/*
Construct the initial HELLO message to send to the server and initiate
the SSL handshake. Can be used in the re-handshake scenario as well.
*/
int _ssl_doHandshake(SSL *ssl) {
char buf[1024];
int err, rc;
/*
MatrixSSL doesn't provide buffers for data internally. Define them
here to support buffered reading and writing for non-blocking sockets.
Although it causes quite a bit more work, we support dynamically growing
the buffers as needed. Alternately, we could define 16K buffers here
and not worry about growing them.
*/
short cipherSuite = 0;
err = matrixSslEncodeClientHello(ssl->ssl, &(ssl->outsock), cipherSuite);
if (err < 0) {
socketAssert(err < 0);
return -1;
}
/*
Send the hello with a blocking write
*/
err = _psSocketWrite(ssl->fd, &(ssl->outsock));
if (err < 0) {
fprintf(stdout, "Error in socketWrite\n");
return -1;
}
ssl->outsock.start = ssl->outsock.end = ssl->outsock.buf;
/*
Call _ssl_read to work through the handshake. Not actually expecting
data back, so the finished case is simply when the handshake is
complete.
*/
readMore:
rc = _ssl_read(ssl, buf, 1024);
/*
Reading handshake records should always return 0 bytes, we aren't
expecting any data yet.
*/
if(rc > 0 || (rc == 0 && matrixSslHandshakeIsComplete(ssl->ssl) == 0))
{
goto readMore;
}
if(rc < 0)
{
return -1;
}
return 0;
}
int sslWrite(sslConn_t *cp, char *buf, int len, int *status)
{
int rc;
*status = 0;
if (cp->outsock.buf < cp->outsock.start) {
if (cp->outsock.start == cp->outsock.end) {
cp->outsock.start = cp->outsock.end = cp->outsock.buf;
} else {
memmove(cp->outsock.buf, cp->outsock.start, cp->outsock.end - cp->outsock.start);
cp->outsock.end -= (cp->outsock.start - cp->outsock.buf);
cp->outsock.start = cp->outsock.buf;
}
}
if (cp->outBufferCount > 0 && len != cp->outBufferCount) {
socketAssert(len != cp->outBufferCount);
return -1;
}
if (cp->outBufferCount == 0) {
retryEncode:
rc = matrixSslEncode(cp->ssl, (unsigned char *)buf, len, &cp->outsock);
switch (rc) {
case SSL_ERROR:
return -1;
case SSL_FULL:
if (cp->outsock.size > SSL_MAX_BUF_SIZE) {
return -1;
}
cp->outsock.size *= 2;
cp->outsock.buf =
(unsigned char *)realloc(cp->outsock.buf, cp->outsock.size);
cp->outsock.end = cp->outsock.buf + (cp->outsock.end - cp->outsock.start);
cp->outsock.start = cp->outsock.buf;
goto retryEncode;
}
}
rc = send(cp->fd, (char *)cp->outsock.start,
(int)(cp->outsock.end - cp->outsock.start), MSG_NOSIGNAL);
if (rc == SOCKET_ERROR) {
*status = getSocketError();
return -1;
}
cp->outsock.start += rc;
if (cp->outsock.start == cp->outsock.end) {
cp->outBufferCount = 0;
return len;
}
cp->outBufferCount = len;
return 0;
}
sslConn_t *sslDoHandshake(sslConn_t *conn, short cipherSuite)
{
char buf[1024];
int bytes, status, rc;
conn->insock.size = 1024;
conn->insock.start = conn->insock.end = conn->insock.buf =
(unsigned char *)malloc(conn->insock.size);
conn->outsock.size = 1024;
conn->outsock.start = conn->outsock.end = conn->outsock.buf =
(unsigned char *)malloc(conn->outsock.size);
conn->inbuf.size = 0;
conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
bytes = matrixSslEncodeClientHello(conn->ssl, &conn->outsock, cipherSuite);
if (bytes < 0) {
fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
socketAssert(bytes < 0);
goto error;
}
if (psSocketWrite(conn->fd, &conn->outsock) < 0) {
fprintf(stdout, "Error in socketWrite\n");
goto error;
}
conn->outsock.start = conn->outsock.end = conn->outsock.buf;
readMore:
rc = sslRead(conn, buf, sizeof(buf), &status);
if (rc == 0) {
if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
goto error;
}
if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
goto readMore;
}
} else if (rc > 0) {
fprintf(stderr, "sslRead got %d data in sslDoHandshake %s\n", rc, buf);
goto readMore;
} else {
fprintf(stderr, "sslRead error in sslDoHandhake\n");
goto error;
}
return conn;
error:
fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
sslFreeConnection(&conn);
return NULL;
}
int sslAccept(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys,
int (*certValidator)(sslCertInfo_t *t, void *arg), int flags)
{
sslConn_t *conn;
unsigned char buf[1024];
int status, rc;
conn = calloc(sizeof(sslConn_t), 1);
conn->fd = fd;
if (matrixSslNewSession(&conn->ssl, keys, NULL,
SSL_FLAGS_SERVER | flags) < 0) {
sslFreeConnection(&conn);
return -1;
}
#ifdef USE_CLIENT_AUTH
matrixSslSetCertValidator(conn->ssl, certValidator, keys);
#endif /* USE_CLIENT_AUTH */
memset(&conn->inbuf, 0x0, sizeof(sslBuf_t));
conn->insock.size = 1024;
conn->insock.start = conn->insock.end = conn->insock.buf =
(unsigned char *)malloc(conn->insock.size);
conn->outsock.size = 1024;
conn->outsock.start = conn->outsock.end = conn->outsock.buf =
(unsigned char *)malloc(conn->outsock.size);
conn->inbuf.size = 0;
conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
*cpp = conn;
readMore:
rc = sslRead(conn, buf, sizeof(buf), &status);
if (rc == 0) {
if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
sslFreeConnection(&conn);
return -1;
}
if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
goto readMore;
}
} else if (rc > 0) {
socketAssert(0);
return -1;
} else {
fprintf(stderr, "sslRead error in sslAccept\n");
sslFreeConnection(&conn);
return -1;
}
*cpp = conn;
return 0;
}
/*
Example sslWrite functionality. Takes care of encoding the input buffer
and sending it out on the connection.
Return codes are as follows:
-1 return code is an error. If a socket level error, error code is
contained in status. If using a non-blocking socket
implementation the caller should check for non-fatal errors such as
WOULD_BLOCK before closing the connection. A zero value
in status indicates an error with this routine.
A positive integer return value indicates the number of bytes succesfully
written on the connection. Should always match the len parameter.
0 return code indicates the write must be called again with the same
parameters.
*/
int sslWrite(sslConn_t *cp, char *buf, int len, int *status)
{
int rc;
*status = 0;
/*
Pack the buffered socket data (if any) so that start is at zero.
*/
if (cp->outsock.buf < cp->outsock.start) {
if (cp->outsock.start == cp->outsock.end) {
cp->outsock.start = cp->outsock.end = cp->outsock.buf;
} else {
memmove(cp->outsock.buf, cp->outsock.start, cp->outsock.end - cp->outsock.start);
cp->outsock.end -= (cp->outsock.start - cp->outsock.buf);
cp->outsock.start = cp->outsock.buf;
}
}
/*
If there is buffered output data, the caller must be trying to
send the same amount of data as last time. We don't support
sending additional data until the original buffered request has
been completely sent.
*/
if (cp->outBufferCount > 0 && len != cp->outBufferCount) {
socketAssert(len != cp->outBufferCount);
return -1;
}
/*
If we don't have buffered data, encode the caller's data
*/
if (cp->outBufferCount == 0) {
retryEncode:
rc = matrixSslEncode(cp->ssl, (unsigned char *)buf, len, &cp->outsock);
switch (rc) {
case SSL_ERROR:
return -1;
case SSL_FULL:
if (cp->outsock.size > SSL_MAX_BUF_SIZE) {
return -1;
}
cp->outsock.size *= 2;
cp->outsock.buf =
(unsigned char *)realloc(cp->outsock.buf, cp->outsock.size);
cp->outsock.end = cp->outsock.buf + (cp->outsock.end - cp->outsock.start);
cp->outsock.start = cp->outsock.buf;
goto retryEncode;
}
}
/*
We've got data to send.
*/
rc = send(cp->fd, (char *)cp->outsock.start,
(int)(cp->outsock.end - cp->outsock.start), MSG_NOSIGNAL);
if (rc == SOCKET_ERROR) {
*status = getSocketError();
return -1;
}
cp->outsock.start += rc;
/*
If we wrote it all return the length, otherwise remember the number of
bytes passed in, and return 0 to be called again later.
*/
if (cp->outsock.start == cp->outsock.end) {
cp->outBufferCount = 0;
return len;
}
cp->outBufferCount = len;
return 0;
}
/*
An example socket sslRead implementation that handles the ssl handshake
transparently. Caller passes in allocated buf and length.
Return codes are as follows:
-1 return code is an error. If a socket level error, error code is
contained in status parameter. If using a non-blocking socket
implementation the caller should check for non-fatal errors such as
WOULD_BLOCK before closing the connection. A zero value
in status indicates an error with this routine.
A positive integer return code is the number of bytes successfully read
into the supplied buffer. User can call sslRead again on the updated
buffer is there is more to be read.
0 return code indicates the read was successful, but there was no data
to be returned. If status is set to zero, this is a case internal
to the sslAccept and sslConnect functions that a handshake
message has been exchanged. If status is set to SOCKET_EOF
the connection has been closed by the other side.
*/
int sslRead(sslConn_t *cp, char *buf, int len, int *status)
{
int bytes, rc, remaining;
unsigned char error, alertLevel, alertDescription, performRead;
*status = 0;
if (cp->ssl == NULL || len <= 0) {
return -1;
}
/*
If inbuf is valid, then we have previously decoded data that must be
returned, return as much as possible. Once all buffered data is
returned, free the inbuf.
*/
if (cp->inbuf.buf) {
if (cp->inbuf.start < cp->inbuf.end) {
remaining = (int)(cp->inbuf.end - cp->inbuf.start);
bytes = (int)min(len, remaining);
memcpy(buf, cp->inbuf.start, bytes);
cp->inbuf.start += bytes;
return bytes;
}
free(cp->inbuf.buf);
cp->inbuf.buf = NULL;
}
/*
Pack the buffered socket data (if any) so that start is at zero.
*/
if (cp->insock.buf < cp->insock.start) {
if (cp->insock.start == cp->insock.end) {
cp->insock.start = cp->insock.end = cp->insock.buf;
} else {
memmove(cp->insock.buf, cp->insock.start, cp->insock.end - cp->insock.start);
cp->insock.end -= (cp->insock.start - cp->insock.buf);
cp->insock.start = cp->insock.buf;
}
}
/*
Read up to as many bytes as there are remaining in the buffer. We could
Have encrypted data already cached in conn->insock, but might as well read more
if we can.
*/
performRead = 0;
readMore:
if (cp->insock.end == cp->insock.start || performRead) {
performRead = 1;
bytes = recv(cp->fd, (char *)cp->insock.end,
(int)((cp->insock.buf + cp->insock.size) - cp->insock.end), MSG_NOSIGNAL);
if (bytes == SOCKET_ERROR) {
*status = getSocketError();
return -1;
}
if (bytes == 0) {
*status = SSLSOCKET_EOF;
return 0;
}
cp->insock.end += bytes;
}
/*
Define a temporary sslBuf
*/
cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf = malloc(len);
cp->inbuf.size = len;
/*
Decode the data we just read from the socket
*/
decodeMore:
error = 0;
alertLevel = 0;
alertDescription = 0;
rc = matrixSslDecode(cp->ssl, &cp->insock, &cp->inbuf, &error, &alertLevel,
&alertDescription);
switch (rc) {
/*
Successfully decoded a record that did not return data or require a response.
*/
case SSL_SUCCESS:
return 0;
/*
Successfully decoded an application data record, and placed in tmp buf
*/
case SSL_PROCESS_DATA:
/*
Copy as much as we can from the temp buffer into the caller's buffer
and leave the remainder in conn->inbuf until the next call to read
It is possible that len > data in buffer if the encoded record
was longer than len, but the decoded record isn't!
*/
rc = (int)(cp->inbuf.end - cp->inbuf.start);
rc = min(rc, len);
memcpy(buf, cp->inbuf.start, rc);
cp->inbuf.start += rc;
return rc;
/*
We've decoded a record that requires a response into tmp
If there is no data to be flushed in the out buffer, we can write out
the contents of the tmp buffer. Otherwise, we need to append the data
to the outgoing data buffer and flush it out.
*/
case SSL_SEND_RESPONSE:
bytes = send(cp->fd, (char *)cp->inbuf.start,
(int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL);
if (bytes == SOCKET_ERROR) {
*status = getSocketError();
if (*status != WOULD_BLOCK) {
fprintf(stdout, "Socket send error: %d\n", *status);
goto readError;
}
*status = 0;
}
cp->inbuf.start += bytes;
if (cp->inbuf.start < cp->inbuf.end) {
/*
This must be a non-blocking socket since it didn't all get sent
out and there was no error. We want to finish the send here
simply because we are likely in the SSL handshake.
*/
setSocketBlock(cp->fd);
bytes = send(cp->fd, (char *)cp->inbuf.start,
(int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL);
if (bytes == SOCKET_ERROR) {
*status = getSocketError();
goto readError;
}
cp->inbuf.start += bytes;
socketAssert(cp->inbuf.start == cp->inbuf.end);
/*
Can safely set back to non-blocking because we wouldn't
have got here if this socket wasn't non-blocking to begin with.
*/
setSocketNonblock(cp->fd);
}
cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf;
return 0;
/*
There was an error decoding the data, or encoding the out buffer.
There may be a response data in the out buffer, so try to send.
We try a single hail-mary send of the data, and then close the socket.
Since we're closing on error, we don't worry too much about a clean flush.
*/
case SSL_ERROR:
fprintf(stderr, "SSL: Closing on protocol error %d\n", error);
if (cp->inbuf.start < cp->inbuf.end) {
setSocketNonblock(cp->fd);
bytes = send(cp->fd, (char *)cp->inbuf.start,
(int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL);
}
goto readError;
/*
We've decoded an alert. The level and description passed into
matrixSslDecode are filled in with the specifics.
*/
case SSL_ALERT:
if (alertDescription == SSL_ALERT_CLOSE_NOTIFY) {
*status = SSLSOCKET_CLOSE_NOTIFY;
goto readZero;
}
fprintf(stderr, "SSL: Closing on client alert %d: %d\n",
alertLevel, alertDescription);
goto readError;
/*
We have a partial record, we need to read more data off the socket.
If we have a completely full conn->insock buffer, we'll need to grow it
here so that we CAN read more data when called the next time.
*/
case SSL_PARTIAL:
if (cp->insock.start == cp->insock.buf && cp->insock.end ==
(cp->insock.buf + cp->insock.size)) {
if (cp->insock.size > SSL_MAX_BUF_SIZE) {
goto readError;
}
cp->insock.size *= 2;
cp->insock.start = cp->insock.buf =
(unsigned char *)realloc(cp->insock.buf, cp->insock.size);
cp->insock.end = cp->insock.buf + (cp->insock.size / 2);
}
if (!performRead) {
performRead = 1;
free(cp->inbuf.buf);
cp->inbuf.buf = NULL;
goto readMore;
} else {
goto readZero;
}
/*
The out buffer is too small to fit the decoded or response
data. Increase the size of the buffer and call decode again
*/
case SSL_FULL:
cp->inbuf.size *= 2;
if (cp->inbuf.buf != (unsigned char*)buf) {
free(cp->inbuf.buf);
cp->inbuf.buf = NULL;
}
cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf =
(unsigned char *)malloc(cp->inbuf.size);
goto decodeMore;
}
/*
We consolidated some of the returns here because we must ensure
that conn->inbuf is cleared if pointing at caller's buffer, otherwise
it will be freed later on.
*/
readZero:
if (cp->inbuf.buf == (unsigned char*)buf) {
cp->inbuf.buf = NULL;
}
return 0;
readError:
if (cp->inbuf.buf == (unsigned char*)buf) {
cp->inbuf.buf = NULL;
}
return -1;
}
/*
Construct the initial HELLO message to send to the server and initiate
the SSL handshake. Can be used in the re-handshake scenario as well.
*/
sslConn_t *sslDoHandshake(sslConn_t *conn, short cipherSuite)
{
char buf[1024];
int bytes, status, rc;
/*
MatrixSSL doesn't provide buffers for data internally. Define them
here to support buffered reading and writing for non-blocking sockets.
Although it causes quite a bit more work, we support dynamically growing
the buffers as needed. Alternately, we could define 16K buffers here
and not worry about growing them.
*/
conn->insock.size = 1024;
conn->insock.start = conn->insock.end = conn->insock.buf =
(unsigned char *)malloc(conn->insock.size);
conn->outsock.size = 1024;
conn->outsock.start = conn->outsock.end = conn->outsock.buf =
(unsigned char *)malloc(conn->outsock.size);
conn->inbuf.size = 0;
conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
bytes = matrixSslEncodeClientHello(conn->ssl, &conn->outsock, cipherSuite);
if (bytes < 0) {
socketAssert(bytes < 0);
goto error;
}
/*
Send the hello with a blocking write
*/
if (psSocketWrite(conn->fd, &conn->outsock) < 0) {
fprintf(stdout, "Error in socketWrite\n");
goto error;
}
conn->outsock.start = conn->outsock.end = conn->outsock.buf;
/*
Call sslRead to work through the handshake. Not actually expecting
data back, so the finished case is simply when the handshake is
complete.
*/
readMore:
rc = sslRead(conn, buf, sizeof(buf), &status);
/*
Reading handshake records should always return 0 bytes, we aren't
expecting any data yet.
*/
if (rc == 0) {
if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
goto error;
}
if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
goto readMore;
}
} else if (rc > 0) {
fprintf(stderr, "sslRead got %d data in sslDoHandshake %s\n", rc, buf);
goto readMore;
} else {
fprintf(stderr, "sslRead error in sslDoHandhake\n");
goto error;
}
return conn;
error:
sslFreeConnection(&conn);
return NULL;
}
/*
Client side. Open a socket connection to a remote ip and port.
This code is not specific to SSL.
*/
SOCKET socketConnect(char *ip, short port, int *err)
{
struct sockaddr_in addr;
SOCKET fd;
int rc;
struct hostent *hent;
char ipbuf[20];
if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "Error creating socket\n");
*err = getSocketError();
return INVALID_SOCKET;
}
/*
Make sure the socket is not inherited by exec'd processes
Set the REUSEADDR flag to minimize the number of sockets in TIME_WAIT
*/
fcntl(fd, F_SETFD, FD_CLOEXEC);
rc = 1;
// setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc));
setSocketNodelay(fd);
/*
Turn on blocking mode for the connecting socket
*/
setSocketBlock(fd);
/* //Marked by Gemtek
hent = gethostbyname(ip);
if (!hent) {
fprintf(stderr, "Error resolving host\n");
}
*/
memset((char *) &addr, 0x0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
//Gemtek added
sprintf( ipbuf ,"%s", "127.0.0.1" );
fprintf( stderr , "ip:port ==> %s:%d\n" , ipbuf , port );
//Gemtek added
if( NULL != ip && strlen( ipbuf ) >= 7 && 0!=strcmp( ipbuf , "localhost") )
{
//bcopy(hent->h_addr, &addr.sin_addr, hent->h_length);
addr.sin_addr.s_addr = inet_addr( ipbuf ) ;
}
rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
#if WIN
if (rc != 0) {
#else
if (rc < 0) {
#endif
*err = getSocketError();
return INVALID_SOCKET;
}
return fd;
}
/******************************************************************************/
/*
Server side. Accept an incomming SSL connection request.
'conn' will be filled in with information about the accepted ssl connection
return -1 on error, 0 on success, or WOULD_BLOCK for non-blocking sockets
*/
int sslAccept(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys,
int (*certValidator)(sslCertInfo_t *t, void *arg), int flags)
{
sslConn_t *conn;
unsigned char buf[1024];
int status, rc;
/*
Associate a new ssl session with this socket. The session represents
the state of the ssl protocol over this socket. Session caching is
handled automatically by this api.
*/
conn = calloc(sizeof(sslConn_t), 1);
conn->fd = fd;
if (matrixSslNewSession(&conn->ssl, keys, NULL,
SSL_FLAGS_SERVER | flags) < 0) {
sslFreeConnection(&conn);
return -1;
}
/*
MatrixSSL doesn't provide buffers for data internally. Define them
here to support buffered reading and writing for non-blocking sockets.
Although it causes quite a bit more work, we support dynamically growing
the buffers as needed. Alternately, we could define 16K buffers here
and not worry about growing them.
*/
memset(&conn->inbuf, 0x0, sizeof(sslBuf_t));
conn->insock.size = 10240;
conn->insock.start = conn->insock.end = conn->insock.buf =
(unsigned char *)malloc(conn->insock.size);
conn->outsock.size = 10240;
conn->outsock.start = conn->outsock.end = conn->outsock.buf =
(unsigned char *)malloc(conn->outsock.size);
conn->inbuf.size = 0;
conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
*cpp = conn;
readMore:
rc = sslRead(conn, buf, sizeof(buf), &status);
/*
Reading handshake records should always return 0 bytes, we aren't
expecting any data yet.
*/
if (rc == 0) {
if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
sslFreeConnection(&conn);
return -1;
}
if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
goto readMore;
}
} else if (rc > 0) {
socketAssert(0);
return -1;
} else {
fprintf(stderr, "sslRead error in sslAccept\n");
sslFreeConnection(&conn);
return -1;
}
*cpp = conn;
return 0;
}
int sslRead(sslConn_t *cp, char *buf, int len, int *status)
{
int bytes, rc, remaining;
unsigned char error, alertLevel, alertDescription, performRead;
*status = 0;
if (cp->ssl == NULL || len <= 0) {
return -1;
}
if (cp->inbuf.buf) {
if (cp->inbuf.start < cp->inbuf.end) {
remaining = (int)(cp->inbuf.end - cp->inbuf.start);
bytes = (int)min(len, remaining);
memcpy(buf, cp->inbuf.start, bytes);
cp->inbuf.start += bytes;
return bytes;
}
free(cp->inbuf.buf);
cp->inbuf.buf = NULL;
}
if (cp->insock.buf < cp->insock.start) {
if (cp->insock.start == cp->insock.end) {
cp->insock.start = cp->insock.end = cp->insock.buf;
} else {
memmove(cp->insock.buf, cp->insock.start, cp->insock.end - cp->insock.start);
cp->insock.end -= (cp->insock.start - cp->insock.buf);
cp->insock.start = cp->insock.buf;
}
}
performRead = 0;
readMore:
if (cp->insock.end == cp->insock.start || performRead) {
performRead = 1;
bytes = recv(cp->fd, (char *)cp->insock.end,
(int)((cp->insock.buf + cp->insock.size) - cp->insock.end), MSG_NOSIGNAL);
if (bytes == SOCKET_ERROR) {
*status = getSocketError();
return -1;
}
if (bytes == 0) {
*status = SSLSOCKET_EOF;
return 0;
}
cp->insock.end += bytes;
}
cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf = malloc(len);
cp->inbuf.size = len;
decodeMore:
error = 0;
alertLevel = 0;
alertDescription = 0;
rc = matrixSslDecode(cp->ssl, &cp->insock, &cp->inbuf, &error, &alertLevel,
&alertDescription);
switch (rc) {
case SSL_SUCCESS:
return 0;
case SSL_PROCESS_DATA:
rc = (int)(cp->inbuf.end - cp->inbuf.start);
rc = min(rc, len);
memcpy(buf, cp->inbuf.start, rc);
cp->inbuf.start += rc;
return rc;
case SSL_SEND_RESPONSE:
bytes = send(cp->fd, (char *)cp->inbuf.start,
(int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL);
if (bytes == SOCKET_ERROR) {
*status = getSocketError();
if (*status != WOULD_BLOCK) {
fprintf(stdout, "Socket send error: %d\n", *status);
goto readError;
}
*status = 0;
}
cp->inbuf.start += bytes;
if (cp->inbuf.start < cp->inbuf.end) {
setSocketBlock(cp->fd);
bytes = send(cp->fd, (char *)cp->inbuf.start,
(int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL);
if (bytes == SOCKET_ERROR) {
*status = getSocketError();
goto readError;
}
cp->inbuf.start += bytes;
socketAssert(cp->inbuf.start == cp->inbuf.end);
setSocketNonblock(cp->fd);
}
cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf;
return 0;
case SSL_ERROR:
fprintf(stderr, "SSL: Closing on protocol error %d\n", error);
if (cp->inbuf.start < cp->inbuf.end) {
setSocketNonblock(cp->fd);
bytes = send(cp->fd, (char *)cp->inbuf.start,
(int)(cp->inbuf.end - cp->inbuf.start), MSG_NOSIGNAL);
}
goto readError;
case SSL_ALERT:
if (alertDescription == SSL_ALERT_CLOSE_NOTIFY) {
*status = SSLSOCKET_CLOSE_NOTIFY;
goto readZero;
}
fprintf(stderr, "SSL: Closing on client alert %d: %d\n",
alertLevel, alertDescription);
goto readError;
case SSL_PARTIAL:
if (cp->insock.start == cp->insock.buf && cp->insock.end ==
(cp->insock.buf + cp->insock.size)) {
if (cp->insock.size > SSL_MAX_BUF_SIZE) {
goto readError;
}
cp->insock.size *= 2;
cp->insock.start = cp->insock.buf =
(unsigned char *)realloc(cp->insock.buf, cp->insock.size);
cp->insock.end = cp->insock.buf + (cp->insock.size / 2);
}
if (!performRead) {
performRead = 1;
free(cp->inbuf.buf);
cp->inbuf.buf = NULL;
goto readMore;
} else {
goto readZero;
}
case SSL_FULL:
cp->inbuf.size *= 2;
if (cp->inbuf.buf != (unsigned char*)buf) {
free(cp->inbuf.buf);
cp->inbuf.buf = NULL;
}
cp->inbuf.start = cp->inbuf.end = cp->inbuf.buf =
(unsigned char *)malloc(cp->inbuf.size);
goto decodeMore;
}
readZero:
if (cp->inbuf.buf == (unsigned char*)buf) {
cp->inbuf.buf = NULL;
}
return 0;
readError:
if (cp->inbuf.buf == (unsigned char*)buf) {
cp->inbuf.buf = NULL;
}
return -1;
}
int main(int argc, char **argv)
#endif
{
sslSessionId_t *sessionId;
sslConn_t *conn;
sslKeys_t *keys;
WSADATA wsaData;
SOCKET fd;
short cipherSuite;
unsigned char *ip, *c, *requestBuf;
unsigned char buf[1024];
int iterations, requests, connectAgain, status;
int quit, rc, bytes, i, j, err;
time_t t0, t1;
#if REUSE
int anonStatus;
#endif
#if VXWORKS
int argc;
char **argv;
parseCmdLineArgs(arg1, &argc, &argv);
#endif /* VXWORKS */
#if WINCE
int argc;
char **argv;
char args[256];
/*
* parseCmdLineArgs expects an ASCII string and CE is unicoded, so convert
* the command line. args will get hacked up, so you can't pass in a
* static string.
*/
WideCharToMultiByte(CP_ACP, 0, lpCmdLine, -1, args, 256, NULL, NULL);
/*
* Parse the command line into an argv array. This allocs memory, so
* we have to free argv when we're done.
*/
parseCmdLineArgs(args, &argc, &argv);
#endif /* WINCE */
conn = NULL;
/*
First (optional) argument is ip address to connect to (port is hardcoded)
Second (optional) argument is number of iterations to perform
Third (optional) argument is number of keepalive HTTP requests
Fourth (optional) argument is cipher suite number to use (0 for any)
*/
ip = HTTPS_IP;
iterations = ITERATIONS;
requests = REQUESTS;
cipherSuite = 0x0000;
if (argc > 1) {
ip = argv[1];
if (argc > 2) {
iterations = atoi(argv[2]);
socketAssert(iterations > 0);
if (argc > 3) {
requests = atoi(argv[3]);
socketAssert(requests > 0);
if (argc > 4) {
cipherSuite = (short)atoi(argv[4]);
}
}
}
}
/*
Initialize Windows sockets (no-op on other platforms)
*/
WSAStartup(MAKEWORD(1,1), &wsaData);
/*
Initialize the MatrixSSL Library, and read in the certificate file
used to validate the server.
*/
if (matrixSslOpen() < 0) {
fprintf(stderr, "matrixSslOpen failed, exiting...");
}
sessionId = NULL;
if (matrixSslReadKeys(&keys, NULL, NULL, NULL, CAfile) < 0) {
goto promptAndExit;
}
/*
Intialize loop control variables
*/
quit = 0;
connectAgain = 1;
i = 1;
/*
Just reuse the requestBuf and malloc to largest possible message size
*/
requestBuf = malloc(sizeof(requestAgain));
t0 = time(0);
/*
Main ITERATIONS loop
*/
while (!quit && (i < iterations)) {
/*
sslConnect uses port and ip address to connect to SSL server.
Generates a new session
*/
if (connectAgain) {
if ((fd = socketConnect(ip, HTTPS_PORT, &err)) == INVALID_SOCKET) {
fprintf(stdout, "Error connecting to server %s:%d\n", ip, HTTPS_PORT);
matrixSslFreeKeys(keys);
goto promptAndExit;
}
if (sslConnect(&conn, fd, keys, sessionId, cipherSuite, certChecker) < 0) {
quit = 1;
socketShutdown(fd);
fprintf(stderr, "Error connecting to %s:%d\n", ip, HTTPS_PORT);
continue;
}
i++;
connectAgain = 0;
j = 1;
}
if (conn == NULL) {
quit++;
continue;
}
/*
Copy the HTTP request header into the buffer, based of whether or
not we want httpReflector to keep the socket open or not
*/
if (j == requests) {
bytes = (int)strlen(request);
memcpy(requestBuf, request, bytes);
} else {
bytes = (int)strlen(requestAgain);
memcpy(requestBuf, requestAgain, bytes);
}
/*
Send request.
< 0 return indicates an error.
0 return indicates not all data was sent and we must retry
> 0 indicates that all requested bytes were sent
*/
writeMore:
rc = sslWrite(conn, requestBuf, bytes, &status);
if (rc < 0) {
fprintf(stdout, "Internal sslWrite error\n");
socketShutdown(conn->fd);
sslFreeConnection(&conn);
continue;
} else if (rc == 0) {
goto writeMore;
}
/*
Read response
< 0 return indicates an error.
0 return indicates an EOF or CLOSE_NOTIFY in this situation
> 0 indicates that some bytes were read. Keep reading until we see
the /r/n/r/n from the response header. There may be data following
this header, but we don't try too hard to read it for this example.
*/
c = buf;
readMore:
if ((rc = sslRead(conn, c, sizeof(buf) - (int)(c - buf), &status)) > 0) {
c += rc;
if (c - buf < 4 || memcmp(c - 4, "\r\n\r\n", 4) != 0) {
goto readMore;
}
} else {
if (rc < 0) {
fprintf(stdout, "sslRead error. dropping connection.\n");
}
if (rc < 0 || status == SSLSOCKET_EOF ||
status == SSLSOCKET_CLOSE_NOTIFY) {
socketShutdown(conn->fd);
sslFreeConnection(&conn);
continue;
}
goto readMore;
}
/*
Determine if we want to do a pipelined HTTP request/response
*/
if (j++ < requests) {
fprintf(stdout, "R");
continue;
} else {
fprintf(stdout, "C");
}
/*
Reuse the session. Comment out these two lines to test the entire
public key renegotiation each iteration
*/
#if REUSE
matrixSslFreeSessionId(sessionId);
matrixSslGetSessionId(conn->ssl, &sessionId);
/*
This example shows how a user might want to limit a client to
resuming handshakes only with authenticated servers. In this
example, the client will force any non-authenticated (anonymous)
server to go through a complete handshake each time. This is
strictly an example of one policy decision an implementation
might wish to make.
*/
matrixSslGetAnonStatus(conn->ssl, &anonStatus);
if (anonStatus) {
matrixSslFreeSessionId(sessionId);
sessionId = NULL;
}
#endif
/*
Send a closure alert for clean shutdown of remote SSL connection
This is for good form, some implementations just close the socket
*/
sslWriteClosureAlert(conn);
/*
Session done. Connect again if more iterations remaining
*/
socketShutdown(conn->fd);
sslFreeConnection(&conn);
connectAgain = 1;
}
t1 = time(0);
free(requestBuf);
matrixSslFreeSessionId(sessionId);
if (conn && conn->ssl) {
socketShutdown(conn->fd);
sslFreeConnection(&conn);
}
fprintf(stdout, "\n%d connections in %d seconds (%f c/s)\n",
i, (int)(t1 - t0), (double)i / (t1 - t0));
fprintf(stdout, "\n%d requests in %d seconds (%f r/s)\n",
i * requests, (int)(t1 - t0),
(double)(i * requests) / (t1 - t0));
/*
Close listening socket, free remaining items
*/
matrixSslFreeKeys(keys);
matrixSslClose();
WSACleanup();
promptAndExit:
fprintf(stdout, "Press return to exit...\n");
getchar();
#if WINCE || VXWORKS
if (argv) {
free((void*) argv);
}
#endif /* WINCE */
return 0;
}
