From 756ae4fd15b4e217ae434216ceda8cbea2fac41c Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Aug 12 2016 14:55:33 +0000
Subject: Drop tlslayer*

Drop the tlslayer prototype, which was started in order to be able to handle enrollment protocols that weren't based on protocols implemented by libcurl, but which wasn't a particularly good example of how to use the APIs that it was using. (ticket #55)

Signed-off-by: Nalin Dahyabhai
---
diff --git a/src/Makefile.am b/src/Makefile.am
index c8917f6..6621703 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -181,7 +181,7 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
 certmonger_session_LDADD = libcm.a \
 $(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
 $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV)
-noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x tlslayer toklist
+noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
 tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
 tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS)
 serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV)
@@ -264,11 +264,3 @@ submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN
 submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h
 submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \
 $(POPT_LIBS)
-tlslayer_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(OPENSSL_SSL_CFLAGS) \
- -DCM_TLSLAYER_MAIN
-tlslayer_SOURCES = tlslayer.c tlslayer-n.c \
- tlslayer.h tlslayer-int.h
-if HAVE_OPENSSL
-tlslayer_SOURCES += tlslayer-o.c
-endif
-tlslayer_LDADD = $(NSS_LIBS) $(OPENSSL_SSL_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
diff --git a/src/tlslayer-int.h b/src/tlslayer-int.h
deleted file mode 100644
index dd9ab1e..0000000
--- a/src/tlslayer-int.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2012 Red Hat, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-#ifndef tlslayer_int_h
-#define tlslayer_int_h
-
-struct cm_tls_connection {
- struct cm_tls_connection_ops {
- int (*cm_fd)(struct cm_tls_connection *conn, void *pvt);
- ssize_t (*cm_write)(struct cm_tls_connection *conn, void *pvt,
- const void *buf, size_t count);
- ssize_t (*cm_read)(struct cm_tls_connection *conn, void *pvt,
- void *buf, size_t count);
- void (*cm_close)(struct cm_tls_connection *conn, void *pvt);
- } pvt_ops;
- void *pvt;
-};
-
-struct cm_tls_connection *cm_tls_n(const char *hostport,
- const char *trusted_ca_file,
- const char *trusted_ca_db,
- const char *client_db,
- const char *client_nickname);
-struct cm_tls_connection *cm_tls_o(const char *hostport,
- const char *trusted_ca_file,
- const char *trusted_ca_dir,
- const char *client_cert_file,
- const char *client_key_file);
-
-#endif
diff --git a/src/tlslayer-n.c b/src/tlslayer-n.c
deleted file mode 100644
index 6d24ce0..0000000
--- a/src/tlslayer-n.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/*
- * Copyright (C) 2012,2014 Red Hat, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-#include "config.h"
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include "tlslayer.h"
-#include "tlslayer-int.h"
-
-struct cm_tls_n_pvt {
- PRFileDesc *sfd, *model, *fd;
- char *client_db, *client_nickname;
-};
-
-static int
-cm_tls_n_fd(struct cm_tls_connection *conn, void *data)
-{
- return -1;
-}
-
-static ssize_t
-cm_tls_n_write(struct cm_tls_connection *conn, void *data,
- const void *buf, size_t count)
-{
- return -1;
-}
-
-static ssize_t
-cm_tls_n_read(struct cm_tls_connection *conn, void *data,
- void *buf, size_t count)
-{
- return -1;
-}
-
-static void
-cm_tls_n_close(struct cm_tls_connection *conn, void *data)
-{
- struct cm_tls_n_pvt *pvt = (struct cm_tls_n_pvt *) data;
- PR_Close(pvt->sfd);
- PR_Close(pvt->model);
- PR_Close(pvt->fd);
- talloc_free(conn);
-}
-
-static SECStatus
-cm_tls_n_bad_cert(void *arg, PRFileDesc *fd)
-{
- fprintf(stderr, "Server certificate failed to verify: %s.\n",
- PR_ErrorToName(PORT_GetError()));
- return SECFailure;
-}
-
-static SECStatus
-cm_tls_n_get_client_creds(void *arg, PRFileDesc *socket,
- CERTDistNames *cas,
- CERTCertificate **client_cert,
- SECKEYPrivateKey **client_key)
-{
- *client_cert = NULL;
- *client_key = NULL;
- return SECFailure;
-}
-
-struct cm_tls_connection *
-cm_tls_n(const char *hostport,
- const char *trusted_ca_file,
- const char *trusted_ca_db,
- const char *client_db,
- const char *client_nickname)
-{
- struct cm_tls_connection *ret;
- struct cm_tls_n_pvt *pvt;
- char buf[LINE_MAX], *hp, *service;
- PRHostEnt host;
- PRNetAddr addr;
- PRIntn i;
- PRUint16 port;
-
- if (trusted_ca_db != NULL) {
- NSS_InitContext(trusted_ca_db,
- NULL, NULL, NULL, NULL, 0);
- } else {
- NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,
- NULL, NULL, NULL, NULL, NSS_INIT_NOCERTDB);
- }
- ret = talloc_ptrtype(NULL, ret);
- if (ret == NULL) {
- return NULL;
- }
- memset(ret, 0, sizeof(*ret));
- pvt = talloc_ptrtype(ret, pvt);
- if (pvt == NULL) {
- talloc_free(ret);
- return NULL;
- }
- memset(pvt, 0, sizeof(*pvt));
- hp = talloc_strdup(ret, hostport);
- if (hp == NULL) {
- talloc_free(ret);
- return NULL;
- }
- service = strrchr(hp, ':');
- port = 80;
- if (service != NULL) {
- if (strspn(service + 1, "0123456789") == strlen(service + 1)) {
- *service++ = '\0';
- port = atoi(service);
- } else {
- service = NULL;
- }
- }
- pvt->client_db = talloc_strdup(pvt, client_db);
- pvt->client_nickname = talloc_strdup(pvt, client_nickname);
- pvt->fd = PR_NewTCPSocket();
- memset(&host, 0, sizeof(host));
- PR_GetHostByName(hp, buf, sizeof(buf), &host);
- memset(&addr, 0, sizeof(addr));
- for (i = PR_EnumerateHostEnt(0, &host, port, &addr);
- i != 0;
- i = PR_EnumerateHostEnt(i, &host, port, &addr)) {
- if (PR_Connect(pvt->fd, &addr,
- PR_INTERVAL_NO_TIMEOUT) == PR_SUCCESS) {
- break;
- }
- }
- if (i == 0) {
- fprintf(stderr, "PR_Connect\n");
- PR_Close(pvt->fd);
- talloc_free(ret);
- return NULL;
- }
- pvt->model = SSL_ImportFD(NULL, PR_NewTCPSocket());
- if (pvt->model == NULL) {
- fprintf(stderr, "SSL_ImportFD: %d\n", PORT_GetError());
- PR_Close(pvt->model);
- PR_Close(pvt->fd);
- talloc_free(ret);
- return NULL;
- }
-#if 0
- if (SSL_OptionSet(pvt->model, SSL_SECURITY, 1) < 0) {
- fprintf(stderr, "SSL_OptionSet(SSL_SECURITY): %d\n",
- PORT_GetError());
- PR_Close(pvt->model);
- PR_Close(pvt->fd);
- talloc_free(ret);
- return NULL;
- }
-#endif
- if (SSL_SetURL(pvt->model, hp) != SECSuccess) {
- fprintf(stderr, "SSL_SetURL: %d\n", PORT_GetError());
- PR_Close(pvt->model);
- PR_Close(pvt->fd);
- talloc_free(ret);
- return NULL;
- }
- SSL_BadCertHook(pvt->model, &cm_tls_n_bad_cert, NULL);
- SSL_GetClientAuthDataHook(pvt->model,
- &cm_tls_n_get_client_creds,
- pvt);
- pvt->sfd = SSL_ImportFD(pvt->model, pvt->fd);
- if (SSL_ResetHandshake(pvt->sfd, 0) != SECSuccess) {
- fprintf(stderr, "SSL_ResetHandshake: %d\n", PORT_GetError());
- PR_Close(pvt->sfd);
- PR_Close(pvt->model);
- PR_Close(pvt->fd);
- talloc_free(ret);
- return NULL;
- }
- if (SSL_ForceHandshake(pvt->sfd) != SECSuccess) {
- fprintf(stderr, "SSL_ForceHandshake: %s\n",
- PR_ErrorToName(PORT_GetError()));
- PR_Close(pvt->sfd);
- PR_Close(pvt->model);
- PR_Close(pvt->fd);
- talloc_free(ret);
- return NULL;
- }
- ret->pvt = pvt;
- ret->pvt_ops.cm_fd = &cm_tls_n_fd;
- ret->pvt_ops.cm_read = &cm_tls_n_read;
- ret->pvt_ops.cm_write = &cm_tls_n_write;
- ret->pvt_ops.cm_close = &cm_tls_n_close;
- return ret;
-}
diff --git a/src/tlslayer-o.c b/src/tlslayer-o.c
deleted file mode 100644
index 2619975..0000000
--- a/src/tlslayer-o.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2012 Red Hat, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-#include "config.h"
-
-#include
-#include
-
-#include
-#include
-
-#include
-
-#include "tlslayer.h"
-#include "tlslayer-int.h"
-
-struct cm_tls_o_pvt {
- SSL_CTX *cm_ctx;
- BIO *cm_bio, *cm_sbio;
-};
-
-static int
-cm_tls_o_fd(struct cm_tls_connection *conn, void *data)
-{
- return -1;
-}
-
-static ssize_t
-cm_tls_o_write(struct cm_tls_connection *conn, void *data,
- const void *buf, size_t count)
-{
- struct cm_tls_o_pvt *pvt = (struct cm_tls_o_pvt *) data;
- return BIO_write(pvt->cm_sbio, buf, count);
-}
-
-static ssize_t
-cm_tls_o_read(struct cm_tls_connection *conn, void *data,
- void *buf, size_t count)
-{
- struct cm_tls_o_pvt *pvt = (struct cm_tls_o_pvt *) data;
- return BIO_read(pvt->cm_sbio, buf, count);
-}
-
-static void
-cm_tls_o_close(struct cm_tls_connection *conn, void *data)
-{
- struct cm_tls_o_pvt *pvt = (struct cm_tls_o_pvt *) data;
- BIO_ssl_shutdown(pvt->cm_sbio);
- talloc_free(conn);
-}
-
-struct cm_tls_connection *
-cm_tls_o(const char *hostport,
- const char *trusted_ca_file,
- const char *trusted_ca_db,
- const char *client_db,
- const char *client_nickname)
-{
- struct cm_tls_connection *ret;
- struct cm_tls_o_pvt *pvt;
-
- ret = talloc_ptrtype(NULL, ret);
- if (ret == NULL) {
- return NULL;
- }
- memset(ret, 0, sizeof(*ret));
- pvt = talloc_ptrtype(ret, pvt);
- if (pvt == NULL) {
- talloc_free(ret);
- return NULL;
- }
- memset(pvt, 0, sizeof(*pvt));
- pvt->cm_ctx = SSL_CTX_new(SSLv23_client_method());
- pvt->cm_bio = BIO_new_connect(strdup(hostport));
- pvt->cm_sbio = BIO_new_ssl(pvt->cm_ctx, 1);
- BIO_push(pvt->cm_sbio, pvt->cm_bio);
- if (BIO_do_connect(pvt->cm_sbio) != 1) {
- return NULL;
- }
- ret->pvt = pvt;
- ret->pvt_ops.cm_fd = &cm_tls_o_fd;
- ret->pvt_ops.cm_read = &cm_tls_o_read;
- ret->pvt_ops.cm_write = &cm_tls_o_write;
- ret->pvt_ops.cm_close = &cm_tls_o_close;
- return ret;
-}
diff --git a/src/tlslayer.c b/src/tlslayer.c
deleted file mode 100644
index 3728146..0000000
--- a/src/tlslayer.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
- * Copyright (C) 2012,2015 Red Hat, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-#include "config.h"
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-
-#include "tlslayer.h"
-#include "tlslayer-int.h"
-
-#ifdef CM_TLSLAYER_MAIN
-static int
-cm_tls_null_fd(struct cm_tls_connection *conn, void *pvt)
-{
- return *(int *) pvt;
-}
-
-static ssize_t
-cm_tls_null_write(struct cm_tls_connection *conn, void *pvt, const void *buf, size_t count)
-{
- return write(*(int *) pvt, buf, count);
-}
-
-static ssize_t
-cm_tls_null_read(struct cm_tls_connection *conn, void *pvt, void *buf, size_t count)
-{
- return read(*(int *) pvt, buf, count);
-}
-
-static void
-cm_tls_null_close(struct cm_tls_connection *conn, void *pvt)
-{
- close(*(int *)pvt);
- talloc_free(conn);
-}
-
-static struct cm_tls_connection *
-cm_tls_null(const char *hostport)
-{
- static struct cm_tls_connection *ret;
- struct addrinfo *res, *r;
- int *pvt, sd;
- char *hp, *service;
-
- ret = talloc_ptrtype(NULL, ret);
- if (ret == NULL) {
- return NULL;
- }
- memset(ret, 0, sizeof(*ret));
- pvt = talloc_ptrtype(ret, pvt);
- if (pvt == NULL) {
- talloc_free(ret);
- return NULL;
- }
- memset(pvt, 0, sizeof(*pvt));
- hp = talloc_strdup(ret, hostport);
- if (hp == NULL) {
- talloc_free(ret);
- return NULL;
- }
- service = strrchr(hp, ':');
- if (service != NULL) {
- if (strspn(service + 1, "0123456789") == strlen(service + 1)) {
- *service++ = '\0';
- } else {
- service = NULL;
- }
- }
- res = NULL;
- if (getaddrinfo(hp, service, NULL, &res) != 0) {
- talloc_free(ret);
- return NULL;
- }
- for (r = res; r != NULL; r = r->ai_next) {
- sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
- if (sd == -1) {
- continue;
- }
- if (connect(sd, r->ai_addr, r->ai_addrlen) != 0) {
- close(sd);
- sd = -1;
- continue;
- }
- break;
- }
- freeaddrinfo(res);
- *pvt = sd;
- ret->pvt = pvt;
- ret->pvt_ops.cm_fd = &cm_tls_null_fd;
- ret->pvt_ops.cm_read = &cm_tls_null_read;
- ret->pvt_ops.cm_write = &cm_tls_null_write;
- ret->pvt_ops.cm_close = &cm_tls_null_close;
- return ret;
-}
-#else
-static struct cm_tls_connection *
-cm_tls_null(const char *hostport)
-{
- return NULL;
-}
-#endif
-
-struct cm_tls_connection *
-cm_tls_connect(const char *hostport,
- const char *trusted_ca_file,
- const char *trusted_ca_dir,
- const char *trusted_ca_db,
- const char *client_cert_file,
- const char *client_key_file,
- const char *client_db,
- const char *client_nickname)
-{
- if (!trusted_ca_db && !trusted_ca_dir && !trusted_ca_file &&
- !client_cert_file && !client_key_file &&
- !client_db && !client_nickname) {
- fprintf(stderr, "The googles! They do nothing!\n");
- return cm_tls_null(hostport);
- } else
- if (!trusted_ca_dir && !client_cert_file && !client_key_file) {
- fprintf(stderr, "NSS!\n");
- return cm_tls_n(hostport,
- trusted_ca_file,
- trusted_ca_db,
- client_db,
- client_nickname);
-#ifdef HAVE_OPENSSL
- } else
- if (!trusted_ca_db && !client_db && !client_nickname) {
- fprintf(stderr, "OpenSSL!\n");
- return cm_tls_o(hostport,
- trusted_ca_file,
- trusted_ca_dir,
- client_cert_file,
- client_key_file);
-#endif
- } else {
- return NULL;
- }
-}
-
-int
-cm_tls_fd(struct cm_tls_connection *conn)
-{
- return conn->pvt_ops.cm_fd(conn, conn->pvt);
-}
-
-ssize_t
-cm_tls_write(struct cm_tls_connection *conn, const void *buf, size_t count)
-{
- return conn->pvt_ops.cm_write(conn, conn->pvt, buf, count);
-}
-
-ssize_t
-cm_tls_read(struct cm_tls_connection *conn, void *buf, size_t count)
-{
- return conn->pvt_ops.cm_read(conn, conn->pvt, buf, count);
-}
-
-void
-cm_tls_close(struct cm_tls_connection *conn)
-{
- conn->pvt_ops.cm_close(conn, conn->pvt);
-}
-
-#ifdef CM_TLSLAYER_MAIN
-int
-main(int argc, const char **argv)
-{
- struct cm_tls_connection *conn;
- const char *hostport = NULL;
- const char *trusted_ca_file = NULL, *trusted_ca_dir = NULL;
- const char *trusted_ca_db = NULL;
- const char *client_cert_file = NULL, *client_key_file = NULL;
- const char *client_db = NULL, *client_nickname = NULL;
- int c;
- poptContext pctx;
- struct poptOption popts[] = {
- {"ca-file", 'c', POPT_ARG_STRING, &trusted_ca_file, 0, NULL, "FILENAME"},
- {"ca-dir", 'C', POPT_ARG_STRING, &trusted_ca_dir, 0, NULL, "DIRECTORY"},
- {"ca-database", 'D', POPT_ARG_STRING, &trusted_ca_db, 0, NULL, "DIRECTORY"},
- {"client-cert", 'f', POPT_ARG_STRING, &client_cert_file, 0, NULL, "FILENAME"},
- {"client-key", 'k', POPT_ARG_STRING, &client_key_file, 0, NULL, "FILENAME"},
- {"client-database", 'd', POPT_ARG_STRING, &client_db, 0, NULL, "DIRECTORY"},
- {"client-nickname", 'n', POPT_ARG_STRING, &client_nickname, 0, NULL, NULL},
- POPT_AUTOHELP
- POPT_TABLEEND
- };
-
- pctx = poptGetContext("tlslayer", argc, argv, popts, 0);
- if (pctx == NULL) {
- return 1;
- }
- poptSetOtherOptionHelp(pctx, "[options...] hostname:port");
- while ((c = poptGetNextOpt(pctx)) > 0) {
- continue;
- }
- if (c != -1) {
- poptPrintUsage(pctx, stdout, 0);
- return 1;
- }
- hostport = poptGetArg(pctx);
- if (hostport == NULL) {
- poptPrintUsage(pctx, stdout, 0);
- return 2;
- }
-
- conn = cm_tls_connect(hostport,
- trusted_ca_file,
- trusted_ca_dir,
- trusted_ca_db,
- client_cert_file,
- client_key_file,
- client_db,
- client_nickname);
- if (conn == NULL) {
- fprintf(stderr, "Error establishing connection.\n");
- return 2;
- }
-
- cm_tls_close(conn);
- return 0;
-}
-#endif
diff --git a/src/tlslayer.h b/src/tlslayer.h
deleted file mode 100644
index 43ed352..0000000
--- a/src/tlslayer.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2012 Red Hat, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see .
- */
-
-#ifndef tlslayer_h
-#define tlslayer_h
-
-struct cm_tls_connection;
-struct cm_tls_connection *cm_tls_connect(const char *hostport,
- const char *trusted_ca_file,
- const char *trusted_ca_dir,
- const char *trusted_ca_db,
- const char *client_cert_file,
- const char *client_key_file,
- const char *client_db,
- const char *client_nickname);
-int cm_tls_fd(struct cm_tls_connection *conn);
-ssize_t cm_tls_write(struct cm_tls_connection *conn,
- const void *buf, size_t count);
-ssize_t cm_tls_read(struct cm_tls_connection *conn,
- void *buf, size_t count);
-void cm_tls_close(struct cm_tls_connection *conn);
-
-#endif