int
https_connect(struct url *url, struct url *proxy)
{
static struct tls_config *tls_config = NULL;
int s;
/* One time initialization */
if (tls_config == NULL)
tls_config = https_init();
if ((ctx = tls_client()) == NULL) {
warnx("failed to create tls client");
return -1;
}
if (tls_configure(ctx, tls_config) != 0) {
warnx("%s: %s", __func__, tls_error(ctx));
return -1;
}
if (url->port[0] == '\0')
(void)strlcpy(url->port, "443", sizeof(url->port));
if ((s = http_connect(url, proxy)) == -1)
return -1;
if (tls_connect_socket(ctx, s, url->host) != 0) {
warnx("%s: %s", __func__, tls_error(ctx));
return -1;
}
return s;
}
int main(int argc, char *argv[]) {
tcp_ctx *tcp;
tls_ctx *ctx;
char *host, *port;
if (argc != 3) {
printf("\nusage: tlscmd <host> <port>\n");
return 0;
}
host = argv[1];
port = argv[2];
printf (" [ connecting to %s:%i...\n", host, atoi(port));
tcp = tcp_new_ctx(AF_INET, host, port);
if (tcp!=NULL) {
printf (" [ host resolved to %s.\n", tcp_addr2ip(tcp));
ctx = tls_new_ctx();
if (ctx!=NULL) {
printf (" [ TLS client initialized.\n");
tls_client(tcp, ctx);
tls_free_ctx(ctx);
}
tcp_free_ctx(tcp);
}
return 0;
}
void
connection_init_tls()
{
tls_init();
CurrentConnectionState.TlsConfiguration = tls_config_new();
CurrentConnectionState.ServerContext = tls_server();
CurrentConnectionState.ClientContext = tls_client();
tls_config_set_key_file(CurrentConnectionState.TlsConfiguration,
CurrentConnectionState.PrivateKey);
tls_config_set_cert_file(CurrentConnectionState.TlsConfiguration,
CurrentConnectionState.CertificateFile);
tls_config_insecure_noverifycert(CurrentConnectionState.TlsConfiguration);
if(tls_configure(CurrentConnectionState.ServerContext,
CurrentConnectionState.TlsConfiguration) != 0)
{
printf("%s\n", tls_error(CurrentConnectionState.ServerContext));
}
if(tls_configure(CurrentConnectionState.ClientContext,
CurrentConnectionState.TlsConfiguration) != 0)
{
printf("%s\n", tls_error(CurrentConnectionState.ClientContext));
}
}
int main(int argc, char *argv[])
{
struct tls_config *conf;
struct tls *ctx;
struct tls_cert_info *cert;
int res;
const char *host;
if (argc < 2)
errx(1, "give host as arg\n");
host = argv[1];
res = tls_init();
if (res < 0)
errx(1, "tls_init");
conf = tls_config_new();
if (!conf)
errx(1, "tls_config_new");
tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
tls_config_set_ciphers(conf, "fast");
ctx = tls_client();
if (!ctx)
errx(1, "tls_client");
res = tls_configure(ctx, conf);
if (res < 0)
errx(1, "tls_configure: %s", tls_error(ctx));
res = tls_connect(ctx, host, "443");
if (res < 0)
errx(1, "tls_connect: %s", tls_error(ctx));
printf("connect ok\n");
res = tls_get_peer_cert(ctx, &cert);
if (res < 0)
errx(1, "tls_get_peer_cert: %s", tls_error(ctx));
tls_close(ctx);
tls_free(ctx);
tls_config_free(conf);
printf(" CN='%s'\n", cert->subject.common_name);
printf(" C='%s'\n", cert->subject.country_name);
printf(" ST='%s'\n", cert->subject.state_or_province_name);
printf(" L='%s'\n", cert->subject.locality_name);
printf(" S='%s'\n", cert->subject.street_address);
printf(" O='%s'\n", cert->subject.organization_name);
printf(" OU='%s'\n", cert->subject.organizational_unit_name);
tls_cert_free(cert);
return 0;
}
static const char *run_time(const char *val)
{
#ifdef USUAL_LIBSSL_FOR_TLS
ASN1_TIME tmp;
time_t t = 0;
static char buf[128];
struct tm *tm, tmbuf;
struct tls *ctx;
int err;
memset(&tmp, 0, sizeof tmp);
memset(&tmbuf, 0, sizeof tmbuf);
tmp.data = (unsigned char*)val+2;
tmp.length = strlen(val+2);
if (val[0] == 'G' && val[1] == ':') {
tmp.type = V_ASN1_GENERALIZEDTIME;
} else if (val[0] == 'U' && val[1] == ':') {
tmp.type = V_ASN1_UTCTIME;
} else {
tmp.type = val[0];
}
ctx = tls_client();
if (!ctx)
return "NOMEM";
err = tls_asn1_parse_time(ctx, &tmp, &t);
if (err) {
strlcpy(buf, tls_error(ctx), sizeof buf);
tls_free(ctx);
return buf;
}
tls_free(ctx);
tm = gmtime_r(&t, &tmbuf);
if (!tm)
return "E-GMTIME";
strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S GMT", tm);
return buf;
#else
return "no-asn1";
#endif
}
int main(int argc, char *argv[])
{
struct tls_config *conf;
struct tls *ctx, *ocsp;
struct tls_cert *cert;
int res;
const char *host;
char buf[256];
if (argc < 2)
errx(1, "give host as arg\n");
host = argv[1];
#ifdef USUAL_LIBSSL_FOR_TLS
printf("libssl: %s\n", SSLeay_version(SSLEAY_VERSION));
#endif
res = tls_init();
if (res < 0)
errx(1, "tls_init");
conf = tls_config_new();
if (!conf)
errx(1, "tls_config_new");
tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
tls_config_set_ciphers(conf, "fast");
ctx = tls_client();
if (!ctx)
errx(1, "tls_client");
res = tls_configure(ctx, conf);
if (res < 0)
errx(1, "tls_configure: %s", tls_error(ctx));
res = tls_connect(ctx, host, "443");
if (res < 0)
errx(1, "tls_connect: %s", tls_error(ctx));
res = tls_handshake(ctx);
if (res < 0)
errx(1, "tls_handshake: %s", tls_error(ctx));
res = tls_get_peer_cert(ctx, &cert, NULL);
if (res < 0)
errx(1, "tls_get_peer_cert: %s", tls_error(ctx));
tls_get_connection_info(ctx, buf, sizeof buf);
printf("Connection: '%s'\n", buf);
printf(" CN='%s'\n", cert->subject.common_name);
printf(" C='%s'\n", cert->subject.country_name);
printf(" ST='%s'\n", cert->subject.state_or_province_name);
printf(" L='%s'\n", cert->subject.locality_name);
printf(" S='%s'\n", cert->subject.street_address);
printf(" O='%s'\n", cert->subject.organization_name);
printf(" OU='%s'\n", cert->subject.organizational_unit_name);
show_ocsp_info("OCSP stapling", ctx);
ocsp = NULL;
res = tls_ocsp_check_peer(&ocsp, NULL, ctx);
if (ocsp) {
show_ocsp_info("OCSP responder", ocsp);
tls_free(ocsp);
} else if (res == TLS_NO_OCSP) {
printf("OCSP responder: No OCSP support in libtls\n");
}
if (0) test_context(ctx);
tls_close(ctx);
tls_free(ctx);
tls_config_free(conf);
tls_cert_free(cert);
return 0;
}
int
main(int argc, char *argv[], char *envp[])
{
struct tls *tls = NULL;
int ch;
environ = envp;
/* pipes to communicate with the front end */
int in = -1;
int out = -1;
bool no_name_verification = false;
bool no_cert_verification = false;
bool no_time_verification = false;
char *host = getenv("TCPREMOTEHOST");
struct tls_config *tls_config;
if (getenv("TLSC_NO_VERIFICATION") != NULL) {
no_name_verification = true;
no_cert_verification = true;
no_time_verification = true;
}
if (getenv("TLSC_NO_HOST_VERIFICATION") != NULL)
no_name_verification = true;
if (getenv("TLSC_NO_CERT_VERIFICATION") != NULL)
no_cert_verification = true;
if (getenv("TLSC_NO_TIME_VERIFICATION") != NULL)
no_time_verification = true;
if ((tls_config = tls_config_new()) == NULL)
err(EXIT_FAILURE, "tls_config_new");
char *str = NULL;
if ((str = getenv("TLSC_CERT_FILE")) != NULL)
if (tls_config_set_cert_file(tls_config, str) == -1)
err(EXIT_FAILURE, "tls_config_set_cert_file");
if ((str = getenv("TLSC_KEY_FILE")) != NULL)
if (tls_config_set_key_file(tls_config, str) == -1)
err(EXIT_FAILURE, "tls_config_set_key_file");
if ((str = getenv("TLSC_CA_FILE")) != NULL)
if (tls_config_set_ca_file(tls_config, str) == -1)
err(EXIT_FAILURE, "tls_config_set_ca_file");
if ((str = getenv("TLSC_CA_PATH")) != NULL)
if (tls_config_set_ca_path(tls_config, str) == -1)
err(EXIT_FAILURE, "tls_config_set_ca_path");
while ((ch = getopt(argc, argv, "c:k:f:p:n:HCTVh")) != -1) {
switch (ch) {
case 'c':
if (tls_config_set_cert_file(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_cert_file");
break;
case 'k':
if (tls_config_set_key_file(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_key_file");
break;
case 'f':
if (tls_config_set_ca_file(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_ca_file");
break;
case 'p':
if (tls_config_set_ca_path(tls_config, optarg) == -1)
err(EXIT_FAILURE, "tls_config_set_ca_path");
break;
case 'n':
if ((host = strdup(optarg)) == NULL) goto err;
break;
case 'H':
no_name_verification = true;
break;
case 'C':
no_cert_verification = true;
break;
case 'T':
no_time_verification = true;
break;
case 'V':
no_name_verification = true;
no_cert_verification = true;
no_time_verification = true;
break;
case 'h':
default:
usage();
/* NOTREACHED */
}
}
argc -= optind;
argv += optind;
if (argc < 1)
usage();
/* verification settings */
if (no_cert_verification)
tls_config_insecure_noverifycert(tls_config);
if (no_name_verification)
tls_config_insecure_noverifyname(tls_config);
if (no_time_verification)
tls_config_insecure_noverifytime(tls_config);
/* libtls setup */
if (tls_init() != 0)
err(EXIT_FAILURE, "tls_init");
if ((tls = tls_client()) == NULL)
err(EXIT_FAILURE, "tls_client");
if (tls_configure(tls, tls_config) != 0)
err(EXIT_FAILURE, "tls_configure");
if (tls_connect_fds(tls, READ_FD, WRITE_FD, host) == -1)
goto err;
if (tls_handshake(tls) == -1)
goto err;
/* overide PROTO to signal the application layer that the communication
* channel is save. */
if (setenv("PROTO", "SSL", 1) == -1)
err(EXIT_FAILURE, "setenv");
/* fork front end program */
char *prog = argv[0];
# define PIPE_READ 0
# define PIPE_WRITE 1
int pi[2]; /* input pipe */
int po[2]; /* output pipe */
if (pipe(pi) == -1) err(EXIT_FAILURE, "pipe");
if (pipe(po) == -1) err(EXIT_FAILURE, "pipe");
switch (fork()) {
case -1:
err(EXIT_FAILURE, "fork");
case 0: /* client program */
/* close non-using ends of pipes */
if (close(pi[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
if (close(po[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");
/*
* We have to move one descriptor cause po[] may
* overlaps with descriptor 6 and 7.
*/
int po_read = 0;
if ((po_read = dup(po[PIPE_READ])) == -1)
err(EXIT_FAILURE, "dup");
if (close(po[PIPE_READ]) < 0) err(EXIT_FAILURE, "close");
if (dup2(pi[PIPE_WRITE], WRITE_FD) < 0)
err(EXIT_FAILURE, "dup2");
if (dup2(po_read, READ_FD) < 0) err(EXIT_FAILURE, "dup2");
if (close(pi[PIPE_WRITE]) < 0) err(EXIT_FAILURE, "close");
if (close(po_read) < 0) err(EXIT_FAILURE, "close");
execvpe(prog, argv, environ);
err(EXIT_FAILURE, "execvpe");
default: break; /* parent */
}
/* close non-using ends of pipes */
if (close(pi[PIPE_WRITE]) == -1) err(EXIT_FAILURE, "close");
if (close(po[PIPE_READ]) == -1) err(EXIT_FAILURE, "close");
in = pi[PIPE_READ];
out = po[PIPE_WRITE];
/* communication loop */
for (;;) {
int ret;
char buf[BUFSIZ];
ssize_t sn = 0;
fd_set readfds;
FD_ZERO(&readfds);
FD_SET(in, &readfds);
FD_SET(READ_FD, &readfds);
int max_fd = MAX(in, READ_FD);
ret = select(max_fd+1, &readfds, NULL, NULL, NULL);
if (ret == -1)
err(EXIT_FAILURE, "select");
if (FD_ISSET(READ_FD, &readfds)) {
do {
again:
sn = tls_read(tls, buf, sizeof buf);
if (sn == TLS_WANT_POLLIN ||
sn == TLS_WANT_POLLOUT)
goto again;
if (sn == -1)
goto err;
if (sn == 0)
return EXIT_SUCCESS;
if (write(out, buf, sn) == -1)
err(EXIT_FAILURE, "write()");
} while (sn == sizeof buf);
} else if (FD_ISSET(in, &readfds)) {
if ((sn = read(in, buf, sizeof buf)) == -1)
err(EXIT_FAILURE, "read()");
if (sn == 0)
goto out;
if ((sn = tls_write(tls, buf, sn)) == -1)
goto out;
}
}
out:
tls_close(tls);
return EXIT_SUCCESS;
err:
errx(EXIT_FAILURE, "tls_error: %s", tls_error(tls));
}
int main(int argc, char *argv[])
{
struct tls_config *conf;
struct tls *ctx;
int res;
const char *host;
if (argc < 2)
errx(1, "give host as arg\n");
host = argv[1];
res = tls_init();
if (res < 0)
errx(1, "tls_init");
conf = tls_config_new();
if (!conf)
errx(1, "tls_config_new");
tls_config_set_protocols(conf, TLS_PROTOCOLS_ALL);
tls_config_set_ciphers(conf, "HIGH:+3DES:!aNULL");
tls_config_set_ca_file(conf, "/etc/ssl/certs/ca-certificates.crt");
ctx = tls_client();
if (!ctx)
errx(1, "tls_client");
res = tls_configure(ctx, conf);
if (res < 0)
errx(1, "tls_configure: %s", tls_error(ctx));
res = tls_connect(ctx, host, "443");
if (res < 0)
errx(1, "tls_connect: %s", tls_error(ctx));
res = tls_handshake(ctx);
if (res < 0)
errx(1, "tls_handshake: %s", tls_error(ctx));
printf("connect ok\n");
#if 0
struct tls_cert *cert;
//res = tls_get_peer_cert(ctx, &cert, NULL);
//if (res < 0)
//errx(1, "tls_get_peer_cert: %s", tls_error(ctx));
printf(" CN='%s'\n", cert->subject.common_name);
printf(" C='%s'\n", cert->subject.country_name);
printf(" ST='%s'\n", cert->subject.state_or_province_name);
printf(" L='%s'\n", cert->subject.locality_name);
printf(" S='%s'\n", cert->subject.street_address);
printf(" O='%s'\n", cert->subject.organization_name);
printf(" OU='%s'\n", cert->subject.organizational_unit_name);
tls_cert_free(cert);
#endif
tls_close(ctx);
tls_free(ctx);
tls_config_free(conf);
return 0;
}
static const char *create_worker(struct Worker **w_p, bool is_server, ...)
{
va_list ap;
const char *k, *v;
int klen;
struct Worker *w;
int err;
const char *mem = NULL;
void *fdata;
size_t flen;
const char *errmsg = NULL;
*w_p = NULL;
w = calloc(1, sizeof *w);
if (!w)
return "calloc";
w->wstate = HANDSHAKE;
w->is_server = is_server;
w->config = tls_config_new();
if (!w->config)
return "tls_config_new failed";
if (is_server) {
w->base = tls_server();
if (!w->base)
return "tls_server failed";
} else {
w->ctx = tls_client();
if (!w->ctx)
return "tls_client failed";
}
va_start(ap, is_server);
while (1) {
k = va_arg(ap, char *);
if (!k)
break;
v = strchr(k, '=');
if (!v) {
errmsg = k;
break;
}
v++;
klen = v - k;
err = 0;
if (!strncmp(k, "mem=", klen)) {
mem = v;
} else if (!strncmp(k, "ca=", klen)) {
if (mem) {
fdata = load_file(v, &flen);
if (!fdata) {
errmsg = strerror(errno);
break;
}
err = tls_config_set_ca_mem(w->config, fdata, flen);
free(fdata);
} else {
err = tls_config_set_ca_file(w->config, v);
}
} else if (!strncmp(k, "cert=", klen)) {
if (mem) {
fdata = load_file(v, &flen);
if (!fdata) {
errmsg = strerror(errno);
break;
}
err = tls_config_set_cert_mem(w->config, fdata, flen);
free(fdata);
} else {
err = tls_config_set_cert_file(w->config, v);
}
} else if (!strncmp(k, "key=", klen)) {
if (mem) {
fdata = load_file(v, &flen);
if (!fdata) {
errmsg = strerror(errno);
break;
}
err = tls_config_set_key_mem(w->config, fdata, flen);
free(fdata);
} else {
err = tls_config_set_key_file(w->config, v);
}
} else if (!strncmp(k, "show=", klen)) {
w->show = v;
} else if (!strncmp(k, "ciphers=", klen)) {
err = tls_config_set_ciphers(w->config, v);
} else if (!strncmp(k, "host=", klen)) {
w->hostname = v;
} else if (!strncmp(k, "noverifycert=", klen)) {
tls_config_insecure_noverifycert(w->config);
} else if (!strncmp(k, "noverifyname=", klen)) {
tls_config_insecure_noverifyname(w->config);
} else if (!strncmp(k, "verify=", klen)) {
tls_config_verify(w->config);
} else if (!strncmp(k, "dheparams=", klen)) {
err = tls_config_set_dheparams(w->config, v);
} else if (!strncmp(k, "ecdhecurve=", klen)) {
err = tls_config_set_ecdhecurve(w->config, v);
} else if (!strncmp(k, "protocols=", klen)) {
uint32_t protos;
err = tls_config_parse_protocols(&protos, v);
tls_config_set_protocols(w->config, protos);
} else if (!strncmp(k, "peer-sha1=", klen)) {
w->peer_fingerprint_sha1 = v;
} else if (!strncmp(k, "peer-sha256=", klen)) {
w->peer_fingerprint_sha256 = v;
} else if (!strncmp(k, "verify-client=", klen)) {
tls_config_verify_client(w->config);
} else if (!strncmp(k, "verify-client-optional=", klen)) {
tls_config_verify_client_optional(w->config);
} else if (!strncmp(k, "aggressive-close=", klen)) {
w->aggressive_close = 1;
} else {
errmsg = k;
break;
}
if (err < 0) {
errmsg = k;
break;
}
}
va_end(ap);
if (errmsg)
return errmsg;
if (is_server) {
if (tls_configure(w->base, w->config) < 0)
return tls_error(w->base);
} else {
if (tls_configure(w->ctx, w->config) < 0)
return tls_error(w->ctx);
}
*w_p = w;
return "OK";
}
