ex_network_ssl_hardened.c File Reference

#include "nilorea/n_list.h"
#include "nilorea/n_str.h"
#include "nilorea/n_log.h"
#include "nilorea/n_network.h"
#include "nilorea/n_thread_pool.h"
#include "nilorea/n_signals.h"

Include dependency graph for ex_network_ssl_hardened.c:

Go to the source code of this file.

Data Structures
struct	NETWORK_SSL_THREAD_PARAMS
	structure of a NETWORK_SSL_THREAD_PARAMS More...

Macros
#define	CONNECTION_TIMEOUT_SECONDS   10
#define	MAX_HTTP_REQUEST_SIZE_LIMIT   1048576
#define	SECURITY_HEADERS
	Network for managing connections.

Functions
void	action_on_sig (int recvd_signal)
int	build_secure_response (N_STR **response, int status_code, const char *content_type, char *extra_headers, N_STR *body)
void	handle_request (NETWORK *netw_ptr, LIST *routes_ptr)
int	main (int argc, char *argv[])
void	process_args (int argc_nb, char **argv_ptr, char **addr_ptr, char **port_ptr, char **key_ptr, char **cert_ptr, char **ca_file_ptr, int *ssl_verify_ptr, LIST *routes_ptr, int *ip_version_ptr, int *max_http_request_size_ptr, char **root_dir_ptr)
int	set_socket_timeout (SOCKET sock, int timeout_seconds)
	Set socket read/write timeout to prevent slow-loris attacks.
int	ssl_harden_context (NETWORK *ssl_netw)
	Harden the SSL context with modern security settings.
void *	ssl_network_thread (void *params)
void	usage (void)
int	validate_path (const char *requested_path, const char *root, char *resolved, size_t resolved_size)
	Validate that a resolved path stays within the document root.

Variables
char *	addr = NULL
char *	ca_file = NULL
char *	cert = NULL
bool	done = 0
int	ip_version = 0
char *	key = NULL
int	max_connections = 0
int	max_http_request_size = 16384
NETWORK *	netw = NULL
	Network for server mode, accepting incomming.
char *	port = NULL
char *	root_dir = NULL
LIST *	routes = NULL
NETWORK *	server = NULL
int	ssl_verify = 0

---

Data Structure Documentation

NETWORK_SSL_THREAD_PARAMS

struct NETWORK_SSL_THREAD_PARAMS

structure of a NETWORK_SSL_THREAD_PARAMS

Examples

ex_network_ssl.c, and ex_network_ssl_hardened.c.

Definition at line 412 of file ex_network_ssl.c.

Collaboration diagram for NETWORK_SSL_THREAD_PARAMS:

Data Fields
NETWORK *	netw	network to use for the receiving thread
LIST *	routes	virtual routes for the server

Macro Definition Documentation

CONNECTION_TIMEOUT_SECONDS

#define CONNECTION_TIMEOUT_SECONDS   10

Examples

ex_network_ssl_hardened.c.

Definition at line 56 of file ex_network_ssl_hardened.c.

MAX_HTTP_REQUEST_SIZE_LIMIT

#define MAX_HTTP_REQUEST_SIZE_LIMIT   1048576

Examples

ex_network_ssl_hardened.c.

Definition at line 55 of file ex_network_ssl_hardened.c.

SECURITY_HEADERS

#define SECURITY_HEADERS

Value:

    "Strict-Transport-Security: max-age=31536000\r\n"      \
    "X-Content-Type-Options: nosniff\r\n"                  \
    "X-Frame-Options: DENY\r\n"                            \
    "Content-Security-Policy: default-src 'self'\r\n"      \
    "Referrer-Policy: strict-origin-when-cross-origin\r\n" \
    "Permissions-Policy: geolocation=(), camera=(), microphone=()\r\n"

Network for managing connections.

security headers appended to every response

Examples

ex_network_ssl_hardened.c.

Definition at line 65 of file ex_network_ssl_hardened.c.

Function Documentation

action_on_sig()

void action_on_sig

(

int

recvd_signal

)

Definition at line 375 of file ex_network_ssl_hardened.c.

References done, LOG_ERR, LOG_NOTICE, and n_log.

build_secure_response()

int build_secure_response	(	N_STR **	response,
		int	status_code,
		const char *	content_type,
		char *	extra_headers,
		N_STR *	body
	)

Examples

ex_network_ssl_hardened.c.

Definition at line 425 of file ex_network_ssl_hardened.c.

References netw_build_http_response(), and SECURITY_HEADERS.

Referenced by handle_request().

Here is the call graph for this function:

Here is the caller graph for this function:

handle_request()

void handle_request	(	NETWORK *	netw_ptr,
		LIST *	routes_ptr
	)

Definition at line 432 of file ex_network_ssl_hardened.c.

References __n_assert, _nstr, _str, NETWORK_HTTP_INFO::body, build_secure_response(), char_to_nstr(), CONNECTION_TIMEOUT_SECONDS, N_STR::data, destroy_ht(), file_to_nstr(), Free, free_nstr, free_split_result(), HT_FOREACH, N_SOCKET::ip, NETWORK::link, list_foreach, LOG_DEBUG, LOG_ERR, LOG_INFO, Malloc, max_http_request_size, n_log, netw_close(), netw_extract_http_info(), netw_get_url_from_http_request(), netw_guess_http_content_type(), netw_info_destroy(), netw_parse_post_data(), new_nstr(), nstrprintf, root_dir, send_ssl_data(), set_socket_timeout(), N_SOCKET::sock, SOCKET_SIZE_FORMAT, split(), NETWORK::ssl, NETWORK_HTTP_INFO::type, validate_path(), and N_STR::written.

Here is the call graph for this function:

main()

int main	(	int	argc,
		char *	argv[]
	)

Definition at line 652 of file ex_network_ssl_hardened.c.

References __n_assert, _str, action_on_sig(), add_threaded_process(), addr, ca_file, cert, destroy_threaded_pool(), DIRECT_PROC, done, FreeNoLog, get_nb_cpu_cores(), ip_version, key, NETWORK::link, list_destroy(), LOG_DEBUG, LOG_ERR, LOG_INFO, LOG_NOTICE, Malloc, max_connections, max_http_request_size, MAX_LIST_ITEMS, n_log, netw, NETWORK_SSL_THREAD_PARAMS::netw, netw_accept_from_ex(), netw_close(), netw_make_listening(), netw_set_crypto(), netw_set_crypto_chain(), netw_ssl_set_verify(), new_generic_list(), new_thread_pool(), port, process_args(), root_dir, routes, NETWORK_SSL_THREAD_PARAMS::routes, server, N_SOCKET::sock, ssl_harden_context(), ssl_network_thread(), ssl_verify, thread_pool, and wait_for_threaded_pool().

Here is the call graph for this function:

process_args()

void process_args	(	int	argc_nb,
		char **	argv_ptr,
		char **	addr_ptr,
		char **	port_ptr,
		char **	key_ptr,
		char **	cert_ptr,
		char **	ca_file_ptr,
		int *	ssl_verify_ptr,
		LIST *	routes_ptr,
		int *	ip_version_ptr,
		int *	max_http_request_size_ptr,
		char **	root_dir_ptr
	)

Definition at line 91 of file ex_network_ssl_hardened.c.

References getoptret, list_push(), LOG_DEBUG, LOG_ERR, LOG_INFO, log_level, LOG_NOTICE, LOG_NULL, max_connections, MAX_HTTP_REQUEST_SIZE_LIMIT, n_log, NETWORK_IPV4, NETWORK_IPV6, set_log_level(), and usage().

Here is the call graph for this function:

set_socket_timeout()

int set_socket_timeout	(	SOCKET	sock,
		int	timeout_seconds
	)

Set socket read/write timeout to prevent slow-loris attacks.

Parameters

sock	the socket file descriptor
timeout_seconds	timeout in seconds

Returns

TRUE on success, FALSE on failure

Examples

ex_network_ssl_hardened.c.

Definition at line 298 of file ex_network_ssl_hardened.c.

References LOG_ERR, and n_log.

Referenced by handle_request().

Here is the caller graph for this function:

ssl_harden_context()

int ssl_harden_context

(

NETWORK *

ssl_netw

)

Harden the SSL context with modern security settings.

Applied after netw_set_crypto/netw_set_crypto_chain to tighten TLS configuration:

• Enforce TLS 1.2 minimum
• Restrict cipher suites to strong AEAD ciphers with forward secrecy
• Disable compression (CRIME attack)
• Server cipher preference
• Disable session tickets for forward secrecy
• Configure ECDH curves

Parameters

ssl_netw

the network whose SSL_CTX to harden

Returns

TRUE on success, FALSE on failure

Examples

ex_network_ssl_hardened.c.

Definition at line 234 of file ex_network_ssl_hardened.c.

References __n_assert, NETWORK::ctx, LOG_ERR, LOG_INFO, and n_log.

Referenced by main().

Here is the caller graph for this function:

ssl_network_thread()

void * ssl_network_thread

(

void *

params

)

Definition at line 643 of file ex_network_ssl_hardened.c.

References __n_assert, Free, handle_request(), NETWORK_SSL_THREAD_PARAMS::netw, netw_close(), and NETWORK_SSL_THREAD_PARAMS::routes.

Here is the call graph for this function:

usage()

void usage

(

void

)

Definition at line 73 of file ex_network_ssl_hardened.c.

References max_http_request_size, and MAX_HTTP_REQUEST_SIZE_LIMIT.

validate_path()

int validate_path	(	const char *	requested_path,
		const char *	root,
		char *	resolved,
		size_t	resolved_size
	)

Validate that a resolved path stays within the document root.

Resolves the requested path using realpath() and checks that it starts with the resolved root directory, preventing path traversal attacks (e.g., GET /../../etc/passwd).

Parameters

requested_path	the filesystem path constructed from the URL
root	the document root directory
resolved	output buffer for the validated absolute path
resolved_size	size of the output buffer

Returns

TRUE if the path is safe, FALSE if it escapes the root

Examples

ex_network_ssl_hardened.c.

Definition at line 338 of file ex_network_ssl_hardened.c.

References LOG_ERR, and n_log.

Referenced by handle_request().

Here is the caller graph for this function:

Variable Documentation

addr

char* addr = NULL

Definition at line 47 of file ex_network_ssl_hardened.c.

ca_file

char* ca_file = NULL

Definition at line 50 of file ex_network_ssl_hardened.c.

cert

char* cert = NULL

Definition at line 49 of file ex_network_ssl_hardened.c.

done

bool done = 0

Definition at line 59 of file ex_network_ssl_hardened.c.

ip_version

int ip_version = 0

Definition at line 53 of file ex_network_ssl_hardened.c.

key

char* key = NULL

Definition at line 48 of file ex_network_ssl_hardened.c.

max_connections

int max_connections = 0

Definition at line 58 of file ex_network_ssl_hardened.c.

max_http_request_size

int max_http_request_size = 16384

Definition at line 54 of file ex_network_ssl_hardened.c.

netw

NETWORK * netw = NULL

Network for server mode, accepting incomming.

Definition at line 62 of file ex_network_ssl_hardened.c.

port

char* port = NULL

Definition at line 46 of file ex_network_ssl_hardened.c.

root_dir

char* root_dir = NULL

Definition at line 51 of file ex_network_ssl_hardened.c.

routes

LIST* routes = NULL

Definition at line 52 of file ex_network_ssl_hardened.c.

server

NETWORK* server = NULL

Definition at line 61 of file ex_network_ssl_hardened.c.

ssl_verify

int ssl_verify = 0

Definition at line 57 of file ex_network_ssl_hardened.c.