From 018025f0f36a4847df265c9948dbaf7073ed3245 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 25 Nov 2016 18:16:05 +0000 Subject: Alpha version of the SSL work. Doesn't build yet, but I'm scared of losing it, so using git as storage. Will fix the stupid bugs now, the tricky bugs later. --- src/stls/deps-lib/stls | 5 + src/stls/stls_run.c | 274 +++++++++++++++++++++++++++++++++++++++++++++++++ src/stls/stls_s6tlsc.c | 95 +++++++++++++++++ src/stls/stls_s6tlsd.c | 91 ++++++++++++++++ 4 files changed, 465 insertions(+) create mode 100644 src/stls/deps-lib/stls create mode 100644 src/stls/stls_run.c create mode 100644 src/stls/stls_s6tlsc.c create mode 100644 src/stls/stls_s6tlsd.c (limited to 'src/stls') diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls new file mode 100644 index 0000000..799c7ae --- /dev/null +++ b/src/stls/deps-lib/stls @@ -0,0 +1,5 @@ +stls_run.o +stls_s6tlsc.o +stls_s6tlsd.o +-ltls +-lskarnet diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c new file mode 100644 index 0000000..24ff801 --- /dev/null +++ b/src/stls/stls_run.c @@ -0,0 +1,274 @@ +/* ISC license. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ; +struct tlsbuf_s +{ + char buf[STLS_BUFSIZE] ; + buffer b ; + unsigned int blockedonother : 1 ; +} ; + +static inline int buffer_tls_flush (struct tls *ctx, tlsbuf_t *b) +{ + siovec_t v[2] ; + ssize_t r, w ; + buffer_rpeek(&b[0].b, v) ; + r = tls_write(ctx, v[0].s, v[0].len) ; + switch (r) + { + case -1 : return -1 ; + case TLS_WANT_POLLIN : + if (b[1].blockedonother) strerr_dief1x(101, "TLS deadlock") ; + b[0].blockedonother = 1 ; + case TLS_WANT_POLLOUT : return 0 ; + default : break ; + } + w = r ; + if (v[1].len) + { + r = tls_write(ctx, v[1].s, v[1].len) ; + switch (r) + { + case TLS_WANT_POLLIN : + if (b[1].blockedonother) strerr_dief1x(101, "TLS deadlock") ; + b[0].blockedonother = 1 ; + case -1 : + case TLS_WANT_POLLOUT : + buffer_rseek(&b[0].b, w) ; + return 0 ; + default : break ; + } + w += r ; + } + buffer_rseek(&b[0].b, w) ; + return 1 ; +} + +static inline int buffer_tls_fill (struct tls *ctx, tlsbuf_t *b) +{ + siovec_t v[2] ; + ssize_t r, w ; + int ok = 1 ; + buffer_wpeek(&b[1].b, v) ; + r = tls_read(ctx, v[0].s, v[0].len) ; + switch (r) + { + case 0 : return -2 ; + case -1 : return -1 ; + case TLS_WANT_POLLOUT : + if (b[0].blockedonother) strerr_dief1x(101, "TLS deadlock") ; + b[1].blockedonother = 1 ; + case TLS_WANT_POLLIN : return 0 ; + default : break ; + } + w = r ; + if (v[1].len) + { + r = tls_read(ctx, v[1].s, v[1].len) ; + switch (r) + { + case TLS_WANT_POLLOUT : + if (b[0].blockedonother) strerr_dief1x(101, "TLS deadlock") ; + b[1].blockedonother = 1 ; + case -1 : + case TLS_WANT_POLLIN : + buffer_wseek(&b[1].b, w) ; + return 0 ; + case 0 : ok = -1 ; + default : break ; + } + w += r ; + } + buffer_wseek(&b[1].b, w) ; + return ok ; +} + +static void do_tls_close (struct tls *ctx, int fd) +{ + iopause_fd x = { .fd = fd, .events = IOPAUSE_WRITE } ; + while (tls_close(ctx) == TLS_WANT_POLLOUT) + if (iopause_g(&x, 1, 0) < 0) + strerr_diefu1sys(111, "iopause") ; +} + +int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, tain_t const *tto) +{ + tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ; + iopause_fd x[4] ; + unsigned int xindex[4] ; + register unsigned int i ; + + for (i = 0 ; i < 2 ; i++) + { + buffer_init(&b[i].b, i ? &buffer_write : &buffer_read, fds[i], b[i].buf, STLS_BUFSIZE) ; + if (ndelay_on(fds[2+i]) < 0) strerr_diefu1sys(111, "set fds non-blocking") ; + } + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + + tain_now_g() ; + + for (;;) + { + tain_t deadline ; + unsigned int xlen = 0 ; + register int r ; + + tain_add_g(&deadline, buffer_isempty(&b[0].b) && buffer_isempty(&b[1].b) ? tto : &tain_infinite_relative) ; + + + /* poll() preparation */ + + if (fds[0] >= 0 && buffer_isreadable(&b[0].b)) + { + x[xlen].fd = fds[0] ; + x[xlen].events = IOPAUSE_READ ; + xindex[0] = xlen++ ; + } + else xindex[0] = 4 ; + + if (fds[1] >= 0 && buffer_iswritable(&b[1].b)) + { + x[xlen].fd = fds[1] ; + x[xlen].events = IOPAUSE_WRITE ; + xindex[1] = xlen++ ; + } + else xindex[1] = 4 ; + + if (fds[2] >= 0 && !b[1].blockedonother && buffer_isreadable(&b[1].b)) + { + x[xlen].fd = fds[2] ; + x[xlen].events = IOPAUSE_READ ; + xindex[2] = xlen++ ; + } + else xindex[2] = 4 ; + + if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b)) + { + x[xlen].fd = fds[3] ; + x[xlen].events = IOPAUSE_WRITE ; + xindex[3] = xlen++ ; + } + else xindex[3] = 4 ; + + if (!xlen) break ; + + + /* poll() */ + + r = iopause_g(x, xlen, &deadline) ; + if (r < 0) strerr_diefu1sys(111, "iopause") ; + else if (!r) + { + fd_close(fds[0]) ; + tls_close(ctx) ; + continue ; + } + + while (xlen--) + if (x[xlen].revents & IOPAUSE_EXCEPT) + x[xlen].revents |= IOPAUSE_READ | IOPAUSE_WRITE ; + + + /* Flush to local */ + + if (xindex[1] < 4 && x[xindex[1]].revents & IOPAUSE_WRITE) + { + r = buffer_flush(&b[1].b) ; + if (!r && !error_isagain(errno)) + { + strerr_warnwu1sys("write to application") ; + if (fds[2] >= 0) + { + if (options & 1) shutdown(fds[2], SHUT_RD) ; + fd_close(fds[2]) ; fds[2] = -1 ; + } + r = 1 ; + } + if (r && fds[2] < 0) + { + fd_close(fds[1]) ; fds[1] = -1 ; + } + } + + + /* Flush to remote */ + + if (xindex[3] < 4 && x[xindex[3]].revents & IOPAUSE_WRITE) + { + r = buffer_tls_flush(ctx, b) ; + if (r < 0) + { + strerr_warnwu2x("write to peer: ", tls_error(ctx)) ; + fd_close(fds[0]) ; fds[0] = -1 ; + } + if (r && fds[0] < 0) + { + if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ; + if (options & 1) shutdown(fds[3], SHUT_WR) ; + fd_close(fds[3]) ; fds[3] = -1 ; + } + } + + + /* Fill from local */ + + if (xindex[0] < 4 && x[xindex[0]].revents & IOPAUSE_READ) + { + r = sanitize_read(buffer_fill(&b[0].b)) ; + if (r < 0) + { + if (r == -1) strerr_warnwu1sys("read from application") ; + fd_close(fds[0]) ; fds[0] = -1 ; + if (buffer_isempty(&b[0].b)) + { + if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ; + if (options & 1) shutdown(fds[3], SHUT_WR) ; + fd_close(fds[3]) ; fds[3] = -1 ; + } + } + } + + + /* Fill from remote */ + + if (xindex[2] < 4 && x[xindex[2]].revents & IOPAUSE_READ) + { + r = buffer_tls_fill(ctx, b) ; + if (r < 0) + { + if (errno != EPIPE) strerr_warnwu1sys("read from peer") ; + if (options & 1) shutdown(fds[2], SHUT_RD) ; + fd_close(fds[2]) ; fds[2] = -1 ; + if (buffer_isempty(&b[1].b)) + { + fd_close(fds[1]) ; fds[1] = -1 ; + } + } + } + } + + if (fds[1] >= 0) fd_close(fds[1]) ; + if (fds[0] >= 0) fd_close(fds[0]) ; + if (fds[3] >= 0) fd_close(fds[3]) ; + if (fds[2] >= 0) fd_close(fds[2]) ; + return 0 ; +} diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c new file mode 100644 index 0000000..7fd4325 --- /dev/null +++ b/src/stls/stls_s6tlsc.c @@ -0,0 +1,95 @@ +/* ISC license. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) +#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx)) + +int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, int *sfd) +{ + int fds[4] = { sfd[0], sfd[1], sfd[0], sfd[1] } ; + struct tls *cctx ; + struct tls *ctx ; + struct tls_config *cfg ; + pid_t pid ; + char const *x ; + + if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ; + cfg = tls_config_new() ; + if (!cfg) strerr_diefu1sys(111, "tls_config_new") + + x = env_get2(envp, "CADIR") ; + if (x) + { + if (tls_config_set_ca_path(cfg, x) < 0) + diecfg(cfg, "tls_config_set_ca_path") ; + } + else + { + x = env_get2(envp, "CAFILE") ; + if (x) + { + if (tls_config_set_ca_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_ca_file") ; + } + else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ; + } + + if (preoptions & 1) + { + x = env_get2(envp, "CERTFILE") ; + if (!x) strerr_dienotset(100, "CERTFILE") ; + if (tls_config_set_cert_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_cert_file") ; + + x = env_get2(envp, "KEYFILE") ; + if (!x) strerr_dienotset(100, "KEYFILE") ; + if (tls_config_set_key_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_cert_file") ; + } + + if (tls_config_set_ciphers(cfg, "secure") < 0) + diecfg(cfg, "tls_config_set_ciphers") ; + + if (tls_config_set_dheparams(cfg, "auto") < 0) + diecfg(cfg, "tls_config_set_dheparams") ; + + if (tls_config_set_ecdhecurve(cfg, "auto") < 0) + diecfg("tls_config_set_ecdhecurve") ; + + tls_config_verify(cfg) ; + tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; + tls_config_prefer_ciphers_server(cfg) ; + + ctx = tls_client() ; + if (!ctx) strerr_diefu1sys(111, "tls_client") ; + if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure) ; + tls_config_free(cfg) ; + + pid = child_spawn2(argv[0], argv, envp, fds) ; + if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; + if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; + if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; + + if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0) + diectx(ctx, "tls_accept_fds") ; + + tls_free(ctx) ; + + { + int wstat ; + int r = stls_run(cctx, fds, verbosity, options, tto) ; + if (r < 0) strerr_diefu1sys(111, "run SSL engine") ; + else if (r) diectx(98, cctx, "run SSL engine") ; + if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; + return wait_estatus(wstat) ; + } +} diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c new file mode 100644 index 0000000..f6d5e7c --- /dev/null +++ b/src/stls/stls_s6tlsd.c @@ -0,0 +1,91 @@ +/* ISC license. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) +#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx)) + +int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity) +{ + int fds[4] = { 0, 1, 0, 1 } ; + struct tls *cctx ; + struct tls *ctx ; + struct tls_config *cfg ; + pid_t pid ; + char const *x ; + + if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ; + cfg = tls_config_new() ; + if (!cfg) strerr_diefu1sys(111, "tls_config_new") + + x = env_get2(envp, "CAFILE") ; + if (x) + { + if (tls_config_set_ca_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_ca_file") ; + } + + x = env_get2(envp, "CADIR") ; + if (x) + { + if (tls_config_set_ca_path(cfg, x) < 0) + diecfg(cfg, "tls_config_set_ca_path") ; + } + + x = env_get2(envp, "CERTFILE") ; + if (!x) strerr_dienotset(100, "CERTFILE") ; + if (tls_config_set_cert_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_cert_file") ; + + x = env_get2(envp, "KEYFILE") ; + if (!x) strerr_dienotset(100, "KEYFILE") ; + if (tls_config_set_key_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_cert_file") ; + + if (tls_config_set_ciphers(cfg, "secure") < 0) + diecfg(cfg, "tls_config_set_ciphers") ; + + if (tls_config_set_dheparams(cfg, "auto") < 0) + diecfg(cfg, "tls_config_set_dheparams") ; + + if (tls_config_set_ecdhecurve(cfg, "auto") < 0) + diecfg("tls_config_set_ecdhecurve") ; + + if (preoptions & 1) tls_config_verify_client(cfg) ; + else tls_config_verify_client_optional(cfg) ; + + tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; + tls_config_prefer_ciphers_server(cfg) ; + + ctx = tls_server() ; + if (!ctx) strerr_diefu1sys(111, "tls_server") ; + if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; + tls_config_free(cfg) ; + + pid = child_spawn2(argv[0], argv, envp, fds) ; + if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; + if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; + if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; + + if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0) + diectx(ctx, "tls_accept_fds") ; + + tls_free(ctx) ; + + { + int wstat ; + int r = stls_run(cctx, fds, verbosity, options, tto) ; + if (r < 0) strerr_diefu1sys(111, "run SSL engine") ; + else if (r) diectx(98, cctx, "run SSL engine") ; + if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; + return wait_estatus(wstat) ; + } +} -- cgit v1.2.3