Add SSL support to an open source application - c

I need Mosquitto http://mosquitto.org to work with SSL.
I've read several examples with OpenSSL, but as I've never worked with sockets in C, can someone tell me what I have to change for my existing sockets? (Accept, write, read?)
Thank you very much

My understanding is that after you've called accept(), you then have to configure the socket for use with OpenSSL - assuming you've also already configured the library for use as well.
After that, you can use SSL_read() and SSL_write() instead of read() and write().
When you want to close the socket, you need to disable SSL support before calling close().
It's a reasonable undertaking for certain - the socket code isn't really the problem, it's understanding what you need to do to start and stop the TLS support and ensuring that you don't miss something out which could lead to vulnerabilities.

Related

Partially Porting PJLIB - Without IOQUEUE, select abstraction, and socket abstraction API

I would like to use the PJSIP library to implement a small SIP softphone on an embedded system. Since this embedded system does not offer Linux or support POSIX, I would like to port the PJLIB library only partially, as described here (https://www.pjsip.org/porting.htm#mozTocId30930). The threading function can be deactivated via a macro, but I'm not quite sure yet how I have to set up this new transport function or where exactly it has to be included so that I can also bypass the IOQUEUE implementation and the PJLIB socket abstraction.
On my embedded system (Keil RTX) I can allocate a UDP socket and register a callback which is called on a network event. I also have a send function which I can use to send data packets. Although I have already looked into the stack, I can't find a way to get started.
Has anyone already dared to do the partial porting and can give me brief assistance? Thank you!
See how Symbian port worked (I think it might be removed from recent versions, but it should be still downloadable) - it was also based on non-POSIX sockets. Create your own platform-specific socket file and ioqueue file.

Client/Server communication using TCP/IP under TLS 1.3

I want to write a client and server in C preferably, simple C++ if necessary.
The server will run on some flavor of Linux, the client is for testing the server.
I want to ensure messages are received and error free; therefore I will use TCP.
I want them to communicate securely; thus I will use the latest version of TLS (v1.3).
I intend to use the GnuTLS library for reasons:
Actively updated by reputable open source project
License permits selling product
Given the above, if implemented and tested, I could claim that the client/server communication is secure, reliable (a.k.a. assured), and error-checked. Yes?
Am I missing something? Is anything patently false?
Edit: certificates... I think I'm missing something about certificates to protect against man in the middle attacks...
TLS is a complex topic. Depending on your specific code the TLS connection might succeed even if you fail to properly validate the certificate. Thus, just based on what you state so far in your question it cannot be assured that the data are transferred with proper end-to-end protection and that no man in the middle can manipulate the data.

How do you determine the PID of a peer TCP connection on the same iOS device?

For reasons I'd rather not go into (has to do with compatibility with a third-party library that I cannot change), I need to use a TCP socket to do IPC within a single process in iOS.
In order to prevent other processes from talking to my TCP IPC socket, I'd like to verify with the OS that the process calling connect() (from another thread) has the same PID as my own.
On OS X I noticed that netstat does not have this information (unlike other OSes such as Windows and Linux) and the only way I was able to determine this information was using lsof. I am not sure what might be available in the iOS sandbox, but so far it seems like my best bet (even though it seems expensive) is to figure out what lsof is doing and try to replicate that.
Does anyone know of a system call I can use in order to check this? I've already read through getsockopt(2) and don't see anything that applies, and I can't find documentation about what ioctl(2) calls are supported.
What might be possible here?
Wow, that sounds like a terrible API for an in-process library.
getpeername on the receiving end should match getsockname of the sending end. You could try to match it up with all open fds in the local process.
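
The matching suggested in the answer above, as an added C example using only POSIX socket calls (not code from the original post). `find_local_peer_fd` and `demo_same_process` are hypothetical names, the code handles IPv4 only, and the loopback connection in the demo is constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the local fd whose getsockname() equals getpeername(accepted_fd),
 * or -1 if no descriptor in this process owns the connecting endpoint. */
int find_local_peer_fd(int accepted_fd)
{
    struct sockaddr_in peer, mine;
    socklen_t len = sizeof peer;
    if (getpeername(accepted_fd, (struct sockaddr *)&peer, &len) != 0 ||
        peer.sin_family != AF_INET)
        return -1;
    long max_fd = sysconf(_SC_OPEN_MAX);
    if (max_fd < 0 || max_fd > 65536) max_fd = 65536;  /* bound the scan */
    for (int fd = 0; fd < max_fd; fd++) {
        if (fd == accepted_fd) continue;
        len = sizeof mine;
        if (getsockname(fd, (struct sockaddr *)&mine, &len) != 0)
            continue;                     /* not open, or not a socket */
        if (mine.sin_family == AF_INET &&
            mine.sin_port == peer.sin_port &&
            mine.sin_addr.s_addr == peer.sin_addr.s_addr)
            return fd;                    /* sender lives in this process */
    }
    return -1;
}

/* Constructed demo: connect to ourselves over loopback, then check that the
 * accepted socket's peer is matched to our own client descriptor. */
int demo_same_process(void)
{
    struct sockaddr_in a = {0};
    socklen_t len = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    int cl = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks */
    if (bind(ls, (struct sockaddr *)&a, sizeof a) || listen(ls, 1) ||
        getsockname(ls, (struct sockaddr *)&a, &len) ||
        connect(cl, (struct sockaddr *)&a, sizeof a))
        return -1;
    int srv = accept(ls, NULL, NULL);
    int match = find_local_peer_fd(srv);
    close(srv); close(ls); close(cl);
    return match == cl;
}
int main(void) { return demo_same_process() == 1 ? 0 : 1; }
```

A connection is rejected by closing the accepted socket whenever `find_local_peer_fd` returns -1.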

Confused about OpenSSL non-blocking I/O

In general, the OpenSSL library (C API) seems to offer two ways to do everything: you can either use plain system sockets configured to your liking, or you can use OpenSSL BIO objects which are sort of like streams.
However, I'm often confused by some of the duplicated functionality. For example, how do you make an SSL connection non-blocking? One way seems to be to simply access the underlying file descriptor and set it to non-blocking using fcntl. But there is also an OpenSSL API function called BIO_set_nbio which takes in a BIO* object and sets it to non-blocking mode.
So what is the best way to set up a non-blocking SSL socket? What happens if you pass OpenSSL a native file descriptor which is already set to non-blocking mode via fcntl? Do you still need to specifically call BIO_set_nbio to make the BIO object non-blocking?
I think most people prefer the BIO interface, but the BIO routines just use whatever native non-blocking socket APIs that are available on the platform. I don't know what happens if you mix and match.
Note that non-blocking I/O for SSL is much trickier than for TCP in general. If you don't understand this going in you're going to be torturing yourself. There are books by John Viega and another by Eric Rescorla that go into this, and you can certainly read the OpenSSL mailing list to get a sense of the heartburn this has caused. Some good code examples showing non-blocking SSL programming with OpenSSL are contained in the software for the TOR project, and the curl utility.

Bind a client's local IP through SSL

I'm looking to add SSL support to a client application written in C/C++ that I'm developing (it is multi-platform, designed to work on Linux and Windows). OpenSSL documentation is pretty poor, but I found a good working tutorial here. To my knowledge, however, there is no way to bind the socket to a local IP address using the BIO handle. There is a rather old ticket on the OpenSSL bug tracker that addresses this, but I think that no solution has been found (one comment suggests using BIO_get_accept_socket, but that will obviously not work for my client application). Any suggestions, solutions, or alternative libraries that offer this kind of functionality?
You can just create, bind and connect the socket yourself, then use SSL_set_fd to pass the socket to OpenSSL, followed by SSL_connect to set up the session.
