Added a simple high level TLS wrapper for sockets
parent
bd23b9086e
commit
17102f7b58
|
@ -11,6 +11,7 @@ libtls_la_SOURCES = \
|
|||
tls_prf.h tls_prf.c \
|
||||
tls_reader.h tls_reader.c \
|
||||
tls_writer.h tls_writer.c \
|
||||
tls_socket.h tls_socket.c \
|
||||
tls_peer.h tls_peer.c \
|
||||
tls_server.h tls_server.c \
|
||||
tls_handshake.h tls_application.h tls.h tls.c
|
||||
|
|
|
@ -290,6 +290,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
|
|||
{
|
||||
case TLS_PURPOSE_EAP_TLS:
|
||||
case TLS_PURPOSE_EAP_TTLS:
|
||||
case TLS_PURPOSE_GENERIC:
|
||||
break;
|
||||
default:
|
||||
return NULL;
|
||||
|
|
|
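--- /dev/null
+++ b/tls_socket.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_socket.h"
+
+#include <unistd.h>
+
+#include <debug.h>
+
+typedef struct private_tls_socket_t private_tls_socket_t;
+typedef struct private_tls_application_t private_tls_application_t;
+
+struct private_tls_application_t {
+
+	/**
+	 * Implements tls_application layer.
+	 */
+	tls_application_t application;
+
+	/**
+	 * Chunk of data to send
+	 */
+	chunk_t out;
+
+	/**
+	 * Chunk of data received
+	 */
+	chunk_t in;
+};
+
+/**
+ * Private data of an tls_socket_t object.
+ */
+struct private_tls_socket_t {
+
+	/**
+	 * Public tls_socket_t interface.
+	 */
+	tls_socket_t public;
+
+	/**
+	 * TLS application implementation
+	 */
+	private_tls_application_t app;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * Underlying OS socket
+	 */
+	int fd;
+};
+
+METHOD(tls_application_t, process, status_t,
+	private_tls_application_t *this, tls_reader_t *reader)
+{
+	chunk_t data;
+
+	if (!reader->read_data(reader, reader->remaining(reader), &data))
+	{
+		return FAILED;
+	}
+	this->in = chunk_cat("mc", this->in, data);
+	return NEED_MORE;
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_tls_application_t *this, tls_writer_t *writer)
+{
+	if (this->out.len)
+	{
+		writer->write_data(writer, this->out);
+		this->out = chunk_empty;
+		return NEED_MORE;
+	}
+	return INVALID_STATE;
+}
+
+/**
+ * TLS data exchange loop
+ */
+static bool exchange(private_tls_socket_t *this, bool wr)
+{
+	chunk_t data;
+	char buf[2048];
+	ssize_t len;
+	int round = 0;
+
+	for (round = 0; TRUE; round++)
+	{
+		if (this->tls->build(this->tls, &data) != NEED_MORE)
+		{
+			return FALSE;
+		}
+		if (data.len)
+		{
+			len = write(this->fd, data.ptr, data.len);
+			free(data.ptr);
+			if (len != data.len)
+			{
+				return FALSE;
+			}
+		}
+		if (wr)
+		{
+			if (this->app.out.len == 0)
+			{	/* all data written */
+				return TRUE;
+			}
+		}
+		else
+		{
+			if (this->app.in.len)
+			{	/* some data received */
+				return TRUE;
+			}
+			if (round > 0)
+			{	/* did some handshaking, return empty chunk to not block */
+				return TRUE;
+			}
+		}
+		len = read(this->fd, buf, sizeof(buf));
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		if (this->tls->process(this->tls, chunk_create(buf, len)) != NEED_MORE)
+		{
+			return FALSE;
+		}
+	}
+}
+
+METHOD(tls_socket_t, read_, bool,
+	private_tls_socket_t *this, chunk_t *buf)
+{
+	if (exchange(this, FALSE))
+	{
+		*buf = this->app.in;
+		this->app.in = chunk_empty;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_socket_t, write_, bool,
+	private_tls_socket_t *this, chunk_t buf)
+{
+	this->app.out = buf;
+	if (exchange(this, TRUE))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_socket_t, destroy, void,
+	private_tls_socket_t *this)
+{
+	this->tls->destroy(this->tls);
+	free(this->app.in.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
+								identification_t *peer, int fd)
+{
+	private_tls_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.read = _read_,
+			.write = _write_,
+			.destroy = _destroy,
+		},
+		.app = {
+			.application = {
+				.build = _build,
+				.process = _process,
+				.destroy = (void*)nop,
+			},
+		},
+		.fd = fd,
+	);
+
+	this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+						   &this->app.application);
+	if (!this->tls)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}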
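Review bot: `write_` stores the caller's buffer in `this->app.out` and leaves it there when `exchange()` fails before the TLS layer has pulled it through `build` (for example while the handshake is still in flight and `read()` returns 0, which `exchange()` turns into FALSE); the next `read()` on the same object can then hand that stale, by now possibly freed, memory to `build` and put it on the wire. Drop the reference on every exit path: `bool ok = exchange(this, TRUE); this->app.out = chunk_empty; return ok;`. Separately, `exchange()` treats any short `write()` as fatal with `if (len != data.len)` and never retries; on a blocking socket a signal can interrupt the call after part of a TLS record has gone out, so either loop until `data.len` bytes are written or document that the wrapper does not survive EINTR. That comparison also mixes `ssize_t` with what is presumably a `size_t` length, which `-Wsign-compare` will flag.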
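--- /dev/null
+++ b/tls_socket.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_socket tls_socket
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_SOCKET_H_
+#define TLS_SOCKET_H_
+
+#include "tls.h"
+
+typedef struct tls_socket_t tls_socket_t;
+
+/**
+ * TLS secured socket.
+ *
+ * Wraps a blocking (socket) file descriptor for a reliable transport into a
+ * TLS secured socket. TLS negotiation happens on demand, certificates and
+ * private keys are fetched from any registered credential set.
+ */
+struct tls_socket_t {
+
+	/**
+	 * Read data from secured socket, return allocated chunk.
+	 *
+	 * This call is blocking, you may use select() on the underlying socket to
+	 * wait for data. If the there was non-application data available, the
+	 * read function can return an empty chunk.
+	 *
+	 * @param data pointer to allocate received data
+	 * @return TRUE if data received successfully
+	 */
+	bool (*read)(tls_socket_t *this, chunk_t *data);
+
+	/**
+	 * Write a chunk of data over the secured socket.
+	 *
+	 * @param data data to send
+	 * @return TRUE if data sent successfully
+	 */
+	bool (*write)(tls_socket_t *this, chunk_t data);
+
+	/**
+	 * Destroy a tls_socket_t.
+	 */
+	void (*destroy)(tls_socket_t *this);
+};
+
+/**
+ * Create a tls_socket instance.
+ *
+ * @param is_server TRUE to act as TLS server
+ * @param server server identity
+ * @param peer client identity, NULL for no client authentication
+ * @param fd socket to read/write from
+ * @return TLS socket wrapper
+ */
+tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
+								identification_t *peer, int fd);
+
+#endif /** TLS_SOCKET_H_ @}*/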
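Review bot: The `@param fd` line of `tls_socket_create` does not say who owns the descriptor, and the implementation's `destroy` frees the TLS stack and the receive buffer but never closes it, so the only way to learn that the caller must `close()` the socket after `destroy` is to read tls_socket.c. Change it to `@param fd socket to read/write from; not closed on destroy, caller keeps ownership`. The `read` doc should also state that the returned chunk becomes the caller's to free (`read_` hands over `this->app.in` and resets it to `chunk_empty`), and `write` that `data` is referenced rather than copied for the duration of the call, since `build` passes the caller's chunk straight to the writer.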