Connection *Connection_create(Server *srv, int fd, int rport, const char *remote, SSL_CTX *ssl_ctx) { Connection *conn = h_calloc(sizeof(Connection), 1); check_mem(conn); conn->server = srv; conn->rport = rport; memcpy(conn->remote, remote, IPADDR_SIZE); conn->remote[IPADDR_SIZE] = '\0'; conn->type = 0; conn->req = Request_create(); check_mem(conn->req); if(ssl_ctx != NULL) { conn->iob = IOBuf_create(BUFFER_SIZE, fd, IOBUF_SSL); check(conn->iob != NULL, "Failed to create the SSL IOBuf."); conn->iob->ssl = ssl_server_new(ssl_ctx, IOBuf_fd(conn->iob)); check(conn->iob->ssl != NULL, "Failed to create new ssl for connection"); } else { conn->iob = IOBuf_create(BUFFER_SIZE, fd, IOBUF_SOCKET); } return conn; error: Connection_destroy(conn); return NULL; }
STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, bool server_side) { mp_obj_ssl_socket_t *o = m_new_obj(mp_obj_ssl_socket_t); o->base.type = &ussl_socket_type; o->buf = NULL; o->bytes_left = 0; o->sock = sock; uint32_t options = SSL_SERVER_VERIFY_LATER; if ((o->ssl_ctx = ssl_ctx_new(options, SSL_DEFAULT_CLNT_SESS)) == NULL) { nlr_raise(mp_obj_new_exception_arg1(&mp_type_OSError, MP_OBJ_NEW_SMALL_INT(EINVAL))); } if (server_side) { o->ssl_sock = ssl_server_new(o->ssl_ctx, (long)sock); } else { o->ssl_sock = ssl_client_new(o->ssl_ctx, (long)sock, NULL, 0); int res; /* check the return status */ if ((res = ssl_handshake_status(o->ssl_sock)) != SSL_OK) { printf("ssl_handshake_status: %d\n", res); ssl_display_error(res); nlr_raise(mp_obj_new_exception_arg1(&mp_type_OSError, MP_OBJ_NEW_SMALL_INT(EIO))); } } return o; }
ScmObj Scm_TLSAccept(ScmTLS* t, int fd) { #if defined(GAUCHE_USE_AXTLS) context_check(t, "accept"); if (t->conn) Scm_SysError("attempt to connect already-connected TLS %S", t); t->conn = ssl_server_new(t->ctx, fd); #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); }
static SQRESULT sq_ssl_ctx_server_new(HSQUIRRELVM v){ SQ_FUNC_VARS_NO_TOP(v); GET_ssl_ctx_INSTANCE(); SQ_GET_INTEGER(v, 2, client_fd); SSL *ssl = ssl_server_new(self, client_fd); SQRESULT rc = ssl_constructor(v, ssl, 1); if(rc == SQ_ERROR && ssl){ ssl_free(ssl); } return rc; }
static void addconnection(int sd, char *ip, int is_ssl) { struct connstruct *tp; /* Get ourselves a connstruct */ if (freeconns == NULL) tp = (struct connstruct *)calloc(1, sizeof(struct connstruct)); else { tp = freeconns; freeconns = tp->next; } /* Attach it to the used list */ tp->next = usedconns; usedconns = tp; tp->networkdesc = sd; if (is_ssl) tp->ssl = ssl_server_new(servers->ssl_ctx, sd); tp->is_ssl = is_ssl; tp->filedesc = -1; #if defined(CONFIG_HTTP_HAS_DIRECTORIES) tp->dirp = NULL; #endif *tp->actualfile = '\0'; *tp->filereq = '\0'; tp->state = STATE_WANT_TO_READ_HEAD; tp->reqtype = TYPE_GET; tp->close_when_done = 0; tp->timeout = time(NULL) + CONFIG_HTTP_TIMEOUT; #if defined(CONFIG_HTTP_HAS_CGI) strcpy(tp->remote_addr, ip); #endif }
/** * Implement the SSL server logic. */ static void do_server(int argc, char *argv[]) { int i = 2; uint16_t port = 4433; uint32_t options = SSL_DISPLAY_CERTS; int client_fd; SSL_CTX *ssl_ctx; int server_fd, res = 0; socklen_t client_len; #ifndef CONFIG_SSL_SKELETON_MODE char *private_key_file = NULL; const char *password = NULL; char **cert; int cert_index = 0; int cert_size = ssl_get_config(SSL_MAX_CERT_CFG_OFFSET); #endif #ifdef WIN32 char yes = 1; #else int yes = 1; #endif struct sockaddr_in serv_addr; struct sockaddr_in client_addr; int quiet = 0; #ifdef CONFIG_SSL_CERT_VERIFICATION int ca_cert_index = 0; int ca_cert_size = ssl_get_config(SSL_MAX_CA_CERT_CFG_OFFSET); char **ca_cert = (char **)calloc(1, sizeof(char *)*ca_cert_size); #endif fd_set read_set; #ifndef CONFIG_SSL_SKELETON_MODE cert = (char **)calloc(1, sizeof(char *)*cert_size); #endif while (i < argc) { if (strcmp(argv[i], "-accept") == 0) { if (i >= argc - 1) { print_server_options(argv[i]); } port = atoi(argv[++i]); } #ifndef CONFIG_SSL_SKELETON_MODE else if (strcmp(argv[i], "-cert") == 0) { if (i >= argc - 1 || cert_index >= cert_size) { print_server_options(argv[i]); } cert[cert_index++] = argv[++i]; } else if (strcmp(argv[i], "-key") == 0) { if (i >= argc - 1) { print_server_options(argv[i]); } private_key_file = argv[++i]; options |= SSL_NO_DEFAULT_KEY; } else if (strcmp(argv[i], "-pass") == 0) { if (i >= argc - 1) { print_server_options(argv[i]); } password = argv[++i]; } #endif else if (strcmp(argv[i], "-quiet") == 0) { quiet = 1; options &= ~SSL_DISPLAY_CERTS; } #ifdef CONFIG_SSL_CERT_VERIFICATION else if (strcmp(argv[i], "-verify") == 0) { options |= SSL_CLIENT_AUTHENTICATION; } else if (strcmp(argv[i], "-CAfile") == 0) { if (i >= argc - 1 || ca_cert_index >= ca_cert_size) { print_server_options(argv[i]); } ca_cert[ca_cert_index++] = argv[++i]; } #endif #ifdef CONFIG_SSL_FULL_MODE else if (strcmp(argv[i], "-debug") == 0) { options |= SSL_DISPLAY_BYTES; } else if (strcmp(argv[i], "-state") == 0) { options |= SSL_DISPLAY_STATES; } else if (strcmp(argv[i], "-show-rsa") == 0) { options |= SSL_DISPLAY_RSA; } #endif else { /* don't know what this is */ print_server_options(argv[i]); } i++; } if ((ssl_ctx = ssl_ctx_new(options, SSL_DEFAULT_SVR_SESS)) == NULL) { fprintf(stderr, "Error: Server context is invalid\n"); exit(1); } #ifndef CONFIG_SSL_SKELETON_MODE if (private_key_file) { int obj_type = SSL_OBJ_RSA_KEY; /* auto-detect the key type from the file extension */ if (strstr(private_key_file, ".p8")) { obj_type = SSL_OBJ_PKCS8; } else if (strstr(private_key_file, ".p12")) { obj_type = SSL_OBJ_PKCS12; } if (ssl_obj_load(ssl_ctx, obj_type, private_key_file, password)) { fprintf(stderr, "Error: Private key '%s' is undefined.\n", private_key_file); exit(1); } } for (i = 0; i < cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, cert[i], NULL)) { printf("Certificate '%s' is undefined.\n", cert[i]); exit(1); } } #endif #ifdef CONFIG_SSL_CERT_VERIFICATION for (i = 0; i < ca_cert_index; i++) { if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, ca_cert[i], NULL)) { printf("Certificate '%s' is undefined.\n", ca_cert[i]); exit(1); } } free(ca_cert); #endif #ifndef CONFIG_SSL_SKELETON_MODE free(cert); #endif /* Create socket for incoming connections */ if ((server_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return; } setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)); /* Construct local address structure */ memset(&serv_addr, 0, sizeof(serv_addr)); /* Zero out structure */ serv_addr.sin_family = AF_INET; /* Internet address family */ serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* Any incoming interface */ serv_addr.sin_port = htons(port); /* Local port */ /* Bind to the local address */ if (bind(server_fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) { perror("bind"); exit(1); } if (listen(server_fd, 5) < 0) { perror("listen"); exit(1); } client_len = sizeof(client_addr); /************************************************************************* * This is where the interesting stuff happens. Up until now we've * just been setting up sockets etc. Now we do the SSL handshake. *************************************************************************/ for (;;) { SSL *ssl; int reconnected = 0; if (!quiet) { printf("ACCEPT\n"); TTY_FLUSH(); } if ((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &client_len)) < 0) { break; } ssl = ssl_server_new(ssl_ctx, client_fd); /* now read (and display) whatever the client sends us */ for (;;) { /* allow parallel reading of client and standard input */ FD_ZERO(&read_set); FD_SET(client_fd, &read_set); #ifndef WIN32 /* win32 doesn't like mixing up stdin and sockets */ if (isatty(STDIN_FILENO)) { /* but only if we are in an active shell */ FD_SET(STDIN_FILENO, &read_set); } if ((res = select(client_fd + 1, &read_set, NULL, NULL, NULL)) > 0) { uint8_t buf[1024]; /* read standard input? */ if (FD_ISSET(STDIN_FILENO, &read_set)) { if (fgets((char *)buf, sizeof(buf), stdin) == NULL) { res = SSL_ERROR_CONN_LOST; } else { /* small hack to check renegotiation */ if (buf[0] == 'r' && (buf[1] == '\n' || buf[1] == '\r')) { res = ssl_renegotiate(ssl); } else { /* write our ramblings to the client */ res = ssl_write(ssl, buf, strlen((char *)buf) + 1); } } } else /* a socket read */ #endif { /* keep reading until we get something interesting */ uint8_t *read_buf; if ((res = ssl_read(ssl, &read_buf)) == SSL_OK) { /* are we in the middle of doing a handshake? */ if (ssl_handshake_status(ssl) != SSL_OK) { reconnected = 0; } else if (!reconnected) { /* we are connected/reconnected */ if (!quiet) { display_session_id(ssl); display_cipher(ssl); } reconnected = 1; } } if (res > SSL_OK) { /* display our interesting output */ int written = 0; while (written < res) { written += write(STDOUT_FILENO, read_buf + written, res - written); } TTY_FLUSH(); } else if (res == SSL_CLOSE_NOTIFY) { printf("shutting down SSL\n"); TTY_FLUSH(); } else if (res < SSL_OK && !quiet) { ssl_display_error(res); } } #ifndef WIN32 } #endif if (res < SSL_OK) { if (!quiet) { printf("CONNECTION CLOSED\n"); TTY_FLUSH(); } break; } } /* client was disconnected or the handshake failed. */ ssl_free(ssl); SOCKET_CLOSE(client_fd); } ssl_ctx_free(ssl_ctx); }