From c266796caaaf8a8c2a6c4a971a5fc18975b73f8e Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Thu, 25 Aug 2016 23:07:44 +0200
Subject: client: Initial support for TLS in the client

Use GNUtls because it is GPL compatible and instead of mbedTLS seems to have a working non-blocking I/O integration.

GNUtls has various issues that could not be resolved easily:

* Pick spdy as sub protocol
* gmt_time not randomized
* private key loaded to RAM (but not verified)

This is the beginning and not the end. Client support might need more work with actual tls verification. Maybe more manual x509 cert verification is needed and maybe client certs don't work at all.

I try to ignore renegotiation as I threw away the key. Reload x509 creds and keys as they might have changed from one connection to another.

Change-Id: I9128e14084da1fc2705f858393f98b8133996172
---
 include/osmo-pcap/Makefile.am        | 2 +-
 include/osmo-pcap/common.h           | 1 +
 include/osmo-pcap/osmo_pcap_client.h | 16 +++++++++
 include/osmo-pcap/osmo_tls.h         | 65 ++++++++++++++++++++++++++++++++++++
 4 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 include/osmo-pcap/osmo_tls.h
(limited to 'include')

diff --git a/include/osmo-pcap/Makefile.am b/include/osmo-pcap/Makefile.am
index 1a446bc..b71e70c 100644
--- a/include/osmo-pcap/Makefile.am
+++ b/include/osmo-pcap/Makefile.am
@@ -1 +1 @@
-noinst_HEADERS = common.h osmo_pcap_client.h osmo_pcap_server.h wireformat.h
+noinst_HEADERS = common.h osmo_pcap_client.h osmo_pcap_server.h wireformat.h osmo_tls.h
diff --git a/include/osmo-pcap/common.h b/include/osmo-pcap/common.h
index b8f8110..fff452f 100644
--- a/include/osmo-pcap/common.h
+++ b/include/osmo-pcap/common.h
@@ -34,6 +34,7 @@
 enum {
 	DCLIENT,
 	DSERVER,
 	DVTY,
+	DTLS,
 	Debug_LastEntry,
 };
diff --git a/include/osmo-pcap/osmo_pcap_client.h b/include/osmo-pcap/osmo_pcap_client.h
index 4367e4c..b8ceb38 100644
--- a/include/osmo-pcap/osmo_pcap_client.h
+++ b/include/osmo-pcap/osmo_pcap_client.h
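Review bot: `DTLS` in the debug-category enum reads as the Datagram TLS protocol rather than a logging subsystem, and since the neighbouring entries carry no comments nothing disambiguates it; a trailing comment would help, `DTLS,	/* TLS transport (GnuTLS) logging, not Datagram TLS */`. A new category also needs its matching entry in the log category table on the .c side, which is outside this include-only view and presumably covered by the rest of the commit. The enum itself is complete within the hunk.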
@@ -20,6 +20,8 @@
  *
  */
+#include "osmo_tls.h"
+
 #include
 #include
@@ -64,6 +66,20 @@ struct osmo_pcap_client {
 	struct osmo_wqueue wqueue;
 	struct osmo_timer_list timer;
 
+	/* TLS handling */
+	bool tls_on;
+	bool tls_verify;
+	char *tls_hostname;
+	char *tls_capath;
+	char *tls_priority;
+
+	char *tls_client_cert;
+	char *tls_client_key;
+
+	unsigned tls_log_level;
+
+	struct osmo_tls_session tls_session;
+
 	/* statistics */
 	struct rate_ctr_group *ctrg;
 };
diff --git a/include/osmo-pcap/osmo_tls.h b/include/osmo-pcap/osmo_tls.h
new file mode 100644
index 0000000..bfc813e
--- /dev/null
+++ b/include/osmo-pcap/osmo_tls.h
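Review bot: `tls_verify` has no documented default, and because a zero-initialised `struct osmo_pcap_client` yields `false`, a configuration that sets `tls_on` without explicitly enabling verification would run TLS with no peer check — the commit message itself lists verification as unfinished. Document the intent on the field, `bool tls_verify;	/* verify the peer against tls_capath; zero-init leaves this off, config must enable it */`, and likewise note that `tls_priority` is a GnuTLS priority string and that `tls_client_key` (presumably a file path) ends up as key material in RAM, per the `privk` comment in osmo_tls.h. The five `char *` fields also need a stated owner — who allocates them and who frees them on reconfigure — so the reload-per-connection path described in the commit message does not leak or double-free. `struct osmo_pcap_client` begins before this hunk.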
@@ -0,0 +1,65 @@
+/*
+ * osmo-pcap TLS code
+ *
+ * (C) 2016 by Holger Hans Peter Freyther
+ * All Rights Reserved
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+#pragma once
+
+#include
+#include
+
+#include
+
+struct osmo_fd;
+struct osmo_wqueue;
+struct osmo_pcap_client;
+
+struct osmo_tls_session {
+	bool in_use;
+	bool need_handshake;
+	bool need_resend;
+	gnutls_session_t session;
+
+	/* any credentials */
+	bool anon_alloc;
+	gnutls_anon_client_credentials_t anon_cred;
+
+	/* a x509 cert credential */
+	bool cert_alloc;
+	gnutls_certificate_credentials_t cert_cred;
+
+	/* the private certificate */
+	bool pcert_alloc;
+	gnutls_pcert_st pcert;
+
+	/* the private key in _RAM_ */
+	bool privk_alloc;
+	gnutls_privkey_t privk;
+
+	struct osmo_wqueue *wqueue;
+
+	void (*error)(struct osmo_tls_session *session);
+	void (*handshake_done)(struct osmo_tls_session *session);
+};
+
+void osmo_tls_init(void);
+
+bool osmo_tls_init_client_session(struct osmo_pcap_client *client);
+void osmo_tls_release(struct osmo_tls_session *);
+
+int osmo_tls_client_bfd_cb(struct osmo_fd *fd, unsigned int what);
-- 
cgit v1.2.3
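Review bot: The public prototypes carry no documentation and `osmo_tls_release(struct osmo_tls_session *)` omits its parameter name; given that the struct keeps the private key in RAM (`privk`, per its own comment), the header should state that release is where `privk`, `pcert`, `cert_cred` and `anon_cred` are deinitialised according to their `*_alloc` flags, e.g. `/** Tear down the session and deinit every credential whose *_alloc flag is set. */` above `void osmo_tls_release(struct osmo_tls_session *session);`. `osmo_tls_init_client_session` returns `bool` — say what `false` means and whether the caller must still call release afterwards, since a setup failure that has already set `privk_alloc` but is never released would keep the key material alive. The `error` and `handshake_done` callbacks also need a sentence on when they fire and whether the session may be released from inside them. The `#include` lines appear with their targets stripped, which looks like an artefact of how the page was extracted rather than of the patch itself.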