/* * Copyright 2014-2022 The GmSSL Project. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the License); you may * not use this file except in compliance with the License. * * http://www.apache.org/licenses/LICENSE-2.0 */ #include #include #include #include #include #include #include #include static const char *options = "[-port num] -cert file -key file [-pass str] -ex_key file [-ex_pass str] [-cacert file]"; static const char *help = "Options\n" "\n" " -port num Listening port number, default 443\n" " -cert file Server's certificate chain in PEM format\n" " -key file Server's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" " -cacert file CA certificate for client certificate verification\n" "\n" "Examples\n" "\n" " gmssl sm2keygen -pass 1234 -out rootcakey.pem\n" " gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca\n" " gmssl sm2keygen -pass 1234 -out cakey.pem\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" -key cakey.pem -pass 1234 -out careq.pem\n" " gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem\n" "\n" " gmssl sm2keygen -pass 1234 -out signkey.pem\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem\n" " gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem\n" "\n" " gmssl sm2keygen -pass 1234 -out enckey.pem\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem\n" " gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem\n" "\n" " cat signcert.pem > double_certs.pem\n" " cat enccert.pem >> double_certs.pem\n" " cat cacert.pem >> double_certs.pem\n" "\n" " sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n" " gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n" "\n"; int tlcp_server_main(int argc , char **argv) { int ret = 1; char *prog = argv[0]; int port = 443; char *certfile = NULL; char *signkeyfile = NULL; char *signpass = NULL; char *enckeyfile = NULL; char *encpass = NULL; char *cacertfile = NULL; int server_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3, }; TLS_CTX ctx; TLS_CONNECT conn; char buf[1600] = {0}; size_t len = sizeof(buf); tls_socket_t sock; tls_socket_t conn_sock; struct sockaddr_in server_addr; struct sockaddr_in client_addr; tls_socklen_t client_addrlen; argc--; argv++; if (argc < 1) { fprintf(stderr, "usage: %s %s\n", prog, options); return 1; } while (argc > 0) { if (!strcmp(*argv, "-help")) { printf("usage: %s %s\n", prog, options); printf("%s\n", help); return 0; } else if (!strcmp(*argv, "-port")) { if (--argc < 1) goto bad; port = atoi(*(++argv)); } else if (!strcmp(*argv, "-cert")) { if (--argc < 1) goto bad; certfile = *(++argv); } else if (!strcmp(*argv, "-key")) { if (--argc < 1) goto bad; signkeyfile = *(++argv); } else if (!strcmp(*argv, "-pass")) { if (--argc < 1) goto bad; signpass = *(++argv); } else if (!strcmp(*argv, "-ex_key")) { if (--argc < 1) goto bad; enckeyfile = *(++argv); } else if (!strcmp(*argv, "-ex_pass")) { if (--argc < 1) goto bad; encpass = *(++argv); } else if (!strcmp(*argv, "-cacert")) { if (--argc < 1) goto bad; cacertfile = *(++argv); } else { fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv); return 1; bad: fprintf(stderr, "%s: option '%s' argument required\n", prog, *argv); return 1; } argc--; argv++; } if (!certfile) { fprintf(stderr, "%s: '-cert' option required\n", prog); return 1; } if (!signkeyfile) { fprintf(stderr, "%s: '-key' option required\n", prog); return 1; } if (!signpass) { fprintf(stderr, "%s: '-pass' option required\n", prog); return 1; } if (!enckeyfile) { fprintf(stderr, "%s: '-ex_key' option required\n", prog); return 1; } if (!encpass) { fprintf(stderr, "%s: '-ex_pass' option required\n", prog); return 1; } memset(&ctx, 0, sizeof(ctx)); memset(&conn, 0, sizeof(conn)); if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_server_mode) != 1 || tls_ctx_set_cipher_suites(&ctx, server_ciphers, sizeof(server_ciphers)/sizeof(int)) != 1 || tls_ctx_set_tlcp_server_certificate_and_keys(&ctx, certfile, signkeyfile, signpass, enckeyfile, encpass) != 1) { error_print(); return -1; } if (cacertfile) { if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) { error_print(); return -1; } } if (tls_socket_lib_init() != 1) { error_print(); return -1; } if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) { error_print(); return 1; } server_addr.sin_family = AF_INET; server_addr.sin_addr.s_addr = INADDR_ANY; server_addr.sin_port = htons(port); if (tls_socket_bind(sock, &server_addr) != 1) { fprintf(stderr, "%s: socket bind error\n", prog); goto end; } puts("start listen ...\n"); tls_socket_listen(sock, 1); restart: client_addrlen = sizeof(client_addr); if (tls_socket_accept(sock, &client_addr, &conn_sock) != 1) { fprintf(stderr, "%s: socket accept error\n", prog); goto end; } puts("socket connected\n"); if (tls_init(&conn, &ctx) != 1 || tls_set_socket(&conn, conn_sock) != 1) { error_print(); return -1; } if (tls_do_handshake(&conn) != 1) { error_print(); return -1; } for (;;) { int rv; size_t sentlen; do { len = sizeof(buf); if ((rv = tls_recv(&conn, (uint8_t *)buf, sizeof(buf), &len)) != 1) { if (rv < 0) fprintf(stderr, "%s: recv failure\n", prog); else fprintf(stderr, "%s: Disconnected by remote\n", prog); //tls_socket_close(conn.sock); // FIXME: tls_cleanup(&conn); goto restart; } } while (!len); if (tls_send(&conn, (uint8_t *)buf, len, &sentlen) != 1) { fprintf(stderr, "%s: send failure, close connection\n", prog); tls_socket_close(conn.sock); goto end; } } end: return ret; }