Implemented basic SSL

2020-12-11 16:25:26 +01:00
parent f98ffc7077
commit 0bf8c0ccc3
4 changed files with 112 additions and 25 deletions
--- a/2
+++ b/2
@ -8,7 +8,7 @@ packages:
 compile:
 	@echo "Compiling..."
 	@mkdir -p bin
-	gcc src/necronda-server.c -o bin/necronda-server -std=c11 -D_POSIX_C_SOURCE
+	gcc src/necronda-server.c -o bin/necronda-server -std=c11 -D_POSIX_C_SOURCE -lssl -lcrypto
 	@echo "Finished compiling!"
 install: | packages update compile
--- a/src/client.c
+++ b/src/client.c
@ -40,27 +40,34 @@ int client_request_handler() {
    return 0;
 }
-int client_connection_handler(int client) {
+int client_connection_handler(sock *client) {
-    char buf1[256];
+    int ret;
    char buf2[256];
    print("Connection accepted from %s (%s) [%s]", client_addr_str, client_addr_str, "N/A");
-    sprintf(buf1, "Hello World!\nYour address is: %s\n", client_addr_str);
+    if (client->enc) {
-    send(client, buf1, strlen(buf1), 0);
+        client->ssl = SSL_new(client->ctx);
-    int len = -1;
+        SSL_set_fd(client->ssl, client->socket);
    while (len == -1) {
        len = recv(client, &buf1, sizeof(buf1), 0);
    }
    sprintf(buf2, "Thank you, %.*s!\nGood bye!\n", len, buf1);
    send(client, buf2, strlen(buf2), 0);
-    close(client);
+        ret = SSL_accept(client->ssl);
        if (ret <= 0) {
            print(ERR_STR "Unable to perform handshake: %s" CLR_STR, ssl_get_error(client->ssl, ret));
            goto close;
        }
    }
    close:
    if (client->enc) {
        SSL_shutdown(client->ssl);
    }
    shutdown(client->socket, SHUT_RDWR);
    close(client->socket);
    print("Connection closed");
    return 0;
 }
-int client_handler(int client, long client_num, struct sockaddr_in6 *client_addr) {
+int client_handler(sock *client, long client_num, struct sockaddr_in6 *client_addr) {
    int ret;
    struct sockaddr_in6 *server_addr;
    struct sockaddr_storage server_addr_storage;
@ -78,7 +85,7 @@ int client_handler(int client, long client_num, struct sockaddr_in6 *client_addr
    }
    socklen_t len = sizeof(server_addr_storage);
-    getsockname(client, (struct sockaddr *) &server_addr_storage, &len);
+    getsockname(client->socket, (struct sockaddr *) &server_addr_storage, &len);
    server_addr = (struct sockaddr_in6 *) &server_addr_storage;
    server_addr_str_ptr = malloc(INET6_ADDRSTRLEN);
    inet_ntop(server_addr->sin6_family, (void *) &server_addr->sin6_addr, server_addr_str_ptr, INET6_ADDRSTRLEN);
@ -90,10 +97,10 @@ int client_handler(int client, long client_num, struct sockaddr_in6 *client_addr
    log_base_prefix = malloc(256);
    sprintf(log_base_prefix, "[%24s][%s%4i%s]%s[%*s][%5i]%s ",
-            server_addr_str, R_STR, ntohs(server_addr->sin6_port), CLR_STR,
+            server_addr_str, client->enc ? HTTPS_STR : HTTP_STR, ntohs(server_addr->sin6_port), CLR_STR,
            color_table[client_num % 6], INET_ADDRSTRLEN, client_addr_str, ntohs(client_addr->sin6_port), CLR_STR);
-    int ret = client_connection_handler(client);
+    ret = client_connection_handler(client);
    free(client_addr_str_ptr);
    free(server_addr_str_ptr);
    free(log_base_prefix);
--- a/src/necronda-server.c
+++ b/src/necronda-server.c
@ -24,6 +24,47 @@
 int active = 1;
 void openssl_init() {
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();
 }
 char *ssl_get_error(SSL *ssl, int ret) {
    if (ret > 0) {
        return NULL;
    }
    unsigned long ret2 = ERR_get_error();
    char *err2 = strerror(errno);
    char *err1 = (char *) ERR_reason_error_string(ret2);
    switch (SSL_get_error(ssl, ret)) {
        case SSL_ERROR_NONE:
            return "none";
        case SSL_ERROR_ZERO_RETURN:
            return "closed";
        case SSL_ERROR_WANT_READ:
            return "want read";
        case SSL_ERROR_WANT_WRITE:
            return "want write";
        case SSL_ERROR_WANT_CONNECT:
            return "want connect";
        case SSL_ERROR_WANT_ACCEPT:
            return "want accept";
        case SSL_ERROR_WANT_X509_LOOKUP:
            return "want x509 lookup";
        case SSL_ERROR_SYSCALL:
            return ((ret2 == 0) ? ((ret == 0) ? "protocol violation" : err2) : err1);
        case SSL_ERROR_SSL:
            return err1;
        default:
            return "unknown error";
    }
 }
 void destroy() {
    fprintf(stderr, "\n" ERR_STR "Terminating forcefully!" CLR_STR "\n");
    int status = 0;
@ -97,7 +138,8 @@ int main(int argc, const char *argv[]) {
    int ready_sockets_num = 0;
    long client_num = 0;
-    int client;
+    int client_fd;
    sock client;
    struct sockaddr_in6 client_addr;
    unsigned int client_addr_len = sizeof(client_addr);
@ -139,7 +181,24 @@ int main(int argc, const char *argv[]) {
    signal(SIGINT, terminate);
    signal(SIGTERM, terminate);
-    // TODO implement TLS server side handshake
+    openssl_init();
    client.ctx = SSL_CTX_new(TLS_server_method());
    SSL_CTX_set_options(client.ctx, SSL_OP_SINGLE_DH_USE);
    SSL_CTX_set_verify(client.ctx, SSL_VERIFY_NONE, NULL);
    SSL_CTX_set_min_proto_version(client.ctx, TLS1_VERSION);
    SSL_CTX_set_mode(client.ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
    SSL_CTX_set_cipher_list(client.ctx, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4");
    SSL_CTX_set_ecdh_auto(client.ctx, 1);
    if (SSL_CTX_use_certificate_chain_file(client.ctx, "/home/lorenz/cert/chakotay.pem") != 1) {
        fprintf(stderr, ERR_STR "Unable to load certificate chain file: %s" CLR_STR "\n", ERR_reason_error_string(ERR_get_error()));
        return 1;
    }
    if (SSL_CTX_use_PrivateKey_file(client.ctx, "/home/lorenz/cert/priv/chakotay.key", SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, ERR_STR "Unable to load private key file: %s" CLR_STR "\n", ERR_reason_error_string(ERR_get_error()));
        return 1;
    }
    for (int i = 0; i < NUM_SOCKETS; i++) {
        if (listen(SOCKETS[i], LISTEN_BACKLOG) == -1) {
@ -168,8 +227,8 @@ int main(int argc, const char *argv[]) {
        for (int i = 0; i < NUM_SOCKETS; i++) {
            if (FD_ISSET(SOCKETS[i], &read_socket_fds)) {
-                client = accept(SOCKETS[i], (struct sockaddr *) &client_addr, &client_addr_len);
+                client_fd = accept(SOCKETS[i], (struct sockaddr *) &client_addr, &client_addr_len);
-                if (client == -1) {
+                if (client_fd == -1) {
                    fprintf(parent_stderr, ERR_STR "Unable to accept connection: %s" CLR_STR "\n", strerror(errno));
                    continue;
                }
@ -179,11 +238,15 @@ int main(int argc, const char *argv[]) {
                    // child
                    signal(SIGINT, SIG_IGN);
                    signal(SIGTERM, SIG_IGN);
-                    return client_handler(client, client_num, &client_addr);
+
                    client.socket = client_fd;
                    client.enc = i == 1;
                    return client_handler(&client, client_num, &client_addr);
                } else if (pid > 0) {
                    // parent
                    client_num++;
-                    close(client);
+                    close(client_fd);
                    for (int j = 0; j < MAX_CHILDREN; j++) {
                        if (CHILDREN[j] == 0) {
                            CHILDREN[j] = pid;
--- a/src/necronda-server.h
+++ b/src/necronda-server.h
@ -10,6 +10,13 @@
 #include <sys/types.h>
 #include <stdio.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #include <openssl/conf.h>
 #include <openssl/engine.h>
 #include <openssl/dh.h>
 #define NUM_SOCKETS 2
@ -18,13 +25,23 @@
 #define ERR_STR "\x1B[1;31m"
 #define CLR_STR "\x1B[0m"
-#define R_STR "\x1B[31m"
+#define HTTP_STR "\x1B[1;31m"
-#define G_STR "\x1B[32m"
+#define HTTPS_STR "\x1B[1;32m"
 int SOCKETS[NUM_SOCKETS];
 pid_t CHILDREN[MAX_CHILDREN];
 FILE *parent_stdout, *parent_stderr;
 typedef struct {
    int enc:1;
    int socket;
    SSL_CTX *ctx;
    SSL *ssl;
    BIO *bio_in;
    BIO *bio_out;
 } sock;
 char *ssl_get_error(SSL *ssl, int ret);
 #endif //NECRONDA_SERVER_NECRONDA_SERVER_H