File: ssl_secure_server.c

package info (click to toggle)
xmlrpc-c 1.60.05-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 8,132 kB
  • sloc: ansic: 55,332; cpp: 13,541; sh: 3,321; makefile: 2,556; perl: 593; xml: 134
file content (242 lines) | stat: -rw-r--r-- 6,893 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
 
/* A simple standalone XML-RPC server program based on Abyss that uses SSL
   (Secure Sockets Layer) via OpenSSL, with authentication.

   This is like the 'ssl_server' example, except that it requires
   authentication, which means it is much harder to use - you have to set up a
   certificate, private key, DSA parameters, and Diffie-Hellman parameters.

   Example:

     $ ./ssl_secure_server 8080 &
     $ ./curl_client https://localhost:8080/RPC2

   Before the above will work, you have to create a variety of files and put
   them where this program expects to find them.  Example:

     $ mkdir /tmp/ssltest
     $ cd /tmp/ssltest
     $ openssl genpkey -genparam -algorithm DSA >dsap.pem
     $ openssl genpkey -paramfile dsap.pem >dsakey.pem
     $ openssl req -new dsakey.pem >csr.csr
     $ openssl x509 -req -in csr.csr -signkey dsakey.pem >certificate.pem
     $ openssl dhparam -in dsap.pem -dsaparam -outform PEM >dhparam.pem


   You can drive the most difficult part of this example (initial SSL
   handshake) with the 'openssl' program that comes with OpenSSL, as follows.

      $ ./ssl_secure_server 8080 &
      $ openssl -connect localhost:8080 -state

   The 'openssl' command connects and handshakes with the server, then waits
   for you to type stuff to send to the server.  You would have to type a
   complete HTTP header followed by a valid XML-RPC call to complete the
   demonstration.

   This uses the "provide your own Abyss server" mode of operation,
   as opposed to other Xmlrpc-c facilities that create an Abyss server under
   the covers, because this is the only way to get SSL.

   NOTE: We deliberately don't check error indications here to make the code
   easier to read.  If you're having trouble getting this code to run, by all
   means add checks of the "error" and "env" variables!
*/

#define _XOPEN_SOURCE 600
#define WIN32_LEAN_AND_MEAN  /* required by xmlrpc-c/server_abyss.h */

#include <stdlib.h>
#include <stdio.h>
#include <signal.h>
#ifndef _WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#endif

#include <openssl/ssl.h>

#include <xmlrpc-c/base.h>
#include <xmlrpc-c/abyss.h>
#include <xmlrpc-c/abyss_openssl.h>
#include <xmlrpc-c/server.h>
#include <xmlrpc-c/server_abyss.h>

#include "config.h"  /* information about this build environment */


static void
sslInfoCallback(const SSL * const sslP,
                int         const where,
                int         const ret) {

    const char * str;
    int const w = where & ~SSL_ST_MASK;

    if (w & SSL_ST_CONNECT)
        str = "SSL_connect";
    else if (w & SSL_ST_ACCEPT)
        str = "SSL_accept";
    else
        str = "undefined";

    if (where & SSL_CB_LOOP) {
        fprintf(stderr, "%s:%s\n", str, SSL_state_string_long(sslP));
    } else if (where & SSL_CB_ALERT) {
        str = (where & SSL_CB_READ) ? "read" : "write";
        fprintf(stderr, "SSL3 alert %s:%s:%s\n",
                str,
                SSL_alert_type_string_long(ret),
                SSL_alert_desc_string_long(ret));
    } else if (where & SSL_CB_EXIT) {
        if (ret == 0)
            fprintf(stderr, "%s:failed in %s\n",
                    str, SSL_state_string_long(sslP));
        else if (ret < 0) {
            fprintf(stderr, "%s:error in %s\n",
                    str, SSL_state_string_long(sslP));
        }
    }
}



static void
printPeerIpAddr(TSession * const abyssSessionP) {

#ifdef _WIN32
    struct abyss_win_chaninfo * channelInfoP;
#else
    struct abyss_unix_chaninfo * channelInfoP;
#endif
    struct sockaddr_in * sockAddrInP;
    unsigned char * ipAddr;  /* 4 byte array */

    SessionGetChannelInfo(abyssSessionP, (void*)&channelInfoP);

    sockAddrInP = (struct sockaddr_in *) &channelInfoP->peerAddr;

    ipAddr = (unsigned char *)&sockAddrInP->sin_addr.s_addr;

    printf("RPC is from IP address %u.%u.%u.%u\n",
           ipAddr[0], ipAddr[1], ipAddr[2], ipAddr[3]);
}



static xmlrpc_server_shutdown_fn requestShutdown;

static void
shutdownAbyss(xmlrpc_env * const faultP,
              void *       const context,
              const char * const comment,
              void *       const callInfo) {

    TServer * const abyssServerP = context;

    xmlrpc_env_init(faultP);

    ServerTerminate(abyssServerP);
}



static xmlrpc_value *
sample_add(xmlrpc_env *   const envP,
           xmlrpc_value * const paramArrayP,
           void *         const serverInfo,
           void *         const channelInfo) {

    xmlrpc_int x, y, z;

    printPeerIpAddr(channelInfo);

    /* Parse our argument array. */
    xmlrpc_decompose_value(envP, paramArrayP, "(ii)", &x, &y);
    if (envP->fault_occurred)
        return NULL;

    /* Add our two numbers. */
    z = x + y;

    /* Return our result. */
    return xmlrpc_build_value(envP, "i", z);
}



int
main(int           const argc,
     const char ** const argv) {

    struct xmlrpc_method_info3 const methodInfo = {
        .methodName     = "sample.add",
        .methodFunction = &sample_add,
        .serverInfo = NULL
    };

    SSL_CTX * sslCtxP;
    FILE * certFileP;
    TChanSwitch * chanSwitchP;
    TServer abyssServer;
    xmlrpc_registry * registryP;
    xmlrpc_env env;
    const char * error;

    if (argc-1 != 1) {
        fprintf(stderr, "You must specify 1 argument:  The TCP port number "
                "on which to listen for XML-RPC calls.  "
                "You specified %d.\n",  argc-1);
        exit(1);
    }

    AbyssInit(&error);

    xmlrpc_env_init(&env);

    sslCtxP = SSL_CTX_new(SSLv23_server_method());

    SSL_CTX_set_cipher_list(sslCtxP, "ALL:!aNULL");

    SSL_CTX_use_certificate_chain_file(sslCtxP,
                                       "/tmp/ssltest/certificate.pem");

    SSL_CTX_use_PrivateKey_file(sslCtxP, "/tmp/ssltest/dsakey.pem",
                                SSL_FILETYPE_PEM);

    certFileP = fopen("/tmp/ssltest/dhparam.pem", "r");

    DH * const dhP = PEM_read_DHparams(certFileP, NULL, NULL, NULL);

    SSL_CTX_set_tmp_dh(sslCtxP, dhP);

    SSL_CTX_set_info_callback(sslCtxP, sslInfoCallback);

    ChanSwitchOpenSslCreateIpV4Port(atoi(argv[1]), sslCtxP,
                                    &chanSwitchP, &error);

    ServerCreateSwitch(&abyssServer, chanSwitchP, &error);

    registryP = xmlrpc_registry_new(&env);

    xmlrpc_registry_add_method3(&env, registryP, &methodInfo);

    xmlrpc_registry_set_shutdown(registryP, &shutdownAbyss, &abyssServer);

    xmlrpc_server_abyss_set_handlers2(&abyssServer, "/RPC2", registryP);

    ServerInit(&abyssServer);

    printf("Running server...\n");

    ServerRun(&abyssServer);
        /* This waits for TCP connections and processes them as XML-RPC
           RPCs indefinitely (until system.shutdown method performed).
        */

    ServerFree(&abyssServer);
    ChanSwitchDestroy(chanSwitchP);
    SSL_CTX_free(sslCtxP);
    AbyssTerm();

    return 0;
}