diff --git a/Makefile b/Makefile index c894e8d..438b304 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,8 @@ # Compiler and flags CPPC = g++ -CPPC_FLAGS = -std=c++23 -s -O3 -lssl -lcrypto -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fPIE -pie -Wall -Wextra -Wformat -Wformat=2 -Werror=format-security -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -DEBUG_FLAGS = -ggdb -std=c++23 -lssl -lcrypto -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fPIE -pie -Wall -Wextra -Wformat -Wformat=2 -Werror=format-security -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -DEBUG_ASANITIZE = -fsanitize=address -ggdb -fno-omit-frame-pointer -std=c++23 -lssl -lcrypto -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fPIE -pie -Wall -Wextra -Wformat -Wformat=2 -Werror=format-security -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed +CPPC_FLAGS = -std=c++23 -s -O3 -lwolfssl -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fPIE -pie -Wall -Wextra -Wformat -Wformat=2 -Werror=format-security -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed +DEBUG_FLAGS = -ggdb -std=c++23 -lwolfssl -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fPIE -pie -Wall -Wextra -Wformat -Wformat=2 -Werror=format-security -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed +DEBUG_ASANITIZE = -fsanitize=address -ggdb -fno-omit-frame-pointer -std=c++23 -lwolfssl -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fPIE -pie -Wall -Wextra -Wformat -Wformat=2 -Werror=format-security -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed SRC_PATH_CLIENT := src/client diff --git a/misc/gen_no_PQC.sh b/misc/gen_no_PQC.sh new file mode 100755 index 0000000..9e61450 --- /dev/null +++ b/misc/gen_no_PQC.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# generate_certs.sh +# Requires oqsprovider installed (dnf install oqsprovider) + +# Generate CA +openssl genpkey -algorithm ed25519 -out ca.key +openssl req -x509 -new -key ca.key -out ca.crt -subj "/CN=IF CA" + +# Generate server cert +openssl genpkey -algorithm ed25519 -out server.key +openssl req -new -key server.key -out server.csr -subj "/CN=IF Server" +openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt + +# Generate client cert +openssl genpkey -algorithm ed25519 -out client.key +openssl req -new -key client.key -out client.csr -subj "/CN=IF Client" +openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt diff --git a/src/client/main.cpp b/src/client/main.cpp index 9ae547a..0173b1d 100644 --- a/src/client/main.cpp +++ b/src/client/main.cpp @@ -2,14 +2,18 @@ #include "../common/const.h" #include "../common/global.h" #include "../common/tls.h" + #include #include +#include #include -#include -#include +#include #include #include -SSL_CTX *ctx; +#include +#include + +WOLFSSL_CTX *ctx; int sockfd; int main() { @@ -20,12 +24,18 @@ int main() { // error signal handlers signal(SIGSEGV, safe_exit); + + // Initialize wolfSSL library + wolfSSL_Init(); + ctx = create_context(false); + sockfd = socket(AF_INET, SOCK_STREAM, 0); if (sockfd < 0) { std::cerr << "Socket creation failed: " << strerror(errno) << std::endl; return 1; } + std::cout << "Socket created successfully (fd: " << sockfd << ")" << std::endl; @@ -39,23 +49,25 @@ int main() { return 1; } - SSL *ssl = SSL_new(ctx); - SSL_set_fd(ssl, sockfd); - int result = SSL_connect(ssl); - if (result != 1) { - int ssl_error = SSL_get_error(ssl, result); - std::cerr << "SSL_connect failed with error code: " << ssl_error + WOLFSSL *ssl = wolfSSL_new(ctx); + wolfSSL_set_fd(ssl, sockfd); + + int result = wolfSSL_connect(ssl); + if (result != WOLFSSL_SUCCESS) { + int ssl_error = wolfSSL_get_error(ssl, result); + std::cerr << "wolfSSL_connect failed with error code: " << ssl_error << std::endl; - ERR_print_errors_fp(stderr); return 1; } + std::cout << "SSL connection established successfully" << std::endl; handle_connection(ssl); - SSL_shutdown(ssl); - SSL_free(ssl); + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); close(sockfd); - SSL_CTX_free(ctx); + wolfSSL_CTX_free(ctx); + wolfSSL_Cleanup(); return 0; } diff --git a/src/common/cleanup.cpp b/src/common/cleanup.cpp index e822518..a0fcbd0 100644 --- a/src/common/cleanup.cpp +++ b/src/common/cleanup.cpp @@ -1,7 +1,10 @@ #include "global.h" #include #include -#include +#include +#include +#include + void safe_exit(int code) { switch (code) { case SIGTERM: @@ -16,16 +19,16 @@ void safe_exit(int code) { case SIGHUP: std::cerr << "\nreceived SIGHUP exiting...\n"; break; - case SIGSEGV: std::cerr << "\nreceived SIGSEGV(segmentation fault) exiting...\nIf this " "repeats please report it as a bug\n"; break; - default: break; } - SSL_CTX_free(ctx); + + wolfSSL_CTX_free(ctx); + wolfSSL_Cleanup(); close(sockfd); exit(code); -} \ No newline at end of file +} diff --git a/src/common/global.h b/src/common/global.h index 37cb822..163f27f 100644 --- a/src/common/global.h +++ b/src/common/global.h @@ -1,6 +1,8 @@ -#include + #ifndef _IF_GLOBAL_HG_ #define _IF_GLOBAL_HG_ -extern SSL_CTX *ctx; +#include +#include +extern WOLFSSL_CTX *ctx; extern int sockfd; #endif \ No newline at end of file diff --git a/src/common/tls.cpp b/src/common/tls.cpp index 0116125..d92674c 100644 --- a/src/common/tls.cpp +++ b/src/common/tls.cpp @@ -1,59 +1,75 @@ #include "const.h" #include -#include -#include #include #include +#include +#include -SSL_CTX *create_context(bool is_server) { - const SSL_METHOD *method = - is_server ? TLS_server_method() : TLS_client_method(); - SSL_CTX *ctx = SSL_CTX_new(method); - SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); +WOLFSSL_CTX *create_context(bool is_server) { + WOLFSSL_METHOD *method = + is_server ? wolfTLSv1_3_server_method() : wolfTLSv1_3_client_method(); - if (is_server) { - SSL_CTX_use_certificate_file(ctx, CERTS_DIR "server.crt", SSL_FILETYPE_PEM); - SSL_CTX_use_PrivateKey_file(ctx, CERTS_DIR "server.key", SSL_FILETYPE_PEM); - } else { - SSL_CTX_use_certificate_file(ctx, CERTS_DIR "client.crt", SSL_FILETYPE_PEM); - SSL_CTX_use_PrivateKey_file(ctx, CERTS_DIR "client.key", SSL_FILETYPE_PEM); + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(method); + if (ctx == NULL) { + std::cerr << "Failed to create wolfSSL context" << std::endl; + return nullptr; } - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, nullptr); - SSL_CTX_load_verify_locations(ctx, CERTS_DIR "ca.crt", nullptr); + // Set minimum protocol version to TLS 1.3 + wolfSSL_CTX_set_min_proto_version(ctx, WOLFSSL_TLSV1_3); + + if (is_server) { + if (wolfSSL_CTX_use_certificate_file(ctx, CERTS_DIR "server.crt", + WOLFSSL_FILETYPE_PEM) != + WOLFSSL_SUCCESS) { + std::cerr << "Failed to load server certificate" << std::endl; + wolfSSL_CTX_free(ctx); + return nullptr; + } + + if (wolfSSL_CTX_use_PrivateKey_file(ctx, CERTS_DIR "server.key", + WOLFSSL_FILETYPE_PEM) != + WOLFSSL_SUCCESS) { + unsigned long err = wolfSSL_ERR_get_error(); + char err_buf[256]; + wolfSSL_ERR_error_string(err, err_buf); + std::cerr << "Failed to load server private key" << std::endl; + std::cerr << "Error code: " << err << std::endl; + std::cerr << "Error description: " << err_buf << std::endl; + wolfSSL_CTX_free(ctx); + return nullptr; + } + } else { + if (wolfSSL_CTX_use_certificate_file(ctx, CERTS_DIR "client.crt", + WOLFSSL_FILETYPE_PEM) != + WOLFSSL_SUCCESS) { + std::cerr << "Failed to load client certificate" << std::endl; + } + + if (wolfSSL_CTX_use_PrivateKey_file(ctx, CERTS_DIR "client.key", + WOLFSSL_FILETYPE_PEM) != + WOLFSSL_SUCCESS) { + std::cerr << "Failed to load client private key" << std::endl; + } + } + + // Enable peer verification + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, nullptr); + + if (wolfSSL_CTX_load_verify_locations(ctx, CERTS_DIR "ca.crt", nullptr) != + WOLFSSL_SUCCESS) { + std::cerr << "Failed to load CA certificate" << std::endl; + } return ctx; } -void handle_connection(SSL *ssl) { - +void handle_connection(WOLFSSL *ssl) { char buf[1024]; - std::cout << "Starting connection handler for SSL session" << std::endl; - - std::thread send_thread([ssl]() { - while (true) { - std::string msg; - std::cout << "Enter message: "; - std::getline(std::cin, msg); - - if (msg == "quit") { - std::cout << "Terminating send thread" << std::endl; - break; - } - - int bytes_sent = SSL_write(ssl, msg.c_str(), msg.size()); - if (bytes_sent <= 0) { - int ssl_error = SSL_get_error(ssl, bytes_sent); - std::cerr << "SSL_write failed with error: " << ssl_error << std::endl; - ERR_print_errors_fp(stderr); - break; - } - std::cout << "Sent " << bytes_sent << " bytes to server" << std::endl; - } - }); + std::cout << "Starting connection handler for wolfSSL session" << std::endl; while (true) { - int bytes = SSL_read(ssl, buf, sizeof(buf) - 1); + int bytes = wolfSSL_read(ssl, buf, sizeof(buf) - 1); if (bytes > 0) { buf[bytes] = '\0'; std::cout << "Received " << bytes << " bytes from server: " << buf @@ -62,13 +78,10 @@ void handle_connection(SSL *ssl) { std::cout << "Connection closed by peer" << std::endl; break; } else { - int ssl_error = SSL_get_error(ssl, bytes); - std::cerr << "SSL_read failed with error: " << ssl_error << std::endl; - ERR_print_errors_fp(stderr); + int ssl_error = wolfSSL_get_error(ssl, bytes); + std::cerr << "wolfSSL_read failed with error: " << ssl_error << std::endl; break; } } - std::clog << "joining treads"; - send_thread.join(); std::cout << "Connection handler finished" << std::endl; } diff --git a/src/common/tls.h b/src/common/tls.h index 1e83218..30b559b 100644 --- a/src/common/tls.h +++ b/src/common/tls.h @@ -1,7 +1,7 @@ -#include - #ifndef _IF_TLS_HG_ #define _IF_TLS_HG_ -SSL_CTX *create_context(bool is_server); -void handle_connection(SSL *ssl); +#include +#include +WOLFSSL_CTX *create_context(bool is_server); +void handle_connection(WOLFSSL *ssl); #endif \ No newline at end of file diff --git a/src/server/capture.cpp b/src/server/capture.cpp index 6f41d76..0a79f8b 100644 --- a/src/server/capture.cpp +++ b/src/server/capture.cpp @@ -1,5 +1,7 @@ - +#include "../common/cleanup.h" +#include "../common/const.h" #include +#include #include #include #include @@ -11,10 +13,22 @@ #include #include #include +#include +#include -// this is max size standard Ipv4/6 packet can be +// this is max size standard Ipv4/6 packet can be plus 1 for message type // what in understand in practise it is much lower around 1500 bytes -#define IP_PACKET_BUFFER_SIZE 65536 +#define IP_PACKET_BUFFER_SIZE 65536 + 1 + +void process_incoming_ip_packet(unsigned char *buffer, int packet_size, + WOLFSSL *ssl) { + buffer[0] = IP_PACKET_TYPE; // Set message type + int bytes_sent = wolfSSL_write(ssl, buffer, IP_PACKET_BUFFER_SIZE); + if (bytes_sent <= 0) { + int ssl_error = wolfSSL_get_error(ssl, bytes_sent); + std::cerr << "wolfSSL_write failed with error: " << ssl_error << std::endl; + } +} int get_interface_index(const char *interface_name) { struct ifaddrs *ifaddr, *ifa; @@ -38,7 +52,7 @@ int get_interface_index(const char *interface_name) { return interface_index; } -int listen_for_ip_packets(const std::string interface_name) { +int listen_for_ip_packets(const std::string interface_name, WOLFSSL *ssl) { int raw_ip_scoketfd; unsigned char buffer[IP_PACKET_BUFFER_SIZE]; @@ -50,7 +64,7 @@ int listen_for_ip_packets(const std::string interface_name) { if (raw_ip_scoketfd < 0) { perror("Failed to create raw socket"); std::cerr << "Make sure you're running as root!" << std::endl; - return 1; + safe_exit(EACCES); } // Get interface index @@ -78,8 +92,10 @@ int listen_for_ip_packets(const std::string interface_name) { // Main packet capture loop while (true) { - int packet_size = recvfrom(raw_ip_scoketfd, buffer, IP_PACKET_BUFFER_SIZE, - 0, (struct sockaddr *)&saddr, &saddr_len); + // read and leave first byte for message type + int packet_size = + recvfrom(raw_ip_scoketfd, buffer + 1, IP_PACKET_BUFFER_SIZE - 1, 0, + (struct sockaddr *)&saddr, &saddr_len); if (packet_size < 0) { perror("Error receiving packet"); @@ -88,7 +104,7 @@ int listen_for_ip_packets(const std::string interface_name) { // Only process IP packets (skip non-IP traffic) if (packet_size >= sizeof(struct ethhdr) + sizeof(struct iphdr)) { - process_packet(buffer, packet_size); + process_incoming_ip_packet(buffer, packet_size, ssl); } } diff --git a/src/server/capture.h b/src/server/capture.h new file mode 100644 index 0000000..50bbe26 --- /dev/null +++ b/src/server/capture.h @@ -0,0 +1,8 @@ +#ifndef CAPTURE_H +#define CAPTURE_H +#include +#include +#include +int listen_for_ip_packets(const std::string interface_name, WOLFSSL *ssl); + +#endif \ No newline at end of file diff --git a/src/server/main.cpp b/src/server/main.cpp index b26f66a..c95ad34 100644 --- a/src/server/main.cpp +++ b/src/server/main.cpp @@ -2,14 +2,17 @@ #include "../common/const.h" #include "../common/global.h" #include "../common/tls.h" -#include + #include +#include #include -#include -#include +#include #include #include -SSL_CTX *ctx; +#include +#include + +WOLFSSL_CTX *ctx; int sockfd; int main() { @@ -21,12 +24,17 @@ int main() { // error signal handlers signal(SIGSEGV, safe_exit); + // Initialize wolfSSL library + wolfSSL_Init(); + ctx = create_context(true); + sockfd = socket(AF_INET, SOCK_STREAM, 0); if (sockfd < 0) { std::cerr << "Socket creation failed: " << strerror(errno) << std::endl; return 1; } + std::cout << "Socket created successfully (fd: " << sockfd << ")" << std::endl; @@ -39,25 +47,33 @@ int main() { std::cerr << "Bind failed: " << strerror(errno) << std::endl; return 1; } - listen(sockfd, 5); + + listen(sockfd, 1); while (true) { sockaddr_in client_addr{}; socklen_t len = sizeof(client_addr); int client_fd = accept(sockfd, (sockaddr *)&client_addr, &len); - SSL *ssl = SSL_new(ctx); - SSL_set_fd(ssl, client_fd); - SSL_accept(ssl); + WOLFSSL *ssl = wolfSSL_new(ctx); + wolfSSL_set_fd(ssl, client_fd); + + if (wolfSSL_accept(ssl) != WOLFSSL_SUCCESS) { + std::cerr << "wolfSSL_accept failed" << std::endl; + wolfSSL_free(ssl); + close(client_fd); + continue; + } handle_connection(ssl); - SSL_shutdown(ssl); - SSL_free(ssl); + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); close(client_fd); } - SSL_CTX_free(ctx); + wolfSSL_CTX_free(ctx); + wolfSSL_Cleanup(); close(sockfd); return 0; }