Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // Based off the TLS server example on the openssl wiki.
- // Compiles with boringssl master when put into the boringssl directory and
- // compiled with:
- // # gcc test.c -I ./include/ -L ./ssl/ -L ./crypto/ -lssl -lcrypto -lpthread -o test -std=gnu99
- //
- // Run ./test and connect to 4433
- #include <stdio.h>
- #include <unistd.h>
- #include <string.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
- #include <openssl/ssl.h>
- #include <openssl/err.h>
- int create_socket(int port)
- {
- int s;
- struct sockaddr_in addr;
- addr.sin_family = AF_INET;
- addr.sin_port = htons(port);
- addr.sin_addr.s_addr = htonl(INADDR_ANY);
- s = socket(AF_INET, SOCK_STREAM, 0);
- if (s < 0) {
- perror("Unable to create socket");
- exit(EXIT_FAILURE);
- }
- if (bind(s, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
- perror("Unable to bind");
- exit(EXIT_FAILURE);
- }
- if (listen(s, 1) < 0) {
- perror("Unable to listen");
- exit(EXIT_FAILURE);
- }
- return s;
- }
- void init_openssl()
- {
- SSL_load_error_strings();
- OpenSSL_add_ssl_algorithms();
- }
- void cleanup_openssl()
- {
- EVP_cleanup();
- }
- SSL_CTX *create_context()
- {
- const SSL_METHOD *method;
- SSL_CTX *ctx;
- method = TLS_server_method();
- ctx = SSL_CTX_new(method);
- if (!ctx) {
- perror("Unable to create SSL context");
- ERR_print_errors_fp(stderr);
- exit(EXIT_FAILURE);
- }
- SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
- SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
- return ctx;
- }
- // Made this global cause easier
- CRYPTO_BUFFER *dcCryptoBuf = NULL;
- EVP_PKEY *dcPkey = NULL;
- void configure_context(SSL_CTX *ctx)
- {
- SSL_CTX_set_ecdh_auto(ctx, 1);
- /* Set the key and cert */
- if (SSL_CTX_use_certificate_file(ctx, "cert.pem", SSL_FILETYPE_PEM) <= 0) {
- ERR_print_errors_fp(stderr);
- exit(EXIT_FAILURE);
- }
- if (SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM) <= 0 ) {
- ERR_print_errors_fp(stderr);
- exit(EXIT_FAILURE);
- }
- // Generate credential. Start by reading parent cert + key
- FILE *fp = fopen ("key.pem", "r");
- if (fp == NULL) {
- puts("failed to read key");
- exit(1);
- }
- EVP_PKEY *pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
- fclose (fp);
- if (pkey == NULL) {
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- fp = fopen ("cert.pem", "r");
- if (fp == NULL) {
- puts("failed to read cert");
- exit(1);
- }
- X509 *x509 = PEM_read_X509(fp, NULL, NULL, NULL);
- fclose (fp);
- if (x509 == NULL) {
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- // Convert cert to DER for signing later.
- unsigned char *certBuf = NULL;
- int certLen = i2d_X509(x509, &certBuf);
- if (certLen < 0) {
- puts("failed to DER encode cert");
- exit(1);
- }
- // Open delegated key.
- fp = fopen ("delegated.key", "r");
- if (fp == NULL) {
- puts("failed to read delegated key");
- exit(1);
- }
- dcPkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
- fclose(fp);
- if (dcPkey == NULL) {
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- // Dump delegated key public portion for signing later.
- unsigned char *pubkeyBuf = NULL;
- int pubkeyLen = i2d_PUBKEY(dcPkey, &pubkeyBuf);
- if (pubkeyLen < 0) {
- puts("failed to encode delegated public key");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- // calculate valid time
- int dDays = 0;
- int dSecs = 0;
- if (ASN1_TIME_diff(&dDays, &dSecs, X509_get_notBefore(x509), NULL) != 1) {
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- if (dDays + dSecs < 0) {
- puts("cert isn't active yet");
- exit(1);
- }
- // Add five days.
- uint32_t validTime = htonl((dDays * 86400) + dSecs + (5 * 86400));
- // Use 0x0804 (rsa_pss_rsae_sha256)
- uint16_t sigScheme = htons(0x0804);
- // Generate DC.cred
- // 3 is for pubkey length
- size_t credentialSize = sizeof(validTime) + sizeof(sigScheme) + 3 + pubkeyLen;
- unsigned char *credentialBuf = malloc(credentialSize);
- unsigned char *cursor = credentialBuf;
- memcpy(cursor, &validTime, sizeof(validTime));
- cursor += sizeof(validTime);
- memcpy(cursor, &sigScheme, sizeof(sigScheme));
- cursor += sizeof(sigScheme);
- int netPKLen = htonl(pubkeyLen);
- // god forgive me...
- void *netPKLPtr = (void *)&netPKLen;
- netPKLPtr += 1;
- memcpy(cursor, netPKLPtr, 3);
- cursor += 3;
- memcpy(cursor, pubkeyBuf, pubkeyLen);
- // Generate signature material (header + cert + DC.cred + DC.algorithm).
- // We're using the same algorithm as the expected algo.
- unsigned char *tag = "TLS, server delegated credentials";
- unsigned char *signatureBuf = malloc(
- 64 + strlen(tag) + 1 + certLen +
- credentialSize + sizeof(sigScheme));
- size_t signatureBufLen = 64 + strlen(tag) + 1 + certLen + credentialSize + sizeof(sigScheme);
- cursor = signatureBuf;
- memset(cursor, 0x20, 64);
- cursor += 64;
- memcpy(cursor, tag, strlen(tag));
- cursor += strlen(tag);
- cursor[0] = 0x00;
- cursor += 1;
- memcpy(cursor, certBuf, certLen);
- cursor += certLen;
- memcpy(cursor, credentialBuf, credentialSize);
- cursor += credentialSize;
- memcpy(cursor, &sigScheme, sizeof(sigScheme));
- // generate signature.
- EVP_MD_CTX md_ctx;
- EVP_PKEY_CTX *pkey_ctx;
- EVP_MD_CTX_init(&md_ctx);
- if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey) ||
- EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1 ||
- EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1) <= 0) {
- puts("failed to init hash context");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- unsigned char *sig = NULL;
- size_t sigLen = 0;
- if (EVP_DigestSignUpdate(&md_ctx, signatureBuf, signatureBufLen) != 1) {
- puts("failed to digest");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- if (EVP_DigestSignFinal(&md_ctx, NULL, &sigLen) != 1) {
- puts("failed to get signature length");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- sig = malloc(sigLen);
- if (sig == NULL || !EVP_DigestSignFinal(&md_ctx, sig, &sigLen)) {
- puts("failed to get signature");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- // Now, generate the DC. (DC.cred + DC.algorithm + DC.signature)
- uint16_t sigLenShort = htons(sigLen);
- size_t dcSize = credentialSize + sizeof(sigScheme) + sizeof(sigLenShort) + sigLen;
- uint8_t *dcBuf = NULL;
- dcCryptoBuf = CRYPTO_BUFFER_alloc(
- &dcBuf, dcSize);
- if (dcCryptoBuf == NULL) {
- puts("failed to allocate cryptobuf");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- cursor = dcBuf;
- memcpy(cursor, credentialBuf, credentialSize);
- cursor += credentialSize;
- memcpy(cursor, &sigScheme, sizeof(sigScheme));
- cursor += sizeof(sigScheme);
- memcpy(cursor, &sigLenShort, sizeof(sigLenShort));
- cursor += sizeof(sigLenShort);
- memcpy(cursor, sig, sigLen);
- OPENSSL_free(certBuf);
- OPENSSL_free(pubkeyBuf);
- }
- int main(int argc, char **argv)
- {
- int sock;
- SSL_CTX *ctx;
- init_openssl();
- ctx = create_context();
- configure_context(ctx);
- sock = create_socket(4433);
- /* Handle connections */
- while(1) {
- struct sockaddr_in addr;
- uint len = sizeof(addr);
- SSL *ssl;
- const char reply[] = "test\n";
- int client = accept(sock, (struct sockaddr*)&addr, &len);
- if (client < 0) {
- perror("Unable to accept");
- exit(EXIT_FAILURE);
- }
- ssl = SSL_new(ctx);
- SSL_set_fd(ssl, client);
- // Set credential
- if (SSL_set1_delegated_credential(ssl, dcCryptoBuf, dcPkey, NULL) != 1) {
- puts("failed to set dc");
- ERR_print_errors_fp (stderr);
- exit(1);
- }
- if (SSL_accept(ssl) <= 0) {
- ERR_print_errors_fp(stderr);
- }
- else {
- SSL_write(ssl, reply, strlen(reply));
- }
- SSL_free(ssl);
- close(client);
- }
- close(sock);
- SSL_CTX_free(ctx);
- cleanup_openssl();
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement