[apple/security.git] / tlsnke / tlsnketest / tlssocket.c

//
//  tlssocket.c
//  tlsnke
//
//  Created by Fabrice Gautier on 1/6/12.
//  Copyright (c) 2012 Apple, Inc. All rights reserved.
//

#include <Security/SecureTransportPriv.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <stdlib.h>
#include <stdio.h>
#include <assert.h>

#include <net/kext_net.h>

#include "tlssocket.h"
#include "tlsnke.h"

#include <AssertMacros.h>
#include <errno.h>

/* TLSSocket functions */

static 
int TLSSocket_Read(SSLRecordContextRef ref,
                        SSLRecord *rec)
{
    int socket = (int)ref;
    int rc;
    ssize_t sz;
    struct sockaddr_in client_addr;
    int avail;
    socklen_t avail_size;
    struct cmsghdr *cmsg;
    tls_record_hdr_t hdr;
    struct msghdr msg;
    struct iovec iov;
    int cbuf_len=CMSG_SPACE(sizeof(*hdr))+1024;
    uint8_t cbuf[cbuf_len];
   

    //    printf("%s: Waiting for some data...\n", __FUNCTION__);
    /* PEEK only... */
    char b;
    rc = (int)recv(socket, &b, 1, MSG_PEEK);
    
    if(rc==-1)
    {
        if(errno==EAGAIN)
            return errSSLRecordWouldBlock;
        else {
            perror("recv");
            return errno;
        }
    }
    
    /* get the next packet size */
    avail_size = sizeof(avail);
    rc = getsockopt(socket, SOL_SOCKET, SO_NREAD, &avail, &avail_size);
    
    check_noerr(rc); 
    check(avail_size==sizeof(avail));
    
    if(rc || (avail_size !=sizeof(avail)))
        return errSSLRecordInternal;

    //    printf("%s: Available = %d\n", __FUNCTION__, avail);
    
    if(avail==0)
        return errSSLRecordWouldBlock;

        
    /* Allocate a buffer */
    rec->contents.data = malloc(avail);
    rec->contents.length = avail;
    
    /* read the message */
    iov.iov_base = rec->contents.data;
    iov.iov_len = rec->contents.length;
    msg.msg_name = &client_addr;
    msg.msg_namelen = sizeof(client_addr);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = cbuf_len;
    
    sz = recvmsg(socket, &msg, 0);
    check(sz==avail);
    
    //    printf("%s: received = %ld, ctrl: l=%d f=%x\n", __FUNCTION__, sz, msg.msg_controllen, msg.msg_flags);
    rec->contents.length = sz;
    
    cmsg = CMSG_FIRSTHDR(&msg);
    check(cmsg);
    if(!cmsg)
        return 0;
    
    check(cmsg->cmsg_type == SCM_TLS_HEADER);
    check(cmsg->cmsg_level == SOL_SOCKET);
    check(cmsg->cmsg_len == CMSG_LEN(sizeof(*hdr)));
    hdr = (tls_record_hdr_t)CMSG_DATA(cmsg);
    check(hdr);
    
    /* print msg info */
    /*
    printf("%s: rc=%d, msg: %ld , cmsg = %d, %x, %x, hdr = %d, %x - from %s:%d\n", __FUNCTION__, rc,
           iov.iov_len,
           cmsg->cmsg_len, cmsg->cmsg_level, cmsg->cmsg_type,
           hdr->content_type, hdr->protocol_version,
           inet_ntoa(client_addr.sin_addr),ntohs(client_addr.sin_port)); 
    */
    rec->contentType = hdr->content_type;
    rec->protocolVersion = hdr->protocol_version;
    
    if(rec->contentType==SSL_RecordTypeChangeCipher) {
        printf("%s: Received ChangeCipherSpec message\n", __FUNCTION__);
    }
    return 0;
}

static
int TLSSocket_Free(SSLRecordContextRef ref,
                         SSLRecord rec)
{
    free(rec.contents.data);
    return 0;
}

static 
int TLSSocket_Write(SSLRecordContextRef ref,
                          SSLRecord rec)
{
    int socket = (int)ref;
    ssize_t sz;
    
    struct msghdr msg;
    struct iovec iov;
    tls_record_hdr_t hdr;
    struct cmsghdr *cmsg;
    int cbuf_len=CMSG_SPACE(sizeof(*hdr));
    uint8_t cbuf[cbuf_len];

    if(rec.contentType==SSL_RecordTypeChangeCipher) {
        printf("%s: Sending ChangeCipherSpec message\n", __FUNCTION__);
    }
    // printf("%s: fd=%d, rec.len=%ld\n", __FUNCTION__, socket, rec.contents.length);

    /* write the message */
    iov.iov_base = rec.contents.data;
    iov.iov_len = rec.contents.length;
    msg.msg_name = NULL;
    msg.msg_namelen = 0;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = cbuf_len;

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_TLS_HEADER;
    cmsg->cmsg_len = CMSG_LEN(sizeof(*hdr));
    hdr = (tls_record_hdr_t)CMSG_DATA(cmsg);
    hdr->content_type = rec.contentType;
    hdr->protocol_version = rec.protocolVersion;
    
    /* print msg info */
    sz = sendmsg(socket, &msg, 0);
    
    if(sz<0)
        perror("sendmsg");
    
    /*
       printf("%s: sz=%ld, msg: %ld , cmsg = %d, %d, %04x\n", __FUNCTION__, sz,
           iov.iov_len,
           cmsg->cmsg_len, cmsg->cmsg_level, cmsg->cmsg_type);
    */
    
    check(sz==rec.contents.length);

    if(sz<0)
        return (int)sz;
    else
        return 0;
}


static
int TLSSocket_InitPendingCiphers(SSLRecordContextRef   ref,
                                       uint16_t              selectedCipher,
                                       bool                  server,
                                       SSLBuffer             key)
{
    int socket = (int)ref;
    int rc;
    char *buf;
    
    buf = malloc(key.length+3);
    buf[0] = selectedCipher >> 8;
    buf[1] = selectedCipher & 0xff;
    buf[2] = server;
    memcpy(buf+3, key.data, key.length);
    
    printf("%s: cipher=%04x, keylen=%ld\n", __FUNCTION__, selectedCipher, key.length);
    
    rc = setsockopt(socket, SOL_SOCKET, SO_TLS_INIT_CIPHER, buf, (socklen_t)(key.length+3));
    
    printf("%s: rc=%d\n", __FUNCTION__, rc);
    
    free(buf);
    
    return rc;
}

static 
int TLSSocket_AdvanceWriteCipher(SSLRecordContextRef ref)
{
    int socket = (int)ref;
    int rc;
    rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ADVANCE_WRITE_CIPHER, NULL, 0);
    
    printf("%s: rc=%d\n", __FUNCTION__, rc);
    
    return rc;
}

static 
int TLSSocket_RollbackWriteCipher(SSLRecordContextRef ref)
{
    int socket = (int)ref;
    int rc;
    rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ROLLBACK_WRITE_CIPHER, NULL, 0);
    
    printf("%s: rc=%d\n", __FUNCTION__, rc);
    
    return rc;
}

static 
int TLSSocket_AdvanceReadCipher(SSLRecordContextRef    ref)
{
    int socket = (int)ref;
    int rc;
    rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ADVANCE_READ_CIPHER, NULL, 0);
    
    printf("%s: rc=%d\n", __FUNCTION__, rc);
    
    return rc;
}

static 
int TLSSocket_SetProtocolVersion(SSLRecordContextRef    ref,
                                 SSLProtocolVersion     protocolVersion)
{
    int socket = (int)ref;
    int rc;
    rc = setsockopt(socket, SOL_SOCKET, SO_TLS_PROTOCOL_VERSION, &protocolVersion, sizeof(protocolVersion));
    
    printf("%s: rc=%d\n", __FUNCTION__, rc);
    
    return rc;
}


static
int TLSSocket_ServiceWriteQueue(SSLRecordContextRef    ref)
{
    int socket = (int)ref;
    int rc;
    rc = setsockopt(socket, SOL_SOCKET, SO_TLS_SERVICE_WRITE_QUEUE, NULL, 0);

    return rc;
}


const struct SSLRecordFuncs TLSSocket_Funcs = {
    .read                = TLSSocket_Read,
    .write               = TLSSocket_Write,
    .initPendingCiphers  = TLSSocket_InitPendingCiphers,
    .advanceWriteCipher  = TLSSocket_AdvanceWriteCipher,
    .rollbackWriteCipher = TLSSocket_RollbackWriteCipher,
    .advanceReadCipher   = TLSSocket_AdvanceReadCipher,
    .setProtocolVersion  = TLSSocket_SetProtocolVersion,
    .free                = TLSSocket_Free,
    .serviceWriteQueue   = TLSSocket_ServiceWriteQueue,
};


/* TLSSocket SPIs */

int TLSSocket_Attach(int socket)
{
    
    /* Attach the TLS socket filter and return handle */
    struct so_nke so_tlsnke;
    int rc;
    int handle;
    socklen_t len;
    
    memset(&so_tlsnke, 0, sizeof(so_tlsnke));
    so_tlsnke.nke_handle = TLS_HANDLE_IP4;
    rc=setsockopt(socket, SOL_SOCKET, SO_NKE, &so_tlsnke, sizeof(so_tlsnke));
    if(rc)
        return rc;

    len = sizeof(handle);
    rc = getsockopt(socket, SOL_SOCKET, SO_TLS_HANDLE, &handle, &len);
    if(rc)
        return rc;

    assert(len==sizeof(handle));
    
    return handle;
}
Commit	Line	Data
427c49bc A	1	//
	2	// tlssocket.c
	3	// tlsnke
	4	//
	5	// Created by Fabrice Gautier on 1/6/12.
	6	// Copyright (c) 2012 Apple, Inc. All rights reserved.
	7	//
	8
	9	#include <Security/SecureTransportPriv.h>
	10	#include <string.h>
	11	#include <netinet/in.h>
	12	#include <arpa/inet.h>
	13
	14	#include <stdlib.h>
	15	#include <stdio.h>
	16	#include <assert.h>
	17
	18	#include <net/kext_net.h>
	19
	20	#include "tlssocket.h"
	21	#include "tlsnke.h"
	22
	23	#include <AssertMacros.h>
	24	#include <errno.h>
	25
	26	/* TLSSocket functions */
	27
	28	static
	29	int TLSSocket_Read(SSLRecordContextRef ref,
	30	SSLRecord *rec)
	31	{
	32	int socket = (int)ref;
	33	int rc;
	34	ssize_t sz;
	35	struct sockaddr_in client_addr;
	36	int avail;
	37	socklen_t avail_size;
	38	struct cmsghdr *cmsg;
	39	tls_record_hdr_t hdr;
	40	struct msghdr msg;
	41	struct iovec iov;
	42	int cbuf_len=CMSG_SPACE(sizeof(*hdr))+1024;
	43	uint8_t cbuf[cbuf_len];
	44
	45
	46	// printf("%s: Waiting for some data...\n", __FUNCTION__);
	47	/* PEEK only... */
	48	char b;
	49	rc = (int)recv(socket, &b, 1, MSG_PEEK);
	50
	51	if(rc==-1)
	52	{
	53	if(errno==EAGAIN)
	54	return errSSLRecordWouldBlock;
	55	else {
	56	perror("recv");
	57	return errno;
	58	}
	59	}
	60
	61	/* get the next packet size */
	62	avail_size = sizeof(avail);
	63	rc = getsockopt(socket, SOL_SOCKET, SO_NREAD, &avail, &avail_size);
	64
65	check_noerr(rc);
66	check(avail_size==sizeof(avail));
67
68	if(rc \|\| (avail_size !=sizeof(avail)))
69	return errSSLRecordInternal;
70
71	// printf("%s: Available = %d\n", __FUNCTION__, avail);
72
73	if(avail==0)
74	return errSSLRecordWouldBlock;
75
76
77	/* Allocate a buffer */
78	rec->contents.data = malloc(avail);
79	rec->contents.length = avail;
80
81	/* read the message */
82	iov.iov_base = rec->contents.data;
83	iov.iov_len = rec->contents.length;
84	msg.msg_name = &client_addr;
85	msg.msg_namelen = sizeof(client_addr);
86	msg.msg_iov = &iov;
87	msg.msg_iovlen = 1;
88	msg.msg_control = cbuf;
89	msg.msg_controllen = cbuf_len;
90
91	sz = recvmsg(socket, &msg, 0);
92	check(sz==avail);
93
94	// printf("%s: received = %ld, ctrl: l=%d f=%x\n", __FUNCTION__, sz, msg.msg_controllen, msg.msg_flags);
95	rec->contents.length = sz;
96
97	cmsg = CMSG_FIRSTHDR(&msg);
98	check(cmsg);
99	if(!cmsg)
100	return 0;
101
102	check(cmsg->cmsg_type == SCM_TLS_HEADER);
103	check(cmsg->cmsg_level == SOL_SOCKET);
104	check(cmsg->cmsg_len == CMSG_LEN(sizeof(*hdr)));
105	hdr = (tls_record_hdr_t)CMSG_DATA(cmsg);
106	check(hdr);
107
108	/* print msg info */
109	/*
110	printf("%s: rc=%d, msg: %ld , cmsg = %d, %x, %x, hdr = %d, %x - from %s:%d\n", __FUNCTION__, rc,
111	iov.iov_len,
112	cmsg->cmsg_len, cmsg->cmsg_level, cmsg->cmsg_type,
113	hdr->content_type, hdr->protocol_version,
114	inet_ntoa(client_addr.sin_addr),ntohs(client_addr.sin_port));
115	*/
116	rec->contentType = hdr->content_type;
117	rec->protocolVersion = hdr->protocol_version;
118
119	if(rec->contentType==SSL_RecordTypeChangeCipher) {
120	printf("%s: Received ChangeCipherSpec message\n", __FUNCTION__);
121	}
122	return 0;
123	}
124
125	static
126	int TLSSocket_Free(SSLRecordContextRef ref,
127	SSLRecord rec)
128	{
129	free(rec.contents.data);
130	return 0;
131	}
132
133	static
134	int TLSSocket_Write(SSLRecordContextRef ref,
135	SSLRecord rec)
136	{
137	int socket = (int)ref;
138	ssize_t sz;
139
140	struct msghdr msg;
141	struct iovec iov;
142	tls_record_hdr_t hdr;
143	struct cmsghdr *cmsg;
144	int cbuf_len=CMSG_SPACE(sizeof(*hdr));
145	uint8_t cbuf[cbuf_len];
146
147	if(rec.contentType==SSL_RecordTypeChangeCipher) {
148	printf("%s: Sending ChangeCipherSpec message\n", __FUNCTION__);
149	}
150	// printf("%s: fd=%d, rec.len=%ld\n", __FUNCTION__, socket, rec.contents.length);
151
152	/* write the message */
153	iov.iov_base = rec.contents.data;
154	iov.iov_len = rec.contents.length;
155	msg.msg_name = NULL;
156	msg.msg_namelen = 0;
157	msg.msg_iov = &iov;
158	msg.msg_iovlen = 1;
159	msg.msg_control = cbuf;
160	msg.msg_controllen = cbuf_len;
161
162	cmsg = CMSG_FIRSTHDR(&msg);
163	cmsg->cmsg_level = SOL_SOCKET;
164	cmsg->cmsg_type = SCM_TLS_HEADER;
165	cmsg->cmsg_len = CMSG_LEN(sizeof(*hdr));
166	hdr = (tls_record_hdr_t)CMSG_DATA(cmsg);
167	hdr->content_type = rec.contentType;
168	hdr->protocol_version = rec.protocolVersion;
169
170	/* print msg info */
171	sz = sendmsg(socket, &msg, 0);
172
173	if(sz<0)
174	perror("sendmsg");
175
176	/*
177	printf("%s: sz=%ld, msg: %ld , cmsg = %d, %d, %04x\n", __FUNCTION__, sz,
178	iov.iov_len,
179	cmsg->cmsg_len, cmsg->cmsg_level, cmsg->cmsg_type);
180	*/
181
182	check(sz==rec.contents.length);
183
184	if(sz<0)
185	return (int)sz;
186	else
187	return 0;
188	}
189
190
191	static
192	int TLSSocket_InitPendingCiphers(SSLRecordContextRef ref,
193	uint16_t selectedCipher,
194	bool server,
195	SSLBuffer key)
196	{
197	int socket = (int)ref;
198	int rc;
199	char *buf;
200
201	buf = malloc(key.length+3);
202	buf[0] = selectedCipher >> 8;
203	buf[1] = selectedCipher & 0xff;
204	buf[2] = server;
205	memcpy(buf+3, key.data, key.length);
206
207	printf("%s: cipher=%04x, keylen=%ld\n", __FUNCTION__, selectedCipher, key.length);
208
209	rc = setsockopt(socket, SOL_SOCKET, SO_TLS_INIT_CIPHER, buf, (socklen_t)(key.length+3));
210
211	printf("%s: rc=%d\n", __FUNCTION__, rc);
212
213	free(buf);
214
215	return rc;
216	}
217
218	static
219	int TLSSocket_AdvanceWriteCipher(SSLRecordContextRef ref)
220	{
221	int socket = (int)ref;
222	int rc;
223	rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ADVANCE_WRITE_CIPHER, NULL, 0);
224
225	printf("%s: rc=%d\n", __FUNCTION__, rc);
226
227	return rc;
228	}
229
230	static
231	int TLSSocket_RollbackWriteCipher(SSLRecordContextRef ref)
232	{
233	int socket = (int)ref;
234	int rc;
235	rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ROLLBACK_WRITE_CIPHER, NULL, 0);
236
237	printf("%s: rc=%d\n", __FUNCTION__, rc);
238
239	return rc;
240	}
241
242	static
243	int TLSSocket_AdvanceReadCipher(SSLRecordContextRef ref)
244	{
245	int socket = (int)ref;
246	int rc;
247	rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ADVANCE_READ_CIPHER, NULL, 0);
248
249	printf("%s: rc=%d\n", __FUNCTION__, rc);
250
251	return rc;
252	}
253
254	static
255	int TLSSocket_SetProtocolVersion(SSLRecordContextRef ref,
256	SSLProtocolVersion protocolVersion)
257	{
258	int socket = (int)ref;
259	int rc;
260	rc = setsockopt(socket, SOL_SOCKET, SO_TLS_PROTOCOL_VERSION, &protocolVersion, sizeof(protocolVersion));
261
262	printf("%s: rc=%d\n", __FUNCTION__, rc);
263
264	return rc;
265	}
266
267
268	static
269	int TLSSocket_ServiceWriteQueue(SSLRecordContextRef ref)
270	{
271	int socket = (int)ref;
272	int rc;
273	rc = setsockopt(socket, SOL_SOCKET, SO_TLS_SERVICE_WRITE_QUEUE, NULL, 0);
274
275	return rc;
276	}
277
278
279	const struct SSLRecordFuncs TLSSocket_Funcs = {
280	.read = TLSSocket_Read,
281	.write = TLSSocket_Write,
282	.initPendingCiphers = TLSSocket_InitPendingCiphers,
283	.advanceWriteCipher = TLSSocket_AdvanceWriteCipher,
284	.rollbackWriteCipher = TLSSocket_RollbackWriteCipher,
285	.advanceReadCipher = TLSSocket_AdvanceReadCipher,
286	.setProtocolVersion = TLSSocket_SetProtocolVersion,
287	.free = TLSSocket_Free,
288	.serviceWriteQueue = TLSSocket_ServiceWriteQueue,
289	};
290
291
292	/* TLSSocket SPIs */
293
294	int TLSSocket_Attach(int socket)
295	{
296
297	/* Attach the TLS socket filter and return handle */
298	struct so_nke so_tlsnke;
299	int rc;
300	int handle;
301	socklen_t len;
302
303	memset(&so_tlsnke, 0, sizeof(so_tlsnke));
304	so_tlsnke.nke_handle = TLS_HANDLE_IP4;
305	rc=setsockopt(socket, SOL_SOCKET, SO_NKE, &so_tlsnke, sizeof(so_tlsnke));
306	if(rc)
307	return rc;
308
309	len = sizeof(handle);
310	rc = getsockopt(socket, SOL_SOCKET, SO_TLS_HANDLE, &handle, &len);
311	if(rc)
312	return rc;
313
314	assert(len==sizeof(handle));
315
316	return handle;
317	}
318