Denys Vlasenko | d82046f | 2014-02-23 23:31:13 +0100 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright (c) 2013 INSIDE Secure Corporation |
| 3 | * Copyright (c) PeerSec Networks, 2002-2011 |
| 4 | * All Rights Reserved |
| 5 | * |
| 6 | * The latest version of this code is available at http://www.matrixssl.org |
| 7 | * |
| 8 | * This software is open source; you can redistribute it and/or modify |
| 9 | * it under the terms of the GNU General Public License as published by |
| 10 | * the Free Software Foundation; either version 2 of the License, or |
| 11 | * (at your option) any later version. |
| 12 | * |
| 13 | * This program is distributed in WITHOUT ANY WARRANTY; without even the |
| 14 | * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
| 15 | * See the GNU General Public License for more details. |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License |
| 18 | * along with this program; if not, write to the Free Software |
| 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 20 | * http://www.gnu.org/copyleft/gpl.html |
| 21 | */ |
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>
| 31 | |
| 32 | #include "matrixssl/matrixsslApi.h" |
| 33 | |
| 34 | //#warning "DO NOT USE THESE DEFAULT KEYS IN PRODUCTION ENVIRONMENTS." |
| 35 | |
| 36 | /* |
| 37 | * If supporting client authentication, pick ONE identity to auto select a |
| 38 | * certificate and private key that support desired algorithms. |
| 39 | */ |
| 40 | #define ID_RSA /* RSA Certificate and Key */ |
| 41 | |
| 42 | #define USE_HEADER_KEYS |
| 43 | |
| 44 | /* If the algorithm type is supported, load a CA for it */ |
| 45 | #ifdef USE_HEADER_KEYS |
| 46 | /* CAs */ |
| 47 | # include "sampleCerts/RSA/ALL_RSA_CAS.h" |
| 48 | /* Identity Certs and Keys for use with Client Authentication */ |
| 49 | # ifdef ID_RSA |
| 50 | # define EXAMPLE_RSA_KEYS |
| 51 | # include "sampleCerts/RSA/2048_RSA.h" |
| 52 | # include "sampleCerts/RSA/2048_RSA_KEY.h" |
| 53 | # endif |
| 54 | #endif |
| 55 | |
/*
 * write(2) wrapper that transparently restarts the call when it was
 * interrupted by a signal before anything was written (EINTR).
 * Any other failure is reported unchanged: -1 with errno as left by
 * write(). A short write is passed through as-is; full_write() is the
 * looping variant.
 */
static ssize_t safe_write(int fd, const void *buf, size_t count)
{
	for (;;) {
		ssize_t written = write(fd, buf, count);
		if (written >= 0 || errno != EINTR)
			return written;
		/* interrupted, nothing written: try again */
	}
}
| 66 | |
/*
 * Write all of buf[0..len) to fd, looping over short writes.
 *
 * Returns len on success. If a write fails after some bytes already
 * went out, the partial byte count is returned (a further write by the
 * caller will surface the error). If the very first write fails, -1 is
 * returned with errno set by write(). flush_to_net() treats any return
 * value other than len as fatal.
 */
static ssize_t full_write(int fd, const void *buf, size_t len)
{
	const char *cursor = buf;
	size_t remaining = len;

	while (remaining != 0) {
		ssize_t n = safe_write(fd, cursor, remaining);
		if (n < 0) {
			size_t done = len - remaining;
			/* report progress if there was any, else the failure itself */
			return done ? (ssize_t)done : n;
		}
		cursor += n;
		remaining -= (size_t)n;
	}
	return (ssize_t)(len - remaining);
}
| 93 | |
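/*
 * printf-style message to stderr.
 *
 * Formats into a fixed 256-byte buffer; longer messages are truncated
 * (vsnprintf always NUL-terminates, so the truncated prefix is what is
 * written). full_write() is used so a signal or a short write to a pipe
 * does not drop part of the message.
 *
 * Nothing is written if formatting itself fails (vsnprintf < 0): the
 * buffer contents are unspecified then, and the previous code measured
 * them with strlen(), i.e. read indeterminate bytes.
 */
static void say(const char *s, ...)
{
	char buf[256];
	va_list p;
	int sz;
	size_t n;

	va_start(p, s);
	sz = vsnprintf(buf, sizeof(buf), s, p);
	va_end(p);
	if (sz < 0)
		return;
	/* sz is the would-be length; clamp to what actually fits in buf */
	n = (size_t)sz < sizeof(buf) ? (size_t)sz : sizeof(buf) - 1;
	full_write(STDERR_FILENO, buf, n);
}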
| 105 | |
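/*
 * printf-style message to stderr, then exit(1). Never returns.
 *
 * Same formatting rules as say(): fixed 256-byte buffer, truncation of
 * long messages, full_write() for the output. If vsnprintf fails the
 * message is skipped rather than read from an unspecified buffer, but
 * the process still exits with status 1.
 *
 * va_end() is now called before exit(); previously it sat after exit()
 * and was never reached.
 */
static void die(const char *s, ...)
{
	char buf[256];
	va_list p;
	int sz;

	va_start(p, s);
	sz = vsnprintf(buf, sizeof(buf), s, p);
	va_end(p);
	if (sz >= 0) {
		size_t n = (size_t)sz < sizeof(buf) ? (size_t)sz : sizeof(buf) - 1;
		full_write(STDERR_FILENO, buf, n);
	}
	exit(1);
}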
| 118 | |
| 119 | #if 0 |
| 120 | # define dbg(...) say(__VA_ARGS__) |
| 121 | #else |
| 122 | # define dbg(...) ((void)0) |
| 123 | #endif |
| 124 | |
/*
 * The two descriptors the main loop multiplexes on:
 *   pfd[0] - the local user's stdin, enabled only once the TLS
 *            handshake has completed (see do_io_until_eof_and_exit);
 *   pfd[1] - the network socket.
 * An fd of -1 makes poll() skip the entry; both start disabled and are
 * switched on/off by do_io_until_eof_and_exit() as each side hits EOF.
 */
static struct pollfd pfd[2] = {
	{ .fd = -1, .events = POLLIN | POLLERR | POLLHUP, .revents = 0 },
	{ .fd = -1, .events = POLLIN | POLLERR | POLLHUP, .revents = 0 },
};
| 129 | #define STDIN pfd[0] |
| 130 | #define NETWORK pfd[1] |
| 131 | #define STDIN_READY() (pfd[0].revents & (POLLIN|POLLERR|POLLHUP)) |
| 132 | #define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP)) |
| 133 | |
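/*
 * Block until stdin or the network socket is readable (or reports an
 * error/hangup), leaving the outcome in pfd[].revents for the caller's
 * STDIN_READY() / NETWORK_READY() tests.
 *
 * When both descriptors are disabled (-1) there is nothing left to wait
 * for and the process exits with status 0. (main() requires the socket
 * to be >= 3, so fd equality really does mean "both -1".)
 *
 * Returns the poll() count (>= 0). A poll() interrupted by a signal is
 * restarted; any other poll() failure is fatal. Before this check a
 * persistently failing poll() left revents at zero, and the caller's
 * goto-based loop would re-enter here without making progress.
 */
static int wait_for_input(void)
{
	int rc;

	if (STDIN.fd == NETWORK.fd) /* both are -1 */
		exit(0);
	dbg("polling\n");
	do {
		STDIN.revents = NETWORK.revents = 0;
		rc = poll(pfd, 2, -1);
	} while (rc < 0 && errno == EINTR);
	if (rc < 0)
		die("poll\n");
	return rc;
}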
| 142 | |
/*
 * Certificate callback handed to matrixSslNewClientSession().
 *
 * MatrixSSL invokes it after parsing the server's certificate chain.
 * Going by the original comment ("allow anonymous connections"),
 * alert > 0 means the library's own validation already flagged the
 * chain (unknown CA, bad signature, expired, ...).
 *
 * SECURITY NOTE: this policy accepts every server. A validation failure
 * is turned into SSL_ALLOW_ANON_CONNECTION, and a chain that passed is
 * accepted without any check that the certificate belongs to the host
 * we meant to reach (no hostname/SAN comparison exists in this file).
 * That yields encryption without authentication: an active attacker can
 * present any certificate and read or modify the traffic. Keep this only
 * where the user has explicitly opted out of certificate checking;
 * otherwise return PS_FAILURE for alert > 0 and verify the subject
 * against the intended target here.
 */
static int32 certCb(ssl_t *ssl, psX509Cert_t *cert, int32 alert)
{
	if (alert <= 0)
		return PS_SUCCESS; /* library checks passed; nothing further done */
	/* library rejected the chain: override it and continue anonymously */
	return SSL_ALLOW_ANON_CONNECTION; /* = 254 */
}
| 155 | |
/*
 * Best-effort TLS teardown followed by exit(0). Never returns.
 *
 * The socket is put into non-blocking mode (presumably so a peer that
 * stopped reading cannot stall the exit), a close_notify alert is
 * encoded and pushed out with one write attempt, and every failure
 * along the way is ignored. The write side is then shut down so the
 * peer sees EOF. The ssl_t is not freed and matrixSslSentData() is not
 * called: the process is about to exit, so neither matters.
 */
static void close_conn_and_exit(ssl_t *ssl, int fd)
{
	unsigned char *out;
	int outlen;
	int flags;

	flags = fcntl(fd, F_GETFL);
	fcntl(fd, F_SETFL, flags | O_NONBLOCK);

	if (matrixSslEncodeClosureAlert(ssl) >= 0) {
		outlen = matrixSslGetOutdata(ssl, &out);
		if (outlen > 0)
			(void)safe_write(fd, out, outlen); /* single attempt, result ignored */
	}
	shutdown(fd, SHUT_WR);
	exit(0);
}
| 176 | |
/*
 * Copy len bytes of plaintext into MatrixSSL's outgoing buffer and
 * encode them as an application-data record. Nothing is sent here; the
 * caller drains the record with flush_to_net().
 *
 * Returns len. Every failure is fatal: the library refusing to hand out
 * a write buffer, handing out one smaller than len (the input is never
 * split across records), or failing to encode.
 */
static int encode_data(ssl_t *ssl, const void *data, int len)
{
	unsigned char *dst;
	int room = matrixSslGetWritebuf(ssl, &dst, len);

	if (room < 0)
		die("matrixSslGetWritebuf\n");
	if (room < len)
		die("len > available\n");
	memcpy(dst, data, len);
	if (matrixSslEncodeWritebuf(ssl, len) < 0)
		die("matrixSslEncodeWritebuf\n");
	return len;
}
| 192 | |
/*
 * Push every pending TLS record out to the socket.
 *
 * Loops while matrixSslGetOutdata() reports data, writing each chunk in
 * full and acknowledging it with matrixSslSentData(). A short or failed
 * write, or a library error, is fatal.
 */
static void flush_to_net(ssl_t *ssl, int fd)
{
	unsigned char *out;
	int pending;

	for (;;) {
		pending = matrixSslGetOutdata(ssl, &out);
		if (pending <= 0)
			break;
		dbg("writing net %d bytes\n", pending);
		if (full_write(fd, out, pending) != pending)
			die("write to network\n");
		if (matrixSslSentData(ssl, pending) < 0)
			die("matrixSslSentData\n");
	}
}
| 208 | |
/*
 * The whole client once the socket has been handed over: run the TLS
 * handshake, then shuttle plaintext between stdin/stdout and TLS records
 * on fd until both directions are finished. Never returns -- every exit
 * path goes through exit(), close_conn_and_exit() or die().
 *
 * fd   : connected socket (>= 3, enforced by main()), stored in NETWORK.fd.
 * keys : CA list plus client identity from make_keys().
 *
 * Structure: 'rc' is the most recent MatrixSSL status code and the
 * switch below is a state machine driven by it. 'buf'/'len' carry the
 * library-owned plaintext region returned by matrixSslReceivedData() /
 * matrixSslProcessedData() from one state to the next: the APP_DATA and
 * RECEIVED_ALERT cases consume what read_network produced.
 */
static void do_io_until_eof_and_exit(int fd, sslKeys_t *keys)
{
	int rc;
	int len;
	uint32_t len32u;
	sslSessionId_t *sid;
	ssl_t *ssl;
	unsigned char *buf;

	NETWORK.fd = fd;
	/* Note! STDIN.fd is disabled (-1) until SSL handshake is over:
	 * we do not attempt to feed any user data to MatrixSSL
	 * before it is ready.
	 */

	/* return value not checked; presumably a failure surfaces in
	 * matrixSslNewClientSession() below -- TODO confirm */
	matrixSslNewSessionId(&sid);
	/* SECURITY: certCb accepts any server certificate and no hostname
	 * check is done anywhere, so the session is encrypted but the peer
	 * is not authenticated (see certCb). */
	rc = matrixSslNewClientSession(&ssl, keys, sid, 0, certCb, NULL, NULL, 0);
	dbg("matrixSslNewClientSession:rc=%d\n", rc);
	if (rc != MATRIXSSL_REQUEST_SEND)
		die("matrixSslNewClientSession\n");

	len = 0; /* only to suppress compiler warning */
 again:
	switch (rc) {
	case MATRIXSSL_REQUEST_SEND:
		/* library has records queued (handshake or app data): send them */
		dbg("MATRIXSSL_REQUEST_SEND\n");
		flush_to_net(ssl, fd);
		goto poll_input;

	case 0:
		/* nothing special requested; flush whatever may be pending */
		dbg("rc==0\n");
		flush_to_net(ssl, fd);
		goto poll_input;

	case MATRIXSSL_REQUEST_CLOSE:
		/* what does this mean if we are here? */
		dbg("MATRIXSSL_REQUEST_CLOSE\n");
		close_conn_and_exit(ssl, fd);
		/* not reached: close_conn_and_exit() exits */

	case MATRIXSSL_HANDSHAKE_COMPLETE:
		dbg("MATRIXSSL_HANDSHAKE_COMPLETE\n");
		/* Init complete, can start reading local user's data: */
		STDIN.fd = STDIN_FILENO;
 poll_input:
		wait_for_input();
		if (STDIN_READY()) {
			char ibuf[4 * 1024];
			dbg("reading stdin\n");
			len = read(STDIN_FILENO, ibuf, sizeof(ibuf));
			if (len < 0)
				die("read error on stdin\n");
			if (len == 0)
				STDIN.fd = -1; /* local EOF: stop polling stdin */
			else {
				/* encode_data() dies on any failure, so len is never 0 here */
				len = encode_data(ssl, ibuf, len);
				if (len) {
					rc = MATRIXSSL_REQUEST_SEND;
					dbg("rc=%d\n", rc);
					goto again;
				}
			}
		}
 read_network:
		if (NETWORK_READY()) {
			dbg("%s%s%s\n",
				(pfd[1].revents & POLLIN) ? "POLLIN" : "",
				(pfd[1].revents & POLLERR) ? "|POLLERR" : "",
				(pfd[1].revents & POLLHUP) ? "|POLLHUP" : ""
			);
			/* read straight into the library's receive buffer */
			len = matrixSslGetReadbuf(ssl, &buf);
			if (len <= 0)
				die("matrixSslGetReadbuf\n");
			dbg("reading net up to %d\n", len);
			len = read(fd, buf, len);
			dbg("reading net:%d\n", len);
			if (len < 0)
				die("read error on network\n");
			/* NOTE(review): a bare TCP EOF with no close_notify alert is
			 * treated as a clean end of stream (see the APP_DATA case):
			 * a truncation attack is indistinguishable from the peer
			 * simply finishing. */
			if (len == 0) /*eof*/
				NETWORK.fd = -1;
			len32u = len;
			/* on success buf/len are repointed at decoded plaintext
			 * (or an alert body); the next state consumes them */
			rc = matrixSslReceivedData(ssl, len, &buf, &len32u);
			dbg("matrixSslReceivedData:rc=%d\n", rc);
			len = len32u;
			if (rc < 0)
				die("matrixSslReceivedData\n");
		}
		goto again;

	case MATRIXSSL_APP_DATA:
		/* buf/len come from read_network; drain every decoded chunk
		 * to stdout, asking the library for the next one each time */
		dbg("MATRIXSSL_APP_DATA: writing stdout\n");
		do {
			if (full_write(STDOUT_FILENO, buf, len) != len)
				die("write to stdout\n");
			len32u = len;
			rc = matrixSslProcessedData(ssl, &buf, &len32u);
			//this was seen returning rc=0:
			dbg("matrixSslProcessedData:rc=%d\n", rc);
			len = len32u;
		} while (rc == MATRIXSSL_APP_DATA);
		if (pfd[1].fd == -1) {
			/* Already saw EOF on network, and we processed
			 * and wrote out all ssl data. Signal it:
			 */
			close(STDOUT_FILENO);
		}
		goto again;

	case MATRIXSSL_REQUEST_RECV:
		/* library needs more bytes: wait on the socket only, then read */
		dbg("MATRIXSSL_REQUEST_RECV\n");
		wait_for_input();
		goto read_network;

	case MATRIXSSL_RECEIVED_ALERT:
		dbg("MATRIXSSL_RECEIVED_ALERT\n");
		/* The first byte of the buffer is the level */
		/* The second byte is the description */
		/* assumes len >= 2 -- presumably guaranteed by MatrixSSL for
		 * an alert record; not checked here */
		if (buf[0] == SSL_ALERT_LEVEL_FATAL)
			die("Fatal alert\n");
		/* Closure alert is normal (and best) way to close */
		if (buf[1] == SSL_ALERT_CLOSE_NOTIFY)
			close_conn_and_exit(ssl, fd);
		/* any other warning-level alert is treated as fatal too,
		 * so the ProcessedData call below is currently unreachable */
		die("Warning alert\n");
		len32u = len;
		rc = matrixSslProcessedData(ssl, &buf, &len32u);
		dbg("matrixSslProcessedData:rc=%d\n", rc);
		len = len32u;
		goto again;

	default:
		/* If rc < 0 it is an error */
		die("bad rc:%d\n", rc);
	}
}
| 342 | |
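/*
 * Build the key material for the client session:
 *  - the CA bundle (RSACAS, compiled in from sampleCerts/) used by the
 *    library to validate the server chain -- note that certCb()
 *    overrides any validation failure, so the bundle only influences
 *    which 'alert' certCb sees, not whether the connection proceeds;
 *  - the client's own certificate and private key (RSA2048 /
 *    RSA2048KEY), offered if the server asks for client authentication.
 *
 * SECURITY NOTE: with USE_HEADER_KEYS these are the sample keys that
 * ship in the MatrixSSL headers. The private key is public, so a
 * client-auth identity proven with it is worthless and anyone can
 * impersonate this client; see the (commented-out) #warning near the
 * top of the file. Replace them with real key material before use.
 *
 * Returns a new sslKeys_t; every failure calls die(). The CA bytes are
 * copied to a heap buffer before loading (the original gives no reason;
 * presumably the load routine wants writable memory) and freed after.
 * The copy's psMalloc() result is now checked: previously an allocation
 * failure went straight into memcpy() on a NULL pointer.
 */
static sslKeys_t* make_keys(void)
{
	int rc, CAstreamLen;
	char *CAstream;
	sslKeys_t *keys;

	if (matrixSslNewKeys(&keys) < 0)
		die("matrixSslNewKeys\n");

#ifdef USE_HEADER_KEYS
	/*
	 * In-memory based keys
	 * Build the CA list first for potential client auth usage
	 */
	CAstream = NULL;
	CAstreamLen = sizeof(RSACAS);
	if (CAstreamLen > 0) {
		CAstream = psMalloc(NULL, CAstreamLen);
		if (!CAstream)
			die("out of memory\n");
		memcpy(CAstream, RSACAS, CAstreamLen);
	}

#ifdef ID_RSA
	rc = matrixSslLoadRsaKeysMem(keys, RSA2048, sizeof(RSA2048),
			RSA2048KEY, sizeof(RSA2048KEY), (unsigned char*)CAstream,
			CAstreamLen);
	if (rc < 0)
		die("matrixSslLoadRsaKeysMem\n");
#endif

	if (CAstream)
		psFree(CAstream);
#endif /* USE_HEADER_KEYS */
	return keys;
}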
| 377 | |
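/*
 * Entry point.  Usage: ssl_client -d<fd>   or   ssl_client -d <fd>
 *
 * The caller passes the number of an already-connected socket; this
 * program never opens the network connection itself. Plaintext is read
 * from stdin and written to stdout, so fd must be >= 3 -- that also
 * keeps NETWORK.fd distinct from the stdin/stdout descriptors the poll
 * loop relies on (see wait_for_input).
 *
 * Usage errors are reported as "Syntax error" via die() (exit status 1).
 * The descriptor must be a complete non-negative decimal number: the
 * former atoi() silently stopped at the first non-digit, so "-d3x" was
 * accepted as 3. A number that does not name an open descriptor is
 * rejected up front instead of failing at the first network write.
 */
int main(int argc, char **argv)
{
	int fd;
	const char *fd_str;
	char *end;
	long val;

	if (!argv[1] || argv[1][0] != '-' || argv[1][1] != 'd')
		die("Syntax error\n");
	fd_str = argv[1] + 2;      /* "-dN" form */
	if (!fd_str[0])
		fd_str = argv[2];  /* "-d N" form; argv[2] may be NULL */
	if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9')
		die("Syntax error\n");

	errno = 0;
	val = strtol(fd_str, &end, 10);
	if (errno == ERANGE || *end != '\0' || val < 3 || val > INT_MAX)
		die("Syntax error\n");
	fd = (int)val;
	/* fail early if the descriptor is not actually open */
	if (fcntl(fd, F_GETFD) < 0)
		die("bad fd %d\n", fd);

	if (matrixSslOpen() < 0)
		die("matrixSslOpen\n");

	do_io_until_eof_and_exit(fd, make_keys());
	/* not reached */

	return 0;
}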