From: Jean-Marc Pigeon (Delson) Date: Thu, 8 Aug 2024 17:57:08 +0000 (-0400) Subject: SSL connexion seems to be working fine X-Git-Tag: tag-0.4~8 X-Git-Url: https://jmp-git.ovh.safe.ca/?a=commitdiff_plain;h=2ac1d58e1880f11bc33d830a82ac53059c66733e;p=jmp%2Fmailleur SSL connexion seems to be working fine --- diff --git a/lib/gestcp.c b/lib/gestcp.c index aecce9b..b6a4d16 100644 --- a/lib/gestcp.c +++ b/lib/gestcp.c @@ -37,6 +37,7 @@ static CONTYP *freecontact(CONTYP *contact) if (contact!=(CONTYP *)0) { contact->peerip=rou_freestr(contact->peerip); contact->locname=rou_freestr(contact->locname); + contact->locserv=rou_freestr(contact->locserv); (void) free(contact); contact=(CONTYP *)0; } @@ -164,6 +165,7 @@ while (proceed==true) { break; case 2 : //check socket components contact->locname=soc_getaddrinfo(contact->socptr,true,true); + contact->locserv=soc_getaddrinfo(contact->socptr,true,false); contact->peerip=soc_getaddrinfo(contact->socptr,false,true); if ((contact->locname==(char *)0)||(contact->peerip==(char *)0)) { (void) rou_alert(0,"%s Unable to establish contact entities",OPEP); @@ -230,7 +232,8 @@ while (proceed==true) { } break; case 1 : //properly closing remote contact - (void) rou_alert(0,"Contact with IP=<%s> Exiting",contact->peerip); + (void) rou_alert(0,"Contact from peer <%s> on port <%s> Terminated", + contact->peerip,contact->locserv); contact->socptr=soc_release(contact->socptr); break; case 2 : //freeing contact memory diff --git a/lib/gestcp.h b/lib/gestcp.h index 6d985b1..971f476 100644 --- a/lib/gestcp.h +++ b/lib/gestcp.h @@ -15,6 +15,7 @@ typedef struct { SOCPTR *socptr; //established contact context char *locname; //socket local hostname + char *locserv; //local service port char *peerip; //socket remote peer IP }CONTYP; diff --git a/lib/subrou.c b/lib/subrou.c index 10e13b7..f18e416 100644 --- a/lib/subrou.c +++ b/lib/subrou.c @@ -20,7 +20,7 @@ //version definition #define VERSION "0.3" -#define RELEASE "33" +#define RELEASE "34" //Public variables PUBLIC int debug=0; //debug level diff --git a/lib/unitls.c b/lib/unitls.c index 781595c..f0c74b7 100644 --- a/lib/unitls.c +++ b/lib/unitls.c @@ -5,8 +5,13 @@ /* exchange. */ /* */ /********************************************************/ +#include +#include #include +#include #include +#include +#include #include #include #include @@ -121,100 +126,60 @@ return good; */ /********************************************************/ /* */ -/* Procedure to wait for character on the TLS */ -/* tls channel. */ +/* Procedure to verify remote certificate */ /* */ /********************************************************/ -static _Bool dowait(TLSTYP *tls,TIMESPEC *attend) +static int verify(TLSTYP *tls) { -#define OPEP "unitls.c:dowait" - -_Bool done; -struct pollfd polling[1]; - -done=false; -polling[0].events=POLLIN|POLLPRI; -polling[0].revents=(short)0; -polling[0].fd=SSL_get_fd(tls->ssl); -switch (ppoll(polling,1,attend,(sigset_t *)0)) { - case -1 : - switch(errno) { //received a signal, lets see...* - case EINTR: //Yes could be a TERM/HANGUP signal - break; - default : //real problem - (void) rou_alert(0,"%s poll error '%s'",OPEP,strerror(errno)); - done=true; //No need to wait any more - break; - } - break; - case 0 : //standard timeout - done=true; - break; - default : - break; - } -return done; -#undef OPEP -} -/* -^L -*/ -/********************************************************/ -/* */ -/* Procedure to "accept" link on an SSL channel */ -/* */ -/********************************************************/ -static int doaccept(TLSTYP *tls) - -{ -#define OPEP "unitls.c:doaccept" -int status; +#define OPEP "unitls.c:verify" X509 *peer; -TIMESPEC attend; -int done; +int ok; +int phase; +_Bool proceed; -status=-1; peer=(X509 *)0; -attend.tv_sec=30; //waiting 30 second to have a full SSL -attend.tv_nsec=0; -done=false; -while (done==false) { - int sslerr; - - status=SSL_accept(tls->ssl); - (void) printf("after SSL_accept status='%d'\n",status); - done=true; - switch (sslerr=SSL_get_error(tls->ssl,status)) { - case SSL_ERROR_NONE : - status=0; - if ((peer=SSL_get_peer_certificate(tls->ssl))!=(X509 *)0) { - if (SSL_get_verify_result(tls->ssl)!=X509_V_OK) - status=-1; - (void) X509_free(peer); +ok=false; +phase=0; +proceed=true; +while (proceed==true) { + switch (phase) { + case 0 : //get remote certificate + if ((peer=SSL_get0_peer_certificate(tls->ssl))==(X509 *)0) { + (void) rou_alert(0,"%s, Unable to get certificate from remote [%s]", + OPEP,tls->peerip); + phase=999; } break; - case SSL_ERROR_WANT_READ : - done=dowait(tls,&attend); + case 1 : //displaying certificate + if (peer!=(X509 *)0) { //always + char *line; + + line=X509_NAME_oneline(X509_get_subject_name(peer),0,0); + (void) rou_alert(2,"Certificate subject=<%s>",line); + (void) free(line); + line=X509_NAME_oneline(X509_get_issuer_name(peer),0,0); + (void) rou_alert(2,"Certificate issuer=<%s>",line); + (void) free(line); + } break; - case SSL_ERROR_WANT_WRITE : - done=false; + case 3 : //verifying certificate + if (SSL_get_verify_result(tls->ssl)!=X509_V_OK) { + (void) rou_alert(0,"%s, Remote certificate NOT OK",OPEP); + phase=999; + } + (void) X509_free(peer); break; - case SSL_ERROR_SYSCALL : //EOF received? - if (ERR_get_error()==0) - tls->goteof=true; //EOF received! - else - (void) showtlserror(tls,status,"%s SSL_SYSCALL pbs",OPEP); - status=-1; + case 2 : //everything is fine + ok=true; break; - default : - (void) showtlserror(tls,status,"%s SSL_accept fatal error (sslerr='%d')", - OPEP,sslerr); - status=-1; + default : //SAFE Guard + proceed=false; break; } + phase++; } -return status; +return ok; #undef OPEP } /* @@ -229,6 +194,9 @@ static TLSTYP *freetls(TLSTYP *tls) { if (tls!=(TLSTYP *)0) { + tls->peerip=rou_freestr(tls->peerip); + tls->locip=rou_freestr(tls->locip); + tls->locport=rou_freestr(tls->locport); if (tls->ssl!=(SSL *)0) (void) free(tls->ssl); if (tls->ctx!=(SSL_CTX *)0) @@ -288,7 +256,7 @@ while (proceed==true) { break; case 4 : //verify management (void) SSL_CTX_set_purpose(ctx,X509_PURPOSE_ANY); - (void) SSL_CTX_set_verify(ctx,SSL_VERIFY_NONE,(int(*)())0); + (void) SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,(int(*)())0); (void) SSL_CTX_set_verify_depth(ctx,5); (void) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (SSL_CTX_set_cipher_list(ctx,SSL_CIPHER_LIST)==0) { @@ -315,6 +283,79 @@ return done; */ /********************************************************/ /* */ +/* Procedure to get peerip, local name and port */ +/* */ +/********************************************************/ +static void getnames(TLSTYP *tls) + +{ +#define OPEP "unitls.c:getnames" + +socklen_t taille; +struct sockaddr connip; +char host[NI_MAXHOST]; +char serv[NI_MAXSERV]; +int phase; +_Bool proceed; + +taille=(socklen_t)(sizeof(connip)); +(void) strcpy(host,""); +(void) strcpy(serv,""); +phase=0; +proceed=true; +while (proceed==true) { + switch (phase) { + case 0 : //Checking if everithing is fine + if (tls==(TLSTYP *)0) { + (void) rou_alert(0,"%s, TLS is NULL (bug?)",OPEP); + } + break; + case 1 : //Getting local name and service + (void) strcpy(host,"lochost"); + (void) strcpy(serv,"locserv"); + if (getsockname(tls->handle,&connip,&taille)==0) { + int mode; + int status; + + mode=NI_NAMEREQD|NI_NUMERICSERV; + status=getnameinfo(&connip,taille,host,sizeof(host),serv,sizeof(serv),mode); + if (status!=0) { + (void) strcpy(host,"loc-Unknown"); + (void) strcpy(serv,"loc-Unknown"); + } + } + tls->locip=strdup(host); + tls->locport=strdup(serv); + break; + case 2 : //Getting peer name and service + (void) strcpy(host,"remhost"); + (void) strcpy(serv,"remserv"); + if (getpeername(tls->handle,&connip,&taille)==0) { + int mode; + int status; + + mode=NI_NUMERICHOST|NI_NUMERICSERV; + status=getnameinfo(&connip,taille,host,sizeof(host),serv,sizeof(serv),mode); + if (status!=0) { + (void) strcpy(host,"peer-Unknown"); + (void) strcpy(serv,"peer-Unknown"); + } + tls->peerip=strdup(host); + } + break; + default : //SAFE Guard + proceed=false; + break; + } + phase++; + } +#undef OPEP +} +/* +^L +*/ +/********************************************************/ +/* */ /* Procedure to open an SSL channel */ /* */ /********************************************************/ @@ -342,6 +383,7 @@ while (proceed==true) { tls=(TLSTYP *)calloc(1,sizeof(TLSTYP)); tls->handle=handle; tls->server=server; + (void) getnames(tls); (void) SSL_library_init(); (void) SSL_load_error_strings(); (void) ERR_clear_error(); @@ -368,6 +410,9 @@ while (proceed==true) { (void) SSL_set_accept_state(tls->ssl); break; } + break; + case 4 : //Setting the TLS channel actif + (void) verify(tls); ready=true; break; default : //SAFE guard @@ -517,52 +562,6 @@ return got; */ /********************************************************/ /* */ -/* Procedure to accept a TLS connection from peer. */ -/* */ -/********************************************************/ -PUBLIC int tls_accept(TLSTYP *tls) - -{ -#define OPEP "unitls.c:tls_accept" -int status; -int phase; -int proceed; - -status=-1; -phase=0; -proceed=true; -while (proceed==true) { - switch (phase) { - case 0 : //checking TLS - if (tls==(TLSTYP *)0) { - (void) rou_core_dump("%s, TLS pointer is NULL! (bug?)",OPEP); - phase=000; //trouble trouble - } - break; - case 1 : //checking TLS - if ((tls->bio=BIO_new_fd(tls->handle,BIO_NOCLOSE))==(BIO *)0) { - (void) rou_core_dump("%s, Unable to get the BIO (error=<%s>)", - OPEP,strerror(errno)); - } - break; - case 2 : //set BIO properly - (void) SSL_set_bio(tls->ssl,tls->bio,tls->bio); - status=doaccept(tls); - break; - default : //SAFE guard - proceed=false; - break; - } - phase++; - } -return status; -#undef OPEP -} -/* -^L -*/ -/********************************************************/ -/* */ /* Procedure to check if remote certificat is a */ /* valide one. */ /* return -1if trouble, 0 otherwise */ diff --git a/lib/unitls.h b/lib/unitls.h index f462901..354d940 100644 --- a/lib/unitls.h +++ b/lib/unitls.h @@ -15,6 +15,9 @@ typedef struct { _Bool server; //SSL server/client mode _Bool goteof; //SSL End Of File int handle; //device handle + char *peerip; //Remote IP number + char *locip; //Local IP number + char *locport; //local Port number SSL_CTX *ctx; //SSL context SSL *ssl; //SSL link BIO *bio; //SSL Basic input output