tcpcon_t *
tcp_connect(const char *hostname, int port, char *errbuf, size_t errbufsize,
int timeout, int ssl, cancellable_t *c)
{
struct hostent *hp;
char *tmphstbuf;
int fd, val, r, err, herr;
const char *errtxt;
#if !defined(__APPLE__)
struct hostent hostbuf;
size_t hstbuflen;
int res;
#endif
struct sockaddr_in6 in6;
struct sockaddr_in in;
socklen_t errlen = sizeof(int);
if(!strcmp(hostname, "localhost")) {
if((fd = getstreamsocket(AF_INET, errbuf, errbufsize)) == -1)
return NULL;
memset(&in, 0, sizeof(in));
in.sin_family = AF_INET;
in.sin_port = htons(port);
in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
r = connect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in));
} else {
#if defined(__APPLE__)
herr = 0;
tmphstbuf = NULL; /* free NULL is a nop */
/* TODO: AF_INET6 */
hp = gethostbyname(hostname);
if(hp == NULL)
herr = h_errno;
#else
hstbuflen = 1024;
tmphstbuf = malloc(hstbuflen);
while((res = gethostbyname_r(hostname, &hostbuf, tmphstbuf, hstbuflen,
&hp, &herr)) == ERANGE) {
hstbuflen *= 2;
tmphstbuf = realloc(tmphstbuf, hstbuflen);
}
#endif
if(herr != 0) {
switch(herr) {
case HOST_NOT_FOUND:
errtxt = "Unknown host";
break;
case NO_ADDRESS:
errtxt = "The requested name is valid but does not have an IP address";
break;
case NO_RECOVERY:
errtxt = "A non-recoverable name server error occurred";
break;
case TRY_AGAIN:
errtxt = "A temporary error occurred on an authoritative name server";
break;
default:
errtxt = "Unknown error";
break;
}
snprintf(errbuf, errbufsize, "%s", errtxt);
free(tmphstbuf);
return NULL;
} else if(hp == NULL) {
snprintf(errbuf, errbufsize, "Resolver internal error");
free(tmphstbuf);
return NULL;
}
if((fd = getstreamsocket(hp->h_addrtype, errbuf, errbufsize)) == -1) {
free(tmphstbuf);
return NULL;
}
switch(hp->h_addrtype) {
case AF_INET:
memset(&in, 0, sizeof(in));
in.sin_family = AF_INET;
in.sin_port = htons(port);
memcpy(&in.sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
r = connect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in));
break;
case AF_INET6:
memset(&in6, 0, sizeof(in6));
in6.sin6_family = AF_INET6;
in6.sin6_port = htons(port);
memcpy(&in6.sin6_addr, hp->h_addr_list[0], sizeof(struct in6_addr));
r = connect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in6));
break;
default:
snprintf(errbuf, errbufsize, "Invalid protocol family");
free(tmphstbuf);
return NULL;
}
free(tmphstbuf);
}
tcpcon_t *tc = calloc(1, sizeof(tcpcon_t));
tc->fd = fd;
tc->c = c;
htsbuf_queue_init(&tc->spill, 0);
if(c != NULL)
cancellable_bind(c, tcp_cancel, tc);
if(r == -1) {
if(errno == EINPROGRESS) {
struct pollfd pfd;
pfd.fd = fd;
pfd.events = POLLOUT;
pfd.revents = 0;
r = poll(&pfd, 1, timeout);
if(r < 1) {
/* Timeout */
if(!r)
snprintf(errbuf, errbufsize, "Connection attempt timed out");
else
snprintf(errbuf, errbufsize, "poll() error: %s", strerror(errno));
tcp_close(tc);
return NULL;
}
getsockopt(fd, SOL_SOCKET, SO_ERROR, (void *)&err, &errlen);
} else {
err = errno;
}
} else {
err = 0;
}
if(err != 0) {
snprintf(errbuf, errbufsize, "%s", strerror(err));
tcp_close(tc);
return NULL;
}
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
val = 1;
setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
if(ssl) {
#if ENABLE_OPENSSL
if(showtime_ssl_ctx != NULL) {
char errmsg[120];
if((tc->ssl = SSL_new(showtime_ssl_ctx)) == NULL) {
ERR_error_string(ERR_get_error(), errmsg);
snprintf(errbuf, errlen, "SSL: %s", errmsg);
tcp_close(tc);
return NULL;
}
if(SSL_set_fd(tc->ssl, tc->fd) == 0) {
ERR_error_string(ERR_get_error(), errmsg);
snprintf(errbuf, errlen, "SSL fd: %s", errmsg);
tcp_close(tc);
return NULL;
}
if(SSL_connect(tc->ssl) <= 0) {
ERR_error_string(ERR_get_error(), errmsg);
snprintf(errbuf, errlen, "SSL connect: %s", errmsg);
tcp_close(tc);
return NULL;
}
SSL_set_mode(tc->ssl, SSL_MODE_AUTO_RETRY);
tc->read = ssl_read;
tc->write = ssl_write;
} else
#elif ENABLE_POLARSSL
if(1) {
tc->ssl = malloc(sizeof(ssl_context));
if(ssl_init(tc->ssl)) {
snprintf(errbuf, errlen, "SSL failed to initialize");
close(fd);
free(tc->ssl);
free(tc);
return NULL;
}
tc->ssn = malloc(sizeof(ssl_session));
tc->hs = malloc(sizeof(havege_state));
havege_init(tc->hs);
memset(tc->ssn, 0, sizeof(ssl_session));
ssl_set_endpoint(tc->ssl, SSL_IS_CLIENT );
ssl_set_authmode(tc->ssl, SSL_VERIFY_NONE );
ssl_set_rng(tc->ssl, havege_random, tc->hs );
ssl_set_bio(tc->ssl, net_recv, &tc->fd, net_send, &tc->fd);
ssl_set_ciphersuites(tc->ssl, ssl_default_ciphersuites );
ssl_set_session(tc->ssl, tc->ssn );
tc->read = polarssl_read;
tc->write = polarssl_write;
} else
#endif
{
snprintf(errbuf, errlen, "SSL not supported");
tcp_close(tc);
return NULL;
}
} else {
tc->read = tcp_read;
tc->write = tcp_write;
}
return tc;
}
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags;
int listen_fd;
int client_fd = -1;
unsigned char buf[1024];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[256];
size_t psk_len = 0;
#endif
const char *pers = "ssl_server2";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt cacert;
x509_crt srvcert;
pk_context pkey;
x509_crt srvcert2;
pk_context pkey2;
int key_cert_init = 0, key_cert_init2 = 0;
#endif
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
#endif
#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
unsigned char alloc_buf[100000];
#endif
int i;
char *p, *q;
const int *list;
#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
#endif
/*
* Make sure memory references are valid in case we exit early.
*/
listen_fd = 0;
memset( &ssl, 0, sizeof( ssl_context ) );
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt_init( &cacert );
x509_crt_init( &srvcert );
pk_init( &pkey );
x509_crt_init( &srvcert2 );
pk_init( &pkey2 );
#endif
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_init( &cache );
#endif
if( argc == 0 )
{
usage:
if( ret == 0 )
ret = 1;
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %-42s", ssl_get_ciphersuite_name( *list ) );
list++;
if( !*list )
break;
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.crt_file2 = DFL_CRT_FILE2;
opt.key_file2 = DFL_KEY_FILE2;
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.tickets = DFL_TICKETS;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "crt_file2" ) == 0 )
opt.crt_file2 = q;
else if( strcmp( p, "key_file2" ) == 0 )
opt.key_file2 = q;
else if( strcmp( p, "psk" ) == 0 )
opt.psk = q;
else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = -1;
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] <= 0 )
{
ret = 2;
goto usage;
}
opt.force_ciphersuite[1] = 0;
}
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
SSL_RENEGOTIATION_DISABLED;
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
opt.allow_legacy = atoi( q );
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
goto usage;
}
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "max_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_0;
opt.max_version = SSL_MINOR_VERSION_0;
}
else if( strcmp( q, "tls1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_1;
opt.max_version = SSL_MINOR_VERSION_1;
}
else if( strcmp( q, "tls1_1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_2;
opt.max_version = SSL_MINOR_VERSION_2;
}
else if( strcmp( q, "tls1_2" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_3;
opt.max_version = SSL_MINOR_VERSION_3;
}
else
goto usage;
}
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
opt.auth_mode = SSL_VERIFY_NONE;
else if( strcmp( q, "optional" ) == 0 )
opt.auth_mode = SSL_VERIFY_OPTIONAL;
else if( strcmp( q, "required" ) == 0 )
opt.auth_mode = SSL_VERIFY_REQUIRED;
else
goto usage;
}
else if( strcmp( p, "max_frag_len" ) == 0 )
{
if( strcmp( q, "512" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_512;
else if( strcmp( q, "1024" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_1024;
else if( strcmp( q, "2048" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_2048;
else if( strcmp( q, "4096" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_4096;
else
goto usage;
}
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
if( opt.tickets < 0 || opt.tickets > 1 )
goto usage;
}
else
goto usage;
}
if( opt.force_ciphersuite[0] > 0 )
{
const ssl_ciphersuite_t *ciphersuite_info;
ciphersuite_info = ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
if( opt.max_version != -1 &&
ciphersuite_info->min_minor_ver > opt.max_version )
{
printf("forced ciphersuite not allowed with this protocol version\n");
ret = 2;
goto usage;
}
if( opt.min_version != -1 &&
ciphersuite_info->max_minor_ver < opt.min_version )
{
printf("forced ciphersuite not allowed with this protocol version\n");
ret = 2;
goto usage;
}
if( opt.max_version > ciphersuite_info->max_minor_ver )
opt.max_version = ciphersuite_info->max_minor_ver;
if( opt.min_version < ciphersuite_info->min_minor_ver )
opt.min_version = ciphersuite_info->min_minor_ver;
}
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
/*
* Unhexify the pre-shared key if any is given
*/
if( strlen( opt.psk ) )
{
unsigned char c;
size_t j;
if( strlen( opt.psk ) % 2 != 0 )
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk_len = strlen( opt.psk ) / 2;
for( j = 0; j < strlen( opt.psk ); j += 2 )
{
c = opt.psk[j];
if( c >= '0' && c <= '9' )
c -= '0';
else if( c >= 'a' && c <= 'f' )
c -= 'a' - 10;
else if( c >= 'A' && c <= 'F' )
c -= 'A' - 10;
else
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk[ j / 2 ] = c << 4;
c = opt.psk[j + 1];
if( c >= '0' && c <= '9' )
c -= '0';
else if( c >= 'a' && c <= 'f' )
c -= 'a' - 10;
else if( c >= 'A' && c <= 'F' )
c -= 'A' - 10;
else
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk[ j / 2 ] |= c;
}
}
#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
goto exit;
}
printf( " ok\n" );
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_path ) )
ret = x509_crt_parse_path( &cacert, opt.ca_path );
else if( strlen( opt.ca_file ) )
ret = x509_crt_parse_file( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list,
strlen( test_ca_list ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret < 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1.2. Load own certificate and private key
*/
printf( " . Loading the server cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
{
key_cert_init++;
if( ( ret = x509_crt_parse_file( &srvcert, opt.crt_file ) ) != 0 )
{
printf( " failed\n ! x509_crt_parse_file returned -0x%x\n\n",
-ret );
goto exit;
}
}
if( strlen( opt.key_file ) )
{
key_cert_init++;
if( ( ret = pk_parse_keyfile( &pkey, opt.key_file, "" ) ) != 0 )
{
printf( " failed\n ! pk_parse_keyfile returned -0x%x\n\n", -ret );
goto exit;
}
}
if( key_cert_init == 1 )
{
printf( " failed\n ! crt_file without key_file or vice-versa\n\n" );
goto exit;
}
if( strlen( opt.crt_file2 ) )
{
key_cert_init2++;
if( ( ret = x509_crt_parse_file( &srvcert2, opt.crt_file2 ) ) != 0 )
{
printf( " failed\n ! x509_crt_parse_file(2) returned -0x%x\n\n",
-ret );
goto exit;
}
}
if( strlen( opt.key_file2 ) )
{
key_cert_init2++;
if( ( ret = pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 )
{
printf( " failed\n ! pk_parse_keyfile(2) returned -0x%x\n\n",
-ret );
goto exit;
}
}
if( key_cert_init2 == 1 )
{
printf( " failed\n ! crt_file2 without key_file2 or vice-versa\n\n" );
goto exit;
}
#endif
if( key_cert_init == 0 && key_cert_init2 == 0 )
{
#if !defined(POLARSSL_CERTS_C)
printf( "Not certificated or key provided, and \n"
"POLARSSL_CERTS_C not defined!\n" );
goto exit;
#else
#if defined(POLARSSL_RSA_C)
if( ( ret = x509_crt_parse( &srvcert,
(const unsigned char *) test_srv_crt_rsa,
strlen( test_srv_crt_rsa ) ) ) != 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
if( ( ret = pk_parse_key( &pkey,
(const unsigned char *) test_srv_key_rsa,
strlen( test_srv_key_rsa ), NULL, 0 ) ) != 0 )
{
printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret );
goto exit;
}
key_cert_init = 2;
#endif /* POLARSSL_RSA_C */
#if defined(POLARSSL_ECDSA_C)
if( ( ret = x509_crt_parse( &srvcert2,
(const unsigned char *) test_srv_crt_ec,
strlen( test_srv_crt_ec ) ) ) != 0 )
{
printf( " failed\n ! x509_crt_parse2 returned -0x%x\n\n", -ret );
goto exit;
}
if( ( ret = pk_parse_key( &pkey2,
(const unsigned char *) test_srv_key_ec,
strlen( test_srv_key_ec ), NULL, 0 ) ) != 0 )
{
printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n", -ret );
goto exit;
}
key_cert_init2 = 2;
#endif /* POLARSSL_ECDSA_C */
#endif /* POLARSSL_CERTS_C */
}
printf( " ok\n" );
#endif /* POLARSSL_X509_CRT_PARSE_C */
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on tcp://localhost:%-4d/ ...", opt.server_port );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_bind returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, opt.auth_mode );
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
ssl_set_max_frag_len( &ssl, opt.mfl_code );
#endif
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
#if defined(POLARSSL_SSL_SESSION_TICKETS)
ssl_set_session_tickets( &ssl, opt.tickets );
#endif
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_X509_CRT_PARSE_C)
ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
if( key_cert_init )
ssl_set_own_cert( &ssl, &srvcert, &pkey );
if( key_cert_init2 )
ssl_set_own_cert( &ssl, &srvcert2, &pkey2 );
#endif
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
ssl_set_psk( &ssl, psk, psk_len, (const unsigned char *) opt.psk_identity,
strlen( opt.psk_identity ) );
#endif
#if defined(POLARSSL_DHM_C)
/*
* Use different group than default DHM group
*/
ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P,
POLARSSL_DHM_RFC5114_MODP_2048_G );
#endif
if( opt.min_version != -1 )
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != -1 )
ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
printf( " ok\n" );
reset:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
if( client_fd != -1 )
net_close( client_fd );
ssl_session_reset( &ssl );
/*
* 3. Wait until a client connects
*/
#if defined(_WIN32_WCE)
{
SHELLEXECUTEINFO sei;
ZeroMemory( &sei, sizeof( SHELLEXECUTEINFO ) );
sei.cbSize = sizeof( SHELLEXECUTEINFO );
sei.fMask = 0;
sei.hwnd = 0;
sei.lpVerb = _T( "open" );
sei.lpFile = _T( "https://localhost:4433/" );
sei.lpParameters = NULL;
sei.lpDirectory = NULL;
sei.nShow = SW_SHOWNORMAL;
ShellExecuteEx( &sei );
}
#elif defined(_WIN32)
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned -0x%x\n\n", -ret );
goto exit;
}
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
printf( " ok\n" );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto reset;
}
}
printf( " ok\n [ Ciphersuite is %s ]\n",
ssl_get_ciphersuite( &ssl ) );
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( !ssl_get_peer_cert( &ssl ) )
printf( " ! no client certificate sent\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! client certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! client certificate has been revoked\n" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
if( ssl_get_peer_cert( &ssl ) )
{
printf( " . Peer certificate information ...\n" );
x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s\n", len, (char *) buf );
if( memcmp( buf, "SERVERQUIT", 10 ) == 0 )
{
ret = 0;
goto exit;
}
if( ret > 0 )
break;
}
while( 1 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
for( written = 0, frags = 0; written < len; written += ret, frags++ )
{
while( ( ret = ssl_write( &ssl, buf + written, len - written ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto reset;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
}
buf[written] = '\0';
printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
#ifdef TEST_RENEGO
/*
* Request renegotiation (this must be done when the client is still
* waiting for input from our side).
*/
printf( " . Requestion renegotiation..." );
fflush( stdout );
while( ( ret = ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret );
goto exit;
}
}
/*
* Should be a while loop, not an if, but here we're not actually
* expecting data from the client, and since we're running tests locally,
* we can just hope the handshake will finish the during the first call.
*/
if( ( ret = ssl_read( &ssl, buf, 0 ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_read returned %d\n\n", ret );
/* Unexpected message probably means client didn't renegotiate */
if( ret == POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE )
goto reset;
else
goto exit;
}
}
printf( " ok\n" );
#endif
ret = 0;
goto reset;
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
}
#endif
net_close( client_fd );
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt_free( &cacert );
x509_crt_free( &srvcert );
pk_free( &pkey );
x509_crt_free( &srvcert2 );
pk_free( &pkey2 );
#endif
ssl_free( &ssl );
entropy_free( &entropy );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
#if defined(POLARSSL_MEMORY_BUFFER_ALLOC_C)
#if defined(POLARSSL_MEMORY_DEBUG)
memory_buffer_alloc_status();
#endif
memory_buffer_alloc_free();
#endif
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
// Shell can not handle large exit numbers -> 1 for errors
if( ret < 0 )
ret = 1;
return( ret );
}
static void *handle_ssl_connection( void *data )
{
int ret, len;
thread_info_t *thread_info = (thread_info_t *) data;
int client_fd = thread_info->client_fd;
int thread_id = (int) pthread_self();
unsigned char buf[1024];
char pers[50];
ssl_context ssl;
ctr_drbg_context ctr_drbg;
snprintf( pers, sizeof(pers), "SSL Pthread Thread %d", thread_id );
printf( " [ #%d ] Client FD %d\n", thread_id, client_fd );
printf( " [ #%d ] Seeding the random number generator...\n", thread_id );
/* entropy_func() is thread-safe if POLARSSL_THREADING_C is set
*/
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, thread_info->entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " [ #%d ] failed: ctr_drbg_init returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
printf( " [ #%d ] ok\n", thread_id );
/*
* 4. Setup stuff
*/
printf( " [ #%d ] Setting up the SSL data....\n", thread_id );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " [ #%d ] failed: ssl_init returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
/* ssl_cache_get() and ssl_cache_set() are thread-safe if
* POLARSSL_THREADING_C is set.
*/
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, thread_info->cache,
ssl_cache_set, thread_info->cache );
#endif
ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL );
if( ( ret = ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 )
{
printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
printf( " [ #%d ] ok\n", thread_id );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
printf( " [ #%d ] ok\n", thread_id );
/*
* 5. Handshake
*/
printf( " [ #%d ] Performing the SSL/TLS handshake\n", thread_id );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " [ #%d ] failed: ssl_handshake returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
}
printf( " [ #%d ] ok\n", thread_id );
/*
* 6. Read the HTTP Request
*/
printf( " [ #%d ] < Read from client\n", thread_id );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " [ #%d ] connection was closed gracefully\n",
thread_id );
goto thread_exit;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " [ #%d ] connection was reset by peer\n",
thread_id );
goto thread_exit;
default:
printf( " [ #%d ] ssl_read returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
break;
}
len = ret;
printf( " [ #%d ] %d bytes read\n=====\n%s\n=====\n",
thread_id, len, (char *) buf );
if( ret > 0 )
break;
}
while( 1 );
/*
* 7. Write the 200 Response
*/
printf( " [ #%d ] > Write to client:\n", thread_id );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " [ #%d ] failed: peer closed the connection\n",
thread_id );
goto thread_exit;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " [ #%d ] failed: ssl_write returned -0x%04x\n",
thread_id, ret );
goto thread_exit;
}
}
len = ret;
printf( " [ #%d ] %d bytes written\n=====\n%s\n=====\n",
thread_id, len, (char *) buf );
printf( " [ #%d ] . Closing the connection...", thread_id );
while( ( ret = ssl_close_notify( &ssl ) ) < 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " [ #%d ] failed: ssl_close_notify returned -0x%04x\n",
thread_id, ret );
goto thread_exit;
}
}
printf( " ok\n" );
ret = 0;
thread_exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf(" [ #%d ] Last error was: -0x%04x - %s\n\n",
thread_id, -ret, error_buf );
}
#endif
net_close( client_fd );
ssl_free( &ssl );
thread_info->thread_complete = 1;
return( NULL );
}
char *http_process_request(char *url, int method, char **type, int *code, int *size, const char *contype, char *post) {
struct sockaddr_in serv_addr;
int sockfd = 0, bytes = 0;
int has_code = 0, has_type = 0;
int pos = 0;
size_t bufsize = BUFFER_SIZE;
char ip[INET_ADDRSTRLEN+1], *content = NULL, *host = NULL, *auth = NULL, *auth64 = NULL;
char *page = NULL, *tok = NULL;
char recvBuff[BUFFER_SIZE+1], *header = MALLOC(bufsize);
unsigned short port = 0, sslfree = 0, entropyfree = 0;
size_t len = 0, tlen = 0, plen = 0;
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
*size = 0;
if(header == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
memset(header, '\0', bufsize);
memset(recvBuff, '\0', BUFFER_SIZE+1);
memset(&serv_addr, '\0', sizeof(struct sockaddr_in));
/* Check which port we need to use based on the http(s) protocol */
if(strncmp(url, "http://", 7) == 0) {
port = 80;
plen = 8;
} else if(strncmp(url, "https://", 8) == 0) {
port = 443;
plen = 9;
} else {
logprintf(LOG_ERR, "an url should start with either http:// or https://", url);
*code = -1;
goto exit;
}
/* Split the url into a host and page part */
len = strlen(url);
if((tok = strstr(&url[plen], "/"))) {
tlen = (size_t)(tok-url)-plen+1;
if((host = MALLOC(tlen+1)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
strncpy(host, &url[plen-1], tlen);
host[tlen] = '\0';
if((page = MALLOC(len-tlen)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
strcpy(page, &url[tlen+(plen-1)]);
} else {
tlen = strlen(url)-(plen-1);
if((host = MALLOC(tlen+1)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
strncpy(host, &url[(plen-1)], tlen);
host[tlen] = '\0';
if((page = MALLOC(2)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
strcpy(page, "/");
}
if((tok = strstr(host, "@"))) {
size_t pglen = strlen(page);
if(strcmp(page, "/") == 0) {
pglen -= 1;
}
tlen = (size_t)(tok-host);
if((auth = MALLOC(tlen+1)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
strncpy(auth, &host[0], tlen);
auth[tlen] = '\0';
strncpy(&host[0], &url[plen+tlen], len-(plen+tlen+pglen));
host[len-(plen+tlen+pglen)] = '\0';
auth64 = base64encode(auth, strlen(auth));
}
#ifdef _WIN32
WSADATA wsa;
if(WSAStartup(0x202, &wsa) != 0) {
logprintf(LOG_ERR, "could not initialize new socket");
*code = -1;
goto exit;
}
#endif
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
logprintf(LOG_ERR, "could not http create socket");
*code = -1;
goto exit;
}
setsockopt(sockfd, SOL_SOCKET, SO_KEEPALIVE, 0, 0);
char *w = ip;
if(host2ip(host, w) == -1) {
*code = -1;
goto exit;
}
serv_addr.sin_family = AF_INET;
if(inet_pton(AF_INET, ip, (void *)(&(serv_addr.sin_addr.s_addr))) <= 0) {
logprintf(LOG_ERR, "%s is not a valid ip address", ip);
*code = -1;
goto exit;
}
serv_addr.sin_port = htons(port);
/* Proper socket timeout testing */
switch(socket_timeout_connect(sockfd, (struct sockaddr *)&serv_addr, 3)) {
case -1:
logprintf(LOG_ERR, "could not connect to http socket (%s)", url);
*code = -1;
goto exit;
case -2:
logprintf(LOG_ERR, "http socket connection timeout (%s)", url);
*code = -1;
goto exit;
case -3:
logprintf(LOG_ERR, "error in http socket connection", url);
*code = -1;
goto exit;
default:
break;
}
if(method == HTTP_POST) {
len = (size_t)snprintf(&header[0], bufsize, "POST %s HTTP/1.0\r\n", page);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "Host: %s\r\n", host);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
if(auth64 != NULL) {
len += (size_t)snprintf(&header[len], bufsize - len, "Authorization: Basic %s\r\n", auth64);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "User-Agent: %s\r\n", USERAGENT);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "Content-Type: %s\r\n", contype);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "Content-Length: %d\r\n\r\n", (int)strlen(post));
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "%s", post);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
} else if(method == HTTP_GET) {
len = (size_t)snprintf(&header[0], bufsize, "GET %s HTTP/1.0\r\n", page);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "Host: %s\r\n", host);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
if(auth64 != NULL) {
len += (size_t)snprintf(&header[len], bufsize - len, "Authorization: Basic %s\r\n", auth64);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "User-Agent: %s\r\n", USERAGENT);
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
len += (size_t)snprintf(&header[len], bufsize - len, "Connection: close\r\n\r\n");
if(len >= bufsize) {
bufsize += BUFFER_SIZE;
if((header = REALLOC(header, bufsize)) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
}
}
if(port == 443) {
memset(&ssl, '\0', sizeof(ssl_context));
entropy_init(&entropy);
entropyfree = 1;
if((ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (const unsigned char *)USERAGENT, 6)) != 0) {
logprintf(LOG_ERR, "ctr_drbg_init failed");
*code = -1;
goto exit;
}
if((ssl_init(&ssl)) != 0) {
logprintf(LOG_ERR, "ssl_init failed");
*code = -1;
goto exit;
}
sslfree = 1;
ssl_set_endpoint(&ssl, SSL_IS_CLIENT);
ssl_set_rng(&ssl, ctr_drbg_random, &ctr_drbg);
ssl_set_bio(&ssl, net_recv, &sockfd, net_send, &sockfd);
int ret = 0;
while((ret = ssl_handshake(&ssl)) != 0) {
if(ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE) {
logprintf(LOG_ERR, "ssl_handshake failed");
*code = -1;
goto exit;
}
}
while((ret = ssl_write(&ssl, (const unsigned char *)header, len)) <= 0) {
if(ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE) {
if(ret == -76) {
logprintf(LOG_ERR, "ssl_write timed out");
} else {
logprintf(LOG_ERR, "ssl_write failed");
}
*code = -1;
goto exit;
}
}
} else {
if((bytes = send(sockfd, header, len, 0)) <= 0) {
logprintf(LOG_ERR, "sending header to http server failed");
*code = -1;
goto exit;
}
}
char *nl = NULL;
char *tp = *type;
memset(recvBuff, '\0', sizeof(recvBuff));
while(1) {
if(port == 443) {
bytes = ssl_read(&ssl, (unsigned char *)recvBuff, BUFFER_SIZE);
if(bytes == POLARSSL_ERR_NET_WANT_READ || bytes == POLARSSL_ERR_NET_WANT_WRITE) {
continue;
}
if(bytes == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) {
break;
}
} else {
bytes = recv(sockfd, recvBuff, BUFFER_SIZE, 0);
}
if(bytes <= 0) {
if(*size == 0) {
logprintf(LOG_ERR, "http(s) read failed (%s)", url);
}
break;
}
if((content = REALLOC(content, (size_t)(*size+bytes+1))) == NULL) {
fprintf(stderr, "out of memory\n");
exit(EXIT_FAILURE);
}
memset(&content[*size], '\0', (size_t)(bytes+1));
strncpy(&content[*size], recvBuff, (size_t)(bytes));
*size += bytes;
char **array = NULL;
char *p = recvBuff;
/* Let's first normalize the HEADER terminator */
str_replace("\r\n", "\n\r", &p);
unsigned int n = explode(recvBuff, "\n\r", &array), q = 0;
int z = 0;
for(q=0;q<n;q++) {
if(has_code == 0 && sscanf(array[q], "HTTP/1.%d%*[ ]%d%*s%*[ \n\r]", &z, code)) {
has_code = 1;
}
// ;%*[ A-Za-z0-9\\/=+- \n\r]
if(has_type == 0 && sscanf(array[q], "Content-%*[tT]ype:%*[ ]%[A-Za-z\\/+-]", tp)) {
has_type = 1;
}
}
array_free(&array, n);
memset(recvBuff, '\0', sizeof(recvBuff));
}
if(content != NULL) {
/* Remove the header */
if((nl = strstr(content, "\r\n\r\n"))) {
pos = (nl-content)+4;
memmove(&content[0], &content[pos], (size_t)(*size-pos));
*size-=pos;
}
/* Remove the footer */
if((nl = strstr(content, "0\r\n\r\n"))) {
*size -= 5;
}
}
exit:
if(port == 443) {
if(sslfree == 1) {
ssl_free(&ssl);
}
if(entropyfree == 1) {
entropy_free(&entropy);
}
}
if(header) FREE(header);
if(auth) FREE(auth);
if(auth64) FREE(auth64);
if(page) FREE(page);
if(host) FREE(host);
if(sockfd > 0) {
close(sockfd);
}
if(*size > 0) {
content[*size] = '\0';
return content;
} else {
return NULL;
}
return NULL;
}
int main( int argc, char *argv[] )
{
int ret, len;
int listen_fd;
int client_fd = -1;
unsigned char buf[1024];
const char *pers = "ssl_server";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert srvcert;
rsa_context rsa;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
#endif
((void) argc);
((void) argv);
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_init( &cache );
#endif
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
rsa_init( &rsa, RSA_PKCS_V15, 0 );
ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Seed the RNG
*/
printf( " . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the SSL data...." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
printf( " ok\n" );
reset:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
if( client_fd != -1 )
net_close( client_fd );
ssl_session_reset( &ssl );
/*
* 3. Wait until a client connects
*/
#if defined(_WIN32_WCE)
{
SHELLEXECUTEINFO sei;
ZeroMemory( &sei, sizeof( SHELLEXECUTEINFO ) );
sei.cbSize = sizeof( SHELLEXECUTEINFO );
sei.fMask = 0;
sei.hwnd = 0;
sei.lpVerb = _T( "open" );
sei.lpFile = _T( "https://localhost:4433/" );
sei.lpParameters = NULL;
sei.lpDirectory = NULL;
sei.nShow = SW_SHOWNORMAL;
ShellExecuteEx( &sei );
}
#elif defined(_WIN32)
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
printf( " ok\n" );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto reset;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
if( ret > 0 )
break;
}
while( 1 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto reset;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ret = 0;
goto reset;
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( void )
{
int ret, len;
int listen_fd;
int client_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert srvcert;
rsa_context rsa;
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
rsa_init( &rsa, RSA_PKCS_V15, 0 );
ret = x509parse_key( &rsa, (unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Wait until a client connects
*/
#ifdef WIN32
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
memset( &ssl, 0, sizeof( ssl ) );
accept:
net_close( client_fd );
ssl_free( &ssl );
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the RNG and SSL data...." );
fflush( stdout );
havege_init( &hs );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto accept;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
ssl_set_scb( &ssl, my_get_session,
my_set_session );
ssl_set_ciphersuites( &ssl, my_ciphersuites );
ssl_set_session( &ssl, 1, 0, &ssn );
memset( &ssn, 0, sizeof( ssl_session ) );
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto accept;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned %d\n", ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 0 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto accept;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ssl_close_notify( &ssl );
goto accept;
exit:
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
cur = s_list_1st;
while( cur != NULL )
{
prv = cur;
cur = cur->next;
memset( prv, 0, sizeof( ssl_session ) );
free( prv );
}
memset( &ssl, 0, sizeof( ssl_context ) );
#ifdef WIN32
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
static CURLcode
polarssl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
void *old_session = NULL;
size_t old_session_size = 0;
char errorbuf[128];
errorbuf[0]=0;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
#ifdef THREADING_SUPPORT
entropy_init_mutex(&entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func_mutex, &entropy,
connssl->ssn.id, connssl->ssn.length)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#else
entropy_init(&connssl->entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func, &connssl->entropy,
connssl->ssn.id, connssl->ssn.length)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#endif /* THREADING_SUPPORT */
/* Load the trusted CA */
memset(&connssl->cacert, 0, sizeof(x509_crt));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509_crt_parse_file(&connssl->cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAFILE], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
if(data->set.str[STRING_SSL_CAPATH]) {
ret = x509_crt_parse_path(&connssl->cacert,
data->set.str[STRING_SSL_CAPATH]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert path %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAPATH], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&connssl->clicert, 0, sizeof(x509_crt));
if(data->set.str[STRING_CERT]) {
ret = x509_crt_parse_file(&connssl->clicert,
data->set.str[STRING_CERT]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading client cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_CERT], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
pk_context pk;
pk_init(&pk);
ret = pk_parse_keyfile(&pk, data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret == 0 && !pk_can_do(&pk, POLARSSL_PK_RSA))
ret = POLARSSL_ERR_PK_TYPE_MISMATCH;
if(ret == 0)
rsa_copy(&connssl->rsa, pk_rsa(pk));
else
rsa_free(&connssl->rsa);
pk_free(&pk);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_KEY], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&connssl->crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509_crl_parse_file(&connssl->crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connecting to %s:%d\n",
conn->host.name, conn->remote_port);
if(ssl_init(&connssl->ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
break;
case CURL_SSLVERSION_SSLv3:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n");
break;
case CURL_SSLVERSION_TLSv1_0:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0\n");
break;
case CURL_SSLVERSION_TLSv1_1:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_2);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_2);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1\n");
break;
case CURL_SSLVERSION_TLSv1_2:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_3);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_3);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
break;
}
ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&connssl->ssl, ctr_drbg_random,
&connssl->ctr_drbg);
ssl_set_bio(&connssl->ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
memcpy(&connssl->ssn, old_session, old_session_size);
infof(data, "PolarSSL re-using session\n");
}
ssl_set_session(&connssl->ssl,
&connssl->ssn);
ssl_set_ca_chain(&connssl->ssl,
&connssl->cacert,
&connssl->crl,
conn->host.name);
ssl_set_own_cert_rsa(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
}
#ifdef HAS_ALPN
if(data->set.ssl_enable_alpn) {
static const char* protocols[3];
int cur = 0;
#ifdef USE_NGHTTP2
if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
protocols[cur++] = NGHTTP2_PROTO_VERSION_ID;
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
#endif
protocols[cur++] = ALPN_HTTP_1_1;
infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
protocols[cur] = NULL;
ssl_set_alpn_protocols(&connssl->ssl, protocols);
}
#endif
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
/*
* This function loads all the client/CA certificates and CRLs. Setup the TLS
* layer and do all necessary magic.
*/
CURLcode
Curl_polarssl_connect(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
void *old_session = NULL;
size_t old_session_size = 0;
char buffer[1024];
if(conn->ssl[sockindex].state == ssl_connection_complete)
return CURLE_OK;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
havege_init(&conn->ssl[sockindex].hs);
/* Load the trusted CA */
memset(&conn->ssl[sockindex].cacert, 0, sizeof(x509_cert));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509parse_crtfile(&conn->ssl[sockindex].cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret) {
failf(data, "Error reading ca cert file %s: -0x%04X",
data->set.str[STRING_SSL_CAFILE], -ret);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&conn->ssl[sockindex].clicert, 0, sizeof(x509_cert));
if(data->set.str[STRING_CERT]) {
ret = x509parse_crtfile(&conn->ssl[sockindex].clicert,
data->set.str[STRING_CERT]);
if(ret) {
failf(data, "Error reading client cert file %s: -0x%04X",
data->set.str[STRING_CERT], -ret);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
ret = x509parse_keyfile(&conn->ssl[sockindex].rsa,
data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret) {
failf(data, "Error reading private key %s: -0x%04X",
data->set.str[STRING_KEY], -ret);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&conn->ssl[sockindex].crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509parse_crlfile(&conn->ssl[sockindex].crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
failf(data, "Error reading CRL file %s: -0x%04X",
data->set.str[STRING_SSL_CRLFILE], -ret);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connected to %s:%d\n",
conn->host.name, conn->remote_port);
havege_init(&conn->ssl[sockindex].hs);
if(ssl_init(&conn->ssl[sockindex].ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
ssl_set_endpoint(&conn->ssl[sockindex].ssl, SSL_IS_CLIENT);
ssl_set_authmode(&conn->ssl[sockindex].ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&conn->ssl[sockindex].ssl, havege_rand,
&conn->ssl[sockindex].hs);
ssl_set_bio(&conn->ssl[sockindex].ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
ssl_set_ciphers(&conn->ssl[sockindex].ssl, ssl_default_ciphers);
if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
memcpy(&conn->ssl[sockindex].ssn, old_session, old_session_size);
infof(data, "PolarSSL re-using session\n");
}
ssl_set_session(&conn->ssl[sockindex].ssl, 1, 600,
&conn->ssl[sockindex].ssn);
ssl_set_ca_chain(&conn->ssl[sockindex].ssl,
&conn->ssl[sockindex].cacert,
&conn->ssl[sockindex].crl,
conn->host.name);
ssl_set_own_cert(&conn->ssl[sockindex].ssl,
&conn->ssl[sockindex].clicert, &conn->ssl[sockindex].rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&conn->ssl[sockindex].ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
}
infof(data, "PolarSSL: performing SSL/TLS handshake...\n");
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&conn->ssl[sockindex].ssl, polarssl_debug, data);
#endif
for(;;) {
if(!(ret = ssl_handshake(&conn->ssl[sockindex].ssl)))
break;
else if(ret != POLARSSL_ERR_NET_TRY_AGAIN) {
failf(data, "ssl_handshake returned -0x%04X", -ret);
return CURLE_SSL_CONNECT_ERROR;
}
else {
/* wait for data from server... */
long timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
switch(Curl_socket_ready(conn->sock[sockindex],
CURL_SOCKET_BAD, timeout_ms)) {
case 0:
failf(data, "SSL handshake timeout");
return CURLE_OPERATION_TIMEDOUT;
break;
case CURL_CSELECT_IN:
continue;
break;
default:
return CURLE_SSL_CONNECT_ERROR;
break;
}
}
}
infof(data, "PolarSSL: Handshake complete, cipher is %s\n",
ssl_get_cipher(&conn->ssl[sockindex].ssl));
ret = ssl_get_verify_result(&conn->ssl[sockindex].ssl);
if(ret && data->set.ssl.verifypeer) {
if(ret & BADCERT_EXPIRED)
failf(data, "Cert verify failed: BADCERT_EXPIRED\n");
if(ret & BADCERT_REVOKED)
failf(data, "Cert verify failed: BADCERT_REVOKED");
if(ret & BADCERT_CN_MISMATCH)
failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
if(ret & BADCERT_NOT_TRUSTED)
failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
return CURLE_SSL_CACERT;
}
if(conn->ssl[sockindex].ssl.peer_cert) {
/* If the session was resumed, there will be no peer certs */
memset(buffer, 0, sizeof(buffer));
if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
conn->ssl[sockindex].ssl.peer_cert) != -1)
infof(data, "Dumping cert info:\n%s\n", buffer);
}
conn->ssl[sockindex].state = ssl_connection_complete;
conn->recv[sockindex] = polarssl_recv;
conn->send[sockindex] = polarssl_send;
/* Save the current session data for possible re-use */
{
void *new_session = malloc(sizeof(conn->ssl[sockindex].ssn));
if(new_session) {
memcpy(new_session, &conn->ssl[sockindex].ssn,
sizeof(conn->ssl[sockindex].ssn));
if(old_session)
Curl_ssl_delsessionid(conn, old_session);
return Curl_ssl_addsessionid(conn, new_session,
sizeof(conn->ssl[sockindex].ssn));
}
}
return CURLE_OK;
}
/**
* @brief SSL Server task.
* @param pvParameters not used
* @retval None
*/
void ssl_server(void const * argument)
{
int ret, len;
int listen_fd;
int client_fd = -1;
unsigned char buf[1524];
ssl_context ssl;
x509_cert srvcert;
rsa_context rsa;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
ssl_cache_init( &cache );
#endif
/*
* Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
rsa_init( &rsa, RSA_PKCS_V15, 0 );
ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n\r" );
/*
* Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:443/ ..." );
if( ( ret = net_bind( &listen_fd, NULL, 443) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n\r" );
/*
* Setup stuff
*/
printf( " . Setting up the SSL data...." );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto reset;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, RandVal , NULL );
ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd );
printf( " ok\n\r" );
for(;;)
{
/*
* Wait until a client connects
*/
client_fd = -1;
printf( " . Waiting for a remote connection ..." );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n\r" );
/*
* Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto reset;
}
}
printf( " ok\n\r" );
/*
* Read the HTTP Request
*/
printf( " < Read from client:" );
memset( buf, 0, sizeof( buf ) );
len = 0;
do
{
ret = ssl_read( &ssl, buf + len, 1523 - len);
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len += ret;
if( ret > 1 )
break;
}
while( 1 );
printf( " %d bytes read\n\r", len);
/*
* Write the 200 Response
*/
printf( " > Write to client:" );
/* Send the dynamic html page */
ssl_DynPage(&ssl);
goto reset;
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
reset:
if (client_fd != -1)
net_close(client_fd);
ssl_session_reset( &ssl );
}
}
static int belle_sip_tls_channel_load_root_ca(belle_sip_tls_channel_t *obj, const char *path){
struct stat statbuf;
if (stat(path,&statbuf)==0){
if (statbuf.st_mode & S_IFDIR){
#if POLARSSL_VERSION_NUMBER < 0x01030000
if (x509parse_crtpath(&obj->root_ca,path)<0){
#else
if (x509_crt_parse_path(&obj->root_ca,path)<0){
#endif
belle_sip_error("Failed to load root ca from directory %s",path);
return -1;
}
}else{
#if POLARSSL_VERSION_NUMBER < 0x01030000
if (x509parse_crtfile(&obj->root_ca,path)<0){
#else
if (x509_crt_parse_file(&obj->root_ca,path)<0){
#endif
belle_sip_error("Failed to load root ca from file %s",path);
return -1;
}
}
return 0;
}
belle_sip_error("Could not load root ca from %s: %s",path,strerror(errno));
return -1;
}
#ifdef ENABLE_POLARSSL_LOGS
/*
* polarssl does a lot of logs, some with newline, some without.
* We need to concatenate logs without new line until a new line is found.
*/
static void ssl_debug_to_belle_sip(void *context, int level, const char *str){
belle_sip_tls_channel_t *chan=(belle_sip_tls_channel_t*)context;
int len=strlen(str);
if (len>0 && (str[len-1]=='\n' || str[len-1]=='\r')){
/*eliminate the newline*/
char *tmp=belle_sip_strdup(str);
tmp[len-1]=0;
if (chan->cur_debug_msg){
belle_sip_message("ssl: %s%s",chan->cur_debug_msg,tmp);
belle_sip_free(chan->cur_debug_msg);
chan->cur_debug_msg=NULL;
}else belle_sip_message("ssl: %s",tmp);
belle_sip_free(tmp);
}else{
if (chan->cur_debug_msg){
char *tmp=belle_sip_strdup_printf("%s%s",chan->cur_debug_msg,str);
belle_sip_free(chan->cur_debug_msg);
chan->cur_debug_msg=tmp;
}else chan->cur_debug_msg=belle_sip_strdup(str);
}
}
#endif
belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_tls_verify_policy_t *verify_ctx,const char *bindip, int localport, const char *peer_cname, const char *dest, int port){
belle_sip_tls_channel_t *obj=belle_sip_object_new(belle_sip_tls_channel_t);
belle_sip_stream_channel_t* super=(belle_sip_stream_channel_t*)obj;
belle_sip_stream_channel_init_client(super
,stack
,bindip,localport,peer_cname,dest,port);
ssl_init(&obj->sslctx);
#ifdef ENABLE_POLARSSL_LOGS
ssl_set_dbg(&obj->sslctx,ssl_debug_to_belle_sip,obj);
#endif
ssl_set_endpoint(&obj->sslctx,SSL_IS_CLIENT);
ssl_set_authmode(&obj->sslctx,SSL_VERIFY_REQUIRED);
ssl_set_bio(&obj->sslctx,polarssl_read,obj,polarssl_write,obj);
if (verify_ctx->root_ca && belle_sip_tls_channel_load_root_ca(obj,verify_ctx->root_ca)==0){
ssl_set_ca_chain(&obj->sslctx,&obj->root_ca,NULL,super->base.peer_cname ? super->base.peer_cname : super->base.peer_name );
}
ssl_set_rng(&obj->sslctx,random_generator,NULL);
ssl_set_verify(&obj->sslctx,belle_sip_ssl_verify,verify_ctx);
obj->verify_ctx=(belle_tls_verify_policy_t*)belle_sip_object_ref(verify_ctx);
return (belle_sip_channel_t*)obj;
}
LWS_VISIBLE int
lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
{
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
int n, m;
#if !defined(USE_WOLFSSL) && !defined(LWS_USE_POLARSSL) && !defined(LWS_USE_MBEDTLS)
BIO *bio;
#endif
if (!LWS_SSL_ENABLED(wsi->vhost))
return 0;
switch (wsi->mode) {
case LWSCM_SSL_INIT:
if (wsi->ssl)
lwsl_err("%s: leaking ssl\n", __func__);
if (accept_fd == LWS_SOCK_INVALID)
assert(0);
#if defined(LWS_USE_POLARSSL)
{
ssl_session *ssn;
int rc;
wsi->ssl = lws_zalloc(sizeof(ssl_context));
ssn = lws_zalloc(sizeof(ssl_session));
rc = ssl_init(wsi->ssl);
if (rc) {
lwsl_err("ssl_init failed\n");
goto fail;
}
ssl_set_endpoint(wsi->ssl, SSL_IS_SERVER);
ssl_set_authmode(wsi->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(wsi->ssl, urandom_bytes, NULL);
ssl_set_dbg(wsi->ssl, pssl_debug, NULL);
ssl_set_bio(wsi->ssl, net_recv, &wsi->sock, net_send, &wsi->sock);
ssl_set_ciphersuites(wsi->ssl, ciphers);
ssl_set_session(wsi->ssl, ssn);
ssl_set_ca_chain(wsi->ssl, &wsi->vhost->ssl_ctx->ca,
NULL, NULL);
ssl_set_own_cert_rsa(wsi->ssl,
&wsi->vhost->ssl_ctx->certificate,
&wsi->vhost->ssl_ctx->key);
// ssl_set_dh_param(wsi->ssl, my_dhm_P, my_dhm_G);
lwsl_err("%s: polarssl init done\n", __func__);
}
#else
#if defined(LWS_USE_MBEDTLS)
#else
wsi->ssl = SSL_new(wsi->vhost->ssl_ctx);
if (wsi->ssl == NULL) {
lwsl_err("SSL_new failed: %s\n",
ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
lws_decode_ssl_error();
if (accept_fd != LWS_SOCK_INVALID)
compatible_close(accept_fd);
goto fail;
}
SSL_set_ex_data(wsi->ssl,
openssl_websocket_private_data_index, wsi->vhost);
SSL_set_fd(wsi->ssl, accept_fd);
#endif
#endif
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
CyaSSL_set_using_nonblock(wsi->ssl, 1);
#else
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
#if defined(LWS_USE_POLARSSL)
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
bio = SSL_get_rbio(wsi->ssl);
if (bio)
BIO_set_nbio(bio, 1); /* nonblocking */
else
lwsl_notice("NULL rbio\n");
bio = SSL_get_wbio(wsi->ssl);
if (bio)
BIO_set_nbio(bio, 1); /* nonblocking */
else
lwsl_notice("NULL rbio\n");
#endif
#endif
#endif
/*
* we are not accepted yet, but we need to enter ourselves
* as a live connection. That way we can retry when more
* pieces come if we're not sorted yet
*/
wsi->mode = LWSCM_SSL_ACK_PENDING;
if (insert_wsi_socket_into_fds(context, wsi)) {
lwsl_err("%s: failed to insert into fds\n", __func__);
goto fail;
}
lws_set_timeout(wsi, PENDING_TIMEOUT_SSL_ACCEPT,
context->timeout_secs);
lwsl_info("inserted SSL accept into fds, trying SSL_accept\n");
/* fallthru */
case LWSCM_SSL_ACK_PENDING:
if (lws_change_pollfd(wsi, LWS_POLLOUT, 0)) {
lwsl_err("%s: lws_change_pollfd failed\n", __func__);
goto fail;
}
lws_latency_pre(context, wsi);
n = recv(wsi->sock, (char *)pt->serv_buf, context->pt_serv_buf_size,
MSG_PEEK);
/*
* optionally allow non-SSL connect on SSL listening socket
* This is disabled by default, if enabled it goes around any
* SSL-level access control (eg, client-side certs) so leave
* it disabled unless you know it's not a problem for you
*/
if (wsi->vhost->allow_non_ssl_on_ssl_port) {
if (n >= 1 && pt->serv_buf[0] >= ' ') {
/*
* TLS content-type for Handshake is 0x16, and
* for ChangeCipherSpec Record, it's 0x14
*
* A non-ssl session will start with the HTTP
* method in ASCII. If we see it's not a legit
* SSL handshake kill the SSL for this
* connection and try to handle as a HTTP
* connection upgrade directly.
*/
wsi->use_ssl = 0;
#if defined(LWS_USE_POLARSSL)
ssl_close_notify(wsi->ssl);
ssl_free(wsi->ssl);
#else
#if defined(LWS_USE_MBEDTLS)
#else
SSL_shutdown(wsi->ssl);
SSL_free(wsi->ssl);
#endif
#endif
wsi->ssl = NULL;
if (lws_check_opt(context->options,
LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS))
wsi->redirect_to_https = 1;
goto accepted;
}
if (!n) /*
* connection is gone, or nothing to read
* if it's gone, we will timeout on
* PENDING_TIMEOUT_SSL_ACCEPT
*/
break;
if (n < 0 && (LWS_ERRNO == LWS_EAGAIN ||
LWS_ERRNO == LWS_EWOULDBLOCK)) {
/*
* well, we get no way to know ssl or not
* so go around again waiting for something
* to come and give us a hint, or timeout the
* connection.
*/
m = SSL_ERROR_WANT_READ;
goto go_again;
}
}
/* normal SSL connection processing path */
#if defined(LWS_USE_POLARSSL)
n = ssl_handshake(wsi->ssl);
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_accept(wsi->ssl);
#endif
#endif
lws_latency(context, wsi,
"SSL_accept LWSCM_SSL_ACK_PENDING\n", n, n == 1);
if (n == 1)
goto accepted;
m = lws_ssl_get_error(wsi, n);
lwsl_debug("SSL_accept failed %d / %s\n",
m, ERR_error_string(m, NULL));
go_again:
if (m == SSL_ERROR_WANT_READ) {
if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) {
lwsl_err("%s: WANT_READ change_pollfd failed\n", __func__);
goto fail;
}
lwsl_info("SSL_ERROR_WANT_READ\n");
break;
}
if (m == SSL_ERROR_WANT_WRITE) {
if (lws_change_pollfd(wsi, 0, LWS_POLLOUT)) {
lwsl_err("%s: WANT_WRITE change_pollfd failed\n", __func__);
goto fail;
}
break;
}
lwsl_err("SSL_accept failed skt %u: %s\n",
wsi->sock, ERR_error_string(m, NULL));
lws_ssl_elaborate_error();
goto fail;
accepted:
/* OK, we are accepted... give him some time to negotiate */
lws_set_timeout(wsi, PENDING_TIMEOUT_ESTABLISH_WITH_SERVER,
context->timeout_secs);
wsi->mode = LWSCM_HTTP_SERVING;
lws_http2_configure_if_upgraded(wsi);
lwsl_debug("accepted new SSL conn\n");
break;
}
return 0;
fail:
return 1;
}