Better guarding, better commenting, remove irrelevant code
Anthony Hu
parent
4b84114c6a
commit
b375acd729
|
|
@ -36,81 +36,13 @@
|
|||
#include <wolfssl/wolfio.h>
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
|
||||
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
||||
#define DEFAULT_PORT 11111
|
||||
|
||||
#define CERT_FILE "../certs/client-cert.pem"
|
||||
#define KEY_FILE "../certs/client-key.pem"
|
||||
#define CA_FILE "../certs/ca-cert.pem"
|
||||
|
||||
#if defined(WOLFSSL_TLS13) && defined(HAVE_SECRET_CALLBACK)
|
||||
|
||||
#ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT
|
||||
#define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log"
|
||||
#endif
|
||||
|
||||
/* Callback function for TLS v1.3 secrets for use with Wireshark */
|
||||
static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret,
|
||||
int secretSz, void* ctx)
|
||||
{
|
||||
int i;
|
||||
const char* str = NULL;
|
||||
unsigned char clientRandom[32];
|
||||
int clientRandomSz;
|
||||
XFILE fp = stderr;
|
||||
if (ctx) {
|
||||
fp = XFOPEN((const char*)ctx, "ab");
|
||||
if (fp == XBADFILE) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
}
|
||||
|
||||
clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
|
||||
sizeof(clientRandom));
|
||||
|
||||
if (clientRandomSz <= 0) {
|
||||
printf("Error getting client random %d\n", clientRandomSz);
|
||||
}
|
||||
|
||||
#if 0
|
||||
printf("TLS Client Secret CB: Rand %d, Secret %d\n",
|
||||
clientRandomSz, secretSz);
|
||||
#endif
|
||||
|
||||
switch (id) {
|
||||
case CLIENT_EARLY_TRAFFIC_SECRET:
|
||||
str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
|
||||
case EARLY_EXPORTER_SECRET:
|
||||
str = "EARLY_EXPORTER_SECRET"; break;
|
||||
case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
|
||||
str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
|
||||
case SERVER_HANDSHAKE_TRAFFIC_SECRET:
|
||||
str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
|
||||
case CLIENT_TRAFFIC_SECRET:
|
||||
str = "CLIENT_TRAFFIC_SECRET_0"; break;
|
||||
case SERVER_TRAFFIC_SECRET:
|
||||
str = "SERVER_TRAFFIC_SECRET_0"; break;
|
||||
case EXPORTER_SECRET:
|
||||
str = "EXPORTER_SECRET"; break;
|
||||
}
|
||||
|
||||
fprintf(fp, "%s ", str);
|
||||
for (i = 0; i < clientRandomSz; i++) {
|
||||
fprintf(fp, "%02x", clientRandom[i]);
|
||||
}
|
||||
fprintf(fp, " ");
|
||||
for (i = 0; i < secretSz; i++) {
|
||||
fprintf(fp, "%02x", secret[i]);
|
||||
}
|
||||
fprintf(fp, "\n");
|
||||
|
||||
if (fp != stderr) {
|
||||
XFCLOSE(fp);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */
|
||||
|
||||
int main(int argc, char** argv)
|
||||
{
|
||||
int ret = 0;
|
||||
|
|
@ -201,6 +133,7 @@ int main(int argc, char** argv)
|
|||
goto exit;
|
||||
}
|
||||
|
||||
/* POSTHSAUTH: Prepare for post-handshake authentication. */
|
||||
if ((ret = wolfSSL_CTX_allow_post_handshake_auth(ctx)) != 0) {
|
||||
fprintf(stderr, "ERROR: failed to allow post hand-shake auth.\n");
|
||||
goto exit;
|
||||
|
|
@ -218,25 +151,12 @@ int main(int argc, char** argv)
|
|||
goto exit;
|
||||
}
|
||||
|
||||
#ifdef HAVE_SECRET_CALLBACK
|
||||
/* required for getting random used */
|
||||
wolfSSL_KeepArrays(ssl);
|
||||
|
||||
/* optional logging for wireshark */
|
||||
wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback,
|
||||
(void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT);
|
||||
#endif
|
||||
|
||||
/* Connect to wolfSSL on the server side */
|
||||
if ((ret = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS) {
|
||||
fprintf(stderr, "ERROR: failed to connect to wolfSSL\n");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#ifdef HAVE_SECRET_CALLBACK
|
||||
wolfSSL_FreeArrays(ssl);
|
||||
#endif
|
||||
|
||||
/* Get a message for the server from stdin */
|
||||
printf("Message for server: ");
|
||||
memset(buff, 0, sizeof(buff));
|
||||
|
|
@ -263,7 +183,8 @@ int main(int argc, char** argv)
|
|||
/* Print to stdout any data the server sends */
|
||||
printf("Server: %s\n", buff);
|
||||
|
||||
/* Send the second message to the server */
|
||||
/* POSTHSAUTH: Send the second message to the server. This message is now
|
||||
* authenticated. */
|
||||
memset(buff, 0, sizeof(buff));
|
||||
memcpy(buff, "Hello again from the client\n", 28);
|
||||
len = strnlen(buff, sizeof(buff));
|
||||
|
|
@ -294,3 +215,10 @@ exit:
|
|||
|
||||
return ret;
|
||||
}
|
||||
#else
|
||||
int main() {
|
||||
fprintf(stderr, "Please configure with --enable-postauth or compile with "
|
||||
"WOLFSSL_POST_HANDSHAKE_AUTH defined.\n");
|
||||
return 0;
|
||||
}
|
||||
#endif /* WOLFSSL_POST_HANDSHAKE_AUTH */
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@
|
|||
#include <wolfssl/wolfio.h>
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
|
||||
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
||||
#define DEFAULT_PORT 11111
|
||||
|
||||
#define CERT_FILE "../certs/server-cert.pem"
|
||||
|
|
@ -48,75 +49,6 @@
|
|||
#define CA_FILE "../certs/client-cert.pem"
|
||||
|
||||
|
||||
#if defined(WOLFSSL_TLS13) && defined(HAVE_SECRET_CALLBACK)
|
||||
|
||||
#ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT
|
||||
#define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log"
|
||||
#endif
|
||||
|
||||
/* Callback function for TLS v1.3 secrets for use with Wireshark */
|
||||
static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret,
|
||||
int secretSz, void* ctx)
|
||||
{
|
||||
int i;
|
||||
const char* str = NULL;
|
||||
unsigned char serverRandom[32];
|
||||
int serverRandomSz;
|
||||
XFILE fp = stderr;
|
||||
if (ctx) {
|
||||
fp = XFOPEN((const char*)ctx, "ab");
|
||||
if (fp == XBADFILE) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
}
|
||||
|
||||
serverRandomSz = (int)wolfSSL_get_server_random(ssl, serverRandom,
|
||||
sizeof(serverRandom));
|
||||
|
||||
if (serverRandomSz <= 0) {
|
||||
printf("Error getting server random %d\n", serverRandomSz);
|
||||
}
|
||||
|
||||
#if 0
|
||||
printf("TLS Server Secret CB: Rand %d, Secret %d\n",
|
||||
serverRandomSz, secretSz);
|
||||
#endif
|
||||
|
||||
switch (id) {
|
||||
case CLIENT_EARLY_TRAFFIC_SECRET:
|
||||
str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
|
||||
case EARLY_EXPORTER_SECRET:
|
||||
str = "EARLY_EXPORTER_SECRET"; break;
|
||||
case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
|
||||
str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
|
||||
case SERVER_HANDSHAKE_TRAFFIC_SECRET:
|
||||
str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
|
||||
case CLIENT_TRAFFIC_SECRET:
|
||||
str = "CLIENT_TRAFFIC_SECRET_0"; break;
|
||||
case SERVER_TRAFFIC_SECRET:
|
||||
str = "SERVER_TRAFFIC_SECRET_0"; break;
|
||||
case EXPORTER_SECRET:
|
||||
str = "EXPORTER_SECRET"; break;
|
||||
}
|
||||
|
||||
fprintf(fp, "%s ", str);
|
||||
for (i = 0; i < (int)serverRandomSz; i++) {
|
||||
fprintf(fp, "%02x", serverRandom[i]);
|
||||
}
|
||||
fprintf(fp, " ");
|
||||
for (i = 0; i < secretSz; i++) {
|
||||
fprintf(fp, "%02x", secret[i]);
|
||||
}
|
||||
fprintf(fp, "\n");
|
||||
|
||||
if (fp != stderr) {
|
||||
XFCLOSE(fp);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */
|
||||
|
||||
static int mSockfd = SOCKET_INVALID;
|
||||
static int mConnd = SOCKET_INVALID;
|
||||
static int mShutdown = 0;
|
||||
|
|
@ -216,7 +148,8 @@ int main(int argc, char** argv)
|
|||
goto exit;
|
||||
}
|
||||
|
||||
/* No verification during handshake. Will be doing it post handshake. */
|
||||
/* POSTHSAUTH: No verification during handshake. Will be doing it post
|
||||
* handshake. */
|
||||
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
|
||||
|
||||
/* Load server certificates into WOLFSSL_CTX */
|
||||
|
|
@ -263,15 +196,6 @@ int main(int argc, char** argv)
|
|||
/* Attach wolfSSL to the socket */
|
||||
wolfSSL_set_fd(ssl, mConnd);
|
||||
|
||||
#ifdef HAVE_SECRET_CALLBACK
|
||||
/* required for getting random used */
|
||||
wolfSSL_KeepArrays(ssl);
|
||||
|
||||
/* optional logging for wireshark */
|
||||
wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback,
|
||||
(void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT);
|
||||
#endif
|
||||
|
||||
/* Establish TLS connection */
|
||||
if ((ret = wolfSSL_accept(ssl)) != WOLFSSL_SUCCESS) {
|
||||
fprintf(stderr, "wolfSSL_accept error = %d\n",
|
||||
|
|
@ -281,10 +205,6 @@ int main(int argc, char** argv)
|
|||
|
||||
printf("Client connected successfully\n");
|
||||
|
||||
#ifdef HAVE_SECRET_CALLBACK
|
||||
wolfSSL_FreeArrays(ssl);
|
||||
#endif
|
||||
|
||||
/* Read the client data into our buff array */
|
||||
memset(buff, 0, sizeof(buff));
|
||||
if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) < 0) {
|
||||
|
|
@ -301,9 +221,12 @@ int main(int argc, char** argv)
|
|||
mShutdown = 1;
|
||||
}
|
||||
|
||||
/* POSTHSAUTH: Require the client to send over their certificate; fail
|
||||
* if we cannot verify the client. */
|
||||
wolfSSL_set_verify(ssl,
|
||||
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
|
||||
|
||||
/* POSTHSAUTH: Request the certficate and do the verification. */
|
||||
if (wolfSSL_request_certificate(ssl) != WOLFSSL_SUCCESS) {
|
||||
fprintf(stderr, "ERROR: Request for post-hs certificate failed\n");
|
||||
goto exit;
|
||||
|
|
@ -323,7 +246,8 @@ int main(int argc, char** argv)
|
|||
goto exit;
|
||||
}
|
||||
|
||||
/* Read second message into our buff array */
|
||||
/* POSTHSAUTH: Read second message into our buff array. This is now
|
||||
* authenticated. */
|
||||
memset(buff, 0, sizeof(buff));
|
||||
if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) < 0) {
|
||||
fprintf(stderr, "ERROR: failed to read\n");
|
||||
|
|
@ -372,3 +296,10 @@ exit:
|
|||
|
||||
return ret;
|
||||
}
|
||||
#else
|
||||
int main() {
|
||||
fprintf(stderr, "Please configure with --enable-postauth or compile with "
|
||||
"WOLFSSL_POST_HANDSHAKE_AUTH defined.\n");
|
||||
return 0;
|
||||
}
|
||||
#endif /* WOLFSSL_POST_HANDSHAKE_AUTH */
|
||||
|
|
|
|||
Loading…
Reference in New Issue