1 /*
2 * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * NB: Changes to this file should also be reflected in
12 * doc/man7/ossl-guide-tls-server-block.pod
13 */
14
15 #include <string.h>
16
17 /* Include the appropriate header file for SOCK_STREAM */
18 #ifdef _WIN32 /* Windows */
19 # include <stdarg.h>
20 # include <winsock2.h>
21 #else /* Linux/Unix */
22 # include <err.h>
23 # include <sys/socket.h>
24 # include <sys/select.h>
25 #endif
26
27 #include <openssl/bio.h>
28 #include <openssl/ssl.h>
29 #include <openssl/err.h>
30
31 static const char cache_id[] = "OpenSSL Demo Server";
32
33 #ifdef _WIN32
34 static const char *progname;
35
vwarnx(const char * fmt,va_list ap)36 static void vwarnx(const char *fmt, va_list ap)
37 {
38 if (progname != NULL)
39 fprintf(stderr, "%s: ", progname);
40 vfprintf(stderr, fmt, ap);
41 putc('\n', stderr);
42 }
43
errx(int status,const char * fmt,...)44 static void errx(int status, const char *fmt, ...)
45 {
46 va_list ap;
47 va_start(ap, fmt);
48 vwarnx(fmt, ap);
49 va_end(ap);
50 exit(status);
51 }
52
warnx(const char * fmt,...)53 static void warnx(const char *fmt, ...)
54 {
55 va_list ap;
56 va_start(ap, fmt);
57 vwarnx(fmt, ap);
58 va_end(ap);
59 }
60 #endif
61
62 /* Minimal TLS echo server. */
main(int argc,char * argv[])63 int main(int argc, char *argv[])
64 {
65 int res = EXIT_FAILURE;
66 long opts;
67 const char *hostport;
68 SSL_CTX *ctx = NULL;
69 BIO *acceptor_bio;
70
71 #ifdef _WIN32
72 progname = argv[0];
73 #endif
74
75 if (argc != 2)
76 errx(res, "Usage: %s [host:]port", argv[0]);
77 hostport = argv[1];
78
79 /*
80 * An SSL_CTX holds shared configuration information for multiple
81 * subsequent per-client SSL connections.
82 */
83 ctx = SSL_CTX_new(TLS_server_method());
84 if (ctx == NULL) {
85 ERR_print_errors_fp(stderr);
86 errx(res, "Failed to create server SSL_CTX");
87 }
88
89 /*
90 * TLS versions older than TLS 1.2 are deprecated by IETF and SHOULD
91 * be avoided if possible.
92 */
93 if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
94 SSL_CTX_free(ctx);
95 ERR_print_errors_fp(stderr);
96 errx(res, "Failed to set the minimum TLS protocol version");
97 }
98
99 #if 0
100 /*
101 * In applications (e.g. SMTP) where most clients are performing
102 * unauthenticated opportunistic TLS it may make sense to set the security
103 * level to 0, allowing weaker encryption parameters, which are still
104 * stronger than a potential cleartext fallback.
105 *
106 * The default security level is 2 (as of OpenSSL 3.2), which is roughly
107 * equivalent to that of 112 bit symmetric keys, or 2048-bit RSA or
108 * finite-field Diffie-Hellman keys. Notably, non-zero security levels no
109 * longer allow the use of SHA-1 in certificate signatures, key exchange
110 * or in the TLS 1.[01] PRF (so TLS 1.0 and 1.1 require security level 0).
111 */
112 SSL_CTX_set_security_level(ctx, 0);
113 #endif
114
115 /*
116 * Tolerate clients hanging up without a TLS "shutdown". Appropriate in all
117 * application protocols which perform their own message "framing", and
118 * don't rely on TLS to defend against "truncation" attacks.
119 */
120 opts = SSL_OP_IGNORE_UNEXPECTED_EOF;
121
122 /*
123 * Block potential CPU-exhaustion attacks by clients that request frequent
124 * renegotiation. This is of course only effective if there are existing
125 * limits on initial full TLS handshake or connection rates.
126 */
127 opts |= SSL_OP_NO_RENEGOTIATION;
128
129 /*
130 * Most servers elect to use their own cipher preference rather than that of
131 * the client.
132 */
133 opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
134
135 /* Apply the selection options */
136 SSL_CTX_set_options(ctx, opts);
137
138 /*
139 * Load the server's certificate *chain* file (PEM format), which includes
140 * not only the leaf (end-entity) server certificate, but also any
141 * intermediate issuer-CA certificates. The leaf certificate must be the
142 * first certificate in the file.
143 *
144 * In advanced use-cases this can be called multiple times, once per public
145 * key algorithm for which the server has a corresponding certificate.
146 * However, the corresponding private key (see below) must be loaded first,
147 * *before* moving on to the next chain file.
148 *
149 * The requisite files "chain.pem" and "pkey.pem" can be generated by running
150 * "make chain" in this directory. If the server will be executed from some
151 * other directory, move or copy the files there.
152 */
153 if (SSL_CTX_use_certificate_chain_file(ctx, "chain.pem") <= 0) {
154 SSL_CTX_free(ctx);
155 ERR_print_errors_fp(stderr);
156 errx(res, "Failed to load the server certificate chain file");
157 }
158
159 /*
160 * Load the corresponding private key, this also checks that the private
161 * key matches the just loaded end-entity certificate. It does not check
162 * whether the certificate chain is valid, the certificates could be
163 * expired, or may otherwise fail to form a chain that a client can validate.
164 */
165 if (SSL_CTX_use_PrivateKey_file(ctx, "pkey.pem", SSL_FILETYPE_PEM) <= 0) {
166 SSL_CTX_free(ctx);
167 ERR_print_errors_fp(stderr);
168 errx(res, "Error loading the server private key file, "
169 "possible key/cert mismatch???");
170 }
171
172 /*
173 * Servers that want to enable session resumption must specify a cache id
174 * byte array, that identifies the server application, and reduces the
175 * chance of inappropriate cache sharing.
176 */
177 SSL_CTX_set_session_id_context(ctx, (void *)cache_id, sizeof(cache_id));
178 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
179
180 /*
181 * How many client TLS sessions to cache. The default is
182 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (20k in recent OpenSSL versions),
183 * which may be too small or too large.
184 */
185 SSL_CTX_sess_set_cache_size(ctx, 1024);
186
187 /*
188 * Sessions older than this are considered a cache miss even if still in
189 * the cache. The default is two hours. Busy servers whose clients make
190 * many connections in a short burst may want a shorter timeout, on lightly
191 * loaded servers with sporadic connections from any given client, a longer
192 * time may be appropriate.
193 */
194 SSL_CTX_set_timeout(ctx, 3600);
195
196 /*
197 * Clients rarely employ certificate-based authentication, and so we don't
198 * require "mutual" TLS authentication (indeed there's no way to know
199 * whether or how the client authenticated the server, so the term "mutual"
200 * is potentially misleading).
201 *
202 * Since we're not soliciting or processing client certificates, we don't
203 * need to configure a trusted-certificate store, so no call to
204 * SSL_CTX_set_default_verify_paths() is needed. The server's own
205 * certificate chain is assumed valid.
206 */
207 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
208
209 /*
210 * Create a listener socket wrapped in a BIO.
211 * The first call to BIO_do_accept() initialises the socket
212 */
213 acceptor_bio = BIO_new_accept(hostport);
214 if (acceptor_bio == NULL) {
215 SSL_CTX_free(ctx);
216 ERR_print_errors_fp(stderr);
217 errx(res, "Error creating acceptor bio");
218 }
219
220 BIO_set_bind_mode(acceptor_bio, BIO_BIND_REUSEADDR);
221 if (BIO_do_accept(acceptor_bio) <= 0) {
222 SSL_CTX_free(ctx);
223 ERR_print_errors_fp(stderr);
224 errx(res, "Error setting up acceptor socket");
225 }
226
227 /* Wait for incoming connection */
228 for (;;) {
229 BIO *client_bio;
230 SSL *ssl;
231 unsigned char buf[8192];
232 size_t nread;
233 size_t nwritten;
234 size_t total = 0;
235
236 /* Pristine error stack for each new connection */
237 ERR_clear_error();
238
239 /* Wait for the next client to connect */
240 if (BIO_do_accept(acceptor_bio) <= 0) {
241 /* Client went away before we accepted the connection */
242 continue;
243 }
244
245 /* Pop the client connection from the BIO chain */
246 client_bio = BIO_pop(acceptor_bio);
247 fprintf(stderr, "New client connection accepted\n");
248
249 /* Associate a new SSL handle with the new connection */
250 if ((ssl = SSL_new(ctx)) == NULL) {
251 ERR_print_errors_fp(stderr);
252 warnx("Error creating SSL handle for new connection");
253 BIO_free(client_bio);
254 continue;
255 }
256 SSL_set_bio(ssl, client_bio, client_bio);
257
258 /* Attempt an SSL handshake with the client */
259 if (SSL_accept(ssl) <= 0) {
260 ERR_print_errors_fp(stderr);
261 warnx("Error performing SSL handshake with client");
262 SSL_free(ssl);
263 continue;
264 }
265
266 while (SSL_read_ex(ssl, buf, sizeof(buf), &nread) > 0) {
267 if (SSL_write_ex(ssl, buf, nread, &nwritten) > 0 &&
268 nwritten == nread) {
269 total += nwritten;
270 continue;
271 }
272 warnx("Error echoing client input");
273 break;
274 }
275 fprintf(stderr, "Client connection closed, %zu bytes sent\n", total);
276 SSL_free(ssl);
277 }
278
279 /*
280 * Unreachable placeholder cleanup code, the above loop runs forever.
281 */
282 SSL_CTX_free(ctx);
283 return EXIT_SUCCESS;
284 }
285
