From: fatbob313 Date: Sat, 13 Feb 2010 22:36:54 +0000 (+0000) Subject: Merge of r85:88 from branch polarssl into trunk. X-Git-Url: http://git.code-monkey.de/?a=commitdiff_plain;h=14a67bc74c81651015bbbad075f7eb1c41218cf7;p=umurmur.git Merge of r85:88 from branch polarssl into trunk. --- diff --git a/src/Makefile b/src/Makefile index a93fc5a..af5aa3d 100644 --- a/src/Makefile +++ b/src/Makefile @@ -3,13 +3,30 @@ SRCS:=client.c main.c messages.c pds.c server.c ssl.c log.c conf.c crypt.c \ OBJS:=$(patsubst %.c, %.o, $(SRCS)) +POLARSSL_LIB:=../../../../polarssl/polarssl-0.12.1/library/libpolarssl.a + +# For Valgrind #CFLAGS:=$(CFLAGS) -I. -I/data/export/proj/openssl/include/ -Wall -g -DDEBUG #LDFLAGS:=$(LDFLAGS) -L/data/export/proj/openssl/lib/ -lcrypto -lssl -lconfig -CFLAGS:=$(CFLAGS) -I. -Wall -g -LDFLAGS:=$(LDFLAGS) -lcrypto -lssl -lconfig -umurmurd:google/protobuf-c/libprotobuf_c.a depend.mak $(OBJS) - $(CC) $(LDFLAGS) $(OBJS) google/protobuf-c/libprotobuf_c.a -o umurmurd +# PolarSSL +CFLAGS:=$(CFLAGS) -DDEBUG -DUSE_POLARSSL -I. -I../../../../polarssl/polarssl-0.12.1/include -Wall -g +LDFLAGS:=$(LDFLAGS) -L -lpolarssl -lconfig + +# OpenSSL +#CFLAGS:=$(CFLAGS) -I. -Wall +#LDFLAGS:=$(LDFLAGS) -L -lcrypto -lssl -lconfig + +# Debug +#CFLAGS:=$(CFLAGS) -DDEBUG -I. -Wall -g + +# PolarSSL +umurmurd:google/protobuf-c/libprotobuf_c.a depend.mak $(OBJS) $(POLARSSL_LIB) + $(CC) $(LDFLAGS) $(OBJS) $(POLARSSL_LIB) google/protobuf-c/libprotobuf_c.a -o umurmurd + +# OpenSSL +#umurmurd:google/protobuf-c/libprotobuf_c.a depend.mak $(OBJS) +# $(CC) $(LDFLAGS) $(OBJS) google/protobuf-c/libprotobuf_c.a -o umurmurd google/protobuf-c/libprotobuf_c.a: $(MAKE) -C google/protobuf-c/ diff --git a/src/channel.c b/src/channel.c index 1fab5a4..3524a96 100644 --- a/src/channel.c +++ b/src/channel.c @@ -29,6 +29,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include +#include +#include #include "log.h" #include "list.h" #include "client.h" diff --git a/src/client.c b/src/client.c index 1419347..e515a45 100644 --- a/src/client.c +++ b/src/client.c @@ -30,8 +30,11 @@ */ #include #include +#include #include #include +#include +#include #include "log.h" #include "list.h" #include "client.h" @@ -247,7 +250,7 @@ int Client_add(int fd, struct sockaddr_in *remote) newclient->tcpfd = fd; memcpy(&newclient->remote_tcp, remote, sizeof(struct sockaddr_in)); - newclient->ssl = SSL_newconnection(newclient->tcpfd, &newclient->SSLready); + newclient->ssl = SSLi_newconnection(&newclient->tcpfd, &newclient->SSLready); if (newclient->ssl == NULL) { Log_warn("SSL negotiation failed with %s:%d", inet_ntoa(remote->sin_addr), ntohs(remote->sin_port)); @@ -307,7 +310,7 @@ void Client_free(client_t *client) list_del(&client->node); if (client->ssl) - SSL_free(client->ssl); + SSLi_free(client->ssl); close(client->tcpfd); clientcount--; if (client->release) @@ -323,7 +326,7 @@ void Client_free(client_t *client) void Client_close(client_t *client) { - SSL_shutdown(client->ssl); + SSLi_shutdown(client->ssl); client->shutdown_wait = true; } @@ -371,7 +374,7 @@ int Client_read(client_t *client) } if (!client->SSLready) { int rc; - rc = SSL_nonblockaccept(client->ssl, &client->SSLready); + rc = SSLi_nonblockaccept(client->ssl, &client->SSLready); if (rc < 0) { Client_free(client); return -1; @@ -381,9 +384,9 @@ int Client_read(client_t *client) do { errno = 0; if (!client->msgsize) - rc = SSL_read(client->ssl, &client->rxbuf[client->rxcount], 6 - client->rxcount); + rc = SSLi_read(client->ssl, &client->rxbuf[client->rxcount], 6 - client->rxcount); else - rc = SSL_read(client->ssl, &client->rxbuf[client->rxcount], client->msgsize); + rc = SSLi_read(client->ssl, &client->rxbuf[client->rxcount], client->msgsize); if (rc > 0) { message_t *msg; client->rxcount += rc; @@ -411,33 +414,30 @@ int Client_read(client_t *client) client->rxcount = client->msgsize = 0; } } else /* rc <= 0 */ { - if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_READ) { + if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_READ) { return 0; } - else if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_WRITE) { + else if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_WRITE) { client->readBlockedOnWrite = true; return 0; } - else if (SSL_get_error(client->ssl, rc) == SSL_ERROR_ZERO_RETURN) { + else if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_ZERO_RETURN) { Log_info_client(client, "Connection closed by peer"); if (!client->shutdown_wait) Client_close(client); } else { - if (SSL_get_error(client->ssl, rc) == SSL_ERROR_SYSCALL) { - /* Hmm. This is where we end up when the client closes its connection. - * Kind of strange... - */ + if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_SYSCALL) { Log_info_client(client, "Connection closed by peer"); } else { - Log_info_client(client, "SSL error: %d - Closing connection", SSL_get_error(client->ssl, rc)); + Log_info_client(client, "SSL error: %d - Closing connection", SSLi_get_error(client->ssl, rc)); } Client_free(client); return -1; } } - } while (SSL_pending(client->ssl)); + } while (SSLi_data_pending(client->ssl)); return 0; } @@ -468,25 +468,25 @@ int Client_write(client_t *client) Log_debug("Client_write: readBlockedOnWrite == true"); return Client_read(client); } - rc = SSL_write(client->ssl, &client->txbuf[client->txcount], client->txsize - client->txcount); + rc = SSLi_write(client->ssl, &client->txbuf[client->txcount], client->txsize - client->txcount); if (rc > 0) { client->txcount += rc; if (client->txcount == client->txsize) client->txsize = client->txcount = 0; } else if (rc < 0) { - if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_READ) { + if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_READ) { client->writeBlockedOnRead = true; return 0; } - else if (SSL_get_error(client->ssl, rc) == SSL_ERROR_WANT_WRITE) { + else if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_WANT_WRITE) { return 0; } else { - if (SSL_get_error(client->ssl, rc) == SSL_ERROR_SYSCALL) + if (SSLi_get_error(client->ssl, rc) == SSLI_ERROR_SYSCALL) Log_warn("Client_write: Error: %s - Closing connection", strerror(errno)); else - Log_warn("Client_write: SSL error: %d - Closing connection.", SSL_get_error(client->ssl, rc)); + Log_warn("Client_write: SSL error: %d - Closing connection.", SSLi_get_error(client->ssl, rc)); Client_free(client); return -1; } diff --git a/src/client.h b/src/client.h index f7b88c4..66bf7d8 100644 --- a/src/client.h +++ b/src/client.h @@ -31,7 +31,6 @@ #ifndef CLIENT_H_45786678 #define CLIENT_H_45786678 -#include #include #include /* close() */ #include @@ -47,6 +46,7 @@ #include "crypt.h" #include "timer.h" #include "pds.h" +#include "ssl.h" #define BUFSIZE 8192 #define UDP_BUFSIZE 512 @@ -57,7 +57,7 @@ typedef struct { int tcpfd; - SSL *ssl; + SSL_handle_t *ssl; bool_t SSLready; bool_t shutdown_wait; cryptState_t cryptState; diff --git a/src/crypt.c b/src/crypt.c index e69d34e..8324bca 100644 --- a/src/crypt.c +++ b/src/crypt.c @@ -41,7 +41,19 @@ #include #include #include "crypt.h" -#include "log.h" + +#ifdef USE_POLARSSL +#include +#define RAND_bytes(_dst_, _size_) do { \ + int i; \ + for (i = 0; i < _size_; i++) { \ + _dst_[i] = havege_rand(&hs); \ + } \ + } while (0); + +extern havege_state hs; +#endif + static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag); static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag); @@ -67,8 +79,13 @@ void CryptState_genKey(cryptState_t *cs) { RAND_bytes(cs->raw_key, AES_BLOCK_SIZE); RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE); RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE); +#ifndef USE_POLARSSL AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key); AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key); +#else + aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128); + aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128); +#endif cs->bInit = true; } @@ -77,8 +94,13 @@ void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsign memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE); memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE); memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE); - AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key); +#ifndef USE_POLARSSL + AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key); AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key); +#else + aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128); + aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128); +#endif cs->bInit = true; } @@ -184,7 +206,7 @@ bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigne CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag); if (memcmp(tag, source+1, 3) != 0) { - memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE); + memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE); return false; } cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1]; @@ -257,20 +279,25 @@ static void inline ZERO(subblock *block) { block[i]=0; } -#define AESencrypt(src,dst,key) AES_encrypt((unsigned char *)(src),(unsigned char *)(dst), key); -#define AESdecrypt(src,dst,key) AES_decrypt((unsigned char *)(src),(unsigned char *)(dst), key); +#ifdef USE_POLARSSL +#define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst)); +#define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst)); +#else +#define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key); +#define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key); +#endif void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) { subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE]; // Initialize - AESencrypt(nonce, delta, &cs->encrypt_key); + AESencrypt(nonce, delta, cs); ZERO(checksum); while (len > AES_BLOCK_SIZE) { S2(delta); XOR(tmp, delta, (const subblock *)(plain)); - AESencrypt(tmp, tmp, &cs->encrypt_key); + AESencrypt(tmp, tmp, cs); XOR((subblock *)(encrypted), delta, tmp); XOR(checksum, checksum, (subblock *)(plain)); len -= AES_BLOCK_SIZE; @@ -282,7 +309,7 @@ void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsign ZERO(tmp); tmp[BLOCKSIZE - 1] = SWAPPED(len * 8); XOR(tmp, tmp, delta); - AESencrypt(tmp, pad, &cs->encrypt_key); + AESencrypt(tmp, pad, cs); memcpy(tmp, plain, len); memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len); XOR(checksum, checksum, tmp); @@ -291,20 +318,19 @@ void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsign S3(delta); XOR(tmp, delta, checksum); - AESencrypt(tmp, tag, &cs->encrypt_key); + AESencrypt(tmp, tag, cs); } void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) { subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE]; - // Initialize - AESencrypt(nonce, delta, &cs->encrypt_key); + AESencrypt(nonce, delta, cs); ZERO(checksum); while (len > AES_BLOCK_SIZE) { S2(delta); XOR(tmp, delta, (const subblock *)(encrypted)); - AESdecrypt(tmp, tmp, &cs->decrypt_key); + AESdecrypt(tmp, tmp, cs); XOR((subblock *)(plain), delta, tmp); XOR(checksum, checksum, (const subblock *)(plain)); len -= AES_BLOCK_SIZE; @@ -316,7 +342,7 @@ void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, un ZERO(tmp); tmp[BLOCKSIZE - 1] = SWAPPED(len * 8); XOR(tmp, tmp, delta); - AESencrypt(tmp, pad, &cs->encrypt_key); + AESencrypt(tmp, pad, cs); memset(tmp, 0, AES_BLOCK_SIZE); memcpy(tmp, encrypted, len); XOR(tmp, tmp, pad); @@ -325,5 +351,5 @@ void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, un S3(delta); XOR(tmp, delta, checksum); - AESencrypt(tmp, tag, &cs->encrypt_key); + AESencrypt(tmp, tag, cs); } diff --git a/src/crypt.h b/src/crypt.h index 8e95fe2..4570c74 100644 --- a/src/crypt.h +++ b/src/crypt.h @@ -28,11 +28,18 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef _CRYPTSTATE_H -#define _CRYPTSTATE_H +#ifndef CRYPTSTATE_H_34564356 +#define CRYPTSTATE_H_34564356 +#ifdef USE_POLARSSL +#include +#include +#define AES_BLOCK_SIZE 16 +#else #include #include +#endif + #include #include "timer.h" #include "types.h" @@ -52,9 +59,13 @@ typedef struct CryptState { unsigned int uiRemoteLate; unsigned int uiRemoteLost; unsigned int uiRemoteResync; - +#ifndef USE_POLARSSL AES_KEY encrypt_key; AES_KEY decrypt_key; +#else + aes_context aes_enc; + aes_context aes_dec; +#endif etimer_t tLastGood; etimer_t tLastRequest; bool_t bInit; @@ -68,4 +79,5 @@ void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv); bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length); void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length); + #endif diff --git a/src/main.c b/src/main.c index cce178a..a4c1c12 100644 --- a/src/main.c +++ b/src/main.c @@ -39,6 +39,8 @@ #include #include #include +#include +#include #include "server.h" #include "ssl.h" @@ -182,6 +184,7 @@ int main(int argc, char **argv) signal(SIGTSTP, SIG_IGN); /* ignore tty signals */ signal(SIGTTOU, SIG_IGN); signal(SIGTTIN, SIG_IGN); + signal(SIGPIPE, SIG_IGN); signal(SIGHUP, signal_handler); /* catch hangup signal */ signal(SIGTERM, signal_handler); /* catch kill signal */ @@ -196,7 +199,7 @@ int main(int argc, char **argv) } /* Initializing */ - SSL_init(); + SSLi_init(); Chan_init(); Client_init(); @@ -205,7 +208,7 @@ int main(int argc, char **argv) Server_run(); - SSL_deinit(); + SSLi_deinit(); Chan_free(); Log_free(); Conf_deinit(); diff --git a/src/messagehandler.c b/src/messagehandler.c index b2f5670..ae613da 100644 --- a/src/messagehandler.c +++ b/src/messagehandler.c @@ -29,7 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include -#include +#include #include "log.h" #include "list.h" diff --git a/src/server.c b/src/server.c index c345e5d..e636844 100644 --- a/src/server.c +++ b/src/server.c @@ -39,6 +39,7 @@ #include #include #include +#include #include "client.h" #include "conf.h" diff --git a/src/ssl.c b/src/ssl.c index 456fe82..dc22453 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -28,16 +28,221 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include -#include -#include -#include #include +#include #include "conf.h" #include "log.h" #include "ssl.h" +#ifdef USE_POLARSSL +/* + * PolarSSL interface + */ + +#include +#include +#include +#include +#include + +#define CA_CRT_FILENAME "ca.crt" + +int ciphers[] = +{ + SSL_EDH_RSA_AES_256_SHA, + SSL_EDH_RSA_CAMELLIA_256_SHA, + SSL_EDH_RSA_DES_168_SHA, + SSL_RSA_AES_256_SHA, + SSL_RSA_CAMELLIA_256_SHA, + SSL_RSA_AES_128_SHA, + SSL_RSA_CAMELLIA_128_SHA, + SSL_RSA_DES_168_SHA, + SSL_RSA_RC4_128_SHA, + SSL_RSA_RC4_128_MD5, + 0 +}; +static x509_cert certificate; +static rsa_context key; +havege_state hs; /* exported to crypt.c */ + +/* DH prime */ +char *my_dhm_P = + "9CE85640903BF123906947FEDE767261" \ + "D9B4A973EB8F7D984A8C656E2BCC161C" \ + "183D4CA471BA78225F940F16D1D99CA3" \ + "E66152CC68EDCE1311A390F307741835" \ + "44FF6AB553EC7073AD0CB608F2A3B480" \ + "19E6C02BCED40BD30E91BB2469089670" \ + "DEF409C08E8AC24D1732A6128D2220DC53"; +char *my_dhm_G = "4"; + +static void initCert() +{ + int rc; + char *crtfile = (char *)getStrConf(CERTIFICATE); + char *ca_file, *p; + + if (crtfile == NULL) + Log_fatal("No certificate file specified"); + rc = x509parse_crtfile(&certificate, crtfile); + if (rc != 0) + Log_fatal("Could not read certificate file %s", crtfile); + + /* Look for CA certificate file in same dir */ + ca_file = malloc(strlen(crtfile) + strlen(CA_CRT_FILENAME) + 1); + strcpy(ca_file, crtfile); + p = strrchr(ca_file, '/'); + if (p != NULL) + strcpy(p + 1, CA_CRT_FILENAME); + else + strcpy(ca_file, CA_CRT_FILENAME); + + rc = x509parse_crtfile(&certificate, ca_file); + if (rc != 0) { /* No CA certifiacte found. Assume self-signed. */ + Log_info("CA certificate file %s not found. Assuming self-signed certificate.", ca_file); + /* + * Apparently PolarSSL needs to read something more into certificate chain. + * Doesn't seem to matter what. Read own certificate again. + */ + rc = x509parse_crtfile(&certificate, crtfile); + if (rc != 0) + Log_fatal("Could not read certificate file %s", crtfile); + } +} + +static void initKey() +{ + int rc; + char *keyfile = (char *)getStrConf(KEY); + + if (keyfile == NULL) + Log_fatal("No key file specified"); + rc = x509parse_keyfile(&key, keyfile, NULL); + if (rc != 0) + Log_fatal("Could not read RSA key file %s", keyfile); +} + +#define DEBUG_LEVEL 0 +static void pssl_debug(void *ctx, int level, char *str) +{ + if (level <= DEBUG_LEVEL) + Log_debug("PolarSSL [level %d]: %s", level, str); +} + +void SSLi_init(void) +{ + initCert(); + initKey(); + havege_init(&hs); + Log_info("PolarSSL library initialized"); +} + +void SSLi_deinit(void) +{ + x509_free(&certificate); + rsa_free(&key); +} + +SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready) +{ + ssl_context *ssl; + ssl_session *ssn; + int rc; + + ssl = malloc(sizeof(ssl_context)); + ssn = malloc(sizeof(ssl_session)); + if (!ssl || !ssn) + Log_fatal("Out of memory"); + memset(ssl, 0, sizeof(ssl_context)); + memset(ssn, 0, sizeof(ssl_session)); + + rc = ssl_init(ssl); + if (rc != 0 ) + Log_fatal("Failed to initalize: %d", rc); + + ssl_set_endpoint(ssl, SSL_IS_SERVER); + ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL); + + ssl_set_rng(ssl, havege_rand, &hs); + ssl_set_dbg(ssl, pssl_debug, NULL); + ssl_set_bio(ssl, net_recv, fd, net_send, fd); + + ssl_set_ciphers(ssl, ciphers); + ssl_set_session(ssl, 0, 0, ssn); + + ssl_set_ca_chain(ssl, certificate.next, NULL, NULL); + ssl_set_own_cert(ssl, &certificate, &key); + ssl_set_dh_param(ssl, my_dhm_P, my_dhm_G); + + return ssl; +} + +int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready) +{ + int rc; + + rc = ssl_handshake(ssl); + if (rc != 0) { + if (rc == POLARSSL_ERR_NET_TRY_AGAIN) { + return 0; + } else { + Log_warn("SSL handshake failed: %d", rc); + return -1; + } + } + *SSLready = true; + return 0; +} + +int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len) +{ + int rc; + rc = ssl_read(ssl, buf, len); + if (rc == POLARSSL_ERR_NET_TRY_AGAIN) + return SSLI_ERROR_WANT_READ; + return rc; +} + +int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len) +{ + int rc; + rc = ssl_write(ssl, buf, len); + if (rc == POLARSSL_ERR_NET_TRY_AGAIN) + return SSLI_ERROR_WANT_WRITE; + return rc; +} + +int SSLi_get_error(SSL_handle_t *ssl, int code) +{ + return code; +} + +bool_t SSLi_data_pending(SSL_handle_t *ssl) +{ + return ssl_get_bytes_avail(ssl) > 0; +} + +void SSLi_shutdown(SSL_handle_t *ssl) +{ + ssl_close_notify(ssl); +} + +void SSLi_free(SSL_handle_t *ssl) +{ + free(ssl->session); + free(ssl); +} + +#else +/* + * OpenSSL interface + */ + +#include +#include +#include +#include static X509 *x509; static RSA *rsa; static SSL_CTX *context; @@ -112,7 +317,7 @@ static RSA *SSL_readprivatekey(char *keyfile) return rsa; } -void SSL_writecert(char *certfile, X509 *x509) +static void SSL_writecert(char *certfile, X509 *x509) { FILE *fp; BIO *err_output; @@ -136,7 +341,7 @@ void SSL_writecert(char *certfile, X509 *x509) fclose(fp); } -void SSL_writekey(char *keyfile, RSA *rsa) +static void SSL_writekey(char *keyfile, RSA *rsa) { FILE *fp; BIO *err_output; @@ -159,7 +364,7 @@ void SSL_writekey(char *keyfile, RSA *rsa) fclose(fp); } -void SSL_initializeCert() { +static void SSL_initializeCert() { char *crt, *key, *pass; crt = (char *)getStrConf(CERTIFICATE); @@ -241,28 +446,7 @@ void SSL_initializeCert() { } -void SSL_getdigest(char *s, int l) -{ - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int n; - int j; - - if (!X509_digest (x509, EVP_md5(), md, &n)) - { - snprintf (s, l, "[unable to calculate]"); - } - else - { - for (j = 0; j < (int) n; j++) - { - char ch[8]; - snprintf(ch, 8, "%02X%s", md[j], (j % 2 ? " " : "")); - strcat(s, ch); - } - } -} - -void SSL_init(void) +void SSLi_init(void) { const SSL_METHOD *method; SSL *ssl; @@ -320,15 +504,17 @@ void SSL_init(void) SSL_free(ssl); + Log_info("OpenSSL library initialized"); + } -void SSL_deinit(void) +void SSLi_deinit(void) { SSL_CTX_free(context); EVP_cleanup(); } -int SSL_nonblockaccept(SSL *ssl, bool_t *SSLready) +int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready) { int rc; rc = SSL_accept(ssl); @@ -346,23 +532,53 @@ int SSL_nonblockaccept(SSL *ssl, bool_t *SSLready) return 0; } -SSL *SSL_newconnection(int fd, bool_t *SSLready) +SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready) { SSL *ssl; *SSLready = false; ssl = SSL_new(context); - SSL_set_fd(ssl, fd); - if (SSL_nonblockaccept(ssl, SSLready) < 0) { + SSL_set_fd(ssl, *fd); + if (SSLi_nonblockaccept(ssl, SSLready) < 0) { SSL_free(ssl); return NULL; } return ssl; } -void SSL_closeconnection(SSL *ssl) +void SSLi_closeconnection(SSL_handle_t *ssl) { SSL_free(ssl); } +void SSLi_shutdown(SSL_handle_t *ssl) +{ + SSL_shutdown(ssl); +} +int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len) +{ + return SSL_read(ssl, buf, len); +} + +int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len) +{ + return SSL_write(ssl, buf, len); +} + +int SSLi_get_error(SSL_handle_t *ssl, int code) +{ + return SSL_get_error(ssl, code); +} + +bool_t SSLi_data_pending(SSL_handle_t *ssl) +{ + return SSL_pending(ssl); +} + +void SSLi_free(SSL_handle_t *ssl) +{ + SSL_free(ssl); +} + +#endif diff --git a/src/ssl.h b/src/ssl.h index 2c47f83..5ed8384 100644 --- a/src/ssl.h +++ b/src/ssl.h @@ -28,12 +28,51 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#ifndef SSL_H_987698 +#define SSL_H_987698 + +#ifdef USE_POLARSSL +#include +#else #include #include +#endif + #include "types.h" +#include + +#ifdef USE_POLARSSL +#define SSLI_ERROR_WANT_READ -0x0F300 /* PolarSSL uses -0x0f00 -> --0x0f90 */ +#define SSLI_ERROR_WANT_WRITE -0x0F310 +#define SSLI_ERROR_ZERO_RETURN POLARSSL_ERR_NET_CONN_RESET +#define SSLI_ERROR_CONNRESET POLARSSL_ERR_NET_CONN_RESET +#define SSLI_ERROR_SYSCALL POLARSSL_ERR_NET_RECV_FAILED + +typedef ssl_context SSL_handle_t; + +#else + +#define SSLI_ERROR_WANT_READ SSL_ERROR_WANT_READ +#define SSLI_ERROR_WANT_WRITE SSL_ERROR_WANT_WRITE +#define SSLI_ERROR_ZERO_RETURN SSL_ERROR_ZERO_RETURN +#define SSLI_ERROR_CONNRESET SSL_ERROR_ZERO_RETURN +#define SSLI_ERROR_SYSCALL SSL_ERROR_SYSCALL + +typedef SSL SSL_handle_t; + +#endif + +void SSLi_init(void); +void SSLi_deinit(void); +SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready); +void SSLi_closeconnection(SSL_handle_t *ssl); +int SSLi_nonblockaccept(SSL_handle_t *ssl, bool_t *SSLready); +int SSLi_read(SSL_handle_t *ssl, uint8_t *buf, int len); +int SSLi_write(SSL_handle_t *ssl, uint8_t *buf, int len); +int SSLi_get_error(SSL_handle_t *ssl, int code); +bool_t SSLi_data_pending(SSL_handle_t *ssl); +void SSLi_shutdown(SSL_handle_t *ssl); +void SSLi_free(SSL_handle_t *ssl); -void SSL_init(void); -void SSL_deinit(void); -SSL *SSL_newconnection(int fd, bool_t *SSLready); -void SSL_closeconnection(SSL *ssl); -int SSL_nonblockaccept(SSL *ssl, bool_t *SSLready); +#endif diff --git a/src/voicetarget.c b/src/voicetarget.c index 85c2607..92f8c5b 100644 --- a/src/voicetarget.c +++ b/src/voicetarget.c @@ -29,6 +29,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include +#include #include "voicetarget.h" #include "log.h"