|
|
|
/*
|
|
|
|
* Secure Network Transport Layer Library v2 implementation.
|
|
|
|
* (sntllv2) it superseed all versions before due to the:
|
|
|
|
* - memory consumption
|
|
|
|
* - new features such as pulse emitting
|
|
|
|
* - performance optimization
|
|
|
|
*
|
|
|
|
* This is a proprietary software. See COPYING for further details.
|
|
|
|
*
|
|
|
|
* (c) Askele Group 2013-2015 <http://askele.com>
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <pthread.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <sys/time.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
|
|
|
#ifdef WIN32
|
|
|
|
#include <Winsock2.h>
|
|
|
|
#define EBADE 1
|
|
|
|
#define NETDB_SUCCESS 0
|
|
|
|
#else
|
|
|
|
#include <sys/select.h>
|
|
|
|
#include <netdb.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <uuid/uuid.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
|
|
|
#include <tdata/usrtc.h>
|
|
|
|
#include <sexpr/sexp.h>
|
|
|
|
|
|
|
|
#include <sntl/connection.h>
|
|
|
|
|
|
|
|
static int ex_ssldata_index; /** < index used to work with additional data
|
|
|
|
* provided to the special call during SSL handshake */
|
|
|
|
|
|
|
|
/* this function is an ugly implementation to get C string with uuid */
|
|
|
|
extern char *__generate_uuid(void);
|
|
|
|
|
|
|
|
/* this is a callback to perform a custom SSL certs chain validation,
|
|
|
|
* as I promised here the comments, a lot of ...
|
|
|
|
* The first shit: 0 means validation failed, 1 otherwise
|
|
|
|
* The second shit: X509 API, I guess u will love it ;-)
|
|
|
|
* openssl calls this function for each certificate in chain,
|
|
|
|
* since our case is a simple (depth of chain is one, since we're
|
|
|
|
* don't care for public certificates lists or I cannot find any reasons to
|
|
|
|
* do it ...), amount of calls reduced, and in this case we're interested
|
|
|
|
* only in top of chain i.e. actual certificate used on client side,
|
|
|
|
* the validity of signing for other certificates within chain is
|
|
|
|
* guaranteed by the ssl itself.
|
|
|
|
* u know, we need to lookup in database, or elsewhere... some information
|
|
|
|
* about client certificate, and decide - is it valid, or not?, if so
|
|
|
|
* yep I mean it's valid, we can assign it's long fucking number to
|
|
|
|
* security context, to use in ongoing full scaled connection handshaking.
|
|
|
|
*/
|
|
|
|
static int __verify_certcall(int preverify_ok, X509_STORE_CTX *ctx)
|
|
|
|
{
|
|
|
|
// X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
|
|
|
|
int err = X509_STORE_CTX_get_error(ctx), depth = X509_STORE_CTX_get_error_depth(ctx);
|
|
|
|
SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
|
|
|
conn_t *co = SSL_get_ex_data(ssl, ex_ssldata_index); /* this is a custom data we're set before */
|
|
|
|
conn_sys_t *ssys = co->ssys;
|
|
|
|
|
|
|
|
/* now we need to check for certificates with a long chain,
|
|
|
|
* so since we have a short one, reject long ones */
|
|
|
|
if(depth > VERIFY_DEPTH) { /* longer than we expect */
|
|
|
|
preverify_ok = 0; /* yep, 0 means error for those function callback in openssl, fucking set */
|
|
|
|
err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
|
|
|
|
X509_STORE_CTX_set_error(ctx, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!preverify_ok) return 0;
|
|
|
|
|
|
|
|
/* ok, now we're on top of SSL (depth == 0) certs chain,
|
|
|
|
* and we can validate client certificate */
|
|
|
|
if(!depth) {
|
|
|
|
co->pctx->certid =
|
|
|
|
ASN1_INTEGER_get((const ASN1_INTEGER *)X509_get_serialNumber(ctx->current_cert));
|
|
|
|
/* now we're need to check the ssl cert */
|
|
|
|
if(ssys->validate_sslpem) {
|
|
|
|
if(ssys->validate_sslpem(co)) return 0;
|
|
|
|
else return 1;
|
|
|
|
} else return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return preverify_ok;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* dummy just to check the server side */
|
|
|
|
static int __verify_certcall_dummy(int preverify_ok, X509_STORE_CTX *ctx)
|
|
|
|
{
|
|
|
|
return preverify_ok;
|
|
|
|
}
|
|
|
|
|
|
|
|
int sntl_init(void)
|
|
|
|
{
|
|
|
|
/* init SSL library */
|
|
|
|
SSL_library_init();
|
|
|
|
|
|
|
|
OpenSSL_add_all_algorithms();
|
|
|
|
SSL_load_error_strings();
|
|
|
|
|
|
|
|
ex_ssldata_index = SSL_get_ex_new_index(0, "__ssldata index", NULL, NULL, NULL);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
conn_t *__connection_minimal_alloc(struct in_addr *addr)
|
|
|
|
{
|
|
|
|
conn_t *co = malloc(sizeof(conn_t));
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if(!co) { r = ENOMEM; goto __fail; }
|
|
|
|
else memset(co, 0, sizeof(conn_t));
|
|
|
|
|
|
|
|
if(!(co->messages = malloc(sizeof(uintptr_t)*1024))) { r = ENOMEM; goto __fail; }
|
|
|
|
else memset(co->messages, 0, sizeof(uintptr_t)*1024);
|
|
|
|
|
|
|
|
if(!(co->pctx = malloc(sizeof(perm_ctx_t)))) { r = ENOMEM; goto __fail; }
|
|
|
|
else memset(co->pctx, 0, sizeof(perm_ctx_t));
|
|
|
|
if(addr) {
|
|
|
|
if(!(co->pctx->addr = malloc(sizeof(struct in_addr)))) { r = ENOMEM; goto __fail; }
|
|
|
|
|
|
|
|
memcpy(co->pctx->addr, addr, sizeof(struct in_addr));
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!(co->uuid = __generate_uuid())) { r = ENOMEM; goto __fail; }
|
|
|
|
|
|
|
|
return co;
|
|
|
|
|
|
|
|
__fail:
|
|
|
|
if(co) {
|
|
|
|
if(co->pctx) {
|
|
|
|
if(co->pctx->addr) free(co->pctx->addr);
|
|
|
|
free(co->pctx);
|
|
|
|
}
|
|
|
|
if(co->messages) free(co->messages);
|
|
|
|
free(co);
|
|
|
|
}
|
|
|
|
errno = r;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __connection_minimal_free(conn_t *co)
|
|
|
|
{
|
|
|
|
if(co) {
|
|
|
|
if(co->pctx) {
|
|
|
|
if(co->pctx->addr) free(co->pctx->addr);
|
|
|
|
free(co->pctx);
|
|
|
|
}
|
|
|
|
if(co->messages) free(co->messages);
|
|
|
|
free(co->uuid);
|
|
|
|
free(co);
|
|
|
|
}
|
|
|
|
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __eval_syssexp(conn_t *co, sexp_t *sx)
|
|
|
|
{
|
|
|
|
cx_rpc_list_t *rpc_list = co->ssys->system_rpc;
|
|
|
|
usrtc_node_t *node;
|
|
|
|
cx_rpc_t *rentry;
|
|
|
|
char *rpcf;
|
|
|
|
|
|
|
|
if(sx->ty == SEXP_LIST)
|
|
|
|
rpcf = sx->list->val;
|
|
|
|
else return SNE_BADPROTO;
|
|
|
|
|
|
|
|
/* find an appropriate function */
|
|
|
|
node = usrtc_lookup(rpc_list->rpc_tree, rpcf);
|
|
|
|
|
|
|
|
if(!node) return SNE_ENORPC;
|
|
|
|
else rentry = (cx_rpc_t *)usrtc_node_getdata(node);
|
|
|
|
|
|
|
|
/* call it */
|
|
|
|
return rentry->rpcf((void *)co, sx);
|
|
|
|
}
|
|
|
|
|
|
|
|
int connection_create_fapi_m(conn_sys_t *ssys, conn_t *co, int sck,
|
|
|
|
struct in_addr *addr)
|
|
|
|
{
|
|
|
|
void *buf = NULL;
|
|
|
|
char *bbuf;
|
|
|
|
conn_t *coc = __connection_minimal_alloc(addr);
|
|
|
|
sx_msg_t *msg = NULL;
|
|
|
|
sntllv2_head_t *head;
|
|
|
|
size_t rd;
|
|
|
|
|
|
|
|
if(!coc) return SNE_ENOMEM;
|
|
|
|
|
|
|
|
/* ok, now we need to init ssl stuff */
|
|
|
|
co->ssys = ssys;
|
|
|
|
|
|
|
|
/* init SSL certificates and context */
|
|
|
|
co->ctx = SSL_CTX_new(TLSv1_2_server_method());
|
|
|
|
if(!co->ctx) { goto __fail; }
|
|
|
|
else {
|
|
|
|
/* set verify context */
|
|
|
|
SSL_CTX_set_verify(co->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
|
|
|
|
__verify_certcall);
|
|
|
|
/* set verify depth */
|
|
|
|
SSL_CTX_set_verify_depth(co->ctx, VERIFY_DEPTH);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* load certificates */
|
|
|
|
SSL_CTX_load_verify_locations(co->ctx, ssys->rootca, NULL);
|
|
|
|
/* set the local certificate from CertFile */
|
|
|
|
if(SSL_CTX_use_certificate_file(co->ctx, ssys->certpem,
|
|
|
|
SSL_FILETYPE_PEM)<=0) {
|
|
|
|
ERR_print_errors_fp(stderr);
|
|
|
|
goto __fail;
|
|
|
|
}
|
|
|
|
/* set the private key from KeyFile (may be the same as CertFile) */
|
|
|
|
if(SSL_CTX_use_PrivateKey_file(co->ctx, ssys->certkey,
|
|
|
|
SSL_FILETYPE_PEM)<=0) {
|
|
|
|
goto __fail;
|
|
|
|
}
|
|
|
|
/* verify private key */
|
|
|
|
if (!SSL_CTX_check_private_key(co->ctx)) {
|
|
|
|
goto __fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* now we will create an SSL connection */
|
|
|
|
co->ssl = SSL_new(co->ctx);
|
|
|
|
if(!co->ssl) goto __fail;
|
|
|
|
else SSL_set_fd(co->ssl, sck); /* attach connected socket */
|
|
|
|
|
|
|
|
SSL_set_accept_state(co->ssl);
|
|
|
|
/* set the context to verify ssl connection */
|
|
|
|
SSL_set_ex_data(co->ssl, ex_ssldata_index, (void *)co);
|
|
|
|
SSL_set_accept_state(co->ssl);
|
|
|
|
if(SSL_accept(co->ssl) == -1) goto __fail;
|
|
|
|
|
|
|
|
/* ok, now we are able to allocate and so on */
|
|
|
|
/* set connection to the batch mode */
|
|
|
|
co->flags |= SNSX_BATCHMODE;
|
|
|
|
/* allocate our first buffer */
|
|
|
|
buf = mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
|
|
|
|
if(buf == MAP_FAILED) goto __fail2;
|
|
|
|
/* allocate first message */
|
|
|
|
if(!(msg = malloc(sizeof(sx_msg_t)))) goto __fail2;
|
|
|
|
else {
|
|
|
|
memset(msg, 0, sizeof(sx_msg_t));
|
|
|
|
coc->messages[0] = msg;
|
|
|
|
}
|
|
|
|
bbuf = (char *)buf;
|
|
|
|
bbuf += sizeof(sntllv2_head_t);
|
|
|
|
|
|
|
|
sexp_t *sx;
|
|
|
|
while(co->flags & SNSX_BATCHMODE) {
|
|
|
|
rd = __conn_read(co, buf, sizeof(sntllv2_head_t));
|
|
|
|
if(rd == sizeof(sntllv2_head_t)) {
|
|
|
|
head = (sntllv2_head_t *)buf;
|
|
|
|
|
|
|
|
/* check for returns */
|
|
|
|
if(head->opcode != SNE_SUCCESS) goto __fail3;
|
|
|
|
else { /* opcode is fine */
|
|
|
|
/* if we're ready for messaging mode, turn off batch mode */
|
|
|
|
if(co->flags & SNSX_MESSAGINGMODE) co->flags &= ~SNSX_BATCHMODE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!head->payload_length) continue; /* pass the following check up */
|
|
|
|
|
|
|
|
rd = __conn_read(co, bbuf, head->payload_length);
|
|
|
|
if(rd != head->payload_length) goto __fail3;
|
|
|
|
bbuf[rd] = '\0';
|
|
|
|
sx = parse_sexp(bbuf, rd);
|
|
|
|
if(!sx) goto __fail3;
|
|
|
|
|
|
|
|
/* initialize message */
|
|
|
|
msg->payload = bbuf;
|
|
|
|
msg->payload_length = 0;
|
|
|
|
/* deal with it */
|
|
|
|
r = __eval_syssexp(co, sx);
|
|
|
|
head->opcode = r;
|
|
|
|
if(r != SNE_SUCCESS) { /* we finish */
|
|
|
|
head->payload_length = 0;
|
|
|
|
__conn_write(co, buf, sizeof(sntllv2_head_t));
|
|
|
|
destroy_sexp(sx);
|
|
|
|
goto __fail3;
|
|
|
|
}
|
|
|
|
rd = __conn_write(co, buf, sizeof(sntllv2_head_t) + msg->payload_length);
|
|
|
|
if(rd != sizeof(sntllv2_head_t) + msg->payload_length) {
|
|
|
|
destroy_sexp(sx);
|
|
|
|
goto __fail3;
|
|
|
|
}
|
|
|
|
|
|
|
|
destroy_sexp(sx);
|
|
|
|
} else goto __fail3;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* if we're there - negotiation is done, going to init messaging mode */
|
|
|
|
r = __connection_second_alloc(co);
|
|
|
|
if(r != SNE_SUCCESS) goto __fail3;
|
|
|
|
|
|
|
|
/* and now we're need to create a thread poll */
|
|
|
|
|
|
|
|
return SNE_SUCCESS;
|
|
|
|
|
|
|
|
__fail4:
|
|
|
|
__connection_second_free(co);
|
|
|
|
__fail3:
|
|
|
|
if(ssys->on_destroy) ssys->on_destroy(co);
|
|
|
|
__fail2:
|
|
|
|
if(msg) free(msg);
|
|
|
|
if(buf != MAP_FAILED) munmap(buf, 65536);
|
|
|
|
SSL_shutdown(co->ssl);
|
|
|
|
__fail:
|
|
|
|
if(coc) {
|
|
|
|
if(co->ssl) SSL_free(co->ssl);
|
|
|
|
if(co->ctx) SSL_CTX_free(co->ctx);
|
|
|
|
__connection_minimal_free(coc);
|
|
|
|
}
|
|
|
|
close(sck);
|
|
|
|
return SNE_FAILED;
|
|
|
|
}
|