Skip to content

Commit

Permalink
Merge 707e6b1 into d18e2d7
Browse files Browse the repository at this point in the history
  • Loading branch information
@mdavidsaver
mdavidsaver authored Jun 25, 2024
2 parents d18e2d7 + 707e6b1 commit d451688
Show file tree
Hide file tree
Showing 51 changed files with 2,669 additions and 271 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/ci-scripts-build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -151,8 +151,10 @@ jobs:
- name: "apt-get install"
run: |
sudo apt-get update
sudo apt-get -y install g++-mingw-w64-x86-64 cmake gdb qemu-system-x86
sudo apt-get -y install g++-mingw-w64-x86-64 cmake gdb qemu-system-x86 libssl-dev
if: runner.os == 'Linux'
- name: Host Info
run: openssl version -a
- name: Automatic core dumper analysis
uses: mdavidsaver/ci-core-dumper@master
- name: Prepare and compile dependencies
Expand Down
1 change: 1 addition & 0 deletions MANIFEST.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ include LICENSE
include README.md

include configure/CONFIG_PVXS_VERSION
include configure/probe-openssl.c
include src/*.h
include src/*.h@
include src/*.cpp
Expand Down
5 changes: 4 additions & 1 deletion Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,11 @@ include $(TOP)/configure/CONFIG
# Directories to build, any order
DIRS += configure

DIRS += setup
setup_DEPEND_DIRS = configure

DIRS += src
src_DEPEND_DIRS = configure
src_DEPEND_DIRS = setup

DIRS += tools
tools_DEPEND_DIRS = src
Expand Down
3 changes: 2 additions & 1 deletion bundle/Makefile
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
TOP=..

_PVXS_BOOTSTRAP = YES

include $(TOP)/configure/CONFIG

CMAKE ?= cmake
Expand All @@ -21,7 +23,6 @@ LIBEVENT_$(T_A) = $(INSTALL_LOCATION)/bundle/usr/$(T_A)
CMAKEFLAGS += -DCMAKE_INSTALL_PREFIX:PATH="$(abspath $(LIBEVENT_$(T_A)))"

# not needed, and may not be available on embedded targets, so never try
CMAKEFLAGS += -DEVENT__DISABLE_OPENSSL=ON
CMAKEFLAGS += -DEVENT__DISABLE_MBEDTLS=ON

# not run, so why bother?
Expand Down
2 changes: 1 addition & 1 deletion bundle/libevent
Submodule libevent updated 73 files
+15 −0 .exrc
+105 −242 .github/workflows/build.yml
+1 −0 .github/workflows/cifuzz.yml
+19 −10 .github/workflows/master.yml
+55 −0 .github/workflows/scorecard.yml
+6 −1 .gitignore
+117 −74 CMakeLists.txt
+151 −0 CONTRIBUTORS.md
+319 −2 ChangeLog
+1 −1 ChangeLog-2.1
+45 −42 Documentation/Building.md
+1 −1 Makefile.am
+35 −31 README.md
+11 −0 SECURITY.md
+2 −11 arc4random.c
+19 −2 buffer.c
+3 −2 bufferevent_mbedtls.c
+10 −2 bufferevent_openssl.c
+48 −19 bufferevent_ssl.c
+11 −23 cmake/AddEventLibrary.cmake
+11 −9 cmake/FindMbedTLS.cmake
+29 −75 cmake/LibeventConfig.cmake.in
+2 −2 cmake/UseDoxygen.cmake
+1 −1 cmake/VersionViaGit.cmake
+21 −12 configure.ac
+20 −18 evdns.c
+21 −17 event.c
+3 −1 event_iocp.c
+2 −2 evthread.c
+7 −4 evthread_win32.c
+37 −7 evutil.c
+3 −3 evutil_rand.c
+43 −5 extra/release/changelog.py
+1 −0 extra/tsan.supp
+7 −8 http.c
+22 −3 include/event2/dns.h
+4 −2 include/event2/event.h
+10 −1 include/event2/listener.h
+19 −2 include/event2/util.h
+8 −0 include/event2/ws.h
+1 −4 libevent_core.pc.in
+2 −4 libevent_extra.pc.in
+3 −5 libevent_mbedtls.pc.in
+4 −5 libevent_openssl.pc.in
+3 −5 libevent_pthreads.pc.in
+12 −4 listener.c
+9 −6 m4/libevent_mbedtls.m4
+10 −10 m4/libevent_openssl.m4
+5 −5 sample/becat.c
+2 −0 sample/http-server.c
+4 −0 sample/ws-chat-server.c
+0 −2 sha1.c
+2 −2 signalfd.c
+1 −1 ssl-compat.h
+1 −5 strlcpy.c
+2 −1 test-export/CMakeLists.txt
+16 −18 test-export/test-export.py
+3 −0 test/include.am
+93 −92 test/regress.c
+3 −2 test/regress.h
+0 −5 test/regress_buffer.c
+11 −27 test/regress_bufferevent.c
+128 −15 test/regress_dns.c
+6 −1 test/regress_http.c
+3 −2 test/regress_main.c
+127 −0 test/regress_timer_timeout.c
+15 −6 test/regress_util.c
+5 −0 test/regress_ws.c
+9 −2 test/test.sh
+2 −2 test/tinytest.c
+8 −2 util-internal.h
+16 −19 wepoll.c
+416 −96 whatsnew-2.2.txt
1 change: 1 addition & 0 deletions configure/CONFIG
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,6 @@ include $(TOP)/configure/CONFIG_SITE
ifdef T_A
-include $(TOP)/configure/CONFIG_SITE.Common.$(T_A)
-include $(TOP)/configure/CONFIG_SITE.$(EPICS_HOST_ARCH).$(T_A)
-include $(TOP)/configure/O.$(T_A)/TOOLCHAIN
endif

41 changes: 0 additions & 41 deletions configure/CONFIG_PVXS_MODULE
View file

This file was deleted.

33 changes: 26 additions & 7 deletions configure/Makefile
View file
Original file line number Diff line number Diff line change
@@ -1,22 +1,41 @@
TOP=..

# step 1. Use -I... to test event-config.h
# produce configure/O.$(T_A)/TOOLCHAIN
# step 2 in setup/Makefile
_PVXS_BOOTSTRAP = YES

include $(TOP)/configure/CONFIG

# use custom libevent2 install prefix by:
# setting LIBEVENT only for single arch build
# setting LIBEVENT_$(T_A) for each arch
# leave unset to use implicit system search path
# NOTE: only needed if not present in default search paths
LIBEVENT ?= $(LIBEVENT_$(T_A))
LIBEVENT_$(T_A) ?= $(wildcard $(abspath $(TOP)/bundle/usr/$(T_A)))

INCLUDES += $(if $(LIBEVENT),-I$(LIBEVENT)/include)

# use libssl in non-default location. (eg. OSX w/ brew)
OPENSSL ?= $(OPENSSL_$(T_A))
OPENSSL_$(T_A) ?=

INCLUDES += $(if $(OPENSSL),-I$(OPENSSL)/include)

TARGETS = $(CONFIG_TARGETS)
CONFIGS += $(subst ../,,$(wildcard $(CONFIG_INSTALLS)))

CFG += CONFIG_PVXS_VERSION
CFG += CONFIG_PVXS_MODULE
CFG += RULES_PVXS_MODULE

include $(TOP)/configure/RULES

ifdef T_A
install: $(TOP)/configure/CONFIG_SITE.Common.$(T_A)

$(TOP)/configure/CONFIG_SITE.Common.$(T_A): toolchain.c
$(PREPROCESS.cpp)
install: TOOLCHAIN

CLEANS += ../CONFIG_SITE.Common.$(T_A)
TOOLCHAIN: toolchain.c
$(CPP) $(CPPFLAGS) $(INCLUDES) ../toolchain.c > $@.tmp
$(CPP) $(CPPFLAGS) $(INCLUDES) ../probe-openssl.c > probe-openssl.out && echo "EVENT2_HAS_OPENSSL = YES" >> $@.tmp || echo "No OpenSSL"
$(MV) $@.tmp $@

endif
17 changes: 17 additions & 0 deletions configure/probe-openssl.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@

#include <openssl/opensslv.h>

#ifndef OPENSSL_VERSION_NUMBER
# error Some antique OpenSSL version?
#endif
#if OPENSSL_VERSION_NUMBER < 0x30000000
# error Minimum OpenSSL 3.0
#endif

#include <event2/event-config.h>

#ifndef EVENT__HAVE_OPENSSL
# error libevent not built with OpenSSL support
#endif

#include <event2/bufferevent_ssl.h>
2 changes: 1 addition & 1 deletion configure/toolchain.c
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#ifdef _COMMENT_
/* Compiler inspection
*
* expanded as configure/CONFIG_SITE.Common.*
* expanded as configure/O.*/TOOLCHAIN
*/
/* GCC preprocessor drops C comments from output.
* MSVC preprocessor emits C comments in output
Expand Down
102 changes: 102 additions & 0 deletions documentation/pkcs12.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
# PKCS#12 files in brief

The following is based on a reading of [RFC7292](https://datatracker.ietf.org/doc/html/rfc7292) as of July 2014.
Also on observation of OpenSSL circa 3.1 and keytool circa Java 17.

End users do not need to know this.

## File Structure

Each `PKCS#12` file contains a list of `AuthenticatedSafe` entries (aka. "Safes").

```
PKCS#12 file
AuthenticatedSafe (unencrypted)
...
AuthenticatedSafe (password encrypted)
...
AuthenticatedSafe (public key encrypted)
```

Each Safe may be: unencrypted, encrypted with a password, or encrypted with a public key.

Each Safe contains a list of `SafeBag` entries (aka. "Bags").

```
PKCS#12 file
AuthenticatedSafe
*Bag
attributes...
value
```

Each Bag has an a list of "Attributes" and a "value".

RFC7292 defines two attributes `friendlyName` and `localKeyId`.
Additionally, Java defines another `oracle-jdk-trustedkeyusage` or `ORACLE_TrustedKeyUsage`.

```
PKCS#12 file
AuthenticatedSafe
keyBag (unencrypted private key)
pkcs8ShroudedKeyBag (encrypted private key)
certBag (certificate, usually X509)
crlBag (certificate revocation list, usually X509CRL)
secretBag (arbitrary encrypted bytes)
safeContentsBag
... recursive list of Bags
```

RFC7292 defines 6 types of Bag, and leaves open the possibility of more.


## Bag Attributes

`friendlyName` is a string labeling a Bag.
Java keytool uses these (via. `-alias`) to distinguish multiple private keys within one file.
OpenSSL ignores them, and gets confused if multiple private keys are present.

`localKeyId` is meant to identifies pairs of private key and certificate.

`oracle-jdk-trustedkeyusage` has the same value as the X509 `extendedKeyUsage` extension.

Released version of OpenSSL as of 3.1 circa Aug. 2023 [do not understand](https://github.com/openssl/openssl/issues/6684) `oracle-jdk-trustedkeyusage`.
This is feature [planned for 3.2](https://github.com/openssl/openssl/pull/19025).

TODO: keytool has been observed setting this to "6". OpenSSL 3.2 set `anyExtendedKeyUsage`, aka. 1.

## File Structure as Observed

The structures of files created by `openssl pkcs12` and `keytool` are almost identical.

For example, a file with a certificate/key pair, and an associated CA certificate is structured like:

```
PKCS#12
AuthenticatedSafe (unencrypted)
pkcs8ShroudedKeyBag
attributes
friendlyName = "my:cert:name" (Java only)
localKeyId = ... (value will match the associated keyBag or pkcs8ShroudedKeyBag
value = private key...
AuthenticatedSafe (encrypted)
certBag
attributes
friendlyName = "my:cert:name" (Java only)
localKeyId = ... (value will match the associated certBag
value = X509 certificate
certBag
attributes
friendlyName = "my:ca" (Java only)
oracle-jdk-trustedkeyusage = ... (Java only)
value = X509 certificate
```

Notes...

This structure leaves the friendlyName (aka `-alias`) and localKeyId associated with a private key unencrypted in all cases.

Java keytool has been observed (after an `-importcert`) to put almost two certBag entries with the same certificate.
One with the friendlyName from `-alias` and `oracle-jdk-trustedkeyusage` set,
and a second with friendlyName set to the distinguishing name (eg. `CN=foo,O=bar`) and no `oracle-jdk-trustedkeyusage`.
keytool seems to ignore any entries without `oracle-jdk-trustedkeyusage`, but OpenSSL reads them.
5 changes: 2 additions & 3 deletions example/Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ TOP=..
include $(TOP)/configure/CONFIG
# cfg/ sometimes isn't correctly included due to a Base bug
# so we do here (maybe again) as workaround
include $(TOP)/configure/CONFIG_PVXS_MODULE
include $(TOP)/configure/CONFIG_PVXS_VERSION
-include $(wildcard $(TOP)/cfg/CONFIG*))
#----------------------------------------
# ADD MACRO DEFINITIONS AFTER THIS LINE
#=============================
Expand Down Expand Up @@ -35,7 +34,7 @@ rpc_client_SRCS += rpc_client.cpp
#===========================

include $(TOP)/configure/RULES
include $(TOP)/configure/RULES_PVXS_MODULE
-include $(wildcard $(TOP)/cfg/RULES*))
#----------------------------------------
# ADD RULES AFTER THIS LINE

5 changes: 2 additions & 3 deletions ioc/Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,7 @@ TOP=..
include $(TOP)/configure/CONFIG
# cfg/ sometimes isn't correctly included due to an issue in epics-base
# so we do here (maybe again) as workaround
include $(TOP)/configure/CONFIG_PVXS_MODULE
include $(TOP)/configure/CONFIG_PVXS_VERSION
-include $(wildcard $(TOP)/cfg/CONFIG*))
#----------------------------------------
# ADD MACRO DEFINITIONS AFTER THIS LINE
#=============================
Expand Down Expand Up @@ -85,7 +84,7 @@ LIB_LIBS += $(EPICS_BASE_IOC_LIBS)
#===========================

include $(TOP)/configure/RULES
include $(TOP)/configure/RULES_PVXS_MODULE
-include $(wildcard $(TOP)/cfg/RULES*))
#----------------------------------------
# ADD RULES AFTER THIS LINE

Expand Down
17 changes: 17 additions & 0 deletions ioc/iochooks.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,20 @@ void pvxrefdiff() {
}
}

void pvxreconfigure()
{
Guard (pvxServer->lock);
auto& srv = pvxServer->srv;

if (srv) {
printf("Reconfiguring QSRV\n");
srv.reconfigure(server::Config::from_env());
pvxsr(0); // print new configuration
} else {
fprintf(stderr, "Warning: QSRV not running\n");
}
}

} // namespace

static
Expand Down Expand Up @@ -468,6 +482,9 @@ void pvxsBaseRegistrar() noexcept {
"Save the current set of instance counters for reference by later pvxrefdiff.\n").implementation<&pvxrefsave>();
IOCShCommand<>("pvxrefdiff",
"Show different of current instance counts with those when pvxrefsave was called.\n").implementation<&pvxrefdiff>();
IOCShCommand<>("pvxreconfigure",
"Reconfigure QSRV using current values of EPICS_PVA*. Only disconnects TLS clients\n")
.implementation<&pvxreconfigure>();

// Initialise the PVXS Server
initialisePvxsServer();
Expand Down
5 changes: 2 additions & 3 deletions qsrv/Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ TOP=..
include $(TOP)/configure/CONFIG
# cfg/ sometimes isn't correctly included due to a Base bug
# so we do here (maybe again) as workaround
include $(TOP)/configure/CONFIG_PVXS_MODULE
include $(TOP)/configure/CONFIG_PVXS_VERSION
-include $(wildcard $(TOP)/cfg/CONFIG*))
#----------------------------------------
# ADD MACRO DEFINITIONS AFTER THIS LINE
#=============================
Expand All @@ -31,7 +30,7 @@ FINAL_LOCATION ?= $(shell $(PERL) $(TOOLS)/fullPathName.pl $(INSTALL_LOCATION))
#===========================

include $(TOP)/configure/RULES
include $(TOP)/configure/RULES_PVXS_MODULE
-include $(wildcard $(TOP)/cfg/RULES*))
#----------------------------------------
# ADD RULES AFTER THIS LINE

Expand Down
Loading

0 comments on commit d451688

Please sign in to comment.