summaryrefslogtreecommitdiff
path: root/vchat-tls.c
diff options
context:
space:
mode:
authorDirk Engling <erdgeist@erdgeist.org>2022-05-25 00:23:08 +0200
committerDirk Engling <erdgeist@erdgeist.org>2022-05-25 00:23:08 +0200
commit0bd0d4e6db2093186e91aa023865f16c793854e2 (patch)
tree18ad198b26f0be89c3a385cd09b7bcfe3a5063ac /vchat-tls.c
parentacc107e1a89cc599d9c00b3e899e39af3159e950 (diff)
Make tls engine runtime configurable
Diffstat (limited to 'vchat-tls.c')
-rwxr-xr-xvchat-tls.c73
1 files changed, 32 insertions, 41 deletions
diff --git a/vchat-tls.c b/vchat-tls.c
index d2f3b01..f326b91 100755
--- a/vchat-tls.c
+++ b/vchat-tls.c
@@ -28,8 +28,6 @@
28 28
29const char *vchat_tls_version = 29const char *vchat_tls_version =
30 "vchat-tls.c $Id$"; 30 "vchat-tls.c $Id$";
31const char *vchat_tls_version_external =
32 "Unknown implementation; version unknown";
33 31
34/* Helpers to work with vc_x509store_t used by all tls libs */ 32/* Helpers to work with vc_x509store_t used by all tls libs */
35void vc_cleanup_x509store(vc_x509store_t *store) { 33void vc_cleanup_x509store(vc_x509store_t *store) {
@@ -133,15 +131,6 @@ cleanup_happy:
133 return 0; 131 return 0;
134} 132}
135 133
136#if defined(TLS_LIB_OPENSSL) && defined(TLS_LIB_MBEDTLS)
137#error \
138 "Both TLS_LIB_OPENSSL and TLS_LIB_MBEDTLS are defined. Please select only one."
139#endif
140#if !defined(TLS_LIB_OPENSSL) && !defined(TLS_LIB_MBEDTLS)
141#error \
142 "Neither TLS_LIB_OPENSSL nor TLS_LIB_MBEDTLS are defined. Please select exactly one."
143#endif
144
145#ifdef TLS_LIB_OPENSSL 134#ifdef TLS_LIB_OPENSSL
146 135
147#include <openssl/bio.h> 136#include <openssl/bio.h>
@@ -152,13 +141,13 @@ cleanup_happy:
152#include <openssl/x509.h> 141#include <openssl/x509.h>
153#include <openssl/x509v3.h> 142#include <openssl/x509v3.h>
154 143
155void vchat_tls_get_version_external() { 144char *vc_openssl_version() {
156 snprintf(tmpstr, sizeof(tmpstr), "OpenSSL %s with %s", 145 snprintf(tmpstr, sizeof(tmpstr), "OpenSSL %s with %s",
157 SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS)); 146 SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS));
158 vchat_tls_version_external = strdup(tmpstr); 147 return strdup(tmpstr);
159} 148}
160 149
161void vc_init_x509store(vc_x509store_t *store) { 150void vc_openssl_init_x509store(vc_x509store_t *store) {
162 static int sslinit; 151 static int sslinit;
163 if (!sslinit++) { 152 if (!sslinit++) {
164 SSL_library_init(); 153 SSL_library_init();
@@ -243,7 +232,7 @@ static SSL_CTX *vc_create_sslctx(vc_x509store_t *vc_store) {
243 return (ctx); 232 return (ctx);
244} 233}
245 234
246int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) { 235int vc_openssl_connect(int serverfd, vc_x509store_t *vc_store) {
247 SSL_CTX *ctx = vc_create_sslctx(vc_store); 236 SSL_CTX *ctx = vc_create_sslctx(vc_store);
248 X509 *peercert = NULL; 237 X509 *peercert = NULL;
249 BIO *ssl_conn = NULL; 238 BIO *ssl_conn = NULL;
@@ -261,6 +250,10 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
261 250
262 long j; 251 long j;
263 252
253 writecf(FS_SERV, "[SOCKET CONNECTED ]");
254 writecf(FS_SERV, "[UPGRADING TO TLS ]");
255 writecf(FS_SERV, "[TLS ENGINE OPENSSL ]");
256
264 if (!ctx) 257 if (!ctx)
265 goto all_errors; 258 goto all_errors;
266 259
@@ -286,13 +279,13 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
286 cipher = SSL_get_current_cipher(sslp); 279 cipher = SSL_get_current_cipher(sslp);
287 if (cipher) { 280 if (cipher) {
288 char cipher_desc[TMPSTRSIZE]; 281 char cipher_desc[TMPSTRSIZE];
289 snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", 282 snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s",
290 SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); 283 SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE));
291 writecf(FS_SERV, tmpstr); 284 writecf(FS_SERV, tmpstr);
292 } else { 285 } else {
293 snprintf( 286 snprintf(
294 tmpstr, TMPSTRSIZE, 287 tmpstr, TMPSTRSIZE,
295 "[SSL ERROR ] Cipher not known / SSL object can't be queried!"); 288 "[SSL ERROR ] Cipher not known / SSL object can't be queried!");
296 writecf(FS_ERR, tmpstr); 289 writecf(FS_ERR, tmpstr);
297 } 290 }
298 291
@@ -302,10 +295,10 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
302 goto ssl_error; 295 goto ssl_error;
303 296
304 /* show basic information about peer cert */ 297 /* show basic information about peer cert */
305 snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s", 298 snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s",
306 X509_NAME_oneline(X509_get_subject_name(peercert), 0, 0)); 299 X509_NAME_oneline(X509_get_subject_name(peercert), 0, 0));
307 writecf(FS_SERV, tmpstr); 300 writecf(FS_SERV, tmpstr);
308 snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s", 301 snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s",
309 X509_NAME_oneline(X509_get_issuer_name(peercert), 0, 0)); 302 X509_NAME_oneline(X509_get_issuer_name(peercert), 0, 0));
310 writecf(FS_SERV, tmpstr); 303 writecf(FS_SERV, tmpstr);
311 304
@@ -318,7 +311,7 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
318 fp += sprintf(fp, "%02X:", fingerprint_bin[j]); 311 fp += sprintf(fp, "%02X:", fingerprint_bin[j]);
319 assert(fp > fingerprint); 312 assert(fp > fingerprint);
320 fp[-1] = 0; 313 fp[-1] = 0;
321 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] %s (from server)", 314 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] %s (from server)",
322 fingerprint); 315 fingerprint);
323 writecf(FS_SERV, tmpstr); 316 writecf(FS_SERV, tmpstr);
324 317
@@ -333,12 +326,12 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
333 return 0; 326 return 0;
334 327
335 if (getintoption(CF_IGNSSL)) { 328 if (getintoption(CF_IGNSSL)) {
336 writecf(FS_ERR, "[SSL VERIFY ERROR ] FAILURE IGNORED!!!"); 329 writecf(FS_ERR, "[SSL VERIFY ERROR ] FAILURE IGNORED!!!");
337 return 0; 330 return 0;
338 } 331 }
339 332
340ssl_error: 333ssl_error:
341 snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", 334 snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR ] %s",
342 ERR_error_string(ERR_get_error(), NULL)); 335 ERR_error_string(ERR_get_error(), NULL));
343 writecf(FS_ERR, tmpstr); 336 writecf(FS_ERR, tmpstr);
344all_errors: 337all_errors:
@@ -396,18 +389,18 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) {
396 389
397int vc_verify_callback(int ok, X509_STORE_CTX *store) { 390int vc_verify_callback(int ok, X509_STORE_CTX *store) {
398 if (!ok) { 391 if (!ok) {
399 snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s", 392 snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s",
400 X509_verify_cert_error_string(X509_STORE_CTX_get_error(store))); 393 X509_verify_cert_error_string(X509_STORE_CTX_get_error(store)));
401 writecf(FS_ERR, tmpstr); 394 writecf(FS_ERR, tmpstr);
402 } 395 }
403 return (ok | getintoption(CF_IGNSSL)); 396 return (ok | getintoption(CF_IGNSSL));
404} 397}
405 398
406ssize_t vc_tls_sendmessage(const void *buf, size_t size) { 399ssize_t vc_openssl_sendmessage(const void *buf, size_t size) {
407 return BIO_write(server_conn, buf, size); 400 return BIO_write(server_conn, buf, size);
408} 401}
409 402
410ssize_t vc_tls_receivemessage(void *buf, size_t size) { 403ssize_t vc_openssl_receivemessage(void *buf, size_t size) {
411 ssize_t received = (ssize_t)BIO_read(server_conn, buf, size); 404 ssize_t received = (ssize_t)BIO_read(server_conn, buf, size);
412 if (received != 0) 405 if (received != 0)
413 return received; 406 return received;
@@ -416,7 +409,7 @@ ssize_t vc_tls_receivemessage(void *buf, size_t size) {
416 return 0; 409 return 0;
417} 410}
418 411
419void vc_tls_cleanup() { 412void vc_openssl_cleanup() {
420 BIO_free_all(server_conn); 413 BIO_free_all(server_conn);
421 server_conn = NULL; 414 server_conn = NULL;
422} 415}
@@ -451,9 +444,9 @@ typedef struct {
451} mbedstate; 444} mbedstate;
452static mbedstate _mbedtls_state; 445static mbedstate _mbedtls_state;
453 446
454void vchat_tls_get_version_external() { 447char *vc_mbedtls_version() {
455 snprintf(tmpstr, sizeof(tmpstr), "%s", MBEDTLS_VERSION_STRING_FULL); 448 snprintf(tmpstr, sizeof(tmpstr), "%s", MBEDTLS_VERSION_STRING_FULL);
456 vchat_tls_version_external = strdup(tmpstr); 449 return strdup(tmpstr);
457} 450}
458 451
459static int static_tcp_recv(void *ctx, unsigned char *buf, size_t len) { 452static int static_tcp_recv(void *ctx, unsigned char *buf, size_t len) {
@@ -463,16 +456,13 @@ static int static_tcp_send(void *ctx, const unsigned char *buf, size_t len) {
463 return send((int)(intptr_t)ctx, buf, len, 0); 456 return send((int)(intptr_t)ctx, buf, len, 0);
464} 457}
465static int map_openssl_suite(char *openssl_name); 458static int map_openssl_suite(char *openssl_name);
466void vc_init_x509store(vc_x509store_t *store) { 459void vc_mbedtls_init_x509store(vc_x509store_t *store) {
467 static int sslinit; 460 mbedtls_entropy_init(&_mbedtls_state._entropy);
468 if (!sslinit++) { 461 mbedtls_ctr_drbg_init(&_mbedtls_state._ctr_drbg);
469 mbedtls_entropy_init(&_mbedtls_state._entropy);
470 mbedtls_ctr_drbg_init(&_mbedtls_state._ctr_drbg);
471 462
472 mbedtls_ctr_drbg_seed(&_mbedtls_state._ctr_drbg, mbedtls_entropy_func, 463 mbedtls_ctr_drbg_seed(&_mbedtls_state._ctr_drbg, mbedtls_entropy_func,
473 &_mbedtls_state._entropy, 464 &_mbedtls_state._entropy,
474 (const unsigned char *)DRBG_PERS, sizeof(DRBG_PERS)); 465 (const unsigned char *)DRBG_PERS, sizeof(DRBG_PERS));
475 }
476 memset(store, 0, sizeof(vc_x509store_t)); 466 memset(store, 0, sizeof(vc_x509store_t));
477 467
478 /* We want to make verifying the peer the default */ 468 /* We want to make verifying the peer the default */
@@ -485,7 +475,7 @@ static void vc_tls_report_error(int error, char *message) {
485 writecf(FS_ERR, tmpstr); 475 writecf(FS_ERR, tmpstr);
486} 476}
487 477
488int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) { 478int vc_mbedtls_connect(int serverfd, vc_x509store_t *vc_store) {
489 /* Some aliases for shorter references */ 479 /* Some aliases for shorter references */
490 mbedstate *s = &_mbedtls_state; 480 mbedstate *s = &_mbedtls_state;
491 mbedtls_ssl_config *conf = &_mbedtls_state._conf; 481 mbedtls_ssl_config *conf = &_mbedtls_state._conf;
@@ -502,6 +492,7 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
502 492
503 writecf(FS_SERV, "[SOCKET CONNECTED ]"); 493 writecf(FS_SERV, "[SOCKET CONNECTED ]");
504 writecf(FS_SERV, "[UPGRADING TO TLS ]"); 494 writecf(FS_SERV, "[UPGRADING TO TLS ]");
495 writecf(FS_SERV, "[TLS ENGINE MBEDTLS ]");
505 496
506 if ((ret = mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, 497 if ((ret = mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT,
507 MBEDTLS_SSL_TRANSPORT_STREAM, 498 MBEDTLS_SSL_TRANSPORT_STREAM,
@@ -688,11 +679,11 @@ int vc_tls_connect(int serverfd, vc_x509store_t *vc_store) {
688 return 0; 679 return 0;
689} 680}
690 681
691ssize_t vc_tls_sendmessage(const void *buf, size_t size) { 682ssize_t vc_mbedtls_sendmessage(const void *buf, size_t size) {
692 return mbedtls_ssl_write(&_mbedtls_state._ssl, buf, size); 683 return mbedtls_ssl_write(&_mbedtls_state._ssl, buf, size);
693} 684}
694 685
695ssize_t vc_tls_receivemessage(void *buf, size_t size) { 686ssize_t vc_mbedtls_receivemessage(void *buf, size_t size) {
696 ssize_t received = (ssize_t)mbedtls_ssl_read(&_mbedtls_state._ssl, buf, size); 687 ssize_t received = (ssize_t)mbedtls_ssl_read(&_mbedtls_state._ssl, buf, size);
697 switch (received) { 688 switch (received) {
698 case MBEDTLS_ERR_SSL_WANT_READ: 689 case MBEDTLS_ERR_SSL_WANT_READ:
@@ -709,7 +700,7 @@ ssize_t vc_tls_receivemessage(void *buf, size_t size) {
709 } 700 }
710} 701}
711 702
712void vc_tls_cleanup() { 703void vc_mbedtls_cleanup() {
713 mbedtls_x509_crt_free(&_mbedtls_state._cacert); 704 mbedtls_x509_crt_free(&_mbedtls_state._cacert);
714 mbedtls_x509_crt_free(&_mbedtls_state._cert); 705 mbedtls_x509_crt_free(&_mbedtls_state._cert);
715 mbedtls_pk_free(&_mbedtls_state._key); 706 mbedtls_pk_free(&_mbedtls_state._key);
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 05:00:42 +0000