Skip to content

Commit 4ffda72

Browse files
ssl-aware insocket, and load cacerts on sslconnect
1 parent 5dec311 commit 4ffda72

2 files changed

Lines changed: 53 additions & 9 deletions

File tree

src/basic/sockets.c

Lines changed: 51 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@
77
static queued_udp_packet* udp_packets[65536] = {0};
88
static queued_udp_packet* udp_list_tail[65536] = {0};
99
static spinlock_t udp_read_lock = 0;
10+
static uint8_t* ca = NULL;
11+
static size_t ca_len = 0;
1012

1113
/**
1214
* @brief Idle callback to check if socket is ready to read.
@@ -248,12 +250,33 @@ void sslconnect_statement(struct basic_ctx* ctx) {
248250
ip = str_expr(ctx);
249251
accept_or_return(COMMA, ctx);
250252
port = expr(ctx);
251-
accept_or_return(COMMA, ctx);
252-
sni = expr(ctx);
253+
if (tokenizer_token(ctx) == COMMA) {
254+
accept_or_return(COMMA, ctx);
255+
sni = expr(ctx);
256+
if (!*sni) {
257+
sni = NULL;
258+
}
259+
}
253260

254-
const char* ca = "";
261+
if (!ca) {
262+
fs_directory_entry_t* info = fs_get_file_info("/system/ssl/cacert.pem");
263+
if (!info || (info->flags & FS_DIRECTORY) != 0) {
264+
tokenizer_error_print(ctx, "Unable to load CA cert bundle from /system/ssl/cacert.pem");
265+
return;
266+
}
267+
ca = kmalloc(info->size);
268+
if (!ca) {
269+
tokenizer_error_print(ctx, "Out of memory for CA cert bundle");
270+
return;
271+
}
272+
if (!fs_read_file(info, 0, info->size, ca)) {
273+
tokenizer_error_print(ctx, "Unable to load CA cert bundle from /system/ssl/cacert.pem");
274+
return;
275+
}
276+
ca_len = info->size;
277+
}
255278

256-
int rv = ssl_connect(str_to_ip(ip), port, 0, true, sni, NULL, (const uint8_t*)ca, strlen(ca));
279+
int rv = ssl_connect(str_to_ip(ip), port, 0, true, sni, NULL, ca, ca_len);
257280

258281
if (rv >= 0) {
259282
*(input + rv) = 0;
@@ -339,6 +362,7 @@ int64_t basic_sslsockaccept(struct basic_ctx* ctx) {
339362
PARAMS_GET_ITEM(BIP_INT);
340363
const char* key = strval;
341364
PARAMS_END("SSLSOCKACCEPT",-1);
365+
// TODO: Load the certs from the file paths
342366
int rv = ssl_accept(server, (const uint8_t*)cert, strlen(cert), (const uint8_t*)key, strlen(key), NULL, true);
343367
if (rv < 0) {
344368
tokenizer_error_print(ctx, socket_error(rv));
@@ -349,7 +373,7 @@ int64_t basic_sslsockaccept(struct basic_ctx* ctx) {
349373

350374
char* basic_insocket(struct basic_ctx* ctx) {
351375
uint8_t input[2] = { 0, 0 };
352-
376+
353377
PARAMS_START;
354378
PARAMS_GET_ITEM(BIP_INT);
355379
int64_t fd = intval;
@@ -360,15 +384,35 @@ char* basic_insocket(struct basic_ctx* ctx) {
360384
return "";
361385
}
362386

363-
int rv = recv(fd, input, 1, false, 0);
387+
int rv;
388+
if (tls_get(fd)) {
389+
int want;
390+
int out_n;
391+
bool ok;
392+
393+
want = 0;
394+
out_n = 0;
395+
ok = tls_read_fd(fd, input, 1, &want, &out_n);
396+
if (ok) {
397+
rv = out_n;
398+
} else {
399+
if (want == 1) {
400+
rv = 0;
401+
} else {
402+
rv = TCP_ERROR_CONNECTION_FAILED;
403+
}
404+
}
405+
} else {
406+
rv = recv(fd, input, 1, false, 0);
407+
}
364408

365409
if (rv > 0) {
366410
input[1] = 0;
367411
return gc_strdup(ctx, (const char*)input);
368412
} else if (rv < 0) {
369413
tokenizer_error_print(ctx, socket_error(rv));
370414
} else {
371-
__asm__ volatile("hlt");
415+
__asm__ volatile("pause");
372416
}
373417
return "";
374418
}

src/net/tls.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -373,7 +373,7 @@ int ssl_connect(uint32_t target_addr, uint16_t target_port, uint16_t source_port
373373
if (get_ticks() - start > 3000) {
374374
return TCP_CONNECTION_TIMED_OUT;
375375
}
376-
__asm__ volatile("hlt");
376+
__asm__ volatile("pause");
377377
}
378378
}
379379

@@ -430,7 +430,7 @@ int ssl_accept(int listen_fd, const uint8_t *cert_pem, size_t cert_len, const ui
430430
tls_close_fd(fd);
431431
return TCP_CONNECTION_TIMED_OUT;
432432
}
433-
__asm__ volatile("hlt");
433+
__asm__ volatile("pause");
434434
}
435435
}
436436

0 commit comments

Comments
 (0)