/**
* Run SSL handshake and store the resulting time value in the
* 'time_map'.
*
* @param time_map where to store the current time
* @param time_is_an_illusion
* @param http whether to do an http request and take the date from that
* instead.
*/
static void
run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
{
BIO *s_bio;
SSL_CTX *ctx;
SSL *ssl;
struct stat statbuf;
uint32_t result_time;
SSL_load_error_strings();
SSL_library_init();
ctx = NULL;
if (0 == strcmp("sslv23", protocol))
{
verb ("V: using SSLv23_client_method()");
ctx = SSL_CTX_new(SSLv23_client_method());
} else if (0 == strcmp("sslv3", protocol))
{
verb ("V: using SSLv3_client_method()");
ctx = SSL_CTX_new(SSLv3_client_method());
} else if (0 == strcmp("tlsv1", protocol))
{
verb ("V: using TLSv1_client_method()");
ctx = SSL_CTX_new(TLSv1_client_method());
} else
die("Unsupported protocol `%s'", protocol);
if (ctx == NULL)
die("OpenSSL failed to support protocol `%s'", protocol);
verb("V: Using OpenSSL for SSL");
if (ca_racket)
{
if (-1 == stat(ca_cert_container, &statbuf))
{
die("Unable to stat CA certficate container %s", ca_cert_container);
} else
{
switch (statbuf.st_mode & S_IFMT)
{
case S_IFREG:
if (1 != SSL_CTX_load_verify_locations(ctx, ca_cert_container, NULL))
fprintf(stderr, "SSL_CTX_load_verify_locations failed");
break;
case S_IFDIR:
if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
fprintf(stderr, "SSL_CTX_load_verify_locations failed");
break;
default:
if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
{
fprintf(stderr, "SSL_CTX_load_verify_locations failed");
die("Unable to load CA certficate container %s", ca_cert_container);
}
}
}
}
if (NULL == (s_bio = make_ssl_bio(ctx)))
die ("SSL BIO setup failed");
BIO_get_ssl(s_bio, &ssl);
if (NULL == ssl)
die ("SSL setup failed");
if (time_is_an_illusion)
{
SSL_set_info_callback(ssl, openssl_time_callback);
}
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
verb("V: opening socket to %s:%s", host, port);
if ( (1 != BIO_set_conn_hostname(s_bio, host)) ||
(1 != BIO_set_conn_port(s_bio, port)) )
die ("Failed to initialize connection to `%s:%s'", host, port);
if (NULL == BIO_new_fp(stdout, BIO_NOCLOSE))
die ("BIO_new_fp returned error, possibly: %s", strerror(errno));
// This should run in seccomp
// eg: prctl(PR_SET_SECCOMP, 1);
if (1 != BIO_do_connect(s_bio)) // XXX TODO: BIO_should_retry() later?
die ("SSL connection failed");
if (1 != BIO_do_handshake(s_bio))
die ("SSL handshake failed");
// from /usr/include/openssl/ssl3.h
// ssl->s3->server_random is an unsigned char of 32 bits
memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t));
verb("V: In TLS response, T=%lu", (unsigned long)ntohl(result_time));
if (http) {
char buf[1024];
verb_debug ("V: Starting HTTP");
if (snprintf(buf, sizeof(buf),
HTTP_REQUEST, HTTPS_USER_AGENT, hostname_to_verify) >= 1024)
die("hostname too long");
buf[1023]='\0'; /* Unneeded. */
verb_debug ("V: Writing HTTP request");
if (1 != write_all_to_bio(s_bio, buf))
die ("write all to bio failed.");
verb_debug ("V: Reading HTTP response");
if (1 != read_http_date_from_bio(s_bio, &result_time))
die ("read all from bio failed.");
verb ("V: Received HTTP response. T=%lu", (unsigned long)result_time);
result_time = htonl(result_time);
}
// Verify the peer certificate against the CA certs on the local system
if (ca_racket) {
inspect_key (ssl, hostname_to_verify);
} else {
verb ("V: Certificate verification skipped!");
}
check_key_length(ssl);
memcpy(time_map, &result_time, sizeof (uint32_t));
SSL_free(ssl);
SSL_CTX_free(ctx);
}
/**
* Run SSL handshake and store the resulting time value in the
* 'time_map'.
*
* @param time_map where to store the current time
* @param time_is_an_illusion
* @param http whether to do an http request and take the date from that
* instead.
*/
static void
run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
{
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
proxy_polarssl_ctx proxy_ctx;
x509_cert cacert;
struct stat statbuf;
int ret = 0, server_fd = 0;
char *pers = "tlsdate-helper";
memset (&ssl, 0, sizeof(ssl_context));
memset (&cacert, 0, sizeof(x509_cert));
verb("V: Using PolarSSL for SSL");
if (ca_racket)
{
if (-1 == stat (ca_cert_container, &statbuf))
{
die("Unable to stat CA certficate container %s", ca_cert_container);
}
else
{
switch (statbuf.st_mode & S_IFMT)
{
case S_IFREG:
if (0 > x509parse_crtfile(&cacert, ca_cert_container))
fprintf(stderr, "x509parse_crtfile failed");
break;
case S_IFDIR:
if (0 > x509parse_crtpath(&cacert, ca_cert_container))
fprintf(stderr, "x509parse_crtpath failed");
break;
default:
die("Unable to load CA certficate container %s", ca_cert_container);
}
}
}
entropy_init (&entropy);
if (0 != ctr_drbg_init (&ctr_drbg, entropy_func, &entropy,
(unsigned char *) pers, strlen(pers)))
{
die("Failed to initialize CTR_DRBG");
}
if (0 != ssl_init (&ssl))
{
die("SSL initialization failed");
}
ssl_set_endpoint (&ssl, SSL_IS_CLIENT);
ssl_set_rng (&ssl, ctr_drbg_random, &ctr_drbg);
ssl_set_ca_chain (&ssl, &cacert, NULL, hostname_to_verify);
if (ca_racket)
{
// You can do SSL_VERIFY_REQUIRED here, but then the check in
// inspect_key() never happens as the ssl_handshake() will fail.
ssl_set_authmode (&ssl, SSL_VERIFY_OPTIONAL);
}
if (proxy)
{
char *scheme;
char *proxy_host;
char *proxy_port;
parse_proxy_uri (proxy, &scheme, &proxy_host, &proxy_port);
verb("V: opening socket to proxy %s:%s", proxy_host, proxy_port);
if (0 != net_connect (&server_fd, proxy_host, atoi(proxy_port)))
{
die ("SSL connection failed");
}
proxy_polarssl_init (&proxy_ctx);
proxy_polarssl_set_bio (&proxy_ctx, net_recv, &server_fd, net_send, &server_fd);
proxy_polarssl_set_host (&proxy_ctx, host);
proxy_polarssl_set_port (&proxy_ctx, atoi(port));
proxy_polarssl_set_scheme (&proxy_ctx, scheme);
ssl_set_bio (&ssl, proxy_polarssl_recv, &proxy_ctx, proxy_polarssl_send, &proxy_ctx);
verb("V: Handle proxy connection");
if (0 == proxy_ctx.f_connect (&proxy_ctx))
die("Proxy connection failed");
}
else
{
verb("V: opening socket to %s:%s", host, port);
if (0 != net_connect (&server_fd, host, atoi(port)))
{
die ("SSL connection failed");
}
ssl_set_bio (&ssl, net_recv, &server_fd, net_send, &server_fd);
}
verb("V: starting handshake");
if (0 != ssl_do_handshake_part (&ssl))
die("SSL handshake first part failed");
uint32_t timestamp = ( (uint32_t) ssl.in_msg[6] << 24 )
| ( (uint32_t) ssl.in_msg[7] << 16 )
| ( (uint32_t) ssl.in_msg[8] << 8 )
| ( (uint32_t) ssl.in_msg[9] );
check_timestamp (timestamp);
verb("V: continuing handshake");
/* Continue with handshake */
while (0 != (ret = ssl_handshake (&ssl)))
{
if (POLARSSL_ERR_NET_WANT_READ != ret &&
POLARSSL_ERR_NET_WANT_WRITE != ret)
{
die("SSL handshake failed");
}
}
// Verify the peer certificate against the CA certs on the local system
if (ca_racket) {
inspect_key (&ssl, hostname_to_verify);
} else {
verb ("V: Certificate verification skipped!");
}
check_key_length (&ssl);
memcpy (time_map, ×tamp, sizeof(uint32_t));
proxy_polarssl_free (&proxy_ctx);
ssl_free (&ssl);
x509_free (&cacert);
}
/**
* Run SSL handshake and store the resulting time value in the
* 'time_map'.
*
* @param time_map where to store the current time
*/
static void
run_ssl (uint32_t *time_map, int time_is_an_illusion)
{
BIO *s_bio;
SSL_CTX *ctx;
SSL *ssl;
SSL_load_error_strings();
SSL_library_init();
ctx = NULL;
if (0 == strcmp("sslv23", protocol))
{
verb ("V: using SSLv23_client_method()\n");
ctx = SSL_CTX_new(SSLv23_client_method());
} else if (0 == strcmp("sslv3", protocol))
{
verb ("V: using SSLv3_client_method()\n");
ctx = SSL_CTX_new(SSLv3_client_method());
} else if (0 == strcmp("tlsv1", protocol))
{
verb ("V: using TLSv1_client_method()\n");
ctx = SSL_CTX_new(TLSv1_client_method());
} else
die("Unsupported protocol `%s'\n", protocol);
if (ctx == NULL)
die("OpenSSL failed to support protocol `%s'\n", protocol);
if (ca_racket)
{
if (1 != SSL_CTX_load_verify_locations(ctx, NULL, certdir))
fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
}
if (NULL == (s_bio = BIO_new_ssl_connect(ctx)))
die ("SSL BIO setup failed\n");
BIO_get_ssl(s_bio, &ssl);
if (NULL == ssl)
die ("SSL setup failed\n");
if (time_is_an_illusion)
{
SSL_set_info_callback(ssl, openssl_time_callback);
}
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
if ( (1 != BIO_set_conn_hostname(s_bio, host)) ||
(1 != BIO_set_conn_port(s_bio, port)) )
die ("Failed to initialize connection to `%s:%s'\n", host, port);
if (NULL == BIO_new_fp(stdout, BIO_NOCLOSE))
die ("BIO_new_fp returned error, possibly: %s", strerror(errno));
// This should run in seccomp
// eg: prctl(PR_SET_SECCOMP, 1);
if (1 != BIO_do_connect(s_bio)) // XXX TODO: BIO_should_retry() later?
die ("SSL connection failed\n");
if (1 != BIO_do_handshake(s_bio))
die ("SSL handshake failed\n");
// Verify the peer certificate against the CA certs on the local system
if (ca_racket) {
inspect_key (ssl, host);
} else {
verb ("V: Certificate verification skipped!\n");
}
check_key_length(ssl);
// from /usr/include/openssl/ssl3.h
// ssl->s3->server_random is an unsigned char of 32 bits
memcpy(time_map, ssl->s3->server_random, sizeof (uint32_t));
SSL_free(ssl);
SSL_CTX_free(ctx);
}
