static const SSL_METHOD *dtls1_get_client_method(int ver)
{
if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
return (DTLSv1_client_method());
else if (ver == DTLS1_2_VERSION)
return (DTLSv1_2_client_method());
else
return (NULL);
}
void echoclient_test(void* args)
{
SOCKET_T sockfd = 0;
FILE* fin = stdin ;
FILE* fout = stdout;
int inCreated = 0;
int outCreated = 0;
char msg[1024];
char reply[1024+1];
SSL_METHOD* method = 0;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
int doDTLS = 0;
int doPSK = 0;
int sendSz;
int argc = 0;
char** argv = 0;
word16 port = yasslPort;
((func_args*)args)->return_code = -1; /* error state */
#ifndef WOLFSSL_MDK_SHELL
argc = ((func_args*)args)->argc;
argv = ((func_args*)args)->argv;
#endif
if (argc >= 2) {
fin = fopen(argv[1], "r");
inCreated = 1;
}
if (argc >= 3) {
fout = fopen(argv[2], "w");
outCreated = 1;
}
if (!fin) err_sys("can't open input file");
if (!fout) err_sys("can't open output file");
#ifdef CYASSL_DTLS
doDTLS = 1;
#endif
#ifdef CYASSL_LEANPSK
doPSK = 1;
#endif
#if defined(NO_RSA) && !defined(HAVE_ECC)
doPSK = 1;
#endif
#if defined(NO_MAIN_DRIVER) && !defined(USE_WINDOWS_API) && !defined(WOLFSSL_MDK_SHELL)
port = ((func_args*)args)->signal->port;
#endif
#if defined(CYASSL_DTLS)
method = DTLSv1_2_client_method();
#elif !defined(NO_TLS)
method = CyaSSLv23_client_method();
#elif defined(WOLFSSL_ALLOW_SSLV3)
method = SSLv3_client_method();
#else
#error "no valid client method type"
#endif
ctx = SSL_CTX_new(method);
#ifndef NO_FILESYSTEM
#ifndef NO_RSA
if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#endif
#ifdef HAVE_ECC
if (SSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#endif
#elif !defined(NO_CERTS)
if (!doPSK)
load_buffer(ctx, caCert, CYASSL_CA);
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
SSL_CTX_set_cipher_list(ctx, "AES256-SHA");
#endif
if (doPSK) {
#ifndef NO_PSK
const char *defaultCipherList;
CyaSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
#ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS)
err_sys("client can't set cipher list 2");
#endif
}
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if defined(WOLFSSL_MDK_ARM)
CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
#endif
ssl = SSL_new(ctx);
tcp_connect(&sockfd, yasslIP, port, doDTLS, ssl);
SSL_set_fd(ssl, sockfd);
#if defined(USE_WINDOWS_API) && defined(CYASSL_DTLS) && defined(NO_MAIN_DRIVER)
/* let echoserver bind first, TODO: add Windows signal like pthreads does */
Sleep(100);
#endif
if (SSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed");
while (fgets(msg, sizeof(msg), fin) != 0) {
sendSz = (int)strlen(msg);
if (SSL_write(ssl, msg, sendSz) != sendSz)
err_sys("SSL_write failed");
if (strncmp(msg, "quit", 4) == 0) {
fputs("sending server shutdown command: quit!\n", fout);
break;
}
if (strncmp(msg, "break", 5) == 0) {
fputs("sending server session close: break!\n", fout);
break;
}
#ifndef WOLFSSL_MDK_SHELL
while (sendSz) {
int got;
if ( (got = SSL_read(ssl, reply, sizeof(reply)-1)) > 0) {
reply[got] = 0;
fputs(reply, fout);
fflush(fout) ;
sendSz -= got;
}
else
break;
}
#else
{
int got;
if ( (got = SSL_read(ssl, reply, sizeof(reply)-1)) > 0) {
reply[got] = 0;
fputs(reply, fout);
fflush(fout) ;
sendSz -= got;
}
}
#endif
}
#ifdef CYASSL_DTLS
strncpy(msg, "break", 6);
sendSz = (int)strlen(msg);
/* try to tell server done */
SSL_write(ssl, msg, sendSz);
#else
SSL_shutdown(ssl);
#endif
SSL_free(ssl);
SSL_CTX_free(ctx);
fflush(fout);
if (inCreated) fclose(fin);
if (outCreated) fclose(fout);
CloseSocket(sockfd);
((func_args*)args)->return_code = 0;
}
int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
{
STACK_OF(SSL_CIPHER) *ciphers;
method_const SSL_METHOD *dtls_method;
SSL_SESSION *dtls_session;
SSL *dtls_ssl;
BIO *dtls_bio;
int dtlsver = DTLS1_BAD_VER;
const char *cipher = vpninfo->dtls_cipher;
#ifdef HAVE_DTLS12
if (!strcmp(cipher, "OC-DTLS1_2-AES128-GCM")) {
dtlsver = DTLS1_2_VERSION;
cipher = "AES128-GCM-SHA256";
} else if (!strcmp(cipher, "OC-DTLS1_2-AES256-GCM")) {
dtlsver = DTLS1_2_VERSION;
cipher = "AES256-GCM-SHA384";
#ifndef OPENSSL_NO_PSK
} else if (!strcmp(cipher, "PSK-NEGOTIATE")) {
dtlsver = 0; /* Let it negotiate */
#endif
}
#endif
if (!vpninfo->dtls_ctx) {
#ifdef HAVE_DTLS12
dtls_method = DTLS_client_method();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if (dtlsver == DTLS1_BAD_VER)
dtls_method = DTLSv1_client_method();
#ifdef HAVE_DTLS12
else if (dtlsver == DTLS1_2_VERSION)
dtls_method = DTLSv1_2_client_method();
#endif
#endif
vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
if (!vpninfo->dtls_ctx) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 CTX failed\n"));
openconnect_report_ssl_errors(vpninfo);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
if (dtlsver) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if (dtlsver == DTLS1_BAD_VER)
SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_CISCO_ANYCONNECT);
#else
if (!SSL_CTX_set_min_proto_version(vpninfo->dtls_ctx, dtlsver) ||
!SSL_CTX_set_max_proto_version(vpninfo->dtls_ctx, dtlsver)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS CTX version failed\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
#endif
#if defined (HAVE_DTLS12) && !defined(OPENSSL_NO_PSK)
} else {
SSL_CTX_set_psk_client_callback(vpninfo->dtls_ctx, psk_callback);
/* For PSK we override the DTLS master secret with one derived
* from the HTTPS session. */
if (!SSL_export_keying_material(vpninfo->https_ssl,
vpninfo->dtls_secret, PSK_KEY_SIZE,
PSK_LABEL, PSK_LABEL_SIZE, NULL, 0, 0)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to generate DTLS key\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
SSL_CTX_add_client_custom_ext(vpninfo->dtls_ctx, DTLS_APP_ID_EXT,
pskident_add, pskident_free, vpninfo,
pskident_parse, vpninfo);
/* For SSL_CTX_set_cipher_list() */
cipher = "PSK";
#endif
}
/* If we don't readahead, then we do short reads and throw
away the tail of data packets. */
SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
if (!SSL_CTX_set_cipher_list(vpninfo->dtls_ctx, cipher)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS cipher list failed\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
}
dtls_ssl = SSL_new(vpninfo->dtls_ctx);
SSL_set_connect_state(dtls_ssl);
SSL_set_app_data(dtls_ssl, vpninfo);
if (dtlsver) {
ciphers = SSL_get_ciphers(dtls_ssl);
if (dtlsver != 0 && sk_SSL_CIPHER_num(ciphers) != 1) {
vpn_progress(vpninfo, PRG_ERR, _("Not precisely one DTLS cipher\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* We're going to "resume" a session which never existed. Fake it... */
dtls_session = generate_dtls_session(vpninfo, dtlsver,
sk_SSL_CIPHER_value(ciphers, 0));
if (!dtls_session) {
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* Add the generated session to the SSL */
if (!SSL_set_session(dtls_ssl, dtls_session)) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL_set_session() failed with old protocol version 0x%x\n"
"Are you using a version of OpenSSL older than 0.9.8m?\n"
"See http://rt.openssl.org/Ticket/Display.html?id=1751\n"
"Use the --no-dtls command line option to avoid this message\n"),
DTLS1_BAD_VER);
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
SSL_SESSION_free(dtls_session);
return -EINVAL;
}
/* We don't need our own refcount on it any more */
SSL_SESSION_free(dtls_session);
}
dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
/* Set non-blocking */
BIO_set_nbio(dtls_bio, 1);
SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
vpninfo->dtls_ssl = dtls_ssl;
return 0;
}
int main(int argc, char **argv)
{
int port = 0;
int messagenumber = 5;
char local_addr[256];
int c;
int mclient = 1;
char peer_address[129] = "\0";
int peer_port = PEER_DEFAULT_PORT;
char rest_api_separator = ':';
int use_null_cipher=0;
set_logfile("stdout");
set_execdir();
set_system_parameters(0);
ns_bzero(local_addr, sizeof(local_addr));
while ((c = getopt(argc, argv, "a:d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:o:bZvsyhcxXgtTSAPDNOUMRIGBJ")) != -1) {
switch (c){
case 'J': {
oauth = 1;
oauth_key_data okd_array[3];
convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
convert_oauth_key_data_raw(&okdr_array[2], &okd_array[2]);
char err_msg[1025] = "\0";
size_t err_msg_size = sizeof(err_msg) - 1;
if (convert_oauth_key_data(&okd_array[0], &okey_array[0], err_msg, err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
exit(-1);
}
if (convert_oauth_key_data(&okd_array[1], &okey_array[1], err_msg, err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
exit(-1);
}
if (convert_oauth_key_data(&okd_array[2], &okey_array[2], err_msg, err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
exit(-1);
}
}
break;
case 'a':
bps = (band_limit_t)strtoul(optarg,NULL,10);
break;
case 'o':
STRCPY(origin,optarg);
break;
case 'B':
random_disconnect = 1;
break;
case 'G':
extra_requests = 1;
break;
case 'F':
STRCPY(cipher_suite,optarg);
break;
case 'I':
no_permissions = 1;
break;
case 'M':
mobility = 1;
break;
case 'E':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(ca_cert_file,fn);
}
break;
case 'O':
dos = 1;
break;
case 'C':
rest_api_separator=*optarg;
break;
case 'D':
mandatory_channel_padding = 1;
break;
case 'N':
negative_test = 1;
break;
case 'R':
negative_protocol_test = 1;
break;
case 'z':
RTP_PACKET_INTERVAL = atoi(optarg);
break;
case 'Z':
dual_allocation = 1;
break;
case 'u':
STRCPY(g_uname, optarg);
break;
case 'w':
STRCPY(g_upwd, optarg);
break;
case 'g':
dont_fragment = 1;
break;
case 'd':
STRCPY(client_ifname, optarg);
break;
case 'x':
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
break;
case 'X':
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4;
break;
case 'l':
clmessage_length = atoi(optarg);
break;
case 's':
do_not_use_channel = 1;
break;
case 'n':
messagenumber = atoi(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'L':
STRCPY(local_addr, optarg);
break;
case 'e':
STRCPY(peer_address, optarg);
break;
case 'r':
peer_port = atoi(optarg);
break;
case 'v':
clnet_verbose = TURN_VERBOSE_NORMAL;
break;
case 'h':
hang_on = 1;
break;
case 'c':
no_rtcp = 1;
break;
case 'm':
mclient = atoi(optarg);
break;
case 'y':
c2c = 1;
break;
case 't':
use_tcp = 1;
break;
case 'b':
use_sctp = 1;
use_tcp = 1;
break;
case 'P':
passive_tcp = 1;
/* implies 'T': */
/* no break */
case 'T':
relay_transport = STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE;
break;
case 'U':
use_null_cipher = 1;
/* implies 'S' */
/* no break */
case 'S':
use_secure = 1;
break;
case 'W':
g_use_auth_secret_with_timestamp = 1;
STRCPY(g_auth_secret,optarg);
break;
case 'i':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(cert_file,fn);
free(fn);
}
break;
case 'k':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(pkey_file,fn);
free(fn);
}
break;
default:
fprintf(stderr, "%s\n", Usage);
exit(1);
}
}
if(dual_allocation) {
no_rtcp = 1;
}
if(g_use_auth_secret_with_timestamp) {
{
char new_uname[1025];
const unsigned long exp_time = 3600 * 24; /* one day */
if(g_uname[0]) {
snprintf(new_uname,sizeof(new_uname),"%lu%c%s",(unsigned long)time(NULL) + exp_time,rest_api_separator, (char*)g_uname);
} else {
snprintf(new_uname,sizeof(new_uname),"%lu", (unsigned long)time(NULL) + exp_time);
}
STRCPY(g_uname,new_uname);
}
{
u08bits hmac[MAXSHASIZE];
unsigned int hmac_len;
switch(shatype) {
case SHATYPE_SHA256:
hmac_len = SHA256SIZEBYTES;
break;
case SHATYPE_SHA384:
hmac_len = SHA384SIZEBYTES;
break;
case SHATYPE_SHA512:
hmac_len = SHA512SIZEBYTES;
break;
default:
hmac_len = SHA1SIZEBYTES;
};
hmac[0]=0;
if(stun_calculate_hmac(g_uname, strlen((char*)g_uname), (u08bits*)g_auth_secret, strlen(g_auth_secret), hmac, &hmac_len, shatype)>=0) {
size_t pwd_length = 0;
char *pwd = base64_encode(hmac,hmac_len,&pwd_length);
if(pwd) {
if(pwd_length>0) {
ns_bcopy(pwd,g_upwd,pwd_length);
g_upwd[pwd_length]=0;
}
}
free(pwd);
}
}
}
if(is_TCP_relay()) {
dont_fragment = 0;
no_rtcp = 1;
c2c = 1;
use_tcp = 1;
do_not_use_channel = 1;
}
if(port == 0) {
if(use_secure)
port = DEFAULT_STUN_TLS_PORT;
else
port = DEFAULT_STUN_PORT;
}
if (clmessage_length < (int) sizeof(message_info))
clmessage_length = (int) sizeof(message_info);
const int max_header = 100;
if(clmessage_length > (int)(STUN_BUFFER_SIZE-max_header)) {
fprintf(stderr,"Message length was corrected to %d\n",(STUN_BUFFER_SIZE-max_header));
clmessage_length = (int)(STUN_BUFFER_SIZE-max_header);
}
if (optind >= argc) {
fprintf(stderr, "%s\n", Usage);
exit(-1);
}
if (!c2c) {
if (make_ioa_addr((const u08bits*) peer_address, peer_port, &peer_addr) < 0) {
return -1;
}
if(peer_addr.ss.sa_family == AF_INET6) {
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
} else if(peer_addr.ss.sa_family == AF_INET) {
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4;
}
}
/* SSL Init ==>> */
if(use_secure) {
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
const char *csuite = "ALL"; //"AES256-SHA" "DH"
if(use_null_cipher)
csuite = "eNULL";
else if(cipher_suite[0])
csuite=cipher_suite;
if(use_tcp) {
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if TLSv1_1_SUPPORTED
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if TLSv1_2_SUPPORTED
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_2_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#endif
#endif
} else {
#if !DTLS_SUPPORTED
fprintf(stderr,"ERROR: DTLS is not supported.\n");
exit(-1);
#else
if(OPENSSL_VERSION_NUMBER < 0x10000000L) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is rather old, DTLS may not be working correctly.\n");
}
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if DTLSv1_2_SUPPORTED
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_2_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#endif
#endif
}
int sslind = 0;
for(sslind = 0; sslind<root_tls_ctx_num; sslind++) {
if(cert_file[0]) {
if (!SSL_CTX_use_certificate_chain_file(root_tls_ctx[sslind], cert_file)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no certificate found!\n");
exit(-1);
}
}
if (!SSL_CTX_use_PrivateKey_file(root_tls_ctx[sslind], pkey_file,
SSL_FILETYPE_PEM)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no private key found!\n");
exit(-1);
}
if(cert_file[0]) {
if (!SSL_CTX_check_private_key(root_tls_ctx[sslind])) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: invalid private key!\n");
exit(-1);
}
}
if (ca_cert_file[0]) {
if (!SSL_CTX_load_verify_locations(root_tls_ctx[sslind], ca_cert_file, NULL )) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"ERROR: cannot load CA from file: %s\n",
ca_cert_file);
}
/* Set to require peer (client) certificate verification */
SSL_CTX_set_verify(root_tls_ctx[sslind], SSL_VERIFY_PEER, NULL );
/* Set the verification depth to 9 */
SSL_CTX_set_verify_depth(root_tls_ctx[sslind], 9);
} else {
SSL_CTX_set_verify(root_tls_ctx[sslind], SSL_VERIFY_NONE, NULL );
}
if(!use_tcp)
SSL_CTX_set_read_ahead(root_tls_ctx[sslind], 1);
}
}
start_mclient(argv[optind], port, client_ifname, local_addr, messagenumber, mclient);
return 0;
}
