RE: [ECOS] RE: RE: On Porting OpenSSL v1.0.0c

public inbox for ecos-discuss@sourceware.org
 help / color / mirror / Atom feed

* RE: [ECOS] RE: RE: On Porting OpenSSL v1.0.0c
@ 2011-04-27 19:48 amassa
  0 siblings, 0 replies; 3+ messages in thread
From: amassa @ 2011-04-27 19:48 UTC (permalink / raw)
  To: Retallack, Mark; +Cc: 'ecos-discuss@ecos.sourceware.org'

Hi,

Thanks for the reply.

I do have a call to get the further errors and code similar to the one you included below.  It seems errno is 0 (showing no error), but I need to look into this further to see if it is implemented correctly on this platform because SSL_get_error returns 5 (as you mentioned).

I have also tried to use the callback during connection to obtain more information.  These are the output messages (snippet) I am seeing after the attempt to perform SSL_connect():

do the SSL connection
SSL_connect:before/connect initialization
SSL_connect:error in SSLv3 write client hello A
SSL_connect status  -1
SSL_connect Error  5
sockerrno to connect, err = 0 (No error)
SSL Verify OK
SSL_connect Failed

The callback status returns "error in SSLv3 write client hello A".

I have implemented my own ioctl() (returning ENOSYS) to handle any calls into that function.

Any further ideas are greatly appreciated.

Thanks,
Anthony

---- "Retallack wrote: 
> Hi, 
> 
> One thing hat comes to mind, error 5 is SSL_ERROR_SYSCALL, see: http://www.openssl.org/docs/ssl/SSL_get_error.html
> 
> It also suggests some more debug to use to find out what has happened (for example errno). You can also use something like the following to get a string of the error:
> 
> unsigned long l;
> while ((l=ERR_get_error()))
> {
>     printf("ssl error: %s\n", ERR_error_string(l,NULL));
> }
> 
> Because the underlying transport is not TCP, it might be returning an error because of blocking/non-blocking differences. Also I believe that openssl can use ioctl calls, this may be failing on a serial file descriptor. 
> 
> Mark Retallack 
> 
> -----Original Message-----
> From: ecos-discuss-owner@ecos.sourceware.org [mailto:ecos-discuss-owner@ecos.sourceware.org] On Behalf Of Anthony Massa
> Sent: 26 April 2011 17:53
> To: ecos-discuss@ecos.sourceware.org
> Subject: [ECOS] RE: RE: On Porting OpenSSL v1.0.0c
> 
> Hi,
> 
> I have OpenSSL built into my image (along with a slightly older version of eCos).  I am not able to use the standard socket interface layer over Ethernet - basically the platform I'm using needs to communicate via serial for the network traffic.  So, basically the socket interface functions (connect, send, recv) are implemented to use this serial interface.  I have tested the raw socket interface for the connect, send, and recv functions and they appear to be able to echo with a server properly - so I believe the socket interface is running correctly.
> 
> I am running the test code I included above (ssltest.c) and find that the test is failing at line 725 when the SSL_connect function is called.
> 
> The output I see and errors returned are shown here:
> 
> do the SSL connection
> SSL_connect status  -1
> SSL_connect Error  5
> 
> I appreciate any feedback.
> 
> Thanks,
> Anthony
> 


-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss

^ permalink raw reply	[flat|nested] 3+ messages in thread

[parent not found: <20110425212037.JAAQV.41916.root@cdptpa-web03-z02>]

[parent not found: <03AEFB12CF391F45B74EC59D643A74510787B30FF7@DEFTHW99E24MSX.ww902.siemens.net>]

* [ECOS] RE: RE: On Porting OpenSSL v1.0.0c
       [not found] ` <03AEFB12CF391F45B74EC59D643A74510787B30FF7@DEFTHW99E24MSX.ww902.siemens.net>
@ 2011-04-26 16:53   ` Anthony Massa
  2011-04-27  7:07     ` Retallack, Mark
  0 siblings, 1 reply; 3+ messages in thread
From: Anthony Massa @ 2011-04-26 16:53 UTC (permalink / raw)
  To: ecos-discuss

[-- Attachment #1: Type: text/plain, Size: 874 bytes --]

Hi,

I have OpenSSL built into my image (along with a slightly older version of eCos).  I am not able to use the standard socket interface layer over Ethernet - basically the platform I'm using needs to communicate via serial for the network traffic.  So, basically the socket interface functions (connect, send, recv) are implemented to use this serial interface.  I have tested the raw socket interface for the connect, send, and recv functions and they appear to be able to echo with a server properly - so I believe the socket interface is running correctly.

I am running the test code I included above (ssltest.c) and find that the test is failing at line 725 when the SSL_connect function is called.

The output I see and errors returned are shown here:

do the SSL connection
SSL_connect status  -1
SSL_connect Error  5

I appreciate any feedback.

Thanks,
Anthony


[-- Attachment #2: ssltest.c --]
[-- Type: text/plain, Size: 24983 bytes --]

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <limits.h>

#include "os.h"

#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/bio.h>
#include <openssl/err.h>


//asd


#define ALLOW_INVALID_PURPOSE             0x00000001
#define ALLOW_SELF_SIGNED_CERT_IN_CHAIN   0x00000002
#define VERIFY_SHOW_CERTS                 0x80000000

#define SHUT_RD   0		/* == Win32 SD_RECEIVE */
#define SHUT_WR   1		/* == Win32 SD_SEND    */
#define SHUT_RDWR 2		/* == Win32 SD_BOTH    */


unsigned long verify_control_flags = 0;
int dump_cert_names = 0;
int ignore_all_verify_errors = 0;

char * rootcert = 
"-----BEGIN CERTIFICATE-----\n"
"MIIDbDCCAtWgAwIBAgIBKTANBgkqhkiG9w0BAQQFADCBkTELMAkGA1UEBhMCVVMx\n"
"CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTYW4gRGllZ28xEzARBgNVBAoTClZlcmlt\n"
"YXRyaXgxDTALBgNVBAsTBFZDQVMxGzAZBgNVBAMTElZlcmltYXRyaXggUk9PVCBD\n"
"QTEgMB4GCSqGSIb3DQEJARYRQ0FAVmVyaW1hdHJpeC5jb20wHhcNMDUwMzIzMjA0\n"
"NzEwWhcNMTUwMzIxMjA0NzEwWjCBhzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB\n"
"MRMwEQYDVQQKEwpWZXJpbWF0cml4MQ0wCwYDVQQLEwRWQ0FTMRQwEgYDVQQDEwtN\n"
"aWtlIEJlYXR0eTExMC8GCSqGSIb3DQEJARYiU1VCQ0EuMTExMTYxMDgyOTg0M0BW\n"
"ZXJpbWF0cml4LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy0us/E8u\n"
"2vH1x6AcwDHllaMz3SdJ1plknmOPn2IgPHoOdg+PR2ciAR4wOzXUyOkasUhn8FyS\n"
"p+lPQiv/vfMxu6zG4NtwRF5NIWqCG06pXUIYR3JH4HSbfhf+9IIHsn2HwPolBBRq\n"
"zDJRkKKVLWSlYLjneqhWkYCFLkTshSyw2vcCAwEAAaOB2zCB2DAdBgNVHQ4EFgQU\n"
"CfPXPsVfPryHZq9o7/soM3JAtZUwgagGA1UdIwSBoDCBnaGBl6SBlDCBkTELMAkG\n"
"A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTYW4gRGllZ28xEzARBgNV\n"
"BAoTClZlcmltYXRyaXgxDTALBgNVBAsTBFZDQVMxGzAZBgNVBAMTElZlcmltYXRy\n"
"aXggUk9PVCBDQTEgMB4GCSqGSIb3DQEJARYRQ0FAVmVyaW1hdHJpeC5jb22CAQAw\n"
"DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBr9fD+FC5Of2LJb1pw+hUO\n"
"WKFmgulTkVGO5tFo2EddK5k/RywxJ76QmM+ej0Zz9AsvWDJO6HQmpwm8WQbxyG6F\n"
"jq5xKAUJMSmQv3UYY7uwcmcZbtnU6OYfm5zIz1p7F9oJsCWBX3nPQ3SE7DP7xBBK\n"
"KsHR1fLvK1pdTPsSpJsQvw==\n"
"-----END CERTIFICATE-----\n";


int ip_connect( char * host, int port )
{
	struct sockaddr_in sa;
	int s = -1;
	
	/* Set-up the sockaddr_in structure */
	memset((char *)&sa,0,sizeof(sa));
	sa.sin_family=AF_INET;
	sa.sin_port=(unsigned short)port;
    sa.sin_addr.s_addr = inet_addr(host);

SM_printf("connect port = %x\r\n", sa.sin_port);

	/* Create the socket */
	s = socket( AF_INET, SOCK_STREAM, 0 );
	if (s == -1) {
		SM_printf("failed to create the socket\r\n");
		return -1;
	}

	/* Connect */
	if ( connect( s, (struct sockaddr*)&sa, sizeof(sa) ) == -1 ) {
		SM_printf("failed to connect\r\n");
		close(s);
		return -1;
	} 

	return s;

#if 0

   unsigned long addr;
//   struct sockaddr_in them;
   sockaddr them;
   //struct hostent * pHostEnt;
   //char ** pHostAddr = NULL;
   int s = -1;

   /* resolve IP address */
   addr = inet_addr(host);
   if ( -1 == addr )
   {
      SM_printf("Host address must be an IPv4 IP Address\n");
	//SM_printf("Failed to connect, err = %d (%s)\r\n", e, strerror(e));
      return -1;
   }

   /* Set-up the sockaddr_in structure */
   memset((char *)&them,0,sizeof(them));
   them.sin_family=AF_INET;
   //them.sin_port=htons((unsigned short)port);
   them.sin_port=(unsigned short)port;
   them.sin_addr.s_addr = inet_addr(host);
   //memcpy( (void *)&them.sin_addr, (void *)&addr, sizeof(addr) );


   /* create the socket */
   //s = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
    s = socket(AF_INET, SOCK_STREAM, 0);
   if (-1 == s) 
   {
	SM_printf("Failed to create socket  %d\n",errno);
      return -1;
   }

   
   if (connect(s, &them, sizeof(them)) == -1) {
//   if (connect(s, &them, sizeof(them) ) == -1 ) 
   {
      int e = errno;
      SM_printf("Failed to connect, err = %d (%s)\n", e, strerror(e) );
      close( s );
      return -1;
   }

   SM_printf("Socket (%d) connect OK to %s:%d\n", s, host, port);
   return s;
#endif
}


void print_cert( X509 * cert )
{
    X509_PURPOSE *ptmp;
    int j, id, i, idret;
    char *pname;
    BIO *STDout=NULL;
    
    // Create BIO object for stdout
    STDout=BIO_new_fp(stdout,BIO_NOCLOSE);

    // Print the certificate text
    X509_print_ex( STDout, cert, 0, 0 );

    // Print the Certificate Purposes
    // This code is from openssl/apps/x509.c
    BIO_printf(STDout, "    Certificate purposes:\n");
    for (j = 0; j < X509_PURPOSE_get_count(); j++)
    {
        ptmp = X509_PURPOSE_get0(j);
        id = X509_PURPOSE_get_id(ptmp);
        pname = X509_PURPOSE_get0_name(ptmp);
        for (i = 0; i < 2; i++)
        {
            idret = X509_check_purpose(cert, id, i);
            BIO_printf(STDout, "        %s%s : ", pname, i ? " CA" : ""); 
            if (idret == 1) 
                BIO_printf(STDout, "Yes\n");
            else if (idret == 0) 
                BIO_printf(STDout, "No\n");
            else 
                BIO_printf(STDout, "Yes (WARNING code=%d)\n", idret);
        }
    }

    // Free our BIO object
    BIO_free_all(STDout);
}



X509 * get_issuer( X509_STORE_CTX *ctx )
{
    X509 *issuer, *tmp_issuer = NULL, *err_cert;
    int res;


    // Ensure we have an X509 Store Context
    if ( !ctx )
    {
       SM_printf( "no CTX\n" );
       return NULL;
    }

    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    if ( NULL == err_cert )
    {
        SM_printf("No cert to get issuer of\n");
        return NULL;
    }

    // Obtain the issuer cert
    issuer = ctx->current_issuer;

    // If the issuer has not been set, try to get it from the trusted 
    // certs in the store.  If this works, the cert will have to be freed
    // later.
    if ( !issuer )
    {
        // It is not set yet, try getting it from the store
        res = X509_STORE_CTX_get1_issuer( &tmp_issuer, ctx, err_cert );
        issuer = tmp_issuer;
        if ( issuer )
        {
            //SM_printf( "Got issuer from trusted certs\n" );
        }
    }

    if ( !issuer)
    {
        // If we did not get the issuer from the trusted certs,
        // try getting it from the stack of untrusted certs.
        // If this works we just get a pointer to the stack 
        // entry and must NOT free it.
        int i;
        X509 *potential_issuer;
        for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
        {
            potential_issuer = sk_X509_value(ctx->untrusted, i);
            if (ctx->check_issued(ctx, err_cert, potential_issuer))
                issuer = potential_issuer;
        }
        if ( issuer )
        {
            //SM_printf("Got issuer from untrusted certs\n");
        }
    }

    if ( !issuer )
    {
       SM_printf( "Could not find issuer cert\n");
    }
    //else 
    //{
    //    SM_printf( "Have issuer cert\n" );
    //}

    // This should be freed to avoid memory leaks, 
    // but this is just a test app, so let it leak!
    //if (tmp_issuer) 
    //    X509_free(tmp_issuer);
    return issuer;

}

void log_ssl_verify_errors( int verify_result )
{
    switch( verify_result ) 
    {
        default:
            SM_printf("UNKNOWN SSL Verify error %ld\n", verify_result);
            break;
        case X509_V_OK:
            SM_printf("SSL Verify OK\n");
            break;
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
            SM_printf("SSL Verify UNABLE_TO_GET_ISSUER_CERT\n");
            break;
        case X509_V_ERR_CERT_NOT_YET_VALID:
            SM_printf("SSL Verify CERT_NOT_YET_VALID\n");
            break;
        case X509_V_ERR_CERT_HAS_EXPIRED:
            SM_printf("SSL Verify CERT_HAS_EXPIRED\n");
            break;
        case X509_V_ERR_INVALID_PURPOSE:
            SM_printf("SSL Verify INVALID_PURPOSE\n");
            break;
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
            SM_printf("SSL Verify UNABLE_TO_GET_ISSUER_CERT_LOCALLY\n");
            break;
        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
            SM_printf("SSL Verify PATH_LENGTH_EXCEEDED\n");
            break;
        case X509_V_ERR_CERT_UNTRUSTED:
            SM_printf("SSL Verify CERT_UNTRUSTED\n");
            break;
        case X509_V_ERR_CERT_REJECTED:
            SM_printf("SSL Verify CERT_REJECTED\n");
            break;
        case X509_V_ERR_UNABLE_TO_GET_CRL:
            SM_printf("SSL Verify UNABLE_TO_GET_CRL\n");
            break;
        case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
            SM_printf("SSL Verify UNABLE_TO_DECRYPT_CERT_SIGNATURE\n");
            break;
        case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
            SM_printf("SSL Verify UNABLE_TO_DECRYPT_CRL_SIGNATURE\n");
            break;
        case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
            SM_printf("SSL Verify UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY\n");
            break;
        case X509_V_ERR_CERT_SIGNATURE_FAILURE:
            SM_printf("SSL Verify CERT_SIGNATURE_FAILURE\n");
            break;
        case X509_V_ERR_CRL_SIGNATURE_FAILURE:
            SM_printf("SSL Verify CRL_SIGNATURE_FAILURE\n");
            break;
        case X509_V_ERR_CRL_NOT_YET_VALID:
            SM_printf("SSL Verify ERR_CRL_NOT_YET_VALID\n");
            break;
        case X509_V_ERR_CRL_HAS_EXPIRED:
            SM_printf("SSL Verify CRL_HAS_EXPIRED\n");
            break;
        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
            SM_printf("SSL Verify ERROR_IN_CERT_NOT_BEFORE_FIELD\n");
            break;
        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
            SM_printf("SSL Verify ERROR_IN_CERT_NOT_AFTER_FIELD\n");
            break;
        case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
            SM_printf("SSL Verify ERROR_IN_CRL_LAST_UPDATE_FIELD\n");
            break;
        case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
            SM_printf("SSL Verify ERROR_IN_CRL_NEXT_UPDATE_FIELD\n");
            break;
        case X509_V_ERR_OUT_OF_MEM:
            SM_printf("SSL Verify OUT_OF_MEM\n");
            break;
        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            SM_printf("SSL Verify DEPTH_ZERO_SELF_SIGNED_CERT\n");
            break;
        case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
            SM_printf("SSL Verify SELF_SIGNED_CERT_IN_CHAIN\n");
            break;
        case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
            SM_printf("SSL Verify UNABLE_TO_VERIFY_LEAF_SIGNATURE\n");
            break;
        case X509_V_ERR_CERT_CHAIN_TOO_LONG:
            SM_printf("SSL Verify CERT_CHAIN_TOO_LONG\n");
            break;
        case X509_V_ERR_CERT_REVOKED:
            SM_printf("SSL Verify CERT_REVOKED\n");
            break;
        case X509_V_ERR_INVALID_CA:
            SM_printf("SSL Verify INVALID_CA\n");
            break;
        case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
            SM_printf("SSL Verify SUBJECT_ISSUER_MISMATCH\n");
            break;
        case X509_V_ERR_AKID_SKID_MISMATCH:
            SM_printf("SSL Verify AKID_SKID_MISMATCH\n");
            break;
        case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
            SM_printf("SSL Verify AKID_ISSUER_SERIAL_MISMATCH\n");
            break;
        case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
            SM_printf("SSL Verify UNABLE_TO_GET_CRL_ISSUER\n");
            break;
/*
        case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
        case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
        case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
        case X509_V_ERR_INVALID_NON_CA:
        case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
        case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
        case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
        case X509_V_ERR_INVALID_EXTENSION:
        case X509_V_ERR_INVALID_POLICY_EXTENSION:
        case X509_V_ERR_NO_EXPLICIT_POLICY:
        case X509_V_ERR_UNNESTED_RESOURCE:
        case X509_V_ERR_APPLICATION_VERIFICATION:
*/
    }
}

#if 0
void log_ssl_errors( )
{
   unsigned long err;
   char * sErrStr;
   SM_printf("log_ssl_errors -- \n");
   err = ERR_get_error();
   SM_printf("ERR_get_error Error code  %d\n",err);
   while( err != 0 ) 
   {
      SM_printf("Use NULL for error buffer so OpenSSL internal buffer is used.\n");
      // This internal buffer is not thread safe!
      sErrStr = (char *)ERR_error_string( err, NULL );
      if ( sErrStr != NULL ) 
         SM_printf("%lu - %s\n", err, sErrStr );
   }
}
#endif


X509 * pem_to_x509( char * pem )
{
   X509 * pX509 = NULL;
   BIO  * pBio  = NULL;

   /* Allocate BIO object*/
   pBio  = BIO_new( BIO_s_mem() );
   if ( pBio == NULL )
      return NULL;

   /* Put the raw certificate (char format) into the BIO object */
   BIO_write( pBio, pem, strlen(pem) );

   /* Parse the certificate */
   pX509 = (struct x509_st *)PEM_ASN1_read_bio( 
                (char *(*)())d2i_X509  /* DER to Internal conversion fn */
              , PEM_STRING_X509        /* PEM Marker string from pem.h  */
              , pBio                   /* BIO containing cert PEM data  */
              , NULL
              , NULL
              , NULL 
              );
   /* Free the BIO structure */
   BIO_free(pBio);
   /* Return the Cert */
   return pX509;
}


#define MAX_DEPTH 3

int my_verify_callback(int ok, X509_STORE_CTX *ctx)
{
   X509 *err_cert, *issuer;
   int err;
   int depth;
   char buf[256];
   SM_printf("my_verify_callback \n");
 
   err_cert = X509_STORE_CTX_get_current_cert(ctx);
   err      = X509_STORE_CTX_get_error(ctx);
   depth    = X509_STORE_CTX_get_error_depth(ctx);


   SM_printf("------------ Begin Verify Callback --------------\n");
   X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
   if ( dump_cert_names ) 
   {
      SM_printf("verifying certificate: %s\n", buf);
      print_cert( err_cert );
      SM_printf("\n");
   }
   X509_NAME_oneline(X509_get_issuer_name(err_cert),buf,sizeof buf);
   if ( dump_cert_names ) 
   {
      SM_printf("issued by            : %s\n", buf);
      issuer = get_issuer( ctx );
      if ( issuer )
          print_cert( issuer );
      else
          SM_printf("No issuer yet\n");
      SM_printf("\n");
   }

   if ( !ok ) 
   {
      if ( depth >= MAX_DEPTH ) 
      {
         SM_printf("Verify callback: depth( %d ) exceeds %d\n", depth, MAX_DEPTH );
         X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
         ok = 0;
      }
      switch( ctx->error )
      {
      case X509_V_OK:
         SM_printf( "!ok but X509_V_OK?, just say OK\n");
         ok = 1;
         break;

      case X509_V_ERR_INVALID_PURPOSE:
         if ( verify_control_flags & ALLOW_INVALID_PURPOSE )
         {
            SM_printf("ignoring INVALID_PURPOSE error\n");
            X509_STORE_CTX_set_error(ctx,X509_V_OK);
            ok = 1;
         }
         break;

      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
         if ( verify_control_flags & ALLOW_SELF_SIGNED_CERT_IN_CHAIN )
         {
            SM_printf("ignoring SELF_SIGNED_CERT_IN_CHAIN error\n");
            X509_STORE_CTX_set_error(ctx,X509_V_OK);
            ok = 1;
         }
         break;

      default:
         if ( ignore_all_verify_errors )
         {
            SM_printf("ignoring verify error (%d)", ctx->error);
            log_ssl_verify_errors( ctx->error );
            X509_STORE_CTX_set_error(ctx,X509_V_OK);
            ok = 1;
         }
         else
         {
            SM_printf("verify callback failing on ");
            log_ssl_verify_errors( ctx->error );
         }
         break;
      }    
   }

   SM_printf("------------ End Verify Callback --------------\n");
   return(ok);
}

void usage()
{
   SM_printf("ssltest [options]\n");
   SM_printf("    -s server_addr\n");
   SM_printf("    -p server_port\n");
   SM_printf("    -v             : disable client validation of server\n");
   SM_printf("    -f flags       : 1 to allow invalid purpose\n");
   SM_printf("                   : 2 to allow self signed cert in chain\n");
   SM_printf("                   : 32 to show certs being verified\n");
   SM_printf("    -o             : omit setting local trusted rootcert\n");
   SM_printf("    -i             : ignore all verify errors\n");

}

int ssltest(char *server, int port_num)
{
//   char    * server;
   int       port;
   SSL_CTX * sslctx  = NULL;  /* SSL Context */
   SSL     * sslcon  = NULL;  /* SSL Connection handle */
   int       s       = -1;         /* socket */
   int       err;
   int       e;
   BIO     * sbio    = NULL;
   //int       c;
   int       verify_peer = 1;
   //int       tmp;
   X509    * root_x509 = NULL;
   int       omit_rootcert = 0;
   SM_printf("ssltest: test function ---  \n");

  /* if ( argc < 3 )
   {
      usage();
      return 0;
   }
*/
    /* while ((c = getopt(argc, argv, "inovf:s:p:")) != -1)
         switch (c) {
         case 'v': verify_peer = 0; break;
         case 's': server = optarg; break;
         case 'p': port = atoi(optarg); break;
         case 'f': tmp = atoi(optarg); 
                   if ( tmp > 0 )
                      verify_control_flags |= (1 << (tmp-1));
                   break;
         case 'o': omit_rootcert = 1; break;
         case 'i': ignore_all_verify_errors = 1; 
                   verify_control_flags = 0xFFFFFFFF; 
                   break;
         case 'n': dump_cert_names = 1;
         case '?':
         case 'h': usage(argv[0]);           return 0;
         }
  */
//   server = "192.168.1.12";
   port = port_num;
//   port = 8090;
//   port = 12697;
   ignore_all_verify_errors = 1; 
   verify_control_flags = 0xFFFFFFFF; 
   verify_peer = 0;

   /* Check that port is valid */
   if ( port <= 0 )
   {
      SM_printf("invalid port %d\n", port );
      return 0;
   }

   /* Dump the Validation Flags */
   if ( verify_peer )
   {
      if ( ignore_all_verify_errors )
      {
         SM_printf("Verify Peer ignoring all validation errors\n");
      }
      else
      if ( verify_control_flags )
      {
         SM_printf("Verify Peer: (%x)\n",verify_control_flags);
         if ( verify_control_flags & ALLOW_INVALID_PURPOSE )
             SM_printf("           :Allow Invalid Purpose\n");
         if ( verify_control_flags & ALLOW_SELF_SIGNED_CERT_IN_CHAIN )
             SM_printf("           :Allow Self Signed Cert In Chain\n");
         if ( verify_control_flags & VERIFY_SHOW_CERTS )
             {
             dump_cert_names = 1;
             SM_printf("           :Show names of certs being verified\n");
             }
      }
      else
      {
         SM_printf("Verify Peer with no error exceptions\n");
      }
   }
   else
   {
      SM_printf("Peer Verification disabled\n");
   }

   do {

      /* Initialize OpenSSL */
	
      OpenSSL_add_all_algorithms();
      OpenSSL_add_all_digests();
      OpenSSL_add_all_ciphers();
      OpenSSL_add_ssl_algorithms();
	SSL_library_init();
      SSL_load_error_strings();

      /* Create an SSL Context */
      sslctx = SSL_CTX_new(TLSv1_client_method());
      if ( NULL == sslctx )
      {
         SM_printf("Failed to create SSL Context\n");
         break;
      }
      
SM_printf("SSL_CTX_new log ssl errors\n");
log_ssl_errors();

      /* Initialize the context */
      SSL_CTX_set_quiet_shutdown(sslctx,1);
      SSL_CTX_set_options(sslctx, 0);
      SSL_CTX_sess_set_cache_size(sslctx,128);

      /* Setup for Peer Validation */
      if ( verify_peer )
      {
         if ( !omit_rootcert )
         {
            SM_printf("setting local trusted rootcert\n");
            root_x509 = pem_to_x509( rootcert );
            if ( root_x509 )
               X509_STORE_add_cert( sslctx->cert_store, root_x509 );
            else
            {
               log_ssl_errors();
               SM_printf("Failed to convert rootcert to X509 structure in verify setup\n");
            }
         }
         else
         {
            SM_printf("omitted setting local trusted rootcert\n");
         }

         SM_printf("enabbling client validation of server SSL certificate\n");
         SSL_CTX_set_verify( sslctx
                           , SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
                           , my_verify_callback
                           );

         SSL_CTX_set_verify_depth( sslctx, 3 );
      }

      /* Create SSL Connection context */
      sslcon = SSL_new(sslctx);
      if ( sslcon == NULL ) 
      {
         SM_printf("SSL_new failed\n");
         break;
      }

SM_printf("SSL_new log ssl errors\n");
log_ssl_errors();

      /* Establish connection to the server */
      s = ip_connect( server, port );
      if ( -1 == s )
      {
         SM_printf("IP connection to %s on port %d Failed\n", server, port);
         break;
      }

      /* Wrap the connected socket in a BIO object so OpenSSL can use it */
      sbio = BIO_new_socket( s, BIO_NOCLOSE );
      if ( sbio == NULL ) 
      {
         SM_printf("Failed to create socket BIO\n");
         break;
      }

SM_printf("BIO_new_socket log ssl errors\n");
log_ssl_errors();

SM_printf("sslcon->type  %d\n",sslcon->type);
SM_printf("sslcon->version  %d\n",sslcon->version); //Protocol Version
SM_printf("sslcon->rwstate  %d\n",sslcon->rwstate);
SM_printf("sslcon->in_handshake  %d\n",sslcon->in_handshake);
SM_printf("sslcon->handshake_func  %d\n",sslcon->handshake_func);
SM_printf("sslcon->state  %d\n",sslcon->state);
SM_printf("sslcon->rstate  %d\n",sslcon->rstate);
SM_printf("sslcon->init_num  %d\n",sslcon->init_num); //amount read/written
SM_printf("sslcon->error  %d\n",sslcon->error);
SM_printf("sslcon->error_code  %d\n",sslcon->error_code); // Actual Error Code
SM_printf("sslcon->client_version  %d\n",sslcon->client_version);

      /* Give the connected socket to OpenSSL */
	SM_printf("Give the connected socket to OpenSSL\n");
      SSL_set_bio( sslcon, sbio, sbio );
      SSL_set_connect_state( sslcon );

      /* Perform the SSL handshake to complete the SSL connection */
      while( 1 )
      {
         /* do the SSL connection */
	   SM_printf("do the SSL connection\n");
         err = SSL_connect( sslcon );

	   SM_printf("SSL_connect status  %d\n", err);
         /* Check for success */
         if ( err > 0 )
         {
            log_ssl_errors();
            log_ssl_verify_errors( sslcon->verify_result );
            SM_printf("SSL_connect succeeded\n");
            break;
         }

         /* Error was returned */
         e = SSL_get_error( sslcon, err );
         if ( (SSL_ERROR_WANT_READ  != e) && (SSL_ERROR_WANT_WRITE != e) )
         {
            SM_printf("SSL_connect Error  %d\n", e);
		log_ssl_errors();
		int e = errno;
	      SM_printf("sockerrno to connect, err = %d (%s)\n", e, strerror(e) );
            log_ssl_verify_errors( sslcon->verify_result );
            SM_printf("SSL_connect Failed\n");

SM_printf("sslcon->type  %d\n",sslcon->type);
SM_printf("sslcon->version  %d\n",sslcon->version); //Protocol Version
SM_printf("sslcon->rwstate  %d\n",sslcon->rwstate);
SM_printf("sslcon->in_handshake  %d\n",sslcon->in_handshake);
SM_printf("sslcon->handshake_func  %d\n",sslcon->handshake_func);
SM_printf("sslcon->state  %d\n",sslcon->state);
SM_printf("sslcon->rstate  %d\n",sslcon->rstate);
SM_printf("sslcon->init_num  %d\n",sslcon->init_num); //amount read/written
SM_printf("sslcon->error  %d\n",sslcon->error);
SM_printf("sslcon->error_code  %d\n",sslcon->error_code); // Actual Error Code
SM_printf("sslcon->client_version  %d\n",sslcon->client_version);

            break;
         }

         /* OpenSSL wants to retry */
         SM_printf("Retry SSL_connect\n");
      }

      /* Connection has either been established, or it has failed */
   } while ( 0 );

   /* Free allocated resources */
   SM_printf("freeing resources\n");
   if ( sslcon )
   {
      SSL_shutdown( sslcon );
      shutdown( SSL_get_fd(sslcon), SHUT_RDWR );
      SSL_free( sslcon );
   }
   if ( s != -1 )
   {
      shutdown( s, SHUT_RDWR );
      close( s );
   }
   if ( sslctx )
      SSL_CTX_free( sslctx );
   if ( root_x509 )
      X509_free( root_x509 );

   EVP_cleanup();
   CRYPTO_cleanup_all_ex_data();
   ERR_remove_state(0);
   ERR_free_strings();

   return 0;
}



[-- Attachment #3: Type: text/plain, Size: 148 bytes --]

-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [ECOS] RE: RE: On Porting OpenSSL v1.0.0c
  2011-04-26 16:53   ` Anthony Massa
@ 2011-04-27  7:07     ` Retallack, Mark
  0 siblings, 0 replies; 3+ messages in thread
From: Retallack, Mark @ 2011-04-27  7:07 UTC (permalink / raw)
  To: 'amassa@san.rr.com'; +Cc: 'ecos-discuss@ecos.sourceware.org'

Hi, 

One thing hat comes to mind, error 5 is SSL_ERROR_SYSCALL, see: http://www.openssl.org/docs/ssl/SSL_get_error.html

It also suggests some more debug to use to find out what has happened (for example errno). You can also use something like the following to get a string of the error:

unsigned long l;
while ((l=ERR_get_error()))
{
    printf("ssl error: %s\n", ERR_error_string(l,NULL));
}

Because the underlying transport is not TCP, it might be returning an error because of blocking/non-blocking differences. Also I believe that openssl can use ioctl calls, this may be failing on a serial file descriptor. 

Mark Retallack 

-----Original Message-----
From: ecos-discuss-owner@ecos.sourceware.org [mailto:ecos-discuss-owner@ecos.sourceware.org] On Behalf Of Anthony Massa
Sent: 26 April 2011 17:53
To: ecos-discuss@ecos.sourceware.org
Subject: [ECOS] RE: RE: On Porting OpenSSL v1.0.0c

Hi,

I have OpenSSL built into my image (along with a slightly older version of eCos).  I am not able to use the standard socket interface layer over Ethernet - basically the platform I'm using needs to communicate via serial for the network traffic.  So, basically the socket interface functions (connect, send, recv) are implemented to use this serial interface.  I have tested the raw socket interface for the connect, send, and recv functions and they appear to be able to echo with a server properly - so I believe the socket interface is running correctly.

I am running the test code I included above (ssltest.c) and find that the test is failing at line 725 when the SSL_connect function is called.

The output I see and errors returned are shown here:

do the SSL connection
SSL_connect status  -1
SSL_connect Error  5

I appreciate any feedback.

Thanks,
Anthony

--
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2011-04-27 19:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-04-27 19:48 [ECOS] RE: RE: On Porting OpenSSL v1.0.0c amassa
     [not found] <20110425212037.JAAQV.41916.root@cdptpa-web03-z02>
     [not found] ` <03AEFB12CF391F45B74EC59D643A74510787B30FF7@DEFTHW99E24MSX.ww902.siemens.net>
2011-04-26 16:53   ` Anthony Massa
2011-04-27  7:07     ` Retallack, Mark

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).