/** Associate an SSL object with a socket and return it.
* \param sock socket descriptor to associate with an SSL object.
* \return pointer to SSL object.
*/
SSL *
ssl_setup_socket(int sock)
{
SSL *ssl;
BIO *bio;
ssl = SSL_new(ctx);
bio = BIO_new_socket(sock, BIO_NOCLOSE);
BIO_set_nbio(bio, 1);
SSL_set_bio(ssl, bio, bio);
return ssl;
}
/** Associate an SSL object with a socket and return it.
* \param sock socket descriptor to associate with an SSL object.
* \return pointer to SSL object.
*/
SSL *
ssl_setup_socket(int sock)
{
SSL *ssl;
BIO *bio;
ssl = ssl_alloc_struct();
bio = BIO_new_socket(sock, BIO_NOCLOSE);
BIO_set_nbio(bio, 1);
SSL_set_bio(ssl, bio, bio);
return ssl;
}
SSL *ssl_new(SSL_CTX *ctx,int s)
{
BIO *sbio;
SSL *ssl;
ssl = SSL_new(ctx);
if (!ssl) return 0;
sbio = BIO_new_socket(s,BIO_NOCLOSE);
if (!sbio) return 0;
SSL_set_bio(ssl,sbio,sbio);
return ssl;
}
static protocol_t *
protocol_ssl_accept(protocol_t * p, void *options)
{
protocol_t *newp;
struct sockaddr_in remote;
socklen_t addrlen;
int ret;
ssl_private_t *ssl_p = (ssl_private_t *) p->_protocol_p;
ssl_private_t *new_ssl_p;
struct sockaddr name;
char hostname[128];
flowop_options_t *flowop_options = (flowop_options_t *) options;
BIO *sbio;
newp = protocol_ssl_new();
new_ssl_p = (ssl_private_t *) newp->_protocol_p;
addrlen = (socklen_t) sizeof (remote);
uperf_debug("ssl - ssl obj waiting for accept\n");
newp->fd = accept(p->fd, (struct sockaddr *) &remote,
&addrlen);
if (newp->fd < 0) {
uperf_log_msg(UPERF_LOG_ERROR, errno, "accept");
return (NULL);
}
if (getnameinfo((const struct sockaddr *) & remote, addrlen,
hostname, sizeof (hostname), NULL, 0, 0) == 0) {
uperf_debug("ssl - Connection from %s:%d\n", hostname,
SOCK_PORT(remote));
strlcpy(newp->host, hostname, sizeof (newp->host));
newp->port = SOCK_PORT(remote);
}
if (flowop_options) {
if ((load_engine(flowop_options->engine)) == -1) {
uperf_info(
"ssl - Engine %s does NOT exist! Using the default OpenSSL softtoken",
flowop_options->engine);
}
}
sbio = BIO_new_socket(newp->fd, BIO_NOCLOSE);
if (!(new_ssl_p->ssl = SSL_new(ctx))) {
uperf_log_msg(UPERF_LOG_ERROR, 0, "SSL_new error");
return (NULL);
}
SSL_set_bio(new_ssl_p->ssl, sbio, sbio);
ret = SSL_accept(new_ssl_p->ssl);
if (my_ssl_error(new_ssl_p->ssl, ret) == 0) {
return (newp);
} else {
return (0);
}
}
/* Main Entry */
int main(int argc, char **argv)
{
// init connection object
Connection conn;
memset(&conn, 0, sizeof(conn));
conn.port = PORT; // assign default port
conn.host = HOST;
// Parse arguments
parseArguments(argc, argv, &conn);
// init SSL library
conn.sslContext = initSSLContext(CLIENT_CERTIFICATE, CA_CERTIFICATE);
SSL_CTX_set_options(conn.sslContext, SSL_OP_NO_SSLv2);
SSL_CTX_set_cipher_list(conn.sslContext, "SHA1");
// Connect
if (tcpConnect(&conn) < 0){
tcpDisconnect(&conn);
exit(0);
}
SSL * ssl = SSL_new(conn.sslContext);
BIO * sbio = BIO_new_socket(conn.socket, BIO_NOCLOSE);
SSL_set_bio(ssl, sbio, sbio);
int ret;
ret = SSL_connect(ssl);
if (ret <= 0){
printf(FMT_CONNECT_ERR);
handleError(ssl, ret);
}
else{
// Process Message
if (checkServerCertification(ssl) == OK){
processMessage(ssl);
}
}
// close ssl connection
if (!SSL_shutdown(ssl)){
tcpDisconnect(&conn);
SSL_shutdown(ssl);
}
SSL_free(ssl);
// Disconnect
tcpDisconnect(&conn);
destroySSLContext(conn.sslContext);
return 1;
}
static int rdp_serve(SSL_CTX * ctx, int sock, BIO *bio_err)
{
// TODO test behavior if we wai for receiving some data on unencrypted socket before commuting to SSL
SocketTransport sockettransport("TestTLSServer", sock, "", 0, 0xFFFFFFF);
char buf[1024];
char * pbuf = buf;
sockettransport.recv(&pbuf, 14);
if(0 != strcmp(buf, "REDEMPTION\r\n\r\n")){
fprintf(stderr,"failed to read expected hello\n");
exit(0);
}
printf("received plain text HELLO, going TLS\n");
sockettransport.tls = new TLSContext();
BIO * sbio = BIO_new_socket(sock, BIO_NOCLOSE);
SSL * ssl = SSL_new(ctx);
SSL_set_bio(ssl, sbio, sbio);
int r = SSL_accept(ssl);
if(r <= 0)
{
BIO_printf(bio_err, "SSL accept error\n");
ERR_print_errors(bio_err);
exit(0);
}
sockettransport.tls->allocated_ctx = ctx;
sockettransport.tls->allocated_ssl = ssl;
sockettransport.tls->io = ssl;
sockettransport.send("Server: Redemption Server\r\n\r\n", 29);
sockettransport.send("Server test page\r\n", 18);
// r = SSL_shutdown(ssl);
// if(!r){
/* If we called SSL_shutdown() first then we always get return value of '0'.
In this case, try again, but first send a TCP FIN to trigger the other side's close_notify*/
// shutdown(sock, 1);
// r=SSL_shutdown(ssl);
// }
// SSL_free(ssl);
return(0);
}
void sslsocket::complete_secure_connect()
{
// create SSL and BIO objects and then initialize ssl client mode.
// setup SSL session now that we have TCP connection.
SSL_CTX* ctx = context_.ssl();
ssl_ = SSL_new(ctx);
if (!ssl_)
throw std::runtime_error("SSL_new failed");
// create new IO object
bio_ = BIO_new_socket(socket_, BIO_NOCLOSE);
if (!bio_)
throw std::runtime_error("BIO_new_socket failed");
// connect the IO object with SSL, this takes the ownership
// of the BIO object.
SSL_set_bio(ssl_, bio_, bio_);
ERR_clear_error();
// go into client mode.
while (true)
{
const int ret = SSL_connect(ssl_);
if (ret == 1)
break;
const int err = SSL_get_error(ssl_, ret);
switch (err)
{
case SSL_ERROR_WANT_READ:
ssl_wait_read();
break;
case SSL_ERROR_WANT_WRITE:
ssl_wait_write();
break;
case SSL_ERROR_SYSCALL:
if (ret == -1)
throw std::system_error(get_last_socket_error(),
"SSL socket I/O error");
// fallthrough intended
default:
throw std::runtime_error("SSL_connect failed");
}
}
}
herror_t
hssl_server_ssl(hsocket_t * sock)
{
SSL *ssl;
int ret;
BIO *sbio;
if (!enabled)
return H_OK;
log_verbose2("Starting SSL initialization for socket %d", sock->sock);
if (!(ssl = SSL_new(context)))
{
log_warn1("SSL_new failed");
return herror_new("hssl_server_ssl", HSSL_ERROR_SERVER,
"Cannot create SSL object");
}
/* SSL_set_fd(ssl, sock->sock); */
sbio = BIO_new_socket(sock->sock, BIO_NOCLOSE);
if (sbio == NULL)
{
log_error1("BIO_new_socket failed");
return NULL;
}
// BIO_set_callback(sbio, hssl_bio_cb);
sbio->method->bread = _hssl_bio_read;
SSL_set_bio(ssl, sbio, sbio);
if ((ret = SSL_accept(ssl)) <= 0)
{
herror_t err;
log_error2("SSL_accept failed (%s)", _hssl_get_error(ssl, ret));
err =
herror_new("hssl_server_ssl", HSSL_ERROR_SERVER,
"SSL_accept failed (%s)", _hssl_get_error(ssl, ret));
SSL_free(ssl);
return err;
}
sock->ssl = ssl;
return H_OK;
}
/*@C
PetscHTTPSConnect - connect to a HTTPS server
Input Parameters:
+ host - the name of the machine hosting the HTTPS server
. port - the port number where the server is hosting, usually 443
- ctx - value obtained with PetscSSLInitializeContext()
Output Parameters:
+ sock - socket to connect
- ssl - the argument passed to PetscHTTPSRequest()
Level: advanced
.seealso: PetscOpenSocket(), PetscHTTPSRequest(), PetscSSLInitializeContext()
@*/
PetscErrorCode PetscHTTPSConnect(const char host[],int port,SSL_CTX *ctx,int *sock,SSL **ssl)
{
BIO *sbio;
PetscErrorCode ierr;
PetscFunctionBegin;
/* Connect the TCP socket*/
ierr = PetscOpenSocket(host,port,sock);CHKERRQ(ierr);
/* Connect the SSL socket */
*ssl = SSL_new(ctx);
sbio = BIO_new_socket(*sock,BIO_NOCLOSE);
SSL_set_bio(*ssl,sbio,sbio);
if (SSL_connect(*ssl) <= 0) SETERRQ(PETSC_COMM_SELF,PETSC_ERR_LIB,"SSL connect error");
PetscFunctionReturn(0);
}
tls_t *tls_init_master(tls_issues_t *ti)
{
/* Default id in case RAND fails */
unsigned char sessionId[32] = "sofia/tls";
tls_t *tls;
#if HAVE_SIGPIPE
signal(SIGPIPE, SIG_IGN); /* Ignore spurios SIGPIPE from OpenSSL */
#endif
tls_set_default(ti);
if (!(tls = tls_create(tls_master)))
return NULL;
if (tls_init_context(tls, ti) < 0) {
int err = errno;
tls_free(tls);
errno = err;
return NULL;
}
RAND_pseudo_bytes(sessionId, sizeof(sessionId));
SSL_CTX_set_session_id_context(tls->ctx,
(void*) sessionId,
sizeof(sessionId));
if (ti->CAfile != NULL)
SSL_CTX_set_client_CA_list(tls->ctx,
SSL_load_client_CA_file(ti->CAfile));
#if 0
if (sock != -1) {
tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE);
if (tls->bio_con == NULL) {
tls_log_errors(1, "tls_init_master", 0);
tls_free(tls);
errno = EIO;
return NULL;
}
}
#endif
return tls;
}
int kTLSAccept(int handle,void **tlsssl,void **tlssession)
{
BIO *bio;
SSL *ssl;
int ofcmode;
bool flg;
if(!TLSctx){return(RETURN_NG);}
/* すでに存在するソケットを用いてBIOオブジェクトを生成する。BIOオブジェクトが破棄されてもソケットはクローズされない */
bio=BIO_new_socket(handle,BIO_NOCLOSE);
/* SSLオブジェクトを生成する */
ssl=SSL_new(TLSctx);
/* SSLオブジェクトに読み込み/書き込み用BIOオブジェクトをバインドする */
SSL_set_bio(ssl,bio,bio);
/* 認証 */
if (SSL_accept(ssl) <= 0){
kLogWrite(L_ERROR,"%s: Error accepting SSL connection",__FUNCTION__);
TLSClose(ssl,0);
return(RETURN_NG);
}
/* 非ブロックモードに変更 */
ofcmode=fcntl(handle,F_GETFL,0);
ofcmode|=O_NDELAY;
if(fcntl(handle,F_SETFL,ofcmode)){
kLogWrite(L_ERROR,"%s: Couldn't make socket nonblocking",__FUNCTION__);
TLSClose(ssl,0);
return(RETURN_NG);
}
/* Nagle アルゴリズムを無効にする */
if(!NagleFlag){
flg=true;
if(setsockopt(handle,IPPROTO_TCP,TCP_NODELAY,(char*)&flg,sizeof(flg))){
kLogWrite(L_ERROR,"%s: Couldn't setsocktopt TCP_NODELAY",__FUNCTION__);
}
}
*tlsssl=(void*)ssl;
*tlssession=(void*)SSL_get_session(ssl);
kLogWrite(L_TLS,"%s: TLS Accept socket nonblocking OK",__FUNCTION__);
return(RETURN_OK);
}
int
ssl_connect(thread_t * thread)
{
SOCK *sock_obj = THREAD_ARG(thread);
int ret;
sock_obj->ssl = SSL_new(req->ctx);
sock_obj->bio = BIO_new_socket(sock_obj->fd, BIO_NOCLOSE);
BIO_set_nbio(sock_obj->bio, 1); /* Set the Non-Blocking flag */
SSL_set_bio(sock_obj->ssl, sock_obj->bio, sock_obj->bio);
ret = SSL_connect(sock_obj->ssl);
DBG(" SSL_connect return code = %d on fd:%d\n", ret, thread->u.fd);
ssl_printerr(SSL_get_error(sock_obj->ssl, ret));
return (ret > 0) ? 1 : 0;
}
PUBLIC int sslUpgrade(Webs *wp)
{
WebsSocket *sptr;
BIO *bio;
assert(wp);
sptr = socketPtr(wp->sid);
if ((wp->ssl = SSL_new(sslctx)) == 0) {
return -1;
}
if ((bio = BIO_new_socket(sptr->sock, BIO_NOCLOSE)) == 0) {
return -1;
}
SSL_set_bio(wp->ssl, bio, bio);
SSL_set_accept_state(wp->ssl);
SSL_set_app_data(wp->ssl, (void*) wp);
return 0;
}
R_API RSocket *r_socket_accept(RSocket *s) {
RSocket *sock;
socklen_t salen = sizeof (s->sa);
if (!s) {
return NULL;
}
sock = R_NEW0 (RSocket);
if (!sock) {
return NULL;
}
//signal (SIGPIPE, SIG_DFL);
sock->fd = accept (s->fd, (struct sockaddr *)&s->sa, &salen);
if (sock->fd == -1) {
if (errno != EWOULDBLOCK) {
// not just a timeout
r_sys_perror ("accept");
}
free (sock);
return NULL;
}
#if HAVE_LIB_SSL
sock->is_ssl = s->is_ssl;
if (sock->is_ssl) {
sock->sfd = NULL;
sock->ctx = NULL;
sock->bio = NULL;
BIO *sbio = BIO_new_socket (sock->fd, BIO_NOCLOSE);
sock->sfd = SSL_new (s->ctx);
SSL_set_bio (sock->sfd, sbio, sbio);
if (SSL_accept (sock->sfd) <= 0) {
r_socket_free (sock);
return NULL;
}
sock->bio = BIO_new (BIO_f_buffer ());
sbio = BIO_new (BIO_f_ssl ());
BIO_set_ssl (sbio, sock->sfd, BIO_CLOSE);
BIO_push (sock->bio, sbio);
}
#else
sock->is_ssl = 0;
#endif
return sock;
}
int connect_ssl(int socket_h, SSL_CTX *client_ctx, SSL **ssl_h, BIO **s_bio, int timeout)
{
int dummy;
// FIXME handle t/o
#if 0
int rc;
struct timeval to;
fd_set rfds;
FD_ZERO(&rfds);
FD_SET(socket_h, &rfds);
to.tv_sec = timeout / 1000;
to.tv_usec = (timeout - (to.tv_sec * 1000)) * 1000;
/* wait for connection */
rc = select(socket_h + 1, &rfds, NULL, NULL, &to);
if (rc == 0)
return -2; /* timeout */
else if (rc == -1)
{
if (errno == EINTR)
return -3; /* ^C pressed */
else
return -1; /* error */
}
#endif
*ssl_h = SSL_new(client_ctx);
*s_bio = BIO_new_socket(socket_h, BIO_NOCLOSE);
SSL_set_bio(*ssl_h, *s_bio, *s_bio);
dummy = SSL_connect(*ssl_h);
if (dummy <= 0)
{
sprintf(last_error, "problem starting SSL connection: %d\n", SSL_get_error(*ssl_h, dummy));
return -1;
}
return 0;
}
tls_t *tls_init_secondary(tls_t *master, int sock, int accept)
{
tls_t *tls = tls_create(tls_slave);
if (tls) {
tls->ctx = master->ctx;
tls->type = master->type;
tls->accept = accept ? 1 : 0;
tls->verify_outgoing = master->verify_outgoing;
tls->verify_incoming = master->verify_incoming;
tls->verify_subj_out = master->verify_subj_out;
tls->verify_subj_in = master->verify_subj_in;
tls->verify_date = master->verify_date;
tls->x509_verified = master->x509_verified;
if (!(tls->read_buffer = su_alloc(tls->home, tls_buffer_size)))
su_home_unref(tls->home), tls = NULL;
}
if (!tls)
return tls;
assert(sock != -1);
tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE);
tls->con = SSL_new(tls->ctx);
if (tls->con == NULL) {
tls_log_errors(1, "tls_init_secondary", 0);
tls_free(tls);
errno = EIO;
return NULL;
}
SSL_set_bio(tls->con, tls->bio_con, tls->bio_con);
SSL_set_mode(tls->con, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_set_ex_data(tls->con, tls_ex_data_idx, tls);
su_setblocking(sock, 0);
return tls;
}
//
// Constructor
//
SSLSocket::SSLSocket(const InetAddress& address, in_port_t port, SSLContext* context)
throw(IOException, SystemException)
: Socket(address, port), _context(context), _session(NULL)
{
// TODO: check if context is != NULL
/* Connect the SSL socket */
_ssl = SSL_new(_context->_ctx);
_sbio = BIO_new_socket(_impl->_fd, BIO_NOCLOSE);
SSL_set_bio(_ssl, _sbio, _sbio);
//SSL_set_connect_state(_ssl);
// Verify certificate
if (SSL_get_verify_result(_ssl) != X509_V_OK) {
throw IOException("SSLSocket: Certificate doesn't verified");
}
_session_creation = true;
_use_client_mode = true;
}
void net::ssl::SSLConnection::setupSocket(const std::string& hostName)
{
net::Socket_T fd = mSocket->getHandle();
BIO *sbio = BIO_new_socket(fd, BIO_NOCLOSE);
SSL_set_bio(mSSL, sbio, sbio);
int val = SSL_connect(mSSL);
if(val <= 0)
{
#if defined(__DEBUG_SOCKET)
if(SSL_get_error(mSSL, val) == SSL_ERROR_WANT_CONNECT)
printf("ERROR_WANT_CONNECT\n");
else if(SSL_get_error(mSSL, val) == SSL_ERROR_ZERO_RETURN)
printf("ERROR_ZERO_RETURN\n");
else if(SSL_get_error(mSSL, val) == SSL_ERROR_SSL)
{
printf("ERROR_SSL: ");
char buffer[120];
ERR_error_string(val, buffer);
BIO_printf(mBioErr, "%s\n", buffer);
}
else if(SSL_get_error(mSSL, val) == SSL_ERROR_SYSCALL)
{
printf("ERROR_SYSCALL: ");
char buffer[120];
ERR_error_string(val, buffer);
BIO_printf(mBioErr, "%s\n", buffer);
}
else if(SSL_get_error(mSSL, val) == SSL_ERROR_NONE)
printf("NO ERROR: WHY AM I HERE?\n");
#endif
throw net::ssl::SSLException
(Ctxt(FmtX("SSL_connect failed: %d", SSL_get_error(mSSL, val))));
}
if(mServerAuthentication)
{
verifyCertificate(hostName);
}
}
/*
Upgrade a socket to use SSL
*/
PUBLIC int sslUpgrade(Webs *wp)
{
WebsSocket *sptr;
BIO *bio;
assert(wp);
sptr = socketPtr(wp->sid);
if ((wp->ssl = SSL_new(sslctx)) == 0) {
return -1;
}
/*
Create a socket bio. We don't use the BIO except as storage for the fd.
*/
if ((bio = BIO_new_socket((int) sptr->sock, BIO_NOCLOSE)) == 0) {
return -1;
}
SSL_set_bio(wp->ssl, bio, bio);
SSL_set_accept_state(wp->ssl);
SSL_set_app_data(wp->ssl, (void*) wp);
return 0;
}
int connect_ssl(int fd, SSL_CTX *client_ctx, SSL **ssl_h, BIO **s_bio, double timeout, double *ssl_handshake)
{
int dummy = -1;
double dstart = get_ts();
struct timeval tv;
tv.tv_sec = (long)(timeout / 1000.0);
tv.tv_usec = (long)(timeout * 1000.0) % 1000000;
*ssl_handshake = -1.0;
if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == -1)
{
set_error(gettext("problem setting receive timeout (%s)"), strerror(errno));
return -1;
}
if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) == -1)
{
set_error(gettext("problem setting transmit timeout (%s)"), strerror(errno));
return -1;
}
*ssl_h = SSL_new(client_ctx);
*s_bio = BIO_new_socket(fd, BIO_NOCLOSE);
SSL_set_bio(*ssl_h, *s_bio, *s_bio);
dummy = SSL_connect(*ssl_h);
if (dummy <= 0)
{
set_error(gettext("problem starting SSL connection: %d"), SSL_get_error(*ssl_h, dummy));
return -1;
}
*ssl_handshake = get_ts() - dstart;
return 0;
}
void SSLSocket::attach() {
ssl_internal_stack *stack;
if(idata != 0) {
stack = (ssl_internal_stack *)idata;
delete stack;
}
stack = new ssl_internal_stack();
stack->ssl = SSL_new((SSL_CTX *)ctx.getInternal());
stack->sbio=BIO_new_socket(tsock,BIO_NOCLOSE);
if(stack->sbio == 0x00)
throw SSLSocketAddIOFailure();
SSL_set_bio(stack->ssl, stack->sbio, stack->sbio);
if(SSL_connect(stack->ssl) <= 0)
throw SSLConnectFailed();
//Verify certificate now
int vres;
if((vres = SSL_get_verify_result(stack->ssl)) != X509_V_OK) {
#ifdef USE_DEBUG
::X509 *x5;
x5 = SSL_get_peer_certificate(stack->ssl);
X509 cert(x5);
X509_free(x5);
#endif
switch(vres) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
throw X509IssuerCertificateNotFound();
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
throw X509UnableToDecryptCertificate();
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
#ifdef USE_DEBUG
debugmsg(this, "Certificate not found locally.\n");
#endif
throw CertificateIssuerNotFoundLocally();
default:
throw SSLInvalidCertificate();
}
}
}
CONN *establish_connection(char *addr, char *port)
{
// Blank connection structure
CONN *conn = malloc(sizeof (CONN));
// Initialise connection
init_conn(conn);
// Load certificates
load_certs(conn);
// Create new SSL structure
conn->ssl = SSL_new(conn->ctx);
struct addrinfo hints, *res;
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
getaddrinfo(addr, port, &hints, &res);
conn->sd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
// Connect to server
if(connect(conn->sd, res->ai_addr, res->ai_addrlen) != 0) {
perror("connection");
}
// Set BIO into SSL structure
conn->bio = BIO_new_socket(conn->sd, BIO_NOCLOSE);
SSL_set_bio(conn->ssl, conn->bio, conn->bio);
// Perform handshake
if(SSL_connect(conn->ssl) != 1) {
perror("handshake\n");
}
printf("Connection Established\n");
return conn;
}
/* ssl_connect_to
* establish ssl connection over tcp connection
*/
SSL *ssl_connect_to(int s) {
SSL *ssl;
SSL_CTX *ctx;
BIO *sbio;
SSL_METHOD *meth;
CRYPTO_malloc_init();
SSL_load_error_strings();
SSL_library_init();
// meth = TLSv1_client_method();
meth = SSLv23_client_method();
ctx = SSL_CTX_new(meth);
ssl = SSL_new(ctx);
sbio = BIO_new_socket(s, BIO_NOCLOSE);
SSL_set_bio(ssl, sbio, sbio);
if (SSL_connect(ssl) <= 0) {
return NULL;
}
return ssl;
}
static int
protocol_ssl_connect(protocol_t * p, void *options)
{
BIO *sbio;
int status;
ssl_private_t *ssl_p = (ssl_private_t *) p->_protocol_p;
flowop_options_t *flowop_options = (flowop_options_t *) options;
uperf_debug("ssl - Connecting to %s:%d\n", p->host, p->port);
status = generic_connect(p, IPPROTO_TCP);
if (status == UPERF_SUCCESS)
set_tcp_options(p->fd, flowop_options);
if (flowop_options && (strcmp(flowop_options->engine, ""))) {
status = load_engine(flowop_options->engine);
if (status == -1) {
uperf_info(
"ssl - Engine %s does NOT exist! Using the default OpenSSL softtoken",
flowop_options->engine);
}
}
if ((ssl_p->ssl = SSL_new(ctx)) == NULL) {
ulog_err("Error initializng SSL");
return (-1);
}
sbio = BIO_new_socket(p->fd, BIO_NOCLOSE);
SSL_set_bio(ssl_p->ssl, sbio, sbio);
status = SSL_connect(ssl_p->ssl);
if (status <= 0) {
uperf_log_msg(UPERF_LOG_ERROR, 0, "ssl connect error");
return (-1);
}
return (0);
}
int
lws_client_socket_service(struct lws_context *context, struct lws *wsi,
struct lws_pollfd *pollfd)
{
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
char *p = (char *)&pt->serv_buf[0];
char *sb = p;
unsigned char c;
int n, len;
switch (wsi->mode) {
case LWSCM_WSCL_WAITING_CONNECT:
/*
* we are under PENDING_TIMEOUT_SENT_CLIENT_HANDSHAKE
* timeout protection set in client-handshake.c
*/
if (!lws_client_connect_2(wsi)) {
/* closed */
lwsl_client("closed\n");
return -1;
}
/* either still pending connection, or changed mode */
return 0;
case LWSCM_WSCL_WAITING_PROXY_REPLY:
/* handle proxy hung up on us */
if (pollfd->revents & LWS_POLLHUP) {
lwsl_warn("Proxy connection %p (fd=%d) dead\n",
(void *)wsi, pollfd->fd);
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return 0;
}
n = recv(wsi->sock, sb, LWS_MAX_SOCKET_IO_BUF, 0);
if (n < 0) {
if (LWS_ERRNO == LWS_EAGAIN) {
lwsl_debug("Proxy read returned EAGAIN... retrying\n");
return 0;
}
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
lwsl_err("ERROR reading from proxy socket\n");
return 0;
}
pt->serv_buf[13] = '\0';
if (strcmp(sb, "HTTP/1.0 200 ") &&
strcmp(sb, "HTTP/1.1 200 ")) {
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
lwsl_err("ERROR proxy: %s\n", sb);
return 0;
}
/* clear his proxy connection timeout */
lws_set_timeout(wsi, NO_PENDING_TIMEOUT, 0);
/* fallthru */
case LWSCM_WSCL_ISSUE_HANDSHAKE:
/*
* we are under PENDING_TIMEOUT_SENT_CLIENT_HANDSHAKE
* timeout protection set in client-handshake.c
*
* take care of our lws_callback_on_writable
* happening at a time when there's no real connection yet
*/
if (lws_change_pollfd(wsi, LWS_POLLOUT, 0))
return -1;
lws_libev_io(wsi, LWS_EV_STOP | LWS_EV_WRITE);
#ifdef LWS_OPENSSL_SUPPORT
/* we can retry this... just cook the SSL BIO the first time */
if (wsi->use_ssl && !wsi->ssl) {
#if defined(CYASSL_SNI_HOST_NAME) || defined(WOLFSSL_SNI_HOST_NAME) || defined(SSL_CTRL_SET_TLSEXT_HOSTNAME)
const char *hostname = lws_hdr_simple_ptr(wsi,
_WSI_TOKEN_CLIENT_HOST);
#endif
wsi->ssl = SSL_new(context->ssl_client_ctx);
#ifndef USE_WOLFSSL
SSL_set_mode(wsi->ssl,
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
/*
* use server name indication (SNI), if supported,
* when establishing connection
*/
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
#ifdef CYASSL_SNI_HOST_NAME
CyaSSL_UseSNI(wsi->ssl, CYASSL_SNI_HOST_NAME,
hostname, strlen(hostname));
#endif
#else
#ifdef WOLFSSL_SNI_HOST_NAME
wolfSSL_UseSNI(wsi->ssl, WOLFSSL_SNI_HOST_NAME,
hostname, strlen(hostname));
#endif
#endif
#else
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(wsi->ssl, hostname);
#endif
#endif
#ifdef USE_WOLFSSL
/*
* wolfSSL/CyaSSL does certificate verification differently
* from OpenSSL.
* If we should ignore the certificate, we need to set
* this before SSL_new and SSL_connect is called.
* Otherwise the connect will simply fail with error
* code -155
*/
#ifdef USE_OLD_CYASSL
if (wsi->use_ssl == 2)
CyaSSL_set_verify(wsi->ssl,
SSL_VERIFY_NONE, NULL);
#else
if (wsi->use_ssl == 2)
wolfSSL_set_verify(wsi->ssl,
SSL_VERIFY_NONE, NULL);
#endif
#endif /* USE_WOLFSSL */
wsi->client_bio =
BIO_new_socket(wsi->sock, BIO_NOCLOSE);
SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
#ifdef USE_WOLFSSL
#ifdef USE_OLD_CYASSL
CyaSSL_set_using_nonblock(wsi->ssl, 1);
#else
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
#endif
SSL_set_ex_data(wsi->ssl,
openssl_websocket_private_data_index,
context);
}
if (wsi->use_ssl) {
lws_latency_pre(context, wsi);
n = SSL_connect(wsi->ssl);
lws_latency(context, wsi,
"SSL_connect LWSCM_WSCL_ISSUE_HANDSHAKE", n, n > 0);
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
if (n == SSL_ERROR_WANT_READ)
goto some_wait;
if (n == SSL_ERROR_WANT_WRITE) {
/*
* wants us to retry connect due to
* state of the underlying ssl layer...
* but since it may be stalled on
* blocked write, no incoming data may
* arrive to trigger the retry.
* Force (possibly many times if the SSL
* state persists in returning the
* condition code, but other sockets
* are getting serviced inbetweentimes)
* us to get called back when writable.
*/
lwsl_info("%s: WANT_WRITE... retrying\n", __func__);
lws_callback_on_writable(wsi);
some_wait:
wsi->mode = LWSCM_WSCL_WAITING_SSL;
return 0; /* no error */
}
n = -1;
}
if (n <= 0) {
/*
* retry if new data comes until we
* run into the connection timeout or win
*/
n = ERR_get_error();
if (n != SSL_ERROR_NONE) {
lwsl_err("SSL connect error %lu: %s\n",
n, ERR_error_string(n, sb));
return 0;
}
}
} else
wsi->ssl = NULL;
/* fallthru */
case LWSCM_WSCL_WAITING_SSL:
if (wsi->use_ssl) {
if (wsi->mode == LWSCM_WSCL_WAITING_SSL) {
lws_latency_pre(context, wsi);
n = SSL_connect(wsi->ssl);
lws_latency(context, wsi,
"SSL_connect LWSCM_WSCL_WAITING_SSL",
n, n > 0);
if (n < 0) {
n = SSL_get_error(wsi->ssl, n);
if (n == SSL_ERROR_WANT_READ)
goto some_wait;
if (n == SSL_ERROR_WANT_WRITE) {
/*
* wants us to retry connect due to
* state of the underlying ssl layer...
* but since it may be stalled on
* blocked write, no incoming data may
* arrive to trigger the retry.
* Force (possibly many times if the SSL
* state persists in returning the
* condition code, but other sockets
* are getting serviced inbetweentimes)
* us to get called back when writable.
*/
lwsl_info("SSL_connect WANT_WRITE... retrying\n");
lws_callback_on_writable(wsi);
goto some_wait;
}
n = -1;
}
if (n <= 0) {
/*
* retry if new data comes until we
* run into the connection timeout or win
*/
n = ERR_get_error();
if (n != SSL_ERROR_NONE) {
lwsl_err("SSL connect error %lu: %s\n",
n, ERR_error_string(n, sb));
return 0;
}
}
}
#ifndef USE_WOLFSSL
/*
* See comment above about wolfSSL certificate
* verification
*/
lws_latency_pre(context, wsi);
n = SSL_get_verify_result(wsi->ssl);
lws_latency(context, wsi,
"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
n, n > 0);
if (n != X509_V_OK) {
if ((n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) && wsi->use_ssl == 2) {
lwsl_notice("accepting self-signed certificate\n");
} else {
lwsl_err("server's cert didn't look good, X509_V_ERR = %d: %s\n",
n, ERR_error_string(n, sb));
lws_close_free_wsi(wsi,
LWS_CLOSE_STATUS_NOSTATUS);
return 0;
}
}
#endif /* USE_WOLFSSL */
} else
wsi->ssl = NULL;
#endif
wsi->mode = LWSCM_WSCL_ISSUE_HANDSHAKE2;
lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_CLIENT_HS_SEND,
AWAITING_TIMEOUT);
/* fallthru */
case LWSCM_WSCL_ISSUE_HANDSHAKE2:
p = lws_generate_client_handshake(wsi, p);
if (p == NULL) {
lwsl_err("Failed to generate handshake for client\n");
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return 0;
}
/* send our request to the server */
lws_latency_pre(context, wsi);
n = lws_ssl_capable_write(wsi, (unsigned char *)sb, p - sb);
lws_latency(context, wsi, "send lws_issue_raw", n,
n == p - sb);
switch (n) {
case LWS_SSL_CAPABLE_ERROR:
lwsl_debug("ERROR writing to client socket\n");
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return 0;
case LWS_SSL_CAPABLE_MORE_SERVICE:
lws_callback_on_writable(wsi);
break;
}
wsi->u.hdr.parser_state = WSI_TOKEN_NAME_PART;
wsi->u.hdr.lextable_pos = 0;
wsi->mode = LWSCM_WSCL_WAITING_SERVER_REPLY;
lws_set_timeout(wsi, PENDING_TIMEOUT_AWAITING_SERVER_RESPONSE,
AWAITING_TIMEOUT);
break;
case LWSCM_WSCL_WAITING_SERVER_REPLY:
/* handle server hung up on us */
if (pollfd->revents & LWS_POLLHUP) {
lwsl_debug("Server connection %p (fd=%d) dead\n",
(void *)wsi, pollfd->fd);
goto bail3;
}
if (!(pollfd->revents & LWS_POLLIN))
break;
/* interpret the server response */
/*
* HTTP/1.1 101 Switching Protocols
* Upgrade: websocket
* Connection: Upgrade
* Sec-WebSocket-Accept: me89jWimTRKTWwrS3aRrL53YZSo=
* Sec-WebSocket-Nonce: AQIDBAUGBwgJCgsMDQ4PEC==
* Sec-WebSocket-Protocol: chat
*/
/*
* we have to take some care here to only take from the
* socket bytewise. The browser may (and has been seen to
* in the case that onopen() performs websocket traffic)
* coalesce both handshake response and websocket traffic
* in one packet, since at that point the connection is
* definitively ready from browser pov.
*/
len = 1;
while (wsi->u.hdr.parser_state != WSI_PARSING_COMPLETE &&
len > 0) {
n = lws_ssl_capable_read(wsi, &c, 1);
lws_latency(context, wsi, "send lws_issue_raw", n,
n == 1);
switch (n) {
case 0:
case LWS_SSL_CAPABLE_ERROR:
goto bail3;
case LWS_SSL_CAPABLE_MORE_SERVICE:
return 0;
}
if (lws_parse(wsi, c)) {
lwsl_warn("problems parsing header\n");
goto bail3;
}
}
/*
* hs may also be coming in multiple packets, there is a 5-sec
* libwebsocket timeout still active here too, so if parsing did
* not complete just wait for next packet coming in this state
*/
if (wsi->u.hdr.parser_state != WSI_PARSING_COMPLETE)
break;
/*
* otherwise deal with the handshake. If there's any
* packet traffic already arrived we'll trigger poll() again
* right away and deal with it that way
*/
return lws_client_interpret_server_handshake(wsi);
bail3:
lwsl_info("closing conn at LWS_CONNMODE...SERVER_REPLY\n");
lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS);
return -1;
case LWSCM_WSCL_WAITING_EXTENSION_CONNECT:
lwsl_ext("LWSCM_WSCL_WAITING_EXTENSION_CONNECT\n");
break;
case LWSCM_WSCL_PENDING_CANDIDATE_CHILD:
lwsl_ext("LWSCM_WSCL_PENDING_CANDIDATE_CHILD\n");
break;
default:
break;
}
return 0;
}
int MAIN(int argc, char **argv)
{
int off=0;
SSL *con=NULL,*con2=NULL;
X509_STORE *store = NULL;
int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
short port=PORT;
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
char *passarg = NULL, *pass = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
int starttls_proto = PROTO_OFF;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
#ifdef sock_type
#undef sock_type
#endif
int sock_type=SOCK_STREAM;
BIO *sbio;
char *inrand=NULL;
int mbuf_len=0;
#ifndef OPENSSL_NO_ENGINE
char *engine_id=NULL;
ENGINE *e=NULL;
#endif
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
struct timeval tv;
#endif
struct sockaddr peer;
int peerlen = sizeof(peer);
int enable_timeouts = 0 ;
long mtu = 0;
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_client_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_client_method();
#endif
apps_startup();
c_Pause=0;
c_quiet=0;
c_ign_eof=0;
c_debug=0;
c_msg=0;
c_showcerts=0;
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
verify_depth=0;
verify_error=X509_V_OK;
#ifdef FIONBIO
c_nbio=0;
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-host") == 0)
{
if (--argc < 1) goto bad;
host= *(++argv);
}
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
port=atoi(*(++argv));
if (port == 0) goto bad;
}
else if (strcmp(*argv,"-connect") == 0)
{
if (--argc < 1) goto bad;
if (!extract_host_port(*(++argv),&host,NULL,&port))
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
{
verify=SSL_VERIFY_PEER;
if (--argc < 1) goto bad;
verify_depth=atoi(*(++argv));
BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
}
else if (strcmp(*argv,"-cert") == 0)
{
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
else if (strcmp(*argv,"-certform") == 0)
{
if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv));
}
else if (strcmp(*argv,"-crl_check") == 0)
vflags |= X509_V_FLAG_CRL_CHECK;
else if (strcmp(*argv,"-crl_check_all") == 0)
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
else if (strcmp(*argv,"-prexit") == 0)
prexit=1;
else if (strcmp(*argv,"-crlf") == 0)
crlf=1;
else if (strcmp(*argv,"-quiet") == 0)
{
c_quiet=1;
c_ign_eof=1;
}
else if (strcmp(*argv,"-ign_eof") == 0)
c_ign_eof=1;
else if (strcmp(*argv,"-pause") == 0)
c_Pause=1;
else if (strcmp(*argv,"-debug") == 0)
c_debug=1;
#ifdef WATT32
else if (strcmp(*argv,"-wdebug") == 0)
dbug_init();
#endif
else if (strcmp(*argv,"-msg") == 0)
c_msg=1;
else if (strcmp(*argv,"-showcerts") == 0)
c_showcerts=1;
else if (strcmp(*argv,"-nbio_test") == 0)
nbio_test=1;
else if (strcmp(*argv,"-state") == 0)
state=1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv,"-tls1") == 0)
meth=TLSv1_client_method();
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv,"-dtls1") == 0)
{
meth=DTLSv1_client_method();
sock_type=SOCK_DGRAM;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
{
if (--argc < 1) goto bad;
mtu = atol(*(++argv));
}
#endif
else if (strcmp(*argv,"-bugs") == 0)
bugs=1;
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
key_format = str2fmt(*(++argv));
}
else if (strcmp(*argv,"-pass") == 0)
{
if (--argc < 1) goto bad;
passarg = *(++argv);
}
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
key_file= *(++argv);
}
else if (strcmp(*argv,"-reconnect") == 0)
{
reconnect=5;
}
else if (strcmp(*argv,"-CApath") == 0)
{
if (--argc < 1) goto bad;
CApath= *(++argv);
}
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
}
else if (strcmp(*argv,"-no_tls1") == 0)
off|=SSL_OP_NO_TLSv1;
else if (strcmp(*argv,"-no_ssl3") == 0)
off|=SSL_OP_NO_SSLv3;
else if (strcmp(*argv,"-no_ssl2") == 0)
off|=SSL_OP_NO_SSLv2;
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
cipher= *(++argv);
}
#ifdef FIONBIO
else if (strcmp(*argv,"-nbio") == 0)
{
c_nbio=1;
}
#endif
else if (strcmp(*argv,"-starttls") == 0)
{
if (--argc < 1) goto bad;
++argv;
if (strcmp(*argv,"smtp") == 0)
starttls_proto = PROTO_SMTP;
else if (strcmp(*argv,"pop3") == 0)
starttls_proto = PROTO_POP3;
else if (strcmp(*argv,"imap") == 0)
starttls_proto = PROTO_IMAP;
else if (strcmp(*argv,"ftp") == 0)
starttls_proto = PROTO_FTP;
else
goto bad;
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine_id = *(++argv);
}
#endif
else if (strcmp(*argv,"-rand") == 0)
{
if (--argc < 1) goto bad;
inrand= *(++argv);
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badop=1;
break;
}
argc--;
argv++;
}
if (badop)
{
bad:
sc_usage();
goto end;
}
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine_id, 1);
#endif
if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (key_file == NULL)
key_file = cert_file;
if (key_file)
{
key = load_key(bio_err, key_file, key_format, 0, pass, e,
"client certificate private key file");
if (!key)
{
ERR_print_errors(bio_err);
goto end;
}
}
if (cert_file)
{
cert = load_cert(bio_err,cert_file,cert_format,
NULL, e, "client certificate file");
if (!cert)
{
ERR_print_errors(bio_err);
goto end;
}
}
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
&& !RAND_status())
{
BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
}
if (inrand != NULL)
BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
if (bio_c_out == NULL)
{
if (c_quiet && !c_debug && !c_msg)
{
bio_c_out=BIO_new(BIO_s_null());
}
else
{
if (bio_c_out == NULL)
bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
}
}
ctx=SSL_CTX_new(meth);
if (ctx == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (bugs)
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else
SSL_CTX_set_options(ctx,off);
/* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem.
*/
if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
if (cipher != NULL)
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
BIO_printf(bio_err,"error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
#if 0
else
SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
#endif
SSL_CTX_set_verify(ctx,verify,verify_callback);
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
{
/* BIO_printf(bio_err,"error setting default verify locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
con=SSL_new(ctx);
#ifndef OPENSSL_NO_KRB5
if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
}
#endif /* OPENSSL_NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
re_start:
if (init_client(&s,host,port,sock_type) == 0)
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
goto end;
}
BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
#ifdef FIONBIO
if (c_nbio)
{
unsigned long l=1;
BIO_printf(bio_c_out,"turning on non blocking io\n");
if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
{
ERR_print_errors(bio_err);
goto end;
}
}
#endif
if (c_Pause & 0x01) con->debug=1;
if ( SSL_version(con) == DTLS1_VERSION)
{
struct timeval timeout;
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
if (getsockname(s, &peer, (void *)&peerlen) < 0)
{
BIO_printf(bio_err, "getsockname:errno=%d\n",
get_last_socket_error());
SHUTDOWN(s);
goto end;
}
(void)BIO_ctrl_set_connected(sbio, 1, &peer);
if ( enable_timeouts)
{
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_SND_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
if ( mtu > 0)
{
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(con, mtu);
}
else
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
}
else
sbio=BIO_new_socket(s,BIO_NOCLOSE);
if (nbio_test)
{
BIO *test;
test=BIO_new(BIO_f_nbio_test());
sbio=BIO_push(test,sbio);
}
if (c_debug)
{
con->debug=1;
BIO_set_callback(sbio,bio_dump_callback);
BIO_set_callback_arg(sbio,(char *)bio_c_out);
}
if (c_msg)
{
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_out);
}
SSL_set_bio(con,sbio,sbio);
SSL_set_connect_state(con);
/* ok, lets connect */
width=SSL_get_fd(con)+1;
read_tty=1;
write_tty=0;
tty_on=0;
read_ssl=1;
write_ssl=1;
cbuf_len=0;
cbuf_off=0;
sbuf_len=0;
sbuf_off=0;
/* This is an ugly hack that does a lot of assumptions */
/* We do have to handle multi-line responses which may come
in a single packet or not. We therefore have to use
BIO_gets() which does need a buffering BIO. So during
the initial chitchat we do push a buffering BIO into the
chain that is removed again later on to not disturb the
rest of the s_client operation. */
if (starttls_proto == PROTO_SMTP)
{
int foundit=0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* wait for multi-line response to end from SMTP */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
}
while (mbuf_len>3 && mbuf[3]=='-');
/* STARTTLS command requires EHLO... */
BIO_printf(fbio,"EHLO openssl.client.net\r\n");
(void)BIO_flush(fbio);
/* wait for multi-line response to end EHLO SMTP response */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
if (strstr(mbuf,"STARTTLS"))
foundit=1;
}
while (mbuf_len>3 && mbuf[3]=='-');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"didn't found starttls in server response,"
" try anyway...\n");
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
else if (starttls_proto == PROTO_POP3)
{
BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
else if (starttls_proto == PROTO_IMAP)
{
int foundit=0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_gets(fbio,mbuf,BUFSIZZ);
/* STARTTLS command requires CAPABILITY... */
BIO_printf(fbio,". CAPABILITY\r\n");
(void)BIO_flush(fbio);
/* wait for multi-line CAPABILITY response */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
if (strstr(mbuf,"STARTTLS"))
foundit=1;
}
while (mbuf_len>3 && mbuf[0]!='.');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"didn't found STARTTLS in server response,"
" try anyway...\n");
BIO_printf(sbio,". STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
else if (starttls_proto == PROTO_FTP)
{
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* wait for multi-line response to end from FTP */
do
{
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
}
while (mbuf_len>3 && mbuf[3]=='-');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
BIO_printf(sbio,"AUTH TLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
for (;;)
{
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (SSL_in_init(con) && !SSL_total_renegotiations(con))
{
in_init=1;
tty_on=0;
}
else
{
tty_on=1;
if (in_init)
{
in_init=0;
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
if (starttls_proto)
{
BIO_printf(bio_err,"%s",mbuf);
/* We don't need to know any more */
starttls_proto = PROTO_OFF;
}
if (reconnect)
{
reconnect--;
BIO_printf(bio_c_out,"drop connection and then reconnect\n");
SSL_shutdown(con);
SSL_set_connect_state(con);
SHUTDOWN(SSL_get_fd(con));
goto re_start;
}
}
}
ssl_pending = read_ssl && SSL_pending(con);
if (!ssl_pending)
{
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
if (tty_on)
{
if (read_tty) FD_SET(fileno(stdin),&readfds);
if (write_tty) FD_SET(fileno(stdout),&writefds);
}
if (read_ssl)
FD_SET(SSL_get_fd(con),&readfds);
if (write_ssl)
FD_SET(SSL_get_fd(con),&writefds);
#else
if(!tty_on || !write_tty) {
if (read_ssl)
FD_SET(SSL_get_fd(con),&readfds);
if (write_ssl)
FD_SET(SSL_get_fd(con),&writefds);
}
#endif
/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
/* Note: under VMS with SOCKETSHR the second parameter
* is currently of type (int *) whereas under other
* systems it is (void *) if you don't have a cast it
* will choke the compiler: if you do have a cast then
* you can either go for (int *) or (void *).
*/
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
/* Under Windows/DOS we make the assumption that we can
* always write to the tty: therefore if we need to
* write to the tty we just fall through. Otherwise
* we timeout the select every second and see if there
* are any keypresses. Note: this is a hack, in a proper
* Windows application we wouldn't do this.
*/
i=0;
if(!write_tty) {
if(read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
if(!i && (!_kbhit() || !read_tty) ) continue;
#else
if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
#endif
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
#elif defined(OPENSSL_SYS_NETWARE)
if(!write_tty) {
if(read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
#else
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
#endif
if ( i < 0)
{
BIO_printf(bio_err,"bad select %d\n",
get_last_socket_error());
goto shut;
/* goto end; */
}
}
if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
{
k=SSL_write(con,&(cbuf[cbuf_off]),
(unsigned int)cbuf_len);
switch (SSL_get_error(con,k))
{
case SSL_ERROR_NONE:
cbuf_off+=k;
cbuf_len-=k;
if (k <= 0) goto end;
/* we have done a write(con,NULL,0); */
if (cbuf_len <= 0)
{
read_tty=1;
write_ssl=0;
}
else /* if (cbuf_len > 0) */
{
read_tty=0;
write_ssl=1;
}
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out,"write W BLOCK\n");
write_ssl=1;
read_tty=0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out,"write R BLOCK\n");
write_tty=0;
read_ssl=1;
write_ssl=0;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out,"write X BLOCK\n");
break;
case SSL_ERROR_ZERO_RETURN:
if (cbuf_len != 0)
{
BIO_printf(bio_c_out,"shutdown\n");
goto shut;
}
else
{
read_tty=1;
write_ssl=0;
break;
}
case SSL_ERROR_SYSCALL:
if ((k != 0) || (cbuf_len != 0))
{
BIO_printf(bio_err,"write:errno=%d\n",
get_last_socket_error());
goto shut;
}
else
{
read_tty=1;
write_ssl=0;
}
break;
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
/* Assume Windows/DOS can always write */
else if (!ssl_pending && write_tty)
#else
else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
#endif
{
#ifdef CHARSET_EBCDIC
ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
#endif
i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len);
if (i <= 0)
{
BIO_printf(bio_c_out,"DONE\n");
goto shut;
/* goto end; */
}
sbuf_len-=i;;
sbuf_off+=i;
if (sbuf_len <= 0)
{
read_ssl=1;
write_tty=0;
}
}
else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
{
#ifdef RENEG
{ static int iiii; if (++iiii == 52) {
SSL_renegotiate(con);
iiii=0;
}
}
#endif
#if 1
k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
#else
/* Demo for pending and peek :-) */
k=SSL_read(con,sbuf,16);
{ char zbuf[10240];
printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
}
#endif
switch (SSL_get_error(con,k))
{
case SSL_ERROR_NONE:
if (k <= 0)
goto end;
sbuf_off=0;
sbuf_len=k;
read_ssl=0;
write_tty=1;
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out,"read W BLOCK\n");
write_ssl=1;
read_tty=0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out,"read R BLOCK\n");
write_tty=0;
read_ssl=1;
if ((read_tty == 0) && (write_ssl == 0))
write_ssl=1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out,"read X BLOCK\n");
break;
case SSL_ERROR_SYSCALL:
BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
goto shut;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_c_out,"closed\n");
goto shut;
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
/* break; */
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
else if (_kbhit())
#else
else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
#endif
#elif defined (OPENSSL_SYS_NETWARE)
else if (_kbhit())
#else
else if (FD_ISSET(fileno(stdin),&readfds))
#endif
{
if (crlf)
{
int j, lf_num;
i=read(fileno(stdin),cbuf,BUFSIZZ/2);
lf_num = 0;
/* both loops are skipped when i <= 0 */
for (j = 0; j < i; j++)
if (cbuf[j] == '\n')
lf_num++;
for (j = i-1; j >= 0; j--)
{
cbuf[j+lf_num] = cbuf[j];
if (cbuf[j] == '\n')
{
lf_num--;
i++;
cbuf[j+lf_num] = '\r';
}
}
assert(lf_num == 0);
}
else
i=read(fileno(stdin),cbuf,BUFSIZZ);
if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
{
BIO_printf(bio_err,"DONE\n");
goto shut;
}
if ((!c_ign_eof) && (cbuf[0] == 'R'))
{
BIO_printf(bio_err,"RENEGOTIATING\n");
SSL_renegotiate(con);
cbuf_len=0;
}
else
{
cbuf_len=i;
cbuf_off=0;
#ifdef CHARSET_EBCDIC
ebcdic2ascii(cbuf, cbuf, i);
#endif
}
write_ssl=1;
read_tty=0;
}
}
shut:
SSL_shutdown(con);
SHUTDOWN(SSL_get_fd(con));
ret=0;
end:
if(prexit) print_stuff(bio_c_out,con,1);
if (con != NULL) SSL_free(con);
if (con2 != NULL) SSL_free(con2);
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
if (key)
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
if (cbuf != NULL) {
OPENSSL_cleanse(cbuf,BUFSIZZ);
OPENSSL_free(cbuf);
}
if (sbuf != NULL) {
OPENSSL_cleanse(sbuf,BUFSIZZ);
OPENSSL_free(sbuf);
}
if (mbuf != NULL) {
OPENSSL_cleanse(mbuf,BUFSIZZ);
OPENSSL_free(mbuf);
}
if (bio_c_out != NULL)
{
BIO_free(bio_c_out);
bio_c_out=NULL;
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
static int acpt_state(BIO *b, BIO_ACCEPT *c)
{
BIO *bio = NULL, *dbio;
int s = -1;
int i;
again:
switch (c->state) {
case ACPT_S_BEFORE:
if (c->param_addr == NULL) {
BIOerr(BIO_F_ACPT_STATE, BIO_R_NO_ACCEPT_PORT_SPECIFIED);
return (-1);
}
s = BIO_get_accept_socket(c->param_addr, c->bind_mode);
if (s == INVALID_SOCKET)
return (-1);
if (c->accept_nbio) {
if (!BIO_socket_nbio(s, 1)) {
closesocket(s);
BIOerr(BIO_F_ACPT_STATE,
BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET);
return (-1);
}
}
c->accept_sock = s;
b->num = s;
c->state = ACPT_S_GET_ACCEPT_SOCKET;
return (1);
/* break; */
case ACPT_S_GET_ACCEPT_SOCKET:
if (b->next_bio != NULL) {
c->state = ACPT_S_OK;
goto again;
}
BIO_clear_retry_flags(b);
b->retry_reason = 0;
i = BIO_accept(c->accept_sock, &(c->addr));
/* -2 return means we should retry */
if (i == -2) {
BIO_set_retry_special(b);
b->retry_reason = BIO_RR_ACCEPT;
return -1;
}
if (i < 0)
return (i);
bio = BIO_new_socket(i, BIO_CLOSE);
if (bio == NULL)
goto err;
BIO_set_callback(bio, BIO_get_callback(b));
BIO_set_callback_arg(bio, BIO_get_callback_arg(b));
if (c->nbio) {
if (!BIO_socket_nbio(i, 1)) {
BIOerr(BIO_F_ACPT_STATE,
BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET);
goto err;
}
}
/*
* If the accept BIO has an bio_chain, we dup it and put the new
* socket at the end.
*/
if (c->bio_chain != NULL) {
if ((dbio = BIO_dup_chain(c->bio_chain)) == NULL)
goto err;
if (!BIO_push(dbio, bio))
goto err;
bio = dbio;
}
if (BIO_push(b, bio) == NULL)
goto err;
c->state = ACPT_S_OK;
return (1);
err:
if (bio != NULL)
BIO_free(bio);
else if (s >= 0)
closesocket(s);
return (0);
/* break; */
case ACPT_S_OK:
if (b->next_bio == NULL) {
c->state = ACPT_S_GET_ACCEPT_SOCKET;
goto again;
}
return (1);
/* break; */
default:
return (0);
/* break; */
}
}
int anetSSLAccept( char *err, int fd, struct redisServer server, anetSSLConnection *ctn) {
ctn->sd = -1;
ctn->ctx = NULL;
ctn->ssl = NULL;
ctn->bio = NULL;
ctn->conn_str = NULL;
if( fd == -1 ) {
return ANET_ERR;
}
ctn->sd = fd;
// Create the SSL Context ( server method )
SSL_CTX* ctx = SSL_CTX_new(TLSv1_1_server_method());
ctn->ctx = ctx;
/*
You will need to generate certificates, the root certificate authority file, the private key file, and the random file yourself.
Google will help. The openssl executable created when you compiled OpenSSL can do all this.
*/
// Load trusted root authorities
SSL_CTX_load_verify_locations(ctx, server.ssl_root_file, server.ssl_root_dir);
// Sets the default certificate password callback function. Read more under the Certificate Verification section.
if( NULL != server.ssl_srvr_cert_passwd ) {
global_ssl_cert_password = server.ssl_srvr_cert_passwd;
SSL_CTX_set_default_passwd_cb(ctx, password_callback);
}
// Sets the certificate file to be used.
SSL_CTX_use_certificate_file(ctx, server.ssl_cert_file, SSL_FILETYPE_PEM);
// Sets the private key file to be used.
SSL_CTX_use_PrivateKey_file(ctx, server.ssl_pk_file, SSL_FILETYPE_PEM);
// Set the maximum depth to be used verifying certificates
// Due to a bug, this is not enforced. The verify callback must enforce it.
SSL_CTX_set_verify_depth(ctx, 1);
// Set the certificate verification callback.
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER /* | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */, verify_callback);
/*
End certificate verification setup.
*/
// We need to load the Diffie-Hellman key exchange parameters.
// First load dh1024.pem (you DID create it, didn't you?)
BIO* bio = BIO_new_file(server.ssl_dhk_file, "r");
// Did we get a handle to the file?
if (bio == NULL) {
anetSetError(err, "SSL Accept: Couldn't open DH param file");
anetCleanupSSL( ctn);
return ANET_ERR;
}
// Read in the DH params.
DH* ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
// Free up the BIO object.
BIO_free(bio);
// Set up our SSL_CTX to use the DH parameters.
if (SSL_CTX_set_tmp_dh(ctx, ret) < 0) {
anetSetError(err, "SSL Accept: Couldn't set DH parameters");
anetCleanupSSL( ctn );
return ANET_ERR;
}
// Now we need to generate a RSA key for use.
// 1024-bit key. If you want to use something stronger, go ahead but it must be a power of 2. Upper limit should be 4096.
RSA* rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL);
// Set up our SSL_CTX to use the generated RSA key.
if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
anetSetError(err, "SSL Accept: Couldn't set RSA Key");
anetCleanupSSL( ctn );
return ANET_ERR;
}
// Free up the RSA structure.
RSA_free(rsa);
/*
For some reason many tutorials don't include this...
Servers must specify the ciphers they can use, to verify that both the client and the server can use the same cipher.
If you don't do this, you'll get errors relating to "no shared ciphers" or "no common ciphers".
Use all ciphers with the exception of: ones with anonymous Diffie-Hellman, low-strength ciphers, export ciphers, md5 hashing. Ordered from strongest to weakest.
Note that as ciphers become broken, it will be necessary to change the available cipher list to remain secure.
*/
if( NULL == server.ssl_srvr_cipher_list || 0 == strlen(server.ssl_srvr_cipher_list) )
SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
else
SSL_CTX_set_cipher_list(ctx, server.ssl_srvr_cipher_list);
// Set up our SSL object as before
SSL* ssl = SSL_new(ctx);
ctn->ssl = ssl;
// Set up our BIO object to use the client socket
BIO* sslclient = BIO_new_socket(fd, BIO_NOCLOSE);
ctn->bio = sslclient;
// Set up our SSL object to use the BIO.
SSL_set_bio(ssl, sslclient, sslclient);
// Do SSL handshaking.
int r = SSL_accept(ssl);
// Something failed. Print out all the error information, since all of it may be relevant to the problem.
if (r != 1) {
char error[65535];
ERR_error_string_n(ERR_get_error(), error, 65535);
anetSetError(err, "SSL Accept: Error %d - %s ", SSL_get_error(ssl, r), error );
// We failed to accept this client connection.
// Ideally here you'll drop the connection and continue on.
anetCleanupSSL( ctn );
return ANET_ERR;
}
/* Verify certificate */
if (SSL_get_verify_result(ssl) != X509_V_OK) {
anetSetError(err, "SSL Accept: Certificate failed verification!");
// Ideally here you'll close this connection and continue on.
anetCleanupSSL( ctn );
return ANET_ERR;
}
return ANET_OK;
}
/*
* Establishes the connection to the Duo server. On successful return,
* req->cbio is connected and ready to use.
* Return HTTPS_OK on success, error code on failure.
*/
static HTTPScode
_establish_connection(struct https_request * const req,
const char * const api_host,
const char * const api_port)
{
#ifndef HAVE_GETADDRINFO
/* Systems that don't have getaddrinfo can use the BIO
wrappers, but only get IPv4 support. */
int n;
if ((req->cbio = BIO_new(BIO_s_connect())) == NULL) {
ctx->errstr = _SSL_strerror();
return HTTPS_ERR_LIB;
}
BIO_set_conn_hostname(req->cbio, api_host);
BIO_set_conn_port(req->cbio, api_port);
BIO_set_nbio(req->cbio, 1);
while (BIO_do_connect(req->cbio) <= 0) {
if ((n = _BIO_wait(req->cbio, 10000)) != 1) {
ctx->errstr = n ? _SSL_strerror() :
"Connection timed out";
return (n ? HTTPS_ERR_SYSTEM : HTTPS_ERR_SERVER);
}
}
return HTTPS_OK;
#else /* HAVE_GETADDRINFO */
/* IPv6 Support
* BIO wrapped io does not support IPv6 addressing. To work around,
* resolve the address and connect the socket manually. Then pass
* the connected socket to the BIO wrapper with BIO_new_socket.
*/
int connected_socket = -1;
int socket_error = 0;
/* Address Lookup */
struct addrinfo *res = NULL;
struct addrinfo *cur_res = NULL;
struct addrinfo hints;
int error;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
error = getaddrinfo(api_host,
api_port,
&hints,
&res);
if (error) {
ctx->errstr = gai_strerror(error);
return HTTPS_ERR_SYSTEM;
}
/* Connect */
for (cur_res = res; cur_res; cur_res = cur_res->ai_next) {
int connretries = 3;
while (connected_socket == -1 && connretries--) {
int sock_flags;
connected_socket = socket(cur_res->ai_family,
cur_res->ai_socktype,
cur_res->ai_protocol);
if (connected_socket == -1) {
continue;
}
sock_flags = fcntl(connected_socket, F_GETFL, 0);
fcntl(connected_socket, F_SETFL, sock_flags|O_NONBLOCK);
if (connect(connected_socket, cur_res->ai_addr, cur_res->ai_addrlen) != 0 &&
errno != EINPROGRESS) {
close(connected_socket);
connected_socket = -1;
break;
}
socket_error = _fd_wait(connected_socket, 10000);
if (socket_error != 1) {
close(connected_socket);
connected_socket = -1;
continue;
}
/* Connected! */
break;
}
}
cur_res = NULL;
freeaddrinfo(res);
res = NULL;
if (connected_socket == -1) {
ctx->errstr = "Failed to connect";
return socket_error ? HTTPS_ERR_SYSTEM : HTTPS_ERR_SERVER;
}
if ((req->cbio = BIO_new_socket(connected_socket, BIO_CLOSE)) == NULL) {
ctx->errstr = _SSL_strerror();
return (HTTPS_ERR_LIB);
}
BIO_set_conn_hostname(req->cbio, api_host);
BIO_set_conn_port(req->cbio, api_port);
BIO_set_nbio(req->cbio, 1);
return HTTPS_OK;
#endif /* HAVE_GETADDRINFO */
}
int openconnect_open_https(struct openconnect_info *vpninfo)
{
method_const SSL_METHOD *ssl3_method;
SSL *https_ssl;
BIO *https_bio;
int ssl_sock;
int err;
if (vpninfo->https_ssl)
return 0;
if (vpninfo->peer_cert) {
X509_free(vpninfo->peer_cert);
vpninfo->peer_cert = NULL;
}
ssl_sock = connect_https_socket(vpninfo);
if (ssl_sock < 0)
return ssl_sock;
ssl3_method = TLSv1_client_method();
if (!vpninfo->https_ctx) {
vpninfo->https_ctx = SSL_CTX_new(ssl3_method);
/* Some servers (or their firewalls) really don't like seeing
extensions. */
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_NO_TICKET);
#endif
if (vpninfo->cert) {
err = load_certificate(vpninfo);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Loading certificate failed. Aborting.\n"));
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return err;
}
check_certificate_expiry(vpninfo);
}
/* We just want to do:
SSL_CTX_set_purpose(vpninfo->https_ctx, X509_PURPOSE_ANY);
... but it doesn't work with OpenSSL < 0.9.8k because of
problems with inheritance (fixed in v1.1.4.6 of
crypto/x509/x509_vpm.c) so we have to play silly buggers
instead. This trick doesn't work _either_ in < 0.9.7 but
I don't know of _any_ workaround which will, and can't
be bothered to find out either. */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx,
ssl_app_verify_callback, NULL);
#endif
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
#ifdef ANDROID_KEYSTORE
if (vpninfo->cafile && !strncmp(vpninfo->cafile, "keystore:", 9)) {
STACK_OF(X509_INFO) *stack;
X509_STORE *store;
X509_INFO *info;
BIO *b = BIO_from_keystore(vpninfo, vpninfo->cafile);
if (!b) {
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
stack = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
BIO_free(b);
if (!stack) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to read certs from CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -ENOENT;
}
store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
while ((info = sk_X509_INFO_pop(stack))) {
if (info->x509)
X509_STORE_add_cert(store, info->x509);
if (info->crl)
X509_STORE_add_crl(store, info->crl);
X509_INFO_free(info);
}
sk_X509_INFO_free(stack);
} else
#endif
if (vpninfo->cafile) {
if (!SSL_CTX_load_verify_locations(vpninfo->https_ctx, vpninfo->cafile, NULL)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
}
}
https_ssl = SSL_new(vpninfo->https_ctx);
workaround_openssl_certchain_bug(vpninfo, https_ssl);
https_bio = BIO_new_socket(ssl_sock, BIO_NOCLOSE);
BIO_set_nbio(https_bio, 1);
SSL_set_bio(https_ssl, https_bio, https_bio);
vpn_progress(vpninfo, PRG_INFO, _("SSL negotiation with %s\n"),
vpninfo->hostname);
while ((err = SSL_connect(https_ssl)) <= 0) {
fd_set wr_set, rd_set;
int maxfd = ssl_sock;
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
err = SSL_get_error(https_ssl, err);
if (err == SSL_ERROR_WANT_READ)
FD_SET(ssl_sock, &rd_set);
else if (err == SSL_ERROR_WANT_WRITE)
FD_SET(ssl_sock, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("SSL connection failure\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL connection cancelled\n"));
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
}
if (verify_peer(vpninfo, https_ssl)) {
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
vpninfo->ssl_fd = ssl_sock;
vpninfo->https_ssl = https_ssl;
/* Stash this now, because it might not be available later if the
server has disconnected. */
vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
vpn_progress(vpninfo, PRG_INFO, _("Connected to HTTPS on %s\n"),
vpninfo->hostname);
return 0;
}
