lcb_error_t
lcbio_ssl_apply(lcbio_SOCKET *sock, lcbio_pSSLCTX sctx)
{
lcbio_pTABLE old_iot = sock->io, new_iot;
lcbio_PROTOCTX *sproto;
if (old_iot->model == LCB_IOMODEL_EVENT) {
new_iot = lcbio_Essl_new(old_iot, sock->u.fd, sctx->ctx);
} else {
new_iot = lcbio_Cssl_new(old_iot, sock->u.sd, sctx->ctx);
}
if (new_iot) {
sproto = calloc(1, sizeof(*sproto));
sproto->id = LCBIO_PROTOCTX_SSL;
sproto->dtor = noop_dtor;
lcbio_protoctx_add(sock, sproto);
lcbio_table_unref(old_iot);
sock->io = new_iot;
/* just for logging */
SSL_set_app_data(((lcbio_XSSL *)new_iot)->ssl, sock);
return LCB_SUCCESS;
} else {
return LCB_ERROR;
}
}
SpiceOpenSSLVerify* spice_openssl_verify_new(SSL *ssl, SPICE_SSL_VERIFY_OP verifyop,
const char *hostname,
const char *pubkey, size_t pubkey_size,
const char *subject)
{
SpiceOpenSSLVerify *v;
if (!verifyop)
return NULL;
v = spice_new0(SpiceOpenSSLVerify, 1);
v->ssl = ssl;
v->verifyop = verifyop;
v->hostname = spice_strdup(hostname);
v->pubkey = (char*)spice_memdup(pubkey, pubkey_size);
v->pubkey_size = pubkey_size;
v->subject = spice_strdup(subject);
v->all_preverify_ok = 1;
SSL_set_app_data(ssl, v);
SSL_set_verify(ssl,
SSL_VERIFY_PEER, openssl_verify);
return v;
}
/*
* Attempt to negotiate secure session.
*/
PostgresPollingStatusType
pqsecure_open_client(PGconn *conn)
{
#ifdef USE_SSL
/* First time through? */
if (conn->ssl == NULL)
{
if (!(conn->ssl = SSL_new(SSL_context)) ||
!SSL_set_app_data(conn->ssl, conn) ||
!SSL_set_fd(conn->ssl, conn->sock))
{
char *err = SSLerrmessage();
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not establish SSL connection: %s\n"),
err);
SSLerrfree(err);
close_SSL(conn);
return PGRES_POLLING_FAILED;
}
/*
* Initialize errorMessage to empty. This allows open_client_SSL() to
* detect whether client_cert_cb() has stored a message.
*/
resetPQExpBuffer(&conn->errorMessage);
}
/* Begin or continue the actual handshake */
return open_client_SSL(conn);
#else
/* shouldn't get here */
return PGRES_POLLING_FAILED;
#endif
}
void *ma_tls_init(MYSQL *mysql)
{
SSL *ssl= NULL;
#ifdef HAVE_TLS_SESSION_CACHE
MA_SSL_SESSION *session= ma_tls_get_session(mysql);
#endif
pthread_mutex_lock(&LOCK_openssl_config);
if (ma_tls_set_certs(mysql))
{
goto error;
}
if (!(ssl= SSL_new(SSL_context)))
goto error;
if (!SSL_set_app_data(ssl, mysql))
goto error;
#ifdef HAVE_TLS_SESSION_CACHE
if (session)
SSL_set_session(ssl, session->session);
#endif
pthread_mutex_unlock(&LOCK_openssl_config);
return (void *)ssl;
error:
pthread_mutex_unlock(&LOCK_openssl_config);
if (ssl)
SSL_free(ssl);
return NULL;
}
/*
allocates a new ssl object
SYNOPSIS
my_ssl_init
mysql connection object
RETURN VALUES
NULL on error
SSL new SSL object
*/
SSL *my_ssl_init(MYSQL *mysql)
{
SSL *ssl= NULL;
DBUG_ENTER("my_ssl_init");
DBUG_ASSERT(mysql->net.vio->ssl == NULL);
if (!my_ssl_initialized)
my_ssl_start(mysql);
pthread_mutex_lock(&LOCK_ssl_config);
if (my_ssl_set_certs(mysql))
goto error;
if (!(ssl= SSL_new(SSL_context)))
goto error;
if (!SSL_set_app_data(ssl, mysql))
goto error;
pthread_mutex_unlock(&LOCK_ssl_config);
DBUG_RETURN(ssl);
error:
pthread_mutex_unlock(&LOCK_ssl_config);
if (ssl)
SSL_free(ssl);
DBUG_RETURN(NULL);
}
void *ma_ssl_init(MYSQL *mysql)
{
int verify;
SSL *ssl= NULL;
pthread_mutex_lock(&LOCK_openssl_config);
if (ma_ssl_set_certs(mysql))
{
goto error;
}
if (!(ssl= SSL_new(SSL_context)))
goto error;
if (!SSL_set_app_data(ssl, mysql))
goto error;
verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ?
SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_CTX_set_verify(SSL_context, verify, my_verify_callback);
SSL_CTX_set_verify_depth(SSL_context, 1);
pthread_mutex_unlock(&LOCK_openssl_config);
return (void *)ssl;
error:
pthread_mutex_unlock(&LOCK_openssl_config);
if (ssl)
SSL_free(ssl);
return NULL;
}
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
int verify_peer, const char *subject_match)
{
if (conn == NULL)
return -1;
free(conn->subject_match);
conn->subject_match = NULL;
if (subject_match) {
conn->subject_match = strdup(subject_match);
if (conn->subject_match == NULL)
return -1;
}
if (verify_peer) {
SSL_set_app_data(conn->ssl, conn);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
} else {
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
}
SSL_set_accept_state(conn->ssl);
return 0;
}
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
VALUE obj;
SSL_CTX* ctx;
SSL* ssl;
ms_conn* conn = engine_alloc(self, &obj);
ID sym_key = rb_intern("key");
VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);
ID sym_cert = rb_intern("cert");
VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
ID sym_ca = rb_intern("ca");
VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
ID sym_verify_mode = rb_intern("verify_mode");
VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
ctx = SSL_CTX_new(SSLv23_server_method());
conn->ctx = ctx;
SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
if (!NIL_P(ca)) {
SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
}
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
DH *dh = get_dh1024();
SSL_CTX_set_tmp_dh(ctx, dh);
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
if (ecdh) {
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
ssl = SSL_new(ctx);
conn->ssl = ssl;
SSL_set_app_data(ssl, NULL);
if (NIL_P(verify_mode)) {
/* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
} else {
SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
}
SSL_set_bio(ssl, conn->read, conn->write);
SSL_set_accept_state(ssl);
return obj;
}
int MaOpenSslSocket::initConnection()
{
BIO *bioSSL, *bioSock;
if (bio) {
return 0;
}
bio = BIO_new(BIO_f_buffer());
if (bio == 0) {
return MPR_ERR_CANT_INITIALIZE;
}
BIO_set_write_buffer_size(bio, 128);
ssl = (SSL*) SSL_new(context);
mprAssert(ssl);
if (ssl == 0) {
return MPR_ERR_CANT_INITIALIZE;
}
SSL_set_app_data(ssl, (void*) this);
SSL_set_session(ssl, 0);
bioSSL = BIO_new(BIO_f_ssl());
mprAssert(bioSSL);
bioSock = BIO_new_socket(sock, BIO_NOCLOSE);
mprAssert(bioSock);
SSL_set_bio(ssl, bioSock, bioSock);
SSL_set_accept_state(ssl);
BIO_set_ssl(bioSSL, ssl, BIO_CLOSE);
BIO_push(bio, bioSSL);
return 0;
}
static void int_ssl_check(SSL *s, int ret)
{
int e = SSL_get_error(s, ret);
switch(e) {
/* These seem to be harmless and already "dealt with" by our
* non-blocking environment. NB: "ZERO_RETURN" is the clean
* "error" indicating a successfully closed SSL tunnel. We let
* this happen because our IO loop should not appear to have
* broken on this condition - and outside the IO loop, the
* "shutdown" state is checked. */
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_ZERO_RETURN:
return;
/* These seem to be indications of a genuine error that should
* result in the SSL tunnel being regarded as "dead". */
case SSL_ERROR_SYSCALL:
case SSL_ERROR_SSL:
SSL_set_app_data(s, (char *)1);
return;
default:
break;
}
/* For any other errors that (a) exist, and (b) crop up - we need to
* interpret what to do with them - so "politely inform" the caller that
* the code needs updating here. */
abort();
}
/*
allocates a new ssl object
SYNOPSIS
my_ssl_init
mysql connection object
RETURN VALUES
NULL on error
SSL new SSL object
*/
SSL *my_ssl_init(MYSQL *mysql)
{
int verify;
SSL *ssl= NULL;
DBUG_ENTER("my_ssl_init");
DBUG_ASSERT(mysql->net.vio->ssl == NULL);
if (!my_ssl_initialized)
my_ssl_start(mysql);
if (!(ssl= SSL_new(SSL_context)))
goto error;
if (!SSL_set_app_data(ssl, mysql))
goto error;
if (my_ssl_set_certs(ssl))
goto error;
verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ?
SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_set_verify(ssl, verify, my_verify_callback);
SSL_set_verify_depth(ssl, 1);
DBUG_RETURN(ssl);
error:
if (ssl)
SSL_free(ssl);
DBUG_RETURN(NULL);
}
static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
X509* err_cert;
SSL* ssl;
int bytes;
unsigned char* buf = NULL;
if(!preverify_ok) {
err_cert = X509_STORE_CTX_get_current_cert(ctx);
if(err_cert) {
/*
* Save the failed certificate for inspection/logging.
*/
bytes = i2d_X509(err_cert, &buf);
if(bytes > 0) {
ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf));
cert_buf->buf = buf;
cert_buf->bytes = bytes;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
SSL_set_app_data(ssl, cert_buf);
}
}
}
return preverify_ok;
}
tnet_dtls_socket_handle_t* tnet_dtls_socket_create(struct tnet_socket_s* wrapped_sock, struct ssl_ctx_st* ssl_ctx)
{
#if !HAVE_OPENSSL || !HAVE_OPENSSL_DTLS
TSK_DEBUG_ERROR("OpenSSL or DTLS not enabled");
return tsk_null;
#else
tnet_dtls_socket_t* socket;
if (!wrapped_sock || !ssl_ctx){
TSK_DEBUG_ERROR("Invalid parameter");
return tsk_null;
}
if ((socket = tsk_object_new(tnet_dtls_socket_def_t))) {
const tsk_bool_t set_mtu = TNET_SOCKET_TYPE_IS_DGRAM(wrapped_sock->type) || 1; //!\ This is required even if the local transport is TCP/TLS because the relayed (TURN) transport could be UDP
socket->wrapped_sock = tsk_object_ref(wrapped_sock);
if (!(socket->ssl = SSL_new(ssl_ctx))) {
TSK_DEBUG_ERROR("SSL_new(CTX) failed [%s]", ERR_error_string(ERR_get_error(), tsk_null));
TSK_OBJECT_SAFE_FREE(socket);
return tsk_null;
}
if (set_mtu) {
SSL_set_options(socket->ssl, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(socket->ssl, TNET_DTLS_MTU - 28);
socket->ssl->d1->mtu = TNET_DTLS_MTU - 28;
}
if (!(socket->rbio = BIO_new(BIO_s_mem())) || !(socket->wbio = BIO_new(BIO_s_mem()))){
TSK_DEBUG_ERROR("BIO_new_socket(%d) failed [%s]", socket->wrapped_sock->fd, ERR_error_string(ERR_get_error(), tsk_null));
if (socket->rbio){
BIO_free(socket->rbio);
}
if (socket->wbio){
BIO_free(socket->wbio);
}
TSK_OBJECT_SAFE_FREE(socket);
return tsk_null;
}
BIO_set_mem_eof_return(socket->rbio, -1);
BIO_set_mem_eof_return(socket->wbio, -1);
SSL_set_bio(socket->ssl, socket->rbio, socket->wbio);
SSL_set_mode(socket->ssl, SSL_MODE_AUTO_RETRY);
SSL_set_read_ahead(socket->ssl, 1);
if (set_mtu) {
BIO_ctrl(SSL_get_wbio(socket->ssl), BIO_CTRL_DGRAM_SET_MTU, TNET_DTLS_MTU - 28, NULL);
}
if ((socket->verify_peer = (SSL_CTX_get_verify_mode(ssl_ctx) != SSL_VERIFY_NONE))){
TSK_DEBUG_INFO("SSL cert verify: ON");
socket->verify_peer = tsk_true;
SSL_set_verify(socket->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), _tnet_dtls_verify_cert);
}
else {
TSK_DEBUG_ERROR("Verity not enabled");
}
SSL_set_app_data(socket->ssl, socket);
}
return socket;
#endif
}
connection *connection_accepted(server *srv, server_socket *srv_socket, sock_addr *cnt_addr, int cnt) {
connection *con;
srv->cur_fds++;
/* ok, we have the connection, register it */
#if 0
log_error_write(srv, __FILE__, __LINE__, "sd",
"appected()", cnt);
#endif
srv->con_opened++;
con = connections_get_new_connection(srv);
con->fd = cnt;
con->fde_ndx = -1;
fdevent_register(srv->ev, con->fd, connection_handle_fdevent, con);
connection_set_state(srv, con, CON_STATE_REQUEST_START);
con->connection_start = srv->cur_ts;
con->dst_addr = *cnt_addr;
buffer_copy_string(con->dst_addr_buf, inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
con->srv_socket = srv_socket;
if (-1 == fdevent_fcntl_set_nb_cloexec_sock(srv->ev, con->fd)) {
log_error_write(srv, __FILE__, __LINE__, "ss", "fcntl failed: ", strerror(errno));
connection_close(srv, con);
return NULL;
}
#ifdef USE_OPENSSL
/* connect FD to SSL */
if (srv_socket->is_ssl) {
if (NULL == (con->ssl = SSL_new(srv_socket->ssl_ctx))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
connection_close(srv, con);
return NULL;
}
con->renegotiations = 0;
SSL_set_app_data(con->ssl, con);
SSL_set_accept_state(con->ssl);
if (1 != (SSL_set_fd(con->ssl, cnt))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
connection_close(srv, con);
return NULL;
}
}
#endif
return con;
}
static serf_ssl_context_t *ssl_init_context(void)
{
serf_ssl_context_t *ssl_ctx;
apr_pool_t *pool;
serf_bucket_alloc_t *allocator;
init_ssl_libraries();
apr_pool_create(&pool, NULL);
allocator = serf_bucket_allocator_create(pool, NULL, NULL);
ssl_ctx = serf_bucket_mem_alloc(allocator, sizeof(*ssl_ctx));
ssl_ctx->refcount = 0;
ssl_ctx->pool = pool;
ssl_ctx->allocator = allocator;
ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert);
ssl_ctx->cached_cert = 0;
ssl_ctx->cached_cert_pw = 0;
ssl_ctx->pending_err = APR_SUCCESS;
SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER,
validate_server_certificate);
SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL);
ssl_ctx->ssl = SSL_new(ssl_ctx->ctx);
ssl_ctx->bio = BIO_new(&bio_bucket_method);
ssl_ctx->bio->ptr = ssl_ctx;
SSL_set_bio(ssl_ctx->ssl, ssl_ctx->bio, ssl_ctx->bio);
SSL_set_connect_state(ssl_ctx->ssl);
SSL_set_app_data(ssl_ctx->ssl, ssl_ctx);
ssl_ctx->encrypt.stream = NULL;
ssl_ctx->encrypt.stream_next = NULL;
ssl_ctx->encrypt.pending = serf_bucket_aggregate_create(allocator);
ssl_ctx->encrypt.status = APR_SUCCESS;
serf_databuf_init(&ssl_ctx->encrypt.databuf);
ssl_ctx->encrypt.databuf.read = ssl_encrypt;
ssl_ctx->encrypt.databuf.read_baton = ssl_ctx;
ssl_ctx->decrypt.stream = NULL;
ssl_ctx->decrypt.pending = serf_bucket_aggregate_create(allocator);
ssl_ctx->decrypt.status = APR_SUCCESS;
serf_databuf_init(&ssl_ctx->decrypt.databuf);
ssl_ctx->decrypt.databuf.read = ssl_decrypt;
ssl_ctx->decrypt.databuf.read_baton = ssl_ctx;
return ssl_ctx;
}
BOOL transport_connect_tls(rdpTransport* transport)
{
int tlsStatus;
rdpTls* tls = NULL;
rdpContext* context = transport->context;
rdpSettings* settings = transport->settings;
if (!(tls = tls_new(settings)))
return FALSE;
transport->tls = tls;
if (transport->GatewayEnabled)
transport->layer = TRANSPORT_LAYER_TSG_TLS;
else
transport->layer = TRANSPORT_LAYER_TLS;
tls->hostname = settings->ServerHostname;
tls->port = settings->ServerPort;
if (tls->port == 0)
tls->port = 3389;
tls->isGatewayTransport = FALSE;
tlsStatus = tls_connect(tls, transport->frontBio);
if (tlsStatus < 1)
{
if (tlsStatus < 0)
{
if (!freerdp_get_last_error(context))
freerdp_set_last_error(context, FREERDP_ERROR_TLS_CONNECT_FAILED);
}
else
{
if (!freerdp_get_last_error(context))
freerdp_set_last_error(context, FREERDP_ERROR_CONNECT_CANCELLED);
}
return FALSE;
}
transport->frontBio = tls->bio;
BIO_callback_ctrl(tls->bio, BIO_CTRL_SET_CALLBACK, (bio_info_cb*) transport_ssl_cb);
SSL_set_app_data(tls->ssl, transport);
if (!transport->frontBio)
{
WLog_ERR(TAG, "unable to prepend a filtering TLS bio");
return FALSE;
}
return TRUE;
}
VALUE engine_init_client(VALUE klass) {
VALUE obj;
ms_conn* conn = engine_alloc(klass, &obj);
conn->ctx = SSL_CTX_new(DTLSv1_method());
conn->ssl = SSL_new(conn->ctx);
SSL_set_app_data(conn->ssl, NULL);
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
SSL_set_bio(conn->ssl, conn->read, conn->write);
SSL_set_connect_state(conn->ssl);
return obj;
}
void spice_openssl_verify_free(SpiceOpenSSLVerify* verify)
{
if (!verify)
return;
free(verify->pubkey);
free(verify->subject);
free(verify->hostname);
if (verify->in_subject)
X509_NAME_free(verify->in_subject);
if (verify->ssl)
SSL_set_app_data(verify->ssl, NULL);
free(verify);
}
static int tunala_world_new_item(tunala_world_t * world, int fd,
const char *ip, unsigned short port,
int flipped)
{
tunala_item_t *item;
int newfd;
SSL *new_ssl = NULL;
if (!tunala_world_make_room(world))
return 0;
if ((new_ssl = SSL_new(world->ssl_ctx)) == NULL) {
fprintf(stderr, "Error creating new SSL\n");
ERR_print_errors_fp(stderr);
return 0;
}
item = world->tunnels + (world->tunnels_used++);
state_machine_init(&item->sm);
item->clean_read = item->clean_send =
item->dirty_read = item->dirty_send = -1;
if ((newfd = ip_create_connection_split(ip, port)) == -1)
goto err;
/*
* Which way round? If we're a server, "fd" is the dirty side and the
* connection we open is the clean one. For a client, it's the other way
* around. Unless, of course, we're "flipped" in which case everything
* gets reversed. :-)
*/
if ((world->server_mode && !flipped) || (!world->server_mode && flipped)) {
item->dirty_read = item->dirty_send = fd;
item->clean_read = item->clean_send = newfd;
} else {
item->clean_read = item->clean_send = fd;
item->dirty_read = item->dirty_send = newfd;
}
/*
* We use the SSL's "app_data" to indicate a call-back induced "kill"
*/
SSL_set_app_data(new_ssl, NULL);
if (!state_machine_set_SSL(&item->sm, new_ssl, world->server_mode))
goto err;
return 1;
err:
tunala_world_del_item(world, world->tunnels_used - 1);
return 0;
}
openssl_con *
openssl_connect_fd(openssl_env *env, int fd, int timeout) {
openssl_con *c = (openssl_con *)calloc(1, sizeof(*c));
if (!c) return 0;
c->env = env;
#ifdef HAVE_OPENSSL
c->con = (SSL *)SSL_new(env->ctx);
#elif HAVE_MATRIXSSL
c->con = (SSL *)SSL_new(env->keys, 0);
#endif
c->sock = fd;
c->timeout = timeout;
SSL_set_fd(c->con, c->sock);
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL_ENGINE
SSL_set_app_data(c->con, c);
#endif
SSL_set_connect_state(c->con);
if (SSL_connect(c->con) < 0) {
char is_error = 0;
#if(_debug_)
unsigned long error;
while ((error = ERR_get_error())) {
syslog(LOG_DEBUG, "%s(%d): TLS: %s", __FUNCTION__, __LINE__, ERR_error_string(error, NULL));
is_error = 1;
}
#endif
if (is_error) {
openssl_free(c);
return 0;
}
}
#elif HAVE_MATRIXSSL
if (!SSL_connect(c->con, certValidator, c)) {
syslog(LOG_ERR, "%s: openssl_connect_fd", strerror(errno));
openssl_free(c);
return 0;
}
#endif
return c;
}
int
tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
{
struct tls *conn_ctx = *cctx;
int ret, err;
if ((ctx->flags & TLS_SERVER) == 0) {
tls_set_error(ctx, "not a server context");
goto err;
}
if (conn_ctx == NULL) {
if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
tls_set_error(ctx, "connection context failure");
goto err;
}
*cctx = conn_ctx;
if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
tls_set_error(ctx, "ssl failure");
goto err;
}
if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
tls_set_error(ctx, "ssl set fd failure");
goto err;
}
SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx);
}
if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
err = tls_ssl_error(ctx, conn_ctx->ssl_conn, ret, "accept");
if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
return (err);
}
goto err;
}
return (0);
err:
return (-1);
}
int ne_sock_use_ssl_os(ne_socket *sock, SSL_CTX *ctx,
SSL_SESSION *sess, SSL **ssl,
void *appdata)
{
int ret;
if (!prng_seeded && RAND_status() != 1) {
set_error(sock, _("SSL disabled due to lack of entropy"));
return NE_SOCK_ERROR;
}
sock->ssl = SSL_new(ctx);
if (!sock->ssl) {
set_error(sock, _("Could not create SSL structure"));
return NE_SOCK_ERROR;
}
if (appdata) {
SSL_set_app_data(sock->ssl, appdata);
}
sock->ops = &iofns_ossl;
SSL_set_mode(sock->ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(sock->ssl, sock->fd);
if (sess)
SSL_set_session(sock->ssl, sess);
ret = SSL_connect(sock->ssl);
if (ret != 1) {
error_ossl(sock, ret);
SSL_free(sock->ssl);
sock->ssl = NULL;
return NE_SOCK_ERROR;
}
if (ssl)
*ssl = sock->ssl;
return 0;
}
PUBLIC int sslUpgrade(Webs *wp)
{
WebsSocket *sptr;
BIO *bio;
assert(wp);
sptr = socketPtr(wp->sid);
if ((wp->ssl = SSL_new(sslctx)) == 0) {
return -1;
}
if ((bio = BIO_new_socket(sptr->sock, BIO_NOCLOSE)) == 0) {
return -1;
}
SSL_set_bio(wp->ssl, bio, bio);
SSL_set_accept_state(wp->ssl);
SSL_set_app_data(wp->ssl, (void*) wp);
return 0;
}
/*
* Begin or continue negotiating a secure session.
*/
PostgresPollingStatusType
pqsecure_open_client(PGconn *conn)
{
#ifdef USE_SSL
/* First time through? */
if (conn->ssl == NULL)
{
/* We cannot use MSG_NOSIGNAL to block SIGPIPE when using SSL */
conn->sigpipe_flag = false;
/* Create a connection-specific SSL object */
if (!(conn->ssl = SSL_new(SSL_context)) ||
!SSL_set_app_data(conn->ssl, conn) ||
!SSL_set_fd(conn->ssl, conn->sock))
{
char *err = SSLerrmessage();
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not establish SSL connection: %s\n"),
err);
SSLerrfree(err);
close_SSL(conn);
return PGRES_POLLING_FAILED;
}
/*
* Load client certificate, private key, and trusted CA certs.
*/
if (initialize_SSL(conn) != 0)
{
/* initialize_SSL already put a message in conn->errorMessage */
close_SSL(conn);
return PGRES_POLLING_FAILED;
}
}
/* Begin or continue the actual handshake */
return open_client_SSL(conn);
#else
/* shouldn't get here */
return PGRES_POLLING_FAILED;
#endif
}
int
tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
{
struct tls *conn_ctx = NULL;
if ((ctx->flags & TLS_SERVER) == 0) {
tls_set_errorx(ctx, "not a server context");
goto err;
}
if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
tls_set_errorx(ctx, "connection context failure");
goto err;
}
if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
tls_set_errorx(ctx, "ssl failure");
goto err;
}
if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
tls_set_errorx(ctx, "ssl application data failure");
goto err;
}
if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
tls_set_errorx(ctx, "ssl file descriptor failure");
goto err;
}
*cctx = conn_ctx;
return (0);
err:
tls_free(conn_ctx);
*cctx = NULL;
return (-1);
}
void *ma_tls_init(MYSQL *mysql)
{
int verify;
SSL *ssl= NULL;
#ifdef HAVE_TLS_SESSION_CACHE
MA_SSL_SESSION *session= ma_tls_get_session(mysql);
#endif
pthread_mutex_lock(&LOCK_openssl_config);
if (ma_tls_set_certs(mysql))
{
goto error;
}
if (!(ssl= SSL_new(SSL_context)))
goto error;
if (!SSL_set_app_data(ssl, mysql))
goto error;
#ifdef HAVE_TLS_SESSION_CACHE
if (session)
SSL_set_session(ssl, session->session);
#endif
verify= (!mysql->options.ssl_ca && !mysql->options.ssl_capath) ?
SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_CTX_set_verify(SSL_context, verify, my_verify_callback);
SSL_CTX_set_verify_depth(SSL_context, 1);
pthread_mutex_unlock(&LOCK_openssl_config);
return (void *)ssl;
error:
pthread_mutex_unlock(&LOCK_openssl_config);
if (ssl)
SSL_free(ssl);
return NULL;
}
/*
Upgrade a socket to use SSL
*/
PUBLIC int sslUpgrade(Webs *wp)
{
WebsSocket *sptr;
BIO *bio;
assert(wp);
sptr = socketPtr(wp->sid);
if ((wp->ssl = SSL_new(sslctx)) == 0) {
return -1;
}
/*
Create a socket bio. We don't use the BIO except as storage for the fd.
*/
if ((bio = BIO_new_socket((int) sptr->sock, BIO_NOCLOSE)) == 0) {
return -1;
}
SSL_set_bio(wp->ssl, bio, bio);
SSL_set_accept_state(wp->ssl);
SSL_set_app_data(wp->ssl, (void*) wp);
return 0;
}
static int
_evhtp_connection_accept(evbase_t * evbase, evhtp_connection_t * connection) {
if (connection->htp->ssl_ctx != NULL) {
connection->ssl = SSL_new(connection->htp->ssl_ctx);
connection->bev = bufferevent_openssl_socket_new(evbase,
connection->sock, connection->ssl,
BUFFEREVENT_SSL_ACCEPTING,
BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS);
SSL_set_app_data(connection->ssl, connection);
goto end;
}
//创建一个socket-based bufferevent
connection->bev = bufferevent_socket_new(evbase, connection->sock,
BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS);
end:
bufferevent_set_timeouts(connection->bev,
connection->htp->recv_timeo,
connection->htp->send_timeo);
connection->resume_ev = event_new(evbase, -1, EV_READ | EV_PERSIST,
_evhtp_connection_resumecb, connection);
event_add(connection->resume_ev, NULL);
bufferevent_enable(connection->bev, EV_READ);
bufferevent_setcb(connection->bev,
_evhtp_connection_readcb,
_evhtp_connection_writecb,
_evhtp_connection_eventcb,
connection);
return 0;
} /* _evhtp_connection_accept */
int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn,
const char *ca_cert, const char *subject_match)
{
if (conn == NULL)
return -1;
free(conn->subject_match);
conn->subject_match = NULL;
if (subject_match) {
conn->subject_match = strdup(subject_match);
if (conn->subject_match == NULL)
return -1;
}
if (ca_cert) {
if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
{
wpa_printf(MSG_WARNING, "TLS: Failed to load root "
"certificates: %s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
} else {
wpa_printf(MSG_DEBUG, "TLS: Trusted root "
"certificate(s) loaded");
tls_get_errors(ssl_ctx);
}
SSL_set_app_data(conn->ssl, conn);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
} else {
/* No ca_cert configured - do not try to verify server
* certificate */
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
}
return 0;
}
int ssl_init_ssl_connection(conn_rec *c)
{
SSLSrvConfigRec *sc;
SSL *ssl;
SSLConnRec *sslconn = myConnConfig(c);
char *vhost_md5;
modssl_ctx_t *mctx;
server_rec *server;
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
server = sslconn->server;
sc = mySrvConfig(server);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to create a new SSL connection from the SSL "
"context");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
sc->vhost_id_len);
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
APR_MD5_DIGESTSIZE*2))
{
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to set session id context to `%s'", vhost_md5);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
SSL_set_app_data2(ssl, NULL); /* will be request_rec */
sslconn->ssl = ssl;
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
SSL_set_verify_result(ssl, X509_V_OK);
ssl_io_filter_init(c, ssl);
return APR_SUCCESS;
}
