From b2b4ffeeae906ee7fdb8afc7bc533e90cc3959c3 Mon Sep 17 00:00:00 2001 From: Cory McWilliams Date: Wed, 15 Oct 2025 20:02:59 -0400 Subject: [PATCH] cleanup: Remove OpenSSL and consequently https support. Run behind a reverse proxy if you need https. --- .gitmodules | 4 - GNUmakefile | 137 +---------------- README.md | 2 - deps/openssl_src | 1 - src/http.c | 108 +------------ src/http.h | 8 +- src/httpd.js.c | 83 +--------- src/httpd.login.c | 11 +- src/main.c | 5 +- src/mem.c | 28 ---- src/mem.h | 13 +- src/ssb.tests.c | 2 +- src/task.c | 8 - src/tests.c | 6 +- src/tls.c | 384 ---------------------------------------------- src/tls.h | 177 --------------------- src/util.js.c | 1 - 17 files changed, 22 insertions(+), 956 deletions(-) delete mode 160000 deps/openssl_src delete mode 100644 src/tls.c delete mode 100644 src/tls.h diff --git a/.gitmodules b/.gitmodules index ec39f52f..630da226 100644 --- a/.gitmodules +++ b/.gitmodules @@ -19,10 +19,6 @@ [submodule "deps/picohttpparser"] path = deps/picohttpparser url = https://github.com/h2o/picohttpparser.git -[submodule "deps/openssl_src"] - path = deps/openssl_src - url = https://github.com/openssl/openssl.git - shallow = true [submodule "deps/c-ares"] path = deps/c-ares url = https://github.com/c-ares/c-ares.git diff --git a/GNUmakefile b/GNUmakefile index 7ae32d38..463b8e91 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -38,7 +38,6 @@ BUNDLETOOL = out/bundletool.jar HAVE_WIN := HAVE_CROSS_AARCH64 := -USE_SYSTEM_SSL := export SOURCE_DATE_EPOCH=1 export TZ=UTC @@ -65,7 +64,6 @@ LDFLAGS += \ -lbsd \ -lnetwork \ -Wno-stringop-overflow -USE_SYSTEM_SSL := 1 HAVE_ANDROID = 0 HAVE_LINUX_IOS = 0 HAVE_LINUX_MACOS = 0 @@ -80,13 +78,12 @@ LDFLAGS += \ HAVE_ANDROID := HAVE_LINUX_IOS := HAVE_LINUX_MACOS := -USE_SYSTEM_SSL := 1 else $(error Unexpected host platform $(UNAME_S).) endif # Everything is set above. -$(info Building Tilde Friends $(VERSION_NUMBER) android=$(if $(HAVE_ANDROID),1,0) win=$(if $(HAVE_WIN),1,0) cross_aarch64=$(if $(HAVE_CROSS_AARCH64),1,0) cross_ios=$(if $(HAVE_LINUX_IOS),1,0) cross_macos=$(if $(HAVE_LINUX_MACOS),1,0) system_ssl=$(if $(USE_SYSTEM_SSL),1,0)) +$(info Building Tilde Friends $(VERSION_NUMBER) android=$(if $(HAVE_ANDROID),1,0) win=$(if $(HAVE_WIN),1,0) cross_aarch64=$(if $(HAVE_CROSS_AARCH64),1,0) cross_ios=$(if $(HAVE_LINUX_IOS),1,0) cross_macos=$(if $(HAVE_LINUX_MACOS),1,0)) CFLAGS += \ -std=gnu11 \ @@ -270,16 +267,12 @@ $(WINDOWS_TARGETS): AS = $(CC) $(WINDOWS_TARGETS): CFLAGS += \ -D_WIN32_WINNT=0x0A00 \ -DWINVER=0x0A00 \ - -DNTDDI_VERSION=NTDDI_WIN10 \ - -Iout/openssl/$(UNAME_S)/mingw64/usr/local/include + -DNTDDI_VERSION=NTDDI_WIN10 $(WINDOWS_TARGETS): LDFLAGS += \ -static \ - -lm \ - -Lout/openssl/$(UNAME_S)/mingw64/usr/local/lib + -lm $(AARCH64_TARGETS): CC = aarch64-linux-gnu-gcc $(AARCH64_TARGETS): AS = $(CC) -$(AARCH64_TARGETS): CFLAGS += -Iout/openssl/Linux/aarch64/usr/local/include -$(AARCH64_TARGETS): LDFLAGS += -Lout/openssl/Linux/aarch64/usr/local/lib ifeq ($(UNAME_S),Darwin) $(HOST_TARGETS): CC = xcrun clang $(IOS_TARGETS): IOS_SYSROOT := $(shell xcrun --sdk iphoneos --show-sdk-path) @@ -304,39 +297,12 @@ $(ANDROID_TARGETS): AS = $(CC) $(ANDROID_TARGETS): CFLAGS += \ -target $(ANDROID_NDK_TARGET_TRIPLE)$(ANDROID_MIN_SDK_VERSION) \ -Wno-unknown-warning-option -$(ANDROID_ARMV7A_TARGETS): CFLAGS += -Iout/openssl/android/armeabi-v7a/usr/local/include -$(ANDROID_ARMV7A_TARGETS): LDFLAGS += -Lout/openssl/android/armeabi-v7a/usr/local/lib -$(ANDROID_ARM64_TARGETS): CFLAGS += -Iout/openssl/android/arm64-v8a/usr/local/include -$(ANDROID_ARM64_TARGETS): LDFLAGS += -Lout/openssl/android/arm64-v8a/usr/local/lib -$(ANDROID_X86_TARGETS): CFLAGS += -Iout/openssl/android/x86/usr/local/include $(ANDROID_X86_TARGETS): CFLAGS += -Wno-atomic-alignment -$(ANDROID_X86_TARGETS): LDFLAGS += -Lout/openssl/android/x86/usr/local/lib -$(ANDROID_X86_64_TARGETS): CFLAGS += -Iout/openssl/android/x86_64/usr/local/include -$(ANDROID_X86_64_TARGETS): LDFLAGS += -Lout/openssl/android/x86_64/usr/local/lib $(NONMACOS_TARGETS): CFLAGS += -Wno-cast-function-type $(MACOS_TARGETS): LDFLAGS += -Wl,-dead_strip $(NONMACOS_TARGETS): LDFLAGS += -Wl,--gc-sections -Wl,--as-needed $(IOS_TARGETS): CFLAGS += -miphoneos-version-min=$(IPHONEOS_VERSION_MIN) $(IOS_TARGETS): LDFLAGS += -miphoneos-version-min=$(IPHONEOS_VERSION_MIN) -ifeq ($(UNAME_S),Darwin) -$(IOS_TARGETS): CFLAGS += -Iout/openssl/ios/ios64-xcrun/usr/local/include -$(IOS_TARGETS): LDFLAGS += -Lout/openssl/ios/ios64-xcrun/usr/local/lib -else -$(IOS_TARGETS): CFLAGS += -Iout/openssl/$(UNAME_S)/ios64-cross/usr/local/include -$(IOS_TARGETS): LDFLAGS += -Lout/openssl/$(UNAME_S)/ios64-cross/usr/local/lib -$(filter $(BUILD_DIR)/macosdebug-x86_64/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-x86_64/usr/local/include -$(filter $(BUILD_DIR)/macosdebug-arm/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-arm/usr/local/include -$(filter $(BUILD_DIR)/macosdebug-x86_64/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-x86_64/usr/local/lib -$(filter $(BUILD_DIR)/macosdebug-arm/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-arm/usr/local/lib -$(filter $(BUILD_DIR)/macosrelease-x86_64/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-x86_64/usr/local/include -$(filter $(BUILD_DIR)/macosrelease-arm/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-arm/usr/local/include -$(filter $(BUILD_DIR)/macosrelease-x86_64/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-x86_64/usr/local/lib -$(filter $(BUILD_DIR)/macosrelease-arm/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-arm/usr/local/lib -endif -$(IOSSIM_TARGETS): CFLAGS += -Iout/openssl/ios/iossimulator-xcrun/usr/local/include -$(IOSSIM_TARGETS): LDFLAGS += -Lout/openssl/ios/iossimulator-xcrun/usr/local/lib -$(HOST_TARGETS): CFLAGS += -Iout/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/include -$(HOST_TARGETS): LDFLAGS += -Lout/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/lib ifeq ($(UNAME_M),x86_64) ifeq ($(UNAME_S),Linux) @@ -824,9 +790,6 @@ $(MINIUNZIP_OBJS): CFLAGS += \ LDFLAGS += \ -pthread \ -lm -$(HOST_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS) $(AARCH64_TARGETS) $(filter-out $(HOST_TARGETS),$(MACOS_TARGETS)): LDFLAGS += \ - -lssl \ - -lcrypto ifneq ($(UNAME_S),Haiku) ifneq ($(UNAME_S),OpenBSD) $(HOST_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS): LDFLAGS += \ @@ -834,8 +797,6 @@ $(HOST_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS): LDFLAGS += \ endif endif $(WINDOWS_TARGETS): LDFLAGS += \ - -lssl \ - -lcrypto \ -lcrypt32 \ -ldbghelp \ -liphlpapi \ @@ -848,9 +809,7 @@ $(WINDOWS_TARGETS): LDFLAGS += \ $(ANDROID_TARGETS): LDFLAGS += \ -target $(ANDROID_NDK_TARGET_TRIPLE)$(ANDROID_MIN_SDK_VERSION) \ -ldl \ - -llog \ - -lssl \ - -lcrypto + -llog $(MACOS_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS): CFLAGS += \ -Wno-unknown-warning-option $(IOS_TARGETS) $(IOSSIM_TARGETS): LDFLAGS += \ @@ -1225,94 +1184,6 @@ iossimdebuggo: out/tildefriends-iossimdebug.app/tildefriends ## Build, install, xcrun simctl launch booted com.unprompted.tildefriends .PHONY: iossimdebuggo -ANDROID_DEPS := out/openssl/android/arm64-v8a/usr/local/lib/libssl.a -$(ANDROID_DEPS): - +@export ANDROID_NDK_ROOT=$(ANDROID_NDK) - +@export BUILD_PLATFORM=android - +@export TOOLCHAIN=$(ANDROID_NDK)/toolchains/llvm/prebuilt/linux-x86_64 - +@PATH="$$TOOLCHAIN/x86_64-linux-android/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=x86_64 SSL_TARGET=android-x86_64 OPTIONS="-D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local - +@PATH="$$TOOLCHAIN/i686-linux-android/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=x86 SSL_TARGET=android-x86 OPTIONS="-D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local - +@PATH="$$TOOLCHAIN/arm-linux-androideabi/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=armeabi-v7a SSL_TARGET=android-arm OPTIONS="--target=armv7a-linux-androideabi -Wl,--fix-cortex-a8 -D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local - +@PATH="$$TOOLCHAIN/aarch64-linux-android/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=arm64-v8a SSL_TARGET=android-arm64 OPTIONS="-D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local -$(filter $(BUILD_DIR)/android%,$(APP_OBJS)): | $(ANDROID_DEPS) - -ifeq ($(UNAME_S),Linux) -ifneq ($(USE_SYSTEM_SSL),1) -LOCAL_DEPS := out/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/lib/libssl.a -$(LOCAL_DEPS): - +@tools/ssl-local -$(filter $(BUILD_DIR)/debug/%,$(APP_OBJS)) $(filter $(BUILD_DIR)/release/%,$(APP_OBJS)): | $(LOCAL_DEPS) -endif - -ifeq ($(HAVE_CROSS_AARCH64),1) -LOCAL_DEPS := out/openssl/$(UNAME_S)/aarch64/usr/local/lib/libssl.a -$(LOCAL_DEPS): - +@OPTIONS="--cross-compile-prefix=aarch64-linux-gnu-" BUILD_TARGET=aarch64 SSL_TARGET=linux-aarch64 tools/ssl-local -$(filter $(BUILD_DIR)/armdebug/%,$(APP_OBJS)) $(filter $(BUILD_DIR)/armrelease/%,$(APP_OBJS)): | $(LOCAL_DEPS) -endif - -ifeq ($(HAVE_LINUX_IOS),1) -LOCAL_DEPS := out/openssl/$(UNAME_S)/ios64-cross/usr/local/lib/libssl.a -$(LOCAL_DEPS): - +@PATH=deps/ios_toolchain/target/bin:$$PATH \ - BUILD_TARGET=ios64-cross \ - SSL_TARGET=ios64-cross \ - CROSS_COMPILE=../../deps/ios_toolchain/target/bin/arm-apple-darwin11- \ - CROSS_TOP=../../deps/ios_toolchain/target \ - CROSS_SDK=iPhoneOS18.2.sdk \ - CC=clang \ - OPTIONS=-miphoneos-version-min=$(IPHONEOS_VERSION_MIN) \ - tools/ssl-local -$(filter $(BUILD_DIR)/ios%,$(APP_OBJS)): | $(LOCAL_DEPS) -endif - -ifeq ($(HAVE_LINUX_MACOS),1) -LOCAL_DEPS := out/openssl/$(UNAME_S)/macos-arm/usr/local/lib/libssl.a -$(LOCAL_DEPS): - +@PATH=../../deps/macos_toolchain/bin:$$PATH \ - BUILD_TARGET=macos-arm \ - SSL_TARGET=darwin64-arm64 \ - CC=../../deps/macos_toolchain/bin/oa64-clang \ - RANLIB=../../deps/macos_toolchain/bin/x86_64-apple-darwin24-ranlib \ - AR=../../deps/macos_toolchain/bin/arm64-apple-darwin24-ar \ - tools/ssl-local -$(filter $(BUILD_DIR)/macosrelease-arm/% $(BUILD_DIR)/macosdebug-arm/%,$(APP_OBJS)): | $(LOCAL_DEPS) - -LOCAL_DEPS := out/openssl/$(UNAME_S)/macos-x86_64/usr/local/lib/libssl.a -$(LOCAL_DEPS): - +@PATH=../../deps/macos_toolchain/bin:$$PATH \ - BUILD_TARGET=macos-x86_64 \ - SSL_TARGET=darwin64-x86_64 \ - CC=../../deps/macos_toolchain/bin/o64-clang \ - RANLIB=../../deps/macos_toolchain/bin/x86_64-apple-darwin24-ranlib \ - AR=../../deps/macos_toolchain/bin/x86_64-apple-darwin24-ar \ - tools/ssl-local -$(filter $(BUILD_DIR)/macosrelease-x86_64/% $(BUILD_DIR)/macosdebug-x86_64/%,$(APP_OBJS)): | $(LOCAL_DEPS) -endif -endif - -ifeq ($(UNAME_S),Darwin) -LOCAL_DEPS := out/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/lib/libssl.a -$(LOCAL_DEPS): - +@tools/ssl-local -$(filter $(BUILD_DIR)/debug/%,$(APP_OBJS)) $(filter $(BUILD_DIR)/release/%,$(APP_OBJS)): | $(LOCAL_DEPS) -endif - -ifeq ($(HAVE_WIN),1) -WINDOWS_DEPS := out/openssl/$(UNAME_S)/mingw64/usr/local/lib/libssl.a -$(WINDOWS_DEPS): - +@BUILD_TARGET=mingw64 SSL_TARGET=mingw64 OPTIONS="--cross-compile-prefix=x86_64-w64-mingw32-" tools/ssl-local -$(filter $(BUILD_DIR)/win%,$(APP_OBJS)): | $(WINDOWS_DEPS) -endif - -ifeq ($(UNAME_S),Darwin) -IOS_DEPS := out/openssl/ios/ios64-xcrun/usr/local/lib/libssl.a -$(IOS_DEPS): - +@BUILD_PLATFORM=ios BUILD_TARGET=ios64-xcrun SSL_TARGET=ios64-xcrun OPTIONS="-fPIC -Wno-macro-redefined -miphoneos-version-min=$(IPHONEOS_VERSION_MIN)" tools/ssl-local - +@BUILD_PLATFORM=ios BUILD_TARGET=iossimulator-xcrun SSL_TARGET=iossimulator-xcrun OPTIONS="-fPIC -Wno-macro-redefined" tools/ssl-local -$(filter $(BUILD_DIR)/ios%,$(APP_OBJS)): | $(IOS_DEPS) -endif - out/macos%/tildefriends: out/macos%-arm/tildefriends out/macos%-x86_64/tildefriends @echo [lipo] $@ @mkdir -p $(@D) diff --git a/README.md b/README.md index 7a9d10e8..6a50028f 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,6 @@ dependencies in the right places. ### Requirements -System OpenSSL libraries are assumed to be available on Haiku and OpenBSD. - On MacOS, Xcode's command-line tools are expected to be available. ### Build Commands diff --git a/deps/openssl_src b/deps/openssl_src deleted file mode 160000 index 7b371d80..00000000 --- a/deps/openssl_src +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 7b371d80d959ec9ab4139d09d78e83c090de9779 diff --git a/src/http.c b/src/http.c index 250388e4..ff381df2 100644 --- a/src/http.c +++ b/src/http.c @@ -2,7 +2,6 @@ #include "log.h" #include "mem.h" -#include "tls.h" #include "trace.h" #include "util.js.h" @@ -26,7 +25,6 @@ int s_http_instance_count; typedef struct _tf_http_connection_t { tf_http_t* http; - tf_tls_session_t* tls; uv_tcp_t tcp; uv_shutdown_t shutdown; uv_timer_t timeout; @@ -78,7 +76,6 @@ typedef struct _tf_http_handler_t typedef struct _tf_http_listener_t { tf_http_t* http; - tf_tls_context_t* tls; uv_tcp_t tcp; tf_http_cleanup_t* cleanup; void* user_data; @@ -109,7 +106,6 @@ typedef struct _tf_http_t static const char* _http_connection_get_header(const tf_http_connection_t* connection, const char* name); static void _http_connection_destroy(tf_http_connection_t* connection, const char* reason); static void _http_timer_reset(tf_http_connection_t* connection); -static void _http_tls_update(tf_http_connection_t* connection); static void _http_builtin_404_handler(tf_http_request_t* request); tf_http_t* tf_http_create(uv_loop_t* loop) @@ -260,11 +256,6 @@ static void _http_connection_destroy(tf_http_connection_t* connection, const cha { uv_close((uv_handle_t*)&connection->timeout, _http_connection_on_close); } - if (connection->tls) - { - tf_tls_session_destroy(connection->tls); - connection->tls = NULL; - } if (connection->ref_count == 0 && !connection->tcp.data && !connection->shutdown.data && !connection->timeout.data) { @@ -446,7 +437,6 @@ static void _http_add_body_bytes(tf_http_connection_t* connection, const void* d *request = (tf_http_request_t) { .http = connection->http, .connection = connection, - .is_tls = connection->tls != NULL, .method = connection->method, .path = connection->path, .query = connection->query, @@ -587,21 +577,7 @@ static void _http_on_read(uv_stream_t* stream, ssize_t read_size, const uv_buf_t _http_timer_reset(connection); if (read_size > 0) { - if (connection->tls) - { - if (tf_tls_session_write_encrypted(connection->tls, buffer->base, read_size) < 0) - { - _http_connection_destroy(connection, "tf_tls_session_write_encrypted"); - } - else - { - _http_tls_update(connection); - } - } - else - { - _http_on_read_plain(connection, buffer->base, read_size); - } + _http_on_read_plain(connection, buffer->base, read_size); } else if (read_size < 0) { @@ -643,17 +619,6 @@ static void _http_on_connection(uv_stream_t* stream, int status) tf_http_connection_t* connection = tf_malloc(sizeof(tf_http_connection_t)); *connection = (tf_http_connection_t) { .http = http, .tcp = { .data = connection }, .is_receiving_headers = true }; - if (listener->tls) - { - connection->tls = tf_tls_context_create_session(listener->tls); - if (!connection->tls) - { - _http_connection_destroy(connection, "tf_tls_context_create_session"); - return; - } - tf_tls_session_start_accept(connection->tls); - connection->is_handshaking = true; - } int r = uv_tcp_init(connection->http->loop, &connection->tcp); if (r) { @@ -694,21 +659,15 @@ static void _http_on_connection(uv_stream_t* stream, int status) return; } - if (connection->tls) - { - _http_tls_update(connection); - } - http->connections = tf_resize_vec(http->connections, sizeof(tf_http_connection_t*) * (http->connections_count + 1)); http->connections[http->connections_count++] = connection; } -int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_tls_context_t* tls, tf_http_cleanup_t* cleanup, void* user_data) +int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_http_cleanup_t* cleanup, void* user_data) { tf_http_listener_t* listener = tf_malloc(sizeof(tf_http_listener_t)); *listener = (tf_http_listener_t) { .http = http, - .tls = tls, .tcp = { .data = listener }, .cleanup = cleanup, .user_data = user_data, @@ -948,71 +907,10 @@ static void _http_write_internal(tf_http_connection_t* connection, const void* d } } -static void _http_tls_update(tf_http_connection_t* connection) -{ - bool again = true; - while (again) - { - again = false; - - if (connection->is_handshaking && connection->tls) - { - switch (tf_tls_session_handshake(connection->tls)) - { - case k_tls_handshake_done: - connection->is_handshaking = false; - break; - case k_tls_handshake_more: - break; - case k_tls_handshake_failed: - _http_connection_destroy(connection, "tf_tls_session_handshake"); - return; - } - } - - /* Maybe we became disconnected and cleaned up our TLS session. */ - if (connection->tls) - { - char buffer[8192]; - int r = tf_tls_session_read_encrypted(connection->tls, buffer, sizeof(buffer)); - if (r > 0) - { - _http_write_internal(connection, buffer, r); - again = true; - } - } - - if (connection->tls) - { - char buffer[8192]; - int r = tf_tls_session_read_plain(connection->tls, buffer, sizeof(buffer)); - if (r > 0) - { - _http_on_read_plain(connection, buffer, r); - again = true; - } - } - } -} - static void _http_write(tf_http_connection_t* connection, const void* data, size_t size) { _http_timer_reset(connection); - if (connection->tls) - { - int r = tf_tls_session_write_plain(connection->tls, data, size); - if (r < (ssize_t)size) - { - char buffer[8192]; - tf_tls_session_get_error(connection->tls, buffer, sizeof(buffer)); - tf_printf("tf_tls_session_write_plain: %s\n", buffer); - } - _http_tls_update(connection); - } - else - { - _http_write_internal(connection, data, size); - } + _http_write_internal(connection, data, size); } void tf_http_request_websocket_send(tf_http_request_t* request, int op_code, const void* data, size_t size) diff --git a/src/http.h b/src/http.h index a7cd8a1b..4f05962b 100644 --- a/src/http.h +++ b/src/http.h @@ -23,9 +23,6 @@ typedef struct _tf_http_request_t tf_http_request_t; /** An HTTP instance. */ typedef struct _tf_http_t tf_http_t; -/** A TLS context. */ -typedef struct _tf_tls_context_t tf_tls_context_t; - /** A trace instance. */ typedef struct _tf_trace_t tf_trace_t; @@ -68,8 +65,6 @@ typedef struct _tf_http_request_t tf_http_t* http; /** The HTTP connection associated with this request. */ tf_http_connection_t* connection; - /** True if this is an HTTPS session. */ - bool is_tls; /** The HTTP method of the request (GET/POST/...). */ const char* method; /** The HTTP request path. */ @@ -117,12 +112,11 @@ void tf_http_set_trace(tf_http_t* http, tf_trace_t* trace); ** @param http The HTTP instance. ** @param port The port on which to listen, or 0 to assign a free port. ** @param local_only Only access connections on localhost, otherwise any address. -** @param tls An optional TLS context to use for HTTPS requests. ** @param cleanup A function called when the HTTP instance is being cleaned up. ** @param user_data User data passed to the cleanup callback. ** @return The port number on which the HTTP instance is now listening. */ -int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_tls_context_t* tls, tf_http_cleanup_t* cleanup, void* user_data); +int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_http_cleanup_t* cleanup, void* user_data); /** ** Add an HTTP request handler. diff --git a/src/httpd.js.c b/src/httpd.js.c index d8464aab..389db0aa 100644 --- a/src/httpd.js.c +++ b/src/httpd.js.c @@ -7,7 +7,6 @@ #include "sha1.h" #include "ssb.db.h" #include "task.h" -#include "tls.h" #include "trace.h" #include "util.js.h" #include "version.h" @@ -257,11 +256,6 @@ JSValue tf_httpd_make_response_object(JSContext* context, tf_http_request_t* req bool tf_httpd_redirect(tf_http_request_t* request) { - if (request->is_tls) - { - return false; - } - http_user_data_t* user_data = tf_http_get_user_data(request->http); if (!user_data || !*user_data->redirect) { @@ -276,16 +270,12 @@ bool tf_httpd_redirect(tf_http_request_t* request) typedef struct _httpd_listener_t { - tf_tls_context_t* tls; + int padding; } httpd_listener_t; static void _httpd_listener_cleanup(void* user_data) { httpd_listener_t* listener = user_data; - if (listener->tls) - { - tf_tls_context_destroy(listener->tls); - } tf_free(listener); } @@ -574,7 +564,7 @@ static void _httpd_endpoint_add_slash(tf_http_request_t* request) host = tf_http_request_get_header(request, "host"); } char url[1024]; - snprintf(url, sizeof(url), "%s%s%s/", request->is_tls ? "https://" : "http://", host, request->path); + snprintf(url, sizeof(url), "%s%s%s/", "http://", host, request->path); const char* headers[] = { "Location", url, @@ -860,31 +850,6 @@ bool tf_httpd_is_name_valid(const char* name) return true; } -static void _httpd_free_user_data(void* user_data) -{ - tf_free(user_data); -} - -static const char* _httpd_read_file(tf_task_t* task, const char* path) -{ - const char* actual = tf_task_get_path_with_root(task, path); - const size_t k_max_read = 8 * 1024 * 1024; - char* result = NULL; - char* buffer = tf_malloc(k_max_read); - FILE* file = fopen(actual, "rb"); - if (file) - { - size_t size = fread(buffer, 1, k_max_read, file); - result = tf_malloc(size + 1); - memcpy(result, buffer, size); - result[size] = '\0'; - fclose(file); - } - tf_free(buffer); - tf_free((char*)actual); - return result; -} - void tf_httpd_register(JSContext* context) { JS_NewClassID(&_httpd_request_class_id); @@ -913,36 +878,14 @@ tf_http_t* tf_httpd_create(JSContext* context) tf_http_set_trace(http, tf_task_get_trace(task)); int64_t http_port = 0; - int64_t https_port = 0; char out_http_port_file[512] = ""; bool local_only = false; sqlite3* db = tf_ssb_acquire_db_reader(ssb); tf_ssb_db_get_global_setting_int64(db, "http_port", &http_port); - tf_ssb_db_get_global_setting_int64(db, "https_port", &https_port); tf_ssb_db_get_global_setting_string(db, "out_http_port_file", out_http_port_file, sizeof(out_http_port_file)); tf_ssb_db_get_global_setting_bool(db, "http_local_only", &local_only); tf_ssb_release_db_reader(ssb, db); - if (https_port) - { - http_user_data_t* user_data = tf_http_get_user_data(http); - if (!user_data) - { - user_data = tf_malloc(sizeof(http_user_data_t)); - memset(user_data, 0, sizeof(http_user_data_t)); - tf_http_set_user_data(http, user_data, _httpd_free_user_data); - } - sqlite3* db = tf_ssb_acquire_db_reader(ssb); - tf_ssb_db_get_global_setting_string(db, "http_redirect", user_data->redirect, sizeof(user_data->redirect)); - tf_ssb_release_db_reader(ssb, db); - - /* Workaround. */ - if (strcmp(user_data->redirect, "0") == 0) - { - *user_data->redirect = '\0'; - } - } - tf_http_add_handler(http, "/", _httpd_endpoint_root, NULL, task); tf_http_add_handler(http, "/codemirror/*", tf_httpd_endpoint_static, NULL, task); tf_http_add_handler(http, "/lit/*", tf_httpd_endpoint_static, NULL, task); @@ -977,7 +920,7 @@ tf_http_t* tf_httpd_create(JSContext* context) { httpd_listener_t* listener = tf_malloc(sizeof(httpd_listener_t)); *listener = (httpd_listener_t) { 0 }; - int assigned_port = tf_http_listen(http, http_port, local_only, NULL, _httpd_listener_cleanup, listener); + int assigned_port = tf_http_listen(http, http_port, local_only, _httpd_listener_cleanup, listener); tf_printf(CYAN "~😎 Tilde Friends" RESET " " YELLOW VERSION_NUMBER RESET " is now up at " MAGENTA "http://127.0.0.1:%d/" RESET ".\n", assigned_port); if (*out_http_port_file) @@ -996,26 +939,6 @@ tf_http_t* tf_httpd_create(JSContext* context) } tf_free((char*)actual_http_port_file); } - - if (https_port) - { - const char* k_certificate = "data/httpd/certificate.pem"; - const char* k_private_key = "data/httpd/privatekey.pem"; - const char* certificate = _httpd_read_file(task, k_certificate); - const char* private_key = _httpd_read_file(task, k_private_key); - if (certificate && private_key) - { - tf_tls_context_t* tls = tf_tls_context_create(); - tf_tls_context_set_certificate(tls, certificate); - tf_tls_context_set_private_key(tls, private_key); - httpd_listener_t* listener = tf_malloc(sizeof(httpd_listener_t)); - *listener = (httpd_listener_t) { .tls = tls }; - int assigned_port = tf_http_listen(http, https_port, local_only, tls, _httpd_listener_cleanup, listener); - tf_printf(CYAN "~😎 Tilde Friends" RESET " " YELLOW VERSION_NUMBER RESET " is now up at " MAGENTA "https://127.0.0.1:%d/" RESET ".\n", assigned_port); - } - tf_free((char*)certificate); - tf_free((char*)private_key); - } } return http; } diff --git a/src/httpd.login.c b/src/httpd.login.c index fd285260..ca2a29fb 100644 --- a/src/httpd.login.c +++ b/src/httpd.login.c @@ -37,11 +37,11 @@ typedef struct _login_request_t const char* tf_httpd_make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie) { const char* k_pattern = "session=%s; path=/; Max-Age=%" PRId64 "; %sSameSite=Strict; HttpOnly"; - int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "") : 0; + int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_httpd_auth_refresh_interval, "") : 0; char* cookie = length ? tf_malloc(length + 1) : NULL; if (cookie) { - snprintf(cookie, length + 1, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : ""); + snprintf(cookie, length + 1, k_pattern, session_cookie, k_httpd_auth_refresh_interval, ""); } return cookie; } @@ -226,7 +226,7 @@ static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data) } else { - snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host")); + snprintf(login->location_header, sizeof(login->location_header), "%s%s/", "http://", tf_http_request_get_header(request, "host")); } goto done; } @@ -332,7 +332,7 @@ static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data) } else { - snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host")); + snprintf(login->location_header, sizeof(login->location_header), "%s%s/", "http://", tf_http_request_get_header(request, "host")); } login->set_cookie_header = tf_httpd_make_set_session_cookie_header(request, send_session); tf_free((void*)send_session); @@ -416,8 +416,7 @@ void tf_httpd_endpoint_login(tf_http_request_t* request) void tf_httpd_endpoint_logout(tf_http_request_t* request) { - const char* k_set_cookie = request->is_tls ? "session=; path=/; Secure; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly" - : "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"; + const char* k_set_cookie = "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"; const char* k_location_format = "/login%s%s"; int length = snprintf(NULL, 0, k_location_format, request->query ? "?" : "", request->query); char* location = alloca(length + 1); diff --git a/src/main.c b/src/main.c index 53c556b0..0a7f90f4 100644 --- a/src/main.c +++ b/src/main.c @@ -1502,13 +1502,11 @@ static int _tf_run_task(const tf_run_args_t* args, int index) tf_ssb_t* ssb = tf_task_get_ssb(task); sqlite3* db = tf_ssb_acquire_db_reader(ssb); int64_t http_port = 0; - int64_t https_port = 0; char out_http_port_file[512] = ""; tf_ssb_db_get_global_setting_int64(db, "http_port", &http_port); - tf_ssb_db_get_global_setting_int64(db, "https_port", &https_port); tf_ssb_db_get_global_setting_string(db, "out_http_port_file", out_http_port_file, sizeof(out_http_port_file)); tf_ssb_release_db_reader(ssb, db); - if (http_port || https_port || *out_http_port_file) + if (http_port || *out_http_port_file) { if (args->zip) { @@ -1869,7 +1867,6 @@ static void _startup(int argc, char* argv[]) prctl(PR_SET_PDEATHSIG, SIGKILL); #endif tf_mem_replace_uv_allocator(); - tf_mem_replace_tls_allocator(); tf_mem_replace_sqlite_allocator(); uv_setup_args(argc, argv); tf_taskstub_startup(); diff --git a/src/mem.c b/src/mem.c index 5284ce83..50967385 100644 --- a/src/mem.c +++ b/src/mem.c @@ -7,8 +7,6 @@ #include "sqlite3.h" #include "uv.h" -#include - #include #include @@ -19,7 +17,6 @@ static bool s_mem_tracking; static tf_mem_node_t* s_mem_tracked; static int64_t s_tf_malloc_size; static int64_t s_uv_malloc_size; -static int64_t s_tls_malloc_size; static int64_t s_js_malloc_size; static int64_t s_sqlite_malloc_size; @@ -387,31 +384,6 @@ size_t tf_mem_get_uv_malloc_size() return s_uv_malloc_size; } -static void* _tf_tls_alloc(size_t size, const char* file, int line) -{ - return _tf_alloc(&s_tls_malloc_size, size); -} - -static void* _tf_tls_realloc(void* ptr, size_t size, const char* file, int line) -{ - return _tf_realloc(&s_tls_malloc_size, ptr, size); -} - -static void _tf_tls_free(void* ptr, const char* file, int line) -{ - _tf_free(&s_tls_malloc_size, ptr); -} - -void tf_mem_replace_tls_allocator() -{ - CRYPTO_set_mem_functions(_tf_tls_alloc, _tf_tls_realloc, _tf_tls_free); -} - -size_t tf_mem_get_tls_malloc_size() -{ - return s_tls_malloc_size; -} - void* tf_malloc(size_t size) { return _tf_alloc(&s_tf_malloc_size, size); diff --git a/src/mem.h b/src/mem.h index 120b01ac..48b1334b 100644 --- a/src/mem.h +++ b/src/mem.h @@ -3,7 +3,7 @@ /** ** \defgroup mem Memory management ** tf_malloc() and friends use malloc() behind the scenes but optionally -** track memory per system (OpenSSL, sqlite, libuv, ...) and store callstacks +** track memory per system (sqlite, libuv, ...) and store callstacks ** to help debug leaks. ** @{ */ @@ -38,17 +38,6 @@ void tf_mem_replace_uv_allocator(); */ size_t tf_mem_get_uv_malloc_size(); -/** -** Register a custom allocator with OpenSSL. -*/ -void tf_mem_replace_tls_allocator(); - -/** -** Get the number of bytes currently allocated by OpenSSL. -** @return The allocated size in bytes. -*/ -size_t tf_mem_get_tls_malloc_size(); - /** ** Register a custom allocator with SQLite. */ diff --git a/src/ssb.tests.c b/src/ssb.tests.c index 5588a5bc..d22ff1f9 100644 --- a/src/ssb.tests.c +++ b/src/ssb.tests.c @@ -923,7 +923,7 @@ static void _write_file(const char* path, const char* contents) fclose(file); } -#define TEST_ARGS " --args=ssb_port=0,http_port=0,https_port=0" +#define TEST_ARGS " --args=ssb_port=0,http_port=0" void tf_ssb_test_encrypt(const tf_test_options_t* options) { diff --git a/src/task.c b/src/task.c index 7ecd19f4..9806bb0b 100644 --- a/src/task.c +++ b/src/task.c @@ -26,8 +26,6 @@ #include "uv.h" #include "zlib.h" -#include - #include #include #include @@ -707,11 +705,6 @@ static JSValue _tf_task_version(JSContext* context, JSValueConst this_val, int a JS_SetPropertyStr(context, version, "name", JS_NewString(context, VERSION_NAME)); JS_SetPropertyStr(context, version, "libuv", JS_NewString(context, uv_version_string())); JS_SetPropertyStr(context, version, "sqlite", JS_NewString(context, sqlite3_libversion())); -#if defined(OPENSSL_VERSION_STRING) - JS_SetPropertyStr(context, version, "openssl", JS_NewString(context, OpenSSL_version(OPENSSL_VERSION_STRING))); -#else - JS_SetPropertyStr(context, version, "openssl", JS_NewString(context, OpenSSL_version(OPENSSL_VERSION))); -#endif const char* sodium_version_string(); JS_SetPropertyStr(context, version, "c-ares", JS_NewString(context, ares_version(NULL))); JS_SetPropertyStr(context, version, "libsodium", JS_NewString(context, sodium_version_string())); @@ -822,7 +815,6 @@ static JSValue _tf_task_getStats(JSContext* context, JSValueConst this_val, int JS_SetPropertyStr(context, result, "sqlite3_memory_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_sqlite_malloc_size() / total_memory)); JS_SetPropertyStr(context, result, "js_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_js_malloc_size() / total_memory)); JS_SetPropertyStr(context, result, "uv_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_uv_malloc_size() / total_memory)); - JS_SetPropertyStr(context, result, "tls_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_tls_malloc_size() / total_memory)); JS_SetPropertyStr(context, result, "tf_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_tf_malloc_size() / total_memory)); if (task->_ssb) diff --git a/src/tests.c b/src/tests.c index 21c27c6d..18b7a048 100644 --- a/src/tests.c +++ b/src/tests.c @@ -32,7 +32,7 @@ #include #endif -#define TEST_ARGS " --args=ssb_port=0,http_port=0,https_port=0" +#define TEST_ARGS " --args=ssb_port=0,http_port=0" #if !TARGET_OS_IPHONE static void _write_file(const char* path, const char* contents) @@ -694,7 +694,7 @@ static void _test_http(const tf_test_options_t* options) tf_http_t* http = tf_http_create(&loop); tf_http_add_handler(http, "/hello", _test_http_handler, NULL, NULL); tf_http_add_handler(http, "/post", _test_http_handler_post, NULL, NULL); - tf_http_listen(http, 23456, true, NULL, NULL, NULL); + tf_http_listen(http, 23456, true, NULL, NULL); test_http_t test = { .loop = &loop }; uv_async_init(&loop, &test.async, _test_http_async); @@ -786,7 +786,7 @@ static void _test_httpd(const tf_test_options_t* options) uv_spawn(&loop, &process, &(uv_process_options_t) { .file = options->exe_path, - .args = (char*[]) { (char*)options->exe_path, "run", "--db-path=out/test_db0.sqlite", "--args=ssb_port=0,http_port=8080,https_port=0", NULL }, + .args = (char*[]) { (char*)options->exe_path, "run", "--db-path=out/test_db0.sqlite", "--args=ssb_port=0,http_port=8080", NULL }, .stdio_count = sizeof(stdio) / sizeof(*stdio), .stdio = stdio, }); diff --git a/src/tls.c b/src/tls.c deleted file mode 100644 index 9999dd69..00000000 --- a/src/tls.c +++ /dev/null @@ -1,384 +0,0 @@ -#include "tls.h" - -#include "mem.h" - -#include - -#include -#include -#include -#include -#include - -typedef enum _direction_t -{ - k_direction_undetermined, - k_direction_accept, - k_direction_connect, -} direction_t; - -typedef struct _tf_tls_context_t -{ - SSL_CTX* context; -} tf_tls_context_t; - -typedef struct _tf_tls_session_t -{ - tf_tls_context_t* context; - BIO* bio_in; - BIO* bio_out; - SSL* ssl; - const char* hostname; - direction_t direction; -} tf_tls_session_t; - -tf_tls_context_t* tf_tls_context_create() -{ - tf_tls_context_t* context = tf_malloc(sizeof(tf_tls_context_t)); - memset(context, 0, sizeof(*context)); - OPENSSL_init_ssl(0, NULL); - context->context = SSL_CTX_new(SSLv23_method()); - SSL_CTX_set_default_verify_paths(context->context); - return context; -} - -bool tf_tls_context_set_certificate(tf_tls_context_t* context, const char* certificate) -{ - int result = 0; - BIO* bio = BIO_new(BIO_s_mem()); - BIO_puts(bio, certificate); - X509* x509 = PEM_read_bio_X509(bio, 0, 0, 0); - result = SSL_CTX_use_certificate(context->context, x509); - X509_free(x509); - while (true) - { - x509 = PEM_read_bio_X509(bio, 0, 0, 0); - if (x509) - { - SSL_CTX_add_extra_chain_cert(context->context, x509); - /* Docs say don't x509_free: https://www.openssl.org/docs/man3.2/man3/SSL_CTX_add_extra_chain_cert.html. */ - } - else - { - break; - } - } - BIO_free(bio); - return result == 1; -} - -bool tf_tls_context_set_private_key(tf_tls_context_t* context, const char* private_key) -{ - int result = 0; - BIO* bio = BIO_new(BIO_s_mem()); - BIO_puts(bio, private_key); - EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, 0, 0, 0); - result = SSL_CTX_use_PrivateKey(context->context, key); - EVP_PKEY_free(key); - BIO_free(bio); - return result == 1; -} - -bool tf_tls_context_add_trusted_certificate(tf_tls_context_t* context, const char* certificate) -{ - bool result = false; - BIO* bio = BIO_new_mem_buf(certificate, -1); - X509* x509 = PEM_read_bio_X509(bio, 0, 0, 0); - BIO_free(bio); - - if (x509) - { - X509_STORE* store = SSL_CTX_get_cert_store(context->context); - if (store && X509_STORE_add_cert(store, x509) == 1) - { - result = true; - } - X509_free(x509); - } - - return result; -} - -tf_tls_session_t* tf_tls_context_create_session(tf_tls_context_t* context) -{ - tf_tls_session_t* session = tf_malloc(sizeof(tf_tls_session_t)); - memset(session, 0, sizeof(*session)); - session->context = context; - session->bio_in = BIO_new(BIO_s_mem()); - session->bio_out = BIO_new(BIO_s_mem()); - return session; -} - -void tf_tls_context_destroy(tf_tls_context_t* context) -{ - SSL_CTX_free(context->context); - OPENSSL_cleanup(); - tf_free(context); -} - -void tf_tls_session_destroy(tf_tls_session_t* session) -{ - if (session->ssl) - { - SSL_free(session->ssl); - } - if (session->hostname) - { - tf_free((void*)session->hostname); - } - tf_free(session); -} - -void tf_tls_session_set_hostname(tf_tls_session_t* session, const char* hostname) -{ - if (session->hostname) - { - tf_free((void*)session->hostname); - session->hostname = NULL; - } - if (hostname) - { - session->hostname = tf_strdup(hostname); - } -} - -void tf_tls_session_start_accept(tf_tls_session_t* session) -{ - session->direction = k_direction_accept; - session->ssl = SSL_new(session->context->context); - SSL_set_bio(session->ssl, session->bio_in, session->bio_out); - SSL_accept(session->ssl); - tf_tls_session_handshake(session); -} - -void tf_tls_session_start_connect(tf_tls_session_t* session) -{ - session->direction = k_direction_connect; - session->ssl = SSL_new(session->context->context); - X509_VERIFY_PARAM* param = SSL_get0_param(session->ssl); - X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - X509_VERIFY_PARAM_set1_host(param, session->hostname, 0); - SSL_set_tlsext_host_name(session->ssl, session->hostname); - SSL_set_bio(session->ssl, session->bio_in, session->bio_out); - SSL_connect(session->ssl); - tf_tls_session_handshake(session); -} - -void tf_tls_session_shutdown(tf_tls_session_t* session) -{ - SSL_shutdown(session->ssl); -} - -int tf_tls_session_get_peer_certificate(tf_tls_session_t* session, char* buffer, size_t bytes) -{ - int result = -1; -#if OPENSSL_VERSION_NUMBER < 0x30000000L - X509* certificate = SSL_get_peer_certificate(session->ssl); -#else - X509* certificate = SSL_get1_peer_certificate(session->ssl); -#endif - BIO* bio = BIO_new(BIO_s_mem()); - PEM_write_bio_X509(bio, certificate); - X509_free(certificate); - BUF_MEM* mem; - BIO_get_mem_ptr(bio, &mem); - if (mem->length <= bytes) - { - memcpy(buffer, mem->data, mem->length); - result = mem->length; - } - BIO_free(bio); - return result; -} - -#if OPENSSL_VERSION_NUMBER < 0x10100000L -static bool _tls_session_wildcard_match(const char* pattern, size_t pattern_length, const char* name) -{ - const char* it = pattern; - while (it - pattern < pattern_length && *name) - { - if (*it == '*') - { - for (const char* p = name; *p; ++p) - { - if (_tls_session_wildcard_match(it + 1, pattern_length - 1, p)) - { - return true; - } - } - return false; - } - else if (tolower(*it) == tolower(*name)) - { - ++it; - ++name; - } - else - { - break; - } - } - return it - pattern <= pattern_length && *name == 0; -} - -static bool _tls_session_verify_hostname(X509* certificate, const char* hostname) -{ - bool verified = false; - void* names = X509_get_ext_d2i(certificate, NID_subject_alt_name, 0, 0); - if (names) - { - int count = sk_GENERAL_NAME_num(names); - for (int i = 0; i < count; ++i) - { - const GENERAL_NAME* check = sk_GENERAL_NAME_value(names, i); - if (!verified) - { -#if OPENSSL_VERSION_NUMBER <= 0x1000211fL - const unsigned char* name = ASN1_STRING_data(check->d.ia5); -#else - const char* name = ASN1_STRING_get0_data(check->d.ia5); -#endif - size_t length = ASN1_STRING_length(check->d.ia5); - if (_tls_session_wildcard_match((const char*)name, length, hostname)) - { - verified = true; - } - } - } - sk_GENERAL_NAMES_free(names); - } - - if (!verified) - { - int index = X509_NAME_get_index_by_NID(X509_get_subject_name(certificate), NID_commonName, -1); - if (index >= 0) - { - X509_NAME_ENTRY* entry = X509_NAME_get_entry(X509_get_subject_name(certificate), index); - if (entry) - { - ASN1_STRING* asn1 = X509_NAME_ENTRY_get_data(entry); - if (asn1) - { -#if OPENSSL_VERSION_NUMBER <= 0x1000211fL - const unsigned char* commonName = ASN1_STRING_data(asn1); -#else - const char* commonName = ASN1_STRING_get0_data(asn1); -#endif - if ((size_t)(ASN1_STRING_length(asn1)) == strlen((const char*)commonName)) - { - verified = _tls_session_wildcard_match((const char*)commonName, ASN1_STRING_length(asn1), hostname); - } - } - } - } - } - - return verified; -} -#endif - -static bool _tls_session_verify_peer_certificate(tf_tls_session_t* session) -{ - bool verified = false; -#if OPENSSL_VERSION_NUMBER < 0x30000000L - X509* certificate = SSL_get_peer_certificate(session->ssl); -#else - X509* certificate = SSL_get1_peer_certificate(session->ssl); -#endif - if (certificate) - { - if (SSL_get_verify_result(session->ssl) == X509_V_OK) - { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (_tls_session_verify_hostname(certificate, session->hostname)) - { - verified = true; - } -#else - verified = true; -#endif - } - X509_free(certificate); - } - return verified; -} - -tf_tls_handshake_t tf_tls_session_handshake(tf_tls_session_t* session) -{ - tf_tls_handshake_t result = k_tls_handshake_done; - if (!SSL_is_init_finished(session->ssl)) - { - int value = SSL_do_handshake(session->ssl); - if (value <= 0) - { - int error = SSL_get_error(session->ssl, value); - if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE) - { - result = k_tls_handshake_failed; - } - else - { - result = k_tls_handshake_more; - } - } - } - if (result == k_tls_handshake_done && session->direction == k_direction_connect && !_tls_session_verify_peer_certificate(session)) - { - result = k_tls_handshake_failed; - } - return result; -} - -int tf_tls_session_read_plain(tf_tls_session_t* session, char* buffer, size_t bytes) -{ - int result = SSL_read(session->ssl, buffer, bytes); - if (result <= 0) - { - int error = SSL_get_error(session->ssl, result); - if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE) - { - result = 0; - } - else if (error == SSL_ERROR_ZERO_RETURN) - { - if ((SSL_get_shutdown(session->ssl) & SSL_RECEIVED_SHUTDOWN) != 0) - { - result = k_tls_read_zero; - } - else - { - result = 0; - } - } - else - { - result = k_tls_read_failed; - } - } - return result; -} - -int tf_tls_session_write_plain(tf_tls_session_t* session, const char* buffer, size_t bytes) -{ - return SSL_write(session->ssl, buffer, bytes); -} - -int tf_tls_session_read_encrypted(tf_tls_session_t* session, char* buffer, size_t bytes) -{ - return BIO_read(session->bio_out, buffer, bytes); -} - -int tf_tls_session_write_encrypted(tf_tls_session_t* session, const char* buffer, size_t bytes) -{ - return BIO_write(session->bio_in, buffer, bytes); -} - -bool tf_tls_session_get_error(tf_tls_session_t* session, char* buffer, size_t bytes) -{ - unsigned long error = ERR_get_error(); - if (error != 0) - { - ERR_error_string_n(error, buffer, bytes); - } - return error != 0; -} diff --git a/src/tls.h b/src/tls.h deleted file mode 100644 index 84c93f9f..00000000 --- a/src/tls.h +++ /dev/null @@ -1,177 +0,0 @@ -#pragma once - -/** -** \defgroup tls TLS -** A minimal wrapper around OpenSSL. -** @{ -*/ - -#include -#include - -/** -** A TLS context. May have many tf_tls_session_t instances. -*/ -typedef struct _tf_tls_context_t tf_tls_context_t; - -/** -** A TLS session. Belongs to one tf_tls_context_t and represents a single connection. -*/ -typedef struct _tf_tls_session_t tf_tls_session_t; - -/** -** The state of a TLS handshake. -*/ -typedef enum _tf_tls_handshake_t -{ - k_tls_handshake_done, - k_tls_handshake_more, - k_tls_handshake_failed, -} tf_tls_handshake_t; - -/** -** Possible error statuses from tf_tls_session_read_plain. -*/ -typedef enum _tf_tls_read_t -{ - k_tls_read_zero = -1, - k_tls_read_failed = -2, -} tf_tls_read_t; - -/** -** Create a TLS context. Clean up with tf_tls_context_destroy(). -** @return A new TLS context. -*/ -tf_tls_context_t* tf_tls_context_create(); - -/** -** Set the TLS context's server certificate. -** @param context The TLS context. -** @param certificate The certificate in PEM format. -** @return true if set successfully. -*/ -bool tf_tls_context_set_certificate(tf_tls_context_t* context, const char* certificate); - -/** -** Set the TLS context's server certificate's private key. -** @param context The TLS context. -** @param private_key The private key in PEM format. -** @return true if set successfully. -*/ -bool tf_tls_context_set_private_key(tf_tls_context_t* context, const char* private_key); - -/** -** Add a trusted certificate. -** @param context The TLS context. -** @param certificate The certificate in PEM format. -** @return true if the certificate was added to the trusted list successfully. -*/ -bool tf_tls_context_add_trusted_certificate(tf_tls_context_t* context, const char* certificate); - -/** -** Create a TLS session from a context. Once created, call -** tf_tls_session_handshake() until it returns k_tls_handshake_done. Call -** tf_tls_session_[read/write]_[plain/encrypted]() as data is available. -** @param context The TLS context. Clean up with tf_tls_session_destroy(). -** @return A new TLS session. -*/ -tf_tls_session_t* tf_tls_context_create_session(tf_tls_context_t* context); - -/** -** Destroy a TLS context. -** @param context The TLS contextx created by tf_tls_context_create(). -*/ -void tf_tls_context_destroy(tf_tls_context_t* context); - -/** -** Destroy a TLS session. -** @param session A TLS sesssion created by tf_tls_context_create_session(). -*/ -void tf_tls_session_destroy(tf_tls_session_t* session); - -/** -** Set the remote hostname for a session. -** @param session The TLS session. -** @param hostname The hostname. -*/ -void tf_tls_session_set_hostname(tf_tls_session_t* session, const char* hostname); - -/** -** Begin an outgoing TLS session. -** @param session The TLS session. -*/ -void tf_tls_session_start_accept(tf_tls_session_t* session); - -/** -** Begin an incoming TLS session. -** @param session The TLS session. -*/ -void tf_tls_session_start_connect(tf_tls_session_t* session); - -/** -** Begin the clean shutdown process for a TLS session. -** @param session The TLS session. -*/ -void tf_tls_session_shutdown(tf_tls_session_t* session); - -/** -** Get the certificate from the remote end of a TLS session if available. -** @param session The TLS session. -** @param buffer A buffer to receive the certificate. -** @param bytes The size of the buffer. -** @return The size of the returned certificate, or -1 on failure. -*/ -int tf_tls_session_get_peer_certificate(tf_tls_session_t* session, char* buffer, size_t bytes); - -/** -** Update the TLS handshake. Call repeatedly as new data is available until it returns done. -** @param session The TLS session. -** @return The current state of the handshake process. -*/ -tf_tls_handshake_t tf_tls_session_handshake(tf_tls_session_t* session); - -/** -** Read decrypted data from the TLS session. -** @param session The TLS session. -** @param buffer A buffer to receive the data. -** @param bytes The size of the buffer. -** @return The number of bytes returned. -*/ -int tf_tls_session_read_plain(tf_tls_session_t* session, char* buffer, size_t bytes); - -/** -** Write unencrypted data to the TLS session. -** @param session The TLS session. -** @param buffer The data to encrypt. -** @param bytes The size of the data. -** @return 1 on success, 0 on failure. -*/ -int tf_tls_session_write_plain(tf_tls_session_t* session, const char* buffer, size_t bytes); - -/** -** Read encrypted data from the TLS session that needs to be sent. -** @param session The TLS session. -** @param buffer A buffer to receive the data. -** @param bytes The size of the buffer. -** @return The number of bytes returned. -*/ -int tf_tls_session_read_encrypted(tf_tls_session_t* session, char* buffer, size_t bytes); - -/** -** Write encrypted data to the TLS session. -** @param session The TLS session. -** @param buffer The encrypted data. -** @param bytes The number of bytes written. -*/ -int tf_tls_session_write_encrypted(tf_tls_session_t* session, const char* buffer, size_t bytes); - -/** -** Retrieve the last error from a TLS session. -** @param session The TLS session. -** @param buffer A buffer to receive the error text. -** @param bytes The size of the buffer. -** @return true if an error was retrieved. -*/ -bool tf_tls_session_get_error(tf_tls_session_t* session, char* buffer, size_t bytes); - -/** @} */ diff --git a/src/util.js.c b/src/util.js.c index a81572f8..351342b0 100644 --- a/src/util.js.c +++ b/src/util.js.c @@ -289,7 +289,6 @@ static const setting_t k_settings[] = { .description = "Whether to bind http(s) to the loopback address. Otherwise any.", .default_value = { .kind = k_kind_bool, .bool_value = TF_IS_MOBILE ? true : false } }, { .name = "http_port", .type = "integer", .description = "Port on which to listen for HTTP connections.", .default_value = { .kind = k_kind_int, .int_value = 12345 } }, - { .name = "https_port", .type = "integer", .description = "Port on which to listen for secure HTTP connections.", .default_value = { .kind = k_kind_int, .int_value = 0 } }, { .name = "out_http_port_file", .type = "hidden", .description = "File to which to write bound HTTP port.", .default_value = { .kind = k_kind_string, .string_value = NULL } }, { .name = "blob_fetch_age_seconds", .type = "integer",