upstream/oracle/vpanels: comparison usr/src/cmd/rad/mod/xport_tls/mod_xport

equal deleted inserted replaced

-:98a84e2ccca6
+:f20f2afa6263
-/*
-* CDDL HEADER START
-*
-* The contents of this file are subject to the terms of the
-* Common Development and Distribution License (the "License").
-* You may not use this file except in compliance with the License.
-*
-* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-* or http://www.opensolaris.org/os/licensing.
-* See the License for the specific language governing permissions
-* and limitations under the License.
-*
-* When distributing Covered Code, include this CDDL HEADER in each
-* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-* If applicable, add the following below this CDDL HEADER, with the
-* fields enclosed by brackets "[]" replaced with your own identifying
-* information: Portions Copyright [yyyy] [name of copyright owner]
-*
-* CDDL HEADER END
-*/
-/*
-* Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
-*/
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/utsname.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <spawn.h>
-#include <rad/adr_stream.h>
-#include "rad_object.h"
-#include "rad_modapi.h"
-#include "rad_modapi_xport.h"
-#include "rad_connection.h"
-#include "rad_xport.h"
-#include "../rad_listen.h"
-#include "api_tls.h"
-static char *pam_service = "rad-tls";
-static boolean_t
-generate_cert(const char *cert, const char *key)
-{
-	struct utsname name;
-	struct stat st;
-	pid_t pid;
-	char buffer[1024];
-	const char *args[] = {
-	    "/usr/bin/openssl", "req", "-x509", "-newkey", "rsa:1024",
-	    "-days", "3650", "-sha1", "-nodes", "-keyout", key,
-	    "-out", cert, "-subj", buffer, NULL };
-	if (stat(cert, &st) != -1 && stat(key, &st) != -1)
-		return (B_TRUE);
-	(void) uname(&name);
-	(void) snprintf(buffer, 1024, "/CN=Remote Administration Daemon @ %s",
-	    name.nodename);
-	rad_log(RL_WARN, "generating key/certificate pair\n");
-	if (posix_spawn(&pid, args[0], NULL, NULL, (char **)args, NULL) != 0) {
-		rad_log(RL_ERROR, "failed to create key pair\n");
-		return (B_FALSE);
-	}
-	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
-		;
-	if (chmod(cert, 0644) == -1)
-		rad_log(RL_WARN, "failed to chmod '%s'; "
-		    "certificate only readable by owner: %s", strerror(errno));
-	return (B_TRUE);
-}
-static void
-tls_run(void *arg)
-{
-	radmod_connection_t *conn = arg;
-	rad_proto_handle(conn);
-	rad_conn_free(conn);
-}
-static rad_moderr_t
-tls_listen(rad_thread_t *arg)
-{
-	SSL_CTX *context;
-	SSL *ssl;
-	int fd;
-	data_t *d, *data = rad_thread_arg(arg);
-	int port = data_to_integer(struct_get(data, "port"));
-	d = struct_get(data, "proto");
-	const char *protostr = d != NULL ? data_to_string(d) : "rad";
-	d = struct_get(data, "localonly");
-	boolean_t local = d != NULL ? data_to_boolean(d) : B_TRUE;
-	d = struct_get(data, "certificate");
-	const char *cert = data_to_string(d);
-	d = struct_get(data, "privatekey");
-	const char *key = data_to_string(d);
-	d = struct_get(data, "generate");
-	boolean_t generate = d != NULL ? data_to_boolean(d) : B_FALSE;
-	d = struct_get(data, "pam_service");
-	if (d != NULL) {
-		pam_service = (char *)data_to_string(d);
-	}
-	if (generate && !generate_cert(cert, key)) {
-		rad_log(RL_ERROR, "Failed to generate certificate.\n");
-		return (rm_system);
-	}
-	rad_protocol_t *proto = rad_proto_find(protostr);
-	if (proto == NULL) {
-		rad_log(RL_ERROR, "Unable to find protocol \"%s\".\n",
-		    protostr);
-		return (rm_config);
-	}
-	if ((fd = listen_on_port(port, local)) < 0) {
-		rad_log(RL_ERROR, "Error starting server on port %d\n",
-		    port);
-		return (rm_system);
-	}
-	rad_log(RL_DEBUG, "Initializing SSL library.\n");
-	(void) SSL_library_init();
-	(void) SSL_load_error_strings();
-	rad_log(RL_DEBUG, "Creating SSL context.\n");
-	context = SSL_CTX_new(SSLv23_method());
-	if (context == NULL) {
-		rad_log(RL_ERROR, "Unable to create SSL context.\n");
-		return (rm_system);
-	}
-	(void) SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
-	if (SSL_CTX_use_certificate_chain_file(context, cert) == 0) {
-		rad_log(RL_ERROR, "Unable to use cert file: %s\n", cert);
-		ERR_print_errors_fp(stderr);
-		return (rm_system);
-	}
-	if (SSL_CTX_use_PrivateKey_file(context, key, SSL_FILETYPE_PEM) == 0) {
-		rad_log(RL_ERROR, "Unable to use privatekey file: %s\n", key);
-		ERR_print_errors_fp(stderr);
-		return (rm_system);
-	}
-	rad_thread_ack(arg, rm_ok);
-	for (;;) {
-		int afd, result;
-		rad_log(RL_DEBUG, "Waiting for connection.\n");
-		if ((afd = accept(fd, 0, 0)) == -1) {
-			rad_log(RL_WARN, "Error in accept(): %s\n",
-			    strerror(errno));
-			continue;
-		}
-		rad_log(RL_DEBUG, "Connection accepted.\n");
-		rad_log(RL_DEBUG, "Creating SSL.\n");
-		ssl = SSL_new(context);
-		if (ssl == NULL) {
-			rad_log(RL_WARN, "Unable to create SSL.\n");
-			(void) close(afd);
-			continue;
-		}
-		rad_log(RL_DEBUG, "Initiating SSL connection.\n");
-		if (!SSL_set_fd(ssl, afd)) {
-			rad_log(RL_WARN, "Unable to set SSL fd.\n");
-			goto close;
-		}
-		while ((result = SSL_accept(ssl)) != 1) {
-			result = SSL_get_error(ssl, result);
-			/* Shouldn't happen, but just in case: */
-			if (result == SSL_ERROR_WANT_READ ||
-			    result == SSL_ERROR_WANT_WRITE)
-				continue;
-			ERR_print_errors_fp(stderr);
-			rad_log(RL_WARN,
-			    "Unable to establish connection: %d\n", result);
-			goto close;
-		}
-		rad_log(RL_DEBUG, "Connection accepted.\n");
-		adr_stream_t *stream = adr_stream_create_ssl(ssl, afd);
-		if (stream == NULL)
-			continue;
-		radmod_connection_t *conn = rad_conn_create_fd(afd, B_TRUE);
-		if (conn == NULL) {
-			adr_stream_close(stream);
-			adr_stream_free(stream);
-			rad_log(RL_WARN, "failed to allocate connection");
-			continue;
-		}
-		conn->rm_conn_xport = stream;
-		conn->rm_conn_proto_ops = proto;
-		conn->rm_conn_pam_service = pam_service;
-		if (rad_thread_create_async(tls_run, conn) != rm_ok) {
-			rad_conn_close(conn);
-			rad_conn_free(conn);
-		}
-		continue;
-close:
-		SSL_free(ssl);
-		(void) close(afd);
-	}
-}
-static rad_moderr_t
-starter(data_t *data)
-{
-	/*
-	 * Verify parameters.
-	 */
-	if (struct_get(data, "port") == NULL) {
-		rad_log(RL_ERROR, "Port required\n");
-		return (rm_config);
-	}
-	if (struct_get(data, "certificate") == NULL) {
-		rad_log(RL_ERROR, "Cert required\n");
-		return (rm_config);
-	}
-	if (struct_get(data, "privatekey") == NULL) {
-		rad_log(RL_ERROR, "Private key required\n");
-		return (rm_config);
-	}
-	return (rad_thread_create(tls_listen, data));
-}
-static rad_modinfo_t modinfo = { "xport_tls", "TLS socket transport module" };
-int
-_rad_init(void *handle)
-{
-	if (rad_module_register(handle, RAD_MODVERSION, &modinfo) == -1)
-		return (-1);
-	rad_xport_register("tls", &t__tls, starter);
-	return (0);
-}

changeset 862	f20f2afa6263
parent 861	98a84e2ccca6
child 863	83ff534df225