Commit 0b84e6d8 authored by 's avatar

Added SSL support for DiMAPI.


git-svn-id: file:///home/svn/mapi/trunk@751 8d5bb341-7cf1-0310-8cf6-ba355fef3186
parent 9aa3dbbf
GR
-
Herakleion
ICS FORTH
DCS
User
dcs@ics.forth.gr
#!/bin/bash
# mapicommd_certs.sh
CERTPATH="/usr/local/share/mapi"
FILES="/usr/local/share/mapi/cacert.pem
/usr/local/share/mapi/privkey.pem"
for file in $FILES
do
if [ ! -e "$file" ] # Check if file exists.
then
echo "Creating certificate and private key"; echo
openssl genrsa -out /usr/local/share/mapi/privkey.pem 2048
openssl req -new -x509 -key $CERTPATH/privkey.pem -out $CERTPATH/cacert.pem -days 30000
fi
echo
done
exit 0
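Review bot: The `openssl genrsa -out ... privkey.pem` line writes the server's private key with whatever mode the caller's umask yields, so with a usual 022 umask the key under /usr/local/share/mapi ends up world-readable; put `umask 077` before the loop or add `chmod 600 "$CERTPATH/privkey.pem"` right after genrsa. The loop also regenerates both files whenever either one is missing, which silently overwrites an existing privkey.pem when only cacert.pem is absent — test for both at once, e.g. `if [ ! -e "$CERTPATH/privkey.pem" ] || [ ! -e "$CERTPATH/cacert.pem" ]`. Neither openssl invocation is checked and the script always ends in `exit 0`, so a failed key generation is invisible to whatever calls this script. The `-days 30000` lifetime (about 82 years) defeats expiry as a revocation fallback; something on the order of a few years is more conventional for a self-signed server certificate.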
......@@ -34,6 +34,10 @@ static struct sockaddr_un mapidaddr;
//static struct sockaddr_un fromaddr;
static char* mapidsocket;
#ifdef DIMAPISSL
static SSL_CTX *ctx;
#endif
int mapiipc_write(struct mapiipcbuf *qbuf)
//Sends an IPC message to mapid
{
......@@ -108,14 +112,28 @@ int mapiipc_remote_write(struct dmapiipcbuf *dbuf, struct host *h)
//Sends an IPC message to mapid
{
// qbuf->uid=getuid();
#ifdef DIMAPISSL
if(SSL_write(h->con,dbuf,dbuf->length) == -1){
WARNING_CMD(printf("SSL_write: %s [%s:%d]\n",strerror(errno),__FILE__,__LINE__));
// exit(1);
return -1;
}
#endif
#ifndef DIMAPISSL
if(send(h->sockfd, dbuf, dbuf->length, 0) == -1) {
WARNING_CMD(printf("send: %s [%s:%d]\n",strerror(errno),__FILE__,__LINE__));
// exit(1);
return -1;
}
}
#endif
return 0;
}
int mapiipc_remote_write_to_all(remote_flowdescr_t* rflow)
{
host_flow* hflow;
......@@ -144,6 +162,10 @@ void *mapiipc_comm_thread(void *host) {
int recv_bytes;
int sockfd=((struct host *)host)->sockfd;
#ifdef DIMAPISSL
SSL *hostconn = ((struct host*)host)->con;
#endif
/* Guarantees that thread resources are deallocated upon return */
pthread_detach(pthread_self());
......@@ -152,9 +174,16 @@ void *mapiipc_comm_thread(void *host) {
while (1) {
if (host==NULL) break;
recv_bytes=readn(sockfd, dbuf, BASIC_SIZE);
#ifdef DIMAPISSL
recv_bytes = SSL_readn(hostconn,dbuf,BASIC_SIZE);
#endif
#ifndef DIMAPISSL
recv_bytes=readn(sockfd, dbuf, BASIC_SIZE);
#endif
if (recv_bytes == 0) { // the peer has gone
//printf("Socket closed\n");
break;
......@@ -170,8 +199,14 @@ void *mapiipc_comm_thread(void *host) {
}
if (dbuf->length-BASIC_SIZE>0) {
#ifdef DIMAPISSL
recv_bytes = SSL_readn(hostconn,(char *)dbuf + BASIC_SIZE, dbuf->length - BASIC_SIZE );
#endif
#ifndef DIMAPISSL
recv_bytes=readn(sockfd, (char*)dbuf+BASIC_SIZE, dbuf->length-BASIC_SIZE);
#endif
if (recv_bytes == 0) { // the peer has gone
//printf("Socket closed\n");
break;
......@@ -216,6 +251,23 @@ int mapiipc_remote_init(struct host *h)
struct hostent* host=gethostbyname(h->hostname);
struct timeval tv;
#ifdef DIMAPISSL
SSL_library_init();
SSL_load_error_strings();
if ((ctx=SSL_CTX_new(SSLv3_client_method())) == NULL) {
ERR_print_errors_fp(stderr);
return 0;
}
if ((h->con = SSL_new(ctx)) == NULL) {
ERR_print_errors_fp(stderr);
return 0;;
}
#endif
if ((h->sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
ERROR_CMD(printf("socket: %s [%s:%d]\n",strerror(errno),__FILE__,__LINE__));
//exit(-1);
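Review bot: The client context built with `SSL_CTX_new(SSLv3_client_method())` never gets a verification mode or a trust store (no `SSL_CTX_set_verify`, no `SSL_CTX_load_verify_locations`), so the client accepts whatever certificate the peer presents and the SSL layer gives no protection against an active man-in-the-middle; after `SSL_CTX_new` add `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);` and load the mapicommd certificate (or its issuing CA) with `SSL_CTX_load_verify_locations`. SSLv3 itself should not be pinned; `SSLv23_client_method()` with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` lets both ends negotiate TLS. The two new failure paths `return 0` while the socket-level failures in this function report -1, so a caller testing for a negative result proceeds with an unusable `h->con`; return -1 there as well. As written every call to mapiipc_remote_init also reruns `SSL_library_init()` and overwrites the file-scope `ctx` without freeing the previous one, so a context per process (created once) would be the cleaner shape. mapiipc_remote_init continues outside this hunk.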
......@@ -260,6 +312,19 @@ int mapiipc_remote_init(struct host *h)
//exit(EXIT_FAILURE);
return -1;
}
#ifdef DIMAPISSL
if (SSL_set_fd(h->con, h->sockfd) == 0) {
ERR_print_errors_fp(stderr);
return 0;
}
if (SSL_connect(h->con) <= 0) {
ERR_print_errors_fp(stderr);
return 0;
}
#endif
return 0;
}
......@@ -267,6 +332,11 @@ int mapiipc_remote_init(struct host *h)
void mapiipc_remote_close(struct host *h)
//Releases socket resources
{
#ifdef DIMAPISSL
if (SSL_shutdown(h->con) == -1)
ERR_print_errors_fp(stderr);
#endif
shutdown(h->sockfd, SHUT_RDWR);
close(h->sockfd);
}
......@@ -462,4 +532,29 @@ ssize_t readn(int fd, void *vptr, size_t n) {
return(n - nleft); /* return >= 0 */
}
#ifdef DIMAPISSL
ssize_t SSL_readn(SSL *con, void *vptr, size_t n) {
size_t nleft;
ssize_t nread;
char *ptr;
ptr = vptr;
nleft = n;
while (nleft > 0) {
errno=0;
if ( (nread = SSL_read(con, ptr, nleft)) < 0) {
if (errno == EINTR)
nread = 0; /* and call read() again */
else
return(-1);
} else if (nread == 0)
return 0; /* EOF */
nleft -= nread;
ptr += nread;
}
return(n - nleft); /* return >= 0 */
}
#endif
#ifndef _MAPIIPC_H
#define _MAPIIPC_H 1
#define DIMAPISSL
#ifdef DIMAPISSL
#include <openssl/ssl.h>
#include <openssl/err.h>
#endif
#include "mapi.h"
......@@ -26,6 +34,17 @@
//that is added.
#ifdef DIMAPISSL
static SSL_CTX *ctx;
struct overload{
SSL * connection;
int sock;
};
#endif
//Messages types that can be sent to/from mapi and mapid
typedef enum {
CREATE_FLOW,
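Review bot: `static SSL_CTX *ctx;` in this header defines a separate, private context object in every translation unit that includes mapiipc.h instead of declaring one shared variable; mapiipc.c already has its own `static SSL_CTX *ctx` at file scope, so the header copy is redundant there, and the server context in mapicommd.c becomes an unrelated variable that merely shares the name. Either declare it as `extern SSL_CTX *ctx;` here and define it exactly once in the .c file that owns it, or remove it from the header and keep a file-scope static in each .c that creates a context. `struct overload` appears to be used only by the accept loop and `handle_request` in mapicommd.c, so it could live there; at minimum document it, e.g. `/* per-connection argument passed to handle_request: the SSL object and the socket it wraps */`. The unconditional `#define DIMAPISSL` a few lines above this hunk forces the SSL build on for every includer and turns all `#ifndef DIMAPISSL` fallbacks into dead code; that switch belongs to the build system (`-DDIMAPISSL`), not the public header.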
......@@ -129,6 +148,9 @@ struct host {
char* hostname;
int port;
int sockfd;
#ifdef DIMAPISSL
SSL *con;
#endif
int num_flows; //to know when to close the socket
flist_t *flows;
flist_t* functions;
......@@ -191,6 +213,9 @@ void *mapiipc_comm_thread(void *host);
/* Read "n" bytes from a socket. */
ssize_t readn(int fd, void *vptr, size_t n);
#ifdef DIMAPISSL
ssize_t SSL_readn(SSL *con, void *vptr, size_t n);
#endif
#endif//DIMAPI
......@@ -42,6 +42,15 @@ int main() {
struct sockaddr_in serv_addr;
struct sockaddr_in clnt_addr;
#ifdef DIMAPISSL
struct overload *inst;
SSL *con=NULL;
OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
SSL_library_init();
SSL_load_error_strings();
#endif
pthread_t chld_thr;
char* mapi_conf;
......@@ -73,6 +82,28 @@ int main() {
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(dimapi_port);
#ifdef DIMAPISSL
/**** SSL CHANGES **********/
if ((ctx=SSL_CTX_new(SSLv3_server_method())) == NULL) {
ERR_print_errors_fp(stderr);
return 0;
}
if (SSL_CTX_use_certificate_file(ctx, "/usr/local/share/mapi/cacert.pem", SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
return 0;
}
if (SSL_CTX_use_PrivateKey_file(ctx, "/usr/local/share/mapi/privkey.pem", SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
return 0;
}
/*** END OF SSL CHANGES *****/
#endif
/* DANGEROUS, but useful for debugging, so leave it for now */
if (setsockopt(serv_sock, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1) {
close(serv_sock);
......@@ -103,19 +134,69 @@ int main() {
continue;
}
#ifdef DIMAPISSL
printf("\n\t\tDiMAPI (SSL ENCRYPTION)\n");
if ((con=SSL_new(ctx)) == NULL) {
ERR_print_errors_fp(stderr);
return 0;;
}
if (SSL_set_fd(con, new_sock) == 0) {
ERR_print_errors_fp(stderr);
return 0;
}
if (SSL_accept(con) <= 0) {
ERR_print_errors_fp(stderr);
return 0;
}
#endif
#ifndef DIMAPISSL
printf("\n\t\tDiMAPI (no encryption)\n");
#endif
printf("<*> got connection from %s\n", inet_ntoa(clnt_addr.sin_addr));
#ifdef DIMAPISSL
inst = (struct overload *)malloc(sizeof(struct overload));
inst->connection = con;
inst->sock = new_sock;
if (pthread_create(&chld_thr, NULL, handle_request,(void *) inst) != 0){
die("pthread_create() failed");
continue;
}
#endif
#ifndef DIMAPISSL
if (pthread_create(&chld_thr, NULL, handle_request, (void *)new_sock) != 0) {
die("pthread_create() failed");
continue;
}
#endif
}
return 0; /* never reached */
}
void *handle_request(void *arg) {
#ifdef DIMAPISSL
SSL *con ;
con = ((struct overload*)arg)->connection;
int sock = ((struct overload*)arg)->sock;
#endif
#ifndef DIMAPISSL
int sock=(int)arg;
#endif
int recv_bytes;
//char buffer[DIMAPI_DATA_SIZE]; DELETE
struct dmapiipcbuf *dbuf=NULL;
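Review bot: Each of the three new SSL checks in the accept loop (`SSL_new`, `SSL_set_fd`, `SSL_accept`) ends in `return 0;`, which leaves main and stops the whole daemon; `SSL_accept` fails for any peer that connects without speaking SSL, so a single port scan or one legacy non-SSL client can shut mapicommd down remotely. Release the connection state and `continue`, as the existing pthread_create failure branch does, and also free `inst`, the SSL object and `new_sock` on that branch, where they are currently leaked. The `malloc` of `inst` is unchecked and nothing frees it later (handle_request, whose body continues past this hunk, also never calls `SSL_free` on its `con`). Because the handshake runs synchronously in the accept loop before the thread is created, one slow or stalled client appears to block `accept()` for all others; moving `SSL_accept` into handle_request would remove that serialization.
```c
if ((con = SSL_new(ctx)) == NULL) {
    ERR_print_errors_fp(stderr);
    close(new_sock);
    continue;
}
if (SSL_set_fd(con, new_sock) == 0 || SSL_accept(con) <= 0) {
    ERR_print_errors_fp(stderr);
    SSL_free(con);
    close(new_sock);
    continue;
}
/* … unchanged: banner and "got connection from" log lines … */
inst = malloc(sizeof *inst);
if (inst == NULL) {
    SSL_free(con);
    close(new_sock);
    continue;
}
inst->connection = con;
inst->sock = new_sock;
if (pthread_create(&chld_thr, NULL, handle_request, (void *) inst) != 0) {
    die("pthread_create() failed");
    SSL_free(con);
    close(new_sock);
    free(inst);
    continue;
}
```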
......@@ -130,11 +211,20 @@ void *handle_request(void *arg) {
struct timeval tv; /*used for timestamping results when produced */
struct mapipkt *pkt;
/* Guarantees that thread resources are deallocated upon return */
pthread_detach(pthread_self());
dbuf = (struct dmapiipcbuf *)malloc(sizeof(struct dmapiipcbuf));
#ifdef DIMAPISSL
printf("<+> new thread %d, socket number = %d\n", (int)pthread_self(),(int) con);
#endif
#ifndef DIMAPISSL
printf("<+> new thread %d, socket number = %d\n", (int)pthread_self(), sock);
#endif
while(1) {
/*if (dbuf_bytes==0 || dbuf_bytes<((struct dmapiipcbuf *)buffer)->length){
......@@ -156,8 +246,13 @@ void *handle_request(void *arg) {
if (dbuf_bytes<((struct dmapiipcbuf *)buffer)->length) continue;*/
recv_bytes=readn(sock, dbuf, BASIC_SIZE);
#ifdef DIMAPISSL
recv_bytes = SSL_readn(con,dbuf,BASIC_SIZE);
#endif
#ifndef DIMAPISSL
recv_bytes=readn(sock, dbuf, BASIC_SIZE);
#endif
if (recv_bytes == 0) { // the peer has gone
printf("Peer has gone\n");
break;
......@@ -173,8 +268,13 @@ void *handle_request(void *arg) {
}
if (dbuf->length-BASIC_SIZE>0) {
#ifdef DIMAPISSL
recv_bytes = SSL_readn(con,(char *)dbuf+BASIC_SIZE,dbuf->length-BASIC_SIZE);
#endif
#ifndef DIMAPISSL
recv_bytes=readn(sock, (char*)dbuf+BASIC_SIZE, dbuf->length-BASIC_SIZE);
#endif
if (recv_bytes == 0) { // the peer has gone
printf("Peer has gone\n");
break;
......@@ -344,7 +444,13 @@ void *handle_request(void *arg) {
//no need to send responce on mapi_close_flow
if (dbuf->cmd!=CLOSE_FLOW) {
send(sock, dbuf, dbuf->length, 0);
#ifdef DIMAPISSL
SSL_write(con,dbuf,dbuf->length);
#endif
#ifndef DIMAPISSL
send(sock,dbuf, dbuf->length,0);
#endif
}
//dbuf_bytes=dbuf_bytes-((struct dmapiipcbuf *)buffer)->length; DELETE
......@@ -358,6 +464,13 @@ void *handle_request(void *arg) {
}
free(active_flows);
free(dbuf);
#ifdef DIMAPISSL
if (SSL_shutdown(con) == -1)
ERR_print_errors_fp(stderr);
#endif
shutdown(sock, SHUT_RDWR);
close(sock);