static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
{
char buf[1024];
((void) data);
polarssl_printf( "\nVerify requested for (Depth %d):\n", depth );
x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
polarssl_printf( "%s", buf );
if( ( (*flags) & BADCERT_EXPIRED ) != 0 )
polarssl_printf( " ! server certificate has expired\n" );
if( ( (*flags) & BADCERT_REVOKED ) != 0 )
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch\n" );
if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! CRL not trusted\n" );
if( ( (*flags) & BADCRL_EXPIRED ) != 0 )
polarssl_printf( " ! CRL expired\n" );
if( ( (*flags) & BADCERT_OTHER ) != 0 )
polarssl_printf( " ! other (unknown) flag\n" );
if ( ( *flags ) == 0 )
polarssl_printf( " This certificate has no flags\n" );
return( 0 );
}
/*
* Checkup routine
*/
int md2_self_test( int verbose )
{
int i;
unsigned char md2sum[16];
for( i = 0; i < 7; i++ )
{
if( verbose != 0 )
polarssl_printf( " MD2 test #%d: ", i + 1 );
md2( (unsigned char *) md2_test_str[i],
strlen( md2_test_str[i] ), md2sum );
if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
return( 1 );
}
if( verbose != 0 )
polarssl_printf( "passed\n" );
}
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
/*
* Checkup routine
*/
int arc4_self_test( int verbose )
{
int i;
unsigned char ibuf[8];
unsigned char obuf[8];
arc4_context ctx;
for( i = 0; i < 3; i++ )
{
if( verbose != 0 )
polarssl_printf( " ARC4 test #%d: ", i + 1 );
memcpy( ibuf, arc4_test_pt[i], 8 );
arc4_setup( &ctx, arc4_test_key[i], 8 );
arc4_crypt( &ctx, 8, ibuf, obuf );
if( memcmp( obuf, arc4_test_ct[i], 8 ) != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
return( 1 );
}
if( verbose != 0 )
polarssl_printf( "passed\n" );
}
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
int main( int argc, char *argv[] )
{
int ret, i;
if( argc == 1 )
{
polarssl_printf( "print mode: sha1sum <file> <file> ...\n" );
polarssl_printf( "check mode: sha1sum -c <checksum file>\n" );
#if defined(_WIN32)
polarssl_printf( "\n Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( 1 );
}
if( argc == 3 && strcmp( "-c", argv[1] ) == 0 )
return( sha1_check( argv[2] ) );
ret = 0;
for( i = 1; i < argc; i++ )
ret |= sha1_print( argv[i] );
return( ret );
}
static void dump_buf( const char *title, unsigned char *buf, size_t len )
{
size_t i;
polarssl_printf( "%s", title );
for( i = 0; i < len; i++ )
polarssl_printf("%c%c", "0123456789ABCDEF" [buf[i] / 16],
"0123456789ABCDEF" [buf[i] % 16] );
polarssl_printf( "\n" );
}
static int sha1_print( char *filename )
{
int i;
unsigned char sum[20];
if( sha1_wrapper( filename, sum ) != 0 )
return( 1 );
for( i = 0; i < 20; i++ )
polarssl_printf( "%02x", sum[i] );
polarssl_printf( " %s\n", filename );
return( 0 );
}
/*
* Checkup routine for HMAC_DRBG with SHA-1
*/
SSL_ROM_TEXT_SECTION
int hmac_drbg_self_test( int verbose )
{
hmac_drbg_context ctx;
unsigned char buf[OUTPUT_LEN];
const md_info_t *md_info = md_info_from_type( POLARSSL_MD_SHA1 );
/*
* PR = True
*/
if( verbose != 0 )
polarssl_printf( " HMAC_DRBG (PR = True) : " );
test_offset = 0;
CHK( hmac_drbg_init( &ctx, md_info,
hmac_drbg_self_test_entropy, entropy_pr,
NULL, 0 ) );
hmac_drbg_set_prediction_resistance( &ctx, POLARSSL_HMAC_DRBG_PR_ON );
CHK( hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
hmac_drbg_free( &ctx );
if( verbose != 0 )
polarssl_printf( "passed\n" );
/*
* PR = False
*/
if( verbose != 0 )
polarssl_printf( " HMAC_DRBG (PR = False) : " );
test_offset = 0;
CHK( hmac_drbg_init( &ctx, md_info,
hmac_drbg_self_test_entropy, entropy_nopr,
NULL, 0 ) );
CHK( hmac_drbg_reseed( &ctx, NULL, 0 ) );
CHK( hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
hmac_drbg_free( &ctx );
if( verbose != 0 )
polarssl_printf( "passed\n" );
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
int main( void )
{
polarssl_printf( "POLARSSL_CTR_DRBG_C and/or POLARSSL_ENTROPY_C and/or "
"POLARSSL_NET_C and/or POLARSSL_SSL_CLI_C and/or UNIX "
"not defined.\n");
return( 0 );
}
int main( void )
{
polarssl_printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C "
"POLARSSL_FS_IO and/or POLARSSL_X509_CRL_PARSE_C "
"not defined.\n");
return( 0 );
}
int main( void )
{
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_PK_PARSE_C and/or "
"POLARSSL_FS_IO and/or POLARSSL_ENTROPY_C and/or "
"POLARSSL_CTR_DRBG_C not defined.\n");
return( 0 );
}
/* Dummy checkup routine */
int hmac_drbg_self_test( int verbose )
{
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf( "POLARSSL_PK_WRITE_C and/or POLARSSL_FS_IO not defined.\n" );
return( 0 );
}
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_TIMING_C not defined.\n");
return( 0 );
}
int main( void )
{
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_CERTS_C and/or POLARSSL_ENTROPY_C "
"and/or POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_SRV_C and/or "
"POLARSSL_NET_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_CTR_DRBG_C and/or POLARSSL_X509_CRT_PARSE_C "
"not defined.\n");
return( 0 );
}
/* Dummy checkup routine */
SSL_ROM_TEXT_SECTION
int hmac_drbg_self_test( int verbose )
{
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_X509_CRL_PARSE_C and/or POLARSSL_FS_IO not defined.\n");
return( 0 );
}
/*
* Checkup routine
*/
int ctr_drbg_self_test( int verbose )
{
ctr_drbg_context ctx;
unsigned char buf[16];
/*
* Based on a NIST CTR_DRBG test vector (PR = True)
*/
if( verbose != 0 )
polarssl_printf( " CTR_DRBG (PR = TRUE) : " );
test_offset = 0;
CHK( ctr_drbg_init_entropy_len( &ctx, ctr_drbg_self_test_entropy,
entropy_source_pr, nonce_pers_pr, 16, 32 ) );
ctr_drbg_set_prediction_resistance( &ctx, CTR_DRBG_PR_ON );
CHK( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) );
CHK( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) );
CHK( memcmp( buf, result_pr, CTR_DRBG_BLOCKSIZE ) );
if( verbose != 0 )
polarssl_printf( "passed\n" );
/*
* Based on a NIST CTR_DRBG test vector (PR = FALSE)
*/
if( verbose != 0 )
polarssl_printf( " CTR_DRBG (PR = FALSE): " );
test_offset = 0;
CHK( ctr_drbg_init_entropy_len( &ctx, ctr_drbg_self_test_entropy,
entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
CHK( ctr_drbg_random( &ctx, buf, 16 ) );
CHK( ctr_drbg_reseed( &ctx, NULL, 0 ) );
CHK( ctr_drbg_random( &ctx, buf, 16 ) );
CHK( memcmp( buf, result_nopr, 16 ) );
if( verbose != 0 )
polarssl_printf( "passed\n" );
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
/*
* Enabled if debug_level > 1 in code below
*/
static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
{
char buf[1024];
((void) data);
polarssl_printf( "\nVerify requested for (Depth %d):\n", depth );
x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
polarssl_printf( "%s", buf );
if ( ( *flags ) == 0 )
polarssl_printf( " This certificate has no flags\n" );
else
{
x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
polarssl_printf( "%s\n", buf );
}
return( 0 );
}
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_ENTROPY_C and/or "
"POLARSSL_FS_IO and/or POLARSSL_CTR_DRBG_C and/or "
"POLARSSL_GENPRIME not defined.\n");
return( 0 );
}
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_ENTROPY_C and/or "
"POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_CLI_C and/or "
"POLARSSL_NET_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_X509_CRT_PARSE_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_CTR_DRBG_C not defined.\n");
return( 0 );
}
int main( void )
{
int i;
unsigned char digest[16];
char str[] = "Hello, world!";
polarssl_printf( "\n MD5('%s') = ", str );
md5( (unsigned char *) str, 13, digest );
for( i = 0; i < 16; i++ )
polarssl_printf( "%02x", digest[i] );
polarssl_printf( "\n\n" );
#if defined(_WIN32)
polarssl_printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( 0 );
}
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_CERTS_C and/or POLARSSL_ENTROPY_C "
"and/or POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_SRV_C and/or "
"POLARSSL_NET_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_CTR_DRBG_C and/or POLARSSL_X509_CRT_PARSE_C and/or "
"POLARSSL_THREADING_C and/or POLARSSL_THREADING_PTHREAD "
"not defined.\n");
return( 0 );
}
int main( int argc, char *argv[] )
{
long int val;
char *end = argv[1];
if( argc != 2 )
{
polarssl_printf( USAGE );
return( 0 );
}
val = strtol( argv[1], &end, 10 );
if( *end != '\0' )
{
val = strtol( argv[1], &end, 16 );
if( *end != '\0' )
{
polarssl_printf( USAGE );
return( 0 );
}
}
if( val > 0 )
val = -val;
if( val != 0 )
{
char error_buf[200];
polarssl_strerror( val, error_buf, 200 );
polarssl_printf("Last error was: -0x%04x - %s\n\n", (int) -val, error_buf );
}
#if defined(_WIN32)
polarssl_printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( val );
}
static void dump_pubkey( const char *title, ecdsa_context *key )
{
unsigned char buf[300];
size_t len;
if( ecp_point_write_binary( &key->grp, &key->Q,
POLARSSL_ECP_PF_UNCOMPRESSED, &len, buf, sizeof buf ) != 0 )
{
polarssl_printf("internal error\n");
return;
}
dump_buf( title, buf, len );
}
static int thread_create( int client_fd )
{
int ret, i;
/*
* Find in-active or finished thread slot
*/
for( i = 0; i < MAX_NUM_THREADS; i++ )
{
if( threads[i].active == 0 )
break;
if( threads[i].data.thread_complete == 1 )
{
polarssl_printf( " [ main ] Cleaning up thread %d\n", i );
pthread_join(threads[i].thread, NULL );
memset( &threads[i], 0, sizeof(pthread_info_t) );
break;
}
}
if( i == MAX_NUM_THREADS )
return( -1 );
/*
* Fill thread-info for thread
*/
memcpy( &threads[i].data, &base_info, sizeof(base_info) );
threads[i].active = 1;
threads[i].data.client_fd = client_fd;
if( ( ret = pthread_create( &threads[i].thread, NULL, handle_ssl_connection, &threads[i].data ) ) != 0 )
{
return( ret );
}
return( 0 );
}
int main( int argc, char *argv[] )
{
FILE *f;
int ret = 1;
pk_context pk;
entropy_context entropy;
ctr_drbg_context ctr_drbg;
unsigned char hash[20];
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
char filename[512];
const char *pers = "pk_sign";
size_t olen = 0;
entropy_init( &entropy );
pk_init( &pk );
if( argc != 3 )
{
polarssl_printf( "usage: pk_sign <key_file> <filename>\n" );
#if defined(_WIN32)
polarssl_printf( "\n" );
#endif
goto exit;
}
polarssl_printf( "\n . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
polarssl_printf( " failed\n ! ctr_drbg_init returned -0x%04x\n", -ret );
goto exit;
}
polarssl_printf( "\n . Reading private key from '%s'", argv[1] );
fflush( stdout );
if( ( ret = pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 )
{
ret = 1;
polarssl_printf( " failed\n ! Could not open '%s'\n", argv[1] );
goto exit;
}
/*
* Compute the SHA-1 hash of the input file,
* then calculate the signature of the hash.
*/
polarssl_printf( "\n . Generating the SHA-1 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[2], hash ) ) != 0 )
{
polarssl_printf( " failed\n ! Could not open or read %s\n\n", argv[2] );
goto exit;
}
if( ( ret = pk_sign( &pk, POLARSSL_MD_SHA1, hash, 0, buf, &olen,
ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
polarssl_printf( " failed\n ! pk_sign returned -0x%04x\n", -ret );
goto exit;
}
/*
* Write the signature into <filename>-sig.txt
*/
snprintf( filename, sizeof(filename), "%s.sig", argv[2] );
if( ( f = fopen( filename, "wb+" ) ) == NULL )
{
ret = 1;
polarssl_printf( " failed\n ! Could not create %s\n\n", filename );
goto exit;
}
if( fwrite( buf, 1, olen, f ) != olen )
{
polarssl_printf( "failed\n ! fwrite failed\n\n" );
goto exit;
}
fclose( f );
polarssl_printf( "\n . Done (created \"%s\")\n\n", filename );
exit:
pk_free( &pk );
ctr_drbg_free( &ctr_drbg );
entropy_free( &entropy );
#if defined(POLARSSL_ERROR_C)
polarssl_strerror( ret, (char *) buf, sizeof(buf) );
polarssl_printf( " ! Last error was: %s\n", buf );
#endif
#if defined(_WIN32)
polarssl_printf( " + Press Enter to exit this program.\n" );
fflush( stdout );
getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0;
unsigned char buf[100000];
x509_crl crl;
int i;
char *p, *q;
/*
* Set to sane values
*/
x509_crl_init( &crl );
if( argc == 0 )
{
usage:
polarssl_printf( USAGE );
goto exit;
}
opt.filename = DFL_FILENAME;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else
goto usage;
}
/*
* 1.1. Load the CRL
*/
polarssl_printf( "\n . Loading the CRL ..." );
fflush( stdout );
ret = x509_crl_parse_file( &crl, opt.filename );
if( ret != 0 )
{
polarssl_printf( " failed\n ! x509_crl_parse_file returned %d\n\n", ret );
x509_crl_free( &crl );
goto exit;
}
polarssl_printf( " ok\n" );
/*
* 1.2 Print the CRL
*/
polarssl_printf( " . CRL information ...\n" );
ret = x509_crl_info( (char *) buf, sizeof( buf ) - 1, " ", &crl );
if( ret == -1 )
{
polarssl_printf( " failed\n ! x509_crl_info returned %d\n\n", ret );
x509_crl_free( &crl );
goto exit;
}
polarssl_printf( "%s\n", buf );
exit:
x509_crl_free( &crl );
#if defined(_WIN32)
polarssl_printf( " + Press Enter to exit this program.\n" );
fflush( stdout );
getchar();
#endif
return( ret );
}
int main( int argc, const char *argv[] )
{
/* Client and server declarations. */
int ret;
int len;
#if SOCKET_COMMUNICATION
int listen_fd = -1;
int client_fd = -1;
int server_fd = -1;
#endif
unsigned char buf[1024];
/* Handshake step counter */
size_t step = 1;
int flags;
ssl_context s_ssl, c_ssl;
x509_crt srvcert;
pk_context pkey;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
#endif
if( argc == 3)
{
packet_in_num = atoi(argv[1]);
packet_in_file = argv[2];
}
else if( argc != 1)
{
usage(argv[0]);
exit(1);
}
/* Server init */
memset( &s_ssl, 0, sizeof( ssl_context ) );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_init( &cache );
#endif
x509_crt_init( &srvcert );
pk_init( &pkey );
/* Client init */
memset( &c_ssl, 0, sizeof( ssl_context ) );
/*x509_crt_init( &cacert );*/
#if defined(POLARSSL_DEBUG_C)
debug_set_threshold( DEBUG_LEVEL );
#endif
/*
* Server:
* Load the certificates and private RSA key
*/
if( packet_in_num == 0 )
{
printf( " . Loading the server cert. and key..." );
fflush( stdout );
}
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509_crt_parse_file() to read the
* server and CA certificates, as well as pk_parse_keyfile().
*/
ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list,
strlen( test_ca_list ) );
if( ret != 0 )
{
polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret );
goto exit;
}
ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! pk_parse_key returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Server:
* Setup stuff
*/
if( packet_in_num == 0 )
{
printf( " . Server: Setting up the SSL data...." );
fflush( stdout );
}
if( ( ret = ssl_init( &s_ssl ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &s_ssl, SSL_IS_SERVER );
ssl_set_authmode( &s_ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &s_ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &s_ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &s_ssl, ctr_drbg_deterministic, NULL );
ssl_set_dbg( &s_ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &s_ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
ssl_set_ca_chain( &s_ssl, srvcert.next, NULL, NULL );
if( ( ret = ssl_set_own_cert( &s_ssl, &srvcert, &pkey ) ) != 0 )
{
printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
ssl_session_reset( &s_ssl );
#if SOCKET_COMMUNICATION
/*
* Server:
* Setup the listening TCP socket
*/
if( packet_in_num == 0 )
{
printf( " . Bind on https://localhost:%d/ ...", SERVER_PORT );
fflush( stdout );
}
if( ( ret = net_bind( &listen_fd, NULL, SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Client:
* Start the connection
*/
if( packet_in_num == 0 )
{
printf( " . Connecting to tcp/%s/%d...", SERVER_NAME, SERVER_PORT );
fflush( stdout );
}
if( ( ret = net_connect( &server_fd, SERVER_NAME,
SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Server:
* Start listening for client connections
*/
if( packet_in_num == 0 )
{
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
}
/*
* Server:
* Accept client connection (socket is set non-blocking in
* library/net.c)
*/
if( ( ret = net_accept( listen_fd, &client_fd,
NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
ssl_set_bio( &s_ssl, recv_custom, &client_fd, send_custom, &client_fd );
#else
ssl_set_bio( &s_ssl, func_server_recv_buf, NULL, func_server_send_buf, NULL );
#endif
/*
* Client:
* Setup stuff
*/
if( packet_in_num == 0 )
{
printf( " . Client: Setting up the SSL/TLS structure..." );
fflush( stdout );
}
if( ( ret = ssl_init( &c_ssl ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
if( packet_in_num == 0 )
{
polarssl_printf( " ok\n" );
}
ssl_set_endpoint( &c_ssl, SSL_IS_CLIENT );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
ssl_set_authmode( &c_ssl, SSL_VERIFY_OPTIONAL );
/* NONE permits man-in-the-middle attacks. */
/*ssl_set_authmode( &c_ssl, VERIFY_NONE );*/
/*ssl_set_authmode( &c_ssl, SSL_VERIFY_REQUIRED );*/
ssl_set_ca_chain( &c_ssl, &srvcert, NULL, "PolarSSL Server 1" );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &c_ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &c_ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &c_ssl, ctr_drbg_deterministic, NULL );
ssl_set_dbg( &c_ssl, my_debug, stdout );
if( ( ret = ssl_set_hostname( &c_ssl, "mbed TLS Server 1" ) ) != 0 )
{
printf( " failed\n ! ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
#if SOCKET_COMMUNICATION
ssl_set_bio( &c_ssl, recv_custom, &server_fd, send_custom, &server_fd );
#else
ssl_set_bio( &c_ssl, func_client_recv_buf, NULL, func_client_send_buf, NULL );
#endif
if( packet_in_num == 0 )
{
printf( " . Performing the SSL/TLS handshake...\n" );
fflush( stdout );
}
/*
* The following number of steps are hardcoded to ensure
* that the client and server complete the handshake without
* waiting infinitely for the other side to send data.
*
* 1 2 3 4 5 6 7 8 9
*/
int client_steps[] = { 2, 1, 1, 1, 4, 2, 1, 1, 3 };
int server_steps[] = { 3, 1, 1, 3, 2, 1, 2, 1, 2 };
do {
/*
* Client:
* Handshake step
*/
int i;
int no_steps;
if( c_ssl.state == SSL_HANDSHAKE_OVER ) {
no_steps = 0;
} else {
no_steps = client_steps[step - 1];
}
for (i = 0; i < no_steps; i++) {
if( ( ret = ssl_handshake_step( &c_ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
}
if( packet_in_num == 0 )
{
printf( "--- client handshake step %zd ok\n", step );
}
/*
* Server:
* Handshake step
*/
if( s_ssl.state == SSL_HANDSHAKE_OVER ) {
printf("over\n");
no_steps = 0;
} else {
no_steps = server_steps[step - 1];
}
for (i = 0; i < no_steps; i++) {
if( ( ret = ssl_handshake_step( &s_ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
}
if( packet_in_num == 0 )
{
printf( "--- server handshake step %zd ok\n", step );
}
step++;
} while( ((c_ssl.state != SSL_HANDSHAKE_OVER)
|| (s_ssl.state != SSL_HANDSHAKE_OVER))
&& (step <= MAX_HANDSHAKE_STEPS) );
if( packet_in_num == 0 )
{
printf( "c_ssl.state: %d\n", c_ssl.state != SSL_HANDSHAKE_OVER );
printf( "s_ssl.state: %d\n", s_ssl.state != SSL_HANDSHAKE_OVER );
}
/*
* Client:
* Verify the server certificate
*/
if( packet_in_num == 0 )
{
printf( " . Verifying peer X.509 certificate..." );
}
/* In real life, we probably want to bail out when ret != 0 */
if( ( flags = ssl_get_verify_result( &c_ssl ) ) != 0 )
{
char vrfy_buf[512];
printf( " failed\n" );
x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
printf( "%s\n", vrfy_buf );
}
else if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Client:
* Write the GET request
*/
if( packet_in_num == 0 )
{
printf( " > Write to server:" );
fflush( stdout );
}
len = sprintf( (char *) buf, GET_REQUEST );
while( ( ret = ssl_write( &c_ssl, buf, len ) ) <= 0 )
{
if( ret !=POLARSSL_ERR_NET_WANT_READ && ret !=POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes written\n\n%s", len, (char *) buf );
}
/*
* Server:
* Read the HTTP Request
*/
if( packet_in_num == 0 )
{
printf( " < Read from client:" );
fflush( stdout );
}
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &s_ssl, buf, len );
if( ret ==POLARSSL_ERR_NET_WANT_READ || ret ==POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
if( ret > 0 )
break;
}
while( 1 );
/*
* Server:
* Write the 200 Response
*/
if( packet_in_num == 0 )
{
printf( " > Write to client:" );
fflush( stdout );
}
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &s_ssl ) );
while( ( ret = ssl_write( &s_ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto exit;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
}
/*
* Client:
* Read the HTTP response
*/
if( packet_in_num == 0 )
{
printf( " < Read from server:" );
fflush( stdout );
}
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &c_ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
{
ret = 0;
break;
}
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned %d\n\n", ret );
break;
}
if( ret == 0 )
{
printf( "\n\nEOF\n\n" );
break;
}
len = ret;
if( packet_in_num == 0 )
{
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
/*
* Server:
* Client read response. Close connection.
*/
if ( packet_in_num == 0 )
{
printf( " . Closing the connection..." );
fflush( stdout );
}
while( ( ret = ssl_close_notify( &s_ssl ) ) < 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ &&
ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_close_notify returned %d\n\n", ret );
goto exit;
}
}
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
}
while( 1 );
/*
* Client:
* Close connection.
*/
if( packet_in_num == 0 )
{
printf( " . Closing the connection..." );
fflush( stdout );
}
ssl_close_notify( &c_ssl );
if( packet_in_num == 0 )
{
printf( " ok\n" );
}
/*
* Server:
* We do not have multiple clients and therefore do not goto reset.
*/
/*ret = 0;*/
/*goto reset;*/
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
polarssl_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
#if SOCKET_COMMUNICATION
if ( client_fd != 1 )
net_close( client_fd );
if( server_fd != -1 )
net_close( server_fd );
if ( listen_fd != 1 )
net_close( listen_fd );
#endif
x509_crt_free( &srvcert );
pk_free( &pkey );
ssl_free( &s_ssl );
ssl_free( &c_ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout );
getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0, server_fd;
unsigned char buf[1024];
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_crt cacert;
x509_crt clicert;
x509_crl cacrl;
pk_context pkey;
int i, j;
int flags, verify = 0;
char *p, *q;
const char *pers = "cert_app";
/*
* Set to sane values
*/
server_fd = 0;
x509_crt_init( &cacert );
x509_crt_init( &clicert );
#if defined(POLARSSL_X509_CRL_PARSE_C)
x509_crl_init( &cacrl );
#else
/* Zeroize structure as CRL parsing is not supported and we have to pass
it to the verify function */
memset( &cacrl, 0, sizeof(x509_crl) );
#endif
pk_init( &pkey );
if( argc == 0 )
{
usage:
polarssl_printf( USAGE );
ret = 2;
goto exit;
}
opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME;
opt.ca_file = DFL_CA_FILE;
opt.crl_file = DFL_CRL_FILE;
opt.ca_path = DFL_CA_PATH;
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.permissive = DFL_PERMISSIVE;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
for( j = 0; p + j < q; j++ )
{
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
if( strcmp( p, "mode" ) == 0 )
{
if( strcmp( q, "file" ) == 0 )
opt.mode = MODE_FILE;
else if( strcmp( q, "ssl" ) == 0 )
opt.mode = MODE_SSL;
else
goto usage;
}
else if( strcmp( p, "filename" ) == 0 )
opt.filename = q;
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "crl_file" ) == 0 )
opt.crl_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "permissive" ) == 0 )
{
opt.permissive = atoi( q );
if( opt.permissive < 0 || opt.permissive > 1 )
goto usage;
}
else
goto usage;
}
/*
* 1.1. Load the trusted CA
*/
polarssl_printf( " . Loading the CA root certificate ..." );
fflush( stdout );
if( strlen( opt.ca_path ) )
{
ret = x509_crt_parse_path( &cacert, opt.ca_path );
verify = 1;
}
else if( strlen( opt.ca_file ) )
{
ret = x509_crt_parse_file( &cacert, opt.ca_file );
verify = 1;
}
if( ret < 0 )
{
polarssl_printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
polarssl_printf( " ok (%d skipped)\n", ret );
#if defined(POLARSSL_X509_CRL_PARSE_C)
if( strlen( opt.crl_file ) )
{
if( ( ret = x509_crl_parse_file( &cacrl, opt.crl_file ) ) != 0 )
{
polarssl_printf( " failed\n ! x509_crl_parse returned -0x%x\n\n", -ret );
goto exit;
}
verify = 1;
}
#endif
if( opt.mode == MODE_FILE )
{
x509_crt crt;
x509_crt *cur = &crt;
x509_crt_init( &crt );
/*
* 1.1. Load the certificate(s)
*/
polarssl_printf( "\n . Loading the certificate(s) ..." );
fflush( stdout );
ret = x509_crt_parse_file( &crt, opt.filename );
if( ret < 0 )
{
polarssl_printf( " failed\n ! x509_crt_parse_file returned %d\n\n", ret );
x509_crt_free( &crt );
goto exit;
}
if( opt.permissive == 0 && ret > 0 )
{
polarssl_printf( " failed\n ! x509_crt_parse failed to parse %d certificates\n\n", ret );
x509_crt_free( &crt );
goto exit;
}
polarssl_printf( " ok\n" );
/*
* 1.2 Print the certificate(s)
*/
while( cur != NULL )
{
polarssl_printf( " . Peer certificate information ...\n" );
ret = x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
cur );
if( ret == -1 )
{
polarssl_printf( " failed\n ! x509_crt_info returned %d\n\n", ret );
x509_crt_free( &crt );
goto exit;
}
polarssl_printf( "%s\n", buf );
cur = cur->next;
}
/*
* 1.3 Verify the certificate
*/
if( verify )
{
polarssl_printf( " . Verifying X.509 certificate..." );
if( ( ret = x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags,
my_verify, NULL ) ) != 0 )
{
polarssl_printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
polarssl_printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
polarssl_printf( "\n" );
}
else
polarssl_printf( " ok\n" );
}
x509_crt_free( &crt );
}
else if( opt.mode == MODE_SSL )
{
/*
* 1. Initialize the RNG and the session data
*/
polarssl_printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
polarssl_printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
polarssl_printf( " ok\n" );
/*
* 2. Start the connection
*/
polarssl_printf( " . SSL connection to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
polarssl_printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
/*
* 3. Setup stuff
*/
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
if( verify )
{
ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_verify( &ssl, my_verify, NULL );
}
else
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
goto exit;
}
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{
polarssl_printf( " failed\n ! ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
#endif
/*
* 4. Handshake
*/
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
polarssl_printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
ssl_free( &ssl );
goto exit;
}
}
polarssl_printf( " ok\n" );
/*
* 5. Print the certificate
*/
polarssl_printf( " . Peer certificate information ...\n" );
ret = x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl.session->peer_cert );
if( ret == -1 )
{
polarssl_printf( " failed\n ! x509_crt_info returned %d\n\n", ret );
ssl_free( &ssl );
goto exit;
}
polarssl_printf( "%s\n", buf );
ssl_close_notify( &ssl );
ssl_free( &ssl );
}
else
goto usage;
exit:
if( server_fd )
net_close( server_fd );
x509_crt_free( &cacert );
x509_crt_free( &clicert );
#if defined(POLARSSL_X509_CRL_PARSE_C)
x509_crl_free( &cacrl );
#endif
pk_free( &pkey );
ctr_drbg_free( &ctr_drbg );
entropy_free( &entropy );
#if defined(_WIN32)
polarssl_printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
if( ret < 0 )
ret = 1;
return( ret );
}
/*
* Checkup routine
*/
int x509_self_test( int verbose )
{
#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_SHA1_C)
int ret;
int flags;
x509_crt cacert;
x509_crt clicert;
if( verbose != 0 )
polarssl_printf( " X.509 certificate load: " );
x509_crt_init( &clicert );
ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
if( ret != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
return( ret );
}
x509_crt_init( &cacert );
ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
return( ret );
}
if( verbose != 0 )
polarssl_printf( "passed\n X.509 signature verify: ");
ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
if( ret != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
polarssl_printf( "ret = %d, &flags = %04x\n", ret, flags );
return( ret );
}
if( verbose != 0 )
polarssl_printf( "passed\n\n");
x509_crt_free( &cacert );
x509_crt_free( &clicert );
return( 0 );
#else
((void) verbose);
return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
#endif /* POLARSSL_CERTS_C && POLARSSL_SHA1_C */
}
