PERFORCE change 136762 for review
Christian S.J. Peron
csjp at FreeBSD.org
Mon Mar 3 18:57:25 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=136762
Change 136762 by csjp at ibm01 on 2008/03/03 18:56:52
Bring in some of the SSL work:
- Add "crypto keyfile" "crypto dsaparam" and "crypto cacert" to the
configuration parameters.
- Add the necessary elements to the structures to support SSL for
both client and server
- Hook crypto into the build
- Annotate why some structures exist and when you can expect to use
them.
- Define netaudit_connect() and modify netaudit_accept_socket() so
they are SSL aware.
NOTE: SSL is thought to be 'enabled' when any of the crypto variables
have been initialized.
Affected files ...
.. //depot/projects/trustedbsd/netauditd/Makefile#4 edit
.. //depot/projects/trustedbsd/netauditd/component.c#6 edit
.. //depot/projects/trustedbsd/netauditd/conf.c#6 edit
.. //depot/projects/trustedbsd/netauditd/crypto.c#5 edit
.. //depot/projects/trustedbsd/netauditd/netauditd.c#13 edit
.. //depot/projects/trustedbsd/netauditd/netauditd.conf#4 edit
.. //depot/projects/trustedbsd/netauditd/netauditd.h#10 edit
Differences ...
==== //depot/projects/trustedbsd/netauditd/Makefile#4 (text+ko) ====
@@ -1,7 +1,10 @@
PROG= netauditd
-SRCS= netauditd.c component.c conf.c
+SRCS= netauditd.c component.c conf.c crypto.c
NO_MAN=
+DPADD= ${LIBSSL}
+LDADD= -lssl
+
CFLAGS+= -Wall -ggdb
.include <bsd.prog.mk>
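Review bot: LDADD links libssl only, but the new crypto.c calls BIO_new_file() and PEM_read_bio_DHparams() (and includes <openssl/err.h>, presumably for ERR_* reporting), all of which live in libcrypto; unless the toolchain pulls libcrypto in transitively the link fails with undefined references. Use `DPADD= ${LIBSSL} ${LIBCRYPTO}` and `LDADD= -lssl -lcrypto` so the dependency is explicit on both lines.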
==== //depot/projects/trustedbsd/netauditd/component.c#6 (text+ko) ====
@@ -30,6 +30,8 @@
#include <sys/stat.h>
#include <sys/time.h>
+#include <openssl/ssl.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -43,6 +45,7 @@
#include <bsm/libbsm.h>
+#include "crypto.h"
#include "netauditd.h"
au_cmpnt_head_t au_srclist;
==== //depot/projects/trustedbsd/netauditd/conf.c#6 (text+ko) ====
@@ -30,6 +30,8 @@
#include <sys/stat.h>
#include <sys/time.h>
+#include <openssl/ssl.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -43,6 +45,7 @@
#include <bsm/libbsm.h>
+#include "crypto.h"
#include "netauditd.h"
#define SYNTAX_ERROR(x, y) { (void) fprintf(stderr, \
@@ -62,12 +65,22 @@
{ "dst", NULL, "trail", 5, conf_parse_dst_trail },
{ "dst", NULL, "net", 6, conf_parse_net },
{ "crypto", "keyfile", NULL, 3, conf_parse_keyfile },
+ { "crypto", "dsaparam", NULL, 3, conf_parse_keyfile },
+ { "crypto", "cacert", NULL, 3, conf_parse_keyfile },
{ NULL, NULL, NULL, 0, NULL }
};
int
conf_parse_keyfile(args_t *a)
{
+
+ if (strcmp(a->args[1], "keyfile") == 0)
+ crypto_keyfile = a->args[2];
+ if (strcmp(a->args[1], "dsaparam") == 0)
+ crypto_dsaparam = a->args[2];
+ if (strcmp(a->args[1], "cacert") == 0)
+ crypto_cacert = a->args[2];
+ crypto_enabled = 1;
return (0);
}
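Review bot: conf_parse_keyfile() sets crypto_enabled on any single `crypto` line, yet crypto_init_context() reads crypto_keyfile, crypto_cacert and (for servers) crypto_dsaparam unconditionally, so a configuration naming only one of them passes parsing and hands a NULL filename to OpenSSL at the first connection. Either validate once parsing is complete, e.g. `if (crypto_enabled && (crypto_keyfile == NULL || crypto_cacert == NULL))` reported through SYNTAX_ERROR, or check the pointers at the top of crypto_init_context(); the three `if`s should also be an `else if` chain since only one can match. The handler keeps `a->args[2]` by pointer instead of copying it, which is only safe if the args_t strings outlive the parse — the hunk does not show that. Since one handler now serves three keywords, a name such as conf_parse_crypto() would describe it better. The table whose entries are added at the top of the hunk begins outside it.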
==== //depot/projects/trustedbsd/netauditd/crypto.c#5 (text+ko) ====
@@ -27,10 +27,17 @@
#include <assert.h>
#include <openssl/ssl.h>
+#include <openssl/err.h>
#include "crypto.h"
+#if 0
static char *crypto_pass;
+#endif
+char *crypto_keyfile;
+char *crypto_dsaparam;
+char *crypto_cacert;
+int crypto_enabled;
static int
crypto_fatal(struct crypto_context *ct, const char *string)
@@ -42,6 +49,7 @@
exit(1);
}
+#if 0
static int
crypto_password_cb(char *buf, int num, int rwflag, void *userdata)
{
@@ -52,7 +60,8 @@
return(0);
(void) strcpy(buf, crypto_pass);
return (slen);
-}
+}
+#endif
int
crypto_init_context(struct crypto_context *ct, int ctx_type)
@@ -71,27 +80,35 @@
}
meth = SSLv23_method();
ct->c_ctx = SSL_CTX_new(meth);
- if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, "server.pem"))
- crypto_fatal(ct, "Can't read certificate file");
/*
- * XXX we will revisit this. Just want to get things working.
+ * Open up the SSL certificate for this host. This information is
+ * specified in the configuration file using the following line:
+ *
+ * crypto keyfile <filename>
+ *
+ * In order to ensure that the service can come up on bootup without
+ * requiring password input from a user, use non-encrypted keyfiles.
*/
- crypto_pass = "SeCrET KeY";
- SSL_CTX_set_default_passwd_cb(ct->c_ctx, crypto_password_cb);
- if (!SSL_CTX_use_PrivateKey_file(ct->c_ctx, "server.pem", SSL_FILETYPE_PEM))
- crypto_fatal(ct, "Can't read key file");
+ if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, crypto_keyfile))
+ crypto_fatal(ct, "Can't read certificate file");
/*
- * Load trusted certificate authorities from key.pem
+ * Supply the certificate authorities (CA) x509 cert. This is
+ * supplied in the configuration file using the following line:
+ *
+ * crypto cacert <filename>
*/
- if (!SSL_CTX_load_verify_locations(ct->c_ctx, "key.pem", 0))
+ if (!SSL_CTX_load_verify_locations(ct->c_ctx, crypto_cacert, 0))
crypto_fatal(ct, "Can't read CA list");
- if ((bio = BIO_new_file("DHFILE", "r")) == NULL)
- crypto_fatal(ct, "Couldn't open DH file");
/*
* If we are initializing this crypto context for serving SSL clients,
- * make sure we initialize our Diffie Hellman parameters.
+ * make sure we initialize our Diffie Hellman parameters. DH params
+ * are specified in the configuration file using the following line:
+ *
+ * crypto dsaparam <filename>
*/
if (ctx_type == CRYPTO_CTX_SERVER) {
+ if ((bio = BIO_new_file(crypto_dsaparam, "r")) == NULL)
+ crypto_fatal(ct, "Couldn't open DH file");
ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (SSL_CTX_set_tmp_dh(ct->c_ctx, ret) < 0)
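Review bot: The private key is no longer loaded into the context: the removed SSL_CTX_use_PrivateKey_file() call has no replacement, and SSL_CTX_use_certificate_chain_file() on the new side reads certificates only, so a server context built here cannot complete a handshake. Add `if (!SSL_CTX_use_PrivateKey_file(ct->c_ctx, crypto_keyfile, SSL_FILETYPE_PEM)) crypto_fatal(ct, "Can't read key file");` after the chain-file call, followed by SSL_CTX_check_private_key(), which also delivers what the new comment promises — an unencrypted key file is all that is needed at boot (and that file then deserves owner-only permissions). The DH branch needs the same care: PEM_read_bio_DHparams() may return NULL, SSL_CTX_set_tmp_dh() reports failure as 0 rather than a negative value so the `< 0` test never fires, and the DH object is never freed after the context copies it. The function also loads a CA list but the hunk shows no SSL_CTX_set_verify() call; if verification is not enabled elsewhere the CA file is read but never used, and SSLv23_method() without SSL_OP_NO_SSLv2 still permits SSLv2. crypto_init_context() continues past the end of the hunk.
```c
	if (!SSL_CTX_use_certificate_chain_file(ct->c_ctx, crypto_keyfile))
		crypto_fatal(ct, "Can't read certificate file");
	/* the chain file supplies certificates only; the key must be loaded separately */
	if (!SSL_CTX_use_PrivateKey_file(ct->c_ctx, crypto_keyfile, SSL_FILETYPE_PEM))
		crypto_fatal(ct, "Can't read key file");
	if (!SSL_CTX_check_private_key(ct->c_ctx))
		crypto_fatal(ct, "Private key does not match certificate");
	/* … unchanged: CA list loading … */
	if (ctx_type == CRYPTO_CTX_SERVER) {
		if ((bio = BIO_new_file(crypto_dsaparam, "r")) == NULL)
			crypto_fatal(ct, "Couldn't open DH file");
		ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
		BIO_free(bio);
		if (ret == NULL)
			crypto_fatal(ct, "Couldn't read DH parameters");
		/* SSL_CTX_set_tmp_dh() returns 1 on success and 0 on failure */
		if (SSL_CTX_set_tmp_dh(ct->c_ctx, ret) != 1)
			crypto_fatal(ct, "Couldn't set DH parameters");
		DH_free(ret);	/* the context keeps its own copy */
```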
@@ -107,14 +124,19 @@
SSL_CTX_free(ct->c_ctx);
}
+#if 0
int
main(int argc, char *argv[])
{
struct crypto_context ct;
int error;
+ crypto_keyfile = "server.pem";
+ crypto_params = "dsaparam.pem";
+ crypto_cacert = "cacert.pem";
error = crypto_init_context(&ct, CRYPTO_CTX_SERVER);
if (error)
err(1, "crypto_init_context failed");
return (0);
}
+#endif
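Review bot: The disabled test driver assigns `crypto_params`, a name that does not exist; the variable declared in this file is crypto_dsaparam, so the block will not compile if the `#if 0` is ever removed. Change it to `crypto_dsaparam = "dsaparam.pem";`, and note that it also relies on err(3), whose header is not visible in this hunk. If the driver is not meant to come back, deleting it is cleaner than parking it under `#if 0`.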
==== //depot/projects/trustedbsd/netauditd/netauditd.c#13 (text+ko) ====
@@ -35,7 +35,9 @@
#include <bsm/audit.h>
#include <bsm/libbsm.h>
#include <security/audit/audit_ioctl.h>
+#include <openssl/ssl.h>
+#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -47,6 +49,7 @@
#include <netdb.h>
#include <signal.h>
+#include "crypto.h"
#include "netauditd.h"
#define FLAG_DEBUG 1
@@ -228,6 +231,28 @@
}
}
+int
+netaudit_connect(struct au_cmpnt *au)
+{
+ int error;
+
+ error = connect(au->ac_fd, au->ac_ainfo->ai_addr,
+ au->ac_ainfo->ai_addrlen);
+ if (error < 0)
+ return (-1);
+ if (crypto_enabled == 0)
+ return (error);
+ assert(au->ac_crypto_init == 0);
+ (void) crypto_init_context(&au->ac_cct, CRTYPO_CTX_CLIENT);
+ au->ac_ssl = SSL_new(au->ac_cct.c_ctx);
+ au->ac_sbio = BIO_new_socket(au->ac_fd, BIO_NOCLOSE);
+ SSL_set_bio(au->ac_ssl, au->ac_sbio, au->ac_sbio);
+ error = SSL_connect(au->ac_ssl);
+ /* XXX need to do better error checking here */
+ au->ac_crypto_init = 1;
+ return (error == 1 ? 0 : -1);
+}
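Review bot: `CRTYPO_CTX_CLIENT` on the crypto_init_context() line is misspelled — crypto.c and the server path in this file use the CRYPTO_CTX_ prefix — so the file will not compile unless crypto.h happens to define that spelling too. Beyond the typo, the function sets `ac_crypto_init = 1` and keeps the SSL object even when SSL_connect() fails, while the caller closes the descriptor and retries later; the next attempt then trips `assert(au->ac_crypto_init == 0)` and leaks the previous SSL. SSL_new() and BIO_new_socket() can return NULL and are unchecked, and nothing examines the peer certificate after the handshake although crypto_init_context() loads a CA list. The rewrite below initialises the context once, checks each step, frees the session on failure and rejects a peer whose certificate did not verify.
```c
	/* … unchanged: connect(2) and the crypto_enabled == 0 early return … */
	if (au->ac_crypto_init == 0) {
		if (crypto_init_context(&au->ac_cct, CRYPTO_CTX_CLIENT) != 0)
			return (-1);
		au->ac_crypto_init = 1;
	}
	au->ac_ssl = SSL_new(au->ac_cct.c_ctx);
	if (au->ac_ssl == NULL)
		return (-1);
	au->ac_sbio = BIO_new_socket(au->ac_fd, BIO_NOCLOSE);
	if (au->ac_sbio == NULL)
		goto fail;
	SSL_set_bio(au->ac_ssl, au->ac_sbio, au->ac_sbio);
	if (SSL_connect(au->ac_ssl) != 1)
		goto fail;
	/* the CA list from "crypto cacert" only protects us if the result is checked */
	if (SSL_get_verify_result(au->ac_ssl) != X509_V_OK)
		goto fail;
	return (0);
fail:
	SSL_free(au->ac_ssl);	/* also frees ac_sbio once SSL_set_bio() has run */
	au->ac_ssl = NULL;
	au->ac_sbio = NULL;
	return (-1);
```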
+
void
netaudit_establish(void)
{
@@ -253,8 +278,7 @@
au->ac_ainfo->ai_protocol);
if (au->ac_fd == -1)
continue;
- if (connect(au->ac_fd, au->ac_ainfo->ai_addr,
- au->ac_ainfo->ai_addrlen) == -1) {
+ if (netaudit_connect(au) == -1) {
warn("connect");
close(au->ac_fd);
continue;
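Review bot: `warn("connect")` now also reports SSL handshake failures from netaudit_connect(), but those do not set errno, so the message will carry a stale or unrelated system error. When crypto_enabled is set, print the OpenSSL error queue instead, e.g. `ERR_print_errors_fp(stderr);` (from <openssl/err.h>) followed by `warnx("connect");`. netaudit_establish() starts outside the hunk.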
@@ -368,6 +392,7 @@
netaudit_socket_accept(struct au_cmpnt *au)
{
struct au_srcbuffer *new;
+ int error;
new = malloc(sizeof(struct au_srcbuffer));
if (new == NULL)
@@ -387,6 +412,17 @@
exit(2);
}
new->sb_parent = au;
+ if (crypto_enabled == 0) {
+ TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue);
+ return;
+ }
+ if (au->ac_crypto_init == 0)
+ (void) crypto_init_context(&au->ac_cct, CRYPTO_CTX_SERVER);
+ au->ac_crypto_init = 1;
+ new->sb_sbio = BIO_new_socket(new->sb_fd, BIO_NOCLOSE);
+ new->sb_ssl = SSL_new(au->ac_cct.c_ctx);
+ SSL_set_bio(new->sb_ssl, new->sb_sbio, new->sb_sbio);
+ error = SSL_accept(new->sb_ssl);
TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue);
}
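Review bot: The result of SSL_accept() is stored in `error` but never examined, so a peer whose handshake fails, or that never attempts one, is still queued on ac_sbufq as if it were an established SSL session, and the compiler will likely warn that `error` is set but unused. SSL_new() and BIO_new_socket() may return NULL and are not checked either, and nothing requires or verifies a client certificate even though a CA file is configured; if an audit receiver is meant to accept unauthenticated senders that deserves a comment. The rewrite below drops the peer when any step fails; if members of `new` are allocated in the lines between the hunks, release those on the failure path too. netaudit_socket_accept() starts outside the hunk.
```c
	new->sb_parent = au;
	/* … unchanged: crypto_enabled == 0 early insert, one-time context initialisation … */
	new->sb_sbio = BIO_new_socket(new->sb_fd, BIO_NOCLOSE);
	new->sb_ssl = SSL_new(au->ac_cct.c_ctx);
	if (new->sb_sbio == NULL || new->sb_ssl == NULL)
		goto fail;
	SSL_set_bio(new->sb_ssl, new->sb_sbio, new->sb_sbio);
	error = SSL_accept(new->sb_ssl);
	if (error != 1)
		goto fail;	/* handshake failed: do not queue a half-open peer */
	TAILQ_INSERT_TAIL(&au->ac_sbufq, new, sb_glue);
	return;
fail:
	if (new->sb_ssl != NULL)
		SSL_free(new->sb_ssl);	/* frees sb_sbio once SSL_set_bio() has run */
	else
		BIO_free(new->sb_sbio);
	close(new->sb_fd);
	free(new);
```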
==== //depot/projects/trustedbsd/netauditd/netauditd.conf#4 (text+ko) ====
@@ -1,5 +1,12 @@
# netauditd configuration file
+#
+# For the use of SSL un-comment and define the following variables:
+#
+# crypto keyfile server.pem
+# crypto cacert cacert.pem
+# crypto dsaparam dsaparam.pem
+
src src0 pipe /dev/auditpipe
src src1 net 0.0.0.0 9999
==== //depot/projects/trustedbsd/netauditd/netauditd.h#10 (text+ko) ====
@@ -45,6 +45,11 @@
TAILQ_ENTRY(au_queue_ent) aq_glue;
};
+/*
+ * This object exists for accepted connections. For each new file descriptor
+ * returned by accept(2), a au_srcbuffer will be allocated and initialized to
+ * track I/O for each connected remote peer.
+ */
struct au_srcbuffer {
struct au_cmpnt *sb_parent;
struct sockaddr *sb_sockaddr;
@@ -55,20 +60,35 @@
u_char sb_buf[2048];
u_char sb_header[5];
TAILQ_ENTRY(au_srcbuffer) sb_glue;
+ BIO *sb_sbio;
+ SSL *sb_ssl;
};
+/*
+ * Component objects exist for each source and destination components. In the
+ * case we are network socket (opposed to a regular file or pipe) we have
+ * SSL parameters. These parameters are inherited by au_srcbuffer objects for
+ * each connected peer for a component.
+ */
struct au_cmpnt {
char *ac_name;
int ac_type;
int ac_fd;
int ac_established;
char *ac_path;
- struct addrinfo *ac_ainfo;
struct au_cmpnt **ac_consumers;
unsigned int ac_nconsumers;
TAILQ_HEAD(ac_oq, au_queue_ent) ac_oq;
TAILQ_HEAD(ac_sbufq, au_srcbuffer) ac_sbufq;
TAILQ_ENTRY(au_cmpnt) ac_glue;
+ /*
+ * In case we are a network socket
+ */
+ struct addrinfo *ac_ainfo;
+ SSL *ac_ssl;
+ BIO *ac_sbio;
+ struct crypto_context ac_cct;
+ int ac_crypto_init;
};
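Review bot: netauditd.h now embeds `struct crypto_context ac_cct` and `SSL *`/`BIO *` members but does not include <openssl/ssl.h> or "crypto.h" itself, which is why every translation unit in this change had to gain those includes ahead of "netauditd.h"; the header should carry its own dependencies (`#include <openssl/ssl.h>` and `#include "crypto.h"` near its top) so that include order stops mattering. The comment above struct au_cmpnt could also state the contract the new netauditd.c code appears to rely on: ac_crypto_init guards a one-time crypto_init_context() call, and ac_ssl/ac_sbio are used only for the component's own outbound session while each accepted peer carries its own sb_ssl/sb_sbio in au_srcbuffer.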
typedef struct _args_t {
@@ -81,6 +101,10 @@
extern au_cmpnt_head_t au_dstlist;
extern char *conf_path;
+extern char *crypto_keyfile;
+extern char *crypto_dsaparam;
+extern char *crypto_cacert;
+extern int crypto_enabled;
int component_clear_oq(struct au_cmpnt *);
void component_destroy(struct au_cmpnt *);