const SSL_METHOD *sycDTLSv1_server_method(void) {
const SSL_METHOD *result;
Debug("DTLSv1_server_method()");
result = DTLSv1_server_method();
Debug1("DTLSv1_server_method() -> %p", result);
return result;
}
ssl_server * ssl_setup_server(int fd){
ssl_ensure_initialized();
SSL_CTX * ctx = SSL_CTX_new(DTLSv1_server_method());
{ // setup server SSL CTX
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5:!RC4");
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
if (!SSL_CTX_use_certificate_file(ctx, "certs/server-cert.pem", SSL_FILETYPE_PEM))
printf("\nERROR: no certificate found!");
if (!SSL_CTX_use_PrivateKey_file(ctx, "certs/server-key.pem", SSL_FILETYPE_PEM))
printf("\nERROR: no private key found!");
if (!SSL_CTX_check_private_key (ctx))
printf("\nERROR: invalid private key!");
/* Client has to authenticate */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
SSL_CTX_set_read_ahead(ctx, 1);
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
}
ssl_server * srv = alloc0(sizeof(ssl_server));
srv->ctx = ctx;
srv->fd = fd;
return srv;
}
static SSL_METHOD *dtls1_get_server_method(int ver)
{
if (ver == DTLS1_VERSION)
return(DTLSv1_server_method());
else
return(NULL);
}
static const SSL_METHOD *dtls1_get_server_method(int ver)
{
if (ver == DTLS_ANY_VERSION)
return DTLS_server_method();
else if (ver == DTLS1_VERSION)
return DTLSv1_server_method();
else if (ver == DTLS1_2_VERSION)
return DTLSv1_2_server_method();
else
return NULL;
}
bool VSslServer::doOpen()
{
VLock lock(stateOpenCs); // gilgil temp 2014.03.14
//
// Set server method
//
LOG_DEBUG("method=%s", qPrintable(methodType.str()));
switch (methodType)
{
#ifdef _WIN32 // Linux openssl does not support SSLv2_server_method
case VSslMethodType::mtSSLv2 : m_meth = (SSL_METHOD*)SSLv2_server_method(); break;
#endif // _WIN32
case VSslMethodType::mtSSLv3 : m_meth = (SSL_METHOD*)SSLv3_server_method(); break;
case VSslMethodType::mtSSLv23 : m_meth = (SSL_METHOD*)SSLv23_server_method(); break;
case VSslMethodType::mtTLSv1 : m_meth = (SSL_METHOD*)TLSv1_server_method(); break;
case VSslMethodType::mtTLSv1_1 : m_meth = (SSL_METHOD*)TLSv1_1_server_method(); break;
case VSslMethodType::mtTLSv1_2 : m_meth = (SSL_METHOD*)TLSv1_2_server_method(); break;
case VSslMethodType::mtDTLSv1 : m_meth = (SSL_METHOD*)DTLSv1_server_method(); break;
case VSslMethodType::mtNone :
default :
SET_ERROR(VSslError, QString("client method error(%1)").arg(methodType.str()), VSslError::INVALID_SSL_METHOD);
return false;
}
m_ctx = SSL_CTX_new(m_meth);
if (!SSL_CTX_set_tlsext_servername_callback(m_ctx, ssl_servername_cb))
{
LOG_ERROR("SSL_CTX_set_tlsext_servername_callback return false");
}
if (!SSL_CTX_set_tlsext_servername_arg(m_ctx, this))
{
LOG_ERROR("SSL_CTX_set_tlsext_servername_arg return false");
}
if (defaultKeyCrtFileName != "")
{
QString fileName = certificatePath;
QFileInfo fi(fileName);
// if (!fi.isAbsolute()) fileName = VApp::_filePath() + fileName; // gilgil temp 2014.12.25
if (!fi.isAbsolute()) fileName = QCoreApplication::applicationDirPath() + QDir::separator() + fileName; // gilgil temp 2014.12.25
if (!fileName.endsWith('/') && !fileName.endsWith('\\'))
{
fileName += QDir::separator();
}
fileName += defaultKeyCrtFileName;
if (!setup(fileName)) return false;
}
if (!VTcpServer::doOpen()) return false;
return true;
}
static const SSL_METHOD *dtls1_get_server_method(int ver)
{
switch (ver) {
case DTLS_ANY_VERSION:
return DTLS_server_method();
case DTLS1_VERSION:
return DTLSv1_server_method();
case DTLS1_2_VERSION:
return DTLSv1_2_server_method();
default:
return NULL;
}
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
#ifndef OPENSSL_NO_SSL3_METHOD
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
#endif
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
#ifdef TLS1_1_VERSION
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
#endif
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char *const test_case_name)
{
HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
DTLSv1_server_method());
fixture.process_heartbeat = dtls1_process_heartbeat;
/*
* As per dtls1_get_record(), skipping the following from the beginning
* of the returned heartbeat message: type-1 byte; version-2 bytes;
* sequence number-8 bytes; length-2 bytes And then skipping the 1-byte
* type encoded by process_heartbeat for a total of 14 bytes, at which
* point we can grab the length and the payload we seek.
*/
fixture.return_payload_offset = 14;
return fixture;
}
IoSecureServer *IoSecureServer_useDTLS(IoSecureServer *self, IoObject *locals, IoMessage *msg)
{
#ifdef DTLS_IMPLEMENTED
SSL_CTX *ctx = OCTX(self);
if(SSL_CTX_set_ssl_version(ctx, DTLSv1_server_method()) != 1)
{
ERR_print_errors_fp(stderr);
IoState_error_(IOSTATE, msg, "Error using DTLS");
return IONIL(self);
}
SSL_CTX_set_read_ahead(ctx, 1);
return self;
#else
IoState_error_(IOSTATE, msg, "Addon built against OpenSSL older than 0.9.8; DTLS is not supported.");
return IONIL(self);
#endif
}
SSL_CTX* EdSSLContext::buildServerCtx(int sslmethod, const char* certfile, const char* privkeyfile)
{
const SSL_METHOD *method;
switch (sslmethod)
{
case SSL_VER_TLSV1:
method = TLSv1_server_method();
break;
case SSL_VER_TLSV11:
method = TLSv1_1_server_method();
break;
case SSL_VER_V23:
method = SSLv23_server_method();
break;
case SSL_VER_V3:
method = SSLv3_server_method();
break;
case SSL_VER_DTLSV1:
method = DTLSv1_server_method();
break;
default:
method = NULL;
break;
}
if (method == NULL)
return NULL;
SSL_CTX* pctx = SSL_CTX_new(method);
int ret;
ret = SSL_CTX_use_certificate_file(pctx, certfile, SSL_FILETYPE_PEM);
dbgd("set cert file, ret=%d", ret);
ret = SSL_CTX_use_PrivateKey_file(pctx, privkeyfile, SSL_FILETYPE_PEM);
dbgd("set key file, ret=%d", ret);
if (!SSL_CTX_check_private_key(pctx))
{
dbge("### private key check error......");
SSL_CTX_free(pctx);
return NULL;
}
return pctx;
}
static const SSL_METHOD *swSSL_get_method(int method)
{
switch (method)
{
case SW_SSLv3_METHOD:
return SSLv3_method();
case SW_SSLv3_SERVER_METHOD:
return SSLv3_server_method();
case SW_SSLv3_CLIENT_METHOD:
return SSLv3_client_method();
case SW_SSLv23_SERVER_METHOD:
return SSLv23_server_method();
case SW_SSLv23_CLIENT_METHOD:
return SSLv23_client_method();
case SW_TLSv1_METHOD:
return TLSv1_method();
case SW_TLSv1_SERVER_METHOD:
return TLSv1_server_method();
case SW_TLSv1_CLIENT_METHOD:
return TLSv1_client_method();
case SW_TLSv1_1_METHOD:
return TLSv1_1_method();
case SW_TLSv1_1_SERVER_METHOD:
return TLSv1_1_server_method();
case SW_TLSv1_1_CLIENT_METHOD:
return TLSv1_1_client_method();
case SW_TLSv1_2_METHOD:
return TLSv1_2_method();
case SW_TLSv1_2_SERVER_METHOD:
return TLSv1_2_server_method();
case SW_TLSv1_2_CLIENT_METHOD:
return TLSv1_2_client_method();
case SW_DTLSv1_METHOD:
return DTLSv1_method();
case SW_DTLSv1_SERVER_METHOD:
return DTLSv1_server_method();
case SW_DTLSv1_CLIENT_METHOD:
return DTLSv1_client_method();
case SW_SSLv23_METHOD:
default:
return SSLv23_method();
}
return SSLv23_method();
}
int dtls_connection_init(struct packet_stream *ps, int active, struct dtls_cert *cert) {
struct dtls_connection *d;
unsigned long err;
if (!ps || !ps->sfd)
return 0;
__DBG("dtls_connection_init(%i)", active);
d = &ps->sfd->dtls;
if (d->init) {
if ((d->active && active) || (!d->active && !active))
goto done;
dtls_connection_cleanup(d);
}
d->ssl_ctx = SSL_CTX_new(active ? DTLSv1_client_method() : DTLSv1_server_method());
if (!d->ssl_ctx)
goto error;
if (SSL_CTX_use_certificate(d->ssl_ctx, cert->x509) != 1)
goto error;
if (SSL_CTX_use_PrivateKey(d->ssl_ctx, cert->pkey) != 1)
goto error;
SSL_CTX_set_verify(d->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
SSL_CTX_set_verify_depth(d->ssl_ctx, 4);
SSL_CTX_set_cipher_list(d->ssl_ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
if (SSL_CTX_set_tlsext_use_srtp(d->ssl_ctx, ciphers_str))
goto error;
if (SSL_CTX_set_read_ahead(d->ssl_ctx, 1))
goto error;
d->ssl = SSL_new(d->ssl_ctx);
if (!d->ssl)
goto error;
d->r_bio = BIO_new(BIO_s_mem());
d->w_bio = BIO_new(BIO_s_mem());
if (!d->r_bio || !d->w_bio)
goto error;
SSL_set_app_data(d->ssl, ps->sfd); /* XXX obj reference here? */
SSL_set_bio(d->ssl, d->r_bio, d->w_bio);
SSL_set_mode(d->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == NULL)
goto error;
SSL_set_options(d->ssl, SSL_OP_SINGLE_ECDH_USE);
SSL_set_tmp_ecdh(d->ssl, ecdh);
EC_KEY_free(ecdh);
d->init = 1;
d->active = active ? -1 : 0;
done:
return 0;
error:
err = ERR_peek_last_error();
if (d->r_bio)
BIO_free(d->r_bio);
if (d->w_bio)
BIO_free(d->w_bio);
if (d->ssl)
SSL_free(d->ssl);
if (d->ssl_ctx)
SSL_CTX_free(d->ssl_ctx);
ZERO(*d);
ilog(LOG_ERROR, "Failed to init DTLS connection: %s", ERR_reason_error_string(err));
return -1;
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = 0;
SOCKET_T clientfd = 0;
SSL_METHOD* method = 0;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
char msg[] = "I hear you fa shizzle!";
char input[80];
int idx;
int ch;
int version = SERVER_DEFAULT_VERSION;
int doCliCertCheck = 1;
int useAnyAddr = 0;
word16 port = yasslPort;
int usePsk = 0;
int useAnon = 0;
int doDTLS = 0;
int useNtruKey = 0;
int nonBlocking = 0;
int trackMemory = 0;
int fewerPackets = 0;
int pkCallbacks = 0;
int serverReadyFile = 0;
char* cipherList = NULL;
const char* verifyCert = cliCert;
const char* ourCert = svrCert;
const char* ourKey = svrKey;
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
#ifdef HAVE_SNI
char* sniHostName = NULL;
#endif
#ifdef HAVE_OCSP
int useOcsp = 0;
char* ocspUrl = NULL;
#endif
((func_args*)args)->return_code = -1; /* error state */
#ifdef NO_RSA
verifyCert = (char*)cliEccCert;
ourCert = (char*)eccCert;
ourKey = (char*)eccKey;
#endif
(void)trackMemory;
(void)pkCallbacks;
#ifdef CYASSL_TIRTOS
fdOpenSession(Task_self());
#endif
while ((ch = mygetopt(argc, argv, "?dbstnNufraPp:v:l:A:c:k:S:oO:")) != -1) {
switch (ch) {
case '?' :
Usage();
exit(EXIT_SUCCESS);
case 'd' :
doCliCertCheck = 0;
break;
case 'b' :
useAnyAddr = 1;
break;
case 's' :
usePsk = 1;
break;
case 't' :
#ifdef USE_CYASSL_MEMORY
trackMemory = 1;
#endif
break;
case 'n' :
useNtruKey = 1;
break;
case 'u' :
doDTLS = 1;
break;
case 'f' :
fewerPackets = 1;
break;
case 'r' :
serverReadyFile = 1;
break;
case 'P' :
#ifdef HAVE_PK_CALLBACKS
pkCallbacks = 1;
#endif
break;
case 'p' :
port = (word16)atoi(myoptarg);
#if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API)
if (port == 0)
err_sys("port number cannot be 0");
#endif
break;
case 'v' :
version = atoi(myoptarg);
if (version < 0 || version > 3) {
Usage();
exit(MY_EX_USAGE);
}
break;
case 'l' :
cipherList = myoptarg;
break;
case 'A' :
verifyCert = myoptarg;
break;
case 'c' :
ourCert = myoptarg;
break;
case 'k' :
ourKey = myoptarg;
break;
case 'N':
nonBlocking = 1;
break;
case 'S' :
#ifdef HAVE_SNI
sniHostName = myoptarg;
#endif
break;
case 'o' :
#ifdef HAVE_OCSP
useOcsp = 1;
#endif
break;
case 'O' :
#ifdef HAVE_OCSP
useOcsp = 1;
ocspUrl = myoptarg;
#endif
break;
case 'a' :
#ifdef HAVE_ANON
useAnon = 1;
#endif
break;
default:
Usage();
exit(MY_EX_USAGE);
}
}
myoptind = 0; /* reset for test cases */
/* sort out DTLS versus TLS versions */
if (version == CLIENT_INVALID_VERSION) {
if (doDTLS)
version = CLIENT_DTLS_DEFAULT_VERSION;
else
version = CLIENT_DEFAULT_VERSION;
}
else {
if (doDTLS) {
if (version == 3)
version = -2;
else
version = -1;
}
}
#ifdef USE_CYASSL_MEMORY
if (trackMemory)
InitMemoryTracker();
#endif
switch (version) {
#ifndef NO_OLD_TLS
case 0:
method = SSLv3_server_method();
break;
#ifndef NO_TLS
case 1:
method = TLSv1_server_method();
break;
case 2:
method = TLSv1_1_server_method();
break;
#endif
#endif
#ifndef NO_TLS
case 3:
method = TLSv1_2_server_method();
break;
#endif
#ifdef CYASSL_DTLS
case -1:
method = DTLSv1_server_method();
break;
case -2:
method = DTLSv1_2_server_method();
break;
#endif
default:
err_sys("Bad SSL version");
}
if (method == NULL)
err_sys("unable to get method");
ctx = SSL_CTX_new(method);
if (ctx == NULL)
err_sys("unable to get ctx");
if (cipherList)
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 1");
#ifdef CYASSL_LEANPSK
usePsk = 1;
#endif
#if defined(NO_RSA) && !defined(HAVE_ECC)
usePsk = 1;
#endif
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!usePsk && !useAnon) {
if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" CyaSSL home dir");
}
#endif
#ifdef HAVE_NTRU
if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= SSL_SUCCESS)
err_sys("can't load ntru key file, "
"Please run from CyaSSL home dir");
}
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!useNtruKey && !usePsk && !useAnon) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server private key file, check file and run "
"from CyaSSL home dir");
}
#endif
if (usePsk) {
#ifndef NO_PSK
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL) {
const char *defaultCipherList;
#ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2");
}
#endif
}
if (useAnon) {
#ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 4");
}
#endif
}
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* if not using PSK, verify peer with certs */
if (doCliCertCheck && usePsk == 0 && useAnon == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from CyaSSL home dir");
}
#endif
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
ssl = SSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL");
#ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
CYASSL_CRL_START_MON);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
#ifdef HAVE_PK_CALLBACKS
if (pkCallbacks)
SetupPkCallbacks(ctx, ssl);
#endif
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, doDTLS,
serverReadyFile);
if (!doDTLS)
CloseSocket(sockfd);
SSL_set_fd(ssl, clientfd);
if (usePsk == 0 || useAnon == 1 || cipherList != NULL) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH)
CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
#elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif
}
#ifndef CYASSL_CALLBACKS
if (nonBlocking) {
CyaSSL_set_using_nonblock(ssl, 1);
tcp_set_nonblocking(&clientfd);
NonBlockingSSL_Accept(ssl);
} else if (SSL_accept(ssl) != SSL_SUCCESS) {
int err = SSL_get_error(ssl, 0);
char buffer[CYASSL_MAX_ERROR_SZ];
printf("error = %d, %s\n", err, ERR_error_string(err, buffer));
err_sys("SSL_accept failed");
}
#else
NonBlockingSSL_Accept(ssl);
#endif
showPeer(ssl);
idx = SSL_read(ssl, input, sizeof(input)-1);
if (idx > 0) {
input[idx] = 0;
printf("Client message: %s\n", input);
}
else if (idx < 0) {
int readErr = SSL_get_error(ssl, 0);
if (readErr != SSL_ERROR_WANT_READ)
err_sys("SSL_read failed");
}
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
#if defined(CYASSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
os_dly_wait(500) ;
#elif defined (CYASSL_TIRTOS)
Task_yield();
#endif
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
CloseSocket(clientfd);
((func_args*)args)->return_code = 0;
#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \
&& defined(HAVE_THREAD_LS)
ecc_fp_free(); /* free per thread cache */
#endif
#ifdef USE_CYASSL_MEMORY
if (trackMemory)
ShowMemoryTracker();
#endif
#ifdef CYASSL_TIRTOS
fdCloseSession(Task_self());
#endif
#ifndef CYASSL_TIRTOS
return 0;
#endif
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = 0;
int clientfd = 0;
SSL_METHOD* method = 0;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
char msg[] = "I hear you fa shizzle!";
char input[1024];
int idx;
int ch;
int version = SERVER_DEFAULT_VERSION;
int doCliCertCheck = 1;
int useAnyAddr = 0;
int port = yasslPort;
int usePsk = 0;
int doDTLS = 0;
int useNtruKey = 0;
char* cipherList = NULL;
char* verifyCert = (char*)cliCert;
char* ourCert = (char*)svrCert;
char* ourKey = (char*)svrKey;
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
((func_args*)args)->return_code = -1; /* error state */
while ((ch = mygetopt(argc, argv, "?dbsnup:v:l:A:c:k:")) != -1) {
switch (ch) {
case '?' :
Usage();
exit(EXIT_SUCCESS);
case 'd' :
doCliCertCheck = 0;
break;
case 'b' :
useAnyAddr = 1;
break;
case 's' :
usePsk = 1;
break;
case 'n' :
useNtruKey = 1;
break;
case 'u' :
doDTLS = 1;
version = -1; /* DTLS flag */
break;
case 'p' :
port = atoi(myoptarg);
break;
case 'v' :
version = atoi(myoptarg);
if (version < 0 || version > 3) {
Usage();
exit(MY_EX_USAGE);
}
if (doDTLS)
version = -1; /* stay with DTLS */
break;
case 'l' :
cipherList = myoptarg;
break;
case 'A' :
verifyCert = myoptarg;
break;
case 'c' :
ourCert = myoptarg;
break;
case 'k' :
ourKey = myoptarg;
break;
default:
Usage();
exit(MY_EX_USAGE);
}
}
argc -= myoptind;
argv += myoptind;
myoptind = 0; /* reset for test cases */
switch (version) {
case 0:
method = SSLv3_server_method();
break;
case 1:
method = TLSv1_server_method();
break;
case 2:
method = TLSv1_1_server_method();
break;
case 3:
method = TLSv1_2_server_method();
break;
#ifdef CYASSL_DTLS
case -1:
method = DTLSv1_server_method();
break;
#endif
default:
err_sys("Bad SSL version");
}
if (method == NULL)
err_sys("unable to get method");
ctx = SSL_CTX_new(method);
if (ctx == NULL)
err_sys("unable to get ctx");
if (cipherList)
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("can't set cipher list");
if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" CyaSSL home dir");
#ifdef HAVE_NTRU
if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= SSL_SUCCESS)
err_sys("can't load ntru key file, "
"Please run from CyaSSL home dir");
}
#endif
if (!useNtruKey) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" CyaSSL home dir");
}
#ifndef NO_PSK
if (usePsk) {
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL)
if (SSL_CTX_set_cipher_list(ctx,"PSK-AES256-CBC-SHA") !=SSL_SUCCESS)
err_sys("can't set cipher list");
}
#endif
/* if not using PSK, verify peer with certs */
if (doCliCertCheck && usePsk == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from CyaSSL home dir");
}
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
/* don't use EDH, can't sniff tmp keys */
if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA") != SSL_SUCCESS)
err_sys("can't set cipher list");
#endif
ssl = SSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL");
#ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
CYASSL_CRL_START_MON);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, doDTLS);
if (!doDTLS)
CloseSocket(sockfd);
SSL_set_fd(ssl, clientfd);
#ifdef NO_PSK
#if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
#else
SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */
#endif
#endif
#ifdef NON_BLOCKING
tcp_set_nonblocking(&clientfd);
NonBlockingSSL_Accept(ssl);
#else
#ifndef CYASSL_CALLBACKS
if (SSL_accept(ssl) != SSL_SUCCESS) {
int err = SSL_get_error(ssl, 0);
char buffer[80];
printf("error = %d, %s\n", err, ERR_error_string(err, buffer));
err_sys("SSL_accept failed");
}
#else
NonBlockingSSL_Accept(ssl);
#endif
#endif
showPeer(ssl);
idx = SSL_read(ssl, input, sizeof(input));
if (idx > 0) {
input[idx] = 0;
printf("Client message: %s\n", input);
}
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
CloseSocket(clientfd);
((func_args*)args)->return_code = 0;
return 0;
}
void DataPlaneServer::start() {
server_addr.s6.sin6_family = AF_INET6;
// we listen on public IP, which is the one stored in the DB.
struct in6_addr servIp;
inet_pton(AF_INET6, qSql->getLocalIP().toUtf8().data(), &servIp);
server_addr.s6.sin6_addr = servIp; //in6addr_any;
server_addr.s6.sin6_port = htons(DATAPLANEPORT);
const int on = 1, off = 0;
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
ctx = SSL_CTX_new(DTLSv1_server_method());
SSL_CTX_set_cipher_list(ctx, DTLS_ENCRYPT);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
// get certificate and key from SQL & use them
ConnectionInitiator* i = ConnectionInitiator::getInstance();
QSslCertificate cert = i->getLocalCertificate();
QByteArray certBytesPEM = cert.toPem();
char* x509buffer = certBytesPEM.data();
BIO *bi;
bi = BIO_new_mem_buf(x509buffer, certBytesPEM.length());
X509 *x;
x = PEM_read_bio_X509(bi, NULL, NULL, NULL);
if (!SSL_CTX_use_certificate(ctx,x)) {
qWarning() << "ERROR: no certificate found!";
UnixSignalHandler::termSignalHandler(0);
}
if (x != NULL) X509_free(x);
if (bi != NULL) BIO_free(bi);
QSslKey key = i->getPrivateKey();
QByteArray keyBytesPEM = key.toPem();
char* keyBuffer = keyBytesPEM.data();
bi = BIO_new_mem_buf(keyBuffer, keyBytesPEM.length());
EVP_PKEY *pkey;
pkey = PEM_read_bio_PrivateKey(bi, NULL, NULL, NULL);
if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
qWarning() << "ERROR: no private key found!";
UnixSignalHandler::termSignalHandler(0);
}
if (pkey != NULL) EVP_PKEY_free(pkey);
if (bi != NULL) BIO_free(bi);
if (!SSL_CTX_check_private_key (ctx)) {
qWarning() << "ERROR: invalid private key!";
UnixSignalHandler::termSignalHandler(0);
}
/* Client has to authenticate */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
SSL_CTX_set_read_ahead(ctx, 1);
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
fd = socket(server_addr.ss.ss_family, SOCK_DGRAM, 0);
if (fd < 0) {
qWarning() << "Could not open SOCK_DGRAM";
UnixSignalHandler::termSignalHandler(0);
}
#ifdef WIN32
setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const char*) &on, (socklen_t) sizeof(on));
#else
setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void*) &on, (socklen_t) sizeof(on));
#ifdef SO_REUSEPORT
setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void*) &on, (socklen_t) sizeof(on));
#endif
#endif
setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&off, sizeof(off));
bind(fd, (const struct sockaddr *) &server_addr, sizeof(struct sockaddr_in6));
notif = new QSocketNotifier(fd, QSocketNotifier::Read);
connect(notif, SIGNAL(activated(int)), this, SLOT(readyRead(int)));
}
static int openssl_ssl_ctx_new(lua_State*L)
{
const char* meth = luaL_optstring(L, 1, "TLSv1");
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
const
#endif
SSL_METHOD* method = NULL;
const char* ciphers;
SSL_CTX* ctx;
if (strcmp(meth, "SSLv3") == 0)
method = SSLv3_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_server") == 0)
method = SSLv3_server_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv3_client") == 0)
method = SSLv3_client_method(); /* SSLv3 */
else if (strcmp(meth, "SSLv23") == 0)
method = SSLv23_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_server") == 0)
method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "SSLv23_client") == 0)
method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */
else if (strcmp(meth, "TLSv1_1") == 0)
method = TLSv1_1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_server") == 0)
method = TLSv1_1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_1_client") == 0)
method = TLSv1_1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2") == 0)
method = TLSv1_2_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_server") == 0)
method = TLSv1_2_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_2_client") == 0)
method = TLSv1_2_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1") == 0)
method = TLSv1_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_server") == 0)
method = TLSv1_server_method(); /* TLSv1.0 */
else if (strcmp(meth, "TLSv1_client") == 0)
method = TLSv1_client_method(); /* TLSv1.0 */
else if (strcmp(meth, "DTLSv1") == 0)
method = DTLSv1_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_server") == 0)
method = DTLSv1_server_method(); /* DTLSv1.0 */
else if (strcmp(meth, "DTLSv1_client") == 0)
method = DTLSv1_client_method(); /* DTLSv1.0 */
#ifndef OPENSSL_NO_SSL2
#if OPENSSL_VERSION_NUMBER < 0x10100000L
else if (strcmp(meth, "SSLv2") == 0)
method = SSLv2_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_server") == 0)
method = SSLv2_server_method(); /* SSLv2 */
else if (strcmp(meth, "SSLv2_client") == 0)
method = SSLv2_client_method();
#endif
#ifdef LOAD_SSL_CUSTOM
LOAD_SSL_CUSTOM
#endif
#endif
else
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST);
ctx = SSL_CTX_new(method);
if (!ctx)
luaL_error(L, "#1:%s not supported\n"
"Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
"default is SSLv3",
meth);
openssl_newvalue(L, ctx);
SSL_CTX_set_cipher_list(ctx, ciphers);
PUSH_OBJECT(ctx, "openssl.ssl_ctx");
SSL_CTX_set_app_data(ctx, L);
return 1;
}
/*
* \brief Initialize OpenSSl of Verse server
*/
static int vs_init_ssl(VS_CTX *vs_ctx)
{
/* Set up the library */
SSL_library_init();
ERR_load_BIO_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
/* Set up SSL context for TLS */
if( (vs_ctx->tls_ctx = SSL_CTX_new(TLSv1_server_method())) == NULL ) {
v_print_log(VRS_PRINT_ERROR, "Setting up SSL_CTX failed.\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load certificate chain file from CA */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_use_certificate_chain_file(vs_ctx->tls_ctx, vs_ctx->ca_cert_file) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading certificate chain file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
/* Load certificate with public key for TLS */
if(SSL_CTX_use_certificate_file(vs_ctx->tls_ctx, vs_ctx->public_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading certificate file: %s failed.\n",
vs_ctx->public_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load private key for TLS */
if(SSL_CTX_use_PrivateKey_file(vs_ctx->tls_ctx, vs_ctx->private_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading private key file: %s failed.\n",
vs_ctx->private_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Check the consistency of a private key with the corresponding
* certificate loaded into ssl_ctx */
if(SSL_CTX_check_private_key(vs_ctx->tls_ctx) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Private key does not match the certificate public key\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* When CA certificate file was set, then try to load it */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_load_verify_locations(vs_ctx->tls_ctx, vs_ctx->ca_cert_file, NULL) != 1) {
v_print_log(VRS_PRINT_ERROR, "TLS: Loading CA certificate file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
#if OPENSSL_VERSION_NUMBER>=0x10000000
/* Set up SSL context for DTLS */
if( (vs_ctx->dtls_ctx = SSL_CTX_new(DTLSv1_server_method())) == NULL ) {
v_print_log(VRS_PRINT_ERROR, "Setting up SSL_CTX failed.\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load certificate chain file from CA */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_use_certificate_chain_file(vs_ctx->dtls_ctx, vs_ctx->ca_cert_file) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading certificate chain file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
/* Load certificate with public key for DTLS */
if (SSL_CTX_use_certificate_file(vs_ctx->dtls_ctx, vs_ctx->public_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading certificate file: %s failed.\n",
vs_ctx->public_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Load private key for DTLS */
if(SSL_CTX_use_PrivateKey_file(vs_ctx->dtls_ctx, vs_ctx->private_cert_file, SSL_FILETYPE_PEM) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading private key file: %s failed.\n",
vs_ctx->private_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
/* Check the consistency of a private key with the corresponding
* certificate loaded into ssl_ctx */
if(SSL_CTX_check_private_key(vs_ctx->dtls_ctx) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Private key does not match the certificate public key\n");
ERR_print_errors_fp(v_log_file());
return -1;
}
/* When CA certificate file was set, then try to load it */
if(vs_ctx->ca_cert_file != NULL) {
if(SSL_CTX_load_verify_locations(vs_ctx->dtls_ctx, vs_ctx->ca_cert_file, NULL) != 1) {
v_print_log(VRS_PRINT_ERROR, "DTLS: Loading CA certificate file: %s failed.\n",
vs_ctx->ca_cert_file);
ERR_print_errors_fp(v_log_file());
return -1;
}
}
/* Set up callback functions for DTLS cookie */
SSL_CTX_set_cookie_generate_cb(vs_ctx->dtls_ctx, vs_dtls_generate_cookie);
SSL_CTX_set_cookie_verify_cb(vs_ctx->dtls_ctx, vs_dtls_verify_cookie);
/* Accept all cipher including NULL cipher (testing) */
if( SSL_CTX_set_cipher_list(vs_ctx->dtls_ctx, "ALL:NULL:eNULL:aNULL") == 0) {
v_print_log(VRS_PRINT_ERROR, "Setting ciphers for DTLS failed.\n");
ERR_print_errors_fp(v_log_file());
return 0;
}
/* DTLS require this */
SSL_CTX_set_read_ahead(vs_ctx->dtls_ctx, 1);
#else
vs_ctx->dtls_ctx = NULL;
#endif
return 1;
}
int
main(int argc, char **argv) {
int sockfd = 0;
int on = 1;
struct sockaddr_in6 listen_addr = { AF_INET6, htons(20220), 0, IN6ADDR_ANY_INIT, 0 };
size_t addr_size = sizeof(struct sockaddr_in6);
fd_set fds[2];
int result, flags;
int idx, res = 0;
struct timeval timeout;
struct sigaction act, oact;
#ifdef WITH_DTLS
SSL_CTX *ctx;
memset(ssl_peer_storage, 0, sizeof(ssl_peer_storage));
SSL_load_error_strings();
SSL_library_init();
ctx = SSL_CTX_new(DTLSv1_server_method());
SSL_CTX_set_cipher_list(ctx, "ALL");
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
res = SSL_CTX_use_certificate_file(ctx, SERVER_CERT_PEM, SSL_FILETYPE_PEM);
if (res != 1) {
fprintf(stderr, "cannot read server certificate from file '%s' (%s)\n",
SERVER_CERT_PEM, ERR_error_string(res,NULL));
goto end;
}
res = SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY_PEM, SSL_FILETYPE_PEM);
if (res != 1) {
fprintf(stderr, "cannot read server key from file '%s' (%s)\n",
SERVER_KEY_PEM, ERR_error_string(res,NULL));
goto end;
}
res = SSL_CTX_check_private_key (ctx);
if (res != 1) {
fprintf(stderr, "invalid private key\n");
goto end;
}
res = SSL_CTX_load_verify_locations(ctx, CA_CERT_PEM, NULL);
if (res != 1) {
fprintf(stderr, "cannot read ca file '%s'\n", CA_CERT_PEM);
goto end;
}
/* Client has to authenticate */
/* Client has to authenticate */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
SSL_CTX_set_read_ahead(ctx, 1); /* disable read-ahead */
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
SSL_CTX_use_psk_identity_hint(ctx, "Enter password for CoAP-Gateway");
SSL_CTX_set_psk_server_callback(ctx, psk_server_callback);
SSL_CTX_set_info_callback(ctx, info_callback);
#endif
sockfd = socket(listen_addr.sin6_family, SOCK_DGRAM, 0);
if ( sockfd < 0 ) {
perror("socket");
return -1;
}
if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on) ) < 0)
perror("setsockopt SO_REUSEADDR");
flags = fcntl(sockfd, F_GETFL, 0);
if (flags < 0 || fcntl(sockfd, F_SETFL, flags | O_NONBLOCK) < 0) {
perror("fcntl");
return -1;
}
on = 1;
if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &on, sizeof(on) ) < 0) {
perror("setsockopt IPV6_PKTINFO");
}
if (bind (sockfd, (const struct sockaddr *)&listen_addr, addr_size) < 0) {
perror("bind");
res = -2;
goto end;
}
act.sa_handler = handle_sigint;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
sigaction(SIGINT, &act, &oact);
while (!quit) {
FD_ZERO(&fds[READ]);
FD_ZERO(&fds[WRITE]);
FD_SET(sockfd, &fds[READ]);
timeout.tv_sec = 1;
timeout.tv_usec = 0;
result = select( FD_SETSIZE, &fds[READ], &fds[WRITE], 0, &timeout);
if (result < 0) { /* error */
if (errno != EINTR)
perror("select");
} else if (result > 0) { /* read from socket */
if ( FD_ISSET( sockfd, &fds[READ]) ) {
_read(ctx, sockfd); /* read received data */
} else if ( FD_ISSET( sockfd, &fds[WRITE]) ) { /* write to socket */
_write(ctx, sockfd); /* write data */
}
} else { /* timeout */
check_timeout();
}
remove_closed();
}
end:
#ifdef WITH_DTLS
for (idx = 0; idx < MAX_SSL_PEERS; idx++) {
if (ssl_peer_storage[idx] && ssl_peer_storage[idx]->ssl) {
if (ssl_peer_storage[idx]->state == PEER_ST_ESTABLISHED)
SSL_shutdown(ssl_peer_storage[idx]->ssl);
SSL_free(ssl_peer_storage[idx]->ssl);
}
}
SSL_CTX_free(ctx);
#endif
close(sockfd); /* don't care if we close stdin at this point */
return res;
}
gboolean fbConnSpecInitTLS(
fbConnSpec_t *spec,
gboolean passive,
GError **err)
{
const SSL_METHOD *tlsmeth = NULL;
SSL_CTX *ssl_ctx = NULL;
gboolean ok = TRUE;
/* Initialize the library and error strings */
SSL_library_init();
SSL_load_error_strings();
/*
* Select a TLS method based on passivity and transport.
* Shortcircuit on no TLS initialization necessary for sockets.
*/
switch (spec->transport) {
#if FB_ENABLE_SCTP
case FB_SCTP:
#endif
case FB_TCP:
case FB_UDP:
return TRUE;
#if HAVE_OPENSSL_DTLS_SCTP
case FB_DTLS_SCTP:
tlsmeth = passive ? DTLSv1_server_method() : DTLSv1_client_method();
break;
#endif
case FB_TLS_TCP:
tlsmeth = passive ? TLSv1_server_method() : TLSv1_client_method();
break;
#if HAVE_OPENSSL_DTLS
case FB_DTLS_UDP:
tlsmeth = passive ? DTLSv1_server_method() : DTLSv1_client_method();
break;
#endif
default:
g_set_error(err, FB_ERROR_DOMAIN, FB_ERROR_IMPL,
"Unsupported TLS method.");
return FALSE;
}
/* Verify we have all the files we need */
g_assert(spec->ssl_ca_file);
g_assert(spec->ssl_cert_file);
g_assert(spec->ssl_key_file);
/* nuke the old context if there is one */
if (spec->vssl_ctx) {
SSL_CTX_free((SSL_CTX *)spec->vssl_ctx);
spec->vssl_ctx = NULL;
}
/* create an SSL_CTX object */
ssl_ctx = SSL_CTX_new(tlsmeth);
if (!ssl_ctx) {
g_set_error(err, FB_ERROR_DOMAIN, FB_ERROR_CONN,
"Cannot create SSL context: %s",
ERR_error_string(ERR_get_error(), NULL));
while (ERR_get_error());
ok = FALSE;
goto end;
}
/* Set up password callback */
SSL_CTX_set_default_passwd_cb(ssl_ctx, fbConnSpecGetTLSPassword);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, spec->ssl_key_pass);
/* Load CA certificate */
if (SSL_CTX_load_verify_locations(ssl_ctx,
spec->ssl_ca_file, NULL) != 1) {
ok = FALSE;
g_set_error(err, FB_ERROR_DOMAIN, FB_ERROR_CONN,
"Failed to load certificate authority file %s: %s",
spec->ssl_ca_file, ERR_error_string(ERR_get_error(), NULL));
while (ERR_get_error());
goto end;
}
/* Load certificate */
if (SSL_CTX_use_certificate_chain_file(ssl_ctx,
spec->ssl_cert_file) != 1) {
ok = FALSE;
g_set_error(err, FB_ERROR_DOMAIN, FB_ERROR_CONN,
"Failed to load certificate file %s: %s",
spec->ssl_cert_file,
ERR_error_string(ERR_get_error(), NULL));
while (ERR_get_error());
goto end;
}
/* Load private key */
if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
spec->ssl_key_file,
SSL_FILETYPE_PEM) != 1) {
ok = FALSE;
g_set_error(err, FB_ERROR_DOMAIN, FB_ERROR_CONN,
"Failed to load private key file %s: %s",
spec->ssl_key_file,
ERR_error_string(ERR_get_error(), NULL));
while (ERR_get_error());
goto end;
}
/* Require verification */
SSL_CTX_set_verify(ssl_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
fbConnSpecVerifyTLSCert);
/* Stash SSL context in specifier */
spec->vssl_ctx = ssl_ctx;
end:
/* free incomplete SSL context */
if (!ok) SSL_CTX_free(ssl_ctx);
return ok;
}
SSL_CTX *dtls_setup_ssl_server (void)
{
SSL_METHOD *meth = NULL;
SSL_CTX *ctx = NULL;
int s_server_verify = SSL_VERIFY_CLIENT_ONCE; //SSL_VERIFY_NONE;
if (!dtls_bio_err)
{
SSL_library_init ();
ERR_clear_error ();
SSL_load_error_strings ();
OpenSSL_add_all_algorithms ();
dtls_bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
}
meth = DTLSv1_server_method (); // Support DTLS v1 server - Datagram TLS - requires openSSL > v0.9.8
ctx = SSL_CTX_new (meth); // New SSL CTX object as Framework to establish new SSL connections
if (NULL == ctx)
{
dtls_report_berr ("%s: %s(): ERROR: SSL_ctx_new - DTLSv1_server_method\n", __FILE__, __func__);
}
SSL_CTX_set_quiet_shutdown (ctx, 1);
if (!SSL_CTX_use_certificate_chain_file (ctx, DTLS_CERT))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("Error loading the file \"%s\" - %s\n", DTLS_CERT, strerror (errno));
}
// SSL_CTX_set_default_passwd_cb (ctx, dtls_password_cb);
if (!SSL_CTX_use_PrivateKey_file (ctx, DTLS_KEY_CERT, SSL_FILETYPE_PEM))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("Error loading the private key from the file \"%s\" - %s\n", DTLS_KEY_CERT, strerror (errno));
}
if (!SSL_CTX_check_private_key (ctx))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("%s: %s(): Private key does not match the certificate\n", __FILE__, __func__);
}
if (!SSL_CTX_load_verify_locations (ctx, DTLS_CA_CERT, 0))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("Error loading the CA file - %s\n", strerror (errno));
}
dtls_generate_rsa_key (ctx);
// SSL_CTX_set_verify_depth (ctx, 2);
SSL_CTX_set_verify(ctx, s_server_verify, dtls_verify_callback);
SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_set_session_id_context (ctx, "dtls-example", strlen ("dtls-example"));
#ifdef DEBUG
SSL_CTX_set_info_callback (ctx, dtls_info_callback);
#endif
SSL_CTX_set_read_ahead (ctx, 1); // Specific for DTLS
return ctx;
}
THREAD_RETURN CYASSL_API echoserver_test(void* args)
{
SOCKET_T sockfd = 0;
SSL_METHOD* method = 0;
SSL_CTX* ctx = 0;
int shutdown = 0;
int argc = 0;
char** argv = 0;
#ifdef ECHO_OUT
FILE* fout = stdout;
if (argc >= 2) fout = fopen(argv[1], "w");
if (!fout) err_sys("can't open output file");
#endif
((func_args*)args)->return_code = -1; /* error state */
argc = ((func_args*)args)->argc;
argv = ((func_args*)args)->argv;
tcp_listen(&sockfd);
#if defined(CYASSL_DTLS)
method = DTLSv1_server_method();
#elif !defined(NO_TLS)
method = TLSv1_server_method();
#else
method = SSLv3_server_method();
#endif
ctx = SSL_CTX_new(method);
/* SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */
if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file");
if (SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file");
if (SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server key file");
SignalReady(args);
while (!shutdown) {
SSL* ssl = 0;
char command[1024];
int echoSz = 0;
int clientfd;
#ifndef CYASSL_DTLS
SOCKADDR_IN_T client;
socklen_t client_len = sizeof(client);
clientfd = accept(sockfd, (struct sockaddr*)&client,
(ACCEPT_THIRD_T)&client_len);
#else
clientfd = udp_read_connect(sockfd);
#endif
if (clientfd == -1) err_sys("tcp accept failed");
ssl = SSL_new(ctx);
SSL_set_fd(ssl, clientfd);
if (SSL_accept(ssl) != SSL_SUCCESS) {
printf("SSL_accept failed");
SSL_free(ssl);
CloseSocket(clientfd);
continue;
}
while ( (echoSz = SSL_read(ssl, command, sizeof(command))) > 0) {
if ( strncmp(command, "quit", 4) == 0) {
printf("client sent quit command: shutting down!\n");
shutdown = 1;
break;
}
if ( strncmp(command, "break", 5) == 0) {
printf("client sent break command: closing session!\n");
break;
}
else if ( strncmp(command, "GET", 3) == 0) {
char type[] = "HTTP/1.0 200 ok\r\nContent-type:"
" text/html\r\n\r\n";
char header[] = "<html><body BGCOLOR=\"#ffffff\">\n<pre>\n";
char body[] = "greetings from CyaSSL\n";
char footer[] = "</body></html>\r\n\r\n";
strncpy(command, type, sizeof(type));
echoSz = sizeof(type) - 1;
strncpy(&command[echoSz], header, sizeof(header));
echoSz += sizeof(header) - 1;
strncpy(&command[echoSz], body, sizeof(body));
echoSz += sizeof(body) - 1;
strncpy(&command[echoSz], footer, sizeof(footer));
echoSz += sizeof(footer);
if (SSL_write(ssl, command, echoSz) != echoSz)
err_sys("SSL_write failed");
break;
}
command[echoSz] = 0;
#ifdef ECHO_OUT
fputs(command, fout);
#endif
if (SSL_write(ssl, command, echoSz) != echoSz)
err_sys("SSL_write failed");
}
SSL_shutdown(ssl);
SSL_free(ssl);
CloseSocket(clientfd);
#ifdef CYASSL_DTLS
tcp_listen(&sockfd);
SignalReady(args);
#endif
}
CloseSocket(sockfd);
SSL_CTX_free(ctx);
((func_args*)args)->return_code = 0;
return 0;
}
static int _tls_session_init_server(tls_session_t *s,
const tls_init_config_t *cfg)
{
int r;
SSL_METHOD *method = 0;
ASSERT(cfg->tls.server.server_cert != NULL);
ASSERT(cfg->tls.server.server_key != NULL);
#if defined(CYASSL_DTLS)
method = DTLSv1_server_method();
#elif !defined(NO_TLS)
method = SSLv23_server_method();
#else
method = SSLv3_server_method();
#endif
s->ctx = SSL_CTX_new(method);
#ifndef NO_PSK
/* do PSK */
SSL_CTX_set_psk_server_callback(s->ctx, my_psk_server_cb);
SSL_CTX_use_psk_identity_hint(s->ctx, "cyassl server");
SSL_CTX_set_cipher_list(s->ctx, "PSK-AES256-CBC-SHA");
#else
if (cfg->flags & TLS_CHECK_CLIENT_CERT) {
/* not using PSK, verify peer with certs */
SSL_CTX_set_verify(s->ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
} else {
SSL_CTX_set_verify(s->ctx, SSL_VERIFY_NONE, 0);
}
#endif
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(s->ctx, PasswordCallBack);
#endif
#ifndef NO_FILESYSTEM
/* for client auth */
if (SSL_CTX_load_verify_locations(s->ctx, cliCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from CyaSSL home dir");
#ifdef HAVE_ECC
if (SSL_CTX_use_certificate_file(s->ctx, eccCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server ecc cert file, "
"Please run from CyaSSL home dir");
if (SSL_CTX_use_PrivateKey_file(s->ctx, eccKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server ecc key file, "
"Please run from CyaSSL home dir");
#elif HAVE_NTRU
if (SSL_CTX_use_certificate_file(s->ctx, ntruCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load ntru cert file, "
"Please run from CyaSSL home dir");
if (CyaSSL_CTX_use_NTRUPrivateKey_file(s->ctx, ntruKey)
!= SSL_SUCCESS)
err_sys("can't load ntru key file, "
"Please run from CyaSSL home dir");
#else /* normal */
if (SSL_CTX_use_certificate_file(s->ctx, svrCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert chain file, "
"Please run from CyaSSL home dir");
if (SSL_CTX_use_PrivateKey_file(s->ctx, svrKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server key file, "
"Please run from CyaSSL home dir");
#endif /* NTRU */
#else
tls_d("Loading certificates");
if (cfg->tls.server.client_cert) {
r = CyaSSL_CTX_load_verify_buffer(s->ctx,
cfg->tls.server.client_cert,
cfg->tls.
server.client_cert_size,
SSL_FILETYPE_PEM);
if (r != SSL_SUCCESS) {
tls_e("Server loading client cert failed: %d", r);
SSL_CTX_free(s->ctx);
return -WM_FAIL;
}
} else {
tls_d("Server mode: Client cert not given");
}
r = CyaSSL_CTX_use_certificate_buffer(s->ctx,
cfg->tls.server.server_cert,
cfg->tls.server.server_cert_size,
SSL_FILETYPE_PEM);
if (r != SSL_SUCCESS) {
tls_e("Server loading server cert failed: %d", r);
SSL_CTX_free(s->ctx);
return -WM_FAIL;
}
r = CyaSSL_CTX_use_PrivateKey_buffer(s->ctx, cfg->tls.server.server_key,
cfg->tls.server.server_key_size,
SSL_FILETYPE_PEM);
if (r != SSL_SUCCESS) {
tls_e("Server loading server private key failed: %d", r);
SSL_CTX_free(s->ctx);
return -WM_FAIL;
}
#endif /* NO_FILESYSTEM */
s->ssl = SSL_new(s->ctx);
return WM_SUCCESS;
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
SSL_METHOD* method = 0;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
const char msg[] = "I hear you fa shizzle!";
char input[80];
int ch;
int version = SERVER_DEFAULT_VERSION;
int doCliCertCheck = 1;
int useAnyAddr = 0;
word16 port = wolfSSLPort;
int usePsk = 0;
int usePskPlus = 0;
int useAnon = 0;
int doDTLS = 0;
int needDH = 0;
int useNtruKey = 0;
int nonBlocking = 0;
int trackMemory = 0;
int fewerPackets = 0;
int pkCallbacks = 0;
int wc_shutdown = 0;
int resume = 0;
int resumeCount = 0;
int loopIndefinitely = 0;
int echoData = 0;
int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
int doListen = 1;
int crlFlags = 0;
int ret;
int err = 0;
char* serverReadyFile = NULL;
char* alpnList = NULL;
unsigned char alpn_opt = 0;
char* cipherList = NULL;
const char* verifyCert = cliCert;
const char* ourCert = svrCert;
const char* ourKey = svrKey;
const char* ourDhParam = dhParam;
tcp_ready* readySignal = NULL;
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
#ifdef WOLFSSL_TRUST_PEER_CERT
const char* trustCert = NULL;
#endif
#ifndef NO_PSK
int sendPskIdentityHint = 1;
#endif
#ifdef HAVE_SNI
char* sniHostName = NULL;
#endif
#ifdef HAVE_OCSP
int useOcsp = 0;
char* ocspUrl = NULL;
#endif
((func_args*)args)->return_code = -1; /* error state */
#ifdef NO_RSA
verifyCert = (char*)cliEccCert;
ourCert = (char*)eccCert;
ourKey = (char*)eccKey;
#endif
(void)trackMemory;
(void)pkCallbacks;
(void)needDH;
(void)ourKey;
(void)ourCert;
(void)ourDhParam;
(void)verifyCert;
(void)useNtruKey;
(void)doCliCertCheck;
(void)minDhKeyBits;
(void)minRsaKeyBits;
(void)minEccKeyBits;
(void)alpnList;
(void)alpn_opt;
(void)crlFlags;
(void)readySignal;
#ifdef CYASSL_TIRTOS
fdOpenSession(Task_self());
#endif
#ifdef WOLFSSL_VXWORKS
useAnyAddr = 1;
#else
while ((ch = mygetopt(argc, argv, "?jdbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:"))
!= -1) {
switch (ch) {
case '?' :
Usage();
exit(EXIT_SUCCESS);
case 'd' :
doCliCertCheck = 0;
break;
case 'b' :
useAnyAddr = 1;
break;
case 's' :
usePsk = 1;
break;
case 'j' :
usePskPlus = 1;
break;
case 't' :
#ifdef USE_WOLFSSL_MEMORY
trackMemory = 1;
#endif
break;
case 'n' :
useNtruKey = 1;
break;
case 'u' :
doDTLS = 1;
break;
case 'f' :
fewerPackets = 1;
break;
case 'R' :
serverReadyFile = myoptarg;
break;
case 'r' :
#ifndef NO_SESSION_CACHE
resume = 1;
#endif
break;
case 'P' :
#ifdef HAVE_PK_CALLBACKS
pkCallbacks = 1;
#endif
break;
case 'p' :
port = (word16)atoi(myoptarg);
break;
case 'w' :
wc_shutdown = 1;
break;
case 'v' :
version = atoi(myoptarg);
if (version < 0 || version > 3) {
Usage();
exit(MY_EX_USAGE);
}
break;
case 'l' :
cipherList = myoptarg;
break;
case 'A' :
verifyCert = myoptarg;
break;
case 'c' :
ourCert = myoptarg;
break;
case 'k' :
ourKey = myoptarg;
break;
case 'D' :
#ifndef NO_DH
ourDhParam = myoptarg;
#endif
break;
case 'Z' :
#ifndef NO_DH
minDhKeyBits = atoi(myoptarg);
if (minDhKeyBits <= 0 || minDhKeyBits > 16000) {
Usage();
exit(MY_EX_USAGE);
}
#endif
break;
case 'N':
nonBlocking = 1;
break;
case 'S' :
#ifdef HAVE_SNI
sniHostName = myoptarg;
#endif
break;
case 'o' :
#ifdef HAVE_OCSP
useOcsp = 1;
#endif
break;
case 'O' :
#ifdef HAVE_OCSP
useOcsp = 1;
ocspUrl = myoptarg;
#endif
break;
case 'a' :
#ifdef HAVE_ANON
useAnon = 1;
#endif
break;
case 'I':
#ifndef NO_PSK
sendPskIdentityHint = 0;
#endif
break;
case 'L' :
#ifdef HAVE_ALPN
alpnList = myoptarg;
if (alpnList[0] == 'C' && alpnList[1] == ':')
alpn_opt = WOLFSSL_ALPN_CONTINUE_ON_MISMATCH;
else if (alpnList[0] == 'F' && alpnList[1] == ':')
alpn_opt = WOLFSSL_ALPN_FAILED_ON_MISMATCH;
else {
Usage();
exit(MY_EX_USAGE);
}
alpnList += 2;
#endif
break;
case 'i' :
loopIndefinitely = 1;
break;
case 'e' :
echoData = 1;
break;
case 'B':
throughput = atoi(myoptarg);
if (throughput <= 0) {
Usage();
exit(MY_EX_USAGE);
}
break;
#ifdef WOLFSSL_TRUST_PEER_CERT
case 'E' :
trustCert = myoptarg;
break;
#endif
default:
Usage();
exit(MY_EX_USAGE);
}
}
myoptind = 0; /* reset for test cases */
#endif /* !WOLFSSL_VXWORKS */
/* sort out DTLS versus TLS versions */
if (version == CLIENT_INVALID_VERSION) {
if (doDTLS)
version = CLIENT_DTLS_DEFAULT_VERSION;
else
version = CLIENT_DEFAULT_VERSION;
}
else {
if (doDTLS) {
if (version == 3)
version = -2;
else
version = -1;
}
}
#ifdef USE_CYASSL_MEMORY
if (trackMemory)
InitMemoryTracker();
#endif
switch (version) {
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_SSLV3
case 0:
method = SSLv3_server_method();
break;
#endif
#ifndef NO_TLS
case 1:
method = TLSv1_server_method();
break;
case 2:
method = TLSv1_1_server_method();
break;
#endif
#endif
#ifndef NO_TLS
case 3:
method = TLSv1_2_server_method();
break;
#endif
#ifdef CYASSL_DTLS
#ifndef NO_OLD_TLS
case -1:
method = DTLSv1_server_method();
break;
#endif
case -2:
method = DTLSv1_2_server_method();
break;
#endif
default:
err_sys("Bad SSL version");
}
if (method == NULL)
err_sys("unable to get method");
ctx = SSL_CTX_new(method);
if (ctx == NULL)
err_sys("unable to get ctx");
#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
defined(HAVE_POLY1305)
if (TicketInit() != 0)
err_sys("unable to setup Session Ticket Key context");
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
#endif
if (cipherList)
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 1");
#ifdef CYASSL_LEANPSK
if (!usePsk) {
usePsk = 1;
}
#endif
#if defined(NO_RSA) && !defined(HAVE_ECC)
if (!usePsk) {
usePsk = 1;
}
#endif
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if ((!usePsk || usePskPlus) && !useAnon) {
if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" wolfSSL home dir");
}
#endif
#ifndef NO_DH
if (wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits) != SSL_SUCCESS) {
err_sys("Error setting minimum DH key size");
}
#endif
#ifndef NO_RSA
if (wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits) != SSL_SUCCESS){
err_sys("Error setting minimum RSA key size");
}
#endif
#ifdef HAVE_ECC
if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, minEccKeyBits) != SSL_SUCCESS){
err_sys("Error setting minimum ECC key size");
}
#endif
#ifdef HAVE_NTRU
if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= SSL_SUCCESS)
err_sys("can't load ntru key file, "
"Please run from wolfSSL home dir");
}
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server private key file, check file and run "
"from wolfSSL home dir");
}
#endif
if (usePsk || usePskPlus) {
#ifndef NO_PSK
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
if (sendPskIdentityHint == 1)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL && !usePskPlus) {
const char *defaultCipherList;
#if defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
needDH = 1;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2");
}
#endif
}
if (useAnon) {
#ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 4");
}
#endif
}
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* if not using PSK, verify peer with certs
if using PSK Plus then verify peer certs except PSK suites */
if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK :
SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#ifdef WOLFSSL_TRUST_PEER_CERT
if (trustCert) {
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
#ifdef USE_WINDOWS_API
if (port == 0) {
/* Generate random port for testing */
port = GetRandomPort();
}
#endif /* USE_WINDOWS_API */
while (1) {
/* allow resume option */
if(resumeCount > 1) {
if (doDTLS == 0) {
SOCKADDR_IN_T client;
socklen_t client_len = sizeof(client);
clientfd = accept(sockfd, (struct sockaddr*)&client,
(ACCEPT_THIRD_T)&client_len);
} else {
tcp_listen(&sockfd, &port, useAnyAddr, doDTLS);
clientfd = sockfd;
}
if(WOLFSSL_SOCKET_IS_INVALID(clientfd)) {
err_sys("tcp accept failed");
}
}
ssl = SSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL");
#ifndef NO_HANDSHAKE_DONE_CB
wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
#endif
#ifdef HAVE_CRL
#ifdef HAVE_CRL_MONITOR
crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON;
#endif
if (CyaSSL_EnableCRL(ssl, 0) != SSL_SUCCESS)
err_sys("unable to enable CRL");
if (CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, crlFlags)
!= SSL_SUCCESS)
err_sys("unable to load CRL");
if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS)
err_sys("unable to set CRL callback url");
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS)
err_sys("can't enable OCSP Stapling Certificate Manager");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#endif
#ifdef HAVE_PK_CALLBACKS
if (pkCallbacks)
SetupPkCallbacks(ctx, ssl);
#endif
/* do accept */
readySignal = ((func_args*)args)->signal;
if (readySignal) {
readySignal->srfName = serverReadyFile;
}
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr,
doDTLS, serverReadyFile ? 1 : 0, doListen);
doListen = 0; /* Don't listen next time */
if (SSL_set_fd(ssl, clientfd) != SSL_SUCCESS) {
err_sys("error in setting fd");
}
#ifdef HAVE_ALPN
if (alpnList != NULL) {
printf("ALPN accepted protocols list : %s\n", alpnList);
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
}
#endif
#ifdef WOLFSSL_DTLS
if (doDTLS) {
SOCKADDR_IN_T cliaddr;
byte b[1500];
int n;
socklen_t len = sizeof(cliaddr);
/* For DTLS, peek at the next datagram so we can get the client's
* address and set it into the ssl object later to generate the
* cookie. */
n = (int)recvfrom(sockfd, (char*)b, sizeof(b), MSG_PEEK,
(struct sockaddr*)&cliaddr, &len);
if (n <= 0)
err_sys("recvfrom failed");
wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
}
#endif
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|| needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM);
#elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif
}
#ifndef CYASSL_CALLBACKS
if (nonBlocking) {
CyaSSL_set_using_nonblock(ssl, 1);
tcp_set_nonblocking(&clientfd);
}
#endif
do {
#ifdef WOLFSSL_ASYNC_CRYPT
if (err == WC_PENDING_E) {
ret = AsyncCryptPoll(ssl);
if (ret < 0) { break; } else if (ret == 0) { continue; }
}
#endif
err = 0; /* Reset error */
#ifndef CYASSL_CALLBACKS
if (nonBlocking) {
ret = NonBlockingSSL_Accept(ssl);
}
else {
ret = SSL_accept(ssl);
}
#else
ret = NonBlockingSSL_Accept(ssl);
#endif
if (ret != SSL_SUCCESS) {
err = SSL_get_error(ssl, 0);
}
} while (ret != SSL_SUCCESS && err == WC_PENDING_E);
if (ret != SSL_SUCCESS) {
char buffer[CYASSL_MAX_ERROR_SZ];
err = SSL_get_error(ssl, 0);
printf("error = %d, %s\n", err, ERR_error_string(err, buffer));
err_sys("SSL_accept failed");
}
showPeer(ssl);
#ifdef HAVE_ALPN
if (alpnList != NULL) {
char *protocol_name = NULL, *list = NULL;
word16 protocol_nameSz = 0, listSz = 0;
err = wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, &protocol_nameSz);
if (err == SSL_SUCCESS)
printf("Sent ALPN protocol : %s (%d)\n",
protocol_name, protocol_nameSz);
else if (err == SSL_ALPN_NOT_FOUND)
printf("No ALPN response sent (no match)\n");
else
printf("Getting ALPN protocol name failed\n");
err = wolfSSL_ALPN_GetPeerProtocol(ssl, &list, &listSz);
if (err == SSL_SUCCESS)
printf("List of protocol names sent by Client: %s (%d)\n",
list, listSz);
else
printf("Get list of client's protocol name failed\n");
free(list);
}
#endif
if(echoData == 0 && throughput == 0) {
ret = SSL_read(ssl, input, sizeof(input)-1);
if (ret > 0) {
input[ret] = 0;
printf("Client message: %s\n", input);
}
else if (ret < 0) {
int readErr = SSL_get_error(ssl, 0);
if (readErr != SSL_ERROR_WANT_READ)
err_sys("SSL_read failed");
}
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
}
else {
ServerEchoData(ssl, clientfd, echoData, throughput);
}
#if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
os_dly_wait(500) ;
#elif defined (CYASSL_TIRTOS)
Task_yield();
#endif
if (doDTLS == 0) {
ret = SSL_shutdown(ssl);
if (wc_shutdown && ret == SSL_SHUTDOWN_NOT_DONE)
SSL_shutdown(ssl); /* bidirectional shutdown */
}
SSL_free(ssl);
CloseSocket(clientfd);
if (resume == 1 && resumeCount == 0) {
resumeCount++; /* only do one resume for testing */
continue;
}
resumeCount = 0;
if(!loopIndefinitely) {
break; /* out of while loop, done with normal and resume option */
}
} /* while(1) */
CloseSocket(sockfd);
SSL_CTX_free(ctx);
((func_args*)args)->return_code = 0;
#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \
&& defined(HAVE_THREAD_LS)
ecc_fp_free(); /* free per thread cache */
#endif
#ifdef USE_WOLFSSL_MEMORY
if (trackMemory)
ShowMemoryTracker();
#endif
#ifdef CYASSL_TIRTOS
fdCloseSession(Task_self());
#endif
#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
defined(HAVE_POLY1305)
TicketCleanup();
#endif
/* There are use cases when these assignments are not read. To avoid
* potential confusion those warnings have been handled here.
*/
(void) ourKey;
(void) verifyCert;
(void) doCliCertCheck;
(void) useNtruKey;
(void) ourDhParam;
(void) ourCert;
#ifndef CYASSL_TIRTOS
return 0;
#endif
}
