/*
* Establish a new SSL connection to an SSL server.
*/
EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
uint8_t *session_id, uint8_t sess_id_size, const char* host_name)
{
SSL *ssl = ssl_new(ssl_ctx, client_fd);
ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */
if (session_id && ssl_ctx->num_sessions)
{
if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */
{
ssl_free(ssl);
return NULL;
}
memcpy(ssl->session_id, session_id, sess_id_size);
ssl->sess_id_size = sess_id_size;
SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
}
if(host_name != NULL && strlen(host_name) > 0) {
ssl->host_name = (char *)strdup(host_name);
}
SET_SSL_FLAG(SSL_IS_CLIENT);
do_client_connect(ssl);
return ssl;
}
SSL * SSL_new(SSL_CTX *ssl_ctx)
{
SSL *ssl;
ssl = ssl_new(ssl_ctx, -1); /* fd is set later */
return ssl;
}
/*
* Establish a new SSL connection to an SSL client.
*/
EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd)
{
SSL *ssl;
ssl = ssl_new(ssl_ctx, client_fd);
ssl->next_state = HS_CLIENT_HELLO;
#ifdef CONFIG_SSL_FULL_MODE
if (ssl_ctx->chain_length == 0)
printf("Warning - no server certificate defined\n"); TTY_FLUSH();
#endif
return ssl;
}
//Setups SSL with the certificates needed for api.twitter.com
s32 ssl_setup(char * http_host, int socket){
s32 ssl_context;
s32 ret;
ssl_context = ssl_new((u8 *)http_host, 0);
if(ssl_context <= 0){
return ssl_context;
}
ret = ssl_setbuiltinclientcert(ssl_context, 0);
if(ret){
return ret;
}
if(!strcmp(http_host,"www.googleapis.com")){
ret = ssl_setrootca(ssl_context, (void *)ESCA, ESCA_size);
if(ret){
return ret;
}
}else{ //api.twitter.com
ret = ssl_setrootca(ssl_context, (void *)PCA3G2, PCA3G2_size);
if(ret){
return ret;
}
}
ret = ssl_connect(ssl_context, socket);
if(ret){
return ret;
}
ret = ssl_handshake(ssl_context);
if(ret){
return ret;
}
return ssl_context;
}
SSL * SSL_new(SSL_CTX *ssl_ctx)
{
SSL *ssl;
ssl_func_type_t ssl_func_type;
ssl = ssl_new(ssl_ctx, -1); /* fd is set later */
ssl_func_type = OPENSSL_CTX_ATTR->ssl_func_type;
#ifdef CONFIG_SSL_ENABLE_CLIENT
if (ssl_func_type == SSLv23_client_method ||
ssl_func_type == SSLv3_client_method ||
ssl_func_type == TLSv1_client_method)
{
SET_SSL_FLAG(SSL_IS_CLIENT);
}
else
#endif
{
ssl->next_state = HS_CLIENT_HELLO;
}
return ssl;
}
static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
{
SSL **sslp,*ssl;
BIO_SSL *bs;
BIO *dbio,*bio;
long ret=1;
bs=(BIO_SSL *)b->ptr;
ssl=bs->ssl;
if ((ssl == NULL) && (cmd != BIO_C_SET_SSL))
return(0);
switch (cmd)
{
case BIO_CTRL_RESET:
SSL_shutdown(ssl);
if (ssl->handshake_func == ssl->method->ssl_connect)
SSL_set_connect_state(ssl);
else if (ssl->handshake_func == ssl->method->ssl_accept)
SSL_set_accept_state(ssl);
SSL_clear(ssl);
if (b->next_bio != NULL)
ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
else if (ssl->rbio != NULL)
ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
else
ret=1;
break;
case BIO_CTRL_INFO:
ret=0;
break;
case BIO_C_SSL_MODE:
if (num) /* client mode */
SSL_set_connect_state(ssl);
else
SSL_set_accept_state(ssl);
break;
case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT:
ret=bs->renegotiate_timeout;
if (num < 60) num=5;
bs->renegotiate_timeout=(unsigned long)num;
bs->last_time=(unsigned long)time(NULL);
break;
case BIO_C_SET_SSL_RENEGOTIATE_BYTES:
ret=bs->renegotiate_count;
if ((long)num >=512)
bs->renegotiate_count=(unsigned long)num;
break;
case BIO_C_GET_SSL_NUM_RENEGOTIATES:
ret=bs->num_renegotiates;
break;
case BIO_C_SET_SSL:
if (ssl != NULL)
{
ssl_free(b);
if (!ssl_new(b))
return 0;
}
b->shutdown=(int)num;
ssl=(SSL *)ptr;
((BIO_SSL *)b->ptr)->ssl=ssl;
bio=SSL_get_rbio(ssl);
if (bio != NULL)
{
if (b->next_bio != NULL)
BIO_push(bio,b->next_bio);
b->next_bio=bio;
CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO);
}
b->init=1;
break;
case BIO_C_GET_SSL:
if (ptr != NULL)
{
sslp=(SSL **)ptr;
*sslp=ssl;
}
else
ret=0;
break;
case BIO_CTRL_GET_CLOSE:
ret=b->shutdown;
break;
case BIO_CTRL_SET_CLOSE:
b->shutdown=(int)num;
break;
case BIO_CTRL_WPENDING:
ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
break;
case BIO_CTRL_PENDING:
ret=SSL_pending(ssl);
if (ret == 0)
ret=BIO_pending(ssl->rbio);
break;
case BIO_CTRL_FLUSH:
BIO_clear_retry_flags(b);
ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
BIO_copy_next_retry(b);
break;
case BIO_CTRL_PUSH:
if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio))
{
SSL_set_bio(ssl,b->next_bio,b->next_bio);
CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
}
break;
case BIO_CTRL_POP:
/* ugly bit of a hack */
if (ssl->rbio != ssl->wbio) /* we are in trouble :-( */
{
BIO_free_all(ssl->wbio);
}
if (b->next_bio != NULL)
{
CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
}
ssl->wbio=NULL;
ssl->rbio=NULL;
break;
case BIO_C_DO_STATE_MACHINE:
BIO_clear_retry_flags(b);
b->retry_reason=0;
ret=(int)SSL_do_handshake(ssl);
switch (SSL_get_error(ssl,(int)ret))
{
case SSL_ERROR_WANT_READ:
BIO_set_flags(b,
BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
break;
case SSL_ERROR_WANT_WRITE:
BIO_set_flags(b,
BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY);
break;
case SSL_ERROR_WANT_CONNECT:
BIO_set_flags(b,
BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY);
b->retry_reason=b->next_bio->retry_reason;
break;
default:
break;
}
break;
case BIO_CTRL_DUP:
dbio=(BIO *)ptr;
if (((BIO_SSL *)dbio->ptr)->ssl != NULL)
SSL_free(((BIO_SSL *)dbio->ptr)->ssl);
((BIO_SSL *)dbio->ptr)->ssl=SSL_dup(ssl);
((BIO_SSL *)dbio->ptr)->renegotiate_count=
((BIO_SSL *)b->ptr)->renegotiate_count;
((BIO_SSL *)dbio->ptr)->byte_count=
((BIO_SSL *)b->ptr)->byte_count;
((BIO_SSL *)dbio->ptr)->renegotiate_timeout=
((BIO_SSL *)b->ptr)->renegotiate_timeout;
((BIO_SSL *)dbio->ptr)->last_time=
((BIO_SSL *)b->ptr)->last_time;
ret=(((BIO_SSL *)dbio->ptr)->ssl != NULL);
break;
case BIO_C_GET_FD:
ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
break;
case BIO_CTRL_SET_CALLBACK:
{
#if 0 /* FIXME: Should this be used? -- Richard Levitte */
SSLerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
ret = -1;
#else
ret=0;
#endif
}
break;
case BIO_CTRL_GET_CALLBACK:
{
void (**fptr)(const SSL *xssl,int type,int val);
fptr=(void (**)(const SSL *xssl,int type,int val))ptr;
*fptr=SSL_get_info_callback(ssl);
}
break;
default:
ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
break;
}
return(ret);
}
void doit(int t) {
int fakev4=0;
int j;
SSL *ssl;
int wstat;
uint32 scope_id;
int sslctl[2];
char *s;
unsigned long tmp_long;
char sslctl_cmd;
stralloc ssl_env = { 0 };
buffer ssl_env_buf;
if (pipe(pi) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (pipe(po) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sslctl) == -1) strerr_die2sys(111,DROP,"unable to create socketpair: ");
switch(fork()) {
case -1:
strerr_die2sys(111,DROP,"unable to fork: ");
case 0:
/* Child */
break;
default:
/* Parent */
close(pi[0]); close(po[1]); close(sslctl[1]);
if ((s=env_get("SSL_CHROOT")))
if (chroot(s) == -1)
strerr_die2x(111,DROPSSL,"unable to chroot");
if ((s=env_get("SSL_GID"))) {
scan_ulong(s,&tmp_long);
gid = tmp_long;
}
if (gid) if (prot_gid(gid) == -1) strerr_die2sys(111,DROPSSL,"unable to set gid: ");
if ((s=env_get("SSL_UID"))) {
scan_ulong(s,&tmp_long);
uid = tmp_long;
}
if (uid) if (prot_uid(uid) == -1)
strerr_die2sys(111,DROPSSL,"unable to set uid: ");
/* This will exit on a fatal error or if the client quits
* without activating SSL
*/
sslctl_cmd = ucspitls_master_wait_for_activation(sslctl[0]);
/* If we got here, SSL must have been activated */
ssl = ssl_new(ctx,t);
if (!ssl) strerr_die2x(111,DROP,"unable to create SSL instance");
if (ndelay_on(t) == -1)
strerr_die2sys(111,DROP,"unable to set socket options: ");
if (ssl_timeoutaccept(ssl,ssltimeout) == -1)
strerr_die3x(111,DROP,"unable to accept SSL: ",ssl_error_str(ssl_errno));
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn3("sslserver: ssl ",strnum," accept ",0);
}
if (flagclientcert) {
switch(ssl_verify(ssl,verifyhost)) {
case -1:
strerr_die2x(111,DROP,"unable to verify client certificate");
case -2:
strerr_die2x(111,DROP,"no client certificate");
case -3:
strerr_die2x(111,DROP,"client name does not match certificate");
default: break;
}
}
if (sslctl_cmd == 'Y') {
ssl_server_env(ssl, &ssl_env);
stralloc_0(&ssl_env); /* Add another NUL */
buffer_init(&ssl_env_buf,buffer_unixwrite,sslctl[0],NULL,0);
if (buffer_putflush(&ssl_env_buf, ssl_env.s, ssl_env.len) == -1) {
strerr_die2sys(111, FATAL, "unable to write SSL environment: ");
}
} else if (sslctl_cmd != 'y') {
strerr_die2x(111,DROP,"Protocol error on SSL control descriptor: invalid command character read");
}
if (close(sslctl[0]) != 0) {
strerr_die2sys(111, DROP, "Error closing SSL control socket: ");
}
if (ssl_io(ssl,pi[1],po[0],io_opt) != 0)
strerr_die3x(111,DROP,"unable to speak SSL: ",ssl_error_str(ssl_errno));
if (wait_nohang(&wstat) > 0)
_exit(wait_exitcode(wstat));
ssl_close(ssl);
_exit(0);
}
/* Child-only below this point */
if (close(sslctl[0]) != 0) {
strerr_die2sys(111, DROP, "Error closing SSL control socket: ");
}
if (!forcev6 && ip6_isv4mapped(remoteip))
fakev4=1;
if (fakev4)
remoteipstr[ip4_fmt(remoteipstr,remoteip+12)] = 0;
else
remoteipstr[ip6_fmt(remoteipstr,remoteip)] = 0;
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn4("sslserver: pid ",strnum," from ",remoteipstr,0);
}
if (socket_local6(t,localip,&localport,&scope_id) == -1)
strerr_die2sys(111,DROP,"unable to get local address: ");
if (fakev4)
localipstr[ip4_fmt(localipstr,localip+12)] = 0;
else
localipstr[ip6_fmt(localipstr,localip)] = 0;
remoteportstr[fmt_ulong(remoteportstr,remoteport)] = 0;
if (!localhost)
if (dns_name6(&localhostsa,localip) == 0)
if (localhostsa.len) {
if (!stralloc_0(&localhostsa)) drop_nomem();
localhost = localhostsa.s;
}
env("PROTO",fakev4?"SSL":"SSL6");
env("SSLLOCALIP",localipstr);
env("SSL6LOCALIP",localipstr);
env("SSLLOCALPORT",localportstr);
env("SSL6LOCALPORT",localportstr);
env("SSLLOCALHOST",localhost);
env("SSL6LOCALHOST",localhost);
if (!fakev4 && scope_id)
env("SSL6INTERFACE",socket_getifname(scope_id));
if (flagtcpenv) {
env("TCPLOCALIP",localipstr);
env("TCP6LOCALIP",localipstr);
env("TCPLOCALPORT",localportstr);
env("TCP6LOCALPORT",localportstr);
env("TCPLOCALHOST",localhost);
env("TCP6LOCALHOST",localhost);
if (!fakev4 && scope_id)
env("TCP6INTERFACE",socket_getifname(scope_id));
}
if (flagremotehost)
if (dns_name6(&remotehostsa,remoteip) == 0)
if (remotehostsa.len) {
if (flagparanoid) {
verifyhost = remoteipstr;
if (dns_ip6(&tmp,&remotehostsa) == 0)
for (j = 0;j + 16 <= tmp.len;j += 16)
if (byte_equal(remoteip,16,tmp.s + j)) {
flagparanoid = 0;
break;
}
}
if (!flagparanoid) {
if (!stralloc_0(&remotehostsa)) drop_nomem();
remotehost = remotehostsa.s;
verifyhost = remotehostsa.s;
}
}
env("SSLREMOTEIP",remoteipstr);
env("SSL6REMOTEIP",remoteipstr);
remoteipstr[ip6_fmt(remoteipstr,remoteip)]=0;
env("SSLREMOTEPORT",remoteportstr);
env("SSL6REMOTEPORT",remoteportstr);
env("SSLREMOTEHOST",remotehost);
env("SSL6REMOTEHOST",remotehost);
if (flagtcpenv) {
env("TCPREMOTEIP",remoteipstr);
env("TCP6REMOTEIP",remoteipstr);
env("TCPREMOTEPORT",remoteportstr);
env("TCP6REMOTEPORT",remoteportstr);
env("TCPREMOTEHOST",remotehost);
env("TCP6REMOTEHOST",remotehost);
}
if (flagremoteinfo) {
if (remoteinfo6(&tcpremoteinfo,remoteip,remoteport,localip,localport,timeout,netif) == -1)
flagremoteinfo = 0;
if (!stralloc_0(&tcpremoteinfo)) drop_nomem();
}
env("SSLREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
env("SSL6REMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
if (flagtcpenv) {
env("TCPREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
env("TCP6REMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
}
if (fnrules) {
int fdrules;
fdrules = open_read(fnrules);
if (fdrules == -1) {
if (errno != error_noent) drop_rules();
if (!flagallownorules) drop_rules();
}
else {
int fakev4=0;
char* temp;
if (!forcev6 && ip6_isv4mapped(remoteip))
fakev4=1;
if (fakev4)
temp=remoteipstr+7;
else
temp=remoteipstr;
if (rules(found,fdrules,temp,remotehost,flagremoteinfo ? tcpremoteinfo.s : 0) == -1) drop_rules();
close(fdrules);
}
}
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
if (!stralloc_copys(&tmp,"sslserver: ")) drop_nomem();
safecats(flagdeny ? "deny" : "ok");
cats(" "); safecats(strnum);
cats(" "); if (localhost) safecats(localhost);
cats(":"); safecats(localipstr);
cats(":"); safecats(localportstr);
cats(" "); if (remotehost) safecats(remotehost);
cats(":"); safecats(remoteipstr);
cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
cats(":"); safecats(remoteportstr);
cats("\n");
buffer_putflush(buffer_2,tmp.s,tmp.len);
}
if (flagdeny) _exit(100);
if (gid) if (prot_gid(gid) == -1)
strerr_die2sys(111,FATAL,"unable to set gid: ");
if (uid) if (prot_uid(uid) == -1)
strerr_die2sys(111,FATAL,"unable to set uid: ");
close(pi[1]); close(po[0]);
sig_uncatch(sig_child);
sig_unblock(sig_child);
sig_uncatch(sig_term);
sig_uncatch(sig_pipe);
if (fcntl(sslctl[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,sslctl[1])]=0;
setenv("SSLCTLFD",strnum,1);
if (fcntl(pi[0],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,pi[0])]=0;
setenv("SSLREADFD",strnum,1);
if (fcntl(po[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,po[1])]=0;
setenv("SSLWRITEFD",strnum,1);
if (flagsslwait) {
if (fd_copy(0,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_copy(1,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
} else {
if (fd_move(0,pi[0]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_move(1,po[1]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
}
if (flagkillopts)
socket_ipoptionskill(t);
if (!flagdelay)
socket_tcpnodelay(t);
if (*banner) {
buffer_init(&b,buffer_unixwrite,1,bspace,sizeof bspace);
if (buffer_putsflush(&b,banner) == -1)
strerr_die2sys(111,DROP,"unable to print banner: ");
}
if (!flagsslwait) {
strnum[fmt_ulong(strnum,flagsslenv)] = 0;
strerr_warn2("flagsslenv: ", strnum, 0);
ucspitls(flagsslenv,0,1);
}
pathexec(prog);
strerr_die4sys(111,DROP,"unable to run ",*prog,": ");
}
bool http_request (const char *url, const u32 max_size) {
int linecount;
int sslcontext = -1;
if (!http_split_url(&http_host, &http_path, url)) return false;
if (strncasecmp (url, "http://", 7) == 0)
http_port = 80;
else
http_port = 443;
http_max_size = max_size;
http_status = 404;
content_length = 0;
http_data = NULL;
int s = tcp_connect (http_host, http_port);
if (s < 0) {
result = HTTPR_ERR_CONNECT;
return false;
}
if(http_port == 443)
{
//patched out anyways so just to set something
sslcontext = ssl_new((u8*)http_host,0);
if(sslcontext < 0)
{
gprintf("ssl_new\n");
result = HTTPR_ERR_CONNECT;
net_close (s);
return false;
}
//patched out anyways so just to set something
ssl_setbuiltinclientcert(sslcontext,0);
if(ssl_connect(sslcontext,s) < 0)
{
gprintf("ssl_connect\n");
result = HTTPR_ERR_CONNECT;
ssl_shutdown(sslcontext);
net_close (s);
return false;
}
int ret = ssl_handshake(sslcontext);
if(ret < 0)
{
gprintf("ssl_handshake %i\n", ret);
result = HTTPR_ERR_STATUS;
ssl_shutdown(sslcontext);
net_close (s);
return false;
}
}
char *request = (char *) memalign (32, 1024*2);
snprintf(request, 1024*2,
"GET %s HTTP/1.1\r\n"
"Host: %s\r\n"
"Cache-Control: no-cache\r\n\r\n",
http_path, http_host);
bool b = tcp_write (http_port == 443 ? sslcontext : s, (u8 *) request, strlen (request));
free (request);
linecount = 0;
for (linecount=0; linecount < 32; linecount++) {
char *line = tcp_readln (http_port == 443 ? sslcontext : s, 0xff, gettime(), (u16)HTTP_TIMEOUT);
if (!line) {
http_status = 404;
result = HTTPR_ERR_REQUEST;
break;
}
if (strlen (line) < 1) {
free (line);
line = NULL;
break;
}
sscanf (line, "HTTP/1.%*u %u", &http_status);
sscanf (line, "Content-Length: %u", &content_length);
gprintf(line);
gprintf("\n");
free (line);
line = NULL;
}
if (linecount == 32 || !content_length) http_status = 404;
if (http_status != 200) {
result = HTTPR_ERR_STATUS;
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (s);
return false;
}
if (content_length > http_max_size) {
result = HTTPR_ERR_TOOBIG;
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (s);
return false;
}
http_data = (u8 *) memalign (32, content_length);
b = tcp_read (http_port == 443 ? sslcontext : s, &http_data, content_length);
if (!b) {
free (http_data);
http_data = NULL;
result = HTTPR_ERR_RECEIVE;
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (s);
return false;
}
result = HTTPR_OK;
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (s);
return true;
}
void doit(int t) {
int j;
SSL *ssl;
int wstat;
int sslctl[2];
char *s;
unsigned long tmp_long;
char ssl_cmd;
stralloc ssl_env = { 0 };
int bytesleft;
char envbuf[8192];
int childpid;
if (pipe(pi) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (pipe(po) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sslctl) == -1) strerr_die2sys(111,DROP,"unable to create socketpair: ");
if ((j = ip_fmt(&remoteipsa,&remoteaddr)))
strerr_die3x(111,DROP,"unable to print remote ip",gai_strerror(j));
if (flagremotehost) {
if (dns_name(&remotehostsa,&remoteaddr) == 0)
if (remotehostsa.len) {
if (flagparanoid) {
struct addrinfo *reverse, hints = {0};
verifyhost = remoteipsa.s;
hints.ai_family = remoteaddr.sa4.sin_family;
if (remoteaddr.sa6.sin6_family == AF_INET6) {
hints.ai_flags = AI_V4MAPPED | AI_ALL;
}
if (getaddrinfo(remotehostsa.s, NULL, &hints, &reverse) == 0) {
hints.ai_next = reverse;
while (hints.ai_next) {
if (hints.ai_next->ai_family == AF_INET
&& remoteaddr.sa4.sin_family == AF_INET
&& byte_equal(&remoteaddr.sa4.sin_addr, 4, &((struct sockaddr_in*) hints.ai_next->ai_addr)->sin_addr)
|| hints.ai_next->ai_family == AF_INET6
&& remoteaddr.sa6.sin6_family == AF_INET6
&& byte_equal(remoteaddr.sa6.sin6_addr.s6_addr, 16,
&((struct sockaddr_in6*) hints.ai_next->ai_addr)->sin6_addr.s6_addr)) {
flagparanoid = 0;
break;
}
hints.ai_next = hints.ai_next->ai_next;
}
freeaddrinfo(reverse);
}
}
if (!flagparanoid) {
remotehost = remotehostsa.s;
verifyhost = remotehostsa.s;
}
}
}
switch(childpid=fork()) {
case -1:
strerr_die2sys(111,DROP,"unable to fork: ");
case 0:
/* Child */
close(sslctl[0]);
break;
default:
/* Parent */
close(pi[0]); close(po[1]); close(sslctl[1]);
if ((s=env_get("SSL_CHROOT")))
if (chroot(s) == -1) {
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"unable to chroot");
}
if ((s=env_get("SSL_GID"))) {
scan_ulong(s,&tmp_long);
gid = tmp_long;
}
if (gid) if (prot_gid(gid) == -1) {
kill(childpid, SIGTERM);
strerr_die2sys(111,FATAL,"unable to set gid: ");
}
if ((s=env_get("SSL_UID"))) {
scan_ulong(s,&tmp_long);
uid = tmp_long;
}
if (uid)
if (prot_uid(uid) == -1) {
kill(childpid, SIGTERM);
strerr_die2sys(111,FATAL,"unable to set uid: ");
}
/* Read the TLS command socket. This will block until/unless
* TLS is requested.
*/
if (read(sslctl[0],&ssl_cmd,1) == 1) {
ssl = ssl_new(ctx,t);
if (!ssl) {
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"unable to create SSL instance");
}
if (ndelay_on(t) == -1) {
kill(childpid, SIGTERM);
strerr_die2sys(111,DROP,"unable to set socket options: ");
}
if (ssl_timeoutaccept(ssl,ssltimeout) == -1) {
kill(childpid, SIGTERM);
strerr_die3x(111,DROP,"unable to accept SSL: ",ssl_error_str(ssl_errno));
}
}
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn3("sslserver: ssl ",strnum," accept ",0);
}
if (flagclientcert) {
switch(ssl_verify(ssl,verifyhost)) {
case -1:
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"unable to verify client certificate");
case -2:
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"no client certificate");
case -3:
kill(childpid, SIGTERM);
strerr_die3x(111,DROP,"certificate name does not match client fqdn: ",verifyhost);
default: break;
}
}
if (ssl_cmd == 'Y') {
ssl_server_env(ssl, &ssl_env);
if(!stralloc_0(&ssl_env)) drop_nomem(); /* Add another NUL */
env("SSLCTL",ssl_env.s);
for(bytesleft = ssl_env.len; bytesleft>0; bytesleft-=j)
if ( (j=write(sslctl[0], ssl_env.s, bytesleft)) < 0) {
kill(childpid, SIGTERM);
strerr_die2sys(111, FATAL, "unable to write SSL environment: ");
}
}
if (ssl_cmd == 'Y' || ssl_cmd == 'y') {
if (ssl_io(ssl,pi[1],po[0],progtimeout) != 0) {
kill(childpid, SIGTERM);
strerr_die3x(111,DROP,"unable to speak SSL: ",ssl_error_str(ssl_errno));
}
if (wait_nohang(&wstat) > 0)
_exit(wait_exitcode(wstat));
ssl_close(ssl);
}
kill(childpid, SIGTERM);
_exit(0);
}
/* Child-only below this point */
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn4("sslserver: pid ",strnum," from ",remoteipsa.s,0);
}
if (socket_local(t,&localaddr,&localport) == -1)
strerr_die2sys(111,DROP,"unable to get local address: ");
if ((j = ip_fmt(&localipsa,&localaddr)))
strerr_die3x(111,DROP,"unable to print local address: ",gai_strerror(j));
remoteportstr[fmt_ulong(remoteportstr,remoteport)] = 0;
if (!localhost)
if (dns_name(&localhostsa,&localaddr) == 0)
if (localhostsa.len) {
if (!stralloc_0(&localhostsa)) drop_nomem();
localhost = localhostsa.s;
}
/* If remoteipsa.s contain ':' colon character will assume it is IPv6 */
if (byte_chr(remoteipsa.s, remoteipsa.len, ':') < remoteipsa.len)
env("PROTO","SSL6");
else
env("PROTO","SSL");
env("SSLLOCALIP",localipsa.s);
env("SSLLOCALPORT",localportstr);
env("SSLLOCALHOST",localhost);
if (flagtcpenv) {
env("TCPLOCALIP",localipsa.s);
env("TCPLOCALPORT",localportstr);
env("TCPLOCALHOST",localhost);
}
env("SSLREMOTEIP",remoteipsa.s);
env("SSLREMOTEPORT",remoteportstr);
env("SSLREMOTEHOST",remotehost);
if (flagtcpenv) {
env("TCPREMOTEIP",remoteipsa.s);
env("TCPREMOTEPORT",remoteportstr);
env("TCPREMOTEHOST",remotehost);
}
if (flagremoteinfo) {
if (remoteinfo(&tcpremoteinfo,&remoteaddr,&localaddr,timeout) == -1)
flagremoteinfo = 0;
if (!stralloc_0(&tcpremoteinfo)) drop_nomem();
}
env("SSLREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
if (flagtcpenv)
env("TCPREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
if (fnrules) {
int fdrules;
fdrules = open_read(fnrules);
if (fdrules == -1) {
if (errno != error_noent) drop_rules();
if (!flagallownorules) drop_rules();
}
else {
if (rules(found,fdrules,&remoteaddr,remotehost,flagremoteinfo ? tcpremoteinfo.s : 0) == -1)
drop_rules();
close(fdrules);
}
}
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
if (!stralloc_copys(&tmp,"sslserver: ")) drop_nomem();
safecats(flagdeny ? "deny" : "ok");
cats(" "); safecats(strnum);
cats(" "); if (localhost) safecats(localhost);
cats(":"); safecats(localipsa.s);
cats(":"); safecats(localportstr);
cats(" "); if (remotehost) safecats(remotehost);
cats(":"); safecats(remoteipsa.s);
cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
cats(":"); safecats(remoteportstr);
cats("\n");
buffer_putflush(buffer_2,tmp.s,tmp.len);
}
if (flagdeny) _exit(100);
if (gid) if (prot_gid(gid) == -1)
strerr_die2sys(111,FATAL,"unable to set gid: ");
if (uid) if (prot_uid(uid) == -1)
strerr_die2sys(111,FATAL,"unable to set uid: ");
close(pi[1]); close(po[0]); close(sslctl[0]);
sig_uncatch(sig_child);
sig_unblock(sig_child);
sig_uncatch(sig_term);
sig_uncatch(sig_pipe);
if (fcntl(sslctl[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,sslctl[1])]=0;
env("SSLCTLFD",strnum);
if (fcntl(pi[0],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,pi[0])]=0;
env("SSLREADFD",strnum);
if (fcntl(po[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,po[1])]=0;
env("SSLWRITEFD",strnum);
if (flagsslwait) {
if (fd_copy(0,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_copy(1,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
} else {
if (fd_move(0,pi[0]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_move(1,po[1]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
}
if (flagkillopts)
socket_ipoptionskill(t);
if (!flagdelay)
socket_tcpnodelay(t);
if (*banner) {
buffer_init(&b,buffer_unixwrite,1,bspace,sizeof bspace);
if (buffer_putsflush(&b,banner) == -1)
strerr_die2sys(111,DROP,"unable to print banner: ");
}
if (!flagsslwait) {
ssl_cmd = flagsslenv ? 'Y' : 'y';
if (write(sslctl[1], &ssl_cmd, 1) < 1)
strerr_die2sys(111,DROP,"unable to start SSL: ");
if (flagsslenv) {
while ((j=read(sslctl[1],envbuf,8192)) > 0) {
stralloc_catb(&ssl_env,envbuf,j);
if (ssl_env.len >= 2 && ssl_env.s[ssl_env.len-2]==0 && ssl_env.s[ssl_env.len-1]==0)
break;
}
if (j < 0)
strerr_die2sys(111,DROP,"unable to read SSL environment: ");
pathexec_multienv(&ssl_env);
}
}
pathexec(prog);
strerr_die4sys(111,DROP,"unable to run ",*prog,": ");
}
static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
{
SSL **sslp, *ssl;
BIO_SSL *bs, *dbs;
BIO *dbio, *bio;
long ret = 1;
BIO *next;
bs = BIO_get_data(b);
next = BIO_next(b);
ssl = bs->ssl;
if ((ssl == NULL) && (cmd != BIO_C_SET_SSL))
return 0;
switch (cmd) {
case BIO_CTRL_RESET:
SSL_shutdown(ssl);
if (ssl->handshake_func == ssl->method->ssl_connect)
SSL_set_connect_state(ssl);
else if (ssl->handshake_func == ssl->method->ssl_accept)
SSL_set_accept_state(ssl);
if (!SSL_clear(ssl)) {
ret = 0;
break;
}
if (next != NULL)
ret = BIO_ctrl(next, cmd, num, ptr);
else if (ssl->rbio != NULL)
ret = BIO_ctrl(ssl->rbio, cmd, num, ptr);
else
ret = 1;
break;
case BIO_CTRL_INFO:
ret = 0;
break;
case BIO_C_SSL_MODE:
if (num) /* client mode */
SSL_set_connect_state(ssl);
else
SSL_set_accept_state(ssl);
break;
case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT:
ret = bs->renegotiate_timeout;
if (num < 60)
num = 5;
bs->renegotiate_timeout = (unsigned long)num;
bs->last_time = (unsigned long)time(NULL);
break;
case BIO_C_SET_SSL_RENEGOTIATE_BYTES:
ret = bs->renegotiate_count;
if ((long)num >= 512)
bs->renegotiate_count = (unsigned long)num;
break;
case BIO_C_GET_SSL_NUM_RENEGOTIATES:
ret = bs->num_renegotiates;
break;
case BIO_C_SET_SSL:
if (ssl != NULL) {
ssl_free(b);
if (!ssl_new(b))
return 0;
}
BIO_set_shutdown(b, num);
ssl = (SSL *)ptr;
bs->ssl = ssl;
bio = SSL_get_rbio(ssl);
if (bio != NULL) {
if (next != NULL)
BIO_push(bio, next);
BIO_set_next(b, bio);
BIO_up_ref(bio);
}
BIO_set_init(b, 1);
break;
case BIO_C_GET_SSL:
if (ptr != NULL) {
sslp = (SSL **)ptr;
*sslp = ssl;
} else
ret = 0;
break;
case BIO_CTRL_GET_CLOSE:
ret = BIO_get_shutdown(b);
break;
case BIO_CTRL_SET_CLOSE:
BIO_set_shutdown(b, (int)num);
break;
case BIO_CTRL_WPENDING:
ret = BIO_ctrl(ssl->wbio, cmd, num, ptr);
break;
case BIO_CTRL_PENDING:
ret = SSL_pending(ssl);
if (ret == 0)
ret = BIO_pending(ssl->rbio);
break;
case BIO_CTRL_FLUSH:
BIO_clear_retry_flags(b);
ret = BIO_ctrl(ssl->wbio, cmd, num, ptr);
BIO_copy_next_retry(b);
break;
case BIO_CTRL_PUSH:
if ((next != NULL) && (next != ssl->rbio)) {
/*
* We are going to pass ownership of next to the SSL object...but
* we don't own a reference to pass yet - so up ref
*/
BIO_up_ref(next);
SSL_set_bio(ssl, next, next);
}
break;
case BIO_CTRL_POP:
/* Only detach if we are the BIO explicitly being popped */
if (b == ptr) {
/* This will clear the reference we obtained during push */
SSL_set_bio(ssl, NULL, NULL);
}
break;
case BIO_C_DO_STATE_MACHINE:
BIO_clear_retry_flags(b);
BIO_set_retry_reason(b, 0);
ret = (int)SSL_do_handshake(ssl);
switch (SSL_get_error(ssl, (int)ret)) {
case SSL_ERROR_WANT_READ:
BIO_set_flags(b, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
break;
case SSL_ERROR_WANT_WRITE:
BIO_set_flags(b, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
break;
case SSL_ERROR_WANT_CONNECT:
BIO_set_flags(b, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY);
BIO_set_retry_reason(b, BIO_get_retry_reason(next));
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_set_retry_special(b);
BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
break;
default:
break;
}
break;
case BIO_CTRL_DUP:
dbio = (BIO *)ptr;
dbs = BIO_get_data(dbio);
SSL_free(dbs->ssl);
dbs->ssl = SSL_dup(ssl);
dbs->num_renegotiates = bs->num_renegotiates;
dbs->renegotiate_count = bs->renegotiate_count;
dbs->byte_count = bs->byte_count;
dbs->renegotiate_timeout = bs->renegotiate_timeout;
dbs->last_time = bs->last_time;
ret = (dbs->ssl != NULL);
break;
case BIO_C_GET_FD:
ret = BIO_ctrl(ssl->rbio, cmd, num, ptr);
break;
case BIO_CTRL_SET_CALLBACK:
ret = 0; /* use callback ctrl */
break;
case BIO_CTRL_GET_CALLBACK:
{
void (**fptr) (const SSL *xssl, int type, int val);
fptr = (void (**)(const SSL *xssl, int type, int val))ptr;
*fptr = SSL_get_info_callback(ssl);
}
break;
default:
ret = BIO_ctrl(ssl->rbio, cmd, num, ptr);
break;
}
return ret;
}
/**
* Downloads the contents of a URL to memory
* This method is not threadsafe (because networking is not threadsafe on the Wii)
*/
struct block downloadfile(const char *url)
{
int sslcontext = -1;
//Check if the url starts with "http://", if not it is not considered a valid url
if (strncmp(url, "http://", strlen("http://")) == 0)
http_port = 80;
else if(strncmp(url, "https://", strlen("https://")) == 0)
{
http_port = 443;
gprintf("Initializing ssl...\n");
if(ssl_init() < 0)
return emptyblock;
}
else
return emptyblock;
//Locate the path part of the url by searching for '/' past "http://"
char *path = 0;
if(http_port == 443)
path = strchr(url + strlen("https://"), '/');
else
path = strchr(url + strlen("http://"), '/');
//At the very least the url has to end with '/', ending with just a domain is invalid
if (path == NULL)
{
//printf("URL '%s' has no PATH part\n", url);
return emptyblock;
}
//Extract the domain part out of the url
int domainlength = path - url - strlen("http://") - (http_port == 443 ? 1 : 0);
if (domainlength == 0)
{
//printf("No domain part in URL '%s'\n", url);
return emptyblock;
}
char domain[domainlength + 1];
strlcpy(domain, url + strlen("http://") + (http_port == 443 ? 1 : 0), domainlength + 1);
//Parsing of the URL is done, start making an actual connection
u32 ipaddress = getipbynamecached(domain);
if (ipaddress == 0)
{
//printf("\ndomain %s could not be resolved", domain);
return emptyblock;
}
s32 connection = tcp_connect(ipaddress, http_port);
if (connection < 0)
{
//printf("Error establishing connection");
return emptyblock;
}
if(http_port == 443)
{
//patched out anyways so just to set something
sslcontext = ssl_new((u8*)domain,0);
if(sslcontext < 0)
{
//gprintf("ssl_new\n");
result = HTTPR_ERR_CONNECT;
net_close (connection);
return emptyblock;
}
//patched out anyways so just to set something
ssl_setbuiltinclientcert(sslcontext,0);
if(ssl_connect(sslcontext,connection) < 0)
{
//gprintf("ssl_connect\n");
result = HTTPR_ERR_CONNECT;
ssl_shutdown(sslcontext);
net_close (connection);
return emptyblock;
}
int ret = ssl_handshake(sslcontext);
if(ret < 0)
{
//gprintf("ssl_handshake %i\n", ret);
result = HTTPR_ERR_STATUS;
ssl_shutdown(sslcontext);
net_close (connection);
return emptyblock;
}
}
// Remove Referer from the request header for incompatible websites (ex. Cloudflare proxy)
char referer[domainlength + 12];
snprintf(referer, sizeof(referer), "Referer: %s\r\n", domain);
if(strstr(url, "geckocodes"))
{
strcpy(referer, "");
}
//Form a nice request header to send to the webserver
char* headerformat = "GET %s HTTP/1.0\r\nHost: %s\r\n%sUser-Agent: USBLoaderGX r%s\r\n\r\n";
char header[strlen(headerformat) + strlen(path) + strlen(domain) + strlen(referer) + 100];
sprintf(header, headerformat, path, domain, referer, GetRev());
//gprintf("\nHTTP Request:\n");
//gprintf("%s\n",header);
//Do the request and get the response
tcp_write(http_port == 443 ? sslcontext : connection, header);
read_header( http_port == 443 ? sslcontext : connection);
if (http_status >= 400) // Not found
{
//gprintf("HTTP ERROR: %d\n", http_status);
return emptyblock;
}
if(!content_length)
content_length = 0;
// create data buffer to return
struct block response;
response.data = malloc(content_length);
response.size = content_length;
if (response.data == NULL)
{
return emptyblock;
}
if (http_status == 200)
{
if(displayProgressWindow)
{
ProgressCancelEnable(true);
StartProgress(tr("Downloading file..."), tr("Please wait"), 0, false, false);
}
int ret = tcp_readData(http_port == 443 ? sslcontext : connection, &response.data, content_length);
if(!ret)
{
free(response.data);
result = HTTPR_ERR_RECEIVE;
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (connection);
return emptyblock;
}
}
else if (http_status == 302) // 302 FOUND (redirected link)
{
// close current connection
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (connection);
// prevent infinite loops
retryloop++;
if(retryloop > 3)
{
retryloop = 0;
return emptyblock;
}
struct block redirected = downloadfile(content_location);
if(redirected.size == 0)
return emptyblock;
// copy the newURL data into the original data
u8 * tmp = realloc(response.data, redirected.size);
if (tmp == NULL)
{
gprintf("Could not allocate enough memory for new URL. Download canceled.\n");
free(response.data);
response.size = 0;
free(redirected.data);
result = HTTPR_ERR_RECEIVE;
if(http_port == 443)
ssl_shutdown(sslcontext);
net_close (connection);
return emptyblock;
}
response.data = tmp;
memcpy(response.data, redirected.data, redirected.size);
free(redirected.data);
response.size = redirected.size;
}
retryloop = 0;
// reset progress window if used
if(displayProgressWindow)
{
ProgressStop();
ProgressCancelEnable(false);
displayProgressWindow = false;
}
return response;
}
