Make tls engine runtime configurable

author: Dirk Engling <erdgeist@erdgeist.org> 2022-05-25 00:23:08 +0200
committer: Dirk Engling <erdgeist@erdgeist.org> 2022-05-25 00:23:08 +0200
commit: 0bd0d4e6db2093186e91aa023865f16c793854e2 (patch)
tree: 18ad198b26f0be89c3a385cd09b7bcfe3a5063ac /vchat-connection.c
parent: acc107e1a89cc599d9c00b3e899e39af3159e950 (diff)
1 files changed, 99 insertions, 11 deletions
diff --git a/vchat-connection.c b/vchat-connection.c
index 165ed9b..4680b6e 100644
--- a/vchat-connection.c
+++ b/vchat-connection.c
@@ -35,6 +35,9 @@
 static int serverfd = -1;
 unsigned int want_tcp_keepalive = 0;
+enum { TLS_ENGINE_UNSET, TLS_ENGINE_OPENSSL, TLS_ENGINE_MBEDTLS };
+static int _engine = TLS_ENGINE_UNSET;
 #define STAGING_SIZE 16384
 #define RECEIVEBUF_SIZE 4096
@@ -87,6 +90,7 @@ int vc_connect(const char *server, const char *port) {
  /* pointer to tilde-expanded certificate/keyfile-names */
  char *certfile, *cafile;
+  int result = -1, want_openssl = !strcmp(getstroption(CF_TLSLIB), "openssl");
  /* Connect to the server */
  serverfd = connect_tcp_socket(server, port);
@@ -100,8 +104,35 @@ int vc_connect(const char *server, const char *port) {
  if (!getintoption(CF_USESSL))
    return 0;
+#ifdef TLS_LIB_OPENSSL
+  _engine = TLS_ENGINE_OPENSSL;
+#endif
+#ifdef TLS_LIB_MBEDTLS
+  /* Make mbedtls default unless mbedtls is configured */
+  if (!want_openssl || _engine == TLS_ENGINE_UNSET)
+    _engine = TLS_ENGINE_MBEDTLS;
+#endif
+  if (_engine == TLS_ENGINE_UNSET) {
+    writecf(FS_ERR, "Error: tls requested but no tls engine compiled in.");
+    return -1;
+  }
+  if (want_openssl && _engine == TLS_ENGINE_MBEDTLS)
+    writecf(FS_SERV, "Warning: tls engine openssl requested but openssl engine not compiled in. Using mbedtls");
+  if (!want_openssl && _engine == TLS_ENGINE_OPENSSL)
+    writecf(FS_SERV, "Warning: tls engine mbedtls requested but mbedts engine not compiled in. Using openssl");
  /* If SSL is requested, get our ssl-BIO running */
-  vc_init_x509store(&vc_store);
+#ifdef TLS_LIB_OPENSSL
+  if (_engine == TLS_ENGINE_OPENSSL)
+    vc_openssl_init_x509store(&vc_store);
+#endif
+#ifdef TLS_LIB_MBEDTLS
+  if (_engine == TLS_ENGINE_MBEDTLS)
+    vc_mbedtls_init_x509store(&vc_store);
+#endif
  /* get name of certificate file */
  certfile = get_tilde_expanded(CF_CERTFILE);
@@ -127,14 +158,30 @@ int vc_connect(const char *server, const char *port) {
  free(cafile);
  /* upgrade our plain BIO to ssl */
-  int result = vc_tls_connect(serverfd, &vc_store);
+#ifdef TLS_LIB_OPENSSL
+  if (_engine == TLS_ENGINE_OPENSSL)
+    result = vc_openssl_connect(serverfd, &vc_store);
+#endif
+#ifdef TLS_LIB_MBEDTLS
+  if (_engine == TLS_ENGINE_MBEDTLS)
+    result = vc_mbedtls_connect(serverfd, &vc_store);
+#endif
  vc_cleanup_x509store(&vc_store);
  if (result) {
    close(serverfd);
    serverfd = -1;
    errno = EIO;
-    vc_tls_cleanup();
+#ifdef TLS_LIB_OPENSSL
+    if (_engine == TLS_ENGINE_OPENSSL)
+      vc_openssl_cleanup();
+#endif
+#ifdef TLS_LIB_MBEDTLS
+    if (_engine == TLS_ENGINE_MBEDTLS)
+      vc_mbedtls_cleanup();
+#endif
+    _engine = TLS_ENGINE_UNSET;
    snprintf(tmpstr, TMPSTRSIZE, getformatstr(FS_CANTCONNECT), server, port);
    writechan(tmpstr);
    return -1;
@@ -175,27 +222,42 @@ void vc_disconnect() {
    close(serverfd);
    serverfd = -1;
  }
-  vc_tls_cleanup();
+#ifdef TLS_LIB_OPENSSL
+  if (_engine == TLS_ENGINE_OPENSSL)
+    vc_openssl_cleanup();
+#endif
+#ifdef TLS_LIB_MBEDTLS
+  if (_engine == TLS_ENGINE_MBEDTLS)
+    vc_mbedtls_cleanup();
+#endif
+  _engine = TLS_ENGINE_UNSET;
  loggedin = 0;
 }
 void vc_sendmessage(const char *msg) {
  static char staging[STAGING_SIZE];
-  size_t sent, len = snprintf(staging, sizeof(staging), "%s\r\n", msg);
+  size_t sent = 0, len = snprintf(staging, sizeof(staging), "%s\r\n", msg);
 #ifdef DEBUG
  /* debugging? log network output! */
  fprintf(dumpfile, ">| (%zd) %s\n", len - 2, msg);
 #endif
-  if (getintoption(CF_USESSL))
+  if (getintoption(CF_USESSL)) {
-    sent = vc_tls_sendmessage(staging, len);
+#ifdef TLS_LIB_OPENSSL
-  else
+    if (_engine == TLS_ENGINE_OPENSSL)
+      sent = vc_openssl_sendmessage(staging, len);
+#endif
+#ifdef TLS_LIB_MBEDTLS
+    if (_engine == TLS_ENGINE_MBEDTLS)
+      sent = vc_mbedtls_sendmessage(staging, len);
+#endif
+  } else
    sent = write(serverfd, staging, len);
  if (sent != len)
    writecf(FS_ERR, "Message sending fuzzy.");
 }
 /* get data from servers connection */
 int vc_receive(void) {
 /* offset in buffer (for linebreaks at packet borders) */
@@ -203,12 +265,19 @@ int vc_receive(void) {
  static size_t buf_fill;
  char *endmsg;
  size_t freebytes = sizeof(buf) - buf_fill;
-  ssize_t bytes;
+  ssize_t bytes = 0;
  if (!getintoption(CF_USESSL))
    bytes = read(serverfd, buf + buf_fill, freebytes);
  else
-    bytes = vc_tls_receivemessage(buf + buf_fill, freebytes);
+#ifdef TLS_LIB_OPENSSL
+    if (_engine == TLS_ENGINE_OPENSSL)
+      bytes = vc_openssl_receivemessage(buf + buf_fill, freebytes);
+#endif
+#ifdef TLS_LIB_MBEDTLS
+   if (_engine == TLS_ENGINE_MBEDTLS)
+      bytes = vc_mbedtls_receivemessage(buf + buf_fill, freebytes);
+#endif
  /* Our tls functions may require retries with handshakes etc, this is
   * signalled by -2 */
@@ -255,3 +324,22 @@ int vc_receive(void) {
  }
  return 0;
 }
+const char *vchat_tls_version_external() {
+#ifdef TLS_LIB_OPENSSL
+  char *openssl_version = vc_openssl_version();
+#else
+  char *openssl_version = strdup("not installed");
+#endif
+#ifdef TLS_LIB_MBEDTLS
+  char *mbedtls_version = vc_mbedtls_version();
+#else
+  char *mbedtls_version = strdup("not installed");
+#endif
+  snprintf(tmpstr, TMPSTRSIZE, "Module plain v0.1\nModule openssl version: %s\nModule mbedtls version: %s", openssl_version, mbedtls_version);
+  free(openssl_version);
+  free(mbedtls_version);
+  return tmpstr;
+}
author	Dirk Engling <erdgeist@erdgeist.org>	2022-05-25 00:23:08 +0200
committer	Dirk Engling <erdgeist@erdgeist.org>	2022-05-25 00:23:08 +0200
commit	0bd0d4e6db2093186e91aa023865f16c793854e2 (patch)
tree	18ad198b26f0be89c3a385cd09b7bcfe3a5063ac /vchat-connection.c
parent	acc107e1a89cc599d9c00b3e899e39af3159e950 (diff)

diff --git a/vchat-connection.c b/vchat-connection.c index 165ed9b..4680b6e 100644 --- a/vchat-connection.c +++ b/vchat-connection.c
@@ -35,6 +35,9 @@
35	static int serverfd = -1;	35	static int serverfd = -1;
36	unsigned int want_tcp_keepalive = 0;	36	unsigned int want_tcp_keepalive = 0;
37		37
		38	enum { TLS_ENGINE_UNSET, TLS_ENGINE_OPENSSL, TLS_ENGINE_MBEDTLS };
		39	static int _engine = TLS_ENGINE_UNSET;
		40
38	#define STAGING_SIZE 16384	41	#define STAGING_SIZE 16384
39	#define RECEIVEBUF_SIZE 4096	42	#define RECEIVEBUF_SIZE 4096
40		43
@@ -87,6 +90,7 @@ int vc_connect(const char server, const char port) {
87		90
88	/* pointer to tilde-expanded certificate/keyfile-names */	91	/* pointer to tilde-expanded certificate/keyfile-names */
89	char certfile, cafile;	92	char certfile, cafile;
		93	int result = -1, want_openssl = !strcmp(getstroption(CF_TLSLIB), "openssl");
90		94
91	/* Connect to the server */	95	/* Connect to the server */
92	serverfd = connect_tcp_socket(server, port);	96	serverfd = connect_tcp_socket(server, port);
@@ -100,8 +104,35 @@ int vc_connect(const char server, const char port) {
100	if (!getintoption(CF_USESSL))	104	if (!getintoption(CF_USESSL))
101	return 0;	105	return 0;
102		106
		107	#ifdef TLS_LIB_OPENSSL
		108	_engine = TLS_ENGINE_OPENSSL;
		109	#endif
		110	#ifdef TLS_LIB_MBEDTLS
		111	/* Make mbedtls default unless mbedtls is configured */
		112	if (!want_openssl \|\| _engine == TLS_ENGINE_UNSET)
		113	_engine = TLS_ENGINE_MBEDTLS;
		114	#endif
		115
		116	if (_engine == TLS_ENGINE_UNSET) {
		117	writecf(FS_ERR, "Error: tls requested but no tls engine compiled in.");
		118	return -1;
		119	}
		120
		121	if (want_openssl && _engine == TLS_ENGINE_MBEDTLS)
		122	writecf(FS_SERV, "Warning: tls engine openssl requested but openssl engine not compiled in. Using mbedtls");
		123
		124	if (!want_openssl && _engine == TLS_ENGINE_OPENSSL)
		125	writecf(FS_SERV, "Warning: tls engine mbedtls requested but mbedts engine not compiled in. Using openssl");
		126
103	/* If SSL is requested, get our ssl-BIO running */	127	/* If SSL is requested, get our ssl-BIO running */
104	vc_init_x509store(&vc_store);	128	#ifdef TLS_LIB_OPENSSL
		129	if (_engine == TLS_ENGINE_OPENSSL)
		130	vc_openssl_init_x509store(&vc_store);
		131	#endif
		132	#ifdef TLS_LIB_MBEDTLS
		133	if (_engine == TLS_ENGINE_MBEDTLS)
		134	vc_mbedtls_init_x509store(&vc_store);
		135	#endif
105		136
106	/* get name of certificate file */	137	/* get name of certificate file */
107	certfile = get_tilde_expanded(CF_CERTFILE);	138	certfile = get_tilde_expanded(CF_CERTFILE);
@@ -127,14 +158,30 @@ int vc_connect(const char server, const char port) {
127	free(cafile);	158	free(cafile);
128		159
129	/* upgrade our plain BIO to ssl */	160	/* upgrade our plain BIO to ssl */
130	int result = vc_tls_connect(serverfd, &vc_store);	161	#ifdef TLS_LIB_OPENSSL
		162	if (_engine == TLS_ENGINE_OPENSSL)
		163	result = vc_openssl_connect(serverfd, &vc_store);
		164	#endif
		165	#ifdef TLS_LIB_MBEDTLS
		166	if (_engine == TLS_ENGINE_MBEDTLS)
		167	result = vc_mbedtls_connect(serverfd, &vc_store);
		168	#endif
131	vc_cleanup_x509store(&vc_store);	169	vc_cleanup_x509store(&vc_store);
132		170
133	if (result) {	171	if (result) {
134	close(serverfd);	172	close(serverfd);
135	serverfd = -1;	173	serverfd = -1;
136	errno = EIO;	174	errno = EIO;
137	vc_tls_cleanup();	175	#ifdef TLS_LIB_OPENSSL
		176	if (_engine == TLS_ENGINE_OPENSSL)
		177	vc_openssl_cleanup();
		178	#endif
		179	#ifdef TLS_LIB_MBEDTLS
		180	if (_engine == TLS_ENGINE_MBEDTLS)
		181	vc_mbedtls_cleanup();
		182	#endif
		183
		184	_engine = TLS_ENGINE_UNSET;
138	snprintf(tmpstr, TMPSTRSIZE, getformatstr(FS_CANTCONNECT), server, port);	185	snprintf(tmpstr, TMPSTRSIZE, getformatstr(FS_CANTCONNECT), server, port);
139	writechan(tmpstr);	186	writechan(tmpstr);
140	return -1;	187	return -1;
@@ -175,27 +222,42 @@ void vc_disconnect() {
175	close(serverfd);	222	close(serverfd);
176	serverfd = -1;	223	serverfd = -1;
177	}	224	}
178	vc_tls_cleanup();	225	#ifdef TLS_LIB_OPENSSL
		226	if (_engine == TLS_ENGINE_OPENSSL)
		227	vc_openssl_cleanup();
		228	#endif
		229	#ifdef TLS_LIB_MBEDTLS
		230	if (_engine == TLS_ENGINE_MBEDTLS)
		231	vc_mbedtls_cleanup();
		232	#endif
		233
		234	_engine = TLS_ENGINE_UNSET;
179	loggedin = 0;	235	loggedin = 0;
180	}	236	}
181		237
182	void vc_sendmessage(const char *msg) {	238	void vc_sendmessage(const char *msg) {
183	static char staging[STAGING_SIZE];	239	static char staging[STAGING_SIZE];
184	size_t sent, len = snprintf(staging, sizeof(staging), "%s\r\n", msg);	240	size_t sent = 0, len = snprintf(staging, sizeof(staging), "%s\r\n", msg);
185	#ifdef DEBUG	241	#ifdef DEBUG
186	/* debugging? log network output! */	242	/* debugging? log network output! */
187	fprintf(dumpfile, ">\| (%zd) %s\n", len - 2, msg);	243	fprintf(dumpfile, ">\| (%zd) %s\n", len - 2, msg);
188	#endif	244	#endif
189		245
190	if (getintoption(CF_USESSL))	246	if (getintoption(CF_USESSL)) {
191	sent = vc_tls_sendmessage(staging, len);	247	#ifdef TLS_LIB_OPENSSL
192	else	248	if (_engine == TLS_ENGINE_OPENSSL)
		249	sent = vc_openssl_sendmessage(staging, len);
		250	#endif
		251	#ifdef TLS_LIB_MBEDTLS
		252	if (_engine == TLS_ENGINE_MBEDTLS)
		253	sent = vc_mbedtls_sendmessage(staging, len);
		254	#endif
		255	} else
193	sent = write(serverfd, staging, len);	256	sent = write(serverfd, staging, len);
194	if (sent != len)	257	if (sent != len)
195	writecf(FS_ERR, "Message sending fuzzy.");	258	writecf(FS_ERR, "Message sending fuzzy.");
196	}	259	}
197		260
198
199	/* get data from servers connection */	261	/* get data from servers connection */
200	int vc_receive(void) {	262	int vc_receive(void) {
201	/* offset in buffer (for linebreaks at packet borders) */	263	/* offset in buffer (for linebreaks at packet borders) */
@@ -203,12 +265,19 @@ int vc_receive(void) {
203	static size_t buf_fill;	265	static size_t buf_fill;
204	char *endmsg;	266	char *endmsg;
205	size_t freebytes = sizeof(buf) - buf_fill;	267	size_t freebytes = sizeof(buf) - buf_fill;
206	ssize_t bytes;	268	ssize_t bytes = 0;
207		269
208	if (!getintoption(CF_USESSL))	270	if (!getintoption(CF_USESSL))
209	bytes = read(serverfd, buf + buf_fill, freebytes);	271	bytes = read(serverfd, buf + buf_fill, freebytes);
210	else	272	else
211	bytes = vc_tls_receivemessage(buf + buf_fill, freebytes);	273	#ifdef TLS_LIB_OPENSSL
		274	if (_engine == TLS_ENGINE_OPENSSL)
		275	bytes = vc_openssl_receivemessage(buf + buf_fill, freebytes);
		276	#endif
		277	#ifdef TLS_LIB_MBEDTLS
		278	if (_engine == TLS_ENGINE_MBEDTLS)
		279	bytes = vc_mbedtls_receivemessage(buf + buf_fill, freebytes);
		280	#endif
212		281
213	/* Our tls functions may require retries with handshakes etc, this is	282	/* Our tls functions may require retries with handshakes etc, this is
214	* signalled by -2 */	283	* signalled by -2 */
@@ -255,3 +324,22 @@ int vc_receive(void) {
255	}	324	}
256	return 0;	325	return 0;
257	}	326	}
		327
		328	const char *vchat_tls_version_external() {
		329	#ifdef TLS_LIB_OPENSSL
		330	char *openssl_version = vc_openssl_version();
		331	#else
		332	char *openssl_version = strdup("not installed");
		333	#endif
		334	#ifdef TLS_LIB_MBEDTLS
		335	char *mbedtls_version = vc_mbedtls_version();
		336	#else
		337	char *mbedtls_version = strdup("not installed");
		338	#endif
		339
		340	snprintf(tmpstr, TMPSTRSIZE, "Module plain v0.1\nModule openssl version: %s\nModule mbedtls version: %s", openssl_version, mbedtls_version);
		341
		342	free(openssl_version);
		343	free(mbedtls_version);
		344	return tmpstr;
		345	}