void SSLCommon::loadCerts(SSL_CTX* ctx, char* certFile, char* keyFile, const string& caList, const bool& ldcrts) { if(ldcrts) { /* set the private key from KeyFile (may be the same as CertFile) */ if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM)) { ERR_print_errors_fp(stderr); cout << "Couldn't read private key file" << endl; exitSSL("SSL_CTX_use_PrivateKey_file"); } /* set the local certificate from CertFile */ if (1 != SSL_CTX_use_certificate_chain_file(ctx, certFile) ) { ERR_print_errors_fp(stderr); cout << "Couldn't read certificate chain file" << endl; exitSSL("SSL_CTX_use_certificate_chain_file"); } /* verify private key */ if (1 != SSL_CTX_check_private_key(ctx)) { cout << "Private key does not match the public certificate" << endl; exitSSL("SSL_CTX_check_private_key"); } } /* Load the CAs we trust*/ if(!(SSL_CTX_load_verify_locations(ctx, caList.c_str(),0))) { cout << "Can't read CA list" << endl; exitSSL("SSL_CTX_load_verify_locations"); } }
/* Check that the common name matches the host name*/ void SSLCommon::check_cert(SSL *ssl, char *host) { X509 *peer; char peer_CN[256]; if(SSL_get_verify_result(ssl)!=X509_V_OK) exitSSL("Certificate doesn't verify"); /*Check the cert chain. The chain length is automatically checked by OpenSSL when we set the verify depth in the ctx */ /*Check the common name*/ peer=SSL_get_peer_certificate(ssl); X509_NAME_get_text_by_NID(X509_get_subject_name(peer), NID_commonName, peer_CN, 256); if(strcasecmp(peer_CN,host)) exitSSL("Common name doesn't match host name"); }
void SSLCommon::load_ecdh_params(SSL_CTX *ctx, Logger &logger) { SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_SSLv2); /* Cheesily pick an elliptic curve to use with elliptic curve ciphersuites. * We just hardcode a single curve which is reasonably decent. * See http://www.mail-archive.com/[email protected]/msg30957.html */ EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); if (! ecdh) { logger << "Couldn't create elliptic curve" << endl; exitSSL("EC_KEY_new_by_curve_name(ecdh)"); } if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { logger << "Couldn't set ecdh parameters" << endl; exitSSL("SSL_CTX_set_tmp_ecdh(ecdh)"); } }
void SSLCommon::loadCerts(SSL_CTX* ctx, char* certFile, char* keyFile, string caList, Logger &logger, bool ldcrts) { if(ldcrts) { /* set the local certificate from CertFile */ if (1 != SSL_CTX_use_certificate_chain_file(ctx, certFile) ) { ERR_print_errors_fp(stderr); logger << "Couldn't read certificate chain file" << endl; exitSSL("SSL_CTX_use_certificate_chain_file"); } /* set the private key from KeyFile (may be the same as CertFile) */ if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM)) { ERR_print_errors_fp(stderr); logger << "Couldn't read private key file" << endl; exitSSL("SSL_CTX_use_PrivateKey_file"); } /* verify private key */ if (1 != SSL_CTX_check_private_key(ctx)) { logger << "Private key does not match the public certificate" << endl; exitSSL("SSL_CTX_check_private_key"); } } /* Load the CAs we trust*/ if(!(SSL_CTX_load_verify_locations(ctx, caList.c_str(),0))) { logger << "Can't read CA list" << endl; exitSSL("SSL_CTX_load_verify_locations"); } #if (OPENSSL_VERSION_NUMBER < 0x00905100L) SSL_CTX_set_verify_depth(ctx,1); #endif }
void SSLCommon::load_dh_params(SSL_CTX *ctx,char *file, Logger &logger) { DH *ret = 0; BIO *bio; if ((bio=BIO_new_file(file,"r")) == NULL) { logger << "Couldn't open DH file, defaulting to setting DH to single use" << endl; SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); return; } ret = PEM_read_bio_DHparams(bio,NULL,NULL,NULL); BIO_free(bio); if(SSL_CTX_set_tmp_dh(ctx,ret)<0) { logger << "Couldn't set DH parameters" << endl; exitSSL("SSL_CTX_set_tmp_dh(dhfile)"); } }
SSL_CTX *SSLCommon::initialize_ctx(const bool& isServer) { SSL_METHOD *meth; SSL_CTX *ctx; CRYPTO_set_mem_functions (zeroingMalloc, realloc, free); SSL_library_init (); OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */ SSL_load_error_strings(); /* load all error messages */ printf ("Using OpenSSL version \"%s\"\n", SSLeay_version (SSLEAY_VERSION)); /* Set up a SIGPIPE handler */ signal (SIGPIPE, SIG_IGN); /* Create our context*/ if(isServer) { meth = (SSL_METHOD*)SSLv23_server_method(); /* create new server-method instance */ } else { meth = (SSL_METHOD*)SSLv23_client_method(); /* create new client-method instance */ } ctx = SSL_CTX_new(meth); /* create new context from method */ if (ctx == NULL) { cout << "Could not create context" << endl; ERR_print_errors_fp(stderr); exitSSL ("SSL_CTX_new"); } return ctx; }