static SQRESULT sq_ssl_ctx_obj_load(HSQUIRRELVM v){ SQ_FUNC_VARS_NO_TOP(v); GET_ssl_ctx_INSTANCE(); SQ_GET_INTEGER(v, 2, obj_type); SQ_GET_STRING(v, 3, filename); SQ_GET_STRING(v, 4, password); int result = ssl_obj_load(self, obj_type, filename, password); sq_pushinteger(v, result); return 1; }
ScmObj Scm_TLSLoadObject(ScmTLS* t, ScmObj obj_type, const char *filename, const char *password) { #if defined(GAUCHE_USE_AXTLS) uint32_t type = Scm_GetIntegerU32Clamp(obj_type, SCM_CLAMP_ERROR, NULL); if (ssl_obj_load(t->ctx, type, filename, password) == SSL_OK) return SCM_TRUE; #endif /*GAUCHE_USE_AXTLS*/ return SCM_FALSE; }
/* * This function is called after the TCP connect has completed. Setup the TLS * layer and do all necessary magic. */ CURLcode Curl_axtls_connect(struct connectdata *conn, int sockindex) { struct SessionHandle *data = conn->data; SSL_CTX *ssl_ctx; SSL *ssl; int cert_types[] = {SSL_OBJ_X509_CERT, SSL_OBJ_PKCS12, 0}; int key_types[] = {SSL_OBJ_RSA_KEY, SSL_OBJ_PKCS8, SSL_OBJ_PKCS12, 0}; int i, ssl_fcn_return; const uint8_t *ssl_sessionid; size_t ssl_idsize; const char *peer_CN; uint32_t dns_altname_index; const char *dns_altname; int8_t found_subject_alt_names = 0; int8_t found_subject_alt_name_matching_conn = 0; /* Assuming users will not compile in custom key/cert to axTLS */ uint32_t client_option = SSL_NO_DEFAULT_KEY|SSL_SERVER_VERIFY_LATER; if(conn->ssl[sockindex].state == ssl_connection_complete) /* to make us tolerant against being called more than once for the same connection */ return CURLE_OK; /* axTLS only supports TLSv1 */ /* check to see if we've been told to use an explicit SSL/TLS version */ switch(data->set.ssl.version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: break; default: failf(data, "axTLS only supports TLSv1"); return CURLE_SSL_CONNECT_ERROR; } #ifdef AXTLSDEBUG client_option |= SSL_DISPLAY_STATES | SSL_DISPLAY_RSA | SSL_DISPLAY_CERTS; #endif /* AXTLSDEBUG */ /* Allocate an SSL_CTX struct */ ssl_ctx = ssl_ctx_new(client_option, SSL_DEFAULT_CLNT_SESS); if(ssl_ctx == NULL) { failf(data, "unable to create client SSL context"); return CURLE_SSL_CONNECT_ERROR; } /* Load the trusted CA cert bundle file */ if(data->set.ssl.CAfile) { if(ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, data->set.ssl.CAfile, NULL) != SSL_OK) { infof(data, "error reading ca cert file %s \n", data->set.ssl.CAfile); if(data->set.ssl.verifypeer) { Curl_axtls_close(conn, sockindex); return CURLE_SSL_CACERT_BADFILE; } } else infof(data, "found certificates in %s\n", data->set.ssl.CAfile); } /* curl_gtls.c tasks we're skipping for now: * 1) certificate revocation list checking * 2) dns name assignment to host * 3) set protocol priority. axTLS is TLSv1 only, so can probably ignore * 4) set certificate priority. axTLS ignores type and sends certs in * order added. can probably ignore this. */ /* Load client certificate */ if(data->set.str[STRING_CERT]) { i=0; /* Instead of trying to analyze cert type here, let axTLS try them all. */ while(cert_types[i] != 0) { ssl_fcn_return = ssl_obj_load(ssl_ctx, cert_types[i], data->set.str[STRING_CERT], NULL); if(ssl_fcn_return == SSL_OK) { infof(data, "successfully read cert file %s \n", data->set.str[STRING_CERT]); break; } i++; } /* Tried all cert types, none worked. */ if(cert_types[i] == 0) { failf(data, "%s is not x509 or pkcs12 format", data->set.str[STRING_CERT]); Curl_axtls_close(conn, sockindex); return CURLE_SSL_CERTPROBLEM; } } /* Load client key. If a pkcs12 file successfully loaded a cert, then there's nothing to do because the key has already been loaded. */ if(data->set.str[STRING_KEY] && cert_types[i] != SSL_OBJ_PKCS12) { i=0; /* Instead of trying to analyze key type here, let axTLS try them all. */ while(key_types[i] != 0) { ssl_fcn_return = ssl_obj_load(ssl_ctx, key_types[i], data->set.str[STRING_KEY], NULL); if(ssl_fcn_return == SSL_OK) { infof(data, "successfully read key file %s \n", data->set.str[STRING_KEY]); break; } i++; } /* Tried all key types, none worked. */ if(key_types[i] == 0) { failf(data, "Failure: %s is not a supported key file", data->set.str[STRING_KEY]); Curl_axtls_close(conn, sockindex); return CURLE_SSL_CONNECT_ERROR; } } /* curl_gtls.c does more here that is being left out for now * 1) set session credentials. can probably ignore since axtls puts this * info in the ssl_ctx struct * 2) setting up callbacks. these seem gnutls specific */ /* In axTLS, handshaking happens inside ssl_client_new. */ if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize)) { /* we got a session id, use it! */ infof (data, "SSL re-using session ID\n"); ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], ssl_sessionid, (uint8_t)ssl_idsize); } else ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], NULL, 0); /* Check to make sure handshake was ok. */ ssl_fcn_return = ssl_handshake_status(ssl); if(ssl_fcn_return != SSL_OK) { Curl_axtls_close(conn, sockindex); ssl_display_error(ssl_fcn_return); /* goes to stdout. */ return map_error_to_curl(ssl_fcn_return); } infof (data, "handshake completed successfully\n"); /* Here, curl_gtls.c gets the peer certificates and fails out depending on * settings in "data." axTLS api doesn't have get cert chain fcn, so omit? */ /* Verify server's certificate */ if(data->set.ssl.verifypeer) { if(ssl_verify_cert(ssl) != SSL_OK) { Curl_axtls_close(conn, sockindex); failf(data, "server cert verify failed"); return CURLE_SSL_CONNECT_ERROR; } } else infof(data, "\t server certificate verification SKIPPED\n"); /* Here, curl_gtls.c does issuer verification. axTLS has no straightforward * equivalent, so omitting for now.*/ /* Here, curl_gtls.c does the following * 1) x509 hostname checking per RFC2818. axTLS doesn't support this, but * it seems useful. This is now implemented, by Oscar Koeroo * 2) checks cert validity based on time. axTLS does this in ssl_verify_cert * 3) displays a bunch of cert information. axTLS doesn't support most of * this, but a couple fields are available. */ /* There is no (DNS) Altnames count in the version 1.4.8 API. There is a risk of an inifite loop */ for(dns_altname_index = 0; ; dns_altname_index++) { dns_altname = ssl_get_cert_subject_alt_dnsname(ssl, dns_altname_index); if(dns_altname == NULL) { break; } found_subject_alt_names = 1; infof(data, "\tComparing subject alt name DNS with hostname: %s <-> %s\n", dns_altname, conn->host.name); if(Curl_cert_hostcheck(dns_altname, conn->host.name)) { found_subject_alt_name_matching_conn = 1; break; } } /* RFC2818 checks */ if(found_subject_alt_names && !found_subject_alt_name_matching_conn) { /* Break connection ! */ Curl_axtls_close(conn, sockindex); failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname); return CURLE_PEER_FAILED_VERIFICATION; } else if(found_subject_alt_names == 0) { /* Per RFC2818, when no Subject Alt Names were available, examine the peer CN as a legacy fallback */ peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME); if(peer_CN == NULL) { /* Similar behaviour to the OpenSSL interface */ Curl_axtls_close(conn, sockindex); failf(data, "unable to obtain common name from peer certificate"); return CURLE_PEER_FAILED_VERIFICATION; } else { if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) { if(data->set.ssl.verifyhost) { /* Break connection ! */ Curl_axtls_close(conn, sockindex); failf(data, "\tcommon name \"%s\" does not match \"%s\"\n", peer_CN, conn->host.dispname); return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\tcommon name \"%s\" does not match \"%s\"\n", peer_CN, conn->host.dispname); } } } /* General housekeeping */ conn->ssl[sockindex].state = ssl_connection_complete; conn->ssl[sockindex].ssl = ssl; conn->ssl[sockindex].ssl_ctx = ssl_ctx; conn->recv[sockindex] = axtls_recv; conn->send[sockindex] = axtls_send; /* Put our freshly minted SSL session in cache */ ssl_idsize = ssl_get_session_id_size(ssl); ssl_sessionid = ssl_get_session_id(ssl); if(Curl_ssl_addsessionid(conn, (void *) ssl_sessionid, ssl_idsize) != CURLE_OK) infof (data, "failed to add session to cache\n"); return CURLE_OK; }
/** * Load the key/certificates in memory depending on compile-time and user * options. */ int load_key_certs(SSL_CTX *ssl_ctx) { int ret = SSL_OK; uint32_t options = ssl_ctx->options; #ifdef CONFIG_SSL_GENERATE_X509_CERT uint8_t *cert_data = NULL; int cert_size; static const char *dn[] = { CONFIG_SSL_X509_COMMON_NAME, CONFIG_SSL_X509_ORGANIZATION_NAME, CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME }; #endif /* do the private key first */ if (strlen(CONFIG_SSL_PRIVATE_KEY_LOCATION) > 0) { if ((ret = ssl_obj_load(ssl_ctx, SSL_OBJ_RSA_KEY, CONFIG_SSL_PRIVATE_KEY_LOCATION, CONFIG_SSL_PRIVATE_KEY_PASSWORD)) < 0) goto error; } else if (!(options & SSL_NO_DEFAULT_KEY)) { #if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE) static const /* saves a few more bytes */ #include "private_key.h" ssl_obj_memory_load(ssl_ctx, SSL_OBJ_RSA_KEY, default_private_key, default_private_key_len, NULL); #endif } /* now load the certificate */ #ifdef CONFIG_SSL_GENERATE_X509_CERT if ((cert_size = ssl_x509_create(ssl_ctx, 0, dn, &cert_data)) < 0) { ret = cert_size; goto error; } ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CERT, cert_data, cert_size, NULL); free(cert_data); #else if (strlen(CONFIG_SSL_X509_CERT_LOCATION)) { if ((ret = ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, CONFIG_SSL_X509_CERT_LOCATION, NULL)) < 0) goto error; } else if (!(options & SSL_NO_DEFAULT_KEY)) { #if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE) static const /* saves a few bytes and RAM */ #include "cert.h" ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CERT, default_certificate, default_certificate_len, NULL); #endif } #endif error: #ifdef CONFIG_SSL_FULL_MODE if (ret) { printf("Error: Certificate or key not loaded\n"); TTY_FLUSH(); } #endif return ret; }
/* * For both blocking and non-blocking connects, this function sets up the * ssl context and state. This function is called after the TCP connect * has completed. */ static CURLcode connect_prep(struct connectdata *conn, int sockindex) { struct SessionHandle *data = conn->data; SSL_CTX *ssl_ctx; SSL *ssl = NULL; int cert_types[] = {SSL_OBJ_X509_CERT, SSL_OBJ_PKCS12, 0}; int key_types[] = {SSL_OBJ_RSA_KEY, SSL_OBJ_PKCS8, SSL_OBJ_PKCS12, 0}; int i, ssl_fcn_return; const uint8_t *ssl_sessionid; size_t ssl_idsize; /* Assuming users will not compile in custom key/cert to axTLS. * Also, even for blocking connects, use axTLS non-blocking feature. */ uint32_t client_option = SSL_NO_DEFAULT_KEY | SSL_SERVER_VERIFY_LATER | SSL_CONNECT_IN_PARTS; if(conn->ssl[sockindex].state == ssl_connection_complete) /* to make us tolerant against being called more than once for the same connection */ return CURLE_OK; /* axTLS only supports TLSv1 */ /* check to see if we've been told to use an explicit SSL/TLS version */ switch(data->set.ssl.version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: break; default: failf(data, "axTLS only supports TLSv1"); return CURLE_SSL_CONNECT_ERROR; } #ifdef AXTLSDEBUG client_option |= SSL_DISPLAY_STATES | SSL_DISPLAY_RSA | SSL_DISPLAY_CERTS; #endif /* AXTLSDEBUG */ /* Allocate an SSL_CTX struct */ ssl_ctx = ssl_ctx_new(client_option, SSL_DEFAULT_CLNT_SESS); if(ssl_ctx == NULL) { failf(data, "unable to create client SSL context"); return CURLE_SSL_CONNECT_ERROR; } conn->ssl[sockindex].ssl_ctx = ssl_ctx; conn->ssl[sockindex].ssl = NULL; /* Load the trusted CA cert bundle file */ if(data->set.ssl.CAfile) { if(ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, data->set.ssl.CAfile, NULL) != SSL_OK) { infof(data, "error reading ca cert file %s \n", data->set.ssl.CAfile); if(data->set.ssl.verifypeer) { return CURLE_SSL_CACERT_BADFILE; } } else infof(data, "found certificates in %s\n", data->set.ssl.CAfile); } /* gtls.c tasks we're skipping for now: * 1) certificate revocation list checking * 2) dns name assignment to host * 3) set protocol priority. axTLS is TLSv1 only, so can probably ignore * 4) set certificate priority. axTLS ignores type and sends certs in * order added. can probably ignore this. */ /* Load client certificate */ if(data->set.str[STRING_CERT]) { i=0; /* Instead of trying to analyze cert type here, let axTLS try them all. */ while(cert_types[i] != 0) { ssl_fcn_return = ssl_obj_load(ssl_ctx, cert_types[i], data->set.str[STRING_CERT], NULL); if(ssl_fcn_return == SSL_OK) { infof(data, "successfully read cert file %s \n", data->set.str[STRING_CERT]); break; } i++; } /* Tried all cert types, none worked. */ if(cert_types[i] == 0) { failf(data, "%s is not x509 or pkcs12 format", data->set.str[STRING_CERT]); return CURLE_SSL_CERTPROBLEM; } } /* Load client key. If a pkcs12 file successfully loaded a cert, then there's nothing to do because the key has already been loaded. */ if(data->set.str[STRING_KEY] && cert_types[i] != SSL_OBJ_PKCS12) { i=0; /* Instead of trying to analyze key type here, let axTLS try them all. */ while(key_types[i] != 0) { ssl_fcn_return = ssl_obj_load(ssl_ctx, key_types[i], data->set.str[STRING_KEY], NULL); if(ssl_fcn_return == SSL_OK) { infof(data, "successfully read key file %s \n", data->set.str[STRING_KEY]); break; } i++; } /* Tried all key types, none worked. */ if(key_types[i] == 0) { failf(data, "Failure: %s is not a supported key file", data->set.str[STRING_KEY]); return CURLE_SSL_CONNECT_ERROR; } } /* gtls.c does more here that is being left out for now * 1) set session credentials. can probably ignore since axtls puts this * info in the ssl_ctx struct * 2) setting up callbacks. these seem gnutls specific */ /* In axTLS, handshaking happens inside ssl_client_new. */ if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize)) { /* we got a session id, use it! */ infof (data, "SSL re-using session ID\n"); ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], ssl_sessionid, (uint8_t)ssl_idsize); } else ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], NULL, 0); conn->ssl[sockindex].ssl = ssl; return CURLE_OK; }
/****************************************************************************** * FunctionName : upgrade_task * Description : task to connect with target server and get firmware data * Parameters : pvParameters--save the server address\port\request frame for * : the upgrade server\call back functions to tell the userapp * : the result of this upgrade task * Returns : none *******************************************************************************/ void upgrade_ssl_task(void *pvParameters) { int recbytes; int sta_socket; int retry_count = 0; struct ip_info ipconfig; struct upgrade_server_info *server = pvParameters; flash_erased=FALSE; precv_buf = (char*)malloc(UPGRADE_DATA_SEG_LEN);//the max data length while (retry_count++ < UPGRADE_RETRY_TIMES) { if (giveup) break; wifi_get_ip_info(STATION_IF, &ipconfig); /* check the ip address or net connection state*/ while (ipconfig.ip.addr == 0) { vTaskDelay(1000 / portTICK_RATE_MS); wifi_get_ip_info(STATION_IF, &ipconfig); } sta_socket = socket(PF_INET,SOCK_STREAM,0); if (-1 == sta_socket) { close(sta_socket); vTaskDelay(1000 / portTICK_RATE_MS); os_printf("socket fail !\r\n"); continue; } /*for upgrade connection debug*/ //server->sockaddrin.sin_addr.s_addr= inet_addr("192.168.1.170"); if(0 != connect(sta_socket,(struct sockaddr *)(&server->sockaddrin),sizeof(struct sockaddr))) { close(sta_socket); vTaskDelay(1000 / portTICK_RATE_MS); os_printf("connect fail!\r\n"); continue; } uint32_t options = SSL_DISPLAY_CERTS | SSL_NO_DEFAULT_KEY; int i=0; int quiet = 0; int cert_index = 0, ca_cert_index = 0; int cert_size, ca_cert_size; char **ca_cert, **cert; SSL *ssl; SSL_CTX *ssl_ctx; uint8_t *read_buf = NULL; cert_size = ssl_get_config(SSL_MAX_CERT_CFG_OFFSET); ca_cert_size = ssl_get_config(SSL_MAX_CA_CERT_CFG_OFFSET); ca_cert = (char **)calloc(1, sizeof(char *)*ca_cert_size); cert = (char **)calloc(1, sizeof(char *)*cert_size); if ((ssl_ctx= ssl_ctx_new(options, SSL_DEFAULT_CLNT_SESS)) == NULL) { printf("Error: Client context is invalid\n"); close(sta_socket); continue; } ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CACERT, default_certificate, default_certificate_len, NULL); for (i = 0; i < cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, cert[i], NULL)){ printf("Certificate '%s' is undefined.\n", cert[i]); } } for (i = 0; i < ca_cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, ca_cert[i], NULL)){ printf("Certificate '%s' is undefined.\n", ca_cert[i]); } } free(cert); free(ca_cert); ssl= ssl_client_new(ssl_ctx, sta_socket, NULL, 0); if (ssl == NULL){ ssl_ctx_free(ssl_ctx); close(sta_socket); continue; } if(ssl_handshake_status(ssl) != SSL_OK){ printf("client handshake fail.\n"); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); continue; } //handshake sucesses,show cert and free x509_ctx here if (!quiet) { const char *common_name = ssl_get_cert_dn(ssl,SSL_X509_CERT_COMMON_NAME); if (common_name) { printf("Common Name:\t\t\t%s\n", common_name); } display_session_id(ssl); display_cipher(ssl); quiet = true; x509_free(ssl->x509_ctx); ssl->x509_ctx=NULL; } system_upgrade_init(); system_upgrade_flag_set(UPGRADE_FLAG_START); if(ssl_write(ssl, server->url, strlen(server->url)+1) < 0) { ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); vTaskDelay(1000 / portTICK_RATE_MS); os_printf("send fail\n"); continue; } os_printf("Request send success\n"); while((recbytes = ssl_read(ssl, &read_buf)) >= 0) { if(recbytes == 0){ vTaskDelay(500 / portTICK_RATE_MS); continue; } if(recbytes > UPGRADE_DATA_SEG_LEN) { ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); vTaskDelay(2000 / portTICK_RATE_MS); printf("bigger than UPGRADE_DATA_SEG_LEN\n"); } if((recbytes)<=1460) memcpy(precv_buf,read_buf,recbytes); else os_printf("ERR2:arr_overflow,%u,%d\n",__LINE__,recbytes); if(FALSE==flash_erased){ ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); os_printf("pre erase flash!\n"); upgrade_data_load(precv_buf,recbytes); break; } if(false == upgrade_data_load(read_buf,recbytes)) { os_printf("upgrade data error!\n"); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); flash_erased=FALSE; vTaskDelay(1000 / portTICK_RATE_MS); break; } /*this two length data should be equal, if totallength is bigger, *maybe data wrong or server send extra info, drop it anyway*/ if(totallength >= sumlength) { os_printf("upgrade data load finish.\n"); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); goto finish; } os_printf("upgrade_task %d word left\n",uxTaskGetStackHighWaterMark(NULL)); } if(recbytes < 0) { os_printf("ERROR:read data fail! recbytes %d\r\n",recbytes); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); flash_erased=FALSE; vTaskDelay(1000 / portTICK_RATE_MS); } os_printf("upgrade_task %d word left\n",uxTaskGetStackHighWaterMark(NULL)); totallength =0; sumlength = 0; } finish: if(upgrade_crc_check(system_get_fw_start_sec(),sumlength) != 0) { printf("upgrade crc check failed !\n"); server->upgrade_flag = false; system_upgrade_flag_set(UPGRADE_FLAG_IDLE); } os_timer_disarm(&upgrade_timer); totallength = 0; sumlength = 0; flash_erased=FALSE; free(precv_buf); if(retry_count == UPGRADE_RETRY_TIMES){ /*retry too many times, fail*/ server->upgrade_flag = false; system_upgrade_flag_set(UPGRADE_FLAG_IDLE); }else{ if (server->upgrade_flag == true) system_upgrade_flag_set(UPGRADE_FLAG_FINISH); } upgrade_deinit(); os_printf("\n Exit upgrade task.\n"); if (server->check_cb != NULL) { server->check_cb(server); } vTaskDelay(100 / portTICK_RATE_MS); vTaskDelete(NULL); }
void SSL_CTX_set_client_CA_list(SSL_CTX *ssl_ctx, void *file) { ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, (const char *)file, NULL); }
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ssl_ctx, const char *file) { return (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, file, NULL) == SSL_OK); }
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ssl_ctx, const char *file, int type) { return (ssl_obj_load(ssl_ctx, SSL_OBJ_RSA_KEY, file, key_password) == SSL_OK); }
int main(int argc, char *argv[]) { fd_set rfds, wfds; struct connstruct *tp, *to; struct serverstruct *sp; int rnum, wnum, active; int i = 1; time_t currtime; char *httpAddress = NULL; int httpPort = CONFIG_HTTP_PORT; char *httpsAddress = NULL; int httpsPort = CONFIG_HTTP_HTTPS_PORT; uint32_t options = CONFIG_HTTP_DEFAULT_SSL_OPTIONS; char *portStr; char *private_key = NULL; char *cert = NULL; #ifdef WIN32 WORD wVersionRequested = MAKEWORD(2, 2); WSADATA wsaData; WSAStartup(wVersionRequested,&wsaData); #else signal(SIGPIPE, SIG_IGN); #if defined(CONFIG_HTTP_HAS_CGI) signal(SIGCHLD, reaper); #endif #ifdef CONFIG_HTTP_VERBOSE signal(SIGQUIT, die); #endif #endif #ifdef CONFIG_HTTP_VERBOSE signal(SIGTERM, die); signal(SIGINT, sigint_cleanup); #endif tdate_init(); /* get some command-line parameters */ while (argv[i] != NULL) { if (strcmp(argv[i], "-p") == 0 && argv[i+1] != NULL) { if ((portStr = strchr(argv[i+1], ':')) != NULL) { httpAddress = argv[i+1]; *portStr = 0; httpPort = atoi(portStr + 1); } else httpPort = atoi(argv[i+1]); i += 2; continue; } if (strcmp(argv[i], "-s") == 0 && argv[i+1] != NULL) { if ((portStr = strchr(argv[i+1], ':')) != NULL) { httpsAddress = argv[i+1]; *portStr = 0; httpsPort = atoi(portStr + 1); } else httpsPort = atoi(argv[i+1]); i += 2; continue; } if (strcmp(argv[i], "-w") == 0 && argv[i+1] != NULL) { webroot = argv[i+1]; i += 2; continue; } if (strcmp(argv[i], "-cert") == 0 && argv[i+1] != NULL) { cert = argv[i+1]; i += 2; continue; } if (strcmp(argv[i], "-key") == 0 && argv[i+1] != NULL) { private_key = argv[i+1]; i += 2; continue; } printf("%s:\n" " [-p [address:]httpport]\n" " [-s [address:]httpsport]\n" " [-key private_key]\n" " [-cert cert]\n" " [-w webroot]\n", argv[0]); exit(1); } for (i = 0; i < INITIAL_CONNECTION_SLOTS; i++) { tp = freeconns; freeconns = (struct connstruct *)calloc(1, sizeof(struct connstruct)); freeconns->next = tp; } if ((active = openlistener(httpAddress, httpPort)) == -1) { #ifdef CONFIG_HTTP_VERBOSE fprintf(stderr, "ERR: Couldn't bind to port %d\n", httpPort); #endif exit(1); } addtoservers(active); if ((active = openlistener(httpsAddress, httpsPort)) == -1) { #ifdef CONFIG_HTTP_VERBOSE fprintf(stderr, "ERR: Couldn't bind to port %d\n", httpsPort); #endif exit(1); } addtoservers(active); if (cert != NULL && private_key != NULL) options |= SSL_NO_DEFAULT_KEY; servers->ssl_ctx = ssl_ctx_new(options, CONFIG_HTTP_SESSION_CACHE_SIZE); servers->is_ssl = 1; if (cert != NULL && private_key != NULL) { printf("YEAH\n"); if (ssl_obj_load(servers->ssl_ctx, SSL_OBJ_RSA_KEY, private_key, NULL)) { #ifdef CONFIG_HTTP_VERBOSE fprintf(stderr, "ERR: Couldn't load private key %s\n", private_key); #endif exit(1); } if (ssl_obj_load(servers->ssl_ctx, SSL_OBJ_X509_CERT, cert, NULL)) { #ifdef CONFIG_HTTP_VERBOSE fprintf(stderr, "ERR: Couldn't load cert %s\n", cert); #endif exit(1); } } #if defined(CONFIG_HTTP_HAS_CGI) addcgiext(CONFIG_HTTP_CGI_EXTENSIONS); #endif #if defined(CONFIG_HTTP_VERBOSE) #if defined(CONFIG_HTTP_HAS_CGI) printf("addcgiext %s\n", CONFIG_HTTP_CGI_EXTENSIONS); #endif printf("%s: listening on ports %d (http) and %d (https)\n", server_version, httpPort, httpsPort); TTY_FLUSH(); #endif ax_chdir(); #ifdef CONFIG_HTTP_ENABLE_DIFFERENT_USER { struct passwd *pd = getpwnam(CONFIG_HTTP_USER); if (pd != NULL) { int res = setuid(pd->pw_uid); res |= setgid(pd->pw_gid); #if defined(CONFIG_HTTP_VERBOSE) if (res == 0) { printf("change to '%s' successful\n", CONFIG_HTTP_USER); TTY_FLUSH(); } #endif } } #endif #ifndef WIN32 #ifdef CONFIG_HTTP_IS_DAEMON if (fork() > 0) /* parent will die */ exit(0); setsid(); #endif #endif /* main loop */ while (1) { struct timeval tv = { 10, 0 }; FD_ZERO(&rfds); FD_ZERO(&wfds); rnum = wnum = -1; sp = servers; while (sp != NULL) /* read each server port */ { FD_SET(sp->sd, &rfds); if (sp->sd > rnum) rnum = sp->sd; sp = sp->next; } /* Add the established sockets */ tp = usedconns; currtime = time(NULL); while (tp != NULL) { if (currtime > tp->timeout) /* timed out? Kill it. */ { to = tp; tp = tp->next; removeconnection(to); continue; } if (tp->state == STATE_WANT_TO_READ_HEAD) { FD_SET(tp->networkdesc, &rfds); if (tp->networkdesc > rnum) rnum = tp->networkdesc; } if (tp->state == STATE_WANT_TO_SEND_HEAD) { FD_SET(tp->networkdesc, &wfds); if (tp->networkdesc > wnum) wnum = tp->networkdesc; } if (tp->state == STATE_WANT_TO_READ_FILE) { FD_SET(tp->filedesc, &rfds); if (tp->filedesc > rnum) rnum = tp->filedesc; } if (tp->state == STATE_WANT_TO_SEND_FILE) { FD_SET(tp->networkdesc, &wfds); if (tp->networkdesc > wnum) wnum = tp->networkdesc; } #if defined(CONFIG_HTTP_DIRECTORIES) if (tp->state == STATE_DOING_DIR) { FD_SET(tp->networkdesc, &wfds); if (tp->networkdesc > wnum) wnum = tp->networkdesc; } #endif tp = tp->next; } active = select(wnum > rnum ? wnum+1 : rnum+1, rnum != -1 ? &rfds : NULL, wnum != -1 ? &wfds : NULL, NULL, usedconns ? &tv : NULL); /* timeout? */ if (active == 0) continue; /* New connection? */ sp = servers; while (active > 0 && sp != NULL) { if (FD_ISSET(sp->sd, &rfds)) { handlenewconnection(sp->sd, sp->is_ssl); active--; } sp = sp->next; } /* Handle the established sockets */ tp = usedconns; while (active > 0 && tp != NULL) { to = tp; tp = tp->next; if (to->state == STATE_WANT_TO_READ_HEAD && FD_ISSET(to->networkdesc, &rfds)) { active--; #if defined(CONFIG_HTTP_HAS_CGI) if (to->post_state) read_post_data(to); else #endif procreadhead(to); } if (to->state == STATE_WANT_TO_SEND_HEAD && FD_ISSET(to->networkdesc, &wfds)) { active--; procsendhead(to); } if (to->state == STATE_WANT_TO_READ_FILE && FD_ISSET(to->filedesc, &rfds)) { active--; procreadfile(to); } if (to->state == STATE_WANT_TO_SEND_FILE && FD_ISSET(to->networkdesc, &wfds)) { active--; procsendfile(to); } #if defined(CONFIG_HTTP_DIRECTORIES) if (to->state == STATE_DOING_DIR && FD_ISSET(to->networkdesc, &wfds)) { active--; procdodir(to); } #endif } } return 0; }
/** * Implement the SSL server logic. */ static void do_server(int argc, char *argv[]) { int i = 2; uint16_t port = 4433; uint32_t options = SSL_DISPLAY_CERTS; int client_fd; SSL_CTX *ssl_ctx; int server_fd, res = 0; socklen_t client_len; #ifndef CONFIG_SSL_SKELETON_MODE char *private_key_file = NULL; const char *password = NULL; char **cert; int cert_index = 0; int cert_size = ssl_get_config(SSL_MAX_CERT_CFG_OFFSET); #endif #ifdef WIN32 char yes = 1; #else int yes = 1; #endif struct sockaddr_in serv_addr; struct sockaddr_in client_addr; int quiet = 0; #ifdef CONFIG_SSL_CERT_VERIFICATION int ca_cert_index = 0; int ca_cert_size = ssl_get_config(SSL_MAX_CA_CERT_CFG_OFFSET); char **ca_cert = (char **)calloc(1, sizeof(char *)*ca_cert_size); #endif fd_set read_set; #ifndef CONFIG_SSL_SKELETON_MODE cert = (char **)calloc(1, sizeof(char *)*cert_size); #endif while (i < argc) { if (strcmp(argv[i], "-accept") == 0) { if (i >= argc - 1) { print_server_options(argv[i]); } port = atoi(argv[++i]); } #ifndef CONFIG_SSL_SKELETON_MODE else if (strcmp(argv[i], "-cert") == 0) { if (i >= argc - 1 || cert_index >= cert_size) { print_server_options(argv[i]); } cert[cert_index++] = argv[++i]; } else if (strcmp(argv[i], "-key") == 0) { if (i >= argc - 1) { print_server_options(argv[i]); } private_key_file = argv[++i]; options |= SSL_NO_DEFAULT_KEY; } else if (strcmp(argv[i], "-pass") == 0) { if (i >= argc - 1) { print_server_options(argv[i]); } password = argv[++i]; } #endif else if (strcmp(argv[i], "-quiet") == 0) { quiet = 1; options &= ~SSL_DISPLAY_CERTS; } #ifdef CONFIG_SSL_CERT_VERIFICATION else if (strcmp(argv[i], "-verify") == 0) { options |= SSL_CLIENT_AUTHENTICATION; } else if (strcmp(argv[i], "-CAfile") == 0) { if (i >= argc - 1 || ca_cert_index >= ca_cert_size) { print_server_options(argv[i]); } ca_cert[ca_cert_index++] = argv[++i]; } #endif #ifdef CONFIG_SSL_FULL_MODE else if (strcmp(argv[i], "-debug") == 0) { options |= SSL_DISPLAY_BYTES; } else if (strcmp(argv[i], "-state") == 0) { options |= SSL_DISPLAY_STATES; } else if (strcmp(argv[i], "-show-rsa") == 0) { options |= SSL_DISPLAY_RSA; } #endif else { /* don't know what this is */ print_server_options(argv[i]); } i++; } if ((ssl_ctx = ssl_ctx_new(options, SSL_DEFAULT_SVR_SESS)) == NULL) { fprintf(stderr, "Error: Server context is invalid\n"); exit(1); } #ifndef CONFIG_SSL_SKELETON_MODE if (private_key_file) { int obj_type = SSL_OBJ_RSA_KEY; /* auto-detect the key type from the file extension */ if (strstr(private_key_file, ".p8")) { obj_type = SSL_OBJ_PKCS8; } else if (strstr(private_key_file, ".p12")) { obj_type = SSL_OBJ_PKCS12; } if (ssl_obj_load(ssl_ctx, obj_type, private_key_file, password)) { fprintf(stderr, "Error: Private key '%s' is undefined.\n", private_key_file); exit(1); } } for (i = 0; i < cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, cert[i], NULL)) { printf("Certificate '%s' is undefined.\n", cert[i]); exit(1); } } #endif #ifdef CONFIG_SSL_CERT_VERIFICATION for (i = 0; i < ca_cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, ca_cert[i], NULL)) { printf("Certificate '%s' is undefined.\n", ca_cert[i]); exit(1); } } free(ca_cert); #endif #ifndef CONFIG_SSL_SKELETON_MODE free(cert); #endif /* Create socket for incoming connections */ if ((server_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return; } setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)); /* Construct local address structure */ memset(&serv_addr, 0, sizeof(serv_addr)); /* Zero out structure */ serv_addr.sin_family = AF_INET; /* Internet address family */ serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* Any incoming interface */ serv_addr.sin_port = htons(port); /* Local port */ /* Bind to the local address */ if (bind(server_fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) { perror("bind"); exit(1); } if (listen(server_fd, 5) < 0) { perror("listen"); exit(1); } client_len = sizeof(client_addr); /************************************************************************* * This is where the interesting stuff happens. Up until now we've * just been setting up sockets etc. Now we do the SSL handshake. *************************************************************************/ for (;;) { SSL *ssl; int reconnected = 0; if (!quiet) { printf("ACCEPT\n"); TTY_FLUSH(); } if ((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &client_len)) < 0) { break; } ssl = ssl_server_new(ssl_ctx, client_fd); /* now read (and display) whatever the client sends us */ for (;;) { /* allow parallel reading of client and standard input */ FD_ZERO(&read_set); FD_SET(client_fd, &read_set); #ifndef WIN32 /* win32 doesn't like mixing up stdin and sockets */ if (isatty(STDIN_FILENO)) { /* but only if we are in an active shell */ FD_SET(STDIN_FILENO, &read_set); } if ((res = select(client_fd + 1, &read_set, NULL, NULL, NULL)) > 0) { uint8_t buf[1024]; /* read standard input? */ if (FD_ISSET(STDIN_FILENO, &read_set)) { if (fgets((char *)buf, sizeof(buf), stdin) == NULL) { res = SSL_ERROR_CONN_LOST; } else { /* small hack to check renegotiation */ if (buf[0] == 'r' && (buf[1] == '\n' || buf[1] == '\r')) { res = ssl_renegotiate(ssl); } else { /* write our ramblings to the client */ res = ssl_write(ssl, buf, strlen((char *)buf) + 1); } } } else /* a socket read */ #endif { /* keep reading until we get something interesting */ uint8_t *read_buf; if ((res = ssl_read(ssl, &read_buf)) == SSL_OK) { /* are we in the middle of doing a handshake? */ if (ssl_handshake_status(ssl) != SSL_OK) { reconnected = 0; } else if (!reconnected) { /* we are connected/reconnected */ if (!quiet) { display_session_id(ssl); display_cipher(ssl); } reconnected = 1; } } if (res > SSL_OK) { /* display our interesting output */ int written = 0; while (written < res) { written += write(STDOUT_FILENO, read_buf + written, res - written); } TTY_FLUSH(); } else if (res == SSL_CLOSE_NOTIFY) { printf("shutting down SSL\n"); TTY_FLUSH(); } else if (res < SSL_OK && !quiet) { ssl_display_error(res); } } #ifndef WIN32 } #endif if (res < SSL_OK) { if (!quiet) { printf("CONNECTION CLOSED\n"); TTY_FLUSH(); } break; } } /* client was disconnected or the handshake failed. */ ssl_free(ssl); SOCKET_CLOSE(client_fd); } ssl_ctx_free(ssl_ctx); }
/** * Implement the SSL client logic. */ static void do_client(int argc, char *argv[]) { #ifdef CONFIG_SSL_ENABLE_CLIENT int res, i = 2; uint16_t port = 4433; uint32_t options = SSL_SERVER_VERIFY_LATER | SSL_DISPLAY_CERTS; int client_fd; char *private_key_file = NULL; struct sockaddr_in client_addr; struct hostent *hostent; int reconnect = 0; uint32_t sin_addr; SSL_CTX *ssl_ctx; SSL *ssl = NULL; int quiet = 0; int cert_index = 0, ca_cert_index = 0; int cert_size, ca_cert_size; char **ca_cert, **cert; uint8_t session_id[SSL_SESSION_ID_SIZE]; fd_set read_set; const char *password = NULL; FD_ZERO(&read_set); sin_addr = inet_addr("127.0.0.1"); cert_size = ssl_get_config(SSL_MAX_CERT_CFG_OFFSET); ca_cert_size = ssl_get_config(SSL_MAX_CA_CERT_CFG_OFFSET); ca_cert = (char **)calloc(1, sizeof(char *)*ca_cert_size); cert = (char **)calloc(1, sizeof(char *)*cert_size); while (i < argc) { if (strcmp(argv[i], "-connect") == 0) { char *host, *ptr; if (i >= argc - 1) { print_client_options(argv[i]); } host = argv[++i]; if ((ptr = strchr(host, ':')) == NULL) { print_client_options(argv[i]); } *ptr++ = 0; port = atoi(ptr); hostent = gethostbyname(host); if (hostent == NULL) { print_client_options(argv[i]); } sin_addr = *((uint32_t **)hostent->h_addr_list)[0]; } else if (strcmp(argv[i], "-cert") == 0) { if (i >= argc - 1 || cert_index >= cert_size) { print_client_options(argv[i]); } cert[cert_index++] = argv[++i]; } else if (strcmp(argv[i], "-key") == 0) { if (i >= argc - 1) { print_client_options(argv[i]); } private_key_file = argv[++i]; options |= SSL_NO_DEFAULT_KEY; } else if (strcmp(argv[i], "-CAfile") == 0) { if (i >= argc - 1 || ca_cert_index >= ca_cert_size) { print_client_options(argv[i]); } ca_cert[ca_cert_index++] = argv[++i]; } else if (strcmp(argv[i], "-verify") == 0) { options &= ~SSL_SERVER_VERIFY_LATER; } else if (strcmp(argv[i], "-reconnect") == 0) { reconnect = 4; } else if (strcmp(argv[i], "-quiet") == 0) { quiet = 1; options &= ~SSL_DISPLAY_CERTS; } else if (strcmp(argv[i], "-pass") == 0) { if (i >= argc - 1) { print_client_options(argv[i]); } password = argv[++i]; } #ifdef CONFIG_SSL_FULL_MODE else if (strcmp(argv[i], "-debug") == 0) { options |= SSL_DISPLAY_BYTES; } else if (strcmp(argv[i], "-state") == 0) { options |= SSL_DISPLAY_STATES; } else if (strcmp(argv[i], "-show-rsa") == 0) { options |= SSL_DISPLAY_RSA; } #endif else { /* don't know what this is */ print_client_options(argv[i]); } i++; } if ((ssl_ctx = ssl_ctx_new(options, SSL_DEFAULT_CLNT_SESS)) == NULL) { fprintf(stderr, "Error: Client context is invalid\n"); exit(1); } if (private_key_file) { int obj_type = SSL_OBJ_RSA_KEY; /* auto-detect the key type from the file extension */ if (strstr(private_key_file, ".p8")) { obj_type = SSL_OBJ_PKCS8; } else if (strstr(private_key_file, ".p12")) { obj_type = SSL_OBJ_PKCS12; } if (ssl_obj_load(ssl_ctx, obj_type, private_key_file, password)) { fprintf(stderr, "Error: Private key '%s' is undefined.\n", private_key_file); exit(1); } } for (i = 0; i < cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, cert[i], NULL)) { printf("Certificate '%s' is undefined.\n", cert[i]); exit(1); } } for (i = 0; i < ca_cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, ca_cert[i], NULL)) { printf("Certificate '%s' is undefined.\n", ca_cert[i]); exit(1); } } free(cert); free(ca_cert); /************************************************************************* * This is where the interesting stuff happens. Up until now we've * just been setting up sockets etc. Now we do the SSL handshake. *************************************************************************/ client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); memset(&client_addr, 0, sizeof(client_addr)); client_addr.sin_family = AF_INET; client_addr.sin_port = htons(port); client_addr.sin_addr.s_addr = sin_addr; if (connect(client_fd, (struct sockaddr *)&client_addr, sizeof(client_addr)) < 0) { perror("connect"); exit(1); } if (!quiet) { printf("CONNECTED\n"); TTY_FLUSH(); } /* Try session resumption? */ if (reconnect) { while (reconnect--) { ssl = ssl_client_new(ssl_ctx, client_fd, session_id, sizeof(session_id)); if ((res = ssl_handshake_status(ssl)) != SSL_OK) { if (!quiet) { ssl_display_error(res); } ssl_free(ssl); exit(1); } display_session_id(ssl); memcpy(session_id, ssl_get_session_id(ssl), SSL_SESSION_ID_SIZE); if (reconnect) { ssl_free(ssl); SOCKET_CLOSE(client_fd); client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); connect(client_fd, (struct sockaddr *)&client_addr, sizeof(client_addr)); } } } else { ssl = ssl_client_new(ssl_ctx, client_fd, NULL, 0); } /* check the return status */ if ((res = ssl_handshake_status(ssl)) != SSL_OK) { if (!quiet) { ssl_display_error(res); } exit(1); } if (!quiet) { const char *common_name = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME); if (common_name) { printf("Common Name:\t\t\t%s\n", common_name); } display_session_id(ssl); display_cipher(ssl); } for (;;) { uint8_t buf[1024]; /* allow parallel reading of server and standard input */ FD_SET(client_fd, &read_set); #ifndef WIN32 /* win32 doesn't like mixing up stdin and sockets */ FD_SET(STDIN_FILENO, &read_set); if ((res = select(client_fd + 1, &read_set, NULL, NULL, NULL)) > 0) { /* read standard input? */ if (FD_ISSET(STDIN_FILENO, &read_set)) #endif { if (fgets((char *)buf, sizeof(buf), stdin) == NULL) { /* bomb out of here */ ssl_free(ssl); break; } else { /* small hack to check renegotiation */ if (buf[0] == 'R' && (buf[1] == '\n' || buf[1] == '\r')) { res = ssl_renegotiate(ssl); } else { res = ssl_write(ssl, buf, strlen((char *)buf)); } } } #ifndef WIN32 else { /* a socket read */ uint8_t *read_buf; res = ssl_read(ssl, &read_buf); if (res > 0) { /* display our interesting output */ int written = 0; while (written < res) { written += write(STDOUT_FILENO, read_buf + written, res - written); } TTY_FLUSH(); } } } #endif if (res < 0) { if (!quiet) { ssl_display_error(res); } break; /* get outta here */ } } ssl_ctx_free(ssl_ctx); SOCKET_CLOSE(client_fd); #else print_client_options(argv[1]); #endif }