Add Botan, TLS stream and Secure HTTP server

Author: fwsGonzo

CMakeLists.txt

@@ -89,6 +89,10 @@ set(CMAKE_C_FLAGS "-target i686 -MMD ${CAPABS} ${WARNS} -nostdlib -nostdlibinc -
 option(from_bundle "Download and use pre-compiled libraries for cross-comilation" ON)
 include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/cross_compiled_libraries.txt)
 
+# Botan Crypto & TLS
+# Note: Include order matters!
+include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/botan.cmake)
+
 #
 # Subprojects
 #
@@ -120,9 +124,6 @@ if(diskbuilder)
   )
 endif(diskbuilder)
 
-# Botan Crypto & TLS
-include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/botan.cmake)
-
 option(examples "Build example unikernels in /examples" OFF)
 if(examples)
 	add_subdirectory(examples)

api/https

@@ -0,0 +1,27 @@
+// -*- C++ -*-
+// This file is a part of the IncludeOS unikernel - www.includeos.org
+//
+// Copyright 2015-2016 Oslo and Akershus University College of Applied Sciences
+// and Alfred Bratterud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+#ifndef API_HTTPS_HEADER
+#define API_HTTPS_HEADER
+
+#include "net/http/response.hpp"
+#include "net/http/request.hpp"
+#include "net/http/secure_server.hpp"
+
+#endif

api/memdisk

@@ -25,7 +25,15 @@
 
 namespace fs
 {
+  // new singleton interface for the memdisk
+  inline Disk& memdisk()
+  {
+    static MemDisk device;
+    static Disk    disk {device};
+    return disk;
+  }
   // new_shared_memdisk() very likely contains FAT
+  // Note: deprecated!
   inline Disk_ptr new_shared_memdisk()
   {
     static MemDisk device;

api/net/http/secure_server.hpp

@@ -0,0 +1,72 @@
+// This file is a part of the IncludeOS unikernel - www.includeos.org
+//
+// Copyright 2016-2017 Oslo and Akershus University College of Applied Sciences
+// and Alfred Bratterud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+#ifndef NET_HTTP_SECURE_SERVER_HPP
+#define NET_HTTP_SECURE_SERVER_HPP
+
+#include <net/http/server.hpp>
+#include <fs/dirent.hpp>
+#include <net/tls/server.hpp>
+
+namespace http {
+
+class Secure_server : public http::Server
+{
+public:
+  Secure_server(
+      fs::Dirent& ca_key,
+      fs::Dirent& ca_cert,
+      fs::Dirent& server_key,
+      TCP& tcp,
+      Request_handler cb
+    );
+
+  Secure_server(
+      Botan::Credentials_Manager*   in_credman,
+      Botan::RandomNumberGenerator& in_rng,
+      TCP& tcp,
+      Request_handler cb)
+    : http::Server(tcp, cb), rng(in_rng), credman(in_credman)
+  {
+    on_connect = {this, &Secure_server::secure_connect};
+  }
+
+  void secure_connect(TCP_conn conn)
+  {
+    auto* ptr = new net::tls::Server(conn, rng, *credman);
+
+    ptr->on_connect(
+    [this, ptr] (net::Stream&)
+    {
+      // create and pass TLS socket
+      Server::connect(std::unique_ptr<net::tls::Server>(ptr));
+    });
+    ptr->on_close([ptr] {
+      printf("Secure_HTTP::on_close on %s\n", ptr->to_string().c_str());
+      delete ptr;
+    });
+  }
+
+private:
+  Botan::RandomNumberGenerator& rng;
+  std::unique_ptr<Botan::Credentials_Manager> credman;
+};
+
+} // http
+
+#endif

api/net/http/server.hpp

@@ -90,7 +90,11 @@ namespace http {
      */
     Response_ptr create_response(status_t code = http::OK) const;
 
-    ~Server();
+    virtual ~Server();
+
+  protected:
+    delegate<void(TCP_conn)> on_connect;
+    void connect(Connection::Stream_ptr stream);
 
   private:
     friend class Server_connection;
@@ -109,10 +113,9 @@ namespace http {
     Stat& stat_req_bad_;
     Stat& stat_timeouts_;
 
-    void connect(TCP_conn conn)
-    { connect(std::make_unique<Connection::Stream>(conn)); }
-
-    void connect(Connection::Stream_ptr stream);
+    void connected(TCP_conn conn) {
+      connect(std::make_unique<Connection::Stream>(conn));
+    }
 
     void close(Server_connection&);
 

api/net/tls/credman.hpp

@@ -0,0 +1,148 @@
+// This file is a part of the IncludeOS unikernel - www.includeos.org
+//
+// Copyright 2015-2017 Oslo and Akershus University College of Applied Sciences
+// and Alfred Bratterud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+#ifndef NET_TLS_CREDMAN_HPP
+#define NET_TLS_CREDMAN_HPP
+
+#include <botan/credentials_manager.h>
+#include <botan/pk_algs.h>
+#include <botan/rng.h>
+#include <botan/x509cert.h>
+#include <botan/x509_ca.h>
+//#include <botan/x509path.h>
+#include <botan/x509self.h>
+#include <memory>
+
+namespace net
+{
+typedef std::chrono::duration<int, std::ratio<31556926>> years;
+
+class Credman : public Botan::Credentials_Manager
+{
+public:
+  Credman(const Botan::X509_Certificate server_cert,
+          const Botan::X509_Certificate ca_cert,
+          std::unique_ptr<Botan::Private_Key> server_key) :
+          m_server_cert(std::move(server_cert)),
+          m_ca_cert(std::move(ca_cert)),
+          m_server_key(std::move(server_key))
+  {
+    std::unique_ptr<Botan::Certificate_Store> store(new Botan::Certificate_Store_In_Memory(m_ca_cert));
+    m_stores.push_back(std::move(store));
+    m_provides_client_certs = false;
+  }
+
+  std::vector<Botan::Certificate_Store*>
+  trusted_certificate_authorities(const std::string&,
+          const std::string&) override
+  {
+    std::vector<Botan::Certificate_Store*> v;
+    for (auto&& store : m_stores)
+        v.push_back(store.get());
+    return v;
+  }
+
+  std::vector<Botan::X509_Certificate> cert_chain(
+              const std::vector<std::string>& cert_key_types,
+              const std::string& type,
+              const std::string&) override
+  {
+    std::vector<Botan::X509_Certificate> chain;
+
+    if (type == "tls-server" || (type == "tls-client" && m_provides_client_certs))
+    {
+      bool have_match = false;
+      for (size_t i = 0; i != cert_key_types.size(); ++i)
+          if(cert_key_types[i] == m_server_key->algo_name())
+              have_match = true;
+
+      if(have_match)
+      {
+        chain.push_back(m_server_cert);
+        chain.push_back(m_ca_cert);
+      }
+    }
+    return chain;
+  }
+
+  Botan::Private_Key* private_key_for(const Botan::X509_Certificate&,
+              const std::string&,
+              const std::string&) override
+  {
+    return m_server_key.get();
+  }
+
+  Botan::SymmetricKey psk(const std::string&,
+        const std::string&,
+        const std::string&) override
+  {
+    //if (type == "tls-server" && context == "session-ticket")
+    //  return Botan::SymmetricKey("AABBCCDDEEFF012345678012345678");
+
+    return Botan::SymmetricKey("20B602D1475F2DF888FCB60D2AE03AFD"); // PSK key
+  }
+
+  static Credman* create(
+        Botan::RandomNumberGenerator&  rng,
+        std::unique_ptr<Botan::Private_Key> ca_key,
+        Botan::X509_Certificate ca_cert,
+        std::unique_ptr<Botan::Private_Key> server_key);
+
+public:
+  Botan::X509_Certificate             m_server_cert, m_ca_cert;
+  std::unique_ptr<Botan::Private_Key> m_server_key;
+  std::vector<std::unique_ptr<Botan::Certificate_Store>> m_stores;
+  bool m_provides_client_certs;
+};
+
+/**
+ * 3. create private key 2 <server>
+ * 4. create certificate request <req> with private key 2
+ * 5. create CA with <CA> key and <CA> cert
+ * 6, create certificate <server> by signing <req>
+ * 
+**/
+inline Credman* Credman::create(
+        Botan::RandomNumberGenerator&  rng,
+        std::unique_ptr<Botan::Private_Key> ca_key,
+        Botan::X509_Certificate ca_cert,
+        std::unique_ptr<Botan::Private_Key> server_key)
+{
+  Botan::X509_CA ca(ca_cert, *ca_key, "SHA-256", rng);
+
+  // create server certificate from CA
+  auto now = std::chrono::system_clock::now();
+  Botan::X509_Time start_time(now);
+  Botan::X509_Time end_time(now + years(1));
+
+  // create certificate request
+  Botan::X509_Cert_Options server_opts;
+  server_opts.common_name = "server.example.com";
+  server_opts.country = "VT";
+
+  auto req = Botan::X509::create_cert_req(server_opts, *server_key, "SHA-256", rng);
+
+  auto server_cert = ca.sign_request(req, rng, start_time, end_time);
+
+  // create credentials manager
+  return new Credman(server_cert, ca_cert, std::move(server_key));
+}
+
+} // net
+
+#endif