int main(int argc, char **argv)
{
int port = 0;
int messagenumber = 5;
char local_addr[256];
int c;
int mclient = 1;
char peer_address[129] = "\0";
int peer_port = PEER_DEFAULT_PORT;
char rest_api_separator = ':';
int use_null_cipher=0;
set_logfile("stdout");
set_execdir();
set_system_parameters(0);
ns_bzero(local_addr, sizeof(local_addr));
while ((c = getopt(argc, argv, "a:d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:o:bZvsyhcxXgtTSAPDNOUMRIGBJ")) != -1) {
switch (c){
case 'J': {
oauth = 1;
oauth_key_data okd_array[3];
convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
convert_oauth_key_data_raw(&okdr_array[2], &okd_array[2]);
char err_msg[1025] = "\0";
size_t err_msg_size = sizeof(err_msg) - 1;
if (convert_oauth_key_data(&okd_array[0], &okey_array[0], err_msg, err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
exit(-1);
}
if (convert_oauth_key_data(&okd_array[1], &okey_array[1], err_msg, err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
exit(-1);
}
if (convert_oauth_key_data(&okd_array[2], &okey_array[2], err_msg, err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
exit(-1);
}
}
break;
case 'a':
bps = (band_limit_t)strtoul(optarg,NULL,10);
break;
case 'o':
STRCPY(origin,optarg);
break;
case 'B':
random_disconnect = 1;
break;
case 'G':
extra_requests = 1;
break;
case 'F':
STRCPY(cipher_suite,optarg);
break;
case 'I':
no_permissions = 1;
break;
case 'M':
mobility = 1;
break;
case 'E':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(ca_cert_file,fn);
}
break;
case 'O':
dos = 1;
break;
case 'C':
rest_api_separator=*optarg;
break;
case 'D':
mandatory_channel_padding = 1;
break;
case 'N':
negative_test = 1;
break;
case 'R':
negative_protocol_test = 1;
break;
case 'z':
RTP_PACKET_INTERVAL = atoi(optarg);
break;
case 'Z':
dual_allocation = 1;
break;
case 'u':
STRCPY(g_uname, optarg);
break;
case 'w':
STRCPY(g_upwd, optarg);
break;
case 'g':
dont_fragment = 1;
break;
case 'd':
STRCPY(client_ifname, optarg);
break;
case 'x':
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
break;
case 'X':
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4;
break;
case 'l':
clmessage_length = atoi(optarg);
break;
case 's':
do_not_use_channel = 1;
break;
case 'n':
messagenumber = atoi(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'L':
STRCPY(local_addr, optarg);
break;
case 'e':
STRCPY(peer_address, optarg);
break;
case 'r':
peer_port = atoi(optarg);
break;
case 'v':
clnet_verbose = TURN_VERBOSE_NORMAL;
break;
case 'h':
hang_on = 1;
break;
case 'c':
no_rtcp = 1;
break;
case 'm':
mclient = atoi(optarg);
break;
case 'y':
c2c = 1;
break;
case 't':
use_tcp = 1;
break;
case 'b':
use_sctp = 1;
use_tcp = 1;
break;
case 'P':
passive_tcp = 1;
/* implies 'T': */
/* no break */
case 'T':
relay_transport = STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE;
break;
case 'U':
use_null_cipher = 1;
/* implies 'S' */
/* no break */
case 'S':
use_secure = 1;
break;
case 'W':
g_use_auth_secret_with_timestamp = 1;
STRCPY(g_auth_secret,optarg);
break;
case 'i':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(cert_file,fn);
free(fn);
}
break;
case 'k':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(pkey_file,fn);
free(fn);
}
break;
default:
fprintf(stderr, "%s\n", Usage);
exit(1);
}
}
if(dual_allocation) {
no_rtcp = 1;
}
if(g_use_auth_secret_with_timestamp) {
{
char new_uname[1025];
const unsigned long exp_time = 3600 * 24; /* one day */
if(g_uname[0]) {
snprintf(new_uname,sizeof(new_uname),"%lu%c%s",(unsigned long)time(NULL) + exp_time,rest_api_separator, (char*)g_uname);
} else {
snprintf(new_uname,sizeof(new_uname),"%lu", (unsigned long)time(NULL) + exp_time);
}
STRCPY(g_uname,new_uname);
}
{
u08bits hmac[MAXSHASIZE];
unsigned int hmac_len;
switch(shatype) {
case SHATYPE_SHA256:
hmac_len = SHA256SIZEBYTES;
break;
case SHATYPE_SHA384:
hmac_len = SHA384SIZEBYTES;
break;
case SHATYPE_SHA512:
hmac_len = SHA512SIZEBYTES;
break;
default:
hmac_len = SHA1SIZEBYTES;
};
hmac[0]=0;
if(stun_calculate_hmac(g_uname, strlen((char*)g_uname), (u08bits*)g_auth_secret, strlen(g_auth_secret), hmac, &hmac_len, shatype)>=0) {
size_t pwd_length = 0;
char *pwd = base64_encode(hmac,hmac_len,&pwd_length);
if(pwd) {
if(pwd_length>0) {
ns_bcopy(pwd,g_upwd,pwd_length);
g_upwd[pwd_length]=0;
}
}
free(pwd);
}
}
}
if(is_TCP_relay()) {
dont_fragment = 0;
no_rtcp = 1;
c2c = 1;
use_tcp = 1;
do_not_use_channel = 1;
}
if(port == 0) {
if(use_secure)
port = DEFAULT_STUN_TLS_PORT;
else
port = DEFAULT_STUN_PORT;
}
if (clmessage_length < (int) sizeof(message_info))
clmessage_length = (int) sizeof(message_info);
const int max_header = 100;
if(clmessage_length > (int)(STUN_BUFFER_SIZE-max_header)) {
fprintf(stderr,"Message length was corrected to %d\n",(STUN_BUFFER_SIZE-max_header));
clmessage_length = (int)(STUN_BUFFER_SIZE-max_header);
}
if (optind >= argc) {
fprintf(stderr, "%s\n", Usage);
exit(-1);
}
if (!c2c) {
if (make_ioa_addr((const u08bits*) peer_address, peer_port, &peer_addr) < 0) {
return -1;
}
if(peer_addr.ss.sa_family == AF_INET6) {
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
} else if(peer_addr.ss.sa_family == AF_INET) {
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4;
}
}
/* SSL Init ==>> */
if(use_secure) {
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
const char *csuite = "ALL"; //"AES256-SHA" "DH"
if(use_null_cipher)
csuite = "eNULL";
else if(cipher_suite[0])
csuite=cipher_suite;
if(use_tcp) {
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if TLSv1_1_SUPPORTED
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if TLSv1_2_SUPPORTED
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_2_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#endif
#endif
} else {
#if !DTLS_SUPPORTED
fprintf(stderr,"ERROR: DTLS is not supported.\n");
exit(-1);
#else
if(OPENSSL_VERSION_NUMBER < 0x10000000L) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is rather old, DTLS may not be working correctly.\n");
}
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if DTLSv1_2_SUPPORTED
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_2_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#endif
#endif
}
int sslind = 0;
for(sslind = 0; sslind<root_tls_ctx_num; sslind++) {
if(cert_file[0]) {
if (!SSL_CTX_use_certificate_chain_file(root_tls_ctx[sslind], cert_file)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no certificate found!\n");
exit(-1);
}
}
if (!SSL_CTX_use_PrivateKey_file(root_tls_ctx[sslind], pkey_file,
SSL_FILETYPE_PEM)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no private key found!\n");
exit(-1);
}
if(cert_file[0]) {
if (!SSL_CTX_check_private_key(root_tls_ctx[sslind])) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: invalid private key!\n");
exit(-1);
}
}
if (ca_cert_file[0]) {
if (!SSL_CTX_load_verify_locations(root_tls_ctx[sslind], ca_cert_file, NULL )) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"ERROR: cannot load CA from file: %s\n",
ca_cert_file);
}
/* Set to require peer (client) certificate verification */
SSL_CTX_set_verify(root_tls_ctx[sslind], SSL_VERIFY_PEER, NULL );
/* Set the verification depth to 9 */
SSL_CTX_set_verify_depth(root_tls_ctx[sslind], 9);
} else {
SSL_CTX_set_verify(root_tls_ctx[sslind], SSL_VERIFY_NONE, NULL );
}
if(!use_tcp)
SSL_CTX_set_read_ahead(root_tls_ctx[sslind], 1);
}
}
start_mclient(argv[optind], port, client_ifname, local_addr, messagenumber, mclient);
return 0;
}
BOOL tls_accept(rdpTls* tls, const char* cert_file, const char* privatekey_file)
{
CryptoCert cert;
long options = 0;
int connection_status;
tls->ctx = SSL_CTX_new(SSLv23_server_method());
if (tls->ctx == NULL)
{
fprintf(stderr, "SSL_CTX_new failed\n");
return FALSE;
}
/*
* SSL_OP_NO_SSLv2:
*
* We only want SSLv3 and TLSv1, so disable SSLv2.
* SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
*/
options |= SSL_OP_NO_SSLv2;
/**
* SSL_OP_NO_COMPRESSION:
*
* The Microsoft RDP server does not advertise support
* for TLS compression, but alternative servers may support it.
* This was observed between early versions of the FreeRDP server
* and the FreeRDP client, and caused major performance issues,
* which is why we're disabling it.
*/
#ifdef SSL_OP_NO_COMPRESSION
options |= SSL_OP_NO_COMPRESSION;
#endif
/**
* SSL_OP_TLS_BLOCK_PADDING_BUG:
*
* The Microsoft RDP server does *not* support TLS padding.
* It absolutely needs to be disabled otherwise it won't work.
*/
options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
/**
* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
*
* Just like TLS padding, the Microsoft RDP server does not
* support empty fragments. This needs to be disabled.
*/
options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
SSL_CTX_set_options(tls->ctx, options);
if (SSL_CTX_use_RSAPrivateKey_file(tls->ctx, privatekey_file, SSL_FILETYPE_PEM) <= 0)
{
fprintf(stderr, "SSL_CTX_use_RSAPrivateKey_file failed\n");
fprintf(stderr, "PrivateKeyFile: %s\n", privatekey_file);
return FALSE;
}
tls->ssl = SSL_new(tls->ctx);
if (!tls->ssl)
{
fprintf(stderr, "SSL_new failed\n");
return FALSE;
}
if (SSL_use_certificate_file(tls->ssl, cert_file, SSL_FILETYPE_PEM) <= 0)
{
fprintf(stderr, "SSL_use_certificate_file failed\n");
return FALSE;
}
if (SSL_set_fd(tls->ssl, tls->sockfd) < 1)
{
fprintf(stderr, "SSL_set_fd failed\n");
return FALSE;
}
while (1)
{
connection_status = SSL_accept(tls->ssl);
if (connection_status <= 0)
{
switch (SSL_get_error(tls->ssl, connection_status))
{
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
break;
default:
if (tls_print_error("SSL_accept", tls->ssl, connection_status))
return FALSE;
break;
}
}
else
{
break;
}
}
cert = tls_get_certificate(tls, FALSE);
if (!cert)
{
fprintf(stderr, "tls_connect: tls_get_certificate failed to return the server certificate.\n");
return FALSE;
}
if (!crypto_cert_get_public_key(cert, &tls->PublicKey, &tls->PublicKeyLength))
{
fprintf(stderr, "tls_connect: crypto_cert_get_public_key failed to return the server public key.\n");
tls_free_certificate(cert);
return FALSE;
}
free(cert);
fprintf(stderr, "TLS connection accepted\n");
return TRUE;
}
void main()
{
int err;
int verify_client = OFF; /* To verify a client certificate, set ON */
int listen_sock;
int sock;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
size_t client_len;
char *str;
char buf[4096];
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
X509 *client_cert = NULL;
short int s_port = 5555;
/*----------------------------------------------------------------*/
/* Load encryption & hashing algorithms for the SSL program */
SSL_library_init();
/* Load the error strings for SSL & CRYPTO APIs */
SSL_load_error_strings();
/* Create a SSL_METHOD structure (choose a SSL/TLS protocol version) */
meth = SSLv3_method();
/* Create a SSL_CTX structure */
ctx = SSL_CTX_new(meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Load the server certificate into the SSL_CTX structure */
if (SSL_CTX_use_certificate_file(ctx, RSA_SERVER_CERT, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Load the private-key corresponding to the server certificate */
if (SSL_CTX_use_PrivateKey_file(ctx, RSA_SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Check if the server certificate and private-key matches */
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(1);
}
if(verify_client == ON)
{
/* Load the RSA CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(ctx, RSA_SERVER_CA_CERT, NULL)) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Set to require peer (client) certificate verification */
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
/* Set the verification depth to 1 */
SSL_CTX_set_verify_depth(ctx,1);
}
/* ----------------------------------------------- */
/* Set up a TCP socket */
listen_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
RETURN_ERR(listen_sock, "socket");
memset (&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (s_port); /* Server Port number */
err = bind(listen_sock, (struct sockaddr*)&sa_serv,sizeof(sa_serv));
RETURN_ERR(err, "bind");
/* Wait for an incoming TCP connection. */
err = listen(listen_sock, 5);
RETURN_ERR(err, "listen");
client_len = sizeof(sa_cli);
/* Socket for a TCP/IP connection is created */
sock = accept(listen_sock, (struct sockaddr*)&sa_cli, &client_len);
RETURN_ERR(sock, "accept");
close (listen_sock);
printf ("Connection from %lx, port %x\n", sa_cli.sin_addr.s_addr,
sa_cli.sin_port);
/* ----------------------------------------------- */
/* TCP connection is ready. */
/* A SSL structure is created */
ssl = SSL_new(ctx);
RETURN_NULL(ssl);
/* Assign the socket into the SSL structure (SSL and socket without BIO) */
SSL_set_fd(ssl, sock);
/* Perform SSL Handshake on the SSL server */
err = SSL_accept(ssl);
RETURN_SSL(err);
/* Informational output (optional) */
printf("SSL connection using %s\n", SSL_get_cipher (ssl));
if (verify_client == ON)
{
/* Get the client's certificate (optional) */
client_cert = SSL_get_peer_certificate(ssl);
if (client_cert != NULL)
{
printf ("Client certificate:\n");
str = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);
RETURN_NULL(str);
printf ("\t subject: %s\n", str);
free (str);
str = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);
RETURN_NULL(str);
printf ("\t issuer: %s\n", str);
free (str);
X509_free(client_cert);
}
else
printf("The SSL client does not have certificate.\n");
}
/*------- DATA EXCHANGE - Receive message and send reply. -------*/
/* Receive data from the SSL client */
err = SSL_read(ssl, buf, sizeof(buf) - 1);
RETURN_SSL(err);
buf[err] = '\0';
printf ("Received %d chars:'%s'\n", err, buf);
/* Send data to the SSL client */
err = SSL_write(ssl, "This message is from the SSL server",
strlen("This message is from the SSL server"));
RETURN_SSL(err);
/*--------------- SSL closure ---------------*/
/* Shutdown this side (server) of the connection. */
err = SSL_shutdown(ssl);
RETURN_SSL(err);
/* Terminate communication on a socket */
err = close(sock);
RETURN_ERR(err, "close");
/* Free the SSL structure */
SSL_free(ssl);
/* Free the SSL_CTX structure */
SSL_CTX_free(ctx);
}
/* The program expects at most four arguments: host in IP format, port
* number to connect to, proxy in IP format and proxy port number.
* If last two are specified, host can be in any format proxy will
* understand (since this is an example for SSL programming, host name
* resolving code is left out).
*
* Default values are "127.0.0.1", 443. If any proxy parameter is
* omitted, the program will connect directly to the host.
*/
int main(int argc, char *argv[])
{
char buffer[4096]; /* This should be dynamically allocated */
const char *request = "GET / HTTP/1.0\r\n\r\n";
BOOL is_ok = FALSE;
X509 *server_cert;
SSL_CTX *ctx;
BIO *bio_err;
SSL *ssl;
if (Init())
{
/* Basic intialization. Next few steps (up to SSL_new()) need
* to be done only once per AmiSSL opener.
*/
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
/* Note: BIO writing routines are prepared for NULL BIO handle */
if((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp_amiga(bio_err, GetStdErr(), BIO_NOCLOSE | BIO_FP_TEXT);
/* Get a new SSL context */
if((ctx = SSL_CTX_new(SSLv23_client_method())) != NULL)
{
/* Basic certificate handling. OpenSSL documentation has more
* information on this.
*/
SSL_CTX_set_default_verify_paths(ctx);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
/* The following needs to be done once per socket */
if((ssl = SSL_new(ctx)) != NULL)
{
int sock;
/* Connect to the HTTPS server, directly or through a proxy */
if (argc > 4)
sock = ConnectToServer(argv[1], atol(argv[2]), argv[3],
atol(argv[4]));
else
sock = ConnectToServer(argv[1] ? argv[1] : (char *)"127.0.0.1",
argc > 2 ? atol(argv[2]) : 443,
NULL, 0);
/* Check if connection was established */
if (sock >= 0)
{
int ssl_err = 0;
/* Associate the socket with the ssl structure */
SSL_set_fd(ssl, sock);
/* Perform SSL handshake */
if((ssl_err = SSL_connect(ssl)) >= 0)
{
Printf("SSL connection using %s\n", SSL_get_cipher(ssl));
/* Certificate checking. This example is *very* basic */
if((server_cert = SSL_get_peer_certificate(ssl)))
{
char *str;
Printf("Server certificate:\n");
if((str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0)))
{
Printf("\tSubject: %s\n", str);
OPENSSL_free(str);
}
else
FPrintf(GetStdErr(), "Warning: couldn't read subject name in certificate!\n");
if((str = X509_NAME_oneline(X509_get_issuer_name(server_cert),
0, 0)) != NULL)
{
Printf("\tIssuer: %s\n", str);
OPENSSL_free(str);
}
else
FPrintf(GetStdErr(), "Warning: couldn't read issuer name in certificate!\n");
X509_free(server_cert);
/* Send a HTTP request. Again, this is just
* a very basic example.
*/
if ((ssl_err = SSL_write(ssl, request, strlen(request)))
> 0)
{
/* Dump everything to output */
while ((ssl_err = SSL_read(ssl, buffer,
sizeof(buffer) - 1))
> 0)
FWrite(Output(), buffer, ssl_err, 1);
FFlush(Output());
/* This is not entirely true, check
* the SSL_read documentation
*/
is_ok = ssl_err == 0;
}
else
FPrintf(GetStdErr(), "Couldn't write request!\n");
}
else
FPrintf(GetStdErr(), "Couldn't get server certificate!\n");
}
else
FPrintf(GetStdErr(), "Couldn't establish SSL connection!\n");
/* If there were errors, print them */
if (ssl_err < 0)
ERR_print_errors(bio_err);
/* Send SSL close notification and close the socket */
SSL_shutdown(ssl);
CloseSocket(sock);
}
else
FPrintf(GetStdErr(), "Couldn't connect to host!\n");
FPrintf(GetStdErr(), "before SSL_free()\n");
SSL_free(ssl);
}
else
FPrintf(GetStdErr(), "Couldn't create new SSL handle!\n");
FPrintf(GetStdErr(), "before SSL_CTX_free()\n");
SSL_CTX_free(ctx);
}
else
FPrintf(GetStdErr(), "Couldn't create new context!\n");
FPrintf(GetStdErr(), "before Cleanup()\n");
Cleanup();
}
FPrintf(GetStdErr(), "before end of main()\n");
return(is_ok ? RETURN_OK : RETURN_ERROR);
}
static void sl_ssl_server (void){
// create an ssl object and return the memory managed type back to
// SLang. It needs the file descriptor of the object upon which
// communication will occur, and the protocol to use
//
// this is the server, so it also needs the certfile and private key
SSL_CTX *ctx;
SSL *ssl;
int proto, pkey_type, cert_type;
SLang_MMT_Type *sslmmt;
SLFile_FD_Type *slfd;
SLsslctx_Type *slctx;
char *pkey=NULL, *cert=NULL;
if (SLang_pop_slstring(&pkey) == -1 ||
SLang_pop_slstring(&cert) == -1 ||
SLang_pop_integer(&proto) == -1){
goto free;
return;
}
if (proto==SSL_PROTO_SSL2)
ctx = SSL_CTX_new(SSLv23_server_method());
else if (proto==SSL_PROTO_SSL3)
ctx = SSL_CTX_new(SSLv3_server_method());
else if (proto==SSL_PROTO_TLS1)
ctx = SSL_CTX_new(TLSv1_server_method());
else if (proto==SSL_PROTO_ANY)
ctx = SSL_CTX_new(SSLv23_server_method());
// now add the cert file an private key
if (1!=SSL_CTX_use_certificate_file(ctx,cert,SSL_FILETYPE_PEM))
if (1!=SSL_CTX_use_certificate_file(ctx,cert,SSL_FILETYPE_ASN1)){
SLang_verror(0,"Could not load certificate file");
goto free;
}
if (1!=SSL_CTX_use_PrivateKey_file(ctx,pkey,SSL_FILETYPE_PEM))
if (1!=SSL_CTX_use_PrivateKey_file(ctx,pkey,SSL_FILETYPE_ASN1)){
SLang_verror(0,"Could not load private key");
goto free;
}
if (1!=SSL_CTX_check_private_key(ctx)){
SLang_verror(0,"Certificate and private keys do not match");
goto free;
}
slctx = (SLsslctx_Type *)malloc(sizeof(SLsslctx_Type));
slctx->is_server = 1;
slctx->ctx = (void *)ctx;
sslmmt = SLang_create_mmt(SLsslctx_Type_Id, (VOID_STAR) slctx);
if (0!=SLang_push_mmt(sslmmt))
SLang_free_mmt(sslmmt);
free:
if (NULL!=pkey)
SLang_free_slstring(pkey);
if (NULL!=cert)
SLang_free_slstring(cert);
}
/*
* Create a new TLS_CONTEXT instance.
* Returns: Pointer to TLS_CONTEXT instance on success
* NULL on failure;
*/
TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
const char *certfile, const char *keyfile,
CRYPTO_PEM_PASSWD_CB *pem_callback,
const void *pem_userdata, const char *dhfile,
bool verify_peer)
{
TLS_CONTEXT *ctx;
BIO *bio;
DH *dh;
ctx = (TLS_CONTEXT *)malloc(sizeof(TLS_CONTEXT));
/* Allocate our OpenSSL TLSv1 Context */
ctx->openssl = SSL_CTX_new(TLSv1_method());
if (!ctx->openssl) {
openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
goto err;
}
/* Set up pem encryption callback */
if (pem_callback) {
ctx->pem_callback = pem_callback;
ctx->pem_userdata = pem_userdata;
} else {
ctx->pem_callback = crypto_default_pem_callback;
ctx->pem_userdata = NULL;
}
SSL_CTX_set_default_passwd_cb(ctx->openssl, tls_pem_callback_dispatch);
SSL_CTX_set_default_passwd_cb_userdata(ctx->openssl, (void *) ctx);
/*
* Set certificate verification paths. This requires that at least one
* value be non-NULL
*/
if (ca_certfile || ca_certdir) {
if (!SSL_CTX_load_verify_locations(ctx->openssl, ca_certfile, ca_certdir)) {
openssl_post_errors(M_FATAL, _("Error loading certificate verification stores"));
goto err;
}
} else if (verify_peer) {
/* At least one CA is required for peer verification */
Jmsg0(NULL, M_ERROR, 0, _("Either a certificate file or a directory must be"
" specified as a verification store\n"));
goto err;
}
/*
* Load our certificate file, if available. This file may also contain a
* private key, though this usage is somewhat unusual.
*/
if (certfile) {
if (!SSL_CTX_use_certificate_chain_file(ctx->openssl, certfile)) {
openssl_post_errors(M_FATAL, _("Error loading certificate file"));
goto err;
}
}
/* Load our private key. */
if (keyfile) {
if (!SSL_CTX_use_PrivateKey_file(ctx->openssl, keyfile, SSL_FILETYPE_PEM)) {
openssl_post_errors(M_FATAL, _("Error loading private key"));
goto err;
}
}
/* Load Diffie-Hellman Parameters. */
if (dhfile) {
if (!(bio = BIO_new_file(dhfile, "r"))) {
openssl_post_errors(M_FATAL, _("Unable to open DH parameters file"));
goto err;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (!dh) {
openssl_post_errors(M_FATAL, _("Unable to load DH parameters from specified file"));
goto err;
}
if (!SSL_CTX_set_tmp_dh(ctx->openssl, dh)) {
openssl_post_errors(M_FATAL, _("Failed to set TLS Diffie-Hellman parameters"));
DH_free(dh);
goto err;
}
/* Enable Single-Use DH for Ephemeral Keying */
SSL_CTX_set_options(ctx->openssl, SSL_OP_SINGLE_DH_USE);
}
if (SSL_CTX_set_cipher_list(ctx->openssl, TLS_DEFAULT_CIPHERS) != 1) {
Jmsg0(NULL, M_ERROR, 0,
_("Error setting cipher list, no valid ciphers available\n"));
goto err;
}
/* Verify Peer Certificate */
if (verify_peer) {
/* SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in client mode */
SSL_CTX_set_verify(ctx->openssl,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
openssl_verify_peer);
}
return ctx;
err:
/* Clean up after ourselves */
if(ctx->openssl) {
SSL_CTX_free(ctx->openssl);
}
free(ctx);
return NULL;
}
extern SSL_CTX *
MakeSSL_CTX(
char *key,
char *cert,
char *cafile,
char *capath,
char *ciphers)
{
SSL_CTX *ctx = NULL;
int mode = SSL_VERIFY_NONE;
if ((ctx = SSL_CTX_new(SSLv23_method())) == NULL){
SSL_Error(_d("SSL_CTX_new failure:\n %s\n"), GetSSLErrorString());
return NULL;
}
SSL_CTX_set_default_passwd_cb(ctx, passphrase_callback);
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)ASKPASS_PROMPT);
if (!SSL_CTX_set_cipher_list(ctx, ciphers)){
SSL_Error(_d("SSL_CTX_set_cipher_list(%s) failure:\n %s\n"),
ciphers, GetSSLErrorString());
SSL_CTX_free(ctx);
return NULL;
}
mode = SSL_VERIFY_PEER;
mode |= SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify(ctx, mode, RemoteVerifyCallBack);
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if ((cafile == NULL) && (capath == NULL)){
if (!SSL_CTX_set_default_verify_paths(ctx)){
SSL_Error(_d("SSL_CTX_set_default_verify_paths error:\n %s\n"),
GetSSLErrorString());
}
}
else if (!SSL_CTX_load_verify_locations(ctx, cafile, capath)){
if (cafile == NULL) cafile = capath;
SSL_Error(_d("SSL_CTX_load_verify_locations(%s)\n"), cafile);
SSL_CTX_free(ctx);
return NULL;
}
if (cert != NULL){
if (IsPKCS12(cert)){
if (LoadPKCS12(ctx, cert)){
return ctx;
}
else {
SSL_CTX_free(ctx);
return NULL;
}
}
else {
if (SSL_CTX_use_certificate_file_with_check(ctx, cert, SSL_FILETYPE_PEM) <= 0){
SSL_Error(_d("SSL_CTX_use_certificate_file(%s) failure:\n %s\n"),
cert, GetSSLErrorString());
SSL_CTX_free(ctx);
return NULL;
}
if (key == NULL) key = cert;
for (;;){
if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0){
int err_reason;
err_reason = ERR_GET_REASON(ERR_peek_error());
SSL_Error(_d("SSL_CTX_use_PrivateKey_file(%s) failure:\n %s\n"),
key, GetSSLErrorString());
if (err_reason == PEM_R_BAD_DECRYPT ||
err_reason == EVP_R_BAD_DECRYPT) continue;
SSL_CTX_free(ctx);
return NULL;
}
break;
}
if (!SSL_CTX_check_private_key(ctx)){
SSL_Error(_d("SSL_CTX_check_private_key failure:\n %s\n"),
GetSSLErrorString());
SSL_CTX_free(ctx);
return NULL;
}
}
} else {
SSL_Error(_d("Please specify certificate file"));
return NULL;
}
return ctx;
}
SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
pCtx (NULL),
PrivateKey (NULL),
Certificate (NULL)
{
/* TODO: the usage of the specified private-key and cert-chain filenames only applies to
* client-side connections at this point. Server connections currently use the default materials.
* That needs to be fixed asap.
* Also, in this implementation, server-side connections use statically defined X-509 defaults.
* One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
* objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
*/
if (!bLibraryInitialized) {
bLibraryInitialized = true;
SSL_library_init();
OpenSSL_add_ssl_algorithms();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
ERR_load_crypto_strings();
InitializeDefaultCredentials();
}
bIsServer = is_server;
pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
if (!pCtx)
throw std::runtime_error ("no SSL context");
SSL_CTX_set_options (pCtx, SSL_OP_ALL);
//SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
if (is_server) {
// The SSL_CTX calls here do NOT allocate memory.
int e;
if (privkeyfile.length() > 0)
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
else
e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
assert (e > 0);
if (certchainfile.length() > 0)
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
else
e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
assert (e > 0);
}
SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
if (is_server) {
SSL_CTX_sess_set_cache_size (pCtx, 128);
SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
}
else {
int e;
if (privkeyfile.length() > 0) {
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
assert (e > 0);
}
if (certchainfile.length() > 0) {
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
assert (e > 0);
}
}
}
static int tport_ws_init_primary_secure(tport_primary_t *pri,
tp_name_t tpn[1],
su_addrinfo_t *ai,
tagi_t const *tags,
char const **return_culprit)
{
tport_ws_primary_t *wspri = (tport_ws_primary_t *)pri;
const char *cert = "/ssl.pem";
const char *key = "/ssl.pem";
char *homedir;
char *tbf = NULL;
su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
char const *path = NULL;
int ret = -1;
su_home_auto(autohome, sizeof autohome);
tl_gets(tags,
TPTAG_CERTIFICATE_REF(path),
TAG_END());
if (!path) {
homedir = getenv("HOME");
if (!homedir)
homedir = "";
path = tbf = su_sprintf(autohome, "%s/.sip/auth", homedir);
}
if (path) {
key = su_sprintf(autohome, "%s/%s", path, "wss.key");
if (access(key, R_OK) != 0) key = NULL;
cert = su_sprintf(autohome, "%s/%s", path, "wss.crt");
if (access(cert, R_OK) != 0) cert = NULL;
if ( !key ) key = su_sprintf(autohome, "%s/%s", path, "wss.pem");
if ( !cert ) cert = su_sprintf(autohome, "%s/%s", path, "wss.pem");
if (access(key, R_OK) != 0) key = NULL;
if (access(cert, R_OK) != 0) cert = NULL;
}
init_ssl();
// OpenSSL_add_all_algorithms(); /* load & register cryptos */
// SSL_load_error_strings(); /* load all error messages */
wspri->ssl_method = SSLv23_server_method(); /* create server instance */
wspri->ssl_ctx = SSL_CTX_new((SSL_METHOD *)wspri->ssl_method); /* create context */
SSL_CTX_sess_set_remove_cb(wspri->ssl_ctx, NULL);
wspri->ws_secure = 1;
if ( !wspri->ssl_ctx ) goto done;
/* set the local certificate from CertFile */
SSL_CTX_use_certificate_file(wspri->ssl_ctx, cert, SSL_FILETYPE_PEM);
/* set the private key from KeyFile */
SSL_CTX_use_PrivateKey_file(wspri->ssl_ctx, key, SSL_FILETYPE_PEM);
/* verify private key */
if ( !SSL_CTX_check_private_key(wspri->ssl_ctx) ) {
goto done;
}
SSL_CTX_set_cipher_list(wspri->ssl_ctx, "HIGH:!DSS:!aNULL@STRENGTH");
ret = tport_ws_init_primary(pri, tpn, ai, tags, return_culprit);
done:
su_home_zap(autohome);
return ret;
}
int main( int argc, char **argv ) {
SSL_CTX *ctx = NULL;
SSL *session = NULL;
char *command = "HEAD / HTTP/1.0\r\n\r\n";
int s;
int status;
/* We first need to establish what sort of
* connection we know how to make. We can use one of
* SSLv23_client_method(), SSLv2_client_method() and
* SSLv3_client_method().
*/
SSL_METHOD *meth = SSLv23_client_method();
if (meth == NULL) { fprintf( stderr, "no method. :(\n" ); exit(1); }
/* This enables all ciphers in SSLeay, these include:
* DES, RC4, IDEA, RC2, Blowfish,
* MD2, SHA, DSA.
* See crypto/c_all.c
*/
SSLeay_add_all_algorithms();
/* Initialize the context. This is shared between SSL sessions
* and can do FH caching.
*/
ctx = SSL_CTX_new( meth );
if ( ctx == NULL ) { fprintf( stderr, "no context. :(\n" ); exit(1); }
/* Set up a callback for each state change so we can see what's
* going on */
SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
/* Set it up so tha we will connect to *any* site, regardless
* of their certificate. */
SSL_CTX_set_verify( ctx, SSL_VERIFY_NONE, my_dumb_callback );
/* MACRO. Set's CTX options. Not sure. I think this enables bug
* support hacks. */
SSL_CTX_set_options(ctx,SSL_OP_ALL);
/* Finally, we're all set so we can set up the session holder */
session = SSL_new( ctx );
if ( session == NULL ) { fprintf( stderr, "no session. :(\n" ); exit(1);}
/* Make connection s.t. s is the appropriate fd */
s = my_connect( (argc == 2) ? argv[1] : "bozo.mit.edu" , 443 );
/* Set up the SSL side of the connection */
SSL_set_fd( session, s );
status = SSL_connect( session );
/* Check the results. */
switch (SSL_get_error(session,status)) {
case SSL_ERROR_NONE:
/* Everything worked :-) */
break;
case SSL_ERROR_SSL:
fprintf( stderr, "ssl handshake failure\n" );
ERR_print_errors_fp(stderr);
goto byebye;
break;
/* These are for NON-BLOCKING I/O only! */
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
fprintf( stderr, "want read/write. Use blocking?\n" );
goto byebye; break;
case SSL_ERROR_WANT_CONNECT:
fprintf( stderr, "want connect. sleep a while, try again." );
goto byebye; break;
case SSL_ERROR_SYSCALL:
perror("SSL_connect");
goto byebye; break;
case SSL_ERROR_WANT_X509_LOOKUP:
/* not used! */
fprintf( stderr, "shouldn't be getting this.\n" );
break;
case SSL_ERROR_ZERO_RETURN:
fprintf( stderr, "connection closed.\n" );
goto byebye;
}
/* Send the request */
SSL_write( session, command, strlen(command) );
/* wait a second for processing. */
sleep(1);
/* read! :) */
while (1) {
char readdata[1024];
status = SSL_read( session, readdata, 1024 );
if ( status == 0 ) break;
if ( status < 0 ) { sleep(1); continue; }
fwrite( readdata, 1, status, stdout );
}
byebye:
/* close everything down */
SSL_shutdown(session);
close(s);
SSL_free( session ); session = NULL;
SSL_CTX_free(ctx);
return 0;
}
/*
* Fetches the resource denoted by |uri|.
*/
static void
fetch_uri(const struct URI *uri)
{
spdylay_session_callbacks callbacks;
int fd;
SSL_CTX *ssl_ctx;
SSL *ssl;
struct Request req;
struct Connection connection;
int rv;
nfds_t npollfds = 1;
struct pollfd pollfds[1];
uint16_t spdy_proto_version;
request_init(&req, uri);
setup_spdylay_callbacks(&callbacks);
/* Establish connection and setup SSL */
fd = connect_to(req.host, req.port);
if (-1 == fd)
abort ();
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if(ssl_ctx == NULL) {
dief("SSL_CTX_new", ERR_error_string(ERR_get_error(), NULL));
}
init_ssl_ctx(ssl_ctx, &spdy_proto_version);
ssl = SSL_new(ssl_ctx);
if(ssl == NULL) {
dief("SSL_new", ERR_error_string(ERR_get_error(), NULL));
}
/* To simplify the program, we perform SSL/TLS handshake in blocking
I/O. */
ssl_handshake(ssl, fd);
connection.ssl = ssl;
connection.want_io = IO_NONE;
/* Here make file descriptor non-block */
make_non_block(fd);
set_tcp_nodelay(fd);
spdylay_printf("[INFO] SPDY protocol version = %d\n", spdy_proto_version);
rv = spdylay_session_client_new(&connection.session, spdy_proto_version,
&callbacks, &connection);
if(rv != 0) {
diec("spdylay_session_client_new", rv);
}
/* Submit the HTTP request to the outbound queue. */
submit_request(&connection, &req);
pollfds[0].fd = fd;
ctl_poll(pollfds, &connection);
/* Event loop */
while(spdylay_session_want_read(connection.session) ||
spdylay_session_want_write(connection.session)) {
int nfds = poll(pollfds, npollfds, -1);
if(nfds == -1) {
dief("poll", strerror(errno));
}
if(pollfds[0].revents & (POLLIN | POLLOUT)) {
exec_io(&connection);
}
if((pollfds[0].revents & POLLHUP) || (pollfds[0].revents & POLLERR)) {
die("Connection error");
}
ctl_poll(pollfds, &connection);
}
/* Resource cleanup */
spdylay_session_del(connection.session);
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ssl_ctx);
shutdown(fd, SHUT_WR);
MHD_socket_close_ (fd);
request_free(&req);
}
/* DTLS-SRTP initialization */
gint janus_dtls_srtp_init(const char *server_pem, const char *server_key, const char *password) {
const char *crypto_lib = NULL;
#if JANUS_USE_OPENSSL_PRE_1_1_API
#if defined(LIBRESSL_VERSION_NUMBER)
crypto_lib = "LibreSSL";
#else
crypto_lib = "OpenSSL pre-1.1.0";
#endif
/* First of all make OpenSSL thread safe (see note above on issue #316) */
janus_dtls_locks = g_malloc0(sizeof(*janus_dtls_locks) * CRYPTO_num_locks());
int l=0;
for(l = 0; l < CRYPTO_num_locks(); l++) {
janus_mutex_init(&janus_dtls_locks[l]);
}
CRYPTO_THREADID_set_callback(janus_dtls_cb_openssl_threadid);
CRYPTO_set_locking_callback(janus_dtls_cb_openssl_lock);
#else
crypto_lib = "OpenSSL >= 1.1.0";
#endif
#ifdef HAVE_BORINGSSL
crypto_lib = "BoringSSL";
#endif
JANUS_LOG(LOG_INFO, "Crypto: %s\n", crypto_lib);
#ifndef HAVE_SRTP_AESGCM
JANUS_LOG(LOG_WARN, "The libsrtp installation does not support AES-GCM profiles\n");
#endif
/* Go on and create the DTLS context */
#if JANUS_USE_OPENSSL_PRE_1_1_API
ssl_ctx = SSL_CTX_new(DTLSv1_method());
#else
ssl_ctx = SSL_CTX_new(DTLS_method());
#endif
if(!ssl_ctx) {
JANUS_LOG(LOG_FATAL, "Ops, error creating DTLS context?\n");
return -1;
}
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, janus_dtls_verify_callback);
SSL_CTX_set_tlsext_use_srtp(ssl_ctx,
#ifdef HAVE_SRTP_AESGCM
"SRTP_AEAD_AES_256_GCM:SRTP_AEAD_AES_128_GCM:SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32");
#else
"SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32");
#endif
if(!server_pem && !server_key) {
JANUS_LOG(LOG_WARN, "No cert/key specified, autogenerating some...\n");
if(janus_dtls_generate_keys(&ssl_cert, &ssl_key) != 0) {
JANUS_LOG(LOG_FATAL, "Error generating DTLS key/certificate\n");
return -2;
}
} else if(!server_pem || !server_key) {
JANUS_LOG(LOG_FATAL, "DTLS certificate and key must be specified\n");
return -2;
} else if(janus_dtls_load_keys(server_pem, server_key, password, &ssl_cert, &ssl_key) != 0) {
return -3;
}
if(!SSL_CTX_use_certificate(ssl_ctx, ssl_cert)) {
JANUS_LOG(LOG_FATAL, "Certificate error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -4;
}
if(!SSL_CTX_use_PrivateKey(ssl_ctx, ssl_key)) {
JANUS_LOG(LOG_FATAL, "Certificate key error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -5;
}
if(!SSL_CTX_check_private_key(ssl_ctx)) {
JANUS_LOG(LOG_FATAL, "Certificate check error (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -6;
}
SSL_CTX_set_read_ahead(ssl_ctx,1);
unsigned int size;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
if(X509_digest(ssl_cert, EVP_sha256(), (unsigned char *)fingerprint, &size) == 0) {
JANUS_LOG(LOG_FATAL, "Error converting X509 structure (%s)\n", ERR_reason_error_string(ERR_get_error()));
return -7;
}
char *lfp = (char *)&local_fingerprint;
unsigned int i = 0;
for(i = 0; i < size; i++) {
g_snprintf(lfp, 4, "%.2X:", fingerprint[i]);
lfp += 3;
}
*(lfp-1) = 0;
JANUS_LOG(LOG_INFO, "Fingerprint of our certificate: %s\n", local_fingerprint);
SSL_CTX_set_cipher_list(ssl_ctx, DTLS_CIPHERS);
if(janus_dtls_bio_filter_init() < 0) {
JANUS_LOG(LOG_FATAL, "Error initializing BIO filter\n");
return -8;
}
/* Initialize libsrtp */
if(srtp_init() != srtp_err_status_ok) {
JANUS_LOG(LOG_FATAL, "Ops, error setting up libsrtp?\n");
return 5;
}
return 0;
}
int main(int argc, char **argv)
{
int port = 0;
int messagenumber = 5;
char local_addr[256];
char c;
int mclient = 1;
unsigned char ifname[1025] = "\0";
char peer_address[129] = "\0";
int peer_port = PEER_DEFAULT_PORT;
set_execdir();
srandom((unsigned int) time(NULL));
memset(local_addr, 0, sizeof(local_addr));
while ((c = getopt(argc, argv, "d:p:l:n:L:m:e:r:u:w:i:k:z:vsyhcxgtS")) != -1) {
switch (c){
case 'z':
RTP_PACKET_INTERVAL = atoi(optarg);
break;
case 'u':
STRCPY(g_uname, optarg);
break;
case 'w':
STRCPY(g_upwd, optarg);
break;
case 'g':
dont_fragment = 1;
break;
case 'd':
STRCPY(ifname, optarg);
break;
case 'x':
default_address_family
= STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
break;
case 'l':
clmessage_length = atoi(optarg);
break;
case 's':
use_send_method = 1;
break;
case 'n':
messagenumber = atoi(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'L':
STRCPY(local_addr, optarg);
break;
case 'e':
STRCPY(peer_address, optarg);
break;
case 'r':
peer_port = atoi(optarg);
break;
case 'v':
clnet_verbose = 1;
break;
case 'h':
hang_on = 1;
break;
case 'c':
no_rtcp = 1;
break;
case 'm':
mclient = atoi(optarg);
break;
case 'y':
c2c = 1;
break;
case 't':
use_tcp = 1;
break;
case 'S':
use_secure = 1;
break;
case 'i':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
strcpy(cert_file,fn);
free(fn);
break;
}
case 'k':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(pkey_file,fn);
free(fn);
break;
}
default:
fprintf(stderr, "%s\n", Usage);
exit(1);
}
}
if(port == 0) {
if(use_secure)
port = DEFAULT_STUN_TLS_PORT;
else
port = DEFAULT_STUN_PORT;
}
if (clmessage_length < (int) sizeof(message_info))
clmessage_length = (int) sizeof(message_info);
if (optind >= argc) {
fprintf(stderr, "%s\n", Usage);
exit(-1);
}
if (!c2c) {
if (make_ioa_addr((const u08bits*) peer_address, peer_port, &peer_addr) < 0)
return -1;
}
/* SSL Init ==>> */
if(use_secure) {
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
if(use_tcp) {
root_tls_ctx = SSL_CTX_new(TLSv1_client_method());
} else {
#if !defined(BIO_CTRL_DGRAM_QUERY_MTU)
fprintf(stderr,"ERROR: DTLS is not supported.\n");
exit(-1);
#else
if(OPENSSL_VERSION_NUMBER < 0x10000000L) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is rather old, DTLS may not be working correctly.\n");
}
root_tls_ctx = SSL_CTX_new(DTLSv1_client_method());
#endif
}
SSL_CTX_set_cipher_list(root_tls_ctx, "DEFAULT");
if (!SSL_CTX_use_certificate_file(root_tls_ctx, cert_file,
SSL_FILETYPE_PEM)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no certificate found!\n");
exit(-1);
}
if (!SSL_CTX_use_PrivateKey_file(root_tls_ctx, pkey_file,
SSL_FILETYPE_PEM)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no private key found!\n");
exit(-1);
}
if (!SSL_CTX_check_private_key(root_tls_ctx)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: invalid private key!\n");
exit(-1);
}
SSL_CTX_set_verify_depth(root_tls_ctx, 2);
SSL_CTX_set_read_ahead(root_tls_ctx, 1);
}
start_mclient(argv[optind], port, ifname, local_addr, messagenumber, mclient);
return 0;
}
int main(int argc, const char **argv)
{
bind_port = default_port;
char *cwd = init_process_title(argc, argv);
char *msg = NULL;
update_time();
if(getarg("cache-size")) {
msg = getarg("cache-size");
YAC_CACHE_SIZE = atoi(msg);
if(msg[strlen(msg) - 1] == 'm') {
YAC_CACHE_SIZE = YAC_CACHE_SIZE * 1024 * 1024;
} else if(msg[strlen(msg) - 1] == 'k') {
YAC_CACHE_SIZE = YAC_CACHE_SIZE * 1024;
}
}
if(YAC_CACHE_SIZE < 1024 * 1024 * 2) {
YAC_CACHE_SIZE = 1024 * 1024 * 2;
}
if(!yac_storage_startup(YAC_CACHE_SIZE / 16, YAC_CACHE_SIZE - (YAC_CACHE_SIZE / 16), &msg)) {
LOGF(ERR, "Shared memory allocator startup failed at '%s': %s", msg, strerror(errno));
exit(1);
}
lua_State *L = luaL_newstate();
if(!L) {
LOGF(ERR, "error for luaL_newstate");
exit(1);
}
luaL_openlibs(L);
lua_getglobal(L, "_VERSION");
const char *lua_ver = lua_tostring(L, -1);
lua_getglobal(L, "jit");
if(lua_istable(L, -1)) {
lua_getfield(L, -1, "version");
if(lua_isstring(L, -1)) {
lua_ver = lua_tostring(L, -1);
}
}
sprintf(hostname, "%s", lua_ver);
lua_close(L);
_L = luaL_newstate();
lua_gc(_L, LUA_GCSTOP, 0);
luaL_openlibs(_L); /* Load Lua libraries */
lua_gc(_L, LUA_GCRESTART, 0);
if(getarg("host-route")) {
lua_pushstring(_L, getarg("host-route"));
lua_setglobal(_L, "HOST_ROUTE");
}
if(!update_vhost_routes(getarg("host-route")) && !getarg("app")) {
LOGF(WARN, "no host-route or app arguments! using defalut settings.");
sprintf(tbuf_4096, "%s/host-route.lua", process_chdir);
update_vhost_routes(tbuf_4096);
}
if(getarg("code-cache-ttl")) { /// default = 60s
lua_pushnumber(_L, atoi(getarg("code-cache-ttl")));
lua_setglobal(_L, "CODE_CACHE_TTL");
} else {
lua_pushnumber(_L, code_cache_ttl);
lua_setglobal(_L, "CODE_CACHE_TTL");
}
lua_getglobal(_L, "require");
lua_pushcfunction(_L, lua_f_package_require);
lua_getfenv(_L, -2);
int ret = lua_setfenv(_L, -2);
lua_setglobal(_L, "require");
lua_pop(_L, 1);
lua_register(_L, "echo", lua_echo);
lua_register(_L, "print_error", lua_print_error);
lua_register(_L, "sendfile", lua_sendfile);
lua_register(_L, "header", lua_header);
lua_register(_L, "clear_header", lua_clear_header);
lua_register(_L, "__end", lua_end);
lua_register(_L, "die", lua_die);
lua_register(_L, "flush", lua_flush);
lua_register(_L, "read_request_body", lua_read_request_body);
lua_register(_L, "get_boundary", lua_f_get_boundary);
lua_register(_L, "check_timeout", lua_check_timeout);
lua_register(_L, "is_websocket", lua_f_is_websocket);
lua_register(_L, "upgrade_to_websocket", lua_f_upgrade_to_websocket);
lua_register(_L, "websocket_send", lua_f_websocket_send);
lua_register(_L, "check_websocket_close", lua_f_check_websocket_close);
lua_register(_L, "router", lua_f_router);
lua_register(_L, "random_string", lua_f_random_string);
lua_register(_L, "file_exists", lua_f_file_exists);
lua_register(_L, "readfile", lua_f_readfile);
lua_register(_L, "filemtime", lua_f_filemtime);
lua_register(_L, "cache_set", lua_f_cache_set);
lua_register(_L, "cache_get", lua_f_cache_get);
lua_register(_L, "cache_del", lua_f_cache_del);
luaopen_fastlz(_L);
luaopen_coevent(_L);
luaopen_libfs(_L);
luaopen_string_utils(_L);
luaopen_i18n(_L);
luaopen_crypto(_L);
lua_pop(_L, 1);
sprintf(tbuf_4096,
"package.path = '%slua-libs/?.lua;' .. package.path package.cpath = '%slua-libs/?.so;' .. package.cpath", cwd, cwd);
luaL_dostring(_L, tbuf_4096);
luaL_dostring(_L, ""
"if not CODE_CACHE_TTL then CODE_CACHE_TTL = 60 end " \
"startloop = nil __CodeCache = {{},{}} __CodeCacheC = {false,false} "
);
if(getarg("accesslog")) {
ACCESS_LOG = open_log(getarg("accesslog"), 40960);
if(!ACCESS_LOG) {
LOGF(ERR, "Couldn't open access log file: %s", getarg("accesslog"));
}
}
if(getarg("ssl-bind") && getarg("ssl-cert") && getarg("ssl-key")) {
ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if(!ssl_ctx) {
LOGF(ERR, "SSL_CTX_new Failed");
exit(1);
}
if(SSL_CTX_use_certificate_file(ssl_ctx, getarg("ssl-cert"), SSL_FILETYPE_PEM) != 1) {
SSL_CTX_free(ssl_ctx);
LOGF(ERR, "SSL_CTX_use_certificate_file");
exit(1);
}
if(SSL_CTX_use_PrivateKey_file(ssl_ctx, getarg("ssl-key"), SSL_FILETYPE_PEM) != 1) {
SSL_CTX_free(ssl_ctx);
LOGF(ERR, "SSL_CTX_use_PrivateKey_file");
exit(1);
}
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
if(getarg("ssl-ca")) {
ssl_epd_idx = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if(ssl_epd_idx == -1) {
LOGF(ERR, "SSL_get_ex_new_index Failed");
exit(1);
}
if(SSL_CTX_load_verify_locations(ssl_ctx, getarg("ssl-ca"), NULL) != 1) {
SSL_CTX_free(ssl_ctx);
LOGF(ERR, "SSL_CTX_load_verify_locations");
exit(1);
} else {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
SSL_CTX_set_verify_depth(ssl_ctx, 4);
}
}
}
_shm_serv_status = shm_malloc(sizeof(serv_status_t));
bzero(_shm_serv_status->p, sizeof(serv_status_t));
attach_on_exit(on_master_exit_handler);
return merry_start(argc, argv, help, master_main, on_master_exit_handler, worker_main, 0);
}
/**
* @warning Make sure you've called CryptoInitialize() first!
*/
bool TLSClientInitialize()
{
int ret;
static bool is_initialised = false;
if (is_initialised)
{
return true;
}
if (!TLSGenericInitialize())
{
return false;
}
SSLCLIENTCONTEXT = SSL_CTX_new(SSLv23_client_method());
if (SSLCLIENTCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
ERR_reason_error_string(ERR_get_error()));
goto err1;
}
TLSSetDefaultOptions(SSLCLIENTCONTEXT);
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(CryptoGetMissingKeyLogLevel(),
"No public/private key pair is loaded, trying to reload");
LoadSecretKeys();
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(CryptoGetMissingKeyLogLevel(),
"No public/private key pair found");
goto err2;
}
}
/* Create cert into memory and load it into SSL context. */
SSLCLIENTCERT = TLSGenerateCertFromPrivKey(PRIVKEY);
if (SSLCLIENTCERT == NULL)
{
Log(LOG_LEVEL_ERR,
"Failed to generate in-memory-certificate from private key");
goto err2;
}
SSL_CTX_use_certificate(SSLCLIENTCONTEXT, SSLCLIENTCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLCLIENTCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLCLIENTCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
is_initialised = true;
return true;
err3:
X509_free(SSLCLIENTCERT);
SSLCLIENTCERT = NULL;
err2:
SSL_CTX_free(SSLCLIENTCONTEXT);
SSLCLIENTCONTEXT = NULL;
err1:
return false;
}
static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
{
STACK_OF(SSL_CIPHER) *ciphers;
method_const SSL_METHOD *dtls_method;
SSL_CIPHER *dtls_cipher;
SSL *dtls_ssl;
BIO *dtls_bio;
if (!vpninfo->dtls_ctx) {
dtls_method = DTLSv1_client_method();
vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
if (!vpninfo->dtls_ctx) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 CTX failed\n"));
openconnect_report_ssl_errors(vpninfo);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* If we don't readahead, then we do short reads and throw
away the tail of data packets. */
SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
if (!SSL_CTX_set_cipher_list(vpninfo->dtls_ctx, vpninfo->dtls_cipher)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS cipher list failed\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
}
if (!vpninfo->dtls_session) {
/* We're going to "resume" a session which never existed. Fake it... */
vpninfo->dtls_session = SSL_SESSION_new();
if (!vpninfo->dtls_session) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 session failed\n"));
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
vpninfo->dtls_session->ssl_version = 0x0100; /* DTLS1_BAD_VER */
}
/* Do this every time; it may have changed due to a rekey */
vpninfo->dtls_session->master_key_length = sizeof(vpninfo->dtls_secret);
memcpy(vpninfo->dtls_session->master_key, vpninfo->dtls_secret,
sizeof(vpninfo->dtls_secret));
vpninfo->dtls_session->session_id_length = sizeof(vpninfo->dtls_session_id);
memcpy(vpninfo->dtls_session->session_id, vpninfo->dtls_session_id,
sizeof(vpninfo->dtls_session_id));
dtls_ssl = SSL_new(vpninfo->dtls_ctx);
SSL_set_connect_state(dtls_ssl);
ciphers = SSL_get_ciphers(dtls_ssl);
if (sk_SSL_CIPHER_num(ciphers) != 1) {
vpn_progress(vpninfo, PRG_ERR, _("Not precisely one DTLS cipher\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
SSL_SESSION_free(vpninfo->dtls_session);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_session = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
dtls_cipher = sk_SSL_CIPHER_value(ciphers, 0);
/* Set the appropriate cipher on our session to be resumed */
vpninfo->dtls_session->cipher = dtls_cipher;
vpninfo->dtls_session->cipher_id = dtls_cipher->id;
/* Add the generated session to the SSL */
if (!SSL_set_session(dtls_ssl, vpninfo->dtls_session)) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL_set_session() failed with old protocol version 0x%x\n"
"Are you using a version of OpenSSL older than 0.9.8m?\n"
"See http://rt.openssl.org/Ticket/Display.html?id=1751\n"
"Use the --no-dtls command line option to avoid this message\n"),
vpninfo->dtls_session->ssl_version);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
/* Set non-blocking */
BIO_set_nbio(dtls_bio, 1);
SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
SSL_set_options(dtls_ssl, SSL_OP_CISCO_ANYCONNECT);
vpninfo->new_dtls_ssl = dtls_ssl;
return 0;
}
int MAIN(int argc, char **argv)
{
int ret = 1, i;
int verbose = 0, Verbose = 0;
const char **pp;
const char *p;
int badops = 0;
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
char *ciphers = NULL;
const SSL_METHOD *meth = NULL;
STACK_OF(SSL_CIPHER) *sk;
char buf[512];
BIO *STDout = NULL;
meth = SSLv23_server_method();
apps_startup();
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
if (!load_config(bio_err, NULL))
goto end;
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-v") == 0)
verbose = 1;
else if (strcmp(*argv, "-V") == 0)
verbose = Verbose = 1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv, "-ssl2") == 0)
meth = SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv, "-ssl3") == 0)
meth = SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv, "-tls1") == 0)
meth = TLSv1_client_method();
#endif
else if ((strncmp(*argv, "-h", 2) == 0) || (strcmp(*argv, "-?") == 0)) {
badops = 1;
break;
} else {
ciphers = *argv;
}
argc--;
argv++;
}
if (badops) {
for (pp = ciphers_usage; (*pp != NULL); pp++)
BIO_printf(bio_err, "%s", *pp);
goto end;
}
OpenSSL_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);
if (ctx == NULL)
goto err;
if (ciphers != NULL) {
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl = SSL_new(ctx);
if (ssl == NULL)
goto err;
if (!verbose) {
for (i = 0;; i++) {
p = SSL_get_cipher_list(ssl, i);
if (p == NULL)
break;
if (i != 0)
BIO_printf(STDout, ":");
BIO_printf(STDout, "%s", p);
}
BIO_printf(STDout, "\n");
} else { /* verbose */
sk = SSL_get_ciphers(ssl);
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
SSL_CIPHER *c;
c = sk_SSL_CIPHER_value(sk, i);
if (Verbose) {
unsigned long id = SSL_CIPHER_get_id(c);
int id0 = (int)(id >> 24);
int id1 = (int)((id >> 16) & 0xffL);
int id2 = (int)((id >> 8) & 0xffL);
int id3 = (int)(id & 0xffL);
if ((id & 0xff000000L) == 0x02000000L) {
/* SSL2 cipher */
BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1,
id2, id3);
} else if ((id & 0xff000000L) == 0x03000000L) {
/* SSL3 cipher */
BIO_printf(STDout, " 0x%02X,0x%02X - ", id2,
id3);
} else {
/* whatever */
BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0,
id1, id2, id3);
}
}
BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf));
}
}
ret = 0;
if (0) {
err:
SSL_load_error_strings();
ERR_print_errors(bio_err);
}
end:
if (ctx != NULL)
SSL_CTX_free(ctx);
if (ssl != NULL)
SSL_free(ssl);
if (STDout != NULL)
BIO_free_all(STDout);
apps_shutdown();
OPENSSL_EXIT(ret);
}
static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_REC *server)
{
GIOSSLChannel *chan;
GIOChannel *gchan;
int fd;
SSL *ssl;
SSL_CTX *ctx = NULL;
const char *mycert = server->connrec->tls_cert;
const char *mypkey = server->connrec->tls_pkey;
const char *mypass = server->connrec->tls_pass;
const char *cafile = server->connrec->tls_cafile;
const char *capath = server->connrec->tls_capath;
const char *ciphers = server->connrec->tls_ciphers;
gboolean verify = server->connrec->tls_verify;
g_return_val_if_fail(handle != NULL, NULL);
if(!ssl_inited && !irssi_ssl_init())
return NULL;
if(!(fd = g_io_channel_unix_get_fd(handle)))
return NULL;
ERR_clear_error();
ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
g_error("Could not allocate memory for SSL context");
return NULL;
}
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
SSL_CTX_set_default_passwd_cb(ctx, get_pem_password_callback);
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)mypass);
if (ciphers != NULL && ciphers[0] != '\0') {
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1)
g_warning("No valid SSL cipher suite could be selected");
}
if (mycert && *mycert) {
char *scert = NULL, *spkey = NULL;
FILE *fp;
scert = convert_home(mycert);
if (mypkey && *mypkey)
spkey = convert_home(mypkey);
if ((fp = fopen(scert, "r"))) {
X509 *cert;
/* Let's parse the certificate by hand instead of using
* SSL_CTX_use_certificate_file so that we can validate
* some parts of it. */
cert = PEM_read_X509(fp, NULL, get_pem_password_callback, (void *)mypass);
if (cert != NULL) {
/* Only the expiration date is checked right now */
if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0 ||
X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
g_warning("The client certificate is expired");
ERR_clear_error();
if (! SSL_CTX_use_certificate(ctx, cert))
g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
else if (! SSL_CTX_check_private_key(ctx))
g_warning("Private key does not match the certificate");
X509_free(cert);
} else
g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
fclose(fp);
} else
g_warning("Could not find client certificate '%s'", scert);
g_free(scert);
g_free(spkey);
}
if ((cafile && *cafile) || (capath && *capath)) {
char *scafile = NULL;
char *scapath = NULL;
if (cafile && *cafile)
scafile = convert_home(cafile);
if (capath && *capath)
scapath = convert_home(capath);
if (! SSL_CTX_load_verify_locations(ctx, scafile, scapath)) {
g_warning("Could not load CA list for verifying TLS server certificate");
g_free(scafile);
g_free(scapath);
SSL_CTX_free(ctx);
return NULL;
}
g_free(scafile);
g_free(scapath);
verify = TRUE;
} else if (store != NULL) {
/* Make sure to increment the refcount every time the store is
* used, that's essential not to get it free'd by OpenSSL when
* the SSL_CTX is destroyed. */
X509_STORE_up_ref(store);
SSL_CTX_set_cert_store(ctx, store);
}
if(!(ssl = SSL_new(ctx)))
{
g_warning("Failed to allocate SSL structure");
SSL_CTX_free(ctx);
return NULL;
}
if(!SSL_set_fd(ssl, fd))
{
g_warning("Failed to associate socket to SSL stream");
SSL_free(ssl);
SSL_CTX_free(ctx);
return NULL;
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(ssl, server->connrec->address);
#endif
SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
chan = g_new0(GIOSSLChannel, 1);
chan->fd = fd;
chan->giochan = handle;
chan->ssl = ssl;
chan->ctx = ctx;
chan->server = server;
chan->port = port;
chan->verify = verify;
gchan = (GIOChannel *)chan;
gchan->funcs = &irssi_ssl_channel_funcs;
g_io_channel_init(gchan);
gchan->is_readable = gchan->is_writeable = TRUE;
gchan->use_buffer = FALSE;
return gchan;
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
wolfSSL_method_func method = NULL;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
#ifndef WOLFSSL_ALT_TEST_STRINGS
const char msg[] = "I hear you fa shizzle!";
#else
const char msg[] = "I hear you fa shizzle!\n";
#endif
char input[80];
int ch;
int version = SERVER_DEFAULT_VERSION;
int doCliCertCheck = 1;
int useAnyAddr = 0;
word16 port = wolfSSLPort;
int usePsk = 0;
int usePskPlus = 0;
int useAnon = 0;
int doDTLS = 0;
int needDH = 0;
int useNtruKey = 0;
int nonBlocking = 0;
int trackMemory = 0;
int fewerPackets = 0;
int pkCallbacks = 0;
int wc_shutdown = 0;
int resume = 0;
int resumeCount = 0;
int loopIndefinitely = 0;
int echoData = 0;
int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
int doListen = 1;
int crlFlags = 0;
int ret;
int err = 0;
char* serverReadyFile = NULL;
char* alpnList = NULL;
unsigned char alpn_opt = 0;
char* cipherList = NULL;
const char* verifyCert = cliCert;
const char* ourCert = svrCert;
const char* ourKey = svrKey;
const char* ourDhParam = dhParam;
tcp_ready* readySignal = NULL;
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
#ifdef WOLFSSL_TRUST_PEER_CERT
const char* trustCert = NULL;
#endif
#ifndef NO_PSK
int sendPskIdentityHint = 1;
#endif
#ifdef HAVE_SNI
char* sniHostName = NULL;
#endif
#ifdef HAVE_OCSP
int useOcsp = 0;
char* ocspUrl = NULL;
#endif
#ifdef HAVE_WNR
const char* wnrConfigFile = wnrConfig;
#endif
#ifdef WOLFSSL_STATIC_MEMORY
#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \
|| defined(SESSION_CERTS)
/* big enough to handle most cases including session certs */
byte memory[204000];
#else
byte memory[80000];
#endif
byte memoryIO[34500]; /* max of 17k for IO buffer (TLS packet can be 16k) */
WOLFSSL_MEM_CONN_STATS ssl_stats;
#endif
((func_args*)args)->return_code = -1; /* error state */
#ifdef NO_RSA
verifyCert = (char*)cliEccCert;
ourCert = (char*)eccCert;
ourKey = (char*)eccKey;
#endif
(void)pkCallbacks;
(void)needDH;
(void)ourKey;
(void)ourCert;
(void)ourDhParam;
(void)verifyCert;
(void)useNtruKey;
(void)doCliCertCheck;
(void)minDhKeyBits;
(void)minRsaKeyBits;
(void)minEccKeyBits;
(void)alpnList;
(void)alpn_opt;
(void)crlFlags;
(void)readySignal;
#ifdef CYASSL_TIRTOS
fdOpenSession(Task_self());
#endif
#ifdef WOLFSSL_VXWORKS
useAnyAddr = 1;
#else
while ((ch = mygetopt(argc, argv,
"?jdbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:")) != -1) {
switch (ch) {
case '?' :
Usage();
exit(EXIT_SUCCESS);
case 'd' :
doCliCertCheck = 0;
break;
case 'b' :
useAnyAddr = 1;
break;
case 's' :
usePsk = 1;
break;
case 'j' :
usePskPlus = 1;
break;
case 't' :
#ifdef USE_WOLFSSL_MEMORY
trackMemory = 1;
#endif
break;
case 'n' :
useNtruKey = 1;
break;
case 'u' :
doDTLS = 1;
break;
case 'f' :
fewerPackets = 1;
break;
case 'R' :
serverReadyFile = myoptarg;
break;
case 'r' :
#ifndef NO_SESSION_CACHE
resume = 1;
#endif
break;
case 'P' :
#ifdef HAVE_PK_CALLBACKS
pkCallbacks = 1;
#endif
break;
case 'p' :
port = (word16)atoi(myoptarg);
break;
case 'w' :
wc_shutdown = 1;
break;
case 'v' :
version = atoi(myoptarg);
if (version < 0 || version > 3) {
Usage();
exit(MY_EX_USAGE);
}
break;
case 'l' :
cipherList = myoptarg;
break;
case 'A' :
verifyCert = myoptarg;
break;
case 'c' :
ourCert = myoptarg;
break;
case 'k' :
ourKey = myoptarg;
break;
case 'D' :
#ifndef NO_DH
ourDhParam = myoptarg;
#endif
break;
case 'Z' :
#ifndef NO_DH
minDhKeyBits = atoi(myoptarg);
if (minDhKeyBits <= 0 || minDhKeyBits > 16000) {
Usage();
exit(MY_EX_USAGE);
}
#endif
break;
case 'N':
nonBlocking = 1;
break;
case 'S' :
#ifdef HAVE_SNI
sniHostName = myoptarg;
#endif
break;
case 'o' :
#ifdef HAVE_OCSP
useOcsp = 1;
#endif
break;
case 'O' :
#ifdef HAVE_OCSP
useOcsp = 1;
ocspUrl = myoptarg;
#endif
break;
case 'a' :
#ifdef HAVE_ANON
useAnon = 1;
#endif
break;
case 'I':
#ifndef NO_PSK
sendPskIdentityHint = 0;
#endif
break;
case 'L' :
#ifdef HAVE_ALPN
alpnList = myoptarg;
if (alpnList[0] == 'C' && alpnList[1] == ':')
alpn_opt = WOLFSSL_ALPN_CONTINUE_ON_MISMATCH;
else if (alpnList[0] == 'F' && alpnList[1] == ':')
alpn_opt = WOLFSSL_ALPN_FAILED_ON_MISMATCH;
else {
Usage();
exit(MY_EX_USAGE);
}
alpnList += 2;
#endif
break;
case 'i' :
loopIndefinitely = 1;
break;
case 'e' :
echoData = 1;
break;
case 'B':
throughput = atoi(myoptarg);
if (throughput <= 0) {
Usage();
exit(MY_EX_USAGE);
}
break;
#ifdef WOLFSSL_TRUST_PEER_CERT
case 'E' :
trustCert = myoptarg;
break;
#endif
case 'q' :
#ifdef HAVE_WNR
wnrConfigFile = myoptarg;
#endif
break;
default:
Usage();
exit(MY_EX_USAGE);
}
}
myoptind = 0; /* reset for test cases */
#endif /* !WOLFSSL_VXWORKS */
/* sort out DTLS versus TLS versions */
if (version == CLIENT_INVALID_VERSION) {
if (doDTLS)
version = CLIENT_DTLS_DEFAULT_VERSION;
else
version = CLIENT_DEFAULT_VERSION;
}
else {
if (doDTLS) {
if (version == 3)
version = -2;
else
version = -1;
}
}
#if defined(USE_CYASSL_MEMORY) && !defined(WOLFSSL_STATIC_MEMORY)
if (trackMemory)
InitMemoryTracker();
#endif
#ifdef HAVE_WNR
if (wc_InitNetRandom(wnrConfigFile, NULL, 5000) != 0)
err_sys("can't load whitewood net random config file");
#endif
switch (version) {
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_SSLV3
case 0:
method = wolfSSLv3_server_method_ex;
break;
#endif
#ifndef NO_TLS
case 1:
method = wolfTLSv1_server_method_ex;
break;
case 2:
method = wolfTLSv1_1_server_method_ex;
break;
#endif
#endif
#ifndef NO_TLS
case 3:
method = wolfTLSv1_2_server_method_ex;
break;
#endif
#ifdef CYASSL_DTLS
#ifndef NO_OLD_TLS
case -1:
method = wolfDTLSv1_server_method_ex;
break;
#endif
case -2:
method = wolfDTLSv1_2_server_method_ex;
break;
#endif
default:
err_sys("Bad SSL version");
}
if (method == NULL)
err_sys("unable to get method");
#ifdef WOLFSSL_STATIC_MEMORY
#ifdef DEBUG_WOLFSSL
/* print off helper buffer sizes for use with static memory
* printing to stderr incase of debug mode turned on */
fprintf(stderr, "static memory management size = %d\n",
wolfSSL_MemoryPaddingSz());
fprintf(stderr, "calculated optimum general buffer size = %d\n",
wolfSSL_StaticBufferSz(memory, sizeof(memory), 0));
fprintf(stderr, "calculated optimum IO buffer size = %d\n",
wolfSSL_StaticBufferSz(memoryIO, sizeof(memoryIO),
WOLFMEM_IO_POOL_FIXED));
#endif /* DEBUG_WOLFSSL */
if (wolfSSL_CTX_load_static_memory(&ctx, method, memory, sizeof(memory),0,1)
!= SSL_SUCCESS)
err_sys("unable to load static memory and create ctx");
/* load in a buffer for IO */
if (wolfSSL_CTX_load_static_memory(&ctx, NULL, memoryIO, sizeof(memoryIO),
WOLFMEM_IO_POOL_FIXED | WOLFMEM_TRACK_STATS, 1)
!= SSL_SUCCESS)
err_sys("unable to load static memory and create ctx");
#else
ctx = SSL_CTX_new(method(NULL));
#endif
if (ctx == NULL)
err_sys("unable to get ctx");
#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
defined(HAVE_POLY1305)
if (TicketInit() != 0)
err_sys("unable to setup Session Ticket Key context");
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
#endif
if (cipherList)
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 1");
#ifdef CYASSL_LEANPSK
if (!usePsk) {
usePsk = 1;
}
#endif
#if defined(NO_RSA) && !defined(HAVE_ECC)
if (!usePsk) {
usePsk = 1;
}
#endif
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if ((!usePsk || usePskPlus) && !useAnon) {
if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" wolfSSL home dir");
}
#endif
#ifndef NO_DH
if (wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits) != SSL_SUCCESS) {
err_sys("Error setting minimum DH key size");
}
#endif
#ifndef NO_RSA
if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits) != SSL_SUCCESS){
err_sys("Error setting minimum RSA key size");
}
#endif
#ifdef HAVE_ECC
if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, minEccKeyBits) != SSL_SUCCESS){
err_sys("Error setting minimum ECC key size");
}
#endif
#ifdef HAVE_NTRU
if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= SSL_SUCCESS)
err_sys("can't load ntru key file, "
"Please run from wolfSSL home dir");
}
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server private key file, check file and run "
"from wolfSSL home dir");
}
#endif
if (usePsk || usePskPlus) {
#ifndef NO_PSK
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
if (sendPskIdentityHint == 1)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL && !usePskPlus) {
const char *defaultCipherList;
#if defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
needDH = 1;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2");
}
#endif
}
if (useAnon) {
#ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 4");
}
#endif
}
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* if not using PSK, verify peer with certs
if using PSK Plus then verify peer certs except PSK suites */
if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK :
SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#ifdef WOLFSSL_TRUST_PEER_CERT
if (trustCert) {
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
#ifdef USE_WINDOWS_API
if (port == 0) {
/* Generate random port for testing */
port = GetRandomPort();
}
#endif /* USE_WINDOWS_API */
while (1) {
/* allow resume option */
if(resumeCount > 1) {
if (doDTLS == 0) {
SOCKADDR_IN_T client;
socklen_t client_len = sizeof(client);
clientfd = accept(sockfd, (struct sockaddr*)&client,
(ACCEPT_THIRD_T)&client_len);
} else {
tcp_listen(&sockfd, &port, useAnyAddr, doDTLS);
clientfd = sockfd;
}
if(WOLFSSL_SOCKET_IS_INVALID(clientfd)) {
err_sys("tcp accept failed");
}
}
#if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL)
{
WOLFSSL_MEM_STATS mem_stats;
fprintf(stderr, "Before creating SSL\n");
if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1)
err_sys("ctx not using static memory");
if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */
err_sys("error printing out memory stats");
}
#endif
ssl = SSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL");
#if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL)
{
WOLFSSL_MEM_STATS mem_stats;
fprintf(stderr, "After creating SSL\n");
if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1)
err_sys("ctx not using static memory");
if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */
err_sys("error printing out memory stats");
}
#endif
#ifndef NO_HANDSHAKE_DONE_CB
wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
#endif
#ifdef HAVE_CRL
#ifdef HAVE_CRL_MONITOR
crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON;
#endif
if (CyaSSL_EnableCRL(ssl, 0) != SSL_SUCCESS)
err_sys("unable to enable CRL");
if (CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, crlFlags)
!= SSL_SUCCESS)
err_sys("unable to load CRL");
if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS)
err_sys("unable to set CRL callback url");
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS)
err_sys("can't enable OCSP Stapling Certificate Manager");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#endif
#ifdef HAVE_PK_CALLBACKS
if (pkCallbacks)
SetupPkCallbacks(ctx, ssl);
#endif
/* do accept */
readySignal = ((func_args*)args)->signal;
if (readySignal) {
readySignal->srfName = serverReadyFile;
}
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr,
doDTLS, serverReadyFile ? 1 : 0, doListen);
doListen = 0; /* Don't listen next time */
if (SSL_set_fd(ssl, clientfd) != SSL_SUCCESS) {
err_sys("error in setting fd");
}
#ifdef HAVE_ALPN
if (alpnList != NULL) {
printf("ALPN accepted protocols list : %s\n", alpnList);
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
}
#endif
#ifdef WOLFSSL_DTLS
if (doDTLS) {
SOCKADDR_IN_T cliaddr;
byte b[1500];
int n;
socklen_t len = sizeof(cliaddr);
/* For DTLS, peek at the next datagram so we can get the client's
* address and set it into the ssl object later to generate the
* cookie. */
n = (int)recvfrom(sockfd, (char*)b, sizeof(b), MSG_PEEK,
(struct sockaddr*)&cliaddr, &len);
if (n <= 0)
err_sys("recvfrom failed");
wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
}
#endif
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|| needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM);
#elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif
}
#ifndef CYASSL_CALLBACKS
if (nonBlocking) {
CyaSSL_set_using_nonblock(ssl, 1);
tcp_set_nonblocking(&clientfd);
}
#endif
do {
#ifdef WOLFSSL_ASYNC_CRYPT
if (err == WC_PENDING_E) {
ret = AsyncCryptPoll(ssl);
if (ret < 0) { break; } else if (ret == 0) { continue; }
}
#endif
err = 0; /* Reset error */
#ifndef CYASSL_CALLBACKS
if (nonBlocking) {
ret = NonBlockingSSL_Accept(ssl);
}
else {
ret = SSL_accept(ssl);
}
#else
ret = NonBlockingSSL_Accept(ssl);
#endif
if (ret != SSL_SUCCESS) {
err = SSL_get_error(ssl, 0);
}
} while (ret != SSL_SUCCESS && err == WC_PENDING_E);
if (ret != SSL_SUCCESS) {
char buffer[CYASSL_MAX_ERROR_SZ];
err = SSL_get_error(ssl, 0);
printf("error = %d, %s\n", err, ERR_error_string(err, buffer));
err_sys("SSL_accept failed");
}
showPeer(ssl);
#ifdef HAVE_ALPN
if (alpnList != NULL) {
char *protocol_name = NULL, *list = NULL;
word16 protocol_nameSz = 0, listSz = 0;
err = wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, &protocol_nameSz);
if (err == SSL_SUCCESS)
printf("Sent ALPN protocol : %s (%d)\n",
protocol_name, protocol_nameSz);
else if (err == SSL_ALPN_NOT_FOUND)
printf("No ALPN response sent (no match)\n");
else
printf("Getting ALPN protocol name failed\n");
err = wolfSSL_ALPN_GetPeerProtocol(ssl, &list, &listSz);
if (err == SSL_SUCCESS)
printf("List of protocol names sent by Client: %s (%d)\n",
list, listSz);
else
printf("Get list of client's protocol name failed\n");
free(list);
}
#endif
if(echoData == 0 && throughput == 0) {
ret = SSL_read(ssl, input, sizeof(input)-1);
if (ret > 0) {
input[ret] = 0;
printf("Client message: %s\n", input);
}
else if (ret < 0) {
int readErr = SSL_get_error(ssl, 0);
if (readErr != SSL_ERROR_WANT_READ)
err_sys("SSL_read failed");
}
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
}
else {
ServerEchoData(ssl, clientfd, echoData, throughput);
}
#if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
os_dly_wait(500) ;
#elif defined (CYASSL_TIRTOS)
Task_yield();
#endif
if (doDTLS == 0) {
ret = SSL_shutdown(ssl);
if (wc_shutdown && ret == SSL_SHUTDOWN_NOT_DONE)
SSL_shutdown(ssl); /* bidirectional shutdown */
}
/* display collected statistics */
#ifdef WOLFSSL_STATIC_MEMORY
if (wolfSSL_is_static_memory(ssl, &ssl_stats) != 1)
err_sys("static memory was not used with ssl");
fprintf(stderr, "\nprint off SSL memory stats\n");
fprintf(stderr, "*** This is memory state before wolfSSL_free is called\n");
fprintf(stderr, "peak connection memory = %d\n", ssl_stats.peakMem);
fprintf(stderr, "current memory in use = %d\n", ssl_stats.curMem);
fprintf(stderr, "peak connection allocs = %d\n", ssl_stats.peakAlloc);
fprintf(stderr, "current connection allocs = %d\n",ssl_stats.curAlloc);
fprintf(stderr, "total connection allocs = %d\n",ssl_stats.totalAlloc);
fprintf(stderr, "total connection frees = %d\n\n", ssl_stats.totalFr);
#endif
SSL_free(ssl);
CloseSocket(clientfd);
if (resume == 1 && resumeCount == 0) {
resumeCount++; /* only do one resume for testing */
continue;
}
resumeCount = 0;
if(!loopIndefinitely) {
break; /* out of while loop, done with normal and resume option */
}
} /* while(1) */
CloseSocket(sockfd);
SSL_CTX_free(ctx);
((func_args*)args)->return_code = 0;
#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \
&& defined(HAVE_THREAD_LS)
ecc_fp_free(); /* free per thread cache */
#endif
#if defined(USE_WOLFSSL_MEMORY) && !defined(WOLFSSL_STATIC_MEMORY)
if (trackMemory)
ShowMemoryTracker();
#endif
#ifdef CYASSL_TIRTOS
fdCloseSession(Task_self());
#endif
#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
defined(HAVE_POLY1305)
TicketCleanup();
#endif
/* There are use cases when these assignments are not read. To avoid
* potential confusion those warnings have been handled here.
*/
(void) ourKey;
(void) verifyCert;
(void) doCliCertCheck;
(void) useNtruKey;
(void) ourDhParam;
(void) ourCert;
(void) trackMemory;
#ifndef CYASSL_TIRTOS
return 0;
#endif
}
R_API int r_socket_connect (RSocket *s, const char *host, const char *port, int proto, int timeout) {
#if __WINDOWS__
struct sockaddr_in sa;
struct hostent *he;
WSADATA wsadata;
if (WSAStartup (MAKEWORD (1, 1), &wsadata) == SOCKET_ERROR) {
eprintf ("Error creating socket.");
return R_FALSE;
}
s->fd = socket (AF_INET, SOCK_STREAM, 0);
if (s->fd == -1)
return R_FALSE;
memset (&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
he = (struct hostent *)gethostbyname (host);
if (he == (struct hostent*)0) {
close (s->fd);
return R_FALSE;
}
sa.sin_addr = *((struct in_addr *)he->h_addr);
sa.sin_port = htons (atoi (port));
#warning TODO: implement connect timeout on w32
if (connect (s->fd, (const struct sockaddr*)&sa, sizeof (struct sockaddr))) {
close (s->fd);
return R_FALSE;
}
return R_TRUE;
#elif __UNIX__
if (proto==0) proto= R_SOCKET_PROTO_TCP;
int gai, ret;
struct addrinfo hints, *res, *rp;
signal (SIGPIPE, SIG_IGN);
if (proto == R_SOCKET_PROTO_UNIX) {
if (!r_socket_unix_connect (s, host))
return R_FALSE;
} else {
memset (&hints, 0, sizeof (struct addrinfo));
hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
hints.ai_protocol = proto;
gai = getaddrinfo (host, port, &hints, &res);
if (gai != 0) {
//eprintf ("Error in getaddrinfo: %s\n", gai_strerror (gai));
return R_FALSE;
}
for (rp = res; rp != NULL; rp = rp->ai_next) {
s->fd = socket (rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (s->fd == -1)
continue;
if (timeout>0)
r_socket_block_time (s, 1, timeout);
//fcntl (s->fd, F_SETFL, O_NONBLOCK, 1);
ret = connect (s->fd, rp->ai_addr, rp->ai_addrlen);
if (timeout<1) {
if (ret == -1) {
close (s->fd);
return R_FALSE;
}
return R_TRUE;
}
if (timeout>0) {
struct timeval tv;
fd_set fdset;
FD_ZERO (&fdset);
FD_SET (s->fd, &fdset);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if (select (s->fd + 1, NULL, &fdset, NULL, &tv) == 1) {
int so_error;
socklen_t len = sizeof so_error;
ret = getsockopt (s->fd, SOL_SOCKET,
SO_ERROR, &so_error, &len);
// fcntl (s->fd, F_SETFL, O_NONBLOCK, 0);
// r_socket_block_time (s, 0, 0);
freeaddrinfo (res);
return R_TRUE;
} else {
freeaddrinfo (res);
close (s->fd);
return R_FALSE;
}
}
close (s->fd);
s->fd = -1;
}
freeaddrinfo (res);
if (rp == NULL) {
eprintf ("Could not resolve address\n");
return R_FALSE;
}
}
#endif
#if HAVE_LIB_SSL
if (s->is_ssl) {
s->ctx = SSL_CTX_new (SSLv23_client_method ());
if (s->ctx == NULL) {
r_socket_free (s);
return R_FALSE;
}
s->sfd = SSL_new (s->ctx);
SSL_set_fd (s->sfd, s->fd);
if (SSL_connect (s->sfd) != 1) {
r_socket_free (s);
return R_FALSE;
}
}
#endif
return R_TRUE;
}
//WARNING!!!
//The function you are about to read is TERRIBLE.
//Please wash your eyes with acid after reading it.
//Thanks.
static bool httpGetRequest(const char *loc, char **content, bool forceNa = false)
{
*g_log << "RiotAPI query: " << loc << "; Force NA: " << forceNa << std::endl;
//Step one: resolve hostname
struct addrinfo hints;
struct addrinfo *result;
ZeroMemory(&hints, sizeof(struct addrinfo));
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
if(getaddrinfo(forceNa ? "na.api.pvp.net" : g_apiHost.c_str(), NULL, &hints, &result) != 0)
return false;
if(result->ai_addr == NULL || result->ai_addrlen != sizeof(sockaddr_in)) {
freeaddrinfo(result);
return false;
}
sockaddr_in addr;
memcpy(&addr, result->ai_addr, sizeof(sockaddr_in));
freeaddrinfo(result);
addr.sin_port = htons(443);
//Step two: create socket
SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock == INVALID_SOCKET)
return false;
if(connect(sock, reinterpret_cast<sockaddr*>(&addr), sizeof(sockaddr_in)) == SOCKET_ERROR) {
closesocket(sock);
return false;
}
//SSL STUFF
SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
SSL *ssl = SSL_new(ctx);
SSL_set_fd(ssl, sock);
SSL_connect(ssl);
//Step three: send request
std::string req("GET ");
req += loc;
req += " HTTP/1.1\r\nHost: ";
req += (forceNa ? std::string("na.api.pvp.net") : g_apiHost);
req += "\r\nUser-Agent: LoL Mana\r\n\r\n";
if(SSL_write(ssl, req.c_str(), req.length()) != req.length()) {
sslClose(sock, ssl, ctx);
return false;
}
//Step four: read response
char buf[8192];
int read = SSL_read(ssl, buf, 8192);
if(read <= 0) {
sslClose(sock, ssl, ctx);
return false;
}
char *response = buf;
int num = 0;
bool wasEmpty = false;
int retCode = -1;
int contentLength = -1;
while(!wasEmpty) {
char *ptr = nextLine(response, read);
int len = ptr - response;
if(ptr == NULL) //End!!
break;
read -= len;
len -= 2;
if(len <= 0) //Only CRLF; skip
wasEmpty = true;
else if(num == 0 || contentLength < 0) {
char *line = new char[len + 1];
memcpy(line, response, len);
line[len] = 0;
std::istringstream iss(line);
delete[] line;
if(num == 0) {
std::string dontcare;
iss >> dontcare;
iss >> retCode;
} else if(contentLength < 0) {
/* {{{ data_accept
*/
databuf_t*
data_accept(databuf_t *data, ftpbuf_t *ftp)
{
php_sockaddr_storage addr;
socklen_t size;
#ifdef HAVE_FTP_SSL
SSL_CTX *ctx;
zend_long ssl_ctx_options = SSL_OP_ALL;
int err, res;
zend_bool retry;
#endif
if (data->fd != -1) {
goto data_accepted;
}
size = sizeof(addr);
data->fd = my_accept(ftp, data->listener, (struct sockaddr*) &addr, &size);
closesocket(data->listener);
data->listener = -1;
if (data->fd == -1) {
efree(data);
return NULL;
}
data_accepted:
#ifdef HAVE_FTP_SSL
/* now enable ssl if we need to */
if (ftp->use_ssl && ftp->use_ssl_for_data) {
ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
php_error_docref(NULL, E_WARNING, "data_accept: failed to create the SSL context");
return 0;
}
#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
SSL_CTX_set_options(ctx, ssl_ctx_options);
data->ssl_handle = SSL_new(ctx);
if (data->ssl_handle == NULL) {
php_error_docref(NULL, E_WARNING, "data_accept: failed to create the SSL handle");
SSL_CTX_free(ctx);
return 0;
}
SSL_set_fd(data->ssl_handle, data->fd);
if (ftp->old_ssl) {
SSL_copy_session_id(data->ssl_handle, ftp->ssl_handle);
}
do {
res = SSL_connect(data->ssl_handle);
err = SSL_get_error(data->ssl_handle, res);
switch (err) {
case SSL_ERROR_NONE:
retry = 0;
break;
case SSL_ERROR_ZERO_RETURN:
retry = 0;
SSL_shutdown(data->ssl_handle);
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE: {
php_pollfd p;
int i;
p.fd = ftp->fd;
p.events = (err == SSL_ERROR_WANT_READ) ? (POLLIN|POLLPRI) : POLLOUT;
p.revents = 0;
i = php_poll2(&p, 1, 300);
retry = i > 0;
}
break;
default:
php_error_docref(NULL, E_WARNING, "data_accept: SSL/TLS handshake failed");
SSL_shutdown(data->ssl_handle);
SSL_free(data->ssl_handle);
return 0;
}
} while (retry);
data->ssl_active = 1;
}
#endif
return data;
}
LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
plist_t pair_record = NULL;
userpref_read_pair_record(connection->udid, &pair_record);
if (!pair_record) {
debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid);
return ret;
}
#ifdef HAVE_OPENSSL
key_data_t root_cert = { NULL, 0 };
key_data_t root_privkey = { NULL, 0 };
pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert);
pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_privkey);
if (pair_record)
plist_free(pair_record);
BIO *ssl_bio = BIO_new(BIO_s_socket());
if (!ssl_bio) {
debug_info("ERROR: Could not create SSL bio.");
return ret;
}
BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);
SSL_CTX *ssl_ctx = SSL_CTX_new(TLSv1_method());
if (ssl_ctx == NULL) {
debug_info("ERROR: Could not create SSL context.");
BIO_free(ssl_bio);
return ret;
}
BIO* membp;
X509* rootCert = NULL;
membp = BIO_new_mem_buf(root_cert.data, root_cert.size);
PEM_read_bio_X509(membp, &rootCert, NULL, NULL);
BIO_free(membp);
if (SSL_CTX_use_certificate(ssl_ctx, rootCert) != 1) {
debug_info("WARNING: Could not load RootCertificate");
}
X509_free(rootCert);
free(root_cert.data);
RSA* rootPrivKey = NULL;
membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size);
PEM_read_bio_RSAPrivateKey(membp, &rootPrivKey, NULL, NULL);
BIO_free(membp);
if (SSL_CTX_use_RSAPrivateKey(ssl_ctx, rootPrivKey) != 1) {
debug_info("WARNING: Could not load RootPrivateKey");
}
RSA_free(rootPrivKey);
free(root_privkey.data);
SSL *ssl = SSL_new(ssl_ctx);
if (!ssl) {
debug_info("ERROR: Could not create SSL object");
BIO_free(ssl_bio);
SSL_CTX_free(ssl_ctx);
return ret;
}
SSL_set_connect_state(ssl);
SSL_set_verify(ssl, 0, ssl_verify_callback);
SSL_set_bio(ssl, ssl_bio, ssl_bio);
return_me = SSL_do_handshake(ssl);
if (return_me != 1) {
debug_info("ERROR in SSL_do_handshake: %s", ssl_error_to_string(SSL_get_error(ssl, return_me)));
SSL_free(ssl);
SSL_CTX_free(ssl_ctx);
} else {
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
ssl_data_loc->session = ssl;
ssl_data_loc->ctx = ssl_ctx;
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled, cipher: %s", SSL_get_cipher(ssl));
}
/* required for proper multi-thread clean up to prevent leaks */
#ifdef HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
#else
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
#if GNUTLS_VERSION_NUMBER >= 0x020b07
gnutls_certificate_set_retrieve_function(ssl_data_loc->certificate, internal_cert_callback);
#else
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate, internal_cert_callback);
#endif
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-TLS1.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, ssl_data_loc->root_cert);
pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, ssl_data_loc->host_cert);
pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, ssl_data_loc->root_privkey);
pair_record_import_key_with_name(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, ssl_data_loc->host_privkey);
if (pair_record)
plist_free(pair_record);
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno) {
debug_info("WARNING: errno says %s before handshake!", strerror(errno));
}
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
#endif
return ret;
}
/* {{{ ftp_login
*/
int
ftp_login(ftpbuf_t *ftp, const char *user, const char *pass)
{
#ifdef HAVE_FTP_SSL
SSL_CTX *ctx = NULL;
long ssl_ctx_options = SSL_OP_ALL;
int err, res;
zend_bool retry;
#endif
if (ftp == NULL) {
return 0;
}
#ifdef HAVE_FTP_SSL
if (ftp->use_ssl && !ftp->ssl_active) {
if (!ftp_putcmd(ftp, "AUTH", "TLS")) {
return 0;
}
if (!ftp_getresp(ftp)) {
return 0;
}
if (ftp->resp != 234) {
if (!ftp_putcmd(ftp, "AUTH", "SSL")) {
return 0;
}
if (!ftp_getresp(ftp)) {
return 0;
}
if (ftp->resp != 334) {
return 0;
} else {
ftp->old_ssl = 1;
ftp->use_ssl_for_data = 1;
}
}
ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
php_error_docref(NULL, E_WARNING, "failed to create the SSL context");
return 0;
}
#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
SSL_CTX_set_options(ctx, ssl_ctx_options);
ftp->ssl_handle = SSL_new(ctx);
if (ftp->ssl_handle == NULL) {
php_error_docref(NULL, E_WARNING, "failed to create the SSL handle");
SSL_CTX_free(ctx);
return 0;
}
SSL_set_fd(ftp->ssl_handle, ftp->fd);
do {
res = SSL_connect(ftp->ssl_handle);
err = SSL_get_error(ftp->ssl_handle, res);
/* TODO check if handling other error codes would make sense */
switch (err) {
case SSL_ERROR_NONE:
retry = 0;
break;
case SSL_ERROR_ZERO_RETURN:
retry = 0;
SSL_shutdown(ftp->ssl_handle);
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE: {
php_pollfd p;
int i;
p.fd = ftp->fd;
p.events = (err == SSL_ERROR_WANT_READ) ? (POLLIN|POLLPRI) : POLLOUT;
p.revents = 0;
i = php_poll2(&p, 1, 300);
retry = i > 0;
}
break;
default:
php_error_docref(NULL, E_WARNING, "SSL/TLS handshake failed");
SSL_shutdown(ftp->ssl_handle);
SSL_free(ftp->ssl_handle);
return 0;
}
} while (retry);
ftp->ssl_active = 1;
if (!ftp->old_ssl) {
/* set protection buffersize to zero */
if (!ftp_putcmd(ftp, "PBSZ", "0")) {
return 0;
}
if (!ftp_getresp(ftp)) {
return 0;
}
/* enable data conn encryption */
if (!ftp_putcmd(ftp, "PROT", "P")) {
return 0;
}
if (!ftp_getresp(ftp)) {
return 0;
}
ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299);
}
}
#endif
if (!ftp_putcmd(ftp, "USER", user)) {
return 0;
}
if (!ftp_getresp(ftp)) {
return 0;
}
if (ftp->resp == 230) {
return 1;
}
if (ftp->resp != 331) {
return 0;
}
if (!ftp_putcmd(ftp, "PASS", pass)) {
return 0;
}
if (!ftp_getresp(ftp)) {
return 0;
}
return (ftp->resp == 230);
}
int MAIN(int argc, char **argv)
{
int off=0;
SSL *con=NULL,*con2=NULL;
X509_STORE *store = NULL;
int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
short port=PORT;
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
char *passarg = NULL, *pass = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
int starttls_proto = 0;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
#ifdef sock_type
#undef sock_type
#endif
int sock_type=SOCK_STREAM;
BIO *sbio;
char *inrand=NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine_id=NULL;
ENGINE *e=NULL;
#endif
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
struct timeval tv;
#endif
struct sockaddr peer;
int peerlen = sizeof(peer);
int enable_timeouts = 0 ;
long mtu = 0;
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_client_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_client_method();
#endif
apps_startup();
c_Pause=0;
c_quiet=0;
c_ign_eof=0;
c_debug=0;
c_msg=0;
c_showcerts=0;
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
verify_depth=0;
verify_error=X509_V_OK;
#ifdef FIONBIO
c_nbio=0;
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-host") == 0)
{
if (--argc < 1) goto bad;
host= *(++argv);
}
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
port=atoi(*(++argv));
if (port == 0) goto bad;
}
else if (strcmp(*argv,"-connect") == 0)
{
if (--argc < 1) goto bad;
if (!extract_host_port(*(++argv),&host,NULL,&port))
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
{
verify=SSL_VERIFY_PEER;
if (--argc < 1) goto bad;
verify_depth=atoi(*(++argv));
BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
}
else if (strcmp(*argv,"-cert") == 0)
{
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
else if (strcmp(*argv,"-certform") == 0)
{
if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv));
}
else if (strcmp(*argv,"-crl_check") == 0)
vflags |= X509_V_FLAG_CRL_CHECK;
else if (strcmp(*argv,"-crl_check_all") == 0)
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
else if (strcmp(*argv,"-prexit") == 0)
prexit=1;
else if (strcmp(*argv,"-crlf") == 0)
crlf=1;
else if (strcmp(*argv,"-quiet") == 0)
{
c_quiet=1;
c_ign_eof=1;
}
else if (strcmp(*argv,"-ign_eof") == 0)
c_ign_eof=1;
else if (strcmp(*argv,"-pause") == 0)
c_Pause=1;
else if (strcmp(*argv,"-debug") == 0)
c_debug=1;
#ifdef WATT32
else if (strcmp(*argv,"-wdebug") == 0)
dbug_init();
#endif
else if (strcmp(*argv,"-msg") == 0)
c_msg=1;
else if (strcmp(*argv,"-showcerts") == 0)
c_showcerts=1;
else if (strcmp(*argv,"-nbio_test") == 0)
nbio_test=1;
else if (strcmp(*argv,"-state") == 0)
state=1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv,"-tls1") == 0)
meth=TLSv1_client_method();
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv,"-dtls1") == 0)
{
meth=DTLSv1_client_method();
sock_type=SOCK_DGRAM;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
{
if (--argc < 1) goto bad;
mtu = atol(*(++argv));
}
#endif
else if (strcmp(*argv,"-bugs") == 0)
bugs=1;
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
key_format = str2fmt(*(++argv));
}
else if (strcmp(*argv,"-pass") == 0)
{
if (--argc < 1) goto bad;
passarg = *(++argv);
}
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
key_file= *(++argv);
}
else if (strcmp(*argv,"-reconnect") == 0)
{
reconnect=5;
}
else if (strcmp(*argv,"-CApath") == 0)
{
if (--argc < 1) goto bad;
CApath= *(++argv);
}
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
}
else if (strcmp(*argv,"-no_tls1") == 0)
off|=SSL_OP_NO_TLSv1;
else if (strcmp(*argv,"-no_ssl3") == 0)
off|=SSL_OP_NO_SSLv3;
else if (strcmp(*argv,"-no_ssl2") == 0)
off|=SSL_OP_NO_SSLv2;
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
cipher= *(++argv);
}
#ifdef FIONBIO
else if (strcmp(*argv,"-nbio") == 0)
{ c_nbio=1; }
#endif
else if (strcmp(*argv,"-starttls") == 0)
{
if (--argc < 1) goto bad;
++argv;
if (strcmp(*argv,"smtp") == 0)
starttls_proto = 1;
else if (strcmp(*argv,"pop3") == 0)
starttls_proto = 2;
else
goto bad;
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine_id = *(++argv);
}
#endif
else if (strcmp(*argv,"-rand") == 0)
{
if (--argc < 1) goto bad;
inrand= *(++argv);
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badop=1;
break;
}
argc--;
argv++;
}
if (badop)
{
bad:
sc_usage();
goto end;
}
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine_id, 1);
#endif
if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (key_file == NULL)
key_file = cert_file;
if (key_file)
{
key = load_key(bio_err, key_file, key_format, 0, pass, e,
"client certificate private key file");
if (!key)
{
ERR_print_errors(bio_err);
goto end;
}
}
if (cert_file)
{
cert = load_cert(bio_err,cert_file,cert_format,
NULL, e, "client certificate file");
if (!cert)
{
ERR_print_errors(bio_err);
goto end;
}
}
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
&& !RAND_status())
{
BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
}
if (inrand != NULL)
BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
if (bio_c_out == NULL)
{
if (c_quiet && !c_debug && !c_msg)
{
bio_c_out=BIO_new(BIO_s_null());
}
else
{
if (bio_c_out == NULL)
bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
}
}
ctx=SSL_CTX_new(meth);
if (ctx == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (bugs)
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else
SSL_CTX_set_options(ctx,off);
/* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem.
*/
if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
BIO_printf(bio_err,"error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
#if 0
else
SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
#endif
SSL_CTX_set_verify(ctx,verify,verify_callback);
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
{
/* BIO_printf(bio_err,"error setting default verify locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
con=SSL_new(ctx);
#ifndef OPENSSL_NO_KRB5
if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
}
#endif /* OPENSSL_NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
re_start:
if (init_client(&s,host,port,sock_type) == 0)
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
goto end;
}
BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
#ifdef FIONBIO
if (c_nbio)
{
unsigned long l=1;
BIO_printf(bio_c_out,"turning on non blocking io\n");
if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
{
ERR_print_errors(bio_err);
goto end;
}
}
#endif
if (c_Pause & 0x01) con->debug=1;
if ( SSL_version(con) == DTLS1_VERSION)
{
struct timeval timeout;
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
if (getsockname(s, &peer, (void *)&peerlen) < 0)
{
BIO_printf(bio_err, "getsockname:errno=%d\n",
get_last_socket_error());
SHUTDOWN(s);
goto end;
}
BIO_ctrl_set_connected(sbio, 1, &peer);
if ( enable_timeouts)
{
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_SND_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
if ( mtu > 0)
{
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(con, mtu);
}
else
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
}
else
sbio=BIO_new_socket(s,BIO_NOCLOSE);
if (nbio_test)
{
BIO *test;
test=BIO_new(BIO_f_nbio_test());
sbio=BIO_push(test,sbio);
}
if (c_debug)
{
con->debug=1;
BIO_set_callback(sbio,bio_dump_callback);
BIO_set_callback_arg(sbio,(char*)bio_c_out);
}
if (c_msg)
{
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_out);
}
SSL_set_bio(con,sbio,sbio);
SSL_set_connect_state(con);
/* ok, lets connect */
width=SSL_get_fd(con)+1;
read_tty=1;
write_tty=0;
tty_on=0;
read_ssl=1;
write_ssl=1;
cbuf_len=0;
cbuf_off=0;
sbuf_len=0;
sbuf_off=0;
/* This is an ugly hack that does a lot of assumptions */
if (starttls_proto == 1)
{
BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
if (starttls_proto == 2)
{
BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
for (;;)
{
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (SSL_in_init(con) && !SSL_total_renegotiations(con))
{
in_init=1;
tty_on=0;
}
else
{
tty_on=1;
if (in_init)
{
in_init=0;
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
if (starttls_proto)
{
BIO_printf(bio_err,"%s",mbuf);
/* We don't need to know any more */
starttls_proto = 0;
}
if (reconnect)
{
reconnect--;
BIO_printf(bio_c_out,"drop connection and then reconnect\n");
SSL_shutdown(con);
SSL_set_connect_state(con);
SHUTDOWN(SSL_get_fd(con));
goto re_start;
}
}
}
ssl_pending = read_ssl && SSL_pending(con);
if (!ssl_pending)
{
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
if (tty_on)
{
if (read_tty) FD_SET(fileno(stdin),&readfds);
if (write_tty) FD_SET(fileno(stdout),&writefds);
}
if (read_ssl)
FD_SET(SSL_get_fd(con),&readfds);
if (write_ssl)
FD_SET(SSL_get_fd(con),&writefds);
#else
if(!tty_on || !write_tty) {
if (read_ssl)
FD_SET(SSL_get_fd(con),&readfds);
if (write_ssl)
FD_SET(SSL_get_fd(con),&writefds);
}
#endif
/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
/* Note: under VMS with SOCKETSHR the second parameter
* is currently of type (int *) whereas under other
* systems it is (void *) if you don't have a cast it
* will choke the compiler: if you do have a cast then
* you can either go for (int *) or (void *).
*/
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
/* Under Windows/DOS we make the assumption that we can
* always write to the tty: therefore if we need to
* write to the tty we just fall through. Otherwise
* we timeout the select every second and see if there
* are any keypresses. Note: this is a hack, in a proper
* Windows application we wouldn't do this.
*/
i=0;
if(!write_tty) {
if(read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
if(!i && (!_kbhit() || !read_tty) ) continue;
#else
if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
#endif
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
#elif defined(OPENSSL_SYS_NETWARE)
if(!write_tty) {
if(read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
#else
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
#endif
if ( i < 0)
{
BIO_printf(bio_err,"bad select %d\n",
get_last_socket_error());
goto shut;
/* goto end; */
}
}
if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
{
k=SSL_write(con,&(cbuf[cbuf_off]),
(unsigned int)cbuf_len);
switch (SSL_get_error(con,k))
{
case SSL_ERROR_NONE:
cbuf_off+=k;
cbuf_len-=k;
if (k <= 0) goto end;
/* we have done a write(con,NULL,0); */
if (cbuf_len <= 0)
{
read_tty=1;
write_ssl=0;
}
else /* if (cbuf_len > 0) */
{
read_tty=0;
write_ssl=1;
}
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out,"write W BLOCK\n");
write_ssl=1;
read_tty=0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out,"write R BLOCK\n");
write_tty=0;
read_ssl=1;
write_ssl=0;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out,"write X BLOCK\n");
break;
case SSL_ERROR_ZERO_RETURN:
if (cbuf_len != 0)
{
BIO_printf(bio_c_out,"shutdown\n");
goto shut;
}
else
{
read_tty=1;
write_ssl=0;
break;
}
case SSL_ERROR_SYSCALL:
if ((k != 0) || (cbuf_len != 0))
{
BIO_printf(bio_err,"write:errno=%d\n",
get_last_socket_error());
goto shut;
}
else
{
read_tty=1;
write_ssl=0;
}
break;
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
/* Assume Windows/DOS can always write */
else if (!ssl_pending && write_tty)
#else
else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
#endif
{
#ifdef CHARSET_EBCDIC
ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
#endif
i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len);
if (i <= 0)
{
BIO_printf(bio_c_out,"DONE\n");
goto shut;
/* goto end; */
}
sbuf_len-=i;;
sbuf_off+=i;
if (sbuf_len <= 0)
{
read_ssl=1;
write_tty=0;
}
}
else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
{
#ifdef RENEG
{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
#endif
#if 1
k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
#else
/* Demo for pending and peek :-) */
k=SSL_read(con,sbuf,16);
{ char zbuf[10240];
printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
}
#endif
switch (SSL_get_error(con,k))
{
case SSL_ERROR_NONE:
if (k <= 0)
goto end;
sbuf_off=0;
sbuf_len=k;
read_ssl=0;
write_tty=1;
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out,"read W BLOCK\n");
write_ssl=1;
read_tty=0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out,"read R BLOCK\n");
write_tty=0;
read_ssl=1;
if ((read_tty == 0) && (write_ssl == 0))
write_ssl=1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out,"read X BLOCK\n");
break;
case SSL_ERROR_SYSCALL:
BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
goto shut;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_c_out,"closed\n");
goto shut;
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
/* break; */
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
else if (_kbhit())
#else
else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
#endif
#elif defined (OPENSSL_SYS_NETWARE)
else if (_kbhit())
#else
else if (FD_ISSET(fileno(stdin),&readfds))
#endif
{
if (crlf)
{
int j, lf_num;
i=read(fileno(stdin),cbuf,BUFSIZZ/2);
lf_num = 0;
/* both loops are skipped when i <= 0 */
for (j = 0; j < i; j++)
if (cbuf[j] == '\n')
lf_num++;
for (j = i-1; j >= 0; j--)
{
cbuf[j+lf_num] = cbuf[j];
if (cbuf[j] == '\n')
{
lf_num--;
i++;
cbuf[j+lf_num] = '\r';
}
}
assert(lf_num == 0);
}
else
i=read(fileno(stdin),cbuf,BUFSIZZ);
if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
{
BIO_printf(bio_err,"DONE\n");
goto shut;
}
if ((!c_ign_eof) && (cbuf[0] == 'R'))
{
BIO_printf(bio_err,"RENEGOTIATING\n");
SSL_renegotiate(con);
cbuf_len=0;
}
else
{
cbuf_len=i;
cbuf_off=0;
#ifdef CHARSET_EBCDIC
ebcdic2ascii(cbuf, cbuf, i);
#endif
}
write_ssl=1;
read_tty=0;
}
}
shut:
SSL_shutdown(con);
SHUTDOWN(SSL_get_fd(con));
ret=0;
end:
if(prexit) print_stuff(bio_c_out,con,1);
if (con != NULL) SSL_free(con);
if (con2 != NULL) SSL_free(con2);
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
if (key)
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
if (bio_c_out != NULL)
{
BIO_free(bio_c_out);
bio_c_out=NULL;
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
bool SslCrypt::init_server(const char* cert,
const char* key,
const char* clicacert, const char* chaincert)
{
if(_version == 23)
_pssl_accept = SSL_CTX_new(SSLv23_server_method());
// else if(_version == 2)
// _pssl_accept = SSL_CTX_new(SSLv2_server_method());
// else if(_version == 3)
// _pssl_accept = SSL_CTX_new(SSLv3_server_method());
else{
GLOGE("SSL_CTX_new("<<_version<<"_server_method())" << sslNerror());
return false;
}
if(0 == _pssl_accept)
{
GLOGE("SSL_CTX_new(SSLv23_server_method())" << sslNerror());
return false;
}
if(cert)
{
if(::access(cert,0)==0 )
{
if(0==SSL_CTX_use_certificate_file(_pssl_accept, cert, SSL_FILETYPE_PEM))
{
cout << "server:SSL_CTX_use_certificate_file" << cert <<" error: " << sslNerror();
return false;
}
}
else
{
GLOGW("File: " << cert << " not found");
}
}
if(key)
{
if(::access(key,0)==0)
{
if(0==SSL_CTX_use_PrivateKey_file(_pssl_accept, key, SSL_FILETYPE_PEM))
{
cout << "server:SSL_CTX_use_certificate_file" << key <<" error: " << sslNerror();
return false;
}
/*
if (!SSL_CTX_check_private_key(_pssl_accept))
{
cout << "server:SSL_CTX_check_private_key" << pem <<" error: " << sslNerror();
return false;
}
*/
}
else
{
GLOGW("File: " << key << " not found");
}
}
//SSL_CTX_load_and_set_client_CA_file(SSL_CTX *ctx, const char *file)
if(chaincert)
{
if(::access(chaincert,0)==0)
{
if(0 ==SSL_CTX_use_certificate_chain_file(_pssl_accept, chaincert))
{
cout << "server:SSL_CTX_use_certificate_chain_file" << chaincert <<" error: " << sslNerror();
return false;
}
else
{
GLOGW("File: " << chaincert << " not found");
}
}
else
{
GLOGW("File: " << chaincert << " not found");
}
}
_mutsize = sizeof(pthread_mutex_t) * CRYPTO_num_locks();
ssl_mutexes = (pthread_mutex_t *) malloc((size_t)_mutsize);
if(ssl_mutexes)
{
for (int i = 0; i < CRYPTO_num_locks(); i++)
{
pthread_mutex_init(&ssl_mutexes[i], 0);
}
}
CRYPTO_set_locking_callback(&ssl_locking_callback);
CRYPTO_set_id_callback(&ssl_id_callback);
return true;
}
BOOL tls_connect(rdpTls* tls)
{
CryptoCert cert;
long options = 0;
int connection_status;
char *hostname;
tls->ctx = SSL_CTX_new(TLSv1_client_method());
if (tls->ctx == NULL)
{
fprintf(stderr, "SSL_CTX_new failed\n");
return FALSE;
}
//SSL_CTX_set_mode(tls->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
/**
* SSL_OP_NO_COMPRESSION:
*
* The Microsoft RDP server does not advertise support
* for TLS compression, but alternative servers may support it.
* This was observed between early versions of the FreeRDP server
* and the FreeRDP client, and caused major performance issues,
* which is why we're disabling it.
*/
#ifdef SSL_OP_NO_COMPRESSION
options |= SSL_OP_NO_COMPRESSION;
#endif
/**
* SSL_OP_TLS_BLOCK_PADDING_BUG:
*
* The Microsoft RDP server does *not* support TLS padding.
* It absolutely needs to be disabled otherwise it won't work.
*/
options |= SSL_OP_TLS_BLOCK_PADDING_BUG;
/**
* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
*
* Just like TLS padding, the Microsoft RDP server does not
* support empty fragments. This needs to be disabled.
*/
options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
SSL_CTX_set_options(tls->ctx, options);
tls->ssl = SSL_new(tls->ctx);
if (tls->ssl == NULL)
{
fprintf(stderr, "SSL_new failed\n");
return FALSE;
}
if (SSL_set_fd(tls->ssl, tls->sockfd) < 1)
{
fprintf(stderr, "SSL_set_fd failed\n");
return FALSE;
}
connection_status = SSL_connect(tls->ssl);
if (connection_status <= 0)
{
if (tls_print_error("SSL_connect", tls->ssl, connection_status))
{
return FALSE;
}
}
cert = tls_get_certificate(tls, TRUE);
if (cert == NULL)
{
fprintf(stderr, "tls_connect: tls_get_certificate failed to return the server certificate.\n");
return FALSE;
}
tls->Bindings = tls_get_channel_bindings(cert->px509);
if (!crypto_cert_get_public_key(cert, &tls->PublicKey, &tls->PublicKeyLength))
{
fprintf(stderr, "tls_connect: crypto_cert_get_public_key failed to return the server public key.\n");
tls_free_certificate(cert);
return FALSE;
}
if (tls->settings->GatewayEnabled)
hostname = tls->settings->GatewayHostname;
else
hostname = tls->settings->ServerHostname;
if (!tls_verify_certificate(tls, cert, hostname))
{
fprintf(stderr, "tls_connect: certificate not trusted, aborting.\n");
tls_disconnect(tls);
tls_free_certificate(cert);
return FALSE;
}
tls_free_certificate(cert);
return TRUE;
}
bool SslCrypt::init_client(const char* cert,const char* key,const char* cacert)
{
if(_version == 23)
_pssl_connect = SSL_CTX_new(SSLv23_client_method());
// if(_version == 2)
// _pssl_connect = SSL_CTX_new(SSLv2_client_method());
// if(_version == 3)
// _pssl_connect = SSL_CTX_new(SSLv3_client_method());
else{
GLOGE("SSL version: '" << _version << "' No known!.")
return false;
}
if ( _pssl_connect ==0 )
{
GLOGE("SSL_CTX_new("<<_version<<"_client_method())" << sslNerror());
return false;
}
if(cert)
{
if(::access(cert,0)==0)
{
if(0==SSL_CTX_use_certificate_file(_pssl_connect, cert, SSL_FILETYPE_PEM))
{
cout << "client:SSL_CTX_use_certificate_file" << cert <<" error: " << sslNerror();
return false;
}
}
else
{
GLOGW("File: " << cert << " not found");
}
}
if(key)
{
if(::access(key,0)==0)
{
if(0==SSL_CTX_use_PrivateKey_file(_pssl_connect, key, SSL_FILETYPE_PEM))
{
cout << "client:SSL_CTX_use_PrivateKey_file" << key <<" error: " << sslNerror();
return false;
}
}
else
{
GLOGW("File: " << key << " not found");
}
}
/*
if ( !SSL_CTX_check_private_key(_pssl_connect) )
{
cout << "CHECK PRIVATE KEY:" << sslNerror();
}
*/
return true;
}
int main(int argc,char *argv[])
{
FILE *filehd;
struct sockaddr_in server;
int sock;
int choice;
char command[20];
int k, size, status,ret,j=0;
char usern[20],passwd[20],ip[15],shut[10],ch;
struct stat obj;
char filel[300],gfiln[20],pfnam[20],pfilc[1000],*f;
int err[5],p,auth[5],csize;
strcpy(ip,argv[1]);
printf("ip:%s\n",ip);
printf("enter username:\n");
scanf("%s",usern);
printf("enter password\n");
scanf("%s",passwd);
SSL_CTX *ctx; //SSL pointers
SSL *ssl;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == -1)
{
printf("socket creation failed\n");
exit(1);
}
strcpy(password,"clpfile");
SSL_library_init(); //SSL
SSL_load_error_strings();
const SSL_METHOD *meth=SSLv23_client_method(); //method
ctx=SSL_CTX_new(meth); //CTX Method
if(ctx==NULL)
{
printf("ctx method creation failed\n");
return -1;
}
load_certificate(ctx); //load_certificate call
server.sin_family=AF_INET;
server.sin_port = htons(3000);
inet_aton(ip,&(server.sin_addr));
k = connect(sock,(struct sockaddr*)&server, sizeof(server));
if(k == -1)
{
printf("Connect Error\n");
exit(1);
}
//int i = 1;
ssl=SSL_new(ctx); //SSL OBJECTS
if(ctx==NULL)
{
printf("unable to create ssl object \n");
return -1;
}
SSL_set_fd(ssl,sock);
ret=SSL_connect(ssl);
if(ret<0)
{
printf("error mapping ssl object\n");
return -1;
}
/*strcpy(mss,"hello world");
SSL_write(ssl,mss,sizeof(mss));*/
SSL_write(ssl,usern,sizeof(usern));
SSL_write(ssl,passwd,sizeof(passwd));
SSL_read(ssl,auth,sizeof(auth));
if(auth[0]!=0)
{
printf("invalid credentials!!\n");
printf("server shutting down\n");
SSL_shutdown(ssl);
close(sock);
exit(1);
}
while(1)
{
printf("Enter a choice:\n1. get 2. put 3.ls 4. help 5. quit\n");
scanf("%d", &choice);
switch(choice)
{
case 1:
strcpy(command,"get");
SSL_write(ssl,command,sizeof(command));
printf("enter file name\n");
scanf("%s",gfiln);
SSL_write(ssl,gfiln,sizeof(gfiln));
//printf("file name sent\n");
SSL_read(ssl,err,sizeof(err));
if(err[0]==1)
{
printf("file not found!!\n");
SSL_shutdown(ssl);
close(sock); //file not found
}
else
{
SSL_read(ssl,&csize,sizeof(int));
printf("file size=%d\n",csize);
f=malloc(csize);
SSL_read(ssl,f,csize);
getf(gfiln,f);
printf("file %s copied from server successfully !\n",gfiln);
//memset(f,'\0',csize);
}
break;
case 2:
strcpy(command,"put");
SSL_write(ssl,command,sizeof(command));
printf("enter file to be put:\n");
scanf("%s",pfnam);
filehd=fopen(pfnam,"r");
stat(pfnam,&obj);
csize = obj.st_size;
printf("file size=%d\n",csize);
if(filehd!=NULL)
{
SSL_write(ssl,pfnam,sizeof(pfnam));
SSL_write(ssl,&csize,sizeof(int));
f=malloc(csize);
putf(pfnam,f);
SSL_write(ssl,f,csize);
printf("%s\n",f);
printf("file sent successfully !!\n");
}
else
{
printf("file doesn't exsist !!\n");
SSL_shutdown(ssl);
close(sock);// close as file doesn't exsist
}
break;
case 3:
strcpy(command,"ls");
SSL_write(ssl,command,sizeof(command));
SSL_read(ssl,filel,sizeof(filel));
printf("list of files :\n%s \n",filel);
break;
case 4:
printf("command help! :\n");
printf("> get : get command can be used to get files from the server onto the client's systsem.\n");
printf("> put : put command can be used to put a file from client's system onto the server.\n");
printf("> ls : ls command lists the files in the current directory of the server.\n");
printf("> quit : terminates the connection \n");
break;
case 5:
strcpy(command,"quit");
SSL_write(ssl,command,sizeof(command));
shut[0]=-1;
SSL_write(ssl,shut,sizeof(shut));
printf("Server closed\nQuitting..\n");
SSL_shutdown(ssl);
close(sock);
exit(0);
}
}
SSL_shutdown(ssl);
close(sock);
return 0;
}
//--------------------------------------------------
// sends an OCSP_REQUES object to remore server and
// retrieves the OCSP_RESPONSE object
// resp - buffer to store the new responses pointer
// req - request objects pointer
// url - OCSP responder URL
//--------------------------------------------------
int ddocPullUrl(const char* url, DigiDocMemBuf* pSendData, DigiDocMemBuf* pRecvData,
const char* proxyHost, const char* proxyPort)
{
BIO* cbio = 0, *sbio = 0;
SSL_CTX *ctx = NULL;
char *host = NULL, *port = NULL, *path = "/", buf[200];
int err = ERR_OK, use_ssl = -1, rc;
long e;
//RETURN_IF_NULL_PARAM(pSendData); // may be null if nothing to send?
RETURN_IF_NULL_PARAM(pRecvData);
RETURN_IF_NULL_PARAM(url);
ddocDebug(3, "ddocPullUrl", "URL: %s, in: %d bytes", url, pSendData->nLen);
//there is an HTTP proxy - connect to that instead of the target host
if (proxyHost != 0 && *proxyHost != '\0') {
host = (char*)proxyHost;
if(proxyPort != 0 && *proxyPort != '\0')
port = (char*)proxyPort;
path = (char*)url;
} else {
if(OCSP_parse_url((char*)url, &host, &port, &path, &use_ssl) == 0) {
ddocDebug(1, "ddocPullUrl", "Failed to parse the URL");
return ERR_WRONG_URL_OR_PROXY;
}
}
if((cbio = BIO_new_connect(host)) != 0) {
if(port != NULL)
BIO_set_conn_port(cbio, port);
if(use_ssl == 1) {
ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
if ((rc = BIO_do_connect(cbio)) > 0) {
ddocDebug(4, "ddocPullUrl", "Connected: %d", rc);
if(pSendData && pSendData->nLen && pSendData->pMem) {
rc = BIO_write(cbio, pSendData->pMem, pSendData->nLen);
ddocDebug(4, "ddocPullUrl", "Sent: %d bytes, got: %d", pSendData->nLen, rc);
}
do {
memset(buf, 0, sizeof(buf));
rc = BIO_read(cbio, buf, sizeof(buf)-1);
ddocDebug(4, "ddocPullUrl", "Received: %d bytes\n", rc);
if(rc > 0)
err = ddocMemAppendData(pRecvData, buf, rc);
} while(rc > 0);
ddocDebug(4, "ddocPullUrl", "Total received: %d bytes\n", pRecvData->nLen);
} else {
//if no connection
e = checkErrors();
if(ERR_GET_REASON(e) == BIO_R_BAD_HOSTNAME_LOOKUP ||
ERR_GET_REASON(e) == OCSP_R_SERVER_WRITE_ERROR)
err = ERR_CONNECTION_FAILURE;
else
err = (host != NULL) ? ERR_WRONG_URL_OR_PROXY : ERR_CONNECTION_FAILURE;
}
BIO_free_all(cbio);
if (use_ssl != -1) {
OPENSSL_free(host);
OPENSSL_free(port);
OPENSSL_free(path);
SSL_CTX_free(ctx);
}
}
else
err = ERR_CONNECTION_FAILURE;
return(err);
}