result_t crypto_base::pseudoRandomBytes(int32_t size, obj_ptr<Buffer_base> &retVal, exlib::AsyncEvent *ac) { if (!ac) return CHECK_ERROR(CALL_E_NOSYNC); int i, ret; entropy_context entropy; unsigned char buf[ENTROPY_BLOCK_SIZE]; std::string strBuf; strBuf.resize(size); entropy_init(&entropy); for (i = 0; i < size; i += sizeof(buf)) { ret = entropy_func(&entropy, buf, sizeof(buf)); if (ret != 0) { entropy_free(&entropy); return CHECK_ERROR(_ssl::setError(ret)); } memcpy(&strBuf[i], buf, size - i > (int)sizeof(buf) ? (int)sizeof(buf) : size - i); } entropy_free(&entropy); retVal = new Buffer(strBuf); return 0; }
/* shameless copy/paste from: https://polarssl.org/kb/how-to/generate-an-aes-key */ unsigned char *generatekey(char *pers, int size){ ctr_drbg_context ctr_drbg = {0}; entropy_context entropy = {0}; int keysize = 0; unsigned char *key = NULL; int ret = 0; //convert to bytes keysize = size / 8; entropy_init( &entropy ); if((ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (unsigned char *)pers,strlen(pers))) != 0 ){ outputerror(DBG_ERROR,"%s\n","generatekey::failed to initialize random generator"); return NULL; } key = (unsigned char *)malloc(keysize); if(key == NULL){ outputerror(DBG_ERROR,"%s\n","generatekey::failed to malloc"); return NULL; } if((ret = ctr_drbg_random(&ctr_drbg,key,keysize)) != 0 ){ outputerror(DBG_ERROR,"%s\n","generatekey::failed to produce random data"); return NULL; } entropy_free(&entropy); return key; }
/* rsa oaep encryption */ unsigned char *rsacrypt(pk_context *pkctx,const unsigned char *plaintext,const unsigned int plaintextsize){ entropy_context entropy = {0}; ctr_drbg_context ctr_drbg = {0}; rsa_context rsactx = {0}; int pkresult = 0; unsigned char *encryptedoutput = NULL; unsigned int encryptedoutputsize = 0; char pers[33] = "3s:!2OXI(FX%#Q($[CEjiGRIk\\-)4e&?"; int ret = 0; entropy_init( &entropy ); if((ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (unsigned char *)&pers[0],strlen(pers))) != 0 ){ outputerror(DBG_ERROR,"%s\n","rsacrypt::failed to initialize random generator"); return NULL; } encryptedoutputsize = pk_get_len(pkctx); outputerror(DBG_INFO,"%s %Iu\n","rsacrypt::buffer size for rsa encrypted output ",encryptedoutputsize); encryptedoutput = (unsigned char *)malloc(encryptedoutputsize); SecureZeroMemory(encryptedoutput,encryptedoutputsize); rsa_copy(&rsactx,pkctx->pk_ctx); rsactx.padding = RSA_PKCS_V21; rsactx.hash_id = POLARSSL_MD_SHA1; pkresult = 0; pkresult = rsa_rsaes_oaep_encrypt(&rsactx,ctr_drbg_random,&ctr_drbg,RSA_PUBLIC,"cryptoshot",strlen("cryptoshot"),plaintextsize,plaintext,encryptedoutput); if(pkresult != 0){ outputerror(DBG_ERROR,"%s %i\n","rsacrypt::failed to encrypt data",pkresult); return NULL; } entropy_free(&entropy); rsa_free(&rsactx); return encryptedoutput; }
void gui_file_destroy (gui_file * file) { allocated_gui_file--; entropy_free (file); }
int ssl_free_info(ssl_info *sslinfo){ x509_crt_free(&sslinfo->cacert ); ssl_free(&sslinfo->ssl); ctr_drbg_free(&sslinfo->ctr_drbg ); entropy_free(&sslinfo->entropy ); return 0; }
void entropy_notification_engine_destroy_thread(entropy_notification_engine* engine) { /*Request a terminate*/ engine->terminate = 1; entropy_notify_event* ev; void* clean; entropy_notify_event_cb_data* cb_data; /*Wait for thread to finish*/ printf("Waiting for notify thread to finish..\n"); printf("..Terminated\n"); ecore_list_first_goto(engine->op_queue); while ( (ev = ecore_list_next(engine->op_queue)) ) { //printf("Freeing an event..\n"); if (ev->cb_list) { ecore_list_first_goto(ev->cb_list); while ( (cb_data = ecore_list_next(ev->cb_list)) ) { entropy_free(cb_data); } ecore_list_destroy(ev->cb_list); } if (ev->cleanup_list) { ecore_list_first_goto(ev->cleanup_list); while ( (clean = ecore_list_next(ev->cleanup_list)) ) { entropy_free(clean); } ecore_list_destroy(ev->cleanup_list); } } printf("Terminating op queue...\n"); ecore_list_destroy(engine->op_queue); printf("Terminating exe queue...\n"); ecore_list_destroy(engine->exe_queue); /*Return*/ printf("..Exiting thread\n"); }
void entropy_thumbnail_destroy (entropy_thumbnail * thumb) { if (thumb) { if (thumb->text) ecore_hash_destroy (thumb->text); entropy_free (thumb); allocated_thumbnails--; print_allocation (); } }
void ms_dtls_srtp_context_destroy(MSDtlsSrtpContext *ctx) { /* clean polarssl contexts */ if (ctx->rtp_dtls_context) { x509_crt_free( &(ctx->rtp_dtls_context->crt) ); ssl_free( &(ctx->rtp_dtls_context->ssl) ); ctr_drbg_free( &(ctx->rtp_dtls_context->ctr_drbg) ); entropy_free( &(ctx->rtp_dtls_context->entropy) ); pk_free( &(ctx->rtp_dtls_context->pkey) ); ssl_cookie_free( &(ctx->rtp_dtls_context->cookie_ctx) ); ms_mutex_destroy(&ctx->rtp_dtls_context->ssl_context_mutex); ms_free(ctx->rtp_dtls_context); } if (ctx->rtcp_dtls_context) { x509_crt_free( &(ctx->rtcp_dtls_context->crt) ); ssl_free( &(ctx->rtcp_dtls_context->ssl) ); ctr_drbg_free( &(ctx->rtcp_dtls_context->ctr_drbg) ); entropy_free( &(ctx->rtcp_dtls_context->entropy) ); pk_free( &(ctx->rtcp_dtls_context->pkey) ); ssl_cookie_free( &(ctx->rtcp_dtls_context->cookie_ctx) ); ms_mutex_destroy(&ctx->rtcp_dtls_context->ssl_context_mutex); ms_free(ctx->rtcp_dtls_context); } /* clean incoming buffers */ while (ctx->rtp_incoming_buffer!=NULL) { DtlsRawPacket *next_packet = ctx->rtp_incoming_buffer->next; ms_free(ctx->rtp_incoming_buffer->data); ms_free(ctx->rtp_incoming_buffer); ctx->rtp_incoming_buffer = next_packet; } while (ctx->rtcp_incoming_buffer!=NULL) { DtlsRawPacket *next_packet = ctx->rtcp_incoming_buffer->next; ms_free(ctx->rtcp_incoming_buffer->data); ms_free(ctx->rtcp_incoming_buffer); ctx->rtcp_incoming_buffer = next_packet; } ms_free(ctx); ms_message("DTLS-SRTP context destroyed"); }
int main( int argc, char *argv[] ) { FILE *f; int i, k, ret; entropy_context entropy; unsigned char buf[ENTROPY_BLOCK_SIZE]; if( argc < 2 ) { fprintf( stderr, "usage: %s <output filename>\n", argv[0] ); return( 1 ); } if( ( f = fopen( argv[1], "wb+" ) ) == NULL ) { printf( "failed to open '%s' for writing.\n", argv[0] ); return( 1 ); } entropy_init( &entropy ); for( i = 0, k = 768; i < k; i++ ) { ret = entropy_func( &entropy, buf, sizeof( buf ) ); if( ret != 0 ) { printf("failed!\n"); goto cleanup; } fwrite( buf, 1, sizeof( buf ), f ); printf( "Generating 32Mb of data in file '%s'... %04.1f" \ "%% done\r", argv[1], (100 * (float) (i + 1)) / k ); fflush( stdout ); } ret = 0; cleanup: fclose( f ); entropy_free( &entropy ); return( ret ); }
int main( int argc, char *argv[] ) { int ret; rsa_context rsa; entropy_context entropy; ctr_drbg_context ctr_drbg; FILE *fpub = NULL; FILE *fpriv = NULL; const char *pers = "rsa_genkey"; ((void) argc); ((void) argv); polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } polarssl_printf( " ok\n . Generating the RSA key [ %d-bit ]...", KEY_SIZE ); fflush( stdout ); rsa_init( &rsa, RSA_PKCS_V15, 0 ); if( ( ret = rsa_gen_key( &rsa, ctr_drbg_random, &ctr_drbg, KEY_SIZE, EXPONENT ) ) != 0 ) { polarssl_printf( " failed\n ! rsa_gen_key returned %d\n\n", ret ); goto exit; } polarssl_printf( " ok\n . Exporting the public key in rsa_pub.txt...." ); fflush( stdout ); if( ( fpub = fopen( "rsa_pub.txt", "wb+" ) ) == NULL ) { polarssl_printf( " failed\n ! could not open rsa_pub.txt for writing\n\n" ); ret = 1; goto exit; } if( ( ret = mpi_write_file( "N = ", &rsa.N, 16, fpub ) ) != 0 || ( ret = mpi_write_file( "E = ", &rsa.E, 16, fpub ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_write_file returned %d\n\n", ret ); goto exit; } polarssl_printf( " ok\n . Exporting the private key in rsa_priv.txt..." ); fflush( stdout ); if( ( fpriv = fopen( "rsa_priv.txt", "wb+" ) ) == NULL ) { polarssl_printf( " failed\n ! could not open rsa_priv.txt for writing\n" ); ret = 1; goto exit; } if( ( ret = mpi_write_file( "N = " , &rsa.N , 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "E = " , &rsa.E , 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "D = " , &rsa.D , 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "P = " , &rsa.P , 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "Q = " , &rsa.Q , 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "DP = ", &rsa.DP, 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "DQ = ", &rsa.DQ, 16, fpriv ) ) != 0 || ( ret = mpi_write_file( "QP = ", &rsa.QP, 16, fpriv ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_write_file returned %d\n\n", ret ); goto exit; } /* polarssl_printf( " ok\n . Generating the certificate..." ); x509write_init_raw( &cert ); x509write_add_pubkey( &cert, &rsa ); x509write_add_subject( &cert, "CN='localhost'" ); x509write_add_validity( &cert, "2007-09-06 17:00:32", "2010-09-06 17:00:32" ); x509write_create_selfsign( &cert, &rsa ); x509write_crtfile( &cert, "cert.der", X509_OUTPUT_DER ); x509write_crtfile( &cert, "cert.pem", X509_OUTPUT_PEM ); x509write_free_raw( &cert ); */ polarssl_printf( " ok\n\n" ); exit: if( fpub != NULL ) fclose( fpub ); if( fpriv != NULL ) fclose( fpriv ); rsa_free( &rsa ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(_WIN32) polarssl_printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret = 1; mpi G, P, Q; entropy_context entropy; ctr_drbg_context ctr_drbg; const char *pers = "dh_genprime"; FILE *fout; ((void) argc); ((void) argv); mpi_init( &G ); mpi_init( &P ); mpi_init( &Q ); entropy_init( &entropy ); if( ( ret = mpi_read_string( &G, 10, GENERATOR ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_read_string returned %d\n", ret ); goto exit; } polarssl_printf( "\nWARNING: You should not generate and use your own DHM primes\n" ); polarssl_printf( " unless you are very certain of what you are doing!\n" ); polarssl_printf( " Failing to follow this instruction may result in\n" ); polarssl_printf( " weak security for your connections! Use the\n" ); polarssl_printf( " predefined DHM parameters from dhm.h instead!\n\n" ); polarssl_printf( "============================================================\n\n" ); polarssl_printf( " ! Generating large primes may take minutes!\n" ); polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } polarssl_printf( " ok\n . Generating the modulus, please wait..." ); fflush( stdout ); /* * This can take a long time... */ if( ( ret = mpi_gen_prime( &P, DH_P_SIZE, 1, ctr_drbg_random, &ctr_drbg ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_gen_prime returned %d\n\n", ret ); goto exit; } polarssl_printf( " ok\n . Verifying that Q = (P-1)/2 is prime..." ); fflush( stdout ); if( ( ret = mpi_sub_int( &Q, &P, 1 ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_sub_int returned %d\n\n", ret ); goto exit; } if( ( ret = mpi_div_int( &Q, NULL, &Q, 2 ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_div_int returned %d\n\n", ret ); goto exit; } if( ( ret = mpi_is_prime( &Q, ctr_drbg_random, &ctr_drbg ) ) != 0 ) { polarssl_printf( " failed\n ! mpi_is_prime returned %d\n\n", ret ); goto exit; } polarssl_printf( " ok\n . Exporting the value in dh_prime.txt..." ); fflush( stdout ); if( ( fout = fopen( "dh_prime.txt", "wb+" ) ) == NULL ) { ret = 1; polarssl_printf( " failed\n ! Could not create dh_prime.txt\n\n" ); goto exit; } if( ( ret = mpi_write_file( "P = ", &P, 16, fout ) != 0 ) || ( ret = mpi_write_file( "G = ", &G, 16, fout ) != 0 ) ) { polarssl_printf( " failed\n ! mpi_write_file returned %d\n\n", ret ); goto exit; } polarssl_printf( " ok\n\n" ); fclose( fout ); exit: mpi_free( &G ); mpi_free( &P ); mpi_free( &Q ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(_WIN32) polarssl_printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) { SIOCtlVBuffer CommandBuffer(_CommandAddress); u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0; u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0; u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0; u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0; if (CommandBuffer.InBuffer.size() > 0) { _BufferIn = CommandBuffer.InBuffer.at(0).m_Address; BufferInSize = CommandBuffer.InBuffer.at(0).m_Size; } if (CommandBuffer.InBuffer.size() > 1) { _BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address; BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size; } if (CommandBuffer.InBuffer.size() > 2) { _BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address; BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 0) { BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address; BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 1) { BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address; BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 2) { BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address; BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size; } // I don't trust SSL to be deterministic, and this is never going to sync // as such (as opposed to forwarding IPC results or whatever), so - if (Core::g_want_determinism) { Memory::Write_U32(-1, _CommandAddress + 0x4); return IPC_DEFAULT_REPLY; } switch (CommandBuffer.Parameter) { case IOCTLV_NET_SSL_NEW: { int verifyOption = Memory::Read_U32(BufferOut); std::string hostname = Memory::GetString(BufferOut2, BufferOutSize2); int freeSSL = GetSSLFreeID(); if (freeSSL) { int sslID = freeSSL - 1; WII_SSL* ssl = &_SSL[sslID]; int ret = ssl_init(&ssl->ctx); if (ret) { goto _SSL_NEW_ERROR; } entropy_init(&ssl->entropy); const char* pers = "dolphin-emu"; ret = ctr_drbg_init(&ssl->ctr_drbg, entropy_func, &ssl->entropy, (const unsigned char*)pers, strlen(pers)); if (ret) { ssl_free(&ssl->ctx); entropy_free(&ssl->entropy); goto _SSL_NEW_ERROR; } ssl_set_rng(&ssl->ctx, ctr_drbg_random, &ssl->ctr_drbg); // For some reason we can't use TLSv1.2, v1.1 and below are fine! ssl_set_max_version(&ssl->ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2); ssl_set_session(&ssl->ctx, &ssl->session); ssl_set_endpoint(&ssl->ctx, SSL_IS_CLIENT); ssl_set_authmode(&ssl->ctx, SSL_VERIFY_NONE); ssl_set_renegotiation(&ssl->ctx, SSL_RENEGOTIATION_ENABLED); ssl->hostname = hostname; ssl_set_hostname(&ssl->ctx, ssl->hostname.c_str()); ssl->active = true; Memory::Write_U32(freeSSL, _BufferIn); } else { _SSL_NEW_ERROR: Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", verifyOption, hostname.c_str(), _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SHUTDOWN: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; ssl_close_notify(&ssl->ctx); ssl_session_free(&ssl->session); ssl_free(&ssl->ctx); entropy_free(&ssl->entropy); x509_crt_free(&ssl->cacert); x509_crt_free(&ssl->clicert); ssl->hostname.clear(); ssl->active = false; Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCA: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; int ret = x509_crt_parse_der( &ssl->cacert, Memory::GetPointer(BufferOut2), BufferOutSize2); if (ret) { Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str()); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; std::string cert_base_path = File::GetUserPath(D_SESSION_WIIROOT_IDX); int ret = x509_crt_parse_file(&ssl->clicert, (cert_base_path + "clientca.pem").c_str()); int pk_ret = pk_parse_keyfile(&ssl->pk, (cert_base_path + "clientcakey.pem").c_str(), nullptr); if (ret || pk_ret) { x509_crt_free(&ssl->clicert); pk_free(&ssl->pk); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_own_cert(&ssl->ctx, &ssl->clicert, &ssl->pk); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_REMOVECLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; x509_crt_free(&ssl->clicert); pk_free(&ssl->pk); ssl_set_own_cert(&ssl->ctx, nullptr, nullptr); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_SETBUILTINROOTCA: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; int ret = x509_crt_parse_file(&ssl->cacert, (File::GetUserPath(D_SESSION_WIIROOT_IDX) + "/rootca.pem").c_str()); if (ret) { x509_crt_free(&ssl->clicert); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str()); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_CONNECT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; ssl->sockfd = Memory::Read_U32(BufferOut2); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", ssl->sockfd); ssl_set_bio(&ssl->ctx, net_recv, &ssl->sockfd, net_send, &ssl->sockfd); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_DOHANDSHAKE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::GetInstance(); sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE); return IPC_NO_REPLY; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_WRITE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::GetInstance(); sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE); return IPC_NO_REPLY; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); INFO_LOG(WII_IPC_SSL, "%s", Memory::GetString(BufferOut2).c_str()); break; } case IOCTLV_NET_SSL_READ: { int ret = 0; int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::GetInstance(); sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ); return IPC_NO_REPLY; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)" "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", ret, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCADEFAULT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } default: ERROR_LOG(WII_IPC_SSL, "%i " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", CommandBuffer.Parameter, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } // SSL return codes are written to BufferIn Memory::Write_U32(0, _CommandAddress+4); return IPC_DEFAULT_REPLY; }
int main( int argc, char *argv[] ) { int ret = 0, len, server_fd, i, written, frags; unsigned char buf[SSL_MAX_CONTENT_LEN + 1]; #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[POLARSSL_PSK_MAX_LEN]; size_t psk_len = 0; #endif #if defined(POLARSSL_SSL_ALPN) const char *alpn_list[10]; #endif const char *pers = "ssl_client2"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; ssl_session saved_session; #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt cacert; x509_crt clicert; pk_context pkey; #endif char *p, *q; const int *list; /* * Make sure memory references are valid. */ server_fd = 0; memset( &ssl, 0, sizeof( ssl_context ) ); memset( &saved_session, 0, sizeof( ssl_session ) ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_init( &cacert ); x509_crt_init( &clicert ); pk_init( &pkey ); #endif #if defined(POLARSSL_SSL_ALPN) memset( (void * ) alpn_list, 0, sizeof( alpn_list ) ); #endif if( argc == 0 ) { usage: if( ret == 0 ) ret = 1; printf( USAGE ); list = ssl_list_ciphersuites(); while( *list ) { printf(" %-42s", ssl_get_ciphersuite_name( *list ) ); list++; if( !*list ) break; printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); list++; } printf("\n"); goto exit; } opt.server_name = DFL_SERVER_NAME; opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.nbio = DFL_NBIO; opt.request_page = DFL_REQUEST_PAGE; opt.request_size = DFL_REQUEST_SIZE; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.psk = DFL_PSK; opt.psk_identity = DFL_PSK_IDENTITY; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.renegotiate = DFL_RENEGOTIATE; opt.min_version = DFL_MIN_VERSION; opt.max_version = DFL_MAX_VERSION; opt.auth_mode = DFL_AUTH_MODE; opt.mfl_code = DFL_MFL_CODE; opt.trunc_hmac = DFL_TRUNC_HMAC; opt.reconnect = DFL_RECONNECT; opt.reco_delay = DFL_RECO_DELAY; opt.tickets = DFL_TICKETS; opt.alpn_string = DFL_ALPN_STRING; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "server_name" ) == 0 ) opt.server_name = q; else if( strcmp( p, "server_addr" ) == 0 ) opt.server_addr = q; else if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "nbio" ) == 0 ) { opt.nbio = atoi( q ); if( opt.nbio < 0 || opt.nbio > 2 ) goto usage; } else if( strcmp( p, "request_page" ) == 0 ) opt.request_page = q; else if( strcmp( p, "request_size" ) == 0 ) { opt.request_size = atoi( q ); if( opt.request_size < 0 || opt.request_size > SSL_MAX_CONTENT_LEN ) goto usage; } else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) opt.ca_path = q; else if( strcmp( p, "crt_file" ) == 0 ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; else if( strcmp( p, "psk_identity" ) == 0 ) opt.psk_identity = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); if( opt.force_ciphersuite[0] == 0 ) { ret = 2; goto usage; } opt.force_ciphersuite[1] = 0; } else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED : SSL_RENEGOTIATION_DISABLED; } else if( strcmp( p, "allow_legacy" ) == 0 ) { opt.allow_legacy = atoi( q ); if( opt.allow_legacy < 0 || opt.allow_legacy > 1 ) goto usage; } else if( strcmp( p, "renegotiate" ) == 0 ) { opt.renegotiate = atoi( q ); if( opt.renegotiate < 0 || opt.renegotiate > 1 ) goto usage; } else if( strcmp( p, "reconnect" ) == 0 ) { opt.reconnect = atoi( q ); if( opt.reconnect < 0 || opt.reconnect > 2 ) goto usage; } else if( strcmp( p, "reco_delay" ) == 0 ) { opt.reco_delay = atoi( q ); if( opt.reco_delay < 0 ) goto usage; } else if( strcmp( p, "tickets" ) == 0 ) { opt.tickets = atoi( q ); if( opt.tickets < 0 || opt.tickets > 2 ) goto usage; } else if( strcmp( p, "alpn" ) == 0 ) { opt.alpn_string = q; } else if( strcmp( p, "min_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "max_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "force_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_0; opt.max_version = SSL_MINOR_VERSION_0; } else if( strcmp( q, "tls1" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_1; opt.max_version = SSL_MINOR_VERSION_1; } else if( strcmp( q, "tls1_1" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_2; opt.max_version = SSL_MINOR_VERSION_2; } else if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_3; opt.max_version = SSL_MINOR_VERSION_3; } else goto usage; } else if( strcmp( p, "auth_mode" ) == 0 ) { if( strcmp( q, "none" ) == 0 ) opt.auth_mode = SSL_VERIFY_NONE; else if( strcmp( q, "optional" ) == 0 ) opt.auth_mode = SSL_VERIFY_OPTIONAL; else if( strcmp( q, "required" ) == 0 ) opt.auth_mode = SSL_VERIFY_REQUIRED; else goto usage; } else if( strcmp( p, "max_frag_len" ) == 0 ) { if( strcmp( q, "512" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_512; else if( strcmp( q, "1024" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_1024; else if( strcmp( q, "2048" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_2048; else if( strcmp( q, "4096" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_4096; else goto usage; } else if( strcmp( p, "trunc_hmac" ) == 0 ) { opt.trunc_hmac = atoi( q ); if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 ) goto usage; } else goto usage; } #if defined(POLARSSL_DEBUG_C) debug_set_threshold( opt.debug_level ); #endif if( opt.force_ciphersuite[0] > 0 ) { const ssl_ciphersuite_t *ciphersuite_info; ciphersuite_info = ssl_ciphersuite_from_id( opt.force_ciphersuite[0] ); if( opt.max_version != -1 && ciphersuite_info->min_minor_ver > opt.max_version ) { printf("forced ciphersuite not allowed with this protocol version\n"); ret = 2; goto usage; } if( opt.min_version != -1 && ciphersuite_info->max_minor_ver < opt.min_version ) { printf("forced ciphersuite not allowed with this protocol version\n"); ret = 2; goto usage; } if( opt.max_version > ciphersuite_info->max_minor_ver ) opt.max_version = ciphersuite_info->max_minor_ver; if( opt.min_version < ciphersuite_info->min_minor_ver ) opt.min_version = ciphersuite_info->min_minor_ver; } #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) /* * Unhexify the pre-shared key if any is given */ if( strlen( opt.psk ) ) { unsigned char c; size_t j; if( strlen( opt.psk ) % 2 != 0 ) { printf("pre-shared key not valid hex\n"); goto exit; } psk_len = strlen( opt.psk ) / 2; for( j = 0; j < strlen( opt.psk ); j += 2 ) { c = opt.psk[j]; if( c >= '0' && c <= '9' ) c -= '0'; else if( c >= 'a' && c <= 'f' ) c -= 'a' - 10; else if( c >= 'A' && c <= 'F' ) c -= 'A' - 10; else { printf("pre-shared key not valid hex\n"); goto exit; } psk[ j / 2 ] = c << 4; c = opt.psk[j + 1]; if( c >= '0' && c <= '9' ) c -= '0'; else if( c >= 'a' && c <= 'f' ) c -= 'a' - 10; else if( c >= 'A' && c <= 'F' ) c -= 'A' - 10; else { printf("pre-shared key not valid hex\n"); goto exit; } psk[ j / 2 ] |= c; } } #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(POLARSSL_SSL_ALPN) if( opt.alpn_string != NULL ) { p = (char *) opt.alpn_string; i = 0; /* Leave room for a final NULL in alpn_list */ while( i < (int) sizeof alpn_list - 1 && *p != '\0' ) { alpn_list[i++] = p; /* Terminate the current string and move on to next one */ while( *p != ',' && *p != '\0' ) p++; if( *p == ',' ) *p++ = '\0'; } } #endif /* POLARSSL_SSL_ALPN */ /* * 0. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret ); goto exit; } printf( " ok\n" ); #if defined(POLARSSL_X509_CRT_PARSE_C) /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_path ) ) if( strcmp( opt.ca_path, "none" ) == 0 ) ret = 0; else ret = x509_crt_parse_path( &cacert, opt.ca_path ); else if( strlen( opt.ca_file ) ) if( strcmp( opt.ca_file, "none" ) == 0 ) ret = 0; else ret = x509_crt_parse_file( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, strlen( test_ca_list ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret < 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* * 1.2. Load own certificate and private key * * (can be skipped if client authentication is not required) */ printf( " . Loading the client cert. and key..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) if( strcmp( opt.crt_file, "none" ) == 0 ) ret = 0; else ret = x509_crt_parse_file( &clicert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt, strlen( test_cli_crt ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } #if defined(POLARSSL_FS_IO) if( strlen( opt.key_file ) ) if( strcmp( opt.key_file, "none" ) == 0 ) ret = 0; else ret = pk_parse_keyfile( &pkey, opt.key_file, "" ); else #endif #if defined(POLARSSL_CERTS_C) ret = pk_parse_key( &pkey, (const unsigned char *) test_cli_key, strlen( test_cli_key ), NULL, 0 ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); #endif /* POLARSSL_X509_CRT_PARSE_C */ /* * 2. Start the connection */ if( opt.server_addr == NULL) opt.server_addr = opt.server_name; printf( " . Connecting to tcp/%s/%-4d...", opt.server_addr, opt.server_port ); fflush( stdout ); if( ( ret = net_connect( &server_fd, opt.server_addr, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned -0x%x\n\n", -ret ); goto exit; } if( opt.nbio > 0 ) ret = net_set_nonblock( server_fd ); else ret = net_set_block( server_fd ); if( ret != 0 ) { printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); #if defined(POLARSSL_X509_CRT_PARSE_C) if( opt.debug_level > 0 ) ssl_set_verify( &ssl, my_verify, NULL ); #endif ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) if( ( ret = ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 ) { printf( " failed\n ! ssl_set_max_frag_len returned %d\n\n", ret ); goto exit; } #endif #if defined(POLARSSL_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != 0 ) if( ( ret = ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED ) ) != 0 ) { printf( " failed\n ! ssl_set_truncated_hmac returned %d\n\n", ret ); goto exit; } #endif #if defined(POLARSSL_SSL_ALPN) if( opt.alpn_string != NULL ) if( ( ret = ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 ) { printf( " failed\n ! ssl_set_alpn_protocols returned %d\n\n", ret ); goto exit; } #endif ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); if( opt.nbio == 2 ) ssl_set_bio( &ssl, my_recv, &server_fd, my_send, &server_fd ); else ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); #if defined(POLARSSL_SSL_SESSION_TICKETS) if( ( ret = ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 ) { printf( " failed\n ! ssl_set_session_tickets returned %d\n\n", ret ); goto exit; } #endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); #if defined(POLARSSL_X509_CRT_PARSE_C) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); } if( strcmp( opt.crt_file, "none" ) != 0 && strcmp( opt.key_file, "none" ) != 0 ) { if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) { printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret ); goto exit; } } #endif #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) if( ( ret = ssl_set_psk( &ssl, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ) ) != 0 ) { printf( " failed\n ! ssl_set_psk returned %d\n\n", ret ); goto exit; } #endif #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { printf( " failed\n ! ssl_set_hostname returned %d\n\n", ret ); goto exit; } #endif if( opt.min_version != -1 ) ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != -1 ) ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); /* * 4. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret ); if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED ) printf( " Unable to verify the server's certificate. " "Either it is invalid,\n" " or you didn't set ca_file or ca_path " "to an appropriate value.\n" " Alternatively, you may want to use " "auth_mode=optional for testing purposes.\n" ); printf( "\n" ); goto exit; } } printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n", ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) ); #if defined(POLARSSL_SSL_ALPN) if( opt.alpn_string != NULL ) { const char *alp = ssl_get_alpn_protocol( &ssl ); printf( " [ Application Layer Protocol is %s ]\n", alp ? alp : "(none)" ); } #endif if( opt.reconnect != 0 ) { printf(" . Saving session for reuse..." ); fflush( stdout ); if( ( ret = ssl_get_session( &ssl, &saved_session ) ) != 0 ) { printf( " failed\n ! ssl_get_session returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); } #if defined(POLARSSL_X509_CRT_PARSE_C) /* * 5. Verify the server certificate */ printf( " . Verifying peer X.509 certificate..." ); if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); if( ssl_get_peer_cert( &ssl ) != NULL ) { printf( " . Peer certificate information ...\n" ); x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", ssl_get_peer_cert( &ssl ) ); printf( "%s\n", buf ); } #endif /* POLARSSL_X509_CRT_PARSE_C */ if( opt.renegotiate ) { /* * Perform renegotiation (this must be done when the server is waiting * for input from our side). */ printf( " . Performing renegotiation..." ); fflush( stdout ); while( ( ret = ssl_renegotiate( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret ); goto exit; } } printf( " ok\n" ); } /* * 6. Write the GET request */ send_request: printf( " > Write to server:" ); fflush( stdout ); if( strcmp( opt.request_page, "SERVERQUIT" ) == 0 ) len = sprintf( (char *) buf, "%s", opt.request_page ); else { size_t tail_len = strlen( GET_REQUEST_END ); len = snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST, opt.request_page ); /* Add padding to GET request to reach opt.request_size in length */ if( opt.request_size != DFL_REQUEST_SIZE && len + tail_len < (size_t) opt.request_size ) { memset( buf + len, 'A', opt.request_size - len - tail_len ); len += opt.request_size - len - tail_len; } strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 ); len += tail_len; } /* Truncate if request size is smaller than the "natural" size */ if( opt.request_size != DFL_REQUEST_SIZE && len > opt.request_size ) { len = opt.request_size; /* Still end with \r\n unless that's really not possible */ if( len >= 2 ) buf[len - 2] = '\r'; if( len >= 1 ) buf[len - 1] = '\n'; } for( written = 0, frags = 0; written < len; written += ret, frags++ ) { while( ( ret = ssl_write( &ssl, buf + written, len - written ) ) <= 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned -0x%x\n\n", -ret ); goto exit; } } } buf[written] = '\0'; printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf ); /* * 7. Read the HTTP response */ printf( " < Read from server:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) break; if( ret < 0 ) { printf( "failed\n ! ssl_read returned -0x%x\n\n", -ret ); break; } if( ret == 0 ) { printf("\n\nEOF\n\n"); ssl_close_notify( &ssl ); break; } len = ret; buf[len] = '\0'; printf( " %d bytes read\n\n%s", len, (char *) buf ); } while( 1 ); if( opt.reconnect != 0 ) { --opt.reconnect; net_close( server_fd ); #if defined(POLARSSL_TIMING_C) if( opt.reco_delay > 0 ) m_sleep( 1000 * opt.reco_delay ); #endif printf( " . Reconnecting with saved session..." ); fflush( stdout ); if( ( ret = ssl_session_reset( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_session_reset returned -0x%x\n\n", -ret ); goto exit; } if( ( ret = ssl_set_session( &ssl, &saved_session ) ) != 0 ) { printf( " failed\n ! ssl_set_session returned %d\n\n", ret ); goto exit; } if( ( ret = net_connect( &server_fd, opt.server_name, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned -0x%x\n\n", -ret ); goto exit; } while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); goto exit; } } printf( " ok\n" ); goto send_request; } exit: if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) ret = 0; #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; polarssl_strerror( ret, error_buf, 100 ); printf("Last error was: -0x%X - %s\n\n", -ret, error_buf ); } #endif if( server_fd ) net_close( server_fd ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_free( &clicert ); x509_crt_free( &cacert ); pk_free( &pkey ); #endif ssl_session_free( &saved_session ); ssl_free( &ssl ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); memset( &ssl, 0, sizeof( ssl ) ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif // Shell can not handle large exit numbers -> 1 for errors if( ret < 0 ) ret = 1; return( ret ); }
int main( int argc, char *argv[] ) { int ret; int listen_fd; int client_fd = -1; entropy_context entropy; x509_crt srvcert; pk_context pkey; #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) unsigned char alloc_buf[100000]; #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; #endif ((void) argc); ((void) argv); #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_init( &cache ); base_info.cache = &cache; #endif memset( threads, 0, sizeof(threads) ); polarssl_mutex_init( &debug_mutex ); /* * We use only a single entropy source that is used in all the threads. */ entropy_init( &entropy ); base_info.entropy = &entropy; /* * 1. Load the certificates and private RSA key */ polarssl_printf( "\n . Loading the server cert. and key..." ); fflush( stdout ); x509_crt_init( &srvcert ); /* * This demonstration program uses embedded test certificates. * Instead, you may want to use x509_crt_parse_file() to read the * server and CA certificates, as well as pk_parse_keyfile(). */ ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, strlen( test_srv_crt ) ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); goto exit; } ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, strlen( test_ca_list ) ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); goto exit; } pk_init( &pkey ); ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, strlen( test_srv_key ), NULL, 0 ); if( ret != 0 ) { polarssl_printf( " failed\n ! pk_parse_key returned %d\n\n", ret ); goto exit; } base_info.ca_chain = srvcert.next; base_info.server_cert = &srvcert; base_info.server_key = &pkey; polarssl_printf( " ok\n" ); /* * 2. Setup the listening TCP socket */ polarssl_printf( " . Bind on https://localhost:4433/ ..." ); fflush( stdout ); if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 ) { polarssl_printf( " failed\n ! net_bind returned %d\n\n", ret ); goto exit; } polarssl_printf( " ok\n" ); reset: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; polarssl_strerror( ret, error_buf, 100 ); polarssl_printf( " [ main ] Last error was: -0x%04x - %s\n", -ret, error_buf ); } #endif /* * 3. Wait until a client connects */ client_fd = -1; polarssl_printf( " [ main ] Waiting for a remote connection\n" ); if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 ) { polarssl_printf( " [ main ] failed: net_accept returned -0x%04x\n", ret ); goto exit; } polarssl_printf( " [ main ] ok\n" ); polarssl_printf( " [ main ] Creating a new thread\n" ); if( ( ret = thread_create( client_fd ) ) != 0 ) { polarssl_printf( " [ main ] failed: thread_create returned %d\n", ret ); net_close( client_fd ); goto reset; } ret = 0; goto reset; exit: x509_crt_free( &srvcert ); pk_free( &pkey ); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_free( &cache ); #endif entropy_free( &entropy ); polarssl_mutex_free( &debug_mutex ); #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) memory_buffer_alloc_free(); #endif #if defined(_WIN32) polarssl_printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int rand_bytes(uint8_t *output, int len) { #if defined(USE_CRYPTO_OPENSSL) return RAND_bytes(output, len); #elif defined(USE_CRYPTO_POLARSSL) static entropy_context ec = {0}; static ctr_drbg_context cd_ctx = {0}; static unsigned char rand_initialised = 0; const size_t blen = min(len, CTR_DRBG_MAX_REQUEST); if (!rand_initialised) { #ifdef _WIN32 HCRYPTPROV hProvider; union { unsigned __int64 seed; BYTE buffer[8]; } rand_buffer; hProvider = 0; if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, \ CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) { CryptGenRandom(hProvider, 8, rand_buffer.buffer); CryptReleaseContext(hProvider, 0); } else { rand_buffer.seed = (unsigned __int64) clock(); } #else FILE *urand; union { uint64_t seed; uint8_t buffer[8]; } rand_buffer; urand = fopen("/dev/urandom", "r"); if (urand) { fread(&rand_buffer.seed, sizeof(rand_buffer.seed), 1, urand); fclose(urand); } else { rand_buffer.seed = (uint64_t) clock(); } #endif entropy_init(&ec); if (ctr_drbg_init(&cd_ctx, entropy_func, &ec, (const unsigned char *) rand_buffer.buffer, 8) != 0) { #if POLARSSL_VERSION_NUMBER >= 0x01030000 entropy_free(&ec); #endif FATAL("Failed to initialize random generator"); } rand_initialised = 1; } #ifdef DEBUG int orig_len = len; uint8_t *orig_output = output; #endif while (len > 0) { if (ctr_drbg_random(&cd_ctx, output, blen) != 0) { return 0; } output += blen; len -= blen; } return 1; #endif }
/* * The actual entropy quality is hard to test, but we can at least * test that the functions don't cause errors and write the correct * amount of data to buffers. */ int entropy_self_test( int verbose ) { int ret = 0; entropy_context ctx; unsigned char buf[ENTROPY_BLOCK_SIZE] = { 0 }; unsigned char acc[ENTROPY_BLOCK_SIZE] = { 0 }; size_t i, j; if( verbose != 0 ) polarssl_printf( " ENTROPY test: " ); entropy_init( &ctx ); ret = entropy_add_source( &ctx, entropy_dummy_source, NULL, 16 ); if( ret != 0 ) goto cleanup; if( ( ret = entropy_gather( &ctx ) ) != 0 ) goto cleanup; if( ( ret = entropy_update_manual( &ctx, buf, sizeof buf ) ) != 0 ) goto cleanup; /* * To test that entropy_func writes correct number of bytes: * - use the whole buffer and rely on ASan to detect overruns * - collect entropy 8 times and OR the result in an accumulator: * any byte should then be 0 with probably 2^(-64), so requiring * each of the 32 or 64 bytes to be non-zero has a false failure rate * of at most 2^(-58) which is acceptable. */ for( i = 0; i < 8; i++ ) { if( ( ret = entropy_func( &ctx, buf, sizeof( buf ) ) ) != 0 ) goto cleanup; for( j = 0; j < sizeof( buf ); j++ ) acc[j] |= buf[j]; } for( j = 0; j < sizeof( buf ); j++ ) { if( acc[j] == 0 ) { ret = 1; goto cleanup; } } cleanup: entropy_free( &ctx ); if( verbose != 0 ) { if( ret != 0 ) polarssl_printf( "failed\n" ); else polarssl_printf( "passed\n" ); polarssl_printf( "\n" ); } return( ret != 0 ); }
int main( int argc, char *argv[] ) { int ret = 0, len, written, frags; int listen_fd; int client_fd = -1; unsigned char buf[1024]; #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[256]; size_t psk_len = 0; #endif const char *pers = "ssl_server2"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt cacert; x509_crt srvcert; pk_context pkey; x509_crt srvcert2; pk_context pkey2; int key_cert_init = 0, key_cert_init2 = 0; #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; #endif #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) unsigned char alloc_buf[100000]; #endif int i; char *p, *q; const int *list; #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); #endif /* * Make sure memory references are valid in case we exit early. */ listen_fd = 0; memset( &ssl, 0, sizeof( ssl_context ) ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_init( &cacert ); x509_crt_init( &srvcert ); pk_init( &pkey ); x509_crt_init( &srvcert2 ); pk_init( &pkey2 ); #endif #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_init( &cache ); #endif if( argc == 0 ) { usage: if( ret == 0 ) ret = 1; printf( USAGE ); list = ssl_list_ciphersuites(); while( *list ) { printf(" %-42s", ssl_get_ciphersuite_name( *list ) ); list++; if( !*list ) break; printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); list++; } printf("\n"); goto exit; } opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.crt_file2 = DFL_CRT_FILE2; opt.key_file2 = DFL_KEY_FILE2; opt.psk = DFL_PSK; opt.psk_identity = DFL_PSK_IDENTITY; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.min_version = DFL_MIN_VERSION; opt.max_version = DFL_MAX_VERSION; opt.auth_mode = DFL_AUTH_MODE; opt.mfl_code = DFL_MFL_CODE; opt.tickets = DFL_TICKETS; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "server_addr" ) == 0 ) opt.server_addr = q; else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) opt.ca_path = q; else if( strcmp( p, "crt_file" ) == 0 ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; else if( strcmp( p, "crt_file2" ) == 0 ) opt.crt_file2 = q; else if( strcmp( p, "key_file2" ) == 0 ) opt.key_file2 = q; else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; else if( strcmp( p, "psk_identity" ) == 0 ) opt.psk_identity = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = -1; opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); if( opt.force_ciphersuite[0] <= 0 ) { ret = 2; goto usage; } opt.force_ciphersuite[1] = 0; } else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED : SSL_RENEGOTIATION_DISABLED; } else if( strcmp( p, "allow_legacy" ) == 0 ) { opt.allow_legacy = atoi( q ); if( opt.allow_legacy < 0 || opt.allow_legacy > 1 ) goto usage; } else if( strcmp( p, "min_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "max_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "force_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_0; opt.max_version = SSL_MINOR_VERSION_0; } else if( strcmp( q, "tls1" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_1; opt.max_version = SSL_MINOR_VERSION_1; } else if( strcmp( q, "tls1_1" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_2; opt.max_version = SSL_MINOR_VERSION_2; } else if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_3; opt.max_version = SSL_MINOR_VERSION_3; } else goto usage; } else if( strcmp( p, "auth_mode" ) == 0 ) { if( strcmp( q, "none" ) == 0 ) opt.auth_mode = SSL_VERIFY_NONE; else if( strcmp( q, "optional" ) == 0 ) opt.auth_mode = SSL_VERIFY_OPTIONAL; else if( strcmp( q, "required" ) == 0 ) opt.auth_mode = SSL_VERIFY_REQUIRED; else goto usage; } else if( strcmp( p, "max_frag_len" ) == 0 ) { if( strcmp( q, "512" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_512; else if( strcmp( q, "1024" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_1024; else if( strcmp( q, "2048" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_2048; else if( strcmp( q, "4096" ) == 0 ) opt.mfl_code = SSL_MAX_FRAG_LEN_4096; else goto usage; } else if( strcmp( p, "tickets" ) == 0 ) { opt.tickets = atoi( q ); if( opt.tickets < 0 || opt.tickets > 1 ) goto usage; } else goto usage; } if( opt.force_ciphersuite[0] > 0 ) { const ssl_ciphersuite_t *ciphersuite_info; ciphersuite_info = ssl_ciphersuite_from_id( opt.force_ciphersuite[0] ); if( opt.max_version != -1 && ciphersuite_info->min_minor_ver > opt.max_version ) { printf("forced ciphersuite not allowed with this protocol version\n"); ret = 2; goto usage; } if( opt.min_version != -1 && ciphersuite_info->max_minor_ver < opt.min_version ) { printf("forced ciphersuite not allowed with this protocol version\n"); ret = 2; goto usage; } if( opt.max_version > ciphersuite_info->max_minor_ver ) opt.max_version = ciphersuite_info->max_minor_ver; if( opt.min_version < ciphersuite_info->min_minor_ver ) opt.min_version = ciphersuite_info->min_minor_ver; } #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) /* * Unhexify the pre-shared key if any is given */ if( strlen( opt.psk ) ) { unsigned char c; size_t j; if( strlen( opt.psk ) % 2 != 0 ) { printf("pre-shared key not valid hex\n"); goto exit; } psk_len = strlen( opt.psk ) / 2; for( j = 0; j < strlen( opt.psk ); j += 2 ) { c = opt.psk[j]; if( c >= '0' && c <= '9' ) c -= '0'; else if( c >= 'a' && c <= 'f' ) c -= 'a' - 10; else if( c >= 'A' && c <= 'F' ) c -= 'A' - 10; else { printf("pre-shared key not valid hex\n"); goto exit; } psk[ j / 2 ] = c << 4; c = opt.psk[j + 1]; if( c >= '0' && c <= '9' ) c -= '0'; else if( c >= 'a' && c <= 'f' ) c -= 'a' - 10; else if( c >= 'A' && c <= 'F' ) c -= 'A' - 10; else { printf("pre-shared key not valid hex\n"); goto exit; } psk[ j / 2 ] |= c; } } #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ /* * 0. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret ); goto exit; } printf( " ok\n" ); #if defined(POLARSSL_X509_CRT_PARSE_C) /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_path ) ) ret = x509_crt_parse_path( &cacert, opt.ca_path ); else if( strlen( opt.ca_file ) ) ret = x509_crt_parse_file( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, strlen( test_ca_list ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret < 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* * 1.2. Load own certificate and private key */ printf( " . Loading the server cert. and key..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) { key_cert_init++; if( ( ret = x509_crt_parse_file( &srvcert, opt.crt_file ) ) != 0 ) { printf( " failed\n ! x509_crt_parse_file returned -0x%x\n\n", -ret ); goto exit; } } if( strlen( opt.key_file ) ) { key_cert_init++; if( ( ret = pk_parse_keyfile( &pkey, opt.key_file, "" ) ) != 0 ) { printf( " failed\n ! pk_parse_keyfile returned -0x%x\n\n", -ret ); goto exit; } } if( key_cert_init == 1 ) { printf( " failed\n ! crt_file without key_file or vice-versa\n\n" ); goto exit; } if( strlen( opt.crt_file2 ) ) { key_cert_init2++; if( ( ret = x509_crt_parse_file( &srvcert2, opt.crt_file2 ) ) != 0 ) { printf( " failed\n ! x509_crt_parse_file(2) returned -0x%x\n\n", -ret ); goto exit; } } if( strlen( opt.key_file2 ) ) { key_cert_init2++; if( ( ret = pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 ) { printf( " failed\n ! pk_parse_keyfile(2) returned -0x%x\n\n", -ret ); goto exit; } } if( key_cert_init2 == 1 ) { printf( " failed\n ! crt_file2 without key_file2 or vice-versa\n\n" ); goto exit; } #endif if( key_cert_init == 0 && key_cert_init2 == 0 ) { #if !defined(POLARSSL_CERTS_C) printf( "Not certificated or key provided, and \n" "POLARSSL_CERTS_C not defined!\n" ); goto exit; #else #if defined(POLARSSL_RSA_C) if( ( ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt_rsa, strlen( test_srv_crt_rsa ) ) ) != 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } if( ( ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key_rsa, strlen( test_srv_key_rsa ), NULL, 0 ) ) != 0 ) { printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); goto exit; } key_cert_init = 2; #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) if( ( ret = x509_crt_parse( &srvcert2, (const unsigned char *) test_srv_crt_ec, strlen( test_srv_crt_ec ) ) ) != 0 ) { printf( " failed\n ! x509_crt_parse2 returned -0x%x\n\n", -ret ); goto exit; } if( ( ret = pk_parse_key( &pkey2, (const unsigned char *) test_srv_key_ec, strlen( test_srv_key_ec ), NULL, 0 ) ) != 0 ) { printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n", -ret ); goto exit; } key_cert_init2 = 2; #endif /* POLARSSL_ECDSA_C */ #endif /* POLARSSL_CERTS_C */ } printf( " ok\n" ); #endif /* POLARSSL_X509_CRT_PARSE_C */ /* * 2. Setup the listening TCP socket */ printf( " . Bind on tcp://localhost:%-4d/ ...", opt.server_port ); fflush( stdout ); if( ( ret = net_bind( &listen_fd, opt.server_addr, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_bind returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret ); goto exit; } ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) ssl_set_max_frag_len( &ssl, opt.mfl_code ); #endif ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); #if defined(POLARSSL_SSL_CACHE_C) ssl_set_session_cache( &ssl, ssl_cache_get, &cache, ssl_cache_set, &cache ); #endif #if defined(POLARSSL_SSL_SESSION_TICKETS) ssl_set_session_tickets( &ssl, opt.tickets ); #endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); #if defined(POLARSSL_X509_CRT_PARSE_C) ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); if( key_cert_init ) ssl_set_own_cert( &ssl, &srvcert, &pkey ); if( key_cert_init2 ) ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ); #endif #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) ssl_set_psk( &ssl, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ); #endif #if defined(POLARSSL_DHM_C) /* * Use different group than default DHM group */ ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P, POLARSSL_DHM_RFC5114_MODP_2048_G ); #endif if( opt.min_version != -1 ) ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != -1 ) ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); printf( " ok\n" ); reset: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; polarssl_strerror( ret, error_buf, 100 ); printf("Last error was: %d - %s\n\n", ret, error_buf ); } #endif if( client_fd != -1 ) net_close( client_fd ); ssl_session_reset( &ssl ); /* * 3. Wait until a client connects */ client_fd = -1; printf( " . Waiting for a remote connection ..." ); fflush( stdout ); if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 ) { printf( " failed\n ! net_accept returned -0x%x\n\n", -ret ); goto exit; } ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd ); printf( " ok\n" ); /* * 4. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); goto reset; } } printf( " ok\n [ Ciphersuite is %s ]\n", ssl_get_ciphersuite( &ssl ) ); #if defined(POLARSSL_X509_CRT_PARSE_C) /* * 5. Verify the server certificate */ printf( " . Verifying peer X.509 certificate..." ); if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); if( !ssl_get_peer_cert( &ssl ) ) printf( " ! no client certificate sent\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! client certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! client certificate has been revoked\n" ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); if( ssl_get_peer_cert( &ssl ) ) { printf( " . Peer certificate information ...\n" ); x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", ssl_get_peer_cert( &ssl ) ); printf( "%s\n", buf ); } #endif /* POLARSSL_X509_CRT_PARSE_C */ /* * 6. Read the HTTP Request */ printf( " < Read from client:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret <= 0 ) { switch( ret ) { case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf( " connection was closed gracefully\n" ); break; case POLARSSL_ERR_NET_CONN_RESET: printf( " connection was reset by peer\n" ); break; default: printf( " ssl_read returned -0x%x\n", -ret ); break; } break; } len = ret; printf( " %d bytes read\n\n%s\n", len, (char *) buf ); if( memcmp( buf, "SERVERQUIT", 10 ) == 0 ) { ret = 0; goto exit; } if( ret > 0 ) break; } while( 1 ); /* * 7. Write the 200 Response */ printf( " > Write to client:" ); fflush( stdout ); len = sprintf( (char *) buf, HTTP_RESPONSE, ssl_get_ciphersuite( &ssl ) ); for( written = 0, frags = 0; written < len; written += ret, frags++ ) { while( ( ret = ssl_write( &ssl, buf + written, len - written ) ) <= 0 ) { if( ret == POLARSSL_ERR_NET_CONN_RESET ) { printf( " failed\n ! peer closed the connection\n\n" ); goto reset; } if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } } } buf[written] = '\0'; printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf ); #ifdef TEST_RENEGO /* * Request renegotiation (this must be done when the client is still * waiting for input from our side). */ printf( " . Requestion renegotiation..." ); fflush( stdout ); while( ( ret = ssl_renegotiate( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret ); goto exit; } } /* * Should be a while loop, not an if, but here we're not actually * expecting data from the client, and since we're running tests locally, * we can just hope the handshake will finish the during the first call. */ if( ( ret = ssl_read( &ssl, buf, 0 ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_read returned %d\n\n", ret ); /* Unexpected message probably means client didn't renegotiate */ if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ) goto reset; else goto exit; } } printf( " ok\n" ); #endif ret = 0; goto reset; exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; polarssl_strerror( ret, error_buf, 100 ); printf("Last error was: -0x%X - %s\n\n", -ret, error_buf ); } #endif net_close( client_fd ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_free( &cacert ); x509_crt_free( &srvcert ); pk_free( &pkey ); x509_crt_free( &srvcert2 ); pk_free( &pkey2 ); #endif ssl_free( &ssl ); entropy_free( &entropy ); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_free( &cache ); #endif #if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C) #if defined(POLARSSL_MEMORY_DEBUG) memory_buffer_alloc_status(); #endif memory_buffer_alloc_free(); #endif #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif // Shell can not handle large exit numbers -> 1 for errors if( ret < 0 ) ret = 1; return( ret ); }
int main( int argc, char *argv[] ) { int ret = 0, server_fd; unsigned char buf[1024]; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_crt cacert; x509_crt clicert; pk_context pkey; int i, j; int flags, verify = 0; char *p, *q; const char *pers = "cert_app"; /* * Set to sane values */ server_fd = 0; x509_crt_init( &cacert ); x509_crt_init( &clicert ); pk_init( &pkey ); if( argc == 0 ) { usage: printf( USAGE ); goto exit; } opt.mode = DFL_MODE; opt.filename = DFL_FILENAME; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.server_name = DFL_SERVER_NAME; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.permissive = DFL_PERMISSIVE; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; for( j = 0; p + j < q; j++ ) { if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' ) argv[i][j] |= 0x20; } if( strcmp( p, "mode" ) == 0 ) { if( strcmp( q, "file" ) == 0 ) opt.mode = MODE_FILE; else if( strcmp( q, "ssl" ) == 0 ) opt.mode = MODE_SSL; else goto usage; } else if( strcmp( p, "filename" ) == 0 ) opt.filename = q; else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) opt.ca_path = q; else if( strcmp( p, "server_name" ) == 0 ) opt.server_name = q; else if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "permissive" ) == 0 ) { opt.permissive = atoi( q ); if( opt.permissive < 0 || opt.permissive > 1 ) goto usage; } else goto usage; } /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); if( strlen( opt.ca_path ) ) { ret = x509_crt_parse_path( &cacert, opt.ca_path ); verify = 1; } else if( strlen( opt.ca_file ) ) { ret = x509_crt_parse_file( &cacert, opt.ca_file ); verify = 1; } if( ret < 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); if( opt.mode == MODE_FILE ) { x509_crt crt; x509_crt *cur = &crt; x509_crt_init( &crt ); /* * 1.1. Load the certificate(s) */ printf( "\n . Loading the certificate(s) ..." ); fflush( stdout ); ret = x509_crt_parse_file( &crt, opt.filename ); if( ret < 0 ) { printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret ); x509_crt_free( &crt ); goto exit; } if( opt.permissive == 0 && ret > 0 ) { printf( " failed\n ! x509_crt_parse failed to parse %d certificates\n\n", ret ); x509_crt_free( &crt ); goto exit; } printf( " ok\n" ); /* * 1.2 Print the certificate(s) */ while( cur != NULL ) { printf( " . Peer certificate information ...\n" ); ret = x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", cur ); if( ret == -1 ) { printf( " failed\n ! x509_crt_info returned %d\n\n", ret ); x509_crt_free( &crt ); goto exit; } printf( "%s\n", buf ); cur = cur->next; } /* * 1.3 Verify the certificate */ if( verify ) { printf( " . Verifying X.509 certificate..." ); if( ( ret = x509_crt_verify( &crt, &cacert, NULL, NULL, &flags, my_verify, NULL ) ) != 0 ) { printf( " failed\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); } x509_crt_free( &crt ); } else if( opt.mode == MODE_SSL ) { /* * 1. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Start the connection */ printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name, opt.server_port ); fflush( stdout ); if( ( ret = net_connect( &server_fd, opt.server_name, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } /* * 3. Setup stuff */ if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); if( verify ) { ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED ); ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); ssl_set_verify( &ssl, my_verify, NULL ); } else ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); ssl_set_own_cert( &ssl, &clicert, &pkey ); #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) ssl_set_hostname( &ssl, opt.server_name ); #endif /* * 4. Handshake */ while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); ssl_free( &ssl ); goto exit; } } printf( " ok\n" ); /* * 5. Print the certificate */ printf( " . Peer certificate information ...\n" ); ret = x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.session->peer_cert ); if( ret == -1 ) { printf( " failed\n ! x509_crt_info returned %d\n\n", ret ); ssl_free( &ssl ); goto exit; } printf( "%s\n", buf ); ssl_close_notify( &ssl ); ssl_free( &ssl ); } else goto usage; exit: if( server_fd ) net_close( server_fd ); x509_crt_free( &cacert ); x509_crt_free( &clicert ); pk_free( &pkey ); entropy_free( &entropy ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret; ecdsa_context ctx_sign, ctx_verify; entropy_context entropy; ctr_drbg_context ctr_drbg; unsigned char hash[] = "This should be the hash of a message."; unsigned char sig[512]; size_t sig_len; const char *pers = "ecdsa"; ((void) argv); ecdsa_init( &ctx_sign ); ecdsa_init( &ctx_verify ); memset(sig, 0, sizeof( sig ) ); ret = 1; if( argc != 1 ) { polarssl_printf( "usage: ecdsa\n" ); #if defined(_WIN32) polarssl_printf( "\n" ); #endif goto exit; } /* * Generate a key pair for signing */ polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } polarssl_printf( " ok\n . Generating key pair..." ); fflush( stdout ); if( ( ret = ecdsa_genkey( &ctx_sign, ECPARAMS, ctr_drbg_random, &ctr_drbg ) ) != 0 ) { polarssl_printf( " failed\n ! ecdsa_genkey returned %d\n", ret ); goto exit; } polarssl_printf( " ok (key size: %d bits)\n", (int) ctx_sign.grp.pbits ); dump_pubkey( " + Public key: ", &ctx_sign ); /* * Sign some message hash */ polarssl_printf( " . Signing message..." ); fflush( stdout ); if( ( ret = ecdsa_write_signature( &ctx_sign, hash, sizeof( hash ), sig, &sig_len, ctr_drbg_random, &ctr_drbg ) ) != 0 ) { polarssl_printf( " failed\n ! ecdsa_genkey returned %d\n", ret ); goto exit; } polarssl_printf( " ok (signature length = %u)\n", (unsigned int) sig_len ); dump_buf( " + Hash: ", hash, sizeof hash ); dump_buf( " + Signature: ", sig, sig_len ); /* * Signature is serialized as defined by RFC 4492 p. 20, * but one can also access 'r' and 's' directly from the context */ #ifdef POLARSSL_FS_IO mpi_write_file( " r = ", &ctx_sign.r, 16, NULL ); mpi_write_file( " s = ", &ctx_sign.s, 16, NULL ); #endif /* * Transfer public information to verifying context * * We could use the same context for verification and signatures, but we * chose to use a new one in order to make it clear that the verifying * context only needs the public key (Q), and not the private key (d). */ polarssl_printf( " . Preparing verification context..." ); fflush( stdout ); if( ( ret = ecp_group_copy( &ctx_verify.grp, &ctx_sign.grp ) ) != 0 ) { polarssl_printf( " failed\n ! ecp_group_copy returned %d\n", ret ); goto exit; } if( ( ret = ecp_copy( &ctx_verify.Q, &ctx_sign.Q ) ) != 0 ) { polarssl_printf( " failed\n ! ecp_copy returned %d\n", ret ); goto exit; } ret = 0; /* * Verify signature */ polarssl_printf( " ok\n . Verifying signature..." ); fflush( stdout ); if( ( ret = ecdsa_read_signature( &ctx_verify, hash, sizeof( hash ), sig, sig_len ) ) != 0 ) { polarssl_printf( " failed\n ! ecdsa_read_signature returned %d\n", ret ); goto exit; } polarssl_printf( " ok\n" ); exit: #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif ecdsa_free( &ctx_verify ); ecdsa_free( &ctx_sign ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); return( ret ); }
bool CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) { SIOCtlVBuffer CommandBuffer(_CommandAddress); u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0; u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0; u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0; u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0; if (CommandBuffer.InBuffer.size() > 0) { _BufferIn = CommandBuffer.InBuffer.at(0).m_Address; BufferInSize = CommandBuffer.InBuffer.at(0).m_Size; } if (CommandBuffer.InBuffer.size() > 1) { _BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address; BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size; } if (CommandBuffer.InBuffer.size() > 2) { _BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address; BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 0) { BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address; BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 1) { BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address; BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 2) { BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address; BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size; } switch (CommandBuffer.Parameter) { case IOCTLV_NET_SSL_NEW: { int verifyOption = Memory::Read_U32(BufferOut); const char * hostname = (const char*) Memory::GetPointer(BufferOut2); int freeSSL = this->getSSLFreeID(); if (freeSSL) { int sslID = freeSSL - 1; int ret = ssl_init(&_SSL[sslID].ctx); if (ret) { // Cleanup possibly dirty ctx memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context)); goto _SSL_NEW_ERROR; } entropy_init(&_SSL[sslID].entropy); const char* pers = "dolphin-emu"; ret = ctr_drbg_init(&_SSL[sslID].ctr_drbg, entropy_func, &_SSL[sslID].entropy, (const unsigned char*)pers, strlen(pers)); if (ret) { ssl_free(&_SSL[sslID].ctx); // Cleanup possibly dirty ctx memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context)); entropy_free(&_SSL[sslID].entropy); goto _SSL_NEW_ERROR; } ssl_set_rng(&_SSL[sslID].ctx, ctr_drbg_random, &_SSL[sslID].ctr_drbg); // For some reason we can't use TLSv1.2, v1.1 and below are fine! ssl_set_max_version(&_SSL[sslID].ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2); ssl_set_session(&_SSL[sslID].ctx, &_SSL[sslID].session); ssl_set_endpoint(&_SSL[sslID].ctx, SSL_IS_CLIENT); ssl_set_authmode(&_SSL[sslID].ctx, SSL_VERIFY_NONE); ssl_set_renegotiation(&_SSL[sslID].ctx, SSL_RENEGOTIATION_ENABLED); memcpy(_SSL[sslID].hostname, hostname, min((int)BufferOutSize2, NET_SSL_MAX_HOSTNAME_LEN)); _SSL[sslID].hostname[NET_SSL_MAX_HOSTNAME_LEN-1] = '\0'; ssl_set_hostname(&_SSL[sslID].ctx, _SSL[sslID].hostname); _SSL[sslID].active = true; Memory::Write_U32(freeSSL, _BufferIn); } else { _SSL_NEW_ERROR: Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", verifyOption, hostname, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SHUTDOWN: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { ssl_close_notify(&_SSL[sslID].ctx); ssl_session_free(&_SSL[sslID].session); ssl_free(&_SSL[sslID].ctx); entropy_free(&_SSL[sslID].entropy); x509_crt_free(&_SSL[sslID].cacert); x509_crt_free(&_SSL[sslID].clicert); memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context)); memset(&_SSL[sslID].session, 0, sizeof(ssl_session)); memset(&_SSL[sslID].entropy, 0, sizeof(entropy_context)); memset(_SSL[sslID].hostname, 0, NET_SSL_MAX_HOSTNAME_LEN); _SSL[sslID].active = false; Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCA: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { int ret = x509_crt_parse_der( &_SSL[sslID].cacert, Memory::GetPointer(BufferOut2), BufferOutSize2); if (ret) { Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&_SSL[sslID].ctx, &_SSL[sslID].cacert, NULL, _SSL[sslID].hostname); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { std::string cert_base_path(File::GetUserPath(D_WIIUSER_IDX)); int ret = x509_crt_parse_file(&_SSL[sslID].clicert, (cert_base_path + "clientca.pem").c_str()); int pk_ret = pk_parse_keyfile(&_SSL[sslID].pk, (cert_base_path + "clientcakey.pem").c_str(), NULL); if (ret || pk_ret) { x509_crt_free(&_SSL[sslID].clicert); pk_free(&_SSL[sslID].pk); memset(&_SSL[sslID].clicert, 0, sizeof(x509_crt)); memset(&_SSL[sslID].pk, 0, sizeof(pk_context)); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_own_cert(&_SSL[sslID].ctx, &_SSL[sslID].clicert, &_SSL[sslID].pk); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_REMOVECLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { x509_crt_free(&_SSL[sslID].clicert); pk_free(&_SSL[sslID].pk); memset(&_SSL[sslID].clicert, 0, sizeof(x509_crt)); memset(&_SSL[sslID].pk, 0, sizeof(pk_context)); ssl_set_own_cert(&_SSL[sslID].ctx, NULL, NULL); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_SETBUILTINROOTCA: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { std::string cert_base_path(File::GetUserPath(D_WIIUSER_IDX)); int ret = x509_crt_parse_file(&_SSL[sslID].cacert, (cert_base_path + "rootca.pem").c_str()); if (ret) { x509_crt_free(&_SSL[sslID].clicert); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&_SSL[sslID].ctx, &_SSL[sslID].cacert, NULL, _SSL[sslID].hostname); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_CONNECT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { _SSL[sslID].sockfd = Memory::Read_U32(BufferOut2); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", _SSL[sslID].sockfd); ssl_set_bio(&_SSL[sslID].ctx, net_recv, &_SSL[sslID].sockfd, net_send, &_SSL[sslID].sockfd); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_DOHANDSHAKE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::getInstance(); sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE); return false; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_WRITE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::getInstance(); sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE); return false; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); INFO_LOG(WII_IPC_SSL, "%s", Memory::GetPointer(BufferOut2)); break; } case IOCTLV_NET_SSL_READ: { int ret = 0; int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::getInstance(); sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ); return false; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)" "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", ret, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCADEFAULT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } default: ERROR_LOG(WII_IPC_SSL, "%i " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", CommandBuffer.Parameter, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } // SSL return codes are written to BufferIn Memory::Write_U32(0, _CommandAddress+4); return true; }
int main( int argc, char *argv[] ) { int ret, len, server_fd = -1; unsigned char buf[1024]; const char *pers = "dtls_client"; int retry_left = MAX_RETRY; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_crt cacert; ((void) argc); ((void) argv); #if defined(POLARSSL_DEBUG_C) debug_set_threshold( DEBUG_LEVEL ); #endif /* * 0. Initialize the RNG and the session data */ memset( &ssl, 0, sizeof( ssl_context ) ); x509_crt_init( &cacert ); printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n" ); /* * 0. Initialize certificates */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, strlen( test_ca_list ) ); #else ret = 1; printf("POLARSSL_CERTS_C not defined."); #endif if( ret < 0 ) { printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* * 1. Start the connection */ printf( " . Connecting to udp/%s/%4d...", SERVER_NAME, SERVER_PORT ); fflush( stdout ); if( ( ret = net_connect( &server_fd, SERVER_ADDR, SERVER_PORT, NET_PROTO_UDP ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Setup stuff */ printf( " . Setting up the DTLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_transport( &ssl, SSL_TRANSPORT_DATAGRAM ); /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, net_recv_timeout, READ_TIMEOUT_MS ); /* * 4. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); do ret = ssl_handshake( &ssl ); while( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ); if( ret != 0 ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 5. Verify the server certificate */ printf( " . Verifying peer X.509 certificate..." ); /* In real life, we would have used SSL_VERIFY_REQUIRED so that the * handshake would not succeed if the peer's cert is bad. Even if we used * SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */ if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); /* * 6. Write the echo request */ send_request: printf( " > Write to server:" ); fflush( stdout ); len = sizeof( MESSAGE ) - 1; do ret = ssl_write( &ssl, (unsigned char *) MESSAGE, len ); while( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ); if( ret < 0 ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } len = ret; printf( " %d bytes written\n\n%s\n\n", len, MESSAGE ); /* * 7. Read the echo response */ printf( " < Read from server:" ); fflush( stdout ); len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); do ret = ssl_read( &ssl, buf, len ); while( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ); if( ret <= 0 ) { switch( ret ) { case POLARSSL_ERR_NET_TIMEOUT: printf( " timeout\n\n" ); if( retry_left-- > 0 ) goto send_request; goto exit; case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf( " connection was closed gracefully\n" ); ret = 0; goto close_notify; default: printf( " ssl_read returned -0x%x\n\n", -ret ); goto exit; } } len = ret; printf( " %d bytes read\n\n%s\n\n", len, buf ); /* * 8. Done, cleanly close the connection */ close_notify: printf( " . Closing the connection..." ); /* No error checking, the connection might be closed already */ do ret = ssl_close_notify( &ssl ); while( ret == POLARSSL_ERR_NET_WANT_WRITE ); ret = 0; printf( " done\n" ); /* * 9. Final clean-ups and exit */ exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; polarssl_strerror( ret, error_buf, 100 ); printf( "Last error was: %d - %s\n\n", ret, error_buf ); } #endif if( server_fd != -1 ) net_close( server_fd ); x509_crt_free( &cacert ); ssl_free( &ssl ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif /* Shell can not handle large exit numbers -> 1 for errors */ if( ret < 0 ) ret = 1; return( ret ); }
int main( void ) { int ret = exit_ok; int server_fd = -1; struct sockaddr_in addr; #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt ca; #endif entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; /* * 0. Initialize and setup stuff */ memset( &ssl, 0, sizeof( ssl_context ) ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_init( &ca ); #endif entropy_init( &entropy ); if( ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) != 0 ) { ret = ssl_init_failed; goto exit; } if( ssl_init( &ssl ) != 0 ) { ret = ssl_init_failed; goto exit; } ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) ssl_set_psk( &ssl, psk, sizeof( psk ), (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); #endif #if defined(POLARSSL_X509_CRT_PARSE_C) if( x509_crt_parse_der( &ca, ca_cert, sizeof( ca_cert ) ) != 0 ) { ret = x509_crt_parse_failed; goto exit; } ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME ); ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED ); #endif /* * 1. Start the connection */ memset( &addr, 0, sizeof( addr ) ); addr.sin_family = AF_INET; ret = 1; /* for endianness detection */ addr.sin_port = *((char *) &ret) == ret ? PORT_LE : PORT_BE; addr.sin_addr.s_addr = *((char *) &ret) == ret ? ADDR_LE : ADDR_BE; ret = 0; if( ( server_fd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { ret = socket_failed; goto exit; } if( connect( server_fd, (const struct sockaddr *) &addr, sizeof( addr ) ) < 0 ) { ret = connect_failed; goto exit; } ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); if( ssl_handshake( &ssl ) != 0 ) { ret = ssl_handshake_failed; goto exit; } /* * 2. Write the GET request and close the connection */ if( ssl_write( &ssl, (const unsigned char *) GET_REQUEST, sizeof( GET_REQUEST ) - 1 ) <= 0 ) { ret = ssl_write_failed; goto exit; } ssl_close_notify( &ssl ); exit: if( server_fd != -1 ) net_close( server_fd ); ssl_free( &ssl ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_free( &ca ); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret; rainbow_context rb; pk_context ctx; entropy_context entropy; ctr_drbg_context ctr_drbg; FILE *fpub = NULL; FILE *fpriv = NULL; const char *pers = "rb_genkey"; unsigned char large_buffer[256000]; ctx.pk_info = &rainbow_info; ctx.pk_ctx = &rb; ((void) argc); ((void) argv); printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n . Generating the TTS key [ %d-bit ]...", TTS_PUBKEY_SIZE_BYTE * 8 ); fflush( stdout ); if( ( ret = rb_genkey( (uint8_t *) &rb.pk, (uint8_t *) &rb.sk, &myrand, NULL ) ) != 0 ) { printf( " failed\n ! rb_genkey returned %d\n\n", ret ); goto exit; } printf( " ok\n . Exporting the public key in ./self-signed/rb-pub.pem...." ); fflush( stdout ); if( ( fpub = fopen( "./self-signed/rb-pub.pem", "wb+" ) ) == NULL ) { printf( " failed\n ! could not open ./self-signed/rb-pub.pem for writing\n\n" ); ret = 1; goto exit; } pk_write_pubkey_pem( &ctx, large_buffer, 256000 ); fwrite( large_buffer, 1, 256000, fpub ); printf( " ok\n . Exporting the private key in ./self-signed/rb-prv.pem..." ); fflush( stdout ); if( ( fpriv = fopen( "./self-signed/rb-prv.pem", "wb+" ) ) == NULL ) { printf( " failed\n ! could not open ./self-signed/rb-prv.pem for writing\n" ); ret = 1; goto exit; } pk_write_key_pem( &ctx, large_buffer, 256000 ); fwrite( large_buffer, 1, 256000, fpriv ); printf( " ok\n\n" ); exit: if( fpub != NULL ) fclose( fpub ); if( fpriv != NULL ) fclose( fpriv ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(_WIN32) printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret = 0; pk_context key; char buf[1024]; int i; char *p, *q; entropy_context entropy; ctr_drbg_context ctr_drbg; const char *pers = "gen_key"; #if defined(POLARSSL_ECP_C) const ecp_curve_info *curve_info; #endif /* * Set to sane values */ pk_init( &key ); memset( buf, 0, sizeof( buf ) ); if( argc == 0 ) { usage: ret = 1; printf( USAGE ); #if defined(POLARSSL_ECP_C) printf( " availabled ec_curve values:\n" ); curve_info = ecp_curve_list(); printf( " %s (default)\n", curve_info->name ); while( ( ++curve_info )->name != NULL ) printf( " %s\n", curve_info->name ); #endif goto exit; } opt.type = DFL_TYPE; opt.rsa_keysize = DFL_RSA_KEYSIZE; opt.ec_curve = DFL_EC_CURVE; opt.filename = DFL_FILENAME; opt.format = DFL_FORMAT; opt.use_dev_random = DFL_USE_DEV_RANDOM; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "type" ) == 0 ) { if( strcmp( q, "rsa" ) == 0 ) opt.type = POLARSSL_PK_RSA; else if( strcmp( q, "ec" ) == 0 ) opt.type = POLARSSL_PK_ECKEY; else goto usage; } else if( strcmp( p, "format" ) == 0 ) { if( strcmp( q, "pem" ) == 0 ) opt.format = FORMAT_PEM; else if( strcmp( q, "der" ) == 0 ) opt.format = FORMAT_DER; else goto usage; } else if( strcmp( p, "rsa_keysize" ) == 0 ) { opt.rsa_keysize = atoi( q ); if( opt.rsa_keysize < 1024 || opt.rsa_keysize > 8192 ) goto usage; } else if( strcmp( p, "ec_curve" ) == 0 ) { if( ( curve_info = ecp_curve_info_from_name( q ) ) == NULL ) goto usage; opt.ec_curve = curve_info->grp_id; } else if( strcmp( p, "filename" ) == 0 ) opt.filename = q; else if( strcmp( p, "use_dev_random" ) == 0 ) { opt.use_dev_random = atoi( q ); if( opt.use_dev_random < 0 || opt.use_dev_random > 1 ) goto usage; } else goto usage; } printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); #if !defined(_WIN32) && defined(POLARSSL_FS_IO) if( opt.use_dev_random ) { if( ( ret = entropy_add_source( &entropy, dev_random_entropy_poll, NULL, DEV_RANDOM_THRESHOLD ) ) != 0 ) { printf( " failed\n ! entropy_add_source returned -0x%04x\n", -ret ); goto exit; } printf("\n Using /dev/random, so can take a long time! " ); fflush( stdout ); } #endif /* !_WIN32 && POLARSSL_FS_IO */ if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned -0x%04x\n", -ret ); goto exit; } /* * 1.1. Generate the key */ printf( "\n . Generating the private key ..." ); fflush( stdout ); if( ( ret = pk_init_ctx( &key, pk_info_from_type( opt.type ) ) ) != 0 ) { printf( " failed\n ! pk_init_ctx returned -0x%04x", -ret ); goto exit; } #if defined(POLARSSL_RSA_C) && defined(POLARSSL_GENPRIME) if( opt.type == POLARSSL_PK_RSA ) { ret = rsa_gen_key( pk_rsa( key ), ctr_drbg_random, &ctr_drbg, opt.rsa_keysize, 65537 ); if( ret != 0 ) { printf( " failed\n ! rsa_gen_key returned -0x%04x", -ret ); goto exit; } } else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECP_C) if( opt.type == POLARSSL_PK_ECKEY ) { ret = ecp_gen_key( opt.ec_curve, pk_ec( key ), ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { printf( " failed\n ! rsa_gen_key returned -0x%04x", -ret ); goto exit; } } else #endif /* POLARSSL_ECP_C */ { printf( " failed\n ! key type not supported\n" ); goto exit; } /* * 1.2 Print the key */ printf( " ok\n . Key information:\n" ); #if defined(POLARSSL_RSA_C) if( pk_get_type( &key ) == POLARSSL_PK_RSA ) { rsa_context *rsa = pk_rsa( key ); mpi_write_file( "N: ", &rsa->N, 16, NULL ); mpi_write_file( "E: ", &rsa->E, 16, NULL ); mpi_write_file( "D: ", &rsa->D, 16, NULL ); mpi_write_file( "P: ", &rsa->P, 16, NULL ); mpi_write_file( "Q: ", &rsa->Q, 16, NULL ); mpi_write_file( "DP: ", &rsa->DP, 16, NULL ); mpi_write_file( "DQ: ", &rsa->DQ, 16, NULL ); mpi_write_file( "QP: ", &rsa->QP, 16, NULL ); } else #endif #if defined(POLARSSL_ECP_C) if( pk_get_type( &key ) == POLARSSL_PK_ECKEY ) { ecp_keypair *ecp = pk_ec( key ); printf( "curve: %s\n", ecp_curve_info_from_grp_id( ecp->grp.id )->name ); mpi_write_file( "X_Q: ", &ecp->Q.X, 16, NULL ); mpi_write_file( "Y_Q: ", &ecp->Q.Y, 16, NULL ); mpi_write_file( "D: ", &ecp->d , 16, NULL ); } else #endif printf(" ! key type not supported\n"); write_private_key( &key, opt.filename ); exit: if( ret != 0 && ret != 1) { #ifdef POLARSSL_ERROR_C polarssl_strerror( ret, buf, sizeof( buf ) ); printf( " - %s\n", buf ); #else printf("\n"); #endif } pk_free( &key ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { FILE *f; int ret = 1; pk_context pk; entropy_context entropy; ctr_drbg_context ctr_drbg; unsigned char hash[20]; unsigned char buf[POLARSSL_MPI_MAX_SIZE]; char filename[512]; const char *pers = "pk_sign"; size_t olen = 0; entropy_init( &entropy ); pk_init( &pk ); if( argc != 3 ) { polarssl_printf( "usage: pk_sign <key_file> <filename>\n" ); #if defined(_WIN32) polarssl_printf( "\n" ); #endif goto exit; } polarssl_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { polarssl_printf( " failed\n ! ctr_drbg_init returned -0x%04x\n", -ret ); goto exit; } polarssl_printf( "\n . Reading private key from '%s'", argv[1] ); fflush( stdout ); if( ( ret = pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 ) { ret = 1; polarssl_printf( " failed\n ! Could not open '%s'\n", argv[1] ); goto exit; } /* * Compute the SHA-1 hash of the input file, * then calculate the signature of the hash. */ polarssl_printf( "\n . Generating the SHA-1 signature" ); fflush( stdout ); if( ( ret = sha1_file( argv[2], hash ) ) != 0 ) { polarssl_printf( " failed\n ! Could not open or read %s\n\n", argv[2] ); goto exit; } if( ( ret = pk_sign( &pk, POLARSSL_MD_SHA1, hash, 0, buf, &olen, ctr_drbg_random, &ctr_drbg ) ) != 0 ) { polarssl_printf( " failed\n ! pk_sign returned -0x%04x\n", -ret ); goto exit; } /* * Write the signature into <filename>-sig.txt */ snprintf( filename, sizeof(filename), "%s.sig", argv[2] ); if( ( f = fopen( filename, "wb+" ) ) == NULL ) { ret = 1; polarssl_printf( " failed\n ! Could not create %s\n\n", filename ); goto exit; } if( fwrite( buf, 1, olen, f ) != olen ) { polarssl_printf( "failed\n ! fwrite failed\n\n" ); goto exit; } fclose( f ); polarssl_printf( "\n . Done (created \"%s\")\n\n", filename ); exit: pk_free( &pk ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(POLARSSL_ERROR_C) polarssl_strerror( ret, (char *) buf, sizeof(buf) ); polarssl_printf( " ! Last error was: %s\n", buf ); #endif #if defined(_WIN32) polarssl_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { FILE *f; int ret, c; size_t i, olen = 0; pk_context pk; entropy_context entropy; ctr_drbg_context ctr_drbg; unsigned char result[1024]; unsigned char buf[512]; const char *pers = "pk_decrypt"; ((void) argv); memset(result, 0, sizeof( result ) ); ret = 1; if( argc != 2 ) { printf( "usage: pk_decrypt <key_file>\n" ); #if defined(_WIN32) printf( "\n" ); #endif goto exit; } printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( "\n . Reading private key from '%s'", argv[1] ); fflush( stdout ); pk_init( &pk ); if( ( ret = pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 ) { printf( " failed\n ! pk_parse_keyfile returned -0x%04x\n", -ret ); goto exit; } /* * Extract the RSA encrypted value from the text file */ ret = 1; if( ( f = fopen( "result-enc.txt", "rb" ) ) == NULL ) { printf( "\n ! Could not open %s\n\n", "result-enc.txt" ); goto exit; } i = 0; while( fscanf( f, "%02X", &c ) > 0 && i < (int) sizeof( buf ) ) buf[i++] = (unsigned char) c; fclose( f ); /* * Decrypt the encrypted RSA data and print the result. */ printf( "\n . Decrypting the encrypted data" ); fflush( stdout ); if( ( ret = pk_decrypt( &pk, buf, i, result, &olen, sizeof(result), ctr_drbg_random, &ctr_drbg ) ) != 0 ) { printf( " failed\n ! pk_decrypt returned -0x%04x\n", -ret ); goto exit; } printf( "\n . OK\n\n" ); printf( "The decrypted result is: '%s'\n\n", result ); ret = 0; exit: entropy_free( &entropy ); #if defined(POLARSSL_ERROR_C) polarssl_strerror( ret, (char *) buf, sizeof(buf) ); printf( " ! Last error was: %s\n", buf ); #endif #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int rand_bytes(uint8_t *output, int len) { #if defined(USE_CRYPTO_OPENSSL) return RAND_bytes(output, len); #elif defined(USE_CRYPTO_POLARSSL) static entropy_context ec = {}; static ctr_drbg_context cd_ctx = {}; static unsigned char rand_initialised = 0; const size_t blen = min(len, CTR_DRBG_MAX_REQUEST); if (!rand_initialised) { #ifdef _WIN32 HCRYPTPROV hProvider; union { unsigned __int64 seed; BYTE buffer[8]; } rand_buffer; hProvider = 0; if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, \ CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) { CryptGenRandom(hProvider, 8, rand_buffer.buffer); CryptReleaseContext(hProvider, 0); } else { rand_buffer.seed = (unsigned __int64)clock(); } #else FILE *urand; union { uint64_t seed; uint8_t buffer[8]; } rand_buffer; urand = fopen("/dev/urandom", "r"); if (urand) { int read = fread(&rand_buffer.seed, sizeof(rand_buffer.seed), 1, urand); fclose(urand); if (read <= 0) { rand_buffer.seed = (uint64_t)clock(); } } else { rand_buffer.seed = (uint64_t)clock(); } #endif entropy_init(&ec); if (ctr_drbg_init(&cd_ctx, entropy_func, &ec, (const unsigned char *)rand_buffer.buffer, 8) != 0) { #if POLARSSL_VERSION_NUMBER >= 0x01030000 entropy_free(&ec); #endif FATAL("Failed to initialize random generator"); } rand_initialised = 1; } while (len > 0) { if (ctr_drbg_random(&cd_ctx, output, blen) != 0) { return 0; } output += blen; len -= blen; } return 1; #elif defined(USE_CRYPTO_MBEDTLS) static mbedtls_entropy_context ec = {}; // XXX: ctr_drbg_context changed, [if defined(MBEDTLS_THREADING_C) mbedtls_threading_mutex_t mutex;] static mbedtls_ctr_drbg_context cd_ctx = {}; static unsigned char rand_initialised = 0; const size_t blen = min(len, MBEDTLS_CTR_DRBG_MAX_REQUEST); if (!rand_initialised) { #ifdef _WIN32 HCRYPTPROV hProvider; union { unsigned __int64 seed; BYTE buffer[8]; } rand_buffer; hProvider = 0; if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, \ CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) { CryptGenRandom(hProvider, 8, rand_buffer.buffer); CryptReleaseContext(hProvider, 0); } else { rand_buffer.seed = (unsigned __int64)clock(); } #else FILE *urand; union { uint64_t seed; uint8_t buffer[8]; } rand_buffer; urand = fopen("/dev/urandom", "r"); if (urand) { int read = fread(&rand_buffer.seed, sizeof(rand_buffer.seed), 1, urand); fclose(urand); if (read <= 0) { rand_buffer.seed = (uint64_t)clock(); } } else { rand_buffer.seed = (uint64_t)clock(); } #endif mbedtls_entropy_init(&ec); // XXX: ctr_drbg_init changed, seems we should initialize it before calling mbedtls_ctr_drbg_seed() mbedtls_ctr_drbg_init(&cd_ctx); if (mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, (const unsigned char *)rand_buffer.buffer, 8) != 0) { mbedtls_entropy_free(&ec); FATAL("mbed TLS: Failed to initialize random generator"); } rand_initialised = 1; } while (len > 0) { if (mbedtls_ctr_drbg_random(&cd_ctx, output, blen) != 0) { return 0; } output += blen; len -= blen; } return 1; #endif }
char *mlsc_network_request(char *request, int debug_level) { int ret, len, server_fd = -1; char tmpbuf[BUFFER_SIZE]; char *buf = malloc(BUFFER_SIZE); const char *pers = "ssl_client1"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_crt cacert; #if defined(POLARSSL_DEBUG_C) if (debug_level) debug_set_threshold(1); #endif /* * 0. Initialize the RNG and the session data */ memset(&ssl, 0, sizeof(ssl_context)); x509_crt_init(&cacert); if (debug_level) fprintf(stderr, "\n . Seeding the random number generator..."); entropy_init(&entropy); if ((ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen(pers))) != 0) { if (debug_level) fprintf(stderr, " failed\n ! ctr_drbg_init returned %d\n", ret); goto exit; } if (debug_level) fprintf(stderr, " ok\n"); /* * 0. Initialize certificates */ if (debug_level) fprintf(stderr, " . Loading the CA root certificate ..."); fflush(stdout); #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse(&cacert, (const unsigned char *) test_ca_list, strlen(test_ca_list)); #else ret = 1; if (debug_level) fprintf(stderr, "POLARSSL_CERTS_C not defined."); #endif if (ret < 0) { if (debug_level) fprintf(stderr, " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret); goto exit; } if (debug_level) fprintf(stderr, " ok (%d skipped)\n", ret); /* * 1. Start the connection */ if (debug_level) fprintf(stderr, " . Connecting to tcp/%s/%4d...", SERVER_NAME, SERVER_PORT); if ((ret = net_connect(&server_fd, SERVER_NAME, SERVER_PORT)) != 0) { if (debug_level) fprintf(stderr, " failed\n ! net_connect returned %d\n\n", ret); goto exit; } if (debug_level) fprintf(stderr, " ok\n"); /* * 2. Setup stuff */ if (debug_level) fprintf(stderr, " . Setting up the SSL/TLS structure..."); if ((ret = ssl_init(&ssl)) != 0) { if (debug_level) fprintf(stderr, " failed\n ! ssl_init returned %d\n\n", ret); goto exit; } if (debug_level) fprintf(stderr, " ok\n"); ssl_set_endpoint(&ssl, SSL_IS_CLIENT); /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL); ssl_set_ca_chain(&ssl, &cacert, NULL, SERVER_NAME); ssl_set_rng(&ssl, ctr_drbg_random, &ctr_drbg); ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd); /* * 4. Handshake */ if (debug_level) fprintf(stderr, " . Performing the SSL/TLS handshake..."); while ((ret = ssl_handshake(&ssl)) != 0) { if (ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE) { fprintf(stderr, " failed\n ! ssl_handshake returned -0x%x\n\n", -ret); goto exit; } } if (debug_level) fprintf(stderr, " ok\n"); /* * 5. Verify the server certificate */ if (debug_level) fprintf(stderr, " . Verifying peer X.509 certificate..."); /* In real life, we may want to bail out when ret != 0 */ if ((ret = ssl_get_verify_result(&ssl)) != 0) { if (debug_level) fprintf(stderr, " failed\n"); if ((ret & BADCERT_EXPIRED) != 0 && debug_level) fprintf(stderr, " ! server certificate has expired\n"); if ((ret & BADCERT_REVOKED) != 0 && debug_level) fprintf(stderr, " ! server certificate has been revoked\n"); if ((ret & BADCERT_CN_MISMATCH) != 0 && debug_level) fprintf(stderr, " ! CN mismatch (expected CN=%s)\n", SERVER_NAME); if ((ret & BADCERT_NOT_TRUSTED) != 0 && debug_level) fprintf(stderr, " ! self-signed or not signed by a trusted CA\n"); if (debug_level) fprintf(stderr, "\n"); } else if (debug_level) fprintf(stderr, " ok\n"); /* * 3. Write the GET request */ if (debug_level) fprintf(stderr, " > Write to server:"); len = sprintf((char *) tmpbuf, POST_REQUEST, strlen(request), request); while ((ret = ssl_write(&ssl, tmpbuf, len)) <= 0) { if (ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE) { if (debug_level) fprintf(stderr, " failed\n ! ssl_write returned %d\n\n", ret); goto exit; } } len = ret; if (debug_level) fprintf(stderr, " %d bytes written\n\n%s", len, (char *) tmpbuf); /* * 7. Read the HTTP response */ if (debug_level) fprintf(stderr, " < Read from server:"); do { len = BUFFER_SIZE - 1; memset(tmpbuf, 0, BUFFER_SIZE); ret = ssl_read(&ssl, tmpbuf, len); if (ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE) continue; if (ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) break; if (ret < 0) { if (debug_level) fprintf(stderr, "failed\n ! ssl_read returned %d\n\n", ret); break; } if (ret == 0) { if (debug_level) fprintf(stderr, "\n\nEOF\n\n"); break; } len = ret; if (debug_level) fprintf(stderr, " %d bytes read\n\n%s\n", len, (char *) tmpbuf); strcpy(buf, tmpbuf); } while (1); ssl_close_notify(&ssl); exit: #ifdef POLARSSL_ERROR_C if (ret != 0) { char error_buf[100]; polarssl_strerror(ret, error_buf, 100); if (debug_level) fprintf(stderr, "Last error was: %d - %s\n\n", ret, error_buf); } #endif if (server_fd != -1) net_close(server_fd); x509_crt_free(&cacert); ssl_free(&ssl); ctr_drbg_free(&ctr_drbg); entropy_free(&entropy); memset(&ssl, 0, sizeof(ssl)); return (buf); }
cRSAPrivateKey::~cRSAPrivateKey() { entropy_free(&m_Entropy); rsa_free(&m_Rsa); }
int main( int argc, char *argv[] ) { int ret = 0, len, server_fd; unsigned char buf[1024]; #if defined(POLARSSL_BASE64_C) unsigned char base[1024]; #endif char hostname[32]; const char *pers = "ssl_mail_client"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_crt cacert; x509_crt clicert; pk_context pkey; int i; size_t n; char *p, *q; const int *list; /* * Make sure memory references are valid in case we exit early. */ server_fd = 0; memset( &ssl, 0, sizeof( ssl_context ) ); x509_crt_init( &cacert ); x509_crt_init( &clicert ); pk_init( &pkey ); if( argc == 0 ) { usage: printf( USAGE ); list = ssl_list_ciphersuites(); while( *list ) { printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); list++; } printf("\n"); goto exit; } opt.server_name = DFL_SERVER_NAME; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.authentication = DFL_AUTHENTICATION; opt.mode = DFL_MODE; opt.user_name = DFL_USER_NAME; opt.user_pwd = DFL_USER_PWD; opt.mail_from = DFL_MAIL_FROM; opt.mail_to = DFL_MAIL_TO; opt.ca_file = DFL_CA_FILE; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "server_name" ) == 0 ) opt.server_name = q; else if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "authentication" ) == 0 ) { opt.authentication = atoi( q ); if( opt.authentication < 0 || opt.authentication > 1 ) goto usage; } else if( strcmp( p, "mode" ) == 0 ) { opt.mode = atoi( q ); if( opt.mode < 0 || opt.mode > 1 ) goto usage; } else if( strcmp( p, "user_name" ) == 0 ) opt.user_name = q; else if( strcmp( p, "user_pwd" ) == 0 ) opt.user_pwd = q; else if( strcmp( p, "mail_from" ) == 0 ) opt.mail_from = q; else if( strcmp( p, "mail_to" ) == 0 ) opt.mail_to = q; else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "crt_file" ) == 0 ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = -1; opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); if( opt.force_ciphersuite[0] <= 0 ) goto usage; opt.force_ciphersuite[1] = 0; } else goto usage; } /* * 0. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n" ); /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_file ) ) ret = x509_crt_parse_file( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, strlen( test_ca_list ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret < 0 ) { printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* * 1.2. Load own certificate and private key * * (can be skipped if client authentication is not required) */ printf( " . Loading the client cert. and key..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) ret = x509_crt_parse_file( &clicert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt, strlen( test_cli_crt ) ); #else { ret = -1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); goto exit; } #if defined(POLARSSL_FS_IO) if( strlen( opt.key_file ) ) ret = pk_parse_keyfile( &pkey, opt.key_file, "" ); else #endif #if defined(POLARSSL_CERTS_C) ret = pk_parse_key( &pkey, (const unsigned char *) test_cli_key, strlen( test_cli_key ), NULL, 0 ); #else { ret = -1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! pk_parse_key returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Start the connection */ printf( " . Connecting to tcp/%s/%-4d...", opt.server_name, opt.server_port ); fflush( stdout ); if( ( ret = net_connect( &server_fd, opt.server_name, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); ssl_set_own_cert( &ssl, &clicert, &pkey ); #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) ssl_set_hostname( &ssl, opt.server_name ); #endif if( opt.mode == MODE_SSL_TLS ) { if( do_handshake( &ssl, &opt ) != 0 ) goto exit; printf( " > Get header from server:" ); fflush( stdout ); ret = write_ssl_and_get_response( &ssl, buf, 0 ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write EHLO to server:" ); fflush( stdout ); gethostname( hostname, 32 ); len = sprintf( (char *) buf, "EHLO %s\r\n", hostname ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } } else { printf( " > Get header from server:" ); fflush( stdout ); ret = write_and_get_response( server_fd, buf, 0 ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write EHLO to server:" ); fflush( stdout ); gethostname( hostname, 32 ); len = sprintf( (char *) buf, "EHLO %s\r\n", hostname ); ret = write_and_get_response( server_fd, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write STARTTLS to server:" ); fflush( stdout ); gethostname( hostname, 32 ); len = sprintf( (char *) buf, "STARTTLS\r\n" ); ret = write_and_get_response( server_fd, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); if( do_handshake( &ssl, &opt ) != 0 ) goto exit; } #if defined(POLARSSL_BASE64_C) if( opt.authentication ) { printf( " > Write AUTH LOGIN to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "AUTH LOGIN\r\n" ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write username to server: %s", opt.user_name ); fflush( stdout ); n = sizeof( buf ); len = base64_encode( base, &n, (const unsigned char *) opt.user_name, strlen( opt.user_name ) ); len = sprintf( (char *) buf, "%s\r\n", base ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 300 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write password to server: %s", opt.user_pwd ); fflush( stdout ); len = base64_encode( base, &n, (const unsigned char *) opt.user_pwd, strlen( opt.user_pwd ) ); len = sprintf( (char *) buf, "%s\r\n", base ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); } #endif printf( " > Write MAIL FROM to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "MAIL FROM:<%s>\r\n", opt.mail_from ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write RCPT TO to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "RCPT TO:<%s>\r\n", opt.mail_to ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write DATA to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "DATA\r\n" ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 300 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write content to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "From: %s\r\nSubject: PolarSSL Test mail\r\n\r\n" "This is a simple test mail from the " "PolarSSL mail client example.\r\n" "\r\n" "Enjoy!", opt.mail_from ); ret = write_ssl_data( &ssl, buf, len ); len = sprintf( (char *) buf, "\r\n.\r\n"); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); ssl_close_notify( &ssl ); exit: if( server_fd ) net_close( server_fd ); x509_crt_free( &clicert ); x509_crt_free( &cacert ); pk_free( &pkey ); ssl_free( &ssl ); entropy_free( &entropy ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }