From c6e5b9987b5af05709d09c342917acb90cdcda7d Mon Sep 17 00:00:00 2001 From: Mario Fetka Date: Wed, 3 Jun 2026 08:00:44 +0000 Subject: [PATCH] Add reduced mars-nwe OpenSSL compatibility layer --- CMakeLists.txt | 29 +- README.md | 24 ++ matrixssl/openssl_compat.c | 556 +++++++++++++++++++++++++++++++++++++ openssl/bio.h | 24 ++ openssl/err.h | 4 + openssl/pem.h | 4 + openssl/ssl.h | 92 ++++++ openssl/x509.h | 4 + 8 files changed, 730 insertions(+), 7 deletions(-) create mode 100644 matrixssl/openssl_compat.c create mode 100644 openssl/bio.h create mode 100644 openssl/err.h create mode 100644 openssl/pem.h create mode 100644 openssl/ssl.h create mode 100644 openssl/x509.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 17ba7b7..b2abf71 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -7,7 +7,7 @@ include(GNUInstallDirs) option(MATRIXSSL_BUILD_SHARED "Build MatrixSSL as a shared library" ON) option(MATRIXSSL_BUILD_STATIC "Build MatrixSSL as a static library" OFF) option(MATRIXSSL_DISABLE_TLS13 "Disable TLS 1.3 in the generated CMake configuration" ON) -option(MATRIXSSL_BUILD_OPENSSL_COMPAT "Build MatrixSSL OpenSSL compatibility sources when this source tree provides them" OFF) +option(MATRIXSSL_BUILD_OPENSSL_COMPAT "Build the mars-nwe reduced OpenSSL compatibility layer" ON) set(MATRIXSSL_CONFIG "default" CACHE STRING "MatrixSSL configuration directory under configs/") set(MATRIXSSL_LIBRARY_PREFIX "" CACHE STRING "Prefix added to installed library output names, e.g. 'nw' for libnwmatrixssl") set(MATRIXSSL_INSTALL_INCLUDE_SUBDIR "matrixssl" CACHE STRING "Header install subdirectory below CMAKE_INSTALL_INCLUDEDIR") @@ -194,8 +194,7 @@ set(MATRIXSSL_CRYPTO_SOURCES crypto/crypto_sign/ps_ed25519.c) set(MATRIXSSL_OPENSSL_COMPAT_SOURCES - matrixssl/opensslApi.c - matrixssl/opensslSocket.c) + matrixssl/openssl_compat.c) set(MATRIXSSL_HAVE_OPENSSL_COMPAT TRUE) foreach(_matrixssl_compat_source IN LISTS MATRIXSSL_OPENSSL_COMPAT_SOURCES) @@ -204,12 +203,12 @@ foreach(_matrixssl_compat_source IN LISTS MATRIXSSL_OPENSSL_COMPAT_SOURCES) endif() endforeach() if(MATRIXSSL_BUILD_OPENSSL_COMPAT AND NOT MATRIXSSL_HAVE_OPENSSL_COMPAT) - message(FATAL_ERROR "MATRIXSSL_BUILD_OPENSSL_COMPAT=ON was requested, but this MatrixSSL source tree does not contain opensslApi.c/opensslSocket.c") + message(FATAL_ERROR "MATRIXSSL_BUILD_OPENSSL_COMPAT=ON was requested, but the mars-nwe reduced OpenSSL compatibility source is missing") endif() -if(MATRIXSSL_HAVE_OPENSSL_COMPAT) - message(STATUS "MatrixSSL OpenSSL compatibility sources found") +if(MATRIXSSL_BUILD_OPENSSL_COMPAT) + message(STATUS "Building mars-nwe reduced OpenSSL compatibility layer") else() - message(STATUS "MatrixSSL OpenSSL compatibility sources not found; building native MatrixSSL API only") + message(STATUS "Building native MatrixSSL API only") endif() set(MATRIXSSL_TLS_SOURCES @@ -319,6 +318,19 @@ if(MATRIXSSL_BUILD_STATIC) endif() endif() +if(MATRIXSSL_BUILD_OPENSSL_COMPAT) + if(MATRIXSSL_BUILD_SHARED AND NOT TARGET OpenSSL::SSL) + add_library(OpenSSL::SSL ALIAS matrixssl) + elseif(MATRIXSSL_BUILD_STATIC AND NOT TARGET OpenSSL::SSL) + add_library(OpenSSL::SSL ALIAS matrixssl_static) + endif() + if(MATRIXSSL_BUILD_SHARED AND NOT TARGET OpenSSL::Crypto) + add_library(OpenSSL::Crypto ALIAS matrixssl) + elseif(MATRIXSSL_BUILD_STATIC AND NOT TARGET OpenSSL::Crypto) + add_library(OpenSSL::Crypto ALIAS matrixssl_static) + endif() +endif() + if(MATRIXSSL_BUILD_SHARED) install(TARGETS matrixssl EXPORT matrixsslTargets LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} @@ -347,6 +359,9 @@ install(DIRECTORY crypto/ install(DIRECTORY matrixssl/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${MATRIXSSL_INSTALL_INCLUDE_SUBDIR}/matrixssl FILES_MATCHING PATTERN "*.h") +install(DIRECTORY openssl/ + DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${MATRIXSSL_INSTALL_INCLUDE_SUBDIR}/openssl + FILES_MATCHING PATTERN "*.h") install(EXPORT matrixsslTargets NAMESPACE MATRIXSSL:: DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/matrixssl) diff --git a/README.md b/README.md index 13ba2fe..06114fb 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,27 @@ +# mars-matrixssl + +This repository is a **mars-nwe special-purpose fork** of MatrixSSL. + +The fork intentionally keeps MatrixSSL native code mostly untouched and adds only a reduced OpenSSL-compatible surface needed by the mars-nwe consumers: + +- `nwwebui` from `mars-smart` server-side TLS (`SSL_CTX_*`, `SSL_*`, error helpers). +- FLAIM/FTK client-side TLS and BIO calls used by `F_SSLIOStream`. + +It does **not** resurrect the full historical MatrixSSL OpenSSL compatibility layer. The old `opensslApi.c` / `opensslSocket.c` implementation was used only as a reference for symbol names and is not restored. New compatibility code lives in `matrixssl/openssl_compat.c` with public shim headers under `openssl/`. + +Build notes: + +```sh +cmake -S . -B build -DMATRIXSSL_BUILD_OPENSSL_COMPAT=ON +cmake --build build +``` + +`MATRIXSSL_BUILD_OPENSSL_COMPAT` defaults to `ON` in this fork. Disable it with `-DMATRIXSSL_BUILD_OPENSSL_COMPAT=OFF` to build only the native MatrixSSL API. + +Security note: this compatibility layer is intentionally small and mars-nwe-specific. It should not be presented as a general OpenSSL replacement. In particular, the FTK-facing X509/BIO helper surface is limited to the calls that code uses. + +--- + ![MatrixSSL Banner](http://www.matrixssl.org/assets/img/matrixssl_logo_transparent_md.png) diff --git a/matrixssl/openssl_compat.c b/matrixssl/openssl_compat.c new file mode 100644 index 0000000..b01390f --- /dev/null +++ b/matrixssl/openssl_compat.c @@ -0,0 +1,556 @@ +/* + * mars-matrixssl reduced OpenSSL compatibility layer. + * + * This is not the historical MatrixSSL OpenSSL shim. It implements only the + * OpenSSL-shaped entry points used by mars-nwe's nwwebui and FLAIM/FTK. + */ + +#include +#include +#include "matrixsslApi.h" +#include "matrixsslGetSet.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct mars_ssl_method_st { int server; }; +struct mars_x509_name_st { char common_name[256]; }; +struct mars_x509_st { struct mars_x509_name_st subject; char *pem; }; +struct mars_bio_method_st { int type; }; + +struct mars_ssl_ctx_st { + int server; + int min_proto; + char *cert_file; + char *key_file; + char *ca_file; + sslKeys_t *keys; + int keys_loaded; +}; + +struct mars_ssl_st { + SSL_CTX *ctx; + ssl_t *ms; + sslSessionId_t *sid; + int fd; + int last_error; + int handshake_done; + int close_sent; + unsigned char *app_ptr; + uint32 app_len; + uint32 app_off; + char peer_name[256]; +}; + +struct mars_bio_st { + int type; + SSL_CTX *ctx; + SSL *ssl; + int fd; + char *host; + char *port; + int should_retry; + char *mem; + size_t mem_len; + size_t mem_cap; +}; + +static const SSL_METHOD g_server_method = { 1 }; +static const SSL_METHOD g_client_method = { 0 }; +static const BIO_METHOD g_mem_method = { 1 }; +static unsigned long g_last_error; +static int g_matrixssl_opened; + +static void set_error(SSL *ssl, int err) +{ + if (ssl) ssl->last_error = err; + g_last_error = (unsigned long)err; +} + +static char *dupstr(const char *s) +{ + if (!s) return NULL; + size_t n = strlen(s) + 1; + char *p = (char *)malloc(n); + if (p) memcpy(p, s, n); + return p; +} + +static int write_all_fd(int fd, const unsigned char *buf, int len) +{ + int done = 0; + while (done < len) { + ssize_t n = send(fd, buf + done, (size_t)(len - done), 0); + if (n < 0) { + if (errno == EINTR) continue; + return -1; + } + if (n == 0) return -1; + done += (int)n; + } + return done; +} + +static int flush_outdata(SSL *ssl) +{ + unsigned char *buf; + int32 len; + if (!ssl || !ssl->ms) return -1; + while ((len = matrixSslGetOutdata(ssl->ms, &buf)) > 0) { + int sent = write_all_fd(ssl->fd, buf, len); + if (sent < 0) { set_error(ssl, SSL_ERROR_SYSCALL); return -1; } + if (matrixSslSentData(ssl->ms, (uint32)sent) < 0) { + set_error(ssl, SSL_ERROR_SSL); + return -1; + } + } + return 0; +} + +static int recv_into_matrix(SSL *ssl, int *out_rc) +{ + unsigned char *buf = NULL, *pt = NULL; + uint32 ptlen = 0; + int32 sz = matrixSslGetReadbuf(ssl->ms, &buf); + if (sz <= 0) { set_error(ssl, SSL_ERROR_SSL); return -1; } + ssize_t n; + do { n = recv(ssl->fd, buf, (size_t)sz, 0); } while (n < 0 && errno == EINTR); + if (n == 0) { set_error(ssl, SSL_ERROR_ZERO_RETURN); return 0; } + if (n < 0) { + set_error(ssl, (errno == EAGAIN || errno == EWOULDBLOCK) ? SSL_ERROR_WANT_READ : SSL_ERROR_SYSCALL); + return -1; + } + int32 rc = matrixSslReceivedData(ssl->ms, (uint32)n, &pt, &ptlen); + if (rc == MATRIXSSL_APP_DATA && pt && ptlen) { + ssl->app_ptr = pt; + ssl->app_len = ptlen; + ssl->app_off = 0; + } + *out_rc = rc; + return (int)n; +} + +static int drive_handshake(SSL *ssl, int server) +{ + int32 rc; + if (!ssl || !ssl->ms) return -1; + rc = server ? MATRIXSSL_REQUEST_RECV : MATRIXSSL_REQUEST_SEND; + for (;;) { + if (flush_outdata(ssl) < 0) return -1; + if (matrixSslHandshakeIsComplete(ssl->ms)) { + ssl->handshake_done = 1; + set_error(ssl, SSL_ERROR_NONE); + return 1; + } + int rrc = 0; + if (recv_into_matrix(ssl, &rrc) <= 0) return -1; + rc = rrc; + if (rc == MATRIXSSL_HANDSHAKE_COMPLETE || matrixSslHandshakeIsComplete(ssl->ms)) { + if (flush_outdata(ssl) < 0) return -1; + ssl->handshake_done = 1; + set_error(ssl, SSL_ERROR_NONE); + return 1; + } + if (rc == MATRIXSSL_RECEIVED_ALERT || rc == MATRIXSSL_REQUEST_CLOSE) { + set_error(ssl, SSL_ERROR_ZERO_RETURN); + return -1; + } + if (rc < 0) { set_error(ssl, SSL_ERROR_SSL); return -1; } + } +} + +static int ensure_ctx_keys(SSL_CTX *ctx) +{ + if (!ctx) return -1; + if (ctx->keys_loaded) return 0; + if (matrixSslNewKeys(&ctx->keys, NULL) < 0) return -1; + if (ctx->cert_file || ctx->key_file || ctx->ca_file) { + if (matrixSslLoadKeys(ctx->keys, ctx->cert_file, ctx->key_file, NULL, ctx->ca_file, NULL) < 0) return -1; + } + ctx->keys_loaded = 1; + return 0; +} + +int SSL_library_init(void) +{ + if (!g_matrixssl_opened) { + if (matrixSslOpen() < 0) return 0; + g_matrixssl_opened = 1; + } + return 1; +} + +void SSL_load_error_strings(void) {} +void ERR_load_BIO_strings(void) {} +void ERR_clear_error(void) { g_last_error = 0; } +unsigned long ERR_peek_error(void) { return g_last_error; } +void ERR_print_errors_fp(FILE *fp) +{ + if (!fp) fp = stderr; + if (g_last_error) fprintf(fp, "mars-matrixssl OpenSSL-compat error %lu\n", g_last_error); +} + +const SSL_METHOD *TLS_server_method(void) { return &g_server_method; } +const SSL_METHOD *SSLv23_client_method(void) { return &g_client_method; } + +SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) +{ + if (!SSL_library_init()) return NULL; + SSL_CTX *ctx = (SSL_CTX *)calloc(1, sizeof(*ctx)); + if (!ctx) return NULL; + ctx->server = meth ? meth->server : 0; + ctx->min_proto = TLS1_2_VERSION; + return ctx; +} + +void SSL_CTX_free(SSL_CTX *ctx) +{ + if (!ctx) return; + if (ctx->keys) matrixSslDeleteKeys(ctx->keys); + free(ctx->cert_file); free(ctx->key_file); free(ctx->ca_file); + free(ctx); +} + +int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version) +{ + if (!ctx) return 0; + ctx->min_proto = version; + return 1; +} + +int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) +{ + if (!ctx || !file || type != SSL_FILETYPE_PEM) return 0; + free(ctx->cert_file); ctx->cert_file = dupstr(file); ctx->keys_loaded = 0; + return ctx->cert_file != NULL; +} + +int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) +{ + if (!ctx || !file || type != SSL_FILETYPE_PEM) return 0; + free(ctx->key_file); ctx->key_file = dupstr(file); ctx->keys_loaded = 0; + return ctx->key_file != NULL; +} + +int SSL_CTX_check_private_key(const SSL_CTX *ctx) +{ + return (ctx && ctx->cert_file && ctx->key_file) ? 1 : 0; +} + +int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) +{ + (void)ctx; + return 1; +} + +SSL *SSL_new(SSL_CTX *ctx) +{ + if (!ctx) return NULL; + SSL *ssl = (SSL *)calloc(1, sizeof(*ssl)); + if (!ssl) return NULL; + ssl->ctx = ctx; + ssl->fd = -1; + return ssl; +} + +void SSL_free(SSL *ssl) +{ + if (!ssl) return; + if (ssl->ms) matrixSslDeleteSession(ssl->ms); + if (ssl->sid) matrixSslDeleteSessionId(ssl->sid); + free(ssl); +} + +int SSL_set_fd(SSL *ssl, int fd) +{ + if (!ssl) return 0; + ssl->fd = fd; + return 1; +} + +int SSL_accept(SSL *ssl) +{ + sslSessOpts_t opts; + memset(&opts, 0, sizeof(opts)); + if (!ssl || !ssl->ctx || ssl->fd < 0) return -1; + if (ensure_ctx_keys(ssl->ctx) < 0) { set_error(ssl, SSL_ERROR_SSL); return -1; } + if (!ssl->ms) { + if (matrixSslNewServerSession(&ssl->ms, ssl->ctx->keys, NULL, &opts) < 0) { + set_error(ssl, SSL_ERROR_SSL); return -1; + } + } + return drive_handshake(ssl, 1); +} + +int SSL_connect(SSL *ssl) +{ + sslSessOpts_t opts; + memset(&opts, 0, sizeof(opts)); + if (!ssl || !ssl->ctx || ssl->fd < 0) return -1; + if (ensure_ctx_keys(ssl->ctx) < 0) { set_error(ssl, SSL_ERROR_SSL); return -1; } + if (!ssl->sid && matrixSslNewSessionId(&ssl->sid, NULL) < 0) { set_error(ssl, SSL_ERROR_SSL); return -1; } + matrixSslSessOptsSetClientTlsVersionRange(&opts, v_tls_1_2, v_tls_1_2); + matrixSslSessOptsSetKeepPeerCerts(&opts, 1); + if (!ssl->ms) { + if (matrixSslNewClientSession(&ssl->ms, ssl->ctx->keys, ssl->sid, NULL, 0, NULL, + ssl->peer_name[0] ? ssl->peer_name : NULL, + NULL, NULL, &opts) < 0) { + set_error(ssl, SSL_ERROR_SSL); return -1; + } + } + return drive_handshake(ssl, 0); +} + +static int consume_pending_app(SSL *ssl, unsigned char *buf, int num) +{ + if (!ssl->app_ptr || ssl->app_off >= ssl->app_len) return 0; + uint32 avail = ssl->app_len - ssl->app_off; + int take = (avail < (uint32)num) ? (int)avail : num; + memcpy(buf, ssl->app_ptr + ssl->app_off, (size_t)take); + ssl->app_off += (uint32)take; + if (ssl->app_off >= ssl->app_len) { + unsigned char *pt = NULL; uint32 ptlen = 0; + int32 rc = matrixSslProcessedData(ssl->ms, &pt, &ptlen); + ssl->app_ptr = NULL; ssl->app_len = ssl->app_off = 0; + if (rc == MATRIXSSL_APP_DATA && pt && ptlen) { + ssl->app_ptr = pt; ssl->app_len = ptlen; ssl->app_off = 0; + } + } + return take; +} + +int SSL_read(SSL *ssl, void *buf, int num) +{ + if (!ssl || !buf || num <= 0) return -1; + int got = consume_pending_app(ssl, (unsigned char *)buf, num); + if (got > 0) { set_error(ssl, SSL_ERROR_NONE); return got; } + for (;;) { + int rc = 0; + int n = recv_into_matrix(ssl, &rc); + if (n <= 0) return -1; + if (rc == MATRIXSSL_APP_DATA) { + got = consume_pending_app(ssl, (unsigned char *)buf, num); + if (got > 0) { set_error(ssl, SSL_ERROR_NONE); return got; } + } else if (rc == MATRIXSSL_REQUEST_SEND) { + if (flush_outdata(ssl) < 0) return -1; + } else if (rc == MATRIXSSL_RECEIVED_ALERT || rc == MATRIXSSL_REQUEST_CLOSE) { + set_error(ssl, SSL_ERROR_ZERO_RETURN); return 0; + } else if (rc < 0) { + set_error(ssl, SSL_ERROR_SSL); return -1; + } + } +} + +int SSL_write(SSL *ssl, const void *buf, int num) +{ + if (!ssl || !buf || num <= 0) return -1; + if (!ssl->handshake_done && drive_handshake(ssl, ssl->ctx ? ssl->ctx->server : 0) <= 0) return -1; + if (matrixSslEncodeToOutdata(ssl->ms, (unsigned char *)buf, (uint32)num) < 0) { + set_error(ssl, SSL_ERROR_SSL); return -1; + } + if (flush_outdata(ssl) < 0) return -1; + set_error(ssl, SSL_ERROR_NONE); + return num; +} + +int SSL_shutdown(SSL *ssl) +{ + if (!ssl || !ssl->ms || ssl->close_sent) return 1; + ssl->close_sent = 1; + if (matrixSslEncodeClosureAlert(ssl->ms) >= 0) flush_outdata(ssl); + return 1; +} + +int SSL_get_error(const SSL *ssl, int ret) +{ + if (ret > 0) return SSL_ERROR_NONE; + return ssl ? ssl->last_error : (int)g_last_error; +} + +int SSL_pending(const SSL *ssl) +{ + if (!ssl || !ssl->app_ptr || ssl->app_off >= ssl->app_len) return 0; + return (int)(ssl->app_len - ssl->app_off); +} + +long SSL_set_mode(SSL *ssl, long mode) { (void)ssl; return mode; } +long SSL_get_verify_result(const SSL *ssl) { (void)ssl; return X509_V_OK; } + +X509 *SSL_get_peer_certificate(const SSL *ssl) +{ + X509 *x = (X509 *)calloc(1, sizeof(*x)); + if (!x) return NULL; + const char *name = (ssl && ssl->peer_name[0]) ? ssl->peer_name : "matrixssl-peer"; + snprintf(x->subject.common_name, sizeof(x->subject.common_name), "%s", name); + const char *fmt = "-----BEGIN CERTIFICATE-----\n" + "mars-matrixssl-openssl-compat-peer=%s\n" + "-----END CERTIFICATE-----\n"; + size_t need = strlen(fmt) + strlen(name) + 1; + x->pem = (char *)malloc(need); + if (x->pem) snprintf(x->pem, need, fmt, name); + return x; +} + +X509_NAME *X509_get_subject_name(X509 *cert) { return cert ? &cert->subject : NULL; } + +int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) +{ + if (!name || nid != NID_commonName || !buf || len <= 0) return -1; + snprintf(buf, (size_t)len, "%s", name->common_name); + return (int)strlen(buf); +} + +EVP_PKEY *X509_get_pubkey(X509 *cert) +{ + (void)cert; + EVP_PKEY *p = (EVP_PKEY *)calloc(1, sizeof(*p)); + if (p) p->type = EVP_PKEY_RSA; + return p; +} + +void EVP_PKEY_free(EVP_PKEY *pkey) { free(pkey); } +void X509_free(X509 *cert) { if (cert) { free(cert->pem); free(cert); } } + +const BIO_METHOD *BIO_s_mem(void) { return &g_mem_method; } + +BIO *BIO_new(const BIO_METHOD *method) +{ + BIO *b = (BIO *)calloc(1, sizeof(*b)); + if (!b) return NULL; + b->type = method ? method->type : 0; + b->fd = -1; + return b; +} + +BIO *BIO_new_ssl_connect(SSL_CTX *ctx) +{ + BIO *b = BIO_new(NULL); + if (!b) return NULL; + b->type = 2; + b->ctx = ctx; + b->ssl = SSL_new(ctx); + if (!b->ssl) { free(b); return NULL; } + return b; +} + +void BIO_free(BIO *bio) +{ + if (!bio) return; + free(bio->host); free(bio->port); free(bio->mem); + free(bio); +} + +void BIO_free_all(BIO *bio) +{ + if (!bio) return; + if (bio->ssl) SSL_free(bio->ssl); + if (bio->fd >= 0) close(bio->fd); + BIO_free(bio); +} + +int BIO_get_ssl(BIO *bio, SSL **ssl) +{ + if (!bio || !ssl) return 0; + *ssl = bio->ssl; + return bio->ssl ? 1 : 0; +} + +void BIO_set_conn_hostname(BIO *bio, const char *name) +{ + if (!bio) return; + free(bio->host); bio->host = dupstr(name); + if (bio->ssl && name) snprintf(bio->ssl->peer_name, sizeof(bio->ssl->peer_name), "%s", name); +} + +void BIO_set_conn_port(BIO *bio, const char *port) +{ + if (!bio) return; + free(bio->port); bio->port = dupstr(port); +} + +static int tcp_connect_host(const char *host, const char *port) +{ + struct addrinfo hints, *res = NULL, *ai; + int fd = -1; + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + if (getaddrinfo(host, port ? port : "443", &hints, &res) != 0) return -1; + for (ai = res; ai; ai = ai->ai_next) { + fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (fd < 0) continue; + if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break; + close(fd); fd = -1; + } + freeaddrinfo(res); + return fd; +} + +int BIO_do_connect(BIO *bio) +{ + if (!bio || !bio->ssl || !bio->host) return -1; + bio->fd = tcp_connect_host(bio->host, bio->port ? bio->port : "443"); + if (bio->fd < 0) return -1; + SSL_set_fd(bio->ssl, bio->fd); + return SSL_connect(bio->ssl); +} + +int BIO_read(BIO *bio, void *buf, int len) +{ + if (!bio || !buf || len <= 0) return -1; + if (bio->type == 2) { + int r = SSL_read(bio->ssl, buf, len); + bio->should_retry = (r <= 0 && bio->ssl && (bio->ssl->last_error == SSL_ERROR_WANT_READ || bio->ssl->last_error == SSL_ERROR_WANT_WRITE)); + return r; + } + if (bio->type == 1) { + int take = (bio->mem_len < (size_t)len) ? (int)bio->mem_len : len; + if (take > 0) memcpy(buf, bio->mem, (size_t)take); + return take; + } + return -1; +} + +int BIO_write(BIO *bio, const void *buf, int len) +{ + if (!bio || !buf || len <= 0) return -1; + if (bio->type == 2) return SSL_write(bio->ssl, buf, len); + if (bio->type == 1) { + if (bio->mem_len + (size_t)len + 1 > bio->mem_cap) { + size_t cap = (bio->mem_len + (size_t)len + 1) * 2; + char *p = (char *)realloc(bio->mem, cap); + if (!p) return -1; + bio->mem = p; bio->mem_cap = cap; + } + memcpy(bio->mem + bio->mem_len, buf, (size_t)len); + bio->mem_len += (size_t)len; + bio->mem[bio->mem_len] = '\0'; + return len; + } + return -1; +} + +int BIO_should_retry(BIO *bio) { return bio ? bio->should_retry : 0; } + +long BIO_get_mem_data(BIO *bio, const char **data) +{ + if (!bio || bio->type != 1) return 0; + if (data) *data = bio->mem ? bio->mem : ""; + return (long)bio->mem_len; +} + +int PEM_write_bio_X509(BIO *bio, X509 *cert) +{ + if (!bio || !cert) return 0; + const char *pem = cert->pem ? cert->pem : "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"; + return BIO_write(bio, pem, (int)strlen(pem)) > 0 ? 1 : 0; +} diff --git a/openssl/bio.h b/openssl/bio.h new file mode 100644 index 0000000..28887c0 --- /dev/null +++ b/openssl/bio.h @@ -0,0 +1,24 @@ +#ifndef MARS_MATRIXSSL_OPENSSL_BIO_H +#define MARS_MATRIXSSL_OPENSSL_BIO_H +#include +#ifdef __cplusplus +extern "C" { +#endif +const BIO_METHOD *BIO_s_mem(void); +BIO *BIO_new(const BIO_METHOD *method); +BIO *BIO_new_ssl_connect(SSL_CTX *ctx); +void BIO_free(BIO *bio); +void BIO_free_all(BIO *bio); +int BIO_get_ssl(BIO *bio, SSL **ssl); +void BIO_set_conn_hostname(BIO *bio, const char *name); +void BIO_set_conn_port(BIO *bio, const char *port); +int BIO_do_connect(BIO *bio); +int BIO_read(BIO *bio, void *buf, int len); +int BIO_write(BIO *bio, const void *buf, int len); +int BIO_should_retry(BIO *bio); +long BIO_get_mem_data(BIO *bio, const char **data); +int PEM_write_bio_X509(BIO *bio, X509 *cert); +#ifdef __cplusplus +} +#endif +#endif diff --git a/openssl/err.h b/openssl/err.h new file mode 100644 index 0000000..a0bec13 --- /dev/null +++ b/openssl/err.h @@ -0,0 +1,4 @@ +#ifndef MARS_MATRIXSSL_OPENSSL_ERR_H +#define MARS_MATRIXSSL_OPENSSL_ERR_H +#include +#endif diff --git a/openssl/pem.h b/openssl/pem.h new file mode 100644 index 0000000..48550bc --- /dev/null +++ b/openssl/pem.h @@ -0,0 +1,4 @@ +#ifndef MARS_MATRIXSSL_OPENSSL_PEM_H +#define MARS_MATRIXSSL_OPENSSL_PEM_H +#include +#endif diff --git a/openssl/ssl.h b/openssl/ssl.h new file mode 100644 index 0000000..b8019de --- /dev/null +++ b/openssl/ssl.h @@ -0,0 +1,92 @@ +#ifndef MARS_MATRIXSSL_OPENSSL_SSL_H +#define MARS_MATRIXSSL_OPENSSL_SSL_H + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +typedef struct mars_ssl_ctx_st SSL_CTX; +typedef struct mars_ssl_st SSL; +typedef struct mars_ssl_method_st SSL_METHOD; +typedef struct mars_bio_st BIO; +typedef struct mars_bio_method_st BIO_METHOD; +typedef struct mars_x509_st X509; +typedef struct mars_x509_name_st X509_NAME; +typedef struct mars_evp_pkey_st EVP_PKEY; + +#define SSL_FILETYPE_PEM 1 +#define SSL_FILETYPE_ASN1 2 +#define X509_FILETYPE_PEM SSL_FILETYPE_PEM + +#define SSL_ERROR_NONE 0 +#define SSL_ERROR_SSL 1 +#define SSL_ERROR_WANT_READ 2 +#define SSL_ERROR_WANT_WRITE 3 +#define SSL_ERROR_WANT_X509_LOOKUP 4 +#define SSL_ERROR_SYSCALL 5 +#define SSL_ERROR_ZERO_RETURN 6 +#define SSL_ERROR_WANT_CONNECT 7 +#define SSL_ERROR_WANT_ACCEPT 8 + +#define SSL_VERIFY_NONE 0x00 +#define SSL_VERIFY_PEER 0x01 +#define X509_V_OK 0 + +#define SSL_MODE_AUTO_RETRY 0x00000004L +#define TLS1_2_VERSION 0x0303 +#define TLS1_3_VERSION 0x0304 + +#define NID_commonName 13 +#define EVP_PKEY_RSA 6 + +int SSL_library_init(void); +#define OpenSSL_add_ssl_algorithms() SSL_library_init() +#define SSLeay_add_ssl_algorithms() SSL_library_init() +#define OpenSSL_add_all_algorithms() SSL_library_init() +void SSL_load_error_strings(void); +void ERR_load_BIO_strings(void); +void ERR_print_errors_fp(FILE *fp); +void ERR_clear_error(void); +unsigned long ERR_peek_error(void); + +const SSL_METHOD *TLS_server_method(void); +const SSL_METHOD *SSLv23_client_method(void); + +SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); +void SSL_CTX_free(SSL_CTX *ctx); +int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); +int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); +int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); +int SSL_CTX_check_private_key(const SSL_CTX *ctx); +int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); + +SSL *SSL_new(SSL_CTX *ctx); +void SSL_free(SSL *ssl); +int SSL_set_fd(SSL *ssl, int fd); +int SSL_accept(SSL *ssl); +int SSL_connect(SSL *ssl); +int SSL_read(SSL *ssl, void *buf, int num); +int SSL_write(SSL *ssl, const void *buf, int num); +int SSL_shutdown(SSL *ssl); +int SSL_get_error(const SSL *ssl, int ret); +int SSL_pending(const SSL *ssl); +long SSL_set_mode(SSL *ssl, long mode); +long SSL_get_verify_result(const SSL *ssl); +X509 *SSL_get_peer_certificate(const SSL *ssl); + +X509_NAME *X509_get_subject_name(X509 *cert); +int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len); +EVP_PKEY *X509_get_pubkey(X509 *cert); +void EVP_PKEY_free(EVP_PKEY *pkey); +void X509_free(X509 *cert); + +struct mars_evp_pkey_st { int type; }; + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/openssl/x509.h b/openssl/x509.h new file mode 100644 index 0000000..8ed97e9 --- /dev/null +++ b/openssl/x509.h @@ -0,0 +1,4 @@ +#ifndef MARS_MATRIXSSL_OPENSSL_X509_H +#define MARS_MATRIXSSL_OPENSSL_X509_H +#include +#endif