Get OpenSSL custom extension added by client - c

I've been trying to get custom client extensions on the client hello, but I don't know how to issue a method like get_custom_ext or similar.
Firstly we add the extension on the client side with SSL_CTX_set_custom_cli_ext:

    int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
                                      custom_ext_add_cb add_cb,
                                      custom_ext_free_cb free_cb, void *add_arg,
                                      custom_ext_parse_cb parse_cb,
                                      void *parse_arg);

Now the client adds one extension on every ClientHello, but how can the server get the custom added extension properly?

It looks like you can register the same custom extension on the server, and use whether or not the add_cb callback is called to detect whether the client proposed the extension.

    For the ServerHello and EncryptedExtension messages every registered
    add_cb is called once if and only if the requirements of the specified
    context are met and the corresponding extension was received in the
    ClientHello. That is, if no corresponding extension was received in
    the ClientHello then add_cb will not be called.

(https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_server_custom_ext.html#EXTENSION-CALLBACKS)
I.e., do the corresponding

    int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
                                      custom_ext_add_cb add_cb,
                                      custom_ext_free_cb free_cb, void *add_arg,
                                      custom_ext_parse_cb parse_cb,
                                      void *parse_arg);

and let your add_cb callback mark the context (or another data structure) to indicate that this connection used the custom extension.

Related

How to duplicate a SSL_CTX object in a TLS application?

I have an application in C that uses OpenSSL for a TLS v1.2 implementation.
The application shall open multiple remote connections to remote servers running the same version of TLS. I have a single set of key, certificate and CA certificate to be used for all connections.
I need to maintain the SSL_CTX object for each client separately. But I wish to create a single global SSL_CTX context object and configure it once with the following:

    SSL_CTX_set_ecdh_auto()
    SSL_CTX_use_certificate_file()
    SSL_CTX_use_PrivateKey_file()
    SSL_CTX_set_verify()
    SSL_CTX_set_options()
    SSL_CTX_load_verify_locations()
    SSL_CTX_set_verify_depth()

And then, for each connection initiated by the application, I can duplicate (make a copy of) the above configured context ctx and call SSL_new() directly, without going through the listed steps over and over for each client.
Does OpenSSL provide any function to duplicate the SSL_CTX object?
If not, is there any other safe way to do so, like memcpy() etc.?
SSL_CTX is reference counted. It means it will be freed when its reference count reaches zero.
So rather than copying SSL_CTX, just increase its reference count with SSL_CTX_up_ref() and use the same object. As a result, your code will be something like this:

    SSL_CTX *g_ssl_ctx = nullptr;
    //...
    //init g_ssl_ctx
    //...
    SSL_CTX *get_client_ctx() {
        SSL_CTX_up_ref(g_ssl_ctx);   // caller owns one reference and must SSL_CTX_free() it
        return g_ssl_ctx;
    }

Callback not found for topic using C SDK for IBM Watson

I start from the example found at ibm-watson-iot.github.io
I define my device on Watson IoT
I create my C device snippet using deviceSample.c and it sends an event

    {"d": {"SensorID":"Test","Reading": 99}}

I see the event in the Watson IoT platform correctly.
But when I try to manage the event from my C application I catch the following error:

    iotp_async.c iotp_client_messageArrived 1320: ERROR: Callback not found for topic. topic: iot-2/type/semaforo/id/1002/evt/status/fmt/json

From my client log I take the following message:

    iotp_client_setHandler 1176: INFO: Handler (type=AppEvent) is added. Topic=iot-2/type/+/id/+/evt/+/fmt/+

Does this message mean that my code is subscribed to the event?
In my C code I define a callback event function using

    IoTPApplication_setEventHandler
        (application, applicationEventCallback,
         devType, devId, eventName, format
        );

where my applicationEventCallback is

    void applicationEventCallback (char* type, char* id,
                                   char* eventName, char *format, void* payload, size_t payloadSize);

Why does my client not manage the incoming event correctly?
A fix for the issue is delivered in the GitHub project:
https://github.com/ibm-watson-iot/iot-c
For details, refer to:
https://github.com/ibm-watson-iot/iot-c/pull/10
Thanks to Ranjan for the collaboration and the fix.

send_v3trap context value

I am developing a shared library and subagent for net-snmp. I need to send v3 traps for specific hardware events. I would like to know what value needs to be filled in the context value of the send_v3trap API.

    void send_v3trap(netsnmp_variable_list * vars, const char * context)

Is this context value the same as the user-defined engine ID, i.e. the one which needs to be configured in snmptrapd.conf as below?

    createUser -e ENGINEID myuser SHA "my authentication pass" AES "my encryption pass"

More on configuring in this link.
There is example source code available for sending v2traps.
By looking at the net-snmp source code, send_v3trap internally calls send_v2trap and eventually:

    /* A context name was provided, so copy it and its length to the v2 pdu
     * template. */
    if (context != NULL)
    {
        template_v2pdu->contextName = strdup(context);
        template_v2pdu->contextNameLen = strlen(context);
    }
Answering my own question.
The "context" value can be filled with either the value returned by "snmpv3_get_engineID" or NULL.
As long as the v3 configuration is proper, i.e. trapsess -v3 is specified on the host and the net-snmp engineid is specified on the target, everything works fine.
The only part still unclear is: if someone is able to send v3 traps without specifying "context", in which scenario would it really be useful?

Passing a FD to an unnamed pipe over DBus using Vala

I'm trying to send a large block of data between applications by sending a control message over DBus from one to the other requesting a Unix file descriptor. I have it so that the client can request this, the server creates a DBus message that includes a UnixFDList, and the client receives a reply message, but it doesn't contain anything. On the server side in Vala the DBusConnection object is set up using register_object; unfortunately the Vapi hides the DBusInterfaceVTable parameter that all the C examples use that would let me specify a delegate for method calls. I've tried to use register_object_with_closures instead, but I can't seem to get that to work and the Closure object in Vala is woefully undocumented.
It seems to me that I need one of these methods in order to receive the message from the DBusMethodInvocation object that you get from a call to the DBusInterfaceMethodCallFunc delegate, with that you can create a reply message. Is there a way to either specify a closure class that works with register_object_with_closures, or a way to specify a DBusInterfaceVTable object as part of the service data?
I know that one option is to just create the service in C, but I'd rather figure out and understand how this works in Vala.
Vala uses UnixFDList internally for methods that contain a parameter of type GLib.UnixInputStream, GLib.UnixOutputStream, GLib.Socket, or GLib.FileDescriptorBased.
Example:

    [DBus(name="eu.tiliado.Nuvola")]
    public interface MasterDbusIfce: GLib.Object {
        public abstract void get_connection(
            string app_id,
            string dbus_id,
            out GLib.Socket? socket,
            out string? token) throws GLib.Error;
    }

Hapi API: how to modify the Message ACK ID behaviour

I am using the following code to generate a message ACK:

    public static Message process(Message in) throws Exception {
        ADTReceiverQueue.getInstance().submit(in);
        Message out = in.generateACK();
        return out;
    }

This generates the following warning:

    FileBasedGenerator - Could not write ID to file /var/lib/tomcat7/./id_file, going to use internal ID generator. /var/lib/tomcat7/./id_file (Permission denied)

I can obviously set permissions to remove the warning; however, I am wondering how to tell HAPI to use the internal ID generator, or possibly a generator where the ID is stored in a database?
HAPI provides the IDGenerator interface to allow different implementations of ID generation. If you look at the JavaDoc for that interface you'll find a bunch of different options for doing ID generation, and you could certainly roll your own too.
Actually setting the ID generator is easy enough: you just need to set it on the ParserConfiguration, which is stored in the context.

    HapiContext ctx = new DefaultHapiContext();
    ctx.getParserConfiguration().setIdGenerator(new FileBasedHiLoGenerator());

If you use that context object to create your server then you're done; if you didn't, you can explicitly set it on the received message before generating an ACK.

    in.setParser(ctx.getPipeParser());

-James
