2 * Copyright (c) 2013 INSIDE Secure Corporation
3 * Copyright (c) PeerSec Networks, 2002-2011
6 * The latest version of this code is available at http://www.matrixssl.org
8 * This software is open source; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in WITHOUT ANY WARRANTY; without even the
14 * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
15 * See the GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * http://www.gnu.org/copyleft/gpl.html
30 #include <sys/socket.h>
32 #include "matrixssl/matrixsslApi.h"
34 //#warning "DO NOT USE THESE DEFAULT KEYS IN PRODUCTION ENVIRONMENTS."
37 * If supporting client authentication, pick ONE identity to auto select a
38 * certificate and private key that support desired algorithms.
40 #define ID_RSA /* RSA Certificate and Key */
42 #define USE_HEADER_KEYS
44 /* If the algorithm type is supported, load a CA for it */
45 #ifdef USE_HEADER_KEYS
47 # include "sampleCerts/RSA/ALL_RSA_CAS.h"
48 /* Identity Certs and Keys for use with Client Authentication */
50 # define EXAMPLE_RSA_KEYS
51 # include "sampleCerts/RSA/2048_RSA.h"
52 # include "sampleCerts/RSA/2048_RSA_KEY.h"
56 static ssize_t safe_write(int fd, const void *buf, size_t count)
61 n = write(fd, buf, count);
62 } while (n < 0 && errno == EINTR);
67 static ssize_t full_write(int fd, const void *buf, size_t len)
75 cc = safe_write(fd, buf, len);
79 /* we already wrote some! */
80 /* user can do another write to know the error code */
83 return cc; /* write() returns -1 on failure. */
87 buf = ((const char *)buf) + cc;
94 static void say(const char *s, ...)
101 sz = vsnprintf(buf, sizeof(buf), s, p);
102 full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
106 static void die(const char *s, ...)
113 sz = vsnprintf(buf, sizeof(buf), s, p);
114 full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
120 # define dbg(...) say(__VA_ARGS__)
122 # define dbg(...) ((void)0)
125 static struct pollfd pfd[2] = {
126 { -1, POLLIN|POLLERR|POLLHUP, 0 },
127 { -1, POLLIN|POLLERR|POLLHUP, 0 },
130 #define NETWORK pfd[1]
131 #define STDIN_READY() (pfd[0].revents & (POLLIN|POLLERR|POLLHUP))
132 #define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP))
134 static int wait_for_input(void)
136 if (STDIN.fd == NETWORK.fd) /* means both are -1 */
139 STDIN.revents = NETWORK.revents = 0;
140 return poll(pfd, 2, -1);
143 static int32 certCb(ssl_t *ssl, psX509Cert_t *cert, int32 alert)
145 /* Example to allow anonymous connections based on a define */
147 return SSL_ALLOW_ANON_CONNECTION; // = 254
150 /* Validate the 'not before' and 'not after' dates, etc */
151 return PS_FAILURE; /* if we don't like this cert */
156 static void close_conn_and_exit(ssl_t *ssl, int fd)
161 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
162 /* Quick attempt to send a closure alert, don't worry about failure */
163 if (matrixSslEncodeClosureAlert(ssl) >= 0) {
164 len = matrixSslGetOutdata(ssl, &buf);
166 len = safe_write(fd, buf, len);
168 // matrixSslSentData(ssl, len);
172 //matrixSslDeleteSession(ssl);
173 shutdown(fd, SHUT_WR);
177 static int encode_data(ssl_t *ssl, const void *data, int len)
182 available = matrixSslGetWritebuf(ssl, &buf, len);
184 die("matrixSslGetWritebuf\n");
186 die("len > available\n");
187 memcpy(buf, data, len);
188 if (matrixSslEncodeWritebuf(ssl, len) < 0)
189 die("matrixSslEncodeWritebuf\n");
193 static void flush_to_net(ssl_t *ssl, int fd)
199 while ((len = matrixSslGetOutdata(ssl, &buf)) > 0) {
200 dbg("writing net %d bytes\n", len);
201 if (full_write(fd, buf, len) != len)
202 die("write to network\n");
203 rc = matrixSslSentData(ssl, len);
205 die("matrixSslSentData\n");
209 static void do_io_until_eof_and_exit(int fd, sslKeys_t *keys)
219 /* Note! STDIN.fd is disabled (-1) until SSL handshake is over:
220 * we do not attempt to feed any user data to MatrixSSL
221 * before it is ready.
224 matrixSslNewSessionId(&sid);
225 rc = matrixSslNewClientSession(&ssl, keys, sid, 0, certCb, NULL, NULL, 0);
226 dbg("matrixSslNewClientSession:rc=%d\n", rc);
227 if (rc != MATRIXSSL_REQUEST_SEND)
228 die("matrixSslNewClientSession\n");
230 len = 0; /* only to suppress compiler warning */
233 case MATRIXSSL_REQUEST_SEND:
234 dbg("MATRIXSSL_REQUEST_SEND\n");
235 flush_to_net(ssl, fd);
240 flush_to_net(ssl, fd);
243 case MATRIXSSL_REQUEST_CLOSE:
244 /* what does this mean if we are here? */
245 dbg("MATRIXSSL_REQUEST_CLOSE\n");
246 close_conn_and_exit(ssl, fd);
248 case MATRIXSSL_HANDSHAKE_COMPLETE:
249 dbg("MATRIXSSL_HANDSHAKE_COMPLETE\n");
250 /* Init complete, can start reading local user's data: */
251 STDIN.fd = STDIN_FILENO;
256 dbg("reading stdin\n");
257 len = read(STDIN_FILENO, ibuf, sizeof(ibuf));
259 die("read error on stdin\n");
263 len = encode_data(ssl, ibuf, len);
265 rc = MATRIXSSL_REQUEST_SEND;
272 if (NETWORK_READY()) {
274 (pfd[1].revents & POLLIN) ? "POLLIN" : "",
275 (pfd[1].revents & POLLERR) ? "|POLLERR" : "",
276 (pfd[1].revents & POLLHUP) ? "|POLLHUP" : ""
278 len = matrixSslGetReadbuf(ssl, &buf);
280 die("matrixSslGetReadbuf\n");
281 dbg("reading net up to %d\n", len);
282 len = read(fd, buf, len);
283 dbg("reading net:%d\n", len);
285 die("read error on network\n");
286 if (len == 0) /*eof*/
289 rc = matrixSslReceivedData(ssl, len, &buf, &len32u);
290 dbg("matrixSslReceivedData:rc=%d\n", rc);
293 die("matrixSslReceivedData\n");
297 case MATRIXSSL_APP_DATA:
298 dbg("MATRIXSSL_APP_DATA: writing stdout\n");
300 if (full_write(STDOUT_FILENO, buf, len) != len)
301 die("write to stdout\n");
303 rc = matrixSslProcessedData(ssl, &buf, &len32u);
304 //this was seen returning rc=0:
305 dbg("matrixSslProcessedData:rc=%d\n", rc);
307 } while (rc == MATRIXSSL_APP_DATA);
308 if (pfd[1].fd == -1) {
309 /* Already saw EOF on network, and we processed
310 * and wrote out all ssl data. Signal it:
312 close(STDOUT_FILENO);
316 case MATRIXSSL_REQUEST_RECV:
317 dbg("MATRIXSSL_REQUEST_RECV\n");
321 case MATRIXSSL_RECEIVED_ALERT:
322 dbg("MATRIXSSL_RECEIVED_ALERT\n");
323 /* The first byte of the buffer is the level */
324 /* The second byte is the description */
325 if (buf[0] == SSL_ALERT_LEVEL_FATAL)
326 die("Fatal alert\n");
327 /* Closure alert is normal (and best) way to close */
328 if (buf[1] == SSL_ALERT_CLOSE_NOTIFY)
329 close_conn_and_exit(ssl, fd);
330 die("Warning alert\n");
332 rc = matrixSslProcessedData(ssl, &buf, &len32u);
333 dbg("matrixSslProcessedData:rc=%d\n", rc);
338 /* If rc < 0 it is an error */
339 die("bad rc:%d\n", rc);
343 static sslKeys_t* make_keys(void)
349 if (matrixSslNewKeys(&keys) < 0)
350 die("matrixSslNewKeys\n");
352 #ifdef USE_HEADER_KEYS
354 * In-memory based keys
355 * Build the CA list first for potential client auth usage
358 CAstreamLen = sizeof(RSACAS);
359 if (CAstreamLen > 0) {
360 CAstream = psMalloc(NULL, CAstreamLen);
361 memcpy(CAstream, RSACAS, sizeof(RSACAS));
365 rc = matrixSslLoadRsaKeysMem(keys, RSA2048, sizeof(RSA2048),
366 RSA2048KEY, sizeof(RSA2048KEY), (unsigned char*)CAstream,
369 die("matrixSslLoadRsaKeysMem\n");
374 #endif /* USE_HEADER_KEYS */
378 int main(int argc, char **argv)
384 die("Syntax error\n");
385 if (argv[1][0] != '-')
386 die("Syntax error\n");
387 if (argv[1][1] != 'd')
388 die("Syntax error\n");
389 fd_str = argv[1] + 2;
392 if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9')
393 die("Syntax error\n");
397 die("Syntax error\n");
399 if (matrixSslOpen() < 0)
400 die("matrixSslOpen\n");
402 do_io_until_eof_and_exit(fd, make_keys());
403 /* does not return */