~rcr/rirc

7893d810bd2bb2c5dc8ef5f46f2669594c82900a — Richard Robbins 1 year, 3 months ago e39f08f
move mbedtls to lib and add compile time config
7 files changed, 156 insertions(+), 36 deletions(-)

M .gitmodules
M Makefile
M README.md
A lib/mbedtls
A lib/mbedtls.h
D mbedtls
M src/io.c
M .gitmodules => .gitmodules +1 -1
@@ 1,4 1,4 @@
[submodule "mbedtls"]
	path = mbedtls
	path = lib/mbedtls
	url = https://github.com/ARMmbed/mbedtls.git
	ignore = dirty

M Makefile => Makefile +15 -13
@@ 11,22 11,20 @@ BIN_DIR = /usr/local/bin
MAN_DIR = /usr/local/share/man/man1

STDS := \
 -std=c11 \
 -D_BSD_VISIBLE \
 -D_DARWIN_C_SOURCE \
 -D_POSIX_C_SOURCE=200809L

TLS_INCLUDE := \
 -I./mbedtls/include
	-std=c11 \
	-D_BSD_VISIBLE \
	-D_DARWIN_C_SOURCE \
	-D_POSIX_C_SOURCE=200809L

TLS_CONF := ./lib/mbedtls.h
TLS_LIBS := \
 ./mbedtls/library/libmbedtls.a \
 ./mbedtls/library/libmbedx509.a \
 ./mbedtls/library/libmbedcrypto.a
	./lib/mbedtls/library/libmbedtls.a \
	./lib/mbedtls/library/libmbedx509.a \
	./lib/mbedtls/library/libmbedcrypto.a

CC := cc
PP := cc -E
CFLAGS   := $(CC_EXT) -I. $(TLS_INCLUDE) $(STDS) -DVERSION=\"$(VERSION)\" -Wall -Wextra -pedantic
CFLAGS   := $(CC_EXT) -I. $(STDS) -DVERSION=\"$(VERSION)\" -Wall -Wextra -pedantic
CFLAGS_R := $(CFLAGS) -O2 -flto -DNDEBUG
CFLAGS_D := $(CFLAGS) -O0 -g
LDFLAGS  := $(LD_EXT) -lpthread


@@ 52,12 50,12 @@ OBJS_T += $(DIR_B)/utils/tree.t # Header only file
OBJS_G := $(patsubst %.gperf, %.gperf.out, $(SRC_G))

# Release build executable
$(BIN_R): $(DIR_B) $(OBJS_G) $(OBJS_R)
$(BIN_R): $(TLS_LIBS) $(DIR_B) $(OBJS_G) $(OBJS_R)
	@echo cc $@
	@$(CC) $(LDFLAGS) -o $@ $(OBJS_R) $(TLS_LIBS)

# Debug build executable
$(BIN_D): $(DIR_B) $(OBJS_G) $(OBJS_D)
$(BIN_D): $(TLS_LIBS) $(DIR_B) $(OBJS_G) $(OBJS_D)
	@echo cc $@
	@$(CC) $(LDFLAGS) -o $@ $(OBJS_D) $(TLS_LIBS)



@@ 84,6 82,10 @@ $(DIR_B)/%.t: $(DIR_T)/%.c
	-@rm -f $(@:.t=.td) && $(TEST_EXT) ./$@ || mv $@ $(@:.t=.td)
	@[ ! -f $(@:.t=.td) ]

# TLS libraries
$(TLS_LIBS): $(TLS_CONF)
	@CFLAGS="-I$(PWD) -DMBEDTLS_CONFIG_FILE='<$(TLS_CONF)>'" $(MAKE) -C ./lib/mbedtls clean lib

# Build directories
$(DIR_B):
	@for dir in $(patsubst $(DIR_S)/%, %, $(SUBDIRS)); do mkdir -p $(DIR_B)/$$dir; done
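Review bot: The new `$(TLS_LIBS): $(TLS_CONF)` rule lists three archives over one recipe, which GNU make treats as three independent rules, so under `make -j` the recipe can start once per archive and each run does `clean lib` in the same lib/mbedtls tree. One job can then delete objects another is archiving, and because `clean` and `lib` are two goals of a single sub-make they are not ordered against each other under `-j` either. Routing the archives through a single stamp target and running `clean` and `lib` as separate steps keeps it to one ordered build. `$(CURDIR)` is also safer than `$(PWD)` for the `-I` path, since `PWD` is inherited from the environment and is not updated by `make -C`; a wrong value there changes which `lib/mbedtls.h` the library is configured from.

```make
# ./lib/.mbedtls.stamp is a placeholder name for the build stamp
TLS_STAMP := ./lib/.mbedtls.stamp

$(TLS_LIBS): $(TLS_STAMP) ;

$(TLS_STAMP): $(TLS_CONF)
	@$(MAKE) -C ./lib/mbedtls clean
	@CFLAGS="-I$(CURDIR) -DMBEDTLS_CONFIG_FILE='<$(TLS_CONF)>'" $(MAKE) -C ./lib/mbedtls lib
	@touch $@
```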

M README.md => README.md +1 -12
@@ 40,22 40,11 @@ rirc requires the latest version of GNU gperf to compile.

See: https://www.gnu.org/software/gperf/

Initialize, configure and build mbedtls:
Build rirc:

```
git submodule init
git submodule update --recursive
cd mbedtls
./scripts/config.pl set MBEDTLS_THREADING_C
./scripts/config.pl set MBEDTLS_THREADING_PTHREAD
cmake .
cmake --build .
cd ..
```

Build rirc:

```
make
```


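--- a/lib/mbedtls
+++ b/lib/mbedtls
@@ -0,0 +1,1 @@
+Subproject commit 0fce215851cc069c5b5def12fcc18725055fa6cf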

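--- a/lib/mbedtls.h
+++ b/lib/mbedtls.h
@@ -0,0 +1,116 @@
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/* Enabled ciphersuites, in order of preference.
+ *   - Only ECHDE key exchanges, AEAD ciphers
+ *   - Ordered by cipher:
+ *     - ChaCha
+ *     - AES-256-GCM
+ *     - AES-256-CCM
+ *     - AES-256-CCM_8
+ *     - AES-128-GCM
+ *     - AES-128-CCM
+ *     - AES-128-CCM_8
+ *   - Sub-ordered by authentication method:
+ *     - ECDSA
+ *     - RSA
+ * Note: Only stream ciphers were chosen here, which may
+ *       reveal the length of exchanged messages.
+ */
+#define MBEDTLS_SSL_CIPHERSUITES                           \
+	/* ChaCha */                                           \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   \
+	/* AES-256 */                                          \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,       \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,         \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,              \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,            \
+	/* AES-128 */                                          \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,       \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,         \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,              \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+
+/* Supported ECC curves */
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+/* System support */
+#define MBEDTLS_DEPRECATED_REMOVED
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_HAVE_TIME_DATE
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define MBEDTLS_THREADING_C
+#define MBEDTLS_THREADING_PTHREAD
+
+/* Ciphersuite elements */
+#define MBEDTLS_CCM_C
+#define MBEDTLS_CHACHA20_C
+#define MBEDTLS_CHACHAPOLY_C
+#define MBEDTLS_GCM_C
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_POLY1305_C
+
+/* TLS 1.2 client */
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_PROTO_TLS1_2
+
+/* TLS modules */
+#define MBEDTLS_AESNI_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_CERTS_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_FS_IO
+#define MBEDTLS_GENPRIME
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_NET_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_RSA_C
+#define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA512_C
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_USE_C
+
+/* TLS extensions */
+#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET /* RFC 7627 */
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION /* RFC 6066 */
+
+/* Crypto features */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_ECP_NIST_OPTIM
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+
+/* Error strings */
+#define MBEDTLS_ERROR_C
+
+#include "mbedtls/check_config.h"
+
+#endif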
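Review bot: Several defines here look wider than a TLS 1.2 client restricted to the ECDHE AEAD suites above needs: `MBEDTLS_CERTS_C` compiles mbedtls's built-in test certificates into the library, `MBEDTLS_GENPRIME` exists for RSA prime generation, and the curve list enables Brainpool, secp256k1 and Curve448 alongside the NIST curves and Curve25519. Unless code outside this page relies on them, dropping those defines reduces the parsing and negotiation surface, and a short comment on each group saying why it is enabled would make later audits easier. The include guard also carries weight and is undocumented: `MBEDTLS_CONFIG_H` appears to be the guard name of mbedtls's stock config.h (worth confirming against the pinned submodule commit), and that match is what keeps the default configuration out when src/io.c includes the library headers after this file. I would state that above the guard, for example `/* Guard must match mbedtls's own config.h so the default config is never pulled in */`. In the ciphersuite comment, `ECHDE` should read `ECDHE`.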

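--- a/mbedtls
+++ b/mbedtls
@@ -1,1 +0,0 @@
-Subproject commit 0fce215851cc069c5b5def12fcc18725055fa6cf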

M src/io.c => src/io.c +22 -9
@@ 12,18 12,21 @@
#include <termios.h>
#include <unistd.h>

#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/error.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/x509_crt.h"

#include "config.h"
#include "rirc.h"
#include "src/io_net.h"
#include "utils/utils.h"

/* lib/mbedtls.h is the compile time config
 * and must precede the other mbedtls headers */
#include "lib/mbedtls.h"
#include "lib/mbedtls/include/mbedtls/ctr_drbg.h"
#include "lib/mbedtls/include/mbedtls/entropy.h"
#include "lib/mbedtls/include/mbedtls/error.h"
#include "lib/mbedtls/include/mbedtls/net_sockets.h"
#include "lib/mbedtls/include/mbedtls/ssl.h"
#include "lib/mbedtls/include/mbedtls/x509_crt.h"

/* RFC 2812, section 2.3 */
#ifndef IO_MESG_LEN
#define IO_MESG_LEN 510


@@ 406,7 409,7 @@ io_state_rxng(struct connection *cx)
static enum io_state_t
io_state_cxng(struct connection *cx)
{
	char buf[MIN(INET6_ADDRSTRLEN, 512)];
	char buf[MAX(INET6_ADDRSTRLEN, 512)];
	enum io_state_t st = IO_ST_RXNG;
	int ret;
	uint32_t cert_ret;


@@ 457,6 460,16 @@ io_state_cxng(struct connection *cx)
		goto err;
	}

	mbedtls_ssl_conf_max_version(
			&(cx->tls_conf),
			MBEDTLS_SSL_MAJOR_VERSION_3,
			MBEDTLS_SSL_MINOR_VERSION_3);

	mbedtls_ssl_conf_min_version(
			&(cx->tls_conf),
			MBEDTLS_SSL_MAJOR_VERSION_3,
			MBEDTLS_SSL_MINOR_VERSION_3);

	mbedtls_ssl_conf_ca_chain(&(cx->tls_conf), &tls_x509_crt, NULL);
	mbedtls_ssl_conf_rng(&(cx->tls_conf), mbedtls_ctr_drbg_random, &tls_ctr_drbg);



@@ 761,7 774,7 @@ io_tls_init(void)
		fatal("mbedtls_ctr_drbg_seed: %s", io_tls_strerror(err, buf, sizeof(buf)));
	}

	if ((err = mbedtls_x509_crt_parse_path(&tls_x509_crt, ca_cert_path)) != 0)
	if ((err = mbedtls_x509_crt_parse_path(&tls_x509_crt, ca_cert_path)) < 0)
		fatal("mbedtls_x509_crt_parse_path: %s", io_tls_strerror(err, buf, sizeof(buf)));
}
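Review bot: In the last hunk the check on `mbedtls_x509_crt_parse_path` becomes `< 0`, so a positive return is now accepted without any report. The mbedtls documentation describes a positive value as the number of certificates that failed to parse, which means a `ca_cert_path` where some or all files are rejected passes this check and can leave a partial or empty trust chain for `mbedtls_ssl_conf_ca_chain`. Whether that fails closed depends on the verification mode set elsewhere in io_state_cxng, which this page does not show. I would keep `< 0` fatal, report the positive count through the project's logging path, and treat "no CA loaded at all" as fatal too, with a comment such as `/* > 0: number of CA files skipped as unparseable; < 0: hard error */`. io_tls_init starts above the hunk, so the handling of `err` before this point is not visible here.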