diff --git a/CMakeLists.txt b/CMakeLists.txt index e38476b..b7be9cc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -107,7 +107,8 @@ include_directories(${cxxopts_SOURCE_DIR}/include) # export CPATH=/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/ FetchContent_Declare( picohttpparser - GIT_REPOSITORY https://github.com/unum-cloud/picohttpparser.git + #GIT_REPOSITORY https://github.com/unum-cloud/picohttpparser.git + GIT_REPOSITORY https://github.com/MarkReedZ/picohttpparser.git GIT_SHALLOW 1 ) FetchContent_MakeAvailable(picohttpparser) @@ -123,21 +124,6 @@ FetchContent_MakeAvailable(tb64) include_directories(${tb64_SOURCE_DIR}) set(CMAKE_POSITION_INDEPENDENT_CODE ON) -FetchContent_Declare( - mbedtls - GIT_REPOSITORY https://github.com/Mbed-TLS/mbedtls/ - GIT_TAG v3.4.0 - CMAKE_ARGS - -DENABLE_PROGRAMS=OFF - -DENABLE_TESTING=OFF - -DUSE_SHARED_MBEDTLS_LIBRARY=OFF - -DUSE_STATIC_MBEDTLS_LIBRARY=ON -) - -FetchContent_MakeAvailable(mbedtls) -include_directories(${mbedtls_SOURCE_DIR}/include) -set(mbedtls_LIBS mbedtls mbedcrypto mbedx509) - # LibUring if(LINUX) set(URING_DIR ${CMAKE_BINARY_DIR}/_deps/liburing-ep) @@ -168,7 +154,7 @@ find_package(Threads REQUIRED) include_directories(include/ src/) add_library(ucall_server_posix src/engine_posix.cpp) -target_link_libraries(ucall_server_posix simdjson::simdjson Threads::Threads ${mbedtls_LIBS}) +target_link_libraries(ucall_server_posix simdjson::simdjson Threads::Threads ) set(PYTHON_BACKEND ucall_server_posix) add_executable(ucall_example_login_posix examples/login/ucall_server.cpp) diff --git a/src/engine_posix.cpp b/src/engine_posix.cpp index 44360b4..8101722 100644 --- a/src/engine_posix.cpp +++ b/src/engine_posix.cpp @@ -38,13 +38,6 @@ #include // `std::to_chars` #include // `std::chrono` -#include "mbedtls/config.h" -#include -#include -#include -#include -#include - #include "ucall/ucall.h" #include "helpers/log.hpp" 
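Review bot: The new `GIT_REPOSITORY https://github.com/MarkReedZ/picohttpparser.git` in the picohttpparser `FetchContent_Declare` is fetched with `GIT_SHALLOW 1` and no `GIT_TAG`, so every configure pulls whatever that fork's default branch points at on that day and the build is neither reproducible nor verifiable against a reviewed revision of a dependency that parses untrusted HTTP. Pin it to a reviewed commit, e.g. `GIT_TAG <reviewed-commit-sha>` (placeholder for the hash you audited), and drop the commented-out `#GIT_REPOSITORY ...` line, which git history already preserves. Whether the other FetchContent declarations in this file are pinned is outside the hunk.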
@@ -59,80 +52,11 @@ using time_point_t = std::chrono::time_point; static constexpr std::size_t initial_buffer_size_k = ram_page_size_k * 4; -struct ucall_ssl_context_t { - - ~ucall_ssl_context_t() noexcept { - mbedtls_x509_crt_free(&srvcert); - mbedtls_pk_free(&pkey); - mbedtls_ssl_free(&ssl); - mbedtls_ssl_config_free(&conf); - mbedtls_ssl_cache_free(&cache); - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); - } - - int init(const char* pk_path, const char** crts_path, size_t crts_cnt) { - mbedtls_ssl_init(&ssl); - mbedtls_ssl_config_init(&conf); - mbedtls_ssl_cache_init(&cache); - mbedtls_x509_crt_init(&srvcert); - mbedtls_pk_init(&pkey); - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); - int ret = 0; - - // Seed the RNG - if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) - // TODO Use personalization string. Required or Optional ? - return ret; - - // Load Private Key - if ((ret = mbedtls_pk_parse_keyfile(&pkey, pk_path, NULL, NULL, &ctr_drbg)) != 0) - // TODO Use Password. Required or Optional ? - return ret; - - // Load Certificates - for (size_t i = 0; i < crts_cnt; ++i) - if ((ret = mbedtls_x509_crt_parse_file(&srvcert, crts_path[i])) != 0) - // TODO Notify which certificate was invalid ? 
- return ret; - - if ((ret = mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT)) != 0) - return ret; - - mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); - - mbedtls_ssl_conf_session_cache(&conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set); - mbedtls_ssl_conf_renegotiation(&conf, MBEDTLS_SSL_RENEGOTIATION_DISABLED); - - mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL); - if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey)) != 0) - return ret; - - if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) - return ret; - - return 0; - } - - mbedtls_ssl_context ssl{}; - mbedtls_ssl_config conf{}; - mbedtls_pk_context pkey{}; - mbedtls_x509_crt srvcert{}; - mbedtls_entropy_context entropy{}; - mbedtls_ssl_cache_context cache{}; - mbedtls_ctr_drbg_context ctr_drbg{}; -}; - struct engine_t { - ~engine_t() noexcept { delete ssl_ctx; } + ~engine_t() noexcept { } descriptor_t socket{}; - /// @brief Establishes an SSL connection if SSL is enabled, otherwise the `ssl_ctx` is unused and uninitialized. - ucall_ssl_context_t* ssl_ctx = nullptr; - /// @brief The file descriptor of the stateful connection over TCP. descriptor_t connection{}; /// @brief A small memory buffer to store small requests. @@ -169,13 +93,8 @@ void send_message(engine_t& engine, array_gt const& message) noexcept { long idx = 0; long res = 0; - if (engine.ssl_ctx) - while (idx < len && (res = mbedtls_ssl_write(&engine.ssl_ctx->ssl, reinterpret_cast(buf + idx), - (len - idx))) > 0) - idx += res; - else - while (idx < len && (res = send(engine.connection, buf + idx, len - idx, 0)) > 0) - idx += res; + while (idx < len && (res = send(engine.connection, buf + idx, len - idx, 0)) > 0) + idx += res; if (res < 0) { if (errno == EMSGSIZE) 
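Review bot: `~engine_t() noexcept { }` in `engine_t` is now a user-provided empty destructor, which is left-over scaffolding once the `delete ssl_ctx` it used to own is gone, and being user-declared it also suppresses the implicitly generated move operations. Either remove the line or write `~engine_t() noexcept = default;` so the struct follows the Rule of Zero. The remainder of `engine_t` runs past the end of this hunk.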
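Review bot: The plaintext path `send(engine.connection, buf + idx, len - idx, 0)` that now handles every write in `send_message` passes flags `0`, so a peer that closes the connection mid-response raises SIGPIPE in the server process instead of surfacing `EPIPE` on the `res < 0` branch that follows. On Linux the fix is `send(engine.connection, buf + idx, len - idx, MSG_NOSIGNAL)`; the macOS SDK path mentioned in CMakeLists.txt lacks that flag and would need `SO_NOSIGPIPE` on the accepted socket instead. This only matters if the process does not already ignore SIGPIPE elsewhere, which this hunk cannot show; `send_message` starts and its error handling continues outside the hunk.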
@@ -264,29 +183,12 @@ void forward_packet(engine_t& engine) noexcept { return forward_call_or_calls(engine); } -int ssl_send(void* ctx, const unsigned char* buf, size_t len) { - mbedtls_net_context* conn = reinterpret_cast(ctx); - ssize_t ret = send(conn->fd, reinterpret_cast(buf), len, 0); - return ret; -} - -int ssl_recv(void* ctx, unsigned char* buf, size_t len) { - mbedtls_net_context* conn = reinterpret_cast(ctx); - ssize_t ret = recv(conn->fd, reinterpret_cast(buf), len, 0); - return ret; -} - int recv_all(engine_t& engine, char* buf, size_t len) { size_t idx = 0; int res = 0; - if (engine.ssl_ctx) - while (idx < len && - (res = mbedtls_ssl_read(&engine.ssl_ctx->ssl, reinterpret_cast(buf + idx), (len - idx))) > 0) - idx += res; - else - while (idx < len && (res = recv(engine.connection, buf + idx, len - idx, 0)) > 0) - idx += res; + while (idx < len && (res = recv(engine.connection, buf + idx, len - idx, 0)) > 0) + idx += res; return idx; } @@ -320,20 +222,6 @@ void ucall_take_call(ucall_server_t server, uint16_t) { return; } - mbedtls_net_context client_ctx; - - if (engine.ssl_ctx) { - client_ctx.fd = connection_fd; - mbedtls_ssl_set_bio(&engine.ssl_ctx->ssl, &client_ctx, ssl_send, ssl_recv, NULL); - int ret = 0; - while ((ret = mbedtls_ssl_handshake(&engine.ssl_ctx->ssl)) != 0) - if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { - mbedtls_net_free(&client_ctx); - mbedtls_ssl_session_reset(&engine.ssl_ctx->ssl); - return; - } - } - // Wait until we have input. engine.connection = descriptor_t{connection_fd}; engine.stats.added_connections++; 
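Review bot: `recv_all` stores the `ssize_t` result of `recv` in `int res`, returns the `size_t idx` through an `int` return type, and when `recv` fails it returns the partial `idx` with the error discarded, so callers cannot tell a short read from a peer reset or `EAGAIN` and may go on to parse a truncated buffer. Consider `ssize_t res = 0;` and `if (res < 0) return -1;` before `return idx;`, so the caller can drop the connection on failure. This behaviour is inherited from the pre-existing plaintext branch rather than introduced here; the callers are outside the hunk.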
@@ -341,11 +229,7 @@ void ucall_take_call(ucall_server_t server, uint16_t) { char* buffer_ptr = &engine.packet_buffer[0]; size_t bytes_received = 0, bytes_expected = 0; - if (engine.ssl_ctx) - bytes_received = - mbedtls_ssl_read(&engine.ssl_ctx->ssl, reinterpret_cast(buffer_ptr), http_head_max_size_k); - else - bytes_received = recv(engine.connection, buffer_ptr, http_head_max_size_k, 0); + bytes_received = recv(engine.connection, buffer_ptr, http_head_max_size_k, 0); auto json_or_error = split_body_headers(std::string_view(buffer_ptr, bytes_received)); if (auto error_ptr = std::get_if(&json_or_error); error_ptr) @@ -401,14 +285,6 @@ void ucall_take_call(ucall_server_t server, uint16_t) { buffer_ptr = nullptr; } - if (engine.ssl_ctx) { - int ret = 0; - while ((ret = mbedtls_ssl_close_notify(&engine.ssl_ctx->ssl)) < 0) - if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) - break; - - mbedtls_ssl_session_reset(&engine.ssl_ctx->ssl); - } shutdown(connection_fd, SHUT_WR); // If later on some UB is detected for client not recieving full data, // then it may be required to put a `recv` with timeout between `shutdown` and `close` @@ -431,9 +307,6 @@ void ucall_init(ucall_config_t* config_inout, ucall_server_t* server_out) { config.max_callbacks = 128u; if (!config.hostname) config.hostname = "0.0.0.0"; - if (config.use_ssl && - !(config.ssl_private_key_path || config.ssl_certificates_paths || config.ssl_certificates_count)) - return; // Some limitations are hard-coded for this non-concurrent implementation config.max_threads = 1u; @@ -447,7 +320,6 @@ void ucall_init(ucall_config_t* config_inout, ucall_server_t* server_out) { engine_t* server_ptr = nullptr; array_gt buffer; array_gt embedded_callbacks; - ucall_ssl_context_t* ssl_context = nullptr; sjd::parser parser; // By default, let's open TCP port for IPv4. 
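Review bot: `bytes_received = recv(engine.connection, buffer_ptr, http_head_max_size_k, 0);` in `ucall_take_call` assigns a `ssize_t` to the `size_t bytes_received`, so a failed `recv` (-1) becomes `SIZE_MAX` and the very next line hands `split_body_headers` a `std::string_view(buffer_ptr, bytes_received)` reaching far beyond `packet_buffer`, an out-of-bounds read triggered whenever the peer resets the connection before sending anything; a zero-length read (orderly close) likewise proceeds into parsing. Read into a signed local and bail out first: `ssize_t n = recv(engine.connection, buffer_ptr, http_head_max_size_k, 0);` then `if (n <= 0) { /* close connection_fd, reset engine.connection, return */ }` and `bytes_received = static_cast<size_t>(n);`. Whether a suitable cleanup path for a rejected connection already exists in `ucall_take_call` is outside this hunk.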
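Review bot: With the `config.use_ssl` validation removed from `ucall_init` and no TLS code path left in this file, a caller that sets `use_ssl = true` (together with the key and certificate paths this block used to check) now gets a plaintext listener with no error, a silent downgrade rather than a refused configuration. Until TLS is reintroduced, refuse it explicitly, e.g. `if (config.use_ssl) return; // TLS is not supported by this backend`, so the call fails as the removed check did, and document the limitation on the `use_ssl` field in `ucall/ucall.h`. I am assuming those fields are still present in the public config struct, since the header is not part of this diff; the rest of `ucall_init` lies outside the hunk.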
@@ -475,12 +347,6 @@ void ucall_init(ucall_config_t* config_inout, ucall_server_t* server_out) { goto cleanup; if (listen(socket_descriptor, config.queue_depth) < 0) goto cleanup; - if (config.use_ssl) { - ssl_context = new ucall_ssl_context_t(); - if (ssl_context->init(config.ssl_private_key_path, config.ssl_certificates_paths, - config.ssl_certificates_count) != 0) - goto cleanup; - } if (parser.allocate(ram_page_size_k, ram_page_size_k / 2) != sj::SUCCESS) goto cleanup; @@ -493,7 +359,6 @@ void ucall_init(ucall_config_t* config_inout, ucall_server_t* server_out) { server_ptr->logs_file_descriptor = config.logs_file_descriptor; server_ptr->logs_format = config.logs_format ? std::string_view(config.logs_format) : std::string_view(); server_ptr->log_last_time = time_clock_t::now(); - server_ptr->ssl_ctx = ssl_context; *server_out = (ucall_server_t)server_ptr; return; @@ -503,7 +368,6 @@ void ucall_init(ucall_config_t* config_inout, ucall_server_t* server_out) { close(socket_descriptor); std::free(server_ptr); *server_out = nullptr; - delete ssl_context; } void ucall_add_procedure(ucall_server_t server, ucall_str_t name, ucall_callback_t callback, @@ -705,4 +569,4 @@ bool ucall_param_positional_str(ucall_call_t call, size_t position, ucall_str_t* return true; } else return false; -} \ No newline at end of file +}