networking/ssl_helper: experimental matrixssl-based ssl helper
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
parent
8b7e8ae224
commit
d82046f59f
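--- a/networking/ssl_helper/README
+++ b/networking/ssl_helper/README
@@ -0,0 +1,16 @@
+Build instructions:
+
+* Unpack matrixssl-3-4-2-open.tgz.
+* Build it: "make"
+* Drop this directory into matrixssl-3-4-2-open/ssl_helper
+* Run ssl_helper.sh to compile and link the helper
+
+Usage: "ssl_helper -d <FILE_DESCRIPTOR>" where FILE_DESCRIPTOR is open to the peer.
+
+In bash, you can do it this way:
+$ ssl_helper -d3 3<>/dev/tcp/HOST/PORT
+
+Stdin will be SSL-encrypted and sent to FILE_DESCRIPTOR.
+Data from FILE_DESCRIPTOR will be decrypted and sent to stdout.
+
+The plan is to adapt it for wget https helper, and for ssl support in nc.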
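--- a/networking/ssl_helper/ssl_helper.c
+++ b/networking/ssl_helper/ssl_helper.c
@@ -0,0 +1,406 @@
+/*
+* Copyright (c) 2013 INSIDE Secure Corporation
+* Copyright (c) PeerSec Networks, 2002-2011
+* All Rights Reserved
+*
+* The latest version of this code is available at http://www.matrixssl.org
+*
+* This software is open source; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in WITHOUT ANY WARRANTY; without even the
+* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+* See the GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+* http://www.gnu.org/copyleft/gpl.html
+*/
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <time.h>
+#include <poll.h>
+#include <sys/socket.h>
+
+#include "matrixssl/matrixsslApi.h"
+
+//#warning "DO NOT USE THESE DEFAULT KEYS IN PRODUCTION ENVIRONMENTS."
+
+/*
+* If supporting client authentication, pick ONE identity to auto select a
+* certificate and private key that support desired algorithms.
+*/
+#define ID_RSA /* RSA Certificate and Key */
+
+#define USE_HEADER_KEYS
+
+/* If the algorithm type is supported, load a CA for it */
+#ifdef USE_HEADER_KEYS
+/* CAs */
+# include "sampleCerts/RSA/ALL_RSA_CAS.h"
+/* Identity Certs and Keys for use with Client Authentication */
+# ifdef ID_RSA
+# define EXAMPLE_RSA_KEYS
+# include "sampleCerts/RSA/2048_RSA.h"
+# include "sampleCerts/RSA/2048_RSA_KEY.h"
+# endif
+#endif
+
+static ssize_t safe_write(int fd, const void *buf, size_t count)
+{
+ssize_t n;
+
+do {
+n = write(fd, buf, count);
+} while (n < 0 && errno == EINTR);
+
+return n;
+}
+
+static ssize_t full_write(int fd, const void *buf, size_t len)
+{
+ssize_t cc;
+ssize_t total;
+
+total = 0;
+
+while (len) {
+cc = safe_write(fd, buf, len);
+
+if (cc < 0) {
+if (total) {
+/* we already wrote some! */
+/* user can do another write to know the error code */
+return total;
+}
+return cc; /* write() returns -1 on failure. */
+}
+
+total += cc;
+buf = ((const char *)buf) + cc;
+len -= cc;
+}
+
+return total;
+}
+
+static void say(const char *s, ...)
+{
+char buf[256];
+va_list p;
+int sz;
+
+va_start(p, s);
+sz = vsnprintf(buf, sizeof(buf), s, p);
+full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
+va_end(p);
+}
+
+static void die(const char *s, ...)
+{
+char buf[256];
+va_list p;
+int sz;
+
+va_start(p, s);
+sz = vsnprintf(buf, sizeof(buf), s, p);
+full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
+exit(1);
+va_end(p);
+}
+
+#if 0
+# define dbg(...) say(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+static struct pollfd pfd[2] = {
+{ -1, POLLIN|POLLERR|POLLHUP, 0 },
+{ -1, POLLIN|POLLERR|POLLHUP, 0 },
+};
+#define STDIN pfd[0]
+#define NETWORK pfd[1]
+#define STDIN_READY() (pfd[0].revents & (POLLIN|POLLERR|POLLHUP))
+#define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP))
+
+static int wait_for_input(void)
+{
+if (STDIN.fd == NETWORK.fd) /* means both are -1 */
+exit(0);
+dbg("polling\n");
+STDIN.revents = NETWORK.revents = 0;
+return poll(pfd, 2, -1);
+}
+
+static int32 certCb(ssl_t *ssl, psX509Cert_t *cert, int32 alert)
+{
+/* Example to allow anonymous connections based on a define */
+if (alert > 0) {
+return SSL_ALLOW_ANON_CONNECTION; // = 254
+}
+#if 0
+/* Validate the 'not before' and 'not after' dates, etc */
+return PS_FAILURE; /* if we don't like this cert */
+#endif
+return PS_SUCCESS;
+}
+
+static void close_conn_and_exit(ssl_t *ssl, int fd)
+{
+unsigned char *buf;
+int len;
+
+fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
+/* Quick attempt to send a closure alert, don't worry about failure */
+if (matrixSslEncodeClosureAlert(ssl) >= 0) {
+len = matrixSslGetOutdata(ssl, &buf);
+if (len > 0) {
+len = safe_write(fd, buf, len);
+//if (len > 0) {
+// matrixSslSentData(ssl, len);
+//}
+}
+}
+//matrixSslDeleteSession(ssl);
+shutdown(fd, SHUT_WR);
+exit(0);
+}
+
+static int encode_data(ssl_t *ssl, const void *data, int len)
+{
+unsigned char *buf;
+int available;
+
+available = matrixSslGetWritebuf(ssl, &buf, len);
+if (available < 0)
+die("matrixSslGetWritebuf\n");
+if (len > available)
+die("len > available\n");
+memcpy(buf, data, len);
+if (matrixSslEncodeWritebuf(ssl, len) < 0)
+die("matrixSslEncodeWritebuf\n");
+return len;
+}
+
+static void flush_to_net(ssl_t *ssl, int fd)
+{
+int rc;
+int len;
+unsigned char *buf;
+
+while ((len = matrixSslGetOutdata(ssl, &buf)) > 0) {
+dbg("writing net %d bytes\n", len);
+if (full_write(fd, buf, len) != len)
+die("write to network\n");
+rc = matrixSslSentData(ssl, len);
+if (rc < 0)
+die("matrixSslSentData\n");
+}
+}
+
+static void do_io_until_eof_and_exit(int fd, sslKeys_t *keys)
+{
+int rc;
+int len;
+uint32_t len32u;
+sslSessionId_t *sid;
+ssl_t *ssl;
+unsigned char *buf;
+
+NETWORK.fd = fd;
+/* Note! STDIN.fd is disabled (-1) until SSL handshake is over:
+* we do not attempt to feed any user data to MatrixSSL
+* before it is ready.
+*/
+
+matrixSslNewSessionId(&sid);
+rc = matrixSslNewClientSession(&ssl, keys, sid, 0, certCb, NULL, NULL, 0);
+dbg("matrixSslNewClientSession:rc=%d\n", rc);
+if (rc != MATRIXSSL_REQUEST_SEND)
+die("matrixSslNewClientSession\n");
+
+len = 0; /* only to suppress compiler warning */
+again:
+switch (rc) {
+case MATRIXSSL_REQUEST_SEND:
+dbg("MATRIXSSL_REQUEST_SEND\n");
+flush_to_net(ssl, fd);
+goto poll_input;
+
+case 0:
+dbg("rc==0\n");
+flush_to_net(ssl, fd);
+goto poll_input;
+
+case MATRIXSSL_REQUEST_CLOSE:
+/* what does this mean if we are here? */
+dbg("MATRIXSSL_REQUEST_CLOSE\n");
+close_conn_and_exit(ssl, fd);
+
+case MATRIXSSL_HANDSHAKE_COMPLETE:
+dbg("MATRIXSSL_HANDSHAKE_COMPLETE\n");
+/* Init complete, can start reading local user's data: */
+STDIN.fd = STDIN_FILENO;
+poll_input:
+wait_for_input();
+if (STDIN_READY()) {
+char ibuf[4 * 1024];
+dbg("reading stdin\n");
+len = read(STDIN_FILENO, ibuf, sizeof(ibuf));
+if (len < 0)
+die("read error on stdin\n");
+if (len == 0)
+STDIN.fd = -1;
+else {
+len = encode_data(ssl, ibuf, len);
+if (len) {
+rc = MATRIXSSL_REQUEST_SEND;
+dbg("rc=%d\n", rc);
+goto again;
+}
+}
+}
+read_network:
+if (NETWORK_READY()) {
+dbg("%s%s%s\n",
+(pfd[1].revents & POLLIN) ? "POLLIN" : "",
+(pfd[1].revents & POLLERR) ? "|POLLERR" : "",
+(pfd[1].revents & POLLHUP) ? "|POLLHUP" : ""
+);
+len = matrixSslGetReadbuf(ssl, &buf);
+if (len <= 0)
+die("matrixSslGetReadbuf\n");
+dbg("reading net up to %d\n", len);
+len = read(fd, buf, len);
+dbg("reading net:%d\n", len);
+if (len < 0)
+die("read error on network\n");
+if (len == 0) /*eof*/
+NETWORK.fd = -1;
+len32u = len;
+rc = matrixSslReceivedData(ssl, len, &buf, &len32u);
+dbg("matrixSslReceivedData:rc=%d\n", rc);
+len = len32u;
+if (rc < 0)
+die("matrixSslReceivedData\n");
+}
+goto again;
+
+case MATRIXSSL_APP_DATA:
+dbg("MATRIXSSL_APP_DATA: writing stdout\n");
+do {
+if (full_write(STDOUT_FILENO, buf, len) != len)
+die("write to stdout\n");
+len32u = len;
+rc = matrixSslProcessedData(ssl, &buf, &len32u);
+//this was seen returning rc=0:
+dbg("matrixSslProcessedData:rc=%d\n", rc);
+len = len32u;
+} while (rc == MATRIXSSL_APP_DATA);
+if (pfd[1].fd == -1) {
+/* Already saw EOF on network, and we processed
+* and wrote out all ssl data. Signal it:
+*/
+close(STDOUT_FILENO);
+}
+goto again;
+
+case MATRIXSSL_REQUEST_RECV:
+dbg("MATRIXSSL_REQUEST_RECV\n");
+wait_for_input();
+goto read_network;
+
+case MATRIXSSL_RECEIVED_ALERT:
+dbg("MATRIXSSL_RECEIVED_ALERT\n");
+/* The first byte of the buffer is the level */
+/* The second byte is the description */
+if (buf[0] == SSL_ALERT_LEVEL_FATAL)
+die("Fatal alert\n");
+/* Closure alert is normal (and best) way to close */
+if (buf[1] == SSL_ALERT_CLOSE_NOTIFY)
+close_conn_and_exit(ssl, fd);
+die("Warning alert\n");
+len32u = len;
+rc = matrixSslProcessedData(ssl, &buf, &len32u);
+dbg("matrixSslProcessedData:rc=%d\n", rc);
+len = len32u;
+goto again;
+
+default:
+/* If rc < 0 it is an error */
+die("bad rc:%d\n", rc);
+}
+}
+
+static sslKeys_t* make_keys(void)
+{
+int rc, CAstreamLen;
+char *CAstream;
+sslKeys_t *keys;
+
+if (matrixSslNewKeys(&keys) < 0)
+die("matrixSslNewKeys\n");
+
+#ifdef USE_HEADER_KEYS
+/*
+* In-memory based keys
+* Build the CA list first for potential client auth usage
+*/
+CAstream = NULL;
+CAstreamLen = sizeof(RSACAS);
+if (CAstreamLen > 0) {
+CAstream = psMalloc(NULL, CAstreamLen);
+memcpy(CAstream, RSACAS, sizeof(RSACAS));
+}
+
+#ifdef ID_RSA
+rc = matrixSslLoadRsaKeysMem(keys, RSA2048, sizeof(RSA2048),
+RSA2048KEY, sizeof(RSA2048KEY), (unsigned char*)CAstream,
+CAstreamLen);
+if (rc < 0)
+die("matrixSslLoadRsaKeysMem\n");
+#endif
+
+if (CAstream)
+psFree(CAstream);
+#endif /* USE_HEADER_KEYS */
+return keys;
+}
+
+int main(int argc, char **argv)
+{
+int fd;
+char *fd_str;
+
+if (!argv[1])
+die("Syntax error\n");
+if (argv[1][0] != '-')
+die("Syntax error\n");
+if (argv[1][1] != 'd')
+die("Syntax error\n");
+fd_str = argv[1] + 2;
+if (!fd_str[0])
+fd_str = argv[2];
+if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9')
+die("Syntax error\n");
+
+fd = atoi(fd_str);
+if (fd < 3)
+die("Syntax error\n");
+
+if (matrixSslOpen() < 0)
+die("matrixSslOpen\n");
+
+do_io_until_eof_and_exit(fd, make_keys());
+/* does not return */
+
+return 0;
+}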
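Review bot: certCb() returns `SSL_ALLOW_ANON_CONNECTION` whenever `alert > 0`, which appears to be the case where MatrixSSL's own certificate validation has already failed, so the session ends up encrypted but the peer is never authenticated and an on-path substitution of the server would go unnoticed. Unless anonymous mode is meant to be an explicit opt-in, that branch should fail the handshake, e.g. `if (alert > 0) return PS_FAILURE;` (the value the disabled `#if 0` block already uses), and the callback is also where the validity-date check mentioned in that block belongs. make_keys() takes both the CA list and the RSA2048 client identity from MatrixSSL's `sampleCerts` headers while the `#warning` about default keys is commented out, so the trust anchors and private key are published test material; a comment such as `/* FIXME: sample CAs and key only, replace before any real use */` next to `#define USE_HEADER_KEYS` would keep that visible. Separately, `strlen` and `memcpy` are called without `#include <string.h>`, and the `psMalloc` result in make_keys() is passed to `memcpy` without a NULL check.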
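--- a/networking/ssl_helper/ssl_helper.sh
+++ b/networking/ssl_helper/ssl_helper.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# I use this to build static uclibc based binary using Aboriginal Linux toolchain:
+PREFIX=x86_64-
+STATIC=-static
+# Standard build:
+PREFIX=""
+STATIC=""
+
+${PREFIX}gcc -Os -DPOSIX -I.. -I../sampleCerts -Wall -c ssl_helper.c -o ssl_helper.o
+${PREFIX}gcc $STATIC ssl_helper.o ../libmatrixssl.a -lc ../libmatrixssl.a -o ssl_helper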
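Review bot: The script never checks the compile step, so if the first `gcc` fails the link line still runs and can silently link a stale `ssl_helper.o` left over from an earlier build; adding `set -e` right after the shebang stops at the first failure. The `PREFIX=x86_64-` / `STATIC=-static` pair is overwritten two lines later by the "Standard build" pair, so the static cross-build settings are dead as written. Commenting that pair out under a line such as `# Uncomment for a static uclibc cross build:` would make the intended default explicit.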