diff options
Diffstat (limited to 'openssl/demos/bio')
-rw-r--r-- | openssl/demos/bio/Makefile | 10 | ||||
-rw-r--r-- | openssl/demos/bio/README | 4 | ||||
-rwxr-xr-x | openssl/demos/bio/accept.cnf | 13 | ||||
-rwxr-xr-x | openssl/demos/bio/client-arg.c | 111 | ||||
-rwxr-xr-x | openssl/demos/bio/client-conf.c | 120 | ||||
-rwxr-xr-x | openssl/demos/bio/connect.cnf | 9 | ||||
-rw-r--r-- | openssl/demos/bio/saccept.c | 173 | ||||
-rw-r--r-- | openssl/demos/bio/sconnect.c | 190 | ||||
-rwxr-xr-x | openssl/demos/bio/server-arg.c | 144 | ||||
-rwxr-xr-x | openssl/demos/bio/server-conf.c | 138 | ||||
-rw-r--r-- | openssl/demos/bio/server.pem | 78 |
11 files changed, 777 insertions, 213 deletions
diff --git a/openssl/demos/bio/Makefile b/openssl/demos/bio/Makefile index 435154053..f8c8f0351 100644 --- a/openssl/demos/bio/Makefile +++ b/openssl/demos/bio/Makefile @@ -1,7 +1,7 @@ CC=cc CFLAGS= -g -I../../include -LIBS= -L../.. ../../libssl.a ../../libcrypto.a -EXAMPLES=saccept sconnect +LIBS= -L../.. ../../libssl.a ../../libcrypto.a -ldl +EXAMPLES=saccept sconnect client-arg client-conf all: $(EXAMPLES) @@ -11,6 +11,12 @@ saccept: saccept.o sconnect: sconnect.o $(CC) -o sconnect sconnect.o $(LIBS) +client-arg: client-arg.o + $(CC) -o client-arg client-arg.o $(LIBS) + +client-conf: client-conf.o + $(CC) -o client-conf client-conf.o $(LIBS) + clean: rm -f $(EXAMPLES) *.o diff --git a/openssl/demos/bio/README b/openssl/demos/bio/README index 0b24e5b80..a36bb48a5 100644 --- a/openssl/demos/bio/README +++ b/openssl/demos/bio/README @@ -1,3 +1,7 @@ This directory contains some simple examples of the use of BIO's to simplify socket programming. +The client-conf, server-conf, client-arg and client-conf include examples +of how to use the SSL_CONF API for configuration file or command line +processing. + diff --git a/openssl/demos/bio/accept.cnf b/openssl/demos/bio/accept.cnf new file mode 100755 index 000000000..e4acea75f --- /dev/null +++ b/openssl/demos/bio/accept.cnf @@ -0,0 +1,13 @@ +# Example configuration file +# Port to listen on +Port = 4433 +# Disable TLS v1.2 for test. +# Protocol = ALL, -TLSv1.2 +# Only support 3 curves +Curves = P-521:P-384:P-256 +# Automatic curve selection +ECDHParameters = Automatic +# Restricted signature algorithms +SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512 +Certificate=server.pem +PrivateKey=server.pem diff --git a/openssl/demos/bio/client-arg.c b/openssl/demos/bio/client-arg.c new file mode 100755 index 000000000..dc354cae0 --- /dev/null +++ b/openssl/demos/bio/client-arg.c @@ -0,0 +1,111 @@ +#include <openssl/err.h> +#include <openssl/ssl.h> + +int main(int argc, char **argv) +{ + BIO *sbio = NULL, *out = NULL; + int len; + char tmpbuf[1024]; + SSL_CTX *ctx; + SSL_CONF_CTX *cctx; + SSL *ssl; + char **args = argv + 1; + const char *connect_str = "localhost:4433"; + int nargs = argc - 1; + + ERR_load_crypto_strings(); + ERR_load_SSL_strings(); + SSL_library_init(); + + ctx = SSL_CTX_new(SSLv23_client_method()); + cctx = SSL_CONF_CTX_new(); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + while (*args && **args == '-') { + int rv; + /* Parse standard arguments */ + rv = SSL_CONF_cmd_argv(cctx, &nargs, &args); + if (rv == -3) { + fprintf(stderr, "Missing argument for %s\n", *args); + goto end; + } + if (rv < 0) { + fprintf(stderr, "Error in command %s\n", *args); + ERR_print_errors_fp(stderr); + goto end; + } + /* If rv > 0 we processed something so proceed to next arg */ + if (rv > 0) + continue; + /* Otherwise application specific argument processing */ + if (!strcmp(*args, "-connect")) { + connect_str = args[1]; + if (connect_str == NULL) { + fprintf(stderr, "Missing -connect argument\n"); + goto end; + } + args += 2; + nargs -= 2; + continue; + } else { + fprintf(stderr, "Unknown argument %s\n", *args); + goto end; + } + } + + if (!SSL_CONF_CTX_finish(cctx)) { + fprintf(stderr, "Finish error\n"); + ERR_print_errors_fp(stderr); + goto err; + } + + /* + * We'd normally set some stuff like the verify paths and * mode here + * because as things stand this will connect to * any server whose + * certificate is signed by any CA. + */ + + sbio = BIO_new_ssl_connect(ctx); + + BIO_get_ssl(sbio, &ssl); + + if (!ssl) { + fprintf(stderr, "Can't locate SSL pointer\n"); + goto end; + } + + /* Don't want any retries */ + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + + /* We might want to do other things with ssl here */ + + BIO_set_conn_hostname(sbio, connect_str); + + out = BIO_new_fp(stdout, BIO_NOCLOSE); + if (BIO_do_connect(sbio) <= 0) { + fprintf(stderr, "Error connecting to server\n"); + ERR_print_errors_fp(stderr); + goto end; + } + + if (BIO_do_handshake(sbio) <= 0) { + fprintf(stderr, "Error establishing SSL connection\n"); + ERR_print_errors_fp(stderr); + goto end; + } + + /* Could examine ssl here to get connection info */ + + BIO_puts(sbio, "GET / HTTP/1.0\n\n"); + for (;;) { + len = BIO_read(sbio, tmpbuf, 1024); + if (len <= 0) + break; + BIO_write(out, tmpbuf, len); + } + end: + SSL_CONF_CTX_free(cctx); + BIO_free_all(sbio); + BIO_free(out); + return 0; +} diff --git a/openssl/demos/bio/client-conf.c b/openssl/demos/bio/client-conf.c new file mode 100755 index 000000000..150e7fcf8 --- /dev/null +++ b/openssl/demos/bio/client-conf.c @@ -0,0 +1,120 @@ +#include <openssl/err.h> +#include <openssl/ssl.h> +#include <openssl/conf.h> + +int main(int argc, char **argv) +{ + BIO *sbio = NULL, *out = NULL; + int i, len, rv; + char tmpbuf[1024]; + SSL_CTX *ctx = NULL; + SSL_CONF_CTX *cctx = NULL; + SSL *ssl = NULL; + CONF *conf = NULL; + STACK_OF(CONF_VALUE) *sect = NULL; + CONF_VALUE *cnf; + const char *connect_str = "localhost:4433"; + long errline = -1; + + ERR_load_crypto_strings(); + ERR_load_SSL_strings(); + SSL_library_init(); + + conf = NCONF_new(NULL); + + if (NCONF_load(conf, "connect.cnf", &errline) <= 0) { + if (errline <= 0) + fprintf(stderr, "Error processing config file\n"); + else + fprintf(stderr, "Error on line %ld\n", errline); + goto end; + } + + sect = NCONF_get_section(conf, "default"); + + if (sect == NULL) { + fprintf(stderr, "Error retrieving default section\n"); + goto end; + } + + ctx = SSL_CTX_new(SSLv23_client_method()); + cctx = SSL_CONF_CTX_new(); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { + cnf = sk_CONF_VALUE_value(sect, i); + rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value); + if (rv > 0) + continue; + if (rv != -2) { + fprintf(stderr, "Error processing %s = %s\n", + cnf->name, cnf->value); + ERR_print_errors_fp(stderr); + goto end; + } + if (!strcmp(cnf->name, "Connect")) { + connect_str = cnf->value; + } else { + fprintf(stderr, "Unknown configuration option %s\n", cnf->name); + goto end; + } + } + + if (!SSL_CONF_CTX_finish(cctx)) { + fprintf(stderr, "Finish error\n"); + ERR_print_errors_fp(stderr); + goto err; + } + + /* + * We'd normally set some stuff like the verify paths and * mode here + * because as things stand this will connect to * any server whose + * certificate is signed by any CA. + */ + + sbio = BIO_new_ssl_connect(ctx); + + BIO_get_ssl(sbio, &ssl); + + if (!ssl) { + fprintf(stderr, "Can't locate SSL pointer\n"); + goto end; + } + + /* Don't want any retries */ + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + + /* We might want to do other things with ssl here */ + + BIO_set_conn_hostname(sbio, connect_str); + + out = BIO_new_fp(stdout, BIO_NOCLOSE); + if (BIO_do_connect(sbio) <= 0) { + fprintf(stderr, "Error connecting to server\n"); + ERR_print_errors_fp(stderr); + goto end; + } + + if (BIO_do_handshake(sbio) <= 0) { + fprintf(stderr, "Error establishing SSL connection\n"); + ERR_print_errors_fp(stderr); + goto end; + } + + /* Could examine ssl here to get connection info */ + + BIO_puts(sbio, "GET / HTTP/1.0\n\n"); + for (;;) { + len = BIO_read(sbio, tmpbuf, 1024); + if (len <= 0) + break; + BIO_write(out, tmpbuf, len); + } + end: + SSL_CONF_CTX_free(cctx); + BIO_free_all(sbio); + BIO_free(out); + NCONF_free(conf); + return 0; +} diff --git a/openssl/demos/bio/connect.cnf b/openssl/demos/bio/connect.cnf new file mode 100755 index 000000000..4dee03c37 --- /dev/null +++ b/openssl/demos/bio/connect.cnf @@ -0,0 +1,9 @@ +# Example configuration file +# Connects to the default port of s_server +Connect = localhost:4433 +# Disable TLS v1.2 for test. +# Protocol = ALL, -TLSv1.2 +# Only support 3 curves +Curves = P-521:P-384:P-256 +# Restricted signature algorithms +SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512 diff --git a/openssl/demos/bio/saccept.c b/openssl/demos/bio/saccept.c index 40cd4daad..e79c87232 100644 --- a/openssl/demos/bio/saccept.c +++ b/openssl/demos/bio/saccept.c @@ -1,13 +1,14 @@ /* NOCW */ /* demos/bio/saccept.c */ -/* A minimal program to server an SSL connection. +/*- + * A minimal program to serve an SSL connection. * It uses blocking. * saccept host:port * host is the interface IP to use. If any interface, use *:port * The default it *:4433 * - * cc -I../../include saccept.c -L../.. -lssl -lcrypto + * cc -I../../include saccept.c -L../.. -lssl -lcrypto -ldl */ #include <stdio.h> @@ -15,98 +16,102 @@ #include <openssl/err.h> #include <openssl/ssl.h> -#define CERT_FILE "server.pem" +#define CERT_FILE "server.pem" -BIO *in=NULL; +BIO *in = NULL; void close_up() - { - if (in != NULL) - BIO_free(in); - } +{ + if (in != NULL) + BIO_free(in); +} -int main(argc,argv) +int main(argc, argv) int argc; char *argv[]; - { - char *port=NULL; - BIO *ssl_bio,*tmp; - SSL_CTX *ctx; - SSL *ssl; - char buf[512]; - int ret=1,i; +{ + char *port = NULL; + BIO *ssl_bio, *tmp; + SSL_CTX *ctx; + SSL *ssl; + char buf[512]; + int ret = 1, i; - if (argc <= 1) - port="*:4433"; - else - port=argv[1]; + if (argc <= 1) + port = "*:4433"; + else + port = argv[1]; - signal(SIGINT,close_up); + signal(SIGINT, close_up); - SSL_load_error_strings(); + SSL_load_error_strings(); #ifdef WATT32 - dbug_init(); - sock_init(); + dbug_init(); + sock_init(); #endif - /* Add ciphers and message digests */ - OpenSSL_add_ssl_algorithms(); - - ctx=SSL_CTX_new(SSLv23_server_method()); - if (!SSL_CTX_use_certificate_file(ctx,CERT_FILE,SSL_FILETYPE_PEM)) - goto err; - if (!SSL_CTX_use_PrivateKey_file(ctx,CERT_FILE,SSL_FILETYPE_PEM)) - goto err; - if (!SSL_CTX_check_private_key(ctx)) - goto err; - - /* Setup server side SSL bio */ - ssl=SSL_new(ctx); - ssl_bio=BIO_new_ssl(ctx,0); - - if ((in=BIO_new_accept(port)) == NULL) goto err; - - /* This means that when a new connection is acceptede on 'in', - * The ssl_bio will be 'dupilcated' and have the new socket - * BIO push into it. Basically it means the SSL BIO will be - * automatically setup */ - BIO_set_accept_bios(in,ssl_bio); - -again: - /* The first call will setup the accept socket, and the second - * will get a socket. In this loop, the first actual accept - * will occur in the BIO_read() function. */ - - if (BIO_do_accept(in) <= 0) goto err; - - for (;;) - { - i=BIO_read(in,buf,512); - if (i == 0) - { - /* If we have finished, remove the underlying - * BIO stack so the next time we call any function - * for this BIO, it will attempt to do an - * accept */ - printf("Done\n"); - tmp=BIO_pop(in); - BIO_free_all(tmp); - goto again; - } - if (i < 0) goto err; - fwrite(buf,1,i,stdout); - fflush(stdout); - } - - ret=0; -err: - if (ret) - { - ERR_print_errors_fp(stderr); - } - if (in != NULL) BIO_free(in); - exit(ret); - return(!ret); - } - + /* Add ciphers and message digests */ + OpenSSL_add_ssl_algorithms(); + + ctx = SSL_CTX_new(SSLv23_server_method()); + if (!SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)) + goto err; + if (!SSL_CTX_use_PrivateKey_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)) + goto err; + if (!SSL_CTX_check_private_key(ctx)) + goto err; + + /* Setup server side SSL bio */ + ssl = SSL_new(ctx); + ssl_bio = BIO_new_ssl(ctx, 0); + + if ((in = BIO_new_accept(port)) == NULL) + goto err; + + /* + * This means that when a new connection is accepted on 'in', The ssl_bio + * will be 'duplicated' and have the new socket BIO push into it. + * Basically it means the SSL BIO will be automatically setup + */ + BIO_set_accept_bios(in, ssl_bio); + + again: + /* + * The first call will setup the accept socket, and the second will get a + * socket. In this loop, the first actual accept will occur in the + * BIO_read() function. + */ + + if (BIO_do_accept(in) <= 0) + goto err; + + for (;;) { + i = BIO_read(in, buf, 512); + if (i == 0) { + /* + * If we have finished, remove the underlying BIO stack so the + * next time we call any function for this BIO, it will attempt + * to do an accept + */ + printf("Done\n"); + tmp = BIO_pop(in); + BIO_free_all(tmp); + goto again; + } + if (i < 0) + goto err; + fwrite(buf, 1, i, stdout); + fflush(stdout); + } + + ret = 0; + err: + if (ret) { + ERR_print_errors_fp(stderr); + } + if (in != NULL) + BIO_free(in); + exit(ret); + return (!ret); +} diff --git a/openssl/demos/bio/sconnect.c b/openssl/demos/bio/sconnect.c index 880344eb7..e6eddb1c0 100644 --- a/openssl/demos/bio/sconnect.c +++ b/openssl/demos/bio/sconnect.c @@ -1,7 +1,8 @@ /* NOCW */ /* demos/bio/sconnect.c */ -/* A minimal program to do SSL to a passed host and port. +/*- + * A minimal program to do SSL to a passed host and port. * It is actually using non-blocking IO but in a very simple manner * sconnect host:port - it does a 'GET / HTTP/1.0' * @@ -15,107 +16,98 @@ extern int errno; -int main(argc,argv) +int main(argc, argv) int argc; char *argv[]; - { - char *host; - BIO *out; - char buf[1024*10],*p; - SSL_CTX *ssl_ctx=NULL; - SSL *ssl; - BIO *ssl_bio; - int i,len,off,ret=1; - - if (argc <= 1) - host="localhost:4433"; - else - host=argv[1]; +{ + char *host; + BIO *out; + char buf[1024 * 10], *p; + SSL_CTX *ssl_ctx = NULL; + SSL *ssl; + BIO *ssl_bio; + int i, len, off, ret = 1; + + if (argc <= 1) + host = "localhost:4433"; + else + host = argv[1]; #ifdef WATT32 - dbug_init(); - sock_init(); + dbug_init(); + sock_init(); #endif - /* Lets get nice error messages */ - SSL_load_error_strings(); - - /* Setup all the global SSL stuff */ - OpenSSL_add_ssl_algorithms(); - ssl_ctx=SSL_CTX_new(SSLv23_client_method()); - - /* Lets make a SSL structure */ - ssl=SSL_new(ssl_ctx); - SSL_set_connect_state(ssl); - - /* Use it inside an SSL BIO */ - ssl_bio=BIO_new(BIO_f_ssl()); - BIO_set_ssl(ssl_bio,ssl,BIO_CLOSE); - - /* Lets use a connect BIO under the SSL BIO */ - out=BIO_new(BIO_s_connect()); - BIO_set_conn_hostname(out,host); - BIO_set_nbio(out,1); - out=BIO_push(ssl_bio,out); - - p="GET / HTTP/1.0\r\n\r\n"; - len=strlen(p); - - off=0; - for (;;) - { - i=BIO_write(out,&(p[off]),len); - if (i <= 0) - { - if (BIO_should_retry(out)) - { - fprintf(stderr,"write DELAY\n"); - sleep(1); - continue; - } - else - { - goto err; - } - } - off+=i; - len-=i; - if (len <= 0) break; - } - - for (;;) - { - i=BIO_read(out,buf,sizeof(buf)); - if (i == 0) break; - if (i < 0) - { - if (BIO_should_retry(out)) - { - fprintf(stderr,"read DELAY\n"); - sleep(1); - continue; - } - goto err; - } - fwrite(buf,1,i,stdout); - } - - ret=1; - - if (0) - { -err: - if (ERR_peek_error() == 0) /* system call error */ - { - fprintf(stderr,"errno=%d ",errno); - perror("error"); - } - else - ERR_print_errors_fp(stderr); - } - BIO_free_all(out); - if (ssl_ctx != NULL) SSL_CTX_free(ssl_ctx); - exit(!ret); - return(ret); - } - + /* Lets get nice error messages */ + SSL_load_error_strings(); + + /* Setup all the global SSL stuff */ + OpenSSL_add_ssl_algorithms(); + ssl_ctx = SSL_CTX_new(SSLv23_client_method()); + + /* Lets make a SSL structure */ + ssl = SSL_new(ssl_ctx); + SSL_set_connect_state(ssl); + + /* Use it inside an SSL BIO */ + ssl_bio = BIO_new(BIO_f_ssl()); + BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE); + + /* Lets use a connect BIO under the SSL BIO */ + out = BIO_new(BIO_s_connect()); + BIO_set_conn_hostname(out, host); + BIO_set_nbio(out, 1); + out = BIO_push(ssl_bio, out); + + p = "GET / HTTP/1.0\r\n\r\n"; + len = strlen(p); + + off = 0; + for (;;) { + i = BIO_write(out, &(p[off]), len); + if (i <= 0) { + if (BIO_should_retry(out)) { + fprintf(stderr, "write DELAY\n"); + sleep(1); + continue; + } else { + goto err; + } + } + off += i; + len -= i; + if (len <= 0) + break; + } + + for (;;) { + i = BIO_read(out, buf, sizeof(buf)); + if (i == 0) + break; + if (i < 0) { + if (BIO_should_retry(out)) { + fprintf(stderr, "read DELAY\n"); + sleep(1); + continue; + } + goto err; + } + fwrite(buf, 1, i, stdout); + } + + ret = 1; + + if (0) { + err: + if (ERR_peek_error() == 0) { /* system call error */ + fprintf(stderr, "errno=%d ", errno); + perror("error"); + } else + ERR_print_errors_fp(stderr); + } + BIO_free_all(out); + if (ssl_ctx != NULL) + SSL_CTX_free(ssl_ctx); + exit(!ret); + return (ret); +} diff --git a/openssl/demos/bio/server-arg.c b/openssl/demos/bio/server-arg.c new file mode 100755 index 000000000..1d0e1db23 --- /dev/null +++ b/openssl/demos/bio/server-arg.c @@ -0,0 +1,144 @@ +/* NOCW */ +/* demos/bio/server-arg.c */ + +/* + * A minimal program to serve an SSL connection. It uses blocking. It use the + * SSL_CONF API with the command line. cc -I../../include server-arg.c + * -L../.. -lssl -lcrypto -ldl + */ + +#include <stdio.h> +#include <signal.h> +#include <openssl/err.h> +#include <openssl/ssl.h> + +int main(int argc, char *argv[]) +{ + char *port = "*:4433"; + BIO *ssl_bio, *tmp; + SSL_CTX *ctx; + SSL_CONF_CTX *cctx; + char buf[512]; + BIO *in = NULL; + int ret = 1, i; + char **args = argv + 1; + int nargs = argc - 1; + + SSL_load_error_strings(); + + /* Add ciphers and message digests */ + OpenSSL_add_ssl_algorithms(); + + ctx = SSL_CTX_new(SSLv23_server_method()); + + cctx = SSL_CONF_CTX_new(); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + while (*args && **args == '-') { + int rv; + /* Parse standard arguments */ + rv = SSL_CONF_cmd_argv(cctx, &nargs, &args); + if (rv == -3) { + fprintf(stderr, "Missing argument for %s\n", *args); + goto err; + } + if (rv < 0) { + fprintf(stderr, "Error in command %s\n", *args); + ERR_print_errors_fp(stderr); + goto err; + } + /* If rv > 0 we processed something so proceed to next arg */ + if (rv > 0) + continue; + /* Otherwise application specific argument processing */ + if (!strcmp(*args, "-port")) { + port = args[1]; + if (port == NULL) { + fprintf(stderr, "Missing -port argument\n"); + goto err; + } + args += 2; + nargs -= 2; + continue; + } else { + fprintf(stderr, "Unknown argument %s\n", *args); + goto err; + } + } + + if (!SSL_CONF_CTX_finish(cctx)) { + fprintf(stderr, "Finish error\n"); + ERR_print_errors_fp(stderr); + goto err; + } +#if 0 + /* + * Demo of how to iterate over all certificates in an SSL_CTX structure. + */ + { + X509 *x; + int rv; + rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); + while (rv) { + X509 *x = SSL_CTX_get0_certificate(ctx); + X509_NAME_print_ex_fp(stdout, X509_get_subject_name(x), 0, + XN_FLAG_ONELINE); + printf("\n"); + rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT); + } + fflush(stdout); + } +#endif + /* Setup server side SSL bio */ + ssl_bio = BIO_new_ssl(ctx, 0); + + if ((in = BIO_new_accept(port)) == NULL) + goto err; + + /* + * This means that when a new connection is accepted on 'in', The ssl_bio + * will be 'duplicated' and have the new socket BIO push into it. + * Basically it means the SSL BIO will be automatically setup + */ + BIO_set_accept_bios(in, ssl_bio); + + again: + /* + * The first call will setup the accept socket, and the second will get a + * socket. In this loop, the first actual accept will occur in the + * BIO_read() function. + */ + + if (BIO_do_accept(in) <= 0) + goto err; + + for (;;) { + i = BIO_read(in, buf, 512); + if (i == 0) { + /* + * If we have finished, remove the underlying BIO stack so the + * next time we call any function for this BIO, it will attempt + * to do an accept + */ + printf("Done\n"); + tmp = BIO_pop(in); + BIO_free_all(tmp); + goto again; + } + if (i < 0) + goto err; + fwrite(buf, 1, i, stdout); + fflush(stdout); + } + + ret = 0; + err: + if (ret) { + ERR_print_errors_fp(stderr); + } + if (in != NULL) + BIO_free(in); + exit(ret); + return (!ret); +} diff --git a/openssl/demos/bio/server-conf.c b/openssl/demos/bio/server-conf.c new file mode 100755 index 000000000..a09bc9320 --- /dev/null +++ b/openssl/demos/bio/server-conf.c @@ -0,0 +1,138 @@ +/* NOCW */ +/* demos/bio/saccept-conf.c */ + +/* + * A minimal program to serve an SSL connection. It uses blocking. It uses + * the SSL_CONF API with a configuration file. cc -I../../include saccept.c + * -L../.. -lssl -lcrypto -ldl + */ + +#include <stdio.h> +#include <signal.h> +#include <openssl/err.h> +#include <openssl/ssl.h> +#include <openssl/conf.h> + +int main(int argc, char *argv[]) +{ + char *port = "*:4433"; + BIO *in = NULL; + BIO *ssl_bio, *tmp; + SSL_CTX *ctx; + SSL_CONF_CTX *cctx = NULL; + CONF *conf = NULL; + STACK_OF(CONF_VALUE) *sect = NULL; + CONF_VALUE *cnf; + long errline = -1; + char buf[512]; + int ret = 1, i; + + SSL_load_error_strings(); + + /* Add ciphers and message digests */ + OpenSSL_add_ssl_algorithms(); + + conf = NCONF_new(NULL); + + if (NCONF_load(conf, "accept.cnf", &errline) <= 0) { + if (errline <= 0) + fprintf(stderr, "Error processing config file\n"); + else + fprintf(stderr, "Error on line %ld\n", errline); + goto err; + } + + sect = NCONF_get_section(conf, "default"); + + if (sect == NULL) { + fprintf(stderr, "Error retrieving default section\n"); + goto err; + } + + ctx = SSL_CTX_new(SSLv23_server_method()); + cctx = SSL_CONF_CTX_new(); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { + int rv; + cnf = sk_CONF_VALUE_value(sect, i); + rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value); + if (rv > 0) + continue; + if (rv != -2) { + fprintf(stderr, "Error processing %s = %s\n", + cnf->name, cnf->value); + ERR_print_errors_fp(stderr); + goto err; + } + if (!strcmp(cnf->name, "Port")) { + port = cnf->value; + } else { + fprintf(stderr, "Unknown configuration option %s\n", cnf->name); + goto err; + } + } + + if (!SSL_CONF_CTX_finish(cctx)) { + fprintf(stderr, "Finish error\n"); + ERR_print_errors_fp(stderr); + goto err; + } + + /* Setup server side SSL bio */ + ssl_bio = BIO_new_ssl(ctx, 0); + + if ((in = BIO_new_accept(port)) == NULL) + goto err; + + /* + * This means that when a new connection is accepted on 'in', The ssl_bio + * will be 'duplicated' and have the new socket BIO push into it. + * Basically it means the SSL BIO will be automatically setup + */ + BIO_set_accept_bios(in, ssl_bio); + + again: + /* + * The first call will setup the accept socket, and the second will get a + * socket. In this loop, the first actual accept will occur in the + * BIO_read() function. + */ + + if (BIO_do_accept(in) <= 0) + goto err; + + for (;;) { + i = BIO_read(in, buf, 512); + if (i == 0) { + /* + * If we have finished, remove the underlying BIO stack so the + * next time we call any function for this BIO, it will attempt + * to do an accept + */ + printf("Done\n"); + tmp = BIO_pop(in); + BIO_free_all(tmp); + goto again; + } + if (i < 0) { + if (BIO_should_retry(in)) + continue; + goto err; + } + fwrite(buf, 1, i, stdout); + fflush(stdout); + } + + ret = 0; + err: + if (ret) { + ERR_print_errors_fp(stderr); + } + if (in != NULL) + BIO_free(in); + exit(ret); + return (!ret); +} diff --git a/openssl/demos/bio/server.pem b/openssl/demos/bio/server.pem index 5cf1387d6..d0fc265f0 100644 --- a/openssl/demos/bio/server.pem +++ b/openssl/demos/bio/server.pem @@ -1,30 +1,52 @@ -subject=/C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server -issuer= /C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA ------BEGIN X509 CERTIFICATE----- - -MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV -BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz -MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM -RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV -BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3 -LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb -/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0 -DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn -IMs6ZOZB ------END X509 CERTIFICATE----- +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ +KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi +R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv +vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7 +TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU +41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R +AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI +AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW +BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49 +hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK +WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp +yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7 +vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds +xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t +JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA== +-----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- - -MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe -Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ -hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG -sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw -tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq -agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA -g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI= +MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv +h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL +tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu +D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI +uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6 +qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn +zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3 +r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D +AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R +5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm +W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH +674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg +utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY +BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX +4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a +WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8 +bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH +6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex +4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa +WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g +n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB +JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+ +OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX +xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK +UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== -----END RSA PRIVATE KEY----- - ------BEGIN DH PARAMETERS----- -MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn -a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC ------END DH PARAMETERS----- - |