Another demo.

demos/easy_tls/Makefile

@@ -0,0 +1,123 @@
+# Makefile for easy-tls example application (rudimentary client and server)
+# $Id: Makefile,v 1.1 2001/09/17 19:06:56 bodo Exp $
+
+SOLARIS_CFLAGS=-Wall -pedantic -g -O2
+SOLARIS_LIBS=-lxnet
+
+LINUX_CFLAGS=-Wall -pedantic -g -O2
+LINUX_LIBS=
+
+
+auto-all:
+	case `uname -s` in \
+	SunOS) echo Using SunOS configuration; \
+	  make SYSCFLAGS="$(SOLARIS_CFLAGS)" SYSLIBS="$(SOLARIS_LIBS)" all;; \
+	Linux) echo Using Linux configuration; \
+	  make SYSCFLAGS="$(LINUX_CFLAGS)" SYSLIBS="$(LINUX_LIBS)" all;; \
+	*) echo "unknown system"; exit 1;; \
+	esac
+
+all: test TAGS
+
+# For adapting this Makefile to a different system, only the following
+# definitions should need customizing:
+
+OPENSSLDIR=$(HOME)/openssl/openssl
+CC=gcc
+
+SYSCFLAGS=whatever
+SYSLIBS=whatever
+
+
+#############################################################################
+#
+# SSLeay/OpenSSL imports
+#
+# OPENSSLDIR (set above) can be either the directory where OpenSSL is
+# installed or the directory where it was compiled.
+
+# We rely on having a new OpenSSL release where include files
+# have names like <openssl/ssl.h> (not just <ssl.h>).
+OPENSSLINCLUDES=-I$(OPENSSLDIR)/include
+
+# libcrypto.a and libssl.a are directly in $(OPENSSLDIR) if this is
+# the compile directory, or in $(OPENSSLDIR)/lib if we use an installed
+# library.  With the following definition, we can handle either case.
+OPENSSLLIBS=-L$(OPENSSLDIR) -L$(OPENSSLDIR)/lib -lssl -lcrypto
+
+
+#############################################################################
+#
+# Stuff for handling the source files
+#
+
+SOURCES=easy-tls.c test.c
+HEADERS=easy-tls.h test.h
+DOCSandEXAMPLESetc=Makefile cert.pem cacerts.pem
+EVERYTHING=$(SOURCES) $(HEADERS) $(DOCSandEXAMPLESetc)
+
+ls: ls-l
+ls-l:
+	ls -l $(EVERYTHING)
+# For RCS:
+tag:
+	-rcs -n_`date +%y%m%d`: $(EVERYTHING)
+	rcs -nMYTAG $(EVERYTHING)
+	rcs -nMYTAG: $(EVERYTHING)
+diff:
+	-rcsdiff -rMYTAG -u $(EVERYTHING)
+today:
+	-rcsdiff -r_`date +%y%m%d` -u $(EVERYTHING)
+ident:
+	for a in $(EVERYTHING); do ident $$a; done
+
+# Distribution .tar:
+easy-tls.tar.gz: $(EVERYTHING)
+	tar cvf - $(EVERYTHING) | \
+	gzip -9 > easy-tls.tar.gz
+
+# Working .tar:
+tls.tgz: $(EVERYTHING)
+	tar cfv - `find . -type f -a ! -name '*.tgz' -a ! -name '*.tar.gz'` | \
+	gzip -9 > tls.tgz
+
+# For emacs:
+etags: TAGS
+TAGS: $(SOURCES) $(HEADERS)
+	-etags $(SOURCES) $(HEADERS)
+
+
+#############################################################################
+#
+# Compilation
+#
+# The following definitions are system dependent (and hence defined
+# at the beginning of this Makefile, where they are more easily found):
+
+### CC=gcc
+### SYSCFLAGS=-Wall -pedantic -g -O2
+### SYSLIBS=-lxnet
+
+EXTRACFLAGS=-DTLS_APP=\"test.h\"
+# EXTRACFLAGS=-DTLS_APP=\"test.h\" -DDEBUG_TLS
+
+#
+# The rest shouldn't need to be touched.
+#
+LDFLAGS=$(SYSLIBS) $(OPENSSLLIBS)
+INCLUDES=$(OPENSSLINCLUDES)
+CFLAGS=$(SYSCFLAGS) $(EXTRACFLAGS) $(INCLUDES)
+
+OBJS=easy-tls.o test.o
+
+clean:
+	@rm -f test
+	@rm -f TAGS
+	@rm -f *.o
+	@rm -f core
+
+test: $(OBJS)
+	$(CC) $(OBJS) $(LDFLAGS) -o test
+
+test.o: $(HEADERS)
+easy-tls.o: $(HEADERS)

demos/easy_tls/README

@@ -0,0 +1,64 @@
+easy_tls - generic SSL/TLS proxy
+========
+
+(... and example for non-blocking SSL/TLS I/O multiplexing.)
+
+
+  easy_tls.c, easy_tls.h:
+
+     Small generic SSL/TLS proxy library: With a few function calls,
+     an application socket will be replaced by a pipe handled by a
+     separate SSL/TLS proxy process.  This allows easily adding
+     SSL/TLS support to many programs not originally designed for it.
+
+     [Actually easy_tls.c is not a proper library: Customization
+     requires defining preprocessor macros while compiling it.
+     This is quite confusing, so I'll probably change it.]
+
+     These files may be used under the OpenSSL license.
+
+
+
+  test.c, test.h, Makefile, cert.pem, cacerts.pem:
+
+     Rudimentary example program using the easy_tls library, and
+     example key and certificates for it.  Usage examples:
+
+       $ ./test 8443     # create server listening at port 8443
+       $ ./test 127.0.0.1 8443  # create client, connect to port 8443
+                                # at IP address 127.0.0.1
+
+     'test' will not automatically do SSL/TLS, or even read or write
+     data -- it must be told to do so on input lines starting
+     with a command letter.  'W' means write a line, 'R' means
+     read a line, 'C' means close the connection, 'T' means
+     start an SSL/TLS proxy.  E.g. (user input tagged with '*'):
+
+     * R
+       <<< 220 mail.example.net
+     * WSTARTTLS
+       >>> STARTTLS
+     * R
+       <<< 220 Ready to start TLS
+     * T
+       test_process_init(fd = 3, client_p = 1, apparg = (nil))
+       +++ `E:self signed certificate in certificate chain'
+       +++ `<... certificate info ...>'
+     * WHELO localhost
+       >>> HELO localhost
+       R
+       <<< 250 mail.example.net
+
+     You can even do SSL/TLS over SSL/TLS over SSL/TLS ... by using
+     'T' multiple times.  I have no idea why you would want to though.
+
+
+This code is rather old.  When I find time I will look if it still
+compiles, and update code comments.  The least you will have to do to
+use the sample program 'test' is change the Makefile.
+
+As noted above, easy_tls.c will be changed to become a library one
+day, which means that future revisions will not be fully compatible to
+the current version.
+
+Bodo Möller <bodo@openssl.org>

demos/easy_tls/cacerts.pem

@@ -0,0 +1,18 @@
+$Id: cacerts.pem,v 1.1 2001/09/17 19:06:57 bodo Exp $
+
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
+VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
+OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
+IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
+DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
+1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
+mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
+hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
+YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
+q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
+-----END CERTIFICATE-----

demos/easy_tls/cert.pem

@@ -0,0 +1,31 @@
+$Id: cert.pem,v 1.1 2001/09/17 19:06:57 bodo Exp $
+
+Example certificate and key.
+
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAT8CAQEwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDAeFw05OTA1MDEwMTI2MzVaFw05OTA1MzEwMTI2MzVaMCIxCzAJBgNVBAYTAkRF
+MRMwEQYDVQQDEwpUZXN0c2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQD6I3oDKiexwwlkzjar69AIFnVUaG85LtCege2R+CtIDlkQYw68/8MbT3ou0pdF
+AcL9IGiYY3Y0SHM9PqF00RO1MCtNpqTnF3ScLpbmggGjKilmWYn2ai7emdjMjXVL
+tzWW2xGgIGATWQN32KgfJng4jXi1UjEiyLhkw0Zf1I/ggwIDAQABMA0GCSqGSIb3
+DQEBBAUAA4GBAMgM+sbAk8DfjSfa+Rf2gcGXmbrvZAzKzC+5RU3kaq/NyxIXAGco
+9dZjozzWfN/xuGup5boFk+KrP+xdgsaqGHsyzlgEoqz4ekqLjQeVbnoj339hVFU9
+MhPi6JULPxjXKumjfX2LLNkikW5puz8Df3UiX0EiaJvd7EwP8J75tiUT
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD6I3oDKiexwwlkzjar69AIFnVUaG85LtCege2R+CtIDlkQYw68
+/8MbT3ou0pdFAcL9IGiYY3Y0SHM9PqF00RO1MCtNpqTnF3ScLpbmggGjKilmWYn2
+ai7emdjMjXVLtzWW2xGgIGATWQN32KgfJng4jXi1UjEiyLhkw0Zf1I/ggwIDAQAB
+AoGANST8c1etf1MU19oIO5aqaE19OCXIG7oakNLCCtVTPMfvnE+vffBJH7BPIUuU
+4BBzwRv1nQrkvk72TPjVjOAu81B1SStKQueun2flVuYxp9NyupNWCBley4QdohlP
+I92ml2tzTSPmNIoA6jdGyNzFcGchapRRmejsC39F1RUbHQECQQD9KX81Wt8ZOrri
+dWiEXja1L3X8Bkb9vvUjVMQDTJJPxBJjehC6eurgE6PP6SJD5p/f3RHPCcLr8tSM
+D4P/OpKhAkEA/PFNlhIZUDKK6aTvG2mn7qQ5phbadOoyN1Js3ttWG5OMOZ6b/QlC
+Wvp84h44506BIlv+Tg2YAI0AdBUrf7oEowJAM4joAVd/ROaEtqbJ4PBA2L9RmD06
+5FqkEk4mHLnQqvYx/BgUIbH18ClvVlqSBBqFfw/EmU3WZSuogt6Bs0ocIQJBAOxB
+AoPiYcxbeQ5kZIVJOXaX49SzUdaUDNVJYrEBUzsspHQJJo/Avz606kJVkjbSR6Ft
+JWmIHuqcyMikIV4KxFsCQQCU2evoVjVsqkkbHi7W28f73PGBsyu0KIwlK7nu4h08
+Daf7TAI+A6jW/WRUsJ6dFhUYi7/Jvkcdrlnbgm2fxziX
+-----END RSA PRIVATE KEY-----

demos/easy_tls/easy-tls.h

@@ -0,0 +1,57 @@
+/* -*- Mode: C; c-file-style: "bsd" -*- */
+/*
+ * easy-tls.h -- generic TLS proxy.
+ * $Id: easy-tls.h,v 1.1 2001/09/17 19:06:59 bodo Exp $
+ */
+/*
+ * (c) Copyright 1999 Bodo Moeller.  All rights reserved.
+ */
+
+#ifndef HEADER_TLS_H
+#define HEADER_TLS_H
+
+#ifndef HEADER_SSL_H
+typedef struct ssl_ctx_st SSL_CTX;
+#endif
+
+#define TLS_INFO_SIZE 512 /* max. # of bytes written to infofd */
+
+void tls_set_dhe1024(int i, void* apparg);
+/* Generate DHE parameters:
+ * i >= 0 deterministic (i selects seed), i < 0 random (may take a while).
+ * tls_create_ctx calls this with random non-negative i if the application
+ * has never called it.*/
+
+void tls_rand_seed(void);
+int tls_rand_seed_from_file(const char *filename, size_t n, void *apparg);
+void tls_rand_seed_from_memory(const void *buf, size_t n);
+
+struct tls_create_ctx_args 
+{
+    int client_p;
+    const char *certificate_file;
+    const char *key_file;
+    const char *ca_file;
+    int verify_depth;
+    int fail_unless_verified;
+    int export_p;
+};
+struct tls_create_ctx_args tls_create_ctx_defaultargs(void);
+/* struct tls_create_ctx_args is similar to a conventional argument list,
+ * but it can provide default values and allows for future extension. */
+SSL_CTX *tls_create_ctx(struct tls_create_ctx_args, void *apparg);
+
+struct tls_start_proxy_args
+{
+    int fd;
+    int client_p;
+    SSL_CTX *ctx;
+    pid_t *pid;
+    int *infofd;
+};
+struct tls_start_proxy_args tls_start_proxy_defaultargs(void);
+/* tls_start_proxy return value *MUST* be checked!
+ * 0 means ok, otherwise we've probably run out of some resources. */
+int tls_start_proxy(struct tls_start_proxy_args, void *apparg);
+
+#endif

demos/easy_tls/test.c

@@ -0,0 +1,244 @@
+/* test.c */
+/* $Id: test.c,v 1.1 2001/09/17 19:06:59 bodo Exp $ */
+
+#define L_PORT 9999
+#define C_PORT 443
+
+#include <arpa/inet.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+#include "test.h"
+#include "easy-tls.h"
+
+void
+test_process_init(int fd, int client_p, void *apparg)
+{
+    fprintf(stderr, "test_process_init(fd = %d, client_p = %d, apparg = %p)\n", fd, client_p, apparg);
+}
+
+void
+test_errflush(int child_p, char *errbuf, size_t num, void *apparg)
+{
+    fputs(errbuf, stderr);
+}
+
+
+int
+main(int argc, char *argv[])
+{
+    int s, fd, r;
+    FILE *conn_in;
+    FILE *conn_out;
+    char buf[256];
+    SSL_CTX *ctx;
+    int client_p = 0;
+    int port;
+    int tls = 0;
+    char infobuf[TLS_INFO_SIZE + 1];
+
+    if (argc > 1 && argv[1][0] == '-') {
+	fputs("Usage: test [port]                   -- server\n"
+	      "       test num.num.num.num [port]   -- client\n",
+	      stderr);
+	exit(1);
+    }
+
+    if (argc > 1) {
+	if (strchr(argv[1], '.')) {
+	    client_p = 1;
+	}
+    }
+    
+    fputs(client_p ? "Client\n" : "Server\n", stderr);
+    
+    {
+	struct tls_create_ctx_args a = tls_create_ctx_defaultargs();
+	a.client_p = client_p;
+	a.certificate_file = "cert.pem";
+	a.key_file = "cert.pem";
+	a.ca_file = "cacerts.pem";
+	
+	ctx = tls_create_ctx(a, NULL);
+	if (ctx == NULL)
+	    exit(1);
+    }
+    
+    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+    if (s == -1) {
+	perror("socket");
+	exit(1);
+    }
+    
+    if (client_p) {
+	struct sockaddr_in addr;
+	size_t addr_len = sizeof addr;
+	    
+	addr.sin_family = AF_INET;
+	assert(argc > 1);
+	if (argc > 2)
+	    sscanf(argv[2], "%d", &port);
+	else
+	    port = C_PORT;
+	addr.sin_port = htons(port);
+	addr.sin_addr.s_addr = inet_addr(argv[1]);
+	    
+	r = connect(s, &addr, addr_len);
+	if (r != 0) {
+	    perror("connect");
+	    exit(1);
+	}
+	fd = s;
+	fprintf(stderr, "Connect (fd = %d).\n", fd);
+    } else {
+	/* server */
+	{
+	    int i = 1;
+
+	    r = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *) &i, sizeof i);
+	    if (r == -1) {
+		perror("setsockopt");
+		exit(1);
+	    }
+	}
+	
+	{
+	    struct sockaddr_in addr;
+	    size_t addr_len = sizeof addr;
+	    
+	    if (argc > 1)
+		sscanf(argv[1], "%d", &port);
+	    else
+		port = L_PORT;
+	    addr.sin_family = AF_INET;
+	    addr.sin_port = htons(port);
+	    addr.sin_addr.s_addr = INADDR_ANY;
+	    
+	    r = bind(s, &addr, addr_len);
+	    if (r != 0) {
+		perror("bind");
+		exit(1);
+	    }
+	}
+    
+	r = listen(s, 1);
+	if (r == -1) {
+	    perror("listen");
+	    exit(1);
+	}
+
+	fprintf(stderr, "Listening at port %i.\n", port);
+	
+	fd = accept(s, NULL, 0);
+	if (fd == -1) {
+	    perror("accept");
+	    exit(1);
+	}
+	
+	fprintf(stderr, "Accept (fd = %d).\n", fd);
+    }
+
+    conn_in = fdopen(fd, "r");
+    if (conn_in == NULL) {
+	perror("fdopen");
+	exit(1);
+    }
+    conn_out = fdopen(fd, "w");
+    if (conn_out == NULL) {
+	perror("fdopen");
+	exit(1);
+    }
+
+    setvbuf(conn_in, NULL, _IOLBF, 256);
+    setvbuf(conn_out, NULL, _IOLBF, 256);
+	
+    while (fgets(buf, sizeof buf, stdin) != NULL) {
+	if (buf[0] == 'W') {
+	    fprintf(conn_out, "%.*s\r\n", (int)(strlen(buf + 1) - 1), buf + 1);
+	    fprintf(stderr, ">>> %.*s\n", (int)(strlen(buf + 1) - 1), buf + 1);
+	} else if (buf[0] == 'C') {
+	    fprintf(stderr, "Closing.\n");
+	    fclose(conn_in);
+	    fclose(conn_out);
+	    exit(0);
+	} else if (buf[0] == 'R') {
+	    int lines = 0;
+
+	    sscanf(buf + 1, "%d", &lines);
+	    do {
+		if (fgets(buf, sizeof buf, conn_in) == NULL) {
+		    if (ferror(conn_in)) {
+			fprintf(stderr, "ERROR\n");
+			exit(1);
+		    }
+		    fprintf(stderr, "CLOSED\n");
+		    return 0;
+		}
+		fprintf(stderr, "<<< %s", buf);
+	    } while (--lines > 0);
+	} else if (buf[0] == 'T') {
+	    int infofd;
+
+	    tls++;
+	    {
+		struct tls_start_proxy_args a = tls_start_proxy_defaultargs();
+		a.fd = fd;
+		a.client_p = client_p;
+		a.ctx = ctx;
+		a.infofd = &infofd;
+		r = tls_start_proxy(a, NULL);
+	    }
+	    assert(r != 1);
+	    if (r != 0) {
+		fprintf(stderr, "tls_start_proxy failed: %d\n", r);
+		switch (r) {
+		case -1:
+		    fputs("socketpair", stderr); break;
+		case 2:
+		    fputs("FD_SETSIZE exceeded", stderr); break;
+		case -3:
+		    fputs("pipe", stderr); break;
+		case -4:
+		    fputs("fork", stderr); break;
+		case -5:
+		    fputs("dup2", stderr); break;
+		default:
+		    fputs("?", stderr);
+		}
+		if (r < 0)
+		    perror("");
+		else
+		    fputc('\n', stderr);
+		exit(1);
+	    }
+	    
+	    r = read(infofd, infobuf, sizeof infobuf - 1);
+	    if (r > 0) {
+		const char *info = infobuf;
+		const char *eol;
+		
+		infobuf[r] = '\0';
+		while ((eol = strchr(info, '\n')) != NULL) {
+		    fprintf(stderr, "+++ `%.*s'\n", eol - info, info);
+		    info = eol+1;
+		}
+		close (infofd);
+	    }
+	} else {
+	    fprintf(stderr, "W...  write line to network\n"
+		    "R[n]  read line (n lines) from network\n"
+		    "C     close\n"
+		    "T     start %sTLS proxy\n", tls ? "another " : "");
+	}
+    }
+    return 0;
+}

demos/easy_tls/test.h

@@ -0,0 +1,11 @@
+/* test.h */
+/* $Id: test.h,v 1.1 2001/09/17 19:07:00 bodo Exp $ */
+
+
+void test_process_init(int fd, int client_p, void *apparg);
+#define TLS_APP_PROCESS_INIT test_process_init
+
+#undef TLS_CUMULATE_ERRORS
+
+void test_errflush(int child_p, char *errbuf, size_t num, void *apparg);
+#define TLS_APP_ERRFLUSH test_errflush