How to use OpenSSL in network kernel extension? - c

I'm building a network kernel extension which requires the OpenSSL library by including a few headers in some of my project files.
The problem is that OpenSSL includes stdlib.h (among other headers) which all throw errors (File not found). Same happens if I include stdlib.h in a project file.
I guess that's due to the fact that they are not available in the kernel.
So, how do I include them? What am I missing?
Otherwise, how do I include CommonCrypto or any crypto library in the kernel?
Thank you!

OpenSSL and CommonCrypto are userspace libraries. They are not available in the kernel.
Some parts of CoreCrypto are available in the kernel under <libkern/crypto/…> and <corecrypto/…>. Generally speaking, however, this is limited to cryptographic primitives (AES, RSA, SHA, etc), not higher-level tools like X509 certificate parsing, key exchange algorithms, or TLS.

Related

Security vulnerability reported as backdoor when using OpenSSL's librypto.a library

My C code uses librypto.a library to link to the compiled source code at the final stage for implementing RSA algorithm.
When a vulnerability scan was done, it comes back with a YARA signature match for the following:
YARA signature "ldpreload" classified file as as "backdoor" based on indicators: "dlopen,dlsym,fopen,fopen64,__fxstat,accept,Accept,open,Open,OPEN,opendir,readdir"
This is because I use the libcrypto.a library from Open SSL. I thought this is a widely used library for implementing crypro algorithms. How to mitigate this issue? Should try to get this whitelisted as I was not able to find any other way of implementing RSA in C without having to use OpenSSL libraries.

Browsing directories on remote linux server in C

On a local computer you can make use of the dirent.h library in C to browse files and folders. How would you do this on a remote linux computer? Would you pipe the readdir() commands through an ssh connection? I would like to achieve this without using any non-standard libraries.
Use an SSH library like libssh.
http://api.libssh.org/stable/
It includes an API for SFTP and SCP which are the file manipulation components of SSH.
http://api.libssh.org/stable/group__libssh__sftp.html
There is a tutorial available here:
http://api.libssh.org/master/libssh_tutor_sftp.html
There is example code for "Listing the contents of a directory" in that linked page.
I would like to achieve this without using any non-standard libraries.
That just isn't feasible. While the libraries included in your Linux distribution (including source header files and directly linkable blobs) probably do include libssh owing to its ubiquity, it isn't "standard" because the C standard library doesn't mention SSH/SFTP (or even have a file-system API!) nor does POSIX.
SSH (and SFTP) is a relatively recent protocol - it was only created in 1995 and didn't see wide adoption until the late-1990s (people were still using rlogin, rsh, standard FTP, or even TELNET) - it's predated by FTP, HTTP, SMTP, and SSL/TLS.
(Remember C is very minimal - my perception is that it's a language used to manipulate and iterate over memory - everything else, even syscalls, are not part of the C standard - which is why you can compile C to JavaScript, for example, you just can't do anything fun because you can't syscall from JavaScript)

C unix, asymmetric encryption on a socket

i have a client/server application in C unix, and i need to encrypt/decript the data with something like RSA (but not necessarly RSA). Is there a library (and the correspondent documentation) for this kind of function?
You can take a look at SSL/TLS C API.
For a Client/Server Application, the best way to ensure security is by using TLS/SSL.
The latest version of TLS is TLS 1.2 (RFC 5246) and as WagnerVaz has rightly mentioned, the best opensource library available fro TLS is OpenSSL .OpenSSL not only provides the library for TLS/Crypto. But, it also provides you a tool for generating certificates & private keys (based on RSA/DSA etc) on various formats.
Though OpenSSL is the finest TLS Library available in the market, it is a little difficult to understand and use for a first timer. There is a very wonderful tutorial written by Eric Rescorla himself on using OpenSSL.
An Introduction to OpenSSL Programming (Part - I) /
An Introduction to OpenSSL Programming (Part - II)
It would be best if you first try to get some idea as to what is SSL and then start writing code for the same.
Alternately, let's say you are interested only in assymetric encryption / decryption, still OpenSSL's Crypto Libraries can be used.

automatically linking socket shared library in *nix

I am learning network programming through the sample source codes from this link http://cs.baylor.edu/~donahoo/practical/CSockets/textcode.html. During the compilation, just wondering why in Solaris environment, i have to manually link socket and nsl library in the make file but when in the linux machine, i dont need to do that ?
Documentation used: http://developers.sun.com/solaris/articles/solaris_linux_app.html
This is because linux's libc, the glibc (-lc, which is linked by default to all programs) includes socket part of POSIX; and nis/nis+ dynamic libraries in linux are loaded dynamically by libc too.
But in Solaris, there are a lot of libraries with basic functionality, which are not in libc.
(libc, libucb, libmalloc, libsocket, libxnet, etc). I think, it was a design solution to allow user link only parts of API he needs.
In linux there are some basic libraries outside libc too: libaio, librt, libm.
With separate library it is easier to update only some parts of system; and it is possible to have several implementations (e.g. to provide greater compatibility/workarounds with older versions of UNIX) of some libraries coexisting in same system.
This question is discussed a lot, e.g. http://web.archiveorange.com/archive/v/KcxCHdLNpD6NANxmAt3b http://mail.opensolaris.org/pipermail/opensolaris-code/2007-January/010316.html
are seriously considering folding libnsl and libsocket into libc.
It would be nice to move ONLY the current POSIX-based and other
standards-based functionality (Unix98 etc.) libnsl+libsocket functions
to libc and keep all the compatibilty-wrapper stuff in libnsl/libsocket
to avoid that libc gets bloated with 20years of Unix
backwards-compatibility workarounds
Because in Linux, the entire networking API is implemented in libc.so which is linked into every C program by default, while in Solaris, its implemented in separate libraries.

Small RSA or DSA lib without dependencies

Is there a small library for RSA or DSA without any dependencies like GMP or OpenSSL? (Written in C or Asm)
You may find LibTomCrypt useful. It's written in C, supports RSA and DSA (along with a host of other algorithms), and is public domain software. You can read about it here.
Take a look at axTLS it's a BSD licensed TLSv1 SSL in C for embedded systems. It's built for POSIX sockets, but is easily ported.
The one thing it's missing is RSA key generation, but it can read X.509 certificates.
It's about 32KB of code space with a small RAM footprint.
Okay I found myself one after searching not so common coder sites http://z0mbie.daemonlab.org/ it's under PGP/RSA-RELATED if someones interested. But are there any others?

Resources