int ssl_cache_get( void *data, ssl_session *session )
{
time_t t = time( NULL );
ssl_cache_context *cache = (ssl_cache_context *) data;
ssl_cache_entry *cur, *entry;
cur = cache->chain;
entry = NULL;
while( cur != NULL )
{
entry = cur;
cur = cur->next;
if( cache->timeout != 0 &&
(int) ( t - entry->timestamp ) > cache->timeout )
continue;
if( session->ciphersuite != entry->session.ciphersuite ||
session->compression != entry->session.compression ||
session->length != entry->session.length )
continue;
if( memcmp( session->id, entry->session.id,
entry->session.length ) != 0 )
continue;
memcpy( session->master, entry->session.master, 48 );
/*
* Restore peer certificate (without rest of the original chain)
*/
if( entry->peer_cert.p != NULL )
{
session->peer_cert = (x509_cert *) malloc( sizeof(x509_cert) );
if( session->peer_cert == NULL )
return( 1 );
memset( session->peer_cert, 0, sizeof(x509_cert) );
if( x509parse_crt( session->peer_cert, entry->peer_cert.p,
entry->peer_cert.len ) != 0 )
{
free( session->peer_cert );
session->peer_cert = NULL;
return( 1 );
}
}
return( 0 );
}
return( 1 );
}
static besl_result_t wiced_tls_load_certificate( wiced_tls_certificate_t* certificate, const char* cert_string )
{
if ( x509parse_crt( certificate, (unsigned char *) cert_string, (uint32_t) strlen( cert_string ) ) != 0 )
{
wiced_assert("Certificate parse error", 0 != 0 );
return BESL_CERT_PARSE_FAIL;
}
else
{
return BESL_SUCCESS;
}
}
static int belle_sip_certificate_fill(belle_sip_certificates_chain_t* certificate,const char* buff, size_t size,belle_sip_certificate_raw_format_t format) {
#ifdef HAVE_POLARSSL
int err;
#if POLARSSL_VERSION_NUMBER < 0x01030000
if ((err=x509parse_crt(&certificate->cert,(const unsigned char *)buff,size)) <0) {
#else
if ((err=x509_crt_parse(&certificate->cert,(const unsigned char *)buff,size)) <0) {
#endif
char tmp[128];
error_strerror(err,tmp,sizeof(tmp));
belle_sip_error("cannot parse x509 cert because [%s]",tmp);
return -1;
}
return 0;
#else /*HAVE_POLARSSL*/
return -1;
#endif
}
static int belle_sip_certificate_fill_from_file(belle_sip_certificates_chain_t* certificate,const char* path,belle_sip_certificate_raw_format_t format) {
#ifdef HAVE_POLARSSL
int err;
#if POLARSSL_VERSION_NUMBER < 0x01030000
if ((err=x509parse_crtfile(&certificate->cert, path)) <0) {
#else
if ((err=x509_crt_parse_file(&certificate->cert, path)) <0) {
#endif
char tmp[128];
error_strerror(err,tmp,sizeof(tmp));
belle_sip_error("cannot parse x509 cert because [%s]",tmp);
return -1;
}
return 0;
#else /*HAVE_POLARSSL*/
return -1;
#endif
}
/*belle_sip_certificate */
belle_sip_certificates_chain_t* belle_sip_certificates_chain_parse(const char* buff, size_t size,belle_sip_certificate_raw_format_t format) {
belle_sip_certificates_chain_t* certificate = belle_sip_object_new(belle_sip_certificates_chain_t);
if (belle_sip_certificate_fill(certificate,buff, size,format)) {
belle_sip_object_unref(certificate);
certificate=NULL;
}
return certificate;
}
int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11_cert )
{
int ret = 1;
unsigned char *cert_blob = NULL;
size_t cert_blob_size = 0;
if( cert == NULL )
{
ret = 2;
goto cleanup;
}
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, &cert_blob_size ) != CKR_OK )
{
ret = 3;
goto cleanup;
}
cert_blob = malloc( cert_blob_size );
if( NULL == cert_blob )
{
ret = 4;
goto cleanup;
}
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, &cert_blob_size ) != CKR_OK )
{
ret = 5;
goto cleanup;
}
if( 0 != x509parse_crt(cert, cert_blob, cert_blob_size ) )
{
ret = 6;
goto cleanup;
}
ret = 0;
cleanup:
if( NULL != cert_blob )
free( cert_blob );
return ret;
}
int main( int argc, char *argv[] )
{
int ret = 0, len, server_fd;
unsigned char buf[1024];
char *pers = "ssl_client2";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert cacert;
x509_cert clicert;
rsa_context rsa;
int i;
char *p, *q;
const int *list;
/*
* Make sure memory references are valid.
*/
server_fd = 0;
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
memset( &clicert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) );
if( argc == 0 )
{
usage:
if( ret == 0 )
ret = 1;
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.request_page = DFL_REQUEST_PAGE;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.auth_mode = DFL_AUTH_MODE;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "request_page" ) == 0 )
opt.request_page = q;
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = -1;
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] <= 0 )
{
ret = 2;
goto usage;
}
opt.force_ciphersuite[1] = 0;
}
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
SSL_RENEGOTIATION_DISABLED;
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
opt.allow_legacy = atoi( q );
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
goto usage;
}
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "max_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.max_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_0;
opt.max_version = SSL_MINOR_VERSION_0;
}
else if( strcmp( q, "tls1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_1;
opt.max_version = SSL_MINOR_VERSION_1;
}
else if( strcmp( q, "tls1_1" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_2;
opt.max_version = SSL_MINOR_VERSION_2;
}
else if( strcmp( q, "tls1_2" ) == 0 )
{
opt.min_version = SSL_MINOR_VERSION_3;
opt.max_version = SSL_MINOR_VERSION_3;
}
else
goto usage;
}
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
opt.auth_mode = SSL_VERIFY_NONE;
else if( strcmp( q, "optional" ) == 0 )
opt.auth_mode = SSL_VERIFY_OPTIONAL;
else if( strcmp( q, "required" ) == 0 )
opt.auth_mode = SSL_VERIFY_REQUIRED;
else
goto usage;
}
else
goto usage;
}
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_path ) )
ret = x509parse_crtpath( &cacert, opt.ca_path );
else if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
printf( " . Loading the client cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
ret = x509parse_crtfile( &clicert, opt.crt_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
#if defined(POLARSSL_FS_IO)
if( strlen( opt.key_file ) )
ret = x509parse_keyfile( &rsa, opt.key_file, "" );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
strlen( test_cli_key ), NULL, 0 );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Start the connection
*/
printf( " . Connecting to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
if( opt.debug_level > 0 )
ssl_set_verify( &ssl, my_verify, NULL );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, opt.auth_mode );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, opt.server_name );
if( opt.min_version != -1 )
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
if( opt.max_version != -1 )
ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
printf( " ok\n [ Ciphersuite is %s ]\n",
ssl_get_ciphersuite( &ssl ) );
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
/*
* 6. Write the GET request
*/
printf( " > Write to server:" );
fflush( stdout );
len = sprintf( (char *) buf, GET_REQUEST, opt.request_page );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned -0x%x\n\n", -ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s", len, (char *) buf );
/*
* 7. Read the HTTP response
*/
printf( " < Read from server:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned -0x%x\n\n", -ret );
break;
}
if( ret == 0 )
{
printf("\n\nEOF\n\n");
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 1 );
ssl_close_notify( &ssl );
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
}
#endif
if( server_fd )
net_close( server_fd );
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
/**
* @brief SSL Server task.
* @param pvParameters not used
* @retval None
*/
void ssl_server(void const * argument)
{
int ret, len;
int listen_fd;
int client_fd = -1;
unsigned char buf[1524];
ssl_context ssl;
x509_cert srvcert;
rsa_context rsa;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
ssl_cache_init( &cache );
#endif
/*
* Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
rsa_init( &rsa, RSA_PKCS_V15, 0 );
ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n\r" );
/*
* Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:443/ ..." );
if( ( ret = net_bind( &listen_fd, NULL, 443) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n\r" );
/*
* Setup stuff
*/
printf( " . Setting up the SSL data...." );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto reset;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, RandVal , NULL );
ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd );
printf( " ok\n\r" );
for(;;)
{
/*
* Wait until a client connects
*/
client_fd = -1;
printf( " . Waiting for a remote connection ..." );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n\r" );
/*
* Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto reset;
}
}
printf( " ok\n\r" );
/*
* Read the HTTP Request
*/
printf( " < Read from client:" );
memset( buf, 0, sizeof( buf ) );
len = 0;
do
{
ret = ssl_read( &ssl, buf + len, 1523 - len);
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len += ret;
if( ret > 1 )
break;
}
while( 1 );
printf( " %d bytes read\n\r", len);
/*
* Write the 200 Response
*/
printf( " > Write to client: " );
/* Send the dynamic html page */
ssl_DynPage(&ssl);
goto reset;
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
reset:
if (client_fd != -1)
net_close(client_fd);
ssl_session_reset( &ssl );
}
}
int32_t bctbx_x509_certificate_parse(bctbx_x509_certificate_t *cert, const char *buffer, size_t buffer_length) {
return x509parse_crt((x509_cert *)cert, (const unsigned char *)buffer, buffer_length+1);
}
/**
* @brief SSL client task.
* @param pvParameters not used
* @retval None
*/
void ssl_client(void const * argument)
{
int ret, len, server_fd;
unsigned char buf[1024];
ssl_context ssl;
x509_cert cacert;
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
/*
* Initialize certificates
*/
printf( " . Loading the CA root certificate ..." );
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
#endif
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/* Start the connection */
do
{
printf(( "\n\rSSL : Start the connection \n\r"));
printf("\n\rConnecting to tcp/%s/ Port:%4d...", SSL_SERVER_NAME, SSL_SERVER_PORT);
/* Bint the connection to SSL server port */
ret = net_connect(&server_fd, SSL_SERVER_NAME, SSL_SERVER_PORT);
if(ret != 0)
{
/* Connection to SSL server failed */
printf(" failed \n\r ! net_connect returned %d\n\r", -ret);
/* Wait 500 ms until next retry */
vTaskDelay(500);
}
}while(ret!=0);
printf( " ok\n\r" );
/*
* 2. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n\r", ret );
goto exit;
}
printf( " ok\n\r" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
ssl_set_rng( &ssl, RandVal , NULL );
ssl_set_dbg( &ssl, my_debug, NULL);
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
/* Set max ssl version to TLS v1.1 because TLS v1.2 needs SHA-256 for HASH
which is not supported by STM32F417xx Hardware*/
ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2);
/*
* Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n\r", -ret );
goto exit;
}
}
printf( " ok\n\r" );
/*
* Verify the server certificate
*/
printf( "\n\r . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n\r" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n\r" );
}
else
printf( " ok\n\r" );
/*
* Write the GET request
*/
printf( " > Write to server:" );
len = sprintf( (char *) buf, GET_REQUEST );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n\r", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n\r%s", len, (char *) buf );
/*
* Read the HTTP response
*/
printf( " < Read from server:" );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n\r ! ssl_read returned %d\n\n\r", ret );
break;
}
if( ret == 0 )
{
printf( "\n\nEOF\n\n\r" );
break;
}
len = ret;
printf( " %d bytes read\n\n\r%s", len, (char *) buf );
}
while( 1 );
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n\r", ret, error_buf );
}
#endif
x509_free( &cacert );
net_close( server_fd );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
/* Infinite loop */
for( ;; )
{
/* Toggle LED1 */
BSP_LED_Toggle(LED1);
/* Insert 400 ms delay */
osDelay(400);
}
}
int main( int argc, char *argv[] )
{
int ret, len, server_fd;
unsigned char buf[1024];
char *pers = "ssl_client1";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert cacert;
((void) argc);
((void) argv);
/*
* 0. Initialize the RNG and the session data
*/
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 0. Initialize certificates
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
#endif
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1. Start the connection
*/
printf( " . Connecting to tcp/%s/%4d...", SERVER_NAME,
SERVER_PORT );
fflush( stdout );
if( ( ret = net_connect( &server_fd, SERVER_NAME,
SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
/*
* 3. Write the GET request
*/
printf( " > Write to server:" );
fflush( stdout );
len = sprintf( (char *) buf, GET_REQUEST );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s", len, (char *) buf );
/*
* 7. Read the HTTP response
*/
printf( " < Read from server:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n ! ssl_read returned %d\n\n", ret );
break;
}
if( ret == 0 )
{
printf( "\n\nEOF\n\n" );
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 1 );
ssl_close_notify( &ssl );
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
x509_free( &cacert );
net_close( server_fd );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( void )
{
int ret, len;
int listen_fd;
int client_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert srvcert;
rsa_context rsa;
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_key( &rsa, (unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Wait until a client connects
*/
#ifdef WIN32
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
memset( &ssl, 0, sizeof( ssl ) );
accept:
net_close( client_fd );
ssl_free( &ssl );
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the RNG and SSL data...." );
fflush( stdout );
havege_init( &hs );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto accept;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
ssl_set_scb( &ssl, my_get_session,
my_set_session );
ssl_set_ciphers( &ssl, my_ciphers );
ssl_set_session( &ssl, 1, 0, &ssn );
memset( &ssn, 0, sizeof( ssl_session ) );
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto accept;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_TRY_AGAIN )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned %d\n", ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 0 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_cipher( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto accept;
}
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ssl_close_notify( &ssl );
goto accept;
exit:
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
cur = s_list_1st;
while( cur != NULL )
{
prv = cur;
cur = cur->next;
memset( prv, 0, sizeof( ssl_session ) );
free( prv );
}
memset( &ssl, 0, sizeof( ssl_context ) );
#ifdef WIN32
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret, len;
int listen_fd;
int client_fd = -1;
unsigned char buf[1024];
const char *pers = "ssl_server";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert srvcert;
rsa_context rsa;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
#endif
((void) argc);
((void) argv);
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_init( &cache );
#endif
/*
* 1. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
rsa_init( &rsa, RSA_PKCS_V15, 0 );
ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Seed the RNG
*/
printf( " . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/
printf( " . Setting up the SSL data...." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
printf( " ok\n" );
reset:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
if( client_fd != -1 )
net_close( client_fd );
ssl_session_reset( &ssl );
/*
* 3. Wait until a client connects
*/
#if defined(_WIN32_WCE)
{
SHELLEXECUTEINFO sei;
ZeroMemory( &sei, sizeof( SHELLEXECUTEINFO ) );
sei.cbSize = sizeof( SHELLEXECUTEINFO );
sei.fMask = 0;
sei.hwnd = 0;
sei.lpVerb = _T( "open" );
sei.lpFile = _T( "https://localhost:4433/" );
sei.lpParameters = NULL;
sei.lpDirectory = NULL;
sei.nShow = SW_SHOWNORMAL;
ShellExecuteEx( &sei );
}
#elif defined(_WIN32)
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
printf( " ok\n" );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto reset;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
if( ret > 0 )
break;
}
while( 1 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto reset;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ret = 0;
goto reset;
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0, len, server_fd;
unsigned char buf[1024];
#if defined(POLARSSL_BASE64_C)
unsigned char base[1024];
#endif
char hostname[32];
char *pers = "ssl_mail_client";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
ssl_session ssn;
x509_cert cacert;
x509_cert clicert;
rsa_context rsa;
int i;
size_t j, n;
char *p, *q;
const int *list;
/*
* Make sure memory references are valid.
*/
server_fd = 0;
memset( &ssn, 0, sizeof( ssl_session ) );
memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
memset( &clicert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) );
if( argc == 0 )
{
usage:
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.authentication = DFL_AUTHENTICATION;
opt.mode = DFL_MODE;
opt.user_name = DFL_USER_NAME;
opt.user_pwd = DFL_USER_PWD;
opt.mail_from = DFL_MAIL_FROM;
opt.mail_to = DFL_MAIL_TO;
opt.ca_file = DFL_CA_FILE;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
for( i = 1; i < argc; i++ )
{
n = strlen( argv[i] );
for( j = 0; j < n; j++ )
{
if( argv[i][j] == '=')
break;
if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
argv[i][j] |= 0x20;
}
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "authentication" ) == 0 )
{
opt.authentication = atoi( q );
if( opt.authentication < 0 || opt.authentication > 1 )
goto usage;
}
else if( strcmp( p, "mode" ) == 0 )
{
opt.mode = atoi( q );
if( opt.mode < 0 || opt.mode > 1 )
goto usage;
}
else if( strcmp( p, "user_name" ) == 0 )
opt.user_name = q;
else if( strcmp( p, "user_pwd" ) == 0 )
opt.user_pwd = q;
else if( strcmp( p, "mail_from" ) == 0 )
opt.mail_from = q;
else if( strcmp( p, "mail_to" ) == 0 )
opt.mail_to = q;
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = -1;
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] <= 0 )
goto usage;
opt.force_ciphersuite[1] = 0;
}
else
goto usage;
}
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
printf( " . Loading the client cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
ret = x509parse_crtfile( &clicert, opt.crt_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
#else
{
ret = -1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
#if defined(POLARSSL_FS_IO)
if( strlen( opt.key_file ) )
ret = x509parse_keyfile( &rsa, opt.key_file, "" );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
strlen( test_cli_key ), NULL, 0 );
#else
{
ret = -1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Start the connection
*/
printf( " . Connecting to tcp/%s/%-4d...", opt.server_name,
opt.server_port );
fflush( stdout );
if( ( ret = net_connect( &server_fd, opt.server_name,
opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
if( opt.force_ciphersuite[0] == DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
else
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, opt.server_name );
if( opt.mode == MODE_SSL_TLS )
{
if( do_handshake( &ssl, &opt ) != 0 )
goto exit;
printf( " > Get header from server:" );
fflush( stdout );
ret = write_ssl_and_get_response( &ssl, buf, 0 );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write EHLO to server:" );
fflush( stdout );
gethostname( hostname, 32 );
len = sprintf( (char *) buf, "EHLO %s\n", hostname );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
}
else
{
printf( " > Get header from server:" );
fflush( stdout );
ret = write_and_get_response( server_fd, buf, 0 );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write EHLO to server:" );
fflush( stdout );
gethostname( hostname, 32 );
len = sprintf( (char *) buf, "EHLO %s\n", hostname );
ret = write_and_get_response( server_fd, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write STARTTLS to server:" );
fflush( stdout );
gethostname( hostname, 32 );
len = sprintf( (char *) buf, "STARTTLS\n" );
ret = write_and_get_response( server_fd, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
if( do_handshake( &ssl, &opt ) != 0 )
goto exit;
}
#if defined(POLARSSL_BASE64_C)
if( opt.authentication )
{
printf( " > Write AUTH LOGIN to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "AUTH LOGIN\n" );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write username to server: %s", opt.user_name );
fflush( stdout );
n = sizeof( buf );
len = base64_encode( base, &n, (unsigned char *) opt.user_name, strlen( opt.user_name ) );
len = sprintf( (char *) buf, "%s\n", base );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 300 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write password to server: %s", opt.user_pwd );
fflush( stdout );
len = base64_encode( base, &n, (unsigned char *) opt.user_pwd, strlen( opt.user_pwd ) );
len = sprintf( (char *) buf, "%s\n", base );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
}
#endif
printf( " > Write MAIL FROM to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "MAIL FROM:<%s>\n", opt.mail_from );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write RCPT TO to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "RCPT TO:<%s>\n", opt.mail_to );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write DATA to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "DATA\n" );
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 300 || ret > 399 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
printf( " > Write content to server:" );
fflush( stdout );
len = sprintf( (char *) buf, "From: %s\nSubject: PolarSSL Test mail\n\n"
"This is a simple test mail from the "
"PolarSSL mail client example.\n"
"\n"
"Enjoy!", opt.mail_from );
ret = write_ssl_data( &ssl, buf, len );
len = sprintf( (char *) buf, "\r\n.\r\n");
ret = write_ssl_and_get_response( &ssl, buf, len );
if( ret < 200 || ret > 299 )
{
printf( " failed\n ! server responded with %d\n\n", ret );
goto exit;
}
printf(" ok\n" );
ssl_close_notify( &ssl );
exit:
if( server_fd )
net_close( server_fd );
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret = 0, len;
int listen_fd;
int client_fd = -1;
unsigned char buf[1024];
const char *pers = "ssl_server2";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert cacert;
x509_cert srvcert;
rsa_context rsa;
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_context cache;
#endif
int i;
char *p, *q;
const int *list;
/*
* Make sure memory references are valid.
*/
listen_fd = 0;
memset( &cacert, 0, sizeof( x509_cert ) );
memset( &srvcert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_init( &cache );
#endif
if( argc == 0 )
{
usage:
if( ret == 0 )
ret = 1;
printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit;
}
opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.min_version = DFL_MIN_VERSION;
opt.auth_mode = DFL_AUTH_MODE;
for( i = 1; i < argc; i++ )
{
p = argv[i];
if( ( q = strchr( p, '=' ) ) == NULL )
goto usage;
*q++ = '\0';
if( strcmp( p, "server_port" ) == 0 )
{
opt.server_port = atoi( q );
if( opt.server_port < 1 || opt.server_port > 65535 )
goto usage;
}
else if( strcmp( p, "debug_level" ) == 0 )
{
opt.debug_level = atoi( q );
if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage;
}
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 )
opt.key_file = q;
else if( strcmp( p, "force_ciphersuite" ) == 0 )
{
opt.force_ciphersuite[0] = -1;
opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
if( opt.force_ciphersuite[0] <= 0 )
{
ret = 2;
goto usage;
}
opt.force_ciphersuite[1] = 0;
}
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ? SSL_RENEGOTIATION_ENABLED :
SSL_RENEGOTIATION_DISABLED;
}
else if( strcmp( p, "allow_legacy" ) == 0 )
{
opt.allow_legacy = atoi( q );
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
goto usage;
}
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_0;
else if( strcmp( q, "tls1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_1;
else if( strcmp( q, "tls1_1" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_2;
else if( strcmp( q, "tls1_2" ) == 0 )
opt.min_version = SSL_MINOR_VERSION_3;
else
goto usage;
}
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
opt.auth_mode = SSL_VERIFY_NONE;
else if( strcmp( q, "optional" ) == 0 )
opt.auth_mode = SSL_VERIFY_OPTIONAL;
else if( strcmp( q, "required" ) == 0 )
opt.auth_mode = SSL_VERIFY_REQUIRED;
else
goto usage;
}
else
goto usage;
}
/*
* 0. Initialize the RNG and the session data
*/
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_path ) )
ret = x509parse_crtpath( &cacert, opt.ca_path );
else if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/*
* 1.2. Load own certificate and private key
*/
printf( " . Loading the server cert. and key..." );
fflush( stdout );
#if defined(POLARSSL_FS_IO)
if( strlen( opt.crt_file ) )
ret = x509parse_crtfile( &srvcert, opt.crt_file );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
#if defined(POLARSSL_FS_IO)
if( strlen( opt.key_file ) )
ret = x509parse_keyfile( &rsa, opt.key_file, "" );
else
#endif
#if defined(POLARSSL_CERTS_C)
ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
#else
{
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
}
#endif
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on tcp://localhost:%-4d/ ...", opt.server_port );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_bind returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, opt.auth_mode );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
ssl_cache_set, &cache );
#endif
if( opt.force_ciphersuite[0] == DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, my_ciphersuites );
else
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
#if defined(POLARSSL_DHM_C)
/*
* Use different group than default DHM group
*/
ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P,
POLARSSL_DHM_RFC5114_MODP_2048_G );
#endif
if( opt.min_version != -1 )
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
printf( " ok\n" );
reset:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: %d - %s\n\n", ret, error_buf );
}
#endif
if( client_fd != -1 )
net_close( client_fd );
ssl_session_reset( &ssl );
/*
* 3. Wait until a client connects
*/
#if defined(_WIN32_WCE)
{
SHELLEXECUTEINFO sei;
ZeroMemory( &sei, sizeof( SHELLEXECUTEINFO ) );
sei.cbSize = sizeof( SHELLEXECUTEINFO );
sei.fMask = 0;
sei.hwnd = 0;
sei.lpVerb = _T( "open" );
sei.lpFile = _T( "https://localhost:4433/" );
sei.lpParameters = NULL;
sei.lpDirectory = NULL;
sei.nShow = SW_SHOWNORMAL;
ShellExecuteEx( &sei );
}
#elif defined(_WIN32)
ShellExecute( NULL, "open", "https://localhost:4433/",
NULL, NULL, SW_SHOWNORMAL );
#endif
client_fd = -1;
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned -0x%x\n\n", -ret );
goto exit;
}
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
printf( " ok\n" );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto reset;
}
}
printf( " ok\n [ Ciphersuite is %s ]\n",
ssl_get_ciphersuite( &ssl ) );
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( !ssl_get_peer_cert( &ssl ) )
printf( " ! no client certificate sent\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! client certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! client certificate has been revoked\n" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
if( ssl_get_peer_cert( &ssl ) )
{
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
}
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned -0x%x\n", -ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
if( ret > 0 )
break;
}
while( 1 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto reset;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
ret = 0;
goto reset;
exit:
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
char error_buf[100];
error_strerror( ret, error_buf, 100 );
printf("Last error was: -0x%X - %s\n\n", -ret, error_buf );
}
#endif
net_close( client_fd );
x509_free( &srvcert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_free( &ssl );
#if defined(POLARSSL_SSL_CACHE_C)
ssl_cache_free( &cache );
#endif
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( int argc, char *argv[] )
{
int ret, len, cnt = 0, pid;
int listen_fd;
int client_fd;
unsigned char buf[1024];
const char *pers = "ssl_fork_server";
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
x509_cert srvcert;
rsa_context rsa;
((void) argc);
((void) argv);
signal( SIGCHLD, SIG_IGN );
/*
* 0. Initial seeding of the RNG
*/
printf( "\n . Initial seeding of the random generator..." );
fflush( stdout );
entropy_init( &entropy );
if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_init returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1. Load the certificates and private RSA key
*/
printf( " . Loading the server cert. and key..." );
fflush( stdout );
memset( &srvcert, 0, sizeof( x509_cert ) );
/*
* This demonstration program uses embedded test certificates.
* Instead, you may want to use x509parse_crtfile() to read the
* server and CA certificates, as well as x509parse_keyfile().
*/
ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
strlen( test_srv_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
rsa_init( &rsa, RSA_PKCS_V15, 0 );
ret = x509parse_key( &rsa, (const unsigned char *) test_srv_key,
strlen( test_srv_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
*/
printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
{
printf( " failed\n ! net_bind returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
while( 1 )
{
/*
* 3. Wait until a client connects
*/
client_fd = -1;
memset( &ssl, 0, sizeof( ssl ) );
printf( " . Waiting for a remote connection ..." );
fflush( stdout );
if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
{
printf( " failed\n ! net_accept returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3.5. Forking server thread
*/
pid = fork();
printf( " . Forking to handle connection ..." );
fflush( stdout );
if( pid < 0 )
{
printf(" failed\n ! fork returned %d\n\n", pid );
goto exit;
}
printf( " ok\n" );
if( pid != 0 )
{
if( ( ret = ctr_drbg_reseed( &ctr_drbg,
(const unsigned char *) "parent",
6 ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_reseed returned %d\n", ret );
goto exit;
}
close( client_fd );
continue;
}
close( listen_fd );
/*
* 4. Setup stuff
*/
printf( " . Setting up the SSL data...." );
fflush( stdout );
if( ( ret = ctr_drbg_reseed( &ctr_drbg,
(const unsigned char *) "child",
5 ) ) != 0 )
{
printf( " failed\n ! ctr_drbg_reseed returned %d\n", ret );
goto exit;
}
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd,
net_send, &client_fd );
ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
/*
* 5. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 6. Read the HTTP Request
*/
printf( " < Read from client:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
continue;
if( ret <= 0 )
{
switch( ret )
{
case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
printf( " connection was closed gracefully\n" );
break;
case POLARSSL_ERR_NET_CONN_RESET:
printf( " connection was reset by peer\n" );
break;
default:
printf( " ssl_read returned %d\n", ret );
break;
}
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 0 );
/*
* 7. Write the 200 Response
*/
printf( " > Write to client:" );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_ciphersuite( &ssl ) );
while( cnt < 100 )
{
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret == POLARSSL_ERR_NET_CONN_RESET )
{
printf( " failed\n ! peer closed the connection\n\n" );
goto exit;
}
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s\n", len, (char *) buf );
m_sleep( 1000 );
}
ssl_close_notify( &ssl );
goto exit;
}
exit:
net_close( client_fd );
x509_free( &srvcert );
rsa_free( &rsa );
ssl_free( &ssl );
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
int main( void )
{
int ret, len, server_fd;
unsigned char buf[1024];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert cacert;
x509_cert clicert;
rsa_context rsa;
/*
* 0. Initialize the RNG and the session data
*/
havege_init( &hs );
memset( &ssn, 0, sizeof( ssl_session ) );
/*
* 1.1. Load the trusted CA
*/
printf( "\n . Loading the CA root certificate ..." );
fflush( stdout );
memset( &cacert, 0, sizeof( x509_cert ) );
/*
* Alternatively, you may load the CA certificates from a .pem or
* .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
*/
ret = x509parse_crt( &cacert, (unsigned char *) xyssl_ca_crt,
strlen( xyssl_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
printf( " . Loading the client cert. and key..." );
fflush( stdout );
memset( &clicert, 0, sizeof( x509_cert ) );
ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
strlen( test_cli_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
strlen( test_cli_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Start the connection
*/
printf( " . Connecting to tcp/%s/%-4d...", SERVER_NAME,
SERVER_PORT );
fflush( stdout );
if( ( ret = net_connect( &server_fd, SERVER_NAME,
SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 3. Setup stuff
*/
printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
havege_init( &hs );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, SERVER_NAME );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
printf( " ok\n [ Cipher is %s ]\n",
ssl_get_cipher( &ssl ) );
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
printf( " . Peer certificate information ...\n" );
printf( "%s", x509parse_cert_info( " ", ssl.peer_cert ) );
/*
* 6. Write the GET request
*/
printf( " > Write to server:" );
fflush( stdout );
len = sprintf( (char *) buf, GET_REQUEST );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
printf( " %d bytes written\n\n%s", len, (char *) buf );
/*
* 7. Read the HTTP response
*/
printf( " < Read from server:" );
fflush( stdout );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == POLARSSL_ERR_NET_TRY_AGAIN )
continue;
if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret <= 0 )
{
printf( "failed\n ! ssl_read returned %d\n\n", ret );
break;
}
len = ret;
printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 0 );
ssl_close_notify( &ssl );
exit:
net_close( server_fd );
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
#ifdef WIN32
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( ret );
}
/*
int ctr_drbg_randomx( void *p_rng,
unsigned char *output, size_t output_len ){
char *getEntropyFromZRTP_tmp(unsigned char *p, int iBytes);
getEntropyFromZRTP_tmp(output,(int)output_len);
return 0;
}
*/
int CTTLS::_connect(ADDR *address) {
addrConnected=*address;
// int server_fd=((T_SSL*)pSSL)->sock;
ssl_context *ssl=&((T_SSL*)pSSL)->ssl;
x509_cert *ca=&((T_SSL*)pSSL)->cacert;
#if 0
static int ssl_default_ciphersuitesz[] =
{
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
// SSL_EDH_RSA_AES_128_SHA,
SSL_EDH_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
SSL_EDH_RSA_CAMELLIA_128_SHA,
SSL_EDH_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_DES_C)
SSL_EDH_RSA_DES_168_SHA,
#endif
#endif
#if defined(POLARSSL_AES_C)
SSL_RSA_AES_256_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
SSL_RSA_CAMELLIA_256_SHA,
#endif
#if defined(POLARSSL_AES_C)
// SSL_RSA_AES_128_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
// SSL_RSA_CAMELLIA_128_SHA,
#endif
#if defined(POLARSSL_DES_C)
SSL_RSA_DES_168_SHA,
#endif
#if defined(POLARSSL_ARC4_C)
SSL_RSA_RC4_128_SHA,
SSL_RSA_RC4_128_MD5,
#endif
0
};
#else
const int ssl_default_ciphersuitesz[] =
{
#if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
#endif
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
#if defined(POLARSSL_SHA2_C)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
#endif
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
#endif
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
#if defined(POLARSSL_SHA2_C)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
#endif
#if defined(POLARSSL_DES_C)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
#endif
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
TLS_RSA_WITH_AES_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
TLS_RSA_WITH_AES_256_GCM_SHA384,
#endif /* POLARSSL_SHA2_C */
TLS_RSA_WITH_AES_256_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_SHA2_C)
TLS_RSA_WITH_AES_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
TLS_RSA_WITH_AES_128_GCM_SHA256,
#endif /* POLARSSL_SHA2_C */
TLS_RSA_WITH_AES_128_CBC_SHA,
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
#endif /* POLARSSL_SHA2_C */
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
#endif
#if defined(POLARSSL_DES_C)
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
#endif
#if defined(POLARSSL_ARC4_C)
// TLS_RSA_WITH_RC4_128_SHA,
// TLS_RSA_WITH_RC4_128_MD5,
#endif
0
};
#endif
if(iCallingConnect)return 0;
CTAutoIntUnlock _a(&iCallingConnect);
if(!iClosed) {
puts("destr tls");
closeSocket();
Sleep(100);
puts("destr tls ok");
}
char bufX[64];
address->toStr(&bufX[0],0);
int iIncPort=0;
if(address->getPort()==5060)iIncPort++;//TODO fix
iConnected=0;
int ret;
memset( ca, 0, sizeof( x509_cert ) );
do {
#define CERT_VERIFY
int iCertErr=1;
#ifdef CERT_VERIFY
char *p=cert;
if(cert) {
iCertErr = x509parse_crt( ca, (unsigned char *) p, strlen( p ) );
}
#endif
puts(&bufX[0]);
if(net_connect(&(((T_SSL*)pSSL)->sock),&bufX[0],address->getPort()+iIncPort))
break;
iLastTLSSOCK_TEST=(((T_SSL*)pSSL)->sock);
iNeedCallCloseSocket=1;
#ifndef _WIN32
int on=1;
setsockopt((((T_SSL*)pSSL)->sock), SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on));//new 05052012
//TODO set this if need backgr only
#endif
relTcpBGSock(((T_SSL*)pSSL)->voipBCKGR);
((T_SSL*)pSSL)->voipBCKGR=prepareTcpSocketForBg(((T_SSL*)pSSL)->sock);
initEntropy();
if( ( ret = ssl_init( ssl ) ) != 0 )
{
error_strerror(ret,&bufErr[0],sizeof(bufErr)-1);
tivi_slog("ssl_init[%s]",&bufErr[0]);
break;
}
ssl_set_endpoint( ssl, SSL_IS_CLIENT );
ssl_set_authmode( ssl,iCertErr==0?SSL_VERIFY_OPTIONAL:SSL_VERIFY_NONE );
ssl_set_rng( ssl, ctr_drbg_random, &((T_SSL*)pSSL)->ctr_drbg );
ssl_set_dbg( ssl, my_debug, stdout );
ssl_set_bio( ssl, net_recv, (void*)&(((T_SSL*)pSSL)->sock),
net_send, (void*)&(((T_SSL*)pSSL)->sock) );
ssl_set_ciphersuites( ssl, ssl_default_ciphersuitesz );
//ssl_set_session( ssl, 1, 600, &((T_SSL*)pSSL)->ssn );//will timeout after 600, and will be resumed
// ssl_set_session( ssl, 1, 0, &((T_SSL*)pSSL)->ssn );//will never timeout, and will be resumed
iCertFailed=0;
#ifdef CERT_VERIFY
if(iCertErr==0) {
ssl_set_ca_chain( ssl, ca, NULL, &bufCertHost[0] );
ssl_set_hostname( ssl, &bufCertHost[0] );
checkCert();
}
#endif
iClosed=0;
iConnected=1;
addrConnected=*address;
} while(0);
return 0;
}
int main( int argc, char *argv[] )
{
int ret, len, server_fd;
unsigned char buf[2];
havege_state hs;
ssl_context ssl;
ssl_session ssn;
x509_cert cacert;
x509_cert clicert;
rsa_context rsa;
char *SERVER_NAME = argv[1];
char GET_REQUEST[128];
sprintf( GET_REQUEST, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2],
argv[1] );
/*
* 0. Initialize the RNG and the session data
*/
havege_init( &hs );
memset( &ssn, 0, sizeof( ssl_session ) );
memset( &cacert, 0, sizeof( x509_cert ) );
/*
* Alternatively, you may load the CA certificates from a .pem or
* .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
*/
ret = x509parse_crt( &cacert, ( unsigned char * )xyssl_ca_crt,
strlen( xyssl_ca_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
/*
* 1.2. Load own certificate and private key
*
* (can be skipped if client authentication is not required)
*/
memset( &clicert, 0, sizeof( x509_cert ) );
ret = x509parse_crt( &clicert, ( unsigned char * )test_cli_crt,
strlen( test_cli_crt ) );
if( ret != 0 )
{
printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
goto exit;
}
ret = x509parse_key( &rsa, ( unsigned char * )test_cli_key,
strlen( test_cli_key ), NULL, 0 );
if( ret != 0 )
{
printf( " failed\n ! x509parse_key returned %d\n\n", ret );
goto exit;
}
if( ( ret = net_connect( &server_fd, SERVER_NAME, SERVER_PORT ) ) != 0 )
{
printf( " failed\n ! net_connect returned %d\n\n", ret );
goto exit;
}
havege_init( &hs );
if( ( ret = ssl_init( &ssl ) ) != 0 )
{
printf( " failed\n ! ssl_init returned %d\n\n", ret );
goto exit;
}
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_rng( &ssl, havege_rand, &hs );
ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers );
ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, SERVER_NAME );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != XYSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
goto exit;
}
}
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( "certificate check failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
len = sprintf( ( char * )buf, GET_REQUEST );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{
if( ret != XYSSL_ERR_NET_TRY_AGAIN )
{
printf( " failed\n ! ssl_write returned %d\n\n", ret );
goto exit;
}
}
len = ret;
/*
* 7. Read the HTTP response
*/
fflush( stdout );
FILE *out = fopen( argv[3], "wb" );
int found = 0;
int offset = 0;
do
{
offset = 0;
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = ssl_read( &ssl, buf, len );
if( ret == XYSSL_ERR_NET_TRY_AGAIN )
continue;
if( ret == XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret <= 0 )
{
printf( "failed\n ! ssl_read returned %d\n\n", ret );
break;
}
if( found < 4 )
{
if( found == 0 || found == 2 )
if( buf[0] == '\r' )
{
found++;
continue;
}
else
found = 0;
if( found == 1 || found == 3 )
if( buf[0] == '\n' )
{
found++;
continue;
}
else
found = 0;
}
else
putc( buf[0], out );
len = ret;
}
while( 1 );
ssl_close_notify( &ssl );
exit:
fclose( out );
net_close( server_fd );
x509_free( &clicert );
x509_free( &cacert );
rsa_free( &rsa );
ssl_free( &ssl );
memset( &ssl, 0, sizeof( ssl ) );
return ( ret );
}
