Merge of r85:88 from branch polarssl into trunk.

diff --git a/src/Makefile b/src/Makefile
index a93fc5a9480ea44fa37dc4be9e7441e53b4e5954..af5aa3dd5cd8f4ebf55a6c850a0035cd870b78bd 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -3,13 +3,30 @@ SRCS:=client.c main.c messages.c pds.c server.c ssl.c log.c conf.c crypt.c \
 
 OBJS:=$(patsubst %.c, %.o, $(SRCS))
 
+POLARSSL_LIB:=../../../../polarssl/polarssl-0.12.1/library/libpolarssl.a
+
+# For Valgrind
 #CFLAGS:=$(CFLAGS) -I. -I/data/export/proj/openssl/include/ -Wall -g -DDEBUG
 #LDFLAGS:=$(LDFLAGS) -L/data/export/proj/openssl/lib/ -lcrypto -lssl -lconfig
-CFLAGS:=$(CFLAGS) -I. -Wall -g
-LDFLAGS:=$(LDFLAGS) -lcrypto -lssl -lconfig
 
-umurmurd:google/protobuf-c/libprotobuf_c.a depend.mak $(OBJS)  
-       $(CC) $(LDFLAGS) $(OBJS) google/protobuf-c/libprotobuf_c.a -o umurmurd
+# PolarSSL
+CFLAGS:=$(CFLAGS) -DDEBUG -DUSE_POLARSSL -I. -I../../../../polarssl/polarssl-0.12.1/include -Wall -g
+LDFLAGS:=$(LDFLAGS) -L  -lpolarssl -lconfig
+
+# OpenSSL
+#CFLAGS:=$(CFLAGS) -I. -Wall
+#LDFLAGS:=$(LDFLAGS) -L  -lcrypto -lssl -lconfig
+
+# Debug
+#CFLAGS:=$(CFLAGS) -DDEBUG -I. -Wall -g
+
+# PolarSSL
+umurmurd:google/protobuf-c/libprotobuf_c.a depend.mak $(OBJS) $(POLARSSL_LIB)
+       $(CC) $(LDFLAGS) $(OBJS) $(POLARSSL_LIB) google/protobuf-c/libprotobuf_c.a -o umurmurd
+
+# OpenSSL
+#umurmurd:google/protobuf-c/libprotobuf_c.a depend.mak $(OBJS)
+#      $(CC) $(LDFLAGS) $(OBJS) google/protobuf-c/libprotobuf_c.a -o umurmurd
 
 google/protobuf-c/libprotobuf_c.a:
        $(MAKE) -C google/protobuf-c/

diff --git a/src/channel.c b/src/channel.c
index 1fab5a4a793cdde82849bb36373798d03697c40e..3524a966f9c958dfe52ca70eefc296596c0172ed 100644 (file)
--- a/src/channel.c
+++ b/src/channel.c
@@ -29,6 +29,8 @@
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include <limits.h>
+#include <stdlib.h>
+#include <string.h>
 #include "log.h"
 #include "list.h"
 #include "client.h"

diff --git a/src/client.c b/src/client.c
index 141934735629e96c9587cc16156505ff0de49cdf..e515a454e0082ae731d4bc9b15f3fa24c0730b76 100644 (file)
--- a/src/client.c
+++ b/src/client.c
@@ -30,8 +30,11 @@
 */
 #include <sys/poll.h>
 #include <sys/socket.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <limits.h>
+#include <stdlib.h>
+#include <string.h>
 #include "log.h"
 #include "list.h"
 #include "client.h"
@@ -247,7 +250,7 @@ int Client_add(int fd, struct sockaddr_in *remote)
 
        newclient->tcpfd = fd;
        memcpy(&newclient->remote_tcp, remote, sizeof(struct sockaddr_in));
-       newclient->ssl = SSL_newconnection(newclient->tcpfd, &newclient->SSLready);
+       newclient->ssl = SSLi_newconnection(&newclient->tcpfd, &newclient->SSLready);
        if (newclient->ssl == NULL) {
                Log_warn("SSL negotiation failed with %s:%d", inet_ntoa(remote->sin_addr),
                                 ntohs(remote->sin_port));
@@ -307,7 +310,7 @@ void Client_free(client_t *client)
        
        list_del(&client->node);
        if (client->ssl)
-               SSL_free(client->ssl);
+               SSLi_free(client->ssl);
        close(client->tcpfd);
        clientcount--;
        if (client->release)
@@ -323,7 +326,7 @@ void Client_free(client_t *client)
 
 void Client_close(client_t *client)
 {
-       SSL_shutdown(client->ssl);
+       SSLi_shutdown(client->ssl);
        client->shutdown_wait = true;
 }
 
@@ -371,7 +374,7 @@ int Client_read(client_t *client)
        }
        if (!client->SSLready) {
                int rc;
-               rc = SSL_nonblockaccept(client->ssl, &client->SSLready);
+               rc = SSLi_nonblockaccept(client->ssl, &client->SSLready);
                if (rc < 0) {
                        Client_free(client);
                        return -1;
@@ -381,9 +384,9 @@ int Client_read(client_t *client)
        do {
                errno = 0;
                if (!client->msgsize) 
-                       rc = SSL_read(client->ssl, &client->rxbuf[client->rxcount], 6 - client->rxcount);
+                       rc = SSLi_read(client->ssl, &client->rxbuf[client->rxcount], 6 - client->rxcount);
                else
-                       rc = SSL_read(client->ssl, &client->rxbuf[client->rxcount], client->msgsize);
+                       rc = SSLi_read(client->ssl, &client->rxbuf[client->rxcount], client->msgsize);
                if (rc > 0) {
                        message_t *msg;
                        client->rxcount += rc;
@@ -411,33 +414,30 @@ int Client_read(client_t *client)
                                client->rxcount = client->msgsize = 0;
                        }
                } else /* rc <= 0 */ {
-                       if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_READ) {
+                       if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_READ) {
                                return 0;
                        }
-                       else if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_WRITE) {
+                       else if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_WRITE) {
                                client->readBlockedOnWrite = true;
                                return 0;
                        }
-                       else if (SSL_get_error(client->ssl, rc) == SSL_ERROR_ZERO_RETURN) {
+                       else if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_ZERO_RETURN) {
                                Log_info_client(client, "Connection closed by peer");
                                if (!client->shutdown_wait)
                                        Client_close(client);
                        }
                        else {
-                               if (SSL_get_error(client->ssl, rc) == SSL_ERROR_SYSCALL) {
-                                       /* Hmm. This is where we end up when the client closes its connection.
-                                        * Kind of strange...
-                                        */
+                               if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_SYSCALL) {
                                        Log_info_client(client, "Connection closed by peer");
                                }
                                else {
-                                       Log_info_client(client, "SSL error: %d - Closing connection", SSL_get_error(client->ssl, rc));
+                                       Log_info_client(client, "SSL error: %d - Closing connection", SSLi_get_error(client->ssl, rc));
                                }
                                Client_free(client);
                                return -1;
                        }
                }
-       } while (SSL_pending(client->ssl));
+       } while (SSLi_data_pending(client->ssl));
        
        return 0;
 }
@@ -468,25 +468,25 @@ int Client_write(client_t *client)
                Log_debug("Client_write: readBlockedOnWrite == true");
                return Client_read(client);
        }
-       rc = SSL_write(client->ssl, &client->txbuf[client->txcount], client->txsize - client->txcount);
+       rc = SSLi_write(client->ssl, &client->txbuf[client->txcount], client->txsize - client->txcount);
        if (rc > 0) {
                client->txcount += rc;
                if (client->txcount == client->txsize)
                        client->txsize = client->txcount = 0;
        }
        else if (rc < 0) {
-               if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_READ) {
+               if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_READ) {
                        client->writeBlockedOnRead = true;
                        return 0;
                }
-               else if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_WRITE) {
+               else if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_WRITE) {
                        return 0;
                }
                else {
-                       if (SSL_get_error(client->ssl, rc) == SSL_ERROR_SYSCALL)
+                       if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_SYSCALL)
                                Log_warn("Client_write: Error: %s  - Closing connection", strerror(errno));
                        else
-                               Log_warn("Client_write: SSL error: %d - Closing connection.", SSL_get_error(client->ssl, rc));
+                               Log_warn("Client_write: SSL error: %d - Closing connection.", SSLi_get_error(client->ssl, rc));
                        Client_free(client);
                        return -1;
                }

diff --git a/src/client.h b/src/client.h
index f7b88c492993a65144357151ead09a8f22990ada..66bf7d8d9ad1bfc0ff4b8b95e4f6c0106c8dcc70 100644 (file)
--- a/src/client.h
+++ b/src/client.h
@@ -31,7 +31,6 @@
 #ifndef CLIENT_H_45786678
 #define CLIENT_H_45786678
 
-#include <openssl/ssl.h>
 #include <stdint.h>
 #include <unistd.h>             /* close() */
 #include <sys/types.h>
@@ -47,6 +46,7 @@
 #include "crypt.h"
 #include "timer.h"
 #include "pds.h"
+#include "ssl.h"
 
 #define BUFSIZE 8192
 #define UDP_BUFSIZE 512
@@ -57,7 +57,7 @@
 
 typedef struct {
        int tcpfd;
-       SSL *ssl;
+       SSL_handle_t *ssl;
        bool_t SSLready;
        bool_t shutdown_wait;
        cryptState_t cryptState;

diff --git a/src/crypt.c b/src/crypt.c
index e69d34e4524269d8d1cde279fecb496e2bb49d7e..8324bca5dc24b8050ccaaa3ae4320afd13092e69 100644 (file)
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -41,7 +41,19 @@
 #include <string.h>
 #include <arpa/inet.h>
 #include "crypt.h"
-#include "log.h"
+
+#ifdef USE_POLARSSL
+#include <polarssl/havege.h>
+#define RAND_bytes(_dst_, _size_) do { \
+       int i; \
+       for (i = 0; i < _size_; i++) { \
+       _dst_[i] = havege_rand(&hs); \
+       } \
+ } while (0);
+
+extern havege_state hs;
+#endif
+
 static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag);
 static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag);
 
@@ -67,8 +79,13 @@ void CryptState_genKey(cryptState_t *cs) {
        RAND_bytes(cs->raw_key, AES_BLOCK_SIZE);
        RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE);
        RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE);
+#ifndef USE_POLARSSL
        AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
        AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
+#else
+       aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128);
+       aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
+#endif
        cs->bInit = true;
 }
 
@@ -77,8 +94,13 @@ void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsign
        memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE);
        memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE);
        memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE);
-       AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
+#ifndef USE_POLARSSL
+       AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key);
        AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
+#else
+       aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128);
+       aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
+#endif
        cs->bInit = true;
 }
 
@@ -184,7 +206,7 @@ bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigne
        CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag);
 
        if (memcmp(tag, source+1, 3) != 0) {
-               memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
+               memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);         
                return false;
        }
        cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1];
@@ -257,20 +279,25 @@ static void inline ZERO(subblock *block) {
                block[i]=0;
 }
 
-#define AESencrypt(src,dst,key) AES_encrypt((unsigned char *)(src),(unsigned char *)(dst), key);
-#define AESdecrypt(src,dst,key) AES_decrypt((unsigned char *)(src),(unsigned char *)(dst), key);
+#ifdef USE_POLARSSL
+#define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst));
+#define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst));
+#else
+#define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key);
+#define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key);
+#endif
 
 void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
        subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
 
        // Initialize
-       AESencrypt(nonce, delta, &cs->encrypt_key);
+       AESencrypt(nonce, delta, cs);
        ZERO(checksum);
 
        while (len > AES_BLOCK_SIZE) {
                S2(delta);
                XOR(tmp, delta, (const subblock *)(plain));
-               AESencrypt(tmp, tmp, &cs->encrypt_key);
+               AESencrypt(tmp, tmp, cs);
                XOR((subblock *)(encrypted), delta, tmp);
                XOR(checksum, checksum, (subblock *)(plain));
                len -= AES_BLOCK_SIZE;
@@ -282,7 +309,7 @@ void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsign
        ZERO(tmp);
        tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
        XOR(tmp, tmp, delta);
-       AESencrypt(tmp, pad, &cs->encrypt_key);
+       AESencrypt(tmp, pad, cs);
        memcpy(tmp, plain, len);
        memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len);
        XOR(checksum, checksum, tmp);
@@ -291,20 +318,19 @@ void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsign
 
        S3(delta);
        XOR(tmp, delta, checksum);
-       AESencrypt(tmp, tag, &cs->encrypt_key);
+       AESencrypt(tmp, tag, cs);
 }
 
 void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
        subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
-
        // Initialize
-       AESencrypt(nonce, delta, &cs->encrypt_key);
+       AESencrypt(nonce, delta, cs);
        ZERO(checksum);
 
        while (len > AES_BLOCK_SIZE) {
                S2(delta);
                XOR(tmp, delta, (const subblock *)(encrypted));
-               AESdecrypt(tmp, tmp, &cs->decrypt_key);
+               AESdecrypt(tmp, tmp, cs);
                XOR((subblock *)(plain), delta, tmp);
                XOR(checksum, checksum, (const subblock *)(plain));
                len -= AES_BLOCK_SIZE;
@@ -316,7 +342,7 @@ void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, un
        ZERO(tmp);
        tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
        XOR(tmp, tmp, delta);
-       AESencrypt(tmp, pad, &cs->encrypt_key);
+       AESencrypt(tmp, pad, cs);
        memset(tmp, 0, AES_BLOCK_SIZE);
        memcpy(tmp, encrypted, len);
        XOR(tmp, tmp, pad);
@@ -325,5 +351,5 @@ void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, un
 
        S3(delta);
        XOR(tmp, delta, checksum);
-       AESencrypt(tmp, tag, &cs->encrypt_key);
+       AESencrypt(tmp, tag, cs);
 }

diff --git a/src/crypt.h b/src/crypt.h
index 8e95fe2f8dbaaa6fd663ab3a33afcae77a54bd55..4570c74b294c488ea340f5935f6cd056c55c95c3 100644 (file)
--- a/src/crypt.h
+++ b/src/crypt.h
@@ -28,11 +28,18 @@
    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#ifndef _CRYPTSTATE_H
-#define _CRYPTSTATE_H
+#ifndef CRYPTSTATE_H_34564356
+#define CRYPTSTATE_H_34564356
 
+#ifdef USE_POLARSSL
+#include <polarssl/havege.h>
+#include <polarssl/aes.h>
+#define AES_BLOCK_SIZE 16
+#else
 #include <openssl/rand.h>
 #include <openssl/aes.h>
+#endif
+
 #include <stdint.h>
 #include "timer.h"
 #include "types.h"
@@ -52,9 +59,13 @@ typedef struct CryptState {
        unsigned int uiRemoteLate;
        unsigned int uiRemoteLost;
        unsigned int uiRemoteResync;
-       
+#ifndef USE_POLARSSL
        AES_KEY encrypt_key;
        AES_KEY decrypt_key;
+#else
+       aes_context aes_enc;
+       aes_context aes_dec;
+#endif
        etimer_t tLastGood;
        etimer_t tLastRequest;
        bool_t bInit;   
@@ -68,4 +79,5 @@ void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv);
 
 bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length);
 void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length);
+
 #endif

diff --git a/src/main.c b/src/main.c
index cce178a1ffe458d90de0efd9fcb64aabc4ce580a..a4c1c12b3182045174f8af9e8ee0c106d6e8bcc9 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -39,6 +39,8 @@
 #include <signal.h>
 #include <sched.h>
 #include <errno.h>
+#include <string.h>
+#include <stdlib.h>
 
 #include "server.h"
 #include "ssl.h"
@@ -182,6 +184,7 @@ int main(int argc, char **argv)
        signal(SIGTSTP, SIG_IGN); /* ignore tty signals */
        signal(SIGTTOU, SIG_IGN);
        signal(SIGTTIN, SIG_IGN);
+       signal(SIGPIPE, SIG_IGN);
        signal(SIGHUP, signal_handler); /* catch hangup signal */
        signal(SIGTERM, signal_handler); /* catch kill signal */
        
@@ -196,7 +199,7 @@ int main(int argc, char **argv)
        }
        
        /* Initializing */
-       SSL_init();
+       SSLi_init();
        Chan_init();
        Client_init();
 
@@ -205,7 +208,7 @@ int main(int argc, char **argv)
        
        Server_run();
        
-       SSL_deinit();
+       SSLi_deinit();
        Chan_free();
        Log_free();
        Conf_deinit();

diff --git a/src/messagehandler.c b/src/messagehandler.c
index b2f5670e90d6c0c1f08fdd67b531a465bde7fefb..ae613dafb6d7be3fa30ba4caab9e3efcd57863d2 100644 (file)
--- a/src/messagehandler.c
+++ b/src/messagehandler.c
@@ -29,7 +29,7 @@
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include <string.h>
-#include <openssl/aes.h>
+#include <stdlib.h>
 
 #include "log.h"
 #include "list.h"

diff --git a/src/server.c b/src/server.c
index c345e5db7eb74d605cb572d519a599b87065ffe5..e63684498cbff1a9c9423dd1c476090cf9a211b7 100644 (file)
--- a/src/server.c
+++ b/src/server.c
@@ -39,6 +39,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <stdlib.h>
 
 #include "client.h"
 #include "conf.h"

diff --git a/src/ssl.c b/src/ssl.c
index 456fe828f805f7f0853f12fd82e21d83da8bd216..dc2245352b6fff895948f665ceca3087c5861c4a 100644 (file)
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -28,16 +28,221 @@
    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include <openssl/x509v3.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/safestack.h>
 #include <string.h>
+#include <stdlib.h>
 
 #include "conf.h"
 #include "log.h"
 #include "ssl.h"
 
+#ifdef USE_POLARSSL
+/*
+ * PolarSSL interface
+ */
+
+#include <polarssl/havege.h>
+#include <polarssl/certs.h>
+#include <polarssl/x509.h>
+#include <polarssl/ssl.h>
+#include <polarssl/net.h>
+
+#define CA_CRT_FILENAME "ca.crt"
+
+int ciphers[] =
+{
+    SSL_EDH_RSA_AES_256_SHA,
+    SSL_EDH_RSA_CAMELLIA_256_SHA,
+    SSL_EDH_RSA_DES_168_SHA,
+    SSL_RSA_AES_256_SHA,
+    SSL_RSA_CAMELLIA_256_SHA,
+    SSL_RSA_AES_128_SHA,
+    SSL_RSA_CAMELLIA_128_SHA,
+    SSL_RSA_DES_168_SHA,
+    SSL_RSA_RC4_128_SHA,
+    SSL_RSA_RC4_128_MD5,
+    0
+};
+static x509_cert certificate;
+static rsa_context key;
+havege_state hs; /* exported to crypt.c */
+
+/* DH prime */
+char *my_dhm_P =
+       "9CE85640903BF123906947FEDE767261" \
+       "D9B4A973EB8F7D984A8C656E2BCC161C" \
+       "183D4CA471BA78225F940F16D1D99CA3" \
+       "E66152CC68EDCE1311A390F307741835" \
+       "44FF6AB553EC7073AD0CB608F2A3B480" \
+       "19E6C02BCED40BD30E91BB2469089670" \
+       "DEF409C08E8AC24D1732A6128D2220DC53";
+char *my_dhm_G = "4";
+
+static void initCert()
+{
+       int rc;
+       char *crtfile = (char *)getStrConf(CERTIFICATE);
+       char *ca_file, *p;
+       
+       if (crtfile == NULL)
+               Log_fatal("No certificate file specified"); 
+       rc = x509parse_crtfile(&certificate, crtfile);
+       if (rc != 0)
+               Log_fatal("Could not read certificate file %s", crtfile);
+       
+       /* Look for CA certificate file in same dir */
+       ca_file = malloc(strlen(crtfile) + strlen(CA_CRT_FILENAME) + 1);
+       strcpy(ca_file, crtfile);
+       p = strrchr(ca_file, '/');
+       if (p != NULL)
+               strcpy(p + 1, CA_CRT_FILENAME);
+       else
+               strcpy(ca_file, CA_CRT_FILENAME);
+       
+       rc = x509parse_crtfile(&certificate, ca_file);
+       if (rc != 0) { /* No CA certifiacte found. Assume self-signed. */
+               Log_info("CA certificate file %s not found. Assuming self-signed certificate.", ca_file);
+               /*
+                * Apparently PolarSSL needs to read something more into certificate chain.
+                * Doesn't seem to matter what. Read own certificate again.
+                */
+               rc = x509parse_crtfile(&certificate, crtfile);
+               if (rc != 0)
+                       Log_fatal("Could not read certificate file %s", crtfile);
+       }
+}
+
+static void initKey()
+{
+       int rc;
+       char *keyfile = (char *)getStrConf(KEY);
+       
+       if (keyfile == NULL)
+               Log_fatal("No key file specified"); 
+       rc = x509parse_keyfile(&key, keyfile, NULL);
+       if (rc != 0)
+               Log_fatal("Could not read RSA key file %s", keyfile);
+}
+
+#define DEBUG_LEVEL 0
+static void pssl_debug(void *ctx, int level, char *str)
+{
+    if (level <= DEBUG_LEVEL)
+               Log_debug("PolarSSL [level %d]: %s", level, str);
+}
+
+void SSLi_init(void)
+{
+       initCert();
+       initKey();
+    havege_init(&hs);
+       Log_info("PolarSSL library initialized");
+}
+
+void SSLi_deinit(void)
+{
+       x509_free(&certificate);
+       rsa_free(&key);
+}
+
+SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
+{
+       ssl_context *ssl;
+       ssl_session *ssn;
+       int rc;
+       
+       ssl = malloc(sizeof(ssl_context));
+       ssn = malloc(sizeof(ssl_session));
+       if (!ssl || !ssn)
+               Log_fatal("Out of memory");
+       memset(ssl, 0, sizeof(ssl_context));
+       memset(ssn, 0, sizeof(ssl_session));
+       
+       rc = ssl_init(ssl);
+       if (rc != 0 )
+               Log_fatal("Failed to initalize: %d", rc);
+       
+       ssl_set_endpoint(ssl, SSL_IS_SERVER);   
+    ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL);
+
+    ssl_set_rng(ssl, havege_rand, &hs);
+    ssl_set_dbg(ssl, pssl_debug, NULL);
+    ssl_set_bio(ssl, net_recv, fd, net_send, fd);
+
+    ssl_set_ciphers(ssl, ciphers);
+    ssl_set_session(ssl, 0, 0, ssn);
+
+    ssl_set_ca_chain(ssl, certificate.next, NULL, NULL);
+    ssl_set_own_cert(ssl, &certificate, &key);
+    ssl_set_dh_param(ssl, my_dhm_P, my_dhm_G);
+
+       return ssl;
+}
+
+int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
+{
+       int rc;
+       
+       rc = ssl_handshake(ssl);
+       if (rc != 0) {
+               if (rc == POLARSSL_ERR_NET_TRY_AGAIN) {
+                       return 0;
+               } else {
+                       Log_warn("SSL handshake failed: %d", rc);
+                       return -1;
+               }
+       }
+       *SSLready = true;
+       return 0;
+}
+
+int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
+{
+       int rc;
+       rc = ssl_read(ssl, buf, len);
+       if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
+               return SSLI_ERROR_WANT_READ;
+       return rc;
+}
+
+int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len)
+{
+       int rc;
+       rc = ssl_write(ssl, buf, len);
+       if (rc == POLARSSL_ERR_NET_TRY_AGAIN)
+               return SSLI_ERROR_WANT_WRITE;
+       return rc;
+}
+
+int SSLi_get_error(SSL_handle_t *ssl, int code)
+{
+       return code;
+}
+
+bool_t SSLi_data_pending(SSL_handle_t *ssl)
+{
+       return ssl_get_bytes_avail(ssl) > 0;
+}
+
+void SSLi_shutdown(SSL_handle_t *ssl)
+{
+       ssl_close_notify(ssl);
+}
+
+void SSLi_free(SSL_handle_t *ssl)
+{
+       free(ssl->session);
+       free(ssl);
+}
+
+#else
+/*
+ * OpenSSL interface
+ */
+
+#include <openssl/x509v3.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/safestack.h>
 static X509 *x509;
 static RSA *rsa;
 static SSL_CTX *context;
@@ -112,7 +317,7 @@ static RSA *SSL_readprivatekey(char *keyfile)
        return rsa;
 }
 
-void SSL_writecert(char *certfile, X509 *x509)
+static void SSL_writecert(char *certfile, X509 *x509)
 {
        FILE *fp;
        BIO *err_output;
@@ -136,7 +341,7 @@ void SSL_writecert(char *certfile, X509 *x509)
        fclose(fp);
 }
 
-void SSL_writekey(char *keyfile, RSA *rsa)
+static void SSL_writekey(char *keyfile, RSA *rsa)
 {
        FILE *fp;
        BIO *err_output;
@@ -159,7 +364,7 @@ void SSL_writekey(char *keyfile, RSA *rsa)
        fclose(fp);
 }
 
-void SSL_initializeCert() {
+static void SSL_initializeCert() {
        char *crt, *key, *pass;
        
        crt = (char *)getStrConf(CERTIFICATE);
@@ -241,28 +446,7 @@ void SSL_initializeCert() {
 
 }
 
-void SSL_getdigest(char *s, int l)
-{
-       unsigned char md[EVP_MAX_MD_SIZE];
-       unsigned int n;
-       int j;
-       
-       if (!X509_digest (x509, EVP_md5(), md, &n))
-       {
-               snprintf (s, l, "[unable to calculate]");
-       }
-       else
-       {
-               for (j = 0; j < (int) n; j++)
-               {
-                       char ch[8];
-                       snprintf(ch, 8, "%02X%s", md[j], (j % 2 ? " " : ""));
-                       strcat(s, ch);
-               }
-       }
-}
-
-void SSL_init(void)
+void SSLi_init(void)
 {
        const SSL_METHOD *method;
        SSL *ssl;
@@ -320,15 +504,17 @@ void SSL_init(void)
                
        
        SSL_free(ssl);
+       Log_info("OpenSSL library initialized");
+
 }
 
-void SSL_deinit(void)
+void SSLi_deinit(void)
 {
        SSL_CTX_free(context);
        EVP_cleanup();
 }
 
-int SSL_nonblockaccept(SSL *ssl, bool_t *SSLready)
+int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready)
 {
        int rc;
        rc = SSL_accept(ssl);
@@ -346,23 +532,53 @@ int SSL_nonblockaccept(SSL *ssl, bool_t *SSLready)
        return 0;
 }
 
-SSL *SSL_newconnection(int fd, bool_t *SSLready)
+SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
 {
        SSL *ssl;
        
        *SSLready = false;
        ssl = SSL_new(context);
-       SSL_set_fd(ssl, fd);
-       if (SSL_nonblockaccept(ssl, SSLready) < 0) {
+       SSL_set_fd(ssl, *fd);
+       if (SSLi_nonblockaccept(ssl, SSLready) < 0) {
                SSL_free(ssl);
                return NULL;
        }
        return ssl;
 }
 
-void SSL_closeconnection(SSL *ssl)
+void SSLi_closeconnection(SSL_handle_t *ssl)
 {
        SSL_free(ssl);
 }
 
+void SSLi_shutdown(SSL_handle_t *ssl)
+{
+       SSL_shutdown(ssl);
+}
 
+int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len)
+{
+       return SSL_read(ssl, buf, len);
+}
+
+int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len)
+{
+       return SSL_write(ssl, buf, len);
+}
+
+int SSLi_get_error(SSL_handle_t *ssl, int code)
+{
+       return SSL_get_error(ssl, code);
+}
+
+bool_t SSLi_data_pending(SSL_handle_t *ssl)
+{
+       return SSL_pending(ssl);
+}
+
+void SSLi_free(SSL_handle_t *ssl)
+{
+       SSL_free(ssl);
+}
+
+#endif

diff --git a/src/ssl.h b/src/ssl.h
index 2c47f83d1411ded5d47a92e5dee8da3515650533..5ed8384e30cdb47c65f8583490624a339fef85f6 100644 (file)
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -28,12 +28,51 @@
    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+
+#ifndef SSL_H_987698
+#define SSL_H_987698
+
+#ifdef USE_POLARSSL
+#include <polarssl/ssl.h>
+#else
 #include <openssl/x509v3.h>
 #include <openssl/ssl.h>
+#endif
+
 #include "types.h"
+#include <inttypes.h>
+
+#ifdef USE_POLARSSL
+#define SSLI_ERROR_WANT_READ -0x0F300 /* PolarSSL uses -0x0f00 -> --0x0f90 */
+#define SSLI_ERROR_WANT_WRITE -0x0F310
+#define SSLI_ERROR_ZERO_RETURN POLARSSL_ERR_NET_CONN_RESET
+#define SSLI_ERROR_CONNRESET POLARSSL_ERR_NET_CONN_RESET
+#define SSLI_ERROR_SYSCALL POLARSSL_ERR_NET_RECV_FAILED
+
+typedef        ssl_context SSL_handle_t;
+
+#else
+
+#define SSLI_ERROR_WANT_READ SSL_ERROR_WANT_READ
+#define SSLI_ERROR_WANT_WRITE SSL_ERROR_WANT_WRITE
+#define SSLI_ERROR_ZERO_RETURN SSL_ERROR_ZERO_RETURN
+#define SSLI_ERROR_CONNRESET SSL_ERROR_ZERO_RETURN
+#define SSLI_ERROR_SYSCALL SSL_ERROR_SYSCALL
+
+typedef SSL SSL_handle_t;
+
+#endif
+
+void SSLi_init(void);
+void SSLi_deinit(void);
+SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready);
+void SSLi_closeconnection(SSL_handle_t *ssl);
+int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready);
+int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len);
+int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len);
+int SSLi_get_error(SSL_handle_t *ssl, int code);
+bool_t SSLi_data_pending(SSL_handle_t *ssl);
+void SSLi_shutdown(SSL_handle_t *ssl);
+void SSLi_free(SSL_handle_t *ssl);
 
-void SSL_init(void);
-void SSL_deinit(void);
-SSL *SSL_newconnection(int fd, bool_t *SSLready);
-void SSL_closeconnection(SSL *ssl);
-int SSL_nonblockaccept(SSL *ssl, bool_t *SSLready);
+#endif

diff --git a/src/voicetarget.c b/src/voicetarget.c
index 85c26076384a45469db99ca3ad1ad1275eec2339..92f8c5bfcc9a30b041a67134b2a1808be835fc4d 100644 (file)
--- a/src/voicetarget.c
+++ b/src/voicetarget.c
@@ -29,6 +29,8 @@
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
+#include <stdlib.h>
+#include <string.h>
 #include "voicetarget.h"
 #include "log.h"