1
/*
2
 *  Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 *  Licensed under the Apache License 2.0 (the "License").  You may not use
5
 *  this file except in compliance with the License.  You can obtain a copy
6
 *  in the file LICENSE in the source distribution or at
7
 *  https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * NB: Changes to this file should also be reflected in
12
 * doc/man7/ossl-guide-quic-server-non-block.pod
13
 */
14

15
#include <string.h>
16

17
/* Include the appropriate header file for SOCK_STREAM */
18
#ifdef _WIN32 /* Windows */
19
# include <stdarg.h>
20
# include <winsock2.h>
21
#else /* Linux/Unix */
22
# include <err.h>
23
# include <sys/socket.h>
24
# include <sys/select.h>
25
# include <netinet/in.h>
26
# include <unistd.h>
27
#endif
28

29
#include <openssl/bio.h>
30
#include <openssl/ssl.h>
31
#include <openssl/err.h>
32
#include <openssl/quic.h>
33

34
#ifdef _WIN32
35
static const char *progname;
36

37
static void vwarnx(const char *fmt, va_list ap)
38
{
39
    if (progname != NULL)
40
        fprintf(stderr, "%s: ", progname);
41
    vfprintf(stderr, fmt, ap);
42
    putc('\n', stderr);
43
}
44

45
static void errx(int status, const char *fmt, ...)
46
{
47
    va_list ap;
48

49
    va_start(ap, fmt);
50
    vwarnx(fmt, ap);
51
    va_end(ap);
52
    exit(status);
53
}
54

55
static void warnx(const char *fmt, ...)
56
{
57
    va_list ap;
58

59
    va_start(ap, fmt);
60
    vwarnx(fmt, ap);
61
    va_end(ap);
62
}
63
#endif
64

65
/*
66
 * ALPN strings for TLS handshake. Only 'http/1.0' and 'hq-interop'
67
 * are accepted.
68
 */
69
static const unsigned char alpn_ossltest[] = {
70
    8,  'h', 't', 't', 'p', '/', '1', '.', '0',
71
    10, 'h', 'q', '-', 'i', 'n', 't', 'e', 'r', 'o', 'p',
72
};
73

74
/*
75
 * This callback validates and negotiates the desired ALPN on the server side.
76
 */
77
static int select_alpn(SSL *ssl, const unsigned char **out,
78
                       unsigned char *out_len, const unsigned char *in,
79
                       unsigned int in_len, void *arg)
80
{
81
    if (SSL_select_next_proto((unsigned char **)out, out_len, alpn_ossltest,
82
                              sizeof(alpn_ossltest), in,
83
                              in_len) == OPENSSL_NPN_NEGOTIATED)
84
        return SSL_TLSEXT_ERR_OK;
85
    return SSL_TLSEXT_ERR_ALERT_FATAL;
86
}
87

88
/* Create SSL_CTX. */
89
static SSL_CTX *create_ctx(const char *cert_path, const char *key_path)
90
{
91
    SSL_CTX *ctx;
92

93
    /*
94
     * An SSL_CTX holds shared configuration information for multiple
95
     * subsequent per-client connections. We specifically load a QUIC
96
     * server method here.
97
     */
98
    ctx = SSL_CTX_new(OSSL_QUIC_server_method());
99
    if (ctx == NULL)
100
        goto err;
101

102
    /*
103
     * Load the server's certificate *chain* file (PEM format), which includes
104
     * not only the leaf (end-entity) server certificate, but also any
105
     * intermediate issuer-CA certificates.  The leaf certificate must be the
106
     * first certificate in the file.
107
     *
108
     * In advanced use-cases this can be called multiple times, once per public
109
     * key algorithm for which the server has a corresponding certificate.
110
     * However, the corresponding private key (see below) must be loaded first,
111
     * *before* moving on to the next chain file.
112
     *
113
     * The requisite files "chain.pem" and "pkey.pem" can be generated by running
114
     * "make chain" in this directory.  If the server will be executed from some
115
     * other directory, move or copy the files there.
116
     */
117
    if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) <= 0) {
118
        fprintf(stderr, "couldn't load certificate file: %s\n", cert_path);
119
        goto err;
120
    }
121

122
    /*
123
     * Load the corresponding private key, this also checks that the private
124
     * key matches the just loaded end-entity certificate.  It does not check
125
     * whether the certificate chain is valid, the certificates could be
126
     * expired, or may otherwise fail to form a chain that a client can validate.
127
     */
128
    if (SSL_CTX_use_PrivateKey_file(ctx, key_path, SSL_FILETYPE_PEM) <= 0) {
129
        fprintf(stderr, "couldn't load key file: %s\n", key_path);
130
        goto err;
131
    }
132

133
    /*
134
     * Clients rarely employ certificate-based authentication, and so we don't
135
     * require "mutual" TLS authentication (indeed there's no way to know
136
     * whether or how the client authenticated the server, so the term "mutual"
137
     * is potentially misleading).
138
     *
139
     * Since we're not soliciting or processing client certificates, we don't
140
     * need to configure a trusted-certificate store, so no call to
141
     * SSL_CTX_set_default_verify_paths() is needed.  The server's own
142
     * certificate chain is assumed valid.
143
     */
144
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
145

146
    /* Setup ALPN negotiation callback to decide which ALPN is accepted. */
147
    SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL);
148

149
    return ctx;
150

151
err:
152
    SSL_CTX_free(ctx);
153
    return NULL;
154
}
155

156
/* Create UDP socket on the given port. */
157
static int create_socket(uint16_t port)
158
{
159
    int fd;
160
    struct sockaddr_in sa = {0};
161

162
    /* Retrieve the file descriptor for a new UDP socket */
163
    if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
164
        fprintf(stderr, "cannot create socket");
165
        return -1;
166
    }
167

168
    sa.sin_family = AF_INET;
169
    sa.sin_port = htons(port);
170

171
    /* Bind to the new UDP socket on localhost */
172
    if (bind(fd, (const struct sockaddr *)&sa, sizeof(sa)) < 0) {
173
        fprintf(stderr, "cannot bind to %u\n", port);
174
        BIO_closesocket(fd);
175
        return -1;
176
    }
177

178
    /* Set port to nonblocking mode */
179
    if (BIO_socket_nbio(fd, 1) <= 0) {
180
        fprintf(stderr, "Unable to set port to nonblocking mode");
181
        BIO_closesocket(fd);
182
        return -1;
183
    }
184

185
    return fd;
186
}
187

188
/**
189
 * @brief Waits for activity on the SSL socket, either for reading or writing.
190
 *
191
 * This function monitors the underlying file descriptor of the given SSL
192
 * connection to determine when it is ready for reading or writing, or both.
193
 * It uses the select function to wait until the socket is either readable
194
 * or writable, depending on what the SSL connection requires.
195
 *
196
 * @param ssl A pointer to the SSL object representing the connection.
197
 *
198
 * @note This function blocks until there is activity on the socket. In a real
199
 * application, you might want to perform other tasks while waiting, such as
200
 * updating a GUI or handling other connections.
201
 *
202
 * @note This function uses select for simplicity and portability. Depending
203
 * on your application's requirements, you might consider using other
204
 * mechanisms like poll or epoll for handling multiple file descriptors.
205
 */
206
static void wait_for_activity(SSL *ssl)
207
{
208
    int sock, isinfinite;
209
    fd_set read_fd, write_fd;
210
    struct timeval tv;
211
    struct timeval *tvp = NULL;
212

213
    /* Get hold of the underlying file descriptor for the socket */
214
    if ((sock = SSL_get_fd(ssl)) == -1) {
215
        fprintf(stderr, "Unable to get file descriptor");
216
        return;
217
    }
218

219
    /* Initialize the fd_set structure */
220
    FD_ZERO(&read_fd);
221
    FD_ZERO(&write_fd);
222

223
    /*
224
     * Determine if we would like to write to the socket, read from it, or both.
225
     */
226
    if (SSL_net_write_desired(ssl))
227
        FD_SET(sock, &write_fd);
228
    if (SSL_net_read_desired(ssl))
229
        FD_SET(sock, &read_fd);
230

231
    /*
232
     * Find out when OpenSSL would next like to be called, regardless of
233
     * whether the state of the underlying socket has changed or not.
234
     */
235
    if (SSL_get_event_timeout(ssl, &tv, &isinfinite) && !isinfinite)
236
        tvp = &tv;
237

238
    /*
239
     * Wait until the socket is writeable or readable. We use select here
240
     * for the sake of simplicity and portability, but you could equally use
241
     * poll/epoll or similar functions
242
     *
243
     * NOTE: For the purposes of this demonstration code this effectively
244
     * makes this demo block until it has something more useful to do. In a
245
     * real application you probably want to go and do other work here (e.g.
246
     * update a GUI, or service other connections).
247
     *
248
     * Let's say for example that you want to update the progress counter on
249
     * a GUI every 100ms. One way to do that would be to use the timeout in
250
     * the last parameter to "select" below. If the tvp value is greater
251
     * than 100ms then use 100ms instead. Then, when select returns, you
252
     * check if it did so because of activity on the file descriptors or
253
     * because of the timeout. If the 100ms GUI timeout has expired but the
254
     * tvp timeout has not then go and update the GUI and then restart the
255
     * "select" (with updated timeouts).
256
     */
257

258
    select(sock + 1, &read_fd, &write_fd, NULL, tvp);
259
}
260

261
/**
262
 * @brief Handles I/O failures on an SSL connection based on the result code.
263
 *
264
 * This function processes the result of an SSL I/O operation and handles
265
 * different types of errors that may occur during the operation. It takes
266
 * appropriate actions such as retrying the operation, reporting errors, or
267
 * returning specific status codes based on the error type.
268
 *
269
 * @param ssl A pointer to the SSL object representing the connection.
270
 * @param res The result code from the SSL I/O operation.
271
 * @return An integer indicating the outcome:
272
 *         - 1: Temporary failure, the operation should be retried.
273
 *         - 0: EOF, indicating the connection has been closed.
274
 *         - -1: A fatal error occurred or the connection has been reset.
275
 *
276
 * @note This function may block if a temporary failure occurs and
277
 * wait_for_activity() is called.
278
 *
279
 * @note If the failure is due to an SSL verification error, additional
280
 * information will be logged to stderr.
281
 */
282
static int handle_io_failure(SSL *ssl, int res)
283
{
284
    switch (SSL_get_error(ssl, res)) {
285
    case SSL_ERROR_WANT_READ:
286
    case SSL_ERROR_WANT_WRITE:
287
        /* Temporary failure. Wait until we can read/write and try again */
288
        wait_for_activity(ssl);
289
        return 1;
290

291
    case SSL_ERROR_ZERO_RETURN:
292
    case SSL_ERROR_NONE:
293
        /* EOF */
294
        return 0;
295

296
    case SSL_ERROR_SYSCALL:
297
        return -1;
298

299
    case SSL_ERROR_SSL:
300
        /*
301
         * Some stream fatal error occurred. This could be because of a
302
         * stream reset - or some failure occurred on the underlying
303
         * connection.
304
         */
305
        switch (SSL_get_stream_read_state(ssl)) {
306
        case SSL_STREAM_STATE_RESET_REMOTE:
307
            printf("Stream reset occurred\n");
308
            /*
309
             * The stream has been reset but the connection is still
310
             * healthy.
311
             */
312
            break;
313

314
        case SSL_STREAM_STATE_CONN_CLOSED:
315
            printf("Connection closed\n");
316
            /* Connection is already closed. */
317
            break;
318

319
        default:
320
            printf("Unknown stream failure\n");
321
            break;
322
        }
323
        /*
324
         * If the failure is due to a verification error we can get more
325
         * information about it from SSL_get_verify_result().
326
         */
327
        if (SSL_get_verify_result(ssl) != X509_V_OK)
328
            printf("Verify error: %s\n",
329
                   X509_verify_cert_error_string(SSL_get_verify_result(ssl)));
330
        return -1;
331

332
    default:
333
        return -1;
334
    }
335
}
336

337
/*
338
 * Main loop for server to accept QUIC connections.
339
 * Echo every request back to the client.
340
 */
341
static int run_quic_server(SSL_CTX *ctx, int fd)
342
{
343
    int ok = -1;
344
    int ret, eof;
345
    SSL *listener, *conn = NULL;
346
    unsigned char buf[8192];
347
    size_t nread, total_read, total_written;
348

349
    /* Create a new QUIC listener */
350
    if ((listener = SSL_new_listener(ctx, 0)) == NULL)
351
        goto err;
352

353
    /* Provide the listener with our UDP socket. */
354
    if (!SSL_set_fd(listener, fd))
355
        goto err;
356

357
    /*
358
     * Set the listener mode to non-blocking, which is inherited by
359
     * child objects.
360
     */
361
    if (!SSL_set_blocking_mode(listener, 0))
362
        goto err;
363

364
    /*
365
     * Begin listening. Note that is not usually needed as SSL_accept_connection
366
     * will implicitly start listening. It is only needed if a server wishes to
367
     * ensure it has started to accept incoming connections but does not wish to
368
     * actually call SSL_accept_connection yet.
369
     */
370
    if (!SSL_listen(listener))
371
        goto err;
372

373
    /*
374
     * Begin an infinite loop of listening for connections. We will only
375
     * exit this loop if we encounter an error.
376
     */
377
    for (;;) {
378
        eof = 0;
379
        total_read = 0;
380
        total_written = 0;
381

382
        /* Pristine error stack for each new connection */
383
        ERR_clear_error();
384

385
        /* Block while waiting for a client connection */
386
        printf("Waiting for connection\n");
387
        while ((conn = SSL_accept_connection(listener, 0)) == NULL)
388
            wait_for_activity(listener);
389
        printf("Accepted new connection\n");
390

391
        /* Read from client until the client sends a end of stream packet */
392
        while (!eof) {
393
            ret = SSL_read_ex(conn, buf + total_read, sizeof(buf) - total_read,
394
                              &nread);
395
            total_read += nread;
396
            if (total_read >= 8192) {
397
                fprintf(stderr, "Could not fit all data into buffer\n");
398
                goto err;
399
            }
400

401
            switch (handle_io_failure(conn, ret)) {
402
            case 1:
403
                continue; /* Retry */
404
            case 0:
405
                /* Reached end of stream */
406
                if (!SSL_has_pending(conn))
407
                    eof = 1;
408
                break;
409
            default:
410
                fprintf(stderr, "Failed reading remaining data\n");
411
                goto err;
412
            }
413
        }
414

415
        /* Echo client input */
416
        while (!SSL_write_ex2(conn, buf,
417
                              total_read,
418
                              SSL_WRITE_FLAG_CONCLUDE, &total_written)) {
419
            if (handle_io_failure(conn, 0) == 1)
420
                continue;
421
            fprintf(stderr, "Failed to write data\n");
422
            goto err;
423
        }
424

425
        if (total_read != total_written)
426
            fprintf(stderr, "Failed to echo data [read: %lu, written: %lu]\n",
427
                    total_read, total_written);
428

429
        /*
430
         * Shut down the connection. We may need to call this multiple times
431
         * to ensure the connection is shutdown completely.
432
         */
433
        while ((ret = SSL_shutdown(conn)) != 1) {
434
            if (ret < 0 && handle_io_failure(conn, ret) == 1)
435
                continue; /* Retry */
436
        }
437

438
        SSL_free(conn);
439
    }
440

441
    ok = EXIT_SUCCESS;
442
err:
443
    SSL_free(listener);
444
    return ok;
445
}
446

447
/* Minimal QUIC HTTP/1.0 server. */
448
int main(int argc, char *argv[])
449
{
450
    int res = EXIT_FAILURE;
451
    SSL_CTX *ctx = NULL;
452
    int fd;
453
    unsigned long port;
454

455
#ifdef _WIN32
456
    progname = argv[0];
457
#endif
458

459
    if (argc != 4)
460
        errx(res, "usage: %s <port> <server.crt> <server.key>", argv[0]);
461

462
    /* Create SSL_CTX that supports QUIC. */
463
    if ((ctx = create_ctx(argv[2], argv[3])) == NULL) {
464
        ERR_print_errors_fp(stderr);
465
        errx(res, "Failed to create context");
466
    }
467

468
    /* Parse port number from command line arguments. */
469
    port = strtoul(argv[1], NULL, 0);
470
    if (port == 0 || port > UINT16_MAX) {
471
        SSL_CTX_free(ctx);
472
        errx(res, "Failed to parse port number");
473
    }
474

475
    /* Create and bind a UDP socket. */
476
    if ((fd = create_socket((uint16_t)port)) < 0) {
477
        SSL_CTX_free(ctx);
478
        ERR_print_errors_fp(stderr);
479
        errx(res, "Failed to create socket");
480
    }
481

482
    /* QUIC server connection acceptance loop. */
483
    if (run_quic_server(ctx, fd) < 0) {
484
        SSL_CTX_free(ctx);
485
        BIO_closesocket(fd);
486
        ERR_print_errors_fp(stderr);
487
        errx(res, "Error in QUIC server loop");
488
    }
489

490
    /* Free resources. */
491
    SSL_CTX_free(ctx);
492
    BIO_closesocket(fd);
493
    res = EXIT_SUCCESS;
494
    return res;
495
}
496

497