
evt-tls's Introduction

This is a work in progress and the API might change.

evt-tls

evt-tls is an abstraction layer over OpenSSL that uses a BIO pair to expose a callback-based asynchronous API. It should integrate easily with any event-based networking library such as libuv, libevent or libev, or with any other network library that wants to use OpenSSL purely as a TLS state machine.

evt-tls will evaluate and try to support other TLS libraries such as libtls, mbedtls, etc.

The work is in the alpha stage and a lot of work is still needed to make it production ready.

Until then, keep watching this space for more action.

How evt-tls works

evt-tls uses the BIO pair from OpenSSL, which is the suggested way to drive the TLS engine while handling network I/O (nio) independently. Hence the user is responsible for network I/O and feeds the TLS engine whatever data arrives from the network. evt-tls unwraps that data and hands you application data via a callback. It also wraps outgoing application data and writes it to the network.

How to work with evt-tls

A sample integration and its usage can be found in sample/libuv-tls for libuv. Contributions of integrations with other libraries are most welcome. Sample usage can also be seen in evt_test.c. These sources serve as the tutorial until better documentation arrives. If anybody wants to contribute documentation, they are most welcome.

#include <stdio.h>
#include <stdlib.h>
#include "uv_tls.h"

/* Echo has been written: close the TLS stream; the uv_tls_t is freed from the close callback */
void on_write(uv_tls_t *tls, int status) {
    uv_tls_close(tls, (uv_tls_close_cb)free);
}

/* Application data arrived: echo it back. nrd <= 0 means EOF or error */
void uv_rd_cb(uv_tls_t *strm, ssize_t nrd, const uv_buf_t *bfr) {
    if (nrd <= 0) return;
    uv_tls_write(strm, (uv_buf_t*)bfr, on_write);
}

/* Handshake finished: start reading on success, otherwise tear the stream down */
void on_uv_handshake(uv_tls_t *ut, int status) {
    if (0 == status)
        uv_tls_read(ut, uv_rd_cb);
    else
        uv_tls_close(ut, (uv_tls_close_cb)free);
}

void on_connect_cb(uv_stream_t *server, int status) {
    if (status) return;
    uv_tcp_t *tcp = malloc(sizeof(*tcp)); /* freed in the uv_close callback */
    uv_tcp_init(uv_default_loop(), tcp);
    if (uv_accept(server, (uv_stream_t*)tcp)) {
        uv_close((uv_handle_t*)tcp, (uv_close_cb)free); /* do not leak the handle */
        return;
    }

    uv_tls_t *sclient = malloc(sizeof(*sclient)); /* freed in the uv_close callback */
    if (uv_tls_init((evt_ctx_t*)server->data, tcp, sclient) < 0) {
        free(sclient);
        uv_close((uv_handle_t*)tcp, (uv_close_cb)free);
        return;
    }
    uv_tls_accept(sclient, on_uv_handshake);
}

int main(void) {
    uv_loop_t *loop = uv_default_loop();
    int port = 8000, r = 0;
    evt_ctx_t ctx;
    struct sockaddr_in bind_local;

    /* Load the server certificate and key, then tell evt which writer pushes TLS records to the wire */
    evt_ctx_init_ex(&ctx, "server-cert.pem", "server-key.pem");
    evt_ctx_set_nio(&ctx, NULL, uv_tls_writer);

    uv_tcp_t listener_local;
    uv_tcp_init(loop, &listener_local);
    listener_local.data = &ctx; /* on_connect_cb picks the context up from here */
    uv_ip4_addr("127.0.0.1", port, &bind_local);
    if ((r = uv_tcp_bind(&listener_local, (struct sockaddr*)&bind_local, 0))) {
        fprintf(stderr, "bind: %s\n", uv_strerror(r));
        return 1;
    }

    if ((r = uv_listen((uv_stream_t*)&listener_local, 128, on_connect_cb))) {
        fprintf(stderr, "listen: %s\n", uv_strerror(r));
        return 1;
    }
    printf("Listening on %d\n", port);
    uv_run(loop, UV_RUN_DEFAULT);
    evt_ctx_free(&ctx);
    return 0;
}

BUILD AND TEST

To join the action, download the code, then build and test with:

make

evt-tls's People

Contributors: catap, deleisha, polmr, supamii

evt-tls's Issues

Still maintained?

Is evt-tls dead or will stuff happen?

Seems like it's bug-ridden, incomplete, and undocumented. But there doesn't seem to be any SSL alternative for libuv.

API Suggestion.

Evt-TLS only supports evt_tls_read()
but libuv has two functions:
uv_read_start() and uv_read_stop().

  1. Will this automatically stop after you use evt_tls_close? If it does, then it is fine.

Liking the potential here; seem to have found a potential issue with an assert in evt_tls_feed_data

If you test your libuv ./evt with openssl s_client or something like that, it works fine. However, when trying to load test, I get an assert and a program crash. In debugging it, it appears the example code cannot handle when the stream is full right out of the gate?

Repro with the tcpkali util on Ubuntu 16.04:

tcpkali --workers 1 -c 1 -T 10s -1 "hello" -m "test" --ssl 127.0.0.1:8000

I added a bit of debug to on_tcp_read to see what's going on.... Seems like we need to feed another read/write to process the buffer and then consume the rest of the TLS stream? Thx

Listening on 8000
on_tcp_read data len:65536 nrd:305
on_tcp_read data len:65536 nrd:318
on_tcp_read data len:65536 nrd:65536
evt: ../..//src/evt_tls.c:279: evt_tls_feed_data: Assertion `rv == sz' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7178428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7178428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff717a02a in __GI_abort () at abort.c:89
#2 0x00007ffff7170bd7 in __assert_fail_base (fmt=, assertion=assertion@entry=0x41fe2d "rv == sz", file=file@entry=0x41fcb0 "../..//src/evt_tls.c", line=line@entry=279,
function=function@entry=0x41ff40 <PRETTY_FUNCTION.15415> "evt_tls_feed_data") at assert.c:92
#3 0x00007ffff7170c82 in __GI___assert_fail (assertion=0x41fe2d "rv == sz", file=0x41fcb0 "../..//src/evt_tls.c", line=279, function=0x41ff40 <PRETTY_FUNCTION.15415> "evt_tls_feed_data") at assert.c:101
#4 0x0000000000404ebd in evt_tls_feed_data (c=0x6483c0, data=0x654a70, sz=65536) at ../..//src/evt_tls.c:279
#5 0x0000000000405553 in on_tcp_read (stream=0x648280, nrd=65536, data=0x7fffffffaff0) at uv_tls.c:75
#6 0x0000000000411057 in uv__read (stream=0x648280) at ../src/unix/stream.c:1178
#7 0x0000000000411312 in uv__stream_io (loop=0x6286c0 <default_loop_struct>, w=0x648308, events=1) at ../src/unix/stream.c:1241
#8 0x00000000004166d6 in uv__io_poll (loop=0x6286c0 <default_loop_struct>, timeout=-1) at ../src/unix/linux-core.c:345
#9 0x0000000000408034 in uv_run (loop=0x6286c0 <default_loop_struct>, mode=UV_RUN_DEFAULT) at ../src/unix/core.c:341
#10 0x000000000040442e in main () at test_tls.c:64
(gdb) frame 4
#4 0x0000000000404ebd in evt_tls_feed_data (c=0x6483c0, data=0x654a70, sz=65536) at ../..//src/evt_tls.c:279
279 assert( rv == sz);
(gdb) print rv
$1 = 17408

API for cipher setting

Evt currently uses the default ciphers. Though it is possible to set them by using evt_tls_get_SSL_CTX and then configuring the SSL_CTX, etc.

Evt can introduce its own cipher setter/getter API.

where is uv_read_start?

uv_read_start gives the user a way to allocate the buffer, but there seems to be no way to do this with evt_tls.

Using OpenSSL 1.1.0h to test libuv_tls, crash at CRYPTO_free and OPENSSL_sk_pop_free.

I compiled OpenSSL 1.1.0h using the default config. I just tested evt and client in the libuv-tls directory and received a coredump as follows. I found something related here and here.

(gdb) bt
#0  0x00007ffff6d2638c in free () from /lib64/libc.so.6
#1  0x00007ffff781614e in CRYPTO_free (str=0xa4cb33d2, file=0x7ffff7bc130b "ssl/ssl_ciph.c", line=1799) at crypto/mem.c:179
#2  0x00007ffff7b8d22b in cmeth_free (cm=0xa4cb33d2) at ssl/ssl_ciph.c:1799
#3  0x00007ffff787b036 in OPENSSL_sk_pop_free (st=0x6237c0, func=0x7ffff7b8d207 <cmeth_free>) at crypto/stack/stack.c:265
#4  0x00007ffff7b8a391 in sk_SSL_COMP_pop_free (sk=0x6237c0, freefunc=0x7ffff7b8d207 <cmeth_free>) at include/openssl/ssl.h:846
#5  0x00007ffff7b8d25e in ssl_comp_free_compression_methods_int () at ssl/ssl_ciph.c:1806
#6  0x00007ffff7b8f305 in ssl_library_stop () at ssl/ssl_init.c:153
#7  0x00007ffff7810f31 in OPENSSL_cleanup () at crypto/init.c:412
#8  0x00007ffff6cdea49 in __run_exit_handlers () from /lib64/libc.so.6
#9  0x00007ffff6cdea95 in exit () from /lib64/libc.so.6
#10 0x00007ffff6cc7b3c in __libc_start_main () from /lib64/libc.so.6
#11 0x00000000004042e7 in _start ()
(gdb) info threads
  Id   Target Id         Frame 
* 1    Thread 0x7ffff7fed740 (LWP 10367) "client" 0x00007ffff787b036 in OPENSSL_sk_pop_free (st=0x6237c0, func=0x7ffff7b8d207 <cmeth_free>) at crypto/stack/stack.c:265

Better error handling

Explore better ways of error handling. Currently evt_tls returns the error code that OpenSSL returned.

This will be important for supporting mbedtls.

C test framework for testing evt

In order to make evt-tls production ready, we will need to run rigorous tests against it.

This issue is to evaluate a C testing framework for evt and use it for testing.

Do you think uv_multiplex would work in conjunction with this?

Asking because I wanted to know your opinion. I am looking for a multithreaded, high-performance TLS stream to message parsing framework, and so far your abstraction over OpenSSL for async and the example for libuv look like a potential win (obviously with a lot of work to switch from echo and make it more production ready...). But what do you think it would take to use https://github.com/willemt/uv_multiplex and make an example, say test_multicore_tls.c, in sample/libuv-tls?

Thanks again for the project...

Sample for making a HTTPS request from a client to a server

I'm struggling to integrate evt-tls with libuv in our client to make a POST request to our server over HTTPS, an example would be really useful.

I've read around and there are a few forks, some with test client and/or echo servers but no example of the above. Plus, given the different ages of the forks even these test clients don't work with latest.

Doesn't build against latest OpenSSL version

Running make, I get:

evt_tls.c:17:18: error: incomplete definition of type 'struct ssl_st'
    return t->ssl->server ? ENDPT_IS_SERVER : ENDPT_IS_CLIENT;
           ~~~~~~^

Building on Mac, very latest versions of OpenSSL and libuv.

API for CA path verification and its relatives

An API for adding and loading a CA file path needs to be added to evt.
Until this API comes up, we should use

/*Gives the ptr to SSL_CTX usable raw openSSL programming */
SSL_CTX *evt_get_SSL_CTX(const evt_ctx_t *ctx);

/*Gives the ssl usable for doing raw OpenSSL programming */
SSL *evt_get_ssl(const evt_tls_t *tls);

Partial Write

evt__tls__op fails to deal with the partial write of evt__send_pending, which makes the whole library unusable.
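As an added illustration for the evt_tls_feed_data assertion failure above and for this Partial Write issue, here is a constructed C model (not evt-tls code) of a bounded BIO-pair buffer: BIO_CAP uses the 17408 bytes the BIO accepted in the trace, PEND_CAP the 65536-byte libuv read chunk from the log, and fake_bio_write, feed_data and feed_pending are hypothetical names. It replaces assert(rv == sz) with accept-what-fits plus a pending queue that the caller drains after each engine round.

```c
#include <stddef.h>
#include <string.h>

#define BIO_CAP  17408   /* bytes the BIO took in the trace above; used as its capacity */
#define PEND_CAP 65536   /* one libuv read chunk, as in the log above */

typedef struct { unsigned char buf[BIO_CAP]; size_t len; } fake_bio_t;

/* Stand-in for BIO_write on a BIO pair: takes what fits and returns that count. */
static size_t fake_bio_write(fake_bio_t *b, const unsigned char *d, size_t sz) {
    size_t room = BIO_CAP - b->len, n = sz < room ? sz : room;
    memcpy(b->buf + b->len, d, n);
    b->len += n;
    return n;
}

/* The TLS engine consumed n bytes (what an SSL_read round does behind the scenes). */
static void fake_bio_drain(fake_bio_t *b, size_t n) {
    if (n > b->len) n = b->len;
    memmove(b->buf, b->buf + n, b->len - n);
    b->len -= n;
}

typedef struct {
    fake_bio_t bio;
    unsigned char pending[PEND_CAP]; /* network bytes the BIO could not take yet */
    size_t pending_len;
} conn_t;

/* Replacement for assert(rv == sz): accept what fits and queue the remainder.
 * Returns bytes accepted now, or -1 when the queue is full (reads should have
 * been paused, e.g. with uv_read_stop, until feed_pending drained it). */
static int feed_data(conn_t *c, const unsigned char *data, size_t sz) {
    size_t rv = fake_bio_write(&c->bio, data, sz), rest = sz - rv;
    if (rest > PEND_CAP - c->pending_len) return -1;
    memcpy(c->pending + c->pending_len, data + rv, rest);
    c->pending_len += rest;
    return (int)rv;
}

/* Call after each engine round: move queued bytes into the space it freed. */
static size_t feed_pending(conn_t *c) {
    size_t rv = fake_bio_write(&c->bio, c->pending, c->pending_len);
    memmove(c->pending, c->pending + rv, c->pending_len - rv);
    c->pending_len -= rv;
    return rv;
}
```

The same accept-what-fits-and-retry shape applies on the write side, where evt__send_pending must keep whatever the network layer did not take and resume from that offset.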

Libuv/evt-tls segfaults when trying to write to a socket which is closed by the other party

Libuv in this case just returns -1.

0  0x00007ffb845a1b54 in SSL_write () from /lib/x86_64-linux-gnu/libssl.so.1.0.0
1  0x000000000057f710 in evt__tls__op (conn=0x25a46c0, op=EVT_TLS_OP_WRITE, buf=0x253bd52, sz=236) at /home/vidi/dev/src/c/xmrigCC/src/3rdparty/evt-tls/src/evt_tls.c:260
2  0x000000000057fa85 in evt_tls_write (c=0x25a46c0, msg=0x253bd52, str_len=236, on_write=0x57eca0 <on_evt_write>) at /home/vidi/dev/src/c/xmrigCC/src/3rdparty/evt-tls/src/evt_tls.c:354
3  0x000000000057edae in uv_tls_write (stream=0x25a4680, buf=0x7ffc09a6d0a0, cb=0x5426d6 <Client::onTlsWrite(uv_tls_s*, int)>) at /home/vidi/dev/src/c/xmrigCC/src/3rdparty/evt-tls/src/uv_tls.c:187

If you need more info, please let me know.
