From 19b7a6f6b05d122740b456700054fd032c80d0d7 Mon Sep 17 00:00:00 2001 From: Marcel Poul Date: Fri, 2 Dec 2011 00:19:49 +0000 Subject: [PATCH] server with key and certificate (still SSL3_GET_CLIENT_HELLO error) --- emi.canl.canl-c/src/canl.c | 7 ----- emi.canl.canl-c/src/canl_cert.c | 3 +++ emi.canl.canl-c/src/canl_err.c | 27 ++++++++++--------- emi.canl.canl-c/src/canl_locl.h | 1 + emi.canl.canl-c/src/canl_sample_server.c | 16 ++++++++--- emi.canl.canl-c/src/canl_ssl.c | 46 +++++++++++++++++++++++++------- 6 files changed, 68 insertions(+), 32 deletions(-) diff --git a/emi.canl.canl-c/src/canl.c b/emi.canl.canl-c/src/canl.c index e23f710..18a46ab 100644 --- a/emi.canl.canl-c/src/canl.c +++ b/emi.canl.canl-c/src/canl.c @@ -318,19 +318,12 @@ int canl_io_accept(canl_ctx cc, canl_io_handler io, int port, (*io_new_cc)->sock = new_fd; /* TODO everything fine - set new_io_cc according to their_addr*/ - /*call openssl */ err = ssl_init(glb_cc, *io_new_cc); if (err) goto end; err = ssl_accept(glb_cc, io_cc, (*io_new_cc), timeout); - /*write succes or failure to cc, io*/ - //if (err) - /*cc or io set error*/ - //else - /*cc or io set succes*/ - end: if (err) update_error(glb_cc, "cannot accept connection (canl_io_accept)"); diff --git a/emi.canl.canl-c/src/canl_cert.c b/emi.canl.canl-c/src/canl_cert.c index be71677..df2538e 100644 --- a/emi.canl.canl-c/src/canl_cert.c +++ b/emi.canl.canl-c/src/canl_cert.c @@ -61,6 +61,9 @@ int do_set_ctx_own_cert_file(glb_ctx *cc, char *cert, char *key) if (key) set_key_file(cc, key); + if (cert) + set_cert_file(cc, cert); + return 0; } diff --git a/emi.canl.canl-c/src/canl_err.c b/emi.canl.canl-c/src/canl_err.c index ef9cdf7..fca72aa 100644 --- a/emi.canl.canl-c/src/canl_err.c +++ b/emi.canl.canl-c/src/canl_err.c @@ -5,9 +5,11 @@ #include #include "canl_locl.h" +#define ERR_CODE_LEN 512 + static int resolve_error(glb_ctx *cc, CANL_ERROR err_code, CANL_ERROR_ORIGIN err_orig); -static int ger_error_string(glb_ctx *cc, char *code_str, int *code_len); +static void get_error_string(glb_ctx *cc, char *code_str, int *code_len); /* Save error message into err_msg * use NULL for empty err_format */ @@ -90,9 +92,11 @@ int canl_get_error(canl_ctx cc, char **reason) int e_orig = unknown_error; int error_length = 0; char *new_error = NULL; - char *code_str = NULL; + char code_str[ERR_CODE_LEN]; int code_len = 0; + code_str[0] = '\0'; + glb_ctx *ctx = (glb_ctx*) cc; /*check cc*/ @@ -105,11 +109,7 @@ int canl_get_error(canl_ctx cc, char **reason) goto end; /* get human readable error code*/ - err = ger_error_string(cc, code_str, &code_len); - if (err) { - e_orig = unknown_error; - goto end; - } + get_error_string(cc, code_str, &code_len); /* 1 for new line*/ error_length = strlen(ctx->err_msg) + code_len + 1; @@ -124,18 +124,21 @@ int canl_get_error(canl_ctx cc, char **reason) new_error[code_len] = '\n'; new_error[code_len + 1] = '\0'; strncat(new_error, ctx->err_msg, error_length + 1); - *reason = new_error; end: + *reason = new_error; if (err) set_error(ctx, err, e_orig, "cannot get error message (canl_get_error)"); return err; } /*TODO ! map error codes to their human readable strings */ -static int ger_error_string(glb_ctx *cc, char *code_str, int *code_len) +static void get_error_string(glb_ctx *cc, char *code_str, int *code_len) { - return 0; + *code_len = 0; + if (cc->err_orig == ssl_error) + ERR_error_string_n(cc->err_code, code_str, ERR_CODE_LEN); + *code_len = strlen(code_str); } /*if the error code is known to colin, assign appropriate colin code @@ -157,8 +160,8 @@ static int resolve_error(glb_ctx *cc, CANL_ERROR err_code, switch (err_code) { default: - cc->err_code = unknown; - cc->err_orig = unknown_error; + cc->err_code = err_code; + cc->err_orig = err_orig; break; } diff --git a/emi.canl.canl-c/src/canl_locl.h b/emi.canl.canl-c/src/canl_locl.h index d5ef7a5..4ebf187 100644 --- a/emi.canl.canl-c/src/canl_locl.h +++ b/emi.canl.canl-c/src/canl_locl.h @@ -68,4 +68,5 @@ int ssl_write(glb_ctx *cc, io_handler *io, void *buffer, size_t size, int do_set_ctx_own_cert(glb_ctx *cc, canl_x509 cert, canl_stack_of_x509 chain, canl_pkey key); +int do_set_ctx_own_cert_file(glb_ctx *cc, char *cert, char *key); #endif diff --git a/emi.canl.canl-c/src/canl_sample_server.c b/emi.canl.canl-c/src/canl_sample_server.c index 777d80c..667a27b 100644 --- a/emi.canl.canl-c/src/canl_sample_server.c +++ b/emi.canl.canl-c/src/canl_sample_server.c @@ -14,20 +14,30 @@ int main(int argc, char *argv[]) int err = 0; char *err_msg = NULL; int opt, port = 4321; + char *serv_cert = NULL; + char *serv_key = NULL; char buf[BUF_LEN]; int buf_len = 0; struct timeval timeout; - while ((opt = getopt(argc, argv, "hp:")) != -1) { + while ((opt = getopt(argc, argv, "hp:c:k:")) != -1) { switch (opt) { case 'h': - fprintf(stderr, "Usage: %s [-p port] [-h] \n", argv[0]); + fprintf(stderr, "Usage: %s [-p port] [-c certificate]" + " [-k private key] [-h] \n", argv[0]); break; case 'p': port = atoi(optarg); break; + case 'c': + serv_cert = optarg; + break; + case 'k': + serv_key = optarg; + break; default: /* '?' */ - fprintf(stderr, "Usage: %s [-p port] [-h] \n", argv[0]); + fprintf(stderr, "Usage: %s [-p port] [-c certificate]" + " [-k private key] [-h] \n", argv[0]); exit(-1); } } diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c index 3f2c35d..2526d7a 100644 --- a/emi.canl.canl-c/src/canl_ssl.c +++ b/emi.canl.canl-c/src/canl_ssl.c @@ -24,15 +24,34 @@ int ssl_init(glb_ctx *cc, io_handler *io) ssl_meth = SSLv23_method(); //TODO dynamically cc->ssl_ctx = SSL_CTX_new(ssl_meth); if (!cc->ssl_ctx){ - err = 1; //TODO set appropriate - goto end; + err = ERR_get_error(); + e_orig = ssl_error; + goto end; + } + + if (cc->cert_key) { + if (cc->cert_key->key) { + err = SSL_CTX_use_PrivateKey(cc->ssl_ctx, cc->cert_key->key); + if (err) { + err = ERR_get_error(); + e_orig = ssl_error; + goto end; + } + } + else if (cc->cert_key->cert) { + err = SSL_CTX_use_certificate(cc->ssl_ctx, cc->cert_key->cert); + if (err) { + err = ERR_get_error(); + e_orig = ssl_error; + goto end; + } + } } end: if (err) set_error(cc, err, e_orig, "cannot initialize SSL context (ssl_init)"); return err; - } int ssl_connect(glb_ctx *cc, io_handler *io, struct timeval *timeout) @@ -221,6 +240,7 @@ static int do_ssl_accept( glb_ctx *cc, io_handler *io, struct timeval *timeout) { time_t starttime, curtime; int ret = -1, ret2 = -1, err = 0; + CANL_ERROR_ORIGIN e_orig = unknown_error; long errorcode = 0; int expected = 0; int locl_timeout = -1; @@ -236,6 +256,10 @@ static int do_ssl_accept( glb_ctx *cc, io_handler *io, struct timeval *timeout) ret = do_select(io->sock, starttime, locl_timeout, expected); if (ret > 0) { ret2 = SSL_accept(io->s_ctx->ssl_io); + if (ret2 < 0) { + err = ERR_get_error(); + e_orig = ssl_error; + } expected = errorcode = SSL_get_error(io->s_ctx->ssl_io, ret2); } curtime = time(NULL); @@ -250,16 +274,18 @@ static int do_ssl_accept( glb_ctx *cc, io_handler *io, struct timeval *timeout) if (timeout && (curtime - starttime >= locl_timeout)){ timeout->tv_sec=0; timeout->tv_usec=0; - err = ETIMEDOUT; - set_error (cc, err, posix_error, "Connection stuck during handshake: timeout reached (do_ssl_accept)"); - } - else{ - err = -1; //TODO set approp. error message - set_error (cc, err, unknown_error, "Error during SSL handshake (do_ssl_accept)"); + err = ETIMEDOUT; + set_error (cc, err, posix_error, "Connection stuck" + " during handshake: timeout reached (do_ssl_accept)"); } + else if (ret2 < 0) + set_error (cc, err, e_orig, "Error during SSL handshake" + " (do_ssl_accept)"); + else + set_error (cc, err, unknown_error, "Error during SSL handshake" + " (do_ssl_accept)"); return err; } - return 0; } -- 1.8.2.3