From owner-p4-projects@FreeBSD.ORG Mon Mar 3 18:57:25 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 36D6B1065673; Mon, 3 Mar 2008 18:57:25 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E971F106566C for ; Mon, 3 Mar 2008 18:57:24 +0000 (UTC) (envelope-from csjp@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id E871A8FC17 for ; Mon, 3 Mar 2008 18:57:24 +0000 (UTC) (envelope-from csjp@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m23IvOSh074091 for ; Mon, 3 Mar 2008 18:57:24 GMT (envelope-from csjp@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m23IvOaf074089 for perforce@freebsd.org; Mon, 3 Mar 2008 18:57:24 GMT (envelope-from csjp@freebsd.org) Date: Mon, 3 Mar 2008 18:57:24 GMT Message-Id: <200803031857.m23IvOaf074089@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to csjp@freebsd.org using -f From: "Christian S.J. Peron" To: Perforce Change Reviews Cc: Subject: PERFORCE change 136762 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Mar 2008 18:57:25 -0000 http://perforce.freebsd.org/chv.cgi?CH=136762 Change 136762 by csjp@ibm01 on 2008/03/03 18:56:52 Bring in some of the SSL work: - Add "crypto keyfile" "crypto dsaparam" and "crypto cacert" to the configuration parameters. - Add the necessary elements to the structures to support SSL for both client and server - Hook crypto into the build - Annotate why some structures exist and when you can expect to use them. - Define netaudit_connect() and modify netaudit_accept_socket() so They are SSL aware. NOTE: SSL is thought to be 'enabled' when any of the crypto variables have been initialized. Affected files ... .. //depot/projects/trustedbsd/netauditd/Makefile#4 edit .. //depot/projects/trustedbsd/netauditd/component.c#6 edit .. //depot/projects/trustedbsd/netauditd/conf.c#6 edit .. //depot/projects/trustedbsd/netauditd/crypto.c#5 edit .. //depot/projects/trustedbsd/netauditd/netauditd.c#13 edit .. //depot/projects/trustedbsd/netauditd/netauditd.conf#4 edit .. //depot/projects/trustedbsd/netauditd/netauditd.h#10 edit Differences ... ==== //depot/projects/trustedbsd/netauditd/Makefile#4 (text+ko) ==== @@ -1,7 +1,10 @@ PROG= netauditd -SRCS= netauditd.c component.c conf.c +SRCS= netauditd.c component.c conf.c crypto.c NO_MAN= +DPADD= ${LIBSSL} +LDADD= -lssl + CFLAGS+= -Wall -ggdb .include ==== //depot/projects/trustedbsd/netauditd/component.c#6 (text+ko) ==== @@ -30,6 +30,8 @@ #include #include +#include + #include #include #include @@ -43,6 +45,7 @@ #include +#include "crypto.h" #include "netauditd.h" au_cmpnt_head_t au_srclist; ==== //depot/projects/trustedbsd/netauditd/conf.c#6 (text+ko) ==== @@ -30,6 +30,8 @@ #include #include +#include + #include #include #include @@ -43,6 +45,7 @@ #include +#include "crypto.h" #include "netauditd.h" #define SYNTAX_ERROR(x, y) { (void) fprintf(stderr, \ @@ -62,12 +65,22 @@ { "dst", NULL, "trail", 5, conf_parse_dst_trail }, { "dst", NULL, "net", 6, conf_parse_net }, { "crypto", "keyfile", NULL, 3, conf_parse_keyfile }, + { "crypto", "dsaparam", NULL, 3, conf_parse_keyfile }, + { "crypto", "cacert", NULL, 3, conf_parse_keyfile }, { NULL, NULL, NULL, 0, NULL } }; int conf_parse_keyfile(args_t *a) { + + if (strcmp(a->args[1], "keyfile") == 0) + crypto_keyfile = a->args[2]; + if (strcmp(a->args[1], "dsaparam") == 0) + crypto_dsaparam = a->args[2]; + if (strcmp(a->args[1], "cacert") == 0) + crypto_cacert = a->args[2]; + crypto_enabled = 1; return (0); } ==== //depot/projects/trustedbsd/netauditd/crypto.c#5 (text+ko) ==== @@ -27,10 +27,17 @@ #include #include +#include #include "crypto.h" +#if 0 static char *crypto_pass; +#endif +char *crypto_keyfile; +char *crypto_dsaparam; +char *crypto_cacert; +int crypto_enabled; static int crypto_fatal(struct crypto_context *ct, const char *string) @@ -42,6 +49,7 @@ exit(1); } +#if 0 static int crypto_password_cb(char *buf, int num, int rwflag, void *userdata) { @@ -52,7 +60,8 @@ return(0); (void) strcpy(buf, crypto_pass); return (slen); -} +} +#endif int crypto_init_context(struct crypto_context *ct, int ctx_type) @@ -71,27 +80,35 @@ } meth = SSLv23_method(); ct->c_ctx = SSL_CTX_new(meth); - if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, "server.pem")) - crypto_fatal(ct, "Can't read certificate file"); /* - * XXX we will revisit this. Just want to get things working. + * Open up the SSL certificate for this host. This information is + * specified in the configuration file using the following line: + * + * crypto keyfile + * + * In order to ensure that the service can come up on bootup without + * requiring password input from a user, use non-encrypted keyfiles. */ - crypto_pass = "SeCrET KeY"; - SSL_CTX_set_default_passwd_cb(ct->c_ctx, crypto_password_cb); - if (!SSL_CTX_use_PrivateKey_file(ct->c_ctx, "server.pem", SSL_FILETYPE_PEM)) - crypto_fatal(ct, "Can't read key file"); + if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, crypto_keyfile)) + crypto_fatal(ct, "Can't read certificate file"); /* - * Load trusted certificate authorities from key.pem + * Supply the certificate authorities (CA) x509 cert. This is + * supplied in the configuration file using the following line: + * + * crypto cacert */ - if (!SSL_CTX_load_verify_locations(ct->c_ctx, "key.pem", 0)) + if (!SSL_CTX_load_verify_locations(ct->c_ctx, crypto_cacert, 0)) crypto_fatal(ct, "Can't read CA list"); - if ((bio = BIO_new_file("DHFILE", "r")) == NULL) - crypto_fatal(ct, "Couldn't open DH file"); /* * If we are initializing this crypto context for serving SSL clients, - * make sure we initialize our Diffie Hellman parameters. + * make sure we initialize our Diffie Hellman parameters. DH params + * are specified in the configuration file using the following line: + * + * crypto dsaparam */ if (ctx_type == CRYPTO_CTX_SERVER) { + if ((bio = BIO_new_file(crypto_dsaparam, "r")) == NULL) + crypto_fatal(ct, "Couldn't open DH file"); ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (SSL_CTX_set_tmp_dh(ct->c_ctx, ret) < 0) @@ -107,14 +124,19 @@ SSL_CTX_free(ct->c_ctx); } +#if 0 int main(int argc, char *argv[]) { struct crypto_context ct; int error; + crypto_keyfile = "server.pem"; + crypto_params = "dsaparam.pem"; + crypto_cacert = "cacert.pem"; error = crypto_init_context(&ct, CRYPTO_CTX_SERVER); if (error) err(1, "crypto_init_context failed"); return (0); } +#endif ==== //depot/projects/trustedbsd/netauditd/netauditd.c#13 (text+ko) ==== @@ -35,7 +35,9 @@ #include #include #include +#include +#include #include #include #include @@ -47,6 +49,7 @@ #include #include +#include "crypto.h" #include "netauditd.h" #define FLAG_DEBUG 1 @@ -228,6 +231,28 @@ } } +int +netaudit_connect(struct au_cmpnt *au) +{ + int error; + + error = connect(au->ac_fd, au->ac_ainfo->ai_addr, + au->ac_ainfo->ai_addrlen); + if (error < 0) + return (-1); + if (crypto_enabled == 0) + return (error); + assert(au->ac_crypto_init == 0); + (void) crypto_init_context(&au->ac_cct, CRTYPO_CTX_CLIENT); + au->ac_ssl = SSL_new(au->ac_cct.c_ctx); + au->ac_sbio = BIO_new_socket(au->ac_fd, BIO_NOCLOSE); + SSL_set_bio(au->ac_ssl, au->ac_sbio, au->ac_sbio); + error = SSL_connect(au->ac_ssl); + /* XXX need to do better error checking here */ + au->ac_crypto_init = 1; + return (error == 1 ? 0 : -1); +} + void netaudit_establish(void) { @@ -253,8 +278,7 @@ au->ac_ainfo->ai_protocol); if (au->ac_fd == -1) continue; - if (connect(au->ac_fd, au->ac_ainfo->ai_addr, - au->ac_ainfo->ai_addrlen) == -1) { + if (netaudit_connect(au) == -1) { warn("connect"); close(au->ac_fd); continue; @@ -368,6 +392,7 @@ netaudit_socket_accept(struct au_cmpnt *au) { struct au_srcbuffer *new; + int error; new = malloc(sizeof(struct au_srcbuffer)); if (new == NULL) @@ -387,6 +412,17 @@ exit(2); } new->sb_parent = au; + if (crypto_enabled == 0) { + TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue); + return; + } + if (au->ac_crypto_init == 0) + (void) crypto_init_context(&au->ac_cct, CRYPTO_CTX_SERVER); + au->ac_crypto_init = 1; + new->sb_sbio = BIO_new_socket(new->sb_fd, BIO_NOCLOSE); + new->sb_ssl = SSL_new(au->ac_cct.c_ctx); + SSL_set_bio(new->sb_ssl, new->sb_sbio, new->sb_sbio); + error = SSL_accept(new->sb_ssl); TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue); } ==== //depot/projects/trustedbsd/netauditd/netauditd.conf#4 (text+ko) ==== @@ -1,5 +1,12 @@ # netauditd configuration file +# +# For the use of SSL un-comment and define the following variables: +# +# crypto keyfile server.pem +# crypto cacert cacert.pem +# crypto dsaparam dsaparam.pem + src src0 pipe /dev/auditpipe src src1 net 0.0.0.0 9999 ==== //depot/projects/trustedbsd/netauditd/netauditd.h#10 (text+ko) ==== @@ -45,6 +45,11 @@ TAILQ_ENTRY(au_queue_ent) aq_glue; }; +/* + * This object exists for accepted connections. For each new file descriptor + * returned by accept(2), a au_srcbuffer will be allocated and initialized to + * track I/O for each connected remote peer. + */ struct au_srcbuffer { struct au_cmpnt *sb_parent; struct sockaddr *sb_sockaddr; @@ -55,20 +60,35 @@ u_char sb_buf[2048]; u_char sb_header[5]; TAILQ_ENTRY(au_srcbuffer) sb_glue; + BIO *sb_sbio; + SSL *sb_ssl; }; +/* + * Component objects exist for each source and destination components. In the + * case we are network socket (opposed to a regular file or pipe) we have + * SSL parameters. These parameters are inherited by au_srcbuffer objects for + * each connected peer for a component. + */ struct au_cmpnt { char *ac_name; int ac_type; int ac_fd; int ac_established; char *ac_path; - struct addrinfo *ac_ainfo; struct au_cmpnt **ac_consumers; unsigned int ac_nconsumers; TAILQ_HEAD(ac_oq, au_queue_ent) ac_oq; TAILQ_HEAD(ac_sbufq, au_srcbuffer) ac_sbufq; TAILQ_ENTRY(au_cmpnt) ac_glue; + /* + * In case we are a network socket + */ + struct addrinfo *ac_ainfo; + SSL *ac_ssl; + BIO *ac_sbio; + struct crypto_context ac_cct; + int ac_crypto_init; }; typedef struct _args_t { @@ -81,6 +101,10 @@ extern au_cmpnt_head_t au_dstlist; extern char *conf_path; +extern char *crypto_keyfile; +extern char *crypto_dsaparam; +extern char *crypto_cacert; +extern int crypto_enabled; int component_clear_oq(struct au_cmpnt *); void component_destroy(struct au_cmpnt *);