mirror of
https://github.com/openssl/openssl.git
synced 2025-02-11 14:22:43 +08:00
d1338fcf12
Update makefile and fix some signedness issues in the demo sources. Drop stray "\n" in the host-port format string that prevented ddd-01 from working (this was also noticed by Neil H). Also, determine the length of the message we are sending and send that many bytes (rather than send sizeof the buffer storing the message). These changes are part of https://github.com/openssl/project/issues/253 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22542)
460 lines
12 KiB
C
460 lines
12 KiB
C
#include <sys/poll.h>
|
|
#include <openssl/ssl.h>
|
|
|
|
/*
|
|
* Demo 5: Client — Client Uses Memory BIO — Nonblocking
|
|
* =====================================================
|
|
*
|
|
* This is an example of (part of) an application which uses libssl in an
|
|
* asynchronous, nonblocking fashion. The application passes memory BIOs to
|
|
* OpenSSL, meaning that it controls both when data is read/written from an SSL
|
|
* object on the decrypted side but also when encrypted data from the network is
|
|
* shunted to/from OpenSSL. In this way OpenSSL is used as a pure state machine
|
|
* which does not make its own network I/O calls. OpenSSL never sees or creates
|
|
* any file descriptor for a network socket. The functions below show all
|
|
* interactions with libssl the application makes, and would hypothetically be
|
|
* linked into a larger application.
|
|
*/
|
|
typedef struct app_conn_st {
|
|
SSL *ssl;
|
|
BIO *ssl_bio, *net_bio;
|
|
int rx_need_tx, tx_need_rx;
|
|
} APP_CONN;
|
|
|
|
/*
|
|
* The application is initializing and wants an SSL_CTX which it will use for
|
|
* some number of outgoing connections, which it creates in subsequent calls to
|
|
* new_conn. The application may also call this function multiple times to
|
|
* create multiple SSL_CTX.
|
|
*/
|
|
SSL_CTX *create_ssl_ctx(void)
|
|
{
|
|
SSL_CTX *ctx;
|
|
|
|
#ifdef USE_QUIC
|
|
ctx = SSL_CTX_new(OSSL_QUIC_client_method());
|
|
#else
|
|
ctx = SSL_CTX_new(TLS_client_method());
|
|
#endif
|
|
if (ctx == NULL)
|
|
return NULL;
|
|
|
|
/* Enable trust chain verification. */
|
|
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
|
|
|
|
/* Load default root CA store. */
|
|
if (SSL_CTX_set_default_verify_paths(ctx) == 0) {
|
|
SSL_CTX_free(ctx);
|
|
return NULL;
|
|
}
|
|
|
|
return ctx;
|
|
}
|
|
|
|
/*
|
|
* The application wants to create a new outgoing connection using a given
|
|
* SSL_CTX.
|
|
*
|
|
* hostname is a string like "openssl.org" used for certificate validation.
|
|
*/
|
|
APP_CONN *new_conn(SSL_CTX *ctx, const char *bare_hostname)
|
|
{
|
|
BIO *ssl_bio, *internal_bio, *net_bio;
|
|
APP_CONN *conn;
|
|
SSL *ssl;
|
|
#ifdef USE_QUIC
|
|
static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'};
|
|
#endif
|
|
|
|
conn = calloc(1, sizeof(APP_CONN));
|
|
if (conn == NULL)
|
|
return NULL;
|
|
|
|
ssl = conn->ssl = SSL_new(ctx);
|
|
if (ssl == NULL) {
|
|
free(conn);
|
|
return NULL;
|
|
}
|
|
|
|
SSL_set_connect_state(ssl); /* cannot fail */
|
|
|
|
#ifdef USE_QUIC
|
|
if (BIO_new_bio_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) {
|
|
#else
|
|
if (BIO_new_bio_pair(&internal_bio, 0, &net_bio, 0) <= 0) {
|
|
#endif
|
|
SSL_free(ssl);
|
|
free(conn);
|
|
return NULL;
|
|
}
|
|
|
|
SSL_set_bio(ssl, internal_bio, internal_bio);
|
|
|
|
if (SSL_set1_host(ssl, bare_hostname) <= 0) {
|
|
SSL_free(ssl);
|
|
free(conn);
|
|
return NULL;
|
|
}
|
|
|
|
if (SSL_set_tlsext_host_name(ssl, bare_hostname) <= 0) {
|
|
SSL_free(ssl);
|
|
free(conn);
|
|
return NULL;
|
|
}
|
|
|
|
ssl_bio = BIO_new(BIO_f_ssl());
|
|
if (ssl_bio == NULL) {
|
|
SSL_free(ssl);
|
|
free(conn);
|
|
return NULL;
|
|
}
|
|
|
|
if (BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE) <= 0) {
|
|
SSL_free(ssl);
|
|
BIO_free(ssl_bio);
|
|
return NULL;
|
|
}
|
|
|
|
#ifdef USE_QUIC
|
|
/* Configure ALPN, which is required for QUIC. */
|
|
if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) {
|
|
/* Note: SSL_set_alpn_protos returns 1 for failure. */
|
|
SSL_free(ssl);
|
|
BIO_free(ssl_bio);
|
|
return NULL;
|
|
}
|
|
#endif
|
|
|
|
conn->ssl_bio = ssl_bio;
|
|
conn->net_bio = net_bio;
|
|
return conn;
|
|
}
|
|
|
|
/*
|
|
* Non-blocking transmission.
|
|
*
|
|
* Returns -1 on error. Returns -2 if the function would block (corresponds to
|
|
* EWOULDBLOCK).
|
|
*/
|
|
int tx(APP_CONN *conn, const void *buf, int buf_len)
|
|
{
|
|
int rc, l;
|
|
|
|
l = BIO_write(conn->ssl_bio, buf, buf_len);
|
|
if (l <= 0) {
|
|
rc = SSL_get_error(conn->ssl, l);
|
|
switch (rc) {
|
|
case SSL_ERROR_WANT_READ:
|
|
conn->tx_need_rx = 1;
|
|
case SSL_ERROR_WANT_CONNECT:
|
|
case SSL_ERROR_WANT_WRITE:
|
|
return -2;
|
|
default:
|
|
return -1;
|
|
}
|
|
} else {
|
|
conn->tx_need_rx = 0;
|
|
}
|
|
|
|
return l;
|
|
}
|
|
|
|
/*
|
|
* Non-blocking reception.
|
|
*
|
|
* Returns -1 on error. Returns -2 if the function would block (corresponds to
|
|
* EWOULDBLOCK).
|
|
*/
|
|
int rx(APP_CONN *conn, void *buf, int buf_len)
|
|
{
|
|
int rc, l;
|
|
|
|
l = BIO_read(conn->ssl_bio, buf, buf_len);
|
|
if (l <= 0) {
|
|
rc = SSL_get_error(conn->ssl, l);
|
|
switch (rc) {
|
|
case SSL_ERROR_WANT_WRITE:
|
|
conn->rx_need_tx = 1;
|
|
case SSL_ERROR_WANT_READ:
|
|
return -2;
|
|
default:
|
|
return -1;
|
|
}
|
|
} else {
|
|
conn->rx_need_tx = 0;
|
|
}
|
|
|
|
return l;
|
|
}
|
|
|
|
/*
|
|
* Called to get data which has been enqueued for transmission to the network
|
|
* by OpenSSL. For QUIC, this always outputs a single datagram.
|
|
*
|
|
* IMPORTANT (QUIC): If buf_len is inadequate to hold the datagram, it is truncated
|
|
* (similar to read(2)). A buffer size of at least 1472 must be used by default
|
|
* to guarantee this does not occur.
|
|
*/
|
|
int read_net_tx(APP_CONN *conn, void *buf, int buf_len)
|
|
{
|
|
return BIO_read(conn->net_bio, buf, buf_len);
|
|
}
|
|
|
|
/*
|
|
* Called to feed data which has been received from the network to OpenSSL.
|
|
*
|
|
* QUIC: buf must contain the entirety of a single datagram. It will be consumed
|
|
* entirely (return value == buf_len) or not at all.
|
|
*/
|
|
int write_net_rx(APP_CONN *conn, const void *buf, int buf_len)
|
|
{
|
|
return BIO_write(conn->net_bio, buf, buf_len);
|
|
}
|
|
|
|
/*
|
|
* Determine how much data can be written to the network RX BIO.
|
|
*/
|
|
size_t net_rx_space(APP_CONN *conn)
|
|
{
|
|
return BIO_ctrl_get_write_guarantee(conn->net_bio);
|
|
}
|
|
|
|
/*
|
|
* Determine how much data is currently queued for transmission in the network
|
|
* TX BIO.
|
|
*/
|
|
size_t net_tx_avail(APP_CONN *conn)
|
|
{
|
|
return BIO_ctrl_pending(conn->net_bio);
|
|
}
|
|
|
|
/*
|
|
* These functions returns zero or more of:
|
|
*
|
|
* POLLIN: The SSL state machine is interested in socket readability events.
|
|
*
|
|
* POLLOUT: The SSL state machine is interested in socket writeability events.
|
|
*
|
|
* POLLERR: The SSL state machine is interested in socket error events.
|
|
*
|
|
* get_conn_pending_tx returns events which may cause SSL_write to make
|
|
* progress and get_conn_pending_rx returns events which may cause SSL_read
|
|
* to make progress.
|
|
*/
|
|
int get_conn_pending_tx(APP_CONN *conn)
|
|
{
|
|
#ifdef USE_QUIC
|
|
return (SSL_net_read_desired(conn->ssl) ? POLLIN : 0)
|
|
| (SSL_net_write_desired(conn->ssl) ? POLLOUT : 0)
|
|
| POLLERR;
|
|
#else
|
|
return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR;
|
|
#endif
|
|
}
|
|
|
|
int get_conn_pending_rx(APP_CONN *conn)
|
|
{
|
|
#ifdef USE_QUIC
|
|
return get_conn_pending_tx(conn);
|
|
#else
|
|
return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR;
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* The application wants to close the connection and free bookkeeping
|
|
* structures.
|
|
*/
|
|
void teardown(APP_CONN *conn)
|
|
{
|
|
BIO_free_all(conn->ssl_bio);
|
|
BIO_free_all(conn->net_bio);
|
|
free(conn);
|
|
}
|
|
|
|
/*
|
|
* The application is shutting down and wants to free a previously
|
|
* created SSL_CTX.
|
|
*/
|
|
void teardown_ctx(SSL_CTX *ctx)
|
|
{
|
|
SSL_CTX_free(ctx);
|
|
}
|
|
|
|
/*
|
|
* ============================================================================
|
|
* Example driver for the above code. This is just to demonstrate that the code
|
|
* works and is not intended to be representative of a real application.
|
|
*/
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/signal.h>
|
|
#include <netdb.h>
|
|
#include <unistd.h>
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
|
|
static int pump(APP_CONN *conn, int fd, int events, int timeout)
|
|
{
|
|
int l, l2;
|
|
char buf[2048]; /* QUIC: would need to be changed if < 1472 */
|
|
size_t wspace;
|
|
struct pollfd pfd = {0};
|
|
|
|
pfd.fd = fd;
|
|
pfd.events = (events & (POLLIN | POLLERR));
|
|
if (net_rx_space(conn) == 0)
|
|
pfd.events &= ~POLLIN;
|
|
if (net_tx_avail(conn) > 0)
|
|
pfd.events |= POLLOUT;
|
|
|
|
if ((pfd.events & (POLLIN|POLLOUT)) == 0)
|
|
return 1;
|
|
|
|
if (poll(&pfd, 1, timeout) == 0)
|
|
return -1;
|
|
|
|
if (pfd.revents & POLLIN) {
|
|
while ((wspace = net_rx_space(conn)) > 0) {
|
|
l = read(fd, buf, wspace > sizeof(buf) ? sizeof(buf) : wspace);
|
|
if (l <= 0) {
|
|
switch (errno) {
|
|
case EAGAIN:
|
|
goto stop;
|
|
default:
|
|
if (l == 0) /* EOF */
|
|
goto stop;
|
|
|
|
fprintf(stderr, "error on read: %d\n", errno);
|
|
return -1;
|
|
}
|
|
break;
|
|
}
|
|
l2 = write_net_rx(conn, buf, l);
|
|
if (l2 < l)
|
|
fprintf(stderr, "short write %d %d\n", l2, l);
|
|
} stop:;
|
|
}
|
|
|
|
if (pfd.revents & POLLOUT) {
|
|
for (;;) {
|
|
l = read_net_tx(conn, buf, sizeof(buf));
|
|
if (l <= 0)
|
|
break;
|
|
l2 = write(fd, buf, l);
|
|
if (l2 < l)
|
|
fprintf(stderr, "short read %d %d\n", l2, l);
|
|
}
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int rc, fd = -1, res = 1;
|
|
static char tx_msg[300];
|
|
const char *tx_p = tx_msg;
|
|
char rx_buf[2048];
|
|
int l, tx_len;
|
|
int timeout = 2000 /* ms */;
|
|
APP_CONN *conn = NULL;
|
|
struct addrinfo hints = {0}, *result = NULL;
|
|
SSL_CTX *ctx = NULL;
|
|
|
|
if (argc < 3) {
|
|
fprintf(stderr, "usage: %s host port\n", argv[0]);
|
|
goto fail;
|
|
}
|
|
|
|
tx_len = snprintf(tx_msg, sizeof(tx_msg),
|
|
"GET / HTTP/1.0\r\nHost: %s\r\n\r\n",
|
|
argv[1]);
|
|
|
|
ctx = create_ssl_ctx();
|
|
if (ctx == NULL) {
|
|
fprintf(stderr, "cannot create SSL context\n");
|
|
goto fail;
|
|
}
|
|
|
|
hints.ai_family = AF_INET;
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
hints.ai_flags = AI_PASSIVE;
|
|
rc = getaddrinfo(argv[1], argv[2], &hints, &result);
|
|
if (rc < 0) {
|
|
fprintf(stderr, "cannot resolve\n");
|
|
goto fail;
|
|
}
|
|
|
|
signal(SIGPIPE, SIG_IGN);
|
|
|
|
#ifdef USE_QUIC
|
|
fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
|
|
#else
|
|
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
#endif
|
|
if (fd < 0) {
|
|
fprintf(stderr, "cannot create socket\n");
|
|
goto fail;
|
|
}
|
|
|
|
rc = connect(fd, result->ai_addr, result->ai_addrlen);
|
|
if (rc < 0) {
|
|
fprintf(stderr, "cannot connect\n");
|
|
goto fail;
|
|
}
|
|
|
|
rc = fcntl(fd, F_SETFL, O_NONBLOCK);
|
|
if (rc < 0) {
|
|
fprintf(stderr, "cannot make socket nonblocking\n");
|
|
goto fail;
|
|
}
|
|
|
|
conn = new_conn(ctx, argv[1]);
|
|
if (conn == NULL) {
|
|
fprintf(stderr, "cannot establish connection\n");
|
|
goto fail;
|
|
}
|
|
|
|
/* TX */
|
|
while (tx_len != 0) {
|
|
l = tx(conn, tx_p, tx_len);
|
|
if (l > 0) {
|
|
tx_p += l;
|
|
tx_len -= l;
|
|
} else if (l == -1) {
|
|
fprintf(stderr, "tx error\n");
|
|
} else if (l == -2) {
|
|
if (pump(conn, fd, get_conn_pending_tx(conn), timeout) != 1) {
|
|
fprintf(stderr, "pump error\n");
|
|
goto fail;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* RX */
|
|
for (;;) {
|
|
l = rx(conn, rx_buf, sizeof(rx_buf));
|
|
if (l > 0) {
|
|
fwrite(rx_buf, 1, l, stdout);
|
|
} else if (l == -1) {
|
|
break;
|
|
} else if (l == -2) {
|
|
if (pump(conn, fd, get_conn_pending_rx(conn), timeout) != 1) {
|
|
fprintf(stderr, "pump error\n");
|
|
goto fail;
|
|
}
|
|
}
|
|
}
|
|
|
|
res = 0;
|
|
fail:
|
|
if (conn != NULL)
|
|
teardown(conn);
|
|
if (ctx != NULL)
|
|
teardown_ctx(ctx);
|
|
if (result != NULL)
|
|
freeaddrinfo(result);
|
|
return res;
|
|
}
|