/* * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include #include #include #include #include #include static const int server_port = 4433; typedef unsigned char bool; #define true 1 #define false 0 /* * This flag won't be useful until both accept/read (TCP & SSL) methods * can be called with a timeout. TBD. */ static volatile bool server_running = true; int create_socket(bool isServer) { int s; int optval = 1; struct sockaddr_in addr; s = socket(AF_INET, SOCK_STREAM, 0); if (s < 0) { perror("Unable to create socket"); exit(EXIT_FAILURE); } if (isServer) { addr.sin_family = AF_INET; addr.sin_port = htons(server_port); addr.sin_addr.s_addr = INADDR_ANY; /* Reuse the address; good for quick restarts */ if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)) < 0) { perror("setsockopt(SO_REUSEADDR) failed"); exit(EXIT_FAILURE); } if (bind(s, (struct sockaddr*) &addr, sizeof(addr)) < 0) { perror("Unable to bind"); exit(EXIT_FAILURE); } if (listen(s, 1) < 0) { perror("Unable to listen"); exit(EXIT_FAILURE); } } return s; } SSL_CTX* create_context(bool isServer) { const SSL_METHOD *method; SSL_CTX *ctx; if (isServer) method = TLS_server_method(); else method = TLS_client_method(); ctx = SSL_CTX_new(method); if (ctx == NULL) { perror("Unable to create SSL context"); ERR_print_errors_fp(stderr); exit(EXIT_FAILURE); } return ctx; } void configure_server_context(SSL_CTX *ctx) { /* Set the key and cert */ if (SSL_CTX_use_certificate_chain_file(ctx, "cert.pem") <= 0) { ERR_print_errors_fp(stderr); exit(EXIT_FAILURE); } if (SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); exit(EXIT_FAILURE); } } void configure_client_context(SSL_CTX *ctx) { /* * Configure the client to abort the handshake if certificate verification * fails */ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); /* * In a real application you would probably just use the default system certificate trust store and call: * SSL_CTX_set_default_verify_paths(ctx); * In this demo though we are using a self-signed certificate, so the client must trust it directly. */ if (!SSL_CTX_load_verify_locations(ctx, "cert.pem", NULL)) { ERR_print_errors_fp(stderr); exit(EXIT_FAILURE); } } void usage() { printf("Usage: sslecho s\n"); printf(" --or--\n"); printf(" sslecho c ip\n"); printf(" c=client, s=server, ip=dotted ip of server\n"); exit(EXIT_FAILURE); } int main(int argc, char **argv) { bool isServer; int result; SSL_CTX *ssl_ctx = NULL; SSL *ssl = NULL; int server_skt = -1; int client_skt = -1; /* used by getline relying on realloc, can't be statically allocated */ char *txbuf = NULL; size_t txcap = 0; int txlen; char rxbuf[128]; size_t rxcap = sizeof(rxbuf); int rxlen; char *rem_server_ip = NULL; struct sockaddr_in addr; unsigned int addr_len = sizeof(addr); /* ignore SIGPIPE so that server can continue running when client pipe closes abruptly */ signal(SIGPIPE, SIG_IGN); /* Splash */ printf("\nsslecho : Simple Echo Client/Server (OpenSSL 3.0.1-dev) : %s : %s\n\n", __DATE__, __TIME__); /* Need to know if client or server */ if (argc < 2) { usage(); /* NOTREACHED */ } isServer = (argv[1][0] == 's') ? true : false; /* If client get remote server address (could be 127.0.0.1) */ if (!isServer) { if (argc != 3) { usage(); /* NOTREACHED */ } rem_server_ip = argv[2]; } /* Create context used by both client and server */ ssl_ctx = create_context(isServer); /* If server */ if (isServer) { printf("We are the server on port: %d\n\n", server_port); /* Configure server context with appropriate key files */ configure_server_context(ssl_ctx); /* Create server socket; will bind with server port and listen */ server_skt = create_socket(true); /* * Loop to accept clients. * Need to implement timeouts on TCP & SSL connect/read functions * before we can catch a CTRL-C and kill the server. */ while (server_running) { /* Wait for TCP connection from client */ client_skt = accept(server_skt, (struct sockaddr*) &addr, &addr_len); if (client_skt < 0) { perror("Unable to accept"); exit(EXIT_FAILURE); } printf("Client TCP connection accepted\n"); /* Create server SSL structure using newly accepted client socket */ ssl = SSL_new(ssl_ctx); SSL_set_fd(ssl, client_skt); /* Wait for SSL connection from the client */ if (SSL_accept(ssl) <= 0) { ERR_print_errors_fp(stderr); server_running = false; } else { printf("Client SSL connection accepted\n\n"); /* Echo loop */ while (true) { /* Get message from client; will fail if client closes connection */ if ((rxlen = SSL_read(ssl, rxbuf, rxcap)) <= 0) { if (rxlen == 0) { printf("Client closed connection\n"); } else { printf("SSL_read returned %d\n", rxlen); } ERR_print_errors_fp(stderr); break; } /* Insure null terminated input */ rxbuf[rxlen] = 0; /* Look for kill switch */ if (strcmp(rxbuf, "kill\n") == 0) { /* Terminate...with extreme prejudice */ printf("Server received 'kill' command\n"); server_running = false; break; } /* Show received message */ printf("Received: %s", rxbuf); /* Echo it back */ if (SSL_write(ssl, rxbuf, rxlen) <= 0) { ERR_print_errors_fp(stderr); } } } if (server_running) { /* Cleanup for next client */ SSL_shutdown(ssl); SSL_free(ssl); close(client_skt); } } printf("Server exiting...\n"); } /* Else client */ else { printf("We are the client\n\n"); /* Configure client context so we verify the server correctly */ configure_client_context(ssl_ctx); /* Create "bare" socket */ client_skt = create_socket(false); /* Set up connect address */ addr.sin_family = AF_INET; inet_pton(AF_INET, rem_server_ip, &addr.sin_addr.s_addr); addr.sin_port = htons(server_port); /* Do TCP connect with server */ if (connect(client_skt, (struct sockaddr*) &addr, sizeof(addr)) != 0) { perror("Unable to TCP connect to server"); goto exit; } else { printf("TCP connection to server successful\n"); } /* Create client SSL structure using dedicated client socket */ ssl = SSL_new(ssl_ctx); SSL_set_fd(ssl, client_skt); /* Set hostname for SNI */ SSL_set_tlsext_host_name(ssl, rem_server_ip); /* Configure server hostname check */ SSL_set1_host(ssl, rem_server_ip); /* Now do SSL connect with server */ if (SSL_connect(ssl) == 1) { printf("SSL connection to server successful\n\n"); /* Loop to send input from keyboard */ while (true) { /* Get a line of input */ txlen = getline(&txbuf, &txcap, stdin); /* Exit loop on error */ if (txlen < 0 || txbuf == NULL) { break; } /* Exit loop if just a carriage return */ if (txbuf[0] == '\n') { break; } /* Send it to the server */ if ((result = SSL_write(ssl, txbuf, txlen)) <= 0) { printf("Server closed connection\n"); ERR_print_errors_fp(stderr); break; } /* Wait for the echo */ rxlen = SSL_read(ssl, rxbuf, rxcap); if (rxlen <= 0) { printf("Server closed connection\n"); ERR_print_errors_fp(stderr); break; } else { /* Show it */ rxbuf[rxlen] = 0; printf("Received: %s", rxbuf); } } printf("Client exiting...\n"); } else { printf("SSL connection to server failed\n\n"); ERR_print_errors_fp(stderr); } } exit: /* Close up */ if (ssl != NULL) { SSL_shutdown(ssl); SSL_free(ssl); } SSL_CTX_free(ssl_ctx); if (client_skt != -1) close(client_skt); if (server_skt != -1) close(server_skt); if (txbuf != NULL && txcap > 0) free(txbuf); printf("sslecho exiting\n"); return EXIT_SUCCESS; }