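/*
 * Bring up the HTTPS listener.
 *
 * Builds a libtls server configuration from "<path>/key.pem" and
 * "<path>/crt.pem", applies the TLS_CIPHERS / TLS_PROTOCOLS policy, creates
 * a server context and hands it to HTTPServerListenSecure().  `path`,
 * `listener`, `blog` and `server_tls` are file-scope names of the
 * surrounding file.
 *
 * Returns 0 on success, and also when SERVER_PORT_TLS is 0 (HTTPS disabled).
 * Returns -1 on any failure after logging the reason via alogf(); every
 * intermediate object is released on the way out.
 */
static int init_https(void) {
	int status = -1;
	int rc;
	int n;
	struct tls_config *config = NULL;
	struct tls *tls = NULL;
	str_t pemfile[PATH_MAX];

	if(!SERVER_PORT_TLS) return 0;

	config = tls_config_new();
	if(!config) {
		alogf("TLS config error: %s\n", strerror(errno));
		goto cleanup;
	}
	/* libtls config setters report their reason through tls_config_error(),
	 * not errno; strerror(errno) here would print an unrelated message. */
	if(0 != tls_config_set_ciphers(config, TLS_CIPHERS)) {
		alogf("TLS ciphers error: %s\n", tls_config_error(config));
		goto cleanup;
	}
	/* A rejected protocol set must not silently leave the library default
	 * in place, so the return value is checked like the other setters. */
	if(0 != tls_config_set_protocols(config, TLS_PROTOCOLS)) {
		alogf("TLS protocols error: %s\n", tls_config_error(config));
		goto cleanup;
	}
	/* A truncated path would point the key/cert lookup at a different file. */
	n = snprintf(pemfile, sizeof(pemfile), "%s/key.pem", path);
	if(n < 0 || (size_t)n >= sizeof(pemfile)) {
		alogf("TLS key file path too long\n");
		goto cleanup;
	}
	if(0 != tls_config_set_key_file(config, pemfile)) {
		alogf("TLS key file error: %s\n", tls_config_error(config));
		goto cleanup;
	}
	n = snprintf(pemfile, sizeof(pemfile), "%s/crt.pem", path);
	if(n < 0 || (size_t)n >= sizeof(pemfile)) {
		alogf("TLS crt file path too long\n");
		goto cleanup;
	}
	if(0 != tls_config_set_cert_file(config, pemfile)) {
		alogf("TLS crt file error: %s\n", tls_config_error(config));
		goto cleanup;
	}

	tls = tls_server();
	if(!tls) {
		alogf("TLS engine error: %s\n", strerror(errno));
		goto cleanup;
	}
	rc = tls_configure(tls, config);
	/* The context has taken what it needs from the config at this point. */
	tls_config_free(config); config = NULL;
	if(0 != rc) {
		alogf("TLS config error: %s\n", tls_error(tls));
		goto cleanup;
	}

	server_tls = HTTPServerCreate((HTTPListener)listener, blog);
	if(!server_tls) {
		alogf("HTTPS server could not be initialized\n");
		goto cleanup;
	}
	rc = HTTPServerListenSecure(server_tls, SERVER_ADDRESS, SERVER_PORT_TLS, &tls);
	/* Released on both outcomes, as before: the listener owns its own copy. */
	tls_free(tls); tls = NULL;
	if(rc < 0) {
		alogf("HTTPS server could not be started: %s\n", sln_strerror(rc));
		goto cleanup;
	}
	int const port = SERVER_PORT_TLS;
	alogf("StrongLink server running at https://localhost:%d/\n", port);
	status = 0;

cleanup:
	/* Both are NULL on the success path; libtls accepts NULL here. */
	tls_free(tls);
	tls_config_free(config);
	return status;
}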
/*
 * Allocate a tls_config populated with the library defaults: the system CA
 * file, no DHE parameters, automatic ECDHE curve selection, the "secure"
 * cipher list, TLS_PROTOCOLS_DEFAULT, a verify depth of 6 and peer
 * verification switched on.
 *
 * Returns NULL when allocation or any of the checked setters fails; a
 * partially built config is freed before returning.
 */
struct tls_config *
tls_config_new(void)
{
    struct tls_config *cfg = calloc(1, sizeof *cfg);
    int ok;

    if (cfg == NULL)
        return (NULL);

    /* Short-circuit evaluation keeps the setter order and stops at the
     * first failure, exactly like a chain of goto-on-error checks. */
    ok = tls_config_set_ca_file(cfg, _PATH_SSL_CA_FILE) == 0 &&
        tls_config_set_dheparams(cfg, "none") == 0 &&
        tls_config_set_ecdhecurve(cfg, "auto") == 0 &&
        tls_config_set_ciphers(cfg, "secure") == 0;
    if (!ok) {
        tls_config_free(cfg);
        return (NULL);
    }

    tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT);
    tls_config_set_verify_depth(cfg, 6);
    tls_config_verify(cfg);

    return (cfg);
}
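/*
 * Connect to argv[1] on port 443 over TLS and print the subject fields of
 * the peer certificate.  Every failure exits with status 1 via errx().
 */
int main(int argc, char *argv[])
{
	struct tls_config *conf;
	struct tls *ctx;
	struct tls_cert_info *cert;
	int res;
	const char *host;

	if (argc < 2)
		errx(1, "give host as arg\n");
	host = argv[1];

	res = tls_init();
	if (res < 0)
		errx(1, "tls_init");

	conf = tls_config_new();
	if (!conf)
		errx(1, "tls_config_new");

	/* TLS_PROTOCOLS_ALL widens the protocol set beyond the library default
	 * (TLS_PROTOCOLS_DEFAULT) so the probe can reach old servers; not a
	 * setting to copy into production code. */
	tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
	/* An unrecognised cipher-list name is an error, not a fallback; left
	 * unchecked it would silently keep the default list. */
	res = tls_config_set_ciphers(conf, "fast");
	if (res != 0)
		errx(1, "tls_config_set_ciphers");

	ctx = tls_client();
	if (!ctx)
		errx(1, "tls_client");

	res = tls_configure(ctx, conf);
	if (res < 0)
		errx(1, "tls_configure: %s", tls_error(ctx));

	res = tls_connect(ctx, host, "443");
	if (res < 0)
		errx(1, "tls_connect: %s", tls_error(ctx));

	printf("connect ok\n");

	/* NOTE(review): no explicit tls_handshake() precedes this call; confirm
	 * that tls_connect() completes the handshake in this libtls variant. */
	res = tls_get_peer_cert(ctx, &cert);
	if (res < 0)
		errx(1, "tls_get_peer_cert: %s", tls_error(ctx));

	/* `cert` is a separately owned copy (released with tls_cert_free), so
	 * the connection can be torn down before it is printed. */
	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(conf);

	printf("  CN='%s'\n", cert->subject.common_name);
	printf("  C='%s'\n", cert->subject.country_name);
	printf("  ST='%s'\n", cert->subject.state_or_province_name);
	printf("  L='%s'\n", cert->subject.locality_name);
	printf("  S='%s'\n", cert->subject.street_address);
	printf("  O='%s'\n", cert->subject.organization_name);
	printf("  OU='%s'\n", cert->subject.organizational_unit_name);

	tls_cert_free(cert);
	return 0;
}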
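/*
 * Run the fidistat server: daemonise, install the signal handlers, open the
 * TLS listening socket and fork one worker per accepted connection until
 * the file-scope `term` flag is raised.  Never returns; the process exits
 * with 0 after a clean shutdown and 1 when the listener could not be set up.
 *
 * `term`, `sckt`, `tlsServer_conf`, the signal handlers and the
 * initConf/initTLS_S/worker/destroyConf helpers are defined elsewhere in
 * this file.
 */
void server(void) {
    // load Config File and Settings
    fprintf(stdout, "Starting fidistat Server...\n");
    openlog("fidistat-server", LOG_PID, LOG_DAEMON);
    syslog(LOG_INFO, "Started Fidistat Server");

    struct pidfh *pfh = daemon_start('s');

    // Handle Signals
    signal(SIGTERM, handleSigterm_S);
    signal(SIGCHLD, handleChild);

    // Open Socket
    initConf();
    struct tls *ctx = NULL;
    int sock = -1;
    int ok = 1;
    if (tls_init() < 0) {
        syslog(LOG_ERR, "tls_init failed");
        ok = 0;
    } else if ((ctx = tls_server()) == NULL) {
        syslog(LOG_ERR, "tls_server failed");
        ok = 0;
    } else {
        sock = initTLS_S(ctx);
        sckt = sock;
        // listen() also catches a bad descriptor coming back from initTLS_S.
        if (listen(sock, 10) < 0) {
            syslog(LOG_ERR, "listen failed: %m");
            ok = 0;
        }
    }

    // Destroy Config
    destroyConf();

    while (ok && !term) {
        int connfd = accept(sock, (struct sockaddr*) NULL, NULL);

        if (term) {
            if (connfd >= 0) {
                close(connfd);
            }
            break;
        }
        if (connfd < 0) {
            // A failed accept (e.g. interrupted by SIGCHLD) must not be
            // handed to a worker as a descriptor; log and wait again.
            syslog(LOG_ERR, "accept failed: %m");
            continue;
        }
        int pid = fork();
        if (pid < 0) {
            syslog(LOG_ERR, "forking new Worker failed");
            close(connfd);
        } else if (pid == 0) {
            close(sock);
            syslog(LOG_INFO, "New incoming connection");
            worker(connfd, ctx);
            syslog(LOG_INFO, "Closing connection");
            exit(0);
        } else {
            close(connfd);
        }
    }
    syslog(LOG_INFO, "Shutting down Server");
    if (sock >= 0) {
        close(sock);
    }
    if (ctx != NULL) {
        tls_close(ctx);
        tls_free(ctx);
    }
    tls_config_free(tlsServer_conf);

    pidfile_remove(pfh);
    syslog(LOG_INFO, "Stopped Fidistat Server");
    closelog();
    exit(ok ? 0 : 1);
}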
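/*
 * Release a Worker and everything it owns: its libevent registration, both
 * TLS contexts and the TLS config.  Accepts NULL.
 */
static void free_worker(struct Worker *w)
{
	if (!w)
		return;
	/* event_del() is only valid on an event that has been initialised;
	 * a Worker torn down before its event was set up must skip it. */
	if (event_initialized(&w->ev))
		event_del(&w->ev);
	/* tls_configure() bumps the config refcount for each context, so drop
	 * the contexts first and let the config go last. */
	tls_free(w->ctx);
	tls_free(w->base);
	tls_config_free(w->config);
	/* Scrub the struct before freeing so a stale pointer cannot reuse the
	 * old handles. */
	memset(w, 0, sizeof *w);
	free(w);
}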
/*
 * Allocate a tls_config with a fresh keypair, refcount 1 and the library
 * defaults: no DHE params, the "default" ECDHE curve list, the "secure"
 * cipher list, TLS_PROTOCOLS_DEFAULT, verify depth 6, a random session ID,
 * automatic ticket-key rotation, server cipher preference and peer
 * verification enabled.
 *
 * The random session ID context is sufficient for a single-process server;
 * multi-process servers must set a shared one themselves.
 *
 * Returns NULL on any failure; a partially built config is freed first.
 */
struct tls_config *
tls_config_new_internal(void)
{
	struct tls_config *cfg;
	unsigned char sid[TLS_MAX_SESSION_ID_LENGTH];
	int ok;

	cfg = calloc(1, sizeof *cfg);
	if (cfg == NULL)
		return (NULL);

	cfg->keypair = tls_keypair_new();
	if (cfg->keypair == NULL) {
		tls_config_free(cfg);
		return (NULL);
	}

	cfg->refcount = 1;
	cfg->session_fd = -1;

	/* Setters run in the original order and stop at the first failure. */
	ok = tls_config_set_dheparams(cfg, "none") == 0 &&
	    tls_config_set_ecdhecurves(cfg, "default") == 0 &&
	    tls_config_set_ciphers(cfg, "secure") == 0 &&
	    tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) == 0 &&
	    tls_config_set_verify_depth(cfg, 6) == 0;
	if (ok) {
		arc4random_buf(sid, sizeof sid);
		ok = tls_config_set_session_id(cfg, sid, sizeof sid) == 0;
	}
	if (!ok) {
		tls_config_free(cfg);
		return (NULL);
	}

	cfg->ticket_keyrev = arc4random();
	cfg->ticket_autorekey = 1;

	tls_config_prefer_ciphers_server(cfg);
	tls_config_verify(cfg);

	return (cfg);
}
/*
 * Tear down a Worker: unregister its event (if it was ever initialised),
 * free both TLS contexts and the config, close its socket when one is set,
 * then scrub and free the struct.  NULL is accepted and ignored.
 */
static void free_worker(struct Worker *w)
{
	struct tls *conn;
	struct tls *base;
	struct tls_config *cfg;
	int fd;

	if (w == NULL)
		return;

	if (event_initialized(&w->ev))
		event_del(&w->ev);

	conn = w->ctx;
	base = w->base;
	cfg = w->config;
	fd = w->socket;

	tls_free(conn);
	tls_free(base);
	tls_config_free(cfg);
	/* A socket value of 0 is treated as "not set" here. */
	if (fd > 0)
		close(fd);

	/* Wipe the handles before the memory is returned to the allocator. */
	memset(w, 0, sizeof *w);
	free(w);
}
/*
 * Attach a config to a context, replacing any config it already holds.
 * A NULL config selects the file-scope tls_config_default.  Server contexts
 * (TLS_SERVER flag) additionally run tls_configure_server() and return its
 * result; clients return 0.
 */
int
tls_configure(struct tls *ctx, struct tls_config *config)
{
	struct tls_config *cfg = (config != NULL) ? config : tls_config_default;

	/* Take the new reference before dropping the old one, so re-applying
	 * the config the context already holds cannot free it underneath us. */
	cfg->refcount++;
	tls_config_free(ctx->config);

	ctx->config = cfg;
	ctx->keypair = cfg->keypair;

	if (ctx->flags & TLS_SERVER)
		return (tls_configure_server(ctx));

	return (0);
}
/*
 * Return a context to its freshly-allocated state: release the config
 * reference, the SSL objects, the peer certificate, the server name, the
 * stored error, connection info, OCSP state and all SNI contexts, and clear
 * the socket, state and I/O callbacks.  The context itself is not freed.
 */
void
tls_reset(struct tls *ctx)
{
	struct tls_sni_ctx *sni;
	struct tls_sni_ctx *next;

	tls_config_free(ctx->config);
	ctx->config = NULL;

	SSL_CTX_free(ctx->ssl_ctx);
	ctx->ssl_ctx = NULL;
	SSL_free(ctx->ssl_conn);
	ctx->ssl_conn = NULL;
	X509_free(ctx->ssl_peer_cert);
	ctx->ssl_peer_cert = NULL;
	/* X509 objects in chain are freed with the SSL */
	ctx->ssl_peer_chain = NULL;

	ctx->socket = -1;
	ctx->state = 0;

	free(ctx->servername);
	ctx->servername = NULL;

	free(ctx->error.msg);
	ctx->error.msg = NULL;
	ctx->error.num = -1;

	tls_conninfo_free(ctx->conninfo);
	ctx->conninfo = NULL;

	tls_ocsp_free(ctx->ocsp);
	ctx->ocsp = NULL;

	/* Walk the singly linked SNI list, saving the successor before each
	 * node is freed. */
	sni = ctx->sni_ctx;
	while (sni != NULL) {
		next = sni->next;
		tls_sni_ctx_free(sni);
		sni = next;
	}
	ctx->sni_ctx = NULL;

	ctx->read_cb = NULL;
	ctx->write_cb = NULL;
	ctx->cb_arg = NULL;
}
/*
 * Undo tls_init(): release the default config and the libssl global state.
 * A no-op unless the file-scope tls_initialised flag is set; clears the
 * flag afterwards so repeated calls are harmless.
 */
void
tls_deinit(void)
{
	if (!tls_initialised)
		return;

	tls_compat_cleanup();

	tls_config_free(tls_config_default);
	tls_config_default = NULL;

#ifdef USE_LIBSSL_INTERNALS
	/* Older libssl: tear down the pieces individually. */
	EVP_cleanup();
	CRYPTO_cleanup_all_ex_data();
	BIO_sock_cleanup();
	ERR_clear_error();
	ERR_remove_thread_state(NULL);
	ERR_free_strings();
#else
	OPENSSL_cleanup();
#endif

	tls_initialised = 0;
}
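/*
 * Connect to argv[1]:443 over TLS, print the negotiated connection details,
 * the peer certificate subject and the OCSP status (stapled and, when
 * supported, from the responder).  Every failure exits with status 1 via
 * errx().
 */
int main(int argc, char *argv[])
{
	struct tls_config *conf;
	struct tls *ctx, *ocsp;
	struct tls_cert *cert;
	int res;
	const char *host;
	char buf[256];

	if (argc < 2)
		errx(1, "give host as arg\n");
	host = argv[1];

#ifdef USUAL_LIBSSL_FOR_TLS
	printf("libssl: %s\n", SSLeay_version(SSLEAY_VERSION));
#endif
	res = tls_init();
	if (res < 0)
		errx(1, "tls_init");

	conf = tls_config_new();
	if (!conf)
		errx(1, "tls_config_new");

	/* TLS_PROTOCOLS_ALL widens the protocol set beyond the library default
	 * (TLS_PROTOCOLS_DEFAULT) so the probe can reach old servers; not a
	 * setting to copy into production code. */
	tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
	/* An unrecognised cipher-list name is an error, not a fallback; left
	 * unchecked it would silently keep the default list. */
	res = tls_config_set_ciphers(conf, "fast");
	if (res != 0)
		errx(1, "tls_config_set_ciphers");

	ctx = tls_client();
	if (!ctx)
		errx(1, "tls_client");

	res = tls_configure(ctx, conf);
	if (res < 0)
		errx(1, "tls_configure: %s", tls_error(ctx));

	res = tls_connect(ctx, host, "443");
	if (res < 0)
		errx(1, "tls_connect: %s", tls_error(ctx));

	res = tls_handshake(ctx);
	if (res < 0)
		errx(1, "tls_handshake: %s", tls_error(ctx));

	res = tls_get_peer_cert(ctx, &cert, NULL);
	if (res < 0)
		errx(1, "tls_get_peer_cert: %s", tls_error(ctx));

	tls_get_connection_info(ctx, buf, sizeof buf);

	printf("Connection: '%s'\n", buf);
	printf("  CN='%s'\n", cert->subject.common_name);
	printf("  C='%s'\n", cert->subject.country_name);
	printf("  ST='%s'\n", cert->subject.state_or_province_name);
	printf("  L='%s'\n", cert->subject.locality_name);
	printf("  S='%s'\n", cert->subject.street_address);
	printf("  O='%s'\n", cert->subject.organization_name);
	printf("  OU='%s'\n", cert->subject.organizational_unit_name);

	show_ocsp_info("OCSP stapling", ctx);

	ocsp = NULL;
	res = tls_ocsp_check_peer(&ocsp, NULL, ctx);
	if (ocsp) {
		show_ocsp_info("OCSP responder", ocsp);
		tls_free(ocsp);
	} else if (res == TLS_NO_OCSP) {
		printf("OCSP responder: No OCSP support in libtls\n");
	} else if (res < 0) {
		/* Previously silent: a failed responder query was indistinguishable
		 * from "nothing to report". */
		printf("OCSP responder: check failed (%d)\n", res);
	}

	/* Deliberately never executed; kept as in the original. */
	if (0) test_context(ctx);

	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(conf);
	tls_cert_free(cert);

	return 0;
}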
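/*
 * Connect to argv[1]:443 over TLS with an explicit cipher list and CA
 * bundle, complete the handshake and report success.  Every failure exits
 * with status 1 via errx().
 */
int main(int argc, char *argv[])
{
	struct tls_config *conf;
	struct tls *ctx;
	int res;
	const char *host;

	if (argc < 2)
		errx(1, "give host as arg\n");
	host = argv[1];

	res = tls_init();
	if (res < 0)
		errx(1, "tls_init");

	conf = tls_config_new();
	if (!conf)
		errx(1, "tls_config_new");

	/* TLS_PROTOCOLS_ALL widens the protocol set beyond the library default
	 * (TLS_PROTOCOLS_DEFAULT); acceptable for a probe, not for production. */
	tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
	/* Both setters can fail (unparsable cipher string, unreadable CA file);
	 * unchecked, the connection would proceed with the defaults instead. */
	res = tls_config_set_ciphers(conf, "HIGH:+3DES:!aNULL");
	if (res != 0)
		errx(1, "tls_config_set_ciphers");
	/* Debian-style bundle path; other distributions keep it elsewhere. */
	res = tls_config_set_ca_file(conf, "/etc/ssl/certs/ca-certificates.crt");
	if (res != 0)
		errx(1, "tls_config_set_ca_file");

	ctx = tls_client();
	if (!ctx)
		errx(1, "tls_client");

	res = tls_configure(ctx, conf);
	if (res < 0)
		errx(1, "tls_configure: %s", tls_error(ctx));

	res = tls_connect(ctx, host, "443");
	if (res < 0)
		errx(1, "tls_connect: %s", tls_error(ctx));

	res = tls_handshake(ctx);
	if (res < 0)
		errx(1, "tls_handshake: %s", tls_error(ctx));

	printf("connect ok\n");

	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(conf);

	return 0;
}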
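/*
 * Minimal libtls chat server: listens on 127.0.0.1:9000, accepts a single
 * client, greets it, then relays stdin to the client and prints whatever
 * the client sends until the operator types ":q", stdin hits EOF or the
 * connection ends.
 *
 * Returns 0 on a normal shutdown and 1 on any setup or I/O failure; every
 * descriptor and libtls object is released on both paths.
 */
int main(int argc, char **argv) {
	(void)argc;
	(void)argv;

	int status = 1;
	struct tls_config *config = NULL;
	struct tls *tls = NULL;   /* server context */
	struct tls *tls2 = NULL;  /* per-connection context from tls_accept_socket() */
	int sock = -1;
	int sc = -1;
	unsigned int protocols = 0;
	struct sockaddr_in server, client;
	socklen_t client_size = sizeof(client);
	int opt = 1;
	ssize_t outlen = 0;
	/* bufc is tested by the loop condition before anything has been read
	 * into it, so it must start zeroed rather than hold stack garbage. */
	char bufs[1000], bufc[1000] = {0};
	const char *msg = "HELLO TLS CLIENT\n";

	const char *ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384";

	struct pollfd pfd[2];

	if(tls_init() < 0) {
		printf("tls_init error\n");
		goto cleanup;
	}

	config = tls_config_new();
	if(config == NULL) {
		printf("tls_config_new error\n");
		goto cleanup;
	}

	tls = tls_server();
	if(tls == NULL) {
		printf("tls_server error\n");
		goto cleanup;
	}

	if(tls_config_parse_protocols(&protocols, "secure") < 0) {
		printf("tls_config_parse_protocols error\n");
		goto cleanup;
	}

	tls_config_set_protocols(config, protocols);

	if(tls_config_set_ciphers(config, ciphers) < 0) {
		printf("tls_config_set_ciphers error\n");
		goto cleanup;
	}

	if(tls_config_set_key_file(config, "private.pem") < 0) {
		printf("tls_config_set_key_file error\n");
		goto cleanup;
	}

	if(tls_config_set_cert_file(config, "server.crt") < 0) {
		printf("tls_config_set_cert_file error\n");
		goto cleanup;
	}

	if(tls_configure(tls, config) < 0) {
		printf("tls_configure error: %s\n", tls_error(tls));
		goto cleanup;
	}

	sock = socket(AF_INET, SOCK_STREAM, 0);
	if(sock < 0) {
		printf("socket error\n");
		goto cleanup;
	}

	memset(&server, 0, sizeof(server));
	server.sin_addr.s_addr = inet_addr("127.0.0.1");
	server.sin_port = htons(9000);
	server.sin_family = AF_INET;

	/* The option value is an int; pass its real size, not a literal 4. */
	setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
	if(bind(sock, (struct sockaddr *) &server, sizeof(server)) < 0) {
		printf("erro bind\n");
		goto cleanup;
	}
	if(listen(sock, 10) < 0) {
		printf("listen error\n");
		goto cleanup;
	}

	sc = accept(sock, (struct sockaddr *) &client, &client_size);
	if(sc < 0) {
		printf("accept error\n");
		goto cleanup;
	}

	if(tls_accept_socket(tls, &tls2, sc) < 0) {
		printf("tls_accept_socket error\n");
		goto cleanup;
	}

	if(tls_write(tls2, msg, strlen(msg)) < 0) {
		printf("tls_write error: %s\n", tls_error(tls2));
		goto cleanup;
	}

	pfd[0].fd = 0;   /* stdin */
	pfd[0].events = POLLIN;
	pfd[1].fd = sc;
	pfd[1].events = POLLIN;

	status = 0;
	/* Stop on ":q".  The original `bufc[0] != ':' && bufc[1] != 'q'` quit
	 * on any line with ':' in column 0 *or* 'q' in column 1. */
	while(!(bufc[0] == ':' && bufc[1] == 'q')) {

		if(poll(pfd, 2, -1) < 0) {
			printf("poll error\n");
			status = 1;
			break;
		}

		memset(bufs, 0, sizeof(bufs));
		memset(bufc, 0, sizeof(bufc));

		if(pfd[0].revents & POLLIN) {
			/* Reserve one byte so bufc stays NUL-terminated for the quit
			 * test; stop on EOF or error instead of writing a negative
			 * length to the peer. */
			ssize_t q = read(0, bufc, sizeof(bufc) - 1);
			if(q <= 0) break;
			if(tls_write(tls2, bufc, (size_t)q) < 0) {
				printf("tls_write error: %s\n", tls_error(tls2));
				status = 1;
				break;
			}
		}

		if(pfd[1].revents & POLLIN) {
			/* Same one-byte reserve keeps bufs printable as a string. */
			if((outlen = tls_read(tls2, bufs, sizeof(bufs) - 1)) <= 0) break;
			printf("Mensagem (%zd): %s\n", outlen, bufs);
		}
	}

cleanup:
	/* The connection context is the one to close; the server context only
	 * carries the configuration. */
	if(tls2 != NULL) {
		tls_close(tls2);
		tls_free(tls2);
	}
	if(sc >= 0) close(sc);
	if(sock >= 0) close(sock);
	tls_free(tls);
	tls_config_free(config);

	return status;
}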