/*************************************************************************** * nsock_server.c -- A simple example of using nsock to implement TCP * * servers * * * ***********************IMPORTANT NSOCK LICENSE TERMS*********************** * * * The nsock parallel socket event library is (C) 1999-2012 Insecure.Com * * LLC This library is free software; you may redistribute and/or * * modify it under the terms of the GNU General Public License as * * published by the Free Software Foundation; Version 2. This guarantees * * your right to use, modify, and redistribute this software under certain * * conditions. If this license is unacceptable to you, Insecure.Com LLC * * may be willing to sell alternative licenses (contact * * sales@insecure.com ). * * * * As a special exception to the GPL terms, Insecure.Com LLC grants * * permission to link the code of this program with any version of the * * OpenSSL library which is distributed under a license identical to that * * listed in the included docs/licenses/OpenSSL.txt file, and distribute * * linked combinations including the two. You must obey the GNU GPL in all * * respects for all of the code used other than OpenSSL. If you modify * * this file, you may extend this exception to your version of the file, * * but you are not obligated to do so. * * * * If you received these files with a written license agreement stating * * terms other than the (GPL) terms above, then that alternative license * * agreement takes precedence over this comment. * * * * Source is provided to this software because we believe users have a * * right to know exactly what a program is going to do before they run it. * * This also allows you to audit the software for security holes (none * * have been found so far). * * * * Source code also allows you to port Nmap to new platforms, fix bugs, * * and add new features. You are highly encouraged to send your changes * * to nmap-dev@insecure.org for possible incorporation into the main * * distribution. By sending these changes to Fyodor or one of the * * Insecure.Org development mailing lists, it is assumed that you are * * offering the Nmap Project (Insecure.Com LLC) the unlimited, * * non-exclusive right to reuse, modify, and relicense the code. Nmap * * will always be available Open Source, but this is important because the * * inability to relicense code has caused devastating problems for other * * Free Software projects (such as KDE and NASM). We also occasionally * * relicense the code to third parties as discussed above. If you wish to * * specify special license conditions of your contributions, just say so * * when you send them. * * * * This program is distributed in the hope that it will be useful, but * * WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * * General Public License v2.0 for more details * * (http://www.gnu.org/licenses/gpl-2.0.html). * * * ***************************************************************************/ #include "nsock.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define DEFAULT_KEY_BITS 1024 #define DEFAULT_CERT_DURATION (60 * 60 * 24 * 365) #define CERTIFICATE_COMMENT "Automatically generated by nsock_server." static int ssl_gen_cert(X509 **cert, EVP_PKEY **key) { RSA *rsa; X509_NAME *subj; X509_EXTENSION *ext; X509V3_CTX ctx; const char *commonName = "localhost"; char dNSName[128]; int rc; *cert = NULL; *key = NULL; /* Generate a private key. */ *key = EVP_PKEY_new(); if (*key == NULL) goto err; do { rsa = RSA_generate_key(DEFAULT_KEY_BITS, RSA_F4, NULL, NULL); if (rsa == NULL) goto err; rc = RSA_check_key(rsa); } while (rc == 0); if (rc == -1) { printf("Error generating RSA key: %s", ERR_error_string(ERR_get_error(), NULL)); exit(1); } if (EVP_PKEY_assign_RSA(*key, rsa) == 0) { RSA_free(rsa); goto err; } /* Generate a certificate. */ *cert = X509_new(); if (*cert == NULL) goto err; if (X509_set_version(*cert, 2) == 0) /* Version 3. */ goto err; ASN1_INTEGER_set(X509_get_serialNumber(*cert), 273279 & 0x7FFFFFFF); /* Set the commonName. */ subj = X509_get_subject_name(*cert); if (X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC, (unsigned char *) commonName, -1, -1, 0) == 0) { goto err; } /* Set the dNSName. */ rc = snprintf(dNSName, sizeof(dNSName), "DNS:%s", commonName); if (rc < 0 || rc >= sizeof(dNSName)) goto err; X509V3_set_ctx(&ctx, *cert, *cert, NULL, NULL, 0); ext = X509V3_EXT_conf(NULL, &ctx, "subjectAltName", dNSName); if (ext == NULL) goto err; if (X509_add_ext(*cert, ext, -1) == 0) goto err; /* Set a comment. */ ext = X509V3_EXT_conf(NULL, &ctx, "nsComment", CERTIFICATE_COMMENT); if (ext == NULL) goto err; if (X509_add_ext(*cert, ext, -1) == 0) goto err; if (X509_set_issuer_name(*cert, X509_get_subject_name(*cert)) == 0 || X509_gmtime_adj(X509_get_notBefore(*cert), 0) == 0 || X509_gmtime_adj(X509_get_notAfter(*cert), DEFAULT_CERT_DURATION) == 0 || X509_set_pubkey(*cert, *key) == 0) { goto err; } /* Sign it. */ if (X509_sign(*cert, *key, EVP_sha1()) == 0) goto err; return 1; err: if (*cert != NULL) X509_free(*cert); if (*key != NULL) EVP_PKEY_free(*key); return 0; } static SSL_CTX *get_ssl(void) { SSL_CTX *sslctx; const SSL_METHOD *method; X509 *cert; EVP_PKEY *key; SSL_library_init(); OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); SSL_load_error_strings(); if (!RAND_status()) { printf("Failed to seed OpenSSL PRNG (RAND_status returned false)."); exit(1); } if (!(method = SSLv23_server_method())) { printf("SSLv23_server_method(): %s.", ERR_error_string(ERR_get_error(), NULL)); exit(1); } if (!(sslctx = SSL_CTX_new(method))) { printf("SSL_CTX_new(): %s.", ERR_error_string(ERR_get_error(), NULL)); exit(1); } SSL_CTX_set_options(sslctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); /* Secure ciphers list taken from Nsock. */ if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")) { printf("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL)); exit(1); } if (ssl_gen_cert(&cert, &key) == 0) { printf("ssl_gen_cert(): %s.", ERR_error_string(ERR_get_error(), NULL)); exit(1); } if (SSL_CTX_use_certificate(sslctx, cert) != 1) { printf("SSL_CTX_use_certificate(): %s.", ERR_error_string(ERR_get_error(), NULL)); exit(1); } if (SSL_CTX_use_PrivateKey(sslctx, key) != 1) { printf("SSL_CTX_use_PrivateKey(): %s.", ERR_error_string(ERR_get_error(), NULL)); exit(1); } X509_free(cert); EVP_PKEY_free(key); return sslctx; } static void handler(nsock_pool nsp, nsock_event nse, void *udata) { enum nse_status status = nse_status(nse); enum nse_type type = nse_type(nse); nsock_iod nsiod; printf("handler: received callback of type %s with status %s\n", nse_type2str(type), nse_status2str(status)); if (status == NSE_STATUS_SUCCESS) { switch (type) { case NSE_TYPE_LISTEN: nsiod = nsock_accept_client(nse); if (!nsiod || nsi_getsd(nsiod) < 0) { printf("ERRNUM: %d\n", nse_errorcode(nse)); } else { printf("handler: accepting connection: %d\n", nsi_getsd(nsiod)); nsock_printf(nsp, nsiod, handler, -1, NULL, "Your fd was: %d\n", nsi_getsd(nsiod)); } break; case NSE_TYPE_WRITE: printf("DONE!\n"); break; default: fprintf(stderr, "handler: got bogus type -- quitting\n"); exit(1); } } else { printf("Error: %s\n", strerror(nse_errorcode(nse))); } } int main(int argc, char *argv[]) { nsock_pool nsp; nsock_iod nsi; struct addrinfo hints, *res = NULL; SSL_CTX *ssl; if (argc < 3) { fprintf(stderr, "Usage: nsock_server [portnum]\n"); exit(1); } memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; getaddrinfo(argv[1], argv[2], &hints, &res); ssl = get_ssl(); nsp = nsp_new(NULL); nsp_settrace(nsp, NULL, 10, NULL); nsi = nsi_new(nsp, NULL); assert(nsp); assert(nsi); assert(ssl); nsock_listen(nsp, nsi, handler, -1, NULL, IPPROTO_TCP, (struct sockaddr_storage *)res->ai_addr, res->ai_addrlen, ssl); nsock_loop(nsp, -1); freeaddrinfo(res); return 0; }