From 734860f535c147ec9470ede9a7252cad6a6cc2bf Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Fri, 26 Mar 2021 12:55:13 -0500
Subject: [PATCH] WOLFSSL_NETWORK_INTROSPECTION WIP

---
 examples/server/server.c | 35 +++++++++++++++++++++++++++++++++++
 src/internal.c | 4 ++--
 src/ssl.c | 31 +++++++++++++------------------
 wolfssl/internal.h | 16 ++-------------
 wolfssl/ssl.h | 10 +++++++++-
 5 files changed, 61 insertions(+), 35 deletions(-)

diff --git a/examples/server/server.c b/examples/server/server.c
index 214e96ad2..e8542fdb3 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -276,6 +276,36 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx)
 
 #endif /* WOLFSSL_DTLS */
 
+#ifdef WOLFSSL_NETWORK_INTROSPECTION
+
+static int test_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision) {
+    const void *remote_addr2;
+    const void *local_addr2;
+    char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN];
+    int ret;
+
+    (void)ssl;
+    (void)ctx;
+
+    if ((ret = wolfSSL_get_endpoint_addrs(nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) {
+        printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL));
+        err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()");
+    }
+
+    printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n",
+           nc->family,
+           nc->proto,
+           nc->remote_port,
+           nc->local_port,
+           inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf),
+           inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2),
+           nc->interface);
+
+    *decision = WOLFSSL_NETFILTER_ACCEPT;
+    return 0;
+}
+
+#endif /* WOLFSSL_NETWORK_INTROSPECTION */
 
 static int NonBlockingSSL_Accept(SSL* ssl)
 {
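Review bot: Both `inet_ntop()` calls on the printf line in test_NetworkFilterCallback are used unchecked as `%s` arguments; `inet_ntop()` returns NULL when `nc->family` is not a family it supports, and passing NULL for `%s` is undefined behaviour, so the test filter would crash on exactly the connections a filter is most interested in looking at. Capture each result first, e.g. `const char *raddr = inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf);` followed by `if (raddr == NULL) raddr = "(unprintable)";`, and do the same for the local address before the printf. This also assumes `nc->family` carries the platform `AF_*` value that `inet_ntop()` expects, which nothing in this patch shows and is worth confirming against wolfSSL_set_endpoints(). Separately, the failure messages name `wolfSSL_get_endpoints()` while the call that failed is `wolfSSL_get_endpoint_addrs()`; both strings should name the function actually called.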
@@ -1840,6 +1870,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (ctx == NULL) err_sys_ex(catastrophic, "unable to get ctx"); +#ifdef WOLFSSL_NETWORK_INTROSPECTION + if (wolfSSL_CTX_set_AcceptFilter(ctx, test_NetworkFilterCallback, NULL /* AcceptFilter_arg */) < 0) + err_sys_ex(catastrophic, "unable to install test_NetworkFilterCallback"); +#endif + if (simulateWantWrite) { wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb); diff --git a/src/internal.c b/src/internal.c index 9337b90b6..a86ca0a61 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6467,9 +6467,9 @@ void SSL_ResourceFree(WOLFSSL* ssl) #endif #ifdef WOLFSSL_NETWORK_INTROSPECTION if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection)) - XFREE(ssl->buffers.network_connection_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + XFREE(ssl->buffers.network_connection.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection_layer2)) - XFREE(ssl->buffers.network_connection_layer2_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + XFREE(ssl->buffers.network_connection_layer2.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); #endif /* WOLFSSL_NETWORK_INTROSPECTION */ #ifdef WOLFSSL_RENESAS_TSIP_TLS XFREE(ssl->peerTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA); diff --git a/src/ssl.c b/src/ssl.c index ee8d010c6..8dd44bffc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1019,7 +1019,6 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) static WC_INLINE int wolfSSL_set_endpoints_1( WOLFSSL* ssl, struct wolfSSL_network_connection *nc, - byte **nc_addr_buffer_dynamic, unsigned int interface_id, unsigned int family, unsigned int proto, 
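Review bot: The success test on the new `wolfSSL_CTX_set_AcceptFilter()` call is `< 0`, while the callback added in the previous server.c hunk tests `wolfSSL_get_endpoint_addrs()` against `WOLFSSL_SUCCESS`; the setter's return values are not visible in this patch (its body is cut off at the end of the ssl.c section), so one of the two conventions is presumably wrong for its function. If the setter follows the usual wolfSSL pattern I would write `if (wolfSSL_CTX_set_AcceptFilter(ctx, test_NetworkFilterCallback, NULL) != WOLFSSL_SUCCESS)` here and state the return convention in a doc comment on the declaration. The enclosing server_test() function begins and ends outside the hunk.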
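Review bot: In the SSL_ResourceFree hunk of src/internal.c the two `XFREE` calls leave `addr_buffer_dynamic` and the two length fields of each `wolfSSL_network_connection` untouched, and since the pointer now shares a union with `addr_buffer`, `WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC()` (the length sum) is the only thing that says the freed pointer is the live member. After each free I would make the connection read as "no endpoints" so a second pass or a later accessor cannot pick the stale pointer up: `ssl->buffers.network_connection.remote_addr_len = ssl->buffers.network_connection.local_addr_len = 0;` and the same for `network_connection_layer2`. This is harmless if SSL_ResourceFree is reached exactly once per WOLFSSL and nothing reads the struct afterwards, which this hunk cannot show. The function starts before the hunk.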
@@ -1049,13 +1048,13 @@ static WC_INLINE int wolfSSL_set_endpoints_1( if (current_dynamic_alloc != needed_dynamic_alloc) { if (current_dynamic_alloc > 0) - XFREE(*nc_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + XFREE(nc->addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); if (needed_dynamic_alloc > 0) { - *nc_addr_buffer_dynamic = (byte *)XMALLOC + nc->addr_buffer_dynamic = (byte *)XMALLOC (needed_dynamic_alloc, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - if (*nc_addr_buffer_dynamic == NULL) + if (nc->addr_buffer_dynamic == NULL) return MEMORY_E; } } @@ -1072,8 +1071,8 @@ static WC_INLINE int wolfSSL_set_endpoints_1( XMEMCPY(nc->addr_buffer, remote_addr, remote_addr_len); XMEMCPY(nc->addr_buffer + remote_addr_len, local_addr, local_addr_len); } else { - XMEMCPY(*nc_addr_buffer_dynamic, remote_addr, remote_addr_len); - XMEMCPY((*nc_addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); + XMEMCPY(nc->addr_buffer_dynamic, remote_addr, remote_addr_len); + XMEMCPY((nc->addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); } nc->remote_addr_len = remote_addr_len; nc->local_addr_len = local_addr_len; @@ -1095,7 +1094,6 @@ int wolfSSL_set_endpoints( return wolfSSL_set_endpoints_1( ssl, &ssl->buffers.network_connection, - &ssl->buffers.network_connection_addr_buffer_dynamic, interface_id, family, proto, @@ -1118,7 +1116,6 @@ int wolfSSL_set_endpoints_layer2( return wolfSSL_set_endpoints_1( ssl, &ssl->buffers.network_connection_layer2, - &ssl->buffers.network_connection_layer2_addr_buffer_dynamic, interface_id, family, 0 /* proto */, @@ -1130,9 +1127,8 @@ int wolfSSL_set_endpoints_layer2( 0 /* local_port */); } -static WC_INLINE int wolfSSL_get_endpoints_1( +WOLFSSL_API int wolfSSL_get_endpoint_addrs( const struct wolfSSL_network_connection *nc, - byte *nc_addr_buffer_dynamic, const void **remote_addr, const void **local_addr) { 
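Review bot: In the reallocation path of wolfSSL_set_endpoints_1, when `current_dynamic_alloc > 0` the old buffer is freed before the new `XMALLOC`, and on the `MEMORY_E` return `nc->addr_buffer_dynamic` is NULL while `nc->remote_addr_len`/`nc->local_addr_len` still describe the previous, dynamic-sized endpoints, so `WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)` stays true and a later `wolfSSL_get_endpoint_addrs()` or `wolfSSL_copy_endpoints_1()` hands out, or memcpy's from, a NULL pointer with a non-zero length. Before `return MEMORY_E;` I would add `nc->remote_addr_len = 0;` and `nc->local_addr_len = 0;` so the connection reads as empty rather than as a dangling dynamic buffer. The following hunk shows the lengths being assigned only after this block (`nc->remote_addr_len = remote_addr_len;`), which is consistent with this reading, but the statements between the two hunks are not shown. The function begins before this hunk.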
@@ -1142,8 +1138,8 @@ static WC_INLINE int wolfSSL_get_endpoints_1(
         return INCOMPLETE_DATA;
 
     if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) {
-        *remote_addr = nc_addr_buffer_dynamic;
-        *local_addr = nc_addr_buffer_dynamic + nc->remote_addr_len;
+        *remote_addr = nc->addr_buffer_dynamic;
+        *local_addr = nc->addr_buffer_dynamic + nc->remote_addr_len;
     } else {
         *remote_addr = nc->addr_buffer;
         *local_addr = nc->addr_buffer + nc->remote_addr_len;
@@ -1159,7 +1155,7 @@ WOLFSSL_API int wolfSSL_get_endpoints(
     const void **local_addr)
 {
     *nc = &ssl->buffers.network_connection;
-    return wolfSSL_get_endpoints_1(*nc, ssl->buffers.network_connection_addr_buffer_dynamic, remote_addr, local_addr);
+    return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr);
 }
 
 WOLFSSL_API int wolfSSL_get_endpoints_layer2(
@@ -1169,12 +1165,11 @@ WOLFSSL_API int wolfSSL_get_endpoints_layer2(
     const void **local_addr)
 {
     *nc = &ssl->buffers.network_connection_layer2;
-    return wolfSSL_get_endpoints_1(*nc, ssl->buffers.network_connection_layer2_addr_buffer_dynamic, remote_addr, local_addr);
+    return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr);
 }
 
 static WC_INLINE int wolfSSL_copy_endpoints_1(
     struct wolfSSL_network_connection *nc_src,
-    byte *nc_addr_buffer_dynamic,
     struct wolfSSL_network_connection *nc_dst,
     size_t nc_dst_size,
     const void **remote_addr,
@@ -1192,7 +1187,7 @@ static WC_INLINE int wolfSSL_copy_endpoints_1(
         return BUFFER_E;
     XMEMCPY(nc_dst, nc_src, ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0])));
     if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc_src))
-        XMEMCPY(nc_dst->addr_buffer, nc_addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len);
+        XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len);
     else
         XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer, nc_src->remote_addr_len + nc_src->local_addr_len);
     *remote_addr = nc_dst->addr_buffer;
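Review bot: wolfSSL_copy_endpoints_1 copies the header fields of `nc_src` into `nc_dst` and then always writes the address bytes inline into `nc_dst->addr_buffer`, so a copy taken from a dynamic source carries a length sum above `WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES` while its bytes sit in the static member; with `addr_buffer` and `addr_buffer_dynamic` now a union, `WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc_dst)` is true for that copy and the newly public `wolfSSL_get_endpoint_addrs(nc_dst, ...)` (first hunk on this line) would reinterpret the leading address bytes as a pointer and return it. Either the copy must never be passed to that accessor, which needs a comment on `wolfSSL_get_endpoint_addrs()` saying it is valid only for the `nc` obtained from `wolfSSL_get_endpoints()`/`_layer2()`, or the live-member discriminator should become an explicit flag rather than the length sum. Callers of the copy already receive the inline pointers through `*remote_addr`/`*local_addr` here, so the documentation fix is enough for this patch. The function's size check and signature start before the hunk; only `return BUFFER_E;` is visible.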
@@ -1211,7 +1206,7 @@ WOLFSSL_API int wolfSSL_copy_endpoints( if (ssl == NULL) return BAD_FUNC_ARG; - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, ssl->buffers.network_connection_addr_buffer_dynamic, nc, nc_size, remote_addr, local_addr); + return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, nc, nc_size, remote_addr, local_addr); } WOLFSSL_API int wolfSSL_copy_endpoints_layer2( @@ -1224,7 +1219,7 @@ WOLFSSL_API int wolfSSL_copy_endpoints_layer2( if (ssl == NULL) return BAD_FUNC_ARG; - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, ssl->buffers.network_connection_layer2_addr_buffer_dynamic, nc, nc_size, remote_addr, local_addr); + return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, nc, nc_size, remote_addr, local_addr); } WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 6222c58e3..c16fbc2ff 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
@@ -3450,20 +3450,8 @@ typedef struct Buffers {
     buffer tls13CookieSecret; /* HRR cookie secret */
 #endif
 #ifdef WOLFSSL_NETWORK_INTROSPECTION
-    struct {
-        struct wolfSSL_network_connection network_connection;
-        union {
-            byte network_connection_addr_buffer_static[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES];
-            byte *network_connection_addr_buffer_dynamic;
-        };
-    };
-    struct {
-        struct wolfSSL_network_connection network_connection_layer2;
-        union {
-            byte network_connection_layer2_addr_buffer_static[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES];
-            byte *network_connection_layer2_addr_buffer_dynamic;
-        };
-    };
+    struct wolfSSL_network_connection network_connection;
+    struct wolfSSL_network_connection network_connection_layer2;
 #define WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(x) ((x).remote_addr_len + (x).local_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES)
 #endif
 #ifdef WOLFSSL_DTLS
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 56d6954f7..935a6b820 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1155,7 +1155,10 @@ struct wolfSSL_network_connection {
     word16 remote_addr_len;
     word16 local_addr_len;
     byte interface;
-    byte addr_buffer[0];
+    union {
+        byte addr_buffer[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES];
+        byte *addr_buffer_dynamic;
+    };
 };
 
 #define WOLFSSL_NETWORK_CONNECTION_BUFSIZ(remote_addr_len, local_addr_len) \
@@ -1173,6 +1176,11 @@ WOLFSSL_API int wolfSSL_set_endpoints(
     unsigned int remote_port,
     unsigned int local_port);
 
+WOLFSSL_API int wolfSSL_get_endpoint_addrs(
+    const struct wolfSSL_network_connection *nc,
+    const void **remote_addr,
+    const void **local_addr);
+
 WOLFSSL_API int wolfSSL_get_endpoints(
     WOLFSSL *ssl,
     const struct wolfSSL_network_connection **nc,
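Review bot: The new anonymous union in `struct wolfSSL_network_connection` lives in the public wolfssl/ssl.h, but the only way to tell which member is live, `WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC()` in the internal.h hunk above (a comparison of the two length fields against `WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES`), is private, so an application that receives an `nc` from `wolfSSL_get_endpoints()` has no supported way to read `addr_buffer` directly and nothing in the header tells it so. I would put a comment on the union: `/* Live member depends on remote_addr_len + local_addr_len; do not read directly, use wolfSSL_get_endpoint_addrs(). */`. The new `wolfSSL_get_endpoint_addrs()` declaration in the last hunk of this file likewise needs a doc comment giving its return values (`INCOMPLETE_DATA` is visible in ssl.c; the success value is not shown in this patch) and stating that the returned pointers alias `nc` and are valid only as long as `nc` is. Replacing the `byte addr_buffer[0]` trailing member with a fixed array also changes what `WOLFSSL_NETWORK_CONNECTION_BUFSIZ()` must compute; its body is outside the hunk and should be re-checked against the new layout.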