Beispiel #1
0
bool Socket::create(int timeout_sec) {
#if defined(unix) || defined(__unix__) || defined(__unix)
  m_sock = socket(AF_INET,
			SOCK_STREAM,
			0);
#endif
	if (!is_valid())
		return false;


	// TIME_WAIT - argh
	int on = 1;
#if defined(unix) || defined(__unix__) || defined(__unix)
	if (setsockopt(m_sock, SOL_SOCKET, SO_REUSEADDR,
			(const char*) &on, sizeof ( on)) == -1)
		return false;

	struct timeval timeout;
	timeout.tv_sec = timeout_sec;
	timeout.tv_usec = 0;

	if (setsockopt(m_sock, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof (timeout)) < 0)
		return false;

	if (setsockopt(m_sock, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof (timeout)) < 0)
		return false;
#endif
	if (socketType == Socket::TLS1_1) {
		InitializeSSL();
#if defined(__APPLE__)
		sslctx = SSL_CTX_new(TLSv1_1_method());
#elif defined(unix) || defined(__unix__) || defined(__unix)
		sslctx = SSL_CTX_new(TLSv1_1_method());
#endif  
#if defined(unix) || defined(__unix__) || defined(__unix)
    SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
		/*----- Load a client certificate into the SSL_CTX structure -----*/
		if (SSL_CTX_use_certificate_file(sslctx,
      (char*) CLIENT_CERT.c_str(), SSL_FILETYPE_PEM) <= 0
    ) {
			ERR_print_errors_fp(stderr);
			exit(1);
		}
		/*----- Load a private-key into the SSL_CTX structure -----*/
		if (SSL_CTX_use_PrivateKey_file(sslctx, (char*) CLIENT_KEY.c_str(), SSL_FILETYPE_PEM) <= 0) {
			ERR_print_errors_fp(stderr);
			exit(1);
		}
		int CA = SSL_CTX_load_verify_locations(sslctx, (char*) CA_FILE.c_str(), NULL);
		SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL);
		SSL_CTX_set_verify_depth(sslctx, 1);
		cSSL = SSL_new(sslctx);
		int sssfd = SSL_set_fd(cSSL, m_sock);
#endif
	}
	return true;

}
Beispiel #2
0
SSL_CTX* EdSSLContext::buildCtx(int ver)
{
	SSL_CTX *pctx;
	const SSL_METHOD *method;
	switch (ver)
	{
	case SSL_VER_TLSV1:
		method = TLSv1_method();
		break;
	case SSL_VER_TLSV11:
		method = TLSv1_1_method();
		break;
	case SSL_VER_V23:
		method = SSLv23_method();
		break;
	case SSL_VER_V3:
		method = SSLv3_method();
		break;
	case SSL_VER_DTLSV1:
		method = DTLSv1_method();
		break;
	default:
		method = NULL;
		break;
	}
	if (method == NULL)
		return NULL;

	pctx = SSL_CTX_new(method);

	return pctx;
}
Beispiel #3
0
void CTLSConnection::initialize() throw(CTCPConnection::CConnectException)
{
	//Use ONLY TLS 1.1: this is the latest version supported by libssl
	m_TLSContext = SSL_CTX_new(TLSv1_1_method());
	if(m_TLSContext == NULL)
	{
		deallocate();
		throw CConnectException(
			"Failed to create a new SSL/TLS context");
	}

	SSL_CTX_set_options(m_TLSContext,
		SSL_OP_SINGLE_DH_USE | //docs seem to indicate this improves security
		SSL_OP_NO_SSLv2 | //do not use old SSL v2 protocol
		SSL_OP_NO_SSLv3 | //do not use old SSL v3 protocol
		SSL_OP_NO_TLSv1 | //do not use old TLS v1.0 protocol
		SSL_MODE_AUTO_RETRY //send and receive implementations depend on this
		); //TODO

	m_TLSConnection = SSL_new(m_TLSContext);
	if(m_TLSConnection == NULL)
	{
		deallocate();
		throw CConnectException(
			"Failed to create a new SSL/TLS connection structure");
	}

	//TODO:
	if(!SSL_set_fd(m_TLSConnection, getFD()))
	{
		deallocate();
		throw CConnectException(
			"Failed to connect SSL/TLS object to file descriptor");
	}
}
static const SSL_METHOD *tls1_get_method(int ver)
	{
	if (ver == TLS1_1_VERSION)
		return TLSv1_1_method();
	if (ver == TLS1_VERSION)
		return TLSv1_method();
	return NULL;
	}
Beispiel #5
0
extern "C" const SSL_METHOD* CryptoNative_TlsV1_1Method()
{
#if HAVE_TLS_V1_1
    const SSL_METHOD* method = TLSv1_1_method();
    assert(method != nullptr);
    return method;
#else
    return nullptr;
#endif
}
Beispiel #6
0
/**
 * Find the protocol.
 */
static LSEC_SSL_METHOD* str2method(const char *method)
{
  if (!strcmp(method, "sslv23"))  return SSLv23_method();
  if (!strcmp(method, "sslv3"))   return SSLv3_method();
  if (!strcmp(method, "tlsv1"))   return TLSv1_method();
#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
  if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
  if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
#endif
  return NULL;
}
Beispiel #7
0
static const SSL_METHOD *
tls1_get_method(int ver)
{
	if (ver == TLS1_2_VERSION)
		return (TLSv1_2_method());
	if (ver == TLS1_1_VERSION)
		return (TLSv1_1_method());
	if (ver == TLS1_VERSION)
		return (TLSv1_method());
	return (NULL);
}
Beispiel #8
0
// nassl.SSL_CTX.new()
static PyObject* nassl_SSL_CTX_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
	nassl_SSL_CTX_Object *self;
	int sslVersion;
	SSL_CTX *sslCtx;

    self = (nassl_SSL_CTX_Object *)type->tp_alloc(type, 0);
    if (self == NULL)
    	return NULL;

    self->sslCtx = NULL;
    self->pkeyPasswordBuf = NULL;

	if (!PyArg_ParseTuple(args, "I", &sslVersion)) {
		Py_DECREF(self);
    	return NULL;
    }

    switch (sslVersion) {
		case sslv23:
			sslCtx = SSL_CTX_new(SSLv23_method());
			break;
		case sslv2:
			sslCtx = SSL_CTX_new(SSLv2_method());
			break;
		case sslv3:
			sslCtx = SSL_CTX_new(SSLv3_method());
			break;
		case tlsv1:
			sslCtx = SSL_CTX_new(TLSv1_method());
			break;
		case tlsv1_1:
			sslCtx = SSL_CTX_new(TLSv1_1_method());
			break;
		case tlsv1_2:
			sslCtx = SSL_CTX_new(TLSv1_2_method());
			break;
		default:
        	PyErr_SetString(PyExc_ValueError, "Invalid value for ssl version");
        	Py_DECREF(self);
			return NULL;
	}
	if (sslCtx == NULL) {
        raise_OpenSSL_error();
        Py_DECREF(self);
		return NULL;
	}

    // Add the client certificate callback
    SSL_CTX_set_client_cert_cb(sslCtx, client_cert_cb);

    self->sslCtx = sslCtx;
    return (PyObject *)self;
}
static const SSL_METHOD *
ssl23_get_method(int ver)
{
	if (ver == SSL3_VERSION)
		return (SSLv3_method());
	if (ver == TLS1_VERSION)
		return (TLSv1_method());
	if (ver == TLS1_1_VERSION)
		return (TLSv1_1_method());
	if (ver == TLS1_2_VERSION)
		return (TLSv1_2_method());
	return (NULL);
}
Beispiel #10
0
static const SSL_METHOD *swSSL_get_method(int method)
{
    switch (method)
    {
#ifndef OPENSSL_NO_SSL3_METHOD
    case SW_SSLv3_METHOD:
        return SSLv3_method();
    case SW_SSLv3_SERVER_METHOD:
        return SSLv3_server_method();
    case SW_SSLv3_CLIENT_METHOD:
        return SSLv3_client_method();
#endif
    case SW_SSLv23_SERVER_METHOD:
        return SSLv23_server_method();
    case SW_SSLv23_CLIENT_METHOD:
        return SSLv23_client_method();
    case SW_TLSv1_METHOD:
        return TLSv1_method();
    case SW_TLSv1_SERVER_METHOD:
        return TLSv1_server_method();
    case SW_TLSv1_CLIENT_METHOD:
        return TLSv1_client_method();
#ifdef TLS1_1_VERSION
    case SW_TLSv1_1_METHOD:
        return TLSv1_1_method();
    case SW_TLSv1_1_SERVER_METHOD:
        return TLSv1_1_server_method();
    case SW_TLSv1_1_CLIENT_METHOD:
        return TLSv1_1_client_method();
#endif
#ifdef TLS1_2_VERSION
    case SW_TLSv1_2_METHOD:
        return TLSv1_2_method();
    case SW_TLSv1_2_SERVER_METHOD:
        return TLSv1_2_server_method();
    case SW_TLSv1_2_CLIENT_METHOD:
        return TLSv1_2_client_method();
#endif
    case SW_DTLSv1_METHOD:
        return DTLSv1_method();
    case SW_DTLSv1_SERVER_METHOD:
        return DTLSv1_server_method();
    case SW_DTLSv1_CLIENT_METHOD:
        return DTLSv1_client_method();
    case SW_SSLv23_METHOD:
    default:
        return SSLv23_method();
    }
    return SSLv23_method();
}
Beispiel #11
0
static const SSL_METHOD *ssl23_get_method(int ver)
{
#ifndef OPENSSL_NO_SSL3
    if (ver == SSL3_VERSION)
        return (SSLv3_method());
    else
#endif
    if (ver == TLS1_VERSION)
        return (TLSv1_method());
    else if (ver == TLS1_1_VERSION)
        return (TLSv1_1_method());
    else if (ver == TLS1_2_VERSION)
        return (TLSv1_2_method());
    else
        return (NULL);
}
Beispiel #12
0
static const SSL_METHOD *tls1_get_method(int ver)
{
    if (ver == TLS_ANY_VERSION)
        return TLS_method();
    if (ver == TLS1_2_VERSION)
        return TLSv1_2_method();
    if (ver == TLS1_1_VERSION)
        return TLSv1_1_method();
    if (ver == TLS1_VERSION)
        return TLSv1_method();
#ifndef OPENSSL_NO_SSL3
    if (ver == SSL3_VERSION)
        return (SSLv3_method());
    else
#endif
    return NULL;
}
Beispiel #13
0
static const SSL_METHOD* get_ssl_method(const char* tls_version)
{
	if (!tls_version || !*tls_version)
	{
		LOG_ERROR("tls_version is not set.");
		return 0;
	}

	if (!strcmp(tls_version, "1.0"))
	  return TLSv1_method();
	if (!strcmp(tls_version, "1.1"))
	  return TLSv1_1_method();
	if (!strcmp(tls_version, "1.2"))
	  return TLSv1_2_method();

	LOG_ERROR("Unable to recognize tls_version.");
	return 0;
}
Beispiel #14
0
static const SSL_METHOD *swSSL_get_method(int method)
{
    switch (method)
    {
    case SW_SSLv3_METHOD:
        return SSLv3_method();
    case SW_SSLv3_SERVER_METHOD:
        return SSLv3_server_method();
    case SW_SSLv3_CLIENT_METHOD:
        return SSLv3_client_method();
    case SW_SSLv23_SERVER_METHOD:
        return SSLv23_server_method();
    case SW_SSLv23_CLIENT_METHOD:
        return SSLv23_client_method();
    case SW_TLSv1_METHOD:
        return TLSv1_method();
    case SW_TLSv1_SERVER_METHOD:
        return TLSv1_server_method();
    case SW_TLSv1_CLIENT_METHOD:
        return TLSv1_client_method();
    case SW_TLSv1_1_METHOD:
        return TLSv1_1_method();
    case SW_TLSv1_1_SERVER_METHOD:
        return TLSv1_1_server_method();
    case SW_TLSv1_1_CLIENT_METHOD:
        return TLSv1_1_client_method();
    case SW_TLSv1_2_METHOD:
        return TLSv1_2_method();
    case SW_TLSv1_2_SERVER_METHOD:
        return TLSv1_2_server_method();
    case SW_TLSv1_2_CLIENT_METHOD:
        return TLSv1_2_client_method();
    case SW_DTLSv1_METHOD:
        return DTLSv1_method();
    case SW_DTLSv1_SERVER_METHOD:
        return DTLSv1_server_method();
    case SW_DTLSv1_CLIENT_METHOD:
        return DTLSv1_client_method();
    case SW_SSLv23_METHOD:
    default:
        return SSLv23_method();
    }
    return SSLv23_method();
}
Beispiel #15
0
static int openssl_ssl_ctx_new(lua_State*L)
{
  const char* meth = luaL_optstring(L, 1, "TLSv1");
#if OPENSSL_VERSION_NUMBER >= 0x01000000L
  const
#endif
  SSL_METHOD* method = NULL;
  const char* ciphers;
  SSL_CTX* ctx;
  if (strcmp(meth, "SSLv3") == 0)
    method = SSLv3_method();    /* SSLv3 */
  else if (strcmp(meth, "SSLv3_server") == 0)
    method = SSLv3_server_method(); /* SSLv3 */
  else if (strcmp(meth, "SSLv3_client") == 0)
    method = SSLv3_client_method(); /* SSLv3 */
  else if (strcmp(meth, "SSLv23") == 0)
    method = SSLv23_method();   /* SSLv3 but can rollback to v2 */
  else if (strcmp(meth, "SSLv23_server") == 0)
    method = SSLv23_server_method();  /* SSLv3 but can rollback to v2 */
  else if (strcmp(meth, "SSLv23_client") == 0)
    method = SSLv23_client_method();  /* SSLv3 but can rollback to v2 */

  else if (strcmp(meth, "TLSv1_1") == 0)
    method = TLSv1_1_method();    /* TLSv1.0 */
  else if (strcmp(meth, "TLSv1_1_server") == 0)
    method = TLSv1_1_server_method(); /* TLSv1.0 */
  else if (strcmp(meth, "TLSv1_1_client") == 0)
    method = TLSv1_1_client_method(); /* TLSv1.0 */

  else if (strcmp(meth, "TLSv1_2") == 0)
    method = TLSv1_2_method();    /* TLSv1.0 */
  else if (strcmp(meth, "TLSv1_2_server") == 0)
    method = TLSv1_2_server_method(); /* TLSv1.0 */
  else if (strcmp(meth, "TLSv1_2_client") == 0)
    method = TLSv1_2_client_method(); /* TLSv1.0 */

  else if (strcmp(meth, "TLSv1") == 0)
    method = TLSv1_method();    /* TLSv1.0 */
  else if (strcmp(meth, "TLSv1_server") == 0)
    method = TLSv1_server_method(); /* TLSv1.0 */
  else if (strcmp(meth, "TLSv1_client") == 0)
    method = TLSv1_client_method(); /* TLSv1.0 */

  else if (strcmp(meth, "DTLSv1") == 0)
    method = DTLSv1_method();   /* DTLSv1.0 */
  else if (strcmp(meth, "DTLSv1_server") == 0)
    method = DTLSv1_server_method();  /* DTLSv1.0 */
  else if (strcmp(meth, "DTLSv1_client") == 0)
    method = DTLSv1_client_method();  /* DTLSv1.0 */
#ifndef OPENSSL_NO_SSL2
#if OPENSSL_VERSION_NUMBER < 0x10100000L
  else if (strcmp(meth, "SSLv2") == 0)
    method = SSLv2_method();    /* SSLv2 */
  else if (strcmp(meth, "SSLv2_server") == 0)
    method = SSLv2_server_method(); /* SSLv2 */
  else if (strcmp(meth, "SSLv2_client") == 0)
    method = SSLv2_client_method();
#endif
#ifdef LOAD_SSL_CUSTOM
  LOAD_SSL_CUSTOM
#endif

#endif
  else
    luaL_error(L, "#1:%s not supported\n"
               "Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
               "default is SSLv3",
               meth);
  ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST);
  ctx = SSL_CTX_new(method);
  if (!ctx)
    luaL_error(L, "#1:%s not supported\n"
               "Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n",
               "default is SSLv3",
               meth);
  openssl_newvalue(L, ctx);
  SSL_CTX_set_cipher_list(ctx, ciphers);
  PUSH_OBJECT(ctx, "openssl.ssl_ctx");
  SSL_CTX_set_app_data(ctx, L);

  return 1;
}
Beispiel #16
0
const SSL_METHOD *TLSv1_1_server_method(void) {
  return TLSv1_1_method();
}
Beispiel #17
0
const SSL_METHOD *TLSv1_1_client_method(void) {
  return TLSv1_1_method();
}
Beispiel #18
0
static const SSL_METHOD *get_method(int protocol, int type)
{
  const SSL_METHOD *method = NULL;

  caml_enter_blocking_section();
  switch (protocol)
  {
    case 0:
      switch (type)
      {
        case 0:
          method = SSLv23_client_method();
          break;

        case 1:
          method = SSLv23_server_method();
          break;

        case 2:
          method = SSLv23_method();
          break;
      }
      break;

    case 1:
      switch (type)
      {
        case 0:
          method = SSLv3_client_method();
          break;

        case 1:
          method = SSLv3_server_method();
          break;

        case 2:
          method = SSLv3_method();
          break;
      }
      break;

    case 2:
      switch (type)
      {
        case 0:
          method = TLSv1_client_method();
          break;

        case 1:
          method = TLSv1_server_method();
          break;

        case 2:
          method = TLSv1_method();
          break;
      }
      break;

    case 3:
#ifdef HAVE_TLS11
      switch (type)
      {
        case 0:
          method = TLSv1_1_client_method();
          break;

        case 1:
          method = TLSv1_1_server_method();
          break;

        case 2:
          method = TLSv1_1_method();
          break;
      }
#endif
      break;

    case 4:
#ifdef HAVE_TLS12
      switch (type)
      {
        case 0:
          method = TLSv1_2_client_method();
          break;

        case 1:
          method = TLSv1_2_server_method();
          break;

        case 2:
          method = TLSv1_2_method();
          break;
      }
#endif
      break;

    default:
      caml_leave_blocking_section();
      caml_invalid_argument("Unknown method (this should not have happened, please report).");
      break;
  }
  caml_leave_blocking_section();

  if (method == NULL)
    caml_raise_constant(*caml_named_value("ssl_exn_method_error"));

  return method;
}