Gitiles
Code Review Sign In
192.168.1.100 / T108_Public / 1acd338075985ba3e977340bb5a0256057fe5edb / . / mbtk / test / polarssl_demo.cc
blob: d43b4d80cd81b3e863cd790935fd4178bd8a04a5 [file] [log] [blame]
liubin281ac462023-07-19 14:22:54 +0800[diff] [blame]1#include <stdio.h>
2#include "mbtk_log.h"
3#include "ql/ql_mcm_sim.h"
4#include <sys/socket.h>
5#include <polarssl/net.h>
6#include <polarssl/ssl.h>
7#include <polarssl/entropy.h>
8#include <polarssl/ctr_drbg.h>
9#include <polarssl/certs.h>
10#include <polarssl/x509.h>
11#include <polarssl/error.h>
12#include <polarssl/debug.h>
13#include <polarssl/config.h>
14
15#define DFL_SERVER_NAME "asr"
16#define DFL_SERVER_ADDR NULL
17#define DFL_SERVER_PORT 4433
18#define DFL_REQUEST_PAGE "/"
19#define DFL_REQUEST_SIZE -1
20#define DFL_DEBUG_LEVEL 0
21#define DFL_NBIO 0
22#define DFL_CA_FILE "/ca.crt"
23#define DFL_CA_PATH "/ca.crt"
24#define DFL_CRT_FILE "/client.crt"
25#define DFL_KEY_FILE "/client.key"
26#define DFL_PSK ""
27#define DFL_PSK_IDENTITY "Client_identity"
28#define DFL_FORCE_CIPHER 0
29#define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
30#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
31#define DFL_RENEGOTIATE 0
32#define DFL_EXCHANGES 1
33#define DFL_MIN_VERSION SSL_MINOR_VERSION_3
34#define DFL_MAX_VERSION SSL_MINOR_VERSION_3
35#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
36#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
37#define DFL_TRUNC_HMAC 0
38#define DFL_RECONNECT 0
39#define DFL_RECO_DELAY 0
40#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
41#define DFL_ALPN_STRING NULL
42
43#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
44#define GET_REQUEST_END "\r\n\r\n"
45
46#define CA_CERT \
47"-----BEGIN CERTIFICATE-----\r\n" \
48"MIIDKjCCAhICCQCOewfZiRCiNjANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJD\r\n" \
49"TjEQMA4GA1UECBMHU2lDaHVhbjEVMBMGA1UEChMMTU9CSUxFVEVLLkNBMQswCQYD\r\n" \
50"VQQLEwJJVDESMBAGA1UEAxMJTU9CSUxFVEVLMB4XDTE4MDkxODA4MDUzMloXDTMz\r\n" \
51"MDkxOTA4MDUzMlowVzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xFTAT\r\n" \
52"BgNVBAoTDE1PQklMRVRFSy5DQTELMAkGA1UECxMCSVQxEjAQBgNVBAMTCU1PQklM\r\n" \
53"RVRFSzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOkdYJF1h1xjKbY0\r\n" \
54"ipbl88G653PiCh8ZMjmIUYeiDKC8+0wtXZtHvQIl6AncOzBy9XHVOctbKn34exC8\r\n" \
55"SEotMuo2T49vs9VtE8GYu2pOrf3m42NpLRnYAxfm9qw53CMHx+Jn7Oa9fnxa8haA\r\n" \
56"pRc2BTVadWGoS8EEwoZFk0eNb7Z2Gc7U0c+GhISI4oVTTocGvGgMzkvduu5JJbbc\r\n" \
57"BOcNFrii9sRO9vtOYQtqOEg01Uum2Dwp/o2bDLXNJEqAIh4WACiM4iPmmlRHWT2y\r\n" \
58"NjQ3vcbEdrFwbHRtO46+Vw54HnSyCoFb3uCHMNMvXObZ/8AU9E3Cgat4j0sgEeB0\r\n" \
59"hqA4MiMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAtEAjf0CjsLgG9ROdmp1qXYft\r\n" \
60"+ndIT5l82KRK57ZQsfdFbnJOvALeF/ICKU0M2TXgJNiGOA5RxDi00YYdMbOIPwVZ\r\n" \
61"JH4b87J/LYdLAGf+Q+kVI6gWH3hPm4Jzfzq/40KVrf3mpa54yWz6ZYtwfxBjrMgr\r\n" \
62"IVe0O5SIJ99lsddgzgUkqYN2vWJW2zZ50xuXOAyo+pOnjzX0wuOcaBT3JCHWJRAb\r\n" \
63"VhJCf9JbswDgnddJerqFtB8pnpAOdGokLCOoM06q3s3P9mhGX+72HXdX7G8CSAuG\r\n" \
64"PVCGf6RaF0/G4B9R1c3du3lZRlQWfx2pxyU0LS86iFQFWqzqcWEXIcULVdcErQ==\r\n" \
65"-----END CERTIFICATE-----\r\n"
66
67const char ca1_cert[]= CA_CERT;
68
69
70struct options
71{
72 const char *server_name; /* hostname of the server (client only) */
73 const char *server_addr; /* address of the server (client only) */
74 int server_port; /* port on which the ssl service runs */
75 int debug_level; /* level of debugging */
76 int nbio; /* should I/O be blocking? */
77 const char *request_page; /* page on server to request */
78 int request_size; /* pad request with header to requested size */
79 const char *ca_file; /* the file with the CA certificate(s) */
80 const char *ca_path; /* the path with the CA certificate(s) reside */
81 const char *crt_file; /* the file with the client certificate */
82 const char *key_file; /* the file with the client key */
83 const char *psk; /* the pre-shared key */
84 const char *psk_identity; /* the pre-shared key identity */
85 int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
86 int renegotiation; /* enable / disable renegotiation */
87 int allow_legacy; /* allow legacy renegotiation */
88 int renegotiate; /* attempt renegotiation? */
89 int renego_delay; /* delay before enforcing renegotiation */
90 int exchanges; /* number of data exchanges */
91 int min_version; /* minimum protocol version accepted */
92 int max_version; /* maximum protocol version accepted */
93 int auth_mode; /* verify mode for connection */
94 unsigned char mfl_code; /* code for maximum fragment length */
95 int trunc_hmac; /* negotiate truncated hmac or not */
96 int reconnect; /* attempt to resume session */
97 int reco_delay; /* delay in seconds before resuming session */
98 int tickets; /* enable / disable session tickets */
99 const char *alpn_string; /* ALPN supported protocols */
100} opt;
101
102
103static sim_client_handle_type cli_handle;
104int server_fd = -1;
105
106static void my_debug( void *ctx, int level, const char *str )
107{
108 ((void) level);
109
110 fprintf( (FILE *) ctx, "%s", str );
111 fflush( (FILE *) ctx );
112}
113
114
115static int ssl_client_init()
116{
117 int ret = 0, len, tail_len, i, written, frags;
118 unsigned char buf[SSL_MAX_CONTENT_LEN + 1];
119 const char *pers = "ssl_client";
120
121 entropy_context entropy;
122 ctr_drbg_context ctr_drbg;
123 ssl_context ssl;
124 ssl_session saved_session;
125 x509_crt cacert;
126 x509_crt clicert;
127 pk_context pkey;
128
129 memset( &ssl, 0, sizeof( ssl_context ) );
130 memset( &saved_session, 0, sizeof( ssl_session ) );
131 x509_crt_init( &cacert );
132 x509_crt_init( &clicert );
133 pk_init( &pkey );
134
135 fflush( stdout );
136
137 /*
138 * 0. Initialize the RNG and the session data
139 */
140
141 entropy_init( &entropy );
142 if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
143 (const unsigned char *) pers,
144 strlen( pers ) ) ) != 0 )
145 {
146 printf( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
147 goto exit;
148 }
149
150 printf( " ok\n" );
151
152 /*
153 * 1.1. Load the trusted CA
154 */
155 //ret = x509_crt_parse(&cacert,ca1_cert,strlen(ca1_cert));
156 ret = x509_crt_parse_file( &cacert, opt.ca_path );
157 if( ret < 0 )
158 {
159 printf( " failed\n ! ca x509_crt_parse returned -0x%x\n\n", -ret );
160 goto exit;
161 }
162 printf( " ok\n" );
163
164 /*
165 * 1.2. Load own certificate and private key
166 *
167 * (can be skipped if client authentication is not required)
168 */
169
170 ret = x509_crt_parse_file( &clicert, opt.crt_file );
171 if( ret != 0 )
172 {
173 printf( " failed\n ! crt x509_crt_parse returned -0x%x\n\n", -ret );
174 goto exit;
175 }
176
177 ret = pk_parse_keyfile( &pkey, opt.key_file, NULL);
178 if( ret != 0 )
179 {
180 printf( " failed\n ! key x509_crt_parse returned -0x%x\n\n", -ret );
181 goto exit;
182 }
183
184 printf( " ok\n" );
185
186 /*
187 * 2. Setup stuff
188 */
189 printf( " . Setting up the SSL/TLS structure..." );
190 fflush( stdout );
191
192 if( ( ret = ssl_init( &ssl ) ) != 0 )
193 {
194 printf( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
195 goto exit;
196 }
197
198 ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
199 ssl_set_authmode( &ssl, opt.auth_mode );
200
201 ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
202 ssl_set_dbg( &ssl, my_debug, stdout );
203
204 ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd );
205
206 ssl_set_renegotiation( &ssl, opt.renegotiation );
207 ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
208
209 ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
210
211 if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
212 {
213 printf( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
214 goto exit;
215 }
216 if( opt.min_version != -1 )
217 ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
218 if( opt.max_version != -1 )
219 ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
220 printf( " ok\n" );
221 /*
222 * 3. Handshake
223 */
224 printf( " . Performing the SSL/TLS handshake..." );
225 fflush( stdout );
226
227 while( ( ret = ssl_handshake( &ssl ) ) != 0 )
228 {
229 if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
230 {
231 printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret );
232 if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
233 printf(
234 " Unable to verify the server's certificate. "
235 "Either it is invalid,\n"
236 " or you didn't set ca_file or ca_path "
237 "to an appropriate value.\n"
238 " Alternatively, you may want to use "
239 "auth_mode=optional for testing purposes.\n" );
240 printf( "\n" );
241 goto exit;
242 }
243 }
244
245 printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
246 ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
247
248 /*
249 * 4. Verify the server certificate
250 */
251 printf( " . Verifying peer X.509 certificate..." );
252
253 if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
254 {
255 printf( " failed\n" );
256
257 if( ( ret & BADCERT_EXPIRED ) != 0 )
258 printf( " ! server certificate has expired\n" );
259
260 if( ( ret & BADCERT_REVOKED ) != 0 )
261 printf( " ! server certificate has been revoked\n" );
262
263 if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
264 printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
265
266 if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
267 printf( " ! self-signed or not signed by a trusted CA\n" );
268
269 printf( "\n" );
270 }
271 else
272 printf( " ok\n" );
273
274 if( ssl_get_peer_cert( &ssl ) != NULL )
275 {
276 printf( " . Peer certificate information ...\n" );
277 x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
278 ssl_get_peer_cert( &ssl ) );
279 printf( "%s\n", buf );
280 }
281 /*
282 * 5. Write the GET request
283 */
284 printf( " > Write to server:" );
285 fflush( stdout );
286
287 len = snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST,
288 opt.request_page );
289 tail_len = strlen( GET_REQUEST_END );
290
291 /* Add padding to GET request to reach opt.request_size in length */
292 if( opt.request_size != DFL_REQUEST_SIZE &&
293 len + tail_len < opt.request_size )
294 {
295 memset( buf + len, 'A', opt.request_size - len - tail_len );
296 len += opt.request_size - len - tail_len;
297 }
298
299 strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 );
300 len += tail_len;
301
302 /* Truncate if request size is smaller than the "natural" size */
303 if( opt.request_size != DFL_REQUEST_SIZE &&
304 len > opt.request_size )
305 {
306 len = opt.request_size;
307
308 /* Still end with \r\n unless that's really not possible */
309 if( len >= 2 ) buf[len - 2] = '\r';
310 if( len >= 1 ) buf[len - 1] = '\n';
311 }
312
313 for( written = 0, frags = 0; written < len; written += ret, frags++ )
314 {
315 while( ( ret = ssl_write( &ssl, buf + written, len - written ) ) <= 0 )
316 {
317 if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
318 {
319 printf( " failed\n ! ssl_write returned -0x%x\n\n", -ret );
320 goto exit;
321 }
322 }
323 }
324
325 buf[written] = '\0';
326 printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
327
328 /*
329 * 6. Read the HTTP response
330 */
331 printf( " < Read from server:" );
332 fflush( stdout );
333
334 do
335 {
336 len = sizeof( buf ) - 1;
337 memset( buf, 0, sizeof( buf ) );
338 ret = ssl_read( &ssl, buf, len );
339
340 if( ret == POLARSSL_ERR_NET_WANT_READ ||
341 ret == POLARSSL_ERR_NET_WANT_WRITE )
342 continue;
343
344 if( ret <= 0 )
345 {
346 switch( ret )
347 {
348 case POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
349 printf( " connection was closed gracefully\n" );
350 ret = 0;
351 goto close_notify;
352
353 case 0:
354 case POLARSSL_ERR_NET_CONN_RESET:
355 printf( " connection was reset by peer\n" );
356 ret = 0;
357 goto exit;
358
359 default:
360 printf( " ssl_read returned -0x%x\n", -ret );
361 goto exit;
362 }
363 }
364
365 len = ret;
366 buf[len] = '\0';
367 printf( " %d bytes read\n\n%s", len, (char *) buf );
368
369 /* End of message should be detected according to the syntax of the
370 * application protocol (eg HTTP), just use a dummy test here. */
371 if( ret > 0 && buf[len-1] == '\n' )
372 {
373 ret = 0;
374 break;
375 }
376 }
377 while( 1 );
378
379 /*
380 * 7. Done, cleanly close the connection
381 */
382close_notify:
383 printf( " . Closing the connection..." );
384
385 while( ( ret = ssl_close_notify( &ssl ) ) < 0 )
386 {
387 if( ret == POLARSSL_ERR_NET_CONN_RESET )
388 {
389 printf( " ok (already closed by peer)\n" );
390 ret = 0;
391 goto exit;
392 }
393
394 if( ret != POLARSSL_ERR_NET_WANT_READ &&
395 ret != POLARSSL_ERR_NET_WANT_WRITE )
396 {
397 printf( " failed\n ! ssl_close_notify returned %d\n\n", ret );
398 goto exit;
399 }
400 }
401
402 printf( " ok\n" );
403exit:
404 if( server_fd )
405 net_close( server_fd );
406
407 x509_crt_free( &clicert );
408 x509_crt_free( &cacert );
409 pk_free( &pkey );
410 ssl_session_free( &saved_session );
411 ssl_free( &ssl );
412 ctr_drbg_free( &ctr_drbg );
413 entropy_free( &entropy );
414
415 printf( " ok end\n" );
416 return 0;
417}
418
419int main(int argc, char *argv[])
420{
421 printf("Start!\n");
422
423 opt.server_name = DFL_SERVER_NAME;
424 opt.server_addr = DFL_SERVER_ADDR;
425 opt.server_port = DFL_SERVER_PORT;
426 opt.debug_level = DFL_DEBUG_LEVEL;
427 opt.nbio = DFL_NBIO;
428 opt.request_page = DFL_REQUEST_PAGE;
429 opt.request_size = DFL_REQUEST_SIZE;
430 opt.ca_file = DFL_CA_FILE;
431 opt.ca_path = DFL_CA_PATH;
432 opt.crt_file = DFL_CRT_FILE;
433 opt.key_file = DFL_KEY_FILE;
434 opt.psk = DFL_PSK;
435 opt.psk_identity = DFL_PSK_IDENTITY;
436 opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
437 opt.renegotiation = DFL_RENEGOTIATION;
438 opt.allow_legacy = DFL_ALLOW_LEGACY;
439 opt.renegotiate = DFL_RENEGOTIATE;
440 opt.exchanges = DFL_EXCHANGES;
441 opt.min_version = DFL_MIN_VERSION;
442 opt.max_version = DFL_MAX_VERSION;
443 opt.auth_mode = DFL_AUTH_MODE;
444 opt.mfl_code = DFL_MFL_CODE;
445 opt.trunc_hmac = DFL_TRUNC_HMAC;
446 opt.reconnect = DFL_RECONNECT;
447 opt.reco_delay = DFL_RECO_DELAY;
448 opt.tickets = DFL_TICKETS;
449 opt.alpn_string = DFL_ALPN_STRING;
450
451
452 if(argc < 3)
453 {
454 printf("input error \n example: mbtk_test ip prot\n");
455 return -1;
456 }
457 opt.server_addr = argv[1];
458 opt.server_port = atoi(argv[2]);
459
460 int ret = -1;
461 if( ( ret = net_connect( &server_fd, opt.server_addr,
462 opt.server_port ) ) != 0 )
463 {
464 printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
465 return -1;
466 }
467
468 ret = net_set_nonblock( server_fd );
469 if( ret != 0 )
470 {
471 printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n", -ret );
472 return -1;
473 }
474 printf( " ok\n" );
475 ret = ssl_client_init();
476 printf("ret is %d\n",ret);
477 printf("End!\n");
478 return 0;
479}