PERFORCE change 136762 for review

Christian S.J. Peron csjp at FreeBSD.org
Mon Mar 3 18:57:25 UTC 2008


http://perforce.freebsd.org/chv.cgi?CH=136762

Change 136762 by csjp at ibm01 on 2008/03/03 18:56:52

	Bring in some of the SSL work:
	
	- Add "crypto keyfile" "crypto dsaparam" and "crypto cacert" to the
	  configuration parameters.
	- Add the necessary elements to the structures to support SSL for
	  both client and server
	- Hook crypto into the build
	- Annotate why some structures exist and when you can expect to use
	  them.
	- Define netaudit_connect() and modify netaudit_accept_socket() so
	  They are SSL aware.
	
	NOTE: SSL is thought to be 'enabled' when any of the crypto variables
	have been initialized.

Affected files ...

.. //depot/projects/trustedbsd/netauditd/Makefile#4 edit
.. //depot/projects/trustedbsd/netauditd/component.c#6 edit
.. //depot/projects/trustedbsd/netauditd/conf.c#6 edit
.. //depot/projects/trustedbsd/netauditd/crypto.c#5 edit
.. //depot/projects/trustedbsd/netauditd/netauditd.c#13 edit
.. //depot/projects/trustedbsd/netauditd/netauditd.conf#4 edit
.. //depot/projects/trustedbsd/netauditd/netauditd.h#10 edit

Differences ...

==== //depot/projects/trustedbsd/netauditd/Makefile#4 (text+ko) ====

@@ -1,7 +1,10 @@
 PROG=	netauditd
-SRCS=	netauditd.c component.c conf.c
+SRCS=	netauditd.c component.c conf.c crypto.c
 NO_MAN=
 
+DPADD=	${LIBSSL}
+LDADD=  -lssl
+
 CFLAGS+= -Wall -ggdb
 
 .include <bsd.prog.mk>

==== //depot/projects/trustedbsd/netauditd/component.c#6 (text+ko) ====

@@ -30,6 +30,8 @@
 #include <sys/stat.h>
 #include <sys/time.h>
 
+#include <openssl/ssl.h>
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -43,6 +45,7 @@
 
 #include <bsm/libbsm.h>
 
+#include "crypto.h"
 #include "netauditd.h"
 
 au_cmpnt_head_t	au_srclist;

==== //depot/projects/trustedbsd/netauditd/conf.c#6 (text+ko) ====

@@ -30,6 +30,8 @@
 #include <sys/stat.h>
 #include <sys/time.h>
 
+#include <openssl/ssl.h>
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -43,6 +45,7 @@
 
 #include <bsm/libbsm.h>
 
+#include "crypto.h"
 #include "netauditd.h"
 
 #define SYNTAX_ERROR(x, y)	{ (void) fprintf(stderr, \
@@ -62,12 +65,22 @@
 	{ "dst", NULL, "trail", 5, conf_parse_dst_trail },
 	{ "dst", NULL, "net", 6, conf_parse_net },
 	{ "crypto", "keyfile", NULL, 3, conf_parse_keyfile },
+	{ "crypto", "dsaparam", NULL, 3, conf_parse_keyfile },
+	{ "crypto", "cacert", NULL, 3, conf_parse_keyfile },
 	{ NULL, NULL, NULL, 0, NULL }
 };
 
 int
 conf_parse_keyfile(args_t *a)
 {
+
+	if (strcmp(a->args[1], "keyfile") == 0)
+		crypto_keyfile = a->args[2];
+	if (strcmp(a->args[1], "dsaparam") == 0)
+		crypto_dsaparam = a->args[2];
+	if (strcmp(a->args[1], "cacert") == 0)
+		crypto_cacert = a->args[2];
+	crypto_enabled = 1;
 	return (0);
 }
 

==== //depot/projects/trustedbsd/netauditd/crypto.c#5 (text+ko) ====

@@ -27,10 +27,17 @@
 #include <assert.h>
 
 #include <openssl/ssl.h>
+#include <openssl/err.h>
 
 #include "crypto.h"
 
+#if 0
 static char	*crypto_pass;
+#endif
+char		*crypto_keyfile;
+char		*crypto_dsaparam;
+char		*crypto_cacert;
+int		crypto_enabled;
 
 static int
 crypto_fatal(struct crypto_context *ct, const char *string)
@@ -42,6 +49,7 @@
 	exit(1);
 }
 
+#if 0
 static int
 crypto_password_cb(char *buf, int num, int rwflag, void *userdata)
 {
@@ -52,7 +60,8 @@
 		return(0);
 	(void) strcpy(buf, crypto_pass);
 	return (slen);
-}   
+}
+#endif
 
 int
 crypto_init_context(struct crypto_context *ct, int ctx_type)
@@ -71,27 +80,35 @@
 	}
 	meth = SSLv23_method();
 	ct->c_ctx = SSL_CTX_new(meth);
-	if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, "server.pem"))
-		crypto_fatal(ct, "Can't read certificate file");
 	/*
-	 * XXX we will revisit this.  Just want to get things working.
+	 * Open up the SSL certificate for this host.  This information is
+	 * specified in the configuration file using the following line:
+	 *
+	 * crypto keyfile <filename>
+	 *
+	 * In order to ensure that the service can come up on bootup without
+	 * requiring password input from a user, use non-encrypted keyfiles.
 	 */
-	crypto_pass = "SeCrET KeY";
-	SSL_CTX_set_default_passwd_cb(ct->c_ctx, crypto_password_cb);
-	if (!SSL_CTX_use_PrivateKey_file(ct->c_ctx, "server.pem", SSL_FILETYPE_PEM))
-		crypto_fatal(ct, "Can't read key file");
+	if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, crypto_keyfile))
+		crypto_fatal(ct, "Can't read certificate file");
 	/*
-	 * Load trusted certificate authorities from key.pem
+	 * Supply the certificate authorities (CA) x509 cert.  This is
+	 * supplied in the configuration file using the following line:
+	 *
+	 * crypto cacert <filename>
 	 */
-	if (!SSL_CTX_load_verify_locations(ct->c_ctx, "key.pem", 0))
+	if (!SSL_CTX_load_verify_locations(ct->c_ctx, crypto_cacert, 0))
 		crypto_fatal(ct, "Can't read CA list");
-	if ((bio = BIO_new_file("DHFILE", "r")) == NULL)
-		crypto_fatal(ct, "Couldn't open DH file");
 	/*
 	 * If we are initializing this crypto context for serving SSL clients,
-	 * make sure we initialize our Diffie Hellman parameters.
+	 * make sure we initialize our Diffie Hellman parameters.  DH params
+	 * are specified in the configuration file using the following line:
+	 *
+	 * crypto dsaparam <filename>
 	 */
 	if (ctx_type == CRYPTO_CTX_SERVER) {
+		if ((bio = BIO_new_file(crypto_dsaparam, "r")) == NULL)
+			crypto_fatal(ct, "Couldn't open DH file");
 		ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 		BIO_free(bio); 
 		if (SSL_CTX_set_tmp_dh(ct->c_ctx, ret) < 0)
@@ -107,14 +124,19 @@
 	SSL_CTX_free(ct->c_ctx);
 }
 
+#if 0
 int
 main(int argc, char *argv[])
 {
 	struct crypto_context ct;
 	int error;
 
+	crypto_keyfile = "server.pem";
+	crypto_params = "dsaparam.pem";
+	crypto_cacert = "cacert.pem";
 	error = crypto_init_context(&ct, CRYPTO_CTX_SERVER);
 	if (error)
 		err(1, "crypto_init_context failed");
 	return (0);
 }
+#endif

==== //depot/projects/trustedbsd/netauditd/netauditd.c#13 (text+ko) ====

@@ -35,7 +35,9 @@
 #include <bsm/audit.h>
 #include <bsm/libbsm.h>
 #include <security/audit/audit_ioctl.h>
+#include <openssl/ssl.h>
 
+#include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -47,6 +49,7 @@
 #include <netdb.h>
 #include <signal.h>
 
+#include "crypto.h"
 #include "netauditd.h"
 
 #define		FLAG_DEBUG	1
@@ -228,6 +231,28 @@
 	}
 }
 
+int
+netaudit_connect(struct au_cmpnt *au)
+{
+	int error;
+
+	error = connect(au->ac_fd, au->ac_ainfo->ai_addr,
+	    au->ac_ainfo->ai_addrlen);
+	if (error < 0)
+		return (-1);
+	if (crypto_enabled == 0)
+		return (error);
+	assert(au->ac_crypto_init == 0);
+	(void) crypto_init_context(&au->ac_cct, CRTYPO_CTX_CLIENT);
+	au->ac_ssl = SSL_new(au->ac_cct.c_ctx);
+	au->ac_sbio = BIO_new_socket(au->ac_fd, BIO_NOCLOSE);
+	SSL_set_bio(au->ac_ssl, au->ac_sbio, au->ac_sbio);
+	error = SSL_connect(au->ac_ssl);
+	/* XXX need to do better error checking here */
+	au->ac_crypto_init = 1;
+	return (error == 1 ? 0 : -1);
+}
+
 void
 netaudit_establish(void)
 {
@@ -253,8 +278,7 @@
 			    au->ac_ainfo->ai_protocol);
 			if (au->ac_fd == -1)
 				continue;
-			if (connect(au->ac_fd, au->ac_ainfo->ai_addr,
-			    au->ac_ainfo->ai_addrlen) == -1) {
+			if (netaudit_connect(au) == -1) {
 				warn("connect");
 				close(au->ac_fd);
 				continue;
@@ -368,6 +392,7 @@
 netaudit_socket_accept(struct au_cmpnt *au)
 {
 	struct au_srcbuffer *new;
+	int error;
 
 	new = malloc(sizeof(struct au_srcbuffer));
 	if (new == NULL)
@@ -387,6 +412,17 @@
 			exit(2);
 	}
 	new->sb_parent = au;
+	if (crypto_enabled == 0) {
+		TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue);
+		return;
+	}
+	if (au->ac_crypto_init == 0)
+		(void) crypto_init_context(&au->ac_cct, CRYPTO_CTX_SERVER);
+	au->ac_crypto_init = 1;
+	new->sb_sbio = BIO_new_socket(new->sb_fd, BIO_NOCLOSE);
+	new->sb_ssl = SSL_new(au->ac_cct.c_ctx);
+	SSL_set_bio(new->sb_ssl, new->sb_sbio, new->sb_sbio);
+	error = SSL_accept(new->sb_ssl);
 	TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue);
 }
 

==== //depot/projects/trustedbsd/netauditd/netauditd.conf#4 (text+ko) ====

@@ -1,5 +1,12 @@
 # netauditd configuration file
 
+#
+# For the use of SSL un-comment and define the following variables:
+#
+# crypto keyfile server.pem
+# crypto cacert cacert.pem
+# crypto dsaparam dsaparam.pem
+
 src src0 pipe /dev/auditpipe
 src src1 net 0.0.0.0 9999
 

==== //depot/projects/trustedbsd/netauditd/netauditd.h#10 (text+ko) ====

@@ -45,6 +45,11 @@
 	TAILQ_ENTRY(au_queue_ent)	aq_glue;
 };
 
+/*
+ * This object exists for accepted connections.  For each new file descriptor
+ * returned by accept(2), a au_srcbuffer will be allocated and initialized to
+ * track I/O for each connected remote peer.
+ */
 struct au_srcbuffer {
 	struct au_cmpnt			*sb_parent;
 	struct sockaddr			*sb_sockaddr;
@@ -55,20 +60,35 @@
 	u_char				sb_buf[2048];
 	u_char				sb_header[5];
 	TAILQ_ENTRY(au_srcbuffer)	sb_glue;
+	BIO				*sb_sbio;
+	SSL				*sb_ssl;
 };
 
+/*
+ * Component objects exist for each source and destination components.  In the
+ * case we are network socket (opposed to a regular file or pipe) we have
+ * SSL parameters.  These parameters are inherited by au_srcbuffer objects for
+ * each connected peer for a component.
+ */
 struct au_cmpnt {
 	char					*ac_name;
 	int					ac_type;
 	int					ac_fd;
 	int					ac_established;
 	char					*ac_path;
-	struct addrinfo				*ac_ainfo;
 	struct au_cmpnt				**ac_consumers;
 	unsigned int				ac_nconsumers;
 	TAILQ_HEAD(ac_oq, au_queue_ent)		ac_oq;
 	TAILQ_HEAD(ac_sbufq, au_srcbuffer)	ac_sbufq;
 	TAILQ_ENTRY(au_cmpnt)        		ac_glue;
+	/*
+	 * In case we are a network socket
+	 */
+	struct addrinfo				*ac_ainfo;
+	SSL					*ac_ssl;
+	BIO					*ac_sbio;
+	struct crypto_context			ac_cct;
+	int					 ac_crypto_init;
 };
 
 typedef struct _args_t {
@@ -81,6 +101,10 @@
 extern au_cmpnt_head_t au_dstlist;
 
 extern char	*conf_path;
+extern char	*crypto_keyfile;
+extern char	*crypto_dsaparam;
+extern char	*crypto_cacert;
+extern int	crypto_enabled;
 
 int		component_clear_oq(struct au_cmpnt *);
 void		component_destroy(struct au_cmpnt *);


More information about the p4-projects mailing list