mirror of
https://github.com/vlang/v.git
synced 2023-08-10 21:13:21 +03:00
579 lines
15 KiB
V
579 lines
15 KiB
V
module mbedtls
|
|
|
|
import io
|
|
import net
|
|
import time
|
|
|
|
const ctr_drbg = C.mbedtls_ctr_drbg_context{}
|
|
|
|
const entropy = C.mbedtls_entropy_context{}
|
|
|
|
fn init() {
|
|
$if trace_ssl ? {
|
|
eprintln(@METHOD)
|
|
}
|
|
unsafe { // Unsafe is needed for taking an address of const
|
|
C.mbedtls_ctr_drbg_init(&mbedtls.ctr_drbg)
|
|
C.mbedtls_entropy_init(&mbedtls.entropy)
|
|
ret := C.mbedtls_ctr_drbg_seed(&mbedtls.ctr_drbg, C.mbedtls_entropy_func, &mbedtls.entropy,
|
|
0, 0)
|
|
if ret != 0 {
|
|
C.mbedtls_ctr_drbg_free(&mbedtls.ctr_drbg)
|
|
panic('Failed to seed ssl context: ${ret}')
|
|
}
|
|
}
|
|
}
|
|
|
|
struct SSLCerts {
|
|
cacert C.mbedtls_x509_crt
|
|
client_cert C.mbedtls_x509_crt
|
|
client_key C.mbedtls_pk_context
|
|
}
|
|
|
|
// SSLConn is the current connection
|
|
pub struct SSLConn {
|
|
config SSLConnectConfig
|
|
mut:
|
|
server_fd C.mbedtls_net_context
|
|
ssl C.mbedtls_ssl_context
|
|
conf C.mbedtls_ssl_config
|
|
certs &SSLCerts = unsafe { nil }
|
|
handle int
|
|
duration time.Duration
|
|
opened bool
|
|
|
|
owns_socket bool
|
|
}
|
|
|
|
// SSLListener listens on a TCP port and accepts connection secured with TLS
|
|
pub struct SSLListener {
|
|
saddr string
|
|
config SSLConnectConfig
|
|
mut:
|
|
server_fd C.mbedtls_net_context
|
|
ssl C.mbedtls_ssl_context
|
|
conf C.mbedtls_ssl_config
|
|
certs &SSLCerts = unsafe { nil }
|
|
opened bool
|
|
// handle int
|
|
// duration time.Duration
|
|
}
|
|
|
|
// create a new SSLListener binding to `saddr`
|
|
pub fn new_ssl_listener(saddr string, config SSLConnectConfig) !&SSLListener {
|
|
mut listener := &SSLListener{
|
|
saddr: saddr
|
|
config: config
|
|
}
|
|
listener.init()!
|
|
listener.opened = true
|
|
return listener
|
|
}
|
|
|
|
// finish the listener and clean up resources
|
|
pub fn (mut l SSLListener) shutdown() ! {
|
|
$if trace_ssl ? {
|
|
eprintln(@METHOD)
|
|
}
|
|
if unsafe { l.certs != nil } {
|
|
C.mbedtls_x509_crt_free(&l.certs.cacert)
|
|
C.mbedtls_x509_crt_free(&l.certs.client_cert)
|
|
C.mbedtls_pk_free(&l.certs.client_key)
|
|
}
|
|
C.mbedtls_ssl_free(&l.ssl)
|
|
C.mbedtls_ssl_config_free(&l.conf)
|
|
if l.opened {
|
|
C.mbedtls_net_free(&l.server_fd)
|
|
}
|
|
}
|
|
|
|
// internal function to init and bind the listener
|
|
fn (mut l SSLListener) init() ! {
|
|
$if trace_ssl ? {
|
|
eprintln(@METHOD)
|
|
}
|
|
|
|
lhost, lport := net.split_address(l.saddr)!
|
|
if l.config.cert == '' || l.config.cert_key == '' {
|
|
return error('No certificate or key provided')
|
|
}
|
|
if l.config.validate && l.config.verify == '' {
|
|
return error('No root CA provided')
|
|
}
|
|
C.mbedtls_net_init(&l.server_fd)
|
|
C.mbedtls_ssl_init(&l.ssl)
|
|
C.mbedtls_ssl_config_init(&l.conf)
|
|
l.certs = &SSLCerts{}
|
|
C.mbedtls_x509_crt_init(&l.certs.client_cert)
|
|
C.mbedtls_pk_init(&l.certs.client_key)
|
|
|
|
unsafe {
|
|
C.mbedtls_ssl_conf_rng(&l.conf, C.mbedtls_ctr_drbg_random, &mbedtls.ctr_drbg)
|
|
}
|
|
|
|
mut ret := 0
|
|
|
|
if l.config.in_memory_verification {
|
|
if l.config.verify != '' {
|
|
ret = C.mbedtls_x509_crt_parse(&l.certs.cacert, l.config.verify.str,
|
|
l.config.verify.len + 1)
|
|
}
|
|
if l.config.cert != '' {
|
|
ret = C.mbedtls_x509_crt_parse(&l.certs.client_cert, l.config.cert.str,
|
|
l.config.cert.len + 1)
|
|
}
|
|
if l.config.cert_key != '' {
|
|
unsafe {
|
|
ret = C.mbedtls_pk_parse_key(&l.certs.client_key, l.config.cert_key.str,
|
|
l.config.cert_key.len + 1, 0, 0, C.mbedtls_ctr_drbg_random, &mbedtls.ctr_drbg)
|
|
}
|
|
}
|
|
} else {
|
|
if l.config.verify != '' {
|
|
ret = C.mbedtls_x509_crt_parse_file(&l.certs.cacert, &char(l.config.verify.str))
|
|
}
|
|
ret = C.mbedtls_x509_crt_parse_file(&l.certs.client_cert, &char(l.config.cert.str))
|
|
unsafe {
|
|
ret = C.mbedtls_pk_parse_keyfile(&l.certs.client_key, &char(l.config.cert_key.str),
|
|
0, C.mbedtls_ctr_drbg_random, &mbedtls.ctr_drbg)
|
|
}
|
|
}
|
|
|
|
if l.config.validate {
|
|
C.mbedtls_ssl_conf_authmode(&l.conf, C.MBEDTLS_SSL_VERIFY_REQUIRED)
|
|
}
|
|
|
|
mut bind_ip := unsafe { nil }
|
|
if lhost != '' {
|
|
bind_ip = voidptr(lhost.str)
|
|
}
|
|
bind_port := lport.str()
|
|
|
|
ret = C.mbedtls_net_bind(&l.server_fd, bind_ip, voidptr(bind_port.str), C.MBEDTLS_NET_PROTO_TCP)
|
|
|
|
if ret != 0 {
|
|
return error_with_code("can't bind to ${l.saddr}", ret)
|
|
}
|
|
|
|
ret = C.mbedtls_ssl_config_defaults(&l.conf, C.MBEDTLS_SSL_IS_SERVER, C.MBEDTLS_SSL_TRANSPORT_STREAM,
|
|
C.MBEDTLS_SSL_PRESET_DEFAULT)
|
|
if ret != 0 {
|
|
return error_with_code("can't to set config defaults", ret)
|
|
}
|
|
|
|
C.mbedtls_ssl_conf_ca_chain(&l.conf, &l.certs.cacert, unsafe { nil })
|
|
ret = C.mbedtls_ssl_conf_own_cert(&l.conf, &l.certs.client_cert, &l.certs.client_key)
|
|
|
|
if ret != 0 {
|
|
return error_with_code("can't load certificate", ret)
|
|
}
|
|
|
|
ret = C.mbedtls_ssl_setup(&l.ssl, &l.conf)
|
|
|
|
if ret != 0 {
|
|
return error_with_code("can't setup ssl", ret)
|
|
}
|
|
}
|
|
|
|
// accepts a new connection and returns a SSLConn of the connected client
|
|
pub fn (mut l SSLListener) accept() !&SSLConn {
|
|
mut conn := &SSLConn{
|
|
config: l.config
|
|
opened: true
|
|
owns_socket: false
|
|
}
|
|
|
|
// TODO: save the client's IP address somewhere (maybe add a field to SSLConn ?)
|
|
mut ret := C.mbedtls_net_accept(&l.server_fd, &conn.server_fd, unsafe { nil }, 0,
|
|
unsafe { nil })
|
|
if ret != 0 {
|
|
return error_with_code("can't accept connection", ret)
|
|
}
|
|
|
|
C.mbedtls_ssl_init(&conn.ssl)
|
|
C.mbedtls_ssl_config_init(&conn.conf)
|
|
ret = C.mbedtls_ssl_setup(&conn.ssl, &l.conf)
|
|
|
|
if ret != 0 {
|
|
return error_with_code('SSL setup failed', ret)
|
|
}
|
|
|
|
C.mbedtls_ssl_set_bio(&conn.ssl, &conn.server_fd, C.mbedtls_net_send, C.mbedtls_net_recv,
|
|
unsafe { nil })
|
|
|
|
ret = C.mbedtls_ssl_handshake(&conn.ssl)
|
|
for ret != 0 {
|
|
if ret != C.MBEDTLS_ERR_SSL_WANT_READ && ret != C.MBEDTLS_ERR_SSL_WANT_WRITE {
|
|
return error_with_code('SSL handshake failed', ret)
|
|
}
|
|
ret = C.mbedtls_ssl_handshake(&conn.ssl)
|
|
}
|
|
|
|
return conn
|
|
}
|
|
|
|
[params]
|
|
pub struct SSLConnectConfig {
|
|
verify string // the path to a rootca.pem file, containing trusted CA certificate(s)
|
|
cert string // the path to a cert.pem file, containing client certificate(s) for the request
|
|
cert_key string // the path to a key.pem file, containing private keys for the client certificate(s)
|
|
validate bool // set this to true, if you want to stop requests, when their certificates are found to be invalid
|
|
|
|
in_memory_verification bool // if true, verify, cert, and cert_key are read from memory, not from a file
|
|
}
|
|
|
|
// new_ssl_conn returns a new SSLConn with the given config.
|
|
pub fn new_ssl_conn(config SSLConnectConfig) !&SSLConn {
|
|
$if trace_ssl ? {
|
|
eprintln(@METHOD)
|
|
}
|
|
mut conn := &SSLConn{
|
|
config: config
|
|
}
|
|
conn.init() or { return err }
|
|
return conn
|
|
}
|
|
|
|
// Select operation
|
|
enum Select {
|
|
read
|
|
write
|
|
except
|
|
}
|
|
|
|
// shutdown terminates the ssl connection and does cleanup
|
|
pub fn (mut s SSLConn) shutdown() ! {
|
|
$if trace_ssl ? {
|
|
eprintln(@METHOD)
|
|
}
|
|
if !s.opened {
|
|
return error('ssl connection not open')
|
|
}
|
|
if unsafe { s.certs != nil } {
|
|
C.mbedtls_x509_crt_free(&s.certs.cacert)
|
|
C.mbedtls_x509_crt_free(&s.certs.client_cert)
|
|
C.mbedtls_pk_free(&s.certs.client_key)
|
|
}
|
|
C.mbedtls_ssl_free(&s.ssl)
|
|
C.mbedtls_ssl_config_free(&s.conf)
|
|
if s.owns_socket {
|
|
net.shutdown(s.handle)
|
|
net.close(s.handle)!
|
|
}
|
|
}
|
|
|
|
// connect to server using mbedtls
|
|
fn (mut s SSLConn) init() ! {
|
|
$if trace_ssl ? {
|
|
eprintln(@METHOD)
|
|
}
|
|
C.mbedtls_net_init(&s.server_fd)
|
|
C.mbedtls_ssl_init(&s.ssl)
|
|
C.mbedtls_ssl_config_init(&s.conf)
|
|
|
|
mut ret := 0
|
|
ret = C.mbedtls_ssl_config_defaults(&s.conf, C.MBEDTLS_SSL_IS_CLIENT, C.MBEDTLS_SSL_TRANSPORT_STREAM,
|
|
C.MBEDTLS_SSL_PRESET_DEFAULT)
|
|
if ret != 0 {
|
|
return error_with_code('Failed to set SSL configuration', ret)
|
|
}
|
|
|
|
unsafe {
|
|
C.mbedtls_ssl_conf_rng(&s.conf, C.mbedtls_ctr_drbg_random, &mbedtls.ctr_drbg)
|
|
}
|
|
|
|
if s.config.verify != '' || s.config.cert != '' || s.config.cert_key != '' {
|
|
s.certs = &SSLCerts{}
|
|
C.mbedtls_x509_crt_init(&s.certs.cacert)
|
|
C.mbedtls_x509_crt_init(&s.certs.client_cert)
|
|
C.mbedtls_pk_init(&s.certs.client_key)
|
|
}
|
|
|
|
if s.config.in_memory_verification {
|
|
if s.config.verify != '' {
|
|
ret = C.mbedtls_x509_crt_parse(&s.certs.cacert, s.config.verify.str,
|
|
s.config.verify.len + 1)
|
|
}
|
|
if s.config.cert != '' {
|
|
ret = C.mbedtls_x509_crt_parse(&s.certs.client_cert, s.config.cert.str,
|
|
s.config.cert.len + 1)
|
|
}
|
|
if s.config.cert_key != '' {
|
|
unsafe {
|
|
ret = C.mbedtls_pk_parse_key(&s.certs.client_key, s.config.cert_key.str,
|
|
s.config.cert_key.len + 1, 0, 0, C.mbedtls_ctr_drbg_random, &mbedtls.ctr_drbg)
|
|
}
|
|
}
|
|
} else {
|
|
if s.config.verify != '' {
|
|
ret = C.mbedtls_x509_crt_parse_file(&s.certs.cacert, &char(s.config.verify.str))
|
|
}
|
|
if s.config.cert != '' {
|
|
ret = C.mbedtls_x509_crt_parse_file(&s.certs.client_cert, &char(s.config.cert.str))
|
|
}
|
|
if s.config.cert_key != '' {
|
|
unsafe {
|
|
ret = C.mbedtls_pk_parse_keyfile(&s.certs.client_key, &char(s.config.cert_key.str),
|
|
0, C.mbedtls_ctr_drbg_random, &mbedtls.ctr_drbg)
|
|
}
|
|
}
|
|
}
|
|
if ret < 0 {
|
|
return error_with_code('Failed to set certificates', ret)
|
|
}
|
|
|
|
if unsafe { s.certs != nil } {
|
|
C.mbedtls_ssl_conf_ca_chain(&s.conf, &s.certs.cacert, 0)
|
|
C.mbedtls_ssl_conf_own_cert(&s.conf, &s.certs.client_cert, &s.certs.client_key)
|
|
}
|
|
|
|
if s.config.validate {
|
|
C.mbedtls_ssl_conf_authmode(&s.conf, C.MBEDTLS_SSL_VERIFY_REQUIRED)
|
|
} else {
|
|
C.mbedtls_ssl_conf_authmode(&s.conf, C.MBEDTLS_SSL_VERIFY_OPTIONAL)
|
|
}
|
|
|
|
ret = C.mbedtls_ssl_setup(&s.ssl, &s.conf)
|
|
if ret != 0 {
|
|
return error_with_code('Failed to setup SSL connection', ret)
|
|
}
|
|
}
|
|
|
|
// connect sets up an ssl connection on an existing TCP connection
|
|
pub fn (mut s SSLConn) connect(mut tcp_conn net.TcpConn, hostname string) ! {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} hostname: ${hostname}')
|
|
}
|
|
if s.opened {
|
|
return error('ssl connection already open')
|
|
}
|
|
s.handle = tcp_conn.sock.handle
|
|
s.duration = 30 * time.second
|
|
|
|
mut ret := C.mbedtls_ssl_set_hostname(&s.ssl, &char(hostname.str))
|
|
if ret != 0 {
|
|
return error_with_code('Failed to set hostname', ret)
|
|
}
|
|
|
|
s.server_fd.fd = s.handle
|
|
|
|
C.mbedtls_ssl_set_bio(&s.ssl, &s.server_fd, C.mbedtls_net_send, C.mbedtls_net_recv,
|
|
C.mbedtls_net_recv_timeout)
|
|
|
|
ret = C.mbedtls_ssl_handshake(&s.ssl)
|
|
if ret != 0 {
|
|
return error_with_code('SSL handshake failed', ret)
|
|
}
|
|
|
|
s.opened = true
|
|
}
|
|
|
|
// dial opens an ssl connection on hostname:port
|
|
pub fn (mut s SSLConn) dial(hostname string, port int) ! {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} hostname: ${hostname} | port: ${port}')
|
|
}
|
|
s.owns_socket = true
|
|
if s.opened {
|
|
return error('ssl connection already open')
|
|
}
|
|
s.duration = 30 * time.second
|
|
|
|
mut ret := C.mbedtls_ssl_set_hostname(&s.ssl, &char(hostname.str))
|
|
if ret != 0 {
|
|
return error_with_code('Failed to set hostname', ret)
|
|
}
|
|
|
|
port_str := port.str()
|
|
ret = C.mbedtls_net_connect(&s.server_fd, &char(hostname.str), &char(port_str.str),
|
|
C.MBEDTLS_NET_PROTO_TCP)
|
|
if ret != 0 {
|
|
return error_with_code('Failed to connect to host', ret)
|
|
}
|
|
|
|
C.mbedtls_ssl_set_bio(&s.ssl, &s.server_fd, C.mbedtls_net_send, C.mbedtls_net_recv,
|
|
C.mbedtls_net_recv_timeout)
|
|
|
|
s.handle = s.server_fd.fd
|
|
|
|
ret = C.mbedtls_ssl_handshake(&s.ssl)
|
|
if ret != 0 {
|
|
return error_with_code('SSL handshake failed', ret)
|
|
}
|
|
|
|
s.opened = true
|
|
}
|
|
|
|
// socket_read_into_ptr reads `len` bytes into `buf`
|
|
pub fn (mut s SSLConn) socket_read_into_ptr(buf_ptr &u8, len int) !int {
|
|
mut res := 0
|
|
$if trace_ssl ? {
|
|
defer {
|
|
if len > 0 {
|
|
eprintln('${@METHOD} res: ${res}: buf_ptr: ${voidptr(buf_ptr):x}, len: ${len}, hex: ${unsafe { buf_ptr.vbytes(len).hex() }} data: `${unsafe { buf_ptr.vstring_with_len(len) }}`')
|
|
}
|
|
}
|
|
}
|
|
for {
|
|
res = C.mbedtls_ssl_read(&s.ssl, buf_ptr, len)
|
|
if res > 0 {
|
|
return res
|
|
} else if res == 0 {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} ---> res: io.Eof')
|
|
}
|
|
return io.Eof{}
|
|
} else {
|
|
match res {
|
|
C.MBEDTLS_ERR_SSL_WANT_READ {
|
|
ready := @select(s.handle, .read, s.duration)!
|
|
if !ready {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} ---> res: net.err_timed_out, C.MBEDTLS_ERR_SSL_WANT_READ')
|
|
}
|
|
return net.err_timed_out
|
|
}
|
|
}
|
|
C.MBEDTLS_ERR_SSL_WANT_WRITE {
|
|
ready := @select(s.handle, .write, s.duration)!
|
|
if !ready {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} ---> res: net.err_timed_out, C.MBEDTLS_ERR_SSL_WANT_WRITE')
|
|
}
|
|
return net.err_timed_out
|
|
}
|
|
}
|
|
C.MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY {
|
|
break
|
|
}
|
|
else {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} ---> res: could not read using SSL')
|
|
}
|
|
return error_with_code('Could not read using SSL', res)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return res
|
|
}
|
|
|
|
// read reads data from the ssl connection into `buffer`
|
|
pub fn (mut s SSLConn) read(mut buffer []u8) !int {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} buffer.len: ${buffer.len}')
|
|
}
|
|
return s.socket_read_into_ptr(&u8(buffer.data), buffer.len)
|
|
}
|
|
|
|
// write_ptr writes `len` bytes from `bytes` to the ssl connection
|
|
pub fn (mut s SSLConn) write_ptr(bytes &u8, len int) !int {
|
|
mut total_sent := 0
|
|
$if trace_ssl ? {
|
|
defer {
|
|
eprintln('${@METHOD} total_sent: ${total_sent}, bytes: ${voidptr(bytes):x}, len: ${len}, hex: ${unsafe { bytes.vbytes(len).hex() }}, data:-=-=-=-\n${unsafe { bytes.vstring_with_len(len) }}\n-=-=-=-')
|
|
}
|
|
}
|
|
unsafe {
|
|
mut ptr_base := bytes
|
|
for total_sent < len {
|
|
ptr := ptr_base + total_sent
|
|
remaining := len - total_sent
|
|
mut sent := C.mbedtls_ssl_write(&s.ssl, ptr, remaining)
|
|
if sent <= 0 {
|
|
match sent {
|
|
C.MBEDTLS_ERR_SSL_WANT_READ {
|
|
for {
|
|
ready := @select(s.handle, .read, s.duration)!
|
|
if ready {
|
|
break
|
|
}
|
|
}
|
|
continue
|
|
}
|
|
C.MBEDTLS_ERR_SSL_WANT_WRITE {
|
|
for {
|
|
ready := @select(s.handle, .write, s.duration)!
|
|
if ready {
|
|
break
|
|
}
|
|
}
|
|
continue
|
|
}
|
|
else {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} ---> res: could not write SSL, sent: ${sent}')
|
|
}
|
|
return error_with_code('Could not write using SSL', sent)
|
|
}
|
|
}
|
|
}
|
|
total_sent += sent
|
|
}
|
|
}
|
|
return total_sent
|
|
}
|
|
|
|
// write writes data from `bytes` to the ssl connection
|
|
pub fn (mut s SSLConn) write(bytes []u8) !int {
|
|
return s.write_ptr(&u8(bytes.data), bytes.len)
|
|
}
|
|
|
|
// write_string writes a string to the ssl connection
|
|
pub fn (mut s SSLConn) write_string(str string) !int {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} str: ${str}')
|
|
}
|
|
return s.write_ptr(str.str, str.len)
|
|
}
|
|
|
|
/*
|
|
This is basically a copy of Emily socket implementation of select.
|
|
This have to be consolidated into common net lib features
|
|
when merging this to V
|
|
*/
|
|
|
|
// Select waits for an io operation (specified by parameter `test`) to be available
|
|
fn @select(handle int, test Select, timeout time.Duration) !bool {
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} handle: ${handle}, timeout: ${timeout}')
|
|
}
|
|
set := C.fd_set{}
|
|
|
|
C.FD_ZERO(&set)
|
|
C.FD_SET(handle, &set)
|
|
|
|
seconds := timeout.milliseconds() / 1000
|
|
microseconds := timeout - (seconds * time.second)
|
|
mut tt := C.timeval{
|
|
tv_sec: u64(seconds)
|
|
tv_usec: u64(microseconds)
|
|
}
|
|
|
|
mut timeval_timeout := &tt
|
|
|
|
// infinite timeout is signaled by passing null as the timeout to
|
|
// select
|
|
if timeout == net.infinite_timeout {
|
|
timeval_timeout = &C.timeval(unsafe { nil })
|
|
}
|
|
|
|
match test {
|
|
.read {
|
|
net.socket_error(C.@select(handle + 1, &set, C.NULL, C.NULL, timeval_timeout))!
|
|
}
|
|
.write {
|
|
net.socket_error(C.@select(handle + 1, C.NULL, &set, C.NULL, timeval_timeout))!
|
|
}
|
|
.except {
|
|
net.socket_error(C.@select(handle + 1, C.NULL, C.NULL, &set, timeval_timeout))!
|
|
}
|
|
}
|
|
|
|
res := C.FD_ISSET(handle, &set)
|
|
$if trace_ssl ? {
|
|
eprintln('${@METHOD} ---> res: ${res}')
|
|
}
|
|
return res
|
|
}
|