kris
/
boringssl
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
4106 Revīzijas
12 Atzari
38 MiB
 
 
 
 
 
 
Koks: f131301413
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no 'f131301413'
${ noResults }
boringssl/tool/server.cc

265 rindas
8.1 KiB
Neapstrādāts Vainot Vēsture 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/base.h>

  16. 

  17. #include <memory>

  18. 

  19. #include <openssl/err.h>

  20. #include <openssl/rand.h>

  21. #include <openssl/ssl.h>

  22. 

  23. #include "internal.h"

  24. #include "transport_common.h"

  25. 

  26. 

  27. static const struct argument kArguments[] = {

  28.     {

  29.         "-accept", kRequiredArgument,

  30.         "The port of the server to bind on; eg 45102",

  31.     },

  32.     {

  33.         "-cipher", kOptionalArgument,

  34.         "An OpenSSL-style cipher suite string that configures the offered "

  35.         "ciphers",

  36.     },

  37.     {

  38.         "-curves", kOptionalArgument,

  39.         "An OpenSSL-style ECDH curves list that configures the offered curves",

  40.     },

  41.     {

  42.         "-max-version", kOptionalArgument,

  43.         "The maximum acceptable protocol version",

  44.     },

  45.     {

  46.         "-min-version", kOptionalArgument,

  47.         "The minimum acceptable protocol version",

  48.     },

  49.     {

  50.         "-key", kOptionalArgument,

  51.         "PEM-encoded file containing the private key. A self-signed "

  52.         "certificate is generated at runtime if this argument is not provided.",

  53.     },

  54.     {

  55.         "-cert", kOptionalArgument,

  56.         "PEM-encoded file containing the leaf certificate and optional "

  57.         "certificate chain. This is taken from the -key argument if this "

  58.         "argument is not provided.",

  59.     },

  60.     {

  61.         "-ocsp-response", kOptionalArgument, "OCSP response file to send",

  62.     },

  63.     {

  64.         "-loop", kBooleanArgument,

  65.         "The server will continue accepting new sequential connections.",

  66.     },

  67.     {

  68.         "-early-data", kBooleanArgument, "Allow early data",

  69.     },

  70.     {

  71.         "", kOptionalArgument, "",

  72.     },

  73. };

  74. 

  75. struct FileCloser {

  76.   void operator()(FILE *file) {

  77.     fclose(file);

  78.   }

  79. };

  80. 

  81. using ScopedFILE = std::unique_ptr<FILE, FileCloser>;

  82. 

  83. static bool LoadOCSPResponse(SSL_CTX *ctx, const char *filename) {

  84.   ScopedFILE f(fopen(filename, "rb"));

  85.   std::vector<uint8_t> data;

  86.   if (f == nullptr ||

  87.       !ReadAll(&data, f.get())) {

  88.     fprintf(stderr, "Error reading %s.\n", filename);

  89.     return false;

  90.   }

  91. 

  92.   if (!SSL_CTX_set_ocsp_response(ctx, data.data(), data.size())) {

  93.     return false;

  94.   }

  95. 

  96.   return true;

  97. }

  98. 

  99. static bssl::UniquePtr<EVP_PKEY> MakeKeyPairForSelfSignedCert() {

  100.   bssl::UniquePtr<EC_KEY> ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));

  101.   if (!ec_key || !EC_KEY_generate_key(ec_key.get())) {

  102.     fprintf(stderr, "Failed to generate key pair.\n");

  103.     return nullptr;

  104.   }

  105.   bssl::UniquePtr<EVP_PKEY> evp_pkey(EVP_PKEY_new());

  106.   if (!evp_pkey || !EVP_PKEY_assign_EC_KEY(evp_pkey.get(), ec_key.release())) {

  107.     fprintf(stderr, "Failed to assign key pair.\n");

  108.     return nullptr;

  109.   }

  110.   return evp_pkey;

  111. }

  112. 

  113. static bssl::UniquePtr<X509> MakeSelfSignedCert(EVP_PKEY *evp_pkey,

  114.                                                 const int valid_days) {

  115.   bssl::UniquePtr<X509> x509(X509_new());

  116.   uint32_t serial;

  117.   RAND_bytes(reinterpret_cast<uint8_t*>(&serial), sizeof(serial));

  118.   ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), serial >> 1);

  119.   X509_gmtime_adj(X509_get_notBefore(x509.get()), 0);

  120.   X509_gmtime_adj(X509_get_notAfter(x509.get()), 60 * 60 * 24 * valid_days);

  121. 

  122.   X509_NAME* subject = X509_get_subject_name(x509.get());

  123.   X509_NAME_add_entry_by_txt(subject, "C", MBSTRING_ASC,

  124.                              reinterpret_cast<const uint8_t *>("US"), -1, -1,

  125.                              0);

  126.   X509_NAME_add_entry_by_txt(subject, "O", MBSTRING_ASC,

  127.                              reinterpret_cast<const uint8_t *>("BoringSSL"), -1,

  128.                              -1, 0);

  129.   X509_set_issuer_name(x509.get(), subject);

  130. 

  131.   if (!X509_set_pubkey(x509.get(), evp_pkey)) {

  132.     fprintf(stderr, "Failed to set public key.\n");

  133.     return nullptr;

  134.   }

  135.   if (!X509_sign(x509.get(), evp_pkey, EVP_sha256())) {

  136.     fprintf(stderr, "Failed to sign certificate.\n");

  137.     return nullptr;

  138.   }

  139.   return x509;

  140. }

  141. 

  142. bool Server(const std::vector<std::string> &args) {

  143.   if (!InitSocketLibrary()) {

  144.     return false;

  145.   }

  146. 

  147.   std::map<std::string, std::string> args_map;

  148. 

  149.   if (!ParseKeyValueArguments(&args_map, args, kArguments)) {

  150.     PrintUsage(kArguments);

  151.     return false;

  152.   }

  153. 

  154.   bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));

  155.   SSL_CTX_set_options(ctx.get(), SSL_OP_NO_SSLv3);

  156. 

  157.   // Server authentication is required.

  158.   if (args_map.count("-key") != 0) {

  159.     std::string key = args_map["-key"];

  160.     if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key.c_str(),

  161.                                      SSL_FILETYPE_PEM)) {

  162.       fprintf(stderr, "Failed to load private key: %s\n", key.c_str());

  163.       return false;

  164.     }

  165.     const std::string &cert =

  166.         args_map.count("-cert") != 0 ? args_map["-cert"] : key;

  167.     if (!SSL_CTX_use_certificate_chain_file(ctx.get(), cert.c_str())) {

  168.       fprintf(stderr, "Failed to load cert chain: %s\n", cert.c_str());

  169.       return false;

  170.     }

  171.   } else {

  172.     bssl::UniquePtr<EVP_PKEY> evp_pkey = MakeKeyPairForSelfSignedCert();

  173.     if (!evp_pkey) {

  174.       return false;

  175.     }

  176.     bssl::UniquePtr<X509> cert =

  177.         MakeSelfSignedCert(evp_pkey.get(), 365 /* valid_days */);

  178.     if (!cert) {

  179.       return false;

  180.     }

  181.     if (!SSL_CTX_use_PrivateKey(ctx.get(), evp_pkey.get())) {

  182.       fprintf(stderr, "Failed to set private key.\n");

  183.       return false;

  184.     }

  185.     if (!SSL_CTX_use_certificate(ctx.get(), cert.get())) {

  186.       fprintf(stderr, "Failed to set certificate.\n");

  187.       return false;

  188.     }

  189.   }

  190. 

  191.   if (args_map.count("-cipher") != 0 &&

  192.       !SSL_CTX_set_strict_cipher_list(ctx.get(), args_map["-cipher"].c_str())) {

  193.     fprintf(stderr, "Failed setting cipher list\n");

  194.     return false;

  195.   }

  196. 

  197.   if (args_map.count("-curves") != 0 &&

  198.       !SSL_CTX_set1_curves_list(ctx.get(), args_map["-curves"].c_str())) {

  199.     fprintf(stderr, "Failed setting curves list\n");

  200.     return false;

  201.   }

  202. 

  203.   uint16_t max_version = TLS1_3_VERSION;

  204.   if (args_map.count("-max-version") != 0 &&

  205.       !VersionFromString(&max_version, args_map["-max-version"])) {

  206.     fprintf(stderr, "Unknown protocol version: '%s'\n",

  207.             args_map["-max-version"].c_str());

  208.     return false;

  209.   }

  210. 

  211.   if (!SSL_CTX_set_max_proto_version(ctx.get(), max_version)) {

  212.     return false;

  213.   }

  214. 

  215.   if (args_map.count("-min-version") != 0) {

  216.     uint16_t version;

  217.     if (!VersionFromString(&version, args_map["-min-version"])) {

  218.       fprintf(stderr, "Unknown protocol version: '%s'\n",

  219.               args_map["-min-version"].c_str());

  220.       return false;

  221.     }

  222.     if (!SSL_CTX_set_min_proto_version(ctx.get(), version)) {

  223.       return false;

  224.     }

  225.   }

  226. 

  227.   if (args_map.count("-ocsp-response") != 0 &&

  228.       !LoadOCSPResponse(ctx.get(), args_map["-ocsp-response"].c_str())) {

  229.     fprintf(stderr, "Failed to load OCSP response: %s\n", args_map["-ocsp-response"].c_str());

  230.     return false;

  231.   }

  232. 

  233.   if (args_map.count("-early-data") != 0) {

  234.     SSL_CTX_set_early_data_enabled(ctx.get(), 1);

  235.   }

  236. 

  237.   bool result = true;

  238.   do {

  239.     int sock = -1;

  240.     if (!Accept(&sock, args_map["-accept"])) {

  241.       return false;

  242.     }

  243. 

  244.     BIO *bio = BIO_new_socket(sock, BIO_CLOSE);

  245.     bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));

  246.     SSL_set_bio(ssl.get(), bio, bio);

  247. 

  248.     int ret = SSL_accept(ssl.get());

  249.     if (ret != 1) {

  250.       int ssl_err = SSL_get_error(ssl.get(), ret);

  251.       fprintf(stderr, "Error while connecting: %d\n", ssl_err);

  252.       ERR_print_errors_cb(PrintErrorCallback, stderr);

  253.       result = false;

  254.       continue;

  255.     }

  256. 

  257.     fprintf(stderr, "Connected.\n");

  258.     PrintConnectionInfo(ssl.get());

  259. 

  260.     result = TransferData(ssl.get(), sock);

  261.   } while (args_map.count("-loop") != 0);

  262. 

  263.   return result;

  264. }