rack-tctp 0.9.4 → 0.9.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e17ba07a070105aa159112f1bc05b786470ca915
-  data.tar.gz: 32d80313f686de0b04502360ef993833888ba95a
+  metadata.gz: b6b91b55890f0a473f132a0e6c2eec7fe5aa3254
+  data.tar.gz: 8ac625d2bb5a6576a5cc164fed0b7a928419d129
 SHA512:
-  metadata.gz: bef07d9eced9cade393e20bbe8762e656c8b943ee292c5b89acf3e790e274ce9d0e24634bb27051bba01c5470b266516567623ca7f7605efb5949f57f9b645c2
-  data.tar.gz: 3ad2c8e428775997f7300d60b13e6dd7ec77ff60ba551b6163ecdb8f16c82614be9f5f7dbe163c1bf49f4bf825b22119f9acb925f840e4c2ac74fe26031364f9
+  metadata.gz: d93b73d45ac80ad26c8c6f5d1b10964cf6f07d47a7a4a4fde519d96d7206c74613cae47301658d6e2d50ae44ed658666c8eb6bc5323b4c9d3eba15f8543577a8
+  data.tar.gz: b68e836d5e51dd6cfbc10ff89b7b67f98ed3adeee36f34faabab4dc117d7bcdbe61bae9bd4a36f1177f51b80ce40b61335ce60927381d6636de71dbe4375330c

data/ext/engine/engine.c

@@ -0,0 +1,216 @@
+//Modified from: https://github.com/puma/puma/blob/master/ext/puma_http11/mini_ssl.c
+#define RSTRING_NOT_MODIFIED 1
+#include <assert.h>
+#include <ruby.h>
+#include <rubyio.h>
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+typedef struct {
+  BIO* read;
+  BIO* write;
+  SSL* ssl;
+  SSL_CTX* ctx;
+} ms_conn;
+
+void engine_free(ms_conn* conn) {
+  BIO_free(conn->read);
+  BIO_free(conn->write);
+
+  free(conn);
+}
+
+static VALUE eError;
+
+void raise_error(SSL* ssl, int result) {
+  char buf[256];
+  u_long err;
+
+  while ((err = ERR_get_error()) != 0) {
+    ERR_error_string_n(err, buf, sizeof(buf));
+    printf("*** %s\n", buf);
+  }
+
+  ERR_clear_error();
+  rb_raise(eError, "OpenSSL error");
+}
+
+ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
+  ms_conn* conn;
+
+  *obj = Data_Make_Struct(klass, ms_conn, 0, engine_free, conn);
+
+  conn->read = BIO_new(BIO_s_mem());
+  BIO_set_nbio(conn->read, 1);
+
+  conn->write = BIO_new(BIO_s_mem());
+  BIO_set_nbio(conn->write, 1);
+
+  conn->ssl = 0;
+  conn->ctx = 0;
+
+  return conn;
+}
+
+VALUE engine_init_server(VALUE self, VALUE key, VALUE cert) {
+  VALUE obj;
+  SSL_CTX* ctx;
+  SSL* ssl;
+  int use_certificate_file_ret, use_pk_file_ret;
+
+  ms_conn* conn = engine_alloc(self, &obj);
+
+  StringValue(key);
+  StringValue(cert);
+
+  ctx = SSL_CTX_new(TLSv1_server_method());
+  conn->ctx = ctx;
+
+  use_certificate_file_ret = SSL_CTX_use_certificate_file(ctx, RSTRING_PTR(cert), SSL_FILETYPE_PEM);
+  if(use_certificate_file_ret != 1) {
+    raise_error(conn->ssl, 0);
+  }
+
+  use_pk_file_ret = SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
+  if(use_pk_file_ret != 1) {
+    raise_error(conn->ssl, 0);
+  }
+
+  SSL_CTX_set_cipher_list(ctx, "ALL");
+  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
+  ssl = SSL_new(ctx);
+  conn->ssl = ssl;
+
+  SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
+
+  SSL_set_bio(conn->ssl, conn->read, conn->write);
+
+  SSL_set_accept_state(ssl);
+  return obj;
+}
+
+VALUE engine_init_client(VALUE klass) {
+  VALUE obj;
+  ms_conn* conn = engine_alloc(klass, &obj);
+
+  conn->ctx = SSL_CTX_new(TLSv1_client_method());
+  SSL_CTX_set_cipher_list(conn->ctx, "ALL");
+
+  conn->ssl = SSL_new(conn->ctx);
+
+  SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
+
+  SSL_set_bio(conn->ssl, conn->read, conn->write);
+
+  SSL_set_connect_state(conn->ssl);
+  return obj;
+}
+
+VALUE engine_inject(VALUE self, VALUE str) {
+  ms_conn* conn;
+  long used;
+
+  Data_Get_Struct(self, ms_conn, conn);
+
+  StringValue(str);
+
+  used = BIO_write(conn->read, RSTRING_PTR(str), (int)RSTRING_LEN(str));
+
+  if(used == 0 || used == -1) {
+    return Qfalse;
+  }
+
+  return INT2FIX(used);
+}
+
+VALUE engine_read(VALUE self) {
+  ms_conn* conn;
+  char buf[512];
+  int bytes, n;
+
+  Data_Get_Struct(self, ms_conn, conn);
+
+  bytes = SSL_read(conn->ssl, (void*)buf, sizeof(buf));
+
+  if(bytes > 0) {
+    return rb_str_new(buf, bytes);
+  }
+
+  if(SSL_want_read(conn->ssl)) return Qnil;
+
+  if(SSL_get_error(conn->ssl, bytes) == SSL_ERROR_ZERO_RETURN) {
+    rb_eof_error();
+  }
+
+  raise_error(conn->ssl, bytes);
+
+  return Qnil;
+}
+
+VALUE engine_write(VALUE self, VALUE str) {
+  ms_conn* conn;
+  char buf[512];
+  int bytes;
+
+  Data_Get_Struct(self, ms_conn, conn);
+
+  StringValue(str);
+
+  bytes = SSL_write(conn->ssl, (void*)RSTRING_PTR(str), (int)RSTRING_LEN(str));
+  if(bytes > 0) {
+    return INT2FIX(bytes);
+  }
+
+  if(SSL_want_write(conn->ssl)) return Qnil;
+
+  raise_error(conn->ssl, bytes);
+
+  return Qnil;
+}
+
+VALUE engine_extract(VALUE self) {
+  ms_conn* conn;
+  int bytes;
+  size_t pending;
+  char buf[512];
+
+  Data_Get_Struct(self, ms_conn, conn);
+
+  pending = BIO_pending(conn->write);
+  if(pending > 0) {
+    bytes = BIO_read(conn->write, buf, sizeof(buf));
+    if(bytes > 0) {
+      return rb_str_new(buf, bytes);
+    } else if(!BIO_should_retry(conn->write)) {
+      raise_error(conn->ssl, bytes);
+    }
+  }
+
+  return Qnil;
+}
+
+void Init_engine() {
+  VALUE mod, eng, rack;
+  
+  SSL_library_init();
+  OpenSSL_add_ssl_algorithms();
+  SSL_load_error_strings();
+  ERR_load_crypto_strings();
+
+  rack = rb_define_module("Rack");
+  mod = rb_define_class_under(rack, "TCTP", rb_cObject);
+  eng = rb_define_class_under(mod, "Engine", rb_cObject);
+
+  eError = rb_define_class_under(mod, "SSLError", rb_eStandardError);
+
+  rb_define_singleton_method(eng, "server", engine_init_server, 2);
+  rb_define_singleton_method(eng, "client", engine_init_client, 0);
+
+  rb_define_method(eng, "inject", engine_inject, 1);
+  rb_define_method(eng, "read",  engine_read, 0);
+
+  rb_define_method(eng, "write",  engine_write, 1);
+  rb_define_method(eng, "extract", engine_extract, 0);
+}

data/ext/engine/extconf.rb

@@ -0,0 +1,6 @@
+require 'mkmf'
+
+$defs.push '-Wno-deprecated-declarations'
+$libs += ' -lssl -lcrypto '
+
+create_makefile('rack/tctp/engine')

data/lib/rack/tctp/halec.rb

@@ -1,19 +1,16 @@
 require 'openssl'
 require 'socket'
+require 'radix'
 
-# HTTP application layer encryption channel. Used for the Trusted Cloud Transfer Protocol (TCTP)
-class HALEC
-  # The URL of this HALEC
-  attr_reader :url
-
-  # The plaintext socket
-  attr_reader :socket_here
+require 'rack/tctp/engine'
 
-  # The SSL socket
-  attr_reader :ssl_socket
+# HTTP application layer encryption channel. Used for the Trusted Cloud Transfer Protocol (TCTP)
+class Rack::TCTP::HALEC
+  # The SSL engine
+  attr_reader :engine
 
-  # The encrypted socket
-  attr_reader :socket_there
+  # The URL of this HALEC
+  attr_accessor :url
 
   # The private key for a certificate (if any)
   attr_reader :private_key
@@ -21,40 +18,68 @@ class HALEC
   # A server or client certificate (if any)
   attr_reader :certificate
 
-  # The TLS context
-  attr_reader :ctx
-
   def initialize(options = {})
-    @url = options[:url] || ''
-    @ctx = options[:ssl_context] || OpenSSL::SSL::SSLContext.new()
-
-    @ctx.ssl_version = :TLSv1
+    @url = options[:url] || nil
+  end
 
-    @socket_here, @socket_there = socket_pair
-    [@socket_here, @socket_there].each do |socket|
-      socket.set_encoding(Encoding::BINARY)
+  # Encrypts +plaintext+ data and either returns the encrypted data or calls a block with it.
+  # @param [String] plaintext The plaintext
+  # @return [String] The encrypted data
+  # @yield Gives the encrypted data to the block
+  # @yieldparam [String] The encrypted data
+  def encrypt_data(plaintext, &encrypted)
+    @engine.write plaintext
+
+    while(read_chunk = @engine.extract)
+      if(block_given?)
+        encrypted.call read_chunk
+      else
+        if read_data
+          read_data.write read_chunk
+        else
+          read_data = StringIO.new(read_chunk)
+        end
+      end
     end
+
+    read_data.string unless block_given?
   end
 
-  private
-    def socket_pair
-      Socket.pair(:UNIX, :STREAM, 0) # Linux
-    rescue Errno::EAFNOSUPPORT
-      Socket.pair(:INET, :STREAM, 0) # Windows
+  # Decrypts +encrypted+ data and either returns the plaintext or calls a block with it.
+  # @param [String] encrypted The encrypted data
+  # @return [String] The plaintext
+  # @yield Gives the plaintext to the block
+  # @yieldparam [String] The plaintext
+  def decrypt_data(encrypted, &decrypted)
+    @engine.inject encrypted
+
+    while(read_chunk = @engine.read)
+      if(block_given?)
+        decrypted.call read_chunk
+      else
+        if read_data
+          read_data.write read_chunk
+        else
+          read_data = StringIO.new(read_chunk)
+        end
+      end
     end
+
+    read_data.string unless block_given?
+  end
 end
 
 # The Client end of an HALEC
-class ClientHALEC < HALEC
+class Rack::TCTP::ClientHALEC < Rack::TCTP::HALEC
   def initialize(options = {})
     super(options)
 
-    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@socket_here, @ctx)
+    @engine = Rack::TCTP::Engine.client
   end
 end
 
 # The Server end of an HALEC
-class ServerHALEC < HALEC
+class Rack::TCTP::ServerHALEC < Rack::TCTP::HALEC
   def initialize(options = {})
     super(options)
 
@@ -62,21 +87,19 @@ class ServerHALEC < HALEC
       @private_key = options[:private_key]
       @certificate = options[:certificate]
     else
-      @private_key = ServerHALEC.default_key
-      @certificate = ServerHALEC.default_self_signed_certificate
+      @private_key = self.class.default_key
+      @certificate = self.class.default_self_signed_certificate
     end
 
-    @ctx.cert = @certificate
-    @ctx.key = @private_key
+    @private_key_file = Tempfile.new('rack_tctp_pk')
+    @private_key_file.write @private_key.to_s
+    @private_key_file.close
 
-    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@socket_here, @ctx)
-    Thread.new {
-      begin
-        s = @ssl_socket.accept
-      rescue Exception => e
-        puts e
-      end
-    }
+    @certificate_file = Tempfile.new('rack_tctp_cert')
+    @certificate_file.write @certificate.to_s
+    @certificate_file.close
+
+    @engine = Rack::TCTP::Engine.server(@private_key_file.path, @certificate_file.path)
   end
 
   class << self
@@ -112,5 +135,15 @@ class ServerHALEC < HALEC
 
       cert
     end
+
+    # The slug URI can contain any HTTP compatible characters
+    def slug_base
+      Radix::Base.new(Radix::BASE::B62 + ['-', '_'])
+    end
+
+    # Generate a new random slug (2^64 possibilities)
+    def new_slug
+      slug_base.convert(rand(2**64), 10)
+    end
   end
-end
+end

data/lib/rack/tctp.rb

@@ -26,8 +26,8 @@ module Rack
     # Initializes TCTP middleware
     def initialize(app, logger = nil)
       unless logger
-        @logger = Kernel::Logger.new(STDOUT)
-        @logger.level = Logger::FATAL
+        @logger = ::Logger.new(STDOUT)
+        @logger.level = ::Logger::FATAL
       else
         @logger = logger
       end
@@ -52,21 +52,22 @@ module Rack
           when is_tctp_discovery?(req)
             # TCTP discovery
             # TODO Parameterize discovery information
-            [200, {"Content-Type" => TCTP_DISCOVERY_MEDIA_TYPE, "Content-Length" => DEFAULT_TCTP_DISCOVERY_INFORMATION.length.to_s}, DEFAULT_TCTP_DISCOVERY_INFORMATION]
+            [200, {"Content-Type" => TCTP_DISCOVERY_MEDIA_TYPE, "Content-Length" => DEFAULT_TCTP_DISCOVERY_INFORMATION.length.to_s}, [DEFAULT_TCTP_DISCOVERY_INFORMATION]]
           when is_halec_creation?(req)
             # HALEC creation
-            halec = ServerHALEC.new(url: '/halecs/' + TCTP::new_slug)
+            halec = ServerHALEC.new(url: halec_uri(req.env, "/halecs/#{TCTP::new_slug}"))
 
             # TODO Allow creation using predefined cookie
             session = TCTPSession.new
 
             # Send client_hello to server HALEC and read handshake_response
             client_hello = req.body.read
-            halec.socket_there.write(client_hello)
-            handshake_response = [halec.socket_there.recv(2048)]
+            halec.engine.inject client_hello
+            halec.engine.read
+            handshake_response = [halec.engine.extract]
 
             # Set location header and content-length
-            header = {'Location' => halec.url, 'Content-Length' => handshake_response[0].length.to_s}
+            header = {'Location' => halec.url.to_s, 'Content-Length' => handshake_response[0].length.to_s}
 
             # Set the TCTP session cookie header
             Rack::Utils.set_cookie_header!(header, "tctp_session_cookie", {:value => session.session_id, :path => '/', :expires => Time.now+24*60*60})
@@ -78,13 +79,14 @@ module Rack
             [201, header, handshake_response]
           when is_halec_handshake?(req)
             # Get persisted server HALEC
-            halec = @sessions[req.cookies['tctp_session_cookie']].halecs[req.path_info]
+            halec = @sessions[req.cookies['tctp_session_cookie']].halecs[halec_uri(req.env, req.path_info)]
 
             # Write handshake message to server HALEC
-            halec.socket_there.write(req.body.read)
+            halec.engine.inject req.body.read
 
             # Receive handshake response
-            handshake_response = halec.socket_there.recv(2048)
+            halec.engine.read
+            handshake_response = halec.engine.extract
 
             # Send back server HALEC response
             [200, {'Content-Length' => handshake_response.length.to_s}, [handshake_response]]
@@ -96,10 +98,11 @@ module Rack
               halec_url = req.body.readline.chomp
 
               # Gets the HALEC
-              halec = @sessions[req.cookies['tctp_session_cookie']].halecs[halec_url]
+              halec = @sessions[req.cookies['tctp_session_cookie']].halecs[URI(halec_url)]
 
-              halec.socket_there.write(req.body.read)
-              decrypted_body.write(halec.ssl_socket.readpartial(2 ** 26 - 1))
+              read_body = req.body.read
+
+              decrypted_body.write halec.decrypt_data(read_body)
 
               req.body.string = decrypted_body.string
             end
@@ -125,7 +128,7 @@ module Rack
               content_body_length = 0
 
               # The first line
-              first_line = halec.url + "\r\n"
+              first_line = halec.url.to_s + "\r\n"
               content_body_length += first_line.length
 
               # Encrypt the body. The first line of the response specifies the used HALEC
@@ -134,15 +137,9 @@ module Rack
 
               # Encrypt each body fragment
               body.each do |fragment|
-                bodyio = StringIO.new(fragment)
-
-                until bodyio.eof? do
-                  chunk = bodyio.read(16 * 1024)
-                  halec.ssl_socket.write(chunk)
-                  encrypted_chunk = halec.socket_there.readpartial(32 * 1024)
-                  encrypted_body << encrypted_chunk
-                  content_body_length += encrypted_chunk.length
-                end
+                encrypted_fragment = halec.encrypt_data fragment
+                encrypted_body << encrypted_fragment
+                content_body_length += encrypted_fragment.length
               end
 
               # Finding this bug took waaaay too long ...
@@ -190,7 +187,7 @@ module Rack
             !req.cookies.nil? &&
             req.cookies.has_key?('tctp_session_cookie') &&
             sessions.has_key?(req.cookies['tctp_session_cookie']) &&
-            sessions[req.cookies['tctp_session_cookie']].halecs.has_key?(req.path_info)
+            sessions[req.cookies['tctp_session_cookie']].halecs.has_key?(halec_uri(req.env, req.path_info))
       end
 
       def is_tctp_response_requested? (req)
@@ -200,6 +197,14 @@ module Rack
       def is_tctp_encrypted_body? (req)
         req.env['HTTP_CONTENT_ENCODING'].eql?('encrypted')
       end
+
+      # Builds an URI object to be used as a HALEC +uri+
+      # @param [Hash] env A Rack environment hash
+      # @param [String] path A path
+      # @return [URI] An HALEC +uri+
+      def halec_uri(env, path)
+        URI("#{env['rack.url_scheme']}://#{env['HTTP_HOST']}:#{env['SERVER_PORT']}#{path}")
+      end
   end
 
   class TCTPSession

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-tctp
 version: !ruby/object:Gem::Version
-  version: 0.9.4
+  version: 0.9.5
 platform: ruby
 authors:
 - Mathias Slawik
@@ -97,12 +97,15 @@ dependencies:
 description: Rack middleware for end-to-end security through TCTP
 email: mathias.slawik@tu-berlin.de
 executables: []
-extensions: []
+extensions:
+- ext/engine/extconf.rb
 extra_rdoc_files: []
 files:
 - lib/rack-tctp.rb
 - lib/rack/tctp.rb
 - lib/rack/tctp/halec.rb
+- ext/engine/engine.c
+- ext/engine/extconf.rb
 homepage: https://github.com/mathiasslawik/rack-tctp
 licenses:
 - Apache-2.0
@@ -128,3 +131,4 @@ signing_key:
 specification_version: 4
 summary: Rack TCTP middleware
 test_files: []
+has_rdoc: