Angels (OpenSSL) and D(a)emons
Athula Balachandran
Wolfgang Richter

PJ1 Final Submission
●

SSL server-side implementation

●

CGI

●

Daemonize

SSL – Stuff you already know!
●

●

Standard behind secure communication on the
Internet.
Data encrypted before it leaves your computer
and decrypted only at the computer.

●

Hope is it is impossible to crack and eavesdrop!

●

Can be used with HTTP, POP3, Telnet etc.

OpenSSL
●

Can do a lot more than SSL
●

Message digests

●

Encryption and decryption of files

●

Digital certificates

●

Digital signatures

●

Random number generation

Setup domain name
●

●

Create a DNS hostname for yourself with a free
account at DynDNS (or already have a domain
name...)
Don't buy anything, they offer free subdomains
and scripts/programs to
auto-update the DNS mapping for you.

Set up CA and get certificate
●

●

Add the 15-441 Carnegie Mellon University
Root CA to your browser (import certificate,
usually somewhere in preferences)
Obtain your own private key and public
certificate from the 15-441 CMU CA.

Implementation
●
●

Use the OpenSSL library, here is a link to their documentation.
Create a second server socket in addition to the first one, use the passed in SSL
port from the commandline arguments.

●

Add this socket to the select() loop just like your normal HTTP server socket.

●

Whenever you accept connections, wrap them with the SSL wrapping functions.

●

●

●

●

Use the special read() and write() SSL functions to read and write to these
special connected clients
In the select() loop, you need to know if a socket you are dealing with is SSL
wrapped or not
Use appropriate IO depending on the 'type' of socket---although use select() for
all fd's
Use your private key and certificate file that you obtained earlier.

Open SSL headers
/* OpenSSL headers */
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

Global Initilization
●

SSL_library_init()
●

●

registers the available SSL/TLS ciphers and
digests.

SSL_load_error_strings()
●

Provide readable error messages.

SSL_METHOD
●

To describe protocol versions

●

SSLv1, SSLv2 and TLSv1
SSL_METHOD* meth = TLSv1_method();

SSL_CTX
●

Context object

●

Store context information (keying material)

●

Reused for all connections
SSL_CTX* ctx = SSL_CTX_new(meth);

SSL_CTX_use_certificate_file()
●
●

Loads the first certificate stored in file into ctx.
The formatting type of the certificate must be
specified from the known types
●

SSL_FILETYPE_PEM

●

SSL_FILETYPE_ASN1.

●

Our CA generates files of PEM format

int SSL_CTX_use_certificate_file(SSL_CTX *ctx,
const char *file, int type);

SSL_CTX_use_PrivateKey_file()
●

●

Adds the first private key found in file to ctx.
The formatting type of the certificate must be
specified from the known types:
●

SSL_FILETYPE_PEM

●

SSL_FILETYPE_ASN1.

●

Our CA generates files of PEM format

int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const
char *file, int type);

Initialization Steps
●

●

●

Global System Initialize
●

SSL_library_init()

●

SSL_load_error_strings()

Initialize SSL_METHOD and SSL_CTX
●

meth=SSLv23_method();

●

ctx=SSL_CTX_new(meth);

Loading keys
●

SSL_CTX_use_certificate_file(...)

●

SSL_CTX_use_PrivateKey_file(...)

SSL_new()
●

Creates a new SSL structure

●

Inherits the settings of the underlying context.
SSL* ssl = SSL_new(ctx);

SSL_set_fd()
●

Connect the SSL object with a file descriptor
int SSL_set_fd(SSL *ssl, int fd);

SSL_accept
●

SSL_accept - wait for a TLS/SSL client to
initiate a TLS/SSL handshake
int SSL_accept(SSL *ssl)

SSL_read and SSL_write
●

SSL_read to read bytes from a TLS/SSL connection
int SSL_read(SSL *ssl, void *buf, int num);

●

SSL_write to write bytes to a TLS/SSL connection
int SSL_write(SSL *ssl, const void *buf, int num);

●

NOTE:
●

●

The data are received in records (with a maximum record size of
16kB for SSLv3/TLSv1).
Only when a record has been completely received, it can be
processed (decryption and check of integrity)

SSL_shutdown
●
●

Shuts down an active TLS/SSL connection.
Sends the ``close notify'' shutdown alert to the
peer.
int SSL_shutdown(SSL *ssl);

SSL Wrapping, send and recv data
●

Create new SSL structure using SSL_new()

●

Connect it to the socket using SSL_set_fd()

●

Perform handshake using SSL_accept()

●

●

●

Read and write using SSL_read() and
SSL_write()
Perform shutdown at the end, also need to clear
state and close underlying I/O socket etc.
As always, check for return value and handle
errors appropriately!

BIO - Optional
●
●

●

●

I/O abstraction provided by OpenSSL
Hides the underlying I/O and can set up
connection with any I/O (socket, buffer, ssl etc)
BIOs can be stacked on top of each other using
push and pop!
NOTE: You don't have to necessarily use BIO
for this project! The next few slides describe
creating BIO and working with it.

BIO_new()
●

Returns a new BIO using method type.

●

Check BIO_s_socket(), BIO_f_buffer(), BIO_f_ssl()

●

Check BIO_new_socket()
BIO *

BIO_new(BIO_s_socket());

BIO_set_fd(sbio, sock, BIO_NOCLOSE);

SSL_set_bio()
●

Connects the BIOs rbio and wbio for the read
and write operations of the TLS/SSL
(encrypted) side of ssl
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio)

Example of Stacking BIOs
buf_io = BIO_new(BIO_f_buffer());
/* create a buffer BIO */
ssl_bio = BIO_new(BIO_f_ssl());
/* create an ssl BIO */
BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
/* assign the ssl BIO to SSL */
BIO_push(buf_io, ssl_bio);

BIO_read() and BIO_write()
●

Attempts to read len bytes from BIO b and
places the data in buf.
int BIO_read(BIO *b, void *buf, int len);

●

Attempts to write len bytes from buf to BIO b.
int BIO_write(BIO *b, const void *buf, int len);

Foreground Processes
and
Background processes (daemons)

How to daemonize?
Orphaning
●

Fork the process to create a copy (child)

●

Let parent exit!

●

The child will become child of init process
–

Start operating in the background

int i, lfp, pid = fork();
if (pid < 0) exit(EXIT_FAILURE); /* fork error */
if (pid > 0) exit(EXIT_SUCCESS); /* parent exits */
/* child (daemon) continues */

How to daemonize?
Process Independency
●

Process inherits parent's controlling tty

●

Server should not receive signals

●

Detach from its controlling tty

●

Operate independently from other processes
setsid() /*obtain a new process group*/

How to daemonize?
Inherited Descriptors and Std I/0 Descriptors
●

Close all open descriptors inherited

●

Standard I/O descriptors (stdin 0, stdout 1, stderr 2)

●

Open and connect to /dev/null
for (i = getdtablesize(); i >= 0; --i) close(i);
/* close all descriptors*/
i = open(“/dev/null”,O_RDWR); /*open stdin */
dup(i)
dup(i)

How to daemonize?
File Creation Mask
●

Servers run as super-user

●

Need to protect the files they create

●

Filecreation mode is 750 (complement of 027)
umask(027);

How to daemonize?
Running directory
●

Server should run in a known directory
chdir(“/servers/”)

How to daemonize?
Mutual Exclusion
●

We want only one copy of the server (file locking)

●

Record pid of the running instance!

●

'cat

lisod.lock'

instead of 'ps

-ef | grep lisod'

lfp = open(lock_file, O_RDWR|O_CREAT|O_EXCL, 0640);
if (lfp < 0)
exit(EXIT_FAILURE); /* can not open */
if (lockf(lfp, F_TLOCK, 0) < 0)
exit(EXIT_SUCCESS); /* can not lock */
/* only first instance continues */
sprintf(str, "%d\n", getpid());
write(lfp, str, strlen(str)); /*record pid to lockfile */

How to daemonize?
Catching signals
●

Process may receive signal from a user or a
process

●

Catch those signals and behave accordingly.

●

Signal_Handler function in the sample code

How to daemonize?
●

Logging
●

Assignment – you need to log to file!

Questions?