/* Init necessary structures for SSL in WebIf*/
SSL_CTX *SSL_Webif_Init(void)
{
SSL_CTX *ctx;
static const char *cs_cert = "oscam.pem";
// set locking callbacks for SSL
int32_t i, num = CRYPTO_num_locks();
lock_cs = (CS_MUTEX_LOCK *) OPENSSL_malloc(num * sizeof(CS_MUTEX_LOCK));
for(i = 0; i < num; ++i)
{
cs_lock_create(__func__, &lock_cs[i], "ssl_lock_cs", 10000);
}
/* static lock callbacks */
CRYPTO_set_id_callback(SSL_id_function);
CRYPTO_set_locking_callback(SSL_locking_function);
/* dynamic lock callbacks */
CRYPTO_set_dynlock_create_callback(SSL_dyn_create_function);
CRYPTO_set_dynlock_lock_callback(SSL_dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(SSL_dyn_destroy_function);
if(cfg.http_force_sslv3)
{
ctx = SSL_CTX_new(SSLv3_server_method());
#ifdef SSL_CTX_clear_options
SSL_CTX_clear_options(ctx, SSL_OP_ALL); //we CLEAR all bug workarounds! This is for security reason
#else
cs_log("WARNING: You enabled to force sslv3 but your system does not support to clear the ssl workarounds! SSL security will be reduced!");
#endif
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); // we force SSL v3 !
SSL_CTX_set_cipher_list(ctx, SSL_TXT_RC4);
}
else
{ ctx = SSL_CTX_new(SSLv23_server_method()); }
char path[128];
if(!cfg.http_cert)
{ get_config_filename(path, sizeof(path), cs_cert); }
else
{ cs_strncpy(path, cfg.http_cert, sizeof(path)); }
if(!ctx)
goto out_err;
if(SSL_CTX_use_certificate_file(ctx, path, SSL_FILETYPE_PEM) <= 0)
goto out_err;
if(SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0)
goto out_err;
if(!SSL_CTX_check_private_key(ctx))
{
cs_log("SSL: Private key does not match the certificate public key");
goto out_err;
}
cs_log("load ssl certificate file %s", path);
return ctx;
out_err:
ERR_print_errors_fp(stderr);
ERR_remove_state(0);
SSL_CTX_free(ctx);
return NULL;
}
/*
* This function loads all the client/CA certificates and CRLs. Setup the TLS
* layer and do all necessary magic.
*/
static CURLcode
cyassl_connect_step1(struct connectdata *conn,
int sockindex)
{
char error_buffer[CYASSL_MAX_ERROR_SZ];
char *ciphers;
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
SSL_METHOD* req_method = NULL;
curl_socket_t sockfd = conn->sock[sockindex];
#ifdef HAVE_SNI
bool sni = FALSE;
#define use_sni(x) sni = (x)
#else
#define use_sni(x) Curl_nop_stmt
#endif
if(connssl->state == ssl_connection_complete)
return CURLE_OK;
if(SSL_CONN_CONFIG(version_max) != CURL_SSLVERSION_MAX_NONE) {
failf(data, "CyaSSL does not support to set maximum SSL/TLS version");
return CURLE_SSL_CONNECT_ERROR;
}
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */
/* minimum protocol version is set later after the CTX object is created */
req_method = SSLv23_client_method();
#else
infof(data, "CyaSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, "
"TLS 1.0 is used exclusively\n");
req_method = TLSv1_client_method();
#endif
use_sni(TRUE);
break;
case CURL_SSLVERSION_TLSv1_0:
#ifdef WOLFSSL_ALLOW_TLSV10
req_method = TLSv1_client_method();
use_sni(TRUE);
#else
failf(data, "CyaSSL does not support TLS 1.0");
return CURLE_NOT_BUILT_IN;
#endif
break;
case CURL_SSLVERSION_TLSv1_1:
req_method = TLSv1_1_client_method();
use_sni(TRUE);
break;
case CURL_SSLVERSION_TLSv1_2:
req_method = TLSv1_2_client_method();
use_sni(TRUE);
break;
case CURL_SSLVERSION_TLSv1_3:
#ifdef WOLFSSL_TLS13
req_method = wolfTLSv1_3_client_method();
use_sni(TRUE);
break;
#else
failf(data, "CyaSSL: TLS 1.3 is not yet supported");
return CURLE_SSL_CONNECT_ERROR;
#endif
case CURL_SSLVERSION_SSLv3:
#ifdef WOLFSSL_ALLOW_SSLV3
req_method = SSLv3_client_method();
use_sni(FALSE);
#else
failf(data, "CyaSSL does not support SSLv3");
return CURLE_NOT_BUILT_IN;
#endif
break;
case CURL_SSLVERSION_SSLv2:
failf(data, "CyaSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
}
if(!req_method) {
failf(data, "SSL: couldn't create a method!");
return CURLE_OUT_OF_MEMORY;
}
if(BACKEND->ctx)
SSL_CTX_free(BACKEND->ctx);
BACKEND->ctx = SSL_CTX_new(req_method);
if(!BACKEND->ctx) {
failf(data, "SSL: couldn't create a context!");
return CURLE_OUT_OF_MEMORY;
}
switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
#if LIBCYASSL_VERSION_HEX > 0x03004006 /* > 3.4.6 */
/* Versions 3.3.0 to 3.4.6 we know the minimum protocol version is whatever
minimum version of TLS was built in and at least TLS 1.0. For later library
versions that could change (eg TLS 1.0 built in but defaults to TLS 1.1) so
we have this short circuit evaluation to find the minimum supported TLS
version. We use wolfSSL_CTX_SetMinVersion and not CyaSSL_SetMinVersion
because only the former will work before the user's CTX callback is called.
*/
if((wolfSSL_CTX_SetMinVersion(BACKEND->ctx, WOLFSSL_TLSV1) != 1) &&
(wolfSSL_CTX_SetMinVersion(BACKEND->ctx, WOLFSSL_TLSV1_1) != 1) &&
(wolfSSL_CTX_SetMinVersion(BACKEND->ctx, WOLFSSL_TLSV1_2) != 1)
#ifdef WOLFSSL_TLS13
&& (wolfSSL_CTX_SetMinVersion(BACKEND->ctx, WOLFSSL_TLSV1_3) != 1)
#endif
) {
failf(data, "SSL: couldn't set the minimum protocol version");
return CURLE_SSL_CONNECT_ERROR;
}
#endif
break;
}
ciphers = SSL_CONN_CONFIG(cipher_list);
if(ciphers) {
if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
failf(data, "failed setting cipher list: %s", ciphers);
return CURLE_SSL_CIPHER;
}
infof(data, "Cipher selection: %s\n", ciphers);
}
#ifndef NO_FILESYSTEM
/* load trusted cacert */
if(SSL_CONN_CONFIG(CAfile)) {
if(1 != SSL_CTX_load_verify_locations(BACKEND->ctx,
SSL_CONN_CONFIG(CAfile),
SSL_CONN_CONFIG(CApath))) {
if(SSL_CONN_CONFIG(verifypeer)) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
SSL_CONN_CONFIG(CAfile)?
SSL_CONN_CONFIG(CAfile): "none",
SSL_CONN_CONFIG(CApath)?
SSL_CONN_CONFIG(CApath) : "none");
return CURLE_SSL_CACERT_BADFILE;
}
else {
/* Just continue with a warning if no strict certificate
verification is required. */
infof(data, "error setting certificate verify locations,"
" continuing anyway:\n");
}
}
else {
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:\n");
}
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
"none",
SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath):
"none");
}
/* Load the client certificate, and private key */
if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
int file_type = do_file_type(SSL_SET_OPTION(cert_type));
if(SSL_CTX_use_certificate_file(BACKEND->ctx, SSL_SET_OPTION(cert),
file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");
return CURLE_SSL_CONNECT_ERROR;
}
file_type = do_file_type(SSL_SET_OPTION(key_type));
if(SSL_CTX_use_PrivateKey_file(BACKEND->ctx, SSL_SET_OPTION(key),
file_type) != 1) {
failf(data, "unable to set private key");
return CURLE_SSL_CONNECT_ERROR;
}
}
#endif /* !NO_FILESYSTEM */
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
* anyway. In the latter case the result of the verification is checked with
* SSL_get_verify_result() below. */
SSL_CTX_set_verify(BACKEND->ctx,
SSL_CONN_CONFIG(verifypeer)?SSL_VERIFY_PEER:
SSL_VERIFY_NONE,
NULL);
#ifdef HAVE_SNI
if(sni) {
struct in_addr addr4;
#ifdef ENABLE_IPV6
struct in6_addr addr6;
#endif
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
size_t hostname_len = strlen(hostname);
if((hostname_len < USHRT_MAX) &&
(0 == Curl_inet_pton(AF_INET, hostname, &addr4)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr6)) &&
#endif
(CyaSSL_CTX_UseSNI(BACKEND->ctx, CYASSL_SNI_HOST_NAME, hostname,
(unsigned short)hostname_len) != 1)) {
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");
}
}
#endif
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
CURLcode result = CURLE_OK;
result = (*data->set.ssl.fsslctx)(data, BACKEND->ctx,
data->set.ssl.fsslctxp);
if(result) {
failf(data, "error signaled by ssl ctx callback");
return result;
}
}
#ifdef NO_FILESYSTEM
else if(SSL_CONN_CONFIG(verifypeer)) {
failf(data, "SSL: Certificates couldn't be loaded because CyaSSL was built"
" with \"no filesystem\". Either disable peer verification"
" (insecure) or if you are building an application with libcurl you"
" can load certificates via CURLOPT_SSL_CTX_FUNCTION.");
return CURLE_SSL_CONNECT_ERROR;
}
#endif
/* Let's make an SSL structure */
if(BACKEND->handle)
SSL_free(BACKEND->handle);
BACKEND->handle = SSL_new(BACKEND->ctx);
if(!BACKEND->handle) {
failf(data, "SSL: couldn't create a context (handle)!");
return CURLE_OUT_OF_MEMORY;
}
#ifdef HAVE_ALPN
if(conn->bits.tls_enable_alpn) {
char protocols[128];
*protocols = '\0';
/* wolfSSL's ALPN protocol name list format is a comma separated string of
protocols in descending order of preference, eg: "h2,http/1.1" */
#ifdef USE_NGHTTP2
if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
strcpy(protocols + strlen(protocols), NGHTTP2_PROTO_VERSION_ID ",");
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
if(wolfSSL_UseALPN(BACKEND->handle, protocols,
(unsigned)strlen(protocols),
WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != SSL_SUCCESS) {
failf(data, "SSL: failed setting ALPN protocols");
return CURLE_SSL_CONNECT_ERROR;
}
}
#endif /* HAVE_ALPN */
/* Check if there's a cached ID we can/should use here! */
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
Curl_ssl_sessionid_unlock(conn);
failf(data, "SSL: SSL_set_session failed: %s",
ERR_error_string(SSL_get_error(BACKEND->handle, 0),
error_buffer));
return CURLE_SSL_CONNECT_ERROR;
}
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
Curl_ssl_sessionid_unlock(conn);
}
/* pass the raw socket into the SSL layer */
if(!SSL_set_fd(BACKEND->handle, (int)sockfd)) {
failf(data, "SSL: SSL_set_fd failed");
return CURLE_SSL_CONNECT_ERROR;
}
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
int s_time_main(int argc, char **argv)
{
char buf[1024 * 8];
SSL *scon = NULL;
SSL_CTX *ctx = NULL;
const SSL_METHOD *meth = NULL;
char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL;
char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
double totalTime = 0.0;
int noCApath = 0, noCAfile = 0;
int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs = 0;
long bytes_read = 0, finishtime = 0;
OPTION_CHOICE o;
int max_version = 0, ver, buf_len;
size_t buf_size;
meth = TLS_client_method();
prog = opt_init(argc, argv, s_time_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(s_time_options);
ret = 0;
goto end;
case OPT_CONNECT:
host = opt_arg();
break;
case OPT_REUSE:
perform = 2;
break;
case OPT_NEW:
perform = 1;
break;
case OPT_VERIFY:
if (!opt_int(opt_arg(), &verify_args.depth))
goto opthelp;
BIO_printf(bio_err, "%s: verify depth is %d\n",
prog, verify_args.depth);
break;
case OPT_CERT:
certfile = opt_arg();
break;
case OPT_KEY:
keyfile = opt_arg();
break;
case OPT_CAPATH:
CApath = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_CIPHER:
cipher = opt_arg();
break;
case OPT_BUGS:
st_bugs = 1;
break;
case OPT_TIME:
if (!opt_int(opt_arg(), &maxtime))
goto opthelp;
break;
case OPT_WWW:
www_path = opt_arg();
buf_size = strlen(www_path) + sizeof(fmt_http_get_cmd) - 2; /* 2 is for %s */
if (buf_size > sizeof(buf)) {
BIO_printf(bio_err, "%s: -www option is too long\n", prog);
goto end;
}
break;
case OPT_SSL3:
max_version = SSL3_VERSION;
break;
}
}
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
if (cipher == NULL)
cipher = getenv("SSL_CIPHER");
if (cipher == NULL) {
BIO_printf(bio_err, "No CIPHER specified\n");
goto end;
}
if ((ctx = SSL_CTX_new(meth)) == NULL)
goto end;
SSL_CTX_set_quiet_shutdown(ctx, 1);
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto end;
if (st_bugs)
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (!SSL_CTX_set_cipher_list(ctx, cipher))
goto end;
if (!set_cert_stuff(ctx, certfile, keyfile))
goto end;
if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
ERR_print_errors(bio_err);
goto end;
}
if (!(perform & 1))
goto next;
printf("Collecting connection statistics for %d seconds\n", maxtime);
/* Loop and time how long it takes to make connections */
bytes_read = 0;
finishtime = (long)time(NULL) + maxtime;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
if ((scon = doConnection(NULL, host, ctx)) == NULL)
goto end;
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof buf,
fmt_http_get_cmd, www_path);
if (SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
BIO_closesocket(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
SSL_free(scon);
scon = NULL;
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
i = (int)((long)time(NULL) - finishtime + maxtime);
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
/*
* Now loop and time connections using the same session id over and over
*/
next:
if (!(perform & 2))
goto end;
printf("\n\nNow timing with session id reuse.\n");
/* Get an SSL object so we can reuse the session id */
if ((scon = doConnection(NULL, host, ctx)) == NULL) {
BIO_printf(bio_err, "Unable to get connection\n");
goto end;
}
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof buf,
fmt_http_get_cmd, www_path);
if (SSL_write(scon, buf, buf_len) <= 0)
goto end;
while (SSL_read(scon, buf, sizeof(buf)) > 0)
continue;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
BIO_closesocket(SSL_get_fd(scon));
nConn = 0;
totalTime = 0.0;
finishtime = (long)time(NULL) + maxtime;
printf("starting\n");
bytes_read = 0;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
if ((doConnection(scon, host, ctx)) == NULL)
goto end;
if (www_path) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
www_path);
if (SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
BIO_closesocket(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
ret = 0;
end:
SSL_free(scon);
SSL_CTX_free(ctx);
return (ret);
}
static int test_ssl_set_bio(int idx)
{
SSL_CTX *ctx = SSL_CTX_new(TLS_method());
BIO *bio1 = NULL;
BIO *bio2 = NULL;
BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
SSL *ssl = NULL;
int initrbio, initwbio, newrbio, newwbio;
int testresult = 0;
if (ctx == NULL) {
printf("Failed to allocate SSL_CTX\n");
goto end;
}
ssl = SSL_new(ctx);
if (ssl == NULL) {
printf("Failed to allocate SSL object\n");
goto end;
}
initrbio = idx % 3;
idx /= 3;
initwbio = idx % 3;
idx /= 3;
newrbio = idx % 3;
idx /= 3;
newwbio = idx;
OPENSSL_assert(newwbio <= 2);
if (initrbio == USE_BIO_1 || initwbio == USE_BIO_1 || newrbio == USE_BIO_1
|| newwbio == USE_BIO_1) {
bio1 = BIO_new(BIO_s_mem());
if (bio1 == NULL) {
printf("Failed to allocate bio1\n");
goto end;
}
}
if (initrbio == USE_BIO_2 || initwbio == USE_BIO_2 || newrbio == USE_BIO_2
|| newwbio == USE_BIO_2) {
bio2 = BIO_new(BIO_s_mem());
if (bio2 == NULL) {
printf("Failed to allocate bio2\n");
goto end;
}
}
setupbio(&irbio, bio1, bio2, initrbio);
setupbio(&iwbio, bio1, bio2, initwbio);
/*
* We want to maintain our own refs to these BIO, so do an up ref for each
* BIO that will have ownersip transferred in the SSL_set_bio() call
*/
if (irbio != NULL)
BIO_up_ref(irbio);
if (iwbio != NULL && iwbio != irbio)
BIO_up_ref(iwbio);
SSL_set_bio(ssl, irbio, iwbio);
setupbio(&nrbio, bio1, bio2, newrbio);
setupbio(&nwbio, bio1, bio2, newwbio);
/*
* We will (maybe) transfer ownership again so do more up refs.
* SSL_set_bio() has some really complicated ownership rules where BIOs have
* already been set!
*/
if (nrbio != NULL && nrbio != irbio && (nwbio != iwbio || nrbio != nwbio))
BIO_up_ref(nrbio);
if (nwbio != NULL && nwbio != nrbio && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
BIO_up_ref(nwbio);
SSL_set_bio(ssl, nrbio, nwbio);
testresult = 1;
end:
SSL_free(ssl);
BIO_free(bio1);
BIO_free(bio2);
/*
* This test is checking that the ref counting for SSL_set_bio is correct.
* If we get here and we did too many frees then we will fail in the above
* functions. If we haven't done enough then this will only be detected in
* a crypto-mdebug build
*/
SSL_CTX_free(ctx);
return testresult;
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
SSL_METHOD* method = 0;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
const char msg[] = "I hear you fa shizzle!";
char input[80];
int ch;
int version = SERVER_DEFAULT_VERSION;
int doCliCertCheck = 1;
int useAnyAddr = 0;
word16 port = wolfSSLPort;
int usePsk = 0;
int useAnon = 0;
int doDTLS = 0;
int needDH = 0;
int useNtruKey = 0;
int nonBlocking = 0;
int trackMemory = 0;
int fewerPackets = 0;
int pkCallbacks = 0;
int serverReadyFile = 0;
int wc_shutdown = 0;
int resume = 0;
int resumeCount = 0;
int loopIndefinitely = 0;
int echoData = 0;
int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
int doListen = 1;
int ret;
char* alpnList = NULL;
unsigned char alpn_opt = 0;
char* cipherList = NULL;
const char* verifyCert = cliCert;
const char* ourCert = svrCert;
const char* ourKey = svrKey;
const char* ourDhParam = dhParam;
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
#ifndef NO_PSK
int sendPskIdentityHint = 1;
#endif
#ifdef HAVE_SNI
char* sniHostName = NULL;
#endif
#ifdef HAVE_OCSP
int useOcsp = 0;
char* ocspUrl = NULL;
#endif
((func_args*)args)->return_code = -1; /* error state */
#ifdef NO_RSA
verifyCert = (char*)cliEccCert;
ourCert = (char*)eccCert;
ourKey = (char*)eccKey;
#endif
(void)trackMemory;
(void)pkCallbacks;
(void)needDH;
(void)ourKey;
(void)ourCert;
(void)ourDhParam;
(void)verifyCert;
(void)useNtruKey;
(void)doCliCertCheck;
(void)minDhKeyBits;
(void)alpnList;
(void)alpn_opt;
#ifdef CYASSL_TIRTOS
fdOpenSession(Task_self());
#endif
#ifdef WOLFSSL_VXWORKS
useAnyAddr = 1;
#else
while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:L:ieB:"))
!= -1) {
switch (ch) {
case '?' :
Usage();
exit(EXIT_SUCCESS);
case 'd' :
doCliCertCheck = 0;
break;
case 'b' :
useAnyAddr = 1;
break;
case 's' :
usePsk = 1;
break;
case 't' :
#ifdef USE_WOLFSSL_MEMORY
trackMemory = 1;
#endif
break;
case 'n' :
useNtruKey = 1;
break;
case 'u' :
doDTLS = 1;
break;
case 'f' :
fewerPackets = 1;
break;
case 'R' :
serverReadyFile = 1;
break;
case 'r' :
#ifndef NO_SESSION_CACHE
resume = 1;
#endif
break;
case 'P' :
#ifdef HAVE_PK_CALLBACKS
pkCallbacks = 1;
#endif
break;
case 'p' :
port = (word16)atoi(myoptarg);
#if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API)
if (port == 0)
err_sys("port number cannot be 0");
#endif
break;
case 'w' :
wc_shutdown = 1;
break;
case 'v' :
version = atoi(myoptarg);
if (version < 0 || version > 3) {
Usage();
exit(MY_EX_USAGE);
}
break;
case 'l' :
cipherList = myoptarg;
break;
case 'A' :
verifyCert = myoptarg;
break;
case 'c' :
ourCert = myoptarg;
break;
case 'k' :
ourKey = myoptarg;
break;
case 'D' :
#ifndef NO_DH
ourDhParam = myoptarg;
#endif
break;
case 'Z' :
#ifndef NO_DH
minDhKeyBits = atoi(myoptarg);
if (minDhKeyBits <= 0 || minDhKeyBits > 16000) {
Usage();
exit(MY_EX_USAGE);
}
#endif
break;
case 'N':
nonBlocking = 1;
break;
case 'S' :
#ifdef HAVE_SNI
sniHostName = myoptarg;
#endif
break;
case 'o' :
#ifdef HAVE_OCSP
useOcsp = 1;
#endif
break;
case 'O' :
#ifdef HAVE_OCSP
useOcsp = 1;
ocspUrl = myoptarg;
#endif
break;
case 'a' :
#ifdef HAVE_ANON
useAnon = 1;
#endif
break;
case 'I':
#ifndef NO_PSK
sendPskIdentityHint = 0;
#endif
break;
case 'L' :
#ifdef HAVE_ALPN
alpnList = myoptarg;
if (alpnList[0] == 'C' && alpnList[1] == ':')
alpn_opt = WOLFSSL_ALPN_CONTINUE_ON_MISMATCH;
else if (alpnList[0] == 'F' && alpnList[1] == ':')
alpn_opt = WOLFSSL_ALPN_FAILED_ON_MISMATCH;
else {
Usage();
exit(MY_EX_USAGE);
}
alpnList += 2;
#endif
break;
case 'i' :
loopIndefinitely = 1;
break;
case 'e' :
echoData = 1;
break;
case 'B':
throughput = atoi(myoptarg);
if (throughput <= 0) {
Usage();
exit(MY_EX_USAGE);
}
break;
default:
Usage();
exit(MY_EX_USAGE);
}
}
myoptind = 0; /* reset for test cases */
#endif /* !WOLFSSL_VXWORKS */
/* sort out DTLS versus TLS versions */
if (version == CLIENT_INVALID_VERSION) {
if (doDTLS)
version = CLIENT_DTLS_DEFAULT_VERSION;
else
version = CLIENT_DEFAULT_VERSION;
}
else {
if (doDTLS) {
if (version == 3)
version = -2;
else
version = -1;
}
}
#ifdef USE_CYASSL_MEMORY
if (trackMemory)
InitMemoryTracker();
#endif
switch (version) {
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_SSLV3
case 0:
method = SSLv3_server_method();
break;
#endif
#ifndef NO_TLS
case 1:
method = TLSv1_server_method();
break;
case 2:
method = TLSv1_1_server_method();
break;
#endif
#endif
#ifndef NO_TLS
case 3:
method = TLSv1_2_server_method();
break;
#endif
#ifdef CYASSL_DTLS
#ifndef NO_OLD_TLS
case -1:
method = DTLSv1_server_method();
break;
#endif
case -2:
method = DTLSv1_2_server_method();
break;
#endif
default:
err_sys("Bad SSL version");
}
if (method == NULL)
err_sys("unable to get method");
ctx = SSL_CTX_new(method);
if (ctx == NULL)
err_sys("unable to get ctx");
#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
defined(HAVE_POLY1305)
if (TicketInit() != 0)
err_sys("unable to setup Session Ticket Key context");
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
#endif
if (cipherList)
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 1");
#ifdef CYASSL_LEANPSK
usePsk = 1;
#endif
#if defined(NO_RSA) && !defined(HAVE_ECC)
usePsk = 1;
#endif
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!usePsk && !useAnon) {
if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" wolfSSL home dir");
}
#endif
#ifndef NO_DH
wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits);
#endif
#ifdef HAVE_NTRU
if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= SSL_SUCCESS)
err_sys("can't load ntru key file, "
"Please run from wolfSSL home dir");
}
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!useNtruKey && !usePsk && !useAnon) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server private key file, check file and run "
"from wolfSSL home dir");
}
#endif
if (usePsk) {
#ifndef NO_PSK
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
if (sendPskIdentityHint == 1)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL) {
const char *defaultCipherList;
#if defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
needDH = 1;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2");
}
#endif
}
if (useAnon) {
#ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 4");
}
#endif
}
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* if not using PSK, verify peer with certs */
if (doCliCertCheck && usePsk == 0 && useAnon == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
}
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
while (1) {
/* allow resume option */
if(resumeCount > 1) {
if (doDTLS == 0) {
SOCKADDR_IN_T client;
socklen_t client_len = sizeof(client);
clientfd = accept(sockfd, (struct sockaddr*)&client,
(ACCEPT_THIRD_T)&client_len);
} else {
tcp_listen(&sockfd, &port, useAnyAddr, doDTLS);
clientfd = sockfd;
}
if(WOLFSSL_SOCKET_IS_INVALID(clientfd)) {
err_sys("tcp accept failed");
}
}
ssl = SSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL");
#ifndef NO_HANDSHAKE_DONE_CB
wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
#endif
#ifdef HAVE_CRL
CyaSSL_EnableCRL(ssl, 0);
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
CYASSL_CRL_START_MON);
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
#ifdef HAVE_PK_CALLBACKS
if (pkCallbacks)
SetupPkCallbacks(ctx, ssl);
#endif
/* do accept */
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr,
doDTLS, serverReadyFile, doListen);
doListen = 0; /* Don't listen next time */
SSL_set_fd(ssl, clientfd);
#ifdef HAVE_ALPN
if (alpnList != NULL) {
printf("ALPN accepted protocols list : %s\n", alpnList);
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
}
#endif
#ifdef WOLFSSL_DTLS
if (doDTLS) {
SOCKADDR_IN_T cliaddr;
byte b[1500];
int n;
socklen_t len = sizeof(cliaddr);
/* For DTLS, peek at the next datagram so we can get the client's
* address and set it into the ssl object later to generate the
* cookie. */
n = (int)recvfrom(sockfd, (char*)b, sizeof(b), MSG_PEEK,
(struct sockaddr*)&cliaddr, &len);
if (n <= 0)
err_sys("recvfrom failed");
wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
}
#endif
if (usePsk == 0 || useAnon == 1 || cipherList != NULL || needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM);
#elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif
}
#ifndef CYASSL_CALLBACKS
if (nonBlocking) {
CyaSSL_set_using_nonblock(ssl, 1);
tcp_set_nonblocking(&clientfd);
NonBlockingSSL_Accept(ssl);
} else if (SSL_accept(ssl) != SSL_SUCCESS) {
int err = SSL_get_error(ssl, 0);
char buffer[CYASSL_MAX_ERROR_SZ];
printf("error = %d, %s\n", err, ERR_error_string(err, buffer));
err_sys("SSL_accept failed");
}
#else
NonBlockingSSL_Accept(ssl);
#endif
showPeer(ssl);
#ifdef HAVE_ALPN
if (alpnList != NULL) {
int err;
char *protocol_name = NULL, *list = NULL;
word16 protocol_nameSz = 0, listSz = 0;
err = wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, &protocol_nameSz);
if (err == SSL_SUCCESS)
printf("Sent ALPN protocol : %s (%d)\n",
protocol_name, protocol_nameSz);
else if (err == SSL_ALPN_NOT_FOUND)
printf("No ALPN response sent (no match)\n");
else
printf("Getting ALPN protocol name failed\n");
err = wolfSSL_ALPN_GetPeerProtocol(ssl, &list, &listSz);
if (err == SSL_SUCCESS)
printf("List of protocol names sent by Client: %s (%d)\n",
list, listSz);
else
printf("Get list of client's protocol name failed\n");
free(list);
}
#endif
if(echoData == 0 && throughput == 0) {
ret = SSL_read(ssl, input, sizeof(input)-1);
if (ret > 0) {
input[ret] = 0;
printf("Client message: %s\n", input);
}
else if (ret < 0) {
int readErr = SSL_get_error(ssl, 0);
if (readErr != SSL_ERROR_WANT_READ)
err_sys("SSL_read failed");
}
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
}
else {
ServerEchoData(ssl, clientfd, echoData, throughput);
}
#if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
os_dly_wait(500) ;
#elif defined (CYASSL_TIRTOS)
Task_yield();
#endif
if (doDTLS == 0) {
ret = SSL_shutdown(ssl);
if (wc_shutdown && ret == SSL_SHUTDOWN_NOT_DONE)
SSL_shutdown(ssl); /* bidirectional shutdown */
}
SSL_free(ssl);
CloseSocket(clientfd);
if (resume == 1 && resumeCount == 0) {
resumeCount++; /* only do one resume for testing */
continue;
}
resumeCount = 0;
if(!loopIndefinitely) {
break; /* out of while loop, done with normal and resume option */
}
} /* while(1) */
CloseSocket(sockfd);
SSL_CTX_free(ctx);
((func_args*)args)->return_code = 0;
#if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \
&& defined(HAVE_THREAD_LS)
ecc_fp_free(); /* free per thread cache */
#endif
#ifdef USE_WOLFSSL_MEMORY
if (trackMemory)
ShowMemoryTracker();
#endif
#ifdef CYASSL_TIRTOS
fdCloseSession(Task_self());
#endif
#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
defined(HAVE_POLY1305)
TicketCleanup();
#endif
#ifndef CYASSL_TIRTOS
return 0;
#endif
}
int ssl_client_libssl(void)
{
int verify_peer = ON;
const SSL_METHOD *client_meth;
SSL_CTX *ssl_client_ctx;
int clientsocketfd;
struct sockaddr_in serveraddr;
int handshakestatus;
SSL *clientssl;
char buffer[1024] = "Client Say Hello Server";
int ret;
SSL_library_init(); //添加国密算法对ssl的支持
SSL_load_error_strings();
// TODO 1
//client_meth = SSLv23_client_method();
//client_meth = TLSv1_1_client_method();
client_meth = GMSSLv1_client_method();
// TODO 2
ssl_client_ctx = SSL_CTX_new(client_meth);
if(!ssl_client_ctx)
{
ERR_print_errors_fp(stderr);
return -1;
}
if(verify_peer)
{
if(SSL_CTX_use_certificate_file(ssl_client_ctx, SSL_CLIENT_RSA_CERT, SSL_FILETYPE_PEM) <= 0)
{
ERR_print_errors_fp(stderr);
return -1;
}
if(SSL_CTX_use_PrivateKey_file(ssl_client_ctx, SSL_CLIENT_RSA_KEY, SSL_FILETYPE_PEM) <= 0)
{
ERR_print_errors_fp(stderr);
return -1;
}
// TODO 3
if(SSL_CTX_check_private_key(ssl_client_ctx) != 1)
{
printf("Private and certificate is not matching\n");
return -1;
}
//See function man pages for instructions on generating CERT files
if(!SSL_CTX_load_verify_locations(ssl_client_ctx, SSL_CLIENT_RSA_CA_CERT, NULL))
{
ERR_print_errors_fp(stderr);
return -1;
}
SSL_CTX_set_verify(ssl_client_ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth(ssl_client_ctx, 1);
}
if((clientsocketfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error on socket creation\n");
return -1;
}
memset(&serveraddr, 0, sizeof(struct sockaddr_in));
serveraddr.sin_family = AF_INET;
//serveraddr.sin_addr.s_addr = inet_addr("192.168.2.75");
serveraddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serveraddr.sin_port=htons(4433);
if(connect(clientsocketfd, (struct sockaddr *)&serveraddr, sizeof(struct sockaddr_in)) < 0)
{
perror("connect");
return -1;
}
/* ----------------------------------------------- */
/* Now we hava a real socket to use for ssl */
// TODO 4
clientssl = SSL_new(ssl_client_ctx);
if(!clientssl)
{
printf("Error SSL_new\n");
return -1;
}
SSL_set_info_callback(clientssl,apps_ssl_info_callback);
SSL_set_fd(clientssl, clientsocketfd);
// TODO 5
if((ret = SSL_connect(clientssl)) != 1)
{
printf("Handshake Error %d\n", SSL_get_error(clientssl, ret));
return -1;
}
/* ------------------------------------------------------- */
/* SSL Connect Success Now we print some information */
printf ("SSL connection using %s\n", SSL_get_cipher (clientssl));
/* -------------------------------------------------------- */
/* There if we need verify peer */
if(verify_peer)
{
X509 *ssl_client_cert = NULL;
ssl_client_cert = SSL_get_peer_certificate(clientssl);
if(ssl_client_cert)
{
long verifyresult;
verifyresult = SSL_get_verify_result(clientssl);
if(verifyresult == X509_V_OK)
printf("Certificate Verify Success\n");
else
printf("Certificate Verify Failed\n");
X509_free(ssl_client_cert);
}
else
printf("There is no client certificate\n");
}
SSL_write(clientssl, buffer, strlen(buffer) + 1);
SSL_read(clientssl, buffer, sizeof(buffer));
printf("SSL server send %s\n", buffer);
SSL_shutdown(clientssl);
close(clientsocketfd);
SSL_free(clientssl);
SSL_CTX_free(ssl_client_ctx);
return 0;
}
static int execute_test_large_message(const SSL_METHOD *smeth,
const SSL_METHOD *cmeth, int read_ahead)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
int i;
BIO *certbio = BIO_new_file(cert, "r");
X509 *chaincert = NULL;
int certlen;
if (certbio == NULL) {
printf("Can't load the certficate file\n");
goto end;
}
chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
BIO_free(certbio);
certbio = NULL;
if (chaincert == NULL) {
printf("Unable to load certificate for chain\n");
goto end;
}
if (!create_ssl_ctx_pair(smeth, cmeth, &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
}
if(read_ahead) {
/*
* Test that read_ahead works correctly when dealing with large
* records
*/
SSL_CTX_set_read_ahead(cctx, 1);
}
/*
* We assume the supplied certificate is big enough so that if we add
* NUM_EXTRA_CERTS it will make the overall message large enough. The
* default buffer size is requested to be 16k, but due to the way BUF_MEM
* works, it ends up allocing a little over 21k (16 * 4/3). So, in this test
* we need to have a message larger than that.
*/
certlen = i2d_X509(chaincert, NULL);
OPENSSL_assert((certlen * NUM_EXTRA_CERTS)
> ((SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3));
for (i = 0; i < NUM_EXTRA_CERTS; i++) {
if (!X509_up_ref(chaincert)) {
printf("Unable to up ref cert\n");
goto end;
}
if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
printf("Unable to add extra chain cert %d\n", i);
X509_free(chaincert);
goto end;
}
}
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl, clientssl)) {
printf("Unable to create SSL connection\n");
goto end;
}
testresult = 1;
end:
X509_free(chaincert);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
static int _be_connect(cosocket_t *c*k, int fd, int yielded)
{
int flag = 1;
int ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(flag));
c*k->fd = fd;
c*k->ptr = se_add(_loop_fd, fd, c*k);
c*k->status = 2;
c*k->in_read_action = 0;
if(c*k->use_ssl) {
if(c*k->ctx == NULL) {
c*k->ctx = SSL_CTX_new(SSLv23_client_method());
if(c*k->ctx == NULL) {
connection_pool_counter_operate(c*k->pool_key, -1);
se_delete(c*k->ptr);
close(c*k->fd);
c*k->ptr = NULL;
c*k->fd = -1;
c*k->status = 0;
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "SSL_CTX_new Error");
return 2;
}
}
c*k->ssl = SSL_new(c*k->ctx);
if(c*k->ssl == NULL) {
connection_pool_counter_operate(c*k->pool_key, -1);
se_delete(c*k->ptr);
close(c*k->fd);
c*k->ptr = NULL;
c*k->fd = -1;
c*k->status = 0;
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "SSL_new Error");
return 2;
}
SSL_set_fd(c*k->ssl, c*k->fd);
if(se_be_read(c*k->ptr, cosocket_be_ssl_connected) == -1) {
se_delete(c*k->ptr);
close(c*k->fd);
c*k->ptr = NULL;
c*k->fd = -1;
c*k->status = 0;
SSL_shutdown(c*k->ssl);
SSL_free(c*k->ssl);
c*k->ssl = NULL;
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "Network Error");
return 2;
} else {
if(SSL_connect(c*k->ssl) == 1) {
se_be_pri(c*k->ptr, NULL);
lua_pushboolean(c*k->L, 1);
c*k->inuse = 0;
return 1;
}
c*k->timeout_ptr = add_timeout(c*k, c*k->timeout, timeout_handle);
}
return -2;
}
se_be_pri(c*k->ptr, NULL);
lua_pushboolean(c*k->L, 1);
c*k->inuse = 0;
return 1;
}
static void timeout_handle(void *ptr)
{
cosocket_t *c*k = ptr;
delete_timeout(c*k->timeout_ptr);
c*k->timeout_ptr = NULL;
if(c*k->pool_wait) {
delete_in_waiting_get_connection(c*k->pool_wait);
c*k->pool_wait = NULL;
}
lua_pushnil(c*k->L);
if(c*k->ptr) {
if(c*k->status == 3) {
lua_pushstring(c*k->L, "Connect error!(wait pool timeout)");
} else if(((se_ptr_t *) c*k->ptr)->wfunc == cosocket_be_ssl_connected) {
lua_pushstring(c*k->L, "SSL Connect timeout!");
} else if(((se_ptr_t *) c*k->ptr)->wfunc == cosocket_be_write) {
lua_pushstring(c*k->L, "Send timeout!");
} else if(((se_ptr_t *) c*k->ptr)->rfunc == cosocket_be_read) {
lua_pushstring(c*k->L, "Read timeout!");
} else {
lua_pushstring(c*k->L, "Timeout!");
}
} else {
if(c*k->status == 3) {
lua_pushstring(c*k->L, "Connect error!(wait pool timeout)");
} else {
lua_pushstring(c*k->L, "Timeout!");
}
}
{
se_delete(c*k->ptr);
c*k->ptr = NULL;
if(c*k->fd > -1) {
connection_pool_counter_operate(c*k->pool_key, -1);
close(c*k->fd);
c*k->fd = -1;
}
c*k->status = 0;
}
if(c*k->ssl) {
SSL_shutdown(c*k->ssl);
SSL_free(c*k->ssl);
c*k->ssl = NULL;
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
}
if(c*k->read_buf) {
cosocket_link_buf_t *fr = c*k->read_buf;
cosocket_link_buf_t *nb = NULL;
while(fr) {
nb = fr->next;
free(fr->buf);
free(fr);
fr = nb;
}
c*k->read_buf = NULL;
}
if(c*k->send_buf_need_free) {
free(c*k->send_buf_need_free);
c*k->send_buf_need_free = NULL;
}
c*k->inuse = 0;
lua_f_lua_uthread_resume_in_c(c*k->L, 2);
}
int main(int argc, char **argv)
{
SSL_library_init();
SSL_load_error_strings();
BIO * bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
/* Set up a SIGPIPE handler */
signal(SIGPIPE, SIG_IGN);
/* Create our context*/
SSL_CTX * ctx = SSL_CTX_new(SSLv23_method());
/* Load our keys and certificates*/
if(!(SSL_CTX_use_certificate_chain_file(ctx, "ftests/fixtures/rdpproxy-cert.pem")))
{
BIO_printf(bio_err, "Can't read certificate file\n");
ERR_print_errors(bio_err);
exit(0);
}
SSL_CTX_set_default_passwd_cb(ctx, password_cb0);
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)"inquisition");
if(!(SSL_CTX_use_PrivateKey_file(ctx, "ftests/fixtures/rdpproxy-key.pem", SSL_FILETYPE_PEM)))
{
BIO_printf(bio_err,"Can't read key file\n");
ERR_print_errors(bio_err);
exit(0);
}
DH *ret=0;
BIO *bio;
if ((bio=BIO_new_file("ftests/fixtures/dh1024.pem","r")) == NULL){
BIO_printf(bio_err,"Couldn't open DH file\n");
ERR_print_errors(bio_err);
exit(0);
}
ret=PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if(SSL_CTX_set_tmp_dh(ctx, ret)<0)
{
BIO_printf(bio_err,"Couldn't set DH parameters\n");
ERR_print_errors(bio_err);
exit(0);
}
union
{
struct sockaddr s;
struct sockaddr_storage ss;
struct sockaddr_in s4;
struct sockaddr_in6 s6;
} ucs;
memset(&ucs, 0, sizeof(ucs));
int val=1;
int sock = socket(AF_INET, SOCK_STREAM,0);
if(sock < 0) {
fprintf(stderr, "Failed to make socket\n");
exit(0);
}
memset(&ucs.s4, 0, sizeof(ucs));
ucs.s4.sin_addr.s_addr = INADDR_ANY;
ucs.s4.sin_family = AF_INET;
ucs.s4.sin_port = htons(4433);
setsockopt(sock,SOL_SOCKET,SO_REUSEADDR, &val,sizeof(val));
int bind_res = bind(sock,&ucs.s, sizeof(ucs));
if(bind_res < 0){
fprintf(stderr, "Failed to bind\n");
exit(0);
}
listen(sock,5);
while(1){
int s = accept(sock,0,0);
if(s < 0){
fprintf(stderr,"Problem accepting\n");
exit(0);
}
pid_t pid = fork();
if(pid){
close(s);
}
else {
rdp_serve(ctx, s, bio_err);
exit(0);
}
}
SSL_CTX_free(ctx);
exit(0);
}
static int lua_co_tcp(lua_State *L)
{
cosocket_t *c*k = (cosocket_t *) lua_newuserdata(L, sizeof(cosocket_t));
if(!c*k) {
lua_pushnil(L);
lua_pushstring(L, "stack error!");
return 2;
}
bzero(c*k, sizeof(cosocket_t));
if(lua_isstring(L, 1) && lua_isstring(L, 2)) {
if(c*k->ctx) {
SSL_CTX_free(c*k->ctx);
}
c*k->ctx = SSL_CTX_new(SSLv23_client_method());
if(c*k->ctx == NULL) {
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "SSL_CTX_new Error");
return 2;
}
if(lua_isstring(L, 3)) {
if(c*k->ssl_pw) {
free(c*k->ssl_pw);
}
size_t len = 0;
const char *p1 = lua_tolstring(L, 3, &len);
c*k->ssl_pw = malloc(len + 1);
if(c*k->ssl_pw) {
memcpy(c*k->ssl_pw, p1, len);
c*k->ssl_pw[len] = '\0';
SSL_CTX_set_default_passwd_cb_userdata(c*k->ctx, (void *)c*k->ssl_pw);
SSL_CTX_set_default_passwd_cb(c*k->ctx, ssl_password_cb);
}
int l = snprintf(temp_buf, 4096, "%s:%s:%s", lua_tostring(L, 1), lua_tostring(L, 2), p1);
c*k->ssl_sign = fnv1a_32(temp_buf, l);
} else {
int l = snprintf(temp_buf, 4096, "%s:%s:", lua_tostring(L, 1), lua_tostring(L, 2));
c*k->ssl_sign = fnv1a_32(temp_buf, l);
}
if(SSL_CTX_use_certificate_file(c*k->ctx, lua_tostring(L, 1), SSL_FILETYPE_PEM) != 1) {
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "SSL_CTX_use_certificate_file Error");
return 2;
}
if(SSL_CTX_use_PrivateKey_file(c*k->ctx, lua_tostring(L, 2), SSL_FILETYPE_PEM) != 1) {
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "SSL_CTX_use_PrivateKey_file Error");
return 2;
}
if(!SSL_CTX_check_private_key(c*k->ctx)) {
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
lua_pushnil(c*k->L);
lua_pushstring(c*k->L, "SSL_CTX_check_private_key Error");
return 2;
}
c*k->use_ssl = 1;
} else if(lua_isboolean(L, 1) && lua_toboolean(L, 1) == 1) {
c*k->use_ssl = 1;
} else {
c*k->use_ssl = 0;
}
c*k->L = L;
c*k->fd = -1;
c*k->timeout = 30000;
/*
if(luaL_newmetatable(L, "cosocket")) {
//luaL_checkstack(L, 1, "not enough stack to register connection MT");
lua_pushvalue(L, lua_upvalueindex(1));
setfuncs(L, M, 1);
lua_pushvalue(L, -1);
lua_setfield(L, -2, "__index");
}*/
luaL_getmetatable(L, "cosocket:tcp");
lua_setmetatable(L, -2);
return 1;
}
/*
* Accept a url string, return a struct status.
*
* A negative status indicates a problem either connecting to the
* machine, or a url parse problem. The message will tell you what,
* specifically happened (although it doesn't distinguish between a
* timeout, and a connection refused).
*/
struct status
getstatus(char *url)
{
int i;
char line[1024];
char *p, *q;
struct url u;
struct status st;
struct host_ret conn;
st.status = -1;
st.message = NULL;
st.bytesread = 0;
u = parseurl(url);
if (u.port == -1) {
st.message = strdup("Invalid url request format");
return (st);
}
conn = openhost(u.host, u.port, u.ssl);
if (conn.s < 0) {
st.message = strdup("Could not connect to host");
return (st);
}
send_data(conn, u, "GET ");
send_data(conn, u, u.req);
send_data(conn, u, " HTTP/1.0\n\n");
alarm(120);
i = recv_data(conn, u, line, 1024);
alarm(0);
if (i < 1) {
st.message = strdup("Timeout, or nothing returned.");
return (st);
}
line[i] = NULL;
/*
* My keen parsing techniques, flip through it with a pointer
* to get the status number
*/
p = &line[0];
while (*p++ && *p != ' ');
st.status = atoi(p);
/* Now we want the status message */
while (*++p && *p != ' ');
/* Kill Whitey */
q = p;
while (*++q && !iswhitey(*q));
*q = NULL;
st.message = strdup(p + 1);
/* Eat the rest of the page */
while (recv_data(conn, u, line, 1024));
#ifdef USE_SSLEAY
if (u.ssl) {
if (conn.ssl)
SSL_free(conn.ssl);
if (conn.ctx)
SSL_CTX_free(conn.ctx);
}
#endif
close(conn.s);
freeurl(u);
return (st);
}
int main ()
{
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
X509* server_cert;
char* str;
char buf [8096];
SSL_METHOD *meth;
SSLeay_add_ssl_algorithms();
#ifndef OPENSSL_NO_SSL2
meth = (SSL_METHOD*)SSLv2_client_method();
#else
///meth = (SSL_METHOD*)SSLv3_client_method();
//连接https 需要使用tls类型的
meth = (SSL_METHOD*)TLSv1_2_client_method();
//return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
#endif
SSL_load_error_strings();
ctx = SSL_CTX_new (meth);
if(ctx==NULL)
{
printd("ctx is NULL\n");
exit(1);
}
CHK_SSL(err);
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket");
memset (&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr (SERVERIP); /* Server IP */
sa.sin_port = htons (SERVERPORT); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa,
sizeof(sa)); CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
printd("connect to %s:%d success.\n",SERVERIP, SERVERPORT);
ssl = SSL_new (ctx); CHK_NULL(ssl);
printd("SSL_new ok\n");
SSL_set_fd (ssl, sd);
printd("Set fd OK\n");
err = SSL_connect (ssl); CHK_SSL(err);
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
printd ("SSL connection using %s\n", SSL_get_cipher (ssl));
//验证证书是否可以信任
if ( X509_V_OK != SSL_get_verify_result(ssl) )
{
printd("SSL verify error\n");
int color = 32;
printf("\033[%dmHello, world.\n\033[0m", color);
}
/* Get server's certificate (note: beware of dynamic allocation) - opt */
//比如连接 https时,需要打开以下选项
#if 1
server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
printd ("Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
CHK_NULL(str);
printd ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printd ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (server_cert);
#endif
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
#ifdef AUTH
//init base 64
//come from : http://doctrina.org/Base64-With-OpenSSL-C-API.html
BIO *bio, *b64;
char* base64EncodeOutput;
BUF_MEM *bufferPtr;
char message[] = USER ":"******"base encode str:->%s<- message len:%d\n", message, message_len);
b64 = BIO_new(BIO_f_base64());
bio = BIO_new(BIO_s_mem());
bio = BIO_push(b64, bio);
/*
///!IMPORTANT
//BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Ignore newlines - write everything in one line
//BIO_FLAGS_BASE64_NO_NL: 编码结果中,每64个字符换行一次,整个编码后的字符串的末尾也有换行
//如果有这个选项,测试结尾会出现0x76 0x7f字符 0x7f是del所以打印时显示正常,其实不正常
*/
BIO_write(bio, message, strlen(message));
BIO_flush(bio);
BIO_get_mem_ptr(bio, &bufferPtr);
BIO_set_close(bio, BIO_NOCLOSE);
BIO_free_all(bio);
char b64text[1024]={0};
strcpy(b64text, (*bufferPtr).data);
memcpy(b64text, (*bufferPtr).data, bufferPtr->length);
printd("base64 encode str: ->%s<-, size:%ld\n", b64text, strlen(b64text));
//printd("%x %x %x %x %x %x\n", b64text[0],b64text[1],b64text[2],b64text[3],b64text[4],b64text[5]);
#endif
/*
* 以下是模拟浏览器登陆https://172.20.1.209:8001的过程
*
* 服务器是python做的,服务器代码从:
* https://github.com/SevenW/httpwebsockethandler.git
* 下载,
* 运行服务器的命令:
* python ExampleWSServer.py 8001 secure u:2
*/
char http_get_str[2048] = {0};
sprintf(http_get_str,
"GET / HTTP/1.1\r\n"
"Host: %s:%d \r\n"
#ifdef AUTH
"Authorization: Basic %s\r\n"
#endif
"Connection: keep-alive\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/* ;q=0.8\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36\r\n"
"Accept-Encoding: gzip, deflate, sdch\r\n"
"Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2\r\n"
"\r\n"
,SERVERIP, SERVERPORT
#ifdef AUTH
,b64text
#endif
);
printd("http get str: ->%s<- len:%ld\n", http_get_str, strlen(http_get_str));
err = SSL_write (ssl, http_get_str, strlen(http_get_str)); CHK_SSL(err);
err = 0;
int c1=0;
do{
err = SSL_read (ssl, buf+c1, sizeof(buf) - c1 - 1); CHK_SSL(err);
c1 += err;
while(err>0);
buf[err] = '\0';
printd ("Got %d chars:'%s'\n", err, buf);
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
static void init()
{
if ( real_accept == NULL )
{
char *cert_path, *pkey_path, *pass_path;
real_accept = (int (*)(int, struct sockaddr *, socklen_t *)) dlsym(RTLD_NEXT,"accept");
real_fork = (int (*)()) dlsym(RTLD_NEXT,"fork");
real_close = (int (*)(int)) dlsym(RTLD_NEXT,"close");
real_recv = (ssize_t (*)(int s, void *buf, size_t len, int flags)) dlsym(RTLD_NEXT,"recv");
real_send = (ssize_t (*)(int s, const void *buf, size_t len, int flags)) dlsym(RTLD_NEXT,"send");
if ( (real_accept == NULL) || (real_accept == accept)
|| (real_fork == NULL) || (real_fork == fork)
|| (real_close == NULL) || (real_close == close)
|| (real_recv == NULL) || (real_recv == recv)
|| (real_send == NULL) || (real_send == send) )
{
fprintf(stderr,"could not load real functions!\n");
real_accept = NULL;
real_fork = NULL;
real_close = NULL;
real_recv = NULL;
real_send = NULL;
exit(1);
}
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
cert_path = getenv("WARSOLVE_CERT");
pkey_path = getenv("WARSOLVE_PKEY");
pass_path = getenv("WARSOLVE_PASS");
ssl_ctx = SSL_CTX_new(SSLv23_server_method());
SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
if (cert_path != NULL)
{
if (!SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_path))
{
ERR_print_errors_fp(stdout);
SSL_CTX_free(ssl_ctx);
exit(1);
}
}
if (pass_path != NULL)
{
char pass[MAX_PASS_SIZE];
int i;
FILE *pass_fd = fopen(pass_path,"r");
if (!pass_fd || !fgets(pass, MAX_PASS_SIZE, pass_fd))
{
perror("WARSOLVE_PASS");
fprintf(stderr,"error: could not read password file\n");
SSL_CTX_free(ssl_ctx);
exit(1);
}
fclose(pass_fd);
pass[MAX_PASS_SIZE-1] = '\0';
for (i=strlen(pass)-1; (i>=0) && (pass[i] == '\n'); i--)
{
pass[i] = '\0';
}
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, pass);
}
if (pkey_path != NULL)
{
if (!SSL_CTX_use_PrivateKey_file(ssl_ctx, pkey_path, SSL_FILETYPE_PEM))
{
ERR_print_errors_fp(stdout);
SSL_CTX_free(ssl_ctx);
exit(1);
}
}
}
}
void *synchronization_responding_main(void *arg)
{
BIO *bio_acc = NULL;
BIO *bio_client = NULL;
SSL *ssl_client = NULL;
SSL_CTX *ctx = NULL;
int err;
char *host[1];
ctx = setup_server_ctx(UA_CERTFILE_PATH, UA_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
bio_acc = BIO_new_accept(UA_SYNCHRONIZATION_RESPONDING_PORT);
if(!bio_acc)
int_error("Creating server socket failed");
if(BIO_do_accept(bio_acc) <= 0)
int_error("Binding server socket failed");
for(;;)
{
if(BIO_do_accept(bio_acc) <= 0)
int_error("Accepting connection failed");
bio_client = BIO_pop(bio_acc);
if(!(ssl_client = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(ssl_client, bio_client, bio_client);
if(SSL_accept(ssl_client) <= 0)
{
fprintf(stderr, "Accepting SSL connection failed\n");
goto ERROR_AT_SSL_LAYER;
}
host[0] = USER_AUTH_CN;
if((err = post_connection_check(ssl_client, host, 1, false, NULL)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Process the request
if(!process_request(ssl_client))
goto ERROR_AT_SSL_LAYER;
ERROR_AT_SSL_LAYER:
SSL_cleanup(ssl_client);
ssl_client = NULL;
ERR_remove_state(0);
}
SSL_CTX_free(ctx);
ctx = NULL;
BIO_free(bio_acc);
bio_acc = NULL;
pthread_exit(NULL);
return NULL;
}
static int _lua_co_close(lua_State *L, cosocket_t *c*k)
{
if(c*k->read_buf) {
cosocket_link_buf_t *fr = c*k->read_buf;
cosocket_link_buf_t *nb = NULL;
while(fr) {
nb = fr->next;
free(fr->buf);
free(fr);
fr = nb;
}
c*k->read_buf = NULL;
}
if(c*k->send_buf_need_free) {
free(c*k->send_buf_need_free);
c*k->send_buf_need_free = NULL;
}
if(c*k->pool_wait) {
delete_in_waiting_get_connection(c*k->pool_wait);
c*k->pool_wait = NULL;
}
delete_timeout(c*k->timeout_ptr);
c*k->timeout_ptr = NULL;
c*k->status = 0;
if(c*k->fd > -1) {
((se_ptr_t *) c*k->ptr)->fd = c*k->fd;
if(c*k->pool_size < 1
|| add_connection_to_pool(_loop_fd, c*k->pool_key, c*k->pool_size, c*k->ptr, c*k->ssl,
c*k->ctx, c*k->ssl_pw) == 0) {
se_delete(c*k->ptr);
c*k->ptr = NULL;
connection_pool_counter_operate(c*k->pool_key, -1);
close(c*k->fd);
if(c*k->ssl) {
SSL_free(c*k->ssl);
c*k->ssl = NULL;
}
if(c*k->ctx) {
SSL_CTX_free(c*k->ctx);
c*k->ctx = NULL;
}
if(c*k->ssl_pw) {
free(c*k->ssl_pw);
c*k->ssl_pw = NULL;
}
}
c*k->ssl = NULL;
c*k->ctx = NULL;
c*k->ssl_pw = NULL;
c*k->ptr = NULL;
c*k->fd = -1;
}
}
int BSslBindServer(BSOCK_HANDLE hBSock, SslServerBind const *pSSLB,
int (*pfEnvCB)(void *, int, void const *), void *pPrivate)
{
int iError;
SYS_SOCKET SockFD;
SSL_METHOD const *pMethod;
SSL_CTX *pSCtx;
SSL *pSSL;
X509 *pCert;
SslBindCtx *pCtx;
pMethod = SSLv23_server_method();
if ((pSCtx = SSL_CTX_new((SSL_METHOD *) pMethod)) == NULL) {
ErrSetErrorCode(ERR_SSLCTX_CREATE);
return ERR_SSLCTX_CREATE;
}
SSL_CTX_set_session_cache_mode(pSCtx, SSL_SESS_CACHE_OFF);
if (BSslSetupVerify(pSCtx, pSSLB) < 0) {
SSL_CTX_free(pSCtx);
return ErrGetErrorCode();
}
if ((pSSL = SSL_new(pSCtx)) == NULL) {
SSL_CTX_free(pSCtx);
ErrSetErrorCode(ERR_SSL_CREATE);
return ERR_SSL_CREATE;
}
SockFD = BSckGetAttachedSocket(hBSock);
/*
* We want blocking sockets during the initial SSL negotiation.
*/
SysBlockSocket(SockFD, 1);
SSL_set_fd(pSSL, SockFD);
if (SSL_accept(pSSL) == -1) {
SysBlockSocket(SockFD, -1);
SSL_free(pSSL);
SSL_CTX_free(pSCtx);
ErrSetErrorCode(ERR_SSL_ACCEPT);
return ERR_SSL_ACCEPT;
}
SSL_CTX_set_app_data(pSCtx, NULL);
/*
* Client may not supply a certificate.
*/
iError = 0;
if (pfEnvCB != NULL &&
(pCert = SSL_get_peer_certificate(pSSL)) != NULL) {
iError = BSslEnvExport(pSCtx, pSSL, pCert, pfEnvCB, pPrivate);
X509_free(pCert);
}
if (iError < 0 ||
BSslAllocCtx(&pCtx, SockFD, pSCtx, pSSL) < 0) {
ErrorPush();
SysBlockSocket(SockFD, -1);
SSL_free(pSSL);
SSL_CTX_free(pSCtx);
return ErrorPop();
}
/*
* Need to use non-blocking socket to implement read/write timeouts.
*/
SysBlockSocket(SockFD, 0);
BSckSetIOops(hBSock, &pCtx->IOOps);
return 0;
}
void _mosquitto_destroy(struct mosquitto *mosq)
{
struct _mosquitto_packet *packet;
if(!mosq) return;
#ifdef WITH_THREADING
if(mosq->threaded && !pthread_equal(mosq->thread_id, pthread_self())){
#ifndef ANDROID
pthread_cancel(mosq->thread_id);
#endif
pthread_join(mosq->thread_id, NULL);
mosq->threaded = false;
}
if(mosq->id){
/* If mosq->id is not NULL then the client has already been initialised
* and so the mutexes need destroying. If mosq->id is NULL, the mutexes
* haven't been initialised. */
pthread_mutex_destroy(&mosq->callback_mutex);
pthread_mutex_destroy(&mosq->log_callback_mutex);
pthread_mutex_destroy(&mosq->state_mutex);
pthread_mutex_destroy(&mosq->out_packet_mutex);
pthread_mutex_destroy(&mosq->current_out_packet_mutex);
pthread_mutex_destroy(&mosq->msgtime_mutex);
pthread_mutex_destroy(&mosq->in_message_mutex);
pthread_mutex_destroy(&mosq->out_message_mutex);
pthread_mutex_destroy(&mosq->mid_mutex);
}
#endif
if(mosq->sock != INVALID_SOCKET){
_mosquitto_socket_close(mosq);
}
_mosquitto_message_cleanup_all(mosq);
_mosquitto_will_clear(mosq);
#ifdef WITH_TLS
if(mosq->ssl){
SSL_free(mosq->ssl);
}
if(mosq->ssl_ctx){
SSL_CTX_free(mosq->ssl_ctx);
}
if(mosq->tls_cafile) _mosquitto_free(mosq->tls_cafile);
if(mosq->tls_capath) _mosquitto_free(mosq->tls_capath);
if(mosq->tls_certfile) _mosquitto_free(mosq->tls_certfile);
if(mosq->tls_keyfile) _mosquitto_free(mosq->tls_keyfile);
if(mosq->tls_pw_callback) mosq->tls_pw_callback = NULL;
if(mosq->tls_version) _mosquitto_free(mosq->tls_version);
if(mosq->tls_ciphers) _mosquitto_free(mosq->tls_ciphers);
if(mosq->tls_psk) _mosquitto_free(mosq->tls_psk);
if(mosq->tls_psk_identity) _mosquitto_free(mosq->tls_psk_identity);
#endif
if(mosq->address){
_mosquitto_free(mosq->address);
mosq->address = NULL;
}
if(mosq->id){
_mosquitto_free(mosq->id);
mosq->id = NULL;
}
if(mosq->username){
_mosquitto_free(mosq->username);
mosq->username = NULL;
}
if(mosq->password){
_mosquitto_free(mosq->password);
mosq->password = NULL;
}
if(mosq->host){
_mosquitto_free(mosq->host);
mosq->host = NULL;
}
if(mosq->bind_address){
_mosquitto_free(mosq->bind_address);
mosq->bind_address = NULL;
}
/* Out packet cleanup */
if(mosq->out_packet && !mosq->current_out_packet){
mosq->current_out_packet = mosq->out_packet;
mosq->out_packet = mosq->out_packet->next;
}
while(mosq->current_out_packet){
packet = mosq->current_out_packet;
/* Free data and reset values */
mosq->current_out_packet = mosq->out_packet;
if(mosq->out_packet){
mosq->out_packet = mosq->out_packet->next;
}
_mosquitto_packet_cleanup(packet);
_mosquitto_free(packet);
}
_mosquitto_packet_cleanup(&mosq->in_packet);
if(mosq->sockpairR != INVALID_SOCKET){
COMPAT_CLOSE(mosq->sockpairR);
mosq->sockpairR = INVALID_SOCKET;
}
if(mosq->sockpairW != INVALID_SOCKET){
COMPAT_CLOSE(mosq->sockpairW);
mosq->sockpairW = INVALID_SOCKET;
}
}
static int test_tlsext_status_type(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
STACK_OF(OCSP_RESPID) *ids = NULL;
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
if (SSL_CTX_get_tlsext_status_type(cctx) != -1) {
printf("Unexpected initial value for "
"SSL_CTX_get_tlsext_status_type()\n");
goto end;
}
/* First just do various checks getting and setting tlsext_status_type */
clientssl = SSL_new(cctx);
if (SSL_get_tlsext_status_type(clientssl) != -1) {
printf("Unexpected initial value for SSL_get_tlsext_status_type()\n");
goto end;
}
if (!SSL_set_tlsext_status_type(clientssl, TLSEXT_STATUSTYPE_ocsp)) {
printf("Unexpected fail for SSL_set_tlsext_status_type()\n");
goto end;
}
if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) {
printf("Unexpected result for SSL_get_tlsext_status_type()\n");
goto end;
}
SSL_free(clientssl);
clientssl = NULL;
if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)) {
printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n");
goto end;
}
if (SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) {
printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n");
goto end;
}
clientssl = SSL_new(cctx);
if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) {
printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n");
goto end;
}
SSL_free(clientssl);
clientssl = NULL;
/*
* Now actually do a handshake and check OCSP information is exchanged and
* the callbacks get called
*/
SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl, clientssl)) {
printf("Unable to create SSL connection\n");
goto end;
}
if (!ocsp_client_called || !ocsp_server_called) {
printf("OCSP callbacks not called\n");
goto end;
}
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = NULL;
clientssl = NULL;
/* Try again but this time force the server side callback to fail */
ocsp_client_called = 0;
ocsp_server_called = 0;
cdummyarg = 0;
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
/* This should fail because the callback will fail */
if (create_ssl_connection(serverssl, clientssl)) {
printf("Unexpected success creating the connection\n");
goto end;
}
if (ocsp_client_called || ocsp_server_called) {
printf("OCSP callbacks successfully called unexpectedly\n");
goto end;
}
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = NULL;
clientssl = NULL;
/*
* This time we'll get the client to send an OCSP_RESPID that it will
* accept.
*/
ocsp_client_called = 0;
ocsp_server_called = 0;
cdummyarg = 2;
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
/*
* We'll just use any old cert for this test - it doesn't have to be an OCSP
* specifc one. We'll use the server cert.
*/
certbio = BIO_new_file(cert, "r");
if (certbio == NULL) {
printf("Can't load the certficate file\n");
goto end;
}
id = OCSP_RESPID_new();
ids = sk_OCSP_RESPID_new_null();
ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
if (id == NULL || ids == NULL || ocspcert == NULL
|| !OCSP_RESPID_set_by_key(id, ocspcert)
|| !sk_OCSP_RESPID_push(ids, id)) {
printf("Unable to set OCSP_RESPIDs\n");
goto end;
}
id = NULL;
SSL_set_tlsext_status_ids(clientssl, ids);
/* Control has been transferred */
ids = NULL;
BIO_free(certbio);
certbio = NULL;
if (!create_ssl_connection(serverssl, clientssl)) {
printf("Unable to create SSL connection\n");
goto end;
}
if (!ocsp_client_called || !ocsp_server_called) {
printf("OCSP callbacks not called\n");
goto end;
}
testresult = 1;
end:
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
OCSP_RESPID_free(id);
BIO_free(certbio);
X509_free(ocspcert);
ocspcert = NULL;
return testresult;
}
void ssl_destroy_ctx(SSL_CTX *ctx)
{
SSL_CTX_free(ctx);
}
static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl1 = NULL, *clientssl1 = NULL;
SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
SSL_SESSION *sess1 = NULL, *sess2 = NULL;
int testresult = 0;
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
#ifndef OPENSSL_NO_TLS1_2
/* Only allow TLS1.2 so we can force a connection failure later */
SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
#endif
/* Set up session cache */
if (fix.use_ext_cache) {
SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
}
if (fix.use_int_cache) {
/* Also covers instance where both are set */
SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
} else {
SSL_CTX_set_session_cache_mode(cctx,
SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
}
if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,
NULL)) {
printf("Unable to create SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl1, clientssl1)) {
printf("Unable to create SSL connection\n");
goto end;
}
sess1 = SSL_get1_session(clientssl1);
if (sess1 == NULL) {
printf("Unexpected NULL session\n");
goto end;
}
if (fix.use_int_cache && SSL_CTX_add_session(cctx, sess1)) {
/* Should have failed because it should already be in the cache */
printf("Unexpected success adding session to cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) {
printf("Session not added to cache\n");
goto end;
}
if (!create_ssl_objects(sctx, cctx, &serverssl2, &clientssl2, NULL, NULL)) {
printf("Unable to create second SSL objects\n");
goto end;
}
if (!create_ssl_connection(serverssl2, clientssl2)) {
printf("Unable to create second SSL connection\n");
goto end;
}
sess2 = SSL_get1_session(clientssl2);
if (sess2 == NULL) {
printf("Unexpected NULL session from clientssl2\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) {
printf("Remove session callback unexpectedly called\n");
goto end;
}
/*
* This should clear sess2 from the cache because it is a "bad" session. See
* SSL_set_session() documentation.
*/
if (!SSL_set_session(clientssl2, sess1)) {
printf("Unexpected failure setting session\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) {
printf("Failed to call callback to remove session\n");
goto end;
}
if (SSL_get_session(clientssl2) != sess1) {
printf("Unexpected session found\n");
goto end;
}
if (fix.use_int_cache) {
if (!SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache\n");
goto end;
}
if (!SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected failure removing session from cache\n");
goto end;
}
/* This is for the purposes of internal cache testing...ignore the
* counter for external cache
*/
if (fix.use_ext_cache)
remove_called--;
}
/* This shouldn't be in the cache so should fail */
if (SSL_CTX_remove_session(cctx, sess2)) {
printf("Unexpected success removing session from cache\n");
goto end;
}
if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
/* Force a connection failure */
SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
if (!create_ssl_objects(sctx, cctx, &serverssl3, &clientssl3, NULL, NULL)) {
printf("Unable to create third SSL objects\n");
goto end;
}
if (!SSL_set_session(clientssl3, sess1)) {
printf("Unable to set session for third connection\n");
goto end;
}
/* This should fail because of the mismatched protocol versions */
if (create_ssl_connection(serverssl3, clientssl3)) {
printf("Unable to create third SSL connection\n");
goto end;
}
/* We should have automatically removed the session from the cache */
if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) {
printf("Failed to call callback to remove session #2\n");
goto end;
}
if (fix.use_int_cache && !SSL_CTX_add_session(cctx, sess2)) {
/*
* Should have succeeded because it should not already be in the cache
*/
printf("Unexpected failure adding session to cache #2\n");
goto end;
}
#endif
testresult = 1;
end:
SSL_free(serverssl1);
SSL_free(clientssl1);
SSL_free(serverssl2);
SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
SSL_free(serverssl3);
SSL_free(clientssl3);
#endif
SSL_SESSION_free(sess1);
SSL_SESSION_free(sess2);
/*
* Check if we need to remove any sessions up-refed for the external cache
*/
if (new_called >= 1)
SSL_SESSION_free(sess1);
if (new_called >= 2)
SSL_SESSION_free(sess2);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
int MAIN(int argc, char **argv)
{
int ret=1,i;
int verbose=0;
const char **pp;
const char *p;
int badops=0;
SSL_CTX *ctx=NULL;
SSL *ssl=NULL;
char *ciphers=NULL;
SSL_METHOD *meth=NULL;
STACK_OF(SSL_CIPHER) *sk;
char buf[512];
BIO *STDout=NULL;
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_server_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_server_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_server_method();
#endif
apps_startup();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-v") == 0)
verbose=1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv,"-tls1") == 0)
meth=TLSv1_client_method();
#endif
else if ((strncmp(*argv,"-h",2) == 0) ||
(strcmp(*argv,"-?") == 0))
{
badops=1;
break;
}
else
{
ciphers= *argv;
}
argc--;
argv++;
}
if (badops)
{
for (pp=ciphers_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
OpenSSL_add_ssl_algorithms();
ctx=SSL_CTX_new(meth);
if (ctx == NULL) goto err;
if (ciphers != NULL) {
if(!SSL_CTX_set_cipher_list(ctx,ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl=SSL_new(ctx);
if (ssl == NULL) goto err;
if (!verbose)
{
for (i=0; ; i++)
{
p=SSL_get_cipher_list(ssl,i);
if (p == NULL) break;
if (i != 0) BIO_printf(STDout,":");
BIO_printf(STDout,"%s",p);
}
BIO_printf(STDout,"\n");
}
else
{
sk=SSL_get_ciphers(ssl);
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
BIO_puts(STDout,SSL_CIPHER_description(
sk_SSL_CIPHER_value(sk,i),
buf,sizeof buf));
}
}
ret=0;
if (0)
{
err:
SSL_load_error_strings();
ERR_print_errors(bio_err);
}
end:
if (ctx != NULL) SSL_CTX_free(ctx);
if (ssl != NULL) SSL_free(ssl);
if (STDout != NULL) BIO_free_all(STDout);
apps_shutdown();
OPENSSL_EXIT(ret);
}
static int execute_test_ssl_bio(SSL_BIO_TEST_FIXTURE fix)
{
BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
SSL_CTX *ctx = SSL_CTX_new(TLS_method());
SSL *ssl = NULL;
int testresult = 0;
if (ctx == NULL) {
printf("Failed to allocate SSL_CTX\n");
return 0;
}
ssl = SSL_new(ctx);
if (ssl == NULL) {
printf("Failed to allocate SSL object\n");
goto end;
}
sslbio = BIO_new(BIO_f_ssl());
membio1 = BIO_new(BIO_s_mem());
if (sslbio == NULL || membio1 == NULL) {
printf("Malloc failure creating BIOs\n");
goto end;
}
BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
/*
* If anything goes wrong here then we could leak memory, so this will
* be caught in a crypto-mdebug build
*/
BIO_push(sslbio, membio1);
/* Verify chaning the rbio/wbio directly does not cause leaks */
if (fix.change_bio != NO_BIO_CHANGE) {
membio2 = BIO_new(BIO_s_mem());
if (membio2 == NULL) {
printf("Malloc failure creating membio2\n");
goto end;
}
if (fix.change_bio == CHANGE_RBIO)
SSL_set0_rbio(ssl, membio2);
else
SSL_set0_wbio(ssl, membio2);
}
ssl = NULL;
if (fix.pop_ssl)
BIO_pop(sslbio);
else
BIO_pop(membio1);
testresult = 1;
end:
BIO_free(membio1);
BIO_free(sslbio);
SSL_free(ssl);
SSL_CTX_free(ctx);
return testresult;
}
static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
{
STACK_OF(SSL_CIPHER) *ciphers;
method_const SSL_METHOD *dtls_method;
SSL_CIPHER *dtls_cipher;
SSL *dtls_ssl;
BIO *dtls_bio;
if (!vpninfo->dtls_ctx) {
dtls_method = DTLSv1_client_method();
vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
if (!vpninfo->dtls_ctx) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 CTX failed\n"));
openconnect_report_ssl_errors(vpninfo);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* If we don't readahead, then we do short reads and throw
away the tail of data packets. */
SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
if (!SSL_CTX_set_cipher_list(vpninfo->dtls_ctx, vpninfo->dtls_cipher)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS cipher list failed\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
}
if (!vpninfo->dtls_session) {
/* We're going to "resume" a session which never existed. Fake it... */
vpninfo->dtls_session = SSL_SESSION_new();
if (!vpninfo->dtls_session) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 session failed\n"));
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
vpninfo->dtls_session->ssl_version = 0x0100; /* DTLS1_BAD_VER */
}
/* Do this every time; it may have changed due to a rekey */
vpninfo->dtls_session->master_key_length = sizeof(vpninfo->dtls_secret);
memcpy(vpninfo->dtls_session->master_key, vpninfo->dtls_secret,
sizeof(vpninfo->dtls_secret));
vpninfo->dtls_session->session_id_length = sizeof(vpninfo->dtls_session_id);
memcpy(vpninfo->dtls_session->session_id, vpninfo->dtls_session_id,
sizeof(vpninfo->dtls_session_id));
dtls_ssl = SSL_new(vpninfo->dtls_ctx);
SSL_set_connect_state(dtls_ssl);
ciphers = SSL_get_ciphers(dtls_ssl);
if (sk_SSL_CIPHER_num(ciphers) != 1) {
vpn_progress(vpninfo, PRG_ERR, _("Not precisely one DTLS cipher\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
SSL_SESSION_free(vpninfo->dtls_session);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_session = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
dtls_cipher = sk_SSL_CIPHER_value(ciphers, 0);
/* Set the appropriate cipher on our session to be resumed */
vpninfo->dtls_session->cipher = dtls_cipher;
vpninfo->dtls_session->cipher_id = dtls_cipher->id;
/* Add the generated session to the SSL */
if (!SSL_set_session(dtls_ssl, vpninfo->dtls_session)) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL_set_session() failed with old protocol version 0x%x\n"
"Are you using a version of OpenSSL older than 0.9.8m?\n"
"See http://rt.openssl.org/Ticket/Display.html?id=1751\n"
"Use the --no-dtls command line option to avoid this message\n"),
vpninfo->dtls_session->ssl_version);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
/* Set non-blocking */
BIO_set_nbio(dtls_bio, 1);
SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
SSL_set_options(dtls_ssl, SSL_OP_CISCO_ANYCONNECT);
vpninfo->dtls_ssl = dtls_ssl;
return 0;
}
/* {{{ stomp_connect
*/
int stomp_connect(stomp_t *stomp, const char *host, unsigned short port TSRMLS_DC)
{
char error[1024];
socklen_t size;
struct timeval tv;
if (stomp->host != NULL)
{
efree(stomp->host);
}
stomp->host = (char *) emalloc(strlen(host) + 1);
memcpy(stomp->host, host, strlen(host));
stomp->host[strlen(host)] = '\0';
stomp->port = port;
tv.tv_sec = stomp->options.connect_timeout_sec;
tv.tv_usec = stomp->options.connect_timeout_usec;
stomp->fd = php_network_connect_socket_to_host(stomp->host, stomp->port, SOCK_STREAM, 0, &tv, NULL, NULL, NULL, 0 TSRMLS_CC);
if (stomp->fd == -1) {
snprintf(error, sizeof(error), "Unable to connect to %s:%ld", stomp->host, stomp->port);
stomp_set_error(stomp, error, errno, NULL);
return 0;
}
size = sizeof(stomp->localaddr);
memset(&stomp->localaddr, 0, size);
if (getsockname(stomp->fd, (struct sockaddr*) &stomp->localaddr, &size) == -1) {
snprintf(error, sizeof(error), "getsockname failed: %s (%d)", strerror(errno), errno);
stomp_set_error(stomp, error, errno, NULL);
return 0;
}
if (stomp_writable(stomp)) {
#if HAVE_STOMP_SSL
if (stomp->options.use_ssl) {
SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
if (NULL == ctx) {
stomp_set_error(stomp, "failed to create the SSL context", 0, NULL);
return 0;
}
SSL_CTX_set_options(ctx, SSL_OP_ALL);
stomp->ssl_handle = SSL_new(ctx);
if (stomp->ssl_handle == NULL) {
stomp_set_error(stomp, "failed to create the SSL handle", 0, NULL);
SSL_CTX_free(ctx);
return 0;
}
SSL_set_fd(stomp->ssl_handle, stomp->fd);
if (SSL_connect(stomp->ssl_handle) <= 0) {
stomp_set_error(stomp, "SSL/TLS handshake failed", 0, NULL);
SSL_shutdown(stomp->ssl_handle);
return 0;
}
}
#endif
return 1;
} else {
snprintf(error, sizeof(error), "Unable to connect to %s:%ld", stomp->host, stomp->port);
stomp_set_error(stomp, error, errno, NULL);
return 0;
}
}
void dtls_shutdown(struct openconnect_info *vpninfo)
{
dtls_close(vpninfo);
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_SESSION_free(vpninfo->dtls_session);
}
void main ()
{
int err;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
FILE* log;
log = fopen ("/dev/console", "a"); CHK_NULL(log);
fprintf (log, "inetdserv %ld\n", (long)getpid());
SSL_load_error_strings();
ctx = SSL_CTX_new (); CHK_NULL(ctx);
err = SSL_CTX_use_RSAPrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM);
CHK_SSL (err);
err = SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM);
CHK_SSL (err);
/* inetd has already opened the TCP connection, so we can get right
down to business. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, fileno(stdin));
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
fprintf (log, "SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
fprintf (log, "Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert));
CHK_NULL(str);
fprintf (log, "\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert));
CHK_NULL(str);
fprintf (log, "\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
fprintf (log, "Client doe not have certificate.\n");
/* ------------------------------------------------- */
/* DATA EXCHANGE: Receive message and send reply */
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
fprintf (log, "Got %d chars:'%s'\n", err, buf);
err = SSL_write (ssl, "Loud and clear.", strlen("Loud and clear."));
CHK_SSL(err);
/* Clean up. */
fclose (log);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
//=========================================
// SSLFree
//-----------------------------------------
void SSLClient::SSLFree ( void ) {
SSL_shutdown (ssl);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
static struct mailstream_ssl_data * ssl_data_new_full(int fd, time_t timeout,
SSL_METHOD * method, void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data),
void * cb_data)
{
struct mailstream_ssl_data * ssl_data;
SSL * ssl_conn;
int r;
SSL_CTX * tmp_ctx;
struct mailstream_cancel * cancel;
struct mailstream_ssl_context * ssl_context = NULL;
mailstream_ssl_init();
tmp_ctx = SSL_CTX_new(method);
if (tmp_ctx == NULL)
goto err;
if (callback != NULL) {
ssl_context = mailstream_ssl_context_new(tmp_ctx, fd);
callback(ssl_context, cb_data);
}
SSL_CTX_set_app_data(tmp_ctx, ssl_context);
SSL_CTX_set_client_cert_cb(tmp_ctx, mailstream_openssl_client_cert_cb);
ssl_conn = (SSL *) SSL_new(tmp_ctx);
if (ssl_conn == NULL)
goto free_ctx;
if (SSL_set_fd(ssl_conn, fd) == 0)
goto free_ssl_conn;
again:
r = SSL_connect(ssl_conn);
switch(SSL_get_error(ssl_conn, r)) {
case SSL_ERROR_WANT_READ:
r = wait_SSL_connect(fd, 1, timeout);
if (r < 0)
goto free_ssl_conn;
else
goto again;
break;
case SSL_ERROR_WANT_WRITE:
r = wait_SSL_connect(fd, 0, timeout);
if (r < 0)
goto free_ssl_conn;
else
goto again;
break;
}
if (r <= 0)
goto free_ssl_conn;
cancel = mailstream_cancel_new();
if (cancel == NULL)
goto free_ssl_conn;
r = mailstream_prepare_fd(fd);
if (r < 0)
goto free_cancel;
ssl_data = malloc(sizeof(* ssl_data));
if (ssl_data == NULL)
goto free_cancel;
ssl_data->fd = fd;
ssl_data->ssl_conn = ssl_conn;
ssl_data->ssl_ctx = tmp_ctx;
ssl_data->cancel = cancel;
mailstream_ssl_context_free(ssl_context);
return ssl_data;
free_cancel:
mailstream_cancel_free(cancel);
free_ssl_conn:
SSL_free(ssl_conn);
free_ctx:
SSL_CTX_free(tmp_ctx);
mailstream_ssl_context_free(ssl_context);
err:
return NULL;
}
int
be_tls_init(bool isServerStart)
{
STACK_OF(X509_NAME) *root_cert_list = NULL;
SSL_CTX *context;
/* This stuff need be done only once. */
if (!SSL_initialized)
{
#ifdef HAVE_OPENSSL_INIT_SSL
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
#endif
SSL_initialized = true;
}
/*
* We use SSLv23_method() because it can negotiate use of the highest
* mutually supported protocol version, while alternatives like
* TLSv1_2_method() permit only one specific version. Note that we don't
* actually allow SSL v2 or v3, only TLS protocols (see below).
*/
context = SSL_CTX_new(SSLv23_method());
if (!context)
{
ereport(isServerStart ? FATAL : LOG,
(errmsg("could not create SSL context: %s",
SSLerrmessage(ERR_get_error()))));
goto error;
}
/*
* Disable OpenSSL's moving-write-buffer sanity check, because it causes
* unnecessary failures in nonblocking send cases.
*/
SSL_CTX_set_mode(context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
/*
* If reloading, override OpenSSL's default handling of
* passphrase-protected files, because we don't want to prompt for a
* passphrase in an already-running server. (Not that the default
* handling is very desirable during server start either, but some people
* insist we need to keep it.)
*/
if (!isServerStart)
SSL_CTX_set_default_passwd_cb(context, ssl_passwd_cb);
/*
* Load and verify server's certificate and private key
*/
if (SSL_CTX_use_certificate_chain_file(context, ssl_cert_file) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load server certificate file \"%s\": %s",
ssl_cert_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
if (!check_ssl_key_file_permissions(ssl_key_file, isServerStart))
goto error;
/*
* OK, try to load the private key file.
*/
ssl_passwd_cb_called = false;
if (SSL_CTX_use_PrivateKey_file(context,
ssl_key_file,
SSL_FILETYPE_PEM) != 1)
{
if (ssl_passwd_cb_called)
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" cannot be reloaded because it requires a passphrase",
ssl_key_file)));
else
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load private key file \"%s\": %s",
ssl_key_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
if (SSL_CTX_check_private_key(context) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("check of private key failed: %s",
SSLerrmessage(ERR_get_error()))));
goto error;
}
/* disallow SSL v2/v3 */
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* disallow SSL session tickets */
#ifdef SSL_OP_NO_TICKET /* added in openssl 0.9.8f */
SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
#endif
/* disallow SSL session caching, too */
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
/* set up ephemeral DH and ECDH keys */
if (!initialize_dh(context, isServerStart))
goto error;
if (!initialize_ecdh(context, isServerStart))
goto error;
/* set up the allowed cipher list */
if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not set the cipher list (no valid ciphers available)")));
goto error;
}
/* Let server choose order */
if (SSLPreferServerCiphers)
SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
/*
* Load CA store, so we can verify client certificates if needed.
*/
if (ssl_ca_file[0])
{
if (SSL_CTX_load_verify_locations(context, ssl_ca_file, NULL) != 1 ||
(root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load root certificate file \"%s\": %s",
ssl_ca_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
}
/*----------
* Load the Certificate Revocation List (CRL).
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*----------
*/
if (ssl_crl_file[0])
{
X509_STORE *cvstore = SSL_CTX_get_cert_store(context);
if (cvstore)
{
/* Set the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
{
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#else
ereport(LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("SSL certificate revocation list file \"%s\" ignored",
ssl_crl_file),
errdetail("SSL library does not support certificate revocation lists.")));
#endif
}
else
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load SSL certificate revocation list file \"%s\": %s",
ssl_crl_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
}
}
if (ssl_ca_file[0])
{
/*
* Always ask for SSL client cert, but don't fail if it's not
* presented. We might fail such connections later, depending on what
* we find in pg_hba.conf.
*/
SSL_CTX_set_verify(context,
(SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE),
verify_cb);
/*
* Tell OpenSSL to send the list of root certs we trust to clients in
* CertificateRequests. This lets a client with a keystore select the
* appropriate client certificate to send to us.
*/
SSL_CTX_set_client_CA_list(context, root_cert_list);
}
/*
* Success! Replace any existing SSL_context.
*/
if (SSL_context)
SSL_CTX_free(SSL_context);
SSL_context = context;
/*
* Set flag to remember whether CA store has been loaded into SSL_context.
*/
if (ssl_ca_file[0])
ssl_loaded_verify_locations = true;
else
ssl_loaded_verify_locations = false;
return 0;
error:
if (context)
SSL_CTX_free(context);
return -1;
}
