Example #1
0
void
connection_init_tls()
{
    tls_init();

    CurrentConnectionState.TlsConfiguration = tls_config_new();
    CurrentConnectionState.ServerContext = tls_server();
    CurrentConnectionState.ClientContext = tls_client();

    tls_config_set_key_file(CurrentConnectionState.TlsConfiguration,
                            CurrentConnectionState.PrivateKey);

    tls_config_set_cert_file(CurrentConnectionState.TlsConfiguration,
                             CurrentConnectionState.CertificateFile);

    tls_config_insecure_noverifycert(CurrentConnectionState.TlsConfiguration);

    if(tls_configure(CurrentConnectionState.ServerContext,
                     CurrentConnectionState.TlsConfiguration) != 0)
    {
        printf("%s\n", tls_error(CurrentConnectionState.ServerContext));
    }

    if(tls_configure(CurrentConnectionState.ClientContext,
                     CurrentConnectionState.TlsConfiguration) != 0)
    {
        printf("%s\n", tls_error(CurrentConnectionState.ClientContext));
    }
}
Example #2
0
static int init_https(void) {
	if(!SERVER_PORT_TLS) return 0;
	struct tls_config *config = tls_config_new();
	if(!config) {
		alogf("TLS config error: %s\n", strerror(errno));
		return -1;
	}
	int rc = tls_config_set_ciphers(config, TLS_CIPHERS);
	if(0 != rc) {
		alogf("TLS ciphers error: %s\n", strerror(errno));
		tls_config_free(config); config = NULL;
		return -1;
	}
	tls_config_set_protocols(config, TLS_PROTOCOLS);
	str_t pemfile[PATH_MAX];
	snprintf(pemfile, sizeof(pemfile), "%s/key.pem", path);
	rc = tls_config_set_key_file(config, pemfile);
	if(0 != rc) {
		alogf("TLS key file error: %s\n", strerror(errno));
		tls_config_free(config); config = NULL;
		return -1;
	}
	snprintf(pemfile, sizeof(pemfile), "%s/crt.pem", path);
	rc = tls_config_set_cert_file(config, pemfile);
	if(0 != rc) {
		alogf("TLS crt file error: %s\n", strerror(errno));
		tls_config_free(config); config = NULL;
		return -1;
	}
	struct tls *tls = tls_server();
	if(!tls) {
		alogf("TLS engine error: %s\n", strerror(errno));
		tls_config_free(config); config = NULL;
		return -1;
	}
	rc = tls_configure(tls, config);
	tls_config_free(config); config = NULL;
	if(0 != rc) {
		alogf("TLS config error: %s\n", tls_error(tls));
		tls_free(tls); tls = NULL;
		return -1;
	}
	server_tls = HTTPServerCreate((HTTPListener)listener, blog);
	if(!server_tls) {
		alogf("HTTPS server could not be initialized\n");
		tls_free(tls); tls = NULL;
		return -1;
	}
	rc = HTTPServerListenSecure(server_tls, SERVER_ADDRESS, SERVER_PORT_TLS, &tls);
	tls_free(tls); tls = NULL;
	if(rc < 0) {
		alogf("HTTPS server could not be started: %s\n", sln_strerror(rc));
		return -1;
	}
	int const port = SERVER_PORT_TLS;
	alogf("StrongLink server running at https://localhost:%d/\n", port);
	return 0;
}
Example #3
0
void server() {
    // load Config File and Settings
    fprintf(stdout, "Starting fidistat Server...\n");
    openlog("fidistat-server", LOG_PID, LOG_DAEMON);
    syslog(LOG_INFO, "Started Fidistat Server");

    struct pidfh *pfh = daemon_start('s');

    // Handle Signals
    signal(SIGTERM, handleSigterm_S);
    signal(SIGCHLD, handleChild);

    // Open Socket
    initConf();
    tls_init();
    struct tls* ctx = tls_server();
    int sock = initTLS_S(ctx);
    sckt = sock;

    int connfd, pid;
    listen(sock, 10);

    // Destroy Config
    destroyConf(); 

    while(!term) {
        connfd = accept(sock, (struct sockaddr*) NULL, NULL); 

        if (term) {
            break;
        }
        pid = fork();
        if (pid < 0) {
            syslog(LOG_ERR, "forking new Worker failed");
        } else if (pid == 0) {
            close(sock);
            syslog(LOG_INFO, "New incoming connection");
            worker(connfd, ctx);
            syslog(LOG_INFO, "Closing connection");
            exit(0);
        } else {
            close(connfd);
        }
    }
    syslog(LOG_INFO, "Shutting down Server");
    close(sock);
    tls_close(ctx);
    tls_free(ctx);
    tls_config_free(tlsServer_conf);

    pidfile_remove(pfh);
    syslog(LOG_INFO, "Stopped Fidistat Server");
    closelog();
    exit(0);
}
Example #4
0
static const char *create_worker(struct Worker **w_p, bool is_server, ...)
{
	va_list ap;
	const char *k, *v;
	int klen;
	struct Worker *w;
	int err;
	const char *mem = NULL;
	void *fdata;
	size_t flen;
	const char *errmsg = NULL;

	*w_p = NULL;

	w = calloc(1, sizeof *w);
	if (!w)
		return "calloc";

	w->wstate = HANDSHAKE;
	w->is_server = is_server;
	w->config = tls_config_new();
	if (!w->config)
		return "tls_config_new failed";

	if (is_server) {
		w->base = tls_server();
		if (!w->base)
			return "tls_server failed";
	} else {
		w->ctx = tls_client();
		if (!w->ctx)
			return "tls_client failed";
	}

	va_start(ap, is_server);
	while (1) {
		k = va_arg(ap, char *);
		if (!k)
			break;
		v = strchr(k, '=');
		if (!v) {
			errmsg = k;
			break;
		}
		v++;
		klen = v - k;
		err = 0;
		if (!strncmp(k, "mem=", klen)) {
			mem = v;
		} else if (!strncmp(k, "ca=", klen)) {
			if (mem) {
				fdata = load_file(v, &flen);
				if (!fdata) {
					errmsg = strerror(errno);
					break;
				}
				err = tls_config_set_ca_mem(w->config, fdata, flen);
				free(fdata);
			} else {
				err = tls_config_set_ca_file(w->config, v);
			}
		} else if (!strncmp(k, "cert=", klen)) {
			if (mem) {
				fdata = load_file(v, &flen);
				if (!fdata) {
					errmsg = strerror(errno);
					break;
				}
				err = tls_config_set_cert_mem(w->config, fdata, flen);
				free(fdata);
			} else {
				err = tls_config_set_cert_file(w->config, v);
			}
		} else if (!strncmp(k, "key=", klen)) {
			if (mem) {
				fdata = load_file(v, &flen);
				if (!fdata) {
					errmsg = strerror(errno);
					break;
				}
				err = tls_config_set_key_mem(w->config, fdata, flen);
				free(fdata);
			} else {
				err = tls_config_set_key_file(w->config, v);
			}
		} else if (!strncmp(k, "show=", klen)) {
			w->show = v;
		} else if (!strncmp(k, "ciphers=", klen)) {
			err = tls_config_set_ciphers(w->config, v);
		} else if (!strncmp(k, "host=", klen)) {
			w->hostname = v;
		} else if (!strncmp(k, "noverifycert=", klen)) {
			tls_config_insecure_noverifycert(w->config);
		} else if (!strncmp(k, "noverifyname=", klen)) {
			tls_config_insecure_noverifyname(w->config);
		} else if (!strncmp(k, "verify=", klen)) {
			tls_config_verify(w->config);
		} else if (!strncmp(k, "dheparams=", klen)) {
			err = tls_config_set_dheparams(w->config, v);
		} else if (!strncmp(k, "ecdhecurve=", klen)) {
			err = tls_config_set_ecdhecurve(w->config, v);
		} else if (!strncmp(k, "protocols=", klen)) {
			uint32_t protos;
			err = tls_config_parse_protocols(&protos, v);
			tls_config_set_protocols(w->config, protos);
		} else if (!strncmp(k, "peer-sha1=", klen)) {
			w->peer_fingerprint_sha1 = v;
		} else if (!strncmp(k, "peer-sha256=", klen)) {
			w->peer_fingerprint_sha256 = v;
		} else if (!strncmp(k, "verify-client=", klen)) {
			tls_config_verify_client(w->config);
		} else if (!strncmp(k, "verify-client-optional=", klen)) {
			tls_config_verify_client_optional(w->config);
		} else if (!strncmp(k, "aggressive-close=", klen)) {
			w->aggressive_close = 1;
		} else {
			errmsg = k;
			break;
		}
		if (err < 0) {
			errmsg = k;
			break;
		}
	}
	va_end(ap);

	if (errmsg)
		return errmsg;
	if (is_server) {
		if (tls_configure(w->base, w->config) < 0)
			return tls_error(w->base);
	} else {
		if (tls_configure(w->ctx, w->config) < 0)
			return tls_error(w->ctx);
	}

	*w_p = w;
	return "OK";
}
Example #5
0
File: tlss.c Project: michas2/ucspi
int
main(int argc, char *argv[])
{
	struct tls *tls = NULL;
	struct tls *cctx = NULL;
	struct tls_config *tls_config = NULL;
	char buf[BUFSIZ];
	int ch;
	int e;

	if ((tls_config = tls_config_new()) == NULL)
		err(EXIT_FAILURE, "tls_config_new");

	while ((ch = getopt(argc, argv, "Cc:k:p:f:")) != -1) {
		switch (ch) {
		case 'C':
			tls_config_verify_client(tls_config);
			break;
		case 'c':
			if (tls_config_set_cert_file(tls_config, optarg) == -1)
				err(EXIT_FAILURE, "tls_config_set_cert_file");
			break;
		case 'k':
			if (tls_config_set_key_file(tls_config, optarg) == -1)
				err(EXIT_FAILURE, "tls_config_set_key_file");
			break;
		case 'f':
			if (tls_config_set_ca_file(tls_config, optarg) == -1)
				err(EXIT_FAILURE, "tls_config_set_ca_file");
			break;
		case 'p':
			if (tls_config_set_ca_path(tls_config, optarg) == -1)
				err(EXIT_FAILURE, "tls_config_set_ca_path");
			break;
		default:
			usage();
			/* NOTREACHED */
		}
	}
	argc -= optind;
	argv += optind;

	/* prepare libtls */
	if (tls_init() == -1)
		err(EXIT_FAILURE, "tls_init");

	if ((tls = tls_server()) == NULL)
		err(EXIT_FAILURE, "tls_server");

	if (tls_configure(tls, tls_config) == -1)
		goto err;

	if (tls_accept_fds(tls, &cctx, STDIN_FILENO, STDOUT_FILENO) == -1)
		goto err;

	if (tls_handshake(cctx) == -1)
		goto err;

	if (setenv("PROTO", "SSL", 1) == -1)
		err(EXIT_FAILURE, "setenv");

	/* fork front end program */
	char *prog = argv[0];
#	define PIPE_READ 0
#	define PIPE_WRITE 1
	int pi[2];      /* input pipe */
	int po[2];      /* output pipe */
	if (pipe(pi) == -1) err(EXIT_FAILURE, "pipe");
	if (pipe(po) == -1) err(EXIT_FAILURE, "pipe");

	switch (fork()) {
	case -1:
		err(EXIT_FAILURE, "fork");
	case 0: /* client program */

		/* close non-using ends of pipes */
		if (close(pi[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
		if (close(po[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");

		/* move pipe end to ucspi defined fd numbers */
		if (dup2(po[PIPE_READ], READ_FD) == -1)
			err(EXIT_FAILURE, "dup2");
		if (dup2(pi[PIPE_WRITE], WRITE_FD) == -1)
			err(EXIT_FAILURE, "dup2");

		if (close(po[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
		if (close(pi[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");

		execv(prog, argv);
		err(EXIT_FAILURE, "execve");
	default: break; /* parent */
	}

	/* close non-using ends of pipes */
	if (close(pi[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");
	if (close(po[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");

	int in = pi[PIPE_READ];
	int out = po[PIPE_WRITE];

	/* communication loop */
	for (;;) {
		int ret;
		char buf[BUFSIZ];
		ssize_t sn = 0;
		fd_set readfds;
		FD_ZERO(&readfds);
		FD_SET(in, &readfds);
		FD_SET(READ_FD, &readfds);
		int max_fd = MAX(in, READ_FD);

		ret = select(max_fd+1, &readfds, NULL, NULL, NULL);
		if (ret == -1)
			err(EXIT_FAILURE, "select");

		if (FD_ISSET(READ_FD, &readfds)) {
			do {
 again:
				sn = tls_read(cctx, buf, sizeof buf);
				if (sn == TLS_WANT_POLLIN ||
				    sn == TLS_WANT_POLLOUT)
					goto again;
				if (sn == -1)
					goto err;
				if (sn == 0)
					return EXIT_SUCCESS;
				if (write(out, buf, sn) == -1)
					err(EXIT_FAILURE, "write()");
			} while (sn == sizeof buf);
		} else if (FD_ISSET(in, &readfds)) {
			if ((sn = read(in, buf, sizeof buf)) == -1)
				err(EXIT_FAILURE, "read()");
			if (sn == 0) /* EOF from inside */
				goto out;
			/* XXX: unable to detect disconnect here */
			if (tls_write(cctx, buf, sn) == -1)
				goto err;
		}
	}

 out:
	tls_close(cctx);
	return EXIT_SUCCESS;
 err:
	while ((e = ERR_get_error())) {
		ERR_error_string(e, buf);
		fprintf(stderr, " %s\n", buf);
	}
	errx(EXIT_FAILURE, "tls_error: %s", tls_error(cctx));
	errx(EXIT_FAILURE, "tls_error: %s", tls_error(tls));
}
int main(int argc, char **argv) {

	struct tls_config *config = NULL;
	struct tls *tls = NULL;
	unsigned int protocols = 0;
	struct sockaddr_in server, client;
	int sock = socket(AF_INET, SOCK_STREAM, 0);
	int opt = 1;
	int b;
	struct tls *tls2 = NULL;
	ssize_t outlen = 0;
	char bufs[1000], bufc[1000];
	int sc;
	char *msg = "HELLO TLS CLIENT\n";

	char *ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384";

	struct pollfd pfd[2];

	if(tls_init() < 0) {
		printf("tls_init error\n");
		exit(1);
	}

	config = tls_config_new();
	if(config == NULL) {
		printf("tls_config_new error\n");
		exit(1);
	}

	tls = tls_server();
	if(tls == NULL) {
		printf("tls_server error\n");
		exit(1);
	}


	if(tls_config_parse_protocols(&protocols, "secure") < 0) {
		printf("tls_config_parse_protocols error\n");
		exit(1);
	}

	tls_config_set_protocols(config, protocols);

	if(tls_config_set_ciphers(config, ciphers) < 0) {
		printf("tls_config_set_ciphers error\n");
		exit(1);
	}

	if(tls_config_set_key_file(config, "private.pem") < 0) {
		printf("tls_config_set_key_file error\n");
		exit(1);
	}

	if(tls_config_set_cert_file(config, "server.crt") < 0) {
		printf("tls_config_set_cert_file error\n");
		exit(1);
	}

	if(tls_configure(tls, config) < 0) {
		printf("tls_configure error: %s\n", tls_error(tls));
		exit(1);
	}


	bzero(&server, sizeof(server));
	server.sin_addr.s_addr = inet_addr("127.0.0.1");
	server.sin_port = htons(9000);
	server.sin_family = AF_INET;

	setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, 4);
	b = bind(sock, (struct sockaddr *) &server, sizeof(server));
	if(b < 0) {
		printf("erro bind\n");
		exit(1);
	}
	listen(sock, 10);

	socklen_t client_size = sizeof(client);

	sc = accept(sock, (struct sockaddr *) &client, &client_size);

	if(tls_accept_socket(tls, &tls2, sc) < 0) {
		printf("tls_accept_socket error\n");
		exit(1);
	}

	tls_write(tls2, msg, strlen(msg));

	pfd[0].fd = 0;
	pfd[0].events = POLLIN;
	pfd[1].fd = sc;
	pfd[1].events = POLLIN;

	while(bufc[0] != ':' && bufc[1] != 'q') {

		poll(pfd, 2, -1);

		bzero(bufs, 1000);
		bzero(bufc, 1000);

		if(pfd[0].revents & POLLIN) {
			int q = read(0, bufc, 1000);
			tls_write(tls2, bufc, q);
		}

		if(pfd[1].revents & POLLIN) {
			if((outlen = tls_read(tls2, bufs, 1000)) <= 0) break;
			printf("Mensagem (%lu): %s\n", outlen, bufs);
		}


	}

	tls_close(tls);
	tls_free(tls);
	tls_config_free(config);

	return 0;

}