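/*
 * Start the HTTPS listener when SERVER_PORT_TLS is non-zero.
 *
 * A libtls server config is built from "<path>/key.pem" and
 * "<path>/crt.pem", applied to a fresh tls_server() context, and the
 * context is handed to HTTPServerListenSecure(). The local config and
 * context are released on every path; the original did the same, so the
 * HTTP layer presumably keeps whatever reference it needs — confirm.
 *
 * Returns 0 on success or when TLS is disabled, -1 on failure with the
 * cause logged through alogf(). On a listen failure server_tls has
 * already been created and is left as-is (unchanged from the original);
 * the caller is expected to tear it down.
 *
 * Relies on file-scope names not visible here: path, listener, blog,
 * server_tls, TLS_CIPHERS, TLS_PROTOCOLS, SERVER_ADDRESS, SERVER_PORT_TLS.
 */
static int init_https(void) {
	struct tls_config *config = NULL;
	struct tls *tls = NULL;
	str_t pemfile[PATH_MAX];
	int rc, n;

	if(!SERVER_PORT_TLS) return 0;

	config = tls_config_new();
	if(!config) {
		alogf("TLS config error: %s\n", strerror(errno));
		return -1;
	}

	/* The tls_config_* setters report their reason via tls_config_error(),
	 * not errno; strerror(errno) here printed a stale or unrelated message. */
	rc = tls_config_set_ciphers(config, TLS_CIPHERS);
	if(0 != rc) {
		alogf("TLS ciphers error: %s\n", tls_config_error(config));
		goto fail;
	}
	tls_config_set_protocols(config, TLS_PROTOCOLS);

	/* Refuse a truncated path rather than loading a file we did not intend. */
	n = snprintf(pemfile, sizeof(pemfile), "%s/key.pem", path);
	if(n < 0 || (size_t)n >= sizeof(pemfile)) {
		alogf("TLS key file error: path too long\n");
		goto fail;
	}
	rc = tls_config_set_key_file(config, pemfile);
	if(0 != rc) {
		alogf("TLS key file error: %s\n", tls_config_error(config));
		goto fail;
	}

	n = snprintf(pemfile, sizeof(pemfile), "%s/crt.pem", path);
	if(n < 0 || (size_t)n >= sizeof(pemfile)) {
		alogf("TLS crt file error: path too long\n");
		goto fail;
	}
	rc = tls_config_set_cert_file(config, pemfile);
	if(0 != rc) {
		alogf("TLS crt file error: %s\n", tls_config_error(config));
		goto fail;
	}

	tls = tls_server();
	if(!tls) {
		alogf("TLS engine error: %s\n", strerror(errno));
		goto fail;
	}

	rc = tls_configure(tls, config);
	/* tls_configure() takes its own reference on the config, so the local
	 * one can be dropped regardless of the outcome. */
	tls_config_free(config);
	config = NULL;
	if(0 != rc) {
		alogf("TLS config error: %s\n", tls_error(tls));
		goto fail;
	}

	server_tls = HTTPServerCreate((HTTPListener)listener, blog);
	if(!server_tls) {
		alogf("HTTPS server could not be initialized\n");
		goto fail;
	}

	rc = HTTPServerListenSecure(server_tls, SERVER_ADDRESS, SERVER_PORT_TLS, &tls);
	tls_free(tls);
	tls = NULL;
	if(rc < 0) {
		alogf("HTTPS server could not be started: %s\n", sln_strerror(rc));
		return -1;
	}

	int const port = SERVER_PORT_TLS;
	alogf("StrongLink server running at https://localhost:%d/\n", port);
	return 0;

fail:
	/* libtls' free functions accept NULL, so one label serves every stage. */
	tls_free(tls);
	tls_config_free(config);
	return -1;
}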
/*
 * Allocate a tls_config populated with the library defaults: the default
 * CA file, no DHE params, automatic ECDHE curve selection, the "secure"
 * cipher set, the default protocol mask, verify depth 6 and peer
 * verification enabled.
 *
 * Returns the new config, or NULL if allocation or any checked setter
 * fails (the partially built config is freed).
 */
struct tls_config *
tls_config_new(void)
{
	struct tls_config *config = calloc(1, sizeof(*config));

	if (config == NULL)
		return (NULL);

	/* Short-circuit evaluation keeps the original setter order and
	 * stops at the first failure. */
	if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) == 0 &&
	    tls_config_set_dheparams(config, "none") == 0 &&
	    tls_config_set_ecdhecurve(config, "auto") == 0 &&
	    tls_config_set_ciphers(config, "secure") == 0) {
		tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
		tls_config_set_verify_depth(config, 6);
		tls_config_verify(config);
		return (config);
	}

	tls_config_free(config);
	return (NULL);
}
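/*
 * Usage: prog <host>. Opens a TLS connection to host:443 with all
 * protocols enabled and the "fast" cipher alias, then prints the peer
 * certificate's subject fields.
 *
 * Every failure exits through errx(3), so nothing is freed on error
 * paths. The certificate is printed and freed after the context is gone,
 * as in the original, which presumes tls_get_peer_cert() returns an
 * independently owned object — confirm against the libtls in use.
 */
int main(int argc, char *argv[]) {
	if (argc < 2)
		errx(1, "give host as arg\n");
	const char *host = argv[1];

	if (tls_init() < 0)
		errx(1, "tls_init");

	struct tls_config *conf = tls_config_new();
	if (conf == NULL)
		errx(1, "tls_config_new");
	tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
	/* A rejected cipher string previously went unnoticed. */
	if (tls_config_set_ciphers(conf, "fast") != 0)
		errx(1, "tls_config_set_ciphers");

	struct tls *ctx = tls_client();
	if (ctx == NULL)
		errx(1, "tls_client");
	if (tls_configure(ctx, conf) < 0)
		errx(1, "tls_configure: %s", tls_error(ctx));
	if (tls_connect(ctx, host, "443") < 0)
		errx(1, "tls_connect: %s", tls_error(ctx));
	printf("connect ok\n");

	struct tls_cert_info *cert;
	if (tls_get_peer_cert(ctx, &cert) < 0)
		errx(1, "tls_get_peer_cert: %s", tls_error(ctx));

	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(conf);

	printf(" CN='%s'\n", cert->subject.common_name);
	printf(" C='%s'\n", cert->subject.country_name);
	printf(" ST='%s'\n", cert->subject.state_or_province_name);
	printf(" L='%s'\n", cert->subject.locality_name);
	printf(" S='%s'\n", cert->subject.street_address);
	printf(" O='%s'\n", cert->subject.organization_name);
	printf(" OU='%s'\n", cert->subject.organizational_unit_name);
	tls_cert_free(cert);
	return 0;
}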
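/*
 * Run the fidistat server daemon until `term` is set by the SIGTERM
 * handler.
 *
 * Sets up syslog, the pid file, signal handlers and the TLS listening
 * socket (initTLS_S() on a fresh tls_server() context), then forks one
 * worker per accepted connection. Never returns: the process leaves via
 * exit(0) after cleanup.
 *
 * Uses file-scope state not visible here: term, sckt, tlsServer_conf, and
 * the helpers daemon_start(), initConf(), destroyConf(), initTLS_S(),
 * worker(), handleSigterm_S() and handleChild().
 */
void server() {
	fprintf(stdout, "Starting fidistat Server...\n");
	openlog("fidistat-server", LOG_PID, LOG_DAEMON);
	syslog(LOG_INFO, "Started Fidistat Server");
	struct pidfh *pfh = daemon_start('s');

	signal(SIGTERM, handleSigterm_S);
	signal(SIGCHLD, handleChild);

	initConf();
	tls_init();
	struct tls* ctx = tls_server();
	int sock = initTLS_S(ctx);
	sckt = sock;

	/* A socket that never entered the listening state would make every
	 * accept() below fail; skip the loop and shut down cleanly instead.
	 * %m expands to strerror(errno) inside syslog(3). */
	int listening = (listen(sock, 10) == 0);
	if (!listening)
		syslog(LOG_ERR, "listen failed: %m");

	destroyConf();

	while (listening && !term) {
		int connfd = accept(sock, (struct sockaddr*) NULL, NULL);
		if (term) {
			if (connfd >= 0)
				close(connfd);
			break;
		}
		if (connfd < 0) {
			/* Also reached on EINTR, e.g. SIGCHLD from a finished worker. */
			syslog(LOG_WARNING, "accept failed: %m");
			continue;
		}

		pid_t pid = fork();
		if (pid < 0) {
			syslog(LOG_ERR, "forking new Worker failed");
			close(connfd);  /* previously leaked on this path */
		} else if (pid == 0) {
			close(sock);
			syslog(LOG_INFO, "New incoming connection");
			worker(connfd, ctx);
			syslog(LOG_INFO, "Closing connection");
			exit(0);
		} else {
			close(connfd);  /* the child owns the connection */
		}
	}

	syslog(LOG_INFO, "Shutting down Server");
	close(sock);
	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(tlsServer_conf);
	pidfile_remove(pfh);
	syslog(LOG_INFO, "Stopped Fidistat Server");
	closelog();
	exit(0);
}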
/*
 * Release a Worker and everything it owns; a NULL argument is a no-op.
 * Unregisters the libevent handle, drops the TLS config and both TLS
 * contexts, then scrubs the struct before freeing it so a dangling
 * reference is more likely to fault than to reuse stale pointers.
 */
static void
free_worker(struct Worker *w)
{
	if (w == NULL)
		return;

	event_del(&w->ev);

	tls_config_free(w->config);
	tls_free(w->ctx);
	tls_free(w->base);

	memset(w, 0, sizeof *w);
	free(w);
}
/*
 * Allocate a tls_config with a fresh keypair and the library defaults:
 * no DHE params, default ECDHE curves, the "secure" cipher set, the
 * default protocol mask, verify depth 6, a random session ID context,
 * auto-rekeyed session tickets, server cipher preference and peer
 * verification enabled.
 *
 * Returns the config (refcount 1, session_fd -1), or NULL if allocation
 * or any checked setter fails; the partial config is freed on that path.
 */
struct tls_config *
tls_config_new_internal(void)
{
	unsigned char sid[TLS_MAX_SESSION_ID_LENGTH];
	struct tls_config *config = calloc(1, sizeof(*config));

	if (config == NULL)
		return (NULL);
	if ((config->keypair = tls_keypair_new()) == NULL)
		goto err;

	config->refcount = 1;
	config->session_fd = -1;

	/* Defaults; || keeps the original order and stops at the first failure. */
	if (tls_config_set_dheparams(config, "none") != 0 ||
	    tls_config_set_ecdhecurves(config, "default") != 0 ||
	    tls_config_set_ciphers(config, "secure") != 0 ||
	    tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT) != 0 ||
	    tls_config_set_verify_depth(config, 6) != 0)
		goto err;

	/*
	 * Random session ID context: adequate for a single-process server.
	 * Multi-process servers must set a shared value themselves.
	 */
	arc4random_buf(sid, sizeof(sid));
	if (tls_config_set_session_id(config, sid, sizeof(sid)) != 0)
		goto err;

	config->ticket_keyrev = arc4random();
	config->ticket_autorekey = 1;

	tls_config_prefer_ciphers_server(config);
	tls_config_verify(config);

	return (config);

err:
	tls_config_free(config);
	return (NULL);
}
/*
 * Release a Worker and everything it owns; a NULL argument is a no-op.
 * The event is removed only if it was ever initialised and the socket
 * closed only when it holds a positive descriptor (0 is treated as
 * "none" here). The struct is scrubbed before free() so a dangling
 * reference is more likely to fault than to reuse stale pointers.
 */
static void
free_worker(struct Worker *w)
{
	if (w == NULL)
		return;

	if (event_initialized(&w->ev))
		event_del(&w->ev);

	tls_free(w->ctx);
	tls_free(w->base);
	tls_config_free(w->config);

	if (w->socket > 0)
		close(w->socket);

	memset(w, 0, sizeof *w);
	free(w);
}
/*
 * Attach a config to a context, falling back to tls_config_default when
 * config is NULL. The new config's refcount is bumped before the old one
 * is released, so re-applying the config a context already holds is safe.
 * Server contexts additionally run tls_configure_server().
 *
 * Returns 0, or whatever tls_configure_server() returns for a server.
 */
int
tls_configure(struct tls *ctx, struct tls_config *config)
{
	struct tls_config *chosen = (config != NULL) ? config : tls_config_default;

	chosen->refcount++;
	tls_config_free(ctx->config);
	ctx->config = chosen;
	ctx->keypair = chosen->keypair;

	if ((ctx->flags & TLS_SERVER) == 0)
		return (0);
	return (tls_configure_server(ctx));
}
/* Free every node of an SNI context list. */
static void
tls_reset_free_sni(struct tls_sni_ctx *sni)
{
	while (sni != NULL) {
		struct tls_sni_ctx *next = sni->next;
		tls_sni_ctx_free(sni);
		sni = next;
	}
}

/*
 * Return a context to its freshly-created state: drop the config
 * reference, the SSL objects, peer certificate, server name, last
 * error, connection info, OCSP state, SNI contexts and I/O callbacks,
 * and mark the socket as not set (-1). The context itself is not freed.
 */
void
tls_reset(struct tls *ctx)
{
	tls_config_free(ctx->config);
	ctx->config = NULL;

	SSL_CTX_free(ctx->ssl_ctx);
	SSL_free(ctx->ssl_conn);
	X509_free(ctx->ssl_peer_cert);
	ctx->ssl_conn = NULL;
	ctx->ssl_ctx = NULL;
	ctx->ssl_peer_cert = NULL;
	/* X509 objects in chain are freed with the SSL */
	ctx->ssl_peer_chain = NULL;

	ctx->socket = -1;
	ctx->state = 0;

	free(ctx->servername);
	ctx->servername = NULL;

	free(ctx->error.msg);
	ctx->error.msg = NULL;
	ctx->error.num = -1;

	tls_conninfo_free(ctx->conninfo);
	ctx->conninfo = NULL;

	tls_ocsp_free(ctx->ocsp);
	ctx->ocsp = NULL;

	tls_reset_free_sni(ctx->sni_ctx);
	ctx->sni_ctx = NULL;

	ctx->read_cb = NULL;
	ctx->write_cb = NULL;
	ctx->cb_arg = NULL;
}
/*
 * Undo tls_init(): release the default config and the compatibility
 * layer, then clean up the underlying libssl. The libssl teardown path
 * depends on whether the build uses the library's internal cleanup
 * entry points or the single OPENSSL_cleanup(). Safe to call when the
 * library was never initialised.
 */
void
tls_deinit(void)
{
	if (!tls_initialised)
		return;

	tls_compat_cleanup();
	tls_config_free(tls_config_default);
	tls_config_default = NULL;

#ifdef USE_LIBSSL_INTERNALS
	EVP_cleanup();
	CRYPTO_cleanup_all_ex_data();
	BIO_sock_cleanup();
	ERR_clear_error();
	ERR_remove_thread_state(NULL);
	ERR_free_strings();
#else
	OPENSSL_cleanup();
#endif

	tls_initialised = 0;
}
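/*
 * Usage: prog <host>. Connects to host:443, completes the handshake, then
 * prints the connection summary, the peer certificate's subject and the
 * OCSP status (stapled first, then a responder lookup).
 *
 * Every failure exits through errx(3), so nothing is freed on error
 * paths. Relies on show_ocsp_info() and test_context() from this file and
 * on the wrapper's tls_get_connection_info()/tls_ocsp_check_peer().
 */
int main(int argc, char *argv[]) {
	char buf[256];

	if (argc < 2)
		errx(1, "give host as arg\n");
	const char *host = argv[1];

#ifdef USUAL_LIBSSL_FOR_TLS
	printf("libssl: %s\n", SSLeay_version(SSLEAY_VERSION));
#endif

	if (tls_init() < 0)
		errx(1, "tls_init");

	struct tls_config *conf = tls_config_new();
	if (conf == NULL)
		errx(1, "tls_config_new");
	tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
	/* A rejected cipher string previously went unnoticed. */
	if (tls_config_set_ciphers(conf, "fast") != 0)
		errx(1, "tls_config_set_ciphers");

	struct tls *ctx = tls_client();
	if (ctx == NULL)
		errx(1, "tls_client");
	if (tls_configure(ctx, conf) < 0)
		errx(1, "tls_configure: %s", tls_error(ctx));
	if (tls_connect(ctx, host, "443") < 0)
		errx(1, "tls_connect: %s", tls_error(ctx));
	if (tls_handshake(ctx) < 0)
		errx(1, "tls_handshake: %s", tls_error(ctx));

	struct tls_cert *cert;
	if (tls_get_peer_cert(ctx, &cert, NULL) < 0)
		errx(1, "tls_get_peer_cert: %s", tls_error(ctx));

	tls_get_connection_info(ctx, buf, sizeof buf);
	printf("Connection: '%s'\n", buf);
	printf(" CN='%s'\n", cert->subject.common_name);
	printf(" C='%s'\n", cert->subject.country_name);
	printf(" ST='%s'\n", cert->subject.state_or_province_name);
	printf(" L='%s'\n", cert->subject.locality_name);
	printf(" S='%s'\n", cert->subject.street_address);
	printf(" O='%s'\n", cert->subject.organization_name);
	printf(" OU='%s'\n", cert->subject.organizational_unit_name);

	show_ocsp_info("OCSP stapling", ctx);

	struct tls *ocsp = NULL;
	int res = tls_ocsp_check_peer(&ocsp, NULL, ctx);
	if (ocsp != NULL) {
		show_ocsp_info("OCSP responder", ocsp);
		tls_free(ocsp);
	} else if (res == TLS_NO_OCSP) {
		printf("OCSP responder: No OCSP support in libtls\n");
	}

	/* Dead call kept from the original; presumably it keeps test_context()
	 * referenced so it does not trigger an unused-function warning. */
	if (0)
		test_context(ctx);

	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(conf);
	tls_cert_free(cert);
	return 0;
}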
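/*
 * Usage: prog <host>. Connects to host:443 with an explicit cipher list
 * and the system CA bundle, completes the handshake and reports success.
 *
 * Every failure exits through errx(3), so nothing is freed on error
 * paths.
 */
int main(int argc, char *argv[]) {
	if (argc < 2)
		errx(1, "give host as arg\n");
	const char *host = argv[1];

	if (tls_init() < 0)
		errx(1, "tls_init");

	struct tls_config *conf = tls_config_new();
	if (conf == NULL)
		errx(1, "tls_config_new");
	tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
	/* Both setters signal failure through their return value; previously a
	 * rejected cipher string or an unreadable CA bundle went unnoticed, so
	 * a CA bundle that cannot be loaded is now reported at configuration
	 * time rather than surfacing later. */
	if (tls_config_set_ciphers(conf, "HIGH:+3DES:!aNULL") != 0)
		errx(1, "tls_config_set_ciphers");
	if (tls_config_set_ca_file(conf, "/etc/ssl/certs/ca-certificates.crt") != 0)
		errx(1, "tls_config_set_ca_file");

	struct tls *ctx = tls_client();
	if (ctx == NULL)
		errx(1, "tls_client");
	if (tls_configure(ctx, conf) < 0)
		errx(1, "tls_configure: %s", tls_error(ctx));
	if (tls_connect(ctx, host, "443") < 0)
		errx(1, "tls_connect: %s", tls_error(ctx));
	if (tls_handshake(ctx) < 0)
		errx(1, "tls_handshake: %s", tls_error(ctx));
	printf("connect ok\n");

	tls_close(ctx);
	tls_free(ctx);
	tls_config_free(conf);
	return 0;
}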
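/*
 * Minimal libtls chat server for local testing.
 *
 * Listens on 127.0.0.1:9000 with the "secure" protocol set, an explicit
 * ECDHE cipher list and the key/cert in private.pem / server.crt, accepts
 * one client, greets it, then relays stdin to the client and prints
 * whatever the client sends until stdin starts with ':' or has 'q' as
 * its second character, or either side closes.
 *
 * Fixes relative to the original: bufc is zeroed before the loop
 * condition first reads it (it was uninitialised); socket(), listen()
 * and accept() results are checked; a failed or empty read(0) no longer
 * passes a negative length to tls_write(); tls_read() leaves room for
 * the NUL the following printf needs; outlen is printed with %zd; and
 * the accepted connection (tls2) is the one closed and freed — the
 * original closed the listening context and leaked tls2.
 *
 * Any error message is printed and the process exits with status 1.
 */
int main(int argc, char **argv) {
	struct tls_config *config = NULL;
	struct tls *tls = NULL;
	struct tls *tls2 = NULL;
	unsigned int protocols = 0;
	struct sockaddr_in server, client;
	socklen_t client_size;
	int sock, sc;
	int opt = 1;
	ssize_t outlen = 0;
	char bufs[1000], bufc[1000];
	char *msg = "HELLO TLS CLIENT\n";
	char *ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384";
	struct pollfd pfd[2];

	if(tls_init() < 0) {
		printf("tls_init error\n");
		exit(1);
	}
	config = tls_config_new();
	if(config == NULL) {
		printf("tls_config_new error\n");
		exit(1);
	}
	tls = tls_server();
	if(tls == NULL) {
		printf("tls_server error\n");
		exit(1);
	}
	if(tls_config_parse_protocols(&protocols, "secure") < 0) {
		printf("tls_config_parse_protocols error\n");
		exit(1);
	}
	tls_config_set_protocols(config, protocols);
	if(tls_config_set_ciphers(config, ciphers) < 0) {
		printf("tls_config_set_ciphers error\n");
		exit(1);
	}
	if(tls_config_set_key_file(config, "private.pem") < 0) {
		printf("tls_config_set_key_file error\n");
		exit(1);
	}
	if(tls_config_set_cert_file(config, "server.crt") < 0) {
		printf("tls_config_set_cert_file error\n");
		exit(1);
	}
	if(tls_configure(tls, config) < 0) {
		printf("tls_configure error: %s\n", tls_error(tls));
		exit(1);
	}

	sock = socket(AF_INET, SOCK_STREAM, 0);
	if(sock < 0) {
		printf("socket error\n");
		exit(1);
	}
	bzero(&server, sizeof(server));
	server.sin_addr.s_addr = inet_addr("127.0.0.1");
	server.sin_port = htons(9000);
	server.sin_family = AF_INET;
	setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
	if(bind(sock, (struct sockaddr *) &server, sizeof(server)) < 0) {
		printf("erro bind\n");
		exit(1);
	}
	if(listen(sock, 10) < 0) {
		printf("listen error\n");
		exit(1);
	}

	client_size = sizeof(client);
	sc = accept(sock, (struct sockaddr *) &client, &client_size);
	if(sc < 0) {
		printf("accept error\n");
		exit(1);
	}
	if(tls_accept_socket(tls, &tls2, sc) < 0) {
		printf("tls_accept_socket error\n");
		exit(1);
	}
	tls_write(tls2, msg, strlen(msg));

	pfd[0].fd = 0;
	pfd[0].events = POLLIN;
	pfd[1].fd = sc;
	pfd[1].events = POLLIN;

	/* The loop condition inspects bufc before anything has been read. */
	bzero(bufc, sizeof(bufc));
	/* NOTE(review): with && the loop also ends on a lone leading ':' or a
	 * 'q' in the second column; if the intent was the exact ":q" command
	 * the test would be !(bufc[0] == ':' && bufc[1] == 'q'). Left as-is. */
	while(bufc[0] != ':' && bufc[1] != 'q') {
		if(poll(pfd, 2, -1) < 0)
			break;
		bzero(bufs, sizeof(bufs));
		bzero(bufc, sizeof(bufc));
		if(pfd[0].revents & POLLIN) {
			ssize_t q = read(0, bufc, sizeof(bufc));
			if(q <= 0)  /* EOF or error on stdin: stop relaying */
				break;
			tls_write(tls2, bufc, (size_t)q);
		}
		if(pfd[1].revents & POLLIN) {
			/* Leave one byte so the buffer stays NUL-terminated for %s. */
			if((outlen = tls_read(tls2, bufs, sizeof(bufs) - 1)) <= 0)
				break;
			printf("Mensagem (%zd): %s\n", outlen, bufs);
		}
	}

	tls_close(tls2);
	tls_free(tls2);
	close(sc);
	close(sock);
	tls_free(tls);
	tls_config_free(config);
	return 0;
}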