void
connection_init_tls()
{
tls_init();
CurrentConnectionState.TlsConfiguration = tls_config_new();
CurrentConnectionState.ServerContext = tls_server();
CurrentConnectionState.ClientContext = tls_client();
tls_config_set_key_file(CurrentConnectionState.TlsConfiguration,
CurrentConnectionState.PrivateKey);
tls_config_set_cert_file(CurrentConnectionState.TlsConfiguration,
CurrentConnectionState.CertificateFile);
tls_config_insecure_noverifycert(CurrentConnectionState.TlsConfiguration);
if(tls_configure(CurrentConnectionState.ServerContext,
CurrentConnectionState.TlsConfiguration) != 0)
{
printf("%s\n", tls_error(CurrentConnectionState.ServerContext));
}
if(tls_configure(CurrentConnectionState.ClientContext,
CurrentConnectionState.TlsConfiguration) != 0)
{
printf("%s\n", tls_error(CurrentConnectionState.ClientContext));
}
}
static int init_https(void) {
if(!SERVER_PORT_TLS) return 0;
struct tls_config *config = tls_config_new();
if(!config) {
alogf("TLS config error: %s\n", strerror(errno));
return -1;
}
int rc = tls_config_set_ciphers(config, TLS_CIPHERS);
if(0 != rc) {
alogf("TLS ciphers error: %s\n", strerror(errno));
tls_config_free(config); config = NULL;
return -1;
}
tls_config_set_protocols(config, TLS_PROTOCOLS);
str_t pemfile[PATH_MAX];
snprintf(pemfile, sizeof(pemfile), "%s/key.pem", path);
rc = tls_config_set_key_file(config, pemfile);
if(0 != rc) {
alogf("TLS key file error: %s\n", strerror(errno));
tls_config_free(config); config = NULL;
return -1;
}
snprintf(pemfile, sizeof(pemfile), "%s/crt.pem", path);
rc = tls_config_set_cert_file(config, pemfile);
if(0 != rc) {
alogf("TLS crt file error: %s\n", strerror(errno));
tls_config_free(config); config = NULL;
return -1;
}
struct tls *tls = tls_server();
if(!tls) {
alogf("TLS engine error: %s\n", strerror(errno));
tls_config_free(config); config = NULL;
return -1;
}
rc = tls_configure(tls, config);
tls_config_free(config); config = NULL;
if(0 != rc) {
alogf("TLS config error: %s\n", tls_error(tls));
tls_free(tls); tls = NULL;
return -1;
}
server_tls = HTTPServerCreate((HTTPListener)listener, blog);
if(!server_tls) {
alogf("HTTPS server could not be initialized\n");
tls_free(tls); tls = NULL;
return -1;
}
rc = HTTPServerListenSecure(server_tls, SERVER_ADDRESS, SERVER_PORT_TLS, &tls);
tls_free(tls); tls = NULL;
if(rc < 0) {
alogf("HTTPS server could not be started: %s\n", sln_strerror(rc));
return -1;
}
int const port = SERVER_PORT_TLS;
alogf("StrongLink server running at https://localhost:%d/\n", port);
return 0;
}
void server() {
// load Config File and Settings
fprintf(stdout, "Starting fidistat Server...\n");
openlog("fidistat-server", LOG_PID, LOG_DAEMON);
syslog(LOG_INFO, "Started Fidistat Server");
struct pidfh *pfh = daemon_start('s');
// Handle Signals
signal(SIGTERM, handleSigterm_S);
signal(SIGCHLD, handleChild);
// Open Socket
initConf();
tls_init();
struct tls* ctx = tls_server();
int sock = initTLS_S(ctx);
sckt = sock;
int connfd, pid;
listen(sock, 10);
// Destroy Config
destroyConf();
while(!term) {
connfd = accept(sock, (struct sockaddr*) NULL, NULL);
if (term) {
break;
}
pid = fork();
if (pid < 0) {
syslog(LOG_ERR, "forking new Worker failed");
} else if (pid == 0) {
close(sock);
syslog(LOG_INFO, "New incoming connection");
worker(connfd, ctx);
syslog(LOG_INFO, "Closing connection");
exit(0);
} else {
close(connfd);
}
}
syslog(LOG_INFO, "Shutting down Server");
close(sock);
tls_close(ctx);
tls_free(ctx);
tls_config_free(tlsServer_conf);
pidfile_remove(pfh);
syslog(LOG_INFO, "Stopped Fidistat Server");
closelog();
exit(0);
}
static const char *create_worker(struct Worker **w_p, bool is_server, ...)
{
va_list ap;
const char *k, *v;
int klen;
struct Worker *w;
int err;
const char *mem = NULL;
void *fdata;
size_t flen;
const char *errmsg = NULL;
*w_p = NULL;
w = calloc(1, sizeof *w);
if (!w)
return "calloc";
w->wstate = HANDSHAKE;
w->is_server = is_server;
w->config = tls_config_new();
if (!w->config)
return "tls_config_new failed";
if (is_server) {
w->base = tls_server();
if (!w->base)
return "tls_server failed";
} else {
w->ctx = tls_client();
if (!w->ctx)
return "tls_client failed";
}
va_start(ap, is_server);
while (1) {
k = va_arg(ap, char *);
if (!k)
break;
v = strchr(k, '=');
if (!v) {
errmsg = k;
break;
}
v++;
klen = v - k;
err = 0;
if (!strncmp(k, "mem=", klen)) {
mem = v;
} else if (!strncmp(k, "ca=", klen)) {
if (mem) {
fdata = load_file(v, &flen);
if (!fdata) {
errmsg = strerror(errno);
break;
}
err = tls_config_set_ca_mem(w->config, fdata, flen);
free(fdata);
} else {
err = tls_config_set_ca_file(w->config, v);
}
} else if (!strncmp(k, "cert=", klen)) {
if (mem) {
fdata = load_file(v, &flen);
if (!fdata) {
errmsg = strerror(errno);
break;
}
err = tls_config_set_cert_mem(w->config, fdata, flen);
free(fdata);
} else {
err = tls_config_set_cert_file(w->config, v);
}
} else if (!strncmp(k, "key=", klen)) {
if (mem) {
fdata = load_file(v, &flen);
if (!fdata) {
errmsg = strerror(errno);
break;
}
err = tls_config_set_key_mem(w->config, fdata, flen);
free(fdata);
} else {
err = tls_config_set_key_file(w->config, v);
}
} else if (!strncmp(k, "show=", klen)) {
w->show = v;
} else if (!strncmp(k, "ciphers=", klen)) {
err = tls_config_set_ciphers(w->config, v);
} else if (!strncmp(k, "host=", klen)) {
w->hostname = v;
} else if (!strncmp(k, "noverifycert=", klen)) {
tls_config_insecure_noverifycert(w->config);
} else if (!strncmp(k, "noverifyname=", klen)) {
tls_config_insecure_noverifyname(w->config);
} else if (!strncmp(k, "verify=", klen)) {
tls_config_verify(w->config);
} else if (!strncmp(k, "dheparams=", klen)) {
err = tls_config_set_dheparams(w->config, v);
} else if (!strncmp(k, "ecdhecurve=", klen)) {
err = tls_config_set_ecdhecurve(w->config, v);
} else if (!strncmp(k, "protocols=", klen)) {
uint32_t protos;
err = tls_config_parse_protocols(&protos, v);
tls_config_set_protocols(w->config, protos);
} else if (!strncmp(k, "peer-sha1=", klen)) {
w->peer_fingerprint_sha1 = v;
} else if (!strncmp(k, "peer-sha256=", klen)) {
w->peer_fingerprint_sha256 = v;
} else if (!strncmp(k, "verify-client=", klen)) {
tls_config_verify_client(w->config);
} else if (!strncmp(k, "verify-client-optional=", klen)) {
tls_config_verify_client_optional(w->config);
} else if (!strncmp(k, "aggressive-close=", klen)) {
w->aggressive_close = 1;
} else {
errmsg = k;
break;
}
if (err < 0) {
errmsg = k;
break;
}
}
va_end(ap);
if (errmsg)
return errmsg;
if (is_server) {
if (tls_configure(w->base, w->config) < 0)
return tls_error(w->base);
} else {
if (tls_configure(w->ctx, w->config) < 0)
return tls_error(w->ctx);
}
*w_p = w;
return "OK";
}
int
main(int argc, char *argv[])
{
struct tls *tls = NULL;
struct tls *cctx = NULL;
struct tls_config *tls_config = NULL;
char buf[BUFSIZ];
int ch;
int e;
if ((tls_config = tls_config_new()) == NULL)
err(EXIT_FAILURE, "tls_config_new");
while ((ch = getopt(argc, argv, "Cc:k:p:f:")) != -1) {
switch (ch) {
case 'C':
tls_config_verify_client(tls_config);
break;
case 'c':
if (tls_config_set_cert_file(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_cert_file");
break;
case 'k':
if (tls_config_set_key_file(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_key_file");
break;
case 'f':
if (tls_config_set_ca_file(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_ca_file");
break;
case 'p':
if (tls_config_set_ca_path(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_ca_path");
break;
default:
usage();
/* NOTREACHED */
}
}
argc -= optind;
argv += optind;
/* prepare libtls */
if (tls_init() == -1)
err(EXIT_FAILURE, "tls_init");
if ((tls = tls_server()) == NULL)
err(EXIT_FAILURE, "tls_server");
if (tls_configure(tls, tls_config) == -1)
goto err;
if (tls_accept_fds(tls, &cctx, STDIN_FILENO, STDOUT_FILENO) == -1)
goto err;
if (tls_handshake(cctx) == -1)
goto err;
if (setenv("PROTO", "SSL", 1) == -1)
err(EXIT_FAILURE, "setenv");
/* fork front end program */
char *prog = argv[0];
# define PIPE_READ 0
# define PIPE_WRITE 1
int pi[2]; /* input pipe */
int po[2]; /* output pipe */
if (pipe(pi) == -1) err(EXIT_FAILURE, "pipe");
if (pipe(po) == -1) err(EXIT_FAILURE, "pipe");
switch (fork()) {
case -1:
err(EXIT_FAILURE, "fork");
case 0: /* client program */
/* close non-using ends of pipes */
if (close(pi[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
if (close(po[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");
/* move pipe end to ucspi defined fd numbers */
if (dup2(po[PIPE_READ], READ_FD) == -1)
err(EXIT_FAILURE, "dup2");
if (dup2(pi[PIPE_WRITE], WRITE_FD) == -1)
err(EXIT_FAILURE, "dup2");
if (close(po[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
if (close(pi[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");
execv(prog, argv);
err(EXIT_FAILURE, "execve");
default: break; /* parent */
}
/* close non-using ends of pipes */
if (close(pi[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");
if (close(po[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
int in = pi[PIPE_READ];
int out = po[PIPE_WRITE];
/* communication loop */
for (;;) {
int ret;
char buf[BUFSIZ];
ssize_t sn = 0;
fd_set readfds;
FD_ZERO(&readfds);
FD_SET(in, &readfds);
FD_SET(READ_FD, &readfds);
int max_fd = MAX(in, READ_FD);
ret = select(max_fd+1, &readfds, NULL, NULL, NULL);
if (ret == -1)
err(EXIT_FAILURE, "select");
if (FD_ISSET(READ_FD, &readfds)) {
do {
again:
sn = tls_read(cctx, buf, sizeof buf);
if (sn == TLS_WANT_POLLIN ||
sn == TLS_WANT_POLLOUT)
goto again;
if (sn == -1)
goto err;
if (sn == 0)
return EXIT_SUCCESS;
if (write(out, buf, sn) == -1)
err(EXIT_FAILURE, "write()");
} while (sn == sizeof buf);
} else if (FD_ISSET(in, &readfds)) {
if ((sn = read(in, buf, sizeof buf)) == -1)
err(EXIT_FAILURE, "read()");
if (sn == 0) /* EOF from inside */
goto out;
/* XXX: unable to detect disconnect here */
if (tls_write(cctx, buf, sn) == -1)
goto err;
}
}
out:
tls_close(cctx);
return EXIT_SUCCESS;
err:
while ((e = ERR_get_error())) {
ERR_error_string(e, buf);
fprintf(stderr, " %s\n", buf);
}
errx(EXIT_FAILURE, "tls_error: %s", tls_error(cctx));
errx(EXIT_FAILURE, "tls_error: %s", tls_error(tls));
}
int main(int argc, char **argv) {
struct tls_config *config = NULL;
struct tls *tls = NULL;
unsigned int protocols = 0;
struct sockaddr_in server, client;
int sock = socket(AF_INET, SOCK_STREAM, 0);
int opt = 1;
int b;
struct tls *tls2 = NULL;
ssize_t outlen = 0;
char bufs[1000], bufc[1000];
int sc;
char *msg = "HELLO TLS CLIENT\n";
char *ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384";
struct pollfd pfd[2];
if(tls_init() < 0) {
printf("tls_init error\n");
exit(1);
}
config = tls_config_new();
if(config == NULL) {
printf("tls_config_new error\n");
exit(1);
}
tls = tls_server();
if(tls == NULL) {
printf("tls_server error\n");
exit(1);
}
if(tls_config_parse_protocols(&protocols, "secure") < 0) {
printf("tls_config_parse_protocols error\n");
exit(1);
}
tls_config_set_protocols(config, protocols);
if(tls_config_set_ciphers(config, ciphers) < 0) {
printf("tls_config_set_ciphers error\n");
exit(1);
}
if(tls_config_set_key_file(config, "private.pem") < 0) {
printf("tls_config_set_key_file error\n");
exit(1);
}
if(tls_config_set_cert_file(config, "server.crt") < 0) {
printf("tls_config_set_cert_file error\n");
exit(1);
}
if(tls_configure(tls, config) < 0) {
printf("tls_configure error: %s\n", tls_error(tls));
exit(1);
}
bzero(&server, sizeof(server));
server.sin_addr.s_addr = inet_addr("127.0.0.1");
server.sin_port = htons(9000);
server.sin_family = AF_INET;
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, 4);
b = bind(sock, (struct sockaddr *) &server, sizeof(server));
if(b < 0) {
printf("erro bind\n");
exit(1);
}
listen(sock, 10);
socklen_t client_size = sizeof(client);
sc = accept(sock, (struct sockaddr *) &client, &client_size);
if(tls_accept_socket(tls, &tls2, sc) < 0) {
printf("tls_accept_socket error\n");
exit(1);
}
tls_write(tls2, msg, strlen(msg));
pfd[0].fd = 0;
pfd[0].events = POLLIN;
pfd[1].fd = sc;
pfd[1].events = POLLIN;
while(bufc[0] != ':' && bufc[1] != 'q') {
poll(pfd, 2, -1);
bzero(bufs, 1000);
bzero(bufc, 1000);
if(pfd[0].revents & POLLIN) {
int q = read(0, bufc, 1000);
tls_write(tls2, bufc, q);
}
if(pfd[1].revents & POLLIN) {
if((outlen = tls_read(tls2, bufs, 1000)) <= 0) break;
printf("Mensagem (%lu): %s\n", outlen, bufs);
}
}
tls_close(tls);
tls_free(tls);
tls_config_free(config);
return 0;
}