Added TLS support + tests
Daniele Lacamera 2024-12-20 23:31:50 +01:00
parent 63c2ff26ab
commit 6203d6a57e
5 changed files with 517 additions and 6 deletions


@ -19,15 +19,15 @@ jobs:
- name: Update repo - name: Update repo
run: | run: |
sudo apt-get update sudo apt-get update
sudo modprobe tun
- name: Build linux tests - name: Build linux tests
run: | run: |
mkdir -p build/port mkdir -p build/port
make make
# - name: Run interop tests - name: Run interop tests
# run: | run: |
# sudo build/test sudo build/test
#
#
# Build only for now: no tuntap support in container


@ -63,6 +63,14 @@ build/tcp_netcat_select: $(OBJ) build/port/posix/bsd_socket.o build/test/tcp_net
@echo "[LD] $@" @echo "[LD] $@"
@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -Wl,--end-group @$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -Wl,--end-group
build/test-wolfssl:CFLAGS+=-Wno-cpp -DWOLFSSL_DEBUG
build/test-wolfssl: $(OBJ) build/test/test_native_wolfssl.o build/port/wolfssl_io.o build/certs/server_key.o build/certs/ca_cert.o build/certs/server_cert.o
@echo "[LD] $@"
@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -lwolfssl -Wl,--end-group
build/%.o: src/%.c build/%.o: src/%.c
@mkdir -p `dirname $@` || true @mkdir -p `dirname $@` || true
@echo "[CC] $<" @echo "[CC] $<"
@ -73,6 +81,28 @@ build/pie/%.o: src/%.c
@echo "[CC] $<" @echo "[CC] $<"
@$(CC) $(CFLAGS) -c $< -o $@ @$(CC) $(CFLAGS) -c $< -o $@
build/certs/%.o: build/certs/%.c
@mkdir -p `dirname $@` || true
@echo "[CC] $<"
@$(CC) $(CFLAGS) -c $< -o $@
build/certs/ca_cert.c:
@echo "[MKCERTS] `dirname $@`"
@tools/certs/mkcerts.sh
build/certs/server_key.c:
@echo "[MKCERTS] `dirname $@`"
@tools/certs/mkcerts.sh
build/certs/server_cert.c:
@echo "[MKCERTS] `dirname $@`"
@tools/certs/mkcerts.sh
build/certs/server_key.o: build/certs/server_key.c
@mkdir -p `dirname $@` || true
@echo "[CC] $<"
@$(CC) $(CFLAGS) -c $< -o $@
unit: build/test/unit unit: build/test/unit
build/test/unit: build/test/unit:
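Review bot: The three generated sources `build/certs/ca_cert.c`, `server_key.c` and `server_cert.c` each have their own rule running `tools/certs/mkcerts.sh`, and every run regenerates the CA key, the server key and both certificates. Under `make -j` the script can therefore run several times concurrently on the same files and leave a `server_cert.c` that was signed by a different CA than the `ca_cert.c` that gets compiled in. Keep a single rule that runs the script and make the other two depend on it, e.g. `build/certs/server_key.c build/certs/server_cert.c: build/certs/ca_cert.c`. The explicit `build/certs/server_key.o` rule repeats the `build/certs/%.o` pattern rule just above it and can be dropped.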

51
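--- a/src/port/wolfssl_io.c
+++ b/src/port/wolfssl_io.c
@@ -0,0 +1,51 @@
+#include "femtotcp.h"
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/ssl.h>
+static struct ipstack *ref_ipstack = NULL;
+static int ipstack_io_recv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
+{
+int ret = 0;
+int fd = (intptr_t)ctx;
+(void)ssl;
+if (!ref_ipstack)
+return -1;
+ret = ft_recv(ref_ipstack, fd, buf, sz, 0);
+if (ret == -11)
+return WOLFSSL_CBIO_ERR_WANT_READ;
+else if (ret <= 0)
+return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+return ret;
+}
+static int ipstack_io_send(WOLFSSL* ssl, char* buf, int sz, void* ctx)
+{
+int ret = 0;
+int fd = (intptr_t)ctx;
+(void)ssl;
+if (!ref_ipstack)
+return -1;
+ret = ft_send(ref_ipstack, fd, buf, sz, 0);
+if (ret == -11)
+return WOLFSSL_CBIO_ERR_WANT_WRITE;
+else if (ret <= 0)
+return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+return ret;
+}
+int wolfSSL_SetIO_FT_CTX(WOLFSSL_CTX* ctx, struct ipstack *s)
+{
+wolfSSL_SetIORecv(ctx, ipstack_io_recv);
+wolfSSL_SetIOSend(ctx, ipstack_io_send);
+ref_ipstack = s;
+return 0;
+}
+int wolfSSL_SetIO_FT(WOLFSSL* ssl, int fd)
+{
+wolfSSL_SetIOReadCtx(ssl, (void*)(intptr_t)fd);
+wolfSSL_SetIOWriteCtx(ssl, (void*)(intptr_t)fd);
+return 0;
+}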
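Review bot: `ref_ipstack` is a single file-scope pointer that every call to wolfSSL_SetIO_FT_CTX overwrites, so all contexts end up doing I/O on whichever stack was registered last. Either document that single-stack limit on the function or carry the stack pointer in the per-session I/O context alongside the fd. In both callbacks the bare numbers should be named: `return WOLFSSL_CBIO_ERR_GENERAL;` for the missing-stack case, and the stack's own would-block constant in place of `-11` if femtotcp.h exposes one. Every other failure, including a 0 return from ft_send, is reported as WOLFSSL_CBIO_ERR_CONN_CLOSE, which hides real socket errors from the TLS layer; wolfSSL_SetIO_FT_CTX and wolfSSL_SetIO_FT also accept NULL arguments and always return 0.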


@ -0,0 +1,369 @@
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>
#include <stdlib.h>
#include <sys/time.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include "config.h"
#include "femtotcp.h"
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
#define TEST_SIZE (8 * 1024)
#define BUFFER_SIZE TEST_SIZE
static int listen_fd = -1, client_fd = -1;
static int exit_ok = 0, exit_count = 0;
static uint8_t buf[TEST_SIZE];
static int tot_sent = 0;
static int tot_recv = 0;
static int femtotcp_closing = 0;
static int closed = 0;
static const uint8_t test_pattern[16] = "Test pattern - -";
static WOLFSSL_CTX *server_ctx = NULL; /* Used by femtoTCP */
static WOLFSSL_CTX *client_ctx = NULL; /* Used by Linux */
static WOLFSSL *client_ssl = NULL;
static WOLFSSL *server_ssl = NULL;
/* Defined in wolfssl_io.c */
int wolfSSL_SetIO_FT(WOLFSSL* ssl, int fd);
int wolfSSL_SetIO_FT_CTX(WOLFSSL_CTX *ctx, struct ipstack *s);
/* FemtoTCP: server side callback. */
static void server_cb(int fd, uint16_t event, void *arg)
{
int ret = 0;
if ((fd == listen_fd) && (event & CB_EVENT_READABLE) && (client_fd == -1)) {
client_fd = ft_accept((struct ipstack *)arg, listen_fd, NULL, NULL);
if (client_fd > 0) {
printf("accept: Client FD is 0x%04x\n", client_fd);
/* Create the wolfSSL object */
server_ssl = wolfSSL_new(server_ctx);
if (!server_ssl) {
printf("Failed to create server SSL object\n");
return;
}
wolfSSL_SetIO_FT(server_ssl, client_fd);
/* Accepting the TLS session is not necessary here, as the
* first read will trigger the handshake.
*/
printf("Server: TCP connection established\n");
}
} else if ((fd == client_fd) && (event & CB_EVENT_READABLE )) {
ret = wolfSSL_read(server_ssl, buf, sizeof(buf));
if (ret < 0) {
ret = wolfSSL_get_error(server_ssl, 0);
if (ret != WOLFSSL_ERROR_WANT_READ) {
printf("Recv error: %d\n", ret);
ft_close((struct ipstack *)arg, client_fd);
}
} else if (ret == 0) {
printf("Client side closed the connection.\n");
ft_close((struct ipstack *)arg, client_fd);
printf("Server: Exiting.\n");
exit_ok = 1;
} else if (ret > 0) {
printf("recv: %d, echoing back\n", ret);
tot_recv += ret;
}
}
if ((event & CB_EVENT_WRITABLE) || ((ret > 0) && !closed)) {
int snd_ret;
if ((tot_sent >= 4096) && femtotcp_closing) {
ft_close((struct ipstack *)arg, client_fd);
printf("Server: I closed the connection.\n");
closed = 1;
exit_ok = 1;
}
if ((!closed) && (tot_sent < tot_recv)) {
snd_ret = wolfSSL_write(server_ssl, buf + tot_sent, tot_recv - tot_sent);
if (snd_ret != WANT_WRITE) {
if (snd_ret < 0) {
printf("Send error: %d\n", snd_ret);
wolfSSL_free(server_ssl);
ft_close((struct ipstack *)arg, client_fd);
} else {
tot_sent += snd_ret;
printf("sent %d bytes\n", snd_ret);
if (tot_recv == tot_sent) {
tot_sent = 0;
tot_recv = 0;
}
}
}
}
}
if (event & CB_EVENT_CLOSED) {
printf("Closing %d, client fd: %d\n", fd, client_fd);
wolfSSL_free(server_ssl);
server_ssl = NULL;
}
if ((fd == client_fd) && (event & CB_EVENT_CLOSED)) {
printf("Client side closed the connection (EVENT_CLOSED)\n");
wolfSSL_free(server_ssl);
ft_close((struct ipstack *)arg, client_fd);
client_fd = -1;
printf("Server: Exiting.\n");
exit_ok = 1;
}
}
/* FemtoTCP side: main loop of the stack under test. */
static int test_loop(struct ipstack *s, int active_close)
{
exit_ok = 0;
exit_count = 0;
tot_sent = 0;
femtotcp_closing = active_close;
closed = 0;
while(1) {
uint32_t ms_next;
struct timeval tv;
gettimeofday(&tv, NULL);
ms_next = ipstack_poll(s, tv.tv_sec * 1000 + tv.tv_usec / 1000);
usleep(ms_next * 1000);
if (exit_ok > 0) {
if (exit_count++ < 10)
continue;
else break;
}
}
return 0;
}
/* Test code (Linux side).
* Thread with client to test the echoserver.
*/
extern const unsigned char ca_der[];
extern const unsigned long ca_der_len;
void *pt_echoclient(void *arg)
{
int fd, ret;
unsigned total_r = 0;
unsigned i;
uint8_t buf[BUFFER_SIZE];
uint32_t *srv_addr = (uint32_t *)arg;
struct sockaddr_in remote_sock = {
.sin_family = AF_INET,
.sin_port = ntohs(8), /* Echo */
};
client_ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
if (!client_ctx) {
printf("Failed to create client context\n");
return (void *)-1;
}
client_ssl = wolfSSL_new(client_ctx);
if (!client_ssl) {
printf("Failed to create client SSL object\n");
return (void *)-1;
}
wolfSSL_CTX_load_verify_buffer(client_ctx, ca_der, ca_der_len, SSL_FILETYPE_ASN1);
remote_sock.sin_addr.s_addr = *srv_addr;
fd = socket(AF_INET, IPSTACK_SOCK_STREAM, 0);
if (fd < 0) {
printf("test client socket: %d\n", fd);
return (void *)-1;
}
wolfSSL_set_fd(client_ssl, fd);
sleep(1);
setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &(int){1}, sizeof(int));
printf("Connecting to echo server\n");
ret = connect(fd, (struct sockaddr *)&remote_sock, sizeof(remote_sock));
if (ret < 0) {
printf("test client connect: %d\n", ret);
perror("connect");
return (void *)-1;
}
printf("Linux client: TCP connection established\n");
ret = wolfSSL_connect(client_ssl);
if (ret != SSL_SUCCESS) {
printf("Linux client: Failed to connect to TLS server, err: %d\n", ret);
return (void *)-1;
}
for (i = 0; i < sizeof(buf); i += sizeof(test_pattern)) {
memcpy(buf + i, test_pattern, sizeof(test_pattern));
}
ret = wolfSSL_write(client_ssl, buf, sizeof(buf));
if (ret < 0) {
printf("test client write: %d\n", ret);
return (void *)-1;
}
while (total_r < sizeof(buf)) {
ret = wolfSSL_read(client_ssl, buf + total_r, sizeof(buf) - total_r);
if (ret < 0) {
printf("failed test client read: %d\n", ret);
return (void *)-1;
}
if (ret == 0) {
printf("test client read: server has closed the connection.\n");
if (femtotcp_closing)
return (void *)0;
else
return (void *)-1;
}
total_r += ret;
}
for (i = 0; i < sizeof(buf); i += sizeof(test_pattern)) {
if (memcmp(buf + i, test_pattern, sizeof(test_pattern))) {
printf("test client: pattern mismatch\n");
printf("at position %d\n", i);
buf[i + 16] = 0;
printf("%s\n", &buf[i]);
return (void *)-1;
}
}
client_ssl = NULL;
close(fd);
printf("Test client: success\n");
wolfSSL_free(client_ssl);
return (void *)0;
}
/* Catch-all function to initialize a new tap device as the network interface.
* This is defined in port/linux.c
* */
extern int tap_init(struct ll *dev, const char *name, uint32_t host_ip);
/* Test cases */
extern const unsigned char server_der[];
extern const unsigned long server_der_len;
extern const unsigned char server_key_der[];
extern const unsigned long server_key_der_len;
void test_femtotcp_echoserver(struct ipstack *s, uint32_t srv_ip)
{
int ret, test_ret = 0;
pthread_t pt;
struct ipstack_sockaddr_in local_sock = {
.sin_family = AF_INET,
.sin_port = ee16(8), /* Echo */
.sin_addr.s_addr = 0
};
printf("TCP server tests\n");
printf("Creating TLS server context\n");
server_ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
if (!server_ctx) {
printf("Failed to create server context\n");
return;
}
printf("Associating server context with femtoTCP\n");
wolfSSL_SetIO_FT_CTX(server_ctx, s);
printf("Importing server certificate\n");
ret = wolfSSL_CTX_use_certificate_buffer(server_ctx, server_der,
server_der_len, SSL_FILETYPE_ASN1);
if (ret != SSL_SUCCESS) {
printf("Failed to import server certificate\n");
return;
}
printf("Importing server private key\n");
ret = wolfSSL_CTX_use_PrivateKey_buffer(server_ctx, server_key_der,
server_key_der_len, SSL_FILETYPE_ASN1);
if (ret != SSL_SUCCESS) {
printf("Failed to import server private key\n");
return;
}
listen_fd = ft_socket(s, AF_INET, IPSTACK_SOCK_STREAM, 0);
printf("socket: %04x\n", listen_fd);
ipstack_register_callback(s, listen_fd, server_cb, s);
pthread_create(&pt, NULL, pt_echoclient, &srv_ip);
printf("Starting test: echo server close-wait\n");
ret = ft_bind(s, listen_fd, (struct ipstack_sockaddr *)&local_sock, sizeof(local_sock));
printf("bind: %d\n", ret);
ret = ft_listen(s, listen_fd, 1);
printf("listen: %d\n", ret);
ret = test_loop(s, 0);
pthread_join(pt, (void **)&test_ret);
printf("Test echo server close-wait: %d\n", ret);
printf("Test linux client: %d\n", test_ret);
sleep(1);
pthread_create(&pt, NULL, pt_echoclient, &srv_ip);
printf("Starting test: echo server active close\n");
ret = test_loop(s, 1);
printf("Test echo server close-wait: %d\n", ret);
pthread_join(pt, (void **)&test_ret);
printf("Test linux client: %d\n", test_ret);
sleep(1);
ft_close(s, listen_fd);
}
/* Main test function. */
int main(int argc, char **argv)
{
struct ipstack *s;
struct ll *tapdev;
struct timeval tv;
struct in_addr linux_ip;
uint32_t srv_ip;
ip4 ip = 0, nm = 0, gw = 0;
wolfSSL_Init();
wolfSSL_Debugging_OFF();
(void)argc;
(void)argv;
(void)ip;
(void)nm;
(void)gw;
(void)tv;
ipstack_init_static(&s);
tapdev = ipstack_getdev(s);
if (!tapdev)
return 1;
inet_aton(LINUX_IP, &linux_ip);
if (tap_init(tapdev, "femt0", linux_ip.s_addr) < 0) {
perror("tap init");
return 2;
}
system("tcpdump -i femt0 -w test.pcap &");
#ifdef DHCP
gettimeofday(&tv, NULL);
ipstack_poll(s, tv.tv_sec * 1000 + tv.tv_usec / 1000);
dhcp_client_init(s);
do {
gettimeofday(&tv, NULL);
ipstack_poll(s, tv.tv_sec * 1000 + tv.tv_usec / 1000);
usleep(1000);
ipstack_ipconfig_get(s, &ip, &nm, &gw);
} while (!dhcp_bound(s));
printf("DHCP: obtained IP address.\n");
ipstack_ipconfig_get(s, &ip, &nm, &gw);
srv_ip = htonl(ip);
#else
ipstack_ipconfig_set(s, atoip4(FEMTOTCP_IP), atoip4("255.255.255.0"),
atoip4(LINUX_IP));
printf("IP: manually configured\n");
inet_pton(AF_INET, FEMTOTCP_IP, &srv_ip);
#endif
/* Server side test */
test_femtotcp_echoserver(s, srv_ip);
sleep(2);
sync();
system("killall tcpdump");
return 0;
}
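Review bot: In server_cb the send-error branch calls `wolfSSL_free(server_ssl)` without clearing the pointer or client_fd, so a later CB_EVENT_READABLE or CB_EVENT_CLOSED on the same socket reaches `wolfSSL_read` or a second `wolfSSL_free` on a freed session; put `server_ssl = NULL;` after every free and check it before reading or writing. The unconditional CB_EVENT_CLOSED branch also frees the session when the event belongs to listen_fd, which looks unintended. In pt_echoclient the cleanup is inverted, `client_ssl = NULL;` runs before `wolfSSL_free(client_ssl);` so the session (and client_ctx) leak on every run, and `buf[i + 16] = 0;` writes one byte past `buf` when the mismatch is in the last 16-byte block. `pthread_join(pt, (void **)&test_ret)` stores a pointer-sized value into an `int`, and main returns 0 whatever the two results were, so CI cannot fail on a broken handshake or echo mismatch.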

61
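--- a/tools/certs/mkcerts.sh
+++ b/tools/certs/mkcerts.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+OUT_DIR=build/certs
+: "${COUNTRY:=US}"
+: "${STATE:=State}"
+: "${CITY:=City}"
+: "${ORG:=ExampleOrg}"
+: "${ORG_UNIT:=IT}"
+: "${CA_COMMON_NAME:=Example CA}"
+: "${SERVER_COMMON_NAME:=example.com}"
+: "${DAYS_CA:=3650}" # CA certificate validity in days (10 years)
+: "${DAYS_SERVER:=825}" # Server certificate validity in days (2 years)
+: "${ECC_CURVE:=secp384r1}" # ECC curve to use
+# Create the output directory if it doesn't exist
+mkdir -p "$OUT_DIR"
+# 1. Generate CA private key
+openssl ecparam -name "$ECC_CURVE" -genkey -noout -out "$OUT_DIR/ca.key"
+# 2. Generate the CA self-signed certificate (PEM format)
+openssl req -x509 -new -key "$OUT_DIR/ca.key" -sha256 -days "$DAYS_CA" -out "$OUT_DIR/ca.crt" \
+-subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$ORG_UNIT/CN=$CA_COMMON_NAME"
+# 3. Convert CA certificate to DER format
+openssl x509 -in "$OUT_DIR/ca.crt" -outform DER -out "$OUT_DIR/ca.der"
+xxd -i "$OUT_DIR/ca.der" |sed -e "s/unsigned/const unsigned/g" | sed -e "s/build_certs_//g" > "$OUT_DIR/ca_cert.c"
+echo "==== Generating server private key ===="
+# 4. Generate server private key
+openssl ecparam -name "$ECC_CURVE" -genkey -noout -out "$OUT_DIR/server.key"
+# 5. Convert server private key to DER format
+openssl pkcs8 -topk8 -nocrypt -in "$OUT_DIR/server.key" -outform DER -out "$OUT_DIR/server.key.der"
+xxd -i "$OUT_DIR/server.key.der" |sed -e "s/unsigned/const unsigned/g" | sed -e "s/build_certs_//g" > "$OUT_DIR/server_key.c"
+echo "==== Generating server Certificate Signing Request (CSR) ===="
+# 6. Generate server Certificate Signing Request (CSR)
+openssl req -new -key "$OUT_DIR/server.key" -out "$OUT_DIR/server.csr" \
+-subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$ORG_UNIT/CN=$SERVER_COMMON_NAME"
+echo "==== Signing server certificate with the CA ===="
+# 7. Sign the server CSR with the CA to create a server certificate (PEM format)
+openssl x509 -req -in "$OUT_DIR/server.csr" -CA "$OUT_DIR/ca.crt" -CAkey "$OUT_DIR/ca.key" \
+-CAcreateserial -out "$OUT_DIR/server.crt" -days "$DAYS_SERVER" -sha256
+# 8. Convert server certificate to DER format
+openssl x509 -in "$OUT_DIR/server.crt" -outform DER -out "$OUT_DIR/server.der"
+xxd -i "$OUT_DIR/server.der" |sed -e "s/unsigned/const unsigned/g" | sed -e "s/build_certs_//g" > "$OUT_DIR/server_cert.c"
+echo "==== Done ===="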
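Review bot: The script never enables `set -e`, so a failing openssl or xxd step does not stop it and the Makefile goes on to compile whatever partial `*.c` files were written; add `set -euo pipefail` right after the shebang. `xxd -i` declares each length as `unsigned int`, which the sed turns into `const unsigned int ca_der_len`, while the test declares `extern const unsigned long ca_der_len;` (same for the server cert and key); the two types must agree, otherwise the length read on an LP64 target is undefined. The CA and server private keys are written unencrypted under build/certs with the default umask, so a `umask 077` before the first openssl call and a header comment saying these are throwaway test keys, regenerated per build and never to be reused, would make the intent explicit.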