int main(void) { int ret; int verify_peer = 0; entropy_context ssl_client_entropy; ctr_drbg_context ssl_client_ctr_drbg; ssl_context clientssl; ssl_session sslclientsession; x509_cert ssl_client_cert; rsa_context ssl_client_rsa; struct sockaddr_un serveraddr; char *owner = "ssl_client"; int clientsocketfd; char buffer[1024] = "Client Hello World"; memset(&clientssl, 0, sizeof(ssl_context)); memset(&sslclientsession, 0, sizeof(ssl_session)); memset(&ssl_client_cert, 0, sizeof(x509_cert)); memset(&ssl_client_rsa, 0, sizeof(rsa_context)); entropy_init(&ssl_client_entropy); if((ret = ctr_drbg_init(&ssl_client_ctr_drbg, entropy_func, &ssl_client_entropy, (unsigned char *)owner, strlen(owner))) != 0) { printf("ctr_drbg_init failed returned %d\n", ret); return -1; } if((ret = x509parse_crtfile(&ssl_client_cert, SSL_CLIENT_RSA_CERT)) != 0) { printf("x509parse_crtfile CLIENT CERT returned %d\n", ret); return -1; } if((ret = x509parse_keyfile(&ssl_client_rsa, SSL_CLIENT_RSA_KEY, NULL)) != 0) { if(ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED) { char buffer[100]; int size; polarssl_pem_password_callback(buffer, &size); if((ret = x509parse_keyfile(&ssl_client_rsa, SSL_CLIENT_RSA_KEY, buffer)) != 0) { printf("x509parse_keyfile CLIENT KEY returned %d\n", ret); return -1; } } } if((clientsocketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { printf("Error in socket creation%d\n", clientsocketfd); return -1; } memset(&serveraddr, 0, sizeof(struct sockaddr_un)); serveraddr.sun_family = AF_UNIX; serveraddr.sun_path[0] = 0; strncpy(&(serveraddr.sun_path[1]), SSL_SERVER_ADDR, strlen(SSL_SERVER_ADDR) + 1); if(ret = connect(clientsocketfd, (struct sockaddr *)&serveraddr, sizeof(struct sockaddr_un))) { printf("connect returned error %d\n", ret); return -1; } if(ret = ssl_init(&clientssl)) { printf("ssl_init failed returned %d\n", ret); return -1; } ssl_set_endpoint(&clientssl, SSL_IS_CLIENT); ssl_set_authmode(&clientssl, SSL_VERIFY_NONE); if(verify_peer) ssl_set_authmode(&clientssl, SSL_VERIFY_REQUIRED); ssl_set_rng(&clientssl, ctr_drbg_random, &ssl_client_ctr_drbg); ssl_set_dbg(&clientssl, ssl_client_debug, stdout); ssl_set_bio(&clientssl, net_recv, &clientsocketfd, net_send, &clientsocketfd); ssl_set_ciphersuites(&clientssl, ssl_default_ciphersuites); ssl_set_session(&clientssl, 1, 600, &sslclientsession); ssl_set_own_cert(&clientssl, &ssl_client_cert, &ssl_client_rsa); if(ret = ssl_handshake(&clientssl)) { printf("handshake failed returned %d\n", ret); return -1; } if((ret = ssl_write(&clientssl, buffer, strlen(buffer) + 1)) <= 0) { printf("ssl_write failed returned %d\n", ret); return -1; } if((ret = ssl_read(&clientssl, buffer, sizeof(buffer))) <= 0) { printf("ssl_read failed returned %d\n", ret); return -1; } printf("SSL server send %s\n", buffer); ssl_close_notify(&clientssl); net_close(clientsocketfd); x509_free(&ssl_client_cert); rsa_free(&ssl_client_rsa); ssl_free(&clientssl); return 0; }
/** * @brief SSL client task. * @param pvParameters not used * @retval None */ void ssl_client(void const * argument) { int ret, len, server_fd; unsigned char buf[1024]; ssl_context ssl; x509_cert cacert; memset( &ssl, 0, sizeof( ssl_context ) ); memset( &cacert, 0, sizeof( x509_cert ) ); /* * Initialize certificates */ printf( " . Loading the CA root certificate ..." ); #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); #else ret = 1; printf("POLARSSL_CERTS_C not defined."); #endif if( ret < 0 ) { printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* Start the connection */ do { printf(( "\n\rSSL : Start the connection \n\r")); printf("\n\rConnecting to tcp/%s/ Port:%4d...", SSL_SERVER_NAME, SSL_SERVER_PORT); /* Bint the connection to SSL server port */ ret = net_connect(&server_fd, SSL_SERVER_NAME, SSL_SERVER_PORT); if(ret != 0) { /* Connection to SSL server failed */ printf(" failed \n\r ! net_connect returned %d\n\r", -ret); /* Wait 500 ms until next retry */ vTaskDelay(500); } }while(ret!=0); printf( " ok\n\r" ); /* * 2. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n\r", ret ); goto exit; } printf( " ok\n\r" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" ); ssl_set_rng( &ssl, RandVal , NULL ); ssl_set_dbg( &ssl, my_debug, NULL); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); /* * Handshake */ printf( " . Performing the SSL/TLS handshake..." ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n\r", -ret ); goto exit; } } printf( " ok\n\r" ); /* * Verify the server certificate */ printf( "\n\r . Verifying peer X.509 certificate..." ); if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n\r" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n\r" ); } else printf( " ok\n\r" ); /* * Write the GET request */ printf( " > Write to server:" ); len = sprintf( (char *) buf, GET_REQUEST ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned %d\n\n\r", ret ); goto exit; } } len = ret; printf( " %d bytes written\n\n\r%s", len, (char *) buf ); /* * Read the HTTP response */ printf( " < Read from server:" ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) break; if( ret < 0 ) { printf( "failed\n\r ! ssl_read returned %d\n\n\r", ret ); break; } if( ret == 0 ) { printf( "\n\nEOF\n\n\r" ); break; } len = ret; printf( " %d bytes read\n\n\r%s", len, (char *) buf ); } while( 1 ); exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: %d - %s\n\n\r", ret, error_buf ); } #endif x509_free( &cacert ); net_close( server_fd ); ssl_free( &ssl ); memset( &ssl, 0, sizeof( ssl ) ); #if 0 /* Infinite loop */ for( ;; ) { /* Toggle LED1 */ BSP_LED_Toggle(LED1); /* Insert 400 ms delay */ osDelay(400); } #endif /* Insert 1000 ms delay */ osDelay(1000); }
/********************************************************************************************************* ** 函数名称: __vpnClientConnect ** 功能描述: VPN 客户端链接服务器 ** 输 入 : pvpnctx VPN 上下文 (除了 VPNCTX_iVerifyOpt 有初值, 其他字段必须经过清空) ** cpcCACrtFile CA 证书文件 .pem or .crt ** cpcPrivateCrtFile 私有证书文件 .pem or .crt ** cpcKeyFile 私有密钥文件 .pem or .key ** cpcKeyPassword 私有密钥文件解密密码, 如果密钥文件不存在密码, 则为 NULL ** inaddr SSL 服务器地址 ** usPort SSL 服务器端口 (网络字节序) ** iSSLTimeoutSec 超时时间(单位秒, 推荐: 600) ** 输 出 : ERROR ** 全局变量: ** 调用模块: *********************************************************************************************************/ INT __vpnClientOpen (__PVPN_CONTEXT pvpnctx, CPCHAR cpcCACrtFile, CPCHAR cpcPrivateCrtFile, CPCHAR cpcKeyFile, CPCHAR cpcKeyPassword, struct in_addr inaddr, u16_t usPort, INT iSSLTimeoutSec) { INT i; INT iError = PX_ERROR; struct sockaddr_in sockaddrinRemote; (VOID)iSSLTimeoutSec; /* 新的 PolarSSL 暂未使用 */ if (pvpnctx == LW_NULL) { return (PX_ERROR); } pvpnctx->VPNCTX_iMode = __VPN_SSL_CLIENT; /* 设置为 client 模式 */ pvpnctx->VPNCTX_iSocket = PX_ERROR; /* 没有创建 socket */ havege_init(&pvpnctx->VPNCTX_haveagestat); /* 初始化随机数 */ if (pvpnctx->VPNCTX_iVerifyOpt != SSL_VERIFY_NONE) { /* 需要认证证书 */ /* * 安装 CA 证书和客户端证书 */ iError = x509parse_crtfile(&pvpnctx->VPNCTX_x509certCA, cpcCACrtFile); if (iError != ERROR_NONE) { _DebugHandle(__ERRORMESSAGE_LEVEL, "CA root certificate error.\r\n"); return (PX_ERROR); } iError = x509parse_crtfile(&pvpnctx->VPNCTX_x509certPrivate, cpcPrivateCrtFile); if (iError != ERROR_NONE) { _DebugHandle(__ERRORMESSAGE_LEVEL, "client certificate error.\r\n"); goto __error_handle; } /* * 安装 RSA 私有密钥 */ if (cpcKeyFile) { iError = x509parse_keyfile(&pvpnctx->VPNCTX_rasctx, cpcKeyFile, cpcKeyPassword); } else { iError = x509parse_keyfile(&pvpnctx->VPNCTX_rasctx, cpcPrivateCrtFile, cpcKeyPassword); } if (iError != ERROR_NONE) { _DebugHandle(__ERRORMESSAGE_LEVEL, "key file error.\r\n"); goto __error_handle; } } /* * 链接 SSL 服务器 */ pvpnctx->VPNCTX_iSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (pvpnctx->VPNCTX_iSocket < 0) { _DebugHandle(__ERRORMESSAGE_LEVEL, "can not create socket.\r\n"); goto __error_handle; } lib_bzero(&sockaddrinRemote, sizeof(sockaddrinRemote)); sockaddrinRemote.sin_len = sizeof(struct sockaddr_in); sockaddrinRemote.sin_family = AF_INET; sockaddrinRemote.sin_addr = inaddr; sockaddrinRemote.sin_port = usPort; if(connect(pvpnctx->VPNCTX_iSocket, (struct sockaddr *)&sockaddrinRemote, sizeof(struct sockaddr_in)) < 0) { _DebugHandle(__ERRORMESSAGE_LEVEL, "can not connect server.\r\n"); goto __error_handle; } havege_init(&pvpnctx->VPNCTX_haveagestat); /* 初始化随机数 */ /* * 初始化 SSL/STL */ if (ssl_init(&pvpnctx->VPNCTX_sslctx) != ERROR_NONE) { _DebugHandle(__ERRORMESSAGE_LEVEL, "can not init ssl context.\r\n"); goto __error_handle; } ssl_set_endpoint(&pvpnctx->VPNCTX_sslctx, SSL_IS_CLIENT); ssl_set_authmode(&pvpnctx->VPNCTX_sslctx, pvpnctx->VPNCTX_iVerifyOpt); ssl_set_rng(&pvpnctx->VPNCTX_sslctx, havege_random, &pvpnctx->VPNCTX_haveagestat); ssl_set_dbg(&pvpnctx->VPNCTX_sslctx, LW_NULL, stdout); /* 不需要 DEBUG 信息 */ ssl_set_bio(&pvpnctx->VPNCTX_sslctx, net_recv, &pvpnctx->VPNCTX_iSocket, net_send, &pvpnctx->VPNCTX_iSocket); ssl_set_ciphersuites(&pvpnctx->VPNCTX_sslctx, ssl_default_ciphersuites); ssl_set_session(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_sslsn); ssl_set_ca_chain(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_x509certCA, LW_NULL, LW_NULL); ssl_set_own_cert(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_x509certPrivate, &pvpnctx->VPNCTX_rasctx); ssl_set_hostname(&pvpnctx->VPNCTX_sslctx, LW_NULL); /* 不设置服务器名 */ for (i = 0; i < __VPN_SSL_HANDSHAKE_MAX_TIME; i++) { iError = ssl_handshake(&pvpnctx->VPNCTX_sslctx); /* 握手 */ if (iError == ERROR_NONE) { break; } else if ((iError != POLARSSL_ERR_NET_WANT_READ) && (iError != POLARSSL_ERR_NET_WANT_WRITE)) { _DebugHandle(__ERRORMESSAGE_LEVEL, "can not handshake.\r\n"); goto __error_handle; } } if (i >= __VPN_SSL_HANDSHAKE_MAX_TIME) { goto __error_handle; } return (ERROR_NONE); __error_handle: if (pvpnctx->VPNCTX_iSocket >= 0) { net_close(pvpnctx->VPNCTX_iSocket); } x509_free(&pvpnctx->VPNCTX_x509certPrivate); x509_free(&pvpnctx->VPNCTX_x509certCA); rsa_free(&pvpnctx->VPNCTX_rasctx); ssl_free(&pvpnctx->VPNCTX_sslctx); return (PX_ERROR); }
/** * Construct a new x509 object. * @return 0 if ok. < 0 if there was a problem. */ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx) { int begin_tbs, end_tbs; int ret = X509_NOT_OK, offset = 0, cert_size = 0; X509_CTX *x509_ctx; BI_CTX *bi_ctx; *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX)); x509_ctx = *ctx; /* get the certificate size */ asn1_skip_obj(cert, &cert_size, ASN1_SEQUENCE); if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) goto end_cert; begin_tbs = offset; /* start of the tbs */ end_tbs = begin_tbs; /* work out the end of the tbs */ asn1_skip_obj(cert, &end_tbs, ASN1_SEQUENCE); if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) goto end_cert; if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */ { if (asn1_version(cert, &offset, x509_ctx)) goto end_cert; } if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */ asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) goto end_cert; /* make sure the signature is ok */ if (asn1_signature_type(cert, &offset, x509_ctx)) { ret = X509_VFY_ERROR_UNSUPPORTED_DIGEST; goto end_cert; } if (asn1_name(cert, &offset, x509_ctx->ca_cert_dn) || asn1_validity(cert, &offset, x509_ctx) || asn1_name(cert, &offset, x509_ctx->cert_dn) || asn1_public_key(cert, &offset, x509_ctx)) { goto end_cert; } bi_ctx = x509_ctx->rsa_ctx->bi_ctx; #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */ /* use the appropriate signature algorithm (SHA1/MD5/MD2) */ if (x509_ctx->sig_type == SIG_TYPE_MD5) { MD5_CTX md5_ctx; uint8_t md5_dgst[MD5_SIZE]; MD5_Init(&md5_ctx); MD5_Update(&md5_ctx, &cert[begin_tbs], end_tbs-begin_tbs); MD5_Final(md5_dgst, &md5_ctx); x509_ctx->digest = bi_import(bi_ctx, md5_dgst, MD5_SIZE); } else if (x509_ctx->sig_type == SIG_TYPE_SHA1) { SHA1_CTX sha_ctx; uint8_t sha_dgst[SHA1_SIZE]; SHA1_Init(&sha_ctx); SHA1_Update(&sha_ctx, &cert[begin_tbs], end_tbs-begin_tbs); SHA1_Final(sha_dgst, &sha_ctx); x509_ctx->digest = bi_import(bi_ctx, sha_dgst, SHA1_SIZE); } else if (x509_ctx->sig_type == SIG_TYPE_MD2) { MD2_CTX md2_ctx; uint8_t md2_dgst[MD2_SIZE]; MD2_Init(&md2_ctx); MD2_Update(&md2_ctx, &cert[begin_tbs], end_tbs-begin_tbs); MD2_Final(md2_dgst, &md2_ctx); x509_ctx->digest = bi_import(bi_ctx, md2_dgst, MD2_SIZE); } if (cert[offset] == ASN1_V3_DATA) { int suboffset; ++offset; get_asn1_length(cert, &offset); if ((suboffset = asn1_find_subjectaltname(cert, offset)) > 0) { if (asn1_next_obj(cert, &suboffset, ASN1_OCTET_STRING) > 0) { int altlen; if ((altlen = asn1_next_obj(cert, &suboffset, ASN1_SEQUENCE)) > 0) { int endalt = suboffset + altlen; int totalnames = 0; while (suboffset < endalt) { int type = cert[suboffset++]; int dnslen = get_asn1_length(cert, &suboffset); if (type == ASN1_CONTEXT_DNSNAME) { x509_ctx->subject_alt_dnsnames = (char**) realloc(x509_ctx->subject_alt_dnsnames, (totalnames + 2) * sizeof(char*)); x509_ctx->subject_alt_dnsnames[totalnames] = (char*)malloc(dnslen + 1); x509_ctx->subject_alt_dnsnames[totalnames+1] = NULL; memcpy(x509_ctx->subject_alt_dnsnames[totalnames], cert + suboffset, dnslen); x509_ctx->subject_alt_dnsnames[ totalnames][dnslen] = 0; ++totalnames; } suboffset += dnslen; } } } } } offset = end_tbs; /* skip the rest of v3 data */ if (asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) || asn1_signature(cert, &offset, x509_ctx)) goto end_cert; #endif ret = X509_OK; end_cert: if (len) { *len = cert_size; } if (ret) { #ifdef CONFIG_SSL_FULL_MODE printf("Error: Invalid X509 ASN.1 file (%s)\n", x509_display_error(ret)); #endif x509_free(x509_ctx); *ctx = NULL; } return ret; }
int main(void) { int ret, len; int listen_fd; int client_fd; uchar buf[1024]; havege_state hs; ssl_context ssl; ssl_session ssn; x509_cert srvcert; rsa_context rsa; /* * 1. Load the certificates and private RSA key */ printf("\n . Loading the server cert. and key..."); fflush(stdout); memset(&srvcert, 0, sizeof(x509_cert)); /* * This demonstration program uses embedded test certificates. * Instead, you may want to use x509parse_crtfile() to read the * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt(&srvcert, (uchar *)test_srv_crt, strlen(test_srv_crt)); if (ret != 0) { printf(" failed\n ! x509parse_crt returned %d\n\n", ret); goto exit; } ret = x509parse_crt(&srvcert, (uchar *)test_ca_crt, strlen(test_ca_crt)); if (ret != 0) { printf(" failed\n ! x509parse_crt returned %d\n\n", ret); goto exit; } ret = x509parse_key(&rsa, (uchar *)test_srv_key, strlen(test_srv_key), NULL, 0); if (ret != 0) { printf(" failed\n ! x509parse_key returned %d\n\n", ret); goto exit; } printf(" ok\n"); /* * 2. Setup the listening TCP socket */ printf(" . Bind on https://localhost:4433/ ..."); fflush(stdout); if ((ret = net_bind(&listen_fd, NULL, 4433)) != 0) { printf(" failed\n ! net_bind returned %d\n\n", ret); goto exit; } printf(" ok\n"); /* * 3. Wait until a client connects */ #ifdef WIN32 ShellExecute(NULL, "open", "https://localhost:4433/", NULL, NULL, SW_SHOWNORMAL); #endif client_fd = -1; memset(&ssl, 0, sizeof(ssl)); accept: net_close(client_fd); ssl_free(&ssl); printf(" . Waiting for a remote connection ..."); fflush(stdout); if ((ret = net_accept(listen_fd, &client_fd, NULL)) != 0) { printf(" failed\n ! net_accept returned %d\n\n", ret); goto exit; } printf(" ok\n"); /* * 4. Setup stuff */ printf(" . Setting up the RNG and SSL data...."); fflush(stdout); havege_init(&hs); if ((ret = ssl_init(&ssl)) != 0) { printf(" failed\n ! ssl_init returned %d\n\n", ret); goto accept; } printf(" ok\n"); ssl_set_endpoint(&ssl, SSL_IS_SERVER); ssl_set_authmode(&ssl, SSL_VERIFY_NONE); ssl_set_rng(&ssl, havege_rand, &hs); ssl_set_dbg(&ssl, my_debug, stdout); ssl_set_bio(&ssl, net_recv, &client_fd, net_send, &client_fd); ssl_set_scb(&ssl, my_get_session, my_set_session); ssl_set_ciphers(&ssl, my_ciphers); ssl_set_session(&ssl, 1, 0, &ssn); memset(&ssn, 0, sizeof(ssl_session)); ssl_set_ca_chain(&ssl, srvcert.next, NULL); ssl_set_own_cert(&ssl, &srvcert, &rsa); ssl_set_dh_param(&ssl, my_dhm_P, my_dhm_G); /* * 5. Handshake */ printf(" . Performing the SSL/TLS handshake..."); fflush(stdout); while ((ret = ssl_handshake(&ssl)) != 0) { if (ret != TROPICSSL_ERR_NET_TRY_AGAIN) { printf(" failed\n ! ssl_handshake returned %d\n\n", ret); goto accept; } } printf(" ok\n"); /* * 6. Read the HTTP Request */ printf(" < Read from client:"); fflush(stdout); do { len = sizeof(buf) - 1; memset(buf, 0, sizeof(buf)); ret = ssl_read(&ssl, buf, len); if (ret == TROPICSSL_ERR_NET_TRY_AGAIN) continue; if (ret <= 0) { switch (ret) { case TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf(" connection was closed gracefully\n"); break; case TROPICSSL_ERR_NET_CONN_RESET: printf(" connection was reset by peer\n"); break; default: printf(" ssl_read returned %d\n", ret); break; } break; } len = ret; printf(" %d bytes read\n\n%s", len, (char *)buf); } while (0); /* * 7. Write the 200 Response */ printf(" > Write to client:"); fflush(stdout); len = sprintf((char *)buf, HTTP_RESPONSE, ssl_get_cipher(&ssl)); while ((ret = ssl_write(&ssl, buf, len)) <= 0) { if (ret == TROPICSSL_ERR_NET_CONN_RESET) { printf(" failed\n ! peer closed the connection\n\n"); goto accept; } if (ret != TROPICSSL_ERR_NET_TRY_AGAIN) { printf(" failed\n ! ssl_write returned %d\n\n", ret); goto exit; } } len = ret; printf(" %d bytes written\n\n%s\n", len, (char *)buf); ssl_close_notify(&ssl); goto accept; exit: net_close(client_fd); x509_free(&srvcert); rsa_free(&rsa); ssl_free(&ssl); cur = s_list_1st; while (cur != NULL) { prv = cur; cur = cur->next; memset(prv, 0, sizeof(ssl_session)); free(prv); } memset(&ssl, 0, sizeof(ssl_context)); #ifdef WIN32 printf(" Press Enter to exit this program.\n"); fflush(stdout); getchar(); #endif return (ret); }
int main( int argc, char *argv[] ) { int ret, len; int listen_fd; int client_fd = -1; unsigned char buf[1024]; const char *pers = "ssl_server"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_cert srvcert; rsa_context rsa; #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; #endif ((void) argc); ((void) argv); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_init( &cache ); #endif /* * 1. Load the certificates and private RSA key */ printf( "\n . Loading the server cert. and key..." ); fflush( stdout ); memset( &srvcert, 0, sizeof( x509_cert ) ); /* * This demonstration program uses embedded test certificates. * Instead, you may want to use x509parse_crtfile() to read the * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt, strlen( test_srv_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key, strlen( test_srv_key ), NULL, 0 ); if( ret != 0 ) { printf( " failed\n ! x509parse_key returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Setup the listening TCP socket */ printf( " . Bind on https://localhost:4433/ ..." ); fflush( stdout ); if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 ) { printf( " failed\n ! net_bind returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 3. Seed the RNG */ printf( " . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n" ); /* * 4. Setup stuff */ printf( " . Setting up the SSL data...." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); #if defined(POLARSSL_SSL_CACHE_C) ssl_set_session_cache( &ssl, ssl_cache_get, &cache, ssl_cache_set, &cache ); #endif ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); ssl_set_own_cert( &ssl, &srvcert, &rsa ); printf( " ok\n" ); reset: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: %d - %s\n\n", ret, error_buf ); } #endif if( client_fd != -1 ) net_close( client_fd ); ssl_session_reset( &ssl ); /* * 3. Wait until a client connects */ #if defined(_WIN32_WCE) { SHELLEXECUTEINFO sei; ZeroMemory( &sei, sizeof( SHELLEXECUTEINFO ) ); sei.cbSize = sizeof( SHELLEXECUTEINFO ); sei.fMask = 0; sei.hwnd = 0; sei.lpVerb = _T( "open" ); sei.lpFile = _T( "https://localhost:4433/" ); sei.lpParameters = NULL; sei.lpDirectory = NULL; sei.nShow = SW_SHOWNORMAL; ShellExecuteEx( &sei ); } #elif defined(_WIN32) ShellExecute( NULL, "open", "https://localhost:4433/", NULL, NULL, SW_SHOWNORMAL ); #endif client_fd = -1; printf( " . Waiting for a remote connection ..." ); fflush( stdout ); if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 ) { printf( " failed\n ! net_accept returned %d\n\n", ret ); goto exit; } ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd ); printf( " ok\n" ); /* * 5. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); goto reset; } } printf( " ok\n" ); /* * 6. Read the HTTP Request */ printf( " < Read from client:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret <= 0 ) { switch( ret ) { case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf( " connection was closed gracefully\n" ); break; case POLARSSL_ERR_NET_CONN_RESET: printf( " connection was reset by peer\n" ); break; default: printf( " ssl_read returned -0x%x\n", -ret ); break; } break; } len = ret; printf( " %d bytes read\n\n%s", len, (char *) buf ); if( ret > 0 ) break; } while( 1 ); /* * 7. Write the 200 Response */ printf( " > Write to client:" ); fflush( stdout ); len = sprintf( (char *) buf, HTTP_RESPONSE, ssl_get_ciphersuite( &ssl ) ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret == POLARSSL_ERR_NET_CONN_RESET ) { printf( " failed\n ! peer closed the connection\n\n" ); goto reset; } if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } } len = ret; printf( " %d bytes written\n\n%s\n", len, (char *) buf ); ret = 0; goto reset; exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: %d - %s\n\n", ret, error_buf ); } #endif net_close( client_fd ); x509_free( &srvcert ); rsa_free( &rsa ); ssl_free( &ssl ); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_free( &cache ); #endif #if defined(_WIN32) printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret = 0, len, server_fd; unsigned char buf[1024]; #if defined(POLARSSL_BASE64_C) unsigned char base[1024]; #endif char hostname[32]; char *pers = "ssl_mail_client"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; ssl_session ssn; x509_cert cacert; x509_cert clicert; rsa_context rsa; int i; size_t j, n; char *p, *q; const int *list; /* * Make sure memory references are valid. */ server_fd = 0; memset( &ssn, 0, sizeof( ssl_session ) ); memset( &ssl, 0, sizeof( ssl_context ) ); memset( &cacert, 0, sizeof( x509_cert ) ); memset( &clicert, 0, sizeof( x509_cert ) ); memset( &rsa, 0, sizeof( rsa_context ) ); if( argc == 0 ) { usage: printf( USAGE ); list = ssl_list_ciphersuites(); while( *list ) { printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); list++; } printf("\n"); goto exit; } opt.server_name = DFL_SERVER_NAME; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.authentication = DFL_AUTHENTICATION; opt.mode = DFL_MODE; opt.user_name = DFL_USER_NAME; opt.user_pwd = DFL_USER_PWD; opt.mail_from = DFL_MAIL_FROM; opt.mail_to = DFL_MAIL_TO; opt.ca_file = DFL_CA_FILE; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; for( i = 1; i < argc; i++ ) { n = strlen( argv[i] ); for( j = 0; j < n; j++ ) { if( argv[i][j] == '=') break; if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' ) argv[i][j] |= 0x20; } p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "server_name" ) == 0 ) opt.server_name = q; else if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "authentication" ) == 0 ) { opt.authentication = atoi( q ); if( opt.authentication < 0 || opt.authentication > 1 ) goto usage; } else if( strcmp( p, "mode" ) == 0 ) { opt.mode = atoi( q ); if( opt.mode < 0 || opt.mode > 1 ) goto usage; } else if( strcmp( p, "user_name" ) == 0 ) opt.user_name = q; else if( strcmp( p, "user_pwd" ) == 0 ) opt.user_pwd = q; else if( strcmp( p, "mail_from" ) == 0 ) opt.mail_from = q; else if( strcmp( p, "mail_to" ) == 0 ) opt.mail_to = q; else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "crt_file" ) == 0 ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = -1; opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); if( opt.force_ciphersuite[0] <= 0 ) goto usage; opt.force_ciphersuite[1] = 0; } else goto usage; } /* * 0. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n" ); /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_file ) ) ret = x509parse_crtfile( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 1.2. Load own certificate and private key * * (can be skipped if client authentication is not required) */ printf( " . Loading the client cert. and key..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) ret = x509parse_crtfile( &clicert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, strlen( test_cli_crt ) ); #else { ret = -1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } #if defined(POLARSSL_FS_IO) if( strlen( opt.key_file ) ) ret = x509parse_keyfile( &rsa, opt.key_file, "" ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_key( &rsa, (unsigned char *) test_cli_key, strlen( test_cli_key ), NULL, 0 ); #else { ret = -1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_key returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Start the connection */ printf( " . Connecting to tcp/%s/%-4d...", opt.server_name, opt.server_port ); fflush( stdout ); if( ( ret = net_connect( &server_fd, opt.server_name, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); if( opt.force_ciphersuite[0] == DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites ); else ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); ssl_set_own_cert( &ssl, &clicert, &rsa ); ssl_set_hostname( &ssl, opt.server_name ); if( opt.mode == MODE_SSL_TLS ) { if( do_handshake( &ssl, &opt ) != 0 ) goto exit; printf( " > Get header from server:" ); fflush( stdout ); ret = write_ssl_and_get_response( &ssl, buf, 0 ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write EHLO to server:" ); fflush( stdout ); gethostname( hostname, 32 ); len = sprintf( (char *) buf, "EHLO %s\n", hostname ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } } else { printf( " > Get header from server:" ); fflush( stdout ); ret = write_and_get_response( server_fd, buf, 0 ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write EHLO to server:" ); fflush( stdout ); gethostname( hostname, 32 ); len = sprintf( (char *) buf, "EHLO %s\n", hostname ); ret = write_and_get_response( server_fd, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write STARTTLS to server:" ); fflush( stdout ); gethostname( hostname, 32 ); len = sprintf( (char *) buf, "STARTTLS\n" ); ret = write_and_get_response( server_fd, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); if( do_handshake( &ssl, &opt ) != 0 ) goto exit; } #if defined(POLARSSL_BASE64_C) if( opt.authentication ) { printf( " > Write AUTH LOGIN to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "AUTH LOGIN\n" ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write username to server: %s", opt.user_name ); fflush( stdout ); n = sizeof( buf ); len = base64_encode( base, &n, (unsigned char *) opt.user_name, strlen( opt.user_name ) ); len = sprintf( (char *) buf, "%s\n", base ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 300 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write password to server: %s", opt.user_pwd ); fflush( stdout ); len = base64_encode( base, &n, (unsigned char *) opt.user_pwd, strlen( opt.user_pwd ) ); len = sprintf( (char *) buf, "%s\n", base ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); } #endif printf( " > Write MAIL FROM to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "MAIL FROM:<%s>\n", opt.mail_from ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write RCPT TO to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "RCPT TO:<%s>\n", opt.mail_to ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write DATA to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "DATA\n" ); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 300 || ret > 399 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); printf( " > Write content to server:" ); fflush( stdout ); len = sprintf( (char *) buf, "From: %s\nSubject: PolarSSL Test mail\n\n" "This is a simple test mail from the " "PolarSSL mail client example.\n" "\n" "Enjoy!", opt.mail_from ); ret = write_ssl_data( &ssl, buf, len ); len = sprintf( (char *) buf, "\r\n.\r\n"); ret = write_ssl_and_get_response( &ssl, buf, len ); if( ret < 200 || ret > 299 ) { printf( " failed\n ! server responded with %d\n\n", ret ); goto exit; } printf(" ok\n" ); ssl_close_notify( &ssl ); exit: if( server_fd ) net_close( server_fd ); x509_free( &clicert ); x509_free( &cacert ); rsa_free( &rsa ); ssl_free( &ssl ); memset( &ssl, 0, sizeof( ssl ) ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
/** * Run SSL handshake and store the resulting time value in the * 'time_map'. * * @param time_map where to store the current time */ static void run_ssl (uint32_t *time_map, int time_is_an_illusion) { entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; proxy_polarssl_ctx proxy_ctx; x509_cert cacert; struct stat statbuf; int ret = 0, server_fd = 0; char *pers = "tlsdate-helper"; memset (&ssl, 0, sizeof(ssl_context)); memset (&cacert, 0, sizeof(x509_cert)); verb("V: Using PolarSSL for SSL\n"); if (ca_racket) { if (-1 == stat (ca_cert_container, &statbuf)) { die("Unable to stat CA certficate container %s\n", ca_cert_container); } else { switch (statbuf.st_mode & S_IFMT) { case S_IFREG: if (0 > x509parse_crtfile(&cacert, ca_cert_container)) fprintf(stderr, "x509parse_crtfile failed\n"); break; case S_IFDIR: if (0 > x509parse_crtpath(&cacert, ca_cert_container)) fprintf(stderr, "x509parse_crtpath failed\n"); break; default: die("Unable to load CA certficate container %s\n", ca_cert_container); } } } entropy_init (&entropy); if (0 != ctr_drbg_init (&ctr_drbg, entropy_func, &entropy, (unsigned char *) pers, strlen(pers))) { die("Failed to initialize CTR_DRBG\n"); } if (0 != ssl_init (&ssl)) { die("SSL initialization failed\n"); } ssl_set_endpoint (&ssl, SSL_IS_CLIENT); ssl_set_rng (&ssl, ctr_drbg_random, &ctr_drbg); ssl_set_ca_chain (&ssl, &cacert, NULL, hostname_to_verify); if (ca_racket) { // You can do SSL_VERIFY_REQUIRED here, but then the check in // inspect_key() never happens as the ssl_handshake() will fail. ssl_set_authmode (&ssl, SSL_VERIFY_OPTIONAL); } if (proxy) { char *scheme; char *proxy_host; char *proxy_port; parse_proxy_uri (proxy, &scheme, &proxy_host, &proxy_port); verb("V: opening socket to proxy %s:%s\n", proxy_host, proxy_port); if (0 != net_connect (&server_fd, proxy_host, atoi(proxy_port))) { die ("SSL connection failed\n"); } proxy_polarssl_init (&proxy_ctx); proxy_polarssl_set_bio (&proxy_ctx, net_recv, &server_fd, net_send, &server_fd); proxy_polarssl_set_host (&proxy_ctx, host); proxy_polarssl_set_port (&proxy_ctx, atoi(port)); proxy_polarssl_set_scheme (&proxy_ctx, scheme); ssl_set_bio (&ssl, proxy_polarssl_recv, &proxy_ctx, proxy_polarssl_send, &proxy_ctx); verb("V: Handle proxy connection\n"); if (0 == proxy_ctx.f_connect (&proxy_ctx)) die("Proxy connection failed\n"); } else { verb("V: opening socket to %s:%s\n", host, port); if (0 != net_connect (&server_fd, host, atoi(port))) { die ("SSL connection failed\n"); } ssl_set_bio (&ssl, net_recv, &server_fd, net_send, &server_fd); } verb("V: starting handshake\n"); if (0 != ssl_do_handshake_part (&ssl)) die("SSL handshake first part failed\n"); uint32_t timestamp = ( (uint32_t) ssl.in_msg[6] << 24 ) | ( (uint32_t) ssl.in_msg[7] << 16 ) | ( (uint32_t) ssl.in_msg[8] << 8 ) | ( (uint32_t) ssl.in_msg[9] ); check_timestamp (timestamp); verb("V: continuing handshake\n"); /* Continue with handshake */ while (0 != (ret = ssl_handshake (&ssl))) { if (POLARSSL_ERR_NET_WANT_READ != ret && POLARSSL_ERR_NET_WANT_WRITE != ret) { die("SSL handshake failed\n"); } } // Verify the peer certificate against the CA certs on the local system if (ca_racket) { inspect_key (&ssl, hostname_to_verify); } else { verb ("V: Certificate verification skipped!\n"); } check_key_length (&ssl); memcpy (time_map, ×tamp, sizeof(uint32_t)); proxy_polarssl_free (&proxy_ctx); ssl_free (&ssl); x509_free (&cacert); }
int main( int argc, char *argv[] ) { int ret = 0, len, server_fd; unsigned char buf[1024]; char *pers = "ssl_client2"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_cert cacert; x509_cert clicert; rsa_context rsa; int i; char *p, *q; const int *list; /* * Make sure memory references are valid. */ server_fd = 0; memset( &ssl, 0, sizeof( ssl_context ) ); memset( &cacert, 0, sizeof( x509_cert ) ); memset( &clicert, 0, sizeof( x509_cert ) ); memset( &rsa, 0, sizeof( rsa_context ) ); if( argc == 0 ) { usage: if( ret == 0 ) ret = 1; printf( USAGE ); list = ssl_list_ciphersuites(); while( *list ) { printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); list++; } printf("\n"); goto exit; } opt.server_name = DFL_SERVER_NAME; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.request_page = DFL_REQUEST_PAGE; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.min_version = DFL_MIN_VERSION; opt.max_version = DFL_MAX_VERSION; opt.auth_mode = DFL_AUTH_MODE; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "server_name" ) == 0 ) opt.server_name = q; else if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "request_page" ) == 0 ) opt.request_page = q; else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) opt.ca_path = q; else if( strcmp( p, "crt_file" ) == 0 ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = -1; opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); if( opt.force_ciphersuite[0] <= 0 ) { ret = 2; goto usage; } opt.force_ciphersuite[1] = 0; } else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED : SSL_RENEGOTIATION_DISABLED; } else if( strcmp( p, "allow_legacy" ) == 0 ) { opt.allow_legacy = atoi( q ); if( opt.allow_legacy < 0 || opt.allow_legacy > 1 ) goto usage; } else if( strcmp( p, "min_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "max_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.max_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "force_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_0; opt.max_version = SSL_MINOR_VERSION_0; } else if( strcmp( q, "tls1" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_1; opt.max_version = SSL_MINOR_VERSION_1; } else if( strcmp( q, "tls1_1" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_2; opt.max_version = SSL_MINOR_VERSION_2; } else if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = SSL_MINOR_VERSION_3; opt.max_version = SSL_MINOR_VERSION_3; } else goto usage; } else if( strcmp( p, "auth_mode" ) == 0 ) { if( strcmp( q, "none" ) == 0 ) opt.auth_mode = SSL_VERIFY_NONE; else if( strcmp( q, "optional" ) == 0 ) opt.auth_mode = SSL_VERIFY_OPTIONAL; else if( strcmp( q, "required" ) == 0 ) opt.auth_mode = SSL_VERIFY_REQUIRED; else goto usage; } else goto usage; } /* * 0. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret ); goto exit; } printf( " ok\n" ); /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_path ) ) ret = x509parse_crtpath( &cacert, opt.ca_path ); else if( strlen( opt.ca_file ) ) ret = x509parse_crtfile( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret < 0 ) { printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* * 1.2. Load own certificate and private key * * (can be skipped if client authentication is not required) */ printf( " . Loading the client cert. and key..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) ret = x509parse_crtfile( &clicert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, strlen( test_cli_crt ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret ); goto exit; } #if defined(POLARSSL_FS_IO) if( strlen( opt.key_file ) ) ret = x509parse_keyfile( &rsa, opt.key_file, "" ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_key( &rsa, (unsigned char *) test_cli_key, strlen( test_cli_key ), NULL, 0 ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_key returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 2. Start the connection */ printf( " . Connecting to tcp/%s/%-4d...", opt.server_name, opt.server_port ); fflush( stdout ); if( ( ret = net_connect( &server_fd, opt.server_name, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); if( opt.debug_level > 0 ) ssl_set_verify( &ssl, my_verify, NULL ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, opt.auth_mode ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); ssl_set_own_cert( &ssl, &clicert, &rsa ); ssl_set_hostname( &ssl, opt.server_name ); if( opt.min_version != -1 ) ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != -1 ) ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); /* * 4. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); goto exit; } } printf( " ok\n [ Ciphersuite is %s ]\n", ssl_get_ciphersuite( &ssl ) ); /* * 5. Verify the server certificate */ printf( " . Verifying peer X.509 certificate..." ); if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); printf( " . Peer certificate information ...\n" ); x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl_get_peer_cert( &ssl ) ); printf( "%s\n", buf ); /* * 6. Write the GET request */ printf( " > Write to server:" ); fflush( stdout ); len = sprintf( (char *) buf, GET_REQUEST, opt.request_page ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned -0x%x\n\n", -ret ); goto exit; } } len = ret; printf( " %d bytes written\n\n%s", len, (char *) buf ); /* * 7. Read the HTTP response */ printf( " < Read from server:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) break; if( ret < 0 ) { printf( "failed\n ! ssl_read returned -0x%x\n\n", -ret ); break; } if( ret == 0 ) { printf("\n\nEOF\n\n"); break; } len = ret; printf( " %d bytes read\n\n%s", len, (char *) buf ); } while( 1 ); ssl_close_notify( &ssl ); exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: -0x%X - %s\n\n", -ret, error_buf ); } #endif if( server_fd ) net_close( server_fd ); x509_free( &clicert ); x509_free( &cacert ); rsa_free( &rsa ); ssl_free( &ssl ); memset( &ssl, 0, sizeof( ssl ) ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret, len, cnt = 0, pid; int listen_fd; int client_fd; unsigned char buf[1024]; const char *pers = "ssl_fork_server"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_cert srvcert; rsa_context rsa; ((void) argc); ((void) argv); signal( SIGCHLD, SIG_IGN ); /* * 0. Initial seeding of the RNG */ printf( "\n . Initial seeding of the random generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned %d\n", ret ); goto exit; } printf( " ok\n" ); /* * 1. Load the certificates and private RSA key */ printf( " . Loading the server cert. and key..." ); fflush( stdout ); memset( &srvcert, 0, sizeof( x509_cert ) ); /* * This demonstration program uses embedded test certificates. * Instead, you may want to use x509parse_crtfile() to read the * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt, strlen( test_srv_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key, strlen( test_srv_key ), NULL, 0 ); if( ret != 0 ) { printf( " failed\n ! x509parse_key returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Setup the listening TCP socket */ printf( " . Bind on https://localhost:4433/ ..." ); fflush( stdout ); if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 ) { printf( " failed\n ! net_bind returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); while( 1 ) { /* * 3. Wait until a client connects */ client_fd = -1; memset( &ssl, 0, sizeof( ssl ) ); printf( " . Waiting for a remote connection ..." ); fflush( stdout ); if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 ) { printf( " failed\n ! net_accept returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 3.5. Forking server thread */ pid = fork(); printf( " . Forking to handle connection ..." ); fflush( stdout ); if( pid < 0 ) { printf(" failed\n ! fork returned %d\n\n", pid ); goto exit; } printf( " ok\n" ); if( pid != 0 ) { if( ( ret = ctr_drbg_reseed( &ctr_drbg, (const unsigned char *) "parent", 6 ) ) != 0 ) { printf( " failed\n ! ctr_drbg_reseed returned %d\n", ret ); goto exit; } close( client_fd ); continue; } close( listen_fd ); /* * 4. Setup stuff */ printf( " . Setting up the SSL data...." ); fflush( stdout ); if( ( ret = ctr_drbg_reseed( &ctr_drbg, (const unsigned char *) "child", 5 ) ) != 0 ) { printf( " failed\n ! ctr_drbg_reseed returned %d\n", ret ); goto exit; } if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd ); ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); ssl_set_own_cert( &ssl, &srvcert, &rsa ); /* * 5. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); goto exit; } } printf( " ok\n" ); /* * 6. Read the HTTP Request */ printf( " < Read from client:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret <= 0 ) { switch( ret ) { case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf( " connection was closed gracefully\n" ); break; case POLARSSL_ERR_NET_CONN_RESET: printf( " connection was reset by peer\n" ); break; default: printf( " ssl_read returned %d\n", ret ); break; } break; } len = ret; printf( " %d bytes read\n\n%s", len, (char *) buf ); } while( 0 ); /* * 7. Write the 200 Response */ printf( " > Write to client:" ); fflush( stdout ); len = sprintf( (char *) buf, HTTP_RESPONSE, ssl_get_ciphersuite( &ssl ) ); while( cnt < 100 ) { while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret == POLARSSL_ERR_NET_CONN_RESET ) { printf( " failed\n ! peer closed the connection\n\n" ); goto exit; } if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } } len = ret; printf( " %d bytes written\n\n%s\n", len, (char *) buf ); m_sleep( 1000 ); } ssl_close_notify( &ssl ); goto exit; } exit: net_close( client_fd ); x509_free( &srvcert ); rsa_free( &rsa ); ssl_free( &ssl ); #if defined(_WIN32) printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret = 0, len; int listen_fd; int client_fd = -1; unsigned char buf[1024]; const char *pers = "ssl_server2"; entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; x509_cert cacert; x509_cert srvcert; rsa_context rsa; #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; #endif int i; char *p, *q; const int *list; /* * Make sure memory references are valid. */ listen_fd = 0; memset( &cacert, 0, sizeof( x509_cert ) ); memset( &srvcert, 0, sizeof( x509_cert ) ); memset( &rsa, 0, sizeof( rsa_context ) ); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_init( &cache ); #endif if( argc == 0 ) { usage: if( ret == 0 ) ret = 1; printf( USAGE ); list = ssl_list_ciphersuites(); while( *list ) { printf(" %s\n", ssl_get_ciphersuite_name( *list ) ); list++; } printf("\n"); goto exit; } opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.min_version = DFL_MIN_VERSION; opt.auth_mode = DFL_AUTH_MODE; for( i = 1; i < argc; i++ ) { p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) opt.ca_path = q; else if( strcmp( p, "crt_file" ) == 0 ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = -1; opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q ); if( opt.force_ciphersuite[0] <= 0 ) { ret = 2; goto usage; } opt.force_ciphersuite[1] = 0; } else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED : SSL_RENEGOTIATION_DISABLED; } else if( strcmp( p, "allow_legacy" ) == 0 ) { opt.allow_legacy = atoi( q ); if( opt.allow_legacy < 0 || opt.allow_legacy > 1 ) goto usage; } else if( strcmp( p, "min_version" ) == 0 ) { if( strcmp( q, "ssl3" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_0; else if( strcmp( q, "tls1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_1; else if( strcmp( q, "tls1_1" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_2; else if( strcmp( q, "tls1_2" ) == 0 ) opt.min_version = SSL_MINOR_VERSION_3; else goto usage; } else if( strcmp( p, "auth_mode" ) == 0 ) { if( strcmp( q, "none" ) == 0 ) opt.auth_mode = SSL_VERIFY_NONE; else if( strcmp( q, "optional" ) == 0 ) opt.auth_mode = SSL_VERIFY_OPTIONAL; else if( strcmp( q, "required" ) == 0 ) opt.auth_mode = SSL_VERIFY_REQUIRED; else goto usage; } else goto usage; } /* * 0. Initialize the RNG and the session data */ printf( "\n . Seeding the random number generator..." ); fflush( stdout ); entropy_init( &entropy ); if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret ); goto exit; } printf( " ok\n" ); /* * 1.1. Load the trusted CA */ printf( " . Loading the CA root certificate ..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_path ) ) ret = x509parse_crtpath( &cacert, opt.ca_path ); else if( strlen( opt.ca_file ) ) ret = x509parse_crtfile( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret < 0 ) { printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret ); goto exit; } printf( " ok (%d skipped)\n", ret ); /* * 1.2. Load own certificate and private key */ printf( " . Loading the server cert. and key..." ); fflush( stdout ); #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) ret = x509parse_crtfile( &srvcert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt, strlen( test_srv_crt ) ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret ); goto exit; } #if defined(POLARSSL_FS_IO) if( strlen( opt.key_file ) ) ret = x509parse_keyfile( &rsa, opt.key_file, "" ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key, strlen( test_srv_key ), NULL, 0 ); #else { ret = 1; printf("POLARSSL_CERTS_C not defined."); } #endif if( ret != 0 ) { printf( " failed\n ! x509parse_key returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 2. Setup the listening TCP socket */ printf( " . Bind on tcp://localhost:%-4d/ ...", opt.server_port ); fflush( stdout ); if( ( ret = net_bind( &listen_fd, NULL, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_bind returned -0x%x\n\n", -ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret ); goto exit; } ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, opt.auth_mode ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); #if defined(POLARSSL_SSL_CACHE_C) ssl_set_session_cache( &ssl, ssl_cache_get, &cache, ssl_cache_set, &cache ); #endif if( opt.force_ciphersuite[0] == DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, my_ciphersuites ); else ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); ssl_set_own_cert( &ssl, &srvcert, &rsa ); #if defined(POLARSSL_DHM_C) /* * Use different group than default DHM group */ ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P, POLARSSL_DHM_RFC5114_MODP_2048_G ); #endif if( opt.min_version != -1 ) ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); printf( " ok\n" ); reset: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: %d - %s\n\n", ret, error_buf ); } #endif if( client_fd != -1 ) net_close( client_fd ); ssl_session_reset( &ssl ); /* * 3. Wait until a client connects */ #if defined(_WIN32_WCE) { SHELLEXECUTEINFO sei; ZeroMemory( &sei, sizeof( SHELLEXECUTEINFO ) ); sei.cbSize = sizeof( SHELLEXECUTEINFO ); sei.fMask = 0; sei.hwnd = 0; sei.lpVerb = _T( "open" ); sei.lpFile = _T( "https://localhost:4433/" ); sei.lpParameters = NULL; sei.lpDirectory = NULL; sei.nShow = SW_SHOWNORMAL; ShellExecuteEx( &sei ); } #elif defined(_WIN32) ShellExecute( NULL, "open", "https://localhost:4433/", NULL, NULL, SW_SHOWNORMAL ); #endif client_fd = -1; printf( " . Waiting for a remote connection ..." ); fflush( stdout ); if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 ) { printf( " failed\n ! net_accept returned -0x%x\n\n", -ret ); goto exit; } ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd ); printf( " ok\n" ); /* * 4. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); goto reset; } } printf( " ok\n [ Ciphersuite is %s ]\n", ssl_get_ciphersuite( &ssl ) ); /* * 5. Verify the server certificate */ printf( " . Verifying peer X.509 certificate..." ); if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); if( !ssl_get_peer_cert( &ssl ) ) printf( " ! no client certificate sent\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! client certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! client certificate has been revoked\n" ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); if( ssl_get_peer_cert( &ssl ) ) { printf( " . Peer certificate information ...\n" ); x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl_get_peer_cert( &ssl ) ); printf( "%s\n", buf ); } /* * 6. Read the HTTP Request */ printf( " < Read from client:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret <= 0 ) { switch( ret ) { case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf( " connection was closed gracefully\n" ); break; case POLARSSL_ERR_NET_CONN_RESET: printf( " connection was reset by peer\n" ); break; default: printf( " ssl_read returned -0x%x\n", -ret ); break; } break; } len = ret; printf( " %d bytes read\n\n%s", len, (char *) buf ); if( ret > 0 ) break; } while( 1 ); /* * 7. Write the 200 Response */ printf( " > Write to client:" ); fflush( stdout ); len = sprintf( (char *) buf, HTTP_RESPONSE, ssl_get_ciphersuite( &ssl ) ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret == POLARSSL_ERR_NET_CONN_RESET ) { printf( " failed\n ! peer closed the connection\n\n" ); goto reset; } if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } } len = ret; printf( " %d bytes written\n\n%s\n", len, (char *) buf ); ret = 0; goto reset; exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: -0x%X - %s\n\n", -ret, error_buf ); } #endif net_close( client_fd ); x509_free( &srvcert ); x509_free( &cacert ); rsa_free( &rsa ); ssl_free( &ssl ); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_free( &cache ); #endif #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( void ) { int ret, len, server_fd; unsigned char buf[1024]; havege_state hs; ssl_context ssl; ssl_session ssn; x509_cert cacert; x509_cert clicert; rsa_context rsa; /* * 0. Initialize the RNG and the session data */ havege_init( &hs ); memset( &ssn, 0, sizeof( ssl_session ) ); /* * 1.1. Load the trusted CA */ printf( "\n . Loading the CA root certificate ..." ); fflush( stdout ); memset( &cacert, 0, sizeof( x509_cert ) ); /* * Alternatively, you may load the CA certificates from a .pem or * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ). */ ret = x509parse_crt( &cacert, (unsigned char *) xyssl_ca_crt, strlen( xyssl_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 1.2. Load own certificate and private key * * (can be skipped if client authentication is not required) */ printf( " . Loading the client cert. and key..." ); fflush( stdout ); memset( &clicert, 0, sizeof( x509_cert ) ); ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, strlen( test_cli_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } ret = x509parse_key( &rsa, (unsigned char *) test_cli_key, strlen( test_cli_key ), NULL, 0 ); if( ret != 0 ) { printf( " failed\n ! x509parse_key returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 2. Start the connection */ printf( " . Connecting to tcp/%s/%-4d...", SERVER_NAME, SERVER_PORT ); fflush( stdout ); if( ( ret = net_connect( &server_fd, SERVER_NAME, SERVER_PORT ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); /* * 3. Setup stuff */ printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); havege_init( &hs ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_rng( &ssl, havege_rand, &hs ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME ); ssl_set_own_cert( &ssl, &clicert, &rsa ); ssl_set_hostname( &ssl, SERVER_NAME ); /* * 4. Handshake */ printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_TRY_AGAIN ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); goto exit; } } printf( " ok\n [ Cipher is %s ]\n", ssl_get_cipher( &ssl ) ); /* * 5. Verify the server certificate */ printf( " . Verifying peer X.509 certificate..." ); if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } else printf( " ok\n" ); printf( " . Peer certificate information ...\n" ); printf( "%s", x509parse_cert_info( " ", ssl.peer_cert ) ); /* * 6. Write the GET request */ printf( " > Write to server:" ); fflush( stdout ); len = sprintf( (char *) buf, GET_REQUEST ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret != POLARSSL_ERR_NET_TRY_AGAIN ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } } len = ret; printf( " %d bytes written\n\n%s", len, (char *) buf ); /* * 7. Read the HTTP response */ printf( " < Read from server:" ); fflush( stdout ); do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == POLARSSL_ERR_NET_TRY_AGAIN ) continue; if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) break; if( ret <= 0 ) { printf( "failed\n ! ssl_read returned %d\n\n", ret ); break; } len = ret; printf( " %d bytes read\n\n%s", len, (char *) buf ); } while( 0 ); ssl_close_notify( &ssl ); exit: net_close( server_fd ); x509_free( &clicert ); x509_free( &cacert ); rsa_free( &rsa ); ssl_free( &ssl ); memset( &ssl, 0, sizeof( ssl ) ); #ifdef WIN32 printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
int main( int argc, char *argv[] ) { int ret, len, server_fd; unsigned char buf[2]; havege_state hs; ssl_context ssl; ssl_session ssn; x509_cert cacert; x509_cert clicert; rsa_context rsa; char *SERVER_NAME = argv[1]; char GET_REQUEST[128]; sprintf( GET_REQUEST, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2], argv[1] ); /* * 0. Initialize the RNG and the session data */ havege_init( &hs ); memset( &ssn, 0, sizeof( ssl_session ) ); memset( &cacert, 0, sizeof( x509_cert ) ); /* * Alternatively, you may load the CA certificates from a .pem or * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ). */ ret = x509parse_crt( &cacert, ( unsigned char * )xyssl_ca_crt, strlen( xyssl_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } /* * 1.2. Load own certificate and private key * * (can be skipped if client authentication is not required) */ memset( &clicert, 0, sizeof( x509_cert ) ); ret = x509parse_crt( &clicert, ( unsigned char * )test_cli_crt, strlen( test_cli_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } ret = x509parse_key( &rsa, ( unsigned char * )test_cli_key, strlen( test_cli_key ), NULL, 0 ); if( ret != 0 ) { printf( " failed\n ! x509parse_key returned %d\n\n", ret ); goto exit; } if( ( ret = net_connect( &server_fd, SERVER_NAME, SERVER_PORT ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } havege_init( &hs ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_rng( &ssl, havege_rand, &hs ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME ); ssl_set_own_cert( &ssl, &clicert, &rsa ); ssl_set_hostname( &ssl, SERVER_NAME ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != XYSSL_ERR_NET_TRY_AGAIN ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); goto exit; } } if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( "certificate check failed\n" ); if( ( ret & BADCERT_EXPIRED ) != 0 ) printf( " ! server certificate has expired\n" ); if( ( ret & BADCERT_REVOKED ) != 0 ) printf( " ! server certificate has been revoked\n" ); if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME ); if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) printf( " ! self-signed or not signed by a trusted CA\n" ); printf( "\n" ); } len = sprintf( ( char * )buf, GET_REQUEST ); while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret != XYSSL_ERR_NET_TRY_AGAIN ) { printf( " failed\n ! ssl_write returned %d\n\n", ret ); goto exit; } } len = ret; /* * 7. Read the HTTP response */ fflush( stdout ); FILE *out = fopen( argv[3], "wb" ); int found = 0; int offset = 0; do { offset = 0; len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = ssl_read( &ssl, buf, len ); if( ret == XYSSL_ERR_NET_TRY_AGAIN ) continue; if( ret == XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY ) break; if( ret <= 0 ) { printf( "failed\n ! ssl_read returned %d\n\n", ret ); break; } if( found < 4 ) { if( found == 0 || found == 2 ) if( buf[0] == '\r' ) { found++; continue; } else found = 0; if( found == 1 || found == 3 ) if( buf[0] == '\n' ) { found++; continue; } else found = 0; } else putc( buf[0], out ); len = ret; } while( 1 ); ssl_close_notify( &ssl ); exit: fclose( out ); net_close( server_fd ); x509_free( &clicert ); x509_free( &cacert ); rsa_free( &rsa ); ssl_free( &ssl ); memset( &ssl, 0, sizeof( ssl ) ); return ( ret ); }
void bctbx_x509_certificate_free(bctbx_x509_certificate_t *cert) { x509_free((x509_cert *)cert); bctbx_free(cert); }
int main( int argc, char *argv[] ) { int ret = 0, server_fd; unsigned char buf[1024]; havege_state hs; ssl_context ssl; ssl_session ssn; x509_cert clicert; rsa_context rsa; int i, j, n; char *p, *q; if( argc == 0 ) { usage: printf( USAGE ); goto exit; } opt.mode = DFL_MODE; opt.filename = DFL_FILENAME; opt.server_name = DFL_SERVER_NAME; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; for( i = 1; i < argc; i++ ) { n = strlen( argv[i] ); for( j = 0; j < n; j++ ) { if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' ) argv[i][j] |= 0x20; } p = argv[i]; if( ( q = strchr( p, '=' ) ) == NULL ) goto usage; *q++ = '\0'; if( strcmp( p, "mode" ) == 0 ) { if( strcmp( q, "file" ) == 0 ) opt.mode = MODE_FILE; else if( strcmp( q, "ssl" ) == 0 ) opt.mode = MODE_SSL; else goto usage; } else if( strcmp( p, "filename" ) == 0 ) opt.filename = q; else if( strcmp( p, "server_name" ) == 0 ) opt.server_name = q; else if( strcmp( p, "server_port" ) == 0 ) { opt.server_port = atoi( q ); if( opt.server_port < 1 || opt.server_port > 65535 ) goto usage; } else if( strcmp( p, "debug_level" ) == 0 ) { opt.debug_level = atoi( q ); if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } else goto usage; } if( opt.mode == MODE_FILE ) { x509_cert crt; memset( &crt, 0, sizeof( x509_cert ) ); /* * 1.1. Load the certificate */ printf( "\n . Loading the certificate ..." ); fflush( stdout ); ret = x509parse_crtfile( &crt, opt.filename ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); x509_free( &crt ); goto exit; } printf( " ok\n" ); /* * 1.2 Print the certificate */ printf( " . Peer certificate information ...\n" ); ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", &crt ); if( ret == -1 ) { printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret ); x509_free( &crt ); goto exit; } printf( "%s\n", buf ); x509_free( &crt ); } else if( opt.mode == MODE_SSL ) { /* * 1. Initialize the RNG and the session data */ havege_init( &hs ); memset( &ssn, 0, sizeof( ssl_session ) ); /* * 2. Start the connection */ printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name, opt.server_port ); fflush( stdout ); if( ( ret = net_connect( &server_fd, opt.server_name, opt.server_port ) ) != 0 ) { printf( " failed\n ! net_connect returned %d\n\n", ret ); goto exit; } /* * 3. Setup stuff */ if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto exit; } ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_rng( &ssl, havege_rand, &hs ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_own_cert( &ssl, &clicert, &rsa ); ssl_set_hostname( &ssl, opt.server_name ); /* * 4. Handshake */ while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_TRY_AGAIN ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); goto exit; } } printf( " ok\n" ); /* * 5. Print the certificate */ printf( " . Peer certificate information ...\n" ); ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert ); if( ret == -1 ) { printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret ); goto exit; } printf( "%s\n", buf ); ssl_close_notify( &ssl ); } else goto usage; exit: net_close( server_fd ); x509_free( &clicert ); rsa_free( &rsa ); ssl_free( &ssl ); memset( &ssl, 0, sizeof( ssl ) ); #ifdef WIN32 printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif return( ret ); }
/****************************************************************************** * FunctionName : upgrade_task * Description : task to connect with target server and get firmware data * Parameters : pvParameters--save the server address\port\request frame for * : the upgrade server\call back functions to tell the userapp * : the result of this upgrade task * Returns : none *******************************************************************************/ void upgrade_ssl_task(void *pvParameters) { int recbytes; int sta_socket; int retry_count = 0; struct ip_info ipconfig; struct upgrade_server_info *server = pvParameters; flash_erased=FALSE; precv_buf = (char*)malloc(UPGRADE_DATA_SEG_LEN);//the max data length while (retry_count++ < UPGRADE_RETRY_TIMES) { wifi_get_ip_info(STATION_IF, &ipconfig); /* check the ip address or net connection state*/ while (ipconfig.ip.addr == 0) { vTaskDelay(1000 / portTICK_RATE_MS); wifi_get_ip_info(STATION_IF, &ipconfig); } sta_socket = socket(PF_INET,SOCK_STREAM,0); if (-1 == sta_socket) { close(sta_socket); vTaskDelay(1000 / portTICK_RATE_MS); os_printf("socket fail !\r\n"); continue; } /*for upgrade connection debug*/ //server->sockaddrin.sin_addr.s_addr= inet_addr("192.168.1.170"); if(0 != connect(sta_socket,(struct sockaddr *)(&server->sockaddrin),sizeof(struct sockaddr))) { close(sta_socket); vTaskDelay(1000 / portTICK_RATE_MS); os_printf("connect fail!\r\n"); continue; } uint32_t options = SSL_DISPLAY_CERTS | SSL_NO_DEFAULT_KEY; int i=0; int quiet = 0; int cert_index = 0, ca_cert_index = 0; int cert_size, ca_cert_size; char **ca_cert, **cert; SSL *ssl; SSL_CTX *ssl_ctx; uint8_t *read_buf = NULL; cert_size = ssl_get_config(SSL_MAX_CERT_CFG_OFFSET); ca_cert_size = ssl_get_config(SSL_MAX_CA_CERT_CFG_OFFSET); ca_cert = (char **)calloc(1, sizeof(char *)*ca_cert_size); cert = (char **)calloc(1, sizeof(char *)*cert_size); if ((ssl_ctx= ssl_ctx_new(options, SSL_DEFAULT_CLNT_SESS)) == NULL) { printf("Error: Client context is invalid\n"); close(sta_socket); continue; } ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CACERT, default_certificate, default_certificate_len, NULL); for (i = 0; i < cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, cert[i], NULL)){ printf("Certificate '%s' is undefined.\n", cert[i]); } } for (i = 0; i < ca_cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, ca_cert[i], NULL)){ printf("Certificate '%s' is undefined.\n", ca_cert[i]); } } free(cert); free(ca_cert); ssl= ssl_client_new(ssl_ctx, sta_socket, NULL, 0); if (ssl == NULL){ ssl_ctx_free(ssl_ctx); close(sta_socket); continue; } if(ssl_handshake_status(ssl) != SSL_OK){ printf("client handshake fail.\n"); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); continue; } //handshake sucesses,show cert and free x509_ctx here if (!quiet) { const char *common_name = ssl_get_cert_dn(ssl,SSL_X509_CERT_COMMON_NAME); if (common_name) { printf("Common Name:\t\t\t%s\n", common_name); } display_session_id(ssl); display_cipher(ssl); quiet = true; x509_free(ssl->x509_ctx); ssl->x509_ctx=NULL; } system_upgrade_init(); system_upgrade_flag_set(UPGRADE_FLAG_START); if(ssl_write(ssl, server->url, strlen(server->url)+1) < 0) { ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); vTaskDelay(1000 / portTICK_RATE_MS); os_printf("send fail\n"); continue; } os_printf("Request send success\n"); while((recbytes = ssl_read(ssl, &read_buf)) >= 0) { if(recbytes == 0){ vTaskDelay(500 / portTICK_RATE_MS); continue; } if(recbytes > UPGRADE_DATA_SEG_LEN) { ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); vTaskDelay(2000 / portTICK_RATE_MS); printf("bigger than UPGRADE_DATA_SEG_LEN\n"); } if((recbytes)<=1460) memcpy(precv_buf,read_buf,recbytes); else os_printf("ERR2:arr_overflow,%u,%d\n",__LINE__,recbytes); if(FALSE==flash_erased){ ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); os_printf("pre erase flash!\n"); upgrade_data_load(precv_buf,recbytes); break; } if(false == upgrade_data_load(read_buf,recbytes)) { os_printf("upgrade data error!\n"); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); flash_erased=FALSE; vTaskDelay(1000 / portTICK_RATE_MS); break; } /*this two length data should be equal, if totallength is bigger, *maybe data wrong or server send extra info, drop it anyway*/ if(totallength >= sumlength) { os_printf("upgrade data load finish.\n"); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); goto finish; } os_printf("upgrade_task %d word left\n",uxTaskGetStackHighWaterMark(NULL)); } if(recbytes < 0) { os_printf("ERROR:read data fail! recbytes %d\r\n",recbytes); ssl_free(ssl); ssl_ctx_free(ssl_ctx); close(sta_socket); flash_erased=FALSE; vTaskDelay(1000 / portTICK_RATE_MS); } os_printf("upgrade_task %d word left\n",uxTaskGetStackHighWaterMark(NULL)); totallength =0; sumlength = 0; } finish: if(upgrade_crc_check(system_get_fw_start_sec(),sumlength) != 0) { printf("upgrade crc check failed !\n"); server->upgrade_flag = false; system_upgrade_flag_set(UPGRADE_FLAG_IDLE); } os_timer_disarm(&upgrade_timer); totallength = 0; sumlength = 0; flash_erased=FALSE; free(precv_buf); if(retry_count == UPGRADE_RETRY_TIMES){ /*retry too many times, fail*/ server->upgrade_flag = false; system_upgrade_flag_set(UPGRADE_FLAG_IDLE); }else{ server->upgrade_flag = true; system_upgrade_flag_set(UPGRADE_FLAG_FINISH); } upgrade_deinit(); os_printf("\n Exit upgrade task.\n"); if (server->check_cb != NULL) { server->check_cb(server); } vTaskDelay(100 / portTICK_RATE_MS); vTaskDelete(NULL); }
/** * @brief SSL Server task. * @param pvParameters not used * @retval None */ void ssl_server(void const * argument) { int ret, len; int listen_fd; int client_fd = -1; unsigned char buf[1524]; ssl_context ssl; x509_cert srvcert; rsa_context rsa; #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_context cache; ssl_cache_init( &cache ); #endif /* * Load the certificates and private RSA key */ printf( "\n . Loading the server cert. and key..." ); memset( &srvcert, 0, sizeof( x509_cert ) ); /* * This demonstration program uses embedded test certificates. * Instead, you may want to use x509parse_crtfile() to read the * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt, strlen( test_srv_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt, strlen( test_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); goto exit; } rsa_init( &rsa, RSA_PKCS_V15, 0 ); ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key, strlen( test_srv_key ), NULL, 0 ); if( ret != 0 ) { printf( " failed\n ! x509parse_key returned %d\n\n", ret ); goto exit; } printf( " ok\n\r" ); /* * Setup the listening TCP socket */ printf( " . Bind on https://localhost:443/ ..." ); if( ( ret = net_bind( &listen_fd, NULL, 443) ) != 0 ) { printf( " failed\n ! net_bind returned %d\n\n", ret ); goto exit; } printf( " ok\n\r" ); /* * Setup stuff */ printf( " . Setting up the SSL data...." ); if( ( ret = ssl_init( &ssl ) ) != 0 ) { printf( " failed\n ! ssl_init returned %d\n\n", ret ); goto reset; } ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_rng( &ssl, RandVal , NULL ); ssl_set_dbg( &ssl, my_debug, stdout ); #if defined(POLARSSL_SSL_CACHE_C) ssl_set_session_cache( &ssl, ssl_cache_get, &cache, ssl_cache_set, &cache ); #endif ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); ssl_set_own_cert( &ssl, &srvcert, &rsa ); ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd ); printf( " ok\n\r" ); for(;;) { /* * Wait until a client connects */ client_fd = -1; printf( " . Waiting for a remote connection ..." ); if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 ) { printf( " failed\n ! net_accept returned %d\n\n", ret ); goto exit; } printf( " ok\n\r" ); /* * Handshake */ printf( " . Performing the SSL/TLS handshake..." ); while( ( ret = ssl_handshake( &ssl ) ) != 0 ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); goto reset; } } printf( " ok\n\r" ); /* * Read the HTTP Request */ printf( " < Read from client:" ); memset( buf, 0, sizeof( buf ) ); len = 0; do { ret = ssl_read( &ssl, buf + len, 1523 - len); if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE ) continue; if( ret <= 0 ) { switch( ret ) { case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY: printf( " connection was closed gracefully\n" ); break; case POLARSSL_ERR_NET_CONN_RESET: printf( " connection was reset by peer\n" ); break; default: printf( " ssl_read returned -0x%x\n", -ret ); break; } break; } len += ret; if( ret > 1 ) break; } while( 1 ); printf( " %d bytes read\n\r", len); /* * Write the 200 Response */ printf( " > Write to client: " ); /* Send the dynamic html page */ ssl_DynPage(&ssl); goto reset; exit: #ifdef POLARSSL_ERROR_C if( ret != 0 ) { char error_buf[100]; error_strerror( ret, error_buf, 100 ); printf("Last error was: %d - %s\n\n", ret, error_buf ); } #endif x509_free( &srvcert ); rsa_free( &rsa ); ssl_free( &ssl ); #if defined(POLARSSL_SSL_CACHE_C) ssl_cache_free( &cache ); #endif reset: if (client_fd != -1) net_close(client_fd); ssl_session_reset( &ssl ); } }
/** * Construct a new x509 object. * @return 0 if ok. < 0 if there was a problem. */ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx) { int begin_tbs, end_tbs, begin_spki, end_spki; int ret = X509_NOT_OK, offset = 0, cert_size = 0; int version = 0; X509_CTX *x509_ctx; #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */ BI_CTX *bi_ctx; #endif *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX)); x509_ctx = *ctx; /* get the certificate size */ asn1_skip_obj(cert, &cert_size, ASN1_SEQUENCE); if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) goto end_cert; begin_tbs = offset; /* start of the tbs */ end_tbs = begin_tbs; /* work out the end of the tbs */ asn1_skip_obj(cert, &end_tbs, ASN1_SEQUENCE); if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) goto end_cert; /* optional version */ if (cert[offset] == ASN1_EXPLICIT_TAG && asn1_version(cert, &offset, &version) == X509_NOT_OK) goto end_cert; if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */ asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) goto end_cert; /* make sure the signature is ok */ if (asn1_signature_type(cert, &offset, x509_ctx)) { ret = X509_VFY_ERROR_UNSUPPORTED_DIGEST; goto end_cert; } if (asn1_name(cert, &offset, x509_ctx->ca_cert_dn) || asn1_validity(cert, &offset, x509_ctx) || asn1_name(cert, &offset, x509_ctx->cert_dn)) { goto end_cert; } begin_spki = offset; if (asn1_public_key(cert, &offset, x509_ctx)) goto end_cert; end_spki = offset; x509_ctx->fingerprint = malloc(SHA1_SIZE); SHA1_CTX sha_fp_ctx; SHA1_Init(&sha_fp_ctx); SHA1_Update(&sha_fp_ctx, &cert[0], cert_size); SHA1_Final(x509_ctx->fingerprint, &sha_fp_ctx); x509_ctx->spki_sha256 = malloc(SHA256_SIZE); SHA256_CTX spki_hash_ctx; SHA256_Init(&spki_hash_ctx); SHA256_Update(&spki_hash_ctx, &cert[begin_spki], end_spki-begin_spki); SHA256_Final(x509_ctx->spki_sha256, &spki_hash_ctx); #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */ bi_ctx = x509_ctx->rsa_ctx->bi_ctx; /* use the appropriate signature algorithm */ switch (x509_ctx->sig_type) { case SIG_TYPE_MD5: { MD5_CTX md5_ctx; uint8_t md5_dgst[MD5_SIZE]; MD5_Init(&md5_ctx); MD5_Update(&md5_ctx, &cert[begin_tbs], end_tbs-begin_tbs); MD5_Final(md5_dgst, &md5_ctx); x509_ctx->digest = bi_import(bi_ctx, md5_dgst, MD5_SIZE); } break; case SIG_TYPE_SHA1: { SHA1_CTX sha_ctx; uint8_t sha_dgst[SHA1_SIZE]; SHA1_Init(&sha_ctx); SHA1_Update(&sha_ctx, &cert[begin_tbs], end_tbs-begin_tbs); SHA1_Final(sha_dgst, &sha_ctx); x509_ctx->digest = bi_import(bi_ctx, sha_dgst, SHA1_SIZE); } break; case SIG_TYPE_SHA256: { SHA256_CTX sha256_ctx; uint8_t sha256_dgst[SHA256_SIZE]; SHA256_Init(&sha256_ctx); SHA256_Update(&sha256_ctx, &cert[begin_tbs], end_tbs-begin_tbs); SHA256_Final(sha256_dgst, &sha256_ctx); x509_ctx->digest = bi_import(bi_ctx, sha256_dgst, SHA256_SIZE); } break; case SIG_TYPE_SHA384: { SHA384_CTX sha384_ctx; uint8_t sha384_dgst[SHA384_SIZE]; SHA384_Init(&sha384_ctx); SHA384_Update(&sha384_ctx, &cert[begin_tbs], end_tbs-begin_tbs); SHA384_Final(sha384_dgst, &sha384_ctx); x509_ctx->digest = bi_import(bi_ctx, sha384_dgst, SHA384_SIZE); } break; case SIG_TYPE_SHA512: { SHA512_CTX sha512_ctx; uint8_t sha512_dgst[SHA512_SIZE]; SHA512_Init(&sha512_ctx); SHA512_Update(&sha512_ctx, &cert[begin_tbs], end_tbs-begin_tbs); SHA512_Final(sha512_dgst, &sha512_ctx); x509_ctx->digest = bi_import(bi_ctx, sha512_dgst, SHA512_SIZE); } break; } if (version == 2 && asn1_next_obj(cert, &offset, ASN1_V3_DATA) > 0) { x509_v3_subject_alt_name(cert, offset, x509_ctx); x509_v3_basic_constraints(cert, offset, x509_ctx); x509_v3_key_usage(cert, offset, x509_ctx); } offset = end_tbs; /* skip the rest of v3 data */ if (asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) || asn1_signature(cert, &offset, x509_ctx)) goto end_cert; /* Saves a few bytes of memory */ bi_clear_cache(bi_ctx); #endif ret = X509_OK; end_cert: if (len) { *len = cert_size; } if (ret) { #ifdef CONFIG_SSL_FULL_MODE char buff[64]; printf("Error: Invalid X509 ASN.1 file (%s)\n", x509_display_error(ret, buff)); #endif x509_free(x509_ctx); *ctx = NULL; } return ret; }