kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4419 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: a3d76d019f
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'a3d76d019f'
${ noResults }
boringssl/tool/server.cc

277 regels
8.4 KiB
Ruw Blame Geschiedenis 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/base.h>

  16. 

  17. #include <memory>

  18. 

  19. #include <openssl/err.h>

  20. #include <openssl/rand.h>

  21. #include <openssl/ssl.h>

  22. 

  23. #include "internal.h"

  24. #include "transport_common.h"

  25. 

  26. 

  27. static const struct argument kArguments[] = {

  28.     {

  29.         "-accept", kRequiredArgument,

  30.         "The port of the server to bind on; eg 45102",

  31.     },

  32.     {

  33.         "-cipher", kOptionalArgument,

  34.         "An OpenSSL-style cipher suite string that configures the offered "

  35.         "ciphers",

  36.     },

  37.     {

  38.         "-curves", kOptionalArgument,

  39.         "An OpenSSL-style ECDH curves list that configures the offered curves",

  40.     },

  41.     {

  42.         "-max-version", kOptionalArgument,

  43.         "The maximum acceptable protocol version",

  44.     },

  45.     {

  46.         "-min-version", kOptionalArgument,

  47.         "The minimum acceptable protocol version",

  48.     },

  49.     {

  50.         "-key", kOptionalArgument,

  51.         "PEM-encoded file containing the private key. A self-signed "

  52.         "certificate is generated at runtime if this argument is not provided.",

  53.     },

  54.     {

  55.         "-cert", kOptionalArgument,

  56.         "PEM-encoded file containing the leaf certificate and optional "

  57.         "certificate chain. This is taken from the -key argument if this "

  58.         "argument is not provided.",

  59.     },

  60.     {

  61.         "-ocsp-response", kOptionalArgument, "OCSP response file to send",

  62.     },

  63.     {

  64.         "-loop", kBooleanArgument,

  65.         "The server will continue accepting new sequential connections.",

  66.     },

  67.     {

  68.         "-early-data", kBooleanArgument, "Allow early data",

  69.     },

  70.     {

  71.         "-tls13-variant", kBooleanArgument, "Enable TLS 1.3 variants",

  72.     },

  73.     {

  74.         "", kOptionalArgument, "",

  75.     },

  76. };

  77. 

  78. struct FileCloser {

  79.   void operator()(FILE *file) {

  80.     fclose(file);

  81.   }

  82. };

  83. 

  84. using ScopedFILE = std::unique_ptr<FILE, FileCloser>;

  85. 

  86. static bool LoadOCSPResponse(SSL_CTX *ctx, const char *filename) {

  87.   ScopedFILE f(fopen(filename, "rb"));

  88.   std::vector<uint8_t> data;

  89.   if (f == nullptr ||

  90.       !ReadAll(&data, f.get())) {

  91.     fprintf(stderr, "Error reading %s.\n", filename);

  92.     return false;

  93.   }

  94. 

  95.   if (!SSL_CTX_set_ocsp_response(ctx, data.data(), data.size())) {

  96.     return false;

  97.   }

  98. 

  99.   return true;

  100. }

  101. 

  102. static bssl::UniquePtr<EVP_PKEY> MakeKeyPairForSelfSignedCert() {

  103.   bssl::UniquePtr<EC_KEY> ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));

  104.   if (!ec_key || !EC_KEY_generate_key(ec_key.get())) {

  105.     fprintf(stderr, "Failed to generate key pair.\n");

  106.     return nullptr;

  107.   }

  108.   bssl::UniquePtr<EVP_PKEY> evp_pkey(EVP_PKEY_new());

  109.   if (!evp_pkey || !EVP_PKEY_assign_EC_KEY(evp_pkey.get(), ec_key.release())) {

  110.     fprintf(stderr, "Failed to assign key pair.\n");

  111.     return nullptr;

  112.   }

  113.   return evp_pkey;

  114. }

  115. 

  116. static bssl::UniquePtr<X509> MakeSelfSignedCert(EVP_PKEY *evp_pkey,

  117.                                                 const int valid_days) {

  118.   bssl::UniquePtr<X509> x509(X509_new());

  119.   uint32_t serial;

  120.   RAND_bytes(reinterpret_cast<uint8_t*>(&serial), sizeof(serial));

  121.   ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), serial >> 1);

  122.   X509_gmtime_adj(X509_get_notBefore(x509.get()), 0);

  123.   X509_gmtime_adj(X509_get_notAfter(x509.get()), 60 * 60 * 24 * valid_days);

  124. 

  125.   X509_NAME* subject = X509_get_subject_name(x509.get());

  126.   X509_NAME_add_entry_by_txt(subject, "C", MBSTRING_ASC,

  127.                              reinterpret_cast<const uint8_t *>("US"), -1, -1,

  128.                              0);

  129.   X509_NAME_add_entry_by_txt(subject, "O", MBSTRING_ASC,

  130.                              reinterpret_cast<const uint8_t *>("BoringSSL"), -1,

  131.                              -1, 0);

  132.   X509_set_issuer_name(x509.get(), subject);

  133. 

  134.   if (!X509_set_pubkey(x509.get(), evp_pkey)) {

  135.     fprintf(stderr, "Failed to set public key.\n");

  136.     return nullptr;

  137.   }

  138.   if (!X509_sign(x509.get(), evp_pkey, EVP_sha256())) {

  139.     fprintf(stderr, "Failed to sign certificate.\n");

  140.     return nullptr;

  141.   }

  142.   return x509;

  143. }

  144. 

  145. bool Server(const std::vector<std::string> &args) {

  146.   if (!InitSocketLibrary()) {

  147.     return false;

  148.   }

  149. 

  150.   std::map<std::string, std::string> args_map;

  151. 

  152.   if (!ParseKeyValueArguments(&args_map, args, kArguments)) {

  153.     PrintUsage(kArguments);

  154.     return false;

  155.   }

  156. 

  157.   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));

  158. 

  159.   // Server authentication is required.

  160.   if (args_map.count("-key") != 0) {

  161.     std::string key = args_map["-key"];

  162.     if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key.c_str(),

  163.                                      SSL_FILETYPE_PEM)) {

  164.       fprintf(stderr, "Failed to load private key: %s\n", key.c_str());

  165.       return false;

  166.     }

  167.     const std::string &cert =

  168.         args_map.count("-cert") != 0 ? args_map["-cert"] : key;

  169.     if (!SSL_CTX_use_certificate_chain_file(ctx.get(), cert.c_str())) {

  170.       fprintf(stderr, "Failed to load cert chain: %s\n", cert.c_str());

  171.       return false;

  172.     }

  173.   } else {

  174.     bssl::UniquePtr<EVP_PKEY> evp_pkey = MakeKeyPairForSelfSignedCert();

  175.     if (!evp_pkey) {

  176.       return false;

  177.     }

  178.     bssl::UniquePtr<X509> cert =

  179.         MakeSelfSignedCert(evp_pkey.get(), 365 /* valid_days */);

  180.     if (!cert) {

  181.       return false;

  182.     }

  183.     if (!SSL_CTX_use_PrivateKey(ctx.get(), evp_pkey.get())) {

  184.       fprintf(stderr, "Failed to set private key.\n");

  185.       return false;

  186.     }

  187.     if (!SSL_CTX_use_certificate(ctx.get(), cert.get())) {

  188.       fprintf(stderr, "Failed to set certificate.\n");

  189.       return false;

  190.     }

  191.   }

  192. 

  193.   if (args_map.count("-cipher") != 0 &&

  194.       !SSL_CTX_set_strict_cipher_list(ctx.get(), args_map["-cipher"].c_str())) {

  195.     fprintf(stderr, "Failed setting cipher list\n");

  196.     return false;

  197.   }

  198. 

  199.   if (args_map.count("-curves") != 0 &&

  200.       !SSL_CTX_set1_curves_list(ctx.get(), args_map["-curves"].c_str())) {

  201.     fprintf(stderr, "Failed setting curves list\n");

  202.     return false;

  203.   }

  204. 

  205.   uint16_t max_version = TLS1_3_VERSION;

  206.   if (args_map.count("-max-version") != 0 &&

  207.       !VersionFromString(&max_version, args_map["-max-version"])) {

  208.     fprintf(stderr, "Unknown protocol version: '%s'\n",

  209.             args_map["-max-version"].c_str());

  210.     return false;

  211.   }

  212. 

  213.   if (!SSL_CTX_set_max_proto_version(ctx.get(), max_version)) {

  214.     return false;

  215.   }

  216. 

  217.   if (args_map.count("-min-version") != 0) {

  218.     uint16_t version;

  219.     if (!VersionFromString(&version, args_map["-min-version"])) {

  220.       fprintf(stderr, "Unknown protocol version: '%s'\n",

  221.               args_map["-min-version"].c_str());

  222.       return false;

  223.     }

  224.     if (!SSL_CTX_set_min_proto_version(ctx.get(), version)) {

  225.       return false;

  226.     }

  227.   }

  228. 

  229.   if (args_map.count("-ocsp-response") != 0 &&

  230.       !LoadOCSPResponse(ctx.get(), args_map["-ocsp-response"].c_str())) {

  231.     fprintf(stderr, "Failed to load OCSP response: %s\n", args_map["-ocsp-response"].c_str());

  232.     return false;

  233.   }

  234. 

  235.   if (args_map.count("-early-data") != 0) {

  236.     SSL_CTX_set_early_data_enabled(ctx.get(), 1);

  237.   }

  238. 

  239.   // Enabling any TLS 1.3 variant on the server enables all of them.

  240.   if (args_map.count("-tls13-variant") != 0) {

  241.     SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment);

  242.   }

  243. 

  244.   Listener listener;

  245.   if (!listener.Init(args_map["-accept"])) {

  246.     return false;

  247.   }

  248. 

  249.   bool result = true;

  250.   do {

  251.     int sock = -1;

  252.     if (!listener.Accept(&sock)) {

  253.       return false;

  254.     }

  255. 

  256.     BIO *bio = BIO_new_socket(sock, BIO_CLOSE);

  257.     bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));

  258.     SSL_set_bio(ssl.get(), bio, bio);

  259. 

  260.     int ret = SSL_accept(ssl.get());

  261.     if (ret != 1) {

  262.       int ssl_err = SSL_get_error(ssl.get(), ret);

  263.       fprintf(stderr, "Error while connecting: %d\n", ssl_err);

  264.       ERR_print_errors_cb(PrintErrorCallback, stderr);

  265.       result = false;

  266.       continue;

  267.     }

  268. 

  269.     fprintf(stderr, "Connected.\n");

  270.     PrintConnectionInfo(ssl.get());

  271. 

  272.     result = TransferData(ssl.get(), sock);

  273.   } while (args_map.count("-loop") != 0);

  274. 

  275.   return result;

  276. }