static int
openssl_iostream_set(struct ssl_iostream *ssl_io,
const struct ssl_iostream_settings *set,
const char **error_r)
{
const struct ssl_iostream_settings *ctx_set = ssl_io->ctx->set;
int verify_flags;
if (set->verbose)
SSL_set_info_callback(ssl_io->ssl, openssl_info_callback);
if (set->cipher_list != NULL &&
strcmp(ctx_set->cipher_list, set->cipher_list) != 0) {
if (!SSL_set_cipher_list(ssl_io->ssl, set->cipher_list)) {
*error_r = t_strdup_printf(
"Can't set cipher list to '%s': %s",
set->cipher_list, openssl_iostream_error());
return -1;
}
}
if (set->protocols != NULL) {
SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
SSL_set_options(ssl_io->ssl,
openssl_get_protocol_options(set->protocols));
}
if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
if (openssl_iostream_use_certificate(ssl_io, set->cert, error_r) < 0)
return -1;
}
if (set->key != NULL && strcmp(ctx_set->key, set->key) != 0) {
if (openssl_iostream_use_key(ssl_io, set, error_r) < 0)
return -1;
}
if (set->verify_remote_cert) {
if (ssl_io->ctx->client_ctx)
verify_flags = SSL_VERIFY_NONE;
else
verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
SSL_set_verify(ssl_io->ssl, verify_flags,
openssl_iostream_verify_client_cert);
}
if (set->cert_username_field != NULL) {
ssl_io->username_nid = OBJ_txt2nid(set->cert_username_field);
if (ssl_io->username_nid == NID_undef) {
*error_r = t_strdup_printf(
"Invalid cert_username_field: %s",
set->cert_username_field);
return -1;
}
} else {
ssl_io->username_nid = ssl_io->ctx->username_nid;
}
ssl_io->verbose = set->verbose;
ssl_io->verbose_invalid_cert = set->verbose_invalid_cert || set->verbose;
ssl_io->require_valid_cert = set->require_valid_cert;
return 0;
}
/* Select the appropriate server CTX.
* Returns SSL_TLSEXT_ERR_OK if a match was found.
* If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch.
* Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch.
* An empty SNI extension also returns SSL_TSLEXT_ERR_NOACK.
*/
static int select_server_ctx(SSL *s, void *arg, int ignore)
{
const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
HANDSHAKE_EX_DATA *ex_data =
(HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx));
if (servername == NULL) {
ex_data->servername = SSL_TEST_SERVERNAME_SERVER1;
return SSL_TLSEXT_ERR_NOACK;
}
if (strcmp(servername, "server2") == 0) {
SSL_CTX *new_ctx = (SSL_CTX*)arg;
SSL_set_SSL_CTX(s, new_ctx);
/*
* Copy over all the SSL_CTX options - reasonable behavior
* allows testing of cases where the options between two
* contexts differ/conflict
*/
SSL_clear_options(s, 0xFFFFFFFFL);
SSL_set_options(s, SSL_CTX_get_options(new_ctx));
ex_data->servername = SSL_TEST_SERVERNAME_SERVER2;
return SSL_TLSEXT_ERR_OK;
} else if (strcmp(servername, "server1") == 0) {
ex_data->servername = SSL_TEST_SERVERNAME_SERVER1;
return SSL_TLSEXT_ERR_OK;
} else if (ignore) {
ex_data->servername = SSL_TEST_SERVERNAME_SERVER1;
return SSL_TLSEXT_ERR_NOACK;
} else {
/* Don't set an explicit alert, to test library defaults. */
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
}
/* OpenSSL < 0.9.8m does not have SSL_clear_options() */
long HsOpenSSL_SSL_clear_options(SSL* ssl, long options) {
#if defined(SSL_clear_options)
return SSL_clear_options(ssl, options);
#else
long tmp = SSL_get_options(ssl);
return SSL_set_options(ssl, tmp & ~options);
#endif
}
int main(int argc, char *argv[])
{
BIO *err;
int testresult = 0;
int currtest = 0;
SSL_library_init();
SSL_load_error_strings();
err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
confctx = SSL_CONF_CTX_new();
ctx = SSL_CTX_new(SSLv23_method());
ssl = SSL_new(ctx);
if (confctx == NULL || ctx == NULL)
goto end;
SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
| SSL_CONF_FLAG_CLIENT
| SSL_CONF_FLAG_SERVER);
/*
* For each test set up an SSL_CTX and SSL and see whether SSLv2 is enabled
* as expected after various SSL_CONF_cmd("Protocol", ...) calls.
*/
for (currtest = 0; currtest < TOTAL_NUM_TESTS; currtest++) {
BIO_printf(err, "SSLv2 CONF Test number %d\n", currtest);
if (currtest == TEST_SSL_CTX)
SSL_CONF_CTX_set_ssl_ctx(confctx, ctx);
else
SSL_CONF_CTX_set_ssl(confctx, ssl);
/* SSLv2 should be off by default */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off by default test FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "ALL") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Should still be off even after ALL Protocols on */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #1 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Should still be off even if explicitly asked for */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #2 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "-SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");;
goto end;
}
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #3 FAIL\n");
goto end;
}
if (currtest == TEST_SSL_CTX)
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
else
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
if (!checksslv2(currtest, SSLV2ON)) {
BIO_printf(err, "SSLv2 CONF Test: On after clear FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "ALL") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Option has been cleared and config says have SSLv2 so should be on */
if (!checksslv2(currtest, SSLV2ON)) {
BIO_printf(err, "SSLv2 CONF Test: On after config #1 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Option has been cleared and config says have SSLv2 so should be on */
if (!checksslv2(currtest, SSLV2ON)) {
BIO_printf(err, "SSLv2 CONF Test: On after config #2 FAIL\n");
goto end;
}
if (SSL_CONF_cmd(confctx, "Protocol", "-SSLv2") != 2
|| !SSL_CONF_CTX_finish(confctx)) {
BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");
goto end;
}
/* Option has been cleared but config says no SSLv2 so should be off */
if (!checksslv2(currtest, SSLV2OFF)) {
BIO_printf(err, "SSLv2 CONF Test: Off after config #4 FAIL\n");
goto end;
}
}
testresult = 1;
end:
SSL_free(ssl);
SSL_CTX_free(ctx);
SSL_CONF_CTX_free(confctx);
if (!testresult) {
printf("SSLv2 CONF test: FAILED (Test %d)\n", currtest);
ERR_print_errors(err);
} else {
printf("SSLv2 CONF test: PASSED\n");
}
ERR_free_strings();
ERR_remove_thread_state(NULL);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(err);
BIO_free(err);
return testresult ? EXIT_SUCCESS : EXIT_FAILURE;
}
static int ssl_servername_cb(SSL *cnx, int *al, void *arg)
{
CertResult result;
const char *sni_name;
(void) al;
(void) arg;
if ((sni_name = SSL_get_servername(cnx, TLSEXT_NAMETYPE_host_name))
== NULL || *sni_name == 0 || validate_sni_name(sni_name) != 0) {
return SSL_TLSEXT_ERR_NOACK;
}
logfile(LOG_INFO, "SNI: [%s]", sni_name);
if (chrooted != 0 || loggedin != 0) {
return SSL_TLSEXT_ERR_NOACK;
}
if (use_extcert == 0) {
return SSL_TLSEXT_ERR_OK;
}
memset(&result, 0, sizeof result);
tls_extcert_get(&result, sni_name);
if (result.cert_ok != 1) {
die(400, LOG_ERR, "Cert handler not ready");
}
if (result.action == CERT_ACTION_DENY) {
die(400, LOG_INFO, MSG_LOGOUT);
}
if (result.action == CERT_ACTION_DEFAULT) {
return SSL_TLSEXT_ERR_OK;
}
if (result.cert_file == NULL) {
if (result.action == CERT_ACTION_STRICT) {
die(400, LOG_ERR, "Missing certificate");
} else {
return SSL_TLSEXT_ERR_OK;
}
}
if (result.key_file == NULL) {
result.key_file = result.cert_file;
}
SSL_CTX_free(tls_ctx);
tls_ctx = NULL;
if (tls_create_new_context(result.cert_file, result.key_file) != 0) {
if (result.action != CERT_ACTION_FALLBACK) {
die(400, LOG_ERR, "Invalid certificate");
}
if (tls_create_new_context(cert_file, key_file) != 0) {
die(400, LOG_ERR, "SSL error");
}
}
if ((client_sni_name = strdup(sni_name)) == NULL) {
die_mem();
}
if (tls_cnx != NULL) {
const long ctx_options = SSL_CTX_get_options(tls_ctx);
SSL_set_SSL_CTX(tls_cnx, tls_ctx);
# ifdef SSL_CTRL_CLEAR_OPTIONS
SSL_clear_options(tls_cnx,
SSL_get_options(tls_cnx) & ~ctx_options);
# endif
SSL_set_options(tls_cnx, ctx_options);
}
if (tls_data_cnx != NULL) {
const long ctx_options = SSL_CTX_get_options(tls_ctx);
SSL_set_SSL_CTX(tls_data_cnx, tls_ctx);
# ifdef SSL_CTRL_CLEAR_OPTIONS
SSL_clear_options(tls_data_cnx,
SSL_get_options(tls_cnx) & ~ctx_options);
# endif
SSL_set_options(tls_data_cnx, ctx_options);
}
return SSL_TLSEXT_ERR_OK;
}
