/* * Establish a new SSL connection to an SSL server. */ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size, const char* host_name) { SSL *ssl = ssl_new(ssl_ctx, client_fd); ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */ if (session_id && ssl_ctx->num_sessions) { if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */ { ssl_free(ssl); return NULL; } memcpy(ssl->session_id, session_id, sess_id_size); ssl->sess_id_size = sess_id_size; SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */ } if(host_name != NULL && strlen(host_name) > 0) { ssl->host_name = (char *)strdup(host_name); } SET_SSL_FLAG(SSL_IS_CLIENT); do_client_connect(ssl); return ssl; }
SSL * SSL_new(SSL_CTX *ssl_ctx) { SSL *ssl; ssl = ssl_new(ssl_ctx, -1); /* fd is set later */ return ssl; }
/* * Establish a new SSL connection to an SSL client. */ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd) { SSL *ssl; ssl = ssl_new(ssl_ctx, client_fd); ssl->next_state = HS_CLIENT_HELLO; #ifdef CONFIG_SSL_FULL_MODE if (ssl_ctx->chain_length == 0) printf("Warning - no server certificate defined\n"); TTY_FLUSH(); #endif return ssl; }
//Setups SSL with the certificates needed for api.twitter.com s32 ssl_setup(char * http_host, int socket){ s32 ssl_context; s32 ret; ssl_context = ssl_new((u8 *)http_host, 0); if(ssl_context <= 0){ return ssl_context; } ret = ssl_setbuiltinclientcert(ssl_context, 0); if(ret){ return ret; } if(!strcmp(http_host,"www.googleapis.com")){ ret = ssl_setrootca(ssl_context, (void *)ESCA, ESCA_size); if(ret){ return ret; } }else{ //api.twitter.com ret = ssl_setrootca(ssl_context, (void *)PCA3G2, PCA3G2_size); if(ret){ return ret; } } ret = ssl_connect(ssl_context, socket); if(ret){ return ret; } ret = ssl_handshake(ssl_context); if(ret){ return ret; } return ssl_context; }
SSL * SSL_new(SSL_CTX *ssl_ctx) { SSL *ssl; ssl_func_type_t ssl_func_type; ssl = ssl_new(ssl_ctx, -1); /* fd is set later */ ssl_func_type = OPENSSL_CTX_ATTR->ssl_func_type; #ifdef CONFIG_SSL_ENABLE_CLIENT if (ssl_func_type == SSLv23_client_method || ssl_func_type == SSLv3_client_method || ssl_func_type == TLSv1_client_method) { SET_SSL_FLAG(SSL_IS_CLIENT); } else #endif { ssl->next_state = HS_CLIENT_HELLO; } return ssl; }
static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) { SSL **sslp,*ssl; BIO_SSL *bs; BIO *dbio,*bio; long ret=1; bs=(BIO_SSL *)b->ptr; ssl=bs->ssl; if ((ssl == NULL) && (cmd != BIO_C_SET_SSL)) return(0); switch (cmd) { case BIO_CTRL_RESET: SSL_shutdown(ssl); if (ssl->handshake_func == ssl->method->ssl_connect) SSL_set_connect_state(ssl); else if (ssl->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl); SSL_clear(ssl); if (b->next_bio != NULL) ret=BIO_ctrl(b->next_bio,cmd,num,ptr); else if (ssl->rbio != NULL) ret=BIO_ctrl(ssl->rbio,cmd,num,ptr); else ret=1; break; case BIO_CTRL_INFO: ret=0; break; case BIO_C_SSL_MODE: if (num) /* client mode */ SSL_set_connect_state(ssl); else SSL_set_accept_state(ssl); break; case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT: ret=bs->renegotiate_timeout; if (num < 60) num=5; bs->renegotiate_timeout=(unsigned long)num; bs->last_time=(unsigned long)time(NULL); break; case BIO_C_SET_SSL_RENEGOTIATE_BYTES: ret=bs->renegotiate_count; if ((long)num >=512) bs->renegotiate_count=(unsigned long)num; break; case BIO_C_GET_SSL_NUM_RENEGOTIATES: ret=bs->num_renegotiates; break; case BIO_C_SET_SSL: if (ssl != NULL) { ssl_free(b); if (!ssl_new(b)) return 0; } b->shutdown=(int)num; ssl=(SSL *)ptr; ((BIO_SSL *)b->ptr)->ssl=ssl; bio=SSL_get_rbio(ssl); if (bio != NULL) { if (b->next_bio != NULL) BIO_push(bio,b->next_bio); b->next_bio=bio; CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO); } b->init=1; break; case BIO_C_GET_SSL: if (ptr != NULL) { sslp=(SSL **)ptr; *sslp=ssl; } else ret=0; break; case BIO_CTRL_GET_CLOSE: ret=b->shutdown; break; case BIO_CTRL_SET_CLOSE: b->shutdown=(int)num; break; case BIO_CTRL_WPENDING: ret=BIO_ctrl(ssl->wbio,cmd,num,ptr); break; case BIO_CTRL_PENDING: ret=SSL_pending(ssl); if (ret == 0) ret=BIO_pending(ssl->rbio); break; case BIO_CTRL_FLUSH: BIO_clear_retry_flags(b); ret=BIO_ctrl(ssl->wbio,cmd,num,ptr); BIO_copy_next_retry(b); break; case BIO_CTRL_PUSH: if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio)) { SSL_set_bio(ssl,b->next_bio,b->next_bio); CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO); } break; case BIO_CTRL_POP: /* ugly bit of a hack */ if (ssl->rbio != ssl->wbio) /* we are in trouble :-( */ { BIO_free_all(ssl->wbio); } if (b->next_bio != NULL) { CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO); } ssl->wbio=NULL; ssl->rbio=NULL; break; case BIO_C_DO_STATE_MACHINE: BIO_clear_retry_flags(b); b->retry_reason=0; ret=(int)SSL_do_handshake(ssl); switch (SSL_get_error(ssl,(int)ret)) { case SSL_ERROR_WANT_READ: BIO_set_flags(b, BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY); break; case SSL_ERROR_WANT_WRITE: BIO_set_flags(b, BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY); break; case SSL_ERROR_WANT_CONNECT: BIO_set_flags(b, BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY); b->retry_reason=b->next_bio->retry_reason; break; default: break; } break; case BIO_CTRL_DUP: dbio=(BIO *)ptr; if (((BIO_SSL *)dbio->ptr)->ssl != NULL) SSL_free(((BIO_SSL *)dbio->ptr)->ssl); ((BIO_SSL *)dbio->ptr)->ssl=SSL_dup(ssl); ((BIO_SSL *)dbio->ptr)->renegotiate_count= ((BIO_SSL *)b->ptr)->renegotiate_count; ((BIO_SSL *)dbio->ptr)->byte_count= ((BIO_SSL *)b->ptr)->byte_count; ((BIO_SSL *)dbio->ptr)->renegotiate_timeout= ((BIO_SSL *)b->ptr)->renegotiate_timeout; ((BIO_SSL *)dbio->ptr)->last_time= ((BIO_SSL *)b->ptr)->last_time; ret=(((BIO_SSL *)dbio->ptr)->ssl != NULL); break; case BIO_C_GET_FD: ret=BIO_ctrl(ssl->rbio,cmd,num,ptr); break; case BIO_CTRL_SET_CALLBACK: { #if 0 /* FIXME: Should this be used? -- Richard Levitte */ SSLerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); ret = -1; #else ret=0; #endif } break; case BIO_CTRL_GET_CALLBACK: { void (**fptr)(const SSL *xssl,int type,int val); fptr=(void (**)(const SSL *xssl,int type,int val))ptr; *fptr=SSL_get_info_callback(ssl); } break; default: ret=BIO_ctrl(ssl->rbio,cmd,num,ptr); break; } return(ret); }
void doit(int t) { int fakev4=0; int j; SSL *ssl; int wstat; uint32 scope_id; int sslctl[2]; char *s; unsigned long tmp_long; char sslctl_cmd; stralloc ssl_env = { 0 }; buffer ssl_env_buf; if (pipe(pi) == -1) strerr_die2sys(111,DROP,"unable to create pipe: "); if (pipe(po) == -1) strerr_die2sys(111,DROP,"unable to create pipe: "); if (socketpair(AF_UNIX, SOCK_STREAM, 0, sslctl) == -1) strerr_die2sys(111,DROP,"unable to create socketpair: "); switch(fork()) { case -1: strerr_die2sys(111,DROP,"unable to fork: "); case 0: /* Child */ break; default: /* Parent */ close(pi[0]); close(po[1]); close(sslctl[1]); if ((s=env_get("SSL_CHROOT"))) if (chroot(s) == -1) strerr_die2x(111,DROPSSL,"unable to chroot"); if ((s=env_get("SSL_GID"))) { scan_ulong(s,&tmp_long); gid = tmp_long; } if (gid) if (prot_gid(gid) == -1) strerr_die2sys(111,DROPSSL,"unable to set gid: "); if ((s=env_get("SSL_UID"))) { scan_ulong(s,&tmp_long); uid = tmp_long; } if (uid) if (prot_uid(uid) == -1) strerr_die2sys(111,DROPSSL,"unable to set uid: "); /* This will exit on a fatal error or if the client quits * without activating SSL */ sslctl_cmd = ucspitls_master_wait_for_activation(sslctl[0]); /* If we got here, SSL must have been activated */ ssl = ssl_new(ctx,t); if (!ssl) strerr_die2x(111,DROP,"unable to create SSL instance"); if (ndelay_on(t) == -1) strerr_die2sys(111,DROP,"unable to set socket options: "); if (ssl_timeoutaccept(ssl,ssltimeout) == -1) strerr_die3x(111,DROP,"unable to accept SSL: ",ssl_error_str(ssl_errno)); if (verbosity >= 2) { strnum[fmt_ulong(strnum,getpid())] = 0; strerr_warn3("sslserver: ssl ",strnum," accept ",0); } if (flagclientcert) { switch(ssl_verify(ssl,verifyhost)) { case -1: strerr_die2x(111,DROP,"unable to verify client certificate"); case -2: strerr_die2x(111,DROP,"no client certificate"); case -3: strerr_die2x(111,DROP,"client name does not match certificate"); default: break; } } if (sslctl_cmd == 'Y') { ssl_server_env(ssl, &ssl_env); stralloc_0(&ssl_env); /* Add another NUL */ buffer_init(&ssl_env_buf,buffer_unixwrite,sslctl[0],NULL,0); if (buffer_putflush(&ssl_env_buf, ssl_env.s, ssl_env.len) == -1) { strerr_die2sys(111, FATAL, "unable to write SSL environment: "); } } else if (sslctl_cmd != 'y') { strerr_die2x(111,DROP,"Protocol error on SSL control descriptor: invalid command character read"); } if (close(sslctl[0]) != 0) { strerr_die2sys(111, DROP, "Error closing SSL control socket: "); } if (ssl_io(ssl,pi[1],po[0],io_opt) != 0) strerr_die3x(111,DROP,"unable to speak SSL: ",ssl_error_str(ssl_errno)); if (wait_nohang(&wstat) > 0) _exit(wait_exitcode(wstat)); ssl_close(ssl); _exit(0); } /* Child-only below this point */ if (close(sslctl[0]) != 0) { strerr_die2sys(111, DROP, "Error closing SSL control socket: "); } if (!forcev6 && ip6_isv4mapped(remoteip)) fakev4=1; if (fakev4) remoteipstr[ip4_fmt(remoteipstr,remoteip+12)] = 0; else remoteipstr[ip6_fmt(remoteipstr,remoteip)] = 0; if (verbosity >= 2) { strnum[fmt_ulong(strnum,getpid())] = 0; strerr_warn4("sslserver: pid ",strnum," from ",remoteipstr,0); } if (socket_local6(t,localip,&localport,&scope_id) == -1) strerr_die2sys(111,DROP,"unable to get local address: "); if (fakev4) localipstr[ip4_fmt(localipstr,localip+12)] = 0; else localipstr[ip6_fmt(localipstr,localip)] = 0; remoteportstr[fmt_ulong(remoteportstr,remoteport)] = 0; if (!localhost) if (dns_name6(&localhostsa,localip) == 0) if (localhostsa.len) { if (!stralloc_0(&localhostsa)) drop_nomem(); localhost = localhostsa.s; } env("PROTO",fakev4?"SSL":"SSL6"); env("SSLLOCALIP",localipstr); env("SSL6LOCALIP",localipstr); env("SSLLOCALPORT",localportstr); env("SSL6LOCALPORT",localportstr); env("SSLLOCALHOST",localhost); env("SSL6LOCALHOST",localhost); if (!fakev4 && scope_id) env("SSL6INTERFACE",socket_getifname(scope_id)); if (flagtcpenv) { env("TCPLOCALIP",localipstr); env("TCP6LOCALIP",localipstr); env("TCPLOCALPORT",localportstr); env("TCP6LOCALPORT",localportstr); env("TCPLOCALHOST",localhost); env("TCP6LOCALHOST",localhost); if (!fakev4 && scope_id) env("TCP6INTERFACE",socket_getifname(scope_id)); } if (flagremotehost) if (dns_name6(&remotehostsa,remoteip) == 0) if (remotehostsa.len) { if (flagparanoid) { verifyhost = remoteipstr; if (dns_ip6(&tmp,&remotehostsa) == 0) for (j = 0;j + 16 <= tmp.len;j += 16) if (byte_equal(remoteip,16,tmp.s + j)) { flagparanoid = 0; break; } } if (!flagparanoid) { if (!stralloc_0(&remotehostsa)) drop_nomem(); remotehost = remotehostsa.s; verifyhost = remotehostsa.s; } } env("SSLREMOTEIP",remoteipstr); env("SSL6REMOTEIP",remoteipstr); remoteipstr[ip6_fmt(remoteipstr,remoteip)]=0; env("SSLREMOTEPORT",remoteportstr); env("SSL6REMOTEPORT",remoteportstr); env("SSLREMOTEHOST",remotehost); env("SSL6REMOTEHOST",remotehost); if (flagtcpenv) { env("TCPREMOTEIP",remoteipstr); env("TCP6REMOTEIP",remoteipstr); env("TCPREMOTEPORT",remoteportstr); env("TCP6REMOTEPORT",remoteportstr); env("TCPREMOTEHOST",remotehost); env("TCP6REMOTEHOST",remotehost); } if (flagremoteinfo) { if (remoteinfo6(&tcpremoteinfo,remoteip,remoteport,localip,localport,timeout,netif) == -1) flagremoteinfo = 0; if (!stralloc_0(&tcpremoteinfo)) drop_nomem(); } env("SSLREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0); env("SSL6REMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0); if (flagtcpenv) { env("TCPREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0); env("TCP6REMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0); } if (fnrules) { int fdrules; fdrules = open_read(fnrules); if (fdrules == -1) { if (errno != error_noent) drop_rules(); if (!flagallownorules) drop_rules(); } else { int fakev4=0; char* temp; if (!forcev6 && ip6_isv4mapped(remoteip)) fakev4=1; if (fakev4) temp=remoteipstr+7; else temp=remoteipstr; if (rules(found,fdrules,temp,remotehost,flagremoteinfo ? tcpremoteinfo.s : 0) == -1) drop_rules(); close(fdrules); } } if (verbosity >= 2) { strnum[fmt_ulong(strnum,getpid())] = 0; if (!stralloc_copys(&tmp,"sslserver: ")) drop_nomem(); safecats(flagdeny ? "deny" : "ok"); cats(" "); safecats(strnum); cats(" "); if (localhost) safecats(localhost); cats(":"); safecats(localipstr); cats(":"); safecats(localportstr); cats(" "); if (remotehost) safecats(remotehost); cats(":"); safecats(remoteipstr); cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s); cats(":"); safecats(remoteportstr); cats("\n"); buffer_putflush(buffer_2,tmp.s,tmp.len); } if (flagdeny) _exit(100); if (gid) if (prot_gid(gid) == -1) strerr_die2sys(111,FATAL,"unable to set gid: "); if (uid) if (prot_uid(uid) == -1) strerr_die2sys(111,FATAL,"unable to set uid: "); close(pi[1]); close(po[0]); sig_uncatch(sig_child); sig_unblock(sig_child); sig_uncatch(sig_term); sig_uncatch(sig_pipe); if (fcntl(sslctl[1],F_SETFD,0) == -1) strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag"); strnum[fmt_ulong(strnum,sslctl[1])]=0; setenv("SSLCTLFD",strnum,1); if (fcntl(pi[0],F_SETFD,0) == -1) strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag"); strnum[fmt_ulong(strnum,pi[0])]=0; setenv("SSLREADFD",strnum,1); if (fcntl(po[1],F_SETFD,0) == -1) strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag"); strnum[fmt_ulong(strnum,po[1])]=0; setenv("SSLWRITEFD",strnum,1); if (flagsslwait) { if (fd_copy(0,t) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 0: "); if (fd_copy(1,t) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 1: "); } else { if (fd_move(0,pi[0]) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 0: "); if (fd_move(1,po[1]) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 1: "); } if (flagkillopts) socket_ipoptionskill(t); if (!flagdelay) socket_tcpnodelay(t); if (*banner) { buffer_init(&b,buffer_unixwrite,1,bspace,sizeof bspace); if (buffer_putsflush(&b,banner) == -1) strerr_die2sys(111,DROP,"unable to print banner: "); } if (!flagsslwait) { strnum[fmt_ulong(strnum,flagsslenv)] = 0; strerr_warn2("flagsslenv: ", strnum, 0); ucspitls(flagsslenv,0,1); } pathexec(prog); strerr_die4sys(111,DROP,"unable to run ",*prog,": "); }
bool http_request (const char *url, const u32 max_size) { int linecount; int sslcontext = -1; if (!http_split_url(&http_host, &http_path, url)) return false; if (strncasecmp (url, "http://", 7) == 0) http_port = 80; else http_port = 443; http_max_size = max_size; http_status = 404; content_length = 0; http_data = NULL; int s = tcp_connect (http_host, http_port); if (s < 0) { result = HTTPR_ERR_CONNECT; return false; } if(http_port == 443) { //patched out anyways so just to set something sslcontext = ssl_new((u8*)http_host,0); if(sslcontext < 0) { gprintf("ssl_new\n"); result = HTTPR_ERR_CONNECT; net_close (s); return false; } //patched out anyways so just to set something ssl_setbuiltinclientcert(sslcontext,0); if(ssl_connect(sslcontext,s) < 0) { gprintf("ssl_connect\n"); result = HTTPR_ERR_CONNECT; ssl_shutdown(sslcontext); net_close (s); return false; } int ret = ssl_handshake(sslcontext); if(ret < 0) { gprintf("ssl_handshake %i\n", ret); result = HTTPR_ERR_STATUS; ssl_shutdown(sslcontext); net_close (s); return false; } } char *request = (char *) memalign (32, 1024*2); snprintf(request, 1024*2, "GET %s HTTP/1.1\r\n" "Host: %s\r\n" "Cache-Control: no-cache\r\n\r\n", http_path, http_host); bool b = tcp_write (http_port == 443 ? sslcontext : s, (u8 *) request, strlen (request)); free (request); linecount = 0; for (linecount=0; linecount < 32; linecount++) { char *line = tcp_readln (http_port == 443 ? sslcontext : s, 0xff, gettime(), (u16)HTTP_TIMEOUT); if (!line) { http_status = 404; result = HTTPR_ERR_REQUEST; break; } if (strlen (line) < 1) { free (line); line = NULL; break; } sscanf (line, "HTTP/1.%*u %u", &http_status); sscanf (line, "Content-Length: %u", &content_length); gprintf(line); gprintf("\n"); free (line); line = NULL; } if (linecount == 32 || !content_length) http_status = 404; if (http_status != 200) { result = HTTPR_ERR_STATUS; if(http_port == 443) ssl_shutdown(sslcontext); net_close (s); return false; } if (content_length > http_max_size) { result = HTTPR_ERR_TOOBIG; if(http_port == 443) ssl_shutdown(sslcontext); net_close (s); return false; } http_data = (u8 *) memalign (32, content_length); b = tcp_read (http_port == 443 ? sslcontext : s, &http_data, content_length); if (!b) { free (http_data); http_data = NULL; result = HTTPR_ERR_RECEIVE; if(http_port == 443) ssl_shutdown(sslcontext); net_close (s); return false; } result = HTTPR_OK; if(http_port == 443) ssl_shutdown(sslcontext); net_close (s); return true; }
void doit(int t) { int j; SSL *ssl; int wstat; int sslctl[2]; char *s; unsigned long tmp_long; char ssl_cmd; stralloc ssl_env = { 0 }; int bytesleft; char envbuf[8192]; int childpid; if (pipe(pi) == -1) strerr_die2sys(111,DROP,"unable to create pipe: "); if (pipe(po) == -1) strerr_die2sys(111,DROP,"unable to create pipe: "); if (socketpair(AF_UNIX, SOCK_STREAM, 0, sslctl) == -1) strerr_die2sys(111,DROP,"unable to create socketpair: "); if ((j = ip_fmt(&remoteipsa,&remoteaddr))) strerr_die3x(111,DROP,"unable to print remote ip",gai_strerror(j)); if (flagremotehost) { if (dns_name(&remotehostsa,&remoteaddr) == 0) if (remotehostsa.len) { if (flagparanoid) { struct addrinfo *reverse, hints = {0}; verifyhost = remoteipsa.s; hints.ai_family = remoteaddr.sa4.sin_family; if (remoteaddr.sa6.sin6_family == AF_INET6) { hints.ai_flags = AI_V4MAPPED | AI_ALL; } if (getaddrinfo(remotehostsa.s, NULL, &hints, &reverse) == 0) { hints.ai_next = reverse; while (hints.ai_next) { if (hints.ai_next->ai_family == AF_INET && remoteaddr.sa4.sin_family == AF_INET && byte_equal(&remoteaddr.sa4.sin_addr, 4, &((struct sockaddr_in*) hints.ai_next->ai_addr)->sin_addr) || hints.ai_next->ai_family == AF_INET6 && remoteaddr.sa6.sin6_family == AF_INET6 && byte_equal(remoteaddr.sa6.sin6_addr.s6_addr, 16, &((struct sockaddr_in6*) hints.ai_next->ai_addr)->sin6_addr.s6_addr)) { flagparanoid = 0; break; } hints.ai_next = hints.ai_next->ai_next; } freeaddrinfo(reverse); } } if (!flagparanoid) { remotehost = remotehostsa.s; verifyhost = remotehostsa.s; } } } switch(childpid=fork()) { case -1: strerr_die2sys(111,DROP,"unable to fork: "); case 0: /* Child */ close(sslctl[0]); break; default: /* Parent */ close(pi[0]); close(po[1]); close(sslctl[1]); if ((s=env_get("SSL_CHROOT"))) if (chroot(s) == -1) { kill(childpid, SIGTERM); strerr_die2x(111,DROP,"unable to chroot"); } if ((s=env_get("SSL_GID"))) { scan_ulong(s,&tmp_long); gid = tmp_long; } if (gid) if (prot_gid(gid) == -1) { kill(childpid, SIGTERM); strerr_die2sys(111,FATAL,"unable to set gid: "); } if ((s=env_get("SSL_UID"))) { scan_ulong(s,&tmp_long); uid = tmp_long; } if (uid) if (prot_uid(uid) == -1) { kill(childpid, SIGTERM); strerr_die2sys(111,FATAL,"unable to set uid: "); } /* Read the TLS command socket. This will block until/unless * TLS is requested. */ if (read(sslctl[0],&ssl_cmd,1) == 1) { ssl = ssl_new(ctx,t); if (!ssl) { kill(childpid, SIGTERM); strerr_die2x(111,DROP,"unable to create SSL instance"); } if (ndelay_on(t) == -1) { kill(childpid, SIGTERM); strerr_die2sys(111,DROP,"unable to set socket options: "); } if (ssl_timeoutaccept(ssl,ssltimeout) == -1) { kill(childpid, SIGTERM); strerr_die3x(111,DROP,"unable to accept SSL: ",ssl_error_str(ssl_errno)); } } if (verbosity >= 2) { strnum[fmt_ulong(strnum,getpid())] = 0; strerr_warn3("sslserver: ssl ",strnum," accept ",0); } if (flagclientcert) { switch(ssl_verify(ssl,verifyhost)) { case -1: kill(childpid, SIGTERM); strerr_die2x(111,DROP,"unable to verify client certificate"); case -2: kill(childpid, SIGTERM); strerr_die2x(111,DROP,"no client certificate"); case -3: kill(childpid, SIGTERM); strerr_die3x(111,DROP,"certificate name does not match client fqdn: ",verifyhost); default: break; } } if (ssl_cmd == 'Y') { ssl_server_env(ssl, &ssl_env); if(!stralloc_0(&ssl_env)) drop_nomem(); /* Add another NUL */ env("SSLCTL",ssl_env.s); for(bytesleft = ssl_env.len; bytesleft>0; bytesleft-=j) if ( (j=write(sslctl[0], ssl_env.s, bytesleft)) < 0) { kill(childpid, SIGTERM); strerr_die2sys(111, FATAL, "unable to write SSL environment: "); } } if (ssl_cmd == 'Y' || ssl_cmd == 'y') { if (ssl_io(ssl,pi[1],po[0],progtimeout) != 0) { kill(childpid, SIGTERM); strerr_die3x(111,DROP,"unable to speak SSL: ",ssl_error_str(ssl_errno)); } if (wait_nohang(&wstat) > 0) _exit(wait_exitcode(wstat)); ssl_close(ssl); } kill(childpid, SIGTERM); _exit(0); } /* Child-only below this point */ if (verbosity >= 2) { strnum[fmt_ulong(strnum,getpid())] = 0; strerr_warn4("sslserver: pid ",strnum," from ",remoteipsa.s,0); } if (socket_local(t,&localaddr,&localport) == -1) strerr_die2sys(111,DROP,"unable to get local address: "); if ((j = ip_fmt(&localipsa,&localaddr))) strerr_die3x(111,DROP,"unable to print local address: ",gai_strerror(j)); remoteportstr[fmt_ulong(remoteportstr,remoteport)] = 0; if (!localhost) if (dns_name(&localhostsa,&localaddr) == 0) if (localhostsa.len) { if (!stralloc_0(&localhostsa)) drop_nomem(); localhost = localhostsa.s; } /* If remoteipsa.s contain ':' colon character will assume it is IPv6 */ if (byte_chr(remoteipsa.s, remoteipsa.len, ':') < remoteipsa.len) env("PROTO","SSL6"); else env("PROTO","SSL"); env("SSLLOCALIP",localipsa.s); env("SSLLOCALPORT",localportstr); env("SSLLOCALHOST",localhost); if (flagtcpenv) { env("TCPLOCALIP",localipsa.s); env("TCPLOCALPORT",localportstr); env("TCPLOCALHOST",localhost); } env("SSLREMOTEIP",remoteipsa.s); env("SSLREMOTEPORT",remoteportstr); env("SSLREMOTEHOST",remotehost); if (flagtcpenv) { env("TCPREMOTEIP",remoteipsa.s); env("TCPREMOTEPORT",remoteportstr); env("TCPREMOTEHOST",remotehost); } if (flagremoteinfo) { if (remoteinfo(&tcpremoteinfo,&remoteaddr,&localaddr,timeout) == -1) flagremoteinfo = 0; if (!stralloc_0(&tcpremoteinfo)) drop_nomem(); } env("SSLREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0); if (flagtcpenv) env("TCPREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0); if (fnrules) { int fdrules; fdrules = open_read(fnrules); if (fdrules == -1) { if (errno != error_noent) drop_rules(); if (!flagallownorules) drop_rules(); } else { if (rules(found,fdrules,&remoteaddr,remotehost,flagremoteinfo ? tcpremoteinfo.s : 0) == -1) drop_rules(); close(fdrules); } } if (verbosity >= 2) { strnum[fmt_ulong(strnum,getpid())] = 0; if (!stralloc_copys(&tmp,"sslserver: ")) drop_nomem(); safecats(flagdeny ? "deny" : "ok"); cats(" "); safecats(strnum); cats(" "); if (localhost) safecats(localhost); cats(":"); safecats(localipsa.s); cats(":"); safecats(localportstr); cats(" "); if (remotehost) safecats(remotehost); cats(":"); safecats(remoteipsa.s); cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s); cats(":"); safecats(remoteportstr); cats("\n"); buffer_putflush(buffer_2,tmp.s,tmp.len); } if (flagdeny) _exit(100); if (gid) if (prot_gid(gid) == -1) strerr_die2sys(111,FATAL,"unable to set gid: "); if (uid) if (prot_uid(uid) == -1) strerr_die2sys(111,FATAL,"unable to set uid: "); close(pi[1]); close(po[0]); close(sslctl[0]); sig_uncatch(sig_child); sig_unblock(sig_child); sig_uncatch(sig_term); sig_uncatch(sig_pipe); if (fcntl(sslctl[1],F_SETFD,0) == -1) strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag"); strnum[fmt_ulong(strnum,sslctl[1])]=0; env("SSLCTLFD",strnum); if (fcntl(pi[0],F_SETFD,0) == -1) strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag"); strnum[fmt_ulong(strnum,pi[0])]=0; env("SSLREADFD",strnum); if (fcntl(po[1],F_SETFD,0) == -1) strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag"); strnum[fmt_ulong(strnum,po[1])]=0; env("SSLWRITEFD",strnum); if (flagsslwait) { if (fd_copy(0,t) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 0: "); if (fd_copy(1,t) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 1: "); } else { if (fd_move(0,pi[0]) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 0: "); if (fd_move(1,po[1]) == -1) strerr_die2sys(111,DROP,"unable to set up descriptor 1: "); } if (flagkillopts) socket_ipoptionskill(t); if (!flagdelay) socket_tcpnodelay(t); if (*banner) { buffer_init(&b,buffer_unixwrite,1,bspace,sizeof bspace); if (buffer_putsflush(&b,banner) == -1) strerr_die2sys(111,DROP,"unable to print banner: "); } if (!flagsslwait) { ssl_cmd = flagsslenv ? 'Y' : 'y'; if (write(sslctl[1], &ssl_cmd, 1) < 1) strerr_die2sys(111,DROP,"unable to start SSL: "); if (flagsslenv) { while ((j=read(sslctl[1],envbuf,8192)) > 0) { stralloc_catb(&ssl_env,envbuf,j); if (ssl_env.len >= 2 && ssl_env.s[ssl_env.len-2]==0 && ssl_env.s[ssl_env.len-1]==0) break; } if (j < 0) strerr_die2sys(111,DROP,"unable to read SSL environment: "); pathexec_multienv(&ssl_env); } } pathexec(prog); strerr_die4sys(111,DROP,"unable to run ",*prog,": "); }
static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) { SSL **sslp, *ssl; BIO_SSL *bs, *dbs; BIO *dbio, *bio; long ret = 1; BIO *next; bs = BIO_get_data(b); next = BIO_next(b); ssl = bs->ssl; if ((ssl == NULL) && (cmd != BIO_C_SET_SSL)) return 0; switch (cmd) { case BIO_CTRL_RESET: SSL_shutdown(ssl); if (ssl->handshake_func == ssl->method->ssl_connect) SSL_set_connect_state(ssl); else if (ssl->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl); if (!SSL_clear(ssl)) { ret = 0; break; } if (next != NULL) ret = BIO_ctrl(next, cmd, num, ptr); else if (ssl->rbio != NULL) ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); else ret = 1; break; case BIO_CTRL_INFO: ret = 0; break; case BIO_C_SSL_MODE: if (num) /* client mode */ SSL_set_connect_state(ssl); else SSL_set_accept_state(ssl); break; case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT: ret = bs->renegotiate_timeout; if (num < 60) num = 5; bs->renegotiate_timeout = (unsigned long)num; bs->last_time = (unsigned long)time(NULL); break; case BIO_C_SET_SSL_RENEGOTIATE_BYTES: ret = bs->renegotiate_count; if ((long)num >= 512) bs->renegotiate_count = (unsigned long)num; break; case BIO_C_GET_SSL_NUM_RENEGOTIATES: ret = bs->num_renegotiates; break; case BIO_C_SET_SSL: if (ssl != NULL) { ssl_free(b); if (!ssl_new(b)) return 0; } BIO_set_shutdown(b, num); ssl = (SSL *)ptr; bs->ssl = ssl; bio = SSL_get_rbio(ssl); if (bio != NULL) { if (next != NULL) BIO_push(bio, next); BIO_set_next(b, bio); BIO_up_ref(bio); } BIO_set_init(b, 1); break; case BIO_C_GET_SSL: if (ptr != NULL) { sslp = (SSL **)ptr; *sslp = ssl; } else ret = 0; break; case BIO_CTRL_GET_CLOSE: ret = BIO_get_shutdown(b); break; case BIO_CTRL_SET_CLOSE: BIO_set_shutdown(b, (int)num); break; case BIO_CTRL_WPENDING: ret = BIO_ctrl(ssl->wbio, cmd, num, ptr); break; case BIO_CTRL_PENDING: ret = SSL_pending(ssl); if (ret == 0) ret = BIO_pending(ssl->rbio); break; case BIO_CTRL_FLUSH: BIO_clear_retry_flags(b); ret = BIO_ctrl(ssl->wbio, cmd, num, ptr); BIO_copy_next_retry(b); break; case BIO_CTRL_PUSH: if ((next != NULL) && (next != ssl->rbio)) { /* * We are going to pass ownership of next to the SSL object...but * we don't own a reference to pass yet - so up ref */ BIO_up_ref(next); SSL_set_bio(ssl, next, next); } break; case BIO_CTRL_POP: /* Only detach if we are the BIO explicitly being popped */ if (b == ptr) { /* This will clear the reference we obtained during push */ SSL_set_bio(ssl, NULL, NULL); } break; case BIO_C_DO_STATE_MACHINE: BIO_clear_retry_flags(b); BIO_set_retry_reason(b, 0); ret = (int)SSL_do_handshake(ssl); switch (SSL_get_error(ssl, (int)ret)) { case SSL_ERROR_WANT_READ: BIO_set_flags(b, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); break; case SSL_ERROR_WANT_WRITE: BIO_set_flags(b, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY); break; case SSL_ERROR_WANT_CONNECT: BIO_set_flags(b, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY); BIO_set_retry_reason(b, BIO_get_retry_reason(next)); break; case SSL_ERROR_WANT_X509_LOOKUP: BIO_set_retry_special(b); BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP); break; default: break; } break; case BIO_CTRL_DUP: dbio = (BIO *)ptr; dbs = BIO_get_data(dbio); SSL_free(dbs->ssl); dbs->ssl = SSL_dup(ssl); dbs->num_renegotiates = bs->num_renegotiates; dbs->renegotiate_count = bs->renegotiate_count; dbs->byte_count = bs->byte_count; dbs->renegotiate_timeout = bs->renegotiate_timeout; dbs->last_time = bs->last_time; ret = (dbs->ssl != NULL); break; case BIO_C_GET_FD: ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); break; case BIO_CTRL_SET_CALLBACK: ret = 0; /* use callback ctrl */ break; case BIO_CTRL_GET_CALLBACK: { void (**fptr) (const SSL *xssl, int type, int val); fptr = (void (**)(const SSL *xssl, int type, int val))ptr; *fptr = SSL_get_info_callback(ssl); } break; default: ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); break; } return ret; }
/** * Downloads the contents of a URL to memory * This method is not threadsafe (because networking is not threadsafe on the Wii) */ struct block downloadfile(const char *url) { int sslcontext = -1; //Check if the url starts with "http://", if not it is not considered a valid url if (strncmp(url, "http://", strlen("http://")) == 0) http_port = 80; else if(strncmp(url, "https://", strlen("https://")) == 0) { http_port = 443; gprintf("Initializing ssl...\n"); if(ssl_init() < 0) return emptyblock; } else return emptyblock; //Locate the path part of the url by searching for '/' past "http://" char *path = 0; if(http_port == 443) path = strchr(url + strlen("https://"), '/'); else path = strchr(url + strlen("http://"), '/'); //At the very least the url has to end with '/', ending with just a domain is invalid if (path == NULL) { //printf("URL '%s' has no PATH part\n", url); return emptyblock; } //Extract the domain part out of the url int domainlength = path - url - strlen("http://") - (http_port == 443 ? 1 : 0); if (domainlength == 0) { //printf("No domain part in URL '%s'\n", url); return emptyblock; } char domain[domainlength + 1]; strlcpy(domain, url + strlen("http://") + (http_port == 443 ? 1 : 0), domainlength + 1); //Parsing of the URL is done, start making an actual connection u32 ipaddress = getipbynamecached(domain); if (ipaddress == 0) { //printf("\ndomain %s could not be resolved", domain); return emptyblock; } s32 connection = tcp_connect(ipaddress, http_port); if (connection < 0) { //printf("Error establishing connection"); return emptyblock; } if(http_port == 443) { //patched out anyways so just to set something sslcontext = ssl_new((u8*)domain,0); if(sslcontext < 0) { //gprintf("ssl_new\n"); result = HTTPR_ERR_CONNECT; net_close (connection); return emptyblock; } //patched out anyways so just to set something ssl_setbuiltinclientcert(sslcontext,0); if(ssl_connect(sslcontext,connection) < 0) { //gprintf("ssl_connect\n"); result = HTTPR_ERR_CONNECT; ssl_shutdown(sslcontext); net_close (connection); return emptyblock; } int ret = ssl_handshake(sslcontext); if(ret < 0) { //gprintf("ssl_handshake %i\n", ret); result = HTTPR_ERR_STATUS; ssl_shutdown(sslcontext); net_close (connection); return emptyblock; } } // Remove Referer from the request header for incompatible websites (ex. Cloudflare proxy) char referer[domainlength + 12]; snprintf(referer, sizeof(referer), "Referer: %s\r\n", domain); if(strstr(url, "geckocodes")) { strcpy(referer, ""); } //Form a nice request header to send to the webserver char* headerformat = "GET %s HTTP/1.0\r\nHost: %s\r\n%sUser-Agent: USBLoaderGX r%s\r\n\r\n"; char header[strlen(headerformat) + strlen(path) + strlen(domain) + strlen(referer) + 100]; sprintf(header, headerformat, path, domain, referer, GetRev()); //gprintf("\nHTTP Request:\n"); //gprintf("%s\n",header); //Do the request and get the response tcp_write(http_port == 443 ? sslcontext : connection, header); read_header( http_port == 443 ? sslcontext : connection); if (http_status >= 400) // Not found { //gprintf("HTTP ERROR: %d\n", http_status); return emptyblock; } if(!content_length) content_length = 0; // create data buffer to return struct block response; response.data = malloc(content_length); response.size = content_length; if (response.data == NULL) { return emptyblock; } if (http_status == 200) { if(displayProgressWindow) { ProgressCancelEnable(true); StartProgress(tr("Downloading file..."), tr("Please wait"), 0, false, false); } int ret = tcp_readData(http_port == 443 ? sslcontext : connection, &response.data, content_length); if(!ret) { free(response.data); result = HTTPR_ERR_RECEIVE; if(http_port == 443) ssl_shutdown(sslcontext); net_close (connection); return emptyblock; } } else if (http_status == 302) // 302 FOUND (redirected link) { // close current connection if(http_port == 443) ssl_shutdown(sslcontext); net_close (connection); // prevent infinite loops retryloop++; if(retryloop > 3) { retryloop = 0; return emptyblock; } struct block redirected = downloadfile(content_location); if(redirected.size == 0) return emptyblock; // copy the newURL data into the original data u8 * tmp = realloc(response.data, redirected.size); if (tmp == NULL) { gprintf("Could not allocate enough memory for new URL. Download canceled.\n"); free(response.data); response.size = 0; free(redirected.data); result = HTTPR_ERR_RECEIVE; if(http_port == 443) ssl_shutdown(sslcontext); net_close (connection); return emptyblock; } response.data = tmp; memcpy(response.data, redirected.data, redirected.size); free(redirected.data); response.size = redirected.size; } retryloop = 0; // reset progress window if used if(displayProgressWindow) { ProgressStop(); ProgressCancelEnable(false); displayProgressWindow = false; } return response; }