void ircd_client_free(struct ircd_client* const client)
{
if (! client)
return;
if (client->info_length > 0 && client->info_written < client->info_length)
(void) ssl_close_notify(&client->ssl_ctx);
(void) ssl_free(&client->ssl_ctx);
if (client->ev_t)
(void) event_free(client->ev_t);
if (client->ev_r)
(void) event_free(client->ev_r);
if (client->ev_w)
(void) event_free(client->ev_w);
if (client->fd > -1)
(void) close(client->fd);
DL_DELETE(ircd_clients, client);
free(client);
}
bool polarssl_io::on_close(bool alive)
{
#ifdef HAS_POLARSSL
if (ssl_ == NULL)
{
logger_error("ssl_ null");
return false;
}
if (stream_ == NULL)
{
logger_error("stream_ null");
return false;
}
if (!alive)
return false;
int ret;
while((ret = ssl_close_notify((ssl_context*) ssl_ )) < 0)
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
logger_warn("ssl_close_notify error: -0x%04x", ret);
return false;
}
}
#else
(void) alive;
#endif
return true;
}
int CTTLS::closeSocket() {
if((!iConnected && iPeerClosed==0) || iClosed) {
if(iNeedCallCloseSocket && pSSL && ((T_SSL*)pSSL)->sock) {
SOCKET server_fd=((T_SSL*)pSSL)->sock;
net_close(server_fd);
}
iNeedCallCloseSocket=0;
return 0;
}
addrConnected.clear();
iPeerClosed=0;
iConnected=0;
iClosed=1;
ssl_context *ssl=&((T_SSL*)pSSL)->ssl;
ssl_close_notify( ssl );
Sleep(60);
SOCKET server_fd=((T_SSL*)pSSL)->sock;
net_close( server_fd );
Sleep(80);
if(ssl)ssl_free( ssl );
((T_SSL*)pSSL)->sock=0;
iNeedCallCloseSocket=0;
return 0;
}
void gtget_ssl_close(connection_t * conn)
{
if (conn->ssl) {
sslparam_t *ssl = (sslparam_t *) conn->ssl;
ssl_close_notify(&ssl->ssl);
}
}
LWS_VISIBLE int
lws_ssl_close(struct lws *wsi)
{
int n;
if (!wsi->ssl)
return 0; /* not handled */
#if defined(LWS_USE_POLARSSL)
ssl_close_notify(wsi->ssl);
(void)n; /* we need to close the fd? */
ssl_free(wsi->ssl);
#else
#if defined(LWS_USE_MBEDTLS)
#else
n = SSL_get_fd(wsi->ssl);
SSL_shutdown(wsi->ssl);
compatible_close(n);
SSL_free(wsi->ssl);
#endif
#endif
wsi->ssl = NULL;
return 1; /* handled */
}
/*-----------------------------------------------------------------------------------*/
int sslclient_close(ssl_context *ssl)
{
ssl_close_notify( ssl );
ssl_free( ssl );
memset( ssl, 0, sizeof( ssl_context ) );
return 0;
}
wiced_result_t wiced_tls_close_notify( wiced_tcp_socket_t* socket )
{
if ( socket->tls_context != NULL )
{
ssl_close_notify( &socket->tls_context->context );
}
return WICED_SUCCESS;
}
static void tls_channel_close(belle_sip_tls_channel_t *obj){
belle_sip_socket_t sock = belle_sip_source_get_socket((belle_sip_source_t*)obj);
if (sock!=-1 && belle_sip_channel_get_state((belle_sip_channel_t*)obj)!=BELLE_SIP_CHANNEL_ERROR)
ssl_close_notify(&obj->sslctx);
stream_channel_close((belle_sip_stream_channel_t*)obj);
ssl_session_reset(&obj->sslctx);
obj->socket_connected=0;
}
void IOBuf_destroy(IOBuf *buf)
{
if(buf) {
if(buf->use_ssl) {
ssl_close_notify(&buf->ssl);
ssl_free(&buf->ssl);
}
fdclose(buf->fd);
h_free(buf);
}
}
static mrb_value mrb_ssl_close_notify(mrb_state *mrb, mrb_value self) {
ssl_context *ssl;
int ret;
ssl = DATA_CHECK_GET_PTR(mrb, self, &mrb_ssl_type, ssl_context);
ret = ssl_close_notify(ssl);
if (ret < 0) {
mrb_raise(mrb, E_SSL_ERROR, "ssl_close_notify() returned E_SSL_ERROR");
}
return mrb_true_value();
}
/*
* call-seq:
* close_notify() -> true or raises
*
* Notifies the peer to close the connection. true or raises PolarSSL::SSL::Error
*/
static VALUE R_ssl_close_notify( VALUE self )
{
ssl_context *ssl;
int ret;
Data_Get_Struct( self, ssl_context, ssl );
ret = ssl_close_notify( ssl );
if (ret < 0)
rb_raise( e_SSLError, "-0x%x", -ret );
return Qtrue;
}
int IOBuf_close(IOBuf *buf)
{
int rc = 0;
if(buf) {
if(buf->use_ssl) {
rc = ssl_close_notify(&buf->ssl);
}
fdclose(buf->fd);
}
return rc;
}
ngx_int_t
ngx_ssl_shutdown(ngx_connection_t *c)
{
int sslerr;
if (c->timedout || c->ssl->no_send_shutdown || c->ssl->no_wait_shutdown) {
ssl_free(c->ssl->connection);
c->ssl = NULL;
return NGX_OK;
}
sslerr = ssl_close_notify(c->ssl->connection);
if (sslerr == 0 || sslerr == MBEDTLS_ERR_SSL_CONN_EOF) {
ssl_free(c->ssl->connection);
c->ssl = NULL;
return NGX_OK;
}
if (sslerr == MBEDTLS_ERR_NET_WANT_READ ||
sslerr == MBEDTLS_ERR_NET_WANT_WRITE) {
c->read->handler = ngx_ssl_shutdown_handler;
c->write->handler = ngx_ssl_shutdown_handler;
if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
return NGX_ERROR;
}
if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
return NGX_ERROR;
}
if (sslerr == MBEDTLS_ERR_NET_WANT_READ) {
ngx_add_timer(c->read, 300000);
}
return NGX_AGAIN;
}
ngx_mbedtls_error(NGX_LOG_ERR, c->log, 0, sslerr,
"ssl_close_notify() failed");
ssl_free(c->ssl->connection);
c->ssl = NULL;
return NGX_ERROR;
}
void
tcp_close(tcpcon_t *tc)
{
#if ENABLE_POLARSSL
if(tc->ssl != NULL) {
ssl_close_notify(tc->ssl);
ssl_free(tc->ssl);
free(tc->ssl);
free(tc->ssn);
free(tc->hs);
}
#endif
htsbuf_queue_flush(&tc->spill);
netClose(tc->fd);
free(tc);
}
void clearsock(int sock,sockinfo * sock_info)
{
if(sock_info->istype==1)
{
if(sock_info->packbuflen>0&&sock_info->packbuf!=NULL)
{
free(sock_info->packbuf);
sock_info->packbuf=NULL;
}
if(sock_info->sslinfo!=NULL)
{
#if ISMBEDTLS
mbedtls_ssl_close_notify(&sock_info->sslinfo->ssl);
#else
ssl_close_notify(&sock_info->sslinfo->ssl);
#endif // ISMBEDTLS
ssl_free_info(sock_info->sslinfo);
free(sock_info->sslinfo);
sock_info->sslinfo=NULL;
}
}
#if ISMBEDTLS
shutdown(sock,2);
//closesocket(sock);
#if WIN32
closesocket(sock);
#else
close(sock);
#endif
#else
net_close(sock);
#endif
//ÊÍ·ÅÄÚ´æ
if(sock_info!=NULL)
{
free(sock_info);
sock_info=NULL;
}
}
/*********************************************************************************************************
** 函数名称: __vpnClientClose
** 功能描述: VPN 客户端关闭链接并释放 ssl 相关数据结构
** 输 入 : pvpnctx VPN 上下文
** 输 出 : ERROR
** 全局变量:
** 调用模块:
*********************************************************************************************************/
INT __vpnClientClose (__PVPN_CONTEXT pvpnctx)
{
if (pvpnctx == LW_NULL) {
return (PX_ERROR);
}
ssl_close_notify(&pvpnctx->VPNCTX_sslctx); /* 通知 ssl 即将关闭 */
if (pvpnctx->VPNCTX_iSocket >= 0) {
net_close(pvpnctx->VPNCTX_iSocket);
}
x509_free(&pvpnctx->VPNCTX_x509certPrivate);
x509_free(&pvpnctx->VPNCTX_x509certCA);
rsa_free(&pvpnctx->VPNCTX_rasctx);
ssl_free(&pvpnctx->VPNCTX_sslctx);
return (ERROR_NONE);
}
CWII_IPC_HLE_Device_net_ssl::~CWII_IPC_HLE_Device_net_ssl()
{
// Cleanup sessions
for (WII_SSL& ssl : _SSL)
{
if (ssl.active)
{
ssl_close_notify(&ssl.ctx);
ssl_session_free(&ssl.session);
ssl_free(&ssl.ctx);
x509_crt_free(&ssl.cacert);
x509_crt_free(&ssl.clicert);
ssl.hostname.clear();
ssl.active = false;
}
}
}
void
tcp_close(tcpcon_t *tc)
{
#if ENABLE_OPENSSL
if(tc->ssl != NULL) {
SSL_shutdown(tc->ssl);
SSL_free(tc->ssl);
}
#endif
#if ENABLE_POLARSSL
if(tc->ssl != NULL) {
ssl_close_notify(tc->ssl);
ssl_free(tc->ssl);
free(tc->ssl);
free(tc->ssn);
free(tc->hs);
}
#endif
close(tc->fd);
htsbuf_queue_flush(&tc->spill);
free(tc);
}
CWII_IPC_HLE_Device_net_ssl::~CWII_IPC_HLE_Device_net_ssl()
{
// Cleanup sessions
for (int i = 0; i < NET_SSL_MAXINSTANCES; i++)
{
if (_SSL[i].active)
{
ssl_close_notify(&_SSL[i].ctx);
ssl_session_free(&_SSL[i].session);
ssl_free(&_SSL[i].ctx);
x509_crt_free(&_SSL[i].cacert);
x509_crt_free(&_SSL[i].clicert);
memset(&_SSL[i].ctx, 0, sizeof(ssl_context));
memset(&_SSL[i].session, 0, sizeof(ssl_session));
memset(&_SSL[i].entropy, 0, sizeof(entropy_context));
memset(_SSL[i].hostname, 0, NET_SSL_MAX_HOSTNAME_LEN);
_SSL[i].active = false;
}
}
}
wiced_result_t wiced_generic_start_tls_with_ciphers( wiced_tls_simple_context_t* tls_context, void* referee, wiced_tls_endpoint_type_t type, wiced_tls_certificate_verification_t verification, const cipher_suite_t* cipher_list[], tls_transport_protocol_t transport_protocol )
{
microrng_state rngstate;
int prev_state;
uint64_t start_time;
tls_result_t result;
/* Initialize the session data */
if ( transport_protocol != TLS_EAP_TRANSPORT )
{
memset( &tls_context->session, 0, sizeof(wiced_tls_session_t) );
}
memset( &tls_context->context, 0, sizeof(wiced_tls_context_t) );
/* Prepare session and entropy */
tls_context->session.age = MAX_TLS_SESSION_AGE;
wwd_wifi_get_random( &rngstate.entropy, 4 );
/* Initialize session context */ /* TODO: Ideally this should be done once for a socket */
if ( ssl_init( &tls_context->context ) != 0 )
{
wiced_assert("Error initialising SSL", 0!=0 );
return WICED_TLS_INIT_FAIL;
}
tls_context->context.transport_protocol = transport_protocol;
microrng_init( &rngstate );
ssl_set_endpoint( &tls_context->context, type );
ssl_set_rng ( &tls_context->context, microrng_rand, &rngstate );
tls_context->context.receive_context = referee;
tls_context->context.send_context = referee;
tls_context->context.get_session = tls_get_session;
tls_context->context.set_session = tls_set_session;
tls_context->context.ciphers = cipher_list;
ssl_set_session ( &tls_context->context, SESSION_CAN_BE_RESUMED, 1000000, &tls_context->session );
/* Assert if user has not created correct TLS context for the TLS endpoint type */
wiced_assert("TLS servers must have an advanced TLS context", !((type == WICED_TLS_AS_SERVER) && (tls_context->context_type != WICED_TLS_ADVANCED_CONTEXT)));
if ( root_ca_certificates != NULL )
{
ssl_set_ca_chain( &tls_context->context, root_ca_certificates, tls_context->context.peer_cn );
ssl_set_authmode( &tls_context->context, verification );
}
else
{
ssl_set_authmode( &tls_context->context, SSL_VERIFY_NONE );
}
if ( tls_context->context_type == WICED_TLS_ADVANCED_CONTEXT )
{
wiced_tls_advanced_context_t* advanced_context = (wiced_tls_advanced_context_t*)tls_context;
ssl_set_own_cert( &advanced_context->context, &advanced_context->certificate, &advanced_context->key );
ssl_set_dh_param( &tls_context->context, diffie_hellman_prime_P, sizeof( diffie_hellman_prime_P ), diffie_hellman_prime_G, sizeof( diffie_hellman_prime_G ) );
}
prev_state = 0;
start_time = tls_host_get_time_ms();
do
{
uint64_t curr_time;
if (type == WICED_TLS_AS_SERVER)
{
result = ssl_handshake_server_async( &tls_context->context );
if ( result != TLS_SUCCESS )
{
WPRINT_SECURITY_INFO(( "Error with TLS server handshake\n" ));
goto exit_with_inited_context;
}
}
else
{
result = ssl_handshake_client_async( &tls_context->context );
if ( result != TLS_SUCCESS )
{
WPRINT_SECURITY_INFO(( "Error with TLS client handshake %u\n", (unsigned int)result ));
goto exit_with_inited_context;
}
}
/* break out if stuck */
curr_time = tls_host_get_time_ms();
if ( curr_time - start_time > MAX_HANDSHAKE_WAIT )
{
WPRINT_SECURITY_INFO(( "Timeout in SSL handshake\n" ));
result = TLS_HANDSHAKE_TIMEOUT;
goto exit_with_inited_context;
}
/* if no state change then wait on client */
if ( prev_state == tls_context->context.state )
{
host_rtos_delay_milliseconds( 10 );
}
else /* otherwise process next state with no delay */
{
prev_state = tls_context->context.state;
}
} while ( tls_context->context.state != SSL_HANDSHAKE_OVER );
return WICED_SUCCESS;
exit_with_inited_context:
ssl_close_notify( &tls_context->context );
ssl_free(&tls_context->context);
return (wiced_result_t) result;
}
int main( int argc, char *argv[] )
{
int ret = 0, len, server_fd, i, written, frags;
unsigned char buf[SSL_MAX_CONTENT_LEN + 1];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[POLARSSL_PSK_MAX_LEN];
size_t psk_len = 0;
#endif
#if defined(POLARSSL_SSL_ALPN)
const char *alpn_list[10];
#endif
const char *pers = "ssl_client2";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
ssl_session saved_session;
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt cacert;
x509_crt clicert;
pk_context pkey;
#endif
char *p, *q;
const int *list;
/*
* Make sure memory references are valid.
*/
server_fd = 0;
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &saved_session, 0, sizeof( ssl_session ) );
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt_init( &cacert );
x509_crt_init( &clicert );
pk_init( &pkey );
#endif
#if defined(POLARSSL_SSL_ALPN)
memset( (void * ) alpn_list, 0, sizeof( alpn_list ) );
#endif
if( argc == 0 )
{
usage:
if( ret == 0 )
ret = 1;
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %-42s", ssl_get_ciphersuite_name( *list ) );
list++;
if( !*list )
break;
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_name = DFL_SERVER_NAME;
opt.server_addr = DFL_SERVER_ADDR;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.nbio = DFL_NBIO;
opt.request_page = DFL_REQUEST_PAGE;
opt.request_size = DFL_REQUEST_SIZE;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.renegotiate = DFL_RENEGOTIATE;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.reconnect = DFL_RECONNECT;
opt.reco_delay = DFL_RECO_DELAY;
opt.tickets = DFL_TICKETS;
opt.alpn_string = DFL_ALPN_STRING;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_addr" ) == 0 )
opt.server_addr = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "nbio" ) == 0 )
{
opt.nbio = atoi( q );
if( opt.nbio < 0 || opt.nbio > 2 )
goto usage;
}
else if( strcmp( p, "request_page" ) == 0 )
opt.request_page = q;
else if( strcmp( p, "request_size" ) == 0 )
{
opt.request_size = atoi( q );
if( opt.request_size < 0 || opt.request_size > SSL_MAX_CONTENT_LEN )
goto usage;
}
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "psk" ) == 0 )
opt.psk = q;
else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] == 0 )
{
ret = 2;
goto usage;
}
opt.force_ciphersuite[1] = 0;
}
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
SSL_RENEGOTIATION_DISABLED;
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
opt.allow_legacy = atoi( q );
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
goto usage;
}
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
if( opt.renegotiate < 0 || opt.renegotiate > 1 )
goto usage;
}
else if( strcmp( p, "reconnect" ) == 0 )
{
opt.reconnect = atoi( q );
if( opt.reconnect < 0 || opt.reconnect > 2 )
goto usage;
}
else if( strcmp( p, "reco_delay" ) == 0 )
{
opt.reco_delay = atoi( q );
if( opt.reco_delay < 0 )
goto usage;
}
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
if( opt.tickets < 0 || opt.tickets > 2 )
goto usage;
}
else if( strcmp( p, "alpn" ) == 0 )
{
opt.alpn_string = q;
}
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "max_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_0;
opt.max_version = SSL_MINOR_VERSION_0;
}
else if( strcmp( q, "tls1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_1;
opt.max_version = SSL_MINOR_VERSION_1;
}
else if( strcmp( q, "tls1_1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_2;
opt.max_version = SSL_MINOR_VERSION_2;
}
else if( strcmp( q, "tls1_2" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_3;
opt.max_version = SSL_MINOR_VERSION_3;
}
else
goto usage;
}
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
opt.auth_mode = SSL_VERIFY_NONE;
else if( strcmp( q, "optional" ) == 0 )
opt.auth_mode = SSL_VERIFY_OPTIONAL;
else if( strcmp( q, "required" ) == 0 )
opt.auth_mode = SSL_VERIFY_REQUIRED;
else
goto usage;
}
else if( strcmp( p, "max_frag_len" ) == 0 )
{
if( strcmp( q, "512" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_512;
else if( strcmp( q, "1024" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_1024;
else if( strcmp( q, "2048" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_2048;
else if( strcmp( q, "4096" ) == 0 )
opt.mfl_code = SSL_MAX_FRAG_LEN_4096;
else
goto usage;
}
else if( strcmp( p, "trunc_hmac" ) == 0 )
{
opt.trunc_hmac = atoi( q );
if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 )
goto usage;
}
else
goto usage;
}
#if defined(POLARSSL_DEBUG_C)
debug_set_threshold( opt.debug_level );
#endif
if( opt.force_ciphersuite[0] > 0 )
{
const ssl_ciphersuite_t *ciphersuite_info;
ciphersuite_info = ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
if( opt.max_version != -1 &&
ciphersuite_info->min_minor_ver > opt.max_version )
{
printf("forced ciphersuite not allowed with this protocol version\n");
ret = 2;
goto usage;
}
if( opt.min_version != -1 &&
ciphersuite_info->max_minor_ver < opt.min_version )
{
printf("forced ciphersuite not allowed with this protocol version\n");
ret = 2;
goto usage;
}
if( opt.max_version > ciphersuite_info->max_minor_ver )
opt.max_version = ciphersuite_info->max_minor_ver;
if( opt.min_version < ciphersuite_info->min_minor_ver )
opt.min_version = ciphersuite_info->min_minor_ver;
}
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
/*
* Unhexify the pre-shared key if any is given
*/
if( strlen( opt.psk ) )
{
unsigned char c;
size_t j;
if( strlen( opt.psk ) % 2 != 0 )
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk_len = strlen( opt.psk ) / 2;
for( j = 0; j < strlen( opt.psk ); j += 2 )
{
c = opt.psk[j];
if( c >= '0' && c <= '9' )
c -= '0';
else if( c >= 'a' && c <= 'f' )
c -= 'a' - 10;
else if( c >= 'A' && c <= 'F' )
c -= 'A' - 10;
else
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk[ j / 2 ] = c << 4;
c = opt.psk[j + 1];
if( c >= '0' && c <= '9' )
c -= '0';
else if( c >= 'a' && c <= 'f' )
c -= 'a' - 10;
else if( c >= 'A' && c <= 'F' )
c -= 'A' - 10;
else
{
printf("pre-shared key not valid hex\n");
goto exit;
}
psk[ j / 2 ] |= c;
}
}
#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
{
p = (char *) opt.alpn_string;
i = 0;
/* Leave room for a final NULL in alpn_list */
while( i < (int) sizeof alpn_list - 1 && *p != '\0' )
{
alpn_list[i++] = p;
/* Terminate the current string and move on to next one */
while( *p != ',' && *p != '\0' )
p++;
if( *p == ',' )
*p++ = '\0';
}
}
#endif /* POLARSSL_SSL_ALPN */
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
goto exit;
}
printf( " ok\n" );
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_path ) )
if( strcmp( opt.ca_path, "none" ) == 0 )
ret = 0;
else
ret = x509_crt_parse_path( &cacert, opt.ca_path );
else if( strlen( opt.ca_file ) )
if( strcmp( opt.ca_file, "none" ) == 0 )
ret = 0;
else
ret = x509_crt_parse_file( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list,
strlen( test_ca_list ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret < 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
printf( " . Loading the client cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
if( strcmp( opt.crt_file, "none" ) == 0 )
ret = 0;
else
ret = x509_crt_parse_file( &clicert, opt.crt_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
#if defined(POLARSSL_FS_IO)
if( strlen( opt.key_file ) )
if( strcmp( opt.key_file, "none" ) == 0 )
ret = 0;
else
ret = pk_parse_keyfile( &pkey, opt.key_file, "" );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = pk_parse_key( &pkey, (const unsigned char *) test_cli_key,
strlen( test_cli_key ), NULL, 0 );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
#endif /* POLARSSL_X509_CRT_PARSE_C */
/*
* 2. Start the connection
*/
if( opt.server_addr == NULL)
opt.server_addr = opt.server_name;
printf( " . Connecting to tcp/%s/%-4d...", opt.server_addr,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_addr,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
goto exit;
}
if( opt.nbio > 0 )
ret = net_set_nonblock( server_fd );
else
ret = net_set_block( server_fd );
if( ret != 0 )
{
printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
#if defined(POLARSSL_X509_CRT_PARSE_C)
if( opt.debug_level > 0 )
ssl_set_verify( &ssl, my_verify, NULL );
#endif
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, opt.auth_mode );
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
if( ( ret = ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 )
{
printf( " failed\n ! ssl_set_max_frag_len returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != 0 )
if( ( ret = ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED ) ) != 0 )
{
printf( " failed\n ! ssl_set_truncated_hmac returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
if( ( ret = ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )
{
printf( " failed\n ! ssl_set_alpn_protocols returned %d\n\n", ret );
goto exit;
}
#endif
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
if( opt.nbio == 2 )
ssl_set_bio( &ssl, my_recv, &server_fd, my_send, &server_fd );
else
ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd );
#if defined(POLARSSL_SSL_SESSION_TICKETS)
if( ( ret = ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 )
{
printf( " failed\n ! ssl_set_session_tickets returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
}
if( strcmp( opt.crt_file, "none" ) != 0 &&
strcmp( opt.key_file, "none" ) != 0 )
{
if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
{
printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
}
#endif
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( ( ret = ssl_set_psk( &ssl, psk, psk_len,
(const unsigned char *) opt.psk_identity,
strlen( opt.psk_identity ) ) ) != 0 )
{
printf( " failed\n ! ssl_set_psk returned %d\n\n", ret );
goto exit;
}
#endif
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
printf( " failed\n ! ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
#endif
if( opt.min_version != -1 )
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != -1 )
ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret );
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
printf(
" Unable to verify the server's certificate. "
"Either it is invalid,\n"
" or you didn't set ca_file or ca_path "
"to an appropriate value.\n"
" Alternatively, you may want to use "
"auth_mode=optional for testing purposes.\n" );
printf( "\n" );
goto exit;
}
}
printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
#if defined(POLARSSL_SSL_ALPN)
if( opt.alpn_string != NULL )
{
const char *alp = ssl_get_alpn_protocol( &ssl );
printf( " [ Application Layer Protocol is %s ]\n",
alp ? alp : "(none)" );
}
#endif
if( opt.reconnect != 0 )
{
printf(" . Saving session for reuse..." );
fflush( stdout );
if( ( ret = ssl_get_session( &ssl, &saved_session ) ) != 0 )
{
printf( " failed\n ! ssl_get_session returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
}
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
if( ssl_get_peer_cert( &ssl ) != NULL )
{
printf( " . Peer certificate information ...\n" );
x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
if( opt.renegotiate )
{
/*
* Perform renegotiation (this must be done when the server is waiting
* for input from our side).
*/
printf( " . Performing renegotiation..." );
fflush( stdout );
while( ( ret = ssl_renegotiate( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_renegotiate returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n" );
}
/*
* 6. Write the GET request
*/
send_request:
printf( " > Write to server:" );
fflush( stdout );
if( strcmp( opt.request_page, "SERVERQUIT" ) == 0 )
len = sprintf( (char *) buf, "%s", opt.request_page );
else
{
size_t tail_len = strlen( GET_REQUEST_END );
len = snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST,
opt.request_page );
/* Add padding to GET request to reach opt.request_size in length */
if( opt.request_size != DFL_REQUEST_SIZE &&
len + tail_len < (size_t) opt.request_size )
{
memset( buf + len, 'A', opt.request_size - len - tail_len );
len += opt.request_size - len - tail_len;
}
strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 );
len += tail_len;
}
/* Truncate if request size is smaller than the "natural" size */
if( opt.request_size != DFL_REQUEST_SIZE &&
len > opt.request_size )
{
len = opt.request_size;
/* Still end with \r\n unless that's really not possible */
if( len >= 2 ) buf[len - 2] = '\r';
if( len >= 1 ) buf[len - 1] = '\n';
}
for( written = 0, frags = 0; written < len; written += ret, frags++ )
{
while( ( ret = ssl_write( &ssl, buf + written, len - written ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned -0x%x\n\n", -ret );
goto exit;
}
}
}
buf[written] = '\0';
printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
/*
* 7. Read the HTTP response
*/
printf( " < Read from server:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned -0x%x\n\n", -ret );
break;
}
if( ret == 0 )
{
printf("\n\nEOF\n\n");
ssl_close_notify( &ssl );
break;
}
len = ret;
buf[len] = '\0';
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 1 );
if( opt.reconnect != 0 )
{
--opt.reconnect;
net_close( server_fd );
#if defined(POLARSSL_TIMING_C)
if( opt.reco_delay > 0 )
m_sleep( 1000 * opt.reco_delay );
#endif
printf( " . Reconnecting with saved session..." );
fflush( stdout );
if( ( ret = ssl_session_reset( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_session_reset returned -0x%x\n\n", -ret );
goto exit;
}
if( ( ret = ssl_set_session( &ssl, &saved_session ) ) != 0 )
{
printf( " failed\n ! ssl_set_session returned %d\n\n", ret );
goto exit;
}
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
goto exit;
}
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
printf( " ok\n" );
goto send_request;
}
exit:
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
ret = 0;
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
}
#endif
if( server_fd )
net_close( server_fd );
#if defined(POLARSSL_X509_CRT_PARSE_C)
x509_crt_free( &clicert );
x509_crt_free( &cacert );
pk_free( &pkey );
#endif
ssl_session_free( &saved_session );
ssl_free( &ssl );
ctr_drbg_free( &ctr_drbg );
entropy_free( &entropy );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
// Shell can not handle large exit numbers -> 1 for errors
if( ret < 0 )
ret = 1;
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0, server_fd;
unsigned char buf[1024];
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_crt cacert;
x509_crt clicert;
pk_context pkey;
int i, j;
int flags, verify = 0;
char *p, *q;
const char *pers = "cert_app";
/*
* Set to sane values
*/
server_fd = 0;
x509_crt_init( &cacert );
x509_crt_init( &clicert );
pk_init( &pkey );
if( argc == 0 )
{
usage:
printf( USAGE );
goto exit;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.permissive = DFL_PERMISSIVE;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
for( j = 0; p + j < q; j++ )
{
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
if( strcmp( p, "mode" ) == 0 )
{
if( strcmp( q, "file" ) == 0 )
opt.mode = MODE_FILE;
else if( strcmp( q, "ssl" ) == 0 )
opt.mode = MODE_SSL;
else
goto usage;
}
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "permissive" ) == 0 )
{
opt.permissive = atoi( q );
if( opt.permissive < 0 || opt.permissive > 1 )
goto usage;
}
else
goto usage;
}
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
if( strlen( opt.ca_path ) )
{
ret = x509_crt_parse_path( &cacert, opt.ca_path );
verify = 1;
}
else if( strlen( opt.ca_file ) )
{
ret = x509_crt_parse_file( &cacert, opt.ca_file );
verify = 1;
}
if( ret < 0 )
{
printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
if( opt.mode == MODE_FILE )
{
x509_crt crt;
x509_crt *cur = &crt;
x509_crt_init( &crt );
/*
* 1.1. Load the certificate(s)
*/
printf( "\n . Loading the certificate(s) ..." );
fflush( stdout );
ret = x509_crt_parse_file( &crt, opt.filename );
if( ret < 0 )
{
printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret );
x509_crt_free( &crt );
goto exit;
}
if( opt.permissive == 0 && ret > 0 )
{
printf( " failed\n ! x509_crt_parse failed to parse %d certificates\n\n", ret );
x509_crt_free( &crt );
goto exit;
}
printf( " ok\n" );
/*
* 1.2 Print the certificate(s)
*/
while( cur != NULL )
{
printf( " . Peer certificate information ...\n" );
ret = x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
cur );
if( ret == -1 )
{
printf( " failed\n ! x509_crt_info returned %d\n\n", ret );
x509_crt_free( &crt );
goto exit;
}
printf( "%s\n", buf );
cur = cur->next;
}
/*
* 1.3 Verify the certificate
*/
if( verify )
{
printf( " . Verifying X.509 certificate..." );
if( ( ret = x509_crt_verify( &crt, &cacert, NULL, NULL, &flags,
my_verify, NULL ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
}
x509_crt_free( &crt );
}
else if( opt.mode == MODE_SSL )
{
/*
* 1. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Start the connection
*/
printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
/*
* 3. Setup stuff
*/
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
if( verify )
{
ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_verify( &ssl, my_verify, NULL );
}
else
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
ssl_set_own_cert( &ssl, &clicert, &pkey );
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl_set_hostname( &ssl, opt.server_name );
#endif
/*
* 4. Handshake
*/
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
ssl_free( &ssl );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl.session->peer_cert );
if( ret == -1 )
{
printf( " failed\n ! x509_crt_info returned %d\n\n", ret );
ssl_free( &ssl );
goto exit;
}
printf( "%s\n", buf );
ssl_close_notify( &ssl );
ssl_free( &ssl );
}
else
goto usage;
exit:
if( server_fd )
net_close( server_fd );
x509_crt_free( &cacert );
x509_crt_free( &clicert );
pk_free( &pkey );
entropy_free( &entropy );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0, server_fd;
unsigned char buf[1024];
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert clicert;
rsa_context rsa;
int i, j, n;
char *p, *q;
const char *pers = "cert_app";
/*
* Set to sane values
*/
server_fd = 0;
memset( &clicert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) );
if( argc == 0 )
{
usage:
printf( USAGE );
goto exit;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.permissive = DFL_PERMISSIVE;
for( i = 1; i < argc; i++ )
{
n = strlen( argv[i] );
for( j = 0; j < n; j++ )
{
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "mode" ) == 0 )
{
if( strcmp( q, "file" ) == 0 )
opt.mode = MODE_FILE;
else if( strcmp( q, "ssl" ) == 0 )
opt.mode = MODE_SSL;
else
goto usage;
}
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "permissive" ) == 0 )
{
opt.permissive = atoi( q );
if( opt.permissive < 0 || opt.permissive > 1 )
goto usage;
}
else
goto usage;
}
if( opt.mode == MODE_FILE )
{
x509_cert crt;
x509_cert *cur = &crt;
memset( &crt, 0, sizeof( x509_cert ) );
/*
* 1.1. Load the certificate(s)
*/
printf( "\n . Loading the certificate(s) ..." );
fflush( stdout );
ret = x509parse_crtfile( &crt, opt.filename );
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
x509_free( &crt );
goto exit;
}
if( opt.permissive == 0 && ret > 0 )
{
printf( " failed\n ! x509parse_crt failed to parse %d certificates\n\n", ret );
x509_free( &crt );
goto exit;
}
printf( " ok\n" );
/*
* 1.2 Print the certificate(s)
*/
while( cur != NULL )
{
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", cur );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
x509_free( &crt );
goto exit;
}
printf( "%s\n", buf );
cur = cur->next;
}
x509_free( &crt );
}
else if( opt.mode == MODE_SSL )
{
/*
* 1. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
/*
* 2. Start the connection
*/
printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
/*
* 3. Setup stuff
*/
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, opt.server_name );
/*
* 4. Handshake
*/
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
ssl_free( &ssl );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl.session->peer_cert );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
ssl_free( &ssl );
goto exit;
}
printf( "%s\n", buf );
ssl_close_notify( &ssl );
ssl_free( &ssl );
}
else
goto usage;
exit:
if( server_fd )
net_close( server_fd );
x509_free( &clicert );
rsa_free( &rsa );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( int argc, const char *argv[] )
{
/* Client and server declarations. */
int ret;
int len;
#if SOCKET_COMMUNICATION
int listen_fd = -1;
int client_fd = -1;
int server_fd = -1;
#endif
unsigned char buf[1024];
/* Handshake step counter */
size_t step = 1;
int flags;
ssl_context s_ssl, c_ssl;
x509_crt srvcert;
pk_context pkey;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
#endif
if( argc == 3)
{
packet_in_num = atoi(argv[1]);
packet_in_file = argv[2];
}
else if( argc != 1)
{
usage(argv[0]);
exit(1);
}
/* Server init */
memset( &s_ssl, 0, sizeof( ssl_context ) );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_init( &cache );
#endif
x509_crt_init( &srvcert );
pk_init( &pkey );
/* Client init */
memset( &c_ssl, 0, sizeof( ssl_context ) );
/*x509_crt_init( &cacert );*/
#if defined(POLARSSL_DEBUG_C)
debug_set_threshold( DEBUG_LEVEL );
#endif
/*
* Server:
* Load the certificates and private RSA key
*/
if( packet_in_num == 0 )
{
printf( " . Loading the server cert. and key..." );
fflush( stdout );
}
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509_crt_parse_file() to read the
* server and CA certificates, as well as pk_parse_keyfile().
*/
ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list,
strlen( test_ca_list ) );
if( ret != 0 )
{
polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! pk_parse_key returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Server:
* Setup stuff
*/
if( packet_in_num == 0 )
{
printf( " . Server: Setting up the SSL data...." );
fflush( stdout );
}
if( ( ret = ssl_init( &s_ssl ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &s_ssl, SSL_IS_SERVER );
ssl_set_authmode( &s_ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &s_ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &s_ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &s_ssl, ctr_drbg_deterministic, NULL );
ssl_set_dbg( &s_ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &s_ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
ssl_set_ca_chain( &s_ssl, srvcert.next, NULL, NULL );
if( ( ret = ssl_set_own_cert( &s_ssl, &srvcert, &pkey ) ) != 0 )
{
printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
ssl_session_reset( &s_ssl );
#if SOCKET_COMMUNICATION
/*
* Server:
* Setup the listening TCP socket
*/
if( packet_in_num == 0 )
{
printf( " . Bind on https://localhost:%d/ ...", SERVER_PORT );
fflush( stdout );
}
if( ( ret = net_bind( &listen_fd, NULL, SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Client:
* Start the connection
*/
if( packet_in_num == 0 )
{
printf( " . Connecting to tcp/%s/%d...", SERVER_NAME, SERVER_PORT );
fflush( stdout );
}
if( ( ret = net_connect( &server_fd, SERVER_NAME,
SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Server:
* Start listening for client connections
*/
if( packet_in_num == 0 )
{
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
}
/*
* Server:
* Accept client connection (socket is set non-blocking in
* library/net.c)
*/
if( ( ret = net_accept( listen_fd, &client_fd,
NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
ssl_set_bio( &s_ssl, recv_custom, &client_fd, send_custom, &client_fd );
#else
ssl_set_bio( &s_ssl, func_server_recv_buf, NULL, func_server_send_buf, NULL );
#endif
/*
* Client:
* Setup stuff
*/
if( packet_in_num == 0 )
{
printf( " . Client: Setting up the SSL/TLS structure..." );
fflush( stdout );
}
if( ( ret = ssl_init( &c_ssl ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
polarssl_printf( " ok\n" );
}
ssl_set_endpoint( &c_ssl, SSL_IS_CLIENT );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
ssl_set_authmode( &c_ssl, SSL_VERIFY_OPTIONAL );
/* NONE permits man-in-the-middle attacks. */
/*ssl_set_authmode( &c_ssl, VERIFY_NONE );*/
/*ssl_set_authmode( &c_ssl, SSL_VERIFY_REQUIRED );*/
ssl_set_ca_chain( &c_ssl, &srvcert, NULL, "PolarSSL Server 1" );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &c_ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &c_ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &c_ssl, ctr_drbg_deterministic, NULL );
ssl_set_dbg( &c_ssl, my_debug, stdout );
if( ( ret = ssl_set_hostname( &c_ssl, "mbed TLS Server 1" ) ) != 0 )
{
printf( " failed\n ! ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
#if SOCKET_COMMUNICATION
ssl_set_bio( &c_ssl, recv_custom, &server_fd, send_custom, &server_fd );
#else
ssl_set_bio( &c_ssl, func_client_recv_buf, NULL, func_client_send_buf, NULL );
#endif
if( packet_in_num == 0 )
{
printf( " . Performing the SSL/TLS handshake...\n" );
fflush( stdout );
}
/*
* The following number of steps are hardcoded to ensure
* that the client and server complete the handshake without
* waiting infinitely for the other side to send data.
*
* 1 2 3 4 5 6 7 8 9
*/
int client_steps[] = { 2, 1, 1, 1, 4, 2, 1, 1, 3 };
int server_steps[] = { 3, 1, 1, 3, 2, 1, 2, 1, 2 };
do {
/*
* Client:
* Handshake step
*/
int i;
int no_steps;
if( c_ssl.state == SSL_HANDSHAKE_OVER ) {
no_steps = 0;
} else {
no_steps = client_steps[step - 1];
}
for (i = 0; i < no_steps; i++) {
if( ( ret = ssl_handshake_step( &c_ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
}
if( packet_in_num == 0 )
{
printf( "--- client handshake step %zd ok\n", step );
}
/*
* Server:
* Handshake step
*/
if( s_ssl.state == SSL_HANDSHAKE_OVER ) {
printf("over\n");
no_steps = 0;
} else {
no_steps = server_steps[step - 1];
}
for (i = 0; i < no_steps; i++) {
if( ( ret = ssl_handshake_step( &s_ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
}
if( packet_in_num == 0 )
{
printf( "--- server handshake step %zd ok\n", step );
}
step++;
} while( ((c_ssl.state != SSL_HANDSHAKE_OVER)
|| (s_ssl.state != SSL_HANDSHAKE_OVER))
&& (step <= MAX_HANDSHAKE_STEPS) );
if( packet_in_num == 0 )
{
printf( "c_ssl.state: %d\n", c_ssl.state != SSL_HANDSHAKE_OVER );
printf( "s_ssl.state: %d\n", s_ssl.state != SSL_HANDSHAKE_OVER );
}
/*
* Client:
* Verify the server certificate
*/
if( packet_in_num == 0 )
{
printf( " . Verifying peer X.509 certificate..." );
}
/* In real life, we probably want to bail out when ret != 0 */
if( ( flags = ssl_get_verify_result( &c_ssl ) ) != 0 )
{
char vrfy_buf[512];
printf( " failed\n" );
x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
printf( "%s\n", vrfy_buf );
}
else if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Client:
* Write the GET request
*/
if( packet_in_num == 0 )
{
printf( " > Write to server:" );
fflush( stdout );
}
len = sprintf( (char *) buf, GET_REQUEST );
while( ( ret = ssl_write( &c_ssl, buf, len ) ) <= 0 )
{
if( ret !=POLARSSL_ERR_NET_WANT_READ && ret !=POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes written\n\n%s", len, (char *) buf );
}
/*
* Server:
* Read the HTTP Request
*/
if( packet_in_num == 0 )
{
printf( " < Read from client:" );
fflush( stdout );
}
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &s_ssl, buf, len );
if( ret ==POLARSSL_ERR_NET_WANT_READ || ret ==POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
if( ret > 0 )
break;
}
while( 1 );
/*
* Server:
* Write the 200 Response
*/
if( packet_in_num == 0 )
{
printf( " > Write to client:" );
fflush( stdout );
}
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &s_ssl ) );
while( ( ret = ssl_write( &s_ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto exit;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
}
/*
* Client:
* Read the HTTP response
*/
if( packet_in_num == 0 )
{
printf( " < Read from server:" );
fflush( stdout );
}
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &c_ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
{
ret = 0;
break;
}
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned %d\n\n", ret );
break;
}
if( ret == 0 )
{
printf( "\n\nEOF\n\n" );
break;
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
/*
* Server:
* Client read response. Close connection.
*/
if ( packet_in_num == 0 )
{
printf( " . Closing the connection..." );
fflush( stdout );
}
while( ( ret = ssl_close_notify( &s_ssl ) ) < 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_close_notify returned %d\n\n", ret );
goto exit;
}
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
}
while( 1 );
/*
* Client:
* Close connection.
*/
if( packet_in_num == 0 )
{
printf( " . Closing the connection..." );
fflush( stdout );
}
ssl_close_notify( &c_ssl );
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Server:
* We do not have multiple clients and therefore do not goto reset.
*/
/*ret = 0;*/
/*goto reset;*/
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
#if SOCKET_COMMUNICATION
if ( client_fd != 1 )
net_close( client_fd );
if( server_fd != -1 )
net_close( server_fd );
if ( listen_fd != 1 )
net_close( listen_fd );
#endif
x509_crt_free( &srvcert );
pk_free( &pkey );
ssl_free( &s_ssl );
ssl_free( &c_ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout );
getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0, server_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert clicert;
rsa_context rsa;
int i, j, n;
char *p, *q;
if( argc == 0 )
{
usage:
printf( USAGE );
goto exit;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
for( i = 1; i < argc; i++ )
{
n = strlen( argv[i] );
for( j = 0; j < n; j++ )
{
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "mode" ) == 0 )
{
if( strcmp( q, "file" ) == 0 )
opt.mode = MODE_FILE;
else if( strcmp( q, "ssl" ) == 0 )
opt.mode = MODE_SSL;
else
goto usage;
}
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else
goto usage;
}
if( opt.mode == MODE_FILE )
{
x509_cert crt;
memset( &crt, 0, sizeof( x509_cert ) );
/*
* 1.1. Load the certificate
*/
printf( "\n . Loading the certificate ..." );
fflush( stdout );
ret = x509parse_crtfile( &crt, opt.filename );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
x509_free( &crt );
goto exit;
}
printf( " ok\n" );
/*
* 1.2 Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", &crt );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
x509_free( &crt );
goto exit;
}
printf( "%s\n", buf );
x509_free( &crt );
}
else if( opt.mode == MODE_SSL )
{
/*
* 1. Initialize the RNG and the session data
*/
havege_init( &hs );
memset( &ssn, 0, sizeof( ssl_session ) );
/*
* 2. Start the connection
*/
printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
/*
* 3. Setup stuff
*/
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, opt.server_name );
/*
* 4. Handshake
*/
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Print the certificate
*/
printf( " . Peer certificate information ...\n" );
ret = x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
goto exit;
}
printf( "%s\n", buf );
ssl_close_notify( &ssl );
}
else
goto usage;
exit:
net_close( server_fd );
x509_free( &clicert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#ifdef WIN32
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress)
{
SIOCtlVBuffer CommandBuffer(_CommandAddress);
u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0;
u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0;
u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0;
u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0;
if (CommandBuffer.InBuffer.size() > 0)
{
_BufferIn = CommandBuffer.InBuffer.at(0).m_Address;
BufferInSize = CommandBuffer.InBuffer.at(0).m_Size;
}
if (CommandBuffer.InBuffer.size() > 1)
{
_BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address;
BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size;
}
if (CommandBuffer.InBuffer.size() > 2)
{
_BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address;
BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 0)
{
BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address;
BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 1)
{
BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address;
BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size;
}
if (CommandBuffer.PayloadBuffer.size() > 2)
{
BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address;
BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size;
}
// I don't trust SSL to be deterministic, and this is never going to sync
// as such (as opposed to forwarding IPC results or whatever), so -
if (Core::g_want_determinism)
{
Memory::Write_U32(-1, _CommandAddress + 0x4);
return IPC_DEFAULT_REPLY;
}
switch (CommandBuffer.Parameter)
{
case IOCTLV_NET_SSL_NEW:
{
int verifyOption = Memory::Read_U32(BufferOut);
std::string hostname = Memory::GetString(BufferOut2, BufferOutSize2);
int freeSSL = GetSSLFreeID();
if (freeSSL)
{
int sslID = freeSSL - 1;
WII_SSL* ssl = &_SSL[sslID];
int ret = ssl_init(&ssl->ctx);
if (ret)
{
goto _SSL_NEW_ERROR;
}
entropy_init(&ssl->entropy);
const char* pers = "dolphin-emu";
ret = ctr_drbg_init(&ssl->ctr_drbg, entropy_func,
&ssl->entropy,
(const unsigned char*)pers,
strlen(pers));
if (ret)
{
ssl_free(&ssl->ctx);
entropy_free(&ssl->entropy);
goto _SSL_NEW_ERROR;
}
ssl_set_rng(&ssl->ctx, ctr_drbg_random, &ssl->ctr_drbg);
// For some reason we can't use TLSv1.2, v1.1 and below are fine!
ssl_set_max_version(&ssl->ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2);
ssl_set_session(&ssl->ctx, &ssl->session);
ssl_set_endpoint(&ssl->ctx, SSL_IS_CLIENT);
ssl_set_authmode(&ssl->ctx, SSL_VERIFY_NONE);
ssl_set_renegotiation(&ssl->ctx, SSL_RENEGOTIATION_ENABLED);
ssl->hostname = hostname;
ssl_set_hostname(&ssl->ctx, ssl->hostname.c_str());
ssl->active = true;
Memory::Write_U32(freeSSL, _BufferIn);
}
else
{
_SSL_NEW_ERROR:
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
verifyOption, hostname.c_str(),
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SHUTDOWN:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
ssl_close_notify(&ssl->ctx);
ssl_session_free(&ssl->session);
ssl_free(&ssl->ctx);
entropy_free(&ssl->entropy);
x509_crt_free(&ssl->cacert);
x509_crt_free(&ssl->clicert);
ssl->hostname.clear();
ssl->active = false;
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETROOTCA:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
int ret = x509_crt_parse_der(
&ssl->cacert,
Memory::GetPointer(BufferOut2),
BufferOutSize2);
if (ret)
{
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str());
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
std::string cert_base_path = File::GetUserPath(D_SESSION_WIIROOT_IDX);
int ret = x509_crt_parse_file(&ssl->clicert, (cert_base_path + "clientca.pem").c_str());
int pk_ret = pk_parse_keyfile(&ssl->pk, (cert_base_path + "clientcakey.pem").c_str(), nullptr);
if (ret || pk_ret)
{
x509_crt_free(&ssl->clicert);
pk_free(&ssl->pk);
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_own_cert(&ssl->ctx, &ssl->clicert, &ssl->pk);
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID);
}
break;
}
case IOCTLV_NET_SSL_REMOVECLIENTCERT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
x509_crt_free(&ssl->clicert);
pk_free(&ssl->pk);
ssl_set_own_cert(&ssl->ctx, nullptr, nullptr);
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID);
}
break;
}
case IOCTLV_NET_SSL_SETBUILTINROOTCA:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
int ret = x509_crt_parse_file(&ssl->cacert, (File::GetUserPath(D_SESSION_WIIROOT_IDX) + "/rootca.pem").c_str());
if (ret)
{
x509_crt_free(&ssl->clicert);
Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);
}
else
{
ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str());
Memory::Write_U32(SSL_OK, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_CONNECT:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WII_SSL* ssl = &_SSL[sslID];
ssl->sockfd = Memory::Read_U32(BufferOut2);
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", ssl->sockfd);
ssl_set_bio(&ssl->ctx, net_recv, &ssl->sockfd, net_send, &ssl->sockfd);
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_DOHANDSHAKE:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::GetInstance();
sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE);
return IPC_NO_REPLY;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
case IOCTLV_NET_SSL_WRITE:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::GetInstance();
sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE);
return IPC_NO_REPLY;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
INFO_LOG(WII_IPC_SSL, "%s", Memory::GetString(BufferOut2).c_str());
break;
}
case IOCTLV_NET_SSL_READ:
{
int ret = 0;
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
WiiSockMan &sm = WiiSockMan::GetInstance();
sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ);
return IPC_NO_REPLY;
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)"
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
ret,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETROOTCADEFAULT:
{
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT:
{
INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
int sslID = Memory::Read_U32(BufferOut) - 1;
if (SSLID_VALID(sslID))
{
Memory::Write_U32(SSL_OK, _BufferIn);
}
else
{
Memory::Write_U32(SSL_ERR_ID, _BufferIn);
}
break;
}
default:
ERROR_LOG(WII_IPC_SSL, "%i "
"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "
"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "
"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",
CommandBuffer.Parameter,
_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,
_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,
BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);
break;
}
// SSL return codes are written to BufferIn
Memory::Write_U32(0, _CommandAddress+4);
return IPC_DEFAULT_REPLY;
}
int main( void )
{
int ret, len;
int listen_fd;
int client_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert srvcert;
rsa_context rsa;
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_key( &rsa, (unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Wait until a client connects
*/
#ifdef WIN32
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
memset( &ssl, 0, sizeof( ssl ) );
accept:
net_close( client_fd );
ssl_free( &ssl );
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the RNG and SSL data...." );
fflush( stdout );
havege_init( &hs );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto accept;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
ssl_set_scb( &ssl, my_get_session,
my_set_session );
ssl_set_ciphers( &ssl, my_ciphers );
ssl_set_session( &ssl, 1, 0, &ssn );
memset( &ssn, 0, sizeof( ssl_session ) );
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto accept;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_TRY_AGAIN )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned %d\n", ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 0 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_cipher( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto accept;
}
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ssl_close_notify( &ssl );
goto accept;
exit:
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
cur = s_list_1st;
while( cur != NULL )
{
prv = cur;
cur = cur->next;
memset( prv, 0, sizeof( ssl_session ) );
free( prv );
}
memset( &ssl, 0, sizeof( ssl_context ) );
#ifdef WIN32
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
static void *handle_ssl_connection( void *data )
{
int ret, len;
thread_info_t *thread_info = (thread_info_t *) data;
int client_fd = thread_info->client_fd;
int thread_id = (int) pthread_self();
unsigned char buf[1024];
char pers[50];
ssl_context ssl;
ctr_drbg_context ctr_drbg;
/* Make sure memory references are valid */
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &ctr_drbg, 0, sizeof( ctr_drbg_context ) );
snprintf( pers, sizeof(pers), "SSL Pthread Thread %d", thread_id );
polarssl_printf( " [ #%d ] Client FD %d\n", thread_id, client_fd );
polarssl_printf( " [ #%d ] Seeding the random number generator...\n", thread_id );
/* entropy_func() is thread-safe if POLARSSL_THREADING_C is set
*/
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, thread_info->entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
polarssl_printf( " [ #%d ] failed: ctr_drbg_init returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
polarssl_printf( " [ #%d ] ok\n", thread_id );
/*
* 4. Setup stuff
*/
polarssl_printf( " [ #%d ] Setting up the SSL data....\n", thread_id );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
polarssl_printf( " [ #%d ] failed: ssl_init returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
/* ssl_cache_get() and ssl_cache_set() are thread-safe if
* POLARSSL_THREADING_C is set.
*/
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, thread_info->cache,
ssl_cache_set, thread_info->cache );
#endif
ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL );
if( ( ret = ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto thread_exit;
}
polarssl_printf( " [ #%d ] ok\n", thread_id );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
polarssl_printf( " [ #%d ] ok\n", thread_id );
/*
* 5. Handshake
*/
polarssl_printf( " [ #%d ] Performing the SSL/TLS handshake\n", thread_id );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
polarssl_printf( " [ #%d ] failed: ssl_handshake returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
}
polarssl_printf( " [ #%d ] ok\n", thread_id );
/*
* 6. Read the HTTP Request
*/
polarssl_printf( " [ #%d ] < Read from client\n", thread_id );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
polarssl_printf( " [ #%d ] connection was closed gracefully\n",
thread_id );
goto thread_exit;
case POLARSSL_ERR_NET_CONN_RESET:
polarssl_printf( " [ #%d ] connection was reset by peer\n",
thread_id );
goto thread_exit;
default:
polarssl_printf( " [ #%d ] ssl_read returned -0x%04x\n",
thread_id, -ret );
goto thread_exit;
}
}
len = ret;
polarssl_printf( " [ #%d ] %d bytes read\n=====\n%s\n=====\n",
thread_id, len, (char *) buf );
if( ret > 0 )
break;
}
while( 1 );
/*
* 7. Write the 200 Response
*/
polarssl_printf( " [ #%d ] > Write to client:\n", thread_id );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
polarssl_printf( " [ #%d ] failed: peer closed the connection\n",
thread_id );
goto thread_exit;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
polarssl_printf( " [ #%d ] failed: ssl_write returned -0x%04x\n",
thread_id, ret );
goto thread_exit;
}
}
len = ret;
polarssl_printf( " [ #%d ] %d bytes written\n=====\n%s\n=====\n",
thread_id, len, (char *) buf );
polarssl_printf( " [ #%d ] . Closing the connection...", thread_id );
while( ( ret = ssl_close_notify( &ssl ) ) < 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
polarssl_printf( " [ #%d ] failed: ssl_close_notify returned -0x%04x\n",
thread_id, ret );
goto thread_exit;
}
}
polarssl_printf( " ok\n" );
ret = 0;
thread_exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
polarssl_printf(" [ #%d ] Last error was: -0x%04x - %s\n\n",
thread_id, -ret, error_buf );
}
#endif
net_close( client_fd );
ctr_drbg_free( &ctr_drbg );
ssl_free( &ssl );
thread_info->thread_complete = 1;
return( NULL );
}
int main( int argc, char *argv[] )
{
int ret, len, server_fd;
unsigned char buf[1024];
char *pers = "ssl_client1";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert cacert;
((void) argc);
((void) argv);
/*
* 0. Initialize the RNG and the session data
*/
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 0. Initialize certificates
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
#endif
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1. Start the connection
*/
printf( " . Connecting to tcp/%s/%4d...", SERVER_NAME,
SERVER_PORT );
fflush( stdout );
if( ( ret = net_connect( &server_fd, SERVER_NAME,
SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
/*
* 3. Write the GET request
*/
printf( " > Write to server:" );
fflush( stdout );
len = sprintf( (char *) buf, GET_REQUEST );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s", len, (char *) buf );
/*
* 7. Read the HTTP response
*/
printf( " < Read from server:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned %d\n\n", ret );
break;
}
if( ret == 0 )
{
printf( "\n\nEOF\n\n" );
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 1 );
ssl_close_notify( &ssl );
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
x509_free( &cacert );
net_close( server_fd );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main(void)
{
int ret, len, server_fd = -1;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
/*
* 0. Initialize the RNG and the session data
*/
havege_init(&hs);
memset(&ssl, 0, sizeof(ssl));
memset(&ssn, 0, sizeof(ssl_session));
/*
* 1. Start the connection
*/
printf("\n . Connecting to tcp/%s/%4d...", SERVER_NAME, SERVER_PORT);
fflush(stdout);
if ((ret = net_connect(&server_fd, SERVER_NAME, SERVER_PORT)) != 0) {
printf(" failed\n ! net_connect returned %d\n\n", ret);
goto exit;
}
printf(" ok\n");
/*
* 2. Setup stuff
*/
printf(" . Setting up the SSL/TLS structure...");
fflush(stdout);
if ((ret = ssl_init(&ssl)) != 0) {
printf(" failed\n ! ssl_init returned %d\n\n", ret);
goto exit;
}
printf(" ok\n");
ssl_set_endpoint(&ssl, SSL_IS_CLIENT);
ssl_set_authmode(&ssl, SSL_VERIFY_NONE);
ssl_set_rng(&ssl, havege_rand, &hs);
ssl_set_dbg(&ssl, my_debug, stdout);
ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd);
ssl_set_ciphers(&ssl, ssl_default_ciphers);
ssl_set_session(&ssl, 1, 600, &ssn);
/*
* 3. Write the GET request
*/
printf(" > Write to server:");
fflush(stdout);
len = sprintf((char *)buf, GET_REQUEST);
while ((ret = ssl_write(&ssl, buf, len)) <= 0) {
if (ret != TROPICSSL_ERR_NET_TRY_AGAIN) {
printf(" failed\n ! ssl_write returned %d\n\n", ret);
goto exit;
}
}
len = ret;
printf(" %d bytes written\n\n%s", len, (char *)buf);
/*
* 7. Read the HTTP response
*/
printf(" < Read from server:");
fflush(stdout);
do {
len = sizeof(buf) - 1;
memset(buf, 0, sizeof(buf));
ret = ssl_read(&ssl, buf, len);
if (ret == TROPICSSL_ERR_NET_TRY_AGAIN)
continue;
if (ret == TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY)
break;
if (ret <= 0) {
printf("failed\n ! ssl_read returned %d\n\n", ret);
break;
}
len = ret;
printf(" %d bytes read\n\n%s", len, (char *)buf);
}
while (0);
ssl_close_notify(&ssl);
exit:
net_close(server_fd);
ssl_free(&ssl);
memset(&ssl, 0, sizeof(ssl));
#ifdef WIN32
printf(" + Press Enter to exit this program.\n");
fflush(stdout);
getchar();
#endif
return (ret);
}