Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS #53

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

TLS #53

Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .github/workflows/ci-scripts-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -158,8 +158,10 @@ jobs:
- name: "apt-get install"
run: |
sudo apt-get update
sudo apt-get -y install libreadline-dev g++-mingw-w64-x86-64 cmake gdb qemu-system-x86
sudo apt-get -y install libreadline-dev g++-mingw-w64-x86-64 cmake gdb qemu-system-x86 libssl-dev
if: runner.os == 'Linux'
- name: Host Info
run: openssl version -a
- name: Automatic core dumper analysis
uses: mdavidsaver/ci-core-dumper@master
- name: Prepare and compile dependencies
Expand Down
1 change: 1 addition & 0 deletions MANIFEST.in
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ include LICENSE
include README.md

include configure/CONFIG_PVXS_VERSION
include configure/probe-openssl.c
include src/*.h
include src/*.h@
include src/*.cpp
Expand Down
5 changes: 4 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,11 @@ include $(TOP)/configure/CONFIG
# Directories to build, any order
DIRS += configure

DIRS += setup
setup_DEPEND_DIRS = configure

DIRS += src
src_DEPEND_DIRS = configure
src_DEPEND_DIRS = setup

DIRS += tools
tools_DEPEND_DIRS = src
Expand Down
3 changes: 2 additions & 1 deletion bundle/Makefile
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
TOP=..

_PVXS_BOOTSTRAP = YES

include $(TOP)/configure/CONFIG

CMAKE ?= cmake
Expand All @@ -21,7 +23,6 @@ LIBEVENT_$(T_A) = $(INSTALL_LOCATION)/bundle/usr/$(T_A)
CMAKEFLAGS += -DCMAKE_INSTALL_PREFIX:PATH="$(abspath $(LIBEVENT_$(T_A)))"

# not needed, and may not be available on embedded targets, so never try
CMAKEFLAGS += -DEVENT__DISABLE_OPENSSL=ON
CMAKEFLAGS += -DEVENT__DISABLE_MBEDTLS=ON

# not run, so why bother?
Expand Down
2 changes: 1 addition & 1 deletion bundle/libevent
Submodule libevent updated 73 files
+15 −0 .exrc
+105 −242 .github/workflows/build.yml
+1 −0 .github/workflows/cifuzz.yml
+19 −10 .github/workflows/master.yml
+55 −0 .github/workflows/scorecard.yml
+6 −1 .gitignore
+117 −74 CMakeLists.txt
+151 −0 CONTRIBUTORS.md
+319 −2 ChangeLog
+1 −1 ChangeLog-2.1
+45 −42 Documentation/Building.md
+1 −1 Makefile.am
+35 −31 README.md
+11 −0 SECURITY.md
+2 −11 arc4random.c
+19 −2 buffer.c
+3 −2 bufferevent_mbedtls.c
+10 −2 bufferevent_openssl.c
+48 −19 bufferevent_ssl.c
+11 −23 cmake/AddEventLibrary.cmake
+11 −9 cmake/FindMbedTLS.cmake
+29 −75 cmake/LibeventConfig.cmake.in
+2 −2 cmake/UseDoxygen.cmake
+1 −1 cmake/VersionViaGit.cmake
+21 −12 configure.ac
+20 −18 evdns.c
+21 −17 event.c
+3 −1 event_iocp.c
+2 −2 evthread.c
+7 −4 evthread_win32.c
+37 −7 evutil.c
+3 −3 evutil_rand.c
+43 −5 extra/release/changelog.py
+1 −0 extra/tsan.supp
+7 −8 http.c
+22 −3 include/event2/dns.h
+4 −2 include/event2/event.h
+10 −1 include/event2/listener.h
+19 −2 include/event2/util.h
+8 −0 include/event2/ws.h
+1 −4 libevent_core.pc.in
+2 −4 libevent_extra.pc.in
+3 −5 libevent_mbedtls.pc.in
+4 −5 libevent_openssl.pc.in
+3 −5 libevent_pthreads.pc.in
+12 −4 listener.c
+9 −6 m4/libevent_mbedtls.m4
+10 −10 m4/libevent_openssl.m4
+5 −5 sample/becat.c
+2 −0 sample/http-server.c
+4 −0 sample/ws-chat-server.c
+0 −2 sha1.c
+2 −2 signalfd.c
+1 −1 ssl-compat.h
+1 −5 strlcpy.c
+2 −1 test-export/CMakeLists.txt
+16 −18 test-export/test-export.py
+3 −0 test/include.am
+93 −92 test/regress.c
+3 −2 test/regress.h
+0 −5 test/regress_buffer.c
+11 −27 test/regress_bufferevent.c
+128 −15 test/regress_dns.c
+6 −1 test/regress_http.c
+3 −2 test/regress_main.c
+127 −0 test/regress_timer_timeout.c
+15 −6 test/regress_util.c
+5 −0 test/regress_ws.c
+9 −2 test/test.sh
+2 −2 test/tinytest.c
+8 −2 util-internal.h
+16 −19 wepoll.c
+416 −96 whatsnew-2.2.txt
1 change: 1 addition & 0 deletions configure/CONFIG
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,6 @@ include $(TOP)/configure/CONFIG_SITE
ifdef T_A
-include $(TOP)/configure/CONFIG_SITE.Common.$(T_A)
-include $(TOP)/configure/CONFIG_SITE.$(EPICS_HOST_ARCH).$(T_A)
-include $(TOP)/configure/O.$(T_A)/TOOLCHAIN
endif

41 changes: 0 additions & 41 deletions configure/CONFIG_PVXS_MODULE

This file was deleted.

33 changes: 26 additions & 7 deletions configure/Makefile
Original file line number Diff line number Diff line change
@@ -1,22 +1,41 @@
TOP=..

# step 1. Use -I... to test event-config.h
# produce configure/O.$(T_A)/TOOLCHAIN
# step 2 in setup/Makefile
_PVXS_BOOTSTRAP = YES

include $(TOP)/configure/CONFIG

# use custom libevent2 install prefix by:
# setting LIBEVENT only for single arch build
# setting LIBEVENT_$(T_A) for each arch
# leave unset to use implicit system search path
# NOTE: only needed if not present in default search paths
LIBEVENT ?= $(LIBEVENT_$(T_A))
LIBEVENT_$(T_A) ?= $(wildcard $(abspath $(TOP)/bundle/usr/$(T_A)))

INCLUDES += $(if $(LIBEVENT),-I$(LIBEVENT)/include)

# use libssl in non-default location. (eg. OSX w/ brew)
OPENSSL ?= $(OPENSSL_$(T_A))
OPENSSL_$(T_A) ?=

INCLUDES += $(if $(OPENSSL),-I$(OPENSSL)/include)

TARGETS = $(CONFIG_TARGETS)
CONFIGS += $(subst ../,,$(wildcard $(CONFIG_INSTALLS)))

CFG += CONFIG_PVXS_VERSION
CFG += CONFIG_PVXS_MODULE
CFG += RULES_PVXS_MODULE

include $(TOP)/configure/RULES

ifdef T_A
install: $(TOP)/configure/CONFIG_SITE.Common.$(T_A)

$(TOP)/configure/CONFIG_SITE.Common.$(T_A): toolchain.c
$(PREPROCESS.cpp)
install: TOOLCHAIN

CLEANS += ../CONFIG_SITE.Common.$(T_A)
TOOLCHAIN: toolchain.c
$(CPP) $(CPPFLAGS) $(INCLUDES) ../toolchain.c > [email protected]
$(CPP) $(CPPFLAGS) $(INCLUDES) ../probe-openssl.c > probe-openssl.out && echo "EVENT2_HAS_OPENSSL = YES" >> [email protected] || echo "No OpenSSL"
$(MV) [email protected] $@

endif
17 changes: 17 additions & 0 deletions configure/probe-openssl.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@

#include <openssl/opensslv.h>

#ifndef OPENSSL_VERSION_NUMBER
# error Some antique OpenSSL version?
#endif
#if OPENSSL_VERSION_NUMBER < 0x30000000
# error Minimum OpenSSL 3.0
#endif

#include <event2/event-config.h>

#ifndef EVENT__HAVE_OPENSSL
# error libevent not built with OpenSSL support
#endif

#include <event2/bufferevent_ssl.h>
2 changes: 1 addition & 1 deletion configure/toolchain.c
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#ifdef _COMMENT_
/* Compiler inspection
*
* expanded as configure/CONFIG_SITE.Common.*
* expanded as configure/O.*/TOOLCHAIN
*/
/* GCC preprocessor drops C comments from output.
* MSVC preprocessor emits C comments in output
Expand Down
102 changes: 102 additions & 0 deletions documentation/pkcs12.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
# PKCS#12 files in brief

The following is based on a reading of [RFC7292](https://datatracker.ietf.org/doc/html/rfc7292) as of July 2014.
Also on observation of OpenSSL circa 3.1 and keytool circa Java 17.

End users do not need to know this.

## File Structure

Each `PKCS#12` file contains a list of `AuthenticatedSafe` entries (aka. "Safes").

```
PKCS#12 file
AuthenticatedSafe (unencrypted)
...
AuthenticatedSafe (password encrypted)
...
AuthenticatedSafe (public key encrypted)
```

Each Safe may be: unencrypted, encrypted with a password, or encrypted with a public key.

Each Safe contains a list of `SafeBag` entries (aka. "Bags").

```
PKCS#12 file
AuthenticatedSafe
*Bag
attributes...
value
```

Each Bag has an a list of "Attributes" and a "value".

RFC7292 defines two attributes `friendlyName` and `localKeyId`.
Additionally, Java defines another `oracle-jdk-trustedkeyusage` or `ORACLE_TrustedKeyUsage`.

```
PKCS#12 file
AuthenticatedSafe
keyBag (unencrypted private key)
pkcs8ShroudedKeyBag (encrypted private key)
certBag (certificate, usually X509)
crlBag (certificate revocation list, usually X509CRL)
secretBag (arbitrary encrypted bytes)
safeContentsBag
... recursive list of Bags
```

RFC7292 defines 6 types of Bag, and leaves open the possibility of more.


## Bag Attributes

`friendlyName` is a string labeling a Bag.
Java keytool uses these (via. `-alias`) to distinguish multiple private keys within one file.
OpenSSL ignores them, and gets confused if multiple private keys are present.

`localKeyId` is meant to identifies pairs of private key and certificate.

`oracle-jdk-trustedkeyusage` has the same value as the X509 `extendedKeyUsage` extension.

Released version of OpenSSL as of 3.1 circa Aug. 2023 [do not understand](https://github.com/openssl/openssl/issues/6684) `oracle-jdk-trustedkeyusage`.
This is feature [planned for 3.2](https://github.com/openssl/openssl/pull/19025).

TODO: keytool has been observed setting this to "6". OpenSSL 3.2 set `anyExtendedKeyUsage`, aka. 1.

## File Structure as Observed

The structures of files created by `openssl pkcs12` and `keytool` are almost identical.

For example, a file with a certificate/key pair, and an associated CA certificate is structured like:

```
PKCS#12
AuthenticatedSafe (unencrypted)
pkcs8ShroudedKeyBag
attributes
friendlyName = "my:cert:name" (Java only)
localKeyId = ... (value will match the associated keyBag or pkcs8ShroudedKeyBag
value = private key...
AuthenticatedSafe (encrypted)
certBag
attributes
friendlyName = "my:cert:name" (Java only)
localKeyId = ... (value will match the associated certBag
value = X509 certificate
certBag
attributes
friendlyName = "my:ca" (Java only)
oracle-jdk-trustedkeyusage = ... (Java only)
value = X509 certificate
```

Notes...

This structure leaves the friendlyName (aka `-alias`) and localKeyId associated with a private key unencrypted in all cases.

Java keytool has been observed (after an `-importcert`) to put almost two certBag entries with the same certificate.
One with the friendlyName from `-alias` and `oracle-jdk-trustedkeyusage` set,
and a second with friendlyName set to the distinguishing name (eg. `CN=foo,O=bar`) and no `oracle-jdk-trustedkeyusage`.
keytool seems to ignore any entries without `oracle-jdk-trustedkeyusage`, but OpenSSL reads them.
5 changes: 2 additions & 3 deletions example/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ TOP=..
include $(TOP)/configure/CONFIG
# cfg/ sometimes isn't correctly included due to a Base bug
# so we do here (maybe again) as workaround
include $(TOP)/configure/CONFIG_PVXS_MODULE
include $(TOP)/configure/CONFIG_PVXS_VERSION
-include $(wildcard $(TOP)/cfg/CONFIG*))
#----------------------------------------
# ADD MACRO DEFINITIONS AFTER THIS LINE
#=============================
Expand Down Expand Up @@ -35,7 +34,7 @@ rpc_client_SRCS += rpc_client.cpp
#===========================

include $(TOP)/configure/RULES
include $(TOP)/configure/RULES_PVXS_MODULE
-include $(wildcard $(TOP)/cfg/RULES*))
#----------------------------------------
# ADD RULES AFTER THIS LINE

5 changes: 2 additions & 3 deletions ioc/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,7 @@ TOP=..
include $(TOP)/configure/CONFIG
# cfg/ sometimes isn't correctly included due to an issue in epics-base
# so we do here (maybe again) as workaround
include $(TOP)/configure/CONFIG_PVXS_MODULE
include $(TOP)/configure/CONFIG_PVXS_VERSION
-include $(wildcard $(TOP)/cfg/CONFIG*))
#----------------------------------------
# ADD MACRO DEFINITIONS AFTER THIS LINE
#=============================
Expand Down Expand Up @@ -85,7 +84,7 @@ LIB_LIBS += $(EPICS_BASE_IOC_LIBS)
#===========================

include $(TOP)/configure/RULES
include $(TOP)/configure/RULES_PVXS_MODULE
-include $(wildcard $(TOP)/cfg/RULES*))
#----------------------------------------
# ADD RULES AFTER THIS LINE

Expand Down
17 changes: 17 additions & 0 deletions ioc/iochooks.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,20 @@ void pvxrefdiff() {
}
}

void pvxreconfigure()
{
Guard (pvxServer->lock);
auto& srv = pvxServer->srv;

if (srv) {
printf("Reconfiguring QSRV\n");
srv.reconfigure(server::Config::from_env());
pvxsr(0); // print new configuration
} else {
fprintf(stderr, "Warning: QSRV not running\n");
}
}

} // namespace

static
Expand Down Expand Up @@ -468,6 +482,9 @@ void pvxsBaseRegistrar() noexcept {
"Save the current set of instance counters for reference by later pvxrefdiff.\n").implementation<&pvxrefsave>();
IOCShCommand<>("pvxrefdiff",
"Show different of current instance counts with those when pvxrefsave was called.\n").implementation<&pvxrefdiff>();
IOCShCommand<>("pvxreconfigure",
"Reconfigure QSRV using current values of EPICS_PVA*. Only disconnects TLS clients\n")
.implementation<&pvxreconfigure>();

// Initialise the PVXS Server
initialisePvxsServer();
Expand Down
5 changes: 2 additions & 3 deletions qsrv/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ TOP=..
include $(TOP)/configure/CONFIG
# cfg/ sometimes isn't correctly included due to a Base bug
# so we do here (maybe again) as workaround
include $(TOP)/configure/CONFIG_PVXS_MODULE
include $(TOP)/configure/CONFIG_PVXS_VERSION
-include $(wildcard $(TOP)/cfg/CONFIG*))
#----------------------------------------
# ADD MACRO DEFINITIONS AFTER THIS LINE
#=============================
Expand All @@ -31,7 +30,7 @@ FINAL_LOCATION ?= $(shell $(PERL) $(TOOLS)/fullPathName.pl $(INSTALL_LOCATION))
#===========================

include $(TOP)/configure/RULES
include $(TOP)/configure/RULES_PVXS_MODULE
-include $(wildcard $(TOP)/cfg/RULES*))
#----------------------------------------
# ADD RULES AFTER THIS LINE

Expand Down
Loading
Loading