X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2FrecordHandler.cpp;h=99428727bab890afcdb845ea887148d2ac14045c;hb=e7506fcdc92fa243a65a2f1efe9f3c5af2fac6b8;hp=b1c5ac4280b083158fcefb49581ff16c73803c49;hpb=2e64f805b7d03578897b4d8d2a3d3f270b6288c2;p=cassiopeia.git
diff --git a/src/recordHandler.cpp b/src/recordHandler.cpp
index b1c5ac4..9942872 100644
--- a/src/recordHandler.cpp
+++ b/src/recordHandler.cpp
@@ -14,6 +14,7 @@
 #include "database.h"
 #include "record.h"
 #include "opensslBIO.h"
+#include "remoteSigner.h"
 #include "simpleOpensslSigner.h"
 #include "slipBio.h"
@@ -27,16 +28,41 @@ int gencb( int a, int b, BN_GENCB* g ) { return 1; } +static int verify_callback( int preverify_ok, X509_STORE_CTX* ctx ) { + if( !preverify_ok ) { + std::cout << "Verification failed: " << preverify_ok << " because " << X509_STORE_CTX_get_error( ctx ) << std::endl; + } + + return preverify_ok; +} + static std::shared_ptr dh_param; std::shared_ptr generateSSLContext( bool server ) { - std::shared_ptr ctx = std::shared_ptr( SSL_CTX_new( TLSv1_2_method() ), SSL_CTX_free ); + std::shared_ptr ctx = std::shared_ptr( + SSL_CTX_new( TLSv1_2_method() ), + []( SSL_CTX * p ) { + SSL_CTX_free( p ); + } ); if( !SSL_CTX_set_cipher_list( ctx.get(), "HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:-RSA+AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128" ) ) { throw "Cannot set cipher list. Your source is broken."; } + SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback ); + SSL_CTX_use_certificate_file( ctx.get(), server ? "keys/signer_server.crt" : "keys/signer_client.crt", SSL_FILETYPE_PEM ); + SSL_CTX_use_PrivateKey_file( ctx.get(), server ? "keys/signer_server.key" : "keys/signer_client.key", SSL_FILETYPE_PEM ); + SSL_CTX_load_verify_locations( ctx.get(), "keys/env.crt", 0 ); + if( server ) { + STACK_OF( X509_NAME ) *names = SSL_load_client_CA_file( "keys/env.crt" ); + + if( names ) { + SSL_CTX_set_client_CA_list( ctx.get(), names ); + } else { + // error + } + if( !dh_param ) { FILE* paramfile = fopen( "dh_param.pem", "r" ); 
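Review bot: The return values of `SSL_CTX_use_certificate_file`, `SSL_CTX_use_PrivateKey_file` and `SSL_CTX_load_verify_locations` are discarded, so a missing or unreadable file under `keys/` leaves the context without a certificate or trust anchors and the problem only surfaces later as an opaque handshake failure; the cipher-list call a few lines earlier already throws on failure, and these should do the same, with `SSL_CTX_check_private_key` confirming that certificate and key match. The empty `// error` branch under `if( server )` likewise swallows a failed `SSL_load_client_CA_file`, so the server would demand client certificates without advertising any acceptable CA. In verify_callback, `X509_verify_cert_error_string( X509_STORE_CTX_get_error( ctx ) )` would make the logged reason readable instead of a bare number. The `keys/...` paths are resolved against the working directory, which deserves a comment where they are used. generateSSLContext's body continues outside the hunk.
```cpp
    SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback );

    // Paths are relative to the working directory; fail loudly like the cipher-list check above.
    if( !SSL_CTX_use_certificate_file( ctx.get(), server ? "keys/signer_server.crt" : "keys/signer_client.crt", SSL_FILETYPE_PEM )
            || !SSL_CTX_use_PrivateKey_file( ctx.get(), server ? "keys/signer_server.key" : "keys/signer_client.key", SSL_FILETYPE_PEM )
            || !SSL_CTX_check_private_key( ctx.get() )
            || !SSL_CTX_load_verify_locations( ctx.get(), "keys/env.crt", nullptr ) ) {
        throw "Cannot load signer certificate, private key or trust anchors.";
    }

    if( server ) {
        STACK_OF( X509_NAME ) *names = SSL_load_client_CA_file( "keys/env.crt" );

        if( !names ) {
            throw "Cannot load client CA list.";
        }

        SSL_CTX_set_client_CA_list( ctx.get(), names );
        // … unchanged: DH parameter loading ( if( !dh_param ) … ) …
```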
@@ -87,16 +113,18 @@ public:
 DefaultRecordHandler* parent;
 std::shared_ptr signer;
- RecordHandlerSession( DefaultRecordHandler* parent, std::shared_ptr signer, std::shared_ptr ctx, BIO* output ) :
+ RecordHandlerSession( DefaultRecordHandler* parent, std::shared_ptr signer, std::shared_ptr ctx, std::shared_ptr output ) :
 tbs( new TBSCertificate() ) {
 this->parent = parent;
 this->signer = signer;
 ssl = SSL_new( ctx.get() );
- BIO* bio = BIO_new( BIO_f_ssl() );
+ std::shared_ptr bio( BIO_new( BIO_f_ssl() ), [output]( BIO * p ) {
+ BIO_free( p );
+ } );
 SSL_set_accept_state( ssl );
- SSL_set_bio( ssl, output, output );
- BIO_set_ssl( bio, ssl, BIO_NOCLOSE );
+ SSL_set_bio( ssl, output.get(), output.get() );
+ BIO_set_ssl( bio.get(), ssl, BIO_NOCLOSE );
 io = std::shared_ptr( new OpensslBIOWrapper( bio ) );
 }
@@ -110,8 +138,11 @@ public:
 }
 void work() {
+ std::cout << "done" << std::endl;
 std::vector buffer( 2048, 0 );
+ std::cout << "reading" << std::endl;
 int res = io->read( buffer.data(), buffer.capacity() );
+ std::cout << "read" << std::endl;
 if( res <= 0 ) {
 parent->reset();
@@ -144,7 +175,7 @@ public:
 break;
 case RecordHeader::SignerCommand::SET_SIGNATURE_TYPE:
- tbs->md = "sha256"; // TODO use content ;-)
+ tbs->md = data;
 break;
 case RecordHeader::SignerCommand::SET_PROFILE:
@@ -202,16 +233,13 @@ public:
 }
 };
-DefaultRecordHandler::DefaultRecordHandler( std::shared_ptr signer, BIO* bio ) :
+DefaultRecordHandler::DefaultRecordHandler( std::shared_ptr signer, std::shared_ptr bio ) :
 currentSession() {
 this->signer = signer;
 ctx = generateSSLContext( true );
- SSL_CTX_use_certificate_file( ctx.get(), "testdata/server.crt", SSL_FILETYPE_PEM );
- SSL_CTX_use_PrivateKey_file( ctx.get(), "testdata/server.key", SSL_FILETYPE_PEM );
-
 this->bio = bio;
 }
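Review bot: `SSL_set_bio( ssl, output.get(), output.get() )` transfers ownership of the `output` BIO to the SSL object, which SSL_free will release, while `output` is also held by a shared_ptr whose deleter calls BIO_free (that is how handlermain builds the `bio` it passes to DefaultRecordHandler), so the BIO ends up freed twice once both owners go away; capturing `output` in the deleter of `bio` only postpones that. Either give the SSL object its own reference to the BIO before `SSL_set_bio`, or keep the shared_ptr non-owning for this BIO. `ssl` is still a raw `SSL*` from `SSL_new`, and `BIO_set_ssl( bio.get(), ssl, BIO_NOCLOSE )` means freeing `bio` will not release it, so it leaks unless a destructor outside the hunk calls SSL_free. RecordHandlerSession's class body starts and ends outside the hunk.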
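Review bot: The three `std::cout << "done" / "reading" / "read"` lines added to work() are debug traces on the server's request path and should be removed or sent to a proper log stream before this ships. If the process is started with the same channel on fd 0 and fd 1 (the inetd-style setup that `BIO_new_fd( 0, 0 )` in handlermain suggests), anything written to stdout lands in front of the peer and corrupts the record stream. While touching these lines, `io->read( buffer.data(), buffer.capacity() )` should pass `buffer.size()`, since capacity may exceed the number of constructed elements. work()'s body continues outside the hunk.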
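Review bot: `tbs->md = data;` stores the digest name exactly as the peer sent it, so an unknown name, an empty string or a deliberately weak digest reaches the signer unchecked, where the old hard-coded "sha256" at least bounded it. Validate `data` against the digests the service is meant to offer and reject the command otherwise, e.g. `if( data != "sha256" && data != "sha512" ) { throw "unsupported signature type"; }` (constructed example; the real allowlist should come from what the profiles permit, which is not visible here). The enclosing switch starts and ends outside the hunk.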
@@ -225,18 +253,10 @@ void DefaultRecordHandler::handle() {
 currentSession = std::shared_ptr( new RecordHandlerSession( this, signer, ctx, bio ) );
 }
+ std::cout << "really allocated: " << currentSession << ";" << std::endl;
 currentSession->work();
 }
-int count = 0;
-
-void send( std::shared_ptr bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
- head.command = ( uint16_t ) cmd;
- head.command_count++;
- head.totalLength = data.size();
- sendCommand( head, data, bio );
-}
-
 void setupSerial( FILE* f ) {
 struct termios attr;
@@ -250,6 +270,9 @@ void setupSerial( FILE* f ) {
 attr.c_cflag &= ~( CSIZE | PARENB );
 attr.c_cflag |= CS8;
+ cfsetispeed( &attr, B115200 );
+ cfsetospeed( &attr, B115200 );
+
 if( tcsetattr( fileno( f ), TCSANOW, &attr ) ) {
 throw "failed to get attrs";
 }
@@ -258,7 +281,8 @@ void setupSerial( FILE* f ) {
 int handlermain( int argc, const char* argv[] ) {
 ( void ) argc;
 ( void ) argv;
- std::shared_ptr bio( new OpensslBIOWrapper( BIO_new_fd( 0, 0 ) ) );
+
+ std::shared_ptr bio( new OpensslBIOWrapper( std::shared_ptr( BIO_new_fd( 0, 0 ), BIO_free ) ) );
 std::string data = "-----BEGIN CERTIFICATE REQUEST-----\n"
 "MIIBSzCBtQIBADAMMQowCAYDVQQDDAFhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n"
@@ -269,6 +293,7 @@ int handlermain( int argc, const char* argv[] ) {
 "/f49zIcVtUJuZuEwY6uDZQqfAm+8CLNpOCICH/Qw7YOe+s/Yw7a8rk5VqLtgxR4M\n"
 "z6DUeVL0zYFoLUxIje9yDU3pWmPvyVaBPdo0DguZwFMfiWwzhkUDeQgyeaiMvQA=\n"
 "-----END CERTIFICATE REQUEST-----";
+
 RecordHeader head;
 head.flags = 0;
 head.sessid = 13;
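Review bot: `std::cout << "really allocated: " << currentSession << ";"` prints the session object's heap address on every call to handle(); it is a debugging leftover that clutters stdout and discloses an address, and should be dropped or reduced to a fixed "session created" message on the log stream. handle()'s body begins outside the hunk.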
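Review bot: `cfsetispeed( &attr, B115200 )` and `cfsetospeed( &attr, B115200 )` return -1 on failure but their results are ignored, so an unsupported speed would silently leave the previous rate in `attr`; `tcsetattr` just below is checked, and these should be too: `if( cfsetispeed( &attr, B115200 ) || cfsetospeed( &attr, B115200 ) ) { throw "failed to set baud rate"; }`. The existing `throw "failed to get attrs"` after tcsetattr also names the wrong call and could read `"failed to set attrs"`. setupSerial's body begins outside the hunk.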
@@ -287,40 +312,29 @@ int handlermain( int argc, const char* argv[] ) { setupSerial( f ); - BIO* b = BIO_new_fd( fileno( f ), 0 ); - BIO* slip1 = BIO_new( toBio() ); + std::shared_ptr b( BIO_new_fd( fileno( f ), 0 ), BIO_free ); + std::shared_ptr slip1( BIO_new( toBio() ), BIO_free ); ( ( SlipBIO* )slip1->ptr )->setTarget( std::shared_ptr( new OpensslBIOWrapper( b ) ) ); std::cout << "Initing tlsv1_2" << std::endl; std::shared_ptr ctx = generateSSLContext( false ); - SSL* ssl = SSL_new( ctx.get() ); - BIO* bio = BIO_new( BIO_f_ssl() ); - SSL_set_connect_state( ssl ); - SSL_set_bio( ssl, slip1, slip1 ); - BIO_set_ssl( bio, ssl, BIO_NOCLOSE ); - std::shared_ptr conn( new OpensslBIOWrapper( bio ) ); - send( conn, head, RecordHeader::SignerCommand::SET_CSR, data ); - send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, "sha256" ); - send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, "1" ); - send( conn, head, RecordHeader::SignerCommand::ADD_AVA, "CN,commonName" ); - send( conn, head, RecordHeader::SignerCommand::ADD_SAN, "DNS,*.example.com" ); - send( conn, head, RecordHeader::SignerCommand::SIGN, "" ); - send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" ); - std::vector buffer( 2048 * 4 ); - - for( int i = 0; i < 2; i++ ) { - try { - int length = conn->read( buffer.data(), buffer.size() ); - RecordHeader head; - std::string payload = parseCommand( head, std::string( buffer.data(), length ) ); - std::cout << "Data: " << std::endl << payload << std::endl; - } catch( const char* msg ) { - std::cout << msg << std::endl; - return -1; - } - } - - std::cout << "sent things" << std::endl; - + std::shared_ptr sign( new RemoteSigner( slip1, ctx ) ); + std::shared_ptr cert( new TBSCertificate() ); + cert->csr_type = "csr"; + cert->csr_content = data; + cert->md = "sha256"; + cert->profile = "1"; + std::shared_ptr ava( new AVA() ); + ava->name = "CN"; + ava->value = "Dummy user certificates"; + cert->AVAs.push_back( ava ); + std::shared_ptr san( 
new SAN() ); + san->type = "DNS"; + san->content = "n42.example.com"; + cert->SANs.push_back( san ); + + auto res = sign->sign( cert ); + std::cout << "log: " << res->log << std::endl; + std::cout << "cert things: " << res->certificate << std::endl; return 0; } @@ -333,8 +347,9 @@ int handlermain( int argc, const char* argv[] ) { setupSerial( f ); - BIO* conn = BIO_new_fd( fileno( f ), 0 ); - BIO* slip1 = BIO_new( toBio() ); + std::shared_ptr conn( BIO_new_fd( fileno( f ), 0 ), BIO_free ); + std::shared_ptr slip1( BIO_new( toBio() ), BIO_free ); + ( ( SlipBIO* )slip1->ptr )->setTarget( std::shared_ptr( new OpensslBIOWrapper( conn ) ) ); try {
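Review bot: `auto res = sign->sign( cert );` is dereferenced on the following two lines without a check, so if RemoteSigner::sign signals failure by returning an empty pointer — for example when the peer's certificate is now rejected under SSL_VERIFY_PEER — the client crashes instead of reporting it; guard with `if( !res ) { std::cout << "signing failed" << std::endl; return -1; }` or whatever failure convention sign() actually uses, which is not visible here. The removed loop wrapped the exchange in `catch( const char* msg )`, and since the rest of the file throws string literals, the new sign() call likely needs the same handling. `( ( SlipBIO* )slip1->ptr )->setTarget( ... )` still reaches into the BIO through a C-style cast; a small accessor on SlipBIO would keep that in one place. handlermain's body begins outside the hunk.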