void SSLClient::write()
{
int nBytesSend = SSL_write(pSSL, wBuffer.data(), wBuffer.size());
int tmp = SSL_get_error(pSSL, nBytesSend);
const char *file;
int line;
unsigned long err;
switch (tmp){
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
break;
case SSL_ERROR_SSL:
err = ERR_get_error_line(&file, &line);
log(L_WARN, "SSL: SSL_write error = %lx, %s:%i", err, file, line);
ERR_clear_error();
notify->error_state(I18N_NOOP("SSL write error"));
return;
default:
log(L_DEBUG, "SSL: SSL_write error %d, SSL_%d", nBytesSend, tmp);
notify->error_state(I18N_NOOP("SSL write error"));
return;
}
if (nBytesSend > 0)
wBuffer.incReadPos(nBytesSend);
if (wBuffer.readPos() == wBuffer.writePos()){
wBuffer.init(0);
state = SSLConnected;
}
process();
}
void SSLClient::accept()
{
if (pSSL == NULL){
notify->error_state(I18N_NOOP("SSL accept error"));
return;
}
int i = SSL_accept(pSSL);
int j = SSL_get_error(pSSL, i);
if (j == SSL_ERROR_NONE)
{
m_bSecure = true;
notify->connect_ready();
state = SSLConnected;
return;
}
const char *file;
int line;
unsigned long err;
switch (j)
{
case SSL_ERROR_SSL:
err = ERR_get_error_line(&file, &line);
log(L_WARN, "SSL: SSL_accept error = %lx, %s:%i", err, file, line);
ERR_clear_error();
notify->error_state(I18N_NOOP("SSL accept error"));
return;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
state = SSLAccept;
return;
default:
log(L_DEBUG, "SSL: SSL_accept error %d, SSL_%d", i, j);
notify->error_state(I18N_NOOP("SSL accept error"));
}
}
int SSLClient::read(char *buf, unsigned int size)
{
if (state != SSLConnected) return 0;
int nBytesReceived = SSL_read(pSSL, buf, size);
int tmp = SSL_get_error(pSSL, nBytesReceived);
const char *file;
int line;
unsigned long err;
switch (tmp){
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
break;
case SSL_ERROR_SSL:
err = ERR_get_error_line(&file, &line);
log(L_WARN, "SSL: SSL_read error = %lx, %s:%i", err, file, line);
ERR_clear_error();
notify->error_state(I18N_NOOP("SSL read error"));
return -1;
default:
log(L_DEBUG, "SSL: SSL_read error %d, SSL_%d", nBytesReceived, tmp);
notify->error_state(I18N_NOOP("SSL read error"));
return -1;
}
process(true);
if (nBytesReceived < 0) nBytesReceived = 0;
return nBytesReceived;
}
void SSLClient::shutdown()
{
if (pSSL == NULL){
notify->error_state(I18N_NOOP("SSL shutdown error"));
return;
}
int i = SSL_shutdown(pSSL);
int j = SSL_get_error(pSSL, i);
if (j == SSL_ERROR_NONE)
{
SSL_free(pSSL);
mpSSL = NULL;
m_bSecure = false;
return;
}
const char *file;
int line;
unsigned long err;
switch (j)
{
case SSL_ERROR_SSL:
err = ERR_get_error_line(&file, &line);
log(L_WARN, "SSL: SSL_shutdown error = %lx, %s:%i", err, file, line);
ERR_clear_error();
notify->error_state(I18N_NOOP("SSL shuwdown error"));
return;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
state = SSLShutdown;
return;
default:
log(L_DEBUG, "SSL: SSL_shutdown error %d, SSL_%d", i, j);
notify->error_state(I18N_NOOP("SSL shuwdown error"));
}
}
void print_errors(){
unsigned long err, line;
char *file;
while((err = ERR_get_error_line((const char**)&file, (int*)&line))){
ERR_error_string_n(err, err_str_buf, 128);
fprintf(stderr, "%s in %s at line %ld", err_str_buf, file, line);
}
}
static void drain_openssl_errors(void)
{
const char *file;
int line;
if (ERR_peek_error() == 0)
return;
while (ERR_get_error_line(&file, &line)) {}
}
static void ssl_error_stack()
{
const char *file;
int line;
unsigned long e;
do {
e = ERR_get_error_line(&file, &line);
jlog(L_ERROR, "%s", ERR_error_string(e, NULL));
} while (e);
}
static void display_openssl_errors(int l)
{
const char *file;
char buf[120];
int e, line;
if (ERR_peek_error() == 0)
return;
fprintf(stderr, "At main.c:%d:\n", l);
while ((e = ERR_get_error_line(&file, &line))) {
ERR_error_string(e, buf);
fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
}
}
size_t readn_ssl(SSL *ssl, void *buf, size_t amount) {
const char *error_file;
int error_line;
size_t received = 0;
char error_string[120] = {0};
int ssl_err;
char *ptr = buf;
// To read from OpenSSL, just read. SSL_read has its own timeout.
received = SSL_read(ssl, ptr, amount);
if (received <= 0) {
ssl_err = ERR_get_error_line(&error_file, &error_line);
ERR_error_string_n(ssl_err, error_string, sizeof(error_string));
log_println(2, "SSL failed due to %s (%d)\n", error_string, ssl_err);
log_println(2, "File: %s line: %d\n", error_file, error_line);
}
return received;
}
void wi_error_set_openssl_error(void) {
wi_error_t *error;
const char *file;
int line;
if(ERR_peek_error() == 0) {
wi_error_set_errno(errno);
} else {
error = _wi_get_error();
error->domain = WI_ERROR_DOMAIN_OPENSSL;
error->code = ERR_get_error_line(&file, &line);
wi_release(error->string);
error->string = wi_string_init_with_format(wi_string_alloc(), WI_STR("%s:%d: %s: %s (%u)"),
file,
line,
ERR_func_error_string(error->code),
ERR_reason_error_string(error->code),
ERR_GET_REASON(error->code));
}
}
void wi_error_set_openssl_error(void) {
wi_string_t *string;
const char *file;
unsigned long code;
int line;
if(ERR_peek_error() == 0) {
wi_error_set_errno(errno);
} else {
code = ERR_get_error_line(&file, &line);
string = wi_string_with_format(WI_STR("%s:%d: %s: %s (%u)"),
file,
line,
ERR_func_error_string(code),
ERR_reason_error_string(code),
ERR_GET_REASON(code));
wi_error_set_error_with_string(WI_ERROR_DOMAIN_OPENSSL, code, string);
}
ERR_clear_error();
}
/* Inspired by ERR_print_errors in OpenSSL */
static void
tlso_report_error( void )
{
unsigned long l;
char buf[200];
const char *file;
int line;
while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
ERR_error_string_n( l, buf, sizeof( buf ) );
#ifdef HAVE_EBCDIC
if ( file ) {
file = LDAP_STRDUP( file );
__etoa( (char *)file );
}
__etoa( buf );
#endif
Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
buf, file, line );
#ifdef HAVE_EBCDIC
if ( file ) LDAP_FREE( (void *)file );
#endif
}
}
int main(int argc, char *argv[])
{
// default paths currently point to my test certificates
char *m_caCertPath;
char *m_serverCert;
char *m_serverKey;
char *stoparg;
m_caCertPath= argv[1];
fprintf(stdout, "phase1\n");
m_serverCert = strchr(m_caCertPath, ';');
fprintf(stdout, "phase2\n");
*m_serverCert++ ='\0';
m_serverKey = strchr(m_serverCert, ';');
fprintf(stdout, "phase3\n");
*m_serverKey++ ='\0';
stoparg = strchr(m_serverKey, ';');
fprintf(stdout, "phase4\n");
*stoparg++ = '\0';
fprintf(stdout, "ca:%s\ncert:%s\nkey:%s\nstop:%s\n", m_caCertPath, m_serverCert, m_serverKey, stoparg);
SSL_CTX *m_sslCtx = NULL;
// Initializing OpenSSL
// FIXME should this only be called once?
OpenSSL_add_all_algorithms();
SSLeay_add_all_algorithms();
SSL_load_error_strings();
ERR_load_crypto_strings();
ERR_load_BIO_strings();
SSL_library_init();
m_sslCtx = SSL_CTX_new( SSLv23_method() );
if (!m_sslCtx) {
ERR_print_errors_fp( stdout );
printf("error1\n");
}
SSL_CTX_set_options(m_sslCtx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
/* SSL_CTX_set_cipher_list(m_sslCtx, "ALL:!LOW:!EXP:!MD5:!MD2"); */
SSL_CTX_set_purpose(m_sslCtx, X509_PURPOSE_ANY);
/* SSL_CTX_set_mode(m_sslCtx, SSL_MODE_AUTO_RETRY); */
printf("test\n");
// load server certificate
if ( SSL_CTX_use_certificate_file( m_sslCtx,
m_serverCert, SSL_FILETYPE_PEM ) <= 0 )
{
ERR_print_errors_fp( stdout );
printf("error1\n");
}
// load private key
if ( SSL_CTX_use_PrivateKey_file( m_sslCtx,
m_serverKey, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp( stdout );
printf("error2\n");
}
// load trusted Certificate Authority
if ( !SSL_CTX_load_verify_locations( m_sslCtx, 0,
m_caCertPath ) )
{
ERR_print_errors_fp( stdout );
printf("error3\n");
}
// require peer (client) certificate verification
SSL_CTX_set_verify( m_sslCtx, SSL_VERIFY_PEER, 0 );
// Set the verification depth to 1
SSL_CTX_set_verify_depth( m_sslCtx, 100 );
// set the verify call back to girdsite, which understands
// proxy certificates
SSL_CTX_set_cert_verify_callback( m_sslCtx,
proxy_verify_callback_server, 0);
// create new ssl structure and pass the fd to it
SSL *m_sslCon = SSL_new( m_sslCtx );
BIO *bio = BIO_new_accept("33334");
if (BIO_do_accept(bio) <= 0)
fprintf(stdout, "BIO_do_accept failed\n");
fprintf(stdout, "now accepting\n");
fprintf(stdout, "bio=%ld\n", bio);
BIO_do_accept(bio);
fprintf(stdout, "part1\n");
BIO *client= BIO_pop(bio);
fprintf(stdout, "part2\n");
SSL_set_bio(m_sslCon, client, client);
fprintf(stdout,"bio set\n");
// initiate the handshake
int error;
if ( (error = SSL_accept( m_sslCon )) <= 0 ) {
unsigned long l;
char buf[256];
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
const char *file;
#else
char *file;
#endif
char *dat;
int line;
/* WIN32 does not have the ERR_get_error_line_data */
/* exported, so simulate it till it is fixed */
/* in SSLeay-0.9.0 */
while ( ERR_peek_error() != 0 ) {
int i;
ERR_STATE *es;
es = ERR_get_state();
i = (es->bottom+1)%ERR_NUM_ERRORS;
if (es->err_data[i] == NULL)
dat = (char*)"";
else
dat = es->err_data[i];
if (dat) {
l = ERR_get_error_line(&file, &line);
// if (debug)
fprintf(stdout, "%s:%s,%d,%s\n", ERR_error_string(l, buf),
file, line, dat);
// error += std::string(ERR_reason_error_string(l)) + ":" + std::string(ERR_func_error_string(l)) + "\n";
}
}
/* fprintf(stdout, "%s\n", */
/* ERR_reason_error_string( ERR_get_error() )); */
fprintf(stdout, "ERROR\n");
exit(1);
}
fprintf(stdout, "Handshake done!\n");
/* connected */
sleep(100);
exit(0);
}
