void ConnectionManager(ServerGame& aGame, Ogre::String aAddress, int32 aPort)
{
LOG(INFO) << "Init SRP";
boost::asio::ssl::context sslCtx(boost::asio::ssl::context::tlsv1_server);
SSL_CTX* ctx = sslCtx.native_handle();
SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
SSL_CTX_SRP_CTX_init(ctx);
if (SSL_CTX_set_cipher_list(ctx, "SRP") != 1)
{
LOG(ERROR) << "Can not set SRP ciphers";
return;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_srp_username_callback(ctx, SSLSRPServerParamCallback);
AddUser("test", "test");
LOG(INFO) << "Listening to " << aAddress << ":" << aPort;
boost::asio::io_service IOService;
boost::asio::ip::tcp::acceptor gate(IOService,
boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), aPort));
while (true)
{
SSLStreamPtr sslStream(new SSLStream(IOService, sslCtx));
gate.accept(sslStream->lowest_layer());
boost::thread thrd(boost::bind(ClientConnection, boost::ref(aGame), sslStream));
}
}
/*
* This starts a minimal TLS server that only does a
* handshake and then closes the connection. This is
* strictly used to test TLS session negotiation
* behavior with EST.
*/
static void us1060_start_tls_server (char *cipherstring)
{
BIO *conn;
BIO *listener;
BIO *berr;
char h_p[25];
SSL *ssl;
SSL_CTX *ssl_ctx = NULL;
int nid, rv;
EC_KEY *ecdh = NULL;
berr = BIO_new_fp(stderr, BIO_NOCLOSE);
ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if (!ssl_ctx) {
printf("Failed to create SSL context\n");
ERR_print_errors(berr);
return;
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
if (SSL_CTX_use_certificate_chain_file(ssl_ctx, US1060_RSA_CERT) != 1) {
printf("Failed to load server certificate\n");
ERR_print_errors(berr);
return;
}
if (SSL_CTX_use_PrivateKey_file(ssl_ctx, US1060_RSA_KEY, SSL_FILETYPE_PEM) != 1) {
printf("Failed to load server private key\n");
ERR_print_errors(berr);
return;
}
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 |
SSL_OP_SINGLE_ECDH_USE |
SSL_OP_SINGLE_DH_USE |
SSL_OP_NO_TICKET);
nid = OBJ_sn2nid("prime256v1");
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL) {
printf("Failed to retreive ECDH curve\n");
ERR_print_errors(berr);
return;
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
if (SSL_CTX_set_cipher_list(ssl_ctx, cipherstring) != 1) {
printf("Failed to set server cipher list\n");
ERR_print_errors(berr);
return;
}
SSL_CTX_set_srp_username_callback(ssl_ctx, us1060_srp_cb);
sprintf(h_p, "%s:%d", US1060_SERVER_IP, US1060_TLS_PORT);
listener = BIO_new_accept(h_p);
if (listener == NULL) {
printf("IP connection failed\n");
return;
}
BIO_set_bind_mode(listener, BIO_BIND_REUSEADDR);
/*
* The first call to do_accept binds the socket
*/
if (BIO_do_accept(listener) <= 0) {
printf("TCP bind failed\n");
BIO_free_all(listener);
return;
}
/*
* The second call to do_accept waits for a new
* connection request on the listener.
* Note that we are in blocking mode for this socket
*/
if (BIO_do_accept(listener) <= 0) {
printf("TCP accept failed\n");
BIO_free_all(listener);
return;
}
conn = BIO_pop(listener);
ssl = SSL_new(ssl_ctx);
SSL_set_bio(ssl, conn, conn);
/*
* Now that we have everything ready, let's start waiting for
* a client to contact us. Normally we might using a pthread
* or some other construct to avoid blocking on the main
* thread while waiting for an incoming connection. This
* code is simply a contrived example, we will wait on the
* main thread for an incoming connection.
*/
rv = SSL_accept(ssl);
if (rv <= 0) {
printf("\nFailed to complete TLS handshake %d\n", rv);
ERR_print_errors(berr);
}
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ssl_ctx);
BIO_free(berr);
(void)BIO_reset(listener);
BIO_free_all(listener);
pthread_exit(0);
}
int LLVMFuzzerInitialize(int* argc, char*** argv)
{
rand_predictable = 1;
SSL_library_init();
OpenSSL_add_ssl_algorithms();
ERR_load_crypto_strings();
if (RAND_reset_for_fuzzing)
RAND_reset_for_fuzzing();
ctx = SSL_CTX_new(SSLv23_method());
const uint8_t* bufp = kRSAPrivateKeyDER;
RSA* privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
assert(privkey != NULL);
EVP_PKEY* pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, privkey);
int ret = SSL_CTX_use_PrivateKey(ctx, pkey);
assert(ret == 1);
EVP_PKEY_free(pkey);
bufp = kCertificateDER;
X509* cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
assert(cert != NULL);
ret = SSL_CTX_use_certificate(ctx, cert);
assert(ret == 1);
X509_free(cert);
ret = SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:aNULL:DSS");
assert(ret == 1);
X509_STORE* store = X509_STORE_new();
assert(store != NULL);
bufp = kRSACACertDER;
cert = d2i_X509(NULL, &bufp, sizeof(kRSACACertDER));
assert(cert != NULL);
ret = SSL_CTX_add_client_CA(ctx, cert);
assert(ret == 1);
ret = X509_STORE_add_cert(store, cert);
assert(ret == 1);
X509_free(cert);
bufp = kECCACertDER;
cert = d2i_X509(NULL, &bufp, sizeof(kECCACertDER));
assert(cert != NULL);
ret = SSL_CTX_add_client_CA(ctx, cert);
assert(ret == 1);
ret = X509_STORE_add_cert(store, cert);
assert(ret == 1);
X509_free(cert);
bufp = kDSACertDER;
cert = d2i_X509(NULL, &bufp, sizeof(kDSACertDER));
ret = SSL_CTX_add_client_CA(ctx, cert);
assert(ret == 1);
ret = X509_STORE_add_cert(store, cert);
assert(ret == 1);
X509_free(cert);
SSL_CTX_set_cert_store(ctx, store);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
SSL_CTX_set_verify_depth(ctx, 10);
#if !defined(LIBRESSL_VERSION_NUMBER)
SSL_CTX_set_psk_server_callback(ctx, psk_callback);
ret = SSL_CTX_use_psk_identity_hint(ctx, "ABCDEFUZZ");
assert(ret == 1);
#endif /* !defined(LIBRESSL_VERSION_NUMBER) */
#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
ret = SSL_CTX_set_srp_username_callback(ctx, srp_callback);
assert(ret == 1);
ret = SSL_CTX_set_srp_cb_arg(ctx, NULL);
assert(ret == 1);
#endif /* !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION) */
SSL_CTX_set_alpn_select_cb(ctx, alpn_callback, NULL);
SSL_CTX_set_next_protos_advertised_cb(ctx, npn_callback, NULL);
SSL_CTX_set_ecdh_auto(ctx, 1);
return 1;
}
