Compare commits

..

9 commits

Author SHA1 Message Date
lda
da7199f03a Merge branch 'master' into add-mbed
Some checks failed
Compile Cytoplasm / Compile Cytoplasm (aarch64, alpine) (pull_request) Has been cancelled
2024-09-24 05:16:59 +00:00
LDA
4ce2b136a5 [FIX] Use as much certs as possible, handshakes 2024-09-21 09:25:31 +02:00
LDA
b28cd422fb Merge branch 'add-mbed' of https://git.telodendria.io/lda/Cytoplasm into add-mbed 2024-09-16 23:26:17 +02:00
LDA
dfcdef51fe [MOD] Try to probe for certificate stores 2024-09-16 23:25:43 +02:00
LDA
f9702cf0ef Merge branch 'add-mbed' of https://git.telodendria.io/lda/Cytoplasm into add-mbed 2024-09-15 13:09:26 +02:00
LDA
69f8e47ea2 [FIX] Remove dummy functions 2024-09-15 13:09:00 +02:00
lda
ffc11ea8ba Merge branch 'master' into add-mbed 2024-09-15 11:08:13 +00:00
LDA
ee58167928 [META] Denote the presence of Mbed in the README 2024-09-15 11:15:31 +02:00
LDA
c1d59b2c6f [ADD] Add MbedTLS support 2024-09-15 11:10:52 +02:00
11 changed files with 468 additions and 80 deletions

View file

@ -5,6 +5,20 @@ Cytoplasm. It is intended to be updated with every commit that makes a user-faci
change worth reporting in the change log. As such, it changes frequently between
releases. Final change log entries are published as [Releases](releases).
## v0.5.0
**TO BE WRITTEN**
### Breaking Changes
- `ShaToHex` now requires what hash was used.
### New Features
- LMDB support is available with the `--with-lmdb` flag.
- MbedTLS summort is available with the `--with-mbed` flag. Please note that Cytoplasm
programs using it must be used with the `CYTO_TLS_CA` environment defined to map to a
valid CA file, and that the `CYTO_TLS_SEED` flag can be set to use a seedfile, increasing
entropy on systems where it is unavailable.
## v0.4.1
Cytoplasm is now a C99 library! Upgrading from C89 to C99 makes Cytoplasm more portable

View file

@ -21,6 +21,7 @@ Cytoplasm aims to have zero software dependencies beyond what is mandated by POS
- OpenSSL
- LibreSSL
- MbedTLS (requires the `CYTO_TLS_CA` environment variables for programs built with it)
If TLS support is not enabled, all APIs that use it should fall back to non-TLS behavior in a sensible manner. For example, if TLS support is not enabled, then the HTTP client API will simply return an error if a TLS connection is requested.
@ -50,7 +51,7 @@ You can also run `make install` as `root` to install Cytoplasm to the system. Th
The `configure` script has a number of optional flags, which are as follows:
- `--with-(openssl|libressl)`: Select the TLS implementation to use. OpenSSL is selected by default.
- `--with-(openssl|libressl|mbed)`: Select the TLS implementation to use. OpenSSL is selected by default.
- `--disable-tls`: Disable TLS altogether.
- `--prefix=<path>`: Set the install prefix to set by default in the `Makefile`. This defaults to `/usr/local`, which should be appropriate for most Unix-like systems.
- `--(enable|disable)-debug`: Control whether or not to enable debug mode. This sets the optimization level to 0 and builds with debug symbols. Useful for running with a debugger.

4
configure vendored
View file

@ -76,6 +76,10 @@ for arg in $SCRIPT_ARGS; do
TLS_IMPL="TLS_LIBRESSL"
TLS_LIBS="-ltls -lcrypto -lssl"
;;
--with-mbed)
TLS_IMPL="TLS_MBEDTLS"
TLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"
;;
--disable-tls)
TLS_IMPL=""
TLS_LIBS=""

View file

@ -297,12 +297,6 @@ extern size_t JsonEncode(HashMap *, Stream *, int);
*/
extern HashMap * JsonDecode(Stream *);
/**
* Decodes a JSON value from thr current input strram and parse it
* into a JsonValue.
*/
extern JsonValue * JsonValueDecode(Stream *);
/**
* A convenience function that allows the caller to retrieve and
* arbitrarily deep keys within a JSON object. It takes a root JSON

View file

@ -50,6 +50,7 @@
#define TLS_LIBRESSL 2
#define TLS_OPENSSL 3
#define TLS_MBEDTLS 4
/**
* Create a new TLS client stream using the given file descriptor and

View file

@ -1348,25 +1348,6 @@ JsonDecode(Stream * stream)
return result;
}
JsonValue *
JsonValueDecode(Stream *stream)
{
JsonValue *result;
JsonParserState state;
state.stream = stream;
state.token = NULL;
JsonTokenSeek(&state);
result = JsonDecodeValue(&state);
if (state.token)
{
Free(state.token);
}
return result;
}
JsonValue *
JsonGet(HashMap * json, size_t nArgs,...)

View file

@ -42,30 +42,26 @@
#define MEMORY_FILE_SIZE 256
#define MEM_BOUND_TYPE uint64_t
#define MEM_BOUND 0xDEADBEEFBEEFDEAD
#define MEM_MAGIC 0xDEADBEEFDEADBEEF
struct MemoryInfo
{
uint64_t magic;
size_t size;
size_t unalignedSize;
char file[MEMORY_FILE_SIZE];
int line;
void *pointer;
MemoryInfo *prev;
MemoryInfo *next;
MEM_BOUND_TYPE leftBoundary;
};
#define MEM_SIZE_ACTUAL(x) (MemoryAlignBoundary((x) * sizeof(uint8_t)) + sizeof(MEM_BOUND_TYPE))
#define MEM_START_BOUNDARY(info) (info->leftBoundary)
#define MEM_END_BOUNDARY(info) (*(((MEM_BOUND_TYPE *) (((uint8_t *) info->pointer) + info->size)) - 1))
#define MEM_BOUND_TYPE uint32_t
#define MEM_BOUND 0xDEADBEEF
#define MEM_MAGIC 0xDEADBEEFDEADBEEF
#define MEM_BOUND_LOWER(p) *((MEM_BOUND_TYPE *) p)
#define MEM_BOUND_UPPER(p, x) *(((MEM_BOUND_TYPE *) (((uint8_t *) p) + x)) + 1)
#define MEM_SIZE_ACTUAL(x) (((x) * sizeof(uint8_t)) + (2 * sizeof(MEM_BOUND_TYPE)))
static pthread_mutex_t lock;
static void (*hook) (MemoryAction, MemoryInfo *, void *) = MemoryDefaultHook;
@ -75,19 +71,6 @@ static size_t allocationsLen = 0;
static MemoryInfo *allocationTail = NULL;
/* Simple range of "plausible" boundaries for heap, serving as an extra
* check */
static void *heapStart, *heapEnd;
static size_t MemoryAlignBoundary(size_t size)
{
size_t boundSize = sizeof(MEM_BOUND_TYPE);
size_t remainder = size % boundSize;
size_t closest = size / boundSize + !!remainder;
return closest * boundSize;
}
int
MemoryRuntimeInit(void)
{
@ -102,8 +85,6 @@ MemoryRuntimeInit(void)
pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
ret = pthread_mutex_init(&lock, &attr);
pthread_mutexattr_destroy(&attr);
heapStart = NULL;
heapEnd = NULL;
ret = (ret == 0);
@ -129,15 +110,6 @@ MemoryInsert(MemoryInfo * a)
a->prev = allocationTail;
a->magic = MEM_MAGIC;
if (!heapStart || heapStart > (void *) a)
{
heapStart = a;
}
if (!heapEnd || heapEnd < (void *) a)
{
heapEnd = a;
}
allocationTail = a;
allocationsLen++;
@ -170,9 +142,8 @@ MemoryDelete(MemoryInfo * a)
static int
MemoryCheck(MemoryInfo * a)
{
if (MEM_START_BOUNDARY(a) != MEM_BOUND ||
a->magic != MEM_MAGIC ||
MEM_END_BOUNDARY(a) != MEM_BOUND)
if (MEM_BOUND_LOWER(a->pointer) != MEM_BOUND ||
MEM_BOUND_UPPER(a->pointer, a->size - (2 * sizeof(MEM_BOUND_TYPE))) != MEM_BOUND)
{
if (hook)
{
@ -203,14 +174,13 @@ MemoryAllocate(size_t size, const char *file, int line)
p = a + 1;
memset(p, 0, MEM_SIZE_ACTUAL(size));
MEM_BOUND_LOWER(p) = MEM_BOUND;
MEM_BOUND_UPPER(p, size) = MEM_BOUND;
a->size = MEM_SIZE_ACTUAL(size);
a->unalignedSize = size;
strncpy(a->file, file, MEMORY_FILE_SIZE - 1);
a->line = line;
a->pointer = p;
MEM_START_BOUNDARY(a) = MEM_BOUND;
MEM_END_BOUNDARY(a) = MEM_BOUND;
if (!MemoryInsert(a))
{
@ -225,7 +195,7 @@ MemoryAllocate(size_t size, const char *file, int line)
}
pthread_mutex_unlock(&lock);
return p;
return ((MEM_BOUND_TYPE *) p) + 1;
}
void *
@ -250,7 +220,6 @@ MemoryReallocate(void *p, size_t size, const char *file, int line)
if (new)
{
a = new;
a->unalignedSize = size;
a->size = MEM_SIZE_ACTUAL(size);
strncpy(a->file, file, MEMORY_FILE_SIZE - 1);
a->line = line;
@ -259,8 +228,8 @@ MemoryReallocate(void *p, size_t size, const char *file, int line)
a->pointer = a + 1;
MemoryInsert(a);
MEM_START_BOUNDARY(a) = MEM_BOUND;
MEM_END_BOUNDARY(a) = MEM_BOUND;
MEM_BOUND_LOWER(a->pointer) = MEM_BOUND;
MEM_BOUND_UPPER(a->pointer, size) = MEM_BOUND;
if (hook)
{
@ -284,7 +253,7 @@ MemoryReallocate(void *p, size_t size, const char *file, int line)
}
}
return a->pointer;
return ((MEM_BOUND_TYPE *) a->pointer) + 1;
}
void
@ -375,12 +344,8 @@ MemoryInfoGet(void *po)
pthread_mutex_lock(&lock);
p = ((MEM_BOUND_TYPE *) po) - 1;
p = ((MemoryInfo *) p) - 1;
if (p < heapStart || p > heapEnd)
{
pthread_mutex_unlock(&lock);
return NULL;
}
if (((MemoryInfo *)p)->magic != MEM_MAGIC)
{
@ -399,7 +364,7 @@ MemoryInfoGetSize(MemoryInfo * a)
return 0;
}
return a->size ? a->unalignedSize : 0;
return a->size ? a->size - (2 * sizeof(MEM_BOUND_TYPE)) : 0;
}
const char *
@ -432,7 +397,7 @@ MemoryInfoGetPointer(MemoryInfo * a)
return NULL;
}
return a->pointer;
return ((MEM_BOUND_TYPE *) a->pointer) + 1;
}
void

View file

@ -29,6 +29,7 @@
#include <limits.h>
/* TODO: Verify LibreSSL support later */
#include <Tls.h>
#if defined(TLS_IMPL) && (TLS_IMPL == TLS_OPENSSL)
#include <openssl/sha.h>

View file

@ -31,6 +31,7 @@
/* TODO: Verify LibreSSL support later */
#include <Tls.h>
#if defined(TLS_IMPL) && (TLS_IMPL == TLS_OPENSSL)
#include <openssl/sha.h>

426
src/Tls/TlsMbedTLS.c Normal file
View file

@ -0,0 +1,426 @@
/*
* Copyright (C) 2022-2024 Jordan Bancino <@jordan:bancino.net> with
* other valuable contributors. See CONTRIBUTORS.txt for the full list.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation files
* (the "Software"), to deal in the Software without restriction,
* including without limitation the rights to use, copy, modify, merge,
* publish, distribute, sublicense, and/or sell copies of the Software,
* and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <Tls.h>
#if TLS_IMPL == TLS_MBEDTLS
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"
#include "mbedtls/error.h"
#include <Memory.h>
#include <Log.h>
#include <Str.h>
#include <string.h>
#include <stdlib.h>
/*
* #include statements and any implementation structures
* needed should go here.
*/
typedef struct MbedCookie {
int fd;
bool serverside;
mbedtls_net_context serverFD;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctrDrbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cert;
mbedtls_pk_context serverkey;
} MbedCookie;
static bool
AddPEM(mbedtls_x509_crt *certs, char *path)
{
size_t len;
if (!certs || !path)
{
return false;
}
len = strlen(path);
if (len >= 4 && StrEquals(&path[len - 1 - 4], ".pem"))
{
/* Parse it as a file */
if (mbedtls_x509_crt_parse_file(certs, path) == 0)
{
return true;
}
}
/* Parse it as a directory if it is not a .PEM
* Note that this is non-recursive. */
return mbedtls_x509_crt_parse_path(certs, path) == 0;
}
static bool
RegisterPEMs(mbedtls_x509_crt *certs)
{
char *cafile;
int loaded = 0;
if (!certs)
{
return false;
}
/* Step 0: Load from CYTO_TLS_CA if present to overwrite */
cafile = getenv("CYTO_TLS_CA");
if (AddPEM(certs, cafile))
{
loaded++;
}
/* Step 1: Try /etc/ssl/certs */
if (AddPEM(certs, "/etc/ssl/certs"))
{
loaded++;
}
/* Step 2: Try loading off Mozilla's certificates */
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
{
loaded++;
}
/* Step 3: Try loading from its root directly */
if (AddPEM(certs, "/usr/share/ca-certificates"))
{
loaded++;
}
return loaded != 0;
}
void *
TlsInitClient(int fd, const char *serverName)
{
MbedCookie *cookie;
int err;
if (!serverName)
{
return NULL;
}
cookie = Malloc(sizeof(MbedCookie));
memset(cookie, 0, sizeof(MbedCookie));
cookie->fd = fd;
cookie->serverside = false;
/* Initialise MbedTLS */
mbedtls_net_init(&cookie->serverFD);
mbedtls_ssl_init(&cookie->ssl);
mbedtls_ssl_config_init(&cookie->conf);
mbedtls_x509_crt_init(&cookie->cert);
mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
mbedtls_pk_init(&cookie->serverkey);
mbedtls_entropy_init(&cookie->entropy);
err = mbedtls_ctr_drbg_seed(
&cookie->ctrDrbg,
mbedtls_entropy_func,
&cookie->entropy,
(const unsigned char *) serverName, strlen(serverName)
);
if (err != 0)
{
Log(LOG_ERR, "MbedTLS failure on client init: %d", err);
goto error;
}
cookie->serverFD.fd = fd;
err = mbedtls_ssl_config_defaults(
&cookie->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT
);
if (err != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
goto error;
}
/* Setup key verification */
if (!RegisterPEMs(&cookie->cert))
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
goto error;
}
mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
/* Setup some callbacks */
mbedtls_ssl_conf_rng(
&cookie->conf,
mbedtls_ctr_drbg_random,
&cookie->ctrDrbg
);
if ((err = mbedtls_ssl_setup(&cookie->ssl, &cookie->conf)) != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on SSL setup: %s", message);
goto error;
}
/* Setup some functions */
mbedtls_ssl_set_bio(
&cookie->ssl, &cookie->serverFD,
mbedtls_net_send, mbedtls_net_recv, NULL
);
/* Setup the servername */
if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
goto error;
}
while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
{
char message[256];
switch (err)
{
case MBEDTLS_ERR_SSL_WANT_WRITE:
case MBEDTLS_ERR_SSL_WANT_READ:
break;
default:
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
goto error;
}
}
return cookie;
error:
mbedtls_net_free(&cookie->serverFD);
mbedtls_ssl_free(&cookie->ssl);
mbedtls_ssl_config_free(&cookie->conf);
mbedtls_ctr_drbg_free(&cookie->ctrDrbg);
mbedtls_entropy_free(&cookie->entropy);
Free(cookie);
return NULL;
}
void *
TlsInitServer(int fd, const char *crt, const char *key)
{
MbedCookie *cookie;
char *seed;
int err;
if (!crt || !key)
{
return NULL;
}
cookie = Malloc(sizeof(MbedCookie));
memset(cookie, 0, sizeof(MbedCookie));
cookie->fd = fd;
cookie->serverside = true;
/* Initialise MbedTLS */
mbedtls_net_init(&cookie->serverFD);
mbedtls_ssl_init(&cookie->ssl);
mbedtls_ssl_config_init(&cookie->conf);
mbedtls_x509_crt_init(&cookie->cert);
mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
mbedtls_pk_init(&cookie->serverkey);
mbedtls_entropy_init(&cookie->entropy);
err = mbedtls_ctr_drbg_seed(
&cookie->ctrDrbg,
mbedtls_entropy_func,
&cookie->entropy,
(const unsigned char *) key, strlen(key)
);
if (err != 0)
{
Log(LOG_ERR, "MbedTLS failure on server init: %d", err);
goto error;
}
/* Add a source of entropy if possible(using the CYTO_TLS_SEED env).
* Note that we ignore the error code. */
seed = getenv("CYTO_TLS_SEED");
mbedtls_entropy_update_seed_file(&cookie->entropy, seed);
/* Setup key verification */
if ((err = mbedtls_x509_crt_parse_file(&cookie->cert, crt)) != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on server certs: %s", message);
goto error;
}
if ((err = mbedtls_pk_parse_keyfile(&cookie->serverkey, key, NULL, mbedtls_entropy_func, &cookie->ctrDrbg)) != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on server certs: %s", message);
goto error;
}
mbedtls_ssl_conf_ca_chain(&cookie->conf, cookie->cert.next, NULL);
if ((err = mbedtls_ssl_conf_own_cert(&cookie->conf, &cookie->cert, &cookie->serverkey)) != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on server certs: %s", message);
goto error;
}
/* Setup SSL */
cookie->serverFD.fd = fd;
err = mbedtls_ssl_config_defaults(
&cookie->conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT
);
if (err != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on server SSL: %s", message);
goto error;
}
/* Setup some callbacks */
mbedtls_ssl_conf_rng(
&cookie->conf,
mbedtls_ctr_drbg_random,
&cookie->ctrDrbg
);
mbedtls_ssl_conf_ca_chain(&cookie->conf, cookie->cert.next, NULL);
if ((err = mbedtls_ssl_setup(&cookie->ssl, &cookie->conf)) != 0)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on SSL setup: %s", message);
goto error;
}
/* Client connexion */
/* Setup some functions */
mbedtls_ssl_set_bio(
&cookie->ssl, &cookie->serverFD,
mbedtls_net_send, mbedtls_net_recv, NULL
);
/* Handshake the client */
while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
{
switch (err)
{
case MBEDTLS_ERR_SSL_WANT_WRITE:
case MBEDTLS_ERR_SSL_WANT_READ:
break;
default:
goto error;
}
}
return cookie;
error:
mbedtls_net_free(&cookie->serverFD);
mbedtls_ssl_free(&cookie->ssl);
mbedtls_ssl_config_free(&cookie->conf);
mbedtls_ctr_drbg_free(&cookie->ctrDrbg);
mbedtls_entropy_free(&cookie->entropy);
Free(cookie);
return NULL;
}
ssize_t
TlsRead(void *cookie, void *buf, size_t nBytes)
{
MbedCookie *cooked = cookie;
int ret;
if (!cookie || !buf)
{
return -1;
}
ret = mbedtls_ssl_read(&cooked->ssl, buf, nBytes);
if (ret <= 0)
{
ret = -1;
}
return ret;
}
ssize_t
TlsWrite(void *cookie, void *buf, size_t nBytes)
{
MbedCookie *cooked = cookie;
int ret;
if (!cookie || !buf)
{
return -1;
}
ret = mbedtls_ssl_write(&cooked->ssl, buf, nBytes);
if (ret <= 0)
{
ret = -1;
}
return ret;
}
int
TlsClose(void *cookie)
{
MbedCookie *cooked = cookie;
if (!cookie)
{
return -1;
}
mbedtls_net_free(&cooked->serverFD);
mbedtls_ssl_free(&cooked->ssl);
mbedtls_ssl_config_free(&cooked->conf);
mbedtls_ctr_drbg_free(&cooked->ctrDrbg);
mbedtls_entropy_free(&cooked->entropy);
mbedtls_x509_crt_free(&cooked->cert);
if (cooked->serverside)
{
mbedtls_pk_free(&cooked->serverkey);
}
Free(cooked);
return 0;
}
#endif

View file

@ -399,7 +399,7 @@ end_loop:
}
else if (StrEquals(op, "def?"))
{
Definition *def;
Definition *def = NULL;
size_t i;
char *directive = Eval(&argv, stack);