int https_connect(struct url *url, struct url *proxy) { static struct tls_config *tls_config = NULL; int s; /* One time initialization */ if (tls_config == NULL) tls_config = https_init(); if ((ctx = tls_client()) == NULL) { warnx("failed to create tls client"); return -1; } if (tls_configure(ctx, tls_config) != 0) { warnx("%s: %s", __func__, tls_error(ctx)); return -1; } if (url->port[0] == '\0') (void)strlcpy(url->port, "443", sizeof(url->port)); if ((s = http_connect(url, proxy)) == -1) return -1; if (tls_connect_socket(ctx, s, url->host) != 0) { warnx("%s: %s", __func__, tls_error(ctx)); return -1; } return s; }
int main(int argc, char *argv[]) { tcp_ctx *tcp; tls_ctx *ctx; char *host, *port; if (argc != 3) { printf("\nusage: tlscmd <host> <port>\n"); return 0; } host = argv[1]; port = argv[2]; printf (" [ connecting to %s:%i...\n", host, atoi(port)); tcp = tcp_new_ctx(AF_INET, host, port); if (tcp!=NULL) { printf (" [ host resolved to %s.\n", tcp_addr2ip(tcp)); ctx = tls_new_ctx(); if (ctx!=NULL) { printf (" [ TLS client initialized.\n"); tls_client(tcp, ctx); tls_free_ctx(ctx); } tcp_free_ctx(tcp); } return 0; }
void connection_init_tls() { tls_init(); CurrentConnectionState.TlsConfiguration = tls_config_new(); CurrentConnectionState.ServerContext = tls_server(); CurrentConnectionState.ClientContext = tls_client(); tls_config_set_key_file(CurrentConnectionState.TlsConfiguration, CurrentConnectionState.PrivateKey); tls_config_set_cert_file(CurrentConnectionState.TlsConfiguration, CurrentConnectionState.CertificateFile); tls_config_insecure_noverifycert(CurrentConnectionState.TlsConfiguration); if(tls_configure(CurrentConnectionState.ServerContext, CurrentConnectionState.TlsConfiguration) != 0) { printf("%s\n", tls_error(CurrentConnectionState.ServerContext)); } if(tls_configure(CurrentConnectionState.ClientContext, CurrentConnectionState.TlsConfiguration) != 0) { printf("%s\n", tls_error(CurrentConnectionState.ClientContext)); } }
int main(int argc, char *argv[]) { struct tls_config *conf; struct tls *ctx; struct tls_cert_info *cert; int res; const char *host; if (argc < 2) errx(1, "give host as arg\n"); host = argv[1]; res = tls_init(); if (res < 0) errx(1, "tls_init"); conf = tls_config_new(); if (!conf) errx(1, "tls_config_new"); tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL); tls_config_set_ciphers(conf, "fast"); ctx = tls_client(); if (!ctx) errx(1, "tls_client"); res = tls_configure(ctx, conf); if (res < 0) errx(1, "tls_configure: %s", tls_error(ctx)); res = tls_connect(ctx, host, "443"); if (res < 0) errx(1, "tls_connect: %s", tls_error(ctx)); printf("connect ok\n"); res = tls_get_peer_cert(ctx, &cert); if (res < 0) errx(1, "tls_get_peer_cert: %s", tls_error(ctx)); tls_close(ctx); tls_free(ctx); tls_config_free(conf); printf(" CN='%s'\n", cert->subject.common_name); printf(" C='%s'\n", cert->subject.country_name); printf(" ST='%s'\n", cert->subject.state_or_province_name); printf(" L='%s'\n", cert->subject.locality_name); printf(" S='%s'\n", cert->subject.street_address); printf(" O='%s'\n", cert->subject.organization_name); printf(" OU='%s'\n", cert->subject.organizational_unit_name); tls_cert_free(cert); return 0; }
static const char *run_time(const char *val) { #ifdef USUAL_LIBSSL_FOR_TLS ASN1_TIME tmp; time_t t = 0; static char buf[128]; struct tm *tm, tmbuf; struct tls *ctx; int err; memset(&tmp, 0, sizeof tmp); memset(&tmbuf, 0, sizeof tmbuf); tmp.data = (unsigned char*)val+2; tmp.length = strlen(val+2); if (val[0] == 'G' && val[1] == ':') { tmp.type = V_ASN1_GENERALIZEDTIME; } else if (val[0] == 'U' && val[1] == ':') { tmp.type = V_ASN1_UTCTIME; } else { tmp.type = val[0]; } ctx = tls_client(); if (!ctx) return "NOMEM"; err = tls_asn1_parse_time(ctx, &tmp, &t); if (err) { strlcpy(buf, tls_error(ctx), sizeof buf); tls_free(ctx); return buf; } tls_free(ctx); tm = gmtime_r(&t, &tmbuf); if (!tm) return "E-GMTIME"; strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S GMT", tm); return buf; #else return "no-asn1"; #endif }
int main(int argc, char *argv[]) { struct tls_config *conf; struct tls *ctx, *ocsp; struct tls_cert *cert; int res; const char *host; char buf[256]; if (argc < 2) errx(1, "give host as arg\n"); host = argv[1]; #ifdef USUAL_LIBSSL_FOR_TLS printf("libssl: %s\n", SSLeay_version(SSLEAY_VERSION)); #endif res = tls_init(); if (res < 0) errx(1, "tls_init"); conf = tls_config_new(); if (!conf) errx(1, "tls_config_new"); tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL); tls_config_set_ciphers(conf, "fast"); ctx = tls_client(); if (!ctx) errx(1, "tls_client"); res = tls_configure(ctx, conf); if (res < 0) errx(1, "tls_configure: %s", tls_error(ctx)); res = tls_connect(ctx, host, "443"); if (res < 0) errx(1, "tls_connect: %s", tls_error(ctx)); res = tls_handshake(ctx); if (res < 0) errx(1, "tls_handshake: %s", tls_error(ctx)); res = tls_get_peer_cert(ctx, &cert, NULL); if (res < 0) errx(1, "tls_get_peer_cert: %s", tls_error(ctx)); tls_get_connection_info(ctx, buf, sizeof buf); printf("Connection: '%s'\n", buf); printf(" CN='%s'\n", cert->subject.common_name); printf(" C='%s'\n", cert->subject.country_name); printf(" ST='%s'\n", cert->subject.state_or_province_name); printf(" L='%s'\n", cert->subject.locality_name); printf(" S='%s'\n", cert->subject.street_address); printf(" O='%s'\n", cert->subject.organization_name); printf(" OU='%s'\n", cert->subject.organizational_unit_name); show_ocsp_info("OCSP stapling", ctx); ocsp = NULL; res = tls_ocsp_check_peer(&ocsp, NULL, ctx); if (ocsp) { show_ocsp_info("OCSP responder", ocsp); tls_free(ocsp); } else if (res == TLS_NO_OCSP) { printf("OCSP responder: No OCSP support in libtls\n"); } if (0) test_context(ctx); tls_close(ctx); tls_free(ctx); tls_config_free(conf); tls_cert_free(cert); return 0; }
int main(int argc, char *argv[], char *envp[]) { struct tls *tls = NULL; int ch; environ = envp; /* pipes to communicate with the front end */ int in = -1; int out = -1; bool no_name_verification = false; bool no_cert_verification = false; bool no_time_verification = false; char *host = getenv("TCPREMOTEHOST"); struct tls_config *tls_config; if (getenv("TLSC_NO_VERIFICATION") != NULL) { no_name_verification = true; no_cert_verification = true; no_time_verification = true; } if (getenv("TLSC_NO_HOST_VERIFICATION") != NULL) no_name_verification = true; if (getenv("TLSC_NO_CERT_VERIFICATION") != NULL) no_cert_verification = true; if (getenv("TLSC_NO_TIME_VERIFICATION") != NULL) no_time_verification = true; if ((tls_config = tls_config_new()) == NULL) err(EXIT_FAILURE, "tls_config_new"); char *str = NULL; if ((str = getenv("TLSC_CERT_FILE")) != NULL) if (tls_config_set_cert_file(tls_config, str) == -1) err(EXIT_FAILURE, "tls_config_set_cert_file"); if ((str = getenv("TLSC_KEY_FILE")) != NULL) if (tls_config_set_key_file(tls_config, str) == -1) err(EXIT_FAILURE, "tls_config_set_key_file"); if ((str = getenv("TLSC_CA_FILE")) != NULL) if (tls_config_set_ca_file(tls_config, str) == -1) err(EXIT_FAILURE, "tls_config_set_ca_file"); if ((str = getenv("TLSC_CA_PATH")) != NULL) if (tls_config_set_ca_path(tls_config, str) == -1) err(EXIT_FAILURE, "tls_config_set_ca_path"); while ((ch = getopt(argc, argv, "c:k:f:p:n:HCTVh")) != -1) { switch (ch) { case 'c': if (tls_config_set_cert_file(tls_config, optarg) == -1) err(EXIT_FAILURE, "tls_config_set_cert_file"); break; case 'k': if (tls_config_set_key_file(tls_config, optarg) == -1) err(EXIT_FAILURE, "tls_config_set_key_file"); break; case 'f': if (tls_config_set_ca_file(tls_config, optarg) == -1) err(EXIT_FAILURE, "tls_config_set_ca_file"); break; case 'p': if (tls_config_set_ca_path(tls_config, optarg) == -1) err(EXIT_FAILURE, "tls_config_set_ca_path"); break; case 'n': if ((host = strdup(optarg)) == NULL) goto err; break; case 'H': no_name_verification = true; break; case 'C': no_cert_verification = true; break; case 'T': no_time_verification = true; break; case 'V': no_name_verification = true; no_cert_verification = true; no_time_verification = true; break; case 'h': default: usage(); /* NOTREACHED */ } } argc -= optind; argv += optind; if (argc < 1) usage(); /* verification settings */ if (no_cert_verification) tls_config_insecure_noverifycert(tls_config); if (no_name_verification) tls_config_insecure_noverifyname(tls_config); if (no_time_verification) tls_config_insecure_noverifytime(tls_config); /* libtls setup */ if (tls_init() != 0) err(EXIT_FAILURE, "tls_init"); if ((tls = tls_client()) == NULL) err(EXIT_FAILURE, "tls_client"); if (tls_configure(tls, tls_config) != 0) err(EXIT_FAILURE, "tls_configure"); if (tls_connect_fds(tls, READ_FD, WRITE_FD, host) == -1) goto err; if (tls_handshake(tls) == -1) goto err; /* overide PROTO to signal the application layer that the communication * channel is save. */ if (setenv("PROTO", "SSL", 1) == -1) err(EXIT_FAILURE, "setenv"); /* fork front end program */ char *prog = argv[0]; # define PIPE_READ 0 # define PIPE_WRITE 1 int pi[2]; /* input pipe */ int po[2]; /* output pipe */ if (pipe(pi) == -1) err(EXIT_FAILURE, "pipe"); if (pipe(po) == -1) err(EXIT_FAILURE, "pipe"); switch (fork()) { case -1: err(EXIT_FAILURE, "fork"); case 0: /* client program */ /* close non-using ends of pipes */ if (close(pi[PIPE_READ]) == -1) err(EXIT_FAILURE, "close"); if (close(po[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close"); /* * We have to move one descriptor cause po[] may * overlaps with descriptor 6 and 7. */ int po_read = 0; if ((po_read = dup(po[PIPE_READ])) == -1) err(EXIT_FAILURE, "dup"); if (close(po[PIPE_READ]) < 0) err(EXIT_FAILURE, "close"); if (dup2(pi[PIPE_WRITE], WRITE_FD) < 0) err(EXIT_FAILURE, "dup2"); if (dup2(po_read, READ_FD) < 0) err(EXIT_FAILURE, "dup2"); if (close(pi[PIPE_WRITE]) < 0) err(EXIT_FAILURE, "close"); if (close(po_read) < 0) err(EXIT_FAILURE, "close"); execvpe(prog, argv, environ); err(EXIT_FAILURE, "execvpe"); default: break; /* parent */ } /* close non-using ends of pipes */ if (close(pi[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close"); if (close(po[PIPE_READ]) == -1) err(EXIT_FAILURE, "close"); in = pi[PIPE_READ]; out = po[PIPE_WRITE]; /* communication loop */ for (;;) { int ret; char buf[BUFSIZ]; ssize_t sn = 0; fd_set readfds; FD_ZERO(&readfds); FD_SET(in, &readfds); FD_SET(READ_FD, &readfds); int max_fd = MAX(in, READ_FD); ret = select(max_fd+1, &readfds, NULL, NULL, NULL); if (ret == -1) err(EXIT_FAILURE, "select"); if (FD_ISSET(READ_FD, &readfds)) { do { again: sn = tls_read(tls, buf, sizeof buf); if (sn == TLS_WANT_POLLIN || sn == TLS_WANT_POLLOUT) goto again; if (sn == -1) goto err; if (sn == 0) return EXIT_SUCCESS; if (write(out, buf, sn) == -1) err(EXIT_FAILURE, "write()"); } while (sn == sizeof buf); } else if (FD_ISSET(in, &readfds)) { if ((sn = read(in, buf, sizeof buf)) == -1) err(EXIT_FAILURE, "read()"); if (sn == 0) goto out; if ((sn = tls_write(tls, buf, sn)) == -1) goto out; } } out: tls_close(tls); return EXIT_SUCCESS; err: errx(EXIT_FAILURE, "tls_error: %s", tls_error(tls)); }
int main(int argc, char *argv[]) { struct tls_config *conf; struct tls *ctx; int res; const char *host; if (argc < 2) errx(1, "give host as arg\n"); host = argv[1]; res = tls_init(); if (res < 0) errx(1, "tls_init"); conf = tls_config_new(); if (!conf) errx(1, "tls_config_new"); tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL); tls_config_set_ciphers(conf, "HIGH:+3DES:!aNULL"); tls_config_set_ca_file(conf, "/etc/ssl/certs/ca-certificates.crt"); ctx = tls_client(); if (!ctx) errx(1, "tls_client"); res = tls_configure(ctx, conf); if (res < 0) errx(1, "tls_configure: %s", tls_error(ctx)); res = tls_connect(ctx, host, "443"); if (res < 0) errx(1, "tls_connect: %s", tls_error(ctx)); res = tls_handshake(ctx); if (res < 0) errx(1, "tls_handshake: %s", tls_error(ctx)); printf("connect ok\n"); #if 0 struct tls_cert *cert; //res = tls_get_peer_cert(ctx, &cert, NULL); //if (res < 0) //errx(1, "tls_get_peer_cert: %s", tls_error(ctx)); printf(" CN='%s'\n", cert->subject.common_name); printf(" C='%s'\n", cert->subject.country_name); printf(" ST='%s'\n", cert->subject.state_or_province_name); printf(" L='%s'\n", cert->subject.locality_name); printf(" S='%s'\n", cert->subject.street_address); printf(" O='%s'\n", cert->subject.organization_name); printf(" OU='%s'\n", cert->subject.organizational_unit_name); tls_cert_free(cert); #endif tls_close(ctx); tls_free(ctx); tls_config_free(conf); return 0; }
static const char *create_worker(struct Worker **w_p, bool is_server, ...) { va_list ap; const char *k, *v; int klen; struct Worker *w; int err; const char *mem = NULL; void *fdata; size_t flen; const char *errmsg = NULL; *w_p = NULL; w = calloc(1, sizeof *w); if (!w) return "calloc"; w->wstate = HANDSHAKE; w->is_server = is_server; w->config = tls_config_new(); if (!w->config) return "tls_config_new failed"; if (is_server) { w->base = tls_server(); if (!w->base) return "tls_server failed"; } else { w->ctx = tls_client(); if (!w->ctx) return "tls_client failed"; } va_start(ap, is_server); while (1) { k = va_arg(ap, char *); if (!k) break; v = strchr(k, '='); if (!v) { errmsg = k; break; } v++; klen = v - k; err = 0; if (!strncmp(k, "mem=", klen)) { mem = v; } else if (!strncmp(k, "ca=", klen)) { if (mem) { fdata = load_file(v, &flen); if (!fdata) { errmsg = strerror(errno); break; } err = tls_config_set_ca_mem(w->config, fdata, flen); free(fdata); } else { err = tls_config_set_ca_file(w->config, v); } } else if (!strncmp(k, "cert=", klen)) { if (mem) { fdata = load_file(v, &flen); if (!fdata) { errmsg = strerror(errno); break; } err = tls_config_set_cert_mem(w->config, fdata, flen); free(fdata); } else { err = tls_config_set_cert_file(w->config, v); } } else if (!strncmp(k, "key=", klen)) { if (mem) { fdata = load_file(v, &flen); if (!fdata) { errmsg = strerror(errno); break; } err = tls_config_set_key_mem(w->config, fdata, flen); free(fdata); } else { err = tls_config_set_key_file(w->config, v); } } else if (!strncmp(k, "show=", klen)) { w->show = v; } else if (!strncmp(k, "ciphers=", klen)) { err = tls_config_set_ciphers(w->config, v); } else if (!strncmp(k, "host=", klen)) { w->hostname = v; } else if (!strncmp(k, "noverifycert=", klen)) { tls_config_insecure_noverifycert(w->config); } else if (!strncmp(k, "noverifyname=", klen)) { tls_config_insecure_noverifyname(w->config); } else if (!strncmp(k, "verify=", klen)) { tls_config_verify(w->config); } else if (!strncmp(k, "dheparams=", klen)) { err = tls_config_set_dheparams(w->config, v); } else if (!strncmp(k, "ecdhecurve=", klen)) { err = tls_config_set_ecdhecurve(w->config, v); } else if (!strncmp(k, "protocols=", klen)) { uint32_t protos; err = tls_config_parse_protocols(&protos, v); tls_config_set_protocols(w->config, protos); } else if (!strncmp(k, "peer-sha1=", klen)) { w->peer_fingerprint_sha1 = v; } else if (!strncmp(k, "peer-sha256=", klen)) { w->peer_fingerprint_sha256 = v; } else if (!strncmp(k, "verify-client=", klen)) { tls_config_verify_client(w->config); } else if (!strncmp(k, "verify-client-optional=", klen)) { tls_config_verify_client_optional(w->config); } else if (!strncmp(k, "aggressive-close=", klen)) { w->aggressive_close = 1; } else { errmsg = k; break; } if (err < 0) { errmsg = k; break; } } va_end(ap); if (errmsg) return errmsg; if (is_server) { if (tls_configure(w->base, w->config) < 0) return tls_error(w->base); } else { if (tls_configure(w->ctx, w->config) < 0) return tls_error(w->ctx); } *w_p = w; return "OK"; }