BIO *Connect_SSL(char *hostname, int port)
{
//BIO *bio = NULL;
char bio_addr[BUF_MAX] = { 0 };
snprintf(bio_addr, sizeof(bio_addr), "%s:%d", hostname, port);
SSL_library_init();
SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
SSL *ssl = NULL;
bio = BIO_new_ssl_connect(ctx);
if (bio == NULL)
{
Error("BIO_new_ssl_connect");
}
BIO_get_ssl(bio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_conn_hostname(bio, bio_addr);
if (BIO_do_connect(bio) <= 0)
{
Error("SSL Unable to connect");
}
return bio;
}
BIO* connect_encrypted(char* host_and_port, char* store_path, char store_type, SSL_CTX** ctx, SSL** ssl) {
BIO* bio = NULL;
int r = 0;
*ctx = SSL_CTX_new(SSLv23_client_method());
*ssl = NULL;
if (store_type == 'f')
r = SSL_CTX_load_verify_locations(*ctx, store_path, NULL);
else
r = SSL_CTX_load_verify_locations(*ctx, NULL, store_path);
if (r == 0) {
return NULL;
}
bio = BIO_new_ssl_connect(*ctx);
BIO_get_ssl(bio, ssl);
if (!(*ssl)) {
return NULL;
}
SSL_set_mode(*ssl, SSL_MODE_AUTO_RETRY);
BIO_set_conn_hostname(bio, host_and_port);
if (BIO_do_connect(bio) < 1) {
return NULL;
}
return bio;
}
static Pfd*
opensslconnect(char *host)
{
Pfd *pfd;
BIO *sbio;
SSL_CTX *ctx;
SSL *ssl;
static int didinit;
char buf[1024];
if(!didinit){
httpsinit();
didinit = 1;
}
ctx = SSL_CTX_new(SSLv23_client_method());
sbio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(sbio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
snprint(buf, sizeof buf, "%s:https", host);
BIO_set_conn_hostname(sbio, buf);
if(BIO_do_connect(sbio) <= 0 || BIO_do_handshake(sbio) <= 0){
ERR_error_string_n(ERR_get_error(), buf, sizeof buf);
BIO_free_all(sbio);
werrstr("openssl: %s", buf);
return nil;
}
pfd = emalloc(sizeof *pfd);
pfd->sbio = sbio;
return pfd;
}
int main()
{
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
printf("SSL_CTX_new err func:%s\n reaseon:%s", ERR_func_error_string(ERR_get_error()),
ERR_reason_error_string(ERR_get_error()));
exit(1);
}
//加载可信任证书库
if (0 == SSL_CTX_load_verify_locations(ctx, "./push_cer.pem", NULL)) {
printf("err func:%s\n reaseon:%s", ERR_func_error_string(ERR_get_error()),
ERR_reason_error_string(ERR_get_error()));
ERR_print_errors_fp(stdout);
exit(1);
}
//set BIO
BIO *bio = BIO_new_ssl_connect(ctx);
if (bio == NULL) {
printf("err func:%s\n", ERR_func_error_string(ERR_get_error()));
ERR_print_errors_fp(stdout);
exit(1);
}
SSL *ssl;
BIO_get_ssl(bio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
//open safe connect
BIO_set_conn_hostname(bio, "gateway.sandbox.push.apple.com:2195");
//verify connect ok
if (BIO_do_connect(bio) <= 0) {
ERR_print_errors_fp(stdout);
exit(1);
}
if (SSL_get_verify_result(ssl) != X509_V_OK) {
printf("SSL_get_verify_result not success\n");
}
char buf[MAXBUF];
char *json = "{\"aps\":{\"badge\":123}}";
sendPayload(bio, token, json, strlen(json));
int ret = BIO_read(bio, buf, MAXBUF);
if (ret <= 0) {
printf("BIO_read return 0\n");
}
SSL_CTX_free(ctx);
BIO_free_all(bio);
return 0;
}
/*-
* doConnection - make a connection
* Args:
* scon = earlier ssl connection for session id, or NULL
* Returns:
* SSL * = the connection pointer.
*/
static SSL *doConnection(SSL *scon)
{
BIO *conn;
SSL *serverCon;
int width, i;
fd_set readfds;
if ((conn = BIO_new(BIO_s_connect())) == NULL)
return (NULL);
/* BIO_set_conn_port(conn,port);*/
BIO_set_conn_hostname(conn, host);
if (scon == NULL)
serverCon = SSL_new(tm_ctx);
else {
serverCon = scon;
SSL_set_connect_state(serverCon);
}
SSL_set_bio(serverCon, conn, conn);
/* ok, lets connect */
for (;;) {
i = SSL_connect(serverCon);
if (BIO_sock_should_retry(i)) {
BIO_printf(bio_err, "DELAY\n");
i = SSL_get_fd(serverCon);
width = i + 1;
FD_ZERO(&readfds);
openssl_fdset(i, &readfds);
/*
* Note: under VMS with SOCKETSHR the 2nd parameter is currently
* of type (int *) whereas under other systems it is (void *) if
* you don't have a cast it will choke the compiler: if you do
* have a cast then you can either go for (int *) or (void *).
*/
select(width, (void *)&readfds, NULL, NULL, NULL);
continue;
}
break;
}
if (i <= 0) {
BIO_printf(bio_err, "ERROR\n");
if (verify_error != X509_V_OK)
BIO_printf(bio_err, "verify error:%s\n",
X509_verify_cert_error_string(verify_error));
else
ERR_print_errors(bio_err);
if (scon == NULL)
SSL_free(serverCon);
return NULL;
}
return serverCon;
}
/***********************************************************************
* doConnection - make a connection
* Args:
* scon = earlier ssl connection for session id, or NULL
* Returns:
* SSL * = the connection pointer.
*/
static SSL *
doConnection(SSL * scon)
{
BIO *conn;
SSL *serverCon;
int width, i;
fd_set readfds;
if ((conn = BIO_new(BIO_s_connect())) == NULL)
return (NULL);
/* BIO_set_conn_port(conn,port);*/
BIO_set_conn_hostname(conn, host);
if (scon == NULL)
serverCon = SSL_new(tm_ctx);
else {
serverCon = scon;
SSL_set_connect_state(serverCon);
}
SSL_set_bio(serverCon, conn, conn);
#if 0
if (scon != NULL)
SSL_set_session(serverCon, SSL_get_session(scon));
#endif
/* ok, lets connect */
for (;;) {
i = SSL_connect(serverCon);
if (BIO_sock_should_retry(i)) {
BIO_printf(bio_err, "DELAY\n");
i = SSL_get_fd(serverCon);
width = i + 1;
FD_ZERO(&readfds);
FD_SET(i, &readfds);
select(width, &readfds, NULL, NULL, NULL);
continue;
}
break;
}
if (i <= 0) {
BIO_printf(bio_err, "ERROR\n");
if (verify_error != X509_V_OK)
BIO_printf(bio_err, "verify error:%s\n",
X509_verify_cert_error_string(verify_error));
else
ERR_print_errors(bio_err);
if (scon == NULL)
SSL_free(serverCon);
return NULL;
}
return serverCon;
}
bool Email::sendCode(std::string user, std::string code)
{
std::string msg,to;
msg = m_m1 + code + m_m2;
to = m_to1 + user + m_to3;
SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
SSL* ssl;
BIO* bio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(bio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
BIO_set_conn_hostname(bio, m_amazonHostname.c_str());
if(BIO_do_connect(bio) <= 0){
BIO_free_all(bio);
SSL_CTX_free(ctx);
return false;
}
if(BIO_do_handshake(bio) <= 0){
BIO_free_all(bio);
SSL_CTX_free(ctx);
return false;
}
m_len = BIO_read(bio, m_buf, BUF_LEN) - 1;
BIO_puts(bio, "HELO localhost\r\n");
m_len = BIO_read(bio, m_buf, BUF_LEN) - 1;
BIO_puts(bio,"AUTH LOGIN\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,"QUtJQUlFVzJDMlU3RUZYTU5PUVE=\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,"QWd3TkZSOUJyb2dUTUkxYlJHeXh4dHZMYm4reldGZCtYSFJMbnJpNzZ5RC8=\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,"MAIL FROM:[email protected]\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,to.c_str());
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,"DATA\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,"Subject:OneBrown Verification\r\n\r\n");
BIO_puts(bio,msg.c_str());
BIO_puts(bio,"\r\n.\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_puts(bio,"QUIT\r\n");
m_len = BIO_read(bio,m_buf,BUF_LEN) - 1;
BIO_free_all(bio);
SSL_CTX_free(ctx);
return true;
}
const char *dbapi_lookup(const char *key) {
long res = 1;
SSL_CTX* ctx = NULL;
BIO *web = NULL, *out = NULL;
SSL *ssl = NULL;
const SSL_METHOD* method;
char *token, *tmpout, *buf;
int hlen=0, len=0, maxlen=2048;
(void)SSL_library_init();
SSL_load_error_strings();
OPENSSL_config(NULL);
method = SSLv23_method(); if(method==NULL) return NULL;
ctx = SSL_CTX_new(method); if(ctx==NULL) return NULL;
SSL_CTX_set_verify_depth(ctx, 4);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|
SSL_OP_NO_COMPRESSION);
web = BIO_new_ssl_connect(ctx); if(web==NULL) return NULL;
res = BIO_set_conn_hostname(web, DB_API_SERVER); if(res!=1) return NULL;
BIO_get_ssl(web, &ssl); if(ssl==NULL) return NULL;
res = SSL_set_cipher_list(ssl, SECURE_CIPHER_LIST); if(res!=1) return NULL;
res = SSL_set_tlsext_host_name(ssl, DB_API_HOST); if(res!=1) return NULL;
out = BIO_new_fp(stdout, BIO_NOCLOSE); if(NULL==out) return NULL;
res = BIO_do_connect(web); if(res!=1) return NULL;
res = BIO_do_handshake(web); if(res!=1) return NULL;
len=(60+strlen(key)+strlen(DB_API_HOST)+strlen(DB_API_AUTH));
char *request=malloc(sizeof(char)*(len+1));
snprintf(request,len,
"GET %s HTTP/1.1\nHost: %s\nx-api-key: %s\nConnection: close\n\n",
key, DB_API_HOST, DB_API_AUTH);
request[len]='\0';
BIO_puts(web, request);
BIO_puts(out, "\n");
buf = malloc(sizeof(char)*maxlen);
do {
char buff[1536] = {};
len=BIO_read(web, buff, sizeof(buff));
hlen+=len;
if(hlen<maxlen&&len>0) strncat(buf,buff,len);
} while (len>0 || BIO_should_retry(web));
buf[maxlen]='\0';
tmpout = malloc(sizeof(char)*(HASH_MAXLENGTH+1));
token = strtok(buf, "\n");
while (token) {
snprintf(tmpout,HASH_MAXLENGTH,"%s",token);
token = strtok(NULL, "\n");
}
tmpout[strlen(tmpout)]='\0';
free(buf);
free(request);
if(out) BIO_free(out);
if(web != NULL) BIO_free_all(web);
if(NULL != ctx) SSL_CTX_free(ctx);
return tmpout;
}
/***********************************************************************
* doConnection - make a connection
* Args:
* scon = earlier ssl connection for session id, or NULL
* Returns:
* SSL * = the connection pointer.
*/
static SSL *
doConnection(SSL * scon)
{
struct pollfd pfd[1];
SSL *serverCon;
BIO *conn;
long verify_error;
int i;
if ((conn = BIO_new(BIO_s_connect())) == NULL)
return (NULL);
/* BIO_set_conn_port(conn,port);*/
BIO_set_conn_hostname(conn, s_time_config.host);
if (scon == NULL)
serverCon = SSL_new(tm_ctx);
else {
serverCon = scon;
SSL_set_connect_state(serverCon);
}
SSL_set_bio(serverCon, conn, conn);
/* ok, lets connect */
for (;;) {
i = SSL_connect(serverCon);
if (BIO_sock_should_retry(i)) {
BIO_printf(bio_err, "DELAY\n");
i = SSL_get_fd(serverCon);
pfd[0].fd = i;
pfd[0].events = POLLIN;
poll(pfd, 1, -1);
continue;
}
break;
}
if (i <= 0) {
BIO_printf(bio_err, "ERROR\n");
verify_error = SSL_get_verify_result(serverCon);
if (verify_error != X509_V_OK)
BIO_printf(bio_err, "verify error:%s\n",
X509_verify_cert_error_string(verify_error));
else
ERR_print_errors(bio_err);
if (scon == NULL)
SSL_free(serverCon);
return NULL;
}
return serverCon;
}
BIO *BIO_new_connect(const char *hostname) {
BIO *ret;
ret = BIO_new(BIO_s_connect());
if (ret == NULL) {
return NULL;
}
if (!BIO_set_conn_hostname(ret, hostname)) {
BIO_free(ret);
return NULL;
}
return ret;
}
/*-
* doConnection - make a connection
*/
static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
{
BIO *conn;
SSL *serverCon;
int i;
if ((conn = BIO_new(BIO_s_connect())) == NULL)
return NULL;
BIO_set_conn_hostname(conn, host);
BIO_set_conn_mode(conn, BIO_SOCK_NODELAY);
if (scon == NULL)
serverCon = SSL_new(ctx);
else {
serverCon = scon;
SSL_set_connect_state(serverCon);
}
SSL_set_bio(serverCon, conn, conn);
/* ok, lets connect */
i = SSL_connect(serverCon);
if (i <= 0) {
BIO_printf(bio_err, "ERROR\n");
if (verify_args.error != X509_V_OK)
BIO_printf(bio_err, "verify error:%s\n",
X509_verify_cert_error_string(verify_args.error));
else
ERR_print_errors(bio_err);
if (scon == NULL)
SSL_free(serverCon);
return NULL;
}
#if defined(SOL_SOCKET) && defined(SO_LINGER)
{
struct linger no_linger;
int fd;
no_linger.l_onoff = 1;
no_linger.l_linger = 0;
fd = SSL_get_fd(serverCon);
if (fd >= 0)
(void)setsockopt(fd, SOL_SOCKET, SO_LINGER, (char*)&no_linger,
sizeof(no_linger));
}
#endif
return serverCon;
}
BIO *BIO_new_connect(char *str)
{
BIO *ret;
ret=BIO_new(BIO_s_connect());
if (ret == NULL) return(NULL);
if (BIO_set_conn_hostname(ret,str))
return(ret);
else
{
BIO_free(ret);
return(NULL);
}
}
static BIO *
my_connect_ssl(char *host, int port, SSL_CTX **ctx) {
BIO *conn = 0;
if (!(conn = BIO_new_ssl_connect(*ctx))) goto error_exit;
BIO_set_conn_hostname(conn, host);
BIO_set_conn_int_port(conn, &port);
if (BIO_do_connect(conn) <= 0) goto error_exit;
return conn;
error_exit:
if (conn) BIO_free_all(conn);
return 0;
}
bool tls_socket::set_hostname(const char* sAddr)
{
sock_closed = false;
if(ctx == nullptr)
{
init_ctx();
if(ctx == nullptr)
{
print_error();
return false;
}
}
if((bio = BIO_new_ssl_connect(ctx)) == nullptr)
{
print_error();
return false;
}
int flag = 1;
/* If it fails, it fails, we won't loose too much sleep over it */
setsockopt(BIO_get_fd(bio, nullptr), IPPROTO_TCP, TCP_NODELAY, (char *) &flag, sizeof(int));
if(BIO_set_conn_hostname(bio, sAddr) != 1)
{
print_error();
return false;
}
BIO_get_ssl(bio, &ssl);
if(ssl == nullptr)
{
print_error();
return false;
}
if(jconf::inst()->TlsSecureAlgos())
{
if(SSL_set_cipher_list(ssl, "HIGH:!aNULL:!PSK:!SRP:!MD5:!RC4:!SHA1") != 1)
{
print_error();
return false;
}
}
return true;
}
/**
* Connect to a host using an encrypted stream
*/
BIO* connect_encrypted(char* host_and_port, char* store_path, char store_type, SSL_CTX** ctx, SSL** ssl) {
BIO* bio = NULL;
int r = 0;
/* Set up the SSL pointers */
*ctx = SSL_CTX_new(SSLv23_client_method());
*ssl = NULL;
/* Load the trust store from the pem location in argv[2] */
if (store_type == 'f')
r = SSL_CTX_load_verify_locations(*ctx, store_path, NULL);
else
r = SSL_CTX_load_verify_locations(*ctx, NULL, store_path);
if (r == 0) {
print_ssl_error_2("Unable to load the trust store from %s.\n", store_path, stdout);
return NULL;
}
/* Setting up the BIO SSL object */
bio = BIO_new_ssl_connect(*ctx);
BIO_get_ssl(bio, ssl);
if (!(*ssl)) {
print_ssl_error("Unable to allocate SSL pointer.\n", stdout);
return NULL;
}
SSL_set_mode(*ssl, SSL_MODE_AUTO_RETRY);
/* Attempt to connect */
BIO_set_conn_hostname(bio, host_and_port);
/* Verify the connection opened and perform the handshake */
if (BIO_do_connect(bio) < 1) {
print_ssl_error_2("Unable to connect BIO.%s\n", host_and_port, stdout);
return NULL;
}
if (SSL_get_verify_result(*ssl) != X509_V_OK) {
print_ssl_error("Unable to verify connection result.\n", stdout);
}
return bio;
}
static int openssl_ssl_ctx_new_bio(lua_State*L)
{
SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
const char* host_addr = luaL_checkstring(L, 2);
int server = lua_isnoneornil(L, 3) ? 0 : auxiliar_checkboolean(L, 3);
int autoretry = lua_isnoneornil(L, 4) ? 1 : auxiliar_checkboolean(L, 4);
SSL *ssl = NULL;
BIO *bio = server ? BIO_new_ssl(ctx, 0) : BIO_new_ssl_connect(ctx);
int ret = BIO_get_ssl(bio, &ssl);
if (ret == 1 && ssl)
{
if (autoretry)
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
if (server)
{
BIO* acpt = BIO_new_accept((char*)host_addr);
BIO_set_accept_bios(acpt, bio);
bio = acpt;
}
else
{
ret = BIO_set_conn_hostname(bio, host_addr);
}
if (ret == 1)
{
PUSH_OBJECT(bio, "openssl.bio");
openssl_newvalue(L, bio);
lua_pushboolean(L, 1);
openssl_setvalue(L, bio, "free_all");
return 1;
}
else
return openssl_pushresult(L, ret);
}
else
{
BIO_free(bio);
bio = NULL;
return 0;
}
}
bool tls_socket::set_hostname(const char* sAddr)
{
if(ctx == nullptr)
{
init_ctx();
if(ctx == nullptr)
{
print_error();
return false;
}
}
if((bio = BIO_new_ssl_connect(ctx)) == nullptr)
{
print_error();
return false;
}
if(BIO_set_conn_hostname(bio, sAddr) != 1)
{
print_error();
return false;
}
BIO_get_ssl(bio, &ssl);
if(ssl == nullptr)
{
print_error();
return false;
}
if(jconf::inst()->TlsSecureAlgos())
{
if(SSL_set_cipher_list(ssl, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4:!SHA1") != 1)
{
print_error();
return false;
}
}
return true;
}
// ----------------------------------------------------------------------------
void SecureClient::init() {
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
m_ssl_context = SSL_CTX_new(SSLv23_client_method());
// loading the Trust Store
if(!SSL_CTX_load_verify_locations(m_ssl_context, "../client/certs/TrustStore.pem", nullptr)) {
ERR("Failed to load the Trust Store of certificates: %s", ERR_reason_error_string(ERR_get_error()));
throw ClientException();
}
m_bio = BIO_new_ssl_connect(m_ssl_context);
if (m_bio == nullptr) {
ERR("Failed to prepare new secure connection: %s", ERR_reason_error_string(ERR_get_error()));
throw ClientException();
}
BIO_get_ssl(m_bio, &m_ssl);
SSL_set_mode(m_ssl, SSL_MODE_AUTO_RETRY); // retry handshake transparently if Server suddenly wants
// establish secure connection
BIO_set_conn_hostname(m_bio, m_ip_address.c_str());
BIO_set_conn_port(m_bio, m_port.c_str());
if (BIO_do_connect(m_bio) <= 0) {
ERR("Failed to securely connect to [%s:%s]: %s", m_ip_address.c_str(), m_port.c_str(), ERR_reason_error_string(ERR_get_error()));
m_is_connected = false;
} else {
m_is_connected = true;
}
// checking certificate from Server
if (SSL_get_verify_result(m_ssl) != X509_V_OK) {
WRN("Certificate verification has failed: %s", ERR_reason_error_string(ERR_get_error()));
// TODO: probably, proceed further
}
INF("Secure connection has been established");
m_api_impl = new SecureClientApiImpl(m_bio, m_ip_address, m_port);
}
/*
Connect to host on the given port using tls and return the BIO object
representing the connection.
*/
BIO* connect_tls(const char *host, const char *port){
init_ssl_lib();
//the assignment is redundant, but it's weird not having it
ctx = init_ssl_ctx();
if(!ctx){return NULL;}
BIO *bio = BIO_new_ssl_connect(ctx);
if(!bio){goto err;}
if(BIO_set_conn_hostname(bio, host) == 0){
goto err;
}
if(BIO_set_conn_port(bio, port) == 0){
goto err;
}
SSL *ssl;
BIO_get_ssl(bio, &ssl);
//Handle renegotiation transparently
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
//this is to let the server know what name we used to connect to it
SSL_set_tlsext_host_name(ssl, host);
if(BIO_do_connect(bio) == 0){
goto err;
}
if(BIO_do_handshake(bio) == 0){
goto err;
}
//make sure that the certificate was valid
if(SSL_get_verify_result(ssl) != X509_V_OK){
goto err;
}
return bio;
err:
print_errors();
BIO_free_all(bio);
SSL_CTX_free(ctx);
return NULL;
}
bool ClientSSLSocket::Connect(std::string hostAndPort) {
SSL_library_init();
_ctx.Reset(SSL_CTX_new(SSLv23_client_method()));
if (!_ctx.Get()) {
ERR_print_errors_fp(stderr);
return false;
}
_bio.Reset(BIO_new_ssl_connect(_ctx.Get()));
SSL* ssl = nullptr;
// Set some flags.
BIO_get_ssl(_bio.Get(), &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
// Create and setup the connection.
BIO_set_conn_hostname(_bio.Get(), hostAndPort.c_str());
if (BIO_do_connect(_bio.Get()) <= 0) {
std::cerr << "ERROR: Could not connect to \"" << hostAndPort << "\""
<< std::endl;
ERR_print_errors_fp(stderr);
return false;
}
#if 0 // We don't care about the certificate validity at the moment.
// Check the certificate.
if (SSL_get_verify_result(ssl) != X509_V_OK) {
std::cerr << "ERROR: Certificate verification error ("
<< SSL_get_verify_result(ssl) << ")" << std::endl;
ERR_print_errors_fp(stderr);
return false;
}
#endif // 0
return true;
}
BOOL tcp_connect(rdpTcp* tcp, const char* hostname, int port, int timeout)
{
int status;
UINT32 option_value;
socklen_t option_len;
if (!hostname)
return FALSE;
if (hostname[0] == '/')
{
tcp->sockfd = freerdp_uds_connect(hostname);
if (tcp->sockfd < 0)
return FALSE;
tcp->socketBio = BIO_new_fd(tcp->sockfd, 1);
if (!tcp->socketBio)
return FALSE;
}
else
{
fd_set cfds;
struct timeval tv;
tcp->socketBio = BIO_new(BIO_s_connect());
if (!tcp->socketBio)
return FALSE;
if (BIO_set_conn_hostname(tcp->socketBio, hostname) < 0 || BIO_set_conn_int_port(tcp->socketBio, &port) < 0)
return FALSE;
BIO_set_nbio(tcp->socketBio, 1);
status = BIO_do_connect(tcp->socketBio);
if ((status <= 0) && !BIO_should_retry(tcp->socketBio))
return FALSE;
tcp->sockfd = BIO_get_fd(tcp->socketBio, NULL);
if (tcp->sockfd < 0)
return FALSE;
if (status <= 0)
{
FD_ZERO(&cfds);
FD_SET(tcp->sockfd, &cfds);
tv.tv_sec = timeout;
tv.tv_usec = 0;
status = select(tcp->sockfd + 1, NULL, &cfds, NULL, &tv);
if (status == 0)
{
return FALSE; /* timeout */
}
}
BIO_set_close(tcp->socketBio, BIO_NOCLOSE);
BIO_free(tcp->socketBio);
tcp->socketBio = BIO_new(BIO_s_simple_socket());
if (!tcp->socketBio)
return -1;
BIO_set_fd(tcp->socketBio, tcp->sockfd, BIO_CLOSE);
}
SetEventFileDescriptor(tcp->event, tcp->sockfd);
tcp_get_ip_address(tcp);
tcp_get_mac_address(tcp);
option_value = 1;
option_len = sizeof(option_value);
if (setsockopt(tcp->sockfd, IPPROTO_TCP, TCP_NODELAY, (void*) &option_value, option_len) < 0)
fprintf(stderr, "%s: unable to set TCP_NODELAY\n", __FUNCTION__);
/* receive buffer must be a least 32 K */
if (getsockopt(tcp->sockfd, SOL_SOCKET, SO_RCVBUF, (void*) &option_value, &option_len) == 0)
{
if (option_value < (1024 * 32))
{
option_value = 1024 * 32;
option_len = sizeof(option_value);
if (setsockopt(tcp->sockfd, SOL_SOCKET, SO_RCVBUF, (void*) &option_value, option_len) < 0)
{
fprintf(stderr, "%s: unable to set receive buffer len\n", __FUNCTION__);
return FALSE;
}
}
}
if (!tcp_set_keep_alive_mode(tcp))
return FALSE;
tcp->bufferedBio = BIO_new(BIO_s_buffered_socket());
if (!tcp->bufferedBio)
return FALSE;
tcp->bufferedBio->ptr = tcp;
tcp->bufferedBio = BIO_push(tcp->bufferedBio, tcp->socketBio);
return TRUE;
}
int anetSSLGenericConnect( char* err, char* addr, int port, int flags, anetSSLConnection* sslctn, char* certFilePath, char* certDirPath, char* checkCommonName ) {
sslctn->sd = -1;
sslctn->ctx = NULL;
sslctn->ssl = NULL;
sslctn->bio = NULL;
sslctn->conn_str = NULL;
// Set up a SSL_CTX object, which will tell our BIO object how to do its work
SSL_CTX* ctx = SSL_CTX_new(TLSv1_1_client_method());
sslctn->ctx = ctx;
// Create a SSL object pointer, which our BIO object will provide.
SSL* ssl;
// Create our BIO object for SSL connections.
BIO* bio = BIO_new_ssl_connect(ctx);
sslctn->bio = bio;
// Failure?
if (bio == NULL) {
char errorbuf[1024];
ERR_error_string(1024,errorbuf);
anetSetError(err, "SSL Error: Error creating BIO: %s\n", errorbuf);
// We need to free up the SSL_CTX before we leave.
anetCleanupSSL( sslctn );
return ANET_ERR;
}
// Makes ssl point to bio's SSL object.
BIO_get_ssl(bio, &ssl);
sslctn->ssl = ssl;
// Set the SSL to automatically retry on failure.
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
char* connect_str = (char *)calloc( 1, strlen( addr ) + 10 );
sprintf( connect_str, "%s:%d", addr, port );
sslctn->conn_str = connect_str;
// We're connection to to the redis server at IP:port.
BIO_set_conn_hostname(bio, connect_str);
SSL_CTX_load_verify_locations(ctx, certFilePath, certDirPath);
// Same as before, try to connect.
if (BIO_do_connect(bio) <= 0) {
char errorbuf[1024];
ERR_error_string(1024,errorbuf);
anetSetError(err, "SSL Error: Failed to connect: %s\n", errorbuf);
anetCleanupSSL( sslctn );
return ANET_ERR;
}
// Now we need to do the SSL handshake, so we can communicate.
if (BIO_do_handshake(bio) <= 0) {
char errorbuf[1024];
ERR_error_string(1024,errorbuf);
anetSetError(err, "SSL Error: handshake failure: %s\n", errorbuf);
anetCleanupSSL( sslctn );
return ANET_ERR;
}
long verify_result = SSL_get_verify_result(ssl);
if( verify_result == X509_V_OK) {
X509* peerCertificate = SSL_get_peer_certificate(ssl);
char commonName [512];
X509_NAME * name = X509_get_subject_name(peerCertificate);
X509_NAME_get_text_by_NID(name, NID_commonName, commonName, 512);
if( checkCommonName != NULL && strlen( checkCommonName ) > 0 ) {
if(wildcmp(commonName, checkCommonName, strlen(checkCommonName)) == 0) {
anetSetError(err, "SSL Error: Error validating peer common name: %s\n", commonName);
anetCleanupSSL( sslctn );
return ANET_ERR;
}
}
} else {
char errorbuf[1024];
ERR_error_string(1024,errorbuf);
anetSetError(err, "SSL Error: Error retrieving peer certificate: %s\n", errorbuf);
anetCleanupSSL( sslctn );
return ANET_ERR;
}
int s = BIO_get_fd( bio, NULL );
if (flags & ANET_CONNECT_NONBLOCK) {
if (anetNonBlock(err,s) != ANET_OK)
return ANET_ERR;
}
return s;
}
/*
* Establishes the connection to the Duo server. On successful return,
* req->cbio is connected and ready to use.
* Return HTTPS_OK on success, error code on failure.
*/
static HTTPScode
_establish_connection(struct https_request * const req,
const char * const api_host,
const char * const api_port)
{
#ifndef HAVE_GETADDRINFO
/* Systems that don't have getaddrinfo can use the BIO
wrappers, but only get IPv4 support. */
int n;
if ((req->cbio = BIO_new(BIO_s_connect())) == NULL) {
ctx->errstr = _SSL_strerror();
return HTTPS_ERR_LIB;
}
BIO_set_conn_hostname(req->cbio, api_host);
BIO_set_conn_port(req->cbio, api_port);
BIO_set_nbio(req->cbio, 1);
while (BIO_do_connect(req->cbio) <= 0) {
if ((n = _BIO_wait(req->cbio, 10000)) != 1) {
ctx->errstr = n ? _SSL_strerror() :
"Connection timed out";
return (n ? HTTPS_ERR_SYSTEM : HTTPS_ERR_SERVER);
}
}
return HTTPS_OK;
#else /* HAVE_GETADDRINFO */
/* IPv6 Support
* BIO wrapped io does not support IPv6 addressing. To work around,
* resolve the address and connect the socket manually. Then pass
* the connected socket to the BIO wrapper with BIO_new_socket.
*/
int connected_socket = -1;
int socket_error = 0;
/* Address Lookup */
struct addrinfo *res = NULL;
struct addrinfo *cur_res = NULL;
struct addrinfo hints;
int error;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
error = getaddrinfo(api_host,
api_port,
&hints,
&res);
if (error) {
ctx->errstr = gai_strerror(error);
return HTTPS_ERR_SYSTEM;
}
/* Connect */
for (cur_res = res; cur_res; cur_res = cur_res->ai_next) {
int connretries = 3;
while (connected_socket == -1 && connretries--) {
int sock_flags;
connected_socket = socket(cur_res->ai_family,
cur_res->ai_socktype,
cur_res->ai_protocol);
if (connected_socket == -1) {
continue;
}
sock_flags = fcntl(connected_socket, F_GETFL, 0);
fcntl(connected_socket, F_SETFL, sock_flags|O_NONBLOCK);
if (connect(connected_socket, cur_res->ai_addr, cur_res->ai_addrlen) != 0 &&
errno != EINPROGRESS) {
close(connected_socket);
connected_socket = -1;
break;
}
socket_error = _fd_wait(connected_socket, 10000);
if (socket_error != 1) {
close(connected_socket);
connected_socket = -1;
continue;
}
/* Connected! */
break;
}
}
cur_res = NULL;
freeaddrinfo(res);
res = NULL;
if (connected_socket == -1) {
ctx->errstr = "Failed to connect";
return socket_error ? HTTPS_ERR_SYSTEM : HTTPS_ERR_SERVER;
}
if ((req->cbio = BIO_new_socket(connected_socket, BIO_CLOSE)) == NULL) {
ctx->errstr = _SSL_strerror();
return (HTTPS_ERR_LIB);
}
BIO_set_conn_hostname(req->cbio, api_host);
BIO_set_conn_port(req->cbio, api_port);
BIO_set_nbio(req->cbio, 1);
return HTTPS_OK;
#endif /* HAVE_GETADDRINFO */
}
int main(int argc, char **argv)
{
BIO *sbio = NULL, *out = NULL;
int i, len, rv;
char tmpbuf[1024];
SSL_CTX *ctx = NULL;
SSL_CONF_CTX *cctx = NULL;
SSL *ssl = NULL;
CONF *conf = NULL;
STACK_OF(CONF_VALUE) *sect = NULL;
CONF_VALUE *cnf;
const char *connect_str = "localhost:4433";
long errline = -1;
ERR_load_crypto_strings();
ERR_load_SSL_strings();
SSL_library_init();
conf = NCONF_new(NULL);
if (NCONF_load(conf, "connect.cnf", &errline) <= 0) {
if (errline <= 0)
fprintf(stderr, "Error processing config file\n");
else
fprintf(stderr, "Error on line %ld\n", errline);
goto end;
}
sect = NCONF_get_section(conf, "default");
if (sect == NULL) {
fprintf(stderr, "Error retrieving default section\n");
goto end;
}
ctx = SSL_CTX_new(SSLv3_client_method());
cctx = SSL_CONF_CTX_new();
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
cnf = sk_CONF_VALUE_value(sect, i);
rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value);
if (rv > 0)
continue;
if (rv != -2) {
fprintf(stderr, "Error processing %s = %s\n",
cnf->name, cnf->value);
ERR_print_errors_fp(stderr);
goto end;
}
if (!strcmp(cnf->name, "Connect")) {
connect_str = cnf->value;
} else {
fprintf(stderr, "Unknown configuration option %s\n", cnf->name);
goto end;
}
}
if (!SSL_CONF_CTX_finish(cctx)) {
fprintf(stderr, "Finish error\n");
ERR_print_errors_fp(stderr);
goto err;
}
/*
* We'd normally set some stuff like the verify paths and * mode here
* because as things stand this will connect to * any server whose
* certificate is signed by any CA.
*/
sbio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(sbio, &ssl);
if (!ssl) {
fprintf(stderr, "Can't locate SSL pointer\n");
goto end;
}
/* Don't want any retries */
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
/* We might want to do other things with ssl here */
BIO_set_conn_hostname(sbio, connect_str);
out = BIO_new_fp(stdout, BIO_NOCLOSE);
if (BIO_do_connect(sbio) <= 0) {
fprintf(stderr, "Error connecting to server\n");
ERR_print_errors_fp(stderr);
goto end;
}
if (BIO_do_handshake(sbio) <= 0) {
fprintf(stderr, "Error establishing SSL connection\n");
ERR_print_errors_fp(stderr);
goto end;
}
/* Could examine ssl here to get connection info */
BIO_puts(sbio, "GET / HTTP/1.0\n\n");
for (;;) {
len = BIO_read(sbio, tmpbuf, 1024);
if (len <= 0)
break;
BIO_write(out, tmpbuf, len);
}
end:
SSL_CONF_CTX_free(cctx);
BIO_free_all(sbio);
BIO_free(out);
NCONF_free(conf);
return 0;
}
int main(int argc, char *argv[]) {
unsigned int bundleLength=0, urlLength=0;
if (argc == 3) {
printf("UNSUPPORTED\n"); //for now at least
return EXIT_SUCCESS;
} else if (argc != 4) {
printf("usage: %s <host> <port> <ca-bundle>\n", argv[0]);
return EXIT_FAILURE;
} else if ((urlLength = strlen(argv[1]) + strlen(argv[2]) + 2) > MAX_LENGTH) {
printf("Too long URL: %d characters, max: %d\n", urlLength, MAX_LENGTH);
return EXIT_FAILURE;
} else if ((bundleLength = strlen(argv[3]) + 1) > MAX_LENGTH) {
printf("Too long ca-bundle filepath: %d characters, max: %d\n", bundleLength, MAX_LENGTH);
return EXIT_FAILURE;
}
char url[1024]; snprintf(url, sizeof(url), "%s:%s", argv[1], argv[2]);
char ca_bundle[1024]; memcpy(ca_bundle, argv[3], bundleLength);
int exitvalue = 0;
BIO *sbio;
SSL_CTX *ssl_ctx;
SSL *ssl;
X509 *cert;
const char *servername = NULL;
X509_VERIFY_PARAM *param = NULL;
SSL_load_error_strings();
SSL_library_init();
ssl_ctx = SSL_CTX_new(TLS_method()); //if you are using an older version of openssl, you may need to change this into for example: TLSv1_2_client_method
param = SSL_CTX_get0_param(ssl_ctx);
//set certificate verify
//https://wiki.openssl.org/index.php/Hostname_validation
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, argv[1], 0);
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
if (SSL_CTX_load_verify_locations(ssl_ctx, ca_bundle, NULL) != 1) {
printf("Couldn't load certificate trust store\n");
printf("%s\n", ERR_reason_error_string(ERR_get_error()));
exitvalue=EXIT_FAILURE;
goto end;
}
sbio = BIO_new_ssl_connect(ssl_ctx);
BIO_get_ssl(sbio, &ssl);
if (!ssl) {
printf("Connection failed\n");
printf("%s\n", ERR_reason_error_string(ERR_get_error()));
exitvalue=EXIT_FAILURE;
goto connect_end;
}
//handshake
SSL_set_tlsext_host_name(ssl, url);
BIO_set_conn_hostname(sbio, url);
if(SSL_do_handshake(ssl) <= 0) {
unsigned long int error = ERR_get_error();
printf("%s\n", ERR_reason_error_string(error));
printf("REJECT\n");
} else {
printf ("ACCEPT\n");
}
connect_end:
BIO_free_all(sbio);
end:
SSL_CTX_free(ssl_ctx);
EVP_cleanup();
ERR_free_strings();
return exitvalue;
}
/**
* Run SSL handshake and store the resulting time value in the
* 'time_map'.
*
* @param time_map where to store the current time
*/
static void
run_ssl (uint32_t *time_map)
{
BIO *s_bio;
BIO *c_bio;
SSL_CTX *ctx;
SSL *ssl;
SSL_load_error_strings();
SSL_library_init();
ctx = NULL;
if (0 == strcmp("sslv23", protocol))
{
verb ("V: using SSLv23_client_method()\n");
ctx = SSL_CTX_new(SSLv23_client_method());
} else if (0 == strcmp("sslv3", protocol))
{
verb ("V: using SSLv3_client_method()\n");
ctx = SSL_CTX_new(SSLv3_client_method());
} else if (0 == strcmp("tlsv1", protocol))
{
verb ("V: using TLSv1_client_method()\n");
ctx = SSL_CTX_new(TLSv1_client_method());
} else
die("Unsupported protocol `%s'\n", protocol);
if (ctx == NULL)
die("OpenSSL failed to support protocol `%s'\n", protocol);
if (ca_racket)
{
// For google specifically:
// SSL_CTX_load_verify_locations(ctx, "/etc/ssl/certs/Equifax_Secure_CA.pem", NULL);
if (1 != SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs/"))
fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
}
if (NULL == (s_bio = BIO_new_ssl_connect(ctx)))
die ("SSL BIO setup failed\n");
BIO_get_ssl(s_bio, &ssl);
if (NULL == ssl)
die ("SSL setup failed\n");
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
if ( (1 != BIO_set_conn_hostname(s_bio, host)) ||
(1 != BIO_set_conn_port(s_bio, port)) )
die ("Failed to initialize connection to `%s:%s'\n", host, port);
if (NULL == (c_bio = BIO_new_fp(stdout, BIO_NOCLOSE)))
die ("FIXME: error message");
// This should run in seccomp
// eg: prctl(PR_SET_SECCOMP, 1);
if (1 != BIO_do_connect(s_bio)) // XXX TODO: BIO_should_retry() later?
die ("SSL connection failed\n");
if (1 != BIO_do_handshake(s_bio))
die ("SSL handshake failed\n");
// Verify the peer certificate against the CA certs on the local system
if (ca_racket) {
X509 *x509;
long ssl_verify_result;
if (NULL == (x509 = SSL_get_peer_certificate(ssl)) )
die ("Getting SSL certificate failed\n");
// In theory, we verify that the cert is valid
ssl_verify_result = SSL_get_verify_result(ssl);
switch (ssl_verify_result)
{
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
die ("SSL certificate is self signed\n");
case X509_V_OK:
verb ("V: SSL certificate verification passed\n");
break;
default:
die ("SSL certification verification error: %ld\n",
ssl_verify_result);
}
} else {
verb ("V: Certificate verification skipped!\n");
}
// from /usr/include/openssl/ssl3.h
// ssl->s3->server_random is an unsigned char of 32 bytes
memcpy(time_map, ssl->s3->server_random, sizeof (uint32_t));
}
void *netConnectHttpsThread(void *threadParam)
/* use a thread to run socket back to user */
{
/* child */
struct netConnectHttpsParams *params = threadParam;
pthread_detach(params->thread); // this thread will never join back with it's progenitor
int fd=0;
char hostnameProto[256];
BIO *sbio;
SSL_CTX *ctx;
SSL *ssl;
openSslInit();
ctx = SSL_CTX_new(SSLv23_client_method());
fd_set readfds;
fd_set writefds;
int err;
struct timeval tv;
/* TODO checking certificates
char *certFile = NULL;
char *certPath = NULL;
if (certFile || certPath)
{
SSL_CTX_load_verify_locations(ctx,certFile,certPath);
#if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
SSL_CTX_set_verify_depth(ctx,1);
#endif
}
// verify paths and mode.
*/
sbio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(sbio, &ssl);
if(!ssl)
{
xerr("Can't locate SSL pointer");
goto cleanup;
}
/* Don't want any retries since we are non-blocking bio now */
//SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
safef(hostnameProto,sizeof(hostnameProto),"%s:%d",params->hostName,params->port);
BIO_set_conn_hostname(sbio, hostnameProto);
BIO_set_nbio(sbio, 1); /* non-blocking mode */
while (1)
{
if (BIO_do_connect(sbio) == 1)
{
break; /* Connected */
}
if (! BIO_should_retry(sbio))
{
xerr("BIO_do_connect() failed");
char s[256];
safef(s, sizeof s, "SSL error: %s", ERR_reason_error_string(ERR_get_error()));
xerr(s);
goto cleanup;
}
fd = BIO_get_fd(sbio, NULL);
if (fd == -1)
{
xerr("unable to get BIO descriptor");
goto cleanup;
}
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (BIO_should_read(sbio))
{
FD_SET(fd, &readfds);
}
else if (BIO_should_write(sbio))
{
FD_SET(fd, &writefds);
}
else
{ /* BIO_should_io_special() */
FD_SET(fd, &readfds);
FD_SET(fd, &writefds);
}
tv.tv_sec = 10; // timeout
tv.tv_usec = 0;
err = select(fd + 1, &readfds, &writefds, NULL, &tv);
if (err < 0)
{
xerr("select() error");
goto cleanup;
}
if (err == 0)
{
char s[256];
safef(s, sizeof s, "connection timeout to %s", params->hostName);
xerr(s);
goto cleanup;
}
}
/* TODO checking certificates
if (certFile || certPath)
if (!check_cert(ssl, host))
return -1;
*/
/* we need to wait on both the user's socket and the BIO SSL socket
* to see if we need to ferry data from one to the other */
char sbuf[32768]; // socket buffer sv[1] to user
char bbuf[32768]; // bio buffer
int srd = 0;
int swt = 0;
int brd = 0;
int bwt = 0;
while (1)
{
// Do NOT move this outside the while loop.
/* Get underlying file descriptor, needed for select call */
fd = BIO_get_fd(sbio, NULL);
if (fd == -1)
{
xerr("BIO doesn't seem to be initialized in https, unable to get descriptor.");
goto cleanup;
}
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (brd == 0)
FD_SET(fd, &readfds);
if (swt < srd)
FD_SET(fd, &writefds);
if (srd == 0)
FD_SET(params->sv[1], &readfds);
tv.tv_sec = 10; // timeout
tv.tv_usec = 0;
err = select(max(fd,params->sv[1]) + 1, &readfds, &writefds, NULL, &tv);
/* Evaluate select() return code */
if (err < 0)
{
xerr("error during select()");
goto cleanup;
}
else if (err == 0)
{
/* Timed out - just quit */
xerr("https timeout expired");
goto cleanup;
}
else
{
if (FD_ISSET(params->sv[1], &readfds))
{
swt = 0;
srd = read(params->sv[1], sbuf, 32768);
if (srd == -1)
{
if (errno != 104) // udcCache often closes causing "Connection reset by peer"
xerrno("error reading https socket");
goto cleanup;
}
if (srd == 0)
break; // user closed socket, we are done
}
if (FD_ISSET(fd, &writefds))
{
int swtx = BIO_write(sbio, sbuf+swt, srd-swt);
if (swtx <= 0)
{
if (!BIO_should_write(sbio))
{
ERR_print_errors_fp(stderr);
xerr("Error writing SSL connection");
goto cleanup;
}
}
else
{
swt += swtx;
if (swt >= srd)
{
swt = 0;
srd = 0;
}
}
}
if (FD_ISSET(fd, &readfds))
{
bwt = 0;
brd = BIO_read(sbio, bbuf, 32768);
if (brd <= 0)
{
if (BIO_should_read(sbio))
{
brd = 0;
continue;
}
else
{
if (brd == 0) break;
ERR_print_errors_fp(stderr);
xerr("Error reading SSL connection");
goto cleanup;
}
}
// write the https data received immediately back on socket to user, and it's ok if it blocks.
while(bwt < brd)
{
int bwtx = write(params->sv[1], bbuf+bwt, brd-bwt);
if (bwtx == -1)
{
if ((errno != 104) // udcCache often closes causing "Connection reset by peer"
&& (errno != 32)) // udcCache often closes causing "Broken pipe"
xerrno("error writing https data back to user socket");
goto cleanup;
}
bwt += bwtx;
}
brd = 0;
bwt = 0;
}
}
}
cleanup:
BIO_free_all(sbio);
close(params->sv[1]); /* we are done with it */
return NULL;
}
/**
* Run SSL handshake and store the resulting time value in the
* 'time_map'.
*
* @param time_map where to store the current time
* @param time_is_an_illusion
* @param http whether to do an http request and take the date from that
* instead.
*/
static void
run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
{
BIO *s_bio;
SSL_CTX *ctx;
SSL *ssl;
struct stat statbuf;
uint32_t result_time;
SSL_load_error_strings();
SSL_library_init();
ctx = NULL;
if (0 == strcmp("sslv23", protocol))
{
verb ("V: using SSLv23_client_method()");
ctx = SSL_CTX_new(SSLv23_client_method());
} else if (0 == strcmp("sslv3", protocol))
{
verb ("V: using SSLv3_client_method()");
ctx = SSL_CTX_new(SSLv3_client_method());
} else if (0 == strcmp("tlsv1", protocol))
{
verb ("V: using TLSv1_client_method()");
ctx = SSL_CTX_new(TLSv1_client_method());
} else
die("Unsupported protocol `%s'", protocol);
if (ctx == NULL)
die("OpenSSL failed to support protocol `%s'", protocol);
verb("V: Using OpenSSL for SSL");
if (ca_racket)
{
if (-1 == stat(ca_cert_container, &statbuf))
{
die("Unable to stat CA certficate container %s", ca_cert_container);
} else
{
switch (statbuf.st_mode & S_IFMT)
{
case S_IFREG:
if (1 != SSL_CTX_load_verify_locations(ctx, ca_cert_container, NULL))
fprintf(stderr, "SSL_CTX_load_verify_locations failed");
break;
case S_IFDIR:
if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
fprintf(stderr, "SSL_CTX_load_verify_locations failed");
break;
default:
if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
{
fprintf(stderr, "SSL_CTX_load_verify_locations failed");
die("Unable to load CA certficate container %s", ca_cert_container);
}
}
}
}
if (NULL == (s_bio = make_ssl_bio(ctx)))
die ("SSL BIO setup failed");
BIO_get_ssl(s_bio, &ssl);
if (NULL == ssl)
die ("SSL setup failed");
if (time_is_an_illusion)
{
SSL_set_info_callback(ssl, openssl_time_callback);
}
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
verb("V: opening socket to %s:%s", host, port);
if ( (1 != BIO_set_conn_hostname(s_bio, host)) ||
(1 != BIO_set_conn_port(s_bio, port)) )
die ("Failed to initialize connection to `%s:%s'", host, port);
if (NULL == BIO_new_fp(stdout, BIO_NOCLOSE))
die ("BIO_new_fp returned error, possibly: %s", strerror(errno));
// This should run in seccomp
// eg: prctl(PR_SET_SECCOMP, 1);
if (1 != BIO_do_connect(s_bio)) // XXX TODO: BIO_should_retry() later?
die ("SSL connection failed");
if (1 != BIO_do_handshake(s_bio))
die ("SSL handshake failed");
// from /usr/include/openssl/ssl3.h
// ssl->s3->server_random is an unsigned char of 32 bits
memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t));
verb("V: In TLS response, T=%lu", (unsigned long)ntohl(result_time));
if (http) {
char buf[1024];
verb_debug ("V: Starting HTTP");
if (snprintf(buf, sizeof(buf),
HTTP_REQUEST, HTTPS_USER_AGENT, hostname_to_verify) >= 1024)
die("hostname too long");
buf[1023]='\0'; /* Unneeded. */
verb_debug ("V: Writing HTTP request");
if (1 != write_all_to_bio(s_bio, buf))
die ("write all to bio failed.");
verb_debug ("V: Reading HTTP response");
if (1 != read_http_date_from_bio(s_bio, &result_time))
die ("read all from bio failed.");
verb ("V: Received HTTP response. T=%lu", (unsigned long)result_time);
result_time = htonl(result_time);
}
// Verify the peer certificate against the CA certs on the local system
if (ca_racket) {
inspect_key (ssl, hostname_to_verify);
} else {
verb ("V: Certificate verification skipped!");
}
check_key_length(ssl);
memcpy(time_map, &result_time, sizeof (uint32_t));
SSL_free(ssl);
SSL_CTX_free(ctx);
}
int main(int argc, char *argv[]) {
if (argc < 4) {
printf("UNSUPPORTED"); //for now at least
return 3;
}
BIO *sbio;
SSL_CTX *ssl_ctx;
SSL *ssl;
X509 *cert;
int returncode = 0;
char url[256]; sprintf(url, "%s:%s", argv[1], argv[2]);
char ca_bundle[256]; strcpy(ca_bundle, argv[3]);
//init:
SSL_library_init();
SSL_load_error_strings();
ssl_ctx = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
if (SSL_CTX_load_verify_locations(ssl_ctx, ca_bundle, NULL) != 1) {
printf("Couldn't load certificate trust store.");
returncode=1;
goto end;
} else {
goto connect;
}
connect:
sbio = BIO_new_ssl_connect(ssl_ctx);
BIO_get_ssl(sbio, &ssl);
if (!ssl) {
printf("Connection failed");
returncode=2;
goto connect_end;
}
SSL_set_tlsext_host_name(ssl, url);
BIO_set_conn_hostname(sbio, url);
if(SSL_do_handshake(ssl) <= 0 || !verify_cert_hostname(SSL_get_peer_certificate(ssl), argv[1])) {
printf ("VERIFY FAILURE");
} else {
printf ("VERIFY SUCCESS");
}
X509_free(cert);
BIO_ssl_shutdown(sbio);
connect_end:
BIO_free_all(sbio);
end:
SSL_CTX_free(ssl_ctx);
EVP_cleanup();
ERR_free_strings();
return returncode;
}
Status getTLSCertificate(std::string hostname, QueryData& results) {
SSL_library_init();
const auto method = TLSv1_method();
if (method == nullptr) {
return Status(1, "Failed to create OpenSSL method object");
}
auto delCTX = [](SSL_CTX* ctx) { SSL_CTX_free(ctx); };
auto ctx =
std::unique_ptr<SSL_CTX, decltype(delCTX)>(SSL_CTX_new(method), delCTX);
if (ctx == nullptr) {
return Status(1, "Failed to create OpenSSL CTX object");
}
auto delBIO = [](BIO* bio) { BIO_free_all(bio); };
auto server = std::unique_ptr<BIO, decltype(delBIO)>(
BIO_new_ssl_connect(ctx.get()), delBIO);
if (server == nullptr) {
return Status(1, "Failed to create OpenSSL BIO object");
}
std::string port = ":443";
auto ext_hostname = hostname;
auto conn_hostname = hostname;
auto delim = hostname.find(":");
if (delim == std::string::npos) {
conn_hostname += ":443";
} else {
ext_hostname = hostname.substr(0, delim);
}
auto ret = BIO_set_conn_hostname(server.get(), conn_hostname.c_str());
if (ret != 1) {
return Status(1, "Failed to set OpenSSL hostname: " + std::to_string(ret));
}
SSL* ssl = nullptr;
BIO_get_ssl(server.get(), &ssl);
if (ssl == nullptr) {
return Status(1, "Failed to retrieve OpenSSL object");
}
ret = SSL_set_tlsext_host_name(ssl, ext_hostname.c_str());
if (ret != 1) {
return Status(1,
"Failed to set OpenSSL server name: " + std::to_string(ret));
}
ret = BIO_do_connect(server.get());
if (ret != 1) {
return Status(1,
"Failed to establish TLS connection: " + std::to_string(ret));
}
ret = BIO_do_handshake(server.get());
if (ret != 1) {
return Status(1,
"Failed to complete TLS handshake: " + std::to_string(ret));
}
auto delX509 = [](X509* cert) { X509_free(cert); };
auto cert = std::unique_ptr<X509, decltype(delX509)>(
SSL_get_peer_certificate(ssl), delX509);
if (cert == nullptr) {
return Status(1, "No certificate");
}
Row r;
r["hostname"] = hostname;
fillRow(r, cert.get());
results.push_back(r);
return Status();
}
