[git commit] networking/ssl_helper: experimental matrixssl-based ssl helper

Denys Vlasenko vda.linux at googlemail.com
Sun Feb 23 22:31:13 UTC 2014


commit: http://git.busybox.net/busybox/commit/?id=d82046f59f8b3d338bcfe6aa3b786e13c5c54ee3
branch: http://git.busybox.net/busybox/commit/?id=refs/heads/master

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/ssl_helper/README        |   16 ++
 networking/ssl_helper/ssl_helper.c  |  406 +++++++++++++++++++++++++++++++++++
 networking/ssl_helper/ssl_helper.sh |   11 +
 3 files changed, 433 insertions(+), 0 deletions(-)

diff --git a/networking/ssl_helper/README b/networking/ssl_helper/README
new file mode 100644
index 0000000..4d0508f
--- /dev/null
+++ b/networking/ssl_helper/README
@@ -0,0 +1,16 @@
+Build instructions:
+
+* Unpack matrixssl-3-4-2-open.tgz.
+* Build it: "make"
+* Drop this directory into matrixssl-3-4-2-open/ssl_helper
+* Run ssl_helper.sh to compile and link the helper
+
+Usage: "ssl_helper -d <FILE_DESCRIPTOR>" where FILE_DESCRIPTOR is open to the peer.
+
+In bash, you can do it this way:
+$ ssl_helper -d3 3<>/dev/tcp/HOST/PORT
+
+Stdin will be SSL-encrypted and sent to FILE_DESCRIPTOR.
+Data from FILE_DESCRIPTOR will be decrypted and sent to stdout.
+
+The plan is to adapt it for wget https helper, and for ssl support in nc.
diff --git a/networking/ssl_helper/ssl_helper.c b/networking/ssl_helper/ssl_helper.c
new file mode 100644
index 0000000..d840b1b
--- /dev/null
+++ b/networking/ssl_helper/ssl_helper.c
@@ -0,0 +1,406 @@
+/*
+ * Copyright (c) 2013 INSIDE Secure Corporation
+ * Copyright (c) PeerSec Networks, 2002-2011
+ * All Rights Reserved
+ *
+ * The latest version of this code is available at http://www.matrixssl.org
+ *
+ * This software is open source; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in WITHOUT ANY WARRANTY; without even the
+ * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ * http://www.gnu.org/copyleft/gpl.html
+ */
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <time.h>
+#include <poll.h>
+#include <sys/socket.h>
+
+#include "matrixssl/matrixsslApi.h"
+
+//#warning "DO NOT USE THESE DEFAULT KEYS IN PRODUCTION ENVIRONMENTS."
+
+/*
+ * If supporting client authentication, pick ONE identity to auto select a
+ * certificate and private key that support desired algorithms.
+ */
+#define ID_RSA /* RSA Certificate and Key */
+
+#define USE_HEADER_KEYS
+
+/* If the algorithm type is supported, load a CA for it */
+#ifdef USE_HEADER_KEYS
+/* CAs */
+# include "sampleCerts/RSA/ALL_RSA_CAS.h"
+/* Identity Certs and Keys for use with Client Authentication */
+# ifdef ID_RSA
+#  define EXAMPLE_RSA_KEYS
+#  include "sampleCerts/RSA/2048_RSA.h"
+#  include "sampleCerts/RSA/2048_RSA_KEY.h"
+# endif
+#endif
+
+static ssize_t safe_write(int fd, const void *buf, size_t count)
+{
+	ssize_t n;
+
+	do {
+		n = write(fd, buf, count);
+	} while (n < 0 && errno == EINTR);
+
+	return n;
+}
+
+static ssize_t full_write(int fd, const void *buf, size_t len)
+{
+	ssize_t cc;
+	ssize_t total;
+
+	total = 0;
+
+	while (len) {
+		cc = safe_write(fd, buf, len);
+
+		if (cc < 0) {
+			if (total) {
+				/* we already wrote some! */
+				/* user can do another write to know the error code */
+				return total;
+			}
+			return cc;  /* write() returns -1 on failure. */
+		}
+
+		total += cc;
+		buf = ((const char *)buf) + cc;
+		len -= cc;
+	}
+
+	return total;
+}
+
+static void say(const char *s, ...)
+{
+	char buf[256];
+	va_list p;
+	int sz;
+
+	va_start(p, s);
+	sz = vsnprintf(buf, sizeof(buf), s, p);
+	full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
+	va_end(p);
+}
+
+static void die(const char *s, ...)
+{
+	char buf[256];
+	va_list p;
+	int sz;
+
+	va_start(p, s);
+	sz = vsnprintf(buf, sizeof(buf), s, p);
+	full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
+	exit(1);
+	va_end(p);
+}
+
+#if 0
+# define dbg(...) say(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+static struct pollfd pfd[2] = {
+	{ -1, POLLIN|POLLERR|POLLHUP, 0 },
+	{ -1, POLLIN|POLLERR|POLLHUP, 0 },
+};
+#define STDIN           pfd[0]
+#define NETWORK         pfd[1]
+#define STDIN_READY()   (pfd[0].revents & (POLLIN|POLLERR|POLLHUP))
+#define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP))
+
+static int wait_for_input(void)
+{
+	if (STDIN.fd == NETWORK.fd) /* means both are -1 */
+		exit(0);
+	dbg("polling\n");
+	STDIN.revents = NETWORK.revents = 0;
+	return poll(pfd, 2, -1);
+}
+
+static int32 certCb(ssl_t *ssl, psX509Cert_t *cert, int32 alert)
+{
+	/* Example to allow anonymous connections based on a define */
+	if (alert > 0) {
+		return SSL_ALLOW_ANON_CONNECTION; // = 254
+	}
+#if 0
+	/* Validate the 'not before' and 'not after' dates, etc */
+	return PS_FAILURE; /* if we don't like this cert */
+#endif
+	return PS_SUCCESS;
+}
+
+static void close_conn_and_exit(ssl_t *ssl, int fd)
+{
+	unsigned char *buf;
+	int len;
+
+	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
+	/* Quick attempt to send a closure alert, don't worry about failure */
+	if (matrixSslEncodeClosureAlert(ssl) >= 0) {
+		len = matrixSslGetOutdata(ssl, &buf);
+		if (len > 0) {
+			len = safe_write(fd, buf, len);
+			//if (len > 0) {
+			//	matrixSslSentData(ssl, len);
+			//}
+		}
+	}
+	//matrixSslDeleteSession(ssl);
+	shutdown(fd, SHUT_WR);
+	exit(0);
+}
+
+static int encode_data(ssl_t *ssl, const void *data, int len)
+{
+	unsigned char *buf;
+	int available;
+
+	available = matrixSslGetWritebuf(ssl, &buf, len);
+	if (available < 0)
+		die("matrixSslGetWritebuf\n");
+	if (len > available)
+		die("len > available\n");
+	memcpy(buf, data, len);
+	if (matrixSslEncodeWritebuf(ssl, len) < 0)
+		die("matrixSslEncodeWritebuf\n");
+	return len;
+}
+
+static void flush_to_net(ssl_t *ssl, int fd)
+{
+	int rc;
+	int len;
+	unsigned char *buf;
+
+	while ((len = matrixSslGetOutdata(ssl, &buf)) > 0) {
+		dbg("writing net %d bytes\n", len);
+		if (full_write(fd, buf, len) != len)
+			die("write to network\n");
+		rc = matrixSslSentData(ssl, len);
+		if (rc < 0)
+			die("matrixSslSentData\n");
+	}
+}
+
+static void do_io_until_eof_and_exit(int fd, sslKeys_t *keys)
+{
+	int rc;
+	int len;
+	uint32_t len32u;
+	sslSessionId_t *sid;
+	ssl_t *ssl;
+	unsigned char *buf;
+
+	NETWORK.fd = fd;
+	/* Note! STDIN.fd is disabled (-1) until SSL handshake is over:
+	 * we do not attempt to feed any user data to MatrixSSL
+	 * before it is ready.
+	 */
+
+	matrixSslNewSessionId(&sid);
+	rc = matrixSslNewClientSession(&ssl, keys, sid, 0, certCb, NULL, NULL, 0);
+dbg("matrixSslNewClientSession:rc=%d\n", rc);
+	if (rc != MATRIXSSL_REQUEST_SEND)
+		die("matrixSslNewClientSession\n");
+
+	len = 0; /* only to suppress compiler warning */
+ again:
+	switch (rc) {
+	case MATRIXSSL_REQUEST_SEND:
+		dbg("MATRIXSSL_REQUEST_SEND\n");
+		flush_to_net(ssl, fd);
+		goto poll_input;
+
+	case 0:
+		dbg("rc==0\n");
+		flush_to_net(ssl, fd);
+		goto poll_input;
+
+	case MATRIXSSL_REQUEST_CLOSE:
+		/* what does this mean if we are here? */
+		dbg("MATRIXSSL_REQUEST_CLOSE\n");
+		close_conn_and_exit(ssl, fd);
+
+	case MATRIXSSL_HANDSHAKE_COMPLETE:
+		dbg("MATRIXSSL_HANDSHAKE_COMPLETE\n");
+		/* Init complete, can start reading local user's data: */
+		STDIN.fd = STDIN_FILENO;
+ poll_input:
+		wait_for_input();
+		if (STDIN_READY()) {
+			char ibuf[4 * 1024];
+			dbg("reading stdin\n");
+			len = read(STDIN_FILENO, ibuf, sizeof(ibuf));
+			if (len < 0)
+				die("read error on stdin\n");
+			if (len == 0)
+				STDIN.fd = -1;
+			else {
+				len = encode_data(ssl, ibuf, len);
+				if (len) {
+					rc = MATRIXSSL_REQUEST_SEND;
+dbg("rc=%d\n", rc);
+					goto again;
+				}
+			}
+		}
+ read_network:
+		if (NETWORK_READY()) {
+			dbg("%s%s%s\n",
+				(pfd[1].revents & POLLIN)  ? "POLLIN"  : "",
+				(pfd[1].revents & POLLERR) ? "|POLLERR" : "",
+				(pfd[1].revents & POLLHUP) ? "|POLLHUP" : ""
+			);
+			len = matrixSslGetReadbuf(ssl, &buf);
+			if (len <= 0)
+				die("matrixSslGetReadbuf\n");
+			dbg("reading net up to %d\n", len);
+			len = read(fd, buf, len);
+			dbg("reading net:%d\n", len);
+			if (len < 0)
+				die("read error on network\n");
+			if (len == 0) /*eof*/
+				NETWORK.fd = -1;
+			len32u = len;
+			rc = matrixSslReceivedData(ssl, len, &buf, &len32u);
+dbg("matrixSslReceivedData:rc=%d\n", rc);
+			len = len32u;
+			if (rc < 0)
+				die("matrixSslReceivedData\n");
+		}
+		goto again;
+
+	case MATRIXSSL_APP_DATA:
+		dbg("MATRIXSSL_APP_DATA: writing stdout\n");
+		do {
+			if (full_write(STDOUT_FILENO, buf, len) != len)
+				die("write to stdout\n");
+			len32u = len;
+			rc = matrixSslProcessedData(ssl, &buf, &len32u);
+//this was seen returning rc=0:
+dbg("matrixSslProcessedData:rc=%d\n", rc);
+			len = len32u;
+		} while (rc == MATRIXSSL_APP_DATA);
+		if (pfd[1].fd == -1) {
+			/* Already saw EOF on network, and we processed
+			 * and wrote out all ssl data. Signal it:
+			 */
+			close(STDOUT_FILENO);
+		}
+		goto again;
+
+	case MATRIXSSL_REQUEST_RECV:
+		dbg("MATRIXSSL_REQUEST_RECV\n");
+		wait_for_input();
+		goto read_network;
+
+	case MATRIXSSL_RECEIVED_ALERT:
+		dbg("MATRIXSSL_RECEIVED_ALERT\n");
+		/* The first byte of the buffer is the level */
+		/* The second byte is the description */
+		if (buf[0] == SSL_ALERT_LEVEL_FATAL)
+			die("Fatal alert\n");
+		/* Closure alert is normal (and best) way to close */
+		if (buf[1] == SSL_ALERT_CLOSE_NOTIFY)
+			close_conn_and_exit(ssl, fd);
+		die("Warning alert\n");
+		len32u = len;
+		rc = matrixSslProcessedData(ssl, &buf, &len32u);
+dbg("matrixSslProcessedData:rc=%d\n", rc);
+		len = len32u;
+		goto again;
+
+	default:
+		/* If rc < 0 it is an error */
+		die("bad rc:%d\n", rc);
+	}
+}
+
+static sslKeys_t* make_keys(void)
+{
+	int rc, CAstreamLen;
+	char *CAstream;
+	sslKeys_t *keys;
+
+	if (matrixSslNewKeys(&keys) < 0)
+		die("matrixSslNewKeys\n");
+
+#ifdef USE_HEADER_KEYS
+	/*
+	 * In-memory based keys
+	 * Build the CA list first for potential client auth usage
+	 */
+	CAstream = NULL;
+	CAstreamLen = sizeof(RSACAS);
+	if (CAstreamLen > 0) {
+		CAstream = psMalloc(NULL, CAstreamLen);
+		memcpy(CAstream, RSACAS, sizeof(RSACAS));
+	}
+
+ #ifdef ID_RSA
+	rc = matrixSslLoadRsaKeysMem(keys, RSA2048, sizeof(RSA2048),
+			RSA2048KEY, sizeof(RSA2048KEY), (unsigned char*)CAstream,
+			CAstreamLen);
+	if (rc < 0)
+		die("matrixSslLoadRsaKeysMem\n");
+ #endif
+
+	if (CAstream)
+		psFree(CAstream);
+#endif /* USE_HEADER_KEYS */
+	return keys;
+}
+
+int main(int argc, char **argv)
+{
+	int fd;
+	char *fd_str;
+
+	if (!argv[1])
+		die("Syntax error\n");
+	if (argv[1][0] != '-')
+		die("Syntax error\n");
+	if (argv[1][1] != 'd')
+		die("Syntax error\n");
+	fd_str = argv[1] + 2;
+	if (!fd_str[0])
+		fd_str = argv[2];
+	if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9')
+		die("Syntax error\n");
+
+	fd = atoi(fd_str);
+	if (fd < 3)
+		die("Syntax error\n");
+
+	if (matrixSslOpen() < 0)
+		die("matrixSslOpen\n");
+
+	do_io_until_eof_and_exit(fd, make_keys());
+	/* does not return */
+
+	return 0;
+}
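Review bot: certCb returns SSL_ALLOW_ANON_CONNECTION for every non-zero alert, so a certificate that fails chain validation (untrusted issuer, expired, self-signed) is still accepted and the peer is never authenticated; that leaves the session open to an active man-in-the-middle, which matters if this helper is to back wget https as the README says. The callback should fail closed, `if (alert > 0) return alert; /* reject: MatrixSSL sends the alert and aborts the handshake */` (or PS_FAILURE), with anonymous mode only behind an explicit opt-in flag. Even with chain validation the helper cannot match the certificate subject against the intended hostname, because main() only receives a file descriptor, so a `-h HOST` argument or a comment stating that hostname checking is the caller's responsibility is needed before https use. The `#warning` about the bundled sample keys is commented out while 2048_RSA_KEY.h is a publicly distributed private key compiled in as the client identity; I would restore the warning or note in the file header that the built-in identity is for testing only.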
diff --git a/networking/ssl_helper/ssl_helper.sh b/networking/ssl_helper/ssl_helper.sh
new file mode 100755
index 0000000..dc52de7
--- /dev/null
+++ b/networking/ssl_helper/ssl_helper.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# I use this to build static uclibc based binary using Aboriginal Linux toolchain:
+PREFIX=x86_64-
+STATIC=-static
+# Standard build:
+PREFIX=""
+STATIC=""
+
+${PREFIX}gcc -Os -DPOSIX -I.. -I../sampleCerts -Wall -c ssl_helper.c -o ssl_helper.o
+${PREFIX}gcc $STATIC ssl_helper.o ../libmatrixssl.a -lc ../libmatrixssl.a -o ssl_helper
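Review bot: The second gcc line runs even when the compile step fails, because the script never sets `set -e`; add it after the shebang so a broken build is not masked by a stale ssl_helper.o from a previous run. The cross-build values of PREFIX and STATIC are unconditionally overwritten two lines later, so that variant can only be selected by editing the file; a comment saying so, or an `if [ -n "$CROSS" ]` guard, would make the intent explicit.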

