static mrb_value mrb_ssl_initialize(mrb_state *mrb, mrb_value self) {
ssl_context *ssl;
int ret;
#if POLARSSL_VERSION_MAJOR == 1 && POLARSSL_VERSION_MINOR == 1
ssl_session *ssn;
#endif
ssl = (ssl_context *)DATA_PTR(self);
if (ssl) {
mrb_ssl_free(mrb, ssl);
}
DATA_TYPE(self) = &mrb_ssl_type;
DATA_PTR(self) = NULL;
ssl = (ssl_context *)mrb_malloc(mrb, sizeof(ssl_context));
DATA_PTR(self) = ssl;
ret = ssl_init(ssl);
if (ret == POLARSSL_ERR_SSL_MALLOC_FAILED) {
mrb_raise(mrb, E_MALLOC_FAILED, "ssl_init() memory allocation failed.");
}
#if POLARSSL_VERSION_MAJOR == 1 && POLARSSL_VERSION_MINOR == 1
ssn = (ssl_session *)mrb_malloc(mrb, sizeof(ssl_session));
ssl_set_session( ssl, 0, 600, ssn );
ssl_set_ciphersuites( ssl, ssl_default_ciphersuites );
#endif
return self;
}
static inline int iobuf_ssl_setup(IOBuf *buf)
{
int rc = 0;
buf->use_ssl = 1;
buf->handshake_performed = 0;
rc = ssl_init(&buf->ssl);
check(rc == 0, "Failed to initialize SSL structure.");
ssl_set_endpoint(&buf->ssl, SSL_IS_SERVER);
ssl_set_authmode(&buf->ssl, IO_SSL_VERIFY_METHOD);
havege_init(&buf->hs);
ssl_set_rng(&buf->ssl, havege_rand, &buf->hs);
#ifndef DEBUG
ssl_set_dbg(&buf->ssl, ssl_debug, NULL);
#endif
ssl_set_bio(&buf->ssl, ssl_fdrecv_wrapper, buf,
ssl_fdsend_wrapper, buf);
ssl_set_session(&buf->ssl, 1, 0, &buf->ssn);
ssl_set_scb(&buf->ssl, simple_get_session, simple_set_session);
memset(&buf->ssn, 0, sizeof(buf->ssn));
return 0;
error:
return -1;
}
static VALUE R_ssl_allocate( VALUE klass )
{
ssl_context *ssl;
int ret;
#if POLARSSL_VERSION_MAJOR == 1 && POLARSSL_VERSION_MINOR == 1
ssl_session *ssn;
#endif
ssl = ALLOC( ssl_context );
ret = ssl_init( ssl );
if ( ret == POLARSSL_ERR_SSL_MALLOC_FAILED )
rb_raise(e_MallocFailed, "ssl_init() memory allocation failed.");
#if POLARSSL_VERSION_MAJOR == 1 && POLARSSL_VERSION_MINOR == 1
ssn = ALLOC( ssl_session );
ssl_set_session( ssl, 0, 600, ssn );
ssl_set_ciphersuites( ssl, ssl_default_ciphersuites );
#endif
// ssl_set_dbg(ssl, my_debug, stdout);
return Data_Wrap_Struct( klass, 0, ssl_free, ssl );
}
void gtget_ssl_init(connection_t * conn)
{
char *clientcert = NULL;
char *clientkey = NULL;
const char *pers = "gtget";
sslparam_t *ssl = calloc(1, sizeof(sslparam_t));
if (!(conn->flags & GTGET_FLAG_INSECURE)) {
char *cacertfile = alloca(strlen(conn->remote->host) + 5);
char *servercert = NULL;
strcpy(cacertfile, conn->remote->host);
strcat(cacertfile, ".pem");
if (!(servercert = tryopen_alt(conn, conn->caFile, cacertfile)))
servercert = tryopen("cacerts.pem");
if (!(servercert))
die(conn, "can't open cacert", NULL);
if (x509_crt_parse_file(&ssl->cacert, servercert))
die(conn, "error reading cacert", servercert);
}
/* read and parse the client certificate if provided */
if ((clientcert = tryopen_alt(conn, conn->ccFile, "clientcert.pem"))) {
if (!(clientkey = tryopen_alt(conn, conn->ckFile, "clientkey.pem")))
clientkey = clientcert;
if (x509_crt_parse_file(&ssl->clicert, clientcert)) {
die(conn, "error reading client certificate", clientcert);
if (clientkey && pk_parse_public_keyfile(&ssl->pk, clientkey))
die(conn, "error reading client key", clientkey);
}
write2f("using client cert: %s\n", clientcert);
write2f("using client key: %s\n", clientkey);
}
entropy_init(&ssl->entropy);
if (0 != (ctr_drbg_init(&ssl->ctr_drbg, entropy_func, &ssl->entropy,
(const unsigned char *)pers, strlen(pers))))
die(conn, "Seeding the random number generator failed", NULL);
if (ssl_init(&ssl->ssl))
die(conn, "error initializing SSL", NULL);
ssl_set_endpoint(&ssl->ssl, SSL_IS_CLIENT);
if ((conn->flags & GTGET_FLAG_INSECURE)) {
ssl_set_authmode(&ssl->ssl, SSL_VERIFY_NONE);
}
ssl_set_ca_chain(&ssl->ssl, &ssl->cacert, NULL, conn->remote->host);
ssl_set_authmode(&ssl->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_verify(&ssl->ssl, verify_cb, conn);
ssl_set_ciphersuites(&ssl->ssl, ssl_list_ciphersuites());
ssl_set_session(&ssl->ssl, &ssl->ssn);
ssl_set_rng(&ssl->ssl, ctr_drbg_random, &ssl->ctr_drbg);
conn->ssl = ssl;
}
int ssl_init_info(int *server_fd,ssl_info *sslinfo)
{
int ret;
const char *pers = "ssl";
x509_crt_init(&sslinfo->cacert );
entropy_init(&sslinfo->entropy );
if( ( ret = ctr_drbg_init( &sslinfo->ctr_drbg, entropy_func, &sslinfo->entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
return -1;
}
if( ( ret = ssl_init( &sslinfo->ssl ) ) != 0 )
{
echo( " failed\n ! ssl_init returned %d\n\n", ret );
return -1;
}
ssl_set_endpoint( &sslinfo->ssl, SSL_IS_CLIENT );
ssl_set_authmode( &sslinfo->ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &sslinfo->ssl, &sslinfo->cacert, NULL, "" );
ssl_set_rng( &sslinfo->ssl, ctr_drbg_random, &sslinfo->ctr_drbg );
ssl_set_bio( &sslinfo->ssl, net_recv, server_fd,net_send, server_fd );
ssl_set_session(&sslinfo->ssl, &ssn);
while((ret = ssl_handshake(&sslinfo->ssl))!=0)
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
echo( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
return -1;
}
//CPU sleep
sleeps(1);
}
if((ret = ssl_get_verify_result( &sslinfo->ssl ) ) != 0 )
{
// echo( "Verifying peer X.509 certificate...failed \r\n" );
}
else
{
echo( " ok\n" );
}
//保存session加快握手速度
if( ( ret = ssl_get_session( &sslinfo->ssl, &ssn ) ) != 0 )
{
//失败初始化
memset(&ssn, 0, sizeof(ssl_session));
}
return 0;
}
int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
/* SSL_set_session may only be called before the handshake has started. */
if (ssl->s3->initial_handshake_complete ||
ssl->s3->hs == NULL ||
ssl->s3->hs->state != SSL_ST_INIT) {
abort();
}
ssl_set_session(ssl, session);
return 1;
}
IOBuf *IOBuf_create(size_t len, int fd, IOBufType type)
{
IOBuf *buf = h_calloc(sizeof(IOBuf), 1);
check_mem(buf);
buf->fd = fd;
buf->len = len;
buf->buf = h_malloc(len + 1);
check_mem(buf->buf);
hattach(buf->buf, buf);
buf->type = type;
if(type == IOBUF_SSL) {
buf->use_ssl = 1;
buf->handshake_performed = 0;
ssl_init(&buf->ssl);
ssl_set_endpoint(&buf->ssl, SSL_IS_SERVER);
ssl_set_authmode(&buf->ssl, SSL_VERIFY_NONE);
havege_init(&buf->hs);
ssl_set_rng(&buf->ssl, havege_rand, &buf->hs);
ssl_set_dbg(&buf->ssl, ssl_debug, NULL);
ssl_set_bio(&buf->ssl, ssl_fdrecv_wrapper, buf,
ssl_fdsend_wrapper, buf);
ssl_set_session(&buf->ssl, 1, 0, &buf->ssn);
memset(&buf->ssn, 0, sizeof(buf->ssn));
buf->send = ssl_send;
buf->recv = ssl_recv;
buf->stream_file = ssl_stream_file;
} else if(type == IOBUF_NULL) {
buf->send = null_send;
buf->recv = null_recv;
buf->stream_file = null_stream_file;
} else if(type == IOBUF_FILE) {
buf->send = file_send;
buf->recv = file_recv;
buf->stream_file = plain_stream_file;
} else if(type == IOBUF_SOCKET) {
buf->send = plaintext_send;
buf->recv = plaintext_recv;
buf->stream_file = plain_stream_file;
} else {
sentinel("Invalid IOBufType given: %d", type);
}
return buf;
error:
if(buf) h_free(buf);
return NULL;
}
void http_ssl_connect( struct HTTP* http )
{
/** SSL init */
entropy_init( &http->ssl.entropy );
http->last_result = ctr_drbg_init( &http->ssl.ctr_drbg, entropy_func, &http->ssl.entropy, (unsigned char*)"HTTP_SSL", 8 );
if ( http->last_result != 0 )
{
/** Entropy init failed */
http->error.errorId = HTTP_ERROR_SSL_ENTROPY_INIT_FAILED;
http->error.line = __LINE__;
http->error.file = __FILE__;
return;
}
memset( &http->ssl.ssl_session, 0, sizeof( ssl_session ) );
memset( &http->ssl.ssl, 0, sizeof( ssl_context ) );
http_raw_connect( http );
if ( http->last_result != 0 )
{
/** Connect failed */
return;
}
http->last_result = ssl_init( &http->ssl.ssl );
if ( http->last_result != 0 )
{
/** SSL init failed */
http->error.errorId = HTTP_ERROR_SSL_INIT_FAILED;
http->error.line = __LINE__;
http->error.file = __FILE__;
return;
}
ssl_set_endpoint( &http->ssl.ssl, SSL_IS_CLIENT );
ssl_set_authmode( &http->ssl.ssl, HTTP_SSL_VERIFY_MODE );
ssl_set_rng( &http->ssl.ssl, ctr_drbg_random, &http->ssl.ctr_drbg );
/** Insert debug function here */
ssl_set_dbg( &http->ssl.ssl, NULL, stdout );
ssl_set_bio( &http->ssl.ssl, net_recv, &http->socket, net_send, &http->socket );
ssl_set_session( &http->ssl.ssl, &http->ssl.ssl_session );
}
bool ssl_aio_stream::ssl_client_init()
{
#ifdef HAS_POLARSSL
ACL_VSTREAM* stream = get_vstream();
acl_assert(stream);
// 0. Initialize the RNG and the session data
havege_init((havege_state*) hs_);
int ret;
if ((ret = ssl_init((ssl_context*) ssl_)) != 0)
{
logger_error("failed, ssl_init returned %d", ret);
return false;
}
ssl_set_endpoint((ssl_context*) ssl_, SSL_IS_CLIENT);
ssl_set_authmode((ssl_context*) ssl_, SSL_VERIFY_NONE);
ssl_set_rng((ssl_context*) ssl_, ::havege_random, hs_);
//ssl_set_dbg((ssl_context*) ssl_, my_debug, stdout);
ssl_set_bio((ssl_context*) ssl_, __sock_read, this, __sock_send, this);
const int* cipher_suites = ssl_list_ciphersuites();
if (cipher_suites == NULL)
{
logger_error("ssl_list_ciphersuites null");
return false;
}
ssl_set_ciphersuites((ssl_context*) ssl_, cipher_suites);
ssl_set_session((ssl_context*) ssl_, (ssl_session*) ssn_);
acl_vstream_ctl(stream,
ACL_VSTREAM_CTL_READ_FN, __ssl_read,
ACL_VSTREAM_CTL_WRITE_FN, __ssl_send,
ACL_VSTREAM_CTL_CTX, this,
ACL_VSTREAM_CTL_END);
acl_tcp_set_nodelay(ACL_VSTREAM_SOCK(stream));
#endif
return true;
}
PUBLIC int sslUpgrade(Webs *wp)
{
EstSocket *est;
WebsSocket *sp;
assert(wp);
if ((est = malloc(sizeof(EstSocket))) == 0) {
return -1;
}
wp->ssl = est;
ssl_free(&est->ctx);
havege_init(&est->hs);
ssl_init(&est->ctx);
ssl_set_endpoint(&est->ctx, 1);
ssl_set_authmode(&est->ctx, BIT_GOAHEAD_VERIFY_PEER ? SSL_VERIFY_OPTIONAL : SSL_VERIFY_NO_CHECK);
ssl_set_rng(&est->ctx, havege_rand, &est->hs);
ssl_set_dbg(&est->ctx, estTrace, NULL);
sp = socketPtr(wp->sid);
ssl_set_bio(&est->ctx, net_recv, &sp->sock, net_send, &sp->sock);
ssl_set_ciphers(&est->ctx, estConfig.ciphers);
ssl_set_session(&est->ctx, 1, 0, &est->session);
memset(&est->session, 0, sizeof(ssl_session));
ssl_set_ca_chain(&est->ctx, *BIT_GOAHEAD_CA ? &estConfig.ca : NULL, NULL);
if (*BIT_GOAHEAD_CERTIFICATE && *BIT_GOAHEAD_KEY) {
ssl_set_own_cert(&est->ctx, &estConfig.cert, &estConfig.rsa);
}
ssl_set_dh_param(&est->ctx, dhKey, dhg);
if (estHandshake(wp) < 0) {
return -1;
}
return 0;
}
int main( int argc, char *argv[] )
{
int ret = 0, len, server_fd, i, written, frags;
unsigned char buf[SSL_MAX_CONTENT_LEN + 1];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[POLARSSL_PSK_MAX_LEN];
size_t psk_len = 0;
#endif
#if defined(POLARSSL_SSL_ALPN)
const char *alpn_list[10];
#endif
const char *pers = "ssl_client2";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
ssl_session saved_session;
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt cacert;
x509_crt clicert;
pk_context pkey;
#endif
char *p, *q;
const int *list;
/*
* Make sure memory references are valid.
*/
server_fd = 0;
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &saved_session, 0, sizeof( ssl_session ) );
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt_init( &cacert );
x509_crt_init( &clicert );
pk_init( &pkey );
#endif
#if defined(POLARSSL_SSL_ALPN)
memset( (void * ) alpn_list, 0, sizeof( alpn_list ) );
#endif
if( argc == 0 )
{
usage:
if( ret == 0 )
ret = 1;
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %-42s", ssl_get_ciphersuite_name( *list ) );
list++;
if( !*list )
break;
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_name = DFL_SERVER_NAME;
opt.server_addr = DFL_SERVER_ADDR;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.nbio = DFL_NBIO;
opt.request_page = DFL_REQUEST_PAGE;
opt.request_size = DFL_REQUEST_SIZE;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.renegotiate = DFL_RENEGOTIATE;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.reconnect = DFL_RECONNECT;
opt.reco_delay = DFL_RECO_DELAY;
opt.tickets = DFL_TICKETS;
opt.alpn_string = DFL_ALPN_STRING;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_addr" ) == 0 )
opt.server_addr = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "nbio" ) == 0 )
{
opt.nbio = atoi( q );
if( opt.nbio < 0 || opt.nbio > 2 )
goto usage;
}
else if( strcmp( p, "request_page" ) == 0 )
opt.request_page = q;
else if( strcmp( p, "request_size" ) == 0 )
{
opt.request_size = atoi( q );
if( opt.request_size < 0 || opt.request_size > SSL_MAX_CONTENT_LEN )
goto usage;
}
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "psk" ) == 0 )
opt.psk = q;
else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] == 0 )
{
ret = 2;
goto usage;
}
opt.force_ciphersuite[1] = 0;
}
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
SSL_RENEGOTIATION_DISABLED;
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
opt.allow_legacy = atoi( q );
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
goto usage;
}
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
if( opt.renegotiate < 0 || opt.renegotiate > 1 )
goto usage;
}
else if( strcmp( p, "reconnect" ) == 0 )
{
opt.reconnect = atoi( q );
if( opt.reconnect < 0 || opt.reconnect > 2 )
goto usage;
}
else if( strcmp( p, "reco_delay" ) == 0 )
{
opt.reco_delay = atoi( q );
if( opt.reco_delay < 0 )
goto usage;
}
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
if( opt.tickets < 0 || opt.tickets > 2 )
goto usage;
}
else if( strcmp( p, "alpn" ) == 0 )
{
opt.alpn_string = q;
}
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "max_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_0;
opt.max_version = SSL_MINOR_VERSION_0;
}
else if( strcmp( q, "tls1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_1;
opt.max_version = SSL_MINOR_VERSION_1;
}
else if( strcmp( q, "tls1_1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_2;
opt.max_version = SSL_MINOR_VERSION_2;
}
else if( strcmp( q, "tls1_2" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_3;
opt.max_version = SSL_MINOR_VERSION_3;
}
else
goto usage;
}
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
opt.auth_mode = SSL_VERIFY_NONE;
else if( strcmp( q, "optional" ) == 0 )
opt.auth_mode = SSL_VERIFY_OPTIONAL;
else if( strcmp( q, "required" ) == 0 )
opt.auth_mode = SSL_VERIFY_REQUIRED;
else
goto usage;
}
else if( strcmp( p, "max_frag_len" ) == 0 )
{
if( strcmp( q, "512" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_512;
else if( strcmp( q, "1024" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_1024;
else if( strcmp( q, "2048" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_2048;
else if( strcmp( q, "4096" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_4096;
else
goto usage;
}
else if( strcmp( p, "trunc_hmac" ) == 0 )
{
opt.trunc_hmac = atoi( q );
if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 )
goto usage;
}
else
goto usage;
}
#if defined(POLARSSL_DEBUG_C)
debug_set_threshold( opt.debug_level );
#endif
if( opt.force_ciphersuite[0] > 0 )
{
const ssl_ciphersuite_t *ciphersuite_info;
ciphersuite_info = ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
if( opt.max_version != -1 &&
ciphersuite_info->min_minor_ver > opt.max_version )
{
printf("forced ciphersuite not allowed with this protocol version\n");
ret = 2;
goto usage;
}
if( opt.min_version != -1 &&
ciphersuite_info->max_minor_ver < opt.min_version )
{
printf("forced ciphersuite not allowed with this protocol version\n");
ret = 2;
goto usage;
}
if( opt.max_version > ciphersuite_info->max_minor_ver )
opt.max_version = ciphersuite_info->max_minor_ver;
if( opt.min_version < ciphersuite_info->min_minor_ver )
opt.min_version = ciphersuite_info->min_minor_ver;
}
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
/*
* Unhexify the pre-shared key if any is given
*/
if( strlen( opt.psk ) )
{
unsigned char c;
size_t j;
if( strlen( opt.psk ) % 2 != 0 )
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk_len = strlen( opt.psk ) / 2;
for( j = 0; j < strlen( opt.psk ); j += 2 )
{
c = opt.psk[j];
if( c >= '0' && c <= '9' )
c -= '0';
else if( c >= 'a' && c <= 'f' )
c -= 'a' - 10;
else if( c >= 'A' && c <= 'F' )
c -= 'A' - 10;
else
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk[ j / 2 ] = c << 4;
c = opt.psk[j + 1];
if( c >= '0' && c <= '9' )
c -= '0';
else if( c >= 'a' && c <= 'f' )
c -= 'a' - 10;
else if( c >= 'A' && c <= 'F' )
c -= 'A' - 10;
else
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk[ j / 2 ] |= c;
}
}
#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
{
p = (char *) opt.alpn_string;
i = 0;
/* Leave room for a final NULL in alpn_list */
while( i < (int) sizeof alpn_list - 1 && *p != '\0' )
{
alpn_list[i++] = p;
/* Terminate the current string and move on to next one */
while( *p != ',' && *p != '\0' )
p++;
if( *p == ',' )
*p++ = '\0';
}
}
#endif /* POLARSSL_SSL_ALPN */
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
goto exit;
}
printf( " ok\n" );
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_path ) )
if( strcmp( opt.ca_path, "none" ) == 0 )
ret = 0;
else
ret = x509_crt_parse_path( &cacert, opt.ca_path );
else if( strlen( opt.ca_file ) )
if( strcmp( opt.ca_file, "none" ) == 0 )
ret = 0;
else
ret = x509_crt_parse_file( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list,
strlen( test_ca_list ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret < 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
printf( " . Loading the client cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
if( strcmp( opt.crt_file, "none" ) == 0 )
ret = 0;
else
ret = x509_crt_parse_file( &clicert, opt.crt_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
#if defined(POLARSSL_FS_IO)
if( strlen( opt.key_file ) )
if( strcmp( opt.key_file, "none" ) == 0 )
ret = 0;
else
ret = pk_parse_keyfile( &pkey, opt.key_file, "" );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = pk_parse_key( &pkey, (const unsigned char *) test_cli_key,
strlen( test_cli_key ), NULL, 0 );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
#endif /* POLARSSL_X509_CRT_PARSE_C */
/*
* 2. Start the connection
*/
if( opt.server_addr == NULL)
opt.server_addr = opt.server_name;
printf( " . Connecting to tcp/%s/%-4d...", opt.server_addr,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_addr,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
goto exit;
}
if( opt.nbio > 0 )
ret = net_set_nonblock( server_fd );
else
ret = net_set_block( server_fd );
if( ret != 0 )
{
printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
#if defined(POLARSSL_X509_CRT_PARSE_C)
if( opt.debug_level > 0 )
ssl_set_verify( &ssl, my_verify, NULL );
#endif
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, opt.auth_mode );
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
if( ( ret = ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 )
{
printf( " failed\n ! ssl_set_max_frag_len returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != 0 )
if( ( ret = ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED ) ) != 0 )
{
printf( " failed\n ! ssl_set_truncated_hmac returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
if( ( ret = ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )
{
printf( " failed\n ! ssl_set_alpn_protocols returned %d\n\n", ret );
goto exit;
}
#endif
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
if( opt.nbio == 2 )
ssl_set_bio( &ssl, my_recv, &server_fd, my_send, &server_fd );
else
ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd );
#if defined(POLARSSL_SSL_SESSION_TICKETS)
if( ( ret = ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 )
{
printf( " failed\n ! ssl_set_session_tickets returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
}
if( strcmp( opt.crt_file, "none" ) != 0 &&
strcmp( opt.key_file, "none" ) != 0 )
{
if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
{
printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
}
#endif
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( ( ret = ssl_set_psk( &ssl, psk, psk_len,
(const unsigned char *) opt.psk_identity,
strlen( opt.psk_identity ) ) ) != 0 )
{
printf( " failed\n ! ssl_set_psk returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
printf( " failed\n ! ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.min_version != -1 )
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != -1 )
ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret );
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
printf(
" Unable to verify the server's certificate. "
"Either it is invalid,\n"
" or you didn't set ca_file or ca_path "
"to an appropriate value.\n"
" Alternatively, you may want to use "
"auth_mode=optional for testing purposes.\n" );
printf( "\n" );
goto exit;
}
}
printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
{
const char *alp = ssl_get_alpn_protocol( &ssl );
printf( " [ Application Layer Protocol is %s ]\n",
alp ? alp : "(none)" );
}
#endif
if( opt.reconnect != 0 )
{
printf(" . Saving session for reuse..." );
fflush( stdout );
if( ( ret = ssl_get_session( &ssl, &saved_session ) ) != 0 )
{
printf( " failed\n ! ssl_get_session returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
}
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
if( ssl_get_peer_cert( &ssl ) != NULL )
{
printf( " . Peer certificate information ...\n" );
x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
if( opt.renegotiate )
{
/*
* Perform renegotiation (this must be done when the server is waiting
* for input from our side).
*/
printf( " . Performing renegotiation..." );
fflush( stdout );
while( ( ret = ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n" );
}
/*
* 6. Write the GET request
*/
send_request:
printf( " > Write to server:" );
fflush( stdout );
if( strcmp( opt.request_page, "SERVERQUIT" ) == 0 )
len = sprintf( (char *) buf, "%s", opt.request_page );
else
{
size_t tail_len = strlen( GET_REQUEST_END );
len = snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST,
opt.request_page );
/* Add padding to GET request to reach opt.request_size in length */
if( opt.request_size != DFL_REQUEST_SIZE &&
len + tail_len < (size_t) opt.request_size )
{
memset( buf + len, 'A', opt.request_size - len - tail_len );
len += opt.request_size - len - tail_len;
}
strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 );
len += tail_len;
}
/* Truncate if request size is smaller than the "natural" size */
if( opt.request_size != DFL_REQUEST_SIZE &&
len > opt.request_size )
{
len = opt.request_size;
/* Still end with \r\n unless that's really not possible */
if( len >= 2 ) buf[len - 2] = '\r';
if( len >= 1 ) buf[len - 1] = '\n';
}
for( written = 0, frags = 0; written < len; written += ret, frags++ )
{
while( ( ret = ssl_write( &ssl, buf + written, len - written ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned -0x%x\n\n", -ret );
goto exit;
}
}
}
buf[written] = '\0';
printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
/*
* 7. Read the HTTP response
*/
printf( " < Read from server:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned -0x%x\n\n", -ret );
break;
}
if( ret == 0 )
{
printf("\n\nEOF\n\n");
ssl_close_notify( &ssl );
break;
}
len = ret;
buf[len] = '\0';
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 1 );
if( opt.reconnect != 0 )
{
--opt.reconnect;
net_close( server_fd );
#if defined(POLARSSL_TIMING_C)
if( opt.reco_delay > 0 )
m_sleep( 1000 * opt.reco_delay );
#endif
printf( " . Reconnecting with saved session..." );
fflush( stdout );
if( ( ret = ssl_session_reset( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_session_reset returned -0x%x\n\n", -ret );
goto exit;
}
if( ( ret = ssl_set_session( &ssl, &saved_session ) ) != 0 )
{
printf( " failed\n ! ssl_set_session returned %d\n\n", ret );
goto exit;
}
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
goto exit;
}
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
printf( " ok\n" );
goto send_request;
}
exit:
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
ret = 0;
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
}
#endif
if( server_fd )
net_close( server_fd );
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt_free( &clicert );
x509_crt_free( &cacert );
pk_free( &pkey );
#endif
ssl_session_free( &saved_session );
ssl_free( &ssl );
ctr_drbg_free( &ctr_drbg );
entropy_free( &entropy );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
// Shell can not handle large exit numbers -> 1 for errors
if( ret < 0 )
ret = 1;
return( ret );
}
int main( void )
{
int ret, len;
int listen_fd;
int client_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert srvcert;
rsa_context rsa;
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_key( &rsa, (unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Wait until a client connects
*/
#ifdef WIN32
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
memset( &ssl, 0, sizeof( ssl ) );
accept:
net_close( client_fd );
ssl_free( &ssl );
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the RNG and SSL data...." );
fflush( stdout );
havege_init( &hs );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto accept;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
ssl_set_scb( &ssl, my_get_session,
my_set_session );
ssl_set_ciphers( &ssl, my_ciphers );
ssl_set_session( &ssl, 1, 0, &ssn );
memset( &ssn, 0, sizeof( ssl_session ) );
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto accept;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_TRY_AGAIN )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned %d\n", ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 0 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_cipher( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto accept;
}
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ssl_close_notify( &ssl );
goto accept;
exit:
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
cur = s_list_1st;
while( cur != NULL )
{
prv = cur;
cur = cur->next;
memset( prv, 0, sizeof( ssl_session ) );
free( prv );
}
memset( &ssl, 0, sizeof( ssl_context ) );
#ifdef WIN32
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main(void)
{
int ret, len, server_fd = -1;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
/*
* 0. Initialize the RNG and the session data
*/
havege_init(&hs);
memset(&ssl, 0, sizeof(ssl));
memset(&ssn, 0, sizeof(ssl_session));
/*
* 1. Start the connection
*/
printf("\n . Connecting to tcp/%s/%4d...", SERVER_NAME, SERVER_PORT);
fflush(stdout);
if ((ret = net_connect(&server_fd, SERVER_NAME, SERVER_PORT)) != 0) {
printf(" failed\n ! net_connect returned %d\n\n", ret);
goto exit;
}
printf(" ok\n");
/*
* 2. Setup stuff
*/
printf(" . Setting up the SSL/TLS structure...");
fflush(stdout);
if ((ret = ssl_init(&ssl)) != 0) {
printf(" failed\n ! ssl_init returned %d\n\n", ret);
goto exit;
}
printf(" ok\n");
ssl_set_endpoint(&ssl, SSL_IS_CLIENT);
ssl_set_authmode(&ssl, SSL_VERIFY_NONE);
ssl_set_rng(&ssl, havege_rand, &hs);
ssl_set_dbg(&ssl, my_debug, stdout);
ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd);
ssl_set_ciphers(&ssl, ssl_default_ciphers);
ssl_set_session(&ssl, 1, 600, &ssn);
/*
* 3. Write the GET request
*/
printf(" > Write to server:");
fflush(stdout);
len = sprintf((char *)buf, GET_REQUEST);
while ((ret = ssl_write(&ssl, buf, len)) <= 0) {
if (ret != TROPICSSL_ERR_NET_TRY_AGAIN) {
printf(" failed\n ! ssl_write returned %d\n\n", ret);
goto exit;
}
}
len = ret;
printf(" %d bytes written\n\n%s", len, (char *)buf);
/*
* 7. Read the HTTP response
*/
printf(" < Read from server:");
fflush(stdout);
do {
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
ret = ssl_read(&ssl, buf, len);
if (ret == TROPICSSL_ERR_NET_TRY_AGAIN)
continue;
if (ret == TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY)
break;
if (ret <= 0) {
printf("failed\n ! ssl_read returned %d\n\n", ret);
break;
}
len = ret;
printf(" %d bytes read\n\n%s", len, (char *)buf);
}
while (0);
ssl_close_notify(&ssl);
exit:
net_close(server_fd);
ssl_free(&ssl);
memset(&ssl, 0, sizeof(ssl));
#ifdef WIN32
printf(" + Press Enter to exit this program.\n");
fflush(stdout);
getchar();
#endif
return (ret);
}
int main( int argc, char *argv[] )
{
int ret = 0, server_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert clicert;
rsa_context rsa;
int i, j, n;
char *p, *q;
if( argc == 0 )
{
usage:
printf( USAGE );
goto exit;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
for( i = 1; i < argc; i++ )
{
n = strlen( argv[i] );
for( j = 0; j < n; j++ )
{
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "mode" ) == 0 )
{
if( strcmp( q, "file" ) == 0 )
opt.mode = MODE_FILE;
else if( strcmp( q, "ssl" ) == 0 )
opt.mode = MODE_SSL;
else
goto usage;
}
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else
goto usage;
}
if( opt.mode == MODE_FILE )
{
x509_cert crt;
memset( &crt, 0, sizeof( x509_cert ) );
/*
* 1.1. Load the certificate
*/
printf( "\n . Loading the certificate ..." );
fflush( stdout );
ret = x509parse_crtfile( &crt, opt.filename );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
x509_free( &crt );
goto exit;
}
printf( " ok\n" );
/*
* 1.2 Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", &crt );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
x509_free( &crt );
goto exit;
}
printf( "%s\n", buf );
x509_free( &crt );
}
else if( opt.mode == MODE_SSL )
{
/*
* 1. Initialize the RNG and the session data
*/
havege_init( &hs );
memset( &ssn, 0, sizeof( ssl_session ) );
/*
* 2. Start the connection
*/
printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
/*
* 3. Setup stuff
*/
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, opt.server_name );
/*
* 4. Handshake
*/
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
goto exit;
}
printf( "%s\n", buf );
ssl_close_notify( &ssl );
}
else
goto usage;
exit:
net_close( server_fd );
x509_free( &clicert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#ifdef WIN32
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
static CURLcode
polarssl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
char errorbuf[128];
errorbuf[0]=0;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
#ifdef THREADING_SUPPORT
entropy_init_mutex(&entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func_mutex, &entropy,
NULL, 0)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#else
entropy_init(&connssl->entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func, &connssl->entropy,
NULL, 0)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#endif /* THREADING_SUPPORT */
/* Load the trusted CA */
memset(&connssl->cacert, 0, sizeof(x509_crt));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509_crt_parse_file(&connssl->cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAFILE], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
if(data->set.str[STRING_SSL_CAPATH]) {
ret = x509_crt_parse_path(&connssl->cacert,
data->set.str[STRING_SSL_CAPATH]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert path %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAPATH], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&connssl->clicert, 0, sizeof(x509_crt));
if(data->set.str[STRING_CERT]) {
ret = x509_crt_parse_file(&connssl->clicert,
data->set.str[STRING_CERT]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading client cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_CERT], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
pk_context pk;
pk_init(&pk);
ret = pk_parse_keyfile(&pk, data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret == 0 && !pk_can_do(&pk, POLARSSL_PK_RSA))
ret = POLARSSL_ERR_PK_TYPE_MISMATCH;
if(ret == 0)
rsa_copy(&connssl->rsa, pk_rsa(pk));
else
rsa_free(&connssl->rsa);
pk_free(&pk);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_KEY], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&connssl->crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509_crl_parse_file(&connssl->crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connecting to %s:%d\n",
conn->host.name, conn->remote_port);
if(ssl_init(&connssl->ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
break;
case CURL_SSLVERSION_SSLv3:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n");
break;
case CURL_SSLVERSION_TLSv1_0:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0\n");
break;
case CURL_SSLVERSION_TLSv1_1:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_2);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_2);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1\n");
break;
case CURL_SSLVERSION_TLSv1_2:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_3);
ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_3);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
break;
}
ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&connssl->ssl, ctr_drbg_random,
&connssl->ctr_drbg);
ssl_set_bio(&connssl->ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
/* Check if there's a cached ID we can/should use here! */
if(conn->ssl_config.sessionid) {
void *old_session = NULL;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
ret = ssl_set_session(&connssl->ssl, old_session);
Curl_ssl_sessionid_unlock(conn);
if(ret) {
failf(data, "ssl_set_session returned -0x%x", -ret);
return CURLE_SSL_CONNECT_ERROR;
}
infof(data, "PolarSSL re-using session\n");
}
}
ssl_set_ca_chain(&connssl->ssl,
&connssl->cacert,
&connssl->crl,
conn->host.name);
ssl_set_own_cert_rsa(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
/* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
to set in the SNI extension. So even if curl connects to a host
specified as an IP address, this function must be used. */
failf(data, "couldn't set hostname in PolarSSL");
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN
if(conn->bits.tls_enable_alpn) {
static const char* protocols[3];
int cur = 0;
#ifdef USE_NGHTTP2
if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
protocols[cur++] = NGHTTP2_PROTO_VERSION_ID;
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
#endif
protocols[cur++] = ALPN_HTTP_1_1;
infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
protocols[cur] = NULL;
ssl_set_alpn_protocols(&connssl->ssl, protocols);
}
#endif
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
int main(void)
{
int ret;
int verify_peer = 0;
entropy_context ssl_client_entropy;
ctr_drbg_context ssl_client_ctr_drbg;
ssl_context clientssl;
ssl_session sslclientsession;
x509_cert ssl_client_cert;
rsa_context ssl_client_rsa;
struct sockaddr_un serveraddr;
char *owner = "ssl_client";
int clientsocketfd;
char buffer[1024] = "Client Hello World";
memset(&clientssl, 0, sizeof(ssl_context));
memset(&sslclientsession, 0, sizeof(ssl_session));
memset(&ssl_client_cert, 0, sizeof(x509_cert));
memset(&ssl_client_rsa, 0, sizeof(rsa_context));
entropy_init(&ssl_client_entropy);
if((ret = ctr_drbg_init(&ssl_client_ctr_drbg, entropy_func, &ssl_client_entropy, (unsigned char *)owner, strlen(owner))) != 0)
{
printf("ctr_drbg_init failed returned %d\n", ret);
return -1;
}
if((ret = x509parse_crtfile(&ssl_client_cert, SSL_CLIENT_RSA_CERT)) != 0)
{
printf("x509parse_crtfile CLIENT CERT returned %d\n", ret);
return -1;
}
if((ret = x509parse_keyfile(&ssl_client_rsa, SSL_CLIENT_RSA_KEY, NULL)) != 0)
{
if(ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED)
{
char buffer[100];
int size;
polarssl_pem_password_callback(buffer, &size);
if((ret = x509parse_keyfile(&ssl_client_rsa, SSL_CLIENT_RSA_KEY, buffer)) != 0)
{
printf("x509parse_keyfile CLIENT KEY returned %d\n", ret);
return -1;
}
}
}
if((clientsocketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
{
printf("Error in socket creation%d\n", clientsocketfd);
return -1;
}
memset(&serveraddr, 0, sizeof(struct sockaddr_un));
serveraddr.sun_family = AF_UNIX;
serveraddr.sun_path[0] = 0;
strncpy(&(serveraddr.sun_path[1]), SSL_SERVER_ADDR, strlen(SSL_SERVER_ADDR) + 1);
if(ret = connect(clientsocketfd, (struct sockaddr *)&serveraddr, sizeof(struct sockaddr_un)))
{
printf("connect returned error %d\n", ret);
return -1;
}
if(ret = ssl_init(&clientssl))
{
printf("ssl_init failed returned %d\n", ret);
return -1;
}
ssl_set_endpoint(&clientssl, SSL_IS_CLIENT);
ssl_set_authmode(&clientssl, SSL_VERIFY_NONE);
if(verify_peer)
ssl_set_authmode(&clientssl, SSL_VERIFY_REQUIRED);
ssl_set_rng(&clientssl, ctr_drbg_random, &ssl_client_ctr_drbg);
ssl_set_dbg(&clientssl, ssl_client_debug, stdout);
ssl_set_bio(&clientssl, net_recv, &clientsocketfd, net_send, &clientsocketfd);
ssl_set_ciphersuites(&clientssl, ssl_default_ciphersuites);
ssl_set_session(&clientssl, 1, 600, &sslclientsession);
ssl_set_own_cert(&clientssl, &ssl_client_cert, &ssl_client_rsa);
if(ret = ssl_handshake(&clientssl))
{
printf("handshake failed returned %d\n", ret);
return -1;
}
if((ret = ssl_write(&clientssl, buffer, strlen(buffer) + 1)) <= 0)
{
printf("ssl_write failed returned %d\n", ret);
return -1;
}
if((ret = ssl_read(&clientssl, buffer, sizeof(buffer))) <= 0)
{
printf("ssl_read failed returned %d\n", ret);
return -1;
}
printf("SSL server send %s\n", buffer);
ssl_close_notify(&clientssl);
net_close(clientsocketfd);
x509_free(&ssl_client_cert);
rsa_free(&ssl_client_rsa);
ssl_free(&clientssl);
return 0;
}
static CURLcode
polarssl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
void *old_session = NULL;
size_t old_session_size = 0;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
havege_init(&connssl->hs);
/* Load the trusted CA */
memset(&connssl->cacert, 0, sizeof(x509_cert));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509parse_crtfile(&connssl->cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret<0) {
failf(data, "Error reading ca cert file %s: -0x%04X",
data->set.str[STRING_SSL_CAFILE], ret);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&connssl->clicert, 0, sizeof(x509_cert));
if(data->set.str[STRING_CERT]) {
ret = x509parse_crtfile(&connssl->clicert,
data->set.str[STRING_CERT]);
if(ret) {
failf(data, "Error reading client cert file %s: -0x%04X",
data->set.str[STRING_CERT], -ret);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
ret = x509parse_keyfile(&connssl->rsa,
data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret) {
failf(data, "Error reading private key %s: -0x%04X",
data->set.str[STRING_KEY], -ret);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&connssl->crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509parse_crlfile(&connssl->crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
failf(data, "Error reading CRL file %s: -0x%04X",
data->set.str[STRING_SSL_CRLFILE], -ret);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connecting to %s:%d\n",
conn->host.name, conn->remote_port);
if(ssl_init(&connssl->ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&connssl->ssl, HAVEGE_RANDOM,
&connssl->hs);
ssl_set_bio(&connssl->ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
#if POLARSSL_VERSION_NUMBER<0x01000000
ssl_set_ciphers(&connssl->ssl, ssl_default_ciphers);
#else
ssl_set_ciphersuites(&connssl->ssl, ssl_default_ciphersuites);
#endif
if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
memcpy(&connssl->ssn, old_session, old_session_size);
infof(data, "PolarSSL re-using session\n");
}
ssl_set_session(&connssl->ssl, 1, 600,
&connssl->ssn);
ssl_set_ca_chain(&connssl->ssl,
&connssl->cacert,
&connssl->crl,
conn->host.name);
ssl_set_own_cert(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
}
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
static CURLcode
polarssl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
void *old_session = NULL;
size_t old_session_size = 0;
char errorbuf[128];
memset(errorbuf, 0, sizeof(errorbuf));
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
#if POLARSSL_VERSION_NUMBER<0x01010000
havege_init(&connssl->hs);
#else
#ifdef THREADING_SUPPORT
entropy_init_mutex(&entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func_mutex, &entropy,
connssl->ssn.id, connssl->ssn.length)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#else
entropy_init(&connssl->entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func, &connssl->entropy,
connssl->ssn.id, connssl->ssn.length)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#endif /* THREADING_SUPPORT */
#endif /* POLARSSL_VERSION_NUMBER<0x01010000 */
/* Load the trusted CA */
memset(&connssl->cacert, 0, sizeof(x509_cert));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509parse_crtfile(&connssl->cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAFILE], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&connssl->clicert, 0, sizeof(x509_cert));
if(data->set.str[STRING_CERT]) {
ret = x509parse_crtfile(&connssl->clicert,
data->set.str[STRING_CERT]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading client cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_CERT], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
ret = x509parse_keyfile(&connssl->rsa,
data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_KEY], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&connssl->crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509parse_crlfile(&connssl->crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connecting to %s:%d\n",
conn->host.name, conn->remote_port);
if(ssl_init(&connssl->ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
#if POLARSSL_VERSION_NUMBER<0x01010000
ssl_set_rng(&connssl->ssl, havege_rand,
&connssl->hs);
#else
ssl_set_rng(&connssl->ssl, ctr_drbg_random,
&connssl->ctr_drbg);
#endif /* POLARSSL_VERSION_NUMBER<0x01010000 */
ssl_set_bio(&connssl->ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
#if POLARSSL_VERSION_NUMBER<0x01000000
ssl_set_ciphers(&connssl->ssl, ssl_default_ciphers);
#else
ssl_set_ciphersuites(&connssl->ssl, ssl_default_ciphersuites);
#endif
if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
memcpy(&connssl->ssn, old_session, old_session_size);
infof(data, "PolarSSL re-using session\n");
}
/* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
1.1.4 version and the like */
#if POLARSSL_VERSION_NUMBER<0x01020000
ssl_set_session(&connssl->ssl, 1, 600,
&connssl->ssn);
#else
ssl_set_session(&connssl->ssl,
&connssl->ssn);
#endif
ssl_set_ca_chain(&connssl->ssl,
&connssl->cacert,
&connssl->crl,
conn->host.name);
ssl_set_own_cert(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
}
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
bool socket_stream::open_ssl_client(void)
{
if (stream_ == NULL)
{
logger_error("stream_ null");
return false;
}
#ifdef HAS_POLARSSL
// 如果打开已经是 SSL 模式的流,则直接返回
if (ssl_ != NULL)
{
acl_assert(ssn_);
acl_assert(hs_);
return true;
}
ssl_ = acl_mycalloc(1, sizeof(ssl_context));
ssn_ = acl_mycalloc(1, sizeof(ssl_session));
hs_ = acl_mymalloc(sizeof(havege_state));
// Initialize the RNG and the session data
::havege_init((havege_state*) hs_);
int ret;
// Setup stuff
if ((ret = ssl_init((ssl_context*) ssl_)) != 0)
{
logger_error("failed, ssl_init returned %d", ret);
return false;
}
ssl_set_endpoint((ssl_context*) ssl_, SSL_IS_CLIENT);
ssl_set_authmode((ssl_context*) ssl_, SSL_VERIFY_NONE);
ssl_set_rng((ssl_context*) ssl_, havege_random, hs_);
//ssl_set_dbg(ssl_, my_debug, stdout);
ssl_set_bio((ssl_context*) ssl_, sock_read, this, sock_send, this);
const int* cipher_suites = ssl_list_ciphersuites();
if (cipher_suites == NULL)
{
logger_error("ssl_list_ciphersuites null");
return false;
}
ssl_set_ciphersuites((ssl_context*) ssl_, cipher_suites);
ssl_set_session((ssl_context*) ssl_, (ssl_session*) ssn_);
acl_vstream_ctl(stream_,
ACL_VSTREAM_CTL_READ_FN, ssl_read,
ACL_VSTREAM_CTL_WRITE_FN, ssl_send,
ACL_VSTREAM_CTL_CTX, this,
ACL_VSTREAM_CTL_END);
acl_tcp_set_nodelay(ACL_VSTREAM_SOCK(stream_));
// Handshake
while((ret = ssl_handshake((ssl_context*) ssl_)) != 0)
{
if (ret != POLARSSL_ERR_NET_WANT_READ
&& ret != POLARSSL_ERR_NET_WANT_WRITE)
{
logger_error("ssl_handshake failed: 0x%x", ret);
return false;
}
}
return true;
#else
logger_error("define HAS_POLARSSL first!");
return false;
#endif
}
int main( int argc, char *argv[] )
{
int ret = 0, len, server_fd;
unsigned char buf[1024];
#if defined(POLARSSL_BASE64_C)
unsigned char base[1024];
#endif
char hostname[32];
char *pers = "ssl_mail_client";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
ssl_session ssn;
x509_cert cacert;
x509_cert clicert;
rsa_context rsa;
int i;
size_t j, n;
char *p, *q;
const int *list;
/*
* Make sure memory references are valid.
*/
server_fd = 0;
memset( &ssn, 0, sizeof( ssl_session ) );
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
memset( &clicert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) );
if( argc == 0 )
{
usage:
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.authentication = DFL_AUTHENTICATION;
opt.mode = DFL_MODE;
opt.user_name = DFL_USER_NAME;
opt.user_pwd = DFL_USER_PWD;
opt.mail_from = DFL_MAIL_FROM;
opt.mail_to = DFL_MAIL_TO;
opt.ca_file = DFL_CA_FILE;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
for( i = 1; i < argc; i++ )
{
n = strlen( argv[i] );
for( j = 0; j < n; j++ )
{
if( argv[i][j] == '=')
break;
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "authentication" ) == 0 )
{
opt.authentication = atoi( q );
if( opt.authentication < 0 || opt.authentication > 1 )
goto usage;
}
else if( strcmp( p, "mode" ) == 0 )
{
opt.mode = atoi( q );
if( opt.mode < 0 || opt.mode > 1 )
goto usage;
}
else if( strcmp( p, "user_name" ) == 0 )
opt.user_name = q;
else if( strcmp( p, "user_pwd" ) == 0 )
opt.user_pwd = q;
else if( strcmp( p, "mail_from" ) == 0 )
opt.mail_from = q;
else if( strcmp( p, "mail_to" ) == 0 )
opt.mail_to = q;
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = -1;
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] <= 0 )
goto usage;
opt.force_ciphersuite[1] = 0;
}
else
goto usage;
}
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
printf( " . Loading the client cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
ret = x509parse_crtfile( &clicert, opt.crt_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
#else
{
ret = -1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
#if defined(POLARSSL_FS_IO)
if( strlen( opt.key_file ) )
ret = x509parse_keyfile( &rsa, opt.key_file, "" );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
strlen( test_cli_key ), NULL, 0 );
#else
{
ret = -1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Start the connection
*/
printf( " . Connecting to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
if( opt.force_ciphersuite[0] == DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
else
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, opt.server_name );
if( opt.mode == MODE_SSL_TLS )
{
if( do_handshake( &ssl, &opt ) != 0 )
goto exit;
printf( " > Get header from server:" );
fflush( stdout );
ret = write_ssl_and_get_response( &ssl, buf, 0 );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write EHLO to server:" );
fflush( stdout );
gethostname( hostname, 32 );
len = sprintf( (char *) buf, "EHLO %s\n", hostname );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
}
else
{
printf( " > Get header from server:" );
fflush( stdout );
ret = write_and_get_response( server_fd, buf, 0 );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write EHLO to server:" );
fflush( stdout );
gethostname( hostname, 32 );
len = sprintf( (char *) buf, "EHLO %s\n", hostname );
ret = write_and_get_response( server_fd, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write STARTTLS to server:" );
fflush( stdout );
gethostname( hostname, 32 );
len = sprintf( (char *) buf, "STARTTLS\n" );
ret = write_and_get_response( server_fd, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
if( do_handshake( &ssl, &opt ) != 0 )
goto exit;
}
#if defined(POLARSSL_BASE64_C)
if( opt.authentication )
{
printf( " > Write AUTH LOGIN to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "AUTH LOGIN\n" );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write username to server: %s", opt.user_name );
fflush( stdout );
n = sizeof( buf );
len = base64_encode( base, &n, (unsigned char *) opt.user_name, strlen( opt.user_name ) );
len = sprintf( (char *) buf, "%s\n", base );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 300 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write password to server: %s", opt.user_pwd );
fflush( stdout );
len = base64_encode( base, &n, (unsigned char *) opt.user_pwd, strlen( opt.user_pwd ) );
len = sprintf( (char *) buf, "%s\n", base );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
}
#endif
printf( " > Write MAIL FROM to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "MAIL FROM:<%s>\n", opt.mail_from );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write RCPT TO to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "RCPT TO:<%s>\n", opt.mail_to );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write DATA to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "DATA\n" );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 300 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write content to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "From: %s\nSubject: PolarSSL Test mail\n\n"
"This is a simple test mail from the "
"PolarSSL mail client example.\n"
"\n"
"Enjoy!", opt.mail_from );
ret = write_ssl_data( &ssl, buf, len );
len = sprintf( (char *) buf, "\r\n.\r\n");
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
ssl_close_notify( &ssl );
exit:
if( server_fd )
net_close( server_fd );
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress)
{
SIOCtlVBuffer CommandBuffer(_CommandAddress);
u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0;
u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0;
u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0;
u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0;
if (CommandBuffer.InBuffer.size() > 0)
{
_BufferIn = CommandBuffer.InBuffer.at(0).m_Address;
BufferInSize = CommandBuffer.InBuffer.at(0).m_Size;
}
if (CommandBuffer.InBuffer.size() > 1)
{
_BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address;
BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size;
}
if (CommandBuffer.InBuffer.size() > 2)
{
_BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address;
BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 0)
{
BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address;
BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 1)
{
BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address;
BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 2)
{
BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address;
BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size;
}
// I don't trust SSL to be deterministic, and this is never going to sync
// as such (as opposed to forwarding IPC results or whatever), so -
if (Core::g_want_determinism)
{
Memory::Write_U32(-1, _CommandAddress + 0x4);
return IPC_DEFAULT_REPLY;
}
switch (CommandBuffer.Parameter)
{
case IOCTLV_NET_SSL_NEW:
{
int verifyOption = Memory::Read_U32(BufferOut);
std::string hostname = Memory::GetString(BufferOut2, BufferOutSize2);
int freeSSL = GetSSLFreeID();
if (freeSSL)
{
int sslID = freeSSL - 1;
WII_SSL* ssl = &_SSL[sslID];
int ret = ssl_init(&ssl->ctx);
if (ret)
{
goto _SSL_NEW_ERROR;
}
entropy_init(&ssl->entropy);
const char* pers = "dolphin-emu";
ret = ctr_drbg_init(&ssl->ctr_drbg, entropy_func,
&ssl->entropy,
(const unsigned char*)pers,
strlen(pers));
if (ret)
{
ssl_free(&ssl->ctx);
entropy_free(&ssl->entropy);
goto _SSL_NEW_ERROR;
}
ssl_set_rng(&ssl->ctx, ctr_drbg_random, &ssl->ctr_drbg);
// For some reason we can't use TLSv1.2, v1.1 and below are fine!
ssl_set_max_version(&ssl->ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2);
ssl_set_session(&ssl->ctx, &ssl->session);
ssl_set_endpoint(&ssl->ctx, SSL_IS_CLIENT);
ssl_set_authmode(&ssl->ctx, SSL_VERIFY_NONE);
ssl_set_renegotiation(&ssl->ctx, SSL_RENEGOTIATION_ENABLED);
ssl->hostname = hostname;
ssl_set_hostname(&ssl->ctx, ssl->hostname.c_str());
ssl->active = true;
Memory::Write_U32(freeSSL, _BufferIn);
}
else
{
_SSL_NEW_ERROR:
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
verifyOption, hostname.c_str(),
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SHUTDOWN:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
ssl_close_notify(&ssl->ctx);
ssl_session_free(&ssl->session);
ssl_free(&ssl->ctx);
entropy_free(&ssl->entropy);
x509_crt_free(&ssl->cacert);
x509_crt_free(&ssl->clicert);
ssl->hostname.clear();
ssl->active = false;
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETROOTCA:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
int ret = x509_crt_parse_der(
&ssl->cacert,
Memory::GetPointer(BufferOut2),
BufferOutSize2);
if (ret)
{
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str());
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
std::string cert_base_path = File::GetUserPath(D_SESSION_WIIROOT_IDX);
int ret = x509_crt_parse_file(&ssl->clicert, (cert_base_path + "clientca.pem").c_str());
int pk_ret = pk_parse_keyfile(&ssl->pk, (cert_base_path + "clientcakey.pem").c_str(), nullptr);
if (ret || pk_ret)
{
x509_crt_free(&ssl->clicert);
pk_free(&ssl->pk);
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_own_cert(&ssl->ctx, &ssl->clicert, &ssl->pk);
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID);
}
break;
}
case IOCTLV_NET_SSL_REMOVECLIENTCERT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
x509_crt_free(&ssl->clicert);
pk_free(&ssl->pk);
ssl_set_own_cert(&ssl->ctx, nullptr, nullptr);
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID);
}
break;
}
case IOCTLV_NET_SSL_SETBUILTINROOTCA:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
int ret = x509_crt_parse_file(&ssl->cacert, (File::GetUserPath(D_SESSION_WIIROOT_IDX) + "/rootca.pem").c_str());
if (ret)
{
x509_crt_free(&ssl->clicert);
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str());
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_CONNECT:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
ssl->sockfd = Memory::Read_U32(BufferOut2);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", ssl->sockfd);
ssl_set_bio(&ssl->ctx, net_recv, &ssl->sockfd, net_send, &ssl->sockfd);
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_DOHANDSHAKE:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::GetInstance();
sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE);
return IPC_NO_REPLY;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
case IOCTLV_NET_SSL_WRITE:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::GetInstance();
sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE);
return IPC_NO_REPLY;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
INFO_LOG(WII_IPC_SSL, "%s", Memory::GetString(BufferOut2).c_str());
break;
}
case IOCTLV_NET_SSL_READ:
{
int ret = 0;
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::GetInstance();
sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ);
return IPC_NO_REPLY;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)"
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
ret,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETROOTCADEFAULT:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
default:
ERROR_LOG(WII_IPC_SSL, "%i "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
CommandBuffer.Parameter,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
// SSL return codes are written to BufferIn
Memory::Write_U32(0, _CommandAddress+4);
return IPC_DEFAULT_REPLY;
}
/*
* This function loads all the client/CA certificates and CRLs. Setup the TLS
* layer and do all necessary magic.
*/
CURLcode
Curl_polarssl_connect(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
void *old_session = NULL;
size_t old_session_size = 0;
char buffer[1024];
if(conn->ssl[sockindex].state == ssl_connection_complete)
return CURLE_OK;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
havege_init(&conn->ssl[sockindex].hs);
/* Load the trusted CA */
memset(&conn->ssl[sockindex].cacert, 0, sizeof(x509_cert));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509parse_crtfile(&conn->ssl[sockindex].cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret) {
failf(data, "Error reading ca cert file %s: -0x%04X",
data->set.str[STRING_SSL_CAFILE], -ret);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&conn->ssl[sockindex].clicert, 0, sizeof(x509_cert));
if(data->set.str[STRING_CERT]) {
ret = x509parse_crtfile(&conn->ssl[sockindex].clicert,
data->set.str[STRING_CERT]);
if(ret) {
failf(data, "Error reading client cert file %s: -0x%04X",
data->set.str[STRING_CERT], -ret);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
ret = x509parse_keyfile(&conn->ssl[sockindex].rsa,
data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret) {
failf(data, "Error reading private key %s: -0x%04X",
data->set.str[STRING_KEY], -ret);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&conn->ssl[sockindex].crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509parse_crlfile(&conn->ssl[sockindex].crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
failf(data, "Error reading CRL file %s: -0x%04X",
data->set.str[STRING_SSL_CRLFILE], -ret);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connected to %s:%d\n",
conn->host.name, conn->remote_port);
havege_init(&conn->ssl[sockindex].hs);
if(ssl_init(&conn->ssl[sockindex].ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
ssl_set_endpoint(&conn->ssl[sockindex].ssl, SSL_IS_CLIENT);
ssl_set_authmode(&conn->ssl[sockindex].ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&conn->ssl[sockindex].ssl, havege_rand,
&conn->ssl[sockindex].hs);
ssl_set_bio(&conn->ssl[sockindex].ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
ssl_set_ciphers(&conn->ssl[sockindex].ssl, ssl_default_ciphers);
if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
memcpy(&conn->ssl[sockindex].ssn, old_session, old_session_size);
infof(data, "PolarSSL re-using session\n");
}
ssl_set_session(&conn->ssl[sockindex].ssl, 1, 600,
&conn->ssl[sockindex].ssn);
ssl_set_ca_chain(&conn->ssl[sockindex].ssl,
&conn->ssl[sockindex].cacert,
&conn->ssl[sockindex].crl,
conn->host.name);
ssl_set_own_cert(&conn->ssl[sockindex].ssl,
&conn->ssl[sockindex].clicert, &conn->ssl[sockindex].rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&conn->ssl[sockindex].ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
}
infof(data, "PolarSSL: performing SSL/TLS handshake...\n");
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&conn->ssl[sockindex].ssl, polarssl_debug, data);
#endif
for(;;) {
if(!(ret = ssl_handshake(&conn->ssl[sockindex].ssl)))
break;
else if(ret != POLARSSL_ERR_NET_TRY_AGAIN) {
failf(data, "ssl_handshake returned -0x%04X", -ret);
return CURLE_SSL_CONNECT_ERROR;
}
else {
/* wait for data from server... */
long timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
switch(Curl_socket_ready(conn->sock[sockindex],
CURL_SOCKET_BAD, timeout_ms)) {
case 0:
failf(data, "SSL handshake timeout");
return CURLE_OPERATION_TIMEDOUT;
break;
case CURL_CSELECT_IN:
continue;
break;
default:
return CURLE_SSL_CONNECT_ERROR;
break;
}
}
}
infof(data, "PolarSSL: Handshake complete, cipher is %s\n",
ssl_get_cipher(&conn->ssl[sockindex].ssl));
ret = ssl_get_verify_result(&conn->ssl[sockindex].ssl);
if(ret && data->set.ssl.verifypeer) {
if(ret & BADCERT_EXPIRED)
failf(data, "Cert verify failed: BADCERT_EXPIRED\n");
if(ret & BADCERT_REVOKED)
failf(data, "Cert verify failed: BADCERT_REVOKED");
if(ret & BADCERT_CN_MISMATCH)
failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
if(ret & BADCERT_NOT_TRUSTED)
failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
return CURLE_SSL_CACERT;
}
if(conn->ssl[sockindex].ssl.peer_cert) {
/* If the session was resumed, there will be no peer certs */
memset(buffer, 0, sizeof(buffer));
if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
conn->ssl[sockindex].ssl.peer_cert) != -1)
infof(data, "Dumping cert info:\n%s\n", buffer);
}
conn->ssl[sockindex].state = ssl_connection_complete;
conn->recv[sockindex] = polarssl_recv;
conn->send[sockindex] = polarssl_send;
/* Save the current session data for possible re-use */
{
void *new_session = malloc(sizeof(conn->ssl[sockindex].ssn));
if(new_session) {
memcpy(new_session, &conn->ssl[sockindex].ssn,
sizeof(conn->ssl[sockindex].ssn));
if(old_session)
Curl_ssl_delsessionid(conn, old_session);
return Curl_ssl_addsessionid(conn, new_session,
sizeof(conn->ssl[sockindex].ssn));
}
}
return CURLE_OK;
}
bool CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress)
{
SIOCtlVBuffer CommandBuffer(_CommandAddress);
u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0;
u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0;
u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0;
u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0;
if (CommandBuffer.InBuffer.size() > 0)
{
_BufferIn = CommandBuffer.InBuffer.at(0).m_Address;
BufferInSize = CommandBuffer.InBuffer.at(0).m_Size;
}
if (CommandBuffer.InBuffer.size() > 1)
{
_BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address;
BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size;
}
if (CommandBuffer.InBuffer.size() > 2)
{
_BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address;
BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 0)
{
BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address;
BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 1)
{
BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address;
BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 2)
{
BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address;
BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size;
}
switch (CommandBuffer.Parameter)
{
case IOCTLV_NET_SSL_NEW:
{
int verifyOption = Memory::Read_U32(BufferOut);
const char * hostname = (const char*) Memory::GetPointer(BufferOut2);
int freeSSL = this->getSSLFreeID();
if (freeSSL)
{
int sslID = freeSSL - 1;
int ret = ssl_init(&_SSL[sslID].ctx);
if (ret)
{
// Cleanup possibly dirty ctx
memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context));
goto _SSL_NEW_ERROR;
}
entropy_init(&_SSL[sslID].entropy);
const char* pers = "dolphin-emu";
ret = ctr_drbg_init(&_SSL[sslID].ctr_drbg, entropy_func,
&_SSL[sslID].entropy,
(const unsigned char*)pers,
strlen(pers));
if (ret)
{
ssl_free(&_SSL[sslID].ctx);
// Cleanup possibly dirty ctx
memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context));
entropy_free(&_SSL[sslID].entropy);
goto _SSL_NEW_ERROR;
}
ssl_set_rng(&_SSL[sslID].ctx, ctr_drbg_random, &_SSL[sslID].ctr_drbg);
// For some reason we can't use TLSv1.2, v1.1 and below are fine!
ssl_set_max_version(&_SSL[sslID].ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2);
ssl_set_session(&_SSL[sslID].ctx, &_SSL[sslID].session);
ssl_set_endpoint(&_SSL[sslID].ctx, SSL_IS_CLIENT);
ssl_set_authmode(&_SSL[sslID].ctx, SSL_VERIFY_NONE);
ssl_set_renegotiation(&_SSL[sslID].ctx, SSL_RENEGOTIATION_ENABLED);
memcpy(_SSL[sslID].hostname, hostname, min((int)BufferOutSize2, NET_SSL_MAX_HOSTNAME_LEN));
_SSL[sslID].hostname[NET_SSL_MAX_HOSTNAME_LEN-1] = '\0';
ssl_set_hostname(&_SSL[sslID].ctx, _SSL[sslID].hostname);
_SSL[sslID].active = true;
Memory::Write_U32(freeSSL, _BufferIn);
}
else
{
_SSL_NEW_ERROR:
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
verifyOption, hostname,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SHUTDOWN:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
ssl_close_notify(&_SSL[sslID].ctx);
ssl_session_free(&_SSL[sslID].session);
ssl_free(&_SSL[sslID].ctx);
entropy_free(&_SSL[sslID].entropy);
x509_crt_free(&_SSL[sslID].cacert);
x509_crt_free(&_SSL[sslID].clicert);
memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context));
memset(&_SSL[sslID].session, 0, sizeof(ssl_session));
memset(&_SSL[sslID].entropy, 0, sizeof(entropy_context));
memset(_SSL[sslID].hostname, 0, NET_SSL_MAX_HOSTNAME_LEN);
_SSL[sslID].active = false;
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETROOTCA:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
int ret = x509_crt_parse_der(
&_SSL[sslID].cacert,
Memory::GetPointer(BufferOut2),
BufferOutSize2);
if (ret)
{
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_ca_chain(&_SSL[sslID].ctx, &_SSL[sslID].cacert, NULL, _SSL[sslID].hostname);
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
std::string cert_base_path(File::GetUserPath(D_WIIUSER_IDX));
int ret = x509_crt_parse_file(&_SSL[sslID].clicert, (cert_base_path + "clientca.pem").c_str());
int pk_ret = pk_parse_keyfile(&_SSL[sslID].pk, (cert_base_path + "clientcakey.pem").c_str(), NULL);
if (ret || pk_ret)
{
x509_crt_free(&_SSL[sslID].clicert);
pk_free(&_SSL[sslID].pk);
memset(&_SSL[sslID].clicert, 0, sizeof(x509_crt));
memset(&_SSL[sslID].pk, 0, sizeof(pk_context));
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_own_cert(&_SSL[sslID].ctx, &_SSL[sslID].clicert, &_SSL[sslID].pk);
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID);
}
break;
}
case IOCTLV_NET_SSL_REMOVECLIENTCERT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
x509_crt_free(&_SSL[sslID].clicert);
pk_free(&_SSL[sslID].pk);
memset(&_SSL[sslID].clicert, 0, sizeof(x509_crt));
memset(&_SSL[sslID].pk, 0, sizeof(pk_context));
ssl_set_own_cert(&_SSL[sslID].ctx, NULL, NULL);
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID);
}
break;
}
case IOCTLV_NET_SSL_SETBUILTINROOTCA:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
std::string cert_base_path(File::GetUserPath(D_WIIUSER_IDX));
int ret = x509_crt_parse_file(&_SSL[sslID].cacert, (cert_base_path + "rootca.pem").c_str());
if (ret)
{
x509_crt_free(&_SSL[sslID].clicert);
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_ca_chain(&_SSL[sslID].ctx, &_SSL[sslID].cacert, NULL, _SSL[sslID].hostname);
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_CONNECT:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
_SSL[sslID].sockfd = Memory::Read_U32(BufferOut2);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", _SSL[sslID].sockfd);
ssl_set_bio(&_SSL[sslID].ctx, net_recv, &_SSL[sslID].sockfd, net_send, &_SSL[sslID].sockfd);
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_DOHANDSHAKE:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::getInstance();
sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE);
return false;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
case IOCTLV_NET_SSL_WRITE:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::getInstance();
sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE);
return false;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
INFO_LOG(WII_IPC_SSL, "%s", Memory::GetPointer(BufferOut2));
break;
}
case IOCTLV_NET_SSL_READ:
{
int ret = 0;
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::getInstance();
sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ);
return false;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)"
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
ret,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETROOTCADEFAULT:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
default:
ERROR_LOG(WII_IPC_SSL, "%i "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
CommandBuffer.Parameter,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
// SSL return codes are written to BufferIn
Memory::Write_U32(0, _CommandAddress+4);
return true;
}
int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
SSL *const ssl = hs->ssl;
if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SESSION_MAY_NOT_BE_CREATED);
return 0;
}
SSL_SESSION *session = ssl_session_new(ssl->ctx->x509_method);
if (session == NULL) {
return 0;
}
session->is_server = is_server;
session->ssl_version = ssl->version;
/* Fill in the time from the |SSL_CTX|'s clock. */
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
session->time = now.tv_sec;
uint16_t version = ssl3_protocol_version(ssl);
if (version >= TLS1_3_VERSION) {
/* TLS 1.3 uses tickets as authenticators, so we are willing to use them for
* longer. */
session->timeout = ssl->session_ctx->session_psk_dhe_timeout;
session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
} else {
/* TLS 1.2 resumption does not incorporate new key material, so we use a
* much shorter timeout. */
session->timeout = ssl->session_ctx->session_timeout;
session->auth_timeout = ssl->session_ctx->session_timeout;
}
if (is_server) {
if (hs->ticket_expected || version >= TLS1_3_VERSION) {
/* Don't set session IDs for sessions resumed with tickets. This will keep
* them out of the session cache. */
session->session_id_length = 0;
} else {
session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
if (!RAND_bytes(session->session_id, session->session_id_length)) {
goto err;
}
}
} else {
session->session_id_length = 0;
}
if (ssl->cert->sid_ctx_length > sizeof(session->sid_ctx)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
OPENSSL_memcpy(session->sid_ctx, ssl->cert->sid_ctx,
ssl->cert->sid_ctx_length);
session->sid_ctx_length = ssl->cert->sid_ctx_length;
/* The session is marked not resumable until it is completely filled in. */
session->not_resumable = 1;
session->verify_result = X509_V_ERR_INVALID_CALL;
SSL_SESSION_free(hs->new_session);
hs->new_session = session;
ssl_set_session(ssl, NULL);
return 1;
err:
SSL_SESSION_free(session);
return 0;
}
tcpcon_t *
tcp_connect(const char *hostname, int port, char *errbuf, size_t errbufsize,
int timeout, int ssl)
{
struct net_hostent *hp;
char *tmphstbuf;
int fd, r, err, herr, optval;
const char *errtxt;
struct sockaddr_in in;
socklen_t errlen = sizeof(int);
if(!strcmp(hostname, "localhost")) {
if((fd = getstreamsocket(AF_INET, errbuf, errbufsize)) == -1)
return NULL;
memset(&in, 0, sizeof(in));
in.sin_family = AF_INET;
in.sin_port = htons(port);
in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
r = netConnect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in));
} else {
herr = 0;
tmphstbuf = NULL; /* free NULL is a nop */
hp = netGetHostByName(hostname);
if(hp == NULL)
herr = h_errno;
if(herr != 0) {
switch(herr) {
case HOST_NOT_FOUND:
errtxt = "Unknown host";
break;
case NO_ADDRESS:
errtxt = "The requested name is valid but does not have an IP address";
break;
case NO_RECOVERY:
errtxt = "A non-recoverable name server error occurred";
break;
case TRY_AGAIN:
errtxt = "A temporary error occurred on an authoritative name server";
break;
default:
errtxt = "Unknown error";
break;
}
snprintf(errbuf, errbufsize, "%s", errtxt);
free(tmphstbuf);
return NULL;
} else if(hp == NULL) {
snprintf(errbuf, errbufsize, "Resolver internal error");
free(tmphstbuf);
return NULL;
}
if((fd = getstreamsocket(hp->h_addrtype, errbuf, errbufsize)) == -1) {
free(tmphstbuf);
return NULL;
}
switch(hp->h_addrtype) {
case AF_INET:
memset(&in, 0, sizeof(in));
in.sin_family = AF_INET;
in.sin_port = htons(port);
lv2_void* netaddrlist = (lv2_void*)(u64)hp->h_addr_list;
memcpy(&in.sin_addr, (char*)(u64)netaddrlist[0], sizeof(struct in_addr));
r = netConnect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in));
break;
default:
snprintf(errbuf, errbufsize, "Invalid protocol family");
free(tmphstbuf);
return NULL;
}
free(tmphstbuf);
}
if(r < 0) {
if(net_errno == NET_EINPROGRESS) {
struct pollfd pfd;
pfd.fd = fd;
pfd.events = POLLOUT;
pfd.revents = 0;
r = netPoll(&pfd, 1, timeout);
if(r == 0) {
/* Timeout */
snprintf(errbuf, errbufsize, "Connection attempt timed out");
netClose(fd);
return NULL;
}
if(r == -1) {
snprintf(errbuf, errbufsize, "poll() error: %s",
strerror(net_errno));
netClose(fd);
return NULL;
}
netGetSockOpt(fd, SOL_SOCKET, SO_ERROR, (void *)&err, &errlen);
} else {
err = net_errno;
}
} else {
err = 0;
}
if(err != 0) {
snprintf(errbuf, errbufsize, "%s", strerror(err));
netClose(fd);
return NULL;
}
optval = 0;
r = netSetSockOpt(fd, SOL_SOCKET, SO_NBIO, &optval, sizeof(optval));
if(r < 0) {
snprintf(errbuf, errbufsize, "Unable to go blocking: %s",
strerror(net_errno));
netClose(fd);
return NULL;
}
tcpcon_t *tc = calloc(1, sizeof(tcpcon_t));
tc->fd = fd;
htsbuf_queue_init(&tc->spill, 0);
if(ssl) {
#if ENABLE_POLARSSL
if(1) {
tc->ssl = malloc(sizeof(ssl_context));
if(ssl_init(tc->ssl)) {
snprintf(errbuf, errlen, "SSL failed to initialize");
close(fd);
free(tc->ssl);
free(tc);
return NULL;
}
tc->ssn = malloc(sizeof(ssl_session));
tc->hs = malloc(sizeof(havege_state));
havege_init(tc->hs);
memset(tc->ssn, 0, sizeof(ssl_session));
ssl_set_endpoint(tc->ssl, SSL_IS_CLIENT );
ssl_set_authmode(tc->ssl, SSL_VERIFY_NONE );
ssl_set_rng(tc->ssl, havege_rand, tc->hs );
ssl_set_bio(tc->ssl, net_recv, &tc->fd, net_send, &tc->fd);
ssl_set_ciphers(tc->ssl, ssl_default_ciphers );
ssl_set_session(tc->ssl, 1, 600, tc->ssn );
tc->read = polarssl_read;
tc->write = polarssl_write;
} else
#endif
{
snprintf(errbuf, errlen, "SSL not supported");
tcp_close(tc);
return NULL;
}
} else {
tc->read = tcp_read;
tc->write = tcp_write;
}
return tc;
}
static CURLcode
polarssl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
bool sni = TRUE; /* default is SNI enabled */
int ret = -1;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
void *old_session = NULL;
size_t old_session_size = 0;
char errorbuf[128];
errorbuf[0]=0;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
#ifdef THREADING_SUPPORT
entropy_init_mutex(&entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func_mutex, &entropy,
connssl->ssn.id, connssl->ssn.length)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#else
entropy_init(&connssl->entropy);
if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func, &connssl->entropy,
connssl->ssn.id, connssl->ssn.length)) != 0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#endif /* THREADING_SUPPORT */
/* Load the trusted CA */
memset(&connssl->cacert, 0, sizeof(x509_crt));
if(data->set.str[STRING_SSL_CAFILE]) {
ret = x509_crt_parse_file(&connssl->cacert,
data->set.str[STRING_SSL_CAFILE]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAFILE], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
if(data->set.str[STRING_SSL_CAPATH]) {
ret = x509_crt_parse_path(&connssl->cacert,
data->set.str[STRING_SSL_CAPATH]);
if(ret<0) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading ca cert path %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CAPATH], -ret, errorbuf);
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&connssl->clicert, 0, sizeof(x509_crt));
if(data->set.str[STRING_CERT]) {
ret = x509_crt_parse_file(&connssl->clicert,
data->set.str[STRING_CERT]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading client cert file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_CERT], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(data->set.str[STRING_KEY]) {
pk_context pk;
pk_init(&pk);
ret = pk_parse_keyfile(&pk, data->set.str[STRING_KEY],
data->set.str[STRING_KEY_PASSWD]);
if(ret == 0 && !pk_can_do(&pk, POLARSSL_PK_RSA))
ret = POLARSSL_ERR_PK_TYPE_MISMATCH;
if(ret == 0)
rsa_copy(&connssl->rsa, pk_rsa(pk));
else
rsa_free(&connssl->rsa);
pk_free(&pk);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_KEY], -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&connssl->crl, 0, sizeof(x509_crl));
if(data->set.str[STRING_SSL_CRLFILE]) {
ret = x509_crl_parse_file(&connssl->crl,
data->set.str[STRING_SSL_CRLFILE]);
if(ret) {
#ifdef POLARSSL_ERROR_C
error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connecting to %s:%d\n",
conn->host.name, conn->remote_port);
if(ssl_init(&connssl->ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
break;
case CURL_SSLVERSION_SSLv3:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n");
break;
case CURL_SSLVERSION_TLSv1_0:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0\n");
break;
case CURL_SSLVERSION_TLSv1_1:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_2);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1\n");
break;
case CURL_SSLVERSION_TLSv1_2:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_3);
infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
break;
}
ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&connssl->ssl, ctr_drbg_random,
&connssl->ctr_drbg);
ssl_set_bio(&connssl->ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
memcpy(&connssl->ssn, old_session, old_session_size);
infof(data, "PolarSSL re-using session\n");
}
ssl_set_session(&connssl->ssl,
&connssl->ssn);
ssl_set_ca_chain(&connssl->ssl,
&connssl->cacert,
&connssl->crl,
conn->host.name);
ssl_set_own_cert_rsa(&connssl->ssl,
&connssl->clicert, &connssl->rsa);
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
infof(data, "WARNING: failed to configure "
"server name indication (SNI) TLS extension\n");
}
#ifdef HAS_ALPN
if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
if(data->set.ssl_enable_alpn) {
static const char* protocols[] = {
NGHTTP2_PROTO_VERSION_ID, ALPN_HTTP_1_1, NULL
};
ssl_set_alpn_protocols(&connssl->ssl, protocols);
infof(data, "ALPN, offering %s, %s\n", protocols[0],
protocols[1]);
}
}
#endif
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
wiced_result_t wiced_generic_start_tls_with_ciphers( wiced_tls_simple_context_t* tls_context, void* referee, wiced_tls_endpoint_type_t type, wiced_tls_certificate_verification_t verification, const cipher_suite_t* cipher_list[], tls_transport_protocol_t transport_protocol )
{
microrng_state rngstate;
int prev_state;
uint64_t start_time;
tls_result_t result;
/* Initialize the session data */
if ( transport_protocol != TLS_EAP_TRANSPORT )
{
memset( &tls_context->session, 0, sizeof(wiced_tls_session_t) );
}
memset( &tls_context->context, 0, sizeof(wiced_tls_context_t) );
/* Prepare session and entropy */
tls_context->session.age = MAX_TLS_SESSION_AGE;
wwd_wifi_get_random( &rngstate.entropy, 4 );
/* Initialize session context */ /* TODO: Ideally this should be done once for a socket */
if ( ssl_init( &tls_context->context ) != 0 )
{
wiced_assert("Error initialising SSL", 0!=0 );
return WICED_TLS_INIT_FAIL;
}
tls_context->context.transport_protocol = transport_protocol;
microrng_init( &rngstate );
ssl_set_endpoint( &tls_context->context, type );
ssl_set_rng ( &tls_context->context, microrng_rand, &rngstate );
tls_context->context.receive_context = referee;
tls_context->context.send_context = referee;
tls_context->context.get_session = tls_get_session;
tls_context->context.set_session = tls_set_session;
tls_context->context.ciphers = cipher_list;
ssl_set_session ( &tls_context->context, SESSION_CAN_BE_RESUMED, 1000000, &tls_context->session );
/* Assert if user has not created correct TLS context for the TLS endpoint type */
wiced_assert("TLS servers must have an advanced TLS context", !((type == WICED_TLS_AS_SERVER) && (tls_context->context_type != WICED_TLS_ADVANCED_CONTEXT)));
if ( root_ca_certificates != NULL )
{
ssl_set_ca_chain( &tls_context->context, root_ca_certificates, tls_context->context.peer_cn );
ssl_set_authmode( &tls_context->context, verification );
}
else
{
ssl_set_authmode( &tls_context->context, SSL_VERIFY_NONE );
}
if ( tls_context->context_type == WICED_TLS_ADVANCED_CONTEXT )
{
wiced_tls_advanced_context_t* advanced_context = (wiced_tls_advanced_context_t*)tls_context;
ssl_set_own_cert( &advanced_context->context, &advanced_context->certificate, &advanced_context->key );
ssl_set_dh_param( &tls_context->context, diffie_hellman_prime_P, sizeof( diffie_hellman_prime_P ), diffie_hellman_prime_G, sizeof( diffie_hellman_prime_G ) );
}
prev_state = 0;
start_time = tls_host_get_time_ms();
do
{
uint64_t curr_time;
if (type == WICED_TLS_AS_SERVER)
{
result = ssl_handshake_server_async( &tls_context->context );
if ( result != TLS_SUCCESS )
{
WPRINT_SECURITY_INFO(( "Error with TLS server handshake\n" ));
goto exit_with_inited_context;
}
}
else
{
result = ssl_handshake_client_async( &tls_context->context );
if ( result != TLS_SUCCESS )
{
WPRINT_SECURITY_INFO(( "Error with TLS client handshake %u\n", (unsigned int)result ));
goto exit_with_inited_context;
}
}
/* break out if stuck */
curr_time = tls_host_get_time_ms();
if ( curr_time - start_time > MAX_HANDSHAKE_WAIT )
{
WPRINT_SECURITY_INFO(( "Timeout in SSL handshake\n" ));
result = TLS_HANDSHAKE_TIMEOUT;
goto exit_with_inited_context;
}
/* if no state change then wait on client */
if ( prev_state == tls_context->context.state )
{
host_rtos_delay_milliseconds( 10 );
}
else /* otherwise process next state with no delay */
{
prev_state = tls_context->context.state;
}
} while ( tls_context->context.state != SSL_HANDSHAKE_OVER );
return WICED_SUCCESS;
exit_with_inited_context:
ssl_close_notify( &tls_context->context );
ssl_free(&tls_context->context);
return (wiced_result_t) result;
}
tcpcon_t *
tcp_connect(const char *hostname, int port, char *errbuf, size_t errbufsize,
int timeout, int ssl)
{
struct hostent *hp;
char *tmphstbuf;
int fd, val, r, err, herr;
const char *errtxt;
#if !defined(__APPLE__)
struct hostent hostbuf;
size_t hstbuflen;
int res;
#endif
struct sockaddr_in6 in6;
struct sockaddr_in in;
socklen_t errlen = sizeof(int);
if(!strcmp(hostname, "localhost")) {
if((fd = getstreamsocket(AF_INET, errbuf, errbufsize)) == -1)
return NULL;
memset(&in, 0, sizeof(in));
in.sin_family = AF_INET;
in.sin_port = htons(port);
in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
r = connect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in));
} else {
#if defined(__APPLE__)
herr = 0;
tmphstbuf = NULL; /* free NULL is a nop */
/* TODO: AF_INET6 */
hp = gethostbyname(hostname);
if(hp == NULL)
herr = h_errno;
#else
hstbuflen = 1024;
tmphstbuf = malloc(hstbuflen);
while((res = gethostbyname_r(hostname, &hostbuf, tmphstbuf, hstbuflen,
&hp, &herr)) == ERANGE) {
hstbuflen *= 2;
tmphstbuf = realloc(tmphstbuf, hstbuflen);
}
#endif
if(herr != 0) {
switch(herr) {
case HOST_NOT_FOUND:
errtxt = "Unknown host";
break;
case NO_ADDRESS:
errtxt = "The requested name is valid but does not have an IP address";
break;
case NO_RECOVERY:
errtxt = "A non-recoverable name server error occurred";
break;
case TRY_AGAIN:
errtxt = "A temporary error occurred on an authoritative name server";
break;
default:
errtxt = "Unknown error";
break;
}
snprintf(errbuf, errbufsize, "%s", errtxt);
free(tmphstbuf);
return NULL;
} else if(hp == NULL) {
snprintf(errbuf, errbufsize, "Resolver internal error");
free(tmphstbuf);
return NULL;
}
if((fd = getstreamsocket(hp->h_addrtype, errbuf, errbufsize)) == -1) {
free(tmphstbuf);
return NULL;
}
switch(hp->h_addrtype) {
case AF_INET:
memset(&in, 0, sizeof(in));
in.sin_family = AF_INET;
in.sin_port = htons(port);
memcpy(&in.sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
r = connect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in));
break;
case AF_INET6:
memset(&in6, 0, sizeof(in6));
in6.sin6_family = AF_INET6;
in6.sin6_port = htons(port);
memcpy(&in6.sin6_addr, hp->h_addr_list[0], sizeof(struct in6_addr));
r = connect(fd, (struct sockaddr *)&in, sizeof(struct sockaddr_in6));
break;
default:
snprintf(errbuf, errbufsize, "Invalid protocol family");
free(tmphstbuf);
return NULL;
}
free(tmphstbuf);
}
if(r == -1) {
if(errno == EINPROGRESS) {
struct pollfd pfd;
pfd.fd = fd;
pfd.events = POLLOUT;
pfd.revents = 0;
r = poll(&pfd, 1, timeout);
if(r == 0) {
/* Timeout */
snprintf(errbuf, errbufsize, "Connection attempt timed out");
close(fd);
return NULL;
}
if(r == -1) {
snprintf(errbuf, errbufsize, "poll() error: %s", strerror(errno));
close(fd);
return NULL;
}
getsockopt(fd, SOL_SOCKET, SO_ERROR, (void *)&err, &errlen);
} else {
err = errno;
}
} else {
err = 0;
}
if(err != 0) {
snprintf(errbuf, errbufsize, "%s", strerror(err));
close(fd);
return NULL;
}
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
val = 1;
setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
tcpcon_t *tc = calloc(1, sizeof(tcpcon_t));
tc->fd = fd;
htsbuf_queue_init(&tc->spill, 0);
if(ssl) {
#if ENABLE_OPENSSL
if(showtime_ssl_ctx != NULL) {
char errmsg[120];
if((tc->ssl = SSL_new(showtime_ssl_ctx)) == NULL) {
ERR_error_string(ERR_get_error(), errmsg);
snprintf(errbuf, errlen, "SSL: %s", errmsg);
tcp_close(tc);
return NULL;
}
if(SSL_set_fd(tc->ssl, tc->fd) == 0) {
ERR_error_string(ERR_get_error(), errmsg);
snprintf(errbuf, errlen, "SSL fd: %s", errmsg);
tcp_close(tc);
return NULL;
}
if(SSL_connect(tc->ssl) <= 0) {
ERR_error_string(ERR_get_error(), errmsg);
snprintf(errbuf, errlen, "SSL connect: %s", errmsg);
tcp_close(tc);
return NULL;
}
SSL_set_mode(tc->ssl, SSL_MODE_AUTO_RETRY);
tc->read = ssl_read;
tc->write = ssl_write;
} else
#elif ENABLE_POLARSSL
if(1) {
tc->ssl = malloc(sizeof(ssl_context));
if(ssl_init(tc->ssl)) {
snprintf(errbuf, errlen, "SSL failed to initialize");
close(fd);
free(tc->ssl);
free(tc);
return NULL;
}
tc->ssn = malloc(sizeof(ssl_session));
tc->hs = malloc(sizeof(havege_state));
havege_init(tc->hs);
memset(tc->ssn, 0, sizeof(ssl_session));
ssl_set_endpoint(tc->ssl, SSL_IS_CLIENT );
ssl_set_authmode(tc->ssl, SSL_VERIFY_NONE );
ssl_set_rng(tc->ssl, havege_rand, tc->hs );
ssl_set_bio(tc->ssl, net_recv, &tc->fd, net_send, &tc->fd);
ssl_set_ciphers(tc->ssl, ssl_default_ciphers );
ssl_set_session(tc->ssl, 1, 600, tc->ssn );
tc->read = polarssl_read;
tc->write = polarssl_write;
} else
#endif
{
snprintf(errbuf, errlen, "SSL not supported");
tcp_close(tc);
return NULL;
}
} else {
tc->read = tcp_read;
tc->write = tcp_write;
}
return tc;
}
static CURLcode
polarssl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
const char *capath = SSL_CONN_CONFIG(CApath);
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
int ret = -1;
char errorbuf[128];
errorbuf[0]=0;
/* PolarSSL only supports SSLv3 and TLSv1 */
if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
failf(data, "PolarSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef THREADING_SUPPORT
entropy_init_mutex(&entropy);
if((ret = ctr_drbg_init(&BACKEND->ctr_drbg, entropy_func_mutex, &entropy,
NULL, 0)) != 0) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#else
entropy_init(&BACKEND->entropy);
if((ret = ctr_drbg_init(&BACKEND->ctr_drbg, entropy_func, &BACKEND->entropy,
NULL, 0)) != 0) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n",
-ret, errorbuf);
}
#endif /* THREADING_SUPPORT */
/* Load the trusted CA */
memset(&BACKEND->cacert, 0, sizeof(x509_crt));
if(SSL_CONN_CONFIG(CAfile)) {
ret = x509_crt_parse_file(&BACKEND->cacert,
SSL_CONN_CONFIG(CAfile));
if(ret<0) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Error reading ca cert file %s - PolarSSL: (-0x%04X) %s",
SSL_CONN_CONFIG(CAfile), -ret, errorbuf);
if(SSL_CONN_CONFIG(verifypeer))
return CURLE_SSL_CACERT_BADFILE;
}
}
if(capath) {
ret = x509_crt_parse_path(&BACKEND->cacert, capath);
if(ret<0) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Error reading ca cert path %s - PolarSSL: (-0x%04X) %s",
capath, -ret, errorbuf);
if(SSL_CONN_CONFIG(verifypeer))
return CURLE_SSL_CACERT_BADFILE;
}
}
/* Load the client certificate */
memset(&BACKEND->clicert, 0, sizeof(x509_crt));
if(SSL_SET_OPTION(cert)) {
ret = x509_crt_parse_file(&BACKEND->clicert,
SSL_SET_OPTION(cert));
if(ret) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Error reading client cert file %s - PolarSSL: (-0x%04X) %s",
SSL_SET_OPTION(cert), -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the client private key */
if(SSL_SET_OPTION(key)) {
pk_context pk;
pk_init(&pk);
ret = pk_parse_keyfile(&pk, SSL_SET_OPTION(key),
SSL_SET_OPTION(key_passwd));
if(ret == 0 && !pk_can_do(&pk, POLARSSL_PK_RSA))
ret = POLARSSL_ERR_PK_TYPE_MISMATCH;
if(ret == 0)
rsa_copy(&BACKEND->rsa, pk_rsa(pk));
else
rsa_free(&BACKEND->rsa);
pk_free(&pk);
if(ret) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s",
SSL_SET_OPTION(key), -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load the CRL */
memset(&BACKEND->crl, 0, sizeof(x509_crl));
if(SSL_SET_OPTION(CRLfile)) {
ret = x509_crl_parse_file(&BACKEND->crl,
SSL_SET_OPTION(CRLfile));
if(ret) {
error_strerror(ret, errorbuf, sizeof(errorbuf));
failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
SSL_SET_OPTION(CRLfile), -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "PolarSSL: Connecting to %s:%d\n", hostname, port);
if(ssl_init(&BACKEND->ssl)) {
failf(data, "PolarSSL: ssl_init failed");
return CURLE_SSL_CONNECT_ERROR;
}
switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1);
break;
case CURL_SSLVERSION_SSLv3:
ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
ssl_set_max_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n");
break;
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
CURLcode result = set_ssl_version_min_max(conn, sockindex);
if(result != CURLE_OK)
return result;
break;
}
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
}
ssl_set_endpoint(&BACKEND->ssl, SSL_IS_CLIENT);
ssl_set_authmode(&BACKEND->ssl, SSL_VERIFY_OPTIONAL);
ssl_set_rng(&BACKEND->ssl, ctr_drbg_random,
&BACKEND->ctr_drbg);
ssl_set_bio(&BACKEND->ssl,
net_recv, &conn->sock[sockindex],
net_send, &conn->sock[sockindex]);
ssl_set_ciphersuites(&BACKEND->ssl, ssl_list_ciphersuites());
/* Check if there's a cached ID we can/should use here! */
if(SSL_SET_OPTION(primary.sessionid)) {
void *old_session = NULL;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
ret = ssl_set_session(&BACKEND->ssl, old_session);
if(ret) {
Curl_ssl_sessionid_unlock(conn);
failf(data, "ssl_set_session returned -0x%x", -ret);
return CURLE_SSL_CONNECT_ERROR;
}
infof(data, "PolarSSL re-using session\n");
}
Curl_ssl_sessionid_unlock(conn);
}
ssl_set_ca_chain(&BACKEND->ssl,
&BACKEND->cacert,
&BACKEND->crl,
hostname);
ssl_set_own_cert_rsa(&BACKEND->ssl,
&BACKEND->clicert, &BACKEND->rsa);
if(ssl_set_hostname(&BACKEND->ssl, hostname)) {
/* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
to set in the SNI extension. So even if curl connects to a host
specified as an IP address, this function must be used. */
failf(data, "couldn't set hostname in PolarSSL");
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN
if(conn->bits.tls_enable_alpn) {
static const char *protocols[3];
int cur = 0;
#ifdef USE_NGHTTP2
if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
protocols[cur++] = NGHTTP2_PROTO_VERSION_ID;
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
#endif
protocols[cur++] = ALPN_HTTP_1_1;
infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
protocols[cur] = NULL;
ssl_set_alpn_protocols(&BACKEND->ssl, protocols);
}
#endif
#ifdef POLARSSL_DEBUG
ssl_set_dbg(&BACKEND->ssl, polarssl_debug, data);
#endif
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
/*********************************************************************************************************
** 函数名称: __vpnClientConnect
** 功能描述: VPN 客户端链接服务器
** 输 入 : pvpnctx VPN 上下文 (除了 VPNCTX_iVerifyOpt 有初值, 其他字段必须经过清空)
** cpcCACrtFile CA 证书文件 .pem or .crt
** cpcPrivateCrtFile 私有证书文件 .pem or .crt
** cpcKeyFile 私有密钥文件 .pem or .key
** cpcKeyPassword 私有密钥文件解密密码, 如果密钥文件不存在密码, 则为 NULL
** inaddr SSL 服务器地址
** usPort SSL 服务器端口 (网络字节序)
** iSSLTimeoutSec 超时时间(单位秒, 推荐: 600)
** 输 出 : ERROR
** 全局变量:
** 调用模块:
*********************************************************************************************************/
INT __vpnClientOpen (__PVPN_CONTEXT pvpnctx,
CPCHAR cpcCACrtFile,
CPCHAR cpcPrivateCrtFile,
CPCHAR cpcKeyFile,
CPCHAR cpcKeyPassword,
struct in_addr inaddr,
u16_t usPort,
INT iSSLTimeoutSec)
{
INT i;
INT iError = PX_ERROR;
struct sockaddr_in sockaddrinRemote;
(VOID)iSSLTimeoutSec; /* 新的 PolarSSL 暂未使用 */
if (pvpnctx == LW_NULL) {
return (PX_ERROR);
}
pvpnctx->VPNCTX_iMode = __VPN_SSL_CLIENT; /* 设置为 client 模式 */
pvpnctx->VPNCTX_iSocket = PX_ERROR; /* 没有创建 socket */
havege_init(&pvpnctx->VPNCTX_haveagestat); /* 初始化随机数 */
if (pvpnctx->VPNCTX_iVerifyOpt != SSL_VERIFY_NONE) { /* 需要认证证书 */
/*
* 安装 CA 证书和客户端证书
*/
iError = x509parse_crtfile(&pvpnctx->VPNCTX_x509certCA, cpcCACrtFile);
if (iError != ERROR_NONE) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "CA root certificate error.\r\n");
return (PX_ERROR);
}
iError = x509parse_crtfile(&pvpnctx->VPNCTX_x509certPrivate, cpcPrivateCrtFile);
if (iError != ERROR_NONE) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "client certificate error.\r\n");
goto __error_handle;
}
/*
* 安装 RSA 私有密钥
*/
if (cpcKeyFile) {
iError = x509parse_keyfile(&pvpnctx->VPNCTX_rasctx, cpcKeyFile, cpcKeyPassword);
} else {
iError = x509parse_keyfile(&pvpnctx->VPNCTX_rasctx, cpcPrivateCrtFile, cpcKeyPassword);
}
if (iError != ERROR_NONE) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "key file error.\r\n");
goto __error_handle;
}
}
/*
* 链接 SSL 服务器
*/
pvpnctx->VPNCTX_iSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (pvpnctx->VPNCTX_iSocket < 0) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "can not create socket.\r\n");
goto __error_handle;
}
lib_bzero(&sockaddrinRemote, sizeof(sockaddrinRemote));
sockaddrinRemote.sin_len = sizeof(struct sockaddr_in);
sockaddrinRemote.sin_family = AF_INET;
sockaddrinRemote.sin_addr = inaddr;
sockaddrinRemote.sin_port = usPort;
if(connect(pvpnctx->VPNCTX_iSocket,
(struct sockaddr *)&sockaddrinRemote,
sizeof(struct sockaddr_in)) < 0) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "can not connect server.\r\n");
goto __error_handle;
}
havege_init(&pvpnctx->VPNCTX_haveagestat); /* 初始化随机数 */
/*
* 初始化 SSL/STL
*/
if (ssl_init(&pvpnctx->VPNCTX_sslctx) != ERROR_NONE) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "can not init ssl context.\r\n");
goto __error_handle;
}
ssl_set_endpoint(&pvpnctx->VPNCTX_sslctx, SSL_IS_CLIENT);
ssl_set_authmode(&pvpnctx->VPNCTX_sslctx, pvpnctx->VPNCTX_iVerifyOpt);
ssl_set_rng(&pvpnctx->VPNCTX_sslctx, havege_random, &pvpnctx->VPNCTX_haveagestat);
ssl_set_dbg(&pvpnctx->VPNCTX_sslctx, LW_NULL, stdout); /* 不需要 DEBUG 信息 */
ssl_set_bio(&pvpnctx->VPNCTX_sslctx,
net_recv, &pvpnctx->VPNCTX_iSocket,
net_send, &pvpnctx->VPNCTX_iSocket);
ssl_set_ciphersuites(&pvpnctx->VPNCTX_sslctx, ssl_default_ciphersuites);
ssl_set_session(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_sslsn);
ssl_set_ca_chain(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_x509certCA, LW_NULL, LW_NULL);
ssl_set_own_cert(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_x509certPrivate, &pvpnctx->VPNCTX_rasctx);
ssl_set_hostname(&pvpnctx->VPNCTX_sslctx, LW_NULL); /* 不设置服务器名 */
for (i = 0; i < __VPN_SSL_HANDSHAKE_MAX_TIME; i++) {
iError = ssl_handshake(&pvpnctx->VPNCTX_sslctx); /* 握手 */
if (iError == ERROR_NONE) {
break;
} else if ((iError != POLARSSL_ERR_NET_WANT_READ) &&
(iError != POLARSSL_ERR_NET_WANT_WRITE)) {
_DebugHandle(__ERRORMESSAGE_LEVEL, "can not handshake.\r\n");
goto __error_handle;
}
}
if (i >= __VPN_SSL_HANDSHAKE_MAX_TIME) {
goto __error_handle;
}
return (ERROR_NONE);
__error_handle:
if (pvpnctx->VPNCTX_iSocket >= 0) {
net_close(pvpnctx->VPNCTX_iSocket);
}
x509_free(&pvpnctx->VPNCTX_x509certPrivate);
x509_free(&pvpnctx->VPNCTX_x509certCA);
rsa_free(&pvpnctx->VPNCTX_rasctx);
ssl_free(&pvpnctx->VPNCTX_sslctx);
return (PX_ERROR);
}
