Support TLS in ipfixsend

Author: BonnyAD9

src/tools/ipfixsend/CMakeLists.txt

@@ -8,8 +8,10 @@ add_executable(ipfixsend2
     siso.h
 )
 
+target_link_libraries(ipfixsend2 OpenSSL::Crypto OpenSSL::SSL)
+
 # Installation targets
 install(
     TARGETS ipfixsend2
     DESTINATION bin
-)
+)

src/tools/ipfixsend/ipfixsend.c

@@ -81,7 +81,7 @@ void usage()
     printf("  -i path    IPFIX input file\n");
     printf("  -d ip      Destination IP address (default: %s)\n", DEFAULT_IP);
     printf("  -p port    Destination port number (default: %s)\n", DEFAULT_PORT);
-    printf("  -t type    Connection type (UDP or TCP) (default: UDP)\n");
+    printf("  -t type    Connection type (UDP/TCP/SCTP/TLS) (default: UDP)\n");
     printf("  -c         Precache input file (for performance tests)\n");
     printf("  -n num     How many times the file should be sent (default: infinity)\n");
     printf("  -s speed   Maximum data sending speed/s\n");
@@ -90,6 +90,8 @@ void usage()
     printf("  -R num     Real-time sending\n");
     printf("             Allow speed-up sending 'num' times (realtime: 1.0)\n");
     printf("  -O num     Rewrite Observation Domain ID (ODID)\n");
+    printf("  -C path    Set path to certificate/private key for TLS verification.\n");
+    printf("             This is required only if the server requires clients to verify.\n");
     printf("\n");
 }
 
@@ -125,14 +127,16 @@ int main(int argc, char** argv)
     bool    odid_rewrite = false;
     long    odid_new;
 
+    char   *certificate = NULL;
+
     if (argc == 1) {
         usage();
         return 0;
     }
 
     // Parse parameters
     int c;
-    while ((c = getopt(argc, argv, "hci:d:p:t:n:s:S:R:O:")) != -1) {
+    while ((c = getopt(argc, argv, "hci:d:p:t:n:s:S:R:O:C:")) != -1) {
         switch (c) {
         case 'h':
             usage();
@@ -168,6 +172,9 @@ int main(int argc, char** argv)
             odid_rewrite = true;
             odid_new = atol(optarg);
             break;
+        case 'C':
+            certificate = optarg;
+            break;
         default:
             fprintf(stderr, "Unknown option.\n");
             return 1;
@@ -202,6 +209,15 @@ int main(int argc, char** argv)
         return 1;
     }
 
+    if (certificate && strcmp(type, "TLS") != 0) {
+        fprintf(
+            stderr,
+            "Certificate path is valid only with type TLS, but the type is %s.\n",
+            type
+        );
+        return 1;
+    }
+
     // Check whether everything is set
     if (!input) {
         fprintf(stderr, "Input file must be set!\n");
@@ -217,6 +233,13 @@ int main(int argc, char** argv)
         return 1;
     }
 
+    // Load certificate and private key
+    if (certificate && siso_load_cert(sender, certificate) != SISO_OK) {
+        fprintf(stderr, "Failed to load certificate file: %s\n", siso_get_last_err(sender));
+        siso_destroy(sender);
+        return 1;
+    }
+
     // Prepare an input file
     reader_t *reader = reader_create(input, precache);
     if (!reader) {

src/tools/ipfixsend/siso.c

@@ -41,6 +41,8 @@
 
 #include <stdbool.h>
 #include <stdlib.h>
+#include <assert.h>
+#include <signal.h>
 
 #include <errno.h>
 #include <netdb.h>
@@ -57,6 +59,9 @@
 #include <stdio.h>
 #include <strings.h>
 
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
 /**
  * \brief Check that a pointer is not null. Otherwise returns #SISO_ERR
  * \param[in] ptr Pointer to check
@@ -71,6 +76,14 @@
  * \brief Get the lass error message
  */
 #define PERROR_LAST strerror(errno)
+/**
+ * @brief Get the last global OpenSSL error message
+ */
+#define TLS_LAST_ERROR tls_code_error(ERR_get_error())
+/**
+ * @brief Get the last OpenSSL error message for SSL connection.
+ */
+#define TLS_LAST_SSL_ERROR(ssl, ret) tls_code_error(SSL_get_error((ssl), (ret)))
 /** Maximum message size that can be send over UDP                          */
 #define SISO_UDP_MAX 65000
 /**
@@ -86,6 +99,7 @@ enum siso_conn_type {
    SC_UDP,
    SC_TCP,
    SC_SCTP,
+   SC_TLS,
    SC_UNKNOWN,
 };
 
@@ -109,26 +123,32 @@ static const char *siso_messages[] = {
 static const char *siso_sc_types[] = {
     [SC_UDP]  = "UDP",
     [SC_TCP]  = "TCP",
-    [SC_SCTP] = "SCTP"
+    [SC_SCTP] = "SCTP",
+    [SC_TLS]  = "TLS",
 };
 
+/** Buffer for error messages. */
+static char sisco_err_msg_buf[256] = { 0 };
+
 /**
  * \brief Main sisolib structure
  */
 struct sisoconf_s {
     const char *last_error;     /**< last error message */
-    enum siso_conn_type type;   /**< UDP/TCP/SCTP */
+    enum siso_conn_type type;   /**< UDP/TCP/SCTP/TLS */
     struct addrinfo *servinfo;  /**< server information */
     int sockfd;                 /**< socket descriptor */
     uint64_t max_speed;         /**< max sending speed */
     uint64_t act_speed;         /**< actual speed */
     struct timeval begin, end;  /**< start/end time for limited transfers */
+    SSL_CTX *ssl_ctx;           /**< context for creating TLS connecitons */
+    SSL *ssl;                   /**< TLS connection */
 };
 
 /**
  * \brief Constructor
  */
-sisoconf *siso_create()
+sisoconf *siso_create(void)
 {
     /* allocate memory */
     sisoconf *conf = (sisoconf *) calloc(1, sizeof(sisoconf));
@@ -154,6 +174,11 @@ void siso_destroy(sisoconf *conf)
         freeaddrinfo(conf->servinfo);
     }
 
+    if (conf->ssl_ctx) {
+        SSL_CTX_free(conf->ssl_ctx);
+        conf->ssl_ctx = NULL;
+    }
+
     free(conf);
 }
 
@@ -256,6 +281,7 @@ int siso_getaddrinfo(sisoconf *conf, const char *ip, const char *port)
         hints.ai_socktype = SOCK_DGRAM;
         hints.ai_protocol = IPPROTO_UDP;
         break;
+    case SC_TLS:
     case SC_TCP:
         hints.ai_socktype = SOCK_STREAM;
         hints.ai_protocol = IPPROTO_TCP;
@@ -281,6 +307,115 @@ int siso_getaddrinfo(sisoconf *conf, const char *ip, const char *port)
     return SISO_OK;
 }
 
+/**
+ * @brief Get OpenSSL error message for the given code
+ */
+static inline const char *tls_code_error(unsigned long code)
+{
+    ERR_error_string_n(code, sisco_err_msg_buf, sizeof(sisco_err_msg_buf));
+    return &sisco_err_msg_buf[0];
+}
+
+/**
+ * @brief Get SSL_CTX. Initialize it if it is not initialized.
+ * @return NULL on failure.
+ */
+SSL_CTX *siso_get_ssl_ctx(sisoconf *conf)
+{
+    if (conf->ssl_ctx) {
+        return conf->ssl_ctx;
+    }
+
+    SSL_load_error_strings();
+
+    SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
+    if (!ctx) {
+        conf->last_error = TLS_LAST_ERROR;
+        return NULL;
+    }
+
+    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+
+    if (!SSL_CTX_set_default_verify_paths(ctx)) {
+        conf->last_error = TLS_LAST_ERROR;
+        SSL_CTX_free(ctx);
+        return NULL;
+    }
+
+    if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
+        conf->last_error = TLS_LAST_ERROR;
+        SSL_CTX_free(ctx);
+        return NULL;
+    }
+
+    SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+
+    // There is no way to pass MSG_SIGIGN when writing using OpenSSL without
+    // creating custom BIO. So we can just ignore SIGPIPE which can occur if
+    // peer closes the file descriptor.
+    signal(SIGPIPE, SIG_IGN);
+
+    return conf->ssl_ctx = ctx;
+}
+
+int siso_load_cert(sisoconf *conf, const char *cert_file) {
+    SSL_CTX *ctx = siso_get_ssl_ctx(conf);
+
+    if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
+        conf->last_error = TLS_LAST_ERROR;
+        return SISO_ERR;
+    }
+
+    if (SSL_CTX_use_PrivateKey_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) {
+        conf->last_error = TLS_LAST_ERROR;
+        return SISO_ERR;
+    }
+
+    return SISO_OK;
+}
+
+int siso_tls_connect(sisoconf *conf, int new_fd)
+{
+    assert(!conf->ssl);
+
+    SSL_CTX *ctx = siso_get_ssl_ctx(conf);
+    if (!ctx) {
+        return SISO_ERR;
+    }
+
+    SSL *ssl = SSL_new(ctx);
+    if (!ssl) {
+        conf->last_error = TLS_LAST_ERROR;
+        return SISO_ERR;
+    }
+
+    BIO *bio = BIO_new(BIO_s_socket());
+    if (!bio) {
+        conf->last_error = TLS_LAST_ERROR;
+        SSL_free(ssl);
+        return SISO_ERR;
+    }
+
+    BIO_set_fd(bio, new_fd, BIO_NOCLOSE);
+    SSL_set_bio(ssl, bio, bio);
+
+    int res = SSL_connect(ssl);
+    if (res <= 0) {
+        // Get the best error message.
+        long vres = SSL_get_verify_result(ssl);
+        if (vres == X509_V_OK) {
+            conf->last_error = TLS_LAST_SSL_ERROR(ssl, res);
+        } else {
+            conf->last_error = X509_verify_cert_error_string(vres);
+        }
+        SSL_free(ssl);
+        return SISO_ERR;
+    }
+
+    conf->ssl = ssl;
+    return SISO_OK;
+}
+
 /**
  * \brief Create new socket
  */
@@ -309,6 +444,11 @@ int siso_create_socket(sisoconf *conf)
         return SISO_ERR;
     }
 
+    if (conf->type == SC_TLS && siso_tls_connect(conf, new_fd) != SISO_OK) {
+        close(new_fd);
+        return SISO_ERR;
+    }
+
     conf->sockfd = new_fd;
     return SISO_OK;
 }
@@ -345,7 +485,16 @@ int siso_create_connection(sisoconf* conf, const char* ip, const char *port, con
  */
 void siso_close_connection(sisoconf *conf)
 {
-    if (conf && conf->sockfd > 0) {
+    if (!conf) {
+        return;
+    }
+
+    if (conf->ssl) {
+        SSL_free(conf->ssl);
+        conf->ssl = NULL;
+    }
+
+    if (conf->sockfd > 0) {
         close(conf->sockfd);
         conf->sockfd = -1;
     }
@@ -375,6 +524,7 @@ int siso_send(sisoconf *conf, const char *data, ssize_t length)
 
     // data sent per cycle
     ssize_t sent_now = 0;
+    int ret_code = 1;
 
     // Size of remaining data
     ssize_t todo = length;
@@ -390,12 +540,25 @@ int siso_send(sisoconf *conf, const char *data, ssize_t length)
         case SC_SCTP:
             sent_now = send(conf->sockfd, ptr, todo, MSG_NOSIGNAL);
             break;
+        case SC_TLS:
+            ret_code = SSL_write_ex(conf->ssl, ptr, todo, (size_t *)&sent_now);
+            break;
         default:
             break;
         }
 
         // Check for errors
-        if (sent_now == -1) {
+        if (ret_code <= 0) {
+            int err_code = SSL_get_error(conf->ssl, ret_code);
+            if (err_code != SSL_ERROR_WANT_READ && err_code != SSL_ERROR_WANT_WRITE) {
+                // Connection is broken, close...
+                conf->last_error = tls_code_error(err_code);
+                siso_close_connection(conf);
+                return SISO_ERR;
+            }
+
+            // Don't use continue here, the write may be partial.
+        } else if (sent_now == -1) {
             if (errno != EAGAIN && errno != EWOULDBLOCK) {
                 // Connection broken, close...
                 conf->last_error = PERROR_LAST;

src/tools/ipfixsend/siso.h

@@ -78,7 +78,7 @@ enum siso_units {
  *
  * \return new sisoconf object
  */
-sisoconf *siso_create();
+sisoconf *siso_create(void);
 
 /**
  * \brief Destructor
@@ -151,6 +151,16 @@ void siso_set_speed(sisoconf* conf, uint32_t limit, enum siso_units units);
  */
 void siso_set_speed_str(sisoconf* conf, const char* limit);
 
+/**
+ * \brief Load certificate and private key for TLS conections. This must be called before
+ * `siso_create_connection` or not at all.
+ *
+ * \param[in] conf susoconf configuration.
+ * \param[in] cert_file path to file with certificate and private key in PEM format.
+ * \return #SISO_OK or #SISO_ERR and sets error message.
+ */
+int siso_load_cert(sisoconf *conf, const char *cert_file);
+
 /**
  * \brief Create new connection
  *
@@ -199,4 +209,3 @@ int siso_send(sisoconf *conf, const char *data, ssize_t length);
 #endif
 
 #endif	/* SISO_H */
-