int encrypt_connect_server()
{
//return -1;
/* SSL initialization*/
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
ctx = SSL_CTX_new(TLSv1_client_method());
if (ctx == NULL)
{
ERR_print_errors_fp(stdout);
exit(1);
}
/* creat a new SSL based on ctx */
ssl = SSL_new(ctx);
// connect ssl to TCP SOCKET
SSL_set_fd(ssl, sockfd);
/* create ssl connection */
if (SSL_connect(ssl) == -1 || strcmp("(NONE)",SSL_get_cipher(ssl)) == 0)
{
ERR_print_errors_fp(stderr);
return -1;
}
DEBUG_printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
ShowCerts(ssl);
return 1;
}
datum_t
ssl_cipher(PG_FUNC_ARGS)
{
if (proc_port->ssl == NULL)
RET_NULL();
RET_TEXT_P(cstring_to_text(SSL_get_cipher(proc_port->ssl)));
}
bool SSLSocket::waitAccepted(uint64_t millis) {
if(!ssl) {
if(!Socket::waitAccepted(millis)) {
return false;
}
ssl.reset(SSL_new(ctx));
if(!ssl)
checkSSL(-1);
checkSSL(SSL_set_fd(ssl, sock));
}
if(SSL_is_init_finished(ssl)) {
return true;
}
while(true) {
int ret = SSL_accept(ssl);
if(ret == 1) {
dcdebug("Connected to SSL client using %s\n", SSL_get_cipher(ssl));
#ifndef HEADER_OPENSSLV_H
finished = true;
#endif
return true;
}
if(!waitWant(ret, millis)) {
return false;
}
}
}
bool SSLSocket::waitConnected(uint64_t millis) {
if(!ssl) {
if(!Socket::waitConnected(millis)) {
return false;
}
ssl.reset(SSL_new(ctx));
if(!ssl)
checkSSL(-1);
checkSSL(SSL_set_fd(ssl, sock));
}
if(SSL_is_init_finished(ssl)) {
return true;
}
while(true) {
// OpenSSL needs server handshake for NAT traversal
int ret = ssl->server ? SSL_accept(ssl) : SSL_connect(ssl);
if(ret == 1) {
dcdebug("Connected to SSL server using %s as %s\n", SSL_get_cipher(ssl), ssl->server?"server":"client");
#ifndef HEADER_OPENSSLV_H
finished = true;
#endif
return true;
}
if(!waitWant(ret, millis)) {
return false;
}
}
}
std::string TLSSocket::Cipher() const
{
if (!session) return "NONE";
const char* cipher = SSL_get_cipher(session);
if (!cipher) return "NONE";
return cipher;
}
bool SSLSocket::waitAccepted(uint64_t millis) {
if(!ssl) {
if(!Socket::waitAccepted(millis)) {
return false;
}
ssl.reset(SSL_new(ctx));
if(!ssl)
checkSSL(-1);
if(!verifyData) {
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
} else SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get());
checkSSL(SSL_set_fd(ssl, static_cast<int>(getSock())));
}
if(SSL_is_init_finished(ssl)) {
return true;
}
while(true) {
int ret = SSL_accept(ssl);
if(ret == 1) {
dcdebug("Connected to SSL client using %s\n", SSL_get_cipher(ssl));
return true;
}
if(!waitWant(ret, millis)) {
return false;
}
}
}
int kn_sock_sslconnect(//engine_t e,
handle_t h,
kn_sockaddr *remote,
kn_sockaddr *local){
if(h->type != KN_SOCKET && ((kn_socket*)h)->type != SOCK_STREAM)
return 0;
kn_socket *s = (kn_socket*)h;
if(h->status != SOCKET_NONE) return -1;
//if(s->e) return -1;
SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
ERR_print_errors_fp(stdout);
return -1;
}
((kn_stream_socket*)s)->ctx = ctx;
s->addr_remote = *remote;
int ret = stream_socket_connect((kn_stream_socket*)s,local,remote);
if(ret == 1){
((kn_stream_socket*)s)->ssl = SSL_new(ctx);
SSL_set_fd(((kn_stream_socket*)s)->ssl,h->fd);
if (SSL_connect(((kn_stream_socket*)s)->ssl) == -1){
ERR_print_errors_fp(stderr);
ret = -1;
}
else {
kn_set_noblock(h->fd,0);
h->status = SOCKET_ESTABLISH;
printf("Connected with %s encryption/n", SSL_get_cipher(((kn_stream_socket*)s)->ssl));
ShowCerts(((kn_stream_socket*)s)->ssl);
}
}else{
ret = -1;
}
return ret;
}
int
openhost(char *host, int port)
{
struct hostent *hp;
register int s;
struct sockaddr_in sin;
int err;
X509 *server_cert;
char *str;
if ((hp = gethostbyname(host)) == NULL) {
printf("ERR: gethostbyname\n");
return (-1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return (-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
bcopy(hp->h_addr, &sin.sin_addr, hp->h_length);
alarm(30);
if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) < 0)
return (-1);
alarm(0);
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
/* ctx = SSL_CTX_new (SSLv23_method()); CHK_NULL(ctx);
*/
ctx = SSL_CTX_new(SSLv2_method());
CHK_NULL(ctx);
ssl = SSL_new(ctx);
CHK_NULL(ssl);
SSL_set_fd(ssl, s);
err = SSL_connect(ssl);
CHK_SSL(err);
printf("SSL connection using %s\n", SSL_get_cipher(ssl));
server_cert = SSL_get_peer_certificate(ssl);
CHK_NULL(server_cert);
printf("Server certificate:\n");
str = X509_NAME_oneline(X509_get_subject_name(server_cert), NULL, 0);
CHK_NULL(str);
printf("\t subject: %s\n", str);
Free(str);
str = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0);
CHK_NULL(str);
printf("\t issuer: %s\n", str);
Free(str);
X509_free(server_cert);
return (s);
}
int
tls_get_conninfo(struct tls *ctx) {
const char * tmp;
tls_free_conninfo(ctx->conninfo);
if (ctx->ssl_peer_cert != NULL) {
if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
goto err;
if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)
== -1)
goto err;
if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
goto err;
if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
&ctx->conninfo->notafter) == -1)
goto err;
}
if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
goto err;
ctx->conninfo->version = strdup(tmp);
if (ctx->conninfo->version == NULL)
goto err;
if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL)
goto err;
ctx->conninfo->cipher = strdup(tmp);
if (ctx->conninfo->cipher == NULL)
goto err;
return (0);
err:
tls_free_conninfo(ctx->conninfo);
return (-1);
}
/*
* printSSLInfo
*
* Prints information about the current SSL connection, if SSL is in use
*/
static void
printSSLInfo(void)
{
#ifdef USE_SSL
int sslbits = -1;
SSL *ssl;
ssl = PQgetssl(pset.db);
if (!ssl)
return; /* no SSL */
SSL_get_cipher_bits(ssl, &sslbits);
printf(_("SSL connection (cipher: %s, bits: %i)\n"),
SSL_get_cipher(ssl), sslbits);
#else
/*
* If psql is compiled without SSL but is using a libpq with SSL, we
* cannot figure out the specifics about the connection. But we know it's
* SSL secured.
*/
if (PQgetssl(pset.db))
printf(_("SSL connection (unknown cipher)\n"));
#endif
}
bool SSLSocket::waitAccepted(uint32_t millis) {
if(!ssl) {
if(!Socket::waitAccepted(millis)) {
return false;
}
ssl.reset(SSL_new(ctx));
if(!ssl)
checkSSL(-1);
checkSSL(SSL_set_fd(ssl, getSock()));
}
if(SSL_is_init_finished(ssl)) {
return true;
}
while(true) {
int ret = SSL_accept(ssl);
if(ret == 1) {
dcdebug("Connected to SSL client using %s\n", SSL_get_cipher(ssl));
return true;
}
if(!waitWant(ret, millis)) {
return false;
}
}
}
/*---------------------------------------------------------------------*/
bool MakeSSLRequest(const char* hostname, int port,
ClientFunction client_func, void* client_data)
{
// Set up context
SSL_CTX* ctx = InitCTX();
CHECK_CALL(ctx);
// Connect to server
int server = OpenConnection(hostname, port);
if(server < 0) return false;
CHECK_CALL(server);
SSL* ssl = SSL_new(ctx);
SSL_set_fd(ssl, server);
// Do handshake
if ( SSL_connect(ssl) == FAIL ) {
ERR_print_errors_fp(stderr);
return false;
}
client_func(ssl, client_data);
fprintf(stderr, "Connected with %s encryption\n", SSL_get_cipher(ssl));
SSL_free(ssl);
close(server);
SSL_CTX_free(ctx);
ERR_free_strings();
EVP_cleanup();
return true;
}
Datum
ssl_cipher(PG_FUNCTION_ARGS)
{
if (MyProcPort->ssl == NULL)
PG_RETURN_NULL();
PG_RETURN_TEXT_P(cstring_to_text(SSL_get_cipher(MyProcPort->ssl)));
}
static int ssl_connect(int sd)
{
char buf[256];
X509 *cert;
SSL_set_fd(ssl, sd);
if (-1 == SSL_connect(ssl))
return -1;
DBG("SSL connection using %s", SSL_get_cipher(ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
cert = SSL_get_peer_certificate(ssl);
if (!cert)
return -1;
/* Logging some cert details. Please note: X509_NAME_oneline doesn't
work when giving NULL instead of a buffer. */
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
DBG("SSL server cert subject: %s", buf);
X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
DBG("SSL server cert issuer: %s", buf);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free(cert);
return 0;
}
THREAD_RETURN YASSL_API server_test(void* args)
{
#ifdef _WIN32
WSADATA wsd;
WSAStartup(0x0002, &wsd);
#endif
SOCKET_T sockfd = 0;
SOCKET_T clientfd = 0;
int argc = 0;
char** argv = 0;
set_args(argc, argv, *static_cast<func_args*>(args));
tcp_accept(sockfd, clientfd, *static_cast<func_args*>(args));
tcp_close(sockfd);
SSL_METHOD* method = TLSv1_server_method();
SSL_CTX* ctx = SSL_CTX_new(method);
//SSL_CTX_set_cipher_list(ctx, "RC4-SHA:RC4-MD5");
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
set_serverCerts(ctx);
DH* dh = set_tmpDH(ctx);
SSL* ssl = SSL_new(ctx);
SSL_set_fd(ssl, clientfd);
#ifdef NON_BLOCKING
NonBlockingSSL_Accept(ssl, ctx, clientfd);
#else
if (SSL_accept(ssl) != SSL_SUCCESS)
ServerError(ctx, ssl, clientfd, "SSL_accept failed");
#endif
showPeer(ssl);
printf("Using Cipher Suite: %s\n", SSL_get_cipher(ssl));
char command[1024];
int input = SSL_read(ssl, command, sizeof(command));
if (input > 0) {
command[input] = 0;
printf("First client command: %s\n", command);
}
char msg[] = "I hear you, fa shizzle!";
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
ServerError(ctx, ssl, clientfd, "SSL_write failed");
DH_free(dh);
SSL_CTX_free(ctx);
SSL_shutdown(ssl);
SSL_free(ssl);
tcp_close(clientfd);
((func_args*)args)->return_code = 0;
return 0;
}
void
be_tls_get_cipher(Port *port, char *ptr, size_t len)
{
if (port->ssl)
strlcpy(ptr, SSL_get_cipher(port->ssl), len);
else
ptr[0] = '\0';
}
const char *
be_tls_get_cipher(Port *port)
{
if (port->ssl)
return SSL_get_cipher(port->ssl);
else
return NULL;
}
int ssl_open(http_t *client, char *msg)
{
char buf[256];
const char *sn;
X509 *cert;
if (!client->ssl_enabled)
return tcp_init(&client->tcp, msg);
tcp_set_port(&client->tcp, HTTPS_DEFAULT_PORT);
DO(tcp_init(&client->tcp, msg));
logit(LOG_INFO, "%s, initiating HTTPS ...", msg);
client->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!client->ssl_ctx)
return RC_HTTPS_OUT_OF_MEMORY;
/* POODLE, only allow TLSv1.x or later */
SSL_CTX_set_options(client->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_verify(client->ssl_ctx, SSL_VERIFY_PEER, verify_callback);
SSL_CTX_set_verify_depth(client->ssl_ctx, 150);
/* Try to figure out location of trusted CA certs on system */
if (ssl_set_ca_location(client))
return RC_HTTPS_NO_TRUSTED_CA_STORE;
client->ssl = SSL_new(client->ssl_ctx);
if (!client->ssl)
return RC_HTTPS_OUT_OF_MEMORY;
/* SSL SNI support: tell the servername we want to speak to */
http_get_remote_name(client, &sn);
if (!SSL_set_tlsext_host_name(client->ssl, sn))
return RC_HTTPS_SNI_ERROR;
SSL_set_fd(client->ssl, client->tcp.ip.socket);
if (-1 == SSL_connect(client->ssl))
return RC_HTTPS_FAILED_CONNECT;
logit(LOG_INFO, "SSL connection using %s", SSL_get_cipher(client->ssl));
cert = SSL_get_peer_certificate(client->ssl);
if (!cert)
return RC_HTTPS_FAILED_GETTING_CERT;
if (SSL_get_verify_result(client->ssl) == X509_V_OK)
logit(LOG_DEBUG, "Certificate OK");
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
logit(LOG_INFO, "SSL server cert subject: %s", buf);
X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
logit(LOG_INFO, "SSL server cert issuer: %s", buf);
X509_free(cert);
return 0;
}
/**
* Embeds a socket in a ssl connection.
* @param socket the socket to be used.
* @return The ssl connection or NULL if an error occured.
*/
int embed_ssl_socket(ssl_connection *ssl, int socket) {
int ssl_error;
time_t ssl_time;
if (!ssl)
return FALSE;
if (!ssl_initialized)
start_ssl();
if (socket >= 0) {
ssl->socket = socket;
} else {
LogError("%s: Socket error!\n", prog);
goto sslerror;
}
if ((ssl->handler = SSL_new (ssl->ctx)) == NULL) {
LogError("%s: Cannot initialize the SSL handler -- %s\n", prog, SSLERROR);
goto sslerror;
}
set_noblock(ssl->socket);
if ((ssl->socket_bio = BIO_new_socket(ssl->socket, BIO_NOCLOSE)) == NULL) {
LogError("%s: Cannot generate IO buffer -- %s\n", prog, SSLERROR);
goto sslerror;
}
SSL_set_bio(ssl->handler, ssl->socket_bio, ssl->socket_bio);
ssl_time = time(NULL);
while ((ssl_error = SSL_connect (ssl->handler)) < 0) {
if ((time(NULL) - ssl_time) > SSL_TIMEOUT) {
LogError("%s: SSL service timeout!\n", prog);
goto sslerror;
}
if (!handle_error(ssl_error, ssl))
goto sslerror;
if (!BIO_should_retry(ssl->socket_bio))
goto sslerror;
}
ssl->cipher = (char *) SSL_get_cipher(ssl->handler);
if (! update_ssl_cert_data(ssl)) {
LogError("%s: Cannot get the SSL server certificate!\n", prog);
goto sslerror;
}
return TRUE;
sslerror:
cleanup_ssl_socket(ssl);
return FALSE;
}
/*
* Enable SSL on a connection.
*/
int
fetch_ssl(conn_t *conn, int verbose)
{
#ifdef WITH_SSL
int ret, ssl_err;
/* Init the SSL library and context */
if (!SSL_library_init()){
fprintf(stderr, "SSL library init failed\n");
return (-1);
}
SSL_load_error_strings();
conn->ssl_meth = SSLv23_client_method();
conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
conn->ssl = SSL_new(conn->ssl_ctx);
if (conn->ssl == NULL){
fprintf(stderr, "SSL context creation failed\n");
return (-1);
}
SSL_set_fd(conn->ssl, conn->sd);
while ((ret = SSL_connect(conn->ssl)) == -1) {
ssl_err = SSL_get_error(conn->ssl, ret);
if (ssl_err != SSL_ERROR_WANT_READ &&
ssl_err != SSL_ERROR_WANT_WRITE) {
ERR_print_errors_fp(stderr);
return (-1);
}
}
if (verbose) {
X509_NAME *name;
char *str;
fprintf(stderr, "SSL connection established using %s\n",
SSL_get_cipher(conn->ssl));
conn->ssl_cert = SSL_get_peer_certificate(conn->ssl);
name = X509_get_subject_name(conn->ssl_cert);
str = X509_NAME_oneline(name, 0, 0);
printf("Certificate subject: %s\n", str);
free(str);
name = X509_get_issuer_name(conn->ssl_cert);
str = X509_NAME_oneline(name, 0, 0);
printf("Certificate issuer: %s\n", str);
free(str);
}
return (0);
#else
(void)conn;
(void)verbose;
fprintf(stderr, "SSL support disabled\n");
return (-1);
#endif
}
int ssl_client_handshake(struct Client *cptr) {
char *str;
int err;
cptr->ssl = (struct SSL*)SSL_new (ctx); CHK_NULL(cptr->ssl);
SSL_set_fd ((SSL*)cptr->ssl, cptr->fd);
set_blocking(cptr->fd);
err = SSL_connect ((SSL*)cptr->ssl);
set_non_blocking(cptr->fd);
if ((err)==-1) {
irclog(L_NOTICE,"Could connect to %s:Error in SSL_connect()",
get_client_name(cptr, TRUE));
return 0;
}
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
set_blocking(cptr->fd);
irclog (L_NOTICE,"SSL connection using %s", SSL_get_cipher ((SSL*)cptr->ssl));
SetSecure(cptr);
/* Get server's certificate (note: beware of dynamic allocation) - opt */
cptr->client_cert = (struct X509*)SSL_get_peer_certificate ((SSL *)cptr->ssl);
set_non_blocking(cptr->fd);
if (cptr->client_cert != NULL)
{
irclog (L_NOTICE,"Server certificate:");
str = X509_NAME_oneline (X509_get_subject_name ((X509*)cptr->client_cert),0,0);
CHK_NULL(str);
irclog (L_NOTICE, "\t subject: %s", str);
// Free (str);
free (str);
str = X509_NAME_oneline (X509_get_issuer_name ((X509*)cptr->client_cert),0,0);
CHK_NULL(str);
irclog (L_NOTICE, "\t issuer: %s", str);
// Free (str);
free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free ((X509*)cptr->client_cert);
}
else
irclog (L_NOTICE, "Server does not have certificate.");
return 1;
}
static void setSecured(MprSocket *sp)
{
OpenSocket *osp;
sp->secured = 1;
osp = sp->sslSocket;
sp->cipher = sclone(SSL_get_cipher(osp->handle));
sp->session = getOssSession(sp);
}
void kul::https::Server::loop() throw(kul::tcp::Exception){
KUL_DBG_FUNC_ENTER
int32_t newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);
if(newsockfd < 0) KEXCEPTION("HTTPS Server error on accept");
ssl = SSL_new(ctx);
SSL_set_fd(ssl, newsockfd);
//Here is the SSL Accept portion. Now all reads and writes must use SSL
int16_t ssl_err = SSL_accept(ssl);
if(ssl_err <= 0){
short se = 0;
SSL_get_error(ssl, se);
KERR << "HTTPS Server SSL ERROR on SSL_ACCEPT error: " << se;
close(newsockfd);
return;
}
KLOG(DBG) << "SSL_get_cipher: " << SSL_get_cipher(ssl);
cc = SSL_get_peer_certificate (ssl);
if(cc != NULL) {
KLOG(DBG) << "Client certificate:";
KLOG(DBG) << "\t subject: " << X509_NAME_oneline (X509_get_subject_name (cc), 0, 0);
KLOG(DBG) << "\t issuer: %s\n" << X509_NAME_oneline (X509_get_issuer_name (cc), 0, 0);
X509_free(cc);
}else KLOG(ERR) << "Client does not have certificate.";
KOUT(DBG) << "New connection , socket fd is " << newsockfd << ", is : " << inet_ntoa(cli_addr.sin_addr) << ", port : "<< ntohs(cli_addr.sin_port);
onConnect(inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
int16_t e;
char buffer[_KUL_HTTPS_READ_BUFFER_];
std::stringstream cnt;
do{
bzero(buffer,_KUL_HTTPS_READ_BUFFER_);
e = SSL_read(ssl, buffer, _KUL_HTTPS_READ_BUFFER_ - 1);
if(e) cnt << buffer;
}while(e == (_KUL_HTTPS_READ_BUFFER_ - 1));
if (e < 0){
short se = 0;
SSL_get_error(ssl, se);
if(se) KLOG(ERR) << "SSL_get_error: " << se;
e = -1;
}else
try{
std::string res;
std::shared_ptr<kul::http::ARequest> req = handleRequest(cnt.str(), res);
const kul::http::AResponse& rs(respond(*req.get()));
std::string ret(rs.toString());
e = SSL_write(ssl, ret.c_str(), ret.length());
}catch(const kul::http::Exception& e1){
KERR << e1.what();
e = -1;
}
close(newsockfd);
KOUT(DBG) << "Disconnect , socket fd is " << newsockfd << ", is : " << inet_ntoa(cli_addr.sin_addr) << ", port : "<< ntohs(cli_addr.sin_port);
onDisconnect(inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
}
int MaOpenSslSocket::read(char *buf, int len)
{
int rc;
if (bio == 0 || ssl == 0) {
return -1;
}
rc = BIO_read(bio, buf, len);
#if DEBUG
if (rc > 0 && !connTraced) {
X509_NAME *xSubject;
X509 *cert;
char subject[260], issuer[260], peer[260];
mprLog(4, "%d: SSL Connected using: \"%s\"\n",
sock, SSL_get_cipher(ssl));
cert = SSL_get_peer_certificate(ssl);
if (cert == 0) {
mprLog(4, "%d: SSL Details: client supplied no certificate\n",
sock);
} else {
xSubject = X509_get_subject_name(cert);
X509_NAME_oneline(xSubject, subject, sizeof(subject) -1);
X509_NAME_oneline(X509_get_issuer_name(cert), issuer,
sizeof(issuer) -1);
X509_NAME_get_text_by_NID(xSubject, NID_commonName, peer,
sizeof(peer) - 1);
mprLog(4, "%d: SSL Subject %s\n", sock, subject);
mprLog(4, "%d: SSL Issuer: %s\n", sock, issuer);
mprLog(4, "%d: SSL Peer: %s\n", sock, peer);
X509_free(cert);
}
connTraced = 1;
}
#endif
if (rc > 0) {
return rc;
} else if (rc == 0) {
if (BIO_should_retry(bio)) {
return 0;
}
flags |= MPR_SOCKET_EOF;
return 0;
}
if (BIO_should_retry(bio)) {
return 0;
}
return rc;
}
/*
*-------------------------------------------------------------------
*
* TlsGetOptionProc --
*
* Computes an option value for a SSL socket based channel, or a
* list of all options and their values.
*
* Results:
* A standard Tcl result. The value of the specified option or a
* list of all options and their values is returned in the
* supplied DString.
*
* Side effects:
* None.
*
*-------------------------------------------------------------------
*/
static int
TlsGetOptionProc(ClientData instanceData, /* Socket state. */
Tcl_Interp *interp, /* For errors - can be NULL. */
CONST84 char *optionName, /* Name of the option to
* retrieve the value for, or
* NULL to get all options and
* their values. */
Tcl_DString *dsPtr) /* Where to store the computed value
* initialized by caller. */
{
State *statePtr = (State *) instanceData;
if (channelTypeVersion == TLS_CHANNEL_VERSION_2) {
Tcl_Channel downChan = Tls_GetParent(statePtr);
Tcl_DriverGetOptionProc *getOptionProc;
getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan));
if (getOptionProc != NULL) {
return (*getOptionProc)(Tcl_GetChannelInstanceData(downChan),
interp, optionName, dsPtr);
} else if (optionName == (char*) NULL) {
/*
* Request is query for all options, this is ok.
*/
return TCL_OK;
}
/*
* Request for a specific option has to fail, we don't have any.
*/
return TCL_ERROR;
} else {
size_t len = 0;
if (optionName != (char *) NULL) {
len = strlen(optionName);
}
#if 0
if ((len == 0) || ((len > 1) && (optionName[1] == 'c') &&
(strncmp(optionName, "-cipher", len) == 0))) {
if (len == 0) {
Tcl_DStringAppendElement(dsPtr, "-cipher");
}
Tcl_DStringAppendElement(dsPtr, SSL_get_cipher(statePtr->ssl));
if (len) {
return TCL_OK;
}
}
#endif
return TCL_OK;
}
}
int ssl_open(http_t *client, char *msg)
{
char buf[256];
const char *sn;
const X509 *cert;
if (!client->ssl_enabled)
return tcp_init(&client->tcp, msg);
tcp_set_port(&client->tcp, 443);
DO(tcp_init(&client->tcp, msg));
logit(LOG_INFO, "%s, initiating HTTPS ...", msg);
client->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!client->ssl_ctx)
return RC_HTTPS_OUT_OF_MEMORY;
client->ssl = SSL_new(client->ssl_ctx);
if (!client->ssl)
return RC_HTTPS_OUT_OF_MEMORY;
/* SSL SNI support: tell the servername we want to speak to */
http_get_remote_name(client, &sn);
if (gnutls_server_name_set(client->ssl->gnutls_state, GNUTLS_NAME_DNS, sn, strlen(sn)))
return RC_HTTPS_SNI_ERROR;
SSL_set_fd(client->ssl, client->tcp.ip.socket);
if (-1 == SSL_connect(client->ssl))
return RC_HTTPS_FAILED_CONNECT;
logit(LOG_INFO, "SSL connection using %s", SSL_get_cipher(client->ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
cert = SSL_get_peer_certificate(client->ssl);
if (!cert)
return RC_HTTPS_FAILED_GETTING_CERT;
/* Logging some cert details. Please note: X509_NAME_oneline doesn't
work when giving NULL instead of a buffer. */
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
logit(LOG_INFO, "SSL server cert subject: %s", buf);
X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
logit(LOG_INFO, "SSL server cert issuer: %s", buf);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free(cert);
return 0;
}
void SSLSocket::accept(const Socket& listeningSocket) throw(SocketException) {
Socket::accept(listeningSocket);
if(ssl)
SSL_free(ssl);
ssl = SSL_new(ctx);
if(!ssl)
checkSSL(-1);
checkSSL(SSL_set_fd(ssl, sock));
checkSSL(SSL_accept(ssl));
dcdebug("Connected to SSL client using %s\n", SSL_get_cipher(ssl));
}
int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
char *buf, size_t buflen)
{
const char *name;
if (conn == NULL || conn->ssl == NULL)
return -1;
name = SSL_get_cipher(conn->ssl);
if (name == NULL)
return -1;
snprintf(buf, buflen, "%s", name);
return 0;
}
//~~~~~~~~~~~~~~~~~~~~~connect to server~~~~~~~~~~~~~~~~~~~
//成功返回1,失败返回0并且退出
int connectto(int argc,char *args[])
{
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~判断输入IP是否正确~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
int i,count=0;
if(argc!=2)
{
printf("format error: you mast enter ipaddr like this : client 192.168.0.6\n");
exit(0);
}
for(i=0;*(args[1]+i)!='\0';i++)
{
if(*(args[1]+i)=='.')
count++;
}
if(count!=3)
{
printf("IP format error\n");
exit(0);
}
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if((sockclient=socket(AF_INET,SOCK_STREAM,0))==-1)
{
perror("socket");
exit(0);
}
memset(&sockaddr1,0,sizeof(sockaddr1));
sockaddr1.sin_family = AF_INET;
sockaddr1.sin_addr.s_addr = inet_addr(args[1]);
sockaddr1.sin_port = htons(port);
if(connect(sockclient,(struct sockaddr* )&sockaddr1,sizeof(sockaddr1))==-1)
{
perror("connect");
exit(0);
}
//-----------------------------------------------------------------------
/* 基于 ctx 产生一个新的 SSL */
ssl = SSL_new(ctx);
SSL_set_fd(ssl, sockclient);
/* 建立 SSL 连接 */
if (SSL_connect(ssl) == -1)
ERR_print_errors_fp(stderr);
else
{
printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
ShowCerts(ssl);
}
return 1;
}
void init_clinet_ssl(int server)
{
SSL_library_init();
ctx = InitCTX();
ssl = SSL_new(ctx); /* create new SSL connection state */
SSL_set_fd(ssl, server); /* attach the socket descriptor */
if ( SSL_connect(ssl) == FAIL ) /* perform the connection */
ERR_print_errors_fp(stderr);
else {
printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
ShowCerts(ssl); /* get any certs */
}
}
