diff options
Diffstat (limited to 'openssl/demos/state_machine')
-rw-r--r-- | openssl/demos/state_machine/Makefile | 9 | ||||
-rw-r--r-- | openssl/demos/state_machine/state_machine.c | 416 |
2 files changed, 425 insertions, 0 deletions
diff --git a/openssl/demos/state_machine/Makefile b/openssl/demos/state_machine/Makefile new file mode 100644 index 000000000..c7a114540 --- /dev/null +++ b/openssl/demos/state_machine/Makefile @@ -0,0 +1,9 @@ +CFLAGS=-I../../include -Wall -Werror -g + +all: state_machine + +state_machine: state_machine.o + $(CC) -o state_machine state_machine.o -L../.. -lssl -lcrypto + +test: state_machine + ./state_machine 10000 ../../apps/server.pem ../../apps/server.pem diff --git a/openssl/demos/state_machine/state_machine.c b/openssl/demos/state_machine/state_machine.c new file mode 100644 index 000000000..fef3f3e3d --- /dev/null +++ b/openssl/demos/state_machine/state_machine.c @@ -0,0 +1,416 @@ +/* ==================================================================== + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* + * Nuron, a leader in hardware encryption technology, generously + * sponsored the development of this demo by Ben Laurie. + * + * See http://www.nuron.com/. + */ + +/* + * the aim of this demo is to provide a fully working state-machine + * style SSL implementation, i.e. one where the main loop acquires + * some data, then converts it from or to SSL by feeding it into the + * SSL state machine. It then does any I/O required by the state machine + * and loops. + * + * In order to keep things as simple as possible, this implementation + * listens on a TCP socket, which it expects to get an SSL connection + * on (for example, from s_client) and from then on writes decrypted + * data to stdout and encrypts anything arriving on stdin. Verbose + * commentary is written to stderr. + * + * This implementation acts as a server, but it can also be done for a client. */ + +#include <openssl/ssl.h> +#include <assert.h> +#include <unistd.h> +#include <string.h> +#include <openssl/err.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> + +/* die_unless is intended to work like assert, except that it happens + always, even if NDEBUG is defined. Use assert as a stopgap. */ + +#define die_unless(x) assert(x) + +typedef struct + { + SSL_CTX *pCtx; + BIO *pbioRead; + BIO *pbioWrite; + SSL *pSSL; + } SSLStateMachine; + +void SSLStateMachine_print_error(SSLStateMachine *pMachine,const char *szErr) + { + unsigned long l; + + fprintf(stderr,"%s\n",szErr); + while((l=ERR_get_error())) + { + char buf[1024]; + + ERR_error_string_n(l,buf,sizeof buf); + fprintf(stderr,"Error %lx: %s\n",l,buf); + } + } + +SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile, + const char *szKeyFile) + { + SSLStateMachine *pMachine=malloc(sizeof *pMachine); + int n; + + die_unless(pMachine); + + pMachine->pCtx=SSL_CTX_new(SSLv23_server_method()); + die_unless(pMachine->pCtx); + + n=SSL_CTX_use_certificate_file(pMachine->pCtx,szCertificateFile, + SSL_FILETYPE_PEM); + die_unless(n > 0); + + n=SSL_CTX_use_PrivateKey_file(pMachine->pCtx,szKeyFile,SSL_FILETYPE_PEM); + die_unless(n > 0); + + pMachine->pSSL=SSL_new(pMachine->pCtx); + die_unless(pMachine->pSSL); + + pMachine->pbioRead=BIO_new(BIO_s_mem()); + + pMachine->pbioWrite=BIO_new(BIO_s_mem()); + + SSL_set_bio(pMachine->pSSL,pMachine->pbioRead,pMachine->pbioWrite); + + SSL_set_accept_state(pMachine->pSSL); + + return pMachine; + } + +void SSLStateMachine_read_inject(SSLStateMachine *pMachine, + const unsigned char *aucBuf,int nBuf) + { + int n=BIO_write(pMachine->pbioRead,aucBuf,nBuf); + /* If it turns out this assert fails, then buffer the data here + * and just feed it in in churn instead. Seems to me that it + * should be guaranteed to succeed, though. + */ + assert(n == nBuf); + fprintf(stderr,"%d bytes of encrypted data fed to state machine\n",n); + } + +int SSLStateMachine_read_extract(SSLStateMachine *pMachine, + unsigned char *aucBuf,int nBuf) + { + int n; + + if(!SSL_is_init_finished(pMachine->pSSL)) + { + fprintf(stderr,"Doing SSL_accept\n"); + n=SSL_accept(pMachine->pSSL); + if(n == 0) + fprintf(stderr,"SSL_accept returned zero\n"); + if(n < 0) + { + int err; + + if((err=SSL_get_error(pMachine->pSSL,n)) == SSL_ERROR_WANT_READ) + { + fprintf(stderr,"SSL_accept wants more data\n"); + return 0; + } + + SSLStateMachine_print_error(pMachine,"SSL_accept error"); + exit(7); + } + return 0; + } + + n=SSL_read(pMachine->pSSL,aucBuf,nBuf); + if(n < 0) + { + int err=SSL_get_error(pMachine->pSSL,n); + + if(err == SSL_ERROR_WANT_READ) + { + fprintf(stderr,"SSL_read wants more data\n"); + return 0; + } + + SSLStateMachine_print_error(pMachine,"SSL_read error"); + exit(8); + } + + fprintf(stderr,"%d bytes of decrypted data read from state machine\n",n); + return n; + } + +int SSLStateMachine_write_can_extract(SSLStateMachine *pMachine) + { + int n=BIO_pending(pMachine->pbioWrite); + if(n) + fprintf(stderr,"There is encrypted data available to write\n"); + else + fprintf(stderr,"There is no encrypted data available to write\n"); + + return n; + } + +int SSLStateMachine_write_extract(SSLStateMachine *pMachine, + unsigned char *aucBuf,int nBuf) + { + int n; + + n=BIO_read(pMachine->pbioWrite,aucBuf,nBuf); + fprintf(stderr,"%d bytes of encrypted data read from state machine\n",n); + return n; + } + +void SSLStateMachine_write_inject(SSLStateMachine *pMachine, + const unsigned char *aucBuf,int nBuf) + { + int n=SSL_write(pMachine->pSSL,aucBuf,nBuf); + /* If it turns out this assert fails, then buffer the data here + * and just feed it in in churn instead. Seems to me that it + * should be guaranteed to succeed, though. + */ + assert(n == nBuf); + fprintf(stderr,"%d bytes of unencrypted data fed to state machine\n",n); + } + +int OpenSocket(int nPort) + { + int nSocket; + struct sockaddr_in saServer; + struct sockaddr_in saClient; + int one=1; + int nSize; + int nFD; + int nLen; + + nSocket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); + if(nSocket < 0) + { + perror("socket"); + exit(1); + } + + if(setsockopt(nSocket,SOL_SOCKET,SO_REUSEADDR,(char *)&one,sizeof one) < 0) + { + perror("setsockopt"); + exit(2); + } + + memset(&saServer,0,sizeof saServer); + saServer.sin_family=AF_INET; + saServer.sin_port=htons(nPort); + nSize=sizeof saServer; + if(bind(nSocket,(struct sockaddr *)&saServer,nSize) < 0) + { + perror("bind"); + exit(3); + } + + if(listen(nSocket,512) < 0) + { + perror("listen"); + exit(4); + } + + nLen=sizeof saClient; + nFD=accept(nSocket,(struct sockaddr *)&saClient,&nLen); + if(nFD < 0) + { + perror("accept"); + exit(5); + } + + fprintf(stderr,"Incoming accepted on port %d\n",nPort); + + return nFD; + } + +int main(int argc,char **argv) + { + SSLStateMachine *pMachine; + int nPort; + int nFD; + const char *szCertificateFile; + const char *szKeyFile; + char rbuf[1]; + int nrbuf=0; + + if(argc != 4) + { + fprintf(stderr,"%s <port> <certificate file> <key file>\n",argv[0]); + exit(6); + } + + nPort=atoi(argv[1]); + szCertificateFile=argv[2]; + szKeyFile=argv[3]; + + SSL_library_init(); + OpenSSL_add_ssl_algorithms(); + SSL_load_error_strings(); + ERR_load_crypto_strings(); + + nFD=OpenSocket(nPort); + + pMachine=SSLStateMachine_new(szCertificateFile,szKeyFile); + + for( ; ; ) + { + fd_set rfds,wfds; + unsigned char buf[1024]; + int n; + + FD_ZERO(&rfds); + FD_ZERO(&wfds); + + /* Select socket for input */ + FD_SET(nFD,&rfds); + + /* check whether there's decrypted data */ + if(!nrbuf) + nrbuf=SSLStateMachine_read_extract(pMachine,rbuf,1); + + /* if there's decrypted data, check whether we can write it */ + if(nrbuf) + FD_SET(1,&wfds); + + /* Select socket for output */ + if(SSLStateMachine_write_can_extract(pMachine)) + FD_SET(nFD,&wfds); + + /* Select stdin for input */ + FD_SET(0,&rfds); + + /* Wait for something to do something */ + n=select(nFD+1,&rfds,&wfds,NULL,NULL); + assert(n > 0); + + /* Socket is ready for input */ + if(FD_ISSET(nFD,&rfds)) + { + n=read(nFD,buf,sizeof buf); + if(n == 0) + { + fprintf(stderr,"Got EOF on socket\n"); + exit(0); + } + assert(n > 0); + + SSLStateMachine_read_inject(pMachine,buf,n); + } + + /* stdout is ready for output (and hence we have some to send it) */ + if(FD_ISSET(1,&wfds)) + { + assert(nrbuf == 1); + buf[0]=rbuf[0]; + nrbuf=0; + + n=SSLStateMachine_read_extract(pMachine,buf+1,sizeof buf-1); + if(n < 0) + { + SSLStateMachine_print_error(pMachine,"read extract failed"); + break; + } + assert(n >= 0); + ++n; + if(n > 0) /* FIXME: has to be true now */ + { + int w; + + w=write(1,buf,n); + /* FIXME: we should push back any unwritten data */ + assert(w == n); + } + } + + /* Socket is ready for output (and therefore we have output to send) */ + if(FD_ISSET(nFD,&wfds)) + { + int w; + + n=SSLStateMachine_write_extract(pMachine,buf,sizeof buf); + assert(n > 0); + + w=write(nFD,buf,n); + /* FIXME: we should push back any unwritten data */ + assert(w == n); + } + + /* Stdin is ready for input */ + if(FD_ISSET(0,&rfds)) + { + n=read(0,buf,sizeof buf); + if(n == 0) + { + fprintf(stderr,"Got EOF on stdin\n"); + exit(0); + } + assert(n > 0); + + SSLStateMachine_write_inject(pMachine,buf,n); + } + } + /* not reached */ + return 0; + } |