diff options
Diffstat (limited to 'networking/ssl_helper-wolfssl/ssl_helper.c')
-rw-r--r-- | networking/ssl_helper-wolfssl/ssl_helper.c | 480 |
1 files changed, 480 insertions, 0 deletions
diff --git a/networking/ssl_helper-wolfssl/ssl_helper.c b/networking/ssl_helper-wolfssl/ssl_helper.c new file mode 100644 index 0000000..38b7b56 --- /dev/null +++ b/networking/ssl_helper-wolfssl/ssl_helper.c @@ -0,0 +1,480 @@ +/* + * Adapted from: + * + * client.c + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ +#include <stdlib.h> +#include <unistd.h> +#include <stdarg.h> +#include <string.h> +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <time.h> +#include <poll.h> +#include <sys/socket.h> + +#include <wolfssl/wolfcrypt/types.h> +#include <wolfssl/ssl.h> + +#if 0 +# define dbg(...) say(__VA_ARGS__) +#else +# define dbg(...) ((void)0) +#endif + +static ssize_t safe_write(int fd, const void *buf, size_t count) +{ + ssize_t n; + + do { + n = write(fd, buf, count); + } while (n < 0 && errno == EINTR); + + return n; +} + +static ssize_t full_write(int fd, const void *buf, size_t len) +{ + ssize_t cc; + ssize_t total; + + total = 0; + + while (len) { + cc = safe_write(fd, buf, len); + + if (cc < 0) { + if (total) { + /* we already wrote some! */ + /* user can do another write to know the error code */ + return total; + } + return cc; /* write() returns -1 on failure. */ + } + + total += cc; + buf = ((const char *)buf) + cc; + len -= cc; + } + + return total; +} + +static void say(const char *s, ...) +{ + char buf[256]; + va_list p; + int sz; + + va_start(p, s); + sz = vsnprintf(buf, sizeof(buf), s, p); + full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf)); + va_end(p); +} + +static void die(const char *s, ...) +{ + char buf[256]; + va_list p; + int sz; + + va_start(p, s); + sz = vsnprintf(buf, sizeof(buf), s, p); + full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf)); + exit(1); + va_end(p); +} + +static void err_sys(const char *msg) +{ + die("%s\n", msg); +} + +/* ==== */ + +#if 0 +static void showPeer(WOLFSSL* ssl) +{ + WOLFSSL_CIPHER* cipher; + WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); + if (peer) + ShowX509(peer, "peer's cert info:"); + else + say("peer has no cert!\n"); + say("SSL version is %s\n", wolfSSL_get_version(ssl)); + + cipher = wolfSSL_get_current_cipher(ssl); + say("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher)); + + { + WOLFSSL_X509_CHAIN* chain = wolfSSL_get_peer_chain(ssl); + int count = wolfSSL_get_chain_count(chain); + int i; + + for (i = 0; i < count; i++) { + int length; + unsigned char buffer[3072]; + WOLFSSL_X509* chainX509; + + wolfSSL_get_chain_cert_pem(chain, i, buffer, sizeof(buffer), &length); + buffer[length] = 0; + say("cert %d has length %d data = \n%s\n", i, length, buffer); + + chainX509 = wolfSSL_get_chain_X509(chain, i); + if (chainX509) + ShowX509(chainX509, "session cert info:"); + else + say("get_chain_X509 failed\n"); + wolfSSL_FreeX509(chainX509); + } + } +} +#endif + +WOLFSSL *prepare(int sockfd) +{ + WOLFSSL_METHOD* method; + WOLFSSL_CTX* ctx; + WOLFSSL* ssl; + + wolfSSL_Init(); + + method = wolfTLSv1_1_client_method(); + if (method == NULL) + err_sys("out of memory"); + ctx = wolfSSL_CTX_new(method); + if (ctx == NULL) + err_sys("out of memory"); +// if (cipherList) +// if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) +// err_sys("client can't set cipher list 1"); + +// if (fewerPackets) +// wolfSSL_CTX_set_group_messages(ctx); + +//#ifndef NO_DH +// wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits); +//#endif + +// if (usePsk) { +// wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); +// if (cipherList == NULL) { +// const char *defaultCipherList; +//#if defined(HAVE_AESGCM) && !defined(NO_DH) +// defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; +//#elif defined(HAVE_NULL_CIPHER) +// defaultCipherList = "PSK-NULL-SHA256"; +//#else +// defaultCipherList = "PSK-AES128-CBC-SHA256"; +//#endif +// if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) != SSL_SUCCESS) +// err_sys("client can't set cipher list 2"); +// } +// useClientCert = 0; +// } + +// if (useAnon) { +// if (cipherList == NULL) { +// wolfSSL_CTX_allow_anon_cipher(ctx); +// if (wolfSSL_CTX_set_cipher_list(ctx,"ADH-AES128-SHA") != SSL_SUCCESS) +// err_sys("client can't set cipher list 4"); +// } +// useClientCert = 0; +// } + +//#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +// wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +//#endif + +// if (useOcsp) { +// if (ocspUrl != NULL) { +// wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); +// wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE +// | WOLFSSL_OCSP_URL_OVERRIDE); +// } +// else +// wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); +// } +// +//#ifdef USER_CA_CB +// wolfSSL_CTX_SetCACb(ctx, CaCb); +//#endif +// +//#ifdef VERIFY_CALLBACK +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); +//#endif +//#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) +// if (useClientCert) { +// if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) +// err_sys("can't load client cert file, check file and run from" +// " wolfSSL home dir"); +// if (wolfSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) +// err_sys("can't load client private key file, check file and run " +// "from wolfSSL home dir"); +// } +// +// if (!usePsk && !useAnon) { +// if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) != SSL_SUCCESS) +// err_sys("can't load ca file, Please run from wolfSSL home dir"); +//#ifdef HAVE_ECC +// /* load ecc verify too, echoserver uses it by default w/ ecc */ +// if (wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) +// err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); +//#endif +// } +//#endif /* !NO_FILESYSTEM && !NO_CERTS */ + +//#if !defined(NO_CERTS) +// if (!usePsk && !useAnon && doPeerCheck == 0) +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +// if (!usePsk && !useAnon && overrideDateErrors == 1) +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myDateCb); +//#endif + + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); + +//#ifdef HAVE_SNI +// if (sniHostName) +// if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) != SSL_SUCCESS) +// err_sys("UseSNI failed"); +//#endif + +//#ifdef HAVE_MAX_FRAGMENT +// if (maxFragment) +// if (wolfSSL_CTX_UseMaxFragment(ctx, maxFragment) != SSL_SUCCESS) +// err_sys("UseMaxFragment failed"); +//#endif +//#ifdef HAVE_TRUNCATED_HMAC +// if (truncatedHMAC) +// if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS) +// err_sys("UseTruncatedHMAC failed"); +//#endif +//#ifdef HAVE_SESSION_TICKET +// if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS) +// err_sys("UseSessionTicket failed"); +//#endif + +//#if defined(WOLFSSL_MDK_ARM) +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +//#endif + + ssl = wolfSSL_new(ctx); + if (ssl == NULL) + err_sys("out of memory"); + +//#ifdef HAVE_SESSION_TICKET +// wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); +//#endif + +// if (doDTLS) { +// SOCKADDR_IN_T addr; +// build_addr(&addr, host, port, 1); +// wolfSSL_dtls_set_peer(ssl, &addr, sizeof(addr)); +// tcp_socket(&sockfd, 1); +// } wlse { +// tcp_connect(&sockfd, host, port, 0); +// } + +//#ifdef HAVE_POLY1305 +// /* use old poly to connect with google server */ +// if (!XSTRNCMP(domain, "www.google.com", 14)) { +// if (wolfSSL_use_old_poly(ssl, 1) != 0) +// err_sys("unable to set to old poly"); +// } +//#endif + + wolfSSL_set_fd(ssl, sockfd); + +//#ifdef HAVE_CRL +// if (disableCRL == 0) { +// if (wolfSSL_EnableCRL(ssl, WOLFSSL_CRL_CHECKALL) != SSL_SUCCESS) +// err_sys("can't enable crl check"); +// if (wolfSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0) != SSL_SUCCESS) +// err_sys("can't load crl, check crlfile and date validity"); +// if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS) +// err_sys("can't set crl callback"); +// } +//#endif +//#ifdef HAVE_SECURE_RENEGOTIATION +// if (scr) { +// if (wolfSSL_UseSecureRenegotiation(ssl) != SSL_SUCCESS) +// err_sys("can't enable secure renegotiation"); +// } +//#endif +//#ifdef ATOMIC_USER +// if (atomicUser) +// SetupAtomicUser(ctx, ssl); +//#endif +//#ifdef HAVE_PK_CALLBACKS +// if (pkCallbacks) +// SetupPkCallbacks(ctx, ssl); +//#endif +// if (matchName && doPeerCheck) +// wolfSSL_check_domain_name(ssl, domain); + + if (wolfSSL_connect(ssl) != SSL_SUCCESS) { +// /* see note at top of README */ +// int err = wolfSSL_get_error(ssl, 0); +// char buffer[WOLFSSL_MAX_ERROR_SZ]; +// say("err = %d, %s\n", err, +// wolfSSL_ERR_error_string(err, buffer)); + err_sys("SSL_connect failed"); + } +// showPeer(ssl); + +//#ifdef HAVE_SECURE_RENEGOTIATION +// if (scr && forceScr) { +// if (wolfSSL_Rehandshake(ssl) != SSL_SUCCESS) { +// int err = wolfSSL_get_error(ssl, 0); +// char buffer[WOLFSSL_MAX_ERROR_SZ]; +// say("err = %d, %s\n", err, +// wolfSSL_ERR_error_string(err, buffer)); +// err_sys("wolfSSL_Rehandshake failed"); +// } +// } +//#endif + + return ssl; +} + +static struct pollfd pfd[2] = { + { -1, POLLIN|POLLERR|POLLHUP, 0 }, + { -1, POLLIN|POLLERR|POLLHUP, 0 }, +}; +#define STDIN pfd[0] +#define NETWORK pfd[1] +#define STDIN_READY() (pfd[0].revents & (POLLIN|POLLERR|POLLHUP)) +#define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP)) + +static void wait_for_input(void) +{ + if (STDIN.fd == NETWORK.fd) /* means both are -1 */ + exit(0); + dbg("polling\n"); + STDIN.revents = NETWORK.revents = 0; + while (poll(pfd, 2, -1) < 0 && errno == EINTR) + continue; +} + +static void do_io_until_eof_and_exit(WOLFSSL *ssl, int fd) +{ + int len; + char ibuf[4 * 1024]; + + NETWORK.fd = fd; + STDIN.fd = 0; + + len = 0; /* only to suppress compiler warning */ + for (;;) { + wait_for_input(); + + if (STDIN_READY()) { + dbg("reading stdin\n"); + len = read(STDIN_FILENO, ibuf, sizeof(ibuf)); + if (len < 0) + die("read error on stdin\n"); + if (len == 0) { + dbg("read len = 0, stdin not polled anymore\n"); + STDIN.fd = -1; + } else { + int n = wolfSSL_write(ssl, ibuf, len); + if (n != len) + die("SSL_write(%d) failed (returned %d)\n", len, n); + } + } + + if (NETWORK_READY()) { + dbg("%s%s%s\n", + (pfd[1].revents & POLLIN) ? "POLLIN" : "", + (pfd[1].revents & POLLERR) ? "|POLLERR" : "", + (pfd[1].revents & POLLHUP) ? "|POLLHUP" : "" + ); +/* We are using blocking socket here. + * (Nonblocking socket would complicate writing to it). + * Therefore, SSL_read _can block_ here. + * This is not what wget expects (it wants to see short reads). + * Therefore, we use smallish buffer here, to approximate that. + */ + len = wolfSSL_read(ssl, ibuf, + sizeof(ibuf) < 1024 ? sizeof(ibuf) : 1024 + ); + if (len < 0) + die("SSL_read error on network (%d)\n", len); + if (len > 0) { + int n; + n = full_write(STDOUT_FILENO, ibuf, len); + if (n != len) + die("write(%d) to stdout returned %d\n", len, n); + continue; + } +/* Blocking reads are easier wtr EOF detection (no EAGAIN error to check for) */ + dbg("read len = 0, network not polled anymore\n"); + NETWORK.fd = -1; + /* saw EOF on network, and we processed + * and wrote out all ssl data. Signal it: + */ + close(STDOUT_FILENO); + } + } +} + +int main(int argc, char **argv) +{ + WOLFSSL *ssl; + int fd; + char *fd_str; + + if (!argv[1]) + die("Syntax error\n"); + if (argv[1][0] != '-') + die("Syntax error\n"); + if (argv[1][1] != 'd') + die("Syntax error\n"); + fd_str = argv[1] + 2; + if (!fd_str[0]) + fd_str = argv[2]; + if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9') + die("Syntax error\n"); + + fd = atoi(fd_str); + if (fd < 3) + die("Syntax error\n"); + + ssl = prepare(fd); + do_io_until_eof_and_exit(ssl, fd); + /* does not return */ + +// if (doDTLS == 0) { /* don't send alert after "break" command */ +// ret = wolfSSL_shutdown(ssl); +// if (wc_shutdown && ret == SSL_SHUTDOWN_NOT_DONE) +// wolfSSL_shutdown(ssl); /* bidirectional shutdown */ +// } +//#ifdef ATOMIC_USER +// if (atomicUser) +// FreeAtomicUser(ssl); +//#endif +// wolfSSL_free(ssl); +// CloseSocket(sockfd); +// wolfSSL_CTX_free(ctx); + + return 0; +} |