summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHugo Landau <hlandau@openssl.org>2024-04-04 12:33:14 +0100
committerHugo Landau <hlandau@openssl.org>2024-04-19 09:33:53 +0100
commit9c123686d6339842886f877b230f3d06ad9c4226 (patch)
treea46d42cab068bb52952f64579fa3fb7d6a473d0c
parentc8cd1de701ab448e42ec7c6dd417ef28e5604942 (diff)
QUIC: Add demo for QUIC server usage
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24037)
Diffstat
-rw-r--r--demos/quic/server/Makefile30
-rw-r--r--demos/quic/server/README.md19
-rw-r--r--demos/quic/server/server.c230
3 files changed, 279 insertions, 0 deletions
diff --git a/demos/quic/server/Makefile b/demos/quic/server/Makefile
new file mode 100644
index 0000000000..7db6f085c5
--- /dev/null
+++ b/demos/quic/server/Makefile
@@ -0,0 +1,30 @@
+#
+# To run the demo when linked with a shared library (default) ensure that
+# libcrypto and libssl are on the library path. For example:
+#
+# LD_LIBRARY_PATH=../.. ./server 4444 \
+# ../../test/certs/servercert.pem \
+# ../../test/certs/serverkey.pem
+#
+CFLAGS += -I../../../include -g -Wall -Wsign-compare
+LDFLAGS += -L../../..
+LDLIBS = -lcrypto -lssl
+
+.PHONY: all server clean run s_client
+
+all: server
+
+server: server.c
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+clean:
+ $(RM) server *.o
+
+run: server
+ LD_LIBRARY_PATH=../../.. ./server 4444 \
+ ../../../test/certs/servercert.pem \
+ ../../../test/certs/serverkey.pem
+
+s_client:
+ LD_LIBRARY_PATH=../../.. ../../../apps/openssl \
+ s_client -quic -quiet -alpn ossltest -connect 127.0.0.1:4444 || true
diff --git a/demos/quic/server/README.md b/demos/quic/server/README.md
new file mode 100644
index 0000000000..99bc10a328
--- /dev/null
+++ b/demos/quic/server/README.md
@@ -0,0 +1,19 @@
+Simple single-connection QUIC server example
+============================================
+
+This is a simple example of a QUIC server that accepts and handles one
+connection at a time. It demonstrates blocking use of the QUIC server API.
+
+Type `make` to build and `make run` to run.
+
+Usage:
+
+```
+./server <port-number> <certificate-file> <key-file>
+```
+
+Example client usage:
+
+```
+openssl s_client -quic -alpn ossltest -connect 127.0.0.1:<port-number>
+```
diff --git a/demos/quic/server/server.c b/demos/quic/server/server.c
new file mode 100644
index 0000000000..f288d6cd0a
--- /dev/null
+++ b/demos/quic/server/server.c
@@ -0,0 +1,230 @@
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/quic.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <assert.h>
+
+/*
+ * This is a basic demo of QUIC server functionality in which one connection at
+ * a time is accepted in a blocking loop.
+ */
+
+/* ALPN string for TLS handshake */
+static const unsigned char alpn_ossltest[] = {
+ /* "\x08ossltest" (hex for EBCDIC resilience) */
+ 0x08, 0x6f, 0x73, 0x73, 0x6c, 0x74, 0x65, 0x73, 0x74
+};
+
+/* This callback validates and negotiates the desired ALPN on the server side. */
+static int select_alpn(SSL *ssl,
+ const unsigned char **out, unsigned char *out_len,
+ const unsigned char *in, unsigned int in_len,
+ void *arg)
+{
+ if (SSL_select_next_proto((unsigned char **)out, out_len,
+ alpn_ossltest, sizeof(alpn_ossltest), in, in_len)
+ != OPENSSL_NPN_NEGOTIATED)
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ return SSL_TLSEXT_ERR_OK;
+}
+
+/* Create SSL_CTX. */
+static SSL_CTX *create_ctx(const char *cert_path, const char *key_path)
+{
+ SSL_CTX *ctx;
+
+ ctx = SSL_CTX_new(OSSL_QUIC_server_method());
+ if (ctx == NULL)
+ goto err;
+
+ /* Load certificate and corresponding private key. */
+ if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) <= 0) {
+ fprintf(stderr, "couldn't load certificate file: %s\n", cert_path);
+ goto err;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ctx, key_path, SSL_FILETYPE_PEM) <= 0) {
+ fprintf(stderr, "couldn't load key file: %s\n", key_path);
+ goto err;
+ }
+
+ if (!SSL_CTX_check_private_key(ctx)) {
+ fprintf(stderr, "private key check failed\n");
+ goto err;
+ }
+
+ /* Setup ALPN negotiation callback. */
+ SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL);
+ return ctx;
+
+err:
+ SSL_CTX_free(ctx);
+ return NULL;
+}
+
+/* Create UDP socket using given port. */
+static int create_socket(uint16_t port)
+{
+ int fd = -1;
+ struct sockaddr_in6 sa = {0};
+
+ if ((fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+ fprintf(stderr, "cannot create socket");
+ goto err;
+ }
+
+ sa.sin6_family = AF_INET6;
+ sa.sin6_port = htons(port);
+
+ if (bind(fd, (const struct sockaddr *)&sa, sizeof(sa)) < 0) {
+ fprintf(stderr, "cannot bind to %u\n", port);
+ goto err;
+ }
+
+ return fd;
+
+err:
+ if (fd >= 0)
+ BIO_closesocket(fd);
+
+ return -1;
+}
+
+/* Main loop for servicing a single incoming QUIC connection. */
+static int run_quic_conn(SSL *conn)
+{
+ size_t written = 0;
+
+ fprintf(stderr, "=> Received connection\n");
+
+ /*
+ * Write the message "hello" on the connection using a default stream
+ * and then immediately conclude the stream (end-of-stream). This
+ * demonstrates the use of SSL_write_ex2 for optimised FIN generation.
+ *
+ * Since we inherit our blocking mode from the parent QUIC SSL object (the
+ * listener) by default, this call is also blocking.
+ */
+ if (!SSL_write_ex2(conn, "hello\n", 6, SSL_WRITE_FLAG_CONCLUDE, &written)
+ || written != 6) {
+ fprintf(stderr, "couldn't write on connection\n");
+ ERR_print_errors_fp(stderr);
+ return 0;
+ }
+
+ /* Shut down the connection (blocking). */
+ if (SSL_shutdown(conn) != 1) {
+ ERR_print_errors_fp(stderr);
+ return 0;
+ }
+
+ fprintf(stderr, "=> Finished with connection\n");
+ return 1;
+}
+
+/* Main loop for server to accept QUIC connections. */
+static int run_quic_server(SSL_CTX *ctx, int fd)
+{
+ int ok = 0;
+ SSL *listener = NULL, *conn = NULL;
+
+ /* Create a new QUIC listener. */
+ if ((listener = SSL_new_listener(ctx, 0)) == NULL)
+ goto err;
+
+ /* Provide the listener with our UDP socket. */
+ if (!SSL_set_fd(listener, fd))
+ goto err;
+
+ /* Begin listening. */
+ if (!SSL_listen(listener))
+ goto err;
+
+ /*
+ * Listeners, and other QUIC objects, default to operating in blocking mode,
+ * so the below call is not actually necessary. The configured behaviour is
+ * inherited by child objects.
+ */
+ SSL_set_blocking_mode(listener, 1);
+
+ for (;;) {
+ /* Blocking wait for an incoming connection, similar to accept(2). */
+ conn = SSL_accept_connection(listener, 0);
+ if (conn == NULL) {
+ fprintf(stderr, "error while accepting connection\n");
+ goto err;
+ }
+
+ /*
+ * Optionally, we could disable blocking mode on the accepted connection
+ * here by calling SSL_set_blocking_mode().
+ */
+
+ /*
+ * Service the connection. In a real application this would be done
+ * concurrently. In this demonstration program a single connection is
+ * accepted and serviced at a time.
+ */
+ if (!run_quic_conn(conn)) {
+ SSL_free(conn);
+ goto err;
+ }
+
+ /* Free the connection, then loop again, accepting another connection. */
+ SSL_free(conn);
+ }
+
+ ok = 1;
+err:
+ if (!ok)
+ ERR_print_errors_fp(stderr);
+
+ SSL_free(listener);
+ return ok;
+}
+
+int main(int argc, char **argv)
+{
+ int rc = 1;
+ SSL_CTX *ctx = NULL;
+ int fd = -1;
+ unsigned long port;
+
+ if (argc < 4) {
+ fprintf(stderr, "usage: %s <port> <server.crt> <server.key>\n", argv[0]);
+ goto err;
+ }
+
+ /* Create SSL_CTX. */
+ if ((ctx = create_ctx(argv[2], argv[3])) == NULL)
+ goto err;
+
+ /* Parse port number from command line arguments. */
+ port = strtoul(argv[1], NULL, 0);
+ if (port == 0 || port > UINT16_MAX) {
+ fprintf(stderr, "invalid port: %lu\n", port);
+ goto err;
+ }
+
+ /* Create UDP socket. */
+ if ((fd = create_socket((uint16_t)port)) < 0)
+ goto err;
+
+ /* Enter QUIC server connection acceptance loop. */
+ if (!run_quic_server(ctx, fd))
+ goto err;
+
+ rc = 0;
+err:
+ if (rc != 0)
+ ERR_print_errors_fp(stderr);
+
+ SSL_CTX_free(ctx);
+
+ if (fd != -1)
+ BIO_closesocket(fd);
+
+ return rc;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-09 20:25:43 +0000