kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit a9f7bd7faf065f4d958da0527e94dd8e910c6feb
parent c93a8f3b40741cc0a0b20eaf2aa45f44dbf68596
Author: Joris Vink <joris@coders.se>
Date:   Fri, 18 Feb 2022 10:20:28 +0100

rename ssl prefixed things to tls.

Diffstat:
include/kore/kore.h | 5+++--
src/accesslog.c | 2+-
src/connection.c | 6++++--
src/http.c | 4++--
src/python.c | 8++++----
src/tls_openssl.c | 130++++++++++++++++++++++++++++++++++++++++----------------------------------------
src/utils.c | 2+-
src/worker.c | 2+-
8 files changed, 81 insertions(+), 78 deletions(-)

diff --git a/include/kore/kore.h b/include/kore/kore.h @@ -214,10 +214,11 @@ struct connection { u_int8_t state; u_int8_t proto; struct listener *owner; - void *ssl; - void *cert; + void *tls; + void *tls_cert; char *tls_sni; int tls_reneg; + u_int16_t flags; void *hdlr_extra; diff --git a/src/accesslog.c b/src/accesslog.c @@ -111,7 +111,7 @@ kore_accesslog(struct http_request *req) cn = "-"; cn_value = NULL; - if (req->owner->cert != NULL) { + if (req->owner->tls_cert != NULL) { if (kore_x509_subject_name(req->owner, &cn_value, KORE_X509_COMMON_NAME_ONLY)) cn = cn_value; diff --git a/src/connection.c b/src/connection.c @@ -61,15 +61,17 @@ kore_connection_new(void *owner) c = kore_pool_get(&connection_pool); - c->ssl = NULL; - c->cert = NULL; c->flags = 0; c->rnb = NULL; c->snb = NULL; c->owner = owner; c->handle = NULL; + + c->tls = NULL; + c->tls_cert = NULL; c->tls_reneg = 0; c->tls_sni = NULL; + c->disconnect = NULL; c->hdlr_extra = NULL; c->proto = CONN_PROTO_UNKNOWN; diff --git a/src/http.c b/src/http.c @@ -1982,7 +1982,7 @@ http_request_new(struct connection *c, const char *host, return (NULL); } - if (dom->cafile != NULL && c->cert == NULL) { + if (dom->cafile != NULL && c->tls_cert == NULL) { http_error_response(c, HTTP_STATUS_FORBIDDEN); return (NULL); } @@ -2485,7 +2485,7 @@ http_response_normal(struct http_request *req, struct connection *c, } } - if (c->ssl && http_hsts_enable) { + if (c->tls && http_hsts_enable) { kore_buf_appendf(header_buf, "strict-transport-security: "); kore_buf_appendf(header_buf, "max-age=%" PRIu64 "; includeSubDomains\r\n", diff --git a/src/python.c b/src/python.c @@ -2916,7 +2916,7 @@ pyconnection_get_peer_x509(struct pyconnection *pyc, void *closure) u_int8_t *der; PyObject *bytes; - if (pyc->c->cert == NULL) { + if (pyc->c->tls_cert == NULL) { Py_RETURN_NONE; } 
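Review bot: The renamed `tls` and `tls_cert` members of struct connection in include/kore/kore.h stay bare `void *` with no comment saying what they hold or who releases them, so a reader of the header cannot tell that `tls_cert` is only populated when the domain asked the peer for a certificate. I would annotate them where they are declared, e.g. `void *tls; /* backend TLS session, released by kore_tls_connection_cleanup() */` and `void *tls_cert; /* peer certificate, NULL unless the domain requested a client cert */`, which is exactly how kore_tls_connection_accept and kore_tls_connection_cleanup in src/tls_openssl.c treat them in this same commit. The struct definition starts and ends outside the hunk, and the blank lines of the hunk appear to have been lost in rendering, so the exact position of the one added line cannot be confirmed from here.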
@@ -2942,7 +2942,7 @@ pyconnection_get_peer_x509dict(struct pyconnection *pyc, void *closure) issuer = NULL; subject = NULL; - if (pyc->c->cert == NULL) { + if (pyc->c->tls_cert == NULL) { Py_RETURN_NONE; } @@ -2963,7 +2963,7 @@ pyconnection_get_peer_x509dict(struct pyconnection *pyc, void *closure) PyErr_Clear(); - if ((name = kore_tls_x509_subject_name(pyc->c->cert)) == NULL) { + if ((name = kore_tls_x509_subject_name(pyc->c)) == NULL) { PyErr_Format(PyExc_RuntimeError, "failed to obtain x509 subjectName"); goto out; @@ -2977,7 +2977,7 @@ pyconnection_get_peer_x509dict(struct pyconnection *pyc, void *closure) goto out; } - if ((name = kore_tls_x509_issuer_name(pyc->c->cert)) == NULL) { + if ((name = kore_tls_x509_issuer_name(pyc->c)) == NULL) { PyErr_Format(PyExc_RuntimeError, "failed to obtain x509 issuerName"); goto out; diff --git a/src/tls_openssl.c b/src/tls_openssl.c 
@@ -209,30 +209,30 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, kore_debug("kore_domain_tlsinit(%s)", dom->domain); - if (dom->ssl_ctx != NULL) - SSL_CTX_free(dom->ssl_ctx); + if (dom->tls_ctx != NULL) + SSL_CTX_free(dom->tls_ctx); if ((method = TLS_method()) == NULL) fatalx("TLS_method(): %s", ssl_errno_s); - if ((dom->ssl_ctx = SSL_CTX_new(method)) == NULL) + if ((dom->tls_ctx = SSL_CTX_new(method)) == NULL) fatalx("SSL_ctx_new(): %s", ssl_errno_s); - if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx, TLS1_2_VERSION)) + if (!SSL_CTX_set_min_proto_version(dom->tls_ctx, TLS1_2_VERSION)) fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); #if defined(TLS1_3_VERSION) - if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_3_VERSION)) + if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_3_VERSION)) fatalx("SSL_CTX_set_max_proto_version: %s", ssl_errno_s); #else - if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, TLS1_2_VERSION)) + if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_2_VERSION)) fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); #endif switch (tls_version) { case KORE_TLS_VERSION_1_3: #if defined(TLS1_3_VERSION) - if (!SSL_CTX_set_min_proto_version(dom->ssl_ctx, + if (!SSL_CTX_set_min_proto_version(dom->tls_ctx, TLS1_3_VERSION)) { fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); @@ -240,7 +240,7 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, break; #endif case KORE_TLS_VERSION_1_2: - if (!SSL_CTX_set_max_proto_version(dom->ssl_ctx, + if (!SSL_CTX_set_max_proto_version(dom->tls_ctx, TLS1_2_VERSION)) { fatalx("SSL_CTX_set_min_proto_version: %s", ssl_errno_s); 
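Review bot: The failure message for SSL_CTX_set_max_proto_version in the `#else` branch, and again in the KORE_TLS_VERSION_1_2 case of the switch, still reads `"SSL_CTX_set_min_proto_version: %s"`, so a startup failure while capping the protocol at TLS 1.2 would be logged as a failure of the minimum-version call. Since these lines are already being touched for the rename, correcting both to `fatalx("SSL_CTX_set_max_proto_version: %s", ssl_errno_s);` keeps the fatal log usable when diagnosing a misconfigured build or library. kore_tls_domain_setup begins before this hunk and its version handling continues past it.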
@@ -255,14 +255,14 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, switch (type) { case KORE_PEM_CERT_CHAIN: - x509 = tls_domain_load_certificate_chain(dom->ssl_ctx, + x509 = tls_domain_load_certificate_chain(dom->tls_ctx, data, datalen); break; case KORE_DER_CERT_DATA: ptr = data; if ((x509 = d2i_X509(NULL, &ptr, datalen)) == NULL) fatalx("d2i_X509: %s", ssl_errno_s); - if (SSL_CTX_use_certificate(dom->ssl_ctx, x509) == 0) + if (SSL_CTX_use_certificate(dom->tls_ctx, x509) == 0) fatalx("SSL_CTX_use_certificate: %s", ssl_errno_s); break; default: @@ -272,8 +272,8 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, if (x509 == NULL) { kore_log(LOG_NOTICE, "failed to load certificate for '%s': %s", dom->domain, ssl_errno_s); - SSL_CTX_free(dom->ssl_ctx); - dom->ssl_ctx = NULL; + SSL_CTX_free(dom->tls_ctx); + dom->tls_ctx = NULL; return; } @@ -297,10 +297,10 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, fatalx("unknown public key in certificate"); } - if (!SSL_CTX_use_PrivateKey(dom->ssl_ctx, pkey)) + if (!SSL_CTX_use_PrivateKey(dom->tls_ctx, pkey)) fatalx("SSL_CTX_use_PrivateKey(): %s", ssl_errno_s); - if (!SSL_CTX_check_private_key(dom->ssl_ctx)) { + if (!SSL_CTX_check_private_key(dom->tls_ctx)) { fatalx("Public/Private key for %s do not match (%s)", dom->domain, ssl_errno_s); } 
@@ -308,14 +308,14 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, if (dh_params == NULL) fatal("no DH parameters specified"); - SSL_CTX_set_tmp_dh(dom->ssl_ctx, dh_params); - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE); + SSL_CTX_set_tmp_dh(dom->tls_ctx, dh_params); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_SINGLE_DH_USE); - if (!SSL_CTX_set_ecdh_auto(dom->ssl_ctx, 1)) + if (!SSL_CTX_set_ecdh_auto(dom->tls_ctx, 1)) fatalx("SSL_CTX_set_ecdh_auto: %s", ssl_errno_s); - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_COMPRESSION); if (dom->cafile != NULL) { if ((certs = SSL_load_client_CA_file(dom->cafile)) == NULL) { 
@@ -323,32 +323,32 @@ kore_tls_domain_setup(struct kore_domain *dom, int type, dom->cafile, ssl_errno_s); } - SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL); - SSL_CTX_set_verify_depth(dom->ssl_ctx, dom->x509_verify_depth); - SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs); - SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER | + SSL_CTX_load_verify_locations(dom->tls_ctx, dom->cafile, NULL); + SSL_CTX_set_verify_depth(dom->tls_ctx, dom->x509_verify_depth); + SSL_CTX_set_client_CA_list(dom->tls_ctx, certs); + SSL_CTX_set_verify(dom->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tls_domain_x509_verify); } - SSL_CTX_set_session_id_context(dom->ssl_ctx, + SSL_CTX_set_session_id_context(dom->tls_ctx, (unsigned char *)TLS_SESSION_ID, strlen(TLS_SESSION_ID)); - SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_mode(dom->tls_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); if (tls_version == KORE_TLS_VERSION_BOTH) { - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2); - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv3); - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1); - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1_1); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_TLSv1); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_NO_TLSv1_1); } - SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); - SSL_CTX_set_cipher_list(dom->ssl_ctx, tls_cipher_list); + SSL_CTX_set_options(dom->tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + SSL_CTX_set_cipher_list(dom->tls_ctx, tls_cipher_list); - SSL_CTX_set_info_callback(dom->ssl_ctx, tls_info_callback); - SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, tls_sni_cb); + SSL_CTX_set_info_callback(dom->tls_ctx, tls_info_callback); + SSL_CTX_set_tlsext_servername_callback(dom->tls_ctx, tls_sni_cb); #if defined(KORE_USE_ACME) - SSL_CTX_set_alpn_select_cb(dom->ssl_ctx, 
tls_acme_alpn, dom); + SSL_CTX_set_alpn_select_cb(dom->tls_ctx, tls_acme_alpn, dom); #endif X509_free(x509); @@ -365,7 +365,7 @@ kore_tls_domain_crl(struct kore_domain *dom, const void *pem, size_t pemlen) ERR_clear_error(); in = BIO_new_mem_buf(pem, pemlen); - if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL) { + if ((store = SSL_CTX_get_cert_store(dom->tls_ctx)) == NULL) { BIO_free(in); kore_log(LOG_ERR, "SSL_CTX_get_cert_store(): %s", ssl_errno_s); return; @@ -408,8 +408,8 @@ kore_tls_domain_crl(struct kore_domain *dom, const void *pem, size_t pemlen) void kore_tls_domain_cleanup(struct kore_domain *dom) { - if (dom->ssl_ctx != NULL) - SSL_CTX_free(dom->ssl_ctx); + if (dom->tls_ctx != NULL) + SSL_CTX_free(dom->tls_ctx); } int @@ -423,22 +423,22 @@ kore_tls_connection_accept(struct connection *c) return (KORE_RESULT_ERROR); } - if (primary_dom->ssl_ctx == NULL) { + if (primary_dom->tls_ctx == NULL) { kore_log(LOG_NOTICE, "TLS configuration for %s not yet complete", primary_dom->domain); return (KORE_RESULT_ERROR); } - if (c->ssl == NULL) { - c->ssl = SSL_new(primary_dom->ssl_ctx); - if (c->ssl == NULL) + if (c->tls == NULL) { + c->tls = SSL_new(primary_dom->tls_ctx); + if (c->tls == NULL) return (KORE_RESULT_ERROR); - SSL_set_fd(c->ssl, c->fd); - SSL_set_accept_state(c->ssl); + SSL_set_fd(c->tls, c->fd); + SSL_set_accept_state(c->tls); - if (!SSL_set_ex_data(c->ssl, 0, c)) + if (!SSL_set_ex_data(c->tls, 0, c)) return (KORE_RESULT_ERROR); if (primary_dom->cafile != NULL) @@ -446,9 +446,9 @@ kore_tls_connection_accept(struct connection *c) } ERR_clear_error(); - r = SSL_accept(c->ssl); + r = SSL_accept(c->tls); if (r <= 0) { - r = SSL_get_error(c->ssl, r); + r = SSL_get_error(c->tls, r); switch (r) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: 
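Review bot: kore_tls_domain_cleanup frees `dom->tls_ctx` but leaves the pointer set, whereas the certificate-load failure path in kore_tls_domain_setup in this same file clears it right after SSL_CTX_free. kore_tls_domain_setup frees a non-NULL `tls_ctx` on entry and worker_keymgr_response in src/worker.c only re-runs setup when `tls_ctx == NULL`, so a domain that is cleaned up and later reconfigured would either double-free the context or have its re-setup skipped; I would write `SSL_CTX_free(dom->tls_ctx); dom->tls_ctx = NULL;` and drop the NULL guard, since SSL_CTX_free already accepts NULL. Whether cleanup and setup can actually run on the same domain in that order is not visible here, so this is mainly a consistency point with the setup path.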
@@ -471,14 +471,14 @@ kore_tls_connection_accept(struct connection *c) } #endif - if (SSL_get_verify_mode(c->ssl) & SSL_VERIFY_PEER) { - c->cert = SSL_get_peer_certificate(c->ssl); - if (c->cert == NULL) { + if (SSL_get_verify_mode(c->tls) & SSL_VERIFY_PEER) { + c->tls_cert = SSL_get_peer_certificate(c->tls); + if (c->tls_cert == NULL) { kore_log(LOG_NOTICE, "no peer certificate"); return (KORE_RESULT_ERROR); } } else { - c->cert = NULL; + c->tls_cert = NULL; } return (KORE_RESULT_OK); @@ -490,14 +490,14 @@ kore_tls_read(struct connection *c, size_t *bytes) int r; ERR_clear_error(); - r = SSL_read(c->ssl, (c->rnb->buf + c->rnb->s_off), + r = SSL_read(c->tls, (c->rnb->buf + c->rnb->s_off), (c->rnb->b_len - c->rnb->s_off)); if (c->tls_reneg > 1) return (KORE_RESULT_ERROR); if (r <= 0) { - r = SSL_get_error(c->ssl, r); + r = SSL_get_error(c->tls, r); switch (r) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: @@ -542,12 +542,12 @@ kore_tls_write(struct connection *c, size_t len, size_t *written) return (KORE_RESULT_ERROR); ERR_clear_error(); - r = SSL_write(c->ssl, (c->snb->buf + c->snb->s_off), len); + r = SSL_write(c->tls, (c->snb->buf + c->snb->s_off), len); if (c->tls_reneg > 1) return (KORE_RESULT_ERROR); if (r <= 0) { - r = SSL_get_error(c->ssl, r); + r = SSL_get_error(c->tls, r); switch (r) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: @@ -585,13 +585,13 @@ kore_tls_write(struct connection *c, size_t len, size_t *written) void kore_tls_connection_cleanup(struct connection *c) { - if (c->ssl != NULL) { - SSL_shutdown(c->ssl); - SSL_free(c->ssl); + if (c->tls != NULL) { + SSL_shutdown(c->tls); + SSL_free(c->tls); } - if (c->cert != NULL) - X509_free(c->cert); + if (c->tls_cert != NULL) + X509_free(c->tls_cert); if (c->tls_sni != NULL) kore_free(c->tls_sni); 
@@ -656,7 +656,7 @@ kore_tls_x509_subject_name(struct connection *c) { X509_NAME *name; - if ((name = X509_get_subject_name(c->cert)) == NULL) + if ((name = X509_get_subject_name(c->tls_cert)) == NULL) kore_log(LOG_NOTICE, "X509_get_subject_name: %s", ssl_errno_s); return (name); @@ -667,7 +667,7 @@ kore_tls_x509_issuer_name(struct connection *c) { X509_NAME *name; - if ((name = X509_get_issuer_name(c->cert)) == NULL) + if ((name = X509_get_issuer_name(c->tls_cert)) == NULL) kore_log(LOG_NOTICE, "X509_get_issuer_name: %s", ssl_errno_s); return (name); @@ -740,7 +740,7 @@ kore_tls_x509_data(struct connection *c, u_int8_t **ptr, size_t *olen) int len; u_int8_t *der, *pp; - if ((len = i2d_X509(c->cert, NULL)) <= 0) { + if ((len = i2d_X509(c->tls_cert, NULL)) <= 0) { kore_log(LOG_NOTICE, "i2d_X509: %s", ssl_errno_s); return (KORE_RESULT_ERROR); } @@ -748,7 +748,7 @@ kore_tls_x509_data(struct connection *c, u_int8_t **ptr, size_t *olen) der = kore_calloc(1, len); pp = der; - if (i2d_X509(c->cert, &pp) <= 0) { + if (i2d_X509(c->tls_cert, &pp) <= 0) { kore_free(der); kore_log(LOG_NOTICE, "i2d_X509: %s", ssl_errno_s); return (KORE_RESULT_ERROR); @@ -801,7 +801,7 @@ tls_sni_cb(SSL *ssl, int *ad, void *arg) if (sname != NULL && (dom = kore_domain_lookup(c->owner->server, sname)) != NULL) { - if (dom->ssl_ctx == NULL) { + if (dom->tls_ctx == NULL) { kore_log(LOG_NOTICE, "TLS configuration for %s not complete", dom->domain); @@ -809,7 +809,7 @@ tls_sni_cb(SSL *ssl, int *ad, void *arg) } kore_debug("kore_ssl_sni_cb(): Using %s CTX", sname); - SSL_set_SSL_CTX(ssl, dom->ssl_ctx); + SSL_set_SSL_CTX(ssl, dom->tls_ctx); if (dom->cafile != NULL) { SSL_set_verify(ssl, SSL_VERIFY_PEER | diff --git a/src/utils.c b/src/utils.c 
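Review bot: kore_tls_x509_subject_name and kore_tls_x509_issuer_name now receive the connection but still hand `c->tls_cert` straight to X509_get_subject_name and X509_get_issuer_name with no NULL check between the opening brace and the call, so every caller has to remember the guard; the pyconnection getters in src/python.c do it, but kore_x509_issuer_name in src/utils.c calls `kore_tls_x509_issuer_name(c)` with nothing in its hunk checking `tls_cert` first. Now that the helpers have the connection, the check belongs inside them: `if (c->tls_cert == NULL) return (NULL);` at the top of both, which also lets callers treat a NULL result uniformly instead of distinguishing "no certificate" from "name lookup failed" themselves. The same applies to kore_tls_x509_data further down this hunk, which passes `c->tls_cert` to i2d_X509 directly after its declarations. Callers of kore_x509_issuer_name outside this page may guard the pointer already, but a single check in the helper removes that dependency.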
@@ -497,7 +497,7 @@ kore_x509_issuer_name(struct connection *c, char **out, int flags) struct kore_buf buf; void *name; - if ((name = kore_tls_x509_issuer_name(c->cert)) == NULL) + if ((name = kore_tls_x509_issuer_name(c)) == NULL) return (KORE_RESULT_ERROR); kore_buf_init(&buf, 1024); diff --git a/src/worker.c b/src/worker.c @@ -1059,7 +1059,7 @@ worker_keymgr_response(struct kore_msg *msg, const void *data) break; #if defined(KORE_USE_ACME) case KORE_ACME_CHALLENGE_SET_CERT: - if (dom->ssl_ctx == NULL) { + if (dom->tls_ctx == NULL) { kore_tls_domain_setup(dom, KORE_DER_CERT_DATA, req->data, req->data_len); }