setting the SSL private key failed",
+			ERR_error_string (ERR_get_error (), NULL));
+		goto error_ssl_2;
+	}
+
+	// TODO: SSL_CTX_check_private_key()?  It has probably already been checked
+	//   by SSL_CTX_use_PrivateKey_file() above.
+
+	// Gah, spare me your awkward semantics, I just want to push data!
+	// XXX: do we want SSL_MODE_AUTO_RETRY as well?  I guess not.
+	SSL_CTX_set_mode (ctx->ssl_ctx,
+		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+	return true;
+
+error_ssl_2:
+	SSL_CTX_free (ctx->ssl_ctx);
+	ctx->ssl_ctx = NULL;
+error_ssl_1:
+	// XXX: these error strings are really nasty; also there could be
+	//   multiple errors on the OpenSSL stack.
+	print_error ("%s: %s", "could not initialize SSL",
+		ERR_error_string (ERR_get_error (), NULL));
+	return false;
+}
+
 static bool
 irc_listen (struct server_context *ctx, struct error **e)
 {
@ -679,13 +709,14 @@ on_signal_pipe_readable (const struct pollfd *fd, struct server_context *ctx)
 	char *dummy;
 	(void) read (fd->fd, &dummy, 1);

-#if 0
-	// TODO
+	// TODO: send ERROR messages to anyone, wait for the messages to get
+	//   dispatched for a few seconds, RST the rest and quit.
 	if (g_termination_requested && !ctx->quitting)
 	{
+#if 0
 		initiate_quit (ctx);
-	}
 #endif
+	}
 }

 static void
@ -778,6 +809,8 @@ main (int argc, char *argv[])
 	poller_set (&ctx.poller, g_signal_pipe[0], POLLIN,
 		(poller_dispatcher_func) on_signal_pipe_readable, &ctx);

+	if (!irc_initialize_ssl (&ctx))
+		exit (EXIT_FAILURE);
 	if (!irc_listen (&ctx, &e))
 	{
 		print_error ("%s", e->message);