Adding a TLS/SSL layer to communications..? - c

My stuff is made with several components among which some are written in C. As I would like to add some security features, I am thinking of communicating over an SSL/TLS layer.
Could you advise me some good lib to do this (if possible) ?

GnuTLS (Please note that it is mainly LGPL not GPL so you can link to it). At least I prefere it's API over OpenSSL.
Also there is Mozilla's NSS.

We use axTLS which works great on both our server (.NET) and our embedded systems (Linux and uClinux). We had problems getting OpenSSL to work well on uClinux.
axTLS is not as feature complete as OpenSSL yet so make sure it meets your requirements before using it.

How about OpenSSL?

I would suggest not spending your time trying to implement an SSL function in your app. Instead, you could just use an existing SSL-tunnel software, which creates an SSL tunnel in front of your existing socket application.
Internet --- [SSLTunnel] --- Your App
For example, you could tell the SSL tunnel to listen on port 443 (https) and forward all decrypted packets to port 80 (http). For your custom application, it will just see decrypted packets.
There are plenty of free apps that do it. Just google for one.

CyaSSL would be an excellent choice to consider. This is an embedded SSL library written in C which has been optimized for speed and size. It can be up to 20 times smaller than OpenSSL, and can be quite a bit faster as well.
Among the feature list are a minimum size of 30-100kb and an OpenSSL compatibility layer. The full feature list can be found on the yaSSL website here:
http://www.yassl.com/yaSSL/Products_cyassl.html.
It is dual licensed under the open source GPLv2 as well as a commercial license (for support). It is updated very frequently with new features. I think one of the cool features is support for the RABBIT and HC-128 stream ciphers from the eStream project.

Related

How to use libraries in codename one?

I am wondering about the limitations of using libraries in code name one. Specifically, I would like to use a specific http client library that uses nio but I am not sure if that will even work in code name one. There is an http1 client and an http2 client here
https://github.com/deanhiller/webpieces
Can the nio stuff actually be compiled into iOs? or does it have to be synchronous socket http client implementations?
thanks,
Dean
It won't work and you can't. This article is from 2016 but it's still mostly accurate. The gist of it is that most of these APIs aren't essential and if we add all of them performance/size would balloon to huge numbers.
E.g. a Codename One application can weigh less than 3mb for iOS production builds with 32 and 64 bit support. Our closest competitors clock at 50mb for the same functionality with only 64bit support. This isn't just a matter of size, it's a matter of quality (QA), maintenance etc.
This also reduces portability as we have to test this on all ports including iOS, UWP, Web etc.
Having said that we're open to adding things and have added some features to the core since the publication of that article. But either way, you can't just use an arbitrary jar and need to use a cn1lib.

Small portable digital signing and verification library

I'm looking for a library that allows me to authenticate data sent to embedded modules. Due to the hardware constraints, it needs to be of small footprint (both code and memory wise) and yet have security comparable to RSA-1024.
The requirements are as follows
Verification on embedded modules (custom CPUs, with only a C89 compiler available)
Signing and verification in Windows (C/C++ code)
Signing in Java (some data needs to be generated via a webpage, so Java would be a big perk)
I would very much like to not have to implement a PKCS #1 v1.5/PSS-like system myself, but I haven't been able to find any good libraries that match the above requirements. Open source would be nice, but commercial solutions are of equal interest. Note that I need access to the C-code, since it has to be recompiled for the custom CPUs.
NaCl looks promising, but it seems to be in development still.
I've had a look at OpenSSL, but it does a lot more than digital signatures and stripping out just the signature verification code was non-trivial.
Am I looking at it the wrong way?
I tried implementing SHA+RSA first, but I wasn't sure if the padding step was correct (which means that it probably wasn't secure), so I decided to post here instead for help.
EDIT: Clarification, only the verification part have the tough constraints on it. Signature and key generation will run on normal PCs.
Take a look at mbed TLS (formerly known as PolarSSL):
mbed TLS (formerly known as PolarSSL) makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products, facilitating this functionality with a minimal coding footprint.
How can implement such a kind of solution is related to CPU and memory architecture that we have available, therefore would have to tell me more about your system. The first way would be to develop this on the cloud. Another alternative would be SCL. Also, you can found some answers on Small RSA or DSA lib without dependencies

C unix, asymmetric encryption on a socket

i have a client/server application in C unix, and i need to encrypt/decript the data with something like RSA (but not necessarly RSA). Is there a library (and the correspondent documentation) for this kind of function?
You can take a look at SSL/TLS C API.
For a Client/Server Application, the best way to ensure security is by using TLS/SSL.
The latest version of TLS is TLS 1.2 (RFC 5246) and as WagnerVaz has rightly mentioned, the best opensource library available fro TLS is OpenSSL .OpenSSL not only provides the library for TLS/Crypto. But, it also provides you a tool for generating certificates & private keys (based on RSA/DSA etc) on various formats.
Though OpenSSL is the finest TLS Library available in the market, it is a little difficult to understand and use for a first timer. There is a very wonderful tutorial written by Eric Rescorla himself on using OpenSSL.
An Introduction to OpenSSL Programming (Part - I) /
An Introduction to OpenSSL Programming (Part - II)
It would be best if you first try to get some idea as to what is SSL and then start writing code for the same.
Alternately, let's say you are interested only in assymetric encryption / decryption, still OpenSSL's Crypto Libraries can be used.

high performance application webserver in C/C++

Is there any high performance (ideally evented and open source) web server in C or C++?
I'd like to be able to use it in that it calls a method/function in my application with a filled out HTTP Request class/struct, and then I can return a filled out HTTP Response class/struct to it.
If it isn't open source, I'd need built in support for long-polling connections, keep-alive, etc—otherwise, I think that I can add these things myself.
If you don't know of any such servers available, would you recommend writing my own web server to fit the task? It cannot be file-based, and must be written in high-performance C/C++.
Edit: I'm thinking something like the Ruby Mongrel for C, if that helps.
I had the very same requirements for my job, so I evaluated a number of solutions: mongoose, libmicrohttpd, libevent. And I also was thinking about writing nginx modules. Here is the summary of my findings:
nginx
nginx project page
I love this server and use it a lot. Its performance and resource usage is much better than that of Apache, which I also still use but plan migrating to nginx.
Very good tunable performance. Rich functionality. Portability.
Module API is not documented and seems to be very verbose. See this nginx hello world module as example.
Nginx does not use threads but uses multiple processes. This makes writing modules harder, need to learn nginx API for shared memory, etc.
mongoose
mongoose project page
All server's code is in single mongoose.c file (about 130K), no dependencies. This is good.
One thread per connection, so if you need concurrency you've got to configure lots of threads, ie. high RAM usage. Not too good.
Performance is good, although not exceptional.
API is simple but you have to compose all response HTTP headers yourself, ie. learn HTTP protocol in detail.
libmicrohttpd
libmicrohttpd project page
Official GNU project.
Verbose API, seems awkward to me, although much more simple than writing nginx modules.
Good performance in keep-alive mode (link to my benchmarks below), not so good without keep-alive.
libevent
libevent project page
Libevent library has built-in web server called evhttp.
It is event based, uses libevent for that.
Easy API. Constructs HTTP headers automatically.
Officially single-threaded. This is major disadvantage. I've found a hack, which makes several instances of evhttp run simultaneously accepting connections from the same socket. Not sure if it is all safe and robust.
Performance of single-threaded evhttp is surprisingly poor. Multi-threaded hack works better, but still not good.
G-WAN
G-WAN project is not open source, but I'd like to say a few words about it.
Very good performance, low memory usage, 150 KB executable.
Very convenient 'servlet' deployment: just copy .c file into csp directory, and running server automatically compiles it. Code modifications also compiled on the fly.
Simple API. Although constrained in some ways. Rich functionality (json, key-value store, etc.).
Unstable. I had segfaults on static files. Hangs on some sample scripts. (Experienced on clean install. Never mixed files of different versions).
Only 32-bit binary (not anymore).
So as you can see, none of existing alternatives have fully satisfied me. So I have developed my own server, which is ...
NXWEB
NXWEB project page
Feature highlights:
Very good performance; see benchmarks on project page
Can serve tens of thousands concurrent requests
Small memory footprint
Multi-threaded model designed to scale
Exceptionally light code base
Simple API
Decent HTTP protocol handling
Keep-alive connections
SSL support (via GNUTLS)
HTTP proxy (with keep-alive connection pooling)
Non-blocking sendfile support (with configurable small file memory cache; gzip pre-encoded file serving)
Modular design for developers
Can be run as daemon; relaunches itself on error
Open source
Limitations:
Depends on libev library (not anymore)
Only tested on Linux
I would suggest to write a FastCGI executable that can be used with many high performance web servers (even closed source ones).
mongoose: one file. simple and easy to use. not an asycn io but perfect for embedded and particular purposes.
gwan. excellent. no crashes. ultra well planned configuration. very smart and easy for c/c++ development in other words, very clean sensible api compared to nginx. provides a thread per core. or whatever you specify. a great choice. largest disadvantage (maybe im lacking in this area): cannot step thru code.
libevent: single thread is not a disadvantage on a single core machine. afterall its point is an async i/o. does have multithreads for other cores.
nginx: no personal experience. gaining serious ground on a-patchy server. (terribly confusing api)
boost asio: a c++ library for asynchio (asio). awesome. needs a friendly higher-level api for simpletons like myself. and others who come from php, java, javascript, node.js and other web languages.
python bottle: awesome 1 file lib (framework/system) that makes it easy to build python web apps. has/is a built in httpd server, like libevent and node.js
node.js: javascript asyncio server. an excellent selection. unfortunately, have to program in javascript that does become tedious. while there is something to be said for getting the job done; there is also something to be said for enjoying yourself during the process. hopefully no ones comes up with node.php
I'm going to suggest the same thing as Axel Gneiting - but have provided an answer with my reasons for taking this approach:
1) HTTP is not trivial as a protocol - writing your own server or amending an off-the-shelf solution is a very complex task - a lot more complex than using the available APIs for implementing a separate processing engine
2) Using (an unmodified) mainstream webserver should provide you with more functionality than you require (so you've got growing room).
3) Using (an unmodified) mainstream webserver will usually mean that it has been far more extensively tested and documented than a homebrew system.
4) .. and its more likely to be secure and stable.
5) Using fastCGI you can use all sorts of languages to develop your back-end processing in - including C++ and C. There are standard toolkits available to facilitate this.
6) alternatively many webservers provide support for running interpreter engines in-process (e.g. mod_php, mod_perl). I'd advise against running your own native code as a module though.
It cannot be file-based.
Eh? What does that mean?
I'm an avid nginx user; nginx is written in C; nginx seems like it could work for you. If you want the very best speed out of nginx, I would make a nginx module. Here are 3rd party modules which you can examine to get an idea of what it requires.
As for the long polling requirement, you might want to have a look at the http push modules.

LDAP C SDK

I need to write a simple LDAP client in C. The only binary distributions I found are old and also lack SSL tools needed to implement an SLDAP connection. A complete and up to date distribution that I found is that of Mozilla however it is in source code format and I have not been able to compile it into binary form for windows.
I used the instructions described here: https://wiki.mozilla.org/LDAP_C_SDK. I got up to the step where apparently I now need to use nsinstall but I don't know how this is done. Does anyone know how nsinstall is to be used.? Alternatively, does anyone know of an existing binary distribution of the LDAP C sdk for windows? I also need the ssl libraries and associated tool for configuring the keystore.
thanks,
Mike
I used The Google a bit and ended up with this site that has Windows distributions of OpenLDAP: http://www.symas.net/portal/
OpenLDAP is heavily used on *NIX platforms, less commonly on Win32, but these folks seem to have done the heavy lifting for you. Good luck!
Oh, and for docs and API reference, hit http://www.openldap.org

Resources